任意文件读取、未授权访问及信息泄露GET型EXP模版

飞扬的浩

于 2024-02-29 11:24:36 发布

阅读量413

点赞数 9

文章标签：网络安全安全

本文链接：https://blog.csdn.net/qq_36759934/article/details/136366347

版权

import requests
import argparse
from datetime import datetime
import time
import re
requests.packages.urllib3.disable_warnings()

RED_BOLD = "\033[1;31m"
RESET = "\033[0m"
def usage():
    global RED_BOLD
    global RESET
    text = '''
    使用方法:
        单个 python3 任意文件读取+未授权.py -u url[例 http://127.0.0.1:8080]
        批量 python3 任意文件读取+未授权.py -f filename

    开始检测................................
    '''
    print(f"{RED_BOLD}{text}{RESET}")

# proxies = {'http':'http://127.0.0.1:10808}

def save_file(url):
    with open('result.txt',mode='a',encoding='utf-8') as f:
        f.write(url+'\n')

def poc(check_url,flag):
    global num
    now_poc = datetime.now()
    global RED_BOLD
    global RESET
    url1 = check_url + ""  # 未授权和任意文件读取目录1
    # url2 = check_url + ""  # 未授权和任意文件读取目录目录2
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
        'Accept-Encoding': 'gzip, deflate',
        'Accept-Language': 'zh-CN,zh;q=0.9',
        'Cookie': 'language=zh; style=1; EnableAESLogin=0; maintitle=%u4E3B%u52A8%u5B89%u5168%u76D1%u63A7%u4E91%u5E73%u53F0; isPolice=0; name=value; JSESSIONID=FFA216A30B39FD49BA0613D4DC7C6A4D'
    }
    try:
        response1 = requests.get(url1, headers=headers,timeout=5,verify=False)
        # response2 = requests.get(url2, headers=headers,timeout=5,verify=False)
        if response1.status_code == 200 and "" in response1.text: # 引号中补充关键字，比如root win.ini
            print(f'{RED_BOLD}[+]{now_poc.strftime("%Y-%m-%d %H:%M:%S")}\t{check_url}\tvocal出货了！{RESET}')
            print(url1)
            num += 1
            print("挖到"+ str(num) +"个了")
            save_file(url1)

        # elif response2.status_code == 200 and "root" in response2.text:
        #     print(f'{RED_BOLD}[+]{now_poc.strftime("%Y-%m-%d %H:%M:%S")}\t{check_url}\t6a！{RESET}')
        #     print(url2)
        #     num += 1
        #     print("挖到"+ str(num) +"个了")
        #     save_file(url2)

        else:
            print(f'[-]{now_poc.strftime("%Y-%m-%d %H:%M:%S")}\t{check_url}\t没洞，泥煤的这谁顶得住啊！')

    except Exception as e:
        print(f'[-]{now_poc.strftime("%Y-%m-%d %H:%M:%S")}\t{check_url}\tVocal，死站！')

def run(filepath):
    global num
    num = 0
    flag = 0
    urls = [x.strip() for x in open(filepath, "r").readlines()]
    for u in urls:
        if 'http' in u:
            url = u
        elif 'https' in u:
            url = u
        else:
            url = 'http://' + u

        poc(url,flag)

def main():
    parse = argparse.ArgumentParser()
    parse.add_argument("-u", "--url", help="任意文件读取+未授权 -u url")
    parse.add_argument("-f", "--file", help="任意文件读取+未授权 -f file")
    args = parse.parse_args()
    url = args.url
    filepath = args.file
    usage()
    time.sleep(1)
    if url is not None and filepath is None:
        flag = 1
        poc(url,flag)
    elif url is None and filepath is not None:
        run(filepath)
    else:
        usage()

if __name__ == '__main__':
    main()