This repository was archived by the owner on Nov 15, 2023. It is now read-only.

BennyThink/Typecho_deserialization_exploit


Typecho_deserialization_exploit

Description

Typecho deserialization vulnerability in Oct 2017.

This script is for learning purposes ONLY. DO NOT use it without authorization. USE AT YOUR OWN RISK!!!

Environment

pip install requests

Python 2/3, then you are all set!

Build your own exe

If you want to build the exe on your own, install pyinstaller and run pyinstaller -F exp.py.

How to patch Typecho and some further suggestions

  • Upgrade Typecho to the latest version
  • Delete install.php and install directory once the installation completes.
  • Run Apache/Nginx, PHP and MySQL under dedicated www and mysql accounts that have a nologin shell.
  • Update your system regularly; DO NOT use an EOL operating system.
  • It's better to use Linux rather than Windows for the web server.
  • Set open_basedir in php.ini.
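
A local check for three of the suggestions above (leftover install.php, leftover install directory, open_basedir in php.ini), as an added example that is not part of this repository. The function names and sample paths are assumptions, and only the given php.ini is read, not per-directory overrides.

```python
import os
import re
import tempfile

def open_basedir_value(php_ini_text):
    """Return the active open_basedir value, or None if unset or commented out."""
    value = None
    for line in php_ini_text.splitlines():
        line = line.strip()
        if line.startswith(";"):                      # php.ini comment line
            continue
        m = re.match(r"open_basedir\s*=\s*(.*)$", line)
        if not m:
            continue
        raw = m.group(1).strip()
        if raw[:1] in ('"', "'"):                     # quoted value: keep text inside quotes
            raw = raw[1:].split(raw[0])[0]
        else:                                         # unquoted: drop a trailing ; comment
            raw = raw.split(";")[0].strip()
        value = raw or None                           # a later assignment replaces an earlier one
    return value

def audit(webroot, php_ini_path):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    if os.path.isfile(os.path.join(webroot, "install.php")):
        findings.append("install.php still present")
    if os.path.isdir(os.path.join(webroot, "install")):
        findings.append("install directory still present")
    with open(php_ini_path) as fh:
        if open_basedir_value(fh.read()) is None:
            findings.append("open_basedir not set")
    return findings

if __name__ == "__main__":
    # Constructed sample: a webroot right after installation, with a default php.ini.
    with tempfile.TemporaryDirectory() as root:
        open(os.path.join(root, "install.php"), "w").close()
        os.mkdir(os.path.join(root, "install"))
        ini = os.path.join(root, "php.ini")
        with open(ini, "w") as fh:
            fh.write("[PHP]\n;open_basedir =\n")
        print("before:", audit(root, ini))
        os.remove(os.path.join(root, "install.php"))
        os.rmdir(os.path.join(root, "install"))
        with open(ini, "w") as fh:
            fh.write('[PHP]\nopen_basedir = "/var/www/typecho:/tmp"\n')
        print("after: ", audit(root, ini))
```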

References and Credits

ph0rse

joyqi

blogsir

b374k

About

Typecho deserialization vulnerability exploit.
